1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 #ifndef lint 23 static const char rcsid[] _U_ = 24 "@(#) Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp (LBL)"; 25 #endif 26 27 #ifdef HAVE_CONFIG_H 28 #include "config.h" 29 #endif 30 31 #ifdef WIN32 32 #include <pcap-stdinc.h> 33 #else /* WIN32 */ 34 #if HAVE_INTTYPES_H 35 #include <inttypes.h> 36 #elif HAVE_STDINT_H 37 #include <stdint.h> 38 #endif 39 #ifdef HAVE_SYS_BITYPES_H 40 #include <sys/bitypes.h> 41 #endif 42 #include <sys/types.h> 43 #include <sys/socket.h> 44 #endif /* WIN32 */ 45 46 /* 47 * XXX - why was this included even on UNIX? 48 */ 49 #ifdef __MINGW32__ 50 #include "IP6_misc.h" 51 #endif 52 53 #ifndef WIN32 54 55 #ifdef __NetBSD__ 56 #include <sys/param.h> 57 #endif 58 59 #include <netinet/in.h> 60 #include <arpa/inet.h> 61 62 #endif /* WIN32 */ 63 64 #include <stdlib.h> 65 #include <string.h> 66 #include <memory.h> 67 #include <setjmp.h> 68 #include <stdarg.h> 69 70 #ifdef MSDOS 71 #include "pcap-dos.h" 72 #endif 73 74 #include "pcap-int.h" 75 76 #include "ethertype.h" 77 #include "nlpid.h" 78 #include "llc.h" 79 #include "gencode.h" 80 #include "ieee80211.h" 81 #include "atmuni31.h" 82 #include "sunatmpos.h" 83 #include "ppp.h" 84 #include "pcap/sll.h" 85 #include "pcap/ipnet.h" 86 #include "arcnet.h" 87 #ifdef HAVE_NET_PFVAR_H 88 #include <sys/socket.h> 89 #include <net/if.h> 90 #include <net/pfvar.h> 91 #include <net/if_pflog.h> 92 #endif 93 #ifndef offsetof 94 #define offsetof(s, e) ((size_t)&((s *)0)->e) 95 #endif 96 #ifdef INET6 97 #ifndef WIN32 98 #include <netdb.h> /* for "struct addrinfo" */ 99 #endif /* WIN32 */ 100 #endif /*INET6*/ 101 #include <pcap/namedb.h> 102 103 #define ETHERMTU 1500 104 105 #ifndef IPPROTO_SCTP 106 #define IPPROTO_SCTP 132 107 #endif 108 109 #ifdef HAVE_OS_PROTO_H 110 #include "os-proto.h" 111 #endif 112 113 #define JMP(c) ((c)|BPF_JMP|BPF_K) 114 115 /* Locals */ 116 static jmp_buf top_ctx; 117 static pcap_t *bpf_pcap; 118 119 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 120 #ifdef WIN32 121 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 122 #else 123 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 124 #endif 125 126 /* XXX */ 127 #ifdef PCAP_FDDIPAD 128 static int pcap_fddipad; 129 #endif 130 131 /* VARARGS */ 132 void 133 bpf_error(const char *fmt, ...) 134 { 135 va_list ap; 136 137 va_start(ap, fmt); 138 if (bpf_pcap != NULL) 139 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 140 fmt, ap); 141 va_end(ap); 142 longjmp(top_ctx, 1); 143 /* NOTREACHED */ 144 } 145 146 static void init_linktype(pcap_t *); 147 148 static void init_regs(void); 149 static int alloc_reg(void); 150 static void free_reg(int); 151 152 static struct block *root; 153 154 /* 155 * Value passed to gen_load_a() to indicate what the offset argument 156 * is relative to. 157 */ 158 enum e_offrel { 159 OR_PACKET, /* relative to the beginning of the packet */ 160 OR_LINK, /* relative to the beginning of the link-layer header */ 161 OR_MACPL, /* relative to the end of the MAC-layer header */ 162 OR_NET, /* relative to the network-layer header */ 163 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 164 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 165 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 166 }; 167 168 #ifdef INET6 169 /* 170 * As errors are handled by a longjmp, anything allocated must be freed 171 * in the longjmp handler, so it must be reachable from that handler. 172 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 173 * it must be freed with freeaddrinfo(). This variable points to any 174 * addrinfo structure that would need to be freed. 175 */ 176 static struct addrinfo *ai; 177 #endif 178 179 /* 180 * We divy out chunks of memory rather than call malloc each time so 181 * we don't have to worry about leaking memory. It's probably 182 * not a big deal if all this memory was wasted but if this ever 183 * goes into a library that would probably not be a good idea. 184 * 185 * XXX - this *is* in a library.... 186 */ 187 #define NCHUNKS 16 188 #define CHUNK0SIZE 1024 189 struct chunk { 190 u_int n_left; 191 void *m; 192 }; 193 194 static struct chunk chunks[NCHUNKS]; 195 static int cur_chunk; 196 197 static void *newchunk(u_int); 198 static void freechunks(void); 199 static inline struct block *new_block(int); 200 static inline struct slist *new_stmt(int); 201 static struct block *gen_retblk(int); 202 static inline void syntax(void); 203 204 static void backpatch(struct block *, struct block *); 205 static void merge(struct block *, struct block *); 206 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 207 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 208 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 209 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 210 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 211 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 212 bpf_u_int32); 213 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 214 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 215 bpf_u_int32, bpf_u_int32, int, bpf_int32); 216 static struct slist *gen_load_llrel(u_int, u_int); 217 static struct slist *gen_load_macplrel(u_int, u_int); 218 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 219 static struct slist *gen_loadx_iphdrlen(void); 220 static struct block *gen_uncond(int); 221 static inline struct block *gen_true(void); 222 static inline struct block *gen_false(void); 223 static struct block *gen_ether_linktype(int); 224 static struct block *gen_ipnet_linktype(int); 225 static struct block *gen_linux_sll_linktype(int); 226 static struct slist *gen_load_prism_llprefixlen(void); 227 static struct slist *gen_load_avs_llprefixlen(void); 228 static struct slist *gen_load_radiotap_llprefixlen(void); 229 static struct slist *gen_load_ppi_llprefixlen(void); 230 static void insert_compute_vloffsets(struct block *); 231 static struct slist *gen_llprefixlen(void); 232 static struct slist *gen_off_macpl(void); 233 static int ethertype_to_ppptype(int); 234 static struct block *gen_linktype(int); 235 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 236 static struct block *gen_llc_linktype(int); 237 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 238 #ifdef INET6 239 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 240 #endif 241 static struct block *gen_ahostop(const u_char *, int); 242 static struct block *gen_ehostop(const u_char *, int); 243 static struct block *gen_fhostop(const u_char *, int); 244 static struct block *gen_thostop(const u_char *, int); 245 static struct block *gen_wlanhostop(const u_char *, int); 246 static struct block *gen_ipfchostop(const u_char *, int); 247 static struct block *gen_dnhostop(bpf_u_int32, int); 248 static struct block *gen_mpls_linktype(int); 249 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 250 #ifdef INET6 251 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 252 #endif 253 #ifndef INET6 254 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 255 #endif 256 static struct block *gen_ipfrag(void); 257 static struct block *gen_portatom(int, bpf_int32); 258 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 259 #ifdef INET6 260 static struct block *gen_portatom6(int, bpf_int32); 261 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 262 #endif 263 struct block *gen_portop(int, int, int); 264 static struct block *gen_port(int, int, int); 265 struct block *gen_portrangeop(int, int, int, int); 266 static struct block *gen_portrange(int, int, int, int); 267 #ifdef INET6 268 struct block *gen_portop6(int, int, int); 269 static struct block *gen_port6(int, int, int); 270 struct block *gen_portrangeop6(int, int, int, int); 271 static struct block *gen_portrange6(int, int, int, int); 272 #endif 273 static int lookup_proto(const char *, int); 274 static struct block *gen_protochain(int, int, int); 275 static struct block *gen_proto(int, int, int); 276 static struct slist *xfer_to_x(struct arth *); 277 static struct slist *xfer_to_a(struct arth *); 278 static struct block *gen_mac_multicast(int); 279 static struct block *gen_len(int, int); 280 static struct block *gen_check_802_11_data_frame(void); 281 282 static struct block *gen_ppi_dlt_check(void); 283 static struct block *gen_msg_abbrev(int type); 284 285 static void * 286 newchunk(n) 287 u_int n; 288 { 289 struct chunk *cp; 290 int k; 291 size_t size; 292 293 #ifndef __NetBSD__ 294 /* XXX Round up to nearest long. */ 295 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 296 #else 297 /* XXX Round up to structure boundary. */ 298 n = ALIGN(n); 299 #endif 300 301 cp = &chunks[cur_chunk]; 302 if (n > cp->n_left) { 303 ++cp, k = ++cur_chunk; 304 if (k >= NCHUNKS) 305 bpf_error("out of memory"); 306 size = CHUNK0SIZE << k; 307 cp->m = (void *)malloc(size); 308 if (cp->m == NULL) 309 bpf_error("out of memory"); 310 memset((char *)cp->m, 0, size); 311 cp->n_left = size; 312 if (n > size) 313 bpf_error("out of memory"); 314 } 315 cp->n_left -= n; 316 return (void *)((char *)cp->m + cp->n_left); 317 } 318 319 static void 320 freechunks() 321 { 322 int i; 323 324 cur_chunk = 0; 325 for (i = 0; i < NCHUNKS; ++i) 326 if (chunks[i].m != NULL) { 327 free(chunks[i].m); 328 chunks[i].m = NULL; 329 } 330 } 331 332 /* 333 * A strdup whose allocations are freed after code generation is over. 334 */ 335 char * 336 sdup(s) 337 register const char *s; 338 { 339 int n = strlen(s) + 1; 340 char *cp = newchunk(n); 341 342 strlcpy(cp, s, n); 343 return (cp); 344 } 345 346 static inline struct block * 347 new_block(code) 348 int code; 349 { 350 struct block *p; 351 352 p = (struct block *)newchunk(sizeof(*p)); 353 p->s.code = code; 354 p->head = p; 355 356 return p; 357 } 358 359 static inline struct slist * 360 new_stmt(code) 361 int code; 362 { 363 struct slist *p; 364 365 p = (struct slist *)newchunk(sizeof(*p)); 366 p->s.code = code; 367 368 return p; 369 } 370 371 static struct block * 372 gen_retblk(v) 373 int v; 374 { 375 struct block *b = new_block(BPF_RET|BPF_K); 376 377 b->s.k = v; 378 return b; 379 } 380 381 static inline void 382 syntax() 383 { 384 bpf_error("syntax error in filter expression"); 385 } 386 387 static bpf_u_int32 netmask; 388 static int snaplen; 389 int no_optimize; 390 #ifdef WIN32 391 static int 392 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 393 const char *buf, int optimize, bpf_u_int32 mask); 394 395 int 396 pcap_compile(pcap_t *p, struct bpf_program *program, 397 const char *buf, int optimize, bpf_u_int32 mask) 398 { 399 int result; 400 401 EnterCriticalSection(&g_PcapCompileCriticalSection); 402 403 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 404 405 LeaveCriticalSection(&g_PcapCompileCriticalSection); 406 407 return result; 408 } 409 410 static int 411 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 412 const char *buf, int optimize, bpf_u_int32 mask) 413 #else /* WIN32 */ 414 int 415 pcap_compile(pcap_t *p, struct bpf_program *program, 416 const char *buf, int optimize, bpf_u_int32 mask) 417 #endif /* WIN32 */ 418 { 419 extern int n_errors; 420 const char * volatile xbuf = buf; 421 int len; 422 423 no_optimize = 0; 424 n_errors = 0; 425 root = NULL; 426 bpf_pcap = p; 427 init_regs(); 428 if (setjmp(top_ctx)) { 429 #ifdef INET6 430 if (ai != NULL) { 431 freeaddrinfo(ai); 432 ai = NULL; 433 } 434 #endif 435 lex_cleanup(); 436 freechunks(); 437 return (-1); 438 } 439 440 netmask = mask; 441 442 snaplen = pcap_snapshot(p); 443 if (snaplen == 0) { 444 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 445 "snaplen of 0 rejects all packets"); 446 return -1; 447 } 448 449 lex_init(xbuf ? xbuf : ""); 450 init_linktype(p); 451 (void)pcap_parse(); 452 453 if (n_errors) 454 syntax(); 455 456 if (root == NULL) 457 root = gen_retblk(snaplen); 458 459 if (optimize && !no_optimize) { 460 bpf_optimize(&root); 461 if (root == NULL || 462 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 463 bpf_error("expression rejects all packets"); 464 } 465 program->bf_insns = icode_to_fcode(root, &len); 466 program->bf_len = len; 467 468 lex_cleanup(); 469 freechunks(); 470 return (0); 471 } 472 473 /* 474 * entry point for using the compiler with no pcap open 475 * pass in all the stuff that is needed explicitly instead. 476 */ 477 int 478 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 479 struct bpf_program *program, 480 const char *buf, int optimize, bpf_u_int32 mask) 481 { 482 pcap_t *p; 483 int ret; 484 485 p = pcap_open_dead(linktype_arg, snaplen_arg); 486 if (p == NULL) 487 return (-1); 488 ret = pcap_compile(p, program, buf, optimize, mask); 489 pcap_close(p); 490 return (ret); 491 } 492 493 /* 494 * Clean up a "struct bpf_program" by freeing all the memory allocated 495 * in it. 496 */ 497 void 498 pcap_freecode(struct bpf_program *program) 499 { 500 program->bf_len = 0; 501 if (program->bf_insns != NULL) { 502 free((char *)program->bf_insns); 503 program->bf_insns = NULL; 504 } 505 } 506 507 /* 508 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 509 * which of the jt and jf fields has been resolved and which is a pointer 510 * back to another unresolved block (or nil). At least one of the fields 511 * in each block is already resolved. 512 */ 513 static void 514 backpatch(list, target) 515 struct block *list, *target; 516 { 517 struct block *next; 518 519 while (list) { 520 if (!list->sense) { 521 next = JT(list); 522 JT(list) = target; 523 } else { 524 next = JF(list); 525 JF(list) = target; 526 } 527 list = next; 528 } 529 } 530 531 /* 532 * Merge the lists in b0 and b1, using the 'sense' field to indicate 533 * which of jt and jf is the link. 534 */ 535 static void 536 merge(b0, b1) 537 struct block *b0, *b1; 538 { 539 register struct block **p = &b0; 540 541 /* Find end of list. */ 542 while (*p) 543 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 544 545 /* Concatenate the lists. */ 546 *p = b1; 547 } 548 549 void 550 finish_parse(p) 551 struct block *p; 552 { 553 struct block *ppi_dlt_check; 554 555 /* 556 * Insert before the statements of the first (root) block any 557 * statements needed to load the lengths of any variable-length 558 * headers into registers. 559 * 560 * XXX - a fancier strategy would be to insert those before the 561 * statements of all blocks that use those lengths and that 562 * have no predecessors that use them, so that we only compute 563 * the lengths if we need them. There might be even better 564 * approaches than that. 565 * 566 * However, those strategies would be more complicated, and 567 * as we don't generate code to compute a length if the 568 * program has no tests that use the length, and as most 569 * tests will probably use those lengths, we would just 570 * postpone computing the lengths so that it's not done 571 * for tests that fail early, and it's not clear that's 572 * worth the effort. 573 */ 574 insert_compute_vloffsets(p->head); 575 576 /* 577 * For DLT_PPI captures, generate a check of the per-packet 578 * DLT value to make sure it's DLT_IEEE802_11. 579 */ 580 ppi_dlt_check = gen_ppi_dlt_check(); 581 if (ppi_dlt_check != NULL) 582 gen_and(ppi_dlt_check, p); 583 584 backpatch(p, gen_retblk(snaplen)); 585 p->sense = !p->sense; 586 backpatch(p, gen_retblk(0)); 587 root = p->head; 588 } 589 590 void 591 gen_and(b0, b1) 592 struct block *b0, *b1; 593 { 594 backpatch(b0, b1->head); 595 b0->sense = !b0->sense; 596 b1->sense = !b1->sense; 597 merge(b1, b0); 598 b1->sense = !b1->sense; 599 b1->head = b0->head; 600 } 601 602 void 603 gen_or(b0, b1) 604 struct block *b0, *b1; 605 { 606 b0->sense = !b0->sense; 607 backpatch(b0, b1->head); 608 b0->sense = !b0->sense; 609 merge(b1, b0); 610 b1->head = b0->head; 611 } 612 613 void 614 gen_not(b) 615 struct block *b; 616 { 617 b->sense = !b->sense; 618 } 619 620 static struct block * 621 gen_cmp(offrel, offset, size, v) 622 enum e_offrel offrel; 623 u_int offset, size; 624 bpf_int32 v; 625 { 626 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 627 } 628 629 static struct block * 630 gen_cmp_gt(offrel, offset, size, v) 631 enum e_offrel offrel; 632 u_int offset, size; 633 bpf_int32 v; 634 { 635 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 636 } 637 638 static struct block * 639 gen_cmp_ge(offrel, offset, size, v) 640 enum e_offrel offrel; 641 u_int offset, size; 642 bpf_int32 v; 643 { 644 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 645 } 646 647 static struct block * 648 gen_cmp_lt(offrel, offset, size, v) 649 enum e_offrel offrel; 650 u_int offset, size; 651 bpf_int32 v; 652 { 653 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 654 } 655 656 static struct block * 657 gen_cmp_le(offrel, offset, size, v) 658 enum e_offrel offrel; 659 u_int offset, size; 660 bpf_int32 v; 661 { 662 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 663 } 664 665 static struct block * 666 gen_mcmp(offrel, offset, size, v, mask) 667 enum e_offrel offrel; 668 u_int offset, size; 669 bpf_int32 v; 670 bpf_u_int32 mask; 671 { 672 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 673 } 674 675 static struct block * 676 gen_bcmp(offrel, offset, size, v) 677 enum e_offrel offrel; 678 register u_int offset, size; 679 register const u_char *v; 680 { 681 register struct block *b, *tmp; 682 683 b = NULL; 684 while (size >= 4) { 685 register const u_char *p = &v[size - 4]; 686 bpf_int32 w = ((bpf_int32)p[0] << 24) | 687 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 688 689 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 690 if (b != NULL) 691 gen_and(b, tmp); 692 b = tmp; 693 size -= 4; 694 } 695 while (size >= 2) { 696 register const u_char *p = &v[size - 2]; 697 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 698 699 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 700 if (b != NULL) 701 gen_and(b, tmp); 702 b = tmp; 703 size -= 2; 704 } 705 if (size > 0) { 706 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 707 if (b != NULL) 708 gen_and(b, tmp); 709 b = tmp; 710 } 711 return b; 712 } 713 714 /* 715 * AND the field of size "size" at offset "offset" relative to the header 716 * specified by "offrel" with "mask", and compare it with the value "v" 717 * with the test specified by "jtype"; if "reverse" is true, the test 718 * should test the opposite of "jtype". 719 */ 720 static struct block * 721 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 722 enum e_offrel offrel; 723 bpf_int32 v; 724 bpf_u_int32 offset, size, mask, jtype; 725 int reverse; 726 { 727 struct slist *s, *s2; 728 struct block *b; 729 730 s = gen_load_a(offrel, offset, size); 731 732 if (mask != 0xffffffff) { 733 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 734 s2->s.k = mask; 735 sappend(s, s2); 736 } 737 738 b = new_block(JMP(jtype)); 739 b->stmts = s; 740 b->s.k = v; 741 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 742 gen_not(b); 743 return b; 744 } 745 746 /* 747 * Various code constructs need to know the layout of the data link 748 * layer. These variables give the necessary offsets from the beginning 749 * of the packet data. 750 */ 751 752 /* 753 * This is the offset of the beginning of the link-layer header from 754 * the beginning of the raw packet data. 755 * 756 * It's usually 0, except for 802.11 with a fixed-length radio header. 757 * (For 802.11 with a variable-length radio header, we have to generate 758 * code to compute that offset; off_ll is 0 in that case.) 759 */ 760 static u_int off_ll; 761 762 /* 763 * If there's a variable-length header preceding the link-layer header, 764 * "reg_off_ll" is the register number for a register containing the 765 * length of that header, and therefore the offset of the link-layer 766 * header from the beginning of the raw packet data. Otherwise, 767 * "reg_off_ll" is -1. 768 */ 769 static int reg_off_ll; 770 771 /* 772 * This is the offset of the beginning of the MAC-layer header from 773 * the beginning of the link-layer header. 774 * It's usually 0, except for ATM LANE, where it's the offset, relative 775 * to the beginning of the raw packet data, of the Ethernet header. 776 */ 777 static u_int off_mac; 778 779 /* 780 * This is the offset of the beginning of the MAC-layer payload, 781 * from the beginning of the raw packet data. 782 * 783 * I.e., it's the sum of the length of the link-layer header (without, 784 * for example, any 802.2 LLC header, so it's the MAC-layer 785 * portion of that header), plus any prefix preceding the 786 * link-layer header. 787 */ 788 static u_int off_macpl; 789 790 /* 791 * This is 1 if the offset of the beginning of the MAC-layer payload 792 * from the beginning of the link-layer header is variable-length. 793 */ 794 static int off_macpl_is_variable; 795 796 /* 797 * If the link layer has variable_length headers, "reg_off_macpl" 798 * is the register number for a register containing the length of the 799 * link-layer header plus the length of any variable-length header 800 * preceding the link-layer header. Otherwise, "reg_off_macpl" 801 * is -1. 802 */ 803 static int reg_off_macpl; 804 805 /* 806 * "off_linktype" is the offset to information in the link-layer header 807 * giving the packet type. This offset is relative to the beginning 808 * of the link-layer header (i.e., it doesn't include off_ll). 809 * 810 * For Ethernet, it's the offset of the Ethernet type field. 811 * 812 * For link-layer types that always use 802.2 headers, it's the 813 * offset of the LLC header. 814 * 815 * For PPP, it's the offset of the PPP type field. 816 * 817 * For Cisco HDLC, it's the offset of the CHDLC type field. 818 * 819 * For BSD loopback, it's the offset of the AF_ value. 820 * 821 * For Linux cooked sockets, it's the offset of the type field. 822 * 823 * It's set to -1 for no encapsulation, in which case, IP is assumed. 824 */ 825 static u_int off_linktype; 826 827 /* 828 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 829 * checks to check the PPP header, assumed to follow a LAN-style link- 830 * layer header and a PPPoE session header. 831 */ 832 static int is_pppoes = 0; 833 834 /* 835 * TRUE if the link layer includes an ATM pseudo-header. 836 */ 837 static int is_atm = 0; 838 839 /* 840 * TRUE if "lane" appeared in the filter; it causes us to generate 841 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 842 */ 843 static int is_lane = 0; 844 845 /* 846 * These are offsets for the ATM pseudo-header. 847 */ 848 static u_int off_vpi; 849 static u_int off_vci; 850 static u_int off_proto; 851 852 /* 853 * These are offsets for the MTP2 fields. 854 */ 855 static u_int off_li; 856 857 /* 858 * These are offsets for the MTP3 fields. 859 */ 860 static u_int off_sio; 861 static u_int off_opc; 862 static u_int off_dpc; 863 static u_int off_sls; 864 865 /* 866 * This is the offset of the first byte after the ATM pseudo_header, 867 * or -1 if there is no ATM pseudo-header. 868 */ 869 static u_int off_payload; 870 871 /* 872 * These are offsets to the beginning of the network-layer header. 873 * They are relative to the beginning of the MAC-layer payload (i.e., 874 * they don't include off_ll or off_macpl). 875 * 876 * If the link layer never uses 802.2 LLC: 877 * 878 * "off_nl" and "off_nl_nosnap" are the same. 879 * 880 * If the link layer always uses 802.2 LLC: 881 * 882 * "off_nl" is the offset if there's a SNAP header following 883 * the 802.2 header; 884 * 885 * "off_nl_nosnap" is the offset if there's no SNAP header. 886 * 887 * If the link layer is Ethernet: 888 * 889 * "off_nl" is the offset if the packet is an Ethernet II packet 890 * (we assume no 802.3+802.2+SNAP); 891 * 892 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 893 * with an 802.2 header following it. 894 */ 895 static u_int off_nl; 896 static u_int off_nl_nosnap; 897 898 static int linktype; 899 900 static void 901 init_linktype(p) 902 pcap_t *p; 903 { 904 linktype = pcap_datalink(p); 905 #ifdef PCAP_FDDIPAD 906 pcap_fddipad = p->fddipad; 907 #endif 908 909 /* 910 * Assume it's not raw ATM with a pseudo-header, for now. 911 */ 912 off_mac = 0; 913 is_atm = 0; 914 is_lane = 0; 915 off_vpi = -1; 916 off_vci = -1; 917 off_proto = -1; 918 off_payload = -1; 919 920 /* 921 * And that we're not doing PPPoE. 922 */ 923 is_pppoes = 0; 924 925 /* 926 * And assume we're not doing SS7. 927 */ 928 off_li = -1; 929 off_sio = -1; 930 off_opc = -1; 931 off_dpc = -1; 932 off_sls = -1; 933 934 /* 935 * Also assume it's not 802.11. 936 */ 937 off_ll = 0; 938 off_macpl = 0; 939 off_macpl_is_variable = 0; 940 941 orig_linktype = -1; 942 orig_nl = -1; 943 label_stack_depth = 0; 944 945 reg_off_ll = -1; 946 reg_off_macpl = -1; 947 948 switch (linktype) { 949 950 case DLT_ARCNET: 951 off_linktype = 2; 952 off_macpl = 6; 953 off_nl = 0; /* XXX in reality, variable! */ 954 off_nl_nosnap = 0; /* no 802.2 LLC */ 955 return; 956 957 case DLT_ARCNET_LINUX: 958 off_linktype = 4; 959 off_macpl = 8; 960 off_nl = 0; /* XXX in reality, variable! */ 961 off_nl_nosnap = 0; /* no 802.2 LLC */ 962 return; 963 964 case DLT_EN10MB: 965 off_linktype = 12; 966 off_macpl = 14; /* Ethernet header length */ 967 off_nl = 0; /* Ethernet II */ 968 off_nl_nosnap = 3; /* 802.3+802.2 */ 969 return; 970 971 case DLT_SLIP: 972 /* 973 * SLIP doesn't have a link level type. The 16 byte 974 * header is hacked into our SLIP driver. 975 */ 976 off_linktype = -1; 977 off_macpl = 16; 978 off_nl = 0; 979 off_nl_nosnap = 0; /* no 802.2 LLC */ 980 return; 981 982 case DLT_SLIP_BSDOS: 983 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 984 off_linktype = -1; 985 /* XXX end */ 986 off_macpl = 24; 987 off_nl = 0; 988 off_nl_nosnap = 0; /* no 802.2 LLC */ 989 return; 990 991 case DLT_NULL: 992 case DLT_LOOP: 993 off_linktype = 0; 994 off_macpl = 4; 995 off_nl = 0; 996 off_nl_nosnap = 0; /* no 802.2 LLC */ 997 return; 998 999 case DLT_ENC: 1000 off_linktype = 0; 1001 off_macpl = 12; 1002 off_nl = 0; 1003 off_nl_nosnap = 0; /* no 802.2 LLC */ 1004 return; 1005 1006 case DLT_PPP: 1007 case DLT_PPP_PPPD: 1008 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1009 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1010 off_linktype = 2; 1011 off_macpl = 4; 1012 off_nl = 0; 1013 off_nl_nosnap = 0; /* no 802.2 LLC */ 1014 return; 1015 1016 case DLT_PPP_ETHER: 1017 /* 1018 * This does no include the Ethernet header, and 1019 * only covers session state. 1020 */ 1021 off_linktype = 6; 1022 off_macpl = 8; 1023 off_nl = 0; 1024 off_nl_nosnap = 0; /* no 802.2 LLC */ 1025 return; 1026 1027 case DLT_PPP_BSDOS: 1028 off_linktype = 5; 1029 off_macpl = 24; 1030 off_nl = 0; 1031 off_nl_nosnap = 0; /* no 802.2 LLC */ 1032 return; 1033 1034 case DLT_FDDI: 1035 /* 1036 * FDDI doesn't really have a link-level type field. 1037 * We set "off_linktype" to the offset of the LLC header. 1038 * 1039 * To check for Ethernet types, we assume that SSAP = SNAP 1040 * is being used and pick out the encapsulated Ethernet type. 1041 * XXX - should we generate code to check for SNAP? 1042 */ 1043 off_linktype = 13; 1044 #ifdef PCAP_FDDIPAD 1045 off_linktype += pcap_fddipad; 1046 #endif 1047 off_macpl = 13; /* FDDI MAC header length */ 1048 #ifdef PCAP_FDDIPAD 1049 off_macpl += pcap_fddipad; 1050 #endif 1051 off_nl = 8; /* 802.2+SNAP */ 1052 off_nl_nosnap = 3; /* 802.2 */ 1053 return; 1054 1055 case DLT_IEEE802: 1056 /* 1057 * Token Ring doesn't really have a link-level type field. 1058 * We set "off_linktype" to the offset of the LLC header. 