1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * $FreeBSD$ 23 */ 24 #ifndef lint 25 static const char rcsid[] _U_ = 26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)"; 27 #endif 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef WIN32 34 #include <pcap-stdinc.h> 35 #else /* WIN32 */ 36 #if HAVE_INTTYPES_H 37 #include <inttypes.h> 38 #elif HAVE_STDINT_H 39 #include <stdint.h> 40 #endif 41 #ifdef HAVE_SYS_BITYPES_H 42 #include <sys/bitypes.h> 43 #endif 44 #include <sys/types.h> 45 #include <sys/socket.h> 46 #endif /* WIN32 */ 47 48 /* 49 * XXX - why was this included even on UNIX? 50 */ 51 #ifdef __MINGW32__ 52 #include "IP6_misc.h" 53 #endif 54 55 #ifndef WIN32 56 57 #ifdef __NetBSD__ 58 #include <sys/param.h> 59 #endif 60 61 #include <netinet/in.h> 62 #include <arpa/inet.h> 63 64 #endif /* WIN32 */ 65 66 #include <stdlib.h> 67 #include <string.h> 68 #include <memory.h> 69 #include <setjmp.h> 70 #include <stdarg.h> 71 72 #ifdef MSDOS 73 #include "pcap-dos.h" 74 #endif 75 76 #include "pcap-int.h" 77 78 #include "ethertype.h" 79 #include "nlpid.h" 80 #include "llc.h" 81 #include "gencode.h" 82 #include "ieee80211.h" 83 #include "atmuni31.h" 84 #include "sunatmpos.h" 85 #include "ppp.h" 86 #include "pcap/sll.h" 87 #include "pcap/ipnet.h" 88 #include "arcnet.h" 89 #ifdef HAVE_NET_PFVAR_H 90 #include <sys/socket.h> 91 #include <net/if.h> 92 #include <net/pfvar.h> 93 #include <net/if_pflog.h> 94 #endif 95 #ifndef offsetof 96 #define offsetof(s, e) ((size_t)&((s *)0)->e) 97 #endif 98 #ifdef INET6 99 #ifndef WIN32 100 #include <netdb.h> /* for "struct addrinfo" */ 101 #endif /* WIN32 */ 102 #endif /*INET6*/ 103 #include <pcap/namedb.h> 104 105 #define ETHERMTU 1500 106 107 #ifndef IPPROTO_SCTP 108 #define IPPROTO_SCTP 132 109 #endif 110 111 #ifdef HAVE_OS_PROTO_H 112 #include "os-proto.h" 113 #endif 114 115 #define JMP(c) ((c)|BPF_JMP|BPF_K) 116 117 /* Locals */ 118 static jmp_buf top_ctx; 119 static pcap_t *bpf_pcap; 120 121 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 122 #ifdef WIN32 123 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 124 #else 125 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 126 #endif 127 128 /* XXX */ 129 #ifdef PCAP_FDDIPAD 130 static int pcap_fddipad; 131 #endif 132 133 /* VARARGS */ 134 void 135 bpf_error(const char *fmt, ...) 136 { 137 va_list ap; 138 139 va_start(ap, fmt); 140 if (bpf_pcap != NULL) 141 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 142 fmt, ap); 143 va_end(ap); 144 longjmp(top_ctx, 1); 145 /* NOTREACHED */ 146 } 147 148 static void init_linktype(pcap_t *); 149 150 static void init_regs(void); 151 static int alloc_reg(void); 152 static void free_reg(int); 153 154 static struct block *root; 155 156 /* 157 * Value passed to gen_load_a() to indicate what the offset argument 158 * is relative to. 159 */ 160 enum e_offrel { 161 OR_PACKET, /* relative to the beginning of the packet */ 162 OR_LINK, /* relative to the beginning of the link-layer header */ 163 OR_MACPL, /* relative to the end of the MAC-layer header */ 164 OR_NET, /* relative to the network-layer header */ 165 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 166 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 167 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 168 }; 169 170 #ifdef INET6 171 /* 172 * As errors are handled by a longjmp, anything allocated must be freed 173 * in the longjmp handler, so it must be reachable from that handler. 174 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 175 * it must be freed with freeaddrinfo(). This variable points to any 176 * addrinfo structure that would need to be freed. 177 */ 178 static struct addrinfo *ai; 179 #endif 180 181 /* 182 * We divy out chunks of memory rather than call malloc each time so 183 * we don't have to worry about leaking memory. It's probably 184 * not a big deal if all this memory was wasted but if this ever 185 * goes into a library that would probably not be a good idea. 186 * 187 * XXX - this *is* in a library.... 188 */ 189 #define NCHUNKS 16 190 #define CHUNK0SIZE 1024 191 struct chunk { 192 u_int n_left; 193 void *m; 194 }; 195 196 static struct chunk chunks[NCHUNKS]; 197 static int cur_chunk; 198 199 static void *newchunk(u_int); 200 static void freechunks(void); 201 static inline struct block *new_block(int); 202 static inline struct slist *new_stmt(int); 203 static struct block *gen_retblk(int); 204 static inline void syntax(void); 205 206 static void backpatch(struct block *, struct block *); 207 static void merge(struct block *, struct block *); 208 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 209 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 210 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 211 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 212 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 213 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 214 bpf_u_int32); 215 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 216 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 217 bpf_u_int32, bpf_u_int32, int, bpf_int32); 218 static struct slist *gen_load_llrel(u_int, u_int); 219 static struct slist *gen_load_macplrel(u_int, u_int); 220 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 221 static struct slist *gen_loadx_iphdrlen(void); 222 static struct block *gen_uncond(int); 223 static inline struct block *gen_true(void); 224 static inline struct block *gen_false(void); 225 static struct block *gen_ether_linktype(int); 226 static struct block *gen_ipnet_linktype(int); 227 static struct block *gen_linux_sll_linktype(int); 228 static struct slist *gen_load_prism_llprefixlen(void); 229 static struct slist *gen_load_avs_llprefixlen(void); 230 static struct slist *gen_load_radiotap_llprefixlen(void); 231 static struct slist *gen_load_ppi_llprefixlen(void); 232 static void insert_compute_vloffsets(struct block *); 233 static struct slist *gen_llprefixlen(void); 234 static struct slist *gen_off_macpl(void); 235 static int ethertype_to_ppptype(int); 236 static struct block *gen_linktype(int); 237 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 238 static struct block *gen_llc_linktype(int); 239 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 240 #ifdef INET6 241 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 242 #endif 243 static struct block *gen_ahostop(const u_char *, int); 244 static struct block *gen_ehostop(const u_char *, int); 245 static struct block *gen_fhostop(const u_char *, int); 246 static struct block *gen_thostop(const u_char *, int); 247 static struct block *gen_wlanhostop(const u_char *, int); 248 static struct block *gen_ipfchostop(const u_char *, int); 249 static struct block *gen_dnhostop(bpf_u_int32, int); 250 static struct block *gen_mpls_linktype(int); 251 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 252 #ifdef INET6 253 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 254 #endif 255 #ifndef INET6 256 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 257 #endif 258 static struct block *gen_ipfrag(void); 259 static struct block *gen_portatom(int, bpf_int32); 260 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 261 #ifdef INET6 262 static struct block *gen_portatom6(int, bpf_int32); 263 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 264 #endif 265 struct block *gen_portop(int, int, int); 266 static struct block *gen_port(int, int, int); 267 struct block *gen_portrangeop(int, int, int, int); 268 static struct block *gen_portrange(int, int, int, int); 269 #ifdef INET6 270 struct block *gen_portop6(int, int, int); 271 static struct block *gen_port6(int, int, int); 272 struct block *gen_portrangeop6(int, int, int, int); 273 static struct block *gen_portrange6(int, int, int, int); 274 #endif 275 static int lookup_proto(const char *, int); 276 static struct block *gen_protochain(int, int, int); 277 static struct block *gen_proto(int, int, int); 278 static struct slist *xfer_to_x(struct arth *); 279 static struct slist *xfer_to_a(struct arth *); 280 static struct block *gen_mac_multicast(int); 281 static struct block *gen_len(int, int); 282 static struct block *gen_check_802_11_data_frame(void); 283 284 static struct block *gen_ppi_dlt_check(void); 285 static struct block *gen_msg_abbrev(int type); 286 287 static void * 288 newchunk(n) 289 u_int n; 290 { 291 struct chunk *cp; 292 int k; 293 size_t size; 294 295 #ifndef __NetBSD__ 296 /* XXX Round up to nearest long. */ 297 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 298 #else 299 /* XXX Round up to structure boundary. */ 300 n = ALIGN(n); 301 #endif 302 303 cp = &chunks[cur_chunk]; 304 if (n > cp->n_left) { 305 ++cp, k = ++cur_chunk; 306 if (k >= NCHUNKS) 307 bpf_error("out of memory"); 308 size = CHUNK0SIZE << k; 309 cp->m = (void *)malloc(size); 310 if (cp->m == NULL) 311 bpf_error("out of memory"); 312 memset((char *)cp->m, 0, size); 313 cp->n_left = size; 314 if (n > size) 315 bpf_error("out of memory"); 316 } 317 cp->n_left -= n; 318 return (void *)((char *)cp->m + cp->n_left); 319 } 320 321 static void 322 freechunks() 323 { 324 int i; 325 326 cur_chunk = 0; 327 for (i = 0; i < NCHUNKS; ++i) 328 if (chunks[i].m != NULL) { 329 free(chunks[i].m); 330 chunks[i].m = NULL; 331 } 332 } 333 334 /* 335 * A strdup whose allocations are freed after code generation is over. 336 */ 337 char * 338 sdup(s) 339 register const char *s; 340 { 341 int n = strlen(s) + 1; 342 char *cp = newchunk(n); 343 344 strlcpy(cp, s, n); 345 return (cp); 346 } 347 348 static inline struct block * 349 new_block(code) 350 int code; 351 { 352 struct block *p; 353 354 p = (struct block *)newchunk(sizeof(*p)); 355 p->s.code = code; 356 p->head = p; 357 358 return p; 359 } 360 361 static inline struct slist * 362 new_stmt(code) 363 int code; 364 { 365 struct slist *p; 366 367 p = (struct slist *)newchunk(sizeof(*p)); 368 p->s.code = code; 369 370 return p; 371 } 372 373 static struct block * 374 gen_retblk(v) 375 int v; 376 { 377 struct block *b = new_block(BPF_RET|BPF_K); 378 379 b->s.k = v; 380 return b; 381 } 382 383 static inline void 384 syntax() 385 { 386 bpf_error("syntax error in filter expression"); 387 } 388 389 static bpf_u_int32 netmask; 390 static int snaplen; 391 int no_optimize; 392 #ifdef WIN32 393 static int 394 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 395 const char *buf, int optimize, bpf_u_int32 mask); 396 397 int 398 pcap_compile(pcap_t *p, struct bpf_program *program, 399 const char *buf, int optimize, bpf_u_int32 mask) 400 { 401 int result; 402 403 EnterCriticalSection(&g_PcapCompileCriticalSection); 404 405 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 406 407 LeaveCriticalSection(&g_PcapCompileCriticalSection); 408 409 return result; 410 } 411 412 static int 413 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 414 const char *buf, int optimize, bpf_u_int32 mask) 415 #else /* WIN32 */ 416 int 417 pcap_compile(pcap_t *p, struct bpf_program *program, 418 const char *buf, int optimize, bpf_u_int32 mask) 419 #endif /* WIN32 */ 420 { 421 extern int n_errors; 422 const char * volatile xbuf = buf; 423 int len; 424 425 no_optimize = 0; 426 n_errors = 0; 427 root = NULL; 428 bpf_pcap = p; 429 init_regs(); 430 if (setjmp(top_ctx)) { 431 #ifdef INET6 432 if (ai != NULL) { 433 freeaddrinfo(ai); 434 ai = NULL; 435 } 436 #endif 437 lex_cleanup(); 438 freechunks(); 439 return (-1); 440 } 441 442 netmask = mask; 443 444 snaplen = pcap_snapshot(p); 445 if (snaplen == 0) { 446 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 447 "snaplen of 0 rejects all packets"); 448 return -1; 449 } 450 451 lex_init(xbuf ? xbuf : ""); 452 init_linktype(p); 453 (void)pcap_parse(); 454 455 if (n_errors) 456 syntax(); 457 458 if (root == NULL) 459 root = gen_retblk(snaplen); 460 461 if (optimize && !no_optimize) { 462 bpf_optimize(&root); 463 if (root == NULL || 464 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 465 bpf_error("expression rejects all packets"); 466 } 467 program->bf_insns = icode_to_fcode(root, &len); 468 program->bf_len = len; 469 470 lex_cleanup(); 471 freechunks(); 472 return (0); 473 } 474 475 /* 476 * entry point for using the compiler with no pcap open 477 * pass in all the stuff that is needed explicitly instead. 478 */ 479 int 480 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 481 struct bpf_program *program, 482 const char *buf, int optimize, bpf_u_int32 mask) 483 { 484 pcap_t *p; 485 int ret; 486 487 p = pcap_open_dead(linktype_arg, snaplen_arg); 488 if (p == NULL) 489 return (-1); 490 ret = pcap_compile(p, program, buf, optimize, mask); 491 pcap_close(p); 492 return (ret); 493 } 494 495 /* 496 * Clean up a "struct bpf_program" by freeing all the memory allocated 497 * in it. 498 */ 499 void 500 pcap_freecode(struct bpf_program *program) 501 { 502 program->bf_len = 0; 503 if (program->bf_insns != NULL) { 504 free((char *)program->bf_insns); 505 program->bf_insns = NULL; 506 } 507 } 508 509 /* 510 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 511 * which of the jt and jf fields has been resolved and which is a pointer 512 * back to another unresolved block (or nil). At least one of the fields 513 * in each block is already resolved. 514 */ 515 static void 516 backpatch(list, target) 517 struct block *list, *target; 518 { 519 struct block *next; 520 521 while (list) { 522 if (!list->sense) { 523 next = JT(list); 524 JT(list) = target; 525 } else { 526 next = JF(list); 527 JF(list) = target; 528 } 529 list = next; 530 } 531 } 532 533 /* 534 * Merge the lists in b0 and b1, using the 'sense' field to indicate 535 * which of jt and jf is the link. 536 */ 537 static void 538 merge(b0, b1) 539 struct block *b0, *b1; 540 { 541 register struct block **p = &b0; 542 543 /* Find end of list. */ 544 while (*p) 545 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 546 547 /* Concatenate the lists. */ 548 *p = b1; 549 } 550 551 void 552 finish_parse(p) 553 struct block *p; 554 { 555 struct block *ppi_dlt_check; 556 557 /* 558 * Insert before the statements of the first (root) block any 559 * statements needed to load the lengths of any variable-length 560 * headers into registers. 561 * 562 * XXX - a fancier strategy would be to insert those before the 563 * statements of all blocks that use those lengths and that 564 * have no predecessors that use them, so that we only compute 565 * the lengths if we need them. There might be even better 566 * approaches than that. 567 * 568 * However, those strategies would be more complicated, and 569 * as we don't generate code to compute a length if the 570 * program has no tests that use the length, and as most 571 * tests will probably use those lengths, we would just 572 * postpone computing the lengths so that it's not done 573 * for tests that fail early, and it's not clear that's 574 * worth the effort. 575 */ 576 insert_compute_vloffsets(p->head); 577 578 /* 579 * For DLT_PPI captures, generate a check of the per-packet 580 * DLT value to make sure it's DLT_IEEE802_11. 581 */ 582 ppi_dlt_check = gen_ppi_dlt_check(); 583 if (ppi_dlt_check != NULL) 584 gen_and(ppi_dlt_check, p); 585 586 backpatch(p, gen_retblk(snaplen)); 587 p->sense = !p->sense; 588 backpatch(p, gen_retblk(0)); 589 root = p->head; 590 } 591 592 void 593 gen_and(b0, b1) 594 struct block *b0, *b1; 595 { 596 backpatch(b0, b1->head); 597 b0->sense = !b0->sense; 598 b1->sense = !b1->sense; 599 merge(b1, b0); 600 b1->sense = !b1->sense; 601 b1->head = b0->head; 602 } 603 604 void 605 gen_or(b0, b1) 606 struct block *b0, *b1; 607 { 608 b0->sense = !b0->sense; 609 backpatch(b0, b1->head); 610 b0->sense = !b0->sense; 611 merge(b1, b0); 612 b1->head = b0->head; 613 } 614 615 void 616 gen_not(b) 617 struct block *b; 618 { 619 b->sense = !b->sense; 620 } 621 622 static struct block * 623 gen_cmp(offrel, offset, size, v) 624 enum e_offrel offrel; 625 u_int offset, size; 626 bpf_int32 v; 627 { 628 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 629 } 630 631 static struct block * 632 gen_cmp_gt(offrel, offset, size, v) 633 enum e_offrel offrel; 634 u_int offset, size; 635 bpf_int32 v; 636 { 637 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 638 } 639 640 static struct block * 641 gen_cmp_ge(offrel, offset, size, v) 642 enum e_offrel offrel; 643 u_int offset, size; 644 bpf_int32 v; 645 { 646 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 647 } 648 649 static struct block * 650 gen_cmp_lt(offrel, offset, size, v) 651 enum e_offrel offrel; 652 u_int offset, size; 653 bpf_int32 v; 654 { 655 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 656 } 657 658 static struct block * 659 gen_cmp_le(offrel, offset, size, v) 660 enum e_offrel offrel; 661 u_int offset, size; 662 bpf_int32 v; 663 { 664 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 665 } 666 667 static struct block * 668 gen_mcmp(offrel, offset, size, v, mask) 669 enum e_offrel offrel; 670 u_int offset, size; 671 bpf_int32 v; 672 bpf_u_int32 mask; 673 { 674 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 675 } 676 677 static struct block * 678 gen_bcmp(offrel, offset, size, v) 679 enum e_offrel offrel; 680 register u_int offset, size; 681 register const u_char *v; 682 { 683 register struct block *b, *tmp; 684 685 b = NULL; 686 while (size >= 4) { 687 register const u_char *p = &v[size - 4]; 688 bpf_int32 w = ((bpf_int32)p[0] << 24) | 689 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 690 691 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 692 if (b != NULL) 693 gen_and(b, tmp); 694 b = tmp; 695 size -= 4; 696 } 697 while (size >= 2) { 698 register const u_char *p = &v[size - 2]; 699 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 700 701 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 702 if (b != NULL) 703 gen_and(b, tmp); 704 b = tmp; 705 size -= 2; 706 } 707 if (size > 0) { 708 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 709 if (b != NULL) 710 gen_and(b, tmp); 711 b = tmp; 712 } 713 return b; 714 } 715 716 /* 717 * AND the field of size "size" at offset "offset" relative to the header 718 * specified by "offrel" with "mask", and compare it with the value "v" 719 * with the test specified by "jtype"; if "reverse" is true, the test 720 * should test the opposite of "jtype". 721 */ 722 static struct block * 723 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 724 enum e_offrel offrel; 725 bpf_int32 v; 726 bpf_u_int32 offset, size, mask, jtype; 727 int reverse; 728 { 729 struct slist *s, *s2; 730 struct block *b; 731 732 s = gen_load_a(offrel, offset, size); 733 734 if (mask != 0xffffffff) { 735 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 736 s2->s.k = mask; 737 sappend(s, s2); 738 } 739 740 b = new_block(JMP(jtype)); 741 b->stmts = s; 742 b->s.k = v; 743 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 744 gen_not(b); 745 return b; 746 } 747 748 /* 749 * Various code constructs need to know the layout of the data link 750 * layer. These variables give the necessary offsets from the beginning 751 * of the packet data. 752 */ 753 754 /* 755 * This is the offset of the beginning of the link-layer header from 756 * the beginning of the raw packet data. 757 * 758 * It's usually 0, except for 802.11 with a fixed-length radio header. 759 * (For 802.11 with a variable-length radio header, we have to generate 760 * code to compute that offset; off_ll is 0 in that case.) 761 */ 762 static u_int off_ll; 763 764 /* 765 * If there's a variable-length header preceding the link-layer header, 766 * "reg_off_ll" is the register number for a register containing the 767 * length of that header, and therefore the offset of the link-layer 768 * header from the beginning of the raw packet data. Otherwise, 769 * "reg_off_ll" is -1. 770 */ 771 static int reg_off_ll; 772 773 /* 774 * This is the offset of the beginning of the MAC-layer header from 775 * the beginning of the link-layer header. 776 * It's usually 0, except for ATM LANE, where it's the offset, relative 777 * to the beginning of the raw packet data, of the Ethernet header. 778 */ 779 static u_int off_mac; 780 781 /* 782 * This is the offset of the beginning of the MAC-layer payload, 783 * from the beginning of the raw packet data. 784 * 785 * I.e., it's the sum of the length of the link-layer header (without, 786 * for example, any 802.2 LLC header, so it's the MAC-layer 787 * portion of that header), plus any prefix preceding the 788 * link-layer header. 789 */ 790 static u_int off_macpl; 791 792 /* 793 * This is 1 if the offset of the beginning of the MAC-layer payload 794 * from the beginning of the link-layer header is variable-length. 795 */ 796 static int off_macpl_is_variable; 797 798 /* 799 * If the link layer has variable_length headers, "reg_off_macpl" 800 * is the register number for a register containing the length of the 801 * link-layer header plus the length of any variable-length header 802 * preceding the link-layer header. Otherwise, "reg_off_macpl" 803 * is -1. 804 */ 805 static int reg_off_macpl; 806 807 /* 808 * "off_linktype" is the offset to information in the link-layer header 809 * giving the packet type. This offset is relative to the beginning 810 * of the link-layer header (i.e., it doesn't include off_ll). 811 * 812 * For Ethernet, it's the offset of the Ethernet type field. 813 * 814 * For link-layer types that always use 802.2 headers, it's the 815 * offset of the LLC header. 816 * 817 * For PPP, it's the offset of the PPP type field. 818 * 819 * For Cisco HDLC, it's the offset of the CHDLC type field. 820 * 821 * For BSD loopback, it's the offset of the AF_ value. 822 * 823 * For Linux cooked sockets, it's the offset of the type field. 824 * 825 * It's set to -1 for no encapsulation, in which case, IP is assumed. 826 */ 827 static u_int off_linktype; 828 829 /* 830 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 831 * checks to check the PPP header, assumed to follow a LAN-style link- 832 * layer header and a PPPoE session header. 833 */ 834 static int is_pppoes = 0; 835 836 /* 837 * TRUE if the link layer includes an ATM pseudo-header. 838 */ 839 static int is_atm = 0; 840 841 /* 842 * TRUE if "lane" appeared in the filter; it causes us to generate 843 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 844 */ 845 static int is_lane = 0; 846 847 /* 848 * These are offsets for the ATM pseudo-header. 849 */ 850 static u_int off_vpi; 851 static u_int off_vci; 852 static u_int off_proto; 853 854 /* 855 * These are offsets for the MTP2 fields. 856 */ 857 static u_int off_li; 858 859 /* 860 * These are offsets for the MTP3 fields. 861 */ 862 static u_int off_sio; 863 static u_int off_opc; 864 static u_int off_dpc; 865 static u_int off_sls; 866 867 /* 868 * This is the offset of the first byte after the ATM pseudo_header, 869 * or -1 if there is no ATM pseudo-header. 870 */ 871 static u_int off_payload; 872 873 /* 874 * These are offsets to the beginning of the network-layer header. 875 * They are relative to the beginning of the MAC-layer payload (i.e., 876 * they don't include off_ll or off_macpl). 877 * 878 * If the link layer never uses 802.2 LLC: 879 * 880 * "off_nl" and "off_nl_nosnap" are the same. 881 * 882 * If the link layer always uses 802.2 LLC: 883 * 884 * "off_nl" is the offset if there's a SNAP header following 885 * the 802.2 header; 886 * 887 * "off_nl_nosnap" is the offset if there's no SNAP header. 888 * 889 * If the link layer is Ethernet: 890 * 891 * "off_nl" is the offset if the packet is an Ethernet II packet 892 * (we assume no 802.3+802.2+SNAP); 893 * 894 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 895 * with an 802.2 header following it. 896 */ 897 static u_int off_nl; 898 static u_int off_nl_nosnap; 899 900 static int linktype; 901 902 static void 903 init_linktype(p) 904 pcap_t *p; 905 { 906 linktype = pcap_datalink(p); 907 #ifdef PCAP_FDDIPAD 908 pcap_fddipad = p->fddipad; 909 #endif 910 911 /* 912 * Assume it's not raw ATM with a pseudo-header, for now. 913 */ 914 off_mac = 0; 915 is_atm = 0; 916 is_lane = 0; 917 off_vpi = -1; 918 off_vci = -1; 919 off_proto = -1; 920 off_payload = -1; 921 922 /* 923 * And that we're not doing PPPoE. 924 */ 925 is_pppoes = 0; 926 927 /* 928 * And assume we're not doing SS7. 929 */ 930 off_li = -1; 931 off_sio = -1; 932 off_opc = -1; 933 off_dpc = -1; 934 off_sls = -1; 935 936 /* 937 * Also assume it's not 802.11. 938 */ 939 off_ll = 0; 940 off_macpl = 0; 941 off_macpl_is_variable = 0; 942 943 orig_linktype = -1; 944 orig_nl = -1; 945 label_stack_depth = 0; 946 947 reg_off_ll = -1; 948 reg_off_macpl = -1; 949 950 switch (linktype) { 951 952 case DLT_ARCNET: 953 off_linktype = 2; 954 off_macpl = 6; 955 off_nl = 0; /* XXX in reality, variable! */ 956 off_nl_nosnap = 0; /* no 802.2 LLC */ 957 return; 958 959 case DLT_ARCNET_LINUX: 960 off_linktype = 4; 961 off_macpl = 8; 962 off_nl = 0; /* XXX in reality, variable! */ 963 off_nl_nosnap = 0; /* no 802.2 LLC */ 964 return; 965 966 case DLT_EN10MB: 967 off_linktype = 12; 968 off_macpl = 14; /* Ethernet header length */ 969 off_nl = 0; /* Ethernet II */ 970 off_nl_nosnap = 3; /* 802.3+802.2 */ 971 return; 972 973 case DLT_SLIP: 974 /* 975 * SLIP doesn't have a link level type. The 16 byte 976 * header is hacked into our SLIP driver. 977 */ 978 off_linktype = -1; 979 off_macpl = 16; 980 off_nl = 0; 981 off_nl_nosnap = 0; /* no 802.2 LLC */ 982 return; 983 984 case DLT_SLIP_BSDOS: 985 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 986 off_linktype = -1; 987 /* XXX end */ 988 off_macpl = 24; 989 off_nl = 0; 990 off_nl_nosnap = 0; /* no 802.2 LLC */ 991 return; 992 993 case DLT_NULL: 994 case DLT_LOOP: 995 off_linktype = 0; 996 off_macpl = 4; 997 off_nl = 0; 998 off_nl_nosnap = 0; /* no 802.2 LLC */ 999 return; 1000 1001 case DLT_ENC: 1002 off_linktype = 0; 1003 off_macpl = 12; 1004 off_nl = 0; 1005 off_nl_nosnap = 0; /* no 802.2 LLC */ 1006 return; 1007 1008 case DLT_PPP: 1009 case DLT_PPP_PPPD: 1010 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1011 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1012 off_linktype = 2; 1013 off_macpl = 4; 1014 off_nl = 0; 1015 off_nl_nosnap = 0; /* no 802.2 LLC */ 1016 return; 1017 1018 case DLT_PPP_ETHER: 1019 /* 1020 * This does no include the Ethernet header, and 1021 * only covers session state. 1022 */ 1023 off_linktype = 6; 1024 off_macpl = 8; 1025 off_nl = 0; 1026 off_nl_nosnap = 0; /* no 802.2 LLC */ 1027 return; 1028 1029 case DLT_PPP_BSDOS: 1030 off_linktype = 5; 1031 off_macpl = 24; 1032 off_nl = 0; 1033 off_nl_nosnap = 0; /* no 802.2 LLC */ 1034 return; 1035 1036 case DLT_FDDI: 1037 /* 1038 * FDDI doesn't really have a link-level type field. 1039 * We set "off_linktype" to the offset of the LLC header. 1040 * 1041 * To check for Ethernet types, we assume that SSAP = SNAP 1042 * is being used and pick out the encapsulated Ethernet type. 1043 * XXX - should we generate code to check for SNAP? 1044 */ 1045 off_linktype = 13; 1046 #ifdef PCAP_FDDIPAD 1047 off_linktype += pcap_fddipad; 1048 #endif 1049 off_macpl = 13; /* FDDI MAC header length */ 1050 #ifdef PCAP_FDDIPAD 1051 off_macpl += pcap_fddipad; 1052 #endif 1053 off_nl = 8; /* 802.2+SNAP */ 1054 off_nl_nosnap = 3; /* 802.2 */ 1055 return; 1056 1057 case DLT_IEEE802: 1058 /* 1059 * Token Ring doesn't really have a link-level type field. 1060 * We set "off_linktype" to the offset of the LLC header. 