1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * $FreeBSD$ 23 */ 24 25 #ifdef HAVE_CONFIG_H 26 #include "config.h" 27 #endif 28 29 #ifdef _WIN32 30 #include <pcap-stdinc.h> 31 #else /* _WIN32 */ 32 #if HAVE_INTTYPES_H 33 #include <inttypes.h> 34 #elif HAVE_STDINT_H 35 #include <stdint.h> 36 #endif 37 #ifdef HAVE_SYS_BITYPES_H 38 #include <sys/bitypes.h> 39 #endif 40 #include <sys/types.h> 41 #include <sys/socket.h> 42 #endif /* _WIN32 */ 43 44 #ifndef _WIN32 45 46 #ifdef __NetBSD__ 47 #include <sys/param.h> 48 #endif 49 50 #include <netinet/in.h> 51 #include <arpa/inet.h> 52 53 #endif /* _WIN32 */ 54 55 #include <stdlib.h> 56 #include <string.h> 57 #include <memory.h> 58 #include <setjmp.h> 59 #include <stdarg.h> 60 61 #ifdef MSDOS 62 #include "pcap-dos.h" 63 #endif 64 65 #include "pcap-int.h" 66 67 #include "ethertype.h" 68 #include "nlpid.h" 69 #include "llc.h" 70 #include "gencode.h" 71 #include "ieee80211.h" 72 #include "atmuni31.h" 73 #include "sunatmpos.h" 74 #include "ppp.h" 75 #include "pcap/sll.h" 76 #include "pcap/ipnet.h" 77 #include "arcnet.h" 78 79 #include "grammar.h" 80 #include "scanner.h" 81 82 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 83 #include <linux/types.h> 84 #include <linux/if_packet.h> 85 #include <linux/filter.h> 86 #endif 87 88 #ifdef HAVE_NET_PFVAR_H 89 #include <sys/socket.h> 90 #include <net/if.h> 91 #include <net/pfvar.h> 92 #include <net/if_pflog.h> 93 #endif 94 95 #ifndef offsetof 96 #define offsetof(s, e) ((size_t)&((s *)0)->e) 97 #endif 98 99 #ifdef INET6 100 #ifdef _WIN32 101 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) 102 /* IPv6 address */ 103 struct in6_addr 104 { 105 union 106 { 107 u_int8_t u6_addr8[16]; 108 u_int16_t u6_addr16[8]; 109 u_int32_t u6_addr32[4]; 110 } in6_u; 111 #define s6_addr in6_u.u6_addr8 112 #define s6_addr16 in6_u.u6_addr16 113 #define s6_addr32 in6_u.u6_addr32 114 #define s6_addr64 in6_u.u6_addr64 115 }; 116 117 typedef unsigned short sa_family_t; 118 119 #define __SOCKADDR_COMMON(sa_prefix) \ 120 sa_family_t sa_prefix##family 121 122 /* Ditto, for IPv6. */ 123 struct sockaddr_in6 124 { 125 __SOCKADDR_COMMON (sin6_); 126 u_int16_t sin6_port; /* Transport layer port # */ 127 u_int32_t sin6_flowinfo; /* IPv6 flow information */ 128 struct in6_addr sin6_addr; /* IPv6 address */ 129 }; 130 131 #ifndef EAI_ADDRFAMILY 132 struct addrinfo { 133 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ 134 int ai_family; /* PF_xxx */ 135 int ai_socktype; /* SOCK_xxx */ 136 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ 137 size_t ai_addrlen; /* length of ai_addr */ 138 char *ai_canonname; /* canonical name for hostname */ 139 struct sockaddr *ai_addr; /* binary address */ 140 struct addrinfo *ai_next; /* next structure in linked list */ 141 }; 142 #endif /* EAI_ADDRFAMILY */ 143 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */ 144 #else /* _WIN32 */ 145 #include <netdb.h> /* for "struct addrinfo" */ 146 #endif /* _WIN32 */ 147 #endif /* INET6 */ 148 #include <pcap/namedb.h> 149 150 #include "nametoaddr.h" 151 152 #define ETHERMTU 1500 153 154 #ifndef ETHERTYPE_TEB 155 #define ETHERTYPE_TEB 0x6558 156 #endif 157 158 #ifndef IPPROTO_HOPOPTS 159 #define IPPROTO_HOPOPTS 0 160 #endif 161 #ifndef IPPROTO_ROUTING 162 #define IPPROTO_ROUTING 43 163 #endif 164 #ifndef IPPROTO_FRAGMENT 165 #define IPPROTO_FRAGMENT 44 166 #endif 167 #ifndef IPPROTO_DSTOPTS 168 #define IPPROTO_DSTOPTS 60 169 #endif 170 #ifndef IPPROTO_SCTP 171 #define IPPROTO_SCTP 132 172 #endif 173 174 #define GENEVE_PORT 6081 175 176 #ifdef HAVE_OS_PROTO_H 177 #include "os-proto.h" 178 #endif 179 180 #define JMP(c) ((c)|BPF_JMP|BPF_K) 181 182 /* 183 * "Push" the current value of the link-layer header type and link-layer 184 * header offset onto a "stack", and set a new value. (It's not a 185 * full-blown stack; we keep only the top two items.) 186 */ 187 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \ 188 { \ 189 (cs)->prevlinktype = (cs)->linktype; \ 190 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \ 191 (cs)->linktype = (new_linktype); \ 192 (cs)->off_linkhdr.is_variable = (new_is_variable); \ 193 (cs)->off_linkhdr.constant_part = (new_constant_part); \ 194 (cs)->off_linkhdr.reg = (new_reg); \ 195 (cs)->is_geneve = 0; \ 196 } 197 198 /* 199 * Offset "not set" value. 200 */ 201 #define OFFSET_NOT_SET 0xffffffffU 202 203 /* 204 * Absolute offsets, which are offsets from the beginning of the raw 205 * packet data, are, in the general case, the sum of a variable value 206 * and a constant value; the variable value may be absent, in which 207 * case the offset is only the constant value, and the constant value 208 * may be zero, in which case the offset is only the variable value. 209 * 210 * bpf_abs_offset is a structure containing all that information: 211 * 212 * is_variable is 1 if there's a variable part. 213 * 214 * constant_part is the constant part of the value, possibly zero; 215 * 216 * if is_variable is 1, reg is the register number for a register 217 * containing the variable value if the register has been assigned, 218 * and -1 otherwise. 219 */ 220 typedef struct { 221 int is_variable; 222 u_int constant_part; 223 int reg; 224 } bpf_abs_offset; 225 226 /* 227 * Value passed to gen_load_a() to indicate what the offset argument 228 * is relative to the beginning of. 229 */ 230 enum e_offrel { 231 OR_PACKET, /* full packet data */ 232 OR_LINKHDR, /* link-layer header */ 233 OR_PREVLINKHDR, /* previous link-layer header */ 234 OR_LLC, /* 802.2 LLC header */ 235 OR_PREVMPLSHDR, /* previous MPLS header */ 236 OR_LINKTYPE, /* link-layer type */ 237 OR_LINKPL, /* link-layer payload */ 238 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */ 239 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */ 240 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */ 241 }; 242 243 /* 244 * We divy out chunks of memory rather than call malloc each time so 245 * we don't have to worry about leaking memory. It's probably 246 * not a big deal if all this memory was wasted but if this ever 247 * goes into a library that would probably not be a good idea. 248 * 249 * XXX - this *is* in a library.... 250 */ 251 #define NCHUNKS 16 252 #define CHUNK0SIZE 1024 253 struct chunk { 254 size_t n_left; 255 void *m; 256 }; 257 258 /* Code generator state */ 259 260 struct _compiler_state { 261 jmp_buf top_ctx; 262 pcap_t *bpf_pcap; 263 264 struct icode ic; 265 266 int snaplen; 267 268 int linktype; 269 int prevlinktype; 270 int outermostlinktype; 271 272 bpf_u_int32 netmask; 273 int no_optimize; 274 275 /* Hack for handling VLAN and MPLS stacks. */ 276 u_int label_stack_depth; 277 u_int vlan_stack_depth; 278 279 /* XXX */ 280 u_int pcap_fddipad; 281 282 #ifdef INET6 283 /* 284 * As errors are handled by a longjmp, anything allocated must 285 * be freed in the longjmp handler, so it must be reachable 286 * from that handler. 287 * 288 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 289 * it must be freed with freeaddrinfo(). This variable points to 290 * any addrinfo structure that would need to be freed. 291 */ 292 struct addrinfo *ai; 293 #endif 294 295 /* 296 * Various code constructs need to know the layout of the packet. 297 * These values give the necessary offsets from the beginning 298 * of the packet data. 299 */ 300 301 /* 302 * Absolute offset of the beginning of the link-layer header. 303 */ 304 bpf_abs_offset off_linkhdr; 305 306 /* 307 * If we're checking a link-layer header for a packet encapsulated 308 * in another protocol layer, this is the equivalent information 309 * for the previous layers' link-layer header from the beginning 310 * of the raw packet data. 311 */ 312 bpf_abs_offset off_prevlinkhdr; 313 314 /* 315 * This is the equivalent information for the outermost layers' 316 * link-layer header. 317 */ 318 bpf_abs_offset off_outermostlinkhdr; 319 320 /* 321 * Absolute offset of the beginning of the link-layer payload. 322 */ 323 bpf_abs_offset off_linkpl; 324 325 /* 326 * "off_linktype" is the offset to information in the link-layer 327 * header giving the packet type. This is an absolute offset 328 * from the beginning of the packet. 329 * 330 * For Ethernet, it's the offset of the Ethernet type field; this 331 * means that it must have a value that skips VLAN tags. 332 * 333 * For link-layer types that always use 802.2 headers, it's the 334 * offset of the LLC header; this means that it must have a value 335 * that skips VLAN tags. 336 * 337 * For PPP, it's the offset of the PPP type field. 338 * 339 * For Cisco HDLC, it's the offset of the CHDLC type field. 340 * 341 * For BSD loopback, it's the offset of the AF_ value. 342 * 343 * For Linux cooked sockets, it's the offset of the type field. 344 * 345 * off_linktype.constant_part is set to OFFSET_NOT_SET for no 346 * encapsulation, in which case, IP is assumed. 347 */ 348 bpf_abs_offset off_linktype; 349 350 /* 351 * TRUE if the link layer includes an ATM pseudo-header. 352 */ 353 int is_atm; 354 355 /* 356 * TRUE if "geneve" appeared in the filter; it causes us to 357 * generate code that checks for a Geneve header and assume 358 * that later filters apply to the encapsulated payload. 359 */ 360 int is_geneve; 361 362 /* 363 * These are offsets for the ATM pseudo-header. 364 */ 365 u_int off_vpi; 366 u_int off_vci; 367 u_int off_proto; 368 369 /* 370 * These are offsets for the MTP2 fields. 371 */ 372 u_int off_li; 373 u_int off_li_hsl; 374 375 /* 376 * These are offsets for the MTP3 fields. 377 */ 378 u_int off_sio; 379 u_int off_opc; 380 u_int off_dpc; 381 u_int off_sls; 382 383 /* 384 * This is the offset of the first byte after the ATM pseudo_header, 385 * or -1 if there is no ATM pseudo-header. 386 */ 387 u_int off_payload; 388 389 /* 390 * These are offsets to the beginning of the network-layer header. 391 * They are relative to the beginning of the link-layer payload 392 * (i.e., they don't include off_linkhdr.constant_part or 393 * off_linkpl.constant_part). 394 * 395 * If the link layer never uses 802.2 LLC: 396 * 397 * "off_nl" and "off_nl_nosnap" are the same. 398 * 399 * If the link layer always uses 802.2 LLC: 400 * 401 * "off_nl" is the offset if there's a SNAP header following 402 * the 802.2 header; 403 * 404 * "off_nl_nosnap" is the offset if there's no SNAP header. 405 * 406 * If the link layer is Ethernet: 407 * 408 * "off_nl" is the offset if the packet is an Ethernet II packet 409 * (we assume no 802.3+802.2+SNAP); 410 * 411 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 412 * with an 802.2 header following it. 413 */ 414 u_int off_nl; 415 u_int off_nl_nosnap; 416 417 /* 418 * Here we handle simple allocation of the scratch registers. 419 * If too many registers are alloc'd, the allocator punts. 420 */ 421 int regused[BPF_MEMWORDS]; 422 int curreg; 423 424 /* 425 * Memory chunks. 426 */ 427 struct chunk chunks[NCHUNKS]; 428 int cur_chunk; 429 }; 430 431 void 432 bpf_syntax_error(compiler_state_t *cstate, const char *msg) 433 { 434 bpf_error(cstate, "syntax error in filter expression: %s", msg); 435 /* NOTREACHED */ 436 } 437 438 /* VARARGS */ 439 void 440 bpf_error(compiler_state_t *cstate, const char *fmt, ...) 441 { 442 va_list ap; 443 444 va_start(ap, fmt); 445 if (cstate->bpf_pcap != NULL) 446 (void)pcap_vsnprintf(pcap_geterr(cstate->bpf_pcap), 447 PCAP_ERRBUF_SIZE, fmt, ap); 448 va_end(ap); 449 longjmp(cstate->top_ctx, 1); 450 /* NOTREACHED */ 451 } 452 453 static void init_linktype(compiler_state_t *, pcap_t *); 454 455 static void init_regs(compiler_state_t *); 456 static int alloc_reg(compiler_state_t *); 457 static void free_reg(compiler_state_t *, int); 458 459 static void initchunks(compiler_state_t *cstate); 460 static void *newchunk(compiler_state_t *cstate, size_t); 461 static void freechunks(compiler_state_t *cstate); 462 static inline struct block *new_block(compiler_state_t *cstate, int); 463 static inline struct slist *new_stmt(compiler_state_t *cstate, int); 464 static struct block *gen_retblk(compiler_state_t *cstate, int); 465 static inline void syntax(compiler_state_t *cstate); 466 467 static void backpatch(struct block *, struct block *); 468 static void merge(struct block *, struct block *); 469 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int, 470 u_int, bpf_int32); 471 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int, 472 u_int, bpf_int32); 473 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int, 474 u_int, bpf_int32); 475 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int, 476 u_int, bpf_int32); 477 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int, 478 u_int, bpf_int32); 479 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int, 480 u_int, bpf_int32, bpf_u_int32); 481 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int, 482 u_int, const u_char *); 483 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32, 484 bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32); 485 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *, 486 u_int, u_int); 487 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int, 488 u_int); 489 static struct slist *gen_loadx_iphdrlen(compiler_state_t *); 490 static struct block *gen_uncond(compiler_state_t *, int); 491 static inline struct block *gen_true(compiler_state_t *); 492 static inline struct block *gen_false(compiler_state_t *); 493 static struct block *gen_ether_linktype(compiler_state_t *, int); 494 static struct block *gen_ipnet_linktype(compiler_state_t *, int); 495 static struct block *gen_linux_sll_linktype(compiler_state_t *, int); 496 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *); 497 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *); 498 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *); 499 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *); 500 static void insert_compute_vloffsets(compiler_state_t *, struct block *); 501 static struct slist *gen_abs_offset_varpart(compiler_state_t *, 502 bpf_abs_offset *); 503 static int ethertype_to_ppptype(int); 504 static struct block *gen_linktype(compiler_state_t *, int); 505 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32); 506 static struct block *gen_llc_linktype(compiler_state_t *, int); 507 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32, 508 int, int, u_int, u_int); 509 #ifdef INET6 510 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *, 511 struct in6_addr *, int, int, u_int, u_int); 512 #endif 513 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int); 514 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int); 515 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int); 516 static struct block *gen_thostop(compiler_state_t *, const u_char *, int); 517 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int); 518 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int); 519 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int); 520 static struct block *gen_mpls_linktype(compiler_state_t *, int); 521 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32, 522 int, int, int); 523 #ifdef INET6 524 static struct block *gen_host6(compiler_state_t *, struct in6_addr *, 525 struct in6_addr *, int, int, int); 526 #endif 527 #ifndef INET6 528 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 529 #endif 530 static struct block *gen_ipfrag(compiler_state_t *); 531 static struct block *gen_portatom(compiler_state_t *, int, bpf_int32); 532 static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32, 533 bpf_int32); 534 static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32); 535 static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32, 536 bpf_int32); 537 struct block *gen_portop(compiler_state_t *, int, int, int); 538 static struct block *gen_port(compiler_state_t *, int, int, int); 539 struct block *gen_portrangeop(compiler_state_t *, int, int, int, int); 540 static struct block *gen_portrange(compiler_state_t *, int, int, int, int); 541 struct block *gen_portop6(compiler_state_t *, int, int, int); 542 static struct block *gen_port6(compiler_state_t *, int, int, int); 543 struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int); 544 static struct block *gen_portrange6(compiler_state_t *, int, int, int, int); 545 static int lookup_proto(compiler_state_t *, const char *, int); 546 static struct block *gen_protochain(compiler_state_t *, int, int, int); 547 static struct block *gen_proto(compiler_state_t *, int, int, int); 548 static struct slist *xfer_to_x(compiler_state_t *, struct arth *); 549 static struct slist *xfer_to_a(compiler_state_t *, struct arth *); 550 static struct block *gen_mac_multicast(compiler_state_t *, int); 551 static struct block *gen_len(compiler_state_t *, int, int); 552 static struct block *gen_check_802_11_data_frame(compiler_state_t *); 553 static struct block *gen_geneve_ll_check(compiler_state_t *cstate); 554 555 static struct block *gen_ppi_dlt_check(compiler_state_t *); 556 static struct block *gen_msg_abbrev(compiler_state_t *, int type); 557 558 static void 559 initchunks(compiler_state_t *cstate) 560 { 561 int i; 562 563 for (i = 0; i < NCHUNKS; i++) { 564 cstate->chunks[i].n_left = 0; 565 cstate->chunks[i].m = NULL; 566 } 567 cstate->cur_chunk = 0; 568 } 569 570 static void * 571 newchunk(compiler_state_t *cstate, size_t n) 572 { 573 struct chunk *cp; 574 int k; 575 size_t size; 576 577 #ifndef __NetBSD__ 578 /* XXX Round up to nearest long. */ 579 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 580 #else 581 /* XXX Round up to structure boundary. */ 582 n = ALIGN(n); 583 #endif 584 585 cp = &cstate->chunks[cstate->cur_chunk]; 586 if (n > cp->n_left) { 587 ++cp, k = ++cstate->cur_chunk; 588 if (k >= NCHUNKS) 589 bpf_error(cstate, "out of memory"); 590 size = CHUNK0SIZE << k; 591 cp->m = (void *)malloc(size); 592 if (cp->m == NULL) 593 bpf_error(cstate, "out of memory"); 594 memset((char *)cp->m, 0, size); 595 cp->n_left = size; 596 if (n > size) 597 bpf_error(cstate, "out of memory"); 598 } 599 cp->n_left -= n; 600 return (void *)((char *)cp->m + cp->n_left); 601 } 602 603 static void 604 freechunks(compiler_state_t *cstate) 605 { 606 int i; 607 608 for (i = 0; i < NCHUNKS; ++i) 609 if (cstate->chunks[i].m != NULL) 610 free(cstate->chunks[i].m); 611 } 612 613 /* 614 * A strdup whose allocations are freed after code generation is over. 615 */ 616 char * 617 sdup(compiler_state_t *cstate, const char *s) 618 { 619 size_t n = strlen(s) + 1; 620 char *cp = newchunk(cstate, n); 621 622 strlcpy(cp, s, n); 623 return (cp); 624 } 625 626 static inline struct block * 627 new_block(compiler_state_t *cstate, int code) 628 { 629 struct block *p; 630 631 p = (struct block *)newchunk(cstate, sizeof(*p)); 632 p->s.code = code; 633 p->head = p; 634 635 return p; 636 } 637 638 static inline struct slist * 639 new_stmt(compiler_state_t *cstate, int code) 640 { 641 struct slist *p; 642 643 p = (struct slist *)newchunk(cstate, sizeof(*p)); 644 p->s.code = code; 645 646 return p; 647 } 648 649 static struct block * 650 gen_retblk(compiler_state_t *cstate, int v) 651 { 652 struct block *b = new_block(cstate, BPF_RET|BPF_K); 653 654 b->s.k = v; 655 return b; 656 } 657 658 static inline void 659 syntax(compiler_state_t *cstate) 660 { 661 bpf_error(cstate, "syntax error in filter expression"); 662 } 663 664 int 665 pcap_compile(pcap_t *p, struct bpf_program *program, 666 const char *buf, int optimize, bpf_u_int32 mask) 667 { 668 compiler_state_t cstate; 669 const char * volatile xbuf = buf; 670 yyscan_t scanner = NULL; 671 YY_BUFFER_STATE in_buffer = NULL; 672 u_int len; 673 int rc; 674 675 #ifdef _WIN32 676 static int done = 0; 677 678 if (!done) 679 pcap_wsockinit(); 680 done = 1; 681 #endif 682 683 /* 684 * If this pcap_t hasn't been activated, it doesn't have a 685 * link-layer type, so we can't use it. 686 */ 687 if (!p->activated) { 688 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 689 "not-yet-activated pcap_t passed to pcap_compile"); 690 rc = -1; 691 goto quit; 692 } 693 initchunks(&cstate); 694 cstate.no_optimize = 0; 695 cstate.ai = NULL; 696 cstate.ic.root = NULL; 697 cstate.ic.cur_mark = 0; 698 cstate.bpf_pcap = p; 699 init_regs(&cstate); 700 701 if (setjmp(cstate.top_ctx)) { 702 #ifdef INET6 703 if (cstate.ai != NULL) 704 freeaddrinfo(cstate.ai); 705 #endif 706 rc = -1; 707 goto quit; 708 } 709 710 cstate.netmask = mask; 711 712 cstate.snaplen = pcap_snapshot(p); 713 if (cstate.snaplen == 0) { 714 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 715 "snaplen of 0 rejects all packets"); 716 rc = -1; 717 goto quit; 718 } 719 720 if (pcap_lex_init(&scanner) != 0) 721 bpf_error(&cstate, "can't initialize scanner: %s", pcap_strerror(errno)); 722 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner); 723 724 /* 725 * Associate the compiler state with the lexical analyzer 726 * state. 727 */ 728 pcap_set_extra(&cstate, scanner); 729 730 init_linktype(&cstate, p); 731 (void)pcap_parse(scanner, &cstate); 732 733 if (cstate.ic.root == NULL) 734 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen); 735 736 if (optimize && !cstate.no_optimize) { 737 bpf_optimize(&cstate, &cstate.ic); 738 if (cstate.ic.root == NULL || 739 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) 740 bpf_error(&cstate, "expression rejects all packets"); 741 } 742 program->bf_insns = icode_to_fcode(&cstate, &cstate.ic, cstate.ic.root, &len); 743 program->bf_len = len; 744 745 rc = 0; /* We're all okay */ 746 747 quit: 748 /* 749 * Clean up everything for the lexical analyzer. 750 */ 751 if (in_buffer != NULL) 752 pcap__delete_buffer(in_buffer, scanner); 753 if (scanner != NULL) 754 pcap_lex_destroy(scanner); 755 756 /* 757 * Clean up our own allocated memory. 758 */ 759 freechunks(&cstate); 760 761 return (rc); 762 } 763 764 /* 765 * entry point for using the compiler with no pcap open 766 * pass in all the stuff that is needed explicitly instead. 767 */ 768 int 769 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 770 struct bpf_program *program, 771 const char *buf, int optimize, bpf_u_int32 mask) 772 { 773 pcap_t *p; 774 int ret; 775 776 p = pcap_open_dead(linktype_arg, snaplen_arg); 777 if (p == NULL) 778 return (-1); 779 ret = pcap_compile(p, program, buf, optimize, mask); 780 pcap_close(p); 781 return (ret); 782 } 783 784 /* 785 * Clean up a "struct bpf_program" by freeing all the memory allocated 786 * in it. 787 */ 788 void 789 pcap_freecode(struct bpf_program *program) 790 { 791 program->bf_len = 0; 792 if (program->bf_insns != NULL) { 793 free((char *)program->bf_insns); 794 program->bf_insns = NULL; 795 } 796 } 797 798 /* 799 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 800 * which of the jt and jf fields has been resolved and which is a pointer 801 * back to another unresolved block (or nil). At least one of the fields 802 * in each block is already resolved. 803 */ 804 static void 805 backpatch(list, target) 806 struct block *list, *target; 807 { 808 struct block *next; 809 810 while (list) { 811 if (!list->sense) { 812 next = JT(list); 813 JT(list) = target; 814 } else { 815 next = JF(list); 816 JF(list) = target; 817 } 818 list = next; 819 } 820 } 821 822 /* 823 * Merge the lists in b0 and b1, using the 'sense' field to indicate 824 * which of jt and jf is the link. 825 */ 826 static void 827 merge(b0, b1) 828 struct block *b0, *b1; 829 { 830 register struct block **p = &b0; 831 832 /* Find end of list. */ 833 while (*p) 834 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 835 836 /* Concatenate the lists. */ 837 *p = b1; 838 } 839 840 void 841 finish_parse(compiler_state_t *cstate, struct block *p) 842 { 843 struct block *ppi_dlt_check; 844 845 /* 846 * Insert before the statements of the first (root) block any 847 * statements needed to load the lengths of any variable-length 848 * headers into registers. 849 * 850 * XXX - a fancier strategy would be to insert those before the 851 * statements of all blocks that use those lengths and that 852 * have no predecessors that use them, so that we only compute 853 * the lengths if we need them. There might be even better 854 * approaches than that. 855 * 856 * However, those strategies would be more complicated, and 857 * as we don't generate code to compute a length if the 858 * program has no tests that use the length, and as most 859 * tests will probably use those lengths, we would just 860 * postpone computing the lengths so that it's not done 861 * for tests that fail early, and it's not clear that's 862 * worth the effort. 863 */ 864 insert_compute_vloffsets(cstate, p->head); 865 866 /* 867 * For DLT_PPI captures, generate a check of the per-packet 868 * DLT value to make sure it's DLT_IEEE802_11. 869 * 870 * XXX - TurboCap cards use DLT_PPI for Ethernet. 871 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header 872 * with appropriate Ethernet information and use that rather 873 * than using something such as DLT_PPI where you don't know 874 * the link-layer header type until runtime, which, in the 875 * general case, would force us to generate both Ethernet *and* 876 * 802.11 code (*and* anything else for which PPI is used) 877 * and choose between them early in the BPF program? 878 */ 879 ppi_dlt_check = gen_ppi_dlt_check(cstate); 880 if (ppi_dlt_check != NULL) 881 gen_and(ppi_dlt_check, p); 882 883 backpatch(p, gen_retblk(cstate, cstate->snaplen)); 884 p->sense = !p->sense; 885 backpatch(p, gen_retblk(cstate, 0)); 886 cstate->ic.root = p->head; 887 } 888 889 void 890 gen_and(b0, b1) 891 struct block *b0, *b1; 892 { 893 backpatch(b0, b1->head); 894 b0->sense = !b0->sense; 895 b1->sense = !b1->sense; 896 merge(b1, b0); 897 b1->sense = !b1->sense; 898 b1->head = b0->head; 899 } 900 901 void 902 gen_or(b0, b1) 903 struct block *b0, *b1; 904 { 905 b0->sense = !b0->sense; 906 backpatch(b0, b1->head); 907 b0->sense = !b0->sense; 908 merge(b1, b0); 909 b1->head = b0->head; 910 } 911 912 void 913 gen_not(b) 914 struct block *b; 915 { 916 b->sense = !b->sense; 917 } 918 919 static struct block * 920 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 921 u_int size, bpf_int32 v) 922 { 923 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 924 } 925 926 static struct block * 927 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 928 u_int size, bpf_int32 v) 929 { 930 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 931 } 932 933 static struct block * 934 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 935 u_int size, bpf_int32 v) 936 { 937 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 938 } 939 940 static struct block * 941 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 942 u_int size, bpf_int32 v) 943 { 944 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 945 } 946 947 static struct block * 948 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 949 u_int size, bpf_int32 v) 950 { 951 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 952 } 953 954 static struct block * 955 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 956 u_int size, bpf_int32 v, bpf_u_int32 mask) 957 { 958 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v); 959 } 960 961 static struct block * 962 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 963 u_int size, const u_char *v) 964 { 965 register struct block *b, *tmp; 966 967 b = NULL; 968 while (size >= 4) { 969 register const u_char *p = &v[size - 4]; 970 bpf_int32 w = ((bpf_int32)p[0] << 24) | 971 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 972 973 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, w); 974 if (b != NULL) 975 gen_and(b, tmp); 976 b = tmp; 977 size -= 4; 978 } 979 while (size >= 2) { 980 register const u_char *p = &v[size - 2]; 981 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 982 983 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, w); 984 if (b != NULL) 985 gen_and(b, tmp); 986 b = tmp; 987 size -= 2; 988 } 989 if (size > 0) { 990 tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]); 991 if (b != NULL) 992 gen_and(b, tmp); 993 b = tmp; 994 } 995 return b; 996 } 997 998 /* 999 * AND the field of size "size" at offset "offset" relative to the header 1000 * specified by "offrel" with "mask", and compare it with the value "v" 1001 * with the test specified by "jtype"; if "reverse" is true, the test 1002 * should test the opposite of "jtype". 1003 */ 1004 static struct block * 1005 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset, 1006 bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse, 1007 bpf_int32 v) 1008 { 1009 struct slist *s, *s2; 1010 struct block *b; 1011 1012 s = gen_load_a(cstate, offrel, offset, size); 1013 1014 if (mask != 0xffffffff) { 1015 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1016 s2->s.k = mask; 1017 sappend(s, s2); 1018 } 1019 1020 b = new_block(cstate, JMP(jtype)); 1021 b->stmts = s; 1022 b->s.k = v; 1023 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 1024 gen_not(b); 1025 return b; 1026 } 1027 1028 static void 1029 init_linktype(compiler_state_t *cstate, pcap_t *p) 1030 { 1031 cstate->pcap_fddipad = p->fddipad; 1032 1033 /* 1034 * We start out with only one link-layer header. 1035 */ 1036 cstate->outermostlinktype = pcap_datalink(p); 1037 cstate->off_outermostlinkhdr.constant_part = 0; 1038 cstate->off_outermostlinkhdr.is_variable = 0; 1039 cstate->off_outermostlinkhdr.reg = -1; 1040 1041 cstate->prevlinktype = cstate->outermostlinktype; 1042 cstate->off_prevlinkhdr.constant_part = 0; 1043 cstate->off_prevlinkhdr.is_variable = 0; 1044 cstate->off_prevlinkhdr.reg = -1; 1045 1046 cstate->linktype = cstate->outermostlinktype; 1047 cstate->off_linkhdr.constant_part = 0; 1048 cstate->off_linkhdr.is_variable = 0; 1049 cstate->off_linkhdr.reg = -1; 1050 1051 /* 1052 * XXX 1053 */ 1054 cstate->off_linkpl.constant_part = 0; 1055 cstate->off_linkpl.is_variable = 0; 1056 cstate->off_linkpl.reg = -1; 1057 1058 cstate->off_linktype.constant_part = 0; 1059 cstate->off_linktype.is_variable = 0; 1060 cstate->off_linktype.reg = -1; 1061 1062 /* 1063 * Assume it's not raw ATM with a pseudo-header, for now. 1064 */ 1065 cstate->is_atm = 0; 1066 cstate->off_vpi = -1; 1067 cstate->off_vci = -1; 1068 cstate->off_proto = -1; 1069 cstate->off_payload = -1; 1070 1071 /* 1072 * And not Geneve. 1073 */ 1074 cstate->is_geneve = 0; 1075 1076 /* 1077 * And assume we're not doing SS7. 1078 */ 1079 cstate->off_li = -1; 1080 cstate->off_li_hsl = -1; 1081 cstate->off_sio = -1; 1082 cstate->off_opc = -1; 1083 cstate->off_dpc = -1; 1084 cstate->off_sls = -1; 1085 1086 cstate->label_stack_depth = 0; 1087 cstate->vlan_stack_depth = 0; 1088 1089 switch (cstate->linktype) { 1090 1091 case DLT_ARCNET: 1092 cstate->off_linktype.constant_part = 2; 1093 cstate->off_linkpl.constant_part = 6; 1094 cstate->off_nl = 0; /* XXX in reality, variable! */ 1095 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1096 break; 1097 1098 case DLT_ARCNET_LINUX: 1099 cstate->off_linktype.constant_part = 4; 1100 cstate->off_linkpl.constant_part = 8; 1101 cstate->off_nl = 0; /* XXX in reality, variable! */ 1102 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1103 break; 1104 1105 case DLT_EN10MB: 1106 cstate->off_linktype.constant_part = 12; 1107 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */ 1108 cstate->off_nl = 0; /* Ethernet II */ 1109 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1110 break; 1111 1112 case DLT_SLIP: 1113 /* 1114 * SLIP doesn't have a link level type. The 16 byte 1115 * header is hacked into our SLIP driver. 