1059 * 1060 * To check for Ethernet types, we assume that SSAP = SNAP 1061 * is being used and pick out the encapsulated Ethernet type. 1062 * XXX - should we generate code to check for SNAP? 1063 * 1064 * XXX - the header is actually variable-length. 1065 * Some various Linux patched versions gave 38 1066 * as "off_linktype" and 40 as "off_nl"; however, 1067 * if a token ring packet has *no* routing 1068 * information, i.e. is not source-routed, the correct 1069 * values are 20 and 22, as they are in the vanilla code. 1070 * 1071 * A packet is source-routed iff the uppermost bit 1072 * of the first byte of the source address, at an 1073 * offset of 8, has the uppermost bit set. If the 1074 * packet is source-routed, the total number of bytes 1075 * of routing information is 2 plus bits 0x1F00 of 1076 * the 16-bit value at an offset of 14 (shifted right 1077 * 8 - figure out which byte that is). 1078 */ 1079 off_linktype = 14; 1080 off_macpl = 14; /* Token Ring MAC header length */ 1081 off_nl = 8; /* 802.2+SNAP */ 1082 off_nl_nosnap = 3; /* 802.2 */ 1083 return; 1084 1085 case DLT_IEEE802_11: 1086 case DLT_PRISM_HEADER: 1087 case DLT_IEEE802_11_RADIO_AVS: 1088 case DLT_IEEE802_11_RADIO: 1089 /* 1090 * 802.11 doesn't really have a link-level type field. 1091 * We set "off_linktype" to the offset of the LLC header. 1092 * 1093 * To check for Ethernet types, we assume that SSAP = SNAP 1094 * is being used and pick out the encapsulated Ethernet type. 1095 * XXX - should we generate code to check for SNAP? 1096 * 1097 * We also handle variable-length radio headers here. 1098 * The Prism header is in theory variable-length, but in 1099 * practice it's always 144 bytes long. However, some 1100 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1101 * sometimes or always supply an AVS header, so we 1102 * have to check whether the radio header is a Prism 1103 * header or an AVS header, so, in practice, it's 1104 * variable-length. 1105 */ 1106 off_linktype = 24; 1107 off_macpl = 0; /* link-layer header is variable-length */ 1108 off_macpl_is_variable = 1; 1109 off_nl = 8; /* 802.2+SNAP */ 1110 off_nl_nosnap = 3; /* 802.2 */ 1111 return; 1112 1113 case DLT_PPI: 1114 /* 1115 * At the moment we treat PPI the same way that we treat 1116 * normal Radiotap encoded packets. The difference is in 1117 * the function that generates the code at the beginning 1118 * to compute the header length. Since this code generator 1119 * of PPI supports bare 802.11 encapsulation only (i.e. 1120 * the encapsulated DLT should be DLT_IEEE802_11) we 1121 * generate code to check for this too. 1122 */ 1123 off_linktype = 24; 1124 off_macpl = 0; /* link-layer header is variable-length */ 1125 off_macpl_is_variable = 1; 1126 off_nl = 8; /* 802.2+SNAP */ 1127 off_nl_nosnap = 3; /* 802.2 */ 1128 return; 1129 1130 case DLT_ATM_RFC1483: 1131 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1132 /* 1133 * assume routed, non-ISO PDUs 1134 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1135 * 1136 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1137 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1138 * latter would presumably be treated the way PPPoE 1139 * should be, so you can do "pppoe and udp port 2049" 1140 * or "pppoa and tcp port 80" and have it check for 1141 * PPPo{A,E} and a PPP protocol of IP and.... 1142 */ 1143 off_linktype = 0; 1144 off_macpl = 0; /* packet begins with LLC header */ 1145 off_nl = 8; /* 802.2+SNAP */ 1146 off_nl_nosnap = 3; /* 802.2 */ 1147 return; 1148 1149 case DLT_SUNATM: 1150 /* 1151 * Full Frontal ATM; you get AALn PDUs with an ATM 1152 * pseudo-header. 1153 */ 1154 is_atm = 1; 1155 off_vpi = SUNATM_VPI_POS; 1156 off_vci = SUNATM_VCI_POS; 1157 off_proto = PROTO_POS; 1158 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1159 off_payload = SUNATM_PKT_BEGIN_POS; 1160 off_linktype = off_payload; 1161 off_macpl = off_payload; /* if LLC-encapsulated */ 1162 off_nl = 8; /* 802.2+SNAP */ 1163 off_nl_nosnap = 3; /* 802.2 */ 1164 return; 1165 1166 case DLT_RAW: 1167 case DLT_IPV4: 1168 case DLT_IPV6: 1169 off_linktype = -1; 1170 off_macpl = 0; 1171 off_nl = 0; 1172 off_nl_nosnap = 0; /* no 802.2 LLC */ 1173 return; 1174 1175 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1176 off_linktype = 14; 1177 off_macpl = 16; 1178 off_nl = 0; 1179 off_nl_nosnap = 0; /* no 802.2 LLC */ 1180 return; 1181 1182 case DLT_LTALK: 1183 /* 1184 * LocalTalk does have a 1-byte type field in the LLAP header, 1185 * but really it just indicates whether there is a "short" or 1186 * "long" DDP packet following. 1187 */ 1188 off_linktype = -1; 1189 off_macpl = 0; 1190 off_nl = 0; 1191 off_nl_nosnap = 0; /* no 802.2 LLC */ 1192 return; 1193 1194 case DLT_IP_OVER_FC: 1195 /* 1196 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1197 * link-level type field. We set "off_linktype" to the 1198 * offset of the LLC header. 1199 * 1200 * To check for Ethernet types, we assume that SSAP = SNAP 1201 * is being used and pick out the encapsulated Ethernet type. 1202 * XXX - should we generate code to check for SNAP? RFC 1203 * 2625 says SNAP should be used. 1204 */ 1205 off_linktype = 16; 1206 off_macpl = 16; 1207 off_nl = 8; /* 802.2+SNAP */ 1208 off_nl_nosnap = 3; /* 802.2 */ 1209 return; 1210 1211 case DLT_FRELAY: 1212 /* 1213 * XXX - we should set this to handle SNAP-encapsulated 1214 * frames (NLPID of 0x80). 1215 */ 1216 off_linktype = -1; 1217 off_macpl = 0; 1218 off_nl = 0; 1219 off_nl_nosnap = 0; /* no 802.2 LLC */ 1220 return; 1221 1222 /* 1223 * the only BPF-interesting FRF.16 frames are non-control frames; 1224 * Frame Relay has a variable length link-layer 1225 * so lets start with offset 4 for now and increments later on (FIXME); 1226 */ 1227 case DLT_MFR: 1228 off_linktype = -1; 1229 off_macpl = 0; 1230 off_nl = 4; 1231 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1232 return; 1233 1234 case DLT_APPLE_IP_OVER_IEEE1394: 1235 off_linktype = 16; 1236 off_macpl = 18; 1237 off_nl = 0; 1238 off_nl_nosnap = 0; /* no 802.2 LLC */ 1239 return; 1240 1241 case DLT_LINUX_IRDA: 1242 /* 1243 * Currently, only raw "link[N:M]" filtering is supported. 1244 */ 1245 off_linktype = -1; 1246 off_macpl = -1; 1247 off_nl = -1; 1248 off_nl_nosnap = -1; 1249 return; 1250 1251 case DLT_DOCSIS: 1252 /* 1253 * Currently, only raw "link[N:M]" filtering is supported. 1254 */ 1255 off_linktype = -1; 1256 off_macpl = -1; 1257 off_nl = -1; 1258 off_nl_nosnap = -1; 1259 return; 1260 1261 case DLT_SYMANTEC_FIREWALL: 1262 off_linktype = 6; 1263 off_macpl = 44; 1264 off_nl = 0; /* Ethernet II */ 1265 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1266 return; 1267 1268 #ifdef HAVE_NET_PFVAR_H 1269 case DLT_PFLOG: 1270 off_linktype = 0; 1271 off_macpl = PFLOG_HDRLEN; 1272 off_nl = 0; 1273 off_nl_nosnap = 0; /* no 802.2 LLC */ 1274 return; 1275 #endif 1276 1277 case DLT_JUNIPER_MFR: 1278 case DLT_JUNIPER_MLFR: 1279 case DLT_JUNIPER_MLPPP: 1280 case DLT_JUNIPER_PPP: 1281 case DLT_JUNIPER_CHDLC: 1282 case DLT_JUNIPER_FRELAY: 1283 off_linktype = 4; 1284 off_macpl = 4; 1285 off_nl = 0; 1286 off_nl_nosnap = -1; /* no 802.2 LLC */ 1287 return; 1288 1289 case DLT_JUNIPER_ATM1: 1290 off_linktype = 4; /* in reality variable between 4-8 */ 1291 off_macpl = 4; /* in reality variable between 4-8 */ 1292 off_nl = 0; 1293 off_nl_nosnap = 10; 1294 return; 1295 1296 case DLT_JUNIPER_ATM2: 1297 off_linktype = 8; /* in reality variable between 8-12 */ 1298 off_macpl = 8; /* in reality variable between 8-12 */ 1299 off_nl = 0; 1300 off_nl_nosnap = 10; 1301 return; 1302 1303 /* frames captured on a Juniper PPPoE service PIC 1304 * contain raw ethernet frames */ 1305 case DLT_JUNIPER_PPPOE: 1306 case DLT_JUNIPER_ETHER: 1307 off_macpl = 14; 1308 off_linktype = 16; 1309 off_nl = 18; /* Ethernet II */ 1310 off_nl_nosnap = 21; /* 802.3+802.2 */ 1311 return; 1312 1313 case DLT_JUNIPER_PPPOE_ATM: 1314 off_linktype = 4; 1315 off_macpl = 6; 1316 off_nl = 0; 1317 off_nl_nosnap = -1; /* no 802.2 LLC */ 1318 return; 1319 1320 case DLT_JUNIPER_GGSN: 1321 off_linktype = 6; 1322 off_macpl = 12; 1323 off_nl = 0; 1324 off_nl_nosnap = -1; /* no 802.2 LLC */ 1325 return; 1326 1327 case DLT_JUNIPER_ES: 1328 off_linktype = 6; 1329 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1330 off_nl = -1; /* not really a network layer but raw IP addresses */ 1331 off_nl_nosnap = -1; /* no 802.2 LLC */ 1332 return; 1333 1334 case DLT_JUNIPER_MONITOR: 1335 off_linktype = 12; 1336 off_macpl = 12; 1337 off_nl = 0; /* raw IP/IP6 header */ 1338 off_nl_nosnap = -1; /* no 802.2 LLC */ 1339 return; 1340 1341 case DLT_JUNIPER_SERVICES: 1342 off_linktype = 12; 1343 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1344 off_nl = -1; /* L3 proto location dep. on cookie type */ 1345 off_nl_nosnap = -1; /* no 802.2 LLC */ 1346 return; 1347 1348 case DLT_JUNIPER_VP: 1349 off_linktype = 18; 1350 off_macpl = -1; 1351 off_nl = -1; 1352 off_nl_nosnap = -1; 1353 return; 1354 1355 case DLT_JUNIPER_ST: 1356 off_linktype = 18; 1357 off_macpl = -1; 1358 off_nl = -1; 1359 off_nl_nosnap = -1; 1360 return; 1361 1362 case DLT_JUNIPER_ISM: 1363 off_linktype = 8; 1364 off_macpl = -1; 1365 off_nl = -1; 1366 off_nl_nosnap = -1; 1367 return; 1368 1369 case DLT_MTP2: 1370 off_li = 2; 1371 off_sio = 3; 1372 off_opc = 4; 1373 off_dpc = 4; 1374 off_sls = 7; 1375 off_linktype = -1; 1376 off_macpl = -1; 1377 off_nl = -1; 1378 off_nl_nosnap = -1; 1379 return; 1380 1381 case DLT_MTP2_WITH_PHDR: 1382 off_li = 6; 1383 off_sio = 7; 1384 off_opc = 8; 1385 off_dpc = 8; 1386 off_sls = 11; 1387 off_linktype = -1; 1388 off_macpl = -1; 1389 off_nl = -1; 1390 off_nl_nosnap = -1; 1391 return; 1392 1393 case DLT_ERF: 1394 off_li = 22; 1395 off_sio = 23; 1396 off_opc = 24; 1397 off_dpc = 24; 1398 off_sls = 27; 1399 off_linktype = -1; 1400 off_macpl = -1; 1401 off_nl = -1; 1402 off_nl_nosnap = -1; 1403 return; 1404 1405 #ifdef DLT_PFSYNC 1406 case DLT_PFSYNC: 1407 off_linktype = -1; 1408 off_macpl = 4; 1409 off_nl = 0; 1410 off_nl_nosnap = 0; 1411 return; 1412 #endif 1413 1414 case DLT_LINUX_LAPD: 1415 /* 1416 * Currently, only raw "link[N:M]" filtering is supported. 1417 */ 1418 off_linktype = -1; 1419 off_macpl = -1; 1420 off_nl = -1; 1421 off_nl_nosnap = -1; 1422 return; 1423 1424 case DLT_USB: 1425 /* 1426 * Currently, only raw "link[N:M]" filtering is supported. 1427 */ 1428 off_linktype = -1; 1429 off_macpl = -1; 1430 off_nl = -1; 1431 off_nl_nosnap = -1; 1432 return; 1433 1434 case DLT_BLUETOOTH_HCI_H4: 1435 /* 1436 * Currently, only raw "link[N:M]" filtering is supported. 1437 */ 1438 off_linktype = -1; 1439 off_macpl = -1; 1440 off_nl = -1; 1441 off_nl_nosnap = -1; 1442 return; 1443 1444 case DLT_USB_LINUX: 1445 /* 1446 * Currently, only raw "link[N:M]" filtering is supported. 1447 */ 1448 off_linktype = -1; 1449 off_macpl = -1; 1450 off_nl = -1; 1451 off_nl_nosnap = -1; 1452 return; 1453 1454 case DLT_CAN20B: 1455 /* 1456 * Currently, only raw "link[N:M]" filtering is supported. 1457 */ 1458 off_linktype = -1; 1459 off_macpl = -1; 1460 off_nl = -1; 1461 off_nl_nosnap = -1; 1462 return; 1463 1464 case DLT_IEEE802_15_4_LINUX: 1465 /* 1466 * Currently, only raw "link[N:M]" filtering is supported. 1467 */ 1468 off_linktype = -1; 1469 off_macpl = -1; 1470 off_nl = -1; 1471 off_nl_nosnap = -1; 1472 return; 1473 1474 case DLT_IEEE802_16_MAC_CPS_RADIO: 1475 /* 1476 * Currently, only raw "link[N:M]" filtering is supported. 1477 */ 1478 off_linktype = -1; 1479 off_macpl = -1; 1480 off_nl = -1; 1481 off_nl_nosnap = -1; 1482 return; 1483 1484 case DLT_IEEE802_15_4: 1485 /* 1486 * Currently, only raw "link[N:M]" filtering is supported. 1487 */ 1488 off_linktype = -1; 1489 off_macpl = -1; 1490 off_nl = -1; 1491 off_nl_nosnap = -1; 1492 return; 1493 1494 case DLT_SITA: 1495 /* 1496 * Currently, only raw "link[N:M]" filtering is supported. 1497 */ 1498 off_linktype = -1; 1499 off_macpl = -1; 1500 off_nl = -1; 1501 off_nl_nosnap = -1; 1502 return; 1503 1504 case DLT_RAIF1: 1505 /* 1506 * Currently, only raw "link[N:M]" filtering is supported. 1507 */ 1508 off_linktype = -1; 1509 off_macpl = -1; 1510 off_nl = -1; 1511 off_nl_nosnap = -1; 1512 return; 1513 1514 case DLT_IPMB: 1515 /* 1516 * Currently, only raw "link[N:M]" filtering is supported. 1517 */ 1518 off_linktype = -1; 1519 off_macpl = -1; 1520 off_nl = -1; 1521 off_nl_nosnap = -1; 1522 return; 1523 1524 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 1525 /* 1526 * Currently, only raw "link[N:M]" filtering is supported. 1527 */ 1528 off_linktype = -1; 1529 off_macpl = -1; 1530 off_nl = -1; 1531 off_nl_nosnap = -1; 1532 return; 1533 1534 case DLT_AX25_KISS: 1535 /* 1536 * Currently, only raw "link[N:M]" filtering is supported. 1537 */ 1538 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1539 off_macpl = -1; 1540 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1541 off_nl_nosnap = -1; /* no 802.2 LLC */ 1542 off_mac = 1; /* step over the kiss length byte */ 1543 return; 1544 1545 case DLT_IEEE802_15_4_NONASK_PHY: 1546 /* 1547 * Currently, only raw "link[N:M]" filtering is supported. 1548 */ 1549 off_linktype = -1; 1550 off_macpl = -1; 1551 off_nl = -1; 1552 off_nl_nosnap = -1; 1553 return; 1554 1555 case DLT_MPLS: 1556 /* 1557 * Currently, only raw "link[N:M]" filtering is supported. 1558 */ 1559 off_linktype = -1; 1560 off_macpl = -1; 1561 off_nl = -1; 1562 off_nl_nosnap = -1; 1563 return; 1564 1565 case DLT_USB_LINUX_MMAPPED: 1566 /* 1567 * Currently, only raw "link[N:M]" filtering is supported. 1568 */ 1569 off_linktype = -1; 1570 off_macpl = -1; 1571 off_nl = -1; 1572 off_nl_nosnap = -1; 1573 return; 1574 1575 case DLT_CAN_SOCKETCAN: 1576 /* 1577 * Currently, only raw "link[N:M]" filtering is supported. 1578 */ 1579 off_linktype = -1; 1580 off_macpl = -1; 1581 off_nl = -1; 1582 off_nl_nosnap = -1; 1583 return; 1584 1585 case DLT_IPNET: 1586 off_linktype = 1; 1587 off_macpl = 24; /* ipnet header length */ 1588 off_nl = 0; 1589 off_nl_nosnap = -1; 1590 return; 1591 } 1592 bpf_error("unknown data link type %d", linktype); 1593 /* NOTREACHED */ 1594 } 1595 1596 /* 1597 * Load a value relative to the beginning of the link-layer header. 1598 * The link-layer header doesn't necessarily begin at the beginning 1599 * of the packet data; there might be a variable-length prefix containing 1600 * radio information. 1601 */ 1602 static struct slist * 1603 gen_load_llrel(offset, size) 1604 u_int offset, size; 1605 { 1606 struct slist *s, *s2; 1607 1608 s = gen_llprefixlen(); 1609 1610 /* 1611 * If "s" is non-null, it has code to arrange that the X register 1612 * contains the length of the prefix preceding the link-layer 1613 * header. 1614 * 1615 * Otherwise, the length of the prefix preceding the link-layer 1616 * header is "off_ll". 1617 */ 1618 if (s != NULL) { 1619 /* 1620 * There's a variable-length prefix preceding the 1621 * link-layer header. "s" points to a list of statements 1622 * that put the length of that prefix into the X register. 1623 * do an indirect load, to use the X register as an offset. 1624 */ 1625 s2 = new_stmt(BPF_LD|BPF_IND|size); 1626 s2->s.k = offset; 1627 sappend(s, s2); 1628 } else { 1629 /* 1630 * There is no variable-length header preceding the 1631 * link-layer header; add in off_ll, which, if there's 1632 * a fixed-length header preceding the link-layer header, 1633 * is the length of that header. 1634 */ 1635 s = new_stmt(BPF_LD|BPF_ABS|size); 1636 s->s.k = offset + off_ll; 1637 } 1638 return s; 1639 } 1640 1641 /* 1642 * Load a value relative to the beginning of the MAC-layer payload. 1643 */ 1644 static struct slist * 1645 gen_load_macplrel(offset, size) 1646 u_int offset, size; 1647 { 1648 struct slist *s, *s2; 1649 1650 s = gen_off_macpl(); 1651 1652 /* 1653 * If s is non-null, the offset of the MAC-layer payload is 1654 * variable, and s points to a list of instructions that 1655 * arrange that the X register contains that offset. 1656 * 1657 * Otherwise, the offset of the MAC-layer payload is constant, 1658 * and is in off_macpl. 1659 */ 1660 if (s != NULL) { 1661 /* 1662 * The offset of the MAC-layer payload is in the X 1663 * register. Do an indirect load, to use the X register 1664 * as an offset. 1665 */ 1666 s2 = new_stmt(BPF_LD|BPF_IND|size); 1667 s2->s.k = offset; 1668 sappend(s, s2); 1669 } else { 1670 /* 1671 * The offset of the MAC-layer payload is constant, 1672 * and is in off_macpl; load the value at that offset 1673 * plus the specified offset. 1674 */ 1675 s = new_stmt(BPF_LD|BPF_ABS|size); 1676 s->s.k = off_macpl + offset; 1677 } 1678 return s; 1679 } 1680 1681 /* 1682 * Load a value relative to the beginning of the specified header. 1683 */ 1684 static struct slist * 1685 gen_load_a(offrel, offset, size) 1686 enum e_offrel offrel; 1687 u_int offset, size; 1688 { 1689 struct slist *s, *s2; 1690 1691 switch (offrel) { 1692 1693 case OR_PACKET: 1694 s = new_stmt(BPF_LD|BPF_ABS|size); 1695 s->s.k = offset; 1696 break; 1697 1698 case OR_LINK: 1699 s = gen_load_llrel(offset, size); 1700 break; 1701 1702 case OR_MACPL: 1703 s = gen_load_macplrel(offset, size); 1704 break; 1705 1706 case OR_NET: 1707 s = gen_load_macplrel(off_nl + offset, size); 1708 break; 1709 1710 case OR_NET_NOSNAP: 1711 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1712 break; 1713 1714 case OR_TRAN_IPV4: 1715 /* 1716 * Load the X register with the length of the IPv4 header 1717 * (plus the offset of the link-layer header, if it's 1718 * preceded by a variable-length header such as a radio 1719 * header), in bytes. 1720 */ 1721 s = gen_loadx_iphdrlen(); 1722 1723 /* 1724 * Load the item at {offset of the MAC-layer payload} + 1725 * {offset, relative to the start of the MAC-layer 1726 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1727 * {specified offset}. 1728 * 1729 * (If the offset of the MAC-layer payload is variable, 1730 * it's included in the value in the X register, and 1731 * off_macpl is 0.) 1732 */ 1733 s2 = new_stmt(BPF_LD|BPF_IND|size); 1734 s2->s.k = off_macpl + off_nl + offset; 1735 sappend(s, s2); 1736 break; 1737 1738 case OR_TRAN_IPV6: 1739 s = gen_load_macplrel(off_nl + 40 + offset, size); 1740 break; 1741 1742 default: 1743 abort(); 1744 return NULL; 1745 } 1746 return s; 1747 } 1748 1749 /* 1750 * Generate code to load into the X register the sum of the length of 1751 * the IPv4 header and any variable-length header preceding the link-layer 1752 * header. 1753 */ 1754 static struct slist * 1755 gen_loadx_iphdrlen() 1756 { 1757 struct slist *s, *s2; 1758 1759 s = gen_off_macpl(); 1760 if (s != NULL) { 1761 /* 1762 * There's a variable-length prefix preceding the 1763 * link-layer header, or the link-layer header is itself 1764 * variable-length. "s" points to a list of statements 1765 * that put the offset of the MAC-layer payload into 1766 * the X register. 1767 * 1768 * The 4*([k]&0xf) addressing mode can't be used, as we 1769 * don't have a constant offset, so we have to load the 1770 * value in question into the A register and add to it 1771 * the value from the X register. 1772 */ 1773 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1774 s2->s.k = off_nl; 1775 sappend(s, s2); 1776 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1777 s2->s.k = 0xf; 1778 sappend(s, s2); 1779 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1780 s2->s.k = 2; 1781 sappend(s, s2); 1782 1783 /* 1784 * The A register now contains the length of the 1785 * IP header. We need to add to it the offset of 1786 * the MAC-layer payload, which is still in the X 1787 * register, and move the result into the X register. 1788 */ 1789 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1790 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1791 } else { 1792 /* 1793 * There is no variable-length header preceding the 1794 * link-layer header, and the link-layer header is 1795 * fixed-length; load the length of the IPv4 header, 1796 * which is at an offset of off_nl from the beginning 1797 * of the MAC-layer payload, and thus at an offset 1798 * of off_mac_pl + off_nl from the beginning of the 1799 * raw packet data. 1800 */ 1801 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1802 s->s.k = off_macpl + off_nl; 1803 } 1804 return s; 1805 } 1806 1807 static struct block * 1808 gen_uncond(rsense) 1809 int rsense; 1810 { 1811 struct block *b; 1812 struct slist *s; 1813 1814 s = new_stmt(BPF_LD|BPF_IMM); 1815 s->s.k = !rsense; 1816 b = new_block(JMP(BPF_JEQ)); 1817 b->stmts = s; 1818 1819 return b; 1820 } 1821 1822 static inline struct block * 1823 gen_true() 1824 { 1825 return gen_uncond(1); 1826 } 1827 1828 static inline struct block * 1829 gen_false() 1830 { 1831 return gen_uncond(0); 1832 } 1833 1834 /* 1835 * Byte-swap a 32-bit number. 1836 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1837 * big-endian platforms.) 1838 */ 1839 #define SWAPLONG(y) \ 1840 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1841 1842 /* 1843 * Generate code to match a particular packet type. 1844 * 1845 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1846 * value, if <= ETHERMTU. We use that to determine whether to 1847 * match the type/length field or to check the type/length field for 1848 * a value <= ETHERMTU to see whether it's a type field and then do 1849 * the appropriate test. 1850 */ 1851 static struct block * 1852 gen_ether_linktype(proto) 1853 register int proto; 1854 { 1855 struct block *b0, *b1; 1856 1857 switch (proto) { 1858 1859 case LLCSAP_ISONS: 1860 case LLCSAP_IP: 1861 case LLCSAP_NETBEUI: 1862 /* 1863 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1864 * so we check the DSAP and SSAP. 1865 * 1866 * LLCSAP_IP checks for IP-over-802.2, rather 1867 * than IP-over-Ethernet or IP-over-SNAP. 1868 * 1869 * XXX - should we check both the DSAP and the 1870 * SSAP, like this, or should we check just the 1871 * DSAP, as we do for other types <= ETHERMTU 1872 * (i.e., other SAP values)? 1873 */ 1874 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1875 gen_not(b0); 1876 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1877 ((proto << 8) | proto)); 1878 gen_and(b0, b1); 1879 return b1; 1880 1881 case LLCSAP_IPX: 1882 /* 1883 * Check for; 1884 * 1885 * Ethernet_II frames, which are Ethernet 1886 * frames with a frame type of ETHERTYPE_IPX; 1887 * 1888 * Ethernet_802.3 frames, which are 802.3 1889 * frames (i.e., the type/length field is 1890 * a length field, <= ETHERMTU, rather than 1891 * a type field) with the first two bytes 1892 * after the Ethernet/802.3 header being 1893 * 0xFFFF; 1894 * 1895 * Ethernet_802.2 frames, which are 802.3 1896 * frames with an 802.2 LLC header and 1897 * with the IPX LSAP as the DSAP in the LLC 1898 * header; 1899 * 1900 * Ethernet_SNAP frames, which are 802.3 1901 * frames with an LLC header and a SNAP 1902 * header and with an OUI of 0x000000 1903 * (encapsulated Ethernet) and a protocol 1904 * ID of ETHERTYPE_IPX in the SNAP header. 1905 * 1906 * XXX - should we generate the same code both 1907 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1908 */ 1909 1910 /* 1911 * This generates code to check both for the 1912 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1913 */ 1914 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1915 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1916 gen_or(b0, b1); 1917 1918 /* 1919 * Now we add code to check for SNAP frames with 1920 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1921 */ 1922 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1923 gen_or(b0, b1); 1924 1925 /* 1926 * Now we generate code to check for 802.3 1927 * frames in general. 1928 */ 1929 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1930 gen_not(b0); 1931 1932 /* 1933 * Now add the check for 802.3 frames before the 1934 * check for Ethernet_802.2 and Ethernet_802.3, 1935 * as those checks should only be done on 802.3 1936 * frames, not on Ethernet frames. 1937 */ 1938 gen_and(b0, b1); 1939 1940 /* 1941 * Now add the check for Ethernet_II frames, and 1942 * do that before checking for the other frame 1943 * types. 1944 */ 1945 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1946 (bpf_int32)ETHERTYPE_IPX); 1947 gen_or(b0, b1); 1948 return b1; 1949 1950 case ETHERTYPE_ATALK: 1951 case ETHERTYPE_AARP: 1952 /* 1953 * EtherTalk (AppleTalk protocols on Ethernet link 1954 * layer) may use 802.2 encapsulation. 1955 */ 1956 1957 /* 1958 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1959 * we check for an Ethernet type field less than 1960 * 1500, which means it's an 802.3 length field. 1961 */ 1962 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1963 gen_not(b0); 1964 1965 /* 1966 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1967 * SNAP packets with an organization code of 1968 * 0x080007 (Apple, for Appletalk) and a protocol 1969 * type of ETHERTYPE_ATALK (Appletalk). 1970 * 1971 * 802.2-encapsulated ETHERTYPE_AARP packets are 1972 * SNAP packets with an organization code of 1973 * 0x000000 (encapsulated Ethernet) and a protocol 1974 * type of ETHERTYPE_AARP (Appletalk ARP). 1975 */ 1976 if (proto == ETHERTYPE_ATALK) 1977 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1978 else /* proto == ETHERTYPE_AARP */ 1979 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1980 gen_and(b0, b1); 1981 1982 /* 1983 * Check for Ethernet encapsulation (Ethertalk 1984 * phase 1?); we just check for the Ethernet 1985 * protocol type. 1986 */ 1987 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1988 1989 gen_or(b0, b1); 1990 return b1; 1991 1992 default: 1993 if (proto <= ETHERMTU) { 1994 /* 1995 * This is an LLC SAP value, so the frames 1996 * that match would be 802.2 frames. 1997 * Check that the frame is an 802.2 frame 1998 * (i.e., that the length/type field is 1999 * a length field, <= ETHERMTU) and 2000 * then check the DSAP. 2001 */ 2002 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 2003 gen_not(b0); 2004 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 2005 (bpf_int32)proto); 2006 gen_and(b0, b1); 2007 return b1; 2008 } else { 2009 /* 2010 * This is an Ethernet type, so compare 2011 * the length/type field with it (if 2012 * the frame is an 802.2 frame, the length 2013 * field will be <= ETHERMTU, and, as 2014 * "proto" is > ETHERMTU, this test 2015 * will fail and the frame won't match, 2016 * which is what we want). 2017 */ 2018 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2019 (bpf_int32)proto); 2020 } 2021 } 2022 } 2023 2024 /* 2025 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2026 * or IPv6 then we have an error. 2027 */ 2028 static struct block * 2029 gen_ipnet_linktype(proto) 2030 register int proto; 2031 { 2032 switch (proto) { 2033 2034 case ETHERTYPE_IP: 2035 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2036 (bpf_int32)IPH_AF_INET); 2037 /* NOTREACHED */ 2038 2039 case ETHERTYPE_IPV6: 2040 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2041 (bpf_int32)IPH_AF_INET6); 2042 /* NOTREACHED */ 2043 2044 default: 2045 break; 2046 } 2047 2048 return gen_false(); 2049 } 2050 2051 /* 2052 * Generate code to match a particular packet type. 2053 * 2054 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2055 * value, if <= ETHERMTU. We use that to determine whether to 2056 * match the type field or to check the type field for the special 2057 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2058 */ 2059 static struct block * 2060 gen_linux_sll_linktype(proto) 2061 register int proto; 2062 { 2063 struct block *b0, *b1; 2064 2065 switch (proto) { 2066 2067 case LLCSAP_ISONS: 2068 case LLCSAP_IP: 2069 case LLCSAP_NETBEUI: 2070 /* 2071 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2072 * so we check the DSAP and SSAP. 2073 * 2074 * LLCSAP_IP checks for IP-over-802.2, rather 2075 * than IP-over-Ethernet or IP-over-SNAP. 2076 * 2077 * XXX - should we check both the DSAP and the 2078 * SSAP, like this, or should we check just the 2079 * DSAP, as we do for other types <= ETHERMTU 2080 * (i.e., other SAP values)? 