1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * $FreeBSD$ 23 */ 24 #ifndef lint 25 static const char rcsid[] _U_ = 26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.34 2005/09/05 09:08:04 guy Exp $ (LBL)"; 27 #endif 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef WIN32 34 #include <pcap-stdinc.h> 35 #else /* WIN32 */ 36 #include <sys/types.h> 37 #include <sys/socket.h> 38 #endif /* WIN32 */ 39 40 /* 41 * XXX - why was this included even on UNIX? 42 */ 43 #ifdef __MINGW32__ 44 #include "IP6_misc.h" 45 #endif 46 47 #ifndef WIN32 48 49 #ifdef __NetBSD__ 50 #include <sys/param.h> 51 #endif 52 53 #include <netinet/in.h> 54 55 #endif /* WIN32 */ 56 57 #include <stdlib.h> 58 #include <string.h> 59 #include <memory.h> 60 #include <setjmp.h> 61 #include <stdarg.h> 62 63 #ifdef MSDOS 64 #include "pcap-dos.h" 65 #endif 66 67 #include "pcap-int.h" 68 69 #include "ethertype.h" 70 #include "nlpid.h" 71 #include "llc.h" 72 #include "gencode.h" 73 #include "atmuni31.h" 74 #include "sunatmpos.h" 75 #include "ppp.h" 76 #include "sll.h" 77 #include "arcnet.h" 78 #include "pf.h" 79 #ifndef offsetof 80 #define offsetof(s, e) ((size_t)&((s *)0)->e) 81 #endif 82 #ifdef INET6 83 #ifndef WIN32 84 #include <netdb.h> /* for "struct addrinfo" */ 85 #endif /* WIN32 */ 86 #endif /*INET6*/ 87 #include <pcap-namedb.h> 88 89 #define ETHERMTU 1500 90 91 #ifndef IPPROTO_SCTP 92 #define IPPROTO_SCTP 132 93 #endif 94 95 #ifdef HAVE_OS_PROTO_H 96 #include "os-proto.h" 97 #endif 98 99 #define JMP(c) ((c)|BPF_JMP|BPF_K) 100 101 /* Locals */ 102 static jmp_buf top_ctx; 103 static pcap_t *bpf_pcap; 104 105 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 106 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 107 108 /* XXX */ 109 #ifdef PCAP_FDDIPAD 110 static int pcap_fddipad; 111 #endif 112 113 /* VARARGS */ 114 void 115 bpf_error(const char *fmt, ...) 116 { 117 va_list ap; 118 119 va_start(ap, fmt); 120 if (bpf_pcap != NULL) 121 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 122 fmt, ap); 123 va_end(ap); 124 longjmp(top_ctx, 1); 125 /* NOTREACHED */ 126 } 127 128 static void init_linktype(pcap_t *); 129 130 static int alloc_reg(void); 131 static void free_reg(int); 132 133 static struct block *root; 134 135 /* 136 * Value passed to gen_load_a() to indicate what the offset argument 137 * is relative to. 138 */ 139 enum e_offrel { 140 OR_PACKET, /* relative to the beginning of the packet */ 141 OR_LINK, /* relative to the link-layer header */ 142 OR_NET, /* relative to the network-layer header */ 143 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 144 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 145 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 146 }; 147 148 /* 149 * We divy out chunks of memory rather than call malloc each time so 150 * we don't have to worry about leaking memory. It's probably 151 * not a big deal if all this memory was wasted but if this ever 152 * goes into a library that would probably not be a good idea. 153 * 154 * XXX - this *is* in a library.... 155 */ 156 #define NCHUNKS 16 157 #define CHUNK0SIZE 1024 158 struct chunk { 159 u_int n_left; 160 void *m; 161 }; 162 163 static struct chunk chunks[NCHUNKS]; 164 static int cur_chunk; 165 166 static void *newchunk(u_int); 167 static void freechunks(void); 168 static inline struct block *new_block(int); 169 static inline struct slist *new_stmt(int); 170 static struct block *gen_retblk(int); 171 static inline void syntax(void); 172 173 static void backpatch(struct block *, struct block *); 174 static void merge(struct block *, struct block *); 175 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 176 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 177 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 178 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 179 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 180 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 181 bpf_u_int32); 182 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 183 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 184 bpf_u_int32, bpf_u_int32, int, bpf_int32); 185 static struct slist *gen_load_llrel(u_int, u_int); 186 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 187 static struct slist *gen_loadx_iphdrlen(void); 188 static struct block *gen_uncond(int); 189 static inline struct block *gen_true(void); 190 static inline struct block *gen_false(void); 191 static struct block *gen_ether_linktype(int); 192 static struct block *gen_linux_sll_linktype(int); 193 static void insert_radiotap_load_llprefixlen(struct block *); 194 static void insert_load_llprefixlen(struct block *); 195 static struct slist *gen_llprefixlen(void); 196 static struct block *gen_linktype(int); 197 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int); 198 static struct block *gen_llc_linktype(int); 199 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 200 #ifdef INET6 201 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 202 #endif 203 static struct block *gen_ahostop(const u_char *, int); 204 static struct block *gen_ehostop(const u_char *, int); 205 static struct block *gen_fhostop(const u_char *, int); 206 static struct block *gen_thostop(const u_char *, int); 207 static struct block *gen_wlanhostop(const u_char *, int); 208 static struct block *gen_ipfchostop(const u_char *, int); 209 static struct block *gen_dnhostop(bpf_u_int32, int); 210 static struct block *gen_mpls_linktype(int); 211 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int); 212 #ifdef INET6 213 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int); 214 #endif 215 #ifndef INET6 216 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 217 #endif 218 static struct block *gen_ipfrag(void); 219 static struct block *gen_portatom(int, bpf_int32); 220 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 221 #ifdef INET6 222 static struct block *gen_portatom6(int, bpf_int32); 223 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 224 #endif 225 struct block *gen_portop(int, int, int); 226 static struct block *gen_port(int, int, int); 227 struct block *gen_portrangeop(int, int, int, int); 228 static struct block *gen_portrange(int, int, int, int); 229 #ifdef INET6 230 struct block *gen_portop6(int, int, int); 231 static struct block *gen_port6(int, int, int); 232 struct block *gen_portrangeop6(int, int, int, int); 233 static struct block *gen_portrange6(int, int, int, int); 234 #endif 235 static int lookup_proto(const char *, int); 236 static struct block *gen_protochain(int, int, int); 237 static struct block *gen_proto(int, int, int); 238 static struct slist *xfer_to_x(struct arth *); 239 static struct slist *xfer_to_a(struct arth *); 240 static struct block *gen_mac_multicast(int); 241 static struct block *gen_len(int, int); 242 243 static struct block *gen_msg_abbrev(int type); 244 245 static void * 246 newchunk(n) 247 u_int n; 248 { 249 struct chunk *cp; 250 int k; 251 size_t size; 252 253 #ifndef __NetBSD__ 254 /* XXX Round up to nearest long. */ 255 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 256 #else 257 /* XXX Round up to structure boundary. */ 258 n = ALIGN(n); 259 #endif 260 261 cp = &chunks[cur_chunk]; 262 if (n > cp->n_left) { 263 ++cp, k = ++cur_chunk; 264 if (k >= NCHUNKS) 265 bpf_error("out of memory"); 266 size = CHUNK0SIZE << k; 267 cp->m = (void *)malloc(size); 268 if (cp->m == NULL) 269 bpf_error("out of memory"); 270 memset((char *)cp->m, 0, size); 271 cp->n_left = size; 272 if (n > size) 273 bpf_error("out of memory"); 274 } 275 cp->n_left -= n; 276 return (void *)((char *)cp->m + cp->n_left); 277 } 278 279 static void 280 freechunks() 281 { 282 int i; 283 284 cur_chunk = 0; 285 for (i = 0; i < NCHUNKS; ++i) 286 if (chunks[i].m != NULL) { 287 free(chunks[i].m); 288 chunks[i].m = NULL; 289 } 290 } 291 292 /* 293 * A strdup whose allocations are freed after code generation is over. 294 */ 295 char * 296 sdup(s) 297 register const char *s; 298 { 299 int n = strlen(s) + 1; 300 char *cp = newchunk(n); 301 302 strlcpy(cp, s, n); 303 return (cp); 304 } 305 306 static inline struct block * 307 new_block(code) 308 int code; 309 { 310 struct block *p; 311 312 p = (struct block *)newchunk(sizeof(*p)); 313 p->s.code = code; 314 p->head = p; 315 316 return p; 317 } 318 319 static inline struct slist * 320 new_stmt(code) 321 int code; 322 { 323 struct slist *p; 324 325 p = (struct slist *)newchunk(sizeof(*p)); 326 p->s.code = code; 327 328 return p; 329 } 330 331 static struct block * 332 gen_retblk(v) 333 int v; 334 { 335 struct block *b = new_block(BPF_RET|BPF_K); 336 337 b->s.k = v; 338 return b; 339 } 340 341 static inline void 342 syntax() 343 { 344 bpf_error("syntax error in filter expression"); 345 } 346 347 static bpf_u_int32 netmask; 348 static int snaplen; 349 int no_optimize; 350 351 int 352 pcap_compile(pcap_t *p, struct bpf_program *program, 353 char *buf, int optimize, bpf_u_int32 mask) 354 { 355 extern int n_errors; 356 int len; 357 358 no_optimize = 0; 359 n_errors = 0; 360 root = NULL; 361 bpf_pcap = p; 362 if (setjmp(top_ctx)) { 363 lex_cleanup(); 364 freechunks(); 365 return (-1); 366 } 367 368 netmask = mask; 369 370 snaplen = pcap_snapshot(p); 371 if (snaplen == 0) { 372 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 373 "snaplen of 0 rejects all packets"); 374 return -1; 375 } 376 377 lex_init(buf ? buf : ""); 378 init_linktype(p); 379 (void)pcap_parse(); 380 381 if (n_errors) 382 syntax(); 383 384 if (root == NULL) 385 root = gen_retblk(snaplen); 386 387 if (optimize && !no_optimize) { 388 bpf_optimize(&root); 389 if (root == NULL || 390 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 391 bpf_error("expression rejects all packets"); 392 } 393 program->bf_insns = icode_to_fcode(root, &len); 394 program->bf_len = len; 395 396 lex_cleanup(); 397 freechunks(); 398 return (0); 399 } 400 401 /* 402 * entry point for using the compiler with no pcap open 403 * pass in all the stuff that is needed explicitly instead. 404 */ 405 int 406 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 407 struct bpf_program *program, 408 char *buf, int optimize, bpf_u_int32 mask) 409 { 410 pcap_t *p; 411 int ret; 412 413 p = pcap_open_dead(linktype_arg, snaplen_arg); 414 if (p == NULL) 415 return (-1); 416 ret = pcap_compile(p, program, buf, optimize, mask); 417 pcap_close(p); 418 return (ret); 419 } 420 421 /* 422 * Clean up a "struct bpf_program" by freeing all the memory allocated 423 * in it. 424 */ 425 void 426 pcap_freecode(struct bpf_program *program) 427 { 428 program->bf_len = 0; 429 if (program->bf_insns != NULL) { 430 free((char *)program->bf_insns); 431 program->bf_insns = NULL; 432 } 433 } 434 435 /* 436 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 437 * which of the jt and jf fields has been resolved and which is a pointer 438 * back to another unresolved block (or nil). At least one of the fields 439 * in each block is already resolved. 440 */ 441 static void 442 backpatch(list, target) 443 struct block *list, *target; 444 { 445 struct block *next; 446 447 while (list) { 448 if (!list->sense) { 449 next = JT(list); 450 JT(list) = target; 451 } else { 452 next = JF(list); 453 JF(list) = target; 454 } 455 list = next; 456 } 457 } 458 459 /* 460 * Merge the lists in b0 and b1, using the 'sense' field to indicate 461 * which of jt and jf is the link. 462 */ 463 static void 464 merge(b0, b1) 465 struct block *b0, *b1; 466 { 467 register struct block **p = &b0; 468 469 /* Find end of list. */ 470 while (*p) 471 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 472 473 /* Concatenate the lists. */ 474 *p = b1; 475 } 476 477 void 478 finish_parse(p) 479 struct block *p; 480 { 481 backpatch(p, gen_retblk(snaplen)); 482 p->sense = !p->sense; 483 backpatch(p, gen_retblk(0)); 484 root = p->head; 485 486 /* 487 * Insert before the statements of the first (root) block any 488 * statements needed to load the lengths of any variable-length 489 * headers into registers. 490 * 491 * XXX - a fancier strategy would be to insert those before the 492 * statements of all blocks that use those lengths and that 493 * have no predecessors that use them, so that we only compute 494 * the lengths if we need them. There might be even better 495 * approaches than that. However, as we're currently only 496 * handling variable-length radiotap headers, and as all 497 * filtering expressions other than raw link[M:N] tests 498 * require the length of that header, doing more for that 499 * header length isn't really worth the effort. 500 */ 501 insert_load_llprefixlen(root); 502 } 503 504 void 505 gen_and(b0, b1) 506 struct block *b0, *b1; 507 { 508 backpatch(b0, b1->head); 509 b0->sense = !b0->sense; 510 b1->sense = !b1->sense; 511 merge(b1, b0); 512 b1->sense = !b1->sense; 513 b1->head = b0->head; 514 } 515 516 void 517 gen_or(b0, b1) 518 struct block *b0, *b1; 519 { 520 b0->sense = !b0->sense; 521 backpatch(b0, b1->head); 522 b0->sense = !b0->sense; 523 merge(b1, b0); 524 b1->head = b0->head; 525 } 526 527 void 528 gen_not(b) 529 struct block *b; 530 { 531 b->sense = !b->sense; 532 } 533 534 static struct block * 535 gen_cmp(offrel, offset, size, v) 536 enum e_offrel offrel; 537 u_int offset, size; 538 bpf_int32 v; 539 { 540 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 541 } 542 543 static struct block * 544 gen_cmp_gt(offrel, offset, size, v) 545 enum e_offrel offrel; 546 u_int offset, size; 547 bpf_int32 v; 548 { 549 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 550 } 551 552 static struct block * 553 gen_cmp_ge(offrel, offset, size, v) 554 enum e_offrel offrel; 555 u_int offset, size; 556 bpf_int32 v; 557 { 558 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 559 } 560 561 static struct block * 562 gen_cmp_lt(offrel, offset, size, v) 563 enum e_offrel offrel; 564 u_int offset, size; 565 bpf_int32 v; 566 { 567 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 568 } 569 570 static struct block * 571 gen_cmp_le(offrel, offset, size, v) 572 enum e_offrel offrel; 573 u_int offset, size; 574 bpf_int32 v; 575 { 576 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 577 } 578 579 static struct block * 580 gen_mcmp(offrel, offset, size, v, mask) 581 enum e_offrel offrel; 582 u_int offset, size; 583 bpf_int32 v; 584 bpf_u_int32 mask; 585 { 586 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 587 } 588 589 static struct block * 590 gen_bcmp(offrel, offset, size, v) 591 enum e_offrel offrel; 592 register u_int offset, size; 593 register const u_char *v; 594 { 595 register struct block *b, *tmp; 596 597 b = NULL; 598 while (size >= 4) { 599 register const u_char *p = &v[size - 4]; 600 bpf_int32 w = ((bpf_int32)p[0] << 24) | 601 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 602 603 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 604 if (b != NULL) 605 gen_and(b, tmp); 606 b = tmp; 607 size -= 4; 608 } 609 while (size >= 2) { 610 register const u_char *p = &v[size - 2]; 611 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 612 613 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 614 if (b != NULL) 615 gen_and(b, tmp); 616 b = tmp; 617 size -= 2; 618 } 619 if (size > 0) { 620 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 621 if (b != NULL) 622 gen_and(b, tmp); 623 b = tmp; 624 } 625 return b; 626 } 627 628 /* 629 * AND the field of size "size" at offset "offset" relative to the header 630 * specified by "offrel" with "mask", and compare it with the value "v" 631 * with the test specified by "jtype"; if "reverse" is true, the test 632 * should test the opposite of "jtype". 633 */ 634 static struct block * 635 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 636 enum e_offrel offrel; 637 bpf_int32 v; 638 bpf_u_int32 offset, size, mask, jtype; 639 int reverse; 640 { 641 struct slist *s, *s2; 642 struct block *b; 643 644 s = gen_load_a(offrel, offset, size); 645 646 if (mask != 0xffffffff) { 647 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 648 s2->s.k = mask; 649 sappend(s, s2); 650 } 651 652 b = new_block(JMP(jtype)); 653 b->stmts = s; 654 b->s.k = v; 655 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 656 gen_not(b); 657 return b; 658 } 659 660 /* 661 * Various code constructs need to know the layout of the data link 662 * layer. These variables give the necessary offsets from the beginning 663 * of the packet data. 664 * 665 * If the link layer has variable_length headers, the offsets are offsets 666 * from the end of the link-link-layer header, and "reg_ll_size" is 667 * the register number for a register containing the length of the 668 * link-layer header. Otherwise, "reg_ll_size" is -1. 669 */ 670 static int reg_ll_size; 671 672 /* 673 * This is the offset of the beginning of the link-layer header. 674 * It's usually 0, except for 802.11 with a fixed-length radio header. 675 */ 676 static u_int off_ll; 677 678 /* 679 * This is the offset of the beginning of the MAC-layer header. 680 * It's usually 0, except for ATM LANE. 681 */ 682 static u_int off_mac; 683 684 /* 685 * "off_linktype" is the offset to information in the link-layer header 686 * giving the packet type. 687 * 688 * For Ethernet, it's the offset of the Ethernet type field. 689 * 690 * For link-layer types that always use 802.2 headers, it's the 691 * offset of the LLC header. 692 * 693 * For PPP, it's the offset of the PPP type field. 694 * 695 * For Cisco HDLC, it's the offset of the CHDLC type field. 696 * 697 * For BSD loopback, it's the offset of the AF_ value. 698 * 699 * For Linux cooked sockets, it's the offset of the type field. 700 * 701 * It's set to -1 for no encapsulation, in which case, IP is assumed. 702 */ 703 static u_int off_linktype; 704 705 /* 706 * TRUE if the link layer includes an ATM pseudo-header. 707 */ 708 static int is_atm = 0; 709 710 /* 711 * TRUE if "lane" appeared in the filter; it causes us to generate 712 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 713 */ 714 static int is_lane = 0; 715 716 /* 717 * These are offsets for the ATM pseudo-header. 718 */ 719 static u_int off_vpi; 720 static u_int off_vci; 721 static u_int off_proto; 722 723 /* 724 * These are offsets for the MTP3 fields. 725 */ 726 static u_int off_sio; 727 static u_int off_opc; 728 static u_int off_dpc; 729 static u_int off_sls; 730 731 /* 732 * This is the offset of the first byte after the ATM pseudo_header, 733 * or -1 if there is no ATM pseudo-header. 734 */ 735 static u_int off_payload; 736 737 /* 738 * These are offsets to the beginning of the network-layer header. 739 * 740 * If the link layer never uses 802.2 LLC: 741 * 742 * "off_nl" and "off_nl_nosnap" are the same. 743 * 744 * If the link layer always uses 802.2 LLC: 745 * 746 * "off_nl" is the offset if there's a SNAP header following 747 * the 802.2 header; 748 * 749 * "off_nl_nosnap" is the offset if there's no SNAP header. 750 * 751 * If the link layer is Ethernet: 752 * 753 * "off_nl" is the offset if the packet is an Ethernet II packet 754 * (we assume no 802.3+802.2+SNAP); 755 * 756 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 757 * with an 802.2 header following it. 758 */ 759 static u_int off_nl; 760 static u_int off_nl_nosnap; 761 762 static int linktype; 763 764 static void 765 init_linktype(p) 766 pcap_t *p; 767 { 768 linktype = pcap_datalink(p); 769 #ifdef PCAP_FDDIPAD 770 pcap_fddipad = p->fddipad; 771 #endif 772 773 /* 774 * Assume it's not raw ATM with a pseudo-header, for now. 775 */ 776 off_mac = 0; 777 is_atm = 0; 778 is_lane = 0; 779 off_vpi = -1; 780 off_vci = -1; 781 off_proto = -1; 782 off_payload = -1; 783 784 /* 785 * And assume we're not doing SS7. 786 */ 787 off_sio = -1; 788 off_opc = -1; 789 off_dpc = -1; 790 off_sls = -1; 791 792 /* 793 * Also assume it's not 802.11 with a fixed-length radio header. 794 */ 795 off_ll = 0; 796 797 orig_linktype = -1; 798 orig_nl = -1; 799 label_stack_depth = 0; 800 801 reg_ll_size = -1; 802 803 switch (linktype) { 804 805 case DLT_ARCNET: 806 off_linktype = 2; 807 off_nl = 6; /* XXX in reality, variable! */ 808 off_nl_nosnap = 6; /* no 802.2 LLC */ 809 return; 810 811 case DLT_ARCNET_LINUX: 812 off_linktype = 4; 813 off_nl = 8; /* XXX in reality, variable! */ 814 off_nl_nosnap = 8; /* no 802.2 LLC */ 815 return; 816 817 case DLT_EN10MB: 818 off_linktype = 12; 819 off_nl = 14; /* Ethernet II */ 820 off_nl_nosnap = 17; /* 802.3+802.2 */ 821 return; 822 823 case DLT_SLIP: 824 /* 825 * SLIP doesn't have a link level type. The 16 byte 826 * header is hacked into our SLIP driver. 827 */ 828 off_linktype = -1; 829 off_nl = 16; 830 off_nl_nosnap = 16; /* no 802.2 LLC */ 831 return; 832 833 case DLT_SLIP_BSDOS: 834 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 835 off_linktype = -1; 836 /* XXX end */ 837 off_nl = 24; 838 off_nl_nosnap = 24; /* no 802.2 LLC */ 839 return; 840 841 case DLT_NULL: 842 case DLT_LOOP: 843 off_linktype = 0; 844 off_nl = 4; 845 off_nl_nosnap = 4; /* no 802.2 LLC */ 846 return; 847 848 case DLT_ENC: 849 off_linktype = 0; 850 off_nl = 12; 851 off_nl_nosnap = 12; /* no 802.2 LLC */ 852 return; 853 854 case DLT_PPP: 855 case DLT_PPP_PPPD: 856 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 857 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 858 off_linktype = 2; 859 off_nl = 4; 860 off_nl_nosnap = 4; /* no 802.2 LLC */ 861 return; 862 863 case DLT_PPP_ETHER: 864 /* 865 * This does no include the Ethernet header, and 866 * only covers session state. 867 */ 868 off_linktype = 6; 869 off_nl = 8; 870 off_nl_nosnap = 8; /* no 802.2 LLC */ 871 return; 872 873 case DLT_PPP_BSDOS: 874 off_linktype = 5; 875 off_nl = 24; 876 off_nl_nosnap = 24; /* no 802.2 LLC */ 877 return; 878 879 case DLT_FDDI: 880 /* 881 * FDDI doesn't really have a link-level type field. 882 * We set "off_linktype" to the offset of the LLC header. 