1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 23 #ifdef HAVE_CONFIG_H 24 #include <config.h> 25 #endif 26 27 #include <pcap-types.h> 28 #ifdef _WIN32 29 #include <ws2tcpip.h> 30 #else 31 #include <sys/socket.h> 32 33 #ifdef __NetBSD__ 34 #include <sys/param.h> 35 #endif 36 37 #include <netinet/in.h> 38 #include <arpa/inet.h> 39 #endif /* _WIN32 */ 40 41 #include <stdlib.h> 42 #include <string.h> 43 #include <memory.h> 44 #include <setjmp.h> 45 #include <stdarg.h> 46 47 #ifdef MSDOS 48 #include "pcap-dos.h" 49 #endif 50 51 #include "pcap-int.h" 52 53 #include "extract.h" 54 55 #include "ethertype.h" 56 #include "nlpid.h" 57 #include "llc.h" 58 #include "gencode.h" 59 #include "ieee80211.h" 60 #include "atmuni31.h" 61 #include "sunatmpos.h" 62 #include "ppp.h" 63 #include "pcap/sll.h" 64 #include "pcap/ipnet.h" 65 #include "arcnet.h" 66 67 #include "grammar.h" 68 #include "scanner.h" 69 70 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 71 #include <linux/types.h> 72 #include <linux/if_packet.h> 73 #include <linux/filter.h> 74 #endif 75 76 #ifdef HAVE_NET_PFVAR_H 77 #include <sys/socket.h> 78 #include <net/if.h> 79 #include <net/pfvar.h> 80 #include <net/if_pflog.h> 81 #endif 82 83 #ifndef offsetof 84 #define offsetof(s, e) ((size_t)&((s *)0)->e) 85 #endif 86 87 #ifdef _WIN32 88 #ifdef INET6 89 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) 90 /* IPv6 address */ 91 struct in6_addr 92 { 93 union 94 { 95 uint8_t u6_addr8[16]; 96 uint16_t u6_addr16[8]; 97 uint32_t u6_addr32[4]; 98 } in6_u; 99 #define s6_addr in6_u.u6_addr8 100 #define s6_addr16 in6_u.u6_addr16 101 #define s6_addr32 in6_u.u6_addr32 102 #define s6_addr64 in6_u.u6_addr64 103 }; 104 105 typedef unsigned short sa_family_t; 106 107 #define __SOCKADDR_COMMON(sa_prefix) \ 108 sa_family_t sa_prefix##family 109 110 /* Ditto, for IPv6. */ 111 struct sockaddr_in6 112 { 113 __SOCKADDR_COMMON (sin6_); 114 uint16_t sin6_port; /* Transport layer port # */ 115 uint32_t sin6_flowinfo; /* IPv6 flow information */ 116 struct in6_addr sin6_addr; /* IPv6 address */ 117 }; 118 119 #ifndef EAI_ADDRFAMILY 120 struct addrinfo { 121 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ 122 int ai_family; /* PF_xxx */ 123 int ai_socktype; /* SOCK_xxx */ 124 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ 125 size_t ai_addrlen; /* length of ai_addr */ 126 char *ai_canonname; /* canonical name for hostname */ 127 struct sockaddr *ai_addr; /* binary address */ 128 struct addrinfo *ai_next; /* next structure in linked list */ 129 }; 130 #endif /* EAI_ADDRFAMILY */ 131 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */ 132 #endif /* INET6 */ 133 #else /* _WIN32 */ 134 #include <netdb.h> /* for "struct addrinfo" */ 135 #endif /* _WIN32 */ 136 #include <pcap/namedb.h> 137 138 #include "nametoaddr.h" 139 140 #define ETHERMTU 1500 141 142 #ifndef ETHERTYPE_TEB 143 #define ETHERTYPE_TEB 0x6558 144 #endif 145 146 #ifndef IPPROTO_HOPOPTS 147 #define IPPROTO_HOPOPTS 0 148 #endif 149 #ifndef IPPROTO_ROUTING 150 #define IPPROTO_ROUTING 43 151 #endif 152 #ifndef IPPROTO_FRAGMENT 153 #define IPPROTO_FRAGMENT 44 154 #endif 155 #ifndef IPPROTO_DSTOPTS 156 #define IPPROTO_DSTOPTS 60 157 #endif 158 #ifndef IPPROTO_SCTP 159 #define IPPROTO_SCTP 132 160 #endif 161 162 #define GENEVE_PORT 6081 163 164 #ifdef HAVE_OS_PROTO_H 165 #include "os-proto.h" 166 #endif 167 168 #define JMP(c) ((c)|BPF_JMP|BPF_K) 169 170 /* 171 * "Push" the current value of the link-layer header type and link-layer 172 * header offset onto a "stack", and set a new value. (It's not a 173 * full-blown stack; we keep only the top two items.) 174 */ 175 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \ 176 { \ 177 (cs)->prevlinktype = (cs)->linktype; \ 178 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \ 179 (cs)->linktype = (new_linktype); \ 180 (cs)->off_linkhdr.is_variable = (new_is_variable); \ 181 (cs)->off_linkhdr.constant_part = (new_constant_part); \ 182 (cs)->off_linkhdr.reg = (new_reg); \ 183 (cs)->is_geneve = 0; \ 184 } 185 186 /* 187 * Offset "not set" value. 188 */ 189 #define OFFSET_NOT_SET 0xffffffffU 190 191 /* 192 * Absolute offsets, which are offsets from the beginning of the raw 193 * packet data, are, in the general case, the sum of a variable value 194 * and a constant value; the variable value may be absent, in which 195 * case the offset is only the constant value, and the constant value 196 * may be zero, in which case the offset is only the variable value. 197 * 198 * bpf_abs_offset is a structure containing all that information: 199 * 200 * is_variable is 1 if there's a variable part. 201 * 202 * constant_part is the constant part of the value, possibly zero; 203 * 204 * if is_variable is 1, reg is the register number for a register 205 * containing the variable value if the register has been assigned, 206 * and -1 otherwise. 207 */ 208 typedef struct { 209 int is_variable; 210 u_int constant_part; 211 int reg; 212 } bpf_abs_offset; 213 214 /* 215 * Value passed to gen_load_a() to indicate what the offset argument 216 * is relative to the beginning of. 217 */ 218 enum e_offrel { 219 OR_PACKET, /* full packet data */ 220 OR_LINKHDR, /* link-layer header */ 221 OR_PREVLINKHDR, /* previous link-layer header */ 222 OR_LLC, /* 802.2 LLC header */ 223 OR_PREVMPLSHDR, /* previous MPLS header */ 224 OR_LINKTYPE, /* link-layer type */ 225 OR_LINKPL, /* link-layer payload */ 226 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */ 227 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */ 228 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */ 229 }; 230 231 /* 232 * We divy out chunks of memory rather than call malloc each time so 233 * we don't have to worry about leaking memory. It's probably 234 * not a big deal if all this memory was wasted but if this ever 235 * goes into a library that would probably not be a good idea. 236 * 237 * XXX - this *is* in a library.... 238 */ 239 #define NCHUNKS 16 240 #define CHUNK0SIZE 1024 241 struct chunk { 242 size_t n_left; 243 void *m; 244 }; 245 246 /* Code generator state */ 247 248 struct _compiler_state { 249 jmp_buf top_ctx; 250 pcap_t *bpf_pcap; 251 252 struct icode ic; 253 254 int snaplen; 255 256 int linktype; 257 int prevlinktype; 258 int outermostlinktype; 259 260 bpf_u_int32 netmask; 261 int no_optimize; 262 263 /* Hack for handling VLAN and MPLS stacks. */ 264 u_int label_stack_depth; 265 u_int vlan_stack_depth; 266 267 /* XXX */ 268 u_int pcap_fddipad; 269 270 /* 271 * As errors are handled by a longjmp, anything allocated must 272 * be freed in the longjmp handler, so it must be reachable 273 * from that handler. 274 * 275 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 276 * it must be freed with freeaddrinfo(). This variable points to 277 * any addrinfo structure that would need to be freed. 278 */ 279 struct addrinfo *ai; 280 281 /* 282 * Another thing that's allocated is the result of pcap_ether_aton(); 283 * it must be freed with free(). This variable points to any 284 * address that would need to be freed. 285 */ 286 u_char *e; 287 288 /* 289 * Various code constructs need to know the layout of the packet. 290 * These values give the necessary offsets from the beginning 291 * of the packet data. 292 */ 293 294 /* 295 * Absolute offset of the beginning of the link-layer header. 296 */ 297 bpf_abs_offset off_linkhdr; 298 299 /* 300 * If we're checking a link-layer header for a packet encapsulated 301 * in another protocol layer, this is the equivalent information 302 * for the previous layers' link-layer header from the beginning 303 * of the raw packet data. 304 */ 305 bpf_abs_offset off_prevlinkhdr; 306 307 /* 308 * This is the equivalent information for the outermost layers' 309 * link-layer header. 310 */ 311 bpf_abs_offset off_outermostlinkhdr; 312 313 /* 314 * Absolute offset of the beginning of the link-layer payload. 315 */ 316 bpf_abs_offset off_linkpl; 317 318 /* 319 * "off_linktype" is the offset to information in the link-layer 320 * header giving the packet type. This is an absolute offset 321 * from the beginning of the packet. 322 * 323 * For Ethernet, it's the offset of the Ethernet type field; this 324 * means that it must have a value that skips VLAN tags. 325 * 326 * For link-layer types that always use 802.2 headers, it's the 327 * offset of the LLC header; this means that it must have a value 328 * that skips VLAN tags. 329 * 330 * For PPP, it's the offset of the PPP type field. 331 * 332 * For Cisco HDLC, it's the offset of the CHDLC type field. 333 * 334 * For BSD loopback, it's the offset of the AF_ value. 335 * 336 * For Linux cooked sockets, it's the offset of the type field. 337 * 338 * off_linktype.constant_part is set to OFFSET_NOT_SET for no 339 * encapsulation, in which case, IP is assumed. 340 */ 341 bpf_abs_offset off_linktype; 342 343 /* 344 * TRUE if the link layer includes an ATM pseudo-header. 345 */ 346 int is_atm; 347 348 /* 349 * TRUE if "geneve" appeared in the filter; it causes us to 350 * generate code that checks for a Geneve header and assume 351 * that later filters apply to the encapsulated payload. 352 */ 353 int is_geneve; 354 355 /* 356 * TRUE if we need variable length part of VLAN offset 357 */ 358 int is_vlan_vloffset; 359 360 /* 361 * These are offsets for the ATM pseudo-header. 362 */ 363 u_int off_vpi; 364 u_int off_vci; 365 u_int off_proto; 366 367 /* 368 * These are offsets for the MTP2 fields. 369 */ 370 u_int off_li; 371 u_int off_li_hsl; 372 373 /* 374 * These are offsets for the MTP3 fields. 375 */ 376 u_int off_sio; 377 u_int off_opc; 378 u_int off_dpc; 379 u_int off_sls; 380 381 /* 382 * This is the offset of the first byte after the ATM pseudo_header, 383 * or -1 if there is no ATM pseudo-header. 384 */ 385 u_int off_payload; 386 387 /* 388 * These are offsets to the beginning of the network-layer header. 389 * They are relative to the beginning of the link-layer payload 390 * (i.e., they don't include off_linkhdr.constant_part or 391 * off_linkpl.constant_part). 392 * 393 * If the link layer never uses 802.2 LLC: 394 * 395 * "off_nl" and "off_nl_nosnap" are the same. 396 * 397 * If the link layer always uses 802.2 LLC: 398 * 399 * "off_nl" is the offset if there's a SNAP header following 400 * the 802.2 header; 401 * 402 * "off_nl_nosnap" is the offset if there's no SNAP header. 403 * 404 * If the link layer is Ethernet: 405 * 406 * "off_nl" is the offset if the packet is an Ethernet II packet 407 * (we assume no 802.3+802.2+SNAP); 408 * 409 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 410 * with an 802.2 header following it. 411 */ 412 u_int off_nl; 413 u_int off_nl_nosnap; 414 415 /* 416 * Here we handle simple allocation of the scratch registers. 417 * If too many registers are alloc'd, the allocator punts. 418 */ 419 int regused[BPF_MEMWORDS]; 420 int curreg; 421 422 /* 423 * Memory chunks. 424 */ 425 struct chunk chunks[NCHUNKS]; 426 int cur_chunk; 427 }; 428 429 /* 430 * For use by routines outside this file. 431 */ 432 /* VARARGS */ 433 void 434 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...) 435 { 436 va_list ap; 437 438 va_start(ap, fmt); 439 (void)pcap_vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE, 440 fmt, ap); 441 va_end(ap); 442 } 443 444 /* 445 * For use *ONLY* in routines in this file. 446 */ 447 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...) 448 PCAP_PRINTFLIKE(2, 3); 449 450 /* VARARGS */ 451 static void PCAP_NORETURN 452 bpf_error(compiler_state_t *cstate, const char *fmt, ...) 453 { 454 va_list ap; 455 456 va_start(ap, fmt); 457 (void)pcap_vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE, 458 fmt, ap); 459 va_end(ap); 460 longjmp(cstate->top_ctx, 1); 461 /*NOTREACHED*/ 462 } 463 464 static int init_linktype(compiler_state_t *, pcap_t *); 465 466 static void init_regs(compiler_state_t *); 467 static int alloc_reg(compiler_state_t *); 468 static void free_reg(compiler_state_t *, int); 469 470 static void initchunks(compiler_state_t *cstate); 471 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t); 472 static void *newchunk(compiler_state_t *cstate, size_t); 473 static void freechunks(compiler_state_t *cstate); 474 static inline struct block *new_block(compiler_state_t *cstate, int); 475 static inline struct slist *new_stmt(compiler_state_t *cstate, int); 476 static struct block *gen_retblk(compiler_state_t *cstate, int); 477 static inline void syntax(compiler_state_t *cstate); 478 479 static void backpatch(struct block *, struct block *); 480 static void merge(struct block *, struct block *); 481 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int, 482 u_int, bpf_int32); 483 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int, 484 u_int, bpf_int32); 485 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int, 486 u_int, bpf_int32); 487 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int, 488 u_int, bpf_int32); 489 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int, 490 u_int, bpf_int32); 491 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int, 492 u_int, bpf_int32, bpf_u_int32); 493 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int, 494 u_int, const u_char *); 495 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32, 496 bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32); 497 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *, 498 u_int, u_int); 499 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int, 500 u_int); 501 static struct slist *gen_loadx_iphdrlen(compiler_state_t *); 502 static struct block *gen_uncond(compiler_state_t *, int); 503 static inline struct block *gen_true(compiler_state_t *); 504 static inline struct block *gen_false(compiler_state_t *); 505 static struct block *gen_ether_linktype(compiler_state_t *, int); 506 static struct block *gen_ipnet_linktype(compiler_state_t *, int); 507 static struct block *gen_linux_sll_linktype(compiler_state_t *, int); 508 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *); 509 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *); 510 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *); 511 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *); 512 static void insert_compute_vloffsets(compiler_state_t *, struct block *); 513 static struct slist *gen_abs_offset_varpart(compiler_state_t *, 514 bpf_abs_offset *); 515 static int ethertype_to_ppptype(int); 516 static struct block *gen_linktype(compiler_state_t *, int); 517 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32); 518 static struct block *gen_llc_linktype(compiler_state_t *, int); 519 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32, 520 int, int, u_int, u_int); 521 #ifdef INET6 522 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *, 523 struct in6_addr *, int, int, u_int, u_int); 524 #endif 525 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int); 526 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int); 527 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int); 528 static struct block *gen_thostop(compiler_state_t *, const u_char *, int); 529 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int); 530 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int); 531 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int); 532 static struct block *gen_mpls_linktype(compiler_state_t *, int); 533 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32, 534 int, int, int); 535 #ifdef INET6 536 static struct block *gen_host6(compiler_state_t *, struct in6_addr *, 537 struct in6_addr *, int, int, int); 538 #endif 539 #ifndef INET6 540 static struct block *gen_gateway(compiler_state_t *, const u_char *, 541 struct addrinfo *, int, int); 542 #endif 543 static struct block *gen_ipfrag(compiler_state_t *); 544 static struct block *gen_portatom(compiler_state_t *, int, bpf_int32); 545 static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32, 546 bpf_int32); 547 static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32); 548 static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32, 549 bpf_int32); 550 struct block *gen_portop(compiler_state_t *, int, int, int); 551 static struct block *gen_port(compiler_state_t *, int, int, int); 552 struct block *gen_portrangeop(compiler_state_t *, int, int, int, int); 553 static struct block *gen_portrange(compiler_state_t *, int, int, int, int); 554 struct block *gen_portop6(compiler_state_t *, int, int, int); 555 static struct block *gen_port6(compiler_state_t *, int, int, int); 556 struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int); 557 static struct block *gen_portrange6(compiler_state_t *, int, int, int, int); 558 static int lookup_proto(compiler_state_t *, const char *, int); 559 static struct block *gen_protochain(compiler_state_t *, int, int, int); 560 static struct block *gen_proto(compiler_state_t *, int, int, int); 561 static struct slist *xfer_to_x(compiler_state_t *, struct arth *); 562 static struct slist *xfer_to_a(compiler_state_t *, struct arth *); 563 static struct block *gen_mac_multicast(compiler_state_t *, int); 564 static struct block *gen_len(compiler_state_t *, int, int); 565 static struct block *gen_check_802_11_data_frame(compiler_state_t *); 566 static struct block *gen_geneve_ll_check(compiler_state_t *cstate); 567 568 static struct block *gen_ppi_dlt_check(compiler_state_t *); 569 static struct block *gen_atmfield_code_internal(compiler_state_t *, int, 570 bpf_int32, bpf_u_int32, int); 571 static struct block *gen_atmtype_llc(compiler_state_t *); 572 static struct block *gen_msg_abbrev(compiler_state_t *, int type); 573 574 static void 575 initchunks(compiler_state_t *cstate) 576 { 577 int i; 578 579 for (i = 0; i < NCHUNKS; i++) { 580 cstate->chunks[i].n_left = 0; 581 cstate->chunks[i].m = NULL; 582 } 583 cstate->cur_chunk = 0; 584 } 585 586 static void * 587 newchunk_nolongjmp(compiler_state_t *cstate, size_t n) 588 { 589 struct chunk *cp; 590 int k; 591 size_t size; 592 593 #ifndef __NetBSD__ 594 /* XXX Round up to nearest long. */ 595 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 596 #else 597 /* XXX Round up to structure boundary. */ 598 n = ALIGN(n); 599 #endif 600 601 cp = &cstate->chunks[cstate->cur_chunk]; 602 if (n > cp->n_left) { 603 ++cp; 604 k = ++cstate->cur_chunk; 605 if (k >= NCHUNKS) { 606 bpf_set_error(cstate, "out of memory"); 607 return (NULL); 608 } 609 size = CHUNK0SIZE << k; 610 cp->m = (void *)malloc(size); 611 if (cp->m == NULL) { 612 bpf_set_error(cstate, "out of memory"); 613 return (NULL); 614 } 615 memset((char *)cp->m, 0, size); 616 cp->n_left = size; 617 if (n > size) { 618 bpf_set_error(cstate, "out of memory"); 619 return (NULL); 620 } 621 } 622 cp->n_left -= n; 623 return (void *)((char *)cp->m + cp->n_left); 624 } 625 626 static void * 627 newchunk(compiler_state_t *cstate, size_t n) 628 { 629 void *p; 630 631 p = newchunk_nolongjmp(cstate, n); 632 if (p == NULL) { 633 longjmp(cstate->top_ctx, 1); 634 /*NOTREACHED*/ 635 } 636 return (p); 637 } 638 639 static void 640 freechunks(compiler_state_t *cstate) 641 { 642 int i; 643 644 for (i = 0; i < NCHUNKS; ++i) 645 if (cstate->chunks[i].m != NULL) 646 free(cstate->chunks[i].m); 647 } 648 649 /* 650 * A strdup whose allocations are freed after code generation is over. 651 * This is used by the lexical analyzer, so it can't longjmp; it just 652 * returns NULL on an allocation error, and the callers must check 653 * for it. 654 */ 655 char * 656 sdup(compiler_state_t *cstate, const char *s) 657 { 658 size_t n = strlen(s) + 1; 659 char *cp = newchunk_nolongjmp(cstate, n); 660 661 if (cp == NULL) 662 return (NULL); 663 pcap_strlcpy(cp, s, n); 664 return (cp); 665 } 666 667 static inline struct block * 668 new_block(compiler_state_t *cstate, int code) 669 { 670 struct block *p; 671 672 p = (struct block *)newchunk(cstate, sizeof(*p)); 673 p->s.code = code; 674 p->head = p; 675 676 return p; 677 } 678 679 static inline struct slist * 680 new_stmt(compiler_state_t *cstate, int code) 681 { 682 struct slist *p; 683 684 p = (struct slist *)newchunk(cstate, sizeof(*p)); 685 p->s.code = code; 686 687 return p; 688 } 689 690 static struct block * 691 gen_retblk(compiler_state_t *cstate, int v) 692 { 693 struct block *b = new_block(cstate, BPF_RET|BPF_K); 694 695 b->s.k = v; 696 return b; 697 } 698 699 static inline PCAP_NORETURN_DEF void 700 syntax(compiler_state_t *cstate) 701 { 702 bpf_error(cstate, "syntax error in filter expression"); 703 } 704 705 int 706 pcap_compile(pcap_t *p, struct bpf_program *program, 707 const char *buf, int optimize, bpf_u_int32 mask) 708 { 709 #ifdef _WIN32 710 static int done = 0; 711 #endif 712 compiler_state_t cstate; 713 const char * volatile xbuf = buf; 714 yyscan_t scanner = NULL; 715 volatile YY_BUFFER_STATE in_buffer = NULL; 716 u_int len; 717 int rc; 718 719 /* 720 * If this pcap_t hasn't been activated, it doesn't have a 721 * link-layer type, so we can't use it. 722 */ 723 if (!p->activated) { 724 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 725 "not-yet-activated pcap_t passed to pcap_compile"); 726 return (-1); 727 } 728 729 #ifdef _WIN32 730 if (!done) 731 pcap_wsockinit(); 732 done = 1; 733 #endif 734 735 #ifdef ENABLE_REMOTE 736 /* 737 * If the device on which we're capturing need to be notified 738 * that a new filter is being compiled, do so. 739 * 740 * This allows them to save a copy of it, in case, for example, 741 * they're implementing a form of remote packet capture, and 742 * want the remote machine to filter out the packets in which 743 * it's sending the packets it's captured. 744 * 745 * XXX - the fact that we happen to be compiling a filter 746 * doesn't necessarily mean we'll be installing it as the 747 * filter for this pcap_t; we might be running it from userland 748 * on captured packets to do packet classification. We really 749 * need a better way of handling this, but this is all that 750 * the WinPcap remote capture code did. 751 */ 752 if (p->save_current_filter_op != NULL) 753 (p->save_current_filter_op)(p, buf); 754 #endif 755 756 initchunks(&cstate); 757 cstate.no_optimize = 0; 758 #ifdef INET6 759 cstate.ai = NULL; 760 #endif 761 cstate.e = NULL; 762 cstate.ic.root = NULL; 763 cstate.ic.cur_mark = 0; 764 cstate.bpf_pcap = p; 765 init_regs(&cstate); 766 767 cstate.netmask = mask; 768 769 cstate.snaplen = pcap_snapshot(p); 770 if (cstate.snaplen == 0) { 771 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 772 "snaplen of 0 rejects all packets"); 773 rc = -1; 774 goto quit; 775 } 776 777 if (pcap_lex_init(&scanner) != 0) 778 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 779 errno, "can't initialize scanner"); 780 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner); 781 782 /* 783 * Associate the compiler state with the lexical analyzer 784 * state. 785 */ 786 pcap_set_extra(&cstate, scanner); 787 788 if (init_linktype(&cstate, p) == -1) { 789 rc = -1; 790 goto quit; 791 } 792 if (pcap_parse(scanner, &cstate) != 0) { 793 #ifdef INET6 794 if (cstate.ai != NULL) 795 freeaddrinfo(cstate.ai); 796 #endif 797 if (cstate.e != NULL) 798 free(cstate.e); 799 rc = -1; 800 goto quit; 801 } 802 803 if (cstate.ic.root == NULL) { 804 /* 805 * Catch errors reported by gen_retblk(). 806 */ 807 if (setjmp(cstate.top_ctx)) { 808 rc = -1; 809 goto quit; 810 } 811 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen); 812 } 813 814 if (optimize && !cstate.no_optimize) { 815 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) { 816 /* Failure */ 817 rc = -1; 818 goto quit; 819 } 820 if (cstate.ic.root == NULL || 821 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) { 822 (void)pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 823 "expression rejects all packets"); 824 rc = -1; 825 goto quit; 826 } 827 } 828 program->bf_insns = icode_to_fcode(&cstate.ic, 829 cstate.ic.root, &len, p->errbuf); 830 if (program->bf_insns == NULL) { 831 /* Failure */ 832 rc = -1; 833 goto quit; 834 } 835 program->bf_len = len; 836 837 rc = 0; /* We're all okay */ 838 839 quit: 840 /* 841 * Clean up everything for the lexical analyzer. 842 */ 843 if (in_buffer != NULL) 844 pcap__delete_buffer(in_buffer, scanner); 845 if (scanner != NULL) 846 pcap_lex_destroy(scanner); 847 848 /* 849 * Clean up our own allocated memory. 850 */ 851 freechunks(&cstate); 852 853 return (rc); 854 } 855 856 /* 857 * entry point for using the compiler with no pcap open 858 * pass in all the stuff that is needed explicitly instead. 859 */ 860 int 861 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 862 struct bpf_program *program, 863 const char *buf, int optimize, bpf_u_int32 mask) 864 { 865 pcap_t *p; 866 int ret; 867 868 p = pcap_open_dead(linktype_arg, snaplen_arg); 869 if (p == NULL) 870 return (-1); 871 ret = pcap_compile(p, program, buf, optimize, mask); 872 pcap_close(p); 873 return (ret); 874 } 875 876 /* 877 * Clean up a "struct bpf_program" by freeing all the memory allocated 878 * in it. 879 */ 880 void 881 pcap_freecode(struct bpf_program *program) 882 { 883 program->bf_len = 0; 884 if (program->bf_insns != NULL) { 885 free((char *)program->bf_insns); 886 program->bf_insns = NULL; 887 } 888 } 889 890 /* 891 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 892 * which of the jt and jf fields has been resolved and which is a pointer 893 * back to another unresolved block (or nil). At least one of the fields 894 * in each block is already resolved. 895 */ 896 static void 897 backpatch(struct block *list, struct block *target) 898 { 899 struct block *next; 900 901 while (list) { 902 if (!list->sense) { 903 next = JT(list); 904 JT(list) = target; 905 } else { 906 next = JF(list); 907 JF(list) = target; 908 } 909 list = next; 910 } 911 } 912 913 /* 914 * Merge the lists in b0 and b1, using the 'sense' field to indicate 915 * which of jt and jf is the link. 916 */ 917 static void 918 merge(struct block *b0, struct block *b1) 919 { 920 register struct block **p = &b0; 921 922 /* Find end of list. */ 923 while (*p) 924 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 925 926 /* Concatenate the lists. */ 927 *p = b1; 928 } 929 930 int 931 finish_parse(compiler_state_t *cstate, struct block *p) 932 { 933 struct block *ppi_dlt_check; 934 935 /* 936 * Catch errors reported by us and routines below us, and return -1 937 * on an error. 938 */ 939 if (setjmp(cstate->top_ctx)) 940 return (-1); 941 942 /* 943 * Insert before the statements of the first (root) block any 944 * statements needed to load the lengths of any variable-length 945 * headers into registers. 946 * 947 * XXX - a fancier strategy would be to insert those before the 948 * statements of all blocks that use those lengths and that 949 * have no predecessors that use them, so that we only compute 950 * the lengths if we need them. There might be even better 951 * approaches than that. 952 * 953 * However, those strategies would be more complicated, and 954 * as we don't generate code to compute a length if the 955 * program has no tests that use the length, and as most 956 * tests will probably use those lengths, we would just 957 * postpone computing the lengths so that it's not done 958 * for tests that fail early, and it's not clear that's 959 * worth the effort. 960 */ 961 insert_compute_vloffsets(cstate, p->head); 962 963 /* 964 * For DLT_PPI captures, generate a check of the per-packet 965 * DLT value to make sure it's DLT_IEEE802_11. 966 * 967 * XXX - TurboCap cards use DLT_PPI for Ethernet. 968 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header 969 * with appropriate Ethernet information and use that rather 970 * than using something such as DLT_PPI where you don't know 971 * the link-layer header type until runtime, which, in the 972 * general case, would force us to generate both Ethernet *and* 973 * 802.11 code (*and* anything else for which PPI is used) 974 * and choose between them early in the BPF program? 975 */ 976 ppi_dlt_check = gen_ppi_dlt_check(cstate); 977 if (ppi_dlt_check != NULL) 978 gen_and(ppi_dlt_check, p); 979 980 backpatch(p, gen_retblk(cstate, cstate->snaplen)); 981 p->sense = !p->sense; 982 backpatch(p, gen_retblk(cstate, 0)); 983 cstate->ic.root = p->head; 984 return (0); 985 } 986 987 void 988 gen_and(struct block *b0, struct block *b1) 989 { 990 backpatch(b0, b1->head); 991 b0->sense = !b0->sense; 992 b1->sense = !b1->sense; 993 merge(b1, b0); 994 b1->sense = !b1->sense; 995 b1->head = b0->head; 996 } 997 998 void 999 gen_or(struct block *b0, struct block *b1) 1000 { 1001 b0->sense = !b0->sense; 1002 backpatch(b0, b1->head); 1003 b0->sense = !b0->sense; 1004 merge(b1, b0); 1005 b1->head = b0->head; 1006 } 1007 1008 void 1009 gen_not(struct block *b) 1010 { 1011 b->sense = !b->sense; 1012 } 1013 1014 static struct block * 1015 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1016 u_int size, bpf_int32 v) 1017 { 1018 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 1019 } 1020 1021 static struct block * 1022 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1023 u_int size, bpf_int32 v) 1024 { 1025 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 1026 } 1027 1028 static struct block * 1029 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1030 u_int size, bpf_int32 v) 1031 { 1032 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 1033 } 1034 1035 static struct block * 1036 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1037 u_int size, bpf_int32 v) 1038 { 1039 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 1040 } 1041 1042 static struct block * 1043 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1044 u_int size, bpf_int32 v) 1045 { 1046 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 1047 } 1048 1049 static struct block * 1050 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1051 u_int size, bpf_int32 v, bpf_u_int32 mask) 1052 { 1053 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v); 1054 } 1055 1056 static struct block * 1057 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1058 u_int size, const u_char *v) 1059 { 1060 register struct block *b, *tmp; 1061 1062 /* 1063 * XXX - the actual *instructions* do unsigned comparisons on 1064 * most platforms, and the load instructions don't do sign 1065 * extension, so gen_cmp() should really take an unsigned 1066 * value argument. 1067 * 1068 * As the load instructons also don't do sign-extension, we 1069 * fetch the values from the byte array as unsigned. We don't 1070 * want to use the signed versions of the extract calls. 1071 */ 1072 b = NULL; 1073 while (size >= 4) { 1074 register const u_char *p = &v[size - 4]; 1075 1076 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, 1077 (bpf_int32)EXTRACT_32BITS(p)); 1078 if (b != NULL) 1079 gen_and(b, tmp); 1080 b = tmp; 1081 size -= 4; 1082 } 1083 while (size >= 2) { 1084 register const u_char *p = &v[size - 2]; 1085 1086 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, 1087 (bpf_int32)EXTRACT_16BITS(p)); 1088 if (b != NULL) 1089 gen_and(b, tmp); 1090 b = tmp; 1091 size -= 2; 1092 } 1093 if (size > 0) { 1094 tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]); 1095 if (b != NULL) 1096 gen_and(b, tmp); 1097 b = tmp; 1098 } 1099 return b; 1100 } 1101 1102 /* 1103 * AND the field of size "size" at offset "offset" relative to the header 1104 * specified by "offrel" with "mask", and compare it with the value "v" 1105 * with the test specified by "jtype"; if "reverse" is true, the test 1106 * should test the opposite of "jtype". 1107 */ 1108 static struct block * 1109 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset, 1110 bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse, 1111 bpf_int32 v) 1112 { 1113 struct slist *s, *s2; 1114 struct block *b; 1115 1116 s = gen_load_a(cstate, offrel, offset, size); 1117 1118 if (mask != 0xffffffff) { 1119 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1120 s2->s.k = mask; 1121 sappend(s, s2); 1122 } 1123 1124 b = new_block(cstate, JMP(jtype)); 1125 b->stmts = s; 1126 b->s.k = v; 1127 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 1128 gen_not(b); 1129 return b; 1130 } 1131 1132 static int 1133 init_linktype(compiler_state_t *cstate, pcap_t *p) 1134 { 1135 cstate->pcap_fddipad = p->fddipad; 1136 1137 /* 1138 * We start out with only one link-layer header. 1139 */ 1140 cstate->outermostlinktype = pcap_datalink(p); 1141 cstate->off_outermostlinkhdr.constant_part = 0; 1142 cstate->off_outermostlinkhdr.is_variable = 0; 1143 cstate->off_outermostlinkhdr.reg = -1; 1144 1145 cstate->prevlinktype = cstate->outermostlinktype; 1146 cstate->off_prevlinkhdr.constant_part = 0; 1147 cstate->off_prevlinkhdr.is_variable = 0; 1148 cstate->off_prevlinkhdr.reg = -1; 1149 1150 cstate->linktype = cstate->outermostlinktype; 1151 cstate->off_linkhdr.constant_part = 0; 1152 cstate->off_linkhdr.is_variable = 0; 1153 cstate->off_linkhdr.reg = -1; 1154 1155 /* 1156 * XXX 1157 */ 1158 cstate->off_linkpl.constant_part = 0; 1159 cstate->off_linkpl.is_variable = 0; 1160 cstate->off_linkpl.reg = -1; 1161 1162 cstate->off_linktype.constant_part = 0; 1163 cstate->off_linktype.is_variable = 0; 1164 cstate->off_linktype.reg = -1; 1165 1166 /* 1167 * Assume it's not raw ATM with a pseudo-header, for now. 1168 */ 1169 cstate->is_atm = 0; 1170 cstate->off_vpi = OFFSET_NOT_SET; 1171 cstate->off_vci = OFFSET_NOT_SET; 1172 cstate->off_proto = OFFSET_NOT_SET; 1173 cstate->off_payload = OFFSET_NOT_SET; 1174 1175 /* 1176 * And not Geneve. 1177 */ 1178 cstate->is_geneve = 0; 1179 1180 /* 1181 * No variable length VLAN offset by default 1182 */ 1183 cstate->is_vlan_vloffset = 0; 1184 1185 /* 1186 * And assume we're not doing SS7. 1187 */ 1188 cstate->off_li = OFFSET_NOT_SET; 1189 cstate->off_li_hsl = OFFSET_NOT_SET; 1190 cstate->off_sio = OFFSET_NOT_SET; 1191 cstate->off_opc = OFFSET_NOT_SET; 1192 cstate->off_dpc = OFFSET_NOT_SET; 1193 cstate->off_sls = OFFSET_NOT_SET; 1194 1195 cstate->label_stack_depth = 0; 1196 cstate->vlan_stack_depth = 0; 1197 1198 switch (cstate->linktype) { 1199 1200 case DLT_ARCNET: 1201 cstate->off_linktype.constant_part = 2; 1202 cstate->off_linkpl.constant_part = 6; 1203 cstate->off_nl = 0; /* XXX in reality, variable! */ 1204 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1205 break; 1206 1207 case DLT_ARCNET_LINUX: 1208 cstate->off_linktype.constant_part = 4; 1209 cstate->off_linkpl.constant_part = 8; 1210 cstate->off_nl = 0; /* XXX in reality, variable! */ 1211 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1212 break; 1213 1214 case DLT_EN10MB: 1215 cstate->off_linktype.constant_part = 12; 1216 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */ 1217 cstate->off_nl = 0; /* Ethernet II */ 1218 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1219 break; 1220 1221 case DLT_SLIP: 1222 /* 1223 * SLIP doesn't have a link level type. The 16 byte 1224 * header is hacked into our SLIP driver. 1225 */ 1226 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1227 cstate->off_linkpl.constant_part = 16; 1228 cstate->off_nl = 0; 1229 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1230 break; 1231 1232 case DLT_SLIP_BSDOS: 1233 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1234 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1235 /* XXX end */ 1236 cstate->off_linkpl.constant_part = 24; 1237 cstate->off_nl = 0; 1238 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1239 break; 1240 1241 case DLT_NULL: 1242 case DLT_LOOP: 1243 cstate->off_linktype.constant_part = 0; 1244 cstate->off_linkpl.constant_part = 4; 1245 cstate->off_nl = 0; 1246 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1247 break; 1248 1249 case DLT_ENC: 1250 cstate->off_linktype.constant_part = 0; 1251 cstate->off_linkpl.constant_part = 12; 1252 cstate->off_nl = 0; 1253 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1254 break; 1255 1256 case DLT_PPP: 1257 case DLT_PPP_PPPD: 1258 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1259 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1260 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */ 1261 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */ 1262 cstate->off_nl = 0; 1263 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1264 break; 1265 1266 case DLT_PPP_ETHER: 1267 /* 1268 * This does no include the Ethernet header, and 1269 * only covers session state. 