1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * $FreeBSD$ 23 */ 24 #ifndef lint 25 static const char rcsid[] _U_ = 26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.53 2007/09/12 19:17:24 guy Exp $ (LBL)"; 27 #endif 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef WIN32 34 #include <pcap-stdinc.h> 35 #else /* WIN32 */ 36 #include <sys/types.h> 37 #include <sys/socket.h> 38 #endif /* WIN32 */ 39 40 /* 41 * XXX - why was this included even on UNIX? 42 */ 43 #ifdef __MINGW32__ 44 #include "IP6_misc.h" 45 #endif 46 47 #ifndef WIN32 48 49 #ifdef __NetBSD__ 50 #include <sys/param.h> 51 #endif 52 53 #include <netinet/in.h> 54 55 #endif /* WIN32 */ 56 57 #include <stdlib.h> 58 #include <string.h> 59 #include <memory.h> 60 #include <setjmp.h> 61 #include <stdarg.h> 62 63 #ifdef MSDOS 64 #include "pcap-dos.h" 65 #endif 66 67 #include "pcap-int.h" 68 69 #include "ethertype.h" 70 #include "nlpid.h" 71 #include "llc.h" 72 #include "gencode.h" 73 #include "atmuni31.h" 74 #include "sunatmpos.h" 75 #include "ppp.h" 76 #include "sll.h" 77 #include "arcnet.h" 78 #ifdef HAVE_NET_PFVAR_H 79 #include <sys/socket.h> 80 #include <net/if.h> 81 #include <net/pfvar.h> 82 #include <net/if_pflog.h> 83 #endif 84 #ifndef offsetof 85 #define offsetof(s, e) ((size_t)&((s *)0)->e) 86 #endif 87 #ifdef INET6 88 #ifndef WIN32 89 #include <netdb.h> /* for "struct addrinfo" */ 90 #endif /* WIN32 */ 91 #endif /*INET6*/ 92 #include <pcap-namedb.h> 93 94 #define ETHERMTU 1500 95 96 #ifndef IPPROTO_SCTP 97 #define IPPROTO_SCTP 132 98 #endif 99 100 #ifdef HAVE_OS_PROTO_H 101 #include "os-proto.h" 102 #endif 103 104 #define JMP(c) ((c)|BPF_JMP|BPF_K) 105 106 /* Locals */ 107 static jmp_buf top_ctx; 108 static pcap_t *bpf_pcap; 109 110 #ifdef WIN32 111 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 112 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 113 #else 114 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 115 #endif 116 117 /* XXX */ 118 #ifdef PCAP_FDDIPAD 119 static int pcap_fddipad; 120 #endif 121 122 /* VARARGS */ 123 void 124 bpf_error(const char *fmt, ...) 125 { 126 va_list ap; 127 128 va_start(ap, fmt); 129 if (bpf_pcap != NULL) 130 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 131 fmt, ap); 132 va_end(ap); 133 longjmp(top_ctx, 1); 134 /* NOTREACHED */ 135 } 136 137 static void init_linktype(pcap_t *); 138 139 static int alloc_reg(void); 140 static void free_reg(int); 141 142 static struct block *root; 143 144 /* 145 * Value passed to gen_load_a() to indicate what the offset argument 146 * is relative to. 147 */ 148 enum e_offrel { 149 OR_PACKET, /* relative to the beginning of the packet */ 150 OR_LINK, /* relative to the link-layer header */ 151 OR_NET, /* relative to the network-layer header */ 152 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 153 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 154 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 155 }; 156 157 /* 158 * We divy out chunks of memory rather than call malloc each time so 159 * we don't have to worry about leaking memory. It's probably 160 * not a big deal if all this memory was wasted but if this ever 161 * goes into a library that would probably not be a good idea. 162 * 163 * XXX - this *is* in a library.... 164 */ 165 #define NCHUNKS 16 166 #define CHUNK0SIZE 1024 167 struct chunk { 168 u_int n_left; 169 void *m; 170 }; 171 172 static struct chunk chunks[NCHUNKS]; 173 static int cur_chunk; 174 175 static void *newchunk(u_int); 176 static void freechunks(void); 177 static inline struct block *new_block(int); 178 static inline struct slist *new_stmt(int); 179 static struct block *gen_retblk(int); 180 static inline void syntax(void); 181 182 static void backpatch(struct block *, struct block *); 183 static void merge(struct block *, struct block *); 184 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 185 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 186 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 187 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 188 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 189 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 190 bpf_u_int32); 191 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 192 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 193 bpf_u_int32, bpf_u_int32, int, bpf_int32); 194 static struct slist *gen_load_llrel(u_int, u_int); 195 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 196 static struct slist *gen_loadx_iphdrlen(void); 197 static struct block *gen_uncond(int); 198 static inline struct block *gen_true(void); 199 static inline struct block *gen_false(void); 200 static struct block *gen_ether_linktype(int); 201 static struct block *gen_linux_sll_linktype(int); 202 static void insert_radiotap_load_llprefixlen(struct block *); 203 static void insert_ppi_load_llprefixlen(struct block *); 204 static void insert_load_llprefixlen(struct block *); 205 static struct slist *gen_llprefixlen(void); 206 static struct block *gen_linktype(int); 207 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int); 208 static struct block *gen_llc_linktype(int); 209 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 210 #ifdef INET6 211 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 212 #endif 213 static struct block *gen_ahostop(const u_char *, int); 214 static struct block *gen_ehostop(const u_char *, int); 215 static struct block *gen_fhostop(const u_char *, int); 216 static struct block *gen_thostop(const u_char *, int); 217 static struct block *gen_wlanhostop(const u_char *, int); 218 static struct block *gen_ipfchostop(const u_char *, int); 219 static struct block *gen_dnhostop(bpf_u_int32, int); 220 static struct block *gen_mpls_linktype(int); 221 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 222 #ifdef INET6 223 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 224 #endif 225 #ifndef INET6 226 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 227 #endif 228 static struct block *gen_ipfrag(void); 229 static struct block *gen_portatom(int, bpf_int32); 230 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 231 #ifdef INET6 232 static struct block *gen_portatom6(int, bpf_int32); 233 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 234 #endif 235 struct block *gen_portop(int, int, int); 236 static struct block *gen_port(int, int, int); 237 struct block *gen_portrangeop(int, int, int, int); 238 static struct block *gen_portrange(int, int, int, int); 239 #ifdef INET6 240 struct block *gen_portop6(int, int, int); 241 static struct block *gen_port6(int, int, int); 242 struct block *gen_portrangeop6(int, int, int, int); 243 static struct block *gen_portrange6(int, int, int, int); 244 #endif 245 static int lookup_proto(const char *, int); 246 static struct block *gen_protochain(int, int, int); 247 static struct block *gen_proto(int, int, int); 248 static struct slist *xfer_to_x(struct arth *); 249 static struct slist *xfer_to_a(struct arth *); 250 static struct block *gen_mac_multicast(int); 251 static struct block *gen_len(int, int); 252 253 static struct block *gen_ppi_dlt_check(void); 254 static struct block *gen_msg_abbrev(int type); 255 256 static void * 257 newchunk(n) 258 u_int n; 259 { 260 struct chunk *cp; 261 int k; 262 size_t size; 263 264 #ifndef __NetBSD__ 265 /* XXX Round up to nearest long. */ 266 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 267 #else 268 /* XXX Round up to structure boundary. */ 269 n = ALIGN(n); 270 #endif 271 272 cp = &chunks[cur_chunk]; 273 if (n > cp->n_left) { 274 ++cp, k = ++cur_chunk; 275 if (k >= NCHUNKS) 276 bpf_error("out of memory"); 277 size = CHUNK0SIZE << k; 278 cp->m = (void *)malloc(size); 279 if (cp->m == NULL) 280 bpf_error("out of memory"); 281 memset((char *)cp->m, 0, size); 282 cp->n_left = size; 283 if (n > size) 284 bpf_error("out of memory"); 285 } 286 cp->n_left -= n; 287 return (void *)((char *)cp->m + cp->n_left); 288 } 289 290 static void 291 freechunks() 292 { 293 int i; 294 295 cur_chunk = 0; 296 for (i = 0; i < NCHUNKS; ++i) 297 if (chunks[i].m != NULL) { 298 free(chunks[i].m); 299 chunks[i].m = NULL; 300 } 301 } 302 303 /* 304 * A strdup whose allocations are freed after code generation is over. 305 */ 306 char * 307 sdup(s) 308 register const char *s; 309 { 310 int n = strlen(s) + 1; 311 char *cp = newchunk(n); 312 313 strlcpy(cp, s, n); 314 return (cp); 315 } 316 317 static inline struct block * 318 new_block(code) 319 int code; 320 { 321 struct block *p; 322 323 p = (struct block *)newchunk(sizeof(*p)); 324 p->s.code = code; 325 p->head = p; 326 327 return p; 328 } 329 330 static inline struct slist * 331 new_stmt(code) 332 int code; 333 { 334 struct slist *p; 335 336 p = (struct slist *)newchunk(sizeof(*p)); 337 p->s.code = code; 338 339 return p; 340 } 341 342 static struct block * 343 gen_retblk(v) 344 int v; 345 { 346 struct block *b = new_block(BPF_RET|BPF_K); 347 348 b->s.k = v; 349 return b; 350 } 351 352 static inline void 353 syntax() 354 { 355 bpf_error("syntax error in filter expression"); 356 } 357 358 static bpf_u_int32 netmask; 359 static int snaplen; 360 int no_optimize; 361 362 int 363 pcap_compile(pcap_t *p, struct bpf_program *program, 364 const char *buf, int optimize, bpf_u_int32 mask) 365 { 366 extern int n_errors; 367 const char * volatile xbuf = buf; 368 int len; 369 370 no_optimize = 0; 371 n_errors = 0; 372 root = NULL; 373 bpf_pcap = p; 374 if (setjmp(top_ctx)) { 375 lex_cleanup(); 376 freechunks(); 377 return (-1); 378 } 379 380 netmask = mask; 381 382 snaplen = pcap_snapshot(p); 383 if (snaplen == 0) { 384 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 385 "snaplen of 0 rejects all packets"); 386 return -1; 387 } 388 389 lex_init(xbuf ? xbuf : ""); 390 init_linktype(p); 391 (void)pcap_parse(); 392 393 if (n_errors) 394 syntax(); 395 396 if (root == NULL) 397 root = gen_retblk(snaplen); 398 399 if (optimize && !no_optimize) { 400 bpf_optimize(&root); 401 if (root == NULL || 402 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 403 bpf_error("expression rejects all packets"); 404 } 405 program->bf_insns = icode_to_fcode(root, &len); 406 program->bf_len = len; 407 408 lex_cleanup(); 409 freechunks(); 410 return (0); 411 } 412 413 /* 414 * entry point for using the compiler with no pcap open 415 * pass in all the stuff that is needed explicitly instead. 416 */ 417 int 418 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 419 struct bpf_program *program, 420 const char *buf, int optimize, bpf_u_int32 mask) 421 { 422 pcap_t *p; 423 int ret; 424 425 p = pcap_open_dead(linktype_arg, snaplen_arg); 426 if (p == NULL) 427 return (-1); 428 ret = pcap_compile(p, program, buf, optimize, mask); 429 pcap_close(p); 430 return (ret); 431 } 432 433 /* 434 * Clean up a "struct bpf_program" by freeing all the memory allocated 435 * in it. 436 */ 437 void 438 pcap_freecode(struct bpf_program *program) 439 { 440 program->bf_len = 0; 441 if (program->bf_insns != NULL) { 442 free((char *)program->bf_insns); 443 program->bf_insns = NULL; 444 } 445 } 446 447 /* 448 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 449 * which of the jt and jf fields has been resolved and which is a pointer 450 * back to another unresolved block (or nil). At least one of the fields 451 * in each block is already resolved. 452 */ 453 static void 454 backpatch(list, target) 455 struct block *list, *target; 456 { 457 struct block *next; 458 459 while (list) { 460 if (!list->sense) { 461 next = JT(list); 462 JT(list) = target; 463 } else { 464 next = JF(list); 465 JF(list) = target; 466 } 467 list = next; 468 } 469 } 470 471 /* 472 * Merge the lists in b0 and b1, using the 'sense' field to indicate 473 * which of jt and jf is the link. 474 */ 475 static void 476 merge(b0, b1) 477 struct block *b0, *b1; 478 { 479 register struct block **p = &b0; 480 481 /* Find end of list. */ 482 while (*p) 483 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 484 485 /* Concatenate the lists. */ 486 *p = b1; 487 } 488 489 490 void 491 finish_parse(p) 492 struct block *p; 493 { 494 struct block *ppi_dlt_check; 495 496 ppi_dlt_check = gen_ppi_dlt_check(); 497 498 if (ppi_dlt_check != NULL) 499 { 500 gen_and(ppi_dlt_check, p); 501 } 502 503 backpatch(p, gen_retblk(snaplen)); 504 p->sense = !p->sense; 505 backpatch(p, gen_retblk(0)); 506 root = p->head; 507 508 /* 509 * Insert before the statements of the first (root) block any 510 * statements needed to load the lengths of any variable-length 511 * headers into registers. 512 * 513 * XXX - a fancier strategy would be to insert those before the 514 * statements of all blocks that use those lengths and that 515 * have no predecessors that use them, so that we only compute 516 * the lengths if we need them. There might be even better 517 * approaches than that. However, as we're currently only 518 * handling variable-length radiotap headers, and as all 519 * filtering expressions other than raw link[M:N] tests 520 * require the length of that header, doing more for that 521 * header length isn't really worth the effort. 522 */ 523 524 insert_load_llprefixlen(root); 525 } 526 527 void 528 gen_and(b0, b1) 529 struct block *b0, *b1; 530 { 531 backpatch(b0, b1->head); 532 b0->sense = !b0->sense; 533 b1->sense = !b1->sense; 534 merge(b1, b0); 535 b1->sense = !b1->sense; 536 b1->head = b0->head; 537 } 538 539 void 540 gen_or(b0, b1) 541 struct block *b0, *b1; 542 { 543 b0->sense = !b0->sense; 544 backpatch(b0, b1->head); 545 b0->sense = !b0->sense; 546 merge(b1, b0); 547 b1->head = b0->head; 548 } 549 550 void 551 gen_not(b) 552 struct block *b; 553 { 554 b->sense = !b->sense; 555 } 556 557 static struct block * 558 gen_cmp(offrel, offset, size, v) 559 enum e_offrel offrel; 560 u_int offset, size; 561 bpf_int32 v; 562 { 563 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 564 } 565 566 static struct block * 567 gen_cmp_gt(offrel, offset, size, v) 568 enum e_offrel offrel; 569 u_int offset, size; 570 bpf_int32 v; 571 { 572 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 573 } 574 575 static struct block * 576 gen_cmp_ge(offrel, offset, size, v) 577 enum e_offrel offrel; 578 u_int offset, size; 579 bpf_int32 v; 580 { 581 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 582 } 583 584 static struct block * 585 gen_cmp_lt(offrel, offset, size, v) 586 enum e_offrel offrel; 587 u_int offset, size; 588 bpf_int32 v; 589 { 590 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 591 } 592 593 static struct block * 594 gen_cmp_le(offrel, offset, size, v) 595 enum e_offrel offrel; 596 u_int offset, size; 597 bpf_int32 v; 598 { 599 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 600 } 601 602 static struct block * 603 gen_mcmp(offrel, offset, size, v, mask) 604 enum e_offrel offrel; 605 u_int offset, size; 606 bpf_int32 v; 607 bpf_u_int32 mask; 608 { 609 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 610 } 611 612 static struct block * 613 gen_bcmp(offrel, offset, size, v) 614 enum e_offrel offrel; 615 register u_int offset, size; 616 register const u_char *v; 617 { 618 register struct block *b, *tmp; 619 620 b = NULL; 621 while (size >= 4) { 622 register const u_char *p = &v[size - 4]; 623 bpf_int32 w = ((bpf_int32)p[0] << 24) | 624 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 625 626 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 627 if (b != NULL) 628 gen_and(b, tmp); 629 b = tmp; 630 size -= 4; 631 } 632 while (size >= 2) { 633 register const u_char *p = &v[size - 2]; 634 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 635 636 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 637 if (b != NULL) 638 gen_and(b, tmp); 639 b = tmp; 640 size -= 2; 641 } 642 if (size > 0) { 643 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 644 if (b != NULL) 645 gen_and(b, tmp); 646 b = tmp; 647 } 648 return b; 649 } 650 651 /* 652 * AND the field of size "size" at offset "offset" relative to the header 653 * specified by "offrel" with "mask", and compare it with the value "v" 654 * with the test specified by "jtype"; if "reverse" is true, the test 655 * should test the opposite of "jtype". 656 */ 657 static struct block * 658 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 659 enum e_offrel offrel; 660 bpf_int32 v; 661 bpf_u_int32 offset, size, mask, jtype; 662 int reverse; 663 { 664 struct slist *s, *s2; 665 struct block *b; 666 667 s = gen_load_a(offrel, offset, size); 668 669 if (mask != 0xffffffff) { 670 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 671 s2->s.k = mask; 672 sappend(s, s2); 673 } 674 675 b = new_block(JMP(jtype)); 676 b->stmts = s; 677 b->s.k = v; 678 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 679 gen_not(b); 680 return b; 681 } 682 683 /* 684 * Various code constructs need to know the layout of the data link 685 * layer. These variables give the necessary offsets from the beginning 686 * of the packet data. 687 * 688 * If the link layer has variable_length headers, the offsets are offsets 689 * from the end of the link-link-layer header, and "reg_ll_size" is 690 * the register number for a register containing the length of the 691 * link-layer header. Otherwise, "reg_ll_size" is -1. 692 */ 693 static int reg_ll_size; 694 695 /* 696 * This is the offset of the beginning of the link-layer header from 697 * the beginning of the raw packet data. 698 * 699 * It's usually 0, except for 802.11 with a fixed-length radio header. 700 * (For 802.11 with a variable-length radio header, we have to generate 701 * code to compute that offset; off_ll is 0 in that case.) 702 */ 703 static u_int off_ll; 704 705 /* 706 * This is the offset of the beginning of the MAC-layer header. 707 * It's usually 0, except for ATM LANE, where it's the offset, relative 708 * to the beginning of the raw packet data, of the Ethernet header. 709 */ 710 static u_int off_mac; 711 712 /* 713 * "off_linktype" is the offset to information in the link-layer header 714 * giving the packet type. This offset is relative to the beginning 715 * of the link-layer header (i.e., it doesn't include off_ll). 716 * 717 * For Ethernet, it's the offset of the Ethernet type field. 718 * 719 * For link-layer types that always use 802.2 headers, it's the 720 * offset of the LLC header. 721 * 722 * For PPP, it's the offset of the PPP type field. 723 * 724 * For Cisco HDLC, it's the offset of the CHDLC type field. 725 * 726 * For BSD loopback, it's the offset of the AF_ value. 727 * 728 * For Linux cooked sockets, it's the offset of the type field. 729 * 730 * It's set to -1 for no encapsulation, in which case, IP is assumed. 731 */ 732 static u_int off_linktype; 733 734 /* 735 * TRUE if the link layer includes an ATM pseudo-header. 736 */ 737 static int is_atm = 0; 738 739 /* 740 * TRUE if "lane" appeared in the filter; it causes us to generate 741 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 742 */ 743 static int is_lane = 0; 744 745 /* 746 * These are offsets for the ATM pseudo-header. 747 */ 748 static u_int off_vpi; 749 static u_int off_vci; 750 static u_int off_proto; 751 752 /* 753 * These are offsets for the MTP2 fields. 754 */ 755 static u_int off_li; 756 757 /* 758 * These are offsets for the MTP3 fields. 759 */ 760 static u_int off_sio; 761 static u_int off_opc; 762 static u_int off_dpc; 763 static u_int off_sls; 764 765 /* 766 * This is the offset of the first byte after the ATM pseudo_header, 767 * or -1 if there is no ATM pseudo-header. 768 */ 769 static u_int off_payload; 770 771 /* 772 * These are offsets to the beginning of the network-layer header. 773 * They are relative to the beginning of the link-layer header (i.e., 774 * they don't include off_ll). 775 * 776 * If the link layer never uses 802.2 LLC: 777 * 778 * "off_nl" and "off_nl_nosnap" are the same. 779 * 780 * If the link layer always uses 802.2 LLC: 781 * 782 * "off_nl" is the offset if there's a SNAP header following 783 * the 802.2 header; 784 * 785 * "off_nl_nosnap" is the offset if there's no SNAP header. 786 * 787 * If the link layer is Ethernet: 788 * 789 * "off_nl" is the offset if the packet is an Ethernet II packet 790 * (we assume no 802.3+802.2+SNAP); 791 * 792 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 793 * with an 802.2 header following it. 794 */ 795 static u_int off_nl; 796 static u_int off_nl_nosnap; 797 798 static int linktype; 799 800 static void 801 init_linktype(p) 802 pcap_t *p; 803 { 804 linktype = pcap_datalink(p); 805 #ifdef PCAP_FDDIPAD 806 pcap_fddipad = p->fddipad; 807 #endif 808 809 /* 810 * Assume it's not raw ATM with a pseudo-header, for now. 811 */ 812 off_mac = 0; 813 is_atm = 0; 814 is_lane = 0; 815 off_vpi = -1; 816 off_vci = -1; 817 off_proto = -1; 818 off_payload = -1; 819 820 /* 821 * And assume we're not doing SS7. 822 */ 823 off_li = -1; 824 off_sio = -1; 825 off_opc = -1; 826 off_dpc = -1; 827 off_sls = -1; 828 829 /* 830 * Also assume it's not 802.11 with a fixed-length radio header. 831 */ 832 off_ll = 0; 833 834 orig_linktype = -1; 835 orig_nl = -1; 836 label_stack_depth = 0; 837 838 reg_ll_size = -1; 839 840 switch (linktype) { 841 842 case DLT_ARCNET: 843 off_linktype = 2; 844 off_nl = 6; /* XXX in reality, variable! */ 845 off_nl_nosnap = 6; /* no 802.2 LLC */ 846 return; 847 848 case DLT_ARCNET_LINUX: 849 off_linktype = 4; 850 off_nl = 8; /* XXX in reality, variable! */ 851 off_nl_nosnap = 8; /* no 802.2 LLC */ 852 return; 853 854 case DLT_EN10MB: 855 off_linktype = 12; 856 off_nl = 14; /* Ethernet II */ 857 off_nl_nosnap = 17; /* 802.3+802.2 */ 858 return; 859 860 case DLT_SLIP: 861 /* 862 * SLIP doesn't have a link level type. The 16 byte 863 * header is hacked into our SLIP driver. 864 */ 865 off_linktype = -1; 866 off_nl = 16; 867 off_nl_nosnap = 16; /* no 802.2 LLC */ 868 return; 869 870 case DLT_SLIP_BSDOS: 871 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 872 off_linktype = -1; 873 /* XXX end */ 874 off_nl = 24; 875 off_nl_nosnap = 24; /* no 802.2 LLC */ 876 return; 877 878 case DLT_NULL: 879 case DLT_LOOP: 880 off_linktype = 0; 881 off_nl = 4; 882 off_nl_nosnap = 4; /* no 802.2 LLC */ 883 return; 884 885 case DLT_ENC: 886 off_linktype = 0; 887 off_nl = 12; 888 off_nl_nosnap = 12; /* no 802.2 LLC */ 889 return; 890 891 case DLT_PPP: 892 case DLT_PPP_PPPD: 893 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 894 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 895 off_linktype = 2; 896 off_nl = 4; 897 off_nl_nosnap = 4; /* no 802.2 LLC */ 898 return; 899 900 case DLT_PPP_ETHER: 901 /* 902 * This does no include the Ethernet header, and 903 * only covers session state. 904 */ 905 off_linktype = 6; 906 off_nl = 8; 907 off_nl_nosnap = 8; /* no 802.2 LLC */ 908 return; 909 910 case DLT_PPP_BSDOS: 911 off_linktype = 5; 912 off_nl = 24; 913 off_nl_nosnap = 24; /* no 802.2 LLC */ 914 return; 915 916 case DLT_FDDI: 917 /* 918 * FDDI doesn't really have a link-level type field. 919 * We set "off_linktype" to the offset of the LLC header. 920 * 921 * To check for Ethernet types, we assume that SSAP = SNAP 922 * is being used and pick out the encapsulated Ethernet type. 923 * XXX - should we generate code to check for SNAP? 924 */ 925 off_linktype = 13; 926 #ifdef PCAP_FDDIPAD 927 off_linktype += pcap_fddipad; 928 #endif 929 off_nl = 21; /* FDDI+802.2+SNAP */ 930 off_nl_nosnap = 16; /* FDDI+802.2 */ 931 #ifdef PCAP_FDDIPAD 932 off_nl += pcap_fddipad; 933 off_nl_nosnap += pcap_fddipad; 934 #endif 935 return; 936 937 case DLT_IEEE802: 938 /* 939 * Token Ring doesn't really have a link-level type field. 940 * We set "off_linktype" to the offset of the LLC header. 