1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 #ifndef lint 23 static const char rcsid[] _U_ = 24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)"; 25 #endif 26 27 #ifdef HAVE_CONFIG_H 28 #include "config.h" 29 #endif 30 31 #ifdef WIN32 32 #include <pcap-stdinc.h> 33 #else /* WIN32 */ 34 #if HAVE_INTTYPES_H 35 #include <inttypes.h> 36 #elif HAVE_STDINT_H 37 #include <stdint.h> 38 #endif 39 #ifdef HAVE_SYS_BITYPES_H 40 #include <sys/bitypes.h> 41 #endif 42 #include <sys/types.h> 43 #include <sys/socket.h> 44 #endif /* WIN32 */ 45 46 /* 47 * XXX - why was this included even on UNIX? 48 */ 49 #ifdef __MINGW32__ 50 #include "ip6_misc.h" 51 #endif 52 53 #ifndef WIN32 54 55 #ifdef __NetBSD__ 56 #include <sys/param.h> 57 #endif 58 59 #include <netinet/in.h> 60 #include <arpa/inet.h> 61 62 #endif /* WIN32 */ 63 64 #include <stdlib.h> 65 #include <string.h> 66 #include <memory.h> 67 #include <setjmp.h> 68 #include <stdarg.h> 69 70 #ifdef MSDOS 71 #include "pcap-dos.h" 72 #endif 73 74 #include "pcap-int.h" 75 76 #include "ethertype.h" 77 #include "nlpid.h" 78 #include "llc.h" 79 #include "gencode.h" 80 #include "ieee80211.h" 81 #include "atmuni31.h" 82 #include "sunatmpos.h" 83 #include "ppp.h" 84 #include "pcap/sll.h" 85 #include "pcap/ipnet.h" 86 #include "arcnet.h" 87 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 88 #include <linux/types.h> 89 #include <linux/if_packet.h> 90 #include <linux/filter.h> 91 #endif 92 #ifdef HAVE_NET_PFVAR_H 93 #include <sys/socket.h> 94 #include <net/if.h> 95 #include <net/pf/pfvar.h> 96 #include <net/pf/if_pflog.h> 97 #endif 98 #ifndef offsetof 99 #define offsetof(s, e) ((size_t)&((s *)0)->e) 100 #endif 101 #ifdef INET6 102 #ifndef WIN32 103 #include <netdb.h> /* for "struct addrinfo" */ 104 #endif /* WIN32 */ 105 #endif /*INET6*/ 106 #include <pcap/namedb.h> 107 108 #define ETHERMTU 1500 109 110 #ifndef IPPROTO_HOPOPTS 111 #define IPPROTO_HOPOPTS 0 112 #endif 113 #ifndef IPPROTO_ROUTING 114 #define IPPROTO_ROUTING 43 115 #endif 116 #ifndef IPPROTO_FRAGMENT 117 #define IPPROTO_FRAGMENT 44 118 #endif 119 #ifndef IPPROTO_DSTOPTS 120 #define IPPROTO_DSTOPTS 60 121 #endif 122 #ifndef IPPROTO_SCTP 123 #define IPPROTO_SCTP 132 124 #endif 125 126 #ifdef HAVE_OS_PROTO_H 127 #include "os-proto.h" 128 #endif 129 130 #define JMP(c) ((c)|BPF_JMP|BPF_K) 131 132 /* Locals */ 133 static jmp_buf top_ctx; 134 static pcap_t *bpf_pcap; 135 136 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 137 #ifdef WIN32 138 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 139 #else 140 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 141 #endif 142 143 /* XXX */ 144 #ifdef PCAP_FDDIPAD 145 static int pcap_fddipad; 146 #endif 147 148 /* VARARGS */ 149 void 150 bpf_error(const char *fmt, ...) 151 { 152 va_list ap; 153 154 va_start(ap, fmt); 155 if (bpf_pcap != NULL) 156 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 157 fmt, ap); 158 va_end(ap); 159 longjmp(top_ctx, 1); 160 /* NOTREACHED */ 161 } 162 163 static void init_linktype(pcap_t *); 164 165 static void init_regs(void); 166 static int alloc_reg(void); 167 static void free_reg(int); 168 169 static struct block *root; 170 171 /* 172 * Value passed to gen_load_a() to indicate what the offset argument 173 * is relative to. 174 */ 175 enum e_offrel { 176 OR_PACKET, /* relative to the beginning of the packet */ 177 OR_LINK, /* relative to the beginning of the link-layer header */ 178 OR_MACPL, /* relative to the end of the MAC-layer header */ 179 OR_NET, /* relative to the network-layer header */ 180 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 181 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 182 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 183 }; 184 185 #ifdef INET6 186 /* 187 * As errors are handled by a longjmp, anything allocated must be freed 188 * in the longjmp handler, so it must be reachable from that handler. 189 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 190 * it must be freed with freeaddrinfo(). This variable points to any 191 * addrinfo structure that would need to be freed. 192 */ 193 static struct addrinfo *ai; 194 #endif 195 196 /* 197 * We divy out chunks of memory rather than call malloc each time so 198 * we don't have to worry about leaking memory. It's probably 199 * not a big deal if all this memory was wasted but if this ever 200 * goes into a library that would probably not be a good idea. 201 * 202 * XXX - this *is* in a library.... 203 */ 204 #define NCHUNKS 16 205 #define CHUNK0SIZE 1024 206 struct chunk { 207 u_int n_left; 208 void *m; 209 }; 210 211 static struct chunk chunks[NCHUNKS]; 212 static int cur_chunk; 213 214 static void *newchunk(u_int); 215 static void freechunks(void); 216 static inline struct block *new_block(int); 217 static inline struct slist *new_stmt(int); 218 static struct block *gen_retblk(int); 219 static inline void syntax(void); 220 221 static void backpatch(struct block *, struct block *); 222 static void merge(struct block *, struct block *); 223 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 224 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 225 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 226 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 227 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 228 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 229 bpf_u_int32); 230 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 231 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 232 bpf_u_int32, bpf_u_int32, int, bpf_int32); 233 static struct slist *gen_load_llrel(u_int, u_int); 234 static struct slist *gen_load_macplrel(u_int, u_int); 235 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 236 static struct slist *gen_loadx_iphdrlen(void); 237 static struct block *gen_uncond(int); 238 static inline struct block *gen_true(void); 239 static inline struct block *gen_false(void); 240 static struct block *gen_ether_linktype(int); 241 static struct block *gen_ipnet_linktype(int); 242 static struct block *gen_linux_sll_linktype(int); 243 static struct slist *gen_load_prism_llprefixlen(void); 244 static struct slist *gen_load_avs_llprefixlen(void); 245 static struct slist *gen_load_radiotap_llprefixlen(void); 246 static struct slist *gen_load_ppi_llprefixlen(void); 247 static void insert_compute_vloffsets(struct block *); 248 static struct slist *gen_llprefixlen(void); 249 static struct slist *gen_off_macpl(void); 250 static int ethertype_to_ppptype(int); 251 static struct block *gen_linktype(int); 252 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 253 static struct block *gen_llc_linktype(int); 254 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 255 #ifdef INET6 256 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 257 #endif 258 static struct block *gen_ahostop(const u_char *, int); 259 static struct block *gen_ehostop(const u_char *, int); 260 static struct block *gen_fhostop(const u_char *, int); 261 static struct block *gen_thostop(const u_char *, int); 262 static struct block *gen_wlanhostop(const u_char *, int); 263 static struct block *gen_ipfchostop(const u_char *, int); 264 static struct block *gen_dnhostop(bpf_u_int32, int); 265 static struct block *gen_mpls_linktype(int); 266 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 267 #ifdef INET6 268 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 269 #endif 270 #ifndef INET6 271 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 272 #endif 273 static struct block *gen_ipfrag(void); 274 static struct block *gen_portatom(int, bpf_int32); 275 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 276 static struct block *gen_portatom6(int, bpf_int32); 277 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 278 struct block *gen_portop(int, int, int); 279 static struct block *gen_port(int, int, int); 280 struct block *gen_portrangeop(int, int, int, int); 281 static struct block *gen_portrange(int, int, int, int); 282 struct block *gen_portop6(int, int, int); 283 static struct block *gen_port6(int, int, int); 284 struct block *gen_portrangeop6(int, int, int, int); 285 static struct block *gen_portrange6(int, int, int, int); 286 static int lookup_proto(const char *, int); 287 static struct block *gen_protochain(int, int, int); 288 static struct block *gen_proto(int, int, int); 289 static struct slist *xfer_to_x(struct arth *); 290 static struct slist *xfer_to_a(struct arth *); 291 static struct block *gen_mac_multicast(int); 292 static struct block *gen_len(int, int); 293 static struct block *gen_check_802_11_data_frame(void); 294 295 static struct block *gen_ppi_dlt_check(void); 296 static struct block *gen_msg_abbrev(int type); 297 298 static void * 299 newchunk(n) 300 u_int n; 301 { 302 struct chunk *cp; 303 int k; 304 size_t size; 305 306 #ifndef __NetBSD__ 307 /* XXX Round up to nearest long. */ 308 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 309 #else 310 /* XXX Round up to structure boundary. */ 311 n = ALIGN(n); 312 #endif 313 314 cp = &chunks[cur_chunk]; 315 if (n > cp->n_left) { 316 ++cp, k = ++cur_chunk; 317 if (k >= NCHUNKS) 318 bpf_error("out of memory"); 319 size = CHUNK0SIZE << k; 320 cp->m = (void *)malloc(size); 321 if (cp->m == NULL) 322 bpf_error("out of memory"); 323 memset((char *)cp->m, 0, size); 324 cp->n_left = size; 325 if (n > size) 326 bpf_error("out of memory"); 327 } 328 cp->n_left -= n; 329 return (void *)((char *)cp->m + cp->n_left); 330 } 331 332 static void 333 freechunks() 334 { 335 int i; 336 337 cur_chunk = 0; 338 for (i = 0; i < NCHUNKS; ++i) 339 if (chunks[i].m != NULL) { 340 free(chunks[i].m); 341 chunks[i].m = NULL; 342 } 343 } 344 345 /* 346 * A strdup whose allocations are freed after code generation is over. 347 */ 348 char * 349 sdup(s) 350 register const char *s; 351 { 352 int n = strlen(s) + 1; 353 char *cp = newchunk(n); 354 355 strlcpy(cp, s, n); 356 return (cp); 357 } 358 359 static inline struct block * 360 new_block(code) 361 int code; 362 { 363 struct block *p; 364 365 p = (struct block *)newchunk(sizeof(*p)); 366 p->s.code = code; 367 p->head = p; 368 369 return p; 370 } 371 372 static inline struct slist * 373 new_stmt(code) 374 int code; 375 { 376 struct slist *p; 377 378 p = (struct slist *)newchunk(sizeof(*p)); 379 p->s.code = code; 380 381 return p; 382 } 383 384 static struct block * 385 gen_retblk(v) 386 int v; 387 { 388 struct block *b = new_block(BPF_RET|BPF_K); 389 390 b->s.k = v; 391 return b; 392 } 393 394 static inline void 395 syntax() 396 { 397 bpf_error("syntax error in filter expression"); 398 } 399 400 static bpf_u_int32 netmask; 401 static int snaplen; 402 int no_optimize; 403 #ifdef WIN32 404 static int 405 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 406 const char *buf, int optimize, bpf_u_int32 mask); 407 408 int 409 pcap_compile(pcap_t *p, struct bpf_program *program, 410 const char *buf, int optimize, bpf_u_int32 mask) 411 { 412 int result; 413 414 EnterCriticalSection(&g_PcapCompileCriticalSection); 415 416 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 417 418 LeaveCriticalSection(&g_PcapCompileCriticalSection); 419 420 return result; 421 } 422 423 static int 424 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 425 const char *buf, int optimize, bpf_u_int32 mask) 426 #else /* WIN32 */ 427 int 428 pcap_compile(pcap_t *p, struct bpf_program *program, 429 const char *buf, int optimize, bpf_u_int32 mask) 430 #endif /* WIN32 */ 431 { 432 extern int n_errors; 433 const char * volatile xbuf = buf; 434 u_int len; 435 436 /* 437 * If this pcap_t hasn't been activated, it doesn't have a 438 * link-layer type, so we can't use it. 439 */ 440 if (!p->activated) { 441 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 442 "not-yet-activated pcap_t passed to pcap_compile"); 443 return (-1); 444 } 445 no_optimize = 0; 446 n_errors = 0; 447 root = NULL; 448 bpf_pcap = p; 449 init_regs(); 450 if (setjmp(top_ctx)) { 451 #ifdef INET6 452 if (ai != NULL) { 453 freeaddrinfo(ai); 454 ai = NULL; 455 } 456 #endif 457 lex_cleanup(); 458 freechunks(); 459 return (-1); 460 } 461 462 netmask = mask; 463 464 snaplen = pcap_snapshot(p); 465 if (snaplen == 0) { 466 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 467 "snaplen of 0 rejects all packets"); 468 return -1; 469 } 470 471 lex_init(xbuf ? xbuf : ""); 472 init_linktype(p); 473 (void)pcap_parse(); 474 475 if (n_errors) 476 syntax(); 477 478 if (root == NULL) 479 root = gen_retblk(snaplen); 480 481 if (optimize && !no_optimize) { 482 bpf_optimize(&root); 483 if (root == NULL || 484 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 485 bpf_error("expression rejects all packets"); 486 } 487 program->bf_insns = icode_to_fcode(root, &len); 488 program->bf_len = len; 489 490 lex_cleanup(); 491 freechunks(); 492 return (0); 493 } 494 495 /* 496 * entry point for using the compiler with no pcap open 497 * pass in all the stuff that is needed explicitly instead. 498 */ 499 int 500 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 501 struct bpf_program *program, 502 const char *buf, int optimize, bpf_u_int32 mask) 503 { 504 pcap_t *p; 505 int ret; 506 507 p = pcap_open_dead(linktype_arg, snaplen_arg); 508 if (p == NULL) 509 return (-1); 510 ret = pcap_compile(p, program, buf, optimize, mask); 511 pcap_close(p); 512 return (ret); 513 } 514 515 /* 516 * Clean up a "struct bpf_program" by freeing all the memory allocated 517 * in it. 518 */ 519 void 520 pcap_freecode(struct bpf_program *program) 521 { 522 program->bf_len = 0; 523 if (program->bf_insns != NULL) { 524 free((char *)program->bf_insns); 525 program->bf_insns = NULL; 526 } 527 } 528 529 /* 530 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 531 * which of the jt and jf fields has been resolved and which is a pointer 532 * back to another unresolved block (or nil). At least one of the fields 533 * in each block is already resolved. 534 */ 535 static void 536 backpatch(list, target) 537 struct block *list, *target; 538 { 539 struct block *next; 540 541 while (list) { 542 if (!list->sense) { 543 next = JT(list); 544 JT(list) = target; 545 } else { 546 next = JF(list); 547 JF(list) = target; 548 } 549 list = next; 550 } 551 } 552 553 /* 554 * Merge the lists in b0 and b1, using the 'sense' field to indicate 555 * which of jt and jf is the link. 556 */ 557 static void 558 merge(b0, b1) 559 struct block *b0, *b1; 560 { 561 register struct block **p = &b0; 562 563 /* Find end of list. */ 564 while (*p) 565 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 566 567 /* Concatenate the lists. */ 568 *p = b1; 569 } 570 571 void 572 finish_parse(p) 573 struct block *p; 574 { 575 struct block *ppi_dlt_check; 576 577 /* 578 * Insert before the statements of the first (root) block any 579 * statements needed to load the lengths of any variable-length 580 * headers into registers. 581 * 582 * XXX - a fancier strategy would be to insert those before the 583 * statements of all blocks that use those lengths and that 584 * have no predecessors that use them, so that we only compute 585 * the lengths if we need them. There might be even better 586 * approaches than that. 587 * 588 * However, those strategies would be more complicated, and 589 * as we don't generate code to compute a length if the 590 * program has no tests that use the length, and as most 591 * tests will probably use those lengths, we would just 592 * postpone computing the lengths so that it's not done 593 * for tests that fail early, and it's not clear that's 594 * worth the effort. 595 */ 596 insert_compute_vloffsets(p->head); 597 598 /* 599 * For DLT_PPI captures, generate a check of the per-packet 600 * DLT value to make sure it's DLT_IEEE802_11. 601 */ 602 ppi_dlt_check = gen_ppi_dlt_check(); 603 if (ppi_dlt_check != NULL) 604 gen_and(ppi_dlt_check, p); 605 606 backpatch(p, gen_retblk(snaplen)); 607 p->sense = !p->sense; 608 backpatch(p, gen_retblk(0)); 609 root = p->head; 610 } 611 612 void 613 gen_and(b0, b1) 614 struct block *b0, *b1; 615 { 616 backpatch(b0, b1->head); 617 b0->sense = !b0->sense; 618 b1->sense = !b1->sense; 619 merge(b1, b0); 620 b1->sense = !b1->sense; 621 b1->head = b0->head; 622 } 623 624 void 625 gen_or(b0, b1) 626 struct block *b0, *b1; 627 { 628 b0->sense = !b0->sense; 629 backpatch(b0, b1->head); 630 b0->sense = !b0->sense; 631 merge(b1, b0); 632 b1->head = b0->head; 633 } 634 635 void 636 gen_not(b) 637 struct block *b; 638 { 639 b->sense = !b->sense; 640 } 641 642 static struct block * 643 gen_cmp(offrel, offset, size, v) 644 enum e_offrel offrel; 645 u_int offset, size; 646 bpf_int32 v; 647 { 648 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 649 } 650 651 static struct block * 652 gen_cmp_gt(offrel, offset, size, v) 653 enum e_offrel offrel; 654 u_int offset, size; 655 bpf_int32 v; 656 { 657 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 658 } 659 660 static struct block * 661 gen_cmp_ge(offrel, offset, size, v) 662 enum e_offrel offrel; 663 u_int offset, size; 664 bpf_int32 v; 665 { 666 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 667 } 668 669 static struct block * 670 gen_cmp_lt(offrel, offset, size, v) 671 enum e_offrel offrel; 672 u_int offset, size; 673 bpf_int32 v; 674 { 675 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 676 } 677 678 static struct block * 679 gen_cmp_le(offrel, offset, size, v) 680 enum e_offrel offrel; 681 u_int offset, size; 682 bpf_int32 v; 683 { 684 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 685 } 686 687 static struct block * 688 gen_mcmp(offrel, offset, size, v, mask) 689 enum e_offrel offrel; 690 u_int offset, size; 691 bpf_int32 v; 692 bpf_u_int32 mask; 693 { 694 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 695 } 696 697 static struct block * 698 gen_bcmp(offrel, offset, size, v) 699 enum e_offrel offrel; 700 register u_int offset, size; 701 register const u_char *v; 702 { 703 register struct block *b, *tmp; 704 705 b = NULL; 706 while (size >= 4) { 707 register const u_char *p = &v[size - 4]; 708 bpf_int32 w = ((bpf_int32)p[0] << 24) | 709 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 710 711 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 712 if (b != NULL) 713 gen_and(b, tmp); 714 b = tmp; 715 size -= 4; 716 } 717 while (size >= 2) { 718 register const u_char *p = &v[size - 2]; 719 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 720 721 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 722 if (b != NULL) 723 gen_and(b, tmp); 724 b = tmp; 725 size -= 2; 726 } 727 if (size > 0) { 728 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 729 if (b != NULL) 730 gen_and(b, tmp); 731 b = tmp; 732 } 733 return b; 734 } 735 736 /* 737 * AND the field of size "size" at offset "offset" relative to the header 738 * specified by "offrel" with "mask", and compare it with the value "v" 739 * with the test specified by "jtype"; if "reverse" is true, the test 740 * should test the opposite of "jtype". 741 */ 742 static struct block * 743 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 744 enum e_offrel offrel; 745 bpf_int32 v; 746 bpf_u_int32 offset, size, mask, jtype; 747 int reverse; 748 { 749 struct slist *s, *s2; 750 struct block *b; 751 752 s = gen_load_a(offrel, offset, size); 753 754 if (mask != 0xffffffff) { 755 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 756 s2->s.k = mask; 757 sappend(s, s2); 758 } 759 760 b = new_block(JMP(jtype)); 761 b->stmts = s; 762 b->s.k = v; 763 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 764 gen_not(b); 765 return b; 766 } 767 768 /* 769 * Various code constructs need to know the layout of the data link 770 * layer. These variables give the necessary offsets from the beginning 771 * of the packet data. 772 */ 773 774 /* 775 * This is the offset of the beginning of the link-layer header from 776 * the beginning of the raw packet data. 777 * 778 * It's usually 0, except for 802.11 with a fixed-length radio header. 779 * (For 802.11 with a variable-length radio header, we have to generate 780 * code to compute that offset; off_ll is 0 in that case.) 781 */ 782 static u_int off_ll; 783 784 /* 785 * If there's a variable-length header preceding the link-layer header, 786 * "reg_off_ll" is the register number for a register containing the 787 * length of that header, and therefore the offset of the link-layer 788 * header from the beginning of the raw packet data. Otherwise, 789 * "reg_off_ll" is -1. 790 */ 791 static int reg_off_ll; 792 793 /* 794 * This is the offset of the beginning of the MAC-layer header from 795 * the beginning of the link-layer header. 796 * It's usually 0, except for ATM LANE, where it's the offset, relative 797 * to the beginning of the raw packet data, of the Ethernet header, and 798 * for Ethernet with various additional information. 799 */ 800 static u_int off_mac; 801 802 /* 803 * This is the offset of the beginning of the MAC-layer payload, 804 * from the beginning of the raw packet data. 805 * 806 * I.e., it's the sum of the length of the link-layer header (without, 807 * for example, any 802.2 LLC header, so it's the MAC-layer 808 * portion of that header), plus any prefix preceding the 809 * link-layer header. 810 */ 811 static u_int off_macpl; 812 813 /* 814 * This is 1 if the offset of the beginning of the MAC-layer payload 815 * from the beginning of the link-layer header is variable-length. 816 */ 817 static int off_macpl_is_variable; 818 819 /* 820 * If the link layer has variable_length headers, "reg_off_macpl" 821 * is the register number for a register containing the length of the 822 * link-layer header plus the length of any variable-length header 823 * preceding the link-layer header. Otherwise, "reg_off_macpl" 824 * is -1. 825 */ 826 static int reg_off_macpl; 827 828 /* 829 * "off_linktype" is the offset to information in the link-layer header 830 * giving the packet type. This offset is relative to the beginning 831 * of the link-layer header (i.e., it doesn't include off_ll). 832 * 833 * For Ethernet, it's the offset of the Ethernet type field. 834 * 835 * For link-layer types that always use 802.2 headers, it's the 836 * offset of the LLC header. 837 * 838 * For PPP, it's the offset of the PPP type field. 839 * 840 * For Cisco HDLC, it's the offset of the CHDLC type field. 841 * 842 * For BSD loopback, it's the offset of the AF_ value. 843 * 844 * For Linux cooked sockets, it's the offset of the type field. 845 * 846 * It's set to -1 for no encapsulation, in which case, IP is assumed. 847 */ 848 static u_int off_linktype; 849 850 /* 851 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 852 * checks to check the PPP header, assumed to follow a LAN-style link- 853 * layer header and a PPPoE session header. 854 */ 855 static int is_pppoes = 0; 856 857 /* 858 * TRUE if the link layer includes an ATM pseudo-header. 859 */ 860 static int is_atm = 0; 861 862 /* 863 * TRUE if "lane" appeared in the filter; it causes us to generate 864 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 865 */ 866 static int is_lane = 0; 867 868 /* 869 * These are offsets for the ATM pseudo-header. 870 */ 871 static u_int off_vpi; 872 static u_int off_vci; 873 static u_int off_proto; 874 875 /* 876 * These are offsets for the MTP2 fields. 877 */ 878 static u_int off_li; 879 880 /* 881 * These are offsets for the MTP3 fields. 882 */ 883 static u_int off_sio; 884 static u_int off_opc; 885 static u_int off_dpc; 886 static u_int off_sls; 887 888 /* 889 * This is the offset of the first byte after the ATM pseudo_header, 890 * or -1 if there is no ATM pseudo-header. 891 */ 892 static u_int off_payload; 893 894 /* 895 * These are offsets to the beginning of the network-layer header. 896 * They are relative to the beginning of the MAC-layer payload (i.e., 897 * they don't include off_ll or off_macpl). 898 * 899 * If the link layer never uses 802.2 LLC: 900 * 901 * "off_nl" and "off_nl_nosnap" are the same. 902 * 903 * If the link layer always uses 802.2 LLC: 904 * 905 * "off_nl" is the offset if there's a SNAP header following 906 * the 802.2 header; 907 * 908 * "off_nl_nosnap" is the offset if there's no SNAP header. 909 * 910 * If the link layer is Ethernet: 911 * 912 * "off_nl" is the offset if the packet is an Ethernet II packet 913 * (we assume no 802.3+802.2+SNAP); 914 * 915 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 916 * with an 802.2 header following it. 917 */ 918 static u_int off_nl; 919 static u_int off_nl_nosnap; 920 921 static int linktype; 922 923 static void 924 init_linktype(p) 925 pcap_t *p; 926 { 927 linktype = pcap_datalink(p); 928 #ifdef PCAP_FDDIPAD 929 pcap_fddipad = p->fddipad; 930 #endif 931 932 /* 933 * Assume it's not raw ATM with a pseudo-header, for now. 934 */ 935 off_mac = 0; 936 is_atm = 0; 937 is_lane = 0; 938 off_vpi = -1; 939 off_vci = -1; 940 off_proto = -1; 941 off_payload = -1; 942 943 /* 944 * And that we're not doing PPPoE. 945 */ 946 is_pppoes = 0; 947 948 /* 949 * And assume we're not doing SS7. 950 */ 951 off_li = -1; 952 off_sio = -1; 953 off_opc = -1; 954 off_dpc = -1; 955 off_sls = -1; 956 957 /* 958 * Also assume it's not 802.11. 959 */ 960 off_ll = 0; 961 off_macpl = 0; 962 off_macpl_is_variable = 0; 963 964 orig_linktype = -1; 965 orig_nl = -1; 966 label_stack_depth = 0; 967 968 reg_off_ll = -1; 969 reg_off_macpl = -1; 970 971 switch (linktype) { 972 973 case DLT_ARCNET: 974 off_linktype = 2; 975 off_macpl = 6; 976 off_nl = 0; /* XXX in reality, variable! */ 977 off_nl_nosnap = 0; /* no 802.2 LLC */ 978 return; 979 980 case DLT_ARCNET_LINUX: 981 off_linktype = 4; 982 off_macpl = 8; 983 off_nl = 0; /* XXX in reality, variable! */ 984 off_nl_nosnap = 0; /* no 802.2 LLC */ 985 return; 986 987 case DLT_EN10MB: 988 off_linktype = 12; 989 off_macpl = 14; /* Ethernet header length */ 990 off_nl = 0; /* Ethernet II */ 991 off_nl_nosnap = 3; /* 802.3+802.2 */ 992 return; 993 994 case DLT_SLIP: 995 /* 996 * SLIP doesn't have a link level type. The 16 byte 997 * header is hacked into our SLIP driver. 998 */ 999 off_linktype = -1; 1000 off_macpl = 16; 1001 off_nl = 0; 1002 off_nl_nosnap = 0; /* no 802.2 LLC */ 1003 return; 1004 1005 case DLT_SLIP_BSDOS: 1006 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1007 off_linktype = -1; 1008 /* XXX end */ 1009 off_macpl = 24; 1010 off_nl = 0; 1011 off_nl_nosnap = 0; /* no 802.2 LLC */ 1012 return; 1013 1014 case DLT_NULL: 1015 case DLT_LOOP: 1016 off_linktype = 0; 1017 off_macpl = 4; 1018 off_nl = 0; 1019 off_nl_nosnap = 0; /* no 802.2 LLC */ 1020 return; 1021 1022 case DLT_ENC: 1023 off_linktype = 0; 1024 off_macpl = 12; 1025 off_nl = 0; 1026 off_nl_nosnap = 0; /* no 802.2 LLC */ 1027 return; 1028 1029 case DLT_PPP: 1030 case DLT_PPP_PPPD: 1031 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1032 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1033 off_linktype = 2; 1034 off_macpl = 4; 1035 off_nl = 0; 1036 off_nl_nosnap = 0; /* no 802.2 LLC */ 1037 return; 1038 1039 case DLT_PPP_ETHER: 1040 /* 1041 * This does no include the Ethernet header, and 1042 * only covers session state. 1043 */ 1044 off_linktype = 6; 1045 off_macpl = 8; 1046 off_nl = 0; 1047 off_nl_nosnap = 0; /* no 802.2 LLC */ 1048 return; 1049 1050 case DLT_PPP_BSDOS: 1051 off_linktype = 5; 1052 off_macpl = 24; 1053 off_nl = 0; 1054 off_nl_nosnap = 0; /* no 802.2 LLC */ 1055 return; 1056 1057 case DLT_FDDI: 1058 /* 1059 * FDDI doesn't really have a link-level type field. 1060 * We set "off_linktype" to the offset of the LLC header. 1061 * 1062 * To check for Ethernet types, we assume that SSAP = SNAP 1063 * is being used and pick out the encapsulated Ethernet type. 1064 * XXX - should we generate code to check for SNAP? 1065 */ 1066 off_linktype = 13; 1067 #ifdef PCAP_FDDIPAD 1068 off_linktype += pcap_fddipad; 1069 #endif 1070 off_macpl = 13; /* FDDI MAC header length */ 1071 #ifdef PCAP_FDDIPAD 1072 off_macpl += pcap_fddipad; 1073 #endif 1074 off_nl = 8; /* 802.2+SNAP */ 1075 off_nl_nosnap = 3; /* 802.2 */ 1076 return; 1077 1078 case DLT_IEEE802: 1079 /* 1080 * Token Ring doesn't really have a link-level type field. 