1 /* 2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that: (1) source code distributions 7 * retain the above copyright notice and this paragraph in its entirety, (2) 8 * distributions including binary code include the above copyright notice and 9 * this paragraph in its entirety in the documentation or other materials 10 * provided with the distribution, and (3) all advertising materials mentioning 11 * features or use of this software display the following acknowledgement: 12 * ``This product includes software developed by the University of California, 13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 14 * the University nor the names of its contributors may be used to endorse 15 * or promote products derived from this software without specific prior 16 * written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 */ 21 22 #ifdef HAVE_CONFIG_H 23 #include <config.h> 24 #endif 25 26 #ifdef _WIN32 27 #include <ws2tcpip.h> 28 #else 29 #include <sys/socket.h> 30 31 #ifdef __NetBSD__ 32 #include <sys/param.h> 33 #endif 34 35 #include <netinet/in.h> 36 #include <arpa/inet.h> 37 #endif /* _WIN32 */ 38 39 #include <stdlib.h> 40 #include <string.h> 41 #include <memory.h> 42 #include <setjmp.h> 43 #include <stdarg.h> 44 #include <stdio.h> 45 46 #ifdef MSDOS 47 #include "pcap-dos.h" 48 #endif 49 50 #include "pcap-int.h" 51 52 #include "extract.h" 53 54 #include "ethertype.h" 55 #include "nlpid.h" 56 #include "llc.h" 57 #include "gencode.h" 58 #include "ieee80211.h" 59 #include "atmuni31.h" 60 #include "sunatmpos.h" 61 #include "pflog.h" 62 #include "ppp.h" 63 #include "pcap/sll.h" 64 #include "pcap/ipnet.h" 65 #include "arcnet.h" 66 #include "diag-control.h" 67 68 #include "scanner.h" 69 70 #if defined(linux) 71 #include <linux/types.h> 72 #include <linux/if_packet.h> 73 #include <linux/filter.h> 74 #endif 75 76 #ifndef offsetof 77 #define offsetof(s, e) ((size_t)&((s *)0)->e) 78 #endif 79 80 #ifdef _WIN32 81 #ifdef INET6 82 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) 83 /* IPv6 address */ 84 struct in6_addr 85 { 86 union 87 { 88 uint8_t u6_addr8[16]; 89 uint16_t u6_addr16[8]; 90 uint32_t u6_addr32[4]; 91 } in6_u; 92 #define s6_addr in6_u.u6_addr8 93 #define s6_addr16 in6_u.u6_addr16 94 #define s6_addr32 in6_u.u6_addr32 95 #define s6_addr64 in6_u.u6_addr64 96 }; 97 98 typedef unsigned short sa_family_t; 99 100 #define __SOCKADDR_COMMON(sa_prefix) \ 101 sa_family_t sa_prefix##family 102 103 /* Ditto, for IPv6. */ 104 struct sockaddr_in6 105 { 106 __SOCKADDR_COMMON (sin6_); 107 uint16_t sin6_port; /* Transport layer port # */ 108 uint32_t sin6_flowinfo; /* IPv6 flow information */ 109 struct in6_addr sin6_addr; /* IPv6 address */ 110 }; 111 112 #ifndef EAI_ADDRFAMILY 113 struct addrinfo { 114 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ 115 int ai_family; /* PF_xxx */ 116 int ai_socktype; /* SOCK_xxx */ 117 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ 118 size_t ai_addrlen; /* length of ai_addr */ 119 char *ai_canonname; /* canonical name for hostname */ 120 struct sockaddr *ai_addr; /* binary address */ 121 struct addrinfo *ai_next; /* next structure in linked list */ 122 }; 123 #endif /* EAI_ADDRFAMILY */ 124 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */ 125 #endif /* INET6 */ 126 #else /* _WIN32 */ 127 #include <netdb.h> /* for "struct addrinfo" */ 128 #endif /* _WIN32 */ 129 #include <pcap/namedb.h> 130 131 #include "nametoaddr.h" 132 133 #define ETHERMTU 1500 134 135 #ifndef IPPROTO_HOPOPTS 136 #define IPPROTO_HOPOPTS 0 137 #endif 138 #ifndef IPPROTO_ROUTING 139 #define IPPROTO_ROUTING 43 140 #endif 141 #ifndef IPPROTO_FRAGMENT 142 #define IPPROTO_FRAGMENT 44 143 #endif 144 #ifndef IPPROTO_DSTOPTS 145 #define IPPROTO_DSTOPTS 60 146 #endif 147 #ifndef IPPROTO_SCTP 148 #define IPPROTO_SCTP 132 149 #endif 150 151 #define GENEVE_PORT 6081 152 153 #ifdef HAVE_OS_PROTO_H 154 #include "os-proto.h" 155 #endif 156 157 #define JMP(c) ((c)|BPF_JMP|BPF_K) 158 159 /* 160 * "Push" the current value of the link-layer header type and link-layer 161 * header offset onto a "stack", and set a new value. (It's not a 162 * full-blown stack; we keep only the top two items.) 163 */ 164 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \ 165 { \ 166 (cs)->prevlinktype = (cs)->linktype; \ 167 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \ 168 (cs)->linktype = (new_linktype); \ 169 (cs)->off_linkhdr.is_variable = (new_is_variable); \ 170 (cs)->off_linkhdr.constant_part = (new_constant_part); \ 171 (cs)->off_linkhdr.reg = (new_reg); \ 172 (cs)->is_geneve = 0; \ 173 } 174 175 /* 176 * Offset "not set" value. 177 */ 178 #define OFFSET_NOT_SET 0xffffffffU 179 180 /* 181 * Absolute offsets, which are offsets from the beginning of the raw 182 * packet data, are, in the general case, the sum of a variable value 183 * and a constant value; the variable value may be absent, in which 184 * case the offset is only the constant value, and the constant value 185 * may be zero, in which case the offset is only the variable value. 186 * 187 * bpf_abs_offset is a structure containing all that information: 188 * 189 * is_variable is 1 if there's a variable part. 190 * 191 * constant_part is the constant part of the value, possibly zero; 192 * 193 * if is_variable is 1, reg is the register number for a register 194 * containing the variable value if the register has been assigned, 195 * and -1 otherwise. 196 */ 197 typedef struct { 198 int is_variable; 199 u_int constant_part; 200 int reg; 201 } bpf_abs_offset; 202 203 /* 204 * Value passed to gen_load_a() to indicate what the offset argument 205 * is relative to the beginning of. 206 */ 207 enum e_offrel { 208 OR_PACKET, /* full packet data */ 209 OR_LINKHDR, /* link-layer header */ 210 OR_PREVLINKHDR, /* previous link-layer header */ 211 OR_LLC, /* 802.2 LLC header */ 212 OR_PREVMPLSHDR, /* previous MPLS header */ 213 OR_LINKTYPE, /* link-layer type */ 214 OR_LINKPL, /* link-layer payload */ 215 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */ 216 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */ 217 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */ 218 }; 219 220 /* 221 * We divy out chunks of memory rather than call malloc each time so 222 * we don't have to worry about leaking memory. It's probably 223 * not a big deal if all this memory was wasted but if this ever 224 * goes into a library that would probably not be a good idea. 225 * 226 * XXX - this *is* in a library.... 227 */ 228 #define NCHUNKS 16 229 #define CHUNK0SIZE 1024 230 struct chunk { 231 size_t n_left; 232 void *m; 233 }; 234 235 /* Code generator state */ 236 237 struct _compiler_state { 238 jmp_buf top_ctx; 239 pcap_t *bpf_pcap; 240 int error_set; 241 242 struct icode ic; 243 244 int snaplen; 245 246 int linktype; 247 int prevlinktype; 248 int outermostlinktype; 249 250 bpf_u_int32 netmask; 251 int no_optimize; 252 253 /* Hack for handling VLAN and MPLS stacks. */ 254 u_int label_stack_depth; 255 u_int vlan_stack_depth; 256 257 /* XXX */ 258 u_int pcap_fddipad; 259 260 /* 261 * As errors are handled by a longjmp, anything allocated must 262 * be freed in the longjmp handler, so it must be reachable 263 * from that handler. 264 * 265 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 266 * it must be freed with freeaddrinfo(). This variable points to 267 * any addrinfo structure that would need to be freed. 268 */ 269 struct addrinfo *ai; 270 271 /* 272 * Another thing that's allocated is the result of pcap_ether_aton(); 273 * it must be freed with free(). This variable points to any 274 * address that would need to be freed. 275 */ 276 u_char *e; 277 278 /* 279 * Various code constructs need to know the layout of the packet. 280 * These values give the necessary offsets from the beginning 281 * of the packet data. 282 */ 283 284 /* 285 * Absolute offset of the beginning of the link-layer header. 286 */ 287 bpf_abs_offset off_linkhdr; 288 289 /* 290 * If we're checking a link-layer header for a packet encapsulated 291 * in another protocol layer, this is the equivalent information 292 * for the previous layers' link-layer header from the beginning 293 * of the raw packet data. 294 */ 295 bpf_abs_offset off_prevlinkhdr; 296 297 /* 298 * This is the equivalent information for the outermost layers' 299 * link-layer header. 300 */ 301 bpf_abs_offset off_outermostlinkhdr; 302 303 /* 304 * Absolute offset of the beginning of the link-layer payload. 305 */ 306 bpf_abs_offset off_linkpl; 307 308 /* 309 * "off_linktype" is the offset to information in the link-layer 310 * header giving the packet type. This is an absolute offset 311 * from the beginning of the packet. 312 * 313 * For Ethernet, it's the offset of the Ethernet type field; this 314 * means that it must have a value that skips VLAN tags. 315 * 316 * For link-layer types that always use 802.2 headers, it's the 317 * offset of the LLC header; this means that it must have a value 318 * that skips VLAN tags. 319 * 320 * For PPP, it's the offset of the PPP type field. 321 * 322 * For Cisco HDLC, it's the offset of the CHDLC type field. 323 * 324 * For BSD loopback, it's the offset of the AF_ value. 325 * 326 * For Linux cooked sockets, it's the offset of the type field. 327 * 328 * off_linktype.constant_part is set to OFFSET_NOT_SET for no 329 * encapsulation, in which case, IP is assumed. 330 */ 331 bpf_abs_offset off_linktype; 332 333 /* 334 * TRUE if the link layer includes an ATM pseudo-header. 335 */ 336 int is_atm; 337 338 /* 339 * TRUE if "geneve" appeared in the filter; it causes us to 340 * generate code that checks for a Geneve header and assume 341 * that later filters apply to the encapsulated payload. 342 */ 343 int is_geneve; 344 345 /* 346 * TRUE if we need variable length part of VLAN offset 347 */ 348 int is_vlan_vloffset; 349 350 /* 351 * These are offsets for the ATM pseudo-header. 352 */ 353 u_int off_vpi; 354 u_int off_vci; 355 u_int off_proto; 356 357 /* 358 * These are offsets for the MTP2 fields. 359 */ 360 u_int off_li; 361 u_int off_li_hsl; 362 363 /* 364 * These are offsets for the MTP3 fields. 365 */ 366 u_int off_sio; 367 u_int off_opc; 368 u_int off_dpc; 369 u_int off_sls; 370 371 /* 372 * This is the offset of the first byte after the ATM pseudo_header, 373 * or -1 if there is no ATM pseudo-header. 374 */ 375 u_int off_payload; 376 377 /* 378 * These are offsets to the beginning of the network-layer header. 379 * They are relative to the beginning of the link-layer payload 380 * (i.e., they don't include off_linkhdr.constant_part or 381 * off_linkpl.constant_part). 382 * 383 * If the link layer never uses 802.2 LLC: 384 * 385 * "off_nl" and "off_nl_nosnap" are the same. 386 * 387 * If the link layer always uses 802.2 LLC: 388 * 389 * "off_nl" is the offset if there's a SNAP header following 390 * the 802.2 header; 391 * 392 * "off_nl_nosnap" is the offset if there's no SNAP header. 393 * 394 * If the link layer is Ethernet: 395 * 396 * "off_nl" is the offset if the packet is an Ethernet II packet 397 * (we assume no 802.3+802.2+SNAP); 398 * 399 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 400 * with an 802.2 header following it. 401 */ 402 u_int off_nl; 403 u_int off_nl_nosnap; 404 405 /* 406 * Here we handle simple allocation of the scratch registers. 407 * If too many registers are alloc'd, the allocator punts. 408 */ 409 int regused[BPF_MEMWORDS]; 410 int curreg; 411 412 /* 413 * Memory chunks. 414 */ 415 struct chunk chunks[NCHUNKS]; 416 int cur_chunk; 417 }; 418 419 /* 420 * For use by routines outside this file. 421 */ 422 /* VARARGS */ 423 void 424 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...) 425 { 426 va_list ap; 427 428 /* 429 * If we've already set an error, don't override it. 430 * The lexical analyzer reports some errors by setting 431 * the error and then returning a LEX_ERROR token, which 432 * is not recognized by any grammar rule, and thus forces 433 * the parse to stop. We don't want the error reported 434 * by the lexical analyzer to be overwritten by the syntax 435 * error. 436 */ 437 if (!cstate->error_set) { 438 va_start(ap, fmt); 439 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE, 440 fmt, ap); 441 va_end(ap); 442 cstate->error_set = 1; 443 } 444 } 445 446 /* 447 * For use *ONLY* in routines in this file. 448 */ 449 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...) 450 PCAP_PRINTFLIKE(2, 3); 451 452 /* VARARGS */ 453 static void PCAP_NORETURN 454 bpf_error(compiler_state_t *cstate, const char *fmt, ...) 455 { 456 va_list ap; 457 458 va_start(ap, fmt); 459 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE, 460 fmt, ap); 461 va_end(ap); 462 longjmp(cstate->top_ctx, 1); 463 /*NOTREACHED*/ 464 #ifdef _AIX 465 PCAP_UNREACHABLE 466 #endif /* _AIX */ 467 } 468 469 static int init_linktype(compiler_state_t *, pcap_t *); 470 471 static void init_regs(compiler_state_t *); 472 static int alloc_reg(compiler_state_t *); 473 static void free_reg(compiler_state_t *, int); 474 475 static void initchunks(compiler_state_t *cstate); 476 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t); 477 static void *newchunk(compiler_state_t *cstate, size_t); 478 static void freechunks(compiler_state_t *cstate); 479 static inline struct block *new_block(compiler_state_t *cstate, int); 480 static inline struct slist *new_stmt(compiler_state_t *cstate, int); 481 static struct block *gen_retblk(compiler_state_t *cstate, int); 482 static inline void syntax(compiler_state_t *cstate); 483 484 static void backpatch(struct block *, struct block *); 485 static void merge(struct block *, struct block *); 486 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int, 487 u_int, bpf_u_int32); 488 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int, 489 u_int, bpf_u_int32); 490 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int, 491 u_int, bpf_u_int32); 492 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int, 493 u_int, bpf_u_int32); 494 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int, 495 u_int, bpf_u_int32); 496 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int, 497 u_int, bpf_u_int32, bpf_u_int32); 498 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int, 499 u_int, const u_char *); 500 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, u_int, 501 u_int, bpf_u_int32, int, int, bpf_u_int32); 502 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *, 503 u_int, u_int); 504 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int, 505 u_int); 506 static struct slist *gen_loadx_iphdrlen(compiler_state_t *); 507 static struct block *gen_uncond(compiler_state_t *, int); 508 static inline struct block *gen_true(compiler_state_t *); 509 static inline struct block *gen_false(compiler_state_t *); 510 static struct block *gen_ether_linktype(compiler_state_t *, bpf_u_int32); 511 static struct block *gen_ipnet_linktype(compiler_state_t *, bpf_u_int32); 512 static struct block *gen_linux_sll_linktype(compiler_state_t *, bpf_u_int32); 513 static struct slist *gen_load_pflog_llprefixlen(compiler_state_t *); 514 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *); 515 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *); 516 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *); 517 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *); 518 static void insert_compute_vloffsets(compiler_state_t *, struct block *); 519 static struct slist *gen_abs_offset_varpart(compiler_state_t *, 520 bpf_abs_offset *); 521 static bpf_u_int32 ethertype_to_ppptype(bpf_u_int32); 522 static struct block *gen_linktype(compiler_state_t *, bpf_u_int32); 523 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32); 524 static struct block *gen_llc_linktype(compiler_state_t *, bpf_u_int32); 525 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32, 526 int, bpf_u_int32, u_int, u_int); 527 #ifdef INET6 528 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *, 529 struct in6_addr *, int, bpf_u_int32, u_int, u_int); 530 #endif 531 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int); 532 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int); 533 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int); 534 static struct block *gen_thostop(compiler_state_t *, const u_char *, int); 535 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int); 536 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int); 537 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int); 538 static struct block *gen_mpls_linktype(compiler_state_t *, bpf_u_int32); 539 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32, 540 int, int, int); 541 #ifdef INET6 542 static struct block *gen_host6(compiler_state_t *, struct in6_addr *, 543 struct in6_addr *, int, int, int); 544 #endif 545 #ifndef INET6 546 static struct block *gen_gateway(compiler_state_t *, const u_char *, 547 struct addrinfo *, int, int); 548 #endif 549 static struct block *gen_ipfrag(compiler_state_t *); 550 static struct block *gen_portatom(compiler_state_t *, int, bpf_u_int32); 551 static struct block *gen_portrangeatom(compiler_state_t *, u_int, bpf_u_int32, 552 bpf_u_int32); 553 static struct block *gen_portatom6(compiler_state_t *, int, bpf_u_int32); 554 static struct block *gen_portrangeatom6(compiler_state_t *, u_int, bpf_u_int32, 555 bpf_u_int32); 556 static struct block *gen_portop(compiler_state_t *, u_int, u_int, int); 557 static struct block *gen_port(compiler_state_t *, u_int, int, int); 558 static struct block *gen_portrangeop(compiler_state_t *, u_int, u_int, 559 bpf_u_int32, int); 560 static struct block *gen_portrange(compiler_state_t *, u_int, u_int, int, int); 561 struct block *gen_portop6(compiler_state_t *, u_int, u_int, int); 562 static struct block *gen_port6(compiler_state_t *, u_int, int, int); 563 static struct block *gen_portrangeop6(compiler_state_t *, u_int, u_int, 564 bpf_u_int32, int); 565 static struct block *gen_portrange6(compiler_state_t *, u_int, u_int, int, int); 566 static int lookup_proto(compiler_state_t *, const char *, int); 567 #if !defined(NO_PROTOCHAIN) 568 static struct block *gen_protochain(compiler_state_t *, bpf_u_int32, int); 569 #endif /* !defined(NO_PROTOCHAIN) */ 570 static struct block *gen_proto(compiler_state_t *, bpf_u_int32, int, int); 571 static struct slist *xfer_to_x(compiler_state_t *, struct arth *); 572 static struct slist *xfer_to_a(compiler_state_t *, struct arth *); 573 static struct block *gen_mac_multicast(compiler_state_t *, int); 574 static struct block *gen_len(compiler_state_t *, int, int); 575 static struct block *gen_check_802_11_data_frame(compiler_state_t *); 576 static struct block *gen_geneve_ll_check(compiler_state_t *cstate); 577 578 static struct block *gen_ppi_dlt_check(compiler_state_t *); 579 static struct block *gen_atmfield_code_internal(compiler_state_t *, int, 580 bpf_u_int32, int, int); 581 static struct block *gen_atmtype_llc(compiler_state_t *); 582 static struct block *gen_msg_abbrev(compiler_state_t *, int type); 583 584 static void 585 initchunks(compiler_state_t *cstate) 586 { 587 int i; 588 589 for (i = 0; i < NCHUNKS; i++) { 590 cstate->chunks[i].n_left = 0; 591 cstate->chunks[i].m = NULL; 592 } 593 cstate->cur_chunk = 0; 594 } 595 596 static void * 597 newchunk_nolongjmp(compiler_state_t *cstate, size_t n) 598 { 599 struct chunk *cp; 600 int k; 601 size_t size; 602 603 #ifndef __NetBSD__ 604 /* XXX Round up to nearest long. */ 605 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 606 #else 607 /* XXX Round up to structure boundary. */ 608 n = ALIGN(n); 609 #endif 610 611 cp = &cstate->chunks[cstate->cur_chunk]; 612 if (n > cp->n_left) { 613 ++cp; 614 k = ++cstate->cur_chunk; 615 if (k >= NCHUNKS) { 616 bpf_set_error(cstate, "out of memory"); 617 return (NULL); 618 } 619 size = CHUNK0SIZE << k; 620 cp->m = (void *)malloc(size); 621 if (cp->m == NULL) { 622 bpf_set_error(cstate, "out of memory"); 623 return (NULL); 624 } 625 memset((char *)cp->m, 0, size); 626 cp->n_left = size; 627 if (n > size) { 628 bpf_set_error(cstate, "out of memory"); 629 return (NULL); 630 } 631 } 632 cp->n_left -= n; 633 return (void *)((char *)cp->m + cp->n_left); 634 } 635 636 static void * 637 newchunk(compiler_state_t *cstate, size_t n) 638 { 639 void *p; 640 641 p = newchunk_nolongjmp(cstate, n); 642 if (p == NULL) { 643 longjmp(cstate->top_ctx, 1); 644 /*NOTREACHED*/ 645 } 646 return (p); 647 } 648 649 static void 650 freechunks(compiler_state_t *cstate) 651 { 652 int i; 653 654 for (i = 0; i < NCHUNKS; ++i) 655 if (cstate->chunks[i].m != NULL) 656 free(cstate->chunks[i].m); 657 } 658 659 /* 660 * A strdup whose allocations are freed after code generation is over. 661 * This is used by the lexical analyzer, so it can't longjmp; it just 662 * returns NULL on an allocation error, and the callers must check 663 * for it. 664 */ 665 char * 666 sdup(compiler_state_t *cstate, const char *s) 667 { 668 size_t n = strlen(s) + 1; 669 char *cp = newchunk_nolongjmp(cstate, n); 670 671 if (cp == NULL) 672 return (NULL); 673 pcap_strlcpy(cp, s, n); 674 return (cp); 675 } 676 677 static inline struct block * 678 new_block(compiler_state_t *cstate, int code) 679 { 680 struct block *p; 681 682 p = (struct block *)newchunk(cstate, sizeof(*p)); 683 p->s.code = code; 684 p->head = p; 685 686 return p; 687 } 688 689 static inline struct slist * 690 new_stmt(compiler_state_t *cstate, int code) 691 { 692 struct slist *p; 693 694 p = (struct slist *)newchunk(cstate, sizeof(*p)); 695 p->s.code = code; 696 697 return p; 698 } 699 700 static struct block * 701 gen_retblk(compiler_state_t *cstate, int v) 702 { 703 struct block *b = new_block(cstate, BPF_RET|BPF_K); 704 705 b->s.k = v; 706 return b; 707 } 708 709 static inline PCAP_NORETURN_DEF void 710 syntax(compiler_state_t *cstate) 711 { 712 bpf_error(cstate, "syntax error in filter expression"); 713 } 714 715 int 716 pcap_compile(pcap_t *p, struct bpf_program *program, 717 const char *buf, int optimize, bpf_u_int32 mask) 718 { 719 #ifdef _WIN32 720 static int done = 0; 721 #endif 722 compiler_state_t cstate; 723 const char * volatile xbuf = buf; 724 yyscan_t scanner = NULL; 725 volatile YY_BUFFER_STATE in_buffer = NULL; 726 u_int len; 727 int rc; 728 729 /* 730 * If this pcap_t hasn't been activated, it doesn't have a 731 * link-layer type, so we can't use it. 732 */ 733 if (!p->activated) { 734 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 735 "not-yet-activated pcap_t passed to pcap_compile"); 736 return (PCAP_ERROR); 737 } 738 739 #ifdef _WIN32 740 if (!done) 741 pcap_wsockinit(); 742 done = 1; 743 #endif 744 745 #ifdef ENABLE_REMOTE 746 /* 747 * If the device on which we're capturing need to be notified 748 * that a new filter is being compiled, do so. 749 * 750 * This allows them to save a copy of it, in case, for example, 751 * they're implementing a form of remote packet capture, and 752 * want the remote machine to filter out the packets in which 753 * it's sending the packets it's captured. 754 * 755 * XXX - the fact that we happen to be compiling a filter 756 * doesn't necessarily mean we'll be installing it as the 757 * filter for this pcap_t; we might be running it from userland 758 * on captured packets to do packet classification. We really 759 * need a better way of handling this, but this is all that 760 * the WinPcap remote capture code did. 761 */ 762 if (p->save_current_filter_op != NULL) 763 (p->save_current_filter_op)(p, buf); 764 #endif 765 766 initchunks(&cstate); 767 cstate.no_optimize = 0; 768 #ifdef INET6 769 cstate.ai = NULL; 770 #endif 771 cstate.e = NULL; 772 cstate.ic.root = NULL; 773 cstate.ic.cur_mark = 0; 774 cstate.bpf_pcap = p; 775 cstate.error_set = 0; 776 init_regs(&cstate); 777 778 cstate.netmask = mask; 779 780 cstate.snaplen = pcap_snapshot(p); 781 if (cstate.snaplen == 0) { 782 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 783 "snaplen of 0 rejects all packets"); 784 rc = PCAP_ERROR; 785 goto quit; 786 } 787 788 if (pcap_lex_init(&scanner) != 0) 789 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 790 errno, "can't initialize scanner"); 791 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner); 792 793 /* 794 * Associate the compiler state with the lexical analyzer 795 * state. 796 */ 797 pcap_set_extra(&cstate, scanner); 798 799 if (init_linktype(&cstate, p) == -1) { 800 rc = PCAP_ERROR; 801 goto quit; 802 } 803 if (pcap_parse(scanner, &cstate) != 0) { 804 #ifdef INET6 805 if (cstate.ai != NULL) 806 freeaddrinfo(cstate.ai); 807 #endif 808 if (cstate.e != NULL) 809 free(cstate.e); 810 rc = PCAP_ERROR; 811 goto quit; 812 } 813 814 if (cstate.ic.root == NULL) { 815 /* 816 * Catch errors reported by gen_retblk(). 817 */ 818 if (setjmp(cstate.top_ctx)) { 819 rc = PCAP_ERROR; 820 goto quit; 821 } 822 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen); 823 } 824 825 if (optimize && !cstate.no_optimize) { 826 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) { 827 /* Failure */ 828 rc = PCAP_ERROR; 829 goto quit; 830 } 831 if (cstate.ic.root == NULL || 832 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) { 833 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 834 "expression rejects all packets"); 835 rc = PCAP_ERROR; 836 goto quit; 837 } 838 } 839 program->bf_insns = icode_to_fcode(&cstate.ic, 840 cstate.ic.root, &len, p->errbuf); 841 if (program->bf_insns == NULL) { 842 /* Failure */ 843 rc = PCAP_ERROR; 844 goto quit; 845 } 846 program->bf_len = len; 847 848 rc = 0; /* We're all okay */ 849 850 quit: 851 /* 852 * Clean up everything for the lexical analyzer. 853 */ 854 if (in_buffer != NULL) 855 pcap__delete_buffer(in_buffer, scanner); 856 if (scanner != NULL) 857 pcap_lex_destroy(scanner); 858 859 /* 860 * Clean up our own allocated memory. 861 */ 862 freechunks(&cstate); 863 864 return (rc); 865 } 866 867 /* 868 * entry point for using the compiler with no pcap open 869 * pass in all the stuff that is needed explicitly instead. 870 */ 871 int 872 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 873 struct bpf_program *program, 874 const char *buf, int optimize, bpf_u_int32 mask) 875 { 876 pcap_t *p; 877 int ret; 878 879 p = pcap_open_dead(linktype_arg, snaplen_arg); 880 if (p == NULL) 881 return (PCAP_ERROR); 882 ret = pcap_compile(p, program, buf, optimize, mask); 883 pcap_close(p); 884 return (ret); 885 } 886 887 /* 888 * Clean up a "struct bpf_program" by freeing all the memory allocated 889 * in it. 890 */ 891 void 892 pcap_freecode(struct bpf_program *program) 893 { 894 program->bf_len = 0; 895 if (program->bf_insns != NULL) { 896 free((char *)program->bf_insns); 897 program->bf_insns = NULL; 898 } 899 } 900 901 /* 902 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 903 * which of the jt and jf fields has been resolved and which is a pointer 904 * back to another unresolved block (or nil). At least one of the fields 905 * in each block is already resolved. 906 */ 907 static void 908 backpatch(struct block *list, struct block *target) 909 { 910 struct block *next; 911 912 while (list) { 913 if (!list->sense) { 914 next = JT(list); 915 JT(list) = target; 916 } else { 917 next = JF(list); 918 JF(list) = target; 919 } 920 list = next; 921 } 922 } 923 924 /* 925 * Merge the lists in b0 and b1, using the 'sense' field to indicate 926 * which of jt and jf is the link. 927 */ 928 static void 929 merge(struct block *b0, struct block *b1) 930 { 931 register struct block **p = &b0; 932 933 /* Find end of list. */ 934 while (*p) 935 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 936 937 /* Concatenate the lists. */ 938 *p = b1; 939 } 940 941 int 942 finish_parse(compiler_state_t *cstate, struct block *p) 943 { 944 struct block *ppi_dlt_check; 945 946 /* 947 * Catch errors reported by us and routines below us, and return -1 948 * on an error. 949 */ 950 if (setjmp(cstate->top_ctx)) 951 return (-1); 952 953 /* 954 * Insert before the statements of the first (root) block any 955 * statements needed to load the lengths of any variable-length 956 * headers into registers. 957 * 958 * XXX - a fancier strategy would be to insert those before the 959 * statements of all blocks that use those lengths and that 960 * have no predecessors that use them, so that we only compute 961 * the lengths if we need them. There might be even better 962 * approaches than that. 963 * 964 * However, those strategies would be more complicated, and 965 * as we don't generate code to compute a length if the 966 * program has no tests that use the length, and as most 967 * tests will probably use those lengths, we would just 968 * postpone computing the lengths so that it's not done 969 * for tests that fail early, and it's not clear that's 970 * worth the effort. 971 */ 972 insert_compute_vloffsets(cstate, p->head); 973 974 /* 975 * For DLT_PPI captures, generate a check of the per-packet 976 * DLT value to make sure it's DLT_IEEE802_11. 977 * 978 * XXX - TurboCap cards use DLT_PPI for Ethernet. 979 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header 980 * with appropriate Ethernet information and use that rather 981 * than using something such as DLT_PPI where you don't know 982 * the link-layer header type until runtime, which, in the 983 * general case, would force us to generate both Ethernet *and* 984 * 802.11 code (*and* anything else for which PPI is used) 985 * and choose between them early in the BPF program? 986 */ 987 ppi_dlt_check = gen_ppi_dlt_check(cstate); 988 if (ppi_dlt_check != NULL) 989 gen_and(ppi_dlt_check, p); 990 991 backpatch(p, gen_retblk(cstate, cstate->snaplen)); 992 p->sense = !p->sense; 993 backpatch(p, gen_retblk(cstate, 0)); 994 cstate->ic.root = p->head; 995 return (0); 996 } 997 998 void 999 gen_and(struct block *b0, struct block *b1) 1000 { 1001 backpatch(b0, b1->head); 1002 b0->sense = !b0->sense; 1003 b1->sense = !b1->sense; 1004 merge(b1, b0); 1005 b1->sense = !b1->sense; 1006 b1->head = b0->head; 1007 } 1008 1009 void 1010 gen_or(struct block *b0, struct block *b1) 1011 { 1012 b0->sense = !b0->sense; 1013 backpatch(b0, b1->head); 1014 b0->sense = !b0->sense; 1015 merge(b1, b0); 1016 b1->head = b0->head; 1017 } 1018 1019 void 1020 gen_not(struct block *b) 1021 { 1022 b->sense = !b->sense; 1023 } 1024 1025 static struct block * 1026 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1027 u_int size, bpf_u_int32 v) 1028 { 1029 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 1030 } 1031 1032 static struct block * 1033 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1034 u_int size, bpf_u_int32 v) 1035 { 1036 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 1037 } 1038 1039 static struct block * 1040 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1041 u_int size, bpf_u_int32 v) 1042 { 1043 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 1044 } 1045 1046 static struct block * 1047 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1048 u_int size, bpf_u_int32 v) 1049 { 1050 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 1051 } 1052 1053 static struct block * 1054 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1055 u_int size, bpf_u_int32 v) 1056 { 1057 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 1058 } 1059 1060 static struct block * 1061 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1062 u_int size, bpf_u_int32 v, bpf_u_int32 mask) 1063 { 1064 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v); 1065 } 1066 1067 static struct block * 1068 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1069 u_int size, const u_char *v) 1070 { 1071 register struct block *b, *tmp; 1072 1073 b = NULL; 1074 while (size >= 4) { 1075 register const u_char *p = &v[size - 4]; 1076 1077 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, 1078 EXTRACT_BE_U_4(p)); 1079 if (b != NULL) 1080 gen_and(b, tmp); 1081 b = tmp; 1082 size -= 4; 1083 } 1084 while (size >= 2) { 1085 register const u_char *p = &v[size - 2]; 1086 1087 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, 1088 EXTRACT_BE_U_2(p)); 1089 if (b != NULL) 1090 gen_and(b, tmp); 1091 b = tmp; 1092 size -= 2; 1093 } 1094 if (size > 0) { 1095 tmp = gen_cmp(cstate, offrel, offset, BPF_B, v[0]); 1096 if (b != NULL) 1097 gen_and(b, tmp); 1098 b = tmp; 1099 } 1100 return b; 1101 } 1102 1103 /* 1104 * AND the field of size "size" at offset "offset" relative to the header 1105 * specified by "offrel" with "mask", and compare it with the value "v" 1106 * with the test specified by "jtype"; if "reverse" is true, the test 1107 * should test the opposite of "jtype". 1108 */ 1109 static struct block * 1110 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1111 u_int size, bpf_u_int32 mask, int jtype, int reverse, 1112 bpf_u_int32 v) 1113 { 1114 struct slist *s, *s2; 1115 struct block *b; 1116 1117 s = gen_load_a(cstate, offrel, offset, size); 1118 1119 if (mask != 0xffffffff) { 1120 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1121 s2->s.k = mask; 1122 sappend(s, s2); 1123 } 1124 1125 b = new_block(cstate, JMP(jtype)); 1126 b->stmts = s; 1127 b->s.k = v; 1128 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 1129 gen_not(b); 1130 return b; 1131 } 1132 1133 static int 1134 init_linktype(compiler_state_t *cstate, pcap_t *p) 1135 { 1136 cstate->pcap_fddipad = p->fddipad; 1137 1138 /* 1139 * We start out with only one link-layer header. 1140 */ 1141 cstate->outermostlinktype = pcap_datalink(p); 1142 cstate->off_outermostlinkhdr.constant_part = 0; 1143 cstate->off_outermostlinkhdr.is_variable = 0; 1144 cstate->off_outermostlinkhdr.reg = -1; 1145 1146 cstate->prevlinktype = cstate->outermostlinktype; 1147 cstate->off_prevlinkhdr.constant_part = 0; 1148 cstate->off_prevlinkhdr.is_variable = 0; 1149 cstate->off_prevlinkhdr.reg = -1; 1150 1151 cstate->linktype = cstate->outermostlinktype; 1152 cstate->off_linkhdr.constant_part = 0; 1153 cstate->off_linkhdr.is_variable = 0; 1154 cstate->off_linkhdr.reg = -1; 1155 1156 /* 1157 * XXX 1158 */ 1159 cstate->off_linkpl.constant_part = 0; 1160 cstate->off_linkpl.is_variable = 0; 1161 cstate->off_linkpl.reg = -1; 1162 1163 cstate->off_linktype.constant_part = 0; 1164 cstate->off_linktype.is_variable = 0; 1165 cstate->off_linktype.reg = -1; 1166 1167 /* 1168 * Assume it's not raw ATM with a pseudo-header, for now. 1169 */ 1170 cstate->is_atm = 0; 1171 cstate->off_vpi = OFFSET_NOT_SET; 1172 cstate->off_vci = OFFSET_NOT_SET; 1173 cstate->off_proto = OFFSET_NOT_SET; 1174 cstate->off_payload = OFFSET_NOT_SET; 1175 1176 /* 1177 * And not Geneve. 1178 */ 1179 cstate->is_geneve = 0; 1180 1181 /* 1182 * No variable length VLAN offset by default 1183 */ 1184 cstate->is_vlan_vloffset = 0; 1185 1186 /* 1187 * And assume we're not doing SS7. 1188 */ 1189 cstate->off_li = OFFSET_NOT_SET; 1190 cstate->off_li_hsl = OFFSET_NOT_SET; 1191 cstate->off_sio = OFFSET_NOT_SET; 1192 cstate->off_opc = OFFSET_NOT_SET; 1193 cstate->off_dpc = OFFSET_NOT_SET; 1194 cstate->off_sls = OFFSET_NOT_SET; 1195 1196 cstate->label_stack_depth = 0; 1197 cstate->vlan_stack_depth = 0; 1198 1199 switch (cstate->linktype) { 1200 1201 case DLT_ARCNET: 1202 cstate->off_linktype.constant_part = 2; 1203 cstate->off_linkpl.constant_part = 6; 1204 cstate->off_nl = 0; /* XXX in reality, variable! */ 1205 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1206 break; 1207 1208 case DLT_ARCNET_LINUX: 1209 cstate->off_linktype.constant_part = 4; 1210 cstate->off_linkpl.constant_part = 8; 1211 cstate->off_nl = 0; /* XXX in reality, variable! */ 1212 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1213 break; 1214 1215 case DLT_EN10MB: 1216 cstate->off_linktype.constant_part = 12; 1217 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */ 1218 cstate->off_nl = 0; /* Ethernet II */ 1219 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1220 break; 1221 1222 case DLT_SLIP: 1223 /* 1224 * SLIP doesn't have a link level type. The 16 byte 1225 * header is hacked into our SLIP driver. 