941 * 942 * To check for Ethernet types, we assume that SSAP = SNAP 943 * is being used and pick out the encapsulated Ethernet type. 944 * XXX - should we generate code to check for SNAP? 945 * 946 * XXX - the header is actually variable-length. 947 * Some various Linux patched versions gave 38 948 * as "off_linktype" and 40 as "off_nl"; however, 949 * if a token ring packet has *no* routing 950 * information, i.e. is not source-routed, the correct 951 * values are 20 and 22, as they are in the vanilla code. 952 * 953 * A packet is source-routed iff the uppermost bit 954 * of the first byte of the source address, at an 955 * offset of 8, has the uppermost bit set. If the 956 * packet is source-routed, the total number of bytes 957 * of routing information is 2 plus bits 0x1F00 of 958 * the 16-bit value at an offset of 14 (shifted right 959 * 8 - figure out which byte that is). 960 */ 961 off_linktype = 14; 962 off_nl = 22; /* Token Ring+802.2+SNAP */ 963 off_nl_nosnap = 17; /* Token Ring+802.2 */ 964 return; 965 966 case DLT_IEEE802_11: 967 /* 968 * 802.11 doesn't really have a link-level type field. 969 * We set "off_linktype" to the offset of the LLC header. 970 * 971 * To check for Ethernet types, we assume that SSAP = SNAP 972 * is being used and pick out the encapsulated Ethernet type. 973 * XXX - should we generate code to check for SNAP? 974 * 975 * XXX - the header is actually variable-length. We 976 * assume a 24-byte link-layer header, as appears in 977 * data frames in networks with no bridges. If the 978 * fromds and tods 802.11 header bits are both set, 979 * it's actually supposed to be 30 bytes. 980 */ 981 off_linktype = 24; 982 off_nl = 32; /* 802.11+802.2+SNAP */ 983 off_nl_nosnap = 27; /* 802.11+802.2 */ 984 return; 985 986 case DLT_PRISM_HEADER: 987 /* 988 * Same as 802.11, but with an additional header before 989 * the 802.11 header, containing a bunch of additional 990 * information including radio-level information. 991 * 992 * The header is 144 bytes long. 993 * 994 * XXX - same variable-length header problem; at least 995 * the Prism header is fixed-length. 996 */ 997 off_ll = 144; 998 off_linktype = 24; 999 off_nl = 32; /* Prism+802.11+802.2+SNAP */ 1000 off_nl_nosnap = 27; /* Prism+802.11+802.2 */ 1001 return; 1002 1003 case DLT_IEEE802_11_RADIO_AVS: 1004 /* 1005 * Same as 802.11, but with an additional header before 1006 * the 802.11 header, containing a bunch of additional 1007 * information including radio-level information. 1008 * 1009 * The header is 64 bytes long, at least in its 1010 * current incarnation. 1011 * 1012 * XXX - same variable-length header problem, only 1013 * more so; this header is also variable-length, 1014 * with the length being the 32-bit big-endian 1015 * number at an offset of 4 from the beginning 1016 * of the radio header. We should handle that the 1017 * same way we handle the length at the beginning 1018 * of the radiotap header. 1019 * 1020 * XXX - in Linux, do any drivers that supply an AVS 1021 * header supply a link-layer type other than 1022 * ARPHRD_IEEE80211_PRISM? If so, we should map that 1023 * to DLT_IEEE802_11_RADIO_AVS; if not, or if there are 1024 * any drivers that supply an AVS header but supply 1025 * an ARPHRD value of ARPHRD_IEEE80211_PRISM, we'll 1026 * have to check the header in the generated code to 1027 * determine whether it's Prism or AVS. 1028 */ 1029 off_ll = 64; 1030 off_linktype = 24; 1031 off_nl = 32; /* Radio+802.11+802.2+SNAP */ 1032 off_nl_nosnap = 27; /* Radio+802.11+802.2 */ 1033 return; 1034 1035 1036 /* 1037 * At the moment we treat PPI as normal Radiotap encoded 1038 * packets. The difference is in the function that generates 1039 * the code at the beginning to compute the header length. 1040 * Since this code generator of PPI supports bare 802.11 1041 * encapsulation only (i.e. the encapsulated DLT should be 1042 * DLT_IEEE802_11) we generate code to check for this too. 1043 */ 1044 case DLT_PPI: 1045 case DLT_IEEE802_11_RADIO: 1046 /* 1047 * Same as 802.11, but with an additional header before 1048 * the 802.11 header, containing a bunch of additional 1049 * information including radio-level information. 1050 * 1051 * The radiotap header is variable length, and we 1052 * generate code to compute its length and store it 1053 * in a register. These offsets are relative to the 1054 * beginning of the 802.11 header. 1055 */ 1056 off_linktype = 24; 1057 off_nl = 32; /* 802.11+802.2+SNAP */ 1058 off_nl_nosnap = 27; /* 802.11+802.2 */ 1059 return; 1060 1061 case DLT_ATM_RFC1483: 1062 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1063 /* 1064 * assume routed, non-ISO PDUs 1065 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1066 * 1067 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1068 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1069 * latter would presumably be treated the way PPPoE 1070 * should be, so you can do "pppoe and udp port 2049" 1071 * or "pppoa and tcp port 80" and have it check for 1072 * PPPo{A,E} and a PPP protocol of IP and.... 1073 */ 1074 off_linktype = 0; 1075 off_nl = 8; /* 802.2+SNAP */ 1076 off_nl_nosnap = 3; /* 802.2 */ 1077 return; 1078 1079 case DLT_SUNATM: 1080 /* 1081 * Full Frontal ATM; you get AALn PDUs with an ATM 1082 * pseudo-header. 1083 */ 1084 is_atm = 1; 1085 off_vpi = SUNATM_VPI_POS; 1086 off_vci = SUNATM_VCI_POS; 1087 off_proto = PROTO_POS; 1088 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */ 1089 off_payload = SUNATM_PKT_BEGIN_POS; 1090 off_linktype = off_payload; 1091 off_nl = off_payload+8; /* 802.2+SNAP */ 1092 off_nl_nosnap = off_payload+3; /* 802.2 */ 1093 return; 1094 1095 case DLT_RAW: 1096 off_linktype = -1; 1097 off_nl = 0; 1098 off_nl_nosnap = 0; /* no 802.2 LLC */ 1099 return; 1100 1101 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1102 off_linktype = 14; 1103 off_nl = 16; 1104 off_nl_nosnap = 16; /* no 802.2 LLC */ 1105 return; 1106 1107 case DLT_LTALK: 1108 /* 1109 * LocalTalk does have a 1-byte type field in the LLAP header, 1110 * but really it just indicates whether there is a "short" or 1111 * "long" DDP packet following. 1112 */ 1113 off_linktype = -1; 1114 off_nl = 0; 1115 off_nl_nosnap = 0; /* no 802.2 LLC */ 1116 return; 1117 1118 case DLT_IP_OVER_FC: 1119 /* 1120 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1121 * link-level type field. We set "off_linktype" to the 1122 * offset of the LLC header. 1123 * 1124 * To check for Ethernet types, we assume that SSAP = SNAP 1125 * is being used and pick out the encapsulated Ethernet type. 1126 * XXX - should we generate code to check for SNAP? RFC 1127 * 2625 says SNAP should be used. 1128 */ 1129 off_linktype = 16; 1130 off_nl = 24; /* IPFC+802.2+SNAP */ 1131 off_nl_nosnap = 19; /* IPFC+802.2 */ 1132 return; 1133 1134 case DLT_FRELAY: 1135 /* 1136 * XXX - we should set this to handle SNAP-encapsulated 1137 * frames (NLPID of 0x80). 1138 */ 1139 off_linktype = -1; 1140 off_nl = 0; 1141 off_nl_nosnap = 0; /* no 802.2 LLC */ 1142 return; 1143 1144 /* 1145 * the only BPF-interesting FRF.16 frames are non-control frames; 1146 * Frame Relay has a variable length link-layer 1147 * so lets start with offset 4 for now and increments later on (FIXME); 1148 */ 1149 case DLT_MFR: 1150 off_linktype = -1; 1151 off_nl = 4; 1152 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1153 return; 1154 1155 case DLT_APPLE_IP_OVER_IEEE1394: 1156 off_linktype = 16; 1157 off_nl = 18; 1158 off_nl_nosnap = 18; /* no 802.2 LLC */ 1159 return; 1160 1161 case DLT_LINUX_IRDA: 1162 /* 1163 * Currently, only raw "link[N:M]" filtering is supported. 1164 */ 1165 off_linktype = -1; 1166 off_nl = -1; 1167 off_nl_nosnap = -1; 1168 return; 1169 1170 case DLT_DOCSIS: 1171 /* 1172 * Currently, only raw "link[N:M]" filtering is supported. 1173 */ 1174 off_linktype = -1; 1175 off_nl = -1; 1176 off_nl_nosnap = -1; 1177 return; 1178 1179 case DLT_SYMANTEC_FIREWALL: 1180 off_linktype = 6; 1181 off_nl = 44; /* Ethernet II */ 1182 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */ 1183 return; 1184 1185 #ifdef HAVE_NET_PFVAR_H 1186 case DLT_PFLOG: 1187 off_linktype = 0; 1188 off_nl = PFLOG_HDRLEN; 1189 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */ 1190 return; 1191 #endif 1192 1193 case DLT_JUNIPER_MFR: 1194 case DLT_JUNIPER_MLFR: 1195 case DLT_JUNIPER_MLPPP: 1196 case DLT_JUNIPER_PPP: 1197 case DLT_JUNIPER_CHDLC: 1198 case DLT_JUNIPER_FRELAY: 1199 off_linktype = 4; 1200 off_nl = 4; 1201 off_nl_nosnap = -1; /* no 802.2 LLC */ 1202 return; 1203 1204 case DLT_JUNIPER_ATM1: 1205 off_linktype = 4; /* in reality variable between 4-8 */ 1206 off_nl = 4; 1207 off_nl_nosnap = 14; 1208 return; 1209 1210 case DLT_JUNIPER_ATM2: 1211 off_linktype = 8; /* in reality variable between 8-12 */ 1212 off_nl = 8; 1213 off_nl_nosnap = 18; 1214 return; 1215 1216 /* frames captured on a Juniper PPPoE service PIC 1217 * contain raw ethernet frames */ 1218 case DLT_JUNIPER_PPPOE: 1219 case DLT_JUNIPER_ETHER: 1220 off_linktype = 16; 1221 off_nl = 18; /* Ethernet II */ 1222 off_nl_nosnap = 21; /* 802.3+802.2 */ 1223 return; 1224 1225 case DLT_JUNIPER_PPPOE_ATM: 1226 off_linktype = 4; 1227 off_nl = 6; 1228 off_nl_nosnap = -1; /* no 802.2 LLC */ 1229 return; 1230 1231 case DLT_JUNIPER_GGSN: 1232 off_linktype = 6; 1233 off_nl = 12; 1234 off_nl_nosnap = -1; /* no 802.2 LLC */ 1235 return; 1236 1237 case DLT_JUNIPER_ES: 1238 off_linktype = 6; 1239 off_nl = -1; /* not really a network layer but raw IP adresses */ 1240 off_nl_nosnap = -1; /* no 802.2 LLC */ 1241 return; 1242 1243 case DLT_JUNIPER_MONITOR: 1244 off_linktype = 12; 1245 off_nl = 12; /* raw IP/IP6 header */ 1246 off_nl_nosnap = -1; /* no 802.2 LLC */ 1247 return; 1248 1249 case DLT_JUNIPER_SERVICES: 1250 off_linktype = 12; 1251 off_nl = -1; /* L3 proto location dep. on cookie type */ 1252 off_nl_nosnap = -1; /* no 802.2 LLC */ 1253 return; 1254 1255 case DLT_JUNIPER_VP: 1256 off_linktype = 18; 1257 off_nl = -1; 1258 off_nl_nosnap = -1; 1259 return; 1260 1261 case DLT_MTP2: 1262 off_li = 2; 1263 off_sio = 3; 1264 off_opc = 4; 1265 off_dpc = 4; 1266 off_sls = 7; 1267 off_linktype = -1; 1268 off_nl = -1; 1269 off_nl_nosnap = -1; 1270 return; 1271 1272 case DLT_MTP2_WITH_PHDR: 1273 off_li = 6; 1274 off_sio = 7; 1275 off_opc = 8; 1276 off_dpc = 8; 1277 off_sls = 11; 1278 off_linktype = -1; 1279 off_nl = -1; 1280 off_nl_nosnap = -1; 1281 return; 1282 1283 #ifdef DLT_PFSYNC 1284 case DLT_PFSYNC: 1285 off_linktype = -1; 1286 off_nl = 4; 1287 off_nl_nosnap = 4; 1288 return; 1289 #endif 1290 1291 case DLT_LINUX_LAPD: 1292 /* 1293 * Currently, only raw "link[N:M]" filtering is supported. 1294 */ 1295 off_linktype = -1; 1296 off_nl = -1; 1297 off_nl_nosnap = -1; 1298 return; 1299 1300 case DLT_USB: 1301 /* 1302 * Currently, only raw "link[N:M]" filtering is supported. 1303 */ 1304 off_linktype = -1; 1305 off_nl = -1; 1306 off_nl_nosnap = -1; 1307 return; 1308 1309 case DLT_BLUETOOTH_HCI_H4: 1310 /* 1311 * Currently, only raw "link[N:M]" filtering is supported. 1312 */ 1313 off_linktype = -1; 1314 off_nl = -1; 1315 off_nl_nosnap = -1; 1316 return; 1317 } 1318 bpf_error("unknown data link type %d", linktype); 1319 /* NOTREACHED */ 1320 } 1321 1322 /* 1323 * Load a value relative to the beginning of the link-layer header. 1324 * The link-layer header doesn't necessarily begin at the beginning 1325 * of the packet data; there might be a variable-length prefix containing 1326 * radio information. 1327 */ 1328 static struct slist * 1329 gen_load_llrel(offset, size) 1330 u_int offset, size; 1331 { 1332 struct slist *s, *s2; 1333 1334 s = gen_llprefixlen(); 1335 1336 /* 1337 * If "s" is non-null, it has code to arrange that the X register 1338 * contains the length of the prefix preceding the link-layer 1339 * header. 1340 * 1341 * Otherwise, the length of the prefix preceding the link-layer 1342 * header is "off_ll". 1343 */ 1344 if (s != NULL) { 1345 /* 1346 * There's a variable-length prefix preceding the 1347 * link-layer header. "s" points to a list of statements 1348 * that put the length of that prefix into the X register. 1349 * do an indirect load, to use the X register as an offset. 1350 */ 1351 s2 = new_stmt(BPF_LD|BPF_IND|size); 1352 s2->s.k = offset; 1353 sappend(s, s2); 1354 } else { 1355 /* 1356 * There is no variable-length header preceding the 1357 * link-layer header; add in off_ll, which, if there's 1358 * a fixed-length header preceding the link-layer header, 1359 * is the length of that header. 1360 */ 1361 s = new_stmt(BPF_LD|BPF_ABS|size); 1362 s->s.k = offset + off_ll; 1363 } 1364 return s; 1365 } 1366 1367 1368 /* 1369 * Load a value relative to the beginning of the specified header. 1370 */ 1371 static struct slist * 1372 gen_load_a(offrel, offset, size) 1373 enum e_offrel offrel; 1374 u_int offset, size; 1375 { 1376 struct slist *s, *s2; 1377 1378 switch (offrel) { 1379 1380 case OR_PACKET: 1381 s = new_stmt(BPF_LD|BPF_ABS|size); 1382 s->s.k = offset; 1383 break; 1384 1385 case OR_LINK: 1386 s = gen_load_llrel(offset, size); 1387 break; 1388 1389 case OR_NET: 1390 s = gen_load_llrel(off_nl + offset, size); 1391 break; 1392 1393 case OR_NET_NOSNAP: 1394 s = gen_load_llrel(off_nl_nosnap + offset, size); 1395 break; 1396 1397 case OR_TRAN_IPV4: 1398 /* 1399 * Load the X register with the length of the IPv4 header 1400 * (plus the offset of the link-layer header, if it's 1401 * preceded by a variable-length header such as a radio 1402 * header), in bytes. 1403 */ 1404 s = gen_loadx_iphdrlen(); 1405 1406 /* 1407 * Load the item at {offset of the link-layer header} + 1408 * {offset, relative to the start of the link-layer 1409 * header, of the IPv4 header} + {length of the IPv4 header} + 1410 * {specified offset}. 1411 * 1412 * (If the link-layer is variable-length, it's included 1413 * in the value in the X register, and off_ll is 0.) 1414 */ 1415 s2 = new_stmt(BPF_LD|BPF_IND|size); 1416 s2->s.k = off_ll + off_nl + offset; 1417 sappend(s, s2); 1418 break; 1419 1420 case OR_TRAN_IPV6: 1421 s = gen_load_llrel(off_nl + 40 + offset, size); 1422 break; 1423 1424 default: 1425 abort(); 1426 return NULL; 1427 } 1428 return s; 1429 } 1430 1431 /* 1432 * Generate code to load into the X register the sum of the length of 1433 * the IPv4 header and any variable-length header preceding the link-layer 1434 * header. 1435 */ 1436 static struct slist * 1437 gen_loadx_iphdrlen() 1438 { 1439 struct slist *s, *s2; 1440 1441 s = gen_llprefixlen(); 1442 if (s != NULL) { 1443 /* 1444 * There's a variable-length prefix preceding the 1445 * link-layer header. "s" points to a list of statements 1446 * that put the length of that prefix into the X register. 1447 * The 4*([k]&0xf) addressing mode can't be used, as we 1448 * don't have a constant offset, so we have to load the 1449 * value in question into the A register and add to it 1450 * the value from the X register. 1451 */ 1452 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1453 s2->s.k = off_nl; 1454 sappend(s, s2); 1455 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1456 s2->s.k = 0xf; 1457 sappend(s, s2); 1458 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1459 s2->s.k = 2; 1460 sappend(s, s2); 1461 1462 /* 1463 * The A register now contains the length of the 1464 * IP header. We need to add to it the length 1465 * of the prefix preceding the link-layer 1466 * header, which is still in the X register, and 1467 * move the result into the X register. 1468 */ 1469 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1470 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1471 } else { 1472 /* 1473 * There is no variable-length header preceding the 1474 * link-layer header; add in off_ll, which, if there's 1475 * a fixed-length header preceding the link-layer header, 1476 * is the length of that header. 1477 */ 1478 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1479 s->s.k = off_ll + off_nl; 1480 } 1481 return s; 1482 } 1483 1484 static struct block * 1485 gen_uncond(rsense) 1486 int rsense; 1487 { 1488 struct block *b; 1489 struct slist *s; 1490 1491 s = new_stmt(BPF_LD|BPF_IMM); 1492 s->s.k = !rsense; 1493 b = new_block(JMP(BPF_JEQ)); 1494 b->stmts = s; 1495 1496 return b; 1497 } 1498 1499 static inline struct block * 1500 gen_true() 1501 { 1502 return gen_uncond(1); 1503 } 1504 1505 static inline struct block * 1506 gen_false() 1507 { 1508 return gen_uncond(0); 1509 } 1510 1511 /* 1512 * Byte-swap a 32-bit number. 1513 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1514 * big-endian platforms.) 1515 */ 1516 #define SWAPLONG(y) \ 1517 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1518 1519 /* 1520 * Generate code to match a particular packet type. 1521 * 1522 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1523 * value, if <= ETHERMTU. We use that to determine whether to 1524 * match the type/length field or to check the type/length field for 1525 * a value <= ETHERMTU to see whether it's a type field and then do 1526 * the appropriate test. 1527 */ 1528 static struct block * 1529 gen_ether_linktype(proto) 1530 register int proto; 1531 { 1532 struct block *b0, *b1; 1533 1534 switch (proto) { 1535 1536 case LLCSAP_ISONS: 1537 case LLCSAP_IP: 1538 case LLCSAP_NETBEUI: 1539 /* 1540 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1541 * so we check the DSAP and SSAP. 1542 * 1543 * LLCSAP_IP checks for IP-over-802.2, rather 1544 * than IP-over-Ethernet or IP-over-SNAP. 1545 * 1546 * XXX - should we check both the DSAP and the 1547 * SSAP, like this, or should we check just the 1548 * DSAP, as we do for other types <= ETHERMTU 1549 * (i.e., other SAP values)? 1550 */ 1551 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1552 gen_not(b0); 1553 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32) 1554 ((proto << 8) | proto)); 1555 gen_and(b0, b1); 1556 return b1; 1557 1558 case LLCSAP_IPX: 1559 /* 1560 * Check for; 1561 * 1562 * Ethernet_II frames, which are Ethernet 1563 * frames with a frame type of ETHERTYPE_IPX; 1564 * 1565 * Ethernet_802.3 frames, which are 802.3 1566 * frames (i.e., the type/length field is 1567 * a length field, <= ETHERMTU, rather than 1568 * a type field) with the first two bytes 1569 * after the Ethernet/802.3 header being 1570 * 0xFFFF; 1571 * 1572 * Ethernet_802.2 frames, which are 802.3 1573 * frames with an 802.2 LLC header and 1574 * with the IPX LSAP as the DSAP in the LLC 1575 * header; 1576 * 1577 * Ethernet_SNAP frames, which are 802.3 1578 * frames with an LLC header and a SNAP 1579 * header and with an OUI of 0x000000 1580 * (encapsulated Ethernet) and a protocol 1581 * ID of ETHERTYPE_IPX in the SNAP header. 1582 * 1583 * XXX - should we generate the same code both 1584 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1585 */ 1586 1587 /* 1588 * This generates code to check both for the 1589 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1590 */ 1591 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1592 (bpf_int32)LLCSAP_IPX); 1593 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, 1594 (bpf_int32)0xFFFF); 1595 gen_or(b0, b1); 1596 1597 /* 1598 * Now we add code to check for SNAP frames with 1599 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1600 */ 1601 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14); 1602 gen_or(b0, b1); 1603 1604 /* 1605 * Now we generate code to check for 802.3 1606 * frames in general. 1607 */ 1608 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1609 gen_not(b0); 1610 1611 /* 1612 * Now add the check for 802.3 frames before the 1613 * check for Ethernet_802.2 and Ethernet_802.3, 1614 * as those checks should only be done on 802.3 1615 * frames, not on Ethernet frames. 1616 */ 1617 gen_and(b0, b1); 1618 1619 /* 1620 * Now add the check for Ethernet_II frames, and 1621 * do that before checking for the other frame 1622 * types. 1623 */ 1624 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1625 (bpf_int32)ETHERTYPE_IPX); 1626 gen_or(b0, b1); 1627 return b1; 1628 1629 case ETHERTYPE_ATALK: 1630 case ETHERTYPE_AARP: 1631 /* 1632 * EtherTalk (AppleTalk protocols on Ethernet link 1633 * layer) may use 802.2 encapsulation. 1634 */ 1635 1636 /* 1637 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1638 * we check for an Ethernet type field less than 1639 * 1500, which means it's an 802.3 length field. 1640 */ 1641 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1642 gen_not(b0); 1643 1644 /* 1645 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1646 * SNAP packets with an organization code of 1647 * 0x080007 (Apple, for Appletalk) and a protocol 1648 * type of ETHERTYPE_ATALK (Appletalk). 1649 * 1650 * 802.2-encapsulated ETHERTYPE_AARP packets are 1651 * SNAP packets with an organization code of 1652 * 0x000000 (encapsulated Ethernet) and a protocol 1653 * type of ETHERTYPE_AARP (Appletalk ARP). 1654 */ 1655 if (proto == ETHERTYPE_ATALK) 1656 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14); 1657 else /* proto == ETHERTYPE_AARP */ 1658 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14); 1659 gen_and(b0, b1); 1660 1661 /* 1662 * Check for Ethernet encapsulation (Ethertalk 1663 * phase 1?); we just check for the Ethernet 1664 * protocol type. 1665 */ 1666 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1667 1668 gen_or(b0, b1); 1669 return b1; 1670 1671 default: 1672 if (proto <= ETHERMTU) { 1673 /* 1674 * This is an LLC SAP value, so the frames 1675 * that match would be 802.2 frames. 1676 * Check that the frame is an 802.2 frame 1677 * (i.e., that the length/type field is 1678 * a length field, <= ETHERMTU) and 1679 * then check the DSAP. 1680 */ 1681 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1682 gen_not(b0); 1683 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1684 (bpf_int32)proto); 1685 gen_and(b0, b1); 1686 return b1; 1687 } else { 1688 /* 1689 * This is an Ethernet type, so compare 1690 * the length/type field with it (if 1691 * the frame is an 802.2 frame, the length 1692 * field will be <= ETHERMTU, and, as 1693 * "proto" is > ETHERMTU, this test 1694 * will fail and the frame won't match, 1695 * which is what we want). 1696 */ 1697 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1698 (bpf_int32)proto); 1699 } 1700 } 1701 } 1702 1703 /* 1704 * Generate code to match a particular packet type. 1705 * 1706 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1707 * value, if <= ETHERMTU. We use that to determine whether to 1708 * match the type field or to check the type field for the special 1709 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1710 */ 1711 static struct block * 1712 gen_linux_sll_linktype(proto) 1713 register int proto; 1714 { 1715 struct block *b0, *b1; 1716 1717 switch (proto) { 1718 1719 case LLCSAP_ISONS: 1720 case LLCSAP_IP: 1721 case LLCSAP_NETBEUI: 1722 /* 1723 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1724 * so we check the DSAP and SSAP. 1725 * 1726 * LLCSAP_IP checks for IP-over-802.2, rather 1727 * than IP-over-Ethernet or IP-over-SNAP. 1728 * 1729 * XXX - should we check both the DSAP and the 1730 * SSAP, like this, or should we check just the 1731 * DSAP, as we do for other types <= ETHERMTU 1732 * (i.e., other SAP values)? 1733 */ 1734 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1735 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32) 1736 ((proto << 8) | proto)); 1737 gen_and(b0, b1); 1738 return b1; 1739 1740 case LLCSAP_IPX: 1741 /* 1742 * Ethernet_II frames, which are Ethernet 1743 * frames with a frame type of ETHERTYPE_IPX; 1744 * 1745 * Ethernet_802.3 frames, which have a frame 1746 * type of LINUX_SLL_P_802_3; 1747 * 1748 * Ethernet_802.2 frames, which are 802.3 1749 * frames with an 802.2 LLC header (i.e, have 1750 * a frame type of LINUX_SLL_P_802_2) and 1751 * with the IPX LSAP as the DSAP in the LLC 1752 * header; 1753 * 1754 * Ethernet_SNAP frames, which are 802.3 1755 * frames with an LLC header and a SNAP 1756 * header and with an OUI of 0x000000 1757 * (encapsulated Ethernet) and a protocol 1758 * ID of ETHERTYPE_IPX in the SNAP header. 