1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * $FreeBSD$ 23 */ 24 #ifndef lint 25 static const char rcsid[] _U_ = 26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)"; 27 #endif 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef WIN32 34 #include <pcap-stdinc.h> 35 #else /* WIN32 */ 36 #if HAVE_INTTYPES_H 37 #include <inttypes.h> 38 #elif HAVE_STDINT_H 39 #include <stdint.h> 40 #endif 41 #ifdef HAVE_SYS_BITYPES_H 42 #include <sys/bitypes.h> 43 #endif 44 #include <sys/types.h> 45 #include <sys/socket.h> 46 #endif /* WIN32 */ 47 48 /* 49 * XXX - why was this included even on UNIX? 50 */ 51 #ifdef __MINGW32__ 52 #include "ip6_misc.h" 53 #endif 54 55 #ifndef WIN32 56 57 #ifdef __NetBSD__ 58 #include <sys/param.h> 59 #endif 60 61 #include <netinet/in.h> 62 #include <arpa/inet.h> 63 64 #endif /* WIN32 */ 65 66 #include <stdlib.h> 67 #include <string.h> 68 #include <memory.h> 69 #include <setjmp.h> 70 #include <stdarg.h> 71 72 #ifdef MSDOS 73 #include "pcap-dos.h" 74 #endif 75 76 #include "pcap-int.h" 77 78 #include "ethertype.h" 79 #include "nlpid.h" 80 #include "llc.h" 81 #include "gencode.h" 82 #include "ieee80211.h" 83 #include "atmuni31.h" 84 #include "sunatmpos.h" 85 #include "ppp.h" 86 #include "pcap/sll.h" 87 #include "pcap/ipnet.h" 88 #include "arcnet.h" 89 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 90 #include <linux/types.h> 91 #include <linux/if_packet.h> 92 #include <linux/filter.h> 93 #endif 94 #ifdef HAVE_NET_PFVAR_H 95 #include <sys/socket.h> 96 #include <net/if.h> 97 #include <net/pfvar.h> 98 #include <net/if_pflog.h> 99 #endif 100 #ifndef offsetof 101 #define offsetof(s, e) ((size_t)&((s *)0)->e) 102 #endif 103 #ifdef INET6 104 #ifndef WIN32 105 #include <netdb.h> /* for "struct addrinfo" */ 106 #endif /* WIN32 */ 107 #endif /*INET6*/ 108 #include <pcap/namedb.h> 109 110 #define ETHERMTU 1500 111 112 #ifndef IPPROTO_HOPOPTS 113 #define IPPROTO_HOPOPTS 0 114 #endif 115 #ifndef IPPROTO_ROUTING 116 #define IPPROTO_ROUTING 43 117 #endif 118 #ifndef IPPROTO_FRAGMENT 119 #define IPPROTO_FRAGMENT 44 120 #endif 121 #ifndef IPPROTO_DSTOPTS 122 #define IPPROTO_DSTOPTS 60 123 #endif 124 #ifndef IPPROTO_SCTP 125 #define IPPROTO_SCTP 132 126 #endif 127 128 #ifdef HAVE_OS_PROTO_H 129 #include "os-proto.h" 130 #endif 131 132 #define JMP(c) ((c)|BPF_JMP|BPF_K) 133 134 /* Locals */ 135 static jmp_buf top_ctx; 136 static pcap_t *bpf_pcap; 137 138 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 139 #ifdef WIN32 140 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 141 #else 142 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 143 #endif 144 145 /* XXX */ 146 #ifdef PCAP_FDDIPAD 147 static int pcap_fddipad; 148 #endif 149 150 /* VARARGS */ 151 void 152 bpf_error(const char *fmt, ...) 153 { 154 va_list ap; 155 156 va_start(ap, fmt); 157 if (bpf_pcap != NULL) 158 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 159 fmt, ap); 160 va_end(ap); 161 longjmp(top_ctx, 1); 162 /* NOTREACHED */ 163 } 164 165 static void init_linktype(pcap_t *); 166 167 static void init_regs(void); 168 static int alloc_reg(void); 169 static void free_reg(int); 170 171 static struct block *root; 172 173 /* 174 * Value passed to gen_load_a() to indicate what the offset argument 175 * is relative to. 176 */ 177 enum e_offrel { 178 OR_PACKET, /* relative to the beginning of the packet */ 179 OR_LINK, /* relative to the beginning of the link-layer header */ 180 OR_MACPL, /* relative to the end of the MAC-layer header */ 181 OR_NET, /* relative to the network-layer header */ 182 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 183 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 184 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 185 }; 186 187 #ifdef INET6 188 /* 189 * As errors are handled by a longjmp, anything allocated must be freed 190 * in the longjmp handler, so it must be reachable from that handler. 191 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 192 * it must be freed with freeaddrinfo(). This variable points to any 193 * addrinfo structure that would need to be freed. 194 */ 195 static struct addrinfo *ai; 196 #endif 197 198 /* 199 * We divy out chunks of memory rather than call malloc each time so 200 * we don't have to worry about leaking memory. It's probably 201 * not a big deal if all this memory was wasted but if this ever 202 * goes into a library that would probably not be a good idea. 203 * 204 * XXX - this *is* in a library.... 205 */ 206 #define NCHUNKS 16 207 #define CHUNK0SIZE 1024 208 struct chunk { 209 u_int n_left; 210 void *m; 211 }; 212 213 static struct chunk chunks[NCHUNKS]; 214 static int cur_chunk; 215 216 static void *newchunk(u_int); 217 static void freechunks(void); 218 static inline struct block *new_block(int); 219 static inline struct slist *new_stmt(int); 220 static struct block *gen_retblk(int); 221 static inline void syntax(void); 222 223 static void backpatch(struct block *, struct block *); 224 static void merge(struct block *, struct block *); 225 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 226 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 227 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 228 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 229 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 230 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 231 bpf_u_int32); 232 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 233 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 234 bpf_u_int32, bpf_u_int32, int, bpf_int32); 235 static struct slist *gen_load_llrel(u_int, u_int); 236 static struct slist *gen_load_macplrel(u_int, u_int); 237 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 238 static struct slist *gen_loadx_iphdrlen(void); 239 static struct block *gen_uncond(int); 240 static inline struct block *gen_true(void); 241 static inline struct block *gen_false(void); 242 static struct block *gen_ether_linktype(int); 243 static struct block *gen_ipnet_linktype(int); 244 static struct block *gen_linux_sll_linktype(int); 245 static struct slist *gen_load_prism_llprefixlen(void); 246 static struct slist *gen_load_avs_llprefixlen(void); 247 static struct slist *gen_load_radiotap_llprefixlen(void); 248 static struct slist *gen_load_ppi_llprefixlen(void); 249 static void insert_compute_vloffsets(struct block *); 250 static struct slist *gen_llprefixlen(void); 251 static struct slist *gen_off_macpl(void); 252 static int ethertype_to_ppptype(int); 253 static struct block *gen_linktype(int); 254 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 255 static struct block *gen_llc_linktype(int); 256 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 257 #ifdef INET6 258 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 259 #endif 260 static struct block *gen_ahostop(const u_char *, int); 261 static struct block *gen_ehostop(const u_char *, int); 262 static struct block *gen_fhostop(const u_char *, int); 263 static struct block *gen_thostop(const u_char *, int); 264 static struct block *gen_wlanhostop(const u_char *, int); 265 static struct block *gen_ipfchostop(const u_char *, int); 266 static struct block *gen_dnhostop(bpf_u_int32, int); 267 static struct block *gen_mpls_linktype(int); 268 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 269 #ifdef INET6 270 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 271 #endif 272 #ifndef INET6 273 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 274 #endif 275 static struct block *gen_ipfrag(void); 276 static struct block *gen_portatom(int, bpf_int32); 277 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 278 static struct block *gen_portatom6(int, bpf_int32); 279 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 280 struct block *gen_portop(int, int, int); 281 static struct block *gen_port(int, int, int); 282 struct block *gen_portrangeop(int, int, int, int); 283 static struct block *gen_portrange(int, int, int, int); 284 struct block *gen_portop6(int, int, int); 285 static struct block *gen_port6(int, int, int); 286 struct block *gen_portrangeop6(int, int, int, int); 287 static struct block *gen_portrange6(int, int, int, int); 288 static int lookup_proto(const char *, int); 289 static struct block *gen_protochain(int, int, int); 290 static struct block *gen_proto(int, int, int); 291 static struct slist *xfer_to_x(struct arth *); 292 static struct slist *xfer_to_a(struct arth *); 293 static struct block *gen_mac_multicast(int); 294 static struct block *gen_len(int, int); 295 static struct block *gen_check_802_11_data_frame(void); 296 297 static struct block *gen_ppi_dlt_check(void); 298 static struct block *gen_msg_abbrev(int type); 299 300 static void * 301 newchunk(n) 302 u_int n; 303 { 304 struct chunk *cp; 305 int k; 306 size_t size; 307 308 #ifndef __NetBSD__ 309 /* XXX Round up to nearest long. */ 310 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 311 #else 312 /* XXX Round up to structure boundary. */ 313 n = ALIGN(n); 314 #endif 315 316 cp = &chunks[cur_chunk]; 317 if (n > cp->n_left) { 318 ++cp, k = ++cur_chunk; 319 if (k >= NCHUNKS) 320 bpf_error("out of memory"); 321 size = CHUNK0SIZE << k; 322 cp->m = (void *)malloc(size); 323 if (cp->m == NULL) 324 bpf_error("out of memory"); 325 memset((char *)cp->m, 0, size); 326 cp->n_left = size; 327 if (n > size) 328 bpf_error("out of memory"); 329 } 330 cp->n_left -= n; 331 return (void *)((char *)cp->m + cp->n_left); 332 } 333 334 static void 335 freechunks() 336 { 337 int i; 338 339 cur_chunk = 0; 340 for (i = 0; i < NCHUNKS; ++i) 341 if (chunks[i].m != NULL) { 342 free(chunks[i].m); 343 chunks[i].m = NULL; 344 } 345 } 346 347 /* 348 * A strdup whose allocations are freed after code generation is over. 349 */ 350 char * 351 sdup(s) 352 register const char *s; 353 { 354 int n = strlen(s) + 1; 355 char *cp = newchunk(n); 356 357 strlcpy(cp, s, n); 358 return (cp); 359 } 360 361 static inline struct block * 362 new_block(code) 363 int code; 364 { 365 struct block *p; 366 367 p = (struct block *)newchunk(sizeof(*p)); 368 p->s.code = code; 369 p->head = p; 370 371 return p; 372 } 373 374 static inline struct slist * 375 new_stmt(code) 376 int code; 377 { 378 struct slist *p; 379 380 p = (struct slist *)newchunk(sizeof(*p)); 381 p->s.code = code; 382 383 return p; 384 } 385 386 static struct block * 387 gen_retblk(v) 388 int v; 389 { 390 struct block *b = new_block(BPF_RET|BPF_K); 391 392 b->s.k = v; 393 return b; 394 } 395 396 static inline void 397 syntax() 398 { 399 bpf_error("syntax error in filter expression"); 400 } 401 402 static bpf_u_int32 netmask; 403 static int snaplen; 404 int no_optimize; 405 #ifdef WIN32 406 static int 407 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 408 const char *buf, int optimize, bpf_u_int32 mask); 409 410 int 411 pcap_compile(pcap_t *p, struct bpf_program *program, 412 const char *buf, int optimize, bpf_u_int32 mask) 413 { 414 int result; 415 416 EnterCriticalSection(&g_PcapCompileCriticalSection); 417 418 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 419 420 LeaveCriticalSection(&g_PcapCompileCriticalSection); 421 422 return result; 423 } 424 425 static int 426 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 427 const char *buf, int optimize, bpf_u_int32 mask) 428 #else /* WIN32 */ 429 int 430 pcap_compile(pcap_t *p, struct bpf_program *program, 431 const char *buf, int optimize, bpf_u_int32 mask) 432 #endif /* WIN32 */ 433 { 434 extern int n_errors; 435 const char * volatile xbuf = buf; 436 u_int len; 437 438 /* 439 * If this pcap_t hasn't been activated, it doesn't have a 440 * link-layer type, so we can't use it. 441 */ 442 if (!p->activated) { 443 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 444 "not-yet-activated pcap_t passed to pcap_compile"); 445 return (-1); 446 } 447 no_optimize = 0; 448 n_errors = 0; 449 root = NULL; 450 bpf_pcap = p; 451 init_regs(); 452 if (setjmp(top_ctx)) { 453 #ifdef INET6 454 if (ai != NULL) { 455 freeaddrinfo(ai); 456 ai = NULL; 457 } 458 #endif 459 lex_cleanup(); 460 freechunks(); 461 return (-1); 462 } 463 464 netmask = mask; 465 466 snaplen = pcap_snapshot(p); 467 if (snaplen == 0) { 468 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 469 "snaplen of 0 rejects all packets"); 470 return -1; 471 } 472 473 lex_init(xbuf ? xbuf : ""); 474 init_linktype(p); 475 (void)pcap_parse(); 476 477 if (n_errors) 478 syntax(); 479 480 if (root == NULL) 481 root = gen_retblk(snaplen); 482 483 if (optimize && !no_optimize) { 484 bpf_optimize(&root); 485 if (root == NULL || 486 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 487 bpf_error("expression rejects all packets"); 488 } 489 program->bf_insns = icode_to_fcode(root, &len); 490 program->bf_len = len; 491 492 lex_cleanup(); 493 freechunks(); 494 return (0); 495 } 496 497 /* 498 * entry point for using the compiler with no pcap open 499 * pass in all the stuff that is needed explicitly instead. 500 */ 501 int 502 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 503 struct bpf_program *program, 504 const char *buf, int optimize, bpf_u_int32 mask) 505 { 506 pcap_t *p; 507 int ret; 508 509 p = pcap_open_dead(linktype_arg, snaplen_arg); 510 if (p == NULL) 511 return (-1); 512 ret = pcap_compile(p, program, buf, optimize, mask); 513 pcap_close(p); 514 return (ret); 515 } 516 517 /* 518 * Clean up a "struct bpf_program" by freeing all the memory allocated 519 * in it. 520 */ 521 void 522 pcap_freecode(struct bpf_program *program) 523 { 524 program->bf_len = 0; 525 if (program->bf_insns != NULL) { 526 free((char *)program->bf_insns); 527 program->bf_insns = NULL; 528 } 529 } 530 531 /* 532 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 533 * which of the jt and jf fields has been resolved and which is a pointer 534 * back to another unresolved block (or nil). At least one of the fields 535 * in each block is already resolved. 536 */ 537 static void 538 backpatch(list, target) 539 struct block *list, *target; 540 { 541 struct block *next; 542 543 while (list) { 544 if (!list->sense) { 545 next = JT(list); 546 JT(list) = target; 547 } else { 548 next = JF(list); 549 JF(list) = target; 550 } 551 list = next; 552 } 553 } 554 555 /* 556 * Merge the lists in b0 and b1, using the 'sense' field to indicate 557 * which of jt and jf is the link. 558 */ 559 static void 560 merge(b0, b1) 561 struct block *b0, *b1; 562 { 563 register struct block **p = &b0; 564 565 /* Find end of list. */ 566 while (*p) 567 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 568 569 /* Concatenate the lists. */ 570 *p = b1; 571 } 572 573 void 574 finish_parse(p) 575 struct block *p; 576 { 577 struct block *ppi_dlt_check; 578 579 /* 580 * Insert before the statements of the first (root) block any 581 * statements needed to load the lengths of any variable-length 582 * headers into registers. 583 * 584 * XXX - a fancier strategy would be to insert those before the 585 * statements of all blocks that use those lengths and that 586 * have no predecessors that use them, so that we only compute 587 * the lengths if we need them. There might be even better 588 * approaches than that. 589 * 590 * However, those strategies would be more complicated, and 591 * as we don't generate code to compute a length if the 592 * program has no tests that use the length, and as most 593 * tests will probably use those lengths, we would just 594 * postpone computing the lengths so that it's not done 595 * for tests that fail early, and it's not clear that's 596 * worth the effort. 597 */ 598 insert_compute_vloffsets(p->head); 599 600 /* 601 * For DLT_PPI captures, generate a check of the per-packet 602 * DLT value to make sure it's DLT_IEEE802_11. 603 */ 604 ppi_dlt_check = gen_ppi_dlt_check(); 605 if (ppi_dlt_check != NULL) 606 gen_and(ppi_dlt_check, p); 607 608 backpatch(p, gen_retblk(snaplen)); 609 p->sense = !p->sense; 610 backpatch(p, gen_retblk(0)); 611 root = p->head; 612 } 613 614 void 615 gen_and(b0, b1) 616 struct block *b0, *b1; 617 { 618 backpatch(b0, b1->head); 619 b0->sense = !b0->sense; 620 b1->sense = !b1->sense; 621 merge(b1, b0); 622 b1->sense = !b1->sense; 623 b1->head = b0->head; 624 } 625 626 void 627 gen_or(b0, b1) 628 struct block *b0, *b1; 629 { 630 b0->sense = !b0->sense; 631 backpatch(b0, b1->head); 632 b0->sense = !b0->sense; 633 merge(b1, b0); 634 b1->head = b0->head; 635 } 636 637 void 638 gen_not(b) 639 struct block *b; 640 { 641 b->sense = !b->sense; 642 } 643 644 static struct block * 645 gen_cmp(offrel, offset, size, v) 646 enum e_offrel offrel; 647 u_int offset, size; 648 bpf_int32 v; 649 { 650 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 651 } 652 653 static struct block * 654 gen_cmp_gt(offrel, offset, size, v) 655 enum e_offrel offrel; 656 u_int offset, size; 657 bpf_int32 v; 658 { 659 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 660 } 661 662 static struct block * 663 gen_cmp_ge(offrel, offset, size, v) 664 enum e_offrel offrel; 665 u_int offset, size; 666 bpf_int32 v; 667 { 668 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 669 } 670 671 static struct block * 672 gen_cmp_lt(offrel, offset, size, v) 673 enum e_offrel offrel; 674 u_int offset, size; 675 bpf_int32 v; 676 { 677 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 678 } 679 680 static struct block * 681 gen_cmp_le(offrel, offset, size, v) 682 enum e_offrel offrel; 683 u_int offset, size; 684 bpf_int32 v; 685 { 686 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 687 } 688 689 static struct block * 690 gen_mcmp(offrel, offset, size, v, mask) 691 enum e_offrel offrel; 692 u_int offset, size; 693 bpf_int32 v; 694 bpf_u_int32 mask; 695 { 696 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 697 } 698 699 static struct block * 700 gen_bcmp(offrel, offset, size, v) 701 enum e_offrel offrel; 702 register u_int offset, size; 703 register const u_char *v; 704 { 705 register struct block *b, *tmp; 706 707 b = NULL; 708 while (size >= 4) { 709 register const u_char *p = &v[size - 4]; 710 bpf_int32 w = ((bpf_int32)p[0] << 24) | 711 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 712 713 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 714 if (b != NULL) 715 gen_and(b, tmp); 716 b = tmp; 717 size -= 4; 718 } 719 while (size >= 2) { 720 register const u_char *p = &v[size - 2]; 721 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 722 723 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 724 if (b != NULL) 725 gen_and(b, tmp); 726 b = tmp; 727 size -= 2; 728 } 729 if (size > 0) { 730 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 731 if (b != NULL) 732 gen_and(b, tmp); 733 b = tmp; 734 } 735 return b; 736 } 737 738 /* 739 * AND the field of size "size" at offset "offset" relative to the header 740 * specified by "offrel" with "mask", and compare it with the value "v" 741 * with the test specified by "jtype"; if "reverse" is true, the test 742 * should test the opposite of "jtype". 743 */ 744 static struct block * 745 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 746 enum e_offrel offrel; 747 bpf_int32 v; 748 bpf_u_int32 offset, size, mask, jtype; 749 int reverse; 750 { 751 struct slist *s, *s2; 752 struct block *b; 753 754 s = gen_load_a(offrel, offset, size); 755 756 if (mask != 0xffffffff) { 757 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 758 s2->s.k = mask; 759 sappend(s, s2); 760 } 761 762 b = new_block(JMP(jtype)); 763 b->stmts = s; 764 b->s.k = v; 765 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 766 gen_not(b); 767 return b; 768 } 769 770 /* 771 * Various code constructs need to know the layout of the data link 772 * layer. These variables give the necessary offsets from the beginning 773 * of the packet data. 774 */ 775 776 /* 777 * This is the offset of the beginning of the link-layer header from 778 * the beginning of the raw packet data. 779 * 780 * It's usually 0, except for 802.11 with a fixed-length radio header. 781 * (For 802.11 with a variable-length radio header, we have to generate 782 * code to compute that offset; off_ll is 0 in that case.) 783 */ 784 static u_int off_ll; 785 786 /* 787 * If there's a variable-length header preceding the link-layer header, 788 * "reg_off_ll" is the register number for a register containing the 789 * length of that header, and therefore the offset of the link-layer 790 * header from the beginning of the raw packet data. Otherwise, 791 * "reg_off_ll" is -1. 792 */ 793 static int reg_off_ll; 794 795 /* 796 * This is the offset of the beginning of the MAC-layer header from 797 * the beginning of the link-layer header. 798 * It's usually 0, except for ATM LANE, where it's the offset, relative 799 * to the beginning of the raw packet data, of the Ethernet header, and 800 * for Ethernet with various additional information. 801 */ 802 static u_int off_mac; 803 804 /* 805 * This is the offset of the beginning of the MAC-layer payload, 806 * from the beginning of the raw packet data. 807 * 808 * I.e., it's the sum of the length of the link-layer header (without, 809 * for example, any 802.2 LLC header, so it's the MAC-layer 810 * portion of that header), plus any prefix preceding the 811 * link-layer header. 812 */ 813 static u_int off_macpl; 814 815 /* 816 * This is 1 if the offset of the beginning of the MAC-layer payload 817 * from the beginning of the link-layer header is variable-length. 818 */ 819 static int off_macpl_is_variable; 820 821 /* 822 * If the link layer has variable_length headers, "reg_off_macpl" 823 * is the register number for a register containing the length of the 824 * link-layer header plus the length of any variable-length header 825 * preceding the link-layer header. Otherwise, "reg_off_macpl" 826 * is -1. 827 */ 828 static int reg_off_macpl; 829 830 /* 831 * "off_linktype" is the offset to information in the link-layer header 832 * giving the packet type. This offset is relative to the beginning 833 * of the link-layer header (i.e., it doesn't include off_ll). 834 * 835 * For Ethernet, it's the offset of the Ethernet type field. 836 * 837 * For link-layer types that always use 802.2 headers, it's the 838 * offset of the LLC header. 839 * 840 * For PPP, it's the offset of the PPP type field. 841 * 842 * For Cisco HDLC, it's the offset of the CHDLC type field. 843 * 844 * For BSD loopback, it's the offset of the AF_ value. 845 * 846 * For Linux cooked sockets, it's the offset of the type field. 847 * 848 * It's set to -1 for no encapsulation, in which case, IP is assumed. 849 */ 850 static u_int off_linktype; 851 852 /* 853 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 854 * checks to check the PPP header, assumed to follow a LAN-style link- 855 * layer header and a PPPoE session header. 856 */ 857 static int is_pppoes = 0; 858 859 /* 860 * TRUE if the link layer includes an ATM pseudo-header. 861 */ 862 static int is_atm = 0; 863 864 /* 865 * TRUE if "lane" appeared in the filter; it causes us to generate 866 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 867 */ 868 static int is_lane = 0; 869 870 /* 871 * These are offsets for the ATM pseudo-header. 872 */ 873 static u_int off_vpi; 874 static u_int off_vci; 875 static u_int off_proto; 876 877 /* 878 * These are offsets for the MTP2 fields. 879 */ 880 static u_int off_li; 881 882 /* 883 * These are offsets for the MTP3 fields. 884 */ 885 static u_int off_sio; 886 static u_int off_opc; 887 static u_int off_dpc; 888 static u_int off_sls; 889 890 /* 891 * This is the offset of the first byte after the ATM pseudo_header, 892 * or -1 if there is no ATM pseudo-header. 893 */ 894 static u_int off_payload; 895 896 /* 897 * These are offsets to the beginning of the network-layer header. 898 * They are relative to the beginning of the MAC-layer payload (i.e., 899 * they don't include off_ll or off_macpl). 900 * 901 * If the link layer never uses 802.2 LLC: 902 * 903 * "off_nl" and "off_nl_nosnap" are the same. 904 * 905 * If the link layer always uses 802.2 LLC: 906 * 907 * "off_nl" is the offset if there's a SNAP header following 908 * the 802.2 header; 909 * 910 * "off_nl_nosnap" is the offset if there's no SNAP header. 911 * 912 * If the link layer is Ethernet: 913 * 914 * "off_nl" is the offset if the packet is an Ethernet II packet 915 * (we assume no 802.3+802.2+SNAP); 916 * 917 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 918 * with an 802.2 header following it. 919 */ 920 static u_int off_nl; 921 static u_int off_nl_nosnap; 922 923 static int linktype; 924 925 static void 926 init_linktype(p) 927 pcap_t *p; 928 { 929 linktype = pcap_datalink(p); 930 #ifdef PCAP_FDDIPAD 931 pcap_fddipad = p->fddipad; 932 #endif 933 934 /* 935 * Assume it's not raw ATM with a pseudo-header, for now. 936 */ 937 off_mac = 0; 938 is_atm = 0; 939 is_lane = 0; 940 off_vpi = -1; 941 off_vci = -1; 942 off_proto = -1; 943 off_payload = -1; 944 945 /* 946 * And that we're not doing PPPoE. 947 */ 948 is_pppoes = 0; 949 950 /* 951 * And assume we're not doing SS7. 952 */ 953 off_li = -1; 954 off_sio = -1; 955 off_opc = -1; 956 off_dpc = -1; 957 off_sls = -1; 958 959 /* 960 * Also assume it's not 802.11. 961 */ 962 off_ll = 0; 963 off_macpl = 0; 964 off_macpl_is_variable = 0; 965 966 orig_linktype = -1; 967 orig_nl = -1; 968 label_stack_depth = 0; 969 970 reg_off_ll = -1; 971 reg_off_macpl = -1; 972 973 switch (linktype) { 974 975 case DLT_ARCNET: 976 off_linktype = 2; 977 off_macpl = 6; 978 off_nl = 0; /* XXX in reality, variable! */ 979 off_nl_nosnap = 0; /* no 802.2 LLC */ 980 return; 981 982 case DLT_ARCNET_LINUX: 983 off_linktype = 4; 984 off_macpl = 8; 985 off_nl = 0; /* XXX in reality, variable! */ 986 off_nl_nosnap = 0; /* no 802.2 LLC */ 987 return; 988 989 case DLT_EN10MB: 990 off_linktype = 12; 991 off_macpl = 14; /* Ethernet header length */ 992 off_nl = 0; /* Ethernet II */ 993 off_nl_nosnap = 3; /* 802.3+802.2 */ 994 return; 995 996 case DLT_SLIP: 997 /* 998 * SLIP doesn't have a link level type. The 16 byte 999 * header is hacked into our SLIP driver. 1000 */ 1001 off_linktype = -1; 1002 off_macpl = 16; 1003 off_nl = 0; 1004 off_nl_nosnap = 0; /* no 802.2 LLC */ 1005 return; 1006 1007 case DLT_SLIP_BSDOS: 1008 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1009 off_linktype = -1; 1010 /* XXX end */ 1011 off_macpl = 24; 1012 off_nl = 0; 1013 off_nl_nosnap = 0; /* no 802.2 LLC */ 1014 return; 1015 1016 case DLT_NULL: 1017 case DLT_LOOP: 1018 off_linktype = 0; 1019 off_macpl = 4; 1020 off_nl = 0; 1021 off_nl_nosnap = 0; /* no 802.2 LLC */ 1022 return; 1023 1024 case DLT_ENC: 1025 off_linktype = 0; 1026 off_macpl = 12; 1027 off_nl = 0; 1028 off_nl_nosnap = 0; /* no 802.2 LLC */ 1029 return; 1030 1031 case DLT_PPP: 1032 case DLT_PPP_PPPD: 1033 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1034 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1035 off_linktype = 2; 1036 off_macpl = 4; 1037 off_nl = 0; 1038 off_nl_nosnap = 0; /* no 802.2 LLC */ 1039 return; 1040 1041 case DLT_PPP_ETHER: 1042 /* 1043 * This does no include the Ethernet header, and 1044 * only covers session state. 1045 */ 1046 off_linktype = 6; 1047 off_macpl = 8; 1048 off_nl = 0; 1049 off_nl_nosnap = 0; /* no 802.2 LLC */ 1050 return; 1051 1052 case DLT_PPP_BSDOS: 1053 off_linktype = 5; 1054 off_macpl = 24; 1055 off_nl = 0; 1056 off_nl_nosnap = 0; /* no 802.2 LLC */ 1057 return; 1058 1059 case DLT_FDDI: 1060 /* 1061 * FDDI doesn't really have a link-level type field. 1062 * We set "off_linktype" to the offset of the LLC header. 1063 * 1064 * To check for Ethernet types, we assume that SSAP = SNAP 1065 * is being used and pick out the encapsulated Ethernet type. 1066 * XXX - should we generate code to check for SNAP? 1067 */ 1068 off_linktype = 13; 1069 #ifdef PCAP_FDDIPAD 1070 off_linktype += pcap_fddipad; 1071 #endif 1072 off_macpl = 13; /* FDDI MAC header length */ 1073 #ifdef PCAP_FDDIPAD 1074 off_macpl += pcap_fddipad; 1075 #endif 1076 off_nl = 8; /* 802.2+SNAP */ 1077 off_nl_nosnap = 3; /* 802.2 */ 1078 return; 1079 1080 case DLT_IEEE802: 1081 /* 1082 * Token Ring doesn't really have a link-level type field. 