1061 * 1062 * To check for Ethernet types, we assume that SSAP = SNAP 1063 * is being used and pick out the encapsulated Ethernet type. 1064 * XXX - should we generate code to check for SNAP? 1065 * 1066 * XXX - the header is actually variable-length. 1067 * Some various Linux patched versions gave 38 1068 * as "off_linktype" and 40 as "off_nl"; however, 1069 * if a token ring packet has *no* routing 1070 * information, i.e. is not source-routed, the correct 1071 * values are 20 and 22, as they are in the vanilla code. 1072 * 1073 * A packet is source-routed iff the uppermost bit 1074 * of the first byte of the source address, at an 1075 * offset of 8, has the uppermost bit set. If the 1076 * packet is source-routed, the total number of bytes 1077 * of routing information is 2 plus bits 0x1F00 of 1078 * the 16-bit value at an offset of 14 (shifted right 1079 * 8 - figure out which byte that is). 1080 */ 1081 off_linktype = 14; 1082 off_macpl = 14; /* Token Ring MAC header length */ 1083 off_nl = 8; /* 802.2+SNAP */ 1084 off_nl_nosnap = 3; /* 802.2 */ 1085 return; 1086 1087 case DLT_IEEE802_11: 1088 case DLT_PRISM_HEADER: 1089 case DLT_IEEE802_11_RADIO_AVS: 1090 case DLT_IEEE802_11_RADIO: 1091 /* 1092 * 802.11 doesn't really have a link-level type field. 1093 * We set "off_linktype" to the offset of the LLC header. 1094 * 1095 * To check for Ethernet types, we assume that SSAP = SNAP 1096 * is being used and pick out the encapsulated Ethernet type. 1097 * XXX - should we generate code to check for SNAP? 1098 * 1099 * We also handle variable-length radio headers here. 1100 * The Prism header is in theory variable-length, but in 1101 * practice it's always 144 bytes long. However, some 1102 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1103 * sometimes or always supply an AVS header, so we 1104 * have to check whether the radio header is a Prism 1105 * header or an AVS header, so, in practice, it's 1106 * variable-length. 1107 */ 1108 off_linktype = 24; 1109 off_macpl = 0; /* link-layer header is variable-length */ 1110 off_macpl_is_variable = 1; 1111 off_nl = 8; /* 802.2+SNAP */ 1112 off_nl_nosnap = 3; /* 802.2 */ 1113 return; 1114 1115 case DLT_PPI: 1116 /* 1117 * At the moment we treat PPI the same way that we treat 1118 * normal Radiotap encoded packets. The difference is in 1119 * the function that generates the code at the beginning 1120 * to compute the header length. Since this code generator 1121 * of PPI supports bare 802.11 encapsulation only (i.e. 1122 * the encapsulated DLT should be DLT_IEEE802_11) we 1123 * generate code to check for this too. 1124 */ 1125 off_linktype = 24; 1126 off_macpl = 0; /* link-layer header is variable-length */ 1127 off_macpl_is_variable = 1; 1128 off_nl = 8; /* 802.2+SNAP */ 1129 off_nl_nosnap = 3; /* 802.2 */ 1130 return; 1131 1132 case DLT_ATM_RFC1483: 1133 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1134 /* 1135 * assume routed, non-ISO PDUs 1136 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1137 * 1138 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1139 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1140 * latter would presumably be treated the way PPPoE 1141 * should be, so you can do "pppoe and udp port 2049" 1142 * or "pppoa and tcp port 80" and have it check for 1143 * PPPo{A,E} and a PPP protocol of IP and.... 1144 */ 1145 off_linktype = 0; 1146 off_macpl = 0; /* packet begins with LLC header */ 1147 off_nl = 8; /* 802.2+SNAP */ 1148 off_nl_nosnap = 3; /* 802.2 */ 1149 return; 1150 1151 case DLT_SUNATM: 1152 /* 1153 * Full Frontal ATM; you get AALn PDUs with an ATM 1154 * pseudo-header. 1155 */ 1156 is_atm = 1; 1157 off_vpi = SUNATM_VPI_POS; 1158 off_vci = SUNATM_VCI_POS; 1159 off_proto = PROTO_POS; 1160 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1161 off_payload = SUNATM_PKT_BEGIN_POS; 1162 off_linktype = off_payload; 1163 off_macpl = off_payload; /* if LLC-encapsulated */ 1164 off_nl = 8; /* 802.2+SNAP */ 1165 off_nl_nosnap = 3; /* 802.2 */ 1166 return; 1167 1168 case DLT_RAW: 1169 case DLT_IPV4: 1170 case DLT_IPV6: 1171 off_linktype = -1; 1172 off_macpl = 0; 1173 off_nl = 0; 1174 off_nl_nosnap = 0; /* no 802.2 LLC */ 1175 return; 1176 1177 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1178 off_linktype = 14; 1179 off_macpl = 16; 1180 off_nl = 0; 1181 off_nl_nosnap = 0; /* no 802.2 LLC */ 1182 return; 1183 1184 case DLT_LTALK: 1185 /* 1186 * LocalTalk does have a 1-byte type field in the LLAP header, 1187 * but really it just indicates whether there is a "short" or 1188 * "long" DDP packet following. 1189 */ 1190 off_linktype = -1; 1191 off_macpl = 0; 1192 off_nl = 0; 1193 off_nl_nosnap = 0; /* no 802.2 LLC */ 1194 return; 1195 1196 case DLT_IP_OVER_FC: 1197 /* 1198 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1199 * link-level type field. We set "off_linktype" to the 1200 * offset of the LLC header. 1201 * 1202 * To check for Ethernet types, we assume that SSAP = SNAP 1203 * is being used and pick out the encapsulated Ethernet type. 1204 * XXX - should we generate code to check for SNAP? RFC 1205 * 2625 says SNAP should be used. 1206 */ 1207 off_linktype = 16; 1208 off_macpl = 16; 1209 off_nl = 8; /* 802.2+SNAP */ 1210 off_nl_nosnap = 3; /* 802.2 */ 1211 return; 1212 1213 case DLT_FRELAY: 1214 /* 1215 * XXX - we should set this to handle SNAP-encapsulated 1216 * frames (NLPID of 0x80). 1217 */ 1218 off_linktype = -1; 1219 off_macpl = 0; 1220 off_nl = 0; 1221 off_nl_nosnap = 0; /* no 802.2 LLC */ 1222 return; 1223 1224 /* 1225 * the only BPF-interesting FRF.16 frames are non-control frames; 1226 * Frame Relay has a variable length link-layer 1227 * so lets start with offset 4 for now and increments later on (FIXME); 1228 */ 1229 case DLT_MFR: 1230 off_linktype = -1; 1231 off_macpl = 0; 1232 off_nl = 4; 1233 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1234 return; 1235 1236 case DLT_APPLE_IP_OVER_IEEE1394: 1237 off_linktype = 16; 1238 off_macpl = 18; 1239 off_nl = 0; 1240 off_nl_nosnap = 0; /* no 802.2 LLC */ 1241 return; 1242 1243 case DLT_LINUX_IRDA: 1244 /* 1245 * Currently, only raw "link[N:M]" filtering is supported. 1246 */ 1247 off_linktype = -1; 1248 off_macpl = -1; 1249 off_nl = -1; 1250 off_nl_nosnap = -1; 1251 return; 1252 1253 case DLT_DOCSIS: 1254 /* 1255 * Currently, only raw "link[N:M]" filtering is supported. 1256 */ 1257 off_linktype = -1; 1258 off_macpl = -1; 1259 off_nl = -1; 1260 off_nl_nosnap = -1; 1261 return; 1262 1263 case DLT_SYMANTEC_FIREWALL: 1264 off_linktype = 6; 1265 off_macpl = 44; 1266 off_nl = 0; /* Ethernet II */ 1267 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1268 return; 1269 1270 #ifdef HAVE_NET_PFVAR_H 1271 case DLT_PFLOG: 1272 off_linktype = 0; 1273 off_macpl = PFLOG_HDRLEN; 1274 off_nl = 0; 1275 off_nl_nosnap = 0; /* no 802.2 LLC */ 1276 return; 1277 #endif 1278 1279 case DLT_JUNIPER_MFR: 1280 case DLT_JUNIPER_MLFR: 1281 case DLT_JUNIPER_MLPPP: 1282 case DLT_JUNIPER_PPP: 1283 case DLT_JUNIPER_CHDLC: 1284 case DLT_JUNIPER_FRELAY: 1285 off_linktype = 4; 1286 off_macpl = 4; 1287 off_nl = 0; 1288 off_nl_nosnap = -1; /* no 802.2 LLC */ 1289 return; 1290 1291 case DLT_JUNIPER_ATM1: 1292 off_linktype = 4; /* in reality variable between 4-8 */ 1293 off_macpl = 4; /* in reality variable between 4-8 */ 1294 off_nl = 0; 1295 off_nl_nosnap = 10; 1296 return; 1297 1298 case DLT_JUNIPER_ATM2: 1299 off_linktype = 8; /* in reality variable between 8-12 */ 1300 off_macpl = 8; /* in reality variable between 8-12 */ 1301 off_nl = 0; 1302 off_nl_nosnap = 10; 1303 return; 1304 1305 /* frames captured on a Juniper PPPoE service PIC 1306 * contain raw ethernet frames */ 1307 case DLT_JUNIPER_PPPOE: 1308 case DLT_JUNIPER_ETHER: 1309 off_macpl = 14; 1310 off_linktype = 16; 1311 off_nl = 18; /* Ethernet II */ 1312 off_nl_nosnap = 21; /* 802.3+802.2 */ 1313 return; 1314 1315 case DLT_JUNIPER_PPPOE_ATM: 1316 off_linktype = 4; 1317 off_macpl = 6; 1318 off_nl = 0; 1319 off_nl_nosnap = -1; /* no 802.2 LLC */ 1320 return; 1321 1322 case DLT_JUNIPER_GGSN: 1323 off_linktype = 6; 1324 off_macpl = 12; 1325 off_nl = 0; 1326 off_nl_nosnap = -1; /* no 802.2 LLC */ 1327 return; 1328 1329 case DLT_JUNIPER_ES: 1330 off_linktype = 6; 1331 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1332 off_nl = -1; /* not really a network layer but raw IP addresses */ 1333 off_nl_nosnap = -1; /* no 802.2 LLC */ 1334 return; 1335 1336 case DLT_JUNIPER_MONITOR: 1337 off_linktype = 12; 1338 off_macpl = 12; 1339 off_nl = 0; /* raw IP/IP6 header */ 1340 off_nl_nosnap = -1; /* no 802.2 LLC */ 1341 return; 1342 1343 case DLT_JUNIPER_SERVICES: 1344 off_linktype = 12; 1345 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1346 off_nl = -1; /* L3 proto location dep. on cookie type */ 1347 off_nl_nosnap = -1; /* no 802.2 LLC */ 1348 return; 1349 1350 case DLT_JUNIPER_VP: 1351 off_linktype = 18; 1352 off_macpl = -1; 1353 off_nl = -1; 1354 off_nl_nosnap = -1; 1355 return; 1356 1357 case DLT_JUNIPER_ST: 1358 off_linktype = 18; 1359 off_macpl = -1; 1360 off_nl = -1; 1361 off_nl_nosnap = -1; 1362 return; 1363 1364 case DLT_JUNIPER_ISM: 1365 off_linktype = 8; 1366 off_macpl = -1; 1367 off_nl = -1; 1368 off_nl_nosnap = -1; 1369 return; 1370 1371 case DLT_MTP2: 1372 off_li = 2; 1373 off_sio = 3; 1374 off_opc = 4; 1375 off_dpc = 4; 1376 off_sls = 7; 1377 off_linktype = -1; 1378 off_macpl = -1; 1379 off_nl = -1; 1380 off_nl_nosnap = -1; 1381 return; 1382 1383 case DLT_MTP2_WITH_PHDR: 1384 off_li = 6; 1385 off_sio = 7; 1386 off_opc = 8; 1387 off_dpc = 8; 1388 off_sls = 11; 1389 off_linktype = -1; 1390 off_macpl = -1; 1391 off_nl = -1; 1392 off_nl_nosnap = -1; 1393 return; 1394 1395 case DLT_ERF: 1396 off_li = 22; 1397 off_sio = 23; 1398 off_opc = 24; 1399 off_dpc = 24; 1400 off_sls = 27; 1401 off_linktype = -1; 1402 off_macpl = -1; 1403 off_nl = -1; 1404 off_nl_nosnap = -1; 1405 return; 1406 1407 #ifdef DLT_PFSYNC 1408 case DLT_PFSYNC: 1409 off_linktype = -1; 1410 off_macpl = 4; 1411 off_nl = 0; 1412 off_nl_nosnap = 0; 1413 return; 1414 #endif 1415 1416 case DLT_LINUX_LAPD: 1417 /* 1418 * Currently, only raw "link[N:M]" filtering is supported. 1419 */ 1420 off_linktype = -1; 1421 off_macpl = -1; 1422 off_nl = -1; 1423 off_nl_nosnap = -1; 1424 return; 1425 1426 case DLT_USB: 1427 /* 1428 * Currently, only raw "link[N:M]" filtering is supported. 1429 */ 1430 off_linktype = -1; 1431 off_macpl = -1; 1432 off_nl = -1; 1433 off_nl_nosnap = -1; 1434 return; 1435 1436 case DLT_BLUETOOTH_HCI_H4: 1437 /* 1438 * Currently, only raw "link[N:M]" filtering is supported. 1439 */ 1440 off_linktype = -1; 1441 off_macpl = -1; 1442 off_nl = -1; 1443 off_nl_nosnap = -1; 1444 return; 1445 1446 case DLT_USB_LINUX: 1447 /* 1448 * Currently, only raw "link[N:M]" filtering is supported. 1449 */ 1450 off_linktype = -1; 1451 off_macpl = -1; 1452 off_nl = -1; 1453 off_nl_nosnap = -1; 1454 return; 1455 1456 case DLT_CAN20B: 1457 /* 1458 * Currently, only raw "link[N:M]" filtering is supported. 1459 */ 1460 off_linktype = -1; 1461 off_macpl = -1; 1462 off_nl = -1; 1463 off_nl_nosnap = -1; 1464 return; 1465 1466 case DLT_IEEE802_15_4_LINUX: 1467 /* 1468 * Currently, only raw "link[N:M]" filtering is supported. 1469 */ 1470 off_linktype = -1; 1471 off_macpl = -1; 1472 off_nl = -1; 1473 off_nl_nosnap = -1; 1474 return; 1475 1476 case DLT_IEEE802_16_MAC_CPS_RADIO: 1477 /* 1478 * Currently, only raw "link[N:M]" filtering is supported. 1479 */ 1480 off_linktype = -1; 1481 off_macpl = -1; 1482 off_nl = -1; 1483 off_nl_nosnap = -1; 1484 return; 1485 1486 case DLT_IEEE802_15_4: 1487 /* 1488 * Currently, only raw "link[N:M]" filtering is supported. 1489 */ 1490 off_linktype = -1; 1491 off_macpl = -1; 1492 off_nl = -1; 1493 off_nl_nosnap = -1; 1494 return; 1495 1496 case DLT_SITA: 1497 /* 1498 * Currently, only raw "link[N:M]" filtering is supported. 1499 */ 1500 off_linktype = -1; 1501 off_macpl = -1; 1502 off_nl = -1; 1503 off_nl_nosnap = -1; 1504 return; 1505 1506 case DLT_RAIF1: 1507 /* 1508 * Currently, only raw "link[N:M]" filtering is supported. 1509 */ 1510 off_linktype = -1; 1511 off_macpl = -1; 1512 off_nl = -1; 1513 off_nl_nosnap = -1; 1514 return; 1515 1516 case DLT_IPMB: 1517 /* 1518 * Currently, only raw "link[N:M]" filtering is supported. 1519 */ 1520 off_linktype = -1; 1521 off_macpl = -1; 1522 off_nl = -1; 1523 off_nl_nosnap = -1; 1524 return; 1525 1526 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 1527 /* 1528 * Currently, only raw "link[N:M]" filtering is supported. 1529 */ 1530 off_linktype = -1; 1531 off_macpl = -1; 1532 off_nl = -1; 1533 off_nl_nosnap = -1; 1534 return; 1535 1536 case DLT_AX25_KISS: 1537 /* 1538 * Currently, only raw "link[N:M]" filtering is supported. 1539 */ 1540 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1541 off_macpl = -1; 1542 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1543 off_nl_nosnap = -1; /* no 802.2 LLC */ 1544 off_mac = 1; /* step over the kiss length byte */ 1545 return; 1546 1547 case DLT_IEEE802_15_4_NONASK_PHY: 1548 /* 1549 * Currently, only raw "link[N:M]" filtering is supported. 1550 */ 1551 off_linktype = -1; 1552 off_macpl = -1; 1553 off_nl = -1; 1554 off_nl_nosnap = -1; 1555 return; 1556 1557 case DLT_MPLS: 1558 /* 1559 * Currently, only raw "link[N:M]" filtering is supported. 1560 */ 1561 off_linktype = -1; 1562 off_macpl = -1; 1563 off_nl = -1; 1564 off_nl_nosnap = -1; 1565 return; 1566 1567 case DLT_USB_LINUX_MMAPPED: 1568 /* 1569 * Currently, only raw "link[N:M]" filtering is supported. 1570 */ 1571 off_linktype = -1; 1572 off_macpl = -1; 1573 off_nl = -1; 1574 off_nl_nosnap = -1; 1575 return; 1576 1577 case DLT_CAN_SOCKETCAN: 1578 /* 1579 * Currently, only raw "link[N:M]" filtering is supported. 1580 */ 1581 off_linktype = -1; 1582 off_macpl = -1; 1583 off_nl = -1; 1584 off_nl_nosnap = -1; 1585 return; 1586 1587 case DLT_IPNET: 1588 off_linktype = 1; 1589 off_macpl = 24; /* ipnet header length */ 1590 off_nl = 0; 1591 off_nl_nosnap = -1; 1592 return; 1593 } 1594 bpf_error("unknown data link type %d", linktype); 1595 /* NOTREACHED */ 1596 } 1597 1598 /* 1599 * Load a value relative to the beginning of the link-layer header. 1600 * The link-layer header doesn't necessarily begin at the beginning 1601 * of the packet data; there might be a variable-length prefix containing 1602 * radio information. 1603 */ 1604 static struct slist * 1605 gen_load_llrel(offset, size) 1606 u_int offset, size; 1607 { 1608 struct slist *s, *s2; 1609 1610 s = gen_llprefixlen(); 1611 1612 /* 1613 * If "s" is non-null, it has code to arrange that the X register 1614 * contains the length of the prefix preceding the link-layer 1615 * header. 1616 * 1617 * Otherwise, the length of the prefix preceding the link-layer 1618 * header is "off_ll". 1619 */ 1620 if (s != NULL) { 1621 /* 1622 * There's a variable-length prefix preceding the 1623 * link-layer header. "s" points to a list of statements 1624 * that put the length of that prefix into the X register. 1625 * do an indirect load, to use the X register as an offset. 1626 */ 1627 s2 = new_stmt(BPF_LD|BPF_IND|size); 1628 s2->s.k = offset; 1629 sappend(s, s2); 1630 } else { 1631 /* 1632 * There is no variable-length header preceding the 1633 * link-layer header; add in off_ll, which, if there's 1634 * a fixed-length header preceding the link-layer header, 1635 * is the length of that header. 1636 */ 1637 s = new_stmt(BPF_LD|BPF_ABS|size); 1638 s->s.k = offset + off_ll; 1639 } 1640 return s; 1641 } 1642 1643 /* 1644 * Load a value relative to the beginning of the MAC-layer payload. 1645 */ 1646 static struct slist * 1647 gen_load_macplrel(offset, size) 1648 u_int offset, size; 1649 { 1650 struct slist *s, *s2; 1651 1652 s = gen_off_macpl(); 1653 1654 /* 1655 * If s is non-null, the offset of the MAC-layer payload is 1656 * variable, and s points to a list of instructions that 1657 * arrange that the X register contains that offset. 1658 * 1659 * Otherwise, the offset of the MAC-layer payload is constant, 1660 * and is in off_macpl. 1661 */ 1662 if (s != NULL) { 1663 /* 1664 * The offset of the MAC-layer payload is in the X 1665 * register. Do an indirect load, to use the X register 1666 * as an offset. 1667 */ 1668 s2 = new_stmt(BPF_LD|BPF_IND|size); 1669 s2->s.k = offset; 1670 sappend(s, s2); 1671 } else { 1672 /* 1673 * The offset of the MAC-layer payload is constant, 1674 * and is in off_macpl; load the value at that offset 1675 * plus the specified offset. 1676 */ 1677 s = new_stmt(BPF_LD|BPF_ABS|size); 1678 s->s.k = off_macpl + offset; 1679 } 1680 return s; 1681 } 1682 1683 /* 1684 * Load a value relative to the beginning of the specified header. 1685 */ 1686 static struct slist * 1687 gen_load_a(offrel, offset, size) 1688 enum e_offrel offrel; 1689 u_int offset, size; 1690 { 1691 struct slist *s, *s2; 1692 1693 switch (offrel) { 1694 1695 case OR_PACKET: 1696 s = new_stmt(BPF_LD|BPF_ABS|size); 1697 s->s.k = offset; 1698 break; 1699 1700 case OR_LINK: 1701 s = gen_load_llrel(offset, size); 1702 break; 1703 1704 case OR_MACPL: 1705 s = gen_load_macplrel(offset, size); 1706 break; 1707 1708 case OR_NET: 1709 s = gen_load_macplrel(off_nl + offset, size); 1710 break; 1711 1712 case OR_NET_NOSNAP: 1713 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1714 break; 1715 1716 case OR_TRAN_IPV4: 1717 /* 1718 * Load the X register with the length of the IPv4 header 1719 * (plus the offset of the link-layer header, if it's 1720 * preceded by a variable-length header such as a radio 1721 * header), in bytes. 1722 */ 1723 s = gen_loadx_iphdrlen(); 1724 1725 /* 1726 * Load the item at {offset of the MAC-layer payload} + 1727 * {offset, relative to the start of the MAC-layer 1728 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1729 * {specified offset}. 1730 * 1731 * (If the offset of the MAC-layer payload is variable, 1732 * it's included in the value in the X register, and 1733 * off_macpl is 0.) 1734 */ 1735 s2 = new_stmt(BPF_LD|BPF_IND|size); 1736 s2->s.k = off_macpl + off_nl + offset; 1737 sappend(s, s2); 1738 break; 1739 1740 case OR_TRAN_IPV6: 1741 s = gen_load_macplrel(off_nl + 40 + offset, size); 1742 break; 1743 1744 default: 1745 abort(); 1746 return NULL; 1747 } 1748 return s; 1749 } 1750 1751 /* 1752 * Generate code to load into the X register the sum of the length of 1753 * the IPv4 header and any variable-length header preceding the link-layer 1754 * header. 1755 */ 1756 static struct slist * 1757 gen_loadx_iphdrlen() 1758 { 1759 struct slist *s, *s2; 1760 1761 s = gen_off_macpl(); 1762 if (s != NULL) { 1763 /* 1764 * There's a variable-length prefix preceding the 1765 * link-layer header, or the link-layer header is itself 1766 * variable-length. "s" points to a list of statements 1767 * that put the offset of the MAC-layer payload into 1768 * the X register. 1769 * 1770 * The 4*([k]&0xf) addressing mode can't be used, as we 1771 * don't have a constant offset, so we have to load the 1772 * value in question into the A register and add to it 1773 * the value from the X register. 1774 */ 1775 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1776 s2->s.k = off_nl; 1777 sappend(s, s2); 1778 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1779 s2->s.k = 0xf; 1780 sappend(s, s2); 1781 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1782 s2->s.k = 2; 1783 sappend(s, s2); 1784 1785 /* 1786 * The A register now contains the length of the 1787 * IP header. We need to add to it the offset of 1788 * the MAC-layer payload, which is still in the X 1789 * register, and move the result into the X register. 1790 */ 1791 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1792 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1793 } else { 1794 /* 1795 * There is no variable-length header preceding the 1796 * link-layer header, and the link-layer header is 1797 * fixed-length; load the length of the IPv4 header, 1798 * which is at an offset of off_nl from the beginning 1799 * of the MAC-layer payload, and thus at an offset 1800 * of off_mac_pl + off_nl from the beginning of the 1801 * raw packet data. 1802 */ 1803 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1804 s->s.k = off_macpl + off_nl; 1805 } 1806 return s; 1807 } 1808 1809 static struct block * 1810 gen_uncond(rsense) 1811 int rsense; 1812 { 1813 struct block *b; 1814 struct slist *s; 1815 1816 s = new_stmt(BPF_LD|BPF_IMM); 1817 s->s.k = !rsense; 1818 b = new_block(JMP(BPF_JEQ)); 1819 b->stmts = s; 1820 1821 return b; 1822 } 1823 1824 static inline struct block * 1825 gen_true() 1826 { 1827 return gen_uncond(1); 1828 } 1829 1830 static inline struct block * 1831 gen_false() 1832 { 1833 return gen_uncond(0); 1834 } 1835 1836 /* 1837 * Byte-swap a 32-bit number. 1838 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1839 * big-endian platforms.) 1840 */ 1841 #define SWAPLONG(y) \ 1842 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1843 1844 /* 1845 * Generate code to match a particular packet type. 1846 * 1847 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1848 * value, if <= ETHERMTU. We use that to determine whether to 1849 * match the type/length field or to check the type/length field for 1850 * a value <= ETHERMTU to see whether it's a type field and then do 1851 * the appropriate test. 1852 */ 1853 static struct block * 1854 gen_ether_linktype(proto) 1855 register int proto; 1856 { 1857 struct block *b0, *b1; 1858 1859 switch (proto) { 1860 1861 case LLCSAP_ISONS: 1862 case LLCSAP_IP: 1863 case LLCSAP_NETBEUI: 1864 /* 1865 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1866 * so we check the DSAP and SSAP. 1867 * 1868 * LLCSAP_IP checks for IP-over-802.2, rather 1869 * than IP-over-Ethernet or IP-over-SNAP. 1870 * 1871 * XXX - should we check both the DSAP and the 1872 * SSAP, like this, or should we check just the 1873 * DSAP, as we do for other types <= ETHERMTU 1874 * (i.e., other SAP values)? 1875 */ 1876 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1877 gen_not(b0); 1878 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1879 ((proto << 8) | proto)); 1880 gen_and(b0, b1); 1881 return b1; 1882 1883 case LLCSAP_IPX: 1884 /* 1885 * Check for; 1886 * 1887 * Ethernet_II frames, which are Ethernet 1888 * frames with a frame type of ETHERTYPE_IPX; 1889 * 1890 * Ethernet_802.3 frames, which are 802.3 1891 * frames (i.e., the type/length field is 1892 * a length field, <= ETHERMTU, rather than 1893 * a type field) with the first two bytes 1894 * after the Ethernet/802.3 header being 1895 * 0xFFFF; 1896 * 1897 * Ethernet_802.2 frames, which are 802.3 1898 * frames with an 802.2 LLC header and 1899 * with the IPX LSAP as the DSAP in the LLC 1900 * header; 1901 * 1902 * Ethernet_SNAP frames, which are 802.3 1903 * frames with an LLC header and a SNAP 1904 * header and with an OUI of 0x000000 1905 * (encapsulated Ethernet) and a protocol 1906 * ID of ETHERTYPE_IPX in the SNAP header. 1907 * 1908 * XXX - should we generate the same code both 1909 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1910 */ 1911 1912 /* 1913 * This generates code to check both for the 1914 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1915 */ 1916 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1917 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1918 gen_or(b0, b1); 1919 1920 /* 1921 * Now we add code to check for SNAP frames with 1922 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1923 */ 1924 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1925 gen_or(b0, b1); 1926 1927 /* 1928 * Now we generate code to check for 802.3 1929 * frames in general. 1930 */ 1931 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1932 gen_not(b0); 1933 1934 /* 1935 * Now add the check for 802.3 frames before the 1936 * check for Ethernet_802.2 and Ethernet_802.3, 1937 * as those checks should only be done on 802.3 1938 * frames, not on Ethernet frames. 1939 */ 1940 gen_and(b0, b1); 1941 1942 /* 1943 * Now add the check for Ethernet_II frames, and 1944 * do that before checking for the other frame 1945 * types. 1946 */ 1947 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1948 (bpf_int32)ETHERTYPE_IPX); 1949 gen_or(b0, b1); 1950 return b1; 1951 1952 case ETHERTYPE_ATALK: 1953 case ETHERTYPE_AARP: 1954 /* 1955 * EtherTalk (AppleTalk protocols on Ethernet link 1956 * layer) may use 802.2 encapsulation. 1957 */ 1958 1959 /* 1960 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1961 * we check for an Ethernet type field less than 1962 * 1500, which means it's an 802.3 length field. 1963 */ 1964 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1965 gen_not(b0); 1966 1967 /* 1968 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1969 * SNAP packets with an organization code of 1970 * 0x080007 (Apple, for Appletalk) and a protocol 1971 * type of ETHERTYPE_ATALK (Appletalk). 1972 * 1973 * 802.2-encapsulated ETHERTYPE_AARP packets are 1974 * SNAP packets with an organization code of 1975 * 0x000000 (encapsulated Ethernet) and a protocol 1976 * type of ETHERTYPE_AARP (Appletalk ARP). 1977 */ 1978 if (proto == ETHERTYPE_ATALK) 1979 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1980 else /* proto == ETHERTYPE_AARP */ 1981 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1982 gen_and(b0, b1); 1983 1984 /* 1985 * Check for Ethernet encapsulation (Ethertalk 1986 * phase 1?); we just check for the Ethernet 1987 * protocol type. 1988 */ 1989 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1990 1991 gen_or(b0, b1); 1992 return b1; 1993 1994 default: 1995 if (proto <= ETHERMTU) { 1996 /* 1997 * This is an LLC SAP value, so the frames 1998 * that match would be 802.2 frames. 1999 * Check that the frame is an 802.2 frame 2000 * (i.e., that the length/type field is 2001 * a length field, <= ETHERMTU) and 2002 * then check the DSAP. 2003 */ 2004 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 2005 gen_not(b0); 2006 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 2007 (bpf_int32)proto); 2008 gen_and(b0, b1); 2009 return b1; 2010 } else { 2011 /* 2012 * This is an Ethernet type, so compare 2013 * the length/type field with it (if 2014 * the frame is an 802.2 frame, the length 2015 * field will be <= ETHERMTU, and, as 2016 * "proto" is > ETHERMTU, this test 2017 * will fail and the frame won't match, 2018 * which is what we want). 2019 */ 2020 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2021 (bpf_int32)proto); 2022 } 2023 } 2024 } 2025 2026 /* 2027 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2028 * or IPv6 then we have an error. 2029 */ 2030 static struct block * 2031 gen_ipnet_linktype(proto) 2032 register int proto; 2033 { 2034 switch (proto) { 2035 2036 case ETHERTYPE_IP: 2037 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2038 (bpf_int32)IPH_AF_INET); 2039 /* NOTREACHED */ 2040 2041 case ETHERTYPE_IPV6: 2042 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2043 (bpf_int32)IPH_AF_INET6); 2044 /* NOTREACHED */ 2045 2046 default: 2047 break; 2048 } 2049 2050 return gen_false(); 2051 } 2052 2053 /* 2054 * Generate code to match a particular packet type. 2055 * 2056 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2057 * value, if <= ETHERMTU. We use that to determine whether to 2058 * match the type field or to check the type field for the special 2059 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2060 */ 2061 static struct block * 2062 gen_linux_sll_linktype(proto) 2063 register int proto; 2064 { 2065 struct block *b0, *b1; 2066 2067 switch (proto) { 2068 2069 case LLCSAP_ISONS: 2070 case LLCSAP_IP: 2071 case LLCSAP_NETBEUI: 2072 /* 2073 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2074 * so we check the DSAP and SSAP. 2075 * 2076 * LLCSAP_IP checks for IP-over-802.2, rather 2077 * than IP-over-Ethernet or IP-over-SNAP. 2078 * 2079 * XXX - should we check both the DSAP and the 2080 * SSAP, like this, or should we check just the 2081 * DSAP, as we do for other types <= ETHERMTU 2082 * (i.e., other SAP values)? 