1759 * 1760 * First, do the checks on LINUX_SLL_P_802_2 1761 * frames; generate the check for either 1762 * Ethernet_802.2 or Ethernet_SNAP frames, and 1763 * then put a check for LINUX_SLL_P_802_2 frames 1764 * before it. 1765 */ 1766 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1767 (bpf_int32)LLCSAP_IPX); 1768 b1 = gen_snap(0x000000, ETHERTYPE_IPX, 1769 off_linktype + 2); 1770 gen_or(b0, b1); 1771 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1772 gen_and(b0, b1); 1773 1774 /* 1775 * Now check for 802.3 frames and OR that with 1776 * the previous test. 1777 */ 1778 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 1779 gen_or(b0, b1); 1780 1781 /* 1782 * Now add the check for Ethernet_II frames, and 1783 * do that before checking for the other frame 1784 * types. 1785 */ 1786 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1787 (bpf_int32)ETHERTYPE_IPX); 1788 gen_or(b0, b1); 1789 return b1; 1790 1791 case ETHERTYPE_ATALK: 1792 case ETHERTYPE_AARP: 1793 /* 1794 * EtherTalk (AppleTalk protocols on Ethernet link 1795 * layer) may use 802.2 encapsulation. 1796 */ 1797 1798 /* 1799 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1800 * we check for the 802.2 protocol type in the 1801 * "Ethernet type" field. 1802 */ 1803 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1804 1805 /* 1806 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1807 * SNAP packets with an organization code of 1808 * 0x080007 (Apple, for Appletalk) and a protocol 1809 * type of ETHERTYPE_ATALK (Appletalk). 1810 * 1811 * 802.2-encapsulated ETHERTYPE_AARP packets are 1812 * SNAP packets with an organization code of 1813 * 0x000000 (encapsulated Ethernet) and a protocol 1814 * type of ETHERTYPE_AARP (Appletalk ARP). 1815 */ 1816 if (proto == ETHERTYPE_ATALK) 1817 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 1818 off_linktype + 2); 1819 else /* proto == ETHERTYPE_AARP */ 1820 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 1821 off_linktype + 2); 1822 gen_and(b0, b1); 1823 1824 /* 1825 * Check for Ethernet encapsulation (Ethertalk 1826 * phase 1?); we just check for the Ethernet 1827 * protocol type. 1828 */ 1829 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1830 1831 gen_or(b0, b1); 1832 return b1; 1833 1834 default: 1835 if (proto <= ETHERMTU) { 1836 /* 1837 * This is an LLC SAP value, so the frames 1838 * that match would be 802.2 frames. 1839 * Check for the 802.2 protocol type 1840 * in the "Ethernet type" field, and 1841 * then check the DSAP. 1842 */ 1843 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1844 LINUX_SLL_P_802_2); 1845 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1846 (bpf_int32)proto); 1847 gen_and(b0, b1); 1848 return b1; 1849 } else { 1850 /* 1851 * This is an Ethernet type, so compare 1852 * the length/type field with it (if 1853 * the frame is an 802.2 frame, the length 1854 * field will be <= ETHERMTU, and, as 1855 * "proto" is > ETHERMTU, this test 1856 * will fail and the frame won't match, 1857 * which is what we want). 1858 */ 1859 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1860 (bpf_int32)proto); 1861 } 1862 } 1863 } 1864 1865 static void 1866 insert_radiotap_load_llprefixlen(b) 1867 struct block *b; 1868 { 1869 struct slist *s1, *s2; 1870 1871 /* 1872 * Prepend to the statements in this block code to load the 1873 * length of the radiotap header into the register assigned 1874 * to hold that length, if one has been assigned. 1875 */ 1876 if (reg_ll_size != -1) { 1877 /* 1878 * The 2 bytes at offsets of 2 and 3 from the beginning 1879 * of the radiotap header are the length of the radiotap 1880 * header; unfortunately, it's little-endian, so we have 1881 * to load it a byte at a time and construct the value. 1882 */ 1883 1884 /* 1885 * Load the high-order byte, at an offset of 3, shift it 1886 * left a byte, and put the result in the X register. 1887 */ 1888 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1889 s1->s.k = 3; 1890 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1891 sappend(s1, s2); 1892 s2->s.k = 8; 1893 s2 = new_stmt(BPF_MISC|BPF_TAX); 1894 sappend(s1, s2); 1895 1896 /* 1897 * Load the next byte, at an offset of 2, and OR the 1898 * value from the X register into it. 1899 */ 1900 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1901 sappend(s1, s2); 1902 s2->s.k = 2; 1903 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 1904 sappend(s1, s2); 1905 1906 /* 1907 * Now allocate a register to hold that value and store 1908 * it. 1909 */ 1910 s2 = new_stmt(BPF_ST); 1911 s2->s.k = reg_ll_size; 1912 sappend(s1, s2); 1913 1914 /* 1915 * Now move it into the X register. 1916 */ 1917 s2 = new_stmt(BPF_MISC|BPF_TAX); 1918 sappend(s1, s2); 1919 1920 /* 1921 * Now append all the existing statements in this 1922 * block to these statements. 1923 */ 1924 sappend(s1, b->stmts); 1925 b->stmts = s1; 1926 } 1927 } 1928 1929 /* 1930 * At the moment we treat PPI as normal Radiotap encoded 1931 * packets. The difference is in the function that generates 1932 * the code at the beginning to compute the header length. 1933 * Since this code generator of PPI supports bare 802.11 1934 * encapsulation only (i.e. the encapsulated DLT should be 1935 * DLT_IEEE802_11) we generate code to check for this too. 1936 */ 1937 static void 1938 insert_ppi_load_llprefixlen(b) 1939 struct block *b; 1940 { 1941 struct slist *s1, *s2; 1942 1943 /* 1944 * Prepend to the statements in this block code to load the 1945 * length of the radiotap header into the register assigned 1946 * to hold that length, if one has been assigned. 1947 */ 1948 if (reg_ll_size != -1) { 1949 /* 1950 * The 2 bytes at offsets of 2 and 3 from the beginning 1951 * of the radiotap header are the length of the radiotap 1952 * header; unfortunately, it's little-endian, so we have 1953 * to load it a byte at a time and construct the value. 1954 */ 1955 1956 /* 1957 * Load the high-order byte, at an offset of 3, shift it 1958 * left a byte, and put the result in the X register. 1959 */ 1960 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1961 s1->s.k = 3; 1962 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1963 sappend(s1, s2); 1964 s2->s.k = 8; 1965 s2 = new_stmt(BPF_MISC|BPF_TAX); 1966 sappend(s1, s2); 1967 1968 /* 1969 * Load the next byte, at an offset of 2, and OR the 1970 * value from the X register into it. 1971 */ 1972 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1973 sappend(s1, s2); 1974 s2->s.k = 2; 1975 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 1976 sappend(s1, s2); 1977 1978 /* 1979 * Now allocate a register to hold that value and store 1980 * it. 1981 */ 1982 s2 = new_stmt(BPF_ST); 1983 s2->s.k = reg_ll_size; 1984 sappend(s1, s2); 1985 1986 /* 1987 * Now move it into the X register. 1988 */ 1989 s2 = new_stmt(BPF_MISC|BPF_TAX); 1990 sappend(s1, s2); 1991 1992 /* 1993 * Now append all the existing statements in this 1994 * block to these statements. 1995 */ 1996 sappend(s1, b->stmts); 1997 b->stmts = s1; 1998 1999 } 2000 } 2001 2002 static struct block * 2003 gen_ppi_dlt_check(void) 2004 { 2005 struct slist *s_load_dlt; 2006 struct block *b; 2007 2008 if (linktype == DLT_PPI) 2009 { 2010 /* Create the statements that check for the DLT 2011 */ 2012 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2013 s_load_dlt->s.k = 4; 2014 2015 b = new_block(JMP(BPF_JEQ)); 2016 2017 b->stmts = s_load_dlt; 2018 b->s.k = SWAPLONG(DLT_IEEE802_11); 2019 } 2020 else 2021 { 2022 b = NULL; 2023 } 2024 2025 return b; 2026 } 2027 2028 static void 2029 insert_load_llprefixlen(b) 2030 struct block *b; 2031 { 2032 switch (linktype) { 2033 2034 /* 2035 * At the moment we treat PPI as normal Radiotap encoded 2036 * packets. The difference is in the function that generates 2037 * the code at the beginning to compute the header length. 2038 * Since this code generator of PPI supports bare 802.11 2039 * encapsulation only (i.e. the encapsulated DLT should be 2040 * DLT_IEEE802_11) we generate code to check for this too. 2041 */ 2042 case DLT_PPI: 2043 insert_ppi_load_llprefixlen(b); 2044 break; 2045 2046 case DLT_IEEE802_11_RADIO: 2047 insert_radiotap_load_llprefixlen(b); 2048 break; 2049 } 2050 } 2051 2052 2053 static struct slist * 2054 gen_radiotap_llprefixlen(void) 2055 { 2056 struct slist *s; 2057 2058 if (reg_ll_size == -1) { 2059 /* 2060 * We haven't yet assigned a register for the length 2061 * of the radiotap header; allocate one. 2062 */ 2063 reg_ll_size = alloc_reg(); 2064 } 2065 2066 /* 2067 * Load the register containing the radiotap length 2068 * into the X register. 2069 */ 2070 s = new_stmt(BPF_LDX|BPF_MEM); 2071 s->s.k = reg_ll_size; 2072 return s; 2073 } 2074 2075 /* 2076 * At the moment we treat PPI as normal Radiotap encoded 2077 * packets. The difference is in the function that generates 2078 * the code at the beginning to compute the header length. 2079 * Since this code generator of PPI supports bare 802.11 2080 * encapsulation only (i.e. the encapsulated DLT should be 2081 * DLT_IEEE802_11) we generate code to check for this too. 2082 */ 2083 static struct slist * 2084 gen_ppi_llprefixlen(void) 2085 { 2086 struct slist *s; 2087 2088 if (reg_ll_size == -1) { 2089 /* 2090 * We haven't yet assigned a register for the length 2091 * of the radiotap header; allocate one. 2092 */ 2093 reg_ll_size = alloc_reg(); 2094 } 2095 2096 /* 2097 * Load the register containing the radiotap length 2098 * into the X register. 2099 */ 2100 s = new_stmt(BPF_LDX|BPF_MEM); 2101 s->s.k = reg_ll_size; 2102 return s; 2103 } 2104 2105 2106 2107 /* 2108 * Generate code to compute the link-layer header length, if necessary, 2109 * putting it into the X register, and to return either a pointer to a 2110 * "struct slist" for the list of statements in that code, or NULL if 2111 * no code is necessary. 2112 */ 2113 static struct slist * 2114 gen_llprefixlen(void) 2115 { 2116 switch (linktype) { 2117 2118 case DLT_PPI: 2119 return gen_ppi_llprefixlen(); 2120 2121 2122 case DLT_IEEE802_11_RADIO: 2123 return gen_radiotap_llprefixlen(); 2124 2125 default: 2126 return NULL; 2127 } 2128 } 2129 2130 /* 2131 * Generate code to match a particular packet type by matching the 2132 * link-layer type field or fields in the 802.2 LLC header. 2133 * 2134 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2135 * value, if <= ETHERMTU. 2136 */ 2137 static struct block * 2138 gen_linktype(proto) 2139 register int proto; 2140 { 2141 struct block *b0, *b1, *b2; 2142 2143 /* are we checking MPLS-encapsulated packets? */ 2144 if (label_stack_depth > 0) { 2145 switch (proto) { 2146 case ETHERTYPE_IP: 2147 case PPP_IP: 2148 /* FIXME add other L3 proto IDs */ 2149 return gen_mpls_linktype(Q_IP); 2150 2151 case ETHERTYPE_IPV6: 2152 case PPP_IPV6: 2153 /* FIXME add other L3 proto IDs */ 2154 return gen_mpls_linktype(Q_IPV6); 2155 2156 default: 2157 bpf_error("unsupported protocol over mpls"); 2158 /* NOTREACHED */ 2159 } 2160 } 2161 2162 switch (linktype) { 2163 2164 case DLT_EN10MB: 2165 return gen_ether_linktype(proto); 2166 /*NOTREACHED*/ 2167 break; 2168 2169 case DLT_C_HDLC: 2170 switch (proto) { 2171 2172 case LLCSAP_ISONS: 2173 proto = (proto << 8 | LLCSAP_ISONS); 2174 /* fall through */ 2175 2176 default: 2177 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2178 (bpf_int32)proto); 2179 /*NOTREACHED*/ 2180 break; 2181 } 2182 break; 2183 2184 case DLT_PPI: 2185 case DLT_FDDI: 2186 case DLT_IEEE802: 2187 case DLT_IEEE802_11: 2188 case DLT_IEEE802_11_RADIO_AVS: 2189 case DLT_IEEE802_11_RADIO: 2190 case DLT_PRISM_HEADER: 2191 case DLT_ATM_RFC1483: 2192 case DLT_ATM_CLIP: 2193 case DLT_IP_OVER_FC: 2194 return gen_llc_linktype(proto); 2195 /*NOTREACHED*/ 2196 break; 2197 2198 case DLT_SUNATM: 2199 /* 2200 * If "is_lane" is set, check for a LANE-encapsulated 2201 * version of this protocol, otherwise check for an 2202 * LLC-encapsulated version of this protocol. 2203 * 2204 * We assume LANE means Ethernet, not Token Ring. 2205 */ 2206 if (is_lane) { 2207 /* 2208 * Check that the packet doesn't begin with an 2209 * LE Control marker. (We've already generated 2210 * a test for LANE.) 2211 */ 2212 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 2213 0xFF00); 2214 gen_not(b0); 2215 2216 /* 2217 * Now generate an Ethernet test. 2218 */ 2219 b1 = gen_ether_linktype(proto); 2220 gen_and(b0, b1); 2221 return b1; 2222 } else { 2223 /* 2224 * Check for LLC encapsulation and then check the 2225 * protocol. 2226 */ 2227 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 2228 b1 = gen_llc_linktype(proto); 2229 gen_and(b0, b1); 2230 return b1; 2231 } 2232 /*NOTREACHED*/ 2233 break; 2234 2235 case DLT_LINUX_SLL: 2236 return gen_linux_sll_linktype(proto); 2237 /*NOTREACHED*/ 2238 break; 2239 2240 case DLT_SLIP: 2241 case DLT_SLIP_BSDOS: 2242 case DLT_RAW: 2243 /* 2244 * These types don't provide any type field; packets 2245 * are always IPv4 or IPv6. 2246 * 2247 * XXX - for IPv4, check for a version number of 4, and, 2248 * for IPv6, check for a version number of 6? 2249 */ 2250 switch (proto) { 2251 2252 case ETHERTYPE_IP: 2253 /* Check for a version number of 4. */ 2254 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 2255 #ifdef INET6 2256 case ETHERTYPE_IPV6: 2257 /* Check for a version number of 6. */ 2258 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 2259 #endif 2260 2261 default: 2262 return gen_false(); /* always false */ 2263 } 2264 /*NOTREACHED*/ 2265 break; 2266 2267 case DLT_PPP: 2268 case DLT_PPP_PPPD: 2269 case DLT_PPP_SERIAL: 2270 case DLT_PPP_ETHER: 2271 /* 2272 * We use Ethernet protocol types inside libpcap; 2273 * map them to the corresponding PPP protocol types. 2274 */ 2275 switch (proto) { 2276 2277 case ETHERTYPE_IP: 2278 proto = PPP_IP; 2279 break; 2280 2281 #ifdef INET6 2282 case ETHERTYPE_IPV6: 2283 proto = PPP_IPV6; 2284 break; 2285 #endif 2286 2287 case ETHERTYPE_DN: 2288 proto = PPP_DECNET; 2289 break; 2290 2291 case ETHERTYPE_ATALK: 2292 proto = PPP_APPLE; 2293 break; 2294 2295 case ETHERTYPE_NS: 2296 proto = PPP_NS; 2297 break; 2298 2299 case LLCSAP_ISONS: 2300 proto = PPP_OSI; 2301 break; 2302 2303 case LLCSAP_8021D: 2304 /* 2305 * I'm assuming the "Bridging PDU"s that go 2306 * over PPP are Spanning Tree Protocol 2307 * Bridging PDUs. 2308 */ 2309 proto = PPP_BRPDU; 2310 break; 2311 2312 case LLCSAP_IPX: 2313 proto = PPP_IPX; 2314 break; 2315 } 2316 break; 2317 2318 case DLT_PPP_BSDOS: 2319 /* 2320 * We use Ethernet protocol types inside libpcap; 2321 * map them to the corresponding PPP protocol types. 2322 */ 2323 switch (proto) { 2324 2325 case ETHERTYPE_IP: 2326 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 2327 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 2328 gen_or(b0, b1); 2329 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 2330 gen_or(b1, b0); 2331 return b0; 2332 2333 #ifdef INET6 2334 case ETHERTYPE_IPV6: 2335 proto = PPP_IPV6; 2336 /* more to go? */ 2337 break; 2338 #endif 2339 2340 case ETHERTYPE_DN: 2341 proto = PPP_DECNET; 2342 break; 2343 2344 case ETHERTYPE_ATALK: 2345 proto = PPP_APPLE; 2346 break; 2347 2348 case ETHERTYPE_NS: 2349 proto = PPP_NS; 2350 break; 2351 2352 case LLCSAP_ISONS: 2353 proto = PPP_OSI; 2354 break; 2355 2356 case LLCSAP_8021D: 2357 /* 2358 * I'm assuming the "Bridging PDU"s that go 2359 * over PPP are Spanning Tree Protocol 2360 * Bridging PDUs. 2361 */ 2362 proto = PPP_BRPDU; 2363 break; 2364 2365 case LLCSAP_IPX: 2366 proto = PPP_IPX; 2367 break; 2368 } 2369 break; 2370 2371 case DLT_NULL: 2372 case DLT_LOOP: 2373 case DLT_ENC: 2374 /* 2375 * For DLT_NULL, the link-layer header is a 32-bit 2376 * word containing an AF_ value in *host* byte order, 2377 * and for DLT_ENC, the link-layer header begins 2378 * with a 32-bit work containing an AF_ value in 2379 * host byte order. 2380 * 2381 * In addition, if we're reading a saved capture file, 2382 * the host byte order in the capture may not be the 2383 * same as the host byte order on this machine. 2384 * 2385 * For DLT_LOOP, the link-layer header is a 32-bit 2386 * word containing an AF_ value in *network* byte order. 2387 * 2388 * XXX - AF_ values may, unfortunately, be platform- 2389 * dependent; for example, FreeBSD's AF_INET6 is 24 2390 * whilst NetBSD's and OpenBSD's is 26. 2391 * 2392 * This means that, when reading a capture file, just 2393 * checking for our AF_INET6 value won't work if the 2394 * capture file came from another OS. 2395 */ 2396 switch (proto) { 2397 2398 case ETHERTYPE_IP: 2399 proto = AF_INET; 2400 break; 2401 2402 #ifdef INET6 2403 case ETHERTYPE_IPV6: 2404 proto = AF_INET6; 2405 break; 2406 #endif 2407 2408 default: 2409 /* 2410 * Not a type on which we support filtering. 2411 * XXX - support those that have AF_ values 2412 * #defined on this platform, at least? 2413 */ 2414 return gen_false(); 2415 } 2416 2417 if (linktype == DLT_NULL || linktype == DLT_ENC) { 2418 /* 2419 * The AF_ value is in host byte order, but 2420 * the BPF interpreter will convert it to 2421 * network byte order. 2422 * 2423 * If this is a save file, and it's from a 2424 * machine with the opposite byte order to 2425 * ours, we byte-swap the AF_ value. 2426 * 2427 * Then we run it through "htonl()", and 2428 * generate code to compare against the result. 2429 */ 2430 if (bpf_pcap->sf.rfile != NULL && 2431 bpf_pcap->sf.swapped) 2432 proto = SWAPLONG(proto); 2433 proto = htonl(proto); 2434 } 2435 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 2436 2437 #ifdef HAVE_NET_PFVAR_H 2438 case DLT_PFLOG: 2439 /* 2440 * af field is host byte order in contrast to the rest of 2441 * the packet. 2442 */ 2443 if (proto == ETHERTYPE_IP) 2444 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 2445 BPF_B, (bpf_int32)AF_INET)); 2446 #ifdef INET6 2447 else if (proto == ETHERTYPE_IPV6) 2448 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 2449 BPF_B, (bpf_int32)AF_INET6)); 2450 #endif /* INET6 */ 2451 else 2452 return gen_false(); 2453 /*NOTREACHED*/ 2454 break; 2455 #endif /* HAVE_NET_PFVAR_H */ 2456 2457 case DLT_ARCNET: 2458 case DLT_ARCNET_LINUX: 2459 /* 2460 * XXX should we check for first fragment if the protocol 2461 * uses PHDS? 2462 */ 2463 switch (proto) { 2464 2465 default: 2466 return gen_false(); 2467 2468 #ifdef INET6 2469 case ETHERTYPE_IPV6: 2470 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2471 (bpf_int32)ARCTYPE_INET6)); 2472 #endif /* INET6 */ 2473 2474 case ETHERTYPE_IP: 2475 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2476 (bpf_int32)ARCTYPE_IP); 2477 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2478 (bpf_int32)ARCTYPE_IP_OLD); 2479 gen_or(b0, b1); 2480 return (b1); 2481 2482 case ETHERTYPE_ARP: 2483 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2484 (bpf_int32)ARCTYPE_ARP); 2485 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2486 (bpf_int32)ARCTYPE_ARP_OLD); 2487 gen_or(b0, b1); 2488 return (b1); 2489 2490 case ETHERTYPE_REVARP: 2491 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2492 (bpf_int32)ARCTYPE_REVARP)); 2493 2494 case ETHERTYPE_ATALK: 2495 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2496 (bpf_int32)ARCTYPE_ATALK)); 2497 } 2498 /*NOTREACHED*/ 2499 break; 2500 2501 case DLT_LTALK: 2502 switch (proto) { 2503 case ETHERTYPE_ATALK: 2504 return gen_true(); 2505 default: 2506 return gen_false(); 2507 } 2508 /*NOTREACHED*/ 2509 break; 2510 2511 case DLT_FRELAY: 2512 /* 2513 * XXX - assumes a 2-byte Frame Relay header with 2514 * DLCI and flags. What if the address is longer? 2515 */ 2516 switch (proto) { 2517 2518 case ETHERTYPE_IP: 2519 /* 2520 * Check for the special NLPID for IP. 2521 */ 2522 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 2523 2524 #ifdef INET6 2525 case ETHERTYPE_IPV6: 2526 /* 2527 * Check for the special NLPID for IPv6. 2528 */ 2529 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 2530 #endif 2531 2532 case LLCSAP_ISONS: 2533 /* 2534 * Check for several OSI protocols. 2535 * 2536 * Frame Relay packets typically have an OSI 2537 * NLPID at the beginning; we check for each 2538 * of them. 2539 * 2540 * What we check for is the NLPID and a frame 2541 * control field of UI, i.e. 0x03 followed 2542 * by the NLPID. 2543 */ 2544 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 2545 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 2546 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 2547 gen_or(b1, b2); 2548 gen_or(b0, b2); 2549 return b2; 2550 2551 default: 2552 return gen_false(); 2553 } 2554 /*NOTREACHED*/ 2555 break; 2556 2557 case DLT_JUNIPER_MFR: 2558 case DLT_JUNIPER_MLFR: 2559 case DLT_JUNIPER_MLPPP: 2560 case DLT_JUNIPER_ATM1: 2561 case DLT_JUNIPER_ATM2: 2562 case DLT_JUNIPER_PPPOE: 2563 case DLT_JUNIPER_PPPOE_ATM: 2564 case DLT_JUNIPER_GGSN: 2565 case DLT_JUNIPER_ES: 2566 case DLT_JUNIPER_MONITOR: 2567 case DLT_JUNIPER_SERVICES: 2568 case DLT_JUNIPER_ETHER: 2569 case DLT_JUNIPER_PPP: 2570 case DLT_JUNIPER_FRELAY: 2571 case DLT_JUNIPER_CHDLC: 2572 case DLT_JUNIPER_VP: 2573 /* just lets verify the magic number for now - 2574 * on ATM we may have up to 6 different encapsulations on the wire 2575 * and need a lot of heuristics to figure out that the payload 2576 * might be; 2577 * 2578 * FIXME encapsulation specific BPF_ filters 2579 */ 2580 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 2581 2582 case DLT_LINUX_IRDA: 2583 bpf_error("IrDA link-layer type filtering not implemented"); 2584 2585 case DLT_DOCSIS: 2586 bpf_error("DOCSIS link-layer type filtering not implemented"); 2587 2588 case DLT_LINUX_LAPD: 2589 bpf_error("LAPD link-layer type filtering not implemented"); 2590 } 2591 2592 /* 2593 * All the types that have no encapsulation should either be 2594 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 2595 * all packets are IP packets, or should be handled in some 2596 * special case, if none of them are (if some are and some 2597 * aren't, the lack of encapsulation is a problem, as we'd 2598 * have to find some other way of determining the packet type). 2599 * 2600 * Therefore, if "off_linktype" is -1, there's an error. 2601 */ 2602 if (off_linktype == (u_int)-1) 2603 abort(); 2604 2605 /* 2606 * Any type not handled above should always have an Ethernet 2607 * type at an offset of "off_linktype". (PPP is partially 2608 * handled above - the protocol type is mapped from the 2609 * Ethernet and LLC types we use internally to the corresponding 2610 * PPP type - but the PPP type is always specified by a value 2611 * at "off_linktype", so we don't have to do the code generation 2612 * above.) 2613 */ 2614 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2615 } 2616 2617 /* 2618 * Check for an LLC SNAP packet with a given organization code and 2619 * protocol type; we check the entire contents of the 802.2 LLC and 2620 * snap headers, checking for DSAP and SSAP of SNAP and a control 2621 * field of 0x03 in the LLC header, and for the specified organization 2622 * code and protocol type in the SNAP header. 