1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * $FreeBSD$ 23 */ 24 #ifndef lint 25 static const char rcsid[] _U_ = 26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.290.2.16 2008-09-22 20:16:01 guy Exp $ (LBL)"; 27 #endif 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef WIN32 34 #include <pcap-stdinc.h> 35 #else /* WIN32 */ 36 #include <sys/types.h> 37 #include <sys/socket.h> 38 #endif /* WIN32 */ 39 40 /* 41 * XXX - why was this included even on UNIX? 42 */ 43 #ifdef __MINGW32__ 44 #include "IP6_misc.h" 45 #endif 46 47 #ifndef WIN32 48 49 #ifdef __NetBSD__ 50 #include <sys/param.h> 51 #endif 52 53 #include <netinet/in.h> 54 55 #endif /* WIN32 */ 56 57 #include <stdlib.h> 58 #include <string.h> 59 #include <memory.h> 60 #include <setjmp.h> 61 #include <stdarg.h> 62 63 #ifdef MSDOS 64 #include "pcap-dos.h" 65 #endif 66 67 #include "pcap-int.h" 68 69 #include "ethertype.h" 70 #include "nlpid.h" 71 #include "llc.h" 72 #include "gencode.h" 73 #include "ieee80211.h" 74 #include "atmuni31.h" 75 #include "sunatmpos.h" 76 #include "ppp.h" 77 #include "pcap/sll.h" 78 #include "arcnet.h" 79 #ifdef HAVE_NET_PFVAR_H 80 #include <sys/socket.h> 81 #include <net/if.h> 82 #include <net/pfvar.h> 83 #include <net/if_pflog.h> 84 #endif 85 #ifndef offsetof 86 #define offsetof(s, e) ((size_t)&((s *)0)->e) 87 #endif 88 #ifdef INET6 89 #ifndef WIN32 90 #include <netdb.h> /* for "struct addrinfo" */ 91 #endif /* WIN32 */ 92 #endif /*INET6*/ 93 #include <pcap/namedb.h> 94 95 #define ETHERMTU 1500 96 97 #ifndef IPPROTO_SCTP 98 #define IPPROTO_SCTP 132 99 #endif 100 101 #ifdef HAVE_OS_PROTO_H 102 #include "os-proto.h" 103 #endif 104 105 #define JMP(c) ((c)|BPF_JMP|BPF_K) 106 107 /* Locals */ 108 static jmp_buf top_ctx; 109 static pcap_t *bpf_pcap; 110 111 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 112 #ifdef WIN32 113 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 114 #else 115 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 116 #endif 117 118 /* XXX */ 119 #ifdef PCAP_FDDIPAD 120 static int pcap_fddipad; 121 #endif 122 123 /* VARARGS */ 124 void 125 bpf_error(const char *fmt, ...) 126 { 127 va_list ap; 128 129 va_start(ap, fmt); 130 if (bpf_pcap != NULL) 131 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 132 fmt, ap); 133 va_end(ap); 134 longjmp(top_ctx, 1); 135 /* NOTREACHED */ 136 } 137 138 static void init_linktype(pcap_t *); 139 140 static void init_regs(void); 141 static int alloc_reg(void); 142 static void free_reg(int); 143 144 static struct block *root; 145 146 /* 147 * Value passed to gen_load_a() to indicate what the offset argument 148 * is relative to. 149 */ 150 enum e_offrel { 151 OR_PACKET, /* relative to the beginning of the packet */ 152 OR_LINK, /* relative to the beginning of the link-layer header */ 153 OR_MACPL, /* relative to the end of the MAC-layer header */ 154 OR_NET, /* relative to the network-layer header */ 155 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 156 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 157 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 158 }; 159 160 /* 161 * We divy out chunks of memory rather than call malloc each time so 162 * we don't have to worry about leaking memory. It's probably 163 * not a big deal if all this memory was wasted but if this ever 164 * goes into a library that would probably not be a good idea. 165 * 166 * XXX - this *is* in a library.... 167 */ 168 #define NCHUNKS 16 169 #define CHUNK0SIZE 1024 170 struct chunk { 171 u_int n_left; 172 void *m; 173 }; 174 175 static struct chunk chunks[NCHUNKS]; 176 static int cur_chunk; 177 178 static void *newchunk(u_int); 179 static void freechunks(void); 180 static inline struct block *new_block(int); 181 static inline struct slist *new_stmt(int); 182 static struct block *gen_retblk(int); 183 static inline void syntax(void); 184 185 static void backpatch(struct block *, struct block *); 186 static void merge(struct block *, struct block *); 187 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 188 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 189 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 190 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 191 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 192 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 193 bpf_u_int32); 194 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 195 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 196 bpf_u_int32, bpf_u_int32, int, bpf_int32); 197 static struct slist *gen_load_llrel(u_int, u_int); 198 static struct slist *gen_load_macplrel(u_int, u_int); 199 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 200 static struct slist *gen_loadx_iphdrlen(void); 201 static struct block *gen_uncond(int); 202 static inline struct block *gen_true(void); 203 static inline struct block *gen_false(void); 204 static struct block *gen_ether_linktype(int); 205 static struct block *gen_linux_sll_linktype(int); 206 static struct slist *gen_load_prism_llprefixlen(void); 207 static struct slist *gen_load_avs_llprefixlen(void); 208 static struct slist *gen_load_radiotap_llprefixlen(void); 209 static struct slist *gen_load_ppi_llprefixlen(void); 210 static void insert_compute_vloffsets(struct block *); 211 static struct slist *gen_llprefixlen(void); 212 static struct slist *gen_off_macpl(void); 213 static int ethertype_to_ppptype(int); 214 static struct block *gen_linktype(int); 215 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 216 static struct block *gen_llc_linktype(int); 217 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 218 #ifdef INET6 219 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 220 #endif 221 static struct block *gen_ahostop(const u_char *, int); 222 static struct block *gen_ehostop(const u_char *, int); 223 static struct block *gen_fhostop(const u_char *, int); 224 static struct block *gen_thostop(const u_char *, int); 225 static struct block *gen_wlanhostop(const u_char *, int); 226 static struct block *gen_ipfchostop(const u_char *, int); 227 static struct block *gen_dnhostop(bpf_u_int32, int); 228 static struct block *gen_mpls_linktype(int); 229 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 230 #ifdef INET6 231 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 232 #endif 233 #ifndef INET6 234 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 235 #endif 236 static struct block *gen_ipfrag(void); 237 static struct block *gen_portatom(int, bpf_int32); 238 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 239 #ifdef INET6 240 static struct block *gen_portatom6(int, bpf_int32); 241 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 242 #endif 243 struct block *gen_portop(int, int, int); 244 static struct block *gen_port(int, int, int); 245 struct block *gen_portrangeop(int, int, int, int); 246 static struct block *gen_portrange(int, int, int, int); 247 #ifdef INET6 248 struct block *gen_portop6(int, int, int); 249 static struct block *gen_port6(int, int, int); 250 struct block *gen_portrangeop6(int, int, int, int); 251 static struct block *gen_portrange6(int, int, int, int); 252 #endif 253 static int lookup_proto(const char *, int); 254 static struct block *gen_protochain(int, int, int); 255 static struct block *gen_proto(int, int, int); 256 static struct slist *xfer_to_x(struct arth *); 257 static struct slist *xfer_to_a(struct arth *); 258 static struct block *gen_mac_multicast(int); 259 static struct block *gen_len(int, int); 260 static struct block *gen_check_802_11_data_frame(void); 261 262 static struct block *gen_ppi_dlt_check(void); 263 static struct block *gen_msg_abbrev(int type); 264 265 static void * 266 newchunk(n) 267 u_int n; 268 { 269 struct chunk *cp; 270 int k; 271 size_t size; 272 273 #ifndef __NetBSD__ 274 /* XXX Round up to nearest long. */ 275 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 276 #else 277 /* XXX Round up to structure boundary. */ 278 n = ALIGN(n); 279 #endif 280 281 cp = &chunks[cur_chunk]; 282 if (n > cp->n_left) { 283 ++cp, k = ++cur_chunk; 284 if (k >= NCHUNKS) 285 bpf_error("out of memory"); 286 size = CHUNK0SIZE << k; 287 cp->m = (void *)malloc(size); 288 if (cp->m == NULL) 289 bpf_error("out of memory"); 290 memset((char *)cp->m, 0, size); 291 cp->n_left = size; 292 if (n > size) 293 bpf_error("out of memory"); 294 } 295 cp->n_left -= n; 296 return (void *)((char *)cp->m + cp->n_left); 297 } 298 299 static void 300 freechunks() 301 { 302 int i; 303 304 cur_chunk = 0; 305 for (i = 0; i < NCHUNKS; ++i) 306 if (chunks[i].m != NULL) { 307 free(chunks[i].m); 308 chunks[i].m = NULL; 309 } 310 } 311 312 /* 313 * A strdup whose allocations are freed after code generation is over. 314 */ 315 char * 316 sdup(s) 317 register const char *s; 318 { 319 int n = strlen(s) + 1; 320 char *cp = newchunk(n); 321 322 strlcpy(cp, s, n); 323 return (cp); 324 } 325 326 static inline struct block * 327 new_block(code) 328 int code; 329 { 330 struct block *p; 331 332 p = (struct block *)newchunk(sizeof(*p)); 333 p->s.code = code; 334 p->head = p; 335 336 return p; 337 } 338 339 static inline struct slist * 340 new_stmt(code) 341 int code; 342 { 343 struct slist *p; 344 345 p = (struct slist *)newchunk(sizeof(*p)); 346 p->s.code = code; 347 348 return p; 349 } 350 351 static struct block * 352 gen_retblk(v) 353 int v; 354 { 355 struct block *b = new_block(BPF_RET|BPF_K); 356 357 b->s.k = v; 358 return b; 359 } 360 361 static inline void 362 syntax() 363 { 364 bpf_error("syntax error in filter expression"); 365 } 366 367 static bpf_u_int32 netmask; 368 static int snaplen; 369 int no_optimize; 370 371 int 372 pcap_compile(pcap_t *p, struct bpf_program *program, 373 const char *buf, int optimize, bpf_u_int32 mask) 374 { 375 extern int n_errors; 376 const char * volatile xbuf = buf; 377 int len; 378 379 no_optimize = 0; 380 n_errors = 0; 381 root = NULL; 382 bpf_pcap = p; 383 init_regs(); 384 if (setjmp(top_ctx)) { 385 lex_cleanup(); 386 freechunks(); 387 return (-1); 388 } 389 390 netmask = mask; 391 392 snaplen = pcap_snapshot(p); 393 if (snaplen == 0) { 394 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 395 "snaplen of 0 rejects all packets"); 396 return -1; 397 } 398 399 lex_init(xbuf ? xbuf : ""); 400 init_linktype(p); 401 (void)pcap_parse(); 402 403 if (n_errors) 404 syntax(); 405 406 if (root == NULL) 407 root = gen_retblk(snaplen); 408 409 if (optimize && !no_optimize) { 410 bpf_optimize(&root); 411 if (root == NULL || 412 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 413 bpf_error("expression rejects all packets"); 414 } 415 program->bf_insns = icode_to_fcode(root, &len); 416 program->bf_len = len; 417 418 lex_cleanup(); 419 freechunks(); 420 return (0); 421 } 422 423 /* 424 * entry point for using the compiler with no pcap open 425 * pass in all the stuff that is needed explicitly instead. 426 */ 427 int 428 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 429 struct bpf_program *program, 430 const char *buf, int optimize, bpf_u_int32 mask) 431 { 432 pcap_t *p; 433 int ret; 434 435 p = pcap_open_dead(linktype_arg, snaplen_arg); 436 if (p == NULL) 437 return (-1); 438 ret = pcap_compile(p, program, buf, optimize, mask); 439 pcap_close(p); 440 return (ret); 441 } 442 443 /* 444 * Clean up a "struct bpf_program" by freeing all the memory allocated 445 * in it. 446 */ 447 void 448 pcap_freecode(struct bpf_program *program) 449 { 450 program->bf_len = 0; 451 if (program->bf_insns != NULL) { 452 free((char *)program->bf_insns); 453 program->bf_insns = NULL; 454 } 455 } 456 457 /* 458 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 459 * which of the jt and jf fields has been resolved and which is a pointer 460 * back to another unresolved block (or nil). At least one of the fields 461 * in each block is already resolved. 462 */ 463 static void 464 backpatch(list, target) 465 struct block *list, *target; 466 { 467 struct block *next; 468 469 while (list) { 470 if (!list->sense) { 471 next = JT(list); 472 JT(list) = target; 473 } else { 474 next = JF(list); 475 JF(list) = target; 476 } 477 list = next; 478 } 479 } 480 481 /* 482 * Merge the lists in b0 and b1, using the 'sense' field to indicate 483 * which of jt and jf is the link. 484 */ 485 static void 486 merge(b0, b1) 487 struct block *b0, *b1; 488 { 489 register struct block **p = &b0; 490 491 /* Find end of list. */ 492 while (*p) 493 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 494 495 /* Concatenate the lists. */ 496 *p = b1; 497 } 498 499 void 500 finish_parse(p) 501 struct block *p; 502 { 503 struct block *ppi_dlt_check; 504 505 /* 506 * Insert before the statements of the first (root) block any 507 * statements needed to load the lengths of any variable-length 508 * headers into registers. 509 * 510 * XXX - a fancier strategy would be to insert those before the 511 * statements of all blocks that use those lengths and that 512 * have no predecessors that use them, so that we only compute 513 * the lengths if we need them. There might be even better 514 * approaches than that. 515 * 516 * However, those strategies would be more complicated, and 517 * as we don't generate code to compute a length if the 518 * program has no tests that use the length, and as most 519 * tests will probably use those lengths, we would just 520 * postpone computing the lengths so that it's not done 521 * for tests that fail early, and it's not clear that's 522 * worth the effort. 523 */ 524 insert_compute_vloffsets(p->head); 525 526 /* 527 * For DLT_PPI captures, generate a check of the per-packet 528 * DLT value to make sure it's DLT_IEEE802_11. 529 */ 530 ppi_dlt_check = gen_ppi_dlt_check(); 531 if (ppi_dlt_check != NULL) 532 gen_and(ppi_dlt_check, p); 533 534 backpatch(p, gen_retblk(snaplen)); 535 p->sense = !p->sense; 536 backpatch(p, gen_retblk(0)); 537 root = p->head; 538 } 539 540 void 541 gen_and(b0, b1) 542 struct block *b0, *b1; 543 { 544 backpatch(b0, b1->head); 545 b0->sense = !b0->sense; 546 b1->sense = !b1->sense; 547 merge(b1, b0); 548 b1->sense = !b1->sense; 549 b1->head = b0->head; 550 } 551 552 void 553 gen_or(b0, b1) 554 struct block *b0, *b1; 555 { 556 b0->sense = !b0->sense; 557 backpatch(b0, b1->head); 558 b0->sense = !b0->sense; 559 merge(b1, b0); 560 b1->head = b0->head; 561 } 562 563 void 564 gen_not(b) 565 struct block *b; 566 { 567 b->sense = !b->sense; 568 } 569 570 static struct block * 571 gen_cmp(offrel, offset, size, v) 572 enum e_offrel offrel; 573 u_int offset, size; 574 bpf_int32 v; 575 { 576 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 577 } 578 579 static struct block * 580 gen_cmp_gt(offrel, offset, size, v) 581 enum e_offrel offrel; 582 u_int offset, size; 583 bpf_int32 v; 584 { 585 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 586 } 587 588 static struct block * 589 gen_cmp_ge(offrel, offset, size, v) 590 enum e_offrel offrel; 591 u_int offset, size; 592 bpf_int32 v; 593 { 594 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 595 } 596 597 static struct block * 598 gen_cmp_lt(offrel, offset, size, v) 599 enum e_offrel offrel; 600 u_int offset, size; 601 bpf_int32 v; 602 { 603 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 604 } 605 606 static struct block * 607 gen_cmp_le(offrel, offset, size, v) 608 enum e_offrel offrel; 609 u_int offset, size; 610 bpf_int32 v; 611 { 612 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 613 } 614 615 static struct block * 616 gen_mcmp(offrel, offset, size, v, mask) 617 enum e_offrel offrel; 618 u_int offset, size; 619 bpf_int32 v; 620 bpf_u_int32 mask; 621 { 622 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 623 } 624 625 static struct block * 626 gen_bcmp(offrel, offset, size, v) 627 enum e_offrel offrel; 628 register u_int offset, size; 629 register const u_char *v; 630 { 631 register struct block *b, *tmp; 632 633 b = NULL; 634 while (size >= 4) { 635 register const u_char *p = &v[size - 4]; 636 bpf_int32 w = ((bpf_int32)p[0] << 24) | 637 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 638 639 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 640 if (b != NULL) 641 gen_and(b, tmp); 642 b = tmp; 643 size -= 4; 644 } 645 while (size >= 2) { 646 register const u_char *p = &v[size - 2]; 647 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 648 649 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 650 if (b != NULL) 651 gen_and(b, tmp); 652 b = tmp; 653 size -= 2; 654 } 655 if (size > 0) { 656 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 657 if (b != NULL) 658 gen_and(b, tmp); 659 b = tmp; 660 } 661 return b; 662 } 663 664 /* 665 * AND the field of size "size" at offset "offset" relative to the header 666 * specified by "offrel" with "mask", and compare it with the value "v" 667 * with the test specified by "jtype"; if "reverse" is true, the test 668 * should test the opposite of "jtype". 669 */ 670 static struct block * 671 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 672 enum e_offrel offrel; 673 bpf_int32 v; 674 bpf_u_int32 offset, size, mask, jtype; 675 int reverse; 676 { 677 struct slist *s, *s2; 678 struct block *b; 679 680 s = gen_load_a(offrel, offset, size); 681 682 if (mask != 0xffffffff) { 683 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 684 s2->s.k = mask; 685 sappend(s, s2); 686 } 687 688 b = new_block(JMP(jtype)); 689 b->stmts = s; 690 b->s.k = v; 691 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 692 gen_not(b); 693 return b; 694 } 695 696 /* 697 * Various code constructs need to know the layout of the data link 698 * layer. These variables give the necessary offsets from the beginning 699 * of the packet data. 700 */ 701 702 /* 703 * This is the offset of the beginning of the link-layer header from 704 * the beginning of the raw packet data. 705 * 706 * It's usually 0, except for 802.11 with a fixed-length radio header. 707 * (For 802.11 with a variable-length radio header, we have to generate 708 * code to compute that offset; off_ll is 0 in that case.) 709 */ 710 static u_int off_ll; 711 712 /* 713 * If there's a variable-length header preceding the link-layer header, 714 * "reg_off_ll" is the register number for a register containing the 715 * length of that header, and therefore the offset of the link-layer 716 * header from the beginning of the raw packet data. Otherwise, 717 * "reg_off_ll" is -1. 718 */ 719 static int reg_off_ll; 720 721 /* 722 * This is the offset of the beginning of the MAC-layer header from 723 * the beginning of the link-layer header. 724 * It's usually 0, except for ATM LANE, where it's the offset, relative 725 * to the beginning of the raw packet data, of the Ethernet header. 726 */ 727 static u_int off_mac; 728 729 /* 730 * This is the offset of the beginning of the MAC-layer payload, 731 * from the beginning of the raw packet data. 732 * 733 * I.e., it's the sum of the length of the link-layer header (without, 734 * for example, any 802.2 LLC header, so it's the MAC-layer 735 * portion of that header), plus any prefix preceding the 736 * link-layer header. 737 */ 738 static u_int off_macpl; 739 740 /* 741 * This is 1 if the offset of the beginning of the MAC-layer payload 742 * from the beginning of the link-layer header is variable-length. 743 */ 744 static int off_macpl_is_variable; 745 746 /* 747 * If the link layer has variable_length headers, "reg_off_macpl" 748 * is the register number for a register containing the length of the 749 * link-layer header plus the length of any variable-length header 750 * preceding the link-layer header. Otherwise, "reg_off_macpl" 751 * is -1. 752 */ 753 static int reg_off_macpl; 754 755 /* 756 * "off_linktype" is the offset to information in the link-layer header 757 * giving the packet type. This offset is relative to the beginning 758 * of the link-layer header (i.e., it doesn't include off_ll). 759 * 760 * For Ethernet, it's the offset of the Ethernet type field. 761 * 762 * For link-layer types that always use 802.2 headers, it's the 763 * offset of the LLC header. 764 * 765 * For PPP, it's the offset of the PPP type field. 766 * 767 * For Cisco HDLC, it's the offset of the CHDLC type field. 768 * 769 * For BSD loopback, it's the offset of the AF_ value. 770 * 771 * For Linux cooked sockets, it's the offset of the type field. 772 * 773 * It's set to -1 for no encapsulation, in which case, IP is assumed. 774 */ 775 static u_int off_linktype; 776 777 /* 778 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 779 * checks to check the PPP header, assumed to follow a LAN-style link- 780 * layer header and a PPPoE session header. 781 */ 782 static int is_pppoes = 0; 783 784 /* 785 * TRUE if the link layer includes an ATM pseudo-header. 786 */ 787 static int is_atm = 0; 788 789 /* 790 * TRUE if "lane" appeared in the filter; it causes us to generate 791 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 792 */ 793 static int is_lane = 0; 794 795 /* 796 * These are offsets for the ATM pseudo-header. 797 */ 798 static u_int off_vpi; 799 static u_int off_vci; 800 static u_int off_proto; 801 802 /* 803 * These are offsets for the MTP2 fields. 804 */ 805 static u_int off_li; 806 807 /* 808 * These are offsets for the MTP3 fields. 809 */ 810 static u_int off_sio; 811 static u_int off_opc; 812 static u_int off_dpc; 813 static u_int off_sls; 814 815 /* 816 * This is the offset of the first byte after the ATM pseudo_header, 817 * or -1 if there is no ATM pseudo-header. 818 */ 819 static u_int off_payload; 820 821 /* 822 * These are offsets to the beginning of the network-layer header. 823 * They are relative to the beginning of the MAC-layer payload (i.e., 824 * they don't include off_ll or off_macpl). 825 * 826 * If the link layer never uses 802.2 LLC: 827 * 828 * "off_nl" and "off_nl_nosnap" are the same. 829 * 830 * If the link layer always uses 802.2 LLC: 831 * 832 * "off_nl" is the offset if there's a SNAP header following 833 * the 802.2 header; 834 * 835 * "off_nl_nosnap" is the offset if there's no SNAP header. 836 * 837 * If the link layer is Ethernet: 838 * 839 * "off_nl" is the offset if the packet is an Ethernet II packet 840 * (we assume no 802.3+802.2+SNAP); 841 * 842 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 843 * with an 802.2 header following it. 844 */ 845 static u_int off_nl; 846 static u_int off_nl_nosnap; 847 848 static int linktype; 849 850 static void 851 init_linktype(p) 852 pcap_t *p; 853 { 854 linktype = pcap_datalink(p); 855 #ifdef PCAP_FDDIPAD 856 pcap_fddipad = p->fddipad; 857 #endif 858 859 /* 860 * Assume it's not raw ATM with a pseudo-header, for now. 861 */ 862 off_mac = 0; 863 is_atm = 0; 864 is_lane = 0; 865 off_vpi = -1; 866 off_vci = -1; 867 off_proto = -1; 868 off_payload = -1; 869 870 /* 871 * And that we're not doing PPPoE. 872 */ 873 is_pppoes = 0; 874 875 /* 876 * And assume we're not doing SS7. 877 */ 878 off_li = -1; 879 off_sio = -1; 880 off_opc = -1; 881 off_dpc = -1; 882 off_sls = -1; 883 884 /* 885 * Also assume it's not 802.11. 886 */ 887 off_ll = 0; 888 off_macpl = 0; 889 off_macpl_is_variable = 0; 890 891 orig_linktype = -1; 892 orig_nl = -1; 893 label_stack_depth = 0; 894 895 reg_off_ll = -1; 896 reg_off_macpl = -1; 897 898 switch (linktype) { 899 900 case DLT_ARCNET: 901 off_linktype = 2; 902 off_macpl = 6; 903 off_nl = 0; /* XXX in reality, variable! */ 904 off_nl_nosnap = 0; /* no 802.2 LLC */ 905 return; 906 907 case DLT_ARCNET_LINUX: 908 off_linktype = 4; 909 off_macpl = 8; 910 off_nl = 0; /* XXX in reality, variable! */ 911 off_nl_nosnap = 0; /* no 802.2 LLC */ 912 return; 913 914 case DLT_EN10MB: 915 off_linktype = 12; 916 off_macpl = 14; /* Ethernet header length */ 917 off_nl = 0; /* Ethernet II */ 918 off_nl_nosnap = 3; /* 802.3+802.2 */ 919 return; 920 921 case DLT_SLIP: 922 /* 923 * SLIP doesn't have a link level type. The 16 byte 924 * header is hacked into our SLIP driver. 925 */ 926 off_linktype = -1; 927 off_macpl = 16; 928 off_nl = 0; 929 off_nl_nosnap = 0; /* no 802.2 LLC */ 930 return; 931 932 case DLT_SLIP_BSDOS: 933 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 934 off_linktype = -1; 935 /* XXX end */ 936 off_macpl = 24; 937 off_nl = 0; 938 off_nl_nosnap = 0; /* no 802.2 LLC */ 939 return; 940 941 case DLT_NULL: 942 case DLT_LOOP: 943 off_linktype = 0; 944 off_macpl = 4; 945 off_nl = 0; 946 off_nl_nosnap = 0; /* no 802.2 LLC */ 947 return; 948 949 case DLT_ENC: 950 off_linktype = 0; 951 off_macpl = 12; 952 off_nl = 0; 953 off_nl_nosnap = 0; /* no 802.2 LLC */ 954 return; 955 956 case DLT_PPP: 957 case DLT_PPP_PPPD: 958 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 959 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 960 off_linktype = 2; 961 off_macpl = 4; 962 off_nl = 0; 963 off_nl_nosnap = 0; /* no 802.2 LLC */ 964 return; 965 966 case DLT_PPP_ETHER: 967 /* 968 * This does no include the Ethernet header, and 969 * only covers session state. 970 */ 971 off_linktype = 6; 972 off_macpl = 8; 973 off_nl = 0; 974 off_nl_nosnap = 0; /* no 802.2 LLC */ 975 return; 976 977 case DLT_PPP_BSDOS: 978 off_linktype = 5; 979 off_macpl = 24; 980 off_nl = 0; 981 off_nl_nosnap = 0; /* no 802.2 LLC */ 982 return; 983 984 case DLT_FDDI: 985 /* 986 * FDDI doesn't really have a link-level type field. 987 * We set "off_linktype" to the offset of the LLC header. 988 * 989 * To check for Ethernet types, we assume that SSAP = SNAP 990 * is being used and pick out the encapsulated Ethernet type. 991 * XXX - should we generate code to check for SNAP? 992 */ 993 off_linktype = 13; 994 #ifdef PCAP_FDDIPAD 995 off_linktype += pcap_fddipad; 996 #endif 997 off_macpl = 13; /* FDDI MAC header length */ 998 #ifdef PCAP_FDDIPAD 999 off_macpl += pcap_fddipad; 1000 #endif 1001 off_nl = 8; /* 802.2+SNAP */ 1002 off_nl_nosnap = 3; /* 802.2 */ 1003 return; 1004 1005 case DLT_IEEE802: 1006 /* 1007 * Token Ring doesn't really have a link-level type field. 1008 * We set "off_linktype" to the offset of the LLC header. 1009 * 1010 * To check for Ethernet types, we assume that SSAP = SNAP 1011 * is being used and pick out the encapsulated Ethernet type. 1012 * XXX - should we generate code to check for SNAP? 1013 * 1014 * XXX - the header is actually variable-length. 1015 * Some various Linux patched versions gave 38 1016 * as "off_linktype" and 40 as "off_nl"; however, 1017 * if a token ring packet has *no* routing 1018 * information, i.e. is not source-routed, the correct 1019 * values are 20 and 22, as they are in the vanilla code. 1020 * 1021 * A packet is source-routed iff the uppermost bit 1022 * of the first byte of the source address, at an 1023 * offset of 8, has the uppermost bit set. If the 1024 * packet is source-routed, the total number of bytes 1025 * of routing information is 2 plus bits 0x1F00 of 1026 * the 16-bit value at an offset of 14 (shifted right 1027 * 8 - figure out which byte that is). 