2083 */ 2084 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2085 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 2086 ((proto << 8) | proto)); 2087 gen_and(b0, b1); 2088 return b1; 2089 2090 case LLCSAP_IPX: 2091 /* 2092 * Ethernet_II frames, which are Ethernet 2093 * frames with a frame type of ETHERTYPE_IPX; 2094 * 2095 * Ethernet_802.3 frames, which have a frame 2096 * type of LINUX_SLL_P_802_3; 2097 * 2098 * Ethernet_802.2 frames, which are 802.3 2099 * frames with an 802.2 LLC header (i.e, have 2100 * a frame type of LINUX_SLL_P_802_2) and 2101 * with the IPX LSAP as the DSAP in the LLC 2102 * header; 2103 * 2104 * Ethernet_SNAP frames, which are 802.3 2105 * frames with an LLC header and a SNAP 2106 * header and with an OUI of 0x000000 2107 * (encapsulated Ethernet) and a protocol 2108 * ID of ETHERTYPE_IPX in the SNAP header. 2109 * 2110 * First, do the checks on LINUX_SLL_P_802_2 2111 * frames; generate the check for either 2112 * Ethernet_802.2 or Ethernet_SNAP frames, and 2113 * then put a check for LINUX_SLL_P_802_2 frames 2114 * before it. 2115 */ 2116 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2117 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2118 gen_or(b0, b1); 2119 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2120 gen_and(b0, b1); 2121 2122 /* 2123 * Now check for 802.3 frames and OR that with 2124 * the previous test. 2125 */ 2126 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2127 gen_or(b0, b1); 2128 2129 /* 2130 * Now add the check for Ethernet_II frames, and 2131 * do that before checking for the other frame 2132 * types. 2133 */ 2134 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2135 (bpf_int32)ETHERTYPE_IPX); 2136 gen_or(b0, b1); 2137 return b1; 2138 2139 case ETHERTYPE_ATALK: 2140 case ETHERTYPE_AARP: 2141 /* 2142 * EtherTalk (AppleTalk protocols on Ethernet link 2143 * layer) may use 802.2 encapsulation. 2144 */ 2145 2146 /* 2147 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2148 * we check for the 802.2 protocol type in the 2149 * "Ethernet type" field. 2150 */ 2151 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2152 2153 /* 2154 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2155 * SNAP packets with an organization code of 2156 * 0x080007 (Apple, for Appletalk) and a protocol 2157 * type of ETHERTYPE_ATALK (Appletalk). 2158 * 2159 * 802.2-encapsulated ETHERTYPE_AARP packets are 2160 * SNAP packets with an organization code of 2161 * 0x000000 (encapsulated Ethernet) and a protocol 2162 * type of ETHERTYPE_AARP (Appletalk ARP). 2163 */ 2164 if (proto == ETHERTYPE_ATALK) 2165 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2166 else /* proto == ETHERTYPE_AARP */ 2167 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2168 gen_and(b0, b1); 2169 2170 /* 2171 * Check for Ethernet encapsulation (Ethertalk 2172 * phase 1?); we just check for the Ethernet 2173 * protocol type. 2174 */ 2175 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2176 2177 gen_or(b0, b1); 2178 return b1; 2179 2180 default: 2181 if (proto <= ETHERMTU) { 2182 /* 2183 * This is an LLC SAP value, so the frames 2184 * that match would be 802.2 frames. 2185 * Check for the 802.2 protocol type 2186 * in the "Ethernet type" field, and 2187 * then check the DSAP. 2188 */ 2189 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2190 LINUX_SLL_P_802_2); 2191 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2192 (bpf_int32)proto); 2193 gen_and(b0, b1); 2194 return b1; 2195 } else { 2196 /* 2197 * This is an Ethernet type, so compare 2198 * the length/type field with it (if 2199 * the frame is an 802.2 frame, the length 2200 * field will be <= ETHERMTU, and, as 2201 * "proto" is > ETHERMTU, this test 2202 * will fail and the frame won't match, 2203 * which is what we want). 2204 */ 2205 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2206 (bpf_int32)proto); 2207 } 2208 } 2209 } 2210 2211 static struct slist * 2212 gen_load_prism_llprefixlen() 2213 { 2214 struct slist *s1, *s2; 2215 struct slist *sjeq_avs_cookie; 2216 struct slist *sjcommon; 2217 2218 /* 2219 * This code is not compatible with the optimizer, as 2220 * we are generating jmp instructions within a normal 2221 * slist of instructions 2222 */ 2223 no_optimize = 1; 2224 2225 /* 2226 * Generate code to load the length of the radio header into 2227 * the register assigned to hold that length, if one has been 2228 * assigned. (If one hasn't been assigned, no code we've 2229 * generated uses that prefix, so we don't need to generate any 2230 * code to load it.) 2231 * 2232 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2233 * or always use the AVS header rather than the Prism header. 2234 * We load a 4-byte big-endian value at the beginning of the 2235 * raw packet data, and see whether, when masked with 0xFFFFF000, 2236 * it's equal to 0x80211000. If so, that indicates that it's 2237 * an AVS header (the masked-out bits are the version number). 2238 * Otherwise, it's a Prism header. 2239 * 2240 * XXX - the Prism header is also, in theory, variable-length, 2241 * but no known software generates headers that aren't 144 2242 * bytes long. 2243 */ 2244 if (reg_off_ll != -1) { 2245 /* 2246 * Load the cookie. 2247 */ 2248 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2249 s1->s.k = 0; 2250 2251 /* 2252 * AND it with 0xFFFFF000. 2253 */ 2254 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2255 s2->s.k = 0xFFFFF000; 2256 sappend(s1, s2); 2257 2258 /* 2259 * Compare with 0x80211000. 2260 */ 2261 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2262 sjeq_avs_cookie->s.k = 0x80211000; 2263 sappend(s1, sjeq_avs_cookie); 2264 2265 /* 2266 * If it's AVS: 2267 * 2268 * The 4 bytes at an offset of 4 from the beginning of 2269 * the AVS header are the length of the AVS header. 2270 * That field is big-endian. 2271 */ 2272 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2273 s2->s.k = 4; 2274 sappend(s1, s2); 2275 sjeq_avs_cookie->s.jt = s2; 2276 2277 /* 2278 * Now jump to the code to allocate a register 2279 * into which to save the header length and 2280 * store the length there. (The "jump always" 2281 * instruction needs to have the k field set; 2282 * it's added to the PC, so, as we're jumping 2283 * over a single instruction, it should be 1.) 2284 */ 2285 sjcommon = new_stmt(JMP(BPF_JA)); 2286 sjcommon->s.k = 1; 2287 sappend(s1, sjcommon); 2288 2289 /* 2290 * Now for the code that handles the Prism header. 2291 * Just load the length of the Prism header (144) 2292 * into the A register. Have the test for an AVS 2293 * header branch here if we don't have an AVS header. 2294 */ 2295 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2296 s2->s.k = 144; 2297 sappend(s1, s2); 2298 sjeq_avs_cookie->s.jf = s2; 2299 2300 /* 2301 * Now allocate a register to hold that value and store 2302 * it. The code for the AVS header will jump here after 2303 * loading the length of the AVS header. 2304 */ 2305 s2 = new_stmt(BPF_ST); 2306 s2->s.k = reg_off_ll; 2307 sappend(s1, s2); 2308 sjcommon->s.jf = s2; 2309 2310 /* 2311 * Now move it into the X register. 2312 */ 2313 s2 = new_stmt(BPF_MISC|BPF_TAX); 2314 sappend(s1, s2); 2315 2316 return (s1); 2317 } else 2318 return (NULL); 2319 } 2320 2321 static struct slist * 2322 gen_load_avs_llprefixlen() 2323 { 2324 struct slist *s1, *s2; 2325 2326 /* 2327 * Generate code to load the length of the AVS header into 2328 * the register assigned to hold that length, if one has been 2329 * assigned. (If one hasn't been assigned, no code we've 2330 * generated uses that prefix, so we don't need to generate any 2331 * code to load it.) 2332 */ 2333 if (reg_off_ll != -1) { 2334 /* 2335 * The 4 bytes at an offset of 4 from the beginning of 2336 * the AVS header are the length of the AVS header. 2337 * That field is big-endian. 2338 */ 2339 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2340 s1->s.k = 4; 2341 2342 /* 2343 * Now allocate a register to hold that value and store 2344 * it. 2345 */ 2346 s2 = new_stmt(BPF_ST); 2347 s2->s.k = reg_off_ll; 2348 sappend(s1, s2); 2349 2350 /* 2351 * Now move it into the X register. 2352 */ 2353 s2 = new_stmt(BPF_MISC|BPF_TAX); 2354 sappend(s1, s2); 2355 2356 return (s1); 2357 } else 2358 return (NULL); 2359 } 2360 2361 static struct slist * 2362 gen_load_radiotap_llprefixlen() 2363 { 2364 struct slist *s1, *s2; 2365 2366 /* 2367 * Generate code to load the length of the radiotap header into 2368 * the register assigned to hold that length, if one has been 2369 * assigned. (If one hasn't been assigned, no code we've 2370 * generated uses that prefix, so we don't need to generate any 2371 * code to load it.) 2372 */ 2373 if (reg_off_ll != -1) { 2374 /* 2375 * The 2 bytes at offsets of 2 and 3 from the beginning 2376 * of the radiotap header are the length of the radiotap 2377 * header; unfortunately, it's little-endian, so we have 2378 * to load it a byte at a time and construct the value. 2379 */ 2380 2381 /* 2382 * Load the high-order byte, at an offset of 3, shift it 2383 * left a byte, and put the result in the X register. 2384 */ 2385 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2386 s1->s.k = 3; 2387 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2388 sappend(s1, s2); 2389 s2->s.k = 8; 2390 s2 = new_stmt(BPF_MISC|BPF_TAX); 2391 sappend(s1, s2); 2392 2393 /* 2394 * Load the next byte, at an offset of 2, and OR the 2395 * value from the X register into it. 2396 */ 2397 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2398 sappend(s1, s2); 2399 s2->s.k = 2; 2400 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2401 sappend(s1, s2); 2402 2403 /* 2404 * Now allocate a register to hold that value and store 2405 * it. 2406 */ 2407 s2 = new_stmt(BPF_ST); 2408 s2->s.k = reg_off_ll; 2409 sappend(s1, s2); 2410 2411 /* 2412 * Now move it into the X register. 2413 */ 2414 s2 = new_stmt(BPF_MISC|BPF_TAX); 2415 sappend(s1, s2); 2416 2417 return (s1); 2418 } else 2419 return (NULL); 2420 } 2421 2422 /* 2423 * At the moment we treat PPI as normal Radiotap encoded 2424 * packets. The difference is in the function that generates 2425 * the code at the beginning to compute the header length. 2426 * Since this code generator of PPI supports bare 802.11 2427 * encapsulation only (i.e. the encapsulated DLT should be 2428 * DLT_IEEE802_11) we generate code to check for this too; 2429 * that's done in finish_parse(). 2430 */ 2431 static struct slist * 2432 gen_load_ppi_llprefixlen() 2433 { 2434 struct slist *s1, *s2; 2435 2436 /* 2437 * Generate code to load the length of the radiotap header 2438 * into the register assigned to hold that length, if one has 2439 * been assigned. 2440 */ 2441 if (reg_off_ll != -1) { 2442 /* 2443 * The 2 bytes at offsets of 2 and 3 from the beginning 2444 * of the radiotap header are the length of the radiotap 2445 * header; unfortunately, it's little-endian, so we have 2446 * to load it a byte at a time and construct the value. 2447 */ 2448 2449 /* 2450 * Load the high-order byte, at an offset of 3, shift it 2451 * left a byte, and put the result in the X register. 2452 */ 2453 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2454 s1->s.k = 3; 2455 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2456 sappend(s1, s2); 2457 s2->s.k = 8; 2458 s2 = new_stmt(BPF_MISC|BPF_TAX); 2459 sappend(s1, s2); 2460 2461 /* 2462 * Load the next byte, at an offset of 2, and OR the 2463 * value from the X register into it. 2464 */ 2465 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2466 sappend(s1, s2); 2467 s2->s.k = 2; 2468 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2469 sappend(s1, s2); 2470 2471 /* 2472 * Now allocate a register to hold that value and store 2473 * it. 2474 */ 2475 s2 = new_stmt(BPF_ST); 2476 s2->s.k = reg_off_ll; 2477 sappend(s1, s2); 2478 2479 /* 2480 * Now move it into the X register. 2481 */ 2482 s2 = new_stmt(BPF_MISC|BPF_TAX); 2483 sappend(s1, s2); 2484 2485 return (s1); 2486 } else 2487 return (NULL); 2488 } 2489 2490 /* 2491 * Load a value relative to the beginning of the link-layer header after the 802.11 2492 * header, i.e. LLC_SNAP. 2493 * The link-layer header doesn't necessarily begin at the beginning 2494 * of the packet data; there might be a variable-length prefix containing 2495 * radio information. 2496 */ 2497 static struct slist * 2498 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2499 { 2500 struct slist *s2; 2501 struct slist *sjset_data_frame_1; 2502 struct slist *sjset_data_frame_2; 2503 struct slist *sjset_qos; 2504 struct slist *sjset_radiotap_flags; 2505 struct slist *sjset_radiotap_tsft; 2506 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2507 struct slist *s_roundup; 2508 2509 if (reg_off_macpl == -1) { 2510 /* 2511 * No register has been assigned to the offset of 2512 * the MAC-layer payload, which means nobody needs 2513 * it; don't bother computing it - just return 2514 * what we already have. 2515 */ 2516 return (s); 2517 } 2518 2519 /* 2520 * This code is not compatible with the optimizer, as 2521 * we are generating jmp instructions within a normal 2522 * slist of instructions 2523 */ 2524 no_optimize = 1; 2525 2526 /* 2527 * If "s" is non-null, it has code to arrange that the X register 2528 * contains the length of the prefix preceding the link-layer 2529 * header. 2530 * 2531 * Otherwise, the length of the prefix preceding the link-layer 2532 * header is "off_ll". 2533 */ 2534 if (s == NULL) { 2535 /* 2536 * There is no variable-length header preceding the 2537 * link-layer header. 2538 * 2539 * Load the length of the fixed-length prefix preceding 2540 * the link-layer header (if any) into the X register, 2541 * and store it in the reg_off_macpl register. 2542 * That length is off_ll. 2543 */ 2544 s = new_stmt(BPF_LDX|BPF_IMM); 2545 s->s.k = off_ll; 2546 } 2547 2548 /* 2549 * The X register contains the offset of the beginning of the 2550 * link-layer header; add 24, which is the minimum length 2551 * of the MAC header for a data frame, to that, and store it 2552 * in reg_off_macpl, and then load the Frame Control field, 2553 * which is at the offset in the X register, with an indexed load. 2554 */ 2555 s2 = new_stmt(BPF_MISC|BPF_TXA); 2556 sappend(s, s2); 2557 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2558 s2->s.k = 24; 2559 sappend(s, s2); 2560 s2 = new_stmt(BPF_ST); 2561 s2->s.k = reg_off_macpl; 2562 sappend(s, s2); 2563 2564 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2565 s2->s.k = 0; 2566 sappend(s, s2); 2567 2568 /* 2569 * Check the Frame Control field to see if this is a data frame; 2570 * a data frame has the 0x08 bit (b3) in that field set and the 2571 * 0x04 bit (b2) clear. 2572 */ 2573 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2574 sjset_data_frame_1->s.k = 0x08; 2575 sappend(s, sjset_data_frame_1); 2576 2577 /* 2578 * If b3 is set, test b2, otherwise go to the first statement of 2579 * the rest of the program. 2580 */ 2581 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2582 sjset_data_frame_2->s.k = 0x04; 2583 sappend(s, sjset_data_frame_2); 2584 sjset_data_frame_1->s.jf = snext; 2585 2586 /* 2587 * If b2 is not set, this is a data frame; test the QoS bit. 2588 * Otherwise, go to the first statement of the rest of the 2589 * program. 2590 */ 2591 sjset_data_frame_2->s.jt = snext; 2592 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2593 sjset_qos->s.k = 0x80; /* QoS bit */ 2594 sappend(s, sjset_qos); 2595 2596 /* 2597 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2598 * field. 2599 * Otherwise, go to the first statement of the rest of the 2600 * program. 2601 */ 2602 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2603 s2->s.k = reg_off_macpl; 2604 sappend(s, s2); 2605 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2606 s2->s.k = 2; 2607 sappend(s, s2); 2608 s2 = new_stmt(BPF_ST); 2609 s2->s.k = reg_off_macpl; 2610 sappend(s, s2); 2611 2612 /* 2613 * If we have a radiotap header, look at it to see whether 2614 * there's Atheros padding between the MAC-layer header 2615 * and the payload. 2616 * 2617 * Note: all of the fields in the radiotap header are 2618 * little-endian, so we byte-swap all of the values 2619 * we test against, as they will be loaded as big-endian 2620 * values. 2621 */ 2622 if (linktype == DLT_IEEE802_11_RADIO) { 2623 /* 2624 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2625 * in the presence flag? 2626 */ 2627 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2628 s2->s.k = 4; 2629 sappend(s, s2); 2630 2631 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2632 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2633 sappend(s, sjset_radiotap_flags); 2634 2635 /* 2636 * If not, skip all of this. 2637 */ 2638 sjset_radiotap_flags->s.jf = snext; 2639 2640 /* 2641 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2642 */ 2643 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2644 new_stmt(JMP(BPF_JSET)); 2645 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2646 sappend(s, sjset_radiotap_tsft); 2647 2648 /* 2649 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2650 * at an offset of 16 from the beginning of the raw packet 2651 * data (8 bytes for the radiotap header and 8 bytes for 2652 * the TSFT field). 2653 * 2654 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2655 * is set. 2656 */ 2657 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2658 s2->s.k = 16; 2659 sappend(s, s2); 2660 2661 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2662 sjset_tsft_datapad->s.k = 0x20; 2663 sappend(s, sjset_tsft_datapad); 2664 2665 /* 2666 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2667 * at an offset of 8 from the beginning of the raw packet 2668 * data (8 bytes for the radiotap header). 2669 * 2670 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2671 * is set. 2672 */ 2673 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2674 s2->s.k = 8; 2675 sappend(s, s2); 2676 2677 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2678 sjset_notsft_datapad->s.k = 0x20; 2679 sappend(s, sjset_notsft_datapad); 2680 2681 /* 2682 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2683 * set, round the length of the 802.11 header to 2684 * a multiple of 4. Do that by adding 3 and then 2685 * dividing by and multiplying by 4, which we do by 2686 * ANDing with ~3. 2687 */ 2688 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2689 s_roundup->s.k = reg_off_macpl; 2690 sappend(s, s_roundup); 2691 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2692 s2->s.k = 3; 2693 sappend(s, s2); 2694 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2695 s2->s.k = ~3; 2696 sappend(s, s2); 2697 s2 = new_stmt(BPF_ST); 2698 s2->s.k = reg_off_macpl; 2699 sappend(s, s2); 2700 2701 sjset_tsft_datapad->s.jt = s_roundup; 2702 sjset_tsft_datapad->s.jf = snext; 2703 sjset_notsft_datapad->s.jt = s_roundup; 2704 sjset_notsft_datapad->s.jf = snext; 2705 } else 2706 sjset_qos->s.jf = snext; 2707 2708 return s; 2709 } 2710 2711 static void 2712 insert_compute_vloffsets(b) 2713 struct block *b; 2714 { 2715 struct slist *s; 2716 2717 /* 2718 * For link-layer types that have a variable-length header 2719 * preceding the link-layer header, generate code to load 2720 * the offset of the link-layer header into the register 2721 * assigned to that offset, if any. 2722 */ 2723 switch (linktype) { 2724 2725 case DLT_PRISM_HEADER: 2726 s = gen_load_prism_llprefixlen(); 2727 break; 2728 2729 case DLT_IEEE802_11_RADIO_AVS: 2730 s = gen_load_avs_llprefixlen(); 2731 break; 2732 2733 case DLT_IEEE802_11_RADIO: 2734 s = gen_load_radiotap_llprefixlen(); 2735 break; 2736 2737 case DLT_PPI: 2738 s = gen_load_ppi_llprefixlen(); 2739 break; 2740 2741 default: 2742 s = NULL; 2743 break; 2744 } 2745 2746 /* 2747 * For link-layer types that have a variable-length link-layer 2748 * header, generate code to load the offset of the MAC-layer 2749 * payload into the register assigned to that offset, if any. 2750 */ 2751 switch (linktype) { 2752 2753 case DLT_IEEE802_11: 2754 case DLT_PRISM_HEADER: 2755 case DLT_IEEE802_11_RADIO_AVS: 2756 case DLT_IEEE802_11_RADIO: 2757 case DLT_PPI: 2758 s = gen_load_802_11_header_len(s, b->stmts); 2759 break; 2760 } 2761 2762 /* 2763 * If we have any offset-loading code, append all the 2764 * existing statements in the block to those statements, 2765 * and make the resulting list the list of statements 2766 * for the block. 2767 */ 2768 if (s != NULL) { 2769 sappend(s, b->stmts); 2770 b->stmts = s; 2771 } 2772 } 2773 2774 static struct block * 2775 gen_ppi_dlt_check(void) 2776 { 2777 struct slist *s_load_dlt; 2778 struct block *b; 2779 2780 if (linktype == DLT_PPI) 2781 { 2782 /* Create the statements that check for the DLT 2783 */ 2784 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2785 s_load_dlt->s.k = 4; 2786 2787 b = new_block(JMP(BPF_JEQ)); 2788 2789 b->stmts = s_load_dlt; 2790 b->s.k = SWAPLONG(DLT_IEEE802_11); 2791 } 2792 else 2793 { 2794 b = NULL; 2795 } 2796 2797 return b; 2798 } 2799 2800 static struct slist * 2801 gen_prism_llprefixlen(void) 2802 { 2803 struct slist *s; 2804 2805 if (reg_off_ll == -1) { 2806 /* 2807 * We haven't yet assigned a register for the length 2808 * of the radio header; allocate one. 2809 */ 2810 reg_off_ll = alloc_reg(); 2811 } 2812 2813 /* 2814 * Load the register containing the radio length 2815 * into the X register. 2816 */ 2817 s = new_stmt(BPF_LDX|BPF_MEM); 2818 s->s.k = reg_off_ll; 2819 return s; 2820 } 2821 2822 static struct slist * 2823 gen_avs_llprefixlen(void) 2824 { 2825 struct slist *s; 2826 2827 if (reg_off_ll == -1) { 2828 /* 2829 * We haven't yet assigned a register for the length 2830 * of the AVS header; allocate one. 2831 */ 2832 reg_off_ll = alloc_reg(); 2833 } 2834 2835 /* 2836 * Load the register containing the AVS length 2837 * into the X register. 2838 */ 2839 s = new_stmt(BPF_LDX|BPF_MEM); 2840 s->s.k = reg_off_ll; 2841 return s; 2842 } 2843 2844 static struct slist * 2845 gen_radiotap_llprefixlen(void) 2846 { 2847 struct slist *s; 2848 2849 if (reg_off_ll == -1) { 2850 /* 2851 * We haven't yet assigned a register for the length 2852 * of the radiotap header; allocate one. 2853 */ 2854 reg_off_ll = alloc_reg(); 2855 } 2856 2857 /* 2858 * Load the register containing the radiotap length 2859 * into the X register. 2860 */ 2861 s = new_stmt(BPF_LDX|BPF_MEM); 2862 s->s.k = reg_off_ll; 2863 return s; 2864 } 2865 2866 /* 2867 * At the moment we treat PPI as normal Radiotap encoded 2868 * packets. The difference is in the function that generates 2869 * the code at the beginning to compute the header length. 2870 * Since this code generator of PPI supports bare 802.11 2871 * encapsulation only (i.e. the encapsulated DLT should be 2872 * DLT_IEEE802_11) we generate code to check for this too. 2873 */ 2874 static struct slist * 2875 gen_ppi_llprefixlen(void) 2876 { 2877 struct slist *s; 2878 2879 if (reg_off_ll == -1) { 2880 /* 2881 * We haven't yet assigned a register for the length 2882 * of the radiotap header; allocate one. 2883 */ 2884 reg_off_ll = alloc_reg(); 2885 } 2886 2887 /* 2888 * Load the register containing the PPI length 2889 * into the X register. 2890 */ 2891 s = new_stmt(BPF_LDX|BPF_MEM); 2892 s->s.k = reg_off_ll; 2893 return s; 2894 } 2895 2896 /* 2897 * Generate code to compute the link-layer header length, if necessary, 2898 * putting it into the X register, and to return either a pointer to a 2899 * "struct slist" for the list of statements in that code, or NULL if 2900 * no code is necessary. 2901 */ 2902 static struct slist * 2903 gen_llprefixlen(void) 2904 { 2905 switch (linktype) { 2906 2907 case DLT_PRISM_HEADER: 2908 return gen_prism_llprefixlen(); 2909 2910 case DLT_IEEE802_11_RADIO_AVS: 2911 return gen_avs_llprefixlen(); 2912 2913 case DLT_IEEE802_11_RADIO: 2914 return gen_radiotap_llprefixlen(); 2915 2916 case DLT_PPI: 2917 return gen_ppi_llprefixlen(); 2918 2919 default: 2920 return NULL; 2921 } 2922 } 2923 2924 /* 2925 * Generate code to load the register containing the offset of the 2926 * MAC-layer payload into the X register; if no register for that offset 2927 * has been allocated, allocate it first. 2928 */ 2929 static struct slist * 2930 gen_off_macpl(void) 2931 { 2932 struct slist *s; 2933 2934 if (off_macpl_is_variable) { 2935 if (reg_off_macpl == -1) { 2936 /* 2937 * We haven't yet assigned a register for the offset 2938 * of the MAC-layer payload; allocate one. 2939 */ 2940 reg_off_macpl = alloc_reg(); 2941 } 2942 2943 /* 2944 * Load the register containing the offset of the MAC-layer 2945 * payload into the X register. 2946 */ 2947 s = new_stmt(BPF_LDX|BPF_MEM); 2948 s->s.k = reg_off_macpl; 2949 return s; 2950 } else { 2951 /* 2952 * That offset isn't variable, so we don't need to 2953 * generate any code. 2954 */ 2955 return NULL; 2956 } 2957 } 2958 2959 /* 2960 * Map an Ethernet type to the equivalent PPP type. 2961 */ 2962 static int 2963 ethertype_to_ppptype(proto) 2964 int proto; 2965 { 2966 switch (proto) { 2967 2968 case ETHERTYPE_IP: 2969 proto = PPP_IP; 2970 break; 2971 2972 #ifdef INET6 2973 case ETHERTYPE_IPV6: 2974 proto = PPP_IPV6; 2975 break; 2976 #endif 2977 2978 case ETHERTYPE_DN: 2979 proto = PPP_DECNET; 2980 break; 2981 2982 case ETHERTYPE_ATALK: 2983 proto = PPP_APPLE; 2984 break; 2985 2986 case ETHERTYPE_NS: 2987 proto = PPP_NS; 2988 break; 2989 2990 case LLCSAP_ISONS: 2991 proto = PPP_OSI; 2992 break; 2993 2994 case LLCSAP_8021D: 2995 /* 2996 * I'm assuming the "Bridging PDU"s that go 2997 * over PPP are Spanning Tree Protocol 2998 * Bridging PDUs. 2999 */ 3000 proto = PPP_BRPDU; 3001 break; 3002 3003 case LLCSAP_IPX: 3004 proto = PPP_IPX; 3005 break; 3006 } 3007 return (proto); 3008 } 3009 3010 /* 3011 * Generate code to match a particular packet type by matching the 3012 * link-layer type field or fields in the 802.2 LLC header. 3013 * 3014 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3015 * value, if <= ETHERMTU. 3016 */ 3017 static struct block * 3018 gen_linktype(proto) 3019 register int proto; 3020 { 3021 struct block *b0, *b1, *b2; 3022 3023 /* are we checking MPLS-encapsulated packets? */ 3024 if (label_stack_depth > 0) { 3025 switch (proto) { 3026 case ETHERTYPE_IP: 3027 case PPP_IP: 3028 /* FIXME add other L3 proto IDs */ 3029 return gen_mpls_linktype(Q_IP); 3030 3031 case ETHERTYPE_IPV6: 3032 case PPP_IPV6: 3033 /* FIXME add other L3 proto IDs */ 3034 return gen_mpls_linktype(Q_IPV6); 3035 3036 default: 3037 bpf_error("unsupported protocol over mpls"); 3038 /* NOTREACHED */ 3039 } 3040 } 3041 3042 /* 3043 * Are we testing PPPoE packets? 3044 */ 3045 if (is_pppoes) { 3046 /* 3047 * The PPPoE session header is part of the 3048 * MAC-layer payload, so all references 3049 * should be relative to the beginning of 3050 * that payload. 3051 */ 3052 3053 /* 3054 * We use Ethernet protocol types inside libpcap; 3055 * map them to the corresponding PPP protocol types. 