2623 */ 2624 static struct block * 2625 gen_snap(orgcode, ptype, offset) 2626 bpf_u_int32 orgcode; 2627 bpf_u_int32 ptype; 2628 u_int offset; 2629 { 2630 u_char snapblock[8]; 2631 2632 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 2633 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 2634 snapblock[2] = 0x03; /* control = UI */ 2635 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 2636 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 2637 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 2638 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 2639 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 2640 return gen_bcmp(OR_LINK, offset, 8, snapblock); 2641 } 2642 2643 /* 2644 * Generate code to match a particular packet type, for link-layer types 2645 * using 802.2 LLC headers. 2646 * 2647 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 2648 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 2649 * 2650 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2651 * value, if <= ETHERMTU. We use that to determine whether to 2652 * match the DSAP or both DSAP and LSAP or to check the OUI and 2653 * protocol ID in a SNAP header. 2654 */ 2655 static struct block * 2656 gen_llc_linktype(proto) 2657 int proto; 2658 { 2659 /* 2660 * XXX - handle token-ring variable-length header. 2661 */ 2662 switch (proto) { 2663 2664 case LLCSAP_IP: 2665 case LLCSAP_ISONS: 2666 case LLCSAP_NETBEUI: 2667 /* 2668 * XXX - should we check both the DSAP and the 2669 * SSAP, like this, or should we check just the 2670 * DSAP, as we do for other types <= ETHERMTU 2671 * (i.e., other SAP values)? 2672 */ 2673 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32) 2674 ((proto << 8) | proto)); 2675 2676 case LLCSAP_IPX: 2677 /* 2678 * XXX - are there ever SNAP frames for IPX on 2679 * non-Ethernet 802.x networks? 2680 */ 2681 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2682 (bpf_int32)LLCSAP_IPX); 2683 2684 case ETHERTYPE_ATALK: 2685 /* 2686 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2687 * SNAP packets with an organization code of 2688 * 0x080007 (Apple, for Appletalk) and a protocol 2689 * type of ETHERTYPE_ATALK (Appletalk). 2690 * 2691 * XXX - check for an organization code of 2692 * encapsulated Ethernet as well? 2693 */ 2694 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype); 2695 2696 default: 2697 /* 2698 * XXX - we don't have to check for IPX 802.3 2699 * here, but should we check for the IPX Ethertype? 2700 */ 2701 if (proto <= ETHERMTU) { 2702 /* 2703 * This is an LLC SAP value, so check 2704 * the DSAP. 2705 */ 2706 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2707 (bpf_int32)proto); 2708 } else { 2709 /* 2710 * This is an Ethernet type; we assume that it's 2711 * unlikely that it'll appear in the right place 2712 * at random, and therefore check only the 2713 * location that would hold the Ethernet type 2714 * in a SNAP frame with an organization code of 2715 * 0x000000 (encapsulated Ethernet). 2716 * 2717 * XXX - if we were to check for the SNAP DSAP and 2718 * LSAP, as per XXX, and were also to check for an 2719 * organization code of 0x000000 (encapsulated 2720 * Ethernet), we'd do 2721 * 2722 * return gen_snap(0x000000, proto, 2723 * off_linktype); 2724 * 2725 * here; for now, we don't, as per the above. 2726 * I don't know whether it's worth the extra CPU 2727 * time to do the right check or not. 2728 */ 2729 return gen_cmp(OR_LINK, off_linktype+6, BPF_H, 2730 (bpf_int32)proto); 2731 } 2732 } 2733 } 2734 2735 static struct block * 2736 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 2737 bpf_u_int32 addr; 2738 bpf_u_int32 mask; 2739 int dir, proto; 2740 u_int src_off, dst_off; 2741 { 2742 struct block *b0, *b1; 2743 u_int offset; 2744 2745 switch (dir) { 2746 2747 case Q_SRC: 2748 offset = src_off; 2749 break; 2750 2751 case Q_DST: 2752 offset = dst_off; 2753 break; 2754 2755 case Q_AND: 2756 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 2757 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 2758 gen_and(b0, b1); 2759 return b1; 2760 2761 case Q_OR: 2762 case Q_DEFAULT: 2763 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 2764 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 2765 gen_or(b0, b1); 2766 return b1; 2767 2768 default: 2769 abort(); 2770 } 2771 b0 = gen_linktype(proto); 2772 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 2773 gen_and(b0, b1); 2774 return b1; 2775 } 2776 2777 #ifdef INET6 2778 static struct block * 2779 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 2780 struct in6_addr *addr; 2781 struct in6_addr *mask; 2782 int dir, proto; 2783 u_int src_off, dst_off; 2784 { 2785 struct block *b0, *b1; 2786 u_int offset; 2787 u_int32_t *a, *m; 2788 2789 switch (dir) { 2790 2791 case Q_SRC: 2792 offset = src_off; 2793 break; 2794 2795 case Q_DST: 2796 offset = dst_off; 2797 break; 2798 2799 case Q_AND: 2800 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 2801 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 2802 gen_and(b0, b1); 2803 return b1; 2804 2805 case Q_OR: 2806 case Q_DEFAULT: 2807 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 2808 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 2809 gen_or(b0, b1); 2810 return b1; 2811 2812 default: 2813 abort(); 2814 } 2815 /* this order is important */ 2816 a = (u_int32_t *)addr; 2817 m = (u_int32_t *)mask; 2818 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 2819 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 2820 gen_and(b0, b1); 2821 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 2822 gen_and(b0, b1); 2823 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 2824 gen_and(b0, b1); 2825 b0 = gen_linktype(proto); 2826 gen_and(b0, b1); 2827 return b1; 2828 } 2829 #endif /*INET6*/ 2830 2831 static struct block * 2832 gen_ehostop(eaddr, dir) 2833 register const u_char *eaddr; 2834 register int dir; 2835 { 2836 register struct block *b0, *b1; 2837 2838 switch (dir) { 2839 case Q_SRC: 2840 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 2841 2842 case Q_DST: 2843 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 2844 2845 case Q_AND: 2846 b0 = gen_ehostop(eaddr, Q_SRC); 2847 b1 = gen_ehostop(eaddr, Q_DST); 2848 gen_and(b0, b1); 2849 return b1; 2850 2851 case Q_DEFAULT: 2852 case Q_OR: 2853 b0 = gen_ehostop(eaddr, Q_SRC); 2854 b1 = gen_ehostop(eaddr, Q_DST); 2855 gen_or(b0, b1); 2856 return b1; 2857 } 2858 abort(); 2859 /* NOTREACHED */ 2860 } 2861 2862 /* 2863 * Like gen_ehostop, but for DLT_FDDI 2864 */ 2865 static struct block * 2866 gen_fhostop(eaddr, dir) 2867 register const u_char *eaddr; 2868 register int dir; 2869 { 2870 struct block *b0, *b1; 2871 2872 switch (dir) { 2873 case Q_SRC: 2874 #ifdef PCAP_FDDIPAD 2875 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 2876 #else 2877 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 2878 #endif 2879 2880 case Q_DST: 2881 #ifdef PCAP_FDDIPAD 2882 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 2883 #else 2884 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 2885 #endif 2886 2887 case Q_AND: 2888 b0 = gen_fhostop(eaddr, Q_SRC); 2889 b1 = gen_fhostop(eaddr, Q_DST); 2890 gen_and(b0, b1); 2891 return b1; 2892 2893 case Q_DEFAULT: 2894 case Q_OR: 2895 b0 = gen_fhostop(eaddr, Q_SRC); 2896 b1 = gen_fhostop(eaddr, Q_DST); 2897 gen_or(b0, b1); 2898 return b1; 2899 } 2900 abort(); 2901 /* NOTREACHED */ 2902 } 2903 2904 /* 2905 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 2906 */ 2907 static struct block * 2908 gen_thostop(eaddr, dir) 2909 register const u_char *eaddr; 2910 register int dir; 2911 { 2912 register struct block *b0, *b1; 2913 2914 switch (dir) { 2915 case Q_SRC: 2916 return gen_bcmp(OR_LINK, 8, 6, eaddr); 2917 2918 case Q_DST: 2919 return gen_bcmp(OR_LINK, 2, 6, eaddr); 2920 2921 case Q_AND: 2922 b0 = gen_thostop(eaddr, Q_SRC); 2923 b1 = gen_thostop(eaddr, Q_DST); 2924 gen_and(b0, b1); 2925 return b1; 2926 2927 case Q_DEFAULT: 2928 case Q_OR: 2929 b0 = gen_thostop(eaddr, Q_SRC); 2930 b1 = gen_thostop(eaddr, Q_DST); 2931 gen_or(b0, b1); 2932 return b1; 2933 } 2934 abort(); 2935 /* NOTREACHED */ 2936 } 2937 2938 /* 2939 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) 2940 */ 2941 static struct block * 2942 gen_wlanhostop(eaddr, dir) 2943 register const u_char *eaddr; 2944 register int dir; 2945 { 2946 register struct block *b0, *b1, *b2; 2947 register struct slist *s; 2948 2949 switch (dir) { 2950 case Q_SRC: 2951 /* 2952 * Oh, yuk. 2953 * 2954 * For control frames, there is no SA. 2955 * 2956 * For management frames, SA is at an 2957 * offset of 10 from the beginning of 2958 * the packet. 2959 * 2960 * For data frames, SA is at an offset 2961 * of 10 from the beginning of the packet 2962 * if From DS is clear, at an offset of 2963 * 16 from the beginning of the packet 2964 * if From DS is set and To DS is clear, 2965 * and an offset of 24 from the beginning 2966 * of the packet if From DS is set and To DS 2967 * is set. 2968 */ 2969 2970 /* 2971 * Generate the tests to be done for data frames 2972 * with From DS set. 2973 * 2974 * First, check for To DS set, i.e. check "link[1] & 0x01". 2975 */ 2976 s = gen_load_a(OR_LINK, 1, BPF_B); 2977 b1 = new_block(JMP(BPF_JSET)); 2978 b1->s.k = 0x01; /* To DS */ 2979 b1->stmts = s; 2980 2981 /* 2982 * If To DS is set, the SA is at 24. 2983 */ 2984 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 2985 gen_and(b1, b0); 2986 2987 /* 2988 * Now, check for To DS not set, i.e. check 2989 * "!(link[1] & 0x01)". 2990 */ 2991 s = gen_load_a(OR_LINK, 1, BPF_B); 2992 b2 = new_block(JMP(BPF_JSET)); 2993 b2->s.k = 0x01; /* To DS */ 2994 b2->stmts = s; 2995 gen_not(b2); 2996 2997 /* 2998 * If To DS is not set, the SA is at 16. 2999 */ 3000 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3001 gen_and(b2, b1); 3002 3003 /* 3004 * Now OR together the last two checks. That gives 3005 * the complete set of checks for data frames with 3006 * From DS set. 3007 */ 3008 gen_or(b1, b0); 3009 3010 /* 3011 * Now check for From DS being set, and AND that with 3012 * the ORed-together checks. 3013 */ 3014 s = gen_load_a(OR_LINK, 1, BPF_B); 3015 b1 = new_block(JMP(BPF_JSET)); 3016 b1->s.k = 0x02; /* From DS */ 3017 b1->stmts = s; 3018 gen_and(b1, b0); 3019 3020 /* 3021 * Now check for data frames with From DS not set. 3022 */ 3023 s = gen_load_a(OR_LINK, 1, BPF_B); 3024 b2 = new_block(JMP(BPF_JSET)); 3025 b2->s.k = 0x02; /* From DS */ 3026 b2->stmts = s; 3027 gen_not(b2); 3028 3029 /* 3030 * If From DS isn't set, the SA is at 10. 3031 */ 3032 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3033 gen_and(b2, b1); 3034 3035 /* 3036 * Now OR together the checks for data frames with 3037 * From DS not set and for data frames with From DS 3038 * set; that gives the checks done for data frames. 3039 */ 3040 gen_or(b1, b0); 3041 3042 /* 3043 * Now check for a data frame. 3044 * I.e, check "link[0] & 0x08". 3045 */ 3046 gen_load_a(OR_LINK, 0, BPF_B); 3047 b1 = new_block(JMP(BPF_JSET)); 3048 b1->s.k = 0x08; 3049 b1->stmts = s; 3050 3051 /* 3052 * AND that with the checks done for data frames. 3053 */ 3054 gen_and(b1, b0); 3055 3056 /* 3057 * If the high-order bit of the type value is 0, this 3058 * is a management frame. 3059 * I.e, check "!(link[0] & 0x08)". 3060 */ 3061 s = gen_load_a(OR_LINK, 0, BPF_B); 3062 b2 = new_block(JMP(BPF_JSET)); 3063 b2->s.k = 0x08; 3064 b2->stmts = s; 3065 gen_not(b2); 3066 3067 /* 3068 * For management frames, the SA is at 10. 3069 */ 3070 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3071 gen_and(b2, b1); 3072 3073 /* 3074 * OR that with the checks done for data frames. 3075 * That gives the checks done for management and 3076 * data frames. 3077 */ 3078 gen_or(b1, b0); 3079 3080 /* 3081 * If the low-order bit of the type value is 1, 3082 * this is either a control frame or a frame 3083 * with a reserved type, and thus not a 3084 * frame with an SA. 3085 * 3086 * I.e., check "!(link[0] & 0x04)". 3087 */ 3088 s = gen_load_a(OR_LINK, 0, BPF_B); 3089 b1 = new_block(JMP(BPF_JSET)); 3090 b1->s.k = 0x04; 3091 b1->stmts = s; 3092 gen_not(b1); 3093 3094 /* 3095 * AND that with the checks for data and management 3096 * frames. 3097 */ 3098 gen_and(b1, b0); 3099 return b0; 3100 3101 case Q_DST: 3102 /* 3103 * Oh, yuk. 3104 * 3105 * For control frames, there is no DA. 3106 * 3107 * For management frames, DA is at an 3108 * offset of 4 from the beginning of 3109 * the packet. 3110 * 3111 * For data frames, DA is at an offset 3112 * of 4 from the beginning of the packet 3113 * if To DS is clear and at an offset of 3114 * 16 from the beginning of the packet 3115 * if To DS is set. 3116 */ 3117 3118 /* 3119 * Generate the tests to be done for data frames. 3120 * 3121 * First, check for To DS set, i.e. "link[1] & 0x01". 3122 */ 3123 s = gen_load_a(OR_LINK, 1, BPF_B); 3124 b1 = new_block(JMP(BPF_JSET)); 3125 b1->s.k = 0x01; /* To DS */ 3126 b1->stmts = s; 3127 3128 /* 3129 * If To DS is set, the DA is at 16. 3130 */ 3131 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3132 gen_and(b1, b0); 3133 3134 /* 3135 * Now, check for To DS not set, i.e. check 3136 * "!(link[1] & 0x01)". 3137 */ 3138 s = gen_load_a(OR_LINK, 1, BPF_B); 3139 b2 = new_block(JMP(BPF_JSET)); 3140 b2->s.k = 0x01; /* To DS */ 3141 b2->stmts = s; 3142 gen_not(b2); 3143 3144 /* 3145 * If To DS is not set, the DA is at 4. 3146 */ 3147 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 3148 gen_and(b2, b1); 3149 3150 /* 3151 * Now OR together the last two checks. That gives 3152 * the complete set of checks for data frames. 3153 */ 3154 gen_or(b1, b0); 3155 3156 /* 3157 * Now check for a data frame. 3158 * I.e, check "link[0] & 0x08". 3159 */ 3160 s = gen_load_a(OR_LINK, 0, BPF_B); 3161 b1 = new_block(JMP(BPF_JSET)); 3162 b1->s.k = 0x08; 3163 b1->stmts = s; 3164 3165 /* 3166 * AND that with the checks done for data frames. 3167 */ 3168 gen_and(b1, b0); 3169 3170 /* 3171 * If the high-order bit of the type value is 0, this 3172 * is a management frame. 3173 * I.e, check "!(link[0] & 0x08)". 3174 */ 3175 s = gen_load_a(OR_LINK, 0, BPF_B); 3176 b2 = new_block(JMP(BPF_JSET)); 3177 b2->s.k = 0x08; 3178 b2->stmts = s; 3179 gen_not(b2); 3180 3181 /* 3182 * For management frames, the DA is at 4. 3183 */ 3184 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 3185 gen_and(b2, b1); 3186 3187 /* 3188 * OR that with the checks done for data frames. 3189 * That gives the checks done for management and 3190 * data frames. 3191 */ 3192 gen_or(b1, b0); 3193 3194 /* 3195 * If the low-order bit of the type value is 1, 3196 * this is either a control frame or a frame 3197 * with a reserved type, and thus not a 3198 * frame with an SA. 3199 * 3200 * I.e., check "!(link[0] & 0x04)". 3201 */ 3202 s = gen_load_a(OR_LINK, 0, BPF_B); 3203 b1 = new_block(JMP(BPF_JSET)); 3204 b1->s.k = 0x04; 3205 b1->stmts = s; 3206 gen_not(b1); 3207 3208 /* 3209 * AND that with the checks for data and management 3210 * frames. 3211 */ 3212 gen_and(b1, b0); 3213 return b0; 3214 3215 case Q_AND: 3216 b0 = gen_wlanhostop(eaddr, Q_SRC); 3217 b1 = gen_wlanhostop(eaddr, Q_DST); 3218 gen_and(b0, b1); 3219 return b1; 3220 3221 case Q_DEFAULT: 3222 case Q_OR: 3223 b0 = gen_wlanhostop(eaddr, Q_SRC); 3224 b1 = gen_wlanhostop(eaddr, Q_DST); 3225 gen_or(b0, b1); 3226 return b1; 3227 } 3228 abort(); 3229 /* NOTREACHED */ 3230 } 3231 3232 /* 3233 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 3234 * (We assume that the addresses are IEEE 48-bit MAC addresses, 3235 * as the RFC states.) 3236 */ 3237 static struct block * 3238 gen_ipfchostop(eaddr, dir) 3239 register const u_char *eaddr; 3240 register int dir; 3241 { 3242 register struct block *b0, *b1; 3243 3244 switch (dir) { 3245 case Q_SRC: 3246 return gen_bcmp(OR_LINK, 10, 6, eaddr); 3247 3248 case Q_DST: 3249 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3250 3251 case Q_AND: 3252 b0 = gen_ipfchostop(eaddr, Q_SRC); 3253 b1 = gen_ipfchostop(eaddr, Q_DST); 3254 gen_and(b0, b1); 3255 return b1; 3256 3257 case Q_DEFAULT: 3258 case Q_OR: 3259 b0 = gen_ipfchostop(eaddr, Q_SRC); 3260 b1 = gen_ipfchostop(eaddr, Q_DST); 3261 gen_or(b0, b1); 3262 return b1; 3263 } 3264 abort(); 3265 /* NOTREACHED */ 3266 } 3267 3268 /* 3269 * This is quite tricky because there may be pad bytes in front of the 3270 * DECNET header, and then there are two possible data packet formats that 3271 * carry both src and dst addresses, plus 5 packet types in a format that 3272 * carries only the src node, plus 2 types that use a different format and 3273 * also carry just the src node. 3274 * 3275 * Yuck. 3276 * 3277 * Instead of doing those all right, we just look for data packets with 3278 * 0 or 1 bytes of padding. If you want to look at other packets, that 3279 * will require a lot more hacking. 3280 * 3281 * To add support for filtering on DECNET "areas" (network numbers) 3282 * one would want to add a "mask" argument to this routine. That would 3283 * make the filter even more inefficient, although one could be clever 3284 * and not generate masking instructions if the mask is 0xFFFF. 3285 */ 3286 static struct block * 3287 gen_dnhostop(addr, dir) 3288 bpf_u_int32 addr; 3289 int dir; 3290 { 3291 struct block *b0, *b1, *b2, *tmp; 3292 u_int offset_lh; /* offset if long header is received */ 3293 u_int offset_sh; /* offset if short header is received */ 3294 3295 switch (dir) { 3296 3297 case Q_DST: 3298 offset_sh = 1; /* follows flags */ 3299 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 3300 break; 3301 3302 case Q_SRC: 3303 offset_sh = 3; /* follows flags, dstnode */ 3304 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 3305 break; 3306 3307 case Q_AND: 3308 /* Inefficient because we do our Calvinball dance twice */ 3309 b0 = gen_dnhostop(addr, Q_SRC); 3310 b1 = gen_dnhostop(addr, Q_DST); 3311 gen_and(b0, b1); 3312 return b1; 3313 3314 case Q_OR: 3315 case Q_DEFAULT: 3316 /* Inefficient because we do our Calvinball dance twice */ 3317 b0 = gen_dnhostop(addr, Q_SRC); 3318 b1 = gen_dnhostop(addr, Q_DST); 3319 gen_or(b0, b1); 3320 return b1; 3321 3322 case Q_ISO: 3323 bpf_error("ISO host filtering not implemented"); 3324 3325 default: 3326 abort(); 3327 } 3328 b0 = gen_linktype(ETHERTYPE_DN); 3329 /* Check for pad = 1, long header case */ 3330 tmp = gen_mcmp(OR_NET, 2, BPF_H, 3331 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 3332 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 3333 BPF_H, (bpf_int32)ntohs((u_short)addr)); 3334 gen_and(tmp, b1); 3335 /* Check for pad = 0, long header case */ 3336 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 3337 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 3338 gen_and(tmp, b2); 3339 gen_or(b2, b1); 3340 /* Check for pad = 1, short header case */ 3341 tmp = gen_mcmp(OR_NET, 2, BPF_H, 3342 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 3343 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 3344 gen_and(tmp, b2); 3345 gen_or(b2, b1); 3346 /* Check for pad = 0, short header case */ 3347 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 3348 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 3349 gen_and(tmp, b2); 3350 gen_or(b2, b1); 3351 3352 /* Combine with test for linktype */ 3353 gen_and(b0, b1); 3354 return b1; 3355 } 3356 3357 /* 3358 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 3359 * test the bottom-of-stack bit, and then check the version number 3360 * field in the IP header. 3361 */ 3362 static struct block * 3363 gen_mpls_linktype(proto) 3364 int proto; 3365 { 3366 struct block *b0, *b1; 3367 3368 switch (proto) { 3369 3370 case Q_IP: 3371 /* match the bottom-of-stack bit */ 3372 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 3373 /* match the IPv4 version number */ 3374 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 3375 gen_and(b0, b1); 3376 return b1; 3377 3378 case Q_IPV6: 3379 /* match the bottom-of-stack bit */ 3380 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 3381 /* match the IPv4 version number */ 3382 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 3383 gen_and(b0, b1); 3384 return b1; 3385 3386 default: 3387 abort(); 3388 } 3389 } 3390 3391 static struct block * 3392 gen_host(addr, mask, proto, dir, type) 3393 bpf_u_int32 addr; 3394 bpf_u_int32 mask; 3395 int proto; 3396 int dir; 3397 int type; 3398 { 3399 struct block *b0, *b1; 3400 const char *typestr; 3401 3402 if (type == Q_NET) 3403 typestr = "net"; 3404 else 3405 typestr = "host"; 3406 3407 switch (proto) { 3408 3409 case Q_DEFAULT: 3410 b0 = gen_host(addr, mask, Q_IP, dir, type); 3411 /* 3412 * Only check for non-IPv4 addresses if we're not 3413 * checking MPLS-encapsulated packets. 