1270 */ 1271 cstate->off_linktype.constant_part = 6; 1272 cstate->off_linkpl.constant_part = 8; 1273 cstate->off_nl = 0; 1274 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1275 break; 1276 1277 case DLT_PPP_BSDOS: 1278 cstate->off_linktype.constant_part = 5; 1279 cstate->off_linkpl.constant_part = 24; 1280 cstate->off_nl = 0; 1281 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1282 break; 1283 1284 case DLT_FDDI: 1285 /* 1286 * FDDI doesn't really have a link-level type field. 1287 * We set "off_linktype" to the offset of the LLC header. 1288 * 1289 * To check for Ethernet types, we assume that SSAP = SNAP 1290 * is being used and pick out the encapsulated Ethernet type. 1291 * XXX - should we generate code to check for SNAP? 1292 */ 1293 cstate->off_linktype.constant_part = 13; 1294 cstate->off_linktype.constant_part += cstate->pcap_fddipad; 1295 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */ 1296 cstate->off_linkpl.constant_part += cstate->pcap_fddipad; 1297 cstate->off_nl = 8; /* 802.2+SNAP */ 1298 cstate->off_nl_nosnap = 3; /* 802.2 */ 1299 break; 1300 1301 case DLT_IEEE802: 1302 /* 1303 * Token Ring doesn't really have a link-level type field. 1304 * We set "off_linktype" to the offset of the LLC header. 1305 * 1306 * To check for Ethernet types, we assume that SSAP = SNAP 1307 * is being used and pick out the encapsulated Ethernet type. 1308 * XXX - should we generate code to check for SNAP? 1309 * 1310 * XXX - the header is actually variable-length. 1311 * Some various Linux patched versions gave 38 1312 * as "off_linktype" and 40 as "off_nl"; however, 1313 * if a token ring packet has *no* routing 1314 * information, i.e. is not source-routed, the correct 1315 * values are 20 and 22, as they are in the vanilla code. 1316 * 1317 * A packet is source-routed iff the uppermost bit 1318 * of the first byte of the source address, at an 1319 * offset of 8, has the uppermost bit set. If the 1320 * packet is source-routed, the total number of bytes 1321 * of routing information is 2 plus bits 0x1F00 of 1322 * the 16-bit value at an offset of 14 (shifted right 1323 * 8 - figure out which byte that is). 1324 */ 1325 cstate->off_linktype.constant_part = 14; 1326 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */ 1327 cstate->off_nl = 8; /* 802.2+SNAP */ 1328 cstate->off_nl_nosnap = 3; /* 802.2 */ 1329 break; 1330 1331 case DLT_PRISM_HEADER: 1332 case DLT_IEEE802_11_RADIO_AVS: 1333 case DLT_IEEE802_11_RADIO: 1334 cstate->off_linkhdr.is_variable = 1; 1335 /* Fall through, 802.11 doesn't have a variable link 1336 * prefix but is otherwise the same. */ 1337 /* FALLTHROUGH */ 1338 1339 case DLT_IEEE802_11: 1340 /* 1341 * 802.11 doesn't really have a link-level type field. 1342 * We set "off_linktype.constant_part" to the offset of 1343 * the LLC header. 1344 * 1345 * To check for Ethernet types, we assume that SSAP = SNAP 1346 * is being used and pick out the encapsulated Ethernet type. 1347 * XXX - should we generate code to check for SNAP? 1348 * 1349 * We also handle variable-length radio headers here. 1350 * The Prism header is in theory variable-length, but in 1351 * practice it's always 144 bytes long. However, some 1352 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1353 * sometimes or always supply an AVS header, so we 1354 * have to check whether the radio header is a Prism 1355 * header or an AVS header, so, in practice, it's 1356 * variable-length. 1357 */ 1358 cstate->off_linktype.constant_part = 24; 1359 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1360 cstate->off_linkpl.is_variable = 1; 1361 cstate->off_nl = 8; /* 802.2+SNAP */ 1362 cstate->off_nl_nosnap = 3; /* 802.2 */ 1363 break; 1364 1365 case DLT_PPI: 1366 /* 1367 * At the moment we treat PPI the same way that we treat 1368 * normal Radiotap encoded packets. The difference is in 1369 * the function that generates the code at the beginning 1370 * to compute the header length. Since this code generator 1371 * of PPI supports bare 802.11 encapsulation only (i.e. 1372 * the encapsulated DLT should be DLT_IEEE802_11) we 1373 * generate code to check for this too. 1374 */ 1375 cstate->off_linktype.constant_part = 24; 1376 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1377 cstate->off_linkpl.is_variable = 1; 1378 cstate->off_linkhdr.is_variable = 1; 1379 cstate->off_nl = 8; /* 802.2+SNAP */ 1380 cstate->off_nl_nosnap = 3; /* 802.2 */ 1381 break; 1382 1383 case DLT_ATM_RFC1483: 1384 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1385 /* 1386 * assume routed, non-ISO PDUs 1387 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1388 * 1389 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1390 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1391 * latter would presumably be treated the way PPPoE 1392 * should be, so you can do "pppoe and udp port 2049" 1393 * or "pppoa and tcp port 80" and have it check for 1394 * PPPo{A,E} and a PPP protocol of IP and.... 1395 */ 1396 cstate->off_linktype.constant_part = 0; 1397 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */ 1398 cstate->off_nl = 8; /* 802.2+SNAP */ 1399 cstate->off_nl_nosnap = 3; /* 802.2 */ 1400 break; 1401 1402 case DLT_SUNATM: 1403 /* 1404 * Full Frontal ATM; you get AALn PDUs with an ATM 1405 * pseudo-header. 1406 */ 1407 cstate->is_atm = 1; 1408 cstate->off_vpi = SUNATM_VPI_POS; 1409 cstate->off_vci = SUNATM_VCI_POS; 1410 cstate->off_proto = PROTO_POS; 1411 cstate->off_payload = SUNATM_PKT_BEGIN_POS; 1412 cstate->off_linktype.constant_part = cstate->off_payload; 1413 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */ 1414 cstate->off_nl = 8; /* 802.2+SNAP */ 1415 cstate->off_nl_nosnap = 3; /* 802.2 */ 1416 break; 1417 1418 case DLT_RAW: 1419 case DLT_IPV4: 1420 case DLT_IPV6: 1421 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1422 cstate->off_linkpl.constant_part = 0; 1423 cstate->off_nl = 0; 1424 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1425 break; 1426 1427 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */ 1428 cstate->off_linktype.constant_part = 14; 1429 cstate->off_linkpl.constant_part = 16; 1430 cstate->off_nl = 0; 1431 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1432 break; 1433 1434 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */ 1435 cstate->off_linktype.constant_part = 0; 1436 cstate->off_linkpl.constant_part = 20; 1437 cstate->off_nl = 0; 1438 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1439 break; 1440 1441 case DLT_LTALK: 1442 /* 1443 * LocalTalk does have a 1-byte type field in the LLAP header, 1444 * but really it just indicates whether there is a "short" or 1445 * "long" DDP packet following. 1446 */ 1447 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1448 cstate->off_linkpl.constant_part = 0; 1449 cstate->off_nl = 0; 1450 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1451 break; 1452 1453 case DLT_IP_OVER_FC: 1454 /* 1455 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1456 * link-level type field. We set "off_linktype" to the 1457 * offset of the LLC header. 1458 * 1459 * To check for Ethernet types, we assume that SSAP = SNAP 1460 * is being used and pick out the encapsulated Ethernet type. 1461 * XXX - should we generate code to check for SNAP? RFC 1462 * 2625 says SNAP should be used. 1463 */ 1464 cstate->off_linktype.constant_part = 16; 1465 cstate->off_linkpl.constant_part = 16; 1466 cstate->off_nl = 8; /* 802.2+SNAP */ 1467 cstate->off_nl_nosnap = 3; /* 802.2 */ 1468 break; 1469 1470 case DLT_FRELAY: 1471 /* 1472 * XXX - we should set this to handle SNAP-encapsulated 1473 * frames (NLPID of 0x80). 1474 */ 1475 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1476 cstate->off_linkpl.constant_part = 0; 1477 cstate->off_nl = 0; 1478 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1479 break; 1480 1481 /* 1482 * the only BPF-interesting FRF.16 frames are non-control frames; 1483 * Frame Relay has a variable length link-layer 1484 * so lets start with offset 4 for now and increments later on (FIXME); 1485 */ 1486 case DLT_MFR: 1487 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1488 cstate->off_linkpl.constant_part = 0; 1489 cstate->off_nl = 4; 1490 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1491 break; 1492 1493 case DLT_APPLE_IP_OVER_IEEE1394: 1494 cstate->off_linktype.constant_part = 16; 1495 cstate->off_linkpl.constant_part = 18; 1496 cstate->off_nl = 0; 1497 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1498 break; 1499 1500 case DLT_SYMANTEC_FIREWALL: 1501 cstate->off_linktype.constant_part = 6; 1502 cstate->off_linkpl.constant_part = 44; 1503 cstate->off_nl = 0; /* Ethernet II */ 1504 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1505 break; 1506 1507 #ifdef HAVE_NET_PFVAR_H 1508 case DLT_PFLOG: 1509 cstate->off_linktype.constant_part = 0; 1510 cstate->off_linkpl.constant_part = PFLOG_HDRLEN; 1511 cstate->off_nl = 0; 1512 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1513 break; 1514 #endif 1515 1516 case DLT_JUNIPER_MFR: 1517 case DLT_JUNIPER_MLFR: 1518 case DLT_JUNIPER_MLPPP: 1519 case DLT_JUNIPER_PPP: 1520 case DLT_JUNIPER_CHDLC: 1521 case DLT_JUNIPER_FRELAY: 1522 cstate->off_linktype.constant_part = 4; 1523 cstate->off_linkpl.constant_part = 4; 1524 cstate->off_nl = 0; 1525 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1526 break; 1527 1528 case DLT_JUNIPER_ATM1: 1529 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */ 1530 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */ 1531 cstate->off_nl = 0; 1532 cstate->off_nl_nosnap = 10; 1533 break; 1534 1535 case DLT_JUNIPER_ATM2: 1536 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */ 1537 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */ 1538 cstate->off_nl = 0; 1539 cstate->off_nl_nosnap = 10; 1540 break; 1541 1542 /* frames captured on a Juniper PPPoE service PIC 1543 * contain raw ethernet frames */ 1544 case DLT_JUNIPER_PPPOE: 1545 case DLT_JUNIPER_ETHER: 1546 cstate->off_linkpl.constant_part = 14; 1547 cstate->off_linktype.constant_part = 16; 1548 cstate->off_nl = 18; /* Ethernet II */ 1549 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */ 1550 break; 1551 1552 case DLT_JUNIPER_PPPOE_ATM: 1553 cstate->off_linktype.constant_part = 4; 1554 cstate->off_linkpl.constant_part = 6; 1555 cstate->off_nl = 0; 1556 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1557 break; 1558 1559 case DLT_JUNIPER_GGSN: 1560 cstate->off_linktype.constant_part = 6; 1561 cstate->off_linkpl.constant_part = 12; 1562 cstate->off_nl = 0; 1563 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1564 break; 1565 1566 case DLT_JUNIPER_ES: 1567 cstate->off_linktype.constant_part = 6; 1568 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1569 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1570 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1571 break; 1572 1573 case DLT_JUNIPER_MONITOR: 1574 cstate->off_linktype.constant_part = 12; 1575 cstate->off_linkpl.constant_part = 12; 1576 cstate->off_nl = 0; /* raw IP/IP6 header */ 1577 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1578 break; 1579 1580 case DLT_BACNET_MS_TP: 1581 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1582 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1583 cstate->off_nl = OFFSET_NOT_SET; 1584 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1585 break; 1586 1587 case DLT_JUNIPER_SERVICES: 1588 cstate->off_linktype.constant_part = 12; 1589 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1590 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1591 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1592 break; 1593 1594 case DLT_JUNIPER_VP: 1595 cstate->off_linktype.constant_part = 18; 1596 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1597 cstate->off_nl = OFFSET_NOT_SET; 1598 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1599 break; 1600 1601 case DLT_JUNIPER_ST: 1602 cstate->off_linktype.constant_part = 18; 1603 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1604 cstate->off_nl = OFFSET_NOT_SET; 1605 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1606 break; 1607 1608 case DLT_JUNIPER_ISM: 1609 cstate->off_linktype.constant_part = 8; 1610 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1611 cstate->off_nl = OFFSET_NOT_SET; 1612 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1613 break; 1614 1615 case DLT_JUNIPER_VS: 1616 case DLT_JUNIPER_SRX_E2E: 1617 case DLT_JUNIPER_FIBRECHANNEL: 1618 case DLT_JUNIPER_ATM_CEMIC: 1619 cstate->off_linktype.constant_part = 8; 1620 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1621 cstate->off_nl = OFFSET_NOT_SET; 1622 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1623 break; 1624 1625 case DLT_MTP2: 1626 cstate->off_li = 2; 1627 cstate->off_li_hsl = 4; 1628 cstate->off_sio = 3; 1629 cstate->off_opc = 4; 1630 cstate->off_dpc = 4; 1631 cstate->off_sls = 7; 1632 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1633 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1634 cstate->off_nl = OFFSET_NOT_SET; 1635 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1636 break; 1637 1638 case DLT_MTP2_WITH_PHDR: 1639 cstate->off_li = 6; 1640 cstate->off_li_hsl = 8; 1641 cstate->off_sio = 7; 1642 cstate->off_opc = 8; 1643 cstate->off_dpc = 8; 1644 cstate->off_sls = 11; 1645 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1646 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1647 cstate->off_nl = OFFSET_NOT_SET; 1648 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1649 break; 1650 1651 case DLT_ERF: 1652 cstate->off_li = 22; 1653 cstate->off_li_hsl = 24; 1654 cstate->off_sio = 23; 1655 cstate->off_opc = 24; 1656 cstate->off_dpc = 24; 1657 cstate->off_sls = 27; 1658 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1659 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1660 cstate->off_nl = OFFSET_NOT_SET; 1661 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1662 break; 1663 1664 case DLT_PFSYNC: 1665 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1666 cstate->off_linkpl.constant_part = 4; 1667 cstate->off_nl = 0; 1668 cstate->off_nl_nosnap = 0; 1669 break; 1670 1671 case DLT_AX25_KISS: 1672 /* 1673 * Currently, only raw "link[N:M]" filtering is supported. 1674 */ 1675 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */ 1676 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1677 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */ 1678 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1679 break; 1680 1681 case DLT_IPNET: 1682 cstate->off_linktype.constant_part = 1; 1683 cstate->off_linkpl.constant_part = 24; /* ipnet header length */ 1684 cstate->off_nl = 0; 1685 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1686 break; 1687 1688 case DLT_NETANALYZER: 1689 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */ 1690 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1691 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */ 1692 cstate->off_nl = 0; /* Ethernet II */ 1693 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1694 break; 1695 1696 case DLT_NETANALYZER_TRANSPARENT: 1697 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1698 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1699 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */ 1700 cstate->off_nl = 0; /* Ethernet II */ 1701 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1702 break; 1703 1704 default: 1705 /* 1706 * For values in the range in which we've assigned new 1707 * DLT_ values, only raw "link[N:M]" filtering is supported. 1708 */ 1709 if (cstate->linktype >= DLT_MATCHING_MIN && 1710 cstate->linktype <= DLT_MATCHING_MAX) { 1711 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1712 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1713 cstate->off_nl = OFFSET_NOT_SET; 1714 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1715 } else { 1716 bpf_set_error(cstate, "unknown data link type %d", cstate->linktype); 1717 return (-1); 1718 } 1719 break; 1720 } 1721 1722 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr; 1723 return (0); 1724 } 1725 1726 /* 1727 * Load a value relative to the specified absolute offset. 1728 */ 1729 static struct slist * 1730 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset, 1731 u_int offset, u_int size) 1732 { 1733 struct slist *s, *s2; 1734 1735 s = gen_abs_offset_varpart(cstate, abs_offset); 1736 1737 /* 1738 * If "s" is non-null, it has code to arrange that the X register 1739 * contains the variable part of the absolute offset, so we 1740 * generate a load relative to that, with an offset of 1741 * abs_offset->constant_part + offset. 1742 * 1743 * Otherwise, we can do an absolute load with an offset of 1744 * abs_offset->constant_part + offset. 1745 */ 1746 if (s != NULL) { 1747 /* 1748 * "s" points to a list of statements that puts the 1749 * variable part of the absolute offset into the X register. 1750 * Do an indirect load, to use the X register as an offset. 1751 */ 1752 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1753 s2->s.k = abs_offset->constant_part + offset; 1754 sappend(s, s2); 1755 } else { 1756 /* 1757 * There is no variable part of the absolute offset, so 1758 * just do an absolute load. 1759 */ 1760 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1761 s->s.k = abs_offset->constant_part + offset; 1762 } 1763 return s; 1764 } 1765 1766 /* 1767 * Load a value relative to the beginning of the specified header. 1768 */ 1769 static struct slist * 1770 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1771 u_int size) 1772 { 1773 struct slist *s, *s2; 1774 1775 /* 1776 * Squelch warnings from compilers that *don't* assume that 1777 * offrel always has a valid enum value and therefore don't 1778 * assume that we'll always go through one of the case arms. 1779 * 1780 * If we have a default case, compilers that *do* assume that 1781 * will then complain about the default case code being 1782 * unreachable. 1783 * 1784 * Damned if you do, damned if you don't. 1785 */ 1786 s = NULL; 1787 1788 switch (offrel) { 1789 1790 case OR_PACKET: 1791 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1792 s->s.k = offset; 1793 break; 1794 1795 case OR_LINKHDR: 1796 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size); 1797 break; 1798 1799 case OR_PREVLINKHDR: 1800 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size); 1801 break; 1802 1803 case OR_LLC: 1804 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size); 1805 break; 1806 1807 case OR_PREVMPLSHDR: 1808 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size); 1809 break; 1810 1811 case OR_LINKPL: 1812 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size); 1813 break; 1814 1815 case OR_LINKPL_NOSNAP: 1816 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size); 1817 break; 1818 1819 case OR_LINKTYPE: 1820 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size); 1821 break; 1822 1823 case OR_TRAN_IPV4: 1824 /* 1825 * Load the X register with the length of the IPv4 header 1826 * (plus the offset of the link-layer header, if it's 1827 * preceded by a variable-length header such as a radio 1828 * header), in bytes. 1829 */ 1830 s = gen_loadx_iphdrlen(cstate); 1831 1832 /* 1833 * Load the item at {offset of the link-layer payload} + 1834 * {offset, relative to the start of the link-layer 1835 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1836 * {specified offset}. 1837 * 1838 * If the offset of the link-layer payload is variable, 1839 * the variable part of that offset is included in the 1840 * value in the X register, and we include the constant 1841 * part in the offset of the load. 1842 */ 1843 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1844 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset; 1845 sappend(s, s2); 1846 break; 1847 1848 case OR_TRAN_IPV6: 1849 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size); 1850 break; 1851 } 1852 return s; 1853 } 1854 1855 /* 1856 * Generate code to load into the X register the sum of the length of 1857 * the IPv4 header and the variable part of the offset of the link-layer 1858 * payload. 1859 */ 1860 static struct slist * 1861 gen_loadx_iphdrlen(compiler_state_t *cstate) 1862 { 1863 struct slist *s, *s2; 1864 1865 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 1866 if (s != NULL) { 1867 /* 1868 * The offset of the link-layer payload has a variable 1869 * part. "s" points to a list of statements that put 1870 * the variable part of that offset into the X register. 1871 * 1872 * The 4*([k]&0xf) addressing mode can't be used, as we 1873 * don't have a constant offset, so we have to load the 1874 * value in question into the A register and add to it 1875 * the value from the X register. 1876 */ 1877 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 1878 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1879 sappend(s, s2); 1880 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1881 s2->s.k = 0xf; 1882 sappend(s, s2); 1883 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 1884 s2->s.k = 2; 1885 sappend(s, s2); 1886 1887 /* 1888 * The A register now contains the length of the IP header. 1889 * We need to add to it the variable part of the offset of 1890 * the link-layer payload, which is still in the X 1891 * register, and move the result into the X register. 1892 */ 1893 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 1894 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 1895 } else { 1896 /* 1897 * The offset of the link-layer payload is a constant, 1898 * so no code was generated to load the (non-existent) 1899 * variable part of that offset. 1900 * 1901 * This means we can use the 4*([k]&0xf) addressing 1902 * mode. Load the length of the IPv4 header, which 1903 * is at an offset of cstate->off_nl from the beginning of 1904 * the link-layer payload, and thus at an offset of 1905 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning 1906 * of the raw packet data, using that addressing mode. 1907 */ 1908 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 1909 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1910 } 1911 return s; 1912 } 1913 1914 1915 static struct block * 1916 gen_uncond(compiler_state_t *cstate, int rsense) 1917 { 1918 struct block *b; 1919 struct slist *s; 1920 1921 s = new_stmt(cstate, BPF_LD|BPF_IMM); 1922 s->s.k = !rsense; 1923 b = new_block(cstate, JMP(BPF_JEQ)); 1924 b->stmts = s; 1925 1926 return b; 1927 } 1928 1929 static inline struct block * 1930 gen_true(compiler_state_t *cstate) 1931 { 1932 return gen_uncond(cstate, 1); 1933 } 1934 1935 static inline struct block * 1936 gen_false(compiler_state_t *cstate) 1937 { 1938 return gen_uncond(cstate, 0); 1939 } 1940 1941 /* 1942 * Byte-swap a 32-bit number. 1943 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1944 * big-endian platforms.) 1945 */ 1946 #define SWAPLONG(y) \ 1947 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1948 1949 /* 1950 * Generate code to match a particular packet type. 1951 * 1952 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1953 * value, if <= ETHERMTU. We use that to determine whether to 1954 * match the type/length field or to check the type/length field for 1955 * a value <= ETHERMTU to see whether it's a type field and then do 1956 * the appropriate test. 1957 */ 1958 static struct block * 1959 gen_ether_linktype(compiler_state_t *cstate, int proto) 1960 { 1961 struct block *b0, *b1; 1962 1963 switch (proto) { 1964 1965 case LLCSAP_ISONS: 1966 case LLCSAP_IP: 1967 case LLCSAP_NETBEUI: 1968 /* 1969 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1970 * so we check the DSAP and SSAP. 1971 * 1972 * LLCSAP_IP checks for IP-over-802.2, rather 1973 * than IP-over-Ethernet or IP-over-SNAP. 1974 * 1975 * XXX - should we check both the DSAP and the 1976 * SSAP, like this, or should we check just the 1977 * DSAP, as we do for other types <= ETHERMTU 1978 * (i.e., other SAP values)? 1979 */ 1980 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1981 gen_not(b0); 1982 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 1983 ((proto << 8) | proto)); 1984 gen_and(b0, b1); 1985 return b1; 1986 1987 case LLCSAP_IPX: 1988 /* 1989 * Check for; 1990 * 1991 * Ethernet_II frames, which are Ethernet 1992 * frames with a frame type of ETHERTYPE_IPX; 1993 * 1994 * Ethernet_802.3 frames, which are 802.3 1995 * frames (i.e., the type/length field is 1996 * a length field, <= ETHERMTU, rather than 1997 * a type field) with the first two bytes 1998 * after the Ethernet/802.3 header being 1999 * 0xFFFF; 2000 * 2001 * Ethernet_802.2 frames, which are 802.3 2002 * frames with an 802.2 LLC header and 2003 * with the IPX LSAP as the DSAP in the LLC 2004 * header; 2005 * 2006 * Ethernet_SNAP frames, which are 802.3 2007 * frames with an LLC header and a SNAP 2008 * header and with an OUI of 0x000000 2009 * (encapsulated Ethernet) and a protocol 2010 * ID of ETHERTYPE_IPX in the SNAP header. 2011 * 2012 * XXX - should we generate the same code both 2013 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 2014 */ 2015 2016 /* 2017 * This generates code to check both for the 2018 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 2019 */ 2020 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2021 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 2022 gen_or(b0, b1); 2023 2024 /* 2025 * Now we add code to check for SNAP frames with 2026 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 2027 */ 2028 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2029 gen_or(b0, b1); 2030 2031 /* 2032 * Now we generate code to check for 802.3 2033 * frames in general. 2034 */ 2035 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2036 gen_not(b0); 2037 2038 /* 2039 * Now add the check for 802.3 frames before the 2040 * check for Ethernet_802.2 and Ethernet_802.3, 2041 * as those checks should only be done on 802.3 2042 * frames, not on Ethernet frames. 2043 */ 2044 gen_and(b0, b1); 2045 2046 /* 2047 * Now add the check for Ethernet_II frames, and 2048 * do that before checking for the other frame 2049 * types. 2050 */ 2051 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 2052 gen_or(b0, b1); 2053 return b1; 2054 2055 case ETHERTYPE_ATALK: 2056 case ETHERTYPE_AARP: 2057 /* 2058 * EtherTalk (AppleTalk protocols on Ethernet link 2059 * layer) may use 802.2 encapsulation. 2060 */ 2061 2062 /* 2063 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2064 * we check for an Ethernet type field less than 2065 * 1500, which means it's an 802.3 length field. 2066 */ 2067 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2068 gen_not(b0); 2069 2070 /* 2071 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2072 * SNAP packets with an organization code of 2073 * 0x080007 (Apple, for Appletalk) and a protocol 2074 * type of ETHERTYPE_ATALK (Appletalk). 2075 * 2076 * 802.2-encapsulated ETHERTYPE_AARP packets are 2077 * SNAP packets with an organization code of 2078 * 0x000000 (encapsulated Ethernet) and a protocol 2079 * type of ETHERTYPE_AARP (Appletalk ARP). 2080 */ 2081 if (proto == ETHERTYPE_ATALK) 2082 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2083 else /* proto == ETHERTYPE_AARP */ 2084 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2085 gen_and(b0, b1); 2086 2087 /* 2088 * Check for Ethernet encapsulation (Ethertalk 2089 * phase 1?); we just check for the Ethernet 2090 * protocol type. 2091 */ 2092 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2093 2094 gen_or(b0, b1); 2095 return b1; 2096 2097 default: 2098 if (proto <= ETHERMTU) { 2099 /* 2100 * This is an LLC SAP value, so the frames 2101 * that match would be 802.2 frames. 2102 * Check that the frame is an 802.2 frame 2103 * (i.e., that the length/type field is 2104 * a length field, <= ETHERMTU) and 2105 * then check the DSAP. 2106 */ 2107 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 2108 gen_not(b0); 2109 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto); 2110 gen_and(b0, b1); 2111 return b1; 2112 } else { 2113 /* 2114 * This is an Ethernet type, so compare 2115 * the length/type field with it (if 2116 * the frame is an 802.2 frame, the length 2117 * field will be <= ETHERMTU, and, as 2118 * "proto" is > ETHERMTU, this test 2119 * will fail and the frame won't match, 2120 * which is what we want). 2121 */ 2122 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 2123 (bpf_int32)proto); 2124 } 2125 } 2126 } 2127 2128 static struct block * 2129 gen_loopback_linktype(compiler_state_t *cstate, int proto) 2130 { 2131 /* 2132 * For DLT_NULL, the link-layer header is a 32-bit word 2133 * containing an AF_ value in *host* byte order, and for 2134 * DLT_ENC, the link-layer header begins with a 32-bit 2135 * word containing an AF_ value in host byte order. 2136 * 2137 * In addition, if we're reading a saved capture file, 2138 * the host byte order in the capture may not be the 2139 * same as the host byte order on this machine. 2140 * 2141 * For DLT_LOOP, the link-layer header is a 32-bit 2142 * word containing an AF_ value in *network* byte order. 2143 */ 2144 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) { 2145 /* 2146 * The AF_ value is in host byte order, but the BPF 2147 * interpreter will convert it to network byte order. 2148 * 2149 * If this is a save file, and it's from a machine 2150 * with the opposite byte order to ours, we byte-swap 2151 * the AF_ value. 2152 * 2153 * Then we run it through "htonl()", and generate 2154 * code to compare against the result. 2155 */ 2156 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped) 2157 proto = SWAPLONG(proto); 2158 proto = htonl(proto); 2159 } 2160 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto)); 2161 } 2162 2163 /* 2164 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2165 * or IPv6 then we have an error. 2166 */ 2167 static struct block * 2168 gen_ipnet_linktype(compiler_state_t *cstate, int proto) 2169 { 2170 switch (proto) { 2171 2172 case ETHERTYPE_IP: 2173 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET); 2174 /*NOTREACHED*/ 2175 2176 case ETHERTYPE_IPV6: 2177 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 2178 (bpf_int32)IPH_AF_INET6); 2179 /*NOTREACHED*/ 2180 2181 default: 2182 break; 2183 } 2184 2185 return gen_false(cstate); 2186 } 2187 2188 /* 2189 * Generate code to match a particular packet type. 2190 * 2191 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2192 * value, if <= ETHERMTU. We use that to determine whether to 2193 * match the type field or to check the type field for the special 2194 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2195 */ 2196 static struct block * 2197 gen_linux_sll_linktype(compiler_state_t *cstate, int proto) 2198 { 2199 struct block *b0, *b1; 2200 2201 switch (proto) { 2202 2203 case LLCSAP_ISONS: 2204 case LLCSAP_IP: 2205 case LLCSAP_NETBEUI: 2206 /* 2207 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2208 * so we check the DSAP and SSAP. 2209 * 2210 * LLCSAP_IP checks for IP-over-802.2, rather 2211 * than IP-over-Ethernet or IP-over-SNAP. 2212 * 2213 * XXX - should we check both the DSAP and the 2214 * SSAP, like this, or should we check just the 2215 * DSAP, as we do for other types <= ETHERMTU 2216 * (i.e., other SAP values)? 2217 */ 2218 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2219 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 2220 ((proto << 8) | proto)); 2221 gen_and(b0, b1); 2222 return b1; 2223 2224 case LLCSAP_IPX: 2225 /* 2226 * Ethernet_II frames, which are Ethernet 2227 * frames with a frame type of ETHERTYPE_IPX; 2228 * 2229 * Ethernet_802.3 frames, which have a frame 2230 * type of LINUX_SLL_P_802_3; 2231 * 2232 * Ethernet_802.2 frames, which are 802.3 2233 * frames with an 802.2 LLC header (i.e, have 2234 * a frame type of LINUX_SLL_P_802_2) and 2235 * with the IPX LSAP as the DSAP in the LLC 2236 * header; 2237 * 2238 * Ethernet_SNAP frames, which are 802.3 2239 * frames with an LLC header and a SNAP 2240 * header and with an OUI of 0x000000 2241 * (encapsulated Ethernet) and a protocol 2242 * ID of ETHERTYPE_IPX in the SNAP header. 2243 * 2244 * First, do the checks on LINUX_SLL_P_802_2 2245 * frames; generate the check for either 2246 * Ethernet_802.2 or Ethernet_SNAP frames, and 2247 * then put a check for LINUX_SLL_P_802_2 frames 2248 * before it. 2249 */ 2250 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2251 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2252 gen_or(b0, b1); 2253 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2254 gen_and(b0, b1); 2255 2256 /* 2257 * Now check for 802.3 frames and OR that with 2258 * the previous test. 2259 */ 2260 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3); 2261 gen_or(b0, b1); 2262 2263 /* 2264 * Now add the check for Ethernet_II frames, and 2265 * do that before checking for the other frame 2266 * types. 2267 */ 2268 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 2269 gen_or(b0, b1); 2270 return b1; 2271 2272 case ETHERTYPE_ATALK: 2273 case ETHERTYPE_AARP: 2274 /* 2275 * EtherTalk (AppleTalk protocols on Ethernet link 2276 * layer) may use 802.2 encapsulation. 2277 */ 2278 2279 /* 2280 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2281 * we check for the 802.2 protocol type in the 2282 * "Ethernet type" field. 2283 */ 2284 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2285 2286 /* 2287 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2288 * SNAP packets with an organization code of 2289 * 0x080007 (Apple, for Appletalk) and a protocol 2290 * type of ETHERTYPE_ATALK (Appletalk). 2291 * 2292 * 802.2-encapsulated ETHERTYPE_AARP packets are 2293 * SNAP packets with an organization code of 2294 * 0x000000 (encapsulated Ethernet) and a protocol 2295 * type of ETHERTYPE_AARP (Appletalk ARP). 2296 */ 2297 if (proto == ETHERTYPE_ATALK) 2298 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2299 else /* proto == ETHERTYPE_AARP */ 2300 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2301 gen_and(b0, b1); 2302 2303 /* 2304 * Check for Ethernet encapsulation (Ethertalk 2305 * phase 1?); we just check for the Ethernet 2306 * protocol type. 2307 */ 2308 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2309 2310 gen_or(b0, b1); 2311 return b1; 2312 2313 default: 2314 if (proto <= ETHERMTU) { 2315 /* 2316 * This is an LLC SAP value, so the frames 2317 * that match would be 802.2 frames. 2318 * Check for the 802.2 protocol type 2319 * in the "Ethernet type" field, and 2320 * then check the DSAP. 2321 */ 2322 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2323 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B, 2324 (bpf_int32)proto); 2325 gen_and(b0, b1); 2326 return b1; 2327 } else { 2328 /* 2329 * This is an Ethernet type, so compare 2330 * the length/type field with it (if 2331 * the frame is an 802.2 frame, the length 2332 * field will be <= ETHERMTU, and, as 2333 * "proto" is > ETHERMTU, this test 2334 * will fail and the frame won't match, 2335 * which is what we want). 