1081 * We set "off_linktype" to the offset of the LLC header. 1082 * 1083 * To check for Ethernet types, we assume that SSAP = SNAP 1084 * is being used and pick out the encapsulated Ethernet type. 1085 * XXX - should we generate code to check for SNAP? 1086 * 1087 * XXX - the header is actually variable-length. 1088 * Some various Linux patched versions gave 38 1089 * as "off_linktype" and 40 as "off_nl"; however, 1090 * if a token ring packet has *no* routing 1091 * information, i.e. is not source-routed, the correct 1092 * values are 20 and 22, as they are in the vanilla code. 1093 * 1094 * A packet is source-routed iff the uppermost bit 1095 * of the first byte of the source address, at an 1096 * offset of 8, has the uppermost bit set. If the 1097 * packet is source-routed, the total number of bytes 1098 * of routing information is 2 plus bits 0x1F00 of 1099 * the 16-bit value at an offset of 14 (shifted right 1100 * 8 - figure out which byte that is). 1101 */ 1102 off_linktype = 14; 1103 off_macpl = 14; /* Token Ring MAC header length */ 1104 off_nl = 8; /* 802.2+SNAP */ 1105 off_nl_nosnap = 3; /* 802.2 */ 1106 return; 1107 1108 case DLT_IEEE802_11: 1109 case DLT_PRISM_HEADER: 1110 case DLT_IEEE802_11_RADIO_AVS: 1111 case DLT_IEEE802_11_RADIO: 1112 /* 1113 * 802.11 doesn't really have a link-level type field. 1114 * We set "off_linktype" to the offset of the LLC header. 1115 * 1116 * To check for Ethernet types, we assume that SSAP = SNAP 1117 * is being used and pick out the encapsulated Ethernet type. 1118 * XXX - should we generate code to check for SNAP? 1119 * 1120 * We also handle variable-length radio headers here. 1121 * The Prism header is in theory variable-length, but in 1122 * practice it's always 144 bytes long. However, some 1123 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1124 * sometimes or always supply an AVS header, so we 1125 * have to check whether the radio header is a Prism 1126 * header or an AVS header, so, in practice, it's 1127 * variable-length. 1128 */ 1129 off_linktype = 24; 1130 off_macpl = 0; /* link-layer header is variable-length */ 1131 off_macpl_is_variable = 1; 1132 off_nl = 8; /* 802.2+SNAP */ 1133 off_nl_nosnap = 3; /* 802.2 */ 1134 return; 1135 1136 case DLT_PPI: 1137 /* 1138 * At the moment we treat PPI the same way that we treat 1139 * normal Radiotap encoded packets. The difference is in 1140 * the function that generates the code at the beginning 1141 * to compute the header length. Since this code generator 1142 * of PPI supports bare 802.11 encapsulation only (i.e. 1143 * the encapsulated DLT should be DLT_IEEE802_11) we 1144 * generate code to check for this too. 1145 */ 1146 off_linktype = 24; 1147 off_macpl = 0; /* link-layer header is variable-length */ 1148 off_macpl_is_variable = 1; 1149 off_nl = 8; /* 802.2+SNAP */ 1150 off_nl_nosnap = 3; /* 802.2 */ 1151 return; 1152 1153 case DLT_ATM_RFC1483: 1154 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1155 /* 1156 * assume routed, non-ISO PDUs 1157 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1158 * 1159 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1160 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1161 * latter would presumably be treated the way PPPoE 1162 * should be, so you can do "pppoe and udp port 2049" 1163 * or "pppoa and tcp port 80" and have it check for 1164 * PPPo{A,E} and a PPP protocol of IP and.... 1165 */ 1166 off_linktype = 0; 1167 off_macpl = 0; /* packet begins with LLC header */ 1168 off_nl = 8; /* 802.2+SNAP */ 1169 off_nl_nosnap = 3; /* 802.2 */ 1170 return; 1171 1172 case DLT_SUNATM: 1173 /* 1174 * Full Frontal ATM; you get AALn PDUs with an ATM 1175 * pseudo-header. 1176 */ 1177 is_atm = 1; 1178 off_vpi = SUNATM_VPI_POS; 1179 off_vci = SUNATM_VCI_POS; 1180 off_proto = PROTO_POS; 1181 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1182 off_payload = SUNATM_PKT_BEGIN_POS; 1183 off_linktype = off_payload; 1184 off_macpl = off_payload; /* if LLC-encapsulated */ 1185 off_nl = 8; /* 802.2+SNAP */ 1186 off_nl_nosnap = 3; /* 802.2 */ 1187 return; 1188 1189 case DLT_RAW: 1190 case DLT_IPV4: 1191 case DLT_IPV6: 1192 off_linktype = -1; 1193 off_macpl = 0; 1194 off_nl = 0; 1195 off_nl_nosnap = 0; /* no 802.2 LLC */ 1196 return; 1197 1198 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1199 off_linktype = 14; 1200 off_macpl = 16; 1201 off_nl = 0; 1202 off_nl_nosnap = 0; /* no 802.2 LLC */ 1203 return; 1204 1205 case DLT_LTALK: 1206 /* 1207 * LocalTalk does have a 1-byte type field in the LLAP header, 1208 * but really it just indicates whether there is a "short" or 1209 * "long" DDP packet following. 1210 */ 1211 off_linktype = -1; 1212 off_macpl = 0; 1213 off_nl = 0; 1214 off_nl_nosnap = 0; /* no 802.2 LLC */ 1215 return; 1216 1217 case DLT_IP_OVER_FC: 1218 /* 1219 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1220 * link-level type field. We set "off_linktype" to the 1221 * offset of the LLC header. 1222 * 1223 * To check for Ethernet types, we assume that SSAP = SNAP 1224 * is being used and pick out the encapsulated Ethernet type. 1225 * XXX - should we generate code to check for SNAP? RFC 1226 * 2625 says SNAP should be used. 1227 */ 1228 off_linktype = 16; 1229 off_macpl = 16; 1230 off_nl = 8; /* 802.2+SNAP */ 1231 off_nl_nosnap = 3; /* 802.2 */ 1232 return; 1233 1234 case DLT_FRELAY: 1235 /* 1236 * XXX - we should set this to handle SNAP-encapsulated 1237 * frames (NLPID of 0x80). 1238 */ 1239 off_linktype = -1; 1240 off_macpl = 0; 1241 off_nl = 0; 1242 off_nl_nosnap = 0; /* no 802.2 LLC */ 1243 return; 1244 1245 /* 1246 * the only BPF-interesting FRF.16 frames are non-control frames; 1247 * Frame Relay has a variable length link-layer 1248 * so lets start with offset 4 for now and increments later on (FIXME); 1249 */ 1250 case DLT_MFR: 1251 off_linktype = -1; 1252 off_macpl = 0; 1253 off_nl = 4; 1254 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1255 return; 1256 1257 case DLT_APPLE_IP_OVER_IEEE1394: 1258 off_linktype = 16; 1259 off_macpl = 18; 1260 off_nl = 0; 1261 off_nl_nosnap = 0; /* no 802.2 LLC */ 1262 return; 1263 1264 case DLT_SYMANTEC_FIREWALL: 1265 off_linktype = 6; 1266 off_macpl = 44; 1267 off_nl = 0; /* Ethernet II */ 1268 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1269 return; 1270 1271 #ifdef HAVE_NET_PFVAR_H 1272 case DLT_PFLOG: 1273 off_linktype = 0; 1274 off_macpl = PFLOG_HDRLEN; 1275 off_nl = 0; 1276 off_nl_nosnap = 0; /* no 802.2 LLC */ 1277 return; 1278 #endif 1279 1280 case DLT_JUNIPER_MFR: 1281 case DLT_JUNIPER_MLFR: 1282 case DLT_JUNIPER_MLPPP: 1283 case DLT_JUNIPER_PPP: 1284 case DLT_JUNIPER_CHDLC: 1285 case DLT_JUNIPER_FRELAY: 1286 off_linktype = 4; 1287 off_macpl = 4; 1288 off_nl = 0; 1289 off_nl_nosnap = -1; /* no 802.2 LLC */ 1290 return; 1291 1292 case DLT_JUNIPER_ATM1: 1293 off_linktype = 4; /* in reality variable between 4-8 */ 1294 off_macpl = 4; /* in reality variable between 4-8 */ 1295 off_nl = 0; 1296 off_nl_nosnap = 10; 1297 return; 1298 1299 case DLT_JUNIPER_ATM2: 1300 off_linktype = 8; /* in reality variable between 8-12 */ 1301 off_macpl = 8; /* in reality variable between 8-12 */ 1302 off_nl = 0; 1303 off_nl_nosnap = 10; 1304 return; 1305 1306 /* frames captured on a Juniper PPPoE service PIC 1307 * contain raw ethernet frames */ 1308 case DLT_JUNIPER_PPPOE: 1309 case DLT_JUNIPER_ETHER: 1310 off_macpl = 14; 1311 off_linktype = 16; 1312 off_nl = 18; /* Ethernet II */ 1313 off_nl_nosnap = 21; /* 802.3+802.2 */ 1314 return; 1315 1316 case DLT_JUNIPER_PPPOE_ATM: 1317 off_linktype = 4; 1318 off_macpl = 6; 1319 off_nl = 0; 1320 off_nl_nosnap = -1; /* no 802.2 LLC */ 1321 return; 1322 1323 case DLT_JUNIPER_GGSN: 1324 off_linktype = 6; 1325 off_macpl = 12; 1326 off_nl = 0; 1327 off_nl_nosnap = -1; /* no 802.2 LLC */ 1328 return; 1329 1330 case DLT_JUNIPER_ES: 1331 off_linktype = 6; 1332 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1333 off_nl = -1; /* not really a network layer but raw IP addresses */ 1334 off_nl_nosnap = -1; /* no 802.2 LLC */ 1335 return; 1336 1337 case DLT_JUNIPER_MONITOR: 1338 off_linktype = 12; 1339 off_macpl = 12; 1340 off_nl = 0; /* raw IP/IP6 header */ 1341 off_nl_nosnap = -1; /* no 802.2 LLC */ 1342 return; 1343 1344 case DLT_JUNIPER_SERVICES: 1345 off_linktype = 12; 1346 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1347 off_nl = -1; /* L3 proto location dep. on cookie type */ 1348 off_nl_nosnap = -1; /* no 802.2 LLC */ 1349 return; 1350 1351 case DLT_JUNIPER_VP: 1352 off_linktype = 18; 1353 off_macpl = -1; 1354 off_nl = -1; 1355 off_nl_nosnap = -1; 1356 return; 1357 1358 case DLT_JUNIPER_ST: 1359 off_linktype = 18; 1360 off_macpl = -1; 1361 off_nl = -1; 1362 off_nl_nosnap = -1; 1363 return; 1364 1365 case DLT_JUNIPER_ISM: 1366 off_linktype = 8; 1367 off_macpl = -1; 1368 off_nl = -1; 1369 off_nl_nosnap = -1; 1370 return; 1371 1372 case DLT_JUNIPER_VS: 1373 case DLT_JUNIPER_SRX_E2E: 1374 case DLT_JUNIPER_FIBRECHANNEL: 1375 case DLT_JUNIPER_ATM_CEMIC: 1376 off_linktype = 8; 1377 off_macpl = -1; 1378 off_nl = -1; 1379 off_nl_nosnap = -1; 1380 return; 1381 1382 case DLT_MTP2: 1383 off_li = 2; 1384 off_sio = 3; 1385 off_opc = 4; 1386 off_dpc = 4; 1387 off_sls = 7; 1388 off_linktype = -1; 1389 off_macpl = -1; 1390 off_nl = -1; 1391 off_nl_nosnap = -1; 1392 return; 1393 1394 case DLT_MTP2_WITH_PHDR: 1395 off_li = 6; 1396 off_sio = 7; 1397 off_opc = 8; 1398 off_dpc = 8; 1399 off_sls = 11; 1400 off_linktype = -1; 1401 off_macpl = -1; 1402 off_nl = -1; 1403 off_nl_nosnap = -1; 1404 return; 1405 1406 case DLT_ERF: 1407 off_li = 22; 1408 off_sio = 23; 1409 off_opc = 24; 1410 off_dpc = 24; 1411 off_sls = 27; 1412 off_linktype = -1; 1413 off_macpl = -1; 1414 off_nl = -1; 1415 off_nl_nosnap = -1; 1416 return; 1417 1418 case DLT_PFSYNC: 1419 off_linktype = -1; 1420 off_macpl = 4; 1421 off_nl = 0; 1422 off_nl_nosnap = 0; 1423 return; 1424 1425 case DLT_AX25_KISS: 1426 /* 1427 * Currently, only raw "link[N:M]" filtering is supported. 1428 */ 1429 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1430 off_macpl = -1; 1431 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1432 off_nl_nosnap = -1; /* no 802.2 LLC */ 1433 off_mac = 1; /* step over the kiss length byte */ 1434 return; 1435 1436 case DLT_IPNET: 1437 off_linktype = 1; 1438 off_macpl = 24; /* ipnet header length */ 1439 off_nl = 0; 1440 off_nl_nosnap = -1; 1441 return; 1442 1443 case DLT_NETANALYZER: 1444 off_mac = 4; /* MAC header is past 4-byte pseudo-header */ 1445 off_linktype = 16; /* includes 4-byte pseudo-header */ 1446 off_macpl = 18; /* pseudo-header+Ethernet header length */ 1447 off_nl = 0; /* Ethernet II */ 1448 off_nl_nosnap = 3; /* 802.3+802.2 */ 1449 return; 1450 1451 case DLT_NETANALYZER_TRANSPARENT: 1452 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1453 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */ 1454 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */ 1455 off_nl = 0; /* Ethernet II */ 1456 off_nl_nosnap = 3; /* 802.3+802.2 */ 1457 return; 1458 1459 default: 1460 /* 1461 * For values in the range in which we've assigned new 1462 * DLT_ values, only raw "link[N:M]" filtering is supported. 1463 */ 1464 if (linktype >= DLT_MATCHING_MIN && 1465 linktype <= DLT_MATCHING_MAX) { 1466 off_linktype = -1; 1467 off_macpl = -1; 1468 off_nl = -1; 1469 off_nl_nosnap = -1; 1470 return; 1471 } 1472 1473 } 1474 bpf_error("unknown data link type %d", linktype); 1475 /* NOTREACHED */ 1476 } 1477 1478 /* 1479 * Load a value relative to the beginning of the link-layer header. 1480 * The link-layer header doesn't necessarily begin at the beginning 1481 * of the packet data; there might be a variable-length prefix containing 1482 * radio information. 1483 */ 1484 static struct slist * 1485 gen_load_llrel(offset, size) 1486 u_int offset, size; 1487 { 1488 struct slist *s, *s2; 1489 1490 s = gen_llprefixlen(); 1491 1492 /* 1493 * If "s" is non-null, it has code to arrange that the X register 1494 * contains the length of the prefix preceding the link-layer 1495 * header. 1496 * 1497 * Otherwise, the length of the prefix preceding the link-layer 1498 * header is "off_ll". 1499 */ 1500 if (s != NULL) { 1501 /* 1502 * There's a variable-length prefix preceding the 1503 * link-layer header. "s" points to a list of statements 1504 * that put the length of that prefix into the X register. 1505 * do an indirect load, to use the X register as an offset. 1506 */ 1507 s2 = new_stmt(BPF_LD|BPF_IND|size); 1508 s2->s.k = offset; 1509 sappend(s, s2); 1510 } else { 1511 /* 1512 * There is no variable-length header preceding the 1513 * link-layer header; add in off_ll, which, if there's 1514 * a fixed-length header preceding the link-layer header, 1515 * is the length of that header. 1516 */ 1517 s = new_stmt(BPF_LD|BPF_ABS|size); 1518 s->s.k = offset + off_ll; 1519 } 1520 return s; 1521 } 1522 1523 /* 1524 * Load a value relative to the beginning of the MAC-layer payload. 1525 */ 1526 static struct slist * 1527 gen_load_macplrel(offset, size) 1528 u_int offset, size; 1529 { 1530 struct slist *s, *s2; 1531 1532 s = gen_off_macpl(); 1533 1534 /* 1535 * If s is non-null, the offset of the MAC-layer payload is 1536 * variable, and s points to a list of instructions that 1537 * arrange that the X register contains that offset. 1538 * 1539 * Otherwise, the offset of the MAC-layer payload is constant, 1540 * and is in off_macpl. 1541 */ 1542 if (s != NULL) { 1543 /* 1544 * The offset of the MAC-layer payload is in the X 1545 * register. Do an indirect load, to use the X register 1546 * as an offset. 1547 */ 1548 s2 = new_stmt(BPF_LD|BPF_IND|size); 1549 s2->s.k = offset; 1550 sappend(s, s2); 1551 } else { 1552 /* 1553 * The offset of the MAC-layer payload is constant, 1554 * and is in off_macpl; load the value at that offset 1555 * plus the specified offset. 1556 */ 1557 s = new_stmt(BPF_LD|BPF_ABS|size); 1558 s->s.k = off_macpl + offset; 1559 } 1560 return s; 1561 } 1562 1563 /* 1564 * Load a value relative to the beginning of the specified header. 1565 */ 1566 static struct slist * 1567 gen_load_a(offrel, offset, size) 1568 enum e_offrel offrel; 1569 u_int offset, size; 1570 { 1571 struct slist *s, *s2; 1572 1573 switch (offrel) { 1574 1575 case OR_PACKET: 1576 s = new_stmt(BPF_LD|BPF_ABS|size); 1577 s->s.k = offset; 1578 break; 1579 1580 case OR_LINK: 1581 s = gen_load_llrel(offset, size); 1582 break; 1583 1584 case OR_MACPL: 1585 s = gen_load_macplrel(offset, size); 1586 break; 1587 1588 case OR_NET: 1589 s = gen_load_macplrel(off_nl + offset, size); 1590 break; 1591 1592 case OR_NET_NOSNAP: 1593 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1594 break; 1595 1596 case OR_TRAN_IPV4: 1597 /* 1598 * Load the X register with the length of the IPv4 header 1599 * (plus the offset of the link-layer header, if it's 1600 * preceded by a variable-length header such as a radio 1601 * header), in bytes. 1602 */ 1603 s = gen_loadx_iphdrlen(); 1604 1605 /* 1606 * Load the item at {offset of the MAC-layer payload} + 1607 * {offset, relative to the start of the MAC-layer 1608 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1609 * {specified offset}. 1610 * 1611 * (If the offset of the MAC-layer payload is variable, 1612 * it's included in the value in the X register, and 1613 * off_macpl is 0.) 1614 */ 1615 s2 = new_stmt(BPF_LD|BPF_IND|size); 1616 s2->s.k = off_macpl + off_nl + offset; 1617 sappend(s, s2); 1618 break; 1619 1620 case OR_TRAN_IPV6: 1621 s = gen_load_macplrel(off_nl + 40 + offset, size); 1622 break; 1623 1624 default: 1625 abort(); 1626 return NULL; 1627 } 1628 return s; 1629 } 1630 1631 /* 1632 * Generate code to load into the X register the sum of the length of 1633 * the IPv4 header and any variable-length header preceding the link-layer 1634 * header. 1635 */ 1636 static struct slist * 1637 gen_loadx_iphdrlen() 1638 { 1639 struct slist *s, *s2; 1640 1641 s = gen_off_macpl(); 1642 if (s != NULL) { 1643 /* 1644 * There's a variable-length prefix preceding the 1645 * link-layer header, or the link-layer header is itself 1646 * variable-length. "s" points to a list of statements 1647 * that put the offset of the MAC-layer payload into 1648 * the X register. 1649 * 1650 * The 4*([k]&0xf) addressing mode can't be used, as we 1651 * don't have a constant offset, so we have to load the 1652 * value in question into the A register and add to it 1653 * the value from the X register. 1654 */ 1655 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1656 s2->s.k = off_nl; 1657 sappend(s, s2); 1658 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1659 s2->s.k = 0xf; 1660 sappend(s, s2); 1661 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1662 s2->s.k = 2; 1663 sappend(s, s2); 1664 1665 /* 1666 * The A register now contains the length of the 1667 * IP header. We need to add to it the offset of 1668 * the MAC-layer payload, which is still in the X 1669 * register, and move the result into the X register. 1670 */ 1671 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1672 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1673 } else { 1674 /* 1675 * There is no variable-length header preceding the 1676 * link-layer header, and the link-layer header is 1677 * fixed-length; load the length of the IPv4 header, 1678 * which is at an offset of off_nl from the beginning 1679 * of the MAC-layer payload, and thus at an offset 1680 * of off_mac_pl + off_nl from the beginning of the 1681 * raw packet data. 1682 */ 1683 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1684 s->s.k = off_macpl + off_nl; 1685 } 1686 return s; 1687 } 1688 1689 static struct block * 1690 gen_uncond(rsense) 1691 int rsense; 1692 { 1693 struct block *b; 1694 struct slist *s; 1695 1696 s = new_stmt(BPF_LD|BPF_IMM); 1697 s->s.k = !rsense; 1698 b = new_block(JMP(BPF_JEQ)); 1699 b->stmts = s; 1700 1701 return b; 1702 } 1703 1704 static inline struct block * 1705 gen_true() 1706 { 1707 return gen_uncond(1); 1708 } 1709 1710 static inline struct block * 1711 gen_false() 1712 { 1713 return gen_uncond(0); 1714 } 1715 1716 /* 1717 * Byte-swap a 32-bit number. 1718 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1719 * big-endian platforms.) 1720 */ 1721 #define SWAPLONG(y) \ 1722 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1723 1724 /* 1725 * Generate code to match a particular packet type. 1726 * 1727 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1728 * value, if <= ETHERMTU. We use that to determine whether to 1729 * match the type/length field or to check the type/length field for 1730 * a value <= ETHERMTU to see whether it's a type field and then do 1731 * the appropriate test. 1732 */ 1733 static struct block * 1734 gen_ether_linktype(proto) 1735 register int proto; 1736 { 1737 struct block *b0, *b1; 1738 1739 switch (proto) { 1740 1741 case LLCSAP_ISONS: 1742 case LLCSAP_IP: 1743 case LLCSAP_NETBEUI: 1744 /* 1745 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1746 * so we check the DSAP and SSAP. 1747 * 1748 * LLCSAP_IP checks for IP-over-802.2, rather 1749 * than IP-over-Ethernet or IP-over-SNAP. 1750 * 1751 * XXX - should we check both the DSAP and the 1752 * SSAP, like this, or should we check just the 1753 * DSAP, as we do for other types <= ETHERMTU 1754 * (i.e., other SAP values)? 1755 */ 1756 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1757 gen_not(b0); 1758 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1759 ((proto << 8) | proto)); 1760 gen_and(b0, b1); 1761 return b1; 1762 1763 case LLCSAP_IPX: 1764 /* 1765 * Check for; 1766 * 1767 * Ethernet_II frames, which are Ethernet 1768 * frames with a frame type of ETHERTYPE_IPX; 1769 * 1770 * Ethernet_802.3 frames, which are 802.3 1771 * frames (i.e., the type/length field is 1772 * a length field, <= ETHERMTU, rather than 1773 * a type field) with the first two bytes 1774 * after the Ethernet/802.3 header being 1775 * 0xFFFF; 1776 * 1777 * Ethernet_802.2 frames, which are 802.3 1778 * frames with an 802.2 LLC header and 1779 * with the IPX LSAP as the DSAP in the LLC 1780 * header; 1781 * 1782 * Ethernet_SNAP frames, which are 802.3 1783 * frames with an LLC header and a SNAP 1784 * header and with an OUI of 0x000000 1785 * (encapsulated Ethernet) and a protocol 1786 * ID of ETHERTYPE_IPX in the SNAP header. 1787 * 1788 * XXX - should we generate the same code both 1789 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1790 */ 1791 1792 /* 1793 * This generates code to check both for the 1794 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1795 */ 1796 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1797 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1798 gen_or(b0, b1); 1799 1800 /* 1801 * Now we add code to check for SNAP frames with 1802 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1803 */ 1804 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1805 gen_or(b0, b1); 1806 1807 /* 1808 * Now we generate code to check for 802.3 1809 * frames in general. 1810 */ 1811 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1812 gen_not(b0); 1813 1814 /* 1815 * Now add the check for 802.3 frames before the 1816 * check for Ethernet_802.2 and Ethernet_802.3, 1817 * as those checks should only be done on 802.3 1818 * frames, not on Ethernet frames. 1819 */ 1820 gen_and(b0, b1); 1821 1822 /* 1823 * Now add the check for Ethernet_II frames, and 1824 * do that before checking for the other frame 1825 * types. 1826 */ 1827 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1828 (bpf_int32)ETHERTYPE_IPX); 1829 gen_or(b0, b1); 1830 return b1; 1831 1832 case ETHERTYPE_ATALK: 1833 case ETHERTYPE_AARP: 1834 /* 1835 * EtherTalk (AppleTalk protocols on Ethernet link 1836 * layer) may use 802.2 encapsulation. 1837 */ 1838 1839 /* 1840 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1841 * we check for an Ethernet type field less than 1842 * 1500, which means it's an 802.3 length field. 1843 */ 1844 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1845 gen_not(b0); 1846 1847 /* 1848 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1849 * SNAP packets with an organization code of 1850 * 0x080007 (Apple, for Appletalk) and a protocol 1851 * type of ETHERTYPE_ATALK (Appletalk). 1852 * 1853 * 802.2-encapsulated ETHERTYPE_AARP packets are 1854 * SNAP packets with an organization code of 1855 * 0x000000 (encapsulated Ethernet) and a protocol 1856 * type of ETHERTYPE_AARP (Appletalk ARP). 1857 */ 1858 if (proto == ETHERTYPE_ATALK) 1859 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1860 else /* proto == ETHERTYPE_AARP */ 1861 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1862 gen_and(b0, b1); 1863 1864 /* 1865 * Check for Ethernet encapsulation (Ethertalk 1866 * phase 1?); we just check for the Ethernet 1867 * protocol type. 1868 */ 1869 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1870 1871 gen_or(b0, b1); 1872 return b1; 1873 1874 default: 1875 if (proto <= ETHERMTU) { 1876 /* 1877 * This is an LLC SAP value, so the frames 1878 * that match would be 802.2 frames. 1879 * Check that the frame is an 802.2 frame 1880 * (i.e., that the length/type field is 1881 * a length field, <= ETHERMTU) and 1882 * then check the DSAP. 1883 */ 1884 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1885 gen_not(b0); 1886 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1887 (bpf_int32)proto); 1888 gen_and(b0, b1); 1889 return b1; 1890 } else { 1891 /* 1892 * This is an Ethernet type, so compare 1893 * the length/type field with it (if 1894 * the frame is an 802.2 frame, the length 1895 * field will be <= ETHERMTU, and, as 1896 * "proto" is > ETHERMTU, this test 1897 * will fail and the frame won't match, 1898 * which is what we want). 1899 */ 1900 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1901 (bpf_int32)proto); 1902 } 1903 } 1904 } 1905 1906 /* 1907 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1908 * or IPv6 then we have an error. 1909 */ 1910 static struct block * 1911 gen_ipnet_linktype(proto) 1912 register int proto; 1913 { 1914 switch (proto) { 1915 1916 case ETHERTYPE_IP: 1917 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1918 (bpf_int32)IPH_AF_INET); 1919 /* NOTREACHED */ 1920 1921 case ETHERTYPE_IPV6: 1922 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1923 (bpf_int32)IPH_AF_INET6); 1924 /* NOTREACHED */ 1925 1926 default: 1927 break; 1928 } 1929 1930 return gen_false(); 1931 } 1932 1933 /* 1934 * Generate code to match a particular packet type. 1935 * 1936 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1937 * value, if <= ETHERMTU. We use that to determine whether to 1938 * match the type field or to check the type field for the special 1939 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1940 */ 1941 static struct block * 1942 gen_linux_sll_linktype(proto) 1943 register int proto; 1944 { 1945 struct block *b0, *b1; 1946 1947 switch (proto) { 1948 1949 case LLCSAP_ISONS: 1950 case LLCSAP_IP: 1951 case LLCSAP_NETBEUI: 1952 /* 1953 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1954 * so we check the DSAP and SSAP. 1955 * 1956 * LLCSAP_IP checks for IP-over-802.2, rather 1957 * than IP-over-Ethernet or IP-over-SNAP. 1958 * 1959 * XXX - should we check both the DSAP and the 1960 * SSAP, like this, or should we check just the 1961 * DSAP, as we do for other types <= ETHERMTU 1962 * (i.e., other SAP values)? 1963 */ 1964 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1965 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1966 ((proto << 8) | proto)); 1967 gen_and(b0, b1); 1968 return b1; 1969 1970 case LLCSAP_IPX: 1971 /* 1972 * Ethernet_II frames, which are Ethernet 1973 * frames with a frame type of ETHERTYPE_IPX; 1974 * 1975 * Ethernet_802.3 frames, which have a frame 1976 * type of LINUX_SLL_P_802_3; 1977 * 1978 * Ethernet_802.2 frames, which are 802.3 1979 * frames with an 802.2 LLC header (i.e, have 1980 * a frame type of LINUX_SLL_P_802_2) and 1981 * with the IPX LSAP as the DSAP in the LLC 1982 * header; 1983 * 1984 * Ethernet_SNAP frames, which are 802.3 1985 * frames with an LLC header and a SNAP 1986 * header and with an OUI of 0x000000 1987 * (encapsulated Ethernet) and a protocol 1988 * ID of ETHERTYPE_IPX in the SNAP header. 1989 * 1990 * First, do the checks on LINUX_SLL_P_802_2 1991 * frames; generate the check for either 1992 * Ethernet_802.2 or Ethernet_SNAP frames, and 1993 * then put a check for LINUX_SLL_P_802_2 frames 1994 * before it. 1995 */ 1996 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1997 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 1998 gen_or(b0, b1); 1999 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2000 gen_and(b0, b1); 2001 2002 /* 2003 * Now check for 802.3 frames and OR that with 2004 * the previous test. 2005 */ 2006 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2007 gen_or(b0, b1); 2008 2009 /* 2010 * Now add the check for Ethernet_II frames, and 2011 * do that before checking for the other frame 2012 * types. 2013 */ 2014 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2015 (bpf_int32)ETHERTYPE_IPX); 2016 gen_or(b0, b1); 2017 return b1; 2018 2019 case ETHERTYPE_ATALK: 2020 case ETHERTYPE_AARP: 2021 /* 2022 * EtherTalk (AppleTalk protocols on Ethernet link 2023 * layer) may use 802.2 encapsulation. 2024 */ 2025 2026 /* 2027 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2028 * we check for the 802.2 protocol type in the 2029 * "Ethernet type" field. 2030 */ 2031 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2032 2033 /* 2034 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2035 * SNAP packets with an organization code of 2036 * 0x080007 (Apple, for Appletalk) and a protocol 2037 * type of ETHERTYPE_ATALK (Appletalk). 2038 * 2039 * 802.2-encapsulated ETHERTYPE_AARP packets are 2040 * SNAP packets with an organization code of 2041 * 0x000000 (encapsulated Ethernet) and a protocol 2042 * type of ETHERTYPE_AARP (Appletalk ARP). 