3414 */ 3415 if (label_stack_depth == 0) { 3416 b1 = gen_host(addr, mask, Q_ARP, dir, type); 3417 gen_or(b0, b1); 3418 b0 = gen_host(addr, mask, Q_RARP, dir, type); 3419 gen_or(b1, b0); 3420 } 3421 return b0; 3422 3423 case Q_IP: 3424 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 3425 3426 case Q_RARP: 3427 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 3428 3429 case Q_ARP: 3430 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 3431 3432 case Q_TCP: 3433 bpf_error("'tcp' modifier applied to %s", typestr); 3434 3435 case Q_SCTP: 3436 bpf_error("'sctp' modifier applied to %s", typestr); 3437 3438 case Q_UDP: 3439 bpf_error("'udp' modifier applied to %s", typestr); 3440 3441 case Q_ICMP: 3442 bpf_error("'icmp' modifier applied to %s", typestr); 3443 3444 case Q_IGMP: 3445 bpf_error("'igmp' modifier applied to %s", typestr); 3446 3447 case Q_IGRP: 3448 bpf_error("'igrp' modifier applied to %s", typestr); 3449 3450 case Q_PIM: 3451 bpf_error("'pim' modifier applied to %s", typestr); 3452 3453 case Q_VRRP: 3454 bpf_error("'vrrp' modifier applied to %s", typestr); 3455 3456 case Q_ATALK: 3457 bpf_error("ATALK host filtering not implemented"); 3458 3459 case Q_AARP: 3460 bpf_error("AARP host filtering not implemented"); 3461 3462 case Q_DECNET: 3463 return gen_dnhostop(addr, dir); 3464 3465 case Q_SCA: 3466 bpf_error("SCA host filtering not implemented"); 3467 3468 case Q_LAT: 3469 bpf_error("LAT host filtering not implemented"); 3470 3471 case Q_MOPDL: 3472 bpf_error("MOPDL host filtering not implemented"); 3473 3474 case Q_MOPRC: 3475 bpf_error("MOPRC host filtering not implemented"); 3476 3477 #ifdef INET6 3478 case Q_IPV6: 3479 bpf_error("'ip6' modifier applied to ip host"); 3480 3481 case Q_ICMPV6: 3482 bpf_error("'icmp6' modifier applied to %s", typestr); 3483 #endif /* INET6 */ 3484 3485 case Q_AH: 3486 bpf_error("'ah' modifier applied to %s", typestr); 3487 3488 case Q_ESP: 3489 bpf_error("'esp' modifier applied to %s", typestr); 3490 3491 case Q_ISO: 3492 bpf_error("ISO host filtering not implemented"); 3493 3494 case Q_ESIS: 3495 bpf_error("'esis' modifier applied to %s", typestr); 3496 3497 case Q_ISIS: 3498 bpf_error("'isis' modifier applied to %s", typestr); 3499 3500 case Q_CLNP: 3501 bpf_error("'clnp' modifier applied to %s", typestr); 3502 3503 case Q_STP: 3504 bpf_error("'stp' modifier applied to %s", typestr); 3505 3506 case Q_IPX: 3507 bpf_error("IPX host filtering not implemented"); 3508 3509 case Q_NETBEUI: 3510 bpf_error("'netbeui' modifier applied to %s", typestr); 3511 3512 case Q_RADIO: 3513 bpf_error("'radio' modifier applied to %s", typestr); 3514 3515 default: 3516 abort(); 3517 } 3518 /* NOTREACHED */ 3519 } 3520 3521 #ifdef INET6 3522 static struct block * 3523 gen_host6(addr, mask, proto, dir, type) 3524 struct in6_addr *addr; 3525 struct in6_addr *mask; 3526 int proto; 3527 int dir; 3528 int type; 3529 { 3530 const char *typestr; 3531 3532 if (type == Q_NET) 3533 typestr = "net"; 3534 else 3535 typestr = "host"; 3536 3537 switch (proto) { 3538 3539 case Q_DEFAULT: 3540 return gen_host6(addr, mask, Q_IPV6, dir, type); 3541 3542 case Q_IP: 3543 bpf_error("'ip' modifier applied to ip6 %s", typestr); 3544 3545 case Q_RARP: 3546 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 3547 3548 case Q_ARP: 3549 bpf_error("'arp' modifier applied to ip6 %s", typestr); 3550 3551 case Q_SCTP: 3552 bpf_error("'sctp' modifier applied to %s", typestr); 3553 3554 case Q_TCP: 3555 bpf_error("'tcp' modifier applied to %s", typestr); 3556 3557 case Q_UDP: 3558 bpf_error("'udp' modifier applied to %s", typestr); 3559 3560 case Q_ICMP: 3561 bpf_error("'icmp' modifier applied to %s", typestr); 3562 3563 case Q_IGMP: 3564 bpf_error("'igmp' modifier applied to %s", typestr); 3565 3566 case Q_IGRP: 3567 bpf_error("'igrp' modifier applied to %s", typestr); 3568 3569 case Q_PIM: 3570 bpf_error("'pim' modifier applied to %s", typestr); 3571 3572 case Q_VRRP: 3573 bpf_error("'vrrp' modifier applied to %s", typestr); 3574 3575 case Q_ATALK: 3576 bpf_error("ATALK host filtering not implemented"); 3577 3578 case Q_AARP: 3579 bpf_error("AARP host filtering not implemented"); 3580 3581 case Q_DECNET: 3582 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 3583 3584 case Q_SCA: 3585 bpf_error("SCA host filtering not implemented"); 3586 3587 case Q_LAT: 3588 bpf_error("LAT host filtering not implemented"); 3589 3590 case Q_MOPDL: 3591 bpf_error("MOPDL host filtering not implemented"); 3592 3593 case Q_MOPRC: 3594 bpf_error("MOPRC host filtering not implemented"); 3595 3596 case Q_IPV6: 3597 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 3598 3599 case Q_ICMPV6: 3600 bpf_error("'icmp6' modifier applied to %s", typestr); 3601 3602 case Q_AH: 3603 bpf_error("'ah' modifier applied to %s", typestr); 3604 3605 case Q_ESP: 3606 bpf_error("'esp' modifier applied to %s", typestr); 3607 3608 case Q_ISO: 3609 bpf_error("ISO host filtering not implemented"); 3610 3611 case Q_ESIS: 3612 bpf_error("'esis' modifier applied to %s", typestr); 3613 3614 case Q_ISIS: 3615 bpf_error("'isis' modifier applied to %s", typestr); 3616 3617 case Q_CLNP: 3618 bpf_error("'clnp' modifier applied to %s", typestr); 3619 3620 case Q_STP: 3621 bpf_error("'stp' modifier applied to %s", typestr); 3622 3623 case Q_IPX: 3624 bpf_error("IPX host filtering not implemented"); 3625 3626 case Q_NETBEUI: 3627 bpf_error("'netbeui' modifier applied to %s", typestr); 3628 3629 case Q_RADIO: 3630 bpf_error("'radio' modifier applied to %s", typestr); 3631 3632 default: 3633 abort(); 3634 } 3635 /* NOTREACHED */ 3636 } 3637 #endif /*INET6*/ 3638 3639 #ifndef INET6 3640 static struct block * 3641 gen_gateway(eaddr, alist, proto, dir) 3642 const u_char *eaddr; 3643 bpf_u_int32 **alist; 3644 int proto; 3645 int dir; 3646 { 3647 struct block *b0, *b1, *tmp; 3648 3649 if (dir != 0) 3650 bpf_error("direction applied to 'gateway'"); 3651 3652 switch (proto) { 3653 case Q_DEFAULT: 3654 case Q_IP: 3655 case Q_ARP: 3656 case Q_RARP: 3657 switch (linktype) { 3658 case DLT_EN10MB: 3659 b0 = gen_ehostop(eaddr, Q_OR); 3660 break; 3661 case DLT_FDDI: 3662 b0 = gen_fhostop(eaddr, Q_OR); 3663 break; 3664 case DLT_IEEE802: 3665 b0 = gen_thostop(eaddr, Q_OR); 3666 break; 3667 case DLT_IEEE802_11: 3668 case DLT_IEEE802_11_RADIO_AVS: 3669 case DLT_PPI: 3670 case DLT_IEEE802_11_RADIO: 3671 case DLT_PRISM_HEADER: 3672 b0 = gen_wlanhostop(eaddr, Q_OR); 3673 break; 3674 case DLT_SUNATM: 3675 if (is_lane) { 3676 /* 3677 * Check that the packet doesn't begin with an 3678 * LE Control marker. (We've already generated 3679 * a test for LANE.) 3680 */ 3681 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3682 0xFF00); 3683 gen_not(b1); 3684 3685 /* 3686 * Now check the MAC address. 3687 */ 3688 b0 = gen_ehostop(eaddr, Q_OR); 3689 gen_and(b1, b0); 3690 } 3691 break; 3692 case DLT_IP_OVER_FC: 3693 b0 = gen_ipfchostop(eaddr, Q_OR); 3694 break; 3695 default: 3696 bpf_error( 3697 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel"); 3698 } 3699 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 3700 while (*alist) { 3701 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 3702 Q_HOST); 3703 gen_or(b1, tmp); 3704 b1 = tmp; 3705 } 3706 gen_not(b1); 3707 gen_and(b0, b1); 3708 return b1; 3709 } 3710 bpf_error("illegal modifier of 'gateway'"); 3711 /* NOTREACHED */ 3712 } 3713 #endif 3714 3715 struct block * 3716 gen_proto_abbrev(proto) 3717 int proto; 3718 { 3719 struct block *b0; 3720 struct block *b1; 3721 3722 switch (proto) { 3723 3724 case Q_SCTP: 3725 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 3726 #ifdef INET6 3727 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 3728 gen_or(b0, b1); 3729 #endif 3730 break; 3731 3732 case Q_TCP: 3733 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 3734 #ifdef INET6 3735 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 3736 gen_or(b0, b1); 3737 #endif 3738 break; 3739 3740 case Q_UDP: 3741 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 3742 #ifdef INET6 3743 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 3744 gen_or(b0, b1); 3745 #endif 3746 break; 3747 3748 case Q_ICMP: 3749 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 3750 break; 3751 3752 #ifndef IPPROTO_IGMP 3753 #define IPPROTO_IGMP 2 3754 #endif 3755 3756 case Q_IGMP: 3757 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 3758 break; 3759 3760 #ifndef IPPROTO_IGRP 3761 #define IPPROTO_IGRP 9 3762 #endif 3763 case Q_IGRP: 3764 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 3765 break; 3766 3767 #ifndef IPPROTO_PIM 3768 #define IPPROTO_PIM 103 3769 #endif 3770 3771 case Q_PIM: 3772 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 3773 #ifdef INET6 3774 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 3775 gen_or(b0, b1); 3776 #endif 3777 break; 3778 3779 #ifndef IPPROTO_VRRP 3780 #define IPPROTO_VRRP 112 3781 #endif 3782 3783 case Q_VRRP: 3784 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 3785 break; 3786 3787 case Q_IP: 3788 b1 = gen_linktype(ETHERTYPE_IP); 3789 break; 3790 3791 case Q_ARP: 3792 b1 = gen_linktype(ETHERTYPE_ARP); 3793 break; 3794 3795 case Q_RARP: 3796 b1 = gen_linktype(ETHERTYPE_REVARP); 3797 break; 3798 3799 case Q_LINK: 3800 bpf_error("link layer applied in wrong context"); 3801 3802 case Q_ATALK: 3803 b1 = gen_linktype(ETHERTYPE_ATALK); 3804 break; 3805 3806 case Q_AARP: 3807 b1 = gen_linktype(ETHERTYPE_AARP); 3808 break; 3809 3810 case Q_DECNET: 3811 b1 = gen_linktype(ETHERTYPE_DN); 3812 break; 3813 3814 case Q_SCA: 3815 b1 = gen_linktype(ETHERTYPE_SCA); 3816 break; 3817 3818 case Q_LAT: 3819 b1 = gen_linktype(ETHERTYPE_LAT); 3820 break; 3821 3822 case Q_MOPDL: 3823 b1 = gen_linktype(ETHERTYPE_MOPDL); 3824 break; 3825 3826 case Q_MOPRC: 3827 b1 = gen_linktype(ETHERTYPE_MOPRC); 3828 break; 3829 3830 #ifdef INET6 3831 case Q_IPV6: 3832 b1 = gen_linktype(ETHERTYPE_IPV6); 3833 break; 3834 3835 #ifndef IPPROTO_ICMPV6 3836 #define IPPROTO_ICMPV6 58 3837 #endif 3838 case Q_ICMPV6: 3839 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 3840 break; 3841 #endif /* INET6 */ 3842 3843 #ifndef IPPROTO_AH 3844 #define IPPROTO_AH 51 3845 #endif 3846 case Q_AH: 3847 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 3848 #ifdef INET6 3849 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 3850 gen_or(b0, b1); 3851 #endif 3852 break; 3853 3854 #ifndef IPPROTO_ESP 3855 #define IPPROTO_ESP 50 3856 #endif 3857 case Q_ESP: 3858 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 3859 #ifdef INET6 3860 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 3861 gen_or(b0, b1); 3862 #endif 3863 break; 3864 3865 case Q_ISO: 3866 b1 = gen_linktype(LLCSAP_ISONS); 3867 break; 3868 3869 case Q_ESIS: 3870 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 3871 break; 3872 3873 case Q_ISIS: 3874 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 3875 break; 3876 3877 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 3878 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 3879 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 3880 gen_or(b0, b1); 3881 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 3882 gen_or(b0, b1); 3883 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3884 gen_or(b0, b1); 3885 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3886 gen_or(b0, b1); 3887 break; 3888 3889 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 3890 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 3891 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 3892 gen_or(b0, b1); 3893 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 3894 gen_or(b0, b1); 3895 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3896 gen_or(b0, b1); 3897 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3898 gen_or(b0, b1); 3899 break; 3900 3901 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 3902 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 3903 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 3904 gen_or(b0, b1); 3905 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 3906 gen_or(b0, b1); 3907 break; 3908 3909 case Q_ISIS_LSP: 3910 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 3911 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 3912 gen_or(b0, b1); 3913 break; 3914 3915 case Q_ISIS_SNP: 3916 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3917 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3918 gen_or(b0, b1); 3919 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3920 gen_or(b0, b1); 3921 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3922 gen_or(b0, b1); 3923 break; 3924 3925 case Q_ISIS_CSNP: 3926 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3927 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3928 gen_or(b0, b1); 3929 break; 3930 3931 case Q_ISIS_PSNP: 3932 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3933 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3934 gen_or(b0, b1); 3935 break; 3936 3937 case Q_CLNP: 3938 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 3939 break; 3940 3941 case Q_STP: 3942 b1 = gen_linktype(LLCSAP_8021D); 3943 break; 3944 3945 case Q_IPX: 3946 b1 = gen_linktype(LLCSAP_IPX); 3947 break; 3948 3949 case Q_NETBEUI: 3950 b1 = gen_linktype(LLCSAP_NETBEUI); 3951 break; 3952 3953 case Q_RADIO: 3954 bpf_error("'radio' is not a valid protocol type"); 3955 3956 default: 3957 abort(); 3958 } 3959 return b1; 3960 } 3961 3962 static struct block * 3963 gen_ipfrag() 3964 { 3965 struct slist *s; 3966 struct block *b; 3967 3968 /* not ip frag */ 3969 s = gen_load_a(OR_NET, 6, BPF_H); 3970 b = new_block(JMP(BPF_JSET)); 3971 b->s.k = 0x1fff; 3972 b->stmts = s; 3973 gen_not(b); 3974 3975 return b; 3976 } 3977 3978 /* 3979 * Generate a comparison to a port value in the transport-layer header 3980 * at the specified offset from the beginning of that header. 3981 * 3982 * XXX - this handles a variable-length prefix preceding the link-layer 3983 * header, such as the radiotap or AVS radio prefix, but doesn't handle 3984 * variable-length link-layer headers (such as Token Ring or 802.11 3985 * headers). 3986 */ 3987 static struct block * 3988 gen_portatom(off, v) 3989 int off; 3990 bpf_int32 v; 3991 { 3992 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 3993 } 3994 3995 #ifdef INET6 3996 static struct block * 3997 gen_portatom6(off, v) 3998 int off; 3999 bpf_int32 v; 4000 { 4001 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 4002 } 4003 #endif/*INET6*/ 4004 4005 struct block * 4006 gen_portop(port, proto, dir) 4007 int port, proto, dir; 4008 { 4009 struct block *b0, *b1, *tmp; 4010 4011 /* ip proto 'proto' */ 4012 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 4013 b0 = gen_ipfrag(); 4014 gen_and(tmp, b0); 4015 4016 switch (dir) { 4017 case Q_SRC: 4018 b1 = gen_portatom(0, (bpf_int32)port); 4019 break; 4020 4021 case Q_DST: 4022 b1 = gen_portatom(2, (bpf_int32)port); 4023 break; 4024 4025 case Q_OR: 4026 case Q_DEFAULT: 4027 tmp = gen_portatom(0, (bpf_int32)port); 4028 b1 = gen_portatom(2, (bpf_int32)port); 4029 gen_or(tmp, b1); 4030 break; 4031 4032 case Q_AND: 4033 tmp = gen_portatom(0, (bpf_int32)port); 4034 b1 = gen_portatom(2, (bpf_int32)port); 4035 gen_and(tmp, b1); 4036 break; 4037 4038 default: 4039 abort(); 4040 } 4041 gen_and(b0, b1); 4042 4043 return b1; 4044 } 4045 4046 static struct block * 4047 gen_port(port, ip_proto, dir) 4048 int port; 4049 int ip_proto; 4050 int dir; 4051 { 4052 struct block *b0, *b1, *tmp; 4053 4054 /* 4055 * ether proto ip 4056 * 4057 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 4058 * not LLC encapsulation with LLCSAP_IP. 4059 * 4060 * For IEEE 802 networks - which includes 802.5 token ring 4061 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 4062 * says that SNAP encapsulation is used, not LLC encapsulation 4063 * with LLCSAP_IP. 4064 * 4065 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 4066 * RFC 2225 say that SNAP encapsulation is used, not LLC 4067 * encapsulation with LLCSAP_IP. 4068 * 4069 * So we always check for ETHERTYPE_IP. 4070 */ 4071 b0 = gen_linktype(ETHERTYPE_IP); 4072 4073 switch (ip_proto) { 4074 case IPPROTO_UDP: 4075 case IPPROTO_TCP: 4076 case IPPROTO_SCTP: 4077 b1 = gen_portop(port, ip_proto, dir); 4078 break; 4079 4080 case PROTO_UNDEF: 4081 tmp = gen_portop(port, IPPROTO_TCP, dir); 4082 b1 = gen_portop(port, IPPROTO_UDP, dir); 4083 gen_or(tmp, b1); 4084 tmp = gen_portop(port, IPPROTO_SCTP, dir); 4085 gen_or(tmp, b1); 4086 break; 4087 4088 default: 4089 abort(); 4090 } 4091 gen_and(b0, b1); 4092 return b1; 4093 } 4094 4095 #ifdef INET6 4096 struct block * 4097 gen_portop6(port, proto, dir) 4098 int port, proto, dir; 4099 { 4100 struct block *b0, *b1, *tmp; 4101 4102 /* ip6 proto 'proto' */ 4103 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 4104 4105 switch (dir) { 4106 case Q_SRC: 4107 b1 = gen_portatom6(0, (bpf_int32)port); 4108 break; 4109 4110 case Q_DST: 4111 b1 = gen_portatom6(2, (bpf_int32)port); 4112 break; 4113 4114 case Q_OR: 4115 case Q_DEFAULT: 4116 tmp = gen_portatom6(0, (bpf_int32)port); 4117 b1 = gen_portatom6(2, (bpf_int32)port); 4118 gen_or(tmp, b1); 4119 break; 4120 4121 case Q_AND: 4122 tmp = gen_portatom6(0, (bpf_int32)port); 4123 b1 = gen_portatom6(2, (bpf_int32)port); 4124 gen_and(tmp, b1); 4125 break; 4126 4127 default: 4128 abort(); 4129 } 4130 gen_and(b0, b1); 4131 4132 return b1; 4133 } 4134 4135 static struct block * 4136 gen_port6(port, ip_proto, dir) 4137 int port; 4138 int ip_proto; 4139 int dir; 4140 { 4141 struct block *b0, *b1, *tmp; 4142 4143 /* link proto ip6 */ 4144 b0 = gen_linktype(ETHERTYPE_IPV6); 4145 4146 switch (ip_proto) { 4147 case IPPROTO_UDP: 4148 case IPPROTO_TCP: 4149 case IPPROTO_SCTP: 4150 b1 = gen_portop6(port, ip_proto, dir); 4151 break; 4152 4153 case PROTO_UNDEF: 4154 tmp = gen_portop6(port, IPPROTO_TCP, dir); 4155 b1 = gen_portop6(port, IPPROTO_UDP, dir); 4156 gen_or(tmp, b1); 4157 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 4158 gen_or(tmp, b1); 4159 break; 4160 4161 default: 4162 abort(); 4163 } 4164 gen_and(b0, b1); 4165 return b1; 4166 } 4167 #endif /* INET6 */ 4168 4169 /* gen_portrange code */ 4170 static struct block * 4171 gen_portrangeatom(off, v1, v2) 4172 int off; 4173 bpf_int32 v1, v2; 4174 { 4175 struct block *b1, *b2; 4176 4177 if (v1 > v2) { 4178 /* 4179 * Reverse the order of the ports, so v1 is the lower one. 4180 */ 4181 bpf_int32 vtemp; 4182 4183 vtemp = v1; 4184 v1 = v2; 4185 v2 = vtemp; 4186 } 4187 4188 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 4189 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 4190 4191 gen_and(b1, b2); 4192 4193 return b2; 4194 } 4195 4196 struct block * 4197 gen_portrangeop(port1, port2, proto, dir) 4198 int port1, port2; 4199 int proto; 4200 int dir; 4201 { 4202 struct block *b0, *b1, *tmp; 4203 4204 /* ip proto 'proto' */ 4205 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 4206 b0 = gen_ipfrag(); 4207 gen_and(tmp, b0); 4208 4209 switch (dir) { 4210 case Q_SRC: 4211 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 4212 break; 4213 4214 case Q_DST: 4215 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 4216 break; 4217 4218 case Q_OR: 4219 case Q_DEFAULT: 4220 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 4221 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 4222 gen_or(tmp, b1); 4223 break; 4224 4225 case Q_AND: 4226 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 4227 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 4228 gen_and(tmp, b1); 4229 break; 4230 4231 default: 4232 abort(); 4233 } 4234 gen_and(b0, b1); 4235 4236 return b1; 4237 } 4238 4239 static struct block * 4240 gen_portrange(port1, port2, ip_proto, dir) 4241 int port1, port2; 4242 int ip_proto; 4243 int dir; 4244 { 4245 struct block *b0, *b1, *tmp; 4246 4247 /* link proto ip */ 4248 b0 = gen_linktype(ETHERTYPE_IP); 4249 4250 switch (ip_proto) { 4251 case IPPROTO_UDP: 4252 case IPPROTO_TCP: 4253 case IPPROTO_SCTP: 4254 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 4255 break; 4256 4257 case PROTO_UNDEF: 4258 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 4259 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 4260 gen_or(tmp, b1); 4261 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 4262 gen_or(tmp, b1); 4263 break; 4264 4265 default: 4266 abort(); 4267 } 4268 gen_and(b0, b1); 4269 return b1; 4270 } 4271 4272 #ifdef INET6 4273 static struct block * 4274 gen_portrangeatom6(off, v1, v2) 4275 int off; 4276 bpf_int32 v1, v2; 4277 { 4278 struct block *b1, *b2; 4279 4280 if (v1 > v2) { 4281 /* 4282 * Reverse the order of the ports, so v1 is the lower one. 4283 */ 4284 bpf_int32 vtemp; 4285 4286 vtemp = v1; 4287 v1 = v2; 4288 v2 = vtemp; 4289 } 4290 4291 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 4292 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 4293 4294 gen_and(b1, b2); 4295 4296 return b2; 4297 } 4298 4299 struct block * 4300 gen_portrangeop6(port1, port2, proto, dir) 4301 int port1, port2; 4302 int proto; 4303 int dir; 4304 { 4305 struct block *b0, *b1, *tmp; 4306 4307 /* ip6 proto 'proto' */ 4308 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 4309 4310 switch (dir) { 4311 case Q_SRC: 4312 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4313 break; 4314 4315 case Q_DST: 4316 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4317 break; 4318 4319 case Q_OR: 4320 case Q_DEFAULT: 4321 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4322 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4323 gen_or(tmp, b1); 4324 break; 4325 4326 case Q_AND: 4327 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4328 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4329 gen_and(tmp, b1); 4330 break; 4331 4332 default: 4333 abort(); 4334 } 4335 gen_and(b0, b1); 4336 4337 return b1; 4338 } 4339 4340 static struct block * 4341 gen_portrange6(port1, port2, ip_proto, dir) 4342 int port1, port2; 4343 int ip_proto; 4344 int dir; 4345 { 4346 struct block *b0, *b1, *tmp; 4347 4348 /* link proto ip6 */ 4349 b0 = gen_linktype(ETHERTYPE_IPV6); 4350 4351 switch (ip_proto) { 4352 case IPPROTO_UDP: 4353 case IPPROTO_TCP: 4354 case IPPROTO_SCTP: 4355 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 4356 break; 4357 4358 case PROTO_UNDEF: 4359 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 4360 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 4361 gen_or(tmp, b1); 4362 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 4363 gen_or(tmp, b1); 4364 break; 4365 4366 default: 4367 abort(); 4368 } 4369 gen_and(b0, b1); 4370 return b1; 4371 } 4372 #endif /* INET6 */ 4373 4374 static int 4375 lookup_proto(name, proto) 4376 register const char *name; 4377 register int proto; 4378 { 4379 register int v; 4380 4381 switch (proto) { 4382 4383 case Q_DEFAULT: 4384 case Q_IP: 4385 case Q_IPV6: 4386 v = pcap_nametoproto(name); 4387 if (v == PROTO_UNDEF) 4388 bpf_error("unknown ip proto '%s'", name); 4389 break; 4390 4391 case Q_LINK: 4392 /* XXX should look up h/w protocol type based on linktype */ 4393 v = pcap_nametoeproto(name); 4394 if (v == PROTO_UNDEF) { 4395 v = pcap_nametollc(name); 4396 if (v == PROTO_UNDEF) 4397 bpf_error("unknown ether proto '%s'", name); 4398 } 4399 break; 4400 4401 case Q_ISO: 4402 if (strcmp(name, "esis") == 0) 4403 v = ISO9542_ESIS; 4404 else if (strcmp(name, "isis") == 0) 4405 v = ISO10589_ISIS; 4406 else if (strcmp(name, "clnp") == 0) 4407 v = ISO8473_CLNP; 4408 else 4409 bpf_error("unknown osi proto '%s'", name); 4410 break; 4411 4412 default: 4413 v = PROTO_UNDEF; 4414 break; 4415 } 4416 return v; 4417 } 4418 4419 #if 0 4420 struct stmt * 4421 gen_joinsp(s, n) 4422 struct stmt **s; 4423 int n; 4424 { 4425 return NULL; 4426 } 4427 #endif 4428 4429 static struct block * 4430 gen_protochain(v, proto, dir) 4431 int v; 4432 int proto; 4433 int dir; 4434 { 4435 #ifdef NO_PROTOCHAIN 4436 return gen_proto(v, proto, dir); 4437 #else 4438 struct block *b0, *b; 4439 struct slist *s[100]; 4440 int fix2, fix3, fix4, fix5; 4441 int ahcheck, again, end; 4442 int i, max; 4443 int reg2 = alloc_reg(); 4444 4445 memset(s, 0, sizeof(s)); 4446 fix2 = fix3 = fix4 = fix5 = 0; 4447 4448 switch (proto) { 4449 case Q_IP: 4450 case Q_IPV6: 4451 break; 4452 case Q_DEFAULT: 4453 b0 = gen_protochain(v, Q_IP, dir); 4454 b = gen_protochain(v, Q_IPV6, dir); 4455 gen_or(b0, b); 4456 return b; 4457 default: 4458 bpf_error("bad protocol applied for 'protochain'"); 4459 /*NOTREACHED*/ 4460 } 4461 4462 /* 4463 * We don't handle variable-length radiotap here headers yet. 4464 * We might want to add BPF instructions to do the protochain 4465 * work, to simplify that and, on platforms that have a BPF 4466 * interpreter with the new instructions, let the filtering 4467 * be done in the kernel. (We already require a modified BPF 4468 * engine to do the protochain stuff, to support backward 4469 * branches, and backward branch support is unlikely to appear 4470 * in kernel BPF engines.) 4471 */ 4472 if (linktype == DLT_IEEE802_11_RADIO) 4473 bpf_error("'protochain' not supported with radiotap headers"); 4474 4475 if (linktype == DLT_PPI) 4476 bpf_error("'protochain' not supported with PPI headers"); 4477 4478 no_optimize = 1; /*this code is not compatible with optimzer yet */ 4479 4480 /* 4481 * s[0] is a dummy entry to protect other BPF insn from damage 4482 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 4483 * hard to find interdependency made by jump table fixup. 