1028 */ 1029 off_linktype = 14; 1030 off_macpl = 14; /* Token Ring MAC header length */ 1031 off_nl = 8; /* 802.2+SNAP */ 1032 off_nl_nosnap = 3; /* 802.2 */ 1033 return; 1034 1035 case DLT_IEEE802_11: 1036 case DLT_PRISM_HEADER: 1037 case DLT_IEEE802_11_RADIO_AVS: 1038 case DLT_IEEE802_11_RADIO: 1039 /* 1040 * 802.11 doesn't really have a link-level type field. 1041 * We set "off_linktype" to the offset of the LLC header. 1042 * 1043 * To check for Ethernet types, we assume that SSAP = SNAP 1044 * is being used and pick out the encapsulated Ethernet type. 1045 * XXX - should we generate code to check for SNAP? 1046 * 1047 * We also handle variable-length radio headers here. 1048 * The Prism header is in theory variable-length, but in 1049 * practice it's always 144 bytes long. However, some 1050 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1051 * sometimes or always supply an AVS header, so we 1052 * have to check whether the radio header is a Prism 1053 * header or an AVS header, so, in practice, it's 1054 * variable-length. 1055 */ 1056 off_linktype = 24; 1057 off_macpl = 0; /* link-layer header is variable-length */ 1058 off_macpl_is_variable = 1; 1059 off_nl = 8; /* 802.2+SNAP */ 1060 off_nl_nosnap = 3; /* 802.2 */ 1061 return; 1062 1063 case DLT_PPI: 1064 /* 1065 * At the moment we treat PPI the same way that we treat 1066 * normal Radiotap encoded packets. The difference is in 1067 * the function that generates the code at the beginning 1068 * to compute the header length. Since this code generator 1069 * of PPI supports bare 802.11 encapsulation only (i.e. 1070 * the encapsulated DLT should be DLT_IEEE802_11) we 1071 * generate code to check for this too. 1072 */ 1073 off_linktype = 24; 1074 off_macpl = 0; /* link-layer header is variable-length */ 1075 off_macpl_is_variable = 1; 1076 off_nl = 8; /* 802.2+SNAP */ 1077 off_nl_nosnap = 3; /* 802.2 */ 1078 return; 1079 1080 case DLT_ATM_RFC1483: 1081 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1082 /* 1083 * assume routed, non-ISO PDUs 1084 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1085 * 1086 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1087 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1088 * latter would presumably be treated the way PPPoE 1089 * should be, so you can do "pppoe and udp port 2049" 1090 * or "pppoa and tcp port 80" and have it check for 1091 * PPPo{A,E} and a PPP protocol of IP and.... 1092 */ 1093 off_linktype = 0; 1094 off_macpl = 0; /* packet begins with LLC header */ 1095 off_nl = 8; /* 802.2+SNAP */ 1096 off_nl_nosnap = 3; /* 802.2 */ 1097 return; 1098 1099 case DLT_SUNATM: 1100 /* 1101 * Full Frontal ATM; you get AALn PDUs with an ATM 1102 * pseudo-header. 1103 */ 1104 is_atm = 1; 1105 off_vpi = SUNATM_VPI_POS; 1106 off_vci = SUNATM_VCI_POS; 1107 off_proto = PROTO_POS; 1108 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1109 off_payload = SUNATM_PKT_BEGIN_POS; 1110 off_linktype = off_payload; 1111 off_macpl = off_payload; /* if LLC-encapsulated */ 1112 off_nl = 8; /* 802.2+SNAP */ 1113 off_nl_nosnap = 3; /* 802.2 */ 1114 return; 1115 1116 case DLT_RAW: 1117 off_linktype = -1; 1118 off_macpl = 0; 1119 off_nl = 0; 1120 off_nl_nosnap = 0; /* no 802.2 LLC */ 1121 return; 1122 1123 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1124 off_linktype = 14; 1125 off_macpl = 16; 1126 off_nl = 0; 1127 off_nl_nosnap = 0; /* no 802.2 LLC */ 1128 return; 1129 1130 case DLT_LTALK: 1131 /* 1132 * LocalTalk does have a 1-byte type field in the LLAP header, 1133 * but really it just indicates whether there is a "short" or 1134 * "long" DDP packet following. 1135 */ 1136 off_linktype = -1; 1137 off_macpl = 0; 1138 off_nl = 0; 1139 off_nl_nosnap = 0; /* no 802.2 LLC */ 1140 return; 1141 1142 case DLT_IP_OVER_FC: 1143 /* 1144 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1145 * link-level type field. We set "off_linktype" to the 1146 * offset of the LLC header. 1147 * 1148 * To check for Ethernet types, we assume that SSAP = SNAP 1149 * is being used and pick out the encapsulated Ethernet type. 1150 * XXX - should we generate code to check for SNAP? RFC 1151 * 2625 says SNAP should be used. 1152 */ 1153 off_linktype = 16; 1154 off_macpl = 16; 1155 off_nl = 8; /* 802.2+SNAP */ 1156 off_nl_nosnap = 3; /* 802.2 */ 1157 return; 1158 1159 case DLT_FRELAY: 1160 /* 1161 * XXX - we should set this to handle SNAP-encapsulated 1162 * frames (NLPID of 0x80). 1163 */ 1164 off_linktype = -1; 1165 off_macpl = 0; 1166 off_nl = 0; 1167 off_nl_nosnap = 0; /* no 802.2 LLC */ 1168 return; 1169 1170 /* 1171 * the only BPF-interesting FRF.16 frames are non-control frames; 1172 * Frame Relay has a variable length link-layer 1173 * so lets start with offset 4 for now and increments later on (FIXME); 1174 */ 1175 case DLT_MFR: 1176 off_linktype = -1; 1177 off_macpl = 0; 1178 off_nl = 4; 1179 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1180 return; 1181 1182 case DLT_APPLE_IP_OVER_IEEE1394: 1183 off_linktype = 16; 1184 off_macpl = 18; 1185 off_nl = 0; 1186 off_nl_nosnap = 0; /* no 802.2 LLC */ 1187 return; 1188 1189 case DLT_LINUX_IRDA: 1190 /* 1191 * Currently, only raw "link[N:M]" filtering is supported. 1192 */ 1193 off_linktype = -1; 1194 off_macpl = -1; 1195 off_nl = -1; 1196 off_nl_nosnap = -1; 1197 return; 1198 1199 case DLT_DOCSIS: 1200 /* 1201 * Currently, only raw "link[N:M]" filtering is supported. 1202 */ 1203 off_linktype = -1; 1204 off_macpl = -1; 1205 off_nl = -1; 1206 off_nl_nosnap = -1; 1207 return; 1208 1209 case DLT_SYMANTEC_FIREWALL: 1210 off_linktype = 6; 1211 off_macpl = 44; 1212 off_nl = 0; /* Ethernet II */ 1213 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1214 return; 1215 1216 #ifdef HAVE_NET_PFVAR_H 1217 case DLT_PFLOG: 1218 off_linktype = 0; 1219 off_macpl = PFLOG_HDRLEN; 1220 off_nl = 0; 1221 off_nl_nosnap = 0; /* no 802.2 LLC */ 1222 return; 1223 #endif 1224 1225 case DLT_JUNIPER_MFR: 1226 case DLT_JUNIPER_MLFR: 1227 case DLT_JUNIPER_MLPPP: 1228 case DLT_JUNIPER_PPP: 1229 case DLT_JUNIPER_CHDLC: 1230 case DLT_JUNIPER_FRELAY: 1231 off_linktype = 4; 1232 off_macpl = 4; 1233 off_nl = 0; 1234 off_nl_nosnap = -1; /* no 802.2 LLC */ 1235 return; 1236 1237 case DLT_JUNIPER_ATM1: 1238 off_linktype = 4; /* in reality variable between 4-8 */ 1239 off_macpl = 4; /* in reality variable between 4-8 */ 1240 off_nl = 0; 1241 off_nl_nosnap = 10; 1242 return; 1243 1244 case DLT_JUNIPER_ATM2: 1245 off_linktype = 8; /* in reality variable between 8-12 */ 1246 off_macpl = 8; /* in reality variable between 8-12 */ 1247 off_nl = 0; 1248 off_nl_nosnap = 10; 1249 return; 1250 1251 /* frames captured on a Juniper PPPoE service PIC 1252 * contain raw ethernet frames */ 1253 case DLT_JUNIPER_PPPOE: 1254 case DLT_JUNIPER_ETHER: 1255 off_macpl = 14; 1256 off_linktype = 16; 1257 off_nl = 18; /* Ethernet II */ 1258 off_nl_nosnap = 21; /* 802.3+802.2 */ 1259 return; 1260 1261 case DLT_JUNIPER_PPPOE_ATM: 1262 off_linktype = 4; 1263 off_macpl = 6; 1264 off_nl = 0; 1265 off_nl_nosnap = -1; /* no 802.2 LLC */ 1266 return; 1267 1268 case DLT_JUNIPER_GGSN: 1269 off_linktype = 6; 1270 off_macpl = 12; 1271 off_nl = 0; 1272 off_nl_nosnap = -1; /* no 802.2 LLC */ 1273 return; 1274 1275 case DLT_JUNIPER_ES: 1276 off_linktype = 6; 1277 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1278 off_nl = -1; /* not really a network layer but raw IP addresses */ 1279 off_nl_nosnap = -1; /* no 802.2 LLC */ 1280 return; 1281 1282 case DLT_JUNIPER_MONITOR: 1283 off_linktype = 12; 1284 off_macpl = 12; 1285 off_nl = 0; /* raw IP/IP6 header */ 1286 off_nl_nosnap = -1; /* no 802.2 LLC */ 1287 return; 1288 1289 case DLT_JUNIPER_SERVICES: 1290 off_linktype = 12; 1291 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1292 off_nl = -1; /* L3 proto location dep. on cookie type */ 1293 off_nl_nosnap = -1; /* no 802.2 LLC */ 1294 return; 1295 1296 case DLT_JUNIPER_VP: 1297 off_linktype = 18; 1298 off_macpl = -1; 1299 off_nl = -1; 1300 off_nl_nosnap = -1; 1301 return; 1302 1303 case DLT_JUNIPER_ST: 1304 off_linktype = 18; 1305 off_macpl = -1; 1306 off_nl = -1; 1307 off_nl_nosnap = -1; 1308 return; 1309 1310 case DLT_JUNIPER_ISM: 1311 off_linktype = 8; 1312 off_macpl = -1; 1313 off_nl = -1; 1314 off_nl_nosnap = -1; 1315 return; 1316 1317 case DLT_MTP2: 1318 off_li = 2; 1319 off_sio = 3; 1320 off_opc = 4; 1321 off_dpc = 4; 1322 off_sls = 7; 1323 off_linktype = -1; 1324 off_macpl = -1; 1325 off_nl = -1; 1326 off_nl_nosnap = -1; 1327 return; 1328 1329 case DLT_MTP2_WITH_PHDR: 1330 off_li = 6; 1331 off_sio = 7; 1332 off_opc = 8; 1333 off_dpc = 8; 1334 off_sls = 11; 1335 off_linktype = -1; 1336 off_macpl = -1; 1337 off_nl = -1; 1338 off_nl_nosnap = -1; 1339 return; 1340 1341 case DLT_ERF: 1342 off_li = 22; 1343 off_sio = 23; 1344 off_opc = 24; 1345 off_dpc = 24; 1346 off_sls = 27; 1347 off_linktype = -1; 1348 off_macpl = -1; 1349 off_nl = -1; 1350 off_nl_nosnap = -1; 1351 return; 1352 1353 #ifdef DLT_PFSYNC 1354 case DLT_PFSYNC: 1355 off_linktype = -1; 1356 off_macpl = 4; 1357 off_nl = 0; 1358 off_nl_nosnap = 0; 1359 return; 1360 #endif 1361 1362 case DLT_LINUX_LAPD: 1363 /* 1364 * Currently, only raw "link[N:M]" filtering is supported. 1365 */ 1366 off_linktype = -1; 1367 off_macpl = -1; 1368 off_nl = -1; 1369 off_nl_nosnap = -1; 1370 return; 1371 1372 case DLT_USB: 1373 /* 1374 * Currently, only raw "link[N:M]" filtering is supported. 1375 */ 1376 off_linktype = -1; 1377 off_macpl = -1; 1378 off_nl = -1; 1379 off_nl_nosnap = -1; 1380 return; 1381 1382 case DLT_BLUETOOTH_HCI_H4: 1383 /* 1384 * Currently, only raw "link[N:M]" filtering is supported. 1385 */ 1386 off_linktype = -1; 1387 off_macpl = -1; 1388 off_nl = -1; 1389 off_nl_nosnap = -1; 1390 return; 1391 1392 case DLT_USB_LINUX: 1393 /* 1394 * Currently, only raw "link[N:M]" filtering is supported. 1395 */ 1396 off_linktype = -1; 1397 off_macpl = -1; 1398 off_nl = -1; 1399 off_nl_nosnap = -1; 1400 return; 1401 1402 case DLT_CAN20B: 1403 /* 1404 * Currently, only raw "link[N:M]" filtering is supported. 1405 */ 1406 off_linktype = -1; 1407 off_macpl = -1; 1408 off_nl = -1; 1409 off_nl_nosnap = -1; 1410 return; 1411 1412 case DLT_IEEE802_15_4_LINUX: 1413 /* 1414 * Currently, only raw "link[N:M]" filtering is supported. 1415 */ 1416 off_linktype = -1; 1417 off_macpl = -1; 1418 off_nl = -1; 1419 off_nl_nosnap = -1; 1420 return; 1421 1422 case DLT_IEEE802_16_MAC_CPS_RADIO: 1423 /* 1424 * Currently, only raw "link[N:M]" filtering is supported. 1425 */ 1426 off_linktype = -1; 1427 off_macpl = -1; 1428 off_nl = -1; 1429 off_nl_nosnap = -1; 1430 return; 1431 1432 case DLT_IEEE802_15_4: 1433 /* 1434 * Currently, only raw "link[N:M]" filtering is supported. 1435 */ 1436 off_linktype = -1; 1437 off_macpl = -1; 1438 off_nl = -1; 1439 off_nl_nosnap = -1; 1440 return; 1441 1442 case DLT_SITA: 1443 /* 1444 * Currently, only raw "link[N:M]" filtering is supported. 1445 */ 1446 off_linktype = -1; 1447 off_macpl = -1; 1448 off_nl = -1; 1449 off_nl_nosnap = -1; 1450 return; 1451 1452 case DLT_RAIF1: 1453 /* 1454 * Currently, only raw "link[N:M]" filtering is supported. 1455 */ 1456 off_linktype = -1; 1457 off_macpl = -1; 1458 off_nl = -1; 1459 off_nl_nosnap = -1; 1460 return; 1461 1462 case DLT_IPMB: 1463 /* 1464 * Currently, only raw "link[N:M]" filtering is supported. 1465 */ 1466 off_linktype = -1; 1467 off_macpl = -1; 1468 off_nl = -1; 1469 off_nl_nosnap = -1; 1470 return; 1471 1472 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 1473 /* 1474 * Currently, only raw "link[N:M]" filtering is supported. 1475 */ 1476 off_linktype = -1; 1477 off_macpl = -1; 1478 off_nl = -1; 1479 off_nl_nosnap = -1; 1480 return; 1481 1482 case DLT_AX25_KISS: 1483 /* 1484 * Currently, only raw "link[N:M]" filtering is supported. 1485 */ 1486 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1487 off_macpl = -1; 1488 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1489 off_nl_nosnap = -1; /* no 802.2 LLC */ 1490 off_mac = 1; /* step over the kiss length byte */ 1491 return; 1492 1493 case DLT_IEEE802_15_4_NONASK_PHY: 1494 /* 1495 * Currently, only raw "link[N:M]" filtering is supported. 1496 */ 1497 off_linktype = -1; 1498 off_macpl = -1; 1499 off_nl = -1; 1500 off_nl_nosnap = -1; 1501 return; 1502 } 1503 bpf_error("unknown data link type %d", linktype); 1504 /* NOTREACHED */ 1505 } 1506 1507 /* 1508 * Load a value relative to the beginning of the link-layer header. 1509 * The link-layer header doesn't necessarily begin at the beginning 1510 * of the packet data; there might be a variable-length prefix containing 1511 * radio information. 1512 */ 1513 static struct slist * 1514 gen_load_llrel(offset, size) 1515 u_int offset, size; 1516 { 1517 struct slist *s, *s2; 1518 1519 s = gen_llprefixlen(); 1520 1521 /* 1522 * If "s" is non-null, it has code to arrange that the X register 1523 * contains the length of the prefix preceding the link-layer 1524 * header. 1525 * 1526 * Otherwise, the length of the prefix preceding the link-layer 1527 * header is "off_ll". 1528 */ 1529 if (s != NULL) { 1530 /* 1531 * There's a variable-length prefix preceding the 1532 * link-layer header. "s" points to a list of statements 1533 * that put the length of that prefix into the X register. 1534 * do an indirect load, to use the X register as an offset. 1535 */ 1536 s2 = new_stmt(BPF_LD|BPF_IND|size); 1537 s2->s.k = offset; 1538 sappend(s, s2); 1539 } else { 1540 /* 1541 * There is no variable-length header preceding the 1542 * link-layer header; add in off_ll, which, if there's 1543 * a fixed-length header preceding the link-layer header, 1544 * is the length of that header. 1545 */ 1546 s = new_stmt(BPF_LD|BPF_ABS|size); 1547 s->s.k = offset + off_ll; 1548 } 1549 return s; 1550 } 1551 1552 /* 1553 * Load a value relative to the beginning of the MAC-layer payload. 1554 */ 1555 static struct slist * 1556 gen_load_macplrel(offset, size) 1557 u_int offset, size; 1558 { 1559 struct slist *s, *s2; 1560 1561 s = gen_off_macpl(); 1562 1563 /* 1564 * If s is non-null, the offset of the MAC-layer payload is 1565 * variable, and s points to a list of instructions that 1566 * arrange that the X register contains that offset. 1567 * 1568 * Otherwise, the offset of the MAC-layer payload is constant, 1569 * and is in off_macpl. 1570 */ 1571 if (s != NULL) { 1572 /* 1573 * The offset of the MAC-layer payload is in the X 1574 * register. Do an indirect load, to use the X register 1575 * as an offset. 1576 */ 1577 s2 = new_stmt(BPF_LD|BPF_IND|size); 1578 s2->s.k = offset; 1579 sappend(s, s2); 1580 } else { 1581 /* 1582 * The offset of the MAC-layer payload is constant, 1583 * and is in off_macpl; load the value at that offset 1584 * plus the specified offset. 1585 */ 1586 s = new_stmt(BPF_LD|BPF_ABS|size); 1587 s->s.k = off_macpl + offset; 1588 } 1589 return s; 1590 } 1591 1592 /* 1593 * Load a value relative to the beginning of the specified header. 1594 */ 1595 static struct slist * 1596 gen_load_a(offrel, offset, size) 1597 enum e_offrel offrel; 1598 u_int offset, size; 1599 { 1600 struct slist *s, *s2; 1601 1602 switch (offrel) { 1603 1604 case OR_PACKET: 1605 s = new_stmt(BPF_LD|BPF_ABS|size); 1606 s->s.k = offset; 1607 break; 1608 1609 case OR_LINK: 1610 s = gen_load_llrel(offset, size); 1611 break; 1612 1613 case OR_MACPL: 1614 s = gen_load_macplrel(offset, size); 1615 break; 1616 1617 case OR_NET: 1618 s = gen_load_macplrel(off_nl + offset, size); 1619 break; 1620 1621 case OR_NET_NOSNAP: 1622 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1623 break; 1624 1625 case OR_TRAN_IPV4: 1626 /* 1627 * Load the X register with the length of the IPv4 header 1628 * (plus the offset of the link-layer header, if it's 1629 * preceded by a variable-length header such as a radio 1630 * header), in bytes. 1631 */ 1632 s = gen_loadx_iphdrlen(); 1633 1634 /* 1635 * Load the item at {offset of the MAC-layer payload} + 1636 * {offset, relative to the start of the MAC-layer 1637 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1638 * {specified offset}. 1639 * 1640 * (If the offset of the MAC-layer payload is variable, 1641 * it's included in the value in the X register, and 1642 * off_macpl is 0.) 1643 */ 1644 s2 = new_stmt(BPF_LD|BPF_IND|size); 1645 s2->s.k = off_macpl + off_nl + offset; 1646 sappend(s, s2); 1647 break; 1648 1649 case OR_TRAN_IPV6: 1650 s = gen_load_macplrel(off_nl + 40 + offset, size); 1651 break; 1652 1653 default: 1654 abort(); 1655 return NULL; 1656 } 1657 return s; 1658 } 1659 1660 /* 1661 * Generate code to load into the X register the sum of the length of 1662 * the IPv4 header and any variable-length header preceding the link-layer 1663 * header. 1664 */ 1665 static struct slist * 1666 gen_loadx_iphdrlen() 1667 { 1668 struct slist *s, *s2; 1669 1670 s = gen_off_macpl(); 1671 if (s != NULL) { 1672 /* 1673 * There's a variable-length prefix preceding the 1674 * link-layer header, or the link-layer header is itself 1675 * variable-length. "s" points to a list of statements 1676 * that put the offset of the MAC-layer payload into 1677 * the X register. 1678 * 1679 * The 4*([k]&0xf) addressing mode can't be used, as we 1680 * don't have a constant offset, so we have to load the 1681 * value in question into the A register and add to it 1682 * the value from the X register. 1683 */ 1684 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1685 s2->s.k = off_nl; 1686 sappend(s, s2); 1687 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1688 s2->s.k = 0xf; 1689 sappend(s, s2); 1690 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1691 s2->s.k = 2; 1692 sappend(s, s2); 1693 1694 /* 1695 * The A register now contains the length of the 1696 * IP header. We need to add to it the offset of 1697 * the MAC-layer payload, which is still in the X 1698 * register, and move the result into the X register. 1699 */ 1700 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1701 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1702 } else { 1703 /* 1704 * There is no variable-length header preceding the 1705 * link-layer header, and the link-layer header is 1706 * fixed-length; load the length of the IPv4 header, 1707 * which is at an offset of off_nl from the beginning 1708 * of the MAC-layer payload, and thus at an offset 1709 * of off_mac_pl + off_nl from the beginning of the 1710 * raw packet data. 1711 */ 1712 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1713 s->s.k = off_macpl + off_nl; 1714 } 1715 return s; 1716 } 1717 1718 static struct block * 1719 gen_uncond(rsense) 1720 int rsense; 1721 { 1722 struct block *b; 1723 struct slist *s; 1724 1725 s = new_stmt(BPF_LD|BPF_IMM); 1726 s->s.k = !rsense; 1727 b = new_block(JMP(BPF_JEQ)); 1728 b->stmts = s; 1729 1730 return b; 1731 } 1732 1733 static inline struct block * 1734 gen_true() 1735 { 1736 return gen_uncond(1); 1737 } 1738 1739 static inline struct block * 1740 gen_false() 1741 { 1742 return gen_uncond(0); 1743 } 1744 1745 /* 1746 * Byte-swap a 32-bit number. 1747 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1748 * big-endian platforms.) 1749 */ 1750 #define SWAPLONG(y) \ 1751 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1752 1753 /* 1754 * Generate code to match a particular packet type. 1755 * 1756 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1757 * value, if <= ETHERMTU. We use that to determine whether to 1758 * match the type/length field or to check the type/length field for 1759 * a value <= ETHERMTU to see whether it's a type field and then do 1760 * the appropriate test. 1761 */ 1762 static struct block * 1763 gen_ether_linktype(proto) 1764 register int proto; 1765 { 1766 struct block *b0, *b1; 1767 1768 switch (proto) { 1769 1770 case LLCSAP_ISONS: 1771 case LLCSAP_IP: 1772 case LLCSAP_NETBEUI: 1773 /* 1774 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1775 * so we check the DSAP and SSAP. 1776 * 1777 * LLCSAP_IP checks for IP-over-802.2, rather 1778 * than IP-over-Ethernet or IP-over-SNAP. 1779 * 1780 * XXX - should we check both the DSAP and the 1781 * SSAP, like this, or should we check just the 1782 * DSAP, as we do for other types <= ETHERMTU 1783 * (i.e., other SAP values)? 1784 */ 1785 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1786 gen_not(b0); 1787 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1788 ((proto << 8) | proto)); 1789 gen_and(b0, b1); 1790 return b1; 1791 1792 case LLCSAP_IPX: 1793 /* 1794 * Check for; 1795 * 1796 * Ethernet_II frames, which are Ethernet 1797 * frames with a frame type of ETHERTYPE_IPX; 1798 * 1799 * Ethernet_802.3 frames, which are 802.3 1800 * frames (i.e., the type/length field is 1801 * a length field, <= ETHERMTU, rather than 1802 * a type field) with the first two bytes 1803 * after the Ethernet/802.3 header being 1804 * 0xFFFF; 1805 * 1806 * Ethernet_802.2 frames, which are 802.3 1807 * frames with an 802.2 LLC header and 1808 * with the IPX LSAP as the DSAP in the LLC 1809 * header; 1810 * 1811 * Ethernet_SNAP frames, which are 802.3 1812 * frames with an LLC header and a SNAP 1813 * header and with an OUI of 0x000000 1814 * (encapsulated Ethernet) and a protocol 1815 * ID of ETHERTYPE_IPX in the SNAP header. 1816 * 1817 * XXX - should we generate the same code both 1818 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1819 */ 1820 1821 /* 1822 * This generates code to check both for the 1823 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1824 */ 1825 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1826 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1827 gen_or(b0, b1); 1828 1829 /* 1830 * Now we add code to check for SNAP frames with 1831 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1832 */ 1833 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1834 gen_or(b0, b1); 1835 1836 /* 1837 * Now we generate code to check for 802.3 1838 * frames in general. 1839 */ 1840 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1841 gen_not(b0); 1842 1843 /* 1844 * Now add the check for 802.3 frames before the 1845 * check for Ethernet_802.2 and Ethernet_802.3, 1846 * as those checks should only be done on 802.3 1847 * frames, not on Ethernet frames. 1848 */ 1849 gen_and(b0, b1); 1850 1851 /* 1852 * Now add the check for Ethernet_II frames, and 1853 * do that before checking for the other frame 1854 * types. 1855 */ 1856 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1857 (bpf_int32)ETHERTYPE_IPX); 1858 gen_or(b0, b1); 1859 return b1; 1860 1861 case ETHERTYPE_ATALK: 1862 case ETHERTYPE_AARP: 1863 /* 1864 * EtherTalk (AppleTalk protocols on Ethernet link 1865 * layer) may use 802.2 encapsulation. 1866 */ 1867 1868 /* 1869 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1870 * we check for an Ethernet type field less than 1871 * 1500, which means it's an 802.3 length field. 1872 */ 1873 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1874 gen_not(b0); 1875 1876 /* 1877 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1878 * SNAP packets with an organization code of 1879 * 0x080007 (Apple, for Appletalk) and a protocol 1880 * type of ETHERTYPE_ATALK (Appletalk). 1881 * 1882 * 802.2-encapsulated ETHERTYPE_AARP packets are 1883 * SNAP packets with an organization code of 1884 * 0x000000 (encapsulated Ethernet) and a protocol 1885 * type of ETHERTYPE_AARP (Appletalk ARP). 1886 */ 1887 if (proto == ETHERTYPE_ATALK) 1888 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1889 else /* proto == ETHERTYPE_AARP */ 1890 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1891 gen_and(b0, b1); 1892 1893 /* 1894 * Check for Ethernet encapsulation (Ethertalk 1895 * phase 1?); we just check for the Ethernet 1896 * protocol type. 1897 */ 1898 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1899 1900 gen_or(b0, b1); 1901 return b1; 1902 1903 default: 1904 if (proto <= ETHERMTU) { 1905 /* 1906 * This is an LLC SAP value, so the frames 1907 * that match would be 802.2 frames. 1908 * Check that the frame is an 802.2 frame 1909 * (i.e., that the length/type field is 1910 * a length field, <= ETHERMTU) and 1911 * then check the DSAP. 1912 */ 1913 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1914 gen_not(b0); 1915 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1916 (bpf_int32)proto); 1917 gen_and(b0, b1); 1918 return b1; 1919 } else { 1920 /* 1921 * This is an Ethernet type, so compare 1922 * the length/type field with it (if 1923 * the frame is an 802.2 frame, the length 1924 * field will be <= ETHERMTU, and, as 1925 * "proto" is > ETHERMTU, this test 1926 * will fail and the frame won't match, 1927 * which is what we want). 1928 */ 1929 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1930 (bpf_int32)proto); 1931 } 1932 } 1933 } 1934 1935 /* 1936 * Generate code to match a particular packet type. 1937 * 1938 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1939 * value, if <= ETHERMTU. We use that to determine whether to 1940 * match the type field or to check the type field for the special 1941 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1942 */ 1943 static struct block * 1944 gen_linux_sll_linktype(proto) 1945 register int proto; 1946 { 1947 struct block *b0, *b1; 1948 1949 switch (proto) { 1950 1951 case LLCSAP_ISONS: 1952 case LLCSAP_IP: 1953 case LLCSAP_NETBEUI: 1954 /* 1955 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1956 * so we check the DSAP and SSAP. 1957 * 1958 * LLCSAP_IP checks for IP-over-802.2, rather 1959 * than IP-over-Ethernet or IP-over-SNAP. 1960 * 1961 * XXX - should we check both the DSAP and the 1962 * SSAP, like this, or should we check just the 1963 * DSAP, as we do for other types <= ETHERMTU 1964 * (i.e., other SAP values)? 1965 */ 1966 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1967 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1968 ((proto << 8) | proto)); 1969 gen_and(b0, b1); 1970 return b1; 1971 1972 case LLCSAP_IPX: 1973 /* 1974 * Ethernet_II frames, which are Ethernet 1975 * frames with a frame type of ETHERTYPE_IPX; 1976 * 1977 * Ethernet_802.3 frames, which have a frame 1978 * type of LINUX_SLL_P_802_3; 1979 * 1980 * Ethernet_802.2 frames, which are 802.3 1981 * frames with an 802.2 LLC header (i.e, have 1982 * a frame type of LINUX_SLL_P_802_2) and 1983 * with the IPX LSAP as the DSAP in the LLC 1984 * header; 1985 * 1986 * Ethernet_SNAP frames, which are 802.3 1987 * frames with an LLC header and a SNAP 1988 * header and with an OUI of 0x000000 1989 * (encapsulated Ethernet) and a protocol 1990 * ID of ETHERTYPE_IPX in the SNAP header. 1991 * 1992 * First, do the checks on LINUX_SLL_P_802_2 1993 * frames; generate the check for either 1994 * Ethernet_802.2 or Ethernet_SNAP frames, and 1995 * then put a check for LINUX_SLL_P_802_2 frames 1996 * before it. 1997 */ 1998 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1999 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2000 gen_or(b0, b1); 2001 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2002 gen_and(b0, b1); 2003 2004 /* 2005 * Now check for 802.3 frames and OR that with 2006 * the previous test. 2007 */ 2008 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2009 gen_or(b0, b1); 2010 2011 /* 2012 * Now add the check for Ethernet_II frames, and 2013 * do that before checking for the other frame 2014 * types. 