1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * $FreeBSD$ 23 */ 24 #ifndef lint 25 static const char rcsid[] _U_ = 26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)"; 27 #endif 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef WIN32 34 #include <pcap-stdinc.h> 35 #else /* WIN32 */ 36 #if HAVE_INTTYPES_H 37 #include <inttypes.h> 38 #elif HAVE_STDINT_H 39 #include <stdint.h> 40 #endif 41 #ifdef HAVE_SYS_BITYPES_H 42 #include <sys/bitypes.h> 43 #endif 44 #include <sys/types.h> 45 #include <sys/socket.h> 46 #endif /* WIN32 */ 47 48 /* 49 * XXX - why was this included even on UNIX? 50 */ 51 #ifdef __MINGW32__ 52 #include "ip6_misc.h" 53 #endif 54 55 #ifndef WIN32 56 57 #ifdef __NetBSD__ 58 #include <sys/param.h> 59 #endif 60 61 #include <netinet/in.h> 62 #include <arpa/inet.h> 63 64 #endif /* WIN32 */ 65 66 #include <stdlib.h> 67 #include <string.h> 68 #include <memory.h> 69 #include <setjmp.h> 70 #include <stdarg.h> 71 72 #ifdef MSDOS 73 #include "pcap-dos.h" 74 #endif 75 76 #include "pcap-int.h" 77 78 #include "ethertype.h" 79 #include "nlpid.h" 80 #include "llc.h" 81 #include "gencode.h" 82 #include "ieee80211.h" 83 #include "atmuni31.h" 84 #include "sunatmpos.h" 85 #include "ppp.h" 86 #include "pcap/sll.h" 87 #include "pcap/ipnet.h" 88 #include "arcnet.h" 89 #ifdef HAVE_NET_PFVAR_H 90 #include <sys/socket.h> 91 #include <net/if.h> 92 #include <net/pfvar.h> 93 #include <net/if_pflog.h> 94 #endif 95 #ifndef offsetof 96 #define offsetof(s, e) ((size_t)&((s *)0)->e) 97 #endif 98 #ifdef INET6 99 #ifndef WIN32 100 #include <netdb.h> /* for "struct addrinfo" */ 101 #endif /* WIN32 */ 102 #endif /*INET6*/ 103 #include <pcap/namedb.h> 104 105 #define ETHERMTU 1500 106 107 #ifndef IPPROTO_SCTP 108 #define IPPROTO_SCTP 132 109 #endif 110 111 #ifdef HAVE_OS_PROTO_H 112 #include "os-proto.h" 113 #endif 114 115 #define JMP(c) ((c)|BPF_JMP|BPF_K) 116 117 /* Locals */ 118 static jmp_buf top_ctx; 119 static pcap_t *bpf_pcap; 120 121 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 122 #ifdef WIN32 123 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 124 #else 125 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 126 #endif 127 128 /* XXX */ 129 #ifdef PCAP_FDDIPAD 130 static int pcap_fddipad; 131 #endif 132 133 /* VARARGS */ 134 void 135 bpf_error(const char *fmt, ...) 136 { 137 va_list ap; 138 139 va_start(ap, fmt); 140 if (bpf_pcap != NULL) 141 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 142 fmt, ap); 143 va_end(ap); 144 longjmp(top_ctx, 1); 145 /* NOTREACHED */ 146 } 147 148 static void init_linktype(pcap_t *); 149 150 static void init_regs(void); 151 static int alloc_reg(void); 152 static void free_reg(int); 153 154 static struct block *root; 155 156 /* 157 * Value passed to gen_load_a() to indicate what the offset argument 158 * is relative to. 159 */ 160 enum e_offrel { 161 OR_PACKET, /* relative to the beginning of the packet */ 162 OR_LINK, /* relative to the beginning of the link-layer header */ 163 OR_MACPL, /* relative to the end of the MAC-layer header */ 164 OR_NET, /* relative to the network-layer header */ 165 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 166 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 167 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 168 }; 169 170 #ifdef INET6 171 /* 172 * As errors are handled by a longjmp, anything allocated must be freed 173 * in the longjmp handler, so it must be reachable from that handler. 174 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 175 * it must be freed with freeaddrinfo(). This variable points to any 176 * addrinfo structure that would need to be freed. 177 */ 178 static struct addrinfo *ai; 179 #endif 180 181 /* 182 * We divy out chunks of memory rather than call malloc each time so 183 * we don't have to worry about leaking memory. It's probably 184 * not a big deal if all this memory was wasted but if this ever 185 * goes into a library that would probably not be a good idea. 186 * 187 * XXX - this *is* in a library.... 188 */ 189 #define NCHUNKS 16 190 #define CHUNK0SIZE 1024 191 struct chunk { 192 u_int n_left; 193 void *m; 194 }; 195 196 static struct chunk chunks[NCHUNKS]; 197 static int cur_chunk; 198 199 static void *newchunk(u_int); 200 static void freechunks(void); 201 static inline struct block *new_block(int); 202 static inline struct slist *new_stmt(int); 203 static struct block *gen_retblk(int); 204 static inline void syntax(void); 205 206 static void backpatch(struct block *, struct block *); 207 static void merge(struct block *, struct block *); 208 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 209 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 210 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 211 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 212 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 213 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 214 bpf_u_int32); 215 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 216 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 217 bpf_u_int32, bpf_u_int32, int, bpf_int32); 218 static struct slist *gen_load_llrel(u_int, u_int); 219 static struct slist *gen_load_macplrel(u_int, u_int); 220 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 221 static struct slist *gen_loadx_iphdrlen(void); 222 static struct block *gen_uncond(int); 223 static inline struct block *gen_true(void); 224 static inline struct block *gen_false(void); 225 static struct block *gen_ether_linktype(int); 226 static struct block *gen_ipnet_linktype(int); 227 static struct block *gen_linux_sll_linktype(int); 228 static struct slist *gen_load_prism_llprefixlen(void); 229 static struct slist *gen_load_avs_llprefixlen(void); 230 static struct slist *gen_load_radiotap_llprefixlen(void); 231 static struct slist *gen_load_ppi_llprefixlen(void); 232 static void insert_compute_vloffsets(struct block *); 233 static struct slist *gen_llprefixlen(void); 234 static struct slist *gen_off_macpl(void); 235 static int ethertype_to_ppptype(int); 236 static struct block *gen_linktype(int); 237 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 238 static struct block *gen_llc_linktype(int); 239 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 240 #ifdef INET6 241 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 242 #endif 243 static struct block *gen_ahostop(const u_char *, int); 244 static struct block *gen_ehostop(const u_char *, int); 245 static struct block *gen_fhostop(const u_char *, int); 246 static struct block *gen_thostop(const u_char *, int); 247 static struct block *gen_wlanhostop(const u_char *, int); 248 static struct block *gen_ipfchostop(const u_char *, int); 249 static struct block *gen_dnhostop(bpf_u_int32, int); 250 static struct block *gen_mpls_linktype(int); 251 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 252 #ifdef INET6 253 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 254 #endif 255 #ifndef INET6 256 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 257 #endif 258 static struct block *gen_ipfrag(void); 259 static struct block *gen_portatom(int, bpf_int32); 260 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 261 #ifdef INET6 262 static struct block *gen_portatom6(int, bpf_int32); 263 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 264 #endif 265 struct block *gen_portop(int, int, int); 266 static struct block *gen_port(int, int, int); 267 struct block *gen_portrangeop(int, int, int, int); 268 static struct block *gen_portrange(int, int, int, int); 269 #ifdef INET6 270 struct block *gen_portop6(int, int, int); 271 static struct block *gen_port6(int, int, int); 272 struct block *gen_portrangeop6(int, int, int, int); 273 static struct block *gen_portrange6(int, int, int, int); 274 #endif 275 static int lookup_proto(const char *, int); 276 static struct block *gen_protochain(int, int, int); 277 static struct block *gen_proto(int, int, int); 278 static struct slist *xfer_to_x(struct arth *); 279 static struct slist *xfer_to_a(struct arth *); 280 static struct block *gen_mac_multicast(int); 281 static struct block *gen_len(int, int); 282 static struct block *gen_check_802_11_data_frame(void); 283 284 static struct block *gen_ppi_dlt_check(void); 285 static struct block *gen_msg_abbrev(int type); 286 287 static void * 288 newchunk(n) 289 u_int n; 290 { 291 struct chunk *cp; 292 int k; 293 size_t size; 294 295 #ifndef __NetBSD__ 296 /* XXX Round up to nearest long. */ 297 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 298 #else 299 /* XXX Round up to structure boundary. */ 300 n = ALIGN(n); 301 #endif 302 303 cp = &chunks[cur_chunk]; 304 if (n > cp->n_left) { 305 ++cp, k = ++cur_chunk; 306 if (k >= NCHUNKS) 307 bpf_error("out of memory"); 308 size = CHUNK0SIZE << k; 309 cp->m = (void *)malloc(size); 310 if (cp->m == NULL) 311 bpf_error("out of memory"); 312 memset((char *)cp->m, 0, size); 313 cp->n_left = size; 314 if (n > size) 315 bpf_error("out of memory"); 316 } 317 cp->n_left -= n; 318 return (void *)((char *)cp->m + cp->n_left); 319 } 320 321 static void 322 freechunks() 323 { 324 int i; 325 326 cur_chunk = 0; 327 for (i = 0; i < NCHUNKS; ++i) 328 if (chunks[i].m != NULL) { 329 free(chunks[i].m); 330 chunks[i].m = NULL; 331 } 332 } 333 334 /* 335 * A strdup whose allocations are freed after code generation is over. 336 */ 337 char * 338 sdup(s) 339 register const char *s; 340 { 341 int n = strlen(s) + 1; 342 char *cp = newchunk(n); 343 344 strlcpy(cp, s, n); 345 return (cp); 346 } 347 348 static inline struct block * 349 new_block(code) 350 int code; 351 { 352 struct block *p; 353 354 p = (struct block *)newchunk(sizeof(*p)); 355 p->s.code = code; 356 p->head = p; 357 358 return p; 359 } 360 361 static inline struct slist * 362 new_stmt(code) 363 int code; 364 { 365 struct slist *p; 366 367 p = (struct slist *)newchunk(sizeof(*p)); 368 p->s.code = code; 369 370 return p; 371 } 372 373 static struct block * 374 gen_retblk(v) 375 int v; 376 { 377 struct block *b = new_block(BPF_RET|BPF_K); 378 379 b->s.k = v; 380 return b; 381 } 382 383 static inline void 384 syntax() 385 { 386 bpf_error("syntax error in filter expression"); 387 } 388 389 static bpf_u_int32 netmask; 390 static int snaplen; 391 int no_optimize; 392 #ifdef WIN32 393 static int 394 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 395 const char *buf, int optimize, bpf_u_int32 mask); 396 397 int 398 pcap_compile(pcap_t *p, struct bpf_program *program, 399 const char *buf, int optimize, bpf_u_int32 mask) 400 { 401 int result; 402 403 EnterCriticalSection(&g_PcapCompileCriticalSection); 404 405 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 406 407 LeaveCriticalSection(&g_PcapCompileCriticalSection); 408 409 return result; 410 } 411 412 static int 413 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 414 const char *buf, int optimize, bpf_u_int32 mask) 415 #else /* WIN32 */ 416 int 417 pcap_compile(pcap_t *p, struct bpf_program *program, 418 const char *buf, int optimize, bpf_u_int32 mask) 419 #endif /* WIN32 */ 420 { 421 extern int n_errors; 422 const char * volatile xbuf = buf; 423 int len; 424 425 no_optimize = 0; 426 n_errors = 0; 427 root = NULL; 428 bpf_pcap = p; 429 init_regs(); 430 if (setjmp(top_ctx)) { 431 #ifdef INET6 432 if (ai != NULL) { 433 freeaddrinfo(ai); 434 ai = NULL; 435 } 436 #endif 437 lex_cleanup(); 438 freechunks(); 439 return (-1); 440 } 441 442 netmask = mask; 443 444 snaplen = pcap_snapshot(p); 445 if (snaplen == 0) { 446 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 447 "snaplen of 0 rejects all packets"); 448 return -1; 449 } 450 451 lex_init(xbuf ? xbuf : ""); 452 init_linktype(p); 453 (void)pcap_parse(); 454 455 if (n_errors) 456 syntax(); 457 458 if (root == NULL) 459 root = gen_retblk(snaplen); 460 461 if (optimize && !no_optimize) { 462 bpf_optimize(&root); 463 if (root == NULL || 464 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 465 bpf_error("expression rejects all packets"); 466 } 467 program->bf_insns = icode_to_fcode(root, &len); 468 program->bf_len = len; 469 470 lex_cleanup(); 471 freechunks(); 472 return (0); 473 } 474 475 /* 476 * entry point for using the compiler with no pcap open 477 * pass in all the stuff that is needed explicitly instead. 478 */ 479 int 480 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 481 struct bpf_program *program, 482 const char *buf, int optimize, bpf_u_int32 mask) 483 { 484 pcap_t *p; 485 int ret; 486 487 p = pcap_open_dead(linktype_arg, snaplen_arg); 488 if (p == NULL) 489 return (-1); 490 ret = pcap_compile(p, program, buf, optimize, mask); 491 pcap_close(p); 492 return (ret); 493 } 494 495 /* 496 * Clean up a "struct bpf_program" by freeing all the memory allocated 497 * in it. 498 */ 499 void 500 pcap_freecode(struct bpf_program *program) 501 { 502 program->bf_len = 0; 503 if (program->bf_insns != NULL) { 504 free((char *)program->bf_insns); 505 program->bf_insns = NULL; 506 } 507 } 508 509 /* 510 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 511 * which of the jt and jf fields has been resolved and which is a pointer 512 * back to another unresolved block (or nil). At least one of the fields 513 * in each block is already resolved. 