2081 */ 2082 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2083 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 2084 ((proto << 8) | proto)); 2085 gen_and(b0, b1); 2086 return b1; 2087 2088 case LLCSAP_IPX: 2089 /* 2090 * Ethernet_II frames, which are Ethernet 2091 * frames with a frame type of ETHERTYPE_IPX; 2092 * 2093 * Ethernet_802.3 frames, which have a frame 2094 * type of LINUX_SLL_P_802_3; 2095 * 2096 * Ethernet_802.2 frames, which are 802.3 2097 * frames with an 802.2 LLC header (i.e, have 2098 * a frame type of LINUX_SLL_P_802_2) and 2099 * with the IPX LSAP as the DSAP in the LLC 2100 * header; 2101 * 2102 * Ethernet_SNAP frames, which are 802.3 2103 * frames with an LLC header and a SNAP 2104 * header and with an OUI of 0x000000 2105 * (encapsulated Ethernet) and a protocol 2106 * ID of ETHERTYPE_IPX in the SNAP header. 2107 * 2108 * First, do the checks on LINUX_SLL_P_802_2 2109 * frames; generate the check for either 2110 * Ethernet_802.2 or Ethernet_SNAP frames, and 2111 * then put a check for LINUX_SLL_P_802_2 frames 2112 * before it. 2113 */ 2114 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2115 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2116 gen_or(b0, b1); 2117 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2118 gen_and(b0, b1); 2119 2120 /* 2121 * Now check for 802.3 frames and OR that with 2122 * the previous test. 2123 */ 2124 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2125 gen_or(b0, b1); 2126 2127 /* 2128 * Now add the check for Ethernet_II frames, and 2129 * do that before checking for the other frame 2130 * types. 2131 */ 2132 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2133 (bpf_int32)ETHERTYPE_IPX); 2134 gen_or(b0, b1); 2135 return b1; 2136 2137 case ETHERTYPE_ATALK: 2138 case ETHERTYPE_AARP: 2139 /* 2140 * EtherTalk (AppleTalk protocols on Ethernet link 2141 * layer) may use 802.2 encapsulation. 2142 */ 2143 2144 /* 2145 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2146 * we check for the 802.2 protocol type in the 2147 * "Ethernet type" field. 2148 */ 2149 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2150 2151 /* 2152 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2153 * SNAP packets with an organization code of 2154 * 0x080007 (Apple, for Appletalk) and a protocol 2155 * type of ETHERTYPE_ATALK (Appletalk). 2156 * 2157 * 802.2-encapsulated ETHERTYPE_AARP packets are 2158 * SNAP packets with an organization code of 2159 * 0x000000 (encapsulated Ethernet) and a protocol 2160 * type of ETHERTYPE_AARP (Appletalk ARP). 2161 */ 2162 if (proto == ETHERTYPE_ATALK) 2163 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2164 else /* proto == ETHERTYPE_AARP */ 2165 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2166 gen_and(b0, b1); 2167 2168 /* 2169 * Check for Ethernet encapsulation (Ethertalk 2170 * phase 1?); we just check for the Ethernet 2171 * protocol type. 2172 */ 2173 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2174 2175 gen_or(b0, b1); 2176 return b1; 2177 2178 default: 2179 if (proto <= ETHERMTU) { 2180 /* 2181 * This is an LLC SAP value, so the frames 2182 * that match would be 802.2 frames. 2183 * Check for the 802.2 protocol type 2184 * in the "Ethernet type" field, and 2185 * then check the DSAP. 2186 */ 2187 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2188 LINUX_SLL_P_802_2); 2189 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2190 (bpf_int32)proto); 2191 gen_and(b0, b1); 2192 return b1; 2193 } else { 2194 /* 2195 * This is an Ethernet type, so compare 2196 * the length/type field with it (if 2197 * the frame is an 802.2 frame, the length 2198 * field will be <= ETHERMTU, and, as 2199 * "proto" is > ETHERMTU, this test 2200 * will fail and the frame won't match, 2201 * which is what we want). 2202 */ 2203 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2204 (bpf_int32)proto); 2205 } 2206 } 2207 } 2208 2209 static struct slist * 2210 gen_load_prism_llprefixlen() 2211 { 2212 struct slist *s1, *s2; 2213 struct slist *sjeq_avs_cookie; 2214 struct slist *sjcommon; 2215 2216 /* 2217 * This code is not compatible with the optimizer, as 2218 * we are generating jmp instructions within a normal 2219 * slist of instructions 2220 */ 2221 no_optimize = 1; 2222 2223 /* 2224 * Generate code to load the length of the radio header into 2225 * the register assigned to hold that length, if one has been 2226 * assigned. (If one hasn't been assigned, no code we've 2227 * generated uses that prefix, so we don't need to generate any 2228 * code to load it.) 2229 * 2230 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2231 * or always use the AVS header rather than the Prism header. 2232 * We load a 4-byte big-endian value at the beginning of the 2233 * raw packet data, and see whether, when masked with 0xFFFFF000, 2234 * it's equal to 0x80211000. If so, that indicates that it's 2235 * an AVS header (the masked-out bits are the version number). 2236 * Otherwise, it's a Prism header. 2237 * 2238 * XXX - the Prism header is also, in theory, variable-length, 2239 * but no known software generates headers that aren't 144 2240 * bytes long. 2241 */ 2242 if (reg_off_ll != -1) { 2243 /* 2244 * Load the cookie. 2245 */ 2246 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2247 s1->s.k = 0; 2248 2249 /* 2250 * AND it with 0xFFFFF000. 2251 */ 2252 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2253 s2->s.k = 0xFFFFF000; 2254 sappend(s1, s2); 2255 2256 /* 2257 * Compare with 0x80211000. 2258 */ 2259 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2260 sjeq_avs_cookie->s.k = 0x80211000; 2261 sappend(s1, sjeq_avs_cookie); 2262 2263 /* 2264 * If it's AVS: 2265 * 2266 * The 4 bytes at an offset of 4 from the beginning of 2267 * the AVS header are the length of the AVS header. 2268 * That field is big-endian. 2269 */ 2270 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2271 s2->s.k = 4; 2272 sappend(s1, s2); 2273 sjeq_avs_cookie->s.jt = s2; 2274 2275 /* 2276 * Now jump to the code to allocate a register 2277 * into which to save the header length and 2278 * store the length there. (The "jump always" 2279 * instruction needs to have the k field set; 2280 * it's added to the PC, so, as we're jumping 2281 * over a single instruction, it should be 1.) 2282 */ 2283 sjcommon = new_stmt(JMP(BPF_JA)); 2284 sjcommon->s.k = 1; 2285 sappend(s1, sjcommon); 2286 2287 /* 2288 * Now for the code that handles the Prism header. 2289 * Just load the length of the Prism header (144) 2290 * into the A register. Have the test for an AVS 2291 * header branch here if we don't have an AVS header. 2292 */ 2293 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2294 s2->s.k = 144; 2295 sappend(s1, s2); 2296 sjeq_avs_cookie->s.jf = s2; 2297 2298 /* 2299 * Now allocate a register to hold that value and store 2300 * it. The code for the AVS header will jump here after 2301 * loading the length of the AVS header. 2302 */ 2303 s2 = new_stmt(BPF_ST); 2304 s2->s.k = reg_off_ll; 2305 sappend(s1, s2); 2306 sjcommon->s.jf = s2; 2307 2308 /* 2309 * Now move it into the X register. 2310 */ 2311 s2 = new_stmt(BPF_MISC|BPF_TAX); 2312 sappend(s1, s2); 2313 2314 return (s1); 2315 } else 2316 return (NULL); 2317 } 2318 2319 static struct slist * 2320 gen_load_avs_llprefixlen() 2321 { 2322 struct slist *s1, *s2; 2323 2324 /* 2325 * Generate code to load the length of the AVS header into 2326 * the register assigned to hold that length, if one has been 2327 * assigned. (If one hasn't been assigned, no code we've 2328 * generated uses that prefix, so we don't need to generate any 2329 * code to load it.) 2330 */ 2331 if (reg_off_ll != -1) { 2332 /* 2333 * The 4 bytes at an offset of 4 from the beginning of 2334 * the AVS header are the length of the AVS header. 2335 * That field is big-endian. 2336 */ 2337 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2338 s1->s.k = 4; 2339 2340 /* 2341 * Now allocate a register to hold that value and store 2342 * it. 2343 */ 2344 s2 = new_stmt(BPF_ST); 2345 s2->s.k = reg_off_ll; 2346 sappend(s1, s2); 2347 2348 /* 2349 * Now move it into the X register. 2350 */ 2351 s2 = new_stmt(BPF_MISC|BPF_TAX); 2352 sappend(s1, s2); 2353 2354 return (s1); 2355 } else 2356 return (NULL); 2357 } 2358 2359 static struct slist * 2360 gen_load_radiotap_llprefixlen() 2361 { 2362 struct slist *s1, *s2; 2363 2364 /* 2365 * Generate code to load the length of the radiotap header into 2366 * the register assigned to hold that length, if one has been 2367 * assigned. (If one hasn't been assigned, no code we've 2368 * generated uses that prefix, so we don't need to generate any 2369 * code to load it.) 2370 */ 2371 if (reg_off_ll != -1) { 2372 /* 2373 * The 2 bytes at offsets of 2 and 3 from the beginning 2374 * of the radiotap header are the length of the radiotap 2375 * header; unfortunately, it's little-endian, so we have 2376 * to load it a byte at a time and construct the value. 2377 */ 2378 2379 /* 2380 * Load the high-order byte, at an offset of 3, shift it 2381 * left a byte, and put the result in the X register. 2382 */ 2383 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2384 s1->s.k = 3; 2385 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2386 sappend(s1, s2); 2387 s2->s.k = 8; 2388 s2 = new_stmt(BPF_MISC|BPF_TAX); 2389 sappend(s1, s2); 2390 2391 /* 2392 * Load the next byte, at an offset of 2, and OR the 2393 * value from the X register into it. 2394 */ 2395 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2396 sappend(s1, s2); 2397 s2->s.k = 2; 2398 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2399 sappend(s1, s2); 2400 2401 /* 2402 * Now allocate a register to hold that value and store 2403 * it. 2404 */ 2405 s2 = new_stmt(BPF_ST); 2406 s2->s.k = reg_off_ll; 2407 sappend(s1, s2); 2408 2409 /* 2410 * Now move it into the X register. 2411 */ 2412 s2 = new_stmt(BPF_MISC|BPF_TAX); 2413 sappend(s1, s2); 2414 2415 return (s1); 2416 } else 2417 return (NULL); 2418 } 2419 2420 /* 2421 * At the moment we treat PPI as normal Radiotap encoded 2422 * packets. The difference is in the function that generates 2423 * the code at the beginning to compute the header length. 2424 * Since this code generator of PPI supports bare 802.11 2425 * encapsulation only (i.e. the encapsulated DLT should be 2426 * DLT_IEEE802_11) we generate code to check for this too; 2427 * that's done in finish_parse(). 2428 */ 2429 static struct slist * 2430 gen_load_ppi_llprefixlen() 2431 { 2432 struct slist *s1, *s2; 2433 2434 /* 2435 * Generate code to load the length of the radiotap header 2436 * into the register assigned to hold that length, if one has 2437 * been assigned. 2438 */ 2439 if (reg_off_ll != -1) { 2440 /* 2441 * The 2 bytes at offsets of 2 and 3 from the beginning 2442 * of the radiotap header are the length of the radiotap 2443 * header; unfortunately, it's little-endian, so we have 2444 * to load it a byte at a time and construct the value. 2445 */ 2446 2447 /* 2448 * Load the high-order byte, at an offset of 3, shift it 2449 * left a byte, and put the result in the X register. 2450 */ 2451 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2452 s1->s.k = 3; 2453 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2454 sappend(s1, s2); 2455 s2->s.k = 8; 2456 s2 = new_stmt(BPF_MISC|BPF_TAX); 2457 sappend(s1, s2); 2458 2459 /* 2460 * Load the next byte, at an offset of 2, and OR the 2461 * value from the X register into it. 2462 */ 2463 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2464 sappend(s1, s2); 2465 s2->s.k = 2; 2466 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2467 sappend(s1, s2); 2468 2469 /* 2470 * Now allocate a register to hold that value and store 2471 * it. 2472 */ 2473 s2 = new_stmt(BPF_ST); 2474 s2->s.k = reg_off_ll; 2475 sappend(s1, s2); 2476 2477 /* 2478 * Now move it into the X register. 2479 */ 2480 s2 = new_stmt(BPF_MISC|BPF_TAX); 2481 sappend(s1, s2); 2482 2483 return (s1); 2484 } else 2485 return (NULL); 2486 } 2487 2488 /* 2489 * Load a value relative to the beginning of the link-layer header after the 802.11 2490 * header, i.e. LLC_SNAP. 2491 * The link-layer header doesn't necessarily begin at the beginning 2492 * of the packet data; there might be a variable-length prefix containing 2493 * radio information. 2494 */ 2495 static struct slist * 2496 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2497 { 2498 struct slist *s2; 2499 struct slist *sjset_data_frame_1; 2500 struct slist *sjset_data_frame_2; 2501 struct slist *sjset_qos; 2502 struct slist *sjset_radiotap_flags; 2503 struct slist *sjset_radiotap_tsft; 2504 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2505 struct slist *s_roundup; 2506 2507 if (reg_off_macpl == -1) { 2508 /* 2509 * No register has been assigned to the offset of 2510 * the MAC-layer payload, which means nobody needs 2511 * it; don't bother computing it - just return 2512 * what we already have. 2513 */ 2514 return (s); 2515 } 2516 2517 /* 2518 * This code is not compatible with the optimizer, as 2519 * we are generating jmp instructions within a normal 2520 * slist of instructions 2521 */ 2522 no_optimize = 1; 2523 2524 /* 2525 * If "s" is non-null, it has code to arrange that the X register 2526 * contains the length of the prefix preceding the link-layer 2527 * header. 2528 * 2529 * Otherwise, the length of the prefix preceding the link-layer 2530 * header is "off_ll". 2531 */ 2532 if (s == NULL) { 2533 /* 2534 * There is no variable-length header preceding the 2535 * link-layer header. 2536 * 2537 * Load the length of the fixed-length prefix preceding 2538 * the link-layer header (if any) into the X register, 2539 * and store it in the reg_off_macpl register. 2540 * That length is off_ll. 2541 */ 2542 s = new_stmt(BPF_LDX|BPF_IMM); 2543 s->s.k = off_ll; 2544 } 2545 2546 /* 2547 * The X register contains the offset of the beginning of the 2548 * link-layer header; add 24, which is the minimum length 2549 * of the MAC header for a data frame, to that, and store it 2550 * in reg_off_macpl, and then load the Frame Control field, 2551 * which is at the offset in the X register, with an indexed load. 2552 */ 2553 s2 = new_stmt(BPF_MISC|BPF_TXA); 2554 sappend(s, s2); 2555 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2556 s2->s.k = 24; 2557 sappend(s, s2); 2558 s2 = new_stmt(BPF_ST); 2559 s2->s.k = reg_off_macpl; 2560 sappend(s, s2); 2561 2562 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2563 s2->s.k = 0; 2564 sappend(s, s2); 2565 2566 /* 2567 * Check the Frame Control field to see if this is a data frame; 2568 * a data frame has the 0x08 bit (b3) in that field set and the 2569 * 0x04 bit (b2) clear. 2570 */ 2571 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2572 sjset_data_frame_1->s.k = 0x08; 2573 sappend(s, sjset_data_frame_1); 2574 2575 /* 2576 * If b3 is set, test b2, otherwise go to the first statement of 2577 * the rest of the program. 2578 */ 2579 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2580 sjset_data_frame_2->s.k = 0x04; 2581 sappend(s, sjset_data_frame_2); 2582 sjset_data_frame_1->s.jf = snext; 2583 2584 /* 2585 * If b2 is not set, this is a data frame; test the QoS bit. 2586 * Otherwise, go to the first statement of the rest of the 2587 * program. 2588 */ 2589 sjset_data_frame_2->s.jt = snext; 2590 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2591 sjset_qos->s.k = 0x80; /* QoS bit */ 2592 sappend(s, sjset_qos); 2593 2594 /* 2595 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2596 * field. 2597 * Otherwise, go to the first statement of the rest of the 2598 * program. 2599 */ 2600 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2601 s2->s.k = reg_off_macpl; 2602 sappend(s, s2); 2603 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2604 s2->s.k = 2; 2605 sappend(s, s2); 2606 s2 = new_stmt(BPF_ST); 2607 s2->s.k = reg_off_macpl; 2608 sappend(s, s2); 2609 2610 /* 2611 * If we have a radiotap header, look at it to see whether 2612 * there's Atheros padding between the MAC-layer header 2613 * and the payload. 2614 * 2615 * Note: all of the fields in the radiotap header are 2616 * little-endian, so we byte-swap all of the values 2617 * we test against, as they will be loaded as big-endian 2618 * values. 2619 */ 2620 if (linktype == DLT_IEEE802_11_RADIO) { 2621 /* 2622 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2623 * in the presence flag? 2624 */ 2625 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2626 s2->s.k = 4; 2627 sappend(s, s2); 2628 2629 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2630 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2631 sappend(s, sjset_radiotap_flags); 2632 2633 /* 2634 * If not, skip all of this. 2635 */ 2636 sjset_radiotap_flags->s.jf = snext; 2637 2638 /* 2639 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2640 */ 2641 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2642 new_stmt(JMP(BPF_JSET)); 2643 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2644 sappend(s, sjset_radiotap_tsft); 2645 2646 /* 2647 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2648 * at an offset of 16 from the beginning of the raw packet 2649 * data (8 bytes for the radiotap header and 8 bytes for 2650 * the TSFT field). 2651 * 2652 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2653 * is set. 2654 */ 2655 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2656 s2->s.k = 16; 2657 sappend(s, s2); 2658 2659 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2660 sjset_tsft_datapad->s.k = 0x20; 2661 sappend(s, sjset_tsft_datapad); 2662 2663 /* 2664 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2665 * at an offset of 8 from the beginning of the raw packet 2666 * data (8 bytes for the radiotap header). 2667 * 2668 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2669 * is set. 2670 */ 2671 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2672 s2->s.k = 8; 2673 sappend(s, s2); 2674 2675 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2676 sjset_notsft_datapad->s.k = 0x20; 2677 sappend(s, sjset_notsft_datapad); 2678 2679 /* 2680 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2681 * set, round the length of the 802.11 header to 2682 * a multiple of 4. Do that by adding 3 and then 2683 * dividing by and multiplying by 4, which we do by 2684 * ANDing with ~3. 2685 */ 2686 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2687 s_roundup->s.k = reg_off_macpl; 2688 sappend(s, s_roundup); 2689 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2690 s2->s.k = 3; 2691 sappend(s, s2); 2692 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2693 s2->s.k = ~3; 2694 sappend(s, s2); 2695 s2 = new_stmt(BPF_ST); 2696 s2->s.k = reg_off_macpl; 2697 sappend(s, s2); 2698 2699 sjset_tsft_datapad->s.jt = s_roundup; 2700 sjset_tsft_datapad->s.jf = snext; 2701 sjset_notsft_datapad->s.jt = s_roundup; 2702 sjset_notsft_datapad->s.jf = snext; 2703 } else 2704 sjset_qos->s.jf = snext; 2705 2706 return s; 2707 } 2708 2709 static void 2710 insert_compute_vloffsets(b) 2711 struct block *b; 2712 { 2713 struct slist *s; 2714 2715 /* 2716 * For link-layer types that have a variable-length header 2717 * preceding the link-layer header, generate code to load 2718 * the offset of the link-layer header into the register 2719 * assigned to that offset, if any. 2720 */ 2721 switch (linktype) { 2722 2723 case DLT_PRISM_HEADER: 2724 s = gen_load_prism_llprefixlen(); 2725 break; 2726 2727 case DLT_IEEE802_11_RADIO_AVS: 2728 s = gen_load_avs_llprefixlen(); 2729 break; 2730 2731 case DLT_IEEE802_11_RADIO: 2732 s = gen_load_radiotap_llprefixlen(); 2733 break; 2734 2735 case DLT_PPI: 2736 s = gen_load_ppi_llprefixlen(); 2737 break; 2738 2739 default: 2740 s = NULL; 2741 break; 2742 } 2743 2744 /* 2745 * For link-layer types that have a variable-length link-layer 2746 * header, generate code to load the offset of the MAC-layer 2747 * payload into the register assigned to that offset, if any. 2748 */ 2749 switch (linktype) { 2750 2751 case DLT_IEEE802_11: 2752 case DLT_PRISM_HEADER: 2753 case DLT_IEEE802_11_RADIO_AVS: 2754 case DLT_IEEE802_11_RADIO: 2755 case DLT_PPI: 2756 s = gen_load_802_11_header_len(s, b->stmts); 2757 break; 2758 } 2759 2760 /* 2761 * If we have any offset-loading code, append all the 2762 * existing statements in the block to those statements, 2763 * and make the resulting list the list of statements 2764 * for the block. 2765 */ 2766 if (s != NULL) { 2767 sappend(s, b->stmts); 2768 b->stmts = s; 2769 } 2770 } 2771 2772 static struct block * 2773 gen_ppi_dlt_check(void) 2774 { 2775 struct slist *s_load_dlt; 2776 struct block *b; 2777 2778 if (linktype == DLT_PPI) 2779 { 2780 /* Create the statements that check for the DLT 2781 */ 2782 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2783 s_load_dlt->s.k = 4; 2784 2785 b = new_block(JMP(BPF_JEQ)); 2786 2787 b->stmts = s_load_dlt; 2788 b->s.k = SWAPLONG(DLT_IEEE802_11); 2789 } 2790 else 2791 { 2792 b = NULL; 2793 } 2794 2795 return b; 2796 } 2797 2798 static struct slist * 2799 gen_prism_llprefixlen(void) 2800 { 2801 struct slist *s; 2802 2803 if (reg_off_ll == -1) { 2804 /* 2805 * We haven't yet assigned a register for the length 2806 * of the radio header; allocate one. 2807 */ 2808 reg_off_ll = alloc_reg(); 2809 } 2810 2811 /* 2812 * Load the register containing the radio length 2813 * into the X register. 2814 */ 2815 s = new_stmt(BPF_LDX|BPF_MEM); 2816 s->s.k = reg_off_ll; 2817 return s; 2818 } 2819 2820 static struct slist * 2821 gen_avs_llprefixlen(void) 2822 { 2823 struct slist *s; 2824 2825 if (reg_off_ll == -1) { 2826 /* 2827 * We haven't yet assigned a register for the length 2828 * of the AVS header; allocate one. 2829 */ 2830 reg_off_ll = alloc_reg(); 2831 } 2832 2833 /* 2834 * Load the register containing the AVS length 2835 * into the X register. 2836 */ 2837 s = new_stmt(BPF_LDX|BPF_MEM); 2838 s->s.k = reg_off_ll; 2839 return s; 2840 } 2841 2842 static struct slist * 2843 gen_radiotap_llprefixlen(void) 2844 { 2845 struct slist *s; 2846 2847 if (reg_off_ll == -1) { 2848 /* 2849 * We haven't yet assigned a register for the length 2850 * of the radiotap header; allocate one. 2851 */ 2852 reg_off_ll = alloc_reg(); 2853 } 2854 2855 /* 2856 * Load the register containing the radiotap length 2857 * into the X register. 2858 */ 2859 s = new_stmt(BPF_LDX|BPF_MEM); 2860 s->s.k = reg_off_ll; 2861 return s; 2862 } 2863 2864 /* 2865 * At the moment we treat PPI as normal Radiotap encoded 2866 * packets. The difference is in the function that generates 2867 * the code at the beginning to compute the header length. 2868 * Since this code generator of PPI supports bare 802.11 2869 * encapsulation only (i.e. the encapsulated DLT should be 2870 * DLT_IEEE802_11) we generate code to check for this too. 2871 */ 2872 static struct slist * 2873 gen_ppi_llprefixlen(void) 2874 { 2875 struct slist *s; 2876 2877 if (reg_off_ll == -1) { 2878 /* 2879 * We haven't yet assigned a register for the length 2880 * of the radiotap header; allocate one. 2881 */ 2882 reg_off_ll = alloc_reg(); 2883 } 2884 2885 /* 2886 * Load the register containing the PPI length 2887 * into the X register. 2888 */ 2889 s = new_stmt(BPF_LDX|BPF_MEM); 2890 s->s.k = reg_off_ll; 2891 return s; 2892 } 2893 2894 /* 2895 * Generate code to compute the link-layer header length, if necessary, 2896 * putting it into the X register, and to return either a pointer to a 2897 * "struct slist" for the list of statements in that code, or NULL if 2898 * no code is necessary. 2899 */ 2900 static struct slist * 2901 gen_llprefixlen(void) 2902 { 2903 switch (linktype) { 2904 2905 case DLT_PRISM_HEADER: 2906 return gen_prism_llprefixlen(); 2907 2908 case DLT_IEEE802_11_RADIO_AVS: 2909 return gen_avs_llprefixlen(); 2910 2911 case DLT_IEEE802_11_RADIO: 2912 return gen_radiotap_llprefixlen(); 2913 2914 case DLT_PPI: 2915 return gen_ppi_llprefixlen(); 2916 2917 default: 2918 return NULL; 2919 } 2920 } 2921 2922 /* 2923 * Generate code to load the register containing the offset of the 2924 * MAC-layer payload into the X register; if no register for that offset 2925 * has been allocated, allocate it first. 2926 */ 2927 static struct slist * 2928 gen_off_macpl(void) 2929 { 2930 struct slist *s; 2931 2932 if (off_macpl_is_variable) { 2933 if (reg_off_macpl == -1) { 2934 /* 2935 * We haven't yet assigned a register for the offset 2936 * of the MAC-layer payload; allocate one. 2937 */ 2938 reg_off_macpl = alloc_reg(); 2939 } 2940 2941 /* 2942 * Load the register containing the offset of the MAC-layer 2943 * payload into the X register. 2944 */ 2945 s = new_stmt(BPF_LDX|BPF_MEM); 2946 s->s.k = reg_off_macpl; 2947 return s; 2948 } else { 2949 /* 2950 * That offset isn't variable, so we don't need to 2951 * generate any code. 2952 */ 2953 return NULL; 2954 } 2955 } 2956 2957 /* 2958 * Map an Ethernet type to the equivalent PPP type. 2959 */ 2960 static int 2961 ethertype_to_ppptype(proto) 2962 int proto; 2963 { 2964 switch (proto) { 2965 2966 case ETHERTYPE_IP: 2967 proto = PPP_IP; 2968 break; 2969 2970 #ifdef INET6 2971 case ETHERTYPE_IPV6: 2972 proto = PPP_IPV6; 2973 break; 2974 #endif 2975 2976 case ETHERTYPE_DN: 2977 proto = PPP_DECNET; 2978 break; 2979 2980 case ETHERTYPE_ATALK: 2981 proto = PPP_APPLE; 2982 break; 2983 2984 case ETHERTYPE_NS: 2985 proto = PPP_NS; 2986 break; 2987 2988 case LLCSAP_ISONS: 2989 proto = PPP_OSI; 2990 break; 2991 2992 case LLCSAP_8021D: 2993 /* 2994 * I'm assuming the "Bridging PDU"s that go 2995 * over PPP are Spanning Tree Protocol 2996 * Bridging PDUs. 2997 */ 2998 proto = PPP_BRPDU; 2999 break; 3000 3001 case LLCSAP_IPX: 3002 proto = PPP_IPX; 3003 break; 3004 } 3005 return (proto); 3006 } 3007 3008 /* 3009 * Generate code to match a particular packet type by matching the 3010 * link-layer type field or fields in the 802.2 LLC header. 3011 * 3012 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3013 * value, if <= ETHERMTU. 3014 */ 3015 static struct block * 3016 gen_linktype(proto) 3017 register int proto; 3018 { 3019 struct block *b0, *b1, *b2; 3020 3021 /* are we checking MPLS-encapsulated packets? */ 3022 if (label_stack_depth > 0) { 3023 switch (proto) { 3024 case ETHERTYPE_IP: 3025 case PPP_IP: 3026 /* FIXME add other L3 proto IDs */ 3027 return gen_mpls_linktype(Q_IP); 3028 3029 case ETHERTYPE_IPV6: 3030 case PPP_IPV6: 3031 /* FIXME add other L3 proto IDs */ 3032 return gen_mpls_linktype(Q_IPV6); 3033 3034 default: 3035 bpf_error("unsupported protocol over mpls"); 3036 /* NOTREACHED */ 3037 } 3038 } 3039 3040 /* 3041 * Are we testing PPPoE packets? 3042 */ 3043 if (is_pppoes) { 3044 /* 3045 * The PPPoE session header is part of the 3046 * MAC-layer payload, so all references 3047 * should be relative to the beginning of 3048 * that payload. 3049 */ 3050 3051 /* 3052 * We use Ethernet protocol types inside libpcap; 3053 * map them to the corresponding PPP protocol types. 