1226 */ 1227 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1228 cstate->off_linkpl.constant_part = 16; 1229 cstate->off_nl = 0; 1230 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1231 break; 1232 1233 case DLT_SLIP_BSDOS: 1234 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1235 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1236 /* XXX end */ 1237 cstate->off_linkpl.constant_part = 24; 1238 cstate->off_nl = 0; 1239 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1240 break; 1241 1242 case DLT_NULL: 1243 case DLT_LOOP: 1244 cstate->off_linktype.constant_part = 0; 1245 cstate->off_linkpl.constant_part = 4; 1246 cstate->off_nl = 0; 1247 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1248 break; 1249 1250 case DLT_ENC: 1251 cstate->off_linktype.constant_part = 0; 1252 cstate->off_linkpl.constant_part = 12; 1253 cstate->off_nl = 0; 1254 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1255 break; 1256 1257 case DLT_PPP: 1258 case DLT_PPP_PPPD: 1259 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1260 case DLT_HDLC: /* NetBSD (Cisco) HDLC */ 1261 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1262 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */ 1263 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */ 1264 cstate->off_nl = 0; 1265 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1266 break; 1267 1268 case DLT_PPP_ETHER: 1269 /* 1270 * This does no include the Ethernet header, and 1271 * only covers session state. 1272 */ 1273 cstate->off_linktype.constant_part = 6; 1274 cstate->off_linkpl.constant_part = 8; 1275 cstate->off_nl = 0; 1276 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1277 break; 1278 1279 case DLT_PPP_BSDOS: 1280 cstate->off_linktype.constant_part = 5; 1281 cstate->off_linkpl.constant_part = 24; 1282 cstate->off_nl = 0; 1283 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1284 break; 1285 1286 case DLT_FDDI: 1287 /* 1288 * FDDI doesn't really have a link-level type field. 1289 * We set "off_linktype" to the offset of the LLC header. 1290 * 1291 * To check for Ethernet types, we assume that SSAP = SNAP 1292 * is being used and pick out the encapsulated Ethernet type. 1293 * XXX - should we generate code to check for SNAP? 1294 */ 1295 cstate->off_linktype.constant_part = 13; 1296 cstate->off_linktype.constant_part += cstate->pcap_fddipad; 1297 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */ 1298 cstate->off_linkpl.constant_part += cstate->pcap_fddipad; 1299 cstate->off_nl = 8; /* 802.2+SNAP */ 1300 cstate->off_nl_nosnap = 3; /* 802.2 */ 1301 break; 1302 1303 case DLT_IEEE802: 1304 /* 1305 * Token Ring doesn't really have a link-level type field. 1306 * We set "off_linktype" to the offset of the LLC header. 1307 * 1308 * To check for Ethernet types, we assume that SSAP = SNAP 1309 * is being used and pick out the encapsulated Ethernet type. 1310 * XXX - should we generate code to check for SNAP? 1311 * 1312 * XXX - the header is actually variable-length. 1313 * Some various Linux patched versions gave 38 1314 * as "off_linktype" and 40 as "off_nl"; however, 1315 * if a token ring packet has *no* routing 1316 * information, i.e. is not source-routed, the correct 1317 * values are 20 and 22, as they are in the vanilla code. 1318 * 1319 * A packet is source-routed iff the uppermost bit 1320 * of the first byte of the source address, at an 1321 * offset of 8, has the uppermost bit set. If the 1322 * packet is source-routed, the total number of bytes 1323 * of routing information is 2 plus bits 0x1F00 of 1324 * the 16-bit value at an offset of 14 (shifted right 1325 * 8 - figure out which byte that is). 1326 */ 1327 cstate->off_linktype.constant_part = 14; 1328 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */ 1329 cstate->off_nl = 8; /* 802.2+SNAP */ 1330 cstate->off_nl_nosnap = 3; /* 802.2 */ 1331 break; 1332 1333 case DLT_PRISM_HEADER: 1334 case DLT_IEEE802_11_RADIO_AVS: 1335 case DLT_IEEE802_11_RADIO: 1336 cstate->off_linkhdr.is_variable = 1; 1337 /* Fall through, 802.11 doesn't have a variable link 1338 * prefix but is otherwise the same. */ 1339 /* FALLTHROUGH */ 1340 1341 case DLT_IEEE802_11: 1342 /* 1343 * 802.11 doesn't really have a link-level type field. 1344 * We set "off_linktype.constant_part" to the offset of 1345 * the LLC header. 1346 * 1347 * To check for Ethernet types, we assume that SSAP = SNAP 1348 * is being used and pick out the encapsulated Ethernet type. 1349 * XXX - should we generate code to check for SNAP? 1350 * 1351 * We also handle variable-length radio headers here. 1352 * The Prism header is in theory variable-length, but in 1353 * practice it's always 144 bytes long. However, some 1354 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1355 * sometimes or always supply an AVS header, so we 1356 * have to check whether the radio header is a Prism 1357 * header or an AVS header, so, in practice, it's 1358 * variable-length. 1359 */ 1360 cstate->off_linktype.constant_part = 24; 1361 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1362 cstate->off_linkpl.is_variable = 1; 1363 cstate->off_nl = 8; /* 802.2+SNAP */ 1364 cstate->off_nl_nosnap = 3; /* 802.2 */ 1365 break; 1366 1367 case DLT_PPI: 1368 /* 1369 * At the moment we treat PPI the same way that we treat 1370 * normal Radiotap encoded packets. The difference is in 1371 * the function that generates the code at the beginning 1372 * to compute the header length. Since this code generator 1373 * of PPI supports bare 802.11 encapsulation only (i.e. 1374 * the encapsulated DLT should be DLT_IEEE802_11) we 1375 * generate code to check for this too. 1376 */ 1377 cstate->off_linktype.constant_part = 24; 1378 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1379 cstate->off_linkpl.is_variable = 1; 1380 cstate->off_linkhdr.is_variable = 1; 1381 cstate->off_nl = 8; /* 802.2+SNAP */ 1382 cstate->off_nl_nosnap = 3; /* 802.2 */ 1383 break; 1384 1385 case DLT_ATM_RFC1483: 1386 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1387 /* 1388 * assume routed, non-ISO PDUs 1389 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1390 * 1391 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1392 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1393 * latter would presumably be treated the way PPPoE 1394 * should be, so you can do "pppoe and udp port 2049" 1395 * or "pppoa and tcp port 80" and have it check for 1396 * PPPo{A,E} and a PPP protocol of IP and.... 1397 */ 1398 cstate->off_linktype.constant_part = 0; 1399 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */ 1400 cstate->off_nl = 8; /* 802.2+SNAP */ 1401 cstate->off_nl_nosnap = 3; /* 802.2 */ 1402 break; 1403 1404 case DLT_SUNATM: 1405 /* 1406 * Full Frontal ATM; you get AALn PDUs with an ATM 1407 * pseudo-header. 1408 */ 1409 cstate->is_atm = 1; 1410 cstate->off_vpi = SUNATM_VPI_POS; 1411 cstate->off_vci = SUNATM_VCI_POS; 1412 cstate->off_proto = PROTO_POS; 1413 cstate->off_payload = SUNATM_PKT_BEGIN_POS; 1414 cstate->off_linktype.constant_part = cstate->off_payload; 1415 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */ 1416 cstate->off_nl = 8; /* 802.2+SNAP */ 1417 cstate->off_nl_nosnap = 3; /* 802.2 */ 1418 break; 1419 1420 case DLT_RAW: 1421 case DLT_IPV4: 1422 case DLT_IPV6: 1423 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1424 cstate->off_linkpl.constant_part = 0; 1425 cstate->off_nl = 0; 1426 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1427 break; 1428 1429 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */ 1430 cstate->off_linktype.constant_part = 14; 1431 cstate->off_linkpl.constant_part = 16; 1432 cstate->off_nl = 0; 1433 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1434 break; 1435 1436 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */ 1437 cstate->off_linktype.constant_part = 0; 1438 cstate->off_linkpl.constant_part = 20; 1439 cstate->off_nl = 0; 1440 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1441 break; 1442 1443 case DLT_LTALK: 1444 /* 1445 * LocalTalk does have a 1-byte type field in the LLAP header, 1446 * but really it just indicates whether there is a "short" or 1447 * "long" DDP packet following. 1448 */ 1449 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1450 cstate->off_linkpl.constant_part = 0; 1451 cstate->off_nl = 0; 1452 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1453 break; 1454 1455 case DLT_IP_OVER_FC: 1456 /* 1457 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1458 * link-level type field. We set "off_linktype" to the 1459 * offset of the LLC header. 1460 * 1461 * To check for Ethernet types, we assume that SSAP = SNAP 1462 * is being used and pick out the encapsulated Ethernet type. 1463 * XXX - should we generate code to check for SNAP? RFC 1464 * 2625 says SNAP should be used. 1465 */ 1466 cstate->off_linktype.constant_part = 16; 1467 cstate->off_linkpl.constant_part = 16; 1468 cstate->off_nl = 8; /* 802.2+SNAP */ 1469 cstate->off_nl_nosnap = 3; /* 802.2 */ 1470 break; 1471 1472 case DLT_FRELAY: 1473 /* 1474 * XXX - we should set this to handle SNAP-encapsulated 1475 * frames (NLPID of 0x80). 1476 */ 1477 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1478 cstate->off_linkpl.constant_part = 0; 1479 cstate->off_nl = 0; 1480 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1481 break; 1482 1483 /* 1484 * the only BPF-interesting FRF.16 frames are non-control frames; 1485 * Frame Relay has a variable length link-layer 1486 * so lets start with offset 4 for now and increments later on (FIXME); 1487 */ 1488 case DLT_MFR: 1489 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1490 cstate->off_linkpl.constant_part = 0; 1491 cstate->off_nl = 4; 1492 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1493 break; 1494 1495 case DLT_APPLE_IP_OVER_IEEE1394: 1496 cstate->off_linktype.constant_part = 16; 1497 cstate->off_linkpl.constant_part = 18; 1498 cstate->off_nl = 0; 1499 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1500 break; 1501 1502 case DLT_SYMANTEC_FIREWALL: 1503 cstate->off_linktype.constant_part = 6; 1504 cstate->off_linkpl.constant_part = 44; 1505 cstate->off_nl = 0; /* Ethernet II */ 1506 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1507 break; 1508 1509 case DLT_PFLOG: 1510 cstate->off_linktype.constant_part = 0; 1511 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1512 cstate->off_linkpl.is_variable = 1; 1513 cstate->off_nl = 0; 1514 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1515 break; 1516 1517 case DLT_JUNIPER_MFR: 1518 case DLT_JUNIPER_MLFR: 1519 case DLT_JUNIPER_MLPPP: 1520 case DLT_JUNIPER_PPP: 1521 case DLT_JUNIPER_CHDLC: 1522 case DLT_JUNIPER_FRELAY: 1523 cstate->off_linktype.constant_part = 4; 1524 cstate->off_linkpl.constant_part = 4; 1525 cstate->off_nl = 0; 1526 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1527 break; 1528 1529 case DLT_JUNIPER_ATM1: 1530 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */ 1531 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */ 1532 cstate->off_nl = 0; 1533 cstate->off_nl_nosnap = 10; 1534 break; 1535 1536 case DLT_JUNIPER_ATM2: 1537 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */ 1538 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */ 1539 cstate->off_nl = 0; 1540 cstate->off_nl_nosnap = 10; 1541 break; 1542 1543 /* frames captured on a Juniper PPPoE service PIC 1544 * contain raw ethernet frames */ 1545 case DLT_JUNIPER_PPPOE: 1546 case DLT_JUNIPER_ETHER: 1547 cstate->off_linkpl.constant_part = 14; 1548 cstate->off_linktype.constant_part = 16; 1549 cstate->off_nl = 18; /* Ethernet II */ 1550 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */ 1551 break; 1552 1553 case DLT_JUNIPER_PPPOE_ATM: 1554 cstate->off_linktype.constant_part = 4; 1555 cstate->off_linkpl.constant_part = 6; 1556 cstate->off_nl = 0; 1557 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1558 break; 1559 1560 case DLT_JUNIPER_GGSN: 1561 cstate->off_linktype.constant_part = 6; 1562 cstate->off_linkpl.constant_part = 12; 1563 cstate->off_nl = 0; 1564 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1565 break; 1566 1567 case DLT_JUNIPER_ES: 1568 cstate->off_linktype.constant_part = 6; 1569 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1570 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1571 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1572 break; 1573 1574 case DLT_JUNIPER_MONITOR: 1575 cstate->off_linktype.constant_part = 12; 1576 cstate->off_linkpl.constant_part = 12; 1577 cstate->off_nl = 0; /* raw IP/IP6 header */ 1578 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1579 break; 1580 1581 case DLT_BACNET_MS_TP: 1582 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1583 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1584 cstate->off_nl = OFFSET_NOT_SET; 1585 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1586 break; 1587 1588 case DLT_JUNIPER_SERVICES: 1589 cstate->off_linktype.constant_part = 12; 1590 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1591 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1592 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1593 break; 1594 1595 case DLT_JUNIPER_VP: 1596 cstate->off_linktype.constant_part = 18; 1597 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1598 cstate->off_nl = OFFSET_NOT_SET; 1599 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1600 break; 1601 1602 case DLT_JUNIPER_ST: 1603 cstate->off_linktype.constant_part = 18; 1604 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1605 cstate->off_nl = OFFSET_NOT_SET; 1606 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1607 break; 1608 1609 case DLT_JUNIPER_ISM: 1610 cstate->off_linktype.constant_part = 8; 1611 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1612 cstate->off_nl = OFFSET_NOT_SET; 1613 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1614 break; 1615 1616 case DLT_JUNIPER_VS: 1617 case DLT_JUNIPER_SRX_E2E: 1618 case DLT_JUNIPER_FIBRECHANNEL: 1619 case DLT_JUNIPER_ATM_CEMIC: 1620 cstate->off_linktype.constant_part = 8; 1621 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1622 cstate->off_nl = OFFSET_NOT_SET; 1623 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1624 break; 1625 1626 case DLT_MTP2: 1627 cstate->off_li = 2; 1628 cstate->off_li_hsl = 4; 1629 cstate->off_sio = 3; 1630 cstate->off_opc = 4; 1631 cstate->off_dpc = 4; 1632 cstate->off_sls = 7; 1633 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1634 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1635 cstate->off_nl = OFFSET_NOT_SET; 1636 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1637 break; 1638 1639 case DLT_MTP2_WITH_PHDR: 1640 cstate->off_li = 6; 1641 cstate->off_li_hsl = 8; 1642 cstate->off_sio = 7; 1643 cstate->off_opc = 8; 1644 cstate->off_dpc = 8; 1645 cstate->off_sls = 11; 1646 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1647 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1648 cstate->off_nl = OFFSET_NOT_SET; 1649 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1650 break; 1651 1652 case DLT_ERF: 1653 cstate->off_li = 22; 1654 cstate->off_li_hsl = 24; 1655 cstate->off_sio = 23; 1656 cstate->off_opc = 24; 1657 cstate->off_dpc = 24; 1658 cstate->off_sls = 27; 1659 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1660 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1661 cstate->off_nl = OFFSET_NOT_SET; 1662 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1663 break; 1664 1665 case DLT_PFSYNC: 1666 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1667 cstate->off_linkpl.constant_part = 4; 1668 cstate->off_nl = 0; 1669 cstate->off_nl_nosnap = 0; 1670 break; 1671 1672 case DLT_AX25_KISS: 1673 /* 1674 * Currently, only raw "link[N:M]" filtering is supported. 1675 */ 1676 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */ 1677 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1678 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */ 1679 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1680 break; 1681 1682 case DLT_IPNET: 1683 cstate->off_linktype.constant_part = 1; 1684 cstate->off_linkpl.constant_part = 24; /* ipnet header length */ 1685 cstate->off_nl = 0; 1686 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1687 break; 1688 1689 case DLT_NETANALYZER: 1690 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */ 1691 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1692 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */ 1693 cstate->off_nl = 0; /* Ethernet II */ 1694 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1695 break; 1696 1697 case DLT_NETANALYZER_TRANSPARENT: 1698 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1699 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1700 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */ 1701 cstate->off_nl = 0; /* Ethernet II */ 1702 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1703 break; 1704 1705 default: 1706 /* 1707 * For values in the range in which we've assigned new 1708 * DLT_ values, only raw "link[N:M]" filtering is supported. 1709 */ 1710 if (cstate->linktype >= DLT_MATCHING_MIN && 1711 cstate->linktype <= DLT_MATCHING_MAX) { 1712 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1713 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1714 cstate->off_nl = OFFSET_NOT_SET; 1715 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1716 } else { 1717 bpf_set_error(cstate, "unknown data link type %d (min %d, max %d)", 1718 cstate->linktype, DLT_MATCHING_MIN, DLT_MATCHING_MAX); 1719 return (-1); 1720 } 1721 break; 1722 } 1723 1724 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr; 1725 return (0); 1726 } 1727 1728 /* 1729 * Load a value relative to the specified absolute offset. 1730 */ 1731 static struct slist * 1732 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset, 1733 u_int offset, u_int size) 1734 { 1735 struct slist *s, *s2; 1736 1737 s = gen_abs_offset_varpart(cstate, abs_offset); 1738 1739 /* 1740 * If "s" is non-null, it has code to arrange that the X register 1741 * contains the variable part of the absolute offset, so we 1742 * generate a load relative to that, with an offset of 1743 * abs_offset->constant_part + offset. 1744 * 1745 * Otherwise, we can do an absolute load with an offset of 1746 * abs_offset->constant_part + offset. 1747 */ 1748 if (s != NULL) { 1749 /* 1750 * "s" points to a list of statements that puts the 1751 * variable part of the absolute offset into the X register. 1752 * Do an indirect load, to use the X register as an offset. 1753 */ 1754 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1755 s2->s.k = abs_offset->constant_part + offset; 1756 sappend(s, s2); 1757 } else { 1758 /* 1759 * There is no variable part of the absolute offset, so 1760 * just do an absolute load. 1761 */ 1762 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1763 s->s.k = abs_offset->constant_part + offset; 1764 } 1765 return s; 1766 } 1767 1768 /* 1769 * Load a value relative to the beginning of the specified header. 1770 */ 1771 static struct slist * 1772 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1773 u_int size) 1774 { 1775 struct slist *s, *s2; 1776 1777 /* 1778 * Squelch warnings from compilers that *don't* assume that 1779 * offrel always has a valid enum value and therefore don't 1780 * assume that we'll always go through one of the case arms. 1781 * 1782 * If we have a default case, compilers that *do* assume that 1783 * will then complain about the default case code being 1784 * unreachable. 1785 * 1786 * Damned if you do, damned if you don't. 1787 */ 1788 s = NULL; 1789 1790 switch (offrel) { 1791 1792 case OR_PACKET: 1793 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1794 s->s.k = offset; 1795 break; 1796 1797 case OR_LINKHDR: 1798 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size); 1799 break; 1800 1801 case OR_PREVLINKHDR: 1802 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size); 1803 break; 1804 1805 case OR_LLC: 1806 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size); 1807 break; 1808 1809 case OR_PREVMPLSHDR: 1810 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size); 1811 break; 1812 1813 case OR_LINKPL: 1814 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size); 1815 break; 1816 1817 case OR_LINKPL_NOSNAP: 1818 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size); 1819 break; 1820 1821 case OR_LINKTYPE: 1822 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size); 1823 break; 1824 1825 case OR_TRAN_IPV4: 1826 /* 1827 * Load the X register with the length of the IPv4 header 1828 * (plus the offset of the link-layer header, if it's 1829 * preceded by a variable-length header such as a radio 1830 * header), in bytes. 1831 */ 1832 s = gen_loadx_iphdrlen(cstate); 1833 1834 /* 1835 * Load the item at {offset of the link-layer payload} + 1836 * {offset, relative to the start of the link-layer 1837 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1838 * {specified offset}. 1839 * 1840 * If the offset of the link-layer payload is variable, 1841 * the variable part of that offset is included in the 1842 * value in the X register, and we include the constant 1843 * part in the offset of the load. 1844 */ 1845 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1846 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset; 1847 sappend(s, s2); 1848 break; 1849 1850 case OR_TRAN_IPV6: 1851 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size); 1852 break; 1853 } 1854 return s; 1855 } 1856 1857 /* 1858 * Generate code to load into the X register the sum of the length of 1859 * the IPv4 header and the variable part of the offset of the link-layer 1860 * payload. 1861 */ 1862 static struct slist * 1863 gen_loadx_iphdrlen(compiler_state_t *cstate) 1864 { 1865 struct slist *s, *s2; 1866 1867 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 1868 if (s != NULL) { 1869 /* 1870 * The offset of the link-layer payload has a variable 1871 * part. "s" points to a list of statements that put 1872 * the variable part of that offset into the X register. 1873 * 1874 * The 4*([k]&0xf) addressing mode can't be used, as we 1875 * don't have a constant offset, so we have to load the 1876 * value in question into the A register and add to it 1877 * the value from the X register. 1878 */ 1879 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 1880 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1881 sappend(s, s2); 1882 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1883 s2->s.k = 0xf; 1884 sappend(s, s2); 1885 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 1886 s2->s.k = 2; 1887 sappend(s, s2); 1888 1889 /* 1890 * The A register now contains the length of the IP header. 1891 * We need to add to it the variable part of the offset of 1892 * the link-layer payload, which is still in the X 1893 * register, and move the result into the X register. 1894 */ 1895 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 1896 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 1897 } else { 1898 /* 1899 * The offset of the link-layer payload is a constant, 1900 * so no code was generated to load the (non-existent) 1901 * variable part of that offset. 1902 * 1903 * This means we can use the 4*([k]&0xf) addressing 1904 * mode. Load the length of the IPv4 header, which 1905 * is at an offset of cstate->off_nl from the beginning of 1906 * the link-layer payload, and thus at an offset of 1907 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning 1908 * of the raw packet data, using that addressing mode. 1909 */ 1910 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 1911 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1912 } 1913 return s; 1914 } 1915 1916 1917 static struct block * 1918 gen_uncond(compiler_state_t *cstate, int rsense) 1919 { 1920 struct block *b; 1921 struct slist *s; 1922 1923 s = new_stmt(cstate, BPF_LD|BPF_IMM); 1924 s->s.k = !rsense; 1925 b = new_block(cstate, JMP(BPF_JEQ)); 1926 b->stmts = s; 1927 1928 return b; 1929 } 1930 1931 static inline struct block * 1932 gen_true(compiler_state_t *cstate) 1933 { 1934 return gen_uncond(cstate, 1); 1935 } 1936 1937 static inline struct block * 1938 gen_false(compiler_state_t *cstate) 1939 { 1940 return gen_uncond(cstate, 0); 1941 } 1942 1943 /* 1944 * Byte-swap a 32-bit number. 1945 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1946 * big-endian platforms.) 1947 */ 1948 #define SWAPLONG(y) \ 1949 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1950 1951 /* 1952 * Generate code to match a particular packet type. 1953 * 1954 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1955 * value, if <= ETHERMTU. We use that to determine whether to 1956 * match the type/length field or to check the type/length field for 1957 * a value <= ETHERMTU to see whether it's a type field and then do 1958 * the appropriate test. 1959 */ 1960 static struct block * 1961 gen_ether_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 1962 { 1963 struct block *b0, *b1; 1964 1965 switch (ll_proto) { 1966 1967 case LLCSAP_ISONS: 1968 case LLCSAP_IP: 1969 case LLCSAP_NETBEUI: 1970 /* 1971 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1972 * so we check the DSAP and SSAP. 1973 * 1974 * LLCSAP_IP checks for IP-over-802.2, rather 1975 * than IP-over-Ethernet or IP-over-SNAP. 1976 * 1977 * XXX - should we check both the DSAP and the 1978 * SSAP, like this, or should we check just the 1979 * DSAP, as we do for other types <= ETHERMTU 1980 * (i.e., other SAP values)? 1981 */ 1982 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1983 gen_not(b0); 1984 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto); 1985 gen_and(b0, b1); 1986 return b1; 1987 1988 case LLCSAP_IPX: 1989 /* 1990 * Check for; 1991 * 1992 * Ethernet_II frames, which are Ethernet 1993 * frames with a frame type of ETHERTYPE_IPX; 1994 * 1995 * Ethernet_802.3 frames, which are 802.3 1996 * frames (i.e., the type/length field is 1997 * a length field, <= ETHERMTU, rather than 1998 * a type field) with the first two bytes 1999 * after the Ethernet/802.3 header being 2000 * 0xFFFF; 2001 * 2002 * Ethernet_802.2 frames, which are 802.3 2003 * frames with an 802.2 LLC header and 2004 * with the IPX LSAP as the DSAP in the LLC 2005 * header; 2006 * 2007 * Ethernet_SNAP frames, which are 802.3 2008 * frames with an LLC header and a SNAP 2009 * header and with an OUI of 0x000000 2010 * (encapsulated Ethernet) and a protocol 2011 * ID of ETHERTYPE_IPX in the SNAP header. 2012 * 2013 * XXX - should we generate the same code both 2014 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 2015 */ 2016 2017 /* 2018 * This generates code to check both for the 2019 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 2020 */ 2021 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX); 2022 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF); 2023 gen_or(b0, b1); 2024 2025 /* 2026 * Now we add code to check for SNAP frames with 2027 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 2028 */ 2029 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2030 gen_or(b0, b1); 2031 2032 /* 2033 * Now we generate code to check for 802.3 2034 * frames in general. 2035 */ 2036 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2037 gen_not(b0); 2038 2039 /* 2040 * Now add the check for 802.3 frames before the 2041 * check for Ethernet_802.2 and Ethernet_802.3, 2042 * as those checks should only be done on 802.3 2043 * frames, not on Ethernet frames. 2044 */ 2045 gen_and(b0, b1); 2046 2047 /* 2048 * Now add the check for Ethernet_II frames, and 2049 * do that before checking for the other frame 2050 * types. 2051 */ 2052 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX); 2053 gen_or(b0, b1); 2054 return b1; 2055 2056 case ETHERTYPE_ATALK: 2057 case ETHERTYPE_AARP: 2058 /* 2059 * EtherTalk (AppleTalk protocols on Ethernet link 2060 * layer) may use 802.2 encapsulation. 2061 */ 2062 2063 /* 2064 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2065 * we check for an Ethernet type field less than 2066 * 1500, which means it's an 802.3 length field. 2067 */ 2068 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2069 gen_not(b0); 2070 2071 /* 2072 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2073 * SNAP packets with an organization code of 2074 * 0x080007 (Apple, for Appletalk) and a protocol 2075 * type of ETHERTYPE_ATALK (Appletalk). 2076 * 2077 * 802.2-encapsulated ETHERTYPE_AARP packets are 2078 * SNAP packets with an organization code of 2079 * 0x000000 (encapsulated Ethernet) and a protocol 2080 * type of ETHERTYPE_AARP (Appletalk ARP). 2081 */ 2082 if (ll_proto == ETHERTYPE_ATALK) 2083 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2084 else /* ll_proto == ETHERTYPE_AARP */ 2085 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2086 gen_and(b0, b1); 2087 2088 /* 2089 * Check for Ethernet encapsulation (Ethertalk 2090 * phase 1?); we just check for the Ethernet 2091 * protocol type. 2092 */ 2093 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 2094 2095 gen_or(b0, b1); 2096 return b1; 2097 2098 default: 2099 if (ll_proto <= ETHERMTU) { 2100 /* 2101 * This is an LLC SAP value, so the frames 2102 * that match would be 802.2 frames. 2103 * Check that the frame is an 802.2 frame 2104 * (i.e., that the length/type field is 2105 * a length field, <= ETHERMTU) and 2106 * then check the DSAP. 2107 */ 2108 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2109 gen_not(b0); 2110 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, ll_proto); 2111 gen_and(b0, b1); 2112 return b1; 2113 } else { 2114 /* 2115 * This is an Ethernet type, so compare 2116 * the length/type field with it (if 2117 * the frame is an 802.2 frame, the length 2118 * field will be <= ETHERMTU, and, as 2119 * "ll_proto" is > ETHERMTU, this test 2120 * will fail and the frame won't match, 2121 * which is what we want). 2122 */ 2123 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 2124 } 2125 } 2126 } 2127 2128 static struct block * 2129 gen_loopback_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 2130 { 2131 /* 2132 * For DLT_NULL, the link-layer header is a 32-bit word 2133 * containing an AF_ value in *host* byte order, and for 2134 * DLT_ENC, the link-layer header begins with a 32-bit 2135 * word containing an AF_ value in host byte order. 2136 * 2137 * In addition, if we're reading a saved capture file, 2138 * the host byte order in the capture may not be the 2139 * same as the host byte order on this machine. 2140 * 2141 * For DLT_LOOP, the link-layer header is a 32-bit 2142 * word containing an AF_ value in *network* byte order. 2143 */ 2144 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) { 2145 /* 2146 * The AF_ value is in host byte order, but the BPF 2147 * interpreter will convert it to network byte order. 2148 * 2149 * If this is a save file, and it's from a machine 2150 * with the opposite byte order to ours, we byte-swap 2151 * the AF_ value. 2152 * 2153 * Then we run it through "htonl()", and generate 2154 * code to compare against the result. 2155 */ 2156 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped) 2157 ll_proto = SWAPLONG(ll_proto); 2158 ll_proto = htonl(ll_proto); 2159 } 2160 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, ll_proto)); 2161 } 2162 2163 /* 2164 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2165 * or IPv6 then we have an error. 2166 */ 2167 static struct block * 2168 gen_ipnet_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 2169 { 2170 switch (ll_proto) { 2171 2172 case ETHERTYPE_IP: 2173 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET); 2174 /*NOTREACHED*/ 2175 2176 case ETHERTYPE_IPV6: 2177 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET6); 2178 /*NOTREACHED*/ 2179 2180 default: 2181 break; 2182 } 2183 2184 return gen_false(cstate); 2185 } 2186 2187 /* 2188 * Generate code to match a particular packet type. 2189 * 2190 * "ll_proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2191 * value, if <= ETHERMTU. We use that to determine whether to 2192 * match the type field or to check the type field for the special 2193 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2194 */ 2195 static struct block * 2196 gen_linux_sll_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 2197 { 2198 struct block *b0, *b1; 2199 2200 switch (ll_proto) { 2201 2202 case LLCSAP_ISONS: 2203 case LLCSAP_IP: 2204 case LLCSAP_NETBEUI: 2205 /* 2206 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2207 * so we check the DSAP and SSAP. 2208 * 2209 * LLCSAP_IP checks for IP-over-802.2, rather 2210 * than IP-over-Ethernet or IP-over-SNAP. 2211 * 2212 * XXX - should we check both the DSAP and the 2213 * SSAP, like this, or should we check just the 2214 * DSAP, as we do for other types <= ETHERMTU 2215 * (i.e., other SAP values)? 2216 */ 2217 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2218 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto); 2219 gen_and(b0, b1); 2220 return b1; 2221 2222 case LLCSAP_IPX: 2223 /* 2224 * Ethernet_II frames, which are Ethernet 2225 * frames with a frame type of ETHERTYPE_IPX; 2226 * 2227 * Ethernet_802.3 frames, which have a frame 2228 * type of LINUX_SLL_P_802_3; 2229 * 2230 * Ethernet_802.2 frames, which are 802.3 2231 * frames with an 802.2 LLC header (i.e, have 2232 * a frame type of LINUX_SLL_P_802_2) and 2233 * with the IPX LSAP as the DSAP in the LLC 2234 * header; 2235 * 2236 * Ethernet_SNAP frames, which are 802.3 2237 * frames with an LLC header and a SNAP 2238 * header and with an OUI of 0x000000 2239 * (encapsulated Ethernet) and a protocol 2240 * ID of ETHERTYPE_IPX in the SNAP header. 2241 * 2242 * First, do the checks on LINUX_SLL_P_802_2 2243 * frames; generate the check for either 2244 * Ethernet_802.2 or Ethernet_SNAP frames, and 2245 * then put a check for LINUX_SLL_P_802_2 frames 2246 * before it. 2247 */ 2248 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX); 2249 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2250 gen_or(b0, b1); 2251 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2252 gen_and(b0, b1); 2253 2254 /* 2255 * Now check for 802.3 frames and OR that with 2256 * the previous test. 2257 */ 2258 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3); 2259 gen_or(b0, b1); 2260 2261 /* 2262 * Now add the check for Ethernet_II frames, and 2263 * do that before checking for the other frame 2264 * types. 2265 */ 2266 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX); 2267 gen_or(b0, b1); 2268 return b1; 2269 2270 case ETHERTYPE_ATALK: 2271 case ETHERTYPE_AARP: 2272 /* 2273 * EtherTalk (AppleTalk protocols on Ethernet link 2274 * layer) may use 802.2 encapsulation. 2275 */ 2276 2277 /* 2278 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2279 * we check for the 802.2 protocol type in the 2280 * "Ethernet type" field. 2281 */ 2282 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2283 2284 /* 2285 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2286 * SNAP packets with an organization code of 2287 * 0x080007 (Apple, for Appletalk) and a protocol 2288 * type of ETHERTYPE_ATALK (Appletalk). 2289 * 2290 * 802.2-encapsulated ETHERTYPE_AARP packets are 2291 * SNAP packets with an organization code of 2292 * 0x000000 (encapsulated Ethernet) and a protocol 2293 * type of ETHERTYPE_AARP (Appletalk ARP). 2294 */ 2295 if (ll_proto == ETHERTYPE_ATALK) 2296 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2297 else /* ll_proto == ETHERTYPE_AARP */ 2298 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2299 gen_and(b0, b1); 2300 2301 /* 2302 * Check for Ethernet encapsulation (Ethertalk 2303 * phase 1?); we just check for the Ethernet 2304 * protocol type. 2305 */ 2306 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 2307 2308 gen_or(b0, b1); 2309 return b1; 2310 2311 default: 2312 if (ll_proto <= ETHERMTU) { 2313 /* 2314 * This is an LLC SAP value, so the frames 2315 * that match would be 802.2 frames. 