514 */ 515 static void 516 backpatch(list, target) 517 struct block *list, *target; 518 { 519 struct block *next; 520 521 while (list) { 522 if (!list->sense) { 523 next = JT(list); 524 JT(list) = target; 525 } else { 526 next = JF(list); 527 JF(list) = target; 528 } 529 list = next; 530 } 531 } 532 533 /* 534 * Merge the lists in b0 and b1, using the 'sense' field to indicate 535 * which of jt and jf is the link. 536 */ 537 static void 538 merge(b0, b1) 539 struct block *b0, *b1; 540 { 541 register struct block **p = &b0; 542 543 /* Find end of list. */ 544 while (*p) 545 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 546 547 /* Concatenate the lists. */ 548 *p = b1; 549 } 550 551 void 552 finish_parse(p) 553 struct block *p; 554 { 555 struct block *ppi_dlt_check; 556 557 /* 558 * Insert before the statements of the first (root) block any 559 * statements needed to load the lengths of any variable-length 560 * headers into registers. 561 * 562 * XXX - a fancier strategy would be to insert those before the 563 * statements of all blocks that use those lengths and that 564 * have no predecessors that use them, so that we only compute 565 * the lengths if we need them. There might be even better 566 * approaches than that. 567 * 568 * However, those strategies would be more complicated, and 569 * as we don't generate code to compute a length if the 570 * program has no tests that use the length, and as most 571 * tests will probably use those lengths, we would just 572 * postpone computing the lengths so that it's not done 573 * for tests that fail early, and it's not clear that's 574 * worth the effort. 575 */ 576 insert_compute_vloffsets(p->head); 577 578 /* 579 * For DLT_PPI captures, generate a check of the per-packet 580 * DLT value to make sure it's DLT_IEEE802_11. 581 */ 582 ppi_dlt_check = gen_ppi_dlt_check(); 583 if (ppi_dlt_check != NULL) 584 gen_and(ppi_dlt_check, p); 585 586 backpatch(p, gen_retblk(snaplen)); 587 p->sense = !p->sense; 588 backpatch(p, gen_retblk(0)); 589 root = p->head; 590 } 591 592 void 593 gen_and(b0, b1) 594 struct block *b0, *b1; 595 { 596 backpatch(b0, b1->head); 597 b0->sense = !b0->sense; 598 b1->sense = !b1->sense; 599 merge(b1, b0); 600 b1->sense = !b1->sense; 601 b1->head = b0->head; 602 } 603 604 void 605 gen_or(b0, b1) 606 struct block *b0, *b1; 607 { 608 b0->sense = !b0->sense; 609 backpatch(b0, b1->head); 610 b0->sense = !b0->sense; 611 merge(b1, b0); 612 b1->head = b0->head; 613 } 614 615 void 616 gen_not(b) 617 struct block *b; 618 { 619 b->sense = !b->sense; 620 } 621 622 static struct block * 623 gen_cmp(offrel, offset, size, v) 624 enum e_offrel offrel; 625 u_int offset, size; 626 bpf_int32 v; 627 { 628 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 629 } 630 631 static struct block * 632 gen_cmp_gt(offrel, offset, size, v) 633 enum e_offrel offrel; 634 u_int offset, size; 635 bpf_int32 v; 636 { 637 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 638 } 639 640 static struct block * 641 gen_cmp_ge(offrel, offset, size, v) 642 enum e_offrel offrel; 643 u_int offset, size; 644 bpf_int32 v; 645 { 646 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 647 } 648 649 static struct block * 650 gen_cmp_lt(offrel, offset, size, v) 651 enum e_offrel offrel; 652 u_int offset, size; 653 bpf_int32 v; 654 { 655 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 656 } 657 658 static struct block * 659 gen_cmp_le(offrel, offset, size, v) 660 enum e_offrel offrel; 661 u_int offset, size; 662 bpf_int32 v; 663 { 664 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 665 } 666 667 static struct block * 668 gen_mcmp(offrel, offset, size, v, mask) 669 enum e_offrel offrel; 670 u_int offset, size; 671 bpf_int32 v; 672 bpf_u_int32 mask; 673 { 674 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 675 } 676 677 static struct block * 678 gen_bcmp(offrel, offset, size, v) 679 enum e_offrel offrel; 680 register u_int offset, size; 681 register const u_char *v; 682 { 683 register struct block *b, *tmp; 684 685 b = NULL; 686 while (size >= 4) { 687 register const u_char *p = &v[size - 4]; 688 bpf_int32 w = ((bpf_int32)p[0] << 24) | 689 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 690 691 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 692 if (b != NULL) 693 gen_and(b, tmp); 694 b = tmp; 695 size -= 4; 696 } 697 while (size >= 2) { 698 register const u_char *p = &v[size - 2]; 699 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 700 701 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 702 if (b != NULL) 703 gen_and(b, tmp); 704 b = tmp; 705 size -= 2; 706 } 707 if (size > 0) { 708 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 709 if (b != NULL) 710 gen_and(b, tmp); 711 b = tmp; 712 } 713 return b; 714 } 715 716 /* 717 * AND the field of size "size" at offset "offset" relative to the header 718 * specified by "offrel" with "mask", and compare it with the value "v" 719 * with the test specified by "jtype"; if "reverse" is true, the test 720 * should test the opposite of "jtype". 721 */ 722 static struct block * 723 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 724 enum e_offrel offrel; 725 bpf_int32 v; 726 bpf_u_int32 offset, size, mask, jtype; 727 int reverse; 728 { 729 struct slist *s, *s2; 730 struct block *b; 731 732 s = gen_load_a(offrel, offset, size); 733 734 if (mask != 0xffffffff) { 735 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 736 s2->s.k = mask; 737 sappend(s, s2); 738 } 739 740 b = new_block(JMP(jtype)); 741 b->stmts = s; 742 b->s.k = v; 743 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 744 gen_not(b); 745 return b; 746 } 747 748 /* 749 * Various code constructs need to know the layout of the data link 750 * layer. These variables give the necessary offsets from the beginning 751 * of the packet data. 752 */ 753 754 /* 755 * This is the offset of the beginning of the link-layer header from 756 * the beginning of the raw packet data. 757 * 758 * It's usually 0, except for 802.11 with a fixed-length radio header. 