3054 */ 3055 proto = ethertype_to_ppptype(proto); 3056 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 3057 } 3058 3059 switch (linktype) { 3060 3061 case DLT_EN10MB: 3062 return gen_ether_linktype(proto); 3063 /*NOTREACHED*/ 3064 break; 3065 3066 case DLT_C_HDLC: 3067 switch (proto) { 3068 3069 case LLCSAP_ISONS: 3070 proto = (proto << 8 | LLCSAP_ISONS); 3071 /* fall through */ 3072 3073 default: 3074 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3075 (bpf_int32)proto); 3076 /*NOTREACHED*/ 3077 break; 3078 } 3079 break; 3080 3081 case DLT_IEEE802_11: 3082 case DLT_PRISM_HEADER: 3083 case DLT_IEEE802_11_RADIO_AVS: 3084 case DLT_IEEE802_11_RADIO: 3085 case DLT_PPI: 3086 /* 3087 * Check that we have a data frame. 3088 */ 3089 b0 = gen_check_802_11_data_frame(); 3090 3091 /* 3092 * Now check for the specified link-layer type. 3093 */ 3094 b1 = gen_llc_linktype(proto); 3095 gen_and(b0, b1); 3096 return b1; 3097 /*NOTREACHED*/ 3098 break; 3099 3100 case DLT_FDDI: 3101 /* 3102 * XXX - check for asynchronous frames, as per RFC 1103. 3103 */ 3104 return gen_llc_linktype(proto); 3105 /*NOTREACHED*/ 3106 break; 3107 3108 case DLT_IEEE802: 3109 /* 3110 * XXX - check for LLC PDUs, as per IEEE 802.5. 3111 */ 3112 return gen_llc_linktype(proto); 3113 /*NOTREACHED*/ 3114 break; 3115 3116 case DLT_ATM_RFC1483: 3117 case DLT_ATM_CLIP: 3118 case DLT_IP_OVER_FC: 3119 return gen_llc_linktype(proto); 3120 /*NOTREACHED*/ 3121 break; 3122 3123 case DLT_SUNATM: 3124 /* 3125 * If "is_lane" is set, check for a LANE-encapsulated 3126 * version of this protocol, otherwise check for an 3127 * LLC-encapsulated version of this protocol. 3128 * 3129 * We assume LANE means Ethernet, not Token Ring. 3130 */ 3131 if (is_lane) { 3132 /* 3133 * Check that the packet doesn't begin with an 3134 * LE Control marker. (We've already generated 3135 * a test for LANE.) 3136 */ 3137 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3138 0xFF00); 3139 gen_not(b0); 3140 3141 /* 3142 * Now generate an Ethernet test. 3143 */ 3144 b1 = gen_ether_linktype(proto); 3145 gen_and(b0, b1); 3146 return b1; 3147 } else { 3148 /* 3149 * Check for LLC encapsulation and then check the 3150 * protocol. 3151 */ 3152 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3153 b1 = gen_llc_linktype(proto); 3154 gen_and(b0, b1); 3155 return b1; 3156 } 3157 /*NOTREACHED*/ 3158 break; 3159 3160 case DLT_LINUX_SLL: 3161 return gen_linux_sll_linktype(proto); 3162 /*NOTREACHED*/ 3163 break; 3164 3165 case DLT_SLIP: 3166 case DLT_SLIP_BSDOS: 3167 case DLT_RAW: 3168 /* 3169 * These types don't provide any type field; packets 3170 * are always IPv4 or IPv6. 3171 * 3172 * XXX - for IPv4, check for a version number of 4, and, 3173 * for IPv6, check for a version number of 6? 3174 */ 3175 switch (proto) { 3176 3177 case ETHERTYPE_IP: 3178 /* Check for a version number of 4. */ 3179 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3180 #ifdef INET6 3181 case ETHERTYPE_IPV6: 3182 /* Check for a version number of 6. */ 3183 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3184 #endif 3185 3186 default: 3187 return gen_false(); /* always false */ 3188 } 3189 /*NOTREACHED*/ 3190 break; 3191 3192 case DLT_IPV4: 3193 /* 3194 * Raw IPv4, so no type field. 3195 */ 3196 if (proto == ETHERTYPE_IP) 3197 return gen_true(); /* always true */ 3198 3199 /* Checking for something other than IPv4; always false */ 3200 return gen_false(); 3201 /*NOTREACHED*/ 3202 break; 3203 3204 case DLT_IPV6: 3205 /* 3206 * Raw IPv6, so no type field. 3207 */ 3208 #ifdef INET6 3209 if (proto == ETHERTYPE_IPV6) 3210 return gen_true(); /* always true */ 3211 #endif 3212 3213 /* Checking for something other than IPv6; always false */ 3214 return gen_false(); 3215 /*NOTREACHED*/ 3216 break; 3217 3218 case DLT_PPP: 3219 case DLT_PPP_PPPD: 3220 case DLT_PPP_SERIAL: 3221 case DLT_PPP_ETHER: 3222 /* 3223 * We use Ethernet protocol types inside libpcap; 3224 * map them to the corresponding PPP protocol types. 3225 */ 3226 proto = ethertype_to_ppptype(proto); 3227 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3228 /*NOTREACHED*/ 3229 break; 3230 3231 case DLT_PPP_BSDOS: 3232 /* 3233 * We use Ethernet protocol types inside libpcap; 3234 * map them to the corresponding PPP protocol types. 3235 */ 3236 switch (proto) { 3237 3238 case ETHERTYPE_IP: 3239 /* 3240 * Also check for Van Jacobson-compressed IP. 3241 * XXX - do this for other forms of PPP? 3242 */ 3243 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3244 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3245 gen_or(b0, b1); 3246 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3247 gen_or(b1, b0); 3248 return b0; 3249 3250 default: 3251 proto = ethertype_to_ppptype(proto); 3252 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3253 (bpf_int32)proto); 3254 } 3255 /*NOTREACHED*/ 3256 break; 3257 3258 case DLT_NULL: 3259 case DLT_LOOP: 3260 case DLT_ENC: 3261 /* 3262 * For DLT_NULL, the link-layer header is a 32-bit 3263 * word containing an AF_ value in *host* byte order, 3264 * and for DLT_ENC, the link-layer header begins 3265 * with a 32-bit work containing an AF_ value in 3266 * host byte order. 3267 * 3268 * In addition, if we're reading a saved capture file, 3269 * the host byte order in the capture may not be the 3270 * same as the host byte order on this machine. 3271 * 3272 * For DLT_LOOP, the link-layer header is a 32-bit 3273 * word containing an AF_ value in *network* byte order. 3274 * 3275 * XXX - AF_ values may, unfortunately, be platform- 3276 * dependent; for example, FreeBSD's AF_INET6 is 24 3277 * whilst NetBSD's and OpenBSD's is 26. 3278 * 3279 * This means that, when reading a capture file, just 3280 * checking for our AF_INET6 value won't work if the 3281 * capture file came from another OS. 3282 */ 3283 switch (proto) { 3284 3285 case ETHERTYPE_IP: 3286 proto = AF_INET; 3287 break; 3288 3289 #ifdef INET6 3290 case ETHERTYPE_IPV6: 3291 proto = AF_INET6; 3292 break; 3293 #endif 3294 3295 default: 3296 /* 3297 * Not a type on which we support filtering. 3298 * XXX - support those that have AF_ values 3299 * #defined on this platform, at least? 3300 */ 3301 return gen_false(); 3302 } 3303 3304 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3305 /* 3306 * The AF_ value is in host byte order, but 3307 * the BPF interpreter will convert it to 3308 * network byte order. 3309 * 3310 * If this is a save file, and it's from a 3311 * machine with the opposite byte order to 3312 * ours, we byte-swap the AF_ value. 3313 * 3314 * Then we run it through "htonl()", and 3315 * generate code to compare against the result. 3316 */ 3317 if (bpf_pcap->sf.rfile != NULL && 3318 bpf_pcap->sf.swapped) 3319 proto = SWAPLONG(proto); 3320 proto = htonl(proto); 3321 } 3322 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3323 3324 #ifdef HAVE_NET_PFVAR_H 3325 case DLT_PFLOG: 3326 /* 3327 * af field is host byte order in contrast to the rest of 3328 * the packet. 3329 */ 3330 if (proto == ETHERTYPE_IP) 3331 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3332 BPF_B, (bpf_int32)AF_INET)); 3333 #ifdef INET6 3334 else if (proto == ETHERTYPE_IPV6) 3335 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3336 BPF_B, (bpf_int32)AF_INET6)); 3337 #endif /* INET6 */ 3338 else 3339 return gen_false(); 3340 /*NOTREACHED*/ 3341 break; 3342 #endif /* HAVE_NET_PFVAR_H */ 3343 3344 case DLT_ARCNET: 3345 case DLT_ARCNET_LINUX: 3346 /* 3347 * XXX should we check for first fragment if the protocol 3348 * uses PHDS? 3349 */ 3350 switch (proto) { 3351 3352 default: 3353 return gen_false(); 3354 3355 #ifdef INET6 3356 case ETHERTYPE_IPV6: 3357 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3358 (bpf_int32)ARCTYPE_INET6)); 3359 #endif /* INET6 */ 3360 3361 case ETHERTYPE_IP: 3362 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3363 (bpf_int32)ARCTYPE_IP); 3364 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3365 (bpf_int32)ARCTYPE_IP_OLD); 3366 gen_or(b0, b1); 3367 return (b1); 3368 3369 case ETHERTYPE_ARP: 3370 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3371 (bpf_int32)ARCTYPE_ARP); 3372 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3373 (bpf_int32)ARCTYPE_ARP_OLD); 3374 gen_or(b0, b1); 3375 return (b1); 3376 3377 case ETHERTYPE_REVARP: 3378 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3379 (bpf_int32)ARCTYPE_REVARP)); 3380 3381 case ETHERTYPE_ATALK: 3382 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3383 (bpf_int32)ARCTYPE_ATALK)); 3384 } 3385 /*NOTREACHED*/ 3386 break; 3387 3388 case DLT_LTALK: 3389 switch (proto) { 3390 case ETHERTYPE_ATALK: 3391 return gen_true(); 3392 default: 3393 return gen_false(); 3394 } 3395 /*NOTREACHED*/ 3396 break; 3397 3398 case DLT_FRELAY: 3399 /* 3400 * XXX - assumes a 2-byte Frame Relay header with 3401 * DLCI and flags. What if the address is longer? 3402 */ 3403 switch (proto) { 3404 3405 case ETHERTYPE_IP: 3406 /* 3407 * Check for the special NLPID for IP. 3408 */ 3409 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3410 3411 #ifdef INET6 3412 case ETHERTYPE_IPV6: 3413 /* 3414 * Check for the special NLPID for IPv6. 3415 */ 3416 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3417 #endif 3418 3419 case LLCSAP_ISONS: 3420 /* 3421 * Check for several OSI protocols. 3422 * 3423 * Frame Relay packets typically have an OSI 3424 * NLPID at the beginning; we check for each 3425 * of them. 3426 * 3427 * What we check for is the NLPID and a frame 3428 * control field of UI, i.e. 0x03 followed 3429 * by the NLPID. 3430 */ 3431 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3432 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3433 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3434 gen_or(b1, b2); 3435 gen_or(b0, b2); 3436 return b2; 3437 3438 default: 3439 return gen_false(); 3440 } 3441 /*NOTREACHED*/ 3442 break; 3443 3444 case DLT_MFR: 3445 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3446 3447 case DLT_JUNIPER_MFR: 3448 case DLT_JUNIPER_MLFR: 3449 case DLT_JUNIPER_MLPPP: 3450 case DLT_JUNIPER_ATM1: 3451 case DLT_JUNIPER_ATM2: 3452 case DLT_JUNIPER_PPPOE: 3453 case DLT_JUNIPER_PPPOE_ATM: 3454 case DLT_JUNIPER_GGSN: 3455 case DLT_JUNIPER_ES: 3456 case DLT_JUNIPER_MONITOR: 3457 case DLT_JUNIPER_SERVICES: 3458 case DLT_JUNIPER_ETHER: 3459 case DLT_JUNIPER_PPP: 3460 case DLT_JUNIPER_FRELAY: 3461 case DLT_JUNIPER_CHDLC: 3462 case DLT_JUNIPER_VP: 3463 case DLT_JUNIPER_ST: 3464 case DLT_JUNIPER_ISM: 3465 /* just lets verify the magic number for now - 3466 * on ATM we may have up to 6 different encapsulations on the wire 3467 * and need a lot of heuristics to figure out that the payload 3468 * might be; 3469 * 3470 * FIXME encapsulation specific BPF_ filters 3471 */ 3472 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3473 3474 case DLT_IPNET: 3475 return gen_ipnet_linktype(proto); 3476 3477 case DLT_LINUX_IRDA: 3478 bpf_error("IrDA link-layer type filtering not implemented"); 3479 3480 case DLT_DOCSIS: 3481 bpf_error("DOCSIS link-layer type filtering not implemented"); 3482 3483 case DLT_MTP2: 3484 case DLT_MTP2_WITH_PHDR: 3485 bpf_error("MTP2 link-layer type filtering not implemented"); 3486 3487 case DLT_ERF: 3488 bpf_error("ERF link-layer type filtering not implemented"); 3489 3490 #ifdef DLT_PFSYNC 3491 case DLT_PFSYNC: 3492 bpf_error("PFSYNC link-layer type filtering not implemented"); 3493 #endif 3494 3495 case DLT_LINUX_LAPD: 3496 bpf_error("LAPD link-layer type filtering not implemented"); 3497 3498 case DLT_USB: 3499 case DLT_USB_LINUX: 3500 case DLT_USB_LINUX_MMAPPED: 3501 bpf_error("USB link-layer type filtering not implemented"); 3502 3503 case DLT_BLUETOOTH_HCI_H4: 3504 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3505 bpf_error("Bluetooth link-layer type filtering not implemented"); 3506 3507 case DLT_CAN20B: 3508 case DLT_CAN_SOCKETCAN: 3509 bpf_error("CAN link-layer type filtering not implemented"); 3510 3511 case DLT_IEEE802_15_4: 3512 case DLT_IEEE802_15_4_LINUX: 3513 case DLT_IEEE802_15_4_NONASK_PHY: 3514 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3515 3516 case DLT_IEEE802_16_MAC_CPS_RADIO: 3517 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3518 3519 case DLT_SITA: 3520 bpf_error("SITA link-layer type filtering not implemented"); 3521 3522 case DLT_RAIF1: 3523 bpf_error("RAIF1 link-layer type filtering not implemented"); 3524 3525 case DLT_IPMB: 3526 bpf_error("IPMB link-layer type filtering not implemented"); 3527 3528 case DLT_AX25_KISS: 3529 bpf_error("AX.25 link-layer type filtering not implemented"); 3530 } 3531 3532 /* 3533 * All the types that have no encapsulation should either be 3534 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3535 * all packets are IP packets, or should be handled in some 3536 * special case, if none of them are (if some are and some 3537 * aren't, the lack of encapsulation is a problem, as we'd 3538 * have to find some other way of determining the packet type). 3539 * 3540 * Therefore, if "off_linktype" is -1, there's an error. 3541 */ 3542 if (off_linktype == (u_int)-1) 3543 abort(); 3544 3545 /* 3546 * Any type not handled above should always have an Ethernet 3547 * type at an offset of "off_linktype". 3548 */ 3549 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3550 } 3551 3552 /* 3553 * Check for an LLC SNAP packet with a given organization code and 3554 * protocol type; we check the entire contents of the 802.2 LLC and 3555 * snap headers, checking for DSAP and SSAP of SNAP and a control 3556 * field of 0x03 in the LLC header, and for the specified organization 3557 * code and protocol type in the SNAP header. 3558 */ 3559 static struct block * 3560 gen_snap(orgcode, ptype) 3561 bpf_u_int32 orgcode; 3562 bpf_u_int32 ptype; 3563 { 3564 u_char snapblock[8]; 3565 3566 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3567 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3568 snapblock[2] = 0x03; /* control = UI */ 3569 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3570 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3571 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3572 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3573 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3574 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3575 } 3576 3577 /* 3578 * Generate code to match a particular packet type, for link-layer types 3579 * using 802.2 LLC headers. 3580 * 3581 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3582 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3583 * 3584 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3585 * value, if <= ETHERMTU. We use that to determine whether to 3586 * match the DSAP or both DSAP and LSAP or to check the OUI and 3587 * protocol ID in a SNAP header. 3588 */ 3589 static struct block * 3590 gen_llc_linktype(proto) 3591 int proto; 3592 { 3593 /* 3594 * XXX - handle token-ring variable-length header. 3595 */ 3596 switch (proto) { 3597 3598 case LLCSAP_IP: 3599 case LLCSAP_ISONS: 3600 case LLCSAP_NETBEUI: 3601 /* 3602 * XXX - should we check both the DSAP and the 3603 * SSAP, like this, or should we check just the 3604 * DSAP, as we do for other types <= ETHERMTU 3605 * (i.e., other SAP values)? 3606 */ 3607 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3608 ((proto << 8) | proto)); 3609 3610 case LLCSAP_IPX: 3611 /* 3612 * XXX - are there ever SNAP frames for IPX on 3613 * non-Ethernet 802.x networks? 3614 */ 3615 return gen_cmp(OR_MACPL, 0, BPF_B, 3616 (bpf_int32)LLCSAP_IPX); 3617 3618 case ETHERTYPE_ATALK: 3619 /* 3620 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3621 * SNAP packets with an organization code of 3622 * 0x080007 (Apple, for Appletalk) and a protocol 3623 * type of ETHERTYPE_ATALK (Appletalk). 3624 * 3625 * XXX - check for an organization code of 3626 * encapsulated Ethernet as well? 3627 */ 3628 return gen_snap(0x080007, ETHERTYPE_ATALK); 3629 3630 default: 3631 /* 3632 * XXX - we don't have to check for IPX 802.3 3633 * here, but should we check for the IPX Ethertype? 3634 */ 3635 if (proto <= ETHERMTU) { 3636 /* 3637 * This is an LLC SAP value, so check 3638 * the DSAP. 3639 */ 3640 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3641 } else { 3642 /* 3643 * This is an Ethernet type; we assume that it's 3644 * unlikely that it'll appear in the right place 3645 * at random, and therefore check only the 3646 * location that would hold the Ethernet type 3647 * in a SNAP frame with an organization code of 3648 * 0x000000 (encapsulated Ethernet). 3649 * 3650 * XXX - if we were to check for the SNAP DSAP and 3651 * LSAP, as per XXX, and were also to check for an 3652 * organization code of 0x000000 (encapsulated 3653 * Ethernet), we'd do 3654 * 3655 * return gen_snap(0x000000, proto); 3656 * 3657 * here; for now, we don't, as per the above. 3658 * I don't know whether it's worth the extra CPU 3659 * time to do the right check or not. 3660 */ 3661 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3662 } 3663 } 3664 } 3665 3666 static struct block * 3667 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3668 bpf_u_int32 addr; 3669 bpf_u_int32 mask; 3670 int dir, proto; 3671 u_int src_off, dst_off; 3672 { 3673 struct block *b0, *b1; 3674 u_int offset; 3675 3676 switch (dir) { 3677 3678 case Q_SRC: 3679 offset = src_off; 3680 break; 3681 3682 case Q_DST: 3683 offset = dst_off; 3684 break; 3685 3686 case Q_AND: 3687 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3688 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3689 gen_and(b0, b1); 3690 return b1; 3691 3692 case Q_OR: 3693 case Q_DEFAULT: 3694 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3695 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3696 gen_or(b0, b1); 3697 return b1; 3698 3699 default: 3700 abort(); 3701 } 3702 b0 = gen_linktype(proto); 3703 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3704 gen_and(b0, b1); 3705 return b1; 3706 } 3707 3708 #ifdef INET6 3709 static struct block * 3710 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3711 struct in6_addr *addr; 3712 struct in6_addr *mask; 3713 int dir, proto; 3714 u_int src_off, dst_off; 3715 { 3716 struct block *b0, *b1; 3717 u_int offset; 3718 u_int32_t *a, *m; 3719 3720 switch (dir) { 3721 3722 case Q_SRC: 3723 offset = src_off; 3724 break; 3725 3726 case Q_DST: 3727 offset = dst_off; 3728 break; 3729 3730 case Q_AND: 3731 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3732 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3733 gen_and(b0, b1); 3734 return b1; 3735 3736 case Q_OR: 3737 case Q_DEFAULT: 3738 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3739 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3740 gen_or(b0, b1); 3741 return b1; 3742 3743 default: 3744 abort(); 3745 } 3746 /* this order is important */ 3747 a = (u_int32_t *)addr; 3748 m = (u_int32_t *)mask; 3749 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3750 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3751 gen_and(b0, b1); 3752 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3753 gen_and(b0, b1); 3754 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3755 gen_and(b0, b1); 3756 b0 = gen_linktype(proto); 3757 gen_and(b0, b1); 3758 return b1; 3759 } 3760 #endif /*INET6*/ 3761 3762 static struct block * 3763 gen_ehostop(eaddr, dir) 3764 register const u_char *eaddr; 3765 register int dir; 3766 { 3767 register struct block *b0, *b1; 3768 3769 switch (dir) { 3770 case Q_SRC: 3771 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3772 3773 case Q_DST: 3774 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3775 3776 case Q_AND: 3777 b0 = gen_ehostop(eaddr, Q_SRC); 3778 b1 = gen_ehostop(eaddr, Q_DST); 3779 gen_and(b0, b1); 3780 return b1; 3781 3782 case Q_DEFAULT: 3783 case Q_OR: 3784 b0 = gen_ehostop(eaddr, Q_SRC); 3785 b1 = gen_ehostop(eaddr, Q_DST); 3786 gen_or(b0, b1); 3787 return b1; 3788 } 3789 abort(); 3790 /* NOTREACHED */ 3791 } 3792 3793 /* 3794 * Like gen_ehostop, but for DLT_FDDI 3795 */ 3796 static struct block * 3797 gen_fhostop(eaddr, dir) 3798 register const u_char *eaddr; 3799 register int dir; 3800 { 3801 struct block *b0, *b1; 3802 3803 switch (dir) { 3804 case Q_SRC: 3805 #ifdef PCAP_FDDIPAD 3806 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3807 #else 3808 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3809 #endif 3810 3811 case Q_DST: 3812 #ifdef PCAP_FDDIPAD 3813 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3814 #else 3815 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3816 #endif 3817 3818 case Q_AND: 3819 b0 = gen_fhostop(eaddr, Q_SRC); 3820 b1 = gen_fhostop(eaddr, Q_DST); 3821 gen_and(b0, b1); 3822 return b1; 3823 3824 case Q_DEFAULT: 3825 case Q_OR: 3826 b0 = gen_fhostop(eaddr, Q_SRC); 3827 b1 = gen_fhostop(eaddr, Q_DST); 3828 gen_or(b0, b1); 3829 return b1; 3830 } 3831 abort(); 3832 /* NOTREACHED */ 3833 } 3834 3835 /* 3836 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3837 */ 3838 static struct block * 3839 gen_thostop(eaddr, dir) 3840 register const u_char *eaddr; 3841 register int dir; 3842 { 3843 register struct block *b0, *b1; 3844 3845 switch (dir) { 3846 case Q_SRC: 3847 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3848 3849 case Q_DST: 3850 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3851 3852 case Q_AND: 3853 b0 = gen_thostop(eaddr, Q_SRC); 3854 b1 = gen_thostop(eaddr, Q_DST); 3855 gen_and(b0, b1); 3856 return b1; 3857 3858 case Q_DEFAULT: 3859 case Q_OR: 3860 b0 = gen_thostop(eaddr, Q_SRC); 3861 b1 = gen_thostop(eaddr, Q_DST); 3862 gen_or(b0, b1); 3863 return b1; 3864 } 3865 abort(); 3866 /* NOTREACHED */ 3867 } 3868 3869 /* 3870 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3871 * various 802.11 + radio headers. 3872 */ 3873 static struct block * 3874 gen_wlanhostop(eaddr, dir) 3875 register const u_char *eaddr; 3876 register int dir; 3877 { 3878 register struct block *b0, *b1, *b2; 3879 register struct slist *s; 3880 3881 #ifdef ENABLE_WLAN_FILTERING_PATCH 3882 /* 3883 * TODO GV 20070613 3884 * We need to disable the optimizer because the optimizer is buggy 3885 * and wipes out some LD instructions generated by the below 3886 * code to validate the Frame Control bits 3887 */ 3888 no_optimize = 1; 3889 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3890 3891 switch (dir) { 3892 case Q_SRC: 3893 /* 3894 * Oh, yuk. 3895 * 3896 * For control frames, there is no SA. 3897 * 3898 * For management frames, SA is at an 3899 * offset of 10 from the beginning of 3900 * the packet. 3901 * 3902 * For data frames, SA is at an offset 3903 * of 10 from the beginning of the packet 3904 * if From DS is clear, at an offset of 3905 * 16 from the beginning of the packet 3906 * if From DS is set and To DS is clear, 3907 * and an offset of 24 from the beginning 3908 * of the packet if From DS is set and To DS 3909 * is set. 3910 */ 3911 3912 /* 3913 * Generate the tests to be done for data frames 3914 * with From DS set. 3915 * 3916 * First, check for To DS set, i.e. check "link[1] & 0x01". 3917 */ 3918 s = gen_load_a(OR_LINK, 1, BPF_B); 3919 b1 = new_block(JMP(BPF_JSET)); 3920 b1->s.k = 0x01; /* To DS */ 3921 b1->stmts = s; 3922 3923 /* 3924 * If To DS is set, the SA is at 24. 3925 */ 3926 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3927 gen_and(b1, b0); 3928 3929 /* 3930 * Now, check for To DS not set, i.e. check 3931 * "!(link[1] & 0x01)". 3932 */ 3933 s = gen_load_a(OR_LINK, 1, BPF_B); 3934 b2 = new_block(JMP(BPF_JSET)); 3935 b2->s.k = 0x01; /* To DS */ 3936 b2->stmts = s; 3937 gen_not(b2); 3938 3939 /* 3940 * If To DS is not set, the SA is at 16. 3941 */ 3942 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3943 gen_and(b2, b1); 3944 3945 /* 3946 * Now OR together the last two checks. That gives 3947 * the complete set of checks for data frames with 3948 * From DS set. 3949 */ 3950 gen_or(b1, b0); 3951 3952 /* 3953 * Now check for From DS being set, and AND that with 3954 * the ORed-together checks. 3955 */ 3956 s = gen_load_a(OR_LINK, 1, BPF_B); 3957 b1 = new_block(JMP(BPF_JSET)); 3958 b1->s.k = 0x02; /* From DS */ 3959 b1->stmts = s; 3960 gen_and(b1, b0); 3961 3962 /* 3963 * Now check for data frames with From DS not set. 3964 */ 3965 s = gen_load_a(OR_LINK, 1, BPF_B); 3966 b2 = new_block(JMP(BPF_JSET)); 3967 b2->s.k = 0x02; /* From DS */ 3968 b2->stmts = s; 3969 gen_not(b2); 3970 3971 /* 3972 * If From DS isn't set, the SA is at 10. 3973 */ 3974 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3975 gen_and(b2, b1); 3976 3977 /* 3978 * Now OR together the checks for data frames with 3979 * From DS not set and for data frames with From DS 3980 * set; that gives the checks done for data frames. 3981 */ 3982 gen_or(b1, b0); 3983 3984 /* 3985 * Now check for a data frame. 3986 * I.e, check "link[0] & 0x08". 3987 */ 3988 s = gen_load_a(OR_LINK, 0, BPF_B); 3989 b1 = new_block(JMP(BPF_JSET)); 3990 b1->s.k = 0x08; 3991 b1->stmts = s; 3992 3993 /* 3994 * AND that with the checks done for data frames. 3995 */ 3996 gen_and(b1, b0); 3997 3998 /* 3999 * If the high-order bit of the type value is 0, this 4000 * is a management frame. 4001 * I.e, check "!(link[0] & 0x08)". 4002 */ 4003 s = gen_load_a(OR_LINK, 0, BPF_B); 4004 b2 = new_block(JMP(BPF_JSET)); 4005 b2->s.k = 0x08; 4006 b2->stmts = s; 4007 gen_not(b2); 4008 4009 /* 4010 * For management frames, the SA is at 10. 4011 */ 4012 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4013 gen_and(b2, b1); 4014 4015 /* 4016 * OR that with the checks done for data frames. 4017 * That gives the checks done for management and 4018 * data frames. 4019 */ 4020 gen_or(b1, b0); 4021 4022 /* 4023 * If the low-order bit of the type value is 1, 4024 * this is either a control frame or a frame 4025 * with a reserved type, and thus not a 4026 * frame with an SA. 4027 * 4028 * I.e., check "!(link[0] & 0x04)". 4029 */ 4030 s = gen_load_a(OR_LINK, 0, BPF_B); 4031 b1 = new_block(JMP(BPF_JSET)); 4032 b1->s.k = 0x04; 4033 b1->stmts = s; 4034 gen_not(b1); 4035 4036 /* 4037 * AND that with the checks for data and management 4038 * frames. 4039 */ 4040 gen_and(b1, b0); 4041 return b0; 4042 4043 case Q_DST: 4044 /* 4045 * Oh, yuk. 4046 * 4047 * For control frames, there is no DA. 4048 * 4049 * For management frames, DA is at an 4050 * offset of 4 from the beginning of 4051 * the packet. 4052 * 4053 * For data frames, DA is at an offset 4054 * of 4 from the beginning of the packet 4055 * if To DS is clear and at an offset of 4056 * 16 from the beginning of the packet 4057 * if To DS is set. 4058 */ 4059 4060 /* 4061 * Generate the tests to be done for data frames. 4062 * 4063 * First, check for To DS set, i.e. "link[1] & 0x01". 4064 */ 4065 s = gen_load_a(OR_LINK, 1, BPF_B); 4066 b1 = new_block(JMP(BPF_JSET)); 4067 b1->s.k = 0x01; /* To DS */ 4068 b1->stmts = s; 4069 4070 /* 4071 * If To DS is set, the DA is at 16. 4072 */ 4073 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4074 gen_and(b1, b0); 4075 4076 /* 4077 * Now, check for To DS not set, i.e. check 4078 * "!(link[1] & 0x01)". 4079 */ 4080 s = gen_load_a(OR_LINK, 1, BPF_B); 4081 b2 = new_block(JMP(BPF_JSET)); 4082 b2->s.k = 0x01; /* To DS */ 4083 b2->stmts = s; 4084 gen_not(b2); 4085 4086 /* 4087 * If To DS is not set, the DA is at 4. 4088 */ 4089 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4090 gen_and(b2, b1); 4091 4092 /* 4093 * Now OR together the last two checks. That gives 4094 * the complete set of checks for data frames. 