2316 * Check for the 802.2 protocol type 2317 * in the "Ethernet type" field, and 2318 * then check the DSAP. 2319 */ 2320 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2321 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B, 2322 ll_proto); 2323 gen_and(b0, b1); 2324 return b1; 2325 } else { 2326 /* 2327 * This is an Ethernet type, so compare 2328 * the length/type field with it (if 2329 * the frame is an 802.2 frame, the length 2330 * field will be <= ETHERMTU, and, as 2331 * "ll_proto" is > ETHERMTU, this test 2332 * will fail and the frame won't match, 2333 * which is what we want). 2334 */ 2335 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 2336 } 2337 } 2338 } 2339 2340 /* 2341 * Load a value relative to the beginning of the link-layer header after the 2342 * pflog header. 2343 */ 2344 static struct slist * 2345 gen_load_pflog_llprefixlen(compiler_state_t *cstate) 2346 { 2347 struct slist *s1, *s2; 2348 2349 /* 2350 * Generate code to load the length of the pflog header into 2351 * the register assigned to hold that length, if one has been 2352 * assigned. (If one hasn't been assigned, no code we've 2353 * generated uses that prefix, so we don't need to generate any 2354 * code to load it.) 2355 */ 2356 if (cstate->off_linkpl.reg != -1) { 2357 /* 2358 * The length is in the first byte of the header. 2359 */ 2360 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2361 s1->s.k = 0; 2362 2363 /* 2364 * Round it up to a multiple of 4. 2365 * Add 3, and clear the lower 2 bits. 2366 */ 2367 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 2368 s2->s.k = 3; 2369 sappend(s1, s2); 2370 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 2371 s2->s.k = 0xfffffffc; 2372 sappend(s1, s2); 2373 2374 /* 2375 * Now allocate a register to hold that value and store 2376 * it. 2377 */ 2378 s2 = new_stmt(cstate, BPF_ST); 2379 s2->s.k = cstate->off_linkpl.reg; 2380 sappend(s1, s2); 2381 2382 /* 2383 * Now move it into the X register. 2384 */ 2385 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2386 sappend(s1, s2); 2387 2388 return (s1); 2389 } else 2390 return (NULL); 2391 } 2392 2393 static struct slist * 2394 gen_load_prism_llprefixlen(compiler_state_t *cstate) 2395 { 2396 struct slist *s1, *s2; 2397 struct slist *sjeq_avs_cookie; 2398 struct slist *sjcommon; 2399 2400 /* 2401 * This code is not compatible with the optimizer, as 2402 * we are generating jmp instructions within a normal 2403 * slist of instructions 2404 */ 2405 cstate->no_optimize = 1; 2406 2407 /* 2408 * Generate code to load the length of the radio header into 2409 * the register assigned to hold that length, if one has been 2410 * assigned. (If one hasn't been assigned, no code we've 2411 * generated uses that prefix, so we don't need to generate any 2412 * code to load it.) 2413 * 2414 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2415 * or always use the AVS header rather than the Prism header. 2416 * We load a 4-byte big-endian value at the beginning of the 2417 * raw packet data, and see whether, when masked with 0xFFFFF000, 2418 * it's equal to 0x80211000. If so, that indicates that it's 2419 * an AVS header (the masked-out bits are the version number). 2420 * Otherwise, it's a Prism header. 2421 * 2422 * XXX - the Prism header is also, in theory, variable-length, 2423 * but no known software generates headers that aren't 144 2424 * bytes long. 2425 */ 2426 if (cstate->off_linkhdr.reg != -1) { 2427 /* 2428 * Load the cookie. 2429 */ 2430 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2431 s1->s.k = 0; 2432 2433 /* 2434 * AND it with 0xFFFFF000. 2435 */ 2436 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 2437 s2->s.k = 0xFFFFF000; 2438 sappend(s1, s2); 2439 2440 /* 2441 * Compare with 0x80211000. 2442 */ 2443 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ)); 2444 sjeq_avs_cookie->s.k = 0x80211000; 2445 sappend(s1, sjeq_avs_cookie); 2446 2447 /* 2448 * If it's AVS: 2449 * 2450 * The 4 bytes at an offset of 4 from the beginning of 2451 * the AVS header are the length of the AVS header. 2452 * That field is big-endian. 2453 */ 2454 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2455 s2->s.k = 4; 2456 sappend(s1, s2); 2457 sjeq_avs_cookie->s.jt = s2; 2458 2459 /* 2460 * Now jump to the code to allocate a register 2461 * into which to save the header length and 2462 * store the length there. (The "jump always" 2463 * instruction needs to have the k field set; 2464 * it's added to the PC, so, as we're jumping 2465 * over a single instruction, it should be 1.) 2466 */ 2467 sjcommon = new_stmt(cstate, JMP(BPF_JA)); 2468 sjcommon->s.k = 1; 2469 sappend(s1, sjcommon); 2470 2471 /* 2472 * Now for the code that handles the Prism header. 2473 * Just load the length of the Prism header (144) 2474 * into the A register. Have the test for an AVS 2475 * header branch here if we don't have an AVS header. 2476 */ 2477 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2478 s2->s.k = 144; 2479 sappend(s1, s2); 2480 sjeq_avs_cookie->s.jf = s2; 2481 2482 /* 2483 * Now allocate a register to hold that value and store 2484 * it. The code for the AVS header will jump here after 2485 * loading the length of the AVS header. 2486 */ 2487 s2 = new_stmt(cstate, BPF_ST); 2488 s2->s.k = cstate->off_linkhdr.reg; 2489 sappend(s1, s2); 2490 sjcommon->s.jf = s2; 2491 2492 /* 2493 * Now move it into the X register. 2494 */ 2495 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2496 sappend(s1, s2); 2497 2498 return (s1); 2499 } else 2500 return (NULL); 2501 } 2502 2503 static struct slist * 2504 gen_load_avs_llprefixlen(compiler_state_t *cstate) 2505 { 2506 struct slist *s1, *s2; 2507 2508 /* 2509 * Generate code to load the length of the AVS header into 2510 * the register assigned to hold that length, if one has been 2511 * assigned. (If one hasn't been assigned, no code we've 2512 * generated uses that prefix, so we don't need to generate any 2513 * code to load it.) 2514 */ 2515 if (cstate->off_linkhdr.reg != -1) { 2516 /* 2517 * The 4 bytes at an offset of 4 from the beginning of 2518 * the AVS header are the length of the AVS header. 2519 * That field is big-endian. 2520 */ 2521 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2522 s1->s.k = 4; 2523 2524 /* 2525 * Now allocate a register to hold that value and store 2526 * it. 2527 */ 2528 s2 = new_stmt(cstate, BPF_ST); 2529 s2->s.k = cstate->off_linkhdr.reg; 2530 sappend(s1, s2); 2531 2532 /* 2533 * Now move it into the X register. 2534 */ 2535 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2536 sappend(s1, s2); 2537 2538 return (s1); 2539 } else 2540 return (NULL); 2541 } 2542 2543 static struct slist * 2544 gen_load_radiotap_llprefixlen(compiler_state_t *cstate) 2545 { 2546 struct slist *s1, *s2; 2547 2548 /* 2549 * Generate code to load the length of the radiotap header into 2550 * the register assigned to hold that length, if one has been 2551 * assigned. (If one hasn't been assigned, no code we've 2552 * generated uses that prefix, so we don't need to generate any 2553 * code to load it.) 2554 */ 2555 if (cstate->off_linkhdr.reg != -1) { 2556 /* 2557 * The 2 bytes at offsets of 2 and 3 from the beginning 2558 * of the radiotap header are the length of the radiotap 2559 * header; unfortunately, it's little-endian, so we have 2560 * to load it a byte at a time and construct the value. 2561 */ 2562 2563 /* 2564 * Load the high-order byte, at an offset of 3, shift it 2565 * left a byte, and put the result in the X register. 2566 */ 2567 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2568 s1->s.k = 3; 2569 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2570 sappend(s1, s2); 2571 s2->s.k = 8; 2572 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2573 sappend(s1, s2); 2574 2575 /* 2576 * Load the next byte, at an offset of 2, and OR the 2577 * value from the X register into it. 2578 */ 2579 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2580 sappend(s1, s2); 2581 s2->s.k = 2; 2582 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2583 sappend(s1, s2); 2584 2585 /* 2586 * Now allocate a register to hold that value and store 2587 * it. 2588 */ 2589 s2 = new_stmt(cstate, BPF_ST); 2590 s2->s.k = cstate->off_linkhdr.reg; 2591 sappend(s1, s2); 2592 2593 /* 2594 * Now move it into the X register. 2595 */ 2596 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2597 sappend(s1, s2); 2598 2599 return (s1); 2600 } else 2601 return (NULL); 2602 } 2603 2604 /* 2605 * At the moment we treat PPI as normal Radiotap encoded 2606 * packets. The difference is in the function that generates 2607 * the code at the beginning to compute the header length. 2608 * Since this code generator of PPI supports bare 802.11 2609 * encapsulation only (i.e. the encapsulated DLT should be 2610 * DLT_IEEE802_11) we generate code to check for this too; 2611 * that's done in finish_parse(). 2612 */ 2613 static struct slist * 2614 gen_load_ppi_llprefixlen(compiler_state_t *cstate) 2615 { 2616 struct slist *s1, *s2; 2617 2618 /* 2619 * Generate code to load the length of the radiotap header 2620 * into the register assigned to hold that length, if one has 2621 * been assigned. 2622 */ 2623 if (cstate->off_linkhdr.reg != -1) { 2624 /* 2625 * The 2 bytes at offsets of 2 and 3 from the beginning 2626 * of the radiotap header are the length of the radiotap 2627 * header; unfortunately, it's little-endian, so we have 2628 * to load it a byte at a time and construct the value. 2629 */ 2630 2631 /* 2632 * Load the high-order byte, at an offset of 3, shift it 2633 * left a byte, and put the result in the X register. 2634 */ 2635 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2636 s1->s.k = 3; 2637 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2638 sappend(s1, s2); 2639 s2->s.k = 8; 2640 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2641 sappend(s1, s2); 2642 2643 /* 2644 * Load the next byte, at an offset of 2, and OR the 2645 * value from the X register into it. 2646 */ 2647 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2648 sappend(s1, s2); 2649 s2->s.k = 2; 2650 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2651 sappend(s1, s2); 2652 2653 /* 2654 * Now allocate a register to hold that value and store 2655 * it. 2656 */ 2657 s2 = new_stmt(cstate, BPF_ST); 2658 s2->s.k = cstate->off_linkhdr.reg; 2659 sappend(s1, s2); 2660 2661 /* 2662 * Now move it into the X register. 2663 */ 2664 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2665 sappend(s1, s2); 2666 2667 return (s1); 2668 } else 2669 return (NULL); 2670 } 2671 2672 /* 2673 * Load a value relative to the beginning of the link-layer header after the 802.11 2674 * header, i.e. LLC_SNAP. 2675 * The link-layer header doesn't necessarily begin at the beginning 2676 * of the packet data; there might be a variable-length prefix containing 2677 * radio information. 2678 */ 2679 static struct slist * 2680 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext) 2681 { 2682 struct slist *s2; 2683 struct slist *sjset_data_frame_1; 2684 struct slist *sjset_data_frame_2; 2685 struct slist *sjset_qos; 2686 struct slist *sjset_radiotap_flags_present; 2687 struct slist *sjset_radiotap_ext_present; 2688 struct slist *sjset_radiotap_tsft_present; 2689 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2690 struct slist *s_roundup; 2691 2692 if (cstate->off_linkpl.reg == -1) { 2693 /* 2694 * No register has been assigned to the offset of 2695 * the link-layer payload, which means nobody needs 2696 * it; don't bother computing it - just return 2697 * what we already have. 2698 */ 2699 return (s); 2700 } 2701 2702 /* 2703 * This code is not compatible with the optimizer, as 2704 * we are generating jmp instructions within a normal 2705 * slist of instructions 2706 */ 2707 cstate->no_optimize = 1; 2708 2709 /* 2710 * If "s" is non-null, it has code to arrange that the X register 2711 * contains the length of the prefix preceding the link-layer 2712 * header. 2713 * 2714 * Otherwise, the length of the prefix preceding the link-layer 2715 * header is "off_outermostlinkhdr.constant_part". 2716 */ 2717 if (s == NULL) { 2718 /* 2719 * There is no variable-length header preceding the 2720 * link-layer header. 2721 * 2722 * Load the length of the fixed-length prefix preceding 2723 * the link-layer header (if any) into the X register, 2724 * and store it in the cstate->off_linkpl.reg register. 2725 * That length is off_outermostlinkhdr.constant_part. 2726 */ 2727 s = new_stmt(cstate, BPF_LDX|BPF_IMM); 2728 s->s.k = cstate->off_outermostlinkhdr.constant_part; 2729 } 2730 2731 /* 2732 * The X register contains the offset of the beginning of the 2733 * link-layer header; add 24, which is the minimum length 2734 * of the MAC header for a data frame, to that, and store it 2735 * in cstate->off_linkpl.reg, and then load the Frame Control field, 2736 * which is at the offset in the X register, with an indexed load. 2737 */ 2738 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA); 2739 sappend(s, s2); 2740 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 2741 s2->s.k = 24; 2742 sappend(s, s2); 2743 s2 = new_stmt(cstate, BPF_ST); 2744 s2->s.k = cstate->off_linkpl.reg; 2745 sappend(s, s2); 2746 2747 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 2748 s2->s.k = 0; 2749 sappend(s, s2); 2750 2751 /* 2752 * Check the Frame Control field to see if this is a data frame; 2753 * a data frame has the 0x08 bit (b3) in that field set and the 2754 * 0x04 bit (b2) clear. 2755 */ 2756 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET)); 2757 sjset_data_frame_1->s.k = 0x08; 2758 sappend(s, sjset_data_frame_1); 2759 2760 /* 2761 * If b3 is set, test b2, otherwise go to the first statement of 2762 * the rest of the program. 2763 */ 2764 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET)); 2765 sjset_data_frame_2->s.k = 0x04; 2766 sappend(s, sjset_data_frame_2); 2767 sjset_data_frame_1->s.jf = snext; 2768 2769 /* 2770 * If b2 is not set, this is a data frame; test the QoS bit. 2771 * Otherwise, go to the first statement of the rest of the 2772 * program. 2773 */ 2774 sjset_data_frame_2->s.jt = snext; 2775 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET)); 2776 sjset_qos->s.k = 0x80; /* QoS bit */ 2777 sappend(s, sjset_qos); 2778 2779 /* 2780 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS 2781 * field. 2782 * Otherwise, go to the first statement of the rest of the 2783 * program. 2784 */ 2785 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 2786 s2->s.k = cstate->off_linkpl.reg; 2787 sappend(s, s2); 2788 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2789 s2->s.k = 2; 2790 sappend(s, s2); 2791 s2 = new_stmt(cstate, BPF_ST); 2792 s2->s.k = cstate->off_linkpl.reg; 2793 sappend(s, s2); 2794 2795 /* 2796 * If we have a radiotap header, look at it to see whether 2797 * there's Atheros padding between the MAC-layer header 2798 * and the payload. 2799 * 2800 * Note: all of the fields in the radiotap header are 2801 * little-endian, so we byte-swap all of the values 2802 * we test against, as they will be loaded as big-endian 2803 * values. 2804 * 2805 * XXX - in the general case, we would have to scan through 2806 * *all* the presence bits, if there's more than one word of 2807 * presence bits. That would require a loop, meaning that 2808 * we wouldn't be able to run the filter in the kernel. 2809 * 2810 * We assume here that the Atheros adapters that insert the 2811 * annoying padding don't have multiple antennae and therefore 2812 * do not generate radiotap headers with multiple presence words. 2813 */ 2814 if (cstate->linktype == DLT_IEEE802_11_RADIO) { 2815 /* 2816 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2817 * in the first presence flag word? 2818 */ 2819 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W); 2820 s2->s.k = 4; 2821 sappend(s, s2); 2822 2823 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET)); 2824 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002); 2825 sappend(s, sjset_radiotap_flags_present); 2826 2827 /* 2828 * If not, skip all of this. 2829 */ 2830 sjset_radiotap_flags_present->s.jf = snext; 2831 2832 /* 2833 * Otherwise, is the "extension" bit set in that word? 2834 */ 2835 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET)); 2836 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000); 2837 sappend(s, sjset_radiotap_ext_present); 2838 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present; 2839 2840 /* 2841 * If so, skip all of this. 2842 */ 2843 sjset_radiotap_ext_present->s.jt = snext; 2844 2845 /* 2846 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2847 */ 2848 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET)); 2849 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001); 2850 sappend(s, sjset_radiotap_tsft_present); 2851 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present; 2852 2853 /* 2854 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2855 * at an offset of 16 from the beginning of the raw packet 2856 * data (8 bytes for the radiotap header and 8 bytes for 2857 * the TSFT field). 2858 * 2859 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2860 * is set. 2861 */ 2862 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2863 s2->s.k = 16; 2864 sappend(s, s2); 2865 sjset_radiotap_tsft_present->s.jt = s2; 2866 2867 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2868 sjset_tsft_datapad->s.k = 0x20; 2869 sappend(s, sjset_tsft_datapad); 2870 2871 /* 2872 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2873 * at an offset of 8 from the beginning of the raw packet 2874 * data (8 bytes for the radiotap header). 2875 * 2876 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2877 * is set. 2878 */ 2879 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2880 s2->s.k = 8; 2881 sappend(s, s2); 2882 sjset_radiotap_tsft_present->s.jf = s2; 2883 2884 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2885 sjset_notsft_datapad->s.k = 0x20; 2886 sappend(s, sjset_notsft_datapad); 2887 2888 /* 2889 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2890 * set, round the length of the 802.11 header to 2891 * a multiple of 4. Do that by adding 3 and then 2892 * dividing by and multiplying by 4, which we do by 2893 * ANDing with ~3. 2894 */ 2895 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM); 2896 s_roundup->s.k = cstate->off_linkpl.reg; 2897 sappend(s, s_roundup); 2898 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2899 s2->s.k = 3; 2900 sappend(s, s2); 2901 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM); 2902 s2->s.k = (bpf_u_int32)~3; 2903 sappend(s, s2); 2904 s2 = new_stmt(cstate, BPF_ST); 2905 s2->s.k = cstate->off_linkpl.reg; 2906 sappend(s, s2); 2907 2908 sjset_tsft_datapad->s.jt = s_roundup; 2909 sjset_tsft_datapad->s.jf = snext; 2910 sjset_notsft_datapad->s.jt = s_roundup; 2911 sjset_notsft_datapad->s.jf = snext; 2912 } else 2913 sjset_qos->s.jf = snext; 2914 2915 return s; 2916 } 2917 2918 static void 2919 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b) 2920 { 2921 struct slist *s; 2922 2923 /* There is an implicit dependency between the link 2924 * payload and link header since the payload computation 2925 * includes the variable part of the header. Therefore, 2926 * if nobody else has allocated a register for the link 2927 * header and we need it, do it now. */ 2928 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable && 2929 cstate->off_linkhdr.reg == -1) 2930 cstate->off_linkhdr.reg = alloc_reg(cstate); 2931 2932 /* 2933 * For link-layer types that have a variable-length header 2934 * preceding the link-layer header, generate code to load 2935 * the offset of the link-layer header into the register 2936 * assigned to that offset, if any. 2937 * 2938 * XXX - this, and the next switch statement, won't handle 2939 * encapsulation of 802.11 or 802.11+radio information in 2940 * some other protocol stack. That's significantly more 2941 * complicated. 2942 */ 2943 switch (cstate->outermostlinktype) { 2944 2945 case DLT_PRISM_HEADER: 2946 s = gen_load_prism_llprefixlen(cstate); 2947 break; 2948 2949 case DLT_IEEE802_11_RADIO_AVS: 2950 s = gen_load_avs_llprefixlen(cstate); 2951 break; 2952 2953 case DLT_IEEE802_11_RADIO: 2954 s = gen_load_radiotap_llprefixlen(cstate); 2955 break; 2956 2957 case DLT_PPI: 2958 s = gen_load_ppi_llprefixlen(cstate); 2959 break; 2960 2961 default: 2962 s = NULL; 2963 break; 2964 } 2965 2966 /* 2967 * For link-layer types that have a variable-length link-layer 2968 * header, generate code to load the offset of the link-layer 2969 * payload into the register assigned to that offset, if any. 2970 */ 2971 switch (cstate->outermostlinktype) { 2972 2973 case DLT_IEEE802_11: 2974 case DLT_PRISM_HEADER: 2975 case DLT_IEEE802_11_RADIO_AVS: 2976 case DLT_IEEE802_11_RADIO: 2977 case DLT_PPI: 2978 s = gen_load_802_11_header_len(cstate, s, b->stmts); 2979 break; 2980 2981 case DLT_PFLOG: 2982 s = gen_load_pflog_llprefixlen(cstate); 2983 break; 2984 } 2985 2986 /* 2987 * If there is no initialization yet and we need variable 2988 * length offsets for VLAN, initialize them to zero 2989 */ 2990 if (s == NULL && cstate->is_vlan_vloffset) { 2991 struct slist *s2; 2992 2993 if (cstate->off_linkpl.reg == -1) 2994 cstate->off_linkpl.reg = alloc_reg(cstate); 2995 if (cstate->off_linktype.reg == -1) 2996 cstate->off_linktype.reg = alloc_reg(cstate); 2997 2998 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2999 s->s.k = 0; 3000 s2 = new_stmt(cstate, BPF_ST); 3001 s2->s.k = cstate->off_linkpl.reg; 3002 sappend(s, s2); 3003 s2 = new_stmt(cstate, BPF_ST); 3004 s2->s.k = cstate->off_linktype.reg; 3005 sappend(s, s2); 3006 } 3007 3008 /* 3009 * If we have any offset-loading code, append all the 3010 * existing statements in the block to those statements, 3011 * and make the resulting list the list of statements 3012 * for the block. 3013 */ 3014 if (s != NULL) { 3015 sappend(s, b->stmts); 3016 b->stmts = s; 3017 } 3018 } 3019 3020 static struct block * 3021 gen_ppi_dlt_check(compiler_state_t *cstate) 3022 { 3023 struct slist *s_load_dlt; 3024 struct block *b; 3025 3026 if (cstate->linktype == DLT_PPI) 3027 { 3028 /* Create the statements that check for the DLT 3029 */ 3030 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 3031 s_load_dlt->s.k = 4; 3032 3033 b = new_block(cstate, JMP(BPF_JEQ)); 3034 3035 b->stmts = s_load_dlt; 3036 b->s.k = SWAPLONG(DLT_IEEE802_11); 3037 } 3038 else 3039 { 3040 b = NULL; 3041 } 3042 3043 return b; 3044 } 3045 3046 /* 3047 * Take an absolute offset, and: 3048 * 3049 * if it has no variable part, return NULL; 3050 * 3051 * if it has a variable part, generate code to load the register 3052 * containing that variable part into the X register, returning 3053 * a pointer to that code - if no register for that offset has 3054 * been allocated, allocate it first. 3055 * 3056 * (The code to set that register will be generated later, but will 3057 * be placed earlier in the code sequence.) 3058 */ 3059 static struct slist * 3060 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off) 3061 { 3062 struct slist *s; 3063 3064 if (off->is_variable) { 3065 if (off->reg == -1) { 3066 /* 3067 * We haven't yet assigned a register for the 3068 * variable part of the offset of the link-layer 3069 * header; allocate one. 3070 */ 3071 off->reg = alloc_reg(cstate); 3072 } 3073 3074 /* 3075 * Load the register containing the variable part of the 3076 * offset of the link-layer header into the X register. 3077 */ 3078 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 3079 s->s.k = off->reg; 3080 return s; 3081 } else { 3082 /* 3083 * That offset isn't variable, there's no variable part, 3084 * so we don't need to generate any code. 3085 */ 3086 return NULL; 3087 } 3088 } 3089 3090 /* 3091 * Map an Ethernet type to the equivalent PPP type. 3092 */ 3093 static bpf_u_int32 3094 ethertype_to_ppptype(bpf_u_int32 ll_proto) 3095 { 3096 switch (ll_proto) { 3097 3098 case ETHERTYPE_IP: 3099 ll_proto = PPP_IP; 3100 break; 3101 3102 case ETHERTYPE_IPV6: 3103 ll_proto = PPP_IPV6; 3104 break; 3105 3106 case ETHERTYPE_DN: 3107 ll_proto = PPP_DECNET; 3108 break; 3109 3110 case ETHERTYPE_ATALK: 3111 ll_proto = PPP_APPLE; 3112 break; 3113 3114 case ETHERTYPE_NS: 3115 ll_proto = PPP_NS; 3116 break; 3117 3118 case LLCSAP_ISONS: 3119 ll_proto = PPP_OSI; 3120 break; 3121 3122 case LLCSAP_8021D: 3123 /* 3124 * I'm assuming the "Bridging PDU"s that go 3125 * over PPP are Spanning Tree Protocol 3126 * Bridging PDUs. 3127 */ 3128 ll_proto = PPP_BRPDU; 3129 break; 3130 3131 case LLCSAP_IPX: 3132 ll_proto = PPP_IPX; 3133 break; 3134 } 3135 return (ll_proto); 3136 } 3137 3138 /* 3139 * Generate any tests that, for encapsulation of a link-layer packet 3140 * inside another protocol stack, need to be done to check for those 3141 * link-layer packets (and that haven't already been done by a check 3142 * for that encapsulation). 3143 */ 3144 static struct block * 3145 gen_prevlinkhdr_check(compiler_state_t *cstate) 3146 { 3147 struct block *b0; 3148 3149 if (cstate->is_geneve) 3150 return gen_geneve_ll_check(cstate); 3151 3152 switch (cstate->prevlinktype) { 3153 3154 case DLT_SUNATM: 3155 /* 3156 * This is LANE-encapsulated Ethernet; check that the LANE 3157 * packet doesn't begin with an LE Control marker, i.e. 3158 * that it's data, not a control message. 3159 * 3160 * (We've already generated a test for LANE.) 3161 */ 3162 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 3163 gen_not(b0); 3164 return b0; 3165 3166 default: 3167 /* 3168 * No such tests are necessary. 3169 */ 3170 return NULL; 3171 } 3172 /*NOTREACHED*/ 3173 } 3174 3175 /* 3176 * The three different values we should check for when checking for an 3177 * IPv6 packet with DLT_NULL. 3178 */ 3179 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */ 3180 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */ 3181 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */ 3182 3183 /* 3184 * Generate code to match a particular packet type by matching the 3185 * link-layer type field or fields in the 802.2 LLC header. 3186 * 3187 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3188 * value, if <= ETHERMTU. 3189 */ 3190 static struct block * 3191 gen_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 3192 { 3193 struct block *b0, *b1, *b2; 3194 const char *description; 3195 3196 /* are we checking MPLS-encapsulated packets? */ 3197 if (cstate->label_stack_depth > 0) 3198 return gen_mpls_linktype(cstate, ll_proto); 3199 3200 switch (cstate->linktype) { 3201 3202 case DLT_EN10MB: 3203 case DLT_NETANALYZER: 3204 case DLT_NETANALYZER_TRANSPARENT: 3205 /* Geneve has an EtherType regardless of whether there is an 3206 * L2 header. */ 3207 if (!cstate->is_geneve) 3208 b0 = gen_prevlinkhdr_check(cstate); 3209 else 3210 b0 = NULL; 3211 3212 b1 = gen_ether_linktype(cstate, ll_proto); 3213 if (b0 != NULL) 3214 gen_and(b0, b1); 3215 return b1; 3216 /*NOTREACHED*/ 3217 3218 case DLT_C_HDLC: 3219 case DLT_HDLC: 3220 switch (ll_proto) { 3221 3222 case LLCSAP_ISONS: 3223 ll_proto = (ll_proto << 8 | LLCSAP_ISONS); 3224 /* fall through */ 3225 3226 default: 3227 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 3228 /*NOTREACHED*/ 3229 } 3230 3231 case DLT_IEEE802_11: 3232 case DLT_PRISM_HEADER: 3233 case DLT_IEEE802_11_RADIO_AVS: 3234 case DLT_IEEE802_11_RADIO: 3235 case DLT_PPI: 3236 /* 3237 * Check that we have a data frame. 3238 */ 3239 b0 = gen_check_802_11_data_frame(cstate); 3240 3241 /* 3242 * Now check for the specified link-layer type. 3243 */ 3244 b1 = gen_llc_linktype(cstate, ll_proto); 3245 gen_and(b0, b1); 3246 return b1; 3247 /*NOTREACHED*/ 3248 3249 case DLT_FDDI: 3250 /* 3251 * XXX - check for LLC frames. 3252 */ 3253 return gen_llc_linktype(cstate, ll_proto); 3254 /*NOTREACHED*/ 3255 3256 case DLT_IEEE802: 3257 /* 3258 * XXX - check for LLC PDUs, as per IEEE 802.5. 3259 */ 3260 return gen_llc_linktype(cstate, ll_proto); 3261 /*NOTREACHED*/ 3262 3263 case DLT_ATM_RFC1483: 3264 case DLT_ATM_CLIP: 3265 case DLT_IP_OVER_FC: 3266 return gen_llc_linktype(cstate, ll_proto); 3267 /*NOTREACHED*/ 3268 3269 case DLT_SUNATM: 3270 /* 3271 * Check for an LLC-encapsulated version of this protocol; 3272 * if we were checking for LANE, linktype would no longer 3273 * be DLT_SUNATM. 3274 * 3275 * Check for LLC encapsulation and then check the protocol. 3276 */ 3277 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3278 b1 = gen_llc_linktype(cstate, ll_proto); 3279 gen_and(b0, b1); 3280 return b1; 3281 /*NOTREACHED*/ 3282 3283 case DLT_LINUX_SLL: 3284 return gen_linux_sll_linktype(cstate, ll_proto); 3285 /*NOTREACHED*/ 3286 3287 case DLT_SLIP: 3288 case DLT_SLIP_BSDOS: 3289 case DLT_RAW: 3290 /* 3291 * These types don't provide any type field; packets 3292 * are always IPv4 or IPv6. 3293 * 3294 * XXX - for IPv4, check for a version number of 4, and, 3295 * for IPv6, check for a version number of 6? 3296 */ 3297 switch (ll_proto) { 3298 3299 case ETHERTYPE_IP: 3300 /* Check for a version number of 4. */ 3301 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0); 3302 3303 case ETHERTYPE_IPV6: 3304 /* Check for a version number of 6. */ 3305 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0); 3306 3307 default: 3308 return gen_false(cstate); /* always false */ 3309 } 3310 /*NOTREACHED*/ 3311 3312 case DLT_IPV4: 3313 /* 3314 * Raw IPv4, so no type field. 3315 */ 3316 if (ll_proto == ETHERTYPE_IP) 3317 return gen_true(cstate); /* always true */ 3318 3319 /* Checking for something other than IPv4; always false */ 3320 return gen_false(cstate); 3321 /*NOTREACHED*/ 3322 3323 case DLT_IPV6: 3324 /* 3325 * Raw IPv6, so no type field. 3326 */ 3327 if (ll_proto == ETHERTYPE_IPV6) 3328 return gen_true(cstate); /* always true */ 3329 3330 /* Checking for something other than IPv6; always false */ 3331 return gen_false(cstate); 3332 /*NOTREACHED*/ 3333 3334 case DLT_PPP: 3335 case DLT_PPP_PPPD: 3336 case DLT_PPP_SERIAL: 3337 case DLT_PPP_ETHER: 3338 /* 3339 * We use Ethernet protocol types inside libpcap; 3340 * map them to the corresponding PPP protocol types. 3341 */ 3342 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 3343 ethertype_to_ppptype(ll_proto)); 3344 /*NOTREACHED*/ 3345 3346 case DLT_PPP_BSDOS: 3347 /* 3348 * We use Ethernet protocol types inside libpcap; 3349 * map them to the corresponding PPP protocol types. 3350 */ 3351 switch (ll_proto) { 3352 3353 case ETHERTYPE_IP: 3354 /* 3355 * Also check for Van Jacobson-compressed IP. 3356 * XXX - do this for other forms of PPP? 3357 */ 3358 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP); 3359 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC); 3360 gen_or(b0, b1); 3361 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC); 3362 gen_or(b1, b0); 3363 return b0; 3364 3365 default: 3366 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 3367 ethertype_to_ppptype(ll_proto)); 3368 } 3369 /*NOTREACHED*/ 3370 3371 case DLT_NULL: 3372 case DLT_LOOP: 3373 case DLT_ENC: 3374 switch (ll_proto) { 3375 3376 case ETHERTYPE_IP: 3377 return (gen_loopback_linktype(cstate, AF_INET)); 3378 3379 case ETHERTYPE_IPV6: 3380 /* 3381 * AF_ values may, unfortunately, be platform- 3382 * dependent; AF_INET isn't, because everybody 3383 * used 4.2BSD's value, but AF_INET6 is, because 3384 * 4.2BSD didn't have a value for it (given that 3385 * IPv6 didn't exist back in the early 1980's), 3386 * and they all picked their own values. 3387 * 3388 * This means that, if we're reading from a 3389 * savefile, we need to check for all the 3390 * possible values. 3391 * 3392 * If we're doing a live capture, we only need 3393 * to check for this platform's value; however, 3394 * Npcap uses 24, which isn't Windows's AF_INET6 3395 * value. (Given the multiple different values, 3396 * programs that read pcap files shouldn't be 3397 * checking for their platform's AF_INET6 value 3398 * anyway, they should check for all of the 3399 * possible values. and they might as well do 3400 * that even for live captures.) 3401 */ 3402 if (cstate->bpf_pcap->rfile != NULL) { 3403 /* 3404 * Savefile - check for all three 3405 * possible IPv6 values. 3406 */ 3407 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD); 3408 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD); 3409 gen_or(b0, b1); 3410 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN); 3411 gen_or(b0, b1); 3412 return (b1); 3413 } else { 3414 /* 3415 * Live capture, so we only need to 3416 * check for the value used on this 3417 * platform. 3418 */ 3419 #ifdef _WIN32 3420 /* 3421 * Npcap doesn't use Windows's AF_INET6, 3422 * as that collides with AF_IPX on 3423 * some BSDs (both have the value 23). 3424 * Instead, it uses 24. 3425 */ 3426 return (gen_loopback_linktype(cstate, 24)); 3427 #else /* _WIN32 */ 3428 #ifdef AF_INET6 3429 return (gen_loopback_linktype(cstate, AF_INET6)); 3430 #else /* AF_INET6 */ 3431 /* 3432 * I guess this platform doesn't support 3433 * IPv6, so we just reject all packets. 3434 */ 3435 return gen_false(cstate); 3436 #endif /* AF_INET6 */ 3437 #endif /* _WIN32 */ 3438 } 3439 3440 default: 3441 /* 3442 * Not a type on which we support filtering. 3443 * XXX - support those that have AF_ values 3444 * #defined on this platform, at least? 3445 */ 3446 return gen_false(cstate); 3447 } 3448 3449 case DLT_PFLOG: 3450 /* 3451 * af field is host byte order in contrast to the rest of 3452 * the packet. 3453 */ 3454 if (ll_proto == ETHERTYPE_IP) 3455 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3456 BPF_B, AF_INET)); 3457 else if (ll_proto == ETHERTYPE_IPV6) 3458 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3459 BPF_B, AF_INET6)); 3460 else 3461 return gen_false(cstate); 3462 /*NOTREACHED*/ 3463 3464 case DLT_ARCNET: 3465 case DLT_ARCNET_LINUX: 3466 /* 3467 * XXX should we check for first fragment if the protocol 3468 * uses PHDS? 3469 */ 3470 switch (ll_proto) { 3471 3472 default: 3473 return gen_false(cstate); 3474 3475 case ETHERTYPE_IPV6: 3476 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3477 ARCTYPE_INET6)); 3478 3479 case ETHERTYPE_IP: 3480 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3481 ARCTYPE_IP); 3482 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3483 ARCTYPE_IP_OLD); 3484 gen_or(b0, b1); 3485 return (b1); 3486 3487 case ETHERTYPE_ARP: 3488 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3489 ARCTYPE_ARP); 3490 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3491 ARCTYPE_ARP_OLD); 3492 gen_or(b0, b1); 3493 return (b1); 3494 3495 case ETHERTYPE_REVARP: 3496 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3497 ARCTYPE_REVARP)); 3498 3499 case ETHERTYPE_ATALK: 3500 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3501 ARCTYPE_ATALK)); 3502 } 3503 /*NOTREACHED*/ 3504 3505 case DLT_LTALK: 3506 switch (ll_proto) { 3507 case ETHERTYPE_ATALK: 3508 return gen_true(cstate); 3509 default: 3510 return gen_false(cstate); 3511 } 3512 /*NOTREACHED*/ 3513 3514 case DLT_FRELAY: 3515 /* 3516 * XXX - assumes a 2-byte Frame Relay header with 3517 * DLCI and flags. What if the address is longer? 3518 */ 3519 switch (ll_proto) { 3520 3521 case ETHERTYPE_IP: 3522 /* 3523 * Check for the special NLPID for IP. 3524 */ 3525 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc); 3526 3527 case ETHERTYPE_IPV6: 3528 /* 3529 * Check for the special NLPID for IPv6. 3530 */ 3531 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e); 3532 3533 case LLCSAP_ISONS: 3534 /* 3535 * Check for several OSI protocols. 3536 * 3537 * Frame Relay packets typically have an OSI 3538 * NLPID at the beginning; we check for each 3539 * of them. 3540 * 3541 * What we check for is the NLPID and a frame 3542 * control field of UI, i.e. 0x03 followed 3543 * by the NLPID. 