1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * $FreeBSD$ 23 */ 24 #ifndef lint 25 static const char rcsid[] _U_ = 26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)"; 27 #endif 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef WIN32 34 #include <pcap-stdinc.h> 35 #else /* WIN32 */ 36 #if HAVE_INTTYPES_H 37 #include <inttypes.h> 38 #elif HAVE_STDINT_H 39 #include <stdint.h> 40 #endif 41 #ifdef HAVE_SYS_BITYPES_H 42 #include <sys/bitypes.h> 43 #endif 44 #include <sys/types.h> 45 #include <sys/socket.h> 46 #endif /* WIN32 */ 47 48 /* 49 * XXX - why was this included even on UNIX? 50 */ 51 #ifdef __MINGW32__ 52 #include "ip6_misc.h" 53 #endif 54 55 #ifndef WIN32 56 57 #ifdef __NetBSD__ 58 #include <sys/param.h> 59 #endif 60 61 #include <netinet/in.h> 62 #include <arpa/inet.h> 63 64 #endif /* WIN32 */ 65 66 #include <stdlib.h> 67 #include <string.h> 68 #include <memory.h> 69 #include <setjmp.h> 70 #include <stdarg.h> 71 72 #ifdef MSDOS 73 #include "pcap-dos.h" 74 #endif 75 76 #include "pcap-int.h" 77 78 #include "ethertype.h" 79 #include "nlpid.h" 80 #include "llc.h" 81 #include "gencode.h" 82 #include "ieee80211.h" 83 #include "atmuni31.h" 84 #include "sunatmpos.h" 85 #include "ppp.h" 86 #include "pcap/sll.h" 87 #include "pcap/ipnet.h" 88 #include "arcnet.h" 89 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 90 #include <linux/types.h> 91 #include <linux/if_packet.h> 92 #include <linux/filter.h> 93 #endif 94 #ifdef HAVE_NET_PFVAR_H 95 #include <sys/socket.h> 96 #include <net/if.h> 97 #include <net/pfvar.h> 98 #include <net/if_pflog.h> 99 #endif 100 #ifndef offsetof 101 #define offsetof(s, e) ((size_t)&((s *)0)->e) 102 #endif 103 #ifdef INET6 104 #ifndef WIN32 105 #include <netdb.h> /* for "struct addrinfo" */ 106 #endif /* WIN32 */ 107 #endif /*INET6*/ 108 #include <pcap/namedb.h> 109 110 #define ETHERMTU 1500 111 112 #ifndef IPPROTO_SCTP 113 #define IPPROTO_SCTP 132 114 #endif 115 116 #ifdef HAVE_OS_PROTO_H 117 #include "os-proto.h" 118 #endif 119 120 #define JMP(c) ((c)|BPF_JMP|BPF_K) 121 122 /* Locals */ 123 static jmp_buf top_ctx; 124 static pcap_t *bpf_pcap; 125 126 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 127 #ifdef WIN32 128 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 129 #else 130 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 131 #endif 132 133 /* XXX */ 134 #ifdef PCAP_FDDIPAD 135 static int pcap_fddipad; 136 #endif 137 138 /* VARARGS */ 139 void 140 bpf_error(const char *fmt, ...) 141 { 142 va_list ap; 143 144 va_start(ap, fmt); 145 if (bpf_pcap != NULL) 146 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 147 fmt, ap); 148 va_end(ap); 149 longjmp(top_ctx, 1); 150 /* NOTREACHED */ 151 } 152 153 static void init_linktype(pcap_t *); 154 155 static void init_regs(void); 156 static int alloc_reg(void); 157 static void free_reg(int); 158 159 static struct block *root; 160 161 /* 162 * Value passed to gen_load_a() to indicate what the offset argument 163 * is relative to. 164 */ 165 enum e_offrel { 166 OR_PACKET, /* relative to the beginning of the packet */ 167 OR_LINK, /* relative to the beginning of the link-layer header */ 168 OR_MACPL, /* relative to the end of the MAC-layer header */ 169 OR_NET, /* relative to the network-layer header */ 170 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 171 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 172 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 173 }; 174 175 #ifdef INET6 176 /* 177 * As errors are handled by a longjmp, anything allocated must be freed 178 * in the longjmp handler, so it must be reachable from that handler. 179 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 180 * it must be freed with freeaddrinfo(). This variable points to any 181 * addrinfo structure that would need to be freed. 182 */ 183 static struct addrinfo *ai; 184 #endif 185 186 /* 187 * We divy out chunks of memory rather than call malloc each time so 188 * we don't have to worry about leaking memory. It's probably 189 * not a big deal if all this memory was wasted but if this ever 190 * goes into a library that would probably not be a good idea. 191 * 192 * XXX - this *is* in a library.... 193 */ 194 #define NCHUNKS 16 195 #define CHUNK0SIZE 1024 196 struct chunk { 197 u_int n_left; 198 void *m; 199 }; 200 201 static struct chunk chunks[NCHUNKS]; 202 static int cur_chunk; 203 204 static void *newchunk(u_int); 205 static void freechunks(void); 206 static inline struct block *new_block(int); 207 static inline struct slist *new_stmt(int); 208 static struct block *gen_retblk(int); 209 static inline void syntax(void); 210 211 static void backpatch(struct block *, struct block *); 212 static void merge(struct block *, struct block *); 213 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 214 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 215 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 216 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 217 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 218 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 219 bpf_u_int32); 220 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 221 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 222 bpf_u_int32, bpf_u_int32, int, bpf_int32); 223 static struct slist *gen_load_llrel(u_int, u_int); 224 static struct slist *gen_load_macplrel(u_int, u_int); 225 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 226 static struct slist *gen_loadx_iphdrlen(void); 227 static struct block *gen_uncond(int); 228 static inline struct block *gen_true(void); 229 static inline struct block *gen_false(void); 230 static struct block *gen_ether_linktype(int); 231 static struct block *gen_ipnet_linktype(int); 232 static struct block *gen_linux_sll_linktype(int); 233 static struct slist *gen_load_prism_llprefixlen(void); 234 static struct slist *gen_load_avs_llprefixlen(void); 235 static struct slist *gen_load_radiotap_llprefixlen(void); 236 static struct slist *gen_load_ppi_llprefixlen(void); 237 static void insert_compute_vloffsets(struct block *); 238 static struct slist *gen_llprefixlen(void); 239 static struct slist *gen_off_macpl(void); 240 static int ethertype_to_ppptype(int); 241 static struct block *gen_linktype(int); 242 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 243 static struct block *gen_llc_linktype(int); 244 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 245 #ifdef INET6 246 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 247 #endif 248 static struct block *gen_ahostop(const u_char *, int); 249 static struct block *gen_ehostop(const u_char *, int); 250 static struct block *gen_fhostop(const u_char *, int); 251 static struct block *gen_thostop(const u_char *, int); 252 static struct block *gen_wlanhostop(const u_char *, int); 253 static struct block *gen_ipfchostop(const u_char *, int); 254 static struct block *gen_dnhostop(bpf_u_int32, int); 255 static struct block *gen_mpls_linktype(int); 256 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 257 #ifdef INET6 258 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 259 #endif 260 #ifndef INET6 261 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 262 #endif 263 static struct block *gen_ipfrag(void); 264 static struct block *gen_portatom(int, bpf_int32); 265 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 266 #ifdef INET6 267 static struct block *gen_portatom6(int, bpf_int32); 268 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 269 #endif 270 struct block *gen_portop(int, int, int); 271 static struct block *gen_port(int, int, int); 272 struct block *gen_portrangeop(int, int, int, int); 273 static struct block *gen_portrange(int, int, int, int); 274 #ifdef INET6 275 struct block *gen_portop6(int, int, int); 276 static struct block *gen_port6(int, int, int); 277 struct block *gen_portrangeop6(int, int, int, int); 278 static struct block *gen_portrange6(int, int, int, int); 279 #endif 280 static int lookup_proto(const char *, int); 281 static struct block *gen_protochain(int, int, int); 282 static struct block *gen_proto(int, int, int); 283 static struct slist *xfer_to_x(struct arth *); 284 static struct slist *xfer_to_a(struct arth *); 285 static struct block *gen_mac_multicast(int); 286 static struct block *gen_len(int, int); 287 static struct block *gen_check_802_11_data_frame(void); 288 289 static struct block *gen_ppi_dlt_check(void); 290 static struct block *gen_msg_abbrev(int type); 291 292 static void * 293 newchunk(n) 294 u_int n; 295 { 296 struct chunk *cp; 297 int k; 298 size_t size; 299 300 #ifndef __NetBSD__ 301 /* XXX Round up to nearest long. */ 302 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 303 #else 304 /* XXX Round up to structure boundary. */ 305 n = ALIGN(n); 306 #endif 307 308 cp = &chunks[cur_chunk]; 309 if (n > cp->n_left) { 310 ++cp, k = ++cur_chunk; 311 if (k >= NCHUNKS) 312 bpf_error("out of memory"); 313 size = CHUNK0SIZE << k; 314 cp->m = (void *)malloc(size); 315 if (cp->m == NULL) 316 bpf_error("out of memory"); 317 memset((char *)cp->m, 0, size); 318 cp->n_left = size; 319 if (n > size) 320 bpf_error("out of memory"); 321 } 322 cp->n_left -= n; 323 return (void *)((char *)cp->m + cp->n_left); 324 } 325 326 static void 327 freechunks() 328 { 329 int i; 330 331 cur_chunk = 0; 332 for (i = 0; i < NCHUNKS; ++i) 333 if (chunks[i].m != NULL) { 334 free(chunks[i].m); 335 chunks[i].m = NULL; 336 } 337 } 338 339 /* 340 * A strdup whose allocations are freed after code generation is over. 341 */ 342 char * 343 sdup(s) 344 register const char *s; 345 { 346 int n = strlen(s) + 1; 347 char *cp = newchunk(n); 348 349 strlcpy(cp, s, n); 350 return (cp); 351 } 352 353 static inline struct block * 354 new_block(code) 355 int code; 356 { 357 struct block *p; 358 359 p = (struct block *)newchunk(sizeof(*p)); 360 p->s.code = code; 361 p->head = p; 362 363 return p; 364 } 365 366 static inline struct slist * 367 new_stmt(code) 368 int code; 369 { 370 struct slist *p; 371 372 p = (struct slist *)newchunk(sizeof(*p)); 373 p->s.code = code; 374 375 return p; 376 } 377 378 static struct block * 379 gen_retblk(v) 380 int v; 381 { 382 struct block *b = new_block(BPF_RET|BPF_K); 383 384 b->s.k = v; 385 return b; 386 } 387 388 static inline void 389 syntax() 390 { 391 bpf_error("syntax error in filter expression"); 392 } 393 394 static bpf_u_int32 netmask; 395 static int snaplen; 396 int no_optimize; 397 #ifdef WIN32 398 static int 399 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 400 const char *buf, int optimize, bpf_u_int32 mask); 401 402 int 403 pcap_compile(pcap_t *p, struct bpf_program *program, 404 const char *buf, int optimize, bpf_u_int32 mask) 405 { 406 int result; 407 408 EnterCriticalSection(&g_PcapCompileCriticalSection); 409 410 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 411 412 LeaveCriticalSection(&g_PcapCompileCriticalSection); 413 414 return result; 415 } 416 417 static int 418 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 419 const char *buf, int optimize, bpf_u_int32 mask) 420 #else /* WIN32 */ 421 int 422 pcap_compile(pcap_t *p, struct bpf_program *program, 423 const char *buf, int optimize, bpf_u_int32 mask) 424 #endif /* WIN32 */ 425 { 426 extern int n_errors; 427 const char * volatile xbuf = buf; 428 u_int len; 429 430 no_optimize = 0; 431 n_errors = 0; 432 root = NULL; 433 bpf_pcap = p; 434 init_regs(); 435 if (setjmp(top_ctx)) { 436 #ifdef INET6 437 if (ai != NULL) { 438 freeaddrinfo(ai); 439 ai = NULL; 440 } 441 #endif 442 lex_cleanup(); 443 freechunks(); 444 return (-1); 445 } 446 447 netmask = mask; 448 449 snaplen = pcap_snapshot(p); 450 if (snaplen == 0) { 451 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 452 "snaplen of 0 rejects all packets"); 453 return -1; 454 } 455 456 lex_init(xbuf ? xbuf : ""); 457 init_linktype(p); 458 (void)pcap_parse(); 459 460 if (n_errors) 461 syntax(); 462 463 if (root == NULL) 464 root = gen_retblk(snaplen); 465 466 if (optimize && !no_optimize) { 467 bpf_optimize(&root); 468 if (root == NULL || 469 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 470 bpf_error("expression rejects all packets"); 471 } 472 program->bf_insns = icode_to_fcode(root, &len); 473 program->bf_len = len; 474 475 lex_cleanup(); 476 freechunks(); 477 return (0); 478 } 479 480 /* 481 * entry point for using the compiler with no pcap open 482 * pass in all the stuff that is needed explicitly instead. 483 */ 484 int 485 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 486 struct bpf_program *program, 487 const char *buf, int optimize, bpf_u_int32 mask) 488 { 489 pcap_t *p; 490 int ret; 491 492 p = pcap_open_dead(linktype_arg, snaplen_arg); 493 if (p == NULL) 494 return (-1); 495 ret = pcap_compile(p, program, buf, optimize, mask); 496 pcap_close(p); 497 return (ret); 498 } 499 500 /* 501 * Clean up a "struct bpf_program" by freeing all the memory allocated 502 * in it. 503 */ 504 void 505 pcap_freecode(struct bpf_program *program) 506 { 507 program->bf_len = 0; 508 if (program->bf_insns != NULL) { 509 free((char *)program->bf_insns); 510 program->bf_insns = NULL; 511 } 512 } 513 514 /* 515 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 516 * which of the jt and jf fields has been resolved and which is a pointer 517 * back to another unresolved block (or nil). At least one of the fields 518 * in each block is already resolved. 519 */ 520 static void 521 backpatch(list, target) 522 struct block *list, *target; 523 { 524 struct block *next; 525 526 while (list) { 527 if (!list->sense) { 528 next = JT(list); 529 JT(list) = target; 530 } else { 531 next = JF(list); 532 JF(list) = target; 533 } 534 list = next; 535 } 536 } 537 538 /* 539 * Merge the lists in b0 and b1, using the 'sense' field to indicate 540 * which of jt and jf is the link. 541 */ 542 static void 543 merge(b0, b1) 544 struct block *b0, *b1; 545 { 546 register struct block **p = &b0; 547 548 /* Find end of list. */ 549 while (*p) 550 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 551 552 /* Concatenate the lists. */ 553 *p = b1; 554 } 555 556 void 557 finish_parse(p) 558 struct block *p; 559 { 560 struct block *ppi_dlt_check; 561 562 /* 563 * Insert before the statements of the first (root) block any 564 * statements needed to load the lengths of any variable-length 565 * headers into registers. 566 * 567 * XXX - a fancier strategy would be to insert those before the 568 * statements of all blocks that use those lengths and that 569 * have no predecessors that use them, so that we only compute 570 * the lengths if we need them. There might be even better 571 * approaches than that. 572 * 573 * However, those strategies would be more complicated, and 574 * as we don't generate code to compute a length if the 575 * program has no tests that use the length, and as most 576 * tests will probably use those lengths, we would just 577 * postpone computing the lengths so that it's not done 578 * for tests that fail early, and it's not clear that's 579 * worth the effort. 580 */ 581 insert_compute_vloffsets(p->head); 582 583 /* 584 * For DLT_PPI captures, generate a check of the per-packet 585 * DLT value to make sure it's DLT_IEEE802_11. 586 */ 587 ppi_dlt_check = gen_ppi_dlt_check(); 588 if (ppi_dlt_check != NULL) 589 gen_and(ppi_dlt_check, p); 590 591 backpatch(p, gen_retblk(snaplen)); 592 p->sense = !p->sense; 593 backpatch(p, gen_retblk(0)); 594 root = p->head; 595 } 596 597 void 598 gen_and(b0, b1) 599 struct block *b0, *b1; 600 { 601 backpatch(b0, b1->head); 602 b0->sense = !b0->sense; 603 b1->sense = !b1->sense; 604 merge(b1, b0); 605 b1->sense = !b1->sense; 606 b1->head = b0->head; 607 } 608 609 void 610 gen_or(b0, b1) 611 struct block *b0, *b1; 612 { 613 b0->sense = !b0->sense; 614 backpatch(b0, b1->head); 615 b0->sense = !b0->sense; 616 merge(b1, b0); 617 b1->head = b0->head; 618 } 619 620 void 621 gen_not(b) 622 struct block *b; 623 { 624 b->sense = !b->sense; 625 } 626 627 static struct block * 628 gen_cmp(offrel, offset, size, v) 629 enum e_offrel offrel; 630 u_int offset, size; 631 bpf_int32 v; 632 { 633 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 634 } 635 636 static struct block * 637 gen_cmp_gt(offrel, offset, size, v) 638 enum e_offrel offrel; 639 u_int offset, size; 640 bpf_int32 v; 641 { 642 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 643 } 644 645 static struct block * 646 gen_cmp_ge(offrel, offset, size, v) 647 enum e_offrel offrel; 648 u_int offset, size; 649 bpf_int32 v; 650 { 651 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 652 } 653 654 static struct block * 655 gen_cmp_lt(offrel, offset, size, v) 656 enum e_offrel offrel; 657 u_int offset, size; 658 bpf_int32 v; 659 { 660 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 661 } 662 663 static struct block * 664 gen_cmp_le(offrel, offset, size, v) 665 enum e_offrel offrel; 666 u_int offset, size; 667 bpf_int32 v; 668 { 669 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 670 } 671 672 static struct block * 673 gen_mcmp(offrel, offset, size, v, mask) 674 enum e_offrel offrel; 675 u_int offset, size; 676 bpf_int32 v; 677 bpf_u_int32 mask; 678 { 679 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 680 } 681 682 static struct block * 683 gen_bcmp(offrel, offset, size, v) 684 enum e_offrel offrel; 685 register u_int offset, size; 686 register const u_char *v; 687 { 688 register struct block *b, *tmp; 689 690 b = NULL; 691 while (size >= 4) { 692 register const u_char *p = &v[size - 4]; 693 bpf_int32 w = ((bpf_int32)p[0] << 24) | 694 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 695 696 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 697 if (b != NULL) 698 gen_and(b, tmp); 699 b = tmp; 700 size -= 4; 701 } 702 while (size >= 2) { 703 register const u_char *p = &v[size - 2]; 704 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 705 706 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 707 if (b != NULL) 708 gen_and(b, tmp); 709 b = tmp; 710 size -= 2; 711 } 712 if (size > 0) { 713 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 714 if (b != NULL) 715 gen_and(b, tmp); 716 b = tmp; 717 } 718 return b; 719 } 720 721 /* 722 * AND the field of size "size" at offset "offset" relative to the header 723 * specified by "offrel" with "mask", and compare it with the value "v" 724 * with the test specified by "jtype"; if "reverse" is true, the test 725 * should test the opposite of "jtype". 726 */ 727 static struct block * 728 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 729 enum e_offrel offrel; 730 bpf_int32 v; 731 bpf_u_int32 offset, size, mask, jtype; 732 int reverse; 733 { 734 struct slist *s, *s2; 735 struct block *b; 736 737 s = gen_load_a(offrel, offset, size); 738 739 if (mask != 0xffffffff) { 740 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 741 s2->s.k = mask; 742 sappend(s, s2); 743 } 744 745 b = new_block(JMP(jtype)); 746 b->stmts = s; 747 b->s.k = v; 748 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 749 gen_not(b); 750 return b; 751 } 752 753 /* 754 * Various code constructs need to know the layout of the data link 755 * layer. These variables give the necessary offsets from the beginning 756 * of the packet data. 757 */ 758 759 /* 760 * This is the offset of the beginning of the link-layer header from 761 * the beginning of the raw packet data. 762 * 763 * It's usually 0, except for 802.11 with a fixed-length radio header. 764 * (For 802.11 with a variable-length radio header, we have to generate 765 * code to compute that offset; off_ll is 0 in that case.) 766 */ 767 static u_int off_ll; 768 769 /* 770 * If there's a variable-length header preceding the link-layer header, 771 * "reg_off_ll" is the register number for a register containing the 772 * length of that header, and therefore the offset of the link-layer 773 * header from the beginning of the raw packet data. Otherwise, 774 * "reg_off_ll" is -1. 775 */ 776 static int reg_off_ll; 777 778 /* 779 * This is the offset of the beginning of the MAC-layer header from 780 * the beginning of the link-layer header. 781 * It's usually 0, except for ATM LANE, where it's the offset, relative 782 * to the beginning of the raw packet data, of the Ethernet header, and 783 * for Ethernet with various additional information. 784 */ 785 static u_int off_mac; 786 787 /* 788 * This is the offset of the beginning of the MAC-layer payload, 789 * from the beginning of the raw packet data. 790 * 791 * I.e., it's the sum of the length of the link-layer header (without, 792 * for example, any 802.2 LLC header, so it's the MAC-layer 793 * portion of that header), plus any prefix preceding the 794 * link-layer header. 795 */ 796 static u_int off_macpl; 797 798 /* 799 * This is 1 if the offset of the beginning of the MAC-layer payload 800 * from the beginning of the link-layer header is variable-length. 801 */ 802 static int off_macpl_is_variable; 803 804 /* 805 * If the link layer has variable_length headers, "reg_off_macpl" 806 * is the register number for a register containing the length of the 807 * link-layer header plus the length of any variable-length header 808 * preceding the link-layer header. Otherwise, "reg_off_macpl" 809 * is -1. 810 */ 811 static int reg_off_macpl; 812 813 /* 814 * "off_linktype" is the offset to information in the link-layer header 815 * giving the packet type. This offset is relative to the beginning 816 * of the link-layer header (i.e., it doesn't include off_ll). 817 * 818 * For Ethernet, it's the offset of the Ethernet type field. 819 * 820 * For link-layer types that always use 802.2 headers, it's the 821 * offset of the LLC header. 822 * 823 * For PPP, it's the offset of the PPP type field. 824 * 825 * For Cisco HDLC, it's the offset of the CHDLC type field. 826 * 827 * For BSD loopback, it's the offset of the AF_ value. 828 * 829 * For Linux cooked sockets, it's the offset of the type field. 830 * 831 * It's set to -1 for no encapsulation, in which case, IP is assumed. 832 */ 833 static u_int off_linktype; 834 835 /* 836 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 837 * checks to check the PPP header, assumed to follow a LAN-style link- 838 * layer header and a PPPoE session header. 839 */ 840 static int is_pppoes = 0; 841 842 /* 843 * TRUE if the link layer includes an ATM pseudo-header. 844 */ 845 static int is_atm = 0; 846 847 /* 848 * TRUE if "lane" appeared in the filter; it causes us to generate 849 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 850 */ 851 static int is_lane = 0; 852 853 /* 854 * These are offsets for the ATM pseudo-header. 855 */ 856 static u_int off_vpi; 857 static u_int off_vci; 858 static u_int off_proto; 859 860 /* 861 * These are offsets for the MTP2 fields. 862 */ 863 static u_int off_li; 864 865 /* 866 * These are offsets for the MTP3 fields. 867 */ 868 static u_int off_sio; 869 static u_int off_opc; 870 static u_int off_dpc; 871 static u_int off_sls; 872 873 /* 874 * This is the offset of the first byte after the ATM pseudo_header, 875 * or -1 if there is no ATM pseudo-header. 876 */ 877 static u_int off_payload; 878 879 /* 880 * These are offsets to the beginning of the network-layer header. 881 * They are relative to the beginning of the MAC-layer payload (i.e., 882 * they don't include off_ll or off_macpl). 883 * 884 * If the link layer never uses 802.2 LLC: 885 * 886 * "off_nl" and "off_nl_nosnap" are the same. 887 * 888 * If the link layer always uses 802.2 LLC: 889 * 890 * "off_nl" is the offset if there's a SNAP header following 891 * the 802.2 header; 892 * 893 * "off_nl_nosnap" is the offset if there's no SNAP header. 894 * 895 * If the link layer is Ethernet: 896 * 897 * "off_nl" is the offset if the packet is an Ethernet II packet 898 * (we assume no 802.3+802.2+SNAP); 899 * 900 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 901 * with an 802.2 header following it. 902 */ 903 static u_int off_nl; 904 static u_int off_nl_nosnap; 905 906 static int linktype; 907 908 static void 909 init_linktype(p) 910 pcap_t *p; 911 { 912 linktype = pcap_datalink(p); 913 #ifdef PCAP_FDDIPAD 914 pcap_fddipad = p->fddipad; 915 #endif 916 917 /* 918 * Assume it's not raw ATM with a pseudo-header, for now. 919 */ 920 off_mac = 0; 921 is_atm = 0; 922 is_lane = 0; 923 off_vpi = -1; 924 off_vci = -1; 925 off_proto = -1; 926 off_payload = -1; 927 928 /* 929 * And that we're not doing PPPoE. 930 */ 931 is_pppoes = 0; 932 933 /* 934 * And assume we're not doing SS7. 935 */ 936 off_li = -1; 937 off_sio = -1; 938 off_opc = -1; 939 off_dpc = -1; 940 off_sls = -1; 941 942 /* 943 * Also assume it's not 802.11. 944 */ 945 off_ll = 0; 946 off_macpl = 0; 947 off_macpl_is_variable = 0; 948 949 orig_linktype = -1; 950 orig_nl = -1; 951 label_stack_depth = 0; 952 953 reg_off_ll = -1; 954 reg_off_macpl = -1; 955 956 switch (linktype) { 957 958 case DLT_ARCNET: 959 off_linktype = 2; 960 off_macpl = 6; 961 off_nl = 0; /* XXX in reality, variable! */ 962 off_nl_nosnap = 0; /* no 802.2 LLC */ 963 return; 964 965 case DLT_ARCNET_LINUX: 966 off_linktype = 4; 967 off_macpl = 8; 968 off_nl = 0; /* XXX in reality, variable! */ 969 off_nl_nosnap = 0; /* no 802.2 LLC */ 970 return; 971 972 case DLT_EN10MB: 973 off_linktype = 12; 974 off_macpl = 14; /* Ethernet header length */ 975 off_nl = 0; /* Ethernet II */ 976 off_nl_nosnap = 3; /* 802.3+802.2 */ 977 return; 978 979 case DLT_SLIP: 980 /* 981 * SLIP doesn't have a link level type. The 16 byte 982 * header is hacked into our SLIP driver. 983 */ 984 off_linktype = -1; 985 off_macpl = 16; 986 off_nl = 0; 987 off_nl_nosnap = 0; /* no 802.2 LLC */ 988 return; 989 990 case DLT_SLIP_BSDOS: 991 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 992 off_linktype = -1; 993 /* XXX end */ 994 off_macpl = 24; 995 off_nl = 0; 996 off_nl_nosnap = 0; /* no 802.2 LLC */ 997 return; 998 999 case DLT_NULL: 1000 case DLT_LOOP: 1001 off_linktype = 0; 1002 off_macpl = 4; 1003 off_nl = 0; 1004 off_nl_nosnap = 0; /* no 802.2 LLC */ 1005 return; 1006 1007 case DLT_ENC: 1008 off_linktype = 0; 1009 off_macpl = 12; 1010 off_nl = 0; 1011 off_nl_nosnap = 0; /* no 802.2 LLC */ 1012 return; 1013 1014 case DLT_PPP: 1015 case DLT_PPP_PPPD: 1016 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1017 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1018 off_linktype = 2; 1019 off_macpl = 4; 1020 off_nl = 0; 1021 off_nl_nosnap = 0; /* no 802.2 LLC */ 1022 return; 1023 1024 case DLT_PPP_ETHER: 1025 /* 1026 * This does no include the Ethernet header, and 1027 * only covers session state. 1028 */ 1029 off_linktype = 6; 1030 off_macpl = 8; 1031 off_nl = 0; 1032 off_nl_nosnap = 0; /* no 802.2 LLC */ 1033 return; 1034 1035 case DLT_PPP_BSDOS: 1036 off_linktype = 5; 1037 off_macpl = 24; 1038 off_nl = 0; 1039 off_nl_nosnap = 0; /* no 802.2 LLC */ 1040 return; 1041 1042 case DLT_FDDI: 1043 /* 1044 * FDDI doesn't really have a link-level type field. 1045 * We set "off_linktype" to the offset of the LLC header. 1046 * 1047 * To check for Ethernet types, we assume that SSAP = SNAP 1048 * is being used and pick out the encapsulated Ethernet type. 1049 * XXX - should we generate code to check for SNAP? 1050 */ 1051 off_linktype = 13; 1052 #ifdef PCAP_FDDIPAD 1053 off_linktype += pcap_fddipad; 1054 #endif 1055 off_macpl = 13; /* FDDI MAC header length */ 1056 #ifdef PCAP_FDDIPAD 1057 off_macpl += pcap_fddipad; 1058 #endif 1059 off_nl = 8; /* 802.2+SNAP */ 1060 off_nl_nosnap = 3; /* 802.2 */ 1061 return; 1062 1063 case DLT_IEEE802: 1064 /* 1065 * Token Ring doesn't really have a link-level type field. 1066 * We set "off_linktype" to the offset of the LLC header. 1067 * 1068 * To check for Ethernet types, we assume that SSAP = SNAP 1069 * is being used and pick out the encapsulated Ethernet type. 1070 * XXX - should we generate code to check for SNAP? 1071 * 1072 * XXX - the header is actually variable-length. 