4095 */ 4096 gen_or(b1, b0); 4097 4098 /* 4099 * Now check for a data frame. 4100 * I.e, check "link[0] & 0x08". 4101 */ 4102 s = gen_load_a(OR_LINK, 0, BPF_B); 4103 b1 = new_block(JMP(BPF_JSET)); 4104 b1->s.k = 0x08; 4105 b1->stmts = s; 4106 4107 /* 4108 * AND that with the checks done for data frames. 4109 */ 4110 gen_and(b1, b0); 4111 4112 /* 4113 * If the high-order bit of the type value is 0, this 4114 * is a management frame. 4115 * I.e, check "!(link[0] & 0x08)". 4116 */ 4117 s = gen_load_a(OR_LINK, 0, BPF_B); 4118 b2 = new_block(JMP(BPF_JSET)); 4119 b2->s.k = 0x08; 4120 b2->stmts = s; 4121 gen_not(b2); 4122 4123 /* 4124 * For management frames, the DA is at 4. 4125 */ 4126 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4127 gen_and(b2, b1); 4128 4129 /* 4130 * OR that with the checks done for data frames. 4131 * That gives the checks done for management and 4132 * data frames. 4133 */ 4134 gen_or(b1, b0); 4135 4136 /* 4137 * If the low-order bit of the type value is 1, 4138 * this is either a control frame or a frame 4139 * with a reserved type, and thus not a 4140 * frame with an SA. 4141 * 4142 * I.e., check "!(link[0] & 0x04)". 4143 */ 4144 s = gen_load_a(OR_LINK, 0, BPF_B); 4145 b1 = new_block(JMP(BPF_JSET)); 4146 b1->s.k = 0x04; 4147 b1->stmts = s; 4148 gen_not(b1); 4149 4150 /* 4151 * AND that with the checks for data and management 4152 * frames. 4153 */ 4154 gen_and(b1, b0); 4155 return b0; 4156 4157 /* 4158 * XXX - add RA, TA, and BSSID keywords? 4159 */ 4160 case Q_ADDR1: 4161 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4162 4163 case Q_ADDR2: 4164 /* 4165 * Not present in CTS or ACK control frames. 4166 */ 4167 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4168 IEEE80211_FC0_TYPE_MASK); 4169 gen_not(b0); 4170 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4171 IEEE80211_FC0_SUBTYPE_MASK); 4172 gen_not(b1); 4173 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4174 IEEE80211_FC0_SUBTYPE_MASK); 4175 gen_not(b2); 4176 gen_and(b1, b2); 4177 gen_or(b0, b2); 4178 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4179 gen_and(b2, b1); 4180 return b1; 4181 4182 case Q_ADDR3: 4183 /* 4184 * Not present in control frames. 4185 */ 4186 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4187 IEEE80211_FC0_TYPE_MASK); 4188 gen_not(b0); 4189 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4190 gen_and(b0, b1); 4191 return b1; 4192 4193 case Q_ADDR4: 4194 /* 4195 * Present only if the direction mask has both "From DS" 4196 * and "To DS" set. Neither control frames nor management 4197 * frames should have both of those set, so we don't 4198 * check the frame type. 4199 */ 4200 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4201 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4202 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4203 gen_and(b0, b1); 4204 return b1; 4205 4206 case Q_AND: 4207 b0 = gen_wlanhostop(eaddr, Q_SRC); 4208 b1 = gen_wlanhostop(eaddr, Q_DST); 4209 gen_and(b0, b1); 4210 return b1; 4211 4212 case Q_DEFAULT: 4213 case Q_OR: 4214 b0 = gen_wlanhostop(eaddr, Q_SRC); 4215 b1 = gen_wlanhostop(eaddr, Q_DST); 4216 gen_or(b0, b1); 4217 return b1; 4218 } 4219 abort(); 4220 /* NOTREACHED */ 4221 } 4222 4223 /* 4224 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4225 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4226 * as the RFC states.) 4227 */ 4228 static struct block * 4229 gen_ipfchostop(eaddr, dir) 4230 register const u_char *eaddr; 4231 register int dir; 4232 { 4233 register struct block *b0, *b1; 4234 4235 switch (dir) { 4236 case Q_SRC: 4237 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4238 4239 case Q_DST: 4240 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4241 4242 case Q_AND: 4243 b0 = gen_ipfchostop(eaddr, Q_SRC); 4244 b1 = gen_ipfchostop(eaddr, Q_DST); 4245 gen_and(b0, b1); 4246 return b1; 4247 4248 case Q_DEFAULT: 4249 case Q_OR: 4250 b0 = gen_ipfchostop(eaddr, Q_SRC); 4251 b1 = gen_ipfchostop(eaddr, Q_DST); 4252 gen_or(b0, b1); 4253 return b1; 4254 } 4255 abort(); 4256 /* NOTREACHED */ 4257 } 4258 4259 /* 4260 * This is quite tricky because there may be pad bytes in front of the 4261 * DECNET header, and then there are two possible data packet formats that 4262 * carry both src and dst addresses, plus 5 packet types in a format that 4263 * carries only the src node, plus 2 types that use a different format and 4264 * also carry just the src node. 4265 * 4266 * Yuck. 4267 * 4268 * Instead of doing those all right, we just look for data packets with 4269 * 0 or 1 bytes of padding. If you want to look at other packets, that 4270 * will require a lot more hacking. 4271 * 4272 * To add support for filtering on DECNET "areas" (network numbers) 4273 * one would want to add a "mask" argument to this routine. That would 4274 * make the filter even more inefficient, although one could be clever 4275 * and not generate masking instructions if the mask is 0xFFFF. 4276 */ 4277 static struct block * 4278 gen_dnhostop(addr, dir) 4279 bpf_u_int32 addr; 4280 int dir; 4281 { 4282 struct block *b0, *b1, *b2, *tmp; 4283 u_int offset_lh; /* offset if long header is received */ 4284 u_int offset_sh; /* offset if short header is received */ 4285 4286 switch (dir) { 4287 4288 case Q_DST: 4289 offset_sh = 1; /* follows flags */ 4290 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4291 break; 4292 4293 case Q_SRC: 4294 offset_sh = 3; /* follows flags, dstnode */ 4295 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4296 break; 4297 4298 case Q_AND: 4299 /* Inefficient because we do our Calvinball dance twice */ 4300 b0 = gen_dnhostop(addr, Q_SRC); 4301 b1 = gen_dnhostop(addr, Q_DST); 4302 gen_and(b0, b1); 4303 return b1; 4304 4305 case Q_OR: 4306 case Q_DEFAULT: 4307 /* Inefficient because we do our Calvinball dance twice */ 4308 b0 = gen_dnhostop(addr, Q_SRC); 4309 b1 = gen_dnhostop(addr, Q_DST); 4310 gen_or(b0, b1); 4311 return b1; 4312 4313 case Q_ISO: 4314 bpf_error("ISO host filtering not implemented"); 4315 4316 default: 4317 abort(); 4318 } 4319 b0 = gen_linktype(ETHERTYPE_DN); 4320 /* Check for pad = 1, long header case */ 4321 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4322 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4323 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4324 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4325 gen_and(tmp, b1); 4326 /* Check for pad = 0, long header case */ 4327 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4328 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4329 gen_and(tmp, b2); 4330 gen_or(b2, b1); 4331 /* Check for pad = 1, short header case */ 4332 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4333 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4334 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4335 gen_and(tmp, b2); 4336 gen_or(b2, b1); 4337 /* Check for pad = 0, short header case */ 4338 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4339 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4340 gen_and(tmp, b2); 4341 gen_or(b2, b1); 4342 4343 /* Combine with test for linktype */ 4344 gen_and(b0, b1); 4345 return b1; 4346 } 4347 4348 /* 4349 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4350 * test the bottom-of-stack bit, and then check the version number 4351 * field in the IP header. 4352 */ 4353 static struct block * 4354 gen_mpls_linktype(proto) 4355 int proto; 4356 { 4357 struct block *b0, *b1; 4358 4359 switch (proto) { 4360 4361 case Q_IP: 4362 /* match the bottom-of-stack bit */ 4363 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4364 /* match the IPv4 version number */ 4365 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4366 gen_and(b0, b1); 4367 return b1; 4368 4369 case Q_IPV6: 4370 /* match the bottom-of-stack bit */ 4371 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4372 /* match the IPv4 version number */ 4373 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4374 gen_and(b0, b1); 4375 return b1; 4376 4377 default: 4378 abort(); 4379 } 4380 } 4381 4382 static struct block * 4383 gen_host(addr, mask, proto, dir, type) 4384 bpf_u_int32 addr; 4385 bpf_u_int32 mask; 4386 int proto; 4387 int dir; 4388 int type; 4389 { 4390 struct block *b0, *b1; 4391 const char *typestr; 4392 4393 if (type == Q_NET) 4394 typestr = "net"; 4395 else 4396 typestr = "host"; 4397 4398 switch (proto) { 4399 4400 case Q_DEFAULT: 4401 b0 = gen_host(addr, mask, Q_IP, dir, type); 4402 /* 4403 * Only check for non-IPv4 addresses if we're not 4404 * checking MPLS-encapsulated packets. 4405 */ 4406 if (label_stack_depth == 0) { 4407 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4408 gen_or(b0, b1); 4409 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4410 gen_or(b1, b0); 4411 } 4412 return b0; 4413 4414 case Q_IP: 4415 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4416 4417 case Q_RARP: 4418 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4419 4420 case Q_ARP: 4421 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4422 4423 case Q_TCP: 4424 bpf_error("'tcp' modifier applied to %s", typestr); 4425 4426 case Q_SCTP: 4427 bpf_error("'sctp' modifier applied to %s", typestr); 4428 4429 case Q_UDP: 4430 bpf_error("'udp' modifier applied to %s", typestr); 4431 4432 case Q_ICMP: 4433 bpf_error("'icmp' modifier applied to %s", typestr); 4434 4435 case Q_IGMP: 4436 bpf_error("'igmp' modifier applied to %s", typestr); 4437 4438 case Q_IGRP: 4439 bpf_error("'igrp' modifier applied to %s", typestr); 4440 4441 case Q_PIM: 4442 bpf_error("'pim' modifier applied to %s", typestr); 4443 4444 case Q_VRRP: 4445 bpf_error("'vrrp' modifier applied to %s", typestr); 4446 4447 case Q_ATALK: 4448 bpf_error("ATALK host filtering not implemented"); 4449 4450 case Q_AARP: 4451 bpf_error("AARP host filtering not implemented"); 4452 4453 case Q_DECNET: 4454 return gen_dnhostop(addr, dir); 4455 4456 case Q_SCA: 4457 bpf_error("SCA host filtering not implemented"); 4458 4459 case Q_LAT: 4460 bpf_error("LAT host filtering not implemented"); 4461 4462 case Q_MOPDL: 4463 bpf_error("MOPDL host filtering not implemented"); 4464 4465 case Q_MOPRC: 4466 bpf_error("MOPRC host filtering not implemented"); 4467 4468 #ifdef INET6 4469 case Q_IPV6: 4470 bpf_error("'ip6' modifier applied to ip host"); 4471 4472 case Q_ICMPV6: 4473 bpf_error("'icmp6' modifier applied to %s", typestr); 4474 #endif /* INET6 */ 4475 4476 case Q_AH: 4477 bpf_error("'ah' modifier applied to %s", typestr); 4478 4479 case Q_ESP: 4480 bpf_error("'esp' modifier applied to %s", typestr); 4481 4482 case Q_ISO: 4483 bpf_error("ISO host filtering not implemented"); 4484 4485 case Q_ESIS: 4486 bpf_error("'esis' modifier applied to %s", typestr); 4487 4488 case Q_ISIS: 4489 bpf_error("'isis' modifier applied to %s", typestr); 4490 4491 case Q_CLNP: 4492 bpf_error("'clnp' modifier applied to %s", typestr); 4493 4494 case Q_STP: 4495 bpf_error("'stp' modifier applied to %s", typestr); 4496 4497 case Q_IPX: 4498 bpf_error("IPX host filtering not implemented"); 4499 4500 case Q_NETBEUI: 4501 bpf_error("'netbeui' modifier applied to %s", typestr); 4502 4503 case Q_RADIO: 4504 bpf_error("'radio' modifier applied to %s", typestr); 4505 4506 default: 4507 abort(); 4508 } 4509 /* NOTREACHED */ 4510 } 4511 4512 #ifdef INET6 4513 static struct block * 4514 gen_host6(addr, mask, proto, dir, type) 4515 struct in6_addr *addr; 4516 struct in6_addr *mask; 4517 int proto; 4518 int dir; 4519 int type; 4520 { 4521 const char *typestr; 4522 4523 if (type == Q_NET) 4524 typestr = "net"; 4525 else 4526 typestr = "host"; 4527 4528 switch (proto) { 4529 4530 case Q_DEFAULT: 4531 return gen_host6(addr, mask, Q_IPV6, dir, type); 4532 4533 case Q_IP: 4534 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4535 4536 case Q_RARP: 4537 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4538 4539 case Q_ARP: 4540 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4541 4542 case Q_SCTP: 4543 bpf_error("'sctp' modifier applied to %s", typestr); 4544 4545 case Q_TCP: 4546 bpf_error("'tcp' modifier applied to %s", typestr); 4547 4548 case Q_UDP: 4549 bpf_error("'udp' modifier applied to %s", typestr); 4550 4551 case Q_ICMP: 4552 bpf_error("'icmp' modifier applied to %s", typestr); 4553 4554 case Q_IGMP: 4555 bpf_error("'igmp' modifier applied to %s", typestr); 4556 4557 case Q_IGRP: 4558 bpf_error("'igrp' modifier applied to %s", typestr); 4559 4560 case Q_PIM: 4561 bpf_error("'pim' modifier applied to %s", typestr); 4562 4563 case Q_VRRP: 4564 bpf_error("'vrrp' modifier applied to %s", typestr); 4565 4566 case Q_ATALK: 4567 bpf_error("ATALK host filtering not implemented"); 4568 4569 case Q_AARP: 4570 bpf_error("AARP host filtering not implemented"); 4571 4572 case Q_DECNET: 4573 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4574 4575 case Q_SCA: 4576 bpf_error("SCA host filtering not implemented"); 4577 4578 case Q_LAT: 4579 bpf_error("LAT host filtering not implemented"); 4580 4581 case Q_MOPDL: 4582 bpf_error("MOPDL host filtering not implemented"); 4583 4584 case Q_MOPRC: 4585 bpf_error("MOPRC host filtering not implemented"); 4586 4587 case Q_IPV6: 4588 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4589 4590 case Q_ICMPV6: 4591 bpf_error("'icmp6' modifier applied to %s", typestr); 4592 4593 case Q_AH: 4594 bpf_error("'ah' modifier applied to %s", typestr); 4595 4596 case Q_ESP: 4597 bpf_error("'esp' modifier applied to %s", typestr); 4598 4599 case Q_ISO: 4600 bpf_error("ISO host filtering not implemented"); 4601 4602 case Q_ESIS: 4603 bpf_error("'esis' modifier applied to %s", typestr); 4604 4605 case Q_ISIS: 4606 bpf_error("'isis' modifier applied to %s", typestr); 4607 4608 case Q_CLNP: 4609 bpf_error("'clnp' modifier applied to %s", typestr); 4610 4611 case Q_STP: 4612 bpf_error("'stp' modifier applied to %s", typestr); 4613 4614 case Q_IPX: 4615 bpf_error("IPX host filtering not implemented"); 4616 4617 case Q_NETBEUI: 4618 bpf_error("'netbeui' modifier applied to %s", typestr); 4619 4620 case Q_RADIO: 4621 bpf_error("'radio' modifier applied to %s", typestr); 4622 4623 default: 4624 abort(); 4625 } 4626 /* NOTREACHED */ 4627 } 4628 #endif /*INET6*/ 4629 4630 #ifndef INET6 4631 static struct block * 4632 gen_gateway(eaddr, alist, proto, dir) 4633 const u_char *eaddr; 4634 bpf_u_int32 **alist; 4635 int proto; 4636 int dir; 4637 { 4638 struct block *b0, *b1, *tmp; 4639 4640 if (dir != 0) 4641 bpf_error("direction applied to 'gateway'"); 4642 4643 switch (proto) { 4644 case Q_DEFAULT: 4645 case Q_IP: 4646 case Q_ARP: 4647 case Q_RARP: 4648 switch (linktype) { 4649 case DLT_EN10MB: 4650 b0 = gen_ehostop(eaddr, Q_OR); 4651 break; 4652 case DLT_FDDI: 4653 b0 = gen_fhostop(eaddr, Q_OR); 4654 break; 4655 case DLT_IEEE802: 4656 b0 = gen_thostop(eaddr, Q_OR); 4657 break; 4658 case DLT_IEEE802_11: 4659 case DLT_PRISM_HEADER: 4660 case DLT_IEEE802_11_RADIO_AVS: 4661 case DLT_IEEE802_11_RADIO: 4662 case DLT_PPI: 4663 b0 = gen_wlanhostop(eaddr, Q_OR); 4664 break; 4665 case DLT_SUNATM: 4666 if (!is_lane) 4667 bpf_error( 4668 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4669 /* 4670 * Check that the packet doesn't begin with an 4671 * LE Control marker. (We've already generated 4672 * a test for LANE.) 4673 */ 4674 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4675 BPF_H, 0xFF00); 4676 gen_not(b1); 4677 4678 /* 4679 * Now check the MAC address. 4680 */ 4681 b0 = gen_ehostop(eaddr, Q_OR); 4682 gen_and(b1, b0); 4683 break; 4684 case DLT_IP_OVER_FC: 4685 b0 = gen_ipfchostop(eaddr, Q_OR); 4686 break; 4687 default: 4688 bpf_error( 4689 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4690 } 4691 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4692 while (*alist) { 4693 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4694 Q_HOST); 4695 gen_or(b1, tmp); 4696 b1 = tmp; 4697 } 4698 gen_not(b1); 4699 gen_and(b0, b1); 4700 return b1; 4701 } 4702 bpf_error("illegal modifier of 'gateway'"); 4703 /* NOTREACHED */ 4704 } 4705 #endif 4706 4707 struct block * 4708 gen_proto_abbrev(proto) 4709 int proto; 4710 { 4711 struct block *b0; 4712 struct block *b1; 4713 4714 switch (proto) { 4715 4716 case Q_SCTP: 4717 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4718 #ifdef INET6 4719 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4720 gen_or(b0, b1); 4721 #endif 4722 break; 4723 4724 case Q_TCP: 4725 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4726 #ifdef INET6 4727 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4728 gen_or(b0, b1); 4729 #endif 4730 break; 4731 4732 case Q_UDP: 4733 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4734 #ifdef INET6 4735 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4736 gen_or(b0, b1); 4737 #endif 4738 break; 4739 4740 case Q_ICMP: 4741 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4742 break; 4743 4744 #ifndef IPPROTO_IGMP 4745 #define IPPROTO_IGMP 2 4746 #endif 4747 4748 case Q_IGMP: 4749 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4750 break; 4751 4752 #ifndef IPPROTO_IGRP 4753 #define IPPROTO_IGRP 9 4754 #endif 4755 case Q_IGRP: 4756 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4757 break; 4758 4759 #ifndef IPPROTO_PIM 4760 #define IPPROTO_PIM 103 4761 #endif 4762 4763 case Q_PIM: 4764 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4765 #ifdef INET6 4766 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4767 gen_or(b0, b1); 4768 #endif 4769 break; 4770 4771 #ifndef IPPROTO_VRRP 4772 #define IPPROTO_VRRP 112 4773 #endif 4774 4775 case Q_VRRP: 4776 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4777 break; 4778 4779 case Q_IP: 4780 b1 = gen_linktype(ETHERTYPE_IP); 4781 break; 4782 4783 case Q_ARP: 4784 b1 = gen_linktype(ETHERTYPE_ARP); 4785 break; 4786 4787 case Q_RARP: 4788 b1 = gen_linktype(ETHERTYPE_REVARP); 4789 break; 4790 4791 case Q_LINK: 4792 bpf_error("link layer applied in wrong context"); 4793 4794 case Q_ATALK: 4795 b1 = gen_linktype(ETHERTYPE_ATALK); 4796 break; 4797 4798 case Q_AARP: 4799 b1 = gen_linktype(ETHERTYPE_AARP); 4800 break; 4801 4802 case Q_DECNET: 4803 b1 = gen_linktype(ETHERTYPE_DN); 4804 break; 4805 4806 case Q_SCA: 4807 b1 = gen_linktype(ETHERTYPE_SCA); 4808 break; 4809 4810 case Q_LAT: 4811 b1 = gen_linktype(ETHERTYPE_LAT); 4812 break; 4813 4814 case Q_MOPDL: 4815 b1 = gen_linktype(ETHERTYPE_MOPDL); 4816 break; 4817 4818 case Q_MOPRC: 4819 b1 = gen_linktype(ETHERTYPE_MOPRC); 4820 break; 4821 4822 #ifdef INET6 4823 case Q_IPV6: 4824 b1 = gen_linktype(ETHERTYPE_IPV6); 4825 break; 4826 4827 #ifndef IPPROTO_ICMPV6 4828 #define IPPROTO_ICMPV6 58 4829 #endif 4830 case Q_ICMPV6: 4831 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4832 break; 4833 #endif /* INET6 */ 4834 4835 #ifndef IPPROTO_AH 4836 #define IPPROTO_AH 51 4837 #endif 4838 case Q_AH: 4839 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4840 #ifdef INET6 4841 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4842 gen_or(b0, b1); 4843 #endif 4844 break; 4845 4846 #ifndef IPPROTO_ESP 4847 #define IPPROTO_ESP 50 4848 #endif 4849 case Q_ESP: 4850 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4851 #ifdef INET6 4852 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4853 gen_or(b0, b1); 4854 #endif 4855 break; 4856 4857 case Q_ISO: 4858 b1 = gen_linktype(LLCSAP_ISONS); 4859 break; 4860 4861 case Q_ESIS: 4862 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4863 break; 4864 4865 case Q_ISIS: 4866 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4867 break; 4868 4869 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4870 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4871 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4872 gen_or(b0, b1); 4873 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4874 gen_or(b0, b1); 4875 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4876 gen_or(b0, b1); 4877 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4878 gen_or(b0, b1); 4879 break; 4880 4881 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4882 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4883 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4884 gen_or(b0, b1); 4885 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4886 gen_or(b0, b1); 4887 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4888 gen_or(b0, b1); 4889 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4890 gen_or(b0, b1); 4891 break; 4892 4893 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4894 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4895 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4896 gen_or(b0, b1); 4897 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4898 gen_or(b0, b1); 4899 break; 4900 4901 case Q_ISIS_LSP: 4902 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4903 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4904 gen_or(b0, b1); 4905 break; 4906 4907 case Q_ISIS_SNP: 4908 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4909 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4910 gen_or(b0, b1); 4911 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4912 gen_or(b0, b1); 4913 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4914 gen_or(b0, b1); 4915 break; 4916 4917 case Q_ISIS_CSNP: 4918 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4919 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4920 gen_or(b0, b1); 4921 break; 4922 4923 case Q_ISIS_PSNP: 4924 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4925 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4926 gen_or(b0, b1); 4927 break; 4928 4929 case Q_CLNP: 4930 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4931 break; 4932 4933 case Q_STP: 4934 b1 = gen_linktype(LLCSAP_8021D); 4935 break; 4936 4937 case Q_IPX: 4938 b1 = gen_linktype(LLCSAP_IPX); 4939 break; 4940 4941 case Q_NETBEUI: 4942 b1 = gen_linktype(LLCSAP_NETBEUI); 4943 break; 4944 4945 case Q_RADIO: 4946 bpf_error("'radio' is not a valid protocol type"); 4947 4948 default: 4949 abort(); 4950 } 4951 return b1; 4952 } 4953 4954 static struct block * 4955 gen_ipfrag() 4956 { 4957 struct slist *s; 4958 struct block *b; 4959 4960 /* not ip frag */ 4961 s = gen_load_a(OR_NET, 6, BPF_H); 4962 b = new_block(JMP(BPF_JSET)); 4963 b->s.k = 0x1fff; 4964 b->stmts = s; 4965 gen_not(b); 4966 4967 return b; 4968 } 4969 4970 /* 4971 * Generate a comparison to a port value in the transport-layer header 4972 * at the specified offset from the beginning of that header. 4973 * 4974 * XXX - this handles a variable-length prefix preceding the link-layer 4975 * header, such as the radiotap or AVS radio prefix, but doesn't handle 4976 * variable-length link-layer headers (such as Token Ring or 802.11 4977 * headers). 4978 */ 4979 static struct block * 4980 gen_portatom(off, v) 4981 int off; 4982 bpf_int32 v; 4983 { 4984 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 4985 } 4986 4987 #ifdef INET6 4988 static struct block * 4989 gen_portatom6(off, v) 4990 int off; 4991 bpf_int32 v; 4992 { 4993 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 4994 } 4995 #endif/*INET6*/ 4996 4997 struct block * 4998 gen_portop(port, proto, dir) 4999 int port, proto, dir; 5000 { 5001 struct block *b0, *b1, *tmp; 5002 5003 /* ip proto 'proto' */ 5004 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5005 b0 = gen_ipfrag(); 5006 gen_and(tmp, b0); 5007 5008 switch (dir) { 5009 case Q_SRC: 5010 b1 = gen_portatom(0, (bpf_int32)port); 5011 break; 5012 5013 case Q_DST: 5014 b1 = gen_portatom(2, (bpf_int32)port); 5015 break; 5016 5017 case Q_OR: 5018 case Q_DEFAULT: 5019 tmp = gen_portatom(0, (bpf_int32)port); 5020 b1 = gen_portatom(2, (bpf_int32)port); 5021 gen_or(tmp, b1); 5022 break; 5023 5024 case Q_AND: 5025 tmp = gen_portatom(0, (bpf_int32)port); 5026 b1 = gen_portatom(2, (bpf_int32)port); 5027 gen_and(tmp, b1); 5028 break; 5029 5030 default: 5031 abort(); 5032 } 5033 gen_and(b0, b1); 5034 5035 return b1; 5036 } 5037 5038 static struct block * 5039 gen_port(port, ip_proto, dir) 5040 int port; 5041 int ip_proto; 5042 int dir; 5043 { 5044 struct block *b0, *b1, *tmp; 5045 5046 /* 5047 * ether proto ip 5048 * 5049 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5050 * not LLC encapsulation with LLCSAP_IP. 5051 * 5052 * For IEEE 802 networks - which includes 802.5 token ring 5053 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5054 * says that SNAP encapsulation is used, not LLC encapsulation 5055 * with LLCSAP_IP. 5056 * 5057 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5058 * RFC 2225 say that SNAP encapsulation is used, not LLC 5059 * encapsulation with LLCSAP_IP. 5060 * 5061 * So we always check for ETHERTYPE_IP. 5062 */ 5063 b0 = gen_linktype(ETHERTYPE_IP); 5064 5065 switch (ip_proto) { 5066 case IPPROTO_UDP: 5067 case IPPROTO_TCP: 5068 case IPPROTO_SCTP: 5069 b1 = gen_portop(port, ip_proto, dir); 5070 break; 5071 5072 case PROTO_UNDEF: 5073 tmp = gen_portop(port, IPPROTO_TCP, dir); 5074 b1 = gen_portop(port, IPPROTO_UDP, dir); 5075 gen_or(tmp, b1); 5076 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5077 gen_or(tmp, b1); 5078 break; 5079 5080 default: 5081 abort(); 5082 } 5083 gen_and(b0, b1); 5084 return b1; 5085 } 5086 5087 #ifdef INET6 5088 struct block * 5089 gen_portop6(port, proto, dir) 5090 int port, proto, dir; 5091 { 5092 struct block *b0, *b1, *tmp; 5093 5094 /* ip6 proto 'proto' */ 5095 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5096 5097 switch (dir) { 5098 case Q_SRC: 5099 b1 = gen_portatom6(0, (bpf_int32)port); 5100 break; 5101 5102 case Q_DST: 5103 b1 = gen_portatom6(2, (bpf_int32)port); 5104 break; 5105 5106 case Q_OR: 5107 case Q_DEFAULT: 5108 tmp = gen_portatom6(0, (bpf_int32)port); 5109 b1 = gen_portatom6(2, (bpf_int32)port); 5110 gen_or(tmp, b1); 5111 break; 5112 5113 case Q_AND: 5114 tmp = gen_portatom6(0, (bpf_int32)port); 5115 b1 = gen_portatom6(2, (bpf_int32)port); 5116 gen_and(tmp, b1); 5117 break; 5118 5119 default: 5120 abort(); 5121 } 5122 gen_and(b0, b1); 5123 5124 return b1; 5125 } 5126 5127 static struct block * 5128 gen_port6(port, ip_proto, dir) 5129 int port; 5130 int ip_proto; 5131 int dir; 5132 { 5133 struct block *b0, *b1, *tmp; 5134 5135 /* link proto ip6 */ 5136 b0 = gen_linktype(ETHERTYPE_IPV6); 5137 5138 switch (ip_proto) { 5139 case IPPROTO_UDP: 5140 case IPPROTO_TCP: 5141 case IPPROTO_SCTP: 5142 b1 = gen_portop6(port, ip_proto, dir); 5143 break; 5144 5145 case PROTO_UNDEF: 5146 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5147 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5148 gen_or(tmp, b1); 5149 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5150 gen_or(tmp, b1); 5151 break; 5152 5153 default: 5154 abort(); 5155 } 5156 gen_and(b0, b1); 5157 return b1; 5158 } 5159 #endif /* INET6 */ 5160 5161 /* gen_portrange code */ 5162 static struct block * 5163 gen_portrangeatom(off, v1, v2) 5164 int off; 5165 bpf_int32 v1, v2; 5166 { 5167 struct block *b1, *b2; 5168 5169 if (v1 > v2) { 5170 /* 5171 * Reverse the order of the ports, so v1 is the lower one. 5172 */ 5173 bpf_int32 vtemp; 5174 5175 vtemp = v1; 5176 v1 = v2; 5177 v2 = vtemp; 5178 } 5179 5180 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5181 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5182 5183 gen_and(b1, b2); 5184 5185 return b2; 5186 } 5187 5188 struct block * 5189 gen_portrangeop(port1, port2, proto, dir) 5190 int port1, port2; 