759 * (For 802.11 with a variable-length radio header, we have to generate 760 * code to compute that offset; off_ll is 0 in that case.) 761 */ 762 static u_int off_ll; 763 764 /* 765 * If there's a variable-length header preceding the link-layer header, 766 * "reg_off_ll" is the register number for a register containing the 767 * length of that header, and therefore the offset of the link-layer 768 * header from the beginning of the raw packet data. Otherwise, 769 * "reg_off_ll" is -1. 770 */ 771 static int reg_off_ll; 772 773 /* 774 * This is the offset of the beginning of the MAC-layer header from 775 * the beginning of the link-layer header. 776 * It's usually 0, except for ATM LANE, where it's the offset, relative 777 * to the beginning of the raw packet data, of the Ethernet header, and 778 * for Ethernet with various additional information. 779 */ 780 static u_int off_mac; 781 782 /* 783 * This is the offset of the beginning of the MAC-layer payload, 784 * from the beginning of the raw packet data. 785 * 786 * I.e., it's the sum of the length of the link-layer header (without, 787 * for example, any 802.2 LLC header, so it's the MAC-layer 788 * portion of that header), plus any prefix preceding the 789 * link-layer header. 790 */ 791 static u_int off_macpl; 792 793 /* 794 * This is 1 if the offset of the beginning of the MAC-layer payload 795 * from the beginning of the link-layer header is variable-length. 796 */ 797 static int off_macpl_is_variable; 798 799 /* 800 * If the link layer has variable_length headers, "reg_off_macpl" 801 * is the register number for a register containing the length of the 802 * link-layer header plus the length of any variable-length header 803 * preceding the link-layer header. Otherwise, "reg_off_macpl" 804 * is -1. 805 */ 806 static int reg_off_macpl; 807 808 /* 809 * "off_linktype" is the offset to information in the link-layer header 810 * giving the packet type. This offset is relative to the beginning 811 * of the link-layer header (i.e., it doesn't include off_ll). 812 * 813 * For Ethernet, it's the offset of the Ethernet type field. 814 * 815 * For link-layer types that always use 802.2 headers, it's the 816 * offset of the LLC header. 817 * 818 * For PPP, it's the offset of the PPP type field. 819 * 820 * For Cisco HDLC, it's the offset of the CHDLC type field. 821 * 822 * For BSD loopback, it's the offset of the AF_ value. 823 * 824 * For Linux cooked sockets, it's the offset of the type field. 825 * 826 * It's set to -1 for no encapsulation, in which case, IP is assumed. 827 */ 828 static u_int off_linktype; 829 830 /* 831 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 832 * checks to check the PPP header, assumed to follow a LAN-style link- 833 * layer header and a PPPoE session header. 834 */ 835 static int is_pppoes = 0; 836 837 /* 838 * TRUE if the link layer includes an ATM pseudo-header. 839 */ 840 static int is_atm = 0; 841 842 /* 843 * TRUE if "lane" appeared in the filter; it causes us to generate 844 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 845 */ 846 static int is_lane = 0; 847 848 /* 849 * These are offsets for the ATM pseudo-header. 850 */ 851 static u_int off_vpi; 852 static u_int off_vci; 853 static u_int off_proto; 854 855 /* 856 * These are offsets for the MTP2 fields. 857 */ 858 static u_int off_li; 859 860 /* 861 * These are offsets for the MTP3 fields. 862 */ 863 static u_int off_sio; 864 static u_int off_opc; 865 static u_int off_dpc; 866 static u_int off_sls; 867 868 /* 869 * This is the offset of the first byte after the ATM pseudo_header, 870 * or -1 if there is no ATM pseudo-header. 871 */ 872 static u_int off_payload; 873 874 /* 875 * These are offsets to the beginning of the network-layer header. 876 * They are relative to the beginning of the MAC-layer payload (i.e., 877 * they don't include off_ll or off_macpl). 878 * 879 * If the link layer never uses 802.2 LLC: 880 * 881 * "off_nl" and "off_nl_nosnap" are the same. 882 * 883 * If the link layer always uses 802.2 LLC: 884 * 885 * "off_nl" is the offset if there's a SNAP header following 886 * the 802.2 header; 887 * 888 * "off_nl_nosnap" is the offset if there's no SNAP header. 889 * 890 * If the link layer is Ethernet: 891 * 892 * "off_nl" is the offset if the packet is an Ethernet II packet 893 * (we assume no 802.3+802.2+SNAP); 894 * 895 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 896 * with an 802.2 header following it. 897 */ 898 static u_int off_nl; 899 static u_int off_nl_nosnap; 900 901 static int linktype; 902 903 static void 904 init_linktype(p) 905 pcap_t *p; 906 { 907 linktype = pcap_datalink(p); 908 #ifdef PCAP_FDDIPAD 909 pcap_fddipad = p->fddipad; 910 #endif 911 912 /* 913 * Assume it's not raw ATM with a pseudo-header, for now. 914 */ 915 off_mac = 0; 916 is_atm = 0; 917 is_lane = 0; 918 off_vpi = -1; 919 off_vci = -1; 920 off_proto = -1; 921 off_payload = -1; 922 923 /* 924 * And that we're not doing PPPoE. 925 */ 926 is_pppoes = 0; 927 928 /* 929 * And assume we're not doing SS7. 930 */ 931 off_li = -1; 932 off_sio = -1; 933 off_opc = -1; 934 off_dpc = -1; 935 off_sls = -1; 936 937 /* 938 * Also assume it's not 802.11. 939 */ 940 off_ll = 0; 941 off_macpl = 0; 942 off_macpl_is_variable = 0; 943 944 orig_linktype = -1; 945 orig_nl = -1; 946 label_stack_depth = 0; 947 948 reg_off_ll = -1; 949 reg_off_macpl = -1; 950 951 switch (linktype) { 952 953 case DLT_ARCNET: 954 off_linktype = 2; 955 off_macpl = 6; 956 off_nl = 0; /* XXX in reality, variable! */ 957 off_nl_nosnap = 0; /* no 802.2 LLC */ 958 return; 959 960 case DLT_ARCNET_LINUX: 961 off_linktype = 4; 962 off_macpl = 8; 963 off_nl = 0; /* XXX in reality, variable! */ 964 off_nl_nosnap = 0; /* no 802.2 LLC */ 965 return; 966 967 case DLT_EN10MB: 968 off_linktype = 12; 969 off_macpl = 14; /* Ethernet header length */ 970 off_nl = 0; /* Ethernet II */ 971 off_nl_nosnap = 3; /* 802.3+802.2 */ 972 return; 973 974 case DLT_SLIP: 975 /* 976 * SLIP doesn't have a link level type. The 16 byte 977 * header is hacked into our SLIP driver. 