2336 */ 2337 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2338 } 2339 } 2340 } 2341 2342 static struct slist * 2343 gen_load_prism_llprefixlen(compiler_state_t *cstate) 2344 { 2345 struct slist *s1, *s2; 2346 struct slist *sjeq_avs_cookie; 2347 struct slist *sjcommon; 2348 2349 /* 2350 * This code is not compatible with the optimizer, as 2351 * we are generating jmp instructions within a normal 2352 * slist of instructions 2353 */ 2354 cstate->no_optimize = 1; 2355 2356 /* 2357 * Generate code to load the length of the radio header into 2358 * the register assigned to hold that length, if one has been 2359 * assigned. (If one hasn't been assigned, no code we've 2360 * generated uses that prefix, so we don't need to generate any 2361 * code to load it.) 2362 * 2363 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2364 * or always use the AVS header rather than the Prism header. 2365 * We load a 4-byte big-endian value at the beginning of the 2366 * raw packet data, and see whether, when masked with 0xFFFFF000, 2367 * it's equal to 0x80211000. If so, that indicates that it's 2368 * an AVS header (the masked-out bits are the version number). 2369 * Otherwise, it's a Prism header. 2370 * 2371 * XXX - the Prism header is also, in theory, variable-length, 2372 * but no known software generates headers that aren't 144 2373 * bytes long. 2374 */ 2375 if (cstate->off_linkhdr.reg != -1) { 2376 /* 2377 * Load the cookie. 2378 */ 2379 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2380 s1->s.k = 0; 2381 2382 /* 2383 * AND it with 0xFFFFF000. 2384 */ 2385 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 2386 s2->s.k = 0xFFFFF000; 2387 sappend(s1, s2); 2388 2389 /* 2390 * Compare with 0x80211000. 2391 */ 2392 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ)); 2393 sjeq_avs_cookie->s.k = 0x80211000; 2394 sappend(s1, sjeq_avs_cookie); 2395 2396 /* 2397 * If it's AVS: 2398 * 2399 * The 4 bytes at an offset of 4 from the beginning of 2400 * the AVS header are the length of the AVS header. 2401 * That field is big-endian. 2402 */ 2403 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2404 s2->s.k = 4; 2405 sappend(s1, s2); 2406 sjeq_avs_cookie->s.jt = s2; 2407 2408 /* 2409 * Now jump to the code to allocate a register 2410 * into which to save the header length and 2411 * store the length there. (The "jump always" 2412 * instruction needs to have the k field set; 2413 * it's added to the PC, so, as we're jumping 2414 * over a single instruction, it should be 1.) 2415 */ 2416 sjcommon = new_stmt(cstate, JMP(BPF_JA)); 2417 sjcommon->s.k = 1; 2418 sappend(s1, sjcommon); 2419 2420 /* 2421 * Now for the code that handles the Prism header. 2422 * Just load the length of the Prism header (144) 2423 * into the A register. Have the test for an AVS 2424 * header branch here if we don't have an AVS header. 2425 */ 2426 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2427 s2->s.k = 144; 2428 sappend(s1, s2); 2429 sjeq_avs_cookie->s.jf = s2; 2430 2431 /* 2432 * Now allocate a register to hold that value and store 2433 * it. The code for the AVS header will jump here after 2434 * loading the length of the AVS header. 2435 */ 2436 s2 = new_stmt(cstate, BPF_ST); 2437 s2->s.k = cstate->off_linkhdr.reg; 2438 sappend(s1, s2); 2439 sjcommon->s.jf = s2; 2440 2441 /* 2442 * Now move it into the X register. 2443 */ 2444 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2445 sappend(s1, s2); 2446 2447 return (s1); 2448 } else 2449 return (NULL); 2450 } 2451 2452 static struct slist * 2453 gen_load_avs_llprefixlen(compiler_state_t *cstate) 2454 { 2455 struct slist *s1, *s2; 2456 2457 /* 2458 * Generate code to load the length of the AVS header into 2459 * the register assigned to hold that length, if one has been 2460 * assigned. (If one hasn't been assigned, no code we've 2461 * generated uses that prefix, so we don't need to generate any 2462 * code to load it.) 2463 */ 2464 if (cstate->off_linkhdr.reg != -1) { 2465 /* 2466 * The 4 bytes at an offset of 4 from the beginning of 2467 * the AVS header are the length of the AVS header. 2468 * That field is big-endian. 2469 */ 2470 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2471 s1->s.k = 4; 2472 2473 /* 2474 * Now allocate a register to hold that value and store 2475 * it. 2476 */ 2477 s2 = new_stmt(cstate, BPF_ST); 2478 s2->s.k = cstate->off_linkhdr.reg; 2479 sappend(s1, s2); 2480 2481 /* 2482 * Now move it into the X register. 2483 */ 2484 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2485 sappend(s1, s2); 2486 2487 return (s1); 2488 } else 2489 return (NULL); 2490 } 2491 2492 static struct slist * 2493 gen_load_radiotap_llprefixlen(compiler_state_t *cstate) 2494 { 2495 struct slist *s1, *s2; 2496 2497 /* 2498 * Generate code to load the length of the radiotap header into 2499 * the register assigned to hold that length, if one has been 2500 * assigned. (If one hasn't been assigned, no code we've 2501 * generated uses that prefix, so we don't need to generate any 2502 * code to load it.) 2503 */ 2504 if (cstate->off_linkhdr.reg != -1) { 2505 /* 2506 * The 2 bytes at offsets of 2 and 3 from the beginning 2507 * of the radiotap header are the length of the radiotap 2508 * header; unfortunately, it's little-endian, so we have 2509 * to load it a byte at a time and construct the value. 2510 */ 2511 2512 /* 2513 * Load the high-order byte, at an offset of 3, shift it 2514 * left a byte, and put the result in the X register. 2515 */ 2516 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2517 s1->s.k = 3; 2518 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2519 sappend(s1, s2); 2520 s2->s.k = 8; 2521 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2522 sappend(s1, s2); 2523 2524 /* 2525 * Load the next byte, at an offset of 2, and OR the 2526 * value from the X register into it. 2527 */ 2528 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2529 sappend(s1, s2); 2530 s2->s.k = 2; 2531 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2532 sappend(s1, s2); 2533 2534 /* 2535 * Now allocate a register to hold that value and store 2536 * it. 2537 */ 2538 s2 = new_stmt(cstate, BPF_ST); 2539 s2->s.k = cstate->off_linkhdr.reg; 2540 sappend(s1, s2); 2541 2542 /* 2543 * Now move it into the X register. 2544 */ 2545 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2546 sappend(s1, s2); 2547 2548 return (s1); 2549 } else 2550 return (NULL); 2551 } 2552 2553 /* 2554 * At the moment we treat PPI as normal Radiotap encoded 2555 * packets. The difference is in the function that generates 2556 * the code at the beginning to compute the header length. 2557 * Since this code generator of PPI supports bare 802.11 2558 * encapsulation only (i.e. the encapsulated DLT should be 2559 * DLT_IEEE802_11) we generate code to check for this too; 2560 * that's done in finish_parse(). 2561 */ 2562 static struct slist * 2563 gen_load_ppi_llprefixlen(compiler_state_t *cstate) 2564 { 2565 struct slist *s1, *s2; 2566 2567 /* 2568 * Generate code to load the length of the radiotap header 2569 * into the register assigned to hold that length, if one has 2570 * been assigned. 2571 */ 2572 if (cstate->off_linkhdr.reg != -1) { 2573 /* 2574 * The 2 bytes at offsets of 2 and 3 from the beginning 2575 * of the radiotap header are the length of the radiotap 2576 * header; unfortunately, it's little-endian, so we have 2577 * to load it a byte at a time and construct the value. 2578 */ 2579 2580 /* 2581 * Load the high-order byte, at an offset of 3, shift it 2582 * left a byte, and put the result in the X register. 2583 */ 2584 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2585 s1->s.k = 3; 2586 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2587 sappend(s1, s2); 2588 s2->s.k = 8; 2589 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2590 sappend(s1, s2); 2591 2592 /* 2593 * Load the next byte, at an offset of 2, and OR the 2594 * value from the X register into it. 2595 */ 2596 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2597 sappend(s1, s2); 2598 s2->s.k = 2; 2599 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2600 sappend(s1, s2); 2601 2602 /* 2603 * Now allocate a register to hold that value and store 2604 * it. 2605 */ 2606 s2 = new_stmt(cstate, BPF_ST); 2607 s2->s.k = cstate->off_linkhdr.reg; 2608 sappend(s1, s2); 2609 2610 /* 2611 * Now move it into the X register. 2612 */ 2613 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2614 sappend(s1, s2); 2615 2616 return (s1); 2617 } else 2618 return (NULL); 2619 } 2620 2621 /* 2622 * Load a value relative to the beginning of the link-layer header after the 802.11 2623 * header, i.e. LLC_SNAP. 2624 * The link-layer header doesn't necessarily begin at the beginning 2625 * of the packet data; there might be a variable-length prefix containing 2626 * radio information. 2627 */ 2628 static struct slist * 2629 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext) 2630 { 2631 struct slist *s2; 2632 struct slist *sjset_data_frame_1; 2633 struct slist *sjset_data_frame_2; 2634 struct slist *sjset_qos; 2635 struct slist *sjset_radiotap_flags_present; 2636 struct slist *sjset_radiotap_ext_present; 2637 struct slist *sjset_radiotap_tsft_present; 2638 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2639 struct slist *s_roundup; 2640 2641 if (cstate->off_linkpl.reg == -1) { 2642 /* 2643 * No register has been assigned to the offset of 2644 * the link-layer payload, which means nobody needs 2645 * it; don't bother computing it - just return 2646 * what we already have. 2647 */ 2648 return (s); 2649 } 2650 2651 /* 2652 * This code is not compatible with the optimizer, as 2653 * we are generating jmp instructions within a normal 2654 * slist of instructions 2655 */ 2656 cstate->no_optimize = 1; 2657 2658 /* 2659 * If "s" is non-null, it has code to arrange that the X register 2660 * contains the length of the prefix preceding the link-layer 2661 * header. 2662 * 2663 * Otherwise, the length of the prefix preceding the link-layer 2664 * header is "off_outermostlinkhdr.constant_part". 2665 */ 2666 if (s == NULL) { 2667 /* 2668 * There is no variable-length header preceding the 2669 * link-layer header. 2670 * 2671 * Load the length of the fixed-length prefix preceding 2672 * the link-layer header (if any) into the X register, 2673 * and store it in the cstate->off_linkpl.reg register. 2674 * That length is off_outermostlinkhdr.constant_part. 2675 */ 2676 s = new_stmt(cstate, BPF_LDX|BPF_IMM); 2677 s->s.k = cstate->off_outermostlinkhdr.constant_part; 2678 } 2679 2680 /* 2681 * The X register contains the offset of the beginning of the 2682 * link-layer header; add 24, which is the minimum length 2683 * of the MAC header for a data frame, to that, and store it 2684 * in cstate->off_linkpl.reg, and then load the Frame Control field, 2685 * which is at the offset in the X register, with an indexed load. 2686 */ 2687 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA); 2688 sappend(s, s2); 2689 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 2690 s2->s.k = 24; 2691 sappend(s, s2); 2692 s2 = new_stmt(cstate, BPF_ST); 2693 s2->s.k = cstate->off_linkpl.reg; 2694 sappend(s, s2); 2695 2696 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 2697 s2->s.k = 0; 2698 sappend(s, s2); 2699 2700 /* 2701 * Check the Frame Control field to see if this is a data frame; 2702 * a data frame has the 0x08 bit (b3) in that field set and the 2703 * 0x04 bit (b2) clear. 2704 */ 2705 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET)); 2706 sjset_data_frame_1->s.k = 0x08; 2707 sappend(s, sjset_data_frame_1); 2708 2709 /* 2710 * If b3 is set, test b2, otherwise go to the first statement of 2711 * the rest of the program. 2712 */ 2713 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET)); 2714 sjset_data_frame_2->s.k = 0x04; 2715 sappend(s, sjset_data_frame_2); 2716 sjset_data_frame_1->s.jf = snext; 2717 2718 /* 2719 * If b2 is not set, this is a data frame; test the QoS bit. 2720 * Otherwise, go to the first statement of the rest of the 2721 * program. 2722 */ 2723 sjset_data_frame_2->s.jt = snext; 2724 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET)); 2725 sjset_qos->s.k = 0x80; /* QoS bit */ 2726 sappend(s, sjset_qos); 2727 2728 /* 2729 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS 2730 * field. 2731 * Otherwise, go to the first statement of the rest of the 2732 * program. 2733 */ 2734 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 2735 s2->s.k = cstate->off_linkpl.reg; 2736 sappend(s, s2); 2737 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2738 s2->s.k = 2; 2739 sappend(s, s2); 2740 s2 = new_stmt(cstate, BPF_ST); 2741 s2->s.k = cstate->off_linkpl.reg; 2742 sappend(s, s2); 2743 2744 /* 2745 * If we have a radiotap header, look at it to see whether 2746 * there's Atheros padding between the MAC-layer header 2747 * and the payload. 2748 * 2749 * Note: all of the fields in the radiotap header are 2750 * little-endian, so we byte-swap all of the values 2751 * we test against, as they will be loaded as big-endian 2752 * values. 2753 * 2754 * XXX - in the general case, we would have to scan through 2755 * *all* the presence bits, if there's more than one word of 2756 * presence bits. That would require a loop, meaning that 2757 * we wouldn't be able to run the filter in the kernel. 2758 * 2759 * We assume here that the Atheros adapters that insert the 2760 * annoying padding don't have multiple antennae and therefore 2761 * do not generate radiotap headers with multiple presence words. 2762 */ 2763 if (cstate->linktype == DLT_IEEE802_11_RADIO) { 2764 /* 2765 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2766 * in the first presence flag word? 2767 */ 2768 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W); 2769 s2->s.k = 4; 2770 sappend(s, s2); 2771 2772 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET)); 2773 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002); 2774 sappend(s, sjset_radiotap_flags_present); 2775 2776 /* 2777 * If not, skip all of this. 2778 */ 2779 sjset_radiotap_flags_present->s.jf = snext; 2780 2781 /* 2782 * Otherwise, is the "extension" bit set in that word? 2783 */ 2784 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET)); 2785 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000); 2786 sappend(s, sjset_radiotap_ext_present); 2787 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present; 2788 2789 /* 2790 * If so, skip all of this. 2791 */ 2792 sjset_radiotap_ext_present->s.jt = snext; 2793 2794 /* 2795 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2796 */ 2797 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET)); 2798 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001); 2799 sappend(s, sjset_radiotap_tsft_present); 2800 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present; 2801 2802 /* 2803 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2804 * at an offset of 16 from the beginning of the raw packet 2805 * data (8 bytes for the radiotap header and 8 bytes for 2806 * the TSFT field). 2807 * 2808 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2809 * is set. 2810 */ 2811 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2812 s2->s.k = 16; 2813 sappend(s, s2); 2814 sjset_radiotap_tsft_present->s.jt = s2; 2815 2816 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2817 sjset_tsft_datapad->s.k = 0x20; 2818 sappend(s, sjset_tsft_datapad); 2819 2820 /* 2821 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2822 * at an offset of 8 from the beginning of the raw packet 2823 * data (8 bytes for the radiotap header). 2824 * 2825 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2826 * is set. 2827 */ 2828 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2829 s2->s.k = 8; 2830 sappend(s, s2); 2831 sjset_radiotap_tsft_present->s.jf = s2; 2832 2833 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2834 sjset_notsft_datapad->s.k = 0x20; 2835 sappend(s, sjset_notsft_datapad); 2836 2837 /* 2838 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2839 * set, round the length of the 802.11 header to 2840 * a multiple of 4. Do that by adding 3 and then 2841 * dividing by and multiplying by 4, which we do by 2842 * ANDing with ~3. 2843 */ 2844 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM); 2845 s_roundup->s.k = cstate->off_linkpl.reg; 2846 sappend(s, s_roundup); 2847 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2848 s2->s.k = 3; 2849 sappend(s, s2); 2850 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM); 2851 s2->s.k = ~3; 2852 sappend(s, s2); 2853 s2 = new_stmt(cstate, BPF_ST); 2854 s2->s.k = cstate->off_linkpl.reg; 2855 sappend(s, s2); 2856 2857 sjset_tsft_datapad->s.jt = s_roundup; 2858 sjset_tsft_datapad->s.jf = snext; 2859 sjset_notsft_datapad->s.jt = s_roundup; 2860 sjset_notsft_datapad->s.jf = snext; 2861 } else 2862 sjset_qos->s.jf = snext; 2863 2864 return s; 2865 } 2866 2867 static void 2868 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b) 2869 { 2870 struct slist *s; 2871 2872 /* There is an implicit dependency between the link 2873 * payload and link header since the payload computation 2874 * includes the variable part of the header. Therefore, 2875 * if nobody else has allocated a register for the link 2876 * header and we need it, do it now. */ 2877 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable && 2878 cstate->off_linkhdr.reg == -1) 2879 cstate->off_linkhdr.reg = alloc_reg(cstate); 2880 2881 /* 2882 * For link-layer types that have a variable-length header 2883 * preceding the link-layer header, generate code to load 2884 * the offset of the link-layer header into the register 2885 * assigned to that offset, if any. 2886 * 2887 * XXX - this, and the next switch statement, won't handle 2888 * encapsulation of 802.11 or 802.11+radio information in 2889 * some other protocol stack. That's significantly more 2890 * complicated. 2891 */ 2892 switch (cstate->outermostlinktype) { 2893 2894 case DLT_PRISM_HEADER: 2895 s = gen_load_prism_llprefixlen(cstate); 2896 break; 2897 2898 case DLT_IEEE802_11_RADIO_AVS: 2899 s = gen_load_avs_llprefixlen(cstate); 2900 break; 2901 2902 case DLT_IEEE802_11_RADIO: 2903 s = gen_load_radiotap_llprefixlen(cstate); 2904 break; 2905 2906 case DLT_PPI: 2907 s = gen_load_ppi_llprefixlen(cstate); 2908 break; 2909 2910 default: 2911 s = NULL; 2912 break; 2913 } 2914 2915 /* 2916 * For link-layer types that have a variable-length link-layer 2917 * header, generate code to load the offset of the link-layer 2918 * payload into the register assigned to that offset, if any. 2919 */ 2920 switch (cstate->outermostlinktype) { 2921 2922 case DLT_IEEE802_11: 2923 case DLT_PRISM_HEADER: 2924 case DLT_IEEE802_11_RADIO_AVS: 2925 case DLT_IEEE802_11_RADIO: 2926 case DLT_PPI: 2927 s = gen_load_802_11_header_len(cstate, s, b->stmts); 2928 break; 2929 } 2930 2931 /* 2932 * If there there is no initialization yet and we need variable 2933 * length offsets for VLAN, initialize them to zero 2934 */ 2935 if (s == NULL && cstate->is_vlan_vloffset) { 2936 struct slist *s2; 2937 2938 if (cstate->off_linkpl.reg == -1) 2939 cstate->off_linkpl.reg = alloc_reg(cstate); 2940 if (cstate->off_linktype.reg == -1) 2941 cstate->off_linktype.reg = alloc_reg(cstate); 2942 2943 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2944 s->s.k = 0; 2945 s2 = new_stmt(cstate, BPF_ST); 2946 s2->s.k = cstate->off_linkpl.reg; 2947 sappend(s, s2); 2948 s2 = new_stmt(cstate, BPF_ST); 2949 s2->s.k = cstate->off_linktype.reg; 2950 sappend(s, s2); 2951 } 2952 2953 /* 2954 * If we have any offset-loading code, append all the 2955 * existing statements in the block to those statements, 2956 * and make the resulting list the list of statements 2957 * for the block. 2958 */ 2959 if (s != NULL) { 2960 sappend(s, b->stmts); 2961 b->stmts = s; 2962 } 2963 } 2964 2965 static struct block * 2966 gen_ppi_dlt_check(compiler_state_t *cstate) 2967 { 2968 struct slist *s_load_dlt; 2969 struct block *b; 2970 2971 if (cstate->linktype == DLT_PPI) 2972 { 2973 /* Create the statements that check for the DLT 2974 */ 2975 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2976 s_load_dlt->s.k = 4; 2977 2978 b = new_block(cstate, JMP(BPF_JEQ)); 2979 2980 b->stmts = s_load_dlt; 2981 b->s.k = SWAPLONG(DLT_IEEE802_11); 2982 } 2983 else 2984 { 2985 b = NULL; 2986 } 2987 2988 return b; 2989 } 2990 2991 /* 2992 * Take an absolute offset, and: 2993 * 2994 * if it has no variable part, return NULL; 2995 * 2996 * if it has a variable part, generate code to load the register 2997 * containing that variable part into the X register, returning 2998 * a pointer to that code - if no register for that offset has 2999 * been allocated, allocate it first. 3000 * 3001 * (The code to set that register will be generated later, but will 3002 * be placed earlier in the code sequence.) 3003 */ 3004 static struct slist * 3005 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off) 3006 { 3007 struct slist *s; 3008 3009 if (off->is_variable) { 3010 if (off->reg == -1) { 3011 /* 3012 * We haven't yet assigned a register for the 3013 * variable part of the offset of the link-layer 3014 * header; allocate one. 3015 */ 3016 off->reg = alloc_reg(cstate); 3017 } 3018 3019 /* 3020 * Load the register containing the variable part of the 3021 * offset of the link-layer header into the X register. 3022 */ 3023 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 3024 s->s.k = off->reg; 3025 return s; 3026 } else { 3027 /* 3028 * That offset isn't variable, there's no variable part, 3029 * so we don't need to generate any code. 3030 */ 3031 return NULL; 3032 } 3033 } 3034 3035 /* 3036 * Map an Ethernet type to the equivalent PPP type. 3037 */ 3038 static int 3039 ethertype_to_ppptype(int proto) 3040 { 3041 switch (proto) { 3042 3043 case ETHERTYPE_IP: 3044 proto = PPP_IP; 3045 break; 3046 3047 case ETHERTYPE_IPV6: 3048 proto = PPP_IPV6; 3049 break; 3050 3051 case ETHERTYPE_DN: 3052 proto = PPP_DECNET; 3053 break; 3054 3055 case ETHERTYPE_ATALK: 3056 proto = PPP_APPLE; 3057 break; 3058 3059 case ETHERTYPE_NS: 3060 proto = PPP_NS; 3061 break; 3062 3063 case LLCSAP_ISONS: 3064 proto = PPP_OSI; 3065 break; 3066 3067 case LLCSAP_8021D: 3068 /* 3069 * I'm assuming the "Bridging PDU"s that go 3070 * over PPP are Spanning Tree Protocol 3071 * Bridging PDUs. 3072 */ 3073 proto = PPP_BRPDU; 3074 break; 3075 3076 case LLCSAP_IPX: 3077 proto = PPP_IPX; 3078 break; 3079 } 3080 return (proto); 3081 } 3082 3083 /* 3084 * Generate any tests that, for encapsulation of a link-layer packet 3085 * inside another protocol stack, need to be done to check for those 3086 * link-layer packets (and that haven't already been done by a check 3087 * for that encapsulation). 3088 */ 3089 static struct block * 3090 gen_prevlinkhdr_check(compiler_state_t *cstate) 3091 { 3092 struct block *b0; 3093 3094 if (cstate->is_geneve) 3095 return gen_geneve_ll_check(cstate); 3096 3097 switch (cstate->prevlinktype) { 3098 3099 case DLT_SUNATM: 3100 /* 3101 * This is LANE-encapsulated Ethernet; check that the LANE 3102 * packet doesn't begin with an LE Control marker, i.e. 3103 * that it's data, not a control message. 3104 * 3105 * (We've already generated a test for LANE.) 3106 */ 3107 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 3108 gen_not(b0); 3109 return b0; 3110 3111 default: 3112 /* 3113 * No such tests are necessary. 3114 */ 3115 return NULL; 3116 } 3117 /*NOTREACHED*/ 3118 } 3119 3120 /* 3121 * The three different values we should check for when checking for an 3122 * IPv6 packet with DLT_NULL. 3123 */ 3124 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */ 3125 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */ 3126 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */ 3127 3128 /* 3129 * Generate code to match a particular packet type by matching the 3130 * link-layer type field or fields in the 802.2 LLC header. 3131 * 3132 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3133 * value, if <= ETHERMTU. 3134 */ 3135 static struct block * 3136 gen_linktype(compiler_state_t *cstate, int proto) 3137 { 3138 struct block *b0, *b1, *b2; 3139 const char *description; 3140 3141 /* are we checking MPLS-encapsulated packets? */ 3142 if (cstate->label_stack_depth > 0) { 3143 switch (proto) { 3144 case ETHERTYPE_IP: 3145 case PPP_IP: 3146 /* FIXME add other L3 proto IDs */ 3147 return gen_mpls_linktype(cstate, Q_IP); 3148 3149 case ETHERTYPE_IPV6: 3150 case PPP_IPV6: 3151 /* FIXME add other L3 proto IDs */ 3152 return gen_mpls_linktype(cstate, Q_IPV6); 3153 3154 default: 3155 bpf_error(cstate, "unsupported protocol over mpls"); 3156 /*NOTREACHED*/ 3157 } 3158 } 3159 3160 switch (cstate->linktype) { 3161 3162 case DLT_EN10MB: 3163 case DLT_NETANALYZER: 3164 case DLT_NETANALYZER_TRANSPARENT: 3165 /* Geneve has an EtherType regardless of whether there is an 3166 * L2 header. */ 3167 if (!cstate->is_geneve) 3168 b0 = gen_prevlinkhdr_check(cstate); 3169 else 3170 b0 = NULL; 3171 3172 b1 = gen_ether_linktype(cstate, proto); 3173 if (b0 != NULL) 3174 gen_and(b0, b1); 3175 return b1; 3176 /*NOTREACHED*/ 3177 3178 case DLT_C_HDLC: 3179 switch (proto) { 3180 3181 case LLCSAP_ISONS: 3182 proto = (proto << 8 | LLCSAP_ISONS); 3183 /* fall through */ 3184 3185 default: 3186 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3187 /*NOTREACHED*/ 3188 } 3189 3190 case DLT_IEEE802_11: 3191 case DLT_PRISM_HEADER: 3192 case DLT_IEEE802_11_RADIO_AVS: 3193 case DLT_IEEE802_11_RADIO: 3194 case DLT_PPI: 3195 /* 3196 * Check that we have a data frame. 3197 */ 3198 b0 = gen_check_802_11_data_frame(cstate); 3199 3200 /* 3201 * Now check for the specified link-layer type. 3202 */ 3203 b1 = gen_llc_linktype(cstate, proto); 3204 gen_and(b0, b1); 3205 return b1; 3206 /*NOTREACHED*/ 3207 3208 case DLT_FDDI: 3209 /* 3210 * XXX - check for LLC frames. 3211 */ 3212 return gen_llc_linktype(cstate, proto); 3213 /*NOTREACHED*/ 3214 3215 case DLT_IEEE802: 3216 /* 3217 * XXX - check for LLC PDUs, as per IEEE 802.5. 3218 */ 3219 return gen_llc_linktype(cstate, proto); 3220 /*NOTREACHED*/ 3221 3222 case DLT_ATM_RFC1483: 3223 case DLT_ATM_CLIP: 3224 case DLT_IP_OVER_FC: 3225 return gen_llc_linktype(cstate, proto); 3226 /*NOTREACHED*/ 3227 3228 case DLT_SUNATM: 3229 /* 3230 * Check for an LLC-encapsulated version of this protocol; 3231 * if we were checking for LANE, linktype would no longer 3232 * be DLT_SUNATM. 3233 * 3234 * Check for LLC encapsulation and then check the protocol. 3235 */ 3236 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3237 b1 = gen_llc_linktype(cstate, proto); 3238 gen_and(b0, b1); 3239 return b1; 3240 /*NOTREACHED*/ 3241 3242 case DLT_LINUX_SLL: 3243 return gen_linux_sll_linktype(cstate, proto); 3244 /*NOTREACHED*/ 3245 3246 case DLT_SLIP: 3247 case DLT_SLIP_BSDOS: 3248 case DLT_RAW: 3249 /* 3250 * These types don't provide any type field; packets 3251 * are always IPv4 or IPv6. 3252 * 3253 * XXX - for IPv4, check for a version number of 4, and, 3254 * for IPv6, check for a version number of 6? 3255 */ 3256 switch (proto) { 3257 3258 case ETHERTYPE_IP: 3259 /* Check for a version number of 4. */ 3260 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0); 3261 3262 case ETHERTYPE_IPV6: 3263 /* Check for a version number of 6. */ 3264 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0); 3265 3266 default: 3267 return gen_false(cstate); /* always false */ 3268 } 3269 /*NOTREACHED*/ 3270 3271 case DLT_IPV4: 3272 /* 3273 * Raw IPv4, so no type field. 3274 */ 3275 if (proto == ETHERTYPE_IP) 3276 return gen_true(cstate); /* always true */ 3277 3278 /* Checking for something other than IPv4; always false */ 3279 return gen_false(cstate); 3280 /*NOTREACHED*/ 3281 3282 case DLT_IPV6: 3283 /* 3284 * Raw IPv6, so no type field. 3285 */ 3286 if (proto == ETHERTYPE_IPV6) 3287 return gen_true(cstate); /* always true */ 3288 3289 /* Checking for something other than IPv6; always false */ 3290 return gen_false(cstate); 3291 /*NOTREACHED*/ 3292 3293 case DLT_PPP: 3294 case DLT_PPP_PPPD: 3295 case DLT_PPP_SERIAL: 3296 case DLT_PPP_ETHER: 3297 /* 3298 * We use Ethernet protocol types inside libpcap; 3299 * map them to the corresponding PPP protocol types. 3300 */ 3301 proto = ethertype_to_ppptype(proto); 3302 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3303 /*NOTREACHED*/ 3304 3305 case DLT_PPP_BSDOS: 3306 /* 3307 * We use Ethernet protocol types inside libpcap; 3308 * map them to the corresponding PPP protocol types. 3309 */ 3310 switch (proto) { 3311 3312 case ETHERTYPE_IP: 3313 /* 3314 * Also check for Van Jacobson-compressed IP. 3315 * XXX - do this for other forms of PPP? 3316 */ 3317 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP); 3318 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC); 3319 gen_or(b0, b1); 3320 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC); 3321 gen_or(b1, b0); 3322 return b0; 3323 3324 default: 3325 proto = ethertype_to_ppptype(proto); 3326 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 3327 (bpf_int32)proto); 3328 } 3329 /*NOTREACHED*/ 3330 3331 case DLT_NULL: 3332 case DLT_LOOP: 3333 case DLT_ENC: 3334 switch (proto) { 3335 3336 case ETHERTYPE_IP: 3337 return (gen_loopback_linktype(cstate, AF_INET)); 3338 3339 case ETHERTYPE_IPV6: 3340 /* 3341 * AF_ values may, unfortunately, be platform- 3342 * dependent; AF_INET isn't, because everybody 3343 * used 4.2BSD's value, but AF_INET6 is, because 3344 * 4.2BSD didn't have a value for it (given that 3345 * IPv6 didn't exist back in the early 1980's), 3346 * and they all picked their own values. 3347 * 3348 * This means that, if we're reading from a 3349 * savefile, we need to check for all the 3350 * possible values. 3351 * 3352 * If we're doing a live capture, we only need 3353 * to check for this platform's value; however, 3354 * Npcap uses 24, which isn't Windows's AF_INET6 3355 * value. (Given the multiple different values, 3356 * programs that read pcap files shouldn't be 3357 * checking for their platform's AF_INET6 value 3358 * anyway, they should check for all of the 3359 * possible values. and they might as well do 3360 * that even for live captures.) 3361 */ 3362 if (cstate->bpf_pcap->rfile != NULL) { 3363 /* 3364 * Savefile - check for all three 3365 * possible IPv6 values. 3366 */ 3367 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD); 3368 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD); 3369 gen_or(b0, b1); 3370 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN); 3371 gen_or(b0, b1); 3372 return (b1); 3373 } else { 3374 /* 3375 * Live capture, so we only need to 3376 * check for the value used on this 3377 * platform. 3378 */ 3379 #ifdef _WIN32 3380 /* 3381 * Npcap doesn't use Windows's AF_INET6, 3382 * as that collides with AF_IPX on 3383 * some BSDs (both have the value 23). 3384 * Instead, it uses 24. 3385 */ 3386 return (gen_loopback_linktype(cstate, 24)); 3387 #else /* _WIN32 */ 3388 #ifdef AF_INET6 3389 return (gen_loopback_linktype(cstate, AF_INET6)); 3390 #else /* AF_INET6 */ 3391 /* 3392 * I guess this platform doesn't support 3393 * IPv6, so we just reject all packets. 3394 */ 3395 return gen_false(cstate); 3396 #endif /* AF_INET6 */ 3397 #endif /* _WIN32 */ 3398 } 3399 3400 default: 3401 /* 3402 * Not a type on which we support filtering. 3403 * XXX - support those that have AF_ values 3404 * #defined on this platform, at least? 3405 */ 3406 return gen_false(cstate); 3407 } 3408 3409 #ifdef HAVE_NET_PFVAR_H 3410 case DLT_PFLOG: 3411 /* 3412 * af field is host byte order in contrast to the rest of 3413 * the packet. 3414 */ 3415 if (proto == ETHERTYPE_IP) 3416 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3417 BPF_B, (bpf_int32)AF_INET)); 3418 else if (proto == ETHERTYPE_IPV6) 3419 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3420 BPF_B, (bpf_int32)AF_INET6)); 3421 else 3422 return gen_false(cstate); 3423 /*NOTREACHED*/ 3424 #endif /* HAVE_NET_PFVAR_H */ 3425 3426 case DLT_ARCNET: 3427 case DLT_ARCNET_LINUX: 3428 /* 3429 * XXX should we check for first fragment if the protocol 3430 * uses PHDS? 3431 */ 3432 switch (proto) { 3433 3434 default: 3435 return gen_false(cstate); 3436 3437 case ETHERTYPE_IPV6: 3438 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3439 (bpf_int32)ARCTYPE_INET6)); 3440 3441 case ETHERTYPE_IP: 3442 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3443 (bpf_int32)ARCTYPE_IP); 3444 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3445 (bpf_int32)ARCTYPE_IP_OLD); 3446 gen_or(b0, b1); 3447 return (b1); 3448 3449 case ETHERTYPE_ARP: 3450 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3451 (bpf_int32)ARCTYPE_ARP); 3452 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3453 (bpf_int32)ARCTYPE_ARP_OLD); 3454 gen_or(b0, b1); 3455 return (b1); 3456 3457 case ETHERTYPE_REVARP: 3458 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3459 (bpf_int32)ARCTYPE_REVARP)); 3460 3461 case ETHERTYPE_ATALK: 3462 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3463 (bpf_int32)ARCTYPE_ATALK)); 3464 } 3465 /*NOTREACHED*/ 3466 3467 case DLT_LTALK: 3468 switch (proto) { 3469 case ETHERTYPE_ATALK: 3470 return gen_true(cstate); 3471 default: 3472 return gen_false(cstate); 3473 } 3474 /*NOTREACHED*/ 3475 3476 case DLT_FRELAY: 3477 /* 3478 * XXX - assumes a 2-byte Frame Relay header with 3479 * DLCI and flags. What if the address is longer? 3480 */ 3481 switch (proto) { 3482 3483 case ETHERTYPE_IP: 3484 /* 3485 * Check for the special NLPID for IP. 3486 */ 3487 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc); 3488 3489 case ETHERTYPE_IPV6: 3490 /* 3491 * Check for the special NLPID for IPv6. 3492 */ 3493 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e); 3494 3495 case LLCSAP_ISONS: 3496 /* 3497 * Check for several OSI protocols. 3498 * 3499 * Frame Relay packets typically have an OSI 3500 * NLPID at the beginning; we check for each 3501 * of them. 3502 * 3503 * What we check for is the NLPID and a frame 3504 * control field of UI, i.e. 0x03 followed 3505 * by the NLPID. 