5191 int proto; 5192 int dir; 5193 { 5194 struct block *b0, *b1, *tmp; 5195 5196 /* ip proto 'proto' */ 5197 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5198 b0 = gen_ipfrag(); 5199 gen_and(tmp, b0); 5200 5201 switch (dir) { 5202 case Q_SRC: 5203 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5204 break; 5205 5206 case Q_DST: 5207 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5208 break; 5209 5210 case Q_OR: 5211 case Q_DEFAULT: 5212 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5213 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5214 gen_or(tmp, b1); 5215 break; 5216 5217 case Q_AND: 5218 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5219 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5220 gen_and(tmp, b1); 5221 break; 5222 5223 default: 5224 abort(); 5225 } 5226 gen_and(b0, b1); 5227 5228 return b1; 5229 } 5230 5231 static struct block * 5232 gen_portrange(port1, port2, ip_proto, dir) 5233 int port1, port2; 5234 int ip_proto; 5235 int dir; 5236 { 5237 struct block *b0, *b1, *tmp; 5238 5239 /* link proto ip */ 5240 b0 = gen_linktype(ETHERTYPE_IP); 5241 5242 switch (ip_proto) { 5243 case IPPROTO_UDP: 5244 case IPPROTO_TCP: 5245 case IPPROTO_SCTP: 5246 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5247 break; 5248 5249 case PROTO_UNDEF: 5250 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5251 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5252 gen_or(tmp, b1); 5253 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5254 gen_or(tmp, b1); 5255 break; 5256 5257 default: 5258 abort(); 5259 } 5260 gen_and(b0, b1); 5261 return b1; 5262 } 5263 5264 #ifdef INET6 5265 static struct block * 5266 gen_portrangeatom6(off, v1, v2) 5267 int off; 5268 bpf_int32 v1, v2; 5269 { 5270 struct block *b1, *b2; 5271 5272 if (v1 > v2) { 5273 /* 5274 * Reverse the order of the ports, so v1 is the lower one. 5275 */ 5276 bpf_int32 vtemp; 5277 5278 vtemp = v1; 5279 v1 = v2; 5280 v2 = vtemp; 5281 } 5282 5283 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5284 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5285 5286 gen_and(b1, b2); 5287 5288 return b2; 5289 } 5290 5291 struct block * 5292 gen_portrangeop6(port1, port2, proto, dir) 5293 int port1, port2; 5294 int proto; 5295 int dir; 5296 { 5297 struct block *b0, *b1, *tmp; 5298 5299 /* ip6 proto 'proto' */ 5300 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5301 5302 switch (dir) { 5303 case Q_SRC: 5304 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5305 break; 5306 5307 case Q_DST: 5308 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5309 break; 5310 5311 case Q_OR: 5312 case Q_DEFAULT: 5313 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5314 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5315 gen_or(tmp, b1); 5316 break; 5317 5318 case Q_AND: 5319 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5320 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5321 gen_and(tmp, b1); 5322 break; 5323 5324 default: 5325 abort(); 5326 } 5327 gen_and(b0, b1); 5328 5329 return b1; 5330 } 5331 5332 static struct block * 5333 gen_portrange6(port1, port2, ip_proto, dir) 5334 int port1, port2; 5335 int ip_proto; 5336 int dir; 5337 { 5338 struct block *b0, *b1, *tmp; 5339 5340 /* link proto ip6 */ 5341 b0 = gen_linktype(ETHERTYPE_IPV6); 5342 5343 switch (ip_proto) { 5344 case IPPROTO_UDP: 5345 case IPPROTO_TCP: 5346 case IPPROTO_SCTP: 5347 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5348 break; 5349 5350 case PROTO_UNDEF: 5351 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5352 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5353 gen_or(tmp, b1); 5354 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5355 gen_or(tmp, b1); 5356 break; 5357 5358 default: 5359 abort(); 5360 } 5361 gen_and(b0, b1); 5362 return b1; 5363 } 5364 #endif /* INET6 */ 5365 5366 static int 5367 lookup_proto(name, proto) 5368 register const char *name; 5369 register int proto; 5370 { 5371 register int v; 5372 5373 switch (proto) { 5374 5375 case Q_DEFAULT: 5376 case Q_IP: 5377 case Q_IPV6: 5378 v = pcap_nametoproto(name); 5379 if (v == PROTO_UNDEF) 5380 bpf_error("unknown ip proto '%s'", name); 5381 break; 5382 5383 case Q_LINK: 5384 /* XXX should look up h/w protocol type based on linktype */ 5385 v = pcap_nametoeproto(name); 5386 if (v == PROTO_UNDEF) { 5387 v = pcap_nametollc(name); 5388 if (v == PROTO_UNDEF) 5389 bpf_error("unknown ether proto '%s'", name); 5390 } 5391 break; 5392 5393 case Q_ISO: 5394 if (strcmp(name, "esis") == 0) 5395 v = ISO9542_ESIS; 5396 else if (strcmp(name, "isis") == 0) 5397 v = ISO10589_ISIS; 5398 else if (strcmp(name, "clnp") == 0) 5399 v = ISO8473_CLNP; 5400 else 5401 bpf_error("unknown osi proto '%s'", name); 5402 break; 5403 5404 default: 5405 v = PROTO_UNDEF; 5406 break; 5407 } 5408 return v; 5409 } 5410 5411 #if 0 5412 struct stmt * 5413 gen_joinsp(s, n) 5414 struct stmt **s; 5415 int n; 5416 { 5417 return NULL; 5418 } 5419 #endif 5420 5421 static struct block * 5422 gen_protochain(v, proto, dir) 5423 int v; 5424 int proto; 5425 int dir; 5426 { 5427 #ifdef NO_PROTOCHAIN 5428 return gen_proto(v, proto, dir); 5429 #else 5430 struct block *b0, *b; 5431 struct slist *s[100]; 5432 int fix2, fix3, fix4, fix5; 5433 int ahcheck, again, end; 5434 int i, max; 5435 int reg2 = alloc_reg(); 5436 5437 memset(s, 0, sizeof(s)); 5438 fix2 = fix3 = fix4 = fix5 = 0; 5439 5440 switch (proto) { 5441 case Q_IP: 5442 case Q_IPV6: 5443 break; 5444 case Q_DEFAULT: 5445 b0 = gen_protochain(v, Q_IP, dir); 5446 b = gen_protochain(v, Q_IPV6, dir); 5447 gen_or(b0, b); 5448 return b; 5449 default: 5450 bpf_error("bad protocol applied for 'protochain'"); 5451 /*NOTREACHED*/ 5452 } 5453 5454 /* 5455 * We don't handle variable-length prefixes before the link-layer 5456 * header, or variable-length link-layer headers, here yet. 5457 * We might want to add BPF instructions to do the protochain 5458 * work, to simplify that and, on platforms that have a BPF 5459 * interpreter with the new instructions, let the filtering 5460 * be done in the kernel. (We already require a modified BPF 5461 * engine to do the protochain stuff, to support backward 5462 * branches, and backward branch support is unlikely to appear 5463 * in kernel BPF engines.) 5464 */ 5465 switch (linktype) { 5466 5467 case DLT_IEEE802_11: 5468 case DLT_PRISM_HEADER: 5469 case DLT_IEEE802_11_RADIO_AVS: 5470 case DLT_IEEE802_11_RADIO: 5471 case DLT_PPI: 5472 bpf_error("'protochain' not supported with 802.11"); 5473 } 5474 5475 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5476 5477 /* 5478 * s[0] is a dummy entry to protect other BPF insn from damage 5479 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5480 * hard to find interdependency made by jump table fixup. 5481 */ 5482 i = 0; 5483 s[i] = new_stmt(0); /*dummy*/ 5484 i++; 5485 5486 switch (proto) { 5487 case Q_IP: 5488 b0 = gen_linktype(ETHERTYPE_IP); 5489 5490 /* A = ip->ip_p */ 5491 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5492 s[i]->s.k = off_macpl + off_nl + 9; 5493 i++; 5494 /* X = ip->ip_hl << 2 */ 5495 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5496 s[i]->s.k = off_macpl + off_nl; 5497 i++; 5498 break; 5499 #ifdef INET6 5500 case Q_IPV6: 5501 b0 = gen_linktype(ETHERTYPE_IPV6); 5502 5503 /* A = ip6->ip_nxt */ 5504 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5505 s[i]->s.k = off_macpl + off_nl + 6; 5506 i++; 5507 /* X = sizeof(struct ip6_hdr) */ 5508 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5509 s[i]->s.k = 40; 5510 i++; 5511 break; 5512 #endif 5513 default: 5514 bpf_error("unsupported proto to gen_protochain"); 5515 /*NOTREACHED*/ 5516 } 5517 5518 /* again: if (A == v) goto end; else fall through; */ 5519 again = i; 5520 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5521 s[i]->s.k = v; 5522 s[i]->s.jt = NULL; /*later*/ 5523 s[i]->s.jf = NULL; /*update in next stmt*/ 5524 fix5 = i; 5525 i++; 5526 5527 #ifndef IPPROTO_NONE 5528 #define IPPROTO_NONE 59 5529 #endif 5530 /* if (A == IPPROTO_NONE) goto end */ 5531 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5532 s[i]->s.jt = NULL; /*later*/ 5533 s[i]->s.jf = NULL; /*update in next stmt*/ 5534 s[i]->s.k = IPPROTO_NONE; 5535 s[fix5]->s.jf = s[i]; 5536 fix2 = i; 5537 i++; 5538 5539 #ifdef INET6 5540 if (proto == Q_IPV6) { 5541 int v6start, v6end, v6advance, j; 5542 5543 v6start = i; 5544 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5545 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5546 s[i]->s.jt = NULL; /*later*/ 5547 s[i]->s.jf = NULL; /*update in next stmt*/ 5548 s[i]->s.k = IPPROTO_HOPOPTS; 5549 s[fix2]->s.jf = s[i]; 5550 i++; 5551 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5552 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5553 s[i]->s.jt = NULL; /*later*/ 5554 s[i]->s.jf = NULL; /*update in next stmt*/ 5555 s[i]->s.k = IPPROTO_DSTOPTS; 5556 i++; 5557 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5558 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5559 s[i]->s.jt = NULL; /*later*/ 5560 s[i]->s.jf = NULL; /*update in next stmt*/ 5561 s[i]->s.k = IPPROTO_ROUTING; 5562 i++; 5563 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5564 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5565 s[i]->s.jt = NULL; /*later*/ 5566 s[i]->s.jf = NULL; /*later*/ 5567 s[i]->s.k = IPPROTO_FRAGMENT; 5568 fix3 = i; 5569 v6end = i; 5570 i++; 5571 5572 /* v6advance: */ 5573 v6advance = i; 5574 5575 /* 5576 * in short, 5577 * A = P[X]; 5578 * X = X + (P[X + 1] + 1) * 8; 5579 */ 5580 /* A = X */ 5581 s[i] = new_stmt(BPF_MISC|BPF_TXA); 5582 i++; 5583 /* A = P[X + packet head] */ 5584 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5585 s[i]->s.k = off_macpl + off_nl; 5586 i++; 5587 /* MEM[reg2] = A */ 5588 s[i] = new_stmt(BPF_ST); 5589 s[i]->s.k = reg2; 5590 i++; 5591 /* A = X */ 5592 s[i] = new_stmt(BPF_MISC|BPF_TXA); 5593 i++; 5594 /* A += 1 */ 5595 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5596 s[i]->s.k = 1; 5597 i++; 5598 /* X = A */ 5599 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5600 i++; 5601 /* A = P[X + packet head]; */ 5602 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5603 s[i]->s.k = off_macpl + off_nl; 5604 i++; 5605 /* A += 1 */ 5606 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5607 s[i]->s.k = 1; 5608 i++; 5609 /* A *= 8 */ 5610 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5611 s[i]->s.k = 8; 5612 i++; 5613 /* X = A; */ 5614 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5615 i++; 5616 /* A = MEM[reg2] */ 5617 s[i] = new_stmt(BPF_LD|BPF_MEM); 5618 s[i]->s.k = reg2; 5619 i++; 5620 5621 /* goto again; (must use BPF_JA for backward jump) */ 5622 s[i] = new_stmt(BPF_JMP|BPF_JA); 5623 s[i]->s.k = again - i - 1; 5624 s[i - 1]->s.jf = s[i]; 5625 i++; 5626 5627 /* fixup */ 5628 for (j = v6start; j <= v6end; j++) 5629 s[j]->s.jt = s[v6advance]; 5630 } else 5631 #endif 5632 { 5633 /* nop */ 5634 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5635 s[i]->s.k = 0; 5636 s[fix2]->s.jf = s[i]; 5637 i++; 5638 } 5639 5640 /* ahcheck: */ 5641 ahcheck = i; 5642 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5643 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5644 s[i]->s.jt = NULL; /*later*/ 5645 s[i]->s.jf = NULL; /*later*/ 5646 s[i]->s.k = IPPROTO_AH; 5647 if (fix3) 5648 s[fix3]->s.jf = s[ahcheck]; 5649 fix4 = i; 5650 i++; 5651 5652 /* 5653 * in short, 5654 * A = P[X]; 5655 * X = X + (P[X + 1] + 2) * 4; 5656 */ 5657 /* A = X */ 5658 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5659 i++; 5660 /* A = P[X + packet head]; */ 5661 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5662 s[i]->s.k = off_macpl + off_nl; 5663 i++; 5664 /* MEM[reg2] = A */ 5665 s[i] = new_stmt(BPF_ST); 5666 s[i]->s.k = reg2; 5667 i++; 5668 /* A = X */ 5669 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5670 i++; 5671 /* A += 1 */ 5672 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5673 s[i]->s.k = 1; 5674 i++; 5675 /* X = A */ 5676 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5677 i++; 5678 /* A = P[X + packet head] */ 5679 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5680 s[i]->s.k = off_macpl + off_nl; 5681 i++; 5682 /* A += 2 */ 5683 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5684 s[i]->s.k = 2; 5685 i++; 5686 /* A *= 4 */ 5687 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5688 s[i]->s.k = 4; 5689 i++; 5690 /* X = A; */ 5691 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5692 i++; 5693 /* A = MEM[reg2] */ 5694 s[i] = new_stmt(BPF_LD|BPF_MEM); 5695 s[i]->s.k = reg2; 5696 i++; 5697 5698 /* goto again; (must use BPF_JA for backward jump) */ 5699 s[i] = new_stmt(BPF_JMP|BPF_JA); 5700 s[i]->s.k = again - i - 1; 5701 i++; 5702 5703 /* end: nop */ 5704 end = i; 5705 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5706 s[i]->s.k = 0; 5707 s[fix2]->s.jt = s[end]; 5708 s[fix4]->s.jf = s[end]; 5709 s[fix5]->s.jt = s[end]; 5710 i++; 5711 5712 /* 5713 * make slist chain 5714 */ 5715 max = i; 5716 for (i = 0; i < max - 1; i++) 5717 s[i]->next = s[i + 1]; 5718 s[max - 1]->next = NULL; 5719 5720 /* 5721 * emit final check 5722 */ 5723 b = new_block(JMP(BPF_JEQ)); 5724 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5725 b->s.k = v; 5726 5727 free_reg(reg2); 5728 5729 gen_and(b0, b); 5730 return b; 5731 #endif 5732 } 5733 5734 static struct block * 5735 gen_check_802_11_data_frame() 5736 { 5737 struct slist *s; 5738 struct block *b0, *b1; 5739 5740 /* 5741 * A data frame has the 0x08 bit (b3) in the frame control field set 5742 * and the 0x04 bit (b2) clear. 5743 */ 5744 s = gen_load_a(OR_LINK, 0, BPF_B); 5745 b0 = new_block(JMP(BPF_JSET)); 5746 b0->s.k = 0x08; 5747 b0->stmts = s; 5748 5749 s = gen_load_a(OR_LINK, 0, BPF_B); 5750 b1 = new_block(JMP(BPF_JSET)); 5751 b1->s.k = 0x04; 5752 b1->stmts = s; 5753 gen_not(b1); 5754 5755 gen_and(b1, b0); 5756 5757 return b0; 5758 } 5759 5760 /* 5761 * Generate code that checks whether the packet is a packet for protocol 5762 * <proto> and whether the type field in that protocol's header has 5763 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5764 * IP packet and checks the protocol number in the IP header against <v>. 5765 * 5766 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5767 * against Q_IP and Q_IPV6. 5768 */ 5769 static struct block * 5770 gen_proto(v, proto, dir) 5771 int v; 5772 int proto; 5773 int dir; 5774 { 5775 struct block *b0, *b1; 5776 5777 if (dir != Q_DEFAULT) 5778 bpf_error("direction applied to 'proto'"); 5779 5780 switch (proto) { 5781 case Q_DEFAULT: 5782 #ifdef INET6 5783 b0 = gen_proto(v, Q_IP, dir); 5784 b1 = gen_proto(v, Q_IPV6, dir); 5785 gen_or(b0, b1); 5786 return b1; 5787 #else 5788 /*FALLTHROUGH*/ 5789 #endif 5790 case Q_IP: 5791 /* 5792 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5793 * not LLC encapsulation with LLCSAP_IP. 5794 * 5795 * For IEEE 802 networks - which includes 802.5 token ring 5796 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5797 * says that SNAP encapsulation is used, not LLC encapsulation 5798 * with LLCSAP_IP. 5799 * 5800 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5801 * RFC 2225 say that SNAP encapsulation is used, not LLC 5802 * encapsulation with LLCSAP_IP. 5803 * 5804 * So we always check for ETHERTYPE_IP. 5805 */ 5806 b0 = gen_linktype(ETHERTYPE_IP); 5807 #ifndef CHASE_CHAIN 5808 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5809 #else 5810 b1 = gen_protochain(v, Q_IP); 5811 #endif 5812 gen_and(b0, b1); 5813 return b1; 5814 5815 case Q_ISO: 5816 switch (linktype) { 5817 5818 case DLT_FRELAY: 5819 /* 5820 * Frame Relay packets typically have an OSI 5821 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5822 * generates code to check for all the OSI 5823 * NLPIDs, so calling it and then adding a check 5824 * for the particular NLPID for which we're 5825 * looking is bogus, as we can just check for 5826 * the NLPID. 5827 * 5828 * What we check for is the NLPID and a frame 5829 * control field value of UI, i.e. 0x03 followed 5830 * by the NLPID. 5831 * 5832 * XXX - assumes a 2-byte Frame Relay header with 5833 * DLCI and flags. What if the address is longer? 5834 * 5835 * XXX - what about SNAP-encapsulated frames? 5836 */ 5837 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5838 /*NOTREACHED*/ 5839 break; 5840 5841 case DLT_C_HDLC: 5842 /* 5843 * Cisco uses an Ethertype lookalike - for OSI, 5844 * it's 0xfefe. 5845 */ 5846 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5847 /* OSI in C-HDLC is stuffed with a fudge byte */ 5848 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5849 gen_and(b0, b1); 5850 return b1; 5851 5852 default: 5853 b0 = gen_linktype(LLCSAP_ISONS); 5854 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5855 gen_and(b0, b1); 5856 return b1; 5857 } 5858 5859 case Q_ISIS: 5860 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5861 /* 5862 * 4 is the offset of the PDU type relative to the IS-IS 5863 * header. 5864 */ 5865 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5866 gen_and(b0, b1); 5867 return b1; 5868 5869 case Q_ARP: 5870 bpf_error("arp does not encapsulate another protocol"); 5871 /* NOTREACHED */ 5872 5873 case Q_RARP: 5874 bpf_error("rarp does not encapsulate another protocol"); 5875 /* NOTREACHED */ 5876 5877 case Q_ATALK: 5878 bpf_error("atalk encapsulation is not specifiable"); 5879 /* NOTREACHED */ 5880 5881 case Q_DECNET: 5882 bpf_error("decnet encapsulation is not specifiable"); 5883 /* NOTREACHED */ 5884 5885 case Q_SCA: 5886 bpf_error("sca does not encapsulate another protocol"); 5887 /* NOTREACHED */ 5888 5889 case Q_LAT: 5890 bpf_error("lat does not encapsulate another protocol"); 5891 /* NOTREACHED */ 5892 5893 case Q_MOPRC: 5894 bpf_error("moprc does not encapsulate another protocol"); 5895 /* NOTREACHED */ 5896 5897 case Q_MOPDL: 5898 bpf_error("mopdl does not encapsulate another protocol"); 5899 /* NOTREACHED */ 5900 5901 case Q_LINK: 5902 return gen_linktype(v); 5903 5904 case Q_UDP: 5905 bpf_error("'udp proto' is bogus"); 5906 /* NOTREACHED */ 5907 5908 case Q_TCP: 5909 bpf_error("'tcp proto' is bogus"); 5910 /* NOTREACHED */ 5911 5912 case Q_SCTP: 5913 bpf_error("'sctp proto' is bogus"); 5914 /* NOTREACHED */ 5915 5916 case Q_ICMP: 5917 bpf_error("'icmp proto' is bogus"); 5918 /* NOTREACHED */ 5919 5920 case Q_IGMP: 5921 bpf_error("'igmp proto' is bogus"); 5922 /* NOTREACHED */ 5923 5924 case Q_IGRP: 5925 bpf_error("'igrp proto' is bogus"); 5926 /* NOTREACHED */ 5927 5928 case Q_PIM: 5929 bpf_error("'pim proto' is bogus"); 5930 /* NOTREACHED */ 5931 5932 case Q_VRRP: 5933 bpf_error("'vrrp proto' is bogus"); 5934 /* NOTREACHED */ 5935 5936 #ifdef INET6 5937 case Q_IPV6: 5938 b0 = gen_linktype(ETHERTYPE_IPV6); 5939 #ifndef CHASE_CHAIN 5940 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 5941 #else 5942 b1 = gen_protochain(v, Q_IPV6); 5943 #endif 5944 gen_and(b0, b1); 5945 return b1; 5946 5947 case Q_ICMPV6: 5948 bpf_error("'icmp6 proto' is bogus"); 5949 #endif /* INET6 */ 5950 5951 case Q_AH: 5952 bpf_error("'ah proto' is bogus"); 5953 5954 case Q_ESP: 5955 bpf_error("'ah proto' is bogus"); 5956 5957 case Q_STP: 5958 bpf_error("'stp proto' is bogus"); 5959 5960 case Q_IPX: 5961 bpf_error("'ipx proto' is bogus"); 5962 5963 case Q_NETBEUI: 5964 bpf_error("'netbeui proto' is bogus"); 5965 5966 case Q_RADIO: 5967 bpf_error("'radio proto' is bogus"); 5968 5969 default: 5970 abort(); 5971 /* NOTREACHED */ 5972 } 5973 /* NOTREACHED */ 5974 } 5975 5976 struct block * 5977 gen_scode(name, q) 5978 register const char *name; 5979 struct qual q; 5980 { 5981 int proto = q.proto; 5982 int dir = q.dir; 5983 int tproto; 5984 u_char *eaddr; 5985 bpf_u_int32 mask, addr; 5986 #ifndef INET6 5987 bpf_u_int32 **alist; 5988 #else 5989 int tproto6; 5990 struct sockaddr_in *sin4; 5991 struct sockaddr_in6 *sin6; 5992 struct addrinfo *res, *res0; 5993 struct in6_addr mask128; 5994 #endif /*INET6*/ 5995 struct block *b, *tmp; 5996 int port, real_proto; 5997 int port1, port2; 5998 5999 switch (q.addr) { 6000 6001 case Q_NET: 6002 addr = pcap_nametonetaddr(name); 6003 if (addr == 0) 6004 bpf_error("unknown network '%s'", name); 6005 /* Left justify network addr and calculate its network mask */ 6006 mask = 0xffffffff; 6007 while (addr && (addr & 0xff000000) == 0) { 6008 addr <<= 8; 6009 mask <<= 8; 6010 } 6011 return gen_host(addr, mask, proto, dir, q.addr); 6012 6013 case Q_DEFAULT: 6014 case Q_HOST: 6015 if (proto == Q_LINK) { 6016 switch (linktype) { 6017 6018 case DLT_EN10MB: 6019 eaddr = pcap_ether_hostton(name); 6020 if (eaddr == NULL) 6021 bpf_error( 6022 "unknown ether host '%s'", name); 6023 b = gen_ehostop(eaddr, dir); 6024 free(eaddr); 6025 return b; 6026 6027 case DLT_FDDI: 6028 eaddr = pcap_ether_hostton(name); 6029 if (eaddr == NULL) 6030 bpf_error( 6031 "unknown FDDI host '%s'", name); 6032 b = gen_fhostop(eaddr, dir); 6033 free(eaddr); 6034 return b; 6035 6036 case DLT_IEEE802: 6037 eaddr = pcap_ether_hostton(name); 6038 if (eaddr == NULL) 6039 bpf_error( 6040 "unknown token ring host '%s'", name); 6041 b = gen_thostop(eaddr, dir); 6042 free(eaddr); 6043 return b; 6044 6045 case DLT_IEEE802_11: 6046 case DLT_PRISM_HEADER: 6047 case DLT_IEEE802_11_RADIO_AVS: 6048 case DLT_IEEE802_11_RADIO: 6049 case DLT_PPI: 6050 eaddr = pcap_ether_hostton(name); 6051 if (eaddr == NULL) 6052 bpf_error( 6053 "unknown 802.11 host '%s'", name); 6054 b = gen_wlanhostop(eaddr, dir); 6055 free(eaddr); 6056 return b; 6057 6058 case DLT_IP_OVER_FC: 6059 eaddr = pcap_ether_hostton(name); 6060 if (eaddr == NULL) 6061 bpf_error( 6062 "unknown Fibre Channel host '%s'", name); 6063 b = gen_ipfchostop(eaddr, dir); 6064 free(eaddr); 6065 return b; 6066 6067 case DLT_SUNATM: 6068 if (!is_lane) 6069 break; 6070 6071 /* 6072 * Check that the packet doesn't begin 6073 * with an LE Control marker. (We've 6074 * already generated a test for LANE.) 6075 */ 6076 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6077 BPF_H, 0xFF00); 6078 gen_not(tmp); 6079 6080 eaddr = pcap_ether_hostton(name); 6081 if (eaddr == NULL) 6082 bpf_error( 6083 "unknown ether host '%s'", name); 6084 b = gen_ehostop(eaddr, dir); 6085 gen_and(tmp, b); 6086 free(eaddr); 6087 return b; 6088 } 6089 6090 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6091 } else if (proto == Q_DECNET) { 6092 unsigned short dn_addr = __pcap_nametodnaddr(name); 6093 /* 6094 * I don't think DECNET hosts can be multihomed, so 6095 * there is no need to build up a list of addresses 6096 */ 6097 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6098 } else { 6099 #ifndef INET6 6100 alist = pcap_nametoaddr(name); 6101 if (alist == NULL || *alist == NULL) 6102 bpf_error("unknown host '%s'", name); 6103 tproto = proto; 6104 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6105 tproto = Q_IP; 6106 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6107 while (*alist) { 6108 tmp = gen_host(**alist++, 0xffffffff, 6109 tproto, dir, q.addr); 6110 gen_or(b, tmp); 6111 b = tmp; 6112 } 6113 return b; 6114 #else 6115 memset(&mask128, 0xff, sizeof(mask128)); 6116 res0 = res = pcap_nametoaddrinfo(name); 6117 if (res == NULL) 6118 bpf_error("unknown host '%s'", name); 6119 ai = res; 6120 b = tmp = NULL; 6121 tproto = tproto6 = proto; 6122 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) { 6123 tproto = Q_IP; 6124 tproto6 = Q_IPV6; 6125 } 6126 for (res = res0; res; res = res->ai_next) { 6127 switch (res->ai_family) { 6128 case AF_INET: 6129 if (tproto == Q_IPV6) 6130 continue; 6131 6132 sin4 = (struct sockaddr_in *) 6133 res->ai_addr; 6134 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6135 0xffffffff, tproto, dir, q.addr); 6136 break; 6137 case AF_INET6: 6138 if (tproto6 == Q_IP) 6139 continue; 6140 6141 sin6 = (struct sockaddr_in6 *) 6142 res->ai_addr; 6143 tmp = gen_host6(&sin6->sin6_addr, 6144 &mask128, tproto6, dir, q.addr); 6145 break; 6146 default: 6147 continue; 6148 } 6149 if (b) 6150 gen_or(b, tmp); 6151 b = tmp; 6152 } 6153 ai = NULL; 6154 freeaddrinfo(res0); 6155 if (b == NULL) { 6156 bpf_error("unknown host '%s'%s", name, 6157 (proto == Q_DEFAULT) 6158 ? "" 6159 : " for specified address family"); 6160 } 6161 return b; 6162 #endif /*INET6*/ 6163 } 6164 6165 case Q_PORT: 6166 if (proto != Q_DEFAULT && 6167 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6168 bpf_error("illegal qualifier of 'port'"); 6169 if (pcap_nametoport(name, &port, &real_proto) == 0) 6170 bpf_error("unknown port '%s'", name); 6171 if (proto == Q_UDP) { 6172 if (real_proto == IPPROTO_TCP) 6173 bpf_error("port '%s' is tcp", name); 6174 else if (real_proto == IPPROTO_SCTP) 6175 bpf_error("port '%s' is sctp", name); 6176 else 6177 /* override PROTO_UNDEF */ 6178 real_proto = IPPROTO_UDP; 6179 } 6180 if (proto == Q_TCP) { 6181 if (real_proto == IPPROTO_UDP) 6182 bpf_error("port '%s' is udp", name); 6183 6184 else if (real_proto == IPPROTO_SCTP) 6185 bpf_error("port '%s' is sctp", name); 6186 else 6187 /* override PROTO_UNDEF */ 6188 real_proto = IPPROTO_TCP; 6189 } 6190 if (proto == Q_SCTP) { 6191 if (real_proto == IPPROTO_UDP) 6192 bpf_error("port '%s' is udp", name); 6193 6194 else if (real_proto == IPPROTO_TCP) 6195 bpf_error("port '%s' is tcp", name); 6196 else 6197 /* override PROTO_UNDEF */ 6198 real_proto = IPPROTO_SCTP; 6199 } 6200 #ifndef INET6 6201 return gen_port(port, real_proto, dir); 6202 #else 6203 b = gen_port(port, real_proto, dir); 6204 gen_or(gen_port6(port, real_proto, dir), b); 6205 return b; 6206 #endif /* INET6 */ 6207 6208 case Q_PORTRANGE: 6209 if (proto != Q_DEFAULT && 6210 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6211 bpf_error("illegal qualifier of 'portrange'"); 6212 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6213 bpf_error("unknown port in range '%s'", name); 6214 if (proto == Q_UDP) { 6215 if (real_proto == IPPROTO_TCP) 6216 bpf_error("port in range '%s' is tcp", name); 6217 else if (real_proto == IPPROTO_SCTP) 6218 bpf_error("port in range '%s' is sctp", name); 6219 else 6220 /* override PROTO_UNDEF */ 6221 real_proto = IPPROTO_UDP; 6222 } 6223 if (proto == Q_TCP) { 6224 if (real_proto == IPPROTO_UDP) 6225 bpf_error("port in range '%s' is udp", name); 6226 else if (real_proto == IPPROTO_SCTP) 6227 bpf_error("port in range '%s' is sctp", name); 6228 else 6229 /* override PROTO_UNDEF */ 6230 real_proto = IPPROTO_TCP; 6231 } 6232 if (proto == Q_SCTP) { 6233 if (real_proto == IPPROTO_UDP) 6234 bpf_error("port in range '%s' is udp", name); 6235 else if (real_proto == IPPROTO_TCP) 6236 bpf_error("port in range '%s' is tcp", name); 6237 else 6238 /* override PROTO_UNDEF */ 6239 real_proto = IPPROTO_SCTP; 6240 } 6241 #ifndef INET6 6242 return gen_portrange(port1, port2, real_proto, dir); 6243 #else 6244 b = gen_portrange(port1, port2, real_proto, dir); 6245 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6246 return b; 6247 #endif /* INET6 */ 6248 6249 case Q_GATEWAY: 6250 #ifndef INET6 6251 eaddr = pcap_ether_hostton(name); 6252 if (eaddr == NULL) 6253 bpf_error("unknown ether host: %s", name); 6254 6255 alist = pcap_nametoaddr(name); 6256 if (alist == NULL || *alist == NULL) 6257 bpf_error("unknown host '%s'", name); 6258 b = gen_gateway(eaddr, alist, proto, dir); 6259 free(eaddr); 6260 return b; 6261 #else 6262 bpf_error("'gateway' not supported in this configuration"); 6263 #endif /*INET6*/ 6264 6265 case Q_PROTO: 6266 real_proto = lookup_proto(name, proto); 6267 if (real_proto >= 0) 6268 return gen_proto(real_proto, proto, dir); 6269 else 6270 bpf_error("unknown protocol: %s", name); 6271 6272 case Q_PROTOCHAIN: 6273 real_proto = lookup_proto(name, proto); 6274 if (real_proto >= 0) 6275 return gen_protochain(real_proto, proto, dir); 6276 else 6277 bpf_error("unknown protocol: %s", name); 6278 6279 case Q_UNDEF: 6280 syntax(); 6281 /* NOTREACHED */ 6282 } 6283 abort(); 6284 /* NOTREACHED */ 6285 } 6286 6287 struct block * 6288 gen_mcode(s1, s2, masklen, q) 6289 register const char *s1, *s2; 6290 register int masklen; 6291 struct qual q; 6292 { 6293 register int nlen, mlen; 6294 bpf_u_int32 n, m; 6295 6296 nlen = __pcap_atoin(s1, &n); 6297 /* Promote short ipaddr */ 6298 n <<= 32 - nlen; 6299 6300 if (s2 != NULL) { 6301 mlen = __pcap_atoin(s2, &m); 6302 /* Promote short ipaddr */ 6303 m <<= 32 - mlen; 6304 if ((n & ~m) != 0) 6305 bpf_error("non-network bits set in \"%s mask %s\"", 6306 s1, s2); 6307 } else { 6308 /* Convert mask len to mask */ 6309 if (masklen > 32) 6310 bpf_error("mask length must be <= 32"); 6311 if (masklen == 0) { 6312 /* 6313 * X << 32 is not guaranteed by C to be 0; it's 6314 * undefined. 