883 * 884 * To check for Ethernet types, we assume that SSAP = SNAP 885 * is being used and pick out the encapsulated Ethernet type. 886 * XXX - should we generate code to check for SNAP? 887 */ 888 off_linktype = 13; 889 #ifdef PCAP_FDDIPAD 890 off_linktype += pcap_fddipad; 891 #endif 892 off_nl = 21; /* FDDI+802.2+SNAP */ 893 off_nl_nosnap = 16; /* FDDI+802.2 */ 894 #ifdef PCAP_FDDIPAD 895 off_nl += pcap_fddipad; 896 off_nl_nosnap += pcap_fddipad; 897 #endif 898 return; 899 900 case DLT_IEEE802: 901 /* 902 * Token Ring doesn't really have a link-level type field. 903 * We set "off_linktype" to the offset of the LLC header. 904 * 905 * To check for Ethernet types, we assume that SSAP = SNAP 906 * is being used and pick out the encapsulated Ethernet type. 907 * XXX - should we generate code to check for SNAP? 908 * 909 * XXX - the header is actually variable-length. 910 * Some various Linux patched versions gave 38 911 * as "off_linktype" and 40 as "off_nl"; however, 912 * if a token ring packet has *no* routing 913 * information, i.e. is not source-routed, the correct 914 * values are 20 and 22, as they are in the vanilla code. 915 * 916 * A packet is source-routed iff the uppermost bit 917 * of the first byte of the source address, at an 918 * offset of 8, has the uppermost bit set. If the 919 * packet is source-routed, the total number of bytes 920 * of routing information is 2 plus bits 0x1F00 of 921 * the 16-bit value at an offset of 14 (shifted right 922 * 8 - figure out which byte that is). 923 */ 924 off_linktype = 14; 925 off_nl = 22; /* Token Ring+802.2+SNAP */ 926 off_nl_nosnap = 17; /* Token Ring+802.2 */ 927 return; 928 929 case DLT_IEEE802_11: 930 /* 931 * 802.11 doesn't really have a link-level type field. 932 * We set "off_linktype" to the offset of the LLC header. 933 * 934 * To check for Ethernet types, we assume that SSAP = SNAP 935 * is being used and pick out the encapsulated Ethernet type. 936 * XXX - should we generate code to check for SNAP? 937 * 938 * XXX - the header is actually variable-length. We 939 * assume a 24-byte link-layer header, as appears in 940 * data frames in networks with no bridges. If the 941 * fromds and tods 802.11 header bits are both set, 942 * it's actually supposed to be 30 bytes. 943 */ 944 off_linktype = 24; 945 off_nl = 32; /* 802.11+802.2+SNAP */ 946 off_nl_nosnap = 27; /* 802.11+802.2 */ 947 return; 948 949 case DLT_PRISM_HEADER: 950 /* 951 * Same as 802.11, but with an additional header before 952 * the 802.11 header, containing a bunch of additional 953 * information including radio-level information. 954 * 955 * The header is 144 bytes long. 956 * 957 * XXX - same variable-length header problem; at least 958 * the Prism header is fixed-length. 959 */ 960 off_ll = 144; 961 off_linktype = 144+24; 962 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */ 963 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */ 964 return; 965 966 case DLT_IEEE802_11_RADIO_AVS: 967 /* 968 * Same as 802.11, but with an additional header before 969 * the 802.11 header, containing a bunch of additional 970 * information including radio-level information. 971 * 972 * The header is 64 bytes long, at least in its 973 * current incarnation. 974 * 975 * XXX - same variable-length header problem, only 976 * more so; this header is also variable-length, 977 * with the length being the 32-bit big-endian 978 * number at an offset of 4 from the beginning 979 * of the radio header. 980 */ 981 off_ll = 64; 982 off_linktype = 64+24; 983 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */ 984 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */ 985 return; 986 987 case DLT_IEEE802_11_RADIO: 988 /* 989 * Same as 802.11, but with an additional header before 990 * the 802.11 header, containing a bunch of additional 991 * information including radio-level information. 992 * 993 * The radiotap header is variable length, and we 994 * generate code to compute its length and store it 995 * in a register. These offsets are relative to the 996 * beginning of the 802.11 header. 997 */ 998 off_linktype = 24; 999 off_nl = 32; /* 802.11+802.2+SNAP */ 1000 off_nl_nosnap = 27; /* 802.11+802.2 */ 1001 return; 1002 1003 case DLT_ATM_RFC1483: 1004 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1005 /* 1006 * assume routed, non-ISO PDUs 1007 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1008 * 1009 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1010 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1011 * latter would presumably be treated the way PPPoE 1012 * should be, so you can do "pppoe and udp port 2049" 1013 * or "pppoa and tcp port 80" and have it check for 1014 * PPPo{A,E} and a PPP protocol of IP and.... 1015 */ 1016 off_linktype = 0; 1017 off_nl = 8; /* 802.2+SNAP */ 1018 off_nl_nosnap = 3; /* 802.2 */ 1019 return; 1020 1021 case DLT_SUNATM: 1022 /* 1023 * Full Frontal ATM; you get AALn PDUs with an ATM 1024 * pseudo-header. 1025 */ 1026 is_atm = 1; 1027 off_vpi = SUNATM_VPI_POS; 1028 off_vci = SUNATM_VCI_POS; 1029 off_proto = PROTO_POS; 1030 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */ 1031 off_payload = SUNATM_PKT_BEGIN_POS; 1032 off_linktype = off_payload; 1033 off_nl = off_payload+8; /* 802.2+SNAP */ 1034 off_nl_nosnap = off_payload+3; /* 802.2 */ 1035 return; 1036 1037 case DLT_RAW: 1038 off_linktype = -1; 1039 off_nl = 0; 1040 off_nl_nosnap = 0; /* no 802.2 LLC */ 1041 return; 1042 1043 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1044 off_linktype = 14; 1045 off_nl = 16; 1046 off_nl_nosnap = 16; /* no 802.2 LLC */ 1047 return; 1048 1049 case DLT_LTALK: 1050 /* 1051 * LocalTalk does have a 1-byte type field in the LLAP header, 1052 * but really it just indicates whether there is a "short" or 1053 * "long" DDP packet following. 1054 */ 1055 off_linktype = -1; 1056 off_nl = 0; 1057 off_nl_nosnap = 0; /* no 802.2 LLC */ 1058 return; 1059 1060 case DLT_IP_OVER_FC: 1061 /* 1062 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1063 * link-level type field. We set "off_linktype" to the 1064 * offset of the LLC header. 1065 * 1066 * To check for Ethernet types, we assume that SSAP = SNAP 1067 * is being used and pick out the encapsulated Ethernet type. 1068 * XXX - should we generate code to check for SNAP? RFC 1069 * 2625 says SNAP should be used. 1070 */ 1071 off_linktype = 16; 1072 off_nl = 24; /* IPFC+802.2+SNAP */ 1073 off_nl_nosnap = 19; /* IPFC+802.2 */ 1074 return; 1075 1076 case DLT_FRELAY: 1077 /* 1078 * XXX - we should set this to handle SNAP-encapsulated 1079 * frames (NLPID of 0x80). 1080 */ 1081 off_linktype = -1; 1082 off_nl = 0; 1083 off_nl_nosnap = 0; /* no 802.2 LLC */ 1084 return; 1085 1086 case DLT_APPLE_IP_OVER_IEEE1394: 1087 off_linktype = 16; 1088 off_nl = 18; 1089 off_nl_nosnap = 18; /* no 802.2 LLC */ 1090 return; 1091 1092 case DLT_LINUX_IRDA: 1093 /* 1094 * Currently, only raw "link[N:M]" filtering is supported. 1095 */ 1096 off_linktype = -1; 1097 off_nl = -1; 1098 off_nl_nosnap = -1; 1099 return; 1100 1101 case DLT_DOCSIS: 1102 /* 1103 * Currently, only raw "link[N:M]" filtering is supported. 1104 */ 1105 off_linktype = -1; 1106 off_nl = -1; 1107 off_nl_nosnap = -1; 1108 return; 1109 1110 case DLT_SYMANTEC_FIREWALL: 1111 off_linktype = 6; 1112 off_nl = 44; /* Ethernet II */ 1113 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */ 1114 return; 1115 1116 case DLT_PFLOG: 1117 off_linktype = 0; 1118 /* XXX read this from pf.h? */ 1119 off_nl = PFLOG_HDRLEN; 1120 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */ 1121 return; 1122 1123 case DLT_JUNIPER_MFR: 1124 case DLT_JUNIPER_MLFR: 1125 case DLT_JUNIPER_MLPPP: 1126 case DLT_JUNIPER_PPP: 1127 case DLT_JUNIPER_CHDLC: 1128 case DLT_JUNIPER_FRELAY: 1129 off_linktype = 4; 1130 off_nl = 4; 1131 off_nl_nosnap = -1; /* no 802.2 LLC */ 1132 return; 1133 1134 case DLT_JUNIPER_ATM1: 1135 off_linktype = 4; /* in reality variable between 4-8 */ 1136 off_nl = 4; 1137 off_nl_nosnap = 14; 1138 return; 1139 1140 case DLT_JUNIPER_ATM2: 1141 off_linktype = 8; /* in reality variable between 8-12 */ 1142 off_nl = 8; 1143 off_nl_nosnap = 18; 1144 return; 1145 1146 /* frames captured on a Juniper PPPoE service PIC 1147 * contain raw ethernet frames */ 1148 case DLT_JUNIPER_PPPOE: 1149 case DLT_JUNIPER_ETHER: 1150 off_linktype = 16; 1151 off_nl = 18; /* Ethernet II */ 1152 off_nl_nosnap = 21; /* 802.3+802.2 */ 1153 return; 1154 1155 case DLT_JUNIPER_PPPOE_ATM: 1156 off_linktype = 4; 1157 off_nl = 6; 1158 off_nl_nosnap = -1; /* no 802.2 LLC */ 1159 return; 1160 1161 case DLT_JUNIPER_GGSN: 1162 off_linktype = 6; 1163 off_nl = 12; 1164 off_nl_nosnap = -1; /* no 802.2 LLC */ 1165 return; 1166 1167 case DLT_JUNIPER_ES: 1168 off_linktype = 6; 1169 off_nl = -1; /* not really a network layer but raw IP adresses */ 1170 off_nl_nosnap = -1; /* no 802.2 LLC */ 1171 return; 1172 1173 case DLT_JUNIPER_MONITOR: 1174 off_linktype = 12; 1175 off_nl = 12; /* raw IP/IP6 header */ 1176 off_nl_nosnap = -1; /* no 802.2 LLC */ 1177 return; 1178 1179 case DLT_JUNIPER_SERVICES: 1180 off_linktype = 12; 1181 off_nl = -1; /* L3 proto location dep. on cookie type */ 1182 off_nl_nosnap = -1; /* no 802.2 LLC */ 1183 return; 1184 1185 case DLT_MTP2: 1186 off_sio = 3; 1187 off_opc = 4; 1188 off_dpc = 4; 1189 off_sls = 7; 1190 off_linktype = -1; 1191 off_nl = -1; 1192 off_nl_nosnap = -1; 1193 return; 1194 1195 #ifdef DLT_PFSYNC 1196 case DLT_PFSYNC: 1197 off_linktype = -1; 1198 off_nl = 4; 1199 off_nl_nosnap = 4; 1200 return; 1201 #endif 1202 1203 case DLT_LINUX_LAPD: 1204 /* 1205 * Currently, only raw "link[N:M]" filtering is supported. 1206 */ 1207 off_linktype = -1; 1208 off_nl = -1; 1209 off_nl_nosnap = -1; 1210 return; 1211 } 1212 bpf_error("unknown data link type %d", linktype); 1213 /* NOTREACHED */ 1214 } 1215 1216 /* 1217 * Load a value relative to the beginning of the link-layer header. 1218 * The link-layer header doesn't necessarily begin at the beginning 1219 * of the packet data; there might be a variable-length prefix containing 1220 * radio information. 1221 */ 1222 static struct slist * 1223 gen_load_llrel(offset, size) 1224 u_int offset, size; 1225 { 1226 struct slist *s, *s2; 1227 1228 s = gen_llprefixlen(); 1229 1230 /* 1231 * If "s" is non-null, it has code to arrange that the X register 1232 * contains the length of the prefix preceding the link-layer 1233 * header. 1234 */ 1235 if (s != NULL) { 1236 s2 = new_stmt(BPF_LD|BPF_IND|size); 1237 s2->s.k = offset; 1238 sappend(s, s2); 1239 } else { 1240 s = new_stmt(BPF_LD|BPF_ABS|size); 1241 s->s.k = offset; 1242 } 1243 return s; 1244 } 1245 1246 /* 1247 * Load a value relative to the beginning of the specified header. 1248 */ 1249 static struct slist * 1250 gen_load_a(offrel, offset, size) 1251 enum e_offrel offrel; 1252 u_int offset, size; 1253 { 1254 struct slist *s, *s2; 1255 1256 switch (offrel) { 1257 1258 case OR_PACKET: 1259 s = gen_load_llrel(offset, size); 1260 break; 1261 1262 case OR_LINK: 1263 s = gen_load_llrel(off_ll + offset, size); 1264 break; 1265 1266 case OR_NET: 1267 s = gen_load_llrel(off_nl + offset, size); 1268 break; 1269 1270 case OR_NET_NOSNAP: 1271 s = gen_load_llrel(off_nl_nosnap + offset, size); 1272 break; 1273 1274 case OR_TRAN_IPV4: 1275 /* 1276 * Load the X register with the length of the IPv4 header, 1277 * in bytes. 1278 */ 1279 s = gen_loadx_iphdrlen(); 1280 1281 /* 1282 * Load the item at {length of the link-layer header} + 1283 * {length of the IPv4 header} + {specified offset}. 1284 */ 1285 s2 = new_stmt(BPF_LD|BPF_IND|size); 1286 s2->s.k = off_nl + offset; 1287 sappend(s, s2); 1288 break; 1289 1290 case OR_TRAN_IPV6: 1291 s = gen_load_llrel(off_nl + 40 + offset, size); 1292 break; 1293 1294 default: 1295 abort(); 1296 return NULL; 1297 } 1298 return s; 1299 } 1300 1301 /* 1302 * Generate code to load into the X register the sum of the length of 1303 * the IPv4 header and any variable-length header preceding the link-layer 1304 * header. 1305 */ 1306 static struct slist * 1307 gen_loadx_iphdrlen() 1308 { 1309 struct slist *s, *s2; 1310 1311 s = gen_llprefixlen(); 1312 if (s != NULL) { 1313 /* 1314 * There's a variable-length prefix preceding the 1315 * link-layer header. "s" points to a list of statements 1316 * that put the length of that prefix into the X register. 1317 * The 4*([k]&0xf) addressing mode can't be used, as we 1318 * don't have a constant offset, so we have to load the 1319 * value in question into the A register and add to it 1320 * the value from the X register. 1321 */ 1322 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1323 s2->s.k = off_nl; 1324 sappend(s, s2); 1325 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1326 s2->s.k = 0xf; 1327 sappend(s, s2); 1328 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1329 s2->s.k = 2; 1330 sappend(s, s2); 1331 1332 /* 1333 * The A register now contains the length of the 1334 * IP header. We need to add to it the length 1335 * of the prefix preceding the link-layer 1336 * header, which is still in the X register, and 1337 * move the result into the X register. 1338 */ 1339 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1340 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1341 } else { 1342 /* 1343 * There is no variable-length header preceding the 1344 * link-layer header; if there's a fixed-length 1345 * header preceding it, its length is included in 1346 * the off_ variables, so it doesn't need to be added. 1347 */ 1348 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1349 s->s.k = off_nl; 1350 } 1351 return s; 1352 } 1353 1354 static struct block * 1355 gen_uncond(rsense) 1356 int rsense; 1357 { 1358 struct block *b; 1359 struct slist *s; 1360 1361 s = new_stmt(BPF_LD|BPF_IMM); 1362 s->s.k = !rsense; 1363 b = new_block(JMP(BPF_JEQ)); 1364 b->stmts = s; 1365 1366 return b; 1367 } 1368 1369 static inline struct block * 1370 gen_true() 1371 { 1372 return gen_uncond(1); 1373 } 1374 1375 static inline struct block * 1376 gen_false() 1377 { 1378 return gen_uncond(0); 1379 } 1380 1381 /* 1382 * Byte-swap a 32-bit number. 1383 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1384 * big-endian platforms.) 1385 */ 1386 #define SWAPLONG(y) \ 1387 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1388 1389 /* 1390 * Generate code to match a particular packet type. 1391 * 1392 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1393 * value, if <= ETHERMTU. We use that to determine whether to 1394 * match the type/length field or to check the type/length field for 1395 * a value <= ETHERMTU to see whether it's a type field and then do 1396 * the appropriate test. 1397 */ 1398 static struct block * 1399 gen_ether_linktype(proto) 1400 register int proto; 1401 { 1402 struct block *b0, *b1; 1403 1404 switch (proto) { 1405 1406 case LLCSAP_ISONS: 1407 case LLCSAP_IP: 1408 case LLCSAP_NETBEUI: 1409 /* 1410 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1411 * so we check the DSAP and SSAP. 1412 * 1413 * LLCSAP_IP checks for IP-over-802.2, rather 1414 * than IP-over-Ethernet or IP-over-SNAP. 1415 * 1416 * XXX - should we check both the DSAP and the 1417 * SSAP, like this, or should we check just the 1418 * DSAP, as we do for other types <= ETHERMTU 1419 * (i.e., other SAP values)? 1420 */ 1421 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1422 gen_not(b0); 1423 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32) 1424 ((proto << 8) | proto)); 1425 gen_and(b0, b1); 1426 return b1; 1427 1428 case LLCSAP_IPX: 1429 /* 1430 * Check for; 1431 * 1432 * Ethernet_II frames, which are Ethernet 1433 * frames with a frame type of ETHERTYPE_IPX; 1434 * 1435 * Ethernet_802.3 frames, which are 802.3 1436 * frames (i.e., the type/length field is 1437 * a length field, <= ETHERMTU, rather than 1438 * a type field) with the first two bytes 1439 * after the Ethernet/802.3 header being 1440 * 0xFFFF; 1441 * 1442 * Ethernet_802.2 frames, which are 802.3 1443 * frames with an 802.2 LLC header and 1444 * with the IPX LSAP as the DSAP in the LLC 1445 * header; 1446 * 1447 * Ethernet_SNAP frames, which are 802.3 1448 * frames with an LLC header and a SNAP 1449 * header and with an OUI of 0x000000 1450 * (encapsulated Ethernet) and a protocol 1451 * ID of ETHERTYPE_IPX in the SNAP header. 1452 * 1453 * XXX - should we generate the same code both 1454 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1455 */ 1456 1457 /* 1458 * This generates code to check both for the 1459 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1460 */ 1461 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1462 (bpf_int32)LLCSAP_IPX); 1463 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, 1464 (bpf_int32)0xFFFF); 1465 gen_or(b0, b1); 1466 1467 /* 1468 * Now we add code to check for SNAP frames with 1469 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1470 */ 1471 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14); 1472 gen_or(b0, b1); 1473 1474 /* 1475 * Now we generate code to check for 802.3 1476 * frames in general. 1477 */ 1478 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1479 gen_not(b0); 1480 1481 /* 1482 * Now add the check for 802.3 frames before the 1483 * check for Ethernet_802.2 and Ethernet_802.3, 1484 * as those checks should only be done on 802.3 1485 * frames, not on Ethernet frames. 1486 */ 1487 gen_and(b0, b1); 1488 1489 /* 1490 * Now add the check for Ethernet_II frames, and 1491 * do that before checking for the other frame 1492 * types. 1493 */ 1494 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1495 (bpf_int32)ETHERTYPE_IPX); 1496 gen_or(b0, b1); 1497 return b1; 1498 1499 case ETHERTYPE_ATALK: 1500 case ETHERTYPE_AARP: 1501 /* 1502 * EtherTalk (AppleTalk protocols on Ethernet link 1503 * layer) may use 802.2 encapsulation. 1504 */ 1505 1506 /* 1507 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1508 * we check for an Ethernet type field less than 1509 * 1500, which means it's an 802.3 length field. 1510 */ 1511 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1512 gen_not(b0); 1513 1514 /* 1515 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1516 * SNAP packets with an organization code of 1517 * 0x080007 (Apple, for Appletalk) and a protocol 1518 * type of ETHERTYPE_ATALK (Appletalk). 1519 * 1520 * 802.2-encapsulated ETHERTYPE_AARP packets are 1521 * SNAP packets with an organization code of 1522 * 0x000000 (encapsulated Ethernet) and a protocol 1523 * type of ETHERTYPE_AARP (Appletalk ARP). 1524 */ 1525 if (proto == ETHERTYPE_ATALK) 1526 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14); 1527 else /* proto == ETHERTYPE_AARP */ 1528 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14); 1529 gen_and(b0, b1); 1530 1531 /* 1532 * Check for Ethernet encapsulation (Ethertalk 1533 * phase 1?); we just check for the Ethernet 1534 * protocol type. 1535 */ 1536 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1537 1538 gen_or(b0, b1); 1539 return b1; 1540 1541 default: 1542 if (proto <= ETHERMTU) { 1543 /* 1544 * This is an LLC SAP value, so the frames 1545 * that match would be 802.2 frames. 1546 * Check that the frame is an 802.2 frame 1547 * (i.e., that the length/type field is 1548 * a length field, <= ETHERMTU) and 1549 * then check the DSAP. 1550 */ 1551 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1552 gen_not(b0); 1553 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1554 (bpf_int32)proto); 1555 gen_and(b0, b1); 1556 return b1; 1557 } else { 1558 /* 1559 * This is an Ethernet type, so compare 1560 * the length/type field with it (if 1561 * the frame is an 802.2 frame, the length 1562 * field will be <= ETHERMTU, and, as 1563 * "proto" is > ETHERMTU, this test 1564 * will fail and the frame won't match, 1565 * which is what we want). 1566 */ 1567 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1568 (bpf_int32)proto); 1569 } 1570 } 1571 } 1572 1573 /* 1574 * Generate code to match a particular packet type. 1575 * 1576 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1577 * value, if <= ETHERMTU. We use that to determine whether to 1578 * match the type field or to check the type field for the special 1579 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1580 */ 1581 static struct block * 1582 gen_linux_sll_linktype(proto) 1583 register int proto; 1584 { 1585 struct block *b0, *b1; 1586 1587 switch (proto) { 1588 1589 case LLCSAP_ISONS: 1590 case LLCSAP_IP: 1591 case LLCSAP_NETBEUI: 1592 /* 1593 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1594 * so we check the DSAP and SSAP. 1595 * 1596 * LLCSAP_IP checks for IP-over-802.2, rather 1597 * than IP-over-Ethernet or IP-over-SNAP. 1598 * 1599 * XXX - should we check both the DSAP and the 1600 * SSAP, like this, or should we check just the 1601 * DSAP, as we do for other types <= ETHERMTU 1602 * (i.e., other SAP values)? 1603 */ 1604 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1605 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32) 1606 ((proto << 8) | proto)); 1607 gen_and(b0, b1); 1608 return b1; 1609 1610 case LLCSAP_IPX: 1611 /* 1612 * Ethernet_II frames, which are Ethernet 1613 * frames with a frame type of ETHERTYPE_IPX; 1614 * 1615 * Ethernet_802.3 frames, which have a frame 1616 * type of LINUX_SLL_P_802_3; 1617 * 1618 * Ethernet_802.2 frames, which are 802.3 1619 * frames with an 802.2 LLC header (i.e, have 1620 * a frame type of LINUX_SLL_P_802_2) and 1621 * with the IPX LSAP as the DSAP in the LLC 1622 * header; 1623 * 1624 * Ethernet_SNAP frames, which are 802.3 1625 * frames with an LLC header and a SNAP 1626 * header and with an OUI of 0x000000 1627 * (encapsulated Ethernet) and a protocol 1628 * ID of ETHERTYPE_IPX in the SNAP header. 1629 * 1630 * First, do the checks on LINUX_SLL_P_802_2 1631 * frames; generate the check for either 1632 * Ethernet_802.2 or Ethernet_SNAP frames, and 1633 * then put a check for LINUX_SLL_P_802_2 frames 1634 * before it. 1635 */ 1636 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1637 (bpf_int32)LLCSAP_IPX); 1638 b1 = gen_snap(0x000000, ETHERTYPE_IPX, 1639 off_linktype + 2); 1640 gen_or(b0, b1); 1641 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1642 gen_and(b0, b1); 1643 1644 /* 1645 * Now check for 802.3 frames and OR that with 1646 * the previous test. 1647 */ 1648 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 1649 gen_or(b0, b1); 1650 1651 /* 1652 * Now add the check for Ethernet_II frames, and 1653 * do that before checking for the other frame 1654 * types. 