2043 */ 2044 if (proto == ETHERTYPE_ATALK) 2045 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2046 else /* proto == ETHERTYPE_AARP */ 2047 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2048 gen_and(b0, b1); 2049 2050 /* 2051 * Check for Ethernet encapsulation (Ethertalk 2052 * phase 1?); we just check for the Ethernet 2053 * protocol type. 2054 */ 2055 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2056 2057 gen_or(b0, b1); 2058 return b1; 2059 2060 default: 2061 if (proto <= ETHERMTU) { 2062 /* 2063 * This is an LLC SAP value, so the frames 2064 * that match would be 802.2 frames. 2065 * Check for the 802.2 protocol type 2066 * in the "Ethernet type" field, and 2067 * then check the DSAP. 2068 */ 2069 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2070 LINUX_SLL_P_802_2); 2071 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2072 (bpf_int32)proto); 2073 gen_and(b0, b1); 2074 return b1; 2075 } else { 2076 /* 2077 * This is an Ethernet type, so compare 2078 * the length/type field with it (if 2079 * the frame is an 802.2 frame, the length 2080 * field will be <= ETHERMTU, and, as 2081 * "proto" is > ETHERMTU, this test 2082 * will fail and the frame won't match, 2083 * which is what we want). 2084 */ 2085 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2086 (bpf_int32)proto); 2087 } 2088 } 2089 } 2090 2091 static struct slist * 2092 gen_load_prism_llprefixlen() 2093 { 2094 struct slist *s1, *s2; 2095 struct slist *sjeq_avs_cookie; 2096 struct slist *sjcommon; 2097 2098 /* 2099 * This code is not compatible with the optimizer, as 2100 * we are generating jmp instructions within a normal 2101 * slist of instructions 2102 */ 2103 no_optimize = 1; 2104 2105 /* 2106 * Generate code to load the length of the radio header into 2107 * the register assigned to hold that length, if one has been 2108 * assigned. (If one hasn't been assigned, no code we've 2109 * generated uses that prefix, so we don't need to generate any 2110 * code to load it.) 2111 * 2112 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2113 * or always use the AVS header rather than the Prism header. 2114 * We load a 4-byte big-endian value at the beginning of the 2115 * raw packet data, and see whether, when masked with 0xFFFFF000, 2116 * it's equal to 0x80211000. If so, that indicates that it's 2117 * an AVS header (the masked-out bits are the version number). 2118 * Otherwise, it's a Prism header. 2119 * 2120 * XXX - the Prism header is also, in theory, variable-length, 2121 * but no known software generates headers that aren't 144 2122 * bytes long. 2123 */ 2124 if (reg_off_ll != -1) { 2125 /* 2126 * Load the cookie. 2127 */ 2128 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2129 s1->s.k = 0; 2130 2131 /* 2132 * AND it with 0xFFFFF000. 2133 */ 2134 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2135 s2->s.k = 0xFFFFF000; 2136 sappend(s1, s2); 2137 2138 /* 2139 * Compare with 0x80211000. 2140 */ 2141 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2142 sjeq_avs_cookie->s.k = 0x80211000; 2143 sappend(s1, sjeq_avs_cookie); 2144 2145 /* 2146 * If it's AVS: 2147 * 2148 * The 4 bytes at an offset of 4 from the beginning of 2149 * the AVS header are the length of the AVS header. 2150 * That field is big-endian. 2151 */ 2152 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2153 s2->s.k = 4; 2154 sappend(s1, s2); 2155 sjeq_avs_cookie->s.jt = s2; 2156 2157 /* 2158 * Now jump to the code to allocate a register 2159 * into which to save the header length and 2160 * store the length there. (The "jump always" 2161 * instruction needs to have the k field set; 2162 * it's added to the PC, so, as we're jumping 2163 * over a single instruction, it should be 1.) 2164 */ 2165 sjcommon = new_stmt(JMP(BPF_JA)); 2166 sjcommon->s.k = 1; 2167 sappend(s1, sjcommon); 2168 2169 /* 2170 * Now for the code that handles the Prism header. 2171 * Just load the length of the Prism header (144) 2172 * into the A register. Have the test for an AVS 2173 * header branch here if we don't have an AVS header. 2174 */ 2175 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2176 s2->s.k = 144; 2177 sappend(s1, s2); 2178 sjeq_avs_cookie->s.jf = s2; 2179 2180 /* 2181 * Now allocate a register to hold that value and store 2182 * it. The code for the AVS header will jump here after 2183 * loading the length of the AVS header. 2184 */ 2185 s2 = new_stmt(BPF_ST); 2186 s2->s.k = reg_off_ll; 2187 sappend(s1, s2); 2188 sjcommon->s.jf = s2; 2189 2190 /* 2191 * Now move it into the X register. 2192 */ 2193 s2 = new_stmt(BPF_MISC|BPF_TAX); 2194 sappend(s1, s2); 2195 2196 return (s1); 2197 } else 2198 return (NULL); 2199 } 2200 2201 static struct slist * 2202 gen_load_avs_llprefixlen() 2203 { 2204 struct slist *s1, *s2; 2205 2206 /* 2207 * Generate code to load the length of the AVS header into 2208 * the register assigned to hold that length, if one has been 2209 * assigned. (If one hasn't been assigned, no code we've 2210 * generated uses that prefix, so we don't need to generate any 2211 * code to load it.) 2212 */ 2213 if (reg_off_ll != -1) { 2214 /* 2215 * The 4 bytes at an offset of 4 from the beginning of 2216 * the AVS header are the length of the AVS header. 2217 * That field is big-endian. 2218 */ 2219 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2220 s1->s.k = 4; 2221 2222 /* 2223 * Now allocate a register to hold that value and store 2224 * it. 2225 */ 2226 s2 = new_stmt(BPF_ST); 2227 s2->s.k = reg_off_ll; 2228 sappend(s1, s2); 2229 2230 /* 2231 * Now move it into the X register. 2232 */ 2233 s2 = new_stmt(BPF_MISC|BPF_TAX); 2234 sappend(s1, s2); 2235 2236 return (s1); 2237 } else 2238 return (NULL); 2239 } 2240 2241 static struct slist * 2242 gen_load_radiotap_llprefixlen() 2243 { 2244 struct slist *s1, *s2; 2245 2246 /* 2247 * Generate code to load the length of the radiotap header into 2248 * the register assigned to hold that length, if one has been 2249 * assigned. (If one hasn't been assigned, no code we've 2250 * generated uses that prefix, so we don't need to generate any 2251 * code to load it.) 2252 */ 2253 if (reg_off_ll != -1) { 2254 /* 2255 * The 2 bytes at offsets of 2 and 3 from the beginning 2256 * of the radiotap header are the length of the radiotap 2257 * header; unfortunately, it's little-endian, so we have 2258 * to load it a byte at a time and construct the value. 2259 */ 2260 2261 /* 2262 * Load the high-order byte, at an offset of 3, shift it 2263 * left a byte, and put the result in the X register. 2264 */ 2265 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2266 s1->s.k = 3; 2267 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2268 sappend(s1, s2); 2269 s2->s.k = 8; 2270 s2 = new_stmt(BPF_MISC|BPF_TAX); 2271 sappend(s1, s2); 2272 2273 /* 2274 * Load the next byte, at an offset of 2, and OR the 2275 * value from the X register into it. 2276 */ 2277 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2278 sappend(s1, s2); 2279 s2->s.k = 2; 2280 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2281 sappend(s1, s2); 2282 2283 /* 2284 * Now allocate a register to hold that value and store 2285 * it. 2286 */ 2287 s2 = new_stmt(BPF_ST); 2288 s2->s.k = reg_off_ll; 2289 sappend(s1, s2); 2290 2291 /* 2292 * Now move it into the X register. 2293 */ 2294 s2 = new_stmt(BPF_MISC|BPF_TAX); 2295 sappend(s1, s2); 2296 2297 return (s1); 2298 } else 2299 return (NULL); 2300 } 2301 2302 /* 2303 * At the moment we treat PPI as normal Radiotap encoded 2304 * packets. The difference is in the function that generates 2305 * the code at the beginning to compute the header length. 2306 * Since this code generator of PPI supports bare 802.11 2307 * encapsulation only (i.e. the encapsulated DLT should be 2308 * DLT_IEEE802_11) we generate code to check for this too; 2309 * that's done in finish_parse(). 2310 */ 2311 static struct slist * 2312 gen_load_ppi_llprefixlen() 2313 { 2314 struct slist *s1, *s2; 2315 2316 /* 2317 * Generate code to load the length of the radiotap header 2318 * into the register assigned to hold that length, if one has 2319 * been assigned. 2320 */ 2321 if (reg_off_ll != -1) { 2322 /* 2323 * The 2 bytes at offsets of 2 and 3 from the beginning 2324 * of the radiotap header are the length of the radiotap 2325 * header; unfortunately, it's little-endian, so we have 2326 * to load it a byte at a time and construct the value. 2327 */ 2328 2329 /* 2330 * Load the high-order byte, at an offset of 3, shift it 2331 * left a byte, and put the result in the X register. 2332 */ 2333 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2334 s1->s.k = 3; 2335 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2336 sappend(s1, s2); 2337 s2->s.k = 8; 2338 s2 = new_stmt(BPF_MISC|BPF_TAX); 2339 sappend(s1, s2); 2340 2341 /* 2342 * Load the next byte, at an offset of 2, and OR the 2343 * value from the X register into it. 2344 */ 2345 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2346 sappend(s1, s2); 2347 s2->s.k = 2; 2348 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2349 sappend(s1, s2); 2350 2351 /* 2352 * Now allocate a register to hold that value and store 2353 * it. 2354 */ 2355 s2 = new_stmt(BPF_ST); 2356 s2->s.k = reg_off_ll; 2357 sappend(s1, s2); 2358 2359 /* 2360 * Now move it into the X register. 2361 */ 2362 s2 = new_stmt(BPF_MISC|BPF_TAX); 2363 sappend(s1, s2); 2364 2365 return (s1); 2366 } else 2367 return (NULL); 2368 } 2369 2370 /* 2371 * Load a value relative to the beginning of the link-layer header after the 802.11 2372 * header, i.e. LLC_SNAP. 2373 * The link-layer header doesn't necessarily begin at the beginning 2374 * of the packet data; there might be a variable-length prefix containing 2375 * radio information. 2376 */ 2377 static struct slist * 2378 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2379 { 2380 struct slist *s2; 2381 struct slist *sjset_data_frame_1; 2382 struct slist *sjset_data_frame_2; 2383 struct slist *sjset_qos; 2384 struct slist *sjset_radiotap_flags; 2385 struct slist *sjset_radiotap_tsft; 2386 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2387 struct slist *s_roundup; 2388 2389 if (reg_off_macpl == -1) { 2390 /* 2391 * No register has been assigned to the offset of 2392 * the MAC-layer payload, which means nobody needs 2393 * it; don't bother computing it - just return 2394 * what we already have. 2395 */ 2396 return (s); 2397 } 2398 2399 /* 2400 * This code is not compatible with the optimizer, as 2401 * we are generating jmp instructions within a normal 2402 * slist of instructions 2403 */ 2404 no_optimize = 1; 2405 2406 /* 2407 * If "s" is non-null, it has code to arrange that the X register 2408 * contains the length of the prefix preceding the link-layer 2409 * header. 2410 * 2411 * Otherwise, the length of the prefix preceding the link-layer 2412 * header is "off_ll". 2413 */ 2414 if (s == NULL) { 2415 /* 2416 * There is no variable-length header preceding the 2417 * link-layer header. 2418 * 2419 * Load the length of the fixed-length prefix preceding 2420 * the link-layer header (if any) into the X register, 2421 * and store it in the reg_off_macpl register. 2422 * That length is off_ll. 2423 */ 2424 s = new_stmt(BPF_LDX|BPF_IMM); 2425 s->s.k = off_ll; 2426 } 2427 2428 /* 2429 * The X register contains the offset of the beginning of the 2430 * link-layer header; add 24, which is the minimum length 2431 * of the MAC header for a data frame, to that, and store it 2432 * in reg_off_macpl, and then load the Frame Control field, 2433 * which is at the offset in the X register, with an indexed load. 2434 */ 2435 s2 = new_stmt(BPF_MISC|BPF_TXA); 2436 sappend(s, s2); 2437 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2438 s2->s.k = 24; 2439 sappend(s, s2); 2440 s2 = new_stmt(BPF_ST); 2441 s2->s.k = reg_off_macpl; 2442 sappend(s, s2); 2443 2444 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2445 s2->s.k = 0; 2446 sappend(s, s2); 2447 2448 /* 2449 * Check the Frame Control field to see if this is a data frame; 2450 * a data frame has the 0x08 bit (b3) in that field set and the 2451 * 0x04 bit (b2) clear. 2452 */ 2453 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2454 sjset_data_frame_1->s.k = 0x08; 2455 sappend(s, sjset_data_frame_1); 2456 2457 /* 2458 * If b3 is set, test b2, otherwise go to the first statement of 2459 * the rest of the program. 2460 */ 2461 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2462 sjset_data_frame_2->s.k = 0x04; 2463 sappend(s, sjset_data_frame_2); 2464 sjset_data_frame_1->s.jf = snext; 2465 2466 /* 2467 * If b2 is not set, this is a data frame; test the QoS bit. 2468 * Otherwise, go to the first statement of the rest of the 2469 * program. 2470 */ 2471 sjset_data_frame_2->s.jt = snext; 2472 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2473 sjset_qos->s.k = 0x80; /* QoS bit */ 2474 sappend(s, sjset_qos); 2475 2476 /* 2477 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2478 * field. 2479 * Otherwise, go to the first statement of the rest of the 2480 * program. 2481 */ 2482 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2483 s2->s.k = reg_off_macpl; 2484 sappend(s, s2); 2485 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2486 s2->s.k = 2; 2487 sappend(s, s2); 2488 s2 = new_stmt(BPF_ST); 2489 s2->s.k = reg_off_macpl; 2490 sappend(s, s2); 2491 2492 /* 2493 * If we have a radiotap header, look at it to see whether 2494 * there's Atheros padding between the MAC-layer header 2495 * and the payload. 2496 * 2497 * Note: all of the fields in the radiotap header are 2498 * little-endian, so we byte-swap all of the values 2499 * we test against, as they will be loaded as big-endian 2500 * values. 2501 */ 2502 if (linktype == DLT_IEEE802_11_RADIO) { 2503 /* 2504 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2505 * in the presence flag? 2506 */ 2507 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2508 s2->s.k = 4; 2509 sappend(s, s2); 2510 2511 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2512 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2513 sappend(s, sjset_radiotap_flags); 2514 2515 /* 2516 * If not, skip all of this. 2517 */ 2518 sjset_radiotap_flags->s.jf = snext; 2519 2520 /* 2521 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2522 */ 2523 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2524 new_stmt(JMP(BPF_JSET)); 2525 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2526 sappend(s, sjset_radiotap_tsft); 2527 2528 /* 2529 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2530 * at an offset of 16 from the beginning of the raw packet 2531 * data (8 bytes for the radiotap header and 8 bytes for 2532 * the TSFT field). 2533 * 2534 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2535 * is set. 2536 */ 2537 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2538 s2->s.k = 16; 2539 sappend(s, s2); 2540 2541 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2542 sjset_tsft_datapad->s.k = 0x20; 2543 sappend(s, sjset_tsft_datapad); 2544 2545 /* 2546 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2547 * at an offset of 8 from the beginning of the raw packet 2548 * data (8 bytes for the radiotap header). 2549 * 2550 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2551 * is set. 2552 */ 2553 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2554 s2->s.k = 8; 2555 sappend(s, s2); 2556 2557 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2558 sjset_notsft_datapad->s.k = 0x20; 2559 sappend(s, sjset_notsft_datapad); 2560 2561 /* 2562 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2563 * set, round the length of the 802.11 header to 2564 * a multiple of 4. Do that by adding 3 and then 2565 * dividing by and multiplying by 4, which we do by 2566 * ANDing with ~3. 2567 */ 2568 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2569 s_roundup->s.k = reg_off_macpl; 2570 sappend(s, s_roundup); 2571 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2572 s2->s.k = 3; 2573 sappend(s, s2); 2574 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2575 s2->s.k = ~3; 2576 sappend(s, s2); 2577 s2 = new_stmt(BPF_ST); 2578 s2->s.k = reg_off_macpl; 2579 sappend(s, s2); 2580 2581 sjset_tsft_datapad->s.jt = s_roundup; 2582 sjset_tsft_datapad->s.jf = snext; 2583 sjset_notsft_datapad->s.jt = s_roundup; 2584 sjset_notsft_datapad->s.jf = snext; 2585 } else 2586 sjset_qos->s.jf = snext; 2587 2588 return s; 2589 } 2590 2591 static void 2592 insert_compute_vloffsets(b) 2593 struct block *b; 2594 { 2595 struct slist *s; 2596 2597 /* 2598 * For link-layer types that have a variable-length header 2599 * preceding the link-layer header, generate code to load 2600 * the offset of the link-layer header into the register 2601 * assigned to that offset, if any. 2602 */ 2603 switch (linktype) { 2604 2605 case DLT_PRISM_HEADER: 2606 s = gen_load_prism_llprefixlen(); 2607 break; 2608 2609 case DLT_IEEE802_11_RADIO_AVS: 2610 s = gen_load_avs_llprefixlen(); 2611 break; 2612 2613 case DLT_IEEE802_11_RADIO: 2614 s = gen_load_radiotap_llprefixlen(); 2615 break; 2616 2617 case DLT_PPI: 2618 s = gen_load_ppi_llprefixlen(); 2619 break; 2620 2621 default: 2622 s = NULL; 2623 break; 2624 } 2625 2626 /* 2627 * For link-layer types that have a variable-length link-layer 2628 * header, generate code to load the offset of the MAC-layer 2629 * payload into the register assigned to that offset, if any. 2630 */ 2631 switch (linktype) { 2632 2633 case DLT_IEEE802_11: 2634 case DLT_PRISM_HEADER: 2635 case DLT_IEEE802_11_RADIO_AVS: 2636 case DLT_IEEE802_11_RADIO: 2637 case DLT_PPI: 2638 s = gen_load_802_11_header_len(s, b->stmts); 2639 break; 2640 } 2641 2642 /* 2643 * If we have any offset-loading code, append all the 2644 * existing statements in the block to those statements, 2645 * and make the resulting list the list of statements 2646 * for the block. 2647 */ 2648 if (s != NULL) { 2649 sappend(s, b->stmts); 2650 b->stmts = s; 2651 } 2652 } 2653 2654 static struct block * 2655 gen_ppi_dlt_check(void) 2656 { 2657 struct slist *s_load_dlt; 2658 struct block *b; 2659 2660 if (linktype == DLT_PPI) 2661 { 2662 /* Create the statements that check for the DLT 2663 */ 2664 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2665 s_load_dlt->s.k = 4; 2666 2667 b = new_block(JMP(BPF_JEQ)); 2668 2669 b->stmts = s_load_dlt; 2670 b->s.k = SWAPLONG(DLT_IEEE802_11); 2671 } 2672 else 2673 { 2674 b = NULL; 2675 } 2676 2677 return b; 2678 } 2679 2680 static struct slist * 2681 gen_prism_llprefixlen(void) 2682 { 2683 struct slist *s; 2684 2685 if (reg_off_ll == -1) { 2686 /* 2687 * We haven't yet assigned a register for the length 2688 * of the radio header; allocate one. 2689 */ 2690 reg_off_ll = alloc_reg(); 2691 } 2692 2693 /* 2694 * Load the register containing the radio length 2695 * into the X register. 2696 */ 2697 s = new_stmt(BPF_LDX|BPF_MEM); 2698 s->s.k = reg_off_ll; 2699 return s; 2700 } 2701 2702 static struct slist * 2703 gen_avs_llprefixlen(void) 2704 { 2705 struct slist *s; 2706 2707 if (reg_off_ll == -1) { 2708 /* 2709 * We haven't yet assigned a register for the length 2710 * of the AVS header; allocate one. 2711 */ 2712 reg_off_ll = alloc_reg(); 2713 } 2714 2715 /* 2716 * Load the register containing the AVS length 2717 * into the X register. 2718 */ 2719 s = new_stmt(BPF_LDX|BPF_MEM); 2720 s->s.k = reg_off_ll; 2721 return s; 2722 } 2723 2724 static struct slist * 2725 gen_radiotap_llprefixlen(void) 2726 { 2727 struct slist *s; 2728 2729 if (reg_off_ll == -1) { 2730 /* 2731 * We haven't yet assigned a register for the length 2732 * of the radiotap header; allocate one. 2733 */ 2734 reg_off_ll = alloc_reg(); 2735 } 2736 2737 /* 2738 * Load the register containing the radiotap length 2739 * into the X register. 2740 */ 2741 s = new_stmt(BPF_LDX|BPF_MEM); 2742 s->s.k = reg_off_ll; 2743 return s; 2744 } 2745 2746 /* 2747 * At the moment we treat PPI as normal Radiotap encoded 2748 * packets. The difference is in the function that generates 2749 * the code at the beginning to compute the header length. 2750 * Since this code generator of PPI supports bare 802.11 2751 * encapsulation only (i.e. the encapsulated DLT should be 2752 * DLT_IEEE802_11) we generate code to check for this too. 2753 */ 2754 static struct slist * 2755 gen_ppi_llprefixlen(void) 2756 { 2757 struct slist *s; 2758 2759 if (reg_off_ll == -1) { 2760 /* 2761 * We haven't yet assigned a register for the length 2762 * of the radiotap header; allocate one. 2763 */ 2764 reg_off_ll = alloc_reg(); 2765 } 2766 2767 /* 2768 * Load the register containing the PPI length 2769 * into the X register. 2770 */ 2771 s = new_stmt(BPF_LDX|BPF_MEM); 2772 s->s.k = reg_off_ll; 2773 return s; 2774 } 2775 2776 /* 2777 * Generate code to compute the link-layer header length, if necessary, 2778 * putting it into the X register, and to return either a pointer to a 2779 * "struct slist" for the list of statements in that code, or NULL if 2780 * no code is necessary. 2781 */ 2782 static struct slist * 2783 gen_llprefixlen(void) 2784 { 2785 switch (linktype) { 2786 2787 case DLT_PRISM_HEADER: 2788 return gen_prism_llprefixlen(); 2789 2790 case DLT_IEEE802_11_RADIO_AVS: 2791 return gen_avs_llprefixlen(); 2792 2793 case DLT_IEEE802_11_RADIO: 2794 return gen_radiotap_llprefixlen(); 2795 2796 case DLT_PPI: 2797 return gen_ppi_llprefixlen(); 2798 2799 default: 2800 return NULL; 2801 } 2802 } 2803 2804 /* 2805 * Generate code to load the register containing the offset of the 2806 * MAC-layer payload into the X register; if no register for that offset 2807 * has been allocated, allocate it first. 2808 */ 2809 static struct slist * 2810 gen_off_macpl(void) 2811 { 2812 struct slist *s; 2813 2814 if (off_macpl_is_variable) { 2815 if (reg_off_macpl == -1) { 2816 /* 2817 * We haven't yet assigned a register for the offset 2818 * of the MAC-layer payload; allocate one. 2819 */ 2820 reg_off_macpl = alloc_reg(); 2821 } 2822 2823 /* 2824 * Load the register containing the offset of the MAC-layer 2825 * payload into the X register. 2826 */ 2827 s = new_stmt(BPF_LDX|BPF_MEM); 2828 s->s.k = reg_off_macpl; 2829 return s; 2830 } else { 2831 /* 2832 * That offset isn't variable, so we don't need to 2833 * generate any code. 2834 */ 2835 return NULL; 2836 } 2837 } 2838 2839 /* 2840 * Map an Ethernet type to the equivalent PPP type. 2841 */ 2842 static int 2843 ethertype_to_ppptype(proto) 2844 int proto; 2845 { 2846 switch (proto) { 2847 2848 case ETHERTYPE_IP: 2849 proto = PPP_IP; 2850 break; 2851 2852 case ETHERTYPE_IPV6: 2853 proto = PPP_IPV6; 2854 break; 2855 2856 case ETHERTYPE_DN: 2857 proto = PPP_DECNET; 2858 break; 2859 2860 case ETHERTYPE_ATALK: 2861 proto = PPP_APPLE; 2862 break; 2863 2864 case ETHERTYPE_NS: 2865 proto = PPP_NS; 2866 break; 2867 2868 case LLCSAP_ISONS: 2869 proto = PPP_OSI; 2870 break; 2871 2872 case LLCSAP_8021D: 2873 /* 2874 * I'm assuming the "Bridging PDU"s that go 2875 * over PPP are Spanning Tree Protocol 2876 * Bridging PDUs. 2877 */ 2878 proto = PPP_BRPDU; 2879 break; 2880 2881 case LLCSAP_IPX: 2882 proto = PPP_IPX; 2883 break; 2884 } 2885 return (proto); 2886 } 2887 2888 /* 2889 * Generate code to match a particular packet type by matching the 2890 * link-layer type field or fields in the 802.2 LLC header. 2891 * 2892 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2893 * value, if <= ETHERMTU. 2894 */ 2895 static struct block * 2896 gen_linktype(proto) 2897 register int proto; 2898 { 2899 struct block *b0, *b1, *b2; 2900 2901 /* are we checking MPLS-encapsulated packets? */ 2902 if (label_stack_depth > 0) { 2903 switch (proto) { 2904 case ETHERTYPE_IP: 2905 case PPP_IP: 2906 /* FIXME add other L3 proto IDs */ 2907 return gen_mpls_linktype(Q_IP); 2908 2909 case ETHERTYPE_IPV6: 2910 case PPP_IPV6: 2911 /* FIXME add other L3 proto IDs */ 2912 return gen_mpls_linktype(Q_IPV6); 2913 2914 default: 2915 bpf_error("unsupported protocol over mpls"); 2916 /* NOTREACHED */ 2917 } 2918 } 2919 2920 /* 2921 * Are we testing PPPoE packets? 2922 */ 2923 if (is_pppoes) { 2924 /* 2925 * The PPPoE session header is part of the 2926 * MAC-layer payload, so all references 2927 * should be relative to the beginning of 2928 * that payload. 2929 */ 2930 2931 /* 2932 * We use Ethernet protocol types inside libpcap; 2933 * map them to the corresponding PPP protocol types. 2934 */ 2935 proto = ethertype_to_ppptype(proto); 2936 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2937 } 2938 2939 switch (linktype) { 2940 2941 case DLT_EN10MB: 2942 case DLT_NETANALYZER: 2943 case DLT_NETANALYZER_TRANSPARENT: 2944 return gen_ether_linktype(proto); 2945 /*NOTREACHED*/ 2946 break; 2947 2948 case DLT_C_HDLC: 2949 switch (proto) { 2950 2951 case LLCSAP_ISONS: 2952 proto = (proto << 8 | LLCSAP_ISONS); 2953 /* fall through */ 2954 2955 default: 2956 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2957 (bpf_int32)proto); 2958 /*NOTREACHED*/ 2959 break; 2960 } 2961 break; 2962 2963 case DLT_IEEE802_11: 2964 case DLT_PRISM_HEADER: 2965 case DLT_IEEE802_11_RADIO_AVS: 2966 case DLT_IEEE802_11_RADIO: 2967 case DLT_PPI: 2968 /* 2969 * Check that we have a data frame. 2970 */ 2971 b0 = gen_check_802_11_data_frame(); 2972 2973 /* 2974 * Now check for the specified link-layer type. 2975 */ 2976 b1 = gen_llc_linktype(proto); 2977 gen_and(b0, b1); 2978 return b1; 2979 /*NOTREACHED*/ 2980 break; 2981 2982 case DLT_FDDI: 2983 /* 2984 * XXX - check for asynchronous frames, as per RFC 1103. 2985 */ 2986 return gen_llc_linktype(proto); 2987 /*NOTREACHED*/ 2988 break; 2989 2990 case DLT_IEEE802: 2991 /* 2992 * XXX - check for LLC PDUs, as per IEEE 802.5. 2993 */ 2994 return gen_llc_linktype(proto); 2995 /*NOTREACHED*/ 2996 break; 2997 2998 case DLT_ATM_RFC1483: 2999 case DLT_ATM_CLIP: 3000 case DLT_IP_OVER_FC: 3001 return gen_llc_linktype(proto); 3002 /*NOTREACHED*/ 3003 break; 3004 3005 case DLT_SUNATM: 3006 /* 3007 * If "is_lane" is set, check for a LANE-encapsulated 3008 * version of this protocol, otherwise check for an 3009 * LLC-encapsulated version of this protocol. 3010 * 3011 * We assume LANE means Ethernet, not Token Ring. 3012 */ 3013 if (is_lane) { 3014 /* 3015 * Check that the packet doesn't begin with an 3016 * LE Control marker. (We've already generated 3017 * a test for LANE.) 3018 */ 3019 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3020 0xFF00); 3021 gen_not(b0); 3022 3023 /* 3024 * Now generate an Ethernet test. 3025 */ 3026 b1 = gen_ether_linktype(proto); 3027 gen_and(b0, b1); 3028 return b1; 3029 } else { 3030 /* 3031 * Check for LLC encapsulation and then check the 3032 * protocol. 3033 */ 3034 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3035 b1 = gen_llc_linktype(proto); 3036 gen_and(b0, b1); 3037 return b1; 3038 } 3039 /*NOTREACHED*/ 3040 break; 3041 3042 case DLT_LINUX_SLL: 3043 return gen_linux_sll_linktype(proto); 3044 /*NOTREACHED*/ 3045 break; 3046 3047 case DLT_SLIP: 3048 case DLT_SLIP_BSDOS: 3049 case DLT_RAW: 3050 /* 3051 * These types don't provide any type field; packets 3052 * are always IPv4 or IPv6. 3053 * 3054 * XXX - for IPv4, check for a version number of 4, and, 3055 * for IPv6, check for a version number of 6? 3056 */ 3057 switch (proto) { 3058 3059 case ETHERTYPE_IP: 3060 /* Check for a version number of 4. */ 3061 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3062 3063 case ETHERTYPE_IPV6: 3064 /* Check for a version number of 6. */ 3065 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3066 3067 default: 3068 return gen_false(); /* always false */ 3069 } 3070 /*NOTREACHED*/ 3071 break; 3072 3073 case DLT_IPV4: 3074 /* 3075 * Raw IPv4, so no type field. 3076 */ 3077 if (proto == ETHERTYPE_IP) 3078 return gen_true(); /* always true */ 3079 3080 /* Checking for something other than IPv4; always false */ 3081 return gen_false(); 3082 /*NOTREACHED*/ 3083 break; 3084 3085 case DLT_IPV6: 3086 /* 3087 * Raw IPv6, so no type field. 