978 */ 979 off_linktype = -1; 980 off_macpl = 16; 981 off_nl = 0; 982 off_nl_nosnap = 0; /* no 802.2 LLC */ 983 return; 984 985 case DLT_SLIP_BSDOS: 986 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 987 off_linktype = -1; 988 /* XXX end */ 989 off_macpl = 24; 990 off_nl = 0; 991 off_nl_nosnap = 0; /* no 802.2 LLC */ 992 return; 993 994 case DLT_NULL: 995 case DLT_LOOP: 996 off_linktype = 0; 997 off_macpl = 4; 998 off_nl = 0; 999 off_nl_nosnap = 0; /* no 802.2 LLC */ 1000 return; 1001 1002 case DLT_ENC: 1003 off_linktype = 0; 1004 off_macpl = 12; 1005 off_nl = 0; 1006 off_nl_nosnap = 0; /* no 802.2 LLC */ 1007 return; 1008 1009 case DLT_PPP: 1010 case DLT_PPP_PPPD: 1011 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1012 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1013 off_linktype = 2; 1014 off_macpl = 4; 1015 off_nl = 0; 1016 off_nl_nosnap = 0; /* no 802.2 LLC */ 1017 return; 1018 1019 case DLT_PPP_ETHER: 1020 /* 1021 * This does no include the Ethernet header, and 1022 * only covers session state. 1023 */ 1024 off_linktype = 6; 1025 off_macpl = 8; 1026 off_nl = 0; 1027 off_nl_nosnap = 0; /* no 802.2 LLC */ 1028 return; 1029 1030 case DLT_PPP_BSDOS: 1031 off_linktype = 5; 1032 off_macpl = 24; 1033 off_nl = 0; 1034 off_nl_nosnap = 0; /* no 802.2 LLC */ 1035 return; 1036 1037 case DLT_FDDI: 1038 /* 1039 * FDDI doesn't really have a link-level type field. 1040 * We set "off_linktype" to the offset of the LLC header. 1041 * 1042 * To check for Ethernet types, we assume that SSAP = SNAP 1043 * is being used and pick out the encapsulated Ethernet type. 1044 * XXX - should we generate code to check for SNAP? 1045 */ 1046 off_linktype = 13; 1047 #ifdef PCAP_FDDIPAD 1048 off_linktype += pcap_fddipad; 1049 #endif 1050 off_macpl = 13; /* FDDI MAC header length */ 1051 #ifdef PCAP_FDDIPAD 1052 off_macpl += pcap_fddipad; 1053 #endif 1054 off_nl = 8; /* 802.2+SNAP */ 1055 off_nl_nosnap = 3; /* 802.2 */ 1056 return; 1057 1058 case DLT_IEEE802: 1059 /* 1060 * Token Ring doesn't really have a link-level type field. 1061 * We set "off_linktype" to the offset of the LLC header. 1062 * 1063 * To check for Ethernet types, we assume that SSAP = SNAP 1064 * is being used and pick out the encapsulated Ethernet type. 1065 * XXX - should we generate code to check for SNAP? 1066 * 1067 * XXX - the header is actually variable-length. 1068 * Some various Linux patched versions gave 38 1069 * as "off_linktype" and 40 as "off_nl"; however, 1070 * if a token ring packet has *no* routing 1071 * information, i.e. is not source-routed, the correct 1072 * values are 20 and 22, as they are in the vanilla code. 1073 * 1074 * A packet is source-routed iff the uppermost bit 1075 * of the first byte of the source address, at an 1076 * offset of 8, has the uppermost bit set. If the 1077 * packet is source-routed, the total number of bytes 1078 * of routing information is 2 plus bits 0x1F00 of 1079 * the 16-bit value at an offset of 14 (shifted right 1080 * 8 - figure out which byte that is). 1081 */ 1082 off_linktype = 14; 1083 off_macpl = 14; /* Token Ring MAC header length */ 1084 off_nl = 8; /* 802.2+SNAP */ 1085 off_nl_nosnap = 3; /* 802.2 */ 1086 return; 1087 1088 case DLT_IEEE802_11: 1089 case DLT_PRISM_HEADER: 1090 case DLT_IEEE802_11_RADIO_AVS: 1091 case DLT_IEEE802_11_RADIO: 1092 /* 1093 * 802.11 doesn't really have a link-level type field. 1094 * We set "off_linktype" to the offset of the LLC header. 1095 * 1096 * To check for Ethernet types, we assume that SSAP = SNAP 1097 * is being used and pick out the encapsulated Ethernet type. 1098 * XXX - should we generate code to check for SNAP? 1099 * 1100 * We also handle variable-length radio headers here. 1101 * The Prism header is in theory variable-length, but in 1102 * practice it's always 144 bytes long. However, some 1103 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1104 * sometimes or always supply an AVS header, so we 1105 * have to check whether the radio header is a Prism 1106 * header or an AVS header, so, in practice, it's 1107 * variable-length. 1108 */ 1109 off_linktype = 24; 1110 off_macpl = 0; /* link-layer header is variable-length */ 1111 off_macpl_is_variable = 1; 1112 off_nl = 8; /* 802.2+SNAP */ 1113 off_nl_nosnap = 3; /* 802.2 */ 1114 return; 1115 1116 case DLT_PPI: 1117 /* 1118 * At the moment we treat PPI the same way that we treat 1119 * normal Radiotap encoded packets. The difference is in 1120 * the function that generates the code at the beginning 1121 * to compute the header length. Since this code generator 1122 * of PPI supports bare 802.11 encapsulation only (i.e. 1123 * the encapsulated DLT should be DLT_IEEE802_11) we 1124 * generate code to check for this too. 1125 */ 1126 off_linktype = 24; 1127 off_macpl = 0; /* link-layer header is variable-length */ 1128 off_macpl_is_variable = 1; 1129 off_nl = 8; /* 802.2+SNAP */ 1130 off_nl_nosnap = 3; /* 802.2 */ 1131 return; 1132 1133 case DLT_ATM_RFC1483: 1134 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1135 /* 1136 * assume routed, non-ISO PDUs 1137 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1138 * 1139 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1140 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1141 * latter would presumably be treated the way PPPoE 1142 * should be, so you can do "pppoe and udp port 2049" 1143 * or "pppoa and tcp port 80" and have it check for 1144 * PPPo{A,E} and a PPP protocol of IP and.... 1145 */ 1146 off_linktype = 0; 1147 off_macpl = 0; /* packet begins with LLC header */ 1148 off_nl = 8; /* 802.2+SNAP */ 1149 off_nl_nosnap = 3; /* 802.2 */ 1150 return; 1151 1152 case DLT_SUNATM: 1153 /* 1154 * Full Frontal ATM; you get AALn PDUs with an ATM 1155 * pseudo-header. 1156 */ 1157 is_atm = 1; 1158 off_vpi = SUNATM_VPI_POS; 1159 off_vci = SUNATM_VCI_POS; 1160 off_proto = PROTO_POS; 1161 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1162 off_payload = SUNATM_PKT_BEGIN_POS; 1163 off_linktype = off_payload; 1164 off_macpl = off_payload; /* if LLC-encapsulated */ 1165 off_nl = 8; /* 802.2+SNAP */ 1166 off_nl_nosnap = 3; /* 802.2 */ 1167 return; 1168 1169 case DLT_RAW: 1170 case DLT_IPV4: 1171 case DLT_IPV6: 1172 off_linktype = -1; 1173 off_macpl = 0; 1174 off_nl = 0; 1175 off_nl_nosnap = 0; /* no 802.2 LLC */ 1176 return; 1177 1178 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1179 off_linktype = 14; 1180 off_macpl = 16; 1181 off_nl = 0; 1182 off_nl_nosnap = 0; /* no 802.2 LLC */ 1183 return; 1184 1185 case DLT_LTALK: 1186 /* 1187 * LocalTalk does have a 1-byte type field in the LLAP header, 1188 * but really it just indicates whether there is a "short" or 1189 * "long" DDP packet following. 