2015 */ 2016 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2017 (bpf_int32)ETHERTYPE_IPX); 2018 gen_or(b0, b1); 2019 return b1; 2020 2021 case ETHERTYPE_ATALK: 2022 case ETHERTYPE_AARP: 2023 /* 2024 * EtherTalk (AppleTalk protocols on Ethernet link 2025 * layer) may use 802.2 encapsulation. 2026 */ 2027 2028 /* 2029 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2030 * we check for the 802.2 protocol type in the 2031 * "Ethernet type" field. 2032 */ 2033 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2034 2035 /* 2036 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2037 * SNAP packets with an organization code of 2038 * 0x080007 (Apple, for Appletalk) and a protocol 2039 * type of ETHERTYPE_ATALK (Appletalk). 2040 * 2041 * 802.2-encapsulated ETHERTYPE_AARP packets are 2042 * SNAP packets with an organization code of 2043 * 0x000000 (encapsulated Ethernet) and a protocol 2044 * type of ETHERTYPE_AARP (Appletalk ARP). 2045 */ 2046 if (proto == ETHERTYPE_ATALK) 2047 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2048 else /* proto == ETHERTYPE_AARP */ 2049 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2050 gen_and(b0, b1); 2051 2052 /* 2053 * Check for Ethernet encapsulation (Ethertalk 2054 * phase 1?); we just check for the Ethernet 2055 * protocol type. 2056 */ 2057 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2058 2059 gen_or(b0, b1); 2060 return b1; 2061 2062 default: 2063 if (proto <= ETHERMTU) { 2064 /* 2065 * This is an LLC SAP value, so the frames 2066 * that match would be 802.2 frames. 2067 * Check for the 802.2 protocol type 2068 * in the "Ethernet type" field, and 2069 * then check the DSAP. 2070 */ 2071 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2072 LINUX_SLL_P_802_2); 2073 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2074 (bpf_int32)proto); 2075 gen_and(b0, b1); 2076 return b1; 2077 } else { 2078 /* 2079 * This is an Ethernet type, so compare 2080 * the length/type field with it (if 2081 * the frame is an 802.2 frame, the length 2082 * field will be <= ETHERMTU, and, as 2083 * "proto" is > ETHERMTU, this test 2084 * will fail and the frame won't match, 2085 * which is what we want). 2086 */ 2087 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2088 (bpf_int32)proto); 2089 } 2090 } 2091 } 2092 2093 static struct slist * 2094 gen_load_prism_llprefixlen() 2095 { 2096 struct slist *s1, *s2; 2097 struct slist *sjeq_avs_cookie; 2098 struct slist *sjcommon; 2099 2100 /* 2101 * This code is not compatible with the optimizer, as 2102 * we are generating jmp instructions within a normal 2103 * slist of instructions 2104 */ 2105 no_optimize = 1; 2106 2107 /* 2108 * Generate code to load the length of the radio header into 2109 * the register assigned to hold that length, if one has been 2110 * assigned. (If one hasn't been assigned, no code we've 2111 * generated uses that prefix, so we don't need to generate any 2112 * code to load it.) 2113 * 2114 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2115 * or always use the AVS header rather than the Prism header. 2116 * We load a 4-byte big-endian value at the beginning of the 2117 * raw packet data, and see whether, when masked with 0xFFFFF000, 2118 * it's equal to 0x80211000. If so, that indicates that it's 2119 * an AVS header (the masked-out bits are the version number). 2120 * Otherwise, it's a Prism header. 2121 * 2122 * XXX - the Prism header is also, in theory, variable-length, 2123 * but no known software generates headers that aren't 144 2124 * bytes long. 2125 */ 2126 if (reg_off_ll != -1) { 2127 /* 2128 * Load the cookie. 2129 */ 2130 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2131 s1->s.k = 0; 2132 2133 /* 2134 * AND it with 0xFFFFF000. 2135 */ 2136 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2137 s2->s.k = 0xFFFFF000; 2138 sappend(s1, s2); 2139 2140 /* 2141 * Compare with 0x80211000. 2142 */ 2143 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2144 sjeq_avs_cookie->s.k = 0x80211000; 2145 sappend(s1, sjeq_avs_cookie); 2146 2147 /* 2148 * If it's AVS: 2149 * 2150 * The 4 bytes at an offset of 4 from the beginning of 2151 * the AVS header are the length of the AVS header. 2152 * That field is big-endian. 2153 */ 2154 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2155 s2->s.k = 4; 2156 sappend(s1, s2); 2157 sjeq_avs_cookie->s.jt = s2; 2158 2159 /* 2160 * Now jump to the code to allocate a register 2161 * into which to save the header length and 2162 * store the length there. (The "jump always" 2163 * instruction needs to have the k field set; 2164 * it's added to the PC, so, as we're jumping 2165 * over a single instruction, it should be 1.) 2166 */ 2167 sjcommon = new_stmt(JMP(BPF_JA)); 2168 sjcommon->s.k = 1; 2169 sappend(s1, sjcommon); 2170 2171 /* 2172 * Now for the code that handles the Prism header. 2173 * Just load the length of the Prism header (144) 2174 * into the A register. Have the test for an AVS 2175 * header branch here if we don't have an AVS header. 2176 */ 2177 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2178 s2->s.k = 144; 2179 sappend(s1, s2); 2180 sjeq_avs_cookie->s.jf = s2; 2181 2182 /* 2183 * Now allocate a register to hold that value and store 2184 * it. The code for the AVS header will jump here after 2185 * loading the length of the AVS header. 2186 */ 2187 s2 = new_stmt(BPF_ST); 2188 s2->s.k = reg_off_ll; 2189 sappend(s1, s2); 2190 sjcommon->s.jf = s2; 2191 2192 /* 2193 * Now move it into the X register. 2194 */ 2195 s2 = new_stmt(BPF_MISC|BPF_TAX); 2196 sappend(s1, s2); 2197 2198 return (s1); 2199 } else 2200 return (NULL); 2201 } 2202 2203 static struct slist * 2204 gen_load_avs_llprefixlen() 2205 { 2206 struct slist *s1, *s2; 2207 2208 /* 2209 * Generate code to load the length of the AVS header into 2210 * the register assigned to hold that length, if one has been 2211 * assigned. (If one hasn't been assigned, no code we've 2212 * generated uses that prefix, so we don't need to generate any 2213 * code to load it.) 2214 */ 2215 if (reg_off_ll != -1) { 2216 /* 2217 * The 4 bytes at an offset of 4 from the beginning of 2218 * the AVS header are the length of the AVS header. 2219 * That field is big-endian. 2220 */ 2221 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2222 s1->s.k = 4; 2223 2224 /* 2225 * Now allocate a register to hold that value and store 2226 * it. 2227 */ 2228 s2 = new_stmt(BPF_ST); 2229 s2->s.k = reg_off_ll; 2230 sappend(s1, s2); 2231 2232 /* 2233 * Now move it into the X register. 2234 */ 2235 s2 = new_stmt(BPF_MISC|BPF_TAX); 2236 sappend(s1, s2); 2237 2238 return (s1); 2239 } else 2240 return (NULL); 2241 } 2242 2243 static struct slist * 2244 gen_load_radiotap_llprefixlen() 2245 { 2246 struct slist *s1, *s2; 2247 2248 /* 2249 * Generate code to load the length of the radiotap header into 2250 * the register assigned to hold that length, if one has been 2251 * assigned. (If one hasn't been assigned, no code we've 2252 * generated uses that prefix, so we don't need to generate any 2253 * code to load it.) 2254 */ 2255 if (reg_off_ll != -1) { 2256 /* 2257 * The 2 bytes at offsets of 2 and 3 from the beginning 2258 * of the radiotap header are the length of the radiotap 2259 * header; unfortunately, it's little-endian, so we have 2260 * to load it a byte at a time and construct the value. 2261 */ 2262 2263 /* 2264 * Load the high-order byte, at an offset of 3, shift it 2265 * left a byte, and put the result in the X register. 2266 */ 2267 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2268 s1->s.k = 3; 2269 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2270 sappend(s1, s2); 2271 s2->s.k = 8; 2272 s2 = new_stmt(BPF_MISC|BPF_TAX); 2273 sappend(s1, s2); 2274 2275 /* 2276 * Load the next byte, at an offset of 2, and OR the 2277 * value from the X register into it. 2278 */ 2279 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2280 sappend(s1, s2); 2281 s2->s.k = 2; 2282 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2283 sappend(s1, s2); 2284 2285 /* 2286 * Now allocate a register to hold that value and store 2287 * it. 2288 */ 2289 s2 = new_stmt(BPF_ST); 2290 s2->s.k = reg_off_ll; 2291 sappend(s1, s2); 2292 2293 /* 2294 * Now move it into the X register. 2295 */ 2296 s2 = new_stmt(BPF_MISC|BPF_TAX); 2297 sappend(s1, s2); 2298 2299 return (s1); 2300 } else 2301 return (NULL); 2302 } 2303 2304 /* 2305 * At the moment we treat PPI as normal Radiotap encoded 2306 * packets. The difference is in the function that generates 2307 * the code at the beginning to compute the header length. 2308 * Since this code generator of PPI supports bare 802.11 2309 * encapsulation only (i.e. the encapsulated DLT should be 2310 * DLT_IEEE802_11) we generate code to check for this too; 2311 * that's done in finish_parse(). 2312 */ 2313 static struct slist * 2314 gen_load_ppi_llprefixlen() 2315 { 2316 struct slist *s1, *s2; 2317 2318 /* 2319 * Generate code to load the length of the radiotap header 2320 * into the register assigned to hold that length, if one has 2321 * been assigned. 2322 */ 2323 if (reg_off_ll != -1) { 2324 /* 2325 * The 2 bytes at offsets of 2 and 3 from the beginning 2326 * of the radiotap header are the length of the radiotap 2327 * header; unfortunately, it's little-endian, so we have 2328 * to load it a byte at a time and construct the value. 2329 */ 2330 2331 /* 2332 * Load the high-order byte, at an offset of 3, shift it 2333 * left a byte, and put the result in the X register. 2334 */ 2335 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2336 s1->s.k = 3; 2337 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2338 sappend(s1, s2); 2339 s2->s.k = 8; 2340 s2 = new_stmt(BPF_MISC|BPF_TAX); 2341 sappend(s1, s2); 2342 2343 /* 2344 * Load the next byte, at an offset of 2, and OR the 2345 * value from the X register into it. 2346 */ 2347 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2348 sappend(s1, s2); 2349 s2->s.k = 2; 2350 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2351 sappend(s1, s2); 2352 2353 /* 2354 * Now allocate a register to hold that value and store 2355 * it. 2356 */ 2357 s2 = new_stmt(BPF_ST); 2358 s2->s.k = reg_off_ll; 2359 sappend(s1, s2); 2360 2361 /* 2362 * Now move it into the X register. 2363 */ 2364 s2 = new_stmt(BPF_MISC|BPF_TAX); 2365 sappend(s1, s2); 2366 2367 return (s1); 2368 } else 2369 return (NULL); 2370 } 2371 2372 /* 2373 * Load a value relative to the beginning of the link-layer header after the 802.11 2374 * header, i.e. LLC_SNAP. 2375 * The link-layer header doesn't necessarily begin at the beginning 2376 * of the packet data; there might be a variable-length prefix containing 2377 * radio information. 2378 */ 2379 static struct slist * 2380 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2381 { 2382 struct slist *s2; 2383 struct slist *sjset_data_frame_1; 2384 struct slist *sjset_data_frame_2; 2385 struct slist *sjset_qos; 2386 struct slist *sjset_radiotap_flags; 2387 struct slist *sjset_radiotap_tsft; 2388 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2389 struct slist *s_roundup; 2390 2391 if (reg_off_macpl == -1) { 2392 /* 2393 * No register has been assigned to the offset of 2394 * the MAC-layer payload, which means nobody needs 2395 * it; don't bother computing it - just return 2396 * what we already have. 2397 */ 2398 return (s); 2399 } 2400 2401 /* 2402 * This code is not compatible with the optimizer, as 2403 * we are generating jmp instructions within a normal 2404 * slist of instructions 2405 */ 2406 no_optimize = 1; 2407 2408 /* 2409 * If "s" is non-null, it has code to arrange that the X register 2410 * contains the length of the prefix preceding the link-layer 2411 * header. 2412 * 2413 * Otherwise, the length of the prefix preceding the link-layer 2414 * header is "off_ll". 2415 */ 2416 if (s == NULL) { 2417 /* 2418 * There is no variable-length header preceding the 2419 * link-layer header. 2420 * 2421 * Load the length of the fixed-length prefix preceding 2422 * the link-layer header (if any) into the X register, 2423 * and store it in the reg_off_macpl register. 2424 * That length is off_ll. 2425 */ 2426 s = new_stmt(BPF_LDX|BPF_IMM); 2427 s->s.k = off_ll; 2428 } 2429 2430 /* 2431 * The X register contains the offset of the beginning of the 2432 * link-layer header; add 24, which is the minimum length 2433 * of the MAC header for a data frame, to that, and store it 2434 * in reg_off_macpl, and then load the Frame Control field, 2435 * which is at the offset in the X register, with an indexed load. 2436 */ 2437 s2 = new_stmt(BPF_MISC|BPF_TXA); 2438 sappend(s, s2); 2439 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2440 s2->s.k = 24; 2441 sappend(s, s2); 2442 s2 = new_stmt(BPF_ST); 2443 s2->s.k = reg_off_macpl; 2444 sappend(s, s2); 2445 2446 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2447 s2->s.k = 0; 2448 sappend(s, s2); 2449 2450 /* 2451 * Check the Frame Control field to see if this is a data frame; 2452 * a data frame has the 0x08 bit (b3) in that field set and the 2453 * 0x04 bit (b2) clear. 2454 */ 2455 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2456 sjset_data_frame_1->s.k = 0x08; 2457 sappend(s, sjset_data_frame_1); 2458 2459 /* 2460 * If b3 is set, test b2, otherwise go to the first statement of 2461 * the rest of the program. 2462 */ 2463 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2464 sjset_data_frame_2->s.k = 0x04; 2465 sappend(s, sjset_data_frame_2); 2466 sjset_data_frame_1->s.jf = snext; 2467 2468 /* 2469 * If b2 is not set, this is a data frame; test the QoS bit. 2470 * Otherwise, go to the first statement of the rest of the 2471 * program. 2472 */ 2473 sjset_data_frame_2->s.jt = snext; 2474 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2475 sjset_qos->s.k = 0x80; /* QoS bit */ 2476 sappend(s, sjset_qos); 2477 2478 /* 2479 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2480 * field. 2481 * Otherwise, go to the first statement of the rest of the 2482 * program. 2483 */ 2484 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2485 s2->s.k = reg_off_macpl; 2486 sappend(s, s2); 2487 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2488 s2->s.k = 2; 2489 sappend(s, s2); 2490 s2 = new_stmt(BPF_ST); 2491 s2->s.k = reg_off_macpl; 2492 sappend(s, s2); 2493 2494 /* 2495 * If we have a radiotap header, look at it to see whether 2496 * there's Atheros padding between the MAC-layer header 2497 * and the payload. 2498 * 2499 * Note: all of the fields in the radiotap header are 2500 * little-endian, so we byte-swap all of the values 2501 * we test against, as they will be loaded as big-endian 2502 * values. 2503 */ 2504 if (linktype == DLT_IEEE802_11_RADIO) { 2505 /* 2506 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2507 * in the presence flag? 2508 */ 2509 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2510 s2->s.k = 4; 2511 sappend(s, s2); 2512 2513 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2514 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2515 sappend(s, sjset_radiotap_flags); 2516 2517 /* 2518 * If not, skip all of this. 2519 */ 2520 sjset_radiotap_flags->s.jf = snext; 2521 2522 /* 2523 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2524 */ 2525 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2526 new_stmt(JMP(BPF_JSET)); 2527 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2528 sappend(s, sjset_radiotap_tsft); 2529 2530 /* 2531 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2532 * at an offset of 16 from the beginning of the raw packet 2533 * data (8 bytes for the radiotap header and 8 bytes for 2534 * the TSFT field). 2535 * 2536 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2537 * is set. 2538 */ 2539 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2540 s2->s.k = 16; 2541 sappend(s, s2); 2542 2543 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2544 sjset_tsft_datapad->s.k = 0x20; 2545 sappend(s, sjset_tsft_datapad); 2546 2547 /* 2548 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2549 * at an offset of 8 from the beginning of the raw packet 2550 * data (8 bytes for the radiotap header). 2551 * 2552 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2553 * is set. 2554 */ 2555 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2556 s2->s.k = 8; 2557 sappend(s, s2); 2558 2559 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2560 sjset_notsft_datapad->s.k = 0x20; 2561 sappend(s, sjset_notsft_datapad); 2562 2563 /* 2564 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2565 * set, round the length of the 802.11 header to 2566 * a multiple of 4. Do that by adding 3 and then 2567 * dividing by and multiplying by 4, which we do by 2568 * ANDing with ~3. 2569 */ 2570 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2571 s_roundup->s.k = reg_off_macpl; 2572 sappend(s, s_roundup); 2573 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2574 s2->s.k = 3; 2575 sappend(s, s2); 2576 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2577 s2->s.k = ~3; 2578 sappend(s, s2); 2579 s2 = new_stmt(BPF_ST); 2580 s2->s.k = reg_off_macpl; 2581 sappend(s, s2); 2582 2583 sjset_tsft_datapad->s.jt = s_roundup; 2584 sjset_tsft_datapad->s.jf = snext; 2585 sjset_notsft_datapad->s.jt = s_roundup; 2586 sjset_notsft_datapad->s.jf = snext; 2587 } else 2588 sjset_qos->s.jf = snext; 2589 2590 return s; 2591 } 2592 2593 static void 2594 insert_compute_vloffsets(b) 2595 struct block *b; 2596 { 2597 struct slist *s; 2598 2599 /* 2600 * For link-layer types that have a variable-length header 2601 * preceding the link-layer header, generate code to load 2602 * the offset of the link-layer header into the register 2603 * assigned to that offset, if any. 2604 */ 2605 switch (linktype) { 2606 2607 case DLT_PRISM_HEADER: 2608 s = gen_load_prism_llprefixlen(); 2609 break; 2610 2611 case DLT_IEEE802_11_RADIO_AVS: 2612 s = gen_load_avs_llprefixlen(); 2613 break; 2614 2615 case DLT_IEEE802_11_RADIO: 2616 s = gen_load_radiotap_llprefixlen(); 2617 break; 2618 2619 case DLT_PPI: 2620 s = gen_load_ppi_llprefixlen(); 2621 break; 2622 2623 default: 2624 s = NULL; 2625 break; 2626 } 2627 2628 /* 2629 * For link-layer types that have a variable-length link-layer 2630 * header, generate code to load the offset of the MAC-layer 2631 * payload into the register assigned to that offset, if any. 2632 */ 2633 switch (linktype) { 2634 2635 case DLT_IEEE802_11: 2636 case DLT_PRISM_HEADER: 2637 case DLT_IEEE802_11_RADIO_AVS: 2638 case DLT_IEEE802_11_RADIO: 2639 case DLT_PPI: 2640 s = gen_load_802_11_header_len(s, b->stmts); 2641 break; 2642 } 2643 2644 /* 2645 * If we have any offset-loading code, append all the 2646 * existing statements in the block to those statements, 2647 * and make the resulting list the list of statements 2648 * for the block. 2649 */ 2650 if (s != NULL) { 2651 sappend(s, b->stmts); 2652 b->stmts = s; 2653 } 2654 } 2655 2656 static struct block * 2657 gen_ppi_dlt_check(void) 2658 { 2659 struct slist *s_load_dlt; 2660 struct block *b; 2661 2662 if (linktype == DLT_PPI) 2663 { 2664 /* Create the statements that check for the DLT 2665 */ 2666 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2667 s_load_dlt->s.k = 4; 2668 2669 b = new_block(JMP(BPF_JEQ)); 2670 2671 b->stmts = s_load_dlt; 2672 b->s.k = SWAPLONG(DLT_IEEE802_11); 2673 } 2674 else 2675 { 2676 b = NULL; 2677 } 2678 2679 return b; 2680 } 2681 2682 static struct slist * 2683 gen_prism_llprefixlen(void) 2684 { 2685 struct slist *s; 2686 2687 if (reg_off_ll == -1) { 2688 /* 2689 * We haven't yet assigned a register for the length 2690 * of the radio header; allocate one. 2691 */ 2692 reg_off_ll = alloc_reg(); 2693 } 2694 2695 /* 2696 * Load the register containing the radio length 2697 * into the X register. 2698 */ 2699 s = new_stmt(BPF_LDX|BPF_MEM); 2700 s->s.k = reg_off_ll; 2701 return s; 2702 } 2703 2704 static struct slist * 2705 gen_avs_llprefixlen(void) 2706 { 2707 struct slist *s; 2708 2709 if (reg_off_ll == -1) { 2710 /* 2711 * We haven't yet assigned a register for the length 2712 * of the AVS header; allocate one. 2713 */ 2714 reg_off_ll = alloc_reg(); 2715 } 2716 2717 /* 2718 * Load the register containing the AVS length 2719 * into the X register. 2720 */ 2721 s = new_stmt(BPF_LDX|BPF_MEM); 2722 s->s.k = reg_off_ll; 2723 return s; 2724 } 2725 2726 static struct slist * 2727 gen_radiotap_llprefixlen(void) 2728 { 2729 struct slist *s; 2730 2731 if (reg_off_ll == -1) { 2732 /* 2733 * We haven't yet assigned a register for the length 2734 * of the radiotap header; allocate one. 2735 */ 2736 reg_off_ll = alloc_reg(); 2737 } 2738 2739 /* 2740 * Load the register containing the radiotap length 2741 * into the X register. 2742 */ 2743 s = new_stmt(BPF_LDX|BPF_MEM); 2744 s->s.k = reg_off_ll; 2745 return s; 2746 } 2747 2748 /* 2749 * At the moment we treat PPI as normal Radiotap encoded 2750 * packets. The difference is in the function that generates 2751 * the code at the beginning to compute the header length. 2752 * Since this code generator of PPI supports bare 802.11 2753 * encapsulation only (i.e. the encapsulated DLT should be 2754 * DLT_IEEE802_11) we generate code to check for this too. 2755 */ 2756 static struct slist * 2757 gen_ppi_llprefixlen(void) 2758 { 2759 struct slist *s; 2760 2761 if (reg_off_ll == -1) { 2762 /* 2763 * We haven't yet assigned a register for the length 2764 * of the radiotap header; allocate one. 2765 */ 2766 reg_off_ll = alloc_reg(); 2767 } 2768 2769 /* 2770 * Load the register containing the PPI length 2771 * into the X register. 2772 */ 2773 s = new_stmt(BPF_LDX|BPF_MEM); 2774 s->s.k = reg_off_ll; 2775 return s; 2776 } 2777 2778 /* 2779 * Generate code to compute the link-layer header length, if necessary, 2780 * putting it into the X register, and to return either a pointer to a 2781 * "struct slist" for the list of statements in that code, or NULL if 2782 * no code is necessary. 2783 */ 2784 static struct slist * 2785 gen_llprefixlen(void) 2786 { 2787 switch (linktype) { 2788 2789 case DLT_PRISM_HEADER: 2790 return gen_prism_llprefixlen(); 2791 2792 case DLT_IEEE802_11_RADIO_AVS: 2793 return gen_avs_llprefixlen(); 2794 2795 case DLT_IEEE802_11_RADIO: 2796 return gen_radiotap_llprefixlen(); 2797 2798 case DLT_PPI: 2799 return gen_ppi_llprefixlen(); 2800 2801 default: 2802 return NULL; 2803 } 2804 } 2805 2806 /* 2807 * Generate code to load the register containing the offset of the 2808 * MAC-layer payload into the X register; if no register for that offset 2809 * has been allocated, allocate it first. 2810 */ 2811 static struct slist * 2812 gen_off_macpl(void) 2813 { 2814 struct slist *s; 2815 2816 if (off_macpl_is_variable) { 2817 if (reg_off_macpl == -1) { 2818 /* 2819 * We haven't yet assigned a register for the offset 2820 * of the MAC-layer payload; allocate one. 2821 */ 2822 reg_off_macpl = alloc_reg(); 2823 } 2824 2825 /* 2826 * Load the register containing the offset of the MAC-layer 2827 * payload into the X register. 2828 */ 2829 s = new_stmt(BPF_LDX|BPF_MEM); 2830 s->s.k = reg_off_macpl; 2831 return s; 2832 } else { 2833 /* 2834 * That offset isn't variable, so we don't need to 2835 * generate any code. 2836 */ 2837 return NULL; 2838 } 2839 } 2840 2841 /* 2842 * Map an Ethernet type to the equivalent PPP type. 2843 */ 2844 static int 2845 ethertype_to_ppptype(proto) 2846 int proto; 2847 { 2848 switch (proto) { 2849 2850 case ETHERTYPE_IP: 2851 proto = PPP_IP; 2852 break; 2853 2854 #ifdef INET6 2855 case ETHERTYPE_IPV6: 2856 proto = PPP_IPV6; 2857 break; 2858 #endif 2859 2860 case ETHERTYPE_DN: 2861 proto = PPP_DECNET; 2862 break; 2863 2864 case ETHERTYPE_ATALK: 2865 proto = PPP_APPLE; 2866 break; 2867 2868 case ETHERTYPE_NS: 2869 proto = PPP_NS; 2870 break; 2871 2872 case LLCSAP_ISONS: 2873 proto = PPP_OSI; 2874 break; 2875 2876 case LLCSAP_8021D: 2877 /* 2878 * I'm assuming the "Bridging PDU"s that go 2879 * over PPP are Spanning Tree Protocol 2880 * Bridging PDUs. 2881 */ 2882 proto = PPP_BRPDU; 2883 break; 2884 2885 case LLCSAP_IPX: 2886 proto = PPP_IPX; 2887 break; 2888 } 2889 return (proto); 2890 } 2891 2892 /* 2893 * Generate code to match a particular packet type by matching the 2894 * link-layer type field or fields in the 802.2 LLC header. 2895 * 2896 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2897 * value, if <= ETHERMTU. 2898 */ 2899 static struct block * 2900 gen_linktype(proto) 2901 register int proto; 2902 { 2903 struct block *b0, *b1, *b2; 2904 2905 /* are we checking MPLS-encapsulated packets? */ 2906 if (label_stack_depth > 0) { 2907 switch (proto) { 2908 case ETHERTYPE_IP: 2909 case PPP_IP: 2910 /* FIXME add other L3 proto IDs */ 2911 return gen_mpls_linktype(Q_IP); 2912 2913 case ETHERTYPE_IPV6: 2914 case PPP_IPV6: 2915 /* FIXME add other L3 proto IDs */ 2916 return gen_mpls_linktype(Q_IPV6); 2917 2918 default: 2919 bpf_error("unsupported protocol over mpls"); 2920 /* NOTREACHED */ 2921 } 2922 } 2923 2924 /* 2925 * Are we testing PPPoE packets? 2926 */ 2927 if (is_pppoes) { 2928 /* 2929 * The PPPoE session header is part of the 2930 * MAC-layer payload, so all references 2931 * should be relative to the beginning of 2932 * that payload. 2933 */ 2934 2935 /* 2936 * We use Ethernet protocol types inside libpcap; 2937 * map them to the corresponding PPP protocol types. 2938 */ 2939 proto = ethertype_to_ppptype(proto); 2940 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2941 } 2942 2943 switch (linktype) { 2944 2945 case DLT_EN10MB: 2946 return gen_ether_linktype(proto); 2947 /*NOTREACHED*/ 2948 break; 2949 2950 case DLT_C_HDLC: 2951 switch (proto) { 2952 2953 case LLCSAP_ISONS: 2954 proto = (proto << 8 | LLCSAP_ISONS); 2955 /* fall through */ 2956 2957 default: 2958 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2959 (bpf_int32)proto); 2960 /*NOTREACHED*/ 2961 break; 2962 } 2963 break; 2964 2965 case DLT_IEEE802_11: 2966 case DLT_PRISM_HEADER: 2967 case DLT_IEEE802_11_RADIO_AVS: 2968 case DLT_IEEE802_11_RADIO: 2969 case DLT_PPI: 2970 /* 2971 * Check that we have a data frame. 2972 */ 2973 b0 = gen_check_802_11_data_frame(); 2974 2975 /* 2976 * Now check for the specified link-layer type. 2977 */ 2978 b1 = gen_llc_linktype(proto); 2979 gen_and(b0, b1); 2980 return b1; 2981 /*NOTREACHED*/ 2982 break; 2983 2984 case DLT_FDDI: 2985 /* 2986 * XXX - check for asynchronous frames, as per RFC 1103. 2987 */ 2988 return gen_llc_linktype(proto); 2989 /*NOTREACHED*/ 2990 break; 2991 2992 case DLT_IEEE802: 2993 /* 2994 * XXX - check for LLC PDUs, as per IEEE 802.5. 