3056 */ 3057 proto = ethertype_to_ppptype(proto); 3058 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 3059 } 3060 3061 switch (linktype) { 3062 3063 case DLT_EN10MB: 3064 return gen_ether_linktype(proto); 3065 /*NOTREACHED*/ 3066 break; 3067 3068 case DLT_C_HDLC: 3069 switch (proto) { 3070 3071 case LLCSAP_ISONS: 3072 proto = (proto << 8 | LLCSAP_ISONS); 3073 /* fall through */ 3074 3075 default: 3076 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3077 (bpf_int32)proto); 3078 /*NOTREACHED*/ 3079 break; 3080 } 3081 break; 3082 3083 case DLT_IEEE802_11: 3084 case DLT_PRISM_HEADER: 3085 case DLT_IEEE802_11_RADIO_AVS: 3086 case DLT_IEEE802_11_RADIO: 3087 case DLT_PPI: 3088 /* 3089 * Check that we have a data frame. 3090 */ 3091 b0 = gen_check_802_11_data_frame(); 3092 3093 /* 3094 * Now check for the specified link-layer type. 3095 */ 3096 b1 = gen_llc_linktype(proto); 3097 gen_and(b0, b1); 3098 return b1; 3099 /*NOTREACHED*/ 3100 break; 3101 3102 case DLT_FDDI: 3103 /* 3104 * XXX - check for asynchronous frames, as per RFC 1103. 3105 */ 3106 return gen_llc_linktype(proto); 3107 /*NOTREACHED*/ 3108 break; 3109 3110 case DLT_IEEE802: 3111 /* 3112 * XXX - check for LLC PDUs, as per IEEE 802.5. 3113 */ 3114 return gen_llc_linktype(proto); 3115 /*NOTREACHED*/ 3116 break; 3117 3118 case DLT_ATM_RFC1483: 3119 case DLT_ATM_CLIP: 3120 case DLT_IP_OVER_FC: 3121 return gen_llc_linktype(proto); 3122 /*NOTREACHED*/ 3123 break; 3124 3125 case DLT_SUNATM: 3126 /* 3127 * If "is_lane" is set, check for a LANE-encapsulated 3128 * version of this protocol, otherwise check for an 3129 * LLC-encapsulated version of this protocol. 3130 * 3131 * We assume LANE means Ethernet, not Token Ring. 3132 */ 3133 if (is_lane) { 3134 /* 3135 * Check that the packet doesn't begin with an 3136 * LE Control marker. (We've already generated 3137 * a test for LANE.) 3138 */ 3139 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3140 0xFF00); 3141 gen_not(b0); 3142 3143 /* 3144 * Now generate an Ethernet test. 3145 */ 3146 b1 = gen_ether_linktype(proto); 3147 gen_and(b0, b1); 3148 return b1; 3149 } else { 3150 /* 3151 * Check for LLC encapsulation and then check the 3152 * protocol. 3153 */ 3154 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3155 b1 = gen_llc_linktype(proto); 3156 gen_and(b0, b1); 3157 return b1; 3158 } 3159 /*NOTREACHED*/ 3160 break; 3161 3162 case DLT_LINUX_SLL: 3163 return gen_linux_sll_linktype(proto); 3164 /*NOTREACHED*/ 3165 break; 3166 3167 case DLT_SLIP: 3168 case DLT_SLIP_BSDOS: 3169 case DLT_RAW: 3170 /* 3171 * These types don't provide any type field; packets 3172 * are always IPv4 or IPv6. 3173 * 3174 * XXX - for IPv4, check for a version number of 4, and, 3175 * for IPv6, check for a version number of 6? 3176 */ 3177 switch (proto) { 3178 3179 case ETHERTYPE_IP: 3180 /* Check for a version number of 4. */ 3181 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3182 #ifdef INET6 3183 case ETHERTYPE_IPV6: 3184 /* Check for a version number of 6. */ 3185 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3186 #endif 3187 3188 default: 3189 return gen_false(); /* always false */ 3190 } 3191 /*NOTREACHED*/ 3192 break; 3193 3194 case DLT_IPV4: 3195 /* 3196 * Raw IPv4, so no type field. 3197 */ 3198 if (proto == ETHERTYPE_IP) 3199 return gen_true(); /* always true */ 3200 3201 /* Checking for something other than IPv4; always false */ 3202 return gen_false(); 3203 /*NOTREACHED*/ 3204 break; 3205 3206 case DLT_IPV6: 3207 /* 3208 * Raw IPv6, so no type field. 3209 */ 3210 #ifdef INET6 3211 if (proto == ETHERTYPE_IPV6) 3212 return gen_true(); /* always true */ 3213 #endif 3214 3215 /* Checking for something other than IPv6; always false */ 3216 return gen_false(); 3217 /*NOTREACHED*/ 3218 break; 3219 3220 case DLT_PPP: 3221 case DLT_PPP_PPPD: 3222 case DLT_PPP_SERIAL: 3223 case DLT_PPP_ETHER: 3224 /* 3225 * We use Ethernet protocol types inside libpcap; 3226 * map them to the corresponding PPP protocol types. 3227 */ 3228 proto = ethertype_to_ppptype(proto); 3229 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3230 /*NOTREACHED*/ 3231 break; 3232 3233 case DLT_PPP_BSDOS: 3234 /* 3235 * We use Ethernet protocol types inside libpcap; 3236 * map them to the corresponding PPP protocol types. 3237 */ 3238 switch (proto) { 3239 3240 case ETHERTYPE_IP: 3241 /* 3242 * Also check for Van Jacobson-compressed IP. 3243 * XXX - do this for other forms of PPP? 3244 */ 3245 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3246 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3247 gen_or(b0, b1); 3248 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3249 gen_or(b1, b0); 3250 return b0; 3251 3252 default: 3253 proto = ethertype_to_ppptype(proto); 3254 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3255 (bpf_int32)proto); 3256 } 3257 /*NOTREACHED*/ 3258 break; 3259 3260 case DLT_NULL: 3261 case DLT_LOOP: 3262 case DLT_ENC: 3263 /* 3264 * For DLT_NULL, the link-layer header is a 32-bit 3265 * word containing an AF_ value in *host* byte order, 3266 * and for DLT_ENC, the link-layer header begins 3267 * with a 32-bit work containing an AF_ value in 3268 * host byte order. 3269 * 3270 * In addition, if we're reading a saved capture file, 3271 * the host byte order in the capture may not be the 3272 * same as the host byte order on this machine. 3273 * 3274 * For DLT_LOOP, the link-layer header is a 32-bit 3275 * word containing an AF_ value in *network* byte order. 3276 * 3277 * XXX - AF_ values may, unfortunately, be platform- 3278 * dependent; for example, FreeBSD's AF_INET6 is 24 3279 * whilst NetBSD's and OpenBSD's is 26. 3280 * 3281 * This means that, when reading a capture file, just 3282 * checking for our AF_INET6 value won't work if the 3283 * capture file came from another OS. 3284 */ 3285 switch (proto) { 3286 3287 case ETHERTYPE_IP: 3288 proto = AF_INET; 3289 break; 3290 3291 #ifdef INET6 3292 case ETHERTYPE_IPV6: 3293 proto = AF_INET6; 3294 break; 3295 #endif 3296 3297 default: 3298 /* 3299 * Not a type on which we support filtering. 3300 * XXX - support those that have AF_ values 3301 * #defined on this platform, at least? 3302 */ 3303 return gen_false(); 3304 } 3305 3306 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3307 /* 3308 * The AF_ value is in host byte order, but 3309 * the BPF interpreter will convert it to 3310 * network byte order. 3311 * 3312 * If this is a save file, and it's from a 3313 * machine with the opposite byte order to 3314 * ours, we byte-swap the AF_ value. 3315 * 3316 * Then we run it through "htonl()", and 3317 * generate code to compare against the result. 3318 */ 3319 if (bpf_pcap->sf.rfile != NULL && 3320 bpf_pcap->sf.swapped) 3321 proto = SWAPLONG(proto); 3322 proto = htonl(proto); 3323 } 3324 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3325 3326 #ifdef HAVE_NET_PFVAR_H 3327 case DLT_PFLOG: 3328 /* 3329 * af field is host byte order in contrast to the rest of 3330 * the packet. 3331 */ 3332 if (proto == ETHERTYPE_IP) 3333 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3334 BPF_B, (bpf_int32)AF_INET)); 3335 #ifdef INET6 3336 else if (proto == ETHERTYPE_IPV6) 3337 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3338 BPF_B, (bpf_int32)AF_INET6)); 3339 #endif /* INET6 */ 3340 else 3341 return gen_false(); 3342 /*NOTREACHED*/ 3343 break; 3344 #endif /* HAVE_NET_PFVAR_H */ 3345 3346 case DLT_ARCNET: 3347 case DLT_ARCNET_LINUX: 3348 /* 3349 * XXX should we check for first fragment if the protocol 3350 * uses PHDS? 3351 */ 3352 switch (proto) { 3353 3354 default: 3355 return gen_false(); 3356 3357 #ifdef INET6 3358 case ETHERTYPE_IPV6: 3359 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3360 (bpf_int32)ARCTYPE_INET6)); 3361 #endif /* INET6 */ 3362 3363 case ETHERTYPE_IP: 3364 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3365 (bpf_int32)ARCTYPE_IP); 3366 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3367 (bpf_int32)ARCTYPE_IP_OLD); 3368 gen_or(b0, b1); 3369 return (b1); 3370 3371 case ETHERTYPE_ARP: 3372 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3373 (bpf_int32)ARCTYPE_ARP); 3374 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3375 (bpf_int32)ARCTYPE_ARP_OLD); 3376 gen_or(b0, b1); 3377 return (b1); 3378 3379 case ETHERTYPE_REVARP: 3380 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3381 (bpf_int32)ARCTYPE_REVARP)); 3382 3383 case ETHERTYPE_ATALK: 3384 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3385 (bpf_int32)ARCTYPE_ATALK)); 3386 } 3387 /*NOTREACHED*/ 3388 break; 3389 3390 case DLT_LTALK: 3391 switch (proto) { 3392 case ETHERTYPE_ATALK: 3393 return gen_true(); 3394 default: 3395 return gen_false(); 3396 } 3397 /*NOTREACHED*/ 3398 break; 3399 3400 case DLT_FRELAY: 3401 /* 3402 * XXX - assumes a 2-byte Frame Relay header with 3403 * DLCI and flags. What if the address is longer? 3404 */ 3405 switch (proto) { 3406 3407 case ETHERTYPE_IP: 3408 /* 3409 * Check for the special NLPID for IP. 3410 */ 3411 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3412 3413 #ifdef INET6 3414 case ETHERTYPE_IPV6: 3415 /* 3416 * Check for the special NLPID for IPv6. 3417 */ 3418 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3419 #endif 3420 3421 case LLCSAP_ISONS: 3422 /* 3423 * Check for several OSI protocols. 3424 * 3425 * Frame Relay packets typically have an OSI 3426 * NLPID at the beginning; we check for each 3427 * of them. 3428 * 3429 * What we check for is the NLPID and a frame 3430 * control field of UI, i.e. 0x03 followed 3431 * by the NLPID. 3432 */ 3433 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3434 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3435 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3436 gen_or(b1, b2); 3437 gen_or(b0, b2); 3438 return b2; 3439 3440 default: 3441 return gen_false(); 3442 } 3443 /*NOTREACHED*/ 3444 break; 3445 3446 case DLT_MFR: 3447 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3448 3449 case DLT_JUNIPER_MFR: 3450 case DLT_JUNIPER_MLFR: 3451 case DLT_JUNIPER_MLPPP: 3452 case DLT_JUNIPER_ATM1: 3453 case DLT_JUNIPER_ATM2: 3454 case DLT_JUNIPER_PPPOE: 3455 case DLT_JUNIPER_PPPOE_ATM: 3456 case DLT_JUNIPER_GGSN: 3457 case DLT_JUNIPER_ES: 3458 case DLT_JUNIPER_MONITOR: 3459 case DLT_JUNIPER_SERVICES: 3460 case DLT_JUNIPER_ETHER: 3461 case DLT_JUNIPER_PPP: 3462 case DLT_JUNIPER_FRELAY: 3463 case DLT_JUNIPER_CHDLC: 3464 case DLT_JUNIPER_VP: 3465 case DLT_JUNIPER_ST: 3466 case DLT_JUNIPER_ISM: 3467 /* just lets verify the magic number for now - 3468 * on ATM we may have up to 6 different encapsulations on the wire 3469 * and need a lot of heuristics to figure out that the payload 3470 * might be; 3471 * 3472 * FIXME encapsulation specific BPF_ filters 3473 */ 3474 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3475 3476 case DLT_IPNET: 3477 return gen_ipnet_linktype(proto); 3478 3479 case DLT_LINUX_IRDA: 3480 bpf_error("IrDA link-layer type filtering not implemented"); 3481 3482 case DLT_DOCSIS: 3483 bpf_error("DOCSIS link-layer type filtering not implemented"); 3484 3485 case DLT_MTP2: 3486 case DLT_MTP2_WITH_PHDR: 3487 bpf_error("MTP2 link-layer type filtering not implemented"); 3488 3489 case DLT_ERF: 3490 bpf_error("ERF link-layer type filtering not implemented"); 3491 3492 #ifdef DLT_PFSYNC 3493 case DLT_PFSYNC: 3494 bpf_error("PFSYNC link-layer type filtering not implemented"); 3495 #endif 3496 3497 case DLT_LINUX_LAPD: 3498 bpf_error("LAPD link-layer type filtering not implemented"); 3499 3500 case DLT_USB: 3501 case DLT_USB_LINUX: 3502 case DLT_USB_LINUX_MMAPPED: 3503 bpf_error("USB link-layer type filtering not implemented"); 3504 3505 case DLT_BLUETOOTH_HCI_H4: 3506 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3507 bpf_error("Bluetooth link-layer type filtering not implemented"); 3508 3509 case DLT_CAN20B: 3510 case DLT_CAN_SOCKETCAN: 3511 bpf_error("CAN link-layer type filtering not implemented"); 3512 3513 case DLT_IEEE802_15_4: 3514 case DLT_IEEE802_15_4_LINUX: 3515 case DLT_IEEE802_15_4_NONASK_PHY: 3516 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3517 3518 case DLT_IEEE802_16_MAC_CPS_RADIO: 3519 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3520 3521 case DLT_SITA: 3522 bpf_error("SITA link-layer type filtering not implemented"); 3523 3524 case DLT_RAIF1: 3525 bpf_error("RAIF1 link-layer type filtering not implemented"); 3526 3527 case DLT_IPMB: 3528 bpf_error("IPMB link-layer type filtering not implemented"); 3529 3530 case DLT_AX25_KISS: 3531 bpf_error("AX.25 link-layer type filtering not implemented"); 3532 } 3533 3534 /* 3535 * All the types that have no encapsulation should either be 3536 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3537 * all packets are IP packets, or should be handled in some 3538 * special case, if none of them are (if some are and some 3539 * aren't, the lack of encapsulation is a problem, as we'd 3540 * have to find some other way of determining the packet type). 3541 * 3542 * Therefore, if "off_linktype" is -1, there's an error. 3543 */ 3544 if (off_linktype == (u_int)-1) 3545 abort(); 3546 3547 /* 3548 * Any type not handled above should always have an Ethernet 3549 * type at an offset of "off_linktype". 3550 */ 3551 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3552 } 3553 3554 /* 3555 * Check for an LLC SNAP packet with a given organization code and 3556 * protocol type; we check the entire contents of the 802.2 LLC and 3557 * snap headers, checking for DSAP and SSAP of SNAP and a control 3558 * field of 0x03 in the LLC header, and for the specified organization 3559 * code and protocol type in the SNAP header. 3560 */ 3561 static struct block * 3562 gen_snap(orgcode, ptype) 3563 bpf_u_int32 orgcode; 3564 bpf_u_int32 ptype; 3565 { 3566 u_char snapblock[8]; 3567 3568 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3569 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3570 snapblock[2] = 0x03; /* control = UI */ 3571 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3572 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3573 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3574 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3575 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3576 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3577 } 3578 3579 /* 3580 * Generate code to match a particular packet type, for link-layer types 3581 * using 802.2 LLC headers. 3582 * 3583 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3584 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3585 * 3586 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3587 * value, if <= ETHERMTU. We use that to determine whether to 3588 * match the DSAP or both DSAP and LSAP or to check the OUI and 3589 * protocol ID in a SNAP header. 3590 */ 3591 static struct block * 3592 gen_llc_linktype(proto) 3593 int proto; 3594 { 3595 /* 3596 * XXX - handle token-ring variable-length header. 3597 */ 3598 switch (proto) { 3599 3600 case LLCSAP_IP: 3601 case LLCSAP_ISONS: 3602 case LLCSAP_NETBEUI: 3603 /* 3604 * XXX - should we check both the DSAP and the 3605 * SSAP, like this, or should we check just the 3606 * DSAP, as we do for other types <= ETHERMTU 3607 * (i.e., other SAP values)? 3608 */ 3609 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3610 ((proto << 8) | proto)); 3611 3612 case LLCSAP_IPX: 3613 /* 3614 * XXX - are there ever SNAP frames for IPX on 3615 * non-Ethernet 802.x networks? 3616 */ 3617 return gen_cmp(OR_MACPL, 0, BPF_B, 3618 (bpf_int32)LLCSAP_IPX); 3619 3620 case ETHERTYPE_ATALK: 3621 /* 3622 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3623 * SNAP packets with an organization code of 3624 * 0x080007 (Apple, for Appletalk) and a protocol 3625 * type of ETHERTYPE_ATALK (Appletalk). 3626 * 3627 * XXX - check for an organization code of 3628 * encapsulated Ethernet as well? 3629 */ 3630 return gen_snap(0x080007, ETHERTYPE_ATALK); 3631 3632 default: 3633 /* 3634 * XXX - we don't have to check for IPX 802.3 3635 * here, but should we check for the IPX Ethertype? 3636 */ 3637 if (proto <= ETHERMTU) { 3638 /* 3639 * This is an LLC SAP value, so check 3640 * the DSAP. 3641 */ 3642 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3643 } else { 3644 /* 3645 * This is an Ethernet type; we assume that it's 3646 * unlikely that it'll appear in the right place 3647 * at random, and therefore check only the 3648 * location that would hold the Ethernet type 3649 * in a SNAP frame with an organization code of 3650 * 0x000000 (encapsulated Ethernet). 3651 * 3652 * XXX - if we were to check for the SNAP DSAP and 3653 * LSAP, as per XXX, and were also to check for an 3654 * organization code of 0x000000 (encapsulated 3655 * Ethernet), we'd do 3656 * 3657 * return gen_snap(0x000000, proto); 3658 * 3659 * here; for now, we don't, as per the above. 3660 * I don't know whether it's worth the extra CPU 3661 * time to do the right check or not. 3662 */ 3663 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3664 } 3665 } 3666 } 3667 3668 static struct block * 3669 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3670 bpf_u_int32 addr; 3671 bpf_u_int32 mask; 3672 int dir, proto; 3673 u_int src_off, dst_off; 3674 { 3675 struct block *b0, *b1; 3676 u_int offset; 3677 3678 switch (dir) { 3679 3680 case Q_SRC: 3681 offset = src_off; 3682 break; 3683 3684 case Q_DST: 3685 offset = dst_off; 3686 break; 3687 3688 case Q_AND: 3689 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3690 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3691 gen_and(b0, b1); 3692 return b1; 3693 3694 case Q_OR: 3695 case Q_DEFAULT: 3696 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3697 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3698 gen_or(b0, b1); 3699 return b1; 3700 3701 default: 3702 abort(); 3703 } 3704 b0 = gen_linktype(proto); 3705 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3706 gen_and(b0, b1); 3707 return b1; 3708 } 3709 3710 #ifdef INET6 3711 static struct block * 3712 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3713 struct in6_addr *addr; 3714 struct in6_addr *mask; 3715 int dir, proto; 3716 u_int src_off, dst_off; 3717 { 3718 struct block *b0, *b1; 3719 u_int offset; 3720 u_int32_t *a, *m; 3721 3722 switch (dir) { 3723 3724 case Q_SRC: 3725 offset = src_off; 3726 break; 3727 3728 case Q_DST: 3729 offset = dst_off; 3730 break; 3731 3732 case Q_AND: 3733 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3734 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3735 gen_and(b0, b1); 3736 return b1; 3737 3738 case Q_OR: 3739 case Q_DEFAULT: 3740 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3741 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3742 gen_or(b0, b1); 3743 return b1; 3744 3745 default: 3746 abort(); 3747 } 3748 /* this order is important */ 3749 a = (u_int32_t *)addr; 3750 m = (u_int32_t *)mask; 3751 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3752 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3753 gen_and(b0, b1); 3754 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3755 gen_and(b0, b1); 3756 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3757 gen_and(b0, b1); 3758 b0 = gen_linktype(proto); 3759 gen_and(b0, b1); 3760 return b1; 3761 } 3762 #endif /*INET6*/ 3763 3764 static struct block * 3765 gen_ehostop(eaddr, dir) 3766 register const u_char *eaddr; 3767 register int dir; 3768 { 3769 register struct block *b0, *b1; 3770 3771 switch (dir) { 3772 case Q_SRC: 3773 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3774 3775 case Q_DST: 3776 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3777 3778 case Q_AND: 3779 b0 = gen_ehostop(eaddr, Q_SRC); 3780 b1 = gen_ehostop(eaddr, Q_DST); 3781 gen_and(b0, b1); 3782 return b1; 3783 3784 case Q_DEFAULT: 3785 case Q_OR: 3786 b0 = gen_ehostop(eaddr, Q_SRC); 3787 b1 = gen_ehostop(eaddr, Q_DST); 3788 gen_or(b0, b1); 3789 return b1; 3790 } 3791 abort(); 3792 /* NOTREACHED */ 3793 } 3794 3795 /* 3796 * Like gen_ehostop, but for DLT_FDDI 3797 */ 3798 static struct block * 3799 gen_fhostop(eaddr, dir) 3800 register const u_char *eaddr; 3801 register int dir; 3802 { 3803 struct block *b0, *b1; 3804 3805 switch (dir) { 3806 case Q_SRC: 3807 #ifdef PCAP_FDDIPAD 3808 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3809 #else 3810 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3811 #endif 3812 3813 case Q_DST: 3814 #ifdef PCAP_FDDIPAD 3815 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3816 #else 3817 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3818 #endif 3819 3820 case Q_AND: 3821 b0 = gen_fhostop(eaddr, Q_SRC); 3822 b1 = gen_fhostop(eaddr, Q_DST); 3823 gen_and(b0, b1); 3824 return b1; 3825 3826 case Q_DEFAULT: 3827 case Q_OR: 3828 b0 = gen_fhostop(eaddr, Q_SRC); 3829 b1 = gen_fhostop(eaddr, Q_DST); 3830 gen_or(b0, b1); 3831 return b1; 3832 } 3833 abort(); 3834 /* NOTREACHED */ 3835 } 3836 3837 /* 3838 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3839 */ 3840 static struct block * 3841 gen_thostop(eaddr, dir) 3842 register const u_char *eaddr; 3843 register int dir; 3844 { 3845 register struct block *b0, *b1; 3846 3847 switch (dir) { 3848 case Q_SRC: 3849 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3850 3851 case Q_DST: 3852 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3853 3854 case Q_AND: 3855 b0 = gen_thostop(eaddr, Q_SRC); 3856 b1 = gen_thostop(eaddr, Q_DST); 3857 gen_and(b0, b1); 3858 return b1; 3859 3860 case Q_DEFAULT: 3861 case Q_OR: 3862 b0 = gen_thostop(eaddr, Q_SRC); 3863 b1 = gen_thostop(eaddr, Q_DST); 3864 gen_or(b0, b1); 3865 return b1; 3866 } 3867 abort(); 3868 /* NOTREACHED */ 3869 } 3870 3871 /* 3872 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3873 * various 802.11 + radio headers. 3874 */ 3875 static struct block * 3876 gen_wlanhostop(eaddr, dir) 3877 register const u_char *eaddr; 3878 register int dir; 3879 { 3880 register struct block *b0, *b1, *b2; 3881 register struct slist *s; 3882 3883 #ifdef ENABLE_WLAN_FILTERING_PATCH 3884 /* 3885 * TODO GV 20070613 3886 * We need to disable the optimizer because the optimizer is buggy 3887 * and wipes out some LD instructions generated by the below 3888 * code to validate the Frame Control bits 3889 */ 3890 no_optimize = 1; 3891 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3892 3893 switch (dir) { 3894 case Q_SRC: 3895 /* 3896 * Oh, yuk. 3897 * 3898 * For control frames, there is no SA. 3899 * 3900 * For management frames, SA is at an 3901 * offset of 10 from the beginning of 3902 * the packet. 3903 * 3904 * For data frames, SA is at an offset 3905 * of 10 from the beginning of the packet 3906 * if From DS is clear, at an offset of 3907 * 16 from the beginning of the packet 3908 * if From DS is set and To DS is clear, 3909 * and an offset of 24 from the beginning 3910 * of the packet if From DS is set and To DS 3911 * is set. 3912 */ 3913 3914 /* 3915 * Generate the tests to be done for data frames 3916 * with From DS set. 3917 * 3918 * First, check for To DS set, i.e. check "link[1] & 0x01". 3919 */ 3920 s = gen_load_a(OR_LINK, 1, BPF_B); 3921 b1 = new_block(JMP(BPF_JSET)); 3922 b1->s.k = 0x01; /* To DS */ 3923 b1->stmts = s; 3924 3925 /* 3926 * If To DS is set, the SA is at 24. 3927 */ 3928 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3929 gen_and(b1, b0); 3930 3931 /* 3932 * Now, check for To DS not set, i.e. check 3933 * "!(link[1] & 0x01)". 3934 */ 3935 s = gen_load_a(OR_LINK, 1, BPF_B); 3936 b2 = new_block(JMP(BPF_JSET)); 3937 b2->s.k = 0x01; /* To DS */ 3938 b2->stmts = s; 3939 gen_not(b2); 3940 3941 /* 3942 * If To DS is not set, the SA is at 16. 3943 */ 3944 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3945 gen_and(b2, b1); 3946 3947 /* 3948 * Now OR together the last two checks. That gives 3949 * the complete set of checks for data frames with 3950 * From DS set. 3951 */ 3952 gen_or(b1, b0); 3953 3954 /* 3955 * Now check for From DS being set, and AND that with 3956 * the ORed-together checks. 3957 */ 3958 s = gen_load_a(OR_LINK, 1, BPF_B); 3959 b1 = new_block(JMP(BPF_JSET)); 3960 b1->s.k = 0x02; /* From DS */ 3961 b1->stmts = s; 3962 gen_and(b1, b0); 3963 3964 /* 3965 * Now check for data frames with From DS not set. 3966 */ 3967 s = gen_load_a(OR_LINK, 1, BPF_B); 3968 b2 = new_block(JMP(BPF_JSET)); 3969 b2->s.k = 0x02; /* From DS */ 3970 b2->stmts = s; 3971 gen_not(b2); 3972 3973 /* 3974 * If From DS isn't set, the SA is at 10. 3975 */ 3976 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3977 gen_and(b2, b1); 3978 3979 /* 3980 * Now OR together the checks for data frames with 3981 * From DS not set and for data frames with From DS 3982 * set; that gives the checks done for data frames. 3983 */ 3984 gen_or(b1, b0); 3985 3986 /* 3987 * Now check for a data frame. 3988 * I.e, check "link[0] & 0x08". 3989 */ 3990 s = gen_load_a(OR_LINK, 0, BPF_B); 3991 b1 = new_block(JMP(BPF_JSET)); 3992 b1->s.k = 0x08; 3993 b1->stmts = s; 3994 3995 /* 3996 * AND that with the checks done for data frames. 3997 */ 3998 gen_and(b1, b0); 3999 4000 /* 4001 * If the high-order bit of the type value is 0, this 4002 * is a management frame. 4003 * I.e, check "!(link[0] & 0x08)". 4004 */ 4005 s = gen_load_a(OR_LINK, 0, BPF_B); 4006 b2 = new_block(JMP(BPF_JSET)); 4007 b2->s.k = 0x08; 4008 b2->stmts = s; 4009 gen_not(b2); 4010 4011 /* 4012 * For management frames, the SA is at 10. 4013 */ 4014 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4015 gen_and(b2, b1); 4016 4017 /* 4018 * OR that with the checks done for data frames. 4019 * That gives the checks done for management and 4020 * data frames. 4021 */ 4022 gen_or(b1, b0); 4023 4024 /* 4025 * If the low-order bit of the type value is 1, 4026 * this is either a control frame or a frame 4027 * with a reserved type, and thus not a 4028 * frame with an SA. 4029 * 4030 * I.e., check "!(link[0] & 0x04)". 4031 */ 4032 s = gen_load_a(OR_LINK, 0, BPF_B); 4033 b1 = new_block(JMP(BPF_JSET)); 4034 b1->s.k = 0x04; 4035 b1->stmts = s; 4036 gen_not(b1); 4037 4038 /* 4039 * AND that with the checks for data and management 4040 * frames. 4041 */ 4042 gen_and(b1, b0); 4043 return b0; 4044 4045 case Q_DST: 4046 /* 4047 * Oh, yuk. 4048 * 4049 * For control frames, there is no DA. 4050 * 4051 * For management frames, DA is at an 4052 * offset of 4 from the beginning of 4053 * the packet. 4054 * 4055 * For data frames, DA is at an offset 4056 * of 4 from the beginning of the packet 4057 * if To DS is clear and at an offset of 4058 * 16 from the beginning of the packet 4059 * if To DS is set. 4060 */ 4061 4062 /* 4063 * Generate the tests to be done for data frames. 4064 * 4065 * First, check for To DS set, i.e. "link[1] & 0x01". 4066 */ 4067 s = gen_load_a(OR_LINK, 1, BPF_B); 4068 b1 = new_block(JMP(BPF_JSET)); 4069 b1->s.k = 0x01; /* To DS */ 4070 b1->stmts = s; 4071 4072 /* 4073 * If To DS is set, the DA is at 16. 4074 */ 4075 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4076 gen_and(b1, b0); 4077 4078 /* 4079 * Now, check for To DS not set, i.e. check 4080 * "!(link[1] & 0x01)". 4081 */ 4082 s = gen_load_a(OR_LINK, 1, BPF_B); 4083 b2 = new_block(JMP(BPF_JSET)); 4084 b2->s.k = 0x01; /* To DS */ 4085 b2->stmts = s; 4086 gen_not(b2); 4087 4088 /* 4089 * If To DS is not set, the DA is at 4. 4090 */ 4091 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4092 gen_and(b2, b1); 4093 4094 /* 4095 * Now OR together the last two checks. That gives 4096 * the complete set of checks for data frames. 