1116 */ 1117 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1118 cstate->off_linkpl.constant_part = 16; 1119 cstate->off_nl = 0; 1120 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1121 break; 1122 1123 case DLT_SLIP_BSDOS: 1124 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1125 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1126 /* XXX end */ 1127 cstate->off_linkpl.constant_part = 24; 1128 cstate->off_nl = 0; 1129 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1130 break; 1131 1132 case DLT_NULL: 1133 case DLT_LOOP: 1134 cstate->off_linktype.constant_part = 0; 1135 cstate->off_linkpl.constant_part = 4; 1136 cstate->off_nl = 0; 1137 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1138 break; 1139 1140 case DLT_ENC: 1141 cstate->off_linktype.constant_part = 0; 1142 cstate->off_linkpl.constant_part = 12; 1143 cstate->off_nl = 0; 1144 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1145 break; 1146 1147 case DLT_PPP: 1148 case DLT_PPP_PPPD: 1149 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1150 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1151 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */ 1152 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */ 1153 cstate->off_nl = 0; 1154 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1155 break; 1156 1157 case DLT_PPP_ETHER: 1158 /* 1159 * This does no include the Ethernet header, and 1160 * only covers session state. 1161 */ 1162 cstate->off_linktype.constant_part = 6; 1163 cstate->off_linkpl.constant_part = 8; 1164 cstate->off_nl = 0; 1165 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1166 break; 1167 1168 case DLT_PPP_BSDOS: 1169 cstate->off_linktype.constant_part = 5; 1170 cstate->off_linkpl.constant_part = 24; 1171 cstate->off_nl = 0; 1172 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1173 break; 1174 1175 case DLT_FDDI: 1176 /* 1177 * FDDI doesn't really have a link-level type field. 1178 * We set "off_linktype" to the offset of the LLC header. 1179 * 1180 * To check for Ethernet types, we assume that SSAP = SNAP 1181 * is being used and pick out the encapsulated Ethernet type. 1182 * XXX - should we generate code to check for SNAP? 1183 */ 1184 cstate->off_linktype.constant_part = 13; 1185 cstate->off_linktype.constant_part += cstate->pcap_fddipad; 1186 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */ 1187 cstate->off_linkpl.constant_part += cstate->pcap_fddipad; 1188 cstate->off_nl = 8; /* 802.2+SNAP */ 1189 cstate->off_nl_nosnap = 3; /* 802.2 */ 1190 break; 1191 1192 case DLT_IEEE802: 1193 /* 1194 * Token Ring doesn't really have a link-level type field. 1195 * We set "off_linktype" to the offset of the LLC header. 1196 * 1197 * To check for Ethernet types, we assume that SSAP = SNAP 1198 * is being used and pick out the encapsulated Ethernet type. 1199 * XXX - should we generate code to check for SNAP? 1200 * 1201 * XXX - the header is actually variable-length. 1202 * Some various Linux patched versions gave 38 1203 * as "off_linktype" and 40 as "off_nl"; however, 1204 * if a token ring packet has *no* routing 1205 * information, i.e. is not source-routed, the correct 1206 * values are 20 and 22, as they are in the vanilla code. 1207 * 1208 * A packet is source-routed iff the uppermost bit 1209 * of the first byte of the source address, at an 1210 * offset of 8, has the uppermost bit set. If the 1211 * packet is source-routed, the total number of bytes 1212 * of routing information is 2 plus bits 0x1F00 of 1213 * the 16-bit value at an offset of 14 (shifted right 1214 * 8 - figure out which byte that is). 1215 */ 1216 cstate->off_linktype.constant_part = 14; 1217 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */ 1218 cstate->off_nl = 8; /* 802.2+SNAP */ 1219 cstate->off_nl_nosnap = 3; /* 802.2 */ 1220 break; 1221 1222 case DLT_PRISM_HEADER: 1223 case DLT_IEEE802_11_RADIO_AVS: 1224 case DLT_IEEE802_11_RADIO: 1225 cstate->off_linkhdr.is_variable = 1; 1226 /* Fall through, 802.11 doesn't have a variable link 1227 * prefix but is otherwise the same. */ 1228 1229 case DLT_IEEE802_11: 1230 /* 1231 * 802.11 doesn't really have a link-level type field. 1232 * We set "off_linktype.constant_part" to the offset of 1233 * the LLC header. 1234 * 1235 * To check for Ethernet types, we assume that SSAP = SNAP 1236 * is being used and pick out the encapsulated Ethernet type. 1237 * XXX - should we generate code to check for SNAP? 1238 * 1239 * We also handle variable-length radio headers here. 1240 * The Prism header is in theory variable-length, but in 1241 * practice it's always 144 bytes long. However, some 1242 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1243 * sometimes or always supply an AVS header, so we 1244 * have to check whether the radio header is a Prism 1245 * header or an AVS header, so, in practice, it's 1246 * variable-length. 1247 */ 1248 cstate->off_linktype.constant_part = 24; 1249 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1250 cstate->off_linkpl.is_variable = 1; 1251 cstate->off_nl = 8; /* 802.2+SNAP */ 1252 cstate->off_nl_nosnap = 3; /* 802.2 */ 1253 break; 1254 1255 case DLT_PPI: 1256 /* 1257 * At the moment we treat PPI the same way that we treat 1258 * normal Radiotap encoded packets. The difference is in 1259 * the function that generates the code at the beginning 1260 * to compute the header length. Since this code generator 1261 * of PPI supports bare 802.11 encapsulation only (i.e. 1262 * the encapsulated DLT should be DLT_IEEE802_11) we 1263 * generate code to check for this too. 1264 */ 1265 cstate->off_linktype.constant_part = 24; 1266 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1267 cstate->off_linkpl.is_variable = 1; 1268 cstate->off_linkhdr.is_variable = 1; 1269 cstate->off_nl = 8; /* 802.2+SNAP */ 1270 cstate->off_nl_nosnap = 3; /* 802.2 */ 1271 break; 1272 1273 case DLT_ATM_RFC1483: 1274 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1275 /* 1276 * assume routed, non-ISO PDUs 1277 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1278 * 1279 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1280 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1281 * latter would presumably be treated the way PPPoE 1282 * should be, so you can do "pppoe and udp port 2049" 1283 * or "pppoa and tcp port 80" and have it check for 1284 * PPPo{A,E} and a PPP protocol of IP and.... 1285 */ 1286 cstate->off_linktype.constant_part = 0; 1287 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */ 1288 cstate->off_nl = 8; /* 802.2+SNAP */ 1289 cstate->off_nl_nosnap = 3; /* 802.2 */ 1290 break; 1291 1292 case DLT_SUNATM: 1293 /* 1294 * Full Frontal ATM; you get AALn PDUs with an ATM 1295 * pseudo-header. 1296 */ 1297 cstate->is_atm = 1; 1298 cstate->off_vpi = SUNATM_VPI_POS; 1299 cstate->off_vci = SUNATM_VCI_POS; 1300 cstate->off_proto = PROTO_POS; 1301 cstate->off_payload = SUNATM_PKT_BEGIN_POS; 1302 cstate->off_linktype.constant_part = cstate->off_payload; 1303 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */ 1304 cstate->off_nl = 8; /* 802.2+SNAP */ 1305 cstate->off_nl_nosnap = 3; /* 802.2 */ 1306 break; 1307 1308 case DLT_RAW: 1309 case DLT_IPV4: 1310 case DLT_IPV6: 1311 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1312 cstate->off_linkpl.constant_part = 0; 1313 cstate->off_nl = 0; 1314 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1315 break; 1316 1317 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1318 cstate->off_linktype.constant_part = 14; 1319 cstate->off_linkpl.constant_part = 16; 1320 cstate->off_nl = 0; 1321 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1322 break; 1323 1324 case DLT_LTALK: 1325 /* 1326 * LocalTalk does have a 1-byte type field in the LLAP header, 1327 * but really it just indicates whether there is a "short" or 1328 * "long" DDP packet following. 1329 */ 1330 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1331 cstate->off_linkpl.constant_part = 0; 1332 cstate->off_nl = 0; 1333 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1334 break; 1335 1336 case DLT_IP_OVER_FC: 1337 /* 1338 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1339 * link-level type field. We set "off_linktype" to the 1340 * offset of the LLC header. 1341 * 1342 * To check for Ethernet types, we assume that SSAP = SNAP 1343 * is being used and pick out the encapsulated Ethernet type. 1344 * XXX - should we generate code to check for SNAP? RFC 1345 * 2625 says SNAP should be used. 1346 */ 1347 cstate->off_linktype.constant_part = 16; 1348 cstate->off_linkpl.constant_part = 16; 1349 cstate->off_nl = 8; /* 802.2+SNAP */ 1350 cstate->off_nl_nosnap = 3; /* 802.2 */ 1351 break; 1352 1353 case DLT_FRELAY: 1354 /* 1355 * XXX - we should set this to handle SNAP-encapsulated 1356 * frames (NLPID of 0x80). 1357 */ 1358 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1359 cstate->off_linkpl.constant_part = 0; 1360 cstate->off_nl = 0; 1361 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1362 break; 1363 1364 /* 1365 * the only BPF-interesting FRF.16 frames are non-control frames; 1366 * Frame Relay has a variable length link-layer 1367 * so lets start with offset 4 for now and increments later on (FIXME); 1368 */ 1369 case DLT_MFR: 1370 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1371 cstate->off_linkpl.constant_part = 0; 1372 cstate->off_nl = 4; 1373 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1374 break; 1375 1376 case DLT_APPLE_IP_OVER_IEEE1394: 1377 cstate->off_linktype.constant_part = 16; 1378 cstate->off_linkpl.constant_part = 18; 1379 cstate->off_nl = 0; 1380 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1381 break; 1382 1383 case DLT_SYMANTEC_FIREWALL: 1384 cstate->off_linktype.constant_part = 6; 1385 cstate->off_linkpl.constant_part = 44; 1386 cstate->off_nl = 0; /* Ethernet II */ 1387 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1388 break; 1389 1390 #ifdef HAVE_NET_PFVAR_H 1391 case DLT_PFLOG: 1392 cstate->off_linktype.constant_part = 0; 1393 cstate->off_linkpl.constant_part = PFLOG_HDRLEN; 1394 cstate->off_nl = 0; 1395 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1396 break; 1397 #endif 1398 1399 case DLT_JUNIPER_MFR: 1400 case DLT_JUNIPER_MLFR: 1401 case DLT_JUNIPER_MLPPP: 1402 case DLT_JUNIPER_PPP: 1403 case DLT_JUNIPER_CHDLC: 1404 case DLT_JUNIPER_FRELAY: 1405 cstate->off_linktype.constant_part = 4; 1406 cstate->off_linkpl.constant_part = 4; 1407 cstate->off_nl = 0; 1408 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1409 break; 1410 1411 case DLT_JUNIPER_ATM1: 1412 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */ 1413 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */ 1414 cstate->off_nl = 0; 1415 cstate->off_nl_nosnap = 10; 1416 break; 1417 1418 case DLT_JUNIPER_ATM2: 1419 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */ 1420 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */ 1421 cstate->off_nl = 0; 1422 cstate->off_nl_nosnap = 10; 1423 break; 1424 1425 /* frames captured on a Juniper PPPoE service PIC 1426 * contain raw ethernet frames */ 1427 case DLT_JUNIPER_PPPOE: 1428 case DLT_JUNIPER_ETHER: 1429 cstate->off_linkpl.constant_part = 14; 1430 cstate->off_linktype.constant_part = 16; 1431 cstate->off_nl = 18; /* Ethernet II */ 1432 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */ 1433 break; 1434 1435 case DLT_JUNIPER_PPPOE_ATM: 1436 cstate->off_linktype.constant_part = 4; 1437 cstate->off_linkpl.constant_part = 6; 1438 cstate->off_nl = 0; 1439 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1440 break; 1441 1442 case DLT_JUNIPER_GGSN: 1443 cstate->off_linktype.constant_part = 6; 1444 cstate->off_linkpl.constant_part = 12; 1445 cstate->off_nl = 0; 1446 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1447 break; 1448 1449 case DLT_JUNIPER_ES: 1450 cstate->off_linktype.constant_part = 6; 1451 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1452 cstate->off_nl = -1; /* not really a network layer but raw IP addresses */ 1453 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1454 break; 1455 1456 case DLT_JUNIPER_MONITOR: 1457 cstate->off_linktype.constant_part = 12; 1458 cstate->off_linkpl.constant_part = 12; 1459 cstate->off_nl = 0; /* raw IP/IP6 header */ 1460 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1461 break; 1462 1463 case DLT_BACNET_MS_TP: 1464 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1465 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1466 cstate->off_nl = -1; 1467 cstate->off_nl_nosnap = -1; 1468 break; 1469 1470 case DLT_JUNIPER_SERVICES: 1471 cstate->off_linktype.constant_part = 12; 1472 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1473 cstate->off_nl = -1; /* L3 proto location dep. on cookie type */ 1474 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1475 break; 1476 1477 case DLT_JUNIPER_VP: 1478 cstate->off_linktype.constant_part = 18; 1479 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1480 cstate->off_nl = -1; 1481 cstate->off_nl_nosnap = -1; 1482 break; 1483 1484 case DLT_JUNIPER_ST: 1485 cstate->off_linktype.constant_part = 18; 1486 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1487 cstate->off_nl = -1; 1488 cstate->off_nl_nosnap = -1; 1489 break; 1490 1491 case DLT_JUNIPER_ISM: 1492 cstate->off_linktype.constant_part = 8; 1493 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1494 cstate->off_nl = -1; 1495 cstate->off_nl_nosnap = -1; 1496 break; 1497 1498 case DLT_JUNIPER_VS: 1499 case DLT_JUNIPER_SRX_E2E: 1500 case DLT_JUNIPER_FIBRECHANNEL: 1501 case DLT_JUNIPER_ATM_CEMIC: 1502 cstate->off_linktype.constant_part = 8; 1503 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1504 cstate->off_nl = -1; 1505 cstate->off_nl_nosnap = -1; 1506 break; 1507 1508 case DLT_MTP2: 1509 cstate->off_li = 2; 1510 cstate->off_li_hsl = 4; 1511 cstate->off_sio = 3; 1512 cstate->off_opc = 4; 1513 cstate->off_dpc = 4; 1514 cstate->off_sls = 7; 1515 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1516 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1517 cstate->off_nl = -1; 1518 cstate->off_nl_nosnap = -1; 1519 break; 1520 1521 case DLT_MTP2_WITH_PHDR: 1522 cstate->off_li = 6; 1523 cstate->off_li_hsl = 8; 1524 cstate->off_sio = 7; 1525 cstate->off_opc = 8; 1526 cstate->off_dpc = 8; 1527 cstate->off_sls = 11; 1528 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1529 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1530 cstate->off_nl = -1; 1531 cstate->off_nl_nosnap = -1; 1532 break; 1533 1534 case DLT_ERF: 1535 cstate->off_li = 22; 1536 cstate->off_li_hsl = 24; 1537 cstate->off_sio = 23; 1538 cstate->off_opc = 24; 1539 cstate->off_dpc = 24; 1540 cstate->off_sls = 27; 1541 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1542 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1543 cstate->off_nl = -1; 1544 cstate->off_nl_nosnap = -1; 1545 break; 1546 1547 case DLT_PFSYNC: 1548 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1549 cstate->off_linkpl.constant_part = 4; 1550 cstate->off_nl = 0; 1551 cstate->off_nl_nosnap = 0; 1552 break; 1553 1554 case DLT_AX25_KISS: 1555 /* 1556 * Currently, only raw "link[N:M]" filtering is supported. 1557 */ 1558 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */ 1559 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1560 cstate->off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1561 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1562 break; 1563 1564 case DLT_IPNET: 1565 cstate->off_linktype.constant_part = 1; 1566 cstate->off_linkpl.constant_part = 24; /* ipnet header length */ 1567 cstate->off_nl = 0; 1568 cstate->off_nl_nosnap = -1; 1569 break; 1570 1571 case DLT_NETANALYZER: 1572 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */ 1573 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1574 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */ 1575 cstate->off_nl = 0; /* Ethernet II */ 1576 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1577 break; 1578 1579 case DLT_NETANALYZER_TRANSPARENT: 1580 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1581 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1582 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */ 1583 cstate->off_nl = 0; /* Ethernet II */ 1584 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1585 break; 1586 1587 default: 1588 /* 1589 * For values in the range in which we've assigned new 1590 * DLT_ values, only raw "link[N:M]" filtering is supported. 1591 */ 1592 if (cstate->linktype >= DLT_MATCHING_MIN && 1593 cstate->linktype <= DLT_MATCHING_MAX) { 1594 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1595 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1596 cstate->off_nl = -1; 1597 cstate->off_nl_nosnap = -1; 1598 } else { 1599 bpf_error(cstate, "unknown data link type %d", cstate->linktype); 1600 } 1601 break; 1602 } 1603 1604 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr; 1605 } 1606 1607 /* 1608 * Load a value relative to the specified absolute offset. 1609 */ 1610 static struct slist * 1611 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset, 1612 u_int offset, u_int size) 1613 { 1614 struct slist *s, *s2; 1615 1616 s = gen_abs_offset_varpart(cstate, abs_offset); 1617 1618 /* 1619 * If "s" is non-null, it has code to arrange that the X register 1620 * contains the variable part of the absolute offset, so we 1621 * generate a load relative to that, with an offset of 1622 * abs_offset->constant_part + offset. 1623 * 1624 * Otherwise, we can do an absolute load with an offset of 1625 * abs_offset->constant_part + offset. 1626 */ 1627 if (s != NULL) { 1628 /* 1629 * "s" points to a list of statements that puts the 1630 * variable part of the absolute offset into the X register. 1631 * Do an indirect load, to use the X register as an offset. 1632 */ 1633 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1634 s2->s.k = abs_offset->constant_part + offset; 1635 sappend(s, s2); 1636 } else { 1637 /* 1638 * There is no variable part of the absolute offset, so 1639 * just do an absolute load. 1640 */ 1641 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1642 s->s.k = abs_offset->constant_part + offset; 1643 } 1644 return s; 1645 } 1646 1647 /* 1648 * Load a value relative to the beginning of the specified header. 1649 */ 1650 static struct slist * 1651 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1652 u_int size) 1653 { 1654 struct slist *s, *s2; 1655 1656 switch (offrel) { 1657 1658 case OR_PACKET: 1659 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1660 s->s.k = offset; 1661 break; 1662 1663 case OR_LINKHDR: 1664 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size); 1665 break; 1666 1667 case OR_PREVLINKHDR: 1668 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size); 1669 break; 1670 1671 case OR_LLC: 1672 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size); 1673 break; 1674 1675 case OR_PREVMPLSHDR: 1676 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size); 1677 break; 1678 1679 case OR_LINKPL: 1680 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size); 1681 break; 1682 1683 case OR_LINKPL_NOSNAP: 1684 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size); 1685 break; 1686 1687 case OR_LINKTYPE: 1688 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size); 1689 break; 1690 1691 case OR_TRAN_IPV4: 1692 /* 1693 * Load the X register with the length of the IPv4 header 1694 * (plus the offset of the link-layer header, if it's 1695 * preceded by a variable-length header such as a radio 1696 * header), in bytes. 1697 */ 1698 s = gen_loadx_iphdrlen(cstate); 1699 1700 /* 1701 * Load the item at {offset of the link-layer payload} + 1702 * {offset, relative to the start of the link-layer 1703 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1704 * {specified offset}. 1705 * 1706 * If the offset of the link-layer payload is variable, 1707 * the variable part of that offset is included in the 1708 * value in the X register, and we include the constant 1709 * part in the offset of the load. 1710 */ 1711 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1712 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset; 1713 sappend(s, s2); 1714 break; 1715 1716 case OR_TRAN_IPV6: 1717 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size); 1718 break; 1719 1720 default: 1721 abort(); 1722 return NULL; 1723 } 1724 return s; 1725 } 1726 1727 /* 1728 * Generate code to load into the X register the sum of the length of 1729 * the IPv4 header and the variable part of the offset of the link-layer 1730 * payload. 1731 */ 1732 static struct slist * 1733 gen_loadx_iphdrlen(compiler_state_t *cstate) 1734 { 1735 struct slist *s, *s2; 1736 1737 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 1738 if (s != NULL) { 1739 /* 1740 * The offset of the link-layer payload has a variable 1741 * part. "s" points to a list of statements that put 1742 * the variable part of that offset into the X register. 1743 * 1744 * The 4*([k]&0xf) addressing mode can't be used, as we 1745 * don't have a constant offset, so we have to load the 1746 * value in question into the A register and add to it 1747 * the value from the X register. 1748 */ 1749 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 1750 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1751 sappend(s, s2); 1752 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1753 s2->s.k = 0xf; 1754 sappend(s, s2); 1755 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 1756 s2->s.k = 2; 1757 sappend(s, s2); 1758 1759 /* 1760 * The A register now contains the length of the IP header. 1761 * We need to add to it the variable part of the offset of 1762 * the link-layer payload, which is still in the X 1763 * register, and move the result into the X register. 1764 */ 1765 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 1766 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 1767 } else { 1768 /* 1769 * The offset of the link-layer payload is a constant, 1770 * so no code was generated to load the (non-existent) 1771 * variable part of that offset. 1772 * 1773 * This means we can use the 4*([k]&0xf) addressing 1774 * mode. Load the length of the IPv4 header, which 1775 * is at an offset of cstate->off_nl from the beginning of 1776 * the link-layer payload, and thus at an offset of 1777 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning 1778 * of the raw packet data, using that addressing mode. 1779 */ 1780 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 1781 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1782 } 1783 return s; 1784 } 1785 1786 static struct block * 1787 gen_uncond(compiler_state_t *cstate, int rsense) 1788 { 1789 struct block *b; 1790 struct slist *s; 1791 1792 s = new_stmt(cstate, BPF_LD|BPF_IMM); 1793 s->s.k = !rsense; 1794 b = new_block(cstate, JMP(BPF_JEQ)); 1795 b->stmts = s; 1796 1797 return b; 1798 } 1799 1800 static inline struct block * 1801 gen_true(compiler_state_t *cstate) 1802 { 1803 return gen_uncond(cstate, 1); 1804 } 1805 1806 static inline struct block * 1807 gen_false(compiler_state_t *cstate) 1808 { 1809 return gen_uncond(cstate, 0); 1810 } 1811 1812 /* 1813 * Byte-swap a 32-bit number. 1814 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1815 * big-endian platforms.) 1816 */ 1817 #define SWAPLONG(y) \ 1818 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1819 1820 /* 1821 * Generate code to match a particular packet type. 1822 * 1823 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1824 * value, if <= ETHERMTU. We use that to determine whether to 1825 * match the type/length field or to check the type/length field for 1826 * a value <= ETHERMTU to see whether it's a type field and then do 1827 * the appropriate test. 1828 */ 1829 static struct block * 1830 gen_ether_linktype(compiler_state_t *cstate, int proto) 1831 { 1832 struct block *b0, *b1; 1833 1834 switch (proto) { 1835 1836 case LLCSAP_ISONS: 1837 case LLCSAP_IP: 1838 case LLCSAP_NETBEUI: 1839 /* 1840 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1841 * so we check the DSAP and SSAP. 1842 * 1843 * LLCSAP_IP checks for IP-over-802.2, rather 1844 * than IP-over-Ethernet or IP-over-SNAP. 1845 * 1846 * XXX - should we check both the DSAP and the 1847 * SSAP, like this, or should we check just the 1848 * DSAP, as we do for other types <= ETHERMTU 1849 * (i.e., other SAP values)? 1850 */ 1851 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1852 gen_not(b0); 1853 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 1854 ((proto << 8) | proto)); 1855 gen_and(b0, b1); 1856 return b1; 1857 1858 case LLCSAP_IPX: 1859 /* 1860 * Check for; 1861 * 1862 * Ethernet_II frames, which are Ethernet 1863 * frames with a frame type of ETHERTYPE_IPX; 1864 * 1865 * Ethernet_802.3 frames, which are 802.3 1866 * frames (i.e., the type/length field is 1867 * a length field, <= ETHERMTU, rather than 1868 * a type field) with the first two bytes 1869 * after the Ethernet/802.3 header being 1870 * 0xFFFF; 1871 * 1872 * Ethernet_802.2 frames, which are 802.3 1873 * frames with an 802.2 LLC header and 1874 * with the IPX LSAP as the DSAP in the LLC 1875 * header; 1876 * 1877 * Ethernet_SNAP frames, which are 802.3 1878 * frames with an LLC header and a SNAP 1879 * header and with an OUI of 0x000000 1880 * (encapsulated Ethernet) and a protocol 1881 * ID of ETHERTYPE_IPX in the SNAP header. 1882 * 1883 * XXX - should we generate the same code both 1884 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1885 */ 1886 1887 /* 1888 * This generates code to check both for the 1889 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1890 */ 1891 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1892 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 1893 gen_or(b0, b1); 1894 1895 /* 1896 * Now we add code to check for SNAP frames with 1897 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1898 */ 1899 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 1900 gen_or(b0, b1); 1901 1902 /* 1903 * Now we generate code to check for 802.3 1904 * frames in general. 1905 */ 1906 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1907 gen_not(b0); 1908 1909 /* 1910 * Now add the check for 802.3 frames before the 1911 * check for Ethernet_802.2 and Ethernet_802.3, 1912 * as those checks should only be done on 802.3 1913 * frames, not on Ethernet frames. 1914 */ 1915 gen_and(b0, b1); 1916 1917 /* 1918 * Now add the check for Ethernet_II frames, and 1919 * do that before checking for the other frame 1920 * types. 1921 */ 1922 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 1923 gen_or(b0, b1); 1924 return b1; 1925 1926 case ETHERTYPE_ATALK: 1927 case ETHERTYPE_AARP: 1928 /* 1929 * EtherTalk (AppleTalk protocols on Ethernet link 1930 * layer) may use 802.2 encapsulation. 1931 */ 1932 1933 /* 1934 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1935 * we check for an Ethernet type field less than 1936 * 1500, which means it's an 802.3 length field. 1937 */ 1938 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1939 gen_not(b0); 1940 1941 /* 1942 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1943 * SNAP packets with an organization code of 1944 * 0x080007 (Apple, for Appletalk) and a protocol 1945 * type of ETHERTYPE_ATALK (Appletalk). 1946 * 1947 * 802.2-encapsulated ETHERTYPE_AARP packets are 1948 * SNAP packets with an organization code of 1949 * 0x000000 (encapsulated Ethernet) and a protocol 1950 * type of ETHERTYPE_AARP (Appletalk ARP). 1951 */ 1952 if (proto == ETHERTYPE_ATALK) 1953 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 1954 else /* proto == ETHERTYPE_AARP */ 1955 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 1956 gen_and(b0, b1); 1957 1958 /* 1959 * Check for Ethernet encapsulation (Ethertalk 1960 * phase 1?); we just check for the Ethernet 1961 * protocol type. 1962 */ 1963 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 1964 1965 gen_or(b0, b1); 1966 return b1; 1967 1968 default: 1969 if (proto <= ETHERMTU) { 1970 /* 1971 * This is an LLC SAP value, so the frames 1972 * that match would be 802.2 frames. 1973 * Check that the frame is an 802.2 frame 1974 * (i.e., that the length/type field is 1975 * a length field, <= ETHERMTU) and 1976 * then check the DSAP. 1977 */ 1978 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1979 gen_not(b0); 1980 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto); 1981 gen_and(b0, b1); 1982 return b1; 1983 } else { 1984 /* 1985 * This is an Ethernet type, so compare 1986 * the length/type field with it (if 1987 * the frame is an 802.2 frame, the length 1988 * field will be <= ETHERMTU, and, as 1989 * "proto" is > ETHERMTU, this test 1990 * will fail and the frame won't match, 1991 * which is what we want). 1992 */ 1993 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 1994 (bpf_int32)proto); 1995 } 1996 } 1997 } 1998 1999 static struct block * 2000 gen_loopback_linktype(compiler_state_t *cstate, int proto) 2001 { 2002 /* 2003 * For DLT_NULL, the link-layer header is a 32-bit word 2004 * containing an AF_ value in *host* byte order, and for 2005 * DLT_ENC, the link-layer header begins with a 32-bit 2006 * word containing an AF_ value in host byte order. 2007 * 2008 * In addition, if we're reading a saved capture file, 2009 * the host byte order in the capture may not be the 2010 * same as the host byte order on this machine. 2011 * 2012 * For DLT_LOOP, the link-layer header is a 32-bit 2013 * word containing an AF_ value in *network* byte order. 2014 */ 2015 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) { 2016 /* 2017 * The AF_ value is in host byte order, but the BPF 2018 * interpreter will convert it to network byte order. 2019 * 2020 * If this is a save file, and it's from a machine 2021 * with the opposite byte order to ours, we byte-swap 2022 * the AF_ value. 2023 * 2024 * Then we run it through "htonl()", and generate 2025 * code to compare against the result. 2026 */ 2027 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped) 2028 proto = SWAPLONG(proto); 2029 proto = htonl(proto); 2030 } 2031 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto)); 2032 } 2033 2034 /* 2035 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2036 * or IPv6 then we have an error. 2037 */ 2038 static struct block * 2039 gen_ipnet_linktype(compiler_state_t *cstate, int proto) 2040 { 2041 switch (proto) { 2042 2043 case ETHERTYPE_IP: 2044 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET); 2045 /* NOTREACHED */ 2046 2047 case ETHERTYPE_IPV6: 2048 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 2049 (bpf_int32)IPH_AF_INET6); 2050 /* NOTREACHED */ 2051 2052 default: 2053 break; 2054 } 2055 2056 return gen_false(cstate); 2057 } 2058 2059 /* 2060 * Generate code to match a particular packet type. 2061 * 2062 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2063 * value, if <= ETHERMTU. We use that to determine whether to 2064 * match the type field or to check the type field for the special 2065 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2066 */ 2067 static struct block * 2068 gen_linux_sll_linktype(compiler_state_t *cstate, int proto) 2069 { 2070 struct block *b0, *b1; 2071 2072 switch (proto) { 2073 2074 case LLCSAP_ISONS: 2075 case LLCSAP_IP: 2076 case LLCSAP_NETBEUI: 2077 /* 2078 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2079 * so we check the DSAP and SSAP. 2080 * 2081 * LLCSAP_IP checks for IP-over-802.2, rather 2082 * than IP-over-Ethernet or IP-over-SNAP. 2083 * 2084 * XXX - should we check both the DSAP and the 2085 * SSAP, like this, or should we check just the 2086 * DSAP, as we do for other types <= ETHERMTU 2087 * (i.e., other SAP values)? 2088 */ 2089 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2090 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 2091 ((proto << 8) | proto)); 2092 gen_and(b0, b1); 2093 return b1; 2094 2095 case LLCSAP_IPX: 2096 /* 2097 * Ethernet_II frames, which are Ethernet 2098 * frames with a frame type of ETHERTYPE_IPX; 2099 * 2100 * Ethernet_802.3 frames, which have a frame 2101 * type of LINUX_SLL_P_802_3; 2102 * 2103 * Ethernet_802.2 frames, which are 802.3 2104 * frames with an 802.2 LLC header (i.e, have 2105 * a frame type of LINUX_SLL_P_802_2) and 2106 * with the IPX LSAP as the DSAP in the LLC 2107 * header; 2108 * 2109 * Ethernet_SNAP frames, which are 802.3 2110 * frames with an LLC header and a SNAP 2111 * header and with an OUI of 0x000000 2112 * (encapsulated Ethernet) and a protocol 2113 * ID of ETHERTYPE_IPX in the SNAP header. 2114 * 2115 * First, do the checks on LINUX_SLL_P_802_2 2116 * frames; generate the check for either 2117 * Ethernet_802.2 or Ethernet_SNAP frames, and 2118 * then put a check for LINUX_SLL_P_802_2 frames 2119 * before it. 2120 */ 2121 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2122 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2123 gen_or(b0, b1); 2124 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2125 gen_and(b0, b1); 2126 2127 /* 2128 * Now check for 802.3 frames and OR that with 2129 * the previous test. 2130 */ 2131 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3); 2132 gen_or(b0, b1); 2133 2134 /* 2135 * Now add the check for Ethernet_II frames, and 2136 * do that before checking for the other frame 2137 * types. 