1655 */ 1656 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1657 (bpf_int32)ETHERTYPE_IPX); 1658 gen_or(b0, b1); 1659 return b1; 1660 1661 case ETHERTYPE_ATALK: 1662 case ETHERTYPE_AARP: 1663 /* 1664 * EtherTalk (AppleTalk protocols on Ethernet link 1665 * layer) may use 802.2 encapsulation. 1666 */ 1667 1668 /* 1669 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1670 * we check for the 802.2 protocol type in the 1671 * "Ethernet type" field. 1672 */ 1673 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1674 1675 /* 1676 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1677 * SNAP packets with an organization code of 1678 * 0x080007 (Apple, for Appletalk) and a protocol 1679 * type of ETHERTYPE_ATALK (Appletalk). 1680 * 1681 * 802.2-encapsulated ETHERTYPE_AARP packets are 1682 * SNAP packets with an organization code of 1683 * 0x000000 (encapsulated Ethernet) and a protocol 1684 * type of ETHERTYPE_AARP (Appletalk ARP). 1685 */ 1686 if (proto == ETHERTYPE_ATALK) 1687 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 1688 off_linktype + 2); 1689 else /* proto == ETHERTYPE_AARP */ 1690 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 1691 off_linktype + 2); 1692 gen_and(b0, b1); 1693 1694 /* 1695 * Check for Ethernet encapsulation (Ethertalk 1696 * phase 1?); we just check for the Ethernet 1697 * protocol type. 1698 */ 1699 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1700 1701 gen_or(b0, b1); 1702 return b1; 1703 1704 default: 1705 if (proto <= ETHERMTU) { 1706 /* 1707 * This is an LLC SAP value, so the frames 1708 * that match would be 802.2 frames. 1709 * Check for the 802.2 protocol type 1710 * in the "Ethernet type" field, and 1711 * then check the DSAP. 1712 */ 1713 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1714 LINUX_SLL_P_802_2); 1715 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1716 (bpf_int32)proto); 1717 gen_and(b0, b1); 1718 return b1; 1719 } else { 1720 /* 1721 * This is an Ethernet type, so compare 1722 * the length/type field with it (if 1723 * the frame is an 802.2 frame, the length 1724 * field will be <= ETHERMTU, and, as 1725 * "proto" is > ETHERMTU, this test 1726 * will fail and the frame won't match, 1727 * which is what we want). 1728 */ 1729 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1730 (bpf_int32)proto); 1731 } 1732 } 1733 } 1734 1735 static void 1736 insert_radiotap_load_llprefixlen(b) 1737 struct block *b; 1738 { 1739 struct slist *s1, *s2; 1740 1741 /* 1742 * Prepend to the statements in this block code to load the 1743 * length of the radiotap header into the register assigned 1744 * to hold that length, if one has been assigned. 1745 */ 1746 if (reg_ll_size != -1) { 1747 /* 1748 * The 2 bytes at offsets of 2 and 3 from the beginning 1749 * of the radiotap header are the length of the radiotap 1750 * header; unfortunately, it's little-endian, so we have 1751 * to load it a byte at a time and construct the value. 1752 */ 1753 1754 /* 1755 * Load the high-order byte, at an offset of 3, shift it 1756 * left a byte, and put the result in the X register. 1757 */ 1758 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1759 s1->s.k = 3; 1760 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1761 sappend(s1, s2); 1762 s2->s.k = 8; 1763 s2 = new_stmt(BPF_MISC|BPF_TAX); 1764 sappend(s1, s2); 1765 1766 /* 1767 * Load the next byte, at an offset of 2, and OR the 1768 * value from the X register into it. 1769 */ 1770 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1771 sappend(s1, s2); 1772 s2->s.k = 2; 1773 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 1774 sappend(s1, s2); 1775 1776 /* 1777 * Now allocate a register to hold that value and store 1778 * it. 1779 */ 1780 s2 = new_stmt(BPF_ST); 1781 s2->s.k = reg_ll_size; 1782 sappend(s1, s2); 1783 1784 /* 1785 * Now move it into the X register. 1786 */ 1787 s2 = new_stmt(BPF_MISC|BPF_TAX); 1788 sappend(s1, s2); 1789 1790 /* 1791 * Now append all the existing statements in this 1792 * block to these statements. 1793 */ 1794 sappend(s1, b->stmts); 1795 b->stmts = s1; 1796 } 1797 } 1798 1799 1800 static void 1801 insert_load_llprefixlen(b) 1802 struct block *b; 1803 { 1804 switch (linktype) { 1805 1806 case DLT_IEEE802_11_RADIO: 1807 insert_radiotap_load_llprefixlen(b); 1808 } 1809 } 1810 1811 1812 static struct slist * 1813 gen_radiotap_llprefixlen(void) 1814 { 1815 struct slist *s; 1816 1817 if (reg_ll_size == -1) { 1818 /* 1819 * We haven't yet assigned a register for the length 1820 * of the radiotap header; allocate one. 1821 */ 1822 reg_ll_size = alloc_reg(); 1823 } 1824 1825 /* 1826 * Load the register containing the radiotap length 1827 * into the X register. 1828 */ 1829 s = new_stmt(BPF_LDX|BPF_MEM); 1830 s->s.k = reg_ll_size; 1831 return s; 1832 } 1833 1834 /* 1835 * Generate code to compute the link-layer header length, if necessary, 1836 * putting it into the X register, and to return either a pointer to a 1837 * "struct slist" for the list of statements in that code, or NULL if 1838 * no code is necessary. 1839 */ 1840 static struct slist * 1841 gen_llprefixlen(void) 1842 { 1843 switch (linktype) { 1844 1845 case DLT_IEEE802_11_RADIO: 1846 return gen_radiotap_llprefixlen(); 1847 1848 default: 1849 return NULL; 1850 } 1851 } 1852 1853 /* 1854 * Generate code to match a particular packet type by matching the 1855 * link-layer type field or fields in the 802.2 LLC header. 1856 * 1857 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1858 * value, if <= ETHERMTU. 1859 */ 1860 static struct block * 1861 gen_linktype(proto) 1862 register int proto; 1863 { 1864 struct block *b0, *b1, *b2; 1865 1866 /* are we checking MPLS-encapsulated packets? */ 1867 if (label_stack_depth > 0) { 1868 switch (proto) { 1869 case ETHERTYPE_IP: 1870 case PPP_IP: 1871 /* FIXME add other L3 proto IDs */ 1872 return gen_mpls_linktype(Q_IP); 1873 1874 case ETHERTYPE_IPV6: 1875 case PPP_IPV6: 1876 /* FIXME add other L3 proto IDs */ 1877 return gen_mpls_linktype(Q_IPV6); 1878 1879 default: 1880 bpf_error("unsupported protocol over mpls"); 1881 /* NOTREACHED */ 1882 } 1883 } 1884 1885 switch (linktype) { 1886 1887 case DLT_EN10MB: 1888 return gen_ether_linktype(proto); 1889 /*NOTREACHED*/ 1890 break; 1891 1892 case DLT_C_HDLC: 1893 switch (proto) { 1894 1895 case LLCSAP_ISONS: 1896 proto = (proto << 8 | LLCSAP_ISONS); 1897 /* fall through */ 1898 1899 default: 1900 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1901 (bpf_int32)proto); 1902 /*NOTREACHED*/ 1903 break; 1904 } 1905 break; 1906 1907 case DLT_FDDI: 1908 case DLT_IEEE802: 1909 case DLT_IEEE802_11: 1910 case DLT_IEEE802_11_RADIO_AVS: 1911 case DLT_IEEE802_11_RADIO: 1912 case DLT_PRISM_HEADER: 1913 case DLT_ATM_RFC1483: 1914 case DLT_ATM_CLIP: 1915 case DLT_IP_OVER_FC: 1916 return gen_llc_linktype(proto); 1917 /*NOTREACHED*/ 1918 break; 1919 1920 case DLT_SUNATM: 1921 /* 1922 * If "is_lane" is set, check for a LANE-encapsulated 1923 * version of this protocol, otherwise check for an 1924 * LLC-encapsulated version of this protocol. 1925 * 1926 * We assume LANE means Ethernet, not Token Ring. 1927 */ 1928 if (is_lane) { 1929 /* 1930 * Check that the packet doesn't begin with an 1931 * LE Control marker. (We've already generated 1932 * a test for LANE.) 1933 */ 1934 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 1935 0xFF00); 1936 gen_not(b0); 1937 1938 /* 1939 * Now generate an Ethernet test. 1940 */ 1941 b1 = gen_ether_linktype(proto); 1942 gen_and(b0, b1); 1943 return b1; 1944 } else { 1945 /* 1946 * Check for LLC encapsulation and then check the 1947 * protocol. 1948 */ 1949 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 1950 b1 = gen_llc_linktype(proto); 1951 gen_and(b0, b1); 1952 return b1; 1953 } 1954 /*NOTREACHED*/ 1955 break; 1956 1957 case DLT_LINUX_SLL: 1958 return gen_linux_sll_linktype(proto); 1959 /*NOTREACHED*/ 1960 break; 1961 1962 case DLT_SLIP: 1963 case DLT_SLIP_BSDOS: 1964 case DLT_RAW: 1965 /* 1966 * These types don't provide any type field; packets 1967 * are always IP. 1968 * 1969 * XXX - for IPv4, check for a version number of 4, and, 1970 * for IPv6, check for a version number of 6? 1971 */ 1972 switch (proto) { 1973 1974 case ETHERTYPE_IP: 1975 #ifdef INET6 1976 case ETHERTYPE_IPV6: 1977 #endif 1978 return gen_true(); /* always true */ 1979 1980 default: 1981 return gen_false(); /* always false */ 1982 } 1983 /*NOTREACHED*/ 1984 break; 1985 1986 case DLT_PPP: 1987 case DLT_PPP_PPPD: 1988 case DLT_PPP_SERIAL: 1989 case DLT_PPP_ETHER: 1990 /* 1991 * We use Ethernet protocol types inside libpcap; 1992 * map them to the corresponding PPP protocol types. 1993 */ 1994 switch (proto) { 1995 1996 case ETHERTYPE_IP: 1997 proto = PPP_IP; 1998 break; 1999 2000 #ifdef INET6 2001 case ETHERTYPE_IPV6: 2002 proto = PPP_IPV6; 2003 break; 2004 #endif 2005 2006 case ETHERTYPE_DN: 2007 proto = PPP_DECNET; 2008 break; 2009 2010 case ETHERTYPE_ATALK: 2011 proto = PPP_APPLE; 2012 break; 2013 2014 case ETHERTYPE_NS: 2015 proto = PPP_NS; 2016 break; 2017 2018 case LLCSAP_ISONS: 2019 proto = PPP_OSI; 2020 break; 2021 2022 case LLCSAP_8021D: 2023 /* 2024 * I'm assuming the "Bridging PDU"s that go 2025 * over PPP are Spanning Tree Protocol 2026 * Bridging PDUs. 2027 */ 2028 proto = PPP_BRPDU; 2029 break; 2030 2031 case LLCSAP_IPX: 2032 proto = PPP_IPX; 2033 break; 2034 } 2035 break; 2036 2037 case DLT_PPP_BSDOS: 2038 /* 2039 * We use Ethernet protocol types inside libpcap; 2040 * map them to the corresponding PPP protocol types. 2041 */ 2042 switch (proto) { 2043 2044 case ETHERTYPE_IP: 2045 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 2046 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 2047 gen_or(b0, b1); 2048 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 2049 gen_or(b1, b0); 2050 return b0; 2051 2052 #ifdef INET6 2053 case ETHERTYPE_IPV6: 2054 proto = PPP_IPV6; 2055 /* more to go? */ 2056 break; 2057 #endif 2058 2059 case ETHERTYPE_DN: 2060 proto = PPP_DECNET; 2061 break; 2062 2063 case ETHERTYPE_ATALK: 2064 proto = PPP_APPLE; 2065 break; 2066 2067 case ETHERTYPE_NS: 2068 proto = PPP_NS; 2069 break; 2070 2071 case LLCSAP_ISONS: 2072 proto = PPP_OSI; 2073 break; 2074 2075 case LLCSAP_8021D: 2076 /* 2077 * I'm assuming the "Bridging PDU"s that go 2078 * over PPP are Spanning Tree Protocol 2079 * Bridging PDUs. 2080 */ 2081 proto = PPP_BRPDU; 2082 break; 2083 2084 case LLCSAP_IPX: 2085 proto = PPP_IPX; 2086 break; 2087 } 2088 break; 2089 2090 case DLT_NULL: 2091 case DLT_LOOP: 2092 case DLT_ENC: 2093 /* 2094 * For DLT_NULL, the link-layer header is a 32-bit 2095 * word containing an AF_ value in *host* byte order, 2096 * and for DLT_ENC, the link-layer header begins 2097 * with a 32-bit work containing an AF_ value in 2098 * host byte order. 2099 * 2100 * In addition, if we're reading a saved capture file, 2101 * the host byte order in the capture may not be the 2102 * same as the host byte order on this machine. 2103 * 2104 * For DLT_LOOP, the link-layer header is a 32-bit 2105 * word containing an AF_ value in *network* byte order. 2106 * 2107 * XXX - AF_ values may, unfortunately, be platform- 2108 * dependent; for example, FreeBSD's AF_INET6 is 24 2109 * whilst NetBSD's and OpenBSD's is 26. 2110 * 2111 * This means that, when reading a capture file, just 2112 * checking for our AF_INET6 value won't work if the 2113 * capture file came from another OS. 2114 */ 2115 switch (proto) { 2116 2117 case ETHERTYPE_IP: 2118 proto = AF_INET; 2119 break; 2120 2121 #ifdef INET6 2122 case ETHERTYPE_IPV6: 2123 proto = AF_INET6; 2124 break; 2125 #endif 2126 2127 default: 2128 /* 2129 * Not a type on which we support filtering. 2130 * XXX - support those that have AF_ values 2131 * #defined on this platform, at least? 2132 */ 2133 return gen_false(); 2134 } 2135 2136 if (linktype == DLT_NULL || linktype == DLT_ENC) { 2137 /* 2138 * The AF_ value is in host byte order, but 2139 * the BPF interpreter will convert it to 2140 * network byte order. 2141 * 2142 * If this is a save file, and it's from a 2143 * machine with the opposite byte order to 2144 * ours, we byte-swap the AF_ value. 2145 * 2146 * Then we run it through "htonl()", and 2147 * generate code to compare against the result. 2148 */ 2149 if (bpf_pcap->sf.rfile != NULL && 2150 bpf_pcap->sf.swapped) 2151 proto = SWAPLONG(proto); 2152 proto = htonl(proto); 2153 } 2154 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 2155 2156 case DLT_PFLOG: 2157 /* 2158 * af field is host byte order in contrast to the rest of 2159 * the packet. 2160 */ 2161 if (proto == ETHERTYPE_IP) 2162 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 2163 BPF_B, (bpf_int32)AF_INET)); 2164 #ifdef INET6 2165 else if (proto == ETHERTYPE_IPV6) 2166 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 2167 BPF_B, (bpf_int32)AF_INET6)); 2168 #endif /* INET6 */ 2169 else 2170 return gen_false(); 2171 /*NOTREACHED*/ 2172 break; 2173 2174 case DLT_ARCNET: 2175 case DLT_ARCNET_LINUX: 2176 /* 2177 * XXX should we check for first fragment if the protocol 2178 * uses PHDS? 2179 */ 2180 switch (proto) { 2181 2182 default: 2183 return gen_false(); 2184 2185 #ifdef INET6 2186 case ETHERTYPE_IPV6: 2187 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2188 (bpf_int32)ARCTYPE_INET6)); 2189 #endif /* INET6 */ 2190 2191 case ETHERTYPE_IP: 2192 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2193 (bpf_int32)ARCTYPE_IP); 2194 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2195 (bpf_int32)ARCTYPE_IP_OLD); 2196 gen_or(b0, b1); 2197 return (b1); 2198 2199 case ETHERTYPE_ARP: 2200 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2201 (bpf_int32)ARCTYPE_ARP); 2202 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2203 (bpf_int32)ARCTYPE_ARP_OLD); 2204 gen_or(b0, b1); 2205 return (b1); 2206 2207 case ETHERTYPE_REVARP: 2208 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2209 (bpf_int32)ARCTYPE_REVARP)); 2210 2211 case ETHERTYPE_ATALK: 2212 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2213 (bpf_int32)ARCTYPE_ATALK)); 2214 } 2215 /*NOTREACHED*/ 2216 break; 2217 2218 case DLT_LTALK: 2219 switch (proto) { 2220 case ETHERTYPE_ATALK: 2221 return gen_true(); 2222 default: 2223 return gen_false(); 2224 } 2225 /*NOTREACHED*/ 2226 break; 2227 2228 case DLT_FRELAY: 2229 /* 2230 * XXX - assumes a 2-byte Frame Relay header with 2231 * DLCI and flags. What if the address is longer? 2232 */ 2233 switch (proto) { 2234 2235 case ETHERTYPE_IP: 2236 /* 2237 * Check for the special NLPID for IP. 2238 */ 2239 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 2240 2241 #ifdef INET6 2242 case ETHERTYPE_IPV6: 2243 /* 2244 * Check for the special NLPID for IPv6. 2245 */ 2246 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 2247 #endif 2248 2249 case LLCSAP_ISONS: 2250 /* 2251 * Check for several OSI protocols. 2252 * 2253 * Frame Relay packets typically have an OSI 2254 * NLPID at the beginning; we check for each 2255 * of them. 2256 * 2257 * What we check for is the NLPID and a frame 2258 * control field of UI, i.e. 0x03 followed 2259 * by the NLPID. 2260 */ 2261 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 2262 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 2263 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 2264 gen_or(b1, b2); 2265 gen_or(b0, b2); 2266 return b2; 2267 2268 default: 2269 return gen_false(); 2270 } 2271 /*NOTREACHED*/ 2272 break; 2273 2274 case DLT_JUNIPER_MFR: 2275 case DLT_JUNIPER_MLFR: 2276 case DLT_JUNIPER_MLPPP: 2277 case DLT_JUNIPER_ATM1: 2278 case DLT_JUNIPER_ATM2: 2279 case DLT_JUNIPER_PPPOE: 2280 case DLT_JUNIPER_PPPOE_ATM: 2281 case DLT_JUNIPER_GGSN: 2282 case DLT_JUNIPER_ES: 2283 case DLT_JUNIPER_MONITOR: 2284 case DLT_JUNIPER_SERVICES: 2285 case DLT_JUNIPER_ETHER: 2286 case DLT_JUNIPER_PPP: 2287 case DLT_JUNIPER_FRELAY: 2288 case DLT_JUNIPER_CHDLC: 2289 /* just lets verify the magic number for now - 2290 * on ATM we may have up to 6 different encapsulations on the wire 2291 * and need a lot of heuristics to figure out that the payload 2292 * might be; 2293 * 2294 * FIXME encapsulation specific BPF_ filters 2295 */ 2296 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 2297 2298 case DLT_LINUX_IRDA: 2299 bpf_error("IrDA link-layer type filtering not implemented"); 2300 2301 case DLT_DOCSIS: 2302 bpf_error("DOCSIS link-layer type filtering not implemented"); 2303 2304 case DLT_LINUX_LAPD: 2305 bpf_error("LAPD link-layer type filtering not implemented"); 2306 } 2307 2308 /* 2309 * All the types that have no encapsulation should either be 2310 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 2311 * all packets are IP packets, or should be handled in some 2312 * special case, if none of them are (if some are and some 2313 * aren't, the lack of encapsulation is a problem, as we'd 2314 * have to find some other way of determining the packet type). 2315 * 2316 * Therefore, if "off_linktype" is -1, there's an error. 2317 */ 2318 if (off_linktype == (u_int)-1) 2319 abort(); 2320 2321 /* 2322 * Any type not handled above should always have an Ethernet 2323 * type at an offset of "off_linktype". (PPP is partially 2324 * handled above - the protocol type is mapped from the 2325 * Ethernet and LLC types we use internally to the corresponding 2326 * PPP type - but the PPP type is always specified by a value 2327 * at "off_linktype", so we don't have to do the code generation 2328 * above.) 2329 */ 2330 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2331 } 2332 2333 /* 2334 * Check for an LLC SNAP packet with a given organization code and 2335 * protocol type; we check the entire contents of the 802.2 LLC and 2336 * snap headers, checking for DSAP and SSAP of SNAP and a control 2337 * field of 0x03 in the LLC header, and for the specified organization 2338 * code and protocol type in the SNAP header. 2339 */ 2340 static struct block * 2341 gen_snap(orgcode, ptype, offset) 2342 bpf_u_int32 orgcode; 2343 bpf_u_int32 ptype; 2344 u_int offset; 2345 { 2346 u_char snapblock[8]; 2347 2348 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 2349 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 2350 snapblock[2] = 0x03; /* control = UI */ 2351 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 2352 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 2353 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 2354 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 2355 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 2356 return gen_bcmp(OR_LINK, offset, 8, snapblock); 2357 } 2358 2359 /* 2360 * Generate code to match a particular packet type, for link-layer types 2361 * using 802.2 LLC headers. 2362 * 2363 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 2364 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 2365 * 2366 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2367 * value, if <= ETHERMTU. We use that to determine whether to 2368 * match the DSAP or both DSAP and LSAP or to check the OUI and 2369 * protocol ID in a SNAP header. 2370 */ 2371 static struct block * 2372 gen_llc_linktype(proto) 2373 int proto; 2374 { 2375 /* 2376 * XXX - handle token-ring variable-length header. 2377 */ 2378 switch (proto) { 2379 2380 case LLCSAP_IP: 2381 case LLCSAP_ISONS: 2382 case LLCSAP_NETBEUI: 2383 /* 2384 * XXX - should we check both the DSAP and the 2385 * SSAP, like this, or should we check just the 2386 * DSAP, as we do for other types <= ETHERMTU 2387 * (i.e., other SAP values)? 2388 */ 2389 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32) 2390 ((proto << 8) | proto)); 2391 2392 case LLCSAP_IPX: 2393 /* 2394 * XXX - are there ever SNAP frames for IPX on 2395 * non-Ethernet 802.x networks? 2396 */ 2397 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2398 (bpf_int32)LLCSAP_IPX); 2399 2400 case ETHERTYPE_ATALK: 2401 /* 2402 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2403 * SNAP packets with an organization code of 2404 * 0x080007 (Apple, for Appletalk) and a protocol 2405 * type of ETHERTYPE_ATALK (Appletalk). 2406 * 2407 * XXX - check for an organization code of 2408 * encapsulated Ethernet as well? 2409 */ 2410 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype); 2411 2412 default: 2413 /* 2414 * XXX - we don't have to check for IPX 802.3 2415 * here, but should we check for the IPX Ethertype? 2416 */ 2417 if (proto <= ETHERMTU) { 2418 /* 2419 * This is an LLC SAP value, so check 2420 * the DSAP. 2421 */ 2422 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2423 (bpf_int32)proto); 2424 } else { 2425 /* 2426 * This is an Ethernet type; we assume that it's 2427 * unlikely that it'll appear in the right place 2428 * at random, and therefore check only the 2429 * location that would hold the Ethernet type 2430 * in a SNAP frame with an organization code of 2431 * 0x000000 (encapsulated Ethernet). 2432 * 2433 * XXX - if we were to check for the SNAP DSAP and 2434 * LSAP, as per XXX, and were also to check for an 2435 * organization code of 0x000000 (encapsulated 2436 * Ethernet), we'd do 2437 * 2438 * return gen_snap(0x000000, proto, 2439 * off_linktype); 2440 * 2441 * here; for now, we don't, as per the above. 