3544 */ 3545 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3546 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3547 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3548 gen_or(b1, b2); 3549 gen_or(b0, b2); 3550 return b2; 3551 3552 default: 3553 return gen_false(cstate); 3554 } 3555 /*NOTREACHED*/ 3556 3557 case DLT_MFR: 3558 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented"); 3559 3560 case DLT_JUNIPER_MFR: 3561 case DLT_JUNIPER_MLFR: 3562 case DLT_JUNIPER_MLPPP: 3563 case DLT_JUNIPER_ATM1: 3564 case DLT_JUNIPER_ATM2: 3565 case DLT_JUNIPER_PPPOE: 3566 case DLT_JUNIPER_PPPOE_ATM: 3567 case DLT_JUNIPER_GGSN: 3568 case DLT_JUNIPER_ES: 3569 case DLT_JUNIPER_MONITOR: 3570 case DLT_JUNIPER_SERVICES: 3571 case DLT_JUNIPER_ETHER: 3572 case DLT_JUNIPER_PPP: 3573 case DLT_JUNIPER_FRELAY: 3574 case DLT_JUNIPER_CHDLC: 3575 case DLT_JUNIPER_VP: 3576 case DLT_JUNIPER_ST: 3577 case DLT_JUNIPER_ISM: 3578 case DLT_JUNIPER_VS: 3579 case DLT_JUNIPER_SRX_E2E: 3580 case DLT_JUNIPER_FIBRECHANNEL: 3581 case DLT_JUNIPER_ATM_CEMIC: 3582 3583 /* just lets verify the magic number for now - 3584 * on ATM we may have up to 6 different encapsulations on the wire 3585 * and need a lot of heuristics to figure out that the payload 3586 * might be; 3587 * 3588 * FIXME encapsulation specific BPF_ filters 3589 */ 3590 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3591 3592 case DLT_BACNET_MS_TP: 3593 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000); 3594 3595 case DLT_IPNET: 3596 return gen_ipnet_linktype(cstate, ll_proto); 3597 3598 case DLT_LINUX_IRDA: 3599 bpf_error(cstate, "IrDA link-layer type filtering not implemented"); 3600 3601 case DLT_DOCSIS: 3602 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented"); 3603 3604 case DLT_MTP2: 3605 case DLT_MTP2_WITH_PHDR: 3606 bpf_error(cstate, "MTP2 link-layer type filtering not implemented"); 3607 3608 case DLT_ERF: 3609 bpf_error(cstate, "ERF link-layer type filtering not implemented"); 3610 3611 case DLT_PFSYNC: 3612 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented"); 3613 3614 case DLT_LINUX_LAPD: 3615 bpf_error(cstate, "LAPD link-layer type filtering not implemented"); 3616 3617 case DLT_USB_FREEBSD: 3618 case DLT_USB_LINUX: 3619 case DLT_USB_LINUX_MMAPPED: 3620 case DLT_USBPCAP: 3621 bpf_error(cstate, "USB link-layer type filtering not implemented"); 3622 3623 case DLT_BLUETOOTH_HCI_H4: 3624 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3625 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented"); 3626 3627 case DLT_CAN20B: 3628 case DLT_CAN_SOCKETCAN: 3629 bpf_error(cstate, "CAN link-layer type filtering not implemented"); 3630 3631 case DLT_IEEE802_15_4: 3632 case DLT_IEEE802_15_4_LINUX: 3633 case DLT_IEEE802_15_4_NONASK_PHY: 3634 case DLT_IEEE802_15_4_NOFCS: 3635 case DLT_IEEE802_15_4_TAP: 3636 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented"); 3637 3638 case DLT_IEEE802_16_MAC_CPS_RADIO: 3639 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented"); 3640 3641 case DLT_SITA: 3642 bpf_error(cstate, "SITA link-layer type filtering not implemented"); 3643 3644 case DLT_RAIF1: 3645 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented"); 3646 3647 case DLT_IPMB_KONTRON: 3648 case DLT_IPMB_LINUX: 3649 bpf_error(cstate, "IPMB link-layer type filtering not implemented"); 3650 3651 case DLT_AX25_KISS: 3652 bpf_error(cstate, "AX.25 link-layer type filtering not implemented"); 3653 3654 case DLT_NFLOG: 3655 /* Using the fixed-size NFLOG header it is possible to tell only 3656 * the address family of the packet, other meaningful data is 3657 * either missing or behind TLVs. 3658 */ 3659 bpf_error(cstate, "NFLOG link-layer type filtering not implemented"); 3660 3661 default: 3662 /* 3663 * Does this link-layer header type have a field 3664 * indicating the type of the next protocol? If 3665 * so, off_linktype.constant_part will be the offset of that 3666 * field in the packet; if not, it will be OFFSET_NOT_SET. 3667 */ 3668 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) { 3669 /* 3670 * Yes; assume it's an Ethernet type. (If 3671 * it's not, it needs to be handled specially 3672 * above.) 3673 */ 3674 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto); 3675 /*NOTREACHED */ 3676 } else { 3677 /* 3678 * No; report an error. 3679 */ 3680 description = pcap_datalink_val_to_description_or_dlt(cstate->linktype); 3681 bpf_error(cstate, "%s link-layer type filtering not implemented", 3682 description); 3683 /*NOTREACHED */ 3684 } 3685 } 3686 } 3687 3688 /* 3689 * Check for an LLC SNAP packet with a given organization code and 3690 * protocol type; we check the entire contents of the 802.2 LLC and 3691 * snap headers, checking for DSAP and SSAP of SNAP and a control 3692 * field of 0x03 in the LLC header, and for the specified organization 3693 * code and protocol type in the SNAP header. 3694 */ 3695 static struct block * 3696 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype) 3697 { 3698 u_char snapblock[8]; 3699 3700 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3701 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3702 snapblock[2] = 0x03; /* control = UI */ 3703 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */ 3704 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */ 3705 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */ 3706 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */ 3707 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */ 3708 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock); 3709 } 3710 3711 /* 3712 * Generate code to match frames with an LLC header. 3713 */ 3714 static struct block * 3715 gen_llc_internal(compiler_state_t *cstate) 3716 { 3717 struct block *b0, *b1; 3718 3719 switch (cstate->linktype) { 3720 3721 case DLT_EN10MB: 3722 /* 3723 * We check for an Ethernet type field less than 3724 * 1500, which means it's an 802.3 length field. 3725 */ 3726 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 3727 gen_not(b0); 3728 3729 /* 3730 * Now check for the purported DSAP and SSAP not being 3731 * 0xFF, to rule out NetWare-over-802.3. 3732 */ 3733 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF); 3734 gen_not(b1); 3735 gen_and(b0, b1); 3736 return b1; 3737 3738 case DLT_SUNATM: 3739 /* 3740 * We check for LLC traffic. 3741 */ 3742 b0 = gen_atmtype_llc(cstate); 3743 return b0; 3744 3745 case DLT_IEEE802: /* Token Ring */ 3746 /* 3747 * XXX - check for LLC frames. 3748 */ 3749 return gen_true(cstate); 3750 3751 case DLT_FDDI: 3752 /* 3753 * XXX - check for LLC frames. 3754 */ 3755 return gen_true(cstate); 3756 3757 case DLT_ATM_RFC1483: 3758 /* 3759 * For LLC encapsulation, these are defined to have an 3760 * 802.2 LLC header. 3761 * 3762 * For VC encapsulation, they don't, but there's no 3763 * way to check for that; the protocol used on the VC 3764 * is negotiated out of band. 3765 */ 3766 return gen_true(cstate); 3767 3768 case DLT_IEEE802_11: 3769 case DLT_PRISM_HEADER: 3770 case DLT_IEEE802_11_RADIO: 3771 case DLT_IEEE802_11_RADIO_AVS: 3772 case DLT_PPI: 3773 /* 3774 * Check that we have a data frame. 3775 */ 3776 b0 = gen_check_802_11_data_frame(cstate); 3777 return b0; 3778 3779 default: 3780 bpf_error(cstate, "'llc' not supported for %s", 3781 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 3782 /*NOTREACHED*/ 3783 } 3784 } 3785 3786 struct block * 3787 gen_llc(compiler_state_t *cstate) 3788 { 3789 /* 3790 * Catch errors reported by us and routines below us, and return NULL 3791 * on an error. 3792 */ 3793 if (setjmp(cstate->top_ctx)) 3794 return (NULL); 3795 3796 return gen_llc_internal(cstate); 3797 } 3798 3799 struct block * 3800 gen_llc_i(compiler_state_t *cstate) 3801 { 3802 struct block *b0, *b1; 3803 struct slist *s; 3804 3805 /* 3806 * Catch errors reported by us and routines below us, and return NULL 3807 * on an error. 3808 */ 3809 if (setjmp(cstate->top_ctx)) 3810 return (NULL); 3811 3812 /* 3813 * Check whether this is an LLC frame. 3814 */ 3815 b0 = gen_llc_internal(cstate); 3816 3817 /* 3818 * Load the control byte and test the low-order bit; it must 3819 * be clear for I frames. 3820 */ 3821 s = gen_load_a(cstate, OR_LLC, 2, BPF_B); 3822 b1 = new_block(cstate, JMP(BPF_JSET)); 3823 b1->s.k = 0x01; 3824 b1->stmts = s; 3825 gen_not(b1); 3826 gen_and(b0, b1); 3827 return b1; 3828 } 3829 3830 struct block * 3831 gen_llc_s(compiler_state_t *cstate) 3832 { 3833 struct block *b0, *b1; 3834 3835 /* 3836 * Catch errors reported by us and routines below us, and return NULL 3837 * on an error. 3838 */ 3839 if (setjmp(cstate->top_ctx)) 3840 return (NULL); 3841 3842 /* 3843 * Check whether this is an LLC frame. 3844 */ 3845 b0 = gen_llc_internal(cstate); 3846 3847 /* 3848 * Now compare the low-order 2 bit of the control byte against 3849 * the appropriate value for S frames. 3850 */ 3851 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03); 3852 gen_and(b0, b1); 3853 return b1; 3854 } 3855 3856 struct block * 3857 gen_llc_u(compiler_state_t *cstate) 3858 { 3859 struct block *b0, *b1; 3860 3861 /* 3862 * Catch errors reported by us and routines below us, and return NULL 3863 * on an error. 3864 */ 3865 if (setjmp(cstate->top_ctx)) 3866 return (NULL); 3867 3868 /* 3869 * Check whether this is an LLC frame. 3870 */ 3871 b0 = gen_llc_internal(cstate); 3872 3873 /* 3874 * Now compare the low-order 2 bit of the control byte against 3875 * the appropriate value for U frames. 3876 */ 3877 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03); 3878 gen_and(b0, b1); 3879 return b1; 3880 } 3881 3882 struct block * 3883 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3884 { 3885 struct block *b0, *b1; 3886 3887 /* 3888 * Catch errors reported by us and routines below us, and return NULL 3889 * on an error. 3890 */ 3891 if (setjmp(cstate->top_ctx)) 3892 return (NULL); 3893 3894 /* 3895 * Check whether this is an LLC frame. 3896 */ 3897 b0 = gen_llc_internal(cstate); 3898 3899 /* 3900 * Now check for an S frame with the appropriate type. 3901 */ 3902 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3903 gen_and(b0, b1); 3904 return b1; 3905 } 3906 3907 struct block * 3908 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3909 { 3910 struct block *b0, *b1; 3911 3912 /* 3913 * Catch errors reported by us and routines below us, and return NULL 3914 * on an error. 3915 */ 3916 if (setjmp(cstate->top_ctx)) 3917 return (NULL); 3918 3919 /* 3920 * Check whether this is an LLC frame. 3921 */ 3922 b0 = gen_llc_internal(cstate); 3923 3924 /* 3925 * Now check for a U frame with the appropriate type. 3926 */ 3927 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3928 gen_and(b0, b1); 3929 return b1; 3930 } 3931 3932 /* 3933 * Generate code to match a particular packet type, for link-layer types 3934 * using 802.2 LLC headers. 3935 * 3936 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3937 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3938 * 3939 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3940 * value, if <= ETHERMTU. We use that to determine whether to 3941 * match the DSAP or both DSAP and LSAP or to check the OUI and 3942 * protocol ID in a SNAP header. 3943 */ 3944 static struct block * 3945 gen_llc_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 3946 { 3947 /* 3948 * XXX - handle token-ring variable-length header. 3949 */ 3950 switch (ll_proto) { 3951 3952 case LLCSAP_IP: 3953 case LLCSAP_ISONS: 3954 case LLCSAP_NETBEUI: 3955 /* 3956 * XXX - should we check both the DSAP and the 3957 * SSAP, like this, or should we check just the 3958 * DSAP, as we do for other SAP values? 3959 */ 3960 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32) 3961 ((ll_proto << 8) | ll_proto)); 3962 3963 case LLCSAP_IPX: 3964 /* 3965 * XXX - are there ever SNAP frames for IPX on 3966 * non-Ethernet 802.x networks? 3967 */ 3968 return gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX); 3969 3970 case ETHERTYPE_ATALK: 3971 /* 3972 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3973 * SNAP packets with an organization code of 3974 * 0x080007 (Apple, for Appletalk) and a protocol 3975 * type of ETHERTYPE_ATALK (Appletalk). 3976 * 3977 * XXX - check for an organization code of 3978 * encapsulated Ethernet as well? 3979 */ 3980 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 3981 3982 default: 3983 /* 3984 * XXX - we don't have to check for IPX 802.3 3985 * here, but should we check for the IPX Ethertype? 3986 */ 3987 if (ll_proto <= ETHERMTU) { 3988 /* 3989 * This is an LLC SAP value, so check 3990 * the DSAP. 3991 */ 3992 return gen_cmp(cstate, OR_LLC, 0, BPF_B, ll_proto); 3993 } else { 3994 /* 3995 * This is an Ethernet type; we assume that it's 3996 * unlikely that it'll appear in the right place 3997 * at random, and therefore check only the 3998 * location that would hold the Ethernet type 3999 * in a SNAP frame with an organization code of 4000 * 0x000000 (encapsulated Ethernet). 4001 * 4002 * XXX - if we were to check for the SNAP DSAP and 4003 * LSAP, as per XXX, and were also to check for an 4004 * organization code of 0x000000 (encapsulated 4005 * Ethernet), we'd do 4006 * 4007 * return gen_snap(cstate, 0x000000, ll_proto); 4008 * 4009 * here; for now, we don't, as per the above. 4010 * I don't know whether it's worth the extra CPU 4011 * time to do the right check or not. 4012 */ 4013 return gen_cmp(cstate, OR_LLC, 6, BPF_H, ll_proto); 4014 } 4015 } 4016 } 4017 4018 static struct block * 4019 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 4020 int dir, bpf_u_int32 ll_proto, u_int src_off, u_int dst_off) 4021 { 4022 struct block *b0, *b1; 4023 u_int offset; 4024 4025 switch (dir) { 4026 4027 case Q_SRC: 4028 offset = src_off; 4029 break; 4030 4031 case Q_DST: 4032 offset = dst_off; 4033 break; 4034 4035 case Q_AND: 4036 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off); 4037 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off); 4038 gen_and(b0, b1); 4039 return b1; 4040 4041 case Q_DEFAULT: 4042 case Q_OR: 4043 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off); 4044 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off); 4045 gen_or(b0, b1); 4046 return b1; 4047 4048 case Q_ADDR1: 4049 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4050 /*NOTREACHED*/ 4051 4052 case Q_ADDR2: 4053 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4054 /*NOTREACHED*/ 4055 4056 case Q_ADDR3: 4057 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4058 /*NOTREACHED*/ 4059 4060 case Q_ADDR4: 4061 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4062 /*NOTREACHED*/ 4063 4064 case Q_RA: 4065 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4066 /*NOTREACHED*/ 4067 4068 case Q_TA: 4069 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4070 /*NOTREACHED*/ 4071 4072 default: 4073 abort(); 4074 /*NOTREACHED*/ 4075 } 4076 b0 = gen_linktype(cstate, ll_proto); 4077 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, addr, mask); 4078 gen_and(b0, b1); 4079 return b1; 4080 } 4081 4082 #ifdef INET6 4083 static struct block * 4084 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr, 4085 struct in6_addr *mask, int dir, bpf_u_int32 ll_proto, u_int src_off, 4086 u_int dst_off) 4087 { 4088 struct block *b0, *b1; 4089 u_int offset; 4090 uint32_t *a, *m; 4091 4092 switch (dir) { 4093 4094 case Q_SRC: 4095 offset = src_off; 4096 break; 4097 4098 case Q_DST: 4099 offset = dst_off; 4100 break; 4101 4102 case Q_AND: 4103 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off); 4104 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off); 4105 gen_and(b0, b1); 4106 return b1; 4107 4108 case Q_DEFAULT: 4109 case Q_OR: 4110 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off); 4111 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off); 4112 gen_or(b0, b1); 4113 return b1; 4114 4115 case Q_ADDR1: 4116 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4117 /*NOTREACHED*/ 4118 4119 case Q_ADDR2: 4120 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4121 /*NOTREACHED*/ 4122 4123 case Q_ADDR3: 4124 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4125 /*NOTREACHED*/ 4126 4127 case Q_ADDR4: 4128 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4129 /*NOTREACHED*/ 4130 4131 case Q_RA: 4132 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4133 /*NOTREACHED*/ 4134 4135 case Q_TA: 4136 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4137 /*NOTREACHED*/ 4138 4139 default: 4140 abort(); 4141 /*NOTREACHED*/ 4142 } 4143 /* this order is important */ 4144 a = (uint32_t *)addr; 4145 m = (uint32_t *)mask; 4146 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 4147 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 4148 gen_and(b0, b1); 4149 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 4150 gen_and(b0, b1); 4151 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 4152 gen_and(b0, b1); 4153 b0 = gen_linktype(cstate, ll_proto); 4154 gen_and(b0, b1); 4155 return b1; 4156 } 4157 #endif 4158 4159 static struct block * 4160 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4161 { 4162 register struct block *b0, *b1; 4163 4164 switch (dir) { 4165 case Q_SRC: 4166 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr); 4167 4168 case Q_DST: 4169 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr); 4170 4171 case Q_AND: 4172 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 4173 b1 = gen_ehostop(cstate, eaddr, Q_DST); 4174 gen_and(b0, b1); 4175 return b1; 4176 4177 case Q_DEFAULT: 4178 case Q_OR: 4179 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 4180 b1 = gen_ehostop(cstate, eaddr, Q_DST); 4181 gen_or(b0, b1); 4182 return b1; 4183 4184 case Q_ADDR1: 4185 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers"); 4186 /*NOTREACHED*/ 4187 4188 case Q_ADDR2: 4189 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers"); 4190 /*NOTREACHED*/ 4191 4192 case Q_ADDR3: 4193 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers"); 4194 /*NOTREACHED*/ 4195 4196 case Q_ADDR4: 4197 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers"); 4198 /*NOTREACHED*/ 4199 4200 case Q_RA: 4201 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers"); 4202 /*NOTREACHED*/ 4203 4204 case Q_TA: 4205 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers"); 4206 /*NOTREACHED*/ 4207 } 4208 abort(); 4209 /*NOTREACHED*/ 4210 } 4211 4212 /* 4213 * Like gen_ehostop, but for DLT_FDDI 4214 */ 4215 static struct block * 4216 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4217 { 4218 struct block *b0, *b1; 4219 4220 switch (dir) { 4221 case Q_SRC: 4222 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr); 4223 4224 case Q_DST: 4225 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr); 4226 4227 case Q_AND: 4228 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4229 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4230 gen_and(b0, b1); 4231 return b1; 4232 4233 case Q_DEFAULT: 4234 case Q_OR: 4235 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4236 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4237 gen_or(b0, b1); 4238 return b1; 4239 4240 case Q_ADDR1: 4241 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4242 /*NOTREACHED*/ 4243 4244 case Q_ADDR2: 4245 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4246 /*NOTREACHED*/ 4247 4248 case Q_ADDR3: 4249 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4250 /*NOTREACHED*/ 4251 4252 case Q_ADDR4: 4253 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4254 /*NOTREACHED*/ 4255 4256 case Q_RA: 4257 bpf_error(cstate, "'ra' is only supported on 802.11"); 4258 /*NOTREACHED*/ 4259 4260 case Q_TA: 4261 bpf_error(cstate, "'ta' is only supported on 802.11"); 4262 /*NOTREACHED*/ 4263 } 4264 abort(); 4265 /*NOTREACHED*/ 4266 } 4267 4268 /* 4269 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 4270 */ 4271 static struct block * 4272 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4273 { 4274 register struct block *b0, *b1; 4275 4276 switch (dir) { 4277 case Q_SRC: 4278 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr); 4279 4280 case Q_DST: 4281 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4282 4283 case Q_AND: 4284 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4285 b1 = gen_thostop(cstate, eaddr, Q_DST); 4286 gen_and(b0, b1); 4287 return b1; 4288 4289 case Q_DEFAULT: 4290 case Q_OR: 4291 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4292 b1 = gen_thostop(cstate, eaddr, Q_DST); 4293 gen_or(b0, b1); 4294 return b1; 4295 4296 case Q_ADDR1: 4297 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4298 /*NOTREACHED*/ 4299 4300 case Q_ADDR2: 4301 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4302 /*NOTREACHED*/ 4303 4304 case Q_ADDR3: 4305 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4306 /*NOTREACHED*/ 4307 4308 case Q_ADDR4: 4309 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4310 /*NOTREACHED*/ 4311 4312 case Q_RA: 4313 bpf_error(cstate, "'ra' is only supported on 802.11"); 4314 /*NOTREACHED*/ 4315 4316 case Q_TA: 4317 bpf_error(cstate, "'ta' is only supported on 802.11"); 4318 /*NOTREACHED*/ 4319 } 4320 abort(); 4321 /*NOTREACHED*/ 4322 } 4323 4324 /* 4325 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 4326 * various 802.11 + radio headers. 4327 */ 4328 static struct block * 4329 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4330 { 4331 register struct block *b0, *b1, *b2; 4332 register struct slist *s; 4333 4334 #ifdef ENABLE_WLAN_FILTERING_PATCH 4335 /* 4336 * TODO GV 20070613 4337 * We need to disable the optimizer because the optimizer is buggy 4338 * and wipes out some LD instructions generated by the below 4339 * code to validate the Frame Control bits 4340 */ 4341 cstate->no_optimize = 1; 4342 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 4343 4344 switch (dir) { 4345 case Q_SRC: 4346 /* 4347 * Oh, yuk. 4348 * 4349 * For control frames, there is no SA. 4350 * 4351 * For management frames, SA is at an 4352 * offset of 10 from the beginning of 4353 * the packet. 4354 * 4355 * For data frames, SA is at an offset 4356 * of 10 from the beginning of the packet 4357 * if From DS is clear, at an offset of 4358 * 16 from the beginning of the packet 4359 * if From DS is set and To DS is clear, 4360 * and an offset of 24 from the beginning 4361 * of the packet if From DS is set and To DS 4362 * is set. 4363 */ 4364 4365 /* 4366 * Generate the tests to be done for data frames 4367 * with From DS set. 4368 * 4369 * First, check for To DS set, i.e. check "link[1] & 0x01". 4370 */ 4371 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4372 b1 = new_block(cstate, JMP(BPF_JSET)); 4373 b1->s.k = 0x01; /* To DS */ 4374 b1->stmts = s; 4375 4376 /* 4377 * If To DS is set, the SA is at 24. 4378 */ 4379 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4380 gen_and(b1, b0); 4381 4382 /* 4383 * Now, check for To DS not set, i.e. check 4384 * "!(link[1] & 0x01)". 4385 */ 4386 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4387 b2 = new_block(cstate, JMP(BPF_JSET)); 4388 b2->s.k = 0x01; /* To DS */ 4389 b2->stmts = s; 4390 gen_not(b2); 4391 4392 /* 4393 * If To DS is not set, the SA is at 16. 4394 */ 4395 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4396 gen_and(b2, b1); 4397 4398 /* 4399 * Now OR together the last two checks. That gives 4400 * the complete set of checks for data frames with 4401 * From DS set. 4402 */ 4403 gen_or(b1, b0); 4404 4405 /* 4406 * Now check for From DS being set, and AND that with 4407 * the ORed-together checks. 4408 */ 4409 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4410 b1 = new_block(cstate, JMP(BPF_JSET)); 4411 b1->s.k = 0x02; /* From DS */ 4412 b1->stmts = s; 4413 gen_and(b1, b0); 4414 4415 /* 4416 * Now check for data frames with From DS not set. 4417 */ 4418 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4419 b2 = new_block(cstate, JMP(BPF_JSET)); 4420 b2->s.k = 0x02; /* From DS */ 4421 b2->stmts = s; 4422 gen_not(b2); 4423 4424 /* 4425 * If From DS isn't set, the SA is at 10. 4426 */ 4427 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4428 gen_and(b2, b1); 4429 4430 /* 4431 * Now OR together the checks for data frames with 4432 * From DS not set and for data frames with From DS 4433 * set; that gives the checks done for data frames. 4434 */ 4435 gen_or(b1, b0); 4436 4437 /* 4438 * Now check for a data frame. 4439 * I.e, check "link[0] & 0x08". 4440 */ 4441 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4442 b1 = new_block(cstate, JMP(BPF_JSET)); 4443 b1->s.k = 0x08; 4444 b1->stmts = s; 4445 4446 /* 4447 * AND that with the checks done for data frames. 4448 */ 4449 gen_and(b1, b0); 4450 4451 /* 4452 * If the high-order bit of the type value is 0, this 4453 * is a management frame. 4454 * I.e, check "!(link[0] & 0x08)". 4455 */ 4456 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4457 b2 = new_block(cstate, JMP(BPF_JSET)); 4458 b2->s.k = 0x08; 4459 b2->stmts = s; 4460 gen_not(b2); 4461 4462 /* 4463 * For management frames, the SA is at 10. 4464 */ 4465 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4466 gen_and(b2, b1); 4467 4468 /* 4469 * OR that with the checks done for data frames. 4470 * That gives the checks done for management and 4471 * data frames. 4472 */ 4473 gen_or(b1, b0); 4474 4475 /* 4476 * If the low-order bit of the type value is 1, 4477 * this is either a control frame or a frame 4478 * with a reserved type, and thus not a 4479 * frame with an SA. 4480 * 4481 * I.e., check "!(link[0] & 0x04)". 4482 */ 4483 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4484 b1 = new_block(cstate, JMP(BPF_JSET)); 4485 b1->s.k = 0x04; 4486 b1->stmts = s; 4487 gen_not(b1); 4488 4489 /* 4490 * AND that with the checks for data and management 4491 * frames. 4492 */ 4493 gen_and(b1, b0); 4494 return b0; 4495 4496 case Q_DST: 4497 /* 4498 * Oh, yuk. 4499 * 4500 * For control frames, there is no DA. 4501 * 4502 * For management frames, DA is at an 4503 * offset of 4 from the beginning of 4504 * the packet. 4505 * 4506 * For data frames, DA is at an offset 4507 * of 4 from the beginning of the packet 4508 * if To DS is clear and at an offset of 4509 * 16 from the beginning of the packet 4510 * if To DS is set. 4511 */ 4512 4513 /* 4514 * Generate the tests to be done for data frames. 4515 * 4516 * First, check for To DS set, i.e. "link[1] & 0x01". 4517 */ 4518 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4519 b1 = new_block(cstate, JMP(BPF_JSET)); 4520 b1->s.k = 0x01; /* To DS */ 4521 b1->stmts = s; 4522 4523 /* 4524 * If To DS is set, the DA is at 16. 4525 */ 4526 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4527 gen_and(b1, b0); 4528 4529 /* 4530 * Now, check for To DS not set, i.e. check 4531 * "!(link[1] & 0x01)". 4532 */ 4533 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4534 b2 = new_block(cstate, JMP(BPF_JSET)); 4535 b2->s.k = 0x01; /* To DS */ 4536 b2->stmts = s; 4537 gen_not(b2); 4538 4539 /* 4540 * If To DS is not set, the DA is at 4. 4541 */ 4542 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4543 gen_and(b2, b1); 4544 4545 /* 4546 * Now OR together the last two checks. That gives 4547 * the complete set of checks for data frames. 4548 */ 4549 gen_or(b1, b0); 4550 4551 /* 4552 * Now check for a data frame. 4553 * I.e, check "link[0] & 0x08". 4554 */ 4555 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4556 b1 = new_block(cstate, JMP(BPF_JSET)); 4557 b1->s.k = 0x08; 4558 b1->stmts = s; 4559 4560 /* 4561 * AND that with the checks done for data frames. 4562 */ 4563 gen_and(b1, b0); 4564 4565 /* 4566 * If the high-order bit of the type value is 0, this 4567 * is a management frame. 4568 * I.e, check "!(link[0] & 0x08)". 4569 */ 4570 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4571 b2 = new_block(cstate, JMP(BPF_JSET)); 4572 b2->s.k = 0x08; 4573 b2->stmts = s; 4574 gen_not(b2); 4575 4576 /* 4577 * For management frames, the DA is at 4. 4578 */ 4579 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4580 gen_and(b2, b1); 4581 4582 /* 4583 * OR that with the checks done for data frames. 4584 * That gives the checks done for management and 4585 * data frames. 4586 */ 4587 gen_or(b1, b0); 4588 4589 /* 4590 * If the low-order bit of the type value is 1, 4591 * this is either a control frame or a frame 4592 * with a reserved type, and thus not a 4593 * frame with an SA. 4594 * 4595 * I.e., check "!(link[0] & 0x04)". 4596 */ 4597 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4598 b1 = new_block(cstate, JMP(BPF_JSET)); 4599 b1->s.k = 0x04; 4600 b1->stmts = s; 4601 gen_not(b1); 4602 4603 /* 4604 * AND that with the checks for data and management 4605 * frames. 4606 */ 4607 gen_and(b1, b0); 4608 return b0; 4609 4610 case Q_AND: 4611 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4612 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4613 gen_and(b0, b1); 4614 return b1; 4615 4616 case Q_DEFAULT: 4617 case Q_OR: 4618 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4619 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4620 gen_or(b0, b1); 4621 return b1; 4622 4623 /* 4624 * XXX - add BSSID keyword? 4625 */ 4626 case Q_ADDR1: 4627 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr)); 4628 4629 case Q_ADDR2: 4630 /* 4631 * Not present in CTS or ACK control frames. 4632 */ 4633 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4634 IEEE80211_FC0_TYPE_MASK); 4635 gen_not(b0); 4636 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4637 IEEE80211_FC0_SUBTYPE_MASK); 4638 gen_not(b1); 4639 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4640 IEEE80211_FC0_SUBTYPE_MASK); 4641 gen_not(b2); 4642 gen_and(b1, b2); 4643 gen_or(b0, b2); 4644 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4645 gen_and(b2, b1); 4646 return b1; 4647 4648 case Q_ADDR3: 4649 /* 4650 * Not present in control frames. 4651 */ 4652 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4653 IEEE80211_FC0_TYPE_MASK); 4654 gen_not(b0); 4655 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4656 gen_and(b0, b1); 4657 return b1; 4658 4659 case Q_ADDR4: 4660 /* 4661 * Present only if the direction mask has both "From DS" 4662 * and "To DS" set. Neither control frames nor management 4663 * frames should have both of those set, so we don't 4664 * check the frame type. 4665 */ 4666 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, 4667 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4668 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4669 gen_and(b0, b1); 4670 return b1; 4671 4672 case Q_RA: 4673 /* 4674 * Not present in management frames; addr1 in other 4675 * frames. 4676 */ 4677 4678 /* 4679 * If the high-order bit of the type value is 0, this 4680 * is a management frame. 4681 * I.e, check "(link[0] & 0x08)". 4682 */ 4683 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4684 b1 = new_block(cstate, JMP(BPF_JSET)); 4685 b1->s.k = 0x08; 4686 b1->stmts = s; 4687 4688 /* 4689 * Check addr1. 4690 */ 4691 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4692 4693 /* 4694 * AND that with the check of addr1. 4695 */ 4696 gen_and(b1, b0); 4697 return (b0); 4698 4699 case Q_TA: 4700 /* 4701 * Not present in management frames; addr2, if present, 4702 * in other frames. 4703 */ 4704 4705 /* 4706 * Not present in CTS or ACK control frames. 4707 */ 4708 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4709 IEEE80211_FC0_TYPE_MASK); 4710 gen_not(b0); 4711 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4712 IEEE80211_FC0_SUBTYPE_MASK); 4713 gen_not(b1); 4714 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4715 IEEE80211_FC0_SUBTYPE_MASK); 4716 gen_not(b2); 4717 gen_and(b1, b2); 4718 gen_or(b0, b2); 4719 4720 /* 4721 * If the high-order bit of the type value is 0, this 4722 * is a management frame. 4723 * I.e, check "(link[0] & 0x08)". 4724 */ 4725 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4726 b1 = new_block(cstate, JMP(BPF_JSET)); 4727 b1->s.k = 0x08; 4728 b1->stmts = s; 4729 4730 /* 4731 * AND that with the check for frames other than 4732 * CTS and ACK frames. 4733 */ 4734 gen_and(b1, b2); 4735 4736 /* 4737 * Check addr2. 4738 */ 4739 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4740 gen_and(b2, b1); 4741 return b1; 4742 } 4743 abort(); 4744 /*NOTREACHED*/ 4745 } 4746 4747 /* 4748 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4749 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4750 * as the RFC states.) 4751 */ 4752 static struct block * 4753 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4754 { 4755 register struct block *b0, *b1; 4756 4757 switch (dir) { 4758 case Q_SRC: 4759 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4760 4761 case Q_DST: 4762 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4763 4764 case Q_AND: 4765 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4766 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4767 gen_and(b0, b1); 4768 return b1; 4769 4770 case Q_DEFAULT: 4771 case Q_OR: 4772 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4773 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4774 gen_or(b0, b1); 4775 return b1; 4776 4777 case Q_ADDR1: 4778 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4779 /*NOTREACHED*/ 4780 4781 case Q_ADDR2: 4782 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4783 /*NOTREACHED*/ 4784 4785 case Q_ADDR3: 4786 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4787 /*NOTREACHED*/ 4788 4789 case Q_ADDR4: 4790 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4791 /*NOTREACHED*/ 4792 4793 case Q_RA: 4794 bpf_error(cstate, "'ra' is only supported on 802.11"); 4795 /*NOTREACHED*/ 4796 4797 case Q_TA: 4798 bpf_error(cstate, "'ta' is only supported on 802.11"); 4799 /*NOTREACHED*/ 4800 } 4801 abort(); 4802 /*NOTREACHED*/ 4803 } 4804 4805 /* 4806 * This is quite tricky because there may be pad bytes in front of the 4807 * DECNET header, and then there are two possible data packet formats that 4808 * carry both src and dst addresses, plus 5 packet types in a format that 4809 * carries only the src node, plus 2 types that use a different format and 4810 * also carry just the src node. 4811 * 4812 * Yuck. 4813 * 4814 * Instead of doing those all right, we just look for data packets with 4815 * 0 or 1 bytes of padding. If you want to look at other packets, that 4816 * will require a lot more hacking. 4817 * 4818 * To add support for filtering on DECNET "areas" (network numbers) 4819 * one would want to add a "mask" argument to this routine. That would 4820 * make the filter even more inefficient, although one could be clever 4821 * and not generate masking instructions if the mask is 0xFFFF. 