3506 */ 3507 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3508 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3509 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3510 gen_or(b1, b2); 3511 gen_or(b0, b2); 3512 return b2; 3513 3514 default: 3515 return gen_false(cstate); 3516 } 3517 /*NOTREACHED*/ 3518 3519 case DLT_MFR: 3520 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented"); 3521 3522 case DLT_JUNIPER_MFR: 3523 case DLT_JUNIPER_MLFR: 3524 case DLT_JUNIPER_MLPPP: 3525 case DLT_JUNIPER_ATM1: 3526 case DLT_JUNIPER_ATM2: 3527 case DLT_JUNIPER_PPPOE: 3528 case DLT_JUNIPER_PPPOE_ATM: 3529 case DLT_JUNIPER_GGSN: 3530 case DLT_JUNIPER_ES: 3531 case DLT_JUNIPER_MONITOR: 3532 case DLT_JUNIPER_SERVICES: 3533 case DLT_JUNIPER_ETHER: 3534 case DLT_JUNIPER_PPP: 3535 case DLT_JUNIPER_FRELAY: 3536 case DLT_JUNIPER_CHDLC: 3537 case DLT_JUNIPER_VP: 3538 case DLT_JUNIPER_ST: 3539 case DLT_JUNIPER_ISM: 3540 case DLT_JUNIPER_VS: 3541 case DLT_JUNIPER_SRX_E2E: 3542 case DLT_JUNIPER_FIBRECHANNEL: 3543 case DLT_JUNIPER_ATM_CEMIC: 3544 3545 /* just lets verify the magic number for now - 3546 * on ATM we may have up to 6 different encapsulations on the wire 3547 * and need a lot of heuristics to figure out that the payload 3548 * might be; 3549 * 3550 * FIXME encapsulation specific BPF_ filters 3551 */ 3552 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3553 3554 case DLT_BACNET_MS_TP: 3555 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000); 3556 3557 case DLT_IPNET: 3558 return gen_ipnet_linktype(cstate, proto); 3559 3560 case DLT_LINUX_IRDA: 3561 bpf_error(cstate, "IrDA link-layer type filtering not implemented"); 3562 3563 case DLT_DOCSIS: 3564 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented"); 3565 3566 case DLT_MTP2: 3567 case DLT_MTP2_WITH_PHDR: 3568 bpf_error(cstate, "MTP2 link-layer type filtering not implemented"); 3569 3570 case DLT_ERF: 3571 bpf_error(cstate, "ERF link-layer type filtering not implemented"); 3572 3573 case DLT_PFSYNC: 3574 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented"); 3575 3576 case DLT_LINUX_LAPD: 3577 bpf_error(cstate, "LAPD link-layer type filtering not implemented"); 3578 3579 case DLT_USB_FREEBSD: 3580 case DLT_USB_LINUX: 3581 case DLT_USB_LINUX_MMAPPED: 3582 case DLT_USBPCAP: 3583 bpf_error(cstate, "USB link-layer type filtering not implemented"); 3584 3585 case DLT_BLUETOOTH_HCI_H4: 3586 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3587 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented"); 3588 3589 case DLT_CAN20B: 3590 case DLT_CAN_SOCKETCAN: 3591 bpf_error(cstate, "CAN link-layer type filtering not implemented"); 3592 3593 case DLT_IEEE802_15_4: 3594 case DLT_IEEE802_15_4_LINUX: 3595 case DLT_IEEE802_15_4_NONASK_PHY: 3596 case DLT_IEEE802_15_4_NOFCS: 3597 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented"); 3598 3599 case DLT_IEEE802_16_MAC_CPS_RADIO: 3600 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented"); 3601 3602 case DLT_SITA: 3603 bpf_error(cstate, "SITA link-layer type filtering not implemented"); 3604 3605 case DLT_RAIF1: 3606 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented"); 3607 3608 case DLT_IPMB_KONTRON: 3609 case DLT_IPMB_LINUX: 3610 bpf_error(cstate, "IPMB link-layer type filtering not implemented"); 3611 3612 case DLT_AX25_KISS: 3613 bpf_error(cstate, "AX.25 link-layer type filtering not implemented"); 3614 3615 case DLT_NFLOG: 3616 /* Using the fixed-size NFLOG header it is possible to tell only 3617 * the address family of the packet, other meaningful data is 3618 * either missing or behind TLVs. 3619 */ 3620 bpf_error(cstate, "NFLOG link-layer type filtering not implemented"); 3621 3622 default: 3623 /* 3624 * Does this link-layer header type have a field 3625 * indicating the type of the next protocol? If 3626 * so, off_linktype.constant_part will be the offset of that 3627 * field in the packet; if not, it will be OFFSET_NOT_SET. 3628 */ 3629 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) { 3630 /* 3631 * Yes; assume it's an Ethernet type. (If 3632 * it's not, it needs to be handled specially 3633 * above.) 3634 */ 3635 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3636 /*NOTREACHED */ 3637 } else { 3638 /* 3639 * No; report an error. 3640 */ 3641 description = pcap_datalink_val_to_description_or_dlt(cstate->linktype); 3642 bpf_error(cstate, "%s link-layer type filtering not implemented", 3643 description); 3644 /*NOTREACHED */ 3645 } 3646 } 3647 } 3648 3649 /* 3650 * Check for an LLC SNAP packet with a given organization code and 3651 * protocol type; we check the entire contents of the 802.2 LLC and 3652 * snap headers, checking for DSAP and SSAP of SNAP and a control 3653 * field of 0x03 in the LLC header, and for the specified organization 3654 * code and protocol type in the SNAP header. 3655 */ 3656 static struct block * 3657 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype) 3658 { 3659 u_char snapblock[8]; 3660 3661 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3662 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3663 snapblock[2] = 0x03; /* control = UI */ 3664 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */ 3665 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */ 3666 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */ 3667 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */ 3668 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */ 3669 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock); 3670 } 3671 3672 /* 3673 * Generate code to match frames with an LLC header. 3674 */ 3675 static struct block * 3676 gen_llc_internal(compiler_state_t *cstate) 3677 { 3678 struct block *b0, *b1; 3679 3680 switch (cstate->linktype) { 3681 3682 case DLT_EN10MB: 3683 /* 3684 * We check for an Ethernet type field less than 3685 * 1500, which means it's an 802.3 length field. 3686 */ 3687 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 3688 gen_not(b0); 3689 3690 /* 3691 * Now check for the purported DSAP and SSAP not being 3692 * 0xFF, to rule out NetWare-over-802.3. 3693 */ 3694 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 3695 gen_not(b1); 3696 gen_and(b0, b1); 3697 return b1; 3698 3699 case DLT_SUNATM: 3700 /* 3701 * We check for LLC traffic. 3702 */ 3703 b0 = gen_atmtype_llc(cstate); 3704 return b0; 3705 3706 case DLT_IEEE802: /* Token Ring */ 3707 /* 3708 * XXX - check for LLC frames. 3709 */ 3710 return gen_true(cstate); 3711 3712 case DLT_FDDI: 3713 /* 3714 * XXX - check for LLC frames. 3715 */ 3716 return gen_true(cstate); 3717 3718 case DLT_ATM_RFC1483: 3719 /* 3720 * For LLC encapsulation, these are defined to have an 3721 * 802.2 LLC header. 3722 * 3723 * For VC encapsulation, they don't, but there's no 3724 * way to check for that; the protocol used on the VC 3725 * is negotiated out of band. 3726 */ 3727 return gen_true(cstate); 3728 3729 case DLT_IEEE802_11: 3730 case DLT_PRISM_HEADER: 3731 case DLT_IEEE802_11_RADIO: 3732 case DLT_IEEE802_11_RADIO_AVS: 3733 case DLT_PPI: 3734 /* 3735 * Check that we have a data frame. 3736 */ 3737 b0 = gen_check_802_11_data_frame(cstate); 3738 return b0; 3739 3740 default: 3741 bpf_error(cstate, "'llc' not supported for %s", 3742 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 3743 /*NOTREACHED*/ 3744 } 3745 } 3746 3747 struct block * 3748 gen_llc(compiler_state_t *cstate) 3749 { 3750 /* 3751 * Catch errors reported by us and routines below us, and return NULL 3752 * on an error. 3753 */ 3754 if (setjmp(cstate->top_ctx)) 3755 return (NULL); 3756 3757 return gen_llc_internal(cstate); 3758 } 3759 3760 struct block * 3761 gen_llc_i(compiler_state_t *cstate) 3762 { 3763 struct block *b0, *b1; 3764 struct slist *s; 3765 3766 /* 3767 * Catch errors reported by us and routines below us, and return NULL 3768 * on an error. 3769 */ 3770 if (setjmp(cstate->top_ctx)) 3771 return (NULL); 3772 3773 /* 3774 * Check whether this is an LLC frame. 3775 */ 3776 b0 = gen_llc_internal(cstate); 3777 3778 /* 3779 * Load the control byte and test the low-order bit; it must 3780 * be clear for I frames. 3781 */ 3782 s = gen_load_a(cstate, OR_LLC, 2, BPF_B); 3783 b1 = new_block(cstate, JMP(BPF_JSET)); 3784 b1->s.k = 0x01; 3785 b1->stmts = s; 3786 gen_not(b1); 3787 gen_and(b0, b1); 3788 return b1; 3789 } 3790 3791 struct block * 3792 gen_llc_s(compiler_state_t *cstate) 3793 { 3794 struct block *b0, *b1; 3795 3796 /* 3797 * Catch errors reported by us and routines below us, and return NULL 3798 * on an error. 3799 */ 3800 if (setjmp(cstate->top_ctx)) 3801 return (NULL); 3802 3803 /* 3804 * Check whether this is an LLC frame. 3805 */ 3806 b0 = gen_llc_internal(cstate); 3807 3808 /* 3809 * Now compare the low-order 2 bit of the control byte against 3810 * the appropriate value for S frames. 3811 */ 3812 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03); 3813 gen_and(b0, b1); 3814 return b1; 3815 } 3816 3817 struct block * 3818 gen_llc_u(compiler_state_t *cstate) 3819 { 3820 struct block *b0, *b1; 3821 3822 /* 3823 * Catch errors reported by us and routines below us, and return NULL 3824 * on an error. 3825 */ 3826 if (setjmp(cstate->top_ctx)) 3827 return (NULL); 3828 3829 /* 3830 * Check whether this is an LLC frame. 3831 */ 3832 b0 = gen_llc_internal(cstate); 3833 3834 /* 3835 * Now compare the low-order 2 bit of the control byte against 3836 * the appropriate value for U frames. 3837 */ 3838 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03); 3839 gen_and(b0, b1); 3840 return b1; 3841 } 3842 3843 struct block * 3844 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3845 { 3846 struct block *b0, *b1; 3847 3848 /* 3849 * Catch errors reported by us and routines below us, and return NULL 3850 * on an error. 3851 */ 3852 if (setjmp(cstate->top_ctx)) 3853 return (NULL); 3854 3855 /* 3856 * Check whether this is an LLC frame. 3857 */ 3858 b0 = gen_llc_internal(cstate); 3859 3860 /* 3861 * Now check for an S frame with the appropriate type. 3862 */ 3863 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3864 gen_and(b0, b1); 3865 return b1; 3866 } 3867 3868 struct block * 3869 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3870 { 3871 struct block *b0, *b1; 3872 3873 /* 3874 * Catch errors reported by us and routines below us, and return NULL 3875 * on an error. 3876 */ 3877 if (setjmp(cstate->top_ctx)) 3878 return (NULL); 3879 3880 /* 3881 * Check whether this is an LLC frame. 3882 */ 3883 b0 = gen_llc_internal(cstate); 3884 3885 /* 3886 * Now check for a U frame with the appropriate type. 3887 */ 3888 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3889 gen_and(b0, b1); 3890 return b1; 3891 } 3892 3893 /* 3894 * Generate code to match a particular packet type, for link-layer types 3895 * using 802.2 LLC headers. 3896 * 3897 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3898 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3899 * 3900 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3901 * value, if <= ETHERMTU. We use that to determine whether to 3902 * match the DSAP or both DSAP and LSAP or to check the OUI and 3903 * protocol ID in a SNAP header. 3904 */ 3905 static struct block * 3906 gen_llc_linktype(compiler_state_t *cstate, int proto) 3907 { 3908 /* 3909 * XXX - handle token-ring variable-length header. 3910 */ 3911 switch (proto) { 3912 3913 case LLCSAP_IP: 3914 case LLCSAP_ISONS: 3915 case LLCSAP_NETBEUI: 3916 /* 3917 * XXX - should we check both the DSAP and the 3918 * SSAP, like this, or should we check just the 3919 * DSAP, as we do for other SAP values? 3920 */ 3921 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32) 3922 ((proto << 8) | proto)); 3923 3924 case LLCSAP_IPX: 3925 /* 3926 * XXX - are there ever SNAP frames for IPX on 3927 * non-Ethernet 802.x networks? 3928 */ 3929 return gen_cmp(cstate, OR_LLC, 0, BPF_B, 3930 (bpf_int32)LLCSAP_IPX); 3931 3932 case ETHERTYPE_ATALK: 3933 /* 3934 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3935 * SNAP packets with an organization code of 3936 * 0x080007 (Apple, for Appletalk) and a protocol 3937 * type of ETHERTYPE_ATALK (Appletalk). 3938 * 3939 * XXX - check for an organization code of 3940 * encapsulated Ethernet as well? 3941 */ 3942 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 3943 3944 default: 3945 /* 3946 * XXX - we don't have to check for IPX 802.3 3947 * here, but should we check for the IPX Ethertype? 3948 */ 3949 if (proto <= ETHERMTU) { 3950 /* 3951 * This is an LLC SAP value, so check 3952 * the DSAP. 3953 */ 3954 return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto); 3955 } else { 3956 /* 3957 * This is an Ethernet type; we assume that it's 3958 * unlikely that it'll appear in the right place 3959 * at random, and therefore check only the 3960 * location that would hold the Ethernet type 3961 * in a SNAP frame with an organization code of 3962 * 0x000000 (encapsulated Ethernet). 3963 * 3964 * XXX - if we were to check for the SNAP DSAP and 3965 * LSAP, as per XXX, and were also to check for an 3966 * organization code of 0x000000 (encapsulated 3967 * Ethernet), we'd do 3968 * 3969 * return gen_snap(cstate, 0x000000, proto); 3970 * 3971 * here; for now, we don't, as per the above. 3972 * I don't know whether it's worth the extra CPU 3973 * time to do the right check or not. 3974 */ 3975 return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto); 3976 } 3977 } 3978 } 3979 3980 static struct block * 3981 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 3982 int dir, int proto, u_int src_off, u_int dst_off) 3983 { 3984 struct block *b0, *b1; 3985 u_int offset; 3986 3987 switch (dir) { 3988 3989 case Q_SRC: 3990 offset = src_off; 3991 break; 3992 3993 case Q_DST: 3994 offset = dst_off; 3995 break; 3996 3997 case Q_AND: 3998 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3999 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 4000 gen_and(b0, b1); 4001 return b1; 4002 4003 case Q_DEFAULT: 4004 case Q_OR: 4005 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 4006 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 4007 gen_or(b0, b1); 4008 return b1; 4009 4010 case Q_ADDR1: 4011 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4012 /*NOTREACHED*/ 4013 4014 case Q_ADDR2: 4015 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4016 /*NOTREACHED*/ 4017 4018 case Q_ADDR3: 4019 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4020 /*NOTREACHED*/ 4021 4022 case Q_ADDR4: 4023 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4024 /*NOTREACHED*/ 4025 4026 case Q_RA: 4027 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4028 /*NOTREACHED*/ 4029 4030 case Q_TA: 4031 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4032 /*NOTREACHED*/ 4033 4034 default: 4035 abort(); 4036 /*NOTREACHED*/ 4037 } 4038 b0 = gen_linktype(cstate, proto); 4039 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask); 4040 gen_and(b0, b1); 4041 return b1; 4042 } 4043 4044 #ifdef INET6 4045 static struct block * 4046 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr, 4047 struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off) 4048 { 4049 struct block *b0, *b1; 4050 u_int offset; 4051 uint32_t *a, *m; 4052 4053 switch (dir) { 4054 4055 case Q_SRC: 4056 offset = src_off; 4057 break; 4058 4059 case Q_DST: 4060 offset = dst_off; 4061 break; 4062 4063 case Q_AND: 4064 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 4065 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 4066 gen_and(b0, b1); 4067 return b1; 4068 4069 case Q_DEFAULT: 4070 case Q_OR: 4071 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 4072 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 4073 gen_or(b0, b1); 4074 return b1; 4075 4076 case Q_ADDR1: 4077 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4078 /*NOTREACHED*/ 4079 4080 case Q_ADDR2: 4081 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4082 /*NOTREACHED*/ 4083 4084 case Q_ADDR3: 4085 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4086 /*NOTREACHED*/ 4087 4088 case Q_ADDR4: 4089 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4090 /*NOTREACHED*/ 4091 4092 case Q_RA: 4093 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4094 /*NOTREACHED*/ 4095 4096 case Q_TA: 4097 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4098 /*NOTREACHED*/ 4099 4100 default: 4101 abort(); 4102 /*NOTREACHED*/ 4103 } 4104 /* this order is important */ 4105 a = (uint32_t *)addr; 4106 m = (uint32_t *)mask; 4107 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 4108 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 4109 gen_and(b0, b1); 4110 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 4111 gen_and(b0, b1); 4112 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 4113 gen_and(b0, b1); 4114 b0 = gen_linktype(cstate, proto); 4115 gen_and(b0, b1); 4116 return b1; 4117 } 4118 #endif 4119 4120 static struct block * 4121 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4122 { 4123 register struct block *b0, *b1; 4124 4125 switch (dir) { 4126 case Q_SRC: 4127 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr); 4128 4129 case Q_DST: 4130 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr); 4131 4132 case Q_AND: 4133 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 4134 b1 = gen_ehostop(cstate, eaddr, Q_DST); 4135 gen_and(b0, b1); 4136 return b1; 4137 4138 case Q_DEFAULT: 4139 case Q_OR: 4140 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 4141 b1 = gen_ehostop(cstate, eaddr, Q_DST); 4142 gen_or(b0, b1); 4143 return b1; 4144 4145 case Q_ADDR1: 4146 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers"); 4147 /*NOTREACHED*/ 4148 4149 case Q_ADDR2: 4150 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers"); 4151 /*NOTREACHED*/ 4152 4153 case Q_ADDR3: 4154 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers"); 4155 /*NOTREACHED*/ 4156 4157 case Q_ADDR4: 4158 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers"); 4159 /*NOTREACHED*/ 4160 4161 case Q_RA: 4162 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers"); 4163 /*NOTREACHED*/ 4164 4165 case Q_TA: 4166 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers"); 4167 /*NOTREACHED*/ 4168 } 4169 abort(); 4170 /*NOTREACHED*/ 4171 } 4172 4173 /* 4174 * Like gen_ehostop, but for DLT_FDDI 4175 */ 4176 static struct block * 4177 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4178 { 4179 struct block *b0, *b1; 4180 4181 switch (dir) { 4182 case Q_SRC: 4183 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr); 4184 4185 case Q_DST: 4186 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr); 4187 4188 case Q_AND: 4189 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4190 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4191 gen_and(b0, b1); 4192 return b1; 4193 4194 case Q_DEFAULT: 4195 case Q_OR: 4196 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4197 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4198 gen_or(b0, b1); 4199 return b1; 4200 4201 case Q_ADDR1: 4202 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4203 /*NOTREACHED*/ 4204 4205 case Q_ADDR2: 4206 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4207 /*NOTREACHED*/ 4208 4209 case Q_ADDR3: 4210 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4211 /*NOTREACHED*/ 4212 4213 case Q_ADDR4: 4214 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4215 /*NOTREACHED*/ 4216 4217 case Q_RA: 4218 bpf_error(cstate, "'ra' is only supported on 802.11"); 4219 /*NOTREACHED*/ 4220 4221 case Q_TA: 4222 bpf_error(cstate, "'ta' is only supported on 802.11"); 4223 /*NOTREACHED*/ 4224 } 4225 abort(); 4226 /*NOTREACHED*/ 4227 } 4228 4229 /* 4230 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 4231 */ 4232 static struct block * 4233 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4234 { 4235 register struct block *b0, *b1; 4236 4237 switch (dir) { 4238 case Q_SRC: 4239 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr); 4240 4241 case Q_DST: 4242 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4243 4244 case Q_AND: 4245 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4246 b1 = gen_thostop(cstate, eaddr, Q_DST); 4247 gen_and(b0, b1); 4248 return b1; 4249 4250 case Q_DEFAULT: 4251 case Q_OR: 4252 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4253 b1 = gen_thostop(cstate, eaddr, Q_DST); 4254 gen_or(b0, b1); 4255 return b1; 4256 4257 case Q_ADDR1: 4258 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4259 /*NOTREACHED*/ 4260 4261 case Q_ADDR2: 4262 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4263 /*NOTREACHED*/ 4264 4265 case Q_ADDR3: 4266 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4267 /*NOTREACHED*/ 4268 4269 case Q_ADDR4: 4270 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4271 /*NOTREACHED*/ 4272 4273 case Q_RA: 4274 bpf_error(cstate, "'ra' is only supported on 802.11"); 4275 /*NOTREACHED*/ 4276 4277 case Q_TA: 4278 bpf_error(cstate, "'ta' is only supported on 802.11"); 4279 /*NOTREACHED*/ 4280 } 4281 abort(); 4282 /*NOTREACHED*/ 4283 } 4284 4285 /* 4286 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 4287 * various 802.11 + radio headers. 4288 */ 4289 static struct block * 4290 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4291 { 4292 register struct block *b0, *b1, *b2; 4293 register struct slist *s; 4294 4295 #ifdef ENABLE_WLAN_FILTERING_PATCH 4296 /* 4297 * TODO GV 20070613 4298 * We need to disable the optimizer because the optimizer is buggy 4299 * and wipes out some LD instructions generated by the below 4300 * code to validate the Frame Control bits 4301 */ 4302 cstate->no_optimize = 1; 4303 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 4304 4305 switch (dir) { 4306 case Q_SRC: 4307 /* 4308 * Oh, yuk. 4309 * 4310 * For control frames, there is no SA. 4311 * 4312 * For management frames, SA is at an 4313 * offset of 10 from the beginning of 4314 * the packet. 4315 * 4316 * For data frames, SA is at an offset 4317 * of 10 from the beginning of the packet 4318 * if From DS is clear, at an offset of 4319 * 16 from the beginning of the packet 4320 * if From DS is set and To DS is clear, 4321 * and an offset of 24 from the beginning 4322 * of the packet if From DS is set and To DS 4323 * is set. 4324 */ 4325 4326 /* 4327 * Generate the tests to be done for data frames 4328 * with From DS set. 4329 * 4330 * First, check for To DS set, i.e. check "link[1] & 0x01". 4331 */ 4332 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4333 b1 = new_block(cstate, JMP(BPF_JSET)); 4334 b1->s.k = 0x01; /* To DS */ 4335 b1->stmts = s; 4336 4337 /* 4338 * If To DS is set, the SA is at 24. 4339 */ 4340 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4341 gen_and(b1, b0); 4342 4343 /* 4344 * Now, check for To DS not set, i.e. check 4345 * "!(link[1] & 0x01)". 4346 */ 4347 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4348 b2 = new_block(cstate, JMP(BPF_JSET)); 4349 b2->s.k = 0x01; /* To DS */ 4350 b2->stmts = s; 4351 gen_not(b2); 4352 4353 /* 4354 * If To DS is not set, the SA is at 16. 4355 */ 4356 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4357 gen_and(b2, b1); 4358 4359 /* 4360 * Now OR together the last two checks. That gives 4361 * the complete set of checks for data frames with 4362 * From DS set. 4363 */ 4364 gen_or(b1, b0); 4365 4366 /* 4367 * Now check for From DS being set, and AND that with 4368 * the ORed-together checks. 4369 */ 4370 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4371 b1 = new_block(cstate, JMP(BPF_JSET)); 4372 b1->s.k = 0x02; /* From DS */ 4373 b1->stmts = s; 4374 gen_and(b1, b0); 4375 4376 /* 4377 * Now check for data frames with From DS not set. 4378 */ 4379 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4380 b2 = new_block(cstate, JMP(BPF_JSET)); 4381 b2->s.k = 0x02; /* From DS */ 4382 b2->stmts = s; 4383 gen_not(b2); 4384 4385 /* 4386 * If From DS isn't set, the SA is at 10. 4387 */ 4388 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4389 gen_and(b2, b1); 4390 4391 /* 4392 * Now OR together the checks for data frames with 4393 * From DS not set and for data frames with From DS 4394 * set; that gives the checks done for data frames. 4395 */ 4396 gen_or(b1, b0); 4397 4398 /* 4399 * Now check for a data frame. 4400 * I.e, check "link[0] & 0x08". 4401 */ 4402 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4403 b1 = new_block(cstate, JMP(BPF_JSET)); 4404 b1->s.k = 0x08; 4405 b1->stmts = s; 4406 4407 /* 4408 * AND that with the checks done for data frames. 4409 */ 4410 gen_and(b1, b0); 4411 4412 /* 4413 * If the high-order bit of the type value is 0, this 4414 * is a management frame. 4415 * I.e, check "!(link[0] & 0x08)". 4416 */ 4417 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4418 b2 = new_block(cstate, JMP(BPF_JSET)); 4419 b2->s.k = 0x08; 4420 b2->stmts = s; 4421 gen_not(b2); 4422 4423 /* 4424 * For management frames, the SA is at 10. 4425 */ 4426 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4427 gen_and(b2, b1); 4428 4429 /* 4430 * OR that with the checks done for data frames. 4431 * That gives the checks done for management and 4432 * data frames. 4433 */ 4434 gen_or(b1, b0); 4435 4436 /* 4437 * If the low-order bit of the type value is 1, 4438 * this is either a control frame or a frame 4439 * with a reserved type, and thus not a 4440 * frame with an SA. 4441 * 4442 * I.e., check "!(link[0] & 0x04)". 4443 */ 4444 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4445 b1 = new_block(cstate, JMP(BPF_JSET)); 4446 b1->s.k = 0x04; 4447 b1->stmts = s; 4448 gen_not(b1); 4449 4450 /* 4451 * AND that with the checks for data and management 4452 * frames. 4453 */ 4454 gen_and(b1, b0); 4455 return b0; 4456 4457 case Q_DST: 4458 /* 4459 * Oh, yuk. 4460 * 4461 * For control frames, there is no DA. 4462 * 4463 * For management frames, DA is at an 4464 * offset of 4 from the beginning of 4465 * the packet. 4466 * 4467 * For data frames, DA is at an offset 4468 * of 4 from the beginning of the packet 4469 * if To DS is clear and at an offset of 4470 * 16 from the beginning of the packet 4471 * if To DS is set. 4472 */ 4473 4474 /* 4475 * Generate the tests to be done for data frames. 4476 * 4477 * First, check for To DS set, i.e. "link[1] & 0x01". 4478 */ 4479 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4480 b1 = new_block(cstate, JMP(BPF_JSET)); 4481 b1->s.k = 0x01; /* To DS */ 4482 b1->stmts = s; 4483 4484 /* 4485 * If To DS is set, the DA is at 16. 4486 */ 4487 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4488 gen_and(b1, b0); 4489 4490 /* 4491 * Now, check for To DS not set, i.e. check 4492 * "!(link[1] & 0x01)". 4493 */ 4494 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4495 b2 = new_block(cstate, JMP(BPF_JSET)); 4496 b2->s.k = 0x01; /* To DS */ 4497 b2->stmts = s; 4498 gen_not(b2); 4499 4500 /* 4501 * If To DS is not set, the DA is at 4. 4502 */ 4503 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4504 gen_and(b2, b1); 4505 4506 /* 4507 * Now OR together the last two checks. That gives 4508 * the complete set of checks for data frames. 4509 */ 4510 gen_or(b1, b0); 4511 4512 /* 4513 * Now check for a data frame. 4514 * I.e, check "link[0] & 0x08". 4515 */ 4516 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4517 b1 = new_block(cstate, JMP(BPF_JSET)); 4518 b1->s.k = 0x08; 4519 b1->stmts = s; 4520 4521 /* 4522 * AND that with the checks done for data frames. 4523 */ 4524 gen_and(b1, b0); 4525 4526 /* 4527 * If the high-order bit of the type value is 0, this 4528 * is a management frame. 4529 * I.e, check "!(link[0] & 0x08)". 4530 */ 4531 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4532 b2 = new_block(cstate, JMP(BPF_JSET)); 4533 b2->s.k = 0x08; 4534 b2->stmts = s; 4535 gen_not(b2); 4536 4537 /* 4538 * For management frames, the DA is at 4. 4539 */ 4540 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4541 gen_and(b2, b1); 4542 4543 /* 4544 * OR that with the checks done for data frames. 4545 * That gives the checks done for management and 4546 * data frames. 4547 */ 4548 gen_or(b1, b0); 4549 4550 /* 4551 * If the low-order bit of the type value is 1, 4552 * this is either a control frame or a frame 4553 * with a reserved type, and thus not a 4554 * frame with an SA. 4555 * 4556 * I.e., check "!(link[0] & 0x04)". 4557 */ 4558 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4559 b1 = new_block(cstate, JMP(BPF_JSET)); 4560 b1->s.k = 0x04; 4561 b1->stmts = s; 4562 gen_not(b1); 4563 4564 /* 4565 * AND that with the checks for data and management 4566 * frames. 4567 */ 4568 gen_and(b1, b0); 4569 return b0; 4570 4571 case Q_AND: 4572 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4573 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4574 gen_and(b0, b1); 4575 return b1; 4576 4577 case Q_DEFAULT: 4578 case Q_OR: 4579 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4580 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4581 gen_or(b0, b1); 4582 return b1; 4583 4584 /* 4585 * XXX - add BSSID keyword? 4586 */ 4587 case Q_ADDR1: 4588 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr)); 4589 4590 case Q_ADDR2: 4591 /* 4592 * Not present in CTS or ACK control frames. 4593 */ 4594 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4595 IEEE80211_FC0_TYPE_MASK); 4596 gen_not(b0); 4597 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4598 IEEE80211_FC0_SUBTYPE_MASK); 4599 gen_not(b1); 4600 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4601 IEEE80211_FC0_SUBTYPE_MASK); 4602 gen_not(b2); 4603 gen_and(b1, b2); 4604 gen_or(b0, b2); 4605 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4606 gen_and(b2, b1); 4607 return b1; 4608 4609 case Q_ADDR3: 4610 /* 4611 * Not present in control frames. 4612 */ 4613 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4614 IEEE80211_FC0_TYPE_MASK); 4615 gen_not(b0); 4616 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4617 gen_and(b0, b1); 4618 return b1; 4619 4620 case Q_ADDR4: 4621 /* 4622 * Present only if the direction mask has both "From DS" 4623 * and "To DS" set. Neither control frames nor management 4624 * frames should have both of those set, so we don't 4625 * check the frame type. 4626 */ 4627 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, 4628 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4629 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4630 gen_and(b0, b1); 4631 return b1; 4632 4633 case Q_RA: 4634 /* 4635 * Not present in management frames; addr1 in other 4636 * frames. 4637 */ 4638 4639 /* 4640 * If the high-order bit of the type value is 0, this 4641 * is a management frame. 4642 * I.e, check "(link[0] & 0x08)". 4643 */ 4644 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4645 b1 = new_block(cstate, JMP(BPF_JSET)); 4646 b1->s.k = 0x08; 4647 b1->stmts = s; 4648 4649 /* 4650 * Check addr1. 4651 */ 4652 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4653 4654 /* 4655 * AND that with the check of addr1. 4656 */ 4657 gen_and(b1, b0); 4658 return (b0); 4659 4660 case Q_TA: 4661 /* 4662 * Not present in management frames; addr2, if present, 4663 * in other frames. 4664 */ 4665 4666 /* 4667 * Not present in CTS or ACK control frames. 4668 */ 4669 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4670 IEEE80211_FC0_TYPE_MASK); 4671 gen_not(b0); 4672 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4673 IEEE80211_FC0_SUBTYPE_MASK); 4674 gen_not(b1); 4675 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4676 IEEE80211_FC0_SUBTYPE_MASK); 4677 gen_not(b2); 4678 gen_and(b1, b2); 4679 gen_or(b0, b2); 4680 4681 /* 4682 * If the high-order bit of the type value is 0, this 4683 * is a management frame. 4684 * I.e, check "(link[0] & 0x08)". 4685 */ 4686 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4687 b1 = new_block(cstate, JMP(BPF_JSET)); 4688 b1->s.k = 0x08; 4689 b1->stmts = s; 4690 4691 /* 4692 * AND that with the check for frames other than 4693 * CTS and ACK frames. 4694 */ 4695 gen_and(b1, b2); 4696 4697 /* 4698 * Check addr2. 4699 */ 4700 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4701 gen_and(b2, b1); 4702 return b1; 4703 } 4704 abort(); 4705 /*NOTREACHED*/ 4706 } 4707 4708 /* 4709 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4710 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4711 * as the RFC states.) 4712 */ 4713 static struct block * 4714 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4715 { 4716 register struct block *b0, *b1; 4717 4718 switch (dir) { 4719 case Q_SRC: 4720 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4721 4722 case Q_DST: 4723 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4724 4725 case Q_AND: 4726 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4727 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4728 gen_and(b0, b1); 4729 return b1; 4730 4731 case Q_DEFAULT: 4732 case Q_OR: 4733 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4734 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4735 gen_or(b0, b1); 4736 return b1; 4737 4738 case Q_ADDR1: 4739 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4740 /*NOTREACHED*/ 4741 4742 case Q_ADDR2: 4743 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4744 /*NOTREACHED*/ 4745 4746 case Q_ADDR3: 4747 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4748 /*NOTREACHED*/ 4749 4750 case Q_ADDR4: 4751 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4752 /*NOTREACHED*/ 4753 4754 case Q_RA: 4755 bpf_error(cstate, "'ra' is only supported on 802.11"); 4756 /*NOTREACHED*/ 4757 4758 case Q_TA: 4759 bpf_error(cstate, "'ta' is only supported on 802.11"); 4760 /*NOTREACHED*/ 4761 } 4762 abort(); 4763 /*NOTREACHED*/ 4764 } 4765 4766 /* 4767 * This is quite tricky because there may be pad bytes in front of the 4768 * DECNET header, and then there are two possible data packet formats that 4769 * carry both src and dst addresses, plus 5 packet types in a format that 4770 * carries only the src node, plus 2 types that use a different format and 4771 * also carry just the src node. 4772 * 4773 * Yuck. 4774 * 4775 * Instead of doing those all right, we just look for data packets with 4776 * 0 or 1 bytes of padding. If you want to look at other packets, that 4777 * will require a lot more hacking. 4778 * 4779 * To add support for filtering on DECNET "areas" (network numbers) 4780 * one would want to add a "mask" argument to this routine. That would 4781 * make the filter even more inefficient, although one could be clever 4782 * and not generate masking instructions if the mask is 0xFFFF. 4783 */ 4784 static struct block * 4785 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir) 4786 { 4787 struct block *b0, *b1, *b2, *tmp; 4788 u_int offset_lh; /* offset if long header is received */ 4789 u_int offset_sh; /* offset if short header is received */ 4790 4791 switch (dir) { 4792 4793 case Q_DST: 4794 offset_sh = 1; /* follows flags */ 4795 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4796 break; 4797 4798 case Q_SRC: 4799 offset_sh = 3; /* follows flags, dstnode */ 4800 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4801 break; 4802 4803 case Q_AND: 4804 /* Inefficient because we do our Calvinball dance twice */ 4805 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4806 b1 = gen_dnhostop(cstate, addr, Q_DST); 4807 gen_and(b0, b1); 4808 return b1; 4809 4810 case Q_DEFAULT: 4811 case Q_OR: 4812 /* Inefficient because we do our Calvinball dance twice */ 4813 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4814 b1 = gen_dnhostop(cstate, addr, Q_DST); 4815 gen_or(b0, b1); 4816 return b1; 4817 4818 case Q_ADDR1: 4819 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4820 /*NOTREACHED*/ 4821 4822 case Q_ADDR2: 4823 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4824 /*NOTREACHED*/ 4825 4826 case Q_ADDR3: 4827 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4828 /*NOTREACHED*/ 4829 4830 case Q_ADDR4: 4831 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 4832 /*NOTREACHED*/ 4833 4834 case Q_RA: 4835 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4836 /*NOTREACHED*/ 4837 4838 case Q_TA: 4839 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 4840 /*NOTREACHED*/ 4841 4842 default: 4843 abort(); 4844 /*NOTREACHED*/ 4845 } 4846 b0 = gen_linktype(cstate, ETHERTYPE_DN); 4847 /* Check for pad = 1, long header case */ 4848 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4849 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4850 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh, 4851 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4852 gen_and(tmp, b1); 4853 /* Check for pad = 0, long header case */ 4854 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4855 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4856 gen_and(tmp, b2); 4857 gen_or(b2, b1); 4858 /* Check for pad = 1, short header case */ 4859 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4860 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4861 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4862 gen_and(tmp, b2); 4863 gen_or(b2, b1); 4864 /* Check for pad = 0, short header case */ 4865 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4866 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4867 gen_and(tmp, b2); 4868 gen_or(b2, b1); 4869 4870 /* Combine with test for cstate->linktype */ 4871 gen_and(b0, b1); 4872 return b1; 4873 } 4874 4875 /* 4876 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4877 * test the bottom-of-stack bit, and then check the version number 4878 * field in the IP header. 