2138 */ 2139 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 2140 gen_or(b0, b1); 2141 return b1; 2142 2143 case ETHERTYPE_ATALK: 2144 case ETHERTYPE_AARP: 2145 /* 2146 * EtherTalk (AppleTalk protocols on Ethernet link 2147 * layer) may use 802.2 encapsulation. 2148 */ 2149 2150 /* 2151 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2152 * we check for the 802.2 protocol type in the 2153 * "Ethernet type" field. 2154 */ 2155 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2156 2157 /* 2158 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2159 * SNAP packets with an organization code of 2160 * 0x080007 (Apple, for Appletalk) and a protocol 2161 * type of ETHERTYPE_ATALK (Appletalk). 2162 * 2163 * 802.2-encapsulated ETHERTYPE_AARP packets are 2164 * SNAP packets with an organization code of 2165 * 0x000000 (encapsulated Ethernet) and a protocol 2166 * type of ETHERTYPE_AARP (Appletalk ARP). 2167 */ 2168 if (proto == ETHERTYPE_ATALK) 2169 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2170 else /* proto == ETHERTYPE_AARP */ 2171 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2172 gen_and(b0, b1); 2173 2174 /* 2175 * Check for Ethernet encapsulation (Ethertalk 2176 * phase 1?); we just check for the Ethernet 2177 * protocol type. 2178 */ 2179 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2180 2181 gen_or(b0, b1); 2182 return b1; 2183 2184 default: 2185 if (proto <= ETHERMTU) { 2186 /* 2187 * This is an LLC SAP value, so the frames 2188 * that match would be 802.2 frames. 2189 * Check for the 802.2 protocol type 2190 * in the "Ethernet type" field, and 2191 * then check the DSAP. 2192 */ 2193 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2194 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B, 2195 (bpf_int32)proto); 2196 gen_and(b0, b1); 2197 return b1; 2198 } else { 2199 /* 2200 * This is an Ethernet type, so compare 2201 * the length/type field with it (if 2202 * the frame is an 802.2 frame, the length 2203 * field will be <= ETHERMTU, and, as 2204 * "proto" is > ETHERMTU, this test 2205 * will fail and the frame won't match, 2206 * which is what we want). 2207 */ 2208 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2209 } 2210 } 2211 } 2212 2213 static struct slist * 2214 gen_load_prism_llprefixlen(compiler_state_t *cstate) 2215 { 2216 struct slist *s1, *s2; 2217 struct slist *sjeq_avs_cookie; 2218 struct slist *sjcommon; 2219 2220 /* 2221 * This code is not compatible with the optimizer, as 2222 * we are generating jmp instructions within a normal 2223 * slist of instructions 2224 */ 2225 cstate->no_optimize = 1; 2226 2227 /* 2228 * Generate code to load the length of the radio header into 2229 * the register assigned to hold that length, if one has been 2230 * assigned. (If one hasn't been assigned, no code we've 2231 * generated uses that prefix, so we don't need to generate any 2232 * code to load it.) 2233 * 2234 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2235 * or always use the AVS header rather than the Prism header. 2236 * We load a 4-byte big-endian value at the beginning of the 2237 * raw packet data, and see whether, when masked with 0xFFFFF000, 2238 * it's equal to 0x80211000. If so, that indicates that it's 2239 * an AVS header (the masked-out bits are the version number). 2240 * Otherwise, it's a Prism header. 2241 * 2242 * XXX - the Prism header is also, in theory, variable-length, 2243 * but no known software generates headers that aren't 144 2244 * bytes long. 2245 */ 2246 if (cstate->off_linkhdr.reg != -1) { 2247 /* 2248 * Load the cookie. 2249 */ 2250 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2251 s1->s.k = 0; 2252 2253 /* 2254 * AND it with 0xFFFFF000. 2255 */ 2256 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 2257 s2->s.k = 0xFFFFF000; 2258 sappend(s1, s2); 2259 2260 /* 2261 * Compare with 0x80211000. 2262 */ 2263 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ)); 2264 sjeq_avs_cookie->s.k = 0x80211000; 2265 sappend(s1, sjeq_avs_cookie); 2266 2267 /* 2268 * If it's AVS: 2269 * 2270 * The 4 bytes at an offset of 4 from the beginning of 2271 * the AVS header are the length of the AVS header. 2272 * That field is big-endian. 2273 */ 2274 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2275 s2->s.k = 4; 2276 sappend(s1, s2); 2277 sjeq_avs_cookie->s.jt = s2; 2278 2279 /* 2280 * Now jump to the code to allocate a register 2281 * into which to save the header length and 2282 * store the length there. (The "jump always" 2283 * instruction needs to have the k field set; 2284 * it's added to the PC, so, as we're jumping 2285 * over a single instruction, it should be 1.) 2286 */ 2287 sjcommon = new_stmt(cstate, JMP(BPF_JA)); 2288 sjcommon->s.k = 1; 2289 sappend(s1, sjcommon); 2290 2291 /* 2292 * Now for the code that handles the Prism header. 2293 * Just load the length of the Prism header (144) 2294 * into the A register. Have the test for an AVS 2295 * header branch here if we don't have an AVS header. 2296 */ 2297 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2298 s2->s.k = 144; 2299 sappend(s1, s2); 2300 sjeq_avs_cookie->s.jf = s2; 2301 2302 /* 2303 * Now allocate a register to hold that value and store 2304 * it. The code for the AVS header will jump here after 2305 * loading the length of the AVS header. 2306 */ 2307 s2 = new_stmt(cstate, BPF_ST); 2308 s2->s.k = cstate->off_linkhdr.reg; 2309 sappend(s1, s2); 2310 sjcommon->s.jf = s2; 2311 2312 /* 2313 * Now move it into the X register. 2314 */ 2315 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2316 sappend(s1, s2); 2317 2318 return (s1); 2319 } else 2320 return (NULL); 2321 } 2322 2323 static struct slist * 2324 gen_load_avs_llprefixlen(compiler_state_t *cstate) 2325 { 2326 struct slist *s1, *s2; 2327 2328 /* 2329 * Generate code to load the length of the AVS header into 2330 * the register assigned to hold that length, if one has been 2331 * assigned. (If one hasn't been assigned, no code we've 2332 * generated uses that prefix, so we don't need to generate any 2333 * code to load it.) 2334 */ 2335 if (cstate->off_linkhdr.reg != -1) { 2336 /* 2337 * The 4 bytes at an offset of 4 from the beginning of 2338 * the AVS header are the length of the AVS header. 2339 * That field is big-endian. 2340 */ 2341 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2342 s1->s.k = 4; 2343 2344 /* 2345 * Now allocate a register to hold that value and store 2346 * it. 2347 */ 2348 s2 = new_stmt(cstate, BPF_ST); 2349 s2->s.k = cstate->off_linkhdr.reg; 2350 sappend(s1, s2); 2351 2352 /* 2353 * Now move it into the X register. 2354 */ 2355 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2356 sappend(s1, s2); 2357 2358 return (s1); 2359 } else 2360 return (NULL); 2361 } 2362 2363 static struct slist * 2364 gen_load_radiotap_llprefixlen(compiler_state_t *cstate) 2365 { 2366 struct slist *s1, *s2; 2367 2368 /* 2369 * Generate code to load the length of the radiotap header into 2370 * the register assigned to hold that length, if one has been 2371 * assigned. (If one hasn't been assigned, no code we've 2372 * generated uses that prefix, so we don't need to generate any 2373 * code to load it.) 2374 */ 2375 if (cstate->off_linkhdr.reg != -1) { 2376 /* 2377 * The 2 bytes at offsets of 2 and 3 from the beginning 2378 * of the radiotap header are the length of the radiotap 2379 * header; unfortunately, it's little-endian, so we have 2380 * to load it a byte at a time and construct the value. 2381 */ 2382 2383 /* 2384 * Load the high-order byte, at an offset of 3, shift it 2385 * left a byte, and put the result in the X register. 2386 */ 2387 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2388 s1->s.k = 3; 2389 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2390 sappend(s1, s2); 2391 s2->s.k = 8; 2392 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2393 sappend(s1, s2); 2394 2395 /* 2396 * Load the next byte, at an offset of 2, and OR the 2397 * value from the X register into it. 2398 */ 2399 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2400 sappend(s1, s2); 2401 s2->s.k = 2; 2402 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2403 sappend(s1, s2); 2404 2405 /* 2406 * Now allocate a register to hold that value and store 2407 * it. 2408 */ 2409 s2 = new_stmt(cstate, BPF_ST); 2410 s2->s.k = cstate->off_linkhdr.reg; 2411 sappend(s1, s2); 2412 2413 /* 2414 * Now move it into the X register. 2415 */ 2416 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2417 sappend(s1, s2); 2418 2419 return (s1); 2420 } else 2421 return (NULL); 2422 } 2423 2424 /* 2425 * At the moment we treat PPI as normal Radiotap encoded 2426 * packets. The difference is in the function that generates 2427 * the code at the beginning to compute the header length. 2428 * Since this code generator of PPI supports bare 802.11 2429 * encapsulation only (i.e. the encapsulated DLT should be 2430 * DLT_IEEE802_11) we generate code to check for this too; 2431 * that's done in finish_parse(). 2432 */ 2433 static struct slist * 2434 gen_load_ppi_llprefixlen(compiler_state_t *cstate) 2435 { 2436 struct slist *s1, *s2; 2437 2438 /* 2439 * Generate code to load the length of the radiotap header 2440 * into the register assigned to hold that length, if one has 2441 * been assigned. 2442 */ 2443 if (cstate->off_linkhdr.reg != -1) { 2444 /* 2445 * The 2 bytes at offsets of 2 and 3 from the beginning 2446 * of the radiotap header are the length of the radiotap 2447 * header; unfortunately, it's little-endian, so we have 2448 * to load it a byte at a time and construct the value. 2449 */ 2450 2451 /* 2452 * Load the high-order byte, at an offset of 3, shift it 2453 * left a byte, and put the result in the X register. 2454 */ 2455 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2456 s1->s.k = 3; 2457 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2458 sappend(s1, s2); 2459 s2->s.k = 8; 2460 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2461 sappend(s1, s2); 2462 2463 /* 2464 * Load the next byte, at an offset of 2, and OR the 2465 * value from the X register into it. 2466 */ 2467 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2468 sappend(s1, s2); 2469 s2->s.k = 2; 2470 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2471 sappend(s1, s2); 2472 2473 /* 2474 * Now allocate a register to hold that value and store 2475 * it. 2476 */ 2477 s2 = new_stmt(cstate, BPF_ST); 2478 s2->s.k = cstate->off_linkhdr.reg; 2479 sappend(s1, s2); 2480 2481 /* 2482 * Now move it into the X register. 2483 */ 2484 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2485 sappend(s1, s2); 2486 2487 return (s1); 2488 } else 2489 return (NULL); 2490 } 2491 2492 /* 2493 * Load a value relative to the beginning of the link-layer header after the 802.11 2494 * header, i.e. LLC_SNAP. 2495 * The link-layer header doesn't necessarily begin at the beginning 2496 * of the packet data; there might be a variable-length prefix containing 2497 * radio information. 2498 */ 2499 static struct slist * 2500 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext) 2501 { 2502 struct slist *s2; 2503 struct slist *sjset_data_frame_1; 2504 struct slist *sjset_data_frame_2; 2505 struct slist *sjset_qos; 2506 struct slist *sjset_radiotap_flags_present; 2507 struct slist *sjset_radiotap_ext_present; 2508 struct slist *sjset_radiotap_tsft_present; 2509 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2510 struct slist *s_roundup; 2511 2512 if (cstate->off_linkpl.reg == -1) { 2513 /* 2514 * No register has been assigned to the offset of 2515 * the link-layer payload, which means nobody needs 2516 * it; don't bother computing it - just return 2517 * what we already have. 2518 */ 2519 return (s); 2520 } 2521 2522 /* 2523 * This code is not compatible with the optimizer, as 2524 * we are generating jmp instructions within a normal 2525 * slist of instructions 2526 */ 2527 cstate->no_optimize = 1; 2528 2529 /* 2530 * If "s" is non-null, it has code to arrange that the X register 2531 * contains the length of the prefix preceding the link-layer 2532 * header. 2533 * 2534 * Otherwise, the length of the prefix preceding the link-layer 2535 * header is "off_outermostlinkhdr.constant_part". 2536 */ 2537 if (s == NULL) { 2538 /* 2539 * There is no variable-length header preceding the 2540 * link-layer header. 2541 * 2542 * Load the length of the fixed-length prefix preceding 2543 * the link-layer header (if any) into the X register, 2544 * and store it in the cstate->off_linkpl.reg register. 2545 * That length is off_outermostlinkhdr.constant_part. 2546 */ 2547 s = new_stmt(cstate, BPF_LDX|BPF_IMM); 2548 s->s.k = cstate->off_outermostlinkhdr.constant_part; 2549 } 2550 2551 /* 2552 * The X register contains the offset of the beginning of the 2553 * link-layer header; add 24, which is the minimum length 2554 * of the MAC header for a data frame, to that, and store it 2555 * in cstate->off_linkpl.reg, and then load the Frame Control field, 2556 * which is at the offset in the X register, with an indexed load. 2557 */ 2558 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA); 2559 sappend(s, s2); 2560 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 2561 s2->s.k = 24; 2562 sappend(s, s2); 2563 s2 = new_stmt(cstate, BPF_ST); 2564 s2->s.k = cstate->off_linkpl.reg; 2565 sappend(s, s2); 2566 2567 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 2568 s2->s.k = 0; 2569 sappend(s, s2); 2570 2571 /* 2572 * Check the Frame Control field to see if this is a data frame; 2573 * a data frame has the 0x08 bit (b3) in that field set and the 2574 * 0x04 bit (b2) clear. 2575 */ 2576 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET)); 2577 sjset_data_frame_1->s.k = 0x08; 2578 sappend(s, sjset_data_frame_1); 2579 2580 /* 2581 * If b3 is set, test b2, otherwise go to the first statement of 2582 * the rest of the program. 2583 */ 2584 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET)); 2585 sjset_data_frame_2->s.k = 0x04; 2586 sappend(s, sjset_data_frame_2); 2587 sjset_data_frame_1->s.jf = snext; 2588 2589 /* 2590 * If b2 is not set, this is a data frame; test the QoS bit. 2591 * Otherwise, go to the first statement of the rest of the 2592 * program. 2593 */ 2594 sjset_data_frame_2->s.jt = snext; 2595 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET)); 2596 sjset_qos->s.k = 0x80; /* QoS bit */ 2597 sappend(s, sjset_qos); 2598 2599 /* 2600 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS 2601 * field. 2602 * Otherwise, go to the first statement of the rest of the 2603 * program. 2604 */ 2605 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 2606 s2->s.k = cstate->off_linkpl.reg; 2607 sappend(s, s2); 2608 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2609 s2->s.k = 2; 2610 sappend(s, s2); 2611 s2 = new_stmt(cstate, BPF_ST); 2612 s2->s.k = cstate->off_linkpl.reg; 2613 sappend(s, s2); 2614 2615 /* 2616 * If we have a radiotap header, look at it to see whether 2617 * there's Atheros padding between the MAC-layer header 2618 * and the payload. 2619 * 2620 * Note: all of the fields in the radiotap header are 2621 * little-endian, so we byte-swap all of the values 2622 * we test against, as they will be loaded as big-endian 2623 * values. 2624 * 2625 * XXX - in the general case, we would have to scan through 2626 * *all* the presence bits, if there's more than one word of 2627 * presence bits. That would require a loop, meaning that 2628 * we wouldn't be able to run the filter in the kernel. 2629 * 2630 * We assume here that the Atheros adapters that insert the 2631 * annoying padding don't have multiple antennae and therefore 2632 * do not generate radiotap headers with multiple presence words. 2633 */ 2634 if (cstate->linktype == DLT_IEEE802_11_RADIO) { 2635 /* 2636 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2637 * in the first presence flag word? 2638 */ 2639 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W); 2640 s2->s.k = 4; 2641 sappend(s, s2); 2642 2643 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET)); 2644 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002); 2645 sappend(s, sjset_radiotap_flags_present); 2646 2647 /* 2648 * If not, skip all of this. 2649 */ 2650 sjset_radiotap_flags_present->s.jf = snext; 2651 2652 /* 2653 * Otherwise, is the "extension" bit set in that word? 2654 */ 2655 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET)); 2656 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000); 2657 sappend(s, sjset_radiotap_ext_present); 2658 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present; 2659 2660 /* 2661 * If so, skip all of this. 2662 */ 2663 sjset_radiotap_ext_present->s.jt = snext; 2664 2665 /* 2666 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2667 */ 2668 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET)); 2669 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001); 2670 sappend(s, sjset_radiotap_tsft_present); 2671 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present; 2672 2673 /* 2674 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2675 * at an offset of 16 from the beginning of the raw packet 2676 * data (8 bytes for the radiotap header and 8 bytes for 2677 * the TSFT field). 2678 * 2679 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2680 * is set. 2681 */ 2682 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2683 s2->s.k = 16; 2684 sappend(s, s2); 2685 sjset_radiotap_tsft_present->s.jt = s2; 2686 2687 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2688 sjset_tsft_datapad->s.k = 0x20; 2689 sappend(s, sjset_tsft_datapad); 2690 2691 /* 2692 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2693 * at an offset of 8 from the beginning of the raw packet 2694 * data (8 bytes for the radiotap header). 2695 * 2696 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2697 * is set. 2698 */ 2699 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2700 s2->s.k = 8; 2701 sappend(s, s2); 2702 sjset_radiotap_tsft_present->s.jf = s2; 2703 2704 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2705 sjset_notsft_datapad->s.k = 0x20; 2706 sappend(s, sjset_notsft_datapad); 2707 2708 /* 2709 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2710 * set, round the length of the 802.11 header to 2711 * a multiple of 4. Do that by adding 3 and then 2712 * dividing by and multiplying by 4, which we do by 2713 * ANDing with ~3. 2714 */ 2715 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM); 2716 s_roundup->s.k = cstate->off_linkpl.reg; 2717 sappend(s, s_roundup); 2718 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2719 s2->s.k = 3; 2720 sappend(s, s2); 2721 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM); 2722 s2->s.k = ~3; 2723 sappend(s, s2); 2724 s2 = new_stmt(cstate, BPF_ST); 2725 s2->s.k = cstate->off_linkpl.reg; 2726 sappend(s, s2); 2727 2728 sjset_tsft_datapad->s.jt = s_roundup; 2729 sjset_tsft_datapad->s.jf = snext; 2730 sjset_notsft_datapad->s.jt = s_roundup; 2731 sjset_notsft_datapad->s.jf = snext; 2732 } else 2733 sjset_qos->s.jf = snext; 2734 2735 return s; 2736 } 2737 2738 static void 2739 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b) 2740 { 2741 struct slist *s; 2742 2743 /* There is an implicit dependency between the link 2744 * payload and link header since the payload computation 2745 * includes the variable part of the header. Therefore, 2746 * if nobody else has allocated a register for the link 2747 * header and we need it, do it now. */ 2748 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable && 2749 cstate->off_linkhdr.reg == -1) 2750 cstate->off_linkhdr.reg = alloc_reg(cstate); 2751 2752 /* 2753 * For link-layer types that have a variable-length header 2754 * preceding the link-layer header, generate code to load 2755 * the offset of the link-layer header into the register 2756 * assigned to that offset, if any. 2757 * 2758 * XXX - this, and the next switch statement, won't handle 2759 * encapsulation of 802.11 or 802.11+radio information in 2760 * some other protocol stack. That's significantly more 2761 * complicated. 2762 */ 2763 switch (cstate->outermostlinktype) { 2764 2765 case DLT_PRISM_HEADER: 2766 s = gen_load_prism_llprefixlen(cstate); 2767 break; 2768 2769 case DLT_IEEE802_11_RADIO_AVS: 2770 s = gen_load_avs_llprefixlen(cstate); 2771 break; 2772 2773 case DLT_IEEE802_11_RADIO: 2774 s = gen_load_radiotap_llprefixlen(cstate); 2775 break; 2776 2777 case DLT_PPI: 2778 s = gen_load_ppi_llprefixlen(cstate); 2779 break; 2780 2781 default: 2782 s = NULL; 2783 break; 2784 } 2785 2786 /* 2787 * For link-layer types that have a variable-length link-layer 2788 * header, generate code to load the offset of the link-layer 2789 * payload into the register assigned to that offset, if any. 2790 */ 2791 switch (cstate->outermostlinktype) { 2792 2793 case DLT_IEEE802_11: 2794 case DLT_PRISM_HEADER: 2795 case DLT_IEEE802_11_RADIO_AVS: 2796 case DLT_IEEE802_11_RADIO: 2797 case DLT_PPI: 2798 s = gen_load_802_11_header_len(cstate, s, b->stmts); 2799 break; 2800 } 2801 2802 /* 2803 * If we have any offset-loading code, append all the 2804 * existing statements in the block to those statements, 2805 * and make the resulting list the list of statements 2806 * for the block. 2807 */ 2808 if (s != NULL) { 2809 sappend(s, b->stmts); 2810 b->stmts = s; 2811 } 2812 } 2813 2814 static struct block * 2815 gen_ppi_dlt_check(compiler_state_t *cstate) 2816 { 2817 struct slist *s_load_dlt; 2818 struct block *b; 2819 2820 if (cstate->linktype == DLT_PPI) 2821 { 2822 /* Create the statements that check for the DLT 2823 */ 2824 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2825 s_load_dlt->s.k = 4; 2826 2827 b = new_block(cstate, JMP(BPF_JEQ)); 2828 2829 b->stmts = s_load_dlt; 2830 b->s.k = SWAPLONG(DLT_IEEE802_11); 2831 } 2832 else 2833 { 2834 b = NULL; 2835 } 2836 2837 return b; 2838 } 2839 2840 /* 2841 * Take an absolute offset, and: 2842 * 2843 * if it has no variable part, return NULL; 2844 * 2845 * if it has a variable part, generate code to load the register 2846 * containing that variable part into the X register, returning 2847 * a pointer to that code - if no register for that offset has 2848 * been allocated, allocate it first. 2849 * 2850 * (The code to set that register will be generated later, but will 2851 * be placed earlier in the code sequence.) 2852 */ 2853 static struct slist * 2854 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off) 2855 { 2856 struct slist *s; 2857 2858 if (off->is_variable) { 2859 if (off->reg == -1) { 2860 /* 2861 * We haven't yet assigned a register for the 2862 * variable part of the offset of the link-layer 2863 * header; allocate one. 2864 */ 2865 off->reg = alloc_reg(cstate); 2866 } 2867 2868 /* 2869 * Load the register containing the variable part of the 2870 * offset of the link-layer header into the X register. 2871 */ 2872 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 2873 s->s.k = off->reg; 2874 return s; 2875 } else { 2876 /* 2877 * That offset isn't variable, there's no variable part, 2878 * so we don't need to generate any code. 2879 */ 2880 return NULL; 2881 } 2882 } 2883 2884 /* 2885 * Map an Ethernet type to the equivalent PPP type. 2886 */ 2887 static int 2888 ethertype_to_ppptype(proto) 2889 int proto; 2890 { 2891 switch (proto) { 2892 2893 case ETHERTYPE_IP: 2894 proto = PPP_IP; 2895 break; 2896 2897 case ETHERTYPE_IPV6: 2898 proto = PPP_IPV6; 2899 break; 2900 2901 case ETHERTYPE_DN: 2902 proto = PPP_DECNET; 2903 break; 2904 2905 case ETHERTYPE_ATALK: 2906 proto = PPP_APPLE; 2907 break; 2908 2909 case ETHERTYPE_NS: 2910 proto = PPP_NS; 2911 break; 2912 2913 case LLCSAP_ISONS: 2914 proto = PPP_OSI; 2915 break; 2916 2917 case LLCSAP_8021D: 2918 /* 2919 * I'm assuming the "Bridging PDU"s that go 2920 * over PPP are Spanning Tree Protocol 2921 * Bridging PDUs. 2922 */ 2923 proto = PPP_BRPDU; 2924 break; 2925 2926 case LLCSAP_IPX: 2927 proto = PPP_IPX; 2928 break; 2929 } 2930 return (proto); 2931 } 2932 2933 /* 2934 * Generate any tests that, for encapsulation of a link-layer packet 2935 * inside another protocol stack, need to be done to check for those 2936 * link-layer packets (and that haven't already been done by a check 2937 * for that encapsulation). 2938 */ 2939 static struct block * 2940 gen_prevlinkhdr_check(compiler_state_t *cstate) 2941 { 2942 struct block *b0; 2943 2944 if (cstate->is_geneve) 2945 return gen_geneve_ll_check(cstate); 2946 2947 switch (cstate->prevlinktype) { 2948 2949 case DLT_SUNATM: 2950 /* 2951 * This is LANE-encapsulated Ethernet; check that the LANE 2952 * packet doesn't begin with an LE Control marker, i.e. 2953 * that it's data, not a control message. 2954 * 2955 * (We've already generated a test for LANE.) 2956 */ 2957 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 2958 gen_not(b0); 2959 return b0; 2960 2961 default: 2962 /* 2963 * No such tests are necessary. 2964 */ 2965 return NULL; 2966 } 2967 /*NOTREACHED*/ 2968 } 2969 2970 /* 2971 * The three different values we should check for when checking for an 2972 * IPv6 packet with DLT_NULL. 2973 */ 2974 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */ 2975 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */ 2976 #define BSD_AFNUM_INET6_DARWIN 30 /* OS X, iOS, other Darwin-based OSes */ 2977 2978 /* 2979 * Generate code to match a particular packet type by matching the 2980 * link-layer type field or fields in the 802.2 LLC header. 2981 * 2982 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2983 * value, if <= ETHERMTU. 2984 */ 2985 static struct block * 2986 gen_linktype(compiler_state_t *cstate, int proto) 2987 { 2988 struct block *b0, *b1, *b2; 2989 const char *description; 2990 2991 /* are we checking MPLS-encapsulated packets? */ 2992 if (cstate->label_stack_depth > 0) { 2993 switch (proto) { 2994 case ETHERTYPE_IP: 2995 case PPP_IP: 2996 /* FIXME add other L3 proto IDs */ 2997 return gen_mpls_linktype(cstate, Q_IP); 2998 2999 case ETHERTYPE_IPV6: 3000 case PPP_IPV6: 3001 /* FIXME add other L3 proto IDs */ 3002 return gen_mpls_linktype(cstate, Q_IPV6); 3003 3004 default: 3005 bpf_error(cstate, "unsupported protocol over mpls"); 3006 /* NOTREACHED */ 3007 } 3008 } 3009 3010 switch (cstate->linktype) { 3011 3012 case DLT_EN10MB: 3013 case DLT_NETANALYZER: 3014 case DLT_NETANALYZER_TRANSPARENT: 3015 /* Geneve has an EtherType regardless of whether there is an 3016 * L2 header. */ 3017 if (!cstate->is_geneve) 3018 b0 = gen_prevlinkhdr_check(cstate); 3019 else 3020 b0 = NULL; 3021 3022 b1 = gen_ether_linktype(cstate, proto); 3023 if (b0 != NULL) 3024 gen_and(b0, b1); 3025 return b1; 3026 /*NOTREACHED*/ 3027 break; 3028 3029 case DLT_C_HDLC: 3030 switch (proto) { 3031 3032 case LLCSAP_ISONS: 3033 proto = (proto << 8 | LLCSAP_ISONS); 3034 /* fall through */ 3035 3036 default: 3037 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3038 /*NOTREACHED*/ 3039 break; 3040 } 3041 break; 3042 3043 case DLT_IEEE802_11: 3044 case DLT_PRISM_HEADER: 3045 case DLT_IEEE802_11_RADIO_AVS: 3046 case DLT_IEEE802_11_RADIO: 3047 case DLT_PPI: 3048 /* 3049 * Check that we have a data frame. 3050 */ 3051 b0 = gen_check_802_11_data_frame(cstate); 3052 3053 /* 3054 * Now check for the specified link-layer type. 3055 */ 3056 b1 = gen_llc_linktype(cstate, proto); 3057 gen_and(b0, b1); 3058 return b1; 3059 /*NOTREACHED*/ 3060 break; 3061 3062 case DLT_FDDI: 3063 /* 3064 * XXX - check for LLC frames. 3065 */ 3066 return gen_llc_linktype(cstate, proto); 3067 /*NOTREACHED*/ 3068 break; 3069 3070 case DLT_IEEE802: 3071 /* 3072 * XXX - check for LLC PDUs, as per IEEE 802.5. 3073 */ 3074 return gen_llc_linktype(cstate, proto); 3075 /*NOTREACHED*/ 3076 break; 3077 3078 case DLT_ATM_RFC1483: 3079 case DLT_ATM_CLIP: 3080 case DLT_IP_OVER_FC: 3081 return gen_llc_linktype(cstate, proto); 3082 /*NOTREACHED*/ 3083 break; 3084 3085 case DLT_SUNATM: 3086 /* 3087 * Check for an LLC-encapsulated version of this protocol; 3088 * if we were checking for LANE, linktype would no longer 3089 * be DLT_SUNATM. 3090 * 3091 * Check for LLC encapsulation and then check the protocol. 3092 */ 3093 b0 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3094 b1 = gen_llc_linktype(cstate, proto); 3095 gen_and(b0, b1); 3096 return b1; 3097 /*NOTREACHED*/ 3098 break; 3099 3100 case DLT_LINUX_SLL: 3101 return gen_linux_sll_linktype(cstate, proto); 3102 /*NOTREACHED*/ 3103 break; 3104 3105 case DLT_SLIP: 3106 case DLT_SLIP_BSDOS: 3107 case DLT_RAW: 3108 /* 3109 * These types don't provide any type field; packets 3110 * are always IPv4 or IPv6. 3111 * 3112 * XXX - for IPv4, check for a version number of 4, and, 3113 * for IPv6, check for a version number of 6? 3114 */ 3115 switch (proto) { 3116 3117 case ETHERTYPE_IP: 3118 /* Check for a version number of 4. */ 3119 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0); 3120 3121 case ETHERTYPE_IPV6: 3122 /* Check for a version number of 6. */ 3123 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0); 3124 3125 default: 3126 return gen_false(cstate); /* always false */ 3127 } 3128 /*NOTREACHED*/ 3129 break; 3130 3131 case DLT_IPV4: 3132 /* 3133 * Raw IPv4, so no type field. 3134 */ 3135 if (proto == ETHERTYPE_IP) 3136 return gen_true(cstate); /* always true */ 3137 3138 /* Checking for something other than IPv4; always false */ 3139 return gen_false(cstate); 3140 /*NOTREACHED*/ 3141 break; 3142 3143 case DLT_IPV6: 3144 /* 3145 * Raw IPv6, so no type field. 3146 */ 3147 if (proto == ETHERTYPE_IPV6) 3148 return gen_true(cstate); /* always true */ 3149 3150 /* Checking for something other than IPv6; always false */ 3151 return gen_false(cstate); 3152 /*NOTREACHED*/ 3153 break; 3154 3155 case DLT_PPP: 3156 case DLT_PPP_PPPD: 3157 case DLT_PPP_SERIAL: 3158 case DLT_PPP_ETHER: 3159 /* 3160 * We use Ethernet protocol types inside libpcap; 3161 * map them to the corresponding PPP protocol types. 3162 */ 3163 proto = ethertype_to_ppptype(proto); 3164 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3165 /*NOTREACHED*/ 3166 break; 3167 3168 case DLT_PPP_BSDOS: 3169 /* 3170 * We use Ethernet protocol types inside libpcap; 3171 * map them to the corresponding PPP protocol types. 3172 */ 3173 switch (proto) { 3174 3175 case ETHERTYPE_IP: 3176 /* 3177 * Also check for Van Jacobson-compressed IP. 3178 * XXX - do this for other forms of PPP? 3179 */ 3180 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP); 3181 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC); 3182 gen_or(b0, b1); 3183 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC); 3184 gen_or(b1, b0); 3185 return b0; 3186 3187 default: 3188 proto = ethertype_to_ppptype(proto); 3189 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 3190 (bpf_int32)proto); 3191 } 3192 /*NOTREACHED*/ 3193 break; 3194 3195 case DLT_NULL: 3196 case DLT_LOOP: 3197 case DLT_ENC: 3198 switch (proto) { 3199 3200 case ETHERTYPE_IP: 3201 return (gen_loopback_linktype(cstate, AF_INET)); 3202 3203 case ETHERTYPE_IPV6: 3204 /* 3205 * AF_ values may, unfortunately, be platform- 3206 * dependent; AF_INET isn't, because everybody 3207 * used 4.2BSD's value, but AF_INET6 is, because 3208 * 4.2BSD didn't have a value for it (given that 3209 * IPv6 didn't exist back in the early 1980's), 3210 * and they all picked their own values. 3211 * 3212 * This means that, if we're reading from a 3213 * savefile, we need to check for all the 3214 * possible values. 3215 * 3216 * If we're doing a live capture, we only need 3217 * to check for this platform's value; however, 3218 * Npcap uses 24, which isn't Windows's AF_INET6 3219 * value. (Given the multiple different values, 3220 * programs that read pcap files shouldn't be 3221 * checking for their platform's AF_INET6 value 3222 * anyway, they should check for all of the 3223 * possible values. and they might as well do 3224 * that even for live captures.) 