2995 */ 2996 return gen_llc_linktype(proto); 2997 /*NOTREACHED*/ 2998 break; 2999 3000 case DLT_ATM_RFC1483: 3001 case DLT_ATM_CLIP: 3002 case DLT_IP_OVER_FC: 3003 return gen_llc_linktype(proto); 3004 /*NOTREACHED*/ 3005 break; 3006 3007 case DLT_SUNATM: 3008 /* 3009 * If "is_lane" is set, check for a LANE-encapsulated 3010 * version of this protocol, otherwise check for an 3011 * LLC-encapsulated version of this protocol. 3012 * 3013 * We assume LANE means Ethernet, not Token Ring. 3014 */ 3015 if (is_lane) { 3016 /* 3017 * Check that the packet doesn't begin with an 3018 * LE Control marker. (We've already generated 3019 * a test for LANE.) 3020 */ 3021 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3022 0xFF00); 3023 gen_not(b0); 3024 3025 /* 3026 * Now generate an Ethernet test. 3027 */ 3028 b1 = gen_ether_linktype(proto); 3029 gen_and(b0, b1); 3030 return b1; 3031 } else { 3032 /* 3033 * Check for LLC encapsulation and then check the 3034 * protocol. 3035 */ 3036 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3037 b1 = gen_llc_linktype(proto); 3038 gen_and(b0, b1); 3039 return b1; 3040 } 3041 /*NOTREACHED*/ 3042 break; 3043 3044 case DLT_LINUX_SLL: 3045 return gen_linux_sll_linktype(proto); 3046 /*NOTREACHED*/ 3047 break; 3048 3049 case DLT_SLIP: 3050 case DLT_SLIP_BSDOS: 3051 case DLT_RAW: 3052 /* 3053 * These types don't provide any type field; packets 3054 * are always IPv4 or IPv6. 3055 * 3056 * XXX - for IPv4, check for a version number of 4, and, 3057 * for IPv6, check for a version number of 6? 3058 */ 3059 switch (proto) { 3060 3061 case ETHERTYPE_IP: 3062 /* Check for a version number of 4. */ 3063 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3064 #ifdef INET6 3065 case ETHERTYPE_IPV6: 3066 /* Check for a version number of 6. */ 3067 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3068 #endif 3069 3070 default: 3071 return gen_false(); /* always false */ 3072 } 3073 /*NOTREACHED*/ 3074 break; 3075 3076 case DLT_PPP: 3077 case DLT_PPP_PPPD: 3078 case DLT_PPP_SERIAL: 3079 case DLT_PPP_ETHER: 3080 /* 3081 * We use Ethernet protocol types inside libpcap; 3082 * map them to the corresponding PPP protocol types. 3083 */ 3084 proto = ethertype_to_ppptype(proto); 3085 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3086 /*NOTREACHED*/ 3087 break; 3088 3089 case DLT_PPP_BSDOS: 3090 /* 3091 * We use Ethernet protocol types inside libpcap; 3092 * map them to the corresponding PPP protocol types. 3093 */ 3094 switch (proto) { 3095 3096 case ETHERTYPE_IP: 3097 /* 3098 * Also check for Van Jacobson-compressed IP. 3099 * XXX - do this for other forms of PPP? 3100 */ 3101 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3102 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3103 gen_or(b0, b1); 3104 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3105 gen_or(b1, b0); 3106 return b0; 3107 3108 default: 3109 proto = ethertype_to_ppptype(proto); 3110 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3111 (bpf_int32)proto); 3112 } 3113 /*NOTREACHED*/ 3114 break; 3115 3116 case DLT_NULL: 3117 case DLT_LOOP: 3118 case DLT_ENC: 3119 /* 3120 * For DLT_NULL, the link-layer header is a 32-bit 3121 * word containing an AF_ value in *host* byte order, 3122 * and for DLT_ENC, the link-layer header begins 3123 * with a 32-bit work containing an AF_ value in 3124 * host byte order. 3125 * 3126 * In addition, if we're reading a saved capture file, 3127 * the host byte order in the capture may not be the 3128 * same as the host byte order on this machine. 3129 * 3130 * For DLT_LOOP, the link-layer header is a 32-bit 3131 * word containing an AF_ value in *network* byte order. 3132 * 3133 * XXX - AF_ values may, unfortunately, be platform- 3134 * dependent; for example, FreeBSD's AF_INET6 is 24 3135 * whilst NetBSD's and OpenBSD's is 26. 3136 * 3137 * This means that, when reading a capture file, just 3138 * checking for our AF_INET6 value won't work if the 3139 * capture file came from another OS. 3140 */ 3141 switch (proto) { 3142 3143 case ETHERTYPE_IP: 3144 proto = AF_INET; 3145 break; 3146 3147 #ifdef INET6 3148 case ETHERTYPE_IPV6: 3149 proto = AF_INET6; 3150 break; 3151 #endif 3152 3153 default: 3154 /* 3155 * Not a type on which we support filtering. 3156 * XXX - support those that have AF_ values 3157 * #defined on this platform, at least? 3158 */ 3159 return gen_false(); 3160 } 3161 3162 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3163 /* 3164 * The AF_ value is in host byte order, but 3165 * the BPF interpreter will convert it to 3166 * network byte order. 3167 * 3168 * If this is a save file, and it's from a 3169 * machine with the opposite byte order to 3170 * ours, we byte-swap the AF_ value. 3171 * 3172 * Then we run it through "htonl()", and 3173 * generate code to compare against the result. 3174 */ 3175 if (bpf_pcap->sf.rfile != NULL && 3176 bpf_pcap->sf.swapped) 3177 proto = SWAPLONG(proto); 3178 proto = htonl(proto); 3179 } 3180 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3181 3182 #ifdef HAVE_NET_PFVAR_H 3183 case DLT_PFLOG: 3184 /* 3185 * af field is host byte order in contrast to the rest of 3186 * the packet. 3187 */ 3188 if (proto == ETHERTYPE_IP) 3189 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3190 BPF_B, (bpf_int32)AF_INET)); 3191 #ifdef INET6 3192 else if (proto == ETHERTYPE_IPV6) 3193 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3194 BPF_B, (bpf_int32)AF_INET6)); 3195 #endif /* INET6 */ 3196 else 3197 return gen_false(); 3198 /*NOTREACHED*/ 3199 break; 3200 #endif /* HAVE_NET_PFVAR_H */ 3201 3202 case DLT_ARCNET: 3203 case DLT_ARCNET_LINUX: 3204 /* 3205 * XXX should we check for first fragment if the protocol 3206 * uses PHDS? 3207 */ 3208 switch (proto) { 3209 3210 default: 3211 return gen_false(); 3212 3213 #ifdef INET6 3214 case ETHERTYPE_IPV6: 3215 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3216 (bpf_int32)ARCTYPE_INET6)); 3217 #endif /* INET6 */ 3218 3219 case ETHERTYPE_IP: 3220 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3221 (bpf_int32)ARCTYPE_IP); 3222 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3223 (bpf_int32)ARCTYPE_IP_OLD); 3224 gen_or(b0, b1); 3225 return (b1); 3226 3227 case ETHERTYPE_ARP: 3228 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3229 (bpf_int32)ARCTYPE_ARP); 3230 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3231 (bpf_int32)ARCTYPE_ARP_OLD); 3232 gen_or(b0, b1); 3233 return (b1); 3234 3235 case ETHERTYPE_REVARP: 3236 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3237 (bpf_int32)ARCTYPE_REVARP)); 3238 3239 case ETHERTYPE_ATALK: 3240 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3241 (bpf_int32)ARCTYPE_ATALK)); 3242 } 3243 /*NOTREACHED*/ 3244 break; 3245 3246 case DLT_LTALK: 3247 switch (proto) { 3248 case ETHERTYPE_ATALK: 3249 return gen_true(); 3250 default: 3251 return gen_false(); 3252 } 3253 /*NOTREACHED*/ 3254 break; 3255 3256 case DLT_FRELAY: 3257 /* 3258 * XXX - assumes a 2-byte Frame Relay header with 3259 * DLCI and flags. What if the address is longer? 3260 */ 3261 switch (proto) { 3262 3263 case ETHERTYPE_IP: 3264 /* 3265 * Check for the special NLPID for IP. 3266 */ 3267 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3268 3269 #ifdef INET6 3270 case ETHERTYPE_IPV6: 3271 /* 3272 * Check for the special NLPID for IPv6. 3273 */ 3274 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3275 #endif 3276 3277 case LLCSAP_ISONS: 3278 /* 3279 * Check for several OSI protocols. 3280 * 3281 * Frame Relay packets typically have an OSI 3282 * NLPID at the beginning; we check for each 3283 * of them. 3284 * 3285 * What we check for is the NLPID and a frame 3286 * control field of UI, i.e. 0x03 followed 3287 * by the NLPID. 3288 */ 3289 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3290 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3291 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3292 gen_or(b1, b2); 3293 gen_or(b0, b2); 3294 return b2; 3295 3296 default: 3297 return gen_false(); 3298 } 3299 /*NOTREACHED*/ 3300 break; 3301 3302 case DLT_MFR: 3303 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3304 3305 case DLT_JUNIPER_MFR: 3306 case DLT_JUNIPER_MLFR: 3307 case DLT_JUNIPER_MLPPP: 3308 case DLT_JUNIPER_ATM1: 3309 case DLT_JUNIPER_ATM2: 3310 case DLT_JUNIPER_PPPOE: 3311 case DLT_JUNIPER_PPPOE_ATM: 3312 case DLT_JUNIPER_GGSN: 3313 case DLT_JUNIPER_ES: 3314 case DLT_JUNIPER_MONITOR: 3315 case DLT_JUNIPER_SERVICES: 3316 case DLT_JUNIPER_ETHER: 3317 case DLT_JUNIPER_PPP: 3318 case DLT_JUNIPER_FRELAY: 3319 case DLT_JUNIPER_CHDLC: 3320 case DLT_JUNIPER_VP: 3321 case DLT_JUNIPER_ST: 3322 case DLT_JUNIPER_ISM: 3323 /* just lets verify the magic number for now - 3324 * on ATM we may have up to 6 different encapsulations on the wire 3325 * and need a lot of heuristics to figure out that the payload 3326 * might be; 3327 * 3328 * FIXME encapsulation specific BPF_ filters 3329 */ 3330 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3331 3332 case DLT_LINUX_IRDA: 3333 bpf_error("IrDA link-layer type filtering not implemented"); 3334 3335 case DLT_DOCSIS: 3336 bpf_error("DOCSIS link-layer type filtering not implemented"); 3337 3338 case DLT_MTP2: 3339 case DLT_MTP2_WITH_PHDR: 3340 bpf_error("MTP2 link-layer type filtering not implemented"); 3341 3342 case DLT_ERF: 3343 bpf_error("ERF link-layer type filtering not implemented"); 3344 3345 #ifdef DLT_PFSYNC 3346 case DLT_PFSYNC: 3347 bpf_error("PFSYNC link-layer type filtering not implemented"); 3348 #endif 3349 3350 case DLT_LINUX_LAPD: 3351 bpf_error("LAPD link-layer type filtering not implemented"); 3352 3353 case DLT_USB: 3354 case DLT_USB_LINUX: 3355 bpf_error("USB link-layer type filtering not implemented"); 3356 3357 case DLT_BLUETOOTH_HCI_H4: 3358 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3359 bpf_error("Bluetooth link-layer type filtering not implemented"); 3360 3361 case DLT_CAN20B: 3362 bpf_error("CAN20B link-layer type filtering not implemented"); 3363 3364 case DLT_IEEE802_15_4: 3365 case DLT_IEEE802_15_4_LINUX: 3366 case DLT_IEEE802_15_4_NONASK_PHY: 3367 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3368 3369 case DLT_IEEE802_16_MAC_CPS_RADIO: 3370 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3371 3372 case DLT_SITA: 3373 bpf_error("SITA link-layer type filtering not implemented"); 3374 3375 case DLT_RAIF1: 3376 bpf_error("RAIF1 link-layer type filtering not implemented"); 3377 3378 case DLT_IPMB: 3379 bpf_error("IPMB link-layer type filtering not implemented"); 3380 3381 case DLT_AX25_KISS: 3382 bpf_error("AX.25 link-layer type filtering not implemented"); 3383 } 3384 3385 /* 3386 * All the types that have no encapsulation should either be 3387 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3388 * all packets are IP packets, or should be handled in some 3389 * special case, if none of them are (if some are and some 3390 * aren't, the lack of encapsulation is a problem, as we'd 3391 * have to find some other way of determining the packet type). 3392 * 3393 * Therefore, if "off_linktype" is -1, there's an error. 3394 */ 3395 if (off_linktype == (u_int)-1) 3396 abort(); 3397 3398 /* 3399 * Any type not handled above should always have an Ethernet 3400 * type at an offset of "off_linktype". 3401 */ 3402 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3403 } 3404 3405 /* 3406 * Check for an LLC SNAP packet with a given organization code and 3407 * protocol type; we check the entire contents of the 802.2 LLC and 3408 * snap headers, checking for DSAP and SSAP of SNAP and a control 3409 * field of 0x03 in the LLC header, and for the specified organization 3410 * code and protocol type in the SNAP header. 3411 */ 3412 static struct block * 3413 gen_snap(orgcode, ptype) 3414 bpf_u_int32 orgcode; 3415 bpf_u_int32 ptype; 3416 { 3417 u_char snapblock[8]; 3418 3419 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3420 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3421 snapblock[2] = 0x03; /* control = UI */ 3422 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3423 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3424 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3425 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3426 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3427 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3428 } 3429 3430 /* 3431 * Generate code to match a particular packet type, for link-layer types 3432 * using 802.2 LLC headers. 3433 * 3434 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3435 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3436 * 3437 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3438 * value, if <= ETHERMTU. We use that to determine whether to 3439 * match the DSAP or both DSAP and LSAP or to check the OUI and 3440 * protocol ID in a SNAP header. 3441 */ 3442 static struct block * 3443 gen_llc_linktype(proto) 3444 int proto; 3445 { 3446 /* 3447 * XXX - handle token-ring variable-length header. 3448 */ 3449 switch (proto) { 3450 3451 case LLCSAP_IP: 3452 case LLCSAP_ISONS: 3453 case LLCSAP_NETBEUI: 3454 /* 3455 * XXX - should we check both the DSAP and the 3456 * SSAP, like this, or should we check just the 3457 * DSAP, as we do for other types <= ETHERMTU 3458 * (i.e., other SAP values)? 3459 */ 3460 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3461 ((proto << 8) | proto)); 3462 3463 case LLCSAP_IPX: 3464 /* 3465 * XXX - are there ever SNAP frames for IPX on 3466 * non-Ethernet 802.x networks? 3467 */ 3468 return gen_cmp(OR_MACPL, 0, BPF_B, 3469 (bpf_int32)LLCSAP_IPX); 3470 3471 case ETHERTYPE_ATALK: 3472 /* 3473 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3474 * SNAP packets with an organization code of 3475 * 0x080007 (Apple, for Appletalk) and a protocol 3476 * type of ETHERTYPE_ATALK (Appletalk). 3477 * 3478 * XXX - check for an organization code of 3479 * encapsulated Ethernet as well? 3480 */ 3481 return gen_snap(0x080007, ETHERTYPE_ATALK); 3482 3483 default: 3484 /* 3485 * XXX - we don't have to check for IPX 802.3 3486 * here, but should we check for the IPX Ethertype? 3487 */ 3488 if (proto <= ETHERMTU) { 3489 /* 3490 * This is an LLC SAP value, so check 3491 * the DSAP. 3492 */ 3493 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3494 } else { 3495 /* 3496 * This is an Ethernet type; we assume that it's 3497 * unlikely that it'll appear in the right place 3498 * at random, and therefore check only the 3499 * location that would hold the Ethernet type 3500 * in a SNAP frame with an organization code of 3501 * 0x000000 (encapsulated Ethernet). 3502 * 3503 * XXX - if we were to check for the SNAP DSAP and 3504 * LSAP, as per XXX, and were also to check for an 3505 * organization code of 0x000000 (encapsulated 3506 * Ethernet), we'd do 3507 * 3508 * return gen_snap(0x000000, proto); 3509 * 3510 * here; for now, we don't, as per the above. 3511 * I don't know whether it's worth the extra CPU 3512 * time to do the right check or not. 3513 */ 3514 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3515 } 3516 } 3517 } 3518 3519 static struct block * 3520 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3521 bpf_u_int32 addr; 3522 bpf_u_int32 mask; 3523 int dir, proto; 3524 u_int src_off, dst_off; 3525 { 3526 struct block *b0, *b1; 3527 u_int offset; 3528 3529 switch (dir) { 3530 3531 case Q_SRC: 3532 offset = src_off; 3533 break; 3534 3535 case Q_DST: 3536 offset = dst_off; 3537 break; 3538 3539 case Q_AND: 3540 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3541 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3542 gen_and(b0, b1); 3543 return b1; 3544 3545 case Q_OR: 3546 case Q_DEFAULT: 3547 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3548 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3549 gen_or(b0, b1); 3550 return b1; 3551 3552 default: 3553 abort(); 3554 } 3555 b0 = gen_linktype(proto); 3556 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3557 gen_and(b0, b1); 3558 return b1; 3559 } 3560 3561 #ifdef INET6 3562 static struct block * 3563 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3564 struct in6_addr *addr; 3565 struct in6_addr *mask; 3566 int dir, proto; 3567 u_int src_off, dst_off; 3568 { 3569 struct block *b0, *b1; 3570 u_int offset; 3571 u_int32_t *a, *m; 3572 3573 switch (dir) { 3574 3575 case Q_SRC: 3576 offset = src_off; 3577 break; 3578 3579 case Q_DST: 3580 offset = dst_off; 3581 break; 3582 3583 case Q_AND: 3584 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3585 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3586 gen_and(b0, b1); 3587 return b1; 3588 3589 case Q_OR: 3590 case Q_DEFAULT: 3591 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3592 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3593 gen_or(b0, b1); 3594 return b1; 3595 3596 default: 3597 abort(); 3598 } 3599 /* this order is important */ 3600 a = (u_int32_t *)addr; 3601 m = (u_int32_t *)mask; 3602 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3603 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3604 gen_and(b0, b1); 3605 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3606 gen_and(b0, b1); 3607 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3608 gen_and(b0, b1); 3609 b0 = gen_linktype(proto); 3610 gen_and(b0, b1); 3611 return b1; 3612 } 3613 #endif /*INET6*/ 3614 3615 static struct block * 3616 gen_ehostop(eaddr, dir) 3617 register const u_char *eaddr; 3618 register int dir; 3619 { 3620 register struct block *b0, *b1; 3621 3622 switch (dir) { 3623 case Q_SRC: 3624 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3625 3626 case Q_DST: 3627 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3628 3629 case Q_AND: 3630 b0 = gen_ehostop(eaddr, Q_SRC); 3631 b1 = gen_ehostop(eaddr, Q_DST); 3632 gen_and(b0, b1); 3633 return b1; 3634 3635 case Q_DEFAULT: 3636 case Q_OR: 3637 b0 = gen_ehostop(eaddr, Q_SRC); 3638 b1 = gen_ehostop(eaddr, Q_DST); 3639 gen_or(b0, b1); 3640 return b1; 3641 } 3642 abort(); 3643 /* NOTREACHED */ 3644 } 3645 3646 /* 3647 * Like gen_ehostop, but for DLT_FDDI 3648 */ 3649 static struct block * 3650 gen_fhostop(eaddr, dir) 3651 register const u_char *eaddr; 3652 register int dir; 3653 { 3654 struct block *b0, *b1; 3655 3656 switch (dir) { 3657 case Q_SRC: 3658 #ifdef PCAP_FDDIPAD 3659 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3660 #else 3661 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3662 #endif 3663 3664 case Q_DST: 3665 #ifdef PCAP_FDDIPAD 3666 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3667 #else 3668 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3669 #endif 3670 3671 case Q_AND: 3672 b0 = gen_fhostop(eaddr, Q_SRC); 3673 b1 = gen_fhostop(eaddr, Q_DST); 3674 gen_and(b0, b1); 3675 return b1; 3676 3677 case Q_DEFAULT: 3678 case Q_OR: 3679 b0 = gen_fhostop(eaddr, Q_SRC); 3680 b1 = gen_fhostop(eaddr, Q_DST); 3681 gen_or(b0, b1); 3682 return b1; 3683 } 3684 abort(); 3685 /* NOTREACHED */ 3686 } 3687 3688 /* 3689 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3690 */ 3691 static struct block * 3692 gen_thostop(eaddr, dir) 3693 register const u_char *eaddr; 3694 register int dir; 3695 { 3696 register struct block *b0, *b1; 3697 3698 switch (dir) { 3699 case Q_SRC: 3700 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3701 3702 case Q_DST: 3703 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3704 3705 case Q_AND: 3706 b0 = gen_thostop(eaddr, Q_SRC); 3707 b1 = gen_thostop(eaddr, Q_DST); 3708 gen_and(b0, b1); 3709 return b1; 3710 3711 case Q_DEFAULT: 3712 case Q_OR: 3713 b0 = gen_thostop(eaddr, Q_SRC); 3714 b1 = gen_thostop(eaddr, Q_DST); 3715 gen_or(b0, b1); 3716 return b1; 3717 } 3718 abort(); 3719 /* NOTREACHED */ 3720 } 3721 3722 /* 3723 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3724 * various 802.11 + radio headers. 3725 */ 3726 static struct block * 3727 gen_wlanhostop(eaddr, dir) 3728 register const u_char *eaddr; 3729 register int dir; 3730 { 3731 register struct block *b0, *b1, *b2; 3732 register struct slist *s; 3733 3734 #ifdef ENABLE_WLAN_FILTERING_PATCH 3735 /* 3736 * TODO GV 20070613 3737 * We need to disable the optimizer because the optimizer is buggy 3738 * and wipes out some LD instructions generated by the below 3739 * code to validate the Frame Control bits 3740 */ 3741 no_optimize = 1; 3742 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3743 3744 switch (dir) { 3745 case Q_SRC: 3746 /* 3747 * Oh, yuk. 3748 * 3749 * For control frames, there is no SA. 3750 * 3751 * For management frames, SA is at an 3752 * offset of 10 from the beginning of 3753 * the packet. 3754 * 3755 * For data frames, SA is at an offset 3756 * of 10 from the beginning of the packet 3757 * if From DS is clear, at an offset of 3758 * 16 from the beginning of the packet 3759 * if From DS is set and To DS is clear, 3760 * and an offset of 24 from the beginning 3761 * of the packet if From DS is set and To DS 3762 * is set. 3763 */ 3764 3765 /* 3766 * Generate the tests to be done for data frames 3767 * with From DS set. 3768 * 3769 * First, check for To DS set, i.e. check "link[1] & 0x01". 3770 */ 3771 s = gen_load_a(OR_LINK, 1, BPF_B); 3772 b1 = new_block(JMP(BPF_JSET)); 3773 b1->s.k = 0x01; /* To DS */ 3774 b1->stmts = s; 3775 3776 /* 3777 * If To DS is set, the SA is at 24. 3778 */ 3779 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3780 gen_and(b1, b0); 3781 3782 /* 3783 * Now, check for To DS not set, i.e. check 3784 * "!(link[1] & 0x01)". 3785 */ 3786 s = gen_load_a(OR_LINK, 1, BPF_B); 3787 b2 = new_block(JMP(BPF_JSET)); 3788 b2->s.k = 0x01; /* To DS */ 3789 b2->stmts = s; 3790 gen_not(b2); 3791 3792 /* 3793 * If To DS is not set, the SA is at 16. 3794 */ 3795 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3796 gen_and(b2, b1); 3797 3798 /* 3799 * Now OR together the last two checks. That gives 3800 * the complete set of checks for data frames with 3801 * From DS set. 3802 */ 3803 gen_or(b1, b0); 3804 3805 /* 3806 * Now check for From DS being set, and AND that with 3807 * the ORed-together checks. 3808 */ 3809 s = gen_load_a(OR_LINK, 1, BPF_B); 3810 b1 = new_block(JMP(BPF_JSET)); 3811 b1->s.k = 0x02; /* From DS */ 3812 b1->stmts = s; 3813 gen_and(b1, b0); 3814 3815 /* 3816 * Now check for data frames with From DS not set. 3817 */ 3818 s = gen_load_a(OR_LINK, 1, BPF_B); 3819 b2 = new_block(JMP(BPF_JSET)); 3820 b2->s.k = 0x02; /* From DS */ 3821 b2->stmts = s; 3822 gen_not(b2); 3823 3824 /* 3825 * If From DS isn't set, the SA is at 10. 3826 */ 3827 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3828 gen_and(b2, b1); 3829 3830 /* 3831 * Now OR together the checks for data frames with 3832 * From DS not set and for data frames with From DS 3833 * set; that gives the checks done for data frames. 3834 */ 3835 gen_or(b1, b0); 3836 3837 /* 3838 * Now check for a data frame. 3839 * I.e, check "link[0] & 0x08". 3840 */ 3841 s = gen_load_a(OR_LINK, 0, BPF_B); 3842 b1 = new_block(JMP(BPF_JSET)); 3843 b1->s.k = 0x08; 3844 b1->stmts = s; 3845 3846 /* 3847 * AND that with the checks done for data frames. 3848 */ 3849 gen_and(b1, b0); 3850 3851 /* 3852 * If the high-order bit of the type value is 0, this 3853 * is a management frame. 3854 * I.e, check "!(link[0] & 0x08)". 3855 */ 3856 s = gen_load_a(OR_LINK, 0, BPF_B); 3857 b2 = new_block(JMP(BPF_JSET)); 3858 b2->s.k = 0x08; 3859 b2->stmts = s; 3860 gen_not(b2); 3861 3862 /* 3863 * For management frames, the SA is at 10. 3864 */ 3865 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3866 gen_and(b2, b1); 3867 3868 /* 3869 * OR that with the checks done for data frames. 3870 * That gives the checks done for management and 3871 * data frames. 3872 */ 3873 gen_or(b1, b0); 3874 3875 /* 3876 * If the low-order bit of the type value is 1, 3877 * this is either a control frame or a frame 3878 * with a reserved type, and thus not a 3879 * frame with an SA. 3880 * 3881 * I.e., check "!(link[0] & 0x04)". 3882 */ 3883 s = gen_load_a(OR_LINK, 0, BPF_B); 3884 b1 = new_block(JMP(BPF_JSET)); 3885 b1->s.k = 0x04; 3886 b1->stmts = s; 3887 gen_not(b1); 3888 3889 /* 3890 * AND that with the checks for data and management 3891 * frames. 3892 */ 3893 gen_and(b1, b0); 3894 return b0; 3895 3896 case Q_DST: 3897 /* 3898 * Oh, yuk. 3899 * 3900 * For control frames, there is no DA. 3901 * 3902 * For management frames, DA is at an 3903 * offset of 4 from the beginning of 3904 * the packet. 3905 * 3906 * For data frames, DA is at an offset 3907 * of 4 from the beginning of the packet 3908 * if To DS is clear and at an offset of 3909 * 16 from the beginning of the packet 3910 * if To DS is set. 3911 */ 3912 3913 /* 3914 * Generate the tests to be done for data frames. 3915 * 3916 * First, check for To DS set, i.e. "link[1] & 0x01". 3917 */ 3918 s = gen_load_a(OR_LINK, 1, BPF_B); 3919 b1 = new_block(JMP(BPF_JSET)); 3920 b1->s.k = 0x01; /* To DS */ 3921 b1->stmts = s; 3922 3923 /* 3924 * If To DS is set, the DA is at 16. 3925 */ 3926 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3927 gen_and(b1, b0); 3928 3929 /* 3930 * Now, check for To DS not set, i.e. check 3931 * "!(link[1] & 0x01)". 3932 */ 3933 s = gen_load_a(OR_LINK, 1, BPF_B); 3934 b2 = new_block(JMP(BPF_JSET)); 3935 b2->s.k = 0x01; /* To DS */ 3936 b2->stmts = s; 3937 gen_not(b2); 3938 3939 /* 3940 * If To DS is not set, the DA is at 4. 3941 */ 3942 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 3943 gen_and(b2, b1); 3944 3945 /* 3946 * Now OR together the last two checks. That gives 3947 * the complete set of checks for data frames. 3948 */ 3949 gen_or(b1, b0); 3950 3951 /* 3952 * Now check for a data frame. 3953 * I.e, check "link[0] & 0x08". 3954 */ 3955 s = gen_load_a(OR_LINK, 0, BPF_B); 3956 b1 = new_block(JMP(BPF_JSET)); 3957 b1->s.k = 0x08; 3958 b1->stmts = s; 3959 3960 /* 3961 * AND that with the checks done for data frames. 3962 */ 3963 gen_and(b1, b0); 3964 3965 /* 3966 * If the high-order bit of the type value is 0, this 3967 * is a management frame. 3968 * I.e, check "!(link[0] & 0x08)". 3969 */ 3970 s = gen_load_a(OR_LINK, 0, BPF_B); 3971 b2 = new_block(JMP(BPF_JSET)); 3972 b2->s.k = 0x08; 3973 b2->stmts = s; 3974 gen_not(b2); 3975 3976 /* 3977 * For management frames, the DA is at 4. 3978 */ 3979 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 3980 gen_and(b2, b1); 3981 3982 /* 3983 * OR that with the checks done for data frames. 3984 * That gives the checks done for management and 3985 * data frames. 3986 */ 3987 gen_or(b1, b0); 3988 3989 /* 3990 * If the low-order bit of the type value is 1, 3991 * this is either a control frame or a frame 3992 * with a reserved type, and thus not a 3993 * frame with an SA. 3994 * 3995 * I.e., check "!(link[0] & 0x04)". 3996 */ 3997 s = gen_load_a(OR_LINK, 0, BPF_B); 3998 b1 = new_block(JMP(BPF_JSET)); 3999 b1->s.k = 0x04; 4000 b1->stmts = s; 4001 gen_not(b1); 4002 4003 /* 4004 * AND that with the checks for data and management 4005 * frames. 