4879 */ 4880 static struct block * 4881 gen_mpls_linktype(compiler_state_t *cstate, int proto) 4882 { 4883 struct block *b0, *b1; 4884 4885 switch (proto) { 4886 4887 case Q_IP: 4888 /* match the bottom-of-stack bit */ 4889 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4890 /* match the IPv4 version number */ 4891 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0); 4892 gen_and(b0, b1); 4893 return b1; 4894 4895 case Q_IPV6: 4896 /* match the bottom-of-stack bit */ 4897 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4898 /* match the IPv4 version number */ 4899 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0); 4900 gen_and(b0, b1); 4901 return b1; 4902 4903 default: 4904 abort(); 4905 } 4906 } 4907 4908 static struct block * 4909 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 4910 int proto, int dir, int type) 4911 { 4912 struct block *b0, *b1; 4913 const char *typestr; 4914 4915 if (type == Q_NET) 4916 typestr = "net"; 4917 else 4918 typestr = "host"; 4919 4920 switch (proto) { 4921 4922 case Q_DEFAULT: 4923 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type); 4924 /* 4925 * Only check for non-IPv4 addresses if we're not 4926 * checking MPLS-encapsulated packets. 4927 */ 4928 if (cstate->label_stack_depth == 0) { 4929 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type); 4930 gen_or(b0, b1); 4931 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type); 4932 gen_or(b1, b0); 4933 } 4934 return b0; 4935 4936 case Q_LINK: 4937 bpf_error(cstate, "link-layer modifier applied to %s", typestr); 4938 4939 case Q_IP: 4940 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16); 4941 4942 case Q_RARP: 4943 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4944 4945 case Q_ARP: 4946 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4947 4948 case Q_SCTP: 4949 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4950 4951 case Q_TCP: 4952 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4953 4954 case Q_UDP: 4955 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4956 4957 case Q_ICMP: 4958 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4959 4960 case Q_IGMP: 4961 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4962 4963 case Q_IGRP: 4964 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4965 4966 case Q_ATALK: 4967 bpf_error(cstate, "AppleTalk host filtering not implemented"); 4968 4969 case Q_DECNET: 4970 return gen_dnhostop(cstate, addr, dir); 4971 4972 case Q_LAT: 4973 bpf_error(cstate, "LAT host filtering not implemented"); 4974 4975 case Q_SCA: 4976 bpf_error(cstate, "SCA host filtering not implemented"); 4977 4978 case Q_MOPRC: 4979 bpf_error(cstate, "MOPRC host filtering not implemented"); 4980 4981 case Q_MOPDL: 4982 bpf_error(cstate, "MOPDL host filtering not implemented"); 4983 4984 case Q_IPV6: 4985 bpf_error(cstate, "'ip6' modifier applied to ip host"); 4986 4987 case Q_ICMPV6: 4988 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4989 4990 case Q_AH: 4991 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4992 4993 case Q_ESP: 4994 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 4995 4996 case Q_PIM: 4997 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 4998 4999 case Q_VRRP: 5000 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 5001 5002 case Q_AARP: 5003 bpf_error(cstate, "AARP host filtering not implemented"); 5004 5005 case Q_ISO: 5006 bpf_error(cstate, "ISO host filtering not implemented"); 5007 5008 case Q_ESIS: 5009 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 5010 5011 case Q_ISIS: 5012 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 5013 5014 case Q_CLNP: 5015 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 5016 5017 case Q_STP: 5018 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 5019 5020 case Q_IPX: 5021 bpf_error(cstate, "IPX host filtering not implemented"); 5022 5023 case Q_NETBEUI: 5024 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 5025 5026 case Q_ISIS_L1: 5027 bpf_error(cstate, "'l1' modifier applied to %s", typestr); 5028 5029 case Q_ISIS_L2: 5030 bpf_error(cstate, "'l2' modifier applied to %s", typestr); 5031 5032 case Q_ISIS_IIH: 5033 bpf_error(cstate, "'iih' modifier applied to %s", typestr); 5034 5035 case Q_ISIS_SNP: 5036 bpf_error(cstate, "'snp' modifier applied to %s", typestr); 5037 5038 case Q_ISIS_CSNP: 5039 bpf_error(cstate, "'csnp' modifier applied to %s", typestr); 5040 5041 case Q_ISIS_PSNP: 5042 bpf_error(cstate, "'psnp' modifier applied to %s", typestr); 5043 5044 case Q_ISIS_LSP: 5045 bpf_error(cstate, "'lsp' modifier applied to %s", typestr); 5046 5047 case Q_RADIO: 5048 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 5049 5050 case Q_CARP: 5051 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 5052 5053 default: 5054 abort(); 5055 } 5056 /*NOTREACHED*/ 5057 } 5058 5059 #ifdef INET6 5060 static struct block * 5061 gen_host6(compiler_state_t *cstate, struct in6_addr *addr, 5062 struct in6_addr *mask, int proto, int dir, int type) 5063 { 5064 const char *typestr; 5065 5066 if (type == Q_NET) 5067 typestr = "net"; 5068 else 5069 typestr = "host"; 5070 5071 switch (proto) { 5072 5073 case Q_DEFAULT: 5074 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type); 5075 5076 case Q_LINK: 5077 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr); 5078 5079 case Q_IP: 5080 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr); 5081 5082 case Q_RARP: 5083 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr); 5084 5085 case Q_ARP: 5086 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr); 5087 5088 case Q_SCTP: 5089 bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr); 5090 5091 case Q_TCP: 5092 bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr); 5093 5094 case Q_UDP: 5095 bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr); 5096 5097 case Q_ICMP: 5098 bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr); 5099 5100 case Q_IGMP: 5101 bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr); 5102 5103 case Q_IGRP: 5104 bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr); 5105 5106 case Q_ATALK: 5107 bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr); 5108 5109 case Q_DECNET: 5110 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr); 5111 5112 case Q_LAT: 5113 bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr); 5114 5115 case Q_SCA: 5116 bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr); 5117 5118 case Q_MOPRC: 5119 bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr); 5120 5121 case Q_MOPDL: 5122 bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr); 5123 5124 case Q_IPV6: 5125 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 5126 5127 case Q_ICMPV6: 5128 bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr); 5129 5130 case Q_AH: 5131 bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr); 5132 5133 case Q_ESP: 5134 bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr); 5135 5136 case Q_PIM: 5137 bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr); 5138 5139 case Q_VRRP: 5140 bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr); 5141 5142 case Q_AARP: 5143 bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr); 5144 5145 case Q_ISO: 5146 bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr); 5147 5148 case Q_ESIS: 5149 bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr); 5150 5151 case Q_ISIS: 5152 bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr); 5153 5154 case Q_CLNP: 5155 bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr); 5156 5157 case Q_STP: 5158 bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr); 5159 5160 case Q_IPX: 5161 bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr); 5162 5163 case Q_NETBEUI: 5164 bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr); 5165 5166 case Q_ISIS_L1: 5167 bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr); 5168 5169 case Q_ISIS_L2: 5170 bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr); 5171 5172 case Q_ISIS_IIH: 5173 bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr); 5174 5175 case Q_ISIS_SNP: 5176 bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr); 5177 5178 case Q_ISIS_CSNP: 5179 bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr); 5180 5181 case Q_ISIS_PSNP: 5182 bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr); 5183 5184 case Q_ISIS_LSP: 5185 bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr); 5186 5187 case Q_RADIO: 5188 bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr); 5189 5190 case Q_CARP: 5191 bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr); 5192 5193 default: 5194 abort(); 5195 } 5196 /*NOTREACHED*/ 5197 } 5198 #endif 5199 5200 #ifndef INET6 5201 static struct block * 5202 gen_gateway(compiler_state_t *cstate, const u_char *eaddr, 5203 struct addrinfo *alist, int proto, int dir) 5204 { 5205 struct block *b0, *b1, *tmp; 5206 struct addrinfo *ai; 5207 struct sockaddr_in *sin; 5208 5209 if (dir != 0) 5210 bpf_error(cstate, "direction applied to 'gateway'"); 5211 5212 switch (proto) { 5213 case Q_DEFAULT: 5214 case Q_IP: 5215 case Q_ARP: 5216 case Q_RARP: 5217 switch (cstate->linktype) { 5218 case DLT_EN10MB: 5219 case DLT_NETANALYZER: 5220 case DLT_NETANALYZER_TRANSPARENT: 5221 b1 = gen_prevlinkhdr_check(cstate); 5222 b0 = gen_ehostop(cstate, eaddr, Q_OR); 5223 if (b1 != NULL) 5224 gen_and(b1, b0); 5225 break; 5226 case DLT_FDDI: 5227 b0 = gen_fhostop(cstate, eaddr, Q_OR); 5228 break; 5229 case DLT_IEEE802: 5230 b0 = gen_thostop(cstate, eaddr, Q_OR); 5231 break; 5232 case DLT_IEEE802_11: 5233 case DLT_PRISM_HEADER: 5234 case DLT_IEEE802_11_RADIO_AVS: 5235 case DLT_IEEE802_11_RADIO: 5236 case DLT_PPI: 5237 b0 = gen_wlanhostop(cstate, eaddr, Q_OR); 5238 break; 5239 case DLT_SUNATM: 5240 /* 5241 * This is LLC-multiplexed traffic; if it were 5242 * LANE, cstate->linktype would have been set to 5243 * DLT_EN10MB. 5244 */ 5245 bpf_error(cstate, 5246 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5247 break; 5248 case DLT_IP_OVER_FC: 5249 b0 = gen_ipfchostop(cstate, eaddr, Q_OR); 5250 break; 5251 default: 5252 bpf_error(cstate, 5253 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5254 } 5255 b1 = NULL; 5256 for (ai = alist; ai != NULL; ai = ai->ai_next) { 5257 /* 5258 * Does it have an address? 5259 */ 5260 if (ai->ai_addr != NULL) { 5261 /* 5262 * Yes. Is it an IPv4 address? 5263 */ 5264 if (ai->ai_addr->sa_family == AF_INET) { 5265 /* 5266 * Generate an entry for it. 5267 */ 5268 sin = (struct sockaddr_in *)ai->ai_addr; 5269 tmp = gen_host(cstate, 5270 ntohl(sin->sin_addr.s_addr), 5271 0xffffffff, proto, Q_OR, Q_HOST); 5272 /* 5273 * Is it the *first* IPv4 address? 5274 */ 5275 if (b1 == NULL) { 5276 /* 5277 * Yes, so start with it. 5278 */ 5279 b1 = tmp; 5280 } else { 5281 /* 5282 * No, so OR it into the 5283 * existing set of 5284 * addresses. 5285 */ 5286 gen_or(b1, tmp); 5287 b1 = tmp; 5288 } 5289 } 5290 } 5291 } 5292 if (b1 == NULL) { 5293 /* 5294 * No IPv4 addresses found. 5295 */ 5296 return (NULL); 5297 } 5298 gen_not(b1); 5299 gen_and(b0, b1); 5300 return b1; 5301 } 5302 bpf_error(cstate, "illegal modifier of 'gateway'"); 5303 /*NOTREACHED*/ 5304 } 5305 #endif 5306 5307 static struct block * 5308 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto) 5309 { 5310 struct block *b0; 5311 struct block *b1; 5312 5313 switch (proto) { 5314 5315 case Q_SCTP: 5316 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT); 5317 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 5318 gen_or(b0, b1); 5319 break; 5320 5321 case Q_TCP: 5322 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT); 5323 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 5324 gen_or(b0, b1); 5325 break; 5326 5327 case Q_UDP: 5328 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT); 5329 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 5330 gen_or(b0, b1); 5331 break; 5332 5333 case Q_ICMP: 5334 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT); 5335 break; 5336 5337 #ifndef IPPROTO_IGMP 5338 #define IPPROTO_IGMP 2 5339 #endif 5340 5341 case Q_IGMP: 5342 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT); 5343 break; 5344 5345 #ifndef IPPROTO_IGRP 5346 #define IPPROTO_IGRP 9 5347 #endif 5348 case Q_IGRP: 5349 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT); 5350 break; 5351 5352 #ifndef IPPROTO_PIM 5353 #define IPPROTO_PIM 103 5354 #endif 5355 5356 case Q_PIM: 5357 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT); 5358 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 5359 gen_or(b0, b1); 5360 break; 5361 5362 #ifndef IPPROTO_VRRP 5363 #define IPPROTO_VRRP 112 5364 #endif 5365 5366 case Q_VRRP: 5367 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT); 5368 break; 5369 5370 #ifndef IPPROTO_CARP 5371 #define IPPROTO_CARP 112 5372 #endif 5373 5374 case Q_CARP: 5375 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT); 5376 break; 5377 5378 case Q_IP: 5379 b1 = gen_linktype(cstate, ETHERTYPE_IP); 5380 break; 5381 5382 case Q_ARP: 5383 b1 = gen_linktype(cstate, ETHERTYPE_ARP); 5384 break; 5385 5386 case Q_RARP: 5387 b1 = gen_linktype(cstate, ETHERTYPE_REVARP); 5388 break; 5389 5390 case Q_LINK: 5391 bpf_error(cstate, "link layer applied in wrong context"); 5392 5393 case Q_ATALK: 5394 b1 = gen_linktype(cstate, ETHERTYPE_ATALK); 5395 break; 5396 5397 case Q_AARP: 5398 b1 = gen_linktype(cstate, ETHERTYPE_AARP); 5399 break; 5400 5401 case Q_DECNET: 5402 b1 = gen_linktype(cstate, ETHERTYPE_DN); 5403 break; 5404 5405 case Q_SCA: 5406 b1 = gen_linktype(cstate, ETHERTYPE_SCA); 5407 break; 5408 5409 case Q_LAT: 5410 b1 = gen_linktype(cstate, ETHERTYPE_LAT); 5411 break; 5412 5413 case Q_MOPDL: 5414 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL); 5415 break; 5416 5417 case Q_MOPRC: 5418 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC); 5419 break; 5420 5421 case Q_IPV6: 5422 b1 = gen_linktype(cstate, ETHERTYPE_IPV6); 5423 break; 5424 5425 #ifndef IPPROTO_ICMPV6 5426 #define IPPROTO_ICMPV6 58 5427 #endif 5428 case Q_ICMPV6: 5429 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 5430 break; 5431 5432 #ifndef IPPROTO_AH 5433 #define IPPROTO_AH 51 5434 #endif 5435 case Q_AH: 5436 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT); 5437 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT); 5438 gen_or(b0, b1); 5439 break; 5440 5441 #ifndef IPPROTO_ESP 5442 #define IPPROTO_ESP 50 5443 #endif 5444 case Q_ESP: 5445 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT); 5446 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 5447 gen_or(b0, b1); 5448 break; 5449 5450 case Q_ISO: 5451 b1 = gen_linktype(cstate, LLCSAP_ISONS); 5452 break; 5453 5454 case Q_ESIS: 5455 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT); 5456 break; 5457 5458 case Q_ISIS: 5459 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5460 break; 5461 5462 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5463 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5464 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5465 gen_or(b0, b1); 5466 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5467 gen_or(b0, b1); 5468 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5469 gen_or(b0, b1); 5470 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5471 gen_or(b0, b1); 5472 break; 5473 5474 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5475 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5476 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5477 gen_or(b0, b1); 5478 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5479 gen_or(b0, b1); 5480 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5481 gen_or(b0, b1); 5482 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5483 gen_or(b0, b1); 5484 break; 5485 5486 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5487 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5488 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5489 gen_or(b0, b1); 5490 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5491 gen_or(b0, b1); 5492 break; 5493 5494 case Q_ISIS_LSP: 5495 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5496 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5497 gen_or(b0, b1); 5498 break; 5499 5500 case Q_ISIS_SNP: 5501 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5502 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5503 gen_or(b0, b1); 5504 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5505 gen_or(b0, b1); 5506 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5507 gen_or(b0, b1); 5508 break; 5509 5510 case Q_ISIS_CSNP: 5511 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5512 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5513 gen_or(b0, b1); 5514 break; 5515 5516 case Q_ISIS_PSNP: 5517 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5518 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5519 gen_or(b0, b1); 5520 break; 5521 5522 case Q_CLNP: 5523 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5524 break; 5525 5526 case Q_STP: 5527 b1 = gen_linktype(cstate, LLCSAP_8021D); 5528 break; 5529 5530 case Q_IPX: 5531 b1 = gen_linktype(cstate, LLCSAP_IPX); 5532 break; 5533 5534 case Q_NETBEUI: 5535 b1 = gen_linktype(cstate, LLCSAP_NETBEUI); 5536 break; 5537 5538 case Q_RADIO: 5539 bpf_error(cstate, "'radio' is not a valid protocol type"); 5540 5541 default: 5542 abort(); 5543 } 5544 return b1; 5545 } 5546 5547 struct block * 5548 gen_proto_abbrev(compiler_state_t *cstate, int proto) 5549 { 5550 /* 5551 * Catch errors reported by us and routines below us, and return NULL 5552 * on an error. 5553 */ 5554 if (setjmp(cstate->top_ctx)) 5555 return (NULL); 5556 5557 return gen_proto_abbrev_internal(cstate, proto); 5558 } 5559 5560 static struct block * 5561 gen_ipfrag(compiler_state_t *cstate) 5562 { 5563 struct slist *s; 5564 struct block *b; 5565 5566 /* not IPv4 frag other than the first frag */ 5567 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H); 5568 b = new_block(cstate, JMP(BPF_JSET)); 5569 b->s.k = 0x1fff; 5570 b->stmts = s; 5571 gen_not(b); 5572 5573 return b; 5574 } 5575 5576 /* 5577 * Generate a comparison to a port value in the transport-layer header 5578 * at the specified offset from the beginning of that header. 5579 * 5580 * XXX - this handles a variable-length prefix preceding the link-layer 5581 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5582 * variable-length link-layer headers (such as Token Ring or 802.11 5583 * headers). 5584 */ 5585 static struct block * 5586 gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v) 5587 { 5588 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v); 5589 } 5590 5591 static struct block * 5592 gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v) 5593 { 5594 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v); 5595 } 5596 5597 struct block * 5598 gen_portop(compiler_state_t *cstate, int port, int proto, int dir) 5599 { 5600 struct block *b0, *b1, *tmp; 5601 5602 /* ip proto 'proto' and not a fragment other than the first fragment */ 5603 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5604 b0 = gen_ipfrag(cstate); 5605 gen_and(tmp, b0); 5606 5607 switch (dir) { 5608 case Q_SRC: 5609 b1 = gen_portatom(cstate, 0, (bpf_int32)port); 5610 break; 5611 5612 case Q_DST: 5613 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5614 break; 5615 5616 case Q_AND: 5617 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5618 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5619 gen_and(tmp, b1); 5620 break; 5621 5622 case Q_DEFAULT: 5623 case Q_OR: 5624 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5625 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5626 gen_or(tmp, b1); 5627 break; 5628 5629 case Q_ADDR1: 5630 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for ports"); 5631 /*NOTREACHED*/ 5632 5633 case Q_ADDR2: 5634 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for ports"); 5635 /*NOTREACHED*/ 5636 5637 case Q_ADDR3: 5638 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for ports"); 5639 /*NOTREACHED*/ 5640 5641 case Q_ADDR4: 5642 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for ports"); 5643 /*NOTREACHED*/ 5644 5645 case Q_RA: 5646 bpf_error(cstate, "'ra' is not a valid qualifier for ports"); 5647 /*NOTREACHED*/ 5648 5649 case Q_TA: 5650 bpf_error(cstate, "'ta' is not a valid qualifier for ports"); 5651 /*NOTREACHED*/ 5652 5653 default: 5654 abort(); 5655 /*NOTREACHED*/ 5656 } 5657 gen_and(b0, b1); 5658 5659 return b1; 5660 } 5661 5662 static struct block * 5663 gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir) 5664 { 5665 struct block *b0, *b1, *tmp; 5666 5667 /* 5668 * ether proto ip 5669 * 5670 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5671 * not LLC encapsulation with LLCSAP_IP. 5672 * 5673 * For IEEE 802 networks - which includes 802.5 token ring 5674 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5675 * says that SNAP encapsulation is used, not LLC encapsulation 5676 * with LLCSAP_IP. 5677 * 5678 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5679 * RFC 2225 say that SNAP encapsulation is used, not LLC 5680 * encapsulation with LLCSAP_IP. 5681 * 5682 * So we always check for ETHERTYPE_IP. 5683 */ 5684 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5685 5686 switch (ip_proto) { 5687 case IPPROTO_UDP: 5688 case IPPROTO_TCP: 5689 case IPPROTO_SCTP: 5690 b1 = gen_portop(cstate, port, ip_proto, dir); 5691 break; 5692 5693 case PROTO_UNDEF: 5694 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir); 5695 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir); 5696 gen_or(tmp, b1); 5697 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir); 5698 gen_or(tmp, b1); 5699 break; 5700 5701 default: 5702 abort(); 5703 } 5704 gen_and(b0, b1); 5705 return b1; 5706 } 5707 5708 struct block * 5709 gen_portop6(compiler_state_t *cstate, int port, int proto, int dir) 5710 { 5711 struct block *b0, *b1, *tmp; 5712 5713 /* ip6 proto 'proto' */ 5714 /* XXX - catch the first fragment of a fragmented packet? */ 5715 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5716 5717 switch (dir) { 5718 case Q_SRC: 5719 b1 = gen_portatom6(cstate, 0, (bpf_int32)port); 5720 break; 5721 5722 case Q_DST: 5723 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5724 break; 5725 5726 case Q_AND: 5727 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5728 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5729 gen_and(tmp, b1); 5730 break; 5731 5732 case Q_DEFAULT: 5733 case Q_OR: 5734 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5735 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5736 gen_or(tmp, b1); 5737 break; 5738 5739 default: 5740 abort(); 5741 } 5742 gen_and(b0, b1); 5743 5744 return b1; 5745 } 5746 5747 static struct block * 5748 gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir) 5749 { 5750 struct block *b0, *b1, *tmp; 5751 5752 /* link proto ip6 */ 5753 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5754 5755 switch (ip_proto) { 5756 case IPPROTO_UDP: 5757 case IPPROTO_TCP: 5758 case IPPROTO_SCTP: 5759 b1 = gen_portop6(cstate, port, ip_proto, dir); 5760 break; 5761 5762 case PROTO_UNDEF: 5763 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir); 5764 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir); 5765 gen_or(tmp, b1); 5766 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir); 5767 gen_or(tmp, b1); 5768 break; 5769 5770 default: 5771 abort(); 5772 } 5773 gen_and(b0, b1); 5774 return b1; 5775 } 5776 5777 /* gen_portrange code */ 5778 static struct block * 5779 gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1, 5780 bpf_int32 v2) 5781 { 5782 struct block *b1, *b2; 5783 5784 if (v1 > v2) { 5785 /* 5786 * Reverse the order of the ports, so v1 is the lower one. 5787 */ 5788 bpf_int32 vtemp; 5789 5790 vtemp = v1; 5791 v1 = v2; 5792 v2 = vtemp; 5793 } 5794 5795 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1); 5796 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2); 5797 5798 gen_and(b1, b2); 5799 5800 return b2; 5801 } 5802 5803 struct block * 5804 gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto, 5805 int dir) 5806 { 5807 struct block *b0, *b1, *tmp; 5808 5809 /* ip proto 'proto' and not a fragment other than the first fragment */ 5810 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5811 b0 = gen_ipfrag(cstate); 5812 gen_and(tmp, b0); 5813 5814 switch (dir) { 5815 case Q_SRC: 5816 b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5817 break; 5818 5819 case Q_DST: 5820 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5821 break; 5822 5823 case Q_AND: 5824 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5825 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5826 gen_and(tmp, b1); 5827 break; 5828 5829 case Q_DEFAULT: 5830 case Q_OR: 5831 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5832 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5833 gen_or(tmp, b1); 5834 break; 5835 5836 case Q_ADDR1: 5837 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for port ranges"); 5838 /*NOTREACHED*/ 5839 5840 case Q_ADDR2: 5841 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for port ranges"); 5842 /*NOTREACHED*/ 5843 5844 case Q_ADDR3: 5845 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for port ranges"); 5846 /*NOTREACHED*/ 5847 5848 case Q_ADDR4: 5849 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for port ranges"); 5850 /*NOTREACHED*/ 5851 5852 case Q_RA: 5853 bpf_error(cstate, "'ra' is not a valid qualifier for port ranges"); 5854 /*NOTREACHED*/ 5855 5856 case Q_TA: 5857 bpf_error(cstate, "'ta' is not a valid qualifier for port ranges"); 5858 /*NOTREACHED*/ 5859 5860 default: 5861 abort(); 5862 /*NOTREACHED*/ 5863 } 5864 gen_and(b0, b1); 5865 5866 return b1; 5867 } 5868 5869 static struct block * 5870 gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5871 int dir) 5872 { 5873 struct block *b0, *b1, *tmp; 5874 5875 /* link proto ip */ 5876 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5877 5878 switch (ip_proto) { 5879 case IPPROTO_UDP: 5880 case IPPROTO_TCP: 5881 case IPPROTO_SCTP: 5882 b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir); 5883 break; 5884 5885 case PROTO_UNDEF: 5886 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir); 5887 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir); 5888 gen_or(tmp, b1); 5889 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir); 5890 gen_or(tmp, b1); 5891 break; 5892 5893 default: 5894 abort(); 5895 } 5896 gen_and(b0, b1); 5897 return b1; 5898 } 5899 5900 static struct block * 5901 gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1, 5902 bpf_int32 v2) 5903 { 5904 struct block *b1, *b2; 5905 5906 if (v1 > v2) { 5907 /* 5908 * Reverse the order of the ports, so v1 is the lower one. 5909 */ 5910 bpf_int32 vtemp; 5911 5912 vtemp = v1; 5913 v1 = v2; 5914 v2 = vtemp; 5915 } 5916 5917 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1); 5918 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2); 5919 5920 gen_and(b1, b2); 5921 5922 return b2; 5923 } 5924 5925 struct block * 5926 gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto, 5927 int dir) 5928 { 5929 struct block *b0, *b1, *tmp; 5930 5931 /* ip6 proto 'proto' */ 5932 /* XXX - catch the first fragment of a fragmented packet? */ 5933 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5934 5935 switch (dir) { 5936 case Q_SRC: 5937 b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5938 break; 5939 5940 case Q_DST: 5941 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5942 break; 5943 5944 case Q_AND: 5945 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5946 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5947 gen_and(tmp, b1); 5948 break; 5949 5950 case Q_DEFAULT: 5951 case Q_OR: 5952 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5953 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5954 gen_or(tmp, b1); 5955 break; 5956 5957 default: 5958 abort(); 5959 } 5960 gen_and(b0, b1); 5961 5962 return b1; 5963 } 5964 5965 static struct block * 5966 gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5967 int dir) 5968 { 5969 struct block *b0, *b1, *tmp; 5970 5971 /* link proto ip6 */ 5972 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5973 5974 switch (ip_proto) { 5975 case IPPROTO_UDP: 5976 case IPPROTO_TCP: 5977 case IPPROTO_SCTP: 5978 b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir); 5979 break; 5980 5981 case PROTO_UNDEF: 5982 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir); 5983 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir); 5984 gen_or(tmp, b1); 5985 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir); 5986 gen_or(tmp, b1); 5987 break; 5988 5989 default: 5990 abort(); 5991 } 5992 gen_and(b0, b1); 5993 return b1; 5994 } 5995 5996 static int 5997 lookup_proto(compiler_state_t *cstate, const char *name, int proto) 5998 { 5999 register int v; 6000 6001 switch (proto) { 6002 6003 case Q_DEFAULT: 6004 case Q_IP: 6005 case Q_IPV6: 6006 v = pcap_nametoproto(name); 6007 if (v == PROTO_UNDEF) 6008 bpf_error(cstate, "unknown ip proto '%s'", name); 6009 break; 6010 6011 case Q_LINK: 6012 /* XXX should look up h/w protocol type based on cstate->linktype */ 6013 v = pcap_nametoeproto(name); 6014 if (v == PROTO_UNDEF) { 6015 v = pcap_nametollc(name); 6016 if (v == PROTO_UNDEF) 6017 bpf_error(cstate, "unknown ether proto '%s'", name); 6018 } 6019 break; 6020 6021 case Q_ISO: 6022 if (strcmp(name, "esis") == 0) 6023 v = ISO9542_ESIS; 6024 else if (strcmp(name, "isis") == 0) 6025 v = ISO10589_ISIS; 6026 else if (strcmp(name, "clnp") == 0) 6027 v = ISO8473_CLNP; 6028 else 6029 bpf_error(cstate, "unknown osi proto '%s'", name); 6030 break; 6031 6032 default: 6033 v = PROTO_UNDEF; 6034 break; 6035 } 6036 return v; 6037 } 6038 6039 #if 0 6040 struct stmt * 6041 gen_joinsp(struct stmt **s, int n) 6042 { 6043 return NULL; 6044 } 6045 #endif 6046 6047 static struct block * 6048 gen_protochain(compiler_state_t *cstate, int v, int proto, int dir) 6049 { 6050 #ifdef NO_PROTOCHAIN 6051 return gen_proto(cstate, v, proto, dir); 6052 #else 6053 struct block *b0, *b; 6054 struct slist *s[100]; 6055 int fix2, fix3, fix4, fix5; 6056 int ahcheck, again, end; 6057 int i, max; 6058 int reg2 = alloc_reg(cstate); 6059 6060 memset(s, 0, sizeof(s)); 6061 fix3 = fix4 = fix5 = 0; 6062 6063 switch (proto) { 6064 case Q_IP: 6065 case Q_IPV6: 6066 break; 6067 case Q_DEFAULT: 6068 b0 = gen_protochain(cstate, v, Q_IP, dir); 6069 b = gen_protochain(cstate, v, Q_IPV6, dir); 6070 gen_or(b0, b); 6071 return b; 6072 default: 6073 bpf_error(cstate, "bad protocol applied for 'protochain'"); 6074 /*NOTREACHED*/ 6075 } 6076 6077 /* 6078 * We don't handle variable-length prefixes before the link-layer 6079 * header, or variable-length link-layer headers, here yet. 6080 * We might want to add BPF instructions to do the protochain 6081 * work, to simplify that and, on platforms that have a BPF 6082 * interpreter with the new instructions, let the filtering 6083 * be done in the kernel. (We already require a modified BPF 6084 * engine to do the protochain stuff, to support backward 6085 * branches, and backward branch support is unlikely to appear 6086 * in kernel BPF engines.) 6087 */ 6088 if (cstate->off_linkpl.is_variable) 6089 bpf_error(cstate, "'protochain' not supported with variable length headers"); 6090 6091 cstate->no_optimize = 1; /* this code is not compatible with optimizer yet */ 6092 6093 /* 6094 * s[0] is a dummy entry to protect other BPF insn from damage 6095 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 6096 * hard to find interdependency made by jump table fixup. 6097 */ 6098 i = 0; 6099 s[i] = new_stmt(cstate, 0); /*dummy*/ 6100 i++; 6101 6102 switch (proto) { 6103 case Q_IP: 6104 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6105 6106 /* A = ip->ip_p */ 6107 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 6108 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9; 6109 i++; 6110 /* X = ip->ip_hl << 2 */ 6111 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 6112 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6113 i++; 6114 break; 6115 6116 case Q_IPV6: 6117 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6118 6119 /* A = ip6->ip_nxt */ 6120 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 6121 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6; 6122 i++; 6123 /* X = sizeof(struct ip6_hdr) */ 6124 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM); 6125 s[i]->s.k = 40; 6126 i++; 6127 break; 6128 6129 default: 6130 bpf_error(cstate, "unsupported proto to gen_protochain"); 6131 /*NOTREACHED*/ 6132 } 6133 6134 /* again: if (A == v) goto end; else fall through; */ 6135 again = i; 6136 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6137 s[i]->s.k = v; 6138 s[i]->s.jt = NULL; /*later*/ 6139 s[i]->s.jf = NULL; /*update in next stmt*/ 6140 fix5 = i; 6141 i++; 6142 6143 #ifndef IPPROTO_NONE 6144 #define IPPROTO_NONE 59 6145 #endif 6146 /* if (A == IPPROTO_NONE) goto end */ 6147 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6148 s[i]->s.jt = NULL; /*later*/ 6149 s[i]->s.jf = NULL; /*update in next stmt*/ 6150 s[i]->s.k = IPPROTO_NONE; 6151 s[fix5]->s.jf = s[i]; 6152 fix2 = i; 6153 i++; 6154 6155 if (proto == Q_IPV6) { 6156 int v6start, v6end, v6advance, j; 6157 6158 v6start = i; 6159 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 6160 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6161 s[i]->s.jt = NULL; /*later*/ 6162 s[i]->s.jf = NULL; /*update in next stmt*/ 6163 s[i]->s.k = IPPROTO_HOPOPTS; 6164 s[fix2]->s.jf = s[i]; 6165 i++; 6166 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 6167 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6168 s[i]->s.jt = NULL; /*later*/ 6169 s[i]->s.jf = NULL; /*update in next stmt*/ 6170 s[i]->s.k = IPPROTO_DSTOPTS; 6171 i++; 6172 /* if (A == IPPROTO_ROUTING) goto v6advance */ 6173 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6174 s[i]->s.jt = NULL; /*later*/ 6175 s[i]->s.jf = NULL; /*update in next stmt*/ 6176 s[i]->s.k = IPPROTO_ROUTING; 6177 i++; 6178 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 6179 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6180 s[i]->s.jt = NULL; /*later*/ 6181 s[i]->s.jf = NULL; /*later*/ 6182 s[i]->s.k = IPPROTO_FRAGMENT; 6183 fix3 = i; 6184 v6end = i; 6185 i++; 6186 6187 /* v6advance: */ 6188 v6advance = i; 6189 6190 /* 6191 * in short, 6192 * A = P[X + packet head]; 6193 * X = X + (P[X + packet head + 1] + 1) * 8; 6194 */ 6195 /* A = P[X + packet head] */ 6196 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6197 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6198 i++; 6199 /* MEM[reg2] = A */ 6200 s[i] = new_stmt(cstate, BPF_ST); 6201 s[i]->s.k = reg2; 6202 i++; 6203 /* A = P[X + packet head + 1]; */ 6204 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6205 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1; 6206 i++; 6207 /* A += 1 */ 6208 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6209 s[i]->s.k = 1; 6210 i++; 6211 /* A *= 8 */ 6212 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 6213 s[i]->s.k = 8; 6214 i++; 6215 /* A += X */ 6216 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 6217 s[i]->s.k = 0; 6218 i++; 6219 /* X = A; */ 6220 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6221 i++; 6222 /* A = MEM[reg2] */ 6223 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 6224 s[i]->s.k = reg2; 6225 i++; 6226 6227 /* goto again; (must use BPF_JA for backward jump) */ 6228 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 6229 s[i]->s.k = again - i - 1; 6230 s[i - 1]->s.jf = s[i]; 6231 i++; 6232 6233 /* fixup */ 6234 for (j = v6start; j <= v6end; j++) 6235 s[j]->s.jt = s[v6advance]; 6236 } else { 6237 /* nop */ 6238 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6239 s[i]->s.k = 0; 6240 s[fix2]->s.jf = s[i]; 6241 i++; 6242 } 6243 6244 /* ahcheck: */ 6245 ahcheck = i; 6246 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 6247 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 6248 s[i]->s.jt = NULL; /*later*/ 6249 s[i]->s.jf = NULL; /*later*/ 6250 s[i]->s.k = IPPROTO_AH; 6251 if (fix3) 6252 s[fix3]->s.jf = s[ahcheck]; 6253 fix4 = i; 6254 i++; 6255 6256 /* 6257 * in short, 6258 * A = P[X]; 6259 * X = X + (P[X + 1] + 2) * 4; 6260 */ 6261 /* A = X */ 6262 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 6263 i++; 6264 /* A = P[X + packet head]; */ 6265 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6266 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6267 i++; 6268 /* MEM[reg2] = A */ 6269 s[i] = new_stmt(cstate, BPF_ST); 6270 s[i]->s.k = reg2; 6271 i++; 6272 /* A = X */ 6273 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 6274 i++; 6275 /* A += 1 */ 6276 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6277 s[i]->s.k = 1; 6278 i++; 6279 /* X = A */ 6280 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6281 i++; 6282 /* A = P[X + packet head] */ 6283 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6284 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6285 i++; 6286 /* A += 2 */ 6287 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6288 s[i]->s.k = 2; 6289 i++; 6290 /* A *= 4 */ 6291 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 6292 s[i]->s.k = 4; 6293 i++; 6294 /* X = A; */ 6295 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6296 i++; 6297 /* A = MEM[reg2] */ 6298 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 6299 s[i]->s.k = reg2; 6300 i++; 6301 6302 /* goto again; (must use BPF_JA for backward jump) */ 6303 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 6304 s[i]->s.k = again - i - 1; 6305 i++; 6306 6307 /* end: nop */ 6308 end = i; 6309 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6310 s[i]->s.k = 0; 6311 s[fix2]->s.jt = s[end]; 6312 s[fix4]->s.jf = s[end]; 6313 s[fix5]->s.jt = s[end]; 6314 i++; 6315 6316 /* 6317 * make slist chain 6318 */ 6319 max = i; 6320 for (i = 0; i < max - 1; i++) 6321 s[i]->next = s[i + 1]; 6322 s[max - 1]->next = NULL; 6323 6324 /* 6325 * emit final check 6326 */ 6327 b = new_block(cstate, JMP(BPF_JEQ)); 6328 b->stmts = s[1]; /*remember, s[0] is dummy*/ 6329 b->s.k = v; 6330 6331 free_reg(cstate, reg2); 6332 6333 gen_and(b0, b); 6334 return b; 6335 #endif 6336 } 6337 6338 static struct block * 6339 gen_check_802_11_data_frame(compiler_state_t *cstate) 6340 { 6341 struct slist *s; 6342 struct block *b0, *b1; 6343 6344 /* 6345 * A data frame has the 0x08 bit (b3) in the frame control field set 6346 * and the 0x04 bit (b2) clear. 