3225 */ 3226 if (cstate->bpf_pcap->rfile != NULL) { 3227 /* 3228 * Savefile - check for all three 3229 * possible IPv6 values. 3230 */ 3231 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD); 3232 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD); 3233 gen_or(b0, b1); 3234 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN); 3235 gen_or(b0, b1); 3236 return (b1); 3237 } else { 3238 /* 3239 * Live capture, so we only need to 3240 * check for the value used on this 3241 * platform. 3242 */ 3243 #ifdef _WIN32 3244 /* 3245 * Npcap doesn't use Windows's AF_INET6, 3246 * as that collides with AF_IPX on 3247 * some BSDs (both have the value 23). 3248 * Instead, it uses 24. 3249 */ 3250 return (gen_loopback_linktype(cstate, 24)); 3251 #else /* _WIN32 */ 3252 #ifdef AF_INET6 3253 return (gen_loopback_linktype(cstate, AF_INET6)); 3254 #else /* AF_INET6 */ 3255 /* 3256 * I guess this platform doesn't support 3257 * IPv6, so we just reject all packets. 3258 */ 3259 return gen_false(cstate); 3260 #endif /* AF_INET6 */ 3261 #endif /* _WIN32 */ 3262 } 3263 3264 default: 3265 /* 3266 * Not a type on which we support filtering. 3267 * XXX - support those that have AF_ values 3268 * #defined on this platform, at least? 3269 */ 3270 return gen_false(cstate); 3271 } 3272 3273 #ifdef HAVE_NET_PFVAR_H 3274 case DLT_PFLOG: 3275 /* 3276 * af field is host byte order in contrast to the rest of 3277 * the packet. 3278 */ 3279 if (proto == ETHERTYPE_IP) 3280 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3281 BPF_B, (bpf_int32)AF_INET)); 3282 else if (proto == ETHERTYPE_IPV6) 3283 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3284 BPF_B, (bpf_int32)AF_INET6)); 3285 else 3286 return gen_false(cstate); 3287 /*NOTREACHED*/ 3288 break; 3289 #endif /* HAVE_NET_PFVAR_H */ 3290 3291 case DLT_ARCNET: 3292 case DLT_ARCNET_LINUX: 3293 /* 3294 * XXX should we check for first fragment if the protocol 3295 * uses PHDS? 3296 */ 3297 switch (proto) { 3298 3299 default: 3300 return gen_false(cstate); 3301 3302 case ETHERTYPE_IPV6: 3303 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3304 (bpf_int32)ARCTYPE_INET6)); 3305 3306 case ETHERTYPE_IP: 3307 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3308 (bpf_int32)ARCTYPE_IP); 3309 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3310 (bpf_int32)ARCTYPE_IP_OLD); 3311 gen_or(b0, b1); 3312 return (b1); 3313 3314 case ETHERTYPE_ARP: 3315 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3316 (bpf_int32)ARCTYPE_ARP); 3317 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3318 (bpf_int32)ARCTYPE_ARP_OLD); 3319 gen_or(b0, b1); 3320 return (b1); 3321 3322 case ETHERTYPE_REVARP: 3323 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3324 (bpf_int32)ARCTYPE_REVARP)); 3325 3326 case ETHERTYPE_ATALK: 3327 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3328 (bpf_int32)ARCTYPE_ATALK)); 3329 } 3330 /*NOTREACHED*/ 3331 break; 3332 3333 case DLT_LTALK: 3334 switch (proto) { 3335 case ETHERTYPE_ATALK: 3336 return gen_true(cstate); 3337 default: 3338 return gen_false(cstate); 3339 } 3340 /*NOTREACHED*/ 3341 break; 3342 3343 case DLT_FRELAY: 3344 /* 3345 * XXX - assumes a 2-byte Frame Relay header with 3346 * DLCI and flags. What if the address is longer? 3347 */ 3348 switch (proto) { 3349 3350 case ETHERTYPE_IP: 3351 /* 3352 * Check for the special NLPID for IP. 3353 */ 3354 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc); 3355 3356 case ETHERTYPE_IPV6: 3357 /* 3358 * Check for the special NLPID for IPv6. 3359 */ 3360 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e); 3361 3362 case LLCSAP_ISONS: 3363 /* 3364 * Check for several OSI protocols. 3365 * 3366 * Frame Relay packets typically have an OSI 3367 * NLPID at the beginning; we check for each 3368 * of them. 3369 * 3370 * What we check for is the NLPID and a frame 3371 * control field of UI, i.e. 0x03 followed 3372 * by the NLPID. 3373 */ 3374 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3375 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3376 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3377 gen_or(b1, b2); 3378 gen_or(b0, b2); 3379 return b2; 3380 3381 default: 3382 return gen_false(cstate); 3383 } 3384 /*NOTREACHED*/ 3385 break; 3386 3387 case DLT_MFR: 3388 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented"); 3389 3390 case DLT_JUNIPER_MFR: 3391 case DLT_JUNIPER_MLFR: 3392 case DLT_JUNIPER_MLPPP: 3393 case DLT_JUNIPER_ATM1: 3394 case DLT_JUNIPER_ATM2: 3395 case DLT_JUNIPER_PPPOE: 3396 case DLT_JUNIPER_PPPOE_ATM: 3397 case DLT_JUNIPER_GGSN: 3398 case DLT_JUNIPER_ES: 3399 case DLT_JUNIPER_MONITOR: 3400 case DLT_JUNIPER_SERVICES: 3401 case DLT_JUNIPER_ETHER: 3402 case DLT_JUNIPER_PPP: 3403 case DLT_JUNIPER_FRELAY: 3404 case DLT_JUNIPER_CHDLC: 3405 case DLT_JUNIPER_VP: 3406 case DLT_JUNIPER_ST: 3407 case DLT_JUNIPER_ISM: 3408 case DLT_JUNIPER_VS: 3409 case DLT_JUNIPER_SRX_E2E: 3410 case DLT_JUNIPER_FIBRECHANNEL: 3411 case DLT_JUNIPER_ATM_CEMIC: 3412 3413 /* just lets verify the magic number for now - 3414 * on ATM we may have up to 6 different encapsulations on the wire 3415 * and need a lot of heuristics to figure out that the payload 3416 * might be; 3417 * 3418 * FIXME encapsulation specific BPF_ filters 3419 */ 3420 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3421 3422 case DLT_BACNET_MS_TP: 3423 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000); 3424 3425 case DLT_IPNET: 3426 return gen_ipnet_linktype(cstate, proto); 3427 3428 case DLT_LINUX_IRDA: 3429 bpf_error(cstate, "IrDA link-layer type filtering not implemented"); 3430 3431 case DLT_DOCSIS: 3432 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented"); 3433 3434 case DLT_MTP2: 3435 case DLT_MTP2_WITH_PHDR: 3436 bpf_error(cstate, "MTP2 link-layer type filtering not implemented"); 3437 3438 case DLT_ERF: 3439 bpf_error(cstate, "ERF link-layer type filtering not implemented"); 3440 3441 case DLT_PFSYNC: 3442 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented"); 3443 3444 case DLT_LINUX_LAPD: 3445 bpf_error(cstate, "LAPD link-layer type filtering not implemented"); 3446 3447 case DLT_USB_FREEBSD: 3448 case DLT_USB_LINUX: 3449 case DLT_USB_LINUX_MMAPPED: 3450 case DLT_USBPCAP: 3451 bpf_error(cstate, "USB link-layer type filtering not implemented"); 3452 3453 case DLT_BLUETOOTH_HCI_H4: 3454 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3455 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented"); 3456 3457 case DLT_CAN20B: 3458 case DLT_CAN_SOCKETCAN: 3459 bpf_error(cstate, "CAN link-layer type filtering not implemented"); 3460 3461 case DLT_IEEE802_15_4: 3462 case DLT_IEEE802_15_4_LINUX: 3463 case DLT_IEEE802_15_4_NONASK_PHY: 3464 case DLT_IEEE802_15_4_NOFCS: 3465 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented"); 3466 3467 case DLT_IEEE802_16_MAC_CPS_RADIO: 3468 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented"); 3469 3470 case DLT_SITA: 3471 bpf_error(cstate, "SITA link-layer type filtering not implemented"); 3472 3473 case DLT_RAIF1: 3474 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented"); 3475 3476 case DLT_IPMB: 3477 bpf_error(cstate, "IPMB link-layer type filtering not implemented"); 3478 3479 case DLT_AX25_KISS: 3480 bpf_error(cstate, "AX.25 link-layer type filtering not implemented"); 3481 3482 case DLT_NFLOG: 3483 /* Using the fixed-size NFLOG header it is possible to tell only 3484 * the address family of the packet, other meaningful data is 3485 * either missing or behind TLVs. 3486 */ 3487 bpf_error(cstate, "NFLOG link-layer type filtering not implemented"); 3488 3489 default: 3490 /* 3491 * Does this link-layer header type have a field 3492 * indicating the type of the next protocol? If 3493 * so, off_linktype.constant_part will be the offset of that 3494 * field in the packet; if not, it will be OFFSET_NOT_SET. 3495 */ 3496 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) { 3497 /* 3498 * Yes; assume it's an Ethernet type. (If 3499 * it's not, it needs to be handled specially 3500 * above.) 3501 */ 3502 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3503 } else { 3504 /* 3505 * No; report an error. 3506 */ 3507 description = pcap_datalink_val_to_description(cstate->linktype); 3508 if (description != NULL) { 3509 bpf_error(cstate, "%s link-layer type filtering not implemented", 3510 description); 3511 } else { 3512 bpf_error(cstate, "DLT %u link-layer type filtering not implemented", 3513 cstate->linktype); 3514 } 3515 } 3516 break; 3517 } 3518 } 3519 3520 /* 3521 * Check for an LLC SNAP packet with a given organization code and 3522 * protocol type; we check the entire contents of the 802.2 LLC and 3523 * snap headers, checking for DSAP and SSAP of SNAP and a control 3524 * field of 0x03 in the LLC header, and for the specified organization 3525 * code and protocol type in the SNAP header. 3526 */ 3527 static struct block * 3528 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype) 3529 { 3530 u_char snapblock[8]; 3531 3532 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3533 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3534 snapblock[2] = 0x03; /* control = UI */ 3535 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3536 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3537 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3538 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3539 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3540 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock); 3541 } 3542 3543 /* 3544 * Generate code to match frames with an LLC header. 3545 */ 3546 struct block * 3547 gen_llc(compiler_state_t *cstate) 3548 { 3549 struct block *b0, *b1; 3550 3551 switch (cstate->linktype) { 3552 3553 case DLT_EN10MB: 3554 /* 3555 * We check for an Ethernet type field less than 3556 * 1500, which means it's an 802.3 length field. 3557 */ 3558 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 3559 gen_not(b0); 3560 3561 /* 3562 * Now check for the purported DSAP and SSAP not being 3563 * 0xFF, to rule out NetWare-over-802.3. 3564 */ 3565 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 3566 gen_not(b1); 3567 gen_and(b0, b1); 3568 return b1; 3569 3570 case DLT_SUNATM: 3571 /* 3572 * We check for LLC traffic. 3573 */ 3574 b0 = gen_atmtype_abbrev(cstate, A_LLC); 3575 return b0; 3576 3577 case DLT_IEEE802: /* Token Ring */ 3578 /* 3579 * XXX - check for LLC frames. 3580 */ 3581 return gen_true(cstate); 3582 3583 case DLT_FDDI: 3584 /* 3585 * XXX - check for LLC frames. 3586 */ 3587 return gen_true(cstate); 3588 3589 case DLT_ATM_RFC1483: 3590 /* 3591 * For LLC encapsulation, these are defined to have an 3592 * 802.2 LLC header. 3593 * 3594 * For VC encapsulation, they don't, but there's no 3595 * way to check for that; the protocol used on the VC 3596 * is negotiated out of band. 3597 */ 3598 return gen_true(cstate); 3599 3600 case DLT_IEEE802_11: 3601 case DLT_PRISM_HEADER: 3602 case DLT_IEEE802_11_RADIO: 3603 case DLT_IEEE802_11_RADIO_AVS: 3604 case DLT_PPI: 3605 /* 3606 * Check that we have a data frame. 3607 */ 3608 b0 = gen_check_802_11_data_frame(cstate); 3609 return b0; 3610 3611 default: 3612 bpf_error(cstate, "'llc' not supported for linktype %d", cstate->linktype); 3613 /* NOTREACHED */ 3614 } 3615 } 3616 3617 struct block * 3618 gen_llc_i(compiler_state_t *cstate) 3619 { 3620 struct block *b0, *b1; 3621 struct slist *s; 3622 3623 /* 3624 * Check whether this is an LLC frame. 3625 */ 3626 b0 = gen_llc(cstate); 3627 3628 /* 3629 * Load the control byte and test the low-order bit; it must 3630 * be clear for I frames. 3631 */ 3632 s = gen_load_a(cstate, OR_LLC, 2, BPF_B); 3633 b1 = new_block(cstate, JMP(BPF_JSET)); 3634 b1->s.k = 0x01; 3635 b1->stmts = s; 3636 gen_not(b1); 3637 gen_and(b0, b1); 3638 return b1; 3639 } 3640 3641 struct block * 3642 gen_llc_s(compiler_state_t *cstate) 3643 { 3644 struct block *b0, *b1; 3645 3646 /* 3647 * Check whether this is an LLC frame. 3648 */ 3649 b0 = gen_llc(cstate); 3650 3651 /* 3652 * Now compare the low-order 2 bit of the control byte against 3653 * the appropriate value for S frames. 3654 */ 3655 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03); 3656 gen_and(b0, b1); 3657 return b1; 3658 } 3659 3660 struct block * 3661 gen_llc_u(compiler_state_t *cstate) 3662 { 3663 struct block *b0, *b1; 3664 3665 /* 3666 * Check whether this is an LLC frame. 3667 */ 3668 b0 = gen_llc(cstate); 3669 3670 /* 3671 * Now compare the low-order 2 bit of the control byte against 3672 * the appropriate value for U frames. 3673 */ 3674 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03); 3675 gen_and(b0, b1); 3676 return b1; 3677 } 3678 3679 struct block * 3680 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3681 { 3682 struct block *b0, *b1; 3683 3684 /* 3685 * Check whether this is an LLC frame. 3686 */ 3687 b0 = gen_llc(cstate); 3688 3689 /* 3690 * Now check for an S frame with the appropriate type. 3691 */ 3692 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3693 gen_and(b0, b1); 3694 return b1; 3695 } 3696 3697 struct block * 3698 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3699 { 3700 struct block *b0, *b1; 3701 3702 /* 3703 * Check whether this is an LLC frame. 3704 */ 3705 b0 = gen_llc(cstate); 3706 3707 /* 3708 * Now check for a U frame with the appropriate type. 3709 */ 3710 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3711 gen_and(b0, b1); 3712 return b1; 3713 } 3714 3715 /* 3716 * Generate code to match a particular packet type, for link-layer types 3717 * using 802.2 LLC headers. 3718 * 3719 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3720 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3721 * 3722 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3723 * value, if <= ETHERMTU. We use that to determine whether to 3724 * match the DSAP or both DSAP and LSAP or to check the OUI and 3725 * protocol ID in a SNAP header. 3726 */ 3727 static struct block * 3728 gen_llc_linktype(compiler_state_t *cstate, int proto) 3729 { 3730 /* 3731 * XXX - handle token-ring variable-length header. 3732 */ 3733 switch (proto) { 3734 3735 case LLCSAP_IP: 3736 case LLCSAP_ISONS: 3737 case LLCSAP_NETBEUI: 3738 /* 3739 * XXX - should we check both the DSAP and the 3740 * SSAP, like this, or should we check just the 3741 * DSAP, as we do for other SAP values? 3742 */ 3743 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32) 3744 ((proto << 8) | proto)); 3745 3746 case LLCSAP_IPX: 3747 /* 3748 * XXX - are there ever SNAP frames for IPX on 3749 * non-Ethernet 802.x networks? 3750 */ 3751 return gen_cmp(cstate, OR_LLC, 0, BPF_B, 3752 (bpf_int32)LLCSAP_IPX); 3753 3754 case ETHERTYPE_ATALK: 3755 /* 3756 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3757 * SNAP packets with an organization code of 3758 * 0x080007 (Apple, for Appletalk) and a protocol 3759 * type of ETHERTYPE_ATALK (Appletalk). 3760 * 3761 * XXX - check for an organization code of 3762 * encapsulated Ethernet as well? 3763 */ 3764 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 3765 3766 default: 3767 /* 3768 * XXX - we don't have to check for IPX 802.3 3769 * here, but should we check for the IPX Ethertype? 3770 */ 3771 if (proto <= ETHERMTU) { 3772 /* 3773 * This is an LLC SAP value, so check 3774 * the DSAP. 3775 */ 3776 return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto); 3777 } else { 3778 /* 3779 * This is an Ethernet type; we assume that it's 3780 * unlikely that it'll appear in the right place 3781 * at random, and therefore check only the 3782 * location that would hold the Ethernet type 3783 * in a SNAP frame with an organization code of 3784 * 0x000000 (encapsulated Ethernet). 3785 * 3786 * XXX - if we were to check for the SNAP DSAP and 3787 * LSAP, as per XXX, and were also to check for an 3788 * organization code of 0x000000 (encapsulated 3789 * Ethernet), we'd do 3790 * 3791 * return gen_snap(cstate, 0x000000, proto); 3792 * 3793 * here; for now, we don't, as per the above. 3794 * I don't know whether it's worth the extra CPU 3795 * time to do the right check or not. 3796 */ 3797 return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto); 3798 } 3799 } 3800 } 3801 3802 static struct block * 3803 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 3804 int dir, int proto, u_int src_off, u_int dst_off) 3805 { 3806 struct block *b0, *b1; 3807 u_int offset; 3808 3809 switch (dir) { 3810 3811 case Q_SRC: 3812 offset = src_off; 3813 break; 3814 3815 case Q_DST: 3816 offset = dst_off; 3817 break; 3818 3819 case Q_AND: 3820 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3821 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3822 gen_and(b0, b1); 3823 return b1; 3824 3825 case Q_OR: 3826 case Q_DEFAULT: 3827 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3828 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3829 gen_or(b0, b1); 3830 return b1; 3831 3832 default: 3833 abort(); 3834 } 3835 b0 = gen_linktype(cstate, proto); 3836 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask); 3837 gen_and(b0, b1); 3838 return b1; 3839 } 3840 3841 #ifdef INET6 3842 static struct block * 3843 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr, 3844 struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off) 3845 { 3846 struct block *b0, *b1; 3847 u_int offset; 3848 u_int32_t *a, *m; 3849 3850 switch (dir) { 3851 3852 case Q_SRC: 3853 offset = src_off; 3854 break; 3855 3856 case Q_DST: 3857 offset = dst_off; 3858 break; 3859 3860 case Q_AND: 3861 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3862 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3863 gen_and(b0, b1); 3864 return b1; 3865 3866 case Q_OR: 3867 case Q_DEFAULT: 3868 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3869 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3870 gen_or(b0, b1); 3871 return b1; 3872 3873 default: 3874 abort(); 3875 } 3876 /* this order is important */ 3877 a = (u_int32_t *)addr; 3878 m = (u_int32_t *)mask; 3879 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3880 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3881 gen_and(b0, b1); 3882 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3883 gen_and(b0, b1); 3884 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3885 gen_and(b0, b1); 3886 b0 = gen_linktype(cstate, proto); 3887 gen_and(b0, b1); 3888 return b1; 3889 } 3890 #endif 3891 3892 static struct block * 3893 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 3894 { 3895 register struct block *b0, *b1; 3896 3897 switch (dir) { 3898 case Q_SRC: 3899 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr); 3900 3901 case Q_DST: 3902 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr); 3903 3904 case Q_AND: 3905 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 3906 b1 = gen_ehostop(cstate, eaddr, Q_DST); 3907 gen_and(b0, b1); 3908 return b1; 3909 3910 case Q_DEFAULT: 3911 case Q_OR: 3912 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 3913 b1 = gen_ehostop(cstate, eaddr, Q_DST); 3914 gen_or(b0, b1); 3915 return b1; 3916 3917 case Q_ADDR1: 3918 bpf_error(cstate, "'addr1' is only supported on 802.11 with 802.11 headers"); 3919 break; 3920 3921 case Q_ADDR2: 3922 bpf_error(cstate, "'addr2' is only supported on 802.11 with 802.11 headers"); 3923 break; 3924 3925 case Q_ADDR3: 3926 bpf_error(cstate, "'addr3' is only supported on 802.11 with 802.11 headers"); 3927 break; 3928 3929 case Q_ADDR4: 3930 bpf_error(cstate, "'addr4' is only supported on 802.11 with 802.11 headers"); 3931 break; 3932 3933 case Q_RA: 3934 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers"); 3935 break; 3936 3937 case Q_TA: 3938 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers"); 3939 break; 3940 } 3941 abort(); 3942 /* NOTREACHED */ 3943 } 3944 3945 /* 3946 * Like gen_ehostop, but for DLT_FDDI 3947 */ 3948 static struct block * 3949 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 3950 { 3951 struct block *b0, *b1; 3952 3953 switch (dir) { 3954 case Q_SRC: 3955 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr); 3956 3957 case Q_DST: 3958 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr); 3959 3960 case Q_AND: 3961 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 3962 b1 = gen_fhostop(cstate, eaddr, Q_DST); 3963 gen_and(b0, b1); 3964 return b1; 3965 3966 case Q_DEFAULT: 3967 case Q_OR: 3968 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 3969 b1 = gen_fhostop(cstate, eaddr, Q_DST); 3970 gen_or(b0, b1); 3971 return b1; 3972 3973 case Q_ADDR1: 3974 bpf_error(cstate, "'addr1' is only supported on 802.11"); 3975 break; 3976 3977 case Q_ADDR2: 3978 bpf_error(cstate, "'addr2' is only supported on 802.11"); 3979 break; 3980 3981 case Q_ADDR3: 3982 bpf_error(cstate, "'addr3' is only supported on 802.11"); 3983 break; 3984 3985 case Q_ADDR4: 3986 bpf_error(cstate, "'addr4' is only supported on 802.11"); 3987 break; 3988 3989 case Q_RA: 3990 bpf_error(cstate, "'ra' is only supported on 802.11"); 3991 break; 3992 3993 case Q_TA: 3994 bpf_error(cstate, "'ta' is only supported on 802.11"); 3995 break; 3996 } 3997 abort(); 3998 /* NOTREACHED */ 3999 } 4000 4001 /* 4002 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 4003 */ 4004 static struct block * 4005 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4006 { 4007 register struct block *b0, *b1; 4008 4009 switch (dir) { 4010 case Q_SRC: 4011 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr); 4012 4013 case Q_DST: 4014 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4015 4016 case Q_AND: 4017 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4018 b1 = gen_thostop(cstate, eaddr, Q_DST); 4019 gen_and(b0, b1); 4020 return b1; 4021 4022 case Q_DEFAULT: 4023 case Q_OR: 4024 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4025 b1 = gen_thostop(cstate, eaddr, Q_DST); 4026 gen_or(b0, b1); 4027 return b1; 4028 4029 case Q_ADDR1: 4030 bpf_error(cstate, "'addr1' is only supported on 802.11"); 4031 break; 4032 4033 case Q_ADDR2: 4034 bpf_error(cstate, "'addr2' is only supported on 802.11"); 4035 break; 4036 4037 case Q_ADDR3: 4038 bpf_error(cstate, "'addr3' is only supported on 802.11"); 4039 break; 4040 4041 case Q_ADDR4: 4042 bpf_error(cstate, "'addr4' is only supported on 802.11"); 4043 break; 4044 4045 case Q_RA: 4046 bpf_error(cstate, "'ra' is only supported on 802.11"); 4047 break; 4048 4049 case Q_TA: 4050 bpf_error(cstate, "'ta' is only supported on 802.11"); 4051 break; 4052 } 4053 abort(); 4054 /* NOTREACHED */ 4055 } 4056 4057 /* 4058 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 4059 * various 802.11 + radio headers. 4060 */ 4061 static struct block * 4062 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4063 { 4064 register struct block *b0, *b1, *b2; 4065 register struct slist *s; 4066 4067 #ifdef ENABLE_WLAN_FILTERING_PATCH 4068 /* 4069 * TODO GV 20070613 4070 * We need to disable the optimizer because the optimizer is buggy 4071 * and wipes out some LD instructions generated by the below 4072 * code to validate the Frame Control bits 4073 */ 4074 cstate->no_optimize = 1; 4075 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 4076 4077 switch (dir) { 4078 case Q_SRC: 4079 /* 4080 * Oh, yuk. 4081 * 4082 * For control frames, there is no SA. 4083 * 4084 * For management frames, SA is at an 4085 * offset of 10 from the beginning of 4086 * the packet. 4087 * 4088 * For data frames, SA is at an offset 4089 * of 10 from the beginning of the packet 4090 * if From DS is clear, at an offset of 4091 * 16 from the beginning of the packet 4092 * if From DS is set and To DS is clear, 4093 * and an offset of 24 from the beginning 4094 * of the packet if From DS is set and To DS 4095 * is set. 4096 */ 4097 4098 /* 4099 * Generate the tests to be done for data frames 4100 * with From DS set. 4101 * 4102 * First, check for To DS set, i.e. check "link[1] & 0x01". 4103 */ 4104 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4105 b1 = new_block(cstate, JMP(BPF_JSET)); 4106 b1->s.k = 0x01; /* To DS */ 4107 b1->stmts = s; 4108 4109 /* 4110 * If To DS is set, the SA is at 24. 4111 */ 4112 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4113 gen_and(b1, b0); 4114 4115 /* 4116 * Now, check for To DS not set, i.e. check 4117 * "!(link[1] & 0x01)". 4118 */ 4119 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4120 b2 = new_block(cstate, JMP(BPF_JSET)); 4121 b2->s.k = 0x01; /* To DS */ 4122 b2->stmts = s; 4123 gen_not(b2); 4124 4125 /* 4126 * If To DS is not set, the SA is at 16. 4127 */ 4128 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4129 gen_and(b2, b1); 4130 4131 /* 4132 * Now OR together the last two checks. That gives 4133 * the complete set of checks for data frames with 4134 * From DS set. 4135 */ 4136 gen_or(b1, b0); 4137 4138 /* 4139 * Now check for From DS being set, and AND that with 4140 * the ORed-together checks. 4141 */ 4142 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4143 b1 = new_block(cstate, JMP(BPF_JSET)); 4144 b1->s.k = 0x02; /* From DS */ 4145 b1->stmts = s; 4146 gen_and(b1, b0); 4147 4148 /* 4149 * Now check for data frames with From DS not set. 4150 */ 4151 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4152 b2 = new_block(cstate, JMP(BPF_JSET)); 4153 b2->s.k = 0x02; /* From DS */ 4154 b2->stmts = s; 4155 gen_not(b2); 4156 4157 /* 4158 * If From DS isn't set, the SA is at 10. 4159 */ 4160 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4161 gen_and(b2, b1); 4162 4163 /* 4164 * Now OR together the checks for data frames with 4165 * From DS not set and for data frames with From DS 4166 * set; that gives the checks done for data frames. 4167 */ 4168 gen_or(b1, b0); 4169 4170 /* 4171 * Now check for a data frame. 4172 * I.e, check "link[0] & 0x08". 4173 */ 4174 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4175 b1 = new_block(cstate, JMP(BPF_JSET)); 4176 b1->s.k = 0x08; 4177 b1->stmts = s; 4178 4179 /* 4180 * AND that with the checks done for data frames. 4181 */ 4182 gen_and(b1, b0); 4183 4184 /* 4185 * If the high-order bit of the type value is 0, this 4186 * is a management frame. 4187 * I.e, check "!(link[0] & 0x08)". 4188 */ 4189 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4190 b2 = new_block(cstate, JMP(BPF_JSET)); 4191 b2->s.k = 0x08; 4192 b2->stmts = s; 4193 gen_not(b2); 4194 4195 /* 4196 * For management frames, the SA is at 10. 4197 */ 4198 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4199 gen_and(b2, b1); 4200 4201 /* 4202 * OR that with the checks done for data frames. 4203 * That gives the checks done for management and 4204 * data frames. 4205 */ 4206 gen_or(b1, b0); 4207 4208 /* 4209 * If the low-order bit of the type value is 1, 4210 * this is either a control frame or a frame 4211 * with a reserved type, and thus not a 4212 * frame with an SA. 4213 * 4214 * I.e., check "!(link[0] & 0x04)". 4215 */ 4216 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4217 b1 = new_block(cstate, JMP(BPF_JSET)); 4218 b1->s.k = 0x04; 4219 b1->stmts = s; 4220 gen_not(b1); 4221 4222 /* 4223 * AND that with the checks for data and management 4224 * frames. 4225 */ 4226 gen_and(b1, b0); 4227 return b0; 4228 4229 case Q_DST: 4230 /* 4231 * Oh, yuk. 4232 * 4233 * For control frames, there is no DA. 4234 * 4235 * For management frames, DA is at an 4236 * offset of 4 from the beginning of 4237 * the packet. 4238 * 4239 * For data frames, DA is at an offset 4240 * of 4 from the beginning of the packet 4241 * if To DS is clear and at an offset of 4242 * 16 from the beginning of the packet 4243 * if To DS is set. 4244 */ 4245 4246 /* 4247 * Generate the tests to be done for data frames. 4248 * 4249 * First, check for To DS set, i.e. "link[1] & 0x01". 4250 */ 4251 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4252 b1 = new_block(cstate, JMP(BPF_JSET)); 4253 b1->s.k = 0x01; /* To DS */ 4254 b1->stmts = s; 4255 4256 /* 4257 * If To DS is set, the DA is at 16. 4258 */ 4259 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4260 gen_and(b1, b0); 4261 4262 /* 4263 * Now, check for To DS not set, i.e. check 4264 * "!(link[1] & 0x01)". 4265 */ 4266 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4267 b2 = new_block(cstate, JMP(BPF_JSET)); 4268 b2->s.k = 0x01; /* To DS */ 4269 b2->stmts = s; 4270 gen_not(b2); 4271 4272 /* 4273 * If To DS is not set, the DA is at 4. 4274 */ 4275 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4276 gen_and(b2, b1); 4277 4278 /* 4279 * Now OR together the last two checks. That gives 4280 * the complete set of checks for data frames. 4281 */ 4282 gen_or(b1, b0); 4283 4284 /* 4285 * Now check for a data frame. 4286 * I.e, check "link[0] & 0x08". 4287 */ 4288 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4289 b1 = new_block(cstate, JMP(BPF_JSET)); 4290 b1->s.k = 0x08; 4291 b1->stmts = s; 4292 4293 /* 4294 * AND that with the checks done for data frames. 4295 */ 4296 gen_and(b1, b0); 4297 4298 /* 4299 * If the high-order bit of the type value is 0, this 4300 * is a management frame. 4301 * I.e, check "!(link[0] & 0x08)". 4302 */ 4303 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4304 b2 = new_block(cstate, JMP(BPF_JSET)); 4305 b2->s.k = 0x08; 4306 b2->stmts = s; 4307 gen_not(b2); 4308 4309 /* 4310 * For management frames, the DA is at 4. 4311 */ 4312 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4313 gen_and(b2, b1); 4314 4315 /* 4316 * OR that with the checks done for data frames. 4317 * That gives the checks done for management and 4318 * data frames. 4319 */ 4320 gen_or(b1, b0); 4321 4322 /* 4323 * If the low-order bit of the type value is 1, 4324 * this is either a control frame or a frame 4325 * with a reserved type, and thus not a 4326 * frame with an SA. 4327 * 4328 * I.e., check "!(link[0] & 0x04)". 4329 */ 4330 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4331 b1 = new_block(cstate, JMP(BPF_JSET)); 4332 b1->s.k = 0x04; 4333 b1->stmts = s; 4334 gen_not(b1); 4335 4336 /* 4337 * AND that with the checks for data and management 4338 * frames. 4339 */ 4340 gen_and(b1, b0); 4341 return b0; 4342 4343 case Q_RA: 4344 /* 4345 * Not present in management frames; addr1 in other 4346 * frames. 4347 */ 4348 4349 /* 4350 * If the high-order bit of the type value is 0, this 4351 * is a management frame. 4352 * I.e, check "(link[0] & 0x08)". 4353 */ 4354 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4355 b1 = new_block(cstate, JMP(BPF_JSET)); 4356 b1->s.k = 0x08; 4357 b1->stmts = s; 4358 4359 /* 4360 * Check addr1. 4361 */ 4362 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4363 4364 /* 4365 * AND that with the check of addr1. 4366 */ 4367 gen_and(b1, b0); 4368 return (b0); 4369 4370 case Q_TA: 4371 /* 4372 * Not present in management frames; addr2, if present, 4373 * in other frames. 4374 */ 4375 4376 /* 4377 * Not present in CTS or ACK control frames. 4378 */ 4379 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4380 IEEE80211_FC0_TYPE_MASK); 4381 gen_not(b0); 4382 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4383 IEEE80211_FC0_SUBTYPE_MASK); 4384 gen_not(b1); 4385 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4386 IEEE80211_FC0_SUBTYPE_MASK); 4387 gen_not(b2); 4388 gen_and(b1, b2); 4389 gen_or(b0, b2); 4390 4391 /* 4392 * If the high-order bit of the type value is 0, this 4393 * is a management frame. 4394 * I.e, check "(link[0] & 0x08)". 4395 */ 4396 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4397 b1 = new_block(cstate, JMP(BPF_JSET)); 4398 b1->s.k = 0x08; 4399 b1->stmts = s; 4400 4401 /* 4402 * AND that with the check for frames other than 4403 * CTS and ACK frames. 4404 */ 4405 gen_and(b1, b2); 4406 4407 /* 4408 * Check addr2. 4409 */ 4410 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4411 gen_and(b2, b1); 4412 return b1; 4413 4414 /* 4415 * XXX - add BSSID keyword? 4416 */ 4417 case Q_ADDR1: 4418 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr)); 4419 4420 case Q_ADDR2: 4421 /* 4422 * Not present in CTS or ACK control frames. 