2442 * I don't know whether it's worth the extra CPU 2443 * time to do the right check or not. 2444 */ 2445 return gen_cmp(OR_LINK, off_linktype+6, BPF_H, 2446 (bpf_int32)proto); 2447 } 2448 } 2449 } 2450 2451 static struct block * 2452 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 2453 bpf_u_int32 addr; 2454 bpf_u_int32 mask; 2455 int dir, proto; 2456 u_int src_off, dst_off; 2457 { 2458 struct block *b0, *b1; 2459 u_int offset; 2460 2461 switch (dir) { 2462 2463 case Q_SRC: 2464 offset = src_off; 2465 break; 2466 2467 case Q_DST: 2468 offset = dst_off; 2469 break; 2470 2471 case Q_AND: 2472 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 2473 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 2474 gen_and(b0, b1); 2475 return b1; 2476 2477 case Q_OR: 2478 case Q_DEFAULT: 2479 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 2480 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 2481 gen_or(b0, b1); 2482 return b1; 2483 2484 default: 2485 abort(); 2486 } 2487 b0 = gen_linktype(proto); 2488 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 2489 gen_and(b0, b1); 2490 return b1; 2491 } 2492 2493 #ifdef INET6 2494 static struct block * 2495 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 2496 struct in6_addr *addr; 2497 struct in6_addr *mask; 2498 int dir, proto; 2499 u_int src_off, dst_off; 2500 { 2501 struct block *b0, *b1; 2502 u_int offset; 2503 u_int32_t *a, *m; 2504 2505 switch (dir) { 2506 2507 case Q_SRC: 2508 offset = src_off; 2509 break; 2510 2511 case Q_DST: 2512 offset = dst_off; 2513 break; 2514 2515 case Q_AND: 2516 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 2517 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 2518 gen_and(b0, b1); 2519 return b1; 2520 2521 case Q_OR: 2522 case Q_DEFAULT: 2523 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 2524 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 2525 gen_or(b0, b1); 2526 return b1; 2527 2528 default: 2529 abort(); 2530 } 2531 /* this order is important */ 2532 a = (u_int32_t *)addr; 2533 m = (u_int32_t *)mask; 2534 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 2535 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 2536 gen_and(b0, b1); 2537 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 2538 gen_and(b0, b1); 2539 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 2540 gen_and(b0, b1); 2541 b0 = gen_linktype(proto); 2542 gen_and(b0, b1); 2543 return b1; 2544 } 2545 #endif /*INET6*/ 2546 2547 static struct block * 2548 gen_ehostop(eaddr, dir) 2549 register const u_char *eaddr; 2550 register int dir; 2551 { 2552 register struct block *b0, *b1; 2553 2554 switch (dir) { 2555 case Q_SRC: 2556 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 2557 2558 case Q_DST: 2559 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 2560 2561 case Q_AND: 2562 b0 = gen_ehostop(eaddr, Q_SRC); 2563 b1 = gen_ehostop(eaddr, Q_DST); 2564 gen_and(b0, b1); 2565 return b1; 2566 2567 case Q_DEFAULT: 2568 case Q_OR: 2569 b0 = gen_ehostop(eaddr, Q_SRC); 2570 b1 = gen_ehostop(eaddr, Q_DST); 2571 gen_or(b0, b1); 2572 return b1; 2573 } 2574 abort(); 2575 /* NOTREACHED */ 2576 } 2577 2578 /* 2579 * Like gen_ehostop, but for DLT_FDDI 2580 */ 2581 static struct block * 2582 gen_fhostop(eaddr, dir) 2583 register const u_char *eaddr; 2584 register int dir; 2585 { 2586 struct block *b0, *b1; 2587 2588 switch (dir) { 2589 case Q_SRC: 2590 #ifdef PCAP_FDDIPAD 2591 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 2592 #else 2593 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 2594 #endif 2595 2596 case Q_DST: 2597 #ifdef PCAP_FDDIPAD 2598 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 2599 #else 2600 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 2601 #endif 2602 2603 case Q_AND: 2604 b0 = gen_fhostop(eaddr, Q_SRC); 2605 b1 = gen_fhostop(eaddr, Q_DST); 2606 gen_and(b0, b1); 2607 return b1; 2608 2609 case Q_DEFAULT: 2610 case Q_OR: 2611 b0 = gen_fhostop(eaddr, Q_SRC); 2612 b1 = gen_fhostop(eaddr, Q_DST); 2613 gen_or(b0, b1); 2614 return b1; 2615 } 2616 abort(); 2617 /* NOTREACHED */ 2618 } 2619 2620 /* 2621 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 2622 */ 2623 static struct block * 2624 gen_thostop(eaddr, dir) 2625 register const u_char *eaddr; 2626 register int dir; 2627 { 2628 register struct block *b0, *b1; 2629 2630 switch (dir) { 2631 case Q_SRC: 2632 return gen_bcmp(OR_LINK, 8, 6, eaddr); 2633 2634 case Q_DST: 2635 return gen_bcmp(OR_LINK, 2, 6, eaddr); 2636 2637 case Q_AND: 2638 b0 = gen_thostop(eaddr, Q_SRC); 2639 b1 = gen_thostop(eaddr, Q_DST); 2640 gen_and(b0, b1); 2641 return b1; 2642 2643 case Q_DEFAULT: 2644 case Q_OR: 2645 b0 = gen_thostop(eaddr, Q_SRC); 2646 b1 = gen_thostop(eaddr, Q_DST); 2647 gen_or(b0, b1); 2648 return b1; 2649 } 2650 abort(); 2651 /* NOTREACHED */ 2652 } 2653 2654 /* 2655 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) 2656 */ 2657 static struct block * 2658 gen_wlanhostop(eaddr, dir) 2659 register const u_char *eaddr; 2660 register int dir; 2661 { 2662 register struct block *b0, *b1, *b2; 2663 register struct slist *s; 2664 2665 switch (dir) { 2666 case Q_SRC: 2667 /* 2668 * Oh, yuk. 2669 * 2670 * For control frames, there is no SA. 2671 * 2672 * For management frames, SA is at an 2673 * offset of 10 from the beginning of 2674 * the packet. 2675 * 2676 * For data frames, SA is at an offset 2677 * of 10 from the beginning of the packet 2678 * if From DS is clear, at an offset of 2679 * 16 from the beginning of the packet 2680 * if From DS is set and To DS is clear, 2681 * and an offset of 24 from the beginning 2682 * of the packet if From DS is set and To DS 2683 * is set. 2684 */ 2685 2686 /* 2687 * Generate the tests to be done for data frames 2688 * with From DS set. 2689 * 2690 * First, check for To DS set, i.e. check "link[1] & 0x01". 2691 */ 2692 s = gen_load_a(OR_LINK, 1, BPF_B); 2693 b1 = new_block(JMP(BPF_JSET)); 2694 b1->s.k = 0x01; /* To DS */ 2695 b1->stmts = s; 2696 2697 /* 2698 * If To DS is set, the SA is at 24. 2699 */ 2700 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 2701 gen_and(b1, b0); 2702 2703 /* 2704 * Now, check for To DS not set, i.e. check 2705 * "!(link[1] & 0x01)". 2706 */ 2707 s = gen_load_a(OR_LINK, 1, BPF_B); 2708 b2 = new_block(JMP(BPF_JSET)); 2709 b2->s.k = 0x01; /* To DS */ 2710 b2->stmts = s; 2711 gen_not(b2); 2712 2713 /* 2714 * If To DS is not set, the SA is at 16. 2715 */ 2716 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 2717 gen_and(b2, b1); 2718 2719 /* 2720 * Now OR together the last two checks. That gives 2721 * the complete set of checks for data frames with 2722 * From DS set. 2723 */ 2724 gen_or(b1, b0); 2725 2726 /* 2727 * Now check for From DS being set, and AND that with 2728 * the ORed-together checks. 2729 */ 2730 s = gen_load_a(OR_LINK, 1, BPF_B); 2731 b1 = new_block(JMP(BPF_JSET)); 2732 b1->s.k = 0x02; /* From DS */ 2733 b1->stmts = s; 2734 gen_and(b1, b0); 2735 2736 /* 2737 * Now check for data frames with From DS not set. 2738 */ 2739 s = gen_load_a(OR_LINK, 1, BPF_B); 2740 b2 = new_block(JMP(BPF_JSET)); 2741 b2->s.k = 0x02; /* From DS */ 2742 b2->stmts = s; 2743 gen_not(b2); 2744 2745 /* 2746 * If From DS isn't set, the SA is at 10. 2747 */ 2748 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 2749 gen_and(b2, b1); 2750 2751 /* 2752 * Now OR together the checks for data frames with 2753 * From DS not set and for data frames with From DS 2754 * set; that gives the checks done for data frames. 2755 */ 2756 gen_or(b1, b0); 2757 2758 /* 2759 * Now check for a data frame. 2760 * I.e, check "link[0] & 0x08". 2761 */ 2762 gen_load_a(OR_LINK, 0, BPF_B); 2763 b1 = new_block(JMP(BPF_JSET)); 2764 b1->s.k = 0x08; 2765 b1->stmts = s; 2766 2767 /* 2768 * AND that with the checks done for data frames. 2769 */ 2770 gen_and(b1, b0); 2771 2772 /* 2773 * If the high-order bit of the type value is 0, this 2774 * is a management frame. 2775 * I.e, check "!(link[0] & 0x08)". 2776 */ 2777 s = gen_load_a(OR_LINK, 0, BPF_B); 2778 b2 = new_block(JMP(BPF_JSET)); 2779 b2->s.k = 0x08; 2780 b2->stmts = s; 2781 gen_not(b2); 2782 2783 /* 2784 * For management frames, the SA is at 10. 2785 */ 2786 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 2787 gen_and(b2, b1); 2788 2789 /* 2790 * OR that with the checks done for data frames. 2791 * That gives the checks done for management and 2792 * data frames. 2793 */ 2794 gen_or(b1, b0); 2795 2796 /* 2797 * If the low-order bit of the type value is 1, 2798 * this is either a control frame or a frame 2799 * with a reserved type, and thus not a 2800 * frame with an SA. 2801 * 2802 * I.e., check "!(link[0] & 0x04)". 2803 */ 2804 s = gen_load_a(OR_LINK, 0, BPF_B); 2805 b1 = new_block(JMP(BPF_JSET)); 2806 b1->s.k = 0x04; 2807 b1->stmts = s; 2808 gen_not(b1); 2809 2810 /* 2811 * AND that with the checks for data and management 2812 * frames. 2813 */ 2814 gen_and(b1, b0); 2815 return b0; 2816 2817 case Q_DST: 2818 /* 2819 * Oh, yuk. 2820 * 2821 * For control frames, there is no DA. 2822 * 2823 * For management frames, DA is at an 2824 * offset of 4 from the beginning of 2825 * the packet. 2826 * 2827 * For data frames, DA is at an offset 2828 * of 4 from the beginning of the packet 2829 * if To DS is clear and at an offset of 2830 * 16 from the beginning of the packet 2831 * if To DS is set. 2832 */ 2833 2834 /* 2835 * Generate the tests to be done for data frames. 2836 * 2837 * First, check for To DS set, i.e. "link[1] & 0x01". 2838 */ 2839 s = gen_load_a(OR_LINK, 1, BPF_B); 2840 b1 = new_block(JMP(BPF_JSET)); 2841 b1->s.k = 0x01; /* To DS */ 2842 b1->stmts = s; 2843 2844 /* 2845 * If To DS is set, the DA is at 16. 2846 */ 2847 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 2848 gen_and(b1, b0); 2849 2850 /* 2851 * Now, check for To DS not set, i.e. check 2852 * "!(link[1] & 0x01)". 2853 */ 2854 s = gen_load_a(OR_LINK, 1, BPF_B); 2855 b2 = new_block(JMP(BPF_JSET)); 2856 b2->s.k = 0x01; /* To DS */ 2857 b2->stmts = s; 2858 gen_not(b2); 2859 2860 /* 2861 * If To DS is not set, the DA is at 4. 2862 */ 2863 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 2864 gen_and(b2, b1); 2865 2866 /* 2867 * Now OR together the last two checks. That gives 2868 * the complete set of checks for data frames. 2869 */ 2870 gen_or(b1, b0); 2871 2872 /* 2873 * Now check for a data frame. 2874 * I.e, check "link[0] & 0x08". 2875 */ 2876 s = gen_load_a(OR_LINK, 0, BPF_B); 2877 b1 = new_block(JMP(BPF_JSET)); 2878 b1->s.k = 0x08; 2879 b1->stmts = s; 2880 2881 /* 2882 * AND that with the checks done for data frames. 2883 */ 2884 gen_and(b1, b0); 2885 2886 /* 2887 * If the high-order bit of the type value is 0, this 2888 * is a management frame. 2889 * I.e, check "!(link[0] & 0x08)". 2890 */ 2891 s = gen_load_a(OR_LINK, 0, BPF_B); 2892 b2 = new_block(JMP(BPF_JSET)); 2893 b2->s.k = 0x08; 2894 b2->stmts = s; 2895 gen_not(b2); 2896 2897 /* 2898 * For management frames, the DA is at 4. 2899 */ 2900 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 2901 gen_and(b2, b1); 2902 2903 /* 2904 * OR that with the checks done for data frames. 2905 * That gives the checks done for management and 2906 * data frames. 2907 */ 2908 gen_or(b1, b0); 2909 2910 /* 2911 * If the low-order bit of the type value is 1, 2912 * this is either a control frame or a frame 2913 * with a reserved type, and thus not a 2914 * frame with an SA. 2915 * 2916 * I.e., check "!(link[0] & 0x04)". 2917 */ 2918 s = gen_load_a(OR_LINK, 0, BPF_B); 2919 b1 = new_block(JMP(BPF_JSET)); 2920 b1->s.k = 0x04; 2921 b1->stmts = s; 2922 gen_not(b1); 2923 2924 /* 2925 * AND that with the checks for data and management 2926 * frames. 2927 */ 2928 gen_and(b1, b0); 2929 return b0; 2930 2931 case Q_AND: 2932 b0 = gen_wlanhostop(eaddr, Q_SRC); 2933 b1 = gen_wlanhostop(eaddr, Q_DST); 2934 gen_and(b0, b1); 2935 return b1; 2936 2937 case Q_DEFAULT: 2938 case Q_OR: 2939 b0 = gen_wlanhostop(eaddr, Q_SRC); 2940 b1 = gen_wlanhostop(eaddr, Q_DST); 2941 gen_or(b0, b1); 2942 return b1; 2943 } 2944 abort(); 2945 /* NOTREACHED */ 2946 } 2947 2948 /* 2949 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 2950 * (We assume that the addresses are IEEE 48-bit MAC addresses, 2951 * as the RFC states.) 2952 */ 2953 static struct block * 2954 gen_ipfchostop(eaddr, dir) 2955 register const u_char *eaddr; 2956 register int dir; 2957 { 2958 register struct block *b0, *b1; 2959 2960 switch (dir) { 2961 case Q_SRC: 2962 return gen_bcmp(OR_LINK, 10, 6, eaddr); 2963 2964 case Q_DST: 2965 return gen_bcmp(OR_LINK, 2, 6, eaddr); 2966 2967 case Q_AND: 2968 b0 = gen_ipfchostop(eaddr, Q_SRC); 2969 b1 = gen_ipfchostop(eaddr, Q_DST); 2970 gen_and(b0, b1); 2971 return b1; 2972 2973 case Q_DEFAULT: 2974 case Q_OR: 2975 b0 = gen_ipfchostop(eaddr, Q_SRC); 2976 b1 = gen_ipfchostop(eaddr, Q_DST); 2977 gen_or(b0, b1); 2978 return b1; 2979 } 2980 abort(); 2981 /* NOTREACHED */ 2982 } 2983 2984 /* 2985 * This is quite tricky because there may be pad bytes in front of the 2986 * DECNET header, and then there are two possible data packet formats that 2987 * carry both src and dst addresses, plus 5 packet types in a format that 2988 * carries only the src node, plus 2 types that use a different format and 2989 * also carry just the src node. 2990 * 2991 * Yuck. 2992 * 2993 * Instead of doing those all right, we just look for data packets with 2994 * 0 or 1 bytes of padding. If you want to look at other packets, that 2995 * will require a lot more hacking. 2996 * 2997 * To add support for filtering on DECNET "areas" (network numbers) 2998 * one would want to add a "mask" argument to this routine. That would 2999 * make the filter even more inefficient, although one could be clever 3000 * and not generate masking instructions if the mask is 0xFFFF. 3001 */ 3002 static struct block * 3003 gen_dnhostop(addr, dir) 3004 bpf_u_int32 addr; 3005 int dir; 3006 { 3007 struct block *b0, *b1, *b2, *tmp; 3008 u_int offset_lh; /* offset if long header is received */ 3009 u_int offset_sh; /* offset if short header is received */ 3010 3011 switch (dir) { 3012 3013 case Q_DST: 3014 offset_sh = 1; /* follows flags */ 3015 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 3016 break; 3017 3018 case Q_SRC: 3019 offset_sh = 3; /* follows flags, dstnode */ 3020 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 3021 break; 3022 3023 case Q_AND: 3024 /* Inefficient because we do our Calvinball dance twice */ 3025 b0 = gen_dnhostop(addr, Q_SRC); 3026 b1 = gen_dnhostop(addr, Q_DST); 3027 gen_and(b0, b1); 3028 return b1; 3029 3030 case Q_OR: 3031 case Q_DEFAULT: 3032 /* Inefficient because we do our Calvinball dance twice */ 3033 b0 = gen_dnhostop(addr, Q_SRC); 3034 b1 = gen_dnhostop(addr, Q_DST); 3035 gen_or(b0, b1); 3036 return b1; 3037 3038 case Q_ISO: 3039 bpf_error("ISO host filtering not implemented"); 3040 3041 default: 3042 abort(); 3043 } 3044 b0 = gen_linktype(ETHERTYPE_DN); 3045 /* Check for pad = 1, long header case */ 3046 tmp = gen_mcmp(OR_NET, 2, BPF_H, 3047 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 3048 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 3049 BPF_H, (bpf_int32)ntohs(addr)); 3050 gen_and(tmp, b1); 3051 /* Check for pad = 0, long header case */ 3052 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 3053 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr)); 3054 gen_and(tmp, b2); 3055 gen_or(b2, b1); 3056 /* Check for pad = 1, short header case */ 3057 tmp = gen_mcmp(OR_NET, 2, BPF_H, 3058 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 3059 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs(addr)); 3060 gen_and(tmp, b2); 3061 gen_or(b2, b1); 3062 /* Check for pad = 0, short header case */ 3063 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 3064 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr)); 3065 gen_and(tmp, b2); 3066 gen_or(b2, b1); 3067 3068 /* Combine with test for linktype */ 3069 gen_and(b0, b1); 3070 return b1; 3071 } 3072 3073 /* 3074 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 3075 * test the bottom-of-stack bit, and then check the version number 3076 * field in the IP header. 3077 */ 3078 static struct block * 3079 gen_mpls_linktype(proto) 3080 int proto; 3081 { 3082 struct block *b0, *b1; 3083 3084 switch (proto) { 3085 3086 case Q_IP: 3087 /* match the bottom-of-stack bit */ 3088 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 3089 /* match the IPv4 version number */ 3090 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 3091 gen_and(b0, b1); 3092 return b1; 3093 3094 case Q_IPV6: 3095 /* match the bottom-of-stack bit */ 3096 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 3097 /* match the IPv4 version number */ 3098 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 3099 gen_and(b0, b1); 3100 return b1; 3101 3102 default: 3103 abort(); 3104 } 3105 } 3106 3107 static struct block * 3108 gen_host(addr, mask, proto, dir) 3109 bpf_u_int32 addr; 3110 bpf_u_int32 mask; 3111 int proto; 3112 int dir; 3113 { 3114 struct block *b0, *b1; 3115 3116 switch (proto) { 3117 3118 case Q_DEFAULT: 3119 b0 = gen_host(addr, mask, Q_IP, dir); 3120 /* 3121 * Only check for non-IPv4 addresses if we're not 3122 * checking MPLS-encapsulated packets. 3123 */ 3124 if (label_stack_depth == 0) { 3125 b1 = gen_host(addr, mask, Q_ARP, dir); 3126 gen_or(b0, b1); 3127 b0 = gen_host(addr, mask, Q_RARP, dir); 3128 gen_or(b1, b0); 3129 } 3130 return b0; 3131 3132 case Q_IP: 3133 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 3134 3135 case Q_RARP: 3136 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 3137 3138 case Q_ARP: 3139 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 3140 3141 case Q_TCP: 3142 bpf_error("'tcp' modifier applied to host"); 3143 3144 case Q_SCTP: 3145 bpf_error("'sctp' modifier applied to host"); 3146 3147 case Q_UDP: 3148 bpf_error("'udp' modifier applied to host"); 3149 3150 case Q_ICMP: 3151 bpf_error("'icmp' modifier applied to host"); 3152 3153 case Q_IGMP: 3154 bpf_error("'igmp' modifier applied to host"); 3155 3156 case Q_IGRP: 3157 bpf_error("'igrp' modifier applied to host"); 3158 3159 case Q_PIM: 3160 bpf_error("'pim' modifier applied to host"); 3161 3162 case Q_VRRP: 3163 bpf_error("'vrrp' modifier applied to host"); 3164 3165 case Q_ATALK: 3166 bpf_error("ATALK host filtering not implemented"); 3167 3168 case Q_AARP: 3169 bpf_error("AARP host filtering not implemented"); 3170 3171 case Q_DECNET: 3172 return gen_dnhostop(addr, dir); 3173 3174 case Q_SCA: 3175 bpf_error("SCA host filtering not implemented"); 3176 3177 case Q_LAT: 3178 bpf_error("LAT host filtering not implemented"); 3179 3180 case Q_MOPDL: 3181 bpf_error("MOPDL host filtering not implemented"); 3182 3183 case Q_MOPRC: 3184 bpf_error("MOPRC host filtering not implemented"); 3185 3186 #ifdef INET6 3187 case Q_IPV6: 3188 bpf_error("'ip6' modifier applied to ip host"); 3189 3190 case Q_ICMPV6: 3191 bpf_error("'icmp6' modifier applied to host"); 3192 #endif /* INET6 */ 3193 3194 case Q_AH: 3195 bpf_error("'ah' modifier applied to host"); 3196 3197 case Q_ESP: 3198 bpf_error("'esp' modifier applied to host"); 3199 3200 case Q_ISO: 3201 bpf_error("ISO host filtering not implemented"); 3202 3203 case Q_ESIS: 3204 bpf_error("'esis' modifier applied to host"); 3205 3206 case Q_ISIS: 3207 bpf_error("'isis' modifier applied to host"); 3208 3209 case Q_CLNP: 3210 bpf_error("'clnp' modifier applied to host"); 3211 3212 case Q_STP: 3213 bpf_error("'stp' modifier applied to host"); 3214 3215 case Q_IPX: 3216 bpf_error("IPX host filtering not implemented"); 3217 3218 case Q_NETBEUI: 3219 bpf_error("'netbeui' modifier applied to host"); 3220 3221 case Q_RADIO: 3222 bpf_error("'radio' modifier applied to host"); 3223 3224 default: 3225 abort(); 3226 } 3227 /* NOTREACHED */ 3228 } 3229 3230 #ifdef INET6 3231 static struct block * 3232 gen_host6(addr, mask, proto, dir) 3233 struct in6_addr *addr; 3234 struct in6_addr *mask; 3235 int proto; 3236 int dir; 3237 { 3238 switch (proto) { 3239 3240 case Q_DEFAULT: 3241 return gen_host6(addr, mask, Q_IPV6, dir); 3242 3243 case Q_IP: 3244 bpf_error("'ip' modifier applied to ip6 host"); 3245 3246 case Q_RARP: 3247 bpf_error("'rarp' modifier applied to ip6 host"); 3248 3249 case Q_ARP: 3250 bpf_error("'arp' modifier applied to ip6 host"); 3251 3252 case Q_SCTP: 3253 bpf_error("'sctp' modifier applied to host"); 3254 3255 case Q_TCP: 3256 bpf_error("'tcp' modifier applied to host"); 3257 3258 case Q_UDP: 3259 bpf_error("'udp' modifier applied to host"); 3260 3261 case Q_ICMP: 3262 bpf_error("'icmp' modifier applied to host"); 3263 3264 case Q_IGMP: 3265 bpf_error("'igmp' modifier applied to host"); 3266 3267 case Q_IGRP: 3268 bpf_error("'igrp' modifier applied to host"); 3269 3270 case Q_PIM: 3271 bpf_error("'pim' modifier applied to host"); 3272 3273 case Q_VRRP: 3274 bpf_error("'vrrp' modifier applied to host"); 3275 3276 case Q_ATALK: 3277 bpf_error("ATALK host filtering not implemented"); 3278 3279 case Q_AARP: 3280 bpf_error("AARP host filtering not implemented"); 3281 3282 case Q_DECNET: 3283 bpf_error("'decnet' modifier applied to ip6 host"); 3284 3285 case Q_SCA: 3286 bpf_error("SCA host filtering not implemented"); 3287 3288 case Q_LAT: 3289 bpf_error("LAT host filtering not implemented"); 3290 3291 case Q_MOPDL: 3292 bpf_error("MOPDL host filtering not implemented"); 3293 3294 case Q_MOPRC: 3295 bpf_error("MOPRC host filtering not implemented"); 3296 3297 case Q_IPV6: 3298 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 3299 3300 case Q_ICMPV6: 3301 bpf_error("'icmp6' modifier applied to host"); 3302 3303 case Q_AH: 3304 bpf_error("'ah' modifier applied to host"); 3305 3306 case Q_ESP: 3307 bpf_error("'esp' modifier applied to host"); 3308 3309 case Q_ISO: 3310 bpf_error("ISO host filtering not implemented"); 3311 3312 case Q_ESIS: 3313 bpf_error("'esis' modifier applied to host"); 3314 3315 case Q_ISIS: 3316 bpf_error("'isis' modifier applied to host"); 3317 3318 case Q_CLNP: 3319 bpf_error("'clnp' modifier applied to host"); 3320 3321 case Q_STP: 3322 bpf_error("'stp' modifier applied to host"); 3323 3324 case Q_IPX: 3325 bpf_error("IPX host filtering not implemented"); 3326 3327 case Q_NETBEUI: 3328 bpf_error("'netbeui' modifier applied to host"); 3329 3330 case Q_RADIO: 3331 bpf_error("'radio' modifier applied to host"); 3332 3333 default: 3334 abort(); 3335 } 3336 /* NOTREACHED */ 3337 } 3338 #endif /*INET6*/ 3339 3340 #ifndef INET6 3341 static struct block * 3342 gen_gateway(eaddr, alist, proto, dir) 3343 const u_char *eaddr; 3344 bpf_u_int32 **alist; 3345 int proto; 3346 int dir; 3347 { 3348 struct block *b0, *b1, *tmp; 3349 3350 if (dir != 0) 3351 bpf_error("direction applied to 'gateway'"); 3352 3353 switch (proto) { 3354 case Q_DEFAULT: 3355 case Q_IP: 3356 case Q_ARP: 3357 case Q_RARP: 3358 if (linktype == DLT_EN10MB) 3359 b0 = gen_ehostop(eaddr, Q_OR); 3360 else if (linktype == DLT_FDDI) 3361 b0 = gen_fhostop(eaddr, Q_OR); 3362 else if (linktype == DLT_IEEE802) 3363 b0 = gen_thostop(eaddr, Q_OR); 3364 else if (linktype == DLT_IEEE802_11 || 3365 linktype == DLT_IEEE802_11_RADIO_AVS || 3366 linktype == DLT_IEEE802_11_RADIO || 3367 linktype == DLT_PRISM_HEADER) 3368 b0 = gen_wlanhostop(eaddr, Q_OR); 3369 else if (linktype == DLT_SUNATM && is_lane) { 3370 /* 3371 * Check that the packet doesn't begin with an 3372 * LE Control marker. (We've already generated 3373 * a test for LANE.) 3374 */ 3375 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3376 0xFF00); 3377 gen_not(b1); 3378 3379 /* 3380 * Now check the MAC address. 