4006 */ 4007 gen_and(b1, b0); 4008 return b0; 4009 4010 /* 4011 * XXX - add RA, TA, and BSSID keywords? 4012 */ 4013 case Q_ADDR1: 4014 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4015 4016 case Q_ADDR2: 4017 /* 4018 * Not present in CTS or ACK control frames. 4019 */ 4020 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4021 IEEE80211_FC0_TYPE_MASK); 4022 gen_not(b0); 4023 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4024 IEEE80211_FC0_SUBTYPE_MASK); 4025 gen_not(b1); 4026 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4027 IEEE80211_FC0_SUBTYPE_MASK); 4028 gen_not(b2); 4029 gen_and(b1, b2); 4030 gen_or(b0, b2); 4031 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4032 gen_and(b2, b1); 4033 return b1; 4034 4035 case Q_ADDR3: 4036 /* 4037 * Not present in control frames. 4038 */ 4039 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4040 IEEE80211_FC0_TYPE_MASK); 4041 gen_not(b0); 4042 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4043 gen_and(b0, b1); 4044 return b1; 4045 4046 case Q_ADDR4: 4047 /* 4048 * Present only if the direction mask has both "From DS" 4049 * and "To DS" set. Neither control frames nor management 4050 * frames should have both of those set, so we don't 4051 * check the frame type. 4052 */ 4053 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4054 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4055 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4056 gen_and(b0, b1); 4057 return b1; 4058 4059 case Q_AND: 4060 b0 = gen_wlanhostop(eaddr, Q_SRC); 4061 b1 = gen_wlanhostop(eaddr, Q_DST); 4062 gen_and(b0, b1); 4063 return b1; 4064 4065 case Q_DEFAULT: 4066 case Q_OR: 4067 b0 = gen_wlanhostop(eaddr, Q_SRC); 4068 b1 = gen_wlanhostop(eaddr, Q_DST); 4069 gen_or(b0, b1); 4070 return b1; 4071 } 4072 abort(); 4073 /* NOTREACHED */ 4074 } 4075 4076 /* 4077 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4078 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4079 * as the RFC states.) 4080 */ 4081 static struct block * 4082 gen_ipfchostop(eaddr, dir) 4083 register const u_char *eaddr; 4084 register int dir; 4085 { 4086 register struct block *b0, *b1; 4087 4088 switch (dir) { 4089 case Q_SRC: 4090 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4091 4092 case Q_DST: 4093 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4094 4095 case Q_AND: 4096 b0 = gen_ipfchostop(eaddr, Q_SRC); 4097 b1 = gen_ipfchostop(eaddr, Q_DST); 4098 gen_and(b0, b1); 4099 return b1; 4100 4101 case Q_DEFAULT: 4102 case Q_OR: 4103 b0 = gen_ipfchostop(eaddr, Q_SRC); 4104 b1 = gen_ipfchostop(eaddr, Q_DST); 4105 gen_or(b0, b1); 4106 return b1; 4107 } 4108 abort(); 4109 /* NOTREACHED */ 4110 } 4111 4112 /* 4113 * This is quite tricky because there may be pad bytes in front of the 4114 * DECNET header, and then there are two possible data packet formats that 4115 * carry both src and dst addresses, plus 5 packet types in a format that 4116 * carries only the src node, plus 2 types that use a different format and 4117 * also carry just the src node. 4118 * 4119 * Yuck. 4120 * 4121 * Instead of doing those all right, we just look for data packets with 4122 * 0 or 1 bytes of padding. If you want to look at other packets, that 4123 * will require a lot more hacking. 4124 * 4125 * To add support for filtering on DECNET "areas" (network numbers) 4126 * one would want to add a "mask" argument to this routine. That would 4127 * make the filter even more inefficient, although one could be clever 4128 * and not generate masking instructions if the mask is 0xFFFF. 4129 */ 4130 static struct block * 4131 gen_dnhostop(addr, dir) 4132 bpf_u_int32 addr; 4133 int dir; 4134 { 4135 struct block *b0, *b1, *b2, *tmp; 4136 u_int offset_lh; /* offset if long header is received */ 4137 u_int offset_sh; /* offset if short header is received */ 4138 4139 switch (dir) { 4140 4141 case Q_DST: 4142 offset_sh = 1; /* follows flags */ 4143 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4144 break; 4145 4146 case Q_SRC: 4147 offset_sh = 3; /* follows flags, dstnode */ 4148 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4149 break; 4150 4151 case Q_AND: 4152 /* Inefficient because we do our Calvinball dance twice */ 4153 b0 = gen_dnhostop(addr, Q_SRC); 4154 b1 = gen_dnhostop(addr, Q_DST); 4155 gen_and(b0, b1); 4156 return b1; 4157 4158 case Q_OR: 4159 case Q_DEFAULT: 4160 /* Inefficient because we do our Calvinball dance twice */ 4161 b0 = gen_dnhostop(addr, Q_SRC); 4162 b1 = gen_dnhostop(addr, Q_DST); 4163 gen_or(b0, b1); 4164 return b1; 4165 4166 case Q_ISO: 4167 bpf_error("ISO host filtering not implemented"); 4168 4169 default: 4170 abort(); 4171 } 4172 b0 = gen_linktype(ETHERTYPE_DN); 4173 /* Check for pad = 1, long header case */ 4174 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4175 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4176 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4177 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4178 gen_and(tmp, b1); 4179 /* Check for pad = 0, long header case */ 4180 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4181 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4182 gen_and(tmp, b2); 4183 gen_or(b2, b1); 4184 /* Check for pad = 1, short header case */ 4185 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4186 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4187 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4188 gen_and(tmp, b2); 4189 gen_or(b2, b1); 4190 /* Check for pad = 0, short header case */ 4191 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4192 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4193 gen_and(tmp, b2); 4194 gen_or(b2, b1); 4195 4196 /* Combine with test for linktype */ 4197 gen_and(b0, b1); 4198 return b1; 4199 } 4200 4201 /* 4202 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4203 * test the bottom-of-stack bit, and then check the version number 4204 * field in the IP header. 4205 */ 4206 static struct block * 4207 gen_mpls_linktype(proto) 4208 int proto; 4209 { 4210 struct block *b0, *b1; 4211 4212 switch (proto) { 4213 4214 case Q_IP: 4215 /* match the bottom-of-stack bit */ 4216 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4217 /* match the IPv4 version number */ 4218 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4219 gen_and(b0, b1); 4220 return b1; 4221 4222 case Q_IPV6: 4223 /* match the bottom-of-stack bit */ 4224 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4225 /* match the IPv4 version number */ 4226 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4227 gen_and(b0, b1); 4228 return b1; 4229 4230 default: 4231 abort(); 4232 } 4233 } 4234 4235 static struct block * 4236 gen_host(addr, mask, proto, dir, type) 4237 bpf_u_int32 addr; 4238 bpf_u_int32 mask; 4239 int proto; 4240 int dir; 4241 int type; 4242 { 4243 struct block *b0, *b1; 4244 const char *typestr; 4245 4246 if (type == Q_NET) 4247 typestr = "net"; 4248 else 4249 typestr = "host"; 4250 4251 switch (proto) { 4252 4253 case Q_DEFAULT: 4254 b0 = gen_host(addr, mask, Q_IP, dir, type); 4255 /* 4256 * Only check for non-IPv4 addresses if we're not 4257 * checking MPLS-encapsulated packets. 4258 */ 4259 if (label_stack_depth == 0) { 4260 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4261 gen_or(b0, b1); 4262 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4263 gen_or(b1, b0); 4264 } 4265 return b0; 4266 4267 case Q_IP: 4268 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4269 4270 case Q_RARP: 4271 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4272 4273 case Q_ARP: 4274 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4275 4276 case Q_TCP: 4277 bpf_error("'tcp' modifier applied to %s", typestr); 4278 4279 case Q_SCTP: 4280 bpf_error("'sctp' modifier applied to %s", typestr); 4281 4282 case Q_UDP: 4283 bpf_error("'udp' modifier applied to %s", typestr); 4284 4285 case Q_ICMP: 4286 bpf_error("'icmp' modifier applied to %s", typestr); 4287 4288 case Q_IGMP: 4289 bpf_error("'igmp' modifier applied to %s", typestr); 4290 4291 case Q_IGRP: 4292 bpf_error("'igrp' modifier applied to %s", typestr); 4293 4294 case Q_PIM: 4295 bpf_error("'pim' modifier applied to %s", typestr); 4296 4297 case Q_VRRP: 4298 bpf_error("'vrrp' modifier applied to %s", typestr); 4299 4300 case Q_ATALK: 4301 bpf_error("ATALK host filtering not implemented"); 4302 4303 case Q_AARP: 4304 bpf_error("AARP host filtering not implemented"); 4305 4306 case Q_DECNET: 4307 return gen_dnhostop(addr, dir); 4308 4309 case Q_SCA: 4310 bpf_error("SCA host filtering not implemented"); 4311 4312 case Q_LAT: 4313 bpf_error("LAT host filtering not implemented"); 4314 4315 case Q_MOPDL: 4316 bpf_error("MOPDL host filtering not implemented"); 4317 4318 case Q_MOPRC: 4319 bpf_error("MOPRC host filtering not implemented"); 4320 4321 #ifdef INET6 4322 case Q_IPV6: 4323 bpf_error("'ip6' modifier applied to ip host"); 4324 4325 case Q_ICMPV6: 4326 bpf_error("'icmp6' modifier applied to %s", typestr); 4327 #endif /* INET6 */ 4328 4329 case Q_AH: 4330 bpf_error("'ah' modifier applied to %s", typestr); 4331 4332 case Q_ESP: 4333 bpf_error("'esp' modifier applied to %s", typestr); 4334 4335 case Q_ISO: 4336 bpf_error("ISO host filtering not implemented"); 4337 4338 case Q_ESIS: 4339 bpf_error("'esis' modifier applied to %s", typestr); 4340 4341 case Q_ISIS: 4342 bpf_error("'isis' modifier applied to %s", typestr); 4343 4344 case Q_CLNP: 4345 bpf_error("'clnp' modifier applied to %s", typestr); 4346 4347 case Q_STP: 4348 bpf_error("'stp' modifier applied to %s", typestr); 4349 4350 case Q_IPX: 4351 bpf_error("IPX host filtering not implemented"); 4352 4353 case Q_NETBEUI: 4354 bpf_error("'netbeui' modifier applied to %s", typestr); 4355 4356 case Q_RADIO: 4357 bpf_error("'radio' modifier applied to %s", typestr); 4358 4359 default: 4360 abort(); 4361 } 4362 /* NOTREACHED */ 4363 } 4364 4365 #ifdef INET6 4366 static struct block * 4367 gen_host6(addr, mask, proto, dir, type) 4368 struct in6_addr *addr; 4369 struct in6_addr *mask; 4370 int proto; 4371 int dir; 4372 int type; 4373 { 4374 const char *typestr; 4375 4376 if (type == Q_NET) 4377 typestr = "net"; 4378 else 4379 typestr = "host"; 4380 4381 switch (proto) { 4382 4383 case Q_DEFAULT: 4384 return gen_host6(addr, mask, Q_IPV6, dir, type); 4385 4386 case Q_IP: 4387 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4388 4389 case Q_RARP: 4390 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4391 4392 case Q_ARP: 4393 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4394 4395 case Q_SCTP: 4396 bpf_error("'sctp' modifier applied to %s", typestr); 4397 4398 case Q_TCP: 4399 bpf_error("'tcp' modifier applied to %s", typestr); 4400 4401 case Q_UDP: 4402 bpf_error("'udp' modifier applied to %s", typestr); 4403 4404 case Q_ICMP: 4405 bpf_error("'icmp' modifier applied to %s", typestr); 4406 4407 case Q_IGMP: 4408 bpf_error("'igmp' modifier applied to %s", typestr); 4409 4410 case Q_IGRP: 4411 bpf_error("'igrp' modifier applied to %s", typestr); 4412 4413 case Q_PIM: 4414 bpf_error("'pim' modifier applied to %s", typestr); 4415 4416 case Q_VRRP: 4417 bpf_error("'vrrp' modifier applied to %s", typestr); 4418 4419 case Q_ATALK: 4420 bpf_error("ATALK host filtering not implemented"); 4421 4422 case Q_AARP: 4423 bpf_error("AARP host filtering not implemented"); 4424 4425 case Q_DECNET: 4426 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4427 4428 case Q_SCA: 4429 bpf_error("SCA host filtering not implemented"); 4430 4431 case Q_LAT: 4432 bpf_error("LAT host filtering not implemented"); 4433 4434 case Q_MOPDL: 4435 bpf_error("MOPDL host filtering not implemented"); 4436 4437 case Q_MOPRC: 4438 bpf_error("MOPRC host filtering not implemented"); 4439 4440 case Q_IPV6: 4441 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4442 4443 case Q_ICMPV6: 4444 bpf_error("'icmp6' modifier applied to %s", typestr); 4445 4446 case Q_AH: 4447 bpf_error("'ah' modifier applied to %s", typestr); 4448 4449 case Q_ESP: 4450 bpf_error("'esp' modifier applied to %s", typestr); 4451 4452 case Q_ISO: 4453 bpf_error("ISO host filtering not implemented"); 4454 4455 case Q_ESIS: 4456 bpf_error("'esis' modifier applied to %s", typestr); 4457 4458 case Q_ISIS: 4459 bpf_error("'isis' modifier applied to %s", typestr); 4460 4461 case Q_CLNP: 4462 bpf_error("'clnp' modifier applied to %s", typestr); 4463 4464 case Q_STP: 4465 bpf_error("'stp' modifier applied to %s", typestr); 4466 4467 case Q_IPX: 4468 bpf_error("IPX host filtering not implemented"); 4469 4470 case Q_NETBEUI: 4471 bpf_error("'netbeui' modifier applied to %s", typestr); 4472 4473 case Q_RADIO: 4474 bpf_error("'radio' modifier applied to %s", typestr); 4475 4476 default: 4477 abort(); 4478 } 4479 /* NOTREACHED */ 4480 } 4481 #endif /*INET6*/ 4482 4483 #ifndef INET6 4484 static struct block * 4485 gen_gateway(eaddr, alist, proto, dir) 4486 const u_char *eaddr; 4487 bpf_u_int32 **alist; 4488 int proto; 4489 int dir; 4490 { 4491 struct block *b0, *b1, *tmp; 4492 4493 if (dir != 0) 4494 bpf_error("direction applied to 'gateway'"); 4495 4496 switch (proto) { 4497 case Q_DEFAULT: 4498 case Q_IP: 4499 case Q_ARP: 4500 case Q_RARP: 4501 switch (linktype) { 4502 case DLT_EN10MB: 4503 b0 = gen_ehostop(eaddr, Q_OR); 4504 break; 4505 case DLT_FDDI: 4506 b0 = gen_fhostop(eaddr, Q_OR); 4507 break; 4508 case DLT_IEEE802: 4509 b0 = gen_thostop(eaddr, Q_OR); 4510 break; 4511 case DLT_IEEE802_11: 4512 case DLT_PRISM_HEADER: 4513 case DLT_IEEE802_11_RADIO_AVS: 4514 case DLT_IEEE802_11_RADIO: 4515 case DLT_PPI: 4516 b0 = gen_wlanhostop(eaddr, Q_OR); 4517 break; 4518 case DLT_SUNATM: 4519 if (is_lane) { 4520 /* 4521 * Check that the packet doesn't begin with an 4522 * LE Control marker. (We've already generated 4523 * a test for LANE.) 4524 */ 4525 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4526 BPF_H, 0xFF00); 4527 gen_not(b1); 4528 4529 /* 4530 * Now check the MAC address. 4531 */ 4532 b0 = gen_ehostop(eaddr, Q_OR); 4533 gen_and(b1, b0); 4534 } 4535 break; 4536 case DLT_IP_OVER_FC: 4537 b0 = gen_ipfchostop(eaddr, Q_OR); 4538 break; 4539 default: 4540 bpf_error( 4541 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel"); 4542 } 4543 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4544 while (*alist) { 4545 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4546 Q_HOST); 4547 gen_or(b1, tmp); 4548 b1 = tmp; 4549 } 4550 gen_not(b1); 4551 gen_and(b0, b1); 4552 return b1; 4553 } 4554 bpf_error("illegal modifier of 'gateway'"); 4555 /* NOTREACHED */ 4556 } 4557 #endif 4558 4559 struct block * 4560 gen_proto_abbrev(proto) 4561 int proto; 4562 { 4563 struct block *b0; 4564 struct block *b1; 4565 4566 switch (proto) { 4567 4568 case Q_SCTP: 4569 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4570 #ifdef INET6 4571 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4572 gen_or(b0, b1); 4573 #endif 4574 break; 4575 4576 case Q_TCP: 4577 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4578 #ifdef INET6 4579 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4580 gen_or(b0, b1); 4581 #endif 4582 break; 4583 4584 case Q_UDP: 4585 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4586 #ifdef INET6 4587 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4588 gen_or(b0, b1); 4589 #endif 4590 break; 4591 4592 case Q_ICMP: 4593 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4594 break; 4595 4596 #ifndef IPPROTO_IGMP 4597 #define IPPROTO_IGMP 2 4598 #endif 4599 4600 case Q_IGMP: 4601 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4602 break; 4603 4604 #ifndef IPPROTO_IGRP 4605 #define IPPROTO_IGRP 9 4606 #endif 4607 case Q_IGRP: 4608 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4609 break; 4610 4611 #ifndef IPPROTO_PIM 4612 #define IPPROTO_PIM 103 4613 #endif 4614 4615 case Q_PIM: 4616 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4617 #ifdef INET6 4618 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4619 gen_or(b0, b1); 4620 #endif 4621 break; 4622 4623 #ifndef IPPROTO_VRRP 4624 #define IPPROTO_VRRP 112 4625 #endif 4626 4627 case Q_VRRP: 4628 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4629 break; 4630 4631 case Q_IP: 4632 b1 = gen_linktype(ETHERTYPE_IP); 4633 break; 4634 4635 case Q_ARP: 4636 b1 = gen_linktype(ETHERTYPE_ARP); 4637 break; 4638 4639 case Q_RARP: 4640 b1 = gen_linktype(ETHERTYPE_REVARP); 4641 break; 4642 4643 case Q_LINK: 4644 bpf_error("link layer applied in wrong context"); 4645 4646 case Q_ATALK: 4647 b1 = gen_linktype(ETHERTYPE_ATALK); 4648 break; 4649 4650 case Q_AARP: 4651 b1 = gen_linktype(ETHERTYPE_AARP); 4652 break; 4653 4654 case Q_DECNET: 4655 b1 = gen_linktype(ETHERTYPE_DN); 4656 break; 4657 4658 case Q_SCA: 4659 b1 = gen_linktype(ETHERTYPE_SCA); 4660 break; 4661 4662 case Q_LAT: 4663 b1 = gen_linktype(ETHERTYPE_LAT); 4664 break; 4665 4666 case Q_MOPDL: 4667 b1 = gen_linktype(ETHERTYPE_MOPDL); 4668 break; 4669 4670 case Q_MOPRC: 4671 b1 = gen_linktype(ETHERTYPE_MOPRC); 4672 break; 4673 4674 #ifdef INET6 4675 case Q_IPV6: 4676 b1 = gen_linktype(ETHERTYPE_IPV6); 4677 break; 4678 4679 #ifndef IPPROTO_ICMPV6 4680 #define IPPROTO_ICMPV6 58 4681 #endif 4682 case Q_ICMPV6: 4683 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4684 break; 4685 #endif /* INET6 */ 4686 4687 #ifndef IPPROTO_AH 4688 #define IPPROTO_AH 51 4689 #endif 4690 case Q_AH: 4691 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4692 #ifdef INET6 4693 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4694 gen_or(b0, b1); 4695 #endif 4696 break; 4697 4698 #ifndef IPPROTO_ESP 4699 #define IPPROTO_ESP 50 4700 #endif 4701 case Q_ESP: 4702 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4703 #ifdef INET6 4704 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4705 gen_or(b0, b1); 4706 #endif 4707 break; 4708 4709 case Q_ISO: 4710 b1 = gen_linktype(LLCSAP_ISONS); 4711 break; 4712 4713 case Q_ESIS: 4714 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4715 break; 4716 4717 case Q_ISIS: 4718 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4719 break; 4720 4721 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4722 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4723 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4724 gen_or(b0, b1); 4725 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4726 gen_or(b0, b1); 4727 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4728 gen_or(b0, b1); 4729 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4730 gen_or(b0, b1); 4731 break; 4732 4733 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4734 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4735 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4736 gen_or(b0, b1); 4737 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4738 gen_or(b0, b1); 4739 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4740 gen_or(b0, b1); 4741 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4742 gen_or(b0, b1); 4743 break; 4744 4745 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4746 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4747 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4748 gen_or(b0, b1); 4749 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4750 gen_or(b0, b1); 4751 break; 4752 4753 case Q_ISIS_LSP: 4754 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4755 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4756 gen_or(b0, b1); 4757 break; 4758 4759 case Q_ISIS_SNP: 4760 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4761 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4762 gen_or(b0, b1); 4763 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4764 gen_or(b0, b1); 4765 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4766 gen_or(b0, b1); 4767 break; 4768 4769 case Q_ISIS_CSNP: 4770 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4771 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4772 gen_or(b0, b1); 4773 break; 4774 4775 case Q_ISIS_PSNP: 4776 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4777 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4778 gen_or(b0, b1); 4779 break; 4780 4781 case Q_CLNP: 4782 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4783 break; 4784 4785 case Q_STP: 4786 b1 = gen_linktype(LLCSAP_8021D); 4787 break; 4788 4789 case Q_IPX: 4790 b1 = gen_linktype(LLCSAP_IPX); 4791 break; 4792 4793 case Q_NETBEUI: 4794 b1 = gen_linktype(LLCSAP_NETBEUI); 4795 break; 4796 4797 case Q_RADIO: 4798 bpf_error("'radio' is not a valid protocol type"); 4799 4800 default: 4801 abort(); 4802 } 4803 return b1; 4804 } 4805 4806 static struct block * 4807 gen_ipfrag() 4808 { 4809 struct slist *s; 4810 struct block *b; 4811 4812 /* not ip frag */ 4813 s = gen_load_a(OR_NET, 6, BPF_H); 4814 b = new_block(JMP(BPF_JSET)); 4815 b->s.k = 0x1fff; 4816 b->stmts = s; 4817 gen_not(b); 4818 4819 return b; 4820 } 4821 4822 /* 4823 * Generate a comparison to a port value in the transport-layer header 4824 * at the specified offset from the beginning of that header. 4825 * 4826 * XXX - this handles a variable-length prefix preceding the link-layer 4827 * header, such as the radiotap or AVS radio prefix, but doesn't handle 4828 * variable-length link-layer headers (such as Token Ring or 802.11 4829 * headers). 4830 */ 4831 static struct block * 4832 gen_portatom(off, v) 4833 int off; 4834 bpf_int32 v; 4835 { 4836 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 4837 } 4838 4839 #ifdef INET6 4840 static struct block * 4841 gen_portatom6(off, v) 4842 int off; 4843 bpf_int32 v; 4844 { 4845 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 4846 } 4847 #endif/*INET6*/ 4848 4849 struct block * 4850 gen_portop(port, proto, dir) 4851 int port, proto, dir; 4852 { 4853 struct block *b0, *b1, *tmp; 4854 4855 /* ip proto 'proto' */ 4856 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 4857 b0 = gen_ipfrag(); 4858 gen_and(tmp, b0); 4859 4860 switch (dir) { 4861 case Q_SRC: 4862 b1 = gen_portatom(0, (bpf_int32)port); 4863 break; 4864 4865 case Q_DST: 4866 b1 = gen_portatom(2, (bpf_int32)port); 4867 break; 4868 4869 case Q_OR: 4870 case Q_DEFAULT: 4871 tmp = gen_portatom(0, (bpf_int32)port); 4872 b1 = gen_portatom(2, (bpf_int32)port); 4873 gen_or(tmp, b1); 4874 break; 4875 4876 case Q_AND: 4877 tmp = gen_portatom(0, (bpf_int32)port); 4878 b1 = gen_portatom(2, (bpf_int32)port); 4879 gen_and(tmp, b1); 4880 break; 4881 4882 default: 4883 abort(); 4884 } 4885 gen_and(b0, b1); 4886 4887 return b1; 4888 } 4889 4890 static struct block * 4891 gen_port(port, ip_proto, dir) 4892 int port; 4893 int ip_proto; 4894 int dir; 4895 { 4896 struct block *b0, *b1, *tmp; 4897 4898 /* 4899 * ether proto ip 4900 * 4901 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 4902 * not LLC encapsulation with LLCSAP_IP. 4903 * 4904 * For IEEE 802 networks - which includes 802.5 token ring 4905 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 4906 * says that SNAP encapsulation is used, not LLC encapsulation 4907 * with LLCSAP_IP. 4908 * 4909 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 4910 * RFC 2225 say that SNAP encapsulation is used, not LLC 4911 * encapsulation with LLCSAP_IP. 4912 * 4913 * So we always check for ETHERTYPE_IP. 4914 */ 4915 b0 = gen_linktype(ETHERTYPE_IP); 4916 4917 switch (ip_proto) { 4918 case IPPROTO_UDP: 4919 case IPPROTO_TCP: 4920 case IPPROTO_SCTP: 4921 b1 = gen_portop(port, ip_proto, dir); 4922 break; 4923 4924 case PROTO_UNDEF: 4925 tmp = gen_portop(port, IPPROTO_TCP, dir); 4926 b1 = gen_portop(port, IPPROTO_UDP, dir); 4927 gen_or(tmp, b1); 4928 tmp = gen_portop(port, IPPROTO_SCTP, dir); 4929 gen_or(tmp, b1); 4930 break; 4931 4932 default: 4933 abort(); 4934 } 4935 gen_and(b0, b1); 4936 return b1; 4937 } 4938 4939 #ifdef INET6 4940 struct block * 4941 gen_portop6(port, proto, dir) 4942 int port, proto, dir; 4943 { 4944 struct block *b0, *b1, *tmp; 4945 4946 /* ip6 proto 'proto' */ 4947 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 4948 4949 switch (dir) { 4950 case Q_SRC: 4951 b1 = gen_portatom6(0, (bpf_int32)port); 4952 break; 4953 4954 case Q_DST: 4955 b1 = gen_portatom6(2, (bpf_int32)port); 4956 break; 4957 4958 case Q_OR: 4959 case Q_DEFAULT: 4960 tmp = gen_portatom6(0, (bpf_int32)port); 4961 b1 = gen_portatom6(2, (bpf_int32)port); 4962 gen_or(tmp, b1); 4963 break; 4964 4965 case Q_AND: 4966 tmp = gen_portatom6(0, (bpf_int32)port); 4967 b1 = gen_portatom6(2, (bpf_int32)port); 4968 gen_and(tmp, b1); 4969 break; 4970 4971 default: 4972 abort(); 4973 } 4974 gen_and(b0, b1); 4975 4976 return b1; 4977 } 4978 4979 static struct block * 4980 gen_port6(port, ip_proto, dir) 4981 int port; 4982 int ip_proto; 4983 int dir; 4984 { 4985 struct block *b0, *b1, *tmp; 4986 4987 /* link proto ip6 */ 4988 b0 = gen_linktype(ETHERTYPE_IPV6); 4989 4990 switch (ip_proto) { 4991 case IPPROTO_UDP: 4992 case IPPROTO_TCP: 4993 case IPPROTO_SCTP: 4994 b1 = gen_portop6(port, ip_proto, dir); 4995 break; 4996 4997 case PROTO_UNDEF: 4998 tmp = gen_portop6(port, IPPROTO_TCP, dir); 4999 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5000 gen_or(tmp, b1); 5001 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5002 gen_or(tmp, b1); 5003 break; 5004 5005 default: 5006 abort(); 5007 } 5008 gen_and(b0, b1); 5009 return b1; 5010 } 5011 #endif /* INET6 */ 5012 5013 /* gen_portrange code */ 5014 static struct block * 5015 gen_portrangeatom(off, v1, v2) 5016 int off; 5017 bpf_int32 v1, v2; 5018 { 5019 struct block *b1, *b2; 5020 5021 if (v1 > v2) { 5022 /* 5023 * Reverse the order of the ports, so v1 is the lower one. 5024 */ 5025 bpf_int32 vtemp; 5026 5027 vtemp = v1; 5028 v1 = v2; 5029 v2 = vtemp; 5030 } 5031 5032 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5033 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5034 5035 gen_and(b1, b2); 5036 5037 return b2; 5038 } 5039 5040 struct block * 5041 gen_portrangeop(port1, port2, proto, dir) 5042 int port1, port2; 5043 int proto; 5044 int dir; 5045 { 5046 struct block *b0, *b1, *tmp; 5047 5048 /* ip proto 'proto' */ 5049 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5050 b0 = gen_ipfrag(); 5051 gen_and(tmp, b0); 5052 5053 switch (dir) { 5054 case Q_SRC: 5055 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5056 break; 5057 5058 case Q_DST: 5059 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5060 break; 5061 5062 case Q_OR: 5063 case Q_DEFAULT: 5064 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5065 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5066 gen_or(tmp, b1); 5067 break; 5068 5069 case Q_AND: 5070 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5071 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5072 gen_and(tmp, b1); 5073 break; 5074 5075 default: 5076 abort(); 5077 } 5078 gen_and(b0, b1); 5079 5080 return b1; 5081 } 5082 5083 static struct block * 5084 gen_portrange(port1, port2, ip_proto, dir) 5085 int port1, port2; 5086 int ip_proto; 5087 int dir; 5088 { 5089 