4484 */ 4485 i = 0; 4486 s[i] = new_stmt(0); /*dummy*/ 4487 i++; 4488 4489 switch (proto) { 4490 case Q_IP: 4491 b0 = gen_linktype(ETHERTYPE_IP); 4492 4493 /* A = ip->ip_p */ 4494 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 4495 s[i]->s.k = off_ll + off_nl + 9; 4496 i++; 4497 /* X = ip->ip_hl << 2 */ 4498 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 4499 s[i]->s.k = off_ll + off_nl; 4500 i++; 4501 break; 4502 #ifdef INET6 4503 case Q_IPV6: 4504 b0 = gen_linktype(ETHERTYPE_IPV6); 4505 4506 /* A = ip6->ip_nxt */ 4507 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 4508 s[i]->s.k = off_ll + off_nl + 6; 4509 i++; 4510 /* X = sizeof(struct ip6_hdr) */ 4511 s[i] = new_stmt(BPF_LDX|BPF_IMM); 4512 s[i]->s.k = 40; 4513 i++; 4514 break; 4515 #endif 4516 default: 4517 bpf_error("unsupported proto to gen_protochain"); 4518 /*NOTREACHED*/ 4519 } 4520 4521 /* again: if (A == v) goto end; else fall through; */ 4522 again = i; 4523 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4524 s[i]->s.k = v; 4525 s[i]->s.jt = NULL; /*later*/ 4526 s[i]->s.jf = NULL; /*update in next stmt*/ 4527 fix5 = i; 4528 i++; 4529 4530 #ifndef IPPROTO_NONE 4531 #define IPPROTO_NONE 59 4532 #endif 4533 /* if (A == IPPROTO_NONE) goto end */ 4534 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4535 s[i]->s.jt = NULL; /*later*/ 4536 s[i]->s.jf = NULL; /*update in next stmt*/ 4537 s[i]->s.k = IPPROTO_NONE; 4538 s[fix5]->s.jf = s[i]; 4539 fix2 = i; 4540 i++; 4541 4542 #ifdef INET6 4543 if (proto == Q_IPV6) { 4544 int v6start, v6end, v6advance, j; 4545 4546 v6start = i; 4547 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 4548 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4549 s[i]->s.jt = NULL; /*later*/ 4550 s[i]->s.jf = NULL; /*update in next stmt*/ 4551 s[i]->s.k = IPPROTO_HOPOPTS; 4552 s[fix2]->s.jf = s[i]; 4553 i++; 4554 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 4555 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4556 s[i]->s.jt = NULL; /*later*/ 4557 s[i]->s.jf = NULL; /*update in next stmt*/ 4558 s[i]->s.k = IPPROTO_DSTOPTS; 4559 i++; 4560 /* if (A == IPPROTO_ROUTING) goto v6advance */ 4561 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4562 s[i]->s.jt = NULL; /*later*/ 4563 s[i]->s.jf = NULL; /*update in next stmt*/ 4564 s[i]->s.k = IPPROTO_ROUTING; 4565 i++; 4566 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 4567 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4568 s[i]->s.jt = NULL; /*later*/ 4569 s[i]->s.jf = NULL; /*later*/ 4570 s[i]->s.k = IPPROTO_FRAGMENT; 4571 fix3 = i; 4572 v6end = i; 4573 i++; 4574 4575 /* v6advance: */ 4576 v6advance = i; 4577 4578 /* 4579 * in short, 4580 * A = P[X]; 4581 * X = X + (P[X + 1] + 1) * 8; 4582 */ 4583 /* A = X */ 4584 s[i] = new_stmt(BPF_MISC|BPF_TXA); 4585 i++; 4586 /* A = P[X + packet head] */ 4587 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4588 s[i]->s.k = off_ll + off_nl; 4589 i++; 4590 /* MEM[reg2] = A */ 4591 s[i] = new_stmt(BPF_ST); 4592 s[i]->s.k = reg2; 4593 i++; 4594 /* A = X */ 4595 s[i] = new_stmt(BPF_MISC|BPF_TXA); 4596 i++; 4597 /* A += 1 */ 4598 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4599 s[i]->s.k = 1; 4600 i++; 4601 /* X = A */ 4602 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4603 i++; 4604 /* A = P[X + packet head]; */ 4605 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4606 s[i]->s.k = off_ll + off_nl; 4607 i++; 4608 /* A += 1 */ 4609 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4610 s[i]->s.k = 1; 4611 i++; 4612 /* A *= 8 */ 4613 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 4614 s[i]->s.k = 8; 4615 i++; 4616 /* X = A; */ 4617 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4618 i++; 4619 /* A = MEM[reg2] */ 4620 s[i] = new_stmt(BPF_LD|BPF_MEM); 4621 s[i]->s.k = reg2; 4622 i++; 4623 4624 /* goto again; (must use BPF_JA for backward jump) */ 4625 s[i] = new_stmt(BPF_JMP|BPF_JA); 4626 s[i]->s.k = again - i - 1; 4627 s[i - 1]->s.jf = s[i]; 4628 i++; 4629 4630 /* fixup */ 4631 for (j = v6start; j <= v6end; j++) 4632 s[j]->s.jt = s[v6advance]; 4633 } else 4634 #endif 4635 { 4636 /* nop */ 4637 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4638 s[i]->s.k = 0; 4639 s[fix2]->s.jf = s[i]; 4640 i++; 4641 } 4642 4643 /* ahcheck: */ 4644 ahcheck = i; 4645 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 4646 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4647 s[i]->s.jt = NULL; /*later*/ 4648 s[i]->s.jf = NULL; /*later*/ 4649 s[i]->s.k = IPPROTO_AH; 4650 if (fix3) 4651 s[fix3]->s.jf = s[ahcheck]; 4652 fix4 = i; 4653 i++; 4654 4655 /* 4656 * in short, 4657 * A = P[X]; 4658 * X = X + (P[X + 1] + 2) * 4; 4659 */ 4660 /* A = X */ 4661 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 4662 i++; 4663 /* A = P[X + packet head]; */ 4664 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4665 s[i]->s.k = off_ll + off_nl; 4666 i++; 4667 /* MEM[reg2] = A */ 4668 s[i] = new_stmt(BPF_ST); 4669 s[i]->s.k = reg2; 4670 i++; 4671 /* A = X */ 4672 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 4673 i++; 4674 /* A += 1 */ 4675 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4676 s[i]->s.k = 1; 4677 i++; 4678 /* X = A */ 4679 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4680 i++; 4681 /* A = P[X + packet head] */ 4682 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4683 s[i]->s.k = off_ll + off_nl; 4684 i++; 4685 /* A += 2 */ 4686 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4687 s[i]->s.k = 2; 4688 i++; 4689 /* A *= 4 */ 4690 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 4691 s[i]->s.k = 4; 4692 i++; 4693 /* X = A; */ 4694 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4695 i++; 4696 /* A = MEM[reg2] */ 4697 s[i] = new_stmt(BPF_LD|BPF_MEM); 4698 s[i]->s.k = reg2; 4699 i++; 4700 4701 /* goto again; (must use BPF_JA for backward jump) */ 4702 s[i] = new_stmt(BPF_JMP|BPF_JA); 4703 s[i]->s.k = again - i - 1; 4704 i++; 4705 4706 /* end: nop */ 4707 end = i; 4708 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4709 s[i]->s.k = 0; 4710 s[fix2]->s.jt = s[end]; 4711 s[fix4]->s.jf = s[end]; 4712 s[fix5]->s.jt = s[end]; 4713 i++; 4714 4715 /* 4716 * make slist chain 4717 */ 4718 max = i; 4719 for (i = 0; i < max - 1; i++) 4720 s[i]->next = s[i + 1]; 4721 s[max - 1]->next = NULL; 4722 4723 /* 4724 * emit final check 4725 */ 4726 b = new_block(JMP(BPF_JEQ)); 4727 b->stmts = s[1]; /*remember, s[0] is dummy*/ 4728 b->s.k = v; 4729 4730 free_reg(reg2); 4731 4732 gen_and(b0, b); 4733 return b; 4734 #endif 4735 } 4736 4737 4738 /* 4739 * Generate code that checks whether the packet is a packet for protocol 4740 * <proto> and whether the type field in that protocol's header has 4741 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 4742 * IP packet and checks the protocol number in the IP header against <v>. 4743 * 4744 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 4745 * against Q_IP and Q_IPV6. 4746 */ 4747 static struct block * 4748 gen_proto(v, proto, dir) 4749 int v; 4750 int proto; 4751 int dir; 4752 { 4753 struct block *b0, *b1; 4754 4755 if (dir != Q_DEFAULT) 4756 bpf_error("direction applied to 'proto'"); 4757 4758 switch (proto) { 4759 case Q_DEFAULT: 4760 #ifdef INET6 4761 b0 = gen_proto(v, Q_IP, dir); 4762 b1 = gen_proto(v, Q_IPV6, dir); 4763 gen_or(b0, b1); 4764 return b1; 4765 #else 4766 /*FALLTHROUGH*/ 4767 #endif 4768 case Q_IP: 4769 /* 4770 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 4771 * not LLC encapsulation with LLCSAP_IP. 4772 * 4773 * For IEEE 802 networks - which includes 802.5 token ring 4774 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 4775 * says that SNAP encapsulation is used, not LLC encapsulation 4776 * with LLCSAP_IP. 4777 * 4778 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 4779 * RFC 2225 say that SNAP encapsulation is used, not LLC 4780 * encapsulation with LLCSAP_IP. 4781 * 4782 * So we always check for ETHERTYPE_IP. 4783 */ 4784 b0 = gen_linktype(ETHERTYPE_IP); 4785 #ifndef CHASE_CHAIN 4786 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 4787 #else 4788 b1 = gen_protochain(v, Q_IP); 4789 #endif 4790 gen_and(b0, b1); 4791 return b1; 4792 4793 case Q_ISO: 4794 switch (linktype) { 4795 4796 case DLT_FRELAY: 4797 /* 4798 * Frame Relay packets typically have an OSI 4799 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 4800 * generates code to check for all the OSI 4801 * NLPIDs, so calling it and then adding a check 4802 * for the particular NLPID for which we're 4803 * looking is bogus, as we can just check for 4804 * the NLPID. 4805 * 4806 * What we check for is the NLPID and a frame 4807 * control field value of UI, i.e. 0x03 followed 4808 * by the NLPID. 4809 * 4810 * XXX - assumes a 2-byte Frame Relay header with 4811 * DLCI and flags. What if the address is longer? 4812 * 4813 * XXX - what about SNAP-encapsulated frames? 4814 */ 4815 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 4816 /*NOTREACHED*/ 4817 break; 4818 4819 case DLT_C_HDLC: 4820 /* 4821 * Cisco uses an Ethertype lookalike - for OSI, 4822 * it's 0xfefe. 4823 */ 4824 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 4825 /* OSI in C-HDLC is stuffed with a fudge byte */ 4826 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 4827 gen_and(b0, b1); 4828 return b1; 4829 4830 default: 4831 b0 = gen_linktype(LLCSAP_ISONS); 4832 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 4833 gen_and(b0, b1); 4834 return b1; 4835 } 4836 4837 case Q_ISIS: 4838 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4839 /* 4840 * 4 is the offset of the PDU type relative to the IS-IS 4841 * header. 4842 */ 4843 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 4844 gen_and(b0, b1); 4845 return b1; 4846 4847 case Q_ARP: 4848 bpf_error("arp does not encapsulate another protocol"); 4849 /* NOTREACHED */ 4850 4851 case Q_RARP: 4852 bpf_error("rarp does not encapsulate another protocol"); 4853 /* NOTREACHED */ 4854 4855 case Q_ATALK: 4856 bpf_error("atalk encapsulation is not specifiable"); 4857 /* NOTREACHED */ 4858 4859 case Q_DECNET: 4860 bpf_error("decnet encapsulation is not specifiable"); 4861 /* NOTREACHED */ 4862 4863 case Q_SCA: 4864 bpf_error("sca does not encapsulate another protocol"); 4865 /* NOTREACHED */ 4866 4867 case Q_LAT: 4868 bpf_error("lat does not encapsulate another protocol"); 4869 /* NOTREACHED */ 4870 4871 case Q_MOPRC: 4872 bpf_error("moprc does not encapsulate another protocol"); 4873 /* NOTREACHED */ 4874 4875 case Q_MOPDL: 4876 bpf_error("mopdl does not encapsulate another protocol"); 4877 /* NOTREACHED */ 4878 4879 case Q_LINK: 4880 return gen_linktype(v); 4881 4882 case Q_UDP: 4883 bpf_error("'udp proto' is bogus"); 4884 /* NOTREACHED */ 4885 4886 case Q_TCP: 4887 bpf_error("'tcp proto' is bogus"); 4888 /* NOTREACHED */ 4889 4890 case Q_SCTP: 4891 bpf_error("'sctp proto' is bogus"); 4892 /* NOTREACHED */ 4893 4894 case Q_ICMP: 4895 bpf_error("'icmp proto' is bogus"); 4896 /* NOTREACHED */ 4897 4898 case Q_IGMP: 4899 bpf_error("'igmp proto' is bogus"); 4900 /* NOTREACHED */ 4901 4902 case Q_IGRP: 4903 bpf_error("'igrp proto' is bogus"); 4904 /* NOTREACHED */ 4905 4906 case Q_PIM: 4907 bpf_error("'pim proto' is bogus"); 4908 /* NOTREACHED */ 4909 4910 case Q_VRRP: 4911 bpf_error("'vrrp proto' is bogus"); 4912 /* NOTREACHED */ 4913 4914 #ifdef INET6 4915 case Q_IPV6: 4916 b0 = gen_linktype(ETHERTYPE_IPV6); 4917 #ifndef CHASE_CHAIN 4918 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 4919 #else 4920 b1 = gen_protochain(v, Q_IPV6); 4921 #endif 4922 gen_and(b0, b1); 4923 return b1; 4924 4925 case Q_ICMPV6: 4926 bpf_error("'icmp6 proto' is bogus"); 4927 #endif /* INET6 */ 4928 4929 case Q_AH: 4930 bpf_error("'ah proto' is bogus"); 4931 4932 case Q_ESP: 4933 bpf_error("'ah proto' is bogus"); 4934 4935 case Q_STP: 4936 bpf_error("'stp proto' is bogus"); 4937 4938 case Q_IPX: 4939 bpf_error("'ipx proto' is bogus"); 4940 4941 case Q_NETBEUI: 4942 bpf_error("'netbeui proto' is bogus"); 4943 4944 case Q_RADIO: 4945 bpf_error("'radio proto' is bogus"); 4946 4947 default: 4948 abort(); 4949 /* NOTREACHED */ 4950 } 4951 /* NOTREACHED */ 4952 } 4953 4954 struct block * 4955 gen_scode(name, q) 4956 register const char *name; 4957 struct qual q; 4958 { 4959 int proto = q.proto; 4960 int dir = q.dir; 4961 int tproto; 4962 u_char *eaddr; 4963 bpf_u_int32 mask, addr; 4964 #ifndef INET6 4965 bpf_u_int32 **alist; 4966 #else 4967 int tproto6; 4968 struct sockaddr_in *sin4; 4969 struct sockaddr_in6 *sin6; 4970 struct addrinfo *res, *res0; 4971 struct in6_addr mask128; 4972 #endif /*INET6*/ 4973 struct block *b, *tmp; 4974 int port, real_proto; 4975 int port1, port2; 4976 4977 switch (q.addr) { 4978 4979 case Q_NET: 4980 addr = pcap_nametonetaddr(name); 4981 if (addr == 0) 4982 bpf_error("unknown network '%s'", name); 4983 /* Left justify network addr and calculate its network mask */ 4984 mask = 0xffffffff; 4985 while (addr && (addr & 0xff000000) == 0) { 4986 addr <<= 8; 4987 mask <<= 8; 4988 } 4989 return gen_host(addr, mask, proto, dir, q.addr); 4990 4991 case Q_DEFAULT: 4992 case Q_HOST: 4993 if (proto == Q_LINK) { 4994 switch (linktype) { 4995 4996 case DLT_EN10MB: 4997 eaddr = pcap_ether_hostton(name); 4998 if (eaddr == NULL) 4999 bpf_error( 5000 "unknown ether host '%s'", name); 5001 b = gen_ehostop(eaddr, dir); 5002 free(eaddr); 5003 return b; 5004 5005 case DLT_FDDI: 5006 eaddr = pcap_ether_hostton(name); 5007 if (eaddr == NULL) 5008 bpf_error( 5009 "unknown FDDI host '%s'", name); 5010 b = gen_fhostop(eaddr, dir); 5011 free(eaddr); 5012 return b; 5013 5014 case DLT_IEEE802: 5015 eaddr = pcap_ether_hostton(name); 5016 if (eaddr == NULL) 5017 bpf_error( 5018 "unknown token ring host '%s'", name); 5019 b = gen_thostop(eaddr, dir); 5020 free(eaddr); 5021 return b; 5022 5023 case DLT_IEEE802_11: 5024 case DLT_IEEE802_11_RADIO_AVS: 5025 case DLT_IEEE802_11_RADIO: 5026 case DLT_PRISM_HEADER: 5027 case DLT_PPI: 5028 eaddr = pcap_ether_hostton(name); 5029 if (eaddr == NULL) 5030 bpf_error( 5031 "unknown 802.11 host '%s'", name); 5032 b = gen_wlanhostop(eaddr, dir); 5033 free(eaddr); 5034 return b; 5035 5036 case DLT_IP_OVER_FC: 5037 eaddr = pcap_ether_hostton(name); 5038 if (eaddr == NULL) 5039 bpf_error( 5040 "unknown Fibre Channel host '%s'", name); 5041 b = gen_ipfchostop(eaddr, dir); 5042 free(eaddr); 5043 return b; 5044 5045 case DLT_SUNATM: 5046 if (!is_lane) 5047 break; 5048 5049 /* 5050 * Check that the packet doesn't begin 5051 * with an LE Control marker. (We've 5052 * already generated a test for LANE.) 5053 */ 5054 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 5055 BPF_H, 0xFF00); 5056 gen_not(tmp); 5057 5058 eaddr = pcap_ether_hostton(name); 5059 if (eaddr == NULL) 5060 bpf_error( 5061 "unknown ether host '%s'", name); 5062 b = gen_ehostop(eaddr, dir); 5063 gen_and(tmp, b); 5064 free(eaddr); 5065 return b; 5066 } 5067 5068 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 5069 } else if (proto == Q_DECNET) { 5070 unsigned short dn_addr = __pcap_nametodnaddr(name); 5071 /* 5072 * I don't think DECNET hosts can be multihomed, so 5073 * there is no need to build up a list of addresses 5074 */ 5075 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 5076 } else { 5077 #ifndef INET6 5078 alist = pcap_nametoaddr(name); 5079 if (alist == NULL || *alist == NULL) 5080 bpf_error("unknown host '%s'", name); 5081 tproto = proto; 5082 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 5083 tproto = Q_IP; 5084 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 5085 while (*alist) { 5086 tmp = gen_host(**alist++, 0xffffffff, 5087 tproto, dir, q.addr); 5088 gen_or(b, tmp); 5089 b = tmp; 5090 } 5091 return b; 5092 #else 5093 memset(&mask128, 0xff, sizeof(mask128)); 5094 res0 = res = pcap_nametoaddrinfo(name); 5095 if (res == NULL) 5096 bpf_error("unknown host '%s'", name); 5097 b = tmp = NULL; 5098 tproto = tproto6 = proto; 5099 if (off_linktype == -1 && tproto == Q_DEFAULT) { 5100 tproto = Q_IP; 5101 tproto6 = Q_IPV6; 5102 } 5103 for (res = res0; res; res = res->ai_next) { 5104 switch (res->ai_family) { 5105 case AF_INET: 5106 if (tproto == Q_IPV6) 5107 continue; 5108 5109 sin4 = (struct sockaddr_in *) 5110 res->ai_addr; 5111 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 5112 0xffffffff, tproto, dir, q.addr); 5113 break; 5114 case AF_INET6: 5115 if (tproto6 == Q_IP) 5116 continue; 5117 5118 sin6 = (struct sockaddr_in6 *) 5119 res->ai_addr; 5120 tmp = gen_host6(&sin6->sin6_addr, 5121 &mask128, tproto6, dir, q.addr); 5122 break; 5123 default: 5124 continue; 5125 } 5126 if (b) 5127 gen_or(b, tmp); 5128 b = tmp; 5129 } 5130 freeaddrinfo(res0); 5131 if (b == NULL) { 5132 bpf_error("unknown host '%s'%s", name, 5133 (proto == Q_DEFAULT) 5134 ? "" 5135 : " for specified address family"); 5136 } 5137 return b; 5138 #endif /*INET6*/ 5139 } 5140 5141 case Q_PORT: 5142 if (proto != Q_DEFAULT && 5143 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 5144 bpf_error("illegal qualifier of 'port'"); 5145 if (pcap_nametoport(name, &port, &real_proto) == 0) 5146 bpf_error("unknown port '%s'", name); 5147 if (proto == Q_UDP) { 5148 if (real_proto == IPPROTO_TCP) 5149 bpf_error("port '%s' is tcp", name); 5150 else if (real_proto == IPPROTO_SCTP) 5151 bpf_error("port '%s' is sctp", name); 5152 else 5153 /* override PROTO_UNDEF */ 5154 real_proto = IPPROTO_UDP; 5155 } 5156 if (proto == Q_TCP) { 5157 if (real_proto == IPPROTO_UDP) 5158 bpf_error("port '%s' is udp", name); 5159 5160 else if (real_proto == IPPROTO_SCTP) 5161 bpf_error("port '%s' is sctp", name); 5162 else 5163 /* override PROTO_UNDEF */ 5164 real_proto = IPPROTO_TCP; 5165 } 5166 if (proto == Q_SCTP) { 5167 if (real_proto == IPPROTO_UDP) 5168 bpf_error("port '%s' is udp", name); 5169 5170 else if (real_proto == IPPROTO_TCP) 5171 bpf_error("port '%s' is tcp", name); 5172 else 5173 /* override PROTO_UNDEF */ 5174 real_proto = IPPROTO_SCTP; 5175 } 5176 #ifndef INET6 5177 return gen_port(port, real_proto, dir); 5178 #else 5179 b = gen_port(port, real_proto, dir); 5180 gen_or(gen_port6(port, real_proto, dir), b); 5181 return b; 5182 #endif /* INET6 */ 5183 5184 case Q_PORTRANGE: 5185 if (proto != Q_DEFAULT && 5186 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 5187 bpf_error("illegal qualifier of 'portrange'"); 5188 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 5189 bpf_error("unknown port in range '%s'", name); 5190 if (proto == Q_UDP) { 5191 if (real_proto == IPPROTO_TCP) 5192 bpf_error("port in range '%s' is tcp", name); 5193 else if (real_proto == IPPROTO_SCTP) 5194 bpf_error("port in range '%s' is sctp", name); 5195 else 5196 /* override PROTO_UNDEF */ 5197 real_proto = IPPROTO_UDP; 5198 } 5199 if (proto == Q_TCP) { 5200 if (real_proto == IPPROTO_UDP) 5201 bpf_error("port in range '%s' is udp", name); 5202 else if (real_proto == IPPROTO_SCTP) 5203 bpf_error("port in range '%s' is sctp", name); 5204 else 5205 /* override PROTO_UNDEF */ 5206 real_proto = IPPROTO_TCP; 5207 } 5208 if (proto == Q_SCTP) { 5209 if (real_proto == IPPROTO_UDP) 5210 bpf_error("port in range '%s' is udp", name); 5211 else if (real_proto == IPPROTO_TCP) 5212 bpf_error("port in range '%s' is tcp", name); 5213 else 5214 /* override PROTO_UNDEF */ 5215 real_proto = IPPROTO_SCTP; 5216 } 5217 #ifndef INET6 5218 return gen_portrange(port1, port2, real_proto, dir); 5219 #else 5220 b = gen_portrange(port1, port2, real_proto, dir); 5221 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 5222 return b; 5223 #endif /* INET6 */ 5224 5225 case Q_GATEWAY: 5226 #ifndef INET6 5227 eaddr = pcap_ether_hostton(name); 5228 if (eaddr == NULL) 5229 bpf_error("unknown ether host: %s", name); 5230 5231 alist = pcap_nametoaddr(name); 5232 if (alist == NULL || *alist == NULL) 5233 bpf_error("unknown host '%s'", name); 5234 b = gen_gateway(eaddr, alist, proto, dir); 5235 free(eaddr); 5236 return b; 5237 #else 5238 bpf_error("'gateway' not supported in this configuration"); 5239 #endif /*INET6*/ 5240 5241 case Q_PROTO: 5242 real_proto = lookup_proto(name, proto); 5243 if (real_proto >= 0) 5244 return gen_proto(real_proto, proto, dir); 5245 else 5246 bpf_error("unknown protocol: %s", name); 5247 5248 case Q_PROTOCHAIN: 5249 real_proto = lookup_proto(name, proto); 5250 if (real_proto >= 0) 5251 return gen_protochain(real_proto, proto, dir); 5252 else 5253 bpf_error("unknown protocol: %s", name); 5254 5255 5256 case Q_UNDEF: 5257 syntax(); 5258 /* NOTREACHED */ 5259 } 5260 abort(); 5261 /* NOTREACHED */ 5262 } 5263 5264 struct block * 5265 gen_mcode(s1, s2, masklen, q) 5266 register const char *s1, *s2; 5267 register int masklen; 5268 struct qual q; 5269 { 5270 register int nlen, mlen; 5271 bpf_u_int32 n, m; 5272 5273 nlen = __pcap_atoin(s1, &n); 5274 /* Promote short ipaddr */ 5275 n <<= 32 - nlen; 5276 5277 if (s2 != NULL) { 5278 mlen = __pcap_atoin(s2, &m); 5279 /* Promote short ipaddr */ 5280 m <<= 32 - mlen; 5281 if ((n & ~m) != 0) 5282 bpf_error("non-network bits set in \"%s mask %s\"", 5283 s1, s2); 5284 } else { 5285 /* Convert mask len to mask */ 5286 if (masklen > 32) 5287 bpf_error("mask length must be <= 32"); 5288 if (masklen == 0) { 5289 /* 5290 * X << 32 is not guaranteed by C to be 0; it's 5291 * undefined. 5292 */ 5293 m = 0; 5294 } else 5295 m = 0xffffffff << (32 - masklen); 5296 if ((n & ~m) != 0) 5297 bpf_error("non-network bits set in \"%s/%d\"", 5298 s1, masklen); 5299 } 5300 5301 switch (q.addr) { 5302 5303 case Q_NET: 5304 return gen_host(n, m, q.proto, q.dir, q.addr); 5305 5306 default: 5307 bpf_error("Mask syntax for networks only"); 5308 /* NOTREACHED */ 5309 } 5310 /* NOTREACHED */ 5311 return NULL; 5312 } 5313 5314 struct block * 5315 gen_ncode(s, v, q) 5316 register const char *s; 5317 bpf_u_int32 v; 5318 struct qual q; 5319 { 5320 bpf_u_int32 mask; 5321 int proto = q.proto; 5322 int dir = q.dir; 5323 register int vlen; 5324 5325 if (s == NULL) 5326 vlen = 32; 5327 else if (q.proto == Q_DECNET) 5328 vlen = __pcap_atodn(s, &v); 5329 else 5330 vlen = __pcap_atoin(s, &v); 5331 5332 switch (q.addr) { 5333 5334 case Q_DEFAULT: 5335 case Q_HOST: 5336 case Q_NET: 5337 if (proto == Q_DECNET) 5338 return gen_host(v, 0, proto, dir, q.addr); 5339 else if (proto == Q_LINK) { 5340 bpf_error("illegal link layer address"); 5341 } else { 5342 mask = 0xffffffff; 5343 if (s == NULL && q.addr == Q_NET) { 5344 /* Promote short net number */ 5345 while (v && (v & 0xff000000) == 0) { 5346 v <<= 8; 5347 mask <<= 8; 5348 } 5349 } else { 5350 /* Promote short ipaddr */ 5351 v <<= 32 - vlen; 5352 mask <<= 32 - vlen; 5353 } 5354 return gen_host(v, mask, proto, dir, q.addr); 5355 } 5356 5357 case Q_PORT: 5358 if (proto == Q_UDP) 5359 proto = IPPROTO_UDP; 5360 else if (proto == Q_TCP) 5361 proto = IPPROTO_TCP; 5362 else if (proto == Q_SCTP) 5363 proto = IPPROTO_SCTP; 5364 else if (proto == Q_DEFAULT) 5365 proto = PROTO_UNDEF; 5366 else 5367 bpf_error("illegal qualifier of 'port'"); 5368 5369 #ifndef INET6 5370 return gen_port((int)v, proto, dir); 5371 #else 5372 { 5373 struct block *b; 5374 b = gen_port((int)v, proto, dir); 5375 gen_or(gen_port6((int)v, proto, dir), b); 5376 return b; 5377 } 5378 #endif /* INET6 */ 5379 5380 case Q_PORTRANGE: 5381 if (proto == Q_UDP) 5382 proto = IPPROTO_UDP; 5383 else if (proto == Q_TCP) 5384 proto = IPPROTO_TCP; 5385 else if (proto == Q_SCTP) 5386 proto = IPPROTO_SCTP; 5387 else if (proto == Q_DEFAULT) 5388 proto = PROTO_UNDEF; 5389 else 5390 bpf_error("illegal qualifier of 'portrange'"); 5391 5392 #ifndef INET6 5393 return gen_portrange((int)v, (int)v, proto, dir); 5394 #else 5395 { 5396 struct block *b; 5397 b = gen_portrange((int)v, (int)v, proto, dir); 5398 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 5399 return b; 5400 } 5401 #endif /* INET6 */ 5402 5403 case Q_GATEWAY: 5404 bpf_error("'gateway' requires a name"); 5405 /* NOTREACHED */ 5406 5407 case Q_PROTO: 5408 return gen_proto((int)v, proto, dir); 5409 5410 case Q_PROTOCHAIN: 5411 return gen_protochain((int)v, proto, dir); 5412 5413 case Q_UNDEF: 5414 syntax(); 5415 /* NOTREACHED */ 5416 5417 default: 5418 abort(); 5419 /* NOTREACHED */ 5420 } 5421 /* NOTREACHED */ 5422 } 5423 5424 #ifdef INET6 5425 struct block * 5426 gen_mcode6(s1, s2, masklen, q) 5427 register const char *s1, *s2; 5428 register int masklen; 5429 struct qual q; 5430 { 5431 struct addrinfo *res; 5432 struct in6_addr *addr; 5433 struct in6_addr mask; 5434 struct block *b; 5435 u_int32_t *a, *m; 5436 5437 if (s2) 5438 bpf_error("no mask %s supported", s2); 5439 5440 res = pcap_nametoaddrinfo(s1); 5441 if (!res) 5442 bpf_error("invalid ip6 address %s", s1); 5443 if (res->ai_next) 5444 bpf_error("%s resolved to multiple address", s1); 5445 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 5446 5447 if (sizeof(mask) * 8 < masklen) 5448 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 5449 memset(&mask, 0, sizeof(mask)); 5450 memset(&mask, 0xff, masklen / 8); 5451 if (masklen % 8) { 5452 mask.s6_addr[masklen / 8] = 5453 (0xff << (8 - masklen % 8)) & 0xff; 5454 } 5455 5456 a = (u_int32_t *)addr; 5457 m = (u_int32_t *)&mask; 5458 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 5459 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 5460 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 5461 } 5462 5463 switch (q.addr) { 5464 5465 case Q_DEFAULT: 5466 case Q_HOST: 5467 if (masklen != 128) 5468 bpf_error("Mask syntax for networks only"); 5469 /* FALLTHROUGH */ 5470 5471 case Q_NET: 5472 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 5473 freeaddrinfo(res); 5474 return b; 5475 5476 default: 5477 bpf_error("invalid qualifier against IPv6 address"); 5478 /* NOTREACHED */ 5479 } 5480 return NULL; 5481 } 5482 #endif /*INET6*/ 5483 5484 struct block * 5485 gen_ecode(eaddr, q) 5486 register const u_char *eaddr; 5487 struct qual q; 5488 { 5489 struct block *b, *tmp; 5490 5491 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 5492 switch (linktype) { 5493 case DLT_EN10MB: 5494 return gen_ehostop(eaddr, (int)q.dir); 5495 case DLT_FDDI: 5496 return gen_fhostop(eaddr, (int)q.dir); 5497 case DLT_IEEE802: 5498 return gen_thostop(eaddr, (int)q.dir); 5499 case DLT_IEEE802_11: 5500 case DLT_IEEE802_11_RADIO_AVS: 5501 case DLT_IEEE802_11_RADIO: 5502 case DLT_PRISM_HEADER: 5503 case DLT_PPI: 5504 return gen_wlanhostop(eaddr, (int)q.dir); 5505 case DLT_SUNATM: 5506 if (is_lane) { 5507 /* 5508 * Check that the packet doesn't begin with an 5509 * LE Control marker. (We've already generated 5510 * a test for LANE.) 5511 */ 5512 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 5513 0xFF00); 5514 gen_not(tmp); 5515 5516 /* 5517 * Now check the MAC address. 