1073 * Some various Linux patched versions gave 38 1074 * as "off_linktype" and 40 as "off_nl"; however, 1075 * if a token ring packet has *no* routing 1076 * information, i.e. is not source-routed, the correct 1077 * values are 20 and 22, as they are in the vanilla code. 1078 * 1079 * A packet is source-routed iff the uppermost bit 1080 * of the first byte of the source address, at an 1081 * offset of 8, has the uppermost bit set. If the 1082 * packet is source-routed, the total number of bytes 1083 * of routing information is 2 plus bits 0x1F00 of 1084 * the 16-bit value at an offset of 14 (shifted right 1085 * 8 - figure out which byte that is). 1086 */ 1087 off_linktype = 14; 1088 off_macpl = 14; /* Token Ring MAC header length */ 1089 off_nl = 8; /* 802.2+SNAP */ 1090 off_nl_nosnap = 3; /* 802.2 */ 1091 return; 1092 1093 case DLT_IEEE802_11: 1094 case DLT_PRISM_HEADER: 1095 case DLT_IEEE802_11_RADIO_AVS: 1096 case DLT_IEEE802_11_RADIO: 1097 /* 1098 * 802.11 doesn't really have a link-level type field. 1099 * We set "off_linktype" to the offset of the LLC header. 1100 * 1101 * To check for Ethernet types, we assume that SSAP = SNAP 1102 * is being used and pick out the encapsulated Ethernet type. 1103 * XXX - should we generate code to check for SNAP? 1104 * 1105 * We also handle variable-length radio headers here. 1106 * The Prism header is in theory variable-length, but in 1107 * practice it's always 144 bytes long. However, some 1108 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1109 * sometimes or always supply an AVS header, so we 1110 * have to check whether the radio header is a Prism 1111 * header or an AVS header, so, in practice, it's 1112 * variable-length. 1113 */ 1114 off_linktype = 24; 1115 off_macpl = 0; /* link-layer header is variable-length */ 1116 off_macpl_is_variable = 1; 1117 off_nl = 8; /* 802.2+SNAP */ 1118 off_nl_nosnap = 3; /* 802.2 */ 1119 return; 1120 1121 case DLT_PPI: 1122 /* 1123 * At the moment we treat PPI the same way that we treat 1124 * normal Radiotap encoded packets. The difference is in 1125 * the function that generates the code at the beginning 1126 * to compute the header length. Since this code generator 1127 * of PPI supports bare 802.11 encapsulation only (i.e. 1128 * the encapsulated DLT should be DLT_IEEE802_11) we 1129 * generate code to check for this too. 1130 */ 1131 off_linktype = 24; 1132 off_macpl = 0; /* link-layer header is variable-length */ 1133 off_macpl_is_variable = 1; 1134 off_nl = 8; /* 802.2+SNAP */ 1135 off_nl_nosnap = 3; /* 802.2 */ 1136 return; 1137 1138 case DLT_ATM_RFC1483: 1139 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1140 /* 1141 * assume routed, non-ISO PDUs 1142 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1143 * 1144 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1145 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1146 * latter would presumably be treated the way PPPoE 1147 * should be, so you can do "pppoe and udp port 2049" 1148 * or "pppoa and tcp port 80" and have it check for 1149 * PPPo{A,E} and a PPP protocol of IP and.... 1150 */ 1151 off_linktype = 0; 1152 off_macpl = 0; /* packet begins with LLC header */ 1153 off_nl = 8; /* 802.2+SNAP */ 1154 off_nl_nosnap = 3; /* 802.2 */ 1155 return; 1156 1157 case DLT_SUNATM: 1158 /* 1159 * Full Frontal ATM; you get AALn PDUs with an ATM 1160 * pseudo-header. 1161 */ 1162 is_atm = 1; 1163 off_vpi = SUNATM_VPI_POS; 1164 off_vci = SUNATM_VCI_POS; 1165 off_proto = PROTO_POS; 1166 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1167 off_payload = SUNATM_PKT_BEGIN_POS; 1168 off_linktype = off_payload; 1169 off_macpl = off_payload; /* if LLC-encapsulated */ 1170 off_nl = 8; /* 802.2+SNAP */ 1171 off_nl_nosnap = 3; /* 802.2 */ 1172 return; 1173 1174 case DLT_RAW: 1175 case DLT_IPV4: 1176 case DLT_IPV6: 1177 off_linktype = -1; 1178 off_macpl = 0; 1179 off_nl = 0; 1180 off_nl_nosnap = 0; /* no 802.2 LLC */ 1181 return; 1182 1183 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1184 off_linktype = 14; 1185 off_macpl = 16; 1186 off_nl = 0; 1187 off_nl_nosnap = 0; /* no 802.2 LLC */ 1188 return; 1189 1190 case DLT_LTALK: 1191 /* 1192 * LocalTalk does have a 1-byte type field in the LLAP header, 1193 * but really it just indicates whether there is a "short" or 1194 * "long" DDP packet following. 1195 */ 1196 off_linktype = -1; 1197 off_macpl = 0; 1198 off_nl = 0; 1199 off_nl_nosnap = 0; /* no 802.2 LLC */ 1200 return; 1201 1202 case DLT_IP_OVER_FC: 1203 /* 1204 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1205 * link-level type field. We set "off_linktype" to the 1206 * offset of the LLC header. 1207 * 1208 * To check for Ethernet types, we assume that SSAP = SNAP 1209 * is being used and pick out the encapsulated Ethernet type. 1210 * XXX - should we generate code to check for SNAP? RFC 1211 * 2625 says SNAP should be used. 1212 */ 1213 off_linktype = 16; 1214 off_macpl = 16; 1215 off_nl = 8; /* 802.2+SNAP */ 1216 off_nl_nosnap = 3; /* 802.2 */ 1217 return; 1218 1219 case DLT_FRELAY: 1220 /* 1221 * XXX - we should set this to handle SNAP-encapsulated 1222 * frames (NLPID of 0x80). 1223 */ 1224 off_linktype = -1; 1225 off_macpl = 0; 1226 off_nl = 0; 1227 off_nl_nosnap = 0; /* no 802.2 LLC */ 1228 return; 1229 1230 /* 1231 * the only BPF-interesting FRF.16 frames are non-control frames; 1232 * Frame Relay has a variable length link-layer 1233 * so lets start with offset 4 for now and increments later on (FIXME); 1234 */ 1235 case DLT_MFR: 1236 off_linktype = -1; 1237 off_macpl = 0; 1238 off_nl = 4; 1239 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1240 return; 1241 1242 case DLT_APPLE_IP_OVER_IEEE1394: 1243 off_linktype = 16; 1244 off_macpl = 18; 1245 off_nl = 0; 1246 off_nl_nosnap = 0; /* no 802.2 LLC */ 1247 return; 1248 1249 case DLT_SYMANTEC_FIREWALL: 1250 off_linktype = 6; 1251 off_macpl = 44; 1252 off_nl = 0; /* Ethernet II */ 1253 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1254 return; 1255 1256 #ifdef HAVE_NET_PFVAR_H 1257 case DLT_PFLOG: 1258 off_linktype = 0; 1259 off_macpl = PFLOG_HDRLEN; 1260 off_nl = 0; 1261 off_nl_nosnap = 0; /* no 802.2 LLC */ 1262 return; 1263 #endif 1264 1265 case DLT_JUNIPER_MFR: 1266 case DLT_JUNIPER_MLFR: 1267 case DLT_JUNIPER_MLPPP: 1268 case DLT_JUNIPER_PPP: 1269 case DLT_JUNIPER_CHDLC: 1270 case DLT_JUNIPER_FRELAY: 1271 off_linktype = 4; 1272 off_macpl = 4; 1273 off_nl = 0; 1274 off_nl_nosnap = -1; /* no 802.2 LLC */ 1275 return; 1276 1277 case DLT_JUNIPER_ATM1: 1278 off_linktype = 4; /* in reality variable between 4-8 */ 1279 off_macpl = 4; /* in reality variable between 4-8 */ 1280 off_nl = 0; 1281 off_nl_nosnap = 10; 1282 return; 1283 1284 case DLT_JUNIPER_ATM2: 1285 off_linktype = 8; /* in reality variable between 8-12 */ 1286 off_macpl = 8; /* in reality variable between 8-12 */ 1287 off_nl = 0; 1288 off_nl_nosnap = 10; 1289 return; 1290 1291 /* frames captured on a Juniper PPPoE service PIC 1292 * contain raw ethernet frames */ 1293 case DLT_JUNIPER_PPPOE: 1294 case DLT_JUNIPER_ETHER: 1295 off_macpl = 14; 1296 off_linktype = 16; 1297 off_nl = 18; /* Ethernet II */ 1298 off_nl_nosnap = 21; /* 802.3+802.2 */ 1299 return; 1300 1301 case DLT_JUNIPER_PPPOE_ATM: 1302 off_linktype = 4; 1303 off_macpl = 6; 1304 off_nl = 0; 1305 off_nl_nosnap = -1; /* no 802.2 LLC */ 1306 return; 1307 1308 case DLT_JUNIPER_GGSN: 1309 off_linktype = 6; 1310 off_macpl = 12; 1311 off_nl = 0; 1312 off_nl_nosnap = -1; /* no 802.2 LLC */ 1313 return; 1314 1315 case DLT_JUNIPER_ES: 1316 off_linktype = 6; 1317 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1318 off_nl = -1; /* not really a network layer but raw IP addresses */ 1319 off_nl_nosnap = -1; /* no 802.2 LLC */ 1320 return; 1321 1322 case DLT_JUNIPER_MONITOR: 1323 off_linktype = 12; 1324 off_macpl = 12; 1325 off_nl = 0; /* raw IP/IP6 header */ 1326 off_nl_nosnap = -1; /* no 802.2 LLC */ 1327 return; 1328 1329 case DLT_JUNIPER_SERVICES: 1330 off_linktype = 12; 1331 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1332 off_nl = -1; /* L3 proto location dep. on cookie type */ 1333 off_nl_nosnap = -1; /* no 802.2 LLC */ 1334 return; 1335 1336 case DLT_JUNIPER_VP: 1337 off_linktype = 18; 1338 off_macpl = -1; 1339 off_nl = -1; 1340 off_nl_nosnap = -1; 1341 return; 1342 1343 case DLT_JUNIPER_ST: 1344 off_linktype = 18; 1345 off_macpl = -1; 1346 off_nl = -1; 1347 off_nl_nosnap = -1; 1348 return; 1349 1350 case DLT_JUNIPER_ISM: 1351 off_linktype = 8; 1352 off_macpl = -1; 1353 off_nl = -1; 1354 off_nl_nosnap = -1; 1355 return; 1356 1357 case DLT_JUNIPER_VS: 1358 case DLT_JUNIPER_SRX_E2E: 1359 case DLT_JUNIPER_FIBRECHANNEL: 1360 case DLT_JUNIPER_ATM_CEMIC: 1361 off_linktype = 8; 1362 off_macpl = -1; 1363 off_nl = -1; 1364 off_nl_nosnap = -1; 1365 return; 1366 1367 case DLT_MTP2: 1368 off_li = 2; 1369 off_sio = 3; 1370 off_opc = 4; 1371 off_dpc = 4; 1372 off_sls = 7; 1373 off_linktype = -1; 1374 off_macpl = -1; 1375 off_nl = -1; 1376 off_nl_nosnap = -1; 1377 return; 1378 1379 case DLT_MTP2_WITH_PHDR: 1380 off_li = 6; 1381 off_sio = 7; 1382 off_opc = 8; 1383 off_dpc = 8; 1384 off_sls = 11; 1385 off_linktype = -1; 1386 off_macpl = -1; 1387 off_nl = -1; 1388 off_nl_nosnap = -1; 1389 return; 1390 1391 case DLT_ERF: 1392 off_li = 22; 1393 off_sio = 23; 1394 off_opc = 24; 1395 off_dpc = 24; 1396 off_sls = 27; 1397 off_linktype = -1; 1398 off_macpl = -1; 1399 off_nl = -1; 1400 off_nl_nosnap = -1; 1401 return; 1402 1403 case DLT_PFSYNC: 1404 off_linktype = -1; 1405 off_macpl = 4; 1406 off_nl = 0; 1407 off_nl_nosnap = 0; 1408 return; 1409 1410 case DLT_AX25_KISS: 1411 /* 1412 * Currently, only raw "link[N:M]" filtering is supported. 1413 */ 1414 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1415 off_macpl = -1; 1416 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1417 off_nl_nosnap = -1; /* no 802.2 LLC */ 1418 off_mac = 1; /* step over the kiss length byte */ 1419 return; 1420 1421 case DLT_IPNET: 1422 off_linktype = 1; 1423 off_macpl = 24; /* ipnet header length */ 1424 off_nl = 0; 1425 off_nl_nosnap = -1; 1426 return; 1427 1428 case DLT_NETANALYZER: 1429 off_mac = 4; /* MAC header is past 4-byte pseudo-header */ 1430 off_linktype = 16; /* includes 4-byte pseudo-header */ 1431 off_macpl = 18; /* pseudo-header+Ethernet header length */ 1432 off_nl = 0; /* Ethernet II */ 1433 off_nl_nosnap = 3; /* 802.3+802.2 */ 1434 return; 1435 1436 case DLT_NETANALYZER_TRANSPARENT: 1437 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1438 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */ 1439 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */ 1440 off_nl = 0; /* Ethernet II */ 1441 off_nl_nosnap = 3; /* 802.3+802.2 */ 1442 return; 1443 1444 default: 1445 /* 1446 * For values in the range in which we've assigned new 1447 * DLT_ values, only raw "link[N:M]" filtering is supported. 1448 */ 1449 if (linktype >= DLT_MATCHING_MIN && 1450 linktype <= DLT_MATCHING_MAX) { 1451 off_linktype = -1; 1452 off_macpl = -1; 1453 off_nl = -1; 1454 off_nl_nosnap = -1; 1455 return; 1456 } 1457 1458 } 1459 bpf_error("unknown data link type %d", linktype); 1460 /* NOTREACHED */ 1461 } 1462 1463 /* 1464 * Load a value relative to the beginning of the link-layer header. 1465 * The link-layer header doesn't necessarily begin at the beginning 1466 * of the packet data; there might be a variable-length prefix containing 1467 * radio information. 1468 */ 1469 static struct slist * 1470 gen_load_llrel(offset, size) 1471 u_int offset, size; 1472 { 1473 struct slist *s, *s2; 1474 1475 s = gen_llprefixlen(); 1476 1477 /* 1478 * If "s" is non-null, it has code to arrange that the X register 1479 * contains the length of the prefix preceding the link-layer 1480 * header. 1481 * 1482 * Otherwise, the length of the prefix preceding the link-layer 1483 * header is "off_ll". 1484 */ 1485 if (s != NULL) { 1486 /* 1487 * There's a variable-length prefix preceding the 1488 * link-layer header. "s" points to a list of statements 1489 * that put the length of that prefix into the X register. 1490 * do an indirect load, to use the X register as an offset. 1491 */ 1492 s2 = new_stmt(BPF_LD|BPF_IND|size); 1493 s2->s.k = offset; 1494 sappend(s, s2); 1495 } else { 1496 /* 1497 * There is no variable-length header preceding the 1498 * link-layer header; add in off_ll, which, if there's 1499 * a fixed-length header preceding the link-layer header, 1500 * is the length of that header. 1501 */ 1502 s = new_stmt(BPF_LD|BPF_ABS|size); 1503 s->s.k = offset + off_ll; 1504 } 1505 return s; 1506 } 1507 1508 /* 1509 * Load a value relative to the beginning of the MAC-layer payload. 1510 */ 1511 static struct slist * 1512 gen_load_macplrel(offset, size) 1513 u_int offset, size; 1514 { 1515 struct slist *s, *s2; 1516 1517 s = gen_off_macpl(); 1518 1519 /* 1520 * If s is non-null, the offset of the MAC-layer payload is 1521 * variable, and s points to a list of instructions that 1522 * arrange that the X register contains that offset. 1523 * 1524 * Otherwise, the offset of the MAC-layer payload is constant, 1525 * and is in off_macpl. 1526 */ 1527 if (s != NULL) { 1528 /* 1529 * The offset of the MAC-layer payload is in the X 1530 * register. Do an indirect load, to use the X register 1531 * as an offset. 1532 */ 1533 s2 = new_stmt(BPF_LD|BPF_IND|size); 1534 s2->s.k = offset; 1535 sappend(s, s2); 1536 } else { 1537 /* 1538 * The offset of the MAC-layer payload is constant, 1539 * and is in off_macpl; load the value at that offset 1540 * plus the specified offset. 1541 */ 1542 s = new_stmt(BPF_LD|BPF_ABS|size); 1543 s->s.k = off_macpl + offset; 1544 } 1545 return s; 1546 } 1547 1548 /* 1549 * Load a value relative to the beginning of the specified header. 1550 */ 1551 static struct slist * 1552 gen_load_a(offrel, offset, size) 1553 enum e_offrel offrel; 1554 u_int offset, size; 1555 { 1556 struct slist *s, *s2; 1557 1558 switch (offrel) { 1559 1560 case OR_PACKET: 1561 s = new_stmt(BPF_LD|BPF_ABS|size); 1562 s->s.k = offset; 1563 break; 1564 1565 case OR_LINK: 1566 s = gen_load_llrel(offset, size); 1567 break; 1568 1569 case OR_MACPL: 1570 s = gen_load_macplrel(offset, size); 1571 break; 1572 1573 case OR_NET: 1574 s = gen_load_macplrel(off_nl + offset, size); 1575 break; 1576 1577 case OR_NET_NOSNAP: 1578 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1579 break; 1580 1581 case OR_TRAN_IPV4: 1582 /* 1583 * Load the X register with the length of the IPv4 header 1584 * (plus the offset of the link-layer header, if it's 1585 * preceded by a variable-length header such as a radio 1586 * header), in bytes. 1587 */ 1588 s = gen_loadx_iphdrlen(); 1589 1590 /* 1591 * Load the item at {offset of the MAC-layer payload} + 1592 * {offset, relative to the start of the MAC-layer 1593 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1594 * {specified offset}. 1595 * 1596 * (If the offset of the MAC-layer payload is variable, 1597 * it's included in the value in the X register, and 1598 * off_macpl is 0.) 1599 */ 1600 s2 = new_stmt(BPF_LD|BPF_IND|size); 1601 s2->s.k = off_macpl + off_nl + offset; 1602 sappend(s, s2); 1603 break; 1604 1605 case OR_TRAN_IPV6: 1606 s = gen_load_macplrel(off_nl + 40 + offset, size); 1607 break; 1608 1609 default: 1610 abort(); 1611 return NULL; 1612 } 1613 return s; 1614 } 1615 1616 /* 1617 * Generate code to load into the X register the sum of the length of 1618 * the IPv4 header and any variable-length header preceding the link-layer 1619 * header. 1620 */ 1621 static struct slist * 1622 gen_loadx_iphdrlen() 1623 { 1624 struct slist *s, *s2; 1625 1626 s = gen_off_macpl(); 1627 if (s != NULL) { 1628 /* 1629 * There's a variable-length prefix preceding the 1630 * link-layer header, or the link-layer header is itself 1631 * variable-length. "s" points to a list of statements 1632 * that put the offset of the MAC-layer payload into 1633 * the X register. 1634 * 1635 * The 4*([k]&0xf) addressing mode can't be used, as we 1636 * don't have a constant offset, so we have to load the 1637 * value in question into the A register and add to it 1638 * the value from the X register. 1639 */ 1640 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1641 s2->s.k = off_nl; 1642 sappend(s, s2); 1643 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1644 s2->s.k = 0xf; 1645 sappend(s, s2); 1646 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1647 s2->s.k = 2; 1648 sappend(s, s2); 1649 1650 /* 1651 * The A register now contains the length of the 1652 * IP header. We need to add to it the offset of 1653 * the MAC-layer payload, which is still in the X 1654 * register, and move the result into the X register. 1655 */ 1656 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1657 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1658 } else { 1659 /* 1660 * There is no variable-length header preceding the 1661 * link-layer header, and the link-layer header is 1662 * fixed-length; load the length of the IPv4 header, 1663 * which is at an offset of off_nl from the beginning 1664 * of the MAC-layer payload, and thus at an offset 1665 * of off_mac_pl + off_nl from the beginning of the 1666 * raw packet data. 1667 */ 1668 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1669 s->s.k = off_macpl + off_nl; 1670 } 1671 return s; 1672 } 1673 1674 static struct block * 1675 gen_uncond(rsense) 1676 int rsense; 1677 { 1678 struct block *b; 1679 struct slist *s; 1680 1681 s = new_stmt(BPF_LD|BPF_IMM); 1682 s->s.k = !rsense; 1683 b = new_block(JMP(BPF_JEQ)); 1684 b->stmts = s; 1685 1686 return b; 1687 } 1688 1689 static inline struct block * 1690 gen_true() 1691 { 1692 return gen_uncond(1); 1693 } 1694 1695 static inline struct block * 1696 gen_false() 1697 { 1698 return gen_uncond(0); 1699 } 1700 1701 /* 1702 * Byte-swap a 32-bit number. 1703 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1704 * big-endian platforms.) 1705 */ 1706 #define SWAPLONG(y) \ 1707 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1708 1709 /* 1710 * Generate code to match a particular packet type. 1711 * 1712 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1713 * value, if <= ETHERMTU. We use that to determine whether to 1714 * match the type/length field or to check the type/length field for 1715 * a value <= ETHERMTU to see whether it's a type field and then do 1716 * the appropriate test. 1717 */ 1718 static struct block * 1719 gen_ether_linktype(proto) 1720 register int proto; 1721 { 1722 struct block *b0, *b1; 1723 1724 switch (proto) { 1725 1726 case LLCSAP_ISONS: 1727 case LLCSAP_IP: 1728 case LLCSAP_NETBEUI: 1729 /* 1730 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1731 * so we check the DSAP and SSAP. 1732 * 1733 * LLCSAP_IP checks for IP-over-802.2, rather 1734 * than IP-over-Ethernet or IP-over-SNAP. 1735 * 1736 * XXX - should we check both the DSAP and the 1737 * SSAP, like this, or should we check just the 1738 * DSAP, as we do for other types <= ETHERMTU 1739 * (i.e., other SAP values)? 1740 */ 1741 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1742 gen_not(b0); 1743 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1744 ((proto << 8) | proto)); 1745 gen_and(b0, b1); 1746 return b1; 1747 1748 case LLCSAP_IPX: 1749 /* 1750 * Check for; 1751 * 1752 * Ethernet_II frames, which are Ethernet 1753 * frames with a frame type of ETHERTYPE_IPX; 1754 * 1755 * Ethernet_802.3 frames, which are 802.3 1756 * frames (i.e., the type/length field is 1757 * a length field, <= ETHERMTU, rather than 1758 * a type field) with the first two bytes 1759 * after the Ethernet/802.3 header being 1760 * 0xFFFF; 1761 * 1762 * Ethernet_802.2 frames, which are 802.3 1763 * frames with an 802.2 LLC header and 1764 * with the IPX LSAP as the DSAP in the LLC 1765 * header; 1766 * 1767 * Ethernet_SNAP frames, which are 802.3 1768 * frames with an LLC header and a SNAP 1769 * header and with an OUI of 0x000000 1770 * (encapsulated Ethernet) and a protocol 1771 * ID of ETHERTYPE_IPX in the SNAP header. 1772 * 1773 * XXX - should we generate the same code both 1774 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1775 */ 1776 1777 /* 1778 * This generates code to check both for the 1779 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1780 */ 1781 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1782 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1783 gen_or(b0, b1); 1784 1785 /* 1786 * Now we add code to check for SNAP frames with 1787 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1788 */ 1789 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1790 gen_or(b0, b1); 1791 1792 /* 1793 * Now we generate code to check for 802.3 1794 * frames in general. 1795 */ 1796 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1797 gen_not(b0); 1798 1799 /* 1800 * Now add the check for 802.3 frames before the 1801 * check for Ethernet_802.2 and Ethernet_802.3, 1802 * as those checks should only be done on 802.3 1803 * frames, not on Ethernet frames. 1804 */ 1805 gen_and(b0, b1); 1806 1807 /* 1808 * Now add the check for Ethernet_II frames, and 1809 * do that before checking for the other frame 1810 * types. 1811 */ 1812 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1813 (bpf_int32)ETHERTYPE_IPX); 1814 gen_or(b0, b1); 1815 return b1; 1816 1817 case ETHERTYPE_ATALK: 1818 case ETHERTYPE_AARP: 1819 /* 1820 * EtherTalk (AppleTalk protocols on Ethernet link 1821 * layer) may use 802.2 encapsulation. 1822 */ 1823 1824 /* 1825 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1826 * we check for an Ethernet type field less than 1827 * 1500, which means it's an 802.3 length field. 1828 */ 1829 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1830 gen_not(b0); 1831 1832 /* 1833 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1834 * SNAP packets with an organization code of 1835 * 0x080007 (Apple, for Appletalk) and a protocol 1836 * type of ETHERTYPE_ATALK (Appletalk). 1837 * 1838 * 802.2-encapsulated ETHERTYPE_AARP packets are 1839 * SNAP packets with an organization code of 1840 * 0x000000 (encapsulated Ethernet) and a protocol 1841 * type of ETHERTYPE_AARP (Appletalk ARP). 1842 */ 1843 if (proto == ETHERTYPE_ATALK) 1844 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1845 else /* proto == ETHERTYPE_AARP */ 1846 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1847 gen_and(b0, b1); 1848 1849 /* 1850 * Check for Ethernet encapsulation (Ethertalk 1851 * phase 1?); we just check for the Ethernet 1852 * protocol type. 1853 */ 1854 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1855 1856 gen_or(b0, b1); 1857 return b1; 1858 1859 default: 1860 if (proto <= ETHERMTU) { 1861 /* 1862 * This is an LLC SAP value, so the frames 1863 * that match would be 802.2 frames. 1864 * Check that the frame is an 802.2 frame 1865 * (i.e., that the length/type field is 1866 * a length field, <= ETHERMTU) and 1867 * then check the DSAP. 1868 */ 1869 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1870 gen_not(b0); 1871 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1872 (bpf_int32)proto); 1873 gen_and(b0, b1); 1874 return b1; 1875 } else { 1876 /* 1877 * This is an Ethernet type, so compare 1878 * the length/type field with it (if 1879 * the frame is an 802.2 frame, the length 1880 * field will be <= ETHERMTU, and, as 1881 * "proto" is > ETHERMTU, this test 1882 * will fail and the frame won't match, 1883 * which is what we want). 1884 */ 1885 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1886 (bpf_int32)proto); 1887 } 1888 } 1889 } 1890 1891 /* 1892 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1893 * or IPv6 then we have an error. 1894 */ 1895 static struct block * 1896 gen_ipnet_linktype(proto) 1897 register int proto; 1898 { 1899 switch (proto) { 1900 1901 case ETHERTYPE_IP: 1902 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1903 (bpf_int32)IPH_AF_INET); 1904 /* NOTREACHED */ 1905 1906 case ETHERTYPE_IPV6: 1907 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1908 (bpf_int32)IPH_AF_INET6); 1909 /* NOTREACHED */ 1910 1911 default: 1912 break; 1913 } 1914 1915 return gen_false(); 1916 } 1917 1918 /* 1919 * Generate code to match a particular packet type. 1920 * 1921 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1922 * value, if <= ETHERMTU. We use that to determine whether to 1923 * match the type field or to check the type field for the special 1924 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1925 */ 1926 static struct block * 1927 gen_linux_sll_linktype(proto) 1928 register int proto; 1929 { 1930 struct block *b0, *b1; 1931 1932 switch (proto) { 1933 1934 case LLCSAP_ISONS: 1935 case LLCSAP_IP: 1936 case LLCSAP_NETBEUI: 1937 /* 1938 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1939 * so we check the DSAP and SSAP. 1940 * 1941 * LLCSAP_IP checks for IP-over-802.2, rather 1942 * than IP-over-Ethernet or IP-over-SNAP. 1943 * 1944 * XXX - should we check both the DSAP and the 1945 * SSAP, like this, or should we check just the 1946 * DSAP, as we do for other types <= ETHERMTU 1947 * (i.e., other SAP values)? 1948 */ 1949 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1950 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1951 ((proto << 8) | proto)); 1952 gen_and(b0, b1); 1953 return b1; 1954 1955 case LLCSAP_IPX: 1956 /* 1957 * Ethernet_II frames, which are Ethernet 1958 * frames with a frame type of ETHERTYPE_IPX; 1959 * 1960 * Ethernet_802.3 frames, which have a frame 1961 * type of LINUX_SLL_P_802_3; 1962 * 1963 * Ethernet_802.2 frames, which are 802.3 1964 * frames with an 802.2 LLC header (i.e, have 1965 * a frame type of LINUX_SLL_P_802_2) and 1966 * with the IPX LSAP as the DSAP in the LLC 1967 * header; 1968 * 1969 * Ethernet_SNAP frames, which are 802.3 1970 * frames with an LLC header and a SNAP 1971 * header and with an OUI of 0x000000 1972 * (encapsulated Ethernet) and a protocol 1973 * ID of ETHERTYPE_IPX in the SNAP header. 1974 * 1975 * First, do the checks on LINUX_SLL_P_802_2 1976 * frames; generate the check for either 1977 * Ethernet_802.2 or Ethernet_SNAP frames, and 1978 * then put a check for LINUX_SLL_P_802_2 frames 1979 * before it. 1980 */ 1981 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1982 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 1983 gen_or(b0, b1); 1984 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1985 gen_and(b0, b1); 1986 1987 /* 1988 * Now check for 802.3 frames and OR that with 1989 * the previous test. 1990 */ 1991 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 1992 gen_or(b0, b1); 1993 1994 /* 1995 * Now add the check for Ethernet_II frames, and 1996 * do that before checking for the other frame 1997 * types. 1998 */ 1999 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2000 (bpf_int32)ETHERTYPE_IPX); 2001 gen_or(b0, b1); 2002 return b1; 2003 2004 case ETHERTYPE_ATALK: 2005 case ETHERTYPE_AARP: 2006 /* 2007 * EtherTalk (AppleTalk protocols on Ethernet link 2008 * layer) may use 802.2 encapsulation. 2009 */ 2010 2011 /* 2012 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2013 * we check for the 802.2 protocol type in the 2014 * "Ethernet type" field. 2015 */ 2016 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2017 2018 /* 2019 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2020 * SNAP packets with an organization code of 2021 * 0x080007 (Apple, for Appletalk) and a protocol 2022 * type of ETHERTYPE_ATALK (Appletalk). 2023 * 2024 * 802.2-encapsulated ETHERTYPE_AARP packets are 2025 * SNAP packets with an organization code of 2026 * 0x000000 (encapsulated Ethernet) and a protocol 2027 * type of ETHERTYPE_AARP (Appletalk ARP). 2028 */ 2029 if (proto == ETHERTYPE_ATALK) 2030 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2031 else /* proto == ETHERTYPE_AARP */ 2032 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2033 gen_and(b0, b1); 2034 2035 /* 2036 * Check for Ethernet encapsulation (Ethertalk 2037 * phase 1?); we just check for the Ethernet 2038 * protocol type. 2039 */ 2040 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2041 2042 gen_or(b0, b1); 2043 return b1; 2044 2045 default: 2046 if (proto <= ETHERMTU) { 2047 /* 2048 * This is an LLC SAP value, so the frames 2049 * that match would be 802.2 frames. 