struct block *b0, *b1, *tmp; 5090 5091 /* link proto ip */ 5092 b0 = gen_linktype(ETHERTYPE_IP); 5093 5094 switch (ip_proto) { 5095 case IPPROTO_UDP: 5096 case IPPROTO_TCP: 5097 case IPPROTO_SCTP: 5098 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5099 break; 5100 5101 case PROTO_UNDEF: 5102 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5103 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5104 gen_or(tmp, b1); 5105 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5106 gen_or(tmp, b1); 5107 break; 5108 5109 default: 5110 abort(); 5111 } 5112 gen_and(b0, b1); 5113 return b1; 5114 } 5115 5116 #ifdef INET6 5117 static struct block * 5118 gen_portrangeatom6(off, v1, v2) 5119 int off; 5120 bpf_int32 v1, v2; 5121 { 5122 struct block *b1, *b2; 5123 5124 if (v1 > v2) { 5125 /* 5126 * Reverse the order of the ports, so v1 is the lower one. 5127 */ 5128 bpf_int32 vtemp; 5129 5130 vtemp = v1; 5131 v1 = v2; 5132 v2 = vtemp; 5133 } 5134 5135 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5136 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5137 5138 gen_and(b1, b2); 5139 5140 return b2; 5141 } 5142 5143 struct block * 5144 gen_portrangeop6(port1, port2, proto, dir) 5145 int port1, port2; 5146 int proto; 5147 int dir; 5148 { 5149 struct block *b0, *b1, *tmp; 5150 5151 /* ip6 proto 'proto' */ 5152 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5153 5154 switch (dir) { 5155 case Q_SRC: 5156 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5157 break; 5158 5159 case Q_DST: 5160 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5161 break; 5162 5163 case Q_OR: 5164 case Q_DEFAULT: 5165 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5166 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5167 gen_or(tmp, b1); 5168 break; 5169 5170 case Q_AND: 5171 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5172 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5173 gen_and(tmp, b1); 5174 break; 5175 5176 default: 5177 abort(); 5178 } 5179 gen_and(b0, b1); 5180 5181 return b1; 5182 } 5183 5184 static struct block * 5185 gen_portrange6(port1, port2, ip_proto, dir) 5186 int port1, port2; 5187 int ip_proto; 5188 int dir; 5189 { 5190 struct block *b0, *b1, *tmp; 5191 5192 /* link proto ip6 */ 5193 b0 = gen_linktype(ETHERTYPE_IPV6); 5194 5195 switch (ip_proto) { 5196 case IPPROTO_UDP: 5197 case IPPROTO_TCP: 5198 case IPPROTO_SCTP: 5199 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5200 break; 5201 5202 case PROTO_UNDEF: 5203 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5204 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5205 gen_or(tmp, b1); 5206 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5207 gen_or(tmp, b1); 5208 break; 5209 5210 default: 5211 abort(); 5212 } 5213 gen_and(b0, b1); 5214 return b1; 5215 } 5216 #endif /* INET6 */ 5217 5218 static int 5219 lookup_proto(name, proto) 5220 register const char *name; 5221 register int proto; 5222 { 5223 register int v; 5224 5225 switch (proto) { 5226 5227 case Q_DEFAULT: 5228 case Q_IP: 5229 case Q_IPV6: 5230 v = pcap_nametoproto(name); 5231 if (v == PROTO_UNDEF) 5232 bpf_error("unknown ip proto '%s'", name); 5233 break; 5234 5235 case Q_LINK: 5236 /* XXX should look up h/w protocol type based on linktype */ 5237 v = pcap_nametoeproto(name); 5238 if (v == PROTO_UNDEF) { 5239 v = pcap_nametollc(name); 5240 if (v == PROTO_UNDEF) 5241 bpf_error("unknown ether proto '%s'", name); 5242 } 5243 break; 5244 5245 case Q_ISO: 5246 if (strcmp(name, "esis") == 0) 5247 v = ISO9542_ESIS; 5248 else if (strcmp(name, "isis") == 0) 5249 v = ISO10589_ISIS; 5250 else if (strcmp(name, "clnp") == 0) 5251 v = ISO8473_CLNP; 5252 else 5253 bpf_error("unknown osi proto '%s'", name); 5254 break; 5255 5256 default: 5257 v = PROTO_UNDEF; 5258 break; 5259 } 5260 return v; 5261 } 5262 5263 #if 0 5264 struct stmt * 5265 gen_joinsp(s, n) 5266 struct stmt **s; 5267 int n; 5268 { 5269 return NULL; 5270 } 5271 #endif 5272 5273 static struct block * 5274 gen_protochain(v, proto, dir) 5275 int v; 5276 int proto; 5277 int dir; 5278 { 5279 #ifdef NO_PROTOCHAIN 5280 return gen_proto(v, proto, dir); 5281 #else 5282 struct block *b0, *b; 5283 struct slist *s[100]; 5284 int fix2, fix3, fix4, fix5; 5285 int ahcheck, again, end; 5286 int i, max; 5287 int reg2 = alloc_reg(); 5288 5289 memset(s, 0, sizeof(s)); 5290 fix2 = fix3 = fix4 = fix5 = 0; 5291 5292 switch (proto) { 5293 case Q_IP: 5294 case Q_IPV6: 5295 break; 5296 case Q_DEFAULT: 5297 b0 = gen_protochain(v, Q_IP, dir); 5298 b = gen_protochain(v, Q_IPV6, dir); 5299 gen_or(b0, b); 5300 return b; 5301 default: 5302 bpf_error("bad protocol applied for 'protochain'"); 5303 /*NOTREACHED*/ 5304 } 5305 5306 /* 5307 * We don't handle variable-length prefixes before the link-layer 5308 * header, or variable-length link-layer headers, here yet. 5309 * We might want to add BPF instructions to do the protochain 5310 * work, to simplify that and, on platforms that have a BPF 5311 * interpreter with the new instructions, let the filtering 5312 * be done in the kernel. (We already require a modified BPF 5313 * engine to do the protochain stuff, to support backward 5314 * branches, and backward branch support is unlikely to appear 5315 * in kernel BPF engines.) 5316 */ 5317 switch (linktype) { 5318 5319 case DLT_IEEE802_11: 5320 case DLT_PRISM_HEADER: 5321 case DLT_IEEE802_11_RADIO_AVS: 5322 case DLT_IEEE802_11_RADIO: 5323 case DLT_PPI: 5324 bpf_error("'protochain' not supported with 802.11"); 5325 } 5326 5327 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5328 5329 /* 5330 * s[0] is a dummy entry to protect other BPF insn from damage 5331 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5332 * hard to find interdependency made by jump table fixup. 5333 */ 5334 i = 0; 5335 s[i] = new_stmt(0); /*dummy*/ 5336 i++; 5337 5338 switch (proto) { 5339 case Q_IP: 5340 b0 = gen_linktype(ETHERTYPE_IP); 5341 5342 /* A = ip->ip_p */ 5343 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5344 s[i]->s.k = off_macpl + off_nl + 9; 5345 i++; 5346 /* X = ip->ip_hl << 2 */ 5347 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5348 s[i]->s.k = off_macpl + off_nl; 5349 i++; 5350 break; 5351 #ifdef INET6 5352 case Q_IPV6: 5353 b0 = gen_linktype(ETHERTYPE_IPV6); 5354 5355 /* A = ip6->ip_nxt */ 5356 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5357 s[i]->s.k = off_macpl + off_nl + 6; 5358 i++; 5359 /* X = sizeof(struct ip6_hdr) */ 5360 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5361 s[i]->s.k = 40; 5362 i++; 5363 break; 5364 #endif 5365 default: 5366 bpf_error("unsupported proto to gen_protochain"); 5367 /*NOTREACHED*/ 5368 } 5369 5370 /* again: if (A == v) goto end; else fall through; */ 5371 again = i; 5372 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5373 s[i]->s.k = v; 5374 s[i]->s.jt = NULL; /*later*/ 5375 s[i]->s.jf = NULL; /*update in next stmt*/ 5376 fix5 = i; 5377 i++; 5378 5379 #ifndef IPPROTO_NONE 5380 #define IPPROTO_NONE 59 5381 #endif 5382 /* if (A == IPPROTO_NONE) goto end */ 5383 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5384 s[i]->s.jt = NULL; /*later*/ 5385 s[i]->s.jf = NULL; /*update in next stmt*/ 5386 s[i]->s.k = IPPROTO_NONE; 5387 s[fix5]->s.jf = s[i]; 5388 fix2 = i; 5389 i++; 5390 5391 #ifdef INET6 5392 if (proto == Q_IPV6) { 5393 int v6start, v6end, v6advance, j; 5394 5395 v6start = i; 5396 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5397 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5398 s[i]->s.jt = NULL; /*later*/ 5399 s[i]->s.jf = NULL; /*update in next stmt*/ 5400 s[i]->s.k = IPPROTO_HOPOPTS; 5401 s[fix2]->s.jf = s[i]; 5402 i++; 5403 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5404 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5405 s[i]->s.jt = NULL; /*later*/ 5406 s[i]->s.jf = NULL; /*update in next stmt*/ 5407 s[i]->s.k = IPPROTO_DSTOPTS; 5408 i++; 5409 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5410 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5411 s[i]->s.jt = NULL; /*later*/ 5412 s[i]->s.jf = NULL; /*update in next stmt*/ 5413 s[i]->s.k = IPPROTO_ROUTING; 5414 i++; 5415 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5416 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5417 s[i]->s.jt = NULL; /*later*/ 5418 s[i]->s.jf = NULL; /*later*/ 5419 s[i]->s.k = IPPROTO_FRAGMENT; 5420 fix3 = i; 5421 v6end = i; 5422 i++; 5423 5424 /* v6advance: */ 5425 v6advance = i; 5426 5427 /* 5428 * in short, 5429 * A = P[X]; 5430 * X = X + (P[X + 1] + 1) * 8; 5431 */ 5432 /* A = X */ 5433 s[i] = new_stmt(BPF_MISC|BPF_TXA); 5434 i++; 5435 /* A = P[X + packet head] */ 5436 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5437 s[i]->s.k = off_macpl + off_nl; 5438 i++; 5439 /* MEM[reg2] = A */ 5440 s[i] = new_stmt(BPF_ST); 5441 s[i]->s.k = reg2; 5442 i++; 5443 /* A = X */ 5444 s[i] = new_stmt(BPF_MISC|BPF_TXA); 5445 i++; 5446 /* A += 1 */ 5447 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5448 s[i]->s.k = 1; 5449 i++; 5450 /* X = A */ 5451 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5452 i++; 5453 /* A = P[X + packet head]; */ 5454 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5455 s[i]->s.k = off_macpl + off_nl; 5456 i++; 5457 /* A += 1 */ 5458 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5459 s[i]->s.k = 1; 5460 i++; 5461 /* A *= 8 */ 5462 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5463 s[i]->s.k = 8; 5464 i++; 5465 /* X = A; */ 5466 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5467 i++; 5468 /* A = MEM[reg2] */ 5469 s[i] = new_stmt(BPF_LD|BPF_MEM); 5470 s[i]->s.k = reg2; 5471 i++; 5472 5473 /* goto again; (must use BPF_JA for backward jump) */ 5474 s[i] = new_stmt(BPF_JMP|BPF_JA); 5475 s[i]->s.k = again - i - 1; 5476 s[i - 1]->s.jf = s[i]; 5477 i++; 5478 5479 /* fixup */ 5480 for (j = v6start; j <= v6end; j++) 5481 s[j]->s.jt = s[v6advance]; 5482 } else 5483 #endif 5484 { 5485 /* nop */ 5486 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5487 s[i]->s.k = 0; 5488 s[fix2]->s.jf = s[i]; 5489 i++; 5490 } 5491 5492 /* ahcheck: */ 5493 ahcheck = i; 5494 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5495 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5496 s[i]->s.jt = NULL; /*later*/ 5497 s[i]->s.jf = NULL; /*later*/ 5498 s[i]->s.k = IPPROTO_AH; 5499 if (fix3) 5500 s[fix3]->s.jf = s[ahcheck]; 5501 fix4 = i; 5502 i++; 5503 5504 /* 5505 * in short, 5506 * A = P[X]; 5507 * X = X + (P[X + 1] + 2) * 4; 5508 */ 5509 /* A = X */ 5510 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5511 i++; 5512 /* A = P[X + packet head]; */ 5513 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5514 s[i]->s.k = off_macpl + off_nl; 5515 i++; 5516 /* MEM[reg2] = A */ 5517 s[i] = new_stmt(BPF_ST); 5518 s[i]->s.k = reg2; 5519 i++; 5520 /* A = X */ 5521 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5522 i++; 5523 /* A += 1 */ 5524 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5525 s[i]->s.k = 1; 5526 i++; 5527 /* X = A */ 5528 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5529 i++; 5530 /* A = P[X + packet head] */ 5531 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5532 s[i]->s.k = off_macpl + off_nl; 5533 i++; 5534 /* A += 2 */ 5535 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5536 s[i]->s.k = 2; 5537 i++; 5538 /* A *= 4 */ 5539 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5540 s[i]->s.k = 4; 5541 i++; 5542 /* X = A; */ 5543 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5544 i++; 5545 /* A = MEM[reg2] */ 5546 s[i] = new_stmt(BPF_LD|BPF_MEM); 5547 s[i]->s.k = reg2; 5548 i++; 5549 5550 /* goto again; (must use BPF_JA for backward jump) */ 5551 s[i] = new_stmt(BPF_JMP|BPF_JA); 5552 s[i]->s.k = again - i - 1; 5553 i++; 5554 5555 /* end: nop */ 5556 end = i; 5557 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5558 s[i]->s.k = 0; 5559 s[fix2]->s.jt = s[end]; 5560 s[fix4]->s.jf = s[end]; 5561 s[fix5]->s.jt = s[end]; 5562 i++; 5563 5564 /* 5565 * make slist chain 5566 */ 5567 max = i; 5568 for (i = 0; i < max - 1; i++) 5569 s[i]->next = s[i + 1]; 5570 s[max - 1]->next = NULL; 5571 5572 /* 5573 * emit final check 5574 */ 5575 b = new_block(JMP(BPF_JEQ)); 5576 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5577 b->s.k = v; 5578 5579 free_reg(reg2); 5580 5581 gen_and(b0, b); 5582 return b; 5583 #endif 5584 } 5585 5586 static struct block * 5587 gen_check_802_11_data_frame() 5588 { 5589 struct slist *s; 5590 struct block *b0, *b1; 5591 5592 /* 5593 * A data frame has the 0x08 bit (b3) in the frame control field set 5594 * and the 0x04 bit (b2) clear. 5595 */ 5596 s = gen_load_a(OR_LINK, 0, BPF_B); 5597 b0 = new_block(JMP(BPF_JSET)); 5598 b0->s.k = 0x08; 5599 b0->stmts = s; 5600 5601 s = gen_load_a(OR_LINK, 0, BPF_B); 5602 b1 = new_block(JMP(BPF_JSET)); 5603 b1->s.k = 0x04; 5604 b1->stmts = s; 5605 gen_not(b1); 5606 5607 gen_and(b1, b0); 5608 5609 return b0; 5610 } 5611 5612 /* 5613 * Generate code that checks whether the packet is a packet for protocol 5614 * <proto> and whether the type field in that protocol's header has 5615 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5616 * IP packet and checks the protocol number in the IP header against <v>. 5617 * 5618 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5619 * against Q_IP and Q_IPV6. 5620 */ 5621 static struct block * 5622 gen_proto(v, proto, dir) 5623 int v; 5624 int proto; 5625 int dir; 5626 { 5627 struct block *b0, *b1; 5628 5629 if (dir != Q_DEFAULT) 5630 bpf_error("direction applied to 'proto'"); 5631 5632 switch (proto) { 5633 case Q_DEFAULT: 5634 #ifdef INET6 5635 b0 = gen_proto(v, Q_IP, dir); 5636 b1 = gen_proto(v, Q_IPV6, dir); 5637 gen_or(b0, b1); 5638 return b1; 5639 #else 5640 /*FALLTHROUGH*/ 5641 #endif 5642 case Q_IP: 5643 /* 5644 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5645 * not LLC encapsulation with LLCSAP_IP. 5646 * 5647 * For IEEE 802 networks - which includes 802.5 token ring 5648 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5649 * says that SNAP encapsulation is used, not LLC encapsulation 5650 * with LLCSAP_IP. 5651 * 5652 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5653 * RFC 2225 say that SNAP encapsulation is used, not LLC 5654 * encapsulation with LLCSAP_IP. 5655 * 5656 * So we always check for ETHERTYPE_IP. 5657 */ 5658 b0 = gen_linktype(ETHERTYPE_IP); 5659 #ifndef CHASE_CHAIN 5660 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5661 #else 5662 b1 = gen_protochain(v, Q_IP); 5663 #endif 5664 gen_and(b0, b1); 5665 return b1; 5666 5667 case Q_ISO: 5668 switch (linktype) { 5669 5670 case DLT_FRELAY: 5671 /* 5672 * Frame Relay packets typically have an OSI 5673 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5674 * generates code to check for all the OSI 5675 * NLPIDs, so calling it and then adding a check 5676 * for the particular NLPID for which we're 5677 * looking is bogus, as we can just check for 5678 * the NLPID. 5679 * 5680 * What we check for is the NLPID and a frame 5681 * control field value of UI, i.e. 0x03 followed 5682 * by the NLPID. 5683 * 5684 * XXX - assumes a 2-byte Frame Relay header with 5685 * DLCI and flags. What if the address is longer? 5686 * 5687 * XXX - what about SNAP-encapsulated frames? 5688 */ 5689 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5690 /*NOTREACHED*/ 5691 break; 5692 5693 case DLT_C_HDLC: 5694 /* 5695 * Cisco uses an Ethertype lookalike - for OSI, 5696 * it's 0xfefe. 5697 */ 5698 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5699 /* OSI in C-HDLC is stuffed with a fudge byte */ 5700 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5701 gen_and(b0, b1); 5702 return b1; 5703 5704 default: 5705 b0 = gen_linktype(LLCSAP_ISONS); 5706 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5707 gen_and(b0, b1); 5708 return b1; 5709 } 5710 5711 case Q_ISIS: 5712 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5713 /* 5714 * 4 is the offset of the PDU type relative to the IS-IS 5715 * header. 5716 */ 5717 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5718 gen_and(b0, b1); 5719 return b1; 5720 5721 case Q_ARP: 5722 bpf_error("arp does not encapsulate another protocol"); 5723 /* NOTREACHED */ 5724 5725 case Q_RARP: 5726 bpf_error("rarp does not encapsulate another protocol"); 5727 /* NOTREACHED */ 5728 5729 case Q_ATALK: 5730 bpf_error("atalk encapsulation is not specifiable"); 5731 /* NOTREACHED */ 5732 5733 case Q_DECNET: 5734 bpf_error("decnet encapsulation is not specifiable"); 5735 /* NOTREACHED */ 5736 5737 case Q_SCA: 5738 bpf_error("sca does not encapsulate another protocol"); 5739 /* NOTREACHED */ 5740 5741 case Q_LAT: 5742 bpf_error("lat does not encapsulate another protocol"); 5743 /* NOTREACHED */ 5744 5745 case Q_MOPRC: 5746 bpf_error("moprc does not encapsulate another protocol"); 5747 /* NOTREACHED */ 5748 5749 case Q_MOPDL: 5750 bpf_error("mopdl does not encapsulate another protocol"); 5751 /* NOTREACHED */ 5752 5753 case Q_LINK: 5754 return gen_linktype(v); 5755 5756 case Q_UDP: 5757 bpf_error("'udp proto' is bogus"); 5758 /* NOTREACHED */ 5759 5760 case Q_TCP: 5761 bpf_error("'tcp proto' is bogus"); 5762 /* NOTREACHED */ 5763 5764 case Q_SCTP: 5765 bpf_error("'sctp proto' is bogus"); 5766 /* NOTREACHED */ 5767 5768 case Q_ICMP: 5769 bpf_error("'icmp proto' is bogus"); 5770 /* NOTREACHED */ 5771 5772 case Q_IGMP: 5773 bpf_error("'igmp proto' is bogus"); 5774 /* NOTREACHED */ 5775 5776 case Q_IGRP: 5777 bpf_error("'igrp proto' is bogus"); 5778 /* NOTREACHED */ 5779 5780 case Q_PIM: 5781 bpf_error("'pim proto' is bogus"); 5782 /* NOTREACHED */ 5783 5784 case Q_VRRP: 5785 bpf_error("'vrrp proto' is bogus"); 5786 /* NOTREACHED */ 5787 5788 #ifdef INET6 5789 case Q_IPV6: 5790 b0 = gen_linktype(ETHERTYPE_IPV6); 5791 #ifndef CHASE_CHAIN 5792 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 5793 #else 5794 b1 = gen_protochain(v, Q_IPV6); 5795 #endif 5796 gen_and(b0, b1); 5797 return b1; 5798 5799 case Q_ICMPV6: 5800 bpf_error("'icmp6 proto' is bogus"); 5801 #endif /* INET6 */ 5802 5803 case Q_AH: 5804 bpf_error("'ah proto' is bogus"); 5805 5806 case Q_ESP: 5807 bpf_error("'ah proto' is bogus"); 5808 5809 case Q_STP: 5810 bpf_error("'stp proto' is bogus"); 5811 5812 case Q_IPX: 5813 bpf_error("'ipx proto' is bogus"); 5814 5815 case Q_NETBEUI: 5816 bpf_error("'netbeui proto' is bogus"); 5817 5818 case Q_RADIO: 5819 bpf_error("'radio proto' is bogus"); 5820 5821 default: 5822 abort(); 5823 /* NOTREACHED */ 5824 } 5825 /* NOTREACHED */ 5826 } 5827 5828 struct block * 5829 gen_scode(name, q) 5830 register const char *name; 5831 struct qual q; 5832 { 5833 int proto = q.proto; 5834 int dir = q.dir; 5835 int tproto; 5836 u_char *eaddr; 5837 bpf_u_int32 mask, addr; 5838 #ifndef INET6 5839 bpf_u_int32 **alist; 5840 #else 5841 int tproto6; 5842 struct sockaddr_in *sin4; 5843 struct sockaddr_in6 *sin6; 5844 struct addrinfo *res, *res0; 5845 struct in6_addr mask128; 5846 #endif /*INET6*/ 5847 struct block *b, *tmp; 5848 int port, real_proto; 5849 int port1, port2; 5850 5851 switch (q.addr) { 5852 5853 case Q_NET: 5854 addr = pcap_nametonetaddr(name); 5855 if (addr == 0) 5856 bpf_error("unknown network '%s'", name); 5857 /* Left justify network addr and calculate its network mask */ 5858 mask = 0xffffffff; 5859 while (addr && (addr & 0xff000000) == 0) { 5860 addr <<= 8; 5861 mask <<= 8; 5862 } 5863 return gen_host(addr, mask, proto, dir, q.addr); 5864 5865 case Q_DEFAULT: 5866 case Q_HOST: 5867 if (proto == Q_LINK) { 5868 switch (linktype) { 5869 5870 case DLT_EN10MB: 5871 eaddr = pcap_ether_hostton(name); 5872 if (eaddr == NULL) 5873 bpf_error( 5874 "unknown ether host '%s'", name); 5875 b = gen_ehostop(eaddr, dir); 5876 free(eaddr); 5877 return b; 5878 5879 case DLT_FDDI: 5880 eaddr = pcap_ether_hostton(name); 5881 if (eaddr == NULL) 5882 bpf_error( 5883 "unknown FDDI host '%s'", name); 5884 b = gen_fhostop(eaddr, dir); 5885 free(eaddr); 5886 return b; 5887 5888 case DLT_IEEE802: 5889 eaddr = pcap_ether_hostton(name); 5890 if (eaddr == NULL) 5891 bpf_error( 5892 "unknown token ring host '%s'", name); 5893 b = gen_thostop(eaddr, dir); 5894 free(eaddr); 5895 return b; 5896 5897 case DLT_IEEE802_11: 5898 case DLT_PRISM_HEADER: 5899 case DLT_IEEE802_11_RADIO_AVS: 5900 case DLT_IEEE802_11_RADIO: 5901 case DLT_PPI: 5902 eaddr = pcap_ether_hostton(name); 5903 if (eaddr == NULL) 5904 bpf_error( 5905 "unknown 802.11 host '%s'", name); 5906 b = gen_wlanhostop(eaddr, dir); 5907 free(eaddr); 5908 return b; 5909 5910 case DLT_IP_OVER_FC: 5911 eaddr = pcap_ether_hostton(name); 5912 if (eaddr == NULL) 5913 bpf_error( 5914 "unknown Fibre Channel host '%s'", name); 5915 b = gen_ipfchostop(eaddr, dir); 5916 free(eaddr); 5917 return b; 5918 5919 case DLT_SUNATM: 5920 if (!is_lane) 5921 break; 5922 5923 /* 5924 * Check that the packet doesn't begin 5925 * with an LE Control marker. (We've 5926 * already generated a test for LANE.) 5927 */ 5928 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 5929 BPF_H, 0xFF00); 5930 gen_not(tmp); 5931 5932 eaddr = pcap_ether_hostton(name); 5933 if (eaddr == NULL) 5934 bpf_error( 5935 "unknown ether host '%s'", name); 5936 b = gen_ehostop(eaddr, dir); 5937 gen_and(tmp, b); 5938 free(eaddr); 5939 return b; 5940 } 5941 5942 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 5943 } else if (proto == Q_DECNET) { 5944 unsigned short dn_addr = __pcap_nametodnaddr(name); 5945 /* 5946 * I don't think DECNET hosts can be multihomed, so 5947 * there is no need to build up a list of addresses 5948 */ 5949 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 5950 } else { 5951 #ifndef INET6 5952 alist = pcap_nametoaddr(name); 5953 if (alist == NULL || *alist == NULL) 5954 bpf_error("unknown host '%s'", name); 5955 tproto = proto; 5956 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 5957 tproto = Q_IP; 5958 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 5959 while (*alist) { 5960 tmp = gen_host(**alist++, 0xffffffff, 5961 tproto, dir, q.addr); 5962 gen_or(b, tmp); 5963 b = tmp; 5964 } 5965 return b; 5966 #else 5967 memset(&mask128, 0xff, sizeof(mask128)); 5968 res0 = res = pcap_nametoaddrinfo(name); 5969 if (res == NULL) 5970 bpf_error("unknown host '%s'", name); 5971 b = tmp = NULL; 5972 tproto = tproto6 = proto; 5973 if (off_linktype == -1 && tproto == Q_DEFAULT) { 5974 tproto = Q_IP; 5975 tproto6 = Q_IPV6; 5976 } 5977 for (res = res0; res; res = res->ai_next) { 5978 switch (res->ai_family) { 5979 case AF_INET: 5980 if (tproto == Q_IPV6) 5981 continue; 5982 5983 sin4 = (struct sockaddr_in *) 5984 res->ai_addr; 5985 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 5986 0xffffffff, tproto, dir, q.addr); 5987 break; 5988 case AF_INET6: 5989 if (tproto6 == Q_IP) 5990 continue; 5991 5992 sin6 = (struct sockaddr_in6 *) 5993 res->ai_addr; 5994 tmp = gen_host6(&sin6->sin6_addr, 5995 &mask128, tproto6, dir, q.addr); 5996 break; 5997 default: 5998 continue; 5999 } 6000 if (b) 6001 gen_or(b, tmp); 6002 b = tmp; 6003 } 6004 freeaddrinfo(res0); 6005 if (b == NULL) { 6006 bpf_error("unknown host '%s'%s", name, 6007 (proto == Q_DEFAULT) 6008 ? "" 6009 : " for specified address family"); 6010 } 6011 return b; 6012 #endif /*INET6*/ 6013 } 6014 6015 case Q_PORT: 6016 if (proto != Q_DEFAULT && 6017 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6018 bpf_error("illegal qualifier of 'port'"); 6019 if (pcap_nametoport(name, &port, &real_proto) == 0) 6020 bpf_error("unknown port '%s'", name); 6021 if (proto == Q_UDP) { 6022 if (real_proto == IPPROTO_TCP) 6023 bpf_error("port '%s' is tcp", name); 6024 else if (real_proto == IPPROTO_SCTP) 6025 bpf_error("port '%s' is sctp", name); 6026 else 6027 /* override PROTO_UNDEF */ 6028 real_proto = IPPROTO_UDP; 6029 } 6030 if (proto == Q_TCP) { 6031 if (real_proto == IPPROTO_UDP) 6032 bpf_error("port '%s' is udp", name); 6033 6034 else if (real_proto == IPPROTO_SCTP) 6035 bpf_error("port '%s' is sctp", name); 6036 else 6037 /* override PROTO_UNDEF */ 6038 real_proto = IPPROTO_TCP; 6039 } 6040 if (proto == Q_SCTP) { 6041 if (real_proto == IPPROTO_UDP) 6042 bpf_error("port '%s' is udp", name); 6043 6044 else if (real_proto == IPPROTO_TCP) 6045 bpf_error("port '%s' is tcp", name); 6046 else 6047 /* override PROTO_UNDEF */ 6048 real_proto = IPPROTO_SCTP; 6049 } 6050 #ifndef INET6 6051 return gen_port(port, real_proto, dir); 6052 #else 6053 b = gen_port(port, real_proto, dir); 6054 gen_or(gen_port6(port, real_proto, dir), b); 6055 return b; 6056 #endif /* INET6 */ 6057 6058 case Q_PORTRANGE: 6059 if (proto != Q_DEFAULT && 6060 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6061 bpf_error("illegal qualifier of 'portrange'"); 6062 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6063 bpf_error("unknown port in range '%s'", name); 6064 if (proto == Q_UDP) { 6065 if (real_proto == IPPROTO_TCP) 6066 bpf_error("port in range '%s' is tcp", name); 6067 else if (real_proto == IPPROTO_SCTP) 6068 bpf_error("port in range '%s' is sctp", name); 6069 else 6070 /* override PROTO_UNDEF */ 6071 real_proto = IPPROTO_UDP; 6072 } 6073 if (proto == Q_TCP) { 6074 if (real_proto == IPPROTO_UDP) 6075 bpf_error("port in range '%s' is udp", name); 6076 else if (real_proto == IPPROTO_SCTP) 6077 bpf_error("port in range '%s' is sctp", name); 6078 else 6079 /* override PROTO_UNDEF */ 6080 real_proto = IPPROTO_TCP; 6081 } 6082 if (proto == Q_SCTP) { 6083 if (real_proto == IPPROTO_UDP) 6084 bpf_error("port in range '%s' is udp", name); 6085 else if (real_proto == IPPROTO_TCP) 6086 bpf_error("port in range '%s' is tcp", name); 6087 else 6088 /* override PROTO_UNDEF */ 6089 real_proto = IPPROTO_SCTP; 6090 } 6091 #ifndef INET6 6092 return gen_portrange(port1, port2, real_proto, dir); 6093 #else 6094 b = gen_portrange(port1, port2, real_proto, dir); 6095 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6096 return b; 6097 #endif /* INET6 */ 6098 6099 case Q_GATEWAY: 6100 #ifndef INET6 6101 eaddr = pcap_ether_hostton(name); 6102 if (eaddr == NULL) 6103 bpf_error("unknown ether host: %s", name); 6104 6105 alist = pcap_nametoaddr(name); 6106 if (alist == NULL || *alist == NULL) 6107 bpf_error("unknown host '%s'", name); 6108 b = gen_gateway(eaddr, alist, proto, dir); 6109 free(eaddr); 6110 return b; 6111 #else 6112 bpf_error("'gateway' not supported in this configuration"); 6113 #endif /*INET6*/ 6114 6115 case Q_PROTO: 6116 real_proto = lookup_proto(name, proto); 6117 if (real_proto >= 0) 6118 return gen_proto(real_proto, proto, dir); 6119 else 6120 bpf_error("unknown protocol: %s", name); 6121 6122 case Q_PROTOCHAIN: 6123 real_proto = lookup_proto(name, proto); 6124 if (real_proto >= 0) 6125 return gen_protochain(real_proto, proto, dir); 6126 else 6127 bpf_error("unknown protocol: %s", name); 6128 6129 case Q_UNDEF: 6130 syntax(); 6131 /* NOTREACHED */ 6132 } 6133 abort(); 6134 /* NOTREACHED */ 6135 } 6136 6137 struct block * 6138 gen_mcode(s1, s2, masklen, q) 6139 register const char *s1, *s2; 6140 register int masklen; 6141 struct qual q; 6142 { 6143 register int nlen, mlen; 6144 bpf_u_int32 n, m; 6145 6146 nlen = __pcap_atoin(s1, &n); 6147 /* Promote short ipaddr */ 6148 n <<= 32 - nlen; 6149 6150 if (s2 != NULL) { 6151 mlen = __pcap_atoin(s2, &m); 6152 /* Promote short ipaddr */ 6153 m <<= 32 - mlen; 6154 if ((n & ~m) != 0) 6155 bpf_error("non-network bits set in \"%s mask %s\"", 6156 s1, s2); 6157 } else { 6158 /* Convert mask len to mask */ 6159 if (masklen > 32) 6160 bpf_error("mask length must be <= 32"); 6161 if (masklen == 0) { 6162 /* 6163 * X << 32 is not guaranteed by C to be 0; it's 6164 * undefined. 