1190 */ 1191 off_linktype = -1; 1192 off_macpl = 0; 1193 off_nl = 0; 1194 off_nl_nosnap = 0; /* no 802.2 LLC */ 1195 return; 1196 1197 case DLT_IP_OVER_FC: 1198 /* 1199 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1200 * link-level type field. We set "off_linktype" to the 1201 * offset of the LLC header. 1202 * 1203 * To check for Ethernet types, we assume that SSAP = SNAP 1204 * is being used and pick out the encapsulated Ethernet type. 1205 * XXX - should we generate code to check for SNAP? RFC 1206 * 2625 says SNAP should be used. 1207 */ 1208 off_linktype = 16; 1209 off_macpl = 16; 1210 off_nl = 8; /* 802.2+SNAP */ 1211 off_nl_nosnap = 3; /* 802.2 */ 1212 return; 1213 1214 case DLT_FRELAY: 1215 /* 1216 * XXX - we should set this to handle SNAP-encapsulated 1217 * frames (NLPID of 0x80). 1218 */ 1219 off_linktype = -1; 1220 off_macpl = 0; 1221 off_nl = 0; 1222 off_nl_nosnap = 0; /* no 802.2 LLC */ 1223 return; 1224 1225 /* 1226 * the only BPF-interesting FRF.16 frames are non-control frames; 1227 * Frame Relay has a variable length link-layer 1228 * so lets start with offset 4 for now and increments later on (FIXME); 1229 */ 1230 case DLT_MFR: 1231 off_linktype = -1; 1232 off_macpl = 0; 1233 off_nl = 4; 1234 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1235 return; 1236 1237 case DLT_APPLE_IP_OVER_IEEE1394: 1238 off_linktype = 16; 1239 off_macpl = 18; 1240 off_nl = 0; 1241 off_nl_nosnap = 0; /* no 802.2 LLC */ 1242 return; 1243 1244 case DLT_SYMANTEC_FIREWALL: 1245 off_linktype = 6; 1246 off_macpl = 44; 1247 off_nl = 0; /* Ethernet II */ 1248 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1249 return; 1250 1251 #ifdef HAVE_NET_PFVAR_H 1252 case DLT_PFLOG: 1253 off_linktype = 0; 1254 off_macpl = PFLOG_HDRLEN; 1255 off_nl = 0; 1256 off_nl_nosnap = 0; /* no 802.2 LLC */ 1257 return; 1258 #endif 1259 1260 case DLT_JUNIPER_MFR: 1261 case DLT_JUNIPER_MLFR: 1262 case DLT_JUNIPER_MLPPP: 1263 case DLT_JUNIPER_PPP: 1264 case DLT_JUNIPER_CHDLC: 1265 case DLT_JUNIPER_FRELAY: 1266 off_linktype = 4; 1267 off_macpl = 4; 1268 off_nl = 0; 1269 off_nl_nosnap = -1; /* no 802.2 LLC */ 1270 return; 1271 1272 case DLT_JUNIPER_ATM1: 1273 off_linktype = 4; /* in reality variable between 4-8 */ 1274 off_macpl = 4; /* in reality variable between 4-8 */ 1275 off_nl = 0; 1276 off_nl_nosnap = 10; 1277 return; 1278 1279 case DLT_JUNIPER_ATM2: 1280 off_linktype = 8; /* in reality variable between 8-12 */ 1281 off_macpl = 8; /* in reality variable between 8-12 */ 1282 off_nl = 0; 1283 off_nl_nosnap = 10; 1284 return; 1285 1286 /* frames captured on a Juniper PPPoE service PIC 1287 * contain raw ethernet frames */ 1288 case DLT_JUNIPER_PPPOE: 1289 case DLT_JUNIPER_ETHER: 1290 off_macpl = 14; 1291 off_linktype = 16; 1292 off_nl = 18; /* Ethernet II */ 1293 off_nl_nosnap = 21; /* 802.3+802.2 */ 1294 return; 1295 1296 case DLT_JUNIPER_PPPOE_ATM: 1297 off_linktype = 4; 1298 off_macpl = 6; 1299 off_nl = 0; 1300 off_nl_nosnap = -1; /* no 802.2 LLC */ 1301 return; 1302 1303 case DLT_JUNIPER_GGSN: 1304 off_linktype = 6; 1305 off_macpl = 12; 1306 off_nl = 0; 1307 off_nl_nosnap = -1; /* no 802.2 LLC */ 1308 return; 1309 1310 case DLT_JUNIPER_ES: 1311 off_linktype = 6; 1312 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1313 off_nl = -1; /* not really a network layer but raw IP addresses */ 1314 off_nl_nosnap = -1; /* no 802.2 LLC */ 1315 return; 1316 1317 case DLT_JUNIPER_MONITOR: 1318 off_linktype = 12; 1319 off_macpl = 12; 1320 off_nl = 0; /* raw IP/IP6 header */ 1321 off_nl_nosnap = -1; /* no 802.2 LLC */ 1322 return; 1323 1324 case DLT_JUNIPER_SERVICES: 1325 off_linktype = 12; 1326 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1327 off_nl = -1; /* L3 proto location dep. on cookie type */ 1328 off_nl_nosnap = -1; /* no 802.2 LLC */ 1329 return; 1330 1331 case DLT_JUNIPER_VP: 1332 off_linktype = 18; 1333 off_macpl = -1; 1334 off_nl = -1; 1335 off_nl_nosnap = -1; 1336 return; 1337 1338 case DLT_JUNIPER_ST: 1339 off_linktype = 18; 1340 off_macpl = -1; 1341 off_nl = -1; 1342 off_nl_nosnap = -1; 1343 return; 1344 1345 case DLT_JUNIPER_ISM: 1346 off_linktype = 8; 1347 off_macpl = -1; 1348 off_nl = -1; 1349 off_nl_nosnap = -1; 1350 return; 1351 1352 case DLT_JUNIPER_VS: 1353 case DLT_JUNIPER_SRX_E2E: 1354 case DLT_JUNIPER_FIBRECHANNEL: 1355 case DLT_JUNIPER_ATM_CEMIC: 1356 off_linktype = 8; 1357 off_macpl = -1; 1358 off_nl = -1; 1359 off_nl_nosnap = -1; 1360 return; 1361 1362 case DLT_MTP2: 1363 off_li = 2; 1364 off_sio = 3; 1365 off_opc = 4; 1366 off_dpc = 4; 1367 off_sls = 7; 1368 off_linktype = -1; 1369 off_macpl = -1; 1370 off_nl = -1; 1371 off_nl_nosnap = -1; 1372 return; 1373 1374 case DLT_MTP2_WITH_PHDR: 1375 off_li = 6; 1376 off_sio = 7; 1377 off_opc = 8; 1378 off_dpc = 8; 1379 off_sls = 11; 1380 off_linktype = -1; 1381 off_macpl = -1; 1382 off_nl = -1; 1383 off_nl_nosnap = -1; 1384 return; 1385 1386 case DLT_ERF: 1387 off_li = 22; 1388 off_sio = 23; 1389 off_opc = 24; 1390 off_dpc = 24; 1391 off_sls = 27; 1392 off_linktype = -1; 1393 off_macpl = -1; 1394 off_nl = -1; 1395 off_nl_nosnap = -1; 1396 return; 1397 1398 #ifdef DLT_PFSYNC 1399 case DLT_PFSYNC: 1400 off_linktype = -1; 1401 off_macpl = 4; 1402 off_nl = 0; 1403 off_nl_nosnap = 0; 1404 return; 1405 #endif 1406 1407 case DLT_AX25_KISS: 1408 /* 1409 * Currently, only raw "link[N:M]" filtering is supported. 1410 */ 1411 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1412 off_macpl = -1; 1413 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1414 off_nl_nosnap = -1; /* no 802.2 LLC */ 1415 off_mac = 1; /* step over the kiss length byte */ 1416 return; 1417 1418 case DLT_IPNET: 1419 off_linktype = 1; 1420 off_macpl = 24; /* ipnet header length */ 1421 off_nl = 0; 1422 off_nl_nosnap = -1; 1423 return; 1424 1425 case DLT_NETANALYZER: 1426 off_mac = 4; /* MAC header is past 4-byte pseudo-header */ 1427 off_linktype = 16; /* includes 4-byte pseudo-header */ 1428 off_macpl = 18; /* pseudo-header+Ethernet header length */ 1429 off_nl = 0; /* Ethernet II */ 1430 off_nl_nosnap = 3; /* 802.3+802.2 */ 1431 return; 1432 1433 case DLT_NETANALYZER_TRANSPARENT: 1434 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1435 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */ 1436 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */ 1437 off_nl = 0; /* Ethernet II */ 1438 off_nl_nosnap = 3; /* 802.3+802.2 */ 1439 return; 1440 1441 default: 1442 /* 1443 * For values in the range in which we've assigned new 1444 * DLT_ values, only raw "link[N:M]" filtering is supported. 