2050 * Check for the 802.2 protocol type 2051 * in the "Ethernet type" field, and 2052 * then check the DSAP. 2053 */ 2054 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2055 LINUX_SLL_P_802_2); 2056 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2057 (bpf_int32)proto); 2058 gen_and(b0, b1); 2059 return b1; 2060 } else { 2061 /* 2062 * This is an Ethernet type, so compare 2063 * the length/type field with it (if 2064 * the frame is an 802.2 frame, the length 2065 * field will be <= ETHERMTU, and, as 2066 * "proto" is > ETHERMTU, this test 2067 * will fail and the frame won't match, 2068 * which is what we want). 2069 */ 2070 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2071 (bpf_int32)proto); 2072 } 2073 } 2074 } 2075 2076 static struct slist * 2077 gen_load_prism_llprefixlen() 2078 { 2079 struct slist *s1, *s2; 2080 struct slist *sjeq_avs_cookie; 2081 struct slist *sjcommon; 2082 2083 /* 2084 * This code is not compatible with the optimizer, as 2085 * we are generating jmp instructions within a normal 2086 * slist of instructions 2087 */ 2088 no_optimize = 1; 2089 2090 /* 2091 * Generate code to load the length of the radio header into 2092 * the register assigned to hold that length, if one has been 2093 * assigned. (If one hasn't been assigned, no code we've 2094 * generated uses that prefix, so we don't need to generate any 2095 * code to load it.) 2096 * 2097 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2098 * or always use the AVS header rather than the Prism header. 2099 * We load a 4-byte big-endian value at the beginning of the 2100 * raw packet data, and see whether, when masked with 0xFFFFF000, 2101 * it's equal to 0x80211000. If so, that indicates that it's 2102 * an AVS header (the masked-out bits are the version number). 2103 * Otherwise, it's a Prism header. 2104 * 2105 * XXX - the Prism header is also, in theory, variable-length, 2106 * but no known software generates headers that aren't 144 2107 * bytes long. 2108 */ 2109 if (reg_off_ll != -1) { 2110 /* 2111 * Load the cookie. 2112 */ 2113 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2114 s1->s.k = 0; 2115 2116 /* 2117 * AND it with 0xFFFFF000. 2118 */ 2119 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2120 s2->s.k = 0xFFFFF000; 2121 sappend(s1, s2); 2122 2123 /* 2124 * Compare with 0x80211000. 2125 */ 2126 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2127 sjeq_avs_cookie->s.k = 0x80211000; 2128 sappend(s1, sjeq_avs_cookie); 2129 2130 /* 2131 * If it's AVS: 2132 * 2133 * The 4 bytes at an offset of 4 from the beginning of 2134 * the AVS header are the length of the AVS header. 2135 * That field is big-endian. 2136 */ 2137 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2138 s2->s.k = 4; 2139 sappend(s1, s2); 2140 sjeq_avs_cookie->s.jt = s2; 2141 2142 /* 2143 * Now jump to the code to allocate a register 2144 * into which to save the header length and 2145 * store the length there. (The "jump always" 2146 * instruction needs to have the k field set; 2147 * it's added to the PC, so, as we're jumping 2148 * over a single instruction, it should be 1.) 2149 */ 2150 sjcommon = new_stmt(JMP(BPF_JA)); 2151 sjcommon->s.k = 1; 2152 sappend(s1, sjcommon); 2153 2154 /* 2155 * Now for the code that handles the Prism header. 2156 * Just load the length of the Prism header (144) 2157 * into the A register. Have the test for an AVS 2158 * header branch here if we don't have an AVS header. 2159 */ 2160 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2161 s2->s.k = 144; 2162 sappend(s1, s2); 2163 sjeq_avs_cookie->s.jf = s2; 2164 2165 /* 2166 * Now allocate a register to hold that value and store 2167 * it. The code for the AVS header will jump here after 2168 * loading the length of the AVS header. 2169 */ 2170 s2 = new_stmt(BPF_ST); 2171 s2->s.k = reg_off_ll; 2172 sappend(s1, s2); 2173 sjcommon->s.jf = s2; 2174 2175 /* 2176 * Now move it into the X register. 2177 */ 2178 s2 = new_stmt(BPF_MISC|BPF_TAX); 2179 sappend(s1, s2); 2180 2181 return (s1); 2182 } else 2183 return (NULL); 2184 } 2185 2186 static struct slist * 2187 gen_load_avs_llprefixlen() 2188 { 2189 struct slist *s1, *s2; 2190 2191 /* 2192 * Generate code to load the length of the AVS header into 2193 * the register assigned to hold that length, if one has been 2194 * assigned. (If one hasn't been assigned, no code we've 2195 * generated uses that prefix, so we don't need to generate any 2196 * code to load it.) 2197 */ 2198 if (reg_off_ll != -1) { 2199 /* 2200 * The 4 bytes at an offset of 4 from the beginning of 2201 * the AVS header are the length of the AVS header. 2202 * That field is big-endian. 2203 */ 2204 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2205 s1->s.k = 4; 2206 2207 /* 2208 * Now allocate a register to hold that value and store 2209 * it. 2210 */ 2211 s2 = new_stmt(BPF_ST); 2212 s2->s.k = reg_off_ll; 2213 sappend(s1, s2); 2214 2215 /* 2216 * Now move it into the X register. 2217 */ 2218 s2 = new_stmt(BPF_MISC|BPF_TAX); 2219 sappend(s1, s2); 2220 2221 return (s1); 2222 } else 2223 return (NULL); 2224 } 2225 2226 static struct slist * 2227 gen_load_radiotap_llprefixlen() 2228 { 2229 struct slist *s1, *s2; 2230 2231 /* 2232 * Generate code to load the length of the radiotap header into 2233 * the register assigned to hold that length, if one has been 2234 * assigned. (If one hasn't been assigned, no code we've 2235 * generated uses that prefix, so we don't need to generate any 2236 * code to load it.) 2237 */ 2238 if (reg_off_ll != -1) { 2239 /* 2240 * The 2 bytes at offsets of 2 and 3 from the beginning 2241 * of the radiotap header are the length of the radiotap 2242 * header; unfortunately, it's little-endian, so we have 2243 * to load it a byte at a time and construct the value. 2244 */ 2245 2246 /* 2247 * Load the high-order byte, at an offset of 3, shift it 2248 * left a byte, and put the result in the X register. 2249 */ 2250 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2251 s1->s.k = 3; 2252 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2253 sappend(s1, s2); 2254 s2->s.k = 8; 2255 s2 = new_stmt(BPF_MISC|BPF_TAX); 2256 sappend(s1, s2); 2257 2258 /* 2259 * Load the next byte, at an offset of 2, and OR the 2260 * value from the X register into it. 2261 */ 2262 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2263 sappend(s1, s2); 2264 s2->s.k = 2; 2265 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2266 sappend(s1, s2); 2267 2268 /* 2269 * Now allocate a register to hold that value and store 2270 * it. 2271 */ 2272 s2 = new_stmt(BPF_ST); 2273 s2->s.k = reg_off_ll; 2274 sappend(s1, s2); 2275 2276 /* 2277 * Now move it into the X register. 2278 */ 2279 s2 = new_stmt(BPF_MISC|BPF_TAX); 2280 sappend(s1, s2); 2281 2282 return (s1); 2283 } else 2284 return (NULL); 2285 } 2286 2287 /* 2288 * At the moment we treat PPI as normal Radiotap encoded 2289 * packets. The difference is in the function that generates 2290 * the code at the beginning to compute the header length. 2291 * Since this code generator of PPI supports bare 802.11 2292 * encapsulation only (i.e. the encapsulated DLT should be 2293 * DLT_IEEE802_11) we generate code to check for this too; 2294 * that's done in finish_parse(). 2295 */ 2296 static struct slist * 2297 gen_load_ppi_llprefixlen() 2298 { 2299 struct slist *s1, *s2; 2300 2301 /* 2302 * Generate code to load the length of the radiotap header 2303 * into the register assigned to hold that length, if one has 2304 * been assigned. 2305 */ 2306 if (reg_off_ll != -1) { 2307 /* 2308 * The 2 bytes at offsets of 2 and 3 from the beginning 2309 * of the radiotap header are the length of the radiotap 2310 * header; unfortunately, it's little-endian, so we have 2311 * to load it a byte at a time and construct the value. 2312 */ 2313 2314 /* 2315 * Load the high-order byte, at an offset of 3, shift it 2316 * left a byte, and put the result in the X register. 2317 */ 2318 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2319 s1->s.k = 3; 2320 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2321 sappend(s1, s2); 2322 s2->s.k = 8; 2323 s2 = new_stmt(BPF_MISC|BPF_TAX); 2324 sappend(s1, s2); 2325 2326 /* 2327 * Load the next byte, at an offset of 2, and OR the 2328 * value from the X register into it. 2329 */ 2330 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2331 sappend(s1, s2); 2332 s2->s.k = 2; 2333 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2334 sappend(s1, s2); 2335 2336 /* 2337 * Now allocate a register to hold that value and store 2338 * it. 2339 */ 2340 s2 = new_stmt(BPF_ST); 2341 s2->s.k = reg_off_ll; 2342 sappend(s1, s2); 2343 2344 /* 2345 * Now move it into the X register. 2346 */ 2347 s2 = new_stmt(BPF_MISC|BPF_TAX); 2348 sappend(s1, s2); 2349 2350 return (s1); 2351 } else 2352 return (NULL); 2353 } 2354 2355 /* 2356 * Load a value relative to the beginning of the link-layer header after the 802.11 2357 * header, i.e. LLC_SNAP. 2358 * The link-layer header doesn't necessarily begin at the beginning 2359 * of the packet data; there might be a variable-length prefix containing 2360 * radio information. 2361 */ 2362 static struct slist * 2363 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2364 { 2365 struct slist *s2; 2366 struct slist *sjset_data_frame_1; 2367 struct slist *sjset_data_frame_2; 2368 struct slist *sjset_qos; 2369 struct slist *sjset_radiotap_flags; 2370 struct slist *sjset_radiotap_tsft; 2371 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2372 struct slist *s_roundup; 2373 2374 if (reg_off_macpl == -1) { 2375 /* 2376 * No register has been assigned to the offset of 2377 * the MAC-layer payload, which means nobody needs 2378 * it; don't bother computing it - just return 2379 * what we already have. 2380 */ 2381 return (s); 2382 } 2383 2384 /* 2385 * This code is not compatible with the optimizer, as 2386 * we are generating jmp instructions within a normal 2387 * slist of instructions 2388 */ 2389 no_optimize = 1; 2390 2391 /* 2392 * If "s" is non-null, it has code to arrange that the X register 2393 * contains the length of the prefix preceding the link-layer 2394 * header. 2395 * 2396 * Otherwise, the length of the prefix preceding the link-layer 2397 * header is "off_ll". 2398 */ 2399 if (s == NULL) { 2400 /* 2401 * There is no variable-length header preceding the 2402 * link-layer header. 2403 * 2404 * Load the length of the fixed-length prefix preceding 2405 * the link-layer header (if any) into the X register, 2406 * and store it in the reg_off_macpl register. 2407 * That length is off_ll. 2408 */ 2409 s = new_stmt(BPF_LDX|BPF_IMM); 2410 s->s.k = off_ll; 2411 } 2412 2413 /* 2414 * The X register contains the offset of the beginning of the 2415 * link-layer header; add 24, which is the minimum length 2416 * of the MAC header for a data frame, to that, and store it 2417 * in reg_off_macpl, and then load the Frame Control field, 2418 * which is at the offset in the X register, with an indexed load. 2419 */ 2420 s2 = new_stmt(BPF_MISC|BPF_TXA); 2421 sappend(s, s2); 2422 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2423 s2->s.k = 24; 2424 sappend(s, s2); 2425 s2 = new_stmt(BPF_ST); 2426 s2->s.k = reg_off_macpl; 2427 sappend(s, s2); 2428 2429 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2430 s2->s.k = 0; 2431 sappend(s, s2); 2432 2433 /* 2434 * Check the Frame Control field to see if this is a data frame; 2435 * a data frame has the 0x08 bit (b3) in that field set and the 2436 * 0x04 bit (b2) clear. 2437 */ 2438 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2439 sjset_data_frame_1->s.k = 0x08; 2440 sappend(s, sjset_data_frame_1); 2441 2442 /* 2443 * If b3 is set, test b2, otherwise go to the first statement of 2444 * the rest of the program. 2445 */ 2446 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2447 sjset_data_frame_2->s.k = 0x04; 2448 sappend(s, sjset_data_frame_2); 2449 sjset_data_frame_1->s.jf = snext; 2450 2451 /* 2452 * If b2 is not set, this is a data frame; test the QoS bit. 2453 * Otherwise, go to the first statement of the rest of the 2454 * program. 2455 */ 2456 sjset_data_frame_2->s.jt = snext; 2457 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2458 sjset_qos->s.k = 0x80; /* QoS bit */ 2459 sappend(s, sjset_qos); 2460 2461 /* 2462 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2463 * field. 2464 * Otherwise, go to the first statement of the rest of the 2465 * program. 2466 */ 2467 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2468 s2->s.k = reg_off_macpl; 2469 sappend(s, s2); 2470 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2471 s2->s.k = 2; 2472 sappend(s, s2); 2473 s2 = new_stmt(BPF_ST); 2474 s2->s.k = reg_off_macpl; 2475 sappend(s, s2); 2476 2477 /* 2478 * If we have a radiotap header, look at it to see whether 2479 * there's Atheros padding between the MAC-layer header 2480 * and the payload. 2481 * 2482 * Note: all of the fields in the radiotap header are 2483 * little-endian, so we byte-swap all of the values 2484 * we test against, as they will be loaded as big-endian 2485 * values. 2486 */ 2487 if (linktype == DLT_IEEE802_11_RADIO) { 2488 /* 2489 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2490 * in the presence flag? 2491 */ 2492 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2493 s2->s.k = 4; 2494 sappend(s, s2); 2495 2496 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2497 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2498 sappend(s, sjset_radiotap_flags); 2499 2500 /* 2501 * If not, skip all of this. 2502 */ 2503 sjset_radiotap_flags->s.jf = snext; 2504 2505 /* 2506 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2507 */ 2508 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2509 new_stmt(JMP(BPF_JSET)); 2510 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2511 sappend(s, sjset_radiotap_tsft); 2512 2513 /* 2514 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2515 * at an offset of 16 from the beginning of the raw packet 2516 * data (8 bytes for the radiotap header and 8 bytes for 2517 * the TSFT field). 2518 * 2519 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2520 * is set. 2521 */ 2522 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2523 s2->s.k = 16; 2524 sappend(s, s2); 2525 2526 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2527 sjset_tsft_datapad->s.k = 0x20; 2528 sappend(s, sjset_tsft_datapad); 2529 2530 /* 2531 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2532 * at an offset of 8 from the beginning of the raw packet 2533 * data (8 bytes for the radiotap header). 2534 * 2535 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2536 * is set. 2537 */ 2538 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2539 s2->s.k = 8; 2540 sappend(s, s2); 2541 2542 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2543 sjset_notsft_datapad->s.k = 0x20; 2544 sappend(s, sjset_notsft_datapad); 2545 2546 /* 2547 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2548 * set, round the length of the 802.11 header to 2549 * a multiple of 4. Do that by adding 3 and then 2550 * dividing by and multiplying by 4, which we do by 2551 * ANDing with ~3. 2552 */ 2553 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2554 s_roundup->s.k = reg_off_macpl; 2555 sappend(s, s_roundup); 2556 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2557 s2->s.k = 3; 2558 sappend(s, s2); 2559 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2560 s2->s.k = ~3; 2561 sappend(s, s2); 2562 s2 = new_stmt(BPF_ST); 2563 s2->s.k = reg_off_macpl; 2564 sappend(s, s2); 2565 2566 sjset_tsft_datapad->s.jt = s_roundup; 2567 sjset_tsft_datapad->s.jf = snext; 2568 sjset_notsft_datapad->s.jt = s_roundup; 2569 sjset_notsft_datapad->s.jf = snext; 2570 } else 2571 sjset_qos->s.jf = snext; 2572 2573 return s; 2574 } 2575 2576 static void 2577 insert_compute_vloffsets(b) 2578 struct block *b; 2579 { 2580 struct slist *s; 2581 2582 /* 2583 * For link-layer types that have a variable-length header 2584 * preceding the link-layer header, generate code to load 2585 * the offset of the link-layer header into the register 2586 * assigned to that offset, if any. 2587 */ 2588 switch (linktype) { 2589 2590 case DLT_PRISM_HEADER: 2591 s = gen_load_prism_llprefixlen(); 2592 break; 2593 2594 case DLT_IEEE802_11_RADIO_AVS: 2595 s = gen_load_avs_llprefixlen(); 2596 break; 2597 2598 case DLT_IEEE802_11_RADIO: 2599 s = gen_load_radiotap_llprefixlen(); 2600 break; 2601 2602 case DLT_PPI: 2603 s = gen_load_ppi_llprefixlen(); 2604 break; 2605 2606 default: 2607 s = NULL; 2608 break; 2609 } 2610 2611 /* 2612 * For link-layer types that have a variable-length link-layer 2613 * header, generate code to load the offset of the MAC-layer 2614 * payload into the register assigned to that offset, if any. 2615 */ 2616 switch (linktype) { 2617 2618 case DLT_IEEE802_11: 2619 case DLT_PRISM_HEADER: 2620 case DLT_IEEE802_11_RADIO_AVS: 2621 case DLT_IEEE802_11_RADIO: 2622 case DLT_PPI: 2623 s = gen_load_802_11_header_len(s, b->stmts); 2624 break; 2625 } 2626 2627 /* 2628 * If we have any offset-loading code, append all the 2629 * existing statements in the block to those statements, 2630 * and make the resulting list the list of statements 2631 * for the block. 2632 */ 2633 if (s != NULL) { 2634 sappend(s, b->stmts); 2635 b->stmts = s; 2636 } 2637 } 2638 2639 static struct block * 2640 gen_ppi_dlt_check(void) 2641 { 2642 struct slist *s_load_dlt; 2643 struct block *b; 2644 2645 if (linktype == DLT_PPI) 2646 { 2647 /* Create the statements that check for the DLT 2648 */ 2649 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2650 s_load_dlt->s.k = 4; 2651 2652 b = new_block(JMP(BPF_JEQ)); 2653 2654 b->stmts = s_load_dlt; 2655 b->s.k = SWAPLONG(DLT_IEEE802_11); 2656 } 2657 else 2658 { 2659 b = NULL; 2660 } 2661 2662 return b; 2663 } 2664 2665 static struct slist * 2666 gen_prism_llprefixlen(void) 2667 { 2668 struct slist *s; 2669 2670 if (reg_off_ll == -1) { 2671 /* 2672 * We haven't yet assigned a register for the length 2673 * of the radio header; allocate one. 2674 */ 2675 reg_off_ll = alloc_reg(); 2676 } 2677 2678 /* 2679 * Load the register containing the radio length 2680 * into the X register. 2681 */ 2682 s = new_stmt(BPF_LDX|BPF_MEM); 2683 s->s.k = reg_off_ll; 2684 return s; 2685 } 2686 2687 static struct slist * 2688 gen_avs_llprefixlen(void) 2689 { 2690 struct slist *s; 2691 2692 if (reg_off_ll == -1) { 2693 /* 2694 * We haven't yet assigned a register for the length 2695 * of the AVS header; allocate one. 2696 */ 2697 reg_off_ll = alloc_reg(); 2698 } 2699 2700 /* 2701 * Load the register containing the AVS length 2702 * into the X register. 2703 */ 2704 s = new_stmt(BPF_LDX|BPF_MEM); 2705 s->s.k = reg_off_ll; 2706 return s; 2707 } 2708 2709 static struct slist * 2710 gen_radiotap_llprefixlen(void) 2711 { 2712 struct slist *s; 2713 2714 if (reg_off_ll == -1) { 2715 /* 2716 * We haven't yet assigned a register for the length 2717 * of the radiotap header; allocate one. 2718 */ 2719 reg_off_ll = alloc_reg(); 2720 } 2721 2722 /* 2723 * Load the register containing the radiotap length 2724 * into the X register. 2725 */ 2726 s = new_stmt(BPF_LDX|BPF_MEM); 2727 s->s.k = reg_off_ll; 2728 return s; 2729 } 2730 2731 /* 2732 * At the moment we treat PPI as normal Radiotap encoded 2733 * packets. The difference is in the function that generates 2734 * the code at the beginning to compute the header length. 2735 * Since this code generator of PPI supports bare 802.11 2736 * encapsulation only (i.e. the encapsulated DLT should be 2737 * DLT_IEEE802_11) we generate code to check for this too. 2738 */ 2739 static struct slist * 2740 gen_ppi_llprefixlen(void) 2741 { 2742 struct slist *s; 2743 2744 if (reg_off_ll == -1) { 2745 /* 2746 * We haven't yet assigned a register for the length 2747 * of the radiotap header; allocate one. 2748 */ 2749 reg_off_ll = alloc_reg(); 2750 } 2751 2752 /* 2753 * Load the register containing the PPI length 2754 * into the X register. 2755 */ 2756 s = new_stmt(BPF_LDX|BPF_MEM); 2757 s->s.k = reg_off_ll; 2758 return s; 2759 } 2760 2761 /* 2762 * Generate code to compute the link-layer header length, if necessary, 2763 * putting it into the X register, and to return either a pointer to a 2764 * "struct slist" for the list of statements in that code, or NULL if 2765 * no code is necessary. 2766 */ 2767 static struct slist * 2768 gen_llprefixlen(void) 2769 { 2770 switch (linktype) { 2771 2772 case DLT_PRISM_HEADER: 2773 return gen_prism_llprefixlen(); 2774 2775 case DLT_IEEE802_11_RADIO_AVS: 2776 return gen_avs_llprefixlen(); 2777 2778 case DLT_IEEE802_11_RADIO: 2779 return gen_radiotap_llprefixlen(); 2780 2781 case DLT_PPI: 2782 return gen_ppi_llprefixlen(); 2783 2784 default: 2785 return NULL; 2786 } 2787 } 2788 2789 /* 2790 * Generate code to load the register containing the offset of the 2791 * MAC-layer payload into the X register; if no register for that offset 2792 * has been allocated, allocate it first. 2793 */ 2794 static struct slist * 2795 gen_off_macpl(void) 2796 { 2797 struct slist *s; 2798 2799 if (off_macpl_is_variable) { 2800 if (reg_off_macpl == -1) { 2801 /* 2802 * We haven't yet assigned a register for the offset 2803 * of the MAC-layer payload; allocate one. 2804 */ 2805 reg_off_macpl = alloc_reg(); 2806 } 2807 2808 /* 2809 * Load the register containing the offset of the MAC-layer 2810 * payload into the X register. 2811 */ 2812 s = new_stmt(BPF_LDX|BPF_MEM); 2813 s->s.k = reg_off_macpl; 2814 return s; 2815 } else { 2816 /* 2817 * That offset isn't variable, so we don't need to 2818 * generate any code. 2819 */ 2820 return NULL; 2821 } 2822 } 2823 2824 /* 2825 * Map an Ethernet type to the equivalent PPP type. 2826 */ 2827 static int 2828 ethertype_to_ppptype(proto) 2829 int proto; 2830 { 2831 switch (proto) { 2832 2833 case ETHERTYPE_IP: 2834 proto = PPP_IP; 2835 break; 2836 2837 #ifdef INET6 2838 case ETHERTYPE_IPV6: 2839 proto = PPP_IPV6; 2840 break; 2841 #endif 2842 2843 case ETHERTYPE_DN: 2844 proto = PPP_DECNET; 2845 break; 2846 2847 case ETHERTYPE_ATALK: 2848 proto = PPP_APPLE; 2849 break; 2850 2851 case ETHERTYPE_NS: 2852 proto = PPP_NS; 2853 break; 2854 2855 case LLCSAP_ISONS: 2856 proto = PPP_OSI; 2857 break; 2858 2859 case LLCSAP_8021D: 2860 /* 2861 * I'm assuming the "Bridging PDU"s that go 2862 * over PPP are Spanning Tree Protocol 2863 * Bridging PDUs. 2864 */ 2865 proto = PPP_BRPDU; 2866 break; 2867 2868 case LLCSAP_IPX: 2869 proto = PPP_IPX; 2870 break; 2871 } 2872 return (proto); 2873 } 2874 2875 /* 2876 * Generate code to match a particular packet type by matching the 2877 * link-layer type field or fields in the 802.2 LLC header. 2878 * 2879 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2880 * value, if <= ETHERMTU. 2881 */ 2882 static struct block * 2883 gen_linktype(proto) 2884 register int proto; 2885 { 2886 struct block *b0, *b1, *b2; 2887 2888 /* are we checking MPLS-encapsulated packets? */ 2889 if (label_stack_depth > 0) { 2890 switch (proto) { 2891 case ETHERTYPE_IP: 2892 case PPP_IP: 2893 /* FIXME add other L3 proto IDs */ 2894 return gen_mpls_linktype(Q_IP); 2895 2896 case ETHERTYPE_IPV6: 2897 case PPP_IPV6: 2898 /* FIXME add other L3 proto IDs */ 2899 return gen_mpls_linktype(Q_IPV6); 2900 2901 default: 2902 bpf_error("unsupported protocol over mpls"); 2903 /* NOTREACHED */ 2904 } 2905 } 2906 2907 /* 2908 * Are we testing PPPoE packets? 2909 */ 2910 if (is_pppoes) { 2911 /* 2912 * The PPPoE session header is part of the 2913 * MAC-layer payload, so all references 2914 * should be relative to the beginning of 2915 * that payload. 2916 */ 2917 2918 /* 2919 * We use Ethernet protocol types inside libpcap; 2920 * map them to the corresponding PPP protocol types. 2921 */ 2922 proto = ethertype_to_ppptype(proto); 2923 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2924 } 2925 2926 switch (linktype) { 2927 2928 case DLT_EN10MB: 2929 case DLT_NETANALYZER: 2930 case DLT_NETANALYZER_TRANSPARENT: 2931 return gen_ether_linktype(proto); 2932 /*NOTREACHED*/ 2933 break; 2934 2935 case DLT_C_HDLC: 2936 switch (proto) { 2937 2938 case LLCSAP_ISONS: 2939 proto = (proto << 8 | LLCSAP_ISONS); 2940 /* fall through */ 2941 2942 default: 2943 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2944 (bpf_int32)proto); 2945 /*NOTREACHED*/ 2946 break; 2947 } 2948 break; 2949 2950 case DLT_IEEE802_11: 2951 case DLT_PRISM_HEADER: 2952 case DLT_IEEE802_11_RADIO_AVS: 2953 case DLT_IEEE802_11_RADIO: 2954 case DLT_PPI: 2955 /* 2956 * Check that we have a data frame. 2957 */ 2958 b0 = gen_check_802_11_data_frame(); 2959 2960 /* 2961 * Now check for the specified link-layer type. 2962 */ 2963 b1 = gen_llc_linktype(proto); 2964 gen_and(b0, b1); 2965 return b1; 2966 /*NOTREACHED*/ 2967 break; 2968 2969 case DLT_FDDI: 2970 /* 2971 * XXX - check for asynchronous frames, as per RFC 1103. 2972 */ 2973 return gen_llc_linktype(proto); 2974 /*NOTREACHED*/ 2975 break; 2976 2977 case DLT_IEEE802: 2978 /* 2979 * XXX - check for LLC PDUs, as per IEEE 802.5. 2980 */ 2981 return gen_llc_linktype(proto); 2982 /*NOTREACHED*/ 2983 break; 2984 2985 case DLT_ATM_RFC1483: 2986 case DLT_ATM_CLIP: 2987 case DLT_IP_OVER_FC: 2988 return gen_llc_linktype(proto); 2989 /*NOTREACHED*/ 2990 break; 2991 2992 case DLT_SUNATM: 2993 /* 2994 * If "is_lane" is set, check for a LANE-encapsulated 2995 * version of this protocol, otherwise check for an 2996 * LLC-encapsulated version of this protocol. 2997 * 2998 * We assume LANE means Ethernet, not Token Ring. 2999 */ 3000 if (is_lane) { 3001 /* 3002 * Check that the packet doesn't begin with an 3003 * LE Control marker. (We've already generated 3004 * a test for LANE.) 3005 */ 3006 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3007 0xFF00); 3008 gen_not(b0); 3009 3010 /* 3011 * Now generate an Ethernet test. 3012 */ 3013 b1 = gen_ether_linktype(proto); 3014 gen_and(b0, b1); 3015 return b1; 3016 } else { 3017 /* 3018 * Check for LLC encapsulation and then check the 3019 * protocol. 3020 */ 3021 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3022 b1 = gen_llc_linktype(proto); 3023 gen_and(b0, b1); 3024 return b1; 3025 } 3026 /*NOTREACHED*/ 3027 break; 3028 3029 case DLT_LINUX_SLL: 3030 return gen_linux_sll_linktype(proto); 3031 /*NOTREACHED*/ 3032 break; 3033 3034 case DLT_SLIP: 3035 case DLT_SLIP_BSDOS: 3036 case DLT_RAW: 3037 /* 3038 * These types don't provide any type field; packets 3039 * are always IPv4 or IPv6. 3040 * 3041 * XXX - for IPv4, check for a version number of 4, and, 3042 * for IPv6, check for a version number of 6? 3043 */ 3044 switch (proto) { 3045 3046 case ETHERTYPE_IP: 3047 /* Check for a version number of 4. */ 3048 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3049 #ifdef INET6 3050 case ETHERTYPE_IPV6: 3051 /* Check for a version number of 6. */ 3052 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3053 #endif 3054 3055 default: 3056 return gen_false(); /* always false */ 3057 } 3058 /*NOTREACHED*/ 3059 break; 3060 3061 case DLT_IPV4: 3062 /* 3063 * Raw IPv4, so no type field. 3064 */ 3065 if (proto == ETHERTYPE_IP) 3066 return gen_true(); /* always true */ 3067 3068 /* Checking for something other than IPv4; always false */ 3069 return gen_false(); 3070 /*NOTREACHED*/ 3071 break; 3072 3073 case DLT_IPV6: 3074 /* 3075 * Raw IPv6, so no type field. 3076 */ 3077 #ifdef INET6 3078 if (proto == ETHERTYPE_IPV6) 3079 return gen_true(); /* always true */ 3080 #endif 3081 3082 /* Checking for something other than IPv6; always false */ 3083 return gen_false(); 3084 /*NOTREACHED*/ 3085 break; 3086 3087 case DLT_PPP: 3088 case DLT_PPP_PPPD: 3089 case DLT_PPP_SERIAL: 3090 case DLT_PPP_ETHER: 3091 /* 3092 * We use Ethernet protocol types inside libpcap; 3093 * map them to the corresponding PPP protocol types. 3094 */ 3095 proto = ethertype_to_ppptype(proto); 3096 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3097 /*NOTREACHED*/ 3098 break; 3099 3100 case DLT_PPP_BSDOS: 3101 /* 3102 * We use Ethernet protocol types inside libpcap; 3103 * map them to the corresponding PPP protocol types. 