6347 */ 6348 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6349 b0 = new_block(cstate, JMP(BPF_JSET)); 6350 b0->s.k = 0x08; 6351 b0->stmts = s; 6352 6353 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6354 b1 = new_block(cstate, JMP(BPF_JSET)); 6355 b1->s.k = 0x04; 6356 b1->stmts = s; 6357 gen_not(b1); 6358 6359 gen_and(b1, b0); 6360 6361 return b0; 6362 } 6363 6364 /* 6365 * Generate code that checks whether the packet is a packet for protocol 6366 * <proto> and whether the type field in that protocol's header has 6367 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 6368 * IP packet and checks the protocol number in the IP header against <v>. 6369 * 6370 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 6371 * against Q_IP and Q_IPV6. 6372 */ 6373 static struct block * 6374 gen_proto(compiler_state_t *cstate, int v, int proto, int dir) 6375 { 6376 struct block *b0, *b1; 6377 #ifndef CHASE_CHAIN 6378 struct block *b2; 6379 #endif 6380 6381 if (dir != Q_DEFAULT) 6382 bpf_error(cstate, "direction applied to 'proto'"); 6383 6384 switch (proto) { 6385 case Q_DEFAULT: 6386 b0 = gen_proto(cstate, v, Q_IP, dir); 6387 b1 = gen_proto(cstate, v, Q_IPV6, dir); 6388 gen_or(b0, b1); 6389 return b1; 6390 6391 case Q_LINK: 6392 return gen_linktype(cstate, v); 6393 6394 case Q_IP: 6395 /* 6396 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 6397 * not LLC encapsulation with LLCSAP_IP. 6398 * 6399 * For IEEE 802 networks - which includes 802.5 token ring 6400 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 6401 * says that SNAP encapsulation is used, not LLC encapsulation 6402 * with LLCSAP_IP. 6403 * 6404 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 6405 * RFC 2225 say that SNAP encapsulation is used, not LLC 6406 * encapsulation with LLCSAP_IP. 6407 * 6408 * So we always check for ETHERTYPE_IP. 6409 */ 6410 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6411 #ifndef CHASE_CHAIN 6412 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v); 6413 #else 6414 b1 = gen_protochain(cstate, v, Q_IP); 6415 #endif 6416 gen_and(b0, b1); 6417 return b1; 6418 6419 case Q_ARP: 6420 bpf_error(cstate, "arp does not encapsulate another protocol"); 6421 /*NOTREACHED*/ 6422 6423 case Q_RARP: 6424 bpf_error(cstate, "rarp does not encapsulate another protocol"); 6425 /*NOTREACHED*/ 6426 6427 case Q_SCTP: 6428 bpf_error(cstate, "'sctp proto' is bogus"); 6429 /*NOTREACHED*/ 6430 6431 case Q_TCP: 6432 bpf_error(cstate, "'tcp proto' is bogus"); 6433 /*NOTREACHED*/ 6434 6435 case Q_UDP: 6436 bpf_error(cstate, "'udp proto' is bogus"); 6437 /*NOTREACHED*/ 6438 6439 case Q_ICMP: 6440 bpf_error(cstate, "'icmp proto' is bogus"); 6441 /*NOTREACHED*/ 6442 6443 case Q_IGMP: 6444 bpf_error(cstate, "'igmp proto' is bogus"); 6445 /*NOTREACHED*/ 6446 6447 case Q_IGRP: 6448 bpf_error(cstate, "'igrp proto' is bogus"); 6449 /*NOTREACHED*/ 6450 6451 case Q_ATALK: 6452 bpf_error(cstate, "AppleTalk encapsulation is not specifiable"); 6453 /*NOTREACHED*/ 6454 6455 case Q_DECNET: 6456 bpf_error(cstate, "DECNET encapsulation is not specifiable"); 6457 /*NOTREACHED*/ 6458 6459 case Q_LAT: 6460 bpf_error(cstate, "LAT does not encapsulate another protocol"); 6461 /*NOTREACHED*/ 6462 6463 case Q_SCA: 6464 bpf_error(cstate, "SCA does not encapsulate another protocol"); 6465 /*NOTREACHED*/ 6466 6467 case Q_MOPRC: 6468 bpf_error(cstate, "MOPRC does not encapsulate another protocol"); 6469 /*NOTREACHED*/ 6470 6471 case Q_MOPDL: 6472 bpf_error(cstate, "MOPDL does not encapsulate another protocol"); 6473 /*NOTREACHED*/ 6474 6475 case Q_IPV6: 6476 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6477 #ifndef CHASE_CHAIN 6478 /* 6479 * Also check for a fragment header before the final 6480 * header. 6481 */ 6482 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT); 6483 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v); 6484 gen_and(b2, b1); 6485 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v); 6486 gen_or(b2, b1); 6487 #else 6488 b1 = gen_protochain(cstate, v, Q_IPV6); 6489 #endif 6490 gen_and(b0, b1); 6491 return b1; 6492 6493 case Q_ICMPV6: 6494 bpf_error(cstate, "'icmp6 proto' is bogus"); 6495 /*NOTREACHED*/ 6496 6497 case Q_AH: 6498 bpf_error(cstate, "'ah proto' is bogus"); 6499 /*NOTREACHED*/ 6500 6501 case Q_ESP: 6502 bpf_error(cstate, "'ah proto' is bogus"); 6503 /*NOTREACHED*/ 6504 6505 case Q_PIM: 6506 bpf_error(cstate, "'pim proto' is bogus"); 6507 /*NOTREACHED*/ 6508 6509 case Q_VRRP: 6510 bpf_error(cstate, "'vrrp proto' is bogus"); 6511 /*NOTREACHED*/ 6512 6513 case Q_AARP: 6514 bpf_error(cstate, "'aarp proto' is bogus"); 6515 /*NOTREACHED*/ 6516 6517 case Q_ISO: 6518 switch (cstate->linktype) { 6519 6520 case DLT_FRELAY: 6521 /* 6522 * Frame Relay packets typically have an OSI 6523 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)" 6524 * generates code to check for all the OSI 6525 * NLPIDs, so calling it and then adding a check 6526 * for the particular NLPID for which we're 6527 * looking is bogus, as we can just check for 6528 * the NLPID. 6529 * 6530 * What we check for is the NLPID and a frame 6531 * control field value of UI, i.e. 0x03 followed 6532 * by the NLPID. 6533 * 6534 * XXX - assumes a 2-byte Frame Relay header with 6535 * DLCI and flags. What if the address is longer? 6536 * 6537 * XXX - what about SNAP-encapsulated frames? 6538 */ 6539 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v); 6540 /*NOTREACHED*/ 6541 6542 case DLT_C_HDLC: 6543 /* 6544 * Cisco uses an Ethertype lookalike - for OSI, 6545 * it's 0xfefe. 6546 */ 6547 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS); 6548 /* OSI in C-HDLC is stuffed with a fudge byte */ 6549 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v); 6550 gen_and(b0, b1); 6551 return b1; 6552 6553 default: 6554 b0 = gen_linktype(cstate, LLCSAP_ISONS); 6555 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v); 6556 gen_and(b0, b1); 6557 return b1; 6558 } 6559 6560 case Q_ESIS: 6561 bpf_error(cstate, "'esis proto' is bogus"); 6562 /*NOTREACHED*/ 6563 6564 case Q_ISIS: 6565 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 6566 /* 6567 * 4 is the offset of the PDU type relative to the IS-IS 6568 * header. 6569 */ 6570 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v); 6571 gen_and(b0, b1); 6572 return b1; 6573 6574 case Q_CLNP: 6575 bpf_error(cstate, "'clnp proto' is not supported"); 6576 /*NOTREACHED*/ 6577 6578 case Q_STP: 6579 bpf_error(cstate, "'stp proto' is bogus"); 6580 /*NOTREACHED*/ 6581 6582 case Q_IPX: 6583 bpf_error(cstate, "'ipx proto' is bogus"); 6584 /*NOTREACHED*/ 6585 6586 case Q_NETBEUI: 6587 bpf_error(cstate, "'netbeui proto' is bogus"); 6588 /*NOTREACHED*/ 6589 6590 case Q_ISIS_L1: 6591 bpf_error(cstate, "'l1 proto' is bogus"); 6592 /*NOTREACHED*/ 6593 6594 case Q_ISIS_L2: 6595 bpf_error(cstate, "'l2 proto' is bogus"); 6596 /*NOTREACHED*/ 6597 6598 case Q_ISIS_IIH: 6599 bpf_error(cstate, "'iih proto' is bogus"); 6600 /*NOTREACHED*/ 6601 6602 case Q_ISIS_SNP: 6603 bpf_error(cstate, "'snp proto' is bogus"); 6604 /*NOTREACHED*/ 6605 6606 case Q_ISIS_CSNP: 6607 bpf_error(cstate, "'csnp proto' is bogus"); 6608 /*NOTREACHED*/ 6609 6610 case Q_ISIS_PSNP: 6611 bpf_error(cstate, "'psnp proto' is bogus"); 6612 /*NOTREACHED*/ 6613 6614 case Q_ISIS_LSP: 6615 bpf_error(cstate, "'lsp proto' is bogus"); 6616 /*NOTREACHED*/ 6617 6618 case Q_RADIO: 6619 bpf_error(cstate, "'radio proto' is bogus"); 6620 /*NOTREACHED*/ 6621 6622 case Q_CARP: 6623 bpf_error(cstate, "'carp proto' is bogus"); 6624 /*NOTREACHED*/ 6625 6626 default: 6627 abort(); 6628 /*NOTREACHED*/ 6629 } 6630 /*NOTREACHED*/ 6631 } 6632 6633 struct block * 6634 gen_scode(compiler_state_t *cstate, const char *name, struct qual q) 6635 { 6636 int proto = q.proto; 6637 int dir = q.dir; 6638 int tproto; 6639 u_char *eaddr; 6640 bpf_u_int32 mask, addr; 6641 struct addrinfo *res, *res0; 6642 struct sockaddr_in *sin4; 6643 #ifdef INET6 6644 int tproto6; 6645 struct sockaddr_in6 *sin6; 6646 struct in6_addr mask128; 6647 #endif /*INET6*/ 6648 struct block *b, *tmp; 6649 int port, real_proto; 6650 int port1, port2; 6651 6652 /* 6653 * Catch errors reported by us and routines below us, and return NULL 6654 * on an error. 6655 */ 6656 if (setjmp(cstate->top_ctx)) 6657 return (NULL); 6658 6659 switch (q.addr) { 6660 6661 case Q_NET: 6662 addr = pcap_nametonetaddr(name); 6663 if (addr == 0) 6664 bpf_error(cstate, "unknown network '%s'", name); 6665 /* Left justify network addr and calculate its network mask */ 6666 mask = 0xffffffff; 6667 while (addr && (addr & 0xff000000) == 0) { 6668 addr <<= 8; 6669 mask <<= 8; 6670 } 6671 return gen_host(cstate, addr, mask, proto, dir, q.addr); 6672 6673 case Q_DEFAULT: 6674 case Q_HOST: 6675 if (proto == Q_LINK) { 6676 switch (cstate->linktype) { 6677 6678 case DLT_EN10MB: 6679 case DLT_NETANALYZER: 6680 case DLT_NETANALYZER_TRANSPARENT: 6681 eaddr = pcap_ether_hostton(name); 6682 if (eaddr == NULL) 6683 bpf_error(cstate, 6684 "unknown ether host '%s'", name); 6685 tmp = gen_prevlinkhdr_check(cstate); 6686 b = gen_ehostop(cstate, eaddr, dir); 6687 if (tmp != NULL) 6688 gen_and(tmp, b); 6689 free(eaddr); 6690 return b; 6691 6692 case DLT_FDDI: 6693 eaddr = pcap_ether_hostton(name); 6694 if (eaddr == NULL) 6695 bpf_error(cstate, 6696 "unknown FDDI host '%s'", name); 6697 b = gen_fhostop(cstate, eaddr, dir); 6698 free(eaddr); 6699 return b; 6700 6701 case DLT_IEEE802: 6702 eaddr = pcap_ether_hostton(name); 6703 if (eaddr == NULL) 6704 bpf_error(cstate, 6705 "unknown token ring host '%s'", name); 6706 b = gen_thostop(cstate, eaddr, dir); 6707 free(eaddr); 6708 return b; 6709 6710 case DLT_IEEE802_11: 6711 case DLT_PRISM_HEADER: 6712 case DLT_IEEE802_11_RADIO_AVS: 6713 case DLT_IEEE802_11_RADIO: 6714 case DLT_PPI: 6715 eaddr = pcap_ether_hostton(name); 6716 if (eaddr == NULL) 6717 bpf_error(cstate, 6718 "unknown 802.11 host '%s'", name); 6719 b = gen_wlanhostop(cstate, eaddr, dir); 6720 free(eaddr); 6721 return b; 6722 6723 case DLT_IP_OVER_FC: 6724 eaddr = pcap_ether_hostton(name); 6725 if (eaddr == NULL) 6726 bpf_error(cstate, 6727 "unknown Fibre Channel host '%s'", name); 6728 b = gen_ipfchostop(cstate, eaddr, dir); 6729 free(eaddr); 6730 return b; 6731 } 6732 6733 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6734 } else if (proto == Q_DECNET) { 6735 unsigned short dn_addr; 6736 6737 if (!__pcap_nametodnaddr(name, &dn_addr)) { 6738 #ifdef DECNETLIB 6739 bpf_error(cstate, "unknown decnet host name '%s'\n", name); 6740 #else 6741 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n", 6742 name); 6743 #endif 6744 } 6745 /* 6746 * I don't think DECNET hosts can be multihomed, so 6747 * there is no need to build up a list of addresses 6748 */ 6749 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr)); 6750 } else { 6751 #ifdef INET6 6752 memset(&mask128, 0xff, sizeof(mask128)); 6753 #endif 6754 res0 = res = pcap_nametoaddrinfo(name); 6755 if (res == NULL) 6756 bpf_error(cstate, "unknown host '%s'", name); 6757 cstate->ai = res; 6758 b = tmp = NULL; 6759 tproto = proto; 6760 #ifdef INET6 6761 tproto6 = proto; 6762 #endif 6763 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6764 tproto == Q_DEFAULT) { 6765 tproto = Q_IP; 6766 #ifdef INET6 6767 tproto6 = Q_IPV6; 6768 #endif 6769 } 6770 for (res = res0; res; res = res->ai_next) { 6771 switch (res->ai_family) { 6772 case AF_INET: 6773 #ifdef INET6 6774 if (tproto == Q_IPV6) 6775 continue; 6776 #endif 6777 6778 sin4 = (struct sockaddr_in *) 6779 res->ai_addr; 6780 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr), 6781 0xffffffff, tproto, dir, q.addr); 6782 break; 6783 #ifdef INET6 6784 case AF_INET6: 6785 if (tproto6 == Q_IP) 6786 continue; 6787 6788 sin6 = (struct sockaddr_in6 *) 6789 res->ai_addr; 6790 tmp = gen_host6(cstate, &sin6->sin6_addr, 6791 &mask128, tproto6, dir, q.addr); 6792 break; 6793 #endif 6794 default: 6795 continue; 6796 } 6797 if (b) 6798 gen_or(b, tmp); 6799 b = tmp; 6800 } 6801 cstate->ai = NULL; 6802 freeaddrinfo(res0); 6803 if (b == NULL) { 6804 bpf_error(cstate, "unknown host '%s'%s", name, 6805 (proto == Q_DEFAULT) 6806 ? "" 6807 : " for specified address family"); 6808 } 6809 return b; 6810 } 6811 6812 case Q_PORT: 6813 if (proto != Q_DEFAULT && 6814 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6815 bpf_error(cstate, "illegal qualifier of 'port'"); 6816 if (pcap_nametoport(name, &port, &real_proto) == 0) 6817 bpf_error(cstate, "unknown port '%s'", name); 6818 if (proto == Q_UDP) { 6819 if (real_proto == IPPROTO_TCP) 6820 bpf_error(cstate, "port '%s' is tcp", name); 6821 else if (real_proto == IPPROTO_SCTP) 6822 bpf_error(cstate, "port '%s' is sctp", name); 6823 else 6824 /* override PROTO_UNDEF */ 6825 real_proto = IPPROTO_UDP; 6826 } 6827 if (proto == Q_TCP) { 6828 if (real_proto == IPPROTO_UDP) 6829 bpf_error(cstate, "port '%s' is udp", name); 6830 6831 else if (real_proto == IPPROTO_SCTP) 6832 bpf_error(cstate, "port '%s' is sctp", name); 6833 else 6834 /* override PROTO_UNDEF */ 6835 real_proto = IPPROTO_TCP; 6836 } 6837 if (proto == Q_SCTP) { 6838 if (real_proto == IPPROTO_UDP) 6839 bpf_error(cstate, "port '%s' is udp", name); 6840 6841 else if (real_proto == IPPROTO_TCP) 6842 bpf_error(cstate, "port '%s' is tcp", name); 6843 else 6844 /* override PROTO_UNDEF */ 6845 real_proto = IPPROTO_SCTP; 6846 } 6847 if (port < 0) 6848 bpf_error(cstate, "illegal port number %d < 0", port); 6849 if (port > 65535) 6850 bpf_error(cstate, "illegal port number %d > 65535", port); 6851 b = gen_port(cstate, port, real_proto, dir); 6852 gen_or(gen_port6(cstate, port, real_proto, dir), b); 6853 return b; 6854 6855 case Q_PORTRANGE: 6856 if (proto != Q_DEFAULT && 6857 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6858 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6859 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6860 bpf_error(cstate, "unknown port in range '%s'", name); 6861 if (proto == Q_UDP) { 6862 if (real_proto == IPPROTO_TCP) 6863 bpf_error(cstate, "port in range '%s' is tcp", name); 6864 else if (real_proto == IPPROTO_SCTP) 6865 bpf_error(cstate, "port in range '%s' is sctp", name); 6866 else 6867 /* override PROTO_UNDEF */ 6868 real_proto = IPPROTO_UDP; 6869 } 6870 if (proto == Q_TCP) { 6871 if (real_proto == IPPROTO_UDP) 6872 bpf_error(cstate, "port in range '%s' is udp", name); 6873 else if (real_proto == IPPROTO_SCTP) 6874 bpf_error(cstate, "port in range '%s' is sctp", name); 6875 else 6876 /* override PROTO_UNDEF */ 6877 real_proto = IPPROTO_TCP; 6878 } 6879 if (proto == Q_SCTP) { 6880 if (real_proto == IPPROTO_UDP) 6881 bpf_error(cstate, "port in range '%s' is udp", name); 6882 else if (real_proto == IPPROTO_TCP) 6883 bpf_error(cstate, "port in range '%s' is tcp", name); 6884 else 6885 /* override PROTO_UNDEF */ 6886 real_proto = IPPROTO_SCTP; 6887 } 6888 if (port1 < 0) 6889 bpf_error(cstate, "illegal port number %d < 0", port1); 6890 if (port1 > 65535) 6891 bpf_error(cstate, "illegal port number %d > 65535", port1); 6892 if (port2 < 0) 6893 bpf_error(cstate, "illegal port number %d < 0", port2); 6894 if (port2 > 65535) 6895 bpf_error(cstate, "illegal port number %d > 65535", port2); 6896 6897 b = gen_portrange(cstate, port1, port2, real_proto, dir); 6898 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b); 6899 return b; 6900 6901 case Q_GATEWAY: 6902 #ifndef INET6 6903 eaddr = pcap_ether_hostton(name); 6904 if (eaddr == NULL) 6905 bpf_error(cstate, "unknown ether host: %s", name); 6906 6907 res = pcap_nametoaddrinfo(name); 6908 cstate->ai = res; 6909 if (res == NULL) 6910 bpf_error(cstate, "unknown host '%s'", name); 6911 b = gen_gateway(cstate, eaddr, res, proto, dir); 6912 cstate->ai = NULL; 6913 freeaddrinfo(res); 6914 if (b == NULL) 6915 bpf_error(cstate, "unknown host '%s'", name); 6916 return b; 6917 #else 6918 bpf_error(cstate, "'gateway' not supported in this configuration"); 6919 #endif /*INET6*/ 6920 6921 case Q_PROTO: 6922 real_proto = lookup_proto(cstate, name, proto); 6923 if (real_proto >= 0) 6924 return gen_proto(cstate, real_proto, proto, dir); 6925 else 6926 bpf_error(cstate, "unknown protocol: %s", name); 6927 6928 case Q_PROTOCHAIN: 6929 real_proto = lookup_proto(cstate, name, proto); 6930 if (real_proto >= 0) 6931 return gen_protochain(cstate, real_proto, proto, dir); 6932 else 6933 bpf_error(cstate, "unknown protocol: %s", name); 6934 6935 case Q_UNDEF: 6936 syntax(cstate); 6937 /*NOTREACHED*/ 6938 } 6939 abort(); 6940 /*NOTREACHED*/ 6941 } 6942 6943 struct block * 6944 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2, 6945 unsigned int masklen, struct qual q) 6946 { 6947 register int nlen, mlen; 6948 bpf_u_int32 n, m; 6949 6950 /* 6951 * Catch errors reported by us and routines below us, and return NULL 6952 * on an error. 6953 */ 6954 if (setjmp(cstate->top_ctx)) 6955 return (NULL); 6956 6957 nlen = __pcap_atoin(s1, &n); 6958 if (nlen < 0) 6959 bpf_error(cstate, "invalid IPv4 address '%s'", s1); 6960 /* Promote short ipaddr */ 6961 n <<= 32 - nlen; 6962 6963 if (s2 != NULL) { 6964 mlen = __pcap_atoin(s2, &m); 6965 if (mlen < 0) 6966 bpf_error(cstate, "invalid IPv4 address '%s'", s2); 6967 /* Promote short ipaddr */ 6968 m <<= 32 - mlen; 6969 if ((n & ~m) != 0) 6970 bpf_error(cstate, "non-network bits set in \"%s mask %s\"", 6971 s1, s2); 6972 } else { 6973 /* Convert mask len to mask */ 6974 if (masklen > 32) 6975 bpf_error(cstate, "mask length must be <= 32"); 6976 if (masklen == 0) { 6977 /* 6978 * X << 32 is not guaranteed by C to be 0; it's 6979 * undefined. 6980 */ 6981 m = 0; 6982 } else 6983 m = 0xffffffff << (32 - masklen); 6984 if ((n & ~m) != 0) 6985 bpf_error(cstate, "non-network bits set in \"%s/%d\"", 6986 s1, masklen); 6987 } 6988 6989 switch (q.addr) { 6990 6991 case Q_NET: 6992 return gen_host(cstate, n, m, q.proto, q.dir, q.addr); 6993 6994 default: 6995 bpf_error(cstate, "Mask syntax for networks only"); 6996 /*NOTREACHED*/ 6997 } 6998 /*NOTREACHED*/ 6999 } 7000 7001 struct block * 7002 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q) 7003 { 7004 bpf_u_int32 mask; 7005 int proto; 7006 int dir; 7007 register int vlen; 7008 7009 /* 7010 * Catch errors reported by us and routines below us, and return NULL 7011 * on an error. 7012 */ 7013 if (setjmp(cstate->top_ctx)) 7014 return (NULL); 7015 7016 proto = q.proto; 7017 dir = q.dir; 7018 if (s == NULL) 7019 vlen = 32; 7020 else if (q.proto == Q_DECNET) { 7021 vlen = __pcap_atodn(s, &v); 7022 if (vlen == 0) 7023 bpf_error(cstate, "malformed decnet address '%s'", s); 7024 } else { 7025 vlen = __pcap_atoin(s, &v); 7026 if (vlen < 0) 7027 bpf_error(cstate, "invalid IPv4 address '%s'", s); 7028 } 7029 7030 switch (q.addr) { 7031 7032 case Q_DEFAULT: 7033 case Q_HOST: 7034 case Q_NET: 7035 if (proto == Q_DECNET) 7036 return gen_host(cstate, v, 0, proto, dir, q.addr); 7037 else if (proto == Q_LINK) { 7038 bpf_error(cstate, "illegal link layer address"); 7039 } else { 7040 mask = 0xffffffff; 7041 if (s == NULL && q.addr == Q_NET) { 7042 /* Promote short net number */ 7043 while (v && (v & 0xff000000) == 0) { 7044 v <<= 8; 7045 mask <<= 8; 7046 } 7047 } else { 7048 /* Promote short ipaddr */ 7049 v <<= 32 - vlen; 7050 mask <<= 32 - vlen ; 7051 } 7052 return gen_host(cstate, v, mask, proto, dir, q.addr); 7053 } 7054 7055 case Q_PORT: 7056 if (proto == Q_UDP) 7057 proto = IPPROTO_UDP; 7058 else if (proto == Q_TCP) 7059 proto = IPPROTO_TCP; 7060 else if (proto == Q_SCTP) 7061 proto = IPPROTO_SCTP; 7062 else if (proto == Q_DEFAULT) 7063 proto = PROTO_UNDEF; 7064 else 7065 bpf_error(cstate, "illegal qualifier of 'port'"); 7066 7067 if (v > 65535) 7068 bpf_error(cstate, "illegal port number %u > 65535", v); 7069 7070 { 7071 struct block *b; 7072 b = gen_port(cstate, (int)v, proto, dir); 7073 gen_or(gen_port6(cstate, (int)v, proto, dir), b); 7074 return b; 7075 } 7076 7077 case Q_PORTRANGE: 7078 if (proto == Q_UDP) 7079 proto = IPPROTO_UDP; 7080 else if (proto == Q_TCP) 7081 proto = IPPROTO_TCP; 7082 else if (proto == Q_SCTP) 7083 proto = IPPROTO_SCTP; 7084 else if (proto == Q_DEFAULT) 7085 proto = PROTO_UNDEF; 7086 else 7087 bpf_error(cstate, "illegal qualifier of 'portrange'"); 7088 7089 if (v > 65535) 7090 bpf_error(cstate, "illegal port number %u > 65535", v); 7091 7092 { 7093 struct block *b; 7094 b = gen_portrange(cstate, (int)v, (int)v, proto, dir); 7095 gen_or(gen_portrange6(cstate, (int)v, (int)v, proto, dir), b); 7096 return b; 7097 } 7098 7099 case Q_GATEWAY: 7100 bpf_error(cstate, "'gateway' requires a name"); 7101 /*NOTREACHED*/ 7102 7103 case Q_PROTO: 7104 return gen_proto(cstate, (int)v, proto, dir); 7105 7106 case Q_PROTOCHAIN: 7107 return gen_protochain(cstate, (int)v, proto, dir); 7108 7109 case Q_UNDEF: 7110 syntax(cstate); 7111 /*NOTREACHED*/ 7112 7113 default: 7114 abort(); 7115 /*NOTREACHED*/ 7116 } 7117 /*NOTREACHED*/ 7118 } 7119 7120 #ifdef INET6 7121 struct block * 7122 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2, 7123 unsigned int masklen, struct qual q) 7124 { 7125 struct addrinfo *res; 7126 struct in6_addr *addr; 7127 struct in6_addr mask; 7128 struct block *b; 7129 uint32_t *a, *m; 7130 7131 /* 7132 * Catch errors reported by us and routines below us, and return NULL 7133 * on an error. 7134 */ 7135 if (setjmp(cstate->top_ctx)) 7136 return (NULL); 7137 7138 if (s2) 7139 bpf_error(cstate, "no mask %s supported", s2); 7140 7141 res = pcap_nametoaddrinfo(s1); 7142 if (!res) 7143 bpf_error(cstate, "invalid ip6 address %s", s1); 7144 cstate->ai = res; 7145 if (res->ai_next) 7146 bpf_error(cstate, "%s resolved to multiple address", s1); 7147 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 7148 7149 if (sizeof(mask) * 8 < masklen) 7150 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 7151 memset(&mask, 0, sizeof(mask)); 7152 memset(&mask, 0xff, masklen / 8); 7153 if (masklen % 8) { 7154 mask.s6_addr[masklen / 8] = 7155 (0xff << (8 - masklen % 8)) & 0xff; 7156 } 7157 7158 a = (uint32_t *)addr; 7159 m = (uint32_t *)&mask; 7160 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 7161 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 7162 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen); 7163 } 7164 7165 switch (q.addr) { 7166 7167 case Q_DEFAULT: 7168 case Q_HOST: 7169 if (masklen != 128) 7170 bpf_error(cstate, "Mask syntax for networks only"); 7171 /* FALLTHROUGH */ 7172 7173 case Q_NET: 7174 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr); 7175 cstate->ai = NULL; 7176 freeaddrinfo(res); 7177 return b; 7178 7179 default: 7180 bpf_error(cstate, "invalid qualifier against IPv6 address"); 7181 /*NOTREACHED*/ 7182 } 7183 } 7184 #endif /*INET6*/ 7185 7186 struct block * 7187 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q) 7188 { 7189 struct block *b, *tmp; 7190 7191 /* 7192 * Catch errors reported by us and routines below us, and return NULL 7193 * on an error. 7194 */ 7195 if (setjmp(cstate->top_ctx)) 7196 return (NULL); 7197 7198 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 7199 cstate->e = pcap_ether_aton(s); 7200 if (cstate->e == NULL) 7201 bpf_error(cstate, "malloc"); 7202 switch (cstate->linktype) { 7203 case DLT_EN10MB: 7204 case DLT_NETANALYZER: 7205 case DLT_NETANALYZER_TRANSPARENT: 7206 tmp = gen_prevlinkhdr_check(cstate); 7207 b = gen_ehostop(cstate, cstate->e, (int)q.dir); 7208 if (tmp != NULL) 7209 gen_and(tmp, b); 7210 break; 7211 case DLT_FDDI: 7212 b = gen_fhostop(cstate, cstate->e, (int)q.dir); 7213 break; 7214 case DLT_IEEE802: 7215 b = gen_thostop(cstate, cstate->e, (int)q.dir); 7216 break; 7217 case DLT_IEEE802_11: 7218 case DLT_PRISM_HEADER: 7219 case DLT_IEEE802_11_RADIO_AVS: 7220 case DLT_IEEE802_11_RADIO: 7221 case DLT_PPI: 7222 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir); 7223 break; 7224 case DLT_IP_OVER_FC: 7225 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir); 7226 break; 7227 default: 7228 free(cstate->e); 7229 cstate->e = NULL; 7230 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 7231 /*NOTREACHED*/ 7232 } 7233 free(cstate->e); 7234 cstate->e = NULL; 7235 return (b); 7236 } 7237 bpf_error(cstate, "ethernet address used in non-ether expression"); 7238 /*NOTREACHED*/ 7239 } 7240 7241 void 7242 sappend(struct slist *s0, struct slist *s1) 7243 { 7244 /* 7245 * This is definitely not the best way to do this, but the 7246 * lists will rarely get long. 7247 */ 7248 while (s0->next) 7249 s0 = s0->next; 7250 s0->next = s1; 7251 } 7252 7253 static struct slist * 7254 xfer_to_x(compiler_state_t *cstate, struct arth *a) 7255 { 7256 struct slist *s; 7257 7258 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 7259 s->s.k = a->regno; 7260 return s; 7261 } 7262 7263 static struct slist * 7264 xfer_to_a(compiler_state_t *cstate, struct arth *a) 7265 { 7266 struct slist *s; 7267 7268 s = new_stmt(cstate, BPF_LD|BPF_MEM); 7269 s->s.k = a->regno; 7270 return s; 7271 } 7272 7273 /* 7274 * Modify "index" to use the value stored into its register as an 7275 * offset relative to the beginning of the header for the protocol 7276 * "proto", and allocate a register and put an item "size" bytes long 7277 * (1, 2, or 4) at that offset into that register, making it the register 7278 * for "index". 7279 */ 7280 static struct arth * 7281 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst, int size) 7282 { 7283 struct slist *s, *tmp; 7284 struct block *b; 7285 int regno = alloc_reg(cstate); 7286 7287 free_reg(cstate, inst->regno); 7288 switch (size) { 7289 7290 default: 7291 bpf_error(cstate, "data size must be 1, 2, or 4"); 7292 7293 case 1: 7294 size = BPF_B; 7295 break; 7296 7297 case 2: 7298 size = BPF_H; 7299 break; 7300 7301 case 4: 7302 size = BPF_W; 7303 break; 7304 } 7305 switch (proto) { 7306 default: 7307 bpf_error(cstate, "unsupported index operation"); 7308 7309 case Q_RADIO: 7310 /* 7311 * The offset is relative to the beginning of the packet 7312 * data, if we have a radio header. (If we don't, this 7313 * is an error.) 7314 */ 7315 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS && 7316 cstate->linktype != DLT_IEEE802_11_RADIO && 7317 cstate->linktype != DLT_PRISM_HEADER) 7318 bpf_error(cstate, "radio information not present in capture"); 7319 7320 /* 7321 * Load into the X register the offset computed into the 7322 * register specified by "index". 7323 */ 7324 s = xfer_to_x(cstate, inst); 7325 7326 /* 7327 * Load the item at that offset. 7328 */ 7329 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7330 sappend(s, tmp); 7331 sappend(inst->s, s); 7332 break; 7333 7334 case Q_LINK: 7335 /* 7336 * The offset is relative to the beginning of 7337 * the link-layer header. 7338 * 7339 * XXX - what about ATM LANE? Should the index be 7340 * relative to the beginning of the AAL5 frame, so 7341 * that 0 refers to the beginning of the LE Control 7342 * field, or relative to the beginning of the LAN 7343 * frame, so that 0 refers, for Ethernet LANE, to 7344 * the beginning of the destination address? 7345 */ 7346 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr); 7347 7348 /* 7349 * If "s" is non-null, it has code to arrange that the 7350 * X register contains the length of the prefix preceding 7351 * the link-layer header. Add to it the offset computed 7352 * into the register specified by "index", and move that 7353 * into the X register. Otherwise, just load into the X 7354 * register the offset computed into the register specified 7355 * by "index". 7356 */ 7357 if (s != NULL) { 7358 sappend(s, xfer_to_a(cstate, inst)); 7359 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7360 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7361 } else 7362 s = xfer_to_x(cstate, inst); 7363 7364 /* 7365 * Load the item at the sum of the offset we've put in the 7366 * X register and the offset of the start of the link 7367 * layer header (which is 0 if the radio header is 7368 * variable-length; that header length is what we put 7369 * into the X register and then added to the index). 7370 */ 7371 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7372 tmp->s.k = cstate->off_linkhdr.constant_part; 7373 sappend(s, tmp); 7374 sappend(inst->s, s); 7375 break; 7376 7377 case Q_IP: 7378 case Q_ARP: 7379 case Q_RARP: 7380 case Q_ATALK: 7381 case Q_DECNET: 7382 case Q_SCA: 7383 case Q_LAT: 7384 case Q_MOPRC: 7385 case Q_MOPDL: 7386 case Q_IPV6: 7387 /* 7388 * The offset is relative to the beginning of 7389 * the network-layer header. 7390 * XXX - are there any cases where we want 7391 * cstate->off_nl_nosnap? 7392 */ 7393 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7394 7395 /* 7396 * If "s" is non-null, it has code to arrange that the 7397 * X register contains the variable part of the offset 7398 * of the link-layer payload. Add to it the offset 7399 * computed into the register specified by "index", 7400 * and move that into the X register. Otherwise, just 7401 * load into the X register the offset computed into 7402 * the register specified by "index". 7403 */ 7404 if (s != NULL) { 7405 sappend(s, xfer_to_a(cstate, inst)); 7406 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7407 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7408 } else 7409 s = xfer_to_x(cstate, inst); 7410 7411 /* 7412 * Load the item at the sum of the offset we've put in the 7413 * X register, the offset of the start of the network 7414 * layer header from the beginning of the link-layer 7415 * payload, and the constant part of the offset of the 7416 * start of the link-layer payload. 7417 */ 7418 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7419 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7420 sappend(s, tmp); 7421 sappend(inst->s, s); 7422 7423 /* 7424 * Do the computation only if the packet contains 7425 * the protocol in question. 7426 */ 7427 b = gen_proto_abbrev_internal(cstate, proto); 7428 if (inst->b) 7429 gen_and(inst->b, b); 7430 inst->b = b; 7431 break; 7432 7433 case Q_SCTP: 7434 case Q_TCP: 7435 case Q_UDP: 7436 case Q_ICMP: 7437 case Q_IGMP: 7438 case Q_IGRP: 7439 case Q_PIM: 7440 case Q_VRRP: 7441 case Q_CARP: 7442 /* 7443 * The offset is relative to the beginning of 7444 * the transport-layer header. 7445 * 7446 * Load the X register with the length of the IPv4 header 7447 * (plus the offset of the link-layer header, if it's 7448 * a variable-length header), in bytes. 7449 * 7450 * XXX - are there any cases where we want 7451 * cstate->off_nl_nosnap? 7452 * XXX - we should, if we're built with 7453 * IPv6 support, generate code to load either 7454 * IPv4, IPv6, or both, as appropriate. 7455 */ 7456 s = gen_loadx_iphdrlen(cstate); 7457 7458 /* 7459 * The X register now contains the sum of the variable 7460 * part of the offset of the link-layer payload and the 7461 * length of the network-layer header. 7462 * 7463 * Load into the A register the offset relative to 7464 * the beginning of the transport layer header, 7465 * add the X register to that, move that to the 7466 * X register, and load with an offset from the 7467 * X register equal to the sum of the constant part of 7468 * the offset of the link-layer payload and the offset, 7469 * relative to the beginning of the link-layer payload, 7470 * of the network-layer header. 7471 */ 7472 sappend(s, xfer_to_a(cstate, inst)); 7473 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7474 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7475 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size)); 7476 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7477 sappend(inst->s, s); 7478 7479 /* 7480 * Do the computation only if the packet contains 7481 * the protocol in question - which is true only 7482 * if this is an IP datagram and is the first or 7483 * only fragment of that datagram. 7484 */ 7485 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate)); 7486 if (inst->b) 7487 gen_and(inst->b, b); 7488 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b); 7489 inst->b = b; 7490 break; 7491 case Q_ICMPV6: 7492 /* 7493 * Do the computation only if the packet contains 7494 * the protocol in question. 7495 */ 7496 b = gen_proto_abbrev_internal(cstate, Q_IPV6); 7497 if (inst->b) { 7498 gen_and(inst->b, b); 7499 } 7500 inst->b = b; 7501 7502 /* 7503 * Check if we have an icmp6 next header 7504 */ 7505 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58); 7506 if (inst->b) { 7507 gen_and(inst->b, b); 7508 } 7509 inst->b = b; 7510 7511 7512 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7513 /* 7514 * If "s" is non-null, it has code to arrange that the 7515 * X register contains the variable part of the offset 7516 * of the link-layer payload. Add to it the offset 7517 * computed into the register specified by "index", 7518 * and move that into the X register. Otherwise, just 7519 * load into the X register the offset computed into 7520 * the register specified by "index". 7521 */ 7522 if (s != NULL) { 7523 sappend(s, xfer_to_a(cstate, inst)); 7524 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7525 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7526 } else { 7527 s = xfer_to_x(cstate, inst); 7528 } 7529 7530 /* 7531 * Load the item at the sum of the offset we've put in the 7532 * X register, the offset of the start of the network 7533 * layer header from the beginning of the link-layer 7534 * payload, and the constant part of the offset of the 7535 * start of the link-layer payload. 