4822 */ 4823 static struct block * 4824 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir) 4825 { 4826 struct block *b0, *b1, *b2, *tmp; 4827 u_int offset_lh; /* offset if long header is received */ 4828 u_int offset_sh; /* offset if short header is received */ 4829 4830 switch (dir) { 4831 4832 case Q_DST: 4833 offset_sh = 1; /* follows flags */ 4834 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4835 break; 4836 4837 case Q_SRC: 4838 offset_sh = 3; /* follows flags, dstnode */ 4839 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4840 break; 4841 4842 case Q_AND: 4843 /* Inefficient because we do our Calvinball dance twice */ 4844 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4845 b1 = gen_dnhostop(cstate, addr, Q_DST); 4846 gen_and(b0, b1); 4847 return b1; 4848 4849 case Q_DEFAULT: 4850 case Q_OR: 4851 /* Inefficient because we do our Calvinball dance twice */ 4852 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4853 b1 = gen_dnhostop(cstate, addr, Q_DST); 4854 gen_or(b0, b1); 4855 return b1; 4856 4857 case Q_ADDR1: 4858 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4859 /*NOTREACHED*/ 4860 4861 case Q_ADDR2: 4862 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4863 /*NOTREACHED*/ 4864 4865 case Q_ADDR3: 4866 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4867 /*NOTREACHED*/ 4868 4869 case Q_ADDR4: 4870 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4871 /*NOTREACHED*/ 4872 4873 case Q_RA: 4874 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4875 /*NOTREACHED*/ 4876 4877 case Q_TA: 4878 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4879 /*NOTREACHED*/ 4880 4881 default: 4882 abort(); 4883 /*NOTREACHED*/ 4884 } 4885 b0 = gen_linktype(cstate, ETHERTYPE_DN); 4886 /* Check for pad = 1, long header case */ 4887 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4888 (bpf_u_int32)ntohs(0x0681), (bpf_u_int32)ntohs(0x07FF)); 4889 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh, 4890 BPF_H, (bpf_u_int32)ntohs((u_short)addr)); 4891 gen_and(tmp, b1); 4892 /* Check for pad = 0, long header case */ 4893 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x06, 4894 (bpf_u_int32)0x7); 4895 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, 4896 (bpf_u_int32)ntohs((u_short)addr)); 4897 gen_and(tmp, b2); 4898 gen_or(b2, b1); 4899 /* Check for pad = 1, short header case */ 4900 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4901 (bpf_u_int32)ntohs(0x0281), (bpf_u_int32)ntohs(0x07FF)); 4902 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, 4903 (bpf_u_int32)ntohs((u_short)addr)); 4904 gen_and(tmp, b2); 4905 gen_or(b2, b1); 4906 /* Check for pad = 0, short header case */ 4907 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x02, 4908 (bpf_u_int32)0x7); 4909 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, 4910 (bpf_u_int32)ntohs((u_short)addr)); 4911 gen_and(tmp, b2); 4912 gen_or(b2, b1); 4913 4914 /* Combine with test for cstate->linktype */ 4915 gen_and(b0, b1); 4916 return b1; 4917 } 4918 4919 /* 4920 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4921 * test the bottom-of-stack bit, and then check the version number 4922 * field in the IP header. 4923 */ 4924 static struct block * 4925 gen_mpls_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto) 4926 { 4927 struct block *b0, *b1; 4928 4929 switch (ll_proto) { 4930 4931 case ETHERTYPE_IP: 4932 /* match the bottom-of-stack bit */ 4933 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4934 /* match the IPv4 version number */ 4935 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0); 4936 gen_and(b0, b1); 4937 return b1; 4938 4939 case ETHERTYPE_IPV6: 4940 /* match the bottom-of-stack bit */ 4941 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4942 /* match the IPv4 version number */ 4943 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0); 4944 gen_and(b0, b1); 4945 return b1; 4946 4947 default: 4948 /* FIXME add other L3 proto IDs */ 4949 bpf_error(cstate, "unsupported protocol over mpls"); 4950 /*NOTREACHED*/ 4951 } 4952 } 4953 4954 static struct block * 4955 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 4956 int proto, int dir, int type) 4957 { 4958 struct block *b0, *b1; 4959 const char *typestr; 4960 4961 if (type == Q_NET) 4962 typestr = "net"; 4963 else 4964 typestr = "host"; 4965 4966 switch (proto) { 4967 4968 case Q_DEFAULT: 4969 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type); 4970 /* 4971 * Only check for non-IPv4 addresses if we're not 4972 * checking MPLS-encapsulated packets. 4973 */ 4974 if (cstate->label_stack_depth == 0) { 4975 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type); 4976 gen_or(b0, b1); 4977 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type); 4978 gen_or(b1, b0); 4979 } 4980 return b0; 4981 4982 case Q_LINK: 4983 bpf_error(cstate, "link-layer modifier applied to %s", typestr); 4984 4985 case Q_IP: 4986 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16); 4987 4988 case Q_RARP: 4989 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4990 4991 case Q_ARP: 4992 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4993 4994 case Q_SCTP: 4995 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4996 4997 case Q_TCP: 4998 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4999 5000 case Q_UDP: 5001 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 5002 5003 case Q_ICMP: 5004 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 5005 5006 case Q_IGMP: 5007 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 5008 5009 case Q_IGRP: 5010 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 5011 5012 case Q_ATALK: 5013 bpf_error(cstate, "AppleTalk host filtering not implemented"); 5014 5015 case Q_DECNET: 5016 return gen_dnhostop(cstate, addr, dir); 5017 5018 case Q_LAT: 5019 bpf_error(cstate, "LAT host filtering not implemented"); 5020 5021 case Q_SCA: 5022 bpf_error(cstate, "SCA host filtering not implemented"); 5023 5024 case Q_MOPRC: 5025 bpf_error(cstate, "MOPRC host filtering not implemented"); 5026 5027 case Q_MOPDL: 5028 bpf_error(cstate, "MOPDL host filtering not implemented"); 5029 5030 case Q_IPV6: 5031 bpf_error(cstate, "'ip6' modifier applied to ip host"); 5032 5033 case Q_ICMPV6: 5034 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 5035 5036 case Q_AH: 5037 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 5038 5039 case Q_ESP: 5040 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 5041 5042 case Q_PIM: 5043 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 5044 5045 case Q_VRRP: 5046 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 5047 5048 case Q_AARP: 5049 bpf_error(cstate, "AARP host filtering not implemented"); 5050 5051 case Q_ISO: 5052 bpf_error(cstate, "ISO host filtering not implemented"); 5053 5054 case Q_ESIS: 5055 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 5056 5057 case Q_ISIS: 5058 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 5059 5060 case Q_CLNP: 5061 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 5062 5063 case Q_STP: 5064 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 5065 5066 case Q_IPX: 5067 bpf_error(cstate, "IPX host filtering not implemented"); 5068 5069 case Q_NETBEUI: 5070 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 5071 5072 case Q_ISIS_L1: 5073 bpf_error(cstate, "'l1' modifier applied to %s", typestr); 5074 5075 case Q_ISIS_L2: 5076 bpf_error(cstate, "'l2' modifier applied to %s", typestr); 5077 5078 case Q_ISIS_IIH: 5079 bpf_error(cstate, "'iih' modifier applied to %s", typestr); 5080 5081 case Q_ISIS_SNP: 5082 bpf_error(cstate, "'snp' modifier applied to %s", typestr); 5083 5084 case Q_ISIS_CSNP: 5085 bpf_error(cstate, "'csnp' modifier applied to %s", typestr); 5086 5087 case Q_ISIS_PSNP: 5088 bpf_error(cstate, "'psnp' modifier applied to %s", typestr); 5089 5090 case Q_ISIS_LSP: 5091 bpf_error(cstate, "'lsp' modifier applied to %s", typestr); 5092 5093 case Q_RADIO: 5094 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 5095 5096 case Q_CARP: 5097 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 5098 5099 default: 5100 abort(); 5101 } 5102 /*NOTREACHED*/ 5103 } 5104 5105 #ifdef INET6 5106 static struct block * 5107 gen_host6(compiler_state_t *cstate, struct in6_addr *addr, 5108 struct in6_addr *mask, int proto, int dir, int type) 5109 { 5110 const char *typestr; 5111 5112 if (type == Q_NET) 5113 typestr = "net"; 5114 else 5115 typestr = "host"; 5116 5117 switch (proto) { 5118 5119 case Q_DEFAULT: 5120 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type); 5121 5122 case Q_LINK: 5123 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr); 5124 5125 case Q_IP: 5126 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr); 5127 5128 case Q_RARP: 5129 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr); 5130 5131 case Q_ARP: 5132 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr); 5133 5134 case Q_SCTP: 5135 bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr); 5136 5137 case Q_TCP: 5138 bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr); 5139 5140 case Q_UDP: 5141 bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr); 5142 5143 case Q_ICMP: 5144 bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr); 5145 5146 case Q_IGMP: 5147 bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr); 5148 5149 case Q_IGRP: 5150 bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr); 5151 5152 case Q_ATALK: 5153 bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr); 5154 5155 case Q_DECNET: 5156 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr); 5157 5158 case Q_LAT: 5159 bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr); 5160 5161 case Q_SCA: 5162 bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr); 5163 5164 case Q_MOPRC: 5165 bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr); 5166 5167 case Q_MOPDL: 5168 bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr); 5169 5170 case Q_IPV6: 5171 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 5172 5173 case Q_ICMPV6: 5174 bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr); 5175 5176 case Q_AH: 5177 bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr); 5178 5179 case Q_ESP: 5180 bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr); 5181 5182 case Q_PIM: 5183 bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr); 5184 5185 case Q_VRRP: 5186 bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr); 5187 5188 case Q_AARP: 5189 bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr); 5190 5191 case Q_ISO: 5192 bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr); 5193 5194 case Q_ESIS: 5195 bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr); 5196 5197 case Q_ISIS: 5198 bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr); 5199 5200 case Q_CLNP: 5201 bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr); 5202 5203 case Q_STP: 5204 bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr); 5205 5206 case Q_IPX: 5207 bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr); 5208 5209 case Q_NETBEUI: 5210 bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr); 5211 5212 case Q_ISIS_L1: 5213 bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr); 5214 5215 case Q_ISIS_L2: 5216 bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr); 5217 5218 case Q_ISIS_IIH: 5219 bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr); 5220 5221 case Q_ISIS_SNP: 5222 bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr); 5223 5224 case Q_ISIS_CSNP: 5225 bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr); 5226 5227 case Q_ISIS_PSNP: 5228 bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr); 5229 5230 case Q_ISIS_LSP: 5231 bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr); 5232 5233 case Q_RADIO: 5234 bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr); 5235 5236 case Q_CARP: 5237 bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr); 5238 5239 default: 5240 abort(); 5241 } 5242 /*NOTREACHED*/ 5243 } 5244 #endif 5245 5246 #ifndef INET6 5247 static struct block * 5248 gen_gateway(compiler_state_t *cstate, const u_char *eaddr, 5249 struct addrinfo *alist, int proto, int dir) 5250 { 5251 struct block *b0, *b1, *tmp; 5252 struct addrinfo *ai; 5253 struct sockaddr_in *sin; 5254 5255 if (dir != 0) 5256 bpf_error(cstate, "direction applied to 'gateway'"); 5257 5258 switch (proto) { 5259 case Q_DEFAULT: 5260 case Q_IP: 5261 case Q_ARP: 5262 case Q_RARP: 5263 switch (cstate->linktype) { 5264 case DLT_EN10MB: 5265 case DLT_NETANALYZER: 5266 case DLT_NETANALYZER_TRANSPARENT: 5267 b1 = gen_prevlinkhdr_check(cstate); 5268 b0 = gen_ehostop(cstate, eaddr, Q_OR); 5269 if (b1 != NULL) 5270 gen_and(b1, b0); 5271 break; 5272 case DLT_FDDI: 5273 b0 = gen_fhostop(cstate, eaddr, Q_OR); 5274 break; 5275 case DLT_IEEE802: 5276 b0 = gen_thostop(cstate, eaddr, Q_OR); 5277 break; 5278 case DLT_IEEE802_11: 5279 case DLT_PRISM_HEADER: 5280 case DLT_IEEE802_11_RADIO_AVS: 5281 case DLT_IEEE802_11_RADIO: 5282 case DLT_PPI: 5283 b0 = gen_wlanhostop(cstate, eaddr, Q_OR); 5284 break; 5285 case DLT_SUNATM: 5286 /* 5287 * This is LLC-multiplexed traffic; if it were 5288 * LANE, cstate->linktype would have been set to 5289 * DLT_EN10MB. 5290 */ 5291 bpf_error(cstate, 5292 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5293 break; 5294 case DLT_IP_OVER_FC: 5295 b0 = gen_ipfchostop(cstate, eaddr, Q_OR); 5296 break; 5297 default: 5298 bpf_error(cstate, 5299 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5300 } 5301 b1 = NULL; 5302 for (ai = alist; ai != NULL; ai = ai->ai_next) { 5303 /* 5304 * Does it have an address? 5305 */ 5306 if (ai->ai_addr != NULL) { 5307 /* 5308 * Yes. Is it an IPv4 address? 5309 */ 5310 if (ai->ai_addr->sa_family == AF_INET) { 5311 /* 5312 * Generate an entry for it. 5313 */ 5314 sin = (struct sockaddr_in *)ai->ai_addr; 5315 tmp = gen_host(cstate, 5316 ntohl(sin->sin_addr.s_addr), 5317 0xffffffff, proto, Q_OR, Q_HOST); 5318 /* 5319 * Is it the *first* IPv4 address? 5320 */ 5321 if (b1 == NULL) { 5322 /* 5323 * Yes, so start with it. 5324 */ 5325 b1 = tmp; 5326 } else { 5327 /* 5328 * No, so OR it into the 5329 * existing set of 5330 * addresses. 5331 */ 5332 gen_or(b1, tmp); 5333 b1 = tmp; 5334 } 5335 } 5336 } 5337 } 5338 if (b1 == NULL) { 5339 /* 5340 * No IPv4 addresses found. 5341 */ 5342 return (NULL); 5343 } 5344 gen_not(b1); 5345 gen_and(b0, b1); 5346 return b1; 5347 } 5348 bpf_error(cstate, "illegal modifier of 'gateway'"); 5349 /*NOTREACHED*/ 5350 } 5351 #endif 5352 5353 static struct block * 5354 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto) 5355 { 5356 struct block *b0; 5357 struct block *b1; 5358 5359 switch (proto) { 5360 5361 case Q_SCTP: 5362 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_DEFAULT, Q_DEFAULT); 5363 break; 5364 5365 case Q_TCP: 5366 b1 = gen_proto(cstate, IPPROTO_TCP, Q_DEFAULT, Q_DEFAULT); 5367 break; 5368 5369 case Q_UDP: 5370 b1 = gen_proto(cstate, IPPROTO_UDP, Q_DEFAULT, Q_DEFAULT); 5371 break; 5372 5373 case Q_ICMP: 5374 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT); 5375 break; 5376 5377 #ifndef IPPROTO_IGMP 5378 #define IPPROTO_IGMP 2 5379 #endif 5380 5381 case Q_IGMP: 5382 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT); 5383 break; 5384 5385 #ifndef IPPROTO_IGRP 5386 #define IPPROTO_IGRP 9 5387 #endif 5388 case Q_IGRP: 5389 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT); 5390 break; 5391 5392 #ifndef IPPROTO_PIM 5393 #define IPPROTO_PIM 103 5394 #endif 5395 5396 case Q_PIM: 5397 b1 = gen_proto(cstate, IPPROTO_PIM, Q_DEFAULT, Q_DEFAULT); 5398 break; 5399 5400 #ifndef IPPROTO_VRRP 5401 #define IPPROTO_VRRP 112 5402 #endif 5403 5404 case Q_VRRP: 5405 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT); 5406 break; 5407 5408 #ifndef IPPROTO_CARP 5409 #define IPPROTO_CARP 112 5410 #endif 5411 5412 case Q_CARP: 5413 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT); 5414 break; 5415 5416 case Q_IP: 5417 b1 = gen_linktype(cstate, ETHERTYPE_IP); 5418 break; 5419 5420 case Q_ARP: 5421 b1 = gen_linktype(cstate, ETHERTYPE_ARP); 5422 break; 5423 5424 case Q_RARP: 5425 b1 = gen_linktype(cstate, ETHERTYPE_REVARP); 5426 break; 5427 5428 case Q_LINK: 5429 bpf_error(cstate, "link layer applied in wrong context"); 5430 5431 case Q_ATALK: 5432 b1 = gen_linktype(cstate, ETHERTYPE_ATALK); 5433 break; 5434 5435 case Q_AARP: 5436 b1 = gen_linktype(cstate, ETHERTYPE_AARP); 5437 break; 5438 5439 case Q_DECNET: 5440 b1 = gen_linktype(cstate, ETHERTYPE_DN); 5441 break; 5442 5443 case Q_SCA: 5444 b1 = gen_linktype(cstate, ETHERTYPE_SCA); 5445 break; 5446 5447 case Q_LAT: 5448 b1 = gen_linktype(cstate, ETHERTYPE_LAT); 5449 break; 5450 5451 case Q_MOPDL: 5452 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL); 5453 break; 5454 5455 case Q_MOPRC: 5456 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC); 5457 break; 5458 5459 case Q_IPV6: 5460 b1 = gen_linktype(cstate, ETHERTYPE_IPV6); 5461 break; 5462 5463 #ifndef IPPROTO_ICMPV6 5464 #define IPPROTO_ICMPV6 58 5465 #endif 5466 case Q_ICMPV6: 5467 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 5468 break; 5469 5470 #ifndef IPPROTO_AH 5471 #define IPPROTO_AH 51 5472 #endif 5473 case Q_AH: 5474 b1 = gen_proto(cstate, IPPROTO_AH, Q_DEFAULT, Q_DEFAULT); 5475 break; 5476 5477 #ifndef IPPROTO_ESP 5478 #define IPPROTO_ESP 50 5479 #endif 5480 case Q_ESP: 5481 b1 = gen_proto(cstate, IPPROTO_ESP, Q_DEFAULT, Q_DEFAULT); 5482 break; 5483 5484 case Q_ISO: 5485 b1 = gen_linktype(cstate, LLCSAP_ISONS); 5486 break; 5487 5488 case Q_ESIS: 5489 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT); 5490 break; 5491 5492 case Q_ISIS: 5493 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5494 break; 5495 5496 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5497 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5498 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5499 gen_or(b0, b1); 5500 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5501 gen_or(b0, b1); 5502 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5503 gen_or(b0, b1); 5504 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5505 gen_or(b0, b1); 5506 break; 5507 5508 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5509 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5510 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5511 gen_or(b0, b1); 5512 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5513 gen_or(b0, b1); 5514 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5515 gen_or(b0, b1); 5516 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5517 gen_or(b0, b1); 5518 break; 5519 5520 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5521 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5522 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5523 gen_or(b0, b1); 5524 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5525 gen_or(b0, b1); 5526 break; 5527 5528 case Q_ISIS_LSP: 5529 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5530 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5531 gen_or(b0, b1); 5532 break; 5533 5534 case Q_ISIS_SNP: 5535 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5536 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5537 gen_or(b0, b1); 5538 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5539 gen_or(b0, b1); 5540 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5541 gen_or(b0, b1); 5542 break; 5543 5544 case Q_ISIS_CSNP: 5545 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5546 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5547 gen_or(b0, b1); 5548 break; 5549 5550 case Q_ISIS_PSNP: 5551 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5552 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5553 gen_or(b0, b1); 5554 break; 5555 5556 case Q_CLNP: 5557 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5558 break; 5559 5560 case Q_STP: 5561 b1 = gen_linktype(cstate, LLCSAP_8021D); 5562 break; 5563 5564 case Q_IPX: 5565 b1 = gen_linktype(cstate, LLCSAP_IPX); 5566 break; 5567 5568 case Q_NETBEUI: 5569 b1 = gen_linktype(cstate, LLCSAP_NETBEUI); 5570 break; 5571 5572 case Q_RADIO: 5573 bpf_error(cstate, "'radio' is not a valid protocol type"); 5574 5575 default: 5576 abort(); 5577 } 5578 return b1; 5579 } 5580 5581 struct block * 5582 gen_proto_abbrev(compiler_state_t *cstate, int proto) 5583 { 5584 /* 5585 * Catch errors reported by us and routines below us, and return NULL 5586 * on an error. 5587 */ 5588 if (setjmp(cstate->top_ctx)) 5589 return (NULL); 5590 5591 return gen_proto_abbrev_internal(cstate, proto); 5592 } 5593 5594 static struct block * 5595 gen_ipfrag(compiler_state_t *cstate) 5596 { 5597 struct slist *s; 5598 struct block *b; 5599 5600 /* not IPv4 frag other than the first frag */ 5601 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H); 5602 b = new_block(cstate, JMP(BPF_JSET)); 5603 b->s.k = 0x1fff; 5604 b->stmts = s; 5605 gen_not(b); 5606 5607 return b; 5608 } 5609 5610 /* 5611 * Generate a comparison to a port value in the transport-layer header 5612 * at the specified offset from the beginning of that header. 5613 * 5614 * XXX - this handles a variable-length prefix preceding the link-layer 5615 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5616 * variable-length link-layer headers (such as Token Ring or 802.11 5617 * headers). 5618 */ 5619 static struct block * 5620 gen_portatom(compiler_state_t *cstate, int off, bpf_u_int32 v) 5621 { 5622 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v); 5623 } 5624 5625 static struct block * 5626 gen_portatom6(compiler_state_t *cstate, int off, bpf_u_int32 v) 5627 { 5628 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v); 5629 } 5630 5631 static struct block * 5632 gen_portop(compiler_state_t *cstate, u_int port, u_int proto, int dir) 5633 { 5634 struct block *b0, *b1, *tmp; 5635 5636 /* ip proto 'proto' and not a fragment other than the first fragment */ 5637 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto); 5638 b0 = gen_ipfrag(cstate); 5639 gen_and(tmp, b0); 5640 5641 switch (dir) { 5642 case Q_SRC: 5643 b1 = gen_portatom(cstate, 0, port); 5644 break; 5645 5646 case Q_DST: 5647 b1 = gen_portatom(cstate, 2, port); 5648 break; 5649 5650 case Q_AND: 5651 tmp = gen_portatom(cstate, 0, port); 5652 b1 = gen_portatom(cstate, 2, port); 5653 gen_and(tmp, b1); 5654 break; 5655 5656 case Q_DEFAULT: 5657 case Q_OR: 5658 tmp = gen_portatom(cstate, 0, port); 5659 b1 = gen_portatom(cstate, 2, port); 5660 gen_or(tmp, b1); 5661 break; 5662 5663 case Q_ADDR1: 5664 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for ports"); 5665 /*NOTREACHED*/ 5666 5667 case Q_ADDR2: 5668 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for ports"); 5669 /*NOTREACHED*/ 5670 5671 case Q_ADDR3: 5672 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for ports"); 5673 /*NOTREACHED*/ 5674 5675 case Q_ADDR4: 5676 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for ports"); 5677 /*NOTREACHED*/ 5678 5679 case Q_RA: 5680 bpf_error(cstate, "'ra' is not a valid qualifier for ports"); 5681 /*NOTREACHED*/ 5682 5683 case Q_TA: 5684 bpf_error(cstate, "'ta' is not a valid qualifier for ports"); 5685 /*NOTREACHED*/ 5686 5687 default: 5688 abort(); 5689 /*NOTREACHED*/ 5690 } 5691 gen_and(b0, b1); 5692 5693 return b1; 5694 } 5695 5696 static struct block * 5697 gen_port(compiler_state_t *cstate, u_int port, int ip_proto, int dir) 5698 { 5699 struct block *b0, *b1, *tmp; 5700 5701 /* 5702 * ether proto ip 5703 * 5704 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5705 * not LLC encapsulation with LLCSAP_IP. 5706 * 5707 * For IEEE 802 networks - which includes 802.5 token ring 5708 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5709 * says that SNAP encapsulation is used, not LLC encapsulation 5710 * with LLCSAP_IP. 5711 * 5712 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5713 * RFC 2225 say that SNAP encapsulation is used, not LLC 5714 * encapsulation with LLCSAP_IP. 5715 * 5716 * So we always check for ETHERTYPE_IP. 5717 */ 5718 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5719 5720 switch (ip_proto) { 5721 case IPPROTO_UDP: 5722 case IPPROTO_TCP: 5723 case IPPROTO_SCTP: 5724 b1 = gen_portop(cstate, port, (u_int)ip_proto, dir); 5725 break; 5726 5727 case PROTO_UNDEF: 5728 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir); 5729 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir); 5730 gen_or(tmp, b1); 5731 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir); 5732 gen_or(tmp, b1); 5733 break; 5734 5735 default: 5736 abort(); 5737 } 5738 gen_and(b0, b1); 5739 return b1; 5740 } 5741 5742 struct block * 5743 gen_portop6(compiler_state_t *cstate, u_int port, u_int proto, int dir) 5744 { 5745 struct block *b0, *b1, *tmp; 5746 5747 /* ip6 proto 'proto' */ 5748 /* XXX - catch the first fragment of a fragmented packet? */ 5749 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto); 5750 5751 switch (dir) { 5752 case Q_SRC: 5753 b1 = gen_portatom6(cstate, 0, port); 5754 break; 5755 5756 case Q_DST: 5757 b1 = gen_portatom6(cstate, 2, port); 5758 break; 5759 5760 case Q_AND: 5761 tmp = gen_portatom6(cstate, 0, port); 5762 b1 = gen_portatom6(cstate, 2, port); 5763 gen_and(tmp, b1); 5764 break; 5765 5766 case Q_DEFAULT: 5767 case Q_OR: 5768 tmp = gen_portatom6(cstate, 0, port); 5769 b1 = gen_portatom6(cstate, 2, port); 5770 gen_or(tmp, b1); 5771 break; 5772 5773 default: 5774 abort(); 5775 } 5776 gen_and(b0, b1); 5777 5778 return b1; 5779 } 5780 5781 static struct block * 5782 gen_port6(compiler_state_t *cstate, u_int port, int ip_proto, int dir) 5783 { 5784 struct block *b0, *b1, *tmp; 5785 5786 /* link proto ip6 */ 5787 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5788 5789 switch (ip_proto) { 5790 case IPPROTO_UDP: 5791 case IPPROTO_TCP: 5792 case IPPROTO_SCTP: 5793 b1 = gen_portop6(cstate, port, (u_int)ip_proto, dir); 5794 break; 5795 5796 case PROTO_UNDEF: 5797 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir); 5798 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir); 5799 gen_or(tmp, b1); 5800 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir); 5801 gen_or(tmp, b1); 5802 break; 5803 5804 default: 5805 abort(); 5806 } 5807 gen_and(b0, b1); 5808 return b1; 5809 } 5810 5811 /* gen_portrange code */ 5812 static struct block * 5813 gen_portrangeatom(compiler_state_t *cstate, u_int off, bpf_u_int32 v1, 5814 bpf_u_int32 v2) 5815 { 5816 struct block *b1, *b2; 5817 5818 if (v1 > v2) { 5819 /* 5820 * Reverse the order of the ports, so v1 is the lower one. 5821 */ 5822 bpf_u_int32 vtemp; 5823 5824 vtemp = v1; 5825 v1 = v2; 5826 v2 = vtemp; 5827 } 5828 5829 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1); 5830 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2); 5831 5832 gen_and(b1, b2); 5833 5834 return b2; 5835 } 5836 5837 static struct block * 5838 gen_portrangeop(compiler_state_t *cstate, u_int port1, u_int port2, 5839 bpf_u_int32 proto, int dir) 5840 { 5841 struct block *b0, *b1, *tmp; 5842 5843 /* ip proto 'proto' and not a fragment other than the first fragment */ 5844 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto); 5845 b0 = gen_ipfrag(cstate); 5846 gen_and(tmp, b0); 5847 5848 switch (dir) { 5849 case Q_SRC: 5850 b1 = gen_portrangeatom(cstate, 0, port1, port2); 5851 break; 5852 5853 case Q_DST: 5854 b1 = gen_portrangeatom(cstate, 2, port1, port2); 5855 break; 5856 5857 case Q_AND: 5858 tmp = gen_portrangeatom(cstate, 0, port1, port2); 5859 b1 = gen_portrangeatom(cstate, 2, port1, port2); 5860 gen_and(tmp, b1); 5861 break; 5862 5863 case Q_DEFAULT: 5864 case Q_OR: 5865 tmp = gen_portrangeatom(cstate, 0, port1, port2); 5866 b1 = gen_portrangeatom(cstate, 2, port1, port2); 5867 gen_or(tmp, b1); 5868 break; 5869 5870 case Q_ADDR1: 5871 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for port ranges"); 5872 /*NOTREACHED*/ 5873 5874 case Q_ADDR2: 5875 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for port ranges"); 5876 /*NOTREACHED*/ 5877 5878 case Q_ADDR3: 5879 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for port ranges"); 5880 /*NOTREACHED*/ 5881 5882 case Q_ADDR4: 5883 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for port ranges"); 5884 /*NOTREACHED*/ 5885 5886 case Q_RA: 5887 bpf_error(cstate, "'ra' is not a valid qualifier for port ranges"); 5888 /*NOTREACHED*/ 5889 5890 case Q_TA: 5891 bpf_error(cstate, "'ta' is not a valid qualifier for port ranges"); 5892 /*NOTREACHED*/ 5893 5894 default: 5895 abort(); 5896 /*NOTREACHED*/ 5897 } 5898 gen_and(b0, b1); 5899 5900 return b1; 5901 } 5902 5903 static struct block * 5904 gen_portrange(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto, 5905 int dir) 5906 { 5907 struct block *b0, *b1, *tmp; 5908 5909 /* link proto ip */ 5910 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5911 5912 switch (ip_proto) { 5913 case IPPROTO_UDP: 5914 case IPPROTO_TCP: 5915 case IPPROTO_SCTP: 5916 b1 = gen_portrangeop(cstate, port1, port2, (bpf_u_int32)ip_proto, 5917 dir); 5918 break; 5919 5920 case PROTO_UNDEF: 5921 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir); 5922 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir); 5923 gen_or(tmp, b1); 5924 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir); 5925 gen_or(tmp, b1); 5926 break; 5927 5928 default: 5929 abort(); 5930 } 5931 gen_and(b0, b1); 5932 return b1; 5933 } 5934 5935 static struct block * 5936 gen_portrangeatom6(compiler_state_t *cstate, u_int off, bpf_u_int32 v1, 5937 bpf_u_int32 v2) 5938 { 5939 struct block *b1, *b2; 5940 5941 if (v1 > v2) { 5942 /* 5943 * Reverse the order of the ports, so v1 is the lower one. 5944 */ 5945 bpf_u_int32 vtemp; 5946 5947 vtemp = v1; 5948 v1 = v2; 5949 v2 = vtemp; 5950 } 5951 5952 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1); 5953 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2); 5954 5955 gen_and(b1, b2); 5956 5957 return b2; 5958 } 5959 5960 static struct block * 5961 gen_portrangeop6(compiler_state_t *cstate, u_int port1, u_int port2, 5962 bpf_u_int32 proto, int dir) 5963 { 5964 struct block *b0, *b1, *tmp; 5965 5966 /* ip6 proto 'proto' */ 5967 /* XXX - catch the first fragment of a fragmented packet? */ 5968 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto); 5969 5970 switch (dir) { 5971 case Q_SRC: 5972 b1 = gen_portrangeatom6(cstate, 0, port1, port2); 5973 break; 5974 5975 case Q_DST: 5976 b1 = gen_portrangeatom6(cstate, 2, port1, port2); 5977 break; 5978 5979 case Q_AND: 5980 tmp = gen_portrangeatom6(cstate, 0, port1, port2); 5981 b1 = gen_portrangeatom6(cstate, 2, port1, port2); 5982 gen_and(tmp, b1); 5983 break; 5984 5985 case Q_DEFAULT: 5986 case Q_OR: 5987 tmp = gen_portrangeatom6(cstate, 0, port1, port2); 5988 b1 = gen_portrangeatom6(cstate, 2, port1, port2); 5989 gen_or(tmp, b1); 5990 break; 5991 5992 default: 5993 abort(); 5994 } 5995 gen_and(b0, b1); 5996 5997 return b1; 5998 } 5999 6000 static struct block * 6001 gen_portrange6(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto, 6002 int dir) 6003 { 6004 struct block *b0, *b1, *tmp; 6005 6006 /* link proto ip6 */ 6007 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6008 6009 switch (ip_proto) { 6010 case IPPROTO_UDP: 6011 case IPPROTO_TCP: 6012 case IPPROTO_SCTP: 6013 b1 = gen_portrangeop6(cstate, port1, port2, (bpf_u_int32)ip_proto, 6014 dir); 6015 break; 6016 6017 case PROTO_UNDEF: 6018 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir); 6019 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir); 6020 gen_or(tmp, b1); 6021 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir); 6022 gen_or(tmp, b1); 6023 break; 6024 6025 default: 6026 abort(); 6027 } 6028 gen_and(b0, b1); 6029 return b1; 6030 } 6031 6032 static int 6033 lookup_proto(compiler_state_t *cstate, const char *name, int proto) 6034 { 6035 register int v; 6036 6037 switch (proto) { 6038 6039 case Q_DEFAULT: 6040 case Q_IP: 6041 case Q_IPV6: 6042 v = pcap_nametoproto(name); 6043 if (v == PROTO_UNDEF) 6044 bpf_error(cstate, "unknown ip proto '%s'", name); 6045 break; 6046 6047 case Q_LINK: 6048 /* XXX should look up h/w protocol type based on cstate->linktype */ 6049 v = pcap_nametoeproto(name); 6050 if (v == PROTO_UNDEF) { 6051 v = pcap_nametollc(name); 6052 if (v == PROTO_UNDEF) 6053 bpf_error(cstate, "unknown ether proto '%s'", name); 6054 } 6055 break; 6056 6057 case Q_ISO: 6058 if (strcmp(name, "esis") == 0) 6059 v = ISO9542_ESIS; 6060 else if (strcmp(name, "isis") == 0) 6061 v = ISO10589_ISIS; 6062 else if (strcmp(name, "clnp") == 0) 6063 v = ISO8473_CLNP; 6064 else 6065 bpf_error(cstate, "unknown osi proto '%s'", name); 6066 break; 6067 6068 default: 6069 v = PROTO_UNDEF; 6070 break; 6071 } 6072 return v; 6073 } 6074 6075 #if !defined(NO_PROTOCHAIN) 6076 static struct block * 6077 gen_protochain(compiler_state_t *cstate, bpf_u_int32 v, int proto) 6078 { 6079 struct block *b0, *b; 6080 struct slist *s[100]; 6081 int fix2, fix3, fix4, fix5; 6082 int ahcheck, again, end; 6083 int i, max; 6084 int reg2 = alloc_reg(cstate); 6085 6086 memset(s, 0, sizeof(s)); 6087 fix3 = fix4 = fix5 = 0; 6088 6089 switch (proto) { 6090 case Q_IP: 6091 case Q_IPV6: 6092 break; 6093 case Q_DEFAULT: 6094 b0 = gen_protochain(cstate, v, Q_IP); 6095 b = gen_protochain(cstate, v, Q_IPV6); 6096 gen_or(b0, b); 6097 return b; 6098 default: 6099 bpf_error(cstate, "bad protocol applied for 'protochain'"); 6100 /*NOTREACHED*/ 6101 } 6102 6103 /* 6104 * We don't handle variable-length prefixes before the link-layer 6105 * header, or variable-length link-layer headers, here yet. 6106 * We might want to add BPF instructions to do the protochain 6107 * work, to simplify that and, on platforms that have a BPF 6108 * interpreter with the new instructions, let the filtering 6109 * be done in the kernel. (We already require a modified BPF 6110 * engine to do the protochain stuff, to support backward 6111 * branches, and backward branch support is unlikely to appear 6112 * in kernel BPF engines.) 6113 */ 6114 if (cstate->off_linkpl.is_variable) 6115 bpf_error(cstate, "'protochain' not supported with variable length headers"); 6116 6117 /* 6118 * To quote a comment in optimize.c: 6119 * 6120 * "These data structures are used in a Cocke and Shwarz style 6121 * value numbering scheme. Since the flowgraph is acyclic, 6122 * exit values can be propagated from a node's predecessors 6123 * provided it is uniquely defined." 6124 * 6125 * "Acyclic" means "no backward branches", which means "no 6126 * loops", so we have to turn the optimizer off. 6127 */ 6128 cstate->no_optimize = 1; 6129 6130 /* 6131 * s[0] is a dummy entry to protect other BPF insn from damage 6132 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 6133 * hard to find interdependency made by jump table fixup. 