5518 */ 5519 b = gen_ehostop(eaddr, (int)q.dir); 5520 gen_and(tmp, b); 5521 return b; 5522 } 5523 break; 5524 case DLT_IP_OVER_FC: 5525 return gen_ipfchostop(eaddr, (int)q.dir); 5526 default: 5527 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5528 break; 5529 } 5530 } 5531 bpf_error("ethernet address used in non-ether expression"); 5532 /* NOTREACHED */ 5533 return NULL; 5534 } 5535 5536 void 5537 sappend(s0, s1) 5538 struct slist *s0, *s1; 5539 { 5540 /* 5541 * This is definitely not the best way to do this, but the 5542 * lists will rarely get long. 5543 */ 5544 while (s0->next) 5545 s0 = s0->next; 5546 s0->next = s1; 5547 } 5548 5549 static struct slist * 5550 xfer_to_x(a) 5551 struct arth *a; 5552 { 5553 struct slist *s; 5554 5555 s = new_stmt(BPF_LDX|BPF_MEM); 5556 s->s.k = a->regno; 5557 return s; 5558 } 5559 5560 static struct slist * 5561 xfer_to_a(a) 5562 struct arth *a; 5563 { 5564 struct slist *s; 5565 5566 s = new_stmt(BPF_LD|BPF_MEM); 5567 s->s.k = a->regno; 5568 return s; 5569 } 5570 5571 /* 5572 * Modify "index" to use the value stored into its register as an 5573 * offset relative to the beginning of the header for the protocol 5574 * "proto", and allocate a register and put an item "size" bytes long 5575 * (1, 2, or 4) at that offset into that register, making it the register 5576 * for "index". 5577 */ 5578 struct arth * 5579 gen_load(proto, inst, size) 5580 int proto; 5581 struct arth *inst; 5582 int size; 5583 { 5584 struct slist *s, *tmp; 5585 struct block *b; 5586 int regno = alloc_reg(); 5587 5588 free_reg(inst->regno); 5589 switch (size) { 5590 5591 default: 5592 bpf_error("data size must be 1, 2, or 4"); 5593 5594 case 1: 5595 size = BPF_B; 5596 break; 5597 5598 case 2: 5599 size = BPF_H; 5600 break; 5601 5602 case 4: 5603 size = BPF_W; 5604 break; 5605 } 5606 switch (proto) { 5607 default: 5608 bpf_error("unsupported index operation"); 5609 5610 case Q_RADIO: 5611 /* 5612 * The offset is relative to the beginning of the packet 5613 * data, if we have a radio header. (If we don't, this 5614 * is an error.) 5615 */ 5616 if (linktype != DLT_IEEE802_11_RADIO_AVS && 5617 linktype != DLT_IEEE802_11_RADIO && 5618 linktype != DLT_PRISM_HEADER) 5619 bpf_error("radio information not present in capture"); 5620 5621 /* 5622 * Load into the X register the offset computed into the 5623 * register specifed by "index". 5624 */ 5625 s = xfer_to_x(inst); 5626 5627 /* 5628 * Load the item at that offset. 5629 */ 5630 tmp = new_stmt(BPF_LD|BPF_IND|size); 5631 sappend(s, tmp); 5632 sappend(inst->s, s); 5633 break; 5634 5635 case Q_LINK: 5636 /* 5637 * The offset is relative to the beginning of 5638 * the link-layer header. 5639 * 5640 * XXX - what about ATM LANE? Should the index be 5641 * relative to the beginning of the AAL5 frame, so 5642 * that 0 refers to the beginning of the LE Control 5643 * field, or relative to the beginning of the LAN 5644 * frame, so that 0 refers, for Ethernet LANE, to 5645 * the beginning of the destination address? 5646 */ 5647 s = gen_llprefixlen(); 5648 5649 /* 5650 * If "s" is non-null, it has code to arrange that the 5651 * X register contains the length of the prefix preceding 5652 * the link-layer header. Add to it the offset computed 5653 * into the register specified by "index", and move that 5654 * into the X register. Otherwise, just load into the X 5655 * register the offset computed into the register specifed 5656 * by "index". 5657 */ 5658 if (s != NULL) { 5659 sappend(s, xfer_to_a(inst)); 5660 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5661 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5662 } else 5663 s = xfer_to_x(inst); 5664 5665 /* 5666 * Load the item at the sum of the offset we've put in the 5667 * X register and the offset of the start of the link 5668 * layer header (which is 0 if the radio header is 5669 * variable-length; that header length is what we put 5670 * into the X register and then added to the index). 5671 */ 5672 tmp = new_stmt(BPF_LD|BPF_IND|size); 5673 tmp->s.k = off_ll; 5674 sappend(s, tmp); 5675 sappend(inst->s, s); 5676 break; 5677 5678 case Q_IP: 5679 case Q_ARP: 5680 case Q_RARP: 5681 case Q_ATALK: 5682 case Q_DECNET: 5683 case Q_SCA: 5684 case Q_LAT: 5685 case Q_MOPRC: 5686 case Q_MOPDL: 5687 #ifdef INET6 5688 case Q_IPV6: 5689 #endif 5690 /* 5691 * The offset is relative to the beginning of 5692 * the network-layer header. 5693 * XXX - are there any cases where we want 5694 * off_nl_nosnap? 5695 */ 5696 s = gen_llprefixlen(); 5697 5698 /* 5699 * If "s" is non-null, it has code to arrange that the 5700 * X register contains the length of the prefix preceding 5701 * the link-layer header. Add to it the offset computed 5702 * into the register specified by "index", and move that 5703 * into the X register. Otherwise, just load into the X 5704 * register the offset computed into the register specifed 5705 * by "index". 5706 */ 5707 if (s != NULL) { 5708 sappend(s, xfer_to_a(inst)); 5709 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5710 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5711 } else 5712 s = xfer_to_x(inst); 5713 5714 /* 5715 * Load the item at the sum of the offset we've put in the 5716 * X register, the offset of the start of the network 5717 * layer header, and the offset of the start of the link 5718 * layer header (which is 0 if the radio header is 5719 * variable-length; that header length is what we put 5720 * into the X register and then added to the index). 5721 */ 5722 tmp = new_stmt(BPF_LD|BPF_IND|size); 5723 tmp->s.k = off_ll + off_nl; 5724 sappend(s, tmp); 5725 sappend(inst->s, s); 5726 5727 /* 5728 * Do the computation only if the packet contains 5729 * the protocol in question. 5730 */ 5731 b = gen_proto_abbrev(proto); 5732 if (inst->b) 5733 gen_and(inst->b, b); 5734 inst->b = b; 5735 break; 5736 5737 case Q_SCTP: 5738 case Q_TCP: 5739 case Q_UDP: 5740 case Q_ICMP: 5741 case Q_IGMP: 5742 case Q_IGRP: 5743 case Q_PIM: 5744 case Q_VRRP: 5745 /* 5746 * The offset is relative to the beginning of 5747 * the transport-layer header. 5748 * 5749 * Load the X register with the length of the IPv4 header 5750 * (plus the offset of the link-layer header, if it's 5751 * a variable-length header), in bytes. 5752 * 5753 * XXX - are there any cases where we want 5754 * off_nl_nosnap? 5755 * XXX - we should, if we're built with 5756 * IPv6 support, generate code to load either 5757 * IPv4, IPv6, or both, as appropriate. 5758 */ 5759 s = gen_loadx_iphdrlen(); 5760 5761 /* 5762 * The X register now contains the sum of the length 5763 * of any variable-length header preceding the link-layer 5764 * header and the length of the network-layer header. 5765 * Load into the A register the offset relative to 5766 * the beginning of the transport layer header, 5767 * add the X register to that, move that to the 5768 * X register, and load with an offset from the 5769 * X register equal to the offset of the network 5770 * layer header relative to the beginning of 5771 * the link-layer header plus the length of any 5772 * fixed-length header preceding the link-layer 5773 * header. 5774 */ 5775 sappend(s, xfer_to_a(inst)); 5776 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5777 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5778 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 5779 tmp->s.k = off_ll + off_nl; 5780 sappend(inst->s, s); 5781 5782 /* 5783 * Do the computation only if the packet contains 5784 * the protocol in question - which is true only 5785 * if this is an IP datagram and is the first or 5786 * only fragment of that datagram. 5787 */ 5788 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 5789 if (inst->b) 5790 gen_and(inst->b, b); 5791 #ifdef INET6 5792 gen_and(gen_proto_abbrev(Q_IP), b); 5793 #endif 5794 inst->b = b; 5795 break; 5796 #ifdef INET6 5797 case Q_ICMPV6: 5798 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 5799 /*NOTREACHED*/ 5800 #endif 5801 } 5802 inst->regno = regno; 5803 s = new_stmt(BPF_ST); 5804 s->s.k = regno; 5805 sappend(inst->s, s); 5806 5807 return inst; 5808 } 5809 5810 struct block * 5811 gen_relation(code, a0, a1, reversed) 5812 int code; 5813 struct arth *a0, *a1; 5814 int reversed; 5815 { 5816 struct slist *s0, *s1, *s2; 5817 struct block *b, *tmp; 5818 5819 s0 = xfer_to_x(a1); 5820 s1 = xfer_to_a(a0); 5821 if (code == BPF_JEQ) { 5822 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 5823 b = new_block(JMP(code)); 5824 sappend(s1, s2); 5825 } 5826 else 5827 b = new_block(BPF_JMP|code|BPF_X); 5828 if (reversed) 5829 gen_not(b); 5830 5831 sappend(s0, s1); 5832 sappend(a1->s, s0); 5833 sappend(a0->s, a1->s); 5834 5835 b->stmts = a0->s; 5836 5837 free_reg(a0->regno); 5838 free_reg(a1->regno); 5839 5840 /* 'and' together protocol checks */ 5841 if (a0->b) { 5842 if (a1->b) { 5843 gen_and(a0->b, tmp = a1->b); 5844 } 5845 else 5846 tmp = a0->b; 5847 } else 5848 tmp = a1->b; 5849 5850 if (tmp) 5851 gen_and(tmp, b); 5852 5853 return b; 5854 } 5855 5856 struct arth * 5857 gen_loadlen() 5858 { 5859 int regno = alloc_reg(); 5860 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 5861 struct slist *s; 5862 5863 s = new_stmt(BPF_LD|BPF_LEN); 5864 s->next = new_stmt(BPF_ST); 5865 s->next->s.k = regno; 5866 a->s = s; 5867 a->regno = regno; 5868 5869 return a; 5870 } 5871 5872 struct arth * 5873 gen_loadi(val) 5874 int val; 5875 { 5876 struct arth *a; 5877 struct slist *s; 5878 int reg; 5879 5880 a = (struct arth *)newchunk(sizeof(*a)); 5881 5882 reg = alloc_reg(); 5883 5884 s = new_stmt(BPF_LD|BPF_IMM); 5885 s->s.k = val; 5886 s->next = new_stmt(BPF_ST); 5887 s->next->s.k = reg; 5888 a->s = s; 5889 a->regno = reg; 5890 5891 return a; 5892 } 5893 5894 struct arth * 5895 gen_neg(a) 5896 struct arth *a; 5897 { 5898 struct slist *s; 5899 5900 s = xfer_to_a(a); 5901 sappend(a->s, s); 5902 s = new_stmt(BPF_ALU|BPF_NEG); 5903 s->s.k = 0; 5904 sappend(a->s, s); 5905 s = new_stmt(BPF_ST); 5906 s->s.k = a->regno; 5907 sappend(a->s, s); 5908 5909 return a; 5910 } 5911 5912 struct arth * 5913 gen_arth(code, a0, a1) 5914 int code; 5915 struct arth *a0, *a1; 5916 { 5917 struct slist *s0, *s1, *s2; 5918 5919 s0 = xfer_to_x(a1); 5920 s1 = xfer_to_a(a0); 5921 s2 = new_stmt(BPF_ALU|BPF_X|code); 5922 5923 sappend(s1, s2); 5924 sappend(s0, s1); 5925 sappend(a1->s, s0); 5926 sappend(a0->s, a1->s); 5927 5928 free_reg(a0->regno); 5929 free_reg(a1->regno); 5930 5931 s0 = new_stmt(BPF_ST); 5932 a0->regno = s0->s.k = alloc_reg(); 5933 sappend(a0->s, s0); 5934 5935 return a0; 5936 } 5937 5938 /* 5939 * Here we handle simple allocation of the scratch registers. 5940 * If too many registers are alloc'd, the allocator punts. 5941 */ 5942 static int regused[BPF_MEMWORDS]; 5943 static int curreg; 5944 5945 /* 5946 * Return the next free register. 5947 */ 5948 static int 5949 alloc_reg() 5950 { 5951 int n = BPF_MEMWORDS; 5952 5953 while (--n >= 0) { 5954 if (regused[curreg]) 5955 curreg = (curreg + 1) % BPF_MEMWORDS; 5956 else { 5957 regused[curreg] = 1; 5958 return curreg; 5959 } 5960 } 5961 bpf_error("too many registers needed to evaluate expression"); 5962 /* NOTREACHED */ 5963 return 0; 5964 } 5965 5966 /* 5967 * Return a register to the table so it can 5968 * be used later. 5969 */ 5970 static void 5971 free_reg(n) 5972 int n; 5973 { 5974 regused[n] = 0; 5975 } 5976 5977 static struct block * 5978 gen_len(jmp, n) 5979 int jmp, n; 5980 { 5981 struct slist *s; 5982 struct block *b; 5983 5984 s = new_stmt(BPF_LD|BPF_LEN); 5985 b = new_block(JMP(jmp)); 5986 b->stmts = s; 5987 b->s.k = n; 5988 5989 return b; 5990 } 5991 5992 struct block * 5993 gen_greater(n) 5994 int n; 5995 { 5996 return gen_len(BPF_JGE, n); 5997 } 5998 5999 /* 6000 * Actually, this is less than or equal. 6001 */ 6002 struct block * 6003 gen_less(n) 6004 int n; 6005 { 6006 struct block *b; 6007 6008 b = gen_len(BPF_JGT, n); 6009 gen_not(b); 6010 6011 return b; 6012 } 6013 6014 /* 6015 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 6016 * the beginning of the link-layer header. 6017 * XXX - that means you can't test values in the radiotap header, but 6018 * as that header is difficult if not impossible to parse generally 6019 * without a loop, that might not be a severe problem. A new keyword 6020 * "radio" could be added for that, although what you'd really want 6021 * would be a way of testing particular radio header values, which 6022 * would generate code appropriate to the radio header in question. 6023 */ 6024 struct block * 6025 gen_byteop(op, idx, val) 6026 int op, idx, val; 6027 { 6028 struct block *b; 6029 struct slist *s; 6030 6031 switch (op) { 6032 default: 6033 abort(); 6034 6035 case '=': 6036 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6037 6038 case '<': 6039 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6040 return b; 6041 6042 case '>': 6043 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6044 return b; 6045 6046 case '|': 6047 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 6048 break; 6049 6050 case '&': 6051 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 6052 break; 6053 } 6054 s->s.k = val; 6055 b = new_block(JMP(BPF_JEQ)); 6056 b->stmts = s; 6057 gen_not(b); 6058 6059 return b; 6060 } 6061 6062 static u_char abroadcast[] = { 0x0 }; 6063 6064 struct block * 6065 gen_broadcast(proto) 6066 int proto; 6067 { 6068 bpf_u_int32 hostmask; 6069 struct block *b0, *b1, *b2; 6070 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 6071 6072 switch (proto) { 6073 6074 case Q_DEFAULT: 6075 case Q_LINK: 6076 switch (linktype) { 6077 case DLT_ARCNET: 6078 case DLT_ARCNET_LINUX: 6079 return gen_ahostop(abroadcast, Q_DST); 6080 case DLT_EN10MB: 6081 return gen_ehostop(ebroadcast, Q_DST); 6082 case DLT_FDDI: 6083 return gen_fhostop(ebroadcast, Q_DST); 6084 case DLT_IEEE802: 6085 return gen_thostop(ebroadcast, Q_DST); 6086 case DLT_IEEE802_11: 6087 case DLT_IEEE802_11_RADIO_AVS: 6088 case DLT_IEEE802_11_RADIO: 6089 case DLT_PPI: 6090 case DLT_PRISM_HEADER: 6091 return gen_wlanhostop(ebroadcast, Q_DST); 6092 case DLT_IP_OVER_FC: 6093 return gen_ipfchostop(ebroadcast, Q_DST); 6094 case DLT_SUNATM: 6095 if (is_lane) { 6096 /* 6097 * Check that the packet doesn't begin with an 6098 * LE Control marker. (We've already generated 6099 * a test for LANE.) 6100 */ 6101 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6102 0xFF00); 6103 gen_not(b1); 6104 6105 /* 6106 * Now check the MAC address. 6107 */ 6108 b0 = gen_ehostop(ebroadcast, Q_DST); 6109 gen_and(b1, b0); 6110 return b0; 6111 } 6112 break; 6113 default: 6114 bpf_error("not a broadcast link"); 6115 } 6116 break; 6117 6118 case Q_IP: 6119 b0 = gen_linktype(ETHERTYPE_IP); 6120 hostmask = ~netmask; 6121 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 6122 b2 = gen_mcmp(OR_NET, 16, BPF_W, 6123 (bpf_int32)(~0 & hostmask), hostmask); 6124 gen_or(b1, b2); 6125 gen_and(b0, b2); 6126 return b2; 6127 } 6128 bpf_error("only link-layer/IP broadcast filters supported"); 6129 /* NOTREACHED */ 6130 return NULL; 6131 } 6132 6133 /* 6134 * Generate code to test the low-order bit of a MAC address (that's 6135 * the bottom bit of the *first* byte). 6136 */ 6137 static struct block * 6138 gen_mac_multicast(offset) 6139 int offset; 6140 { 6141 register struct block *b0; 6142 register struct slist *s; 6143 6144 /* link[offset] & 1 != 0 */ 6145 s = gen_load_a(OR_LINK, offset, BPF_B); 6146 b0 = new_block(JMP(BPF_JSET)); 6147 b0->s.k = 1; 6148 b0->stmts = s; 6149 return b0; 6150 } 6151 6152 struct block * 6153 gen_multicast(proto) 6154 int proto; 6155 { 6156 register struct block *b0, *b1, *b2; 6157 register struct slist *s; 6158 6159 switch (proto) { 6160 6161 case Q_DEFAULT: 6162 case Q_LINK: 6163 switch (linktype) { 6164 case DLT_ARCNET: 6165 case DLT_ARCNET_LINUX: 6166 /* all ARCnet multicasts use the same address */ 6167 return gen_ahostop(abroadcast, Q_DST); 6168 case DLT_EN10MB: 6169 /* ether[0] & 1 != 0 */ 6170 return gen_mac_multicast(0); 6171 case DLT_FDDI: 6172 /* 6173 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 6174 * 6175 * XXX - was that referring to bit-order issues? 6176 */ 6177 /* fddi[1] & 1 != 0 */ 6178 return gen_mac_multicast(1); 6179 case DLT_IEEE802: 6180 /* tr[2] & 1 != 0 */ 6181 return gen_mac_multicast(2); 6182 case DLT_IEEE802_11: 6183 case DLT_IEEE802_11_RADIO_AVS: 6184 case DLT_PPI: 6185 case DLT_IEEE802_11_RADIO: 6186 case DLT_PRISM_HEADER: 6187 /* 6188 * Oh, yuk. 6189 * 6190 * For control frames, there is no DA. 6191 * 6192 * For management frames, DA is at an 6193 * offset of 4 from the beginning of 6194 * the packet. 6195 * 6196 * For data frames, DA is at an offset 6197 * of 4 from the beginning of the packet 6198 * if To DS is clear and at an offset of 6199 * 16 from the beginning of the packet 6200 * if To DS is set. 6201 */ 6202 6203 /* 6204 * Generate the tests to be done for data frames. 6205 * 6206 * First, check for To DS set, i.e. "link[1] & 0x01". 6207 */ 6208 s = gen_load_a(OR_LINK, 1, BPF_B); 6209 b1 = new_block(JMP(BPF_JSET)); 6210 b1->s.k = 0x01; /* To DS */ 6211 b1->stmts = s; 6212 6213 /* 6214 * If To DS is set, the DA is at 16. 6215 */ 6216 b0 = gen_mac_multicast(16); 6217 gen_and(b1, b0); 6218 6219 /* 6220 * Now, check for To DS not set, i.e. check 6221 * "!(link[1] & 0x01)". 6222 */ 6223 s = gen_load_a(OR_LINK, 1, BPF_B); 6224 b2 = new_block(JMP(BPF_JSET)); 6225 b2->s.k = 0x01; /* To DS */ 6226 b2->stmts = s; 6227 gen_not(b2); 6228 6229 /* 6230 * If To DS is not set, the DA is at 4. 6231 */ 6232 b1 = gen_mac_multicast(4); 6233 gen_and(b2, b1); 6234 6235 /* 6236 * Now OR together the last two checks. That gives 6237 * the complete set of checks for data frames. 6238 */ 6239 gen_or(b1, b0); 6240 6241 /* 6242 * Now check for a data frame. 6243 * I.e, check "link[0] & 0x08". 6244 */ 6245 s = gen_load_a(OR_LINK, 0, BPF_B); 6246 b1 = new_block(JMP(BPF_JSET)); 6247 b1->s.k = 0x08; 6248 b1->stmts = s; 6249 6250 /* 6251 * AND that with the checks done for data frames. 6252 */ 6253 gen_and(b1, b0); 6254 6255 /* 6256 * If the high-order bit of the type value is 0, this 6257 * is a management frame. 6258 * I.e, check "!(link[0] & 0x08)". 6259 */ 6260 s = gen_load_a(OR_LINK, 0, BPF_B); 6261 b2 = new_block(JMP(BPF_JSET)); 6262 b2->s.k = 0x08; 6263 b2->stmts = s; 6264 gen_not(b2); 6265 6266 /* 6267 * For management frames, the DA is at 4. 6268 */ 6269 b1 = gen_mac_multicast(4); 6270 gen_and(b2, b1); 6271 6272 /* 6273 * OR that with the checks done for data frames. 6274 * That gives the checks done for management and 6275 * data frames. 6276 */ 6277 gen_or(b1, b0); 6278 6279 /* 6280 * If the low-order bit of the type value is 1, 6281 * this is either a control frame or a frame 6282 * with a reserved type, and thus not a 6283 * frame with an SA. 6284 * 6285 * I.e., check "!(link[0] & 0x04)". 6286 */ 6287 s = gen_load_a(OR_LINK, 0, BPF_B); 6288 b1 = new_block(JMP(BPF_JSET)); 6289 b1->s.k = 0x04; 6290 b1->stmts = s; 6291 gen_not(b1); 6292 6293 /* 6294 * AND that with the checks for data and management 6295 * frames. 6296 */ 6297 gen_and(b1, b0); 6298 return b0; 6299 case DLT_IP_OVER_FC: 6300 b0 = gen_mac_multicast(2); 6301 return b0; 6302 case DLT_SUNATM: 6303 if (is_lane) { 6304 /* 6305 * Check that the packet doesn't begin with an 6306 * LE Control marker. (We've already generated 6307 * a test for LANE.) 6308 */ 6309 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6310 0xFF00); 6311 gen_not(b1); 6312 6313 /* ether[off_mac] & 1 != 0 */ 6314 b0 = gen_mac_multicast(off_mac); 6315 gen_and(b1, b0); 6316 return b0; 6317 } 6318 break; 6319 default: 6320 break; 6321 } 6322 /* Link not known to support multicasts */ 6323 break; 6324 6325 case Q_IP: 6326 b0 = gen_linktype(ETHERTYPE_IP); 6327 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 6328 gen_and(b0, b1); 6329 return b1; 6330 6331 #ifdef INET6 6332 case Q_IPV6: 6333 b0 = gen_linktype(ETHERTYPE_IPV6); 6334 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 6335 gen_and(b0, b1); 6336 return b1; 6337 #endif /* INET6 */ 6338 } 6339 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 6340 /* NOTREACHED */ 6341 return NULL; 6342 } 6343 6344 /* 6345 * generate command for inbound/outbound. It's here so we can 6346 * make it link-type specific. 'dir' = 0 implies "inbound", 6347 * = 1 implies "outbound". 6348 */ 6349 struct block * 6350 gen_inbound(dir) 6351 int dir; 6352 { 6353 register struct block *b0; 6354 6355 /* 6356 * Only some data link types support inbound/outbound qualifiers. 6357 */ 6358 switch (linktype) { 6359 case DLT_SLIP: 6360 b0 = gen_relation(BPF_JEQ, 6361 gen_load(Q_LINK, gen_loadi(0), 1), 6362 gen_loadi(0), 6363 dir); 6364 break; 6365 6366 case DLT_LINUX_SLL: 6367 if (dir) { 6368 /* 6369 * Match packets sent by this machine. 6370 */ 6371 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 6372 } else { 6373 /* 6374 * Match packets sent to this machine. 6375 * (No broadcast or multicast packets, or 6376 * packets sent to some other machine and 6377 * received promiscuously.) 6378 * 6379 * XXX - packets sent to other machines probably 6380 * shouldn't be matched, but what about broadcast 6381 * or multicast packets we received? 