3088 */ 3089 if (proto == ETHERTYPE_IPV6) 3090 return gen_true(); /* always true */ 3091 3092 /* Checking for something other than IPv6; always false */ 3093 return gen_false(); 3094 /*NOTREACHED*/ 3095 break; 3096 3097 case DLT_PPP: 3098 case DLT_PPP_PPPD: 3099 case DLT_PPP_SERIAL: 3100 case DLT_PPP_ETHER: 3101 /* 3102 * We use Ethernet protocol types inside libpcap; 3103 * map them to the corresponding PPP protocol types. 3104 */ 3105 proto = ethertype_to_ppptype(proto); 3106 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3107 /*NOTREACHED*/ 3108 break; 3109 3110 case DLT_PPP_BSDOS: 3111 /* 3112 * We use Ethernet protocol types inside libpcap; 3113 * map them to the corresponding PPP protocol types. 3114 */ 3115 switch (proto) { 3116 3117 case ETHERTYPE_IP: 3118 /* 3119 * Also check for Van Jacobson-compressed IP. 3120 * XXX - do this for other forms of PPP? 3121 */ 3122 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3123 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3124 gen_or(b0, b1); 3125 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3126 gen_or(b1, b0); 3127 return b0; 3128 3129 default: 3130 proto = ethertype_to_ppptype(proto); 3131 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3132 (bpf_int32)proto); 3133 } 3134 /*NOTREACHED*/ 3135 break; 3136 3137 case DLT_NULL: 3138 case DLT_LOOP: 3139 case DLT_ENC: 3140 /* 3141 * For DLT_NULL, the link-layer header is a 32-bit 3142 * word containing an AF_ value in *host* byte order, 3143 * and for DLT_ENC, the link-layer header begins 3144 * with a 32-bit work containing an AF_ value in 3145 * host byte order. 3146 * 3147 * In addition, if we're reading a saved capture file, 3148 * the host byte order in the capture may not be the 3149 * same as the host byte order on this machine. 3150 * 3151 * For DLT_LOOP, the link-layer header is a 32-bit 3152 * word containing an AF_ value in *network* byte order. 3153 * 3154 * XXX - AF_ values may, unfortunately, be platform- 3155 * dependent; for example, FreeBSD's AF_INET6 is 24 3156 * whilst NetBSD's and OpenBSD's is 26. 3157 * 3158 * This means that, when reading a capture file, just 3159 * checking for our AF_INET6 value won't work if the 3160 * capture file came from another OS. 3161 */ 3162 switch (proto) { 3163 3164 case ETHERTYPE_IP: 3165 proto = AF_INET; 3166 break; 3167 3168 #ifdef INET6 3169 case ETHERTYPE_IPV6: 3170 proto = AF_INET6; 3171 break; 3172 #endif 3173 3174 default: 3175 /* 3176 * Not a type on which we support filtering. 3177 * XXX - support those that have AF_ values 3178 * #defined on this platform, at least? 3179 */ 3180 return gen_false(); 3181 } 3182 3183 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3184 /* 3185 * The AF_ value is in host byte order, but 3186 * the BPF interpreter will convert it to 3187 * network byte order. 3188 * 3189 * If this is a save file, and it's from a 3190 * machine with the opposite byte order to 3191 * ours, we byte-swap the AF_ value. 3192 * 3193 * Then we run it through "htonl()", and 3194 * generate code to compare against the result. 3195 */ 3196 if (bpf_pcap->sf.rfile != NULL && 3197 bpf_pcap->sf.swapped) 3198 proto = SWAPLONG(proto); 3199 proto = htonl(proto); 3200 } 3201 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3202 3203 #ifdef HAVE_NET_PFVAR_H 3204 case DLT_PFLOG: 3205 /* 3206 * af field is host byte order in contrast to the rest of 3207 * the packet. 3208 */ 3209 if (proto == ETHERTYPE_IP) 3210 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3211 BPF_B, (bpf_int32)AF_INET)); 3212 else if (proto == ETHERTYPE_IPV6) 3213 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3214 BPF_B, (bpf_int32)AF_INET6)); 3215 else 3216 return gen_false(); 3217 /*NOTREACHED*/ 3218 break; 3219 #endif /* HAVE_NET_PFVAR_H */ 3220 3221 case DLT_ARCNET: 3222 case DLT_ARCNET_LINUX: 3223 /* 3224 * XXX should we check for first fragment if the protocol 3225 * uses PHDS? 3226 */ 3227 switch (proto) { 3228 3229 default: 3230 return gen_false(); 3231 3232 case ETHERTYPE_IPV6: 3233 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3234 (bpf_int32)ARCTYPE_INET6)); 3235 3236 case ETHERTYPE_IP: 3237 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3238 (bpf_int32)ARCTYPE_IP); 3239 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3240 (bpf_int32)ARCTYPE_IP_OLD); 3241 gen_or(b0, b1); 3242 return (b1); 3243 3244 case ETHERTYPE_ARP: 3245 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3246 (bpf_int32)ARCTYPE_ARP); 3247 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3248 (bpf_int32)ARCTYPE_ARP_OLD); 3249 gen_or(b0, b1); 3250 return (b1); 3251 3252 case ETHERTYPE_REVARP: 3253 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3254 (bpf_int32)ARCTYPE_REVARP)); 3255 3256 case ETHERTYPE_ATALK: 3257 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3258 (bpf_int32)ARCTYPE_ATALK)); 3259 } 3260 /*NOTREACHED*/ 3261 break; 3262 3263 case DLT_LTALK: 3264 switch (proto) { 3265 case ETHERTYPE_ATALK: 3266 return gen_true(); 3267 default: 3268 return gen_false(); 3269 } 3270 /*NOTREACHED*/ 3271 break; 3272 3273 case DLT_FRELAY: 3274 /* 3275 * XXX - assumes a 2-byte Frame Relay header with 3276 * DLCI and flags. What if the address is longer? 3277 */ 3278 switch (proto) { 3279 3280 case ETHERTYPE_IP: 3281 /* 3282 * Check for the special NLPID for IP. 3283 */ 3284 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3285 3286 case ETHERTYPE_IPV6: 3287 /* 3288 * Check for the special NLPID for IPv6. 3289 */ 3290 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3291 3292 case LLCSAP_ISONS: 3293 /* 3294 * Check for several OSI protocols. 3295 * 3296 * Frame Relay packets typically have an OSI 3297 * NLPID at the beginning; we check for each 3298 * of them. 3299 * 3300 * What we check for is the NLPID and a frame 3301 * control field of UI, i.e. 0x03 followed 3302 * by the NLPID. 3303 */ 3304 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3305 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3306 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3307 gen_or(b1, b2); 3308 gen_or(b0, b2); 3309 return b2; 3310 3311 default: 3312 return gen_false(); 3313 } 3314 /*NOTREACHED*/ 3315 break; 3316 3317 case DLT_MFR: 3318 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3319 3320 case DLT_JUNIPER_MFR: 3321 case DLT_JUNIPER_MLFR: 3322 case DLT_JUNIPER_MLPPP: 3323 case DLT_JUNIPER_ATM1: 3324 case DLT_JUNIPER_ATM2: 3325 case DLT_JUNIPER_PPPOE: 3326 case DLT_JUNIPER_PPPOE_ATM: 3327 case DLT_JUNIPER_GGSN: 3328 case DLT_JUNIPER_ES: 3329 case DLT_JUNIPER_MONITOR: 3330 case DLT_JUNIPER_SERVICES: 3331 case DLT_JUNIPER_ETHER: 3332 case DLT_JUNIPER_PPP: 3333 case DLT_JUNIPER_FRELAY: 3334 case DLT_JUNIPER_CHDLC: 3335 case DLT_JUNIPER_VP: 3336 case DLT_JUNIPER_ST: 3337 case DLT_JUNIPER_ISM: 3338 case DLT_JUNIPER_VS: 3339 case DLT_JUNIPER_SRX_E2E: 3340 case DLT_JUNIPER_FIBRECHANNEL: 3341 case DLT_JUNIPER_ATM_CEMIC: 3342 3343 /* just lets verify the magic number for now - 3344 * on ATM we may have up to 6 different encapsulations on the wire 3345 * and need a lot of heuristics to figure out that the payload 3346 * might be; 3347 * 3348 * FIXME encapsulation specific BPF_ filters 3349 */ 3350 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3351 3352 case DLT_IPNET: 3353 return gen_ipnet_linktype(proto); 3354 3355 case DLT_LINUX_IRDA: 3356 bpf_error("IrDA link-layer type filtering not implemented"); 3357 3358 case DLT_DOCSIS: 3359 bpf_error("DOCSIS link-layer type filtering not implemented"); 3360 3361 case DLT_MTP2: 3362 case DLT_MTP2_WITH_PHDR: 3363 bpf_error("MTP2 link-layer type filtering not implemented"); 3364 3365 case DLT_ERF: 3366 bpf_error("ERF link-layer type filtering not implemented"); 3367 3368 case DLT_PFSYNC: 3369 bpf_error("PFSYNC link-layer type filtering not implemented"); 3370 3371 case DLT_LINUX_LAPD: 3372 bpf_error("LAPD link-layer type filtering not implemented"); 3373 3374 case DLT_USB: 3375 case DLT_USB_LINUX: 3376 case DLT_USB_LINUX_MMAPPED: 3377 bpf_error("USB link-layer type filtering not implemented"); 3378 3379 case DLT_BLUETOOTH_HCI_H4: 3380 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3381 bpf_error("Bluetooth link-layer type filtering not implemented"); 3382 3383 case DLT_CAN20B: 3384 case DLT_CAN_SOCKETCAN: 3385 bpf_error("CAN link-layer type filtering not implemented"); 3386 3387 case DLT_IEEE802_15_4: 3388 case DLT_IEEE802_15_4_LINUX: 3389 case DLT_IEEE802_15_4_NONASK_PHY: 3390 case DLT_IEEE802_15_4_NOFCS: 3391 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3392 3393 case DLT_IEEE802_16_MAC_CPS_RADIO: 3394 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3395 3396 case DLT_SITA: 3397 bpf_error("SITA link-layer type filtering not implemented"); 3398 3399 case DLT_RAIF1: 3400 bpf_error("RAIF1 link-layer type filtering not implemented"); 3401 3402 case DLT_IPMB: 3403 bpf_error("IPMB link-layer type filtering not implemented"); 3404 3405 case DLT_AX25_KISS: 3406 bpf_error("AX.25 link-layer type filtering not implemented"); 3407 } 3408 3409 /* 3410 * All the types that have no encapsulation should either be 3411 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3412 * all packets are IP packets, or should be handled in some 3413 * special case, if none of them are (if some are and some 3414 * aren't, the lack of encapsulation is a problem, as we'd 3415 * have to find some other way of determining the packet type). 3416 * 3417 * Therefore, if "off_linktype" is -1, there's an error. 3418 */ 3419 if (off_linktype == (u_int)-1) 3420 abort(); 3421 3422 /* 3423 * Any type not handled above should always have an Ethernet 3424 * type at an offset of "off_linktype". 3425 */ 3426 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3427 } 3428 3429 /* 3430 * Check for an LLC SNAP packet with a given organization code and 3431 * protocol type; we check the entire contents of the 802.2 LLC and 3432 * snap headers, checking for DSAP and SSAP of SNAP and a control 3433 * field of 0x03 in the LLC header, and for the specified organization 3434 * code and protocol type in the SNAP header. 3435 */ 3436 static struct block * 3437 gen_snap(orgcode, ptype) 3438 bpf_u_int32 orgcode; 3439 bpf_u_int32 ptype; 3440 { 3441 u_char snapblock[8]; 3442 3443 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3444 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3445 snapblock[2] = 0x03; /* control = UI */ 3446 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3447 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3448 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3449 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3450 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3451 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3452 } 3453 3454 /* 3455 * Generate code to match a particular packet type, for link-layer types 3456 * using 802.2 LLC headers. 3457 * 3458 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3459 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3460 * 3461 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3462 * value, if <= ETHERMTU. We use that to determine whether to 3463 * match the DSAP or both DSAP and LSAP or to check the OUI and 3464 * protocol ID in a SNAP header. 3465 */ 3466 static struct block * 3467 gen_llc_linktype(proto) 3468 int proto; 3469 { 3470 /* 3471 * XXX - handle token-ring variable-length header. 3472 */ 3473 switch (proto) { 3474 3475 case LLCSAP_IP: 3476 case LLCSAP_ISONS: 3477 case LLCSAP_NETBEUI: 3478 /* 3479 * XXX - should we check both the DSAP and the 3480 * SSAP, like this, or should we check just the 3481 * DSAP, as we do for other types <= ETHERMTU 3482 * (i.e., other SAP values)? 3483 */ 3484 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3485 ((proto << 8) | proto)); 3486 3487 case LLCSAP_IPX: 3488 /* 3489 * XXX - are there ever SNAP frames for IPX on 3490 * non-Ethernet 802.x networks? 3491 */ 3492 return gen_cmp(OR_MACPL, 0, BPF_B, 3493 (bpf_int32)LLCSAP_IPX); 3494 3495 case ETHERTYPE_ATALK: 3496 /* 3497 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3498 * SNAP packets with an organization code of 3499 * 0x080007 (Apple, for Appletalk) and a protocol 3500 * type of ETHERTYPE_ATALK (Appletalk). 3501 * 3502 * XXX - check for an organization code of 3503 * encapsulated Ethernet as well? 3504 */ 3505 return gen_snap(0x080007, ETHERTYPE_ATALK); 3506 3507 default: 3508 /* 3509 * XXX - we don't have to check for IPX 802.3 3510 * here, but should we check for the IPX Ethertype? 3511 */ 3512 if (proto <= ETHERMTU) { 3513 /* 3514 * This is an LLC SAP value, so check 3515 * the DSAP. 3516 */ 3517 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3518 } else { 3519 /* 3520 * This is an Ethernet type; we assume that it's 3521 * unlikely that it'll appear in the right place 3522 * at random, and therefore check only the 3523 * location that would hold the Ethernet type 3524 * in a SNAP frame with an organization code of 3525 * 0x000000 (encapsulated Ethernet). 3526 * 3527 * XXX - if we were to check for the SNAP DSAP and 3528 * LSAP, as per XXX, and were also to check for an 3529 * organization code of 0x000000 (encapsulated 3530 * Ethernet), we'd do 3531 * 3532 * return gen_snap(0x000000, proto); 3533 * 3534 * here; for now, we don't, as per the above. 3535 * I don't know whether it's worth the extra CPU 3536 * time to do the right check or not. 3537 */ 3538 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3539 } 3540 } 3541 } 3542 3543 static struct block * 3544 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3545 bpf_u_int32 addr; 3546 bpf_u_int32 mask; 3547 int dir, proto; 3548 u_int src_off, dst_off; 3549 { 3550 struct block *b0, *b1; 3551 u_int offset; 3552 3553 switch (dir) { 3554 3555 case Q_SRC: 3556 offset = src_off; 3557 break; 3558 3559 case Q_DST: 3560 offset = dst_off; 3561 break; 3562 3563 case Q_AND: 3564 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3565 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3566 gen_and(b0, b1); 3567 return b1; 3568 3569 case Q_OR: 3570 case Q_DEFAULT: 3571 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3572 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3573 gen_or(b0, b1); 3574 return b1; 3575 3576 default: 3577 abort(); 3578 } 3579 b0 = gen_linktype(proto); 3580 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3581 gen_and(b0, b1); 3582 return b1; 3583 } 3584 3585 #ifdef INET6 3586 static struct block * 3587 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3588 struct in6_addr *addr; 3589 struct in6_addr *mask; 3590 int dir, proto; 3591 u_int src_off, dst_off; 3592 { 3593 struct block *b0, *b1; 3594 u_int offset; 3595 u_int32_t *a, *m; 3596 3597 switch (dir) { 3598 3599 case Q_SRC: 3600 offset = src_off; 3601 break; 3602 3603 case Q_DST: 3604 offset = dst_off; 3605 break; 3606 3607 case Q_AND: 3608 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3609 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3610 gen_and(b0, b1); 3611 return b1; 3612 3613 case Q_OR: 3614 case Q_DEFAULT: 3615 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3616 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3617 gen_or(b0, b1); 3618 return b1; 3619 3620 default: 3621 abort(); 3622 } 3623 /* this order is important */ 3624 a = (u_int32_t *)addr; 3625 m = (u_int32_t *)mask; 3626 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3627 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3628 gen_and(b0, b1); 3629 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3630 gen_and(b0, b1); 3631 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3632 gen_and(b0, b1); 3633 b0 = gen_linktype(proto); 3634 gen_and(b0, b1); 3635 return b1; 3636 } 3637 #endif 3638 3639 static struct block * 3640 gen_ehostop(eaddr, dir) 3641 register const u_char *eaddr; 3642 register int dir; 3643 { 3644 register struct block *b0, *b1; 3645 3646 switch (dir) { 3647 case Q_SRC: 3648 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3649 3650 case Q_DST: 3651 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3652 3653 case Q_AND: 3654 b0 = gen_ehostop(eaddr, Q_SRC); 3655 b1 = gen_ehostop(eaddr, Q_DST); 3656 gen_and(b0, b1); 3657 return b1; 3658 3659 case Q_DEFAULT: 3660 case Q_OR: 3661 b0 = gen_ehostop(eaddr, Q_SRC); 3662 b1 = gen_ehostop(eaddr, Q_DST); 3663 gen_or(b0, b1); 3664 return b1; 3665 3666 case Q_ADDR1: 3667 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3668 break; 3669 3670 case Q_ADDR2: 3671 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3672 break; 3673 3674 case Q_ADDR3: 3675 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3676 break; 3677 3678 case Q_ADDR4: 3679 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3680 break; 3681 3682 case Q_RA: 3683 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3684 break; 3685 3686 case Q_TA: 3687 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3688 break; 3689 } 3690 abort(); 3691 /* NOTREACHED */ 3692 } 3693 3694 /* 3695 * Like gen_ehostop, but for DLT_FDDI 3696 */ 3697 static struct block * 3698 gen_fhostop(eaddr, dir) 3699 register const u_char *eaddr; 3700 register int dir; 3701 { 3702 struct block *b0, *b1; 3703 3704 switch (dir) { 3705 case Q_SRC: 3706 #ifdef PCAP_FDDIPAD 3707 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3708 #else 3709 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3710 #endif 3711 3712 case Q_DST: 3713 #ifdef PCAP_FDDIPAD 3714 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3715 #else 3716 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3717 #endif 3718 3719 case Q_AND: 3720 b0 = gen_fhostop(eaddr, Q_SRC); 3721 b1 = gen_fhostop(eaddr, Q_DST); 3722 gen_and(b0, b1); 3723 return b1; 3724 3725 case Q_DEFAULT: 3726 case Q_OR: 3727 b0 = gen_fhostop(eaddr, Q_SRC); 3728 b1 = gen_fhostop(eaddr, Q_DST); 3729 gen_or(b0, b1); 3730 return b1; 3731 3732 case Q_ADDR1: 3733 bpf_error("'addr1' is only supported on 802.11"); 3734 break; 3735 3736 case Q_ADDR2: 3737 bpf_error("'addr2' is only supported on 802.11"); 3738 break; 3739 3740 case Q_ADDR3: 3741 bpf_error("'addr3' is only supported on 802.11"); 3742 break; 3743 3744 case Q_ADDR4: 3745 bpf_error("'addr4' is only supported on 802.11"); 3746 break; 3747 3748 case Q_RA: 3749 bpf_error("'ra' is only supported on 802.11"); 3750 break; 3751 3752 case Q_TA: 3753 bpf_error("'ta' is only supported on 802.11"); 3754 break; 3755 } 3756 abort(); 3757 /* NOTREACHED */ 3758 } 3759 3760 /* 3761 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3762 */ 3763 static struct block * 3764 gen_thostop(eaddr, dir) 3765 register const u_char *eaddr; 3766 register int dir; 3767 { 3768 register struct block *b0, *b1; 3769 3770 switch (dir) { 3771 case Q_SRC: 3772 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3773 3774 case Q_DST: 3775 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3776 3777 case Q_AND: 3778 b0 = gen_thostop(eaddr, Q_SRC); 3779 b1 = gen_thostop(eaddr, Q_DST); 3780 gen_and(b0, b1); 3781 return b1; 3782 3783 case Q_DEFAULT: 3784 case Q_OR: 3785 b0 = gen_thostop(eaddr, Q_SRC); 3786 b1 = gen_thostop(eaddr, Q_DST); 3787 gen_or(b0, b1); 3788 return b1; 3789 3790 case Q_ADDR1: 3791 bpf_error("'addr1' is only supported on 802.11"); 3792 break; 3793 3794 case Q_ADDR2: 3795 bpf_error("'addr2' is only supported on 802.11"); 3796 break; 3797 3798 case Q_ADDR3: 3799 bpf_error("'addr3' is only supported on 802.11"); 3800 break; 3801 3802 case Q_ADDR4: 3803 bpf_error("'addr4' is only supported on 802.11"); 3804 break; 3805 3806 case Q_RA: 3807 bpf_error("'ra' is only supported on 802.11"); 3808 break; 3809 3810 case Q_TA: 3811 bpf_error("'ta' is only supported on 802.11"); 3812 break; 3813 } 3814 abort(); 3815 /* NOTREACHED */ 3816 } 3817 3818 /* 3819 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3820 * various 802.11 + radio headers. 3821 */ 3822 static struct block * 3823 gen_wlanhostop(eaddr, dir) 3824 register const u_char *eaddr; 3825 register int dir; 3826 { 3827 register struct block *b0, *b1, *b2; 3828 register struct slist *s; 3829 3830 #ifdef ENABLE_WLAN_FILTERING_PATCH 3831 /* 3832 * TODO GV 20070613 3833 * We need to disable the optimizer because the optimizer is buggy 3834 * and wipes out some LD instructions generated by the below 3835 * code to validate the Frame Control bits 3836 */ 3837 no_optimize = 1; 3838 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3839 3840 switch (dir) { 3841 case Q_SRC: 3842 /* 3843 * Oh, yuk. 3844 * 3845 * For control frames, there is no SA. 3846 * 3847 * For management frames, SA is at an 3848 * offset of 10 from the beginning of 3849 * the packet. 3850 * 3851 * For data frames, SA is at an offset 3852 * of 10 from the beginning of the packet 3853 * if From DS is clear, at an offset of 3854 * 16 from the beginning of the packet 3855 * if From DS is set and To DS is clear, 3856 * and an offset of 24 from the beginning 3857 * of the packet if From DS is set and To DS 3858 * is set. 3859 */ 3860 3861 /* 3862 * Generate the tests to be done for data frames 3863 * with From DS set. 3864 * 3865 * First, check for To DS set, i.e. check "link[1] & 0x01". 3866 */ 3867 s = gen_load_a(OR_LINK, 1, BPF_B); 3868 b1 = new_block(JMP(BPF_JSET)); 3869 b1->s.k = 0x01; /* To DS */ 3870 b1->stmts = s; 3871 3872 /* 3873 * If To DS is set, the SA is at 24. 3874 */ 3875 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3876 gen_and(b1, b0); 3877 3878 /* 3879 * Now, check for To DS not set, i.e. check 3880 * "!(link[1] & 0x01)". 3881 */ 3882 s = gen_load_a(OR_LINK, 1, BPF_B); 3883 b2 = new_block(JMP(BPF_JSET)); 3884 b2->s.k = 0x01; /* To DS */ 3885 b2->stmts = s; 3886 gen_not(b2); 3887 3888 /* 3889 * If To DS is not set, the SA is at 16. 3890 */ 3891 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3892 gen_and(b2, b1); 3893 3894 /* 3895 * Now OR together the last two checks. That gives 3896 * the complete set of checks for data frames with 3897 * From DS set. 3898 */ 3899 gen_or(b1, b0); 3900 3901 /* 3902 * Now check for From DS being set, and AND that with 3903 * the ORed-together checks. 3904 */ 3905 s = gen_load_a(OR_LINK, 1, BPF_B); 3906 b1 = new_block(JMP(BPF_JSET)); 3907 b1->s.k = 0x02; /* From DS */ 3908 b1->stmts = s; 3909 gen_and(b1, b0); 3910 3911 /* 3912 * Now check for data frames with From DS not set. 3913 */ 3914 s = gen_load_a(OR_LINK, 1, BPF_B); 3915 b2 = new_block(JMP(BPF_JSET)); 3916 b2->s.k = 0x02; /* From DS */ 3917 b2->stmts = s; 3918 gen_not(b2); 3919 3920 /* 3921 * If From DS isn't set, the SA is at 10. 3922 */ 3923 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3924 gen_and(b2, b1); 3925 3926 /* 3927 * Now OR together the checks for data frames with 3928 * From DS not set and for data frames with From DS 3929 * set; that gives the checks done for data frames. 3930 */ 3931 gen_or(b1, b0); 3932 3933 /* 3934 * Now check for a data frame. 3935 * I.e, check "link[0] & 0x08". 3936 */ 3937 s = gen_load_a(OR_LINK, 0, BPF_B); 3938 b1 = new_block(JMP(BPF_JSET)); 3939 b1->s.k = 0x08; 3940 b1->stmts = s; 3941 3942 /* 3943 * AND that with the checks done for data frames. 3944 */ 3945 gen_and(b1, b0); 3946 3947 /* 3948 * If the high-order bit of the type value is 0, this 3949 * is a management frame. 3950 * I.e, check "!(link[0] & 0x08)". 3951 */ 3952 s = gen_load_a(OR_LINK, 0, BPF_B); 3953 b2 = new_block(JMP(BPF_JSET)); 3954 b2->s.k = 0x08; 3955 b2->stmts = s; 3956 gen_not(b2); 3957 3958 /* 3959 * For management frames, the SA is at 10. 3960 */ 3961 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3962 gen_and(b2, b1); 3963 3964 /* 3965 * OR that with the checks done for data frames. 3966 * That gives the checks done for management and 3967 * data frames. 3968 */ 3969 gen_or(b1, b0); 3970 3971 /* 3972 * If the low-order bit of the type value is 1, 3973 * this is either a control frame or a frame 3974 * with a reserved type, and thus not a 3975 * frame with an SA. 3976 * 3977 * I.e., check "!(link[0] & 0x04)". 3978 */ 3979 s = gen_load_a(OR_LINK, 0, BPF_B); 3980 b1 = new_block(JMP(BPF_JSET)); 3981 b1->s.k = 0x04; 3982 b1->stmts = s; 3983 gen_not(b1); 3984 3985 /* 3986 * AND that with the checks for data and management 3987 * frames. 3988 */ 3989 gen_and(b1, b0); 3990 return b0; 3991 3992 case Q_DST: 3993 /* 3994 * Oh, yuk. 3995 * 3996 * For control frames, there is no DA. 3997 * 3998 * For management frames, DA is at an 3999 * offset of 4 from the beginning of 4000 * the packet. 4001 * 4002 * For data frames, DA is at an offset 4003 * of 4 from the beginning of the packet 4004 * if To DS is clear and at an offset of 4005 * 16 from the beginning of the packet 4006 * if To DS is set. 4007 */ 4008 4009 /* 4010 * Generate the tests to be done for data frames. 4011 * 4012 * First, check for To DS set, i.e. "link[1] & 0x01". 4013 */ 4014 s = gen_load_a(OR_LINK, 1, BPF_B); 4015 b1 = new_block(JMP(BPF_JSET)); 4016 b1->s.k = 0x01; /* To DS */ 4017 b1->stmts = s; 4018 4019 /* 4020 * If To DS is set, the DA is at 16. 4021 */ 4022 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4023 gen_and(b1, b0); 4024 4025 /* 4026 * Now, check for To DS not set, i.e. check 4027 * "!(link[1] & 0x01)". 4028 */ 4029 s = gen_load_a(OR_LINK, 1, BPF_B); 4030 b2 = new_block(JMP(BPF_JSET)); 4031 b2->s.k = 0x01; /* To DS */ 4032 b2->stmts = s; 4033 gen_not(b2); 4034 4035 /* 4036 * If To DS is not set, the DA is at 4. 4037 */ 4038 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4039 gen_and(b2, b1); 4040 4041 /* 4042 * Now OR together the last two checks. That gives 4043 * the complete set of checks for data frames. 4044 */ 4045 gen_or(b1, b0); 4046 4047 /* 4048 * Now check for a data frame. 4049 * I.e, check "link[0] & 0x08". 4050 */ 4051 s = gen_load_a(OR_LINK, 0, BPF_B); 4052 b1 = new_block(JMP(BPF_JSET)); 4053 b1->s.k = 0x08; 4054 b1->stmts = s; 4055 4056 /* 4057 * AND that with the checks done for data frames. 4058 */ 4059 gen_and(b1, b0); 4060 4061 /* 4062 * If the high-order bit of the type value is 0, this 4063 * is a management frame. 4064 * I.e, check "!(link[0] & 0x08)". 4065 */ 4066 s = gen_load_a(OR_LINK, 0, BPF_B); 4067 b2 = new_block(JMP(BPF_JSET)); 4068 b2->s.k = 0x08; 4069 b2->stmts = s; 4070 gen_not(b2); 4071 4072 /* 4073 * For management frames, the DA is at 4. 4074 */ 4075 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4076 gen_and(b2, b1); 4077 4078 /* 4079 * OR that with the checks done for data frames. 4080 * That gives the checks done for management and 4081 * data frames. 4082 */ 4083 gen_or(b1, b0); 4084 4085 /* 4086 * If the low-order bit of the type value is 1, 4087 * this is either a control frame or a frame 4088 * with a reserved type, and thus not a 4089 * frame with an SA. 4090 * 4091 * I.e., check "!(link[0] & 0x04)". 4092 */ 4093 s = gen_load_a(OR_LINK, 0, BPF_B); 4094 b1 = new_block(JMP(BPF_JSET)); 4095 b1->s.k = 0x04; 4096 b1->stmts = s; 4097 gen_not(b1); 4098 4099 /* 4100 * AND that with the checks for data and management 4101 * frames. 4102 */ 4103 gen_and(b1, b0); 4104 return b0; 4105 4106 case Q_RA: 4107 /* 4108 * Not present in management frames; addr1 in other 4109 * frames. 4110 */ 4111 4112 /* 4113 * If the high-order bit of the type value is 0, this 4114 * is a management frame. 4115 * I.e, check "(link[0] & 0x08)". 4116 */ 4117 s = gen_load_a(OR_LINK, 0, BPF_B); 4118 b1 = new_block(JMP(BPF_JSET)); 4119 b1->s.k = 0x08; 4120 b1->stmts = s; 4121 4122 /* 4123 * Check addr1. 4124 */ 4125 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4126 4127 /* 4128 * AND that with the check of addr1. 4129 */ 4130 gen_and(b1, b0); 4131 return (b0); 4132 4133 case Q_TA: 4134 /* 4135 * Not present in management frames; addr2, if present, 4136 * in other frames. 4137 */ 4138 4139 /* 4140 * Not present in CTS or ACK control frames. 4141 */ 4142 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4143 IEEE80211_FC0_TYPE_MASK); 4144 gen_not(b0); 4145 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4146 IEEE80211_FC0_SUBTYPE_MASK); 4147 gen_not(b1); 4148 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4149 IEEE80211_FC0_SUBTYPE_MASK); 4150 gen_not(b2); 4151 gen_and(b1, b2); 4152 gen_or(b0, b2); 4153 4154 /* 4155 * If the high-order bit of the type value is 0, this 4156 * is a management frame. 