1083 * We set "off_linktype" to the offset of the LLC header. 1084 * 1085 * To check for Ethernet types, we assume that SSAP = SNAP 1086 * is being used and pick out the encapsulated Ethernet type. 1087 * XXX - should we generate code to check for SNAP? 1088 * 1089 * XXX - the header is actually variable-length. 1090 * Some various Linux patched versions gave 38 1091 * as "off_linktype" and 40 as "off_nl"; however, 1092 * if a token ring packet has *no* routing 1093 * information, i.e. is not source-routed, the correct 1094 * values are 20 and 22, as they are in the vanilla code. 1095 * 1096 * A packet is source-routed iff the uppermost bit 1097 * of the first byte of the source address, at an 1098 * offset of 8, has the uppermost bit set. If the 1099 * packet is source-routed, the total number of bytes 1100 * of routing information is 2 plus bits 0x1F00 of 1101 * the 16-bit value at an offset of 14 (shifted right 1102 * 8 - figure out which byte that is). 1103 */ 1104 off_linktype = 14; 1105 off_macpl = 14; /* Token Ring MAC header length */ 1106 off_nl = 8; /* 802.2+SNAP */ 1107 off_nl_nosnap = 3; /* 802.2 */ 1108 return; 1109 1110 case DLT_IEEE802_11: 1111 case DLT_PRISM_HEADER: 1112 case DLT_IEEE802_11_RADIO_AVS: 1113 case DLT_IEEE802_11_RADIO: 1114 /* 1115 * 802.11 doesn't really have a link-level type field. 1116 * We set "off_linktype" to the offset of the LLC header. 1117 * 1118 * To check for Ethernet types, we assume that SSAP = SNAP 1119 * is being used and pick out the encapsulated Ethernet type. 1120 * XXX - should we generate code to check for SNAP? 1121 * 1122 * We also handle variable-length radio headers here. 1123 * The Prism header is in theory variable-length, but in 1124 * practice it's always 144 bytes long. However, some 1125 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1126 * sometimes or always supply an AVS header, so we 1127 * have to check whether the radio header is a Prism 1128 * header or an AVS header, so, in practice, it's 1129 * variable-length. 1130 */ 1131 off_linktype = 24; 1132 off_macpl = 0; /* link-layer header is variable-length */ 1133 off_macpl_is_variable = 1; 1134 off_nl = 8; /* 802.2+SNAP */ 1135 off_nl_nosnap = 3; /* 802.2 */ 1136 return; 1137 1138 case DLT_PPI: 1139 /* 1140 * At the moment we treat PPI the same way that we treat 1141 * normal Radiotap encoded packets. The difference is in 1142 * the function that generates the code at the beginning 1143 * to compute the header length. Since this code generator 1144 * of PPI supports bare 802.11 encapsulation only (i.e. 1145 * the encapsulated DLT should be DLT_IEEE802_11) we 1146 * generate code to check for this too. 1147 */ 1148 off_linktype = 24; 1149 off_macpl = 0; /* link-layer header is variable-length */ 1150 off_macpl_is_variable = 1; 1151 off_nl = 8; /* 802.2+SNAP */ 1152 off_nl_nosnap = 3; /* 802.2 */ 1153 return; 1154 1155 case DLT_ATM_RFC1483: 1156 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1157 /* 1158 * assume routed, non-ISO PDUs 1159 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1160 * 1161 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1162 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1163 * latter would presumably be treated the way PPPoE 1164 * should be, so you can do "pppoe and udp port 2049" 1165 * or "pppoa and tcp port 80" and have it check for 1166 * PPPo{A,E} and a PPP protocol of IP and.... 1167 */ 1168 off_linktype = 0; 1169 off_macpl = 0; /* packet begins with LLC header */ 1170 off_nl = 8; /* 802.2+SNAP */ 1171 off_nl_nosnap = 3; /* 802.2 */ 1172 return; 1173 1174 case DLT_SUNATM: 1175 /* 1176 * Full Frontal ATM; you get AALn PDUs with an ATM 1177 * pseudo-header. 1178 */ 1179 is_atm = 1; 1180 off_vpi = SUNATM_VPI_POS; 1181 off_vci = SUNATM_VCI_POS; 1182 off_proto = PROTO_POS; 1183 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1184 off_payload = SUNATM_PKT_BEGIN_POS; 1185 off_linktype = off_payload; 1186 off_macpl = off_payload; /* if LLC-encapsulated */ 1187 off_nl = 8; /* 802.2+SNAP */ 1188 off_nl_nosnap = 3; /* 802.2 */ 1189 return; 1190 1191 case DLT_RAW: 1192 case DLT_IPV4: 1193 case DLT_IPV6: 1194 off_linktype = -1; 1195 off_macpl = 0; 1196 off_nl = 0; 1197 off_nl_nosnap = 0; /* no 802.2 LLC */ 1198 return; 1199 1200 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1201 off_linktype = 14; 1202 off_macpl = 16; 1203 off_nl = 0; 1204 off_nl_nosnap = 0; /* no 802.2 LLC */ 1205 return; 1206 1207 case DLT_LTALK: 1208 /* 1209 * LocalTalk does have a 1-byte type field in the LLAP header, 1210 * but really it just indicates whether there is a "short" or 1211 * "long" DDP packet following. 1212 */ 1213 off_linktype = -1; 1214 off_macpl = 0; 1215 off_nl = 0; 1216 off_nl_nosnap = 0; /* no 802.2 LLC */ 1217 return; 1218 1219 case DLT_IP_OVER_FC: 1220 /* 1221 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1222 * link-level type field. We set "off_linktype" to the 1223 * offset of the LLC header. 1224 * 1225 * To check for Ethernet types, we assume that SSAP = SNAP 1226 * is being used and pick out the encapsulated Ethernet type. 1227 * XXX - should we generate code to check for SNAP? RFC 1228 * 2625 says SNAP should be used. 1229 */ 1230 off_linktype = 16; 1231 off_macpl = 16; 1232 off_nl = 8; /* 802.2+SNAP */ 1233 off_nl_nosnap = 3; /* 802.2 */ 1234 return; 1235 1236 case DLT_FRELAY: 1237 /* 1238 * XXX - we should set this to handle SNAP-encapsulated 1239 * frames (NLPID of 0x80). 1240 */ 1241 off_linktype = -1; 1242 off_macpl = 0; 1243 off_nl = 0; 1244 off_nl_nosnap = 0; /* no 802.2 LLC */ 1245 return; 1246 1247 /* 1248 * the only BPF-interesting FRF.16 frames are non-control frames; 1249 * Frame Relay has a variable length link-layer 1250 * so lets start with offset 4 for now and increments later on (FIXME); 1251 */ 1252 case DLT_MFR: 1253 off_linktype = -1; 1254 off_macpl = 0; 1255 off_nl = 4; 1256 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1257 return; 1258 1259 case DLT_APPLE_IP_OVER_IEEE1394: 1260 off_linktype = 16; 1261 off_macpl = 18; 1262 off_nl = 0; 1263 off_nl_nosnap = 0; /* no 802.2 LLC */ 1264 return; 1265 1266 case DLT_SYMANTEC_FIREWALL: 1267 off_linktype = 6; 1268 off_macpl = 44; 1269 off_nl = 0; /* Ethernet II */ 1270 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1271 return; 1272 1273 #ifdef HAVE_NET_PFVAR_H 1274 case DLT_PFLOG: 1275 off_linktype = 0; 1276 off_macpl = PFLOG_HDRLEN; 1277 off_nl = 0; 1278 off_nl_nosnap = 0; /* no 802.2 LLC */ 1279 return; 1280 #endif 1281 1282 case DLT_JUNIPER_MFR: 1283 case DLT_JUNIPER_MLFR: 1284 case DLT_JUNIPER_MLPPP: 1285 case DLT_JUNIPER_PPP: 1286 case DLT_JUNIPER_CHDLC: 1287 case DLT_JUNIPER_FRELAY: 1288 off_linktype = 4; 1289 off_macpl = 4; 1290 off_nl = 0; 1291 off_nl_nosnap = -1; /* no 802.2 LLC */ 1292 return; 1293 1294 case DLT_JUNIPER_ATM1: 1295 off_linktype = 4; /* in reality variable between 4-8 */ 1296 off_macpl = 4; /* in reality variable between 4-8 */ 1297 off_nl = 0; 1298 off_nl_nosnap = 10; 1299 return; 1300 1301 case DLT_JUNIPER_ATM2: 1302 off_linktype = 8; /* in reality variable between 8-12 */ 1303 off_macpl = 8; /* in reality variable between 8-12 */ 1304 off_nl = 0; 1305 off_nl_nosnap = 10; 1306 return; 1307 1308 /* frames captured on a Juniper PPPoE service PIC 1309 * contain raw ethernet frames */ 1310 case DLT_JUNIPER_PPPOE: 1311 case DLT_JUNIPER_ETHER: 1312 off_macpl = 14; 1313 off_linktype = 16; 1314 off_nl = 18; /* Ethernet II */ 1315 off_nl_nosnap = 21; /* 802.3+802.2 */ 1316 return; 1317 1318 case DLT_JUNIPER_PPPOE_ATM: 1319 off_linktype = 4; 1320 off_macpl = 6; 1321 off_nl = 0; 1322 off_nl_nosnap = -1; /* no 802.2 LLC */ 1323 return; 1324 1325 case DLT_JUNIPER_GGSN: 1326 off_linktype = 6; 1327 off_macpl = 12; 1328 off_nl = 0; 1329 off_nl_nosnap = -1; /* no 802.2 LLC */ 1330 return; 1331 1332 case DLT_JUNIPER_ES: 1333 off_linktype = 6; 1334 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1335 off_nl = -1; /* not really a network layer but raw IP addresses */ 1336 off_nl_nosnap = -1; /* no 802.2 LLC */ 1337 return; 1338 1339 case DLT_JUNIPER_MONITOR: 1340 off_linktype = 12; 1341 off_macpl = 12; 1342 off_nl = 0; /* raw IP/IP6 header */ 1343 off_nl_nosnap = -1; /* no 802.2 LLC */ 1344 return; 1345 1346 case DLT_JUNIPER_SERVICES: 1347 off_linktype = 12; 1348 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1349 off_nl = -1; /* L3 proto location dep. on cookie type */ 1350 off_nl_nosnap = -1; /* no 802.2 LLC */ 1351 return; 1352 1353 case DLT_JUNIPER_VP: 1354 off_linktype = 18; 1355 off_macpl = -1; 1356 off_nl = -1; 1357 off_nl_nosnap = -1; 1358 return; 1359 1360 case DLT_JUNIPER_ST: 1361 off_linktype = 18; 1362 off_macpl = -1; 1363 off_nl = -1; 1364 off_nl_nosnap = -1; 1365 return; 1366 1367 case DLT_JUNIPER_ISM: 1368 off_linktype = 8; 1369 off_macpl = -1; 1370 off_nl = -1; 1371 off_nl_nosnap = -1; 1372 return; 1373 1374 case DLT_JUNIPER_VS: 1375 case DLT_JUNIPER_SRX_E2E: 1376 case DLT_JUNIPER_FIBRECHANNEL: 1377 case DLT_JUNIPER_ATM_CEMIC: 1378 off_linktype = 8; 1379 off_macpl = -1; 1380 off_nl = -1; 1381 off_nl_nosnap = -1; 1382 return; 1383 1384 case DLT_MTP2: 1385 off_li = 2; 1386 off_sio = 3; 1387 off_opc = 4; 1388 off_dpc = 4; 1389 off_sls = 7; 1390 off_linktype = -1; 1391 off_macpl = -1; 1392 off_nl = -1; 1393 off_nl_nosnap = -1; 1394 return; 1395 1396 case DLT_MTP2_WITH_PHDR: 1397 off_li = 6; 1398 off_sio = 7; 1399 off_opc = 8; 1400 off_dpc = 8; 1401 off_sls = 11; 1402 off_linktype = -1; 1403 off_macpl = -1; 1404 off_nl = -1; 1405 off_nl_nosnap = -1; 1406 return; 1407 1408 case DLT_ERF: 1409 off_li = 22; 1410 off_sio = 23; 1411 off_opc = 24; 1412 off_dpc = 24; 1413 off_sls = 27; 1414 off_linktype = -1; 1415 off_macpl = -1; 1416 off_nl = -1; 1417 off_nl_nosnap = -1; 1418 return; 1419 1420 case DLT_PFSYNC: 1421 off_linktype = -1; 1422 off_macpl = 4; 1423 off_nl = 0; 1424 off_nl_nosnap = 0; 1425 return; 1426 1427 case DLT_AX25_KISS: 1428 /* 1429 * Currently, only raw "link[N:M]" filtering is supported. 1430 */ 1431 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1432 off_macpl = -1; 1433 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1434 off_nl_nosnap = -1; /* no 802.2 LLC */ 1435 off_mac = 1; /* step over the kiss length byte */ 1436 return; 1437 1438 case DLT_IPNET: 1439 off_linktype = 1; 1440 off_macpl = 24; /* ipnet header length */ 1441 off_nl = 0; 1442 off_nl_nosnap = -1; 1443 return; 1444 1445 case DLT_NETANALYZER: 1446 off_mac = 4; /* MAC header is past 4-byte pseudo-header */ 1447 off_linktype = 16; /* includes 4-byte pseudo-header */ 1448 off_macpl = 18; /* pseudo-header+Ethernet header length */ 1449 off_nl = 0; /* Ethernet II */ 1450 off_nl_nosnap = 3; /* 802.3+802.2 */ 1451 return; 1452 1453 case DLT_NETANALYZER_TRANSPARENT: 1454 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1455 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */ 1456 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */ 1457 off_nl = 0; /* Ethernet II */ 1458 off_nl_nosnap = 3; /* 802.3+802.2 */ 1459 return; 1460 1461 default: 1462 /* 1463 * For values in the range in which we've assigned new 1464 * DLT_ values, only raw "link[N:M]" filtering is supported. 1465 */ 1466 if (linktype >= DLT_MATCHING_MIN && 1467 linktype <= DLT_MATCHING_MAX) { 1468 off_linktype = -1; 1469 off_macpl = -1; 1470 off_nl = -1; 1471 off_nl_nosnap = -1; 1472 return; 1473 } 1474 1475 } 1476 bpf_error("unknown data link type %d", linktype); 1477 /* NOTREACHED */ 1478 } 1479 1480 /* 1481 * Load a value relative to the beginning of the link-layer header. 1482 * The link-layer header doesn't necessarily begin at the beginning 1483 * of the packet data; there might be a variable-length prefix containing 1484 * radio information. 1485 */ 1486 static struct slist * 1487 gen_load_llrel(offset, size) 1488 u_int offset, size; 1489 { 1490 struct slist *s, *s2; 1491 1492 s = gen_llprefixlen(); 1493 1494 /* 1495 * If "s" is non-null, it has code to arrange that the X register 1496 * contains the length of the prefix preceding the link-layer 1497 * header. 1498 * 1499 * Otherwise, the length of the prefix preceding the link-layer 1500 * header is "off_ll". 1501 */ 1502 if (s != NULL) { 1503 /* 1504 * There's a variable-length prefix preceding the 1505 * link-layer header. "s" points to a list of statements 1506 * that put the length of that prefix into the X register. 1507 * do an indirect load, to use the X register as an offset. 1508 */ 1509 s2 = new_stmt(BPF_LD|BPF_IND|size); 1510 s2->s.k = offset; 1511 sappend(s, s2); 1512 } else { 1513 /* 1514 * There is no variable-length header preceding the 1515 * link-layer header; add in off_ll, which, if there's 1516 * a fixed-length header preceding the link-layer header, 1517 * is the length of that header. 1518 */ 1519 s = new_stmt(BPF_LD|BPF_ABS|size); 1520 s->s.k = offset + off_ll; 1521 } 1522 return s; 1523 } 1524 1525 /* 1526 * Load a value relative to the beginning of the MAC-layer payload. 1527 */ 1528 static struct slist * 1529 gen_load_macplrel(offset, size) 1530 u_int offset, size; 1531 { 1532 struct slist *s, *s2; 1533 1534 s = gen_off_macpl(); 1535 1536 /* 1537 * If s is non-null, the offset of the MAC-layer payload is 1538 * variable, and s points to a list of instructions that 1539 * arrange that the X register contains that offset. 1540 * 1541 * Otherwise, the offset of the MAC-layer payload is constant, 1542 * and is in off_macpl. 1543 */ 1544 if (s != NULL) { 1545 /* 1546 * The offset of the MAC-layer payload is in the X 1547 * register. Do an indirect load, to use the X register 1548 * as an offset. 1549 */ 1550 s2 = new_stmt(BPF_LD|BPF_IND|size); 1551 s2->s.k = offset; 1552 sappend(s, s2); 1553 } else { 1554 /* 1555 * The offset of the MAC-layer payload is constant, 1556 * and is in off_macpl; load the value at that offset 1557 * plus the specified offset. 1558 */ 1559 s = new_stmt(BPF_LD|BPF_ABS|size); 1560 s->s.k = off_macpl + offset; 1561 } 1562 return s; 1563 } 1564 1565 /* 1566 * Load a value relative to the beginning of the specified header. 1567 */ 1568 static struct slist * 1569 gen_load_a(offrel, offset, size) 1570 enum e_offrel offrel; 1571 u_int offset, size; 1572 { 1573 struct slist *s, *s2; 1574 1575 switch (offrel) { 1576 1577 case OR_PACKET: 1578 s = new_stmt(BPF_LD|BPF_ABS|size); 1579 s->s.k = offset; 1580 break; 1581 1582 case OR_LINK: 1583 s = gen_load_llrel(offset, size); 1584 break; 1585 1586 case OR_MACPL: 1587 s = gen_load_macplrel(offset, size); 1588 break; 1589 1590 case OR_NET: 1591 s = gen_load_macplrel(off_nl + offset, size); 1592 break; 1593 1594 case OR_NET_NOSNAP: 1595 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1596 break; 1597 1598 case OR_TRAN_IPV4: 1599 /* 1600 * Load the X register with the length of the IPv4 header 1601 * (plus the offset of the link-layer header, if it's 1602 * preceded by a variable-length header such as a radio 1603 * header), in bytes. 1604 */ 1605 s = gen_loadx_iphdrlen(); 1606 1607 /* 1608 * Load the item at {offset of the MAC-layer payload} + 1609 * {offset, relative to the start of the MAC-layer 1610 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1611 * {specified offset}. 1612 * 1613 * (If the offset of the MAC-layer payload is variable, 1614 * it's included in the value in the X register, and 1615 * off_macpl is 0.) 1616 */ 1617 s2 = new_stmt(BPF_LD|BPF_IND|size); 1618 s2->s.k = off_macpl + off_nl + offset; 1619 sappend(s, s2); 1620 break; 1621 1622 case OR_TRAN_IPV6: 1623 s = gen_load_macplrel(off_nl + 40 + offset, size); 1624 break; 1625 1626 default: 1627 abort(); 1628 return NULL; 1629 } 1630 return s; 1631 } 1632 1633 /* 1634 * Generate code to load into the X register the sum of the length of 1635 * the IPv4 header and any variable-length header preceding the link-layer 1636 * header. 1637 */ 1638 static struct slist * 1639 gen_loadx_iphdrlen() 1640 { 1641 struct slist *s, *s2; 1642 1643 s = gen_off_macpl(); 1644 if (s != NULL) { 1645 /* 1646 * There's a variable-length prefix preceding the 1647 * link-layer header, or the link-layer header is itself 1648 * variable-length. "s" points to a list of statements 1649 * that put the offset of the MAC-layer payload into 1650 * the X register. 1651 * 1652 * The 4*([k]&0xf) addressing mode can't be used, as we 1653 * don't have a constant offset, so we have to load the 1654 * value in question into the A register and add to it 1655 * the value from the X register. 1656 */ 1657 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1658 s2->s.k = off_nl; 1659 sappend(s, s2); 1660 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1661 s2->s.k = 0xf; 1662 sappend(s, s2); 1663 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1664 s2->s.k = 2; 1665 sappend(s, s2); 1666 1667 /* 1668 * The A register now contains the length of the 1669 * IP header. We need to add to it the offset of 1670 * the MAC-layer payload, which is still in the X 1671 * register, and move the result into the X register. 1672 */ 1673 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1674 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1675 } else { 1676 /* 1677 * There is no variable-length header preceding the 1678 * link-layer header, and the link-layer header is 1679 * fixed-length; load the length of the IPv4 header, 1680 * which is at an offset of off_nl from the beginning 1681 * of the MAC-layer payload, and thus at an offset 1682 * of off_mac_pl + off_nl from the beginning of the 1683 * raw packet data. 1684 */ 1685 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1686 s->s.k = off_macpl + off_nl; 1687 } 1688 return s; 1689 } 1690 1691 static struct block * 1692 gen_uncond(rsense) 1693 int rsense; 1694 { 1695 struct block *b; 1696 struct slist *s; 1697 1698 s = new_stmt(BPF_LD|BPF_IMM); 1699 s->s.k = !rsense; 1700 b = new_block(JMP(BPF_JEQ)); 1701 b->stmts = s; 1702 1703 return b; 1704 } 1705 1706 static inline struct block * 1707 gen_true() 1708 { 1709 return gen_uncond(1); 1710 } 1711 1712 static inline struct block * 1713 gen_false() 1714 { 1715 return gen_uncond(0); 1716 } 1717 1718 /* 1719 * Byte-swap a 32-bit number. 1720 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1721 * big-endian platforms.) 1722 */ 1723 #define SWAPLONG(y) \ 1724 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1725 1726 /* 1727 * Generate code to match a particular packet type. 1728 * 1729 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1730 * value, if <= ETHERMTU. We use that to determine whether to 1731 * match the type/length field or to check the type/length field for 1732 * a value <= ETHERMTU to see whether it's a type field and then do 1733 * the appropriate test. 1734 */ 1735 static struct block * 1736 gen_ether_linktype(proto) 1737 register int proto; 1738 { 1739 struct block *b0, *b1; 1740 1741 switch (proto) { 1742 1743 case LLCSAP_ISONS: 1744 case LLCSAP_IP: 1745 case LLCSAP_NETBEUI: 1746 /* 1747 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1748 * so we check the DSAP and SSAP. 1749 * 1750 * LLCSAP_IP checks for IP-over-802.2, rather 1751 * than IP-over-Ethernet or IP-over-SNAP. 1752 * 1753 * XXX - should we check both the DSAP and the 1754 * SSAP, like this, or should we check just the 1755 * DSAP, as we do for other types <= ETHERMTU 1756 * (i.e., other SAP values)? 1757 */ 1758 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1759 gen_not(b0); 1760 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1761 ((proto << 8) | proto)); 1762 gen_and(b0, b1); 1763 return b1; 1764 1765 case LLCSAP_IPX: 1766 /* 1767 * Check for; 1768 * 1769 * Ethernet_II frames, which are Ethernet 1770 * frames with a frame type of ETHERTYPE_IPX; 1771 * 1772 * Ethernet_802.3 frames, which are 802.3 1773 * frames (i.e., the type/length field is 1774 * a length field, <= ETHERMTU, rather than 1775 * a type field) with the first two bytes 1776 * after the Ethernet/802.3 header being 1777 * 0xFFFF; 1778 * 1779 * Ethernet_802.2 frames, which are 802.3 1780 * frames with an 802.2 LLC header and 1781 * with the IPX LSAP as the DSAP in the LLC 1782 * header; 1783 * 1784 * Ethernet_SNAP frames, which are 802.3 1785 * frames with an LLC header and a SNAP 1786 * header and with an OUI of 0x000000 1787 * (encapsulated Ethernet) and a protocol 1788 * ID of ETHERTYPE_IPX in the SNAP header. 1789 * 1790 * XXX - should we generate the same code both 1791 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1792 */ 1793 1794 /* 1795 * This generates code to check both for the 1796 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1797 */ 1798 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1799 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1800 gen_or(b0, b1); 1801 1802 /* 1803 * Now we add code to check for SNAP frames with 1804 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1805 */ 1806 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1807 gen_or(b0, b1); 1808 1809 /* 1810 * Now we generate code to check for 802.3 1811 * frames in general. 1812 */ 1813 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1814 gen_not(b0); 1815 1816 /* 1817 * Now add the check for 802.3 frames before the 1818 * check for Ethernet_802.2 and Ethernet_802.3, 1819 * as those checks should only be done on 802.3 1820 * frames, not on Ethernet frames. 1821 */ 1822 gen_and(b0, b1); 1823 1824 /* 1825 * Now add the check for Ethernet_II frames, and 1826 * do that before checking for the other frame 1827 * types. 1828 */ 1829 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1830 (bpf_int32)ETHERTYPE_IPX); 1831 gen_or(b0, b1); 1832 return b1; 1833 1834 case ETHERTYPE_ATALK: 1835 case ETHERTYPE_AARP: 1836 /* 1837 * EtherTalk (AppleTalk protocols on Ethernet link 1838 * layer) may use 802.2 encapsulation. 1839 */ 1840 1841 /* 1842 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1843 * we check for an Ethernet type field less than 1844 * 1500, which means it's an 802.3 length field. 1845 */ 1846 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1847 gen_not(b0); 1848 1849 /* 1850 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1851 * SNAP packets with an organization code of 1852 * 0x080007 (Apple, for Appletalk) and a protocol 1853 * type of ETHERTYPE_ATALK (Appletalk). 1854 * 1855 * 802.2-encapsulated ETHERTYPE_AARP packets are 1856 * SNAP packets with an organization code of 1857 * 0x000000 (encapsulated Ethernet) and a protocol 1858 * type of ETHERTYPE_AARP (Appletalk ARP). 1859 */ 1860 if (proto == ETHERTYPE_ATALK) 1861 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1862 else /* proto == ETHERTYPE_AARP */ 1863 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1864 gen_and(b0, b1); 1865 1866 /* 1867 * Check for Ethernet encapsulation (Ethertalk 1868 * phase 1?); we just check for the Ethernet 1869 * protocol type. 1870 */ 1871 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1872 1873 gen_or(b0, b1); 1874 return b1; 1875 1876 default: 1877 if (proto <= ETHERMTU) { 1878 /* 1879 * This is an LLC SAP value, so the frames 1880 * that match would be 802.2 frames. 1881 * Check that the frame is an 802.2 frame 1882 * (i.e., that the length/type field is 1883 * a length field, <= ETHERMTU) and 1884 * then check the DSAP. 1885 */ 1886 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1887 gen_not(b0); 1888 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1889 (bpf_int32)proto); 1890 gen_and(b0, b1); 1891 return b1; 1892 } else { 1893 /* 1894 * This is an Ethernet type, so compare 1895 * the length/type field with it (if 1896 * the frame is an 802.2 frame, the length 1897 * field will be <= ETHERMTU, and, as 1898 * "proto" is > ETHERMTU, this test 1899 * will fail and the frame won't match, 1900 * which is what we want). 1901 */ 1902 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1903 (bpf_int32)proto); 1904 } 1905 } 1906 } 1907 1908 /* 1909 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1910 * or IPv6 then we have an error. 1911 */ 1912 static struct block * 1913 gen_ipnet_linktype(proto) 1914 register int proto; 1915 { 1916 switch (proto) { 1917 1918 case ETHERTYPE_IP: 1919 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1920 (bpf_int32)IPH_AF_INET); 1921 /* NOTREACHED */ 1922 1923 case ETHERTYPE_IPV6: 1924 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1925 (bpf_int32)IPH_AF_INET6); 1926 /* NOTREACHED */ 1927 1928 default: 1929 break; 1930 } 1931 1932 return gen_false(); 1933 } 1934 1935 /* 1936 * Generate code to match a particular packet type. 1937 * 1938 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1939 * value, if <= ETHERMTU. We use that to determine whether to 1940 * match the type field or to check the type field for the special 1941 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1942 */ 1943 static struct block * 1944 gen_linux_sll_linktype(proto) 1945 register int proto; 1946 { 1947 struct block *b0, *b1; 1948 1949 switch (proto) { 1950 1951 case LLCSAP_ISONS: 1952 case LLCSAP_IP: 1953 case LLCSAP_NETBEUI: 1954 /* 1955 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1956 * so we check the DSAP and SSAP. 1957 * 1958 * LLCSAP_IP checks for IP-over-802.2, rather 1959 * than IP-over-Ethernet or IP-over-SNAP. 1960 * 1961 * XXX - should we check both the DSAP and the 1962 * SSAP, like this, or should we check just the 1963 * DSAP, as we do for other types <= ETHERMTU 1964 * (i.e., other SAP values)? 1965 */ 1966 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1967 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1968 ((proto << 8) | proto)); 1969 gen_and(b0, b1); 1970 return b1; 1971 1972 case LLCSAP_IPX: 1973 /* 1974 * Ethernet_II frames, which are Ethernet 1975 * frames with a frame type of ETHERTYPE_IPX; 1976 * 1977 * Ethernet_802.3 frames, which have a frame 1978 * type of LINUX_SLL_P_802_3; 1979 * 1980 * Ethernet_802.2 frames, which are 802.3 1981 * frames with an 802.2 LLC header (i.e, have 1982 * a frame type of LINUX_SLL_P_802_2) and 1983 * with the IPX LSAP as the DSAP in the LLC 1984 * header; 1985 * 1986 * Ethernet_SNAP frames, which are 802.3 1987 * frames with an LLC header and a SNAP 1988 * header and with an OUI of 0x000000 1989 * (encapsulated Ethernet) and a protocol 1990 * ID of ETHERTYPE_IPX in the SNAP header. 1991 * 1992 * First, do the checks on LINUX_SLL_P_802_2 1993 * frames; generate the check for either 1994 * Ethernet_802.2 or Ethernet_SNAP frames, and 1995 * then put a check for LINUX_SLL_P_802_2 frames 1996 * before it. 1997 */ 1998 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1999 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2000 gen_or(b0, b1); 2001 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2002 gen_and(b0, b1); 2003 2004 /* 2005 * Now check for 802.3 frames and OR that with 2006 * the previous test. 2007 */ 2008 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2009 gen_or(b0, b1); 2010 2011 /* 2012 * Now add the check for Ethernet_II frames, and 2013 * do that before checking for the other frame 2014 * types. 2015 */ 2016 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2017 (bpf_int32)ETHERTYPE_IPX); 2018 gen_or(b0, b1); 2019 return b1; 2020 2021 case ETHERTYPE_ATALK: 2022 case ETHERTYPE_AARP: 2023 /* 2024 * EtherTalk (AppleTalk protocols on Ethernet link 2025 * layer) may use 802.2 encapsulation. 2026 */ 2027 2028 /* 2029 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2030 * we check for the 802.2 protocol type in the 2031 * "Ethernet type" field. 2032 */ 2033 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2034 2035 /* 2036 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2037 * SNAP packets with an organization code of 2038 * 0x080007 (Apple, for Appletalk) and a protocol 2039 * type of ETHERTYPE_ATALK (Appletalk). 2040 * 2041 * 802.2-encapsulated ETHERTYPE_AARP packets are 2042 * SNAP packets with an organization code of 2043 * 0x000000 (encapsulated Ethernet) and a protocol 2044 * type of ETHERTYPE_AARP (Appletalk ARP). 