4097 */ 4098 gen_or(b1, b0); 4099 4100 /* 4101 * Now check for a data frame. 4102 * I.e, check "link[0] & 0x08". 4103 */ 4104 s = gen_load_a(OR_LINK, 0, BPF_B); 4105 b1 = new_block(JMP(BPF_JSET)); 4106 b1->s.k = 0x08; 4107 b1->stmts = s; 4108 4109 /* 4110 * AND that with the checks done for data frames. 4111 */ 4112 gen_and(b1, b0); 4113 4114 /* 4115 * If the high-order bit of the type value is 0, this 4116 * is a management frame. 4117 * I.e, check "!(link[0] & 0x08)". 4118 */ 4119 s = gen_load_a(OR_LINK, 0, BPF_B); 4120 b2 = new_block(JMP(BPF_JSET)); 4121 b2->s.k = 0x08; 4122 b2->stmts = s; 4123 gen_not(b2); 4124 4125 /* 4126 * For management frames, the DA is at 4. 4127 */ 4128 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4129 gen_and(b2, b1); 4130 4131 /* 4132 * OR that with the checks done for data frames. 4133 * That gives the checks done for management and 4134 * data frames. 4135 */ 4136 gen_or(b1, b0); 4137 4138 /* 4139 * If the low-order bit of the type value is 1, 4140 * this is either a control frame or a frame 4141 * with a reserved type, and thus not a 4142 * frame with an SA. 4143 * 4144 * I.e., check "!(link[0] & 0x04)". 4145 */ 4146 s = gen_load_a(OR_LINK, 0, BPF_B); 4147 b1 = new_block(JMP(BPF_JSET)); 4148 b1->s.k = 0x04; 4149 b1->stmts = s; 4150 gen_not(b1); 4151 4152 /* 4153 * AND that with the checks for data and management 4154 * frames. 4155 */ 4156 gen_and(b1, b0); 4157 return b0; 4158 4159 /* 4160 * XXX - add RA, TA, and BSSID keywords? 4161 */ 4162 case Q_ADDR1: 4163 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4164 4165 case Q_ADDR2: 4166 /* 4167 * Not present in CTS or ACK control frames. 4168 */ 4169 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4170 IEEE80211_FC0_TYPE_MASK); 4171 gen_not(b0); 4172 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4173 IEEE80211_FC0_SUBTYPE_MASK); 4174 gen_not(b1); 4175 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4176 IEEE80211_FC0_SUBTYPE_MASK); 4177 gen_not(b2); 4178 gen_and(b1, b2); 4179 gen_or(b0, b2); 4180 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4181 gen_and(b2, b1); 4182 return b1; 4183 4184 case Q_ADDR3: 4185 /* 4186 * Not present in control frames. 4187 */ 4188 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4189 IEEE80211_FC0_TYPE_MASK); 4190 gen_not(b0); 4191 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4192 gen_and(b0, b1); 4193 return b1; 4194 4195 case Q_ADDR4: 4196 /* 4197 * Present only if the direction mask has both "From DS" 4198 * and "To DS" set. Neither control frames nor management 4199 * frames should have both of those set, so we don't 4200 * check the frame type. 4201 */ 4202 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4203 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4204 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4205 gen_and(b0, b1); 4206 return b1; 4207 4208 case Q_AND: 4209 b0 = gen_wlanhostop(eaddr, Q_SRC); 4210 b1 = gen_wlanhostop(eaddr, Q_DST); 4211 gen_and(b0, b1); 4212 return b1; 4213 4214 case Q_DEFAULT: 4215 case Q_OR: 4216 b0 = gen_wlanhostop(eaddr, Q_SRC); 4217 b1 = gen_wlanhostop(eaddr, Q_DST); 4218 gen_or(b0, b1); 4219 return b1; 4220 } 4221 abort(); 4222 /* NOTREACHED */ 4223 } 4224 4225 /* 4226 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4227 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4228 * as the RFC states.) 4229 */ 4230 static struct block * 4231 gen_ipfchostop(eaddr, dir) 4232 register const u_char *eaddr; 4233 register int dir; 4234 { 4235 register struct block *b0, *b1; 4236 4237 switch (dir) { 4238 case Q_SRC: 4239 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4240 4241 case Q_DST: 4242 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4243 4244 case Q_AND: 4245 b0 = gen_ipfchostop(eaddr, Q_SRC); 4246 b1 = gen_ipfchostop(eaddr, Q_DST); 4247 gen_and(b0, b1); 4248 return b1; 4249 4250 case Q_DEFAULT: 4251 case Q_OR: 4252 b0 = gen_ipfchostop(eaddr, Q_SRC); 4253 b1 = gen_ipfchostop(eaddr, Q_DST); 4254 gen_or(b0, b1); 4255 return b1; 4256 } 4257 abort(); 4258 /* NOTREACHED */ 4259 } 4260 4261 /* 4262 * This is quite tricky because there may be pad bytes in front of the 4263 * DECNET header, and then there are two possible data packet formats that 4264 * carry both src and dst addresses, plus 5 packet types in a format that 4265 * carries only the src node, plus 2 types that use a different format and 4266 * also carry just the src node. 4267 * 4268 * Yuck. 4269 * 4270 * Instead of doing those all right, we just look for data packets with 4271 * 0 or 1 bytes of padding. If you want to look at other packets, that 4272 * will require a lot more hacking. 4273 * 4274 * To add support for filtering on DECNET "areas" (network numbers) 4275 * one would want to add a "mask" argument to this routine. That would 4276 * make the filter even more inefficient, although one could be clever 4277 * and not generate masking instructions if the mask is 0xFFFF. 4278 */ 4279 static struct block * 4280 gen_dnhostop(addr, dir) 4281 bpf_u_int32 addr; 4282 int dir; 4283 { 4284 struct block *b0, *b1, *b2, *tmp; 4285 u_int offset_lh; /* offset if long header is received */ 4286 u_int offset_sh; /* offset if short header is received */ 4287 4288 switch (dir) { 4289 4290 case Q_DST: 4291 offset_sh = 1; /* follows flags */ 4292 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4293 break; 4294 4295 case Q_SRC: 4296 offset_sh = 3; /* follows flags, dstnode */ 4297 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4298 break; 4299 4300 case Q_AND: 4301 /* Inefficient because we do our Calvinball dance twice */ 4302 b0 = gen_dnhostop(addr, Q_SRC); 4303 b1 = gen_dnhostop(addr, Q_DST); 4304 gen_and(b0, b1); 4305 return b1; 4306 4307 case Q_OR: 4308 case Q_DEFAULT: 4309 /* Inefficient because we do our Calvinball dance twice */ 4310 b0 = gen_dnhostop(addr, Q_SRC); 4311 b1 = gen_dnhostop(addr, Q_DST); 4312 gen_or(b0, b1); 4313 return b1; 4314 4315 case Q_ISO: 4316 bpf_error("ISO host filtering not implemented"); 4317 4318 default: 4319 abort(); 4320 } 4321 b0 = gen_linktype(ETHERTYPE_DN); 4322 /* Check for pad = 1, long header case */ 4323 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4324 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4325 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4326 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4327 gen_and(tmp, b1); 4328 /* Check for pad = 0, long header case */ 4329 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4330 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4331 gen_and(tmp, b2); 4332 gen_or(b2, b1); 4333 /* Check for pad = 1, short header case */ 4334 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4335 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4336 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4337 gen_and(tmp, b2); 4338 gen_or(b2, b1); 4339 /* Check for pad = 0, short header case */ 4340 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4341 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4342 gen_and(tmp, b2); 4343 gen_or(b2, b1); 4344 4345 /* Combine with test for linktype */ 4346 gen_and(b0, b1); 4347 return b1; 4348 } 4349 4350 /* 4351 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4352 * test the bottom-of-stack bit, and then check the version number 4353 * field in the IP header. 4354 */ 4355 static struct block * 4356 gen_mpls_linktype(proto) 4357 int proto; 4358 { 4359 struct block *b0, *b1; 4360 4361 switch (proto) { 4362 4363 case Q_IP: 4364 /* match the bottom-of-stack bit */ 4365 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4366 /* match the IPv4 version number */ 4367 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4368 gen_and(b0, b1); 4369 return b1; 4370 4371 case Q_IPV6: 4372 /* match the bottom-of-stack bit */ 4373 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4374 /* match the IPv4 version number */ 4375 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4376 gen_and(b0, b1); 4377 return b1; 4378 4379 default: 4380 abort(); 4381 } 4382 } 4383 4384 static struct block * 4385 gen_host(addr, mask, proto, dir, type) 4386 bpf_u_int32 addr; 4387 bpf_u_int32 mask; 4388 int proto; 4389 int dir; 4390 int type; 4391 { 4392 struct block *b0, *b1; 4393 const char *typestr; 4394 4395 if (type == Q_NET) 4396 typestr = "net"; 4397 else 4398 typestr = "host"; 4399 4400 switch (proto) { 4401 4402 case Q_DEFAULT: 4403 b0 = gen_host(addr, mask, Q_IP, dir, type); 4404 /* 4405 * Only check for non-IPv4 addresses if we're not 4406 * checking MPLS-encapsulated packets. 4407 */ 4408 if (label_stack_depth == 0) { 4409 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4410 gen_or(b0, b1); 4411 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4412 gen_or(b1, b0); 4413 } 4414 return b0; 4415 4416 case Q_IP: 4417 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4418 4419 case Q_RARP: 4420 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4421 4422 case Q_ARP: 4423 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4424 4425 case Q_TCP: 4426 bpf_error("'tcp' modifier applied to %s", typestr); 4427 4428 case Q_SCTP: 4429 bpf_error("'sctp' modifier applied to %s", typestr); 4430 4431 case Q_UDP: 4432 bpf_error("'udp' modifier applied to %s", typestr); 4433 4434 case Q_ICMP: 4435 bpf_error("'icmp' modifier applied to %s", typestr); 4436 4437 case Q_IGMP: 4438 bpf_error("'igmp' modifier applied to %s", typestr); 4439 4440 case Q_IGRP: 4441 bpf_error("'igrp' modifier applied to %s", typestr); 4442 4443 case Q_PIM: 4444 bpf_error("'pim' modifier applied to %s", typestr); 4445 4446 case Q_VRRP: 4447 bpf_error("'vrrp' modifier applied to %s", typestr); 4448 4449 case Q_ATALK: 4450 bpf_error("ATALK host filtering not implemented"); 4451 4452 case Q_AARP: 4453 bpf_error("AARP host filtering not implemented"); 4454 4455 case Q_DECNET: 4456 return gen_dnhostop(addr, dir); 4457 4458 case Q_SCA: 4459 bpf_error("SCA host filtering not implemented"); 4460 4461 case Q_LAT: 4462 bpf_error("LAT host filtering not implemented"); 4463 4464 case Q_MOPDL: 4465 bpf_error("MOPDL host filtering not implemented"); 4466 4467 case Q_MOPRC: 4468 bpf_error("MOPRC host filtering not implemented"); 4469 4470 #ifdef INET6 4471 case Q_IPV6: 4472 bpf_error("'ip6' modifier applied to ip host"); 4473 4474 case Q_ICMPV6: 4475 bpf_error("'icmp6' modifier applied to %s", typestr); 4476 #endif /* INET6 */ 4477 4478 case Q_AH: 4479 bpf_error("'ah' modifier applied to %s", typestr); 4480 4481 case Q_ESP: 4482 bpf_error("'esp' modifier applied to %s", typestr); 4483 4484 case Q_ISO: 4485 bpf_error("ISO host filtering not implemented"); 4486 4487 case Q_ESIS: 4488 bpf_error("'esis' modifier applied to %s", typestr); 4489 4490 case Q_ISIS: 4491 bpf_error("'isis' modifier applied to %s", typestr); 4492 4493 case Q_CLNP: 4494 bpf_error("'clnp' modifier applied to %s", typestr); 4495 4496 case Q_STP: 4497 bpf_error("'stp' modifier applied to %s", typestr); 4498 4499 case Q_IPX: 4500 bpf_error("IPX host filtering not implemented"); 4501 4502 case Q_NETBEUI: 4503 bpf_error("'netbeui' modifier applied to %s", typestr); 4504 4505 case Q_RADIO: 4506 bpf_error("'radio' modifier applied to %s", typestr); 4507 4508 default: 4509 abort(); 4510 } 4511 /* NOTREACHED */ 4512 } 4513 4514 #ifdef INET6 4515 static struct block * 4516 gen_host6(addr, mask, proto, dir, type) 4517 struct in6_addr *addr; 4518 struct in6_addr *mask; 4519 int proto; 4520 int dir; 4521 int type; 4522 { 4523 const char *typestr; 4524 4525 if (type == Q_NET) 4526 typestr = "net"; 4527 else 4528 typestr = "host"; 4529 4530 switch (proto) { 4531 4532 case Q_DEFAULT: 4533 return gen_host6(addr, mask, Q_IPV6, dir, type); 4534 4535 case Q_IP: 4536 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4537 4538 case Q_RARP: 4539 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4540 4541 case Q_ARP: 4542 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4543 4544 case Q_SCTP: 4545 bpf_error("'sctp' modifier applied to %s", typestr); 4546 4547 case Q_TCP: 4548 bpf_error("'tcp' modifier applied to %s", typestr); 4549 4550 case Q_UDP: 4551 bpf_error("'udp' modifier applied to %s", typestr); 4552 4553 case Q_ICMP: 4554 bpf_error("'icmp' modifier applied to %s", typestr); 4555 4556 case Q_IGMP: 4557 bpf_error("'igmp' modifier applied to %s", typestr); 4558 4559 case Q_IGRP: 4560 bpf_error("'igrp' modifier applied to %s", typestr); 4561 4562 case Q_PIM: 4563 bpf_error("'pim' modifier applied to %s", typestr); 4564 4565 case Q_VRRP: 4566 bpf_error("'vrrp' modifier applied to %s", typestr); 4567 4568 case Q_ATALK: 4569 bpf_error("ATALK host filtering not implemented"); 4570 4571 case Q_AARP: 4572 bpf_error("AARP host filtering not implemented"); 4573 4574 case Q_DECNET: 4575 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4576 4577 case Q_SCA: 4578 bpf_error("SCA host filtering not implemented"); 4579 4580 case Q_LAT: 4581 bpf_error("LAT host filtering not implemented"); 4582 4583 case Q_MOPDL: 4584 bpf_error("MOPDL host filtering not implemented"); 4585 4586 case Q_MOPRC: 4587 bpf_error("MOPRC host filtering not implemented"); 4588 4589 case Q_IPV6: 4590 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4591 4592 case Q_ICMPV6: 4593 bpf_error("'icmp6' modifier applied to %s", typestr); 4594 4595 case Q_AH: 4596 bpf_error("'ah' modifier applied to %s", typestr); 4597 4598 case Q_ESP: 4599 bpf_error("'esp' modifier applied to %s", typestr); 4600 4601 case Q_ISO: 4602 bpf_error("ISO host filtering not implemented"); 4603 4604 case Q_ESIS: 4605 bpf_error("'esis' modifier applied to %s", typestr); 4606 4607 case Q_ISIS: 4608 bpf_error("'isis' modifier applied to %s", typestr); 4609 4610 case Q_CLNP: 4611 bpf_error("'clnp' modifier applied to %s", typestr); 4612 4613 case Q_STP: 4614 bpf_error("'stp' modifier applied to %s", typestr); 4615 4616 case Q_IPX: 4617 bpf_error("IPX host filtering not implemented"); 4618 4619 case Q_NETBEUI: 4620 bpf_error("'netbeui' modifier applied to %s", typestr); 4621 4622 case Q_RADIO: 4623 bpf_error("'radio' modifier applied to %s", typestr); 4624 4625 default: 4626 abort(); 4627 } 4628 /* NOTREACHED */ 4629 } 4630 #endif /*INET6*/ 4631 4632 #ifndef INET6 4633 static struct block * 4634 gen_gateway(eaddr, alist, proto, dir) 4635 const u_char *eaddr; 4636 bpf_u_int32 **alist; 4637 int proto; 4638 int dir; 4639 { 4640 struct block *b0, *b1, *tmp; 4641 4642 if (dir != 0) 4643 bpf_error("direction applied to 'gateway'"); 4644 4645 switch (proto) { 4646 case Q_DEFAULT: 4647 case Q_IP: 4648 case Q_ARP: 4649 case Q_RARP: 4650 switch (linktype) { 4651 case DLT_EN10MB: 4652 b0 = gen_ehostop(eaddr, Q_OR); 4653 break; 4654 case DLT_FDDI: 4655 b0 = gen_fhostop(eaddr, Q_OR); 4656 break; 4657 case DLT_IEEE802: 4658 b0 = gen_thostop(eaddr, Q_OR); 4659 break; 4660 case DLT_IEEE802_11: 4661 case DLT_PRISM_HEADER: 4662 case DLT_IEEE802_11_RADIO_AVS: 4663 case DLT_IEEE802_11_RADIO: 4664 case DLT_PPI: 4665 b0 = gen_wlanhostop(eaddr, Q_OR); 4666 break; 4667 case DLT_SUNATM: 4668 if (!is_lane) 4669 bpf_error( 4670 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4671 /* 4672 * Check that the packet doesn't begin with an 4673 * LE Control marker. (We've already generated 4674 * a test for LANE.) 4675 */ 4676 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4677 BPF_H, 0xFF00); 4678 gen_not(b1); 4679 4680 /* 4681 * Now check the MAC address. 4682 */ 4683 b0 = gen_ehostop(eaddr, Q_OR); 4684 gen_and(b1, b0); 4685 break; 4686 case DLT_IP_OVER_FC: 4687 b0 = gen_ipfchostop(eaddr, Q_OR); 4688 break; 4689 default: 4690 bpf_error( 4691 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4692 } 4693 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4694 while (*alist) { 4695 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4696 Q_HOST); 4697 gen_or(b1, tmp); 4698 b1 = tmp; 4699 } 4700 gen_not(b1); 4701 gen_and(b0, b1); 4702 return b1; 4703 } 4704 bpf_error("illegal modifier of 'gateway'"); 4705 /* NOTREACHED */ 4706 } 4707 #endif 4708 4709 struct block * 4710 gen_proto_abbrev(proto) 4711 int proto; 4712 { 4713 struct block *b0; 4714 struct block *b1; 4715 4716 switch (proto) { 4717 4718 case Q_SCTP: 4719 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4720 #ifdef INET6 4721 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4722 gen_or(b0, b1); 4723 #endif 4724 break; 4725 4726 case Q_TCP: 4727 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4728 #ifdef INET6 4729 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4730 gen_or(b0, b1); 4731 #endif 4732 break; 4733 4734 case Q_UDP: 4735 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4736 #ifdef INET6 4737 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4738 gen_or(b0, b1); 4739 #endif 4740 break; 4741 4742 case Q_ICMP: 4743 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4744 break; 4745 4746 #ifndef IPPROTO_IGMP 4747 #define IPPROTO_IGMP 2 4748 #endif 4749 4750 case Q_IGMP: 4751 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4752 break; 4753 4754 #ifndef IPPROTO_IGRP 4755 #define IPPROTO_IGRP 9 4756 #endif 4757 case Q_IGRP: 4758 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4759 break; 4760 4761 #ifndef IPPROTO_PIM 4762 #define IPPROTO_PIM 103 4763 #endif 4764 4765 case Q_PIM: 4766 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4767 #ifdef INET6 4768 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4769 gen_or(b0, b1); 4770 #endif 4771 break; 4772 4773 #ifndef IPPROTO_VRRP 4774 #define IPPROTO_VRRP 112 4775 #endif 4776 4777 case Q_VRRP: 4778 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4779 break; 4780 4781 case Q_IP: 4782 b1 = gen_linktype(ETHERTYPE_IP); 4783 break; 4784 4785 case Q_ARP: 4786 b1 = gen_linktype(ETHERTYPE_ARP); 4787 break; 4788 4789 case Q_RARP: 4790 b1 = gen_linktype(ETHERTYPE_REVARP); 4791 break; 4792 4793 case Q_LINK: 4794 bpf_error("link layer applied in wrong context"); 4795 4796 case Q_ATALK: 4797 b1 = gen_linktype(ETHERTYPE_ATALK); 4798 break; 4799 4800 case Q_AARP: 4801 b1 = gen_linktype(ETHERTYPE_AARP); 4802 break; 4803 4804 case Q_DECNET: 4805 b1 = gen_linktype(ETHERTYPE_DN); 4806 break; 4807 4808 case Q_SCA: 4809 b1 = gen_linktype(ETHERTYPE_SCA); 4810 break; 4811 4812 case Q_LAT: 4813 b1 = gen_linktype(ETHERTYPE_LAT); 4814 break; 4815 4816 case Q_MOPDL: 4817 b1 = gen_linktype(ETHERTYPE_MOPDL); 4818 break; 4819 4820 case Q_MOPRC: 4821 b1 = gen_linktype(ETHERTYPE_MOPRC); 4822 break; 4823 4824 #ifdef INET6 4825 case Q_IPV6: 4826 b1 = gen_linktype(ETHERTYPE_IPV6); 4827 break; 4828 4829 #ifndef IPPROTO_ICMPV6 4830 #define IPPROTO_ICMPV6 58 4831 #endif 4832 case Q_ICMPV6: 4833 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4834 break; 4835 #endif /* INET6 */ 4836 4837 #ifndef IPPROTO_AH 4838 #define IPPROTO_AH 51 4839 #endif 4840 case Q_AH: 4841 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4842 #ifdef INET6 4843 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4844 gen_or(b0, b1); 4845 #endif 4846 break; 4847 4848 #ifndef IPPROTO_ESP 4849 #define IPPROTO_ESP 50 4850 #endif 4851 case Q_ESP: 4852 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4853 #ifdef INET6 4854 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4855 gen_or(b0, b1); 4856 #endif 4857 break; 4858 4859 case Q_ISO: 4860 b1 = gen_linktype(LLCSAP_ISONS); 4861 break; 4862 4863 case Q_ESIS: 4864 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4865 break; 4866 4867 case Q_ISIS: 4868 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4869 break; 4870 4871 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4872 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4873 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4874 gen_or(b0, b1); 4875 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4876 gen_or(b0, b1); 4877 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4878 gen_or(b0, b1); 4879 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4880 gen_or(b0, b1); 4881 break; 4882 4883 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4884 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4885 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4886 gen_or(b0, b1); 4887 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4888 gen_or(b0, b1); 4889 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4890 gen_or(b0, b1); 4891 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4892 gen_or(b0, b1); 4893 break; 4894 4895 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4896 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4897 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4898 gen_or(b0, b1); 4899 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4900 gen_or(b0, b1); 4901 break; 4902 4903 case Q_ISIS_LSP: 4904 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4905 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4906 gen_or(b0, b1); 4907 break; 4908 4909 case Q_ISIS_SNP: 4910 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4911 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4912 gen_or(b0, b1); 4913 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4914 gen_or(b0, b1); 4915 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4916 gen_or(b0, b1); 4917 break; 4918 4919 case Q_ISIS_CSNP: 4920 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4921 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4922 gen_or(b0, b1); 4923 break; 4924 4925 case Q_ISIS_PSNP: 4926 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4927 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4928 gen_or(b0, b1); 4929 break; 4930 4931 case Q_CLNP: 4932 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4933 break; 4934 4935 case Q_STP: 4936 b1 = gen_linktype(LLCSAP_8021D); 4937 break; 4938 4939 case Q_IPX: 4940 b1 = gen_linktype(LLCSAP_IPX); 4941 break; 4942 4943 case Q_NETBEUI: 4944 b1 = gen_linktype(LLCSAP_NETBEUI); 4945 break; 4946 4947 case Q_RADIO: 4948 bpf_error("'radio' is not a valid protocol type"); 4949 4950 default: 4951 abort(); 4952 } 4953 return b1; 4954 } 4955 4956 static struct block * 4957 gen_ipfrag() 4958 { 4959 struct slist *s; 4960 struct block *b; 4961 4962 /* not ip frag */ 4963 s = gen_load_a(OR_NET, 6, BPF_H); 4964 b = new_block(JMP(BPF_JSET)); 4965 b->s.k = 0x1fff; 4966 b->stmts = s; 4967 gen_not(b); 4968 4969 return b; 4970 } 4971 4972 /* 4973 * Generate a comparison to a port value in the transport-layer header 4974 * at the specified offset from the beginning of that header. 4975 * 4976 * XXX - this handles a variable-length prefix preceding the link-layer 4977 * header, such as the radiotap or AVS radio prefix, but doesn't handle 4978 * variable-length link-layer headers (such as Token Ring or 802.11 4979 * headers). 4980 */ 4981 static struct block * 4982 gen_portatom(off, v) 4983 int off; 4984 bpf_int32 v; 4985 { 4986 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 4987 } 4988 4989 #ifdef INET6 4990 static struct block * 4991 gen_portatom6(off, v) 4992 int off; 4993 bpf_int32 v; 4994 { 4995 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 4996 } 4997 #endif/*INET6*/ 4998 4999 struct block * 5000 gen_portop(port, proto, dir) 5001 int port, proto, dir; 5002 { 5003 struct block *b0, *b1, *tmp; 5004 5005 /* ip proto 'proto' */ 5006 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5007 b0 = gen_ipfrag(); 5008 gen_and(tmp, b0); 5009 5010 switch (dir) { 5011 case Q_SRC: 5012 b1 = gen_portatom(0, (bpf_int32)port); 5013 break; 5014 5015 case Q_DST: 5016 b1 = gen_portatom(2, (bpf_int32)port); 5017 break; 5018 5019 case Q_OR: 5020 case Q_DEFAULT: 5021 tmp = gen_portatom(0, (bpf_int32)port); 5022 b1 = gen_portatom(2, (bpf_int32)port); 5023 gen_or(tmp, b1); 5024 break; 5025 5026 case Q_AND: 5027 tmp = gen_portatom(0, (bpf_int32)port); 5028 b1 = gen_portatom(2, (bpf_int32)port); 5029 gen_and(tmp, b1); 5030 break; 5031 5032 default: 5033 abort(); 5034 } 5035 gen_and(b0, b1); 5036 5037 return b1; 5038 } 5039 5040 static struct block * 5041 gen_port(port, ip_proto, dir) 5042 int port; 5043 int ip_proto; 5044 int dir; 5045 { 5046 struct block *b0, *b1, *tmp; 5047 5048 /* 5049 * ether proto ip 5050 * 5051 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5052 * not LLC encapsulation with LLCSAP_IP. 5053 * 5054 * For IEEE 802 networks - which includes 802.5 token ring 5055 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5056 * says that SNAP encapsulation is used, not LLC encapsulation 5057 * with LLCSAP_IP. 5058 * 5059 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5060 * RFC 2225 say that SNAP encapsulation is used, not LLC 5061 * encapsulation with LLCSAP_IP. 5062 * 5063 * So we always check for ETHERTYPE_IP. 5064 */ 5065 b0 = gen_linktype(ETHERTYPE_IP); 5066 5067 switch (ip_proto) { 5068 case IPPROTO_UDP: 5069 case IPPROTO_TCP: 5070 case IPPROTO_SCTP: 5071 b1 = gen_portop(port, ip_proto, dir); 5072 break; 5073 5074 case PROTO_UNDEF: 5075 tmp = gen_portop(port, IPPROTO_TCP, dir); 5076 b1 = gen_portop(port, IPPROTO_UDP, dir); 5077 gen_or(tmp, b1); 5078 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5079 gen_or(tmp, b1); 5080 break; 5081 5082 default: 5083 abort(); 5084 } 5085 gen_and(b0, b1); 5086 return b1; 5087 } 5088 5089 #ifdef INET6 5090 struct block * 5091 gen_portop6(port, proto, dir) 5092 int port, proto, dir; 5093 { 5094 struct block *b0, *b1, *tmp; 5095 5096 /* ip6 proto 'proto' */ 5097 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5098 5099 switch (dir) { 5100 case Q_SRC: 5101 b1 = gen_portatom6(0, (bpf_int32)port); 5102 break; 5103 5104 case Q_DST: 5105 b1 = gen_portatom6(2, (bpf_int32)port); 5106 break; 5107 5108 case Q_OR: 5109 case Q_DEFAULT: 5110 tmp = gen_portatom6(0, (bpf_int32)port); 5111 b1 = gen_portatom6(2, (bpf_int32)port); 5112 gen_or(tmp, b1); 5113 break; 5114 5115 case Q_AND: 5116 tmp = gen_portatom6(0, (bpf_int32)port); 5117 b1 = gen_portatom6(2, (bpf_int32)port); 5118 gen_and(tmp, b1); 5119 break; 5120 5121 default: 5122 abort(); 5123 } 5124 gen_and(b0, b1); 5125 5126 return b1; 5127 } 5128 5129 static struct block * 5130 gen_port6(port, ip_proto, dir) 5131 int port; 5132 int ip_proto; 5133 int dir; 5134 { 5135 struct block *b0, *b1, *tmp; 5136 5137 /* link proto ip6 */ 5138 b0 = gen_linktype(ETHERTYPE_IPV6); 5139 5140 switch (ip_proto) { 5141 case IPPROTO_UDP: 5142 case IPPROTO_TCP: 5143 case IPPROTO_SCTP: 5144 b1 = gen_portop6(port, ip_proto, dir); 5145 break; 5146 5147 case PROTO_UNDEF: 5148 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5149 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5150 gen_or(tmp, b1); 5151 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5152 gen_or(tmp, b1); 5153 break; 5154 5155 default: 5156 abort(); 5157 } 5158 gen_and(b0, b1); 5159 return b1; 5160 } 5161 #endif /* INET6 */ 5162 5163 /* gen_portrange code */ 5164 static struct block * 5165 gen_portrangeatom(off, v1, v2) 5166 int off; 5167 bpf_int32 v1, v2; 5168 { 5169 struct block *b1, *b2; 5170 5171 if (v1 > v2) { 5172 /* 5173 * Reverse the order of the ports, so v1 is the lower one. 5174 */ 5175 bpf_int32 vtemp; 5176 5177 vtemp = v1; 5178 v1 = v2; 5179 v2 = vtemp; 5180 } 5181 5182 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5183 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5184 5185 gen_and(b1, b2); 5186 5187 return b2; 5188 } 5189 5190 struct block * 5191 gen_portrangeop(port1, port2, proto, dir) 5192 int