4423 */ 4424 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4425 IEEE80211_FC0_TYPE_MASK); 4426 gen_not(b0); 4427 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4428 IEEE80211_FC0_SUBTYPE_MASK); 4429 gen_not(b1); 4430 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4431 IEEE80211_FC0_SUBTYPE_MASK); 4432 gen_not(b2); 4433 gen_and(b1, b2); 4434 gen_or(b0, b2); 4435 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4436 gen_and(b2, b1); 4437 return b1; 4438 4439 case Q_ADDR3: 4440 /* 4441 * Not present in control frames. 4442 */ 4443 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4444 IEEE80211_FC0_TYPE_MASK); 4445 gen_not(b0); 4446 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4447 gen_and(b0, b1); 4448 return b1; 4449 4450 case Q_ADDR4: 4451 /* 4452 * Present only if the direction mask has both "From DS" 4453 * and "To DS" set. Neither control frames nor management 4454 * frames should have both of those set, so we don't 4455 * check the frame type. 4456 */ 4457 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, 4458 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4459 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4460 gen_and(b0, b1); 4461 return b1; 4462 4463 case Q_AND: 4464 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4465 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4466 gen_and(b0, b1); 4467 return b1; 4468 4469 case Q_DEFAULT: 4470 case Q_OR: 4471 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4472 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4473 gen_or(b0, b1); 4474 return b1; 4475 } 4476 abort(); 4477 /* NOTREACHED */ 4478 } 4479 4480 /* 4481 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4482 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4483 * as the RFC states.) 4484 */ 4485 static struct block * 4486 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4487 { 4488 register struct block *b0, *b1; 4489 4490 switch (dir) { 4491 case Q_SRC: 4492 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4493 4494 case Q_DST: 4495 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4496 4497 case Q_AND: 4498 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4499 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4500 gen_and(b0, b1); 4501 return b1; 4502 4503 case Q_DEFAULT: 4504 case Q_OR: 4505 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4506 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4507 gen_or(b0, b1); 4508 return b1; 4509 4510 case Q_ADDR1: 4511 bpf_error(cstate, "'addr1' is only supported on 802.11"); 4512 break; 4513 4514 case Q_ADDR2: 4515 bpf_error(cstate, "'addr2' is only supported on 802.11"); 4516 break; 4517 4518 case Q_ADDR3: 4519 bpf_error(cstate, "'addr3' is only supported on 802.11"); 4520 break; 4521 4522 case Q_ADDR4: 4523 bpf_error(cstate, "'addr4' is only supported on 802.11"); 4524 break; 4525 4526 case Q_RA: 4527 bpf_error(cstate, "'ra' is only supported on 802.11"); 4528 break; 4529 4530 case Q_TA: 4531 bpf_error(cstate, "'ta' is only supported on 802.11"); 4532 break; 4533 } 4534 abort(); 4535 /* NOTREACHED */ 4536 } 4537 4538 /* 4539 * This is quite tricky because there may be pad bytes in front of the 4540 * DECNET header, and then there are two possible data packet formats that 4541 * carry both src and dst addresses, plus 5 packet types in a format that 4542 * carries only the src node, plus 2 types that use a different format and 4543 * also carry just the src node. 4544 * 4545 * Yuck. 4546 * 4547 * Instead of doing those all right, we just look for data packets with 4548 * 0 or 1 bytes of padding. If you want to look at other packets, that 4549 * will require a lot more hacking. 4550 * 4551 * To add support for filtering on DECNET "areas" (network numbers) 4552 * one would want to add a "mask" argument to this routine. That would 4553 * make the filter even more inefficient, although one could be clever 4554 * and not generate masking instructions if the mask is 0xFFFF. 4555 */ 4556 static struct block * 4557 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir) 4558 { 4559 struct block *b0, *b1, *b2, *tmp; 4560 u_int offset_lh; /* offset if long header is received */ 4561 u_int offset_sh; /* offset if short header is received */ 4562 4563 switch (dir) { 4564 4565 case Q_DST: 4566 offset_sh = 1; /* follows flags */ 4567 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4568 break; 4569 4570 case Q_SRC: 4571 offset_sh = 3; /* follows flags, dstnode */ 4572 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4573 break; 4574 4575 case Q_AND: 4576 /* Inefficient because we do our Calvinball dance twice */ 4577 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4578 b1 = gen_dnhostop(cstate, addr, Q_DST); 4579 gen_and(b0, b1); 4580 return b1; 4581 4582 case Q_OR: 4583 case Q_DEFAULT: 4584 /* Inefficient because we do our Calvinball dance twice */ 4585 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4586 b1 = gen_dnhostop(cstate, addr, Q_DST); 4587 gen_or(b0, b1); 4588 return b1; 4589 4590 case Q_ISO: 4591 bpf_error(cstate, "ISO host filtering not implemented"); 4592 4593 default: 4594 abort(); 4595 } 4596 b0 = gen_linktype(cstate, ETHERTYPE_DN); 4597 /* Check for pad = 1, long header case */ 4598 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4599 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4600 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh, 4601 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4602 gen_and(tmp, b1); 4603 /* Check for pad = 0, long header case */ 4604 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4605 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4606 gen_and(tmp, b2); 4607 gen_or(b2, b1); 4608 /* Check for pad = 1, short header case */ 4609 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4610 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4611 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4612 gen_and(tmp, b2); 4613 gen_or(b2, b1); 4614 /* Check for pad = 0, short header case */ 4615 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4616 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4617 gen_and(tmp, b2); 4618 gen_or(b2, b1); 4619 4620 /* Combine with test for cstate->linktype */ 4621 gen_and(b0, b1); 4622 return b1; 4623 } 4624 4625 /* 4626 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4627 * test the bottom-of-stack bit, and then check the version number 4628 * field in the IP header. 4629 */ 4630 static struct block * 4631 gen_mpls_linktype(compiler_state_t *cstate, int proto) 4632 { 4633 struct block *b0, *b1; 4634 4635 switch (proto) { 4636 4637 case Q_IP: 4638 /* match the bottom-of-stack bit */ 4639 b0 = gen_mcmp(cstate, OR_LINKPL, -2, BPF_B, 0x01, 0x01); 4640 /* match the IPv4 version number */ 4641 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0); 4642 gen_and(b0, b1); 4643 return b1; 4644 4645 case Q_IPV6: 4646 /* match the bottom-of-stack bit */ 4647 b0 = gen_mcmp(cstate, OR_LINKPL, -2, BPF_B, 0x01, 0x01); 4648 /* match the IPv4 version number */ 4649 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0); 4650 gen_and(b0, b1); 4651 return b1; 4652 4653 default: 4654 abort(); 4655 } 4656 } 4657 4658 static struct block * 4659 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 4660 int proto, int dir, int type) 4661 { 4662 struct block *b0, *b1; 4663 const char *typestr; 4664 4665 if (type == Q_NET) 4666 typestr = "net"; 4667 else 4668 typestr = "host"; 4669 4670 switch (proto) { 4671 4672 case Q_DEFAULT: 4673 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type); 4674 /* 4675 * Only check for non-IPv4 addresses if we're not 4676 * checking MPLS-encapsulated packets. 4677 */ 4678 if (cstate->label_stack_depth == 0) { 4679 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type); 4680 gen_or(b0, b1); 4681 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type); 4682 gen_or(b1, b0); 4683 } 4684 return b0; 4685 4686 case Q_IP: 4687 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16); 4688 4689 case Q_RARP: 4690 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4691 4692 case Q_ARP: 4693 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4694 4695 case Q_TCP: 4696 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4697 4698 case Q_SCTP: 4699 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4700 4701 case Q_UDP: 4702 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4703 4704 case Q_ICMP: 4705 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4706 4707 case Q_IGMP: 4708 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4709 4710 case Q_IGRP: 4711 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4712 4713 case Q_PIM: 4714 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 4715 4716 case Q_VRRP: 4717 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 4718 4719 case Q_CARP: 4720 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 4721 4722 case Q_ATALK: 4723 bpf_error(cstate, "ATALK host filtering not implemented"); 4724 4725 case Q_AARP: 4726 bpf_error(cstate, "AARP host filtering not implemented"); 4727 4728 case Q_DECNET: 4729 return gen_dnhostop(cstate, addr, dir); 4730 4731 case Q_SCA: 4732 bpf_error(cstate, "SCA host filtering not implemented"); 4733 4734 case Q_LAT: 4735 bpf_error(cstate, "LAT host filtering not implemented"); 4736 4737 case Q_MOPDL: 4738 bpf_error(cstate, "MOPDL host filtering not implemented"); 4739 4740 case Q_MOPRC: 4741 bpf_error(cstate, "MOPRC host filtering not implemented"); 4742 4743 case Q_IPV6: 4744 bpf_error(cstate, "'ip6' modifier applied to ip host"); 4745 4746 case Q_ICMPV6: 4747 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4748 4749 case Q_AH: 4750 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4751 4752 case Q_ESP: 4753 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 4754 4755 case Q_ISO: 4756 bpf_error(cstate, "ISO host filtering not implemented"); 4757 4758 case Q_ESIS: 4759 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 4760 4761 case Q_ISIS: 4762 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 4763 4764 case Q_CLNP: 4765 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 4766 4767 case Q_STP: 4768 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 4769 4770 case Q_IPX: 4771 bpf_error(cstate, "IPX host filtering not implemented"); 4772 4773 case Q_NETBEUI: 4774 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 4775 4776 case Q_RADIO: 4777 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 4778 4779 default: 4780 abort(); 4781 } 4782 /* NOTREACHED */ 4783 } 4784 4785 #ifdef INET6 4786 static struct block * 4787 gen_host6(compiler_state_t *cstate, struct in6_addr *addr, 4788 struct in6_addr *mask, int proto, int dir, int type) 4789 { 4790 const char *typestr; 4791 4792 if (type == Q_NET) 4793 typestr = "net"; 4794 else 4795 typestr = "host"; 4796 4797 switch (proto) { 4798 4799 case Q_DEFAULT: 4800 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type); 4801 4802 case Q_LINK: 4803 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr); 4804 4805 case Q_IP: 4806 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr); 4807 4808 case Q_RARP: 4809 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr); 4810 4811 case Q_ARP: 4812 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr); 4813 4814 case Q_SCTP: 4815 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4816 4817 case Q_TCP: 4818 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4819 4820 case Q_UDP: 4821 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4822 4823 case Q_ICMP: 4824 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4825 4826 case Q_IGMP: 4827 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4828 4829 case Q_IGRP: 4830 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4831 4832 case Q_PIM: 4833 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 4834 4835 case Q_VRRP: 4836 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 4837 4838 case Q_CARP: 4839 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 4840 4841 case Q_ATALK: 4842 bpf_error(cstate, "ATALK host filtering not implemented"); 4843 4844 case Q_AARP: 4845 bpf_error(cstate, "AARP host filtering not implemented"); 4846 4847 case Q_DECNET: 4848 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr); 4849 4850 case Q_SCA: 4851 bpf_error(cstate, "SCA host filtering not implemented"); 4852 4853 case Q_LAT: 4854 bpf_error(cstate, "LAT host filtering not implemented"); 4855 4856 case Q_MOPDL: 4857 bpf_error(cstate, "MOPDL host filtering not implemented"); 4858 4859 case Q_MOPRC: 4860 bpf_error(cstate, "MOPRC host filtering not implemented"); 4861 4862 case Q_IPV6: 4863 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4864 4865 case Q_ICMPV6: 4866 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4867 4868 case Q_AH: 4869 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4870 4871 case Q_ESP: 4872 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 4873 4874 case Q_ISO: 4875 bpf_error(cstate, "ISO host filtering not implemented"); 4876 4877 case Q_ESIS: 4878 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 4879 4880 case Q_ISIS: 4881 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 4882 4883 case Q_CLNP: 4884 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 4885 4886 case Q_STP: 4887 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 4888 4889 case Q_IPX: 4890 bpf_error(cstate, "IPX host filtering not implemented"); 4891 4892 case Q_NETBEUI: 4893 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 4894 4895 case Q_RADIO: 4896 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 4897 4898 default: 4899 abort(); 4900 } 4901 /* NOTREACHED */ 4902 } 4903 #endif 4904 4905 #ifndef INET6 4906 static struct block * 4907 gen_gateway(eaddr, alist, proto, dir) 4908 const u_char *eaddr; 4909 bpf_u_int32 **alist; 4910 int proto; 4911 int dir; 4912 { 4913 struct block *b0, *b1, *tmp; 4914 4915 if (dir != 0) 4916 bpf_error(cstate, "direction applied to 'gateway'"); 4917 4918 switch (proto) { 4919 case Q_DEFAULT: 4920 case Q_IP: 4921 case Q_ARP: 4922 case Q_RARP: 4923 switch (cstate->linktype) { 4924 case DLT_EN10MB: 4925 case DLT_NETANALYZER: 4926 case DLT_NETANALYZER_TRANSPARENT: 4927 b1 = gen_prevlinkhdr_check(cstate); 4928 b0 = gen_ehostop(cstate, eaddr, Q_OR); 4929 if (b1 != NULL) 4930 gen_and(b1, b0); 4931 break; 4932 case DLT_FDDI: 4933 b0 = gen_fhostop(cstate, eaddr, Q_OR); 4934 break; 4935 case DLT_IEEE802: 4936 b0 = gen_thostop(cstate, eaddr, Q_OR); 4937 break; 4938 case DLT_IEEE802_11: 4939 case DLT_PRISM_HEADER: 4940 case DLT_IEEE802_11_RADIO_AVS: 4941 case DLT_IEEE802_11_RADIO: 4942 case DLT_PPI: 4943 b0 = gen_wlanhostop(cstate, eaddr, Q_OR); 4944 break; 4945 case DLT_SUNATM: 4946 /* 4947 * This is LLC-multiplexed traffic; if it were 4948 * LANE, cstate->linktype would have been set to 4949 * DLT_EN10MB. 4950 */ 4951 bpf_error(cstate, 4952 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4953 break; 4954 case DLT_IP_OVER_FC: 4955 b0 = gen_ipfchostop(cstate, eaddr, Q_OR); 4956 break; 4957 default: 4958 bpf_error(cstate, 4959 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4960 } 4961 b1 = gen_host(cstate, **alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4962 while (*alist) { 4963 tmp = gen_host(cstate, **alist++, 0xffffffff, proto, Q_OR, 4964 Q_HOST); 4965 gen_or(b1, tmp); 4966 b1 = tmp; 4967 } 4968 gen_not(b1); 4969 gen_and(b0, b1); 4970 return b1; 4971 } 4972 bpf_error(cstate, "illegal modifier of 'gateway'"); 4973 /* NOTREACHED */ 4974 } 4975 #endif 4976 4977 struct block * 4978 gen_proto_abbrev(compiler_state_t *cstate, int proto) 4979 { 4980 struct block *b0; 4981 struct block *b1; 4982 4983 switch (proto) { 4984 4985 case Q_SCTP: 4986 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4987 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4988 gen_or(b0, b1); 4989 break; 4990 4991 case Q_TCP: 4992 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT); 4993 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4994 gen_or(b0, b1); 4995 break; 4996 4997 case Q_UDP: 4998 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT); 4999 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 5000 gen_or(b0, b1); 5001 break; 5002 5003 case Q_ICMP: 5004 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT); 5005 break; 5006 5007 #ifndef IPPROTO_IGMP 5008 #define IPPROTO_IGMP 2 5009 #endif 5010 5011 case Q_IGMP: 5012 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT); 5013 break; 5014 5015 #ifndef IPPROTO_IGRP 5016 #define IPPROTO_IGRP 9 5017 #endif 5018 case Q_IGRP: 5019 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT); 5020 break; 5021 5022 #ifndef IPPROTO_PIM 5023 #define IPPROTO_PIM 103 5024 #endif 5025 5026 case Q_PIM: 5027 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT); 5028 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 5029 gen_or(b0, b1); 5030 break; 5031 5032 #ifndef IPPROTO_VRRP 5033 #define IPPROTO_VRRP 112 5034 #endif 5035 5036 case Q_VRRP: 5037 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT); 5038 break; 5039 5040 #ifndef IPPROTO_CARP 5041 #define IPPROTO_CARP 112 5042 #endif 5043 5044 case Q_CARP: 5045 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT); 5046 break; 5047 5048 case Q_IP: 5049 b1 = gen_linktype(cstate, ETHERTYPE_IP); 5050 break; 5051 5052 case Q_ARP: 5053 b1 = gen_linktype(cstate, ETHERTYPE_ARP); 5054 break; 5055 5056 case Q_RARP: 5057 b1 = gen_linktype(cstate, ETHERTYPE_REVARP); 5058 break; 5059 5060 case Q_LINK: 5061 bpf_error(cstate, "link layer applied in wrong context"); 5062 5063 case Q_ATALK: 5064 b1 = gen_linktype(cstate, ETHERTYPE_ATALK); 5065 break; 5066 5067 case Q_AARP: 5068 b1 = gen_linktype(cstate, ETHERTYPE_AARP); 5069 break; 5070 5071 case Q_DECNET: 5072 b1 = gen_linktype(cstate, ETHERTYPE_DN); 5073 break; 5074 5075 case Q_SCA: 5076 b1 = gen_linktype(cstate, ETHERTYPE_SCA); 5077 break; 5078 5079 case Q_LAT: 5080 b1 = gen_linktype(cstate, ETHERTYPE_LAT); 5081 break; 5082 5083 case Q_MOPDL: 5084 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL); 5085 break; 5086 5087 case Q_MOPRC: 5088 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC); 5089 break; 5090 5091 case Q_IPV6: 5092 b1 = gen_linktype(cstate, ETHERTYPE_IPV6); 5093 break; 5094 5095 #ifndef IPPROTO_ICMPV6 5096 #define IPPROTO_ICMPV6 58 5097 #endif 5098 case Q_ICMPV6: 5099 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 5100 break; 5101 5102 #ifndef IPPROTO_AH 5103 #define IPPROTO_AH 51 5104 #endif 5105 case Q_AH: 5106 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT); 5107 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT); 5108 gen_or(b0, b1); 5109 break; 5110 5111 #ifndef IPPROTO_ESP 5112 #define IPPROTO_ESP 50 5113 #endif 5114 case Q_ESP: 5115 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT); 5116 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 5117 gen_or(b0, b1); 5118 break; 5119 5120 case Q_ISO: 5121 b1 = gen_linktype(cstate, LLCSAP_ISONS); 5122 break; 5123 5124 case Q_ESIS: 5125 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT); 5126 break; 5127 5128 case Q_ISIS: 5129 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5130 break; 5131 5132 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5133 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5134 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5135 gen_or(b0, b1); 5136 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5137 gen_or(b0, b1); 5138 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5139 gen_or(b0, b1); 5140 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5141 gen_or(b0, b1); 5142 break; 5143 5144 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5145 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5146 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5147 gen_or(b0, b1); 5148 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5149 gen_or(b0, b1); 5150 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5151 gen_or(b0, b1); 5152 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5153 gen_or(b0, b1); 5154 break; 5155 5156 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5157 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5158 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5159 gen_or(b0, b1); 5160 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5161 gen_or(b0, b1); 5162 break; 5163 5164 case Q_ISIS_LSP: 5165 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5166 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5167 gen_or(b0, b1); 5168 break; 5169 5170 case Q_ISIS_SNP: 5171 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5172 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5173 gen_or(b0, b1); 5174 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5175 gen_or(b0, b1); 5176 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5177 gen_or(b0, b1); 5178 break; 5179 5180 case Q_ISIS_CSNP: 5181 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5182 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5183 gen_or(b0, b1); 5184 break; 5185 5186 case Q_ISIS_PSNP: 5187 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5188 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5189 gen_or(b0, b1); 5190 break; 5191 5192 case Q_CLNP: 5193 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5194 break; 5195 5196 case Q_STP: 5197 b1 = gen_linktype(cstate, LLCSAP_8021D); 5198 break; 5199 5200 case Q_IPX: 5201 b1 = gen_linktype(cstate, LLCSAP_IPX); 5202 break; 5203 5204 case Q_NETBEUI: 5205 b1 = gen_linktype(cstate, LLCSAP_NETBEUI); 5206 break; 5207 5208 case Q_RADIO: 5209 bpf_error(cstate, "'radio' is not a valid protocol type"); 5210 5211 default: 5212 abort(); 5213 } 5214 return b1; 5215 } 5216 5217 static struct block * 5218 gen_ipfrag(compiler_state_t *cstate) 5219 { 5220 struct slist *s; 5221 struct block *b; 5222 5223 /* not IPv4 frag other than the first frag */ 5224 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H); 5225 b = new_block(cstate, JMP(BPF_JSET)); 5226 b->s.k = 0x1fff; 5227 b->stmts = s; 5228 gen_not(b); 5229 5230 return b; 5231 } 5232 5233 /* 5234 * Generate a comparison to a port value in the transport-layer header 5235 * at the specified offset from the beginning of that header. 5236 * 5237 * XXX - this handles a variable-length prefix preceding the link-layer 5238 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5239 * variable-length link-layer headers (such as Token Ring or 802.11 5240 * headers). 5241 */ 5242 static struct block * 5243 gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v) 5244 { 5245 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v); 5246 } 5247 5248 static struct block * 5249 gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v) 5250 { 5251 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v); 5252 } 5253 5254 struct block * 5255 gen_portop(compiler_state_t *cstate, int port, int proto, int dir) 5256 { 5257 struct block *b0, *b1, *tmp; 5258 5259 /* ip proto 'proto' and not a fragment other than the first fragment */ 5260 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5261 b0 = gen_ipfrag(cstate); 5262 gen_and(tmp, b0); 5263 5264 switch (dir) { 5265 case Q_SRC: 5266 b1 = gen_portatom(cstate, 0, (bpf_int32)port); 5267 break; 5268 5269 case Q_DST: 5270 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5271 break; 5272 5273 case Q_OR: 5274 case Q_DEFAULT: 5275 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5276 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5277 gen_or(tmp, b1); 5278 break; 5279 5280 case Q_AND: 5281 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5282 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5283 gen_and(tmp, b1); 5284 break; 5285 5286 default: 5287 abort(); 5288 } 5289 gen_and(b0, b1); 5290 5291 return b1; 5292 } 5293 5294 static struct block * 5295 gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir) 5296 { 5297 struct block *b0, *b1, *tmp; 5298 5299 /* 5300 * ether proto ip 5301 * 5302 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5303 * not LLC encapsulation with LLCSAP_IP. 5304 * 5305 * For IEEE 802 networks - which includes 802.5 token ring 5306 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5307 * says that SNAP encapsulation is used, not LLC encapsulation 5308 * with LLCSAP_IP. 5309 * 5310 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5311 * RFC 2225 say that SNAP encapsulation is used, not LLC 5312 * encapsulation with LLCSAP_IP. 5313 * 5314 * So we always check for ETHERTYPE_IP. 5315 */ 5316 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5317 5318 switch (ip_proto) { 5319 case IPPROTO_UDP: 5320 case IPPROTO_TCP: 5321 case IPPROTO_SCTP: 5322 b1 = gen_portop(cstate, port, ip_proto, dir); 5323 break; 5324 5325 case PROTO_UNDEF: 5326 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir); 5327 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir); 5328 gen_or(tmp, b1); 5329 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir); 5330 gen_or(tmp, b1); 5331 break; 5332 5333 default: 5334 abort(); 5335 } 5336 gen_and(b0, b1); 5337 return b1; 5338 } 5339 5340 struct block * 5341 gen_portop6(compiler_state_t *cstate, int port, int proto, int dir) 5342 { 5343 struct block *b0, *b1, *tmp; 5344 5345 /* ip6 proto 'proto' */ 5346 /* XXX - catch the first fragment of a fragmented packet? */ 5347 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5348 5349 switch (dir) { 5350 case Q_SRC: 5351 b1 = gen_portatom6(cstate, 0, (bpf_int32)port); 5352 break; 5353 5354 case Q_DST: 5355 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5356 break; 5357 5358 case Q_OR: 5359 case Q_DEFAULT: 5360 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5361 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5362 gen_or(tmp, b1); 5363 break; 5364 5365 case Q_AND: 5366 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5367 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5368 gen_and(tmp, b1); 5369 break; 5370 5371 default: 5372 abort(); 5373 } 5374 gen_and(b0, b1); 5375 5376 return b1; 5377 } 5378 5379 static struct block * 5380 gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir) 5381 { 5382 struct block *b0, *b1, *tmp; 5383 5384 /* link proto ip6 */ 5385 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5386 5387 switch (ip_proto) { 5388 case IPPROTO_UDP: 5389 case IPPROTO_TCP: 5390 case IPPROTO_SCTP: 5391 b1 = gen_portop6(cstate, port, ip_proto, dir); 5392 break; 5393 5394 case PROTO_UNDEF: 5395 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir); 5396 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir); 5397 gen_or(tmp, b1); 5398 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir); 5399 gen_or(tmp, b1); 5400 break; 5401 5402 default: 5403 abort(); 5404 } 5405 gen_and(b0, b1); 5406 return b1; 5407 } 5408 5409 /* gen_portrange code */ 5410 static struct block * 5411 gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1, 5412 bpf_int32 v2) 5413 { 5414 struct block *b1, *b2; 5415 5416 if (v1 > v2) { 5417 /* 5418 * Reverse the order of the ports, so v1 is the lower one. 5419 */ 5420 bpf_int32 vtemp; 5421 5422 vtemp = v1; 5423 v1 = v2; 5424 v2 = vtemp; 5425 } 5426 5427 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1); 5428 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2); 5429 5430 gen_and(b1, b2); 5431 5432 return b2; 5433 } 5434 5435 struct block * 5436 gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto, 5437 int dir) 5438 { 5439 struct block *b0, *b1, *tmp; 5440 5441 /* ip proto 'proto' and not a fragment other than the first fragment */ 5442 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5443 b0 = gen_ipfrag(cstate); 5444 gen_and(tmp, b0); 5445 5446 switch (dir) { 5447 case Q_SRC: 5448 b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5449 break; 5450 5451 case Q_DST: 5452 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5453 break; 5454 5455 case Q_OR: 5456 case Q_DEFAULT: 5457 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5458 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5459 gen_or(tmp, b1); 5460 break; 5461 5462 case Q_AND: 5463 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5464 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5465 gen_and(tmp, b1); 5466 break; 5467 5468 default: 5469 abort(); 5470 } 5471 gen_and(b0, b1); 5472 5473 return b1; 5474 } 5475 5476 static struct block * 5477 gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5478 int dir) 5479 { 5480 struct block *b0, *b1, *tmp; 5481 5482 /* link proto ip */ 5483 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5484 5485 switch (ip_proto) { 5486 case IPPROTO_UDP: 5487 case IPPROTO_TCP: 5488 case IPPROTO_SCTP: 5489 b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir); 5490 break; 5491 5492 case PROTO_UNDEF: 5493 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir); 5494 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir); 5495 gen_or(tmp, b1); 5496 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir); 5497 gen_or(tmp, b1); 5498 break; 5499 5500 default: 5501 abort(); 5502 } 5503 gen_and(b0, b1); 5504 return b1; 5505 } 5506 5507 static struct block * 5508 gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1, 5509 bpf_int32 v2) 5510 { 5511 struct block *b1, *b2; 5512 5513 if (v1 > v2) { 5514 /* 5515 * Reverse the order of the ports, so v1 is the lower one. 5516 */ 5517 bpf_int32 vtemp; 5518 5519 vtemp = v1; 5520 v1 = v2; 5521 v2 = vtemp; 5522 } 5523 5524 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1); 5525 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2); 5526 5527 gen_and(b1, b2); 5528 5529 return b2; 5530 } 5531 5532 struct block * 5533 gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto, 5534 int dir) 5535 { 5536 struct block *b0, *b1, *tmp; 5537 5538 /* ip6 proto 'proto' */ 5539 /* XXX - catch the first fragment of a fragmented packet? */ 5540 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5541 5542 switch (dir) { 5543 case Q_SRC: 5544 b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5545 break; 5546 5547 case Q_DST: 5548 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5549 break; 5550 5551 case Q_OR: 5552 case Q_DEFAULT: 5553 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5554 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5555 gen_or(tmp, b1); 5556 break; 5557 5558 case Q_AND: 5559 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5560 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5561 gen_and(tmp, b1); 5562 break; 5563 5564 default: 5565 abort(); 5566 } 5567 gen_and(b0, b1); 5568 5569 return b1; 5570 } 5571 5572 static struct block * 5573 gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5574 int dir) 5575 { 5576 struct block *b0, *b1, *tmp; 5577 5578 /* link proto ip6 */ 5579 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5580 5581 switch (ip_proto) { 5582 case IPPROTO_UDP: 5583 case IPPROTO_TCP: 5584 case IPPROTO_SCTP: 5585 b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir); 5586 break; 5587 5588 case PROTO_UNDEF: 5589 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir); 5590 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir); 5591 gen_or(tmp, b1); 5592 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir); 5593 gen_or(tmp, b1); 5594 break; 5595 5596 default: 5597 abort(); 5598 } 5599 gen_and(b0, b1); 5600 return b1; 5601 } 5602 5603 static int 5604 lookup_proto(compiler_state_t *cstate, const char *name, int proto) 5605 { 5606 register int v; 5607 5608 switch (proto) { 5609 5610 case Q_DEFAULT: 5611 case Q_IP: 5612 case Q_IPV6: 5613 v = pcap_nametoproto(name); 5614 if (v == PROTO_UNDEF) 5615 bpf_error(cstate, "unknown ip proto '%s'", name); 5616 break; 5617 5618 case Q_LINK: 5619 /* XXX should look up h/w protocol type based on cstate->linktype */ 5620 v = pcap_nametoeproto(name); 5621 if (v == PROTO_UNDEF) { 5622 v = pcap_nametollc(name); 5623 if (v == PROTO_UNDEF) 5624 bpf_error(cstate, "unknown ether proto '%s'", name); 5625 } 5626 break; 5627 5628 case Q_ISO: 5629 if (strcmp(name, "esis") == 0) 5630 v = ISO9542_ESIS; 5631 else if (strcmp(name, "isis") == 0) 5632 v = ISO10589_ISIS; 5633 else if (strcmp(name, "clnp") == 0) 5634 v = ISO8473_CLNP; 5635 else 5636 bpf_error(cstate, "unknown osi proto '%s'", name); 5637 break; 5638 5639 default: 5640 v = PROTO_UNDEF; 5641 break; 5642 } 5643 return v; 5644 } 5645 5646 #if 0 5647 struct stmt * 5648 gen_joinsp(s, n) 5649 struct stmt **s; 5650 int n; 5651 { 5652 return NULL; 5653 } 5654 #endif 5655 5656 static struct block * 5657 gen_protochain(compiler_state_t *cstate, int v, int proto, int dir) 5658 { 5659 #ifdef NO_PROTOCHAIN 5660 return gen_proto(cstate, v, proto, dir); 5661 #else 5662 struct block *b0, *b; 5663 struct slist *s[100]; 5664 int fix2, fix3, fix4, fix5; 5665 int ahcheck, again, end; 5666 int i, max; 5667 int reg2 = alloc_reg(cstate); 5668 5669 memset(s, 0, sizeof(s)); 5670 fix3 = fix4 = fix5 = 0; 5671 5672 switch (proto) { 5673 case Q_IP: 5674 case Q_IPV6: 5675 break; 5676 case Q_DEFAULT: 5677 b0 = gen_protochain(cstate, v, Q_IP, dir); 5678 b = gen_protochain(cstate, v, Q_IPV6, dir); 5679 gen_or(b0, b); 5680 return b; 5681 default: 5682 bpf_error(cstate, "bad protocol applied for 'protochain'"); 5683 /*NOTREACHED*/ 5684 } 5685 5686 /* 5687 * We don't handle variable-length prefixes before the link-layer 5688 * header, or variable-length link-layer headers, here yet. 5689 * We might want to add BPF instructions to do the protochain 5690 * work, to simplify that and, on platforms that have a BPF 5691 * interpreter with the new instructions, let the filtering 5692 * be done in the kernel. (We already require a modified BPF 5693 * engine to do the protochain stuff, to support backward 5694 * branches, and backward branch support is unlikely to appear 5695 * in kernel BPF engines.) 