2045 */ 2046 if (proto == ETHERTYPE_ATALK) 2047 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2048 else /* proto == ETHERTYPE_AARP */ 2049 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2050 gen_and(b0, b1); 2051 2052 /* 2053 * Check for Ethernet encapsulation (Ethertalk 2054 * phase 1?); we just check for the Ethernet 2055 * protocol type. 2056 */ 2057 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2058 2059 gen_or(b0, b1); 2060 return b1; 2061 2062 default: 2063 if (proto <= ETHERMTU) { 2064 /* 2065 * This is an LLC SAP value, so the frames 2066 * that match would be 802.2 frames. 2067 * Check for the 802.2 protocol type 2068 * in the "Ethernet type" field, and 2069 * then check the DSAP. 2070 */ 2071 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2072 LINUX_SLL_P_802_2); 2073 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2074 (bpf_int32)proto); 2075 gen_and(b0, b1); 2076 return b1; 2077 } else { 2078 /* 2079 * This is an Ethernet type, so compare 2080 * the length/type field with it (if 2081 * the frame is an 802.2 frame, the length 2082 * field will be <= ETHERMTU, and, as 2083 * "proto" is > ETHERMTU, this test 2084 * will fail and the frame won't match, 2085 * which is what we want). 2086 */ 2087 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2088 (bpf_int32)proto); 2089 } 2090 } 2091 } 2092 2093 static struct slist * 2094 gen_load_prism_llprefixlen() 2095 { 2096 struct slist *s1, *s2; 2097 struct slist *sjeq_avs_cookie; 2098 struct slist *sjcommon; 2099 2100 /* 2101 * This code is not compatible with the optimizer, as 2102 * we are generating jmp instructions within a normal 2103 * slist of instructions 2104 */ 2105 no_optimize = 1; 2106 2107 /* 2108 * Generate code to load the length of the radio header into 2109 * the register assigned to hold that length, if one has been 2110 * assigned. (If one hasn't been assigned, no code we've 2111 * generated uses that prefix, so we don't need to generate any 2112 * code to load it.) 2113 * 2114 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2115 * or always use the AVS header rather than the Prism header. 2116 * We load a 4-byte big-endian value at the beginning of the 2117 * raw packet data, and see whether, when masked with 0xFFFFF000, 2118 * it's equal to 0x80211000. If so, that indicates that it's 2119 * an AVS header (the masked-out bits are the version number). 2120 * Otherwise, it's a Prism header. 2121 * 2122 * XXX - the Prism header is also, in theory, variable-length, 2123 * but no known software generates headers that aren't 144 2124 * bytes long. 2125 */ 2126 if (reg_off_ll != -1) { 2127 /* 2128 * Load the cookie. 2129 */ 2130 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2131 s1->s.k = 0; 2132 2133 /* 2134 * AND it with 0xFFFFF000. 2135 */ 2136 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2137 s2->s.k = 0xFFFFF000; 2138 sappend(s1, s2); 2139 2140 /* 2141 * Compare with 0x80211000. 2142 */ 2143 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2144 sjeq_avs_cookie->s.k = 0x80211000; 2145 sappend(s1, sjeq_avs_cookie); 2146 2147 /* 2148 * If it's AVS: 2149 * 2150 * The 4 bytes at an offset of 4 from the beginning of 2151 * the AVS header are the length of the AVS header. 2152 * That field is big-endian. 2153 */ 2154 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2155 s2->s.k = 4; 2156 sappend(s1, s2); 2157 sjeq_avs_cookie->s.jt = s2; 2158 2159 /* 2160 * Now jump to the code to allocate a register 2161 * into which to save the header length and 2162 * store the length there. (The "jump always" 2163 * instruction needs to have the k field set; 2164 * it's added to the PC, so, as we're jumping 2165 * over a single instruction, it should be 1.) 2166 */ 2167 sjcommon = new_stmt(JMP(BPF_JA)); 2168 sjcommon->s.k = 1; 2169 sappend(s1, sjcommon); 2170 2171 /* 2172 * Now for the code that handles the Prism header. 2173 * Just load the length of the Prism header (144) 2174 * into the A register. Have the test for an AVS 2175 * header branch here if we don't have an AVS header. 2176 */ 2177 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2178 s2->s.k = 144; 2179 sappend(s1, s2); 2180 sjeq_avs_cookie->s.jf = s2; 2181 2182 /* 2183 * Now allocate a register to hold that value and store 2184 * it. The code for the AVS header will jump here after 2185 * loading the length of the AVS header. 2186 */ 2187 s2 = new_stmt(BPF_ST); 2188 s2->s.k = reg_off_ll; 2189 sappend(s1, s2); 2190 sjcommon->s.jf = s2; 2191 2192 /* 2193 * Now move it into the X register. 2194 */ 2195 s2 = new_stmt(BPF_MISC|BPF_TAX); 2196 sappend(s1, s2); 2197 2198 return (s1); 2199 } else 2200 return (NULL); 2201 } 2202 2203 static struct slist * 2204 gen_load_avs_llprefixlen() 2205 { 2206 struct slist *s1, *s2; 2207 2208 /* 2209 * Generate code to load the length of the AVS header into 2210 * the register assigned to hold that length, if one has been 2211 * assigned. (If one hasn't been assigned, no code we've 2212 * generated uses that prefix, so we don't need to generate any 2213 * code to load it.) 2214 */ 2215 if (reg_off_ll != -1) { 2216 /* 2217 * The 4 bytes at an offset of 4 from the beginning of 2218 * the AVS header are the length of the AVS header. 2219 * That field is big-endian. 2220 */ 2221 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2222 s1->s.k = 4; 2223 2224 /* 2225 * Now allocate a register to hold that value and store 2226 * it. 2227 */ 2228 s2 = new_stmt(BPF_ST); 2229 s2->s.k = reg_off_ll; 2230 sappend(s1, s2); 2231 2232 /* 2233 * Now move it into the X register. 2234 */ 2235 s2 = new_stmt(BPF_MISC|BPF_TAX); 2236 sappend(s1, s2); 2237 2238 return (s1); 2239 } else 2240 return (NULL); 2241 } 2242 2243 static struct slist * 2244 gen_load_radiotap_llprefixlen() 2245 { 2246 struct slist *s1, *s2; 2247 2248 /* 2249 * Generate code to load the length of the radiotap header into 2250 * the register assigned to hold that length, if one has been 2251 * assigned. (If one hasn't been assigned, no code we've 2252 * generated uses that prefix, so we don't need to generate any 2253 * code to load it.) 2254 */ 2255 if (reg_off_ll != -1) { 2256 /* 2257 * The 2 bytes at offsets of 2 and 3 from the beginning 2258 * of the radiotap header are the length of the radiotap 2259 * header; unfortunately, it's little-endian, so we have 2260 * to load it a byte at a time and construct the value. 2261 */ 2262 2263 /* 2264 * Load the high-order byte, at an offset of 3, shift it 2265 * left a byte, and put the result in the X register. 2266 */ 2267 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2268 s1->s.k = 3; 2269 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2270 sappend(s1, s2); 2271 s2->s.k = 8; 2272 s2 = new_stmt(BPF_MISC|BPF_TAX); 2273 sappend(s1, s2); 2274 2275 /* 2276 * Load the next byte, at an offset of 2, and OR the 2277 * value from the X register into it. 2278 */ 2279 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2280 sappend(s1, s2); 2281 s2->s.k = 2; 2282 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2283 sappend(s1, s2); 2284 2285 /* 2286 * Now allocate a register to hold that value and store 2287 * it. 2288 */ 2289 s2 = new_stmt(BPF_ST); 2290 s2->s.k = reg_off_ll; 2291 sappend(s1, s2); 2292 2293 /* 2294 * Now move it into the X register. 2295 */ 2296 s2 = new_stmt(BPF_MISC|BPF_TAX); 2297 sappend(s1, s2); 2298 2299 return (s1); 2300 } else 2301 return (NULL); 2302 } 2303 2304 /* 2305 * At the moment we treat PPI as normal Radiotap encoded 2306 * packets. The difference is in the function that generates 2307 * the code at the beginning to compute the header length. 2308 * Since this code generator of PPI supports bare 802.11 2309 * encapsulation only (i.e. the encapsulated DLT should be 2310 * DLT_IEEE802_11) we generate code to check for this too; 2311 * that's done in finish_parse(). 2312 */ 2313 static struct slist * 2314 gen_load_ppi_llprefixlen() 2315 { 2316 struct slist *s1, *s2; 2317 2318 /* 2319 * Generate code to load the length of the radiotap header 2320 * into the register assigned to hold that length, if one has 2321 * been assigned. 2322 */ 2323 if (reg_off_ll != -1) { 2324 /* 2325 * The 2 bytes at offsets of 2 and 3 from the beginning 2326 * of the radiotap header are the length of the radiotap 2327 * header; unfortunately, it's little-endian, so we have 2328 * to load it a byte at a time and construct the value. 2329 */ 2330 2331 /* 2332 * Load the high-order byte, at an offset of 3, shift it 2333 * left a byte, and put the result in the X register. 2334 */ 2335 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2336 s1->s.k = 3; 2337 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2338 sappend(s1, s2); 2339 s2->s.k = 8; 2340 s2 = new_stmt(BPF_MISC|BPF_TAX); 2341 sappend(s1, s2); 2342 2343 /* 2344 * Load the next byte, at an offset of 2, and OR the 2345 * value from the X register into it. 2346 */ 2347 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2348 sappend(s1, s2); 2349 s2->s.k = 2; 2350 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2351 sappend(s1, s2); 2352 2353 /* 2354 * Now allocate a register to hold that value and store 2355 * it. 2356 */ 2357 s2 = new_stmt(BPF_ST); 2358 s2->s.k = reg_off_ll; 2359 sappend(s1, s2); 2360 2361 /* 2362 * Now move it into the X register. 2363 */ 2364 s2 = new_stmt(BPF_MISC|BPF_TAX); 2365 sappend(s1, s2); 2366 2367 return (s1); 2368 } else 2369 return (NULL); 2370 } 2371 2372 /* 2373 * Load a value relative to the beginning of the link-layer header after the 802.11 2374 * header, i.e. LLC_SNAP. 2375 * The link-layer header doesn't necessarily begin at the beginning 2376 * of the packet data; there might be a variable-length prefix containing 2377 * radio information. 2378 */ 2379 static struct slist * 2380 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2381 { 2382 struct slist *s2; 2383 struct slist *sjset_data_frame_1; 2384 struct slist *sjset_data_frame_2; 2385 struct slist *sjset_qos; 2386 struct slist *sjset_radiotap_flags; 2387 struct slist *sjset_radiotap_tsft; 2388 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2389 struct slist *s_roundup; 2390 2391 if (reg_off_macpl == -1) { 2392 /* 2393 * No register has been assigned to the offset of 2394 * the MAC-layer payload, which means nobody needs 2395 * it; don't bother computing it - just return 2396 * what we already have. 2397 */ 2398 return (s); 2399 } 2400 2401 /* 2402 * This code is not compatible with the optimizer, as 2403 * we are generating jmp instructions within a normal 2404 * slist of instructions 2405 */ 2406 no_optimize = 1; 2407 2408 /* 2409 * If "s" is non-null, it has code to arrange that the X register 2410 * contains the length of the prefix preceding the link-layer 2411 * header. 2412 * 2413 * Otherwise, the length of the prefix preceding the link-layer 2414 * header is "off_ll". 2415 */ 2416 if (s == NULL) { 2417 /* 2418 * There is no variable-length header preceding the 2419 * link-layer header. 2420 * 2421 * Load the length of the fixed-length prefix preceding 2422 * the link-layer header (if any) into the X register, 2423 * and store it in the reg_off_macpl register. 2424 * That length is off_ll. 2425 */ 2426 s = new_stmt(BPF_LDX|BPF_IMM); 2427 s->s.k = off_ll; 2428 } 2429 2430 /* 2431 * The X register contains the offset of the beginning of the 2432 * link-layer header; add 24, which is the minimum length 2433 * of the MAC header for a data frame, to that, and store it 2434 * in reg_off_macpl, and then load the Frame Control field, 2435 * which is at the offset in the X register, with an indexed load. 2436 */ 2437 s2 = new_stmt(BPF_MISC|BPF_TXA); 2438 sappend(s, s2); 2439 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2440 s2->s.k = 24; 2441 sappend(s, s2); 2442 s2 = new_stmt(BPF_ST); 2443 s2->s.k = reg_off_macpl; 2444 sappend(s, s2); 2445 2446 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2447 s2->s.k = 0; 2448 sappend(s, s2); 2449 2450 /* 2451 * Check the Frame Control field to see if this is a data frame; 2452 * a data frame has the 0x08 bit (b3) in that field set and the 2453 * 0x04 bit (b2) clear. 2454 */ 2455 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2456 sjset_data_frame_1->s.k = 0x08; 2457 sappend(s, sjset_data_frame_1); 2458 2459 /* 2460 * If b3 is set, test b2, otherwise go to the first statement of 2461 * the rest of the program. 2462 */ 2463 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2464 sjset_data_frame_2->s.k = 0x04; 2465 sappend(s, sjset_data_frame_2); 2466 sjset_data_frame_1->s.jf = snext; 2467 2468 /* 2469 * If b2 is not set, this is a data frame; test the QoS bit. 2470 * Otherwise, go to the first statement of the rest of the 2471 * program. 2472 */ 2473 sjset_data_frame_2->s.jt = snext; 2474 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2475 sjset_qos->s.k = 0x80; /* QoS bit */ 2476 sappend(s, sjset_qos); 2477 2478 /* 2479 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2480 * field. 2481 * Otherwise, go to the first statement of the rest of the 2482 * program. 2483 */ 2484 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2485 s2->s.k = reg_off_macpl; 2486 sappend(s, s2); 2487 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2488 s2->s.k = 2; 2489 sappend(s, s2); 2490 s2 = new_stmt(BPF_ST); 2491 s2->s.k = reg_off_macpl; 2492 sappend(s, s2); 2493 2494 /* 2495 * If we have a radiotap header, look at it to see whether 2496 * there's Atheros padding between the MAC-layer header 2497 * and the payload. 2498 * 2499 * Note: all of the fields in the radiotap header are 2500 * little-endian, so we byte-swap all of the values 2501 * we test against, as they will be loaded as big-endian 2502 * values. 2503 */ 2504 if (linktype == DLT_IEEE802_11_RADIO) { 2505 /* 2506 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2507 * in the presence flag? 2508 */ 2509 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2510 s2->s.k = 4; 2511 sappend(s, s2); 2512 2513 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2514 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2515 sappend(s, sjset_radiotap_flags); 2516 2517 /* 2518 * If not, skip all of this. 2519 */ 2520 sjset_radiotap_flags->s.jf = snext; 2521 2522 /* 2523 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2524 */ 2525 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2526 new_stmt(JMP(BPF_JSET)); 2527 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2528 sappend(s, sjset_radiotap_tsft); 2529 2530 /* 2531 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2532 * at an offset of 16 from the beginning of the raw packet 2533 * data (8 bytes for the radiotap header and 8 bytes for 2534 * the TSFT field). 2535 * 2536 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2537 * is set. 2538 */ 2539 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2540 s2->s.k = 16; 2541 sappend(s, s2); 2542 2543 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2544 sjset_tsft_datapad->s.k = 0x20; 2545 sappend(s, sjset_tsft_datapad); 2546 2547 /* 2548 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2549 * at an offset of 8 from the beginning of the raw packet 2550 * data (8 bytes for the radiotap header). 2551 * 2552 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2553 * is set. 2554 */ 2555 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2556 s2->s.k = 8; 2557 sappend(s, s2); 2558 2559 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2560 sjset_notsft_datapad->s.k = 0x20; 2561 sappend(s, sjset_notsft_datapad); 2562 2563 /* 2564 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2565 * set, round the length of the 802.11 header to 2566 * a multiple of 4. Do that by adding 3 and then 2567 * dividing by and multiplying by 4, which we do by 2568 * ANDing with ~3. 2569 */ 2570 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2571 s_roundup->s.k = reg_off_macpl; 2572 sappend(s, s_roundup); 2573 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2574 s2->s.k = 3; 2575 sappend(s, s2); 2576 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2577 s2->s.k = ~3; 2578 sappend(s, s2); 2579 s2 = new_stmt(BPF_ST); 2580 s2->s.k = reg_off_macpl; 2581 sappend(s, s2); 2582 2583 sjset_tsft_datapad->s.jt = s_roundup; 2584 sjset_tsft_datapad->s.jf = snext; 2585 sjset_notsft_datapad->s.jt = s_roundup; 2586 sjset_notsft_datapad->s.jf = snext; 2587 } else 2588 sjset_qos->s.jf = snext; 2589 2590 return s; 2591 } 2592 2593 static void 2594 insert_compute_vloffsets(b) 2595 struct block *b; 2596 { 2597 struct slist *s; 2598 2599 /* 2600 * For link-layer types that have a variable-length header 2601 * preceding the link-layer header, generate code to load 2602 * the offset of the link-layer header into the register 2603 * assigned to that offset, if any. 2604 */ 2605 switch (linktype) { 2606 2607 case DLT_PRISM_HEADER: 2608 s = gen_load_prism_llprefixlen(); 2609 break; 2610 2611 case DLT_IEEE802_11_RADIO_AVS: 2612 s = gen_load_avs_llprefixlen(); 2613 break; 2614 2615 case DLT_IEEE802_11_RADIO: 2616 s = gen_load_radiotap_llprefixlen(); 2617 break; 2618 2619 case DLT_PPI: 2620 s = gen_load_ppi_llprefixlen(); 2621 break; 2622 2623 default: 2624 s = NULL; 2625 break; 2626 } 2627 2628 /* 2629 * For link-layer types that have a variable-length link-layer 2630 * header, generate code to load the offset of the MAC-layer 2631 * payload into the register assigned to that offset, if any. 2632 */ 2633 switch (linktype) { 2634 2635 case DLT_IEEE802_11: 2636 case DLT_PRISM_HEADER: 2637 case DLT_IEEE802_11_RADIO_AVS: 2638 case DLT_IEEE802_11_RADIO: 2639 case DLT_PPI: 2640 s = gen_load_802_11_header_len(s, b->stmts); 2641 break; 2642 } 2643 2644 /* 2645 * If we have any offset-loading code, append all the 2646 * existing statements in the block to those statements, 2647 * and make the resulting list the list of statements 2648 * for the block. 2649 */ 2650 if (s != NULL) { 2651 sappend(s, b->stmts); 2652 b->stmts = s; 2653 } 2654 } 2655 2656 static struct block * 2657 gen_ppi_dlt_check(void) 2658 { 2659 struct slist *s_load_dlt; 2660 struct block *b; 2661 2662 if (linktype == DLT_PPI) 2663 { 2664 /* Create the statements that check for the DLT 2665 */ 2666 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2667 s_load_dlt->s.k = 4; 2668 2669 b = new_block(JMP(BPF_JEQ)); 2670 2671 b->stmts = s_load_dlt; 2672 b->s.k = SWAPLONG(DLT_IEEE802_11); 2673 } 2674 else 2675 { 2676 b = NULL; 2677 } 2678 2679 return b; 2680 } 2681 2682 static struct slist * 2683 gen_prism_llprefixlen(void) 2684 { 2685 struct slist *s; 2686 2687 if (reg_off_ll == -1) { 2688 /* 2689 * We haven't yet assigned a register for the length 2690 * of the radio header; allocate one. 2691 */ 2692 reg_off_ll = alloc_reg(); 2693 } 2694 2695 /* 2696 * Load the register containing the radio length 2697 * into the X register. 2698 */ 2699 s = new_stmt(BPF_LDX|BPF_MEM); 2700 s->s.k = reg_off_ll; 2701 return s; 2702 } 2703 2704 static struct slist * 2705 gen_avs_llprefixlen(void) 2706 { 2707 struct slist *s; 2708 2709 if (reg_off_ll == -1) { 2710 /* 2711 * We haven't yet assigned a register for the length 2712 * of the AVS header; allocate one. 2713 */ 2714 reg_off_ll = alloc_reg(); 2715 } 2716 2717 /* 2718 * Load the register containing the AVS length 2719 * into the X register. 2720 */ 2721 s = new_stmt(BPF_LDX|BPF_MEM); 2722 s->s.k = reg_off_ll; 2723 return s; 2724 } 2725 2726 static struct slist * 2727 gen_radiotap_llprefixlen(void) 2728 { 2729 struct slist *s; 2730 2731 if (reg_off_ll == -1) { 2732 /* 2733 * We haven't yet assigned a register for the length 2734 * of the radiotap header; allocate one. 2735 */ 2736 reg_off_ll = alloc_reg(); 2737 } 2738 2739 /* 2740 * Load the register containing the radiotap length 2741 * into the X register. 2742 */ 2743 s = new_stmt(BPF_LDX|BPF_MEM); 2744 s->s.k = reg_off_ll; 2745 return s; 2746 } 2747 2748 /* 2749 * At the moment we treat PPI as normal Radiotap encoded 2750 * packets. The difference is in the function that generates 2751 * the code at the beginning to compute the header length. 2752 * Since this code generator of PPI supports bare 802.11 2753 * encapsulation only (i.e. the encapsulated DLT should be 2754 * DLT_IEEE802_11) we generate code to check for this too. 2755 */ 2756 static struct slist * 2757 gen_ppi_llprefixlen(void) 2758 { 2759 struct slist *s; 2760 2761 if (reg_off_ll == -1) { 2762 /* 2763 * We haven't yet assigned a register for the length 2764 * of the radiotap header; allocate one. 2765 */ 2766 reg_off_ll = alloc_reg(); 2767 } 2768 2769 /* 2770 * Load the register containing the PPI length 2771 * into the X register. 2772 */ 2773 s = new_stmt(BPF_LDX|BPF_MEM); 2774 s->s.k = reg_off_ll; 2775 return s; 2776 } 2777 2778 /* 2779 * Generate code to compute the link-layer header length, if necessary, 2780 * putting it into the X register, and to return either a pointer to a 2781 * "struct slist" for the list of statements in that code, or NULL if 2782 * no code is necessary. 2783 */ 2784 static struct slist * 2785 gen_llprefixlen(void) 2786 { 2787 switch (linktype) { 2788 2789 case DLT_PRISM_HEADER: 2790 return gen_prism_llprefixlen(); 2791 2792 case DLT_IEEE802_11_RADIO_AVS: 2793 return gen_avs_llprefixlen(); 2794 2795 case DLT_IEEE802_11_RADIO: 2796 return gen_radiotap_llprefixlen(); 2797 2798 case DLT_PPI: 2799 return gen_ppi_llprefixlen(); 2800 2801 default: 2802 return NULL; 2803 } 2804 } 2805 2806 /* 2807 * Generate code to load the register containing the offset of the 2808 * MAC-layer payload into the X register; if no register for that offset 2809 * has been allocated, allocate it first. 2810 */ 2811 static struct slist * 2812 gen_off_macpl(void) 2813 { 2814 struct slist *s; 2815 2816 if (off_macpl_is_variable) { 2817 if (reg_off_macpl == -1) { 2818 /* 2819 * We haven't yet assigned a register for the offset 2820 * of the MAC-layer payload; allocate one. 2821 */ 2822 reg_off_macpl = alloc_reg(); 2823 } 2824 2825 /* 2826 * Load the register containing the offset of the MAC-layer 2827 * payload into the X register. 2828 */ 2829 s = new_stmt(BPF_LDX|BPF_MEM); 2830 s->s.k = reg_off_macpl; 2831 return s; 2832 } else { 2833 /* 2834 * That offset isn't variable, so we don't need to 2835 * generate any code. 2836 */ 2837 return NULL; 2838 } 2839 } 2840 2841 /* 2842 * Map an Ethernet type to the equivalent PPP type. 2843 */ 2844 static int 2845 ethertype_to_ppptype(proto) 2846 int proto; 2847 { 2848 switch (proto) { 2849 2850 case ETHERTYPE_IP: 2851 proto = PPP_IP; 2852 break; 2853 2854 case ETHERTYPE_IPV6: 2855 proto = PPP_IPV6; 2856 break; 2857 2858 case ETHERTYPE_DN: 2859 proto = PPP_DECNET; 2860 break; 2861 2862 case ETHERTYPE_ATALK: 2863 proto = PPP_APPLE; 2864 break; 2865 2866 case ETHERTYPE_NS: 2867 proto = PPP_NS; 2868 break; 2869 2870 case LLCSAP_ISONS: 2871 proto = PPP_OSI; 2872 break; 2873 2874 case LLCSAP_8021D: 2875 /* 2876 * I'm assuming the "Bridging PDU"s that go 2877 * over PPP are Spanning Tree Protocol 2878 * Bridging PDUs. 2879 */ 2880 proto = PPP_BRPDU; 2881 break; 2882 2883 case LLCSAP_IPX: 2884 proto = PPP_IPX; 2885 break; 2886 } 2887 return (proto); 2888 } 2889 2890 /* 2891 * Generate code to match a particular packet type by matching the 2892 * link-layer type field or fields in the 802.2 LLC header. 2893 * 2894 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2895 * value, if <= ETHERMTU. 2896 */ 2897 static struct block * 2898 gen_linktype(proto) 2899 register int proto; 2900 { 2901 struct block *b0, *b1, *b2; 2902 2903 /* are we checking MPLS-encapsulated packets? */ 2904 if (label_stack_depth > 0) { 2905 switch (proto) { 2906 case ETHERTYPE_IP: 2907 case PPP_IP: 2908 /* FIXME add other L3 proto IDs */ 2909 return gen_mpls_linktype(Q_IP); 2910 2911 case ETHERTYPE_IPV6: 2912 case PPP_IPV6: 2913 /* FIXME add other L3 proto IDs */ 2914 return gen_mpls_linktype(Q_IPV6); 2915 2916 default: 2917 bpf_error("unsupported protocol over mpls"); 2918 /* NOTREACHED */ 2919 } 2920 } 2921 2922 /* 2923 * Are we testing PPPoE packets? 2924 */ 2925 if (is_pppoes) { 2926 /* 2927 * The PPPoE session header is part of the 2928 * MAC-layer payload, so all references 2929 * should be relative to the beginning of 2930 * that payload. 2931 */ 2932 2933 /* 2934 * We use Ethernet protocol types inside libpcap; 2935 * map them to the corresponding PPP protocol types. 2936 */ 2937 proto = ethertype_to_ppptype(proto); 2938 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2939 } 2940 2941 switch (linktype) { 2942 2943 case DLT_EN10MB: 2944 case DLT_NETANALYZER: 2945 case DLT_NETANALYZER_TRANSPARENT: 2946 return gen_ether_linktype(proto); 2947 /*NOTREACHED*/ 2948 break; 2949 2950 case DLT_C_HDLC: 2951 switch (proto) { 2952 2953 case LLCSAP_ISONS: 2954 proto = (proto << 8 | LLCSAP_ISONS); 2955 /* fall through */ 2956 2957 default: 2958 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2959 (bpf_int32)proto); 2960 /*NOTREACHED*/ 2961 break; 2962 } 2963 break; 2964 2965 case DLT_IEEE802_11: 2966 case DLT_PRISM_HEADER: 2967 case DLT_IEEE802_11_RADIO_AVS: 2968 case DLT_IEEE802_11_RADIO: 2969 case DLT_PPI: 2970 /* 2971 * Check that we have a data frame. 2972 */ 2973 b0 = gen_check_802_11_data_frame(); 2974 2975 /* 2976 * Now check for the specified link-layer type. 2977 */ 2978 b1 = gen_llc_linktype(proto); 2979 gen_and(b0, b1); 2980 return b1; 2981 /*NOTREACHED*/ 2982 break; 2983 2984 case DLT_FDDI: 2985 /* 2986 * XXX - check for asynchronous frames, as per RFC 1103. 2987 */ 2988 return gen_llc_linktype(proto); 2989 /*NOTREACHED*/ 2990 break; 2991 2992 case DLT_IEEE802: 2993 /* 2994 * XXX - check for LLC PDUs, as per IEEE 802.5. 2995 */ 2996 return gen_llc_linktype(proto); 2997 /*NOTREACHED*/ 2998 break; 2999 3000 case DLT_ATM_RFC1483: 3001 case DLT_ATM_CLIP: 3002 case DLT_IP_OVER_FC: 3003 return gen_llc_linktype(proto); 3004 /*NOTREACHED*/ 3005 break; 3006 3007 case DLT_SUNATM: 3008 /* 3009 * If "is_lane" is set, check for a LANE-encapsulated 3010 * version of this protocol, otherwise check for an 3011 * LLC-encapsulated version of this protocol. 3012 * 3013 * We assume LANE means Ethernet, not Token Ring. 3014 */ 3015 if (is_lane) { 3016 /* 3017 * Check that the packet doesn't begin with an 3018 * LE Control marker. (We've already generated 3019 * a test for LANE.) 3020 */ 3021 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3022 0xFF00); 3023 gen_not(b0); 3024 3025 /* 3026 * Now generate an Ethernet test. 3027 */ 3028 b1 = gen_ether_linktype(proto); 3029 gen_and(b0, b1); 3030 return b1; 3031 } else { 3032 /* 3033 * Check for LLC encapsulation and then check the 3034 * protocol. 3035 */ 3036 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3037 b1 = gen_llc_linktype(proto); 3038 gen_and(b0, b1); 3039 return b1; 3040 } 3041 /*NOTREACHED*/ 3042 break; 3043 3044 case DLT_LINUX_SLL: 3045 return gen_linux_sll_linktype(proto); 3046 /*NOTREACHED*/ 3047 break; 3048 3049 case DLT_SLIP: 3050 case DLT_SLIP_BSDOS: 3051 case DLT_RAW: 3052 /* 3053 * These types don't provide any type field; packets 3054 * are always IPv4 or IPv6. 3055 * 3056 * XXX - for IPv4, check for a version number of 4, and, 3057 * for IPv6, check for a version number of 6? 3058 */ 3059 switch (proto) { 3060 3061 case ETHERTYPE_IP: 3062 /* Check for a version number of 4. */ 3063 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3064 3065 case ETHERTYPE_IPV6: 3066 /* Check for a version number of 6. */ 3067 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3068 3069 default: 3070 return gen_false(); /* always false */ 3071 } 3072 /*NOTREACHED*/ 3073 break; 3074 3075 case DLT_IPV4: 3076 /* 3077 * Raw IPv4, so no type field. 3078 */ 3079 if (proto == ETHERTYPE_IP) 3080 return gen_true(); /* always true */ 3081 3082 /* Checking for something other than IPv4; always false */ 3083 return gen_false(); 3084 /*NOTREACHED*/ 3085 break; 3086 3087 case DLT_IPV6: 3088 /* 3089 * Raw IPv6, so no type field. 