port1, port2; 5193 int proto; 5194 int dir; 5195 { 5196 struct block *b0, *b1, *tmp; 5197 5198 /* ip proto 'proto' */ 5199 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5200 b0 = gen_ipfrag(); 5201 gen_and(tmp, b0); 5202 5203 switch (dir) { 5204 case Q_SRC: 5205 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5206 break; 5207 5208 case Q_DST: 5209 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5210 break; 5211 5212 case Q_OR: 5213 case Q_DEFAULT: 5214 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5215 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5216 gen_or(tmp, b1); 5217 break; 5218 5219 case Q_AND: 5220 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5221 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5222 gen_and(tmp, b1); 5223 break; 5224 5225 default: 5226 abort(); 5227 } 5228 gen_and(b0, b1); 5229 5230 return b1; 5231 } 5232 5233 static struct block * 5234 gen_portrange(port1, port2, ip_proto, dir) 5235 int port1, port2; 5236 int ip_proto; 5237 int dir; 5238 { 5239 struct block *b0, *b1, *tmp; 5240 5241 /* link proto ip */ 5242 b0 = gen_linktype(ETHERTYPE_IP); 5243 5244 switch (ip_proto) { 5245 case IPPROTO_UDP: 5246 case IPPROTO_TCP: 5247 case IPPROTO_SCTP: 5248 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5249 break; 5250 5251 case PROTO_UNDEF: 5252 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5253 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5254 gen_or(tmp, b1); 5255 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5256 gen_or(tmp, b1); 5257 break; 5258 5259 default: 5260 abort(); 5261 } 5262 gen_and(b0, b1); 5263 return b1; 5264 } 5265 5266 #ifdef INET6 5267 static struct block * 5268 gen_portrangeatom6(off, v1, v2) 5269 int off; 5270 bpf_int32 v1, v2; 5271 { 5272 struct block *b1, *b2; 5273 5274 if (v1 > v2) { 5275 /* 5276 * Reverse the order of the ports, so v1 is the lower one. 5277 */ 5278 bpf_int32 vtemp; 5279 5280 vtemp = v1; 5281 v1 = v2; 5282 v2 = vtemp; 5283 } 5284 5285 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5286 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5287 5288 gen_and(b1, b2); 5289 5290 return b2; 5291 } 5292 5293 struct block * 5294 gen_portrangeop6(port1, port2, proto, dir) 5295 int port1, port2; 5296 int proto; 5297 int dir; 5298 { 5299 struct block *b0, *b1, *tmp; 5300 5301 /* ip6 proto 'proto' */ 5302 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5303 5304 switch (dir) { 5305 case Q_SRC: 5306 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5307 break; 5308 5309 case Q_DST: 5310 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5311 break; 5312 5313 case Q_OR: 5314 case Q_DEFAULT: 5315 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5316 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5317 gen_or(tmp, b1); 5318 break; 5319 5320 case Q_AND: 5321 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5322 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5323 gen_and(tmp, b1); 5324 break; 5325 5326 default: 5327 abort(); 5328 } 5329 gen_and(b0, b1); 5330 5331 return b1; 5332 } 5333 5334 static struct block * 5335 gen_portrange6(port1, port2, ip_proto, dir) 5336 int port1, port2; 5337 int ip_proto; 5338 int dir; 5339 { 5340 struct block *b0, *b1, *tmp; 5341 5342 /* link proto ip6 */ 5343 b0 = gen_linktype(ETHERTYPE_IPV6); 5344 5345 switch (ip_proto) { 5346 case IPPROTO_UDP: 5347 case IPPROTO_TCP: 5348 case IPPROTO_SCTP: 5349 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5350 break; 5351 5352 case PROTO_UNDEF: 5353 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5354 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5355 gen_or(tmp, b1); 5356 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5357 gen_or(tmp, b1); 5358 break; 5359 5360 default: 5361 abort(); 5362 } 5363 gen_and(b0, b1); 5364 return b1; 5365 } 5366 #endif /* INET6 */ 5367 5368 static int 5369 lookup_proto(name, proto) 5370 register const char *name; 5371 register int proto; 5372 { 5373 register int v; 5374 5375 switch (proto) { 5376 5377 case Q_DEFAULT: 5378 case Q_IP: 5379 case Q_IPV6: 5380 v = pcap_nametoproto(name); 5381 if (v == PROTO_UNDEF) 5382 bpf_error("unknown ip proto '%s'", name); 5383 break; 5384 5385 case Q_LINK: 5386 /* XXX should look up h/w protocol type based on linktype */ 5387 v = pcap_nametoeproto(name); 5388 if (v == PROTO_UNDEF) { 5389 v = pcap_nametollc(name); 5390 if (v == PROTO_UNDEF) 5391 bpf_error("unknown ether proto '%s'", name); 5392 } 5393 break; 5394 5395 case Q_ISO: 5396 if (strcmp(name, "esis") == 0) 5397 v = ISO9542_ESIS; 5398 else if (strcmp(name, "isis") == 0) 5399 v = ISO10589_ISIS; 5400 else if (strcmp(name, "clnp") == 0) 5401 v = ISO8473_CLNP; 5402 else 5403 bpf_error("unknown osi proto '%s'", name); 5404 break; 5405 5406 default: 5407 v = PROTO_UNDEF; 5408 break; 5409 } 5410 return v; 5411 } 5412 5413 #if 0 5414 struct stmt * 5415 gen_joinsp(s, n) 5416 struct stmt **s; 5417 int n; 5418 { 5419 return NULL; 5420 } 5421 #endif 5422 5423 static struct block * 5424 gen_protochain(v, proto, dir) 5425 int v; 5426 int proto; 5427 int dir; 5428 { 5429 #ifdef NO_PROTOCHAIN 5430 return gen_proto(v, proto, dir); 5431 #else 5432 struct block *b0, *b; 5433 struct slist *s[100]; 5434 int fix2, fix3, fix4, fix5; 5435 int ahcheck, again, end; 5436 int i, max; 5437 int reg2 = alloc_reg(); 5438 5439 memset(s, 0, sizeof(s)); 5440 fix2 = fix3 = fix4 = fix5 = 0; 5441 5442 switch (proto) { 5443 case Q_IP: 5444 case Q_IPV6: 5445 break; 5446 case Q_DEFAULT: 5447 b0 = gen_protochain(v, Q_IP, dir); 5448 b = gen_protochain(v, Q_IPV6, dir); 5449 gen_or(b0, b); 5450 return b; 5451 default: 5452 bpf_error("bad protocol applied for 'protochain'"); 5453 /*NOTREACHED*/ 5454 } 5455 5456 /* 5457 * We don't handle variable-length prefixes before the link-layer 5458 * header, or variable-length link-layer headers, here yet. 5459 * We might want to add BPF instructions to do the protochain 5460 * work, to simplify that and, on platforms that have a BPF 5461 * interpreter with the new instructions, let the filtering 5462 * be done in the kernel. (We already require a modified BPF 5463 * engine to do the protochain stuff, to support backward 5464 * branches, and backward branch support is unlikely to appear 5465 * in kernel BPF engines.) 5466 */ 5467 switch (linktype) { 5468 5469 case DLT_IEEE802_11: 5470 case DLT_PRISM_HEADER: 5471 case DLT_IEEE802_11_RADIO_AVS: 5472 case DLT_IEEE802_11_RADIO: 5473 case DLT_PPI: 5474 bpf_error("'protochain' not supported with 802.11"); 5475 } 5476 5477 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5478 5479 /* 5480 * s[0] is a dummy entry to protect other BPF insn from damage 5481 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5482 * hard to find interdependency made by jump table fixup. 5483 */ 5484 i = 0; 5485 s[i] = new_stmt(0); /*dummy*/ 5486 i++; 5487 5488 switch (proto) { 5489 case Q_IP: 5490 b0 = gen_linktype(ETHERTYPE_IP); 5491 5492 /* A = ip->ip_p */ 5493 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5494 s[i]->s.k = off_macpl + off_nl + 9; 5495 i++; 5496 /* X = ip->ip_hl << 2 */ 5497 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5498 s[i]->s.k = off_macpl + off_nl; 5499 i++; 5500 break; 5501 #ifdef INET6 5502 case Q_IPV6: 5503 b0 = gen_linktype(ETHERTYPE_IPV6); 5504 5505 /* A = ip6->ip_nxt */ 5506 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5507 s[i]->s.k = off_macpl + off_nl + 6; 5508 i++; 5509 /* X = sizeof(struct ip6_hdr) */ 5510 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5511 s[i]->s.k = 40; 5512 i++; 5513 break; 5514 #endif 5515 default: 5516 bpf_error("unsupported proto to gen_protochain"); 5517 /*NOTREACHED*/ 5518 } 5519 5520 /* again: if (A == v) goto end; else fall through; */ 5521 again = i; 5522 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5523 s[i]->s.k = v; 5524 s[i]->s.jt = NULL; /*later*/ 5525 s[i]->s.jf = NULL; /*update in next stmt*/ 5526 fix5 = i; 5527 i++; 5528 5529 #ifndef IPPROTO_NONE 5530 #define IPPROTO_NONE 59 5531 #endif 5532 /* if (A == IPPROTO_NONE) goto end */ 5533 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5534 s[i]->s.jt = NULL; /*later*/ 5535 s[i]->s.jf = NULL; /*update in next stmt*/ 5536 s[i]->s.k = IPPROTO_NONE; 5537 s[fix5]->s.jf = s[i]; 5538 fix2 = i; 5539 i++; 5540 5541 #ifdef INET6 5542 if (proto == Q_IPV6) { 5543 int v6start, v6end, v6advance, j; 5544 5545 v6start = i; 5546 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5547 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5548 s[i]->s.jt = NULL; /*later*/ 5549 s[i]->s.jf = NULL; /*update in next stmt*/ 5550 s[i]->s.k = IPPROTO_HOPOPTS; 5551 s[fix2]->s.jf = s[i]; 5552 i++; 5553 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5554 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5555 s[i]->s.jt = NULL; /*later*/ 5556 s[i]->s.jf = NULL; /*update in next stmt*/ 5557 s[i]->s.k = IPPROTO_DSTOPTS; 5558 i++; 5559 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5560 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5561 s[i]->s.jt = NULL; /*later*/ 5562 s[i]->s.jf = NULL; /*update in next stmt*/ 5563 s[i]->s.k = IPPROTO_ROUTING; 5564 i++; 5565 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5566 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5567 s[i]->s.jt = NULL; /*later*/ 5568 s[i]->s.jf = NULL; /*later*/ 5569 s[i]->s.k = IPPROTO_FRAGMENT; 5570 fix3 = i; 5571 v6end = i; 5572 i++; 5573 5574 /* v6advance: */ 5575 v6advance = i; 5576 5577 /* 5578 * in short, 5579 * A = P[X]; 5580 * X = X + (P[X + 1] + 1) * 8; 5581 */ 5582 /* A = X */ 5583 s[i] = new_stmt(BPF_MISC|BPF_TXA); 5584 i++; 5585 /* A = P[X + packet head] */ 5586 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5587 s[i]->s.k = off_macpl + off_nl; 5588 i++; 5589 /* MEM[reg2] = A */ 5590 s[i] = new_stmt(BPF_ST); 5591 s[i]->s.k = reg2; 5592 i++; 5593 /* A = X */ 5594 s[i] = new_stmt(BPF_MISC|BPF_TXA); 5595 i++; 5596 /* A += 1 */ 5597 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5598 s[i]->s.k = 1; 5599 i++; 5600 /* X = A */ 5601 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5602 i++; 5603 /* A = P[X + packet head]; */ 5604 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5605 s[i]->s.k = off_macpl + off_nl; 5606 i++; 5607 /* A += 1 */ 5608 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5609 s[i]->s.k = 1; 5610 i++; 5611 /* A *= 8 */ 5612 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5613 s[i]->s.k = 8; 5614 i++; 5615 /* X = A; */ 5616 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5617 i++; 5618 /* A = MEM[reg2] */ 5619 s[i] = new_stmt(BPF_LD|BPF_MEM); 5620 s[i]->s.k = reg2; 5621 i++; 5622 5623 /* goto again; (must use BPF_JA for backward jump) */ 5624 s[i] = new_stmt(BPF_JMP|BPF_JA); 5625 s[i]->s.k = again - i - 1; 5626 s[i - 1]->s.jf = s[i]; 5627 i++; 5628 5629 /* fixup */ 5630 for (j = v6start; j <= v6end; j++) 5631 s[j]->s.jt = s[v6advance]; 5632 } else 5633 #endif 5634 { 5635 /* nop */ 5636 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5637 s[i]->s.k = 0; 5638 s[fix2]->s.jf = s[i]; 5639 i++; 5640 } 5641 5642 /* ahcheck: */ 5643 ahcheck = i; 5644 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5645 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5646 s[i]->s.jt = NULL; /*later*/ 5647 s[i]->s.jf = NULL; /*later*/ 5648 s[i]->s.k = IPPROTO_AH; 5649 if (fix3) 5650 s[fix3]->s.jf = s[ahcheck]; 5651 fix4 = i; 5652 i++; 5653 5654 /* 5655 * in short, 5656 * A = P[X]; 5657 * X = X + (P[X + 1] + 2) * 4; 5658 */ 5659 /* A = X */ 5660 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5661 i++; 5662 /* A = P[X + packet head]; */ 5663 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5664 s[i]->s.k = off_macpl + off_nl; 5665 i++; 5666 /* MEM[reg2] = A */ 5667 s[i] = new_stmt(BPF_ST); 5668 s[i]->s.k = reg2; 5669 i++; 5670 /* A = X */ 5671 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5672 i++; 5673 /* A += 1 */ 5674 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5675 s[i]->s.k = 1; 5676 i++; 5677 /* X = A */ 5678 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5679 i++; 5680 /* A = P[X + packet head] */ 5681 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5682 s[i]->s.k = off_macpl + off_nl; 5683 i++; 5684 /* A += 2 */ 5685 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5686 s[i]->s.k = 2; 5687 i++; 5688 /* A *= 4 */ 5689 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5690 s[i]->s.k = 4; 5691 i++; 5692 /* X = A; */ 5693 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5694 i++; 5695 /* A = MEM[reg2] */ 5696 s[i] = new_stmt(BPF_LD|BPF_MEM); 5697 s[i]->s.k = reg2; 5698 i++; 5699 5700 /* goto again; (must use BPF_JA for backward jump) */ 5701 s[i] = new_stmt(BPF_JMP|BPF_JA); 5702 s[i]->s.k = again - i - 1; 5703 i++; 5704 5705 /* end: nop */ 5706 end = i; 5707 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5708 s[i]->s.k = 0; 5709 s[fix2]->s.jt = s[end]; 5710 s[fix4]->s.jf = s[end]; 5711 s[fix5]->s.jt = s[end]; 5712 i++; 5713 5714 /* 5715 * make slist chain 5716 */ 5717 max = i; 5718 for (i = 0; i < max - 1; i++) 5719 s[i]->next = s[i + 1]; 5720 s[max - 1]->next = NULL; 5721 5722 /* 5723 * emit final check 5724 */ 5725 b = new_block(JMP(BPF_JEQ)); 5726 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5727 b->s.k = v; 5728 5729 free_reg(reg2); 5730 5731 gen_and(b0, b); 5732 return b; 5733 #endif 5734 } 5735 5736 static struct block * 5737 gen_check_802_11_data_frame() 5738 { 5739 struct slist *s; 5740 struct block *b0, *b1; 5741 5742 /* 5743 * A data frame has the 0x08 bit (b3) in the frame control field set 5744 * and the 0x04 bit (b2) clear. 5745 */ 5746 s = gen_load_a(OR_LINK, 0, BPF_B); 5747 b0 = new_block(JMP(BPF_JSET)); 5748 b0->s.k = 0x08; 5749 b0->stmts = s; 5750 5751 s = gen_load_a(OR_LINK, 0, BPF_B); 5752 b1 = new_block(JMP(BPF_JSET)); 5753 b1->s.k = 0x04; 5754 b1->stmts = s; 5755 gen_not(b1); 5756 5757 gen_and(b1, b0); 5758 5759 return b0; 5760 } 5761 5762 /* 5763 * Generate code that checks whether the packet is a packet for protocol 5764 * <proto> and whether the type field in that protocol's header has 5765 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5766 * IP packet and checks the protocol number in the IP header against <v>. 5767 * 5768 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5769 * against Q_IP and Q_IPV6. 5770 */ 5771 static struct block * 5772 gen_proto(v, proto, dir) 5773 int v; 5774 int proto; 5775 int dir; 5776 { 5777 struct block *b0, *b1; 5778 5779 if (dir != Q_DEFAULT) 5780 bpf_error("direction applied to 'proto'"); 5781 5782 switch (proto) { 5783 case Q_DEFAULT: 5784 #ifdef INET6 5785 b0 = gen_proto(v, Q_IP, dir); 5786 b1 = gen_proto(v, Q_IPV6, dir); 5787 gen_or(b0, b1); 5788 return b1; 5789 #else 5790 /*FALLTHROUGH*/ 5791 #endif 5792 case Q_IP: 5793 /* 5794 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5795 * not LLC encapsulation with LLCSAP_IP. 5796 * 5797 * For IEEE 802 networks - which includes 802.5 token ring 5798 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5799 * says that SNAP encapsulation is used, not LLC encapsulation 5800 * with LLCSAP_IP. 5801 * 5802 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5803 * RFC 2225 say that SNAP encapsulation is used, not LLC 5804 * encapsulation with LLCSAP_IP. 5805 * 5806 * So we always check for ETHERTYPE_IP. 5807 */ 5808 b0 = gen_linktype(ETHERTYPE_IP); 5809 #ifndef CHASE_CHAIN 5810 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5811 #else 5812 b1 = gen_protochain(v, Q_IP); 5813 #endif 5814 gen_and(b0, b1); 5815 return b1; 5816 5817 case Q_ISO: 5818 switch (linktype) { 5819 5820 case DLT_FRELAY: 5821 /* 5822 * Frame Relay packets typically have an OSI 5823 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5824 * generates code to check for all the OSI 5825 * NLPIDs, so calling it and then adding a check 5826 * for the particular NLPID for which we're 5827 * looking is bogus, as we can just check for 5828 * the NLPID. 5829 * 5830 * What we check for is the NLPID and a frame 5831 * control field value of UI, i.e. 0x03 followed 5832 * by the NLPID. 5833 * 5834 * XXX - assumes a 2-byte Frame Relay header with 5835 * DLCI and flags. What if the address is longer? 5836 * 5837 * XXX - what about SNAP-encapsulated frames? 5838 */ 5839 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5840 /*NOTREACHED*/ 5841 break; 5842 5843 case DLT_C_HDLC: 5844 /* 5845 * Cisco uses an Ethertype lookalike - for OSI, 5846 * it's 0xfefe. 5847 */ 5848 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5849 /* OSI in C-HDLC is stuffed with a fudge byte */ 5850 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5851 gen_and(b0, b1); 5852 return b1; 5853 5854 default: 5855 b0 = gen_linktype(LLCSAP_ISONS); 5856 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5857 gen_and(b0, b1); 5858 return b1; 5859 } 5860 5861 case Q_ISIS: 5862 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5863 /* 5864 * 4 is the offset of the PDU type relative to the IS-IS 5865 * header. 5866 */ 5867 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5868 gen_and(b0, b1); 5869 return b1; 5870 5871 case Q_ARP: 5872 bpf_error("arp does not encapsulate another protocol"); 5873 /* NOTREACHED */ 5874 5875 case Q_RARP: 5876 bpf_error("rarp does not encapsulate another protocol"); 5877 /* NOTREACHED */ 5878 5879 case Q_ATALK: 5880 bpf_error("atalk encapsulation is not specifiable"); 5881 /* NOTREACHED */ 5882 5883 case Q_DECNET: 5884 bpf_error("decnet encapsulation is not specifiable"); 5885 /* NOTREACHED */ 5886 5887 case Q_SCA: 5888 bpf_error("sca does not encapsulate another protocol"); 5889 /* NOTREACHED */ 5890 5891 case Q_LAT: 5892 bpf_error("lat does not encapsulate another protocol"); 5893 /* NOTREACHED */ 5894 5895 case Q_MOPRC: 5896 bpf_error("moprc does not encapsulate another protocol"); 5897 /* NOTREACHED */ 5898 5899 case Q_MOPDL: 5900 bpf_error("mopdl does not encapsulate another protocol"); 5901 /* NOTREACHED */ 5902 5903 case Q_LINK: 5904 return gen_linktype(v); 5905 5906 case Q_UDP: 5907 bpf_error("'udp proto' is bogus"); 5908 /* NOTREACHED */ 5909 5910 case Q_TCP: 5911 bpf_error("'tcp proto' is bogus"); 5912 /* NOTREACHED */ 5913 5914 case Q_SCTP: 5915 bpf_error("'sctp proto' is bogus"); 5916 /* NOTREACHED */ 5917 5918 case Q_ICMP: 5919 bpf_error("'icmp proto' is bogus"); 5920 /* NOTREACHED */ 5921 5922 case Q_IGMP: 5923 bpf_error("'igmp proto' is bogus"); 5924 /* NOTREACHED */ 5925 5926 case Q_IGRP: 5927 bpf_error("'igrp proto' is bogus"); 5928 /* NOTREACHED */ 5929 5930 case Q_PIM: 5931 bpf_error("'pim proto' is bogus"); 5932 /* NOTREACHED */ 5933 5934 case Q_VRRP: 5935 bpf_error("'vrrp proto' is bogus"); 5936 /* NOTREACHED */ 5937 5938 #ifdef INET6 5939 case Q_IPV6: 5940 b0 = gen_linktype(ETHERTYPE_IPV6); 5941 #ifndef CHASE_CHAIN 5942 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 5943 #else 5944 b1 = gen_protochain(v, Q_IPV6); 5945 #endif 5946 gen_and(b0, b1); 5947 return b1; 5948 5949 case Q_ICMPV6: 5950 bpf_error("'icmp6 proto' is bogus"); 5951 #endif /* INET6 */ 5952 5953 case Q_AH: 5954 bpf_error("'ah proto' is bogus"); 5955 5956 case Q_ESP: 5957 bpf_error("'ah proto' is bogus"); 5958 5959 case Q_STP: 5960 bpf_error("'stp proto' is bogus"); 5961 5962 case Q_IPX: 5963 bpf_error("'ipx proto' is bogus"); 5964 5965 case Q_NETBEUI: 5966 bpf_error("'netbeui proto' is bogus"); 5967 5968 case Q_RADIO: 5969 bpf_error("'radio proto' is bogus"); 5970 5971 default: 5972 abort(); 5973 /* NOTREACHED */ 5974 } 5975 /* NOTREACHED */ 5976 } 5977 5978 struct block * 5979 gen_scode(name, q) 5980 register const char *name; 5981 struct qual q; 5982 { 5983 int proto = q.proto; 5984 int dir = q.dir; 5985 int tproto; 5986 u_char *eaddr; 5987 bpf_u_int32 mask, addr; 5988 #ifndef INET6 5989 bpf_u_int32 **alist; 5990 #else 5991 int tproto6; 5992 struct sockaddr_in *sin4; 5993 struct sockaddr_in6 *sin6; 5994 struct addrinfo *res, *res0; 5995 struct in6_addr mask128; 5996 #endif /*INET6*/ 5997 struct block *b, *tmp; 5998 int port, real_proto; 5999 int port1, port2; 6000 6001 switch (q.addr) { 6002 6003 case Q_NET: 6004 addr = pcap_nametonetaddr(name); 6005 if (addr == 0) 6006 bpf_error("unknown network '%s'", name); 6007 /* Left justify network addr and calculate its network mask */ 6008 mask = 0xffffffff; 6009 while (addr && (addr & 0xff000000) == 0) { 6010 addr <<= 8; 6011 mask <<= 8; 6012 } 6013 return gen_host(addr, mask, proto, dir, q.addr); 6014 6015 case Q_DEFAULT: 6016 case Q_HOST: 6017 if (proto == Q_LINK) { 6018 switch (linktype) { 6019 6020 case DLT_EN10MB: 6021 eaddr = pcap_ether_hostton(name); 6022 if (eaddr == NULL) 6023 bpf_error( 6024 "unknown ether host '%s'", name); 6025 b = gen_ehostop(eaddr, dir); 6026 free(eaddr); 6027 return b; 6028 6029 case DLT_FDDI: 6030 eaddr = pcap_ether_hostton(name); 6031 if (eaddr == NULL) 6032 bpf_error( 6033 "unknown FDDI host '%s'", name); 6034 b = gen_fhostop(eaddr, dir); 6035 free(eaddr); 6036 return b; 6037 6038 case DLT_IEEE802: 6039 eaddr = pcap_ether_hostton(name); 6040 if (eaddr == NULL) 6041 bpf_error( 6042 "unknown token ring host '%s'", name); 6043 b = gen_thostop(eaddr, dir); 6044 free(eaddr); 6045 return b; 6046 6047 case DLT_IEEE802_11: 6048 case DLT_PRISM_HEADER: 6049 case DLT_IEEE802_11_RADIO_AVS: 6050 case DLT_IEEE802_11_RADIO: 6051 case DLT_PPI: 6052 eaddr = pcap_ether_hostton(name); 6053 if (eaddr == NULL) 6054 bpf_error( 6055 "unknown 802.11 host '%s'", name); 6056 b = gen_wlanhostop(eaddr, dir); 6057 free(eaddr); 6058 return b; 6059 6060 case DLT_IP_OVER_FC: 6061 eaddr = pcap_ether_hostton(name); 6062 if (eaddr == NULL) 6063 bpf_error( 6064 "unknown Fibre Channel host '%s'", name); 6065 b = gen_ipfchostop(eaddr, dir); 6066 free(eaddr); 6067 return b; 6068 6069 case DLT_SUNATM: 6070 if (!is_lane) 6071 break; 6072 6073 /* 6074 * Check that the packet doesn't begin 6075 * with an LE Control marker. (We've 6076 * already generated a test for LANE.) 6077 */ 6078 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6079 BPF_H, 0xFF00); 6080 gen_not(tmp); 6081 6082 eaddr = pcap_ether_hostton(name); 6083 if (eaddr == NULL) 6084 bpf_error( 6085 "unknown ether host '%s'", name); 6086 b = gen_ehostop(eaddr, dir); 6087 gen_and(tmp, b); 6088 free(eaddr); 6089 return b; 6090 } 6091 6092 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6093 } else if (proto == Q_DECNET) { 6094 unsigned short dn_addr = __pcap_nametodnaddr(name); 6095 /* 6096 * I don't think DECNET hosts can be multihomed, so 6097 * there is no need to build up a list of addresses 6098 */ 6099 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6100 } else { 6101 #ifndef INET6 6102 alist = pcap_nametoaddr(name); 6103 if (alist == NULL || *alist == NULL) 6104 bpf_error("unknown host '%s'", name); 6105 tproto = proto; 6106 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6107 tproto = Q_IP; 6108 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6109 while (*alist) { 6110 tmp = gen_host(**alist++, 0xffffffff, 6111 tproto, dir, q.addr); 6112 gen_or(b, tmp); 6113 b = tmp; 6114 } 6115 return b; 6116 #else 6117 memset(&mask128, 0xff, sizeof(mask128)); 6118 res0 = res = pcap_nametoaddrinfo(name); 6119 if (res == NULL) 6120 bpf_error("unknown host '%s'", name); 6121 ai = res; 6122 b = tmp = NULL; 6123 tproto = tproto6 = proto; 6124 if (off_linktype == -1 && tproto == Q_DEFAULT) { 6125 tproto = Q_IP; 6126 tproto6 = Q_IPV6; 6127 } 6128 for (res = res0; res; res = res->ai_next) { 6129 switch (res->ai_family) { 6130 case AF_INET: 6131 if (tproto == Q_IPV6) 6132 continue; 6133 6134 sin4 = (struct sockaddr_in *) 6135 res->ai_addr; 6136 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6137 0xffffffff, tproto, dir, q.addr); 6138 break; 6139 case AF_INET6: 6140 if (tproto6 == Q_IP) 6141 continue; 6142 6143 sin6 = (struct sockaddr_in6 *) 6144 res->ai_addr; 6145 tmp = gen_host6(&sin6->sin6_addr, 6146 &mask128, tproto6, dir, q.addr); 6147 break; 6148 default: 6149 continue; 6150 } 6151 if (b) 6152 gen_or(b, tmp); 6153 b = tmp; 6154 } 6155 ai = NULL; 6156 freeaddrinfo(res0); 6157 if (b == NULL) { 6158 bpf_error("unknown host '%s'%s", name, 6159 (proto == Q_DEFAULT) 6160 ? "" 6161 : " for specified address family"); 6162 } 6163 return b; 6164 #endif /*INET6*/ 6165 } 6166 6167 case Q_PORT: 6168 if (proto != Q_DEFAULT && 6169 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6170 bpf_error("illegal qualifier of 'port'"); 6171 if (pcap_nametoport(name, &port, &real_proto) == 0) 6172 bpf_error("unknown port '%s'", name); 6173 if (proto == Q_UDP) { 6174 if (real_proto == IPPROTO_TCP) 6175 bpf_error("port '%s' is tcp", name); 6176 else if (real_proto == IPPROTO_SCTP) 6177 bpf_error("port '%s' is sctp", name); 6178 else 6179 /* override PROTO_UNDEF */ 6180 real_proto = IPPROTO_UDP; 6181 } 6182 if (proto == Q_TCP) { 6183 if (real_proto == IPPROTO_UDP) 6184 bpf_error("port '%s' is udp", name); 6185 6186 else if (real_proto == IPPROTO_SCTP) 6187 bpf_error("port '%s' is sctp", name); 6188 else 6189 /* override PROTO_UNDEF */ 6190 real_proto = IPPROTO_TCP; 6191 } 6192 if (proto == Q_SCTP) { 6193 if (real_proto == IPPROTO_UDP) 6194 bpf_error("port '%s' is udp", name); 6195 6196 else if (real_proto == IPPROTO_TCP) 6197 bpf_error("port '%s' is tcp", name); 6198 else 6199 /* override PROTO_UNDEF */ 6200 real_proto = IPPROTO_SCTP; 6201 } 6202 #ifndef INET6 6203 return gen_port(port, real_proto, dir); 6204 #else 6205 b = gen_port(port, real_proto, dir); 6206 gen_or(gen_port6(port, real_proto, dir), b); 6207 return b; 6208 #endif /* INET6 */ 6209 6210 case Q_PORTRANGE: 6211 if (proto != Q_DEFAULT && 6212 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6213 bpf_error("illegal qualifier of 'portrange'"); 6214 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6215 bpf_error("unknown port in range '%s'", name); 6216 if (proto == Q_UDP) { 6217 if (real_proto == IPPROTO_TCP) 6218 bpf_error("port in range '%s' is tcp", name); 6219 else if (real_proto == IPPROTO_SCTP) 6220 bpf_error("port in range '%s' is sctp", name); 6221 else 6222 /* override PROTO_UNDEF */ 6223 real_proto = IPPROTO_UDP; 6224 } 6225 if (proto == Q_TCP) { 6226 if (real_proto == IPPROTO_UDP) 6227 bpf_error("port in range '%s' is udp", name); 6228 else if (real_proto == IPPROTO_SCTP) 6229 bpf_error("port in range '%s' is sctp", name); 6230 else 6231 /* override PROTO_UNDEF */ 6232 real_proto = IPPROTO_TCP; 6233 } 6234 if (proto == Q_SCTP) { 6235 if (real_proto == IPPROTO_UDP) 6236 bpf_error("port in range '%s' is udp", name); 6237 else if (real_proto == IPPROTO_TCP) 6238 bpf_error("port in range '%s' is tcp", name); 6239 else 6240 /* override PROTO_UNDEF */ 6241 real_proto = IPPROTO_SCTP; 6242 } 6243 #ifndef INET6 6244 return gen_portrange(port1, port2, real_proto, dir); 6245 #else 6246 b = gen_portrange(port1, port2, real_proto, dir); 6247 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6248 return b; 6249 #endif /* INET6 */ 6250 6251 case Q_GATEWAY: 6252 #ifndef INET6 6253 eaddr = pcap_ether_hostton(name); 6254 if (eaddr == NULL) 6255 bpf_error("unknown ether host: %s", name); 6256 6257 alist = pcap_nametoaddr(name); 6258 if (alist == NULL || *alist == NULL) 6259 bpf_error("unknown host '%s'", name); 6260 b = gen_gateway(eaddr, alist, proto, dir); 6261 free(eaddr); 6262 return b; 6263 #else 6264 bpf_error("'gateway' not supported in this configuration"); 6265 #endif /*INET6*/ 6266 6267 case Q_PROTO: 6268 real_proto = lookup_proto(name, proto); 6269 if (real_proto >= 0) 6270 return gen_proto(real_proto, proto, dir); 6271 else 6272 bpf_error("unknown protocol: %s", name); 6273 6274 case Q_PROTOCHAIN: 6275 real_proto = lookup_proto(name, proto); 6276 if (real_proto >= 0) 6277 return gen_protochain(real_proto, proto, dir); 6278 else 6279 bpf_error("unknown protocol: %s", name); 6280 6281 case Q_UNDEF: 6282 syntax(); 6283 /* NOTREACHED */ 6284 } 6285 abort(); 6286 /* NOTREACHED */ 6287 } 6288 6289 struct block * 6290 gen_mcode(s1, s2, masklen, q) 6291 register const char *s1, *s2; 6292 register int masklen; 6293 struct qual q; 6294 { 6295 register int nlen, mlen; 6296 bpf_u_int32 n, m; 6297 6298 nlen = __pcap_atoin(s1, &n); 6299 /* Promote short ipaddr */ 6300 n <<= 32 - nlen; 6301 6302 if (s2 != NULL) { 6303 mlen = __pcap_atoin(s2, &m); 6304 /* Promote short ipaddr */ 6305 m <<= 32 - mlen; 6306 if ((n & ~m) != 0) 6307 bpf_error("non-network bits set in \"%s mask %s\"", 6308 s1, s2); 6309 } else { 6310 /* Convert mask len to mask */ 6311 if (masklen > 32) 6312 bpf_error("mask length must be <= 32"); 6313 if (masklen == 0) { 6314 /* 6315 * X << 32 is not guaranteed by C to be 0; it's 6316 * undefined. 