3381 */ 3382 b0 = gen_ehostop(eaddr, Q_OR); 3383 gen_and(b1, b0); 3384 } else if (linktype == DLT_IP_OVER_FC) 3385 b0 = gen_ipfchostop(eaddr, Q_OR); 3386 else 3387 bpf_error( 3388 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel"); 3389 3390 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR); 3391 while (*alist) { 3392 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR); 3393 gen_or(b1, tmp); 3394 b1 = tmp; 3395 } 3396 gen_not(b1); 3397 gen_and(b0, b1); 3398 return b1; 3399 } 3400 bpf_error("illegal modifier of 'gateway'"); 3401 /* NOTREACHED */ 3402 } 3403 #endif 3404 3405 struct block * 3406 gen_proto_abbrev(proto) 3407 int proto; 3408 { 3409 struct block *b0; 3410 struct block *b1; 3411 3412 switch (proto) { 3413 3414 case Q_SCTP: 3415 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 3416 #ifdef INET6 3417 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 3418 gen_or(b0, b1); 3419 #endif 3420 break; 3421 3422 case Q_TCP: 3423 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 3424 #ifdef INET6 3425 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 3426 gen_or(b0, b1); 3427 #endif 3428 break; 3429 3430 case Q_UDP: 3431 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 3432 #ifdef INET6 3433 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 3434 gen_or(b0, b1); 3435 #endif 3436 break; 3437 3438 case Q_ICMP: 3439 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 3440 break; 3441 3442 #ifndef IPPROTO_IGMP 3443 #define IPPROTO_IGMP 2 3444 #endif 3445 3446 case Q_IGMP: 3447 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 3448 break; 3449 3450 #ifndef IPPROTO_IGRP 3451 #define IPPROTO_IGRP 9 3452 #endif 3453 case Q_IGRP: 3454 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 3455 break; 3456 3457 #ifndef IPPROTO_PIM 3458 #define IPPROTO_PIM 103 3459 #endif 3460 3461 case Q_PIM: 3462 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 3463 #ifdef INET6 3464 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 3465 gen_or(b0, b1); 3466 #endif 3467 break; 3468 3469 #ifndef IPPROTO_VRRP 3470 #define IPPROTO_VRRP 112 3471 #endif 3472 3473 case Q_VRRP: 3474 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 3475 break; 3476 3477 case Q_IP: 3478 b1 = gen_linktype(ETHERTYPE_IP); 3479 break; 3480 3481 case Q_ARP: 3482 b1 = gen_linktype(ETHERTYPE_ARP); 3483 break; 3484 3485 case Q_RARP: 3486 b1 = gen_linktype(ETHERTYPE_REVARP); 3487 break; 3488 3489 case Q_LINK: 3490 bpf_error("link layer applied in wrong context"); 3491 3492 case Q_ATALK: 3493 b1 = gen_linktype(ETHERTYPE_ATALK); 3494 break; 3495 3496 case Q_AARP: 3497 b1 = gen_linktype(ETHERTYPE_AARP); 3498 break; 3499 3500 case Q_DECNET: 3501 b1 = gen_linktype(ETHERTYPE_DN); 3502 break; 3503 3504 case Q_SCA: 3505 b1 = gen_linktype(ETHERTYPE_SCA); 3506 break; 3507 3508 case Q_LAT: 3509 b1 = gen_linktype(ETHERTYPE_LAT); 3510 break; 3511 3512 case Q_MOPDL: 3513 b1 = gen_linktype(ETHERTYPE_MOPDL); 3514 break; 3515 3516 case Q_MOPRC: 3517 b1 = gen_linktype(ETHERTYPE_MOPRC); 3518 break; 3519 3520 #ifdef INET6 3521 case Q_IPV6: 3522 b1 = gen_linktype(ETHERTYPE_IPV6); 3523 break; 3524 3525 #ifndef IPPROTO_ICMPV6 3526 #define IPPROTO_ICMPV6 58 3527 #endif 3528 case Q_ICMPV6: 3529 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 3530 break; 3531 #endif /* INET6 */ 3532 3533 #ifndef IPPROTO_AH 3534 #define IPPROTO_AH 51 3535 #endif 3536 case Q_AH: 3537 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 3538 #ifdef INET6 3539 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 3540 gen_or(b0, b1); 3541 #endif 3542 break; 3543 3544 #ifndef IPPROTO_ESP 3545 #define IPPROTO_ESP 50 3546 #endif 3547 case Q_ESP: 3548 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 3549 #ifdef INET6 3550 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 3551 gen_or(b0, b1); 3552 #endif 3553 break; 3554 3555 case Q_ISO: 3556 b1 = gen_linktype(LLCSAP_ISONS); 3557 break; 3558 3559 case Q_ESIS: 3560 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 3561 break; 3562 3563 case Q_ISIS: 3564 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 3565 break; 3566 3567 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 3568 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 3569 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 3570 gen_or(b0, b1); 3571 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 3572 gen_or(b0, b1); 3573 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3574 gen_or(b0, b1); 3575 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3576 gen_or(b0, b1); 3577 break; 3578 3579 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 3580 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 3581 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 3582 gen_or(b0, b1); 3583 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 3584 gen_or(b0, b1); 3585 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3586 gen_or(b0, b1); 3587 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3588 gen_or(b0, b1); 3589 break; 3590 3591 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 3592 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 3593 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 3594 gen_or(b0, b1); 3595 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 3596 gen_or(b0, b1); 3597 break; 3598 3599 case Q_ISIS_LSP: 3600 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 3601 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 3602 gen_or(b0, b1); 3603 break; 3604 3605 case Q_ISIS_SNP: 3606 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3607 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3608 gen_or(b0, b1); 3609 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3610 gen_or(b0, b1); 3611 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3612 gen_or(b0, b1); 3613 break; 3614 3615 case Q_ISIS_CSNP: 3616 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3617 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3618 gen_or(b0, b1); 3619 break; 3620 3621 case Q_ISIS_PSNP: 3622 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3623 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3624 gen_or(b0, b1); 3625 break; 3626 3627 case Q_CLNP: 3628 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 3629 break; 3630 3631 case Q_STP: 3632 b1 = gen_linktype(LLCSAP_8021D); 3633 break; 3634 3635 case Q_IPX: 3636 b1 = gen_linktype(LLCSAP_IPX); 3637 break; 3638 3639 case Q_NETBEUI: 3640 b1 = gen_linktype(LLCSAP_NETBEUI); 3641 break; 3642 3643 case Q_RADIO: 3644 bpf_error("'radio' is not a valid protocol type"); 3645 3646 default: 3647 abort(); 3648 } 3649 return b1; 3650 } 3651 3652 static struct block * 3653 gen_ipfrag() 3654 { 3655 struct slist *s; 3656 struct block *b; 3657 3658 /* not ip frag */ 3659 s = gen_load_a(OR_NET, 6, BPF_H); 3660 b = new_block(JMP(BPF_JSET)); 3661 b->s.k = 0x1fff; 3662 b->stmts = s; 3663 gen_not(b); 3664 3665 return b; 3666 } 3667 3668 /* 3669 * Generate a comparison to a port value in the transport-layer header 3670 * at the specified offset from the beginning of that header. 3671 * 3672 * XXX - this handles a variable-length prefix preceding the link-layer 3673 * header, such as the radiotap or AVS radio prefix, but doesn't handle 3674 * variable-length link-layer headers (such as Token Ring or 802.11 3675 * headers). 3676 */ 3677 static struct block * 3678 gen_portatom(off, v) 3679 int off; 3680 bpf_int32 v; 3681 { 3682 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 3683 } 3684 3685 #ifdef INET6 3686 static struct block * 3687 gen_portatom6(off, v) 3688 int off; 3689 bpf_int32 v; 3690 { 3691 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 3692 } 3693 #endif/*INET6*/ 3694 3695 struct block * 3696 gen_portop(port, proto, dir) 3697 int port, proto, dir; 3698 { 3699 struct block *b0, *b1, *tmp; 3700 3701 /* ip proto 'proto' */ 3702 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 3703 b0 = gen_ipfrag(); 3704 gen_and(tmp, b0); 3705 3706 switch (dir) { 3707 case Q_SRC: 3708 b1 = gen_portatom(0, (bpf_int32)port); 3709 break; 3710 3711 case Q_DST: 3712 b1 = gen_portatom(2, (bpf_int32)port); 3713 break; 3714 3715 case Q_OR: 3716 case Q_DEFAULT: 3717 tmp = gen_portatom(0, (bpf_int32)port); 3718 b1 = gen_portatom(2, (bpf_int32)port); 3719 gen_or(tmp, b1); 3720 break; 3721 3722 case Q_AND: 3723 tmp = gen_portatom(0, (bpf_int32)port); 3724 b1 = gen_portatom(2, (bpf_int32)port); 3725 gen_and(tmp, b1); 3726 break; 3727 3728 default: 3729 abort(); 3730 } 3731 gen_and(b0, b1); 3732 3733 return b1; 3734 } 3735 3736 static struct block * 3737 gen_port(port, ip_proto, dir) 3738 int port; 3739 int ip_proto; 3740 int dir; 3741 { 3742 struct block *b0, *b1, *tmp; 3743 3744 /* 3745 * ether proto ip 3746 * 3747 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 3748 * not LLC encapsulation with LLCSAP_IP. 3749 * 3750 * For IEEE 802 networks - which includes 802.5 token ring 3751 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 3752 * says that SNAP encapsulation is used, not LLC encapsulation 3753 * with LLCSAP_IP. 3754 * 3755 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 3756 * RFC 2225 say that SNAP encapsulation is used, not LLC 3757 * encapsulation with LLCSAP_IP. 3758 * 3759 * So we always check for ETHERTYPE_IP. 3760 */ 3761 b0 = gen_linktype(ETHERTYPE_IP); 3762 3763 switch (ip_proto) { 3764 case IPPROTO_UDP: 3765 case IPPROTO_TCP: 3766 case IPPROTO_SCTP: 3767 b1 = gen_portop(port, ip_proto, dir); 3768 break; 3769 3770 case PROTO_UNDEF: 3771 tmp = gen_portop(port, IPPROTO_TCP, dir); 3772 b1 = gen_portop(port, IPPROTO_UDP, dir); 3773 gen_or(tmp, b1); 3774 tmp = gen_portop(port, IPPROTO_SCTP, dir); 3775 gen_or(tmp, b1); 3776 break; 3777 3778 default: 3779 abort(); 3780 } 3781 gen_and(b0, b1); 3782 return b1; 3783 } 3784 3785 #ifdef INET6 3786 struct block * 3787 gen_portop6(port, proto, dir) 3788 int port, proto, dir; 3789 { 3790 struct block *b0, *b1, *tmp; 3791 3792 /* ip6 proto 'proto' */ 3793 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 3794 3795 switch (dir) { 3796 case Q_SRC: 3797 b1 = gen_portatom6(0, (bpf_int32)port); 3798 break; 3799 3800 case Q_DST: 3801 b1 = gen_portatom6(2, (bpf_int32)port); 3802 break; 3803 3804 case Q_OR: 3805 case Q_DEFAULT: 3806 tmp = gen_portatom6(0, (bpf_int32)port); 3807 b1 = gen_portatom6(2, (bpf_int32)port); 3808 gen_or(tmp, b1); 3809 break; 3810 3811 case Q_AND: 3812 tmp = gen_portatom6(0, (bpf_int32)port); 3813 b1 = gen_portatom6(2, (bpf_int32)port); 3814 gen_and(tmp, b1); 3815 break; 3816 3817 default: 3818 abort(); 3819 } 3820 gen_and(b0, b1); 3821 3822 return b1; 3823 } 3824 3825 static struct block * 3826 gen_port6(port, ip_proto, dir) 3827 int port; 3828 int ip_proto; 3829 int dir; 3830 { 3831 struct block *b0, *b1, *tmp; 3832 3833 /* link proto ip6 */ 3834 b0 = gen_linktype(ETHERTYPE_IPV6); 3835 3836 switch (ip_proto) { 3837 case IPPROTO_UDP: 3838 case IPPROTO_TCP: 3839 case IPPROTO_SCTP: 3840 b1 = gen_portop6(port, ip_proto, dir); 3841 break; 3842 3843 case PROTO_UNDEF: 3844 tmp = gen_portop6(port, IPPROTO_TCP, dir); 3845 b1 = gen_portop6(port, IPPROTO_UDP, dir); 3846 gen_or(tmp, b1); 3847 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 3848 gen_or(tmp, b1); 3849 break; 3850 3851 default: 3852 abort(); 3853 } 3854 gen_and(b0, b1); 3855 return b1; 3856 } 3857 #endif /* INET6 */ 3858 3859 /* gen_portrange code */ 3860 static struct block * 3861 gen_portrangeatom(off, v1, v2) 3862 int off; 3863 bpf_int32 v1, v2; 3864 { 3865 struct block *b1, *b2; 3866 3867 if (v1 > v2) { 3868 /* 3869 * Reverse the order of the ports, so v1 is the lower one. 3870 */ 3871 bpf_int32 vtemp; 3872 3873 vtemp = v1; 3874 v1 = v2; 3875 v2 = vtemp; 3876 } 3877 3878 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 3879 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 3880 3881 gen_and(b1, b2); 3882 3883 return b2; 3884 } 3885 3886 struct block * 3887 gen_portrangeop(port1, port2, proto, dir) 3888 int port1, port2; 3889 int proto; 3890 int dir; 3891 { 3892 struct block *b0, *b1, *tmp; 3893 3894 /* ip proto 'proto' */ 3895 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 3896 b0 = gen_ipfrag(); 3897 gen_and(tmp, b0); 3898 3899 switch (dir) { 3900 case Q_SRC: 3901 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 3902 break; 3903 3904 case Q_DST: 3905 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 3906 break; 3907 3908 case Q_OR: 3909 case Q_DEFAULT: 3910 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 3911 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 3912 gen_or(tmp, b1); 3913 break; 3914 3915 case Q_AND: 3916 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 3917 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 3918 gen_and(tmp, b1); 3919 break; 3920 3921 default: 3922 abort(); 3923 } 3924 gen_and(b0, b1); 3925 3926 return b1; 3927 } 3928 3929 static struct block * 3930 gen_portrange(port1, port2, ip_proto, dir) 3931 int port1, port2; 3932 int ip_proto; 3933 int dir; 3934 { 3935 struct block *b0, *b1, *tmp; 3936 3937 /* link proto ip */ 3938 b0 = gen_linktype(ETHERTYPE_IP); 3939 3940 switch (ip_proto) { 3941 case IPPROTO_UDP: 3942 case IPPROTO_TCP: 3943 case IPPROTO_SCTP: 3944 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 3945 break; 3946 3947 case PROTO_UNDEF: 3948 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 3949 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 3950 gen_or(tmp, b1); 3951 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 3952 gen_or(tmp, b1); 3953 break; 3954 3955 default: 3956 abort(); 3957 } 3958 gen_and(b0, b1); 3959 return b1; 3960 } 3961 3962 #ifdef INET6 3963 static struct block * 3964 gen_portrangeatom6(off, v1, v2) 3965 int off; 3966 bpf_int32 v1, v2; 3967 { 3968 struct block *b1, *b2; 3969 3970 if (v1 > v2) { 3971 /* 3972 * Reverse the order of the ports, so v1 is the lower one. 3973 */ 3974 bpf_int32 vtemp; 3975 3976 vtemp = v1; 3977 v1 = v2; 3978 v2 = vtemp; 3979 } 3980 3981 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 3982 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 3983 3984 gen_and(b1, b2); 3985 3986 return b2; 3987 } 3988 3989 struct block * 3990 gen_portrangeop6(port1, port2, proto, dir) 3991 int port1, port2; 3992 int proto; 3993 int dir; 3994 { 3995 struct block *b0, *b1, *tmp; 3996 3997 /* ip6 proto 'proto' */ 3998 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 3999 4000 switch (dir) { 4001 case Q_SRC: 4002 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4003 break; 4004 4005 case Q_DST: 4006 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4007 break; 4008 4009 case Q_OR: 4010 case Q_DEFAULT: 4011 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4012 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4013 gen_or(tmp, b1); 4014 break; 4015 4016 case Q_AND: 4017 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4018 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4019 gen_and(tmp, b1); 4020 break; 4021 4022 default: 4023 abort(); 4024 } 4025 gen_and(b0, b1); 4026 4027 return b1; 4028 } 4029 4030 static struct block * 4031 gen_portrange6(port1, port2, ip_proto, dir) 4032 int port1, port2; 4033 int ip_proto; 4034 int dir; 4035 { 4036 struct block *b0, *b1, *tmp; 4037 4038 /* link proto ip6 */ 4039 b0 = gen_linktype(ETHERTYPE_IPV6); 4040 4041 switch (ip_proto) { 4042 case IPPROTO_UDP: 4043 case IPPROTO_TCP: 4044 case IPPROTO_SCTP: 4045 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 4046 break; 4047 4048 case PROTO_UNDEF: 4049 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 4050 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 4051 gen_or(tmp, b1); 4052 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 4053 gen_or(tmp, b1); 4054 break; 4055 4056 default: 4057 abort(); 4058 } 4059 gen_and(b0, b1); 4060 return b1; 4061 } 4062 #endif /* INET6 */ 4063 4064 static int 4065 lookup_proto(name, proto) 4066 register const char *name; 4067 register int proto; 4068 { 4069 register int v; 4070 4071 switch (proto) { 4072 4073 case Q_DEFAULT: 4074 case Q_IP: 4075 case Q_IPV6: 4076 v = pcap_nametoproto(name); 4077 if (v == PROTO_UNDEF) 4078 bpf_error("unknown ip proto '%s'", name); 4079 break; 4080 4081 case Q_LINK: 4082 /* XXX should look up h/w protocol type based on linktype */ 4083 v = pcap_nametoeproto(name); 4084 if (v == PROTO_UNDEF) { 4085 v = pcap_nametollc(name); 4086 if (v == PROTO_UNDEF) 4087 bpf_error("unknown ether proto '%s'", name); 4088 } 4089 break; 4090 4091 case Q_ISO: 4092 if (strcmp(name, "esis") == 0) 4093 v = ISO9542_ESIS; 4094 else if (strcmp(name, "isis") == 0) 4095 v = ISO10589_ISIS; 4096 else if (strcmp(name, "clnp") == 0) 4097 v = ISO8473_CLNP; 4098 else 4099 bpf_error("unknown osi proto '%s'", name); 4100 break; 4101 4102 default: 4103 v = PROTO_UNDEF; 4104 break; 4105 } 4106 return v; 4107 } 4108 4109 #if 0 4110 struct stmt * 4111 gen_joinsp(s, n) 4112 struct stmt **s; 4113 int n; 4114 { 4115 return NULL; 4116 } 4117 #endif 4118 4119 static struct block * 4120 gen_protochain(v, proto, dir) 4121 int v; 4122 int proto; 4123 int dir; 4124 { 4125 #ifdef NO_PROTOCHAIN 4126 return gen_proto(v, proto, dir); 4127 #else 4128 struct block *b0, *b; 4129 struct slist *s[100]; 4130 int fix2, fix3, fix4, fix5; 4131 int ahcheck, again, end; 4132 int i, max; 4133 int reg2 = alloc_reg(); 4134 4135 memset(s, 0, sizeof(s)); 4136 fix2 = fix3 = fix4 = fix5 = 0; 4137 4138 switch (proto) { 4139 case Q_IP: 4140 case Q_IPV6: 4141 break; 4142 case Q_DEFAULT: 4143 b0 = gen_protochain(v, Q_IP, dir); 4144 b = gen_protochain(v, Q_IPV6, dir); 4145 gen_or(b0, b); 4146 return b; 4147 default: 4148 bpf_error("bad protocol applied for 'protochain'"); 4149 /*NOTREACHED*/ 4150 } 4151 4152 /* 4153 * We don't handle variable-length radiotap here headers yet. 4154 * We might want to add BPF instructions to do the protochain 4155 * work, to simplify that and, on platforms that have a BPF 4156 * interpreter with the new instructions, let the filtering 4157 * be done in the kernel. (We already require a modified BPF 4158 * engine to do the protochain stuff, to support backward 4159 * branches, and backward branch support is unlikely to appear 4160 * in kernel BPF engines.) 4161 */ 4162 if (linktype == DLT_IEEE802_11_RADIO) 4163 bpf_error("'protochain' not supported with radiotap headers"); 4164 4165 no_optimize = 1; /*this code is not compatible with optimzer yet */ 4166 4167 /* 4168 * s[0] is a dummy entry to protect other BPF insn from damage 4169 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 4170 * hard to find interdependency made by jump table fixup. 