6165 */ 6166 m = 0; 6167 } else 6168 m = 0xffffffff << (32 - masklen); 6169 if ((n & ~m) != 0) 6170 bpf_error("non-network bits set in \"%s/%d\"", 6171 s1, masklen); 6172 } 6173 6174 switch (q.addr) { 6175 6176 case Q_NET: 6177 return gen_host(n, m, q.proto, q.dir, q.addr); 6178 6179 default: 6180 bpf_error("Mask syntax for networks only"); 6181 /* NOTREACHED */ 6182 } 6183 /* NOTREACHED */ 6184 return NULL; 6185 } 6186 6187 struct block * 6188 gen_ncode(s, v, q) 6189 register const char *s; 6190 bpf_u_int32 v; 6191 struct qual q; 6192 { 6193 bpf_u_int32 mask; 6194 int proto = q.proto; 6195 int dir = q.dir; 6196 register int vlen; 6197 6198 if (s == NULL) 6199 vlen = 32; 6200 else if (q.proto == Q_DECNET) 6201 vlen = __pcap_atodn(s, &v); 6202 else 6203 vlen = __pcap_atoin(s, &v); 6204 6205 switch (q.addr) { 6206 6207 case Q_DEFAULT: 6208 case Q_HOST: 6209 case Q_NET: 6210 if (proto == Q_DECNET) 6211 return gen_host(v, 0, proto, dir, q.addr); 6212 else if (proto == Q_LINK) { 6213 bpf_error("illegal link layer address"); 6214 } else { 6215 mask = 0xffffffff; 6216 if (s == NULL && q.addr == Q_NET) { 6217 /* Promote short net number */ 6218 while (v && (v & 0xff000000) == 0) { 6219 v <<= 8; 6220 mask <<= 8; 6221 } 6222 } else { 6223 /* Promote short ipaddr */ 6224 v <<= 32 - vlen; 6225 mask <<= 32 - vlen; 6226 } 6227 return gen_host(v, mask, proto, dir, q.addr); 6228 } 6229 6230 case Q_PORT: 6231 if (proto == Q_UDP) 6232 proto = IPPROTO_UDP; 6233 else if (proto == Q_TCP) 6234 proto = IPPROTO_TCP; 6235 else if (proto == Q_SCTP) 6236 proto = IPPROTO_SCTP; 6237 else if (proto == Q_DEFAULT) 6238 proto = PROTO_UNDEF; 6239 else 6240 bpf_error("illegal qualifier of 'port'"); 6241 6242 #ifndef INET6 6243 return gen_port((int)v, proto, dir); 6244 #else 6245 { 6246 struct block *b; 6247 b = gen_port((int)v, proto, dir); 6248 gen_or(gen_port6((int)v, proto, dir), b); 6249 return b; 6250 } 6251 #endif /* INET6 */ 6252 6253 case Q_PORTRANGE: 6254 if (proto == Q_UDP) 6255 proto = IPPROTO_UDP; 6256 else if (proto == Q_TCP) 6257 proto = IPPROTO_TCP; 6258 else if (proto == Q_SCTP) 6259 proto = IPPROTO_SCTP; 6260 else if (proto == Q_DEFAULT) 6261 proto = PROTO_UNDEF; 6262 else 6263 bpf_error("illegal qualifier of 'portrange'"); 6264 6265 #ifndef INET6 6266 return gen_portrange((int)v, (int)v, proto, dir); 6267 #else 6268 { 6269 struct block *b; 6270 b = gen_portrange((int)v, (int)v, proto, dir); 6271 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6272 return b; 6273 } 6274 #endif /* INET6 */ 6275 6276 case Q_GATEWAY: 6277 bpf_error("'gateway' requires a name"); 6278 /* NOTREACHED */ 6279 6280 case Q_PROTO: 6281 return gen_proto((int)v, proto, dir); 6282 6283 case Q_PROTOCHAIN: 6284 return gen_protochain((int)v, proto, dir); 6285 6286 case Q_UNDEF: 6287 syntax(); 6288 /* NOTREACHED */ 6289 6290 default: 6291 abort(); 6292 /* NOTREACHED */ 6293 } 6294 /* NOTREACHED */ 6295 } 6296 6297 #ifdef INET6 6298 struct block * 6299 gen_mcode6(s1, s2, masklen, q) 6300 register const char *s1, *s2; 6301 register int masklen; 6302 struct qual q; 6303 { 6304 struct addrinfo *res; 6305 struct in6_addr *addr; 6306 struct in6_addr mask; 6307 struct block *b; 6308 u_int32_t *a, *m; 6309 6310 if (s2) 6311 bpf_error("no mask %s supported", s2); 6312 6313 res = pcap_nametoaddrinfo(s1); 6314 if (!res) 6315 bpf_error("invalid ip6 address %s", s1); 6316 if (res->ai_next) 6317 bpf_error("%s resolved to multiple address", s1); 6318 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6319 6320 if (sizeof(mask) * 8 < masklen) 6321 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6322 memset(&mask, 0, sizeof(mask)); 6323 memset(&mask, 0xff, masklen / 8); 6324 if (masklen % 8) { 6325 mask.s6_addr[masklen / 8] = 6326 (0xff << (8 - masklen % 8)) & 0xff; 6327 } 6328 6329 a = (u_int32_t *)addr; 6330 m = (u_int32_t *)&mask; 6331 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6332 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6333 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6334 } 6335 6336 switch (q.addr) { 6337 6338 case Q_DEFAULT: 6339 case Q_HOST: 6340 if (masklen != 128) 6341 bpf_error("Mask syntax for networks only"); 6342 /* FALLTHROUGH */ 6343 6344 case Q_NET: 6345 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6346 freeaddrinfo(res); 6347 return b; 6348 6349 default: 6350 bpf_error("invalid qualifier against IPv6 address"); 6351 /* NOTREACHED */ 6352 } 6353 return NULL; 6354 } 6355 #endif /*INET6*/ 6356 6357 struct block * 6358 gen_ecode(eaddr, q) 6359 register const u_char *eaddr; 6360 struct qual q; 6361 { 6362 struct block *b, *tmp; 6363 6364 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6365 switch (linktype) { 6366 case DLT_EN10MB: 6367 return gen_ehostop(eaddr, (int)q.dir); 6368 case DLT_FDDI: 6369 return gen_fhostop(eaddr, (int)q.dir); 6370 case DLT_IEEE802: 6371 return gen_thostop(eaddr, (int)q.dir); 6372 case DLT_IEEE802_11: 6373 case DLT_PRISM_HEADER: 6374 case DLT_IEEE802_11_RADIO_AVS: 6375 case DLT_IEEE802_11_RADIO: 6376 case DLT_PPI: 6377 return gen_wlanhostop(eaddr, (int)q.dir); 6378 case DLT_SUNATM: 6379 if (is_lane) { 6380 /* 6381 * Check that the packet doesn't begin with an 6382 * LE Control marker. (We've already generated 6383 * a test for LANE.) 6384 */ 6385 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6386 0xFF00); 6387 gen_not(tmp); 6388 6389 /* 6390 * Now check the MAC address. 6391 */ 6392 b = gen_ehostop(eaddr, (int)q.dir); 6393 gen_and(tmp, b); 6394 return b; 6395 } 6396 break; 6397 case DLT_IP_OVER_FC: 6398 return gen_ipfchostop(eaddr, (int)q.dir); 6399 default: 6400 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6401 break; 6402 } 6403 } 6404 bpf_error("ethernet address used in non-ether expression"); 6405 /* NOTREACHED */ 6406 return NULL; 6407 } 6408 6409 void 6410 sappend(s0, s1) 6411 struct slist *s0, *s1; 6412 { 6413 /* 6414 * This is definitely not the best way to do this, but the 6415 * lists will rarely get long. 6416 */ 6417 while (s0->next) 6418 s0 = s0->next; 6419 s0->next = s1; 6420 } 6421 6422 static struct slist * 6423 xfer_to_x(a) 6424 struct arth *a; 6425 { 6426 struct slist *s; 6427 6428 s = new_stmt(BPF_LDX|BPF_MEM); 6429 s->s.k = a->regno; 6430 return s; 6431 } 6432 6433 static struct slist * 6434 xfer_to_a(a) 6435 struct arth *a; 6436 { 6437 struct slist *s; 6438 6439 s = new_stmt(BPF_LD|BPF_MEM); 6440 s->s.k = a->regno; 6441 return s; 6442 } 6443 6444 /* 6445 * Modify "index" to use the value stored into its register as an 6446 * offset relative to the beginning of the header for the protocol 6447 * "proto", and allocate a register and put an item "size" bytes long 6448 * (1, 2, or 4) at that offset into that register, making it the register 6449 * for "index". 6450 */ 6451 struct arth * 6452 gen_load(proto, inst, size) 6453 int proto; 6454 struct arth *inst; 6455 int size; 6456 { 6457 struct slist *s, *tmp; 6458 struct block *b; 6459 int regno = alloc_reg(); 6460 6461 free_reg(inst->regno); 6462 switch (size) { 6463 6464 default: 6465 bpf_error("data size must be 1, 2, or 4"); 6466 6467 case 1: 6468 size = BPF_B; 6469 break; 6470 6471 case 2: 6472 size = BPF_H; 6473 break; 6474 6475 case 4: 6476 size = BPF_W; 6477 break; 6478 } 6479 switch (proto) { 6480 default: 6481 bpf_error("unsupported index operation"); 6482 6483 case Q_RADIO: 6484 /* 6485 * The offset is relative to the beginning of the packet 6486 * data, if we have a radio header. (If we don't, this 6487 * is an error.) 6488 */ 6489 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6490 linktype != DLT_IEEE802_11_RADIO && 6491 linktype != DLT_PRISM_HEADER) 6492 bpf_error("radio information not present in capture"); 6493 6494 /* 6495 * Load into the X register the offset computed into the 6496 * register specifed by "index". 6497 */ 6498 s = xfer_to_x(inst); 6499 6500 /* 6501 * Load the item at that offset. 6502 */ 6503 tmp = new_stmt(BPF_LD|BPF_IND|size); 6504 sappend(s, tmp); 6505 sappend(inst->s, s); 6506 break; 6507 6508 case Q_LINK: 6509 /* 6510 * The offset is relative to the beginning of 6511 * the link-layer header. 6512 * 6513 * XXX - what about ATM LANE? Should the index be 6514 * relative to the beginning of the AAL5 frame, so 6515 * that 0 refers to the beginning of the LE Control 6516 * field, or relative to the beginning of the LAN 6517 * frame, so that 0 refers, for Ethernet LANE, to 6518 * the beginning of the destination address? 6519 */ 6520 s = gen_llprefixlen(); 6521 6522 /* 6523 * If "s" is non-null, it has code to arrange that the 6524 * X register contains the length of the prefix preceding 6525 * the link-layer header. Add to it the offset computed 6526 * into the register specified by "index", and move that 6527 * into the X register. Otherwise, just load into the X 6528 * register the offset computed into the register specifed 6529 * by "index". 6530 */ 6531 if (s != NULL) { 6532 sappend(s, xfer_to_a(inst)); 6533 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6534 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6535 } else 6536 s = xfer_to_x(inst); 6537 6538 /* 6539 * Load the item at the sum of the offset we've put in the 6540 * X register and the offset of the start of the link 6541 * layer header (which is 0 if the radio header is 6542 * variable-length; that header length is what we put 6543 * into the X register and then added to the index). 6544 */ 6545 tmp = new_stmt(BPF_LD|BPF_IND|size); 6546 tmp->s.k = off_ll; 6547 sappend(s, tmp); 6548 sappend(inst->s, s); 6549 break; 6550 6551 case Q_IP: 6552 case Q_ARP: 6553 case Q_RARP: 6554 case Q_ATALK: 6555 case Q_DECNET: 6556 case Q_SCA: 6557 case Q_LAT: 6558 case Q_MOPRC: 6559 case Q_MOPDL: 6560 #ifdef INET6 6561 case Q_IPV6: 6562 #endif 6563 /* 6564 * The offset is relative to the beginning of 6565 * the network-layer header. 6566 * XXX - are there any cases where we want 6567 * off_nl_nosnap? 6568 */ 6569 s = gen_off_macpl(); 6570 6571 /* 6572 * If "s" is non-null, it has code to arrange that the 6573 * X register contains the offset of the MAC-layer 6574 * payload. Add to it the offset computed into the 6575 * register specified by "index", and move that into 6576 * the X register. Otherwise, just load into the X 6577 * register the offset computed into the register specifed 6578 * by "index". 6579 */ 6580 if (s != NULL) { 6581 sappend(s, xfer_to_a(inst)); 6582 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6583 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6584 } else 6585 s = xfer_to_x(inst); 6586 6587 /* 6588 * Load the item at the sum of the offset we've put in the 6589 * X register, the offset of the start of the network 6590 * layer header from the beginning of the MAC-layer 6591 * payload, and the purported offset of the start of the 6592 * MAC-layer payload (which might be 0 if there's a 6593 * variable-length prefix before the link-layer header 6594 * or the link-layer header itself is variable-length; 6595 * the variable-length offset of the start of the 6596 * MAC-layer payload is what we put into the X register 6597 * and then added to the index). 6598 */ 6599 tmp = new_stmt(BPF_LD|BPF_IND|size); 6600 tmp->s.k = off_macpl + off_nl; 6601 sappend(s, tmp); 6602 sappend(inst->s, s); 6603 6604 /* 6605 * Do the computation only if the packet contains 6606 * the protocol in question. 6607 */ 6608 b = gen_proto_abbrev(proto); 6609 if (inst->b) 6610 gen_and(inst->b, b); 6611 inst->b = b; 6612 break; 6613 6614 case Q_SCTP: 6615 case Q_TCP: 6616 case Q_UDP: 6617 case Q_ICMP: 6618 case Q_IGMP: 6619 case Q_IGRP: 6620 case Q_PIM: 6621 case Q_VRRP: 6622 /* 6623 * The offset is relative to the beginning of 6624 * the transport-layer header. 6625 * 6626 * Load the X register with the length of the IPv4 header 6627 * (plus the offset of the link-layer header, if it's 6628 * a variable-length header), in bytes. 6629 * 6630 * XXX - are there any cases where we want 6631 * off_nl_nosnap? 6632 * XXX - we should, if we're built with 6633 * IPv6 support, generate code to load either 6634 * IPv4, IPv6, or both, as appropriate. 6635 */ 6636 s = gen_loadx_iphdrlen(); 6637 6638 /* 6639 * The X register now contains the sum of the length 6640 * of any variable-length header preceding the link-layer 6641 * header, any variable-length link-layer header, and the 6642 * length of the network-layer header. 6643 * 6644 * Load into the A register the offset relative to 6645 * the beginning of the transport layer header, 6646 * add the X register to that, move that to the 6647 * X register, and load with an offset from the 6648 * X register equal to the offset of the network 6649 * layer header relative to the beginning of 6650 * the MAC-layer payload plus the fixed-length 6651 * portion of the offset of the MAC-layer payload 6652 * from the beginning of the raw packet data. 6653 */ 6654 sappend(s, xfer_to_a(inst)); 6655 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6656 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6657 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6658 tmp->s.k = off_macpl + off_nl; 6659 sappend(inst->s, s); 6660 6661 /* 6662 * Do the computation only if the packet contains 6663 * the protocol in question - which is true only 6664 * if this is an IP datagram and is the first or 6665 * only fragment of that datagram. 6666 */ 6667 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6668 if (inst->b) 6669 gen_and(inst->b, b); 6670 #ifdef INET6 6671 gen_and(gen_proto_abbrev(Q_IP), b); 6672 #endif 6673 inst->b = b; 6674 break; 6675 #ifdef INET6 6676 case Q_ICMPV6: 6677 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6678 /*NOTREACHED*/ 6679 #endif 6680 } 6681 inst->regno = regno; 6682 s = new_stmt(BPF_ST); 6683 s->s.k = regno; 6684 sappend(inst->s, s); 6685 6686 return inst; 6687 } 6688 6689 struct block * 6690 gen_relation(code, a0, a1, reversed) 6691 int code; 6692 struct arth *a0, *a1; 6693 int reversed; 6694 { 6695 struct slist *s0, *s1, *s2; 6696 struct block *b, *tmp; 6697 6698 s0 = xfer_to_x(a1); 6699 s1 = xfer_to_a(a0); 6700 if (code == BPF_JEQ) { 6701 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6702 b = new_block(JMP(code)); 6703 sappend(s1, s2); 6704 } 6705 else 6706 b = new_block(BPF_JMP|code|BPF_X); 6707 if (reversed) 6708 gen_not(b); 6709 6710 sappend(s0, s1); 6711 sappend(a1->s, s0); 6712 sappend(a0->s, a1->s); 6713 6714 b->stmts = a0->s; 6715 6716 free_reg(a0->regno); 6717 free_reg(a1->regno); 6718 6719 /* 'and' together protocol checks */ 6720 if (a0->b) { 6721 if (a1->b) { 6722 gen_and(a0->b, tmp = a1->b); 6723 } 6724 else 6725 tmp = a0->b; 6726 } else 6727 tmp = a1->b; 6728 6729 if (tmp) 6730 gen_and(tmp, b); 6731 6732 return b; 6733 } 6734 6735 struct arth * 6736 gen_loadlen() 6737 { 6738 int regno = alloc_reg(); 6739 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6740 struct slist *s; 6741 6742 s = new_stmt(BPF_LD|BPF_LEN); 6743 s->next = new_stmt(BPF_ST); 6744 s->next->s.k = regno; 6745 a->s = s; 6746 a->regno = regno; 6747 6748 return a; 6749 } 6750 6751 struct arth * 6752 gen_loadi(val) 6753 int val; 6754 { 6755 struct arth *a; 6756 struct slist *s; 6757 int reg; 6758 6759 a = (struct arth *)newchunk(sizeof(*a)); 6760 6761 reg = alloc_reg(); 6762 6763 s = new_stmt(BPF_LD|BPF_IMM); 6764 s->s.k = val; 6765 s->next = new_stmt(BPF_ST); 6766 s->next->s.k = reg; 6767 a->s = s; 6768 a->regno = reg; 6769 6770 return a; 6771 } 6772 6773 struct arth * 6774 gen_neg(a) 6775 struct arth *a; 6776 { 6777 struct slist *s; 6778 6779 s = xfer_to_a(a); 6780 sappend(a->s, s); 6781 s = new_stmt(BPF_ALU|BPF_NEG); 6782 s->s.k = 0; 6783 sappend(a->s, s); 6784 s = new_stmt(BPF_ST); 6785 s->s.k = a->regno; 6786 sappend(a->s, s); 6787 6788 return a; 6789 } 6790 6791 struct arth * 6792 gen_arth(code, a0, a1) 6793 int code; 6794 struct arth *a0, *a1; 6795 { 6796 struct slist *s0, *s1, *s2; 6797 6798 s0 = xfer_to_x(a1); 6799 s1 = xfer_to_a(a0); 6800 s2 = new_stmt(BPF_ALU|BPF_X|code); 6801 6802 sappend(s1, s2); 6803 sappend(s0, s1); 6804 sappend(a1->s, s0); 6805 sappend(a0->s, a1->s); 6806 6807 free_reg(a0->regno); 6808 free_reg(a1->regno); 6809 6810 s0 = new_stmt(BPF_ST); 6811 a0->regno = s0->s.k = alloc_reg(); 6812 sappend(a0->s, s0); 6813 6814 return a0; 6815 } 6816 6817 /* 6818 * Here we handle simple allocation of the scratch registers. 6819 * If too many registers are alloc'd, the allocator punts. 6820 */ 6821 static int regused[BPF_MEMWORDS]; 6822 static int curreg; 6823 6824 /* 6825 * Initialize the table of used registers and the current register. 6826 */ 6827 static void 6828 init_regs() 6829 { 6830 curreg = 0; 6831 memset(regused, 0, sizeof regused); 6832 } 6833 6834 /* 6835 * Return the next free register. 6836 */ 6837 static int 6838 alloc_reg() 6839 { 6840 int n = BPF_MEMWORDS; 6841 6842 while (--n >= 0) { 6843 if (regused[curreg]) 6844 curreg = (curreg + 1) % BPF_MEMWORDS; 6845 else { 6846 regused[curreg] = 1; 6847 return curreg; 6848 } 6849 } 6850 bpf_error("too many registers needed to evaluate expression"); 6851 /* NOTREACHED */ 6852 return 0; 6853 } 6854 6855 /* 6856 * Return a register to the table so it can 6857 * be used later. 6858 */ 6859 static void 6860 free_reg(n) 6861 int n; 6862 { 6863 regused[n] = 0; 6864 } 6865 6866 static struct block * 6867 gen_len(jmp, n) 6868 int jmp, n; 6869 { 6870 struct slist *s; 6871 struct block *b; 6872 6873 s = new_stmt(BPF_LD|BPF_LEN); 6874 b = new_block(JMP(jmp)); 6875 b->stmts = s; 6876 b->s.k = n; 6877 6878 return b; 6879 } 6880 6881 struct block * 6882 gen_greater(n) 6883 int n; 6884 { 6885 return gen_len(BPF_JGE, n); 6886 } 6887 6888 /* 6889 * Actually, this is less than or equal. 6890 */ 6891 struct block * 6892 gen_less(n) 6893 int n; 6894 { 6895 struct block *b; 6896 6897 b = gen_len(BPF_JGT, n); 6898 gen_not(b); 6899 6900 return b; 6901 } 6902 6903 /* 6904 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 6905 * the beginning of the link-layer header. 6906 * XXX - that means you can't test values in the radiotap header, but 6907 * as that header is difficult if not impossible to parse generally 6908 * without a loop, that might not be a severe problem. A new keyword 6909 * "radio" could be added for that, although what you'd really want 6910 * would be a way of testing particular radio header values, which 6911 * would generate code appropriate to the radio header in question. 6912 */ 6913 struct block * 6914 gen_byteop(op, idx, val) 6915 int op, idx, val; 6916 { 6917 struct block *b; 6918 struct slist *s; 6919 6920 switch (op) { 6921 default: 6922 abort(); 6923 6924 case '=': 6925 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6926 6927 case '<': 6928 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6929 return b; 6930 6931 case '>': 6932 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6933 return b; 6934 6935 case '|': 6936 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 6937 break; 6938 6939 case '&': 6940 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 6941 break; 6942 } 6943 s->s.k = val; 6944 b = new_block(JMP(BPF_JEQ)); 6945 b->stmts = s; 6946 gen_not(b); 6947 6948 return b; 6949 } 6950 6951 static u_char abroadcast[] = { 0x0 }; 6952 6953 struct block * 6954 gen_broadcast(proto) 6955 int proto; 6956 { 6957 bpf_u_int32 hostmask; 6958 struct block *b0, *b1, *b2; 6959 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 6960 6961 switch (proto) { 6962 6963 case Q_DEFAULT: 6964 case Q_LINK: 6965 switch (linktype) { 6966 case DLT_ARCNET: 6967 case DLT_ARCNET_LINUX: 6968 return gen_ahostop(abroadcast, Q_DST); 6969 case DLT_EN10MB: 6970 return gen_ehostop(ebroadcast, Q_DST); 6971 case DLT_FDDI: 6972 return gen_fhostop(ebroadcast, Q_DST); 6973 case DLT_IEEE802: 6974 return gen_thostop(ebroadcast, Q_DST); 6975 case DLT_IEEE802_11: 6976 case DLT_PRISM_HEADER: 6977 case DLT_IEEE802_11_RADIO_AVS: 6978 case DLT_IEEE802_11_RADIO: 6979 case DLT_PPI: 6980 return gen_wlanhostop(ebroadcast, Q_DST); 6981 case DLT_IP_OVER_FC: 6982 return gen_ipfchostop(ebroadcast, Q_DST); 6983 case DLT_SUNATM: 6984 if (is_lane) { 6985 /* 6986 * Check that the packet doesn't begin with an 6987 * LE Control marker. (We've already generated 6988 * a test for LANE.) 6989 */ 6990 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6991 BPF_H, 0xFF00); 6992 gen_not(b1); 6993 6994 /* 6995 * Now check the MAC address. 6996 */ 6997 b0 = gen_ehostop(ebroadcast, Q_DST); 6998 gen_and(b1, b0); 6999 return b0; 7000 } 7001 break; 7002 default: 7003 bpf_error("not a broadcast link"); 7004 } 7005 break; 7006 7007 case Q_IP: 7008 b0 = gen_linktype(ETHERTYPE_IP); 7009 hostmask = ~netmask; 7010 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7011 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7012 (bpf_int32)(~0 & hostmask), hostmask); 7013 gen_or(b1, b2); 7014 gen_and(b0, b2); 7015 return b2; 7016 } 7017 bpf_error("only link-layer/IP broadcast filters supported"); 7018 /* NOTREACHED */ 7019 return NULL; 7020 } 7021 7022 /* 7023 * Generate code to test the low-order bit of a MAC address (that's 7024 * the bottom bit of the *first* byte). 7025 */ 7026 static struct block * 7027 gen_mac_multicast(offset) 7028 int offset; 7029 { 7030 register struct block *b0; 7031 register struct slist *s; 7032 7033 /* link[offset] & 1 != 0 */ 7034 s = gen_load_a(OR_LINK, offset, BPF_B); 7035 b0 = new_block(JMP(BPF_JSET)); 7036 b0->s.k = 1; 7037 b0->stmts = s; 7038 return b0; 7039 } 7040 7041 struct block * 7042 gen_multicast(proto) 7043 int proto; 7044 { 7045 register struct block *b0, *b1, *b2; 7046 register struct slist *s; 7047 7048 switch (proto) { 7049 7050 case Q_DEFAULT: 7051 case Q_LINK: 7052 switch (linktype) { 7053 case DLT_ARCNET: 7054 case DLT_ARCNET_LINUX: 7055 /* all ARCnet multicasts use the same address */ 7056 return gen_ahostop(abroadcast, Q_DST); 7057 case DLT_EN10MB: 7058 /* ether[0] & 1 != 0 */ 7059 return gen_mac_multicast(0); 7060 case DLT_FDDI: 7061 /* 7062 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7063 * 7064 * XXX - was that referring to bit-order issues? 7065 */ 7066 /* fddi[1] & 1 != 0 */ 7067 return gen_mac_multicast(1); 7068 case DLT_IEEE802: 7069 /* tr[2] & 1 != 0 */ 7070 return gen_mac_multicast(2); 7071 case DLT_IEEE802_11: 7072 case DLT_PRISM_HEADER: 7073 case DLT_IEEE802_11_RADIO_AVS: 7074 case DLT_IEEE802_11_RADIO: 7075 case DLT_PPI: 7076 /* 7077 * Oh, yuk. 7078 * 7079 * For control frames, there is no DA. 7080 * 7081 * For management frames, DA is at an 7082 * offset of 4 from the beginning of 7083 * the packet. 7084 * 7085 * For data frames, DA is at an offset 7086 * of 4 from the beginning of the packet 7087 * if To DS is clear and at an offset of 7088 * 16 from the beginning of the packet 7089 * if To DS is set. 7090 */ 7091 7092 /* 7093 * Generate the tests to be done for data frames. 7094 * 7095 * First, check for To DS set, i.e. "link[1] & 0x01". 7096 */ 7097 s = gen_load_a(OR_LINK, 1, BPF_B); 7098 b1 = new_block(JMP(BPF_JSET)); 7099 b1->s.k = 0x01; /* To DS */ 7100 b1->stmts = s; 7101 7102 /* 7103 * If To DS is set, the DA is at 16. 7104 */ 7105 b0 = gen_mac_multicast(16); 7106 gen_and(b1, b0); 7107 7108 /* 7109 * Now, check for To DS not set, i.e. check 7110 * "!(link[1] & 0x01)". 7111 */ 7112 s = gen_load_a(OR_LINK, 1, BPF_B); 7113 b2 = new_block(JMP(BPF_JSET)); 7114 b2->s.k = 0x01; /* To DS */ 7115 b2->stmts = s; 7116 gen_not(b2); 7117 7118 /* 7119 * If To DS is not set, the DA is at 4. 7120 */ 7121 b1 = gen_mac_multicast(4); 7122 gen_and(b2, b1); 7123 7124 /* 7125 * Now OR together the last two checks. That gives 7126 * the complete set of checks for data frames. 7127 */ 7128 gen_or(b1, b0); 7129 7130 /* 7131 * Now check for a data frame. 7132 * I.e, check "link[0] & 0x08". 7133 */ 7134 s = gen_load_a(OR_LINK, 0, BPF_B); 7135 b1 = new_block(JMP(BPF_JSET)); 7136 b1->s.k = 0x08; 7137 b1->stmts = s; 7138 7139 /* 7140 * AND that with the checks done for data frames. 7141 */ 7142 gen_and(b1, b0); 7143 7144 /* 7145 * If the high-order bit of the type value is 0, this 7146 * is a management frame. 7147 * I.e, check "!(link[0] & 0x08)". 7148 */ 7149 s = gen_load_a(OR_LINK, 0, BPF_B); 7150 b2 = new_block(JMP(BPF_JSET)); 7151 b2->s.k = 0x08; 7152 b2->stmts = s; 7153 gen_not(b2); 7154 7155 /* 7156 * For management frames, the DA is at 4. 7157 */ 7158 b1 = gen_mac_multicast(4); 7159 gen_and(b2, b1); 7160 7161 /* 7162 * OR that with the checks done for data frames. 7163 * That gives the checks done for management and 7164 * data frames. 7165 */ 7166 gen_or(b1, b0); 7167 7168 /* 7169 * If the low-order bit of the type value is 1, 7170 * this is either a control frame or a frame 7171 * with a reserved type, and thus not a 7172 * frame with an SA. 7173 * 7174 * I.e., check "!(link[0] & 0x04)". 7175 */ 7176 s = gen_load_a(OR_LINK, 0, BPF_B); 7177 b1 = new_block(JMP(BPF_JSET)); 7178 b1->s.k = 0x04; 7179 b1->stmts = s; 7180 gen_not(b1); 7181 7182 /* 7183 * AND that with the checks for data and management 7184 * frames. 7185 */ 7186 gen_and(b1, b0); 7187 return b0; 7188 case DLT_IP_OVER_FC: 7189 b0 = gen_mac_multicast(2); 7190 return b0; 7191 case DLT_SUNATM: 7192 if (is_lane) { 7193 /* 7194 * Check that the packet doesn't begin with an 7195 * LE Control marker. (We've already generated 7196 * a test for LANE.) 7197 */ 7198 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7199 BPF_H, 0xFF00); 7200 gen_not(b1); 7201 7202 /* ether[off_mac] & 1 != 0 */ 7203 b0 = gen_mac_multicast(off_mac); 7204 gen_and(b1, b0); 7205 return b0; 7206 } 7207 break; 7208 default: 7209 break; 7210 } 7211 /* Link not known to support multicasts */ 7212 break; 7213 7214 case Q_IP: 7215 b0 = gen_linktype(ETHERTYPE_IP); 7216 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7217 gen_and(b0, b1); 7218 return b1; 7219 7220 #ifdef INET6 7221 case Q_IPV6: 7222 b0 = gen_linktype(ETHERTYPE_IPV6); 7223 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7224 gen_and(b0, b1); 7225 return b1; 7226 #endif /* INET6 */ 7227 } 7228 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7229 /* NOTREACHED */ 7230 return NULL; 7231 } 7232 7233 /* 7234 * generate command for inbound/outbound. It's here so we can 7235 * make it link-type specific. 'dir' = 0 implies "inbound", 7236 * = 1 implies "outbound". 