6317 */ 6318 m = 0; 6319 } else 6320 m = 0xffffffff << (32 - masklen); 6321 if ((n & ~m) != 0) 6322 bpf_error("non-network bits set in \"%s/%d\"", 6323 s1, masklen); 6324 } 6325 6326 switch (q.addr) { 6327 6328 case Q_NET: 6329 return gen_host(n, m, q.proto, q.dir, q.addr); 6330 6331 default: 6332 bpf_error("Mask syntax for networks only"); 6333 /* NOTREACHED */ 6334 } 6335 /* NOTREACHED */ 6336 return NULL; 6337 } 6338 6339 struct block * 6340 gen_ncode(s, v, q) 6341 register const char *s; 6342 bpf_u_int32 v; 6343 struct qual q; 6344 { 6345 bpf_u_int32 mask; 6346 int proto = q.proto; 6347 int dir = q.dir; 6348 register int vlen; 6349 6350 if (s == NULL) 6351 vlen = 32; 6352 else if (q.proto == Q_DECNET) 6353 vlen = __pcap_atodn(s, &v); 6354 else 6355 vlen = __pcap_atoin(s, &v); 6356 6357 switch (q.addr) { 6358 6359 case Q_DEFAULT: 6360 case Q_HOST: 6361 case Q_NET: 6362 if (proto == Q_DECNET) 6363 return gen_host(v, 0, proto, dir, q.addr); 6364 else if (proto == Q_LINK) { 6365 bpf_error("illegal link layer address"); 6366 } else { 6367 mask = 0xffffffff; 6368 if (s == NULL && q.addr == Q_NET) { 6369 /* Promote short net number */ 6370 while (v && (v & 0xff000000) == 0) { 6371 v <<= 8; 6372 mask <<= 8; 6373 } 6374 } else { 6375 /* Promote short ipaddr */ 6376 v <<= 32 - vlen; 6377 mask <<= 32 - vlen; 6378 } 6379 return gen_host(v, mask, proto, dir, q.addr); 6380 } 6381 6382 case Q_PORT: 6383 if (proto == Q_UDP) 6384 proto = IPPROTO_UDP; 6385 else if (proto == Q_TCP) 6386 proto = IPPROTO_TCP; 6387 else if (proto == Q_SCTP) 6388 proto = IPPROTO_SCTP; 6389 else if (proto == Q_DEFAULT) 6390 proto = PROTO_UNDEF; 6391 else 6392 bpf_error("illegal qualifier of 'port'"); 6393 6394 #ifndef INET6 6395 return gen_port((int)v, proto, dir); 6396 #else 6397 { 6398 struct block *b; 6399 b = gen_port((int)v, proto, dir); 6400 gen_or(gen_port6((int)v, proto, dir), b); 6401 return b; 6402 } 6403 #endif /* INET6 */ 6404 6405 case Q_PORTRANGE: 6406 if (proto == Q_UDP) 6407 proto = IPPROTO_UDP; 6408 else if (proto == Q_TCP) 6409 proto = IPPROTO_TCP; 6410 else if (proto == Q_SCTP) 6411 proto = IPPROTO_SCTP; 6412 else if (proto == Q_DEFAULT) 6413 proto = PROTO_UNDEF; 6414 else 6415 bpf_error("illegal qualifier of 'portrange'"); 6416 6417 #ifndef INET6 6418 return gen_portrange((int)v, (int)v, proto, dir); 6419 #else 6420 { 6421 struct block *b; 6422 b = gen_portrange((int)v, (int)v, proto, dir); 6423 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6424 return b; 6425 } 6426 #endif /* INET6 */ 6427 6428 case Q_GATEWAY: 6429 bpf_error("'gateway' requires a name"); 6430 /* NOTREACHED */ 6431 6432 case Q_PROTO: 6433 return gen_proto((int)v, proto, dir); 6434 6435 case Q_PROTOCHAIN: 6436 return gen_protochain((int)v, proto, dir); 6437 6438 case Q_UNDEF: 6439 syntax(); 6440 /* NOTREACHED */ 6441 6442 default: 6443 abort(); 6444 /* NOTREACHED */ 6445 } 6446 /* NOTREACHED */ 6447 } 6448 6449 #ifdef INET6 6450 struct block * 6451 gen_mcode6(s1, s2, masklen, q) 6452 register const char *s1, *s2; 6453 register int masklen; 6454 struct qual q; 6455 { 6456 struct addrinfo *res; 6457 struct in6_addr *addr; 6458 struct in6_addr mask; 6459 struct block *b; 6460 u_int32_t *a, *m; 6461 6462 if (s2) 6463 bpf_error("no mask %s supported", s2); 6464 6465 res = pcap_nametoaddrinfo(s1); 6466 if (!res) 6467 bpf_error("invalid ip6 address %s", s1); 6468 ai = res; 6469 if (res->ai_next) 6470 bpf_error("%s resolved to multiple address", s1); 6471 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6472 6473 if (sizeof(mask) * 8 < masklen) 6474 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6475 memset(&mask, 0, sizeof(mask)); 6476 memset(&mask, 0xff, masklen / 8); 6477 if (masklen % 8) { 6478 mask.s6_addr[masklen / 8] = 6479 (0xff << (8 - masklen % 8)) & 0xff; 6480 } 6481 6482 a = (u_int32_t *)addr; 6483 m = (u_int32_t *)&mask; 6484 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6485 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6486 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6487 } 6488 6489 switch (q.addr) { 6490 6491 case Q_DEFAULT: 6492 case Q_HOST: 6493 if (masklen != 128) 6494 bpf_error("Mask syntax for networks only"); 6495 /* FALLTHROUGH */ 6496 6497 case Q_NET: 6498 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6499 ai = NULL; 6500 freeaddrinfo(res); 6501 return b; 6502 6503 default: 6504 bpf_error("invalid qualifier against IPv6 address"); 6505 /* NOTREACHED */ 6506 } 6507 return NULL; 6508 } 6509 #endif /*INET6*/ 6510 6511 struct block * 6512 gen_ecode(eaddr, q) 6513 register const u_char *eaddr; 6514 struct qual q; 6515 { 6516 struct block *b, *tmp; 6517 6518 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6519 switch (linktype) { 6520 case DLT_EN10MB: 6521 return gen_ehostop(eaddr, (int)q.dir); 6522 case DLT_FDDI: 6523 return gen_fhostop(eaddr, (int)q.dir); 6524 case DLT_IEEE802: 6525 return gen_thostop(eaddr, (int)q.dir); 6526 case DLT_IEEE802_11: 6527 case DLT_PRISM_HEADER: 6528 case DLT_IEEE802_11_RADIO_AVS: 6529 case DLT_IEEE802_11_RADIO: 6530 case DLT_PPI: 6531 return gen_wlanhostop(eaddr, (int)q.dir); 6532 case DLT_SUNATM: 6533 if (is_lane) { 6534 /* 6535 * Check that the packet doesn't begin with an 6536 * LE Control marker. (We've already generated 6537 * a test for LANE.) 6538 */ 6539 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6540 0xFF00); 6541 gen_not(tmp); 6542 6543 /* 6544 * Now check the MAC address. 6545 */ 6546 b = gen_ehostop(eaddr, (int)q.dir); 6547 gen_and(tmp, b); 6548 return b; 6549 } 6550 break; 6551 case DLT_IP_OVER_FC: 6552 return gen_ipfchostop(eaddr, (int)q.dir); 6553 default: 6554 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6555 break; 6556 } 6557 } 6558 bpf_error("ethernet address used in non-ether expression"); 6559 /* NOTREACHED */ 6560 return NULL; 6561 } 6562 6563 void 6564 sappend(s0, s1) 6565 struct slist *s0, *s1; 6566 { 6567 /* 6568 * This is definitely not the best way to do this, but the 6569 * lists will rarely get long. 6570 */ 6571 while (s0->next) 6572 s0 = s0->next; 6573 s0->next = s1; 6574 } 6575 6576 static struct slist * 6577 xfer_to_x(a) 6578 struct arth *a; 6579 { 6580 struct slist *s; 6581 6582 s = new_stmt(BPF_LDX|BPF_MEM); 6583 s->s.k = a->regno; 6584 return s; 6585 } 6586 6587 static struct slist * 6588 xfer_to_a(a) 6589 struct arth *a; 6590 { 6591 struct slist *s; 6592 6593 s = new_stmt(BPF_LD|BPF_MEM); 6594 s->s.k = a->regno; 6595 return s; 6596 } 6597 6598 /* 6599 * Modify "index" to use the value stored into its register as an 6600 * offset relative to the beginning of the header for the protocol 6601 * "proto", and allocate a register and put an item "size" bytes long 6602 * (1, 2, or 4) at that offset into that register, making it the register 6603 * for "index". 6604 */ 6605 struct arth * 6606 gen_load(proto, inst, size) 6607 int proto; 6608 struct arth *inst; 6609 int size; 6610 { 6611 struct slist *s, *tmp; 6612 struct block *b; 6613 int regno = alloc_reg(); 6614 6615 free_reg(inst->regno); 6616 switch (size) { 6617 6618 default: 6619 bpf_error("data size must be 1, 2, or 4"); 6620 6621 case 1: 6622 size = BPF_B; 6623 break; 6624 6625 case 2: 6626 size = BPF_H; 6627 break; 6628 6629 case 4: 6630 size = BPF_W; 6631 break; 6632 } 6633 switch (proto) { 6634 default: 6635 bpf_error("unsupported index operation"); 6636 6637 case Q_RADIO: 6638 /* 6639 * The offset is relative to the beginning of the packet 6640 * data, if we have a radio header. (If we don't, this 6641 * is an error.) 6642 */ 6643 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6644 linktype != DLT_IEEE802_11_RADIO && 6645 linktype != DLT_PRISM_HEADER) 6646 bpf_error("radio information not present in capture"); 6647 6648 /* 6649 * Load into the X register the offset computed into the 6650 * register specifed by "index". 6651 */ 6652 s = xfer_to_x(inst); 6653 6654 /* 6655 * Load the item at that offset. 6656 */ 6657 tmp = new_stmt(BPF_LD|BPF_IND|size); 6658 sappend(s, tmp); 6659 sappend(inst->s, s); 6660 break; 6661 6662 case Q_LINK: 6663 /* 6664 * The offset is relative to the beginning of 6665 * the link-layer header. 6666 * 6667 * XXX - what about ATM LANE? Should the index be 6668 * relative to the beginning of the AAL5 frame, so 6669 * that 0 refers to the beginning of the LE Control 6670 * field, or relative to the beginning of the LAN 6671 * frame, so that 0 refers, for Ethernet LANE, to 6672 * the beginning of the destination address? 6673 */ 6674 s = gen_llprefixlen(); 6675 6676 /* 6677 * If "s" is non-null, it has code to arrange that the 6678 * X register contains the length of the prefix preceding 6679 * the link-layer header. Add to it the offset computed 6680 * into the register specified by "index", and move that 6681 * into the X register. Otherwise, just load into the X 6682 * register the offset computed into the register specifed 6683 * by "index". 6684 */ 6685 if (s != NULL) { 6686 sappend(s, xfer_to_a(inst)); 6687 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6688 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6689 } else 6690 s = xfer_to_x(inst); 6691 6692 /* 6693 * Load the item at the sum of the offset we've put in the 6694 * X register and the offset of the start of the link 6695 * layer header (which is 0 if the radio header is 6696 * variable-length; that header length is what we put 6697 * into the X register and then added to the index). 6698 */ 6699 tmp = new_stmt(BPF_LD|BPF_IND|size); 6700 tmp->s.k = off_ll; 6701 sappend(s, tmp); 6702 sappend(inst->s, s); 6703 break; 6704 6705 case Q_IP: 6706 case Q_ARP: 6707 case Q_RARP: 6708 case Q_ATALK: 6709 case Q_DECNET: 6710 case Q_SCA: 6711 case Q_LAT: 6712 case Q_MOPRC: 6713 case Q_MOPDL: 6714 #ifdef INET6 6715 case Q_IPV6: 6716 #endif 6717 /* 6718 * The offset is relative to the beginning of 6719 * the network-layer header. 6720 * XXX - are there any cases where we want 6721 * off_nl_nosnap? 6722 */ 6723 s = gen_off_macpl(); 6724 6725 /* 6726 * If "s" is non-null, it has code to arrange that the 6727 * X register contains the offset of the MAC-layer 6728 * payload. Add to it the offset computed into the 6729 * register specified by "index", and move that into 6730 * the X register. Otherwise, just load into the X 6731 * register the offset computed into the register specifed 6732 * by "index". 6733 */ 6734 if (s != NULL) { 6735 sappend(s, xfer_to_a(inst)); 6736 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6737 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6738 } else 6739 s = xfer_to_x(inst); 6740 6741 /* 6742 * Load the item at the sum of the offset we've put in the 6743 * X register, the offset of the start of the network 6744 * layer header from the beginning of the MAC-layer 6745 * payload, and the purported offset of the start of the 6746 * MAC-layer payload (which might be 0 if there's a 6747 * variable-length prefix before the link-layer header 6748 * or the link-layer header itself is variable-length; 6749 * the variable-length offset of the start of the 6750 * MAC-layer payload is what we put into the X register 6751 * and then added to the index). 6752 */ 6753 tmp = new_stmt(BPF_LD|BPF_IND|size); 6754 tmp->s.k = off_macpl + off_nl; 6755 sappend(s, tmp); 6756 sappend(inst->s, s); 6757 6758 /* 6759 * Do the computation only if the packet contains 6760 * the protocol in question. 6761 */ 6762 b = gen_proto_abbrev(proto); 6763 if (inst->b) 6764 gen_and(inst->b, b); 6765 inst->b = b; 6766 break; 6767 6768 case Q_SCTP: 6769 case Q_TCP: 6770 case Q_UDP: 6771 case Q_ICMP: 6772 case Q_IGMP: 6773 case Q_IGRP: 6774 case Q_PIM: 6775 case Q_VRRP: 6776 /* 6777 * The offset is relative to the beginning of 6778 * the transport-layer header. 6779 * 6780 * Load the X register with the length of the IPv4 header 6781 * (plus the offset of the link-layer header, if it's 6782 * a variable-length header), in bytes. 6783 * 6784 * XXX - are there any cases where we want 6785 * off_nl_nosnap? 6786 * XXX - we should, if we're built with 6787 * IPv6 support, generate code to load either 6788 * IPv4, IPv6, or both, as appropriate. 6789 */ 6790 s = gen_loadx_iphdrlen(); 6791 6792 /* 6793 * The X register now contains the sum of the length 6794 * of any variable-length header preceding the link-layer 6795 * header, any variable-length link-layer header, and the 6796 * length of the network-layer header. 6797 * 6798 * Load into the A register the offset relative to 6799 * the beginning of the transport layer header, 6800 * add the X register to that, move that to the 6801 * X register, and load with an offset from the 6802 * X register equal to the offset of the network 6803 * layer header relative to the beginning of 6804 * the MAC-layer payload plus the fixed-length 6805 * portion of the offset of the MAC-layer payload 6806 * from the beginning of the raw packet data. 6807 */ 6808 sappend(s, xfer_to_a(inst)); 6809 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6810 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6811 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6812 tmp->s.k = off_macpl + off_nl; 6813 sappend(inst->s, s); 6814 6815 /* 6816 * Do the computation only if the packet contains 6817 * the protocol in question - which is true only 6818 * if this is an IP datagram and is the first or 6819 * only fragment of that datagram. 6820 */ 6821 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6822 if (inst->b) 6823 gen_and(inst->b, b); 6824 #ifdef INET6 6825 gen_and(gen_proto_abbrev(Q_IP), b); 6826 #endif 6827 inst->b = b; 6828 break; 6829 #ifdef INET6 6830 case Q_ICMPV6: 6831 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6832 /*NOTREACHED*/ 6833 #endif 6834 } 6835 inst->regno = regno; 6836 s = new_stmt(BPF_ST); 6837 s->s.k = regno; 6838 sappend(inst->s, s); 6839 6840 return inst; 6841 } 6842 6843 struct block * 6844 gen_relation(code, a0, a1, reversed) 6845 int code; 6846 struct arth *a0, *a1; 6847 int reversed; 6848 { 6849 struct slist *s0, *s1, *s2; 6850 struct block *b, *tmp; 6851 6852 s0 = xfer_to_x(a1); 6853 s1 = xfer_to_a(a0); 6854 if (code == BPF_JEQ) { 6855 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6856 b = new_block(JMP(code)); 6857 sappend(s1, s2); 6858 } 6859 else 6860 b = new_block(BPF_JMP|code|BPF_X); 6861 if (reversed) 6862 gen_not(b); 6863 6864 sappend(s0, s1); 6865 sappend(a1->s, s0); 6866 sappend(a0->s, a1->s); 6867 6868 b->stmts = a0->s; 6869 6870 free_reg(a0->regno); 6871 free_reg(a1->regno); 6872 6873 /* 'and' together protocol checks */ 6874 if (a0->b) { 6875 if (a1->b) { 6876 gen_and(a0->b, tmp = a1->b); 6877 } 6878 else 6879 tmp = a0->b; 6880 } else 6881 tmp = a1->b; 6882 6883 if (tmp) 6884 gen_and(tmp, b); 6885 6886 return b; 6887 } 6888 6889 struct arth * 6890 gen_loadlen() 6891 { 6892 int regno = alloc_reg(); 6893 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6894 struct slist *s; 6895 6896 s = new_stmt(BPF_LD|BPF_LEN); 6897 s->next = new_stmt(BPF_ST); 6898 s->next->s.k = regno; 6899 a->s = s; 6900 a->regno = regno; 6901 6902 return a; 6903 } 6904 6905 struct arth * 6906 gen_loadi(val) 6907 int val; 6908 { 6909 struct arth *a; 6910 struct slist *s; 6911 int reg; 6912 6913 a = (struct arth *)newchunk(sizeof(*a)); 6914 6915 reg = alloc_reg(); 6916 6917 s = new_stmt(BPF_LD|BPF_IMM); 6918 s->s.k = val; 6919 s->next = new_stmt(BPF_ST); 6920 s->next->s.k = reg; 6921 a->s = s; 6922 a->regno = reg; 6923 6924 return a; 6925 } 6926 6927 struct arth * 6928 gen_neg(a) 6929 struct arth *a; 6930 { 6931 struct slist *s; 6932 6933 s = xfer_to_a(a); 6934 sappend(a->s, s); 6935 s = new_stmt(BPF_ALU|BPF_NEG); 6936 s->s.k = 0; 6937 sappend(a->s, s); 6938 s = new_stmt(BPF_ST); 6939 s->s.k = a->regno; 6940 sappend(a->s, s); 6941 6942 return a; 6943 } 6944 6945 struct arth * 6946 gen_arth(code, a0, a1) 6947 int code; 6948 struct arth *a0, *a1; 6949 { 6950 struct slist *s0, *s1, *s2; 6951 6952 s0 = xfer_to_x(a1); 6953 s1 = xfer_to_a(a0); 6954 s2 = new_stmt(BPF_ALU|BPF_X|code); 6955 6956 sappend(s1, s2); 6957 sappend(s0, s1); 6958 sappend(a1->s, s0); 6959 sappend(a0->s, a1->s); 6960 6961 free_reg(a0->regno); 6962 free_reg(a1->regno); 6963 6964 s0 = new_stmt(BPF_ST); 6965 a0->regno = s0->s.k = alloc_reg(); 6966 sappend(a0->s, s0); 6967 6968 return a0; 6969 } 6970 6971 /* 6972 * Here we handle simple allocation of the scratch registers. 6973 * If too many registers are alloc'd, the allocator punts. 6974 */ 6975 static int regused[BPF_MEMWORDS]; 6976 static int curreg; 6977 6978 /* 6979 * Initialize the table of used registers and the current register. 6980 */ 6981 static void 6982 init_regs() 6983 { 6984 curreg = 0; 6985 memset(regused, 0, sizeof regused); 6986 } 6987 6988 /* 6989 * Return the next free register. 6990 */ 6991 static int 6992 alloc_reg() 6993 { 6994 int n = BPF_MEMWORDS; 6995 6996 while (--n >= 0) { 6997 if (regused[curreg]) 6998 curreg = (curreg + 1) % BPF_MEMWORDS; 6999 else { 7000 regused[curreg] = 1; 7001 return curreg; 7002 } 7003 } 7004 bpf_error("too many registers needed to evaluate expression"); 7005 /* NOTREACHED */ 7006 return 0; 7007 } 7008 7009 /* 7010 * Return a register to the table so it can 7011 * be used later. 7012 */ 7013 static void 7014 free_reg(n) 7015 int n; 7016 { 7017 regused[n] = 0; 7018 } 7019 7020 static struct block * 7021 gen_len(jmp, n) 7022 int jmp, n; 7023 { 7024 struct slist *s; 7025 struct block *b; 7026 7027 s = new_stmt(BPF_LD|BPF_LEN); 7028 b = new_block(JMP(jmp)); 7029 b->stmts = s; 7030 b->s.k = n; 7031 7032 return b; 7033 } 7034 7035 struct block * 7036 gen_greater(n) 7037 int n; 7038 { 7039 return gen_len(BPF_JGE, n); 7040 } 7041 7042 /* 7043 * Actually, this is less than or equal. 7044 */ 7045 struct block * 7046 gen_less(n) 7047 int n; 7048 { 7049 struct block *b; 7050 7051 b = gen_len(BPF_JGT, n); 7052 gen_not(b); 7053 7054 return b; 7055 } 7056 7057 /* 7058 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7059 * the beginning of the link-layer header. 7060 * XXX - that means you can't test values in the radiotap header, but 7061 * as that header is difficult if not impossible to parse generally 7062 * without a loop, that might not be a severe problem. A new keyword 7063 * "radio" could be added for that, although what you'd really want 7064 * would be a way of testing particular radio header values, which 7065 * would generate code appropriate to the radio header in question. 7066 */ 7067 struct block * 7068 gen_byteop(op, idx, val) 7069 int op, idx, val; 7070 { 7071 struct block *b; 7072 struct slist *s; 7073 7074 switch (op) { 7075 default: 7076 abort(); 7077 7078 case '=': 7079 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7080 7081 case '<': 7082 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7083 return b; 7084 7085 case '>': 7086 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7087 return b; 7088 7089 case '|': 7090 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7091 break; 7092 7093 case '&': 7094 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7095 break; 7096 } 7097 s->s.k = val; 7098 b = new_block(JMP(BPF_JEQ)); 7099 b->stmts = s; 7100 gen_not(b); 7101 7102 return b; 7103 } 7104 7105 static u_char abroadcast[] = { 0x0 }; 7106 7107 struct block * 7108 gen_broadcast(proto) 7109 int proto; 7110 { 7111 bpf_u_int32 hostmask; 7112 struct block *b0, *b1, *b2; 7113 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7114 7115 switch (proto) { 7116 7117 case Q_DEFAULT: 7118 case Q_LINK: 7119 switch (linktype) { 7120 case DLT_ARCNET: 7121 case DLT_ARCNET_LINUX: 7122 return gen_ahostop(abroadcast, Q_DST); 7123 case DLT_EN10MB: 7124 return gen_ehostop(ebroadcast, Q_DST); 7125 case DLT_FDDI: 7126 return gen_fhostop(ebroadcast, Q_DST); 7127 case DLT_IEEE802: 7128 return gen_thostop(ebroadcast, Q_DST); 7129 case DLT_IEEE802_11: 7130 case DLT_PRISM_HEADER: 7131 case DLT_IEEE802_11_RADIO_AVS: 7132 case DLT_IEEE802_11_RADIO: 7133 case DLT_PPI: 7134 return gen_wlanhostop(ebroadcast, Q_DST); 7135 case DLT_IP_OVER_FC: 7136 return gen_ipfchostop(ebroadcast, Q_DST); 7137 case DLT_SUNATM: 7138 if (is_lane) { 7139 /* 7140 * Check that the packet doesn't begin with an 7141 * LE Control marker. (We've already generated 7142 * a test for LANE.) 7143 */ 7144 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7145 BPF_H, 0xFF00); 7146 gen_not(b1); 7147 7148 /* 7149 * Now check the MAC address. 7150 */ 7151 b0 = gen_ehostop(ebroadcast, Q_DST); 7152 gen_and(b1, b0); 7153 return b0; 7154 } 7155 break; 7156 default: 7157 bpf_error("not a broadcast link"); 7158 } 7159 break; 7160 7161 case Q_IP: 7162 /* 7163 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7164 * as an indication that we don't know the netmask, and fail 7165 * in that case. 7166 */ 7167 if (netmask == PCAP_NETMASK_UNKNOWN) 7168 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7169 b0 = gen_linktype(ETHERTYPE_IP); 7170 hostmask = ~netmask; 7171 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7172 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7173 (bpf_int32)(~0 & hostmask), hostmask); 7174 gen_or(b1, b2); 7175 gen_and(b0, b2); 7176 return b2; 7177 } 7178 bpf_error("only link-layer/IP broadcast filters supported"); 7179 /* NOTREACHED */ 7180 return NULL; 7181 } 7182 7183 /* 7184 * Generate code to test the low-order bit of a MAC address (that's 7185 * the bottom bit of the *first* byte). 7186 */ 7187 static struct block * 7188 gen_mac_multicast(offset) 7189 int offset; 7190 { 7191 register struct block *b0; 7192 register struct slist *s; 7193 7194 /* link[offset] & 1 != 0 */ 7195 s = gen_load_a(OR_LINK, offset, BPF_B); 7196 b0 = new_block(JMP(BPF_JSET)); 7197 b0->s.k = 1; 7198 b0->stmts = s; 7199 return b0; 7200 } 7201 7202 struct block * 7203 gen_multicast(proto) 7204 int proto; 7205 { 7206 register struct block *b0, *b1, *b2; 7207 register struct slist *s; 7208 7209 switch (proto) { 7210 7211 case Q_DEFAULT: 7212 case Q_LINK: 7213 switch (linktype) { 7214 case DLT_ARCNET: 7215 case DLT_ARCNET_LINUX: 7216 /* all ARCnet multicasts use the same address */ 7217 return gen_ahostop(abroadcast, Q_DST); 7218 case DLT_EN10MB: 7219 /* ether[0] & 1 != 0 */ 7220 return gen_mac_multicast(0); 7221 case DLT_FDDI: 7222 /* 7223 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7224 * 7225 * XXX - was that referring to bit-order issues? 7226 */ 7227 /* fddi[1] & 1 != 0 */ 7228 return gen_mac_multicast(1); 7229 case DLT_IEEE802: 7230 /* tr[2] & 1 != 0 */ 7231 return gen_mac_multicast(2); 7232 case DLT_IEEE802_11: 7233 case DLT_PRISM_HEADER: 7234 case DLT_IEEE802_11_RADIO_AVS: 7235 case DLT_IEEE802_11_RADIO: 7236 case DLT_PPI: 7237 /* 7238 * Oh, yuk. 7239 * 7240 * For control frames, there is no DA. 7241 * 7242 * For management frames, DA is at an 7243 * offset of 4 from the beginning of 7244 * the packet. 7245 * 7246 * For data frames, DA is at an offset 7247 * of 4 from the beginning of the packet 7248 * if To DS is clear and at an offset of 7249 * 16 from the beginning of the packet 7250 * if To DS is set. 7251 */ 7252 7253 /* 7254 * Generate the tests to be done for data frames. 7255 * 7256 * First, check for To DS set, i.e. "link[1] & 0x01". 7257 */ 7258 s = gen_load_a(OR_LINK, 1, BPF_B); 7259 b1 = new_block(JMP(BPF_JSET)); 7260 b1->s.k = 0x01; /* To DS */ 7261 b1->stmts = s; 7262 7263 /* 7264 * If To DS is set, the DA is at 16. 7265 */ 7266 b0 = gen_mac_multicast(16); 7267 gen_and(b1, b0); 7268 7269 /* 7270 * Now, check for To DS not set, i.e. check 7271 * "!(link[1] & 0x01)". 7272 */ 7273 s = gen_load_a(OR_LINK, 1, BPF_B); 7274 b2 = new_block(JMP(BPF_JSET)); 7275 b2->s.k = 0x01; /* To DS */ 7276 b2->stmts = s; 7277 gen_not(b2); 7278 7279 /* 7280 * If To DS is not set, the DA is at 4. 7281 */ 7282 b1 = gen_mac_multicast(4); 7283 gen_and(b2, b1); 7284 7285 /* 7286 * Now OR together the last two checks. That gives 7287 * the complete set of checks for data frames. 7288 */ 7289 gen_or(b1, b0); 7290 7291 /* 7292 * Now check for a data frame. 7293 * I.e, check "link[0] & 0x08". 7294 */ 7295 s = gen_load_a(OR_LINK, 0, BPF_B); 7296 b1 = new_block(JMP(BPF_JSET)); 7297 b1->s.k = 0x08; 7298 b1->stmts = s; 7299 7300 /* 7301 * AND that with the checks done for data frames. 7302 */ 7303 gen_and(b1, b0); 7304 7305 /* 7306 * If the high-order bit of the type value is 0, this 7307 * is a management frame. 7308 * I.e, check "!(link[0] & 0x08)". 7309 */ 7310 s = gen_load_a(OR_LINK, 0, BPF_B); 7311 b2 = new_block(JMP(BPF_JSET)); 7312 b2->s.k = 0x08; 7313 b2->stmts = s; 7314 gen_not(b2); 7315 7316 /* 7317 * For management frames, the DA is at 4. 7318 */ 7319 b1 = gen_mac_multicast(4); 7320 gen_and(b2, b1); 7321 7322 /* 7323 * OR that with the checks done for data frames. 7324 * That gives the checks done for management and 7325 * data frames. 7326 */ 7327 gen_or(b1, b0); 7328 7329 /* 7330 * If the low-order bit of the type value is 1, 7331 * this is either a control frame or a frame 7332 * with a reserved type, and thus not a 7333 * frame with an SA. 7334 * 7335 * I.e., check "!(link[0] & 0x04)". 7336 */ 7337 s = gen_load_a(OR_LINK, 0, BPF_B); 7338 b1 = new_block(JMP(BPF_JSET)); 7339 b1->s.k = 0x04; 7340 b1->stmts = s; 7341 gen_not(b1); 7342 7343 /* 7344 * AND that with the checks for data and management 7345 * frames. 7346 */ 7347 gen_and(b1, b0); 7348 return b0; 7349 case DLT_IP_OVER_FC: 7350 b0 = gen_mac_multicast(2); 7351 return b0; 7352 case DLT_SUNATM: 7353 if (is_lane) { 7354 /* 7355 * Check that the packet doesn't begin with an 7356 * LE Control marker. (We've already generated 7357 * a test for LANE.) 7358 */ 7359 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7360 BPF_H, 0xFF00); 7361 gen_not(b1); 7362 7363 /* ether[off_mac] & 1 != 0 */ 7364 b0 = gen_mac_multicast(off_mac); 7365 gen_and(b1, b0); 7366 return b0; 7367 } 7368 break; 7369 default: 7370 break; 7371 } 7372 /* Link not known to support multicasts */ 7373 break; 7374 7375 case Q_IP: 7376 b0 = gen_linktype(ETHERTYPE_IP); 7377 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7378 gen_and(b0, b1); 7379 return b1; 7380 7381 #ifdef INET6 7382 case Q_IPV6: 7383 b0 = gen_linktype(ETHERTYPE_IPV6); 7384 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7385 gen_and(b0, b1); 7386 return b1; 7387 #endif /* INET6 */ 7388 } 7389 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7390 /* NOTREACHED */ 7391 return NULL; 7392 } 7393 7394 /* 7395 * generate command for inbound/outbound. It's here so we can 7396 * make it link-type specific. 