3104 */ 3105 switch (proto) { 3106 3107 case ETHERTYPE_IP: 3108 /* 3109 * Also check for Van Jacobson-compressed IP. 3110 * XXX - do this for other forms of PPP? 3111 */ 3112 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3113 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3114 gen_or(b0, b1); 3115 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3116 gen_or(b1, b0); 3117 return b0; 3118 3119 default: 3120 proto = ethertype_to_ppptype(proto); 3121 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3122 (bpf_int32)proto); 3123 } 3124 /*NOTREACHED*/ 3125 break; 3126 3127 case DLT_NULL: 3128 case DLT_LOOP: 3129 case DLT_ENC: 3130 /* 3131 * For DLT_NULL, the link-layer header is a 32-bit 3132 * word containing an AF_ value in *host* byte order, 3133 * and for DLT_ENC, the link-layer header begins 3134 * with a 32-bit work containing an AF_ value in 3135 * host byte order. 3136 * 3137 * In addition, if we're reading a saved capture file, 3138 * the host byte order in the capture may not be the 3139 * same as the host byte order on this machine. 3140 * 3141 * For DLT_LOOP, the link-layer header is a 32-bit 3142 * word containing an AF_ value in *network* byte order. 3143 * 3144 * XXX - AF_ values may, unfortunately, be platform- 3145 * dependent; for example, FreeBSD's AF_INET6 is 24 3146 * whilst NetBSD's and OpenBSD's is 26. 3147 * 3148 * This means that, when reading a capture file, just 3149 * checking for our AF_INET6 value won't work if the 3150 * capture file came from another OS. 3151 */ 3152 switch (proto) { 3153 3154 case ETHERTYPE_IP: 3155 proto = AF_INET; 3156 break; 3157 3158 #ifdef INET6 3159 case ETHERTYPE_IPV6: 3160 proto = AF_INET6; 3161 break; 3162 #endif 3163 3164 default: 3165 /* 3166 * Not a type on which we support filtering. 3167 * XXX - support those that have AF_ values 3168 * #defined on this platform, at least? 3169 */ 3170 return gen_false(); 3171 } 3172 3173 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3174 /* 3175 * The AF_ value is in host byte order, but 3176 * the BPF interpreter will convert it to 3177 * network byte order. 3178 * 3179 * If this is a save file, and it's from a 3180 * machine with the opposite byte order to 3181 * ours, we byte-swap the AF_ value. 3182 * 3183 * Then we run it through "htonl()", and 3184 * generate code to compare against the result. 3185 */ 3186 if (bpf_pcap->sf.rfile != NULL && 3187 bpf_pcap->sf.swapped) 3188 proto = SWAPLONG(proto); 3189 proto = htonl(proto); 3190 } 3191 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3192 3193 #ifdef HAVE_NET_PFVAR_H 3194 case DLT_PFLOG: 3195 /* 3196 * af field is host byte order in contrast to the rest of 3197 * the packet. 3198 */ 3199 if (proto == ETHERTYPE_IP) 3200 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3201 BPF_B, (bpf_int32)AF_INET)); 3202 #ifdef INET6 3203 else if (proto == ETHERTYPE_IPV6) 3204 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3205 BPF_B, (bpf_int32)AF_INET6)); 3206 #endif /* INET6 */ 3207 else 3208 return gen_false(); 3209 /*NOTREACHED*/ 3210 break; 3211 #endif /* HAVE_NET_PFVAR_H */ 3212 3213 case DLT_ARCNET: 3214 case DLT_ARCNET_LINUX: 3215 /* 3216 * XXX should we check for first fragment if the protocol 3217 * uses PHDS? 3218 */ 3219 switch (proto) { 3220 3221 default: 3222 return gen_false(); 3223 3224 #ifdef INET6 3225 case ETHERTYPE_IPV6: 3226 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3227 (bpf_int32)ARCTYPE_INET6)); 3228 #endif /* INET6 */ 3229 3230 case ETHERTYPE_IP: 3231 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3232 (bpf_int32)ARCTYPE_IP); 3233 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3234 (bpf_int32)ARCTYPE_IP_OLD); 3235 gen_or(b0, b1); 3236 return (b1); 3237 3238 case ETHERTYPE_ARP: 3239 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3240 (bpf_int32)ARCTYPE_ARP); 3241 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3242 (bpf_int32)ARCTYPE_ARP_OLD); 3243 gen_or(b0, b1); 3244 return (b1); 3245 3246 case ETHERTYPE_REVARP: 3247 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3248 (bpf_int32)ARCTYPE_REVARP)); 3249 3250 case ETHERTYPE_ATALK: 3251 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3252 (bpf_int32)ARCTYPE_ATALK)); 3253 } 3254 /*NOTREACHED*/ 3255 break; 3256 3257 case DLT_LTALK: 3258 switch (proto) { 3259 case ETHERTYPE_ATALK: 3260 return gen_true(); 3261 default: 3262 return gen_false(); 3263 } 3264 /*NOTREACHED*/ 3265 break; 3266 3267 case DLT_FRELAY: 3268 /* 3269 * XXX - assumes a 2-byte Frame Relay header with 3270 * DLCI and flags. What if the address is longer? 3271 */ 3272 switch (proto) { 3273 3274 case ETHERTYPE_IP: 3275 /* 3276 * Check for the special NLPID for IP. 3277 */ 3278 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3279 3280 #ifdef INET6 3281 case ETHERTYPE_IPV6: 3282 /* 3283 * Check for the special NLPID for IPv6. 3284 */ 3285 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3286 #endif 3287 3288 case LLCSAP_ISONS: 3289 /* 3290 * Check for several OSI protocols. 3291 * 3292 * Frame Relay packets typically have an OSI 3293 * NLPID at the beginning; we check for each 3294 * of them. 3295 * 3296 * What we check for is the NLPID and a frame 3297 * control field of UI, i.e. 0x03 followed 3298 * by the NLPID. 3299 */ 3300 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3301 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3302 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3303 gen_or(b1, b2); 3304 gen_or(b0, b2); 3305 return b2; 3306 3307 default: 3308 return gen_false(); 3309 } 3310 /*NOTREACHED*/ 3311 break; 3312 3313 case DLT_MFR: 3314 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3315 3316 case DLT_JUNIPER_MFR: 3317 case DLT_JUNIPER_MLFR: 3318 case DLT_JUNIPER_MLPPP: 3319 case DLT_JUNIPER_ATM1: 3320 case DLT_JUNIPER_ATM2: 3321 case DLT_JUNIPER_PPPOE: 3322 case DLT_JUNIPER_PPPOE_ATM: 3323 case DLT_JUNIPER_GGSN: 3324 case DLT_JUNIPER_ES: 3325 case DLT_JUNIPER_MONITOR: 3326 case DLT_JUNIPER_SERVICES: 3327 case DLT_JUNIPER_ETHER: 3328 case DLT_JUNIPER_PPP: 3329 case DLT_JUNIPER_FRELAY: 3330 case DLT_JUNIPER_CHDLC: 3331 case DLT_JUNIPER_VP: 3332 case DLT_JUNIPER_ST: 3333 case DLT_JUNIPER_ISM: 3334 case DLT_JUNIPER_VS: 3335 case DLT_JUNIPER_SRX_E2E: 3336 case DLT_JUNIPER_FIBRECHANNEL: 3337 case DLT_JUNIPER_ATM_CEMIC: 3338 3339 /* just lets verify the magic number for now - 3340 * on ATM we may have up to 6 different encapsulations on the wire 3341 * and need a lot of heuristics to figure out that the payload 3342 * might be; 3343 * 3344 * FIXME encapsulation specific BPF_ filters 3345 */ 3346 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3347 3348 case DLT_IPNET: 3349 return gen_ipnet_linktype(proto); 3350 3351 case DLT_LINUX_IRDA: 3352 bpf_error("IrDA link-layer type filtering not implemented"); 3353 3354 case DLT_DOCSIS: 3355 bpf_error("DOCSIS link-layer type filtering not implemented"); 3356 3357 case DLT_MTP2: 3358 case DLT_MTP2_WITH_PHDR: 3359 bpf_error("MTP2 link-layer type filtering not implemented"); 3360 3361 case DLT_ERF: 3362 bpf_error("ERF link-layer type filtering not implemented"); 3363 3364 case DLT_PFSYNC: 3365 bpf_error("PFSYNC link-layer type filtering not implemented"); 3366 3367 case DLT_LINUX_LAPD: 3368 bpf_error("LAPD link-layer type filtering not implemented"); 3369 3370 case DLT_USB: 3371 case DLT_USB_LINUX: 3372 case DLT_USB_LINUX_MMAPPED: 3373 bpf_error("USB link-layer type filtering not implemented"); 3374 3375 case DLT_BLUETOOTH_HCI_H4: 3376 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3377 bpf_error("Bluetooth link-layer type filtering not implemented"); 3378 3379 case DLT_CAN20B: 3380 case DLT_CAN_SOCKETCAN: 3381 bpf_error("CAN link-layer type filtering not implemented"); 3382 3383 case DLT_IEEE802_15_4: 3384 case DLT_IEEE802_15_4_LINUX: 3385 case DLT_IEEE802_15_4_NONASK_PHY: 3386 case DLT_IEEE802_15_4_NOFCS: 3387 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3388 3389 case DLT_IEEE802_16_MAC_CPS_RADIO: 3390 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3391 3392 case DLT_SITA: 3393 bpf_error("SITA link-layer type filtering not implemented"); 3394 3395 case DLT_RAIF1: 3396 bpf_error("RAIF1 link-layer type filtering not implemented"); 3397 3398 case DLT_IPMB: 3399 bpf_error("IPMB link-layer type filtering not implemented"); 3400 3401 case DLT_AX25_KISS: 3402 bpf_error("AX.25 link-layer type filtering not implemented"); 3403 } 3404 3405 /* 3406 * All the types that have no encapsulation should either be 3407 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3408 * all packets are IP packets, or should be handled in some 3409 * special case, if none of them are (if some are and some 3410 * aren't, the lack of encapsulation is a problem, as we'd 3411 * have to find some other way of determining the packet type). 3412 * 3413 * Therefore, if "off_linktype" is -1, there's an error. 3414 */ 3415 if (off_linktype == (u_int)-1) 3416 abort(); 3417 3418 /* 3419 * Any type not handled above should always have an Ethernet 3420 * type at an offset of "off_linktype". 3421 */ 3422 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3423 } 3424 3425 /* 3426 * Check for an LLC SNAP packet with a given organization code and 3427 * protocol type; we check the entire contents of the 802.2 LLC and 3428 * snap headers, checking for DSAP and SSAP of SNAP and a control 3429 * field of 0x03 in the LLC header, and for the specified organization 3430 * code and protocol type in the SNAP header. 3431 */ 3432 static struct block * 3433 gen_snap(orgcode, ptype) 3434 bpf_u_int32 orgcode; 3435 bpf_u_int32 ptype; 3436 { 3437 u_char snapblock[8]; 3438 3439 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3440 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3441 snapblock[2] = 0x03; /* control = UI */ 3442 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3443 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3444 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3445 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3446 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3447 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3448 } 3449 3450 /* 3451 * Generate code to match a particular packet type, for link-layer types 3452 * using 802.2 LLC headers. 3453 * 3454 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3455 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3456 * 3457 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3458 * value, if <= ETHERMTU. We use that to determine whether to 3459 * match the DSAP or both DSAP and LSAP or to check the OUI and 3460 * protocol ID in a SNAP header. 3461 */ 3462 static struct block * 3463 gen_llc_linktype(proto) 3464 int proto; 3465 { 3466 /* 3467 * XXX - handle token-ring variable-length header. 3468 */ 3469 switch (proto) { 3470 3471 case LLCSAP_IP: 3472 case LLCSAP_ISONS: 3473 case LLCSAP_NETBEUI: 3474 /* 3475 * XXX - should we check both the DSAP and the 3476 * SSAP, like this, or should we check just the 3477 * DSAP, as we do for other types <= ETHERMTU 3478 * (i.e., other SAP values)? 3479 */ 3480 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3481 ((proto << 8) | proto)); 3482 3483 case LLCSAP_IPX: 3484 /* 3485 * XXX - are there ever SNAP frames for IPX on 3486 * non-Ethernet 802.x networks? 3487 */ 3488 return gen_cmp(OR_MACPL, 0, BPF_B, 3489 (bpf_int32)LLCSAP_IPX); 3490 3491 case ETHERTYPE_ATALK: 3492 /* 3493 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3494 * SNAP packets with an organization code of 3495 * 0x080007 (Apple, for Appletalk) and a protocol 3496 * type of ETHERTYPE_ATALK (Appletalk). 3497 * 3498 * XXX - check for an organization code of 3499 * encapsulated Ethernet as well? 3500 */ 3501 return gen_snap(0x080007, ETHERTYPE_ATALK); 3502 3503 default: 3504 /* 3505 * XXX - we don't have to check for IPX 802.3 3506 * here, but should we check for the IPX Ethertype? 3507 */ 3508 if (proto <= ETHERMTU) { 3509 /* 3510 * This is an LLC SAP value, so check 3511 * the DSAP. 3512 */ 3513 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3514 } else { 3515 /* 3516 * This is an Ethernet type; we assume that it's 3517 * unlikely that it'll appear in the right place 3518 * at random, and therefore check only the 3519 * location that would hold the Ethernet type 3520 * in a SNAP frame with an organization code of 3521 * 0x000000 (encapsulated Ethernet). 3522 * 3523 * XXX - if we were to check for the SNAP DSAP and 3524 * LSAP, as per XXX, and were also to check for an 3525 * organization code of 0x000000 (encapsulated 3526 * Ethernet), we'd do 3527 * 3528 * return gen_snap(0x000000, proto); 3529 * 3530 * here; for now, we don't, as per the above. 3531 * I don't know whether it's worth the extra CPU 3532 * time to do the right check or not. 3533 */ 3534 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3535 } 3536 } 3537 } 3538 3539 static struct block * 3540 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3541 bpf_u_int32 addr; 3542 bpf_u_int32 mask; 3543 int dir, proto; 3544 u_int src_off, dst_off; 3545 { 3546 struct block *b0, *b1; 3547 u_int offset; 3548 3549 switch (dir) { 3550 3551 case Q_SRC: 3552 offset = src_off; 3553 break; 3554 3555 case Q_DST: 3556 offset = dst_off; 3557 break; 3558 3559 case Q_AND: 3560 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3561 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3562 gen_and(b0, b1); 3563 return b1; 3564 3565 case Q_OR: 3566 case Q_DEFAULT: 3567 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3568 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3569 gen_or(b0, b1); 3570 return b1; 3571 3572 default: 3573 abort(); 3574 } 3575 b0 = gen_linktype(proto); 3576 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3577 gen_and(b0, b1); 3578 return b1; 3579 } 3580 3581 #ifdef INET6 3582 static struct block * 3583 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3584 struct in6_addr *addr; 3585 struct in6_addr *mask; 3586 int dir, proto; 3587 u_int src_off, dst_off; 3588 { 3589 struct block *b0, *b1; 3590 u_int offset; 3591 u_int32_t *a, *m; 3592 3593 switch (dir) { 3594 3595 case Q_SRC: 3596 offset = src_off; 3597 break; 3598 3599 case Q_DST: 3600 offset = dst_off; 3601 break; 3602 3603 case Q_AND: 3604 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3605 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3606 gen_and(b0, b1); 3607 return b1; 3608 3609 case Q_OR: 3610 case Q_DEFAULT: 3611 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3612 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3613 gen_or(b0, b1); 3614 return b1; 3615 3616 default: 3617 abort(); 3618 } 3619 /* this order is important */ 3620 a = (u_int32_t *)addr; 3621 m = (u_int32_t *)mask; 3622 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3623 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3624 gen_and(b0, b1); 3625 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3626 gen_and(b0, b1); 3627 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3628 gen_and(b0, b1); 3629 b0 = gen_linktype(proto); 3630 gen_and(b0, b1); 3631 return b1; 3632 } 3633 #endif /*INET6*/ 3634 3635 static struct block * 3636 gen_ehostop(eaddr, dir) 3637 register const u_char *eaddr; 3638 register int dir; 3639 { 3640 register struct block *b0, *b1; 3641 3642 switch (dir) { 3643 case Q_SRC: 3644 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3645 3646 case Q_DST: 3647 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3648 3649 case Q_AND: 3650 b0 = gen_ehostop(eaddr, Q_SRC); 3651 b1 = gen_ehostop(eaddr, Q_DST); 3652 gen_and(b0, b1); 3653 return b1; 3654 3655 case Q_DEFAULT: 3656 case Q_OR: 3657 b0 = gen_ehostop(eaddr, Q_SRC); 3658 b1 = gen_ehostop(eaddr, Q_DST); 3659 gen_or(b0, b1); 3660 return b1; 3661 3662 case Q_ADDR1: 3663 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3664 break; 3665 3666 case Q_ADDR2: 3667 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3668 break; 3669 3670 case Q_ADDR3: 3671 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3672 break; 3673 3674 case Q_ADDR4: 3675 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3676 break; 3677 3678 case Q_RA: 3679 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3680 break; 3681 3682 case Q_TA: 3683 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3684 break; 3685 } 3686 abort(); 3687 /* NOTREACHED */ 3688 } 3689 3690 /* 3691 * Like gen_ehostop, but for DLT_FDDI 3692 */ 3693 static struct block * 3694 gen_fhostop(eaddr, dir) 3695 register const u_char *eaddr; 3696 register int dir; 3697 { 3698 struct block *b0, *b1; 3699 3700 switch (dir) { 3701 case Q_SRC: 3702 #ifdef PCAP_FDDIPAD 3703 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3704 #else 3705 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3706 #endif 3707 3708 case Q_DST: 3709 #ifdef PCAP_FDDIPAD 3710 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3711 #else 3712 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3713 #endif 3714 3715 case Q_AND: 3716 b0 = gen_fhostop(eaddr, Q_SRC); 3717 b1 = gen_fhostop(eaddr, Q_DST); 3718 gen_and(b0, b1); 3719 return b1; 3720 3721 case Q_DEFAULT: 3722 case Q_OR: 3723 b0 = gen_fhostop(eaddr, Q_SRC); 3724 b1 = gen_fhostop(eaddr, Q_DST); 3725 gen_or(b0, b1); 3726 return b1; 3727 3728 case Q_ADDR1: 3729 bpf_error("'addr1' is only supported on 802.11"); 3730 break; 3731 3732 case Q_ADDR2: 3733 bpf_error("'addr2' is only supported on 802.11"); 3734 break; 3735 3736 case Q_ADDR3: 3737 bpf_error("'addr3' is only supported on 802.11"); 3738 break; 3739 3740 case Q_ADDR4: 3741 bpf_error("'addr4' is only supported on 802.11"); 3742 break; 3743 3744 case Q_RA: 3745 bpf_error("'ra' is only supported on 802.11"); 3746 break; 3747 3748 case Q_TA: 3749 bpf_error("'ta' is only supported on 802.11"); 3750 break; 3751 } 3752 abort(); 3753 /* NOTREACHED */ 3754 } 3755 3756 /* 3757 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3758 */ 3759 static struct block * 3760 gen_thostop(eaddr, dir) 3761 register const u_char *eaddr; 3762 register int dir; 3763 { 3764 register struct block *b0, *b1; 3765 3766 switch (dir) { 3767 case Q_SRC: 3768 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3769 3770 case Q_DST: 3771 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3772 3773 case Q_AND: 3774 b0 = gen_thostop(eaddr, Q_SRC); 3775 b1 = gen_thostop(eaddr, Q_DST); 3776 gen_and(b0, b1); 3777 return b1; 3778 3779 case Q_DEFAULT: 3780 case Q_OR: 3781 b0 = gen_thostop(eaddr, Q_SRC); 3782 b1 = gen_thostop(eaddr, Q_DST); 3783 gen_or(b0, b1); 3784 return b1; 3785 3786 case Q_ADDR1: 3787 bpf_error("'addr1' is only supported on 802.11"); 3788 break; 3789 3790 case Q_ADDR2: 3791 bpf_error("'addr2' is only supported on 802.11"); 3792 break; 3793 3794 case Q_ADDR3: 3795 bpf_error("'addr3' is only supported on 802.11"); 3796 break; 3797 3798 case Q_ADDR4: 3799 bpf_error("'addr4' is only supported on 802.11"); 3800 break; 3801 3802 case Q_RA: 3803 bpf_error("'ra' is only supported on 802.11"); 3804 break; 3805 3806 case Q_TA: 3807 bpf_error("'ta' is only supported on 802.11"); 3808 break; 3809 } 3810 abort(); 3811 /* NOTREACHED */ 3812 } 3813 3814 /* 3815 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3816 * various 802.11 + radio headers. 3817 */ 3818 static struct block * 3819 gen_wlanhostop(eaddr, dir) 3820 register const u_char *eaddr; 3821 register int dir; 3822 { 3823 register struct block *b0, *b1, *b2; 3824 register struct slist *s; 3825 3826 #ifdef ENABLE_WLAN_FILTERING_PATCH 3827 /* 3828 * TODO GV 20070613 3829 * We need to disable the optimizer because the optimizer is buggy 3830 * and wipes out some LD instructions generated by the below 3831 * code to validate the Frame Control bits 3832 */ 3833 no_optimize = 1; 3834 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3835 3836 switch (dir) { 3837 case Q_SRC: 3838 /* 3839 * Oh, yuk. 3840 * 3841 * For control frames, there is no SA. 3842 * 3843 * For management frames, SA is at an 3844 * offset of 10 from the beginning of 3845 * the packet. 3846 * 3847 * For data frames, SA is at an offset 3848 * of 10 from the beginning of the packet 3849 * if From DS is clear, at an offset of 3850 * 16 from the beginning of the packet 3851 * if From DS is set and To DS is clear, 3852 * and an offset of 24 from the beginning 3853 * of the packet if From DS is set and To DS 3854 * is set. 3855 */ 3856 3857 /* 3858 * Generate the tests to be done for data frames 3859 * with From DS set. 3860 * 3861 * First, check for To DS set, i.e. check "link[1] & 0x01". 3862 */ 3863 s = gen_load_a(OR_LINK, 1, BPF_B); 3864 b1 = new_block(JMP(BPF_JSET)); 3865 b1->s.k = 0x01; /* To DS */ 3866 b1->stmts = s; 3867 3868 /* 3869 * If To DS is set, the SA is at 24. 3870 */ 3871 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3872 gen_and(b1, b0); 3873 3874 /* 3875 * Now, check for To DS not set, i.e. check 3876 * "!(link[1] & 0x01)". 3877 */ 3878 s = gen_load_a(OR_LINK, 1, BPF_B); 3879 b2 = new_block(JMP(BPF_JSET)); 3880 b2->s.k = 0x01; /* To DS */ 3881 b2->stmts = s; 3882 gen_not(b2); 3883 3884 /* 3885 * If To DS is not set, the SA is at 16. 3886 */ 3887 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3888 gen_and(b2, b1); 3889 3890 /* 3891 * Now OR together the last two checks. That gives 3892 * the complete set of checks for data frames with 3893 * From DS set. 3894 */ 3895 gen_or(b1, b0); 3896 3897 /* 3898 * Now check for From DS being set, and AND that with 3899 * the ORed-together checks. 3900 */ 3901 s = gen_load_a(OR_LINK, 1, BPF_B); 3902 b1 = new_block(JMP(BPF_JSET)); 3903 b1->s.k = 0x02; /* From DS */ 3904 b1->stmts = s; 3905 gen_and(b1, b0); 3906 3907 /* 3908 * Now check for data frames with From DS not set. 3909 */ 3910 s = gen_load_a(OR_LINK, 1, BPF_B); 3911 b2 = new_block(JMP(BPF_JSET)); 3912 b2->s.k = 0x02; /* From DS */ 3913 b2->stmts = s; 3914 gen_not(b2); 3915 3916 /* 3917 * If From DS isn't set, the SA is at 10. 3918 */ 3919 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3920 gen_and(b2, b1); 3921 3922 /* 3923 * Now OR together the checks for data frames with 3924 * From DS not set and for data frames with From DS 3925 * set; that gives the checks done for data frames. 3926 */ 3927 gen_or(b1, b0); 3928 3929 /* 3930 * Now check for a data frame. 3931 * I.e, check "link[0] & 0x08". 3932 */ 3933 s = gen_load_a(OR_LINK, 0, BPF_B); 3934 b1 = new_block(JMP(BPF_JSET)); 3935 b1->s.k = 0x08; 3936 b1->stmts = s; 3937 3938 /* 3939 * AND that with the checks done for data frames. 3940 */ 3941 gen_and(b1, b0); 3942 3943 /* 3944 * If the high-order bit of the type value is 0, this 3945 * is a management frame. 3946 * I.e, check "!(link[0] & 0x08)". 3947 */ 3948 s = gen_load_a(OR_LINK, 0, BPF_B); 3949 b2 = new_block(JMP(BPF_JSET)); 3950 b2->s.k = 0x08; 3951 b2->stmts = s; 3952 gen_not(b2); 3953 3954 /* 3955 * For management frames, the SA is at 10. 3956 */ 3957 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3958 gen_and(b2, b1); 3959 3960 /* 3961 * OR that with the checks done for data frames. 3962 * That gives the checks done for management and 3963 * data frames. 3964 */ 3965 gen_or(b1, b0); 3966 3967 /* 3968 * If the low-order bit of the type value is 1, 3969 * this is either a control frame or a frame 3970 * with a reserved type, and thus not a 3971 * frame with an SA. 3972 * 3973 * I.e., check "!(link[0] & 0x04)". 3974 */ 3975 s = gen_load_a(OR_LINK, 0, BPF_B); 3976 b1 = new_block(JMP(BPF_JSET)); 3977 b1->s.k = 0x04; 3978 b1->stmts = s; 3979 gen_not(b1); 3980 3981 /* 3982 * AND that with the checks for data and management 3983 * frames. 3984 */ 3985 gen_and(b1, b0); 3986 return b0; 3987 3988 case Q_DST: 3989 /* 3990 * Oh, yuk. 3991 * 3992 * For control frames, there is no DA. 3993 * 3994 * For management frames, DA is at an 3995 * offset of 4 from the beginning of 3996 * the packet. 3997 * 3998 * For data frames, DA is at an offset 3999 * of 4 from the beginning of the packet 4000 * if To DS is clear and at an offset of 4001 * 16 from the beginning of the packet 4002 * if To DS is set. 4003 */ 4004 4005 /* 4006 * Generate the tests to be done for data frames. 4007 * 4008 * First, check for To DS set, i.e. "link[1] & 0x01". 4009 */ 4010 s = gen_load_a(OR_LINK, 1, BPF_B); 4011 b1 = new_block(JMP(BPF_JSET)); 4012 b1->s.k = 0x01; /* To DS */ 4013 b1->stmts = s; 4014 4015 /* 4016 * If To DS is set, the DA is at 16. 4017 */ 4018 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4019 gen_and(b1, b0); 4020 4021 /* 4022 * Now, check for To DS not set, i.e. check 4023 * "!(link[1] & 0x01)". 4024 */ 4025 s = gen_load_a(OR_LINK, 1, BPF_B); 4026 b2 = new_block(JMP(BPF_JSET)); 4027 b2->s.k = 0x01; /* To DS */ 4028 b2->stmts = s; 4029 gen_not(b2); 4030 4031 /* 4032 * If To DS is not set, the DA is at 4. 4033 */ 4034 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4035 gen_and(b2, b1); 4036 4037 /* 4038 * Now OR together the last two checks. That gives 4039 * the complete set of checks for data frames. 4040 */ 4041 gen_or(b1, b0); 4042 4043 /* 4044 * Now check for a data frame. 4045 * I.e, check "link[0] & 0x08". 4046 */ 4047 s = gen_load_a(OR_LINK, 0, BPF_B); 4048 b1 = new_block(JMP(BPF_JSET)); 4049 b1->s.k = 0x08; 4050 b1->stmts = s; 4051 4052 /* 4053 * AND that with the checks done for data frames. 4054 */ 4055 gen_and(b1, b0); 4056 4057 /* 4058 * If the high-order bit of the type value is 0, this 4059 * is a management frame. 4060 * I.e, check "!(link[0] & 0x08)". 4061 */ 4062 s = gen_load_a(OR_LINK, 0, BPF_B); 4063 b2 = new_block(JMP(BPF_JSET)); 4064 b2->s.k = 0x08; 4065 b2->stmts = s; 4066 gen_not(b2); 4067 4068 /* 4069 * For management frames, the DA is at 4. 4070 */ 4071 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4072 gen_and(b2, b1); 4073 4074 /* 4075 * OR that with the checks done for data frames. 4076 * That gives the checks done for management and 4077 * data frames. 4078 */ 4079 gen_or(b1, b0); 4080 4081 /* 4082 * If the low-order bit of the type value is 1, 4083 * this is either a control frame or a frame 4084 * with a reserved type, and thus not a 4085 * frame with an SA. 4086 * 4087 * I.e., check "!(link[0] & 0x04)". 4088 */ 4089 s = gen_load_a(OR_LINK, 0, BPF_B); 4090 b1 = new_block(JMP(BPF_JSET)); 4091 b1->s.k = 0x04; 4092 b1->stmts = s; 4093 gen_not(b1); 4094 4095 /* 4096 * AND that with the checks for data and management 4097 * frames. 4098 */ 4099 gen_and(b1, b0); 4100 return b0; 4101 4102 case Q_RA: 4103 /* 4104 * Not present in management frames; addr1 in other 4105 * frames. 4106 */ 4107 4108 /* 4109 * If the high-order bit of the type value is 0, this 4110 * is a management frame. 4111 * I.e, check "(link[0] & 0x08)". 4112 */ 4113 s = gen_load_a(OR_LINK, 0, BPF_B); 4114 b1 = new_block(JMP(BPF_JSET)); 4115 b1->s.k = 0x08; 4116 b1->stmts = s; 4117 4118 /* 4119 * Check addr1. 4120 */ 4121 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4122 4123 /* 4124 * AND that with the check of addr1. 4125 */ 4126 gen_and(b1, b0); 4127 return (b0); 4128 4129 case Q_TA: 4130 /* 4131 * Not present in management frames; addr2, if present, 4132 * in other frames. 4133 */ 4134 4135 /* 4136 * Not present in CTS or ACK control frames. 4137 */ 4138 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4139 IEEE80211_FC0_TYPE_MASK); 4140 gen_not(b0); 4141 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4142 IEEE80211_FC0_SUBTYPE_MASK); 4143 gen_not(b1); 4144 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4145 IEEE80211_FC0_SUBTYPE_MASK); 4146 gen_not(b2); 4147 gen_and(b1, b2); 4148 gen_or(b0, b2); 4149 4150 /* 4151 * If the high-order bit of the type value is 0, this 4152 * is a management frame. 4153 * I.e, check "(link[0] & 0x08)". 4154 */ 4155 s = gen_load_a(OR_LINK, 0, BPF_B); 4156 b1 = new_block(JMP(BPF_JSET)); 4157 b1->s.k = 0x08; 4158 b1->stmts = s; 4159 4160 /* 4161 * AND that with the check for frames other than 4162 * CTS and ACK frames. 4163 */ 4164 gen_and(b1, b2); 4165 4166 /* 4167 * Check addr2. 4168 */ 4169 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4170 gen_and(b2, b1); 4171 return b1; 4172 4173 /* 4174 * XXX - add BSSID keyword? 