6382 */ 6383 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 6384 } 6385 break; 6386 6387 #ifdef HAVE_NET_PFVAR_H 6388 case DLT_PFLOG: 6389 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 6390 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 6391 break; 6392 #endif 6393 6394 case DLT_PPP_PPPD: 6395 if (dir) { 6396 /* match outgoing packets */ 6397 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 6398 } else { 6399 /* match incoming packets */ 6400 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 6401 } 6402 break; 6403 6404 case DLT_JUNIPER_MFR: 6405 case DLT_JUNIPER_MLFR: 6406 case DLT_JUNIPER_MLPPP: 6407 case DLT_JUNIPER_ATM1: 6408 case DLT_JUNIPER_ATM2: 6409 case DLT_JUNIPER_PPPOE: 6410 case DLT_JUNIPER_PPPOE_ATM: 6411 case DLT_JUNIPER_GGSN: 6412 case DLT_JUNIPER_ES: 6413 case DLT_JUNIPER_MONITOR: 6414 case DLT_JUNIPER_SERVICES: 6415 case DLT_JUNIPER_ETHER: 6416 case DLT_JUNIPER_PPP: 6417 case DLT_JUNIPER_FRELAY: 6418 case DLT_JUNIPER_CHDLC: 6419 case DLT_JUNIPER_VP: 6420 /* juniper flags (including direction) are stored 6421 * the byte after the 3-byte magic number */ 6422 if (dir) { 6423 /* match outgoing packets */ 6424 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 6425 } else { 6426 /* match incoming packets */ 6427 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 6428 } 6429 break; 6430 6431 default: 6432 bpf_error("inbound/outbound not supported on linktype %d", 6433 linktype); 6434 b0 = NULL; 6435 /* NOTREACHED */ 6436 } 6437 return (b0); 6438 } 6439 6440 #ifdef HAVE_NET_PFVAR_H 6441 /* PF firewall log matched interface */ 6442 struct block * 6443 gen_pf_ifname(const char *ifname) 6444 { 6445 struct block *b0; 6446 u_int len, off; 6447 6448 if (linktype == DLT_PFLOG) { 6449 len = sizeof(((struct pfloghdr *)0)->ifname); 6450 off = offsetof(struct pfloghdr, ifname); 6451 } else { 6452 bpf_error("ifname not supported on linktype 0x%x", linktype); 6453 /* NOTREACHED */ 6454 } 6455 if (strlen(ifname) >= len) { 6456 bpf_error("ifname interface names can only be %d characters", 6457 len-1); 6458 /* NOTREACHED */ 6459 } 6460 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 6461 return (b0); 6462 } 6463 6464 /* PF firewall log ruleset name */ 6465 struct block * 6466 gen_pf_ruleset(char *ruleset) 6467 { 6468 struct block *b0; 6469 6470 if (linktype != DLT_PFLOG) { 6471 bpf_error("ruleset not supported on linktype 0x%x", linktype); 6472 /* NOTREACHED */ 6473 } 6474 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 6475 bpf_error("ruleset names can only be %ld characters", 6476 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 6477 /* NOTREACHED */ 6478 } 6479 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 6480 strlen(ruleset), (const u_char *)ruleset); 6481 return (b0); 6482 } 6483 6484 /* PF firewall log rule number */ 6485 struct block * 6486 gen_pf_rnr(int rnr) 6487 { 6488 struct block *b0; 6489 6490 if (linktype == DLT_PFLOG) { 6491 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 6492 (bpf_int32)rnr); 6493 } else { 6494 bpf_error("rnr not supported on linktype 0x%x", linktype); 6495 /* NOTREACHED */ 6496 } 6497 6498 return (b0); 6499 } 6500 6501 /* PF firewall log sub-rule number */ 6502 struct block * 6503 gen_pf_srnr(int srnr) 6504 { 6505 struct block *b0; 6506 6507 if (linktype != DLT_PFLOG) { 6508 bpf_error("srnr not supported on linktype 0x%x", linktype); 6509 /* NOTREACHED */ 6510 } 6511 6512 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 6513 (bpf_int32)srnr); 6514 return (b0); 6515 } 6516 6517 /* PF firewall log reason code */ 6518 struct block * 6519 gen_pf_reason(int reason) 6520 { 6521 struct block *b0; 6522 6523 if (linktype == DLT_PFLOG) { 6524 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 6525 (bpf_int32)reason); 6526 } else { 6527 bpf_error("reason not supported on linktype 0x%x", linktype); 6528 /* NOTREACHED */ 6529 } 6530 6531 return (b0); 6532 } 6533 6534 /* PF firewall log action */ 6535 struct block * 6536 gen_pf_action(int action) 6537 { 6538 struct block *b0; 6539 6540 if (linktype == DLT_PFLOG) { 6541 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 6542 (bpf_int32)action); 6543 } else { 6544 bpf_error("action not supported on linktype 0x%x", linktype); 6545 /* NOTREACHED */ 6546 } 6547 6548 return (b0); 6549 } 6550 #else /* !HAVE_NET_PFVAR_H */ 6551 struct block * 6552 gen_pf_ifname(const char *ifname) 6553 { 6554 bpf_error("libpcap was compiled without pf support"); 6555 /* NOTREACHED */ 6556 return (NULL); 6557 } 6558 6559 struct block * 6560 gen_pf_ruleset(char *ruleset) 6561 { 6562 bpf_error("libpcap was compiled on a machine without pf support"); 6563 /* NOTREACHED */ 6564 return (NULL); 6565 } 6566 6567 struct block * 6568 gen_pf_rnr(int rnr) 6569 { 6570 bpf_error("libpcap was compiled on a machine without pf support"); 6571 /* NOTREACHED */ 6572 return (NULL); 6573 } 6574 6575 struct block * 6576 gen_pf_srnr(int srnr) 6577 { 6578 bpf_error("libpcap was compiled on a machine without pf support"); 6579 /* NOTREACHED */ 6580 return (NULL); 6581 } 6582 6583 struct block * 6584 gen_pf_reason(int reason) 6585 { 6586 bpf_error("libpcap was compiled on a machine without pf support"); 6587 /* NOTREACHED */ 6588 return (NULL); 6589 } 6590 6591 struct block * 6592 gen_pf_action(int action) 6593 { 6594 bpf_error("libpcap was compiled on a machine without pf support"); 6595 /* NOTREACHED */ 6596 return (NULL); 6597 } 6598 #endif /* HAVE_NET_PFVAR_H */ 6599 6600 struct block * 6601 gen_acode(eaddr, q) 6602 register const u_char *eaddr; 6603 struct qual q; 6604 { 6605 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6606 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX) 6607 return gen_ahostop(eaddr, (int)q.dir); 6608 } 6609 bpf_error("ARCnet address used in non-arc expression"); 6610 /* NOTREACHED */ 6611 return NULL; 6612 } 6613 6614 static struct block * 6615 gen_ahostop(eaddr, dir) 6616 register const u_char *eaddr; 6617 register int dir; 6618 { 6619 register struct block *b0, *b1; 6620 6621 switch (dir) { 6622 /* src comes first, different from Ethernet */ 6623 case Q_SRC: 6624 return gen_bcmp(OR_LINK, 0, 1, eaddr); 6625 6626 case Q_DST: 6627 return gen_bcmp(OR_LINK, 1, 1, eaddr); 6628 6629 case Q_AND: 6630 b0 = gen_ahostop(eaddr, Q_SRC); 6631 b1 = gen_ahostop(eaddr, Q_DST); 6632 gen_and(b0, b1); 6633 return b1; 6634 6635 case Q_DEFAULT: 6636 case Q_OR: 6637 b0 = gen_ahostop(eaddr, Q_SRC); 6638 b1 = gen_ahostop(eaddr, Q_DST); 6639 gen_or(b0, b1); 6640 return b1; 6641 } 6642 abort(); 6643 /* NOTREACHED */ 6644 } 6645 6646 /* 6647 * support IEEE 802.1Q VLAN trunk over ethernet 6648 */ 6649 struct block * 6650 gen_vlan(vlan_num) 6651 int vlan_num; 6652 { 6653 struct block *b0, *b1; 6654 6655 /* can't check for VLAN-encapsulated packets inside MPLS */ 6656 if (label_stack_depth > 0) 6657 bpf_error("no VLAN match after MPLS"); 6658 6659 /* 6660 * Change the offsets to point to the type and data fields within 6661 * the VLAN packet. Just increment the offsets, so that we 6662 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to 6663 * capture VLAN 200 encapsulated within VLAN 100. 6664 * 6665 * XXX - this is a bit of a kludge. If we were to split the 6666 * compiler into a parser that parses an expression and 6667 * generates an expression tree, and a code generator that 6668 * takes an expression tree (which could come from our 6669 * parser or from some other parser) and generates BPF code, 6670 * we could perhaps make the offsets parameters of routines 6671 * and, in the handler for an "AND" node, pass to subnodes 6672 * other than the VLAN node the adjusted offsets. 6673 * 6674 * This would mean that "vlan" would, instead of changing the 6675 * behavior of *all* tests after it, change only the behavior 6676 * of tests ANDed with it. That would change the documented 6677 * semantics of "vlan", which might break some expressions. 6678 * However, it would mean that "(vlan and ip) or ip" would check 6679 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 6680 * checking only for VLAN-encapsulated IP, so that could still 6681 * be considered worth doing; it wouldn't break expressions 6682 * that are of the form "vlan and ..." or "vlan N and ...", 6683 * which I suspect are the most common expressions involving 6684 * "vlan". "vlan or ..." doesn't necessarily do what the user 6685 * would really want, now, as all the "or ..." tests would 6686 * be done assuming a VLAN, even though the "or" could be viewed 6687 * as meaning "or, if this isn't a VLAN packet...". 6688 */ 6689 orig_linktype = off_linktype; /* save original values */ 6690 orig_nl = off_nl; 6691 6692 switch (linktype) { 6693 6694 case DLT_EN10MB: 6695 off_linktype += 4; 6696 off_nl_nosnap += 4; 6697 off_nl += 4; 6698 break; 6699 6700 default: 6701 bpf_error("no VLAN support for data link type %d", 6702 linktype); 6703 /*NOTREACHED*/ 6704 } 6705 6706 /* check for VLAN */ 6707 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q); 6708 6709 /* If a specific VLAN is requested, check VLAN id */ 6710 if (vlan_num >= 0) { 6711 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num, 6712 0x0fff); 6713 gen_and(b0, b1); 6714 b0 = b1; 6715 } 6716 6717 return (b0); 6718 } 6719 6720 /* 6721 * support for MPLS 6722 */ 6723 struct block * 6724 gen_mpls(label_num) 6725 int label_num; 6726 { 6727 struct block *b0,*b1; 6728 6729 /* 6730 * Change the offsets to point to the type and data fields within 6731 * the MPLS packet. Just increment the offsets, so that we 6732 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 6733 * capture packets with an outer label of 100000 and an inner 6734 * label of 1024. 6735 * 6736 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 6737 */ 6738 orig_nl = off_nl; 6739 6740 if (label_stack_depth > 0) { 6741 /* just match the bottom-of-stack bit clear */ 6742 b0 = gen_mcmp(OR_LINK, orig_nl-2, BPF_B, 0, 0x01); 6743 } else { 6744 /* 6745 * Indicate that we're checking MPLS-encapsulated headers, 6746 * to make sure higher level code generators don't try to 6747 * match against IP-related protocols such as Q_ARP, Q_RARP 6748 * etc. 6749 */ 6750 switch (linktype) { 6751 6752 case DLT_C_HDLC: /* fall through */ 6753 case DLT_EN10MB: 6754 b0 = gen_linktype(ETHERTYPE_MPLS); 6755 break; 6756 6757 case DLT_PPP: 6758 b0 = gen_linktype(PPP_MPLS_UCAST); 6759 break; 6760 6761 /* FIXME add other DLT_s ... 6762 * for Frame-Relay/and ATM this may get messy due to SNAP headers 6763 * leave it for now */ 6764 6765 default: 6766 bpf_error("no MPLS support for data link type %d", 6767 linktype); 6768 b0 = NULL; 6769 /*NOTREACHED*/ 6770 break; 6771 } 6772 } 6773 6774 /* If a specific MPLS label is requested, check it */ 6775 if (label_num >= 0) { 6776 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 6777 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num, 6778 0xfffff000); /* only compare the first 20 bits */ 6779 gen_and(b0, b1); 6780 b0 = b1; 6781 } 6782 6783 off_nl_nosnap += 4; 6784 off_nl += 4; 6785 label_stack_depth++; 6786 return (b0); 6787 } 6788 6789 /* 6790 * Support PPPOE discovery and session. 6791 */ 6792 struct block * 6793 gen_pppoed() 6794 { 6795 /* check for PPPoE discovery */ 6796 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 6797 } 6798 6799 struct block * 6800 gen_pppoes() 6801 { 6802 struct block *b0; 6803 6804 /* 6805 * Test against the PPPoE session link-layer type. 6806 */ 6807 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 6808 6809 /* 6810 * Change the offsets to point to the type and data fields within 6811 * the PPP packet. 6812 * 6813 * XXX - this is a bit of a kludge. If we were to split the 6814 * compiler into a parser that parses an expression and 6815 * generates an expression tree, and a code generator that 6816 * takes an expression tree (which could come from our 6817 * parser or from some other parser) and generates BPF code, 6818 * we could perhaps make the offsets parameters of routines 6819 * and, in the handler for an "AND" node, pass to subnodes 6820 * other than the PPPoE node the adjusted offsets. 6821 * 6822 * This would mean that "pppoes" would, instead of changing the 6823 * behavior of *all* tests after it, change only the behavior 6824 * of tests ANDed with it. That would change the documented 6825 * semantics of "pppoes", which might break some expressions. 6826 * However, it would mean that "(pppoes and ip) or ip" would check 6827 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 6828 * checking only for VLAN-encapsulated IP, so that could still 6829 * be considered worth doing; it wouldn't break expressions 6830 * that are of the form "pppoes and ..." which I suspect are the 6831 * most common expressions involving "pppoes". "pppoes or ..." 6832 * doesn't necessarily do what the user would really want, now, 6833 * as all the "or ..." tests would be done assuming PPPoE, even 6834 * though the "or" could be viewed as meaning "or, if this isn't 6835 * a PPPoE packet...". 6836 */ 6837 orig_linktype = off_linktype; /* save original values */ 6838 orig_nl = off_nl; 6839 6840 /* 6841 * The "network-layer" protocol is PPPoE, which has a 6-byte 6842 * PPPoE header, followed by PPP payload, so we set the 6843 * offsets to the network layer offset plus 6 bytes for 6844 * the PPPoE header plus the values appropriate for PPP when 6845 * encapsulated in Ethernet (which means there's no HDLC 6846 * encapsulation). 6847 */ 6848 off_linktype = orig_nl + 6; 6849 off_nl = orig_nl + 6 + 2; 6850 off_nl_nosnap = orig_nl + 6 + 2; 6851 6852 /* 6853 * Set the link-layer type to PPP, as all subsequent tests will 6854 * be on the encapsulated PPP header. 6855 */ 6856 linktype = DLT_PPP; 6857 6858 return b0; 6859 } 6860 6861 struct block * 6862 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 6863 int atmfield; 6864 bpf_int32 jvalue; 6865 bpf_u_int32 jtype; 6866 int reverse; 6867 { 6868 struct block *b0; 6869 6870 switch (atmfield) { 6871 6872 case A_VPI: 6873 if (!is_atm) 6874 bpf_error("'vpi' supported only on raw ATM"); 6875 if (off_vpi == (u_int)-1) 6876 abort(); 6877 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 6878 reverse, jvalue); 6879 break; 6880 6881 case A_VCI: 6882 if (!is_atm) 6883 bpf_error("'vci' supported only on raw ATM"); 6884 if (off_vci == (u_int)-1) 6885 abort(); 6886 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 6887 reverse, jvalue); 6888 break; 6889 6890 case A_PROTOTYPE: 6891 if (off_proto == (u_int)-1) 6892 abort(); /* XXX - this isn't on FreeBSD */ 6893 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 6894 reverse, jvalue); 6895 break; 6896 6897 case A_MSGTYPE: 6898 if (off_payload == (u_int)-1) 6899 abort(); 6900 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 6901 0xffffffff, jtype, reverse, jvalue); 6902 break; 6903 6904 case A_CALLREFTYPE: 6905 if (!is_atm) 6906 bpf_error("'callref' supported only on raw ATM"); 6907 if (off_proto == (u_int)-1) 6908 abort(); 6909 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 6910 jtype, reverse, jvalue); 6911 break; 6912 6913 default: 6914 abort(); 6915 } 6916 return b0; 6917 } 6918 6919 struct block * 6920 gen_atmtype_abbrev(type) 6921 int type; 6922 { 6923 struct block *b0, *b1; 6924 6925 switch (type) { 6926 6927 case A_METAC: 6928 /* Get all packets in Meta signalling Circuit */ 6929 if (!is_atm) 6930 bpf_error("'metac' supported only on raw ATM"); 6931 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6932 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 6933 gen_and(b0, b1); 6934 break; 6935 6936 case A_BCC: 6937 /* Get all packets in Broadcast Circuit*/ 6938 if (!is_atm) 6939 bpf_error("'bcc' supported only on raw ATM"); 6940 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6941 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 6942 gen_and(b0, b1); 6943 break; 6944 6945 case A_OAMF4SC: 6946 /* Get all cells in Segment OAM F4 circuit*/ 6947 if (!is_atm) 6948 bpf_error("'oam4sc' supported only on raw ATM"); 6949 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6950 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 6951 gen_and(b0, b1); 6952 break; 6953 6954 case A_OAMF4EC: 6955 /* Get all cells in End-to-End OAM F4 Circuit*/ 6956 if (!is_atm) 6957 bpf_error("'oam4ec' supported only on raw ATM"); 6958 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6959 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 6960 gen_and(b0, b1); 6961 break; 6962 6963 case A_SC: 6964 /* Get all packets in connection Signalling Circuit */ 6965 if (!is_atm) 6966 bpf_error("'sc' supported only on raw ATM"); 6967 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6968 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 6969 gen_and(b0, b1); 6970 break; 6971 6972 case A_ILMIC: 6973 /* Get all packets in ILMI Circuit */ 6974 if (!is_atm) 6975 bpf_error("'ilmic' supported only on raw ATM"); 6976 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6977 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 6978 gen_and(b0, b1); 6979 break; 6980 6981 case A_LANE: 6982 /* Get all LANE packets */ 6983 if (!is_atm) 6984 bpf_error("'lane' supported only on raw ATM"); 6985 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 6986 6987 /* 6988 * Arrange that all subsequent tests assume LANE 6989 * rather than LLC-encapsulated packets, and set 6990 * the offsets appropriately for LANE-encapsulated 6991 * Ethernet. 6992 * 6993 * "off_mac" is the offset of the Ethernet header, 6994 * which is 2 bytes past the ATM pseudo-header 6995 * (skipping the pseudo-header and 2-byte LE Client 6996 * field). The other offsets are Ethernet offsets 6997 * relative to "off_mac". 6998 */ 6999 is_lane = 1; 7000 off_mac = off_payload + 2; /* MAC header */ 7001 off_linktype = off_mac + 12; 7002 off_nl = off_mac + 14; /* Ethernet II */ 7003 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */ 7004 break; 7005 7006 case A_LLC: 7007 /* Get all LLC-encapsulated packets */ 7008 if (!is_atm) 7009 bpf_error("'llc' supported only on raw ATM"); 7010 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 7011 is_lane = 0; 7012 break; 7013 7014 default: 7015 abort(); 7016 } 7017 return b1; 7018 } 7019 7020 /* 7021 * Filtering for MTP2 messages based on li value 7022 * FISU, length is null 7023 * LSSU, length is 1 or 2 7024 * MSU, length is 3 or more 7025 */ 7026 struct block * 7027 gen_mtp2type_abbrev(type) 7028 int type; 7029 { 7030 struct block *b0, *b1; 7031 7032 switch (type) { 7033 7034 case M_FISU: 7035 if ( (linktype != DLT_MTP2) && 7036 (linktype != DLT_MTP2_WITH_PHDR) ) 7037 bpf_error("'fisu' supported only on MTP2"); 7038 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 7039 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 7040 break; 7041 7042 case M_LSSU: 7043 if ( (linktype != DLT_MTP2) && 7044 (linktype != DLT_MTP2_WITH_PHDR) ) 7045 bpf_error("'lssu' supported only on MTP2"); 7046 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 7047 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 7048 gen_and(b1, b0); 7049 break; 7050 7051 case M_MSU: 7052 if ( (linktype != DLT_MTP2) && 7053 (linktype != DLT_MTP2_WITH_PHDR) ) 7054 bpf_error("'msu' supported only on MTP2"); 7055 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 7056 break; 7057 7058 default: 7059 abort(); 7060 } 7061 return b0; 7062 } 7063 7064 struct block * 7065 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 7066 int mtp3field; 7067 bpf_u_int32 jvalue; 7068 bpf_u_int32 jtype; 7069 int reverse; 7070 { 7071 struct block *b0; 7072 bpf_u_int32 val1 , val2 , val3; 7073 7074 switch (mtp3field) { 7075 7076 case M_SIO: 7077 if (off_sio == (u_int)-1) 7078 bpf_error("'sio' supported only on SS7"); 7079 /* sio coded on 1 byte so max value 255 */ 7080 if(jvalue > 255) 7081 bpf_error("sio value %u too big; max value = 255", 7082 jvalue); 7083 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 7084 (u_int)jtype, reverse, (u_int)jvalue); 7085 break; 7086 7087 case M_OPC: 7088 if (off_opc == (u_int)-1) 7089 bpf_error("'opc' supported only on SS7"); 7090 /* opc coded on 14 bits so max value 16383 */ 7091 if (jvalue > 16383) 7092 bpf_error("opc value %u too big; max value = 16383", 7093 jvalue); 7094 /* the following instructions are made to convert jvalue 7095 * to the form used to write opc in an ss7 message*/ 7096 val1 = jvalue & 0x00003c00; 7097 val1 = val1 >>10; 7098 val2 = jvalue & 0x000003fc; 7099 val2 = val2 <<6; 7100 val3 = jvalue & 0x00000003; 7101 val3 = val3 <<22; 7102 jvalue = val1 + val2 + val3; 7103 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 7104 (u_int)jtype, reverse, (u_int)jvalue); 7105 break; 7106 7107 case M_DPC: 7108 if (off_dpc == (u_int)-1) 7109 bpf_error("'dpc' supported only on SS7"); 7110 /* dpc coded on 14 bits so max value 16383 */ 7111 if (jvalue > 16383) 7112 bpf_error("dpc value %u too big; max value = 16383", 7113 jvalue); 7114 /* the following instructions are made to convert jvalue 7115 * to the forme used to write dpc in an ss7 message*/ 7116 val1 = jvalue & 0x000000ff; 7117 val1 = val1 << 24; 7118 val2 = jvalue & 0x00003f00; 7119 val2 = val2 << 8; 7120 jvalue = val1 + val2; 7121 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 7122 (u_int)jtype, reverse, (u_int)jvalue); 7123 break; 7124 7125 case M_SLS: 7126 if (off_sls == (u_int)-1) 7127 bpf_error("'sls' supported only on SS7"); 7128 /* sls coded on 4 bits so max value 15 */ 7129 if (jvalue > 15) 7130 bpf_error("sls value %u too big; max value = 15", 7131 jvalue); 7132 /* the following instruction is made to convert jvalue 7133 * to the forme used to write sls in an ss7 message*/ 7134 jvalue = jvalue << 4; 7135 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 7136 (u_int)jtype,reverse, (u_int)jvalue); 7137 break; 7138 7139 default: 7140 abort(); 7141 } 7142 return b0; 7143 } 7144 7145 static struct block * 7146 gen_msg_abbrev(type) 7147 int type; 7148 { 7149 struct block *b1; 7150 7151 /* 7152 * Q.2931 signalling protocol messages for handling virtual circuits 7153 * establishment and teardown 7154 */ 7155 switch (type) { 7156 7157 case A_SETUP: 7158 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 7159 break; 7160 7161 case A_CALLPROCEED: 7162 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 7163 break; 7164 7165 case A_CONNECT: 7166 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 7167 break; 7168 7169 case A_CONNECTACK: 7170 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 7171 break; 7172 7173 case A_RELEASE: 7174 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 7175 break; 7176 7177 case A_RELEASE_DONE: 7178 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 7179 break; 7180 7181 default: 7182 abort(); 7183 } 7184 return b1; 7185 } 7186 7187 struct block * 7188 gen_atmmulti_abbrev(type) 7189 int type; 7190 { 7191 struct block *b0, *b1; 7192 7193 switch (type) { 7194 7195 case A_OAM: 7196 if (!is_atm) 7197 bpf_error("'oam' supported only on raw ATM"); 7198 b1 = gen_atmmulti_abbrev(A_OAMF4); 7199 break; 7200 7201 case A_OAMF4: 7202 if (!is_atm) 7203 bpf_error("'oamf4' supported only on raw ATM"); 7204 /* OAM F4 type */ 7205 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 7206 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 7207 gen_or(b0, b1); 7208 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7209 gen_and(b0, b1); 7210 break; 7211 7212 case A_CONNECTMSG: 7213 /* 7214 * Get Q.2931 signalling messages for switched 7215 * virtual connection 7216 */ 7217 if (!is_atm) 7218 bpf_error("'connectmsg' supported only on raw ATM"); 7219 b0 = gen_msg_abbrev(A_SETUP); 7220 b1 = gen_msg_abbrev(A_CALLPROCEED); 7221 gen_or(b0, b1); 7222 b0 = gen_msg_abbrev(A_CONNECT); 7223 gen_or(b0, b1); 7224 b0 = gen_msg_abbrev(A_CONNECTACK); 7225 gen_or(b0, b1); 7226 b0 = gen_msg_abbrev(A_RELEASE); 7227 gen_or(b0, b1); 7228 b0 = gen_msg_abbrev(A_RELEASE_DONE); 7229 gen_or(b0, b1); 7230 b0 = gen_atmtype_abbrev(A_SC); 7231 gen_and(b0, b1); 7232 break; 7233 7234 case A_METACONNECT: 7235 if (!is_atm) 7236 bpf_error("'metaconnect' supported only on raw ATM"); 7237 b0 = gen_msg_abbrev(A_SETUP); 7238 b1 = gen_msg_abbrev(A_CALLPROCEED); 7239 gen_or(b0, b1); 7240 b0 = gen_msg_abbrev(A_CONNECT); 7241 gen_or(b0, b1); 7242 b0 = gen_msg_abbrev(A_RELEASE); 7243 gen_or(b0, b1); 7244 b0 = gen_msg_abbrev(A_RELEASE_DONE); 7245 gen_or(b0, b1); 7246 b0 = gen_atmtype_abbrev(A_METAC); 7247 gen_and(b0, b1); 7248 break; 7249 7250 default: 7251 abort(); 7252 } 7253 return b1; 7254 } 7255