'dir' = 0 implies "inbound", 7397 * = 1 implies "outbound". 7398 */ 7399 struct block * 7400 gen_inbound(dir) 7401 int dir; 7402 { 7403 register struct block *b0; 7404 7405 /* 7406 * Only some data link types support inbound/outbound qualifiers. 7407 */ 7408 switch (linktype) { 7409 case DLT_SLIP: 7410 b0 = gen_relation(BPF_JEQ, 7411 gen_load(Q_LINK, gen_loadi(0), 1), 7412 gen_loadi(0), 7413 dir); 7414 break; 7415 7416 case DLT_IPNET: 7417 if (dir) { 7418 /* match outgoing packets */ 7419 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7420 } else { 7421 /* match incoming packets */ 7422 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7423 } 7424 break; 7425 7426 case DLT_LINUX_SLL: 7427 if (dir) { 7428 /* 7429 * Match packets sent by this machine. 7430 */ 7431 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7432 } else { 7433 /* 7434 * Match packets sent to this machine. 7435 * (No broadcast or multicast packets, or 7436 * packets sent to some other machine and 7437 * received promiscuously.) 7438 * 7439 * XXX - packets sent to other machines probably 7440 * shouldn't be matched, but what about broadcast 7441 * or multicast packets we received? 7442 */ 7443 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 7444 } 7445 break; 7446 7447 #ifdef HAVE_NET_PFVAR_H 7448 case DLT_PFLOG: 7449 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7450 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7451 break; 7452 #endif 7453 7454 case DLT_PPP_PPPD: 7455 if (dir) { 7456 /* match outgoing packets */ 7457 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7458 } else { 7459 /* match incoming packets */ 7460 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7461 } 7462 break; 7463 7464 case DLT_JUNIPER_MFR: 7465 case DLT_JUNIPER_MLFR: 7466 case DLT_JUNIPER_MLPPP: 7467 case DLT_JUNIPER_ATM1: 7468 case DLT_JUNIPER_ATM2: 7469 case DLT_JUNIPER_PPPOE: 7470 case DLT_JUNIPER_PPPOE_ATM: 7471 case DLT_JUNIPER_GGSN: 7472 case DLT_JUNIPER_ES: 7473 case DLT_JUNIPER_MONITOR: 7474 case DLT_JUNIPER_SERVICES: 7475 case DLT_JUNIPER_ETHER: 7476 case DLT_JUNIPER_PPP: 7477 case DLT_JUNIPER_FRELAY: 7478 case DLT_JUNIPER_CHDLC: 7479 case DLT_JUNIPER_VP: 7480 case DLT_JUNIPER_ST: 7481 case DLT_JUNIPER_ISM: 7482 /* juniper flags (including direction) are stored 7483 * the byte after the 3-byte magic number */ 7484 if (dir) { 7485 /* match outgoing packets */ 7486 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7487 } else { 7488 /* match incoming packets */ 7489 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7490 } 7491 break; 7492 7493 default: 7494 bpf_error("inbound/outbound not supported on linktype %d", 7495 linktype); 7496 b0 = NULL; 7497 /* NOTREACHED */ 7498 } 7499 return (b0); 7500 } 7501 7502 #ifdef HAVE_NET_PFVAR_H 7503 /* PF firewall log matched interface */ 7504 struct block * 7505 gen_pf_ifname(const char *ifname) 7506 { 7507 struct block *b0; 7508 u_int len, off; 7509 7510 if (linktype != DLT_PFLOG) { 7511 bpf_error("ifname supported only on PF linktype"); 7512 /* NOTREACHED */ 7513 } 7514 len = sizeof(((struct pfloghdr *)0)->ifname); 7515 off = offsetof(struct pfloghdr, ifname); 7516 if (strlen(ifname) >= len) { 7517 bpf_error("ifname interface names can only be %d characters", 7518 len-1); 7519 /* NOTREACHED */ 7520 } 7521 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7522 return (b0); 7523 } 7524 7525 /* PF firewall log ruleset name */ 7526 struct block * 7527 gen_pf_ruleset(char *ruleset) 7528 { 7529 struct block *b0; 7530 7531 if (linktype != DLT_PFLOG) { 7532 bpf_error("ruleset supported only on PF linktype"); 7533 /* NOTREACHED */ 7534 } 7535 7536 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7537 bpf_error("ruleset names can only be %ld characters", 7538 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7539 /* NOTREACHED */ 7540 } 7541 7542 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7543 strlen(ruleset), (const u_char *)ruleset); 7544 return (b0); 7545 } 7546 7547 /* PF firewall log rule number */ 7548 struct block * 7549 gen_pf_rnr(int rnr) 7550 { 7551 struct block *b0; 7552 7553 if (linktype != DLT_PFLOG) { 7554 bpf_error("rnr supported only on PF linktype"); 7555 /* NOTREACHED */ 7556 } 7557 7558 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7559 (bpf_int32)rnr); 7560 return (b0); 7561 } 7562 7563 /* PF firewall log sub-rule number */ 7564 struct block * 7565 gen_pf_srnr(int srnr) 7566 { 7567 struct block *b0; 7568 7569 if (linktype != DLT_PFLOG) { 7570 bpf_error("srnr supported only on PF linktype"); 7571 /* NOTREACHED */ 7572 } 7573 7574 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7575 (bpf_int32)srnr); 7576 return (b0); 7577 } 7578 7579 /* PF firewall log reason code */ 7580 struct block * 7581 gen_pf_reason(int reason) 7582 { 7583 struct block *b0; 7584 7585 if (linktype != DLT_PFLOG) { 7586 bpf_error("reason supported only on PF linktype"); 7587 /* NOTREACHED */ 7588 } 7589 7590 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7591 (bpf_int32)reason); 7592 return (b0); 7593 } 7594 7595 /* PF firewall log action */ 7596 struct block * 7597 gen_pf_action(int action) 7598 { 7599 struct block *b0; 7600 7601 if (linktype != DLT_PFLOG) { 7602 bpf_error("action supported only on PF linktype"); 7603 /* NOTREACHED */ 7604 } 7605 7606 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7607 (bpf_int32)action); 7608 return (b0); 7609 } 7610 #else /* !HAVE_NET_PFVAR_H */ 7611 struct block * 7612 gen_pf_ifname(const char *ifname) 7613 { 7614 bpf_error("libpcap was compiled without pf support"); 7615 /* NOTREACHED */ 7616 return (NULL); 7617 } 7618 7619 struct block * 7620 gen_pf_ruleset(char *ruleset) 7621 { 7622 bpf_error("libpcap was compiled on a machine without pf support"); 7623 /* NOTREACHED */ 7624 return (NULL); 7625 } 7626 7627 struct block * 7628 gen_pf_rnr(int rnr) 7629 { 7630 bpf_error("libpcap was compiled on a machine without pf support"); 7631 /* NOTREACHED */ 7632 return (NULL); 7633 } 7634 7635 struct block * 7636 gen_pf_srnr(int srnr) 7637 { 7638 bpf_error("libpcap was compiled on a machine without pf support"); 7639 /* NOTREACHED */ 7640 return (NULL); 7641 } 7642 7643 struct block * 7644 gen_pf_reason(int reason) 7645 { 7646 bpf_error("libpcap was compiled on a machine without pf support"); 7647 /* NOTREACHED */ 7648 return (NULL); 7649 } 7650 7651 struct block * 7652 gen_pf_action(int action) 7653 { 7654 bpf_error("libpcap was compiled on a machine without pf support"); 7655 /* NOTREACHED */ 7656 return (NULL); 7657 } 7658 #endif /* HAVE_NET_PFVAR_H */ 7659 7660 /* IEEE 802.11 wireless header */ 7661 struct block * 7662 gen_p80211_type(int type, int mask) 7663 { 7664 struct block *b0; 7665 7666 switch (linktype) { 7667 7668 case DLT_IEEE802_11: 7669 case DLT_PRISM_HEADER: 7670 case DLT_IEEE802_11_RADIO_AVS: 7671 case DLT_IEEE802_11_RADIO: 7672 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7673 (bpf_int32)mask); 7674 break; 7675 7676 default: 7677 bpf_error("802.11 link-layer types supported only on 802.11"); 7678 /* NOTREACHED */ 7679 } 7680 7681 return (b0); 7682 } 7683 7684 struct block * 7685 gen_p80211_fcdir(int fcdir) 7686 { 7687 struct block *b0; 7688 7689 switch (linktype) { 7690 7691 case DLT_IEEE802_11: 7692 case DLT_PRISM_HEADER: 7693 case DLT_IEEE802_11_RADIO_AVS: 7694 case DLT_IEEE802_11_RADIO: 7695 break; 7696 7697 default: 7698 bpf_error("frame direction supported only with 802.11 headers"); 7699 /* NOTREACHED */ 7700 } 7701 7702 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7703 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7704 7705 return (b0); 7706 } 7707 7708 struct block * 7709 gen_acode(eaddr, q) 7710 register const u_char *eaddr; 7711 struct qual q; 7712 { 7713 switch (linktype) { 7714 7715 case DLT_ARCNET: 7716 case DLT_ARCNET_LINUX: 7717 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7718 q.proto == Q_LINK) 7719 return (gen_ahostop(eaddr, (int)q.dir)); 7720 else { 7721 bpf_error("ARCnet address used in non-arc expression"); 7722 /* NOTREACHED */ 7723 } 7724 break; 7725 7726 default: 7727 bpf_error("aid supported only on ARCnet"); 7728 /* NOTREACHED */ 7729 } 7730 bpf_error("ARCnet address used in non-arc expression"); 7731 /* NOTREACHED */ 7732 return NULL; 7733 } 7734 7735 static struct block * 7736 gen_ahostop(eaddr, dir) 7737 register const u_char *eaddr; 7738 register int dir; 7739 { 7740 register struct block *b0, *b1; 7741 7742 switch (dir) { 7743 /* src comes first, different from Ethernet */ 7744 case Q_SRC: 7745 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7746 7747 case Q_DST: 7748 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7749 7750 case Q_AND: 7751 b0 = gen_ahostop(eaddr, Q_SRC); 7752 b1 = gen_ahostop(eaddr, Q_DST); 7753 gen_and(b0, b1); 7754 return b1; 7755 7756 case Q_DEFAULT: 7757 case Q_OR: 7758 b0 = gen_ahostop(eaddr, Q_SRC); 7759 b1 = gen_ahostop(eaddr, Q_DST); 7760 gen_or(b0, b1); 7761 return b1; 7762 } 7763 abort(); 7764 /* NOTREACHED */ 7765 } 7766 7767 /* 7768 * support IEEE 802.1Q VLAN trunk over ethernet 7769 */ 7770 struct block * 7771 gen_vlan(vlan_num) 7772 int vlan_num; 7773 { 7774 struct block *b0, *b1; 7775 7776 /* can't check for VLAN-encapsulated packets inside MPLS */ 7777 if (label_stack_depth > 0) 7778 bpf_error("no VLAN match after MPLS"); 7779 7780 /* 7781 * Check for a VLAN packet, and then change the offsets to point 7782 * to the type and data fields within the VLAN packet. Just 7783 * increment the offsets, so that we can support a hierarchy, e.g. 7784 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7785 * VLAN 100. 7786 * 7787 * XXX - this is a bit of a kludge. If we were to split the 7788 * compiler into a parser that parses an expression and 7789 * generates an expression tree, and a code generator that 7790 * takes an expression tree (which could come from our 7791 * parser or from some other parser) and generates BPF code, 7792 * we could perhaps make the offsets parameters of routines 7793 * and, in the handler for an "AND" node, pass to subnodes 7794 * other than the VLAN node the adjusted offsets. 7795 * 7796 * This would mean that "vlan" would, instead of changing the 7797 * behavior of *all* tests after it, change only the behavior 7798 * of tests ANDed with it. That would change the documented 7799 * semantics of "vlan", which might break some expressions. 7800 * However, it would mean that "(vlan and ip) or ip" would check 7801 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7802 * checking only for VLAN-encapsulated IP, so that could still 7803 * be considered worth doing; it wouldn't break expressions 7804 * that are of the form "vlan and ..." or "vlan N and ...", 7805 * which I suspect are the most common expressions involving 7806 * "vlan". "vlan or ..." doesn't necessarily do what the user 7807 * would really want, now, as all the "or ..." tests would 7808 * be done assuming a VLAN, even though the "or" could be viewed 7809 * as meaning "or, if this isn't a VLAN packet...". 7810 */ 7811 orig_nl = off_nl; 7812 7813 switch (linktype) { 7814 7815 case DLT_EN10MB: 7816 /* check for VLAN */ 7817 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7818 (bpf_int32)ETHERTYPE_8021Q); 7819 7820 /* If a specific VLAN is requested, check VLAN id */ 7821 if (vlan_num >= 0) { 7822 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7823 (bpf_int32)vlan_num, 0x0fff); 7824 gen_and(b0, b1); 7825 b0 = b1; 7826 } 7827 7828 off_macpl += 4; 7829 off_linktype += 4; 7830 #if 0 7831 off_nl_nosnap += 4; 7832 off_nl += 4; 7833 #endif 7834 break; 7835 7836 default: 7837 bpf_error("no VLAN support for data link type %d", 7838 linktype); 7839 /*NOTREACHED*/ 7840 } 7841 7842 return (b0); 7843 } 7844 7845 /* 7846 * support for MPLS 7847 */ 7848 struct block * 7849 gen_mpls(label_num) 7850 int label_num; 7851 { 7852 struct block *b0,*b1; 7853 7854 /* 7855 * Change the offsets to point to the type and data fields within 7856 * the MPLS packet. Just increment the offsets, so that we 7857 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7858 * capture packets with an outer label of 100000 and an inner 7859 * label of 1024. 7860 * 7861 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7862 */ 7863 orig_nl = off_nl; 7864 7865 if (label_stack_depth > 0) { 7866 /* just match the bottom-of-stack bit clear */ 7867 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 7868 } else { 7869 /* 7870 * Indicate that we're checking MPLS-encapsulated headers, 7871 * to make sure higher level code generators don't try to 7872 * match against IP-related protocols such as Q_ARP, Q_RARP 7873 * etc. 7874 */ 7875 switch (linktype) { 7876 7877 case DLT_C_HDLC: /* fall through */ 7878 case DLT_EN10MB: 7879 b0 = gen_linktype(ETHERTYPE_MPLS); 7880 break; 7881 7882 case DLT_PPP: 7883 b0 = gen_linktype(PPP_MPLS_UCAST); 7884 break; 7885 7886 /* FIXME add other DLT_s ... 7887 * for Frame-Relay/and ATM this may get messy due to SNAP headers 7888 * leave it for now */ 7889 7890 default: 7891 bpf_error("no MPLS support for data link type %d", 7892 linktype); 7893 b0 = NULL; 7894 /*NOTREACHED*/ 7895 break; 7896 } 7897 } 7898 7899 /* If a specific MPLS label is requested, check it */ 7900 if (label_num >= 0) { 7901 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 7902 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 7903 0xfffff000); /* only compare the first 20 bits */ 7904 gen_and(b0, b1); 7905 b0 = b1; 7906 } 7907 7908 off_nl_nosnap += 4; 7909 off_nl += 4; 7910 label_stack_depth++; 7911 return (b0); 7912 } 7913 7914 /* 7915 * Support PPPOE discovery and session. 7916 */ 7917 struct block * 7918 gen_pppoed() 7919 { 7920 /* check for PPPoE discovery */ 7921 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 7922 } 7923 7924 struct block * 7925 gen_pppoes() 7926 { 7927 struct block *b0; 7928 7929 /* 7930 * Test against the PPPoE session link-layer type. 7931 */ 7932 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 7933 7934 /* 7935 * Change the offsets to point to the type and data fields within 7936 * the PPP packet, and note that this is PPPoE rather than 7937 * raw PPP. 7938 * 7939 * XXX - this is a bit of a kludge. If we were to split the 7940 * compiler into a parser that parses an expression and 7941 * generates an expression tree, and a code generator that 7942 * takes an expression tree (which could come from our 7943 * parser or from some other parser) and generates BPF code, 7944 * we could perhaps make the offsets parameters of routines 7945 * and, in the handler for an "AND" node, pass to subnodes 7946 * other than the PPPoE node the adjusted offsets. 7947 * 7948 * This would mean that "pppoes" would, instead of changing the 7949 * behavior of *all* tests after it, change only the behavior 7950 * of tests ANDed with it. That would change the documented 7951 * semantics of "pppoes", which might break some expressions. 7952 * However, it would mean that "(pppoes and ip) or ip" would check 7953 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7954 * checking only for VLAN-encapsulated IP, so that could still 7955 * be considered worth doing; it wouldn't break expressions 7956 * that are of the form "pppoes and ..." which I suspect are the 7957 * most common expressions involving "pppoes". "pppoes or ..." 7958 * doesn't necessarily do what the user would really want, now, 7959 * as all the "or ..." tests would be done assuming PPPoE, even 7960 * though the "or" could be viewed as meaning "or, if this isn't 7961 * a PPPoE packet...". 7962 */ 7963 orig_linktype = off_linktype; /* save original values */ 7964 orig_nl = off_nl; 7965 is_pppoes = 1; 7966 7967 /* 7968 * The "network-layer" protocol is PPPoE, which has a 6-byte 7969 * PPPoE header, followed by a PPP packet. 7970 * 7971 * There is no HDLC encapsulation for the PPP packet (it's 7972 * encapsulated in PPPoES instead), so the link-layer type 7973 * starts at the first byte of the PPP packet. For PPPoE, 7974 * that offset is relative to the beginning of the total 7975 * link-layer payload, including any 802.2 LLC header, so 7976 * it's 6 bytes past off_nl. 7977 */ 7978 off_linktype = off_nl + 6; 7979 7980 /* 7981 * The network-layer offsets are relative to the beginning 7982 * of the MAC-layer payload; that's past the 6-byte 7983 * PPPoE header and the 2-byte PPP header. 7984 */ 7985 off_nl = 6+2; 7986 off_nl_nosnap = 6+2; 7987 7988 return b0; 7989 } 7990 7991 struct block * 7992 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 7993 int atmfield; 7994 bpf_int32 jvalue; 7995 bpf_u_int32 jtype; 7996 int reverse; 7997 { 7998 struct block *b0; 7999 8000 switch (atmfield) { 8001 8002 case A_VPI: 8003 if (!is_atm) 8004 bpf_error("'vpi' supported only on raw ATM"); 8005 if (off_vpi == (u_int)-1) 8006 abort(); 8007 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8008 reverse, jvalue); 8009 break; 8010 8011 case A_VCI: 8012 if (!is_atm) 8013 bpf_error("'vci' supported only on raw ATM"); 8014 if (off_vci == (u_int)-1) 8015 abort(); 8016 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8017 reverse, jvalue); 8018 break; 8019 8020 case A_PROTOTYPE: 8021 if (off_proto == (u_int)-1) 8022 abort(); /* XXX - this isn't on FreeBSD */ 8023 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8024 reverse, jvalue); 8025 break; 8026 8027 case A_MSGTYPE: 8028 if (off_payload == (u_int)-1) 8029 abort(); 8030 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8031 0xffffffff, jtype, reverse, jvalue); 8032 break; 8033 8034 case A_CALLREFTYPE: 8035 if (!is_atm) 8036 bpf_error("'callref' supported only on raw ATM"); 8037 if (off_proto == (u_int)-1) 8038 abort(); 8039 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8040 jtype, reverse, jvalue); 8041 break; 8042 8043 default: 8044 abort(); 8045 } 8046 return b0; 8047 } 8048 8049 struct block * 8050 gen_atmtype_abbrev(type) 8051 int type; 8052 { 8053 struct block *b0, *b1; 8054 8055 switch (type) { 8056 8057 case A_METAC: 8058 /* Get all packets in Meta signalling Circuit */ 8059 if (!is_atm) 8060 bpf_error("'metac' supported only on raw ATM"); 8061 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8062 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8063 gen_and(b0, b1); 8064 break; 8065 8066 case A_BCC: 8067 /* Get all packets in Broadcast Circuit*/ 8068 if (!is_atm) 8069 bpf_error("'bcc' supported only on raw ATM"); 8070 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8071 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8072 gen_and(b0, b1); 8073 break; 8074 8075 case A_OAMF4SC: 8076 /* Get all cells in Segment OAM F4 circuit*/ 8077 if (!is_atm) 8078 bpf_error("'oam4sc' supported only on raw ATM"); 8079 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8080 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8081 gen_and(b0, b1); 8082 break; 8083 8084 case A_OAMF4EC: 8085 /* Get all cells in End-to-End OAM F4 Circuit*/ 8086 if (!is_atm) 8087 bpf_error("'oam4ec' supported only on raw ATM"); 8088 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8089 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8090 gen_and(b0, b1); 8091 break; 8092 8093 case A_SC: 8094 /* Get all packets in connection Signalling Circuit */ 8095 if (!is_atm) 8096 bpf_error("'sc' supported only on raw ATM"); 8097 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8098 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8099 gen_and(b0, b1); 8100 break; 8101 8102 case A_ILMIC: 8103 /* Get all packets in ILMI Circuit */ 8104 if (!is_atm) 8105 bpf_error("'ilmic' supported only on raw ATM"); 8106 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8107 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8108 gen_and(b0, b1); 8109 break; 8110 8111 case A_LANE: 8112 /* Get all LANE packets */ 8113 if (!is_atm) 8114 bpf_error("'lane' supported only on raw ATM"); 8115 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8116 8117 /* 8118 * Arrange that all subsequent tests assume LANE 8119 * rather than LLC-encapsulated packets, and set 8120 * the offsets appropriately for LANE-encapsulated 8121 * Ethernet. 8122 * 8123 * "off_mac" is the offset of the Ethernet header, 8124 * which is 2 bytes past the ATM pseudo-header 8125 * (skipping the pseudo-header and 2-byte LE Client 8126 * field). The other offsets are Ethernet offsets 8127 * relative to "off_mac". 8128 */ 8129 is_lane = 1; 8130 off_mac = off_payload + 2; /* MAC header */ 8131 off_linktype = off_mac + 12; 8132 off_macpl = off_mac + 14; /* Ethernet */ 8133 off_nl = 0; /* Ethernet II */ 8134 off_nl_nosnap = 3; /* 802.3+802.2 */ 8135 break; 8136 8137 case A_LLC: 8138 /* Get all LLC-encapsulated packets */ 8139 if (!is_atm) 8140 bpf_error("'llc' supported only on raw ATM"); 8141 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8142 is_lane = 0; 8143 break; 8144 8145 default: 8146 abort(); 8147 } 8148 return b1; 8149 } 8150 8151 /* 8152 * Filtering for MTP2 messages based on li value 8153 * FISU, length is null 8154 * LSSU, length is 1 or 2 8155 * MSU, length is 3 or more 8156 */ 8157 struct block * 8158 gen_mtp2type_abbrev(type) 8159 int type; 8160 { 8161 struct block *b0, *b1; 8162 8163 switch (type) { 8164 8165 case M_FISU: 8166 if ( (linktype != DLT_MTP2) && 8167 (linktype != DLT_ERF) && 8168 (linktype != DLT_MTP2_WITH_PHDR) ) 8169 bpf_error("'fisu' supported only on MTP2"); 8170 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8171 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8172 break; 8173 8174 case M_LSSU: 8175 if ( (linktype != DLT_MTP2) && 8176 (linktype != DLT_ERF) && 8177 (linktype != DLT_MTP2_WITH_PHDR) ) 8178 bpf_error("'lssu' supported only on MTP2"); 8179 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8180 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8181 gen_and(b1, b0); 8182 break; 8183 8184 case M_MSU: 8185 if ( (linktype != DLT_MTP2) && 8186 (linktype != DLT_ERF) && 8187 (linktype != DLT_MTP2_WITH_PHDR) ) 8188 bpf_error("'msu' supported only on MTP2"); 8189 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8190 break; 8191 8192 default: 8193 abort(); 8194 } 8195 return b0; 8196 } 8197 8198 struct block * 8199 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8200 int mtp3field; 8201 bpf_u_int32 jvalue; 8202 bpf_u_int32 jtype; 8203 int reverse; 8204 { 8205 struct block *b0; 8206 bpf_u_int32 val1 , val2 , val3; 8207 8208 switch (mtp3field) { 8209 8210 case M_SIO: 8211 if (off_sio == (u_int)-1) 8212 bpf_error("'sio' supported only on SS7"); 8213 /* sio coded on 1 byte so max value 255 */ 8214 if(jvalue > 255) 8215 bpf_error("sio value %u too big; max value = 255", 8216 jvalue); 8217 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8218 (u_int)jtype, reverse, (u_int)jvalue); 8219 break; 8220 8221 case M_OPC: 8222 if (off_opc == (u_int)-1) 8223 bpf_error("'opc' supported only on SS7"); 8224 /* opc coded on 14 bits so max value 16383 */ 8225 if (jvalue > 16383) 8226 bpf_error("opc value %u too big; max value = 16383", 8227 jvalue); 8228 /* the following instructions are made to convert jvalue 8229 * to the form used to write opc in an ss7 message*/ 8230 val1 = jvalue & 0x00003c00; 8231 val1 = val1 >>10; 8232 val2 = jvalue & 0x000003fc; 8233 val2 = val2 <<6; 8234 val3 = jvalue & 0x00000003; 8235 val3 = val3 <<22; 8236 jvalue = val1 + val2 + val3; 8237 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8238 (u_int)jtype, reverse, (u_int)jvalue); 8239 break; 8240 8241 case M_DPC: 8242 if (off_dpc == (u_int)-1) 8243 bpf_error("'dpc' supported only on SS7"); 8244 /* dpc coded on 14 bits so max value 16383 */ 8245 if (jvalue > 16383) 8246 bpf_error("dpc value %u too big; max value = 16383", 8247 jvalue); 8248 /* the following instructions are made to convert jvalue 8249 * to the forme used to write dpc in an ss7 message*/ 8250 val1 = jvalue & 0x000000ff; 8251 val1 = val1 << 24; 8252 val2 = jvalue & 0x00003f00; 8253 val2 = val2 << 8; 8254 jvalue = val1 + val2; 8255 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8256 (u_int)jtype, reverse, (u_int)jvalue); 8257 break; 8258 8259 case M_SLS: 8260 if (off_sls == (u_int)-1) 8261 bpf_error("'sls' supported only on SS7"); 8262 /* sls coded on 4 bits so max value 15 */ 8263 if (jvalue > 15) 8264 bpf_error("sls value %u too big; max value = 15", 8265 jvalue); 8266 /* the following instruction is made to convert jvalue 8267 * to the forme used to write sls in an ss7 message*/ 8268 jvalue = jvalue << 4; 8269 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8270 (u_int)jtype,reverse, (u_int)jvalue); 8271 break; 8272 8273 default: 8274 abort(); 8275 } 8276 return b0; 8277 } 8278 8279 static struct block * 8280 gen_msg_abbrev(type) 8281 int type; 8282 { 8283 struct block *b1; 8284 8285 /* 8286 * Q.2931 signalling protocol messages for handling virtual circuits 8287 * establishment and teardown 8288 */ 8289 switch (type) { 8290 8291 case A_SETUP: 8292 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8293 break; 8294 8295 case A_CALLPROCEED: 8296 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8297 break; 8298 8299 case A_CONNECT: 8300 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8301 break; 8302 8303 case A_CONNECTACK: 8304 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8305 break; 8306 8307 case A_RELEASE: 8308 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8309 break; 8310 8311 case A_RELEASE_DONE: 8312 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8313 break; 8314 8315 default: 8316 abort(); 8317 } 8318 return b1; 8319 } 8320 8321 struct block * 8322 gen_atmmulti_abbrev(type) 8323 int type; 8324 { 8325 struct block *b0, *b1; 8326 8327 switch (type) { 8328 8329 case A_OAM: 8330 if (!is_atm) 8331 bpf_error("'oam' supported only on raw ATM"); 8332 b1 = gen_atmmulti_abbrev(A_OAMF4); 8333 break; 8334 8335 case A_OAMF4: 8336 if (!is_atm) 8337 bpf_error("'oamf4' supported only on raw ATM"); 8338 /* OAM F4 type */ 8339 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8340 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8341 gen_or(b0, b1); 8342 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8343 gen_and(b0, b1); 8344 break; 8345 8346 case A_CONNECTMSG: 8347 /* 8348 * Get Q.2931 signalling messages for switched 8349 * virtual connection 8350 */ 8351 if (!is_atm) 8352 bpf_error("'connectmsg' supported only on raw ATM"); 8353 b0 = gen_msg_abbrev(A_SETUP); 8354 b1 = gen_msg_abbrev(A_CALLPROCEED); 8355 gen_or(b0, b1); 8356 b0 = gen_msg_abbrev(A_CONNECT); 8357 gen_or(b0, b1); 8358 b0 = gen_msg_abbrev(A_CONNECTACK); 8359 gen_or(b0, b1); 8360 b0 = gen_msg_abbrev(A_RELEASE); 8361 gen_or(b0, b1); 8362 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8363 gen_or(b0, b1); 8364 b0 = gen_atmtype_abbrev(A_SC); 8365 gen_and(b0, b1); 8366 break; 8367 8368 case A_METACONNECT: 8369 if (!is_atm) 8370 bpf_error("'metaconnect' supported only on raw ATM"); 8371 b0 = gen_msg_abbrev(A_SETUP); 8372 b1 = gen_msg_abbrev(A_CALLPROCEED); 8373 gen_or(b0, b1); 8374 b0 = gen_msg_abbrev(A_CONNECT); 8375 gen_or(b0, b1); 8376 b0 = gen_msg_abbrev(A_RELEASE); 8377 gen_or(b0, b1); 8378 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8379 gen_or(b0, b1); 8380 b0 = gen_atmtype_abbrev(A_METAC); 8381 gen_and(b0, b1); 8382 break; 8383 8384 default: 8385 abort(); 8386 } 8387 return b1; 8388 } 8389