4175 */ 4176 case Q_ADDR1: 4177 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4178 4179 case Q_ADDR2: 4180 /* 4181 * Not present in CTS or ACK control frames. 4182 */ 4183 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4184 IEEE80211_FC0_TYPE_MASK); 4185 gen_not(b0); 4186 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4187 IEEE80211_FC0_SUBTYPE_MASK); 4188 gen_not(b1); 4189 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4190 IEEE80211_FC0_SUBTYPE_MASK); 4191 gen_not(b2); 4192 gen_and(b1, b2); 4193 gen_or(b0, b2); 4194 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4195 gen_and(b2, b1); 4196 return b1; 4197 4198 case Q_ADDR3: 4199 /* 4200 * Not present in control frames. 4201 */ 4202 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4203 IEEE80211_FC0_TYPE_MASK); 4204 gen_not(b0); 4205 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4206 gen_and(b0, b1); 4207 return b1; 4208 4209 case Q_ADDR4: 4210 /* 4211 * Present only if the direction mask has both "From DS" 4212 * and "To DS" set. Neither control frames nor management 4213 * frames should have both of those set, so we don't 4214 * check the frame type. 4215 */ 4216 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4217 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4218 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4219 gen_and(b0, b1); 4220 return b1; 4221 4222 case Q_AND: 4223 b0 = gen_wlanhostop(eaddr, Q_SRC); 4224 b1 = gen_wlanhostop(eaddr, Q_DST); 4225 gen_and(b0, b1); 4226 return b1; 4227 4228 case Q_DEFAULT: 4229 case Q_OR: 4230 b0 = gen_wlanhostop(eaddr, Q_SRC); 4231 b1 = gen_wlanhostop(eaddr, Q_DST); 4232 gen_or(b0, b1); 4233 return b1; 4234 } 4235 abort(); 4236 /* NOTREACHED */ 4237 } 4238 4239 /* 4240 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4241 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4242 * as the RFC states.) 4243 */ 4244 static struct block * 4245 gen_ipfchostop(eaddr, dir) 4246 register const u_char *eaddr; 4247 register int dir; 4248 { 4249 register struct block *b0, *b1; 4250 4251 switch (dir) { 4252 case Q_SRC: 4253 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4254 4255 case Q_DST: 4256 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4257 4258 case Q_AND: 4259 b0 = gen_ipfchostop(eaddr, Q_SRC); 4260 b1 = gen_ipfchostop(eaddr, Q_DST); 4261 gen_and(b0, b1); 4262 return b1; 4263 4264 case Q_DEFAULT: 4265 case Q_OR: 4266 b0 = gen_ipfchostop(eaddr, Q_SRC); 4267 b1 = gen_ipfchostop(eaddr, Q_DST); 4268 gen_or(b0, b1); 4269 return b1; 4270 4271 case Q_ADDR1: 4272 bpf_error("'addr1' is only supported on 802.11"); 4273 break; 4274 4275 case Q_ADDR2: 4276 bpf_error("'addr2' is only supported on 802.11"); 4277 break; 4278 4279 case Q_ADDR3: 4280 bpf_error("'addr3' is only supported on 802.11"); 4281 break; 4282 4283 case Q_ADDR4: 4284 bpf_error("'addr4' is only supported on 802.11"); 4285 break; 4286 4287 case Q_RA: 4288 bpf_error("'ra' is only supported on 802.11"); 4289 break; 4290 4291 case Q_TA: 4292 bpf_error("'ta' is only supported on 802.11"); 4293 break; 4294 } 4295 abort(); 4296 /* NOTREACHED */ 4297 } 4298 4299 /* 4300 * This is quite tricky because there may be pad bytes in front of the 4301 * DECNET header, and then there are two possible data packet formats that 4302 * carry both src and dst addresses, plus 5 packet types in a format that 4303 * carries only the src node, plus 2 types that use a different format and 4304 * also carry just the src node. 4305 * 4306 * Yuck. 4307 * 4308 * Instead of doing those all right, we just look for data packets with 4309 * 0 or 1 bytes of padding. If you want to look at other packets, that 4310 * will require a lot more hacking. 4311 * 4312 * To add support for filtering on DECNET "areas" (network numbers) 4313 * one would want to add a "mask" argument to this routine. That would 4314 * make the filter even more inefficient, although one could be clever 4315 * and not generate masking instructions if the mask is 0xFFFF. 4316 */ 4317 static struct block * 4318 gen_dnhostop(addr, dir) 4319 bpf_u_int32 addr; 4320 int dir; 4321 { 4322 struct block *b0, *b1, *b2, *tmp; 4323 u_int offset_lh; /* offset if long header is received */ 4324 u_int offset_sh; /* offset if short header is received */ 4325 4326 switch (dir) { 4327 4328 case Q_DST: 4329 offset_sh = 1; /* follows flags */ 4330 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4331 break; 4332 4333 case Q_SRC: 4334 offset_sh = 3; /* follows flags, dstnode */ 4335 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4336 break; 4337 4338 case Q_AND: 4339 /* Inefficient because we do our Calvinball dance twice */ 4340 b0 = gen_dnhostop(addr, Q_SRC); 4341 b1 = gen_dnhostop(addr, Q_DST); 4342 gen_and(b0, b1); 4343 return b1; 4344 4345 case Q_OR: 4346 case Q_DEFAULT: 4347 /* Inefficient because we do our Calvinball dance twice */ 4348 b0 = gen_dnhostop(addr, Q_SRC); 4349 b1 = gen_dnhostop(addr, Q_DST); 4350 gen_or(b0, b1); 4351 return b1; 4352 4353 case Q_ISO: 4354 bpf_error("ISO host filtering not implemented"); 4355 4356 default: 4357 abort(); 4358 } 4359 b0 = gen_linktype(ETHERTYPE_DN); 4360 /* Check for pad = 1, long header case */ 4361 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4362 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4363 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4364 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4365 gen_and(tmp, b1); 4366 /* Check for pad = 0, long header case */ 4367 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4368 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4369 gen_and(tmp, b2); 4370 gen_or(b2, b1); 4371 /* Check for pad = 1, short header case */ 4372 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4373 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4374 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4375 gen_and(tmp, b2); 4376 gen_or(b2, b1); 4377 /* Check for pad = 0, short header case */ 4378 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4379 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4380 gen_and(tmp, b2); 4381 gen_or(b2, b1); 4382 4383 /* Combine with test for linktype */ 4384 gen_and(b0, b1); 4385 return b1; 4386 } 4387 4388 /* 4389 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4390 * test the bottom-of-stack bit, and then check the version number 4391 * field in the IP header. 4392 */ 4393 static struct block * 4394 gen_mpls_linktype(proto) 4395 int proto; 4396 { 4397 struct block *b0, *b1; 4398 4399 switch (proto) { 4400 4401 case Q_IP: 4402 /* match the bottom-of-stack bit */ 4403 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4404 /* match the IPv4 version number */ 4405 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4406 gen_and(b0, b1); 4407 return b1; 4408 4409 case Q_IPV6: 4410 /* match the bottom-of-stack bit */ 4411 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4412 /* match the IPv4 version number */ 4413 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4414 gen_and(b0, b1); 4415 return b1; 4416 4417 default: 4418 abort(); 4419 } 4420 } 4421 4422 static struct block * 4423 gen_host(addr, mask, proto, dir, type) 4424 bpf_u_int32 addr; 4425 bpf_u_int32 mask; 4426 int proto; 4427 int dir; 4428 int type; 4429 { 4430 struct block *b0, *b1; 4431 const char *typestr; 4432 4433 if (type == Q_NET) 4434 typestr = "net"; 4435 else 4436 typestr = "host"; 4437 4438 switch (proto) { 4439 4440 case Q_DEFAULT: 4441 b0 = gen_host(addr, mask, Q_IP, dir, type); 4442 /* 4443 * Only check for non-IPv4 addresses if we're not 4444 * checking MPLS-encapsulated packets. 4445 */ 4446 if (label_stack_depth == 0) { 4447 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4448 gen_or(b0, b1); 4449 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4450 gen_or(b1, b0); 4451 } 4452 return b0; 4453 4454 case Q_IP: 4455 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4456 4457 case Q_RARP: 4458 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4459 4460 case Q_ARP: 4461 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4462 4463 case Q_TCP: 4464 bpf_error("'tcp' modifier applied to %s", typestr); 4465 4466 case Q_SCTP: 4467 bpf_error("'sctp' modifier applied to %s", typestr); 4468 4469 case Q_UDP: 4470 bpf_error("'udp' modifier applied to %s", typestr); 4471 4472 case Q_ICMP: 4473 bpf_error("'icmp' modifier applied to %s", typestr); 4474 4475 case Q_IGMP: 4476 bpf_error("'igmp' modifier applied to %s", typestr); 4477 4478 case Q_IGRP: 4479 bpf_error("'igrp' modifier applied to %s", typestr); 4480 4481 case Q_PIM: 4482 bpf_error("'pim' modifier applied to %s", typestr); 4483 4484 case Q_VRRP: 4485 bpf_error("'vrrp' modifier applied to %s", typestr); 4486 4487 case Q_CARP: 4488 bpf_error("'carp' modifier applied to %s", typestr); 4489 4490 case Q_ATALK: 4491 bpf_error("ATALK host filtering not implemented"); 4492 4493 case Q_AARP: 4494 bpf_error("AARP host filtering not implemented"); 4495 4496 case Q_DECNET: 4497 return gen_dnhostop(addr, dir); 4498 4499 case Q_SCA: 4500 bpf_error("SCA host filtering not implemented"); 4501 4502 case Q_LAT: 4503 bpf_error("LAT host filtering not implemented"); 4504 4505 case Q_MOPDL: 4506 bpf_error("MOPDL host filtering not implemented"); 4507 4508 case Q_MOPRC: 4509 bpf_error("MOPRC host filtering not implemented"); 4510 4511 #ifdef INET6 4512 case Q_IPV6: 4513 bpf_error("'ip6' modifier applied to ip host"); 4514 4515 case Q_ICMPV6: 4516 bpf_error("'icmp6' modifier applied to %s", typestr); 4517 #endif /* INET6 */ 4518 4519 case Q_AH: 4520 bpf_error("'ah' modifier applied to %s", typestr); 4521 4522 case Q_ESP: 4523 bpf_error("'esp' modifier applied to %s", typestr); 4524 4525 case Q_ISO: 4526 bpf_error("ISO host filtering not implemented"); 4527 4528 case Q_ESIS: 4529 bpf_error("'esis' modifier applied to %s", typestr); 4530 4531 case Q_ISIS: 4532 bpf_error("'isis' modifier applied to %s", typestr); 4533 4534 case Q_CLNP: 4535 bpf_error("'clnp' modifier applied to %s", typestr); 4536 4537 case Q_STP: 4538 bpf_error("'stp' modifier applied to %s", typestr); 4539 4540 case Q_IPX: 4541 bpf_error("IPX host filtering not implemented"); 4542 4543 case Q_NETBEUI: 4544 bpf_error("'netbeui' modifier applied to %s", typestr); 4545 4546 case Q_RADIO: 4547 bpf_error("'radio' modifier applied to %s", typestr); 4548 4549 default: 4550 abort(); 4551 } 4552 /* NOTREACHED */ 4553 } 4554 4555 #ifdef INET6 4556 static struct block * 4557 gen_host6(addr, mask, proto, dir, type) 4558 struct in6_addr *addr; 4559 struct in6_addr *mask; 4560 int proto; 4561 int dir; 4562 int type; 4563 { 4564 const char *typestr; 4565 4566 if (type == Q_NET) 4567 typestr = "net"; 4568 else 4569 typestr = "host"; 4570 4571 switch (proto) { 4572 4573 case Q_DEFAULT: 4574 return gen_host6(addr, mask, Q_IPV6, dir, type); 4575 4576 case Q_IP: 4577 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4578 4579 case Q_RARP: 4580 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4581 4582 case Q_ARP: 4583 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4584 4585 case Q_SCTP: 4586 bpf_error("'sctp' modifier applied to %s", typestr); 4587 4588 case Q_TCP: 4589 bpf_error("'tcp' modifier applied to %s", typestr); 4590 4591 case Q_UDP: 4592 bpf_error("'udp' modifier applied to %s", typestr); 4593 4594 case Q_ICMP: 4595 bpf_error("'icmp' modifier applied to %s", typestr); 4596 4597 case Q_IGMP: 4598 bpf_error("'igmp' modifier applied to %s", typestr); 4599 4600 case Q_IGRP: 4601 bpf_error("'igrp' modifier applied to %s", typestr); 4602 4603 case Q_PIM: 4604 bpf_error("'pim' modifier applied to %s", typestr); 4605 4606 case Q_VRRP: 4607 bpf_error("'vrrp' modifier applied to %s", typestr); 4608 4609 case Q_CARP: 4610 bpf_error("'carp' modifier applied to %s", typestr); 4611 4612 case Q_ATALK: 4613 bpf_error("ATALK host filtering not implemented"); 4614 4615 case Q_AARP: 4616 bpf_error("AARP host filtering not implemented"); 4617 4618 case Q_DECNET: 4619 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4620 4621 case Q_SCA: 4622 bpf_error("SCA host filtering not implemented"); 4623 4624 case Q_LAT: 4625 bpf_error("LAT host filtering not implemented"); 4626 4627 case Q_MOPDL: 4628 bpf_error("MOPDL host filtering not implemented"); 4629 4630 case Q_MOPRC: 4631 bpf_error("MOPRC host filtering not implemented"); 4632 4633 case Q_IPV6: 4634 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4635 4636 case Q_ICMPV6: 4637 bpf_error("'icmp6' modifier applied to %s", typestr); 4638 4639 case Q_AH: 4640 bpf_error("'ah' modifier applied to %s", typestr); 4641 4642 case Q_ESP: 4643 bpf_error("'esp' modifier applied to %s", typestr); 4644 4645 case Q_ISO: 4646 bpf_error("ISO host filtering not implemented"); 4647 4648 case Q_ESIS: 4649 bpf_error("'esis' modifier applied to %s", typestr); 4650 4651 case Q_ISIS: 4652 bpf_error("'isis' modifier applied to %s", typestr); 4653 4654 case Q_CLNP: 4655 bpf_error("'clnp' modifier applied to %s", typestr); 4656 4657 case Q_STP: 4658 bpf_error("'stp' modifier applied to %s", typestr); 4659 4660 case Q_IPX: 4661 bpf_error("IPX host filtering not implemented"); 4662 4663 case Q_NETBEUI: 4664 bpf_error("'netbeui' modifier applied to %s", typestr); 4665 4666 case Q_RADIO: 4667 bpf_error("'radio' modifier applied to %s", typestr); 4668 4669 default: 4670 abort(); 4671 } 4672 /* NOTREACHED */ 4673 } 4674 #endif /*INET6*/ 4675 4676 #ifndef INET6 4677 static struct block * 4678 gen_gateway(eaddr, alist, proto, dir) 4679 const u_char *eaddr; 4680 bpf_u_int32 **alist; 4681 int proto; 4682 int dir; 4683 { 4684 struct block *b0, *b1, *tmp; 4685 4686 if (dir != 0) 4687 bpf_error("direction applied to 'gateway'"); 4688 4689 switch (proto) { 4690 case Q_DEFAULT: 4691 case Q_IP: 4692 case Q_ARP: 4693 case Q_RARP: 4694 switch (linktype) { 4695 case DLT_EN10MB: 4696 case DLT_NETANALYZER: 4697 case DLT_NETANALYZER_TRANSPARENT: 4698 b0 = gen_ehostop(eaddr, Q_OR); 4699 break; 4700 case DLT_FDDI: 4701 b0 = gen_fhostop(eaddr, Q_OR); 4702 break; 4703 case DLT_IEEE802: 4704 b0 = gen_thostop(eaddr, Q_OR); 4705 break; 4706 case DLT_IEEE802_11: 4707 case DLT_PRISM_HEADER: 4708 case DLT_IEEE802_11_RADIO_AVS: 4709 case DLT_IEEE802_11_RADIO: 4710 case DLT_PPI: 4711 b0 = gen_wlanhostop(eaddr, Q_OR); 4712 break; 4713 case DLT_SUNATM: 4714 if (!is_lane) 4715 bpf_error( 4716 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4717 /* 4718 * Check that the packet doesn't begin with an 4719 * LE Control marker. (We've already generated 4720 * a test for LANE.) 4721 */ 4722 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4723 BPF_H, 0xFF00); 4724 gen_not(b1); 4725 4726 /* 4727 * Now check the MAC address. 4728 */ 4729 b0 = gen_ehostop(eaddr, Q_OR); 4730 gen_and(b1, b0); 4731 break; 4732 case DLT_IP_OVER_FC: 4733 b0 = gen_ipfchostop(eaddr, Q_OR); 4734 break; 4735 default: 4736 bpf_error( 4737 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4738 } 4739 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4740 while (*alist) { 4741 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4742 Q_HOST); 4743 gen_or(b1, tmp); 4744 b1 = tmp; 4745 } 4746 gen_not(b1); 4747 gen_and(b0, b1); 4748 return b1; 4749 } 4750 bpf_error("illegal modifier of 'gateway'"); 4751 /* NOTREACHED */ 4752 } 4753 #endif 4754 4755 struct block * 4756 gen_proto_abbrev(proto) 4757 int proto; 4758 { 4759 struct block *b0; 4760 struct block *b1; 4761 4762 switch (proto) { 4763 4764 case Q_SCTP: 4765 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4766 #ifdef INET6 4767 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4768 gen_or(b0, b1); 4769 #endif 4770 break; 4771 4772 case Q_TCP: 4773 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4774 #ifdef INET6 4775 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4776 gen_or(b0, b1); 4777 #endif 4778 break; 4779 4780 case Q_UDP: 4781 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4782 #ifdef INET6 4783 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4784 gen_or(b0, b1); 4785 #endif 4786 break; 4787 4788 case Q_ICMP: 4789 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4790 break; 4791 4792 #ifndef IPPROTO_IGMP 4793 #define IPPROTO_IGMP 2 4794 #endif 4795 4796 case Q_IGMP: 4797 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4798 break; 4799 4800 #ifndef IPPROTO_IGRP 4801 #define IPPROTO_IGRP 9 4802 #endif 4803 case Q_IGRP: 4804 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4805 break; 4806 4807 #ifndef IPPROTO_PIM 4808 #define IPPROTO_PIM 103 4809 #endif 4810 4811 case Q_PIM: 4812 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4813 #ifdef INET6 4814 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4815 gen_or(b0, b1); 4816 #endif 4817 break; 4818 4819 #ifndef IPPROTO_VRRP 4820 #define IPPROTO_VRRP 112 4821 #endif 4822 4823 case Q_VRRP: 4824 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4825 break; 4826 4827 #ifndef IPPROTO_CARP 4828 #define IPPROTO_CARP 112 4829 #endif 4830 4831 case Q_CARP: 4832 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 4833 break; 4834 4835 case Q_IP: 4836 b1 = gen_linktype(ETHERTYPE_IP); 4837 break; 4838 4839 case Q_ARP: 4840 b1 = gen_linktype(ETHERTYPE_ARP); 4841 break; 4842 4843 case Q_RARP: 4844 b1 = gen_linktype(ETHERTYPE_REVARP); 4845 break; 4846 4847 case Q_LINK: 4848 bpf_error("link layer applied in wrong context"); 4849 4850 case Q_ATALK: 4851 b1 = gen_linktype(ETHERTYPE_ATALK); 4852 break; 4853 4854 case Q_AARP: 4855 b1 = gen_linktype(ETHERTYPE_AARP); 4856 break; 4857 4858 case Q_DECNET: 4859 b1 = gen_linktype(ETHERTYPE_DN); 4860 break; 4861 4862 case Q_SCA: 4863 b1 = gen_linktype(ETHERTYPE_SCA); 4864 break; 4865 4866 case Q_LAT: 4867 b1 = gen_linktype(ETHERTYPE_LAT); 4868 break; 4869 4870 case Q_MOPDL: 4871 b1 = gen_linktype(ETHERTYPE_MOPDL); 4872 break; 4873 4874 case Q_MOPRC: 4875 b1 = gen_linktype(ETHERTYPE_MOPRC); 4876 break; 4877 4878 #ifdef INET6 4879 case Q_IPV6: 4880 b1 = gen_linktype(ETHERTYPE_IPV6); 4881 break; 4882 4883 #ifndef IPPROTO_ICMPV6 4884 #define IPPROTO_ICMPV6 58 4885 #endif 4886 case Q_ICMPV6: 4887 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4888 break; 4889 #endif /* INET6 */ 4890 4891 #ifndef IPPROTO_AH 4892 #define IPPROTO_AH 51 4893 #endif 4894 case Q_AH: 4895 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4896 #ifdef INET6 4897 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4898 gen_or(b0, b1); 4899 #endif 4900 break; 4901 4902 #ifndef IPPROTO_ESP 4903 #define IPPROTO_ESP 50 4904 #endif 4905 case Q_ESP: 4906 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4907 #ifdef INET6 4908 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4909 gen_or(b0, b1); 4910 #endif 4911 break; 4912 4913 case Q_ISO: 4914 b1 = gen_linktype(LLCSAP_ISONS); 4915 break; 4916 4917 case Q_ESIS: 4918 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4919 break; 4920 4921 case Q_ISIS: 4922 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4923 break; 4924 4925 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4926 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4927 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4928 gen_or(b0, b1); 4929 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4930 gen_or(b0, b1); 4931 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4932 gen_or(b0, b1); 4933 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4934 gen_or(b0, b1); 4935 break; 4936 4937 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4938 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4939 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4940 gen_or(b0, b1); 4941 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4942 gen_or(b0, b1); 4943 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4944 gen_or(b0, b1); 4945 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4946 gen_or(b0, b1); 4947 break; 4948 4949 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4950 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4951 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4952 gen_or(b0, b1); 4953 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4954 gen_or(b0, b1); 4955 break; 4956 4957 case Q_ISIS_LSP: 4958 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4959 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4960 gen_or(b0, b1); 4961 break; 4962 4963 case Q_ISIS_SNP: 4964 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4965 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4966 gen_or(b0, b1); 4967 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4968 gen_or(b0, b1); 4969 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4970 gen_or(b0, b1); 4971 break; 4972 4973 case Q_ISIS_CSNP: 4974 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4975 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4976 gen_or(b0, b1); 4977 break; 4978 4979 case Q_ISIS_PSNP: 4980 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4981 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4982 gen_or(b0, b1); 4983 break; 4984 4985 case Q_CLNP: 4986 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4987 break; 4988 4989 case Q_STP: 4990 b1 = gen_linktype(LLCSAP_8021D); 4991 break; 4992 4993 case Q_IPX: 4994 b1 = gen_linktype(LLCSAP_IPX); 4995 break; 4996 4997 case Q_NETBEUI: 4998 b1 = gen_linktype(LLCSAP_NETBEUI); 4999 break; 5000 5001 case Q_RADIO: 5002 bpf_error("'radio' is not a valid protocol type"); 5003 5004 default: 5005 abort(); 5006 } 5007 return b1; 5008 } 5009 5010 static struct block * 5011 gen_ipfrag() 5012 { 5013 struct slist *s; 5014 struct block *b; 5015 5016 /* not IPv4 frag other than the first frag */ 5017 s = gen_load_a(OR_NET, 6, BPF_H); 5018 b = new_block(JMP(BPF_JSET)); 5019 b->s.k = 0x1fff; 5020 b->stmts = s; 5021 gen_not(b); 5022 5023 return b; 5024 } 5025 5026 /* 5027 * Generate a comparison to a port value in the transport-layer header 5028 * at the specified offset from the beginning of that header. 5029 * 5030 * XXX - this handles a variable-length prefix preceding the link-layer 5031 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5032 * variable-length link-layer headers (such as Token Ring or 802.11 5033 * headers). 5034 */ 5035 static struct block * 5036 gen_portatom(off, v) 5037 int off; 5038 bpf_int32 v; 5039 { 5040 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5041 } 5042 5043 #ifdef INET6 5044 static struct block * 5045 gen_portatom6(off, v) 5046 int off; 5047 bpf_int32 v; 5048 { 5049 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5050 } 5051 #endif/*INET6*/ 5052 5053 struct block * 5054 gen_portop(port, proto, dir) 5055 int port, proto, dir; 5056 { 5057 struct block *b0, *b1, *tmp; 5058 5059 /* ip proto 'proto' and not a fragment other than the first fragment */ 5060 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5061 b0 = gen_ipfrag(); 5062 gen_and(tmp, b0); 5063 5064 switch (dir) { 5065 case Q_SRC: 5066 b1 = gen_portatom(0, (bpf_int32)port); 5067 break; 5068 5069 case Q_DST: 5070 b1 = gen_portatom(2, (bpf_int32)port); 5071 break; 5072 5073 case Q_OR: 5074 case Q_DEFAULT: 5075 tmp = gen_portatom(0, (bpf_int32)port); 5076 b1 = gen_portatom(2, (bpf_int32)port); 5077 gen_or(tmp, b1); 5078 break; 5079 5080 case Q_AND: 5081 tmp = gen_portatom(0, (bpf_int32)port); 5082 b1 = gen_portatom(2, (bpf_int32)port); 5083 gen_and(tmp, b1); 5084 break; 5085 5086 default: 5087 abort(); 5088 } 5089 gen_and(b0, b1); 5090 5091 return b1; 5092 } 5093 5094 static struct block * 5095 gen_port(port, ip_proto, dir) 5096 int port; 5097 int ip_proto; 5098 int dir; 5099 { 5100 struct block *b0, *b1, *tmp; 5101 5102 /* 5103 * ether proto ip 5104 * 5105 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5106 * not LLC encapsulation with LLCSAP_IP. 5107 * 5108 * For IEEE 802 networks - which includes 802.5 token ring 5109 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5110 * says that SNAP encapsulation is used, not LLC encapsulation 5111 * with LLCSAP_IP. 5112 * 5113 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5114 * RFC 2225 say that SNAP encapsulation is used, not LLC 5115 * encapsulation with LLCSAP_IP. 5116 * 5117 * So we always check for ETHERTYPE_IP. 5118 */ 5119 b0 = gen_linktype(ETHERTYPE_IP); 5120 5121 switch (ip_proto) { 5122 case IPPROTO_UDP: 5123 case IPPROTO_TCP: 5124 case IPPROTO_SCTP: 5125 b1 = gen_portop(port, ip_proto, dir); 5126 break; 5127 5128 case PROTO_UNDEF: 5129 tmp = gen_portop(port, IPPROTO_TCP, dir); 5130 b1 = gen_portop(port, IPPROTO_UDP, dir); 5131 gen_or(tmp, b1); 5132 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5133 gen_or(tmp, b1); 5134 break; 5135 5136 default: 5137 abort(); 5138 } 5139 gen_and(b0, b1); 5140 return b1; 5141 } 5142 5143 #ifdef INET6 5144 struct block * 5145 gen_portop6(port, proto, dir) 5146 int port, proto, dir; 5147 { 5148 struct block *b0, *b1, *tmp; 5149 5150 /* ip6 proto 'proto' */ 5151 /* XXX - catch the first fragment of a fragmented packet? */ 5152 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5153 5154 switch (dir) { 5155 case Q_SRC: 5156 b1 = gen_portatom6(0, (bpf_int32)port); 5157 break; 5158 5159 case Q_DST: 5160 b1 = gen_portatom6(2, (bpf_int32)port); 5161 break; 5162 5163 case Q_OR: 5164 case Q_DEFAULT: 5165 tmp = gen_portatom6(0, (bpf_int32)port); 5166 b1 = gen_portatom6(2, (bpf_int32)port); 5167 gen_or(tmp, b1); 5168 break; 5169 5170 case Q_AND: 5171 tmp = gen_portatom6(0, (bpf_int32)port); 5172 b1 = gen_portatom6(2, (bpf_int32)port); 5173 gen_and(tmp, b1); 5174 break; 5175 5176 default: 5177 abort(); 5178 } 5179 gen_and(b0, b1); 5180 5181 return b1; 5182 } 5183 5184 static struct block * 5185 gen_port6(port, ip_proto, dir) 5186 int port; 5187 int ip_proto; 5188 int dir; 5189 { 5190 struct block *b0, *b1, *tmp; 5191 5192 /* link proto ip6 */ 5193 b0 = gen_linktype(ETHERTYPE_IPV6); 5194 5195 switch (ip_proto) { 5196 case IPPROTO_UDP: 5197 case IPPROTO_TCP: 5198 case IPPROTO_SCTP: 5199 b1 = gen_portop6(port, ip_proto, dir); 5200 break; 5201 5202 case PROTO_UNDEF: 5203 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5204 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5205 gen_or(tmp, b1); 5206 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5207 gen_or(tmp, b1); 5208 break; 5209 5210 default: 5211 abort(); 5212 } 5213 gen_and(b0, b1); 5214 return b1; 5215 } 5216 #endif /* INET6 */ 5217 5218 /* gen_portrange code */ 5219 static struct block * 5220 gen_portrangeatom(off, v1, v2) 5221 int off; 5222 bpf_int32 v1, v2; 5223 { 5224 struct block *b1, *b2; 5225 5226 if (v1 > v2) { 5227 /* 5228 * Reverse the order of the ports, so v1 is the lower one. 5229 */ 5230 bpf_int32 vtemp; 5231 5232 vtemp = v1; 5233 v1 = v2; 5234 v2 = vtemp; 5235 } 5236 5237 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5238 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5239 5240 gen_and(b1, b2); 5241 5242 return b2; 5243 } 5244 5245 struct block * 5246 gen_portrangeop(port1, port2, proto, dir) 5247 int port1, port2; 5248 int proto; 5249 int dir; 5250 { 5251 struct block *b0, *b1, *tmp; 5252 5253 /* ip proto 'proto' and not a fragment other than the first fragment */ 5254 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5255 b0 = gen_ipfrag(); 5256 gen_and(tmp, b0); 5257 5258 switch (dir) { 5259 case Q_SRC: 5260 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5261 break; 5262 5263 case Q_DST: 5264 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5265 break; 5266 5267 case Q_OR: 5268 case Q_DEFAULT: 5269 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5270 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5271 gen_or(tmp, b1); 5272 break; 5273 5274 case Q_AND: 5275 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5276 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5277 gen_and(tmp, b1); 5278 break; 5279 5280 default: 5281 abort(); 5282 } 5283 gen_and(b0, b1); 5284 5285 return b1; 5286 } 5287 5288 static struct block * 5289 gen_portrange(port1, port2, ip_proto, dir) 5290 int port1, port2; 5291 int ip_proto; 5292 int dir; 5293 { 5294 struct block *b0, *b1, *tmp; 5295 5296 /* link proto ip */ 5297 b0 = gen_linktype(ETHERTYPE_IP); 5298 5299 switch (ip_proto) { 