4171 */ 4172 i = 0; 4173 s[i] = new_stmt(0); /*dummy*/ 4174 i++; 4175 4176 switch (proto) { 4177 case Q_IP: 4178 b0 = gen_linktype(ETHERTYPE_IP); 4179 4180 /* A = ip->ip_p */ 4181 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 4182 s[i]->s.k = off_nl + 9; 4183 i++; 4184 /* X = ip->ip_hl << 2 */ 4185 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 4186 s[i]->s.k = off_nl; 4187 i++; 4188 break; 4189 #ifdef INET6 4190 case Q_IPV6: 4191 b0 = gen_linktype(ETHERTYPE_IPV6); 4192 4193 /* A = ip6->ip_nxt */ 4194 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 4195 s[i]->s.k = off_nl + 6; 4196 i++; 4197 /* X = sizeof(struct ip6_hdr) */ 4198 s[i] = new_stmt(BPF_LDX|BPF_IMM); 4199 s[i]->s.k = 40; 4200 i++; 4201 break; 4202 #endif 4203 default: 4204 bpf_error("unsupported proto to gen_protochain"); 4205 /*NOTREACHED*/ 4206 } 4207 4208 /* again: if (A == v) goto end; else fall through; */ 4209 again = i; 4210 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4211 s[i]->s.k = v; 4212 s[i]->s.jt = NULL; /*later*/ 4213 s[i]->s.jf = NULL; /*update in next stmt*/ 4214 fix5 = i; 4215 i++; 4216 4217 #ifndef IPPROTO_NONE 4218 #define IPPROTO_NONE 59 4219 #endif 4220 /* if (A == IPPROTO_NONE) goto end */ 4221 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4222 s[i]->s.jt = NULL; /*later*/ 4223 s[i]->s.jf = NULL; /*update in next stmt*/ 4224 s[i]->s.k = IPPROTO_NONE; 4225 s[fix5]->s.jf = s[i]; 4226 fix2 = i; 4227 i++; 4228 4229 #ifdef INET6 4230 if (proto == Q_IPV6) { 4231 int v6start, v6end, v6advance, j; 4232 4233 v6start = i; 4234 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 4235 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4236 s[i]->s.jt = NULL; /*later*/ 4237 s[i]->s.jf = NULL; /*update in next stmt*/ 4238 s[i]->s.k = IPPROTO_HOPOPTS; 4239 s[fix2]->s.jf = s[i]; 4240 i++; 4241 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 4242 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4243 s[i]->s.jt = NULL; /*later*/ 4244 s[i]->s.jf = NULL; /*update in next stmt*/ 4245 s[i]->s.k = IPPROTO_DSTOPTS; 4246 i++; 4247 /* if (A == IPPROTO_ROUTING) goto v6advance */ 4248 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4249 s[i]->s.jt = NULL; /*later*/ 4250 s[i]->s.jf = NULL; /*update in next stmt*/ 4251 s[i]->s.k = IPPROTO_ROUTING; 4252 i++; 4253 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 4254 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4255 s[i]->s.jt = NULL; /*later*/ 4256 s[i]->s.jf = NULL; /*later*/ 4257 s[i]->s.k = IPPROTO_FRAGMENT; 4258 fix3 = i; 4259 v6end = i; 4260 i++; 4261 4262 /* v6advance: */ 4263 v6advance = i; 4264 4265 /* 4266 * in short, 4267 * A = P[X]; 4268 * X = X + (P[X + 1] + 1) * 8; 4269 */ 4270 /* A = X */ 4271 s[i] = new_stmt(BPF_MISC|BPF_TXA); 4272 i++; 4273 /* A = P[X + packet head] */ 4274 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4275 s[i]->s.k = off_nl; 4276 i++; 4277 /* MEM[reg2] = A */ 4278 s[i] = new_stmt(BPF_ST); 4279 s[i]->s.k = reg2; 4280 i++; 4281 /* A = X */ 4282 s[i] = new_stmt(BPF_MISC|BPF_TXA); 4283 i++; 4284 /* A += 1 */ 4285 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4286 s[i]->s.k = 1; 4287 i++; 4288 /* X = A */ 4289 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4290 i++; 4291 /* A = P[X + packet head]; */ 4292 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4293 s[i]->s.k = off_nl; 4294 i++; 4295 /* A += 1 */ 4296 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4297 s[i]->s.k = 1; 4298 i++; 4299 /* A *= 8 */ 4300 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 4301 s[i]->s.k = 8; 4302 i++; 4303 /* X = A; */ 4304 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4305 i++; 4306 /* A = MEM[reg2] */ 4307 s[i] = new_stmt(BPF_LD|BPF_MEM); 4308 s[i]->s.k = reg2; 4309 i++; 4310 4311 /* goto again; (must use BPF_JA for backward jump) */ 4312 s[i] = new_stmt(BPF_JMP|BPF_JA); 4313 s[i]->s.k = again - i - 1; 4314 s[i - 1]->s.jf = s[i]; 4315 i++; 4316 4317 /* fixup */ 4318 for (j = v6start; j <= v6end; j++) 4319 s[j]->s.jt = s[v6advance]; 4320 } else 4321 #endif 4322 { 4323 /* nop */ 4324 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4325 s[i]->s.k = 0; 4326 s[fix2]->s.jf = s[i]; 4327 i++; 4328 } 4329 4330 /* ahcheck: */ 4331 ahcheck = i; 4332 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 4333 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4334 s[i]->s.jt = NULL; /*later*/ 4335 s[i]->s.jf = NULL; /*later*/ 4336 s[i]->s.k = IPPROTO_AH; 4337 if (fix3) 4338 s[fix3]->s.jf = s[ahcheck]; 4339 fix4 = i; 4340 i++; 4341 4342 /* 4343 * in short, 4344 * A = P[X]; 4345 * X = X + (P[X + 1] + 2) * 4; 4346 */ 4347 /* A = X */ 4348 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 4349 i++; 4350 /* A = P[X + packet head]; */ 4351 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4352 s[i]->s.k = off_nl; 4353 i++; 4354 /* MEM[reg2] = A */ 4355 s[i] = new_stmt(BPF_ST); 4356 s[i]->s.k = reg2; 4357 i++; 4358 /* A = X */ 4359 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 4360 i++; 4361 /* A += 1 */ 4362 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4363 s[i]->s.k = 1; 4364 i++; 4365 /* X = A */ 4366 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4367 i++; 4368 /* A = P[X + packet head] */ 4369 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4370 s[i]->s.k = off_nl; 4371 i++; 4372 /* A += 2 */ 4373 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4374 s[i]->s.k = 2; 4375 i++; 4376 /* A *= 4 */ 4377 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 4378 s[i]->s.k = 4; 4379 i++; 4380 /* X = A; */ 4381 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4382 i++; 4383 /* A = MEM[reg2] */ 4384 s[i] = new_stmt(BPF_LD|BPF_MEM); 4385 s[i]->s.k = reg2; 4386 i++; 4387 4388 /* goto again; (must use BPF_JA for backward jump) */ 4389 s[i] = new_stmt(BPF_JMP|BPF_JA); 4390 s[i]->s.k = again - i - 1; 4391 i++; 4392 4393 /* end: nop */ 4394 end = i; 4395 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4396 s[i]->s.k = 0; 4397 s[fix2]->s.jt = s[end]; 4398 s[fix4]->s.jf = s[end]; 4399 s[fix5]->s.jt = s[end]; 4400 i++; 4401 4402 /* 4403 * make slist chain 4404 */ 4405 max = i; 4406 for (i = 0; i < max - 1; i++) 4407 s[i]->next = s[i + 1]; 4408 s[max - 1]->next = NULL; 4409 4410 /* 4411 * emit final check 4412 */ 4413 b = new_block(JMP(BPF_JEQ)); 4414 b->stmts = s[1]; /*remember, s[0] is dummy*/ 4415 b->s.k = v; 4416 4417 free_reg(reg2); 4418 4419 gen_and(b0, b); 4420 return b; 4421 #endif 4422 } 4423 4424 /* 4425 * Generate code that checks whether the packet is a packet for protocol 4426 * <proto> and whether the type field in that protocol's header has 4427 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 4428 * IP packet and checks the protocol number in the IP header against <v>. 4429 * 4430 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 4431 * against Q_IP and Q_IPV6. 4432 */ 4433 static struct block * 4434 gen_proto(v, proto, dir) 4435 int v; 4436 int proto; 4437 int dir; 4438 { 4439 struct block *b0, *b1; 4440 4441 if (dir != Q_DEFAULT) 4442 bpf_error("direction applied to 'proto'"); 4443 4444 switch (proto) { 4445 case Q_DEFAULT: 4446 #ifdef INET6 4447 b0 = gen_proto(v, Q_IP, dir); 4448 b1 = gen_proto(v, Q_IPV6, dir); 4449 gen_or(b0, b1); 4450 return b1; 4451 #else 4452 /*FALLTHROUGH*/ 4453 #endif 4454 case Q_IP: 4455 /* 4456 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 4457 * not LLC encapsulation with LLCSAP_IP. 4458 * 4459 * For IEEE 802 networks - which includes 802.5 token ring 4460 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 4461 * says that SNAP encapsulation is used, not LLC encapsulation 4462 * with LLCSAP_IP. 4463 * 4464 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 4465 * RFC 2225 say that SNAP encapsulation is used, not LLC 4466 * encapsulation with LLCSAP_IP. 4467 * 4468 * So we always check for ETHERTYPE_IP. 4469 */ 4470 4471 b0 = gen_linktype(ETHERTYPE_IP); 4472 #ifndef CHASE_CHAIN 4473 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 4474 #else 4475 b1 = gen_protochain(v, Q_IP); 4476 #endif 4477 gen_and(b0, b1); 4478 return b1; 4479 4480 case Q_ISO: 4481 switch (linktype) { 4482 4483 case DLT_FRELAY: 4484 /* 4485 * Frame Relay packets typically have an OSI 4486 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 4487 * generates code to check for all the OSI 4488 * NLPIDs, so calling it and then adding a check 4489 * for the particular NLPID for which we're 4490 * looking is bogus, as we can just check for 4491 * the NLPID. 4492 * 4493 * What we check for is the NLPID and a frame 4494 * control field value of UI, i.e. 0x03 followed 4495 * by the NLPID. 4496 * 4497 * XXX - assumes a 2-byte Frame Relay header with 4498 * DLCI and flags. What if the address is longer? 4499 * 4500 * XXX - what about SNAP-encapsulated frames? 4501 */ 4502 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 4503 /*NOTREACHED*/ 4504 break; 4505 4506 case DLT_C_HDLC: 4507 /* 4508 * Cisco uses an Ethertype lookalike - for OSI, 4509 * it's 0xfefe. 4510 */ 4511 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 4512 /* OSI in C-HDLC is stuffed with a fudge byte */ 4513 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 4514 gen_and(b0, b1); 4515 return b1; 4516 4517 default: 4518 b0 = gen_linktype(LLCSAP_ISONS); 4519 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 4520 gen_and(b0, b1); 4521 return b1; 4522 } 4523 4524 case Q_ISIS: 4525 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4526 /* 4527 * 4 is the offset of the PDU type relative to the IS-IS 4528 * header. 4529 */ 4530 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 4531 gen_and(b0, b1); 4532 return b1; 4533 4534 case Q_ARP: 4535 bpf_error("arp does not encapsulate another protocol"); 4536 /* NOTREACHED */ 4537 4538 case Q_RARP: 4539 bpf_error("rarp does not encapsulate another protocol"); 4540 /* NOTREACHED */ 4541 4542 case Q_ATALK: 4543 bpf_error("atalk encapsulation is not specifiable"); 4544 /* NOTREACHED */ 4545 4546 case Q_DECNET: 4547 bpf_error("decnet encapsulation is not specifiable"); 4548 /* NOTREACHED */ 4549 4550 case Q_SCA: 4551 bpf_error("sca does not encapsulate another protocol"); 4552 /* NOTREACHED */ 4553 4554 case Q_LAT: 4555 bpf_error("lat does not encapsulate another protocol"); 4556 /* NOTREACHED */ 4557 4558 case Q_MOPRC: 4559 bpf_error("moprc does not encapsulate another protocol"); 4560 /* NOTREACHED */ 4561 4562 case Q_MOPDL: 4563 bpf_error("mopdl does not encapsulate another protocol"); 4564 /* NOTREACHED */ 4565 4566 case Q_LINK: 4567 return gen_linktype(v); 4568 4569 case Q_UDP: 4570 bpf_error("'udp proto' is bogus"); 4571 /* NOTREACHED */ 4572 4573 case Q_TCP: 4574 bpf_error("'tcp proto' is bogus"); 4575 /* NOTREACHED */ 4576 4577 case Q_SCTP: 4578 bpf_error("'sctp proto' is bogus"); 4579 /* NOTREACHED */ 4580 4581 case Q_ICMP: 4582 bpf_error("'icmp proto' is bogus"); 4583 /* NOTREACHED */ 4584 4585 case Q_IGMP: 4586 bpf_error("'igmp proto' is bogus"); 4587 /* NOTREACHED */ 4588 4589 case Q_IGRP: 4590 bpf_error("'igrp proto' is bogus"); 4591 /* NOTREACHED */ 4592 4593 case Q_PIM: 4594 bpf_error("'pim proto' is bogus"); 4595 /* NOTREACHED */ 4596 4597 case Q_VRRP: 4598 bpf_error("'vrrp proto' is bogus"); 4599 /* NOTREACHED */ 4600 4601 #ifdef INET6 4602 case Q_IPV6: 4603 b0 = gen_linktype(ETHERTYPE_IPV6); 4604 #ifndef CHASE_CHAIN 4605 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 4606 #else 4607 b1 = gen_protochain(v, Q_IPV6); 4608 #endif 4609 gen_and(b0, b1); 4610 return b1; 4611 4612 case Q_ICMPV6: 4613 bpf_error("'icmp6 proto' is bogus"); 4614 #endif /* INET6 */ 4615 4616 case Q_AH: 4617 bpf_error("'ah proto' is bogus"); 4618 4619 case Q_ESP: 4620 bpf_error("'ah proto' is bogus"); 4621 4622 case Q_STP: 4623 bpf_error("'stp proto' is bogus"); 4624 4625 case Q_IPX: 4626 bpf_error("'ipx proto' is bogus"); 4627 4628 case Q_NETBEUI: 4629 bpf_error("'netbeui proto' is bogus"); 4630 4631 case Q_RADIO: 4632 bpf_error("'radio proto' is bogus"); 4633 4634 default: 4635 abort(); 4636 /* NOTREACHED */ 4637 } 4638 /* NOTREACHED */ 4639 } 4640 4641 struct block * 4642 gen_scode(name, q) 4643 register const char *name; 4644 struct qual q; 4645 { 4646 int proto = q.proto; 4647 int dir = q.dir; 4648 int tproto; 4649 u_char *eaddr; 4650 bpf_u_int32 mask, addr; 4651 #ifndef INET6 4652 bpf_u_int32 **alist; 4653 #else 4654 int tproto6; 4655 struct sockaddr_in *sin; 4656 struct sockaddr_in6 *sin6; 4657 struct addrinfo *res, *res0; 4658 struct in6_addr mask128; 4659 #endif /*INET6*/ 4660 struct block *b, *tmp; 4661 int port, real_proto; 4662 int port1, port2; 4663 4664 switch (q.addr) { 4665 4666 case Q_NET: 4667 addr = pcap_nametonetaddr(name); 4668 if (addr == 0) 4669 bpf_error("unknown network '%s'", name); 4670 /* Left justify network addr and calculate its network mask */ 4671 mask = 0xffffffff; 4672 while (addr && (addr & 0xff000000) == 0) { 4673 addr <<= 8; 4674 mask <<= 8; 4675 } 4676 return gen_host(addr, mask, proto, dir); 4677 4678 case Q_DEFAULT: 4679 case Q_HOST: 4680 if (proto == Q_LINK) { 4681 switch (linktype) { 4682 4683 case DLT_EN10MB: 4684 eaddr = pcap_ether_hostton(name); 4685 if (eaddr == NULL) 4686 bpf_error( 4687 "unknown ether host '%s'", name); 4688 b = gen_ehostop(eaddr, dir); 4689 free(eaddr); 4690 return b; 4691 4692 case DLT_FDDI: 4693 eaddr = pcap_ether_hostton(name); 4694 if (eaddr == NULL) 4695 bpf_error( 4696 "unknown FDDI host '%s'", name); 4697 b = gen_fhostop(eaddr, dir); 4698 free(eaddr); 4699 return b; 4700 4701 case DLT_IEEE802: 4702 eaddr = pcap_ether_hostton(name); 4703 if (eaddr == NULL) 4704 bpf_error( 4705 "unknown token ring host '%s'", name); 4706 b = gen_thostop(eaddr, dir); 4707 free(eaddr); 4708 return b; 4709 4710 case DLT_IEEE802_11: 4711 case DLT_IEEE802_11_RADIO_AVS: 4712 case DLT_IEEE802_11_RADIO: 4713 case DLT_PRISM_HEADER: 4714 eaddr = pcap_ether_hostton(name); 4715 if (eaddr == NULL) 4716 bpf_error( 4717 "unknown 802.11 host '%s'", name); 4718 b = gen_wlanhostop(eaddr, dir); 4719 free(eaddr); 4720 return b; 4721 4722 case DLT_IP_OVER_FC: 4723 eaddr = pcap_ether_hostton(name); 4724 if (eaddr == NULL) 4725 bpf_error( 4726 "unknown Fibre Channel host '%s'", name); 4727 b = gen_ipfchostop(eaddr, dir); 4728 free(eaddr); 4729 return b; 4730 4731 case DLT_SUNATM: 4732 if (!is_lane) 4733 break; 4734 4735 /* 4736 * Check that the packet doesn't begin 4737 * with an LE Control marker. (We've 4738 * already generated a test for LANE.) 4739 */ 4740 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4741 BPF_H, 0xFF00); 4742 gen_not(tmp); 4743 4744 eaddr = pcap_ether_hostton(name); 4745 if (eaddr == NULL) 4746 bpf_error( 4747 "unknown ether host '%s'", name); 4748 b = gen_ehostop(eaddr, dir); 4749 gen_and(tmp, b); 4750 free(eaddr); 4751 return b; 4752 } 4753 4754 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 4755 } else if (proto == Q_DECNET) { 4756 unsigned short dn_addr = __pcap_nametodnaddr(name); 4757 /* 4758 * I don't think DECNET hosts can be multihomed, so 4759 * there is no need to build up a list of addresses 4760 */ 4761 return (gen_host(dn_addr, 0, proto, dir)); 4762 } else { 4763 #ifndef INET6 4764 alist = pcap_nametoaddr(name); 4765 if (alist == NULL || *alist == NULL) 4766 bpf_error("unknown host '%s'", name); 4767 tproto = proto; 4768 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 4769 tproto = Q_IP; 4770 b = gen_host(**alist++, 0xffffffff, tproto, dir); 4771 while (*alist) { 4772 tmp = gen_host(**alist++, 0xffffffff, 4773 tproto, dir); 4774 gen_or(b, tmp); 4775 b = tmp; 4776 } 4777 return b; 4778 #else 4779 memset(&mask128, 0xff, sizeof(mask128)); 4780 res0 = res = pcap_nametoaddrinfo(name); 4781 if (res == NULL) 4782 bpf_error("unknown host '%s'", name); 4783 b = tmp = NULL; 4784 tproto = tproto6 = proto; 4785 if (off_linktype == -1 && tproto == Q_DEFAULT) { 4786 tproto = Q_IP; 4787 tproto6 = Q_IPV6; 4788 } 4789 for (res = res0; res; res = res->ai_next) { 4790 switch (res->ai_family) { 4791 case AF_INET: 4792 if (tproto == Q_IPV6) 4793 continue; 4794 4795 sin = (struct sockaddr_in *) 4796 res->ai_addr; 4797 tmp = gen_host(ntohl(sin->sin_addr.s_addr), 4798 0xffffffff, tproto, dir); 4799 break; 4800 case AF_INET6: 4801 if (tproto6 == Q_IP) 4802 continue; 4803 4804 sin6 = (struct sockaddr_in6 *) 4805 res->ai_addr; 4806 tmp = gen_host6(&sin6->sin6_addr, 4807 &mask128, tproto6, dir); 4808 break; 4809 default: 4810 continue; 4811 } 4812 if (b) 4813 gen_or(b, tmp); 4814 b = tmp; 4815 } 4816 freeaddrinfo(res0); 4817 if (b == NULL) { 4818 bpf_error("unknown host '%s'%s", name, 4819 (proto == Q_DEFAULT) 4820 ? "" 4821 : " for specified address family"); 4822 } 4823 return b; 4824 #endif /*INET6*/ 4825 } 4826 4827 case Q_PORT: 4828 if (proto != Q_DEFAULT && 4829 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 4830 bpf_error("illegal qualifier of 'port'"); 4831 if (pcap_nametoport(name, &port, &real_proto) == 0) 4832 bpf_error("unknown port '%s'", name); 4833 if (proto == Q_UDP) { 4834 if (real_proto == IPPROTO_TCP) 4835 bpf_error("port '%s' is tcp", name); 4836 else if (real_proto == IPPROTO_SCTP) 4837 bpf_error("port '%s' is sctp", name); 4838 else 4839 /* override PROTO_UNDEF */ 4840 real_proto = IPPROTO_UDP; 4841 } 4842 if (proto == Q_TCP) { 4843 if (real_proto == IPPROTO_UDP) 4844 bpf_error("port '%s' is udp", name); 4845 4846 else if (real_proto == IPPROTO_SCTP) 4847 bpf_error("port '%s' is sctp", name); 4848 else 4849 /* override PROTO_UNDEF */ 4850 real_proto = IPPROTO_TCP; 4851 } 4852 if (proto == Q_SCTP) { 4853 if (real_proto == IPPROTO_UDP) 4854 bpf_error("port '%s' is udp", name); 4855 4856 else if (real_proto == IPPROTO_TCP) 4857 bpf_error("port '%s' is tcp", name); 4858 else 4859 /* override PROTO_UNDEF */ 4860 real_proto = IPPROTO_SCTP; 4861 } 4862 #ifndef INET6 4863 return gen_port(port, real_proto, dir); 4864 #else 4865 { 4866 struct block *b; 4867 b = gen_port(port, real_proto, dir); 4868 gen_or(gen_port6(port, real_proto, dir), b); 4869 return b; 4870 } 4871 #endif /* INET6 */ 4872 4873 case Q_PORTRANGE: 4874 if (proto != Q_DEFAULT && 4875 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 4876 bpf_error("illegal qualifier of 'portrange'"); 4877 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 4878 bpf_error("unknown port in range '%s'", name); 4879 if (proto == Q_UDP) { 4880 if (real_proto == IPPROTO_TCP) 4881 bpf_error("port in range '%s' is tcp", name); 4882 else if (real_proto == IPPROTO_SCTP) 4883 bpf_error("port in range '%s' is sctp", name); 4884 else 4885 /* override PROTO_UNDEF */ 4886 real_proto = IPPROTO_UDP; 4887 } 4888 if (proto == Q_TCP) { 4889 if (real_proto == IPPROTO_UDP) 4890 bpf_error("port in range '%s' is udp", name); 4891 else if (real_proto == IPPROTO_SCTP) 4892 bpf_error("port in range '%s' is sctp", name); 4893 else 4894 /* override PROTO_UNDEF */ 4895 real_proto = IPPROTO_TCP; 4896 } 4897 if (proto == Q_SCTP) { 4898 if (real_proto == IPPROTO_UDP) 4899 bpf_error("port in range '%s' is udp", name); 4900 else if (real_proto == IPPROTO_TCP) 4901 bpf_error("port in range '%s' is tcp", name); 4902 else 4903 /* override PROTO_UNDEF */ 4904 real_proto = IPPROTO_SCTP; 4905 } 4906 #ifndef INET6 4907 return gen_portrange(port1, port2, real_proto, dir); 4908 #else 4909 { 4910 struct block *b; 4911 b = gen_portrange(port1, port2, real_proto, dir); 4912 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 4913 return b; 4914 } 4915 #endif /* INET6 */ 4916 4917 case Q_GATEWAY: 4918 #ifndef INET6 4919 eaddr = pcap_ether_hostton(name); 4920 if (eaddr == NULL) 4921 bpf_error("unknown ether host: %s", name); 4922 4923 alist = pcap_nametoaddr(name); 4924 if (alist == NULL || *alist == NULL) 4925 bpf_error("unknown host '%s'", name); 4926 b = gen_gateway(eaddr, alist, proto, dir); 4927 free(eaddr); 4928 return b; 4929 #else 4930 bpf_error("'gateway' not supported in this configuration"); 4931 #endif /*INET6*/ 4932 4933 case Q_PROTO: 4934 real_proto = lookup_proto(name, proto); 4935 if (real_proto >= 0) 4936 return gen_proto(real_proto, proto, dir); 4937 else 4938 bpf_error("unknown protocol: %s", name); 4939 4940 case Q_PROTOCHAIN: 4941 real_proto = lookup_proto(name, proto); 4942 if (real_proto >= 0) 4943 return gen_protochain(real_proto, proto, dir); 4944 else 4945 bpf_error("unknown protocol: %s", name); 4946 4947 4948 case Q_UNDEF: 4949 syntax(); 4950 /* NOTREACHED */ 4951 } 4952 abort(); 4953 /* NOTREACHED */ 4954 } 4955 4956 struct block * 4957 gen_mcode(s1, s2, masklen, q) 4958 register const char *s1, *s2; 4959 register int masklen; 4960 struct qual q; 4961 { 4962 register int nlen, mlen; 4963 bpf_u_int32 n, m; 4964 4965 nlen = __pcap_atoin(s1, &n); 4966 /* Promote short ipaddr */ 4967 n <<= 32 - nlen; 4968 4969 if (s2 != NULL) { 4970 mlen = __pcap_atoin(s2, &m); 4971 /* Promote short ipaddr */ 4972 m <<= 32 - mlen; 4973 if ((n & ~m) != 0) 4974 bpf_error("non-network bits set in \"%s mask %s\"", 4975 s1, s2); 4976 } else { 4977 /* Convert mask len to mask */ 4978 if (masklen > 32) 4979 bpf_error("mask length must be <= 32"); 4980 m = 0xffffffff << (32 - masklen); 4981 if ((n & ~m) != 0) 4982 bpf_error("non-network bits set in \"%s/%d\"", 4983 s1, masklen); 4984 } 4985 4986 switch (q.addr) { 4987 4988 case Q_NET: 4989 return gen_host(n, m, q.proto, q.dir); 4990 4991 default: 4992 bpf_error("Mask syntax for networks only"); 4993 /* NOTREACHED */ 4994 } 4995 /* NOTREACHED */ 4996 } 4997 4998 struct block * 4999 gen_ncode(s, v, q) 5000 register const char *s; 5001 bpf_u_int32 v; 5002 struct qual q; 5003 { 5004 bpf_u_int32 mask; 5005 int proto = q.proto; 5006 int dir = q.dir; 5007 register int vlen; 5008 5009 if (s == NULL) 5010 vlen = 32; 5011 else if (q.proto == Q_DECNET) 5012 vlen = __pcap_atodn(s, &v); 5013 else 5014 vlen = __pcap_atoin(s, &v); 5015 5016 switch (q.addr) { 5017 5018 case Q_DEFAULT: 5019 case Q_HOST: 5020 case Q_NET: 5021 if (proto == Q_DECNET) 5022 return gen_host(v, 0, proto, dir); 5023 else if (proto == Q_LINK) { 5024 bpf_error("illegal link layer address"); 5025 } else { 5026 mask = 0xffffffff; 5027 if (s == NULL && q.addr == Q_NET) { 5028 /* Promote short net number */ 5029 while (v && (v & 0xff000000) == 0) { 5030 v <<= 8; 5031 mask <<= 8; 5032 } 5033 } else { 5034 /* Promote short ipaddr */ 5035 v <<= 32 - vlen; 5036 mask <<= 32 - vlen; 5037 } 5038 return gen_host(v, mask, proto, dir); 5039 } 5040 5041 case Q_PORT: 5042 if (proto == Q_UDP) 5043 proto = IPPROTO_UDP; 5044 else if (proto == Q_TCP) 5045 proto = IPPROTO_TCP; 5046 else if (proto == Q_SCTP) 5047 proto = IPPROTO_SCTP; 5048 else if (proto == Q_DEFAULT) 5049 proto = PROTO_UNDEF; 5050 else 5051 bpf_error("illegal qualifier of 'port'"); 5052 5053 #ifndef INET6 5054 return gen_port((int)v, proto, dir); 5055 #else 5056 { 5057 struct block *b; 5058 b = gen_port((int)v, proto, dir); 5059 gen_or(gen_port6((int)v, proto, dir), b); 5060 return b; 5061 } 5062 #endif /* INET6 */ 5063 5064 case Q_PORTRANGE: 5065 if (proto == Q_UDP) 5066 proto = IPPROTO_UDP; 5067 else if (proto == Q_TCP) 5068 proto = IPPROTO_TCP; 5069 else if (proto == Q_SCTP) 5070 proto = IPPROTO_SCTP; 5071 else if (proto == Q_DEFAULT) 5072 proto = PROTO_UNDEF; 5073 else 5074 bpf_error("illegal qualifier of 'portrange'"); 5075 5076 #ifndef INET6 5077 return gen_portrange((int)v, (int)v, proto, dir); 5078 #else 5079 { 5080 struct block *b; 5081 b = gen_portrange((int)v, (int)v, proto, dir); 5082 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 5083 return b; 5084 } 5085 #endif /* INET6 */ 5086 5087 case Q_GATEWAY: 5088 bpf_error("'gateway' requires a name"); 5089 /* NOTREACHED */ 5090 5091 case Q_PROTO: 5092 return gen_proto((int)v, proto, dir); 5093 5094 case Q_PROTOCHAIN: 5095 return gen_protochain((int)v, proto, dir); 5096 5097 case Q_UNDEF: 5098 syntax(); 5099 /* NOTREACHED */ 5100 5101 default: 5102 abort(); 5103 /* NOTREACHED */ 5104 } 5105 /* NOTREACHED */ 5106 } 5107 5108 #ifdef INET6 5109 struct block * 5110 gen_mcode6(s1, s2, masklen, q) 5111 register const char *s1, *s2; 5112 register int masklen; 5113 struct qual q; 5114 { 5115 struct addrinfo *res; 5116 struct in6_addr *addr; 5117 struct in6_addr mask; 5118 struct block *b; 5119 u_int32_t *a, *m; 5120 5121 if (s2) 5122 bpf_error("no mask %s supported", s2); 5123 5124 res = pcap_nametoaddrinfo(s1); 5125 if (!res) 5126 bpf_error("invalid ip6 address %s", s1); 5127 if (res->ai_next) 5128 bpf_error("%s resolved to multiple address", s1); 5129 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 5130 5131 if (sizeof(mask) * 8 < masklen) 5132 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 5133 memset(&mask, 0, sizeof(mask)); 5134 memset(&mask, 0xff, masklen / 8); 5135 if (masklen % 8) { 5136 mask.s6_addr[masklen / 8] = 5137 (0xff << (8 - masklen % 8)) & 0xff; 5138 } 5139 5140 a = (u_int32_t *)addr; 5141 m = (u_int32_t *)&mask; 5142 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 5143 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 5144 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 5145 } 5146 5147 switch (q.addr) { 5148 5149 case Q_DEFAULT: 5150 case Q_HOST: 5151 if (masklen != 128) 5152 bpf_error("Mask syntax for networks only"); 5153 /* FALLTHROUGH */ 5154 5155 case Q_NET: 5156 b = gen_host6(addr, &mask, q.proto, q.dir); 5157 freeaddrinfo(res); 5158 return b; 5159 5160 default: 5161 bpf_error("invalid qualifier against IPv6 address"); 5162 /* NOTREACHED */ 5163 } 5164 } 5165 #endif /*INET6*/ 5166 5167 struct block * 5168 gen_ecode(eaddr, q) 5169 register const u_char *eaddr; 5170 struct qual q; 5171 { 5172 struct block *b, *tmp; 5173 5174 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 5175 if (linktype == DLT_EN10MB) 5176 return gen_ehostop(eaddr, (int)q.dir); 5177 if (linktype == DLT_FDDI) 5178 return gen_fhostop(eaddr, (int)q.dir); 5179 if (linktype == DLT_IEEE802) 5180 return gen_thostop(eaddr, (int)q.dir); 5181 if (linktype == DLT_IEEE802_11 || 5182 linktype == DLT_IEEE802_11_RADIO_AVS || 5183 linktype == DLT_IEEE802_11_RADIO || 5184 linktype == DLT_PRISM_HEADER) 5185 return gen_wlanhostop(eaddr, (int)q.dir); 5186 if (linktype == DLT_SUNATM && is_lane) { 5187 /* 5188 * Check that the packet doesn't begin with an 5189 * LE Control marker. (We've already generated 5190 * a test for LANE.) 5191 */ 5192 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 5193 0xFF00); 5194 gen_not(tmp); 5195 5196 /* 5197 * Now check the MAC address. 