4157 * I.e, check "(link[0] & 0x08)". 4158 */ 4159 s = gen_load_a(OR_LINK, 0, BPF_B); 4160 b1 = new_block(JMP(BPF_JSET)); 4161 b1->s.k = 0x08; 4162 b1->stmts = s; 4163 4164 /* 4165 * AND that with the check for frames other than 4166 * CTS and ACK frames. 4167 */ 4168 gen_and(b1, b2); 4169 4170 /* 4171 * Check addr2. 4172 */ 4173 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4174 gen_and(b2, b1); 4175 return b1; 4176 4177 /* 4178 * XXX - add BSSID keyword? 4179 */ 4180 case Q_ADDR1: 4181 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4182 4183 case Q_ADDR2: 4184 /* 4185 * Not present in CTS or ACK control frames. 4186 */ 4187 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4188 IEEE80211_FC0_TYPE_MASK); 4189 gen_not(b0); 4190 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4191 IEEE80211_FC0_SUBTYPE_MASK); 4192 gen_not(b1); 4193 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4194 IEEE80211_FC0_SUBTYPE_MASK); 4195 gen_not(b2); 4196 gen_and(b1, b2); 4197 gen_or(b0, b2); 4198 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4199 gen_and(b2, b1); 4200 return b1; 4201 4202 case Q_ADDR3: 4203 /* 4204 * Not present in control frames. 4205 */ 4206 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4207 IEEE80211_FC0_TYPE_MASK); 4208 gen_not(b0); 4209 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4210 gen_and(b0, b1); 4211 return b1; 4212 4213 case Q_ADDR4: 4214 /* 4215 * Present only if the direction mask has both "From DS" 4216 * and "To DS" set. Neither control frames nor management 4217 * frames should have both of those set, so we don't 4218 * check the frame type. 4219 */ 4220 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4221 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4222 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4223 gen_and(b0, b1); 4224 return b1; 4225 4226 case Q_AND: 4227 b0 = gen_wlanhostop(eaddr, Q_SRC); 4228 b1 = gen_wlanhostop(eaddr, Q_DST); 4229 gen_and(b0, b1); 4230 return b1; 4231 4232 case Q_DEFAULT: 4233 case Q_OR: 4234 b0 = gen_wlanhostop(eaddr, Q_SRC); 4235 b1 = gen_wlanhostop(eaddr, Q_DST); 4236 gen_or(b0, b1); 4237 return b1; 4238 } 4239 abort(); 4240 /* NOTREACHED */ 4241 } 4242 4243 /* 4244 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4245 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4246 * as the RFC states.) 4247 */ 4248 static struct block * 4249 gen_ipfchostop(eaddr, dir) 4250 register const u_char *eaddr; 4251 register int dir; 4252 { 4253 register struct block *b0, *b1; 4254 4255 switch (dir) { 4256 case Q_SRC: 4257 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4258 4259 case Q_DST: 4260 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4261 4262 case Q_AND: 4263 b0 = gen_ipfchostop(eaddr, Q_SRC); 4264 b1 = gen_ipfchostop(eaddr, Q_DST); 4265 gen_and(b0, b1); 4266 return b1; 4267 4268 case Q_DEFAULT: 4269 case Q_OR: 4270 b0 = gen_ipfchostop(eaddr, Q_SRC); 4271 b1 = gen_ipfchostop(eaddr, Q_DST); 4272 gen_or(b0, b1); 4273 return b1; 4274 4275 case Q_ADDR1: 4276 bpf_error("'addr1' is only supported on 802.11"); 4277 break; 4278 4279 case Q_ADDR2: 4280 bpf_error("'addr2' is only supported on 802.11"); 4281 break; 4282 4283 case Q_ADDR3: 4284 bpf_error("'addr3' is only supported on 802.11"); 4285 break; 4286 4287 case Q_ADDR4: 4288 bpf_error("'addr4' is only supported on 802.11"); 4289 break; 4290 4291 case Q_RA: 4292 bpf_error("'ra' is only supported on 802.11"); 4293 break; 4294 4295 case Q_TA: 4296 bpf_error("'ta' is only supported on 802.11"); 4297 break; 4298 } 4299 abort(); 4300 /* NOTREACHED */ 4301 } 4302 4303 /* 4304 * This is quite tricky because there may be pad bytes in front of the 4305 * DECNET header, and then there are two possible data packet formats that 4306 * carry both src and dst addresses, plus 5 packet types in a format that 4307 * carries only the src node, plus 2 types that use a different format and 4308 * also carry just the src node. 4309 * 4310 * Yuck. 4311 * 4312 * Instead of doing those all right, we just look for data packets with 4313 * 0 or 1 bytes of padding. If you want to look at other packets, that 4314 * will require a lot more hacking. 4315 * 4316 * To add support for filtering on DECNET "areas" (network numbers) 4317 * one would want to add a "mask" argument to this routine. That would 4318 * make the filter even more inefficient, although one could be clever 4319 * and not generate masking instructions if the mask is 0xFFFF. 4320 */ 4321 static struct block * 4322 gen_dnhostop(addr, dir) 4323 bpf_u_int32 addr; 4324 int dir; 4325 { 4326 struct block *b0, *b1, *b2, *tmp; 4327 u_int offset_lh; /* offset if long header is received */ 4328 u_int offset_sh; /* offset if short header is received */ 4329 4330 switch (dir) { 4331 4332 case Q_DST: 4333 offset_sh = 1; /* follows flags */ 4334 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4335 break; 4336 4337 case Q_SRC: 4338 offset_sh = 3; /* follows flags, dstnode */ 4339 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4340 break; 4341 4342 case Q_AND: 4343 /* Inefficient because we do our Calvinball dance twice */ 4344 b0 = gen_dnhostop(addr, Q_SRC); 4345 b1 = gen_dnhostop(addr, Q_DST); 4346 gen_and(b0, b1); 4347 return b1; 4348 4349 case Q_OR: 4350 case Q_DEFAULT: 4351 /* Inefficient because we do our Calvinball dance twice */ 4352 b0 = gen_dnhostop(addr, Q_SRC); 4353 b1 = gen_dnhostop(addr, Q_DST); 4354 gen_or(b0, b1); 4355 return b1; 4356 4357 case Q_ISO: 4358 bpf_error("ISO host filtering not implemented"); 4359 4360 default: 4361 abort(); 4362 } 4363 b0 = gen_linktype(ETHERTYPE_DN); 4364 /* Check for pad = 1, long header case */ 4365 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4366 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4367 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4368 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4369 gen_and(tmp, b1); 4370 /* Check for pad = 0, long header case */ 4371 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4372 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4373 gen_and(tmp, b2); 4374 gen_or(b2, b1); 4375 /* Check for pad = 1, short header case */ 4376 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4377 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4378 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4379 gen_and(tmp, b2); 4380 gen_or(b2, b1); 4381 /* Check for pad = 0, short header case */ 4382 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4383 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4384 gen_and(tmp, b2); 4385 gen_or(b2, b1); 4386 4387 /* Combine with test for linktype */ 4388 gen_and(b0, b1); 4389 return b1; 4390 } 4391 4392 /* 4393 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4394 * test the bottom-of-stack bit, and then check the version number 4395 * field in the IP header. 4396 */ 4397 static struct block * 4398 gen_mpls_linktype(proto) 4399 int proto; 4400 { 4401 struct block *b0, *b1; 4402 4403 switch (proto) { 4404 4405 case Q_IP: 4406 /* match the bottom-of-stack bit */ 4407 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4408 /* match the IPv4 version number */ 4409 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4410 gen_and(b0, b1); 4411 return b1; 4412 4413 case Q_IPV6: 4414 /* match the bottom-of-stack bit */ 4415 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4416 /* match the IPv4 version number */ 4417 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4418 gen_and(b0, b1); 4419 return b1; 4420 4421 default: 4422 abort(); 4423 } 4424 } 4425 4426 static struct block * 4427 gen_host(addr, mask, proto, dir, type) 4428 bpf_u_int32 addr; 4429 bpf_u_int32 mask; 4430 int proto; 4431 int dir; 4432 int type; 4433 { 4434 struct block *b0, *b1; 4435 const char *typestr; 4436 4437 if (type == Q_NET) 4438 typestr = "net"; 4439 else 4440 typestr = "host"; 4441 4442 switch (proto) { 4443 4444 case Q_DEFAULT: 4445 b0 = gen_host(addr, mask, Q_IP, dir, type); 4446 /* 4447 * Only check for non-IPv4 addresses if we're not 4448 * checking MPLS-encapsulated packets. 4449 */ 4450 if (label_stack_depth == 0) { 4451 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4452 gen_or(b0, b1); 4453 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4454 gen_or(b1, b0); 4455 } 4456 return b0; 4457 4458 case Q_IP: 4459 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4460 4461 case Q_RARP: 4462 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4463 4464 case Q_ARP: 4465 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4466 4467 case Q_TCP: 4468 bpf_error("'tcp' modifier applied to %s", typestr); 4469 4470 case Q_SCTP: 4471 bpf_error("'sctp' modifier applied to %s", typestr); 4472 4473 case Q_UDP: 4474 bpf_error("'udp' modifier applied to %s", typestr); 4475 4476 case Q_ICMP: 4477 bpf_error("'icmp' modifier applied to %s", typestr); 4478 4479 case Q_IGMP: 4480 bpf_error("'igmp' modifier applied to %s", typestr); 4481 4482 case Q_IGRP: 4483 bpf_error("'igrp' modifier applied to %s", typestr); 4484 4485 case Q_PIM: 4486 bpf_error("'pim' modifier applied to %s", typestr); 4487 4488 case Q_VRRP: 4489 bpf_error("'vrrp' modifier applied to %s", typestr); 4490 4491 case Q_CARP: 4492 bpf_error("'carp' modifier applied to %s", typestr); 4493 4494 case Q_ATALK: 4495 bpf_error("ATALK host filtering not implemented"); 4496 4497 case Q_AARP: 4498 bpf_error("AARP host filtering not implemented"); 4499 4500 case Q_DECNET: 4501 return gen_dnhostop(addr, dir); 4502 4503 case Q_SCA: 4504 bpf_error("SCA host filtering not implemented"); 4505 4506 case Q_LAT: 4507 bpf_error("LAT host filtering not implemented"); 4508 4509 case Q_MOPDL: 4510 bpf_error("MOPDL host filtering not implemented"); 4511 4512 case Q_MOPRC: 4513 bpf_error("MOPRC host filtering not implemented"); 4514 4515 case Q_IPV6: 4516 bpf_error("'ip6' modifier applied to ip host"); 4517 4518 case Q_ICMPV6: 4519 bpf_error("'icmp6' modifier applied to %s", typestr); 4520 4521 case Q_AH: 4522 bpf_error("'ah' modifier applied to %s", typestr); 4523 4524 case Q_ESP: 4525 bpf_error("'esp' modifier applied to %s", typestr); 4526 4527 case Q_ISO: 4528 bpf_error("ISO host filtering not implemented"); 4529 4530 case Q_ESIS: 4531 bpf_error("'esis' modifier applied to %s", typestr); 4532 4533 case Q_ISIS: 4534 bpf_error("'isis' modifier applied to %s", typestr); 4535 4536 case Q_CLNP: 4537 bpf_error("'clnp' modifier applied to %s", typestr); 4538 4539 case Q_STP: 4540 bpf_error("'stp' modifier applied to %s", typestr); 4541 4542 case Q_IPX: 4543 bpf_error("IPX host filtering not implemented"); 4544 4545 case Q_NETBEUI: 4546 bpf_error("'netbeui' modifier applied to %s", typestr); 4547 4548 case Q_RADIO: 4549 bpf_error("'radio' modifier applied to %s", typestr); 4550 4551 default: 4552 abort(); 4553 } 4554 /* NOTREACHED */ 4555 } 4556 4557 #ifdef INET6 4558 static struct block * 4559 gen_host6(addr, mask, proto, dir, type) 4560 struct in6_addr *addr; 4561 struct in6_addr *mask; 4562 int proto; 4563 int dir; 4564 int type; 4565 { 4566 const char *typestr; 4567 4568 if (type == Q_NET) 4569 typestr = "net"; 4570 else 4571 typestr = "host"; 4572 4573 switch (proto) { 4574 4575 case Q_DEFAULT: 4576 return gen_host6(addr, mask, Q_IPV6, dir, type); 4577 4578 case Q_IP: 4579 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4580 4581 case Q_RARP: 4582 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4583 4584 case Q_ARP: 4585 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4586 4587 case Q_SCTP: 4588 bpf_error("'sctp' modifier applied to %s", typestr); 4589 4590 case Q_TCP: 4591 bpf_error("'tcp' modifier applied to %s", typestr); 4592 4593 case Q_UDP: 4594 bpf_error("'udp' modifier applied to %s", typestr); 4595 4596 case Q_ICMP: 4597 bpf_error("'icmp' modifier applied to %s", typestr); 4598 4599 case Q_IGMP: 4600 bpf_error("'igmp' modifier applied to %s", typestr); 4601 4602 case Q_IGRP: 4603 bpf_error("'igrp' modifier applied to %s", typestr); 4604 4605 case Q_PIM: 4606 bpf_error("'pim' modifier applied to %s", typestr); 4607 4608 case Q_VRRP: 4609 bpf_error("'vrrp' modifier applied to %s", typestr); 4610 4611 case Q_CARP: 4612 bpf_error("'carp' modifier applied to %s", typestr); 4613 4614 case Q_ATALK: 4615 bpf_error("ATALK host filtering not implemented"); 4616 4617 case Q_AARP: 4618 bpf_error("AARP host filtering not implemented"); 4619 4620 case Q_DECNET: 4621 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4622 4623 case Q_SCA: 4624 bpf_error("SCA host filtering not implemented"); 4625 4626 case Q_LAT: 4627 bpf_error("LAT host filtering not implemented"); 4628 4629 case Q_MOPDL: 4630 bpf_error("MOPDL host filtering not implemented"); 4631 4632 case Q_MOPRC: 4633 bpf_error("MOPRC host filtering not implemented"); 4634 4635 case Q_IPV6: 4636 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4637 4638 case Q_ICMPV6: 4639 bpf_error("'icmp6' modifier applied to %s", typestr); 4640 4641 case Q_AH: 4642 bpf_error("'ah' modifier applied to %s", typestr); 4643 4644 case Q_ESP: 4645 bpf_error("'esp' modifier applied to %s", typestr); 4646 4647 case Q_ISO: 4648 bpf_error("ISO host filtering not implemented"); 4649 4650 case Q_ESIS: 4651 bpf_error("'esis' modifier applied to %s", typestr); 4652 4653 case Q_ISIS: 4654 bpf_error("'isis' modifier applied to %s", typestr); 4655 4656 case Q_CLNP: 4657 bpf_error("'clnp' modifier applied to %s", typestr); 4658 4659 case Q_STP: 4660 bpf_error("'stp' modifier applied to %s", typestr); 4661 4662 case Q_IPX: 4663 bpf_error("IPX host filtering not implemented"); 4664 4665 case Q_NETBEUI: 4666 bpf_error("'netbeui' modifier applied to %s", typestr); 4667 4668 case Q_RADIO: 4669 bpf_error("'radio' modifier applied to %s", typestr); 4670 4671 default: 4672 abort(); 4673 } 4674 /* NOTREACHED */ 4675 } 4676 #endif 4677 4678 #ifndef INET6 4679 static struct block * 4680 gen_gateway(eaddr, alist, proto, dir) 4681 const u_char *eaddr; 4682 bpf_u_int32 **alist; 4683 int proto; 4684 int dir; 4685 { 4686 struct block *b0, *b1, *tmp; 4687 4688 if (dir != 0) 4689 bpf_error("direction applied to 'gateway'"); 4690 4691 switch (proto) { 4692 case Q_DEFAULT: 4693 case Q_IP: 4694 case Q_ARP: 4695 case Q_RARP: 4696 switch (linktype) { 4697 case DLT_EN10MB: 4698 case DLT_NETANALYZER: 4699 case DLT_NETANALYZER_TRANSPARENT: 4700 b0 = gen_ehostop(eaddr, Q_OR); 4701 break; 4702 case DLT_FDDI: 4703 b0 = gen_fhostop(eaddr, Q_OR); 4704 break; 4705 case DLT_IEEE802: 4706 b0 = gen_thostop(eaddr, Q_OR); 4707 break; 4708 case DLT_IEEE802_11: 4709 case DLT_PRISM_HEADER: 4710 case DLT_IEEE802_11_RADIO_AVS: 4711 case DLT_IEEE802_11_RADIO: 4712 case DLT_PPI: 4713 b0 = gen_wlanhostop(eaddr, Q_OR); 4714 break; 4715 case DLT_SUNATM: 4716 if (!is_lane) 4717 bpf_error( 4718 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4719 /* 4720 * Check that the packet doesn't begin with an 4721 * LE Control marker. (We've already generated 4722 * a test for LANE.) 4723 */ 4724 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4725 BPF_H, 0xFF00); 4726 gen_not(b1); 4727 4728 /* 4729 * Now check the MAC address. 4730 */ 4731 b0 = gen_ehostop(eaddr, Q_OR); 4732 gen_and(b1, b0); 4733 break; 4734 case DLT_IP_OVER_FC: 4735 b0 = gen_ipfchostop(eaddr, Q_OR); 4736 break; 4737 default: 4738 bpf_error( 4739 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4740 } 4741 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4742 while (*alist) { 4743 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4744 Q_HOST); 4745 gen_or(b1, tmp); 4746 b1 = tmp; 4747 } 4748 gen_not(b1); 4749 gen_and(b0, b1); 4750 return b1; 4751 } 4752 bpf_error("illegal modifier of 'gateway'"); 4753 /* NOTREACHED */ 4754 } 4755 #endif 4756 4757 struct block * 4758 gen_proto_abbrev(proto) 4759 int proto; 4760 { 4761 struct block *b0; 4762 struct block *b1; 4763 4764 switch (proto) { 4765 4766 case Q_SCTP: 4767 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4768 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4769 gen_or(b0, b1); 4770 break; 4771 4772 case Q_TCP: 4773 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4774 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4775 gen_or(b0, b1); 4776 break; 4777 4778 case Q_UDP: 4779 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4780 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4781 gen_or(b0, b1); 4782 break; 4783 4784 case Q_ICMP: 4785 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4786 break; 4787 4788 #ifndef IPPROTO_IGMP 4789 #define IPPROTO_IGMP 2 4790 #endif 4791 4792 case Q_IGMP: 4793 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4794 break; 4795 4796 #ifndef IPPROTO_IGRP 4797 #define IPPROTO_IGRP 9 4798 #endif 4799 case Q_IGRP: 4800 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4801 break; 4802 4803 #ifndef IPPROTO_PIM 4804 #define IPPROTO_PIM 103 4805 #endif 4806 4807 case Q_PIM: 4808 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4809 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4810 gen_or(b0, b1); 4811 break; 4812 4813 #ifndef IPPROTO_VRRP 4814 #define IPPROTO_VRRP 112 4815 #endif 4816 4817 case Q_VRRP: 4818 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4819 break; 4820 4821 #ifndef IPPROTO_CARP 4822 #define IPPROTO_CARP 112 4823 #endif 4824 4825 case Q_CARP: 4826 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 4827 break; 4828 4829 case Q_IP: 4830 b1 = gen_linktype(ETHERTYPE_IP); 4831 break; 4832 4833 case Q_ARP: 4834 b1 = gen_linktype(ETHERTYPE_ARP); 4835 break; 4836 4837 case Q_RARP: 4838 b1 = gen_linktype(ETHERTYPE_REVARP); 4839 break; 4840 4841 case Q_LINK: 4842 bpf_error("link layer applied in wrong context"); 4843 4844 case Q_ATALK: 4845 b1 = gen_linktype(ETHERTYPE_ATALK); 4846 break; 4847 4848 case Q_AARP: 4849 b1 = gen_linktype(ETHERTYPE_AARP); 4850 break; 4851 4852 case Q_DECNET: 4853 b1 = gen_linktype(ETHERTYPE_DN); 4854 break; 4855 4856 case Q_SCA: 4857 b1 = gen_linktype(ETHERTYPE_SCA); 4858 break; 4859 4860 case Q_LAT: 4861 b1 = gen_linktype(ETHERTYPE_LAT); 4862 break; 4863 4864 case Q_MOPDL: 4865 b1 = gen_linktype(ETHERTYPE_MOPDL); 4866 break; 4867 4868 case Q_MOPRC: 4869 b1 = gen_linktype(ETHERTYPE_MOPRC); 4870 break; 4871 4872 case Q_IPV6: 4873 b1 = gen_linktype(ETHERTYPE_IPV6); 4874 break; 4875 4876 #ifndef IPPROTO_ICMPV6 4877 #define IPPROTO_ICMPV6 58 4878 #endif 4879 case Q_ICMPV6: 4880 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4881 break; 4882 4883 #ifndef IPPROTO_AH 4884 #define IPPROTO_AH 51 4885 #endif 4886 case Q_AH: 4887 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4888 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4889 gen_or(b0, b1); 4890 break; 4891 4892 #ifndef IPPROTO_ESP 4893 #define IPPROTO_ESP 50 4894 #endif 4895 case Q_ESP: 4896 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4897 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4898 gen_or(b0, b1); 4899 break; 4900 4901 case Q_ISO: 4902 b1 = gen_linktype(LLCSAP_ISONS); 4903 break; 4904 4905 case Q_ESIS: 4906 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4907 break; 4908 4909 case Q_ISIS: 4910 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4911 break; 4912 4913 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4914 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4915 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4916 gen_or(b0, b1); 4917 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4918 gen_or(b0, b1); 4919 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4920 gen_or(b0, b1); 4921 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4922 gen_or(b0, b1); 4923 break; 4924 4925 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4926 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4927 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4928 gen_or(b0, b1); 4929 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4930 gen_or(b0, b1); 4931 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4932 gen_or(b0, b1); 4933 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4934 gen_or(b0, b1); 4935 break; 4936 4937 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4938 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4939 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4940 gen_or(b0, b1); 4941 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4942 gen_or(b0, b1); 4943 break; 4944 4945 case Q_ISIS_LSP: 4946 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4947 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4948 gen_or(b0, b1); 4949 break; 4950 4951 case Q_ISIS_SNP: 4952 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4953 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4954 gen_or(b0, b1); 4955 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4956 gen_or(b0, b1); 4957 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4958 gen_or(b0, b1); 4959 break; 4960 4961 case Q_ISIS_CSNP: 4962 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4963 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4964 gen_or(b0, b1); 4965 break; 4966 4967 case Q_ISIS_PSNP: 4968 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4969 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4970 gen_or(b0, b1); 4971 break; 4972 4973 case Q_CLNP: 4974 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4975 break; 4976 4977 case Q_STP: 4978 b1 = gen_linktype(LLCSAP_8021D); 4979 break; 4980 4981 case Q_IPX: 4982 b1 = gen_linktype(LLCSAP_IPX); 4983 break; 4984 4985 case Q_NETBEUI: 4986 b1 = gen_linktype(LLCSAP_NETBEUI); 4987 break; 4988 4989 case Q_RADIO: 4990 bpf_error("'radio' is not a valid protocol type"); 4991 4992 default: 4993 abort(); 4994 } 4995 return b1; 4996 } 4997 4998 static struct block * 4999 gen_ipfrag() 5000 { 5001 struct slist *s; 5002 struct block *b; 5003 5004 /* not IPv4 frag other than the first frag */ 5005 s = gen_load_a(OR_NET, 6, BPF_H); 5006 b = new_block(JMP(BPF_JSET)); 5007 b->s.k = 0x1fff; 5008 b->stmts = s; 5009 gen_not(b); 5010 5011 return b; 5012 } 5013 5014 /* 5015 * Generate a comparison to a port value in the transport-layer header 5016 * at the specified offset from the beginning of that header. 5017 * 5018 * XXX - this handles a variable-length prefix preceding the link-layer 5019 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5020 * variable-length link-layer headers (such as Token Ring or 802.11 5021 * headers). 5022 */ 5023 static struct block * 5024 gen_portatom(off, v) 5025 int off; 5026 bpf_int32 v; 5027 { 5028 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5029 } 5030 5031 static struct block * 5032 gen_portatom6(off, v) 5033 int off; 5034 bpf_int32 v; 5035 { 5036 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5037 } 5038 5039 struct block * 5040 gen_portop(port, proto, dir) 5041 int port, proto, dir; 5042 { 5043 struct block *b0, *b1, *tmp; 5044 5045 /* ip proto 'proto' and not a fragment other than the first fragment */ 5046 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5047 b0 = gen_ipfrag(); 5048 gen_and(tmp, b0); 5049 5050 switch (dir) { 5051 case Q_SRC: 5052 b1 = gen_portatom(0, (bpf_int32)port); 5053 break; 5054 5055 case Q_DST: 5056 b1 = gen_portatom(2, (bpf_int32)port); 5057 break; 5058 5059 case Q_OR: 5060 case Q_DEFAULT: 5061 tmp = gen_portatom(0, (bpf_int32)port); 5062 b1 = gen_portatom(2, (bpf_int32)port); 5063 gen_or(tmp, b1); 5064 break; 5065 5066 case Q_AND: 5067 tmp = gen_portatom(0, (bpf_int32)port); 5068 b1 = gen_portatom(2, (bpf_int32)port); 5069 gen_and(tmp, b1); 5070 break; 5071 5072 default: 5073 abort(); 5074 } 5075 gen_and(b0, b1); 5076 5077 return b1; 5078 } 5079 5080 static struct block * 5081 gen_port(port, ip_proto, dir) 5082 int port; 5083 int ip_proto; 5084 int dir; 5085 { 5086 struct block *b0, *b1, *tmp; 5087 5088 /* 5089 * ether proto ip 5090 * 5091 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5092 * not LLC encapsulation with LLCSAP_IP. 5093 * 5094 * For IEEE 802 networks - which includes 802.5 token ring 5095 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5096 * says that SNAP encapsulation is used, not LLC encapsulation 5097 * with LLCSAP_IP. 5098 * 5099 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5100 * RFC 2225 say that SNAP encapsulation is used, not LLC 5101 * encapsulation with LLCSAP_IP. 5102 * 5103 * So we always check for ETHERTYPE_IP. 5104 */ 5105 b0 = gen_linktype(ETHERTYPE_IP); 5106 5107 switch (ip_proto) { 5108 case IPPROTO_UDP: 5109 case IPPROTO_TCP: 5110 case IPPROTO_SCTP: 5111 b1 = gen_portop(port, ip_proto, dir); 5112 break; 5113 5114 case PROTO_UNDEF: 5115 tmp = gen_portop(port, IPPROTO_TCP, dir); 5116 b1 = gen_portop(port, IPPROTO_UDP, dir); 5117 gen_or(tmp, b1); 5118 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5119 gen_or(tmp, b1); 5120 break; 5121 5122 default: 5123 abort(); 5124 } 5125 gen_and(b0, b1); 5126 return b1; 5127 } 5128 5129 struct block * 5130 gen_portop6(port, proto, dir) 5131 int port, proto, dir; 5132 { 5133 struct block *b0, *b1, *tmp; 5134 5135 /* ip6 proto 'proto' */ 5136 /* XXX - catch the first fragment of a fragmented packet? */ 5137 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5138 5139 switch (dir) { 5140 case Q_SRC: 5141 b1 = gen_portatom6(0, (bpf_int32)port); 5142 break; 5143 5144 case Q_DST: 5145 b1 = gen_portatom6(2, (bpf_int32)port); 5146 break; 5147 5148 case Q_OR: 5149 case Q_DEFAULT: 5150 tmp = gen_portatom6(0, (bpf_int32)port); 5151 b1 = gen_portatom6(2, (bpf_int32)port); 5152 gen_or(tmp, b1); 5153 break; 5154 5155 case Q_AND: 5156 tmp = gen_portatom6(0, (bpf_int32)port); 5157 b1 = gen_portatom6(2, (bpf_int32)port); 5158 gen_and(tmp, b1); 5159 break; 5160 5161 default: 5162 abort(); 5163 } 5164 gen_and(b0, b1); 5165 5166 return b1; 5167 } 5168 5169 static struct block * 5170 gen_port6(port, ip_proto, dir) 5171 int port; 5172 int ip_proto; 5173 int dir; 5174 { 5175 struct block *b0, *b1, *tmp; 5176 5177 /* link proto ip6 */ 5178 b0 = gen_linktype(ETHERTYPE_IPV6); 5179 5180 switch (ip_proto) { 5181 case IPPROTO_UDP: 5182 case IPPROTO_TCP: 5183 case IPPROTO_SCTP: 5184 b1 = gen_portop6(port, ip_proto, dir); 5185 break; 5186 5187 case PROTO_UNDEF: 5188 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5189 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5190 gen_or(tmp, b1); 5191 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5192 gen_or(tmp, b1); 5193 break; 5194 5195 default: 5196 abort(); 5197 } 5198 gen_and(b0, b1); 5199 return b1; 5200 } 5201 5202 /* gen_portrange code */ 5203 static struct block * 5204 gen_portrangeatom(off, v1, v2) 5205 int off; 5206 bpf_int32 v1, v2; 5207 { 5208 struct block *b1, *b2; 5209 5210 if (v1 > v2) { 5211 /* 5212 * Reverse the order of the ports, so v1 is the lower one. 5213 */ 5214 bpf_int32 vtemp; 5215 5216 vtemp = v1; 5217 v1 = v2; 5218 v2 = vtemp; 5219 } 5220 5221 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5222 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5223 5224 gen_and(b1, b2); 5225 5226 return b2; 5227 } 5228 5229 struct block * 5230 gen_portrangeop(port1, port2, proto, dir) 5231 int port1, port2; 5232 int proto; 5233 int dir; 5234 { 5235 struct block *b0, *b1, *tmp; 5236 5237 /* ip proto 'proto' and not a fragment other than the first fragment */ 5238 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5239 b0 = gen_ipfrag(); 5240 gen_and(tmp, b0); 5241 5242 switch (dir) { 5243 case Q_SRC: 5244 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5245 break; 5246 5247 case Q_DST: 5248 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5249 break; 5250 5251 case Q_OR: 5252 case Q_DEFAULT: 5253 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5254 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5255 gen_or(tmp, b1); 5256 break; 5257 5258 case Q_AND: 5259 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5260 