3090 */ 3091 if (proto == ETHERTYPE_IPV6) 3092 return gen_true(); /* always true */ 3093 3094 /* Checking for something other than IPv6; always false */ 3095 return gen_false(); 3096 /*NOTREACHED*/ 3097 break; 3098 3099 case DLT_PPP: 3100 case DLT_PPP_PPPD: 3101 case DLT_PPP_SERIAL: 3102 case DLT_PPP_ETHER: 3103 /* 3104 * We use Ethernet protocol types inside libpcap; 3105 * map them to the corresponding PPP protocol types. 3106 */ 3107 proto = ethertype_to_ppptype(proto); 3108 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3109 /*NOTREACHED*/ 3110 break; 3111 3112 case DLT_PPP_BSDOS: 3113 /* 3114 * We use Ethernet protocol types inside libpcap; 3115 * map them to the corresponding PPP protocol types. 3116 */ 3117 switch (proto) { 3118 3119 case ETHERTYPE_IP: 3120 /* 3121 * Also check for Van Jacobson-compressed IP. 3122 * XXX - do this for other forms of PPP? 3123 */ 3124 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3125 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3126 gen_or(b0, b1); 3127 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3128 gen_or(b1, b0); 3129 return b0; 3130 3131 default: 3132 proto = ethertype_to_ppptype(proto); 3133 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3134 (bpf_int32)proto); 3135 } 3136 /*NOTREACHED*/ 3137 break; 3138 3139 case DLT_NULL: 3140 case DLT_LOOP: 3141 case DLT_ENC: 3142 /* 3143 * For DLT_NULL, the link-layer header is a 32-bit 3144 * word containing an AF_ value in *host* byte order, 3145 * and for DLT_ENC, the link-layer header begins 3146 * with a 32-bit work containing an AF_ value in 3147 * host byte order. 3148 * 3149 * In addition, if we're reading a saved capture file, 3150 * the host byte order in the capture may not be the 3151 * same as the host byte order on this machine. 3152 * 3153 * For DLT_LOOP, the link-layer header is a 32-bit 3154 * word containing an AF_ value in *network* byte order. 3155 * 3156 * XXX - AF_ values may, unfortunately, be platform- 3157 * dependent; for example, FreeBSD's AF_INET6 is 24 3158 * whilst NetBSD's and OpenBSD's is 26. 3159 * 3160 * This means that, when reading a capture file, just 3161 * checking for our AF_INET6 value won't work if the 3162 * capture file came from another OS. 3163 */ 3164 switch (proto) { 3165 3166 case ETHERTYPE_IP: 3167 proto = AF_INET; 3168 break; 3169 3170 #ifdef INET6 3171 case ETHERTYPE_IPV6: 3172 proto = AF_INET6; 3173 break; 3174 #endif 3175 3176 default: 3177 /* 3178 * Not a type on which we support filtering. 3179 * XXX - support those that have AF_ values 3180 * #defined on this platform, at least? 3181 */ 3182 return gen_false(); 3183 } 3184 3185 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3186 /* 3187 * The AF_ value is in host byte order, but 3188 * the BPF interpreter will convert it to 3189 * network byte order. 3190 * 3191 * If this is a save file, and it's from a 3192 * machine with the opposite byte order to 3193 * ours, we byte-swap the AF_ value. 3194 * 3195 * Then we run it through "htonl()", and 3196 * generate code to compare against the result. 3197 */ 3198 if (bpf_pcap->sf.rfile != NULL && 3199 bpf_pcap->sf.swapped) 3200 proto = SWAPLONG(proto); 3201 proto = htonl(proto); 3202 } 3203 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3204 3205 #ifdef HAVE_NET_PFVAR_H 3206 case DLT_PFLOG: 3207 /* 3208 * af field is host byte order in contrast to the rest of 3209 * the packet. 3210 */ 3211 if (proto == ETHERTYPE_IP) 3212 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3213 BPF_B, (bpf_int32)AF_INET)); 3214 else if (proto == ETHERTYPE_IPV6) 3215 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3216 BPF_B, (bpf_int32)AF_INET6)); 3217 else 3218 return gen_false(); 3219 /*NOTREACHED*/ 3220 break; 3221 #endif /* HAVE_NET_PFVAR_H */ 3222 3223 case DLT_ARCNET: 3224 case DLT_ARCNET_LINUX: 3225 /* 3226 * XXX should we check for first fragment if the protocol 3227 * uses PHDS? 3228 */ 3229 switch (proto) { 3230 3231 default: 3232 return gen_false(); 3233 3234 case ETHERTYPE_IPV6: 3235 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3236 (bpf_int32)ARCTYPE_INET6)); 3237 3238 case ETHERTYPE_IP: 3239 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3240 (bpf_int32)ARCTYPE_IP); 3241 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3242 (bpf_int32)ARCTYPE_IP_OLD); 3243 gen_or(b0, b1); 3244 return (b1); 3245 3246 case ETHERTYPE_ARP: 3247 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3248 (bpf_int32)ARCTYPE_ARP); 3249 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3250 (bpf_int32)ARCTYPE_ARP_OLD); 3251 gen_or(b0, b1); 3252 return (b1); 3253 3254 case ETHERTYPE_REVARP: 3255 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3256 (bpf_int32)ARCTYPE_REVARP)); 3257 3258 case ETHERTYPE_ATALK: 3259 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3260 (bpf_int32)ARCTYPE_ATALK)); 3261 } 3262 /*NOTREACHED*/ 3263 break; 3264 3265 case DLT_LTALK: 3266 switch (proto) { 3267 case ETHERTYPE_ATALK: 3268 return gen_true(); 3269 default: 3270 return gen_false(); 3271 } 3272 /*NOTREACHED*/ 3273 break; 3274 3275 case DLT_FRELAY: 3276 /* 3277 * XXX - assumes a 2-byte Frame Relay header with 3278 * DLCI and flags. What if the address is longer? 3279 */ 3280 switch (proto) { 3281 3282 case ETHERTYPE_IP: 3283 /* 3284 * Check for the special NLPID for IP. 3285 */ 3286 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3287 3288 case ETHERTYPE_IPV6: 3289 /* 3290 * Check for the special NLPID for IPv6. 3291 */ 3292 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3293 3294 case LLCSAP_ISONS: 3295 /* 3296 * Check for several OSI protocols. 3297 * 3298 * Frame Relay packets typically have an OSI 3299 * NLPID at the beginning; we check for each 3300 * of them. 3301 * 3302 * What we check for is the NLPID and a frame 3303 * control field of UI, i.e. 0x03 followed 3304 * by the NLPID. 3305 */ 3306 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3307 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3308 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3309 gen_or(b1, b2); 3310 gen_or(b0, b2); 3311 return b2; 3312 3313 default: 3314 return gen_false(); 3315 } 3316 /*NOTREACHED*/ 3317 break; 3318 3319 case DLT_MFR: 3320 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3321 3322 case DLT_JUNIPER_MFR: 3323 case DLT_JUNIPER_MLFR: 3324 case DLT_JUNIPER_MLPPP: 3325 case DLT_JUNIPER_ATM1: 3326 case DLT_JUNIPER_ATM2: 3327 case DLT_JUNIPER_PPPOE: 3328 case DLT_JUNIPER_PPPOE_ATM: 3329 case DLT_JUNIPER_GGSN: 3330 case DLT_JUNIPER_ES: 3331 case DLT_JUNIPER_MONITOR: 3332 case DLT_JUNIPER_SERVICES: 3333 case DLT_JUNIPER_ETHER: 3334 case DLT_JUNIPER_PPP: 3335 case DLT_JUNIPER_FRELAY: 3336 case DLT_JUNIPER_CHDLC: 3337 case DLT_JUNIPER_VP: 3338 case DLT_JUNIPER_ST: 3339 case DLT_JUNIPER_ISM: 3340 case DLT_JUNIPER_VS: 3341 case DLT_JUNIPER_SRX_E2E: 3342 case DLT_JUNIPER_FIBRECHANNEL: 3343 case DLT_JUNIPER_ATM_CEMIC: 3344 3345 /* just lets verify the magic number for now - 3346 * on ATM we may have up to 6 different encapsulations on the wire 3347 * and need a lot of heuristics to figure out that the payload 3348 * might be; 3349 * 3350 * FIXME encapsulation specific BPF_ filters 3351 */ 3352 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3353 3354 case DLT_IPNET: 3355 return gen_ipnet_linktype(proto); 3356 3357 case DLT_LINUX_IRDA: 3358 bpf_error("IrDA link-layer type filtering not implemented"); 3359 3360 case DLT_DOCSIS: 3361 bpf_error("DOCSIS link-layer type filtering not implemented"); 3362 3363 case DLT_MTP2: 3364 case DLT_MTP2_WITH_PHDR: 3365 bpf_error("MTP2 link-layer type filtering not implemented"); 3366 3367 case DLT_ERF: 3368 bpf_error("ERF link-layer type filtering not implemented"); 3369 3370 case DLT_PFSYNC: 3371 bpf_error("PFSYNC link-layer type filtering not implemented"); 3372 3373 case DLT_LINUX_LAPD: 3374 bpf_error("LAPD link-layer type filtering not implemented"); 3375 3376 case DLT_USB: 3377 case DLT_USB_LINUX: 3378 case DLT_USB_LINUX_MMAPPED: 3379 bpf_error("USB link-layer type filtering not implemented"); 3380 3381 case DLT_BLUETOOTH_HCI_H4: 3382 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3383 bpf_error("Bluetooth link-layer type filtering not implemented"); 3384 3385 case DLT_CAN20B: 3386 case DLT_CAN_SOCKETCAN: 3387 bpf_error("CAN link-layer type filtering not implemented"); 3388 3389 case DLT_IEEE802_15_4: 3390 case DLT_IEEE802_15_4_LINUX: 3391 case DLT_IEEE802_15_4_NONASK_PHY: 3392 case DLT_IEEE802_15_4_NOFCS: 3393 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3394 3395 case DLT_IEEE802_16_MAC_CPS_RADIO: 3396 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3397 3398 case DLT_SITA: 3399 bpf_error("SITA link-layer type filtering not implemented"); 3400 3401 case DLT_RAIF1: 3402 bpf_error("RAIF1 link-layer type filtering not implemented"); 3403 3404 case DLT_IPMB: 3405 bpf_error("IPMB link-layer type filtering not implemented"); 3406 3407 case DLT_AX25_KISS: 3408 bpf_error("AX.25 link-layer type filtering not implemented"); 3409 } 3410 3411 /* 3412 * All the types that have no encapsulation should either be 3413 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3414 * all packets are IP packets, or should be handled in some 3415 * special case, if none of them are (if some are and some 3416 * aren't, the lack of encapsulation is a problem, as we'd 3417 * have to find some other way of determining the packet type). 3418 * 3419 * Therefore, if "off_linktype" is -1, there's an error. 3420 */ 3421 if (off_linktype == (u_int)-1) 3422 abort(); 3423 3424 /* 3425 * Any type not handled above should always have an Ethernet 3426 * type at an offset of "off_linktype". 3427 */ 3428 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3429 } 3430 3431 /* 3432 * Check for an LLC SNAP packet with a given organization code and 3433 * protocol type; we check the entire contents of the 802.2 LLC and 3434 * snap headers, checking for DSAP and SSAP of SNAP and a control 3435 * field of 0x03 in the LLC header, and for the specified organization 3436 * code and protocol type in the SNAP header. 3437 */ 3438 static struct block * 3439 gen_snap(orgcode, ptype) 3440 bpf_u_int32 orgcode; 3441 bpf_u_int32 ptype; 3442 { 3443 u_char snapblock[8]; 3444 3445 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3446 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3447 snapblock[2] = 0x03; /* control = UI */ 3448 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3449 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3450 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3451 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3452 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3453 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3454 } 3455 3456 /* 3457 * Generate code to match a particular packet type, for link-layer types 3458 * using 802.2 LLC headers. 3459 * 3460 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3461 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3462 * 3463 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3464 * value, if <= ETHERMTU. We use that to determine whether to 3465 * match the DSAP or both DSAP and LSAP or to check the OUI and 3466 * protocol ID in a SNAP header. 3467 */ 3468 static struct block * 3469 gen_llc_linktype(proto) 3470 int proto; 3471 { 3472 /* 3473 * XXX - handle token-ring variable-length header. 3474 */ 3475 switch (proto) { 3476 3477 case LLCSAP_IP: 3478 case LLCSAP_ISONS: 3479 case LLCSAP_NETBEUI: 3480 /* 3481 * XXX - should we check both the DSAP and the 3482 * SSAP, like this, or should we check just the 3483 * DSAP, as we do for other types <= ETHERMTU 3484 * (i.e., other SAP values)? 3485 */ 3486 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3487 ((proto << 8) | proto)); 3488 3489 case LLCSAP_IPX: 3490 /* 3491 * XXX - are there ever SNAP frames for IPX on 3492 * non-Ethernet 802.x networks? 3493 */ 3494 return gen_cmp(OR_MACPL, 0, BPF_B, 3495 (bpf_int32)LLCSAP_IPX); 3496 3497 case ETHERTYPE_ATALK: 3498 /* 3499 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3500 * SNAP packets with an organization code of 3501 * 0x080007 (Apple, for Appletalk) and a protocol 3502 * type of ETHERTYPE_ATALK (Appletalk). 3503 * 3504 * XXX - check for an organization code of 3505 * encapsulated Ethernet as well? 3506 */ 3507 return gen_snap(0x080007, ETHERTYPE_ATALK); 3508 3509 default: 3510 /* 3511 * XXX - we don't have to check for IPX 802.3 3512 * here, but should we check for the IPX Ethertype? 3513 */ 3514 if (proto <= ETHERMTU) { 3515 /* 3516 * This is an LLC SAP value, so check 3517 * the DSAP. 3518 */ 3519 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3520 } else { 3521 /* 3522 * This is an Ethernet type; we assume that it's 3523 * unlikely that it'll appear in the right place 3524 * at random, and therefore check only the 3525 * location that would hold the Ethernet type 3526 * in a SNAP frame with an organization code of 3527 * 0x000000 (encapsulated Ethernet). 3528 * 3529 * XXX - if we were to check for the SNAP DSAP and 3530 * LSAP, as per XXX, and were also to check for an 3531 * organization code of 0x000000 (encapsulated 3532 * Ethernet), we'd do 3533 * 3534 * return gen_snap(0x000000, proto); 3535 * 3536 * here; for now, we don't, as per the above. 3537 * I don't know whether it's worth the extra CPU 3538 * time to do the right check or not. 3539 */ 3540 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3541 } 3542 } 3543 } 3544 3545 static struct block * 3546 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3547 bpf_u_int32 addr; 3548 bpf_u_int32 mask; 3549 int dir, proto; 3550 u_int src_off, dst_off; 3551 { 3552 struct block *b0, *b1; 3553 u_int offset; 3554 3555 switch (dir) { 3556 3557 case Q_SRC: 3558 offset = src_off; 3559 break; 3560 3561 case Q_DST: 3562 offset = dst_off; 3563 break; 3564 3565 case Q_AND: 3566 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3567 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3568 gen_and(b0, b1); 3569 return b1; 3570 3571 case Q_OR: 3572 case Q_DEFAULT: 3573 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3574 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3575 gen_or(b0, b1); 3576 return b1; 3577 3578 default: 3579 abort(); 3580 } 3581 b0 = gen_linktype(proto); 3582 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3583 gen_and(b0, b1); 3584 return b1; 3585 } 3586 3587 #ifdef INET6 3588 static struct block * 3589 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3590 struct in6_addr *addr; 3591 struct in6_addr *mask; 3592 int dir, proto; 3593 u_int src_off, dst_off; 3594 { 3595 struct block *b0, *b1; 3596 u_int offset; 3597 u_int32_t *a, *m; 3598 3599 switch (dir) { 3600 3601 case Q_SRC: 3602 offset = src_off; 3603 break; 3604 3605 case Q_DST: 3606 offset = dst_off; 3607 break; 3608 3609 case Q_AND: 3610 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3611 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3612 gen_and(b0, b1); 3613 return b1; 3614 3615 case Q_OR: 3616 case Q_DEFAULT: 3617 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3618 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3619 gen_or(b0, b1); 3620 return b1; 3621 3622 default: 3623 abort(); 3624 } 3625 /* this order is important */ 3626 a = (u_int32_t *)addr; 3627 m = (u_int32_t *)mask; 3628 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3629 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3630 gen_and(b0, b1); 3631 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3632 gen_and(b0, b1); 3633 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3634 gen_and(b0, b1); 3635 b0 = gen_linktype(proto); 3636 gen_and(b0, b1); 3637 return b1; 3638 } 3639 #endif 3640 3641 static struct block * 3642 gen_ehostop(eaddr, dir) 3643 register const u_char *eaddr; 3644 register int dir; 3645 { 3646 register struct block *b0, *b1; 3647 3648 switch (dir) { 3649 case Q_SRC: 3650 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3651 3652 case Q_DST: 3653 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3654 3655 case Q_AND: 3656 b0 = gen_ehostop(eaddr, Q_SRC); 3657 b1 = gen_ehostop(eaddr, Q_DST); 3658 gen_and(b0, b1); 3659 return b1; 3660 3661 case Q_DEFAULT: 3662 case Q_OR: 3663 b0 = gen_ehostop(eaddr, Q_SRC); 3664 b1 = gen_ehostop(eaddr, Q_DST); 3665 gen_or(b0, b1); 3666 return b1; 3667 3668 case Q_ADDR1: 3669 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3670 break; 3671 3672 case Q_ADDR2: 3673 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3674 break; 3675 3676 case Q_ADDR3: 3677 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3678 break; 3679 3680 case Q_ADDR4: 3681 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3682 break; 3683 3684 case Q_RA: 3685 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3686 break; 3687 3688 case Q_TA: 3689 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3690 break; 3691 } 3692 abort(); 3693 /* NOTREACHED */ 3694 } 3695 3696 /* 3697 * Like gen_ehostop, but for DLT_FDDI 3698 */ 3699 static struct block * 3700 gen_fhostop(eaddr, dir) 3701 register const u_char *eaddr; 3702 register int dir; 3703 { 3704 struct block *b0, *b1; 3705 3706 switch (dir) { 3707 case Q_SRC: 3708 #ifdef PCAP_FDDIPAD 3709 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3710 #else 3711 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3712 #endif 3713 3714 case Q_DST: 3715 #ifdef PCAP_FDDIPAD 3716 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3717 #else 3718 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3719 #endif 3720 3721 case Q_AND: 3722 b0 = gen_fhostop(eaddr, Q_SRC); 3723 b1 = gen_fhostop(eaddr, Q_DST); 3724 gen_and(b0, b1); 3725 return b1; 3726 3727 case Q_DEFAULT: 3728 case Q_OR: 3729 b0 = gen_fhostop(eaddr, Q_SRC); 3730 b1 = gen_fhostop(eaddr, Q_DST); 3731 gen_or(b0, b1); 3732 return b1; 3733 3734 case Q_ADDR1: 3735 bpf_error("'addr1' is only supported on 802.11"); 3736 break; 3737 3738 case Q_ADDR2: 3739 bpf_error("'addr2' is only supported on 802.11"); 3740 break; 3741 3742 case Q_ADDR3: 3743 bpf_error("'addr3' is only supported on 802.11"); 3744 break; 3745 3746 case Q_ADDR4: 3747 bpf_error("'addr4' is only supported on 802.11"); 3748 break; 3749 3750 case Q_RA: 3751 bpf_error("'ra' is only supported on 802.11"); 3752 break; 3753 3754 case Q_TA: 3755 bpf_error("'ta' is only supported on 802.11"); 3756 break; 3757 } 3758 abort(); 3759 /* NOTREACHED */ 3760 } 3761 3762 /* 3763 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3764 */ 3765 static struct block * 3766 gen_thostop(eaddr, dir) 3767 register const u_char *eaddr; 3768 register int dir; 3769 { 3770 register struct block *b0, *b1; 3771 3772 switch (dir) { 3773 case Q_SRC: 3774 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3775 3776 case Q_DST: 3777 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3778 3779 case Q_AND: 3780 b0 = gen_thostop(eaddr, Q_SRC); 3781 b1 = gen_thostop(eaddr, Q_DST); 3782 gen_and(b0, b1); 3783 return b1; 3784 3785 case Q_DEFAULT: 3786 case Q_OR: 3787 b0 = gen_thostop(eaddr, Q_SRC); 3788 b1 = gen_thostop(eaddr, Q_DST); 3789 gen_or(b0, b1); 3790 return b1; 3791 3792 case Q_ADDR1: 3793 bpf_error("'addr1' is only supported on 802.11"); 3794 break; 3795 3796 case Q_ADDR2: 3797 bpf_error("'addr2' is only supported on 802.11"); 3798 break; 3799 3800 case Q_ADDR3: 3801 bpf_error("'addr3' is only supported on 802.11"); 3802 break; 3803 3804 case Q_ADDR4: 3805 bpf_error("'addr4' is only supported on 802.11"); 3806 break; 3807 3808 case Q_RA: 3809 bpf_error("'ra' is only supported on 802.11"); 3810 break; 3811 3812 case Q_TA: 3813 bpf_error("'ta' is only supported on 802.11"); 3814 break; 3815 } 3816 abort(); 3817 /* NOTREACHED */ 3818 } 3819 3820 /* 3821 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3822 * various 802.11 + radio headers. 3823 */ 3824 static struct block * 3825 gen_wlanhostop(eaddr, dir) 3826 register const u_char *eaddr; 3827 register int dir; 3828 { 3829 register struct block *b0, *b1, *b2; 3830 register struct slist *s; 3831 3832 #ifdef ENABLE_WLAN_FILTERING_PATCH 3833 /* 3834 * TODO GV 20070613 3835 * We need to disable the optimizer because the optimizer is buggy 3836 * and wipes out some LD instructions generated by the below 3837 * code to validate the Frame Control bits 3838 */ 3839 no_optimize = 1; 3840 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3841 3842 switch (dir) { 3843 case Q_SRC: 3844 /* 3845 * Oh, yuk. 3846 * 3847 * For control frames, there is no SA. 3848 * 3849 * For management frames, SA is at an 3850 * offset of 10 from the beginning of 3851 * the packet. 3852 * 3853 * For data frames, SA is at an offset 3854 * of 10 from the beginning of the packet 3855 * if From DS is clear, at an offset of 3856 * 16 from the beginning of the packet 3857 * if From DS is set and To DS is clear, 3858 * and an offset of 24 from the beginning 3859 * of the packet if From DS is set and To DS 3860 * is set. 3861 */ 3862 3863 /* 3864 * Generate the tests to be done for data frames 3865 * with From DS set. 3866 * 3867 * First, check for To DS set, i.e. check "link[1] & 0x01". 3868 */ 3869 s = gen_load_a(OR_LINK, 1, BPF_B); 3870 b1 = new_block(JMP(BPF_JSET)); 3871 b1->s.k = 0x01; /* To DS */ 3872 b1->stmts = s; 3873 3874 /* 3875 * If To DS is set, the SA is at 24. 3876 */ 3877 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3878 gen_and(b1, b0); 3879 3880 /* 3881 * Now, check for To DS not set, i.e. check 3882 * "!(link[1] & 0x01)". 3883 */ 3884 s = gen_load_a(OR_LINK, 1, BPF_B); 3885 b2 = new_block(JMP(BPF_JSET)); 3886 b2->s.k = 0x01; /* To DS */ 3887 b2->stmts = s; 3888 gen_not(b2); 3889 3890 /* 3891 * If To DS is not set, the SA is at 16. 3892 */ 3893 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3894 gen_and(b2, b1); 3895 3896 /* 3897 * Now OR together the last two checks. That gives 3898 * the complete set of checks for data frames with 3899 * From DS set. 3900 */ 3901 gen_or(b1, b0); 3902 3903 /* 3904 * Now check for From DS being set, and AND that with 3905 * the ORed-together checks. 3906 */ 3907 s = gen_load_a(OR_LINK, 1, BPF_B); 3908 b1 = new_block(JMP(BPF_JSET)); 3909 b1->s.k = 0x02; /* From DS */ 3910 b1->stmts = s; 3911 gen_and(b1, b0); 3912 3913 /* 3914 * Now check for data frames with From DS not set. 3915 */ 3916 s = gen_load_a(OR_LINK, 1, BPF_B); 3917 b2 = new_block(JMP(BPF_JSET)); 3918 b2->s.k = 0x02; /* From DS */ 3919 b2->stmts = s; 3920 gen_not(b2); 3921 3922 /* 3923 * If From DS isn't set, the SA is at 10. 3924 */ 3925 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3926 gen_and(b2, b1); 3927 3928 /* 3929 * Now OR together the checks for data frames with 3930 * From DS not set and for data frames with From DS 3931 * set; that gives the checks done for data frames. 3932 */ 3933 gen_or(b1, b0); 3934 3935 /* 3936 * Now check for a data frame. 3937 * I.e, check "link[0] & 0x08". 3938 */ 3939 s = gen_load_a(OR_LINK, 0, BPF_B); 3940 b1 = new_block(JMP(BPF_JSET)); 3941 b1->s.k = 0x08; 3942 b1->stmts = s; 3943 3944 /* 3945 * AND that with the checks done for data frames. 3946 */ 3947 gen_and(b1, b0); 3948 3949 /* 3950 * If the high-order bit of the type value is 0, this 3951 * is a management frame. 3952 * I.e, check "!(link[0] & 0x08)". 3953 */ 3954 s = gen_load_a(OR_LINK, 0, BPF_B); 3955 b2 = new_block(JMP(BPF_JSET)); 3956 b2->s.k = 0x08; 3957 b2->stmts = s; 3958 gen_not(b2); 3959 3960 /* 3961 * For management frames, the SA is at 10. 3962 */ 3963 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3964 gen_and(b2, b1); 3965 3966 /* 3967 * OR that with the checks done for data frames. 3968 * That gives the checks done for management and 3969 * data frames. 3970 */ 3971 gen_or(b1, b0); 3972 3973 /* 3974 * If the low-order bit of the type value is 1, 3975 * this is either a control frame or a frame 3976 * with a reserved type, and thus not a 3977 * frame with an SA. 3978 * 3979 * I.e., check "!(link[0] & 0x04)". 3980 */ 3981 s = gen_load_a(OR_LINK, 0, BPF_B); 3982 b1 = new_block(JMP(BPF_JSET)); 3983 b1->s.k = 0x04; 3984 b1->stmts = s; 3985 gen_not(b1); 3986 3987 /* 3988 * AND that with the checks for data and management 3989 * frames. 3990 */ 3991 gen_and(b1, b0); 3992 return b0; 3993 3994 case Q_DST: 3995 /* 3996 * Oh, yuk. 3997 * 3998 * For control frames, there is no DA. 3999 * 4000 * For management frames, DA is at an 4001 * offset of 4 from the beginning of 4002 * the packet. 4003 * 4004 * For data frames, DA is at an offset 4005 * of 4 from the beginning of the packet 4006 * if To DS is clear and at an offset of 4007 * 16 from the beginning of the packet 4008 * if To DS is set. 4009 */ 4010 4011 /* 4012 * Generate the tests to be done for data frames. 4013 * 4014 * First, check for To DS set, i.e. "link[1] & 0x01". 4015 */ 4016 s = gen_load_a(OR_LINK, 1, BPF_B); 4017 b1 = new_block(JMP(BPF_JSET)); 4018 b1->s.k = 0x01; /* To DS */ 4019 b1->stmts = s; 4020 4021 /* 4022 * If To DS is set, the DA is at 16. 4023 */ 4024 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4025 gen_and(b1, b0); 4026 4027 /* 4028 * Now, check for To DS not set, i.e. check 4029 * "!(link[1] & 0x01)". 4030 */ 4031 s = gen_load_a(OR_LINK, 1, BPF_B); 4032 b2 = new_block(JMP(BPF_JSET)); 4033 b2->s.k = 0x01; /* To DS */ 4034 b2->stmts = s; 4035 gen_not(b2); 4036 4037 /* 4038 * If To DS is not set, the DA is at 4. 4039 */ 4040 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4041 gen_and(b2, b1); 4042 4043 /* 4044 * Now OR together the last two checks. That gives 4045 * the complete set of checks for data frames. 4046 */ 4047 gen_or(b1, b0); 4048 4049 /* 4050 * Now check for a data frame. 4051 * I.e, check "link[0] & 0x08". 4052 */ 4053 s = gen_load_a(OR_LINK, 0, BPF_B); 4054 b1 = new_block(JMP(BPF_JSET)); 4055 b1->s.k = 0x08; 4056 b1->stmts = s; 4057 4058 /* 4059 * AND that with the checks done for data frames. 4060 */ 4061 gen_and(b1, b0); 4062 4063 /* 4064 * If the high-order bit of the type value is 0, this 4065 * is a management frame. 4066 * I.e, check "!(link[0] & 0x08)". 4067 */ 4068 s = gen_load_a(OR_LINK, 0, BPF_B); 4069 b2 = new_block(JMP(BPF_JSET)); 4070 b2->s.k = 0x08; 4071 b2->stmts = s; 4072 gen_not(b2); 4073 4074 /* 4075 * For management frames, the DA is at 4. 4076 */ 4077 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4078 gen_and(b2, b1); 4079 4080 /* 4081 * OR that with the checks done for data frames. 4082 * That gives the checks done for management and 4083 * data frames. 4084 */ 4085 gen_or(b1, b0); 4086 4087 /* 4088 * If the low-order bit of the type value is 1, 4089 * this is either a control frame or a frame 4090 * with a reserved type, and thus not a 4091 * frame with an SA. 4092 * 4093 * I.e., check "!(link[0] & 0x04)". 4094 */ 4095 s = gen_load_a(OR_LINK, 0, BPF_B); 4096 b1 = new_block(JMP(BPF_JSET)); 4097 b1->s.k = 0x04; 4098 b1->stmts = s; 4099 gen_not(b1); 4100 4101 /* 4102 * AND that with the checks for data and management 4103 * frames. 4104 */ 4105 gen_and(b1, b0); 4106 return b0; 4107 4108 case Q_RA: 4109 /* 4110 * Not present in management frames; addr1 in other 4111 * frames. 4112 */ 4113 4114 /* 4115 * If the high-order bit of the type value is 0, this 4116 * is a management frame. 4117 * I.e, check "(link[0] & 0x08)". 4118 */ 4119 s = gen_load_a(OR_LINK, 0, BPF_B); 4120 b1 = new_block(JMP(BPF_JSET)); 4121 b1->s.k = 0x08; 4122 b1->stmts = s; 4123 4124 /* 4125 * Check addr1. 4126 */ 4127 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4128 4129 /* 4130 * AND that with the check of addr1. 4131 */ 4132 gen_and(b1, b0); 4133 return (b0); 4134 4135 case Q_TA: 4136 /* 4137 * Not present in management frames; addr2, if present, 4138 * in other frames. 4139 */ 4140 4141 /* 4142 * Not present in CTS or ACK control frames. 4143 */ 4144 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4145 IEEE80211_FC0_TYPE_MASK); 4146 gen_not(b0); 4147 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4148 IEEE80211_FC0_SUBTYPE_MASK); 4149 gen_not(b1); 4150 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4151 IEEE80211_FC0_SUBTYPE_MASK); 4152 gen_not(b2); 4153 gen_and(b1, b2); 4154 gen_or(b0, b2); 4155 4156 /* 4157 * If the high-order bit of the type value is 0, this 4158 * is a management frame. 