6315 */ 6316 m = 0; 6317 } else 6318 m = 0xffffffff << (32 - masklen); 6319 if ((n & ~m) != 0) 6320 bpf_error("non-network bits set in \"%s/%d\"", 6321 s1, masklen); 6322 } 6323 6324 switch (q.addr) { 6325 6326 case Q_NET: 6327 return gen_host(n, m, q.proto, q.dir, q.addr); 6328 6329 default: 6330 bpf_error("Mask syntax for networks only"); 6331 /* NOTREACHED */ 6332 } 6333 /* NOTREACHED */ 6334 return NULL; 6335 } 6336 6337 struct block * 6338 gen_ncode(s, v, q) 6339 register const char *s; 6340 bpf_u_int32 v; 6341 struct qual q; 6342 { 6343 bpf_u_int32 mask; 6344 int proto = q.proto; 6345 int dir = q.dir; 6346 register int vlen; 6347 6348 if (s == NULL) 6349 vlen = 32; 6350 else if (q.proto == Q_DECNET) 6351 vlen = __pcap_atodn(s, &v); 6352 else 6353 vlen = __pcap_atoin(s, &v); 6354 6355 switch (q.addr) { 6356 6357 case Q_DEFAULT: 6358 case Q_HOST: 6359 case Q_NET: 6360 if (proto == Q_DECNET) 6361 return gen_host(v, 0, proto, dir, q.addr); 6362 else if (proto == Q_LINK) { 6363 bpf_error("illegal link layer address"); 6364 } else { 6365 mask = 0xffffffff; 6366 if (s == NULL && q.addr == Q_NET) { 6367 /* Promote short net number */ 6368 while (v && (v & 0xff000000) == 0) { 6369 v <<= 8; 6370 mask <<= 8; 6371 } 6372 } else { 6373 /* Promote short ipaddr */ 6374 v <<= 32 - vlen; 6375 mask <<= 32 - vlen; 6376 } 6377 return gen_host(v, mask, proto, dir, q.addr); 6378 } 6379 6380 case Q_PORT: 6381 if (proto == Q_UDP) 6382 proto = IPPROTO_UDP; 6383 else if (proto == Q_TCP) 6384 proto = IPPROTO_TCP; 6385 else if (proto == Q_SCTP) 6386 proto = IPPROTO_SCTP; 6387 else if (proto == Q_DEFAULT) 6388 proto = PROTO_UNDEF; 6389 else 6390 bpf_error("illegal qualifier of 'port'"); 6391 6392 #ifndef INET6 6393 return gen_port((int)v, proto, dir); 6394 #else 6395 { 6396 struct block *b; 6397 b = gen_port((int)v, proto, dir); 6398 gen_or(gen_port6((int)v, proto, dir), b); 6399 return b; 6400 } 6401 #endif /* INET6 */ 6402 6403 case Q_PORTRANGE: 6404 if (proto == Q_UDP) 6405 proto = IPPROTO_UDP; 6406 else if (proto == Q_TCP) 6407 proto = IPPROTO_TCP; 6408 else if (proto == Q_SCTP) 6409 proto = IPPROTO_SCTP; 6410 else if (proto == Q_DEFAULT) 6411 proto = PROTO_UNDEF; 6412 else 6413 bpf_error("illegal qualifier of 'portrange'"); 6414 6415 #ifndef INET6 6416 return gen_portrange((int)v, (int)v, proto, dir); 6417 #else 6418 { 6419 struct block *b; 6420 b = gen_portrange((int)v, (int)v, proto, dir); 6421 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6422 return b; 6423 } 6424 #endif /* INET6 */ 6425 6426 case Q_GATEWAY: 6427 bpf_error("'gateway' requires a name"); 6428 /* NOTREACHED */ 6429 6430 case Q_PROTO: 6431 return gen_proto((int)v, proto, dir); 6432 6433 case Q_PROTOCHAIN: 6434 return gen_protochain((int)v, proto, dir); 6435 6436 case Q_UNDEF: 6437 syntax(); 6438 /* NOTREACHED */ 6439 6440 default: 6441 abort(); 6442 /* NOTREACHED */ 6443 } 6444 /* NOTREACHED */ 6445 } 6446 6447 #ifdef INET6 6448 struct block * 6449 gen_mcode6(s1, s2, masklen, q) 6450 register const char *s1, *s2; 6451 register int masklen; 6452 struct qual q; 6453 { 6454 struct addrinfo *res; 6455 struct in6_addr *addr; 6456 struct in6_addr mask; 6457 struct block *b; 6458 u_int32_t *a, *m; 6459 6460 if (s2) 6461 bpf_error("no mask %s supported", s2); 6462 6463 res = pcap_nametoaddrinfo(s1); 6464 if (!res) 6465 bpf_error("invalid ip6 address %s", s1); 6466 ai = res; 6467 if (res->ai_next) 6468 bpf_error("%s resolved to multiple address", s1); 6469 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6470 6471 if ((int)sizeof(mask) * 8 < masklen) 6472 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6473 memset(&mask, 0, sizeof(mask)); 6474 memset(&mask, 0xff, masklen / 8); 6475 if (masklen % 8) { 6476 mask.s6_addr[masklen / 8] = 6477 (0xff << (8 - masklen % 8)) & 0xff; 6478 } 6479 6480 a = (u_int32_t *)addr; 6481 m = (u_int32_t *)&mask; 6482 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6483 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6484 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6485 } 6486 6487 switch (q.addr) { 6488 6489 case Q_DEFAULT: 6490 case Q_HOST: 6491 if (masklen != 128) 6492 bpf_error("Mask syntax for networks only"); 6493 /* FALLTHROUGH */ 6494 6495 case Q_NET: 6496 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6497 ai = NULL; 6498 freeaddrinfo(res); 6499 return b; 6500 6501 default: 6502 bpf_error("invalid qualifier against IPv6 address"); 6503 /* NOTREACHED */ 6504 } 6505 return NULL; 6506 } 6507 #endif /*INET6*/ 6508 6509 struct block * 6510 gen_ecode(eaddr, q) 6511 register const u_char *eaddr; 6512 struct qual q; 6513 { 6514 struct block *b, *tmp; 6515 6516 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6517 switch (linktype) { 6518 case DLT_EN10MB: 6519 return gen_ehostop(eaddr, (int)q.dir); 6520 case DLT_FDDI: 6521 return gen_fhostop(eaddr, (int)q.dir); 6522 case DLT_IEEE802: 6523 return gen_thostop(eaddr, (int)q.dir); 6524 case DLT_IEEE802_11: 6525 case DLT_PRISM_HEADER: 6526 case DLT_IEEE802_11_RADIO_AVS: 6527 case DLT_IEEE802_11_RADIO: 6528 case DLT_PPI: 6529 return gen_wlanhostop(eaddr, (int)q.dir); 6530 case DLT_SUNATM: 6531 if (is_lane) { 6532 /* 6533 * Check that the packet doesn't begin with an 6534 * LE Control marker. (We've already generated 6535 * a test for LANE.) 6536 */ 6537 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6538 0xFF00); 6539 gen_not(tmp); 6540 6541 /* 6542 * Now check the MAC address. 6543 */ 6544 b = gen_ehostop(eaddr, (int)q.dir); 6545 gen_and(tmp, b); 6546 return b; 6547 } 6548 break; 6549 case DLT_IP_OVER_FC: 6550 return gen_ipfchostop(eaddr, (int)q.dir); 6551 default: 6552 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6553 break; 6554 } 6555 } 6556 bpf_error("ethernet address used in non-ether expression"); 6557 /* NOTREACHED */ 6558 return NULL; 6559 } 6560 6561 void 6562 sappend(s0, s1) 6563 struct slist *s0, *s1; 6564 { 6565 /* 6566 * This is definitely not the best way to do this, but the 6567 * lists will rarely get long. 6568 */ 6569 while (s0->next) 6570 s0 = s0->next; 6571 s0->next = s1; 6572 } 6573 6574 static struct slist * 6575 xfer_to_x(a) 6576 struct arth *a; 6577 { 6578 struct slist *s; 6579 6580 s = new_stmt(BPF_LDX|BPF_MEM); 6581 s->s.k = a->regno; 6582 return s; 6583 } 6584 6585 static struct slist * 6586 xfer_to_a(a) 6587 struct arth *a; 6588 { 6589 struct slist *s; 6590 6591 s = new_stmt(BPF_LD|BPF_MEM); 6592 s->s.k = a->regno; 6593 return s; 6594 } 6595 6596 /* 6597 * Modify "index" to use the value stored into its register as an 6598 * offset relative to the beginning of the header for the protocol 6599 * "proto", and allocate a register and put an item "size" bytes long 6600 * (1, 2, or 4) at that offset into that register, making it the register 6601 * for "index". 6602 */ 6603 struct arth * 6604 gen_load(proto, inst, size) 6605 int proto; 6606 struct arth *inst; 6607 int size; 6608 { 6609 struct slist *s, *tmp; 6610 struct block *b; 6611 int regno = alloc_reg(); 6612 6613 free_reg(inst->regno); 6614 switch (size) { 6615 6616 default: 6617 bpf_error("data size must be 1, 2, or 4"); 6618 6619 case 1: 6620 size = BPF_B; 6621 break; 6622 6623 case 2: 6624 size = BPF_H; 6625 break; 6626 6627 case 4: 6628 size = BPF_W; 6629 break; 6630 } 6631 switch (proto) { 6632 default: 6633 bpf_error("unsupported index operation"); 6634 6635 case Q_RADIO: 6636 /* 6637 * The offset is relative to the beginning of the packet 6638 * data, if we have a radio header. (If we don't, this 6639 * is an error.) 6640 */ 6641 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6642 linktype != DLT_IEEE802_11_RADIO && 6643 linktype != DLT_PRISM_HEADER) 6644 bpf_error("radio information not present in capture"); 6645 6646 /* 6647 * Load into the X register the offset computed into the 6648 * register specifed by "index". 6649 */ 6650 s = xfer_to_x(inst); 6651 6652 /* 6653 * Load the item at that offset. 6654 */ 6655 tmp = new_stmt(BPF_LD|BPF_IND|size); 6656 sappend(s, tmp); 6657 sappend(inst->s, s); 6658 break; 6659 6660 case Q_LINK: 6661 /* 6662 * The offset is relative to the beginning of 6663 * the link-layer header. 6664 * 6665 * XXX - what about ATM LANE? Should the index be 6666 * relative to the beginning of the AAL5 frame, so 6667 * that 0 refers to the beginning of the LE Control 6668 * field, or relative to the beginning of the LAN 6669 * frame, so that 0 refers, for Ethernet LANE, to 6670 * the beginning of the destination address? 6671 */ 6672 s = gen_llprefixlen(); 6673 6674 /* 6675 * If "s" is non-null, it has code to arrange that the 6676 * X register contains the length of the prefix preceding 6677 * the link-layer header. Add to it the offset computed 6678 * into the register specified by "index", and move that 6679 * into the X register. Otherwise, just load into the X 6680 * register the offset computed into the register specifed 6681 * by "index". 6682 */ 6683 if (s != NULL) { 6684 sappend(s, xfer_to_a(inst)); 6685 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6686 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6687 } else 6688 s = xfer_to_x(inst); 6689 6690 /* 6691 * Load the item at the sum of the offset we've put in the 6692 * X register and the offset of the start of the link 6693 * layer header (which is 0 if the radio header is 6694 * variable-length; that header length is what we put 6695 * into the X register and then added to the index). 6696 */ 6697 tmp = new_stmt(BPF_LD|BPF_IND|size); 6698 tmp->s.k = off_ll; 6699 sappend(s, tmp); 6700 sappend(inst->s, s); 6701 break; 6702 6703 case Q_IP: 6704 case Q_ARP: 6705 case Q_RARP: 6706 case Q_ATALK: 6707 case Q_DECNET: 6708 case Q_SCA: 6709 case Q_LAT: 6710 case Q_MOPRC: 6711 case Q_MOPDL: 6712 #ifdef INET6 6713 case Q_IPV6: 6714 #endif 6715 /* 6716 * The offset is relative to the beginning of 6717 * the network-layer header. 6718 * XXX - are there any cases where we want 6719 * off_nl_nosnap? 6720 */ 6721 s = gen_off_macpl(); 6722 6723 /* 6724 * If "s" is non-null, it has code to arrange that the 6725 * X register contains the offset of the MAC-layer 6726 * payload. Add to it the offset computed into the 6727 * register specified by "index", and move that into 6728 * the X register. Otherwise, just load into the X 6729 * register the offset computed into the register specifed 6730 * by "index". 6731 */ 6732 if (s != NULL) { 6733 sappend(s, xfer_to_a(inst)); 6734 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6735 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6736 } else 6737 s = xfer_to_x(inst); 6738 6739 /* 6740 * Load the item at the sum of the offset we've put in the 6741 * X register, the offset of the start of the network 6742 * layer header from the beginning of the MAC-layer 6743 * payload, and the purported offset of the start of the 6744 * MAC-layer payload (which might be 0 if there's a 6745 * variable-length prefix before the link-layer header 6746 * or the link-layer header itself is variable-length; 6747 * the variable-length offset of the start of the 6748 * MAC-layer payload is what we put into the X register 6749 * and then added to the index). 6750 */ 6751 tmp = new_stmt(BPF_LD|BPF_IND|size); 6752 tmp->s.k = off_macpl + off_nl; 6753 sappend(s, tmp); 6754 sappend(inst->s, s); 6755 6756 /* 6757 * Do the computation only if the packet contains 6758 * the protocol in question. 6759 */ 6760 b = gen_proto_abbrev(proto); 6761 if (inst->b) 6762 gen_and(inst->b, b); 6763 inst->b = b; 6764 break; 6765 6766 case Q_SCTP: 6767 case Q_TCP: 6768 case Q_UDP: 6769 case Q_ICMP: 6770 case Q_IGMP: 6771 case Q_IGRP: 6772 case Q_PIM: 6773 case Q_VRRP: 6774 /* 6775 * The offset is relative to the beginning of 6776 * the transport-layer header. 6777 * 6778 * Load the X register with the length of the IPv4 header 6779 * (plus the offset of the link-layer header, if it's 6780 * a variable-length header), in bytes. 6781 * 6782 * XXX - are there any cases where we want 6783 * off_nl_nosnap? 6784 * XXX - we should, if we're built with 6785 * IPv6 support, generate code to load either 6786 * IPv4, IPv6, or both, as appropriate. 6787 */ 6788 s = gen_loadx_iphdrlen(); 6789 6790 /* 6791 * The X register now contains the sum of the length 6792 * of any variable-length header preceding the link-layer 6793 * header, any variable-length link-layer header, and the 6794 * length of the network-layer header. 6795 * 6796 * Load into the A register the offset relative to 6797 * the beginning of the transport layer header, 6798 * add the X register to that, move that to the 6799 * X register, and load with an offset from the 6800 * X register equal to the offset of the network 6801 * layer header relative to the beginning of 6802 * the MAC-layer payload plus the fixed-length 6803 * portion of the offset of the MAC-layer payload 6804 * from the beginning of the raw packet data. 6805 */ 6806 sappend(s, xfer_to_a(inst)); 6807 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6808 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6809 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6810 tmp->s.k = off_macpl + off_nl; 6811 sappend(inst->s, s); 6812 6813 /* 6814 * Do the computation only if the packet contains 6815 * the protocol in question - which is true only 6816 * if this is an IP datagram and is the first or 6817 * only fragment of that datagram. 6818 */ 6819 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6820 if (inst->b) 6821 gen_and(inst->b, b); 6822 #ifdef INET6 6823 gen_and(gen_proto_abbrev(Q_IP), b); 6824 #endif 6825 inst->b = b; 6826 break; 6827 #ifdef INET6 6828 case Q_ICMPV6: 6829 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6830 /*NOTREACHED*/ 6831 #endif 6832 } 6833 inst->regno = regno; 6834 s = new_stmt(BPF_ST); 6835 s->s.k = regno; 6836 sappend(inst->s, s); 6837 6838 return inst; 6839 } 6840 6841 struct block * 6842 gen_relation(code, a0, a1, reversed) 6843 int code; 6844 struct arth *a0, *a1; 6845 int reversed; 6846 { 6847 struct slist *s0, *s1, *s2; 6848 struct block *b, *tmp; 6849 6850 s0 = xfer_to_x(a1); 6851 s1 = xfer_to_a(a0); 6852 if (code == BPF_JEQ) { 6853 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6854 b = new_block(JMP(code)); 6855 sappend(s1, s2); 6856 } 6857 else 6858 b = new_block(BPF_JMP|code|BPF_X); 6859 if (reversed) 6860 gen_not(b); 6861 6862 sappend(s0, s1); 6863 sappend(a1->s, s0); 6864 sappend(a0->s, a1->s); 6865 6866 b->stmts = a0->s; 6867 6868 free_reg(a0->regno); 6869 free_reg(a1->regno); 6870 6871 /* 'and' together protocol checks */ 6872 if (a0->b) { 6873 if (a1->b) { 6874 gen_and(a0->b, tmp = a1->b); 6875 } 6876 else 6877 tmp = a0->b; 6878 } else 6879 tmp = a1->b; 6880 6881 if (tmp) 6882 gen_and(tmp, b); 6883 6884 return b; 6885 } 6886 6887 struct arth * 6888 gen_loadlen() 6889 { 6890 int regno = alloc_reg(); 6891 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6892 struct slist *s; 6893 6894 s = new_stmt(BPF_LD|BPF_LEN); 6895 s->next = new_stmt(BPF_ST); 6896 s->next->s.k = regno; 6897 a->s = s; 6898 a->regno = regno; 6899 6900 return a; 6901 } 6902 6903 struct arth * 6904 gen_loadi(val) 6905 int val; 6906 { 6907 struct arth *a; 6908 struct slist *s; 6909 int reg; 6910 6911 a = (struct arth *)newchunk(sizeof(*a)); 6912 6913 reg = alloc_reg(); 6914 6915 s = new_stmt(BPF_LD|BPF_IMM); 6916 s->s.k = val; 6917 s->next = new_stmt(BPF_ST); 6918 s->next->s.k = reg; 6919 a->s = s; 6920 a->regno = reg; 6921 6922 return a; 6923 } 6924 6925 struct arth * 6926 gen_neg(a) 6927 struct arth *a; 6928 { 6929 struct slist *s; 6930 6931 s = xfer_to_a(a); 6932 sappend(a->s, s); 6933 s = new_stmt(BPF_ALU|BPF_NEG); 6934 s->s.k = 0; 6935 sappend(a->s, s); 6936 s = new_stmt(BPF_ST); 6937 s->s.k = a->regno; 6938 sappend(a->s, s); 6939 6940 return a; 6941 } 6942 6943 struct arth * 6944 gen_arth(code, a0, a1) 6945 int code; 6946 struct arth *a0, *a1; 6947 { 6948 struct slist *s0, *s1, *s2; 6949 6950 s0 = xfer_to_x(a1); 6951 s1 = xfer_to_a(a0); 6952 s2 = new_stmt(BPF_ALU|BPF_X|code); 6953 6954 sappend(s1, s2); 6955 sappend(s0, s1); 6956 sappend(a1->s, s0); 6957 sappend(a0->s, a1->s); 6958 6959 free_reg(a0->regno); 6960 free_reg(a1->regno); 6961 6962 s0 = new_stmt(BPF_ST); 6963 a0->regno = s0->s.k = alloc_reg(); 6964 sappend(a0->s, s0); 6965 6966 return a0; 6967 } 6968 6969 /* 6970 * Here we handle simple allocation of the scratch registers. 6971 * If too many registers are alloc'd, the allocator punts. 6972 */ 6973 static int regused[BPF_MEMWORDS]; 6974 static int curreg; 6975 6976 /* 6977 * Initialize the table of used registers and the current register. 6978 */ 6979 static void 6980 init_regs() 6981 { 6982 curreg = 0; 6983 memset(regused, 0, sizeof regused); 6984 } 6985 6986 /* 6987 * Return the next free register. 6988 */ 6989 static int 6990 alloc_reg() 6991 { 6992 int n = BPF_MEMWORDS; 6993 6994 while (--n >= 0) { 6995 if (regused[curreg]) 6996 curreg = (curreg + 1) % BPF_MEMWORDS; 6997 else { 6998 regused[curreg] = 1; 6999 return curreg; 7000 } 7001 } 7002 bpf_error("too many registers needed to evaluate expression"); 7003 /* NOTREACHED */ 7004 return 0; 7005 } 7006 7007 /* 7008 * Return a register to the table so it can 7009 * be used later. 7010 */ 7011 static void 7012 free_reg(n) 7013 int n; 7014 { 7015 regused[n] = 0; 7016 } 7017 7018 static struct block * 7019 gen_len(jmp, n) 7020 int jmp, n; 7021 { 7022 struct slist *s; 7023 struct block *b; 7024 7025 s = new_stmt(BPF_LD|BPF_LEN); 7026 b = new_block(JMP(jmp)); 7027 b->stmts = s; 7028 b->s.k = n; 7029 7030 return b; 7031 } 7032 7033 struct block * 7034 gen_greater(n) 7035 int n; 7036 { 7037 return gen_len(BPF_JGE, n); 7038 } 7039 7040 /* 7041 * Actually, this is less than or equal. 7042 */ 7043 struct block * 7044 gen_less(n) 7045 int n; 7046 { 7047 struct block *b; 7048 7049 b = gen_len(BPF_JGT, n); 7050 gen_not(b); 7051 7052 return b; 7053 } 7054 7055 /* 7056 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7057 * the beginning of the link-layer header. 7058 * XXX - that means you can't test values in the radiotap header, but 7059 * as that header is difficult if not impossible to parse generally 7060 * without a loop, that might not be a severe problem. A new keyword 7061 * "radio" could be added for that, although what you'd really want 7062 * would be a way of testing particular radio header values, which 7063 * would generate code appropriate to the radio header in question. 7064 */ 7065 struct block * 7066 gen_byteop(op, idx, val) 7067 int op, idx, val; 7068 { 7069 struct block *b; 7070 struct slist *s; 7071 7072 switch (op) { 7073 default: 7074 abort(); 7075 7076 case '=': 7077 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7078 7079 case '<': 7080 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7081 return b; 7082 7083 case '>': 7084 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7085 return b; 7086 7087 case '|': 7088 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7089 break; 7090 7091 case '&': 7092 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7093 break; 7094 } 7095 s->s.k = val; 7096 b = new_block(JMP(BPF_JEQ)); 7097 b->stmts = s; 7098 gen_not(b); 7099 7100 return b; 7101 } 7102 7103 static u_char abroadcast[] = { 0x0 }; 7104 7105 struct block * 7106 gen_broadcast(proto) 7107 int proto; 7108 { 7109 bpf_u_int32 hostmask; 7110 struct block *b0, *b1, *b2; 7111 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7112 7113 switch (proto) { 7114 7115 case Q_DEFAULT: 7116 case Q_LINK: 7117 switch (linktype) { 7118 case DLT_ARCNET: 7119 case DLT_ARCNET_LINUX: 7120 return gen_ahostop(abroadcast, Q_DST); 7121 case DLT_EN10MB: 7122 return gen_ehostop(ebroadcast, Q_DST); 7123 case DLT_FDDI: 7124 return gen_fhostop(ebroadcast, Q_DST); 7125 case DLT_IEEE802: 7126 return gen_thostop(ebroadcast, Q_DST); 7127 case DLT_IEEE802_11: 7128 case DLT_PRISM_HEADER: 7129 case DLT_IEEE802_11_RADIO_AVS: 7130 case DLT_IEEE802_11_RADIO: 7131 case DLT_PPI: 7132 return gen_wlanhostop(ebroadcast, Q_DST); 7133 case DLT_IP_OVER_FC: 7134 return gen_ipfchostop(ebroadcast, Q_DST); 7135 case DLT_SUNATM: 7136 if (is_lane) { 7137 /* 7138 * Check that the packet doesn't begin with an 7139 * LE Control marker. (We've already generated 7140 * a test for LANE.) 7141 */ 7142 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7143 BPF_H, 0xFF00); 7144 gen_not(b1); 7145 7146 /* 7147 * Now check the MAC address. 7148 */ 7149 b0 = gen_ehostop(ebroadcast, Q_DST); 7150 gen_and(b1, b0); 7151 return b0; 7152 } 7153 break; 7154 default: 7155 bpf_error("not a broadcast link"); 7156 } 7157 break; 7158 7159 case Q_IP: 7160 /* 7161 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7162 * as an indication that we don't know the netmask, and fail 7163 * in that case. 7164 */ 7165 if (netmask == PCAP_NETMASK_UNKNOWN) 7166 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7167 b0 = gen_linktype(ETHERTYPE_IP); 7168 hostmask = ~netmask; 7169 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7170 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7171 (bpf_int32)(~0 & hostmask), hostmask); 7172 gen_or(b1, b2); 7173 gen_and(b0, b2); 7174 return b2; 7175 } 7176 bpf_error("only link-layer/IP broadcast filters supported"); 7177 /* NOTREACHED */ 7178 return NULL; 7179 } 7180 7181 /* 7182 * Generate code to test the low-order bit of a MAC address (that's 7183 * the bottom bit of the *first* byte). 7184 */ 7185 static struct block * 7186 gen_mac_multicast(offset) 7187 int offset; 7188 { 7189 register struct block *b0; 7190 register struct slist *s; 7191 7192 /* link[offset] & 1 != 0 */ 7193 s = gen_load_a(OR_LINK, offset, BPF_B); 7194 b0 = new_block(JMP(BPF_JSET)); 7195 b0->s.k = 1; 7196 b0->stmts = s; 7197 return b0; 7198 } 7199 7200 struct block * 7201 gen_multicast(proto) 7202 int proto; 7203 { 7204 register struct block *b0, *b1, *b2; 7205 register struct slist *s; 7206 7207 switch (proto) { 7208 7209 case Q_DEFAULT: 7210 case Q_LINK: 7211 switch (linktype) { 7212 case DLT_ARCNET: 7213 case DLT_ARCNET_LINUX: 7214 /* all ARCnet multicasts use the same address */ 7215 return gen_ahostop(abroadcast, Q_DST); 7216 case DLT_EN10MB: 7217 /* ether[0] & 1 != 0 */ 7218 return gen_mac_multicast(0); 7219 case DLT_FDDI: 7220 /* 7221 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7222 * 7223 * XXX - was that referring to bit-order issues? 7224 */ 7225 /* fddi[1] & 1 != 0 */ 7226 return gen_mac_multicast(1); 7227 case DLT_IEEE802: 7228 /* tr[2] & 1 != 0 */ 7229 return gen_mac_multicast(2); 7230 case DLT_IEEE802_11: 7231 case DLT_PRISM_HEADER: 7232 case DLT_IEEE802_11_RADIO_AVS: 7233 case DLT_IEEE802_11_RADIO: 7234 case DLT_PPI: 7235 /* 7236 * Oh, yuk. 7237 * 7238 * For control frames, there is no DA. 7239 * 7240 * For management frames, DA is at an 7241 * offset of 4 from the beginning of 7242 * the packet. 7243 * 7244 * For data frames, DA is at an offset 7245 * of 4 from the beginning of the packet 7246 * if To DS is clear and at an offset of 7247 * 16 from the beginning of the packet 7248 * if To DS is set. 7249 */ 7250 7251 /* 7252 * Generate the tests to be done for data frames. 7253 * 7254 * First, check for To DS set, i.e. "link[1] & 0x01". 7255 */ 7256 s = gen_load_a(OR_LINK, 1, BPF_B); 7257 b1 = new_block(JMP(BPF_JSET)); 7258 b1->s.k = 0x01; /* To DS */ 7259 b1->stmts = s; 7260 7261 /* 7262 * If To DS is set, the DA is at 16. 7263 */ 7264 b0 = gen_mac_multicast(16); 7265 gen_and(b1, b0); 7266 7267 /* 7268 * Now, check for To DS not set, i.e. check 7269 * "!(link[1] & 0x01)". 7270 */ 7271 s = gen_load_a(OR_LINK, 1, BPF_B); 7272 b2 = new_block(JMP(BPF_JSET)); 7273 b2->s.k = 0x01; /* To DS */ 7274 b2->stmts = s; 7275 gen_not(b2); 7276 7277 /* 7278 * If To DS is not set, the DA is at 4. 7279 */ 7280 b1 = gen_mac_multicast(4); 7281 gen_and(b2, b1); 7282 7283 /* 7284 * Now OR together the last two checks. That gives 7285 * the complete set of checks for data frames. 7286 */ 7287 gen_or(b1, b0); 7288 7289 /* 7290 * Now check for a data frame. 7291 * I.e, check "link[0] & 0x08". 7292 */ 7293 s = gen_load_a(OR_LINK, 0, BPF_B); 7294 b1 = new_block(JMP(BPF_JSET)); 7295 b1->s.k = 0x08; 7296 b1->stmts = s; 7297 7298 /* 7299 * AND that with the checks done for data frames. 7300 */ 7301 gen_and(b1, b0); 7302 7303 /* 7304 * If the high-order bit of the type value is 0, this 7305 * is a management frame. 7306 * I.e, check "!(link[0] & 0x08)". 7307 */ 7308 s = gen_load_a(OR_LINK, 0, BPF_B); 7309 b2 = new_block(JMP(BPF_JSET)); 7310 b2->s.k = 0x08; 7311 b2->stmts = s; 7312 gen_not(b2); 7313 7314 /* 7315 * For management frames, the DA is at 4. 7316 */ 7317 b1 = gen_mac_multicast(4); 7318 gen_and(b2, b1); 7319 7320 /* 7321 * OR that with the checks done for data frames. 7322 * That gives the checks done for management and 7323 * data frames. 7324 */ 7325 gen_or(b1, b0); 7326 7327 /* 7328 * If the low-order bit of the type value is 1, 7329 * this is either a control frame or a frame 7330 * with a reserved type, and thus not a 7331 * frame with an SA. 7332 * 7333 * I.e., check "!(link[0] & 0x04)". 7334 */ 7335 s = gen_load_a(OR_LINK, 0, BPF_B); 7336 b1 = new_block(JMP(BPF_JSET)); 7337 b1->s.k = 0x04; 7338 b1->stmts = s; 7339 gen_not(b1); 7340 7341 /* 7342 * AND that with the checks for data and management 7343 * frames. 7344 */ 7345 gen_and(b1, b0); 7346 return b0; 7347 case DLT_IP_OVER_FC: 7348 b0 = gen_mac_multicast(2); 7349 return b0; 7350 case DLT_SUNATM: 7351 if (is_lane) { 7352 /* 7353 * Check that the packet doesn't begin with an 7354 * LE Control marker. (We've already generated 7355 * a test for LANE.) 7356 */ 7357 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7358 BPF_H, 0xFF00); 7359 gen_not(b1); 7360 7361 /* ether[off_mac] & 1 != 0 */ 7362 b0 = gen_mac_multicast(off_mac); 7363 gen_and(b1, b0); 7364 return b0; 7365 } 7366 break; 7367 default: 7368 break; 7369 } 7370 /* Link not known to support multicasts */ 7371 break; 7372 7373 case Q_IP: 7374 b0 = gen_linktype(ETHERTYPE_IP); 7375 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7376 gen_and(b0, b1); 7377 return b1; 7378 7379 #ifdef INET6 7380 case Q_IPV6: 7381 b0 = gen_linktype(ETHERTYPE_IPV6); 7382 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7383 gen_and(b0, b1); 7384 return b1; 7385 #endif /* INET6 */ 7386 } 7387 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7388 /* NOTREACHED */ 7389 return NULL; 7390 } 7391 7392 /* 7393 * generate command for inbound/outbound. It's here so we can 7394 * make it link-type specific. 