5300 case IPPROTO_UDP: 5301 case IPPROTO_TCP: 5302 case IPPROTO_SCTP: 5303 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5304 break; 5305 5306 case PROTO_UNDEF: 5307 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5308 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5309 gen_or(tmp, b1); 5310 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5311 gen_or(tmp, b1); 5312 break; 5313 5314 default: 5315 abort(); 5316 } 5317 gen_and(b0, b1); 5318 return b1; 5319 } 5320 5321 #ifdef INET6 5322 static struct block * 5323 gen_portrangeatom6(off, v1, v2) 5324 int off; 5325 bpf_int32 v1, v2; 5326 { 5327 struct block *b1, *b2; 5328 5329 if (v1 > v2) { 5330 /* 5331 * Reverse the order of the ports, so v1 is the lower one. 5332 */ 5333 bpf_int32 vtemp; 5334 5335 vtemp = v1; 5336 v1 = v2; 5337 v2 = vtemp; 5338 } 5339 5340 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5341 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5342 5343 gen_and(b1, b2); 5344 5345 return b2; 5346 } 5347 5348 struct block * 5349 gen_portrangeop6(port1, port2, proto, dir) 5350 int port1, port2; 5351 int proto; 5352 int dir; 5353 { 5354 struct block *b0, *b1, *tmp; 5355 5356 /* ip6 proto 'proto' */ 5357 /* XXX - catch the first fragment of a fragmented packet? */ 5358 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5359 5360 switch (dir) { 5361 case Q_SRC: 5362 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5363 break; 5364 5365 case Q_DST: 5366 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5367 break; 5368 5369 case Q_OR: 5370 case Q_DEFAULT: 5371 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5372 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5373 gen_or(tmp, b1); 5374 break; 5375 5376 case Q_AND: 5377 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5378 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5379 gen_and(tmp, b1); 5380 break; 5381 5382 default: 5383 abort(); 5384 } 5385 gen_and(b0, b1); 5386 5387 return b1; 5388 } 5389 5390 static struct block * 5391 gen_portrange6(port1, port2, ip_proto, dir) 5392 int port1, port2; 5393 int ip_proto; 5394 int dir; 5395 { 5396 struct block *b0, *b1, *tmp; 5397 5398 /* link proto ip6 */ 5399 b0 = gen_linktype(ETHERTYPE_IPV6); 5400 5401 switch (ip_proto) { 5402 case IPPROTO_UDP: 5403 case IPPROTO_TCP: 5404 case IPPROTO_SCTP: 5405 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5406 break; 5407 5408 case PROTO_UNDEF: 5409 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5410 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5411 gen_or(tmp, b1); 5412 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5413 gen_or(tmp, b1); 5414 break; 5415 5416 default: 5417 abort(); 5418 } 5419 gen_and(b0, b1); 5420 return b1; 5421 } 5422 #endif /* INET6 */ 5423 5424 static int 5425 lookup_proto(name, proto) 5426 register const char *name; 5427 register int proto; 5428 { 5429 register int v; 5430 5431 switch (proto) { 5432 5433 case Q_DEFAULT: 5434 case Q_IP: 5435 case Q_IPV6: 5436 v = pcap_nametoproto(name); 5437 if (v == PROTO_UNDEF) 5438 bpf_error("unknown ip proto '%s'", name); 5439 break; 5440 5441 case Q_LINK: 5442 /* XXX should look up h/w protocol type based on linktype */ 5443 v = pcap_nametoeproto(name); 5444 if (v == PROTO_UNDEF) { 5445 v = pcap_nametollc(name); 5446 if (v == PROTO_UNDEF) 5447 bpf_error("unknown ether proto '%s'", name); 5448 } 5449 break; 5450 5451 case Q_ISO: 5452 if (strcmp(name, "esis") == 0) 5453 v = ISO9542_ESIS; 5454 else if (strcmp(name, "isis") == 0) 5455 v = ISO10589_ISIS; 5456 else if (strcmp(name, "clnp") == 0) 5457 v = ISO8473_CLNP; 5458 else 5459 bpf_error("unknown osi proto '%s'", name); 5460 break; 5461 5462 default: 5463 v = PROTO_UNDEF; 5464 break; 5465 } 5466 return v; 5467 } 5468 5469 #if 0 5470 struct stmt * 5471 gen_joinsp(s, n) 5472 struct stmt **s; 5473 int n; 5474 { 5475 return NULL; 5476 } 5477 #endif 5478 5479 static struct block * 5480 gen_protochain(v, proto, dir) 5481 int v; 5482 int proto; 5483 int dir; 5484 { 5485 #ifdef NO_PROTOCHAIN 5486 return gen_proto(v, proto, dir); 5487 #else 5488 struct block *b0, *b; 5489 struct slist *s[100]; 5490 int fix2, fix3, fix4, fix5; 5491 int ahcheck, again, end; 5492 int i, max; 5493 int reg2 = alloc_reg(); 5494 5495 memset(s, 0, sizeof(s)); 5496 fix2 = fix3 = fix4 = fix5 = 0; 5497 5498 switch (proto) { 5499 case Q_IP: 5500 case Q_IPV6: 5501 break; 5502 case Q_DEFAULT: 5503 b0 = gen_protochain(v, Q_IP, dir); 5504 b = gen_protochain(v, Q_IPV6, dir); 5505 gen_or(b0, b); 5506 return b; 5507 default: 5508 bpf_error("bad protocol applied for 'protochain'"); 5509 /*NOTREACHED*/ 5510 } 5511 5512 /* 5513 * We don't handle variable-length prefixes before the link-layer 5514 * header, or variable-length link-layer headers, here yet. 5515 * We might want to add BPF instructions to do the protochain 5516 * work, to simplify that and, on platforms that have a BPF 5517 * interpreter with the new instructions, let the filtering 5518 * be done in the kernel. (We already require a modified BPF 5519 * engine to do the protochain stuff, to support backward 5520 * branches, and backward branch support is unlikely to appear 5521 * in kernel BPF engines.) 5522 */ 5523 switch (linktype) { 5524 5525 case DLT_IEEE802_11: 5526 case DLT_PRISM_HEADER: 5527 case DLT_IEEE802_11_RADIO_AVS: 5528 case DLT_IEEE802_11_RADIO: 5529 case DLT_PPI: 5530 bpf_error("'protochain' not supported with 802.11"); 5531 } 5532 5533 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5534 5535 /* 5536 * s[0] is a dummy entry to protect other BPF insn from damage 5537 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5538 * hard to find interdependency made by jump table fixup. 5539 */ 5540 i = 0; 5541 s[i] = new_stmt(0); /*dummy*/ 5542 i++; 5543 5544 switch (proto) { 5545 case Q_IP: 5546 b0 = gen_linktype(ETHERTYPE_IP); 5547 5548 /* A = ip->ip_p */ 5549 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5550 s[i]->s.k = off_macpl + off_nl + 9; 5551 i++; 5552 /* X = ip->ip_hl << 2 */ 5553 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5554 s[i]->s.k = off_macpl + off_nl; 5555 i++; 5556 break; 5557 #ifdef INET6 5558 case Q_IPV6: 5559 b0 = gen_linktype(ETHERTYPE_IPV6); 5560 5561 /* A = ip6->ip_nxt */ 5562 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5563 s[i]->s.k = off_macpl + off_nl + 6; 5564 i++; 5565 /* X = sizeof(struct ip6_hdr) */ 5566 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5567 s[i]->s.k = 40; 5568 i++; 5569 break; 5570 #endif 5571 default: 5572 bpf_error("unsupported proto to gen_protochain"); 5573 /*NOTREACHED*/ 5574 } 5575 5576 /* again: if (A == v) goto end; else fall through; */ 5577 again = i; 5578 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5579 s[i]->s.k = v; 5580 s[i]->s.jt = NULL; /*later*/ 5581 s[i]->s.jf = NULL; /*update in next stmt*/ 5582 fix5 = i; 5583 i++; 5584 5585 #ifndef IPPROTO_NONE 5586 #define IPPROTO_NONE 59 5587 #endif 5588 /* if (A == IPPROTO_NONE) goto end */ 5589 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5590 s[i]->s.jt = NULL; /*later*/ 5591 s[i]->s.jf = NULL; /*update in next stmt*/ 5592 s[i]->s.k = IPPROTO_NONE; 5593 s[fix5]->s.jf = s[i]; 5594 fix2 = i; 5595 i++; 5596 5597 #ifdef INET6 5598 if (proto == Q_IPV6) { 5599 int v6start, v6end, v6advance, j; 5600 5601 v6start = i; 5602 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5603 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5604 s[i]->s.jt = NULL; /*later*/ 5605 s[i]->s.jf = NULL; /*update in next stmt*/ 5606 s[i]->s.k = IPPROTO_HOPOPTS; 5607 s[fix2]->s.jf = s[i]; 5608 i++; 5609 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5610 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5611 s[i]->s.jt = NULL; /*later*/ 5612 s[i]->s.jf = NULL; /*update in next stmt*/ 5613 s[i]->s.k = IPPROTO_DSTOPTS; 5614 i++; 5615 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5616 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5617 s[i]->s.jt = NULL; /*later*/ 5618 s[i]->s.jf = NULL; /*update in next stmt*/ 5619 s[i]->s.k = IPPROTO_ROUTING; 5620 i++; 5621 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5622 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5623 s[i]->s.jt = NULL; /*later*/ 5624 s[i]->s.jf = NULL; /*later*/ 5625 s[i]->s.k = IPPROTO_FRAGMENT; 5626 fix3 = i; 5627 v6end = i; 5628 i++; 5629 5630 /* v6advance: */ 5631 v6advance = i; 5632 5633 /* 5634 * in short, 5635 * A = P[X + packet head]; 5636 * X = X + (P[X + packet head + 1] + 1) * 8; 5637 */ 5638 /* A = P[X + packet head] */ 5639 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5640 s[i]->s.k = off_macpl + off_nl; 5641 i++; 5642 /* MEM[reg2] = A */ 5643 s[i] = new_stmt(BPF_ST); 5644 s[i]->s.k = reg2; 5645 i++; 5646 /* A = P[X + packet head + 1]; */ 5647 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5648 s[i]->s.k = off_macpl + off_nl + 1; 5649 i++; 5650 /* A += 1 */ 5651 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5652 s[i]->s.k = 1; 5653 i++; 5654 /* A *= 8 */ 5655 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5656 s[i]->s.k = 8; 5657 i++; 5658 /* A += X */ 5659 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5660 s[i]->s.k = 0; 5661 i++; 5662 /* X = A; */ 5663 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5664 i++; 5665 /* A = MEM[reg2] */ 5666 s[i] = new_stmt(BPF_LD|BPF_MEM); 5667 s[i]->s.k = reg2; 5668 i++; 5669 5670 /* goto again; (must use BPF_JA for backward jump) */ 5671 s[i] = new_stmt(BPF_JMP|BPF_JA); 5672 s[i]->s.k = again - i - 1; 5673 s[i - 1]->s.jf = s[i]; 5674 i++; 5675 5676 /* fixup */ 5677 for (j = v6start; j <= v6end; j++) 5678 s[j]->s.jt = s[v6advance]; 5679 } else 5680 #endif 5681 { 5682 /* nop */ 5683 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5684 s[i]->s.k = 0; 5685 s[fix2]->s.jf = s[i]; 5686 i++; 5687 } 5688 5689 /* ahcheck: */ 5690 ahcheck = i; 5691 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5692 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5693 s[i]->s.jt = NULL; /*later*/ 5694 s[i]->s.jf = NULL; /*later*/ 5695 s[i]->s.k = IPPROTO_AH; 5696 if (fix3) 5697 s[fix3]->s.jf = s[ahcheck]; 5698 fix4 = i; 5699 i++; 5700 5701 /* 5702 * in short, 5703 * A = P[X]; 5704 * X = X + (P[X + 1] + 2) * 4; 5705 */ 5706 /* A = X */ 5707 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5708 i++; 5709 /* A = P[X + packet head]; */ 5710 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5711 s[i]->s.k = off_macpl + off_nl; 5712 i++; 5713 /* MEM[reg2] = A */ 5714 s[i] = new_stmt(BPF_ST); 5715 s[i]->s.k = reg2; 5716 i++; 5717 /* A = X */ 5718 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5719 i++; 5720 /* A += 1 */ 5721 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5722 s[i]->s.k = 1; 5723 i++; 5724 /* X = A */ 5725 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5726 i++; 5727 /* A = P[X + packet head] */ 5728 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5729 s[i]->s.k = off_macpl + off_nl; 5730 i++; 5731 /* A += 2 */ 5732 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5733 s[i]->s.k = 2; 5734 i++; 5735 /* A *= 4 */ 5736 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5737 s[i]->s.k = 4; 5738 i++; 5739 /* X = A; */ 5740 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5741 i++; 5742 /* A = MEM[reg2] */ 5743 s[i] = new_stmt(BPF_LD|BPF_MEM); 5744 s[i]->s.k = reg2; 5745 i++; 5746 5747 /* goto again; (must use BPF_JA for backward jump) */ 5748 s[i] = new_stmt(BPF_JMP|BPF_JA); 5749 s[i]->s.k = again - i - 1; 5750 i++; 5751 5752 /* end: nop */ 5753 end = i; 5754 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5755 s[i]->s.k = 0; 5756 s[fix2]->s.jt = s[end]; 5757 s[fix4]->s.jf = s[end]; 5758 s[fix5]->s.jt = s[end]; 5759 i++; 5760 5761 /* 5762 * make slist chain 5763 */ 5764 max = i; 5765 for (i = 0; i < max - 1; i++) 5766 s[i]->next = s[i + 1]; 5767 s[max - 1]->next = NULL; 5768 5769 /* 5770 * emit final check 5771 */ 5772 b = new_block(JMP(BPF_JEQ)); 5773 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5774 b->s.k = v; 5775 5776 free_reg(reg2); 5777 5778 gen_and(b0, b); 5779 return b; 5780 #endif 5781 } 5782 5783 static struct block * 5784 gen_check_802_11_data_frame() 5785 { 5786 struct slist *s; 5787 struct block *b0, *b1; 5788 5789 /* 5790 * A data frame has the 0x08 bit (b3) in the frame control field set 5791 * and the 0x04 bit (b2) clear. 5792 */ 5793 s = gen_load_a(OR_LINK, 0, BPF_B); 5794 b0 = new_block(JMP(BPF_JSET)); 5795 b0->s.k = 0x08; 5796 b0->stmts = s; 5797 5798 s = gen_load_a(OR_LINK, 0, BPF_B); 5799 b1 = new_block(JMP(BPF_JSET)); 5800 b1->s.k = 0x04; 5801 b1->stmts = s; 5802 gen_not(b1); 5803 5804 gen_and(b1, b0); 5805 5806 return b0; 5807 } 5808 5809 /* 5810 * Generate code that checks whether the packet is a packet for protocol 5811 * <proto> and whether the type field in that protocol's header has 5812 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5813 * IP packet and checks the protocol number in the IP header against <v>. 5814 * 5815 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5816 * against Q_IP and Q_IPV6. 5817 */ 5818 static struct block * 5819 gen_proto(v, proto, dir) 5820 int v; 5821 int proto; 5822 int dir; 5823 { 5824 struct block *b0, *b1; 5825 #ifdef INET6 5826 #ifndef CHASE_CHAIN 5827 struct block *b2; 5828 #endif 5829 #endif 5830 5831 if (dir != Q_DEFAULT) 5832 bpf_error("direction applied to 'proto'"); 5833 5834 switch (proto) { 5835 case Q_DEFAULT: 5836 #ifdef INET6 5837 b0 = gen_proto(v, Q_IP, dir); 5838 b1 = gen_proto(v, Q_IPV6, dir); 5839 gen_or(b0, b1); 5840 return b1; 5841 #else 5842 /*FALLTHROUGH*/ 5843 #endif 5844 case Q_IP: 5845 /* 5846 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5847 * not LLC encapsulation with LLCSAP_IP. 5848 * 5849 * For IEEE 802 networks - which includes 802.5 token ring 5850 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5851 * says that SNAP encapsulation is used, not LLC encapsulation 5852 * with LLCSAP_IP. 5853 * 5854 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5855 * RFC 2225 say that SNAP encapsulation is used, not LLC 5856 * encapsulation with LLCSAP_IP. 5857 * 5858 * So we always check for ETHERTYPE_IP. 5859 */ 5860 b0 = gen_linktype(ETHERTYPE_IP); 5861 #ifndef CHASE_CHAIN 5862 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5863 #else 5864 b1 = gen_protochain(v, Q_IP); 5865 #endif 5866 gen_and(b0, b1); 5867 return b1; 5868 5869 case Q_ISO: 5870 switch (linktype) { 5871 5872 case DLT_FRELAY: 5873 /* 5874 * Frame Relay packets typically have an OSI 5875 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5876 * generates code to check for all the OSI 5877 * NLPIDs, so calling it and then adding a check 5878 * for the particular NLPID for which we're 5879 * looking is bogus, as we can just check for 5880 * the NLPID. 5881 * 5882 * What we check for is the NLPID and a frame 5883 * control field value of UI, i.e. 0x03 followed 5884 * by the NLPID. 5885 * 5886 * XXX - assumes a 2-byte Frame Relay header with 5887 * DLCI and flags. What if the address is longer? 5888 * 5889 * XXX - what about SNAP-encapsulated frames? 5890 */ 5891 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5892 /*NOTREACHED*/ 5893 break; 5894 5895 case DLT_C_HDLC: 5896 /* 5897 * Cisco uses an Ethertype lookalike - for OSI, 5898 * it's 0xfefe. 5899 */ 5900 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5901 /* OSI in C-HDLC is stuffed with a fudge byte */ 5902 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5903 gen_and(b0, b1); 5904 return b1; 5905 5906 default: 5907 b0 = gen_linktype(LLCSAP_ISONS); 5908 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5909 gen_and(b0, b1); 5910 return b1; 5911 } 5912 5913 case Q_ISIS: 5914 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5915 /* 5916 * 4 is the offset of the PDU type relative to the IS-IS 5917 * header. 5918 */ 5919 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5920 gen_and(b0, b1); 5921 return b1; 5922 5923 case Q_ARP: 5924 bpf_error("arp does not encapsulate another protocol"); 5925 /* NOTREACHED */ 5926 5927 case Q_RARP: 5928 bpf_error("rarp does not encapsulate another protocol"); 5929 /* NOTREACHED */ 5930 5931 case Q_ATALK: 5932 bpf_error("atalk encapsulation is not specifiable"); 5933 /* NOTREACHED */ 5934 5935 case Q_DECNET: 5936 bpf_error("decnet encapsulation is not specifiable"); 5937 /* NOTREACHED */ 5938 5939 case Q_SCA: 5940 bpf_error("sca does not encapsulate another protocol"); 5941 /* NOTREACHED */ 5942 5943 case Q_LAT: 5944 bpf_error("lat does not encapsulate another protocol"); 5945 /* NOTREACHED */ 5946 5947 case Q_MOPRC: 5948 bpf_error("moprc does not encapsulate another protocol"); 5949 /* NOTREACHED */ 5950 5951 case Q_MOPDL: 5952 bpf_error("mopdl does not encapsulate another protocol"); 5953 /* NOTREACHED */ 5954 5955 case Q_LINK: 5956 return gen_linktype(v); 5957 5958 case Q_UDP: 5959 bpf_error("'udp proto' is bogus"); 5960 /* NOTREACHED */ 5961 5962 case Q_TCP: 5963 bpf_error("'tcp proto' is bogus"); 5964 /* NOTREACHED */ 5965 5966 case Q_SCTP: 5967 bpf_error("'sctp proto' is bogus"); 5968 /* NOTREACHED */ 5969 5970 case Q_ICMP: 5971 bpf_error("'icmp proto' is bogus"); 5972 /* NOTREACHED */ 5973 5974 case Q_IGMP: 5975 bpf_error("'igmp proto' is bogus"); 5976 /* NOTREACHED */ 5977 5978 case Q_IGRP: 5979 bpf_error("'igrp proto' is bogus"); 5980 /* NOTREACHED */ 5981 5982 case Q_PIM: 5983 bpf_error("'pim proto' is bogus"); 5984 /* NOTREACHED */ 5985 5986 case Q_VRRP: 5987 bpf_error("'vrrp proto' is bogus"); 5988 /* NOTREACHED */ 5989 5990 case Q_CARP: 5991 bpf_error("'carp proto' is bogus"); 5992 /* NOTREACHED */ 5993 5994 #ifdef INET6 5995 case Q_IPV6: 5996 b0 = gen_linktype(ETHERTYPE_IPV6); 5997 #ifndef CHASE_CHAIN 5998 /* 5999 * Also check for a fragment header before the final 6000 * header. 6001 */ 6002 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT); 6003 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v); 6004 gen_and(b2, b1); 6005 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 6006 gen_or(b2, b1); 6007 #else 6008 b1 = gen_protochain(v, Q_IPV6); 6009 #endif 6010 gen_and(b0, b1); 6011 return b1; 6012 6013 case Q_ICMPV6: 6014 bpf_error("'icmp6 proto' is bogus"); 6015 #endif /* INET6 */ 6016 6017 case Q_AH: 6018 bpf_error("'ah proto' is bogus"); 6019 6020 case Q_ESP: 6021 bpf_error("'ah proto' is bogus"); 6022 6023 case Q_STP: 6024 bpf_error("'stp proto' is bogus"); 6025 6026 case Q_IPX: 6027 bpf_error("'ipx proto' is bogus"); 6028 6029 case Q_NETBEUI: 6030 bpf_error("'netbeui proto' is bogus"); 6031 6032 case Q_RADIO: 6033 bpf_error("'radio proto' is bogus"); 6034 6035 default: 6036 abort(); 6037 /* NOTREACHED */ 6038 } 6039 /* NOTREACHED */ 6040 } 6041 6042 struct block * 6043 gen_scode(name, q) 6044 register const char *name; 6045 struct qual q; 6046 { 6047 int proto = q.proto; 6048 int dir = q.dir; 6049 int tproto; 6050 u_char *eaddr; 6051 bpf_u_int32 mask, addr; 6052 #ifndef INET6 6053 bpf_u_int32 **alist; 6054 #else 6055 int tproto6; 6056 struct sockaddr_in *sin4; 6057 struct sockaddr_in6 *sin6; 6058 struct addrinfo *res, *res0; 6059 struct in6_addr mask128; 6060 #endif /*INET6*/ 6061 struct block *b, *tmp; 6062 int port, real_proto; 6063 int port1, port2; 6064 6065 switch (q.addr) { 6066 6067 case Q_NET: 6068 addr = pcap_nametonetaddr(name); 6069 if (addr == 0) 6070 bpf_error("unknown network '%s'", name); 6071 /* Left justify network addr and calculate its network mask */ 6072 mask = 0xffffffff; 6073 while (addr && (addr & 0xff000000) == 0) { 6074 addr <<= 8; 6075 mask <<= 8; 6076 } 6077 return gen_host(addr, mask, proto, dir, q.addr); 6078 6079 case Q_DEFAULT: 6080 case Q_HOST: 6081 if (proto == Q_LINK) { 6082 switch (linktype) { 6083 6084 case DLT_EN10MB: 6085 case DLT_NETANALYZER: 6086 case DLT_NETANALYZER_TRANSPARENT: 6087 eaddr = pcap_ether_hostton(name); 6088 if (eaddr == NULL) 6089 bpf_error( 6090 "unknown ether host '%s'", name); 6091 b = gen_ehostop(eaddr, dir); 6092 free(eaddr); 6093 return b; 6094 6095 case DLT_FDDI: 6096 eaddr = pcap_ether_hostton(name); 6097 if (eaddr == NULL) 6098 bpf_error( 6099 "unknown FDDI host '%s'", name); 6100 b = gen_fhostop(eaddr, dir); 6101 free(eaddr); 6102 return b; 6103 6104 case DLT_IEEE802: 6105 eaddr = pcap_ether_hostton(name); 6106 if (eaddr == NULL) 6107 bpf_error( 6108 "unknown token ring host '%s'", name); 6109 b = gen_thostop(eaddr, dir); 6110 free(eaddr); 6111 return b; 6112 6113 case DLT_IEEE802_11: 6114 case DLT_PRISM_HEADER: 6115 case DLT_IEEE802_11_RADIO_AVS: 6116 case DLT_IEEE802_11_RADIO: 6117 case DLT_PPI: 6118 eaddr = pcap_ether_hostton(name); 6119 if (eaddr == NULL) 6120 bpf_error( 6121 "unknown 802.11 host '%s'", name); 6122 b = gen_wlanhostop(eaddr, dir); 6123 free(eaddr); 6124 return b; 6125 6126 case DLT_IP_OVER_FC: 6127 eaddr = pcap_ether_hostton(name); 6128 if (eaddr == NULL) 6129 bpf_error( 6130 "unknown Fibre Channel host '%s'", name); 6131 b = gen_ipfchostop(eaddr, dir); 6132 free(eaddr); 6133 return b; 6134 6135 case DLT_SUNATM: 6136 if (!is_lane) 6137 break; 6138 6139 /* 6140 * Check that the packet doesn't begin 6141 * with an LE Control marker. (We've 6142 * already generated a test for LANE.) 6143 */ 6144 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6145 BPF_H, 0xFF00); 6146 gen_not(tmp); 6147 6148 eaddr = pcap_ether_hostton(name); 6149 if (eaddr == NULL) 6150 bpf_error( 6151 "unknown ether host '%s'", name); 6152 b = gen_ehostop(eaddr, dir); 6153 gen_and(tmp, b); 6154 free(eaddr); 6155 return b; 6156 } 6157 6158 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6159 } else if (proto == Q_DECNET) { 6160 unsigned short dn_addr = __pcap_nametodnaddr(name); 6161 /* 6162 * I don't think DECNET hosts can be multihomed, so 6163 * there is no need to build up a list of addresses 6164 */ 6165 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6166 } else { 6167 #ifndef INET6 6168 alist = pcap_nametoaddr(name); 6169 if (alist == NULL || *alist == NULL) 6170 bpf_error("unknown host '%s'", name); 6171 tproto = proto; 6172 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6173 tproto = Q_IP; 6174 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6175 while (*alist) { 6176 tmp = gen_host(**alist++, 0xffffffff, 6177 tproto, dir, q.addr); 6178 gen_or(b, tmp); 6179 b = tmp; 6180 } 6181 return b; 6182 #else 6183 memset(&mask128, 0xff, sizeof(mask128)); 6184 res0 = res = pcap_nametoaddrinfo(name); 6185 if (res == NULL) 6186 bpf_error("unknown host '%s'", name); 6187 ai = res; 6188 b = tmp = NULL; 6189 tproto = tproto6 = proto; 6190 if (off_linktype == -1 && tproto == Q_DEFAULT) { 6191 tproto = Q_IP; 6192 tproto6 = Q_IPV6; 6193 } 6194 for (res = res0; res; res = res->ai_next) { 6195 switch (res->ai_family) { 6196 case AF_INET: 6197 if (tproto == Q_IPV6) 6198 continue; 6199 6200 sin4 = (struct sockaddr_in *) 6201 res->ai_addr; 6202 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6203 0xffffffff, tproto, dir, q.addr); 6204 break; 6205 case AF_INET6: 6206 if (tproto6 == Q_IP) 6207 continue; 6208 6209 sin6 = (struct sockaddr_in6 *) 6210 res->ai_addr; 6211 tmp = gen_host6(&sin6->sin6_addr, 6212 &mask128, tproto6, dir, q.addr); 6213 break; 6214 default: 6215 continue; 6216 } 6217 if (b) 6218 gen_or(b, tmp); 6219 b = tmp; 6220 } 6221 ai = NULL; 6222 freeaddrinfo(res0); 6223 if (b == NULL) { 6224 bpf_error("unknown host '%s'%s", name, 6225 (proto == Q_DEFAULT) 6226 ? "" 6227 : " for specified address family"); 6228 } 6229 return b; 6230 #endif /*INET6*/ 6231 } 6232 6233 case Q_PORT: 6234 if (proto != Q_DEFAULT && 6235 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6236 bpf_error("illegal qualifier of 'port'"); 6237 if (pcap_nametoport(name, &port, &real_proto) == 0) 6238 bpf_error("unknown port '%s'", name); 6239 if (proto == Q_UDP) { 6240 if (real_proto == IPPROTO_TCP) 6241 bpf_error("port '%s' is tcp", name); 6242 else if (real_proto == IPPROTO_SCTP) 6243 bpf_error("port '%s' is sctp", name); 6244 else 6245 /* override PROTO_UNDEF */ 6246 real_proto = IPPROTO_UDP; 6247 } 6248 if (proto == Q_TCP) { 6249 if (real_proto == IPPROTO_UDP) 6250 bpf_error("port '%s' is udp", name); 6251 6252 else if (real_proto == IPPROTO_SCTP) 6253 bpf_error("port '%s' is sctp", name); 6254 else 6255 /* override PROTO_UNDEF */ 6256 real_proto = IPPROTO_TCP; 6257 } 6258 if (proto == Q_SCTP) { 6259 if (real_proto == IPPROTO_UDP) 6260 bpf_error("port '%s' is udp", name); 6261 6262 else if (real_proto == IPPROTO_TCP) 6263 bpf_error("port '%s' is tcp", name); 6264 else 6265 /* override PROTO_UNDEF */ 6266 real_proto = IPPROTO_SCTP; 6267 } 6268 if (port < 0) 6269 bpf_error("illegal port number %d < 0", port); 6270 if (port > 65535) 6271 bpf_error("illegal port number %d > 65535", port); 6272 #ifndef INET6 6273 return gen_port(port, real_proto, dir); 6274 #else 6275 b = gen_port(port, real_proto, dir); 6276 gen_or(gen_port6(port, real_proto, dir), b); 6277 return b; 6278 #endif /* INET6 */ 6279 6280 case Q_PORTRANGE: 6281 if (proto != Q_DEFAULT && 6282 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6283 bpf_error("illegal qualifier of 'portrange'"); 6284 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6285 bpf_error("unknown port in range '%s'", name); 6286 if (proto == Q_UDP) { 6287 if (real_proto == IPPROTO_TCP) 6288 bpf_error("port in range '%s' is tcp", name); 6289 else if (real_proto == IPPROTO_SCTP) 6290 bpf_error("port in range '%s' is sctp", name); 6291 else 6292 /* override PROTO_UNDEF */ 6293 real_proto = IPPROTO_UDP; 6294 } 6295 if (proto == Q_TCP) { 6296 if (real_proto == IPPROTO_UDP) 6297 bpf_error("port in range '%s' is udp", name); 6298 else if (real_proto == IPPROTO_SCTP) 6299 bpf_error("port in range '%s' is sctp", name); 6300 else 6301 /* override PROTO_UNDEF */ 6302 real_proto = IPPROTO_TCP; 6303 } 6304 if (proto == Q_SCTP) { 6305 if (real_proto == IPPROTO_UDP) 6306 bpf_error("port in range '%s' is udp", name); 6307 else if (real_proto == IPPROTO_TCP) 6308 bpf_error("port in range '%s' is tcp", name); 6309 else 6310 /* override PROTO_UNDEF */ 6311 real_proto = IPPROTO_SCTP; 6312 } 6313 if (port1 < 0) 6314 bpf_error("illegal port number %d < 0", port1); 6315 if (port1 > 65535) 6316 bpf_error("illegal port number %d > 65535", port1); 6317 if (port2 < 0) 6318 bpf_error("illegal port number %d < 0", port2); 6319 if (port2 > 65535) 6320 bpf_error("illegal port number %d > 65535", port2); 6321 6322 #ifndef INET6 6323 return gen_portrange(port1, port2, real_proto, dir); 6324 #else 6325 b = gen_portrange(port1, port2, real_proto, dir); 6326 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6327 return b; 6328 #endif /* INET6 */ 6329 6330 case Q_GATEWAY: 6331 #ifndef INET6 6332 eaddr = pcap_ether_hostton(name); 6333 if (eaddr == NULL) 6334 bpf_error("unknown ether host: %s", name); 6335 6336 alist = pcap_nametoaddr(name); 6337 if (alist == NULL || *alist == NULL) 6338 bpf_error("unknown host '%s'", name); 6339 b = gen_gateway(eaddr, alist, proto, dir); 6340 free(eaddr); 6341 return b; 6342 #else 6343 bpf_error("'gateway' not supported in this configuration"); 6344 #endif /*INET6*/ 6345 6346 case Q_PROTO: 6347 real_proto = lookup_proto(name, proto); 6348 if (real_proto >= 0) 6349 return gen_proto(real_proto, proto, dir); 6350 else 6351 bpf_error("unknown protocol: %s", name); 6352 6353 case Q_PROTOCHAIN: 6354 real_proto = lookup_proto(name, proto); 6355 if (real_proto >= 0) 6356 return gen_protochain(real_proto, proto, dir); 6357 else 6358 bpf_error("unknown protocol: %s", name); 6359 6360 case Q_UNDEF: 6361 syntax(); 6362 /* NOTREACHED */ 6363 } 6364 abort(); 6365 /* NOTREACHED */ 6366 } 6367 6368 struct block * 6369 gen_mcode(s1, s2, masklen, q) 6370 register const char *s1, *s2; 6371 register int masklen; 6372 struct qual q; 6373 { 6374 register int nlen, mlen; 6375 bpf_u_int32 n, m; 6376 6377 nlen = __pcap_atoin(s1, &n); 6378 /* Promote short ipaddr */ 6379 n <<= 32 - nlen; 6380 6381 if (s2 != NULL) { 6382 mlen = __pcap_atoin(s2, &m); 6383 /* Promote short ipaddr */ 6384 m <<= 32 - mlen; 6385 if ((n & ~m) != 0) 6386 bpf_error("non-network bits set in \"%s mask %s\"", 6387 s1, s2); 6388 } else { 6389 /* Convert mask len to mask */ 6390 if (masklen > 32) 6391 bpf_error("mask length must be <= 32"); 6392 if (masklen == 0) { 6393 /* 6394 * X << 32 is not guaranteed by C to be 0; it's 6395 * undefined. 