7536 */ 7537 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7538 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40; 7539 7540 sappend(s, tmp); 7541 sappend(inst->s, s); 7542 7543 break; 7544 } 7545 inst->regno = regno; 7546 s = new_stmt(cstate, BPF_ST); 7547 s->s.k = regno; 7548 sappend(inst->s, s); 7549 7550 return inst; 7551 } 7552 7553 struct arth * 7554 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, int size) 7555 { 7556 /* 7557 * Catch errors reported by us and routines below us, and return NULL 7558 * on an error. 7559 */ 7560 if (setjmp(cstate->top_ctx)) 7561 return (NULL); 7562 7563 return gen_load_internal(cstate, proto, inst, size); 7564 } 7565 7566 static struct block * 7567 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0, 7568 struct arth *a1, int reversed) 7569 { 7570 struct slist *s0, *s1, *s2; 7571 struct block *b, *tmp; 7572 7573 s0 = xfer_to_x(cstate, a1); 7574 s1 = xfer_to_a(cstate, a0); 7575 if (code == BPF_JEQ) { 7576 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X); 7577 b = new_block(cstate, JMP(code)); 7578 sappend(s1, s2); 7579 } 7580 else 7581 b = new_block(cstate, BPF_JMP|code|BPF_X); 7582 if (reversed) 7583 gen_not(b); 7584 7585 sappend(s0, s1); 7586 sappend(a1->s, s0); 7587 sappend(a0->s, a1->s); 7588 7589 b->stmts = a0->s; 7590 7591 free_reg(cstate, a0->regno); 7592 free_reg(cstate, a1->regno); 7593 7594 /* 'and' together protocol checks */ 7595 if (a0->b) { 7596 if (a1->b) { 7597 gen_and(a0->b, tmp = a1->b); 7598 } 7599 else 7600 tmp = a0->b; 7601 } else 7602 tmp = a1->b; 7603 7604 if (tmp) 7605 gen_and(tmp, b); 7606 7607 return b; 7608 } 7609 7610 struct block * 7611 gen_relation(compiler_state_t *cstate, int code, struct arth *a0, 7612 struct arth *a1, int reversed) 7613 { 7614 /* 7615 * Catch errors reported by us and routines below us, and return NULL 7616 * on an error. 7617 */ 7618 if (setjmp(cstate->top_ctx)) 7619 return (NULL); 7620 7621 return gen_relation_internal(cstate, code, a0, a1, reversed); 7622 } 7623 7624 struct arth * 7625 gen_loadlen(compiler_state_t *cstate) 7626 { 7627 int regno; 7628 struct arth *a; 7629 struct slist *s; 7630 7631 /* 7632 * Catch errors reported by us and routines below us, and return NULL 7633 * on an error. 7634 */ 7635 if (setjmp(cstate->top_ctx)) 7636 return (NULL); 7637 7638 regno = alloc_reg(cstate); 7639 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7640 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7641 s->next = new_stmt(cstate, BPF_ST); 7642 s->next->s.k = regno; 7643 a->s = s; 7644 a->regno = regno; 7645 7646 return a; 7647 } 7648 7649 static struct arth * 7650 gen_loadi_internal(compiler_state_t *cstate, int val) 7651 { 7652 struct arth *a; 7653 struct slist *s; 7654 int reg; 7655 7656 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7657 7658 reg = alloc_reg(cstate); 7659 7660 s = new_stmt(cstate, BPF_LD|BPF_IMM); 7661 s->s.k = val; 7662 s->next = new_stmt(cstate, BPF_ST); 7663 s->next->s.k = reg; 7664 a->s = s; 7665 a->regno = reg; 7666 7667 return a; 7668 } 7669 7670 struct arth * 7671 gen_loadi(compiler_state_t *cstate, int val) 7672 { 7673 /* 7674 * Catch errors reported by us and routines below us, and return NULL 7675 * on an error. 7676 */ 7677 if (setjmp(cstate->top_ctx)) 7678 return (NULL); 7679 7680 return gen_loadi_internal(cstate, val); 7681 } 7682 7683 /* 7684 * The a_arg dance is to avoid annoying whining by compilers that 7685 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 7686 * It's not *used* after setjmp returns. 7687 */ 7688 struct arth * 7689 gen_neg(compiler_state_t *cstate, struct arth *a_arg) 7690 { 7691 struct arth *a = a_arg; 7692 struct slist *s; 7693 7694 /* 7695 * Catch errors reported by us and routines below us, and return NULL 7696 * on an error. 7697 */ 7698 if (setjmp(cstate->top_ctx)) 7699 return (NULL); 7700 7701 s = xfer_to_a(cstate, a); 7702 sappend(a->s, s); 7703 s = new_stmt(cstate, BPF_ALU|BPF_NEG); 7704 s->s.k = 0; 7705 sappend(a->s, s); 7706 s = new_stmt(cstate, BPF_ST); 7707 s->s.k = a->regno; 7708 sappend(a->s, s); 7709 7710 return a; 7711 } 7712 7713 /* 7714 * The a0_arg dance is to avoid annoying whining by compilers that 7715 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 7716 * It's not *used* after setjmp returns. 7717 */ 7718 struct arth * 7719 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg, 7720 struct arth *a1) 7721 { 7722 struct arth *a0 = a0_arg; 7723 struct slist *s0, *s1, *s2; 7724 7725 /* 7726 * Catch errors reported by us and routines below us, and return NULL 7727 * on an error. 7728 */ 7729 if (setjmp(cstate->top_ctx)) 7730 return (NULL); 7731 7732 /* 7733 * Disallow division by, or modulus by, zero; we do this here 7734 * so that it gets done even if the optimizer is disabled. 7735 * 7736 * Also disallow shifts by a value greater than 31; we do this 7737 * here, for the same reason. 7738 */ 7739 if (code == BPF_DIV) { 7740 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7741 bpf_error(cstate, "division by zero"); 7742 } else if (code == BPF_MOD) { 7743 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7744 bpf_error(cstate, "modulus by zero"); 7745 } else if (code == BPF_LSH || code == BPF_RSH) { 7746 /* 7747 * XXX - we need to make up our minds as to what integers 7748 * are signed and what integers are unsigned in BPF programs 7749 * and in our IR. 7750 */ 7751 if (a1->s->s.code == (BPF_LD|BPF_IMM) && 7752 (a1->s->s.k < 0 || a1->s->s.k > 31)) 7753 bpf_error(cstate, "shift by more than 31 bits"); 7754 } 7755 s0 = xfer_to_x(cstate, a1); 7756 s1 = xfer_to_a(cstate, a0); 7757 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code); 7758 7759 sappend(s1, s2); 7760 sappend(s0, s1); 7761 sappend(a1->s, s0); 7762 sappend(a0->s, a1->s); 7763 7764 free_reg(cstate, a0->regno); 7765 free_reg(cstate, a1->regno); 7766 7767 s0 = new_stmt(cstate, BPF_ST); 7768 a0->regno = s0->s.k = alloc_reg(cstate); 7769 sappend(a0->s, s0); 7770 7771 return a0; 7772 } 7773 7774 /* 7775 * Initialize the table of used registers and the current register. 7776 */ 7777 static void 7778 init_regs(compiler_state_t *cstate) 7779 { 7780 cstate->curreg = 0; 7781 memset(cstate->regused, 0, sizeof cstate->regused); 7782 } 7783 7784 /* 7785 * Return the next free register. 7786 */ 7787 static int 7788 alloc_reg(compiler_state_t *cstate) 7789 { 7790 int n = BPF_MEMWORDS; 7791 7792 while (--n >= 0) { 7793 if (cstate->regused[cstate->curreg]) 7794 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS; 7795 else { 7796 cstate->regused[cstate->curreg] = 1; 7797 return cstate->curreg; 7798 } 7799 } 7800 bpf_error(cstate, "too many registers needed to evaluate expression"); 7801 /*NOTREACHED*/ 7802 } 7803 7804 /* 7805 * Return a register to the table so it can 7806 * be used later. 7807 */ 7808 static void 7809 free_reg(compiler_state_t *cstate, int n) 7810 { 7811 cstate->regused[n] = 0; 7812 } 7813 7814 static struct block * 7815 gen_len(compiler_state_t *cstate, int jmp, int n) 7816 { 7817 struct slist *s; 7818 struct block *b; 7819 7820 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7821 b = new_block(cstate, JMP(jmp)); 7822 b->stmts = s; 7823 b->s.k = n; 7824 7825 return b; 7826 } 7827 7828 struct block * 7829 gen_greater(compiler_state_t *cstate, int n) 7830 { 7831 /* 7832 * Catch errors reported by us and routines below us, and return NULL 7833 * on an error. 7834 */ 7835 if (setjmp(cstate->top_ctx)) 7836 return (NULL); 7837 7838 return gen_len(cstate, BPF_JGE, n); 7839 } 7840 7841 /* 7842 * Actually, this is less than or equal. 7843 */ 7844 struct block * 7845 gen_less(compiler_state_t *cstate, int n) 7846 { 7847 struct block *b; 7848 7849 /* 7850 * Catch errors reported by us and routines below us, and return NULL 7851 * on an error. 7852 */ 7853 if (setjmp(cstate->top_ctx)) 7854 return (NULL); 7855 7856 b = gen_len(cstate, BPF_JGT, n); 7857 gen_not(b); 7858 7859 return b; 7860 } 7861 7862 /* 7863 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7864 * the beginning of the link-layer header. 7865 * XXX - that means you can't test values in the radiotap header, but 7866 * as that header is difficult if not impossible to parse generally 7867 * without a loop, that might not be a severe problem. A new keyword 7868 * "radio" could be added for that, although what you'd really want 7869 * would be a way of testing particular radio header values, which 7870 * would generate code appropriate to the radio header in question. 7871 */ 7872 struct block * 7873 gen_byteop(compiler_state_t *cstate, int op, int idx, int val) 7874 { 7875 struct block *b; 7876 struct slist *s; 7877 7878 /* 7879 * Catch errors reported by us and routines below us, and return NULL 7880 * on an error. 7881 */ 7882 if (setjmp(cstate->top_ctx)) 7883 return (NULL); 7884 7885 switch (op) { 7886 default: 7887 abort(); 7888 7889 case '=': 7890 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7891 7892 case '<': 7893 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7894 return b; 7895 7896 case '>': 7897 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7898 return b; 7899 7900 case '|': 7901 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K); 7902 break; 7903 7904 case '&': 7905 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 7906 break; 7907 } 7908 s->s.k = val; 7909 b = new_block(cstate, JMP(BPF_JEQ)); 7910 b->stmts = s; 7911 gen_not(b); 7912 7913 return b; 7914 } 7915 7916 static const u_char abroadcast[] = { 0x0 }; 7917 7918 struct block * 7919 gen_broadcast(compiler_state_t *cstate, int proto) 7920 { 7921 bpf_u_int32 hostmask; 7922 struct block *b0, *b1, *b2; 7923 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7924 7925 /* 7926 * Catch errors reported by us and routines below us, and return NULL 7927 * on an error. 7928 */ 7929 if (setjmp(cstate->top_ctx)) 7930 return (NULL); 7931 7932 switch (proto) { 7933 7934 case Q_DEFAULT: 7935 case Q_LINK: 7936 switch (cstate->linktype) { 7937 case DLT_ARCNET: 7938 case DLT_ARCNET_LINUX: 7939 return gen_ahostop(cstate, abroadcast, Q_DST); 7940 case DLT_EN10MB: 7941 case DLT_NETANALYZER: 7942 case DLT_NETANALYZER_TRANSPARENT: 7943 b1 = gen_prevlinkhdr_check(cstate); 7944 b0 = gen_ehostop(cstate, ebroadcast, Q_DST); 7945 if (b1 != NULL) 7946 gen_and(b1, b0); 7947 return b0; 7948 case DLT_FDDI: 7949 return gen_fhostop(cstate, ebroadcast, Q_DST); 7950 case DLT_IEEE802: 7951 return gen_thostop(cstate, ebroadcast, Q_DST); 7952 case DLT_IEEE802_11: 7953 case DLT_PRISM_HEADER: 7954 case DLT_IEEE802_11_RADIO_AVS: 7955 case DLT_IEEE802_11_RADIO: 7956 case DLT_PPI: 7957 return gen_wlanhostop(cstate, ebroadcast, Q_DST); 7958 case DLT_IP_OVER_FC: 7959 return gen_ipfchostop(cstate, ebroadcast, Q_DST); 7960 default: 7961 bpf_error(cstate, "not a broadcast link"); 7962 } 7963 /*NOTREACHED*/ 7964 7965 case Q_IP: 7966 /* 7967 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7968 * as an indication that we don't know the netmask, and fail 7969 * in that case. 7970 */ 7971 if (cstate->netmask == PCAP_NETMASK_UNKNOWN) 7972 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported"); 7973 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7974 hostmask = ~cstate->netmask; 7975 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask); 7976 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 7977 (bpf_int32)(~0 & hostmask), hostmask); 7978 gen_or(b1, b2); 7979 gen_and(b0, b2); 7980 return b2; 7981 } 7982 bpf_error(cstate, "only link-layer/IP broadcast filters supported"); 7983 /*NOTREACHED*/ 7984 } 7985 7986 /* 7987 * Generate code to test the low-order bit of a MAC address (that's 7988 * the bottom bit of the *first* byte). 7989 */ 7990 static struct block * 7991 gen_mac_multicast(compiler_state_t *cstate, int offset) 7992 { 7993 register struct block *b0; 7994 register struct slist *s; 7995 7996 /* link[offset] & 1 != 0 */ 7997 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B); 7998 b0 = new_block(cstate, JMP(BPF_JSET)); 7999 b0->s.k = 1; 8000 b0->stmts = s; 8001 return b0; 8002 } 8003 8004 struct block * 8005 gen_multicast(compiler_state_t *cstate, int proto) 8006 { 8007 register struct block *b0, *b1, *b2; 8008 register struct slist *s; 8009 8010 /* 8011 * Catch errors reported by us and routines below us, and return NULL 8012 * on an error. 8013 */ 8014 if (setjmp(cstate->top_ctx)) 8015 return (NULL); 8016 8017 switch (proto) { 8018 8019 case Q_DEFAULT: 8020 case Q_LINK: 8021 switch (cstate->linktype) { 8022 case DLT_ARCNET: 8023 case DLT_ARCNET_LINUX: 8024 /* all ARCnet multicasts use the same address */ 8025 return gen_ahostop(cstate, abroadcast, Q_DST); 8026 case DLT_EN10MB: 8027 case DLT_NETANALYZER: 8028 case DLT_NETANALYZER_TRANSPARENT: 8029 b1 = gen_prevlinkhdr_check(cstate); 8030 /* ether[0] & 1 != 0 */ 8031 b0 = gen_mac_multicast(cstate, 0); 8032 if (b1 != NULL) 8033 gen_and(b1, b0); 8034 return b0; 8035 case DLT_FDDI: 8036 /* 8037 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 8038 * 8039 * XXX - was that referring to bit-order issues? 8040 */ 8041 /* fddi[1] & 1 != 0 */ 8042 return gen_mac_multicast(cstate, 1); 8043 case DLT_IEEE802: 8044 /* tr[2] & 1 != 0 */ 8045 return gen_mac_multicast(cstate, 2); 8046 case DLT_IEEE802_11: 8047 case DLT_PRISM_HEADER: 8048 case DLT_IEEE802_11_RADIO_AVS: 8049 case DLT_IEEE802_11_RADIO: 8050 case DLT_PPI: 8051 /* 8052 * Oh, yuk. 8053 * 8054 * For control frames, there is no DA. 8055 * 8056 * For management frames, DA is at an 8057 * offset of 4 from the beginning of 8058 * the packet. 8059 * 8060 * For data frames, DA is at an offset 8061 * of 4 from the beginning of the packet 8062 * if To DS is clear and at an offset of 8063 * 16 from the beginning of the packet 8064 * if To DS is set. 8065 */ 8066 8067 /* 8068 * Generate the tests to be done for data frames. 8069 * 8070 * First, check for To DS set, i.e. "link[1] & 0x01". 8071 */ 8072 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 8073 b1 = new_block(cstate, JMP(BPF_JSET)); 8074 b1->s.k = 0x01; /* To DS */ 8075 b1->stmts = s; 8076 8077 /* 8078 * If To DS is set, the DA is at 16. 8079 */ 8080 b0 = gen_mac_multicast(cstate, 16); 8081 gen_and(b1, b0); 8082 8083 /* 8084 * Now, check for To DS not set, i.e. check 8085 * "!(link[1] & 0x01)". 8086 */ 8087 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 8088 b2 = new_block(cstate, JMP(BPF_JSET)); 8089 b2->s.k = 0x01; /* To DS */ 8090 b2->stmts = s; 8091 gen_not(b2); 8092 8093 /* 8094 * If To DS is not set, the DA is at 4. 8095 */ 8096 b1 = gen_mac_multicast(cstate, 4); 8097 gen_and(b2, b1); 8098 8099 /* 8100 * Now OR together the last two checks. That gives 8101 * the complete set of checks for data frames. 8102 */ 8103 gen_or(b1, b0); 8104 8105 /* 8106 * Now check for a data frame. 8107 * I.e, check "link[0] & 0x08". 8108 */ 8109 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8110 b1 = new_block(cstate, JMP(BPF_JSET)); 8111 b1->s.k = 0x08; 8112 b1->stmts = s; 8113 8114 /* 8115 * AND that with the checks done for data frames. 8116 */ 8117 gen_and(b1, b0); 8118 8119 /* 8120 * If the high-order bit of the type value is 0, this 8121 * is a management frame. 8122 * I.e, check "!(link[0] & 0x08)". 8123 */ 8124 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8125 b2 = new_block(cstate, JMP(BPF_JSET)); 8126 b2->s.k = 0x08; 8127 b2->stmts = s; 8128 gen_not(b2); 8129 8130 /* 8131 * For management frames, the DA is at 4. 8132 */ 8133 b1 = gen_mac_multicast(cstate, 4); 8134 gen_and(b2, b1); 8135 8136 /* 8137 * OR that with the checks done for data frames. 8138 * That gives the checks done for management and 8139 * data frames. 8140 */ 8141 gen_or(b1, b0); 8142 8143 /* 8144 * If the low-order bit of the type value is 1, 8145 * this is either a control frame or a frame 8146 * with a reserved type, and thus not a 8147 * frame with an SA. 8148 * 8149 * I.e., check "!(link[0] & 0x04)". 8150 */ 8151 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 8152 b1 = new_block(cstate, JMP(BPF_JSET)); 8153 b1->s.k = 0x04; 8154 b1->stmts = s; 8155 gen_not(b1); 8156 8157 /* 8158 * AND that with the checks for data and management 8159 * frames. 8160 */ 8161 gen_and(b1, b0); 8162 return b0; 8163 case DLT_IP_OVER_FC: 8164 b0 = gen_mac_multicast(cstate, 2); 8165 return b0; 8166 default: 8167 break; 8168 } 8169 /* Link not known to support multicasts */ 8170 break; 8171 8172 case Q_IP: 8173 b0 = gen_linktype(cstate, ETHERTYPE_IP); 8174 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, (bpf_int32)224); 8175 gen_and(b0, b1); 8176 return b1; 8177 8178 case Q_IPV6: 8179 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 8180 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, (bpf_int32)255); 8181 gen_and(b0, b1); 8182 return b1; 8183 } 8184 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 8185 /*NOTREACHED*/ 8186 } 8187 8188 /* 8189 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 8190 * Outbound traffic is sent by this machine, while inbound traffic is 8191 * sent by a remote machine (and may include packets destined for a 8192 * unicast or multicast link-layer address we are not subscribing to). 8193 * These are the same definitions implemented by pcap_setdirection(). 8194 * Capturing only unicast traffic destined for this host is probably 8195 * better accomplished using a higher-layer filter. 8196 */ 8197 struct block * 8198 gen_inbound(compiler_state_t *cstate, int dir) 8199 { 8200 register struct block *b0; 8201 8202 /* 8203 * Catch errors reported by us and routines below us, and return NULL 8204 * on an error. 8205 */ 8206 if (setjmp(cstate->top_ctx)) 8207 return (NULL); 8208 8209 /* 8210 * Only some data link types support inbound/outbound qualifiers. 8211 */ 8212 switch (cstate->linktype) { 8213 case DLT_SLIP: 8214 b0 = gen_relation_internal(cstate, BPF_JEQ, 8215 gen_load_internal(cstate, Q_LINK, gen_loadi_internal(cstate, 0), 1), 8216 gen_loadi_internal(cstate, 0), 8217 dir); 8218 break; 8219 8220 case DLT_IPNET: 8221 if (dir) { 8222 /* match outgoing packets */ 8223 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND); 8224 } else { 8225 /* match incoming packets */ 8226 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND); 8227 } 8228 break; 8229 8230 case DLT_LINUX_SLL: 8231 /* match outgoing packets */ 8232 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING); 8233 if (!dir) { 8234 /* to filter on inbound traffic, invert the match */ 8235 gen_not(b0); 8236 } 8237 break; 8238 8239 case DLT_LINUX_SLL2: 8240 /* match outgoing packets */ 8241 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING); 8242 if (!dir) { 8243 /* to filter on inbound traffic, invert the match */ 8244 gen_not(b0); 8245 } 8246 break; 8247 8248 #ifdef HAVE_NET_PFVAR_H 8249 case DLT_PFLOG: 8250 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B, 8251 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 8252 break; 8253 #endif 8254 8255 case DLT_PPP_PPPD: 8256 if (dir) { 8257 /* match outgoing packets */ 8258 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT); 8259 } else { 8260 /* match incoming packets */ 8261 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN); 8262 } 8263 break; 8264 8265 case DLT_JUNIPER_MFR: 8266 case DLT_JUNIPER_MLFR: 8267 case DLT_JUNIPER_MLPPP: 8268 case DLT_JUNIPER_ATM1: 8269 case DLT_JUNIPER_ATM2: 8270 case DLT_JUNIPER_PPPOE: 8271 case DLT_JUNIPER_PPPOE_ATM: 8272 case DLT_JUNIPER_GGSN: 8273 case DLT_JUNIPER_ES: 8274 case DLT_JUNIPER_MONITOR: 8275 case DLT_JUNIPER_SERVICES: 8276 case DLT_JUNIPER_ETHER: 8277 case DLT_JUNIPER_PPP: 8278 case DLT_JUNIPER_FRELAY: 8279 case DLT_JUNIPER_CHDLC: 8280 case DLT_JUNIPER_VP: 8281 case DLT_JUNIPER_ST: 8282 case DLT_JUNIPER_ISM: 8283 case DLT_JUNIPER_VS: 8284 case DLT_JUNIPER_SRX_E2E: 8285 case DLT_JUNIPER_FIBRECHANNEL: 8286 case DLT_JUNIPER_ATM_CEMIC: 8287 8288 /* juniper flags (including direction) are stored 8289 * the byte after the 3-byte magic number */ 8290 if (dir) { 8291 /* match outgoing packets */ 8292 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01); 8293 } else { 8294 /* match incoming packets */ 8295 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01); 8296 } 8297 break; 8298 8299 default: 8300 /* 8301 * If we have packet meta-data indicating a direction, 8302 * and that metadata can be checked by BPF code, check 8303 * it. Otherwise, give up, as this link-layer type has 8304 * nothing in the packet data. 8305 * 8306 * Currently, the only platform where a BPF filter can 8307 * check that metadata is Linux with the in-kernel 8308 * BPF interpreter. If other packet capture mechanisms 8309 * and BPF filters also supported this, it would be 8310 * nice. It would be even better if they made that 8311 * metadata available so that we could provide it 8312 * with newer capture APIs, allowing it to be saved 8313 * in pcapng files. 8314 */ 8315 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 8316 /* 8317 * This is Linux with PF_PACKET support. 8318 * If this is a *live* capture, we can look at 8319 * special meta-data in the filter expression; 8320 * if it's a savefile, we can't. 8321 */ 8322 if (cstate->bpf_pcap->rfile != NULL) { 8323 /* We have a FILE *, so this is a savefile */ 8324 bpf_error(cstate, "inbound/outbound not supported on %s when reading savefiles", 8325 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8326 b0 = NULL; 8327 /*NOTREACHED*/ 8328 } 8329 /* match outgoing packets */ 8330 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 8331 PACKET_OUTGOING); 8332 if (!dir) { 8333 /* to filter on inbound traffic, invert the match */ 8334 gen_not(b0); 8335 } 8336 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 8337 bpf_error(cstate, "inbound/outbound not supported on %s", 8338 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 8339 /*NOTREACHED*/ 8340 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 8341 } 8342 return (b0); 8343 } 8344 8345 #ifdef HAVE_NET_PFVAR_H 8346 /* PF firewall log matched interface */ 8347 struct block * 8348 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 8349 { 8350 struct block *b0; 8351 u_int len, off; 8352 8353 /* 8354 * Catch errors reported by us and routines below us, and return NULL 8355 * on an error. 8356 */ 8357 if (setjmp(cstate->top_ctx)) 8358 return (NULL); 8359 8360 if (cstate->linktype != DLT_PFLOG) { 8361 bpf_error(cstate, "ifname supported only on PF linktype"); 8362 /*NOTREACHED*/ 8363 } 8364 len = sizeof(((struct pfloghdr *)0)->ifname); 8365 off = offsetof(struct pfloghdr, ifname); 8366 if (strlen(ifname) >= len) { 8367 bpf_error(cstate, "ifname interface names can only be %d characters", 8368 len-1); 8369 /*NOTREACHED*/ 8370 } 8371 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname), 8372 (const u_char *)ifname); 8373 return (b0); 8374 } 8375 8376 /* PF firewall log ruleset name */ 8377 struct block * 8378 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 8379 { 8380 struct block *b0; 8381 8382 /* 8383 * Catch errors reported by us and routines below us, and return NULL 8384 * on an error. 8385 */ 8386 if (setjmp(cstate->top_ctx)) 8387 return (NULL); 8388 8389 if (cstate->linktype != DLT_PFLOG) { 8390 bpf_error(cstate, "ruleset supported only on PF linktype"); 8391 /*NOTREACHED*/ 8392 } 8393 8394 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 8395 bpf_error(cstate, "ruleset names can only be %ld characters", 8396 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 8397 /*NOTREACHED*/ 8398 } 8399 8400 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset), 8401 (u_int)strlen(ruleset), (const u_char *)ruleset); 8402 return (b0); 8403 } 8404 8405 /* PF firewall log rule number */ 8406 struct block * 8407 gen_pf_rnr(compiler_state_t *cstate, int rnr) 8408 { 8409 struct block *b0; 8410 8411 /* 8412 * Catch errors reported by us and routines below us, and return NULL 8413 * on an error. 8414 */ 8415 if (setjmp(cstate->top_ctx)) 8416 return (NULL); 8417 8418 if (cstate->linktype != DLT_PFLOG) { 8419 bpf_error(cstate, "rnr supported only on PF linktype"); 8420 /*NOTREACHED*/ 8421 } 8422 8423 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W, 8424 (bpf_int32)rnr); 8425 return (b0); 8426 } 8427 8428 /* PF firewall log sub-rule number */ 8429 struct block * 8430 gen_pf_srnr(compiler_state_t *cstate, int srnr) 8431 { 8432 struct block *b0; 8433 8434 /* 8435 * Catch errors reported by us and routines below us, and return NULL 8436 * on an error. 8437 */ 8438 if (setjmp(cstate->top_ctx)) 8439 return (NULL); 8440 8441 if (cstate->linktype != DLT_PFLOG) { 8442 bpf_error(cstate, "srnr supported only on PF linktype"); 8443 /*NOTREACHED*/ 8444 } 8445 8446 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W, 8447 (bpf_int32)srnr); 8448 return (b0); 8449 } 8450 8451 /* PF firewall log reason code */ 8452 struct block * 8453 gen_pf_reason(compiler_state_t *cstate, int reason) 8454 { 8455 struct block *b0; 8456 8457 /* 8458 * Catch errors reported by us and routines below us, and return NULL 8459 * on an error. 8460 */ 8461 if (setjmp(cstate->top_ctx)) 8462 return (NULL); 8463 8464 if (cstate->linktype != DLT_PFLOG) { 8465 bpf_error(cstate, "reason supported only on PF linktype"); 8466 /*NOTREACHED*/ 8467 } 8468 8469 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B, 8470 (bpf_int32)reason); 8471 return (b0); 8472 } 8473 8474 /* PF firewall log action */ 8475 struct block * 8476 gen_pf_action(compiler_state_t *cstate, int action) 8477 { 8478 struct block *b0; 8479 8480 /* 8481 * Catch errors reported by us and routines below us, and return NULL 8482 * on an error. 8483 */ 8484 if (setjmp(cstate->top_ctx)) 8485 return (NULL); 8486 8487 if (cstate->linktype != DLT_PFLOG) { 8488 bpf_error(cstate, "action supported only on PF linktype"); 8489 /*NOTREACHED*/ 8490 } 8491 8492 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B, 8493 (bpf_int32)action); 8494 return (b0); 8495 } 8496 #else /* !HAVE_NET_PFVAR_H */ 8497 struct block * 8498 gen_pf_ifname(compiler_state_t *cstate, const char *ifname _U_) 8499 { 8500 /* 8501 * Catch errors reported by us and routines below us, and return NULL 8502 * on an error. 8503 */ 8504 if (setjmp(cstate->top_ctx)) 8505 return (NULL); 8506 8507 bpf_error(cstate, "libpcap was compiled without pf support"); 8508 /*NOTREACHED*/ 8509 } 8510 8511 struct block * 8512 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset _U_) 8513 { 8514 /* 8515 * Catch errors reported by us and routines below us, and return NULL 8516 * on an error. 8517 */ 8518 if (setjmp(cstate->top_ctx)) 8519 return (NULL); 8520 8521 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 8522 /*NOTREACHED*/ 8523 } 8524 8525 struct block * 8526 gen_pf_rnr(compiler_state_t *cstate, int rnr _U_) 8527 { 8528 /* 8529 * Catch errors reported by us and routines below us, and return NULL 8530 * on an error. 8531 */ 8532 if (setjmp(cstate->top_ctx)) 8533 return (NULL); 8534 8535 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 8536 /*NOTREACHED*/ 8537 } 8538 8539 struct block * 8540 gen_pf_srnr(compiler_state_t *cstate, int srnr _U_) 8541 { 8542 /* 8543 * Catch errors reported by us and routines below us, and return NULL 8544 * on an error. 8545 */ 8546 if (setjmp(cstate->top_ctx)) 8547 return (NULL); 8548 8549 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 8550 /*NOTREACHED*/ 8551 } 8552 8553 struct block * 8554 gen_pf_reason(compiler_state_t *cstate, int reason _U_) 8555 { 8556 /* 8557 * Catch errors reported by us and routines below us, and return NULL 8558 * on an error. 8559 */ 8560 if (setjmp(cstate->top_ctx)) 8561 return (NULL); 8562 8563 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 8564 /*NOTREACHED*/ 8565 } 8566 8567 struct block * 8568 gen_pf_action(compiler_state_t *cstate, int action _U_) 8569 { 8570 /* 8571 * Catch errors reported by us and routines below us, and return NULL 8572 * on an error. 8573 */ 8574 if (setjmp(cstate->top_ctx)) 8575 return (NULL); 8576 8577 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 8578 /*NOTREACHED*/ 8579 } 8580 #endif /* HAVE_NET_PFVAR_H */ 8581 8582 /* IEEE 802.11 wireless header */ 8583 struct block * 8584 gen_p80211_type(compiler_state_t *cstate, int type, int mask) 8585 { 8586 struct block *b0; 8587 8588 /* 8589 * Catch errors reported by us and routines below us, and return NULL 8590 * on an error. 8591 */ 8592 if (setjmp(cstate->top_ctx)) 8593 return (NULL); 8594 8595 switch (cstate->linktype) { 8596 8597 case DLT_IEEE802_11: 8598 case DLT_PRISM_HEADER: 8599 case DLT_IEEE802_11_RADIO_AVS: 8600 case DLT_IEEE802_11_RADIO: 8601 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, (bpf_int32)type, 8602 (bpf_int32)mask); 8603 break; 8604 8605 default: 8606 bpf_error(cstate, "802.11 link-layer types supported only on 802.11"); 8607 /*NOTREACHED*/ 8608 } 8609 8610 return (b0); 8611 } 8612 8613 struct block * 8614 gen_p80211_fcdir(compiler_state_t *cstate, int fcdir) 8615 { 8616 struct block *b0; 8617 8618 /* 8619 * Catch errors reported by us and routines below us, and return NULL 8620 * on an error. 8621 */ 8622 if (setjmp(cstate->top_ctx)) 8623 return (NULL); 8624 8625 switch (cstate->linktype) { 8626 8627 case DLT_IEEE802_11: 8628 case DLT_PRISM_HEADER: 8629 case DLT_IEEE802_11_RADIO_AVS: 8630 case DLT_IEEE802_11_RADIO: 8631 break; 8632 8633 default: 8634 bpf_error(cstate, "frame direction supported only with 802.11 headers"); 8635 /*NOTREACHED*/ 8636 } 8637 8638 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir, 8639 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 8640 8641 return (b0); 8642 } 8643 8644 struct block * 8645 gen_acode(compiler_state_t *cstate, const char *s, struct qual q) 8646 { 8647 struct block *b; 8648 8649 /* 8650 * Catch errors reported by us and routines below us, and return NULL 8651 * on an error. 8652 */ 8653 if (setjmp(cstate->top_ctx)) 8654 return (NULL); 8655 8656 switch (cstate->linktype) { 8657 8658 case DLT_ARCNET: 8659 case DLT_ARCNET_LINUX: 8660 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 8661 q.proto == Q_LINK) { 8662 cstate->e = pcap_ether_aton(s); 8663 if (cstate->e == NULL) 8664 bpf_error(cstate, "malloc"); 8665 b = gen_ahostop(cstate, cstate->e, (int)q.dir); 8666 free(cstate->e); 8667 cstate->e = NULL; 8668 return (b); 8669 } else 8670 bpf_error(cstate, "ARCnet address used in non-arc expression"); 8671 /*NOTREACHED*/ 8672 8673 default: 8674 bpf_error(cstate, "aid supported only on ARCnet"); 8675 /*NOTREACHED*/ 8676 } 8677 } 8678 8679 static struct block * 8680 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 8681 { 8682 register struct block *b0, *b1; 8683 8684 switch (dir) { 8685 /* src comes first, different from Ethernet */ 8686 case Q_SRC: 8687 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr); 8688 8689 case Q_DST: 8690 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr); 8691 8692 case Q_AND: 8693 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8694 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8695 gen_and(b0, b1); 8696 return b1; 8697 8698 case Q_DEFAULT: 8699 case Q_OR: 8700 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8701 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8702 gen_or(b0, b1); 8703 return b1; 8704 8705 case Q_ADDR1: 8706 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 8707 /*NOTREACHED*/ 8708 8709 case Q_ADDR2: 8710 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 8711 /*NOTREACHED*/ 8712 8713 case Q_ADDR3: 8714 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 8715 /*NOTREACHED*/ 8716 8717 case Q_ADDR4: 8718 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 8719 /*NOTREACHED*/ 8720 8721 case Q_RA: 8722 bpf_error(cstate, "'ra' is only supported on 802.11"); 8723 /*NOTREACHED*/ 8724 8725 case Q_TA: 8726 bpf_error(cstate, "'ta' is only supported on 802.11"); 8727 /*NOTREACHED*/ 8728 } 8729 abort(); 8730 /*NOTREACHED*/ 8731 } 8732 8733 static struct block * 8734 gen_vlan_tpid_test(compiler_state_t *cstate) 8735 { 8736 struct block *b0, *b1; 8737 8738 /* check for VLAN, including QinQ */ 8739 b0 = gen_linktype(cstate, ETHERTYPE_8021Q); 8740 b1 = gen_linktype(cstate, ETHERTYPE_8021AD); 8741 gen_or(b0,b1); 8742 b0 = b1; 8743 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ); 8744 gen_or(b0,b1); 8745 8746 return b1; 8747 } 8748 8749 static struct block * 8750 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num) 8751 { 8752 if (vlan_num > 0x0fff) { 8753 bpf_error(cstate, "VLAN tag %u greater than maximum %u", 8754 vlan_num, 0x0fff); 8755 } 8756 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, (bpf_int32)vlan_num, 0x0fff); 8757 } 8758 8759 static struct block * 8760 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num, 8761 int has_vlan_tag) 8762 { 8763 struct block *b0, *b1; 8764 8765 b0 = gen_vlan_tpid_test(cstate); 8766 8767 if (has_vlan_tag) { 8768 b1 = gen_vlan_vid_test(cstate, vlan_num); 8769 gen_and(b0, b1); 8770 b0 = b1; 8771 } 8772 8773 /* 8774 * Both payload and link header type follow the VLAN tags so that 8775 * both need to be updated. 8776 */ 8777 cstate->off_linkpl.constant_part += 4; 8778 cstate->off_linktype.constant_part += 4; 8779 8780 return b0; 8781 } 8782 8783 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8784 /* add v to variable part of off */ 8785 static void 8786 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off, int v, struct slist *s) 8787 { 8788 struct slist *s2; 8789 8790 if (!off->is_variable) 8791 off->is_variable = 1; 8792 if (off->reg == -1) 8793 off->reg = alloc_reg(cstate); 8794 8795 s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 8796 s2->s.k = off->reg; 8797 sappend(s, s2); 8798 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 8799 s2->s.k = v; 8800 sappend(s, s2); 8801 s2 = new_stmt(cstate, BPF_ST); 8802 s2->s.k = off->reg; 8803 sappend(s, s2); 8804 } 8805 8806 /* 8807 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload 8808 * and link type offsets first 8809 */ 8810 static void 8811 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid) 8812 { 8813 struct slist s; 8814 8815 /* offset determined at run time, shift variable part */ 8816 s.next = NULL; 8817 cstate->is_vlan_vloffset = 1; 8818 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s); 8819 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s); 8820 8821 /* we get a pointer to a chain of or-ed blocks, patch first of them */ 8822 sappend(s.next, b_tpid->head->stmts); 8823 b_tpid->head->stmts = s.next; 8824 } 8825 8826 /* 8827 * patch block b_vid (VLAN id test) to load VID value either from packet 8828 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true 8829 */ 8830 static void 8831 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid) 8832 { 8833 struct slist *s, *s2, *sjeq; 8834 unsigned cnt; 8835 8836 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8837 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8838 8839 /* true -> next instructions, false -> beginning of b_vid */ 8840 sjeq = new_stmt(cstate, JMP(BPF_JEQ)); 8841 sjeq->s.k = 1; 8842 sjeq->s.jf = b_vid->stmts; 8843 sappend(s, sjeq); 8844 8845 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8846 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG; 8847 sappend(s, s2); 8848 sjeq->s.jt = s2; 8849 8850 /* Jump to the test in b_vid. We need to jump one instruction before 8851 * the end of the b_vid block so that we only skip loading the TCI 8852 * from packet data and not the 'and' instruction extractging VID. 8853 */ 8854 cnt = 0; 8855 for (s2 = b_vid->stmts; s2; s2 = s2->next) 8856 cnt++; 8857 s2 = new_stmt(cstate, JMP(BPF_JA)); 8858 s2->s.k = cnt - 1; 8859 sappend(s, s2); 8860 8861 /* insert our statements at the beginning of b_vid */ 8862 sappend(s, b_vid->stmts); 8863 b_vid->stmts = s; 8864 } 8865 8866 /* 8867 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF 8868 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN 8869 * tag can be either in metadata or in packet data; therefore if the 8870 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link 8871 * header for VLAN tag. As the decision is done at run time, we need 8872 * update variable part of the offsets 8873 */ 8874 static struct block * 8875 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num, 8876 int has_vlan_tag) 8877 { 8878 struct block *b0, *b_tpid, *b_vid = NULL; 8879 struct slist *s; 8880 8881 /* generate new filter code based on extracting packet 8882 * metadata */ 8883 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8884 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8885 8886 b0 = new_block(cstate, JMP(BPF_JEQ)); 8887 b0->stmts = s; 8888 b0->s.k = 1; 8889 8890 /* 8891 * This is tricky. We need to insert the statements updating variable 8892 * parts of offsets before the the traditional TPID and VID tests so 8893 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but 8894 * we do not want this update to affect those checks. That's why we 8895 * generate both test blocks first and insert the statements updating 8896 * variable parts of both offsets after that. This wouldn't work if 8897 * there already were variable length link header when entering this 8898 * function but gen_vlan_bpf_extensions() isn't called in that case. 8899 */ 8900 b_tpid = gen_vlan_tpid_test(cstate); 8901 if (has_vlan_tag) 8902 b_vid = gen_vlan_vid_test(cstate, vlan_num); 8903 8904 gen_vlan_patch_tpid_test(cstate, b_tpid); 8905 gen_or(b0, b_tpid); 8906 b0 = b_tpid; 8907 8908 if (has_vlan_tag) { 8909 gen_vlan_patch_vid_test(cstate, b_vid); 8910 gen_and(b0, b_vid); 8911 b0 = b_vid; 8912 } 8913 8914 return b0; 8915 } 8916 #endif 8917 8918 /* 8919 * support IEEE 802.1Q VLAN trunk over ethernet 8920 */ 8921 struct block * 8922 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag) 8923 { 8924 struct block *b0; 8925 8926 /* 8927 * Catch errors reported by us and routines below us, and return NULL 8928 * on an error. 