5696 */ 5697 if (cstate->off_linkpl.is_variable) 5698 bpf_error(cstate, "'protochain' not supported with variable length headers"); 5699 5700 cstate->no_optimize = 1; /*this code is not compatible with optimzer yet */ 5701 5702 /* 5703 * s[0] is a dummy entry to protect other BPF insn from damage 5704 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5705 * hard to find interdependency made by jump table fixup. 5706 */ 5707 i = 0; 5708 s[i] = new_stmt(cstate, 0); /*dummy*/ 5709 i++; 5710 5711 switch (proto) { 5712 case Q_IP: 5713 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5714 5715 /* A = ip->ip_p */ 5716 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 5717 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9; 5718 i++; 5719 /* X = ip->ip_hl << 2 */ 5720 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 5721 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5722 i++; 5723 break; 5724 5725 case Q_IPV6: 5726 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5727 5728 /* A = ip6->ip_nxt */ 5729 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 5730 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6; 5731 i++; 5732 /* X = sizeof(struct ip6_hdr) */ 5733 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM); 5734 s[i]->s.k = 40; 5735 i++; 5736 break; 5737 5738 default: 5739 bpf_error(cstate, "unsupported proto to gen_protochain"); 5740 /*NOTREACHED*/ 5741 } 5742 5743 /* again: if (A == v) goto end; else fall through; */ 5744 again = i; 5745 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5746 s[i]->s.k = v; 5747 s[i]->s.jt = NULL; /*later*/ 5748 s[i]->s.jf = NULL; /*update in next stmt*/ 5749 fix5 = i; 5750 i++; 5751 5752 #ifndef IPPROTO_NONE 5753 #define IPPROTO_NONE 59 5754 #endif 5755 /* if (A == IPPROTO_NONE) goto end */ 5756 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5757 s[i]->s.jt = NULL; /*later*/ 5758 s[i]->s.jf = NULL; /*update in next stmt*/ 5759 s[i]->s.k = IPPROTO_NONE; 5760 s[fix5]->s.jf = s[i]; 5761 fix2 = i; 5762 i++; 5763 5764 if (proto == Q_IPV6) { 5765 int v6start, v6end, v6advance, j; 5766 5767 v6start = i; 5768 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5769 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5770 s[i]->s.jt = NULL; /*later*/ 5771 s[i]->s.jf = NULL; /*update in next stmt*/ 5772 s[i]->s.k = IPPROTO_HOPOPTS; 5773 s[fix2]->s.jf = s[i]; 5774 i++; 5775 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5776 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5777 s[i]->s.jt = NULL; /*later*/ 5778 s[i]->s.jf = NULL; /*update in next stmt*/ 5779 s[i]->s.k = IPPROTO_DSTOPTS; 5780 i++; 5781 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5782 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5783 s[i]->s.jt = NULL; /*later*/ 5784 s[i]->s.jf = NULL; /*update in next stmt*/ 5785 s[i]->s.k = IPPROTO_ROUTING; 5786 i++; 5787 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5788 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5789 s[i]->s.jt = NULL; /*later*/ 5790 s[i]->s.jf = NULL; /*later*/ 5791 s[i]->s.k = IPPROTO_FRAGMENT; 5792 fix3 = i; 5793 v6end = i; 5794 i++; 5795 5796 /* v6advance: */ 5797 v6advance = i; 5798 5799 /* 5800 * in short, 5801 * A = P[X + packet head]; 5802 * X = X + (P[X + packet head + 1] + 1) * 8; 5803 */ 5804 /* A = P[X + packet head] */ 5805 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5806 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5807 i++; 5808 /* MEM[reg2] = A */ 5809 s[i] = new_stmt(cstate, BPF_ST); 5810 s[i]->s.k = reg2; 5811 i++; 5812 /* A = P[X + packet head + 1]; */ 5813 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5814 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1; 5815 i++; 5816 /* A += 1 */ 5817 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5818 s[i]->s.k = 1; 5819 i++; 5820 /* A *= 8 */ 5821 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 5822 s[i]->s.k = 8; 5823 i++; 5824 /* A += X */ 5825 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 5826 s[i]->s.k = 0; 5827 i++; 5828 /* X = A; */ 5829 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 5830 i++; 5831 /* A = MEM[reg2] */ 5832 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 5833 s[i]->s.k = reg2; 5834 i++; 5835 5836 /* goto again; (must use BPF_JA for backward jump) */ 5837 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 5838 s[i]->s.k = again - i - 1; 5839 s[i - 1]->s.jf = s[i]; 5840 i++; 5841 5842 /* fixup */ 5843 for (j = v6start; j <= v6end; j++) 5844 s[j]->s.jt = s[v6advance]; 5845 } else { 5846 /* nop */ 5847 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5848 s[i]->s.k = 0; 5849 s[fix2]->s.jf = s[i]; 5850 i++; 5851 } 5852 5853 /* ahcheck: */ 5854 ahcheck = i; 5855 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5856 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5857 s[i]->s.jt = NULL; /*later*/ 5858 s[i]->s.jf = NULL; /*later*/ 5859 s[i]->s.k = IPPROTO_AH; 5860 if (fix3) 5861 s[fix3]->s.jf = s[ahcheck]; 5862 fix4 = i; 5863 i++; 5864 5865 /* 5866 * in short, 5867 * A = P[X]; 5868 * X = X + (P[X + 1] + 2) * 4; 5869 */ 5870 /* A = X */ 5871 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 5872 i++; 5873 /* A = P[X + packet head]; */ 5874 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5875 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5876 i++; 5877 /* MEM[reg2] = A */ 5878 s[i] = new_stmt(cstate, BPF_ST); 5879 s[i]->s.k = reg2; 5880 i++; 5881 /* A = X */ 5882 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 5883 i++; 5884 /* A += 1 */ 5885 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5886 s[i]->s.k = 1; 5887 i++; 5888 /* X = A */ 5889 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 5890 i++; 5891 /* A = P[X + packet head] */ 5892 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5893 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5894 i++; 5895 /* A += 2 */ 5896 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5897 s[i]->s.k = 2; 5898 i++; 5899 /* A *= 4 */ 5900 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 5901 s[i]->s.k = 4; 5902 i++; 5903 /* X = A; */ 5904 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 5905 i++; 5906 /* A = MEM[reg2] */ 5907 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 5908 s[i]->s.k = reg2; 5909 i++; 5910 5911 /* goto again; (must use BPF_JA for backward jump) */ 5912 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 5913 s[i]->s.k = again - i - 1; 5914 i++; 5915 5916 /* end: nop */ 5917 end = i; 5918 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5919 s[i]->s.k = 0; 5920 s[fix2]->s.jt = s[end]; 5921 s[fix4]->s.jf = s[end]; 5922 s[fix5]->s.jt = s[end]; 5923 i++; 5924 5925 /* 5926 * make slist chain 5927 */ 5928 max = i; 5929 for (i = 0; i < max - 1; i++) 5930 s[i]->next = s[i + 1]; 5931 s[max - 1]->next = NULL; 5932 5933 /* 5934 * emit final check 5935 */ 5936 b = new_block(cstate, JMP(BPF_JEQ)); 5937 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5938 b->s.k = v; 5939 5940 free_reg(cstate, reg2); 5941 5942 gen_and(b0, b); 5943 return b; 5944 #endif 5945 } 5946 5947 static struct block * 5948 gen_check_802_11_data_frame(compiler_state_t *cstate) 5949 { 5950 struct slist *s; 5951 struct block *b0, *b1; 5952 5953 /* 5954 * A data frame has the 0x08 bit (b3) in the frame control field set 5955 * and the 0x04 bit (b2) clear. 5956 */ 5957 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 5958 b0 = new_block(cstate, JMP(BPF_JSET)); 5959 b0->s.k = 0x08; 5960 b0->stmts = s; 5961 5962 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 5963 b1 = new_block(cstate, JMP(BPF_JSET)); 5964 b1->s.k = 0x04; 5965 b1->stmts = s; 5966 gen_not(b1); 5967 5968 gen_and(b1, b0); 5969 5970 return b0; 5971 } 5972 5973 /* 5974 * Generate code that checks whether the packet is a packet for protocol 5975 * <proto> and whether the type field in that protocol's header has 5976 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5977 * IP packet and checks the protocol number in the IP header against <v>. 5978 * 5979 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5980 * against Q_IP and Q_IPV6. 5981 */ 5982 static struct block * 5983 gen_proto(compiler_state_t *cstate, int v, int proto, int dir) 5984 { 5985 struct block *b0, *b1; 5986 #ifndef CHASE_CHAIN 5987 struct block *b2; 5988 #endif 5989 5990 if (dir != Q_DEFAULT) 5991 bpf_error(cstate, "direction applied to 'proto'"); 5992 5993 switch (proto) { 5994 case Q_DEFAULT: 5995 b0 = gen_proto(cstate, v, Q_IP, dir); 5996 b1 = gen_proto(cstate, v, Q_IPV6, dir); 5997 gen_or(b0, b1); 5998 return b1; 5999 6000 case Q_IP: 6001 /* 6002 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 6003 * not LLC encapsulation with LLCSAP_IP. 6004 * 6005 * For IEEE 802 networks - which includes 802.5 token ring 6006 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 6007 * says that SNAP encapsulation is used, not LLC encapsulation 6008 * with LLCSAP_IP. 6009 * 6010 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 6011 * RFC 2225 say that SNAP encapsulation is used, not LLC 6012 * encapsulation with LLCSAP_IP. 6013 * 6014 * So we always check for ETHERTYPE_IP. 6015 */ 6016 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6017 #ifndef CHASE_CHAIN 6018 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v); 6019 #else 6020 b1 = gen_protochain(cstate, v, Q_IP); 6021 #endif 6022 gen_and(b0, b1); 6023 return b1; 6024 6025 case Q_ISO: 6026 switch (cstate->linktype) { 6027 6028 case DLT_FRELAY: 6029 /* 6030 * Frame Relay packets typically have an OSI 6031 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)" 6032 * generates code to check for all the OSI 6033 * NLPIDs, so calling it and then adding a check 6034 * for the particular NLPID for which we're 6035 * looking is bogus, as we can just check for 6036 * the NLPID. 6037 * 6038 * What we check for is the NLPID and a frame 6039 * control field value of UI, i.e. 0x03 followed 6040 * by the NLPID. 6041 * 6042 * XXX - assumes a 2-byte Frame Relay header with 6043 * DLCI and flags. What if the address is longer? 6044 * 6045 * XXX - what about SNAP-encapsulated frames? 6046 */ 6047 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v); 6048 /*NOTREACHED*/ 6049 break; 6050 6051 case DLT_C_HDLC: 6052 /* 6053 * Cisco uses an Ethertype lookalike - for OSI, 6054 * it's 0xfefe. 6055 */ 6056 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS); 6057 /* OSI in C-HDLC is stuffed with a fudge byte */ 6058 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v); 6059 gen_and(b0, b1); 6060 return b1; 6061 6062 default: 6063 b0 = gen_linktype(cstate, LLCSAP_ISONS); 6064 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v); 6065 gen_and(b0, b1); 6066 return b1; 6067 } 6068 6069 case Q_ISIS: 6070 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 6071 /* 6072 * 4 is the offset of the PDU type relative to the IS-IS 6073 * header. 6074 */ 6075 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v); 6076 gen_and(b0, b1); 6077 return b1; 6078 6079 case Q_ARP: 6080 bpf_error(cstate, "arp does not encapsulate another protocol"); 6081 /* NOTREACHED */ 6082 6083 case Q_RARP: 6084 bpf_error(cstate, "rarp does not encapsulate another protocol"); 6085 /* NOTREACHED */ 6086 6087 case Q_ATALK: 6088 bpf_error(cstate, "atalk encapsulation is not specifiable"); 6089 /* NOTREACHED */ 6090 6091 case Q_DECNET: 6092 bpf_error(cstate, "decnet encapsulation is not specifiable"); 6093 /* NOTREACHED */ 6094 6095 case Q_SCA: 6096 bpf_error(cstate, "sca does not encapsulate another protocol"); 6097 /* NOTREACHED */ 6098 6099 case Q_LAT: 6100 bpf_error(cstate, "lat does not encapsulate another protocol"); 6101 /* NOTREACHED */ 6102 6103 case Q_MOPRC: 6104 bpf_error(cstate, "moprc does not encapsulate another protocol"); 6105 /* NOTREACHED */ 6106 6107 case Q_MOPDL: 6108 bpf_error(cstate, "mopdl does not encapsulate another protocol"); 6109 /* NOTREACHED */ 6110 6111 case Q_LINK: 6112 return gen_linktype(cstate, v); 6113 6114 case Q_UDP: 6115 bpf_error(cstate, "'udp proto' is bogus"); 6116 /* NOTREACHED */ 6117 6118 case Q_TCP: 6119 bpf_error(cstate, "'tcp proto' is bogus"); 6120 /* NOTREACHED */ 6121 6122 case Q_SCTP: 6123 bpf_error(cstate, "'sctp proto' is bogus"); 6124 /* NOTREACHED */ 6125 6126 case Q_ICMP: 6127 bpf_error(cstate, "'icmp proto' is bogus"); 6128 /* NOTREACHED */ 6129 6130 case Q_IGMP: 6131 bpf_error(cstate, "'igmp proto' is bogus"); 6132 /* NOTREACHED */ 6133 6134 case Q_IGRP: 6135 bpf_error(cstate, "'igrp proto' is bogus"); 6136 /* NOTREACHED */ 6137 6138 case Q_PIM: 6139 bpf_error(cstate, "'pim proto' is bogus"); 6140 /* NOTREACHED */ 6141 6142 case Q_VRRP: 6143 bpf_error(cstate, "'vrrp proto' is bogus"); 6144 /* NOTREACHED */ 6145 6146 case Q_CARP: 6147 bpf_error(cstate, "'carp proto' is bogus"); 6148 /* NOTREACHED */ 6149 6150 case Q_IPV6: 6151 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6152 #ifndef CHASE_CHAIN 6153 /* 6154 * Also check for a fragment header before the final 6155 * header. 6156 */ 6157 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT); 6158 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v); 6159 gen_and(b2, b1); 6160 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v); 6161 gen_or(b2, b1); 6162 #else 6163 b1 = gen_protochain(cstate, v, Q_IPV6); 6164 #endif 6165 gen_and(b0, b1); 6166 return b1; 6167 6168 case Q_ICMPV6: 6169 bpf_error(cstate, "'icmp6 proto' is bogus"); 6170 6171 case Q_AH: 6172 bpf_error(cstate, "'ah proto' is bogus"); 6173 6174 case Q_ESP: 6175 bpf_error(cstate, "'ah proto' is bogus"); 6176 6177 case Q_STP: 6178 bpf_error(cstate, "'stp proto' is bogus"); 6179 6180 case Q_IPX: 6181 bpf_error(cstate, "'ipx proto' is bogus"); 6182 6183 case Q_NETBEUI: 6184 bpf_error(cstate, "'netbeui proto' is bogus"); 6185 6186 case Q_RADIO: 6187 bpf_error(cstate, "'radio proto' is bogus"); 6188 6189 default: 6190 abort(); 6191 /* NOTREACHED */ 6192 } 6193 /* NOTREACHED */ 6194 } 6195 6196 struct block * 6197 gen_scode(compiler_state_t *cstate, const char *name, struct qual q) 6198 { 6199 int proto = q.proto; 6200 int dir = q.dir; 6201 int tproto; 6202 u_char *eaddr; 6203 bpf_u_int32 mask, addr; 6204 #ifndef INET6 6205 bpf_u_int32 **alist; 6206 #else 6207 int tproto6; 6208 struct sockaddr_in *sin4; 6209 struct sockaddr_in6 *sin6; 6210 struct addrinfo *res, *res0; 6211 struct in6_addr mask128; 6212 #endif /*INET6*/ 6213 struct block *b, *tmp; 6214 int port, real_proto; 6215 int port1, port2; 6216 6217 switch (q.addr) { 6218 6219 case Q_NET: 6220 addr = pcap_nametonetaddr(name); 6221 if (addr == 0) 6222 bpf_error(cstate, "unknown network '%s'", name); 6223 /* Left justify network addr and calculate its network mask */ 6224 mask = 0xffffffff; 6225 while (addr && (addr & 0xff000000) == 0) { 6226 addr <<= 8; 6227 mask <<= 8; 6228 } 6229 return gen_host(cstate, addr, mask, proto, dir, q.addr); 6230 6231 case Q_DEFAULT: 6232 case Q_HOST: 6233 if (proto == Q_LINK) { 6234 switch (cstate->linktype) { 6235 6236 case DLT_EN10MB: 6237 case DLT_NETANALYZER: 6238 case DLT_NETANALYZER_TRANSPARENT: 6239 eaddr = pcap_ether_hostton(name); 6240 if (eaddr == NULL) 6241 bpf_error(cstate, 6242 "unknown ether host '%s'", name); 6243 tmp = gen_prevlinkhdr_check(cstate); 6244 b = gen_ehostop(cstate, eaddr, dir); 6245 if (tmp != NULL) 6246 gen_and(tmp, b); 6247 free(eaddr); 6248 return b; 6249 6250 case DLT_FDDI: 6251 eaddr = pcap_ether_hostton(name); 6252 if (eaddr == NULL) 6253 bpf_error(cstate, 6254 "unknown FDDI host '%s'", name); 6255 b = gen_fhostop(cstate, eaddr, dir); 6256 free(eaddr); 6257 return b; 6258 6259 case DLT_IEEE802: 6260 eaddr = pcap_ether_hostton(name); 6261 if (eaddr == NULL) 6262 bpf_error(cstate, 6263 "unknown token ring host '%s'", name); 6264 b = gen_thostop(cstate, eaddr, dir); 6265 free(eaddr); 6266 return b; 6267 6268 case DLT_IEEE802_11: 6269 case DLT_PRISM_HEADER: 6270 case DLT_IEEE802_11_RADIO_AVS: 6271 case DLT_IEEE802_11_RADIO: 6272 case DLT_PPI: 6273 eaddr = pcap_ether_hostton(name); 6274 if (eaddr == NULL) 6275 bpf_error(cstate, 6276 "unknown 802.11 host '%s'", name); 6277 b = gen_wlanhostop(cstate, eaddr, dir); 6278 free(eaddr); 6279 return b; 6280 6281 case DLT_IP_OVER_FC: 6282 eaddr = pcap_ether_hostton(name); 6283 if (eaddr == NULL) 6284 bpf_error(cstate, 6285 "unknown Fibre Channel host '%s'", name); 6286 b = gen_ipfchostop(cstate, eaddr, dir); 6287 free(eaddr); 6288 return b; 6289 } 6290 6291 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6292 } else if (proto == Q_DECNET) { 6293 unsigned short dn_addr; 6294 6295 if (!__pcap_nametodnaddr(name, &dn_addr)) { 6296 #ifdef DECNETLIB 6297 bpf_error(cstate, "unknown decnet host name '%s'\n", name); 6298 #else 6299 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n", 6300 name); 6301 #endif 6302 } 6303 /* 6304 * I don't think DECNET hosts can be multihomed, so 6305 * there is no need to build up a list of addresses 6306 */ 6307 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr)); 6308 } else { 6309 #ifndef INET6 6310 alist = pcap_nametoaddr(name); 6311 if (alist == NULL || *alist == NULL) 6312 bpf_error(cstate, "unknown host '%s'", name); 6313 tproto = proto; 6314 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6315 tproto == Q_DEFAULT) 6316 tproto = Q_IP; 6317 b = gen_host(cstate, **alist++, 0xffffffff, tproto, dir, q.addr); 6318 while (*alist) { 6319 tmp = gen_host(cstate, **alist++, 0xffffffff, 6320 tproto, dir, q.addr); 6321 gen_or(b, tmp); 6322 b = tmp; 6323 } 6324 return b; 6325 #else 6326 memset(&mask128, 0xff, sizeof(mask128)); 6327 res0 = res = pcap_nametoaddrinfo(name); 6328 if (res == NULL) 6329 bpf_error(cstate, "unknown host '%s'", name); 6330 cstate->ai = res; 6331 b = tmp = NULL; 6332 tproto = tproto6 = proto; 6333 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6334 tproto == Q_DEFAULT) { 6335 tproto = Q_IP; 6336 tproto6 = Q_IPV6; 6337 } 6338 for (res = res0; res; res = res->ai_next) { 6339 switch (res->ai_family) { 6340 case AF_INET: 6341 if (tproto == Q_IPV6) 6342 continue; 6343 6344 sin4 = (struct sockaddr_in *) 6345 res->ai_addr; 6346 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr), 6347 0xffffffff, tproto, dir, q.addr); 6348 break; 6349 case AF_INET6: 6350 if (tproto6 == Q_IP) 6351 continue; 6352 6353 sin6 = (struct sockaddr_in6 *) 6354 res->ai_addr; 6355 tmp = gen_host6(cstate, &sin6->sin6_addr, 6356 &mask128, tproto6, dir, q.addr); 6357 break; 6358 default: 6359 continue; 6360 } 6361 if (b) 6362 gen_or(b, tmp); 6363 b = tmp; 6364 } 6365 cstate->ai = NULL; 6366 freeaddrinfo(res0); 6367 if (b == NULL) { 6368 bpf_error(cstate, "unknown host '%s'%s", name, 6369 (proto == Q_DEFAULT) 6370 ? "" 6371 : " for specified address family"); 6372 } 6373 return b; 6374 #endif /*INET6*/ 6375 } 6376 6377 case Q_PORT: 6378 if (proto != Q_DEFAULT && 6379 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6380 bpf_error(cstate, "illegal qualifier of 'port'"); 6381 if (pcap_nametoport(name, &port, &real_proto) == 0) 6382 bpf_error(cstate, "unknown port '%s'", name); 6383 if (proto == Q_UDP) { 6384 if (real_proto == IPPROTO_TCP) 6385 bpf_error(cstate, "port '%s' is tcp", name); 6386 else if (real_proto == IPPROTO_SCTP) 6387 bpf_error(cstate, "port '%s' is sctp", name); 6388 else 6389 /* override PROTO_UNDEF */ 6390 real_proto = IPPROTO_UDP; 6391 } 6392 if (proto == Q_TCP) { 6393 if (real_proto == IPPROTO_UDP) 6394 bpf_error(cstate, "port '%s' is udp", name); 6395 6396 else if (real_proto == IPPROTO_SCTP) 6397 bpf_error(cstate, "port '%s' is sctp", name); 6398 else 6399 /* override PROTO_UNDEF */ 6400 real_proto = IPPROTO_TCP; 6401 } 6402 if (proto == Q_SCTP) { 6403 if (real_proto == IPPROTO_UDP) 6404 bpf_error(cstate, "port '%s' is udp", name); 6405 6406 else if (real_proto == IPPROTO_TCP) 6407 bpf_error(cstate, "port '%s' is tcp", name); 6408 else 6409 /* override PROTO_UNDEF */ 6410 real_proto = IPPROTO_SCTP; 6411 } 6412 if (port < 0) 6413 bpf_error(cstate, "illegal port number %d < 0", port); 6414 if (port > 65535) 6415 bpf_error(cstate, "illegal port number %d > 65535", port); 6416 b = gen_port(cstate, port, real_proto, dir); 6417 gen_or(gen_port6(cstate, port, real_proto, dir), b); 6418 return b; 6419 6420 case Q_PORTRANGE: 6421 if (proto != Q_DEFAULT && 6422 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6423 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6424 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6425 bpf_error(cstate, "unknown port in range '%s'", name); 6426 if (proto == Q_UDP) { 6427 if (real_proto == IPPROTO_TCP) 6428 bpf_error(cstate, "port in range '%s' is tcp", name); 6429 else if (real_proto == IPPROTO_SCTP) 6430 bpf_error(cstate, "port in range '%s' is sctp", name); 6431 else 6432 /* override PROTO_UNDEF */ 6433 real_proto = IPPROTO_UDP; 6434 } 6435 if (proto == Q_TCP) { 6436 if (real_proto == IPPROTO_UDP) 6437 bpf_error(cstate, "port in range '%s' is udp", name); 6438 else if (real_proto == IPPROTO_SCTP) 6439 bpf_error(cstate, "port in range '%s' is sctp", name); 6440 else 6441 /* override PROTO_UNDEF */ 6442 real_proto = IPPROTO_TCP; 6443 } 6444 if (proto == Q_SCTP) { 6445 if (real_proto == IPPROTO_UDP) 6446 bpf_error(cstate, "port in range '%s' is udp", name); 6447 else if (real_proto == IPPROTO_TCP) 6448 bpf_error(cstate, "port in range '%s' is tcp", name); 6449 else 6450 /* override PROTO_UNDEF */ 6451 real_proto = IPPROTO_SCTP; 6452 } 6453 if (port1 < 0) 6454 bpf_error(cstate, "illegal port number %d < 0", port1); 6455 if (port1 > 65535) 6456 bpf_error(cstate, "illegal port number %d > 65535", port1); 6457 if (port2 < 0) 6458 bpf_error(cstate, "illegal port number %d < 0", port2); 6459 if (port2 > 65535) 6460 bpf_error(cstate, "illegal port number %d > 65535", port2); 6461 6462 b = gen_portrange(cstate, port1, port2, real_proto, dir); 6463 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b); 6464 return b; 6465 6466 case Q_GATEWAY: 6467 #ifndef INET6 6468 eaddr = pcap_ether_hostton(name); 6469 if (eaddr == NULL) 6470 bpf_error(cstate, "unknown ether host: %s", name); 6471 6472 alist = pcap_nametoaddr(name); 6473 if (alist == NULL || *alist == NULL) 6474 bpf_error(cstate, "unknown host '%s'", name); 6475 b = gen_gateway(eaddr, alist, proto, dir); 6476 free(eaddr); 6477 return b; 6478 #else 6479 bpf_error(cstate, "'gateway' not supported in this configuration"); 6480 #endif /*INET6*/ 6481 6482 case Q_PROTO: 6483 real_proto = lookup_proto(cstate, name, proto); 6484 if (real_proto >= 0) 6485 return gen_proto(cstate, real_proto, proto, dir); 6486 else 6487 bpf_error(cstate, "unknown protocol: %s", name); 6488 6489 case Q_PROTOCHAIN: 6490 real_proto = lookup_proto(cstate, name, proto); 6491 if (real_proto >= 0) 6492 return gen_protochain(cstate, real_proto, proto, dir); 6493 else 6494 bpf_error(cstate, "unknown protocol: %s", name); 6495 6496 case Q_UNDEF: 6497 syntax(cstate); 6498 /* NOTREACHED */ 6499 } 6500 abort(); 6501 /* NOTREACHED */ 6502 } 6503 6504 struct block * 6505 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2, 6506 unsigned int masklen, struct qual q) 6507 { 6508 register int nlen, mlen; 6509 bpf_u_int32 n, m; 6510 6511 nlen = __pcap_atoin(s1, &n); 6512 /* Promote short ipaddr */ 6513 n <<= 32 - nlen; 6514 6515 if (s2 != NULL) { 6516 mlen = __pcap_atoin(s2, &m); 6517 /* Promote short ipaddr */ 6518 m <<= 32 - mlen; 6519 if ((n & ~m) != 0) 6520 bpf_error(cstate, "non-network bits set in \"%s mask %s\"", 6521 s1, s2); 6522 } else { 6523 /* Convert mask len to mask */ 6524 if (masklen > 32) 6525 bpf_error(cstate, "mask length must be <= 32"); 6526 if (masklen == 0) { 6527 /* 6528 * X << 32 is not guaranteed by C to be 0; it's 6529 * undefined. 6530 */ 6531 m = 0; 6532 } else 6533 m = 0xffffffff << (32 - masklen); 6534 if ((n & ~m) != 0) 6535 bpf_error(cstate, "non-network bits set in \"%s/%d\"", 6536 s1, masklen); 6537 } 6538 6539 switch (q.addr) { 6540 6541 case Q_NET: 6542 return gen_host(cstate, n, m, q.proto, q.dir, q.addr); 6543 6544 default: 6545 bpf_error(cstate, "Mask syntax for networks only"); 6546 /* NOTREACHED */ 6547 } 6548 /* NOTREACHED */ 6549 return NULL; 6550 } 6551 6552 struct block * 6553 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q) 6554 { 6555 bpf_u_int32 mask; 6556 int proto = q.proto; 6557 int dir = q.dir; 6558 register int vlen; 6559 6560 if (s == NULL) 6561 vlen = 32; 6562 else if (q.proto == Q_DECNET) { 6563 vlen = __pcap_atodn(s, &v); 6564 if (vlen == 0) 6565 bpf_error(cstate, "malformed decnet address '%s'", s); 6566 } else 6567 vlen = __pcap_atoin(s, &v); 6568 6569 switch (q.addr) { 6570 6571 case Q_DEFAULT: 6572 case Q_HOST: 6573 case Q_NET: 6574 if (proto == Q_DECNET) 6575 return gen_host(cstate, v, 0, proto, dir, q.addr); 6576 else if (proto == Q_LINK) { 6577 bpf_error(cstate, "illegal link layer address"); 6578 } else { 6579 mask = 0xffffffff; 6580 if (s == NULL && q.addr == Q_NET) { 6581 /* Promote short net number */ 6582 while (v && (v & 0xff000000) == 0) { 6583 v <<= 8; 6584 mask <<= 8; 6585 } 6586 } else { 6587 /* Promote short ipaddr */ 6588 v <<= 32 - vlen; 6589 mask <<= 32 - vlen ; 6590 } 6591 return gen_host(cstate, v, mask, proto, dir, q.addr); 6592 } 6593 6594 case Q_PORT: 6595 if (proto == Q_UDP) 6596 proto = IPPROTO_UDP; 6597 else if (proto == Q_TCP) 6598 proto = IPPROTO_TCP; 6599 else if (proto == Q_SCTP) 6600 proto = IPPROTO_SCTP; 6601 else if (proto == Q_DEFAULT) 6602 proto = PROTO_UNDEF; 6603 else 6604 bpf_error(cstate, "illegal qualifier of 'port'"); 6605 6606 if (v > 65535) 6607 bpf_error(cstate, "illegal port number %u > 65535", v); 6608 6609 { 6610 struct block *b; 6611 b = gen_port(cstate, (int)v, proto, dir); 6612 gen_or(gen_port6(cstate, (int)v, proto, dir), b); 6613 return b; 6614 } 6615 6616 case Q_PORTRANGE: 6617 if (proto == Q_UDP) 6618 proto = IPPROTO_UDP; 6619 else if (proto == Q_TCP) 6620 proto = IPPROTO_TCP; 6621 else if (proto == Q_SCTP) 6622 proto = IPPROTO_SCTP; 6623 else if (proto == Q_DEFAULT) 6624 proto = PROTO_UNDEF; 6625 else 6626 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6627 6628 if (v > 65535) 6629 bpf_error(cstate, "illegal port number %u > 65535", v); 6630 6631 { 6632 struct block *b; 6633 b = gen_portrange(cstate, (int)v, (int)v, proto, dir); 6634 gen_or(gen_portrange6(cstate, (int)v, (int)v, proto, dir), b); 6635 return b; 6636 } 6637 6638 case Q_GATEWAY: 6639 bpf_error(cstate, "'gateway' requires a name"); 6640 /* NOTREACHED */ 6641 6642 case Q_PROTO: 6643 return gen_proto(cstate, (int)v, proto, dir); 6644 6645 case Q_PROTOCHAIN: 6646 return gen_protochain(cstate, (int)v, proto, dir); 6647 6648 case Q_UNDEF: 6649 syntax(cstate); 6650 /* NOTREACHED */ 6651 6652 default: 6653 abort(); 6654 /* NOTREACHED */ 6655 } 6656 /* NOTREACHED */ 6657 } 6658 6659 #ifdef INET6 6660 struct block * 6661 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2, 6662 unsigned int masklen, struct qual q) 6663 { 6664 struct addrinfo *res; 6665 struct in6_addr *addr; 6666 struct in6_addr mask; 6667 struct block *b; 6668 u_int32_t *a, *m; 6669 6670 if (s2) 6671 bpf_error(cstate, "no mask %s supported", s2); 6672 6673 res = pcap_nametoaddrinfo(s1); 6674 if (!res) 6675 bpf_error(cstate, "invalid ip6 address %s", s1); 6676 cstate->ai = res; 6677 if (res->ai_next) 6678 bpf_error(cstate, "%s resolved to multiple address", s1); 6679 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6680 6681 if (sizeof(mask) * 8 < masklen) 6682 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6683 memset(&mask, 0, sizeof(mask)); 6684 memset(&mask, 0xff, masklen / 8); 6685 if (masklen % 8) { 6686 mask.s6_addr[masklen / 8] = 6687 (0xff << (8 - masklen % 8)) & 0xff; 6688 } 6689 6690 a = (u_int32_t *)addr; 6691 m = (u_int32_t *)&mask; 6692 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6693 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6694 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen); 6695 } 6696 6697 switch (q.addr) { 6698 6699 case Q_DEFAULT: 6700 case Q_HOST: 6701 if (masklen != 128) 6702 bpf_error(cstate, "Mask syntax for networks only"); 6703 /* FALLTHROUGH */ 6704 6705 case Q_NET: 6706 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr); 6707 cstate->ai = NULL; 6708 freeaddrinfo(res); 6709 return b; 6710 6711 default: 6712 bpf_error(cstate, "invalid qualifier against IPv6 address"); 6713 /* NOTREACHED */ 6714 } 6715 return NULL; 6716 } 6717 #endif /*INET6*/ 6718 6719 struct block * 6720 gen_ecode(compiler_state_t *cstate, const u_char *eaddr, struct qual q) 6721 { 6722 struct block *b, *tmp; 6723 6724 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6725 switch (cstate->linktype) { 6726 case DLT_EN10MB: 6727 case DLT_NETANALYZER: 6728 case DLT_NETANALYZER_TRANSPARENT: 6729 tmp = gen_prevlinkhdr_check(cstate); 6730 b = gen_ehostop(cstate, eaddr, (int)q.dir); 6731 if (tmp != NULL) 6732 gen_and(tmp, b); 6733 return b; 6734 case DLT_FDDI: 6735 return gen_fhostop(cstate, eaddr, (int)q.dir); 6736 case DLT_IEEE802: 6737 return gen_thostop(cstate, eaddr, (int)q.dir); 6738 case DLT_IEEE802_11: 6739 case DLT_PRISM_HEADER: 6740 case DLT_IEEE802_11_RADIO_AVS: 6741 case DLT_IEEE802_11_RADIO: 6742 case DLT_PPI: 6743 return gen_wlanhostop(cstate, eaddr, (int)q.dir); 6744 case DLT_IP_OVER_FC: 6745 return gen_ipfchostop(cstate, eaddr, (int)q.dir); 6746 default: 6747 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6748 break; 6749 } 6750 } 6751 bpf_error(cstate, "ethernet address used in non-ether expression"); 6752 /* NOTREACHED */ 6753 return NULL; 6754 } 6755 6756 void 6757 sappend(s0, s1) 6758 struct slist *s0, *s1; 6759 { 6760 /* 6761 * This is definitely not the best way to do this, but the 6762 * lists will rarely get long. 6763 */ 6764 while (s0->next) 6765 s0 = s0->next; 6766 s0->next = s1; 6767 } 6768 6769 static struct slist * 6770 xfer_to_x(compiler_state_t *cstate, struct arth *a) 6771 { 6772 struct slist *s; 6773 6774 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 6775 s->s.k = a->regno; 6776 return s; 6777 } 6778 6779 static struct slist * 6780 xfer_to_a(compiler_state_t *cstate, struct arth *a) 6781 { 6782 struct slist *s; 6783 6784 s = new_stmt(cstate, BPF_LD|BPF_MEM); 6785 s->s.k = a->regno; 6786 return s; 6787 } 6788 6789 /* 6790 * Modify "index" to use the value stored into its register as an 6791 * offset relative to the beginning of the header for the protocol 6792 * "proto", and allocate a register and put an item "size" bytes long 6793 * (1, 2, or 4) at that offset into that register, making it the register 6794 * for "index". 