6134 */ 6135 i = 0; 6136 s[i] = new_stmt(cstate, 0); /*dummy*/ 6137 i++; 6138 6139 switch (proto) { 6140 case Q_IP: 6141 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6142 6143 /* A = ip->ip_p */ 6144 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 6145 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9; 6146 i++; 6147 /* X = ip->ip_hl << 2 */ 6148 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 6149 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6150 i++; 6151 break; 6152 6153 case Q_IPV6: 6154 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6155 6156 /* A = ip6->ip_nxt */ 6157 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 6158 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6; 6159 i++; 6160 /* X = sizeof(struct ip6_hdr) */ 6161 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM); 6162 s[i]->s.k = 40; 6163 i++; 6164 break; 6165 6166 default: 6167 bpf_error(cstate, "unsupported proto to gen_protochain"); 6168 /*NOTREACHED*/ 6169 } 6170 6171 /* again: if (A == v) goto end; else fall through; */ 6172 again = i; 6173 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6174 s[i]->s.k = v; 6175 s[i]->s.jt = NULL; /*later*/ 6176 s[i]->s.jf = NULL; /*update in next stmt*/ 6177 fix5 = i; 6178 i++; 6179 6180 #ifndef IPPROTO_NONE 6181 #define IPPROTO_NONE 59 6182 #endif 6183 /* if (A == IPPROTO_NONE) goto end */ 6184 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6185 s[i]->s.jt = NULL; /*later*/ 6186 s[i]->s.jf = NULL; /*update in next stmt*/ 6187 s[i]->s.k = IPPROTO_NONE; 6188 s[fix5]->s.jf = s[i]; 6189 fix2 = i; 6190 i++; 6191 6192 if (proto == Q_IPV6) { 6193 int v6start, v6end, v6advance, j; 6194 6195 v6start = i; 6196 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 6197 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6198 s[i]->s.jt = NULL; /*later*/ 6199 s[i]->s.jf = NULL; /*update in next stmt*/ 6200 s[i]->s.k = IPPROTO_HOPOPTS; 6201 s[fix2]->s.jf = s[i]; 6202 i++; 6203 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 6204 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6205 s[i]->s.jt = NULL; /*later*/ 6206 s[i]->s.jf = NULL; /*update in next stmt*/ 6207 s[i]->s.k = IPPROTO_DSTOPTS; 6208 i++; 6209 /* if (A == IPPROTO_ROUTING) goto v6advance */ 6210 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6211 s[i]->s.jt = NULL; /*later*/ 6212 s[i]->s.jf = NULL; /*update in next stmt*/ 6213 s[i]->s.k = IPPROTO_ROUTING; 6214 i++; 6215 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 6216 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6217 s[i]->s.jt = NULL; /*later*/ 6218 s[i]->s.jf = NULL; /*later*/ 6219 s[i]->s.k = IPPROTO_FRAGMENT; 6220 fix3 = i; 6221 v6end = i; 6222 i++; 6223 6224 /* v6advance: */ 6225 v6advance = i; 6226 6227 /* 6228 * in short, 6229 * A = P[X + packet head]; 6230 * X = X + (P[X + packet head + 1] + 1) * 8; 6231 */ 6232 /* A = P[X + packet head] */ 6233 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6234 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6235 i++; 6236 /* MEM[reg2] = A */ 6237 s[i] = new_stmt(cstate, BPF_ST); 6238 s[i]->s.k = reg2; 6239 i++; 6240 /* A = P[X + packet head + 1]; */ 6241 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6242 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1; 6243 i++; 6244 /* A += 1 */ 6245 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6246 s[i]->s.k = 1; 6247 i++; 6248 /* A *= 8 */ 6249 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 6250 s[i]->s.k = 8; 6251 i++; 6252 /* A += X */ 6253 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 6254 s[i]->s.k = 0; 6255 i++; 6256 /* X = A; */ 6257 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6258 i++; 6259 /* A = MEM[reg2] */ 6260 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 6261 s[i]->s.k = reg2; 6262 i++; 6263 6264 /* goto again; (must use BPF_JA for backward jump) */ 6265 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 6266 s[i]->s.k = again - i - 1; 6267 s[i - 1]->s.jf = s[i]; 6268 i++; 6269 6270 /* fixup */ 6271 for (j = v6start; j <= v6end; j++) 6272 s[j]->s.jt = s[v6advance]; 6273 } else { 6274 /* nop */ 6275 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6276 s[i]->s.k = 0; 6277 s[fix2]->s.jf = s[i]; 6278 i++; 6279 } 6280 6281 /* ahcheck: */ 6282 ahcheck = i; 6283 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 6284 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6285 s[i]->s.jt = NULL; /*later*/ 6286 s[i]->s.jf = NULL; /*later*/ 6287 s[i]->s.k = IPPROTO_AH; 6288 if (fix3) 6289 s[fix3]->s.jf = s[ahcheck]; 6290 fix4 = i; 6291 i++; 6292 6293 /* 6294 * in short, 6295 * A = P[X]; 6296 * X = X + (P[X + 1] + 2) * 4; 6297 */ 6298 /* A = X */ 6299 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 6300 i++; 6301 /* A = P[X + packet head]; */ 6302 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6303 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6304 i++; 6305 /* MEM[reg2] = A */ 6306 s[i] = new_stmt(cstate, BPF_ST); 6307 s[i]->s.k = reg2; 6308 i++; 6309 /* A = X */ 6310 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 6311 i++; 6312 /* A += 1 */ 6313 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6314 s[i]->s.k = 1; 6315 i++; 6316 /* X = A */ 6317 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6318 i++; 6319 /* A = P[X + packet head] */ 6320 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6321 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6322 i++; 6323 /* A += 2 */ 6324 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6325 s[i]->s.k = 2; 6326 i++; 6327 /* A *= 4 */ 6328 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 6329 s[i]->s.k = 4; 6330 i++; 6331 /* X = A; */ 6332 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6333 i++; 6334 /* A = MEM[reg2] */ 6335 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 6336 s[i]->s.k = reg2; 6337 i++; 6338 6339 /* goto again; (must use BPF_JA for backward jump) */ 6340 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 6341 s[i]->s.k = again - i - 1; 6342 i++; 6343 6344 /* end: nop */ 6345 end = i; 6346 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6347 s[i]->s.k = 0; 6348 s[fix2]->s.jt = s[end]; 6349 s[fix4]->s.jf = s[end]; 6350 s[fix5]->s.jt = s[end]; 6351 i++; 6352 6353 /* 6354 * make slist chain 6355 */ 6356 max = i; 6357 for (i = 0; i < max - 1; i++) 6358 s[i]->next = s[i + 1]; 6359 s[max - 1]->next = NULL; 6360 6361 /* 6362 * emit final check 6363 */ 6364 b = new_block(cstate, JMP(BPF_JEQ)); 6365 b->stmts = s[1]; /*remember, s[0] is dummy*/ 6366 b->s.k = v; 6367 6368 free_reg(cstate, reg2); 6369 6370 gen_and(b0, b); 6371 return b; 6372 } 6373 #endif /* !defined(NO_PROTOCHAIN) */ 6374 6375 static struct block * 6376 gen_check_802_11_data_frame(compiler_state_t *cstate) 6377 { 6378 struct slist *s; 6379 struct block *b0, *b1; 6380 6381 /* 6382 * A data frame has the 0x08 bit (b3) in the frame control field set 6383 * and the 0x04 bit (b2) clear. 6384 */ 6385 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6386 b0 = new_block(cstate, JMP(BPF_JSET)); 6387 b0->s.k = 0x08; 6388 b0->stmts = s; 6389 6390 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6391 b1 = new_block(cstate, JMP(BPF_JSET)); 6392 b1->s.k = 0x04; 6393 b1->stmts = s; 6394 gen_not(b1); 6395 6396 gen_and(b1, b0); 6397 6398 return b0; 6399 } 6400 6401 /* 6402 * Generate code that checks whether the packet is a packet for protocol 6403 * <proto> and whether the type field in that protocol's header has 6404 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 6405 * IP packet and checks the protocol number in the IP header against <v>. 6406 * 6407 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 6408 * against Q_IP and Q_IPV6. 6409 */ 6410 static struct block * 6411 gen_proto(compiler_state_t *cstate, bpf_u_int32 v, int proto, int dir) 6412 { 6413 struct block *b0, *b1; 6414 struct block *b2; 6415 6416 if (dir != Q_DEFAULT) 6417 bpf_error(cstate, "direction applied to 'proto'"); 6418 6419 switch (proto) { 6420 case Q_DEFAULT: 6421 b0 = gen_proto(cstate, v, Q_IP, dir); 6422 b1 = gen_proto(cstate, v, Q_IPV6, dir); 6423 gen_or(b0, b1); 6424 return b1; 6425 6426 case Q_LINK: 6427 return gen_linktype(cstate, v); 6428 6429 case Q_IP: 6430 /* 6431 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 6432 * not LLC encapsulation with LLCSAP_IP. 6433 * 6434 * For IEEE 802 networks - which includes 802.5 token ring 6435 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 6436 * says that SNAP encapsulation is used, not LLC encapsulation 6437 * with LLCSAP_IP. 6438 * 6439 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 6440 * RFC 2225 say that SNAP encapsulation is used, not LLC 6441 * encapsulation with LLCSAP_IP. 6442 * 6443 * So we always check for ETHERTYPE_IP. 6444 */ 6445 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6446 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, v); 6447 gen_and(b0, b1); 6448 return b1; 6449 6450 case Q_ARP: 6451 bpf_error(cstate, "arp does not encapsulate another protocol"); 6452 /*NOTREACHED*/ 6453 6454 case Q_RARP: 6455 bpf_error(cstate, "rarp does not encapsulate another protocol"); 6456 /*NOTREACHED*/ 6457 6458 case Q_SCTP: 6459 bpf_error(cstate, "'sctp proto' is bogus"); 6460 /*NOTREACHED*/ 6461 6462 case Q_TCP: 6463 bpf_error(cstate, "'tcp proto' is bogus"); 6464 /*NOTREACHED*/ 6465 6466 case Q_UDP: 6467 bpf_error(cstate, "'udp proto' is bogus"); 6468 /*NOTREACHED*/ 6469 6470 case Q_ICMP: 6471 bpf_error(cstate, "'icmp proto' is bogus"); 6472 /*NOTREACHED*/ 6473 6474 case Q_IGMP: 6475 bpf_error(cstate, "'igmp proto' is bogus"); 6476 /*NOTREACHED*/ 6477 6478 case Q_IGRP: 6479 bpf_error(cstate, "'igrp proto' is bogus"); 6480 /*NOTREACHED*/ 6481 6482 case Q_ATALK: 6483 bpf_error(cstate, "AppleTalk encapsulation is not specifiable"); 6484 /*NOTREACHED*/ 6485 6486 case Q_DECNET: 6487 bpf_error(cstate, "DECNET encapsulation is not specifiable"); 6488 /*NOTREACHED*/ 6489 6490 case Q_LAT: 6491 bpf_error(cstate, "LAT does not encapsulate another protocol"); 6492 /*NOTREACHED*/ 6493 6494 case Q_SCA: 6495 bpf_error(cstate, "SCA does not encapsulate another protocol"); 6496 /*NOTREACHED*/ 6497 6498 case Q_MOPRC: 6499 bpf_error(cstate, "MOPRC does not encapsulate another protocol"); 6500 /*NOTREACHED*/ 6501 6502 case Q_MOPDL: 6503 bpf_error(cstate, "MOPDL does not encapsulate another protocol"); 6504 /*NOTREACHED*/ 6505 6506 case Q_IPV6: 6507 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6508 /* 6509 * Also check for a fragment header before the final 6510 * header. 6511 */ 6512 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT); 6513 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, v); 6514 gen_and(b2, b1); 6515 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, v); 6516 gen_or(b2, b1); 6517 gen_and(b0, b1); 6518 return b1; 6519 6520 case Q_ICMPV6: 6521 bpf_error(cstate, "'icmp6 proto' is bogus"); 6522 /*NOTREACHED*/ 6523 6524 case Q_AH: 6525 bpf_error(cstate, "'ah proto' is bogus"); 6526 /*NOTREACHED*/ 6527 6528 case Q_ESP: 6529 bpf_error(cstate, "'esp proto' is bogus"); 6530 /*NOTREACHED*/ 6531 6532 case Q_PIM: 6533 bpf_error(cstate, "'pim proto' is bogus"); 6534 /*NOTREACHED*/ 6535 6536 case Q_VRRP: 6537 bpf_error(cstate, "'vrrp proto' is bogus"); 6538 /*NOTREACHED*/ 6539 6540 case Q_AARP: 6541 bpf_error(cstate, "'aarp proto' is bogus"); 6542 /*NOTREACHED*/ 6543 6544 case Q_ISO: 6545 switch (cstate->linktype) { 6546 6547 case DLT_FRELAY: 6548 /* 6549 * Frame Relay packets typically have an OSI 6550 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)" 6551 * generates code to check for all the OSI 6552 * NLPIDs, so calling it and then adding a check 6553 * for the particular NLPID for which we're 6554 * looking is bogus, as we can just check for 6555 * the NLPID. 6556 * 6557 * What we check for is the NLPID and a frame 6558 * control field value of UI, i.e. 0x03 followed 6559 * by the NLPID. 6560 * 6561 * XXX - assumes a 2-byte Frame Relay header with 6562 * DLCI and flags. What if the address is longer? 6563 * 6564 * XXX - what about SNAP-encapsulated frames? 6565 */ 6566 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v); 6567 /*NOTREACHED*/ 6568 6569 case DLT_C_HDLC: 6570 case DLT_HDLC: 6571 /* 6572 * Cisco uses an Ethertype lookalike - for OSI, 6573 * it's 0xfefe. 6574 */ 6575 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS); 6576 /* OSI in C-HDLC is stuffed with a fudge byte */ 6577 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, v); 6578 gen_and(b0, b1); 6579 return b1; 6580 6581 default: 6582 b0 = gen_linktype(cstate, LLCSAP_ISONS); 6583 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, v); 6584 gen_and(b0, b1); 6585 return b1; 6586 } 6587 6588 case Q_ESIS: 6589 bpf_error(cstate, "'esis proto' is bogus"); 6590 /*NOTREACHED*/ 6591 6592 case Q_ISIS: 6593 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 6594 /* 6595 * 4 is the offset of the PDU type relative to the IS-IS 6596 * header. 6597 */ 6598 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, v); 6599 gen_and(b0, b1); 6600 return b1; 6601 6602 case Q_CLNP: 6603 bpf_error(cstate, "'clnp proto' is not supported"); 6604 /*NOTREACHED*/ 6605 6606 case Q_STP: 6607 bpf_error(cstate, "'stp proto' is bogus"); 6608 /*NOTREACHED*/ 6609 6610 case Q_IPX: 6611 bpf_error(cstate, "'ipx proto' is bogus"); 6612 /*NOTREACHED*/ 6613 6614 case Q_NETBEUI: 6615 bpf_error(cstate, "'netbeui proto' is bogus"); 6616 /*NOTREACHED*/ 6617 6618 case Q_ISIS_L1: 6619 bpf_error(cstate, "'l1 proto' is bogus"); 6620 /*NOTREACHED*/ 6621 6622 case Q_ISIS_L2: 6623 bpf_error(cstate, "'l2 proto' is bogus"); 6624 /*NOTREACHED*/ 6625 6626 case Q_ISIS_IIH: 6627 bpf_error(cstate, "'iih proto' is bogus"); 6628 /*NOTREACHED*/ 6629 6630 case Q_ISIS_SNP: 6631 bpf_error(cstate, "'snp proto' is bogus"); 6632 /*NOTREACHED*/ 6633 6634 case Q_ISIS_CSNP: 6635 bpf_error(cstate, "'csnp proto' is bogus"); 6636 /*NOTREACHED*/ 6637 6638 case Q_ISIS_PSNP: 6639 bpf_error(cstate, "'psnp proto' is bogus"); 6640 /*NOTREACHED*/ 6641 6642 case Q_ISIS_LSP: 6643 bpf_error(cstate, "'lsp proto' is bogus"); 6644 /*NOTREACHED*/ 6645 6646 case Q_RADIO: 6647 bpf_error(cstate, "'radio proto' is bogus"); 6648 /*NOTREACHED*/ 6649 6650 case Q_CARP: 6651 bpf_error(cstate, "'carp proto' is bogus"); 6652 /*NOTREACHED*/ 6653 6654 default: 6655 abort(); 6656 /*NOTREACHED*/ 6657 } 6658 /*NOTREACHED*/ 6659 } 6660 6661 struct block * 6662 gen_scode(compiler_state_t *cstate, const char *name, struct qual q) 6663 { 6664 int proto = q.proto; 6665 int dir = q.dir; 6666 int tproto; 6667 u_char *eaddr; 6668 bpf_u_int32 mask, addr; 6669 struct addrinfo *res, *res0; 6670 struct sockaddr_in *sin4; 6671 #ifdef INET6 6672 int tproto6; 6673 struct sockaddr_in6 *sin6; 6674 struct in6_addr mask128; 6675 #endif /*INET6*/ 6676 struct block *b, *tmp; 6677 int port, real_proto; 6678 int port1, port2; 6679 6680 /* 6681 * Catch errors reported by us and routines below us, and return NULL 6682 * on an error. 6683 */ 6684 if (setjmp(cstate->top_ctx)) 6685 return (NULL); 6686 6687 switch (q.addr) { 6688 6689 case Q_NET: 6690 addr = pcap_nametonetaddr(name); 6691 if (addr == 0) 6692 bpf_error(cstate, "unknown network '%s'", name); 6693 /* Left justify network addr and calculate its network mask */ 6694 mask = 0xffffffff; 6695 while (addr && (addr & 0xff000000) == 0) { 6696 addr <<= 8; 6697 mask <<= 8; 6698 } 6699 return gen_host(cstate, addr, mask, proto, dir, q.addr); 6700 6701 case Q_DEFAULT: 6702 case Q_HOST: 6703 if (proto == Q_LINK) { 6704 switch (cstate->linktype) { 6705 6706 case DLT_EN10MB: 6707 case DLT_NETANALYZER: 6708 case DLT_NETANALYZER_TRANSPARENT: 6709 eaddr = pcap_ether_hostton(name); 6710 if (eaddr == NULL) 6711 bpf_error(cstate, 6712 "unknown ether host '%s'", name); 6713 tmp = gen_prevlinkhdr_check(cstate); 6714 b = gen_ehostop(cstate, eaddr, dir); 6715 if (tmp != NULL) 6716 gen_and(tmp, b); 6717 free(eaddr); 6718 return b; 6719 6720 case DLT_FDDI: 6721 eaddr = pcap_ether_hostton(name); 6722 if (eaddr == NULL) 6723 bpf_error(cstate, 6724 "unknown FDDI host '%s'", name); 6725 b = gen_fhostop(cstate, eaddr, dir); 6726 free(eaddr); 6727 return b; 6728 6729 case DLT_IEEE802: 6730 eaddr = pcap_ether_hostton(name); 6731 if (eaddr == NULL) 6732 bpf_error(cstate, 6733 "unknown token ring host '%s'", name); 6734 b = gen_thostop(cstate, eaddr, dir); 6735 free(eaddr); 6736 return b; 6737 6738 case DLT_IEEE802_11: 6739 case DLT_PRISM_HEADER: 6740 case DLT_IEEE802_11_RADIO_AVS: 6741 case DLT_IEEE802_11_RADIO: 6742 case DLT_PPI: 6743 eaddr = pcap_ether_hostton(name); 6744 if (eaddr == NULL) 6745 bpf_error(cstate, 6746 "unknown 802.11 host '%s'", name); 6747 b = gen_wlanhostop(cstate, eaddr, dir); 6748 free(eaddr); 6749 return b; 6750 6751 case DLT_IP_OVER_FC: 6752 eaddr = pcap_ether_hostton(name); 6753 if (eaddr == NULL) 6754 bpf_error(cstate, 6755 "unknown Fibre Channel host '%s'", name); 6756 b = gen_ipfchostop(cstate, eaddr, dir); 6757 free(eaddr); 6758 return b; 6759 } 6760 6761 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6762 } else if (proto == Q_DECNET) { 6763 unsigned short dn_addr; 6764 6765 if (!__pcap_nametodnaddr(name, &dn_addr)) { 6766 #ifdef DECNETLIB 6767 bpf_error(cstate, "unknown decnet host name '%s'\n", name); 6768 #else 6769 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n", 6770 name); 6771 #endif 6772 } 6773 /* 6774 * I don't think DECNET hosts can be multihomed, so 6775 * there is no need to build up a list of addresses 6776 */ 6777 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr)); 6778 } else { 6779 #ifdef INET6 6780 memset(&mask128, 0xff, sizeof(mask128)); 6781 #endif 6782 res0 = res = pcap_nametoaddrinfo(name); 6783 if (res == NULL) 6784 bpf_error(cstate, "unknown host '%s'", name); 6785 cstate->ai = res; 6786 b = tmp = NULL; 6787 tproto = proto; 6788 #ifdef INET6 6789 tproto6 = proto; 6790 #endif 6791 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6792 tproto == Q_DEFAULT) { 6793 tproto = Q_IP; 6794 #ifdef INET6 6795 tproto6 = Q_IPV6; 6796 #endif 6797 } 6798 for (res = res0; res; res = res->ai_next) { 6799 switch (res->ai_family) { 6800 case AF_INET: 6801 #ifdef INET6 6802 if (tproto == Q_IPV6) 6803 continue; 6804 #endif 6805 6806 sin4 = (struct sockaddr_in *) 6807 res->ai_addr; 6808 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr), 6809 0xffffffff, tproto, dir, q.addr); 6810 break; 6811 #ifdef INET6 6812 case AF_INET6: 6813 if (tproto6 == Q_IP) 6814 continue; 6815 6816 sin6 = (struct sockaddr_in6 *) 6817 res->ai_addr; 6818 tmp = gen_host6(cstate, &sin6->sin6_addr, 6819 &mask128, tproto6, dir, q.addr); 6820 break; 6821 #endif 6822 default: 6823 continue; 6824 } 6825 if (b) 6826 gen_or(b, tmp); 6827 b = tmp; 6828 } 6829 cstate->ai = NULL; 6830 freeaddrinfo(res0); 6831 if (b == NULL) { 6832 bpf_error(cstate, "unknown host '%s'%s", name, 6833 (proto == Q_DEFAULT) 6834 ? "" 6835 : " for specified address family"); 6836 } 6837 return b; 6838 } 6839 6840 case Q_PORT: 6841 if (proto != Q_DEFAULT && 6842 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6843 bpf_error(cstate, "illegal qualifier of 'port'"); 6844 if (pcap_nametoport(name, &port, &real_proto) == 0) 6845 bpf_error(cstate, "unknown port '%s'", name); 6846 if (proto == Q_UDP) { 6847 if (real_proto == IPPROTO_TCP) 6848 bpf_error(cstate, "port '%s' is tcp", name); 6849 else if (real_proto == IPPROTO_SCTP) 6850 bpf_error(cstate, "port '%s' is sctp", name); 6851 else 6852 /* override PROTO_UNDEF */ 6853 real_proto = IPPROTO_UDP; 6854 } 6855 if (proto == Q_TCP) { 6856 if (real_proto == IPPROTO_UDP) 6857 bpf_error(cstate, "port '%s' is udp", name); 6858 6859 else if (real_proto == IPPROTO_SCTP) 6860 bpf_error(cstate, "port '%s' is sctp", name); 6861 else 6862 /* override PROTO_UNDEF */ 6863 real_proto = IPPROTO_TCP; 6864 } 6865 if (proto == Q_SCTP) { 6866 if (real_proto == IPPROTO_UDP) 6867 bpf_error(cstate, "port '%s' is udp", name); 6868 6869 else if (real_proto == IPPROTO_TCP) 6870 bpf_error(cstate, "port '%s' is tcp", name); 6871 else 6872 /* override PROTO_UNDEF */ 6873 real_proto = IPPROTO_SCTP; 6874 } 6875 if (port < 0) 6876 bpf_error(cstate, "illegal port number %d < 0", port); 6877 if (port > 65535) 6878 bpf_error(cstate, "illegal port number %d > 65535", port); 6879 b = gen_port(cstate, port, real_proto, dir); 6880 gen_or(gen_port6(cstate, port, real_proto, dir), b); 6881 return b; 6882 6883 case Q_PORTRANGE: 6884 if (proto != Q_DEFAULT && 6885 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6886 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6887 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6888 bpf_error(cstate, "unknown port in range '%s'", name); 6889 if (proto == Q_UDP) { 6890 if (real_proto == IPPROTO_TCP) 6891 bpf_error(cstate, "port in range '%s' is tcp", name); 6892 else if (real_proto == IPPROTO_SCTP) 6893 bpf_error(cstate, "port in range '%s' is sctp", name); 6894 else 6895 /* override PROTO_UNDEF */ 6896 real_proto = IPPROTO_UDP; 6897 } 6898 if (proto == Q_TCP) { 6899 if (real_proto == IPPROTO_UDP) 6900 bpf_error(cstate, "port in range '%s' is udp", name); 6901 else if (real_proto == IPPROTO_SCTP) 6902 bpf_error(cstate, "port in range '%s' is sctp", name); 6903 else 6904 /* override PROTO_UNDEF */ 6905 real_proto = IPPROTO_TCP; 6906 } 6907 if (proto == Q_SCTP) { 6908 if (real_proto == IPPROTO_UDP) 6909 bpf_error(cstate, "port in range '%s' is udp", name); 6910 else if (real_proto == IPPROTO_TCP) 6911 bpf_error(cstate, "port in range '%s' is tcp", name); 6912 else 6913 /* override PROTO_UNDEF */ 6914 real_proto = IPPROTO_SCTP; 6915 } 6916 if (port1 < 0) 6917 bpf_error(cstate, "illegal port number %d < 0", port1); 6918 if (port1 > 65535) 6919 bpf_error(cstate, "illegal port number %d > 65535", port1); 6920 if (port2 < 0) 6921 bpf_error(cstate, "illegal port number %d < 0", port2); 6922 if (port2 > 65535) 6923 bpf_error(cstate, "illegal port number %d > 65535", port2); 6924 6925 b = gen_portrange(cstate, port1, port2, real_proto, dir); 6926 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b); 6927 return b; 6928 6929 case Q_GATEWAY: 6930 #ifndef INET6 6931 eaddr = pcap_ether_hostton(name); 6932 if (eaddr == NULL) 6933 bpf_error(cstate, "unknown ether host: %s", name); 6934 6935 res = pcap_nametoaddrinfo(name); 6936 cstate->ai = res; 6937 if (res == NULL) 6938 bpf_error(cstate, "unknown host '%s'", name); 6939 b = gen_gateway(cstate, eaddr, res, proto, dir); 6940 cstate->ai = NULL; 6941 freeaddrinfo(res); 6942 if (b == NULL) 6943 bpf_error(cstate, "unknown host '%s'", name); 6944 return b; 6945 #else 6946 bpf_error(cstate, "'gateway' not supported in this configuration"); 6947 #endif /*INET6*/ 6948 6949 case Q_PROTO: 6950 real_proto = lookup_proto(cstate, name, proto); 6951 if (real_proto >= 0) 6952 return gen_proto(cstate, real_proto, proto, dir); 6953 else 6954 bpf_error(cstate, "unknown protocol: %s", name); 6955 6956 #if !defined(NO_PROTOCHAIN) 6957 case Q_PROTOCHAIN: 6958 real_proto = lookup_proto(cstate, name, proto); 6959 if (real_proto >= 0) 6960 return gen_protochain(cstate, real_proto, proto); 6961 else 6962 bpf_error(cstate, "unknown protocol: %s", name); 6963 #endif /* !defined(NO_PROTOCHAIN) */ 6964 6965 case Q_UNDEF: 6966 syntax(cstate); 6967 /*NOTREACHED*/ 6968 } 6969 abort(); 6970 /*NOTREACHED*/ 6971 } 6972 6973 struct block * 6974 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2, 6975 bpf_u_int32 masklen, struct qual q) 6976 { 6977 register int nlen, mlen; 6978 bpf_u_int32 n, m; 6979 6980 /* 6981 * Catch errors reported by us and routines below us, and return NULL 6982 * on an error. 6983 */ 6984 if (setjmp(cstate->top_ctx)) 6985 return (NULL); 6986 6987 nlen = __pcap_atoin(s1, &n); 6988 if (nlen < 0) 6989 bpf_error(cstate, "invalid IPv4 address '%s'", s1); 6990 /* Promote short ipaddr */ 6991 n <<= 32 - nlen; 6992 6993 if (s2 != NULL) { 6994 mlen = __pcap_atoin(s2, &m); 6995 if (mlen < 0) 6996 bpf_error(cstate, "invalid IPv4 address '%s'", s2); 6997 /* Promote short ipaddr */ 6998 m <<= 32 - mlen; 6999 if ((n & ~m) != 0) 7000 bpf_error(cstate, "non-network bits set in \"%s mask %s\"", 7001 s1, s2); 7002 } else { 7003 /* Convert mask len to mask */ 7004 if (masklen > 32) 7005 bpf_error(cstate, "mask length must be <= 32"); 7006 if (masklen == 0) { 7007 /* 7008 * X << 32 is not guaranteed by C to be 0; it's 7009 * undefined. 7010 */ 7011 m = 0; 7012 } else 7013 m = 0xffffffff << (32 - masklen); 7014 if ((n & ~m) != 0) 7015 bpf_error(cstate, "non-network bits set in \"%s/%d\"", 7016 s1, masklen); 7017 } 7018 7019 switch (q.addr) { 7020 7021 case Q_NET: 7022 return gen_host(cstate, n, m, q.proto, q.dir, q.addr); 7023 7024 default: 7025 bpf_error(cstate, "Mask syntax for networks only"); 7026 /*NOTREACHED*/ 7027 } 7028 /*NOTREACHED*/ 7029 } 7030 7031 struct block * 7032 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q) 7033 { 7034 bpf_u_int32 mask; 7035 int proto; 7036 int dir; 7037 register int vlen; 7038 7039 /* 7040 * Catch errors reported by us and routines below us, and return NULL 7041 * on an error. 7042 */ 7043 if (setjmp(cstate->top_ctx)) 7044 return (NULL); 7045 7046 proto = q.proto; 7047 dir = q.dir; 7048 if (s == NULL) 7049 vlen = 32; 7050 else if (q.proto == Q_DECNET) { 7051 vlen = __pcap_atodn(s, &v); 7052 if (vlen == 0) 7053 bpf_error(cstate, "malformed decnet address '%s'", s); 7054 } else { 7055 vlen = __pcap_atoin(s, &v); 7056 if (vlen < 0) 7057 bpf_error(cstate, "invalid IPv4 address '%s'", s); 7058 } 7059 7060 switch (q.addr) { 7061 7062 case Q_DEFAULT: 7063 case Q_HOST: 7064 case Q_NET: 7065 if (proto == Q_DECNET) 7066 return gen_host(cstate, v, 0, proto, dir, q.addr); 7067 else if (proto == Q_LINK) { 7068 bpf_error(cstate, "illegal link layer address"); 7069 } else { 7070 mask = 0xffffffff; 7071 if (s == NULL && q.addr == Q_NET) { 7072 /* Promote short net number */ 7073 while (v && (v & 0xff000000) == 0) { 7074 v <<= 8; 7075 mask <<= 8; 7076 } 7077 } else { 7078 /* Promote short ipaddr */ 7079 v <<= 32 - vlen; 7080 mask <<= 32 - vlen ; 7081 } 7082 return gen_host(cstate, v, mask, proto, dir, q.addr); 7083 } 7084 7085 case Q_PORT: 7086 if (proto == Q_UDP) 7087 proto = IPPROTO_UDP; 7088 else if (proto == Q_TCP) 7089 proto = IPPROTO_TCP; 7090 else if (proto == Q_SCTP) 7091 proto = IPPROTO_SCTP; 7092 else if (proto == Q_DEFAULT) 7093 proto = PROTO_UNDEF; 7094 else 7095 bpf_error(cstate, "illegal qualifier of 'port'"); 7096 7097 if (v > 65535) 7098 bpf_error(cstate, "illegal port number %u > 65535", v); 7099 7100 { 7101 struct block *b; 7102 b = gen_port(cstate, v, proto, dir); 7103 gen_or(gen_port6(cstate, v, proto, dir), b); 7104 return b; 7105 } 7106 7107 case Q_PORTRANGE: 7108 if (proto == Q_UDP) 7109 proto = IPPROTO_UDP; 7110 else if (proto == Q_TCP) 7111 proto = IPPROTO_TCP; 7112 else if (proto == Q_SCTP) 7113 proto = IPPROTO_SCTP; 7114 else if (proto == Q_DEFAULT) 7115 proto = PROTO_UNDEF; 7116 else 7117 bpf_error(cstate, "illegal qualifier of 'portrange'"); 7118 7119 if (v > 65535) 7120 bpf_error(cstate, "illegal port number %u > 65535", v); 7121 7122 { 7123 struct block *b; 7124 b = gen_portrange(cstate, v, v, proto, dir); 7125 gen_or(gen_portrange6(cstate, v, v, proto, dir), b); 7126 return b; 7127 } 7128 7129 case Q_GATEWAY: 7130 bpf_error(cstate, "'gateway' requires a name"); 7131 /*NOTREACHED*/ 7132 7133 case Q_PROTO: 7134 return gen_proto(cstate, v, proto, dir); 7135 7136 #if !defined(NO_PROTOCHAIN) 7137 case Q_PROTOCHAIN: 7138 return gen_protochain(cstate, v, proto); 7139 #endif 7140 7141 case Q_UNDEF: 7142 syntax(cstate); 7143 /*NOTREACHED*/ 7144 7145 default: 7146 abort(); 7147 /*NOTREACHED*/ 7148 } 7149 /*NOTREACHED*/ 7150 } 7151 7152 #ifdef INET6 7153 struct block * 7154 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2, 7155 bpf_u_int32 masklen, struct qual q) 7156 { 7157 struct addrinfo *res; 7158 struct in6_addr *addr; 7159 struct in6_addr mask; 7160 struct block *b; 7161 uint32_t *a, *m; 7162 7163 /* 7164 * Catch errors reported by us and routines below us, and return NULL 7165 * on an error. 7166 */ 7167 if (setjmp(cstate->top_ctx)) 7168 return (NULL); 7169 7170 if (s2) 7171 bpf_error(cstate, "no mask %s supported", s2); 7172 7173 res = pcap_nametoaddrinfo(s1); 7174 if (!res) 7175 bpf_error(cstate, "invalid ip6 address %s", s1); 7176 cstate->ai = res; 7177 if (res->ai_next) 7178 bpf_error(cstate, "%s resolved to multiple address", s1); 7179 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 7180 7181 if (masklen > sizeof(mask.s6_addr) * 8) 7182 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask.s6_addr) * 8)); 7183 memset(&mask, 0, sizeof(mask)); 7184 memset(&mask.s6_addr, 0xff, masklen / 8); 7185 if (masklen % 8) { 7186 mask.s6_addr[masklen / 8] = 7187 (0xff << (8 - masklen % 8)) & 0xff; 7188 } 7189 7190 a = (uint32_t *)addr; 7191 m = (uint32_t *)&mask; 7192 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 7193 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 7194 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen); 7195 } 7196 7197 switch (q.addr) { 7198 7199 case Q_DEFAULT: 7200 case Q_HOST: 7201 if (masklen != 128) 7202 bpf_error(cstate, "Mask syntax for networks only"); 7203 /* FALLTHROUGH */ 7204 7205 case Q_NET: 7206 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr); 7207 cstate->ai = NULL; 7208 freeaddrinfo(res); 7209 return b; 7210 7211 default: 7212 bpf_error(cstate, "invalid qualifier against IPv6 address"); 7213 /*NOTREACHED*/ 7214 } 7215 } 7216 #endif /*INET6*/ 7217 7218 struct block * 7219 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q) 7220 { 7221 struct block *b, *tmp; 7222 7223 /* 7224 * Catch errors reported by us and routines below us, and return NULL 7225 * on an error. 7226 */ 7227 if (setjmp(cstate->top_ctx)) 7228 return (NULL); 7229 7230 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 7231 cstate->e = pcap_ether_aton(s); 7232 if (cstate->e == NULL) 7233 bpf_error(cstate, "malloc"); 7234 switch (cstate->linktype) { 7235 case DLT_EN10MB: 7236 case DLT_NETANALYZER: 7237 case DLT_NETANALYZER_TRANSPARENT: 7238 tmp = gen_prevlinkhdr_check(cstate); 7239 b = gen_ehostop(cstate, cstate->e, (int)q.dir); 7240 if (tmp != NULL) 7241 gen_and(tmp, b); 7242 break; 7243 case DLT_FDDI: 7244 b = gen_fhostop(cstate, cstate->e, (int)q.dir); 7245 break; 7246 case DLT_IEEE802: 7247 b = gen_thostop(cstate, cstate->e, (int)q.dir); 7248 break; 7249 case DLT_IEEE802_11: 7250 case DLT_PRISM_HEADER: 7251 case DLT_IEEE802_11_RADIO_AVS: 7252 case DLT_IEEE802_11_RADIO: 7253 case DLT_PPI: 7254 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir); 7255 break; 7256 case DLT_IP_OVER_FC: 7257 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir); 7258 break; 7259 default: 7260 free(cstate->e); 7261 cstate->e = NULL; 7262 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 7263 /*NOTREACHED*/ 7264 } 7265 free(cstate->e); 7266 cstate->e = NULL; 7267 return (b); 7268 } 7269 bpf_error(cstate, "ethernet address used in non-ether expression"); 7270 /*NOTREACHED*/ 7271 } 7272 7273 void 7274 sappend(struct slist *s0, struct slist *s1) 7275 { 7276 /* 7277 * This is definitely not the best way to do this, but the 7278 * lists will rarely get long. 7279 */ 7280 while (s0->next) 7281 s0 = s0->next; 7282 s0->next = s1; 7283 } 7284 7285 static struct slist * 7286 xfer_to_x(compiler_state_t *cstate, struct arth *a) 7287 { 7288 struct slist *s; 7289 7290 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 7291 s->s.k = a->regno; 7292 return s; 7293 } 7294 7295 static struct slist * 7296 xfer_to_a(compiler_state_t *cstate, struct arth *a) 7297 { 7298 struct slist *s; 7299 7300 s = new_stmt(cstate, BPF_LD|BPF_MEM); 7301 s->s.k = a->regno; 7302 return s; 7303 } 7304 7305 /* 7306 * Modify "index" to use the value stored into its register as an 7307 * offset relative to the beginning of the header for the protocol 7308 * "proto", and allocate a register and put an item "size" bytes long 7309 * (1, 2, or 4) at that offset into that register, making it the register 7310 * for "index". 7311 */ 7312 static struct arth * 7313 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst, 7314 bpf_u_int32 size) 7315 { 7316 int size_code; 7317 struct slist *s, *tmp; 7318 struct block *b; 7319 int regno = alloc_reg(cstate); 7320 7321 free_reg(cstate, inst->regno); 7322 switch (size) { 7323 7324 default: 7325 bpf_error(cstate, "data size must be 1, 2, or 4"); 7326 /*NOTREACHED*/ 7327 7328 case 1: 7329 size_code = BPF_B; 7330 break; 7331 7332 case 2: 7333 size_code = BPF_H; 7334 break; 7335 7336 case 4: 7337 size_code = BPF_W; 7338 break; 7339 } 7340 switch (proto) { 7341 default: 7342 bpf_error(cstate, "unsupported index operation"); 7343 7344 case Q_RADIO: 7345 /* 7346 * The offset is relative to the beginning of the packet 7347 * data, if we have a radio header. (If we don't, this 7348 * is an error.) 7349 */ 7350 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS && 7351 cstate->linktype != DLT_IEEE802_11_RADIO && 7352 cstate->linktype != DLT_PRISM_HEADER) 7353 bpf_error(cstate, "radio information not present in capture"); 7354 7355 /* 7356 * Load into the X register the offset computed into the 7357 * register specified by "index". 7358 */ 7359 s = xfer_to_x(cstate, inst); 7360 7361 /* 7362 * Load the item at that offset. 7363 */ 7364 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code); 7365 sappend(s, tmp); 7366 sappend(inst->s, s); 7367 break; 7368 7369 case Q_LINK: 7370 /* 7371 * The offset is relative to the beginning of 7372 * the link-layer header. 7373 * 7374 * XXX - what about ATM LANE? Should the index be 7375 * relative to the beginning of the AAL5 frame, so 7376 * that 0 refers to the beginning of the LE Control 7377 * field, or relative to the beginning of the LAN 7378 * frame, so that 0 refers, for Ethernet LANE, to 7379 * the beginning of the destination address? 7380 */ 7381 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr); 7382 7383 /* 7384 * If "s" is non-null, it has code to arrange that the 7385 * X register contains the length of the prefix preceding 7386 * the link-layer header. Add to it the offset computed 7387 * into the register specified by "index", and move that 7388 * into the X register. Otherwise, just load into the X 7389 * register the offset computed into the register specified 7390 * by "index". 7391 */ 7392 if (s != NULL) { 7393 sappend(s, xfer_to_a(cstate, inst)); 7394 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7395 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7396 } else 7397 s = xfer_to_x(cstate, inst); 7398 7399 /* 7400 * Load the item at the sum of the offset we've put in the 7401 * X register and the offset of the start of the link 7402 * layer header (which is 0 if the radio header is 7403 * variable-length; that header length is what we put 7404 * into the X register and then added to the index). 7405 */ 7406 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code); 7407 tmp->s.k = cstate->off_linkhdr.constant_part; 7408 sappend(s, tmp); 7409 sappend(inst->s, s); 7410 break; 7411 7412 case Q_IP: 7413 case Q_ARP: 7414 case Q_RARP: 7415 case Q_ATALK: 7416 case Q_DECNET: 7417 case Q_SCA: 7418 case Q_LAT: 7419 case Q_MOPRC: 7420 case Q_MOPDL: 7421 case Q_IPV6: 7422 /* 7423 * The offset is relative to the beginning of 7424 * the network-layer header. 7425 * XXX - are there any cases where we want 7426 * cstate->off_nl_nosnap? 7427 */ 7428 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7429 7430 /* 7431 * If "s" is non-null, it has code to arrange that the 7432 * X register contains the variable part of the offset 7433 * of the link-layer payload. Add to it the offset 7434 * computed into the register specified by "index", 7435 * and move that into the X register. Otherwise, just 7436 * load into the X register the offset computed into 7437 * the register specified by "index". 7438 */ 7439 if (s != NULL) { 7440 sappend(s, xfer_to_a(cstate, inst)); 7441 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7442 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7443 } else 7444 s = xfer_to_x(cstate, inst); 7445 7446 /* 7447 * Load the item at the sum of the offset we've put in the 7448 * X register, the offset of the start of the network 7449 * layer header from the beginning of the link-layer 7450 * payload, and the constant part of the offset of the 7451 * start of the link-layer payload. 7452 */ 7453 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code); 7454 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7455 sappend(s, tmp); 7456 sappend(inst->s, s); 7457 7458 /* 7459 * Do the computation only if the packet contains 7460 * the protocol in question. 7461 */ 7462 b = gen_proto_abbrev_internal(cstate, proto); 7463 if (inst->b) 7464 gen_and(inst->b, b); 7465 inst->b = b; 7466 break; 7467 7468 case Q_SCTP: 7469 case Q_TCP: 7470 case Q_UDP: 7471 case Q_ICMP: 7472 case Q_IGMP: 7473 case Q_IGRP: 7474 case Q_PIM: 7475 case Q_VRRP: 7476 case Q_CARP: 7477 /* 7478 * The offset is relative to the beginning of 7479 * the transport-layer header. 7480 * 7481 * Load the X register with the length of the IPv4 header 7482 * (plus the offset of the link-layer header, if it's 7483 * a variable-length header), in bytes. 7484 * 7485 * XXX - are there any cases where we want 7486 * cstate->off_nl_nosnap? 7487 * XXX - we should, if we're built with 7488 * IPv6 support, generate code to load either 7489 * IPv4, IPv6, or both, as appropriate. 7490 */ 7491 s = gen_loadx_iphdrlen(cstate); 7492 7493 /* 7494 * The X register now contains the sum of the variable 7495 * part of the offset of the link-layer payload and the 7496 * length of the network-layer header. 7497 * 7498 * Load into the A register the offset relative to 7499 * the beginning of the transport layer header, 7500 * add the X register to that, move that to the 7501 * X register, and load with an offset from the 7502 * X register equal to the sum of the constant part of 7503 * the offset of the link-layer payload and the offset, 7504 * relative to the beginning of the link-layer payload, 7505 * of the network-layer header. 7506 */ 7507 sappend(s, xfer_to_a(cstate, inst)); 7508 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7509 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7510 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code)); 7511 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7512 sappend(inst->s, s); 7513 7514 /* 7515 * Do the computation only if the packet contains 7516 * the protocol in question - which is true only 7517 * if this is an IP datagram and is the first or 7518 * only fragment of that datagram. 