4159 * I.e, check "(link[0] & 0x08)". 4160 */ 4161 s = gen_load_a(OR_LINK, 0, BPF_B); 4162 b1 = new_block(JMP(BPF_JSET)); 4163 b1->s.k = 0x08; 4164 b1->stmts = s; 4165 4166 /* 4167 * AND that with the check for frames other than 4168 * CTS and ACK frames. 4169 */ 4170 gen_and(b1, b2); 4171 4172 /* 4173 * Check addr2. 4174 */ 4175 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4176 gen_and(b2, b1); 4177 return b1; 4178 4179 /* 4180 * XXX - add BSSID keyword? 4181 */ 4182 case Q_ADDR1: 4183 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4184 4185 case Q_ADDR2: 4186 /* 4187 * Not present in CTS or ACK control frames. 4188 */ 4189 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4190 IEEE80211_FC0_TYPE_MASK); 4191 gen_not(b0); 4192 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4193 IEEE80211_FC0_SUBTYPE_MASK); 4194 gen_not(b1); 4195 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4196 IEEE80211_FC0_SUBTYPE_MASK); 4197 gen_not(b2); 4198 gen_and(b1, b2); 4199 gen_or(b0, b2); 4200 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4201 gen_and(b2, b1); 4202 return b1; 4203 4204 case Q_ADDR3: 4205 /* 4206 * Not present in control frames. 4207 */ 4208 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4209 IEEE80211_FC0_TYPE_MASK); 4210 gen_not(b0); 4211 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4212 gen_and(b0, b1); 4213 return b1; 4214 4215 case Q_ADDR4: 4216 /* 4217 * Present only if the direction mask has both "From DS" 4218 * and "To DS" set. Neither control frames nor management 4219 * frames should have both of those set, so we don't 4220 * check the frame type. 4221 */ 4222 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4223 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4224 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4225 gen_and(b0, b1); 4226 return b1; 4227 4228 case Q_AND: 4229 b0 = gen_wlanhostop(eaddr, Q_SRC); 4230 b1 = gen_wlanhostop(eaddr, Q_DST); 4231 gen_and(b0, b1); 4232 return b1; 4233 4234 case Q_DEFAULT: 4235 case Q_OR: 4236 b0 = gen_wlanhostop(eaddr, Q_SRC); 4237 b1 = gen_wlanhostop(eaddr, Q_DST); 4238 gen_or(b0, b1); 4239 return b1; 4240 } 4241 abort(); 4242 /* NOTREACHED */ 4243 } 4244 4245 /* 4246 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4247 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4248 * as the RFC states.) 4249 */ 4250 static struct block * 4251 gen_ipfchostop(eaddr, dir) 4252 register const u_char *eaddr; 4253 register int dir; 4254 { 4255 register struct block *b0, *b1; 4256 4257 switch (dir) { 4258 case Q_SRC: 4259 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4260 4261 case Q_DST: 4262 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4263 4264 case Q_AND: 4265 b0 = gen_ipfchostop(eaddr, Q_SRC); 4266 b1 = gen_ipfchostop(eaddr, Q_DST); 4267 gen_and(b0, b1); 4268 return b1; 4269 4270 case Q_DEFAULT: 4271 case Q_OR: 4272 b0 = gen_ipfchostop(eaddr, Q_SRC); 4273 b1 = gen_ipfchostop(eaddr, Q_DST); 4274 gen_or(b0, b1); 4275 return b1; 4276 4277 case Q_ADDR1: 4278 bpf_error("'addr1' is only supported on 802.11"); 4279 break; 4280 4281 case Q_ADDR2: 4282 bpf_error("'addr2' is only supported on 802.11"); 4283 break; 4284 4285 case Q_ADDR3: 4286 bpf_error("'addr3' is only supported on 802.11"); 4287 break; 4288 4289 case Q_ADDR4: 4290 bpf_error("'addr4' is only supported on 802.11"); 4291 break; 4292 4293 case Q_RA: 4294 bpf_error("'ra' is only supported on 802.11"); 4295 break; 4296 4297 case Q_TA: 4298 bpf_error("'ta' is only supported on 802.11"); 4299 break; 4300 } 4301 abort(); 4302 /* NOTREACHED */ 4303 } 4304 4305 /* 4306 * This is quite tricky because there may be pad bytes in front of the 4307 * DECNET header, and then there are two possible data packet formats that 4308 * carry both src and dst addresses, plus 5 packet types in a format that 4309 * carries only the src node, plus 2 types that use a different format and 4310 * also carry just the src node. 4311 * 4312 * Yuck. 4313 * 4314 * Instead of doing those all right, we just look for data packets with 4315 * 0 or 1 bytes of padding. If you want to look at other packets, that 4316 * will require a lot more hacking. 4317 * 4318 * To add support for filtering on DECNET "areas" (network numbers) 4319 * one would want to add a "mask" argument to this routine. That would 4320 * make the filter even more inefficient, although one could be clever 4321 * and not generate masking instructions if the mask is 0xFFFF. 4322 */ 4323 static struct block * 4324 gen_dnhostop(addr, dir) 4325 bpf_u_int32 addr; 4326 int dir; 4327 { 4328 struct block *b0, *b1, *b2, *tmp; 4329 u_int offset_lh; /* offset if long header is received */ 4330 u_int offset_sh; /* offset if short header is received */ 4331 4332 switch (dir) { 4333 4334 case Q_DST: 4335 offset_sh = 1; /* follows flags */ 4336 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4337 break; 4338 4339 case Q_SRC: 4340 offset_sh = 3; /* follows flags, dstnode */ 4341 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4342 break; 4343 4344 case Q_AND: 4345 /* Inefficient because we do our Calvinball dance twice */ 4346 b0 = gen_dnhostop(addr, Q_SRC); 4347 b1 = gen_dnhostop(addr, Q_DST); 4348 gen_and(b0, b1); 4349 return b1; 4350 4351 case Q_OR: 4352 case Q_DEFAULT: 4353 /* Inefficient because we do our Calvinball dance twice */ 4354 b0 = gen_dnhostop(addr, Q_SRC); 4355 b1 = gen_dnhostop(addr, Q_DST); 4356 gen_or(b0, b1); 4357 return b1; 4358 4359 case Q_ISO: 4360 bpf_error("ISO host filtering not implemented"); 4361 4362 default: 4363 abort(); 4364 } 4365 b0 = gen_linktype(ETHERTYPE_DN); 4366 /* Check for pad = 1, long header case */ 4367 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4368 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4369 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4370 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4371 gen_and(tmp, b1); 4372 /* Check for pad = 0, long header case */ 4373 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4374 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4375 gen_and(tmp, b2); 4376 gen_or(b2, b1); 4377 /* Check for pad = 1, short header case */ 4378 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4379 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4380 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4381 gen_and(tmp, b2); 4382 gen_or(b2, b1); 4383 /* Check for pad = 0, short header case */ 4384 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4385 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4386 gen_and(tmp, b2); 4387 gen_or(b2, b1); 4388 4389 /* Combine with test for linktype */ 4390 gen_and(b0, b1); 4391 return b1; 4392 } 4393 4394 /* 4395 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4396 * test the bottom-of-stack bit, and then check the version number 4397 * field in the IP header. 4398 */ 4399 static struct block * 4400 gen_mpls_linktype(proto) 4401 int proto; 4402 { 4403 struct block *b0, *b1; 4404 4405 switch (proto) { 4406 4407 case Q_IP: 4408 /* match the bottom-of-stack bit */ 4409 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4410 /* match the IPv4 version number */ 4411 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4412 gen_and(b0, b1); 4413 return b1; 4414 4415 case Q_IPV6: 4416 /* match the bottom-of-stack bit */ 4417 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4418 /* match the IPv4 version number */ 4419 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4420 gen_and(b0, b1); 4421 return b1; 4422 4423 default: 4424 abort(); 4425 } 4426 } 4427 4428 static struct block * 4429 gen_host(addr, mask, proto, dir, type) 4430 bpf_u_int32 addr; 4431 bpf_u_int32 mask; 4432 int proto; 4433 int dir; 4434 int type; 4435 { 4436 struct block *b0, *b1; 4437 const char *typestr; 4438 4439 if (type == Q_NET) 4440 typestr = "net"; 4441 else 4442 typestr = "host"; 4443 4444 switch (proto) { 4445 4446 case Q_DEFAULT: 4447 b0 = gen_host(addr, mask, Q_IP, dir, type); 4448 /* 4449 * Only check for non-IPv4 addresses if we're not 4450 * checking MPLS-encapsulated packets. 4451 */ 4452 if (label_stack_depth == 0) { 4453 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4454 gen_or(b0, b1); 4455 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4456 gen_or(b1, b0); 4457 } 4458 return b0; 4459 4460 case Q_IP: 4461 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4462 4463 case Q_RARP: 4464 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4465 4466 case Q_ARP: 4467 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4468 4469 case Q_TCP: 4470 bpf_error("'tcp' modifier applied to %s", typestr); 4471 4472 case Q_SCTP: 4473 bpf_error("'sctp' modifier applied to %s", typestr); 4474 4475 case Q_UDP: 4476 bpf_error("'udp' modifier applied to %s", typestr); 4477 4478 case Q_ICMP: 4479 bpf_error("'icmp' modifier applied to %s", typestr); 4480 4481 case Q_IGMP: 4482 bpf_error("'igmp' modifier applied to %s", typestr); 4483 4484 case Q_IGRP: 4485 bpf_error("'igrp' modifier applied to %s", typestr); 4486 4487 case Q_PIM: 4488 bpf_error("'pim' modifier applied to %s", typestr); 4489 4490 case Q_VRRP: 4491 bpf_error("'vrrp' modifier applied to %s", typestr); 4492 4493 case Q_CARP: 4494 bpf_error("'carp' modifier applied to %s", typestr); 4495 4496 case Q_ATALK: 4497 bpf_error("ATALK host filtering not implemented"); 4498 4499 case Q_AARP: 4500 bpf_error("AARP host filtering not implemented"); 4501 4502 case Q_DECNET: 4503 return gen_dnhostop(addr, dir); 4504 4505 case Q_SCA: 4506 bpf_error("SCA host filtering not implemented"); 4507 4508 case Q_LAT: 4509 bpf_error("LAT host filtering not implemented"); 4510 4511 case Q_MOPDL: 4512 bpf_error("MOPDL host filtering not implemented"); 4513 4514 case Q_MOPRC: 4515 bpf_error("MOPRC host filtering not implemented"); 4516 4517 case Q_IPV6: 4518 bpf_error("'ip6' modifier applied to ip host"); 4519 4520 case Q_ICMPV6: 4521 bpf_error("'icmp6' modifier applied to %s", typestr); 4522 4523 case Q_AH: 4524 bpf_error("'ah' modifier applied to %s", typestr); 4525 4526 case Q_ESP: 4527 bpf_error("'esp' modifier applied to %s", typestr); 4528 4529 case Q_ISO: 4530 bpf_error("ISO host filtering not implemented"); 4531 4532 case Q_ESIS: 4533 bpf_error("'esis' modifier applied to %s", typestr); 4534 4535 case Q_ISIS: 4536 bpf_error("'isis' modifier applied to %s", typestr); 4537 4538 case Q_CLNP: 4539 bpf_error("'clnp' modifier applied to %s", typestr); 4540 4541 case Q_STP: 4542 bpf_error("'stp' modifier applied to %s", typestr); 4543 4544 case Q_IPX: 4545 bpf_error("IPX host filtering not implemented"); 4546 4547 case Q_NETBEUI: 4548 bpf_error("'netbeui' modifier applied to %s", typestr); 4549 4550 case Q_RADIO: 4551 bpf_error("'radio' modifier applied to %s", typestr); 4552 4553 default: 4554 abort(); 4555 } 4556 /* NOTREACHED */ 4557 } 4558 4559 #ifdef INET6 4560 static struct block * 4561 gen_host6(addr, mask, proto, dir, type) 4562 struct in6_addr *addr; 4563 struct in6_addr *mask; 4564 int proto; 4565 int dir; 4566 int type; 4567 { 4568 const char *typestr; 4569 4570 if (type == Q_NET) 4571 typestr = "net"; 4572 else 4573 typestr = "host"; 4574 4575 switch (proto) { 4576 4577 case Q_DEFAULT: 4578 return gen_host6(addr, mask, Q_IPV6, dir, type); 4579 4580 case Q_IP: 4581 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4582 4583 case Q_RARP: 4584 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4585 4586 case Q_ARP: 4587 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4588 4589 case Q_SCTP: 4590 bpf_error("'sctp' modifier applied to %s", typestr); 4591 4592 case Q_TCP: 4593 bpf_error("'tcp' modifier applied to %s", typestr); 4594 4595 case Q_UDP: 4596 bpf_error("'udp' modifier applied to %s", typestr); 4597 4598 case Q_ICMP: 4599 bpf_error("'icmp' modifier applied to %s", typestr); 4600 4601 case Q_IGMP: 4602 bpf_error("'igmp' modifier applied to %s", typestr); 4603 4604 case Q_IGRP: 4605 bpf_error("'igrp' modifier applied to %s", typestr); 4606 4607 case Q_PIM: 4608 bpf_error("'pim' modifier applied to %s", typestr); 4609 4610 case Q_VRRP: 4611 bpf_error("'vrrp' modifier applied to %s", typestr); 4612 4613 case Q_CARP: 4614 bpf_error("'carp' modifier applied to %s", typestr); 4615 4616 case Q_ATALK: 4617 bpf_error("ATALK host filtering not implemented"); 4618 4619 case Q_AARP: 4620 bpf_error("AARP host filtering not implemented"); 4621 4622 case Q_DECNET: 4623 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4624 4625 case Q_SCA: 4626 bpf_error("SCA host filtering not implemented"); 4627 4628 case Q_LAT: 4629 bpf_error("LAT host filtering not implemented"); 4630 4631 case Q_MOPDL: 4632 bpf_error("MOPDL host filtering not implemented"); 4633 4634 case Q_MOPRC: 4635 bpf_error("MOPRC host filtering not implemented"); 4636 4637 case Q_IPV6: 4638 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4639 4640 case Q_ICMPV6: 4641 bpf_error("'icmp6' modifier applied to %s", typestr); 4642 4643 case Q_AH: 4644 bpf_error("'ah' modifier applied to %s", typestr); 4645 4646 case Q_ESP: 4647 bpf_error("'esp' modifier applied to %s", typestr); 4648 4649 case Q_ISO: 4650 bpf_error("ISO host filtering not implemented"); 4651 4652 case Q_ESIS: 4653 bpf_error("'esis' modifier applied to %s", typestr); 4654 4655 case Q_ISIS: 4656 bpf_error("'isis' modifier applied to %s", typestr); 4657 4658 case Q_CLNP: 4659 bpf_error("'clnp' modifier applied to %s", typestr); 4660 4661 case Q_STP: 4662 bpf_error("'stp' modifier applied to %s", typestr); 4663 4664 case Q_IPX: 4665 bpf_error("IPX host filtering not implemented"); 4666 4667 case Q_NETBEUI: 4668 bpf_error("'netbeui' modifier applied to %s", typestr); 4669 4670 case Q_RADIO: 4671 bpf_error("'radio' modifier applied to %s", typestr); 4672 4673 default: 4674 abort(); 4675 } 4676 /* NOTREACHED */ 4677 } 4678 #endif 4679 4680 #ifndef INET6 4681 static struct block * 4682 gen_gateway(eaddr, alist, proto, dir) 4683 const u_char *eaddr; 4684 bpf_u_int32 **alist; 4685 int proto; 4686 int dir; 4687 { 4688 struct block *b0, *b1, *tmp; 4689 4690 if (dir != 0) 4691 bpf_error("direction applied to 'gateway'"); 4692 4693 switch (proto) { 4694 case Q_DEFAULT: 4695 case Q_IP: 4696 case Q_ARP: 4697 case Q_RARP: 4698 switch (linktype) { 4699 case DLT_EN10MB: 4700 case DLT_NETANALYZER: 4701 case DLT_NETANALYZER_TRANSPARENT: 4702 b0 = gen_ehostop(eaddr, Q_OR); 4703 break; 4704 case DLT_FDDI: 4705 b0 = gen_fhostop(eaddr, Q_OR); 4706 break; 4707 case DLT_IEEE802: 4708 b0 = gen_thostop(eaddr, Q_OR); 4709 break; 4710 case DLT_IEEE802_11: 4711 case DLT_PRISM_HEADER: 4712 case DLT_IEEE802_11_RADIO_AVS: 4713 case DLT_IEEE802_11_RADIO: 4714 case DLT_PPI: 4715 b0 = gen_wlanhostop(eaddr, Q_OR); 4716 break; 4717 case DLT_SUNATM: 4718 if (!is_lane) 4719 bpf_error( 4720 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4721 /* 4722 * Check that the packet doesn't begin with an 4723 * LE Control marker. (We've already generated 4724 * a test for LANE.) 4725 */ 4726 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4727 BPF_H, 0xFF00); 4728 gen_not(b1); 4729 4730 /* 4731 * Now check the MAC address. 4732 */ 4733 b0 = gen_ehostop(eaddr, Q_OR); 4734 gen_and(b1, b0); 4735 break; 4736 case DLT_IP_OVER_FC: 4737 b0 = gen_ipfchostop(eaddr, Q_OR); 4738 break; 4739 default: 4740 bpf_error( 4741 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4742 } 4743 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4744 while (*alist) { 4745 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4746 Q_HOST); 4747 gen_or(b1, tmp); 4748 b1 = tmp; 4749 } 4750 gen_not(b1); 4751 gen_and(b0, b1); 4752 return b1; 4753 } 4754 bpf_error("illegal modifier of 'gateway'"); 4755 /* NOTREACHED */ 4756 } 4757 #endif 4758 4759 struct block * 4760 gen_proto_abbrev(proto) 4761 int proto; 4762 { 4763 struct block *b0; 4764 struct block *b1; 4765 4766 switch (proto) { 4767 4768 case Q_SCTP: 4769 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4770 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4771 gen_or(b0, b1); 4772 break; 4773 4774 case Q_TCP: 4775 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4776 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4777 gen_or(b0, b1); 4778 break; 4779 4780 case Q_UDP: 4781 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4782 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4783 gen_or(b0, b1); 4784 break; 4785 4786 case Q_ICMP: 4787 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4788 break; 4789 4790 #ifndef IPPROTO_IGMP 4791 #define IPPROTO_IGMP 2 4792 #endif 4793 4794 case Q_IGMP: 4795 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4796 break; 4797 4798 #ifndef IPPROTO_IGRP 4799 #define IPPROTO_IGRP 9 4800 #endif 4801 case Q_IGRP: 4802 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4803 break; 4804 4805 #ifndef IPPROTO_PIM 4806 #define IPPROTO_PIM 103 4807 #endif 4808 4809 case Q_PIM: 4810 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4811 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4812 gen_or(b0, b1); 4813 break; 4814 4815 #ifndef IPPROTO_VRRP 4816 #define IPPROTO_VRRP 112 4817 #endif 4818 4819 case Q_VRRP: 4820 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4821 break; 4822 4823 #ifndef IPPROTO_CARP 4824 #define IPPROTO_CARP 112 4825 #endif 4826 4827 case Q_CARP: 4828 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 4829 break; 4830 4831 case Q_IP: 4832 b1 = gen_linktype(ETHERTYPE_IP); 4833 break; 4834 4835 case Q_ARP: 4836 b1 = gen_linktype(ETHERTYPE_ARP); 4837 break; 4838 4839 case Q_RARP: 4840 b1 = gen_linktype(ETHERTYPE_REVARP); 4841 break; 4842 4843 case Q_LINK: 4844 bpf_error("link layer applied in wrong context"); 4845 4846 case Q_ATALK: 4847 b1 = gen_linktype(ETHERTYPE_ATALK); 4848 break; 4849 4850 case Q_AARP: 4851 b1 = gen_linktype(ETHERTYPE_AARP); 4852 break; 4853 4854 case Q_DECNET: 4855 b1 = gen_linktype(ETHERTYPE_DN); 4856 break; 4857 4858 case Q_SCA: 4859 b1 = gen_linktype(ETHERTYPE_SCA); 4860 break; 4861 4862 case Q_LAT: 4863 b1 = gen_linktype(ETHERTYPE_LAT); 4864 break; 4865 4866 case Q_MOPDL: 4867 b1 = gen_linktype(ETHERTYPE_MOPDL); 4868 break; 4869 4870 case Q_MOPRC: 4871 b1 = gen_linktype(ETHERTYPE_MOPRC); 4872 break; 4873 4874 case Q_IPV6: 4875 b1 = gen_linktype(ETHERTYPE_IPV6); 4876 break; 4877 4878 #ifndef IPPROTO_ICMPV6 4879 #define IPPROTO_ICMPV6 58 4880 #endif 4881 case Q_ICMPV6: 4882 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4883 break; 4884 4885 #ifndef IPPROTO_AH 4886 #define IPPROTO_AH 51 4887 #endif 4888 case Q_AH: 4889 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4890 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4891 gen_or(b0, b1); 4892 break; 4893 4894 #ifndef IPPROTO_ESP 4895 #define IPPROTO_ESP 50 4896 #endif 4897 case Q_ESP: 4898 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4899 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4900 gen_or(b0, b1); 4901 break; 4902 4903 case Q_ISO: 4904 b1 = gen_linktype(LLCSAP_ISONS); 4905 break; 4906 4907 case Q_ESIS: 4908 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4909 break; 4910 4911 case Q_ISIS: 4912 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4913 break; 4914 4915 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4916 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4917 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4918 gen_or(b0, b1); 4919 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4920 gen_or(b0, b1); 4921 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4922 gen_or(b0, b1); 4923 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4924 gen_or(b0, b1); 4925 break; 4926 4927 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4928 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4929 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4930 gen_or(b0, b1); 4931 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4932 gen_or(b0, b1); 4933 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4934 gen_or(b0, b1); 4935 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4936 gen_or(b0, b1); 4937 break; 4938 4939 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4940 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4941 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4942 gen_or(b0, b1); 4943 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4944 gen_or(b0, b1); 4945 break; 4946 4947 case Q_ISIS_LSP: 4948 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4949 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4950 gen_or(b0, b1); 4951 break; 4952 4953 case Q_ISIS_SNP: 4954 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4955 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4956 gen_or(b0, b1); 4957 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4958 gen_or(b0, b1); 4959 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4960 gen_or(b0, b1); 4961 break; 4962 4963 case Q_ISIS_CSNP: 4964 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4965 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4966 gen_or(b0, b1); 4967 break; 4968 4969 case Q_ISIS_PSNP: 4970 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4971 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4972 gen_or(b0, b1); 4973 break; 4974 4975 case Q_CLNP: 4976 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4977 break; 4978 4979 case Q_STP: 4980 b1 = gen_linktype(LLCSAP_8021D); 4981 break; 4982 4983 case Q_IPX: 4984 b1 = gen_linktype(LLCSAP_IPX); 4985 break; 4986 4987 case Q_NETBEUI: 4988 b1 = gen_linktype(LLCSAP_NETBEUI); 4989 break; 4990 4991 case Q_RADIO: 4992 bpf_error("'radio' is not a valid protocol type"); 4993 4994 default: 4995 abort(); 4996 } 4997 return b1; 4998 } 4999 5000 static struct block * 5001 gen_ipfrag() 5002 { 5003 struct slist *s; 5004 struct block *b; 5005 5006 /* not IPv4 frag other than the first frag */ 5007 s = gen_load_a(OR_NET, 6, BPF_H); 5008 b = new_block(JMP(BPF_JSET)); 5009 b->s.k = 0x1fff; 5010 b->stmts = s; 5011 gen_not(b); 5012 5013 return b; 5014 } 5015 5016 /* 5017 * Generate a comparison to a port value in the transport-layer header 5018 * at the specified offset from the beginning of that header. 5019 * 5020 * XXX - this handles a variable-length prefix preceding the link-layer 5021 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5022 * variable-length link-layer headers (such as Token Ring or 802.11 5023 * headers). 5024 */ 5025 static struct block * 5026 gen_portatom(off, v) 5027 int off; 5028 bpf_int32 v; 5029 { 5030 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5031 } 5032 5033 static struct block * 5034 gen_portatom6(off, v) 5035 int off; 5036 bpf_int32 v; 5037 { 5038 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5039 } 5040 5041 struct block * 5042 gen_portop(port, proto, dir) 5043 int port, proto, dir; 5044 { 5045 struct block *b0, *b1, *tmp; 5046 5047 /* ip proto 'proto' and not a fragment other than the first fragment */ 5048 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5049 b0 = gen_ipfrag(); 5050 gen_and(tmp, b0); 5051 5052 switch (dir) { 5053 case Q_SRC: 5054 b1 = gen_portatom(0, (bpf_int32)port); 5055 break; 5056 5057 case Q_DST: 5058 b1 = gen_portatom(2, (bpf_int32)port); 5059 break; 5060 5061 case Q_OR: 5062 case Q_DEFAULT: 5063 tmp = gen_portatom(0, (bpf_int32)port); 5064 b1 = gen_portatom(2, (bpf_int32)port); 5065 gen_or(tmp, b1); 5066 break; 5067 5068 case Q_AND: 5069 tmp = gen_portatom(0, (bpf_int32)port); 5070 b1 = gen_portatom(2, (bpf_int32)port); 5071 gen_and(tmp, b1); 5072 break; 5073 5074 default: 5075 abort(); 5076 } 5077 gen_and(b0, b1); 5078 5079 return b1; 5080 } 5081 5082 static struct block * 5083 gen_port(port, ip_proto, dir) 5084 int port; 5085 int ip_proto; 5086 int dir; 5087 { 5088 struct block *b0, *b1, *tmp; 5089 5090 /* 5091 * ether proto ip 5092 * 5093 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5094 * not LLC encapsulation with LLCSAP_IP. 5095 * 5096 * For IEEE 802 networks - which includes 802.5 token ring 5097 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5098 * says that SNAP encapsulation is used, not LLC encapsulation 5099 * with LLCSAP_IP. 5100 * 5101 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5102 * RFC 2225 say that SNAP encapsulation is used, not LLC 5103 * encapsulation with LLCSAP_IP. 5104 * 5105 * So we always check for ETHERTYPE_IP. 5106 */ 5107 b0 = gen_linktype(ETHERTYPE_IP); 5108 5109 switch (ip_proto) { 5110 case IPPROTO_UDP: 5111 case IPPROTO_TCP: 5112 case IPPROTO_SCTP: 5113 b1 = gen_portop(port, ip_proto, dir); 5114 break; 5115 5116 case PROTO_UNDEF: 5117 tmp = gen_portop(port, IPPROTO_TCP, dir); 5118 b1 = gen_portop(port, IPPROTO_UDP, dir); 5119 gen_or(tmp, b1); 5120 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5121 gen_or(tmp, b1); 5122 break; 5123 5124 default: 5125 abort(); 5126 } 5127 gen_and(b0, b1); 5128 return b1; 5129 } 5130 5131 struct block * 5132 gen_portop6(port, proto, dir) 5133 int port, proto, dir; 5134 { 5135 struct block *b0, *b1, *tmp; 5136 5137 /* ip6 proto 'proto' */ 5138 /* XXX - catch the first fragment of a fragmented packet? */ 5139 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5140 5141 switch (dir) { 5142 case Q_SRC: 5143 b1 = gen_portatom6(0, (bpf_int32)port); 5144 break; 5145 5146 case Q_DST: 5147 b1 = gen_portatom6(2, (bpf_int32)port); 5148 break; 5149 5150 case Q_OR: 5151 case Q_DEFAULT: 5152 tmp = gen_portatom6(0, (bpf_int32)port); 5153 b1 = gen_portatom6(2, (bpf_int32)port); 5154 gen_or(tmp, b1); 5155 break; 5156 5157 case Q_AND: 5158 tmp = gen_portatom6(0, (bpf_int32)port); 5159 b1 = gen_portatom6(2, (bpf_int32)port); 5160 gen_and(tmp, b1); 5161 break; 5162 5163 default: 5164 abort(); 5165 } 5166 gen_and(b0, b1); 5167 5168 return b1; 5169 } 5170 5171 static struct block * 5172 gen_port6(port, ip_proto, dir) 5173 int port; 5174 int ip_proto; 5175 int dir; 5176 { 5177 struct block *b0, *b1, *tmp; 5178 5179 /* link proto ip6 */ 5180 b0 = gen_linktype(ETHERTYPE_IPV6); 5181 5182 switch (ip_proto) { 5183 case IPPROTO_UDP: 5184 case IPPROTO_TCP: 5185 case IPPROTO_SCTP: 5186 b1 = gen_portop6(port, ip_proto, dir); 5187 break; 5188 5189 case PROTO_UNDEF: 5190 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5191 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5192 gen_or(tmp, b1); 5193 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5194 gen_or(tmp, b1); 5195 break; 5196 5197 default: 5198 abort(); 5199 } 5200 gen_and(b0, b1); 5201 return b1; 5202 } 5203 5204 /* gen_portrange code */ 5205 static struct block * 5206 gen_portrangeatom(off, v1, v2) 5207 int off; 5208 bpf_int32 v1, v2; 5209 { 5210 struct block *b1, *b2; 5211 5212 if (v1 > v2) { 5213 /* 5214 * Reverse the order of the ports, so v1 is the lower one. 5215 */ 5216 bpf_int32 vtemp; 5217 5218 vtemp = v1; 5219 v1 = v2; 5220 v2 = vtemp; 5221 } 5222 5223 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5224 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5225 5226 gen_and(b1, b2); 5227 5228 return b2; 5229 } 5230 5231 struct block * 5232 gen_portrangeop(port1, port2, proto, dir) 5233 int port1, port2; 5234 int proto; 5235 int dir; 5236 { 5237 struct block *b0, *b1, *tmp; 5238 5239 /* ip proto 'proto' and not a fragment other than the first fragment */ 5240 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5241 b0 = gen_ipfrag(); 5242 gen_and(tmp, b0); 5243 5244 switch (dir) { 5245 case Q_SRC: 5246 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5247 break; 5248 5249 case Q_DST: 5250 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5251 break; 5252 5253 case Q_OR: 5254 case Q_DEFAULT: 5255 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5256 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5257 gen_or(tmp, b1); 5258 break; 5259 5260 case Q_AND: 5261 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5262 