6795 */ 6796 struct arth * 6797 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, int size) 6798 { 6799 struct slist *s, *tmp; 6800 struct block *b; 6801 int regno = alloc_reg(cstate); 6802 6803 free_reg(cstate, inst->regno); 6804 switch (size) { 6805 6806 default: 6807 bpf_error(cstate, "data size must be 1, 2, or 4"); 6808 6809 case 1: 6810 size = BPF_B; 6811 break; 6812 6813 case 2: 6814 size = BPF_H; 6815 break; 6816 6817 case 4: 6818 size = BPF_W; 6819 break; 6820 } 6821 switch (proto) { 6822 default: 6823 bpf_error(cstate, "unsupported index operation"); 6824 6825 case Q_RADIO: 6826 /* 6827 * The offset is relative to the beginning of the packet 6828 * data, if we have a radio header. (If we don't, this 6829 * is an error.) 6830 */ 6831 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS && 6832 cstate->linktype != DLT_IEEE802_11_RADIO && 6833 cstate->linktype != DLT_PRISM_HEADER) 6834 bpf_error(cstate, "radio information not present in capture"); 6835 6836 /* 6837 * Load into the X register the offset computed into the 6838 * register specified by "index". 6839 */ 6840 s = xfer_to_x(cstate, inst); 6841 6842 /* 6843 * Load the item at that offset. 6844 */ 6845 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6846 sappend(s, tmp); 6847 sappend(inst->s, s); 6848 break; 6849 6850 case Q_LINK: 6851 /* 6852 * The offset is relative to the beginning of 6853 * the link-layer header. 6854 * 6855 * XXX - what about ATM LANE? Should the index be 6856 * relative to the beginning of the AAL5 frame, so 6857 * that 0 refers to the beginning of the LE Control 6858 * field, or relative to the beginning of the LAN 6859 * frame, so that 0 refers, for Ethernet LANE, to 6860 * the beginning of the destination address? 6861 */ 6862 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr); 6863 6864 /* 6865 * If "s" is non-null, it has code to arrange that the 6866 * X register contains the length of the prefix preceding 6867 * the link-layer header. Add to it the offset computed 6868 * into the register specified by "index", and move that 6869 * into the X register. Otherwise, just load into the X 6870 * register the offset computed into the register specified 6871 * by "index". 6872 */ 6873 if (s != NULL) { 6874 sappend(s, xfer_to_a(cstate, inst)); 6875 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 6876 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 6877 } else 6878 s = xfer_to_x(cstate, inst); 6879 6880 /* 6881 * Load the item at the sum of the offset we've put in the 6882 * X register and the offset of the start of the link 6883 * layer header (which is 0 if the radio header is 6884 * variable-length; that header length is what we put 6885 * into the X register and then added to the index). 6886 */ 6887 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6888 tmp->s.k = cstate->off_linkhdr.constant_part; 6889 sappend(s, tmp); 6890 sappend(inst->s, s); 6891 break; 6892 6893 case Q_IP: 6894 case Q_ARP: 6895 case Q_RARP: 6896 case Q_ATALK: 6897 case Q_DECNET: 6898 case Q_SCA: 6899 case Q_LAT: 6900 case Q_MOPRC: 6901 case Q_MOPDL: 6902 case Q_IPV6: 6903 /* 6904 * The offset is relative to the beginning of 6905 * the network-layer header. 6906 * XXX - are there any cases where we want 6907 * cstate->off_nl_nosnap? 6908 */ 6909 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 6910 6911 /* 6912 * If "s" is non-null, it has code to arrange that the 6913 * X register contains the variable part of the offset 6914 * of the link-layer payload. Add to it the offset 6915 * computed into the register specified by "index", 6916 * and move that into the X register. Otherwise, just 6917 * load into the X register the offset computed into 6918 * the register specified by "index". 6919 */ 6920 if (s != NULL) { 6921 sappend(s, xfer_to_a(cstate, inst)); 6922 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 6923 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 6924 } else 6925 s = xfer_to_x(cstate, inst); 6926 6927 /* 6928 * Load the item at the sum of the offset we've put in the 6929 * X register, the offset of the start of the network 6930 * layer header from the beginning of the link-layer 6931 * payload, and the constant part of the offset of the 6932 * start of the link-layer payload. 6933 */ 6934 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6935 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6936 sappend(s, tmp); 6937 sappend(inst->s, s); 6938 6939 /* 6940 * Do the computation only if the packet contains 6941 * the protocol in question. 6942 */ 6943 b = gen_proto_abbrev(cstate, proto); 6944 if (inst->b) 6945 gen_and(inst->b, b); 6946 inst->b = b; 6947 break; 6948 6949 case Q_SCTP: 6950 case Q_TCP: 6951 case Q_UDP: 6952 case Q_ICMP: 6953 case Q_IGMP: 6954 case Q_IGRP: 6955 case Q_PIM: 6956 case Q_VRRP: 6957 case Q_CARP: 6958 /* 6959 * The offset is relative to the beginning of 6960 * the transport-layer header. 6961 * 6962 * Load the X register with the length of the IPv4 header 6963 * (plus the offset of the link-layer header, if it's 6964 * a variable-length header), in bytes. 6965 * 6966 * XXX - are there any cases where we want 6967 * cstate->off_nl_nosnap? 6968 * XXX - we should, if we're built with 6969 * IPv6 support, generate code to load either 6970 * IPv4, IPv6, or both, as appropriate. 6971 */ 6972 s = gen_loadx_iphdrlen(cstate); 6973 6974 /* 6975 * The X register now contains the sum of the variable 6976 * part of the offset of the link-layer payload and the 6977 * length of the network-layer header. 6978 * 6979 * Load into the A register the offset relative to 6980 * the beginning of the transport layer header, 6981 * add the X register to that, move that to the 6982 * X register, and load with an offset from the 6983 * X register equal to the sum of the constant part of 6984 * the offset of the link-layer payload and the offset, 6985 * relative to the beginning of the link-layer payload, 6986 * of the network-layer header. 6987 */ 6988 sappend(s, xfer_to_a(cstate, inst)); 6989 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 6990 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 6991 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size)); 6992 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6993 sappend(inst->s, s); 6994 6995 /* 6996 * Do the computation only if the packet contains 6997 * the protocol in question - which is true only 6998 * if this is an IP datagram and is the first or 6999 * only fragment of that datagram. 7000 */ 7001 gen_and(gen_proto_abbrev(cstate, proto), b = gen_ipfrag(cstate)); 7002 if (inst->b) 7003 gen_and(inst->b, b); 7004 gen_and(gen_proto_abbrev(cstate, Q_IP), b); 7005 inst->b = b; 7006 break; 7007 case Q_ICMPV6: 7008 bpf_error(cstate, "IPv6 upper-layer protocol is not supported by proto[x]"); 7009 /*NOTREACHED*/ 7010 } 7011 inst->regno = regno; 7012 s = new_stmt(cstate, BPF_ST); 7013 s->s.k = regno; 7014 sappend(inst->s, s); 7015 7016 return inst; 7017 } 7018 7019 struct block * 7020 gen_relation(compiler_state_t *cstate, int code, struct arth *a0, 7021 struct arth *a1, int reversed) 7022 { 7023 struct slist *s0, *s1, *s2; 7024 struct block *b, *tmp; 7025 7026 s0 = xfer_to_x(cstate, a1); 7027 s1 = xfer_to_a(cstate, a0); 7028 if (code == BPF_JEQ) { 7029 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X); 7030 b = new_block(cstate, JMP(code)); 7031 sappend(s1, s2); 7032 } 7033 else 7034 b = new_block(cstate, BPF_JMP|code|BPF_X); 7035 if (reversed) 7036 gen_not(b); 7037 7038 sappend(s0, s1); 7039 sappend(a1->s, s0); 7040 sappend(a0->s, a1->s); 7041 7042 b->stmts = a0->s; 7043 7044 free_reg(cstate, a0->regno); 7045 free_reg(cstate, a1->regno); 7046 7047 /* 'and' together protocol checks */ 7048 if (a0->b) { 7049 if (a1->b) { 7050 gen_and(a0->b, tmp = a1->b); 7051 } 7052 else 7053 tmp = a0->b; 7054 } else 7055 tmp = a1->b; 7056 7057 if (tmp) 7058 gen_and(tmp, b); 7059 7060 return b; 7061 } 7062 7063 struct arth * 7064 gen_loadlen(compiler_state_t *cstate) 7065 { 7066 int regno = alloc_reg(cstate); 7067 struct arth *a = (struct arth *)newchunk(cstate, sizeof(*a)); 7068 struct slist *s; 7069 7070 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7071 s->next = new_stmt(cstate, BPF_ST); 7072 s->next->s.k = regno; 7073 a->s = s; 7074 a->regno = regno; 7075 7076 return a; 7077 } 7078 7079 struct arth * 7080 gen_loadi(compiler_state_t *cstate, int val) 7081 { 7082 struct arth *a; 7083 struct slist *s; 7084 int reg; 7085 7086 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7087 7088 reg = alloc_reg(cstate); 7089 7090 s = new_stmt(cstate, BPF_LD|BPF_IMM); 7091 s->s.k = val; 7092 s->next = new_stmt(cstate, BPF_ST); 7093 s->next->s.k = reg; 7094 a->s = s; 7095 a->regno = reg; 7096 7097 return a; 7098 } 7099 7100 struct arth * 7101 gen_neg(compiler_state_t *cstate, struct arth *a) 7102 { 7103 struct slist *s; 7104 7105 s = xfer_to_a(cstate, a); 7106 sappend(a->s, s); 7107 s = new_stmt(cstate, BPF_ALU|BPF_NEG); 7108 s->s.k = 0; 7109 sappend(a->s, s); 7110 s = new_stmt(cstate, BPF_ST); 7111 s->s.k = a->regno; 7112 sappend(a->s, s); 7113 7114 return a; 7115 } 7116 7117 struct arth * 7118 gen_arth(compiler_state_t *cstate, int code, struct arth *a0, 7119 struct arth *a1) 7120 { 7121 struct slist *s0, *s1, *s2; 7122 7123 /* 7124 * Disallow division by, or modulus by, zero; we do this here 7125 * so that it gets done even if the optimizer is disabled. 7126 */ 7127 if (code == BPF_DIV) { 7128 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7129 bpf_error(cstate, "division by zero"); 7130 } else if (code == BPF_MOD) { 7131 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7132 bpf_error(cstate, "modulus by zero"); 7133 } 7134 s0 = xfer_to_x(cstate, a1); 7135 s1 = xfer_to_a(cstate, a0); 7136 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code); 7137 7138 sappend(s1, s2); 7139 sappend(s0, s1); 7140 sappend(a1->s, s0); 7141 sappend(a0->s, a1->s); 7142 7143 free_reg(cstate, a0->regno); 7144 free_reg(cstate, a1->regno); 7145 7146 s0 = new_stmt(cstate, BPF_ST); 7147 a0->regno = s0->s.k = alloc_reg(cstate); 7148 sappend(a0->s, s0); 7149 7150 return a0; 7151 } 7152 7153 /* 7154 * Initialize the table of used registers and the current register. 7155 */ 7156 static void 7157 init_regs(compiler_state_t *cstate) 7158 { 7159 cstate->curreg = 0; 7160 memset(cstate->regused, 0, sizeof cstate->regused); 7161 } 7162 7163 /* 7164 * Return the next free register. 7165 */ 7166 static int 7167 alloc_reg(compiler_state_t *cstate) 7168 { 7169 int n = BPF_MEMWORDS; 7170 7171 while (--n >= 0) { 7172 if (cstate->regused[cstate->curreg]) 7173 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS; 7174 else { 7175 cstate->regused[cstate->curreg] = 1; 7176 return cstate->curreg; 7177 } 7178 } 7179 bpf_error(cstate, "too many registers needed to evaluate expression"); 7180 /* NOTREACHED */ 7181 return 0; 7182 } 7183 7184 /* 7185 * Return a register to the table so it can 7186 * be used later. 7187 */ 7188 static void 7189 free_reg(compiler_state_t *cstate, int n) 7190 { 7191 cstate->regused[n] = 0; 7192 } 7193 7194 static struct block * 7195 gen_len(compiler_state_t *cstate, int jmp, int n) 7196 { 7197 struct slist *s; 7198 struct block *b; 7199 7200 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7201 b = new_block(cstate, JMP(jmp)); 7202 b->stmts = s; 7203 b->s.k = n; 7204 7205 return b; 7206 } 7207 7208 struct block * 7209 gen_greater(compiler_state_t *cstate, int n) 7210 { 7211 return gen_len(cstate, BPF_JGE, n); 7212 } 7213 7214 /* 7215 * Actually, this is less than or equal. 7216 */ 7217 struct block * 7218 gen_less(compiler_state_t *cstate, int n) 7219 { 7220 struct block *b; 7221 7222 b = gen_len(cstate, BPF_JGT, n); 7223 gen_not(b); 7224 7225 return b; 7226 } 7227 7228 /* 7229 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7230 * the beginning of the link-layer header. 7231 * XXX - that means you can't test values in the radiotap header, but 7232 * as that header is difficult if not impossible to parse generally 7233 * without a loop, that might not be a severe problem. A new keyword 7234 * "radio" could be added for that, although what you'd really want 7235 * would be a way of testing particular radio header values, which 7236 * would generate code appropriate to the radio header in question. 7237 */ 7238 struct block * 7239 gen_byteop(compiler_state_t *cstate, int op, int idx, int val) 7240 { 7241 struct block *b; 7242 struct slist *s; 7243 7244 switch (op) { 7245 default: 7246 abort(); 7247 7248 case '=': 7249 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7250 7251 case '<': 7252 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7253 return b; 7254 7255 case '>': 7256 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7257 return b; 7258 7259 case '|': 7260 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K); 7261 break; 7262 7263 case '&': 7264 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 7265 break; 7266 } 7267 s->s.k = val; 7268 b = new_block(cstate, JMP(BPF_JEQ)); 7269 b->stmts = s; 7270 gen_not(b); 7271 7272 return b; 7273 } 7274 7275 static const u_char abroadcast[] = { 0x0 }; 7276 7277 struct block * 7278 gen_broadcast(compiler_state_t *cstate, int proto) 7279 { 7280 bpf_u_int32 hostmask; 7281 struct block *b0, *b1, *b2; 7282 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7283 7284 switch (proto) { 7285 7286 case Q_DEFAULT: 7287 case Q_LINK: 7288 switch (cstate->linktype) { 7289 case DLT_ARCNET: 7290 case DLT_ARCNET_LINUX: 7291 return gen_ahostop(cstate, abroadcast, Q_DST); 7292 case DLT_EN10MB: 7293 case DLT_NETANALYZER: 7294 case DLT_NETANALYZER_TRANSPARENT: 7295 b1 = gen_prevlinkhdr_check(cstate); 7296 b0 = gen_ehostop(cstate, ebroadcast, Q_DST); 7297 if (b1 != NULL) 7298 gen_and(b1, b0); 7299 return b0; 7300 case DLT_FDDI: 7301 return gen_fhostop(cstate, ebroadcast, Q_DST); 7302 case DLT_IEEE802: 7303 return gen_thostop(cstate, ebroadcast, Q_DST); 7304 case DLT_IEEE802_11: 7305 case DLT_PRISM_HEADER: 7306 case DLT_IEEE802_11_RADIO_AVS: 7307 case DLT_IEEE802_11_RADIO: 7308 case DLT_PPI: 7309 return gen_wlanhostop(cstate, ebroadcast, Q_DST); 7310 case DLT_IP_OVER_FC: 7311 return gen_ipfchostop(cstate, ebroadcast, Q_DST); 7312 default: 7313 bpf_error(cstate, "not a broadcast link"); 7314 } 7315 break; 7316 7317 case Q_IP: 7318 /* 7319 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7320 * as an indication that we don't know the netmask, and fail 7321 * in that case. 7322 */ 7323 if (cstate->netmask == PCAP_NETMASK_UNKNOWN) 7324 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported"); 7325 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7326 hostmask = ~cstate->netmask; 7327 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask); 7328 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 7329 (bpf_int32)(~0 & hostmask), hostmask); 7330 gen_or(b1, b2); 7331 gen_and(b0, b2); 7332 return b2; 7333 } 7334 bpf_error(cstate, "only link-layer/IP broadcast filters supported"); 7335 /* NOTREACHED */ 7336 return NULL; 7337 } 7338 7339 /* 7340 * Generate code to test the low-order bit of a MAC address (that's 7341 * the bottom bit of the *first* byte). 7342 */ 7343 static struct block * 7344 gen_mac_multicast(compiler_state_t *cstate, int offset) 7345 { 7346 register struct block *b0; 7347 register struct slist *s; 7348 7349 /* link[offset] & 1 != 0 */ 7350 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B); 7351 b0 = new_block(cstate, JMP(BPF_JSET)); 7352 b0->s.k = 1; 7353 b0->stmts = s; 7354 return b0; 7355 } 7356 7357 struct block * 7358 gen_multicast(compiler_state_t *cstate, int proto) 7359 { 7360 register struct block *b0, *b1, *b2; 7361 register struct slist *s; 7362 7363 switch (proto) { 7364 7365 case Q_DEFAULT: 7366 case Q_LINK: 7367 switch (cstate->linktype) { 7368 case DLT_ARCNET: 7369 case DLT_ARCNET_LINUX: 7370 /* all ARCnet multicasts use the same address */ 7371 return gen_ahostop(cstate, abroadcast, Q_DST); 7372 case DLT_EN10MB: 7373 case DLT_NETANALYZER: 7374 case DLT_NETANALYZER_TRANSPARENT: 7375 b1 = gen_prevlinkhdr_check(cstate); 7376 /* ether[0] & 1 != 0 */ 7377 b0 = gen_mac_multicast(cstate, 0); 7378 if (b1 != NULL) 7379 gen_and(b1, b0); 7380 return b0; 7381 case DLT_FDDI: 7382 /* 7383 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7384 * 7385 * XXX - was that referring to bit-order issues? 7386 */ 7387 /* fddi[1] & 1 != 0 */ 7388 return gen_mac_multicast(cstate, 1); 7389 case DLT_IEEE802: 7390 /* tr[2] & 1 != 0 */ 7391 return gen_mac_multicast(cstate, 2); 7392 case DLT_IEEE802_11: 7393 case DLT_PRISM_HEADER: 7394 case DLT_IEEE802_11_RADIO_AVS: 7395 case DLT_IEEE802_11_RADIO: 7396 case DLT_PPI: 7397 /* 7398 * Oh, yuk. 7399 * 7400 * For control frames, there is no DA. 7401 * 7402 * For management frames, DA is at an 7403 * offset of 4 from the beginning of 7404 * the packet. 7405 * 7406 * For data frames, DA is at an offset 7407 * of 4 from the beginning of the packet 7408 * if To DS is clear and at an offset of 7409 * 16 from the beginning of the packet 7410 * if To DS is set. 7411 */ 7412 7413 /* 7414 * Generate the tests to be done for data frames. 7415 * 7416 * First, check for To DS set, i.e. "link[1] & 0x01". 7417 */ 7418 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 7419 b1 = new_block(cstate, JMP(BPF_JSET)); 7420 b1->s.k = 0x01; /* To DS */ 7421 b1->stmts = s; 7422 7423 /* 7424 * If To DS is set, the DA is at 16. 7425 */ 7426 b0 = gen_mac_multicast(cstate, 16); 7427 gen_and(b1, b0); 7428 7429 /* 7430 * Now, check for To DS not set, i.e. check 7431 * "!(link[1] & 0x01)". 7432 */ 7433 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 7434 b2 = new_block(cstate, JMP(BPF_JSET)); 7435 b2->s.k = 0x01; /* To DS */ 7436 b2->stmts = s; 7437 gen_not(b2); 7438 7439 /* 7440 * If To DS is not set, the DA is at 4. 7441 */ 7442 b1 = gen_mac_multicast(cstate, 4); 7443 gen_and(b2, b1); 7444 7445 /* 7446 * Now OR together the last two checks. That gives 7447 * the complete set of checks for data frames. 7448 */ 7449 gen_or(b1, b0); 7450 7451 /* 7452 * Now check for a data frame. 7453 * I.e, check "link[0] & 0x08". 7454 */ 7455 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7456 b1 = new_block(cstate, JMP(BPF_JSET)); 7457 b1->s.k = 0x08; 7458 b1->stmts = s; 7459 7460 /* 7461 * AND that with the checks done for data frames. 7462 */ 7463 gen_and(b1, b0); 7464 7465 /* 7466 * If the high-order bit of the type value is 0, this 7467 * is a management frame. 7468 * I.e, check "!(link[0] & 0x08)". 7469 */ 7470 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7471 b2 = new_block(cstate, JMP(BPF_JSET)); 7472 b2->s.k = 0x08; 7473 b2->stmts = s; 7474 gen_not(b2); 7475 7476 /* 7477 * For management frames, the DA is at 4. 7478 */ 7479 b1 = gen_mac_multicast(cstate, 4); 7480 gen_and(b2, b1); 7481 7482 /* 7483 * OR that with the checks done for data frames. 7484 * That gives the checks done for management and 7485 * data frames. 7486 */ 7487 gen_or(b1, b0); 7488 7489 /* 7490 * If the low-order bit of the type value is 1, 7491 * this is either a control frame or a frame 7492 * with a reserved type, and thus not a 7493 * frame with an SA. 7494 * 7495 * I.e., check "!(link[0] & 0x04)". 7496 */ 7497 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7498 b1 = new_block(cstate, JMP(BPF_JSET)); 7499 b1->s.k = 0x04; 7500 b1->stmts = s; 7501 gen_not(b1); 7502 7503 /* 7504 * AND that with the checks for data and management 7505 * frames. 7506 */ 7507 gen_and(b1, b0); 7508 return b0; 7509 case DLT_IP_OVER_FC: 7510 b0 = gen_mac_multicast(cstate, 2); 7511 return b0; 7512 default: 7513 break; 7514 } 7515 /* Link not known to support multicasts */ 7516 break; 7517 7518 case Q_IP: 7519 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7520 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, (bpf_int32)224); 7521 gen_and(b0, b1); 7522 return b1; 7523 7524 case Q_IPV6: 7525 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 7526 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, (bpf_int32)255); 7527 gen_and(b0, b1); 7528 return b1; 7529 } 7530 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7531 /* NOTREACHED */ 7532 return NULL; 7533 } 7534 7535 /* 7536 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7537 * Outbound traffic is sent by this machine, while inbound traffic is 7538 * sent by a remote machine (and may include packets destined for a 7539 * unicast or multicast link-layer address we are not subscribing to). 7540 * These are the same definitions implemented by pcap_setdirection(). 7541 * Capturing only unicast traffic destined for this host is probably 7542 * better accomplished using a higher-layer filter. 7543 */ 7544 struct block * 7545 gen_inbound(compiler_state_t *cstate, int dir) 7546 { 7547 register struct block *b0; 7548 7549 /* 7550 * Only some data link types support inbound/outbound qualifiers. 7551 */ 7552 switch (cstate->linktype) { 7553 case DLT_SLIP: 7554 b0 = gen_relation(cstate, BPF_JEQ, 7555 gen_load(cstate, Q_LINK, gen_loadi(cstate, 0), 1), 7556 gen_loadi(cstate, 0), 7557 dir); 7558 break; 7559 7560 case DLT_IPNET: 7561 if (dir) { 7562 /* match outgoing packets */ 7563 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND); 7564 } else { 7565 /* match incoming packets */ 7566 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND); 7567 } 7568 break; 7569 7570 case DLT_LINUX_SLL: 7571 /* match outgoing packets */ 7572 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING); 7573 if (!dir) { 7574 /* to filter on inbound traffic, invert the match */ 7575 gen_not(b0); 7576 } 7577 break; 7578 7579 #ifdef HAVE_NET_PFVAR_H 7580 case DLT_PFLOG: 7581 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B, 7582 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7583 break; 7584 #endif 7585 7586 case DLT_PPP_PPPD: 7587 if (dir) { 7588 /* match outgoing packets */ 7589 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT); 7590 } else { 7591 /* match incoming packets */ 7592 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN); 7593 } 7594 break; 7595 7596 case DLT_JUNIPER_MFR: 7597 case DLT_JUNIPER_MLFR: 7598 case DLT_JUNIPER_MLPPP: 7599 case DLT_JUNIPER_ATM1: 7600 case DLT_JUNIPER_ATM2: 7601 case DLT_JUNIPER_PPPOE: 7602 case DLT_JUNIPER_PPPOE_ATM: 7603 case DLT_JUNIPER_GGSN: 7604 case DLT_JUNIPER_ES: 7605 case DLT_JUNIPER_MONITOR: 7606 case DLT_JUNIPER_SERVICES: 7607 case DLT_JUNIPER_ETHER: 7608 case DLT_JUNIPER_PPP: 7609 case DLT_JUNIPER_FRELAY: 7610 case DLT_JUNIPER_CHDLC: 7611 case DLT_JUNIPER_VP: 7612 case DLT_JUNIPER_ST: 7613 case DLT_JUNIPER_ISM: 7614 case DLT_JUNIPER_VS: 7615 case DLT_JUNIPER_SRX_E2E: 7616 case DLT_JUNIPER_FIBRECHANNEL: 7617 case DLT_JUNIPER_ATM_CEMIC: 7618 7619 /* juniper flags (including direction) are stored 7620 * the byte after the 3-byte magic number */ 7621 if (dir) { 7622 /* match outgoing packets */ 7623 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01); 7624 } else { 7625 /* match incoming packets */ 7626 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01); 7627 } 7628 break; 7629 7630 default: 7631 /* 7632 * If we have packet meta-data indicating a direction, 7633 * check it, otherwise give up as this link-layer type 7634 * has nothing in the packet data. 7635 */ 7636 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7637 /* 7638 * This is Linux with PF_PACKET support. 7639 * If this is a *live* capture, we can look at 7640 * special meta-data in the filter expression; 7641 * if it's a savefile, we can't. 7642 */ 7643 if (cstate->bpf_pcap->rfile != NULL) { 7644 /* We have a FILE *, so this is a savefile */ 7645 bpf_error(cstate, "inbound/outbound not supported on linktype %d when reading savefiles", 7646 cstate->linktype); 7647 b0 = NULL; 7648 /* NOTREACHED */ 7649 } 7650 /* match outgoing packets */ 7651 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7652 PACKET_OUTGOING); 7653 if (!dir) { 7654 /* to filter on inbound traffic, invert the match */ 7655 gen_not(b0); 7656 } 7657 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7658 bpf_error(cstate, "inbound/outbound not supported on linktype %d", 7659 cstate->linktype); 7660 b0 = NULL; 7661 /* NOTREACHED */ 7662 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7663 } 7664 return (b0); 7665 } 7666 7667 #ifdef HAVE_NET_PFVAR_H 7668 /* PF firewall log matched interface */ 7669 struct block * 7670 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 7671 { 7672 struct block *b0; 7673 u_int len, off; 7674 7675 if (cstate->linktype != DLT_PFLOG) { 7676 bpf_error(cstate, "ifname supported only on PF linktype"); 7677 /* NOTREACHED */ 7678 } 7679 len = sizeof(((struct pfloghdr *)0)->ifname); 7680 off = offsetof(struct pfloghdr, ifname); 7681 if (strlen(ifname) >= len) { 7682 bpf_error(cstate, "ifname interface names can only be %d characters", 7683 len-1); 7684 /* NOTREACHED */ 7685 } 7686 b0 = gen_bcmp(cstate, OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname); 7687 return (b0); 7688 } 7689 7690 /* PF firewall log ruleset name */ 7691 struct block * 7692 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 7693 { 7694 struct block *b0; 7695 7696 if (cstate->linktype != DLT_PFLOG) { 7697 bpf_error(cstate, "ruleset supported only on PF linktype"); 7698 /* NOTREACHED */ 7699 } 7700 7701 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7702 bpf_error(cstate, "ruleset names can only be %ld characters", 7703 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7704 /* NOTREACHED */ 7705 } 7706 7707 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset), 7708 strlen(ruleset), (const u_char *)ruleset); 7709 return (b0); 7710 } 7711 7712 /* PF firewall log rule number */ 7713 struct block * 7714 gen_pf_rnr(compiler_state_t *cstate, int rnr) 7715 { 7716 struct block *b0; 7717 7718 if (cstate->linktype != DLT_PFLOG) { 7719 bpf_error(cstate, "rnr supported only on PF linktype"); 7720 /* NOTREACHED */ 7721 } 7722 7723 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W, 7724 (bpf_int32)rnr); 7725 return (b0); 7726 } 7727 7728 /* PF firewall log sub-rule number */ 7729 struct block * 7730 gen_pf_srnr(compiler_state_t *cstate, int srnr) 7731 { 7732 struct block *b0; 7733 7734 if (cstate->linktype != DLT_PFLOG) { 7735 bpf_error(cstate, "srnr supported only on PF linktype"); 7736 /* NOTREACHED */ 7737 } 7738 7739 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W, 7740 (bpf_int32)srnr); 7741 return (b0); 7742 } 7743 7744 /* PF firewall log reason code */ 7745 struct block * 7746 gen_pf_reason(compiler_state_t *cstate, int reason) 7747 { 7748 struct block *b0; 7749 7750 if (cstate->linktype != DLT_PFLOG) { 7751 bpf_error(cstate, "reason supported only on PF linktype"); 7752 /* NOTREACHED */ 7753 } 7754 7755 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B, 7756 (bpf_int32)reason); 7757 return (b0); 7758 } 7759 7760 /* PF firewall log action */ 7761 struct block * 7762 gen_pf_action(compiler_state_t *cstate, int action) 7763 { 7764 struct block *b0; 7765 7766 if (cstate->linktype != DLT_PFLOG) { 7767 bpf_error(cstate, "action supported only on PF linktype"); 7768 /* NOTREACHED */ 7769 } 7770 7771 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B, 7772 (bpf_int32)action); 7773 return (b0); 7774 } 7775 #else /* !HAVE_NET_PFVAR_H */ 7776 struct block * 7777 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 7778 { 7779 bpf_error(cstate, "libpcap was compiled without pf support"); 7780 /* NOTREACHED */ 7781 return (NULL); 7782 } 7783 7784 struct block * 7785 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 7786 { 7787 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7788 /* NOTREACHED */ 7789 return (NULL); 7790 } 7791 7792 struct block * 7793 gen_pf_rnr(compiler_state_t *cstate, int rnr) 7794 { 7795 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7796 /* NOTREACHED */ 7797 return (NULL); 7798 } 7799 7800 struct block * 7801 gen_pf_srnr(compiler_state_t *cstate, int srnr) 7802 { 7803 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7804 /* NOTREACHED */ 7805 return (NULL); 7806 } 7807 7808 struct block * 7809 gen_pf_reason(compiler_state_t *cstate, int reason) 7810 { 7811 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7812 /* NOTREACHED */ 7813 return (NULL); 7814 } 7815 7816 struct block * 7817 gen_pf_action(compiler_state_t *cstate, int action) 7818 { 7819 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7820 /* NOTREACHED */ 7821 return (NULL); 7822 } 7823 #endif /* HAVE_NET_PFVAR_H */ 7824 7825 /* IEEE 802.11 wireless header */ 7826 struct block * 7827 gen_p80211_type(compiler_state_t *cstate, int type, int mask) 7828 { 7829 struct block *b0; 7830 7831 switch (cstate->linktype) { 7832 7833 case DLT_IEEE802_11: 7834 case DLT_PRISM_HEADER: 7835 case DLT_IEEE802_11_RADIO_AVS: 7836 case DLT_IEEE802_11_RADIO: 7837 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, (bpf_int32)type, 7838 (bpf_int32)mask); 7839 break; 7840 7841 default: 7842 bpf_error(cstate, "802.11 link-layer types supported only on 802.11"); 7843 /* NOTREACHED */ 7844 } 7845 7846 return (b0); 7847 } 7848 7849 struct block * 7850 gen_p80211_fcdir(compiler_state_t *cstate, int fcdir) 7851 { 7852 struct block *b0; 7853 7854 switch (cstate->linktype) { 7855 7856 case DLT_IEEE802_11: 7857 case DLT_PRISM_HEADER: 7858 case DLT_IEEE802_11_RADIO_AVS: 7859 case DLT_IEEE802_11_RADIO: 7860 break; 7861 7862 default: 7863 bpf_error(cstate, "frame direction supported only with 802.11 headers"); 7864 /* NOTREACHED */ 7865 } 7866 7867 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir, 7868 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7869 7870 return (b0); 7871 } 7872 7873 struct block * 7874 gen_acode(compiler_state_t *cstate, const u_char *eaddr, struct qual q) 7875 { 7876 switch (cstate->linktype) { 7877 7878 case DLT_ARCNET: 7879 case DLT_ARCNET_LINUX: 7880 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7881 q.proto == Q_LINK) 7882 return (gen_ahostop(cstate, eaddr, (int)q.dir)); 7883 else { 7884 bpf_error(cstate, "ARCnet address used in non-arc expression"); 7885 /* NOTREACHED */ 7886 } 7887 break; 7888 7889 default: 7890 bpf_error(cstate, "aid supported only on ARCnet"); 7891 /* NOTREACHED */ 7892 } 7893 bpf_error(cstate, "ARCnet address used in non-arc expression"); 7894 /* NOTREACHED */ 7895 return NULL; 7896 } 7897 7898 static struct block * 7899 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 7900 { 7901 register struct block *b0, *b1; 7902 7903 switch (dir) { 7904 /* src comes first, different from Ethernet */ 7905 case Q_SRC: 7906 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr); 7907 7908 case Q_DST: 7909 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr); 7910 7911 case Q_AND: 7912 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 7913 b1 = gen_ahostop(cstate, eaddr, Q_DST); 7914 gen_and(b0, b1); 7915 return b1; 7916 7917 case Q_DEFAULT: 7918 case Q_OR: 7919 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 7920 b1 = gen_ahostop(cstate, eaddr, Q_DST); 7921 gen_or(b0, b1); 7922 return b1; 7923 7924 case Q_ADDR1: 7925 bpf_error(cstate, "'addr1' is only supported on 802.11"); 7926 break; 7927 7928 case Q_ADDR2: 7929 bpf_error(cstate, "'addr2' is only supported on 802.11"); 7930 break; 7931 7932 case Q_ADDR3: 7933 bpf_error(cstate, "'addr3' is only supported on 802.11"); 7934 break; 7935 7936 case Q_ADDR4: 7937 bpf_error(cstate, "'addr4' is only supported on 802.11"); 7938 break; 7939 7940 case Q_RA: 7941 bpf_error(cstate, "'ra' is only supported on 802.11"); 7942 break; 7943 7944 case Q_TA: 7945 bpf_error(cstate, "'ta' is only supported on 802.11"); 7946 break; 7947 } 7948 abort(); 7949 /* NOTREACHED */ 7950 } 7951 7952 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT) 7953 static struct block * 7954 gen_vlan_bpf_extensions(compiler_state_t *cstate, int vlan_num) 7955 { 7956 struct block *b0, *b1; 7957 struct slist *s; 7958 7959 /* generate new filter code based on extracting packet 7960 * metadata */ 7961 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 7962 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 7963 7964 b0 = new_block(cstate, JMP(BPF_JEQ)); 7965 b0->stmts = s; 7966 b0->s.k = 1; 7967 7968 if (vlan_num >= 0) { 7969 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 7970 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG; 7971 7972 b1 = new_block(cstate, JMP(BPF_JEQ)); 7973 b1->stmts = s; 7974 b1->s.k = (bpf_int32) vlan_num; 7975 7976 gen_and(b0,b1); 7977 b0 = b1; 7978 } 7979 7980 return b0; 7981 } 7982 #endif 7983 7984 static struct block * 7985 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, int vlan_num) 7986 { 7987 struct block *b0, *b1; 7988 7989 /* check for VLAN, including QinQ */ 7990 b0 = gen_linktype(cstate, ETHERTYPE_8021Q); 7991 b1 = gen_linktype(cstate, ETHERTYPE_8021AD); 7992 gen_or(b0,b1); 7993 b0 = b1; 7994 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ); 7995 gen_or(b0,b1); 7996 b0 = b1; 7997 7998 /* If a specific VLAN is requested, check VLAN id */ 7999 if (vlan_num >= 0) { 8000 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, 8001 (bpf_int32)vlan_num, 0x0fff); 8002 gen_and(b0, b1); 8003 b0 = b1; 8004 } 8005 8006 /* 8007 * The payload follows the full header, including the 8008 * VLAN tags, so skip past this VLAN tag. 8009 */ 8010 cstate->off_linkpl.constant_part += 4; 8011 8012 /* 8013 * The link-layer type information follows the VLAN tags, so 8014 * skip past this VLAN tag. 8015 */ 8016 cstate->off_linktype.constant_part += 4; 8017 8018 return b0; 8019 } 8020 8021 /* 8022 * support IEEE 802.1Q VLAN trunk over ethernet 8023 */ 8024 struct block * 8025 gen_vlan(compiler_state_t *cstate, int vlan_num) 8026 { 8027 struct block *b0; 8028 8029 /* can't check for VLAN-encapsulated packets inside MPLS */ 8030 if (cstate->label_stack_depth > 0) 8031 bpf_error(cstate, "no VLAN match after MPLS"); 8032 8033 /* 8034 * Check for a VLAN packet, and then change the offsets to point 8035 * to the type and data fields within the VLAN packet. Just 8036 * increment the offsets, so that we can support a hierarchy, e.g. 8037 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 8038 * VLAN 100. 