7519 */ 7520 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate)); 7521 if (inst->b) 7522 gen_and(inst->b, b); 7523 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b); 7524 inst->b = b; 7525 break; 7526 case Q_ICMPV6: 7527 /* 7528 * Do the computation only if the packet contains 7529 * the protocol in question. 7530 */ 7531 b = gen_proto_abbrev_internal(cstate, Q_IPV6); 7532 if (inst->b) { 7533 gen_and(inst->b, b); 7534 } 7535 inst->b = b; 7536 7537 /* 7538 * Check if we have an icmp6 next header 7539 */ 7540 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58); 7541 if (inst->b) { 7542 gen_and(inst->b, b); 7543 } 7544 inst->b = b; 7545 7546 7547 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7548 /* 7549 * If "s" is non-null, it has code to arrange that the 7550 * X register contains the variable part of the offset 7551 * of the link-layer payload. Add to it the offset 7552 * computed into the register specified by "index", 7553 * and move that into the X register. Otherwise, just 7554 * load into the X register the offset computed into 7555 * the register specified by "index". 7556 */ 7557 if (s != NULL) { 7558 sappend(s, xfer_to_a(cstate, inst)); 7559 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7560 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7561 } else { 7562 s = xfer_to_x(cstate, inst); 7563 } 7564 7565 /* 7566 * Load the item at the sum of the offset we've put in the 7567 * X register, the offset of the start of the network 7568 * layer header from the beginning of the link-layer 7569 * payload, and the constant part of the offset of the 7570 * start of the link-layer payload. 7571 */ 7572 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code); 7573 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40; 7574 7575 sappend(s, tmp); 7576 sappend(inst->s, s); 7577 7578 break; 7579 } 7580 inst->regno = regno; 7581 s = new_stmt(cstate, BPF_ST); 7582 s->s.k = regno; 7583 sappend(inst->s, s); 7584 7585 return inst; 7586 } 7587 7588 struct arth * 7589 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, 7590 bpf_u_int32 size) 7591 { 7592 /* 7593 * Catch errors reported by us and routines below us, and return NULL 7594 * on an error. 7595 */ 7596 if (setjmp(cstate->top_ctx)) 7597 return (NULL); 7598 7599 return gen_load_internal(cstate, proto, inst, size); 7600 } 7601 7602 static struct block * 7603 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0, 7604 struct arth *a1, int reversed) 7605 { 7606 struct slist *s0, *s1, *s2; 7607 struct block *b, *tmp; 7608 7609 s0 = xfer_to_x(cstate, a1); 7610 s1 = xfer_to_a(cstate, a0); 7611 if (code == BPF_JEQ) { 7612 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X); 7613 b = new_block(cstate, JMP(code)); 7614 sappend(s1, s2); 7615 } 7616 else 7617 b = new_block(cstate, BPF_JMP|code|BPF_X); 7618 if (reversed) 7619 gen_not(b); 7620 7621 sappend(s0, s1); 7622 sappend(a1->s, s0); 7623 sappend(a0->s, a1->s); 7624 7625 b->stmts = a0->s; 7626 7627 free_reg(cstate, a0->regno); 7628 free_reg(cstate, a1->regno); 7629 7630 /* 'and' together protocol checks */ 7631 if (a0->b) { 7632 if (a1->b) { 7633 gen_and(a0->b, tmp = a1->b); 7634 } 7635 else 7636 tmp = a0->b; 7637 } else 7638 tmp = a1->b; 7639 7640 if (tmp) 7641 gen_and(tmp, b); 7642 7643 return b; 7644 } 7645 7646 struct block * 7647 gen_relation(compiler_state_t *cstate, int code, struct arth *a0, 7648 struct arth *a1, int reversed) 7649 { 7650 /* 7651 * Catch errors reported by us and routines below us, and return NULL 7652 * on an error. 7653 */ 7654 if (setjmp(cstate->top_ctx)) 7655 return (NULL); 7656 7657 return gen_relation_internal(cstate, code, a0, a1, reversed); 7658 } 7659 7660 struct arth * 7661 gen_loadlen(compiler_state_t *cstate) 7662 { 7663 int regno; 7664 struct arth *a; 7665 struct slist *s; 7666 7667 /* 7668 * Catch errors reported by us and routines below us, and return NULL 7669 * on an error. 7670 */ 7671 if (setjmp(cstate->top_ctx)) 7672 return (NULL); 7673 7674 regno = alloc_reg(cstate); 7675 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7676 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7677 s->next = new_stmt(cstate, BPF_ST); 7678 s->next->s.k = regno; 7679 a->s = s; 7680 a->regno = regno; 7681 7682 return a; 7683 } 7684 7685 static struct arth * 7686 gen_loadi_internal(compiler_state_t *cstate, bpf_u_int32 val) 7687 { 7688 struct arth *a; 7689 struct slist *s; 7690 int reg; 7691 7692 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7693 7694 reg = alloc_reg(cstate); 7695 7696 s = new_stmt(cstate, BPF_LD|BPF_IMM); 7697 s->s.k = val; 7698 s->next = new_stmt(cstate, BPF_ST); 7699 s->next->s.k = reg; 7700 a->s = s; 7701 a->regno = reg; 7702 7703 return a; 7704 } 7705 7706 struct arth * 7707 gen_loadi(compiler_state_t *cstate, bpf_u_int32 val) 7708 { 7709 /* 7710 * Catch errors reported by us and routines below us, and return NULL 7711 * on an error. 7712 */ 7713 if (setjmp(cstate->top_ctx)) 7714 return (NULL); 7715 7716 return gen_loadi_internal(cstate, val); 7717 } 7718 7719 /* 7720 * The a_arg dance is to avoid annoying whining by compilers that 7721 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 7722 * It's not *used* after setjmp returns. 7723 */ 7724 struct arth * 7725 gen_neg(compiler_state_t *cstate, struct arth *a_arg) 7726 { 7727 struct arth *a = a_arg; 7728 struct slist *s; 7729 7730 /* 7731 * Catch errors reported by us and routines below us, and return NULL 7732 * on an error. 7733 */ 7734 if (setjmp(cstate->top_ctx)) 7735 return (NULL); 7736 7737 s = xfer_to_a(cstate, a); 7738 sappend(a->s, s); 7739 s = new_stmt(cstate, BPF_ALU|BPF_NEG); 7740 s->s.k = 0; 7741 sappend(a->s, s); 7742 s = new_stmt(cstate, BPF_ST); 7743 s->s.k = a->regno; 7744 sappend(a->s, s); 7745 7746 return a; 7747 } 7748 7749 /* 7750 * The a0_arg dance is to avoid annoying whining by compilers that 7751 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 7752 * It's not *used* after setjmp returns. 7753 */ 7754 struct arth * 7755 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg, 7756 struct arth *a1) 7757 { 7758 struct arth *a0 = a0_arg; 7759 struct slist *s0, *s1, *s2; 7760 7761 /* 7762 * Catch errors reported by us and routines below us, and return NULL 7763 * on an error. 7764 */ 7765 if (setjmp(cstate->top_ctx)) 7766 return (NULL); 7767 7768 /* 7769 * Disallow division by, or modulus by, zero; we do this here 7770 * so that it gets done even if the optimizer is disabled. 7771 * 7772 * Also disallow shifts by a value greater than 31; we do this 7773 * here, for the same reason. 7774 */ 7775 if (code == BPF_DIV) { 7776 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7777 bpf_error(cstate, "division by zero"); 7778 } else if (code == BPF_MOD) { 7779 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7780 bpf_error(cstate, "modulus by zero"); 7781 } else if (code == BPF_LSH || code == BPF_RSH) { 7782 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k > 31) 7783 bpf_error(cstate, "shift by more than 31 bits"); 7784 } 7785 s0 = xfer_to_x(cstate, a1); 7786 s1 = xfer_to_a(cstate, a0); 7787 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code); 7788 7789 sappend(s1, s2); 7790 sappend(s0, s1); 7791 sappend(a1->s, s0); 7792 sappend(a0->s, a1->s); 7793 7794 free_reg(cstate, a0->regno); 7795 free_reg(cstate, a1->regno); 7796 7797 s0 = new_stmt(cstate, BPF_ST); 7798 a0->regno = s0->s.k = alloc_reg(cstate); 7799 sappend(a0->s, s0); 7800 7801 return a0; 7802 } 7803 7804 /* 7805 * Initialize the table of used registers and the current register. 7806 */ 7807 static void 7808 init_regs(compiler_state_t *cstate) 7809 { 7810 cstate->curreg = 0; 7811 memset(cstate->regused, 0, sizeof cstate->regused); 7812 } 7813 7814 /* 7815 * Return the next free register. 7816 */ 7817 static int 7818 alloc_reg(compiler_state_t *cstate) 7819 { 7820 int n = BPF_MEMWORDS; 7821 7822 while (--n >= 0) { 7823 if (cstate->regused[cstate->curreg]) 7824 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS; 7825 else { 7826 cstate->regused[cstate->curreg] = 1; 7827 return cstate->curreg; 7828 } 7829 } 7830 bpf_error(cstate, "too many registers needed to evaluate expression"); 7831 /*NOTREACHED*/ 7832 } 7833 7834 /* 7835 * Return a register to the table so it can 7836 * be used later. 7837 */ 7838 static void 7839 free_reg(compiler_state_t *cstate, int n) 7840 { 7841 cstate->regused[n] = 0; 7842 } 7843 7844 static struct block * 7845 gen_len(compiler_state_t *cstate, int jmp, int n) 7846 { 7847 struct slist *s; 7848 struct block *b; 7849 7850 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7851 b = new_block(cstate, JMP(jmp)); 7852 b->stmts = s; 7853 b->s.k = n; 7854 7855 return b; 7856 } 7857 7858 struct block * 7859 gen_greater(compiler_state_t *cstate, int n) 7860 { 7861 /* 7862 * Catch errors reported by us and routines below us, and return NULL 7863 * on an error. 7864 */ 7865 if (setjmp(cstate->top_ctx)) 7866 return (NULL); 7867 7868 return gen_len(cstate, BPF_JGE, n); 7869 } 7870 7871 /* 7872 * Actually, this is less than or equal. 7873 */ 7874 struct block * 7875 gen_less(compiler_state_t *cstate, int n) 7876 { 7877 struct block *b; 7878 7879 /* 7880 * Catch errors reported by us and routines below us, and return NULL 7881 * on an error. 7882 */ 7883 if (setjmp(cstate->top_ctx)) 7884 return (NULL); 7885 7886 b = gen_len(cstate, BPF_JGT, n); 7887 gen_not(b); 7888 7889 return b; 7890 } 7891 7892 /* 7893 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7894 * the beginning of the link-layer header. 7895 * XXX - that means you can't test values in the radiotap header, but 7896 * as that header is difficult if not impossible to parse generally 7897 * without a loop, that might not be a severe problem. A new keyword 7898 * "radio" could be added for that, although what you'd really want 7899 * would be a way of testing particular radio header values, which 7900 * would generate code appropriate to the radio header in question. 7901 */ 7902 struct block * 7903 gen_byteop(compiler_state_t *cstate, int op, int idx, bpf_u_int32 val) 7904 { 7905 struct block *b; 7906 struct slist *s; 7907 7908 /* 7909 * Catch errors reported by us and routines below us, and return NULL 7910 * on an error. 7911 */ 7912 if (setjmp(cstate->top_ctx)) 7913 return (NULL); 7914 7915 switch (op) { 7916 default: 7917 abort(); 7918 7919 case '=': 7920 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val); 7921 7922 case '<': 7923 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val); 7924 return b; 7925 7926 case '>': 7927 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val); 7928 return b; 7929 7930 case '|': 7931 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K); 7932 break; 7933 7934 case '&': 7935 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 7936 break; 7937 } 7938 s->s.k = val; 7939 b = new_block(cstate, JMP(BPF_JEQ)); 7940 b->stmts = s; 7941 gen_not(b); 7942 7943 return b; 7944 } 7945 7946 static const u_char abroadcast[] = { 0x0 }; 7947 7948 struct block * 7949 gen_broadcast(compiler_state_t *cstate, int proto) 7950 { 7951 bpf_u_int32 hostmask; 7952 struct block *b0, *b1, *b2; 7953 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7954 7955 /* 7956 * Catch errors reported by us and routines below us, and return NULL 7957 * on an error. 7958 */ 7959 if (setjmp(cstate->top_ctx)) 7960 return (NULL); 7961 7962 switch (proto) { 7963 7964 case Q_DEFAULT: 7965 case Q_LINK: 7966 switch (cstate->linktype) { 7967 case DLT_ARCNET: 7968 case DLT_ARCNET_LINUX: 7969 return gen_ahostop(cstate, abroadcast, Q_DST); 7970 case DLT_EN10MB: 7971 case DLT_NETANALYZER: 7972 case DLT_NETANALYZER_TRANSPARENT: 7973 b1 = gen_prevlinkhdr_check(cstate); 7974 b0 = gen_ehostop(cstate, ebroadcast, Q_DST); 7975 if (b1 != NULL) 7976 gen_and(b1, b0); 7977 return b0; 7978 case DLT_FDDI: 7979 return gen_fhostop(cstate, ebroadcast, Q_DST); 7980 case DLT_IEEE802: 7981 return gen_thostop(cstate, ebroadcast, Q_DST); 7982 case DLT_IEEE802_11: 7983 case DLT_PRISM_HEADER: 7984 case DLT_IEEE802_11_RADIO_AVS: 7985 case DLT_IEEE802_11_RADIO: 7986 case DLT_PPI: 7987 return gen_wlanhostop(cstate, ebroadcast, Q_DST); 7988 case DLT_IP_OVER_FC: 7989 return gen_ipfchostop(cstate, ebroadcast, Q_DST); 7990 default: 7991 bpf_error(cstate, "not a broadcast link"); 7992 } 7993 /*NOTREACHED*/ 7994 7995 case Q_IP: 7996 /* 7997 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7998 * as an indication that we don't know the netmask, and fail 7999 * in that case. 8000 */ 8001 if (cstate->netmask == PCAP_NETMASK_UNKNOWN) 8002 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported"); 8003 b0 = gen_linktype(cstate, ETHERTYPE_IP); 8004 hostmask = ~cstate->netmask; 8005 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 0, hostmask); 8006 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 8007 ~0 & hostmask, hostmask); 8008 gen_or(b1, b2); 8009 gen_and(b0, b2); 8010 return b2; 8011 } 8012 bpf_error(cstate, "only link-layer/IP broadcast filters supported"); 8013 /*NOTREACHED*/ 8014 } 8015 8016 /* 8017 * Generate code to test the low-order bit of a MAC address (that's 8018 * the bottom bit of the *first* byte). 8019 */ 8020 static struct block * 8021 gen_mac_multicast(compiler_state_t *cstate, int offset) 8022 { 8023 register struct block *b0; 8024 register struct slist *s; 8025 8026 /* link[offset] & 1 != 0 */ 8027 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B); 8028 b0 = new_block(cstate, JMP(BPF_JSET)); 8029 b0->s.k = 1; 8030 b0->stmts = s; 8031 return b0; 8032 } 8033 8034 struct block * 8035 gen_multicast(compiler_state_t *cstate, int proto) 8036 { 8037 register struct block *b0, *b1, *b2; 8038 register struct slist *s; 8039 8040 /* 8041 * Catch errors reported by us and routines below us, and return NULL 8042 * on an error. 8043 */ 8044 if (setjmp(cstate->top_ctx)) 8045 return (NULL); 8046 8047 switch (proto) { 8048 8049 case Q_DEFAULT: 8050 case Q_LINK: 8051 switch (cstate->linktype) { 8052 case DLT_ARCNET: 8053 case DLT_ARCNET_LINUX: 8054 /* all ARCnet multicasts use the same address */ 8055 return gen_ahostop(cstate, abroadcast, Q_DST); 8056 case DLT_EN10MB: 8057 case DLT_NETANALYZER: 8058 case DLT_NETANALYZER_TRANSPARENT: 8059 b1 = gen_prevlinkhdr_check(cstate); 8060 /* ether[0] & 1 != 0 */ 8061 b0 = gen_mac_multicast(cstate, 0); 8062 if (b1 != NULL) 8063 gen_and(b1, b0); 8064 return b0; 8065 case DLT_FDDI: 8066 /* 8067 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 8068 * 8069 * XXX - was that referring to bit-order issues? 8070 */ 8071 /* fddi[1] & 1 != 0 */ 8072 return gen_mac_multicast(cstate, 1); 8073 case DLT_IEEE802: 8074 /* tr[2] & 1 != 0 */ 8075 return gen_mac_multicast(cstate, 2); 8076 case DLT_IEEE802_11: 8077 case DLT_PRISM_HEADER: 8078 case DLT_IEEE802_11_RADIO_AVS: 8079 case DLT_IEEE802_11_RADIO: 8080 case DLT_PPI: 8081 /* 8082 * Oh, yuk. 8083 * 8084 * For control frames, there is no DA. 8085 * 8086 * For management frames, DA is at an 8087 * offset of 4 from the beginning of 8088 * the packet. 8089 * 8090 * For data frames, DA is at an offset 8091 * of 4 from the beginning of the packet 8092 * if To DS is clear and at an offset of 8093 * 16 from the beginning of the packet 8094 * if To DS is set. 8095 */ 8096 8097 /* 8098 * Generate the tests to be done for data frames. 8099 * 8100 * First, check for To DS set, i.e. "link[1] & 0x01". 8101 */ 8102 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 8103 b1 = new_block(cstate, JMP(BPF_JSET)); 8104 b1->s.k = 0x01; /* To DS */ 8105 b1->stmts = s; 8106 8107 /* 8108 * If To DS is set, the DA is at 16. 8109 */ 8110 b0 = gen_mac_multicast(cstate, 16); 8111 gen_and(b1, b0); 8112 8113 /* 8114 * Now, check for To DS not set, i.e. check 8115 * "!(link[1] & 0x01)". 8116 */ 8117 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 8118 b2 = new_block(cstate, JMP(BPF_JSET)); 8119 b2->s.k = 0x01; /* To DS */ 8120 b2->stmts = s; 8121 gen_not(b2); 8122 8123 /* 8124 * If To DS is not set, the DA is at 4. 8125 */ 8126 b1 = gen_mac_multicast(cstate, 4); 8127 gen_and(b2, b1); 8128 8129 /* 8130 * Now OR together the last two checks. That gives 8131 * the complete set of checks for data frames. 8132 */ 8133 gen_or(b1, b0); 8134 8135 /* 8136 * Now check for a data frame. 8137 * I.e, check "link[0] & 0x08". 8138 */ 8139 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8140 b1 = new_block(cstate, JMP(BPF_JSET)); 8141 b1->s.k = 0x08; 8142 b1->stmts = s; 8143 8144 /* 8145 * AND that with the checks done for data frames. 8146 */ 8147 gen_and(b1, b0); 8148 8149 /* 8150 * If the high-order bit of the type value is 0, this 8151 * is a management frame. 8152 * I.e, check "!(link[0] & 0x08)". 8153 */ 8154 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8155 b2 = new_block(cstate, JMP(BPF_JSET)); 8156 b2->s.k = 0x08; 8157 b2->stmts = s; 8158 gen_not(b2); 8159 8160 /* 8161 * For management frames, the DA is at 4. 8162 */ 8163 b1 = gen_mac_multicast(cstate, 4); 8164 gen_and(b2, b1); 8165 8166 /* 8167 * OR that with the checks done for data frames. 8168 * That gives the checks done for management and 8169 * data frames. 8170 */ 8171 gen_or(b1, b0); 8172 8173 /* 8174 * If the low-order bit of the type value is 1, 8175 * this is either a control frame or a frame 8176 * with a reserved type, and thus not a 8177 * frame with an SA. 8178 * 8179 * I.e., check "!(link[0] & 0x04)". 8180 */ 8181 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8182 b1 = new_block(cstate, JMP(BPF_JSET)); 8183 b1->s.k = 0x04; 8184 b1->stmts = s; 8185 gen_not(b1); 8186 8187 /* 8188 * AND that with the checks for data and management 8189 * frames. 8190 */ 8191 gen_and(b1, b0); 8192 return b0; 8193 case DLT_IP_OVER_FC: 8194 b0 = gen_mac_multicast(cstate, 2); 8195 return b0; 8196 default: 8197 break; 8198 } 8199 /* Link not known to support multicasts */ 8200 break; 8201 8202 case Q_IP: 8203 b0 = gen_linktype(cstate, ETHERTYPE_IP); 8204 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, 224); 8205 gen_and(b0, b1); 8206 return b1; 8207 8208 case Q_IPV6: 8209 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 8210 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, 255); 8211 gen_and(b0, b1); 8212 return b1; 8213 } 8214 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 8215 /*NOTREACHED*/ 8216 } 8217 8218 struct block * 8219 gen_ifindex(compiler_state_t *cstate, int ifindex) 8220 { 8221 register struct block *b0; 8222 8223 /* 8224 * Catch errors reported by us and routines below us, and return NULL 8225 * on an error. 8226 */ 8227 if (setjmp(cstate->top_ctx)) 8228 return (NULL); 8229 8230 /* 8231 * Only some data link types support ifindex qualifiers. 8232 */ 8233 switch (cstate->linktype) { 8234 case DLT_LINUX_SLL2: 8235 /* match packets on this interface */ 8236 b0 = gen_cmp(cstate, OR_LINKHDR, 4, BPF_W, ifindex); 8237 break; 8238 default: 8239 #if defined(linux) 8240 /* 8241 * This is Linux; we require PF_PACKET support. 8242 * If this is a *live* capture, we can look at 8243 * special meta-data in the filter expression; 8244 * if it's a savefile, we can't. 8245 */ 8246 if (cstate->bpf_pcap->rfile != NULL) { 8247 /* We have a FILE *, so this is a savefile */ 8248 bpf_error(cstate, "ifindex not supported on %s when reading savefiles", 8249 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8250 b0 = NULL; 8251 /*NOTREACHED*/ 8252 } 8253 /* match ifindex */ 8254 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_IFINDEX, BPF_W, 8255 ifindex); 8256 #else /* defined(linux) */ 8257 bpf_error(cstate, "ifindex not supported on %s", 8258 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8259 /*NOTREACHED*/ 8260 #endif /* defined(linux) */ 8261 } 8262 return (b0); 8263 } 8264 8265 /* 8266 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 8267 * Outbound traffic is sent by this machine, while inbound traffic is 8268 * sent by a remote machine (and may include packets destined for a 8269 * unicast or multicast link-layer address we are not subscribing to). 8270 * These are the same definitions implemented by pcap_setdirection(). 8271 * Capturing only unicast traffic destined for this host is probably 8272 * better accomplished using a higher-layer filter. 8273 */ 8274 struct block * 8275 gen_inbound(compiler_state_t *cstate, int dir) 8276 { 8277 register struct block *b0; 8278 8279 /* 8280 * Catch errors reported by us and routines below us, and return NULL 8281 * on an error. 8282 */ 8283 if (setjmp(cstate->top_ctx)) 8284 return (NULL); 8285 8286 /* 8287 * Only some data link types support inbound/outbound qualifiers. 8288 */ 8289 switch (cstate->linktype) { 8290 case DLT_SLIP: 8291 b0 = gen_relation_internal(cstate, BPF_JEQ, 8292 gen_load_internal(cstate, Q_LINK, gen_loadi_internal(cstate, 0), 1), 8293 gen_loadi_internal(cstate, 0), 8294 dir); 8295 break; 8296 8297 case DLT_IPNET: 8298 if (dir) { 8299 /* match outgoing packets */ 8300 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND); 8301 } else { 8302 /* match incoming packets */ 8303 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND); 8304 } 8305 break; 8306 8307 case DLT_LINUX_SLL: 8308 /* match outgoing packets */ 8309 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING); 8310 if (!dir) { 8311 /* to filter on inbound traffic, invert the match */ 8312 gen_not(b0); 8313 } 8314 break; 8315 8316 case DLT_LINUX_SLL2: 8317 /* match outgoing packets */ 8318 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING); 8319 if (!dir) { 8320 /* to filter on inbound traffic, invert the match */ 8321 gen_not(b0); 8322 } 8323 break; 8324 8325 case DLT_PFLOG: 8326 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B, 8327 ((dir == 0) ? PF_IN : PF_OUT)); 8328 break; 8329 8330 case DLT_PPP_PPPD: 8331 if (dir) { 8332 /* match outgoing packets */ 8333 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT); 8334 } else { 8335 /* match incoming packets */ 8336 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN); 8337 } 8338 break; 8339 8340 case DLT_JUNIPER_MFR: 8341 case DLT_JUNIPER_MLFR: 8342 case DLT_JUNIPER_MLPPP: 8343 case DLT_JUNIPER_ATM1: 8344 case DLT_JUNIPER_ATM2: 8345 case DLT_JUNIPER_PPPOE: 8346 case DLT_JUNIPER_PPPOE_ATM: 8347 case DLT_JUNIPER_GGSN: 8348 case DLT_JUNIPER_ES: 8349 case DLT_JUNIPER_MONITOR: 8350 case DLT_JUNIPER_SERVICES: 8351 case DLT_JUNIPER_ETHER: 8352 case DLT_JUNIPER_PPP: 8353 case DLT_JUNIPER_FRELAY: 8354 case DLT_JUNIPER_CHDLC: 8355 case DLT_JUNIPER_VP: 8356 case DLT_JUNIPER_ST: 8357 case DLT_JUNIPER_ISM: 8358 case DLT_JUNIPER_VS: 8359 case DLT_JUNIPER_SRX_E2E: 8360 case DLT_JUNIPER_FIBRECHANNEL: 8361 case DLT_JUNIPER_ATM_CEMIC: 8362 8363 /* juniper flags (including direction) are stored 8364 * the byte after the 3-byte magic number */ 8365 if (dir) { 8366 /* match outgoing packets */ 8367 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01); 8368 } else { 8369 /* match incoming packets */ 8370 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01); 8371 } 8372 break; 8373 8374 default: 8375 /* 8376 * If we have packet meta-data indicating a direction, 8377 * and that metadata can be checked by BPF code, check 8378 * it. Otherwise, give up, as this link-layer type has 8379 * nothing in the packet data. 8380 * 8381 * Currently, the only platform where a BPF filter can 8382 * check that metadata is Linux with the in-kernel 8383 * BPF interpreter. If other packet capture mechanisms 8384 * and BPF filters also supported this, it would be 8385 * nice. It would be even better if they made that 8386 * metadata available so that we could provide it 8387 * with newer capture APIs, allowing it to be saved 8388 * in pcapng files. 8389 */ 8390 #if defined(linux) 8391 /* 8392 * This is Linux; we require PF_PACKET support. 8393 * If this is a *live* capture, we can look at 8394 * special meta-data in the filter expression; 8395 * if it's a savefile, we can't. 8396 */ 8397 if (cstate->bpf_pcap->rfile != NULL) { 8398 /* We have a FILE *, so this is a savefile */ 8399 bpf_error(cstate, "inbound/outbound not supported on %s when reading savefiles", 8400 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8401 /*NOTREACHED*/ 8402 } 8403 /* match outgoing packets */ 8404 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 8405 PACKET_OUTGOING); 8406 if (!dir) { 8407 /* to filter on inbound traffic, invert the match */ 8408 gen_not(b0); 8409 } 8410 #else /* defined(linux) */ 8411 bpf_error(cstate, "inbound/outbound not supported on %s", 8412 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8413 /*NOTREACHED*/ 8414 #endif /* defined(linux) */ 8415 } 8416 return (b0); 8417 } 8418 8419 /* PF firewall log matched interface */ 8420 struct block * 8421 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 8422 { 8423 struct block *b0; 8424 u_int len, off; 8425 8426 /* 8427 * Catch errors reported by us and routines below us, and return NULL 8428 * on an error. 8429 */ 8430 if (setjmp(cstate->top_ctx)) 8431 return (NULL); 8432 8433 if (cstate->linktype != DLT_PFLOG) { 8434 bpf_error(cstate, "ifname supported only on PF linktype"); 8435 /*NOTREACHED*/ 8436 } 8437 len = sizeof(((struct pfloghdr *)0)->ifname); 8438 off = offsetof(struct pfloghdr, ifname); 8439 if (strlen(ifname) >= len) { 8440 bpf_error(cstate, "ifname interface names can only be %d characters", 8441 len-1); 8442 /*NOTREACHED*/ 8443 } 8444 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname), 8445 (const u_char *)ifname); 8446 return (b0); 8447 } 8448 8449 /* PF firewall log ruleset name */ 8450 struct block * 8451 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 8452 { 8453 struct block *b0; 8454 8455 /* 8456 * Catch errors reported by us and routines below us, and return NULL 8457 * on an error. 8458 */ 8459 if (setjmp(cstate->top_ctx)) 8460 return (NULL); 8461 8462 if (cstate->linktype != DLT_PFLOG) { 8463 bpf_error(cstate, "ruleset supported only on PF linktype"); 8464 /*NOTREACHED*/ 8465 } 8466 8467 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 8468 bpf_error(cstate, "ruleset names can only be %ld characters", 8469 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 8470 /*NOTREACHED*/ 8471 } 8472 8473 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset), 8474 (u_int)strlen(ruleset), (const u_char *)ruleset); 8475 return (b0); 8476 } 8477 8478 /* PF firewall log rule number */ 8479 struct block * 8480 gen_pf_rnr(compiler_state_t *cstate, int rnr) 8481 { 8482 struct block *b0; 8483 8484 /* 8485 * Catch errors reported by us and routines below us, and return NULL 8486 * on an error. 8487 */ 8488 if (setjmp(cstate->top_ctx)) 8489 return (NULL); 8490 8491 if (cstate->linktype != DLT_PFLOG) { 8492 bpf_error(cstate, "rnr supported only on PF linktype"); 8493 /*NOTREACHED*/ 8494 } 8495 8496 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W, 8497 (bpf_u_int32)rnr); 8498 return (b0); 8499 } 8500 8501 /* PF firewall log sub-rule number */ 8502 struct block * 8503 gen_pf_srnr(compiler_state_t *cstate, int srnr) 8504 { 8505 struct block *b0; 8506 8507 /* 8508 * Catch errors reported by us and routines below us, and return NULL 8509 * on an error. 8510 */ 8511 if (setjmp(cstate->top_ctx)) 8512 return (NULL); 8513 8514 if (cstate->linktype != DLT_PFLOG) { 8515 bpf_error(cstate, "srnr supported only on PF linktype"); 8516 /*NOTREACHED*/ 8517 } 8518 8519 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W, 8520 (bpf_u_int32)srnr); 8521 return (b0); 8522 } 8523 8524 /* PF firewall log reason code */ 8525 struct block * 8526 gen_pf_reason(compiler_state_t *cstate, int reason) 8527 { 8528 struct block *b0; 8529 8530 /* 8531 * Catch errors reported by us and routines below us, and return NULL 8532 * on an error. 8533 */ 8534 if (setjmp(cstate->top_ctx)) 8535 return (NULL); 8536 8537 if (cstate->linktype != DLT_PFLOG) { 8538 bpf_error(cstate, "reason supported only on PF linktype"); 8539 /*NOTREACHED*/ 8540 } 8541 8542 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B, 8543 (bpf_u_int32)reason); 8544 return (b0); 8545 } 8546 8547 /* PF firewall log action */ 8548 struct block * 8549 gen_pf_action(compiler_state_t *cstate, int action) 8550 { 8551 struct block *b0; 8552 8553 /* 8554 * Catch errors reported by us and routines below us, and return NULL 8555 * on an error. 8556 */ 8557 if (setjmp(cstate->top_ctx)) 8558 return (NULL); 8559 8560 if (cstate->linktype != DLT_PFLOG) { 8561 bpf_error(cstate, "action supported only on PF linktype"); 8562 /*NOTREACHED*/ 8563 } 8564 8565 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B, 8566 (bpf_u_int32)action); 8567 return (b0); 8568 } 8569 8570 /* IEEE 802.11 wireless header */ 8571 struct block * 8572 gen_p80211_type(compiler_state_t *cstate, bpf_u_int32 type, bpf_u_int32 mask) 8573 { 8574 struct block *b0; 8575 8576 /* 8577 * Catch errors reported by us and routines below us, and return NULL 8578 * on an error. 8579 */ 8580 if (setjmp(cstate->top_ctx)) 8581 return (NULL); 8582 8583 switch (cstate->linktype) { 8584 8585 case DLT_IEEE802_11: 8586 case DLT_PRISM_HEADER: 8587 case DLT_IEEE802_11_RADIO_AVS: 8588 case DLT_IEEE802_11_RADIO: 8589 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, type, mask); 8590 break; 8591 8592 default: 8593 bpf_error(cstate, "802.11 link-layer types supported only on 802.11"); 8594 /*NOTREACHED*/ 8595 } 8596 8597 return (b0); 8598 } 8599 8600 struct block * 8601 gen_p80211_fcdir(compiler_state_t *cstate, bpf_u_int32 fcdir) 8602 { 8603 struct block *b0; 8604 8605 /* 8606 * Catch errors reported by us and routines below us, and return NULL 8607 * on an error. 8608 */ 8609 if (setjmp(cstate->top_ctx)) 8610 return (NULL); 8611 8612 switch (cstate->linktype) { 8613 8614 case DLT_IEEE802_11: 8615 case DLT_PRISM_HEADER: 8616 case DLT_IEEE802_11_RADIO_AVS: 8617 case DLT_IEEE802_11_RADIO: 8618 break; 8619 8620 default: 8621 bpf_error(cstate, "frame direction supported only with 802.11 headers"); 8622 /*NOTREACHED*/ 8623 } 8624 8625 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, fcdir, 8626 IEEE80211_FC1_DIR_MASK); 8627 8628 return (b0); 8629 } 8630 8631 struct block * 8632 gen_acode(compiler_state_t *cstate, const char *s, struct qual q) 8633 { 8634 struct block *b; 8635 8636 /* 8637 * Catch errors reported by us and routines below us, and return NULL 8638 * on an error. 8639 */ 8640 if (setjmp(cstate->top_ctx)) 8641 return (NULL); 8642 8643 switch (cstate->linktype) { 8644 8645 case DLT_ARCNET: 8646 case DLT_ARCNET_LINUX: 8647 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 8648 q.proto == Q_LINK) { 8649 cstate->e = pcap_ether_aton(s); 8650 if (cstate->e == NULL) 8651 bpf_error(cstate, "malloc"); 8652 b = gen_ahostop(cstate, cstate->e, (int)q.dir); 8653 free(cstate->e); 8654 cstate->e = NULL; 8655 return (b); 8656 } else 8657 bpf_error(cstate, "ARCnet address used in non-arc expression"); 8658 /*NOTREACHED*/ 8659 8660 default: 8661 bpf_error(cstate, "aid supported only on ARCnet"); 8662 /*NOTREACHED*/ 8663 } 8664 } 8665 8666 static struct block * 8667 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 8668 { 8669 register struct block *b0, *b1; 8670 8671 switch (dir) { 8672 /* src comes first, different from Ethernet */ 8673 case Q_SRC: 8674 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr); 8675 8676 case Q_DST: 8677 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr); 8678 8679 case Q_AND: 8680 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8681 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8682 gen_and(b0, b1); 8683 return b1; 8684 8685 case Q_DEFAULT: 8686 case Q_OR: 8687 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8688 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8689 gen_or(b0, b1); 8690 return b1; 8691 8692 case Q_ADDR1: 8693 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 8694 /*NOTREACHED*/ 8695 8696 case Q_ADDR2: 8697 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 8698 /*NOTREACHED*/ 8699 8700 case Q_ADDR3: 8701 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 8702 /*NOTREACHED*/ 8703 8704 case Q_ADDR4: 8705 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 8706 /*NOTREACHED*/ 8707 8708 case Q_RA: 8709 bpf_error(cstate, "'ra' is only supported on 802.11"); 8710 /*NOTREACHED*/ 8711 8712 case Q_TA: 8713 bpf_error(cstate, "'ta' is only supported on 802.11"); 8714 /*NOTREACHED*/ 8715 } 8716 abort(); 8717 /*NOTREACHED*/ 8718 } 8719 8720 static struct block * 8721 gen_vlan_tpid_test(compiler_state_t *cstate) 8722 { 8723 struct block *b0, *b1; 8724 8725 /* check for VLAN, including 802.1ad and QinQ */ 8726 b0 = gen_linktype(cstate, ETHERTYPE_8021Q); 8727 b1 = gen_linktype(cstate, ETHERTYPE_8021AD); 8728 gen_or(b0,b1); 8729 b0 = b1; 8730 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ); 8731 gen_or(b0,b1); 8732 8733 return b1; 8734 } 8735 8736 static struct block * 8737 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num) 8738 { 8739 if (vlan_num > 0x0fff) { 8740 bpf_error(cstate, "VLAN tag %u greater than maximum %u", 8741 vlan_num, 0x0fff); 8742 } 8743 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, vlan_num, 0x0fff); 8744 } 8745 8746 static struct block * 8747 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num, 8748 int has_vlan_tag) 8749 { 8750 struct block *b0, *b1; 8751 8752 b0 = gen_vlan_tpid_test(cstate); 8753 8754 if (has_vlan_tag) { 8755 b1 = gen_vlan_vid_test(cstate, vlan_num); 8756 gen_and(b0, b1); 8757 b0 = b1; 8758 } 8759 8760 /* 8761 * Both payload and link header type follow the VLAN tags so that 8762 * both need to be updated. 