6396 */ 6397 m = 0; 6398 } else 6399 m = 0xffffffff << (32 - masklen); 6400 if ((n & ~m) != 0) 6401 bpf_error("non-network bits set in \"%s/%d\"", 6402 s1, masklen); 6403 } 6404 6405 switch (q.addr) { 6406 6407 case Q_NET: 6408 return gen_host(n, m, q.proto, q.dir, q.addr); 6409 6410 default: 6411 bpf_error("Mask syntax for networks only"); 6412 /* NOTREACHED */ 6413 } 6414 /* NOTREACHED */ 6415 return NULL; 6416 } 6417 6418 struct block * 6419 gen_ncode(s, v, q) 6420 register const char *s; 6421 bpf_u_int32 v; 6422 struct qual q; 6423 { 6424 bpf_u_int32 mask; 6425 int proto = q.proto; 6426 int dir = q.dir; 6427 register int vlen; 6428 6429 if (s == NULL) 6430 vlen = 32; 6431 else if (q.proto == Q_DECNET) 6432 vlen = __pcap_atodn(s, &v); 6433 else 6434 vlen = __pcap_atoin(s, &v); 6435 6436 switch (q.addr) { 6437 6438 case Q_DEFAULT: 6439 case Q_HOST: 6440 case Q_NET: 6441 if (proto == Q_DECNET) 6442 return gen_host(v, 0, proto, dir, q.addr); 6443 else if (proto == Q_LINK) { 6444 bpf_error("illegal link layer address"); 6445 } else { 6446 mask = 0xffffffff; 6447 if (s == NULL && q.addr == Q_NET) { 6448 /* Promote short net number */ 6449 while (v && (v & 0xff000000) == 0) { 6450 v <<= 8; 6451 mask <<= 8; 6452 } 6453 } else { 6454 /* Promote short ipaddr */ 6455 v <<= 32 - vlen; 6456 mask <<= 32 - vlen; 6457 } 6458 return gen_host(v, mask, proto, dir, q.addr); 6459 } 6460 6461 case Q_PORT: 6462 if (proto == Q_UDP) 6463 proto = IPPROTO_UDP; 6464 else if (proto == Q_TCP) 6465 proto = IPPROTO_TCP; 6466 else if (proto == Q_SCTP) 6467 proto = IPPROTO_SCTP; 6468 else if (proto == Q_DEFAULT) 6469 proto = PROTO_UNDEF; 6470 else 6471 bpf_error("illegal qualifier of 'port'"); 6472 6473 if (v > 65535) 6474 bpf_error("illegal port number %u > 65535", v); 6475 6476 #ifndef INET6 6477 return gen_port((int)v, proto, dir); 6478 #else 6479 { 6480 struct block *b; 6481 b = gen_port((int)v, proto, dir); 6482 gen_or(gen_port6((int)v, proto, dir), b); 6483 return b; 6484 } 6485 #endif /* INET6 */ 6486 6487 case Q_PORTRANGE: 6488 if (proto == Q_UDP) 6489 proto = IPPROTO_UDP; 6490 else if (proto == Q_TCP) 6491 proto = IPPROTO_TCP; 6492 else if (proto == Q_SCTP) 6493 proto = IPPROTO_SCTP; 6494 else if (proto == Q_DEFAULT) 6495 proto = PROTO_UNDEF; 6496 else 6497 bpf_error("illegal qualifier of 'portrange'"); 6498 6499 if (v > 65535) 6500 bpf_error("illegal port number %u > 65535", v); 6501 6502 #ifndef INET6 6503 return gen_portrange((int)v, (int)v, proto, dir); 6504 #else 6505 { 6506 struct block *b; 6507 b = gen_portrange((int)v, (int)v, proto, dir); 6508 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6509 return b; 6510 } 6511 #endif /* INET6 */ 6512 6513 case Q_GATEWAY: 6514 bpf_error("'gateway' requires a name"); 6515 /* NOTREACHED */ 6516 6517 case Q_PROTO: 6518 return gen_proto((int)v, proto, dir); 6519 6520 case Q_PROTOCHAIN: 6521 return gen_protochain((int)v, proto, dir); 6522 6523 case Q_UNDEF: 6524 syntax(); 6525 /* NOTREACHED */ 6526 6527 default: 6528 abort(); 6529 /* NOTREACHED */ 6530 } 6531 /* NOTREACHED */ 6532 } 6533 6534 #ifdef INET6 6535 struct block * 6536 gen_mcode6(s1, s2, masklen, q) 6537 register const char *s1, *s2; 6538 register int masklen; 6539 struct qual q; 6540 { 6541 struct addrinfo *res; 6542 struct in6_addr *addr; 6543 struct in6_addr mask; 6544 struct block *b; 6545 u_int32_t *a, *m; 6546 6547 if (s2) 6548 bpf_error("no mask %s supported", s2); 6549 6550 res = pcap_nametoaddrinfo(s1); 6551 if (!res) 6552 bpf_error("invalid ip6 address %s", s1); 6553 ai = res; 6554 if (res->ai_next) 6555 bpf_error("%s resolved to multiple address", s1); 6556 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6557 6558 if (sizeof(mask) * 8 < masklen) 6559 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6560 memset(&mask, 0, sizeof(mask)); 6561 memset(&mask, 0xff, masklen / 8); 6562 if (masklen % 8) { 6563 mask.s6_addr[masklen / 8] = 6564 (0xff << (8 - masklen % 8)) & 0xff; 6565 } 6566 6567 a = (u_int32_t *)addr; 6568 m = (u_int32_t *)&mask; 6569 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6570 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6571 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6572 } 6573 6574 switch (q.addr) { 6575 6576 case Q_DEFAULT: 6577 case Q_HOST: 6578 if (masklen != 128) 6579 bpf_error("Mask syntax for networks only"); 6580 /* FALLTHROUGH */ 6581 6582 case Q_NET: 6583 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6584 ai = NULL; 6585 freeaddrinfo(res); 6586 return b; 6587 6588 default: 6589 bpf_error("invalid qualifier against IPv6 address"); 6590 /* NOTREACHED */ 6591 } 6592 return NULL; 6593 } 6594 #endif /*INET6*/ 6595 6596 struct block * 6597 gen_ecode(eaddr, q) 6598 register const u_char *eaddr; 6599 struct qual q; 6600 { 6601 struct block *b, *tmp; 6602 6603 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6604 switch (linktype) { 6605 case DLT_EN10MB: 6606 case DLT_NETANALYZER: 6607 case DLT_NETANALYZER_TRANSPARENT: 6608 return gen_ehostop(eaddr, (int)q.dir); 6609 case DLT_FDDI: 6610 return gen_fhostop(eaddr, (int)q.dir); 6611 case DLT_IEEE802: 6612 return gen_thostop(eaddr, (int)q.dir); 6613 case DLT_IEEE802_11: 6614 case DLT_PRISM_HEADER: 6615 case DLT_IEEE802_11_RADIO_AVS: 6616 case DLT_IEEE802_11_RADIO: 6617 case DLT_PPI: 6618 return gen_wlanhostop(eaddr, (int)q.dir); 6619 case DLT_SUNATM: 6620 if (is_lane) { 6621 /* 6622 * Check that the packet doesn't begin with an 6623 * LE Control marker. (We've already generated 6624 * a test for LANE.) 6625 */ 6626 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6627 0xFF00); 6628 gen_not(tmp); 6629 6630 /* 6631 * Now check the MAC address. 6632 */ 6633 b = gen_ehostop(eaddr, (int)q.dir); 6634 gen_and(tmp, b); 6635 return b; 6636 } 6637 break; 6638 case DLT_IP_OVER_FC: 6639 return gen_ipfchostop(eaddr, (int)q.dir); 6640 default: 6641 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6642 break; 6643 } 6644 } 6645 bpf_error("ethernet address used in non-ether expression"); 6646 /* NOTREACHED */ 6647 return NULL; 6648 } 6649 6650 void 6651 sappend(s0, s1) 6652 struct slist *s0, *s1; 6653 { 6654 /* 6655 * This is definitely not the best way to do this, but the 6656 * lists will rarely get long. 6657 */ 6658 while (s0->next) 6659 s0 = s0->next; 6660 s0->next = s1; 6661 } 6662 6663 static struct slist * 6664 xfer_to_x(a) 6665 struct arth *a; 6666 { 6667 struct slist *s; 6668 6669 s = new_stmt(BPF_LDX|BPF_MEM); 6670 s->s.k = a->regno; 6671 return s; 6672 } 6673 6674 static struct slist * 6675 xfer_to_a(a) 6676 struct arth *a; 6677 { 6678 struct slist *s; 6679 6680 s = new_stmt(BPF_LD|BPF_MEM); 6681 s->s.k = a->regno; 6682 return s; 6683 } 6684 6685 /* 6686 * Modify "index" to use the value stored into its register as an 6687 * offset relative to the beginning of the header for the protocol 6688 * "proto", and allocate a register and put an item "size" bytes long 6689 * (1, 2, or 4) at that offset into that register, making it the register 6690 * for "index". 6691 */ 6692 struct arth * 6693 gen_load(proto, inst, size) 6694 int proto; 6695 struct arth *inst; 6696 int size; 6697 { 6698 struct slist *s, *tmp; 6699 struct block *b; 6700 int regno = alloc_reg(); 6701 6702 free_reg(inst->regno); 6703 switch (size) { 6704 6705 default: 6706 bpf_error("data size must be 1, 2, or 4"); 6707 6708 case 1: 6709 size = BPF_B; 6710 break; 6711 6712 case 2: 6713 size = BPF_H; 6714 break; 6715 6716 case 4: 6717 size = BPF_W; 6718 break; 6719 } 6720 switch (proto) { 6721 default: 6722 bpf_error("unsupported index operation"); 6723 6724 case Q_RADIO: 6725 /* 6726 * The offset is relative to the beginning of the packet 6727 * data, if we have a radio header. (If we don't, this 6728 * is an error.) 6729 */ 6730 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6731 linktype != DLT_IEEE802_11_RADIO && 6732 linktype != DLT_PRISM_HEADER) 6733 bpf_error("radio information not present in capture"); 6734 6735 /* 6736 * Load into the X register the offset computed into the 6737 * register specified by "index". 6738 */ 6739 s = xfer_to_x(inst); 6740 6741 /* 6742 * Load the item at that offset. 6743 */ 6744 tmp = new_stmt(BPF_LD|BPF_IND|size); 6745 sappend(s, tmp); 6746 sappend(inst->s, s); 6747 break; 6748 6749 case Q_LINK: 6750 /* 6751 * The offset is relative to the beginning of 6752 * the link-layer header. 6753 * 6754 * XXX - what about ATM LANE? Should the index be 6755 * relative to the beginning of the AAL5 frame, so 6756 * that 0 refers to the beginning of the LE Control 6757 * field, or relative to the beginning of the LAN 6758 * frame, so that 0 refers, for Ethernet LANE, to 6759 * the beginning of the destination address? 6760 */ 6761 s = gen_llprefixlen(); 6762 6763 /* 6764 * If "s" is non-null, it has code to arrange that the 6765 * X register contains the length of the prefix preceding 6766 * the link-layer header. Add to it the offset computed 6767 * into the register specified by "index", and move that 6768 * into the X register. Otherwise, just load into the X 6769 * register the offset computed into the register specified 6770 * by "index". 6771 */ 6772 if (s != NULL) { 6773 sappend(s, xfer_to_a(inst)); 6774 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6775 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6776 } else 6777 s = xfer_to_x(inst); 6778 6779 /* 6780 * Load the item at the sum of the offset we've put in the 6781 * X register and the offset of the start of the link 6782 * layer header (which is 0 if the radio header is 6783 * variable-length; that header length is what we put 6784 * into the X register and then added to the index). 6785 */ 6786 tmp = new_stmt(BPF_LD|BPF_IND|size); 6787 tmp->s.k = off_ll; 6788 sappend(s, tmp); 6789 sappend(inst->s, s); 6790 break; 6791 6792 case Q_IP: 6793 case Q_ARP: 6794 case Q_RARP: 6795 case Q_ATALK: 6796 case Q_DECNET: 6797 case Q_SCA: 6798 case Q_LAT: 6799 case Q_MOPRC: 6800 case Q_MOPDL: 6801 #ifdef INET6 6802 case Q_IPV6: 6803 #endif 6804 /* 6805 * The offset is relative to the beginning of 6806 * the network-layer header. 6807 * XXX - are there any cases where we want 6808 * off_nl_nosnap? 6809 */ 6810 s = gen_off_macpl(); 6811 6812 /* 6813 * If "s" is non-null, it has code to arrange that the 6814 * X register contains the offset of the MAC-layer 6815 * payload. Add to it the offset computed into the 6816 * register specified by "index", and move that into 6817 * the X register. Otherwise, just load into the X 6818 * register the offset computed into the register specified 6819 * by "index". 6820 */ 6821 if (s != NULL) { 6822 sappend(s, xfer_to_a(inst)); 6823 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6824 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6825 } else 6826 s = xfer_to_x(inst); 6827 6828 /* 6829 * Load the item at the sum of the offset we've put in the 6830 * X register, the offset of the start of the network 6831 * layer header from the beginning of the MAC-layer 6832 * payload, and the purported offset of the start of the 6833 * MAC-layer payload (which might be 0 if there's a 6834 * variable-length prefix before the link-layer header 6835 * or the link-layer header itself is variable-length; 6836 * the variable-length offset of the start of the 6837 * MAC-layer payload is what we put into the X register 6838 * and then added to the index). 6839 */ 6840 tmp = new_stmt(BPF_LD|BPF_IND|size); 6841 tmp->s.k = off_macpl + off_nl; 6842 sappend(s, tmp); 6843 sappend(inst->s, s); 6844 6845 /* 6846 * Do the computation only if the packet contains 6847 * the protocol in question. 6848 */ 6849 b = gen_proto_abbrev(proto); 6850 if (inst->b) 6851 gen_and(inst->b, b); 6852 inst->b = b; 6853 break; 6854 6855 case Q_SCTP: 6856 case Q_TCP: 6857 case Q_UDP: 6858 case Q_ICMP: 6859 case Q_IGMP: 6860 case Q_IGRP: 6861 case Q_PIM: 6862 case Q_VRRP: 6863 case Q_CARP: 6864 /* 6865 * The offset is relative to the beginning of 6866 * the transport-layer header. 6867 * 6868 * Load the X register with the length of the IPv4 header 6869 * (plus the offset of the link-layer header, if it's 6870 * a variable-length header), in bytes. 6871 * 6872 * XXX - are there any cases where we want 6873 * off_nl_nosnap? 6874 * XXX - we should, if we're built with 6875 * IPv6 support, generate code to load either 6876 * IPv4, IPv6, or both, as appropriate. 6877 */ 6878 s = gen_loadx_iphdrlen(); 6879 6880 /* 6881 * The X register now contains the sum of the length 6882 * of any variable-length header preceding the link-layer 6883 * header, any variable-length link-layer header, and the 6884 * length of the network-layer header. 6885 * 6886 * Load into the A register the offset relative to 6887 * the beginning of the transport layer header, 6888 * add the X register to that, move that to the 6889 * X register, and load with an offset from the 6890 * X register equal to the offset of the network 6891 * layer header relative to the beginning of 6892 * the MAC-layer payload plus the fixed-length 6893 * portion of the offset of the MAC-layer payload 6894 * from the beginning of the raw packet data. 6895 */ 6896 sappend(s, xfer_to_a(inst)); 6897 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6898 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6899 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6900 tmp->s.k = off_macpl + off_nl; 6901 sappend(inst->s, s); 6902 6903 /* 6904 * Do the computation only if the packet contains 6905 * the protocol in question - which is true only 6906 * if this is an IP datagram and is the first or 6907 * only fragment of that datagram. 6908 */ 6909 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6910 if (inst->b) 6911 gen_and(inst->b, b); 6912 #ifdef INET6 6913 gen_and(gen_proto_abbrev(Q_IP), b); 6914 #endif 6915 inst->b = b; 6916 break; 6917 #ifdef INET6 6918 case Q_ICMPV6: 6919 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6920 /*NOTREACHED*/ 6921 #endif 6922 } 6923 inst->regno = regno; 6924 s = new_stmt(BPF_ST); 6925 s->s.k = regno; 6926 sappend(inst->s, s); 6927 6928 return inst; 6929 } 6930 6931 struct block * 6932 gen_relation(code, a0, a1, reversed) 6933 int code; 6934 struct arth *a0, *a1; 6935 int reversed; 6936 { 6937 struct slist *s0, *s1, *s2; 6938 struct block *b, *tmp; 6939 6940 s0 = xfer_to_x(a1); 6941 s1 = xfer_to_a(a0); 6942 if (code == BPF_JEQ) { 6943 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6944 b = new_block(JMP(code)); 6945 sappend(s1, s2); 6946 } 6947 else 6948 b = new_block(BPF_JMP|code|BPF_X); 6949 if (reversed) 6950 gen_not(b); 6951 6952 sappend(s0, s1); 6953 sappend(a1->s, s0); 6954 sappend(a0->s, a1->s); 6955 6956 b->stmts = a0->s; 6957 6958 free_reg(a0->regno); 6959 free_reg(a1->regno); 6960 6961 /* 'and' together protocol checks */ 6962 if (a0->b) { 6963 if (a1->b) { 6964 gen_and(a0->b, tmp = a1->b); 6965 } 6966 else 6967 tmp = a0->b; 6968 } else 6969 tmp = a1->b; 6970 6971 if (tmp) 6972 gen_and(tmp, b); 6973 6974 return b; 6975 } 6976 6977 struct arth * 6978 gen_loadlen() 6979 { 6980 int regno = alloc_reg(); 6981 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6982 struct slist *s; 6983 6984 s = new_stmt(BPF_LD|BPF_LEN); 6985 s->next = new_stmt(BPF_ST); 6986 s->next->s.k = regno; 6987 a->s = s; 6988 a->regno = regno; 6989 6990 return a; 6991 } 6992 6993 struct arth * 6994 gen_loadi(val) 6995 int val; 6996 { 6997 struct arth *a; 6998 struct slist *s; 6999 int reg; 7000 7001 a = (struct arth *)newchunk(sizeof(*a)); 7002 7003 reg = alloc_reg(); 7004 7005 s = new_stmt(BPF_LD|BPF_IMM); 7006 s->s.k = val; 7007 s->next = new_stmt(BPF_ST); 7008 s->next->s.k = reg; 7009 a->s = s; 7010 a->regno = reg; 7011 7012 return a; 7013 } 7014 7015 struct arth * 7016 gen_neg(a) 7017 struct arth *a; 7018 { 7019 struct slist *s; 7020 7021 s = xfer_to_a(a); 7022 sappend(a->s, s); 7023 s = new_stmt(BPF_ALU|BPF_NEG); 7024 s->s.k = 0; 7025 sappend(a->s, s); 7026 s = new_stmt(BPF_ST); 7027 s->s.k = a->regno; 7028 sappend(a->s, s); 7029 7030 return a; 7031 } 7032 7033 struct arth * 7034 gen_arth(code, a0, a1) 7035 int code; 7036 struct arth *a0, *a1; 7037 { 7038 struct slist *s0, *s1, *s2; 7039 7040 s0 = xfer_to_x(a1); 7041 s1 = xfer_to_a(a0); 7042 s2 = new_stmt(BPF_ALU|BPF_X|code); 7043 7044 sappend(s1, s2); 7045 sappend(s0, s1); 7046 sappend(a1->s, s0); 7047 sappend(a0->s, a1->s); 7048 7049 free_reg(a0->regno); 7050 free_reg(a1->regno); 7051 7052 s0 = new_stmt(BPF_ST); 7053 a0->regno = s0->s.k = alloc_reg(); 7054 sappend(a0->s, s0); 7055 7056 return a0; 7057 } 7058 7059 /* 7060 * Here we handle simple allocation of the scratch registers. 7061 * If too many registers are alloc'd, the allocator punts. 7062 */ 7063 static int regused[BPF_MEMWORDS]; 7064 static int curreg; 7065 7066 /* 7067 * Initialize the table of used registers and the current register. 7068 */ 7069 static void 7070 init_regs() 7071 { 7072 curreg = 0; 7073 memset(regused, 0, sizeof regused); 7074 } 7075 7076 /* 7077 * Return the next free register. 7078 */ 7079 static int 7080 alloc_reg() 7081 { 7082 int n = BPF_MEMWORDS; 7083 7084 while (--n >= 0) { 7085 if (regused[curreg]) 7086 curreg = (curreg + 1) % BPF_MEMWORDS; 7087 else { 7088 regused[curreg] = 1; 7089 return curreg; 7090 } 7091 } 7092 bpf_error("too many registers needed to evaluate expression"); 7093 /* NOTREACHED */ 7094 return 0; 7095 } 7096 7097 /* 7098 * Return a register to the table so it can 7099 * be used later. 7100 */ 7101 static void 7102 free_reg(n) 7103 int n; 7104 { 7105 regused[n] = 0; 7106 } 7107 7108 static struct block * 7109 gen_len(jmp, n) 7110 int jmp, n; 7111 { 7112 struct slist *s; 7113 struct block *b; 7114 7115 s = new_stmt(BPF_LD|BPF_LEN); 7116 b = new_block(JMP(jmp)); 7117 b->stmts = s; 7118 b->s.k = n; 7119 7120 return b; 7121 } 7122 7123 struct block * 7124 gen_greater(n) 7125 int n; 7126 { 7127 return gen_len(BPF_JGE, n); 7128 } 7129 7130 /* 7131 * Actually, this is less than or equal. 7132 */ 7133 struct block * 7134 gen_less(n) 7135 int n; 7136 { 7137 struct block *b; 7138 7139 b = gen_len(BPF_JGT, n); 7140 gen_not(b); 7141 7142 return b; 7143 } 7144 7145 /* 7146 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7147 * the beginning of the link-layer header. 7148 * XXX - that means you can't test values in the radiotap header, but 7149 * as that header is difficult if not impossible to parse generally 7150 * without a loop, that might not be a severe problem. A new keyword 7151 * "radio" could be added for that, although what you'd really want 7152 * would be a way of testing particular radio header values, which 7153 * would generate code appropriate to the radio header in question. 7154 */ 7155 struct block * 7156 gen_byteop(op, idx, val) 7157 int op, idx, val; 7158 { 7159 struct block *b; 7160 struct slist *s; 7161 7162 switch (op) { 7163 default: 7164 abort(); 7165 7166 case '=': 7167 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7168 7169 case '<': 7170 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7171 return b; 7172 7173 case '>': 7174 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7175 return b; 7176 7177 case '|': 7178 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7179 break; 7180 7181 case '&': 7182 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7183 break; 7184 } 7185 s->s.k = val; 7186 b = new_block(JMP(BPF_JEQ)); 7187 b->stmts = s; 7188 gen_not(b); 7189 7190 return b; 7191 } 7192 7193 static u_char abroadcast[] = { 0x0 }; 7194 7195 struct block * 7196 gen_broadcast(proto) 7197 int proto; 7198 { 7199 bpf_u_int32 hostmask; 7200 struct block *b0, *b1, *b2; 7201 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7202 7203 switch (proto) { 7204 7205 case Q_DEFAULT: 7206 case Q_LINK: 7207 switch (linktype) { 7208 case DLT_ARCNET: 7209 case DLT_ARCNET_LINUX: 7210 return gen_ahostop(abroadcast, Q_DST); 7211 case DLT_EN10MB: 7212 case DLT_NETANALYZER: 7213 case DLT_NETANALYZER_TRANSPARENT: 7214 return gen_ehostop(ebroadcast, Q_DST); 7215 case DLT_FDDI: 7216 return gen_fhostop(ebroadcast, Q_DST); 7217 case DLT_IEEE802: 7218 return gen_thostop(ebroadcast, Q_DST); 7219 case DLT_IEEE802_11: 7220 case DLT_PRISM_HEADER: 7221 case DLT_IEEE802_11_RADIO_AVS: 7222 case DLT_IEEE802_11_RADIO: 7223 case DLT_PPI: 7224 return gen_wlanhostop(ebroadcast, Q_DST); 7225 case DLT_IP_OVER_FC: 7226 return gen_ipfchostop(ebroadcast, Q_DST); 7227 case DLT_SUNATM: 7228 if (is_lane) { 7229 /* 7230 * Check that the packet doesn't begin with an 7231 * LE Control marker. (We've already generated 7232 * a test for LANE.) 7233 */ 7234 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7235 BPF_H, 0xFF00); 7236 gen_not(b1); 7237 7238 /* 7239 * Now check the MAC address. 7240 */ 7241 b0 = gen_ehostop(ebroadcast, Q_DST); 7242 gen_and(b1, b0); 7243 return b0; 7244 } 7245 break; 7246 default: 7247 bpf_error("not a broadcast link"); 7248 } 7249 break; 7250 7251 case Q_IP: 7252 /* 7253 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7254 * as an indication that we don't know the netmask, and fail 7255 * in that case. 7256 */ 7257 if (netmask == PCAP_NETMASK_UNKNOWN) 7258 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7259 b0 = gen_linktype(ETHERTYPE_IP); 7260 hostmask = ~netmask; 7261 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7262 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7263 (bpf_int32)(~0 & hostmask), hostmask); 7264 gen_or(b1, b2); 7265 gen_and(b0, b2); 7266 return b2; 7267 } 7268 bpf_error("only link-layer/IP broadcast filters supported"); 7269 /* NOTREACHED */ 7270 return NULL; 7271 } 7272 7273 /* 7274 * Generate code to test the low-order bit of a MAC address (that's 7275 * the bottom bit of the *first* byte). 7276 */ 7277 static struct block * 7278 gen_mac_multicast(offset) 7279 int offset; 7280 { 7281 register struct block *b0; 7282 register struct slist *s; 7283 7284 /* link[offset] & 1 != 0 */ 7285 s = gen_load_a(OR_LINK, offset, BPF_B); 7286 b0 = new_block(JMP(BPF_JSET)); 7287 b0->s.k = 1; 7288 b0->stmts = s; 7289 return b0; 7290 } 7291 7292 struct block * 7293 gen_multicast(proto) 7294 int proto; 7295 { 7296 register struct block *b0, *b1, *b2; 7297 register struct slist *s; 7298 7299 switch (proto) { 7300 7301 case Q_DEFAULT: 7302 case Q_LINK: 7303 switch (linktype) { 7304 case DLT_ARCNET: 7305 case DLT_ARCNET_LINUX: 7306 /* all ARCnet multicasts use the same address */ 7307 return gen_ahostop(abroadcast, Q_DST); 7308 case DLT_EN10MB: 7309 case DLT_NETANALYZER: 7310 case DLT_NETANALYZER_TRANSPARENT: 7311 /* ether[0] & 1 != 0 */ 7312 return gen_mac_multicast(0); 7313 case DLT_FDDI: 7314 /* 7315 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7316 * 7317 * XXX - was that referring to bit-order issues? 7318 */ 7319 /* fddi[1] & 1 != 0 */ 7320 return gen_mac_multicast(1); 7321 case DLT_IEEE802: 7322 /* tr[2] & 1 != 0 */ 7323 return gen_mac_multicast(2); 7324 case DLT_IEEE802_11: 7325 case DLT_PRISM_HEADER: 7326 case DLT_IEEE802_11_RADIO_AVS: 7327 case DLT_IEEE802_11_RADIO: 7328 case DLT_PPI: 7329 /* 7330 * Oh, yuk. 7331 * 7332 * For control frames, there is no DA. 7333 * 7334 * For management frames, DA is at an 7335 * offset of 4 from the beginning of 7336 * the packet. 7337 * 7338 * For data frames, DA is at an offset 7339 * of 4 from the beginning of the packet 7340 * if To DS is clear and at an offset of 7341 * 16 from the beginning of the packet 7342 * if To DS is set. 7343 */ 7344 7345 /* 7346 * Generate the tests to be done for data frames. 7347 * 7348 * First, check for To DS set, i.e. "link[1] & 0x01". 7349 */ 7350 s = gen_load_a(OR_LINK, 1, BPF_B); 7351 b1 = new_block(JMP(BPF_JSET)); 7352 b1->s.k = 0x01; /* To DS */ 7353 b1->stmts = s; 7354 7355 /* 7356 * If To DS is set, the DA is at 16. 7357 */ 7358 b0 = gen_mac_multicast(16); 7359 gen_and(b1, b0); 7360 7361 /* 7362 * Now, check for To DS not set, i.e. check 7363 * "!(link[1] & 0x01)". 7364 */ 7365 s = gen_load_a(OR_LINK, 1, BPF_B); 7366 b2 = new_block(JMP(BPF_JSET)); 7367 b2->s.k = 0x01; /* To DS */ 7368 b2->stmts = s; 7369 gen_not(b2); 7370 7371 /* 7372 * If To DS is not set, the DA is at 4. 7373 */ 7374 b1 = gen_mac_multicast(4); 7375 gen_and(b2, b1); 7376 7377 /* 7378 * Now OR together the last two checks. That gives 7379 * the complete set of checks for data frames. 7380 */ 7381 gen_or(b1, b0); 7382 7383 /* 7384 * Now check for a data frame. 7385 * I.e, check "link[0] & 0x08". 7386 */ 7387 s = gen_load_a(OR_LINK, 0, BPF_B); 7388 b1 = new_block(JMP(BPF_JSET)); 7389 b1->s.k = 0x08; 7390 b1->stmts = s; 7391 7392 /* 7393 * AND that with the checks done for data frames. 7394 */ 7395 gen_and(b1, b0); 7396 7397 /* 7398 * If the high-order bit of the type value is 0, this 7399 * is a management frame. 7400 * I.e, check "!(link[0] & 0x08)". 7401 */ 7402 s = gen_load_a(OR_LINK, 0, BPF_B); 7403 b2 = new_block(JMP(BPF_JSET)); 7404 b2->s.k = 0x08; 7405 b2->stmts = s; 7406 gen_not(b2); 7407 7408 /* 7409 * For management frames, the DA is at 4. 7410 */ 7411 b1 = gen_mac_multicast(4); 7412 gen_and(b2, b1); 7413 7414 /* 7415 * OR that with the checks done for data frames. 7416 * That gives the checks done for management and 7417 * data frames. 7418 */ 7419 gen_or(b1, b0); 7420 7421 /* 7422 * If the low-order bit of the type value is 1, 7423 * this is either a control frame or a frame 7424 * with a reserved type, and thus not a 7425 * frame with an SA. 7426 * 7427 * I.e., check "!(link[0] & 0x04)". 7428 */ 7429 s = gen_load_a(OR_LINK, 0, BPF_B); 7430 b1 = new_block(JMP(BPF_JSET)); 7431 b1->s.k = 0x04; 7432 b1->stmts = s; 7433 gen_not(b1); 7434 7435 /* 7436 * AND that with the checks for data and management 7437 * frames. 7438 */ 7439 gen_and(b1, b0); 7440 return b0; 7441 case DLT_IP_OVER_FC: 7442 b0 = gen_mac_multicast(2); 7443 return b0; 7444 case DLT_SUNATM: 7445 if (is_lane) { 7446 /* 7447 * Check that the packet doesn't begin with an 7448 * LE Control marker. (We've already generated 7449 * a test for LANE.) 7450 */ 7451 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7452 BPF_H, 0xFF00); 7453 gen_not(b1); 7454 7455 /* ether[off_mac] & 1 != 0 */ 7456 b0 = gen_mac_multicast(off_mac); 7457 gen_and(b1, b0); 7458 return b0; 7459 } 7460 break; 7461 default: 7462 break; 7463 } 7464 /* Link not known to support multicasts */ 7465 break; 7466 7467 case Q_IP: 7468 b0 = gen_linktype(ETHERTYPE_IP); 7469 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7470 gen_and(b0, b1); 7471 return b1; 7472 7473 #ifdef INET6 7474 case Q_IPV6: 7475 b0 = gen_linktype(ETHERTYPE_IPV6); 7476 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7477 gen_and(b0, b1); 7478 return b1; 7479 #endif /* INET6 */ 7480 } 7481 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7482 /* NOTREACHED */ 7483 return NULL; 7484 } 7485 7486 /* 7487 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7488 * Outbound traffic is sent by this machine, while inbound traffic is 7489 * sent by a remote machine (and may include packets destined for a 7490 * unicast or multicast link-layer address we are not subscribing to). 7491 * These are the same definitions implemented by pcap_setdirection(). 7492 * Capturing only unicast traffic destined for this host is probably 7493 * better accomplished using a higher-layer filter. 7494 */ 7495 struct block * 7496 gen_inbound(dir) 7497 int dir; 7498 { 7499 register struct block *b0; 7500 7501 /* 7502 * Only some data link types support inbound/outbound qualifiers. 