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5263 gen_and(tmp, b1); 5264 break; 5265 5266 default: 5267 abort(); 5268 } 5269 gen_and(b0, b1); 5270 5271 return b1; 5272 } 5273 5274 static struct block * 5275 gen_portrange(port1, port2, ip_proto, dir) 5276 int port1, port2; 5277 int ip_proto; 5278 int dir; 5279 { 5280 struct block *b0, *b1, *tmp; 5281 5282 /* link proto ip */ 5283 b0 = gen_linktype(ETHERTYPE_IP); 5284 5285 switch (ip_proto) { 5286 case IPPROTO_UDP: 5287 case IPPROTO_TCP: 5288 case IPPROTO_SCTP: 5289 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5290 break; 5291 5292 case PROTO_UNDEF: 5293 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5294 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5295 gen_or(tmp, b1); 5296 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5297 gen_or(tmp, b1); 5298 break; 5299 5300 default: 5301 abort(); 5302 } 5303 gen_and(b0, b1); 5304 return b1; 5305 } 5306 5307 static struct block * 5308 gen_portrangeatom6(off, v1, v2) 5309 int off; 5310 bpf_int32 v1, v2; 5311 { 5312 struct block *b1, *b2; 5313 5314 if (v1 > v2) { 5315 /* 5316 * Reverse the order of the ports, so v1 is the lower one. 5317 */ 5318 bpf_int32 vtemp; 5319 5320 vtemp = v1; 5321 v1 = v2; 5322 v2 = vtemp; 5323 } 5324 5325 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5326 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5327 5328 gen_and(b1, b2); 5329 5330 return b2; 5331 } 5332 5333 struct block * 5334 gen_portrangeop6(port1, port2, proto, dir) 5335 int port1, port2; 5336 int proto; 5337 int dir; 5338 { 5339 struct block *b0, *b1, *tmp; 5340 5341 /* ip6 proto 'proto' */ 5342 /* XXX - catch the first fragment of a fragmented packet? */ 5343 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5344 5345 switch (dir) { 5346 case Q_SRC: 5347 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5348 break; 5349 5350 case Q_DST: 5351 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5352 break; 5353 5354 case Q_OR: 5355 case Q_DEFAULT: 5356 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5357 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5358 gen_or(tmp, b1); 5359 break; 5360 5361 case Q_AND: 5362 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5363 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5364 gen_and(tmp, b1); 5365 break; 5366 5367 default: 5368 abort(); 5369 } 5370 gen_and(b0, b1); 5371 5372 return b1; 5373 } 5374 5375 static struct block * 5376 gen_portrange6(port1, port2, ip_proto, dir) 5377 int port1, port2; 5378 int ip_proto; 5379 int dir; 5380 { 5381 struct block *b0, *b1, *tmp; 5382 5383 /* link proto ip6 */ 5384 b0 = gen_linktype(ETHERTYPE_IPV6); 5385 5386 switch (ip_proto) { 5387 case IPPROTO_UDP: 5388 case IPPROTO_TCP: 5389 case IPPROTO_SCTP: 5390 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5391 break; 5392 5393 case PROTO_UNDEF: 5394 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5395 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5396 gen_or(tmp, b1); 5397 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5398 gen_or(tmp, b1); 5399 break; 5400 5401 default: 5402 abort(); 5403 } 5404 gen_and(b0, b1); 5405 return b1; 5406 } 5407 5408 static int 5409 lookup_proto(name, proto) 5410 register const char *name; 5411 register int proto; 5412 { 5413 register int v; 5414 5415 switch (proto) { 5416 5417 case Q_DEFAULT: 5418 case Q_IP: 5419 case Q_IPV6: 5420 v = pcap_nametoproto(name); 5421 if (v == PROTO_UNDEF) 5422 bpf_error("unknown ip proto '%s'", name); 5423 break; 5424 5425 case Q_LINK: 5426 /* XXX should look up h/w protocol type based on linktype */ 5427 v = pcap_nametoeproto(name); 5428 if (v == PROTO_UNDEF) { 5429 v = pcap_nametollc(name); 5430 if (v == PROTO_UNDEF) 5431 bpf_error("unknown ether proto '%s'", name); 5432 } 5433 break; 5434 5435 case Q_ISO: 5436 if (strcmp(name, "esis") == 0) 5437 v = ISO9542_ESIS; 5438 else if (strcmp(name, "isis") == 0) 5439 v = ISO10589_ISIS; 5440 else if (strcmp(name, "clnp") == 0) 5441 v = ISO8473_CLNP; 5442 else 5443 bpf_error("unknown osi proto '%s'", name); 5444 break; 5445 5446 default: 5447 v = PROTO_UNDEF; 5448 break; 5449 } 5450 return v; 5451 } 5452 5453 #if 0 5454 struct stmt * 5455 gen_joinsp(s, n) 5456 struct stmt **s; 5457 int n; 5458 { 5459 return NULL; 5460 } 5461 #endif 5462 5463 static struct block * 5464 gen_protochain(v, proto, dir) 5465 int v; 5466 int proto; 5467 int dir; 5468 { 5469 #ifdef NO_PROTOCHAIN 5470 return gen_proto(v, proto, dir); 5471 #else 5472 struct block *b0, *b; 5473 struct slist *s[100]; 5474 int fix2, fix3, fix4, fix5; 5475 int ahcheck, again, end; 5476 int i, max; 5477 int reg2 = alloc_reg(); 5478 5479 memset(s, 0, sizeof(s)); 5480 fix2 = fix3 = fix4 = fix5 = 0; 5481 5482 switch (proto) { 5483 case Q_IP: 5484 case Q_IPV6: 5485 break; 5486 case Q_DEFAULT: 5487 b0 = gen_protochain(v, Q_IP, dir); 5488 b = gen_protochain(v, Q_IPV6, dir); 5489 gen_or(b0, b); 5490 return b; 5491 default: 5492 bpf_error("bad protocol applied for 'protochain'"); 5493 /*NOTREACHED*/ 5494 } 5495 5496 /* 5497 * We don't handle variable-length prefixes before the link-layer 5498 * header, or variable-length link-layer headers, here yet. 5499 * We might want to add BPF instructions to do the protochain 5500 * work, to simplify that and, on platforms that have a BPF 5501 * interpreter with the new instructions, let the filtering 5502 * be done in the kernel. (We already require a modified BPF 5503 * engine to do the protochain stuff, to support backward 5504 * branches, and backward branch support is unlikely to appear 5505 * in kernel BPF engines.) 5506 */ 5507 switch (linktype) { 5508 5509 case DLT_IEEE802_11: 5510 case DLT_PRISM_HEADER: 5511 case DLT_IEEE802_11_RADIO_AVS: 5512 case DLT_IEEE802_11_RADIO: 5513 case DLT_PPI: 5514 bpf_error("'protochain' not supported with 802.11"); 5515 } 5516 5517 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5518 5519 /* 5520 * s[0] is a dummy entry to protect other BPF insn from damage 5521 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5522 * hard to find interdependency made by jump table fixup. 5523 */ 5524 i = 0; 5525 s[i] = new_stmt(0); /*dummy*/ 5526 i++; 5527 5528 switch (proto) { 5529 case Q_IP: 5530 b0 = gen_linktype(ETHERTYPE_IP); 5531 5532 /* A = ip->ip_p */ 5533 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5534 s[i]->s.k = off_macpl + off_nl + 9; 5535 i++; 5536 /* X = ip->ip_hl << 2 */ 5537 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5538 s[i]->s.k = off_macpl + off_nl; 5539 i++; 5540 break; 5541 5542 case Q_IPV6: 5543 b0 = gen_linktype(ETHERTYPE_IPV6); 5544 5545 /* A = ip6->ip_nxt */ 5546 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5547 s[i]->s.k = off_macpl + off_nl + 6; 5548 i++; 5549 /* X = sizeof(struct ip6_hdr) */ 5550 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5551 s[i]->s.k = 40; 5552 i++; 5553 break; 5554 5555 default: 5556 bpf_error("unsupported proto to gen_protochain"); 5557 /*NOTREACHED*/ 5558 } 5559 5560 /* again: if (A == v) goto end; else fall through; */ 5561 again = i; 5562 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5563 s[i]->s.k = v; 5564 s[i]->s.jt = NULL; /*later*/ 5565 s[i]->s.jf = NULL; /*update in next stmt*/ 5566 fix5 = i; 5567 i++; 5568 5569 #ifndef IPPROTO_NONE 5570 #define IPPROTO_NONE 59 5571 #endif 5572 /* if (A == IPPROTO_NONE) goto end */ 5573 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5574 s[i]->s.jt = NULL; /*later*/ 5575 s[i]->s.jf = NULL; /*update in next stmt*/ 5576 s[i]->s.k = IPPROTO_NONE; 5577 s[fix5]->s.jf = s[i]; 5578 fix2 = i; 5579 i++; 5580 5581 if (proto == Q_IPV6) { 5582 int v6start, v6end, v6advance, j; 5583 5584 v6start = i; 5585 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5586 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5587 s[i]->s.jt = NULL; /*later*/ 5588 s[i]->s.jf = NULL; /*update in next stmt*/ 5589 s[i]->s.k = IPPROTO_HOPOPTS; 5590 s[fix2]->s.jf = s[i]; 5591 i++; 5592 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5593 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5594 s[i]->s.jt = NULL; /*later*/ 5595 s[i]->s.jf = NULL; /*update in next stmt*/ 5596 s[i]->s.k = IPPROTO_DSTOPTS; 5597 i++; 5598 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5599 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5600 s[i]->s.jt = NULL; /*later*/ 5601 s[i]->s.jf = NULL; /*update in next stmt*/ 5602 s[i]->s.k = IPPROTO_ROUTING; 5603 i++; 5604 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5605 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5606 s[i]->s.jt = NULL; /*later*/ 5607 s[i]->s.jf = NULL; /*later*/ 5608 s[i]->s.k = IPPROTO_FRAGMENT; 5609 fix3 = i; 5610 v6end = i; 5611 i++; 5612 5613 /* v6advance: */ 5614 v6advance = i; 5615 5616 /* 5617 * in short, 5618 * A = P[X + packet head]; 5619 * X = X + (P[X + packet head + 1] + 1) * 8; 5620 */ 5621 /* A = P[X + packet head] */ 5622 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5623 s[i]->s.k = off_macpl + off_nl; 5624 i++; 5625 /* MEM[reg2] = A */ 5626 s[i] = new_stmt(BPF_ST); 5627 s[i]->s.k = reg2; 5628 i++; 5629 /* A = P[X + packet head + 1]; */ 5630 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5631 s[i]->s.k = off_macpl + off_nl + 1; 5632 i++; 5633 /* A += 1 */ 5634 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5635 s[i]->s.k = 1; 5636 i++; 5637 /* A *= 8 */ 5638 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5639 s[i]->s.k = 8; 5640 i++; 5641 /* A += X */ 5642 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5643 s[i]->s.k = 0; 5644 i++; 5645 /* X = A; */ 5646 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5647 i++; 5648 /* A = MEM[reg2] */ 5649 s[i] = new_stmt(BPF_LD|BPF_MEM); 5650 s[i]->s.k = reg2; 5651 i++; 5652 5653 /* goto again; (must use BPF_JA for backward jump) */ 5654 s[i] = new_stmt(BPF_JMP|BPF_JA); 5655 s[i]->s.k = again - i - 1; 5656 s[i - 1]->s.jf = s[i]; 5657 i++; 5658 5659 /* fixup */ 5660 for (j = v6start; j <= v6end; j++) 5661 s[j]->s.jt = s[v6advance]; 5662 } else { 5663 /* nop */ 5664 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5665 s[i]->s.k = 0; 5666 s[fix2]->s.jf = s[i]; 5667 i++; 5668 } 5669 5670 /* ahcheck: */ 5671 ahcheck = i; 5672 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5673 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5674 s[i]->s.jt = NULL; /*later*/ 5675 s[i]->s.jf = NULL; /*later*/ 5676 s[i]->s.k = IPPROTO_AH; 5677 if (fix3) 5678 s[fix3]->s.jf = s[ahcheck]; 5679 fix4 = i; 5680 i++; 5681 5682 /* 5683 * in short, 5684 * A = P[X]; 5685 * X = X + (P[X + 1] + 2) * 4; 5686 */ 5687 /* A = X */ 5688 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5689 i++; 5690 /* A = P[X + packet head]; */ 5691 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5692 s[i]->s.k = off_macpl + off_nl; 5693 i++; 5694 /* MEM[reg2] = A */ 5695 s[i] = new_stmt(BPF_ST); 5696 s[i]->s.k = reg2; 5697 i++; 5698 /* A = X */ 5699 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5700 i++; 5701 /* A += 1 */ 5702 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5703 s[i]->s.k = 1; 5704 i++; 5705 /* X = A */ 5706 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5707 i++; 5708 /* A = P[X + packet head] */ 5709 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5710 s[i]->s.k = off_macpl + off_nl; 5711 i++; 5712 /* A += 2 */ 5713 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5714 s[i]->s.k = 2; 5715 i++; 5716 /* A *= 4 */ 5717 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5718 s[i]->s.k = 4; 5719 i++; 5720 /* X = A; */ 5721 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5722 i++; 5723 /* A = MEM[reg2] */ 5724 s[i] = new_stmt(BPF_LD|BPF_MEM); 5725 s[i]->s.k = reg2; 5726 i++; 5727 5728 /* goto again; (must use BPF_JA for backward jump) */ 5729 s[i] = new_stmt(BPF_JMP|BPF_JA); 5730 s[i]->s.k = again - i - 1; 5731 i++; 5732 5733 /* end: nop */ 5734 end = i; 5735 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5736 s[i]->s.k = 0; 5737 s[fix2]->s.jt = s[end]; 5738 s[fix4]->s.jf = s[end]; 5739 s[fix5]->s.jt = s[end]; 5740 i++; 5741 5742 /* 5743 * make slist chain 5744 */ 5745 max = i; 5746 for (i = 0; i < max - 1; i++) 5747 s[i]->next = s[i + 1]; 5748 s[max - 1]->next = NULL; 5749 5750 /* 5751 * emit final check 5752 */ 5753 b = new_block(JMP(BPF_JEQ)); 5754 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5755 b->s.k = v; 5756 5757 free_reg(reg2); 5758 5759 gen_and(b0, b); 5760 return b; 5761 #endif 5762 } 5763 5764 static struct block * 5765 gen_check_802_11_data_frame() 5766 { 5767 struct slist *s; 5768 struct block *b0, *b1; 5769 5770 /* 5771 * A data frame has the 0x08 bit (b3) in the frame control field set 5772 * and the 0x04 bit (b2) clear. 5773 */ 5774 s = gen_load_a(OR_LINK, 0, BPF_B); 5775 b0 = new_block(JMP(BPF_JSET)); 5776 b0->s.k = 0x08; 5777 b0->stmts = s; 5778 5779 s = gen_load_a(OR_LINK, 0, BPF_B); 5780 b1 = new_block(JMP(BPF_JSET)); 5781 b1->s.k = 0x04; 5782 b1->stmts = s; 5783 gen_not(b1); 5784 5785 gen_and(b1, b0); 5786 5787 return b0; 5788 } 5789 5790 /* 5791 * Generate code that checks whether the packet is a packet for protocol 5792 * <proto> and whether the type field in that protocol's header has 5793 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5794 * IP packet and checks the protocol number in the IP header against <v>. 5795 * 5796 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5797 * against Q_IP and Q_IPV6. 5798 */ 5799 static struct block * 5800 gen_proto(v, proto, dir) 5801 int v; 5802 int proto; 5803 int dir; 5804 { 5805 struct block *b0, *b1; 5806 #ifndef CHASE_CHAIN 5807 struct block *b2; 5808 #endif 5809 5810 if (dir != Q_DEFAULT) 5811 bpf_error("direction applied to 'proto'"); 5812 5813 switch (proto) { 5814 case Q_DEFAULT: 5815 b0 = gen_proto(v, Q_IP, dir); 5816 b1 = gen_proto(v, Q_IPV6, dir); 5817 gen_or(b0, b1); 5818 return b1; 5819 5820 case Q_IP: 5821 /* 5822 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5823 * not LLC encapsulation with LLCSAP_IP. 5824 * 5825 * For IEEE 802 networks - which includes 802.5 token ring 5826 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5827 * says that SNAP encapsulation is used, not LLC encapsulation 5828 * with LLCSAP_IP. 5829 * 5830 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5831 * RFC 2225 say that SNAP encapsulation is used, not LLC 5832 * encapsulation with LLCSAP_IP. 5833 * 5834 * So we always check for ETHERTYPE_IP. 5835 */ 5836 b0 = gen_linktype(ETHERTYPE_IP); 5837 #ifndef CHASE_CHAIN 5838 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5839 #else 5840 b1 = gen_protochain(v, Q_IP); 5841 #endif 5842 gen_and(b0, b1); 5843 return b1; 5844 5845 case Q_ISO: 5846 switch (linktype) { 5847 5848 case DLT_FRELAY: 5849 /* 5850 * Frame Relay packets typically have an OSI 5851 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5852 * generates code to check for all the OSI 5853 * NLPIDs, so calling it and then adding a check 5854 * for the particular NLPID for which we're 5855 * looking is bogus, as we can just check for 5856 * the NLPID. 5857 * 5858 * What we check for is the NLPID and a frame 5859 * control field value of UI, i.e. 0x03 followed 5860 * by the NLPID. 5861 * 5862 * XXX - assumes a 2-byte Frame Relay header with 5863 * DLCI and flags. What if the address is longer? 5864 * 5865 * XXX - what about SNAP-encapsulated frames? 5866 */ 5867 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5868 /*NOTREACHED*/ 5869 break; 5870 5871 case DLT_C_HDLC: 5872 /* 5873 * Cisco uses an Ethertype lookalike - for OSI, 5874 * it's 0xfefe. 5875 */ 5876 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5877 /* OSI in C-HDLC is stuffed with a fudge byte */ 5878 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5879 gen_and(b0, b1); 5880 return b1; 5881 5882 default: 5883 b0 = gen_linktype(LLCSAP_ISONS); 5884 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5885 gen_and(b0, b1); 5886 return b1; 5887 } 5888 5889 case Q_ISIS: 5890 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5891 /* 5892 * 4 is the offset of the PDU type relative to the IS-IS 5893 * header. 5894 */ 5895 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5896 gen_and(b0, b1); 5897 return b1; 5898 5899 case Q_ARP: 5900 bpf_error("arp does not encapsulate another protocol"); 5901 /* NOTREACHED */ 5902 5903 case Q_RARP: 5904 bpf_error("rarp does not encapsulate another protocol"); 5905 /* NOTREACHED */ 5906 5907 case Q_ATALK: 5908 bpf_error("atalk encapsulation is not specifiable"); 5909 /* NOTREACHED */ 5910 5911 case Q_DECNET: 5912 bpf_error("decnet encapsulation is not specifiable"); 5913 /* NOTREACHED */ 5914 5915 case Q_SCA: 5916 bpf_error("sca does not encapsulate another protocol"); 5917 /* NOTREACHED */ 5918 5919 case Q_LAT: 5920 bpf_error("lat does not encapsulate another protocol"); 5921 /* NOTREACHED */ 5922 5923 case Q_MOPRC: 5924 bpf_error("moprc does not encapsulate another protocol"); 5925 /* NOTREACHED */ 5926 5927 case Q_MOPDL: 5928 bpf_error("mopdl does not encapsulate another protocol"); 5929 /* NOTREACHED */ 5930 5931 case Q_LINK: 5932 return gen_linktype(v); 5933 5934 case Q_UDP: 5935 bpf_error("'udp proto' is bogus"); 5936 /* NOTREACHED */ 5937 5938 case Q_TCP: 5939 bpf_error("'tcp proto' is bogus"); 5940 /* NOTREACHED */ 5941 5942 case Q_SCTP: 5943 bpf_error("'sctp proto' is bogus"); 5944 /* NOTREACHED */ 5945 5946 case Q_ICMP: 5947 bpf_error("'icmp proto' is bogus"); 5948 /* NOTREACHED */ 5949 5950 case Q_IGMP: 5951 bpf_error("'igmp proto' is bogus"); 5952 /* NOTREACHED */ 5953 5954 case Q_IGRP: 5955 bpf_error("'igrp proto' is bogus"); 5956 /* NOTREACHED */ 5957 5958 case Q_PIM: 5959 bpf_error("'pim proto' is bogus"); 5960 /* NOTREACHED */ 5961 5962 case Q_VRRP: 5963 bpf_error("'vrrp proto' is bogus"); 5964 /* NOTREACHED */ 5965 5966 case Q_CARP: 5967 bpf_error("'carp proto' is bogus"); 5968 /* NOTREACHED */ 5969 5970 case Q_IPV6: 5971 b0 = gen_linktype(ETHERTYPE_IPV6); 5972 #ifndef CHASE_CHAIN 5973 /* 5974 * Also check for a fragment header before the final 5975 * header. 5976 */ 5977 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT); 5978 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v); 5979 gen_and(b2, b1); 5980 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 5981 gen_or(b2, b1); 5982 #else 5983 b1 = gen_protochain(v, Q_IPV6); 5984 #endif 5985 gen_and(b0, b1); 5986 return b1; 5987 5988 case Q_ICMPV6: 5989 bpf_error("'icmp6 proto' is bogus"); 5990 5991 case Q_AH: 5992 bpf_error("'ah proto' is bogus"); 5993 5994 case Q_ESP: 5995 bpf_error("'ah proto' is bogus"); 5996 5997 case Q_STP: 5998 bpf_error("'stp proto' is bogus"); 5999 6000 case Q_IPX: 6001 bpf_error("'ipx proto' is bogus"); 6002 6003 case Q_NETBEUI: 6004 bpf_error("'netbeui proto' is bogus"); 6005 6006 case Q_RADIO: 6007 bpf_error("'radio proto' is bogus"); 6008 6009 default: 6010 abort(); 6011 /* NOTREACHED */ 6012 } 6013 /* NOTREACHED */ 6014 } 6015 6016 struct block * 6017 gen_scode(name, q) 6018 register const char *name; 6019 struct qual q; 6020 { 6021 int proto = q.proto; 6022 int dir = q.dir; 6023 int tproto; 6024 u_char *eaddr; 6025 bpf_u_int32 mask, addr; 6026 #ifndef INET6 6027 bpf_u_int32 **alist; 6028 #else 6029 int tproto6; 6030 struct sockaddr_in *sin4; 6031 struct sockaddr_in6 *sin6; 6032 struct addrinfo *res, *res0; 6033 struct in6_addr mask128; 6034 #endif /*INET6*/ 6035 struct block *b, *tmp; 6036 int port, real_proto; 6037 int port1, port2; 6038 6039 switch (q.addr) { 6040 6041 case Q_NET: 6042 addr = pcap_nametonetaddr(name); 6043 if (addr == 0) 6044 bpf_error("unknown network '%s'", name); 6045 /* Left justify network addr and calculate its network mask */ 6046 mask = 0xffffffff; 6047 while (addr && (addr & 0xff000000) == 0) { 6048 addr <<= 8; 6049 mask <<= 8; 6050 } 6051 return gen_host(addr, mask, proto, dir, q.addr); 6052 6053 case Q_DEFAULT: 6054 case Q_HOST: 6055 if (proto == Q_LINK) { 6056 switch (linktype) { 6057 6058 case DLT_EN10MB: 6059 case DLT_NETANALYZER: 6060 case DLT_NETANALYZER_TRANSPARENT: 6061 eaddr = pcap_ether_hostton(name); 6062 if (eaddr == NULL) 6063 bpf_error( 6064 "unknown ether host '%s'", name); 6065 b = gen_ehostop(eaddr, dir); 6066 free(eaddr); 6067 return b; 6068 6069 case DLT_FDDI: 6070 eaddr = pcap_ether_hostton(name); 6071 if (eaddr == NULL) 6072 bpf_error( 6073 "unknown FDDI host '%s'", name); 6074 b = gen_fhostop(eaddr, dir); 6075 free(eaddr); 6076 return b; 6077 6078 case DLT_IEEE802: 6079 eaddr = pcap_ether_hostton(name); 6080 if (eaddr == NULL) 6081 bpf_error( 6082 "unknown token ring host '%s'", name); 6083 b = gen_thostop(eaddr, dir); 6084 free(eaddr); 6085 return b; 6086 6087 case DLT_IEEE802_11: 6088 case DLT_PRISM_HEADER: 6089 case DLT_IEEE802_11_RADIO_AVS: 6090 case DLT_IEEE802_11_RADIO: 6091 case DLT_PPI: 6092 eaddr = pcap_ether_hostton(name); 6093 if (eaddr == NULL) 6094 bpf_error( 6095 "unknown 802.11 host '%s'", name); 6096 b = gen_wlanhostop(eaddr, dir); 6097 free(eaddr); 6098 return b; 6099 6100 case DLT_IP_OVER_FC: 6101 eaddr = pcap_ether_hostton(name); 6102 if (eaddr == NULL) 6103 bpf_error( 6104 "unknown Fibre Channel host '%s'", name); 6105 b = gen_ipfchostop(eaddr, dir); 6106 free(eaddr); 6107 return b; 6108 6109 case DLT_SUNATM: 6110 if (!is_lane) 6111 break; 6112 6113 /* 6114 * Check that the packet doesn't begin 6115 * with an LE Control marker. (We've 6116 * already generated a test for LANE.) 6117 */ 6118 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6119 BPF_H, 0xFF00); 6120 gen_not(tmp); 6121 6122 eaddr = pcap_ether_hostton(name); 6123 if (eaddr == NULL) 6124 bpf_error( 6125 "unknown ether host '%s'", name); 6126 b = gen_ehostop(eaddr, dir); 6127 gen_and(tmp, b); 6128 free(eaddr); 6129 return b; 6130 } 6131 6132 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6133 } else if (proto == Q_DECNET) { 6134 unsigned short dn_addr = __pcap_nametodnaddr(name); 6135 /* 6136 * I don't think DECNET hosts can be multihomed, so 6137 * there is no need to build up a list of addresses 6138 */ 6139 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6140 } else { 6141 #ifndef INET6 6142 alist = pcap_nametoaddr(name); 6143 if (alist == NULL || *alist == NULL) 6144 bpf_error("unknown host '%s'", name); 6145 tproto = proto; 6146 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6147 tproto = Q_IP; 6148 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6149 while (*alist) { 6150 tmp = gen_host(**alist++, 0xffffffff, 6151 tproto, dir, q.addr); 6152 gen_or(b, tmp); 6153 b = tmp; 6154 } 6155 return b; 6156 #else 6157 memset(&mask128, 0xff, sizeof(mask128)); 6158 res0 = res = pcap_nametoaddrinfo(name); 6159 if (res == NULL) 6160 bpf_error("unknown host '%s'", name); 6161 ai = res; 6162 b = tmp = NULL; 6163 tproto = tproto6 = proto; 6164 if (off_linktype == -1 && tproto == Q_DEFAULT) { 6165 tproto = Q_IP; 6166 tproto6 = Q_IPV6; 6167 } 6168 for (res = res0; res; res = res->ai_next) { 6169 switch (res->ai_family) { 6170 case AF_INET: 6171 if (tproto == Q_IPV6) 6172 continue; 6173 6174 sin4 = (struct sockaddr_in *) 6175 res->ai_addr; 6176 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6177 0xffffffff, tproto, dir, q.addr); 6178 break; 6179 case AF_INET6: 6180 if (tproto6 == Q_IP) 6181 continue; 6182 6183 sin6 = (struct sockaddr_in6 *) 6184 res->ai_addr; 6185 tmp = gen_host6(&sin6->sin6_addr, 6186 &mask128, tproto6, dir, q.addr); 6187 break; 6188 default: 6189 continue; 6190 } 6191 if (b) 6192 gen_or(b, tmp); 6193 b = tmp; 6194 } 6195 ai = NULL; 6196 freeaddrinfo(res0); 6197 if (b == NULL) { 6198 bpf_error("unknown host '%s'%s", name, 6199 (proto == Q_DEFAULT) 6200 ? "" 6201 : " for specified address family"); 6202 } 6203 return b; 6204 #endif /*INET6*/ 6205 } 6206 6207 case Q_PORT: 6208 if (proto != Q_DEFAULT && 6209 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6210 bpf_error("illegal qualifier of 'port'"); 6211 if (pcap_nametoport(name, &port, &real_proto) == 0) 6212 bpf_error("unknown port '%s'", name); 6213 if (proto == Q_UDP) { 6214 if (real_proto == IPPROTO_TCP) 6215 bpf_error("port '%s' is tcp", name); 6216 else if (real_proto == IPPROTO_SCTP) 6217 bpf_error("port '%s' is sctp", name); 6218 else 6219 /* override PROTO_UNDEF */ 6220 real_proto = IPPROTO_UDP; 6221 } 6222 if (proto == Q_TCP) { 6223 if (real_proto == IPPROTO_UDP) 6224 bpf_error("port '%s' is udp", name); 6225 6226 else if (real_proto == IPPROTO_SCTP) 6227 bpf_error("port '%s' is sctp", name); 6228 else 6229 /* override PROTO_UNDEF */ 6230 real_proto = IPPROTO_TCP; 6231 } 6232 if (proto == Q_SCTP) { 6233 if (real_proto == IPPROTO_UDP) 6234 bpf_error("port '%s' is udp", name); 6235 6236 else if (real_proto == IPPROTO_TCP) 6237 bpf_error("port '%s' is tcp", name); 6238 else 6239 /* override PROTO_UNDEF */ 6240 real_proto = IPPROTO_SCTP; 6241 } 6242 if (port < 0) 6243 bpf_error("illegal port number %d < 0", port); 6244 if (port > 65535) 6245 bpf_error("illegal port number %d > 65535", port); 6246 b = gen_port(port, real_proto, dir); 6247 gen_or(gen_port6(port, real_proto, dir), b); 6248 return b; 6249 6250 case Q_PORTRANGE: 6251 if (proto != Q_DEFAULT && 6252 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6253 bpf_error("illegal qualifier of 'portrange'"); 6254 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6255 bpf_error("unknown port in range '%s'", name); 6256 if (proto == Q_UDP) { 6257 if (real_proto == IPPROTO_TCP) 6258 bpf_error("port in range '%s' is tcp", name); 6259 else if (real_proto == IPPROTO_SCTP) 6260 bpf_error("port in range '%s' is sctp", name); 6261 else 6262 /* override PROTO_UNDEF */ 6263 real_proto = IPPROTO_UDP; 6264 } 6265 if (proto == Q_TCP) { 6266 if (real_proto == IPPROTO_UDP) 6267 bpf_error("port in range '%s' is udp", name); 6268 else if (real_proto == IPPROTO_SCTP) 6269 bpf_error("port in range '%s' is sctp", name); 6270 else 6271 /* override PROTO_UNDEF */ 6272 real_proto = IPPROTO_TCP; 6273 } 6274 if (proto == Q_SCTP) { 6275 if (real_proto == IPPROTO_UDP) 6276 bpf_error("port in range '%s' is udp", name); 6277 else if (real_proto == IPPROTO_TCP) 6278 bpf_error("port in range '%s' is tcp", name); 6279 else 6280 /* override PROTO_UNDEF */ 6281 real_proto = IPPROTO_SCTP; 6282 } 6283 if (port1 < 0) 6284 bpf_error("illegal port number %d < 0", port1); 6285 if (port1 > 65535) 6286 bpf_error("illegal port number %d > 65535", port1); 6287 if (port2 < 0) 6288 bpf_error("illegal port number %d < 0", port2); 6289 if (port2 > 65535) 6290 bpf_error("illegal port number %d > 65535", port2); 6291 6292 b = gen_portrange(port1, port2, real_proto, dir); 6293 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6294 return b; 6295 6296 case Q_GATEWAY: 6297 #ifndef INET6 6298 eaddr = pcap_ether_hostton(name); 6299 if (eaddr == NULL) 6300 bpf_error("unknown ether host: %s", name); 6301 6302 alist = pcap_nametoaddr(name); 6303 if (alist == NULL || *alist == NULL) 6304 bpf_error("unknown host '%s'", name); 6305 b = gen_gateway(eaddr, alist, proto, dir); 6306 free(eaddr); 6307 return b; 6308 #else 6309 bpf_error("'gateway' not supported in this configuration"); 6310 #endif /*INET6*/ 6311 6312 case Q_PROTO: 6313 real_proto = lookup_proto(name, proto); 6314 if (real_proto >= 0) 6315 return gen_proto(real_proto, proto, dir); 6316 else 6317 bpf_error("unknown protocol: %s", name); 6318 6319 case Q_PROTOCHAIN: 6320 real_proto = lookup_proto(name, proto); 6321 if (real_proto >= 0) 6322 return gen_protochain(real_proto, proto, dir); 6323 else 6324 bpf_error("unknown protocol: %s", name); 6325 6326 case Q_UNDEF: 6327 syntax(); 6328 /* NOTREACHED */ 6329 } 6330 abort(); 6331 /* NOTREACHED */ 6332 } 6333 6334 struct block * 6335 gen_mcode(s1, s2, masklen, q) 6336 register const char *s1, *s2; 6337 register int masklen; 6338 struct qual q; 6339 { 6340 register int nlen, mlen; 6341 bpf_u_int32 n, m; 6342 6343 nlen = __pcap_atoin(s1, &n); 6344 /* Promote short ipaddr */ 6345 n <<= 32 - nlen; 6346 6347 if (s2 != NULL) { 6348 mlen = __pcap_atoin(s2, &m); 6349 /* Promote short ipaddr */ 6350 m <<= 32 - mlen; 6351 if ((n & ~m) != 0) 6352 bpf_error("non-network bits set in \"%s mask %s\"", 6353 s1, s2); 6354 } else { 6355 /* Convert mask len to mask */ 6356 if (masklen > 32) 6357 bpf_error("mask length must be <= 32"); 6358 if (masklen == 0) { 6359 /* 6360 * X << 32 is not guaranteed by C to be 0; it's 6361 * undefined. 