1445 */ 1446 if (linktype >= DLT_MATCHING_MIN && 1447 linktype <= DLT_MATCHING_MAX) { 1448 off_linktype = -1; 1449 off_macpl = -1; 1450 off_nl = -1; 1451 off_nl_nosnap = -1; 1452 return; 1453 } 1454 1455 } 1456 bpf_error("unknown data link type %d", linktype); 1457 /* NOTREACHED */ 1458 } 1459 1460 /* 1461 * Load a value relative to the beginning of the link-layer header. 1462 * The link-layer header doesn't necessarily begin at the beginning 1463 * of the packet data; there might be a variable-length prefix containing 1464 * radio information. 1465 */ 1466 static struct slist * 1467 gen_load_llrel(offset, size) 1468 u_int offset, size; 1469 { 1470 struct slist *s, *s2; 1471 1472 s = gen_llprefixlen(); 1473 1474 /* 1475 * If "s" is non-null, it has code to arrange that the X register 1476 * contains the length of the prefix preceding the link-layer 1477 * header. 1478 * 1479 * Otherwise, the length of the prefix preceding the link-layer 1480 * header is "off_ll". 1481 */ 1482 if (s != NULL) { 1483 /* 1484 * There's a variable-length prefix preceding the 1485 * link-layer header. "s" points to a list of statements 1486 * that put the length of that prefix into the X register. 1487 * do an indirect load, to use the X register as an offset. 1488 */ 1489 s2 = new_stmt(BPF_LD|BPF_IND|size); 1490 s2->s.k = offset; 1491 sappend(s, s2); 1492 } else { 1493 /* 1494 * There is no variable-length header preceding the 1495 * link-layer header; add in off_ll, which, if there's 1496 * a fixed-length header preceding the link-layer header, 1497 * is the length of that header. 1498 */ 1499 s = new_stmt(BPF_LD|BPF_ABS|size); 1500 s->s.k = offset + off_ll; 1501 } 1502 return s; 1503 } 1504 1505 /* 1506 * Load a value relative to the beginning of the MAC-layer payload. 1507 */ 1508 static struct slist * 1509 gen_load_macplrel(offset, size) 1510 u_int offset, size; 1511 { 1512 struct slist *s, *s2; 1513 1514 s = gen_off_macpl(); 1515 1516 /* 1517 * If s is non-null, the offset of the MAC-layer payload is 1518 * variable, and s points to a list of instructions that 1519 * arrange that the X register contains that offset. 1520 * 1521 * Otherwise, the offset of the MAC-layer payload is constant, 1522 * and is in off_macpl. 1523 */ 1524 if (s != NULL) { 1525 /* 1526 * The offset of the MAC-layer payload is in the X 1527 * register. Do an indirect load, to use the X register 1528 * as an offset. 1529 */ 1530 s2 = new_stmt(BPF_LD|BPF_IND|size); 1531 s2->s.k = offset; 1532 sappend(s, s2); 1533 } else { 1534 /* 1535 * The offset of the MAC-layer payload is constant, 1536 * and is in off_macpl; load the value at that offset 1537 * plus the specified offset. 1538 */ 1539 s = new_stmt(BPF_LD|BPF_ABS|size); 1540 s->s.k = off_macpl + offset; 1541 } 1542 return s; 1543 } 1544 1545 /* 1546 * Load a value relative to the beginning of the specified header. 1547 */ 1548 static struct slist * 1549 gen_load_a(offrel, offset, size) 1550 enum e_offrel offrel; 1551 u_int offset, size; 1552 { 1553 struct slist *s, *s2; 1554 1555 switch (offrel) { 1556 1557 case OR_PACKET: 1558 s = new_stmt(BPF_LD|BPF_ABS|size); 1559 s->s.k = offset; 1560 break; 1561 1562 case OR_LINK: 1563 s = gen_load_llrel(offset, size); 1564 break; 1565 1566 case OR_MACPL: 1567 s = gen_load_macplrel(offset, size); 1568 break; 1569 1570 case OR_NET: 1571 s = gen_load_macplrel(off_nl + offset, size); 1572 break; 1573 1574 case OR_NET_NOSNAP: 1575 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1576 break; 1577 1578 case OR_TRAN_IPV4: 1579 /* 1580 * Load the X register with the length of the IPv4 header 1581 * (plus the offset of the link-layer header, if it's 1582 * preceded by a variable-length header such as a radio 1583 * header), in bytes. 1584 */ 1585 s = gen_loadx_iphdrlen(); 1586 1587 /* 1588 * Load the item at {offset of the MAC-layer payload} + 1589 * {offset, relative to the start of the MAC-layer 1590 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1591 * {specified offset}. 1592 * 1593 * (If the offset of the MAC-layer payload is variable, 1594 * it's included in the value in the X register, and 1595 * off_macpl is 0.) 1596 */ 1597 s2 = new_stmt(BPF_LD|BPF_IND|size); 1598 s2->s.k = off_macpl + off_nl + offset; 1599 sappend(s, s2); 1600 break; 1601 1602 case OR_TRAN_IPV6: 1603 s = gen_load_macplrel(off_nl + 40 + offset, size); 1604 break; 1605 1606 default: 1607 abort(); 1608 return NULL; 1609 } 1610 return s; 1611 } 1612 1613 /* 1614 * Generate code to load into the X register the sum of the length of 1615 * the IPv4 header and any variable-length header preceding the link-layer 1616 * header. 1617 */ 1618 static struct slist * 1619 gen_loadx_iphdrlen() 1620 { 1621 struct slist *s, *s2; 1622 1623 s = gen_off_macpl(); 1624 if (s != NULL) { 1625 /* 1626 * There's a variable-length prefix preceding the 1627 * link-layer header, or the link-layer header is itself 1628 * variable-length. "s" points to a list of statements 1629 * that put the offset of the MAC-layer payload into 1630 * the X register. 1631 * 1632 * The 4*([k]&0xf) addressing mode can't be used, as we 1633 * don't have a constant offset, so we have to load the 1634 * value in question into the A register and add to it 1635 * the value from the X register. 1636 */ 1637 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1638 s2->s.k = off_nl; 1639 sappend(s, s2); 1640 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1641 s2->s.k = 0xf; 1642 sappend(s, s2); 1643 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1644 s2->s.k = 2; 1645 sappend(s, s2); 1646 1647 /* 1648 * The A register now contains the length of the 1649 * IP header. We need to add to it the offset of 1650 * the MAC-layer payload, which is still in the X 1651 * register, and move the result into the X register. 