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5261 gen_and(tmp, b1); 5262 break; 5263 5264 default: 5265 abort(); 5266 } 5267 gen_and(b0, b1); 5268 5269 return b1; 5270 } 5271 5272 static struct block * 5273 gen_portrange(port1, port2, ip_proto, dir) 5274 int port1, port2; 5275 int ip_proto; 5276 int dir; 5277 { 5278 struct block *b0, *b1, *tmp; 5279 5280 /* link proto ip */ 5281 b0 = gen_linktype(ETHERTYPE_IP); 5282 5283 switch (ip_proto) { 5284 case IPPROTO_UDP: 5285 case IPPROTO_TCP: 5286 case IPPROTO_SCTP: 5287 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5288 break; 5289 5290 case PROTO_UNDEF: 5291 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5292 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5293 gen_or(tmp, b1); 5294 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5295 gen_or(tmp, b1); 5296 break; 5297 5298 default: 5299 abort(); 5300 } 5301 gen_and(b0, b1); 5302 return b1; 5303 } 5304 5305 static struct block * 5306 gen_portrangeatom6(off, v1, v2) 5307 int off; 5308 bpf_int32 v1, v2; 5309 { 5310 struct block *b1, *b2; 5311 5312 if (v1 > v2) { 5313 /* 5314 * Reverse the order of the ports, so v1 is the lower one. 5315 */ 5316 bpf_int32 vtemp; 5317 5318 vtemp = v1; 5319 v1 = v2; 5320 v2 = vtemp; 5321 } 5322 5323 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5324 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5325 5326 gen_and(b1, b2); 5327 5328 return b2; 5329 } 5330 5331 struct block * 5332 gen_portrangeop6(port1, port2, proto, dir) 5333 int port1, port2; 5334 int proto; 5335 int dir; 5336 { 5337 struct block *b0, *b1, *tmp; 5338 5339 /* ip6 proto 'proto' */ 5340 /* XXX - catch the first fragment of a fragmented packet? */ 5341 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5342 5343 switch (dir) { 5344 case Q_SRC: 5345 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5346 break; 5347 5348 case Q_DST: 5349 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5350 break; 5351 5352 case Q_OR: 5353 case Q_DEFAULT: 5354 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5355 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5356 gen_or(tmp, b1); 5357 break; 5358 5359 case Q_AND: 5360 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5361 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5362 gen_and(tmp, b1); 5363 break; 5364 5365 default: 5366 abort(); 5367 } 5368 gen_and(b0, b1); 5369 5370 return b1; 5371 } 5372 5373 static struct block * 5374 gen_portrange6(port1, port2, ip_proto, dir) 5375 int port1, port2; 5376 int ip_proto; 5377 int dir; 5378 { 5379 struct block *b0, *b1, *tmp; 5380 5381 /* link proto ip6 */ 5382 b0 = gen_linktype(ETHERTYPE_IPV6); 5383 5384 switch (ip_proto) { 5385 case IPPROTO_UDP: 5386 case IPPROTO_TCP: 5387 case IPPROTO_SCTP: 5388 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5389 break; 5390 5391 case PROTO_UNDEF: 5392 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5393 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5394 gen_or(tmp, b1); 5395 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5396 gen_or(tmp, b1); 5397 break; 5398 5399 default: 5400 abort(); 5401 } 5402 gen_and(b0, b1); 5403 return b1; 5404 } 5405 5406 static int 5407 lookup_proto(name, proto) 5408 register const char *name; 5409 register int proto; 5410 { 5411 register int v; 5412 5413 switch (proto) { 5414 5415 case Q_DEFAULT: 5416 case Q_IP: 5417 case Q_IPV6: 5418 v = pcap_nametoproto(name); 5419 if (v == PROTO_UNDEF) 5420 bpf_error("unknown ip proto '%s'", name); 5421 break; 5422 5423 case Q_LINK: 5424 /* XXX should look up h/w protocol type based on linktype */ 5425 v = pcap_nametoeproto(name); 5426 if (v == PROTO_UNDEF) { 5427 v = pcap_nametollc(name); 5428 if (v == PROTO_UNDEF) 5429 bpf_error("unknown ether proto '%s'", name); 5430 } 5431 break; 5432 5433 case Q_ISO: 5434 if (strcmp(name, "esis") == 0) 5435 v = ISO9542_ESIS; 5436 else if (strcmp(name, "isis") == 0) 5437 v = ISO10589_ISIS; 5438 else if (strcmp(name, "clnp") == 0) 5439 v = ISO8473_CLNP; 5440 else 5441 bpf_error("unknown osi proto '%s'", name); 5442 break; 5443 5444 default: 5445 v = PROTO_UNDEF; 5446 break; 5447 } 5448 return v; 5449 } 5450 5451 #if 0 5452 struct stmt * 5453 gen_joinsp(s, n) 5454 struct stmt **s; 5455 int n; 5456 { 5457 return NULL; 5458 } 5459 #endif 5460 5461 static struct block * 5462 gen_protochain(v, proto, dir) 5463 int v; 5464 int proto; 5465 int dir; 5466 { 5467 #ifdef NO_PROTOCHAIN 5468 return gen_proto(v, proto, dir); 5469 #else 5470 struct block *b0, *b; 5471 struct slist *s[100]; 5472 int fix2, fix3, fix4, fix5; 5473 int ahcheck, again, end; 5474 int i, max; 5475 int reg2 = alloc_reg(); 5476 5477 memset(s, 0, sizeof(s)); 5478 fix2 = fix3 = fix4 = fix5 = 0; 5479 5480 switch (proto) { 5481 case Q_IP: 5482 case Q_IPV6: 5483 break; 5484 case Q_DEFAULT: 5485 b0 = gen_protochain(v, Q_IP, dir); 5486 b = gen_protochain(v, Q_IPV6, dir); 5487 gen_or(b0, b); 5488 return b; 5489 default: 5490 bpf_error("bad protocol applied for 'protochain'"); 5491 /*NOTREACHED*/ 5492 } 5493 5494 /* 5495 * We don't handle variable-length prefixes before the link-layer 5496 * header, or variable-length link-layer headers, here yet. 5497 * We might want to add BPF instructions to do the protochain 5498 * work, to simplify that and, on platforms that have a BPF 5499 * interpreter with the new instructions, let the filtering 5500 * be done in the kernel. (We already require a modified BPF 5501 * engine to do the protochain stuff, to support backward 5502 * branches, and backward branch support is unlikely to appear 5503 * in kernel BPF engines.) 5504 */ 5505 switch (linktype) { 5506 5507 case DLT_IEEE802_11: 5508 case DLT_PRISM_HEADER: 5509 case DLT_IEEE802_11_RADIO_AVS: 5510 case DLT_IEEE802_11_RADIO: 5511 case DLT_PPI: 5512 bpf_error("'protochain' not supported with 802.11"); 5513 } 5514 5515 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5516 5517 /* 5518 * s[0] is a dummy entry to protect other BPF insn from damage 5519 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5520 * hard to find interdependency made by jump table fixup. 5521 */ 5522 i = 0; 5523 s[i] = new_stmt(0); /*dummy*/ 5524 i++; 5525 5526 switch (proto) { 5527 case Q_IP: 5528 b0 = gen_linktype(ETHERTYPE_IP); 5529 5530 /* A = ip->ip_p */ 5531 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5532 s[i]->s.k = off_macpl + off_nl + 9; 5533 i++; 5534 /* X = ip->ip_hl << 2 */ 5535 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5536 s[i]->s.k = off_macpl + off_nl; 5537 i++; 5538 break; 5539 5540 case Q_IPV6: 5541 b0 = gen_linktype(ETHERTYPE_IPV6); 5542 5543 /* A = ip6->ip_nxt */ 5544 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5545 s[i]->s.k = off_macpl + off_nl + 6; 5546 i++; 5547 /* X = sizeof(struct ip6_hdr) */ 5548 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5549 s[i]->s.k = 40; 5550 i++; 5551 break; 5552 5553 default: 5554 bpf_error("unsupported proto to gen_protochain"); 5555 /*NOTREACHED*/ 5556 } 5557 5558 /* again: if (A == v) goto end; else fall through; */ 5559 again = i; 5560 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5561 s[i]->s.k = v; 5562 s[i]->s.jt = NULL; /*later*/ 5563 s[i]->s.jf = NULL; /*update in next stmt*/ 5564 fix5 = i; 5565 i++; 5566 5567 #ifndef IPPROTO_NONE 5568 #define IPPROTO_NONE 59 5569 #endif 5570 /* if (A == IPPROTO_NONE) goto end */ 5571 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5572 s[i]->s.jt = NULL; /*later*/ 5573 s[i]->s.jf = NULL; /*update in next stmt*/ 5574 s[i]->s.k = IPPROTO_NONE; 5575 s[fix5]->s.jf = s[i]; 5576 fix2 = i; 5577 i++; 5578 5579 if (proto == Q_IPV6) { 5580 int v6start, v6end, v6advance, j; 5581 5582 v6start = i; 5583 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5584 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5585 s[i]->s.jt = NULL; /*later*/ 5586 s[i]->s.jf = NULL; /*update in next stmt*/ 5587 s[i]->s.k = IPPROTO_HOPOPTS; 5588 s[fix2]->s.jf = s[i]; 5589 i++; 5590 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5591 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5592 s[i]->s.jt = NULL; /*later*/ 5593 s[i]->s.jf = NULL; /*update in next stmt*/ 5594 s[i]->s.k = IPPROTO_DSTOPTS; 5595 i++; 5596 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5597 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5598 s[i]->s.jt = NULL; /*later*/ 5599 s[i]->s.jf = NULL; /*update in next stmt*/ 5600 s[i]->s.k = IPPROTO_ROUTING; 5601 i++; 5602 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5603 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5604 s[i]->s.jt = NULL; /*later*/ 5605 s[i]->s.jf = NULL; /*later*/ 5606 s[i]->s.k = IPPROTO_FRAGMENT; 5607 fix3 = i; 5608 v6end = i; 5609 i++; 5610 5611 /* v6advance: */ 5612 v6advance = i; 5613 5614 /* 5615 * in short, 5616 * A = P[X + packet head]; 5617 * X = X + (P[X + packet head + 1] + 1) * 8; 5618 */ 5619 /* A = P[X + packet head] */ 5620 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5621 s[i]->s.k = off_macpl + off_nl; 5622 i++; 5623 /* MEM[reg2] = A */ 5624 s[i] = new_stmt(BPF_ST); 5625 s[i]->s.k = reg2; 5626 i++; 5627 /* A = P[X + packet head + 1]; */ 5628 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5629 s[i]->s.k = off_macpl + off_nl + 1; 5630 i++; 5631 /* A += 1 */ 5632 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5633 s[i]->s.k = 1; 5634 i++; 5635 /* A *= 8 */ 5636 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5637 s[i]->s.k = 8; 5638 i++; 5639 /* A += X */ 5640 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5641 s[i]->s.k = 0; 5642 i++; 5643 /* X = A; */ 5644 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5645 i++; 5646 /* A = MEM[reg2] */ 5647 s[i] = new_stmt(BPF_LD|BPF_MEM); 5648 s[i]->s.k = reg2; 5649 i++; 5650 5651 /* goto again; (must use BPF_JA for backward jump) */ 5652 s[i] = new_stmt(BPF_JMP|BPF_JA); 5653 s[i]->s.k = again - i - 1; 5654 s[i - 1]->s.jf = s[i]; 5655 i++; 5656 5657 /* fixup */ 5658 for (j = v6start; j <= v6end; j++) 5659 s[j]->s.jt = s[v6advance]; 5660 } else { 5661 /* nop */ 5662 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5663 s[i]->s.k = 0; 5664 s[fix2]->s.jf = s[i]; 5665 i++; 5666 } 5667 5668 /* ahcheck: */ 5669 ahcheck = i; 5670 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5671 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5672 s[i]->s.jt = NULL; /*later*/ 5673 s[i]->s.jf = NULL; /*later*/ 5674 s[i]->s.k = IPPROTO_AH; 5675 if (fix3) 5676 s[fix3]->s.jf = s[ahcheck]; 5677 fix4 = i; 5678 i++; 5679 5680 /* 5681 * in short, 5682 * A = P[X]; 5683 * X = X + (P[X + 1] + 2) * 4; 5684 */ 5685 /* A = X */ 5686 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5687 i++; 5688 /* A = P[X + packet head]; */ 5689 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5690 s[i]->s.k = off_macpl + off_nl; 5691 i++; 5692 /* MEM[reg2] = A */ 5693 s[i] = new_stmt(BPF_ST); 5694 s[i]->s.k = reg2; 5695 i++; 5696 /* A = X */ 5697 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5698 i++; 5699 /* A += 1 */ 5700 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5701 s[i]->s.k = 1; 5702 i++; 5703 /* X = A */ 5704 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5705 i++; 5706 /* A = P[X + packet head] */ 5707 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5708 s[i]->s.k = off_macpl + off_nl; 5709 i++; 5710 /* A += 2 */ 5711 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5712 s[i]->s.k = 2; 5713 i++; 5714 /* A *= 4 */ 5715 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5716 s[i]->s.k = 4; 5717 i++; 5718 /* X = A; */ 5719 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5720 i++; 5721 /* A = MEM[reg2] */ 5722 s[i] = new_stmt(BPF_LD|BPF_MEM); 5723 s[i]->s.k = reg2; 5724 i++; 5725 5726 /* goto again; (must use BPF_JA for backward jump) */ 5727 s[i] = new_stmt(BPF_JMP|BPF_JA); 5728 s[i]->s.k = again - i - 1; 5729 i++; 5730 5731 /* end: nop */ 5732 end = i; 5733 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5734 s[i]->s.k = 0; 5735 s[fix2]->s.jt = s[end]; 5736 s[fix4]->s.jf = s[end]; 5737 s[fix5]->s.jt = s[end]; 5738 i++; 5739 5740 /* 5741 * make slist chain 5742 */ 5743 max = i; 5744 for (i = 0; i < max - 1; i++) 5745 s[i]->next = s[i + 1]; 5746 s[max - 1]->next = NULL; 5747 5748 /* 5749 * emit final check 5750 */ 5751 b = new_block(JMP(BPF_JEQ)); 5752 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5753 b->s.k = v; 5754 5755 free_reg(reg2); 5756 5757 gen_and(b0, b); 5758 return b; 5759 #endif 5760 } 5761 5762 static struct block * 5763 gen_check_802_11_data_frame() 5764 { 5765 struct slist *s; 5766 struct block *b0, *b1; 5767 5768 /* 5769 * A data frame has the 0x08 bit (b3) in the frame control field set 5770 * and the 0x04 bit (b2) clear. 5771 */ 5772 s = gen_load_a(OR_LINK, 0, BPF_B); 5773 b0 = new_block(JMP(BPF_JSET)); 5774 b0->s.k = 0x08; 5775 b0->stmts = s; 5776 5777 s = gen_load_a(OR_LINK, 0, BPF_B); 5778 b1 = new_block(JMP(BPF_JSET)); 5779 b1->s.k = 0x04; 5780 b1->stmts = s; 5781 gen_not(b1); 5782 5783 gen_and(b1, b0); 5784 5785 return b0; 5786 } 5787 5788 /* 5789 * Generate code that checks whether the packet is a packet for protocol 5790 * <proto> and whether the type field in that protocol's header has 5791 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5792 * IP packet and checks the protocol number in the IP header against <v>. 5793 * 5794 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5795 * against Q_IP and Q_IPV6. 5796 */ 5797 static struct block * 5798 gen_proto(v, proto, dir) 5799 int v; 5800 int proto; 5801 int dir; 5802 { 5803 struct block *b0, *b1; 5804 #ifndef CHASE_CHAIN 5805 struct block *b2; 5806 #endif 5807 5808 if (dir != Q_DEFAULT) 5809 bpf_error("direction applied to 'proto'"); 5810 5811 switch (proto) { 5812 case Q_DEFAULT: 5813 b0 = gen_proto(v, Q_IP, dir); 5814 b1 = gen_proto(v, Q_IPV6, dir); 5815 gen_or(b0, b1); 5816 return b1; 5817 5818 case Q_IP: 5819 /* 5820 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5821 * not LLC encapsulation with LLCSAP_IP. 5822 * 5823 * For IEEE 802 networks - which includes 802.5 token ring 5824 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5825 * says that SNAP encapsulation is used, not LLC encapsulation 5826 * with LLCSAP_IP. 5827 * 5828 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5829 * RFC 2225 say that SNAP encapsulation is used, not LLC 5830 * encapsulation with LLCSAP_IP. 5831 * 5832 * So we always check for ETHERTYPE_IP. 5833 */ 5834 b0 = gen_linktype(ETHERTYPE_IP); 5835 #ifndef CHASE_CHAIN 5836 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5837 #else 5838 b1 = gen_protochain(v, Q_IP); 5839 #endif 5840 gen_and(b0, b1); 5841 return b1; 5842 5843 case Q_ISO: 5844 switch (linktype) { 5845 5846 case DLT_FRELAY: 5847 /* 5848 * Frame Relay packets typically have an OSI 5849 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5850 * generates code to check for all the OSI 5851 * NLPIDs, so calling it and then adding a check 5852 * for the particular NLPID for which we're 5853 * looking is bogus, as we can just check for 5854 * the NLPID. 5855 * 5856 * What we check for is the NLPID and a frame 5857 * control field value of UI, i.e. 0x03 followed 5858 * by the NLPID. 5859 * 5860 * XXX - assumes a 2-byte Frame Relay header with 5861 * DLCI and flags. What if the address is longer? 5862 * 5863 * XXX - what about SNAP-encapsulated frames? 5864 */ 5865 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5866 /*NOTREACHED*/ 5867 break; 5868 5869 case DLT_C_HDLC: 5870 /* 5871 * Cisco uses an Ethertype lookalike - for OSI, 5872 * it's 0xfefe. 5873 */ 5874 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5875 /* OSI in C-HDLC is stuffed with a fudge byte */ 5876 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5877 gen_and(b0, b1); 5878 return b1; 5879 5880 default: 5881 b0 = gen_linktype(LLCSAP_ISONS); 5882 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5883 gen_and(b0, b1); 5884 return b1; 5885 } 5886 5887 case Q_ISIS: 5888 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5889 /* 5890 * 4 is the offset of the PDU type relative to the IS-IS 5891 * header. 5892 */ 5893 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5894 gen_and(b0, b1); 5895 return b1; 5896 5897 case Q_ARP: 5898 bpf_error("arp does not encapsulate another protocol"); 5899 /* NOTREACHED */ 5900 5901 case Q_RARP: 5902 bpf_error("rarp does not encapsulate another protocol"); 5903 /* NOTREACHED */ 5904 5905 case Q_ATALK: 5906 bpf_error("atalk encapsulation is not specifiable"); 5907 /* NOTREACHED */ 5908 5909 case Q_DECNET: 5910 bpf_error("decnet encapsulation is not specifiable"); 5911 /* NOTREACHED */ 5912 5913 case Q_SCA: 5914 bpf_error("sca does not encapsulate another protocol"); 5915 /* NOTREACHED */ 5916 5917 case Q_LAT: 5918 bpf_error("lat does not encapsulate another protocol"); 5919 /* NOTREACHED */ 5920 5921 case Q_MOPRC: 5922 bpf_error("moprc does not encapsulate another protocol"); 5923 /* NOTREACHED */ 5924 5925 case Q_MOPDL: 5926 bpf_error("mopdl does not encapsulate another protocol"); 5927 /* NOTREACHED */ 5928 5929 case Q_LINK: 5930 return gen_linktype(v); 5931 5932 case Q_UDP: 5933 bpf_error("'udp proto' is bogus"); 5934 /* NOTREACHED */ 5935 5936 case Q_TCP: 5937 bpf_error("'tcp proto' is bogus"); 5938 /* NOTREACHED */ 5939 5940 case Q_SCTP: 5941 bpf_error("'sctp proto' is bogus"); 5942 /* NOTREACHED */ 5943 5944 case Q_ICMP: 5945 bpf_error("'icmp proto' is bogus"); 5946 /* NOTREACHED */ 5947 5948 case Q_IGMP: 5949 bpf_error("'igmp proto' is bogus"); 5950 /* NOTREACHED */ 5951 5952 case Q_IGRP: 5953 bpf_error("'igrp proto' is bogus"); 5954 /* NOTREACHED */ 5955 5956 case Q_PIM: 5957 bpf_error("'pim proto' is bogus"); 5958 /* NOTREACHED */ 5959 5960 case Q_VRRP: 5961 bpf_error("'vrrp proto' is bogus"); 5962 /* NOTREACHED */ 5963 5964 case Q_CARP: 5965 bpf_error("'carp proto' is bogus"); 5966 /* NOTREACHED */ 5967 5968 case Q_IPV6: 5969 b0 = gen_linktype(ETHERTYPE_IPV6); 5970 #ifndef CHASE_CHAIN 5971 /* 5972 * Also check for a fragment header before the final 5973 * header. 5974 */ 5975 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT); 5976 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v); 5977 gen_and(b2, b1); 5978 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 5979 gen_or(b2, b1); 5980 #else 5981 b1 = gen_protochain(v, Q_IPV6); 5982 #endif 5983 gen_and(b0, b1); 5984 return b1; 5985 5986 case Q_ICMPV6: 5987 bpf_error("'icmp6 proto' is bogus"); 5988 5989 case Q_AH: 5990 bpf_error("'ah proto' is bogus"); 5991 5992 case Q_ESP: 5993 bpf_error("'ah proto' is bogus"); 5994 5995 case Q_STP: 5996 bpf_error("'stp proto' is bogus"); 5997 5998 case Q_IPX: 5999 bpf_error("'ipx proto' is bogus"); 6000 6001 case Q_NETBEUI: 6002 bpf_error("'netbeui proto' is bogus"); 6003 6004 case Q_RADIO: 6005 bpf_error("'radio proto' is bogus"); 6006 6007 default: 6008 abort(); 6009 /* NOTREACHED */ 6010 } 6011 /* NOTREACHED */ 6012 } 6013 6014 struct block * 6015 gen_scode(name, q) 6016 register const char *name; 6017 struct qual q; 6018 { 6019 int proto = q.proto; 6020 int dir = q.dir; 6021 int tproto; 6022 u_char *eaddr; 6023 bpf_u_int32 mask, addr; 6024 #ifndef INET6 6025 bpf_u_int32 **alist; 6026 #else 6027 int tproto6; 6028 struct sockaddr_in *sin4; 6029 struct sockaddr_in6 *sin6; 6030 struct addrinfo *res, *res0; 6031 struct in6_addr mask128; 6032 #endif /*INET6*/ 6033 struct block *b, *tmp; 6034 int port, real_proto; 6035 int port1, port2; 6036 6037 switch (q.addr) { 6038 6039 case Q_NET: 6040 addr = pcap_nametonetaddr(name); 6041 if (addr == 0) 6042 bpf_error("unknown network '%s'", name); 6043 /* Left justify network addr and calculate its network mask */ 6044 mask = 0xffffffff; 6045 while (addr && (addr & 0xff000000) == 0) { 6046 addr <<= 8; 6047 mask <<= 8; 6048 } 6049 return gen_host(addr, mask, proto, dir, q.addr); 6050 6051 case Q_DEFAULT: 6052 case Q_HOST: 6053 if (proto == Q_LINK) { 6054 switch (linktype) { 6055 6056 case DLT_EN10MB: 6057 case DLT_NETANALYZER: 6058 case DLT_NETANALYZER_TRANSPARENT: 6059 eaddr = pcap_ether_hostton(name); 6060 if (eaddr == NULL) 6061 bpf_error( 6062 "unknown ether host '%s'", name); 6063 b = gen_ehostop(eaddr, dir); 6064 free(eaddr); 6065 return b; 6066 6067 case DLT_FDDI: 6068 eaddr = pcap_ether_hostton(name); 6069 if (eaddr == NULL) 6070 bpf_error( 6071 "unknown FDDI host '%s'", name); 6072 b = gen_fhostop(eaddr, dir); 6073 free(eaddr); 6074 return b; 6075 6076 case DLT_IEEE802: 6077 eaddr = pcap_ether_hostton(name); 6078 if (eaddr == NULL) 6079 bpf_error( 6080 "unknown token ring host '%s'", name); 6081 b = gen_thostop(eaddr, dir); 6082 free(eaddr); 6083 return b; 6084 6085 case DLT_IEEE802_11: 6086 case DLT_PRISM_HEADER: 6087 case DLT_IEEE802_11_RADIO_AVS: 6088 case DLT_IEEE802_11_RADIO: 6089 case DLT_PPI: 6090 eaddr = pcap_ether_hostton(name); 6091 if (eaddr == NULL) 6092 bpf_error( 6093 "unknown 802.11 host '%s'", name); 6094 b = gen_wlanhostop(eaddr, dir); 6095 free(eaddr); 6096 return b; 6097 6098 case DLT_IP_OVER_FC: 6099 eaddr = pcap_ether_hostton(name); 6100 if (eaddr == NULL) 6101 bpf_error( 6102 "unknown Fibre Channel host '%s'", name); 6103 b = gen_ipfchostop(eaddr, dir); 6104 free(eaddr); 6105 return b; 6106 6107 case DLT_SUNATM: 6108 if (!is_lane) 6109 break; 6110 6111 /* 6112 * Check that the packet doesn't begin 6113 * with an LE Control marker. (We've 6114 * already generated a test for LANE.) 6115 */ 6116 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6117 BPF_H, 0xFF00); 6118 gen_not(tmp); 6119 6120 eaddr = pcap_ether_hostton(name); 6121 if (eaddr == NULL) 6122 bpf_error( 6123 "unknown ether host '%s'", name); 6124 b = gen_ehostop(eaddr, dir); 6125 gen_and(tmp, b); 6126 free(eaddr); 6127 return b; 6128 } 6129 6130 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6131 } else if (proto == Q_DECNET) { 6132 unsigned short dn_addr = __pcap_nametodnaddr(name); 6133 /* 6134 * I don't think DECNET hosts can be multihomed, so 6135 * there is no need to build up a list of addresses 6136 */ 6137 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6138 } else { 6139 #ifndef INET6 6140 alist = pcap_nametoaddr(name); 6141 if (alist == NULL || *alist == NULL) 6142 bpf_error("unknown host '%s'", name); 6143 tproto = proto; 6144 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6145 tproto = Q_IP; 6146 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6147 while (*alist) { 6148 tmp = gen_host(**alist++, 0xffffffff, 6149 tproto, dir, q.addr); 6150 gen_or(b, tmp); 6151 b = tmp; 6152 } 6153 return b; 6154 #else 6155 memset(&mask128, 0xff, sizeof(mask128)); 6156 res0 = res = pcap_nametoaddrinfo(name); 6157 if (res == NULL) 6158 bpf_error("unknown host '%s'", name); 6159 ai = res; 6160 b = tmp = NULL; 6161 tproto = tproto6 = proto; 6162 if (off_linktype == -1 && tproto == Q_DEFAULT) { 6163 tproto = Q_IP; 6164 tproto6 = Q_IPV6; 6165 } 6166 for (res = res0; res; res = res->ai_next) { 6167 switch (res->ai_family) { 6168 case AF_INET: 6169 if (tproto == Q_IPV6) 6170 continue; 6171 6172 sin4 = (struct sockaddr_in *) 6173 res->ai_addr; 6174 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6175 0xffffffff, tproto, dir, q.addr); 6176 break; 6177 case AF_INET6: 6178 if (tproto6 == Q_IP) 6179 continue; 6180 6181 sin6 = (struct sockaddr_in6 *) 6182 res->ai_addr; 6183 tmp = gen_host6(&sin6->sin6_addr, 6184 &mask128, tproto6, dir, q.addr); 6185 break; 6186 default: 6187 continue; 6188 } 6189 if (b) 6190 gen_or(b, tmp); 6191 b = tmp; 6192 } 6193 ai = NULL; 6194 freeaddrinfo(res0); 6195 if (b == NULL) { 6196 bpf_error("unknown host '%s'%s", name, 6197 (proto == Q_DEFAULT) 6198 ? "" 6199 : " for specified address family"); 6200 } 6201 return b; 6202 #endif /*INET6*/ 6203 } 6204 6205 case Q_PORT: 6206 if (proto != Q_DEFAULT && 6207 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6208 bpf_error("illegal qualifier of 'port'"); 6209 if (pcap_nametoport(name, &port, &real_proto) == 0) 6210 bpf_error("unknown port '%s'", name); 6211 if (proto == Q_UDP) { 6212 if (real_proto == IPPROTO_TCP) 6213 bpf_error("port '%s' is tcp", name); 6214 else if (real_proto == IPPROTO_SCTP) 6215 bpf_error("port '%s' is sctp", name); 6216 else 6217 /* override PROTO_UNDEF */ 6218 real_proto = IPPROTO_UDP; 6219 } 6220 if (proto == Q_TCP) { 6221 if (real_proto == IPPROTO_UDP) 6222 bpf_error("port '%s' is udp", name); 6223 6224 else if (real_proto == IPPROTO_SCTP) 6225 bpf_error("port '%s' is sctp", name); 6226 else 6227 /* override PROTO_UNDEF */ 6228 real_proto = IPPROTO_TCP; 6229 } 6230 if (proto == Q_SCTP) { 6231 if (real_proto == IPPROTO_UDP) 6232 bpf_error("port '%s' is udp", name); 6233 6234 else if (real_proto == IPPROTO_TCP) 6235 bpf_error("port '%s' is tcp", name); 6236 else 6237 /* override PROTO_UNDEF */ 6238 real_proto = IPPROTO_SCTP; 6239 } 6240 if (port < 0) 6241 bpf_error("illegal port number %d < 0", port); 6242 if (port > 65535) 6243 bpf_error("illegal port number %d > 65535", port); 6244 b = gen_port(port, real_proto, dir); 6245 gen_or(gen_port6(port, real_proto, dir), b); 6246 return b; 6247 6248 case Q_PORTRANGE: 6249 if (proto != Q_DEFAULT && 6250 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6251 bpf_error("illegal qualifier of 'portrange'"); 6252 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6253 bpf_error("unknown port in range '%s'", name); 6254 if (proto == Q_UDP) { 6255 if (real_proto == IPPROTO_TCP) 6256 bpf_error("port in range '%s' is tcp", name); 6257 else if (real_proto == IPPROTO_SCTP) 6258 bpf_error("port in range '%s' is sctp", name); 6259 else 6260 /* override PROTO_UNDEF */ 6261 real_proto = IPPROTO_UDP; 6262 } 6263 if (proto == Q_TCP) { 6264 if (real_proto == IPPROTO_UDP) 6265 bpf_error("port in range '%s' is udp", name); 6266 else if (real_proto == IPPROTO_SCTP) 6267 bpf_error("port in range '%s' is sctp", name); 6268 else 6269 /* override PROTO_UNDEF */ 6270 real_proto = IPPROTO_TCP; 6271 } 6272 if (proto == Q_SCTP) { 6273 if (real_proto == IPPROTO_UDP) 6274 bpf_error("port in range '%s' is udp", name); 6275 else if (real_proto == IPPROTO_TCP) 6276 bpf_error("port in range '%s' is tcp", name); 6277 else 6278 /* override PROTO_UNDEF */ 6279 real_proto = IPPROTO_SCTP; 6280 } 6281 if (port1 < 0) 6282 bpf_error("illegal port number %d < 0", port1); 6283 if (port1 > 65535) 6284 bpf_error("illegal port number %d > 65535", port1); 6285 if (port2 < 0) 6286 bpf_error("illegal port number %d < 0", port2); 6287 if (port2 > 65535) 6288 bpf_error("illegal port number %d > 65535", port2); 6289 6290 b = gen_portrange(port1, port2, real_proto, dir); 6291 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6292 return b; 6293 6294 case Q_GATEWAY: 6295 #ifndef INET6 6296 eaddr = pcap_ether_hostton(name); 6297 if (eaddr == NULL) 6298 bpf_error("unknown ether host: %s", name); 6299 6300 alist = pcap_nametoaddr(name); 6301 if (alist == NULL || *alist == NULL) 6302 bpf_error("unknown host '%s'", name); 6303 b = gen_gateway(eaddr, alist, proto, dir); 6304 free(eaddr); 6305 return b; 6306 #else 6307 bpf_error("'gateway' not supported in this configuration"); 6308 #endif /*INET6*/ 6309 6310 case Q_PROTO: 6311 real_proto = lookup_proto(name, proto); 6312 if (real_proto >= 0) 6313 return gen_proto(real_proto, proto, dir); 6314 else 6315 bpf_error("unknown protocol: %s", name); 6316 6317 case Q_PROTOCHAIN: 6318 real_proto = lookup_proto(name, proto); 6319 if (real_proto >= 0) 6320 return gen_protochain(real_proto, proto, dir); 6321 else 6322 bpf_error("unknown protocol: %s", name); 6323 6324 case Q_UNDEF: 6325 syntax(); 6326 /* NOTREACHED */ 6327 } 6328 abort(); 6329 /* NOTREACHED */ 6330 } 6331 6332 struct block * 6333 gen_mcode(s1, s2, masklen, q) 6334 register const char *s1, *s2; 6335 register int masklen; 6336 struct qual q; 6337 { 6338 register int nlen, mlen; 6339 bpf_u_int32 n, m; 6340 6341 nlen = __pcap_atoin(s1, &n); 6342 /* Promote short ipaddr */ 6343 n <<= 32 - nlen; 6344 6345 if (s2 != NULL) { 6346 mlen = __pcap_atoin(s2, &m); 6347 /* Promote short ipaddr */ 6348 m <<= 32 - mlen; 6349 if ((n & ~m) != 0) 6350 bpf_error("non-network bits set in \"%s mask %s\"", 6351 s1, s2); 6352 } else { 6353 /* Convert mask len to mask */ 6354 if (masklen > 32) 6355 bpf_error("mask length must be <= 32"); 6356 if (masklen == 0) { 6357 /* 6358 * X << 32 is not guaranteed by C to be 0; it's 6359 * undefined. 