8039 * 8040 * XXX - this is a bit of a kludge. If we were to split the 8041 * compiler into a parser that parses an expression and 8042 * generates an expression tree, and a code generator that 8043 * takes an expression tree (which could come from our 8044 * parser or from some other parser) and generates BPF code, 8045 * we could perhaps make the offsets parameters of routines 8046 * and, in the handler for an "AND" node, pass to subnodes 8047 * other than the VLAN node the adjusted offsets. 8048 * 8049 * This would mean that "vlan" would, instead of changing the 8050 * behavior of *all* tests after it, change only the behavior 8051 * of tests ANDed with it. That would change the documented 8052 * semantics of "vlan", which might break some expressions. 8053 * However, it would mean that "(vlan and ip) or ip" would check 8054 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8055 * checking only for VLAN-encapsulated IP, so that could still 8056 * be considered worth doing; it wouldn't break expressions 8057 * that are of the form "vlan and ..." or "vlan N and ...", 8058 * which I suspect are the most common expressions involving 8059 * "vlan". "vlan or ..." doesn't necessarily do what the user 8060 * would really want, now, as all the "or ..." tests would 8061 * be done assuming a VLAN, even though the "or" could be viewed 8062 * as meaning "or, if this isn't a VLAN packet...". 8063 */ 8064 switch (cstate->linktype) { 8065 8066 case DLT_EN10MB: 8067 case DLT_NETANALYZER: 8068 case DLT_NETANALYZER_TRANSPARENT: 8069 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT) 8070 /* Verify that this is the outer part of the packet and 8071 * not encapsulated somehow. */ 8072 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable && 8073 cstate->off_linkhdr.constant_part == 8074 cstate->off_outermostlinkhdr.constant_part) { 8075 /* 8076 * Do we need special VLAN handling? 8077 */ 8078 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING) 8079 b0 = gen_vlan_bpf_extensions(cstate, vlan_num); 8080 else 8081 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8082 } else 8083 #endif 8084 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8085 break; 8086 8087 case DLT_IEEE802_11: 8088 case DLT_PRISM_HEADER: 8089 case DLT_IEEE802_11_RADIO_AVS: 8090 case DLT_IEEE802_11_RADIO: 8091 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8092 break; 8093 8094 default: 8095 bpf_error(cstate, "no VLAN support for data link type %d", 8096 cstate->linktype); 8097 /*NOTREACHED*/ 8098 } 8099 8100 cstate->vlan_stack_depth++; 8101 8102 return (b0); 8103 } 8104 8105 /* 8106 * support for MPLS 8107 */ 8108 struct block * 8109 gen_mpls(compiler_state_t *cstate, int label_num) 8110 { 8111 struct block *b0, *b1; 8112 8113 if (cstate->label_stack_depth > 0) { 8114 /* just match the bottom-of-stack bit clear */ 8115 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01); 8116 } else { 8117 /* 8118 * We're not in an MPLS stack yet, so check the link-layer 8119 * type against MPLS. 8120 */ 8121 switch (cstate->linktype) { 8122 8123 case DLT_C_HDLC: /* fall through */ 8124 case DLT_EN10MB: 8125 case DLT_NETANALYZER: 8126 case DLT_NETANALYZER_TRANSPARENT: 8127 b0 = gen_linktype(cstate, ETHERTYPE_MPLS); 8128 break; 8129 8130 case DLT_PPP: 8131 b0 = gen_linktype(cstate, PPP_MPLS_UCAST); 8132 break; 8133 8134 /* FIXME add other DLT_s ... 8135 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8136 * leave it for now */ 8137 8138 default: 8139 bpf_error(cstate, "no MPLS support for data link type %d", 8140 cstate->linktype); 8141 b0 = NULL; 8142 /*NOTREACHED*/ 8143 break; 8144 } 8145 } 8146 8147 /* If a specific MPLS label is requested, check it */ 8148 if (label_num >= 0) { 8149 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8150 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, (bpf_int32)label_num, 8151 0xfffff000); /* only compare the first 20 bits */ 8152 gen_and(b0, b1); 8153 b0 = b1; 8154 } 8155 8156 /* 8157 * Change the offsets to point to the type and data fields within 8158 * the MPLS packet. Just increment the offsets, so that we 8159 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 8160 * capture packets with an outer label of 100000 and an inner 8161 * label of 1024. 8162 * 8163 * Increment the MPLS stack depth as well; this indicates that 8164 * we're checking MPLS-encapsulated headers, to make sure higher 8165 * level code generators don't try to match against IP-related 8166 * protocols such as Q_ARP, Q_RARP etc. 8167 * 8168 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 8169 */ 8170 cstate->off_nl_nosnap += 4; 8171 cstate->off_nl += 4; 8172 cstate->label_stack_depth++; 8173 return (b0); 8174 } 8175 8176 /* 8177 * Support PPPOE discovery and session. 8178 */ 8179 struct block * 8180 gen_pppoed(compiler_state_t *cstate) 8181 { 8182 /* check for PPPoE discovery */ 8183 return gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOED); 8184 } 8185 8186 struct block * 8187 gen_pppoes(compiler_state_t *cstate, int sess_num) 8188 { 8189 struct block *b0, *b1; 8190 8191 /* 8192 * Test against the PPPoE session link-layer type. 8193 */ 8194 b0 = gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOES); 8195 8196 /* If a specific session is requested, check PPPoE session id */ 8197 if (sess_num >= 0) { 8198 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, 8199 (bpf_int32)sess_num, 0x0000ffff); 8200 gen_and(b0, b1); 8201 b0 = b1; 8202 } 8203 8204 /* 8205 * Change the offsets to point to the type and data fields within 8206 * the PPP packet, and note that this is PPPoE rather than 8207 * raw PPP. 8208 * 8209 * XXX - this is a bit of a kludge. If we were to split the 8210 * compiler into a parser that parses an expression and 8211 * generates an expression tree, and a code generator that 8212 * takes an expression tree (which could come from our 8213 * parser or from some other parser) and generates BPF code, 8214 * we could perhaps make the offsets parameters of routines 8215 * and, in the handler for an "AND" node, pass to subnodes 8216 * other than the PPPoE node the adjusted offsets. 8217 * 8218 * This would mean that "pppoes" would, instead of changing the 8219 * behavior of *all* tests after it, change only the behavior 8220 * of tests ANDed with it. That would change the documented 8221 * semantics of "pppoes", which might break some expressions. 8222 * However, it would mean that "(pppoes and ip) or ip" would check 8223 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8224 * checking only for VLAN-encapsulated IP, so that could still 8225 * be considered worth doing; it wouldn't break expressions 8226 * that are of the form "pppoes and ..." which I suspect are the 8227 * most common expressions involving "pppoes". "pppoes or ..." 8228 * doesn't necessarily do what the user would really want, now, 8229 * as all the "or ..." tests would be done assuming PPPoE, even 8230 * though the "or" could be viewed as meaning "or, if this isn't 8231 * a PPPoE packet...". 8232 * 8233 * The "network-layer" protocol is PPPoE, which has a 6-byte 8234 * PPPoE header, followed by a PPP packet. 8235 * 8236 * There is no HDLC encapsulation for the PPP packet (it's 8237 * encapsulated in PPPoES instead), so the link-layer type 8238 * starts at the first byte of the PPP packet. For PPPoE, 8239 * that offset is relative to the beginning of the total 8240 * link-layer payload, including any 802.2 LLC header, so 8241 * it's 6 bytes past cstate->off_nl. 8242 */ 8243 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable, 8244 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */ 8245 cstate->off_linkpl.reg); 8246 8247 cstate->off_linktype = cstate->off_linkhdr; 8248 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2; 8249 8250 cstate->off_nl = 0; 8251 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 8252 8253 return b0; 8254 } 8255 8256 /* Check that this is Geneve and the VNI is correct if 8257 * specified. Parameterized to handle both IPv4 and IPv6. */ 8258 static struct block * 8259 gen_geneve_check(compiler_state_t *cstate, 8260 struct block *(*gen_portfn)(compiler_state_t *, int, int, int), 8261 enum e_offrel offrel, int vni) 8262 { 8263 struct block *b0, *b1; 8264 8265 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST); 8266 8267 /* Check that we are operating on version 0. Otherwise, we 8268 * can't decode the rest of the fields. The version is 2 bits 8269 * in the first byte of the Geneve header. */ 8270 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, (bpf_int32)0, 0xc0); 8271 gen_and(b0, b1); 8272 b0 = b1; 8273 8274 if (vni >= 0) { 8275 vni <<= 8; /* VNI is in the upper 3 bytes */ 8276 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, (bpf_int32)vni, 8277 0xffffff00); 8278 gen_and(b0, b1); 8279 b0 = b1; 8280 } 8281 8282 return b0; 8283 } 8284 8285 /* The IPv4 and IPv6 Geneve checks need to do two things: 8286 * - Verify that this actually is Geneve with the right VNI. 8287 * - Place the IP header length (plus variable link prefix if 8288 * needed) into register A to be used later to compute 8289 * the inner packet offsets. */ 8290 static struct block * 8291 gen_geneve4(compiler_state_t *cstate, int vni) 8292 { 8293 struct block *b0, *b1; 8294 struct slist *s, *s1; 8295 8296 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni); 8297 8298 /* Load the IP header length into A. */ 8299 s = gen_loadx_iphdrlen(cstate); 8300 8301 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 8302 sappend(s, s1); 8303 8304 /* Forcibly append these statements to the true condition 8305 * of the protocol check by creating a new block that is 8306 * always true and ANDing them. */ 8307 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8308 b1->stmts = s; 8309 b1->s.k = 0; 8310 8311 gen_and(b0, b1); 8312 8313 return b1; 8314 } 8315 8316 static struct block * 8317 gen_geneve6(compiler_state_t *cstate, int vni) 8318 { 8319 struct block *b0, *b1; 8320 struct slist *s, *s1; 8321 8322 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni); 8323 8324 /* Load the IP header length. We need to account for a 8325 * variable length link prefix if there is one. */ 8326 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 8327 if (s) { 8328 s1 = new_stmt(cstate, BPF_LD|BPF_IMM); 8329 s1->s.k = 40; 8330 sappend(s, s1); 8331 8332 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 8333 s1->s.k = 0; 8334 sappend(s, s1); 8335 } else { 8336 s = new_stmt(cstate, BPF_LD|BPF_IMM); 8337 s->s.k = 40; 8338 } 8339 8340 /* Forcibly append these statements to the true condition 8341 * of the protocol check by creating a new block that is 8342 * always true and ANDing them. */ 8343 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8344 sappend(s, s1); 8345 8346 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8347 b1->stmts = s; 8348 b1->s.k = 0; 8349 8350 gen_and(b0, b1); 8351 8352 return b1; 8353 } 8354 8355 /* We need to store three values based on the Geneve header:: 8356 * - The offset of the linktype. 8357 * - The offset of the end of the Geneve header. 8358 * - The offset of the end of the encapsulated MAC header. */ 8359 static struct slist * 8360 gen_geneve_offsets(compiler_state_t *cstate) 8361 { 8362 struct slist *s, *s1, *s_proto; 8363 8364 /* First we need to calculate the offset of the Geneve header 8365 * itself. This is composed of the IP header previously calculated 8366 * (include any variable link prefix) and stored in A plus the 8367 * fixed sized headers (fixed link prefix, MAC length, and UDP 8368 * header). */ 8369 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8370 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8; 8371 8372 /* Stash this in X since we'll need it later. */ 8373 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8374 sappend(s, s1); 8375 8376 /* The EtherType in Geneve is 2 bytes in. Calculate this and 8377 * store it. */ 8378 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8379 s1->s.k = 2; 8380 sappend(s, s1); 8381 8382 cstate->off_linktype.reg = alloc_reg(cstate); 8383 cstate->off_linktype.is_variable = 1; 8384 cstate->off_linktype.constant_part = 0; 8385 8386 s1 = new_stmt(cstate, BPF_ST); 8387 s1->s.k = cstate->off_linktype.reg; 8388 sappend(s, s1); 8389 8390 /* Load the Geneve option length and mask and shift to get the 8391 * number of bytes. It is stored in the first byte of the Geneve 8392 * header. */ 8393 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 8394 s1->s.k = 0; 8395 sappend(s, s1); 8396 8397 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 8398 s1->s.k = 0x3f; 8399 sappend(s, s1); 8400 8401 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 8402 s1->s.k = 4; 8403 sappend(s, s1); 8404 8405 /* Add in the rest of the Geneve base header. */ 8406 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8407 s1->s.k = 8; 8408 sappend(s, s1); 8409 8410 /* Add the Geneve header length to its offset and store. */ 8411 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 8412 s1->s.k = 0; 8413 sappend(s, s1); 8414 8415 /* Set the encapsulated type as Ethernet. Even though we may 8416 * not actually have Ethernet inside there are two reasons this 8417 * is useful: 8418 * - The linktype field is always in EtherType format regardless 8419 * of whether it is in Geneve or an inner Ethernet frame. 8420 * - The only link layer that we have specific support for is 8421 * Ethernet. We will confirm that the packet actually is 8422 * Ethernet at runtime before executing these checks. */ 8423 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate)); 8424 8425 s1 = new_stmt(cstate, BPF_ST); 8426 s1->s.k = cstate->off_linkhdr.reg; 8427 sappend(s, s1); 8428 8429 /* Calculate whether we have an Ethernet header or just raw IP/ 8430 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset 8431 * and linktype by 14 bytes so that the network header can be found 8432 * seamlessly. Otherwise, keep what we've calculated already. */ 8433 8434 /* We have a bare jmp so we can't use the optimizer. */ 8435 cstate->no_optimize = 1; 8436 8437 /* Load the EtherType in the Geneve header, 2 bytes in. */ 8438 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H); 8439 s1->s.k = 2; 8440 sappend(s, s1); 8441 8442 /* Load X with the end of the Geneve header. */ 8443 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 8444 s1->s.k = cstate->off_linkhdr.reg; 8445 sappend(s, s1); 8446 8447 /* Check if the EtherType is Transparent Ethernet Bridging. At the 8448 * end of this check, we should have the total length in X. In 8449 * the non-Ethernet case, it's already there. */ 8450 s_proto = new_stmt(cstate, JMP(BPF_JEQ)); 8451 s_proto->s.k = ETHERTYPE_TEB; 8452 sappend(s, s_proto); 8453 8454 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 8455 sappend(s, s1); 8456 s_proto->s.jt = s1; 8457 8458 /* Since this is Ethernet, use the EtherType of the payload 8459 * directly as the linktype. Overwrite what we already have. */ 8460 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8461 s1->s.k = 12; 8462 sappend(s, s1); 8463 8464 s1 = new_stmt(cstate, BPF_ST); 8465 s1->s.k = cstate->off_linktype.reg; 8466 sappend(s, s1); 8467 8468 /* Advance two bytes further to get the end of the Ethernet 8469 * header. */ 8470 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8471 s1->s.k = 2; 8472 sappend(s, s1); 8473 8474 /* Move the result to X. */ 8475 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8476 sappend(s, s1); 8477 8478 /* Store the final result of our linkpl calculation. */ 8479 cstate->off_linkpl.reg = alloc_reg(cstate); 8480 cstate->off_linkpl.is_variable = 1; 8481 cstate->off_linkpl.constant_part = 0; 8482 8483 s1 = new_stmt(cstate, BPF_STX); 8484 s1->s.k = cstate->off_linkpl.reg; 8485 sappend(s, s1); 8486 s_proto->s.jf = s1; 8487 8488 cstate->off_nl = 0; 8489 8490 return s; 8491 } 8492 8493 /* Check to see if this is a Geneve packet. */ 8494 struct block * 8495 gen_geneve(compiler_state_t *cstate, int vni) 8496 { 8497 struct block *b0, *b1; 8498 struct slist *s; 8499 8500 b0 = gen_geneve4(cstate, vni); 8501 b1 = gen_geneve6(cstate, vni); 8502 8503 gen_or(b0, b1); 8504 b0 = b1; 8505 8506 /* Later filters should act on the payload of the Geneve frame, 8507 * update all of the header pointers. Attach this code so that 8508 * it gets executed in the event that the Geneve filter matches. */ 8509 s = gen_geneve_offsets(cstate); 8510 8511 b1 = gen_true(cstate); 8512 sappend(s, b1->stmts); 8513 b1->stmts = s; 8514 8515 gen_and(b0, b1); 8516 8517 cstate->is_geneve = 1; 8518 8519 return b1; 8520 } 8521 8522 /* Check that the encapsulated frame has a link layer header 8523 * for Ethernet filters. */ 8524 static struct block * 8525 gen_geneve_ll_check(compiler_state_t *cstate) 8526 { 8527 struct block *b0; 8528 struct slist *s, *s1; 8529 8530 /* The easiest way to see if there is a link layer present 8531 * is to check if the link layer header and payload are not 8532 * the same. */ 8533 8534 /* Geneve always generates pure variable offsets so we can 8535 * compare only the registers. */ 8536 s = new_stmt(cstate, BPF_LD|BPF_MEM); 8537 s->s.k = cstate->off_linkhdr.reg; 8538 8539 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 8540 s1->s.k = cstate->off_linkpl.reg; 8541 sappend(s, s1); 8542 8543 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8544 b0->stmts = s; 8545 b0->s.k = 0; 8546 gen_not(b0); 8547 8548 return b0; 8549 } 8550 8551 struct block * 8552 gen_atmfield_code(compiler_state_t *cstate, int atmfield, bpf_int32 jvalue, 8553 bpf_u_int32 jtype, int reverse) 8554 { 8555 struct block *b0; 8556 8557 switch (atmfield) { 8558 8559 case A_VPI: 8560 if (!cstate->is_atm) 8561 bpf_error(cstate, "'vpi' supported only on raw ATM"); 8562 if (cstate->off_vpi == (u_int)-1) 8563 abort(); 8564 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 0xffffffff, jtype, 8565 reverse, jvalue); 8566 break; 8567 8568 case A_VCI: 8569 if (!cstate->is_atm) 8570 bpf_error(cstate, "'vci' supported only on raw ATM"); 8571 if (cstate->off_vci == (u_int)-1) 8572 abort(); 8573 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 0xffffffff, jtype, 8574 reverse, jvalue); 8575 break; 8576 8577 case A_PROTOTYPE: 8578 if (cstate->off_proto == (u_int)-1) 8579 abort(); /* XXX - this isn't on FreeBSD */ 8580 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0x0f, jtype, 8581 reverse, jvalue); 8582 break; 8583 8584 case A_MSGTYPE: 8585 if (cstate->off_payload == (u_int)-1) 8586 abort(); 8587 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B, 8588 0xffffffff, jtype, reverse, jvalue); 8589 break; 8590 8591 case A_CALLREFTYPE: 8592 if (!cstate->is_atm) 8593 bpf_error(cstate, "'callref' supported only on raw ATM"); 8594 if (cstate->off_proto == (u_int)-1) 8595 abort(); 8596 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0xffffffff, 8597 jtype, reverse, jvalue); 8598 break; 8599 8600 default: 8601 abort(); 8602 } 8603 return b0; 8604 } 8605 8606 struct block * 8607 gen_atmtype_abbrev(compiler_state_t *cstate, int type) 8608 { 8609 struct block *b0, *b1; 8610 8611 switch (type) { 8612 8613 case A_METAC: 8614 /* Get all packets in Meta signalling Circuit */ 8615 if (!cstate->is_atm) 8616 bpf_error(cstate, "'metac' supported only on raw ATM"); 8617 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8618 b1 = gen_atmfield_code(cstate, A_VCI, 1, BPF_JEQ, 0); 8619 gen_and(b0, b1); 8620 break; 8621 8622 case A_BCC: 8623 /* Get all packets in Broadcast Circuit*/ 8624 if (!cstate->is_atm) 8625 bpf_error(cstate, "'bcc' supported only on raw ATM"); 8626 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8627 b1 = gen_atmfield_code(cstate, A_VCI, 2, BPF_JEQ, 0); 8628 gen_and(b0, b1); 8629 break; 8630 8631 case A_OAMF4SC: 8632 /* Get all cells in Segment OAM F4 circuit*/ 8633 if (!cstate->is_atm) 8634 bpf_error(cstate, "'oam4sc' supported only on raw ATM"); 8635 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8636 b1 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0); 8637 gen_and(b0, b1); 8638 break; 8639 8640 case A_OAMF4EC: 8641 /* Get all cells in End-to-End OAM F4 Circuit*/ 8642 if (!cstate->is_atm) 8643 bpf_error(cstate, "'oam4ec' supported only on raw ATM"); 8644 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8645 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0); 8646 gen_and(b0, b1); 8647 break; 8648 8649 case A_SC: 8650 /* Get all packets in connection Signalling Circuit */ 8651 if (!cstate->is_atm) 8652 bpf_error(cstate, "'sc' supported only on raw ATM"); 8653 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8654 b1 = gen_atmfield_code(cstate, A_VCI, 5, BPF_JEQ, 0); 8655 gen_and(b0, b1); 8656 break; 8657 8658 case A_ILMIC: 8659 /* Get all packets in ILMI Circuit */ 8660 if (!cstate->is_atm) 8661 bpf_error(cstate, "'ilmic' supported only on raw ATM"); 8662 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8663 b1 = gen_atmfield_code(cstate, A_VCI, 16, BPF_JEQ, 0); 8664 gen_and(b0, b1); 8665 break; 8666 8667 case A_LANE: 8668 /* Get all LANE packets */ 8669 if (!cstate->is_atm) 8670 bpf_error(cstate, "'lane' supported only on raw ATM"); 8671 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8672 8673 /* 8674 * Arrange that all subsequent tests assume LANE 8675 * rather than LLC-encapsulated packets, and set 8676 * the offsets appropriately for LANE-encapsulated 8677 * Ethernet. 8678 * 8679 * We assume LANE means Ethernet, not Token Ring. 8680 */ 8681 PUSH_LINKHDR(cstate, DLT_EN10MB, 0, 8682 cstate->off_payload + 2, /* Ethernet header */ 8683 -1); 8684 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 8685 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */ 8686 cstate->off_nl = 0; /* Ethernet II */ 8687 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 8688 break; 8689 8690 case A_LLC: 8691 /* Get all LLC-encapsulated packets */ 8692 if (!cstate->is_atm) 8693 bpf_error(cstate, "'llc' supported only on raw ATM"); 8694 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8695 cstate->linktype = cstate->prevlinktype; 8696 break; 8697 8698 default: 8699 abort(); 8700 } 8701 return b1; 8702 } 8703 8704 /* 8705 * Filtering for MTP2 messages based on li value 8706 * FISU, length is null 8707 * LSSU, length is 1 or 2 8708 * MSU, length is 3 or more 8709 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 8710 */ 8711 struct block * 8712 gen_mtp2type_abbrev(compiler_state_t *cstate, int type) 8713 { 8714 struct block *b0, *b1; 8715 8716 switch (type) { 8717 8718 case M_FISU: 8719 if ( (cstate->linktype != DLT_MTP2) && 8720 (cstate->linktype != DLT_ERF) && 8721 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8722 bpf_error(cstate, "'fisu' supported only on MTP2"); 8723 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 8724 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8725 break; 8726 8727 case M_LSSU: 8728 if ( (cstate->linktype != DLT_MTP2) && 8729 (cstate->linktype != DLT_ERF) && 8730 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8731 bpf_error(cstate, "'lssu' supported only on MTP2"); 8732 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8733 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8734 gen_and(b1, b0); 8735 break; 8736 8737 case M_MSU: 8738 if ( (cstate->linktype != DLT_MTP2) && 8739 (cstate->linktype != DLT_ERF) && 8740 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8741 bpf_error(cstate, "'msu' supported only on MTP2"); 8742 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8743 break; 8744 8745 case MH_FISU: 8746 if ( (cstate->linktype != DLT_MTP2) && 8747 (cstate->linktype != DLT_ERF) && 8748 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8749 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL"); 8750 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 8751 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 8752 break; 8753 8754 case MH_LSSU: 8755 if ( (cstate->linktype != DLT_MTP2) && 8756 (cstate->linktype != DLT_ERF) && 8757 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8758 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL"); 8759 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 8760 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 8761 gen_and(b1, b0); 8762 break; 8763 8764 case MH_MSU: 8765 if ( (cstate->linktype != DLT_MTP2) && 8766 (cstate->linktype != DLT_ERF) && 8767 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8768 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL"); 8769 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 8770 break; 8771 8772 default: 8773 abort(); 8774 } 8775 return b0; 8776 } 8777 8778 struct block * 8779 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, bpf_u_int32 jvalue, 8780 bpf_u_int32 jtype, int reverse) 8781 { 8782 struct block *b0; 8783 bpf_u_int32 val1 , val2 , val3; 8784 u_int newoff_sio = cstate->off_sio; 8785 u_int newoff_opc = cstate->off_opc; 8786 u_int newoff_dpc = cstate->off_dpc; 8787 u_int newoff_sls = cstate->off_sls; 8788 8789 switch (mtp3field) { 8790 8791 case MH_SIO: 8792 newoff_sio += 3; /* offset for MTP2_HSL */ 8793 /* FALLTHROUGH */ 8794 8795 case M_SIO: 8796 if (cstate->off_sio == (u_int)-1) 8797 bpf_error(cstate, "'sio' supported only on SS7"); 8798 /* sio coded on 1 byte so max value 255 */ 8799 if(jvalue > 255) 8800 bpf_error(cstate, "sio value %u too big; max value = 255", 8801 jvalue); 8802 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 8803 (u_int)jtype, reverse, (u_int)jvalue); 8804 break; 8805 8806 case MH_OPC: 8807 newoff_opc+=3; 8808 case M_OPC: 8809 if (cstate->off_opc == (u_int)-1) 8810 bpf_error(cstate, "'opc' supported only on SS7"); 8811 /* opc coded on 14 bits so max value 16383 */ 8812 if (jvalue > 16383) 8813 bpf_error(cstate, "opc value %u too big; max value = 16383", 8814 jvalue); 8815 /* the following instructions are made to convert jvalue 8816 * to the form used to write opc in an ss7 message*/ 8817 val1 = jvalue & 0x00003c00; 8818 val1 = val1 >>10; 8819 val2 = jvalue & 0x000003fc; 8820 val2 = val2 <<6; 8821 val3 = jvalue & 0x00000003; 8822 val3 = val3 <<22; 8823 jvalue = val1 + val2 + val3; 8824 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 8825 (u_int)jtype, reverse, (u_int)jvalue); 8826 break; 8827 8828 case MH_DPC: 8829 newoff_dpc += 3; 8830 /* FALLTHROUGH */ 8831 8832 case M_DPC: 8833 if (cstate->off_dpc == (u_int)-1) 8834 bpf_error(cstate, "'dpc' supported only on SS7"); 8835 /* dpc coded on 14 bits so max value 16383 */ 8836 if (jvalue > 16383) 8837 bpf_error(cstate, "dpc value %u too big; max value = 16383", 8838 jvalue); 8839 /* the following instructions are made to convert jvalue 8840 * to the forme used to write dpc in an ss7 message*/ 8841 val1 = jvalue & 0x000000ff; 8842 val1 = val1 << 24; 8843 val2 = jvalue & 0x00003f00; 8844 val2 = val2 << 8; 8845 jvalue = val1 + val2; 8846 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 8847 (u_int)jtype, reverse, (u_int)jvalue); 8848 break; 8849 8850 case MH_SLS: 8851 newoff_sls+=3; 8852 case M_SLS: 8853 if (cstate->off_sls == (u_int)-1) 8854 bpf_error(cstate, "'sls' supported only on SS7"); 8855 /* sls coded on 4 bits so max value 15 */ 8856 if (jvalue > 15) 8857 bpf_error(cstate, "sls value %u too big; max value = 15", 8858 jvalue); 8859 /* the following instruction is made to convert jvalue 8860 * to the forme used to write sls in an ss7 message*/ 8861 jvalue = jvalue << 4; 8862 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0, 8863 (u_int)jtype,reverse, (u_int)jvalue); 8864 break; 8865 8866 default: 8867 abort(); 8868 } 8869 return b0; 8870 } 8871 8872 static struct block * 8873 gen_msg_abbrev(compiler_state_t *cstate, int type) 8874 { 8875 struct block *b1; 8876 8877 /* 8878 * Q.2931 signalling protocol messages for handling virtual circuits 8879 * establishment and teardown 8880 */ 8881 switch (type) { 8882 8883 case A_SETUP: 8884 b1 = gen_atmfield_code(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0); 8885 break; 8886 8887 case A_CALLPROCEED: 8888 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8889 break; 8890 8891 case A_CONNECT: 8892 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8893 break; 8894 8895 case A_CONNECTACK: 8896 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8897 break; 8898 8899 case A_RELEASE: 8900 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8901 break; 8902 8903 case A_RELEASE_DONE: 8904 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8905 break; 8906 8907 default: 8908 abort(); 8909 } 8910 return b1; 8911 } 8912 8913 struct block * 8914 gen_atmmulti_abbrev(compiler_state_t *cstate, int type) 8915 { 8916 struct block *b0, *b1; 8917 8918 switch (type) { 8919 8920 case A_OAM: 8921 if (!cstate->is_atm) 8922 bpf_error(cstate, "'oam' supported only on raw ATM"); 8923 b1 = gen_atmmulti_abbrev(cstate, A_OAMF4); 8924 break; 8925 8926 case A_OAMF4: 8927 if (!cstate->is_atm) 8928 bpf_error(cstate, "'oamf4' supported only on raw ATM"); 8929 /* OAM F4 type */ 8930 b0 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0); 8931 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0); 8932 gen_or(b0, b1); 8933 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8934 gen_and(b0, b1); 8935 break; 8936 8937 case A_CONNECTMSG: 8938 /* 8939 * Get Q.2931 signalling messages for switched 8940 * virtual connection 8941 */ 8942 if (!cstate->is_atm) 8943 bpf_error(cstate, "'connectmsg' supported only on raw ATM"); 8944 b0 = gen_msg_abbrev(cstate, A_SETUP); 8945 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 8946 gen_or(b0, b1); 8947 b0 = gen_msg_abbrev(cstate, A_CONNECT); 8948 gen_or(b0, b1); 8949 b0 = gen_msg_abbrev(cstate, A_CONNECTACK); 8950 gen_or(b0, b1); 8951 b0 = gen_msg_abbrev(cstate, A_RELEASE); 8952 gen_or(b0, b1); 8953 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 8954 gen_or(b0, b1); 8955 b0 = gen_atmtype_abbrev(cstate, A_SC); 8956 gen_and(b0, b1); 8957 break; 8958 8959 case A_METACONNECT: 8960 if (!cstate->is_atm) 8961 bpf_error(cstate, "'metaconnect' supported only on raw ATM"); 8962 b0 = gen_msg_abbrev(cstate, A_SETUP); 8963 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 8964 gen_or(b0, b1); 8965 b0 = gen_msg_abbrev(cstate, A_CONNECT); 8966 gen_or(b0, b1); 8967 b0 = gen_msg_abbrev(cstate, A_RELEASE); 8968 gen_or(b0, b1); 8969 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 8970 gen_or(b0, b1); 8971 b0 = gen_atmtype_abbrev(cstate, A_METAC); 8972 gen_and(b0, b1); 8973 break; 8974 8975 default: 8976 abort(); 8977 } 8978 return b1; 8979 } 8980