6362 */ 6363 m = 0; 6364 } else 6365 m = 0xffffffff << (32 - masklen); 6366 if ((n & ~m) != 0) 6367 bpf_error("non-network bits set in \"%s/%d\"", 6368 s1, masklen); 6369 } 6370 6371 switch (q.addr) { 6372 6373 case Q_NET: 6374 return gen_host(n, m, q.proto, q.dir, q.addr); 6375 6376 default: 6377 bpf_error("Mask syntax for networks only"); 6378 /* NOTREACHED */ 6379 } 6380 /* NOTREACHED */ 6381 return NULL; 6382 } 6383 6384 struct block * 6385 gen_ncode(s, v, q) 6386 register const char *s; 6387 bpf_u_int32 v; 6388 struct qual q; 6389 { 6390 bpf_u_int32 mask; 6391 int proto = q.proto; 6392 int dir = q.dir; 6393 register int vlen; 6394 6395 if (s == NULL) 6396 vlen = 32; 6397 else if (q.proto == Q_DECNET) 6398 vlen = __pcap_atodn(s, &v); 6399 else 6400 vlen = __pcap_atoin(s, &v); 6401 6402 switch (q.addr) { 6403 6404 case Q_DEFAULT: 6405 case Q_HOST: 6406 case Q_NET: 6407 if (proto == Q_DECNET) 6408 return gen_host(v, 0, proto, dir, q.addr); 6409 else if (proto == Q_LINK) { 6410 bpf_error("illegal link layer address"); 6411 } else { 6412 mask = 0xffffffff; 6413 if (s == NULL && q.addr == Q_NET) { 6414 /* Promote short net number */ 6415 while (v && (v & 0xff000000) == 0) { 6416 v <<= 8; 6417 mask <<= 8; 6418 } 6419 } else { 6420 /* Promote short ipaddr */ 6421 v <<= 32 - vlen; 6422 mask <<= 32 - vlen; 6423 } 6424 return gen_host(v, mask, proto, dir, q.addr); 6425 } 6426 6427 case Q_PORT: 6428 if (proto == Q_UDP) 6429 proto = IPPROTO_UDP; 6430 else if (proto == Q_TCP) 6431 proto = IPPROTO_TCP; 6432 else if (proto == Q_SCTP) 6433 proto = IPPROTO_SCTP; 6434 else if (proto == Q_DEFAULT) 6435 proto = PROTO_UNDEF; 6436 else 6437 bpf_error("illegal qualifier of 'port'"); 6438 6439 if (v > 65535) 6440 bpf_error("illegal port number %u > 65535", v); 6441 6442 { 6443 struct block *b; 6444 b = gen_port((int)v, proto, dir); 6445 gen_or(gen_port6((int)v, proto, dir), b); 6446 return b; 6447 } 6448 6449 case Q_PORTRANGE: 6450 if (proto == Q_UDP) 6451 proto = IPPROTO_UDP; 6452 else if (proto == Q_TCP) 6453 proto = IPPROTO_TCP; 6454 else if (proto == Q_SCTP) 6455 proto = IPPROTO_SCTP; 6456 else if (proto == Q_DEFAULT) 6457 proto = PROTO_UNDEF; 6458 else 6459 bpf_error("illegal qualifier of 'portrange'"); 6460 6461 if (v > 65535) 6462 bpf_error("illegal port number %u > 65535", v); 6463 6464 { 6465 struct block *b; 6466 b = gen_portrange((int)v, (int)v, proto, dir); 6467 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6468 return b; 6469 } 6470 6471 case Q_GATEWAY: 6472 bpf_error("'gateway' requires a name"); 6473 /* NOTREACHED */ 6474 6475 case Q_PROTO: 6476 return gen_proto((int)v, proto, dir); 6477 6478 case Q_PROTOCHAIN: 6479 return gen_protochain((int)v, proto, dir); 6480 6481 case Q_UNDEF: 6482 syntax(); 6483 /* NOTREACHED */ 6484 6485 default: 6486 abort(); 6487 /* NOTREACHED */ 6488 } 6489 /* NOTREACHED */ 6490 } 6491 6492 #ifdef INET6 6493 struct block * 6494 gen_mcode6(s1, s2, masklen, q) 6495 register const char *s1, *s2; 6496 register int masklen; 6497 struct qual q; 6498 { 6499 struct addrinfo *res; 6500 struct in6_addr *addr; 6501 struct in6_addr mask; 6502 struct block *b; 6503 u_int32_t *a, *m; 6504 6505 if (s2) 6506 bpf_error("no mask %s supported", s2); 6507 6508 res = pcap_nametoaddrinfo(s1); 6509 if (!res) 6510 bpf_error("invalid ip6 address %s", s1); 6511 ai = res; 6512 if (res->ai_next) 6513 bpf_error("%s resolved to multiple address", s1); 6514 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6515 6516 if (sizeof(mask) * 8 < masklen) 6517 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6518 memset(&mask, 0, sizeof(mask)); 6519 memset(&mask, 0xff, masklen / 8); 6520 if (masklen % 8) { 6521 mask.s6_addr[masklen / 8] = 6522 (0xff << (8 - masklen % 8)) & 0xff; 6523 } 6524 6525 a = (u_int32_t *)addr; 6526 m = (u_int32_t *)&mask; 6527 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6528 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6529 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6530 } 6531 6532 switch (q.addr) { 6533 6534 case Q_DEFAULT: 6535 case Q_HOST: 6536 if (masklen != 128) 6537 bpf_error("Mask syntax for networks only"); 6538 /* FALLTHROUGH */ 6539 6540 case Q_NET: 6541 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6542 ai = NULL; 6543 freeaddrinfo(res); 6544 return b; 6545 6546 default: 6547 bpf_error("invalid qualifier against IPv6 address"); 6548 /* NOTREACHED */ 6549 } 6550 return NULL; 6551 } 6552 #endif /*INET6*/ 6553 6554 struct block * 6555 gen_ecode(eaddr, q) 6556 register const u_char *eaddr; 6557 struct qual q; 6558 { 6559 struct block *b, *tmp; 6560 6561 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6562 switch (linktype) { 6563 case DLT_EN10MB: 6564 case DLT_NETANALYZER: 6565 case DLT_NETANALYZER_TRANSPARENT: 6566 return gen_ehostop(eaddr, (int)q.dir); 6567 case DLT_FDDI: 6568 return gen_fhostop(eaddr, (int)q.dir); 6569 case DLT_IEEE802: 6570 return gen_thostop(eaddr, (int)q.dir); 6571 case DLT_IEEE802_11: 6572 case DLT_PRISM_HEADER: 6573 case DLT_IEEE802_11_RADIO_AVS: 6574 case DLT_IEEE802_11_RADIO: 6575 case DLT_PPI: 6576 return gen_wlanhostop(eaddr, (int)q.dir); 6577 case DLT_SUNATM: 6578 if (is_lane) { 6579 /* 6580 * Check that the packet doesn't begin with an 6581 * LE Control marker. (We've already generated 6582 * a test for LANE.) 6583 */ 6584 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6585 0xFF00); 6586 gen_not(tmp); 6587 6588 /* 6589 * Now check the MAC address. 6590 */ 6591 b = gen_ehostop(eaddr, (int)q.dir); 6592 gen_and(tmp, b); 6593 return b; 6594 } 6595 break; 6596 case DLT_IP_OVER_FC: 6597 return gen_ipfchostop(eaddr, (int)q.dir); 6598 default: 6599 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6600 break; 6601 } 6602 } 6603 bpf_error("ethernet address used in non-ether expression"); 6604 /* NOTREACHED */ 6605 return NULL; 6606 } 6607 6608 void 6609 sappend(s0, s1) 6610 struct slist *s0, *s1; 6611 { 6612 /* 6613 * This is definitely not the best way to do this, but the 6614 * lists will rarely get long. 6615 */ 6616 while (s0->next) 6617 s0 = s0->next; 6618 s0->next = s1; 6619 } 6620 6621 static struct slist * 6622 xfer_to_x(a) 6623 struct arth *a; 6624 { 6625 struct slist *s; 6626 6627 s = new_stmt(BPF_LDX|BPF_MEM); 6628 s->s.k = a->regno; 6629 return s; 6630 } 6631 6632 static struct slist * 6633 xfer_to_a(a) 6634 struct arth *a; 6635 { 6636 struct slist *s; 6637 6638 s = new_stmt(BPF_LD|BPF_MEM); 6639 s->s.k = a->regno; 6640 return s; 6641 } 6642 6643 /* 6644 * Modify "index" to use the value stored into its register as an 6645 * offset relative to the beginning of the header for the protocol 6646 * "proto", and allocate a register and put an item "size" bytes long 6647 * (1, 2, or 4) at that offset into that register, making it the register 6648 * for "index". 6649 */ 6650 struct arth * 6651 gen_load(proto, inst, size) 6652 int proto; 6653 struct arth *inst; 6654 int size; 6655 { 6656 struct slist *s, *tmp; 6657 struct block *b; 6658 int regno = alloc_reg(); 6659 6660 free_reg(inst->regno); 6661 switch (size) { 6662 6663 default: 6664 bpf_error("data size must be 1, 2, or 4"); 6665 6666 case 1: 6667 size = BPF_B; 6668 break; 6669 6670 case 2: 6671 size = BPF_H; 6672 break; 6673 6674 case 4: 6675 size = BPF_W; 6676 break; 6677 } 6678 switch (proto) { 6679 default: 6680 bpf_error("unsupported index operation"); 6681 6682 case Q_RADIO: 6683 /* 6684 * The offset is relative to the beginning of the packet 6685 * data, if we have a radio header. (If we don't, this 6686 * is an error.) 6687 */ 6688 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6689 linktype != DLT_IEEE802_11_RADIO && 6690 linktype != DLT_PRISM_HEADER) 6691 bpf_error("radio information not present in capture"); 6692 6693 /* 6694 * Load into the X register the offset computed into the 6695 * register specified by "index". 6696 */ 6697 s = xfer_to_x(inst); 6698 6699 /* 6700 * Load the item at that offset. 6701 */ 6702 tmp = new_stmt(BPF_LD|BPF_IND|size); 6703 sappend(s, tmp); 6704 sappend(inst->s, s); 6705 break; 6706 6707 case Q_LINK: 6708 /* 6709 * The offset is relative to the beginning of 6710 * the link-layer header. 6711 * 6712 * XXX - what about ATM LANE? Should the index be 6713 * relative to the beginning of the AAL5 frame, so 6714 * that 0 refers to the beginning of the LE Control 6715 * field, or relative to the beginning of the LAN 6716 * frame, so that 0 refers, for Ethernet LANE, to 6717 * the beginning of the destination address? 6718 */ 6719 s = gen_llprefixlen(); 6720 6721 /* 6722 * If "s" is non-null, it has code to arrange that the 6723 * X register contains the length of the prefix preceding 6724 * the link-layer header. Add to it the offset computed 6725 * into the register specified by "index", and move that 6726 * into the X register. Otherwise, just load into the X 6727 * register the offset computed into the register specified 6728 * by "index". 6729 */ 6730 if (s != NULL) { 6731 sappend(s, xfer_to_a(inst)); 6732 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6733 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6734 } else 6735 s = xfer_to_x(inst); 6736 6737 /* 6738 * Load the item at the sum of the offset we've put in the 6739 * X register and the offset of the start of the link 6740 * layer header (which is 0 if the radio header is 6741 * variable-length; that header length is what we put 6742 * into the X register and then added to the index). 6743 */ 6744 tmp = new_stmt(BPF_LD|BPF_IND|size); 6745 tmp->s.k = off_ll; 6746 sappend(s, tmp); 6747 sappend(inst->s, s); 6748 break; 6749 6750 case Q_IP: 6751 case Q_ARP: 6752 case Q_RARP: 6753 case Q_ATALK: 6754 case Q_DECNET: 6755 case Q_SCA: 6756 case Q_LAT: 6757 case Q_MOPRC: 6758 case Q_MOPDL: 6759 case Q_IPV6: 6760 /* 6761 * The offset is relative to the beginning of 6762 * the network-layer header. 6763 * XXX - are there any cases where we want 6764 * off_nl_nosnap? 6765 */ 6766 s = gen_off_macpl(); 6767 6768 /* 6769 * If "s" is non-null, it has code to arrange that the 6770 * X register contains the offset of the MAC-layer 6771 * payload. Add to it the offset computed into the 6772 * register specified by "index", and move that into 6773 * the X register. Otherwise, just load into the X 6774 * register the offset computed into the register specified 6775 * by "index". 6776 */ 6777 if (s != NULL) { 6778 sappend(s, xfer_to_a(inst)); 6779 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6780 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6781 } else 6782 s = xfer_to_x(inst); 6783 6784 /* 6785 * Load the item at the sum of the offset we've put in the 6786 * X register, the offset of the start of the network 6787 * layer header from the beginning of the MAC-layer 6788 * payload, and the purported offset of the start of the 6789 * MAC-layer payload (which might be 0 if there's a 6790 * variable-length prefix before the link-layer header 6791 * or the link-layer header itself is variable-length; 6792 * the variable-length offset of the start of the 6793 * MAC-layer payload is what we put into the X register 6794 * and then added to the index). 6795 */ 6796 tmp = new_stmt(BPF_LD|BPF_IND|size); 6797 tmp->s.k = off_macpl + off_nl; 6798 sappend(s, tmp); 6799 sappend(inst->s, s); 6800 6801 /* 6802 * Do the computation only if the packet contains 6803 * the protocol in question. 6804 */ 6805 b = gen_proto_abbrev(proto); 6806 if (inst->b) 6807 gen_and(inst->b, b); 6808 inst->b = b; 6809 break; 6810 6811 case Q_SCTP: 6812 case Q_TCP: 6813 case Q_UDP: 6814 case Q_ICMP: 6815 case Q_IGMP: 6816 case Q_IGRP: 6817 case Q_PIM: 6818 case Q_VRRP: 6819 case Q_CARP: 6820 /* 6821 * The offset is relative to the beginning of 6822 * the transport-layer header. 6823 * 6824 * Load the X register with the length of the IPv4 header 6825 * (plus the offset of the link-layer header, if it's 6826 * a variable-length header), in bytes. 6827 * 6828 * XXX - are there any cases where we want 6829 * off_nl_nosnap? 6830 * XXX - we should, if we're built with 6831 * IPv6 support, generate code to load either 6832 * IPv4, IPv6, or both, as appropriate. 6833 */ 6834 s = gen_loadx_iphdrlen(); 6835 6836 /* 6837 * The X register now contains the sum of the length 6838 * of any variable-length header preceding the link-layer 6839 * header, any variable-length link-layer header, and the 6840 * length of the network-layer header. 6841 * 6842 * Load into the A register the offset relative to 6843 * the beginning of the transport layer header, 6844 * add the X register to that, move that to the 6845 * X register, and load with an offset from the 6846 * X register equal to the offset of the network 6847 * layer header relative to the beginning of 6848 * the MAC-layer payload plus the fixed-length 6849 * portion of the offset of the MAC-layer payload 6850 * from the beginning of the raw packet data. 6851 */ 6852 sappend(s, xfer_to_a(inst)); 6853 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6854 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6855 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6856 tmp->s.k = off_macpl + off_nl; 6857 sappend(inst->s, s); 6858 6859 /* 6860 * Do the computation only if the packet contains 6861 * the protocol in question - which is true only 6862 * if this is an IP datagram and is the first or 6863 * only fragment of that datagram. 6864 */ 6865 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6866 if (inst->b) 6867 gen_and(inst->b, b); 6868 gen_and(gen_proto_abbrev(Q_IP), b); 6869 inst->b = b; 6870 break; 6871 case Q_ICMPV6: 6872 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6873 /*NOTREACHED*/ 6874 } 6875 inst->regno = regno; 6876 s = new_stmt(BPF_ST); 6877 s->s.k = regno; 6878 sappend(inst->s, s); 6879 6880 return inst; 6881 } 6882 6883 struct block * 6884 gen_relation(code, a0, a1, reversed) 6885 int code; 6886 struct arth *a0, *a1; 6887 int reversed; 6888 { 6889 struct slist *s0, *s1, *s2; 6890 struct block *b, *tmp; 6891 6892 s0 = xfer_to_x(a1); 6893 s1 = xfer_to_a(a0); 6894 if (code == BPF_JEQ) { 6895 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6896 b = new_block(JMP(code)); 6897 sappend(s1, s2); 6898 } 6899 else 6900 b = new_block(BPF_JMP|code|BPF_X); 6901 if (reversed) 6902 gen_not(b); 6903 6904 sappend(s0, s1); 6905 sappend(a1->s, s0); 6906 sappend(a0->s, a1->s); 6907 6908 b->stmts = a0->s; 6909 6910 free_reg(a0->regno); 6911 free_reg(a1->regno); 6912 6913 /* 'and' together protocol checks */ 6914 if (a0->b) { 6915 if (a1->b) { 6916 gen_and(a0->b, tmp = a1->b); 6917 } 6918 else 6919 tmp = a0->b; 6920 } else 6921 tmp = a1->b; 6922 6923 if (tmp) 6924 gen_and(tmp, b); 6925 6926 return b; 6927 } 6928 6929 struct arth * 6930 gen_loadlen() 6931 { 6932 int regno = alloc_reg(); 6933 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6934 struct slist *s; 6935 6936 s = new_stmt(BPF_LD|BPF_LEN); 6937 s->next = new_stmt(BPF_ST); 6938 s->next->s.k = regno; 6939 a->s = s; 6940 a->regno = regno; 6941 6942 return a; 6943 } 6944 6945 struct arth * 6946 gen_loadi(val) 6947 int val; 6948 { 6949 struct arth *a; 6950 struct slist *s; 6951 int reg; 6952 6953 a = (struct arth *)newchunk(sizeof(*a)); 6954 6955 reg = alloc_reg(); 6956 6957 s = new_stmt(BPF_LD|BPF_IMM); 6958 s->s.k = val; 6959 s->next = new_stmt(BPF_ST); 6960 s->next->s.k = reg; 6961 a->s = s; 6962 a->regno = reg; 6963 6964 return a; 6965 } 6966 6967 struct arth * 6968 gen_neg(a) 6969 struct arth *a; 6970 { 6971 struct slist *s; 6972 6973 s = xfer_to_a(a); 6974 sappend(a->s, s); 6975 s = new_stmt(BPF_ALU|BPF_NEG); 6976 s->s.k = 0; 6977 sappend(a->s, s); 6978 s = new_stmt(BPF_ST); 6979 s->s.k = a->regno; 6980 sappend(a->s, s); 6981 6982 return a; 6983 } 6984 6985 struct arth * 6986 gen_arth(code, a0, a1) 6987 int code; 6988 struct arth *a0, *a1; 6989 { 6990 struct slist *s0, *s1, *s2; 6991 6992 s0 = xfer_to_x(a1); 6993 s1 = xfer_to_a(a0); 6994 s2 = new_stmt(BPF_ALU|BPF_X|code); 6995 6996 sappend(s1, s2); 6997 sappend(s0, s1); 6998 sappend(a1->s, s0); 6999 sappend(a0->s, a1->s); 7000 7001 free_reg(a0->regno); 7002 free_reg(a1->regno); 7003 7004 s0 = new_stmt(BPF_ST); 7005 a0->regno = s0->s.k = alloc_reg(); 7006 sappend(a0->s, s0); 7007 7008 return a0; 7009 } 7010 7011 /* 7012 * Here we handle simple allocation of the scratch registers. 7013 * If too many registers are alloc'd, the allocator punts. 7014 */ 7015 static int regused[BPF_MEMWORDS]; 7016 static int curreg; 7017 7018 /* 7019 * Initialize the table of used registers and the current register. 7020 */ 7021 static void 7022 init_regs() 7023 { 7024 curreg = 0; 7025 memset(regused, 0, sizeof regused); 7026 } 7027 7028 /* 7029 * Return the next free register. 7030 */ 7031 static int 7032 alloc_reg() 7033 { 7034 int n = BPF_MEMWORDS; 7035 7036 while (--n >= 0) { 7037 if (regused[curreg]) 7038 curreg = (curreg + 1) % BPF_MEMWORDS; 7039 else { 7040 regused[curreg] = 1; 7041 return curreg; 7042 } 7043 } 7044 bpf_error("too many registers needed to evaluate expression"); 7045 /* NOTREACHED */ 7046 return 0; 7047 } 7048 7049 /* 7050 * Return a register to the table so it can 7051 * be used later. 7052 */ 7053 static void 7054 free_reg(n) 7055 int n; 7056 { 7057 regused[n] = 0; 7058 } 7059 7060 static struct block * 7061 gen_len(jmp, n) 7062 int jmp, n; 7063 { 7064 struct slist *s; 7065 struct block *b; 7066 7067 s = new_stmt(BPF_LD|BPF_LEN); 7068 b = new_block(JMP(jmp)); 7069 b->stmts = s; 7070 b->s.k = n; 7071 7072 return b; 7073 } 7074 7075 struct block * 7076 gen_greater(n) 7077 int n; 7078 { 7079 return gen_len(BPF_JGE, n); 7080 } 7081 7082 /* 7083 * Actually, this is less than or equal. 7084 */ 7085 struct block * 7086 gen_less(n) 7087 int n; 7088 { 7089 struct block *b; 7090 7091 b = gen_len(BPF_JGT, n); 7092 gen_not(b); 7093 7094 return b; 7095 } 7096 7097 /* 7098 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7099 * the beginning of the link-layer header. 7100 * XXX - that means you can't test values in the radiotap header, but 7101 * as that header is difficult if not impossible to parse generally 7102 * without a loop, that might not be a severe problem. A new keyword 7103 * "radio" could be added for that, although what you'd really want 7104 * would be a way of testing particular radio header values, which 7105 * would generate code appropriate to the radio header in question. 7106 */ 7107 struct block * 7108 gen_byteop(op, idx, val) 7109 int op, idx, val; 7110 { 7111 struct block *b; 7112 struct slist *s; 7113 7114 switch (op) { 7115 default: 7116 abort(); 7117 7118 case '=': 7119 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7120 7121 case '<': 7122 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7123 return b; 7124 7125 case '>': 7126 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7127 return b; 7128 7129 case '|': 7130 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7131 break; 7132 7133 case '&': 7134 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7135 break; 7136 } 7137 s->s.k = val; 7138 b = new_block(JMP(BPF_JEQ)); 7139 b->stmts = s; 7140 gen_not(b); 7141 7142 return b; 7143 } 7144 7145 static u_char abroadcast[] = { 0x0 }; 7146 7147 struct block * 7148 gen_broadcast(proto) 7149 int proto; 7150 { 7151 bpf_u_int32 hostmask; 7152 struct block *b0, *b1, *b2; 7153 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7154 7155 switch (proto) { 7156 7157 case Q_DEFAULT: 7158 case Q_LINK: 7159 switch (linktype) { 7160 case DLT_ARCNET: 7161 case DLT_ARCNET_LINUX: 7162 return gen_ahostop(abroadcast, Q_DST); 7163 case DLT_EN10MB: 7164 case DLT_NETANALYZER: 7165 case DLT_NETANALYZER_TRANSPARENT: 7166 return gen_ehostop(ebroadcast, Q_DST); 7167 case DLT_FDDI: 7168 return gen_fhostop(ebroadcast, Q_DST); 7169 case DLT_IEEE802: 7170 return gen_thostop(ebroadcast, Q_DST); 7171 case DLT_IEEE802_11: 7172 case DLT_PRISM_HEADER: 7173 case DLT_IEEE802_11_RADIO_AVS: 7174 case DLT_IEEE802_11_RADIO: 7175 case DLT_PPI: 7176 return gen_wlanhostop(ebroadcast, Q_DST); 7177 case DLT_IP_OVER_FC: 7178 return gen_ipfchostop(ebroadcast, Q_DST); 7179 case DLT_SUNATM: 7180 if (is_lane) { 7181 /* 7182 * Check that the packet doesn't begin with an 7183 * LE Control marker. (We've already generated 7184 * a test for LANE.) 7185 */ 7186 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7187 BPF_H, 0xFF00); 7188 gen_not(b1); 7189 7190 /* 7191 * Now check the MAC address. 7192 */ 7193 b0 = gen_ehostop(ebroadcast, Q_DST); 7194 gen_and(b1, b0); 7195 return b0; 7196 } 7197 break; 7198 default: 7199 bpf_error("not a broadcast link"); 7200 } 7201 break; 7202 7203 case Q_IP: 7204 /* 7205 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7206 * as an indication that we don't know the netmask, and fail 7207 * in that case. 7208 */ 7209 if (netmask == PCAP_NETMASK_UNKNOWN) 7210 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7211 b0 = gen_linktype(ETHERTYPE_IP); 7212 hostmask = ~netmask; 7213 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7214 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7215 (bpf_int32)(~0 & hostmask), hostmask); 7216 gen_or(b1, b2); 7217 gen_and(b0, b2); 7218 return b2; 7219 } 7220 bpf_error("only link-layer/IP broadcast filters supported"); 7221 /* NOTREACHED */ 7222 return NULL; 7223 } 7224 7225 /* 7226 * Generate code to test the low-order bit of a MAC address (that's 7227 * the bottom bit of the *first* byte). 7228 */ 7229 static struct block * 7230 gen_mac_multicast(offset) 7231 int offset; 7232 { 7233 register struct block *b0; 7234 register struct slist *s; 7235 7236 /* link[offset] & 1 != 0 */ 7237 s = gen_load_a(OR_LINK, offset, BPF_B); 7238 b0 = new_block(JMP(BPF_JSET)); 7239 b0->s.k = 1; 7240 b0->stmts = s; 7241 return b0; 7242 } 7243 7244 struct block * 7245 gen_multicast(proto) 7246 int proto; 7247 { 7248 register struct block *b0, *b1, *b2; 7249 register struct slist *s; 7250 7251 switch (proto) { 7252 7253 case Q_DEFAULT: 7254 case Q_LINK: 7255 switch (linktype) { 7256 case DLT_ARCNET: 7257 case DLT_ARCNET_LINUX: 7258 /* all ARCnet multicasts use the same address */ 7259 return gen_ahostop(abroadcast, Q_DST); 7260 case DLT_EN10MB: 7261 case DLT_NETANALYZER: 7262 case DLT_NETANALYZER_TRANSPARENT: 7263 /* ether[0] & 1 != 0 */ 7264 return gen_mac_multicast(0); 7265 case DLT_FDDI: 7266 /* 7267 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7268 * 7269 * XXX - was that referring to bit-order issues? 7270 */ 7271 /* fddi[1] & 1 != 0 */ 7272 return gen_mac_multicast(1); 7273 case DLT_IEEE802: 7274 /* tr[2] & 1 != 0 */ 7275 return gen_mac_multicast(2); 7276 case DLT_IEEE802_11: 7277 case DLT_PRISM_HEADER: 7278 case DLT_IEEE802_11_RADIO_AVS: 7279 case DLT_IEEE802_11_RADIO: 7280 case DLT_PPI: 7281 /* 7282 * Oh, yuk. 7283 * 7284 * For control frames, there is no DA. 7285 * 7286 * For management frames, DA is at an 7287 * offset of 4 from the beginning of 7288 * the packet. 7289 * 7290 * For data frames, DA is at an offset 7291 * of 4 from the beginning of the packet 7292 * if To DS is clear and at an offset of 7293 * 16 from the beginning of the packet 7294 * if To DS is set. 7295 */ 7296 7297 /* 7298 * Generate the tests to be done for data frames. 7299 * 7300 * First, check for To DS set, i.e. "link[1] & 0x01". 7301 */ 7302 s = gen_load_a(OR_LINK, 1, BPF_B); 7303 b1 = new_block(JMP(BPF_JSET)); 7304 b1->s.k = 0x01; /* To DS */ 7305 b1->stmts = s; 7306 7307 /* 7308 * If To DS is set, the DA is at 16. 7309 */ 7310 b0 = gen_mac_multicast(16); 7311 gen_and(b1, b0); 7312 7313 /* 7314 * Now, check for To DS not set, i.e. check 7315 * "!(link[1] & 0x01)". 7316 */ 7317 s = gen_load_a(OR_LINK, 1, BPF_B); 7318 b2 = new_block(JMP(BPF_JSET)); 7319 b2->s.k = 0x01; /* To DS */ 7320 b2->stmts = s; 7321 gen_not(b2); 7322 7323 /* 7324 * If To DS is not set, the DA is at 4. 7325 */ 7326 b1 = gen_mac_multicast(4); 7327 gen_and(b2, b1); 7328 7329 /* 7330 * Now OR together the last two checks. That gives 7331 * the complete set of checks for data frames. 7332 */ 7333 gen_or(b1, b0); 7334 7335 /* 7336 * Now check for a data frame. 7337 * I.e, check "link[0] & 0x08". 7338 */ 7339 s = gen_load_a(OR_LINK, 0, BPF_B); 7340 b1 = new_block(JMP(BPF_JSET)); 7341 b1->s.k = 0x08; 7342 b1->stmts = s; 7343 7344 /* 7345 * AND that with the checks done for data frames. 7346 */ 7347 gen_and(b1, b0); 7348 7349 /* 7350 * If the high-order bit of the type value is 0, this 7351 * is a management frame. 7352 * I.e, check "!(link[0] & 0x08)". 7353 */ 7354 s = gen_load_a(OR_LINK, 0, BPF_B); 7355 b2 = new_block(JMP(BPF_JSET)); 7356 b2->s.k = 0x08; 7357 b2->stmts = s; 7358 gen_not(b2); 7359 7360 /* 7361 * For management frames, the DA is at 4. 7362 */ 7363 b1 = gen_mac_multicast(4); 7364 gen_and(b2, b1); 7365 7366 /* 7367 * OR that with the checks done for data frames. 7368 * That gives the checks done for management and 7369 * data frames. 7370 */ 7371 gen_or(b1, b0); 7372 7373 /* 7374 * If the low-order bit of the type value is 1, 7375 * this is either a control frame or a frame 7376 * with a reserved type, and thus not a 7377 * frame with an SA. 7378 * 7379 * I.e., check "!(link[0] & 0x04)". 7380 */ 7381 s = gen_load_a(OR_LINK, 0, BPF_B); 7382 b1 = new_block(JMP(BPF_JSET)); 7383 b1->s.k = 0x04; 7384 b1->stmts = s; 7385 gen_not(b1); 7386 7387 /* 7388 * AND that with the checks for data and management 7389 * frames. 7390 */ 7391 gen_and(b1, b0); 7392 return b0; 7393 case DLT_IP_OVER_FC: 7394 b0 = gen_mac_multicast(2); 7395 return b0; 7396 case DLT_SUNATM: 7397 if (is_lane) { 7398 /* 7399 * Check that the packet doesn't begin with an 7400 * LE Control marker. (We've already generated 7401 * a test for LANE.) 7402 */ 7403 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7404 BPF_H, 0xFF00); 7405 gen_not(b1); 7406 7407 /* ether[off_mac] & 1 != 0 */ 7408 b0 = gen_mac_multicast(off_mac); 7409 gen_and(b1, b0); 7410 return b0; 7411 } 7412 break; 7413 default: 7414 break; 7415 } 7416 /* Link not known to support multicasts */ 7417 break; 7418 7419 case Q_IP: 7420 b0 = gen_linktype(ETHERTYPE_IP); 7421 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7422 gen_and(b0, b1); 7423 return b1; 7424 7425 case Q_IPV6: 7426 b0 = gen_linktype(ETHERTYPE_IPV6); 7427 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7428 gen_and(b0, b1); 7429 return b1; 7430 } 7431 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7432 /* NOTREACHED */ 7433 return NULL; 7434 } 7435 7436 /* 7437 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7438 * Outbound traffic is sent by this machine, while inbound traffic is 7439 * sent by a remote machine (and may include packets destined for a 7440 * unicast or multicast link-layer address we are not subscribing to). 7441 * These are the same definitions implemented by pcap_setdirection(). 7442 * Capturing only unicast traffic destined for this host is probably 7443 * better accomplished using a higher-layer filter. 7444 */ 7445 struct block * 7446 gen_inbound(dir) 7447 int dir; 7448 { 7449 register struct block *b0; 7450 7451 /* 7452 * Only some data link types support inbound/outbound qualifiers. 