8929 */ 8930 if (setjmp(cstate->top_ctx)) 8931 return (NULL); 8932 8933 /* can't check for VLAN-encapsulated packets inside MPLS */ 8934 if (cstate->label_stack_depth > 0) 8935 bpf_error(cstate, "no VLAN match after MPLS"); 8936 8937 /* 8938 * Check for a VLAN packet, and then change the offsets to point 8939 * to the type and data fields within the VLAN packet. Just 8940 * increment the offsets, so that we can support a hierarchy, e.g. 8941 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 8942 * VLAN 100. 8943 * 8944 * XXX - this is a bit of a kludge. If we were to split the 8945 * compiler into a parser that parses an expression and 8946 * generates an expression tree, and a code generator that 8947 * takes an expression tree (which could come from our 8948 * parser or from some other parser) and generates BPF code, 8949 * we could perhaps make the offsets parameters of routines 8950 * and, in the handler for an "AND" node, pass to subnodes 8951 * other than the VLAN node the adjusted offsets. 8952 * 8953 * This would mean that "vlan" would, instead of changing the 8954 * behavior of *all* tests after it, change only the behavior 8955 * of tests ANDed with it. That would change the documented 8956 * semantics of "vlan", which might break some expressions. 8957 * However, it would mean that "(vlan and ip) or ip" would check 8958 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8959 * checking only for VLAN-encapsulated IP, so that could still 8960 * be considered worth doing; it wouldn't break expressions 8961 * that are of the form "vlan and ..." or "vlan N and ...", 8962 * which I suspect are the most common expressions involving 8963 * "vlan". "vlan or ..." doesn't necessarily do what the user 8964 * would really want, now, as all the "or ..." tests would 8965 * be done assuming a VLAN, even though the "or" could be viewed 8966 * as meaning "or, if this isn't a VLAN packet...". 8967 */ 8968 switch (cstate->linktype) { 8969 8970 case DLT_EN10MB: 8971 case DLT_NETANALYZER: 8972 case DLT_NETANALYZER_TRANSPARENT: 8973 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8974 /* Verify that this is the outer part of the packet and 8975 * not encapsulated somehow. */ 8976 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable && 8977 cstate->off_linkhdr.constant_part == 8978 cstate->off_outermostlinkhdr.constant_part) { 8979 /* 8980 * Do we need special VLAN handling? 8981 */ 8982 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING) 8983 b0 = gen_vlan_bpf_extensions(cstate, vlan_num, 8984 has_vlan_tag); 8985 else 8986 b0 = gen_vlan_no_bpf_extensions(cstate, 8987 vlan_num, has_vlan_tag); 8988 } else 8989 #endif 8990 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, 8991 has_vlan_tag); 8992 break; 8993 8994 case DLT_IEEE802_11: 8995 case DLT_PRISM_HEADER: 8996 case DLT_IEEE802_11_RADIO_AVS: 8997 case DLT_IEEE802_11_RADIO: 8998 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag); 8999 break; 9000 9001 default: 9002 bpf_error(cstate, "no VLAN support for %s", 9003 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 9004 /*NOTREACHED*/ 9005 } 9006 9007 cstate->vlan_stack_depth++; 9008 9009 return (b0); 9010 } 9011 9012 /* 9013 * support for MPLS 9014 * 9015 * The label_num_arg dance is to avoid annoying whining by compilers that 9016 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 9017 * It's not *used* after setjmp returns. 9018 */ 9019 struct block * 9020 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num_arg, 9021 int has_label_num) 9022 { 9023 volatile bpf_u_int32 label_num = label_num_arg; 9024 struct block *b0, *b1; 9025 9026 /* 9027 * Catch errors reported by us and routines below us, and return NULL 9028 * on an error. 9029 */ 9030 if (setjmp(cstate->top_ctx)) 9031 return (NULL); 9032 9033 if (cstate->label_stack_depth > 0) { 9034 /* just match the bottom-of-stack bit clear */ 9035 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01); 9036 } else { 9037 /* 9038 * We're not in an MPLS stack yet, so check the link-layer 9039 * type against MPLS. 9040 */ 9041 switch (cstate->linktype) { 9042 9043 case DLT_C_HDLC: /* fall through */ 9044 case DLT_EN10MB: 9045 case DLT_NETANALYZER: 9046 case DLT_NETANALYZER_TRANSPARENT: 9047 b0 = gen_linktype(cstate, ETHERTYPE_MPLS); 9048 break; 9049 9050 case DLT_PPP: 9051 b0 = gen_linktype(cstate, PPP_MPLS_UCAST); 9052 break; 9053 9054 /* FIXME add other DLT_s ... 9055 * for Frame-Relay/and ATM this may get messy due to SNAP headers 9056 * leave it for now */ 9057 9058 default: 9059 bpf_error(cstate, "no MPLS support for %s", 9060 pcap_datalink_val_to_description_or_dlt(cstate->linktype)); 9061 /*NOTREACHED*/ 9062 } 9063 } 9064 9065 /* If a specific MPLS label is requested, check it */ 9066 if (has_label_num) { 9067 if (label_num > 0xFFFFF) { 9068 bpf_error(cstate, "MPLS label %u greater than maximum %u", 9069 label_num, 0xFFFFF); 9070 } 9071 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 9072 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, (bpf_int32)label_num, 9073 0xfffff000); /* only compare the first 20 bits */ 9074 gen_and(b0, b1); 9075 b0 = b1; 9076 } 9077 9078 /* 9079 * Change the offsets to point to the type and data fields within 9080 * the MPLS packet. Just increment the offsets, so that we 9081 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 9082 * capture packets with an outer label of 100000 and an inner 9083 * label of 1024. 9084 * 9085 * Increment the MPLS stack depth as well; this indicates that 9086 * we're checking MPLS-encapsulated headers, to make sure higher 9087 * level code generators don't try to match against IP-related 9088 * protocols such as Q_ARP, Q_RARP etc. 9089 * 9090 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 9091 */ 9092 cstate->off_nl_nosnap += 4; 9093 cstate->off_nl += 4; 9094 cstate->label_stack_depth++; 9095 return (b0); 9096 } 9097 9098 /* 9099 * Support PPPOE discovery and session. 9100 */ 9101 struct block * 9102 gen_pppoed(compiler_state_t *cstate) 9103 { 9104 /* 9105 * Catch errors reported by us and routines below us, and return NULL 9106 * on an error. 9107 */ 9108 if (setjmp(cstate->top_ctx)) 9109 return (NULL); 9110 9111 /* check for PPPoE discovery */ 9112 return gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOED); 9113 } 9114 9115 struct block * 9116 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num) 9117 { 9118 struct block *b0, *b1; 9119 9120 /* 9121 * Catch errors reported by us and routines below us, and return NULL 9122 * on an error. 9123 */ 9124 if (setjmp(cstate->top_ctx)) 9125 return (NULL); 9126 9127 /* 9128 * Test against the PPPoE session link-layer type. 9129 */ 9130 b0 = gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOES); 9131 9132 /* If a specific session is requested, check PPPoE session id */ 9133 if (has_sess_num) { 9134 if (sess_num > 0x0000ffff) { 9135 bpf_error(cstate, "PPPoE session number %u greater than maximum %u", 9136 sess_num, 0x0000ffff); 9137 } 9138 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, 9139 (bpf_int32)sess_num, 0x0000ffff); 9140 gen_and(b0, b1); 9141 b0 = b1; 9142 } 9143 9144 /* 9145 * Change the offsets to point to the type and data fields within 9146 * the PPP packet, and note that this is PPPoE rather than 9147 * raw PPP. 9148 * 9149 * XXX - this is a bit of a kludge. See the comments in 9150 * gen_vlan(). 9151 * 9152 * The "network-layer" protocol is PPPoE, which has a 6-byte 9153 * PPPoE header, followed by a PPP packet. 9154 * 9155 * There is no HDLC encapsulation for the PPP packet (it's 9156 * encapsulated in PPPoES instead), so the link-layer type 9157 * starts at the first byte of the PPP packet. For PPPoE, 9158 * that offset is relative to the beginning of the total 9159 * link-layer payload, including any 802.2 LLC header, so 9160 * it's 6 bytes past cstate->off_nl. 9161 */ 9162 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable, 9163 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */ 9164 cstate->off_linkpl.reg); 9165 9166 cstate->off_linktype = cstate->off_linkhdr; 9167 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2; 9168 9169 cstate->off_nl = 0; 9170 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 9171 9172 return b0; 9173 } 9174 9175 /* Check that this is Geneve and the VNI is correct if 9176 * specified. Parameterized to handle both IPv4 and IPv6. */ 9177 static struct block * 9178 gen_geneve_check(compiler_state_t *cstate, 9179 struct block *(*gen_portfn)(compiler_state_t *, int, int, int), 9180 enum e_offrel offrel, bpf_u_int32 vni, int has_vni) 9181 { 9182 struct block *b0, *b1; 9183 9184 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST); 9185 9186 /* Check that we are operating on version 0. Otherwise, we 9187 * can't decode the rest of the fields. The version is 2 bits 9188 * in the first byte of the Geneve header. */ 9189 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, (bpf_int32)0, 0xc0); 9190 gen_and(b0, b1); 9191 b0 = b1; 9192 9193 if (has_vni) { 9194 if (vni > 0xffffff) { 9195 bpf_error(cstate, "Geneve VNI %u greater than maximum %u", 9196 vni, 0xffffff); 9197 } 9198 vni <<= 8; /* VNI is in the upper 3 bytes */ 9199 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, (bpf_int32)vni, 9200 0xffffff00); 9201 gen_and(b0, b1); 9202 b0 = b1; 9203 } 9204 9205 return b0; 9206 } 9207 9208 /* The IPv4 and IPv6 Geneve checks need to do two things: 9209 * - Verify that this actually is Geneve with the right VNI. 9210 * - Place the IP header length (plus variable link prefix if 9211 * needed) into register A to be used later to compute 9212 * the inner packet offsets. */ 9213 static struct block * 9214 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9215 { 9216 struct block *b0, *b1; 9217 struct slist *s, *s1; 9218 9219 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni); 9220 9221 /* Load the IP header length into A. */ 9222 s = gen_loadx_iphdrlen(cstate); 9223 9224 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 9225 sappend(s, s1); 9226 9227 /* Forcibly append these statements to the true condition 9228 * of the protocol check by creating a new block that is 9229 * always true and ANDing them. */ 9230 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9231 b1->stmts = s; 9232 b1->s.k = 0; 9233 9234 gen_and(b0, b1); 9235 9236 return b1; 9237 } 9238 9239 static struct block * 9240 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9241 { 9242 struct block *b0, *b1; 9243 struct slist *s, *s1; 9244 9245 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni); 9246 9247 /* Load the IP header length. We need to account for a 9248 * variable length link prefix if there is one. */ 9249 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 9250 if (s) { 9251 s1 = new_stmt(cstate, BPF_LD|BPF_IMM); 9252 s1->s.k = 40; 9253 sappend(s, s1); 9254 9255 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 9256 s1->s.k = 0; 9257 sappend(s, s1); 9258 } else { 9259 s = new_stmt(cstate, BPF_LD|BPF_IMM); 9260 s->s.k = 40; 9261 } 9262 9263 /* Forcibly append these statements to the true condition 9264 * of the protocol check by creating a new block that is 9265 * always true and ANDing them. */ 9266 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9267 sappend(s, s1); 9268 9269 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9270 b1->stmts = s; 9271 b1->s.k = 0; 9272 9273 gen_and(b0, b1); 9274 9275 return b1; 9276 } 9277 9278 /* We need to store three values based on the Geneve header:: 9279 * - The offset of the linktype. 9280 * - The offset of the end of the Geneve header. 9281 * - The offset of the end of the encapsulated MAC header. */ 9282 static struct slist * 9283 gen_geneve_offsets(compiler_state_t *cstate) 9284 { 9285 struct slist *s, *s1, *s_proto; 9286 9287 /* First we need to calculate the offset of the Geneve header 9288 * itself. This is composed of the IP header previously calculated 9289 * (include any variable link prefix) and stored in A plus the 9290 * fixed sized headers (fixed link prefix, MAC length, and UDP 9291 * header). */ 9292 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9293 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8; 9294 9295 /* Stash this in X since we'll need it later. */ 9296 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9297 sappend(s, s1); 9298 9299 /* The EtherType in Geneve is 2 bytes in. Calculate this and 9300 * store it. */ 9301 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9302 s1->s.k = 2; 9303 sappend(s, s1); 9304 9305 cstate->off_linktype.reg = alloc_reg(cstate); 9306 cstate->off_linktype.is_variable = 1; 9307 cstate->off_linktype.constant_part = 0; 9308 9309 s1 = new_stmt(cstate, BPF_ST); 9310 s1->s.k = cstate->off_linktype.reg; 9311 sappend(s, s1); 9312 9313 /* Load the Geneve option length and mask and shift to get the 9314 * number of bytes. It is stored in the first byte of the Geneve 9315 * header. */ 9316 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 9317 s1->s.k = 0; 9318 sappend(s, s1); 9319 9320 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 9321 s1->s.k = 0x3f; 9322 sappend(s, s1); 9323 9324 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 9325 s1->s.k = 4; 9326 sappend(s, s1); 9327 9328 /* Add in the rest of the Geneve base header. */ 9329 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9330 s1->s.k = 8; 9331 sappend(s, s1); 9332 9333 /* Add the Geneve header length to its offset and store. */ 9334 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 9335 s1->s.k = 0; 9336 sappend(s, s1); 9337 9338 /* Set the encapsulated type as Ethernet. Even though we may 9339 * not actually have Ethernet inside there are two reasons this 9340 * is useful: 9341 * - The linktype field is always in EtherType format regardless 9342 * of whether it is in Geneve or an inner Ethernet frame. 9343 * - The only link layer that we have specific support for is 9344 * Ethernet. We will confirm that the packet actually is 9345 * Ethernet at runtime before executing these checks. */ 9346 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate)); 9347 9348 s1 = new_stmt(cstate, BPF_ST); 9349 s1->s.k = cstate->off_linkhdr.reg; 9350 sappend(s, s1); 9351 9352 /* Calculate whether we have an Ethernet header or just raw IP/ 9353 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset 9354 * and linktype by 14 bytes so that the network header can be found 9355 * seamlessly. Otherwise, keep what we've calculated already. */ 9356 9357 /* We have a bare jmp so we can't use the optimizer. */ 9358 cstate->no_optimize = 1; 9359 9360 /* Load the EtherType in the Geneve header, 2 bytes in. */ 9361 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H); 9362 s1->s.k = 2; 9363 sappend(s, s1); 9364 9365 /* Load X with the end of the Geneve header. */ 9366 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 9367 s1->s.k = cstate->off_linkhdr.reg; 9368 sappend(s, s1); 9369 9370 /* Check if the EtherType is Transparent Ethernet Bridging. At the 9371 * end of this check, we should have the total length in X. In 9372 * the non-Ethernet case, it's already there. */ 9373 s_proto = new_stmt(cstate, JMP(BPF_JEQ)); 9374 s_proto->s.k = ETHERTYPE_TEB; 9375 sappend(s, s_proto); 9376 9377 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 9378 sappend(s, s1); 9379 s_proto->s.jt = s1; 9380 9381 /* Since this is Ethernet, use the EtherType of the payload 9382 * directly as the linktype. Overwrite what we already have. */ 9383 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9384 s1->s.k = 12; 9385 sappend(s, s1); 9386 9387 s1 = new_stmt(cstate, BPF_ST); 9388 s1->s.k = cstate->off_linktype.reg; 9389 sappend(s, s1); 9390 9391 /* Advance two bytes further to get the end of the Ethernet 9392 * header. */ 9393 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 9394 s1->s.k = 2; 9395 sappend(s, s1); 9396 9397 /* Move the result to X. */ 9398 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 9399 sappend(s, s1); 9400 9401 /* Store the final result of our linkpl calculation. */ 9402 cstate->off_linkpl.reg = alloc_reg(cstate); 9403 cstate->off_linkpl.is_variable = 1; 9404 cstate->off_linkpl.constant_part = 0; 9405 9406 s1 = new_stmt(cstate, BPF_STX); 9407 s1->s.k = cstate->off_linkpl.reg; 9408 sappend(s, s1); 9409 s_proto->s.jf = s1; 9410 9411 cstate->off_nl = 0; 9412 9413 return s; 9414 } 9415 9416 /* Check to see if this is a Geneve packet. */ 9417 struct block * 9418 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni) 9419 { 9420 struct block *b0, *b1; 9421 struct slist *s; 9422 9423 /* 9424 * Catch errors reported by us and routines below us, and return NULL 9425 * on an error. 9426 */ 9427 if (setjmp(cstate->top_ctx)) 9428 return (NULL); 9429 9430 b0 = gen_geneve4(cstate, vni, has_vni); 9431 b1 = gen_geneve6(cstate, vni, has_vni); 9432 9433 gen_or(b0, b1); 9434 b0 = b1; 9435 9436 /* Later filters should act on the payload of the Geneve frame, 9437 * update all of the header pointers. Attach this code so that 9438 * it gets executed in the event that the Geneve filter matches. */ 9439 s = gen_geneve_offsets(cstate); 9440 9441 b1 = gen_true(cstate); 9442 sappend(s, b1->stmts); 9443 b1->stmts = s; 9444 9445 gen_and(b0, b1); 9446 9447 cstate->is_geneve = 1; 9448 9449 return b1; 9450 } 9451 9452 /* Check that the encapsulated frame has a link layer header 9453 * for Ethernet filters. */ 9454 static struct block * 9455 gen_geneve_ll_check(compiler_state_t *cstate) 9456 { 9457 struct block *b0; 9458 struct slist *s, *s1; 9459 9460 /* The easiest way to see if there is a link layer present 9461 * is to check if the link layer header and payload are not 9462 * the same. */ 9463 9464 /* Geneve always generates pure variable offsets so we can 9465 * compare only the registers. */ 9466 s = new_stmt(cstate, BPF_LD|BPF_MEM); 9467 s->s.k = cstate->off_linkhdr.reg; 9468 9469 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 9470 s1->s.k = cstate->off_linkpl.reg; 9471 sappend(s, s1); 9472 9473 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 9474 b0->stmts = s; 9475 b0->s.k = 0; 9476 gen_not(b0); 9477 9478 return b0; 9479 } 9480 9481 static struct block * 9482 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield, 9483 bpf_int32 jvalue, bpf_u_int32 jtype, int reverse) 9484 { 9485 struct block *b0; 9486 9487 switch (atmfield) { 9488 9489 case A_VPI: 9490 if (!cstate->is_atm) 9491 bpf_error(cstate, "'vpi' supported only on raw ATM"); 9492 if (cstate->off_vpi == OFFSET_NOT_SET) 9493 abort(); 9494 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 0xffffffff, jtype, 9495 reverse, jvalue); 9496 break; 9497 9498 case A_VCI: 9499 if (!cstate->is_atm) 9500 bpf_error(cstate, "'vci' supported only on raw ATM"); 9501 if (cstate->off_vci == OFFSET_NOT_SET) 9502 abort(); 9503 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 0xffffffff, jtype, 9504 reverse, jvalue); 9505 break; 9506 9507 case A_PROTOTYPE: 9508 if (cstate->off_proto == OFFSET_NOT_SET) 9509 abort(); /* XXX - this isn't on FreeBSD */ 9510 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0x0f, jtype, 9511 reverse, jvalue); 9512 break; 9513 9514 case A_MSGTYPE: 9515 if (cstate->off_payload == OFFSET_NOT_SET) 9516 abort(); 9517 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B, 9518 0xffffffff, jtype, reverse, jvalue); 9519 break; 9520 9521 case A_CALLREFTYPE: 9522 if (!cstate->is_atm) 9523 bpf_error(cstate, "'callref' supported only on raw ATM"); 9524 if (cstate->off_proto == OFFSET_NOT_SET) 9525 abort(); 9526 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0xffffffff, 9527 jtype, reverse, jvalue); 9528 break; 9529 9530 default: 9531 abort(); 9532 } 9533 return b0; 9534 } 9535 9536 static struct block * 9537 gen_atmtype_metac(compiler_state_t *cstate) 9538 { 9539 struct block *b0, *b1; 9540 9541 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9542 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0); 9543 gen_and(b0, b1); 9544 return b1; 9545 } 9546 9547 static struct block * 9548 gen_atmtype_sc(compiler_state_t *cstate) 9549 { 9550 struct block *b0, *b1; 9551 9552 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9553 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0); 9554 gen_and(b0, b1); 9555 return b1; 9556 } 9557 9558 static struct block * 9559 gen_atmtype_llc(compiler_state_t *cstate) 9560 { 9561 struct block *b0; 9562 9563 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 9564 cstate->linktype = cstate->prevlinktype; 9565 return b0; 9566 } 9567 9568 struct block * 9569 gen_atmfield_code(compiler_state_t *cstate, int atmfield, 9570 bpf_int32 jvalue, bpf_u_int32 jtype, int reverse) 9571 { 9572 /* 9573 * Catch errors reported by us and routines below us, and return NULL 9574 * on an error. 9575 */ 9576 if (setjmp(cstate->top_ctx)) 9577 return (NULL); 9578 9579 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype, 9580 reverse); 9581 } 9582 9583 struct block * 9584 gen_atmtype_abbrev(compiler_state_t *cstate, int type) 9585 { 9586 struct block *b0, *b1; 9587 9588 /* 9589 * Catch errors reported by us and routines below us, and return NULL 9590 * on an error. 9591 */ 9592 if (setjmp(cstate->top_ctx)) 9593 return (NULL); 9594 9595 switch (type) { 9596 9597 case A_METAC: 9598 /* Get all packets in Meta signalling Circuit */ 9599 if (!cstate->is_atm) 9600 bpf_error(cstate, "'metac' supported only on raw ATM"); 9601 b1 = gen_atmtype_metac(cstate); 9602 break; 9603 9604 case A_BCC: 9605 /* Get all packets in Broadcast Circuit*/ 9606 if (!cstate->is_atm) 9607 bpf_error(cstate, "'bcc' supported only on raw ATM"); 9608 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9609 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0); 9610 gen_and(b0, b1); 9611 break; 9612 9613 case A_OAMF4SC: 9614 /* Get all cells in Segment OAM F4 circuit*/ 9615 if (!cstate->is_atm) 9616 bpf_error(cstate, "'oam4sc' supported only on raw ATM"); 9617 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9618 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9619 gen_and(b0, b1); 9620 break; 9621 9622 case A_OAMF4EC: 9623 /* Get all cells in End-to-End OAM F4 Circuit*/ 9624 if (!cstate->is_atm) 9625 bpf_error(cstate, "'oam4ec' supported only on raw ATM"); 9626 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9627 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9628 gen_and(b0, b1); 9629 break; 9630 9631 case A_SC: 9632 /* Get all packets in connection Signalling Circuit */ 9633 if (!cstate->is_atm) 9634 bpf_error(cstate, "'sc' supported only on raw ATM"); 9635 b1 = gen_atmtype_sc(cstate); 9636 break; 9637 9638 case A_ILMIC: 9639 /* Get all packets in ILMI Circuit */ 9640 if (!cstate->is_atm) 9641 bpf_error(cstate, "'ilmic' supported only on raw ATM"); 9642 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9643 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0); 9644 gen_and(b0, b1); 9645 break; 9646 9647 case A_LANE: 9648 /* Get all LANE packets */ 9649 if (!cstate->is_atm) 9650 bpf_error(cstate, "'lane' supported only on raw ATM"); 9651 b1 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 9652 9653 /* 9654 * Arrange that all subsequent tests assume LANE 9655 * rather than LLC-encapsulated packets, and set 9656 * the offsets appropriately for LANE-encapsulated 9657 * Ethernet. 9658 * 9659 * We assume LANE means Ethernet, not Token Ring. 9660 */ 9661 PUSH_LINKHDR(cstate, DLT_EN10MB, 0, 9662 cstate->off_payload + 2, /* Ethernet header */ 9663 -1); 9664 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 9665 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */ 9666 cstate->off_nl = 0; /* Ethernet II */ 9667 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 9668 break; 9669 9670 case A_LLC: 9671 /* Get all LLC-encapsulated packets */ 9672 if (!cstate->is_atm) 9673 bpf_error(cstate, "'llc' supported only on raw ATM"); 9674 b1 = gen_atmtype_llc(cstate); 9675 break; 9676 9677 default: 9678 abort(); 9679 } 9680 return b1; 9681 } 9682 9683 /* 9684 * Filtering for MTP2 messages based on li value 9685 * FISU, length is null 9686 * LSSU, length is 1 or 2 9687 * MSU, length is 3 or more 9688 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 9689 */ 9690 struct block * 9691 gen_mtp2type_abbrev(compiler_state_t *cstate, int type) 9692 { 9693 struct block *b0, *b1; 9694 9695 /* 9696 * Catch errors reported by us and routines below us, and return NULL 9697 * on an error. 9698 */ 9699 if (setjmp(cstate->top_ctx)) 9700 return (NULL); 9701 9702 switch (type) { 9703 9704 case M_FISU: 9705 if ( (cstate->linktype != DLT_MTP2) && 9706 (cstate->linktype != DLT_ERF) && 9707 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9708 bpf_error(cstate, "'fisu' supported only on MTP2"); 9709 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 9710 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 9711 break; 9712 9713 case M_LSSU: 9714 if ( (cstate->linktype != DLT_MTP2) && 9715 (cstate->linktype != DLT_ERF) && 9716 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9717 bpf_error(cstate, "'lssu' supported only on MTP2"); 9718 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 9719 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 9720 gen_and(b1, b0); 9721 break; 9722 9723 case M_MSU: 9724 if ( (cstate->linktype != DLT_MTP2) && 9725 (cstate->linktype != DLT_ERF) && 9726 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9727 bpf_error(cstate, "'msu' supported only on MTP2"); 9728 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 9729 break; 9730 9731 case MH_FISU: 9732 if ( (cstate->linktype != DLT_MTP2) && 9733 (cstate->linktype != DLT_ERF) && 9734 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9735 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL"); 9736 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 9737 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 9738 break; 9739 9740 case MH_LSSU: 9741 if ( (cstate->linktype != DLT_MTP2) && 9742 (cstate->linktype != DLT_ERF) && 9743 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9744 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL"); 9745 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 9746 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 9747 gen_and(b1, b0); 9748 break; 9749 9750 case MH_MSU: 9751 if ( (cstate->linktype != DLT_MTP2) && 9752 (cstate->linktype != DLT_ERF) && 9753 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9754 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL"); 9755 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 9756 break; 9757 9758 default: 9759 abort(); 9760 } 9761 return b0; 9762 } 9763 9764 /* 9765 * The jvalue_arg dance is to avoid annoying whining by compilers that 9766 * jvalue might be clobbered by longjmp - yeah, it might, but *WHO CARES*? 9767 * It's not *used* after setjmp returns. 9768 */ 9769 struct block * 9770 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, 9771 bpf_u_int32 jvalue_arg, bpf_u_int32 jtype, int reverse) 9772 { 9773 volatile bpf_u_int32 jvalue = jvalue_arg; 9774 struct block *b0; 9775 bpf_u_int32 val1 , val2 , val3; 9776 u_int newoff_sio; 9777 u_int newoff_opc; 9778 u_int newoff_dpc; 9779 u_int newoff_sls; 9780 9781 /* 9782 * Catch errors reported by us and routines below us, and return NULL 9783 * on an error. 9784 */ 9785 if (setjmp(cstate->top_ctx)) 9786 return (NULL); 9787 9788 newoff_sio = cstate->off_sio; 9789 newoff_opc = cstate->off_opc; 9790 newoff_dpc = cstate->off_dpc; 9791 newoff_sls = cstate->off_sls; 9792 switch (mtp3field) { 9793 9794 case MH_SIO: 9795 newoff_sio += 3; /* offset for MTP2_HSL */ 9796 /* FALLTHROUGH */ 9797 9798 case M_SIO: 9799 if (cstate->off_sio == OFFSET_NOT_SET) 9800 bpf_error(cstate, "'sio' supported only on SS7"); 9801 /* sio coded on 1 byte so max value 255 */ 9802 if(jvalue > 255) 9803 bpf_error(cstate, "sio value %u too big; max value = 255", 9804 jvalue); 9805 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 9806 (u_int)jtype, reverse, (u_int)jvalue); 9807 break; 9808 9809 case MH_OPC: 9810 newoff_opc += 3; 9811 9812 /* FALLTHROUGH */ 9813 case M_OPC: 9814 if (cstate->off_opc == OFFSET_NOT_SET) 9815 bpf_error(cstate, "'opc' supported only on SS7"); 9816 /* opc coded on 14 bits so max value 16383 */ 9817 if (jvalue > 16383) 9818 bpf_error(cstate, "opc value %u too big; max value = 16383", 9819 jvalue); 9820 /* the following instructions are made to convert jvalue 9821 * to the form used to write opc in an ss7 message*/ 9822 val1 = jvalue & 0x00003c00; 9823 val1 = val1 >>10; 9824 val2 = jvalue & 0x000003fc; 9825 val2 = val2 <<6; 9826 val3 = jvalue & 0x00000003; 9827 val3 = val3 <<22; 9828 jvalue = val1 + val2 + val3; 9829 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 9830 (u_int)jtype, reverse, (u_int)jvalue); 9831 break; 9832 9833 case MH_DPC: 9834 newoff_dpc += 3; 9835 /* FALLTHROUGH */ 9836 9837 case M_DPC: 9838 if (cstate->off_dpc == OFFSET_NOT_SET) 9839 bpf_error(cstate, "'dpc' supported only on SS7"); 9840 /* dpc coded on 14 bits so max value 16383 */ 9841 if (jvalue > 16383) 9842 bpf_error(cstate, "dpc value %u too big; max value = 16383", 9843 jvalue); 9844 /* the following instructions are made to convert jvalue 9845 * to the forme used to write dpc in an ss7 message*/ 9846 val1 = jvalue & 0x000000ff; 9847 val1 = val1 << 24; 9848 val2 = jvalue & 0x00003f00; 9849 val2 = val2 << 8; 9850 jvalue = val1 + val2; 9851 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 9852 (u_int)jtype, reverse, (u_int)jvalue); 9853 break; 9854 9855 case MH_SLS: 9856 newoff_sls += 3; 9857 /* FALLTHROUGH */ 9858 9859 case M_SLS: 9860 if (cstate->off_sls == OFFSET_NOT_SET) 9861 bpf_error(cstate, "'sls' supported only on SS7"); 9862 /* sls coded on 4 bits so max value 15 */ 9863 if (jvalue > 15) 9864 bpf_error(cstate, "sls value %u too big; max value = 15", 9865 jvalue); 9866 /* the following instruction is made to convert jvalue 9867 * to the forme used to write sls in an ss7 message*/ 9868 jvalue = jvalue << 4; 9869 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0, 9870 (u_int)jtype,reverse, (u_int)jvalue); 9871 break; 9872 9873 default: 9874 abort(); 9875 } 9876 return b0; 9877 } 9878 9879 static struct block * 9880 gen_msg_abbrev(compiler_state_t *cstate, int type) 9881 { 9882 struct block *b1; 9883 9884 /* 9885 * Q.2931 signalling protocol messages for handling virtual circuits 9886 * establishment and teardown 9887 */ 9888 switch (type) { 9889 9890 case A_SETUP: 9891 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0); 9892 break; 9893 9894 case A_CALLPROCEED: 9895 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 9896 break; 9897 9898 case A_CONNECT: 9899 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0); 9900 break; 9901 9902 case A_CONNECTACK: 9903 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 9904 break; 9905 9906 case A_RELEASE: 9907 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0); 9908 break; 9909 9910 case A_RELEASE_DONE: 9911 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 9912 break; 9913 9914 default: 9915 abort(); 9916 } 9917 return b1; 9918 } 9919 9920 struct block * 9921 gen_atmmulti_abbrev(compiler_state_t *cstate, int type) 9922 { 9923 struct block *b0, *b1; 9924 9925 /* 9926 * Catch errors reported by us and routines below us, and return NULL 9927 * on an error. 9928 */ 9929 if (setjmp(cstate->top_ctx)) 9930 return (NULL); 9931 9932 switch (type) { 9933 9934 case A_OAM: 9935 if (!cstate->is_atm) 9936 bpf_error(cstate, "'oam' supported only on raw ATM"); 9937 /* OAM F4 type */ 9938 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9939 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9940 gen_or(b0, b1); 9941 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9942 gen_and(b0, b1); 9943 break; 9944 9945 case A_OAMF4: 9946 if (!cstate->is_atm) 9947 bpf_error(cstate, "'oamf4' supported only on raw ATM"); 9948 /* OAM F4 type */ 9949 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0); 9950 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0); 9951 gen_or(b0, b1); 9952 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0); 9953 gen_and(b0, b1); 9954 break; 9955 9956 case A_CONNECTMSG: 9957 /* 9958 * Get Q.2931 signalling messages for switched 9959 * virtual connection 9960 */ 9961 if (!cstate->is_atm) 9962 bpf_error(cstate, "'connectmsg' supported only on raw ATM"); 9963 b0 = gen_msg_abbrev(cstate, A_SETUP); 9964 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9965 gen_or(b0, b1); 9966 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9967 gen_or(b0, b1); 9968 b0 = gen_msg_abbrev(cstate, A_CONNECTACK); 9969 gen_or(b0, b1); 9970 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9971 gen_or(b0, b1); 9972 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9973 gen_or(b0, b1); 9974 b0 = gen_atmtype_sc(cstate); 9975 gen_and(b0, b1); 9976 break; 9977 9978 case A_METACONNECT: 9979 if (!cstate->is_atm) 9980 bpf_error(cstate, "'metaconnect' supported only on raw ATM"); 9981 b0 = gen_msg_abbrev(cstate, A_SETUP); 9982 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9983 gen_or(b0, b1); 9984 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9985 gen_or(b0, b1); 9986 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9987 gen_or(b0, b1); 9988 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9989 gen_or(b0, b1); 9990 b0 = gen_atmtype_metac(cstate); 9991 gen_and(b0, b1); 9992 break; 9993 9994 default: 9995 abort(); 9996 } 9997 return b1; 9998 } 9999