7237 */ 7238 struct block * 7239 gen_inbound(dir) 7240 int dir; 7241 { 7242 register struct block *b0; 7243 7244 /* 7245 * Only some data link types support inbound/outbound qualifiers. 7246 */ 7247 switch (linktype) { 7248 case DLT_SLIP: 7249 b0 = gen_relation(BPF_JEQ, 7250 gen_load(Q_LINK, gen_loadi(0), 1), 7251 gen_loadi(0), 7252 dir); 7253 break; 7254 7255 case DLT_LINUX_SLL: 7256 if (dir) { 7257 /* 7258 * Match packets sent by this machine. 7259 */ 7260 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7261 } else { 7262 /* 7263 * Match packets sent to this machine. 7264 * (No broadcast or multicast packets, or 7265 * packets sent to some other machine and 7266 * received promiscuously.) 7267 * 7268 * XXX - packets sent to other machines probably 7269 * shouldn't be matched, but what about broadcast 7270 * or multicast packets we received? 7271 */ 7272 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 7273 } 7274 break; 7275 7276 #ifdef HAVE_NET_PFVAR_H 7277 case DLT_PFLOG: 7278 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7279 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7280 break; 7281 #endif 7282 7283 case DLT_PPP_PPPD: 7284 if (dir) { 7285 /* match outgoing packets */ 7286 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7287 } else { 7288 /* match incoming packets */ 7289 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7290 } 7291 break; 7292 7293 case DLT_JUNIPER_MFR: 7294 case DLT_JUNIPER_MLFR: 7295 case DLT_JUNIPER_MLPPP: 7296 case DLT_JUNIPER_ATM1: 7297 case DLT_JUNIPER_ATM2: 7298 case DLT_JUNIPER_PPPOE: 7299 case DLT_JUNIPER_PPPOE_ATM: 7300 case DLT_JUNIPER_GGSN: 7301 case DLT_JUNIPER_ES: 7302 case DLT_JUNIPER_MONITOR: 7303 case DLT_JUNIPER_SERVICES: 7304 case DLT_JUNIPER_ETHER: 7305 case DLT_JUNIPER_PPP: 7306 case DLT_JUNIPER_FRELAY: 7307 case DLT_JUNIPER_CHDLC: 7308 case DLT_JUNIPER_VP: 7309 case DLT_JUNIPER_ST: 7310 case DLT_JUNIPER_ISM: 7311 /* juniper flags (including direction) are stored 7312 * the byte after the 3-byte magic number */ 7313 if (dir) { 7314 /* match outgoing packets */ 7315 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7316 } else { 7317 /* match incoming packets */ 7318 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7319 } 7320 break; 7321 7322 default: 7323 bpf_error("inbound/outbound not supported on linktype %d", 7324 linktype); 7325 b0 = NULL; 7326 /* NOTREACHED */ 7327 } 7328 return (b0); 7329 } 7330 7331 #ifdef HAVE_NET_PFVAR_H 7332 /* PF firewall log matched interface */ 7333 struct block * 7334 gen_pf_ifname(const char *ifname) 7335 { 7336 struct block *b0; 7337 u_int len, off; 7338 7339 if (linktype != DLT_PFLOG) { 7340 bpf_error("ifname supported only on PF linktype"); 7341 /* NOTREACHED */ 7342 } 7343 len = sizeof(((struct pfloghdr *)0)->ifname); 7344 off = offsetof(struct pfloghdr, ifname); 7345 if (strlen(ifname) >= len) { 7346 bpf_error("ifname interface names can only be %d characters", 7347 len-1); 7348 /* NOTREACHED */ 7349 } 7350 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7351 return (b0); 7352 } 7353 7354 /* PF firewall log ruleset name */ 7355 struct block * 7356 gen_pf_ruleset(char *ruleset) 7357 { 7358 struct block *b0; 7359 7360 if (linktype != DLT_PFLOG) { 7361 bpf_error("ruleset supported only on PF linktype"); 7362 /* NOTREACHED */ 7363 } 7364 7365 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7366 bpf_error("ruleset names can only be %ld characters", 7367 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7368 /* NOTREACHED */ 7369 } 7370 7371 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7372 strlen(ruleset), (const u_char *)ruleset); 7373 return (b0); 7374 } 7375 7376 /* PF firewall log rule number */ 7377 struct block * 7378 gen_pf_rnr(int rnr) 7379 { 7380 struct block *b0; 7381 7382 if (linktype != DLT_PFLOG) { 7383 bpf_error("rnr supported only on PF linktype"); 7384 /* NOTREACHED */ 7385 } 7386 7387 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7388 (bpf_int32)rnr); 7389 return (b0); 7390 } 7391 7392 /* PF firewall log sub-rule number */ 7393 struct block * 7394 gen_pf_srnr(int srnr) 7395 { 7396 struct block *b0; 7397 7398 if (linktype != DLT_PFLOG) { 7399 bpf_error("srnr supported only on PF linktype"); 7400 /* NOTREACHED */ 7401 } 7402 7403 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7404 (bpf_int32)srnr); 7405 return (b0); 7406 } 7407 7408 /* PF firewall log reason code */ 7409 struct block * 7410 gen_pf_reason(int reason) 7411 { 7412 struct block *b0; 7413 7414 if (linktype != DLT_PFLOG) { 7415 bpf_error("reason supported only on PF linktype"); 7416 /* NOTREACHED */ 7417 } 7418 7419 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7420 (bpf_int32)reason); 7421 return (b0); 7422 } 7423 7424 /* PF firewall log action */ 7425 struct block * 7426 gen_pf_action(int action) 7427 { 7428 struct block *b0; 7429 7430 if (linktype != DLT_PFLOG) { 7431 bpf_error("action supported only on PF linktype"); 7432 /* NOTREACHED */ 7433 } 7434 7435 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7436 (bpf_int32)action); 7437 return (b0); 7438 } 7439 #else /* !HAVE_NET_PFVAR_H */ 7440 struct block * 7441 gen_pf_ifname(const char *ifname) 7442 { 7443 bpf_error("libpcap was compiled without pf support"); 7444 /* NOTREACHED */ 7445 return (NULL); 7446 } 7447 7448 struct block * 7449 gen_pf_ruleset(char *ruleset) 7450 { 7451 bpf_error("libpcap was compiled on a machine without pf support"); 7452 /* NOTREACHED */ 7453 return (NULL); 7454 } 7455 7456 struct block * 7457 gen_pf_rnr(int rnr) 7458 { 7459 bpf_error("libpcap was compiled on a machine without pf support"); 7460 /* NOTREACHED */ 7461 return (NULL); 7462 } 7463 7464 struct block * 7465 gen_pf_srnr(int srnr) 7466 { 7467 bpf_error("libpcap was compiled on a machine without pf support"); 7468 /* NOTREACHED */ 7469 return (NULL); 7470 } 7471 7472 struct block * 7473 gen_pf_reason(int reason) 7474 { 7475 bpf_error("libpcap was compiled on a machine without pf support"); 7476 /* NOTREACHED */ 7477 return (NULL); 7478 } 7479 7480 struct block * 7481 gen_pf_action(int action) 7482 { 7483 bpf_error("libpcap was compiled on a machine without pf support"); 7484 /* NOTREACHED */ 7485 return (NULL); 7486 } 7487 #endif /* HAVE_NET_PFVAR_H */ 7488 7489 /* IEEE 802.11 wireless header */ 7490 struct block * 7491 gen_p80211_type(int type, int mask) 7492 { 7493 struct block *b0; 7494 7495 switch (linktype) { 7496 7497 case DLT_IEEE802_11: 7498 case DLT_PRISM_HEADER: 7499 case DLT_IEEE802_11_RADIO_AVS: 7500 case DLT_IEEE802_11_RADIO: 7501 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7502 (bpf_int32)mask); 7503 break; 7504 7505 default: 7506 bpf_error("802.11 link-layer types supported only on 802.11"); 7507 /* NOTREACHED */ 7508 } 7509 7510 return (b0); 7511 } 7512 7513 struct block * 7514 gen_p80211_fcdir(int fcdir) 7515 { 7516 struct block *b0; 7517 7518 switch (linktype) { 7519 7520 case DLT_IEEE802_11: 7521 case DLT_PRISM_HEADER: 7522 case DLT_IEEE802_11_RADIO_AVS: 7523 case DLT_IEEE802_11_RADIO: 7524 break; 7525 7526 default: 7527 bpf_error("frame direction supported only with 802.11 headers"); 7528 /* NOTREACHED */ 7529 } 7530 7531 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7532 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7533 7534 return (b0); 7535 } 7536 7537 struct block * 7538 gen_acode(eaddr, q) 7539 register const u_char *eaddr; 7540 struct qual q; 7541 { 7542 switch (linktype) { 7543 7544 case DLT_ARCNET: 7545 case DLT_ARCNET_LINUX: 7546 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7547 q.proto == Q_LINK) 7548 return (gen_ahostop(eaddr, (int)q.dir)); 7549 else { 7550 bpf_error("ARCnet address used in non-arc expression"); 7551 /* NOTREACHED */ 7552 } 7553 break; 7554 7555 default: 7556 bpf_error("aid supported only on ARCnet"); 7557 /* NOTREACHED */ 7558 } 7559 bpf_error("ARCnet address used in non-arc expression"); 7560 /* NOTREACHED */ 7561 return NULL; 7562 } 7563 7564 static struct block * 7565 gen_ahostop(eaddr, dir) 7566 register const u_char *eaddr; 7567 register int dir; 7568 { 7569 register struct block *b0, *b1; 7570 7571 switch (dir) { 7572 /* src comes first, different from Ethernet */ 7573 case Q_SRC: 7574 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7575 7576 case Q_DST: 7577 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7578 7579 case Q_AND: 7580 b0 = gen_ahostop(eaddr, Q_SRC); 7581 b1 = gen_ahostop(eaddr, Q_DST); 7582 gen_and(b0, b1); 7583 return b1; 7584 7585 case Q_DEFAULT: 7586 case Q_OR: 7587 b0 = gen_ahostop(eaddr, Q_SRC); 7588 b1 = gen_ahostop(eaddr, Q_DST); 7589 gen_or(b0, b1); 7590 return b1; 7591 } 7592 abort(); 7593 /* NOTREACHED */ 7594 } 7595 7596 /* 7597 * support IEEE 802.1Q VLAN trunk over ethernet 7598 */ 7599 struct block * 7600 gen_vlan(vlan_num) 7601 int vlan_num; 7602 { 7603 struct block *b0, *b1; 7604 7605 /* can't check for VLAN-encapsulated packets inside MPLS */ 7606 if (label_stack_depth > 0) 7607 bpf_error("no VLAN match after MPLS"); 7608 7609 /* 7610 * Check for a VLAN packet, and then change the offsets to point 7611 * to the type and data fields within the VLAN packet. Just 7612 * increment the offsets, so that we can support a hierarchy, e.g. 7613 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7614 * VLAN 100. 7615 * 7616 * XXX - this is a bit of a kludge. If we were to split the 7617 * compiler into a parser that parses an expression and 7618 * generates an expression tree, and a code generator that 7619 * takes an expression tree (which could come from our 7620 * parser or from some other parser) and generates BPF code, 7621 * we could perhaps make the offsets parameters of routines 7622 * and, in the handler for an "AND" node, pass to subnodes 7623 * other than the VLAN node the adjusted offsets. 7624 * 7625 * This would mean that "vlan" would, instead of changing the 7626 * behavior of *all* tests after it, change only the behavior 7627 * of tests ANDed with it. That would change the documented 7628 * semantics of "vlan", which might break some expressions. 7629 * However, it would mean that "(vlan and ip) or ip" would check 7630 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7631 * checking only for VLAN-encapsulated IP, so that could still 7632 * be considered worth doing; it wouldn't break expressions 7633 * that are of the form "vlan and ..." or "vlan N and ...", 7634 * which I suspect are the most common expressions involving 7635 * "vlan". "vlan or ..." doesn't necessarily do what the user 7636 * would really want, now, as all the "or ..." tests would 7637 * be done assuming a VLAN, even though the "or" could be viewed 7638 * as meaning "or, if this isn't a VLAN packet...". 7639 */ 7640 orig_nl = off_nl; 7641 7642 switch (linktype) { 7643 7644 case DLT_EN10MB: 7645 /* check for VLAN */ 7646 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7647 (bpf_int32)ETHERTYPE_8021Q); 7648 7649 /* If a specific VLAN is requested, check VLAN id */ 7650 if (vlan_num >= 0) { 7651 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7652 (bpf_int32)vlan_num, 0x0fff); 7653 gen_and(b0, b1); 7654 b0 = b1; 7655 } 7656 7657 off_macpl += 4; 7658 off_linktype += 4; 7659 #if 0 7660 off_nl_nosnap += 4; 7661 off_nl += 4; 7662 #endif 7663 break; 7664 7665 default: 7666 bpf_error("no VLAN support for data link type %d", 7667 linktype); 7668 /*NOTREACHED*/ 7669 } 7670 7671 return (b0); 7672 } 7673 7674 /* 7675 * support for MPLS 7676 */ 7677 struct block * 7678 gen_mpls(label_num) 7679 int label_num; 7680 { 7681 struct block *b0,*b1; 7682 7683 /* 7684 * Change the offsets to point to the type and data fields within 7685 * the MPLS packet. Just increment the offsets, so that we 7686 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7687 * capture packets with an outer label of 100000 and an inner 7688 * label of 1024. 7689 * 7690 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7691 */ 7692 orig_nl = off_nl; 7693 7694 if (label_stack_depth > 0) { 7695 /* just match the bottom-of-stack bit clear */ 7696 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 7697 } else { 7698 /* 7699 * Indicate that we're checking MPLS-encapsulated headers, 7700 * to make sure higher level code generators don't try to 7701 * match against IP-related protocols such as Q_ARP, Q_RARP 7702 * etc. 7703 */ 7704 switch (linktype) { 7705 7706 case DLT_C_HDLC: /* fall through */ 7707 case DLT_EN10MB: 7708 b0 = gen_linktype(ETHERTYPE_MPLS); 7709 break; 7710 7711 case DLT_PPP: 7712 b0 = gen_linktype(PPP_MPLS_UCAST); 7713 break; 7714 7715 /* FIXME add other DLT_s ... 7716 * for Frame-Relay/and ATM this may get messy due to SNAP headers 7717 * leave it for now */ 7718 7719 default: 7720 bpf_error("no MPLS support for data link type %d", 7721 linktype); 7722 b0 = NULL; 7723 /*NOTREACHED*/ 7724 break; 7725 } 7726 } 7727 7728 /* If a specific MPLS label is requested, check it */ 7729 if (label_num >= 0) { 7730 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 7731 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 7732 0xfffff000); /* only compare the first 20 bits */ 7733 gen_and(b0, b1); 7734 b0 = b1; 7735 } 7736 7737 off_nl_nosnap += 4; 7738 off_nl += 4; 7739 label_stack_depth++; 7740 return (b0); 7741 } 7742 7743 /* 7744 * Support PPPOE discovery and session. 7745 */ 7746 struct block * 7747 gen_pppoed() 7748 { 7749 /* check for PPPoE discovery */ 7750 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 7751 } 7752 7753 struct block * 7754 gen_pppoes() 7755 { 7756 struct block *b0; 7757 7758 /* 7759 * Test against the PPPoE session link-layer type. 7760 */ 7761 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 7762 7763 /* 7764 * Change the offsets to point to the type and data fields within 7765 * the PPP packet, and note that this is PPPoE rather than 7766 * raw PPP. 7767 * 7768 * XXX - this is a bit of a kludge. If we were to split the 7769 * compiler into a parser that parses an expression and 7770 * generates an expression tree, and a code generator that 7771 * takes an expression tree (which could come from our 7772 * parser or from some other parser) and generates BPF code, 7773 * we could perhaps make the offsets parameters of routines 7774 * and, in the handler for an "AND" node, pass to subnodes 7775 * other than the PPPoE node the adjusted offsets. 7776 * 7777 * This would mean that "pppoes" would, instead of changing the 7778 * behavior of *all* tests after it, change only the behavior 7779 * of tests ANDed with it. That would change the documented 7780 * semantics of "pppoes", which might break some expressions. 7781 * However, it would mean that "(pppoes and ip) or ip" would check 7782 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7783 * checking only for VLAN-encapsulated IP, so that could still 7784 * be considered worth doing; it wouldn't break expressions 7785 * that are of the form "pppoes and ..." which I suspect are the 7786 * most common expressions involving "pppoes". "pppoes or ..." 7787 * doesn't necessarily do what the user would really want, now, 7788 * as all the "or ..." tests would be done assuming PPPoE, even 7789 * though the "or" could be viewed as meaning "or, if this isn't 7790 * a PPPoE packet...". 7791 */ 7792 orig_linktype = off_linktype; /* save original values */ 7793 orig_nl = off_nl; 7794 is_pppoes = 1; 7795 7796 /* 7797 * The "network-layer" protocol is PPPoE, which has a 6-byte 7798 * PPPoE header, followed by a PPP packet. 7799 * 7800 * There is no HDLC encapsulation for the PPP packet (it's 7801 * encapsulated in PPPoES instead), so the link-layer type 7802 * starts at the first byte of the PPP packet. For PPPoE, 7803 * that offset is relative to the beginning of the total 7804 * link-layer payload, including any 802.2 LLC header, so 7805 * it's 6 bytes past off_nl. 7806 */ 7807 off_linktype = off_nl + 6; 7808 7809 /* 7810 * The network-layer offsets are relative to the beginning 7811 * of the MAC-layer payload; that's past the 6-byte 7812 * PPPoE header and the 2-byte PPP header. 7813 */ 7814 off_nl = 6+2; 7815 off_nl_nosnap = 6+2; 7816 7817 return b0; 7818 } 7819 7820 struct block * 7821 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 7822 int atmfield; 7823 bpf_int32 jvalue; 7824 bpf_u_int32 jtype; 7825 int reverse; 7826 { 7827 struct block *b0; 7828 7829 switch (atmfield) { 7830 7831 case A_VPI: 7832 if (!is_atm) 7833 bpf_error("'vpi' supported only on raw ATM"); 7834 if (off_vpi == (u_int)-1) 7835 abort(); 7836 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 7837 reverse, jvalue); 7838 break; 7839 7840 case A_VCI: 7841 if (!is_atm) 7842 bpf_error("'vci' supported only on raw ATM"); 7843 if (off_vci == (u_int)-1) 7844 abort(); 7845 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 7846 reverse, jvalue); 7847 break; 7848 7849 case A_PROTOTYPE: 7850 if (off_proto == (u_int)-1) 7851 abort(); /* XXX - this isn't on FreeBSD */ 7852 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 7853 reverse, jvalue); 7854 break; 7855 7856 case A_MSGTYPE: 7857 if (off_payload == (u_int)-1) 7858 abort(); 7859 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 7860 0xffffffff, jtype, reverse, jvalue); 7861 break; 7862 7863 case A_CALLREFTYPE: 7864 if (!is_atm) 7865 bpf_error("'callref' supported only on raw ATM"); 7866 if (off_proto == (u_int)-1) 7867 abort(); 7868 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 7869 jtype, reverse, jvalue); 7870 break; 7871 7872 default: 7873 abort(); 7874 } 7875 return b0; 7876 } 7877 7878 struct block * 7879 gen_atmtype_abbrev(type) 7880 int type; 7881 { 7882 struct block *b0, *b1; 7883 7884 switch (type) { 7885 7886 case A_METAC: 7887 /* Get all packets in Meta signalling Circuit */ 7888 if (!is_atm) 7889 bpf_error("'metac' supported only on raw ATM"); 7890 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7891 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 7892 gen_and(b0, b1); 7893 break; 7894 7895 case A_BCC: 7896 /* Get all packets in Broadcast Circuit*/ 7897 if (!is_atm) 7898 bpf_error("'bcc' supported only on raw ATM"); 7899 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7900 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 7901 gen_and(b0, b1); 7902 break; 7903 7904 case A_OAMF4SC: 7905 /* Get all cells in Segment OAM F4 circuit*/ 7906 if (!is_atm) 7907 bpf_error("'oam4sc' supported only on raw ATM"); 7908 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7909 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 7910 gen_and(b0, b1); 7911 break; 7912 7913 case A_OAMF4EC: 7914 /* Get all cells in End-to-End OAM F4 Circuit*/ 7915 if (!is_atm) 7916 bpf_error("'oam4ec' supported only on raw ATM"); 7917 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7918 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 7919 gen_and(b0, b1); 7920 break; 7921 7922 case A_SC: 7923 /* Get all packets in connection Signalling Circuit */ 7924 if (!is_atm) 7925 bpf_error("'sc' supported only on raw ATM"); 7926 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7927 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 7928 gen_and(b0, b1); 7929 break; 7930 7931 case A_ILMIC: 7932 /* Get all packets in ILMI Circuit */ 7933 if (!is_atm) 7934 bpf_error("'ilmic' supported only on raw ATM"); 7935 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7936 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 7937 gen_and(b0, b1); 7938 break; 7939 7940 case A_LANE: 7941 /* Get all LANE packets */ 7942 if (!is_atm) 7943 bpf_error("'lane' supported only on raw ATM"); 7944 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 7945 7946 /* 7947 * Arrange that all subsequent tests assume LANE 7948 * rather than LLC-encapsulated packets, and set 7949 * the offsets appropriately for LANE-encapsulated 7950 * Ethernet. 7951 * 7952 * "off_mac" is the offset of the Ethernet header, 7953 * which is 2 bytes past the ATM pseudo-header 7954 * (skipping the pseudo-header and 2-byte LE Client 7955 * field). The other offsets are Ethernet offsets 7956 * relative to "off_mac". 7957 */ 7958 is_lane = 1; 7959 off_mac = off_payload + 2; /* MAC header */ 7960 off_linktype = off_mac + 12; 7961 off_macpl = off_mac + 14; /* Ethernet */ 7962 off_nl = 0; /* Ethernet II */ 7963 off_nl_nosnap = 3; /* 802.3+802.2 */ 7964 break; 7965 7966 case A_LLC: 7967 /* Get all LLC-encapsulated packets */ 7968 if (!is_atm) 7969 bpf_error("'llc' supported only on raw ATM"); 7970 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 7971 is_lane = 0; 7972 break; 7973 7974 default: 7975 abort(); 7976 } 7977 return b1; 7978 } 7979 7980 /* 7981 * Filtering for MTP2 messages based on li value 7982 * FISU, length is null 7983 * LSSU, length is 1 or 2 7984 * MSU, length is 3 or more 7985 */ 7986 struct block * 7987 gen_mtp2type_abbrev(type) 7988 int type; 7989 { 7990 struct block *b0, *b1; 7991 7992 switch (type) { 7993 7994 case M_FISU: 7995 if ( (linktype != DLT_MTP2) && 7996 (linktype != DLT_ERF) && 7997 (linktype != DLT_MTP2_WITH_PHDR) ) 7998 bpf_error("'fisu' supported only on MTP2"); 7999 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8000 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8001 break; 8002 8003 case M_LSSU: 8004 if ( (linktype != DLT_MTP2) && 8005 (linktype != DLT_ERF) && 8006 (linktype != DLT_MTP2_WITH_PHDR) ) 8007 bpf_error("'lssu' supported only on MTP2"); 8008 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8009 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8010 gen_and(b1, b0); 8011 break; 8012 8013 case M_MSU: 8014 if ( (linktype != DLT_MTP2) && 8015 (linktype != DLT_ERF) && 8016 (linktype != DLT_MTP2_WITH_PHDR) ) 8017 bpf_error("'msu' supported only on MTP2"); 8018 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8019 break; 8020 8021 default: 8022 abort(); 8023 } 8024 return b0; 8025 } 8026 8027 struct block * 8028 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8029 int mtp3field; 8030 bpf_u_int32 jvalue; 8031 bpf_u_int32 jtype; 8032 int reverse; 8033 { 8034 struct block *b0; 8035 bpf_u_int32 val1 , val2 , val3; 8036 8037 switch (mtp3field) { 8038 8039 case M_SIO: 8040 if (off_sio == (u_int)-1) 8041 bpf_error("'sio' supported only on SS7"); 8042 /* sio coded on 1 byte so max value 255 */ 8043 if(jvalue > 255) 8044 bpf_error("sio value %u too big; max value = 255", 8045 jvalue); 8046 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8047 (u_int)jtype, reverse, (u_int)jvalue); 8048 break; 8049 8050 case M_OPC: 8051 if (off_opc == (u_int)-1) 8052 bpf_error("'opc' supported only on SS7"); 8053 /* opc coded on 14 bits so max value 16383 */ 8054 if (jvalue > 16383) 8055 bpf_error("opc value %u too big; max value = 16383", 8056 jvalue); 8057 /* the following instructions are made to convert jvalue 8058 * to the form used to write opc in an ss7 message*/ 8059 val1 = jvalue & 0x00003c00; 8060 val1 = val1 >>10; 8061 val2 = jvalue & 0x000003fc; 8062 val2 = val2 <<6; 8063 val3 = jvalue & 0x00000003; 8064 val3 = val3 <<22; 8065 jvalue = val1 + val2 + val3; 8066 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8067 (u_int)jtype, reverse, (u_int)jvalue); 8068 break; 8069 8070 case M_DPC: 8071 if (off_dpc == (u_int)-1) 8072 bpf_error("'dpc' supported only on SS7"); 8073 /* dpc coded on 14 bits so max value 16383 */ 8074 if (jvalue > 16383) 8075 bpf_error("dpc value %u too big; max value = 16383", 8076 jvalue); 8077 /* the following instructions are made to convert jvalue 8078 * to the forme used to write dpc in an ss7 message*/ 8079 val1 = jvalue & 0x000000ff; 8080 val1 = val1 << 24; 8081 val2 = jvalue & 0x00003f00; 8082 val2 = val2 << 8; 8083 jvalue = val1 + val2; 8084 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8085 (u_int)jtype, reverse, (u_int)jvalue); 8086 break; 8087 8088 case M_SLS: 8089 if (off_sls == (u_int)-1) 8090 bpf_error("'sls' supported only on SS7"); 8091 /* sls coded on 4 bits so max value 15 */ 8092 if (jvalue > 15) 8093 bpf_error("sls value %u too big; max value = 15", 8094 jvalue); 8095 /* the following instruction is made to convert jvalue 8096 * to the forme used to write sls in an ss7 message*/ 8097 jvalue = jvalue << 4; 8098 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8099 (u_int)jtype,reverse, (u_int)jvalue); 8100 break; 8101 8102 default: 8103 abort(); 8104 } 8105 return b0; 8106 } 8107 8108 static struct block * 8109 gen_msg_abbrev(type) 8110 int type; 8111 { 8112 struct block *b1; 8113 8114 /* 8115 * Q.2931 signalling protocol messages for handling virtual circuits 8116 * establishment and teardown 8117 */ 8118 switch (type) { 8119 8120 case A_SETUP: 8121 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8122 break; 8123 8124 case A_CALLPROCEED: 8125 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8126 break; 8127 8128 case A_CONNECT: 8129 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8130 break; 8131 8132 case A_CONNECTACK: 8133 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8134 break; 8135 8136 case A_RELEASE: 8137 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8138 break; 8139 8140 case A_RELEASE_DONE: 8141 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8142 break; 8143 8144 default: 8145 abort(); 8146 } 8147 return b1; 8148 } 8149 8150 struct block * 8151 gen_atmmulti_abbrev(type) 8152 int type; 8153 { 8154 struct block *b0, *b1; 8155 8156 switch (type) { 8157 8158 case A_OAM: 8159 if (!is_atm) 8160 bpf_error("'oam' supported only on raw ATM"); 8161 b1 = gen_atmmulti_abbrev(A_OAMF4); 8162 break; 8163 8164 case A_OAMF4: 8165 if (!is_atm) 8166 bpf_error("'oamf4' supported only on raw ATM"); 8167 /* OAM F4 type */ 8168 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8169 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8170 gen_or(b0, b1); 8171 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8172 gen_and(b0, b1); 8173 break; 8174 8175 case A_CONNECTMSG: 8176 /* 8177 * Get Q.2931 signalling messages for switched 8178 * virtual connection 8179 */ 8180 if (!is_atm) 8181 bpf_error("'connectmsg' supported only on raw ATM"); 8182 b0 = gen_msg_abbrev(A_SETUP); 8183 b1 = gen_msg_abbrev(A_CALLPROCEED); 8184 gen_or(b0, b1); 8185 b0 = gen_msg_abbrev(A_CONNECT); 8186 gen_or(b0, b1); 8187 b0 = gen_msg_abbrev(A_CONNECTACK); 8188 gen_or(b0, b1); 8189 b0 = gen_msg_abbrev(A_RELEASE); 8190 gen_or(b0, b1); 8191 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8192 gen_or(b0, b1); 8193 b0 = gen_atmtype_abbrev(A_SC); 8194 gen_and(b0, b1); 8195 break; 8196 8197 case A_METACONNECT: 8198 if (!is_atm) 8199 bpf_error("'metaconnect' supported only on raw ATM"); 8200 b0 = gen_msg_abbrev(A_SETUP); 8201 b1 = gen_msg_abbrev(A_CALLPROCEED); 8202 gen_or(b0, b1); 8203 b0 = gen_msg_abbrev(A_CONNECT); 8204 gen_or(b0, b1); 8205 b0 = gen_msg_abbrev(A_RELEASE); 8206 gen_or(b0, b1); 8207 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8208 gen_or(b0, b1); 8209 b0 = gen_atmtype_abbrev(A_METAC); 8210 gen_and(b0, b1); 8211 break; 8212 8213 default: 8214 abort(); 8215 } 8216 return b1; 8217 } 8218