5198 */ 5199 b = gen_ehostop(eaddr, (int)q.dir); 5200 gen_and(tmp, b); 5201 return b; 5202 } 5203 if (linktype == DLT_IP_OVER_FC) 5204 return gen_ipfchostop(eaddr, (int)q.dir); 5205 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5206 } 5207 bpf_error("ethernet address used in non-ether expression"); 5208 /* NOTREACHED */ 5209 } 5210 5211 void 5212 sappend(s0, s1) 5213 struct slist *s0, *s1; 5214 { 5215 /* 5216 * This is definitely not the best way to do this, but the 5217 * lists will rarely get long. 5218 */ 5219 while (s0->next) 5220 s0 = s0->next; 5221 s0->next = s1; 5222 } 5223 5224 static struct slist * 5225 xfer_to_x(a) 5226 struct arth *a; 5227 { 5228 struct slist *s; 5229 5230 s = new_stmt(BPF_LDX|BPF_MEM); 5231 s->s.k = a->regno; 5232 return s; 5233 } 5234 5235 static struct slist * 5236 xfer_to_a(a) 5237 struct arth *a; 5238 { 5239 struct slist *s; 5240 5241 s = new_stmt(BPF_LD|BPF_MEM); 5242 s->s.k = a->regno; 5243 return s; 5244 } 5245 5246 /* 5247 * Modify "index" to use the value stored into its register as an 5248 * offset relative to the beginning of the header for the protocol 5249 * "proto", and allocate a register and put an item "size" bytes long 5250 * (1, 2, or 4) at that offset into that register, making it the register 5251 * for "index". 5252 */ 5253 struct arth * 5254 gen_load(proto, index, size) 5255 int proto; 5256 struct arth *index; 5257 int size; 5258 { 5259 struct slist *s, *tmp; 5260 struct block *b; 5261 int regno = alloc_reg(); 5262 5263 free_reg(index->regno); 5264 switch (size) { 5265 5266 default: 5267 bpf_error("data size must be 1, 2, or 4"); 5268 5269 case 1: 5270 size = BPF_B; 5271 break; 5272 5273 case 2: 5274 size = BPF_H; 5275 break; 5276 5277 case 4: 5278 size = BPF_W; 5279 break; 5280 } 5281 switch (proto) { 5282 default: 5283 bpf_error("unsupported index operation"); 5284 5285 case Q_RADIO: 5286 /* 5287 * The offset is relative to the beginning of the packet 5288 * data, if we have a radio header. (If we don't, this 5289 * is an error.) 5290 */ 5291 if (linktype != DLT_IEEE802_11_RADIO_AVS && 5292 linktype != DLT_IEEE802_11_RADIO && 5293 linktype != DLT_PRISM_HEADER) 5294 bpf_error("radio information not present in capture"); 5295 5296 /* 5297 * Load into the X register the offset computed into the 5298 * register specifed by "index". 5299 */ 5300 s = xfer_to_x(index); 5301 5302 /* 5303 * Load the item at that offset. 5304 */ 5305 tmp = new_stmt(BPF_LD|BPF_IND|size); 5306 sappend(s, tmp); 5307 sappend(index->s, s); 5308 break; 5309 5310 case Q_LINK: 5311 /* 5312 * The offset is relative to the beginning of 5313 * the link-layer header. 5314 * 5315 * XXX - what about ATM LANE? Should the index be 5316 * relative to the beginning of the AAL5 frame, so 5317 * that 0 refers to the beginning of the LE Control 5318 * field, or relative to the beginning of the LAN 5319 * frame, so that 0 refers, for Ethernet LANE, to 5320 * the beginning of the destination address? 5321 */ 5322 s = gen_llprefixlen(); 5323 5324 /* 5325 * If "s" is non-null, it has code to arrange that the 5326 * X register contains the length of the prefix preceding 5327 * the link-layer header. Add to it the offset computed 5328 * into the register specified by "index", and move that 5329 * into the X register. Otherwise, just load into the X 5330 * register the offset computed into the register specifed 5331 * by "index". 5332 */ 5333 if (s != NULL) { 5334 sappend(s, xfer_to_a(index)); 5335 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5336 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5337 } else 5338 s = xfer_to_x(index); 5339 5340 /* 5341 * Load the item at the sum of the offset we've put in the 5342 * X register and the offset of the start of the link 5343 * layer header (which is 0 if the radio header is 5344 * variable-length; that header length is what we put 5345 * into the X register and then added to the index). 5346 */ 5347 tmp = new_stmt(BPF_LD|BPF_IND|size); 5348 tmp->s.k = off_ll; 5349 sappend(s, tmp); 5350 sappend(index->s, s); 5351 break; 5352 5353 case Q_IP: 5354 case Q_ARP: 5355 case Q_RARP: 5356 case Q_ATALK: 5357 case Q_DECNET: 5358 case Q_SCA: 5359 case Q_LAT: 5360 case Q_MOPRC: 5361 case Q_MOPDL: 5362 #ifdef INET6 5363 case Q_IPV6: 5364 #endif 5365 /* 5366 * The offset is relative to the beginning of 5367 * the network-layer header. 5368 * XXX - are there any cases where we want 5369 * off_nl_nosnap? 5370 */ 5371 s = gen_llprefixlen(); 5372 5373 /* 5374 * If "s" is non-null, it has code to arrange that the 5375 * X register contains the length of the prefix preceding 5376 * the link-layer header. Add to it the offset computed 5377 * into the register specified by "index", and move that 5378 * into the X register. Otherwise, just load into the X 5379 * register the offset computed into the register specifed 5380 * by "index". 5381 */ 5382 if (s != NULL) { 5383 sappend(s, xfer_to_a(index)); 5384 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5385 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5386 } else 5387 s = xfer_to_x(index); 5388 5389 /* 5390 * Load the item at the sum of the offset we've put in the 5391 * X register and the offset of the start of the network 5392 * layer header. 5393 */ 5394 tmp = new_stmt(BPF_LD|BPF_IND|size); 5395 tmp->s.k = off_nl; 5396 sappend(s, tmp); 5397 sappend(index->s, s); 5398 5399 /* 5400 * Do the computation only if the packet contains 5401 * the protocol in question. 5402 */ 5403 b = gen_proto_abbrev(proto); 5404 if (index->b) 5405 gen_and(index->b, b); 5406 index->b = b; 5407 break; 5408 5409 case Q_SCTP: 5410 case Q_TCP: 5411 case Q_UDP: 5412 case Q_ICMP: 5413 case Q_IGMP: 5414 case Q_IGRP: 5415 case Q_PIM: 5416 case Q_VRRP: 5417 /* 5418 * The offset is relative to the beginning of 5419 * the transport-layer header. 5420 * XXX - are there any cases where we want 5421 * off_nl_nosnap? 5422 * XXX - we should, if we're built with 5423 * IPv6 support, generate code to load either 5424 * IPv4, IPv6, or both, as appropriate. 5425 */ 5426 s = gen_loadx_iphdrlen(); 5427 5428 /* 5429 * The X register now contains the sum of the offset 5430 * of the beginning of the link-layer header and 5431 * the length of the network-layer header. Load 5432 * into the A register the offset relative to 5433 * the beginning of the transport layer header, 5434 * add the X register to that, move that to the 5435 * X register, and load with an offset from the 5436 * X register equal to the offset of the network 5437 * layer header relative to the beginning of 5438 * the link-layer header. 5439 */ 5440 sappend(s, xfer_to_a(index)); 5441 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5442 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5443 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 5444 tmp->s.k = off_nl; 5445 sappend(index->s, s); 5446 5447 /* 5448 * Do the computation only if the packet contains 5449 * the protocol in question - which is true only 5450 * if this is an IP datagram and is the first or 5451 * only fragment of that datagram. 5452 */ 5453 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 5454 if (index->b) 5455 gen_and(index->b, b); 5456 #ifdef INET6 5457 gen_and(gen_proto_abbrev(Q_IP), b); 5458 #endif 5459 index->b = b; 5460 break; 5461 #ifdef INET6 5462 case Q_ICMPV6: 5463 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 5464 /*NOTREACHED*/ 5465 #endif 5466 } 5467 index->regno = regno; 5468 s = new_stmt(BPF_ST); 5469 s->s.k = regno; 5470 sappend(index->s, s); 5471 5472 return index; 5473 } 5474 5475 struct block * 5476 gen_relation(code, a0, a1, reversed) 5477 int code; 5478 struct arth *a0, *a1; 5479 int reversed; 5480 { 5481 struct slist *s0, *s1, *s2; 5482 struct block *b, *tmp; 5483 5484 s0 = xfer_to_x(a1); 5485 s1 = xfer_to_a(a0); 5486 if (code == BPF_JEQ) { 5487 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 5488 b = new_block(JMP(code)); 5489 sappend(s1, s2); 5490 } 5491 else 5492 b = new_block(BPF_JMP|code|BPF_X); 5493 if (reversed) 5494 gen_not(b); 5495 5496 sappend(s0, s1); 5497 sappend(a1->s, s0); 5498 sappend(a0->s, a1->s); 5499 5500 b->stmts = a0->s; 5501 5502 free_reg(a0->regno); 5503 free_reg(a1->regno); 5504 5505 /* 'and' together protocol checks */ 5506 if (a0->b) { 5507 if (a1->b) { 5508 gen_and(a0->b, tmp = a1->b); 5509 } 5510 else 5511 tmp = a0->b; 5512 } else 5513 tmp = a1->b; 5514 5515 if (tmp) 5516 gen_and(tmp, b); 5517 5518 return b; 5519 } 5520 5521 struct arth * 5522 gen_loadlen() 5523 { 5524 int regno = alloc_reg(); 5525 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 5526 struct slist *s; 5527 5528 s = new_stmt(BPF_LD|BPF_LEN); 5529 s->next = new_stmt(BPF_ST); 5530 s->next->s.k = regno; 5531 a->s = s; 5532 a->regno = regno; 5533 5534 return a; 5535 } 5536 5537 struct arth * 5538 gen_loadi(val) 5539 int val; 5540 { 5541 struct arth *a; 5542 struct slist *s; 5543 int reg; 5544 5545 a = (struct arth *)newchunk(sizeof(*a)); 5546 5547 reg = alloc_reg(); 5548 5549 s = new_stmt(BPF_LD|BPF_IMM); 5550 s->s.k = val; 5551 s->next = new_stmt(BPF_ST); 5552 s->next->s.k = reg; 5553 a->s = s; 5554 a->regno = reg; 5555 5556 return a; 5557 } 5558 5559 struct arth * 5560 gen_neg(a) 5561 struct arth *a; 5562 { 5563 struct slist *s; 5564 5565 s = xfer_to_a(a); 5566 sappend(a->s, s); 5567 s = new_stmt(BPF_ALU|BPF_NEG); 5568 s->s.k = 0; 5569 sappend(a->s, s); 5570 s = new_stmt(BPF_ST); 5571 s->s.k = a->regno; 5572 sappend(a->s, s); 5573 5574 return a; 5575 } 5576 5577 struct arth * 5578 gen_arth(code, a0, a1) 5579 int code; 5580 struct arth *a0, *a1; 5581 { 5582 struct slist *s0, *s1, *s2; 5583 5584 s0 = xfer_to_x(a1); 5585 s1 = xfer_to_a(a0); 5586 s2 = new_stmt(BPF_ALU|BPF_X|code); 5587 5588 sappend(s1, s2); 5589 sappend(s0, s1); 5590 sappend(a1->s, s0); 5591 sappend(a0->s, a1->s); 5592 5593 free_reg(a0->regno); 5594 free_reg(a1->regno); 5595 5596 s0 = new_stmt(BPF_ST); 5597 a0->regno = s0->s.k = alloc_reg(); 5598 sappend(a0->s, s0); 5599 5600 return a0; 5601 } 5602 5603 /* 5604 * Here we handle simple allocation of the scratch registers. 5605 * If too many registers are alloc'd, the allocator punts. 5606 */ 5607 static int regused[BPF_MEMWORDS]; 5608 static int curreg; 5609 5610 /* 5611 * Return the next free register. 5612 */ 5613 static int 5614 alloc_reg() 5615 { 5616 int n = BPF_MEMWORDS; 5617 5618 while (--n >= 0) { 5619 if (regused[curreg]) 5620 curreg = (curreg + 1) % BPF_MEMWORDS; 5621 else { 5622 regused[curreg] = 1; 5623 return curreg; 5624 } 5625 } 5626 bpf_error("too many registers needed to evaluate expression"); 5627 /* NOTREACHED */ 5628 } 5629 5630 /* 5631 * Return a register to the table so it can 5632 * be used later. 5633 */ 5634 static void 5635 free_reg(n) 5636 int n; 5637 { 5638 regused[n] = 0; 5639 } 5640 5641 static struct block * 5642 gen_len(jmp, n) 5643 int jmp, n; 5644 { 5645 struct slist *s; 5646 struct block *b; 5647 5648 s = new_stmt(BPF_LD|BPF_LEN); 5649 b = new_block(JMP(jmp)); 5650 b->stmts = s; 5651 b->s.k = n; 5652 5653 return b; 5654 } 5655 5656 struct block * 5657 gen_greater(n) 5658 int n; 5659 { 5660 return gen_len(BPF_JGE, n); 5661 } 5662 5663 /* 5664 * Actually, this is less than or equal. 5665 */ 5666 struct block * 5667 gen_less(n) 5668 int n; 5669 { 5670 struct block *b; 5671 5672 b = gen_len(BPF_JGT, n); 5673 gen_not(b); 5674 5675 return b; 5676 } 5677 5678 /* 5679 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 5680 * the beginning of the link-layer header. 5681 * XXX - that means you can't test values in the radiotap header, but 5682 * as that header is difficult if not impossible to parse generally 5683 * without a loop, that might not be a severe problem. A new keyword 5684 * "radio" could be added for that, although what you'd really want 5685 * would be a way of testing particular radio header values, which 5686 * would generate code appropriate to the radio header in question. 5687 */ 5688 struct block * 5689 gen_byteop(op, idx, val) 5690 int op, idx, val; 5691 { 5692 struct block *b; 5693 struct slist *s; 5694 5695 switch (op) { 5696 default: 5697 abort(); 5698 5699 case '=': 5700 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 5701 5702 case '<': 5703 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 5704 return b; 5705 5706 case '>': 5707 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 5708 return b; 5709 5710 case '|': 5711 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 5712 break; 5713 5714 case '&': 5715 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 5716 break; 5717 } 5718 s->s.k = val; 5719 b = new_block(JMP(BPF_JEQ)); 5720 b->stmts = s; 5721 gen_not(b); 5722 5723 return b; 5724 } 5725 5726 static u_char abroadcast[] = { 0x0 }; 5727 5728 struct block * 5729 gen_broadcast(proto) 5730 int proto; 5731 { 5732 bpf_u_int32 hostmask; 5733 struct block *b0, *b1, *b2; 5734 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 5735 5736 switch (proto) { 5737 5738 case Q_DEFAULT: 5739 case Q_LINK: 5740 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX) 5741 return gen_ahostop(abroadcast, Q_DST); 5742 if (linktype == DLT_EN10MB) 5743 return gen_ehostop(ebroadcast, Q_DST); 5744 if (linktype == DLT_FDDI) 5745 return gen_fhostop(ebroadcast, Q_DST); 5746 if (linktype == DLT_IEEE802) 5747 return gen_thostop(ebroadcast, Q_DST); 5748 if (linktype == DLT_IEEE802_11 || 5749 linktype == DLT_IEEE802_11_RADIO_AVS || 5750 linktype == DLT_IEEE802_11_RADIO || 5751 linktype == DLT_PRISM_HEADER) 5752 return gen_wlanhostop(ebroadcast, Q_DST); 5753 if (linktype == DLT_IP_OVER_FC) 5754 return gen_ipfchostop(ebroadcast, Q_DST); 5755 if (linktype == DLT_SUNATM && is_lane) { 5756 /* 5757 * Check that the packet doesn't begin with an 5758 * LE Control marker. (We've already generated 5759 * a test for LANE.) 5760 */ 5761 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 5762 0xFF00); 5763 gen_not(b1); 5764 5765 /* 5766 * Now check the MAC address. 5767 */ 5768 b0 = gen_ehostop(ebroadcast, Q_DST); 5769 gen_and(b1, b0); 5770 return b0; 5771 } 5772 bpf_error("not a broadcast link"); 5773 break; 5774 5775 case Q_IP: 5776 b0 = gen_linktype(ETHERTYPE_IP); 5777 hostmask = ~netmask; 5778 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 5779 b2 = gen_mcmp(OR_NET, 16, BPF_W, 5780 (bpf_int32)(~0 & hostmask), hostmask); 5781 gen_or(b1, b2); 5782 gen_and(b0, b2); 5783 return b2; 5784 } 5785 bpf_error("only link-layer/IP broadcast filters supported"); 5786 /* NOTREACHED */ 5787 } 5788 5789 /* 5790 * Generate code to test the low-order bit of a MAC address (that's 5791 * the bottom bit of the *first* byte). 5792 */ 5793 static struct block * 5794 gen_mac_multicast(offset) 5795 int offset; 5796 { 5797 register struct block *b0; 5798 register struct slist *s; 5799 5800 /* link[offset] & 1 != 0 */ 5801 s = gen_load_a(OR_LINK, offset, BPF_B); 5802 b0 = new_block(JMP(BPF_JSET)); 5803 b0->s.k = 1; 5804 b0->stmts = s; 5805 return b0; 5806 } 5807 5808 struct block * 5809 gen_multicast(proto) 5810 int proto; 5811 { 5812 register struct block *b0, *b1, *b2; 5813 register struct slist *s; 5814 5815 switch (proto) { 5816 5817 case Q_DEFAULT: 5818 case Q_LINK: 5819 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX) 5820 /* all ARCnet multicasts use the same address */ 5821 return gen_ahostop(abroadcast, Q_DST); 5822 5823 if (linktype == DLT_EN10MB) { 5824 /* ether[0] & 1 != 0 */ 5825 return gen_mac_multicast(0); 5826 } 5827 5828 if (linktype == DLT_FDDI) { 5829 /* 5830 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 5831 * 5832 * XXX - was that referring to bit-order issues? 5833 */ 5834 /* fddi[1] & 1 != 0 */ 5835 return gen_mac_multicast(1); 5836 } 5837 5838 if (linktype == DLT_IEEE802) { 5839 /* tr[2] & 1 != 0 */ 5840 return gen_mac_multicast(2); 5841 } 5842 5843 if (linktype == DLT_IEEE802_11 || 5844 linktype == DLT_IEEE802_11_RADIO_AVS || 5845 linktype == DLT_IEEE802_11_RADIO || 5846 linktype == DLT_PRISM_HEADER) { 5847 /* 5848 * Oh, yuk. 5849 * 5850 * For control frames, there is no DA. 5851 * 5852 * For management frames, DA is at an 5853 * offset of 4 from the beginning of 5854 * the packet. 5855 * 5856 * For data frames, DA is at an offset 5857 * of 4 from the beginning of the packet 5858 * if To DS is clear and at an offset of 5859 * 16 from the beginning of the packet 5860 * if To DS is set. 5861 */ 5862 5863 /* 5864 * Generate the tests to be done for data frames. 5865 * 5866 * First, check for To DS set, i.e. "link[1] & 0x01". 5867 */ 5868 s = gen_load_a(OR_LINK, 1, BPF_B); 5869 b1 = new_block(JMP(BPF_JSET)); 5870 b1->s.k = 0x01; /* To DS */ 5871 b1->stmts = s; 5872 5873 /* 5874 * If To DS is set, the DA is at 16. 5875 */ 5876 b0 = gen_mac_multicast(16); 5877 gen_and(b1, b0); 5878 5879 /* 5880 * Now, check for To DS not set, i.e. check 5881 * "!(link[1] & 0x01)". 5882 */ 5883 s = gen_load_a(OR_LINK, 1, BPF_B); 5884 b2 = new_block(JMP(BPF_JSET)); 5885 b2->s.k = 0x01; /* To DS */ 5886 b2->stmts = s; 5887 gen_not(b2); 5888 5889 /* 5890 * If To DS is not set, the DA is at 4. 5891 */ 5892 b1 = gen_mac_multicast(4); 5893 gen_and(b2, b1); 5894 5895 /* 5896 * Now OR together the last two checks. That gives 5897 * the complete set of checks for data frames. 5898 */ 5899 gen_or(b1, b0); 5900 5901 /* 5902 * Now check for a data frame. 5903 * I.e, check "link[0] & 0x08". 5904 */ 5905 s = gen_load_a(OR_LINK, 0, BPF_B); 5906 b1 = new_block(JMP(BPF_JSET)); 5907 b1->s.k = 0x08; 5908 b1->stmts = s; 5909 5910 /* 5911 * AND that with the checks done for data frames. 5912 */ 5913 gen_and(b1, b0); 5914 5915 /* 5916 * If the high-order bit of the type value is 0, this 5917 * is a management frame. 5918 * I.e, check "!(link[0] & 0x08)". 5919 */ 5920 s = gen_load_a(OR_LINK, 0, BPF_B); 5921 b2 = new_block(JMP(BPF_JSET)); 5922 b2->s.k = 0x08; 5923 b2->stmts = s; 5924 gen_not(b2); 5925 5926 /* 5927 * For management frames, the DA is at 4. 5928 */ 5929 b1 = gen_mac_multicast(4); 5930 gen_and(b2, b1); 5931 5932 /* 5933 * OR that with the checks done for data frames. 5934 * That gives the checks done for management and 5935 * data frames. 5936 */ 5937 gen_or(b1, b0); 5938 5939 /* 5940 * If the low-order bit of the type value is 1, 5941 * this is either a control frame or a frame 5942 * with a reserved type, and thus not a 5943 * frame with an SA. 5944 * 5945 * I.e., check "!(link[0] & 0x04)". 5946 */ 5947 s = gen_load_a(OR_LINK, 0, BPF_B); 5948 b1 = new_block(JMP(BPF_JSET)); 5949 b1->s.k = 0x04; 5950 b1->stmts = s; 5951 gen_not(b1); 5952 5953 /* 5954 * AND that with the checks for data and management 5955 * frames. 5956 */ 5957 gen_and(b1, b0); 5958 return b0; 5959 } 5960 5961 if (linktype == DLT_IP_OVER_FC) { 5962 b0 = gen_mac_multicast(2); 5963 return b0; 5964 } 5965 5966 if (linktype == DLT_SUNATM && is_lane) { 5967 /* 5968 * Check that the packet doesn't begin with an 5969 * LE Control marker. (We've already generated 5970 * a test for LANE.) 5971 */ 5972 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 5973 0xFF00); 5974 gen_not(b1); 5975 5976 /* ether[off_mac] & 1 != 0 */ 5977 b0 = gen_mac_multicast(off_mac); 5978 gen_and(b1, b0); 5979 return b0; 5980 } 5981 5982 /* Link not known to support multicasts */ 5983 break; 5984 5985 case Q_IP: 5986 b0 = gen_linktype(ETHERTYPE_IP); 5987 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 5988 gen_and(b0, b1); 5989 return b1; 5990 5991 #ifdef INET6 5992 case Q_IPV6: 5993 b0 = gen_linktype(ETHERTYPE_IPV6); 5994 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 5995 gen_and(b0, b1); 5996 return b1; 5997 #endif /* INET6 */ 5998 } 5999 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 6000 /* NOTREACHED */ 6001 } 6002 6003 /* 6004 * generate command for inbound/outbound. It's here so we can 6005 * make it link-type specific. 'dir' = 0 implies "inbound", 6006 * = 1 implies "outbound". 6007 */ 6008 struct block * 6009 gen_inbound(dir) 6010 int dir; 6011 { 6012 register struct block *b0; 6013 6014 /* 6015 * Only some data link types support inbound/outbound qualifiers. 6016 */ 6017 switch (linktype) { 6018 case DLT_SLIP: 6019 b0 = gen_relation(BPF_JEQ, 6020 gen_load(Q_LINK, gen_loadi(0), 1), 6021 gen_loadi(0), 6022 dir); 6023 break; 6024 6025 case DLT_LINUX_SLL: 6026 if (dir) { 6027 /* 6028 * Match packets sent by this machine. 6029 */ 6030 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 6031 } else { 6032 /* 6033 * Match packets sent to this machine. 6034 * (No broadcast or multicast packets, or 6035 * packets sent to some other machine and 6036 * received promiscuously.) 6037 * 6038 * XXX - packets sent to other machines probably 6039 * shouldn't be matched, but what about broadcast 6040 * or multicast packets we received? 