8763 */ 8764 cstate->off_linkpl.constant_part += 4; 8765 cstate->off_linktype.constant_part += 4; 8766 8767 return b0; 8768 } 8769 8770 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8771 /* add v to variable part of off */ 8772 static void 8773 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off, 8774 bpf_u_int32 v, struct slist *s) 8775 { 8776 struct slist *s2; 8777 8778 if (!off->is_variable) 8779 off->is_variable = 1; 8780 if (off->reg == -1) 8781 off->reg = alloc_reg(cstate); 8782 8783 s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 8784 s2->s.k = off->reg; 8785 sappend(s, s2); 8786 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 8787 s2->s.k = v; 8788 sappend(s, s2); 8789 s2 = new_stmt(cstate, BPF_ST); 8790 s2->s.k = off->reg; 8791 sappend(s, s2); 8792 } 8793 8794 /* 8795 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload 8796 * and link type offsets first 8797 */ 8798 static void 8799 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid) 8800 { 8801 struct slist s; 8802 8803 /* offset determined at run time, shift variable part */ 8804 s.next = NULL; 8805 cstate->is_vlan_vloffset = 1; 8806 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s); 8807 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s); 8808 8809 /* we get a pointer to a chain of or-ed blocks, patch first of them */ 8810 sappend(s.next, b_tpid->head->stmts); 8811 b_tpid->head->stmts = s.next; 8812 } 8813 8814 /* 8815 * patch block b_vid (VLAN id test) to load VID value either from packet 8816 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true 8817 */ 8818 static void 8819 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid) 8820 { 8821 struct slist *s, *s2, *sjeq; 8822 unsigned cnt; 8823 8824 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8825 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8826 8827 /* true -> next instructions, false -> beginning of b_vid */ 8828 sjeq = new_stmt(cstate, JMP(BPF_JEQ)); 8829 sjeq->s.k = 1; 8830 sjeq->s.jf = b_vid->stmts; 8831 sappend(s, sjeq); 8832 8833 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8834 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG; 8835 sappend(s, s2); 8836 sjeq->s.jt = s2; 8837 8838 /* Jump to the test in b_vid. We need to jump one instruction before 8839 * the end of the b_vid block so that we only skip loading the TCI 8840 * from packet data and not the 'and' instruction extractging VID. 8841 */ 8842 cnt = 0; 8843 for (s2 = b_vid->stmts; s2; s2 = s2->next) 8844 cnt++; 8845 s2 = new_stmt(cstate, JMP(BPF_JA)); 8846 s2->s.k = cnt - 1; 8847 sappend(s, s2); 8848 8849 /* insert our statements at the beginning of b_vid */ 8850 sappend(s, b_vid->stmts); 8851 b_vid->stmts = s; 8852 } 8853 8854 /* 8855 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF 8856 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN 8857 * tag can be either in metadata or in packet data; therefore if the 8858 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link 8859 * header for VLAN tag. As the decision is done at run time, we need 8860 * update variable part of the offsets 8861 */ 8862 static struct block * 8863 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num, 8864 int has_vlan_tag) 8865 { 8866 struct block *b0, *b_tpid, *b_vid = NULL; 8867 struct slist *s; 8868 8869 /* generate new filter code based on extracting packet 8870 * metadata */ 8871 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8872 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8873 8874 b0 = new_block(cstate, JMP(BPF_JEQ)); 8875 b0->stmts = s; 8876 b0->s.k = 1; 8877 8878 /* 8879 * This is tricky. We need to insert the statements updating variable 8880 * parts of offsets before the traditional TPID and VID tests so 8881 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but 8882 * we do not want this update to affect those checks. That's why we 8883 * generate both test blocks first and insert the statements updating 8884 * variable parts of both offsets after that. This wouldn't work if 8885 * there already were variable length link header when entering this 8886 * function but gen_vlan_bpf_extensions() isn't called in that case. 8887 */ 8888 b_tpid = gen_vlan_tpid_test(cstate); 8889 if (has_vlan_tag) 8890 b_vid = gen_vlan_vid_test(cstate, vlan_num); 8891 8892 gen_vlan_patch_tpid_test(cstate, b_tpid); 8893 gen_or(b0, b_tpid); 8894 b0 = b_tpid; 8895 8896 if (has_vlan_tag) { 8897 gen_vlan_patch_vid_test(cstate, b_vid); 8898 gen_and(b0, b_vid); 8899 b0 = b_vid; 8900 } 8901 8902 return b0; 8903 } 8904 #endif 8905 8906 /* 8907 * support IEEE 802.1Q VLAN trunk over ethernet 8908 */ 8909 struct block * 8910 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag) 8911 { 8912 struct block *b0; 8913 8914 /* 8915 * Catch errors reported by us and routines below us, and return NULL 8916 * on an error. 8917 */ 8918 if (setjmp(cstate->top_ctx)) 8919 return (NULL); 8920 8921 /* can't check for VLAN-encapsulated packets inside MPLS */ 8922 if (cstate->label_stack_depth > 0) 8923 bpf_error(cstate, "no VLAN match after MPLS"); 8924 8925 /* 8926 * Check for a VLAN packet, and then change the offsets to point 8927 * to the type and data fields within the VLAN packet. Just 8928 * increment the offsets, so that we can support a hierarchy, e.g. 8929 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 8930 * VLAN 100. 8931 * 8932 * XXX - this is a bit of a kludge. If we were to split the 8933 * compiler into a parser that parses an expression and 8934 * generates an expression tree, and a code generator that 8935 * takes an expression tree (which could come from our 8936 * parser or from some other parser) and generates BPF code, 8937 * we could perhaps make the offsets parameters of routines 8938 * and, in the handler for an "AND" node, pass to subnodes 8939 * other than the VLAN node the adjusted offsets. 8940 * 8941 * This would mean that "vlan" would, instead of changing the 8942 * behavior of *all* tests after it, change only the behavior 8943 * of tests ANDed with it. That would change the documented 8944 * semantics of "vlan", which might break some expressions. 8945 * However, it would mean that "(vlan and ip) or ip" would check 8946 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8947 * checking only for VLAN-encapsulated IP, so that could still 8948 * be considered worth doing; it wouldn't break expressions 8949 * that are of the form "vlan and ..." or "vlan N and ...", 8950 * which I suspect are the most common expressions involving 8951 * "vlan". "vlan or ..." doesn't necessarily do what the user 8952 * would really want, now, as all the "or ..." tests would 8953 * be done assuming a VLAN, even though the "or" could be viewed 8954 * as meaning "or, if this isn't a VLAN packet...". 8955 */ 8956 switch (cstate->linktype) { 8957 8958 case DLT_EN10MB: 8959 case DLT_NETANALYZER: 8960 case DLT_NETANALYZER_TRANSPARENT: 8961 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8962 /* Verify that this is the outer part of the packet and 8963 * not encapsulated somehow. */ 8964 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable && 8965 cstate->off_linkhdr.constant_part == 8966 cstate->off_outermostlinkhdr.constant_part) { 8967 /* 8968 * Do we need special VLAN handling? 8969 */ 8970 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING) 8971 b0 = gen_vlan_bpf_extensions(cstate, vlan_num, 8972 has_vlan_tag); 8973 else 8974 b0 = gen_vlan_no_bpf_extensions(cstate, 8975 vlan_num, has_vlan_tag); 8976 } else 8977 #endif 8978 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, 8979 has_vlan_tag); 8980 break; 8981 8982 case DLT_IEEE802_11: 8983 case DLT_PRISM_HEADER: 8984 case DLT_IEEE802_11_RADIO_AVS: 8985 case DLT_IEEE802_11_RADIO: 8986 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag); 8987 break; 8988 8989 default: 8990 bpf_error(cstate, "no VLAN support for %s", 8991 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8992 /*NOTREACHED*/ 8993 } 8994 8995 cstate->vlan_stack_depth++; 8996 8997 return (b0); 8998 } 8999 9000 /* 9001 * support for MPLS 9002 * 9003 * The label_num_arg dance is to avoid annoying whining by compilers that 9004 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 9005 * It's not *used* after setjmp returns. 9006 */ 9007 struct block * 9008 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num_arg, 9009 int has_label_num) 9010 { 9011 volatile bpf_u_int32 label_num = label_num_arg; 9012 struct block *b0, *b1; 9013 9014 /* 9015 * Catch errors reported by us and routines below us, and return NULL 9016 * on an error. 9017 */ 9018 if (setjmp(cstate->top_ctx)) 9019 return (NULL); 9020 9021 if (cstate->label_stack_depth > 0) { 9022 /* just match the bottom-of-stack bit clear */ 9023 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01); 9024 } else { 9025 /* 9026 * We're not in an MPLS stack yet, so check the link-layer 9027 * type against MPLS. 9028 */ 9029 switch (cstate->linktype) { 9030 9031 case DLT_C_HDLC: /* fall through */ 9032 case DLT_HDLC: 9033 case DLT_EN10MB: 9034 case DLT_NETANALYZER: 9035 case DLT_NETANALYZER_TRANSPARENT: 9036 b0 = gen_linktype(cstate, ETHERTYPE_MPLS); 9037 break; 9038 9039 case DLT_PPP: 9040 b0 = gen_linktype(cstate, PPP_MPLS_UCAST); 9041 break; 9042 9043 /* FIXME add other DLT_s ... 9044 * for Frame-Relay/and ATM this may get messy due to SNAP headers 9045 * leave it for now */ 9046 9047 default: 9048 bpf_error(cstate, "no MPLS support for %s", 9049 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 9050 /*NOTREACHED*/ 9051 } 9052 } 9053 9054 /* If a specific MPLS label is requested, check it */ 9055 if (has_label_num) { 9056 if (label_num > 0xFFFFF) { 9057 bpf_error(cstate, "MPLS label %u greater than maximum %u", 9058 label_num, 0xFFFFF); 9059 } 9060 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 9061 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, label_num, 9062 0xfffff000); /* only compare the first 20 bits */ 9063 gen_and(b0, b1); 9064 b0 = b1; 9065 } 9066 9067 /* 9068 * Change the offsets to point to the type and data fields within 9069 * the MPLS packet. Just increment the offsets, so that we 9070 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 9071 * capture packets with an outer label of 100000 and an inner 9072 * label of 1024. 9073 * 9074 * Increment the MPLS stack depth as well; this indicates that 9075 * we're checking MPLS-encapsulated headers, to make sure higher 9076 * level code generators don't try to match against IP-related 9077 * protocols such as Q_ARP, Q_RARP etc. 9078 * 9079 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 9080 */ 9081 cstate->off_nl_nosnap += 4; 9082 cstate->off_nl += 4; 9083 cstate->label_stack_depth++; 9084 return (b0); 9085 } 9086 9087 /* 9088 * Support PPPOE discovery and session. 9089 */ 9090 struct block * 9091 gen_pppoed(compiler_state_t *cstate) 9092 { 9093 /* 9094 * Catch errors reported by us and routines below us, and return NULL 9095 * on an error. 9096 */ 9097 if (setjmp(cstate->top_ctx)) 9098 return (NULL); 9099 9100 /* check for PPPoE discovery */ 9101 return gen_linktype(cstate, ETHERTYPE_PPPOED); 9102 } 9103 9104 struct block * 9105 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num) 9106 { 9107 struct block *b0, *b1; 9108 9109 /* 9110 * Catch errors reported by us and routines below us, and return NULL 9111 * on an error. 9112 */ 9113 if (setjmp(cstate->top_ctx)) 9114 return (NULL); 9115 9116 /* 9117 * Test against the PPPoE session link-layer type. 9118 */ 9119 b0 = gen_linktype(cstate, ETHERTYPE_PPPOES); 9120 9121 /* If a specific session is requested, check PPPoE session id */ 9122 if (has_sess_num) { 9123 if (sess_num > 0x0000ffff) { 9124 bpf_error(cstate, "PPPoE session number %u greater than maximum %u", 9125 sess_num, 0x0000ffff); 9126 } 9127 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, sess_num, 0x0000ffff); 9128 gen_and(b0, b1); 9129 b0 = b1; 9130 } 9131 9132 /* 9133 * Change the offsets to point to the type and data fields within 9134 * the PPP packet, and note that this is PPPoE rather than 9135 * raw PPP. 9136 * 9137 * XXX - this is a bit of a kludge. See the comments in 9138 * gen_vlan(). 9139 * 9140 * The "network-layer" protocol is PPPoE, which has a 6-byte 9141 * PPPoE header, followed by a PPP packet. 9142 * 9143 * There is no HDLC encapsulation for the PPP packet (it's 9144 * encapsulated in PPPoES instead), so the link-layer type 9145 * starts at the first byte of the PPP packet. For PPPoE, 9146 * that offset is relative to the beginning of the total 9147 * link-layer payload, including any 802.2 LLC header, so 9148 * it's 6 bytes past cstate->off_nl. 9149 */ 9150 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable, 9151 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */ 9152 cstate->off_linkpl.reg); 9153 9154 cstate->off_linktype = cstate->off_linkhdr; 9155 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2; 9156 9157 cstate->off_nl = 0; 9158 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 9159 9160 return b0; 9161 } 9162 9163 /* Check that this is Geneve and the VNI is correct if 9164 * specified. Parameterized to handle both IPv4 and IPv6. */ 9165 static struct block * 9166 gen_geneve_check(compiler_state_t *cstate, 9167 struct block *(*gen_portfn)(compiler_state_t *, u_int, int, int), 9168 enum e_offrel offrel, bpf_u_int32 vni, int has_vni) 9169 { 9170 struct block *b0, *b1; 9171 9172 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST); 9173 9174 /* Check that we are operating on version 0. Otherwise, we 9175 * can't decode the rest of the fields. The version is 2 bits 9176 * in the first byte of the Geneve header. */ 9177 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, 0, 0xc0); 9178 gen_and(b0, b1); 9179 b0 = b1; 9180 9181 if (has_vni) { 9182 if (vni > 0xffffff) { 9183 bpf_error(cstate, "Geneve VNI %u greater than maximum %u", 9184 vni, 0xffffff); 9185 } 9186 vni <<= 8; /* VNI is in the upper 3 bytes */ 9187 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00); 9188 gen_and(b0, b1); 9189 b0 = b1; 9190 } 9191 9192 return b0; 9193 } 9194 9195 /* The IPv4 and IPv6 Geneve checks need to do two things: 9196 * - Verify that this actually is Geneve with the right VNI. 9197 * - Place the IP header length (plus variable link prefix if 9198 * needed) into register A to be used later to compute 9199 * the inner packet offsets. */ 9200 static struct block * 9201 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9202 { 9203 struct block *b0, *b1; 9204 struct slist *s, *s1; 9205 9206 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni); 9207 9208 /* Load the IP header length into A. */ 9209 s = gen_loadx_iphdrlen(cstate); 9210 9211 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 9212 sappend(s, s1); 9213 9214 /* Forcibly append these statements to the true condition 9215 * of the protocol check by creating a new block that is 9216 * always true and ANDing them. */ 9217 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9218 b1->stmts = s; 9219 b1->s.k = 0; 9220 9221 gen_and(b0, b1); 9222 9223 return b1; 9224 } 9225 9226 static struct block * 9227 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9228 { 9229 struct block *b0, *b1; 9230 struct slist *s, *s1; 9231 9232 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni); 9233 9234 /* Load the IP header length. We need to account for a 9235 * variable length link prefix if there is one. */ 9236 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 9237 if (s) { 9238 s1 = new_stmt(cstate, BPF_LD|BPF_IMM); 9239 s1->s.k = 40; 9240 sappend(s, s1); 9241 9242 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 9243 s1->s.k = 0; 9244 sappend(s, s1); 9245 } else { 9246 s = new_stmt(cstate, BPF_LD|BPF_IMM); 9247 s->s.k = 40; 9248 } 9249 9250 /* Forcibly append these statements to the true condition 9251 * of the protocol check by creating a new block that is 9252 * always true and ANDing them. */ 9253 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9254 sappend(s, s1); 9255 9256 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9257 b1->stmts = s; 9258 b1->s.k = 0; 9259 9260 gen_and(b0, b1); 9261 9262 return b1; 9263 } 9264 9265 /* We need to store three values based on the Geneve header:: 9266 * - The offset of the linktype. 9267 * - The offset of the end of the Geneve header. 9268 * - The offset of the end of the encapsulated MAC header. */ 9269 static struct slist * 9270 gen_geneve_offsets(compiler_state_t *cstate) 9271 { 9272 struct slist *s, *s1, *s_proto; 9273 9274 /* First we need to calculate the offset of the Geneve header 9275 * itself. This is composed of the IP header previously calculated 9276 * (include any variable link prefix) and stored in A plus the 9277 * fixed sized headers (fixed link prefix, MAC length, and UDP 9278 * header). */ 9279 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9280 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8; 9281 9282 /* Stash this in X since we'll need it later. */ 9283 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9284 sappend(s, s1); 9285 9286 /* The EtherType in Geneve is 2 bytes in. Calculate this and 9287 * store it. */ 9288 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9289 s1->s.k = 2; 9290 sappend(s, s1); 9291 9292 cstate->off_linktype.reg = alloc_reg(cstate); 9293 cstate->off_linktype.is_variable = 1; 9294 cstate->off_linktype.constant_part = 0; 9295 9296 s1 = new_stmt(cstate, BPF_ST); 9297 s1->s.k = cstate->off_linktype.reg; 9298 sappend(s, s1); 9299 9300 /* Load the Geneve option length and mask and shift to get the 9301 * number of bytes. It is stored in the first byte of the Geneve 9302 * header. */ 9303 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 9304 s1->s.k = 0; 9305 sappend(s, s1); 9306 9307 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 9308 s1->s.k = 0x3f; 9309 sappend(s, s1); 9310 9311 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 9312 s1->s.k = 4; 9313 sappend(s, s1); 9314 9315 /* Add in the rest of the Geneve base header. */ 9316 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9317 s1->s.k = 8; 9318 sappend(s, s1); 9319 9320 /* Add the Geneve header length to its offset and store. */ 9321 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 9322 s1->s.k = 0; 9323 sappend(s, s1); 9324 9325 /* Set the encapsulated type as Ethernet. Even though we may 9326 * not actually have Ethernet inside there are two reasons this 9327 * is useful: 9328 * - The linktype field is always in EtherType format regardless 9329 * of whether it is in Geneve or an inner Ethernet frame. 9330 * - The only link layer that we have specific support for is 9331 * Ethernet. We will confirm that the packet actually is 9332 * Ethernet at runtime before executing these checks. */ 9333 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate)); 9334 9335 s1 = new_stmt(cstate, BPF_ST); 9336 s1->s.k = cstate->off_linkhdr.reg; 9337 sappend(s, s1); 9338 9339 /* Calculate whether we have an Ethernet header or just raw IP/ 9340 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset 9341 * and linktype by 14 bytes so that the network header can be found 9342 * seamlessly. Otherwise, keep what we've calculated already. */ 9343 9344 /* We have a bare jmp so we can't use the optimizer. */ 9345 cstate->no_optimize = 1; 9346 9347 /* Load the EtherType in the Geneve header, 2 bytes in. */ 9348 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H); 9349 s1->s.k = 2; 9350 sappend(s, s1); 9351 9352 /* Load X with the end of the Geneve header. */ 9353 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 9354 s1->s.k = cstate->off_linkhdr.reg; 9355 sappend(s, s1); 9356 9357 /* Check if the EtherType is Transparent Ethernet Bridging. At the 9358 * end of this check, we should have the total length in X. In 9359 * the non-Ethernet case, it's already there. */ 9360 s_proto = new_stmt(cstate, JMP(BPF_JEQ)); 9361 s_proto->s.k = ETHERTYPE_TEB; 9362 sappend(s, s_proto); 9363 9364 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 9365 sappend(s, s1); 9366 s_proto->s.jt = s1; 9367 9368 /* Since this is Ethernet, use the EtherType of the payload 9369 * directly as the linktype. Overwrite what we already have. */ 9370 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9371 s1->s.k = 12; 9372 sappend(s, s1); 9373 9374 s1 = new_stmt(cstate, BPF_ST); 9375 s1->s.k = cstate->off_linktype.reg; 9376 sappend(s, s1); 9377 9378 /* Advance two bytes further to get the end of the Ethernet 9379 * header. */ 9380 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9381 s1->s.k = 2; 9382 sappend(s, s1); 9383 9384 /* Move the result to X. */ 9385 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9386 sappend(s, s1); 9387 9388 /* Store the final result of our linkpl calculation. */ 9389 cstate->off_linkpl.reg = alloc_reg(cstate); 9390 cstate->off_linkpl.is_variable = 1; 9391 cstate->off_linkpl.constant_part = 0; 9392 9393 s1 = new_stmt(cstate, BPF_STX); 9394 s1->s.k = cstate->off_linkpl.reg; 9395 sappend(s, s1); 9396 s_proto->s.jf = s1; 9397 9398 cstate->off_nl = 0; 9399 9400 return s; 9401 } 9402 9403 /* Check to see if this is a Geneve packet. */ 9404 struct block * 9405 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9406 { 9407 struct block *b0, *b1; 9408 struct slist *s; 9409 9410 /* 9411 * Catch errors reported by us and routines below us, and return NULL 9412 * on an error. 9413 */ 9414 if (setjmp(cstate->top_ctx)) 9415 return (NULL); 9416 9417 b0 = gen_geneve4(cstate, vni, has_vni); 9418 b1 = gen_geneve6(cstate, vni, has_vni); 9419 9420 gen_or(b0, b1); 9421 b0 = b1; 9422 9423 /* Later filters should act on the payload of the Geneve frame, 9424 * update all of the header pointers. Attach this code so that 9425 * it gets executed in the event that the Geneve filter matches. */ 9426 s = gen_geneve_offsets(cstate); 9427 9428 b1 = gen_true(cstate); 9429 sappend(s, b1->stmts); 9430 b1->stmts = s; 9431 9432 gen_and(b0, b1); 9433 9434 cstate->is_geneve = 1; 9435 9436 return b1; 9437 } 9438 9439 /* Check that the encapsulated frame has a link layer header 9440 * for Ethernet filters. */ 9441 static struct block * 9442 gen_geneve_ll_check(compiler_state_t *cstate) 9443 { 9444 struct block *b0; 9445 struct slist *s, *s1; 9446 9447 /* The easiest way to see if there is a link layer present 9448 * is to check if the link layer header and payload are not 9449 * the same. */ 9450 9451 /* Geneve always generates pure variable offsets so we can 9452 * compare only the registers. */ 9453 s = new_stmt(cstate, BPF_LD|BPF_MEM); 9454 s->s.k = cstate->off_linkhdr.reg; 9455 9456 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 9457 s1->s.k = cstate->off_linkpl.reg; 9458 sappend(s, s1); 9459 9460 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9461 b0->stmts = s; 9462 b0->s.k = 0; 9463 gen_not(b0); 9464 9465 return b0; 9466 } 9467 9468 static struct block * 9469 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield, 9470 bpf_u_int32 jvalue, int jtype, int reverse) 9471 { 9472 struct block *b0; 9473 9474 switch (atmfield) { 9475 9476 case A_VPI: 9477 if (!cstate->is_atm) 9478 bpf_error(cstate, "'vpi' supported only on raw ATM"); 9479 if (cstate->off_vpi == OFFSET_NOT_SET) 9480 abort(); 9481 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 9482 0xffffffffU, jtype, reverse, jvalue); 9483 break; 9484 9485 case A_VCI: 9486 if (!cstate->is_atm) 9487 bpf_error(cstate, "'vci' supported only on raw ATM"); 9488 if (cstate->off_vci == OFFSET_NOT_SET) 9489 abort(); 9490 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 9491 0xffffffffU, jtype, reverse, jvalue); 9492 break; 9493 9494 case A_PROTOTYPE: 9495 if (cstate->off_proto == OFFSET_NOT_SET) 9496 abort(); /* XXX - this isn't on FreeBSD */ 9497 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 9498 0x0fU, jtype, reverse, jvalue); 9499 break; 9500 9501 case A_MSGTYPE: 9502 if (cstate->off_payload == OFFSET_NOT_SET) 9503 abort(); 9504 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B, 9505 0xffffffffU, jtype, reverse, jvalue); 9506 break; 9507 9508 case A_CALLREFTYPE: 9509 if (!cstate->is_atm) 9510 bpf_error(cstate, "'callref' supported only on raw ATM"); 9511 if (cstate->off_proto == OFFSET_NOT_SET) 9512 abort(); 9513 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 9514 0xffffffffU, jtype, reverse, jvalue); 9515 break; 9516 9517 default: 9518 abort(); 9519 } 9520 return b0; 9521 } 9522 9523 static struct block * 9524 gen_atmtype_metac(compiler_state_t *cstate) 9525 { 9526 struct block *b0, *b1; 9527 9528 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9529 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0); 9530 gen_and(b0, b1); 9531 return b1; 9532 } 9533 9534 static struct block * 9535 gen_atmtype_sc(compiler_state_t *cstate) 9536 { 9537 struct block *b0, *b1; 9538 9539 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9540 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0); 9541 gen_and(b0, b1); 9542 return b1; 9543 } 9544 9545 static struct block * 9546 gen_atmtype_llc(compiler_state_t *cstate) 9547 { 9548 struct block *b0; 9549 9550 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 9551 cstate->linktype = cstate->prevlinktype; 9552 return b0; 9553 } 9554 9555 struct block * 9556 gen_atmfield_code(compiler_state_t *cstate, int atmfield, 9557 bpf_u_int32 jvalue, int jtype, int reverse) 9558 { 9559 /* 9560 * Catch errors reported by us and routines below us, and return NULL 9561 * on an error. 9562 */ 9563 if (setjmp(cstate->top_ctx)) 9564 return (NULL); 9565 9566 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype, 9567 reverse); 9568 } 9569 9570 struct block * 9571 gen_atmtype_abbrev(compiler_state_t *cstate, int type) 9572 { 9573 struct block *b0, *b1; 9574 9575 /* 9576 * Catch errors reported by us and routines below us, and return NULL 9577 * on an error. 9578 */ 9579 if (setjmp(cstate->top_ctx)) 9580 return (NULL); 9581 9582 switch (type) { 9583 9584 case A_METAC: 9585 /* Get all packets in Meta signalling Circuit */ 9586 if (!cstate->is_atm) 9587 bpf_error(cstate, "'metac' supported only on raw ATM"); 9588 b1 = gen_atmtype_metac(cstate); 9589 break; 9590 9591 case A_BCC: 9592 /* Get all packets in Broadcast Circuit*/ 9593 if (!cstate->is_atm) 9594 bpf_error(cstate, "'bcc' supported only on raw ATM"); 9595 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9596 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0); 9597 gen_and(b0, b1); 9598 break; 9599 9600 case A_OAMF4SC: 9601 /* Get all cells in Segment OAM F4 circuit*/ 9602 if (!cstate->is_atm) 9603 bpf_error(cstate, "'oam4sc' supported only on raw ATM"); 9604 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9605 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9606 gen_and(b0, b1); 9607 break; 9608 9609 case A_OAMF4EC: 9610 /* Get all cells in End-to-End OAM F4 Circuit*/ 9611 if (!cstate->is_atm) 9612 bpf_error(cstate, "'oam4ec' supported only on raw ATM"); 9613 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9614 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9615 gen_and(b0, b1); 9616 break; 9617 9618 case A_SC: 9619 /* Get all packets in connection Signalling Circuit */ 9620 if (!cstate->is_atm) 9621 bpf_error(cstate, "'sc' supported only on raw ATM"); 9622 b1 = gen_atmtype_sc(cstate); 9623 break; 9624 9625 case A_ILMIC: 9626 /* Get all packets in ILMI Circuit */ 9627 if (!cstate->is_atm) 9628 bpf_error(cstate, "'ilmic' supported only on raw ATM"); 9629 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9630 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0); 9631 gen_and(b0, b1); 9632 break; 9633 9634 case A_LANE: 9635 /* Get all LANE packets */ 9636 if (!cstate->is_atm) 9637 bpf_error(cstate, "'lane' supported only on raw ATM"); 9638 b1 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 9639 9640 /* 9641 * Arrange that all subsequent tests assume LANE 9642 * rather than LLC-encapsulated packets, and set 9643 * the offsets appropriately for LANE-encapsulated 9644 * Ethernet. 9645 * 9646 * We assume LANE means Ethernet, not Token Ring. 9647 */ 9648 PUSH_LINKHDR(cstate, DLT_EN10MB, 0, 9649 cstate->off_payload + 2, /* Ethernet header */ 9650 -1); 9651 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 9652 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */ 9653 cstate->off_nl = 0; /* Ethernet II */ 9654 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 9655 break; 9656 9657 case A_LLC: 9658 /* Get all LLC-encapsulated packets */ 9659 if (!cstate->is_atm) 9660 bpf_error(cstate, "'llc' supported only on raw ATM"); 9661 b1 = gen_atmtype_llc(cstate); 9662 break; 9663 9664 default: 9665 abort(); 9666 } 9667 return b1; 9668 } 9669 9670 /* 9671 * Filtering for MTP2 messages based on li value 9672 * FISU, length is null 9673 * LSSU, length is 1 or 2 9674 * MSU, length is 3 or more 9675 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 9676 */ 9677 struct block * 9678 gen_mtp2type_abbrev(compiler_state_t *cstate, int type) 9679 { 9680 struct block *b0, *b1; 9681 9682 /* 9683 * Catch errors reported by us and routines below us, and return NULL 9684 * on an error. 9685 */ 9686 if (setjmp(cstate->top_ctx)) 9687 return (NULL); 9688 9689 switch (type) { 9690 9691 case M_FISU: 9692 if ( (cstate->linktype != DLT_MTP2) && 9693 (cstate->linktype != DLT_ERF) && 9694 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9695 bpf_error(cstate, "'fisu' supported only on MTP2"); 9696 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 9697 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 9698 0x3fU, BPF_JEQ, 0, 0U); 9699 break; 9700 9701 case M_LSSU: 9702 if ( (cstate->linktype != DLT_MTP2) && 9703 (cstate->linktype != DLT_ERF) && 9704 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9705 bpf_error(cstate, "'lssu' supported only on MTP2"); 9706 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 9707 0x3fU, BPF_JGT, 1, 2U); 9708 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 9709 0x3fU, BPF_JGT, 0, 0U); 9710 gen_and(b1, b0); 9711 break; 9712 9713 case M_MSU: 9714 if ( (cstate->linktype != DLT_MTP2) && 9715 (cstate->linktype != DLT_ERF) && 9716 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9717 bpf_error(cstate, "'msu' supported only on MTP2"); 9718 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 9719 0x3fU, BPF_JGT, 0, 2U); 9720 break; 9721 9722 case MH_FISU: 9723 if ( (cstate->linktype != DLT_MTP2) && 9724 (cstate->linktype != DLT_ERF) && 9725 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9726 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL"); 9727 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 9728 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 9729 0xff80U, BPF_JEQ, 0, 0U); 9730 break; 9731 9732 case MH_LSSU: 9733 if ( (cstate->linktype != DLT_MTP2) && 9734 (cstate->linktype != DLT_ERF) && 9735 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9736 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL"); 9737 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 9738 0xff80U, BPF_JGT, 1, 0x0100U); 9739 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 9740 0xff80U, BPF_JGT, 0, 0U); 9741 gen_and(b1, b0); 9742 break; 9743 9744 case MH_MSU: 9745 if ( (cstate->linktype != DLT_MTP2) && 9746 (cstate->linktype != DLT_ERF) && 9747 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9748 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL"); 9749 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 9750 0xff80U, BPF_JGT, 0, 0x0100U); 9751 break; 9752 9753 default: 9754 abort(); 9755 } 9756 return b0; 9757 } 9758 9759 /* 9760 * The jvalue_arg dance is to avoid annoying whining by compilers that 9761 * jvalue might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 9762 * It's not *used* after setjmp returns. 9763 */ 9764 struct block * 9765 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, 9766 bpf_u_int32 jvalue_arg, int jtype, int reverse) 9767 { 9768 volatile bpf_u_int32 jvalue = jvalue_arg; 9769 struct block *b0; 9770 bpf_u_int32 val1 , val2 , val3; 9771 u_int newoff_sio; 9772 u_int newoff_opc; 9773 u_int newoff_dpc; 9774 u_int newoff_sls; 9775 9776 /* 9777 * Catch errors reported by us and routines below us, and return NULL 9778 * on an error. 9779 */ 9780 if (setjmp(cstate->top_ctx)) 9781 return (NULL); 9782 9783 newoff_sio = cstate->off_sio; 9784 newoff_opc = cstate->off_opc; 9785 newoff_dpc = cstate->off_dpc; 9786 newoff_sls = cstate->off_sls; 9787 switch (mtp3field) { 9788 9789 case MH_SIO: 9790 newoff_sio += 3; /* offset for MTP2_HSL */ 9791 /* FALLTHROUGH */ 9792 9793 case M_SIO: 9794 if (cstate->off_sio == OFFSET_NOT_SET) 9795 bpf_error(cstate, "'sio' supported only on SS7"); 9796 /* sio coded on 1 byte so max value 255 */ 9797 if(jvalue > 255) 9798 bpf_error(cstate, "sio value %u too big; max value = 255", 9799 jvalue); 9800 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffffU, 9801 jtype, reverse, jvalue); 9802 break; 9803 9804 case MH_OPC: 9805 newoff_opc += 3; 9806 9807 /* FALLTHROUGH */ 9808 case M_OPC: 9809 if (cstate->off_opc == OFFSET_NOT_SET) 9810 bpf_error(cstate, "'opc' supported only on SS7"); 9811 /* opc coded on 14 bits so max value 16383 */ 9812 if (jvalue > 16383) 9813 bpf_error(cstate, "opc value %u too big; max value = 16383", 9814 jvalue); 9815 /* the following instructions are made to convert jvalue 9816 * to the form used to write opc in an ss7 message*/ 9817 val1 = jvalue & 0x00003c00; 9818 val1 = val1 >>10; 9819 val2 = jvalue & 0x000003fc; 9820 val2 = val2 <<6; 9821 val3 = jvalue & 0x00000003; 9822 val3 = val3 <<22; 9823 jvalue = val1 + val2 + val3; 9824 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0fU, 9825 jtype, reverse, jvalue); 9826 break; 9827 9828 case MH_DPC: 9829 newoff_dpc += 3; 9830 /* FALLTHROUGH */ 9831 9832 case M_DPC: 9833 if (cstate->off_dpc == OFFSET_NOT_SET) 9834 bpf_error(cstate, "'dpc' supported only on SS7"); 9835 /* dpc coded on 14 bits so max value 16383 */ 9836 if (jvalue > 16383) 9837 bpf_error(cstate, "dpc value %u too big; max value = 16383", 9838 jvalue); 9839 /* the following instructions are made to convert jvalue 9840 * to the forme used to write dpc in an ss7 message*/ 9841 val1 = jvalue & 0x000000ff; 9842 val1 = val1 << 24; 9843 val2 = jvalue & 0x00003f00; 9844 val2 = val2 << 8; 9845 jvalue = val1 + val2; 9846 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000U, 9847 jtype, reverse, jvalue); 9848 break; 9849 9850 case MH_SLS: 9851 newoff_sls += 3; 9852 /* FALLTHROUGH */ 9853 9854 case M_SLS: 9855 if (cstate->off_sls == OFFSET_NOT_SET) 9856 bpf_error(cstate, "'sls' supported only on SS7"); 9857 /* sls coded on 4 bits so max value 15 */ 9858 if (jvalue > 15) 9859 bpf_error(cstate, "sls value %u too big; max value = 15", 9860 jvalue); 9861 /* the following instruction is made to convert jvalue 9862 * to the forme used to write sls in an ss7 message*/ 9863 jvalue = jvalue << 4; 9864 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0U, 9865 jtype, reverse, jvalue); 9866 break; 9867 9868 default: 9869 abort(); 9870 } 9871 return b0; 9872 } 9873 9874 static struct block * 9875 gen_msg_abbrev(compiler_state_t *cstate, int type) 9876 { 9877 struct block *b1; 9878 9879 /* 9880 * Q.2931 signalling protocol messages for handling virtual circuits 9881 * establishment and teardown 9882 */ 9883 switch (type) { 9884 9885 case A_SETUP: 9886 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0); 9887 break; 9888 9889 case A_CALLPROCEED: 9890 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 9891 break; 9892 9893 case A_CONNECT: 9894 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0); 9895 break; 9896 9897 case A_CONNECTACK: 9898 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 9899 break; 9900 9901 case A_RELEASE: 9902 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0); 9903 break; 9904 9905 case A_RELEASE_DONE: 9906 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 9907 break; 9908 9909 default: 9910 abort(); 9911 } 9912 return b1; 9913 } 9914 9915 struct block * 9916 gen_atmmulti_abbrev(compiler_state_t *cstate, int type) 9917 { 9918 struct block *b0, *b1; 9919 9920 /* 9921 * Catch errors reported by us and routines below us, and return NULL 9922 * on an error. 9923 */ 9924 if (setjmp(cstate->top_ctx)) 9925 return (NULL); 9926 9927 switch (type) { 9928 9929 case A_OAM: 9930 if (!cstate->is_atm) 9931 bpf_error(cstate, "'oam' supported only on raw ATM"); 9932 /* OAM F4 type */ 9933 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9934 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9935 gen_or(b0, b1); 9936 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9937 gen_and(b0, b1); 9938 break; 9939 9940 case A_OAMF4: 9941 if (!cstate->is_atm) 9942 bpf_error(cstate, "'oamf4' supported only on raw ATM"); 9943 /* OAM F4 type */ 9944 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9945 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9946 gen_or(b0, b1); 9947 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9948 gen_and(b0, b1); 9949 break; 9950 9951 case A_CONNECTMSG: 9952 /* 9953 * Get Q.2931 signalling messages for switched 9954 * virtual connection 9955 */ 9956 if (!cstate->is_atm) 9957 bpf_error(cstate, "'connectmsg' supported only on raw ATM"); 9958 b0 = gen_msg_abbrev(cstate, A_SETUP); 9959 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9960 gen_or(b0, b1); 9961 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9962 gen_or(b0, b1); 9963 b0 = gen_msg_abbrev(cstate, A_CONNECTACK); 9964 gen_or(b0, b1); 9965 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9966 gen_or(b0, b1); 9967 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9968 gen_or(b0, b1); 9969 b0 = gen_atmtype_sc(cstate); 9970 gen_and(b0, b1); 9971 break; 9972 9973 case A_METACONNECT: 9974 if (!cstate->is_atm) 9975 bpf_error(cstate, "'metaconnect' supported only on raw ATM"); 9976 b0 = gen_msg_abbrev(cstate, A_SETUP); 9977 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9978 gen_or(b0, b1); 9979 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9980 gen_or(b0, b1); 9981 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9982 gen_or(b0, b1); 9983 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9984 gen_or(b0, b1); 9985 b0 = gen_atmtype_metac(cstate); 9986 gen_and(b0, b1); 9987 break; 9988 9989 default: 9990 abort(); 9991 } 9992 return b1; 9993 } 9994