7453 */ 7454 switch (linktype) { 7455 case DLT_SLIP: 7456 b0 = gen_relation(BPF_JEQ, 7457 gen_load(Q_LINK, gen_loadi(0), 1), 7458 gen_loadi(0), 7459 dir); 7460 break; 7461 7462 case DLT_IPNET: 7463 if (dir) { 7464 /* match outgoing packets */ 7465 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7466 } else { 7467 /* match incoming packets */ 7468 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7469 } 7470 break; 7471 7472 case DLT_LINUX_SLL: 7473 /* match outgoing packets */ 7474 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7475 if (!dir) { 7476 /* to filter on inbound traffic, invert the match */ 7477 gen_not(b0); 7478 } 7479 break; 7480 7481 #ifdef HAVE_NET_PFVAR_H 7482 case DLT_PFLOG: 7483 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7484 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7485 break; 7486 #endif 7487 7488 case DLT_PPP_PPPD: 7489 if (dir) { 7490 /* match outgoing packets */ 7491 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7492 } else { 7493 /* match incoming packets */ 7494 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7495 } 7496 break; 7497 7498 case DLT_JUNIPER_MFR: 7499 case DLT_JUNIPER_MLFR: 7500 case DLT_JUNIPER_MLPPP: 7501 case DLT_JUNIPER_ATM1: 7502 case DLT_JUNIPER_ATM2: 7503 case DLT_JUNIPER_PPPOE: 7504 case DLT_JUNIPER_PPPOE_ATM: 7505 case DLT_JUNIPER_GGSN: 7506 case DLT_JUNIPER_ES: 7507 case DLT_JUNIPER_MONITOR: 7508 case DLT_JUNIPER_SERVICES: 7509 case DLT_JUNIPER_ETHER: 7510 case DLT_JUNIPER_PPP: 7511 case DLT_JUNIPER_FRELAY: 7512 case DLT_JUNIPER_CHDLC: 7513 case DLT_JUNIPER_VP: 7514 case DLT_JUNIPER_ST: 7515 case DLT_JUNIPER_ISM: 7516 case DLT_JUNIPER_VS: 7517 case DLT_JUNIPER_SRX_E2E: 7518 case DLT_JUNIPER_FIBRECHANNEL: 7519 case DLT_JUNIPER_ATM_CEMIC: 7520 7521 /* juniper flags (including direction) are stored 7522 * the byte after the 3-byte magic number */ 7523 if (dir) { 7524 /* match outgoing packets */ 7525 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7526 } else { 7527 /* match incoming packets */ 7528 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7529 } 7530 break; 7531 7532 default: 7533 /* 7534 * If we have packet meta-data indicating a direction, 7535 * check it, otherwise give up as this link-layer type 7536 * has nothing in the packet data. 7537 */ 7538 #if defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7539 /* 7540 * We infer that this is Linux with PF_PACKET support. 7541 * If this is a *live* capture, we can look at 7542 * special meta-data in the filter expression; 7543 * if it's a savefile, we can't. 7544 */ 7545 if (bpf_pcap->sf.rfile != NULL) { 7546 /* We have a FILE *, so this is a savefile */ 7547 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles", 7548 linktype); 7549 b0 = NULL; 7550 /* NOTREACHED */ 7551 } 7552 /* match outgoing packets */ 7553 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7554 PACKET_OUTGOING); 7555 if (!dir) { 7556 /* to filter on inbound traffic, invert the match */ 7557 gen_not(b0); 7558 } 7559 #else /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7560 bpf_error("inbound/outbound not supported on linktype %d", 7561 linktype); 7562 b0 = NULL; 7563 /* NOTREACHED */ 7564 #endif /* defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7565 } 7566 return (b0); 7567 } 7568 7569 #ifdef HAVE_NET_PFVAR_H 7570 /* PF firewall log matched interface */ 7571 struct block * 7572 gen_pf_ifname(const char *ifname) 7573 { 7574 struct block *b0; 7575 u_int len, off; 7576 7577 if (linktype != DLT_PFLOG) { 7578 bpf_error("ifname supported only on PF linktype"); 7579 /* NOTREACHED */ 7580 } 7581 len = sizeof(((struct pfloghdr *)0)->ifname); 7582 off = offsetof(struct pfloghdr, ifname); 7583 if (strlen(ifname) >= len) { 7584 bpf_error("ifname interface names can only be %d characters", 7585 len-1); 7586 /* NOTREACHED */ 7587 } 7588 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7589 return (b0); 7590 } 7591 7592 /* PF firewall log ruleset name */ 7593 struct block * 7594 gen_pf_ruleset(char *ruleset) 7595 { 7596 struct block *b0; 7597 7598 if (linktype != DLT_PFLOG) { 7599 bpf_error("ruleset supported only on PF linktype"); 7600 /* NOTREACHED */ 7601 } 7602 7603 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7604 bpf_error("ruleset names can only be %ld characters", 7605 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7606 /* NOTREACHED */ 7607 } 7608 7609 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7610 strlen(ruleset), (const u_char *)ruleset); 7611 return (b0); 7612 } 7613 7614 /* PF firewall log rule number */ 7615 struct block * 7616 gen_pf_rnr(int rnr) 7617 { 7618 struct block *b0; 7619 7620 if (linktype != DLT_PFLOG) { 7621 bpf_error("rnr supported only on PF linktype"); 7622 /* NOTREACHED */ 7623 } 7624 7625 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7626 (bpf_int32)rnr); 7627 return (b0); 7628 } 7629 7630 /* PF firewall log sub-rule number */ 7631 struct block * 7632 gen_pf_srnr(int srnr) 7633 { 7634 struct block *b0; 7635 7636 if (linktype != DLT_PFLOG) { 7637 bpf_error("srnr supported only on PF linktype"); 7638 /* NOTREACHED */ 7639 } 7640 7641 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7642 (bpf_int32)srnr); 7643 return (b0); 7644 } 7645 7646 /* PF firewall log reason code */ 7647 struct block * 7648 gen_pf_reason(int reason) 7649 { 7650 struct block *b0; 7651 7652 if (linktype != DLT_PFLOG) { 7653 bpf_error("reason supported only on PF linktype"); 7654 /* NOTREACHED */ 7655 } 7656 7657 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7658 (bpf_int32)reason); 7659 return (b0); 7660 } 7661 7662 /* PF firewall log action */ 7663 struct block * 7664 gen_pf_action(int action) 7665 { 7666 struct block *b0; 7667 7668 if (linktype != DLT_PFLOG) { 7669 bpf_error("action supported only on PF linktype"); 7670 /* NOTREACHED */ 7671 } 7672 7673 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7674 (bpf_int32)action); 7675 return (b0); 7676 } 7677 #else /* !HAVE_NET_PFVAR_H */ 7678 struct block * 7679 gen_pf_ifname(const char *ifname) 7680 { 7681 bpf_error("libpcap was compiled without pf support"); 7682 /* NOTREACHED */ 7683 return (NULL); 7684 } 7685 7686 struct block * 7687 gen_pf_ruleset(char *ruleset) 7688 { 7689 bpf_error("libpcap was compiled on a machine without pf support"); 7690 /* NOTREACHED */ 7691 return (NULL); 7692 } 7693 7694 struct block * 7695 gen_pf_rnr(int rnr) 7696 { 7697 bpf_error("libpcap was compiled on a machine without pf support"); 7698 /* NOTREACHED */ 7699 return (NULL); 7700 } 7701 7702 struct block * 7703 gen_pf_srnr(int srnr) 7704 { 7705 bpf_error("libpcap was compiled on a machine without pf support"); 7706 /* NOTREACHED */ 7707 return (NULL); 7708 } 7709 7710 struct block * 7711 gen_pf_reason(int reason) 7712 { 7713 bpf_error("libpcap was compiled on a machine without pf support"); 7714 /* NOTREACHED */ 7715 return (NULL); 7716 } 7717 7718 struct block * 7719 gen_pf_action(int action) 7720 { 7721 bpf_error("libpcap was compiled on a machine without pf support"); 7722 /* NOTREACHED */ 7723 return (NULL); 7724 } 7725 #endif /* HAVE_NET_PFVAR_H */ 7726 7727 /* IEEE 802.11 wireless header */ 7728 struct block * 7729 gen_p80211_type(int type, int mask) 7730 { 7731 struct block *b0; 7732 7733 switch (linktype) { 7734 7735 case DLT_IEEE802_11: 7736 case DLT_PRISM_HEADER: 7737 case DLT_IEEE802_11_RADIO_AVS: 7738 case DLT_IEEE802_11_RADIO: 7739 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7740 (bpf_int32)mask); 7741 break; 7742 7743 default: 7744 bpf_error("802.11 link-layer types supported only on 802.11"); 7745 /* NOTREACHED */ 7746 } 7747 7748 return (b0); 7749 } 7750 7751 struct block * 7752 gen_p80211_fcdir(int fcdir) 7753 { 7754 struct block *b0; 7755 7756 switch (linktype) { 7757 7758 case DLT_IEEE802_11: 7759 case DLT_PRISM_HEADER: 7760 case DLT_IEEE802_11_RADIO_AVS: 7761 case DLT_IEEE802_11_RADIO: 7762 break; 7763 7764 default: 7765 bpf_error("frame direction supported only with 802.11 headers"); 7766 /* NOTREACHED */ 7767 } 7768 7769 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7770 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7771 7772 return (b0); 7773 } 7774 7775 struct block * 7776 gen_acode(eaddr, q) 7777 register const u_char *eaddr; 7778 struct qual q; 7779 { 7780 switch (linktype) { 7781 7782 case DLT_ARCNET: 7783 case DLT_ARCNET_LINUX: 7784 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7785 q.proto == Q_LINK) 7786 return (gen_ahostop(eaddr, (int)q.dir)); 7787 else { 7788 bpf_error("ARCnet address used in non-arc expression"); 7789 /* NOTREACHED */ 7790 } 7791 break; 7792 7793 default: 7794 bpf_error("aid supported only on ARCnet"); 7795 /* NOTREACHED */ 7796 } 7797 bpf_error("ARCnet address used in non-arc expression"); 7798 /* NOTREACHED */ 7799 return NULL; 7800 } 7801 7802 static struct block * 7803 gen_ahostop(eaddr, dir) 7804 register const u_char *eaddr; 7805 register int dir; 7806 { 7807 register struct block *b0, *b1; 7808 7809 switch (dir) { 7810 /* src comes first, different from Ethernet */ 7811 case Q_SRC: 7812 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7813 7814 case Q_DST: 7815 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7816 7817 case Q_AND: 7818 b0 = gen_ahostop(eaddr, Q_SRC); 7819 b1 = gen_ahostop(eaddr, Q_DST); 7820 gen_and(b0, b1); 7821 return b1; 7822 7823 case Q_DEFAULT: 7824 case Q_OR: 7825 b0 = gen_ahostop(eaddr, Q_SRC); 7826 b1 = gen_ahostop(eaddr, Q_DST); 7827 gen_or(b0, b1); 7828 return b1; 7829 7830 case Q_ADDR1: 7831 bpf_error("'addr1' is only supported on 802.11"); 7832 break; 7833 7834 case Q_ADDR2: 7835 bpf_error("'addr2' is only supported on 802.11"); 7836 break; 7837 7838 case Q_ADDR3: 7839 bpf_error("'addr3' is only supported on 802.11"); 7840 break; 7841 7842 case Q_ADDR4: 7843 bpf_error("'addr4' is only supported on 802.11"); 7844 break; 7845 7846 case Q_RA: 7847 bpf_error("'ra' is only supported on 802.11"); 7848 break; 7849 7850 case Q_TA: 7851 bpf_error("'ta' is only supported on 802.11"); 7852 break; 7853 } 7854 abort(); 7855 /* NOTREACHED */ 7856 } 7857 7858 /* 7859 * support IEEE 802.1Q VLAN trunk over ethernet 7860 */ 7861 struct block * 7862 gen_vlan(vlan_num) 7863 int vlan_num; 7864 { 7865 struct block *b0, *b1; 7866 7867 /* can't check for VLAN-encapsulated packets inside MPLS */ 7868 if (label_stack_depth > 0) 7869 bpf_error("no VLAN match after MPLS"); 7870 7871 /* 7872 * Check for a VLAN packet, and then change the offsets to point 7873 * to the type and data fields within the VLAN packet. Just 7874 * increment the offsets, so that we can support a hierarchy, e.g. 7875 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7876 * VLAN 100. 7877 * 7878 * XXX - this is a bit of a kludge. If we were to split the 7879 * compiler into a parser that parses an expression and 7880 * generates an expression tree, and a code generator that 7881 * takes an expression tree (which could come from our 7882 * parser or from some other parser) and generates BPF code, 7883 * we could perhaps make the offsets parameters of routines 7884 * and, in the handler for an "AND" node, pass to subnodes 7885 * other than the VLAN node the adjusted offsets. 7886 * 7887 * This would mean that "vlan" would, instead of changing the 7888 * behavior of *all* tests after it, change only the behavior 7889 * of tests ANDed with it. That would change the documented 7890 * semantics of "vlan", which might break some expressions. 7891 * However, it would mean that "(vlan and ip) or ip" would check 7892 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7893 * checking only for VLAN-encapsulated IP, so that could still 7894 * be considered worth doing; it wouldn't break expressions 7895 * that are of the form "vlan and ..." or "vlan N and ...", 7896 * which I suspect are the most common expressions involving 7897 * "vlan". "vlan or ..." doesn't necessarily do what the user 7898 * would really want, now, as all the "or ..." tests would 7899 * be done assuming a VLAN, even though the "or" could be viewed 7900 * as meaning "or, if this isn't a VLAN packet...". 7901 */ 7902 orig_nl = off_nl; 7903 7904 switch (linktype) { 7905 7906 case DLT_EN10MB: 7907 case DLT_NETANALYZER: 7908 case DLT_NETANALYZER_TRANSPARENT: 7909 /* check for VLAN, including QinQ */ 7910 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7911 (bpf_int32)ETHERTYPE_8021Q); 7912 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7913 (bpf_int32)ETHERTYPE_8021QINQ); 7914 gen_or(b0,b1); 7915 b0 = b1; 7916 7917 /* If a specific VLAN is requested, check VLAN id */ 7918 if (vlan_num >= 0) { 7919 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7920 (bpf_int32)vlan_num, 0x0fff); 7921 gen_and(b0, b1); 7922 b0 = b1; 7923 } 7924 7925 off_macpl += 4; 7926 off_linktype += 4; 7927 #if 0 7928 off_nl_nosnap += 4; 7929 off_nl += 4; 7930 #endif 7931 break; 7932 7933 default: 7934 bpf_error("no VLAN support for data link type %d", 7935 linktype); 7936 /*NOTREACHED*/ 7937 } 7938 7939 return (b0); 7940 } 7941 7942 /* 7943 * support for MPLS 7944 */ 7945 struct block * 7946 gen_mpls(label_num) 7947 int label_num; 7948 { 7949 struct block *b0,*b1; 7950 7951 /* 7952 * Change the offsets to point to the type and data fields within 7953 * the MPLS packet. Just increment the offsets, so that we 7954 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7955 * capture packets with an outer label of 100000 and an inner 7956 * label of 1024. 7957 * 7958 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7959 */ 7960 orig_nl = off_nl; 7961 7962 if (label_stack_depth > 0) { 7963 /* just match the bottom-of-stack bit clear */ 7964 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 7965 } else { 7966 /* 7967 * Indicate that we're checking MPLS-encapsulated headers, 7968 * to make sure higher level code generators don't try to 7969 * match against IP-related protocols such as Q_ARP, Q_RARP 7970 * etc. 7971 */ 7972 switch (linktype) { 7973 7974 case DLT_C_HDLC: /* fall through */ 7975 case DLT_EN10MB: 7976 case DLT_NETANALYZER: 7977 case DLT_NETANALYZER_TRANSPARENT: 7978 b0 = gen_linktype(ETHERTYPE_MPLS); 7979 break; 7980 7981 case DLT_PPP: 7982 b0 = gen_linktype(PPP_MPLS_UCAST); 7983 break; 7984 7985 /* FIXME add other DLT_s ... 7986 * for Frame-Relay/and ATM this may get messy due to SNAP headers 7987 * leave it for now */ 7988 7989 default: 7990 bpf_error("no MPLS support for data link type %d", 7991 linktype); 7992 b0 = NULL; 7993 /*NOTREACHED*/ 7994 break; 7995 } 7996 } 7997 7998 /* If a specific MPLS label is requested, check it */ 7999 if (label_num >= 0) { 8000 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8001 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 8002 0xfffff000); /* only compare the first 20 bits */ 8003 gen_and(b0, b1); 8004 b0 = b1; 8005 } 8006 8007 off_nl_nosnap += 4; 8008 off_nl += 4; 8009 label_stack_depth++; 8010 return (b0); 8011 } 8012 8013 /* 8014 * Support PPPOE discovery and session. 8015 */ 8016 struct block * 8017 gen_pppoed() 8018 { 8019 /* check for PPPoE discovery */ 8020 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8021 } 8022 8023 struct block * 8024 gen_pppoes() 8025 { 8026 struct block *b0; 8027 8028 /* 8029 * Test against the PPPoE session link-layer type. 8030 */ 8031 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8032 8033 /* 8034 * Change the offsets to point to the type and data fields within 8035 * the PPP packet, and note that this is PPPoE rather than 8036 * raw PPP. 8037 * 8038 * XXX - this is a bit of a kludge. If we were to split the 8039 * compiler into a parser that parses an expression and 8040 * generates an expression tree, and a code generator that 8041 * takes an expression tree (which could come from our 8042 * parser or from some other parser) and generates BPF code, 8043 * we could perhaps make the offsets parameters of routines 8044 * and, in the handler for an "AND" node, pass to subnodes 8045 * other than the PPPoE node the adjusted offsets. 8046 * 8047 * This would mean that "pppoes" would, instead of changing the 8048 * behavior of *all* tests after it, change only the behavior 8049 * of tests ANDed with it. That would change the documented 8050 * semantics of "pppoes", which might break some expressions. 8051 * However, it would mean that "(pppoes and ip) or ip" would check 8052 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8053 * checking only for VLAN-encapsulated IP, so that could still 8054 * be considered worth doing; it wouldn't break expressions 8055 * that are of the form "pppoes and ..." which I suspect are the 8056 * most common expressions involving "pppoes". "pppoes or ..." 8057 * doesn't necessarily do what the user would really want, now, 8058 * as all the "or ..." tests would be done assuming PPPoE, even 8059 * though the "or" could be viewed as meaning "or, if this isn't 8060 * a PPPoE packet...". 8061 */ 8062 orig_linktype = off_linktype; /* save original values */ 8063 orig_nl = off_nl; 8064 is_pppoes = 1; 8065 8066 /* 8067 * The "network-layer" protocol is PPPoE, which has a 6-byte 8068 * PPPoE header, followed by a PPP packet. 8069 * 8070 * There is no HDLC encapsulation for the PPP packet (it's 8071 * encapsulated in PPPoES instead), so the link-layer type 8072 * starts at the first byte of the PPP packet. For PPPoE, 8073 * that offset is relative to the beginning of the total 8074 * link-layer payload, including any 802.2 LLC header, so 8075 * it's 6 bytes past off_nl. 8076 */ 8077 off_linktype = off_nl + 6; 8078 8079 /* 8080 * The network-layer offsets are relative to the beginning 8081 * of the MAC-layer payload; that's past the 6-byte 8082 * PPPoE header and the 2-byte PPP header. 8083 */ 8084 off_nl = 6+2; 8085 off_nl_nosnap = 6+2; 8086 8087 return b0; 8088 } 8089 8090 struct block * 8091 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8092 int atmfield; 8093 bpf_int32 jvalue; 8094 bpf_u_int32 jtype; 8095 int reverse; 8096 { 8097 struct block *b0; 8098 8099 switch (atmfield) { 8100 8101 case A_VPI: 8102 if (!is_atm) 8103 bpf_error("'vpi' supported only on raw ATM"); 8104 if (off_vpi == (u_int)-1) 8105 abort(); 8106 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8107 reverse, jvalue); 8108 break; 8109 8110 case A_VCI: 8111 if (!is_atm) 8112 bpf_error("'vci' supported only on raw ATM"); 8113 if (off_vci == (u_int)-1) 8114 abort(); 8115 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8116 reverse, jvalue); 8117 break; 8118 8119 case A_PROTOTYPE: 8120 if (off_proto == (u_int)-1) 8121 abort(); /* XXX - this isn't on FreeBSD */ 8122 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8123 reverse, jvalue); 8124 break; 8125 8126 case A_MSGTYPE: 8127 if (off_payload == (u_int)-1) 8128 abort(); 8129 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8130 0xffffffff, jtype, reverse, jvalue); 8131 break; 8132 8133 case A_CALLREFTYPE: 8134 if (!is_atm) 8135 bpf_error("'callref' supported only on raw ATM"); 8136 if (off_proto == (u_int)-1) 8137 abort(); 8138 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8139 jtype, reverse, jvalue); 8140 break; 8141 8142 default: 8143 abort(); 8144 } 8145 return b0; 8146 } 8147 8148 struct block * 8149 gen_atmtype_abbrev(type) 8150 int type; 8151 { 8152 struct block *b0, *b1; 8153 8154 switch (type) { 8155 8156 case A_METAC: 8157 /* Get all packets in Meta signalling Circuit */ 8158 if (!is_atm) 8159 bpf_error("'metac' supported only on raw ATM"); 8160 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8161 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8162 gen_and(b0, b1); 8163 break; 8164 8165 case A_BCC: 8166 /* Get all packets in Broadcast Circuit*/ 8167 if (!is_atm) 8168 bpf_error("'bcc' supported only on raw ATM"); 8169 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8170 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8171 gen_and(b0, b1); 8172 break; 8173 8174 case A_OAMF4SC: 8175 /* Get all cells in Segment OAM F4 circuit*/ 8176 if (!is_atm) 8177 bpf_error("'oam4sc' supported only on raw ATM"); 8178 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8179 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8180 gen_and(b0, b1); 8181 break; 8182 8183 case A_OAMF4EC: 8184 /* Get all cells in End-to-End OAM F4 Circuit*/ 8185 if (!is_atm) 8186 bpf_error("'oam4ec' supported only on raw ATM"); 8187 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8188 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8189 gen_and(b0, b1); 8190 break; 8191 8192 case A_SC: 8193 /* Get all packets in connection Signalling Circuit */ 8194 if (!is_atm) 8195 bpf_error("'sc' supported only on raw ATM"); 8196 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8197 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8198 gen_and(b0, b1); 8199 break; 8200 8201 case A_ILMIC: 8202 /* Get all packets in ILMI Circuit */ 8203 if (!is_atm) 8204 bpf_error("'ilmic' supported only on raw ATM"); 8205 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8206 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8207 gen_and(b0, b1); 8208 break; 8209 8210 case A_LANE: 8211 /* Get all LANE packets */ 8212 if (!is_atm) 8213 bpf_error("'lane' supported only on raw ATM"); 8214 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8215 8216 /* 8217 * Arrange that all subsequent tests assume LANE 8218 * rather than LLC-encapsulated packets, and set 8219 * the offsets appropriately for LANE-encapsulated 8220 * Ethernet. 8221 * 8222 * "off_mac" is the offset of the Ethernet header, 8223 * which is 2 bytes past the ATM pseudo-header 8224 * (skipping the pseudo-header and 2-byte LE Client 8225 * field). The other offsets are Ethernet offsets 8226 * relative to "off_mac". 8227 */ 8228 is_lane = 1; 8229 off_mac = off_payload + 2; /* MAC header */ 8230 off_linktype = off_mac + 12; 8231 off_macpl = off_mac + 14; /* Ethernet */ 8232 off_nl = 0; /* Ethernet II */ 8233 off_nl_nosnap = 3; /* 802.3+802.2 */ 8234 break; 8235 8236 case A_LLC: 8237 /* Get all LLC-encapsulated packets */ 8238 if (!is_atm) 8239 bpf_error("'llc' supported only on raw ATM"); 8240 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8241 is_lane = 0; 8242 break; 8243 8244 default: 8245 abort(); 8246 } 8247 return b1; 8248 } 8249 8250 /* 8251 * Filtering for MTP2 messages based on li value 8252 * FISU, length is null 8253 * LSSU, length is 1 or 2 8254 * MSU, length is 3 or more 8255 */ 8256 struct block * 8257 gen_mtp2type_abbrev(type) 8258 int type; 8259 { 8260 struct block *b0, *b1; 8261 8262 switch (type) { 8263 8264 case M_FISU: 8265 if ( (linktype != DLT_MTP2) && 8266 (linktype != DLT_ERF) && 8267 (linktype != DLT_MTP2_WITH_PHDR) ) 8268 bpf_error("'fisu' supported only on MTP2"); 8269 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8270 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8271 break; 8272 8273 case M_LSSU: 8274 if ( (linktype != DLT_MTP2) && 8275 (linktype != DLT_ERF) && 8276 (linktype != DLT_MTP2_WITH_PHDR) ) 8277 bpf_error("'lssu' supported only on MTP2"); 8278 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8279 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8280 gen_and(b1, b0); 8281 break; 8282 8283 case M_MSU: 8284 if ( (linktype != DLT_MTP2) && 8285 (linktype != DLT_ERF) && 8286 (linktype != DLT_MTP2_WITH_PHDR) ) 8287 bpf_error("'msu' supported only on MTP2"); 8288 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8289 break; 8290 8291 default: 8292 abort(); 8293 } 8294 return b0; 8295 } 8296 8297 struct block * 8298 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8299 int mtp3field; 8300 bpf_u_int32 jvalue; 8301 bpf_u_int32 jtype; 8302 int reverse; 8303 { 8304 struct block *b0; 8305 bpf_u_int32 val1 , val2 , val3; 8306 8307 switch (mtp3field) { 8308 8309 case M_SIO: 8310 if (off_sio == (u_int)-1) 8311 bpf_error("'sio' supported only on SS7"); 8312 /* sio coded on 1 byte so max value 255 */ 8313 if(jvalue > 255) 8314 bpf_error("sio value %u too big; max value = 255", 8315 jvalue); 8316 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8317 (u_int)jtype, reverse, (u_int)jvalue); 8318 break; 8319 8320 case M_OPC: 8321 if (off_opc == (u_int)-1) 8322 bpf_error("'opc' supported only on SS7"); 8323 /* opc coded on 14 bits so max value 16383 */ 8324 if (jvalue > 16383) 8325 bpf_error("opc value %u too big; max value = 16383", 8326 jvalue); 8327 /* the following instructions are made to convert jvalue 8328 * to the form used to write opc in an ss7 message*/ 8329 val1 = jvalue & 0x00003c00; 8330 val1 = val1 >>10; 8331 val2 = jvalue & 0x000003fc; 8332 val2 = val2 <<6; 8333 val3 = jvalue & 0x00000003; 8334 val3 = val3 <<22; 8335 jvalue = val1 + val2 + val3; 8336 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8337 (u_int)jtype, reverse, (u_int)jvalue); 8338 break; 8339 8340 case M_DPC: 8341 if (off_dpc == (u_int)-1) 8342 bpf_error("'dpc' supported only on SS7"); 8343 /* dpc coded on 14 bits so max value 16383 */ 8344 if (jvalue > 16383) 8345 bpf_error("dpc value %u too big; max value = 16383", 8346 jvalue); 8347 /* the following instructions are made to convert jvalue 8348 * to the forme used to write dpc in an ss7 message*/ 8349 val1 = jvalue & 0x000000ff; 8350 val1 = val1 << 24; 8351 val2 = jvalue & 0x00003f00; 8352 val2 = val2 << 8; 8353 jvalue = val1 + val2; 8354 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8355 (u_int)jtype, reverse, (u_int)jvalue); 8356 break; 8357 8358 case M_SLS: 8359 if (off_sls == (u_int)-1) 8360 bpf_error("'sls' supported only on SS7"); 8361 /* sls coded on 4 bits so max value 15 */ 8362 if (jvalue > 15) 8363 bpf_error("sls value %u too big; max value = 15", 8364 jvalue); 8365 /* the following instruction is made to convert jvalue 8366 * to the forme used to write sls in an ss7 message*/ 8367 jvalue = jvalue << 4; 8368 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8369 (u_int)jtype,reverse, (u_int)jvalue); 8370 break; 8371 8372 default: 8373 abort(); 8374 } 8375 return b0; 8376 } 8377 8378 static struct block * 8379 gen_msg_abbrev(type) 8380 int type; 8381 { 8382 struct block *b1; 8383 8384 /* 8385 * Q.2931 signalling protocol messages for handling virtual circuits 8386 * establishment and teardown 8387 */ 8388 switch (type) { 8389 8390 case A_SETUP: 8391 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8392 break; 8393 8394 case A_CALLPROCEED: 8395 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8396 break; 8397 8398 case A_CONNECT: 8399 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8400 break; 8401 8402 case A_CONNECTACK: 8403 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8404 break; 8405 8406 case A_RELEASE: 8407 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8408 break; 8409 8410 case A_RELEASE_DONE: 8411 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8412 break; 8413 8414 default: 8415 abort(); 8416 } 8417 return b1; 8418 } 8419 8420 struct block * 8421 gen_atmmulti_abbrev(type) 8422 int type; 8423 { 8424 struct block *b0, *b1; 8425 8426 switch (type) { 8427 8428 case A_OAM: 8429 if (!is_atm) 8430 bpf_error("'oam' supported only on raw ATM"); 8431 b1 = gen_atmmulti_abbrev(A_OAMF4); 8432 break; 8433 8434 case A_OAMF4: 8435 if (!is_atm) 8436 bpf_error("'oamf4' supported only on raw ATM"); 8437 /* OAM F4 type */ 8438 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8439 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8440 gen_or(b0, b1); 8441 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8442 gen_and(b0, b1); 8443 break; 8444 8445 case A_CONNECTMSG: 8446 /* 8447 * Get Q.2931 signalling messages for switched 8448 * virtual connection 8449 */ 8450 if (!is_atm) 8451 bpf_error("'connectmsg' supported only on raw ATM"); 8452 b0 = gen_msg_abbrev(A_SETUP); 8453 b1 = gen_msg_abbrev(A_CALLPROCEED); 8454 gen_or(b0, b1); 8455 b0 = gen_msg_abbrev(A_CONNECT); 8456 gen_or(b0, b1); 8457 b0 = gen_msg_abbrev(A_CONNECTACK); 8458 gen_or(b0, b1); 8459 b0 = gen_msg_abbrev(A_RELEASE); 8460 gen_or(b0, b1); 8461 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8462 gen_or(b0, b1); 8463 b0 = gen_atmtype_abbrev(A_SC); 8464 gen_and(b0, b1); 8465 break; 8466 8467 case A_METACONNECT: 8468 if (!is_atm) 8469 bpf_error("'metaconnect' supported only on raw ATM"); 8470 b0 = gen_msg_abbrev(A_SETUP); 8471 b1 = gen_msg_abbrev(A_CALLPROCEED); 8472 gen_or(b0, b1); 8473 b0 = gen_msg_abbrev(A_CONNECT); 8474 gen_or(b0, b1); 8475 b0 = gen_msg_abbrev(A_RELEASE); 8476 gen_or(b0, b1); 8477 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8478 gen_or(b0, b1); 8479 b0 = gen_atmtype_abbrev(A_METAC); 8480 gen_and(b0, b1); 8481 break; 8482 8483 default: 8484 abort(); 8485 } 8486 return b1; 8487 } 8488