6360 */ 6361 m = 0; 6362 } else 6363 m = 0xffffffff << (32 - masklen); 6364 if ((n & ~m) != 0) 6365 bpf_error("non-network bits set in \"%s/%d\"", 6366 s1, masklen); 6367 } 6368 6369 switch (q.addr) { 6370 6371 case Q_NET: 6372 return gen_host(n, m, q.proto, q.dir, q.addr); 6373 6374 default: 6375 bpf_error("Mask syntax for networks only"); 6376 /* NOTREACHED */ 6377 } 6378 /* NOTREACHED */ 6379 return NULL; 6380 } 6381 6382 struct block * 6383 gen_ncode(s, v, q) 6384 register const char *s; 6385 bpf_u_int32 v; 6386 struct qual q; 6387 { 6388 bpf_u_int32 mask; 6389 int proto = q.proto; 6390 int dir = q.dir; 6391 register int vlen; 6392 6393 if (s == NULL) 6394 vlen = 32; 6395 else if (q.proto == Q_DECNET) 6396 vlen = __pcap_atodn(s, &v); 6397 else 6398 vlen = __pcap_atoin(s, &v); 6399 6400 switch (q.addr) { 6401 6402 case Q_DEFAULT: 6403 case Q_HOST: 6404 case Q_NET: 6405 if (proto == Q_DECNET) 6406 return gen_host(v, 0, proto, dir, q.addr); 6407 else if (proto == Q_LINK) { 6408 bpf_error("illegal link layer address"); 6409 } else { 6410 mask = 0xffffffff; 6411 if (s == NULL && q.addr == Q_NET) { 6412 /* Promote short net number */ 6413 while (v && (v & 0xff000000) == 0) { 6414 v <<= 8; 6415 mask <<= 8; 6416 } 6417 } else { 6418 /* Promote short ipaddr */ 6419 v <<= 32 - vlen; 6420 mask <<= 32 - vlen; 6421 } 6422 return gen_host(v, mask, proto, dir, q.addr); 6423 } 6424 6425 case Q_PORT: 6426 if (proto == Q_UDP) 6427 proto = IPPROTO_UDP; 6428 else if (proto == Q_TCP) 6429 proto = IPPROTO_TCP; 6430 else if (proto == Q_SCTP) 6431 proto = IPPROTO_SCTP; 6432 else if (proto == Q_DEFAULT) 6433 proto = PROTO_UNDEF; 6434 else 6435 bpf_error("illegal qualifier of 'port'"); 6436 6437 if (v > 65535) 6438 bpf_error("illegal port number %u > 65535", v); 6439 6440 { 6441 struct block *b; 6442 b = gen_port((int)v, proto, dir); 6443 gen_or(gen_port6((int)v, proto, dir), b); 6444 return b; 6445 } 6446 6447 case Q_PORTRANGE: 6448 if (proto == Q_UDP) 6449 proto = IPPROTO_UDP; 6450 else if (proto == Q_TCP) 6451 proto = IPPROTO_TCP; 6452 else if (proto == Q_SCTP) 6453 proto = IPPROTO_SCTP; 6454 else if (proto == Q_DEFAULT) 6455 proto = PROTO_UNDEF; 6456 else 6457 bpf_error("illegal qualifier of 'portrange'"); 6458 6459 if (v > 65535) 6460 bpf_error("illegal port number %u > 65535", v); 6461 6462 { 6463 struct block *b; 6464 b = gen_portrange((int)v, (int)v, proto, dir); 6465 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6466 return b; 6467 } 6468 6469 case Q_GATEWAY: 6470 bpf_error("'gateway' requires a name"); 6471 /* NOTREACHED */ 6472 6473 case Q_PROTO: 6474 return gen_proto((int)v, proto, dir); 6475 6476 case Q_PROTOCHAIN: 6477 return gen_protochain((int)v, proto, dir); 6478 6479 case Q_UNDEF: 6480 syntax(); 6481 /* NOTREACHED */ 6482 6483 default: 6484 abort(); 6485 /* NOTREACHED */ 6486 } 6487 /* NOTREACHED */ 6488 } 6489 6490 #ifdef INET6 6491 struct block * 6492 gen_mcode6(s1, s2, masklen, q) 6493 register const char *s1, *s2; 6494 register int masklen; 6495 struct qual q; 6496 { 6497 struct addrinfo *res; 6498 struct in6_addr *addr; 6499 struct in6_addr mask; 6500 struct block *b; 6501 u_int32_t *a, *m; 6502 6503 if (s2) 6504 bpf_error("no mask %s supported", s2); 6505 6506 res = pcap_nametoaddrinfo(s1); 6507 if (!res) 6508 bpf_error("invalid ip6 address %s", s1); 6509 ai = res; 6510 if (res->ai_next) 6511 bpf_error("%s resolved to multiple address", s1); 6512 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6513 6514 if (sizeof(mask) * 8 < masklen) 6515 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6516 memset(&mask, 0, sizeof(mask)); 6517 memset(&mask, 0xff, masklen / 8); 6518 if (masklen % 8) { 6519 mask.s6_addr[masklen / 8] = 6520 (0xff << (8 - masklen % 8)) & 0xff; 6521 } 6522 6523 a = (u_int32_t *)addr; 6524 m = (u_int32_t *)&mask; 6525 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6526 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6527 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6528 } 6529 6530 switch (q.addr) { 6531 6532 case Q_DEFAULT: 6533 case Q_HOST: 6534 if (masklen != 128) 6535 bpf_error("Mask syntax for networks only"); 6536 /* FALLTHROUGH */ 6537 6538 case Q_NET: 6539 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6540 ai = NULL; 6541 freeaddrinfo(res); 6542 return b; 6543 6544 default: 6545 bpf_error("invalid qualifier against IPv6 address"); 6546 /* NOTREACHED */ 6547 } 6548 return NULL; 6549 } 6550 #endif /*INET6*/ 6551 6552 struct block * 6553 gen_ecode(eaddr, q) 6554 register const u_char *eaddr; 6555 struct qual q; 6556 { 6557 struct block *b, *tmp; 6558 6559 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6560 switch (linktype) { 6561 case DLT_EN10MB: 6562 case DLT_NETANALYZER: 6563 case DLT_NETANALYZER_TRANSPARENT: 6564 return gen_ehostop(eaddr, (int)q.dir); 6565 case DLT_FDDI: 6566 return gen_fhostop(eaddr, (int)q.dir); 6567 case DLT_IEEE802: 6568 return gen_thostop(eaddr, (int)q.dir); 6569 case DLT_IEEE802_11: 6570 case DLT_PRISM_HEADER: 6571 case DLT_IEEE802_11_RADIO_AVS: 6572 case DLT_IEEE802_11_RADIO: 6573 case DLT_PPI: 6574 return gen_wlanhostop(eaddr, (int)q.dir); 6575 case DLT_SUNATM: 6576 if (is_lane) { 6577 /* 6578 * Check that the packet doesn't begin with an 6579 * LE Control marker. (We've already generated 6580 * a test for LANE.) 6581 */ 6582 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6583 0xFF00); 6584 gen_not(tmp); 6585 6586 /* 6587 * Now check the MAC address. 6588 */ 6589 b = gen_ehostop(eaddr, (int)q.dir); 6590 gen_and(tmp, b); 6591 return b; 6592 } 6593 break; 6594 case DLT_IP_OVER_FC: 6595 return gen_ipfchostop(eaddr, (int)q.dir); 6596 default: 6597 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6598 break; 6599 } 6600 } 6601 bpf_error("ethernet address used in non-ether expression"); 6602 /* NOTREACHED */ 6603 return NULL; 6604 } 6605 6606 void 6607 sappend(s0, s1) 6608 struct slist *s0, *s1; 6609 { 6610 /* 6611 * This is definitely not the best way to do this, but the 6612 * lists will rarely get long. 6613 */ 6614 while (s0->next) 6615 s0 = s0->next; 6616 s0->next = s1; 6617 } 6618 6619 static struct slist * 6620 xfer_to_x(a) 6621 struct arth *a; 6622 { 6623 struct slist *s; 6624 6625 s = new_stmt(BPF_LDX|BPF_MEM); 6626 s->s.k = a->regno; 6627 return s; 6628 } 6629 6630 static struct slist * 6631 xfer_to_a(a) 6632 struct arth *a; 6633 { 6634 struct slist *s; 6635 6636 s = new_stmt(BPF_LD|BPF_MEM); 6637 s->s.k = a->regno; 6638 return s; 6639 } 6640 6641 /* 6642 * Modify "index" to use the value stored into its register as an 6643 * offset relative to the beginning of the header for the protocol 6644 * "proto", and allocate a register and put an item "size" bytes long 6645 * (1, 2, or 4) at that offset into that register, making it the register 6646 * for "index". 6647 */ 6648 struct arth * 6649 gen_load(proto, inst, size) 6650 int proto; 6651 struct arth *inst; 6652 int size; 6653 { 6654 struct slist *s, *tmp; 6655 struct block *b; 6656 int regno = alloc_reg(); 6657 6658 free_reg(inst->regno); 6659 switch (size) { 6660 6661 default: 6662 bpf_error("data size must be 1, 2, or 4"); 6663 6664 case 1: 6665 size = BPF_B; 6666 break; 6667 6668 case 2: 6669 size = BPF_H; 6670 break; 6671 6672 case 4: 6673 size = BPF_W; 6674 break; 6675 } 6676 switch (proto) { 6677 default: 6678 bpf_error("unsupported index operation"); 6679 6680 case Q_RADIO: 6681 /* 6682 * The offset is relative to the beginning of the packet 6683 * data, if we have a radio header. (If we don't, this 6684 * is an error.) 6685 */ 6686 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6687 linktype != DLT_IEEE802_11_RADIO && 6688 linktype != DLT_PRISM_HEADER) 6689 bpf_error("radio information not present in capture"); 6690 6691 /* 6692 * Load into the X register the offset computed into the 6693 * register specified by "index". 6694 */ 6695 s = xfer_to_x(inst); 6696 6697 /* 6698 * Load the item at that offset. 6699 */ 6700 tmp = new_stmt(BPF_LD|BPF_IND|size); 6701 sappend(s, tmp); 6702 sappend(inst->s, s); 6703 break; 6704 6705 case Q_LINK: 6706 /* 6707 * The offset is relative to the beginning of 6708 * the link-layer header. 6709 * 6710 * XXX - what about ATM LANE? Should the index be 6711 * relative to the beginning of the AAL5 frame, so 6712 * that 0 refers to the beginning of the LE Control 6713 * field, or relative to the beginning of the LAN 6714 * frame, so that 0 refers, for Ethernet LANE, to 6715 * the beginning of the destination address? 6716 */ 6717 s = gen_llprefixlen(); 6718 6719 /* 6720 * If "s" is non-null, it has code to arrange that the 6721 * X register contains the length of the prefix preceding 6722 * the link-layer header. Add to it the offset computed 6723 * into the register specified by "index", and move that 6724 * into the X register. Otherwise, just load into the X 6725 * register the offset computed into the register specified 6726 * by "index". 6727 */ 6728 if (s != NULL) { 6729 sappend(s, xfer_to_a(inst)); 6730 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6731 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6732 } else 6733 s = xfer_to_x(inst); 6734 6735 /* 6736 * Load the item at the sum of the offset we've put in the 6737 * X register and the offset of the start of the link 6738 * layer header (which is 0 if the radio header is 6739 * variable-length; that header length is what we put 6740 * into the X register and then added to the index). 6741 */ 6742 tmp = new_stmt(BPF_LD|BPF_IND|size); 6743 tmp->s.k = off_ll; 6744 sappend(s, tmp); 6745 sappend(inst->s, s); 6746 break; 6747 6748 case Q_IP: 6749 case Q_ARP: 6750 case Q_RARP: 6751 case Q_ATALK: 6752 case Q_DECNET: 6753 case Q_SCA: 6754 case Q_LAT: 6755 case Q_MOPRC: 6756 case Q_MOPDL: 6757 case Q_IPV6: 6758 /* 6759 * The offset is relative to the beginning of 6760 * the network-layer header. 6761 * XXX - are there any cases where we want 6762 * off_nl_nosnap? 6763 */ 6764 s = gen_off_macpl(); 6765 6766 /* 6767 * If "s" is non-null, it has code to arrange that the 6768 * X register contains the offset of the MAC-layer 6769 * payload. Add to it the offset computed into the 6770 * register specified by "index", and move that into 6771 * the X register. Otherwise, just load into the X 6772 * register the offset computed into the register specified 6773 * by "index". 6774 */ 6775 if (s != NULL) { 6776 sappend(s, xfer_to_a(inst)); 6777 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6778 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6779 } else 6780 s = xfer_to_x(inst); 6781 6782 /* 6783 * Load the item at the sum of the offset we've put in the 6784 * X register, the offset of the start of the network 6785 * layer header from the beginning of the MAC-layer 6786 * payload, and the purported offset of the start of the 6787 * MAC-layer payload (which might be 0 if there's a 6788 * variable-length prefix before the link-layer header 6789 * or the link-layer header itself is variable-length; 6790 * the variable-length offset of the start of the 6791 * MAC-layer payload is what we put into the X register 6792 * and then added to the index). 6793 */ 6794 tmp = new_stmt(BPF_LD|BPF_IND|size); 6795 tmp->s.k = off_macpl + off_nl; 6796 sappend(s, tmp); 6797 sappend(inst->s, s); 6798 6799 /* 6800 * Do the computation only if the packet contains 6801 * the protocol in question. 6802 */ 6803 b = gen_proto_abbrev(proto); 6804 if (inst->b) 6805 gen_and(inst->b, b); 6806 inst->b = b; 6807 break; 6808 6809 case Q_SCTP: 6810 case Q_TCP: 6811 case Q_UDP: 6812 case Q_ICMP: 6813 case Q_IGMP: 6814 case Q_IGRP: 6815 case Q_PIM: 6816 case Q_VRRP: 6817 case Q_CARP: 6818 /* 6819 * The offset is relative to the beginning of 6820 * the transport-layer header. 6821 * 6822 * Load the X register with the length of the IPv4 header 6823 * (plus the offset of the link-layer header, if it's 6824 * a variable-length header), in bytes. 6825 * 6826 * XXX - are there any cases where we want 6827 * off_nl_nosnap? 6828 * XXX - we should, if we're built with 6829 * IPv6 support, generate code to load either 6830 * IPv4, IPv6, or both, as appropriate. 6831 */ 6832 s = gen_loadx_iphdrlen(); 6833 6834 /* 6835 * The X register now contains the sum of the length 6836 * of any variable-length header preceding the link-layer 6837 * header, any variable-length link-layer header, and the 6838 * length of the network-layer header. 6839 * 6840 * Load into the A register the offset relative to 6841 * the beginning of the transport layer header, 6842 * add the X register to that, move that to the 6843 * X register, and load with an offset from the 6844 * X register equal to the offset of the network 6845 * layer header relative to the beginning of 6846 * the MAC-layer payload plus the fixed-length 6847 * portion of the offset of the MAC-layer payload 6848 * from the beginning of the raw packet data. 6849 */ 6850 sappend(s, xfer_to_a(inst)); 6851 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6852 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6853 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6854 tmp->s.k = off_macpl + off_nl; 6855 sappend(inst->s, s); 6856 6857 /* 6858 * Do the computation only if the packet contains 6859 * the protocol in question - which is true only 6860 * if this is an IP datagram and is the first or 6861 * only fragment of that datagram. 6862 */ 6863 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6864 if (inst->b) 6865 gen_and(inst->b, b); 6866 gen_and(gen_proto_abbrev(Q_IP), b); 6867 inst->b = b; 6868 break; 6869 case Q_ICMPV6: 6870 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6871 /*NOTREACHED*/ 6872 } 6873 inst->regno = regno; 6874 s = new_stmt(BPF_ST); 6875 s->s.k = regno; 6876 sappend(inst->s, s); 6877 6878 return inst; 6879 } 6880 6881 struct block * 6882 gen_relation(code, a0, a1, reversed) 6883 int code; 6884 struct arth *a0, *a1; 6885 int reversed; 6886 { 6887 struct slist *s0, *s1, *s2; 6888 struct block *b, *tmp; 6889 6890 s0 = xfer_to_x(a1); 6891 s1 = xfer_to_a(a0); 6892 if (code == BPF_JEQ) { 6893 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6894 b = new_block(JMP(code)); 6895 sappend(s1, s2); 6896 } 6897 else 6898 b = new_block(BPF_JMP|code|BPF_X); 6899 if (reversed) 6900 gen_not(b); 6901 6902 sappend(s0, s1); 6903 sappend(a1->s, s0); 6904 sappend(a0->s, a1->s); 6905 6906 b->stmts = a0->s; 6907 6908 free_reg(a0->regno); 6909 free_reg(a1->regno); 6910 6911 /* 'and' together protocol checks */ 6912 if (a0->b) { 6913 if (a1->b) { 6914 gen_and(a0->b, tmp = a1->b); 6915 } 6916 else 6917 tmp = a0->b; 6918 } else 6919 tmp = a1->b; 6920 6921 if (tmp) 6922 gen_and(tmp, b); 6923 6924 return b; 6925 } 6926 6927 struct arth * 6928 gen_loadlen() 6929 { 6930 int regno = alloc_reg(); 6931 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6932 struct slist *s; 6933 6934 s = new_stmt(BPF_LD|BPF_LEN); 6935 s->next = new_stmt(BPF_ST); 6936 s->next->s.k = regno; 6937 a->s = s; 6938 a->regno = regno; 6939 6940 return a; 6941 } 6942 6943 struct arth * 6944 gen_loadi(val) 6945 int val; 6946 { 6947 struct arth *a; 6948 struct slist *s; 6949 int reg; 6950 6951 a = (struct arth *)newchunk(sizeof(*a)); 6952 6953 reg = alloc_reg(); 6954 6955 s = new_stmt(BPF_LD|BPF_IMM); 6956 s->s.k = val; 6957 s->next = new_stmt(BPF_ST); 6958 s->next->s.k = reg; 6959 a->s = s; 6960 a->regno = reg; 6961 6962 return a; 6963 } 6964 6965 struct arth * 6966 gen_neg(a) 6967 struct arth *a; 6968 { 6969 struct slist *s; 6970 6971 s = xfer_to_a(a); 6972 sappend(a->s, s); 6973 s = new_stmt(BPF_ALU|BPF_NEG); 6974 s->s.k = 0; 6975 sappend(a->s, s); 6976 s = new_stmt(BPF_ST); 6977 s->s.k = a->regno; 6978 sappend(a->s, s); 6979 6980 return a; 6981 } 6982 6983 struct arth * 6984 gen_arth(code, a0, a1) 6985 int code; 6986 struct arth *a0, *a1; 6987 { 6988 struct slist *s0, *s1, *s2; 6989 6990 s0 = xfer_to_x(a1); 6991 s1 = xfer_to_a(a0); 6992 s2 = new_stmt(BPF_ALU|BPF_X|code); 6993 6994 sappend(s1, s2); 6995 sappend(s0, s1); 6996 sappend(a1->s, s0); 6997 sappend(a0->s, a1->s); 6998 6999 free_reg(a0->regno); 7000 free_reg(a1->regno); 7001 7002 s0 = new_stmt(BPF_ST); 7003 a0->regno = s0->s.k = alloc_reg(); 7004 sappend(a0->s, s0); 7005 7006 return a0; 7007 } 7008 7009 /* 7010 * Here we handle simple allocation of the scratch registers. 7011 * If too many registers are alloc'd, the allocator punts. 7012 */ 7013 static int regused[BPF_MEMWORDS]; 7014 static int curreg; 7015 7016 /* 7017 * Initialize the table of used registers and the current register. 7018 */ 7019 static void 7020 init_regs() 7021 { 7022 curreg = 0; 7023 memset(regused, 0, sizeof regused); 7024 } 7025 7026 /* 7027 * Return the next free register. 7028 */ 7029 static int 7030 alloc_reg() 7031 { 7032 int n = BPF_MEMWORDS; 7033 7034 while (--n >= 0) { 7035 if (regused[curreg]) 7036 curreg = (curreg + 1) % BPF_MEMWORDS; 7037 else { 7038 regused[curreg] = 1; 7039 return curreg; 7040 } 7041 } 7042 bpf_error("too many registers needed to evaluate expression"); 7043 /* NOTREACHED */ 7044 return 0; 7045 } 7046 7047 /* 7048 * Return a register to the table so it can 7049 * be used later. 7050 */ 7051 static void 7052 free_reg(n) 7053 int n; 7054 { 7055 regused[n] = 0; 7056 } 7057 7058 static struct block * 7059 gen_len(jmp, n) 7060 int jmp, n; 7061 { 7062 struct slist *s; 7063 struct block *b; 7064 7065 s = new_stmt(BPF_LD|BPF_LEN); 7066 b = new_block(JMP(jmp)); 7067 b->stmts = s; 7068 b->s.k = n; 7069 7070 return b; 7071 } 7072 7073 struct block * 7074 gen_greater(n) 7075 int n; 7076 { 7077 return gen_len(BPF_JGE, n); 7078 } 7079 7080 /* 7081 * Actually, this is less than or equal. 7082 */ 7083 struct block * 7084 gen_less(n) 7085 int n; 7086 { 7087 struct block *b; 7088 7089 b = gen_len(BPF_JGT, n); 7090 gen_not(b); 7091 7092 return b; 7093 } 7094 7095 /* 7096 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7097 * the beginning of the link-layer header. 7098 * XXX - that means you can't test values in the radiotap header, but 7099 * as that header is difficult if not impossible to parse generally 7100 * without a loop, that might not be a severe problem. A new keyword 7101 * "radio" could be added for that, although what you'd really want 7102 * would be a way of testing particular radio header values, which 7103 * would generate code appropriate to the radio header in question. 7104 */ 7105 struct block * 7106 gen_byteop(op, idx, val) 7107 int op, idx, val; 7108 { 7109 struct block *b; 7110 struct slist *s; 7111 7112 switch (op) { 7113 default: 7114 abort(); 7115 7116 case '=': 7117 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7118 7119 case '<': 7120 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7121 return b; 7122 7123 case '>': 7124 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7125 return b; 7126 7127 case '|': 7128 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7129 break; 7130 7131 case '&': 7132 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7133 break; 7134 } 7135 s->s.k = val; 7136 b = new_block(JMP(BPF_JEQ)); 7137 b->stmts = s; 7138 gen_not(b); 7139 7140 return b; 7141 } 7142 7143 static u_char abroadcast[] = { 0x0 }; 7144 7145 struct block * 7146 gen_broadcast(proto) 7147 int proto; 7148 { 7149 bpf_u_int32 hostmask; 7150 struct block *b0, *b1, *b2; 7151 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7152 7153 switch (proto) { 7154 7155 case Q_DEFAULT: 7156 case Q_LINK: 7157 switch (linktype) { 7158 case DLT_ARCNET: 7159 case DLT_ARCNET_LINUX: 7160 return gen_ahostop(abroadcast, Q_DST); 7161 case DLT_EN10MB: 7162 case DLT_NETANALYZER: 7163 case DLT_NETANALYZER_TRANSPARENT: 7164 return gen_ehostop(ebroadcast, Q_DST); 7165 case DLT_FDDI: 7166 return gen_fhostop(ebroadcast, Q_DST); 7167 case DLT_IEEE802: 7168 return gen_thostop(ebroadcast, Q_DST); 7169 case DLT_IEEE802_11: 7170 case DLT_PRISM_HEADER: 7171 case DLT_IEEE802_11_RADIO_AVS: 7172 case DLT_IEEE802_11_RADIO: 7173 case DLT_PPI: 7174 return gen_wlanhostop(ebroadcast, Q_DST); 7175 case DLT_IP_OVER_FC: 7176 return gen_ipfchostop(ebroadcast, Q_DST); 7177 case DLT_SUNATM: 7178 if (is_lane) { 7179 /* 7180 * Check that the packet doesn't begin with an 7181 * LE Control marker. (We've already generated 7182 * a test for LANE.) 7183 */ 7184 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7185 BPF_H, 0xFF00); 7186 gen_not(b1); 7187 7188 /* 7189 * Now check the MAC address. 7190 */ 7191 b0 = gen_ehostop(ebroadcast, Q_DST); 7192 gen_and(b1, b0); 7193 return b0; 7194 } 7195 break; 7196 default: 7197 bpf_error("not a broadcast link"); 7198 } 7199 break; 7200 7201 case Q_IP: 7202 /* 7203 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7204 * as an indication that we don't know the netmask, and fail 7205 * in that case. 7206 */ 7207 if (netmask == PCAP_NETMASK_UNKNOWN) 7208 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7209 b0 = gen_linktype(ETHERTYPE_IP); 7210 hostmask = ~netmask; 7211 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7212 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7213 (bpf_int32)(~0 & hostmask), hostmask); 7214 gen_or(b1, b2); 7215 gen_and(b0, b2); 7216 return b2; 7217 } 7218 bpf_error("only link-layer/IP broadcast filters supported"); 7219 /* NOTREACHED */ 7220 return NULL; 7221 } 7222 7223 /* 7224 * Generate code to test the low-order bit of a MAC address (that's 7225 * the bottom bit of the *first* byte). 7226 */ 7227 static struct block * 7228 gen_mac_multicast(offset) 7229 int offset; 7230 { 7231 register struct block *b0; 7232 register struct slist *s; 7233 7234 /* link[offset] & 1 != 0 */ 7235 s = gen_load_a(OR_LINK, offset, BPF_B); 7236 b0 = new_block(JMP(BPF_JSET)); 7237 b0->s.k = 1; 7238 b0->stmts = s; 7239 return b0; 7240 } 7241 7242 struct block * 7243 gen_multicast(proto) 7244 int proto; 7245 { 7246 register struct block *b0, *b1, *b2; 7247 register struct slist *s; 7248 7249 switch (proto) { 7250 7251 case Q_DEFAULT: 7252 case Q_LINK: 7253 switch (linktype) { 7254 case DLT_ARCNET: 7255 case DLT_ARCNET_LINUX: 7256 /* all ARCnet multicasts use the same address */ 7257 return gen_ahostop(abroadcast, Q_DST); 7258 case DLT_EN10MB: 7259 case DLT_NETANALYZER: 7260 case DLT_NETANALYZER_TRANSPARENT: 7261 /* ether[0] & 1 != 0 */ 7262 return gen_mac_multicast(0); 7263 case DLT_FDDI: 7264 /* 7265 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7266 * 7267 * XXX - was that referring to bit-order issues? 7268 */ 7269 /* fddi[1] & 1 != 0 */ 7270 return gen_mac_multicast(1); 7271 case DLT_IEEE802: 7272 /* tr[2] & 1 != 0 */ 7273 return gen_mac_multicast(2); 7274 case DLT_IEEE802_11: 7275 case DLT_PRISM_HEADER: 7276 case DLT_IEEE802_11_RADIO_AVS: 7277 case DLT_IEEE802_11_RADIO: 7278 case DLT_PPI: 7279 /* 7280 * Oh, yuk. 7281 * 7282 * For control frames, there is no DA. 7283 * 7284 * For management frames, DA is at an 7285 * offset of 4 from the beginning of 7286 * the packet. 7287 * 7288 * For data frames, DA is at an offset 7289 * of 4 from the beginning of the packet 7290 * if To DS is clear and at an offset of 7291 * 16 from the beginning of the packet 7292 * if To DS is set. 7293 */ 7294 7295 /* 7296 * Generate the tests to be done for data frames. 7297 * 7298 * First, check for To DS set, i.e. "link[1] & 0x01". 7299 */ 7300 s = gen_load_a(OR_LINK, 1, BPF_B); 7301 b1 = new_block(JMP(BPF_JSET)); 7302 b1->s.k = 0x01; /* To DS */ 7303 b1->stmts = s; 7304 7305 /* 7306 * If To DS is set, the DA is at 16. 7307 */ 7308 b0 = gen_mac_multicast(16); 7309 gen_and(b1, b0); 7310 7311 /* 7312 * Now, check for To DS not set, i.e. check 7313 * "!(link[1] & 0x01)". 7314 */ 7315 s = gen_load_a(OR_LINK, 1, BPF_B); 7316 b2 = new_block(JMP(BPF_JSET)); 7317 b2->s.k = 0x01; /* To DS */ 7318 b2->stmts = s; 7319 gen_not(b2); 7320 7321 /* 7322 * If To DS is not set, the DA is at 4. 7323 */ 7324 b1 = gen_mac_multicast(4); 7325 gen_and(b2, b1); 7326 7327 /* 7328 * Now OR together the last two checks. That gives 7329 * the complete set of checks for data frames. 7330 */ 7331 gen_or(b1, b0); 7332 7333 /* 7334 * Now check for a data frame. 7335 * I.e, check "link[0] & 0x08". 7336 */ 7337 s = gen_load_a(OR_LINK, 0, BPF_B); 7338 b1 = new_block(JMP(BPF_JSET)); 7339 b1->s.k = 0x08; 7340 b1->stmts = s; 7341 7342 /* 7343 * AND that with the checks done for data frames. 7344 */ 7345 gen_and(b1, b0); 7346 7347 /* 7348 * If the high-order bit of the type value is 0, this 7349 * is a management frame. 7350 * I.e, check "!(link[0] & 0x08)". 7351 */ 7352 s = gen_load_a(OR_LINK, 0, BPF_B); 7353 b2 = new_block(JMP(BPF_JSET)); 7354 b2->s.k = 0x08; 7355 b2->stmts = s; 7356 gen_not(b2); 7357 7358 /* 7359 * For management frames, the DA is at 4. 7360 */ 7361 b1 = gen_mac_multicast(4); 7362 gen_and(b2, b1); 7363 7364 /* 7365 * OR that with the checks done for data frames. 7366 * That gives the checks done for management and 7367 * data frames. 7368 */ 7369 gen_or(b1, b0); 7370 7371 /* 7372 * If the low-order bit of the type value is 1, 7373 * this is either a control frame or a frame 7374 * with a reserved type, and thus not a 7375 * frame with an SA. 7376 * 7377 * I.e., check "!(link[0] & 0x04)". 7378 */ 7379 s = gen_load_a(OR_LINK, 0, BPF_B); 7380 b1 = new_block(JMP(BPF_JSET)); 7381 b1->s.k = 0x04; 7382 b1->stmts = s; 7383 gen_not(b1); 7384 7385 /* 7386 * AND that with the checks for data and management 7387 * frames. 7388 */ 7389 gen_and(b1, b0); 7390 return b0; 7391 case DLT_IP_OVER_FC: 7392 b0 = gen_mac_multicast(2); 7393 return b0; 7394 case DLT_SUNATM: 7395 if (is_lane) { 7396 /* 7397 * Check that the packet doesn't begin with an 7398 * LE Control marker. (We've already generated 7399 * a test for LANE.) 7400 */ 7401 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7402 BPF_H, 0xFF00); 7403 gen_not(b1); 7404 7405 /* ether[off_mac] & 1 != 0 */ 7406 b0 = gen_mac_multicast(off_mac); 7407 gen_and(b1, b0); 7408 return b0; 7409 } 7410 break; 7411 default: 7412 break; 7413 } 7414 /* Link not known to support multicasts */ 7415 break; 7416 7417 case Q_IP: 7418 b0 = gen_linktype(ETHERTYPE_IP); 7419 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7420 gen_and(b0, b1); 7421 return b1; 7422 7423 case Q_IPV6: 7424 b0 = gen_linktype(ETHERTYPE_IPV6); 7425 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7426 gen_and(b0, b1); 7427 return b1; 7428 } 7429 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7430 /* NOTREACHED */ 7431 return NULL; 7432 } 7433 7434 /* 7435 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7436 * Outbound traffic is sent by this machine, while inbound traffic is 7437 * sent by a remote machine (and may include packets destined for a 7438 * unicast or multicast link-layer address we are not subscribing to). 7439 * These are the same definitions implemented by pcap_setdirection(). 7440 * Capturing only unicast traffic destined for this host is probably 7441 * better accomplished using a higher-layer filter. 7442 */ 7443 struct block * 7444 gen_inbound(dir) 7445 int dir; 7446 { 7447 register struct block *b0; 7448 7449 /* 7450 * Only some data link types support inbound/outbound qualifiers. 