6041 */ 6042 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 6043 } 6044 break; 6045 6046 case DLT_PFLOG: 6047 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 6048 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 6049 break; 6050 6051 case DLT_PPP_PPPD: 6052 if (dir) { 6053 /* match outgoing packets */ 6054 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 6055 } else { 6056 /* match incoming packets */ 6057 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 6058 } 6059 break; 6060 6061 case DLT_JUNIPER_MFR: 6062 case DLT_JUNIPER_MLFR: 6063 case DLT_JUNIPER_MLPPP: 6064 case DLT_JUNIPER_ATM1: 6065 case DLT_JUNIPER_ATM2: 6066 case DLT_JUNIPER_PPPOE: 6067 case DLT_JUNIPER_PPPOE_ATM: 6068 case DLT_JUNIPER_GGSN: 6069 case DLT_JUNIPER_ES: 6070 case DLT_JUNIPER_MONITOR: 6071 case DLT_JUNIPER_SERVICES: 6072 case DLT_JUNIPER_ETHER: 6073 case DLT_JUNIPER_PPP: 6074 case DLT_JUNIPER_FRELAY: 6075 case DLT_JUNIPER_CHDLC: 6076 /* juniper flags (including direction) are stored 6077 * the byte after the 3-byte magic number */ 6078 if (dir) { 6079 /* match outgoing packets */ 6080 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 6081 } else { 6082 /* match incoming packets */ 6083 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 6084 } 6085 break; 6086 6087 default: 6088 bpf_error("inbound/outbound not supported on linktype %d", 6089 linktype); 6090 b0 = NULL; 6091 /* NOTREACHED */ 6092 } 6093 return (b0); 6094 } 6095 6096 /* PF firewall log matched interface */ 6097 struct block * 6098 gen_pf_ifname(const char *ifname) 6099 { 6100 struct block *b0; 6101 u_int len, off; 6102 6103 if (linktype == DLT_PFLOG) { 6104 len = sizeof(((struct pfloghdr *)0)->ifname); 6105 off = offsetof(struct pfloghdr, ifname); 6106 } else { 6107 bpf_error("ifname not supported on linktype 0x%x", linktype); 6108 /* NOTREACHED */ 6109 } 6110 if (strlen(ifname) >= len) { 6111 bpf_error("ifname interface names can only be %d characters", 6112 len-1); 6113 /* NOTREACHED */ 6114 } 6115 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 6116 return (b0); 6117 } 6118 6119 /* PF firewall log ruleset name */ 6120 struct block * 6121 gen_pf_ruleset(char *ruleset) 6122 { 6123 struct block *b0; 6124 6125 if (linktype != DLT_PFLOG) { 6126 bpf_error("ruleset not supported on linktype 0x%x", linktype); 6127 /* NOTREACHED */ 6128 } 6129 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 6130 bpf_error("ruleset names can only be %ld characters", 6131 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 6132 /* NOTREACHED */ 6133 } 6134 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 6135 strlen(ruleset), (const u_char *)ruleset); 6136 return (b0); 6137 } 6138 6139 /* PF firewall log rule number */ 6140 struct block * 6141 gen_pf_rnr(int rnr) 6142 { 6143 struct block *b0; 6144 6145 if (linktype == DLT_PFLOG) { 6146 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 6147 (bpf_int32)rnr); 6148 } else { 6149 bpf_error("rnr not supported on linktype 0x%x", linktype); 6150 /* NOTREACHED */ 6151 } 6152 6153 return (b0); 6154 } 6155 6156 /* PF firewall log sub-rule number */ 6157 struct block * 6158 gen_pf_srnr(int srnr) 6159 { 6160 struct block *b0; 6161 6162 if (linktype != DLT_PFLOG) { 6163 bpf_error("srnr not supported on linktype 0x%x", linktype); 6164 /* NOTREACHED */ 6165 } 6166 6167 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 6168 (bpf_int32)srnr); 6169 return (b0); 6170 } 6171 6172 /* PF firewall log reason code */ 6173 struct block * 6174 gen_pf_reason(int reason) 6175 { 6176 struct block *b0; 6177 6178 if (linktype == DLT_PFLOG) { 6179 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 6180 (bpf_int32)reason); 6181 } else { 6182 bpf_error("reason not supported on linktype 0x%x", linktype); 6183 /* NOTREACHED */ 6184 } 6185 6186 return (b0); 6187 } 6188 6189 /* PF firewall log action */ 6190 struct block * 6191 gen_pf_action(int action) 6192 { 6193 struct block *b0; 6194 6195 if (linktype == DLT_PFLOG) { 6196 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 6197 (bpf_int32)action); 6198 } else { 6199 bpf_error("action not supported on linktype 0x%x", linktype); 6200 /* NOTREACHED */ 6201 } 6202 6203 return (b0); 6204 } 6205 6206 struct block * 6207 gen_acode(eaddr, q) 6208 register const u_char *eaddr; 6209 struct qual q; 6210 { 6211 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6212 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX) 6213 return gen_ahostop(eaddr, (int)q.dir); 6214 } 6215 bpf_error("ARCnet address used in non-arc expression"); 6216 /* NOTREACHED */ 6217 } 6218 6219 static struct block * 6220 gen_ahostop(eaddr, dir) 6221 register const u_char *eaddr; 6222 register int dir; 6223 { 6224 register struct block *b0, *b1; 6225 6226 switch (dir) { 6227 /* src comes first, different from Ethernet */ 6228 case Q_SRC: 6229 return gen_bcmp(OR_LINK, 0, 1, eaddr); 6230 6231 case Q_DST: 6232 return gen_bcmp(OR_LINK, 1, 1, eaddr); 6233 6234 case Q_AND: 6235 b0 = gen_ahostop(eaddr, Q_SRC); 6236 b1 = gen_ahostop(eaddr, Q_DST); 6237 gen_and(b0, b1); 6238 return b1; 6239 6240 case Q_DEFAULT: 6241 case Q_OR: 6242 b0 = gen_ahostop(eaddr, Q_SRC); 6243 b1 = gen_ahostop(eaddr, Q_DST); 6244 gen_or(b0, b1); 6245 return b1; 6246 } 6247 abort(); 6248 /* NOTREACHED */ 6249 } 6250 6251 /* 6252 * support IEEE 802.1Q VLAN trunk over ethernet 6253 */ 6254 struct block * 6255 gen_vlan(vlan_num) 6256 int vlan_num; 6257 { 6258 struct block *b0, *b1; 6259 6260 /* can't check for VLAN-encapsulated packets inside MPLS */ 6261 if (label_stack_depth > 0) 6262 bpf_error("no VLAN match after MPLS"); 6263 6264 /* 6265 * Change the offsets to point to the type and data fields within 6266 * the VLAN packet. Just increment the offsets, so that we 6267 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to 6268 * capture VLAN 200 encapsulated within VLAN 100. 6269 * 6270 * XXX - this is a bit of a kludge. If we were to split the 6271 * compiler into a parser that parses an expression and 6272 * generates an expression tree, and a code generator that 6273 * takes an expression tree (which could come from our 6274 * parser or from some other parser) and generates BPF code, 6275 * we could perhaps make the offsets parameters of routines 6276 * and, in the handler for an "AND" node, pass to subnodes 6277 * other than the VLAN node the adjusted offsets. 6278 * 6279 * This would mean that "vlan" would, instead of changing the 6280 * behavior of *all* tests after it, change only the behavior 6281 * of tests ANDed with it. That would change the documented 6282 * semantics of "vlan", which might break some expressions. 6283 * However, it would mean that "(vlan and ip) or ip" would check 6284 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 6285 * checking only for VLAN-encapsulated IP, so that could still 6286 * be considered worth doing; it wouldn't break expressions 6287 * that are of the form "vlan and ..." or "vlan N and ...", 6288 * which I suspect are the most common expressions involving 6289 * "vlan". "vlan or ..." doesn't necessarily do what the user 6290 * would really want, now, as all the "or ..." tests would 6291 * be done assuming a VLAN, even though the "or" could be viewed 6292 * as meaning "or, if this isn't a VLAN packet...". 6293 */ 6294 orig_linktype = off_linktype; /* save original values */ 6295 orig_nl = off_nl; 6296 6297 switch (linktype) { 6298 6299 case DLT_EN10MB: 6300 off_linktype += 4; 6301 off_nl_nosnap += 4; 6302 off_nl += 4; 6303 break; 6304 6305 default: 6306 bpf_error("no VLAN support for data link type %d", 6307 linktype); 6308 /*NOTREACHED*/ 6309 } 6310 6311 /* check for VLAN */ 6312 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q); 6313 6314 /* If a specific VLAN is requested, check VLAN id */ 6315 if (vlan_num >= 0) { 6316 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num, 6317 0x0fff); 6318 gen_and(b0, b1); 6319 b0 = b1; 6320 } 6321 6322 return (b0); 6323 } 6324 6325 /* 6326 * support for MPLS 6327 */ 6328 struct block * 6329 gen_mpls(label_num) 6330 int label_num; 6331 { 6332 struct block *b0,*b1; 6333 6334 /* 6335 * Change the offsets to point to the type and data fields within 6336 * the MPLS packet. Just increment the offsets, so that we 6337 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 6338 * capture packets with an outer label of 100000 and an inner 6339 * label of 1024. 6340 * 6341 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 6342 */ 6343 orig_nl = off_nl; 6344 6345 if (label_stack_depth > 0) { 6346 /* just match the bottom-of-stack bit clear */ 6347 b0 = gen_mcmp(OR_LINK, orig_nl-2, BPF_B, 0, 0x01); 6348 } else { 6349 /* 6350 * Indicate that we're checking MPLS-encapsulated headers, 6351 * to make sure higher level code generators don't try to 6352 * match against IP-related protocols such as Q_ARP, Q_RARP 6353 * etc. 6354 */ 6355 switch (linktype) { 6356 6357 case DLT_C_HDLC: /* fall through */ 6358 case DLT_EN10MB: 6359 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 6360 (bpf_int32)ETHERTYPE_MPLS); 6361 break; 6362 6363 case DLT_PPP: 6364 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 6365 (bpf_int32)PPP_MPLS_UCAST); 6366 break; 6367 6368 /* FIXME add other DLT_s ... 6369 * for Frame-Relay/and ATM this may get messy due to SNAP headers 6370 * leave it for now */ 6371 6372 default: 6373 bpf_error("no MPLS support for data link type %d", 6374 linktype); 6375 b0 = NULL; 6376 /*NOTREACHED*/ 6377 break; 6378 } 6379 } 6380 6381 /* If a specific MPLS label is requested, check it */ 6382 if (label_num >= 0) { 6383 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 6384 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num, 6385 0xfffff000); /* only compare the first 20 bits */ 6386 gen_and(b0, b1); 6387 b0 = b1; 6388 } 6389 6390 off_nl_nosnap += 4; 6391 off_nl += 4; 6392 label_stack_depth++; 6393 return (b0); 6394 } 6395 6396 /* 6397 * Support PPPOE discovery and session. 6398 */ 6399 struct block * 6400 gen_pppoed() 6401 { 6402 /* check for PPPoE discovery */ 6403 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 6404 } 6405 6406 struct block * 6407 gen_pppoes() 6408 { 6409 struct block *b0; 6410 6411 /* 6412 * Test against the PPPoE session link-layer type. 6413 */ 6414 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 6415 6416 /* 6417 * Change the offsets to point to the type and data fields within 6418 * the PPP packet. 6419 * 6420 * XXX - this is a bit of a kludge. If we were to split the 6421 * compiler into a parser that parses an expression and 6422 * generates an expression tree, and a code generator that 6423 * takes an expression tree (which could come from our 6424 * parser or from some other parser) and generates BPF code, 6425 * we could perhaps make the offsets parameters of routines 6426 * and, in the handler for an "AND" node, pass to subnodes 6427 * other than the PPPoE node the adjusted offsets. 6428 * 6429 * This would mean that "pppoes" would, instead of changing the 6430 * behavior of *all* tests after it, change only the behavior 6431 * of tests ANDed with it. That would change the documented 6432 * semantics of "pppoes", which might break some expressions. 6433 * However, it would mean that "(pppoes and ip) or ip" would check 6434 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 6435 * checking only for VLAN-encapsulated IP, so that could still 6436 * be considered worth doing; it wouldn't break expressions 6437 * that are of the form "pppoes and ..." which I suspect are the 6438 * most common expressions involving "pppoes". "pppoes or ..." 6439 * doesn't necessarily do what the user would really want, now, 6440 * as all the "or ..." tests would be done assuming PPPoE, even 6441 * though the "or" could be viewed as meaning "or, if this isn't 6442 * a PPPoE packet...". 6443 */ 6444 orig_linktype = off_linktype; /* save original values */ 6445 orig_nl = off_nl; 6446 6447 /* 6448 * The "network-layer" protocol is PPPoE, which has a 6-byte 6449 * PPPoE header, followed by PPP payload, so we set the 6450 * offsets to the network layer offset plus 6 bytes for 6451 * the PPPoE header plus the values appropriate for PPP when 6452 * encapsulated in Ethernet (which means there's no HDLC 6453 * encapsulation). 6454 */ 6455 off_linktype = orig_nl + 6; 6456 off_nl = orig_nl + 6 + 2; 6457 off_nl_nosnap = orig_nl + 6 + 2; 6458 6459 /* 6460 * Set the link-layer type to PPP, as all subsequent tests will 6461 * be on the encapsulated PPP header. 6462 */ 6463 linktype = DLT_PPP; 6464 6465 return b0; 6466 } 6467 6468 struct block * 6469 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 6470 int atmfield; 6471 bpf_int32 jvalue; 6472 bpf_u_int32 jtype; 6473 int reverse; 6474 { 6475 struct block *b0; 6476 6477 switch (atmfield) { 6478 6479 case A_VPI: 6480 if (!is_atm) 6481 bpf_error("'vpi' supported only on raw ATM"); 6482 if (off_vpi == (u_int)-1) 6483 abort(); 6484 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 6485 reverse, jvalue); 6486 break; 6487 6488 case A_VCI: 6489 if (!is_atm) 6490 bpf_error("'vci' supported only on raw ATM"); 6491 if (off_vci == (u_int)-1) 6492 abort(); 6493 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 6494 reverse, jvalue); 6495 break; 6496 6497 case A_PROTOTYPE: 6498 if (off_proto == (u_int)-1) 6499 abort(); /* XXX - this isn't on FreeBSD */ 6500 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 6501 reverse, jvalue); 6502 break; 6503 6504 case A_MSGTYPE: 6505 if (off_payload == (u_int)-1) 6506 abort(); 6507 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 6508 0xffffffff, jtype, reverse, jvalue); 6509 break; 6510 6511 case A_CALLREFTYPE: 6512 if (!is_atm) 6513 bpf_error("'callref' supported only on raw ATM"); 6514 if (off_proto == (u_int)-1) 6515 abort(); 6516 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 6517 jtype, reverse, jvalue); 6518 break; 6519 6520 default: 6521 abort(); 6522 } 6523 return b0; 6524 } 6525 6526 struct block * 6527 gen_atmtype_abbrev(type) 6528 int type; 6529 { 6530 struct block *b0, *b1; 6531 6532 switch (type) { 6533 6534 case A_METAC: 6535 /* Get all packets in Meta signalling Circuit */ 6536 if (!is_atm) 6537 bpf_error("'metac' supported only on raw ATM"); 6538 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6539 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 6540 gen_and(b0, b1); 6541 break; 6542 6543 case A_BCC: 6544 /* Get all packets in Broadcast Circuit*/ 6545 if (!is_atm) 6546 bpf_error("'bcc' supported only on raw ATM"); 6547 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6548 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 6549 gen_and(b0, b1); 6550 break; 6551 6552 case A_OAMF4SC: 6553 /* Get all cells in Segment OAM F4 circuit*/ 6554 if (!is_atm) 6555 bpf_error("'oam4sc' supported only on raw ATM"); 6556 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6557 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 6558 gen_and(b0, b1); 6559 break; 6560 6561 case A_OAMF4EC: 6562 /* Get all cells in End-to-End OAM F4 Circuit*/ 6563 if (!is_atm) 6564 bpf_error("'oam4ec' supported only on raw ATM"); 6565 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6566 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 6567 gen_and(b0, b1); 6568 break; 6569 6570 case A_SC: 6571 /* Get all packets in connection Signalling Circuit */ 6572 if (!is_atm) 6573 bpf_error("'sc' supported only on raw ATM"); 6574 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6575 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 6576 gen_and(b0, b1); 6577 break; 6578 6579 case A_ILMIC: 6580 /* Get all packets in ILMI Circuit */ 6581 if (!is_atm) 6582 bpf_error("'ilmic' supported only on raw ATM"); 6583 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6584 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 6585 gen_and(b0, b1); 6586 break; 6587 6588 case A_LANE: 6589 /* Get all LANE packets */ 6590 if (!is_atm) 6591 bpf_error("'lane' supported only on raw ATM"); 6592 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 6593 6594 /* 6595 * Arrange that all subsequent tests assume LANE 6596 * rather than LLC-encapsulated packets, and set 6597 * the offsets appropriately for LANE-encapsulated 6598 * Ethernet. 6599 * 6600 * "off_mac" is the offset of the Ethernet header, 6601 * which is 2 bytes past the ATM pseudo-header 6602 * (skipping the pseudo-header and 2-byte LE Client 6603 * field). The other offsets are Ethernet offsets 6604 * relative to "off_mac". 6605 */ 6606 is_lane = 1; 6607 off_mac = off_payload + 2; /* MAC header */ 6608 off_linktype = off_mac + 12; 6609 off_nl = off_mac + 14; /* Ethernet II */ 6610 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */ 6611 break; 6612 6613 case A_LLC: 6614 /* Get all LLC-encapsulated packets */ 6615 if (!is_atm) 6616 bpf_error("'llc' supported only on raw ATM"); 6617 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 6618 is_lane = 0; 6619 break; 6620 6621 default: 6622 abort(); 6623 } 6624 return b1; 6625 } 6626 6627 struct block * 6628 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 6629 int mtp3field; 6630 bpf_u_int32 jvalue; 6631 bpf_u_int32 jtype; 6632 int reverse; 6633 { 6634 struct block *b0; 6635 bpf_u_int32 val1 , val2 , val3; 6636 6637 switch (mtp3field) { 6638 6639 case M_SIO: 6640 if (off_sio == (u_int)-1) 6641 bpf_error("'sio' supported only on SS7"); 6642 /* sio coded on 1 byte so max value 255 */ 6643 if(jvalue > 255) 6644 bpf_error("sio value %u too big; max value = 255", 6645 jvalue); 6646 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 6647 (u_int)jtype, reverse, (u_int)jvalue); 6648 break; 6649 6650 case M_OPC: 6651 if (off_opc == (u_int)-1) 6652 bpf_error("'opc' supported only on SS7"); 6653 /* opc coded on 14 bits so max value 16383 */ 6654 if (jvalue > 16383) 6655 bpf_error("opc value %u too big; max value = 16383", 6656 jvalue); 6657 /* the following instructions are made to convert jvalue 6658 * to the form used to write opc in an ss7 message*/ 6659 val1 = jvalue & 0x00003c00; 6660 val1 = val1 >>10; 6661 val2 = jvalue & 0x000003fc; 6662 val2 = val2 <<6; 6663 val3 = jvalue & 0x00000003; 6664 val3 = val3 <<22; 6665 jvalue = val1 + val2 + val3; 6666 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 6667 (u_int)jtype, reverse, (u_int)jvalue); 6668 break; 6669 6670 case M_DPC: 6671 if (off_dpc == (u_int)-1) 6672 bpf_error("'dpc' supported only on SS7"); 6673 /* dpc coded on 14 bits so max value 16383 */ 6674 if (jvalue > 16383) 6675 bpf_error("dpc value %u too big; max value = 16383", 6676 jvalue); 6677 /* the following instructions are made to convert jvalue 6678 * to the forme used to write dpc in an ss7 message*/ 6679 val1 = jvalue & 0x000000ff; 6680 val1 = val1 << 24; 6681 val2 = jvalue & 0x00003f00; 6682 val2 = val2 << 8; 6683 jvalue = val1 + val2; 6684 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 6685 (u_int)jtype, reverse, (u_int)jvalue); 6686 break; 6687 6688 case M_SLS: 6689 if (off_sls == (u_int)-1) 6690 bpf_error("'sls' supported only on SS7"); 6691 /* sls coded on 4 bits so max value 15 */ 6692 if (jvalue > 15) 6693 bpf_error("sls value %u too big; max value = 15", 6694 jvalue); 6695 /* the following instruction is made to convert jvalue 6696 * to the forme used to write sls in an ss7 message*/ 6697 jvalue = jvalue << 4; 6698 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 6699 (u_int)jtype,reverse, (u_int)jvalue); 6700 break; 6701 6702 default: 6703 abort(); 6704 } 6705 return b0; 6706 } 6707 6708 static struct block * 6709 gen_msg_abbrev(type) 6710 int type; 6711 { 6712 struct block *b1; 6713 6714 /* 6715 * Q.2931 signalling protocol messages for handling virtual circuits 6716 * establishment and teardown 6717 */ 6718 switch (type) { 6719 6720 case A_SETUP: 6721 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 6722 break; 6723 6724 case A_CALLPROCEED: 6725 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 6726 break; 6727 6728 case A_CONNECT: 6729 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 6730 break; 6731 6732 case A_CONNECTACK: 6733 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 6734 break; 6735 6736 case A_RELEASE: 6737 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 6738 break; 6739 6740 case A_RELEASE_DONE: 6741 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 6742 break; 6743 6744 default: 6745 abort(); 6746 } 6747 return b1; 6748 } 6749 6750 struct block * 6751 gen_atmmulti_abbrev(type) 6752 int type; 6753 { 6754 struct block *b0, *b1; 6755 6756 switch (type) { 6757 6758 case A_OAM: 6759 if (!is_atm) 6760 bpf_error("'oam' supported only on raw ATM"); 6761 b1 = gen_atmmulti_abbrev(A_OAMF4); 6762 break; 6763 6764 case A_OAMF4: 6765 if (!is_atm) 6766 bpf_error("'oamf4' supported only on raw ATM"); 6767 /* OAM F4 type */ 6768 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 6769 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 6770 gen_or(b0, b1); 6771 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6772 gen_and(b0, b1); 6773 break; 6774 6775 case A_CONNECTMSG: 6776 /* 6777 * Get Q.2931 signalling messages for switched 6778 * virtual connection 6779 */ 6780 if (!is_atm) 6781 bpf_error("'connectmsg' supported only on raw ATM"); 6782 b0 = gen_msg_abbrev(A_SETUP); 6783 b1 = gen_msg_abbrev(A_CALLPROCEED); 6784 gen_or(b0, b1); 6785 b0 = gen_msg_abbrev(A_CONNECT); 6786 gen_or(b0, b1); 6787 b0 = gen_msg_abbrev(A_CONNECTACK); 6788 gen_or(b0, b1); 6789 b0 = gen_msg_abbrev(A_RELEASE); 6790 gen_or(b0, b1); 6791 b0 = gen_msg_abbrev(A_RELEASE_DONE); 6792 gen_or(b0, b1); 6793 b0 = gen_atmtype_abbrev(A_SC); 6794 gen_and(b0, b1); 6795 break; 6796 6797 case A_METACONNECT: 6798 if (!is_atm) 6799 bpf_error("'metaconnect' supported only on raw ATM"); 6800 b0 = gen_msg_abbrev(A_SETUP); 6801 b1 = gen_msg_abbrev(A_CALLPROCEED); 6802 gen_or(b0, b1); 6803 b0 = gen_msg_abbrev(A_CONNECT); 6804 gen_or(b0, b1); 6805 b0 = gen_msg_abbrev(A_RELEASE); 6806 gen_or(b0, b1); 6807 b0 = gen_msg_abbrev(A_RELEASE_DONE); 6808 gen_or(b0, b1); 6809 b0 = gen_atmtype_abbrev(A_METAC); 6810 gen_and(b0, b1); 6811 break; 6812 6813 default: 6814 abort(); 6815 } 6816 return b1; 6817 } 6818