7503 */ 7504 switch (linktype) { 7505 case DLT_SLIP: 7506 b0 = gen_relation(BPF_JEQ, 7507 gen_load(Q_LINK, gen_loadi(0), 1), 7508 gen_loadi(0), 7509 dir); 7510 break; 7511 7512 case DLT_IPNET: 7513 if (dir) { 7514 /* match outgoing packets */ 7515 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7516 } else { 7517 /* match incoming packets */ 7518 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7519 } 7520 break; 7521 7522 case DLT_LINUX_SLL: 7523 /* match outgoing packets */ 7524 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7525 if (!dir) { 7526 /* to filter on inbound traffic, invert the match */ 7527 gen_not(b0); 7528 } 7529 break; 7530 7531 #ifdef HAVE_NET_PFVAR_H 7532 case DLT_PFLOG: 7533 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7534 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7535 break; 7536 #endif 7537 7538 case DLT_PPP_PPPD: 7539 if (dir) { 7540 /* match outgoing packets */ 7541 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7542 } else { 7543 /* match incoming packets */ 7544 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7545 } 7546 break; 7547 7548 case DLT_JUNIPER_MFR: 7549 case DLT_JUNIPER_MLFR: 7550 case DLT_JUNIPER_MLPPP: 7551 case DLT_JUNIPER_ATM1: 7552 case DLT_JUNIPER_ATM2: 7553 case DLT_JUNIPER_PPPOE: 7554 case DLT_JUNIPER_PPPOE_ATM: 7555 case DLT_JUNIPER_GGSN: 7556 case DLT_JUNIPER_ES: 7557 case DLT_JUNIPER_MONITOR: 7558 case DLT_JUNIPER_SERVICES: 7559 case DLT_JUNIPER_ETHER: 7560 case DLT_JUNIPER_PPP: 7561 case DLT_JUNIPER_FRELAY: 7562 case DLT_JUNIPER_CHDLC: 7563 case DLT_JUNIPER_VP: 7564 case DLT_JUNIPER_ST: 7565 case DLT_JUNIPER_ISM: 7566 case DLT_JUNIPER_VS: 7567 case DLT_JUNIPER_SRX_E2E: 7568 case DLT_JUNIPER_FIBRECHANNEL: 7569 case DLT_JUNIPER_ATM_CEMIC: 7570 7571 /* juniper flags (including direction) are stored 7572 * the byte after the 3-byte magic number */ 7573 if (dir) { 7574 /* match outgoing packets */ 7575 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7576 } else { 7577 /* match incoming packets */ 7578 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7579 } 7580 break; 7581 7582 default: 7583 /* 7584 * If we have packet meta-data indicating a direction, 7585 * check it, otherwise give up as this link-layer type 7586 * has nothing in the packet data. 7587 */ 7588 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7589 /* 7590 * We infer that this is Linux with PF_PACKET support. 7591 * If this is a *live* capture, we can look at 7592 * special meta-data in the filter expression; 7593 * if it's a savefile, we can't. 7594 */ 7595 if (bpf_pcap->sf.rfile != NULL) { 7596 /* We have a FILE *, so this is a savefile */ 7597 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles", 7598 linktype); 7599 b0 = NULL; 7600 /* NOTREACHED */ 7601 } 7602 /* match outgoing packets */ 7603 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7604 PACKET_OUTGOING); 7605 if (!dir) { 7606 /* to filter on inbound traffic, invert the match */ 7607 gen_not(b0); 7608 } 7609 #else /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7610 bpf_error("inbound/outbound not supported on linktype %d", 7611 linktype); 7612 b0 = NULL; 7613 /* NOTREACHED */ 7614 #endif /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7615 } 7616 return (b0); 7617 } 7618 7619 #ifdef HAVE_NET_PFVAR_H 7620 /* PF firewall log matched interface */ 7621 struct block * 7622 gen_pf_ifname(const char *ifname) 7623 { 7624 struct block *b0; 7625 u_int len, off; 7626 7627 if (linktype != DLT_PFLOG) { 7628 bpf_error("ifname supported only on PF linktype"); 7629 /* NOTREACHED */ 7630 } 7631 len = sizeof(((struct pfloghdr *)0)->ifname); 7632 off = offsetof(struct pfloghdr, ifname); 7633 if (strlen(ifname) >= len) { 7634 bpf_error("ifname interface names can only be %d characters", 7635 len-1); 7636 /* NOTREACHED */ 7637 } 7638 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7639 return (b0); 7640 } 7641 7642 /* PF firewall log ruleset name */ 7643 struct block * 7644 gen_pf_ruleset(char *ruleset) 7645 { 7646 struct block *b0; 7647 7648 if (linktype != DLT_PFLOG) { 7649 bpf_error("ruleset supported only on PF linktype"); 7650 /* NOTREACHED */ 7651 } 7652 7653 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7654 bpf_error("ruleset names can only be %ld characters", 7655 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7656 /* NOTREACHED */ 7657 } 7658 7659 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7660 strlen(ruleset), (const u_char *)ruleset); 7661 return (b0); 7662 } 7663 7664 /* PF firewall log rule number */ 7665 struct block * 7666 gen_pf_rnr(int rnr) 7667 { 7668 struct block *b0; 7669 7670 if (linktype != DLT_PFLOG) { 7671 bpf_error("rnr supported only on PF linktype"); 7672 /* NOTREACHED */ 7673 } 7674 7675 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7676 (bpf_int32)rnr); 7677 return (b0); 7678 } 7679 7680 /* PF firewall log sub-rule number */ 7681 struct block * 7682 gen_pf_srnr(int srnr) 7683 { 7684 struct block *b0; 7685 7686 if (linktype != DLT_PFLOG) { 7687 bpf_error("srnr supported only on PF linktype"); 7688 /* NOTREACHED */ 7689 } 7690 7691 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7692 (bpf_int32)srnr); 7693 return (b0); 7694 } 7695 7696 /* PF firewall log reason code */ 7697 struct block * 7698 gen_pf_reason(int reason) 7699 { 7700 struct block *b0; 7701 7702 if (linktype != DLT_PFLOG) { 7703 bpf_error("reason supported only on PF linktype"); 7704 /* NOTREACHED */ 7705 } 7706 7707 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7708 (bpf_int32)reason); 7709 return (b0); 7710 } 7711 7712 /* PF firewall log action */ 7713 struct block * 7714 gen_pf_action(int action) 7715 { 7716 struct block *b0; 7717 7718 if (linktype != DLT_PFLOG) { 7719 bpf_error("action supported only on PF linktype"); 7720 /* NOTREACHED */ 7721 } 7722 7723 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7724 (bpf_int32)action); 7725 return (b0); 7726 } 7727 #else /* !HAVE_NET_PFVAR_H */ 7728 struct block * 7729 gen_pf_ifname(const char *ifname) 7730 { 7731 bpf_error("libpcap was compiled without pf support"); 7732 /* NOTREACHED */ 7733 return (NULL); 7734 } 7735 7736 struct block * 7737 gen_pf_ruleset(char *ruleset) 7738 { 7739 bpf_error("libpcap was compiled on a machine without pf support"); 7740 /* NOTREACHED */ 7741 return (NULL); 7742 } 7743 7744 struct block * 7745 gen_pf_rnr(int rnr) 7746 { 7747 bpf_error("libpcap was compiled on a machine without pf support"); 7748 /* NOTREACHED */ 7749 return (NULL); 7750 } 7751 7752 struct block * 7753 gen_pf_srnr(int srnr) 7754 { 7755 bpf_error("libpcap was compiled on a machine without pf support"); 7756 /* NOTREACHED */ 7757 return (NULL); 7758 } 7759 7760 struct block * 7761 gen_pf_reason(int reason) 7762 { 7763 bpf_error("libpcap was compiled on a machine without pf support"); 7764 /* NOTREACHED */ 7765 return (NULL); 7766 } 7767 7768 struct block * 7769 gen_pf_action(int action) 7770 { 7771 bpf_error("libpcap was compiled on a machine without pf support"); 7772 /* NOTREACHED */ 7773 return (NULL); 7774 } 7775 #endif /* HAVE_NET_PFVAR_H */ 7776 7777 /* IEEE 802.11 wireless header */ 7778 struct block * 7779 gen_p80211_type(int type, int mask) 7780 { 7781 struct block *b0; 7782 7783 switch (linktype) { 7784 7785 case DLT_IEEE802_11: 7786 case DLT_PRISM_HEADER: 7787 case DLT_IEEE802_11_RADIO_AVS: 7788 case DLT_IEEE802_11_RADIO: 7789 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7790 (bpf_int32)mask); 7791 break; 7792 7793 default: 7794 bpf_error("802.11 link-layer types supported only on 802.11"); 7795 /* NOTREACHED */ 7796 } 7797 7798 return (b0); 7799 } 7800 7801 struct block * 7802 gen_p80211_fcdir(int fcdir) 7803 { 7804 struct block *b0; 7805 7806 switch (linktype) { 7807 7808 case DLT_IEEE802_11: 7809 case DLT_PRISM_HEADER: 7810 case DLT_IEEE802_11_RADIO_AVS: 7811 case DLT_IEEE802_11_RADIO: 7812 break; 7813 7814 default: 7815 bpf_error("frame direction supported only with 802.11 headers"); 7816 /* NOTREACHED */ 7817 } 7818 7819 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7820 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7821 7822 return (b0); 7823 } 7824 7825 struct block * 7826 gen_acode(eaddr, q) 7827 register const u_char *eaddr; 7828 struct qual q; 7829 { 7830 switch (linktype) { 7831 7832 case DLT_ARCNET: 7833 case DLT_ARCNET_LINUX: 7834 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7835 q.proto == Q_LINK) 7836 return (gen_ahostop(eaddr, (int)q.dir)); 7837 else { 7838 bpf_error("ARCnet address used in non-arc expression"); 7839 /* NOTREACHED */ 7840 } 7841 break; 7842 7843 default: 7844 bpf_error("aid supported only on ARCnet"); 7845 /* NOTREACHED */ 7846 } 7847 bpf_error("ARCnet address used in non-arc expression"); 7848 /* NOTREACHED */ 7849 return NULL; 7850 } 7851 7852 static struct block * 7853 gen_ahostop(eaddr, dir) 7854 register const u_char *eaddr; 7855 register int dir; 7856 { 7857 register struct block *b0, *b1; 7858 7859 switch (dir) { 7860 /* src comes first, different from Ethernet */ 7861 case Q_SRC: 7862 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7863 7864 case Q_DST: 7865 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7866 7867 case Q_AND: 7868 b0 = gen_ahostop(eaddr, Q_SRC); 7869 b1 = gen_ahostop(eaddr, Q_DST); 7870 gen_and(b0, b1); 7871 return b1; 7872 7873 case Q_DEFAULT: 7874 case Q_OR: 7875 b0 = gen_ahostop(eaddr, Q_SRC); 7876 b1 = gen_ahostop(eaddr, Q_DST); 7877 gen_or(b0, b1); 7878 return b1; 7879 7880 case Q_ADDR1: 7881 bpf_error("'addr1' is only supported on 802.11"); 7882 break; 7883 7884 case Q_ADDR2: 7885 bpf_error("'addr2' is only supported on 802.11"); 7886 break; 7887 7888 case Q_ADDR3: 7889 bpf_error("'addr3' is only supported on 802.11"); 7890 break; 7891 7892 case Q_ADDR4: 7893 bpf_error("'addr4' is only supported on 802.11"); 7894 break; 7895 7896 case Q_RA: 7897 bpf_error("'ra' is only supported on 802.11"); 7898 break; 7899 7900 case Q_TA: 7901 bpf_error("'ta' is only supported on 802.11"); 7902 break; 7903 } 7904 abort(); 7905 /* NOTREACHED */ 7906 } 7907 7908 /* 7909 * support IEEE 802.1Q VLAN trunk over ethernet 7910 */ 7911 struct block * 7912 gen_vlan(vlan_num) 7913 int vlan_num; 7914 { 7915 struct block *b0, *b1; 7916 7917 /* can't check for VLAN-encapsulated packets inside MPLS */ 7918 if (label_stack_depth > 0) 7919 bpf_error("no VLAN match after MPLS"); 7920 7921 /* 7922 * Check for a VLAN packet, and then change the offsets to point 7923 * to the type and data fields within the VLAN packet. Just 7924 * increment the offsets, so that we can support a hierarchy, e.g. 7925 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7926 * VLAN 100. 7927 * 7928 * XXX - this is a bit of a kludge. If we were to split the 7929 * compiler into a parser that parses an expression and 7930 * generates an expression tree, and a code generator that 7931 * takes an expression tree (which could come from our 7932 * parser or from some other parser) and generates BPF code, 7933 * we could perhaps make the offsets parameters of routines 7934 * and, in the handler for an "AND" node, pass to subnodes 7935 * other than the VLAN node the adjusted offsets. 7936 * 7937 * This would mean that "vlan" would, instead of changing the 7938 * behavior of *all* tests after it, change only the behavior 7939 * of tests ANDed with it. That would change the documented 7940 * semantics of "vlan", which might break some expressions. 7941 * However, it would mean that "(vlan and ip) or ip" would check 7942 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7943 * checking only for VLAN-encapsulated IP, so that could still 7944 * be considered worth doing; it wouldn't break expressions 7945 * that are of the form "vlan and ..." or "vlan N and ...", 7946 * which I suspect are the most common expressions involving 7947 * "vlan". "vlan or ..." doesn't necessarily do what the user 7948 * would really want, now, as all the "or ..." tests would 7949 * be done assuming a VLAN, even though the "or" could be viewed 7950 * as meaning "or, if this isn't a VLAN packet...". 7951 */ 7952 orig_nl = off_nl; 7953 7954 switch (linktype) { 7955 7956 case DLT_EN10MB: 7957 case DLT_NETANALYZER: 7958 case DLT_NETANALYZER_TRANSPARENT: 7959 /* check for VLAN, including QinQ */ 7960 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7961 (bpf_int32)ETHERTYPE_8021Q); 7962 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7963 (bpf_int32)ETHERTYPE_8021QINQ); 7964 gen_or(b0,b1); 7965 b0 = b1; 7966 7967 /* If a specific VLAN is requested, check VLAN id */ 7968 if (vlan_num >= 0) { 7969 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7970 (bpf_int32)vlan_num, 0x0fff); 7971 gen_and(b0, b1); 7972 b0 = b1; 7973 } 7974 7975 off_macpl += 4; 7976 off_linktype += 4; 7977 #if 0 7978 off_nl_nosnap += 4; 7979 off_nl += 4; 7980 #endif 7981 break; 7982 7983 default: 7984 bpf_error("no VLAN support for data link type %d", 7985 linktype); 7986 /*NOTREACHED*/ 7987 } 7988 7989 return (b0); 7990 } 7991 7992 /* 7993 * support for MPLS 7994 */ 7995 struct block * 7996 gen_mpls(label_num) 7997 int label_num; 7998 { 7999 struct block *b0,*b1; 8000 8001 /* 8002 * Change the offsets to point to the type and data fields within 8003 * the MPLS packet. Just increment the offsets, so that we 8004 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 8005 * capture packets with an outer label of 100000 and an inner 8006 * label of 1024. 8007 * 8008 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 8009 */ 8010 orig_nl = off_nl; 8011 8012 if (label_stack_depth > 0) { 8013 /* just match the bottom-of-stack bit clear */ 8014 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 8015 } else { 8016 /* 8017 * Indicate that we're checking MPLS-encapsulated headers, 8018 * to make sure higher level code generators don't try to 8019 * match against IP-related protocols such as Q_ARP, Q_RARP 8020 * etc. 8021 */ 8022 switch (linktype) { 8023 8024 case DLT_C_HDLC: /* fall through */ 8025 case DLT_EN10MB: 8026 case DLT_NETANALYZER: 8027 case DLT_NETANALYZER_TRANSPARENT: 8028 b0 = gen_linktype(ETHERTYPE_MPLS); 8029 break; 8030 8031 case DLT_PPP: 8032 b0 = gen_linktype(PPP_MPLS_UCAST); 8033 break; 8034 8035 /* FIXME add other DLT_s ... 8036 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8037 * leave it for now */ 8038 8039 default: 8040 bpf_error("no MPLS support for data link type %d", 8041 linktype); 8042 b0 = NULL; 8043 /*NOTREACHED*/ 8044 break; 8045 } 8046 } 8047 8048 /* If a specific MPLS label is requested, check it */ 8049 if (label_num >= 0) { 8050 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8051 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 8052 0xfffff000); /* only compare the first 20 bits */ 8053 gen_and(b0, b1); 8054 b0 = b1; 8055 } 8056 8057 off_nl_nosnap += 4; 8058 off_nl += 4; 8059 label_stack_depth++; 8060 return (b0); 8061 } 8062 8063 /* 8064 * Support PPPOE discovery and session. 8065 */ 8066 struct block * 8067 gen_pppoed() 8068 { 8069 /* check for PPPoE discovery */ 8070 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8071 } 8072 8073 struct block * 8074 gen_pppoes() 8075 { 8076 struct block *b0; 8077 8078 /* 8079 * Test against the PPPoE session link-layer type. 8080 */ 8081 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8082 8083 /* 8084 * Change the offsets to point to the type and data fields within 8085 * the PPP packet, and note that this is PPPoE rather than 8086 * raw PPP. 8087 * 8088 * XXX - this is a bit of a kludge. If we were to split the 8089 * compiler into a parser that parses an expression and 8090 * generates an expression tree, and a code generator that 8091 * takes an expression tree (which could come from our 8092 * parser or from some other parser) and generates BPF code, 8093 * we could perhaps make the offsets parameters of routines 8094 * and, in the handler for an "AND" node, pass to subnodes 8095 * other than the PPPoE node the adjusted offsets. 8096 * 8097 * This would mean that "pppoes" would, instead of changing the 8098 * behavior of *all* tests after it, change only the behavior 8099 * of tests ANDed with it. That would change the documented 8100 * semantics of "pppoes", which might break some expressions. 8101 * However, it would mean that "(pppoes and ip) or ip" would check 8102 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8103 * checking only for VLAN-encapsulated IP, so that could still 8104 * be considered worth doing; it wouldn't break expressions 8105 * that are of the form "pppoes and ..." which I suspect are the 8106 * most common expressions involving "pppoes". "pppoes or ..." 8107 * doesn't necessarily do what the user would really want, now, 8108 * as all the "or ..." tests would be done assuming PPPoE, even 8109 * though the "or" could be viewed as meaning "or, if this isn't 8110 * a PPPoE packet...". 8111 */ 8112 orig_linktype = off_linktype; /* save original values */ 8113 orig_nl = off_nl; 8114 is_pppoes = 1; 8115 8116 /* 8117 * The "network-layer" protocol is PPPoE, which has a 6-byte 8118 * PPPoE header, followed by a PPP packet. 8119 * 8120 * There is no HDLC encapsulation for the PPP packet (it's 8121 * encapsulated in PPPoES instead), so the link-layer type 8122 * starts at the first byte of the PPP packet. For PPPoE, 8123 * that offset is relative to the beginning of the total 8124 * link-layer payload, including any 802.2 LLC header, so 8125 * it's 6 bytes past off_nl. 8126 */ 8127 off_linktype = off_nl + 6; 8128 8129 /* 8130 * The network-layer offsets are relative to the beginning 8131 * of the MAC-layer payload; that's past the 6-byte 8132 * PPPoE header and the 2-byte PPP header. 8133 */ 8134 off_nl = 6+2; 8135 off_nl_nosnap = 6+2; 8136 8137 return b0; 8138 } 8139 8140 struct block * 8141 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8142 int atmfield; 8143 bpf_int32 jvalue; 8144 bpf_u_int32 jtype; 8145 int reverse; 8146 { 8147 struct block *b0; 8148 8149 switch (atmfield) { 8150 8151 case A_VPI: 8152 if (!is_atm) 8153 bpf_error("'vpi' supported only on raw ATM"); 8154 if (off_vpi == (u_int)-1) 8155 abort(); 8156 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8157 reverse, jvalue); 8158 break; 8159 8160 case A_VCI: 8161 if (!is_atm) 8162 bpf_error("'vci' supported only on raw ATM"); 8163 if (off_vci == (u_int)-1) 8164 abort(); 8165 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8166 reverse, jvalue); 8167 break; 8168 8169 case A_PROTOTYPE: 8170 if (off_proto == (u_int)-1) 8171 abort(); /* XXX - this isn't on FreeBSD */ 8172 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8173 reverse, jvalue); 8174 break; 8175 8176 case A_MSGTYPE: 8177 if (off_payload == (u_int)-1) 8178 abort(); 8179 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8180 0xffffffff, jtype, reverse, jvalue); 8181 break; 8182 8183 case A_CALLREFTYPE: 8184 if (!is_atm) 8185 bpf_error("'callref' supported only on raw ATM"); 8186 if (off_proto == (u_int)-1) 8187 abort(); 8188 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8189 jtype, reverse, jvalue); 8190 break; 8191 8192 default: 8193 abort(); 8194 } 8195 return b0; 8196 } 8197 8198 struct block * 8199 gen_atmtype_abbrev(type) 8200 int type; 8201 { 8202 struct block *b0, *b1; 8203 8204 switch (type) { 8205 8206 case A_METAC: 8207 /* Get all packets in Meta signalling Circuit */ 8208 if (!is_atm) 8209 bpf_error("'metac' supported only on raw ATM"); 8210 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8211 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8212 gen_and(b0, b1); 8213 break; 8214 8215 case A_BCC: 8216 /* Get all packets in Broadcast Circuit*/ 8217 if (!is_atm) 8218 bpf_error("'bcc' supported only on raw ATM"); 8219 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8220 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8221 gen_and(b0, b1); 8222 break; 8223 8224 case A_OAMF4SC: 8225 /* Get all cells in Segment OAM F4 circuit*/ 8226 if (!is_atm) 8227 bpf_error("'oam4sc' supported only on raw ATM"); 8228 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8229 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8230 gen_and(b0, b1); 8231 break; 8232 8233 case A_OAMF4EC: 8234 /* Get all cells in End-to-End OAM F4 Circuit*/ 8235 if (!is_atm) 8236 bpf_error("'oam4ec' supported only on raw ATM"); 8237 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8238 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8239 gen_and(b0, b1); 8240 break; 8241 8242 case A_SC: 8243 /* Get all packets in connection Signalling Circuit */ 8244 if (!is_atm) 8245 bpf_error("'sc' supported only on raw ATM"); 8246 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8247 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8248 gen_and(b0, b1); 8249 break; 8250 8251 case A_ILMIC: 8252 /* Get all packets in ILMI Circuit */ 8253 if (!is_atm) 8254 bpf_error("'ilmic' supported only on raw ATM"); 8255 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8256 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8257 gen_and(b0, b1); 8258 break; 8259 8260 case A_LANE: 8261 /* Get all LANE packets */ 8262 if (!is_atm) 8263 bpf_error("'lane' supported only on raw ATM"); 8264 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8265 8266 /* 8267 * Arrange that all subsequent tests assume LANE 8268 * rather than LLC-encapsulated packets, and set 8269 * the offsets appropriately for LANE-encapsulated 8270 * Ethernet. 8271 * 8272 * "off_mac" is the offset of the Ethernet header, 8273 * which is 2 bytes past the ATM pseudo-header 8274 * (skipping the pseudo-header and 2-byte LE Client 8275 * field). The other offsets are Ethernet offsets 8276 * relative to "off_mac". 8277 */ 8278 is_lane = 1; 8279 off_mac = off_payload + 2; /* MAC header */ 8280 off_linktype = off_mac + 12; 8281 off_macpl = off_mac + 14; /* Ethernet */ 8282 off_nl = 0; /* Ethernet II */ 8283 off_nl_nosnap = 3; /* 802.3+802.2 */ 8284 break; 8285 8286 case A_LLC: 8287 /* Get all LLC-encapsulated packets */ 8288 if (!is_atm) 8289 bpf_error("'llc' supported only on raw ATM"); 8290 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8291 is_lane = 0; 8292 break; 8293 8294 default: 8295 abort(); 8296 } 8297 return b1; 8298 } 8299 8300 /* 8301 * Filtering for MTP2 messages based on li value 8302 * FISU, length is null 8303 * LSSU, length is 1 or 2 8304 * MSU, length is 3 or more 8305 */ 8306 struct block * 8307 gen_mtp2type_abbrev(type) 8308 int type; 8309 { 8310 struct block *b0, *b1; 8311 8312 switch (type) { 8313 8314 case M_FISU: 8315 if ( (linktype != DLT_MTP2) && 8316 (linktype != DLT_ERF) && 8317 (linktype != DLT_MTP2_WITH_PHDR) ) 8318 bpf_error("'fisu' supported only on MTP2"); 8319 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8320 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8321 break; 8322 8323 case M_LSSU: 8324 if ( (linktype != DLT_MTP2) && 8325 (linktype != DLT_ERF) && 8326 (linktype != DLT_MTP2_WITH_PHDR) ) 8327 bpf_error("'lssu' supported only on MTP2"); 8328 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8329 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8330 gen_and(b1, b0); 8331 break; 8332 8333 case M_MSU: 8334 if ( (linktype != DLT_MTP2) && 8335 (linktype != DLT_ERF) && 8336 (linktype != DLT_MTP2_WITH_PHDR) ) 8337 bpf_error("'msu' supported only on MTP2"); 8338 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8339 break; 8340 8341 default: 8342 abort(); 8343 } 8344 return b0; 8345 } 8346 8347 struct block * 8348 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8349 int mtp3field; 8350 bpf_u_int32 jvalue; 8351 bpf_u_int32 jtype; 8352 int reverse; 8353 { 8354 struct block *b0; 8355 bpf_u_int32 val1 , val2 , val3; 8356 8357 switch (mtp3field) { 8358 8359 case M_SIO: 8360 if (off_sio == (u_int)-1) 8361 bpf_error("'sio' supported only on SS7"); 8362 /* sio coded on 1 byte so max value 255 */ 8363 if(jvalue > 255) 8364 bpf_error("sio value %u too big; max value = 255", 8365 jvalue); 8366 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8367 (u_int)jtype, reverse, (u_int)jvalue); 8368 break; 8369 8370 case M_OPC: 8371 if (off_opc == (u_int)-1) 8372 bpf_error("'opc' supported only on SS7"); 8373 /* opc coded on 14 bits so max value 16383 */ 8374 if (jvalue > 16383) 8375 bpf_error("opc value %u too big; max value = 16383", 8376 jvalue); 8377 /* the following instructions are made to convert jvalue 8378 * to the form used to write opc in an ss7 message*/ 8379 val1 = jvalue & 0x00003c00; 8380 val1 = val1 >>10; 8381 val2 = jvalue & 0x000003fc; 8382 val2 = val2 <<6; 8383 val3 = jvalue & 0x00000003; 8384 val3 = val3 <<22; 8385 jvalue = val1 + val2 + val3; 8386 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8387 (u_int)jtype, reverse, (u_int)jvalue); 8388 break; 8389 8390 case M_DPC: 8391 if (off_dpc == (u_int)-1) 8392 bpf_error("'dpc' supported only on SS7"); 8393 /* dpc coded on 14 bits so max value 16383 */ 8394 if (jvalue > 16383) 8395 bpf_error("dpc value %u too big; max value = 16383", 8396 jvalue); 8397 /* the following instructions are made to convert jvalue 8398 * to the forme used to write dpc in an ss7 message*/ 8399 val1 = jvalue & 0x000000ff; 8400 val1 = val1 << 24; 8401 val2 = jvalue & 0x00003f00; 8402 val2 = val2 << 8; 8403 jvalue = val1 + val2; 8404 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8405 (u_int)jtype, reverse, (u_int)jvalue); 8406 break; 8407 8408 case M_SLS: 8409 if (off_sls == (u_int)-1) 8410 bpf_error("'sls' supported only on SS7"); 8411 /* sls coded on 4 bits so max value 15 */ 8412 if (jvalue > 15) 8413 bpf_error("sls value %u too big; max value = 15", 8414 jvalue); 8415 /* the following instruction is made to convert jvalue 8416 * to the forme used to write sls in an ss7 message*/ 8417 jvalue = jvalue << 4; 8418 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8419 (u_int)jtype,reverse, (u_int)jvalue); 8420 break; 8421 8422 default: 8423 abort(); 8424 } 8425 return b0; 8426 } 8427 8428 static struct block * 8429 gen_msg_abbrev(type) 8430 int type; 8431 { 8432 struct block *b1; 8433 8434 /* 8435 * Q.2931 signalling protocol messages for handling virtual circuits 8436 * establishment and teardown 8437 */ 8438 switch (type) { 8439 8440 case A_SETUP: 8441 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8442 break; 8443 8444 case A_CALLPROCEED: 8445 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8446 break; 8447 8448 case A_CONNECT: 8449 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8450 break; 8451 8452 case A_CONNECTACK: 8453 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8454 break; 8455 8456 case A_RELEASE: 8457 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8458 break; 8459 8460 case A_RELEASE_DONE: 8461 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8462 break; 8463 8464 default: 8465 abort(); 8466 } 8467 return b1; 8468 } 8469 8470 struct block * 8471 gen_atmmulti_abbrev(type) 8472 int type; 8473 { 8474 struct block *b0, *b1; 8475 8476 switch (type) { 8477 8478 case A_OAM: 8479 if (!is_atm) 8480 bpf_error("'oam' supported only on raw ATM"); 8481 b1 = gen_atmmulti_abbrev(A_OAMF4); 8482 break; 8483 8484 case A_OAMF4: 8485 if (!is_atm) 8486 bpf_error("'oamf4' supported only on raw ATM"); 8487 /* OAM F4 type */ 8488 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8489 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8490 gen_or(b0, b1); 8491 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8492 gen_and(b0, b1); 8493 break; 8494 8495 case A_CONNECTMSG: 8496 /* 8497 * Get Q.2931 signalling messages for switched 8498 * virtual connection 8499 */ 8500 if (!is_atm) 8501 bpf_error("'connectmsg' supported only on raw ATM"); 8502 b0 = gen_msg_abbrev(A_SETUP); 8503 b1 = gen_msg_abbrev(A_CALLPROCEED); 8504 gen_or(b0, b1); 8505 b0 = gen_msg_abbrev(A_CONNECT); 8506 gen_or(b0, b1); 8507 b0 = gen_msg_abbrev(A_CONNECTACK); 8508 gen_or(b0, b1); 8509 b0 = gen_msg_abbrev(A_RELEASE); 8510 gen_or(b0, b1); 8511 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8512 gen_or(b0, b1); 8513 b0 = gen_atmtype_abbrev(A_SC); 8514 gen_and(b0, b1); 8515 break; 8516 8517 case A_METACONNECT: 8518 if (!is_atm) 8519 bpf_error("'metaconnect' supported only on raw ATM"); 8520 b0 = gen_msg_abbrev(A_SETUP); 8521 b1 = gen_msg_abbrev(A_CALLPROCEED); 8522 gen_or(b0, b1); 8523 b0 = gen_msg_abbrev(A_CONNECT); 8524 gen_or(b0, b1); 8525 b0 = gen_msg_abbrev(A_RELEASE); 8526 gen_or(b0, b1); 8527 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8528 gen_or(b0, b1); 8529 b0 = gen_atmtype_abbrev(A_METAC); 8530 gen_and(b0, b1); 8531 break; 8532 8533 default: 8534 abort(); 8535 } 8536 return b1; 8537 } 8538