7451 */ 7452 switch (linktype) { 7453 case DLT_SLIP: 7454 b0 = gen_relation(BPF_JEQ, 7455 gen_load(Q_LINK, gen_loadi(0), 1), 7456 gen_loadi(0), 7457 dir); 7458 break; 7459 7460 case DLT_IPNET: 7461 if (dir) { 7462 /* match outgoing packets */ 7463 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7464 } else { 7465 /* match incoming packets */ 7466 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7467 } 7468 break; 7469 7470 case DLT_LINUX_SLL: 7471 /* match outgoing packets */ 7472 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7473 if (!dir) { 7474 /* to filter on inbound traffic, invert the match */ 7475 gen_not(b0); 7476 } 7477 break; 7478 7479 #ifdef HAVE_NET_PFVAR_H 7480 case DLT_PFLOG: 7481 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7482 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7483 break; 7484 #endif 7485 7486 case DLT_PPP_PPPD: 7487 if (dir) { 7488 /* match outgoing packets */ 7489 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7490 } else { 7491 /* match incoming packets */ 7492 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7493 } 7494 break; 7495 7496 case DLT_JUNIPER_MFR: 7497 case DLT_JUNIPER_MLFR: 7498 case DLT_JUNIPER_MLPPP: 7499 case DLT_JUNIPER_ATM1: 7500 case DLT_JUNIPER_ATM2: 7501 case DLT_JUNIPER_PPPOE: 7502 case DLT_JUNIPER_PPPOE_ATM: 7503 case DLT_JUNIPER_GGSN: 7504 case DLT_JUNIPER_ES: 7505 case DLT_JUNIPER_MONITOR: 7506 case DLT_JUNIPER_SERVICES: 7507 case DLT_JUNIPER_ETHER: 7508 case DLT_JUNIPER_PPP: 7509 case DLT_JUNIPER_FRELAY: 7510 case DLT_JUNIPER_CHDLC: 7511 case DLT_JUNIPER_VP: 7512 case DLT_JUNIPER_ST: 7513 case DLT_JUNIPER_ISM: 7514 case DLT_JUNIPER_VS: 7515 case DLT_JUNIPER_SRX_E2E: 7516 case DLT_JUNIPER_FIBRECHANNEL: 7517 case DLT_JUNIPER_ATM_CEMIC: 7518 7519 /* juniper flags (including direction) are stored 7520 * the byte after the 3-byte magic number */ 7521 if (dir) { 7522 /* match outgoing packets */ 7523 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7524 } else { 7525 /* match incoming packets */ 7526 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7527 } 7528 break; 7529 7530 default: 7531 /* 7532 * If we have packet meta-data indicating a direction, 7533 * check it, otherwise give up as this link-layer type 7534 * has nothing in the packet data. 7535 */ 7536 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7537 /* 7538 * We infer that this is Linux with PF_PACKET support. 7539 * If this is a *live* capture, we can look at 7540 * special meta-data in the filter expression; 7541 * if it's a savefile, we can't. 7542 */ 7543 if (bpf_pcap->sf.rfile != NULL) { 7544 /* We have a FILE *, so this is a savefile */ 7545 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles", 7546 linktype); 7547 b0 = NULL; 7548 /* NOTREACHED */ 7549 } 7550 /* match outgoing packets */ 7551 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7552 PACKET_OUTGOING); 7553 if (!dir) { 7554 /* to filter on inbound traffic, invert the match */ 7555 gen_not(b0); 7556 } 7557 #else /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7558 bpf_error("inbound/outbound not supported on linktype %d", 7559 linktype); 7560 b0 = NULL; 7561 /* NOTREACHED */ 7562 #endif /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7563 } 7564 return (b0); 7565 } 7566 7567 #ifdef HAVE_NET_PFVAR_H 7568 /* PF firewall log matched interface */ 7569 struct block * 7570 gen_pf_ifname(const char *ifname) 7571 { 7572 struct block *b0; 7573 u_int len, off; 7574 7575 if (linktype != DLT_PFLOG) { 7576 bpf_error("ifname supported only on PF linktype"); 7577 /* NOTREACHED */ 7578 } 7579 len = sizeof(((struct pfloghdr *)0)->ifname); 7580 off = offsetof(struct pfloghdr, ifname); 7581 if (strlen(ifname) >= len) { 7582 bpf_error("ifname interface names can only be %d characters", 7583 len-1); 7584 /* NOTREACHED */ 7585 } 7586 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7587 return (b0); 7588 } 7589 7590 /* PF firewall log ruleset name */ 7591 struct block * 7592 gen_pf_ruleset(char *ruleset) 7593 { 7594 struct block *b0; 7595 7596 if (linktype != DLT_PFLOG) { 7597 bpf_error("ruleset supported only on PF linktype"); 7598 /* NOTREACHED */ 7599 } 7600 7601 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7602 bpf_error("ruleset names can only be %ld characters", 7603 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7604 /* NOTREACHED */ 7605 } 7606 7607 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7608 strlen(ruleset), (const u_char *)ruleset); 7609 return (b0); 7610 } 7611 7612 /* PF firewall log rule number */ 7613 struct block * 7614 gen_pf_rnr(int rnr) 7615 { 7616 struct block *b0; 7617 7618 if (linktype != DLT_PFLOG) { 7619 bpf_error("rnr supported only on PF linktype"); 7620 /* NOTREACHED */ 7621 } 7622 7623 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7624 (bpf_int32)rnr); 7625 return (b0); 7626 } 7627 7628 /* PF firewall log sub-rule number */ 7629 struct block * 7630 gen_pf_srnr(int srnr) 7631 { 7632 struct block *b0; 7633 7634 if (linktype != DLT_PFLOG) { 7635 bpf_error("srnr supported only on PF linktype"); 7636 /* NOTREACHED */ 7637 } 7638 7639 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7640 (bpf_int32)srnr); 7641 return (b0); 7642 } 7643 7644 /* PF firewall log reason code */ 7645 struct block * 7646 gen_pf_reason(int reason) 7647 { 7648 struct block *b0; 7649 7650 if (linktype != DLT_PFLOG) { 7651 bpf_error("reason supported only on PF linktype"); 7652 /* NOTREACHED */ 7653 } 7654 7655 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7656 (bpf_int32)reason); 7657 return (b0); 7658 } 7659 7660 /* PF firewall log action */ 7661 struct block * 7662 gen_pf_action(int action) 7663 { 7664 struct block *b0; 7665 7666 if (linktype != DLT_PFLOG) { 7667 bpf_error("action supported only on PF linktype"); 7668 /* NOTREACHED */ 7669 } 7670 7671 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7672 (bpf_int32)action); 7673 return (b0); 7674 } 7675 #else /* !HAVE_NET_PFVAR_H */ 7676 struct block * 7677 gen_pf_ifname(const char *ifname) 7678 { 7679 bpf_error("libpcap was compiled without pf support"); 7680 /* NOTREACHED */ 7681 return (NULL); 7682 } 7683 7684 struct block * 7685 gen_pf_ruleset(char *ruleset) 7686 { 7687 bpf_error("libpcap was compiled on a machine without pf support"); 7688 /* NOTREACHED */ 7689 return (NULL); 7690 } 7691 7692 struct block * 7693 gen_pf_rnr(int rnr) 7694 { 7695 bpf_error("libpcap was compiled on a machine without pf support"); 7696 /* NOTREACHED */ 7697 return (NULL); 7698 } 7699 7700 struct block * 7701 gen_pf_srnr(int srnr) 7702 { 7703 bpf_error("libpcap was compiled on a machine without pf support"); 7704 /* NOTREACHED */ 7705 return (NULL); 7706 } 7707 7708 struct block * 7709 gen_pf_reason(int reason) 7710 { 7711 bpf_error("libpcap was compiled on a machine without pf support"); 7712 /* NOTREACHED */ 7713 return (NULL); 7714 } 7715 7716 struct block * 7717 gen_pf_action(int action) 7718 { 7719 bpf_error("libpcap was compiled on a machine without pf support"); 7720 /* NOTREACHED */ 7721 return (NULL); 7722 } 7723 #endif /* HAVE_NET_PFVAR_H */ 7724 7725 /* IEEE 802.11 wireless header */ 7726 struct block * 7727 gen_p80211_type(int type, int mask) 7728 { 7729 struct block *b0; 7730 7731 switch (linktype) { 7732 7733 case DLT_IEEE802_11: 7734 case DLT_PRISM_HEADER: 7735 case DLT_IEEE802_11_RADIO_AVS: 7736 case DLT_IEEE802_11_RADIO: 7737 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7738 (bpf_int32)mask); 7739 break; 7740 7741 default: 7742 bpf_error("802.11 link-layer types supported only on 802.11"); 7743 /* NOTREACHED */ 7744 } 7745 7746 return (b0); 7747 } 7748 7749 struct block * 7750 gen_p80211_fcdir(int fcdir) 7751 { 7752 struct block *b0; 7753 7754 switch (linktype) { 7755 7756 case DLT_IEEE802_11: 7757 case DLT_PRISM_HEADER: 7758 case DLT_IEEE802_11_RADIO_AVS: 7759 case DLT_IEEE802_11_RADIO: 7760 break; 7761 7762 default: 7763 bpf_error("frame direction supported only with 802.11 headers"); 7764 /* NOTREACHED */ 7765 } 7766 7767 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7768 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7769 7770 return (b0); 7771 } 7772 7773 struct block * 7774 gen_acode(eaddr, q) 7775 register const u_char *eaddr; 7776 struct qual q; 7777 { 7778 switch (linktype) { 7779 7780 case DLT_ARCNET: 7781 case DLT_ARCNET_LINUX: 7782 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7783 q.proto == Q_LINK) 7784 return (gen_ahostop(eaddr, (int)q.dir)); 7785 else { 7786 bpf_error("ARCnet address used in non-arc expression"); 7787 /* NOTREACHED */ 7788 } 7789 break; 7790 7791 default: 7792 bpf_error("aid supported only on ARCnet"); 7793 /* NOTREACHED */ 7794 } 7795 bpf_error("ARCnet address used in non-arc expression"); 7796 /* NOTREACHED */ 7797 return NULL; 7798 } 7799 7800 static struct block * 7801 gen_ahostop(eaddr, dir) 7802 register const u_char *eaddr; 7803 register int dir; 7804 { 7805 register struct block *b0, *b1; 7806 7807 switch (dir) { 7808 /* src comes first, different from Ethernet */ 7809 case Q_SRC: 7810 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7811 7812 case Q_DST: 7813 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7814 7815 case Q_AND: 7816 b0 = gen_ahostop(eaddr, Q_SRC); 7817 b1 = gen_ahostop(eaddr, Q_DST); 7818 gen_and(b0, b1); 7819 return b1; 7820 7821 case Q_DEFAULT: 7822 case Q_OR: 7823 b0 = gen_ahostop(eaddr, Q_SRC); 7824 b1 = gen_ahostop(eaddr, Q_DST); 7825 gen_or(b0, b1); 7826 return b1; 7827 7828 case Q_ADDR1: 7829 bpf_error("'addr1' is only supported on 802.11"); 7830 break; 7831 7832 case Q_ADDR2: 7833 bpf_error("'addr2' is only supported on 802.11"); 7834 break; 7835 7836 case Q_ADDR3: 7837 bpf_error("'addr3' is only supported on 802.11"); 7838 break; 7839 7840 case Q_ADDR4: 7841 bpf_error("'addr4' is only supported on 802.11"); 7842 break; 7843 7844 case Q_RA: 7845 bpf_error("'ra' is only supported on 802.11"); 7846 break; 7847 7848 case Q_TA: 7849 bpf_error("'ta' is only supported on 802.11"); 7850 break; 7851 } 7852 abort(); 7853 /* NOTREACHED */ 7854 } 7855 7856 /* 7857 * support IEEE 802.1Q VLAN trunk over ethernet 7858 */ 7859 struct block * 7860 gen_vlan(vlan_num) 7861 int vlan_num; 7862 { 7863 struct block *b0, *b1; 7864 7865 /* can't check for VLAN-encapsulated packets inside MPLS */ 7866 if (label_stack_depth > 0) 7867 bpf_error("no VLAN match after MPLS"); 7868 7869 /* 7870 * Check for a VLAN packet, and then change the offsets to point 7871 * to the type and data fields within the VLAN packet. Just 7872 * increment the offsets, so that we can support a hierarchy, e.g. 7873 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7874 * VLAN 100. 7875 * 7876 * XXX - this is a bit of a kludge. If we were to split the 7877 * compiler into a parser that parses an expression and 7878 * generates an expression tree, and a code generator that 7879 * takes an expression tree (which could come from our 7880 * parser or from some other parser) and generates BPF code, 7881 * we could perhaps make the offsets parameters of routines 7882 * and, in the handler for an "AND" node, pass to subnodes 7883 * other than the VLAN node the adjusted offsets. 7884 * 7885 * This would mean that "vlan" would, instead of changing the 7886 * behavior of *all* tests after it, change only the behavior 7887 * of tests ANDed with it. That would change the documented 7888 * semantics of "vlan", which might break some expressions. 7889 * However, it would mean that "(vlan and ip) or ip" would check 7890 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7891 * checking only for VLAN-encapsulated IP, so that could still 7892 * be considered worth doing; it wouldn't break expressions 7893 * that are of the form "vlan and ..." or "vlan N and ...", 7894 * which I suspect are the most common expressions involving 7895 * "vlan". "vlan or ..." doesn't necessarily do what the user 7896 * would really want, now, as all the "or ..." tests would 7897 * be done assuming a VLAN, even though the "or" could be viewed 7898 * as meaning "or, if this isn't a VLAN packet...". 7899 */ 7900 orig_nl = off_nl; 7901 7902 switch (linktype) { 7903 7904 case DLT_EN10MB: 7905 case DLT_NETANALYZER: 7906 case DLT_NETANALYZER_TRANSPARENT: 7907 /* check for VLAN, including QinQ */ 7908 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7909 (bpf_int32)ETHERTYPE_8021Q); 7910 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7911 (bpf_int32)ETHERTYPE_8021QINQ); 7912 gen_or(b0,b1); 7913 b0 = b1; 7914 7915 /* If a specific VLAN is requested, check VLAN id */ 7916 if (vlan_num >= 0) { 7917 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7918 (bpf_int32)vlan_num, 0x0fff); 7919 gen_and(b0, b1); 7920 b0 = b1; 7921 } 7922 7923 off_macpl += 4; 7924 off_linktype += 4; 7925 #if 0 7926 off_nl_nosnap += 4; 7927 off_nl += 4; 7928 #endif 7929 break; 7930 7931 default: 7932 bpf_error("no VLAN support for data link type %d", 7933 linktype); 7934 /*NOTREACHED*/ 7935 } 7936 7937 return (b0); 7938 } 7939 7940 /* 7941 * support for MPLS 7942 */ 7943 struct block * 7944 gen_mpls(label_num) 7945 int label_num; 7946 { 7947 struct block *b0,*b1; 7948 7949 /* 7950 * Change the offsets to point to the type and data fields within 7951 * the MPLS packet. Just increment the offsets, so that we 7952 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7953 * capture packets with an outer label of 100000 and an inner 7954 * label of 1024. 7955 * 7956 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7957 */ 7958 orig_nl = off_nl; 7959 7960 if (label_stack_depth > 0) { 7961 /* just match the bottom-of-stack bit clear */ 7962 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 7963 } else { 7964 /* 7965 * Indicate that we're checking MPLS-encapsulated headers, 7966 * to make sure higher level code generators don't try to 7967 * match against IP-related protocols such as Q_ARP, Q_RARP 7968 * etc. 7969 */ 7970 switch (linktype) { 7971 7972 case DLT_C_HDLC: /* fall through */ 7973 case DLT_EN10MB: 7974 case DLT_NETANALYZER: 7975 case DLT_NETANALYZER_TRANSPARENT: 7976 b0 = gen_linktype(ETHERTYPE_MPLS); 7977 break; 7978 7979 case DLT_PPP: 7980 b0 = gen_linktype(PPP_MPLS_UCAST); 7981 break; 7982 7983 /* FIXME add other DLT_s ... 7984 * for Frame-Relay/and ATM this may get messy due to SNAP headers 7985 * leave it for now */ 7986 7987 default: 7988 bpf_error("no MPLS support for data link type %d", 7989 linktype); 7990 b0 = NULL; 7991 /*NOTREACHED*/ 7992 break; 7993 } 7994 } 7995 7996 /* If a specific MPLS label is requested, check it */ 7997 if (label_num >= 0) { 7998 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 7999 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 8000 0xfffff000); /* only compare the first 20 bits */ 8001 gen_and(b0, b1); 8002 b0 = b1; 8003 } 8004 8005 off_nl_nosnap += 4; 8006 off_nl += 4; 8007 label_stack_depth++; 8008 return (b0); 8009 } 8010 8011 /* 8012 * Support PPPOE discovery and session. 8013 */ 8014 struct block * 8015 gen_pppoed() 8016 { 8017 /* check for PPPoE discovery */ 8018 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8019 } 8020 8021 struct block * 8022 gen_pppoes() 8023 { 8024 struct block *b0; 8025 8026 /* 8027 * Test against the PPPoE session link-layer type. 8028 */ 8029 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8030 8031 /* 8032 * Change the offsets to point to the type and data fields within 8033 * the PPP packet, and note that this is PPPoE rather than 8034 * raw PPP. 8035 * 8036 * XXX - this is a bit of a kludge. If we were to split the 8037 * compiler into a parser that parses an expression and 8038 * generates an expression tree, and a code generator that 8039 * takes an expression tree (which could come from our 8040 * parser or from some other parser) and generates BPF code, 8041 * we could perhaps make the offsets parameters of routines 8042 * and, in the handler for an "AND" node, pass to subnodes 8043 * other than the PPPoE node the adjusted offsets. 8044 * 8045 * This would mean that "pppoes" would, instead of changing the 8046 * behavior of *all* tests after it, change only the behavior 8047 * of tests ANDed with it. That would change the documented 8048 * semantics of "pppoes", which might break some expressions. 8049 * However, it would mean that "(pppoes and ip) or ip" would check 8050 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8051 * checking only for VLAN-encapsulated IP, so that could still 8052 * be considered worth doing; it wouldn't break expressions 8053 * that are of the form "pppoes and ..." which I suspect are the 8054 * most common expressions involving "pppoes". "pppoes or ..." 8055 * doesn't necessarily do what the user would really want, now, 8056 * as all the "or ..." tests would be done assuming PPPoE, even 8057 * though the "or" could be viewed as meaning "or, if this isn't 8058 * a PPPoE packet...". 8059 */ 8060 orig_linktype = off_linktype; /* save original values */ 8061 orig_nl = off_nl; 8062 is_pppoes = 1; 8063 8064 /* 8065 * The "network-layer" protocol is PPPoE, which has a 6-byte 8066 * PPPoE header, followed by a PPP packet. 8067 * 8068 * There is no HDLC encapsulation for the PPP packet (it's 8069 * encapsulated in PPPoES instead), so the link-layer type 8070 * starts at the first byte of the PPP packet. For PPPoE, 8071 * that offset is relative to the beginning of the total 8072 * link-layer payload, including any 802.2 LLC header, so 8073 * it's 6 bytes past off_nl. 8074 */ 8075 off_linktype = off_nl + 6; 8076 8077 /* 8078 * The network-layer offsets are relative to the beginning 8079 * of the MAC-layer payload; that's past the 6-byte 8080 * PPPoE header and the 2-byte PPP header. 8081 */ 8082 off_nl = 6+2; 8083 off_nl_nosnap = 6+2; 8084 8085 return b0; 8086 } 8087 8088 struct block * 8089 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8090 int atmfield; 8091 bpf_int32 jvalue; 8092 bpf_u_int32 jtype; 8093 int reverse; 8094 { 8095 struct block *b0; 8096 8097 switch (atmfield) { 8098 8099 case A_VPI: 8100 if (!is_atm) 8101 bpf_error("'vpi' supported only on raw ATM"); 8102 if (off_vpi == (u_int)-1) 8103 abort(); 8104 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8105 reverse, jvalue); 8106 break; 8107 8108 case A_VCI: 8109 if (!is_atm) 8110 bpf_error("'vci' supported only on raw ATM"); 8111 if (off_vci == (u_int)-1) 8112 abort(); 8113 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8114 reverse, jvalue); 8115 break; 8116 8117 case A_PROTOTYPE: 8118 if (off_proto == (u_int)-1) 8119 abort(); /* XXX - this isn't on FreeBSD */ 8120 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8121 reverse, jvalue); 8122 break; 8123 8124 case A_MSGTYPE: 8125 if (off_payload == (u_int)-1) 8126 abort(); 8127 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8128 0xffffffff, jtype, reverse, jvalue); 8129 break; 8130 8131 case A_CALLREFTYPE: 8132 if (!is_atm) 8133 bpf_error("'callref' supported only on raw ATM"); 8134 if (off_proto == (u_int)-1) 8135 abort(); 8136 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8137 jtype, reverse, jvalue); 8138 break; 8139 8140 default: 8141 abort(); 8142 } 8143 return b0; 8144 } 8145 8146 struct block * 8147 gen_atmtype_abbrev(type) 8148 int type; 8149 { 8150 struct block *b0, *b1; 8151 8152 switch (type) { 8153 8154 case A_METAC: 8155 /* Get all packets in Meta signalling Circuit */ 8156 if (!is_atm) 8157 bpf_error("'metac' supported only on raw ATM"); 8158 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8159 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8160 gen_and(b0, b1); 8161 break; 8162 8163 case A_BCC: 8164 /* Get all packets in Broadcast Circuit*/ 8165 if (!is_atm) 8166 bpf_error("'bcc' supported only on raw ATM"); 8167 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8168 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8169 gen_and(b0, b1); 8170 break; 8171 8172 case A_OAMF4SC: 8173 /* Get all cells in Segment OAM F4 circuit*/ 8174 if (!is_atm) 8175 bpf_error("'oam4sc' supported only on raw ATM"); 8176 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8177 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8178 gen_and(b0, b1); 8179 break; 8180 8181 case A_OAMF4EC: 8182 /* Get all cells in End-to-End OAM F4 Circuit*/ 8183 if (!is_atm) 8184 bpf_error("'oam4ec' supported only on raw ATM"); 8185 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8186 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8187 gen_and(b0, b1); 8188 break; 8189 8190 case A_SC: 8191 /* Get all packets in connection Signalling Circuit */ 8192 if (!is_atm) 8193 bpf_error("'sc' supported only on raw ATM"); 8194 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8195 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8196 gen_and(b0, b1); 8197 break; 8198 8199 case A_ILMIC: 8200 /* Get all packets in ILMI Circuit */ 8201 if (!is_atm) 8202 bpf_error("'ilmic' supported only on raw ATM"); 8203 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8204 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8205 gen_and(b0, b1); 8206 break; 8207 8208 case A_LANE: 8209 /* Get all LANE packets */ 8210 if (!is_atm) 8211 bpf_error("'lane' supported only on raw ATM"); 8212 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8213 8214 /* 8215 * Arrange that all subsequent tests assume LANE 8216 * rather than LLC-encapsulated packets, and set 8217 * the offsets appropriately for LANE-encapsulated 8218 * Ethernet. 8219 * 8220 * "off_mac" is the offset of the Ethernet header, 8221 * which is 2 bytes past the ATM pseudo-header 8222 * (skipping the pseudo-header and 2-byte LE Client 8223 * field). The other offsets are Ethernet offsets 8224 * relative to "off_mac". 8225 */ 8226 is_lane = 1; 8227 off_mac = off_payload + 2; /* MAC header */ 8228 off_linktype = off_mac + 12; 8229 off_macpl = off_mac + 14; /* Ethernet */ 8230 off_nl = 0; /* Ethernet II */ 8231 off_nl_nosnap = 3; /* 802.3+802.2 */ 8232 break; 8233 8234 case A_LLC: 8235 /* Get all LLC-encapsulated packets */ 8236 if (!is_atm) 8237 bpf_error("'llc' supported only on raw ATM"); 8238 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8239 is_lane = 0; 8240 break; 8241 8242 default: 8243 abort(); 8244 } 8245 return b1; 8246 } 8247 8248 /* 8249 * Filtering for MTP2 messages based on li value 8250 * FISU, length is null 8251 * LSSU, length is 1 or 2 8252 * MSU, length is 3 or more 8253 */ 8254 struct block * 8255 gen_mtp2type_abbrev(type) 8256 int type; 8257 { 8258 struct block *b0, *b1; 8259 8260 switch (type) { 8261 8262 case M_FISU: 8263 if ( (linktype != DLT_MTP2) && 8264 (linktype != DLT_ERF) && 8265 (linktype != DLT_MTP2_WITH_PHDR) ) 8266 bpf_error("'fisu' supported only on MTP2"); 8267 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8268 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8269 break; 8270 8271 case M_LSSU: 8272 if ( (linktype != DLT_MTP2) && 8273 (linktype != DLT_ERF) && 8274 (linktype != DLT_MTP2_WITH_PHDR) ) 8275 bpf_error("'lssu' supported only on MTP2"); 8276 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8277 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8278 gen_and(b1, b0); 8279 break; 8280 8281 case M_MSU: 8282 if ( (linktype != DLT_MTP2) && 8283 (linktype != DLT_ERF) && 8284 (linktype != DLT_MTP2_WITH_PHDR) ) 8285 bpf_error("'msu' supported only on MTP2"); 8286 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8287 break; 8288 8289 default: 8290 abort(); 8291 } 8292 return b0; 8293 } 8294 8295 struct block * 8296 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8297 int mtp3field; 8298 bpf_u_int32 jvalue; 8299 bpf_u_int32 jtype; 8300 int reverse; 8301 { 8302 struct block *b0; 8303 bpf_u_int32 val1 , val2 , val3; 8304 8305 switch (mtp3field) { 8306 8307 case M_SIO: 8308 if (off_sio == (u_int)-1) 8309 bpf_error("'sio' supported only on SS7"); 8310 /* sio coded on 1 byte so max value 255 */ 8311 if(jvalue > 255) 8312 bpf_error("sio value %u too big; max value = 255", 8313 jvalue); 8314 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8315 (u_int)jtype, reverse, (u_int)jvalue); 8316 break; 8317 8318 case M_OPC: 8319 if (off_opc == (u_int)-1) 8320 bpf_error("'opc' supported only on SS7"); 8321 /* opc coded on 14 bits so max value 16383 */ 8322 if (jvalue > 16383) 8323 bpf_error("opc value %u too big; max value = 16383", 8324 jvalue); 8325 /* the following instructions are made to convert jvalue 8326 * to the form used to write opc in an ss7 message*/ 8327 val1 = jvalue & 0x00003c00; 8328 val1 = val1 >>10; 8329 val2 = jvalue & 0x000003fc; 8330 val2 = val2 <<6; 8331 val3 = jvalue & 0x00000003; 8332 val3 = val3 <<22; 8333 jvalue = val1 + val2 + val3; 8334 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8335 (u_int)jtype, reverse, (u_int)jvalue); 8336 break; 8337 8338 case M_DPC: 8339 if (off_dpc == (u_int)-1) 8340 bpf_error("'dpc' supported only on SS7"); 8341 /* dpc coded on 14 bits so max value 16383 */ 8342 if (jvalue > 16383) 8343 bpf_error("dpc value %u too big; max value = 16383", 8344 jvalue); 8345 /* the following instructions are made to convert jvalue 8346 * to the forme used to write dpc in an ss7 message*/ 8347 val1 = jvalue & 0x000000ff; 8348 val1 = val1 << 24; 8349 val2 = jvalue & 0x00003f00; 8350 val2 = val2 << 8; 8351 jvalue = val1 + val2; 8352 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8353 (u_int)jtype, reverse, (u_int)jvalue); 8354 break; 8355 8356 case M_SLS: 8357 if (off_sls == (u_int)-1) 8358 bpf_error("'sls' supported only on SS7"); 8359 /* sls coded on 4 bits so max value 15 */ 8360 if (jvalue > 15) 8361 bpf_error("sls value %u too big; max value = 15", 8362 jvalue); 8363 /* the following instruction is made to convert jvalue 8364 * to the forme used to write sls in an ss7 message*/ 8365 jvalue = jvalue << 4; 8366 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8367 (u_int)jtype,reverse, (u_int)jvalue); 8368 break; 8369 8370 default: 8371 abort(); 8372 } 8373 return b0; 8374 } 8375 8376 static struct block * 8377 gen_msg_abbrev(type) 8378 int type; 8379 { 8380 struct block *b1; 8381 8382 /* 8383 * Q.2931 signalling protocol messages for handling virtual circuits 8384 * establishment and teardown 8385 */ 8386 switch (type) { 8387 8388 case A_SETUP: 8389 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8390 break; 8391 8392 case A_CALLPROCEED: 8393 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8394 break; 8395 8396 case A_CONNECT: 8397 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8398 break; 8399 8400 case A_CONNECTACK: 8401 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8402 break; 8403 8404 case A_RELEASE: 8405 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8406 break; 8407 8408 case A_RELEASE_DONE: 8409 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8410 break; 8411 8412 default: 8413 abort(); 8414 } 8415 return b1; 8416 } 8417 8418 struct block * 8419 gen_atmmulti_abbrev(type) 8420 int type; 8421 { 8422 struct block *b0, *b1; 8423 8424 switch (type) { 8425 8426 case A_OAM: 8427 if (!is_atm) 8428 bpf_error("'oam' supported only on raw ATM"); 8429 b1 = gen_atmmulti_abbrev(A_OAMF4); 8430 break; 8431 8432 case A_OAMF4: 8433 if (!is_atm) 8434 bpf_error("'oamf4' supported only on raw ATM"); 8435 /* OAM F4 type */ 8436 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8437 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8438 gen_or(b0, b1); 8439 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8440 gen_and(b0, b1); 8441 break; 8442 8443 case A_CONNECTMSG: 8444 /* 8445 * Get Q.2931 signalling messages for switched 8446 * virtual connection 8447 */ 8448 if (!is_atm) 8449 bpf_error("'connectmsg' supported only on raw ATM"); 8450 b0 = gen_msg_abbrev(A_SETUP); 8451 b1 = gen_msg_abbrev(A_CALLPROCEED); 8452 gen_or(b0, b1); 8453 b0 = gen_msg_abbrev(A_CONNECT); 8454 gen_or(b0, b1); 8455 b0 = gen_msg_abbrev(A_CONNECTACK); 8456 gen_or(b0, b1); 8457 b0 = gen_msg_abbrev(A_RELEASE); 8458 gen_or(b0, b1); 8459 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8460 gen_or(b0, b1); 8461 b0 = gen_atmtype_abbrev(A_SC); 8462 gen_and(b0, b1); 8463 break; 8464 8465 case A_METACONNECT: 8466 if (!is_atm) 8467 bpf_error("'metaconnect' supported only on raw ATM"); 8468 b0 = gen_msg_abbrev(A_SETUP); 8469 b1 = gen_msg_abbrev(A_CALLPROCEED); 8470 gen_or(b0, b1); 8471 b0 = gen_msg_abbrev(A_CONNECT); 8472 gen_or(b0, b1); 8473 b0 = gen_msg_abbrev(A_RELEASE); 8474 gen_or(b0, b1); 8475 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8476 gen_or(b0, b1); 8477 b0 = gen_atmtype_abbrev(A_METAC); 8478 gen_and(b0, b1); 8479 break; 8480 8481 default: 8482 abort(); 8483 } 8484 return b1; 8485 } 8486