'dir' = 0 implies "inbound", 7395 * = 1 implies "outbound". 7396 */ 7397 struct block * 7398 gen_inbound(dir) 7399 int dir; 7400 { 7401 register struct block *b0; 7402 7403 /* 7404 * Only some data link types support inbound/outbound qualifiers. 7405 */ 7406 switch (linktype) { 7407 case DLT_SLIP: 7408 b0 = gen_relation(BPF_JEQ, 7409 gen_load(Q_LINK, gen_loadi(0), 1), 7410 gen_loadi(0), 7411 dir); 7412 break; 7413 7414 case DLT_IPNET: 7415 if (dir) { 7416 /* match outgoing packets */ 7417 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7418 } else { 7419 /* match incoming packets */ 7420 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7421 } 7422 break; 7423 7424 case DLT_LINUX_SLL: 7425 if (dir) { 7426 /* 7427 * Match packets sent by this machine. 7428 */ 7429 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7430 } else { 7431 /* 7432 * Match packets sent to this machine. 7433 * (No broadcast or multicast packets, or 7434 * packets sent to some other machine and 7435 * received promiscuously.) 7436 * 7437 * XXX - packets sent to other machines probably 7438 * shouldn't be matched, but what about broadcast 7439 * or multicast packets we received? 7440 */ 7441 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 7442 } 7443 break; 7444 7445 #ifdef HAVE_NET_PFVAR_H 7446 case DLT_PFLOG: 7447 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7448 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7449 break; 7450 #endif 7451 7452 case DLT_PPP_PPPD: 7453 if (dir) { 7454 /* match outgoing packets */ 7455 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7456 } else { 7457 /* match incoming packets */ 7458 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7459 } 7460 break; 7461 7462 case DLT_JUNIPER_MFR: 7463 case DLT_JUNIPER_MLFR: 7464 case DLT_JUNIPER_MLPPP: 7465 case DLT_JUNIPER_ATM1: 7466 case DLT_JUNIPER_ATM2: 7467 case DLT_JUNIPER_PPPOE: 7468 case DLT_JUNIPER_PPPOE_ATM: 7469 case DLT_JUNIPER_GGSN: 7470 case DLT_JUNIPER_ES: 7471 case DLT_JUNIPER_MONITOR: 7472 case DLT_JUNIPER_SERVICES: 7473 case DLT_JUNIPER_ETHER: 7474 case DLT_JUNIPER_PPP: 7475 case DLT_JUNIPER_FRELAY: 7476 case DLT_JUNIPER_CHDLC: 7477 case DLT_JUNIPER_VP: 7478 case DLT_JUNIPER_ST: 7479 case DLT_JUNIPER_ISM: 7480 /* juniper flags (including direction) are stored 7481 * the byte after the 3-byte magic number */ 7482 if (dir) { 7483 /* match outgoing packets */ 7484 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7485 } else { 7486 /* match incoming packets */ 7487 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7488 } 7489 break; 7490 7491 default: 7492 bpf_error("inbound/outbound not supported on linktype %d", 7493 linktype); 7494 b0 = NULL; 7495 /* NOTREACHED */ 7496 } 7497 return (b0); 7498 } 7499 7500 #ifdef HAVE_NET_PFVAR_H 7501 /* PF firewall log matched interface */ 7502 struct block * 7503 gen_pf_ifname(const char *ifname) 7504 { 7505 struct block *b0; 7506 u_int len, off; 7507 7508 if (linktype != DLT_PFLOG) { 7509 bpf_error("ifname supported only on PF linktype"); 7510 /* NOTREACHED */ 7511 } 7512 len = sizeof(((struct pfloghdr *)0)->ifname); 7513 off = offsetof(struct pfloghdr, ifname); 7514 if (strlen(ifname) >= len) { 7515 bpf_error("ifname interface names can only be %d characters", 7516 len-1); 7517 /* NOTREACHED */ 7518 } 7519 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7520 return (b0); 7521 } 7522 7523 /* PF firewall log ruleset name */ 7524 struct block * 7525 gen_pf_ruleset(char *ruleset) 7526 { 7527 struct block *b0; 7528 7529 if (linktype != DLT_PFLOG) { 7530 bpf_error("ruleset supported only on PF linktype"); 7531 /* NOTREACHED */ 7532 } 7533 7534 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7535 bpf_error("ruleset names can only be %ld characters", 7536 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7537 /* NOTREACHED */ 7538 } 7539 7540 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7541 strlen(ruleset), (const u_char *)ruleset); 7542 return (b0); 7543 } 7544 7545 /* PF firewall log rule number */ 7546 struct block * 7547 gen_pf_rnr(int rnr) 7548 { 7549 struct block *b0; 7550 7551 if (linktype != DLT_PFLOG) { 7552 bpf_error("rnr supported only on PF linktype"); 7553 /* NOTREACHED */ 7554 } 7555 7556 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7557 (bpf_int32)rnr); 7558 return (b0); 7559 } 7560 7561 /* PF firewall log sub-rule number */ 7562 struct block * 7563 gen_pf_srnr(int srnr) 7564 { 7565 struct block *b0; 7566 7567 if (linktype != DLT_PFLOG) { 7568 bpf_error("srnr supported only on PF linktype"); 7569 /* NOTREACHED */ 7570 } 7571 7572 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7573 (bpf_int32)srnr); 7574 return (b0); 7575 } 7576 7577 /* PF firewall log reason code */ 7578 struct block * 7579 gen_pf_reason(int reason) 7580 { 7581 struct block *b0; 7582 7583 if (linktype != DLT_PFLOG) { 7584 bpf_error("reason supported only on PF linktype"); 7585 /* NOTREACHED */ 7586 } 7587 7588 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7589 (bpf_int32)reason); 7590 return (b0); 7591 } 7592 7593 /* PF firewall log action */ 7594 struct block * 7595 gen_pf_action(int action) 7596 { 7597 struct block *b0; 7598 7599 if (linktype != DLT_PFLOG) { 7600 bpf_error("action supported only on PF linktype"); 7601 /* NOTREACHED */ 7602 } 7603 7604 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7605 (bpf_int32)action); 7606 return (b0); 7607 } 7608 #else /* !HAVE_NET_PFVAR_H */ 7609 struct block * 7610 gen_pf_ifname(const char *ifname) 7611 { 7612 bpf_error("libpcap was compiled without pf support"); 7613 /* NOTREACHED */ 7614 return (NULL); 7615 } 7616 7617 struct block * 7618 gen_pf_ruleset(char *ruleset) 7619 { 7620 bpf_error("libpcap was compiled on a machine without pf support"); 7621 /* NOTREACHED */ 7622 return (NULL); 7623 } 7624 7625 struct block * 7626 gen_pf_rnr(int rnr) 7627 { 7628 bpf_error("libpcap was compiled on a machine without pf support"); 7629 /* NOTREACHED */ 7630 return (NULL); 7631 } 7632 7633 struct block * 7634 gen_pf_srnr(int srnr) 7635 { 7636 bpf_error("libpcap was compiled on a machine without pf support"); 7637 /* NOTREACHED */ 7638 return (NULL); 7639 } 7640 7641 struct block * 7642 gen_pf_reason(int reason) 7643 { 7644 bpf_error("libpcap was compiled on a machine without pf support"); 7645 /* NOTREACHED */ 7646 return (NULL); 7647 } 7648 7649 struct block * 7650 gen_pf_action(int action) 7651 { 7652 bpf_error("libpcap was compiled on a machine without pf support"); 7653 /* NOTREACHED */ 7654 return (NULL); 7655 } 7656 #endif /* HAVE_NET_PFVAR_H */ 7657 7658 /* IEEE 802.11 wireless header */ 7659 struct block * 7660 gen_p80211_type(int type, int mask) 7661 { 7662 struct block *b0; 7663 7664 switch (linktype) { 7665 7666 case DLT_IEEE802_11: 7667 case DLT_PRISM_HEADER: 7668 case DLT_IEEE802_11_RADIO_AVS: 7669 case DLT_IEEE802_11_RADIO: 7670 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7671 (bpf_int32)mask); 7672 break; 7673 7674 default: 7675 bpf_error("802.11 link-layer types supported only on 802.11"); 7676 /* NOTREACHED */ 7677 } 7678 7679 return (b0); 7680 } 7681 7682 struct block * 7683 gen_p80211_fcdir(int fcdir) 7684 { 7685 struct block *b0; 7686 7687 switch (linktype) { 7688 7689 case DLT_IEEE802_11: 7690 case DLT_PRISM_HEADER: 7691 case DLT_IEEE802_11_RADIO_AVS: 7692 case DLT_IEEE802_11_RADIO: 7693 break; 7694 7695 default: 7696 bpf_error("frame direction supported only with 802.11 headers"); 7697 /* NOTREACHED */ 7698 } 7699 7700 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7701 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7702 7703 return (b0); 7704 } 7705 7706 struct block * 7707 gen_acode(eaddr, q) 7708 register const u_char *eaddr; 7709 struct qual q; 7710 { 7711 switch (linktype) { 7712 7713 case DLT_ARCNET: 7714 case DLT_ARCNET_LINUX: 7715 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7716 q.proto == Q_LINK) 7717 return (gen_ahostop(eaddr, (int)q.dir)); 7718 else { 7719 bpf_error("ARCnet address used in non-arc expression"); 7720 /* NOTREACHED */ 7721 } 7722 break; 7723 7724 default: 7725 bpf_error("aid supported only on ARCnet"); 7726 /* NOTREACHED */ 7727 } 7728 bpf_error("ARCnet address used in non-arc expression"); 7729 /* NOTREACHED */ 7730 return NULL; 7731 } 7732 7733 static struct block * 7734 gen_ahostop(eaddr, dir) 7735 register const u_char *eaddr; 7736 register int dir; 7737 { 7738 register struct block *b0, *b1; 7739 7740 switch (dir) { 7741 /* src comes first, different from Ethernet */ 7742 case Q_SRC: 7743 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7744 7745 case Q_DST: 7746 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7747 7748 case Q_AND: 7749 b0 = gen_ahostop(eaddr, Q_SRC); 7750 b1 = gen_ahostop(eaddr, Q_DST); 7751 gen_and(b0, b1); 7752 return b1; 7753 7754 case Q_DEFAULT: 7755 case Q_OR: 7756 b0 = gen_ahostop(eaddr, Q_SRC); 7757 b1 = gen_ahostop(eaddr, Q_DST); 7758 gen_or(b0, b1); 7759 return b1; 7760 } 7761 abort(); 7762 /* NOTREACHED */ 7763 } 7764 7765 /* 7766 * support IEEE 802.1Q VLAN trunk over ethernet 7767 */ 7768 struct block * 7769 gen_vlan(vlan_num) 7770 int vlan_num; 7771 { 7772 struct block *b0, *b1; 7773 7774 /* can't check for VLAN-encapsulated packets inside MPLS */ 7775 if (label_stack_depth > 0) 7776 bpf_error("no VLAN match after MPLS"); 7777 7778 /* 7779 * Check for a VLAN packet, and then change the offsets to point 7780 * to the type and data fields within the VLAN packet. Just 7781 * increment the offsets, so that we can support a hierarchy, e.g. 7782 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7783 * VLAN 100. 7784 * 7785 * XXX - this is a bit of a kludge. If we were to split the 7786 * compiler into a parser that parses an expression and 7787 * generates an expression tree, and a code generator that 7788 * takes an expression tree (which could come from our 7789 * parser or from some other parser) and generates BPF code, 7790 * we could perhaps make the offsets parameters of routines 7791 * and, in the handler for an "AND" node, pass to subnodes 7792 * other than the VLAN node the adjusted offsets. 7793 * 7794 * This would mean that "vlan" would, instead of changing the 7795 * behavior of *all* tests after it, change only the behavior 7796 * of tests ANDed with it. That would change the documented 7797 * semantics of "vlan", which might break some expressions. 7798 * However, it would mean that "(vlan and ip) or ip" would check 7799 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7800 * checking only for VLAN-encapsulated IP, so that could still 7801 * be considered worth doing; it wouldn't break expressions 7802 * that are of the form "vlan and ..." or "vlan N and ...", 7803 * which I suspect are the most common expressions involving 7804 * "vlan". "vlan or ..." doesn't necessarily do what the user 7805 * would really want, now, as all the "or ..." tests would 7806 * be done assuming a VLAN, even though the "or" could be viewed 7807 * as meaning "or, if this isn't a VLAN packet...". 7808 */ 7809 orig_nl = off_nl; 7810 7811 switch (linktype) { 7812 7813 case DLT_EN10MB: 7814 /* check for VLAN */ 7815 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7816 (bpf_int32)ETHERTYPE_8021Q); 7817 7818 /* If a specific VLAN is requested, check VLAN id */ 7819 if (vlan_num >= 0) { 7820 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7821 (bpf_int32)vlan_num, 0x0fff); 7822 gen_and(b0, b1); 7823 b0 = b1; 7824 } 7825 7826 off_macpl += 4; 7827 off_linktype += 4; 7828 #if 0 7829 off_nl_nosnap += 4; 7830 off_nl += 4; 7831 #endif 7832 break; 7833 7834 default: 7835 bpf_error("no VLAN support for data link type %d", 7836 linktype); 7837 /*NOTREACHED*/ 7838 } 7839 7840 return (b0); 7841 } 7842 7843 /* 7844 * support for MPLS 7845 */ 7846 struct block * 7847 gen_mpls(label_num) 7848 int label_num; 7849 { 7850 struct block *b0,*b1; 7851 7852 /* 7853 * Change the offsets to point to the type and data fields within 7854 * the MPLS packet. Just increment the offsets, so that we 7855 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7856 * capture packets with an outer label of 100000 and an inner 7857 * label of 1024. 7858 * 7859 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7860 */ 7861 orig_nl = off_nl; 7862 7863 if (label_stack_depth > 0) { 7864 /* just match the bottom-of-stack bit clear */ 7865 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 7866 } else { 7867 /* 7868 * Indicate that we're checking MPLS-encapsulated headers, 7869 * to make sure higher level code generators don't try to 7870 * match against IP-related protocols such as Q_ARP, Q_RARP 7871 * etc. 7872 */ 7873 switch (linktype) { 7874 7875 case DLT_C_HDLC: /* fall through */ 7876 case DLT_EN10MB: 7877 b0 = gen_linktype(ETHERTYPE_MPLS); 7878 break; 7879 7880 case DLT_PPP: 7881 b0 = gen_linktype(PPP_MPLS_UCAST); 7882 break; 7883 7884 /* FIXME add other DLT_s ... 7885 * for Frame-Relay/and ATM this may get messy due to SNAP headers 7886 * leave it for now */ 7887 7888 default: 7889 bpf_error("no MPLS support for data link type %d", 7890 linktype); 7891 b0 = NULL; 7892 /*NOTREACHED*/ 7893 break; 7894 } 7895 } 7896 7897 /* If a specific MPLS label is requested, check it */ 7898 if (label_num >= 0) { 7899 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 7900 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 7901 0xfffff000); /* only compare the first 20 bits */ 7902 gen_and(b0, b1); 7903 b0 = b1; 7904 } 7905 7906 off_nl_nosnap += 4; 7907 off_nl += 4; 7908 label_stack_depth++; 7909 return (b0); 7910 } 7911 7912 /* 7913 * Support PPPOE discovery and session. 7914 */ 7915 struct block * 7916 gen_pppoed() 7917 { 7918 /* check for PPPoE discovery */ 7919 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 7920 } 7921 7922 struct block * 7923 gen_pppoes() 7924 { 7925 struct block *b0; 7926 7927 /* 7928 * Test against the PPPoE session link-layer type. 7929 */ 7930 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 7931 7932 /* 7933 * Change the offsets to point to the type and data fields within 7934 * the PPP packet, and note that this is PPPoE rather than 7935 * raw PPP. 7936 * 7937 * XXX - this is a bit of a kludge. If we were to split the 7938 * compiler into a parser that parses an expression and 7939 * generates an expression tree, and a code generator that 7940 * takes an expression tree (which could come from our 7941 * parser or from some other parser) and generates BPF code, 7942 * we could perhaps make the offsets parameters of routines 7943 * and, in the handler for an "AND" node, pass to subnodes 7944 * other than the PPPoE node the adjusted offsets. 7945 * 7946 * This would mean that "pppoes" would, instead of changing the 7947 * behavior of *all* tests after it, change only the behavior 7948 * of tests ANDed with it. That would change the documented 7949 * semantics of "pppoes", which might break some expressions. 7950 * However, it would mean that "(pppoes and ip) or ip" would check 7951 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7952 * checking only for VLAN-encapsulated IP, so that could still 7953 * be considered worth doing; it wouldn't break expressions 7954 * that are of the form "pppoes and ..." which I suspect are the 7955 * most common expressions involving "pppoes". "pppoes or ..." 7956 * doesn't necessarily do what the user would really want, now, 7957 * as all the "or ..." tests would be done assuming PPPoE, even 7958 * though the "or" could be viewed as meaning "or, if this isn't 7959 * a PPPoE packet...". 7960 */ 7961 orig_linktype = off_linktype; /* save original values */ 7962 orig_nl = off_nl; 7963 is_pppoes = 1; 7964 7965 /* 7966 * The "network-layer" protocol is PPPoE, which has a 6-byte 7967 * PPPoE header, followed by a PPP packet. 7968 * 7969 * There is no HDLC encapsulation for the PPP packet (it's 7970 * encapsulated in PPPoES instead), so the link-layer type 7971 * starts at the first byte of the PPP packet. For PPPoE, 7972 * that offset is relative to the beginning of the total 7973 * link-layer payload, including any 802.2 LLC header, so 7974 * it's 6 bytes past off_nl. 7975 */ 7976 off_linktype = off_nl + 6; 7977 7978 /* 7979 * The network-layer offsets are relative to the beginning 7980 * of the MAC-layer payload; that's past the 6-byte 7981 * PPPoE header and the 2-byte PPP header. 7982 */ 7983 off_nl = 6+2; 7984 off_nl_nosnap = 6+2; 7985 7986 return b0; 7987 } 7988 7989 struct block * 7990 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 7991 int atmfield; 7992 bpf_int32 jvalue; 7993 bpf_u_int32 jtype; 7994 int reverse; 7995 { 7996 struct block *b0; 7997 7998 switch (atmfield) { 7999 8000 case A_VPI: 8001 if (!is_atm) 8002 bpf_error("'vpi' supported only on raw ATM"); 8003 if (off_vpi == (u_int)-1) 8004 abort(); 8005 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8006 reverse, jvalue); 8007 break; 8008 8009 case A_VCI: 8010 if (!is_atm) 8011 bpf_error("'vci' supported only on raw ATM"); 8012 if (off_vci == (u_int)-1) 8013 abort(); 8014 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8015 reverse, jvalue); 8016 break; 8017 8018 case A_PROTOTYPE: 8019 if (off_proto == (u_int)-1) 8020 abort(); /* XXX - this isn't on FreeBSD */ 8021 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8022 reverse, jvalue); 8023 break; 8024 8025 case A_MSGTYPE: 8026 if (off_payload == (u_int)-1) 8027 abort(); 8028 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8029 0xffffffff, jtype, reverse, jvalue); 8030 break; 8031 8032 case A_CALLREFTYPE: 8033 if (!is_atm) 8034 bpf_error("'callref' supported only on raw ATM"); 8035 if (off_proto == (u_int)-1) 8036 abort(); 8037 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8038 jtype, reverse, jvalue); 8039 break; 8040 8041 default: 8042 abort(); 8043 } 8044 return b0; 8045 } 8046 8047 struct block * 8048 gen_atmtype_abbrev(type) 8049 int type; 8050 { 8051 struct block *b0, *b1; 8052 8053 switch (type) { 8054 8055 case A_METAC: 8056 /* Get all packets in Meta signalling Circuit */ 8057 if (!is_atm) 8058 bpf_error("'metac' supported only on raw ATM"); 8059 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8060 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8061 gen_and(b0, b1); 8062 break; 8063 8064 case A_BCC: 8065 /* Get all packets in Broadcast Circuit*/ 8066 if (!is_atm) 8067 bpf_error("'bcc' supported only on raw ATM"); 8068 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8069 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8070 gen_and(b0, b1); 8071 break; 8072 8073 case A_OAMF4SC: 8074 /* Get all cells in Segment OAM F4 circuit*/ 8075 if (!is_atm) 8076 bpf_error("'oam4sc' supported only on raw ATM"); 8077 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8078 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8079 gen_and(b0, b1); 8080 break; 8081 8082 case A_OAMF4EC: 8083 /* Get all cells in End-to-End OAM F4 Circuit*/ 8084 if (!is_atm) 8085 bpf_error("'oam4ec' supported only on raw ATM"); 8086 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8087 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8088 gen_and(b0, b1); 8089 break; 8090 8091 case A_SC: 8092 /* Get all packets in connection Signalling Circuit */ 8093 if (!is_atm) 8094 bpf_error("'sc' supported only on raw ATM"); 8095 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8096 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8097 gen_and(b0, b1); 8098 break; 8099 8100 case A_ILMIC: 8101 /* Get all packets in ILMI Circuit */ 8102 if (!is_atm) 8103 bpf_error("'ilmic' supported only on raw ATM"); 8104 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8105 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8106 gen_and(b0, b1); 8107 break; 8108 8109 case A_LANE: 8110 /* Get all LANE packets */ 8111 if (!is_atm) 8112 bpf_error("'lane' supported only on raw ATM"); 8113 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8114 8115 /* 8116 * Arrange that all subsequent tests assume LANE 8117 * rather than LLC-encapsulated packets, and set 8118 * the offsets appropriately for LANE-encapsulated 8119 * Ethernet. 8120 * 8121 * "off_mac" is the offset of the Ethernet header, 8122 * which is 2 bytes past the ATM pseudo-header 8123 * (skipping the pseudo-header and 2-byte LE Client 8124 * field). The other offsets are Ethernet offsets 8125 * relative to "off_mac". 8126 */ 8127 is_lane = 1; 8128 off_mac = off_payload + 2; /* MAC header */ 8129 off_linktype = off_mac + 12; 8130 off_macpl = off_mac + 14; /* Ethernet */ 8131 off_nl = 0; /* Ethernet II */ 8132 off_nl_nosnap = 3; /* 802.3+802.2 */ 8133 break; 8134 8135 case A_LLC: 8136 /* Get all LLC-encapsulated packets */ 8137 if (!is_atm) 8138 bpf_error("'llc' supported only on raw ATM"); 8139 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8140 is_lane = 0; 8141 break; 8142 8143 default: 8144 abort(); 8145 } 8146 return b1; 8147 } 8148 8149 /* 8150 * Filtering for MTP2 messages based on li value 8151 * FISU, length is null 8152 * LSSU, length is 1 or 2 8153 * MSU, length is 3 or more 8154 */ 8155 struct block * 8156 gen_mtp2type_abbrev(type) 8157 int type; 8158 { 8159 struct block *b0, *b1; 8160 8161 switch (type) { 8162 8163 case M_FISU: 8164 if ( (linktype != DLT_MTP2) && 8165 (linktype != DLT_ERF) && 8166 (linktype != DLT_MTP2_WITH_PHDR) ) 8167 bpf_error("'fisu' supported only on MTP2"); 8168 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8169 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8170 break; 8171 8172 case M_LSSU: 8173 if ( (linktype != DLT_MTP2) && 8174 (linktype != DLT_ERF) && 8175 (linktype != DLT_MTP2_WITH_PHDR) ) 8176 bpf_error("'lssu' supported only on MTP2"); 8177 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8178 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8179 gen_and(b1, b0); 8180 break; 8181 8182 case M_MSU: 8183 if ( (linktype != DLT_MTP2) && 8184 (linktype != DLT_ERF) && 8185 (linktype != DLT_MTP2_WITH_PHDR) ) 8186 bpf_error("'msu' supported only on MTP2"); 8187 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8188 break; 8189 8190 default: 8191 abort(); 8192 } 8193 return b0; 8194 } 8195 8196 struct block * 8197 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8198 int mtp3field; 8199 bpf_u_int32 jvalue; 8200 bpf_u_int32 jtype; 8201 int reverse; 8202 { 8203 struct block *b0; 8204 bpf_u_int32 val1 , val2 , val3; 8205 8206 switch (mtp3field) { 8207 8208 case M_SIO: 8209 if (off_sio == (u_int)-1) 8210 bpf_error("'sio' supported only on SS7"); 8211 /* sio coded on 1 byte so max value 255 */ 8212 if(jvalue > 255) 8213 bpf_error("sio value %u too big; max value = 255", 8214 jvalue); 8215 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8216 (u_int)jtype, reverse, (u_int)jvalue); 8217 break; 8218 8219 case M_OPC: 8220 if (off_opc == (u_int)-1) 8221 bpf_error("'opc' supported only on SS7"); 8222 /* opc coded on 14 bits so max value 16383 */ 8223 if (jvalue > 16383) 8224 bpf_error("opc value %u too big; max value = 16383", 8225 jvalue); 8226 /* the following instructions are made to convert jvalue 8227 * to the form used to write opc in an ss7 message*/ 8228 val1 = jvalue & 0x00003c00; 8229 val1 = val1 >>10; 8230 val2 = jvalue & 0x000003fc; 8231 val2 = val2 <<6; 8232 val3 = jvalue & 0x00000003; 8233 val3 = val3 <<22; 8234 jvalue = val1 + val2 + val3; 8235 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8236 (u_int)jtype, reverse, (u_int)jvalue); 8237 break; 8238 8239 case M_DPC: 8240 if (off_dpc == (u_int)-1) 8241 bpf_error("'dpc' supported only on SS7"); 8242 /* dpc coded on 14 bits so max value 16383 */ 8243 if (jvalue > 16383) 8244 bpf_error("dpc value %u too big; max value = 16383", 8245 jvalue); 8246 /* the following instructions are made to convert jvalue 8247 * to the forme used to write dpc in an ss7 message*/ 8248 val1 = jvalue & 0x000000ff; 8249 val1 = val1 << 24; 8250 val2 = jvalue & 0x00003f00; 8251 val2 = val2 << 8; 8252 jvalue = val1 + val2; 8253 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8254 (u_int)jtype, reverse, (u_int)jvalue); 8255 break; 8256 8257 case M_SLS: 8258 if (off_sls == (u_int)-1) 8259 bpf_error("'sls' supported only on SS7"); 8260 /* sls coded on 4 bits so max value 15 */ 8261 if (jvalue > 15) 8262 bpf_error("sls value %u too big; max value = 15", 8263 jvalue); 8264 /* the following instruction is made to convert jvalue 8265 * to the forme used to write sls in an ss7 message*/ 8266 jvalue = jvalue << 4; 8267 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8268 (u_int)jtype,reverse, (u_int)jvalue); 8269 break; 8270 8271 default: 8272 abort(); 8273 } 8274 return b0; 8275 } 8276 8277 static struct block * 8278 gen_msg_abbrev(type) 8279 int type; 8280 { 8281 struct block *b1; 8282 8283 /* 8284 * Q.2931 signalling protocol messages for handling virtual circuits 8285 * establishment and teardown 8286 */ 8287 switch (type) { 8288 8289 case A_SETUP: 8290 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8291 break; 8292 8293 case A_CALLPROCEED: 8294 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8295 break; 8296 8297 case A_CONNECT: 8298 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8299 break; 8300 8301 case A_CONNECTACK: 8302 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8303 break; 8304 8305 case A_RELEASE: 8306 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8307 break; 8308 8309 case A_RELEASE_DONE: 8310 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8311 break; 8312 8313 default: 8314 abort(); 8315 } 8316 return b1; 8317 } 8318 8319 struct block * 8320 gen_atmmulti_abbrev(type) 8321 int type; 8322 { 8323 struct block *b0, *b1; 8324 8325 switch (type) { 8326 8327 case A_OAM: 8328 if (!is_atm) 8329 bpf_error("'oam' supported only on raw ATM"); 8330 b1 = gen_atmmulti_abbrev(A_OAMF4); 8331 break; 8332 8333 case A_OAMF4: 8334 if (!is_atm) 8335 bpf_error("'oamf4' supported only on raw ATM"); 8336 /* OAM F4 type */ 8337 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8338 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8339 gen_or(b0, b1); 8340 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8341 gen_and(b0, b1); 8342 break; 8343 8344 case A_CONNECTMSG: 8345 /* 8346 * Get Q.2931 signalling messages for switched 8347 * virtual connection 8348 */ 8349 if (!is_atm) 8350 bpf_error("'connectmsg' supported only on raw ATM"); 8351 b0 = gen_msg_abbrev(A_SETUP); 8352 b1 = gen_msg_abbrev(A_CALLPROCEED); 8353 gen_or(b0, b1); 8354 b0 = gen_msg_abbrev(A_CONNECT); 8355 gen_or(b0, b1); 8356 b0 = gen_msg_abbrev(A_CONNECTACK); 8357 gen_or(b0, b1); 8358 b0 = gen_msg_abbrev(A_RELEASE); 8359 gen_or(b0, b1); 8360 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8361 gen_or(b0, b1); 8362 b0 = gen_atmtype_abbrev(A_SC); 8363 gen_and(b0, b1); 8364 break; 8365 8366 case A_METACONNECT: 8367 if (!is_atm) 8368 bpf_error("'metaconnect' supported only on raw ATM"); 8369 b0 = gen_msg_abbrev(A_SETUP); 8370 b1 = gen_msg_abbrev(A_CALLPROCEED); 8371 gen_or(b0, b1); 8372 b0 = gen_msg_abbrev(A_CONNECT); 8373 gen_or(b0, b1); 8374 b0 = gen_msg_abbrev(A_RELEASE); 8375 gen_or(b0, b1); 8376 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8377 gen_or(b0, b1); 8378 b0 = gen_atmtype_abbrev(A_METAC); 8379 gen_and(b0, b1); 8380 break; 8381 8382 default: 8383 abort(); 8384 } 8385 return b1; 8386 } 8387