1652 */ 1653 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1654 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1655 } else { 1656 /* 1657 * There is no variable-length header preceding the 1658 * link-layer header, and the link-layer header is 1659 * fixed-length; load the length of the IPv4 header, 1660 * which is at an offset of off_nl from the beginning 1661 * of the MAC-layer payload, and thus at an offset 1662 * of off_mac_pl + off_nl from the beginning of the 1663 * raw packet data. 1664 */ 1665 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1666 s->s.k = off_macpl + off_nl; 1667 } 1668 return s; 1669 } 1670 1671 static struct block * 1672 gen_uncond(rsense) 1673 int rsense; 1674 { 1675 struct block *b; 1676 struct slist *s; 1677 1678 s = new_stmt(BPF_LD|BPF_IMM); 1679 s->s.k = !rsense; 1680 b = new_block(JMP(BPF_JEQ)); 1681 b->stmts = s; 1682 1683 return b; 1684 } 1685 1686 static inline struct block * 1687 gen_true() 1688 { 1689 return gen_uncond(1); 1690 } 1691 1692 static inline struct block * 1693 gen_false() 1694 { 1695 return gen_uncond(0); 1696 } 1697 1698 /* 1699 * Byte-swap a 32-bit number. 1700 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1701 * big-endian platforms.) 1702 */ 1703 #define SWAPLONG(y) \ 1704 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1705 1706 /* 1707 * Generate code to match a particular packet type. 1708 * 1709 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1710 * value, if <= ETHERMTU. We use that to determine whether to 1711 * match the type/length field or to check the type/length field for 1712 * a value <= ETHERMTU to see whether it's a type field and then do 1713 * the appropriate test. 1714 */ 1715 static struct block * 1716 gen_ether_linktype(proto) 1717 register int proto; 1718 { 1719 struct block *b0, *b1; 1720 1721 switch (proto) { 1722 1723 case LLCSAP_ISONS: 1724 case LLCSAP_IP: 1725 case LLCSAP_NETBEUI: 1726 /* 1727 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1728 * so we check the DSAP and SSAP. 1729 * 1730 * LLCSAP_IP checks for IP-over-802.2, rather 1731 * than IP-over-Ethernet or IP-over-SNAP. 1732 * 1733 * XXX - should we check both the DSAP and the 1734 * SSAP, like this, or should we check just the 1735 * DSAP, as we do for other types <= ETHERMTU 1736 * (i.e., other SAP values)? 1737 */ 1738 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1739 gen_not(b0); 1740 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1741 ((proto << 8) | proto)); 1742 gen_and(b0, b1); 1743 return b1; 1744 1745 case LLCSAP_IPX: 1746 /* 1747 * Check for; 1748 * 1749 * Ethernet_II frames, which are Ethernet 1750 * frames with a frame type of ETHERTYPE_IPX; 1751 * 1752 * Ethernet_802.3 frames, which are 802.3 1753 * frames (i.e., the type/length field is 1754 * a length field, <= ETHERMTU, rather than 1755 * a type field) with the first two bytes 1756 * after the Ethernet/802.3 header being 1757 * 0xFFFF; 1758 * 1759 * Ethernet_802.2 frames, which are 802.3 1760 * frames with an 802.2 LLC header and 1761 * with the IPX LSAP as the DSAP in the LLC 1762 * header; 1763 * 1764 * Ethernet_SNAP frames, which are 802.3 1765 * frames with an LLC header and a SNAP 1766 * header and with an OUI of 0x000000 1767 * (encapsulated Ethernet) and a protocol 1768 * ID of ETHERTYPE_IPX in the SNAP header. 1769 * 1770 * XXX - should we generate the same code both 1771 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1772 */ 1773 1774 /* 1775 * This generates code to check both for the 1776 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1777 */ 1778 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1779 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1780 gen_or(b0, b1); 1781 1782 /* 1783 * Now we add code to check for SNAP frames with 1784 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1785 */ 1786 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1787 gen_or(b0, b1); 1788 1789 /* 1790 * Now we generate code to check for 802.3 1791 * frames in general. 1792 */ 1793 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1794 gen_not(b0); 1795 1796 /* 1797 * Now add the check for 802.3 frames before the 1798 * check for Ethernet_802.2 and Ethernet_802.3, 1799 * as those checks should only be done on 802.3 1800 * frames, not on Ethernet frames. 1801 */ 1802 gen_and(b0, b1); 1803 1804 /* 1805 * Now add the check for Ethernet_II frames, and 1806 * do that before checking for the other frame 1807 * types. 1808 */ 1809 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1810 (bpf_int32)ETHERTYPE_IPX); 1811 gen_or(b0, b1); 1812 return b1; 1813 1814 case ETHERTYPE_ATALK: 1815 case ETHERTYPE_AARP: 1816 /* 1817 * EtherTalk (AppleTalk protocols on Ethernet link 1818 * layer) may use 802.2 encapsulation. 1819 */ 1820 1821 /* 1822 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1823 * we check for an Ethernet type field less than 1824 * 1500, which means it's an 802.3 length field. 1825 */ 1826 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1827 gen_not(b0); 1828 1829 /* 1830 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1831 * SNAP packets with an organization code of 1832 * 0x080007 (Apple, for Appletalk) and a protocol 1833 * type of ETHERTYPE_ATALK (Appletalk). 1834 * 1835 * 802.2-encapsulated ETHERTYPE_AARP packets are 1836 * SNAP packets with an organization code of 1837 * 0x000000 (encapsulated Ethernet) and a protocol 1838 * type of ETHERTYPE_AARP (Appletalk ARP). 1839 */ 1840 if (proto == ETHERTYPE_ATALK) 1841 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1842 else /* proto == ETHERTYPE_AARP */ 1843 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1844 gen_and(b0, b1); 1845 1846 /* 1847 * Check for Ethernet encapsulation (Ethertalk 1848 * phase 1?); we just check for the Ethernet 1849 * protocol type. 1850 */ 1851 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1852 1853 gen_or(b0, b1); 1854 return b1; 1855 1856 default: 1857 if (proto <= ETHERMTU) { 1858 /* 1859 * This is an LLC SAP value, so the frames 1860 * that match would be 802.2 frames. 1861 * Check that the frame is an 802.2 frame 1862 * (i.e., that the length/type field is 1863 * a length field, <= ETHERMTU) and 1864 * then check the DSAP. 1865 */ 1866 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1867 gen_not(b0); 1868 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1869 (bpf_int32)proto); 1870 gen_and(b0, b1); 1871 return b1; 1872 } else { 1873 /* 1874 * This is an Ethernet type, so compare 1875 * the length/type field with it (if 1876 * the frame is an 802.2 frame, the length 1877 * field will be <= ETHERMTU, and, as 1878 * "proto" is > ETHERMTU, this test 1879 * will fail and the frame won't match, 1880 * which is what we want). 1881 */ 1882 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1883 (bpf_int32)proto); 1884 } 1885 } 1886 } 1887 1888 /* 1889 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1890 * or IPv6 then we have an error. 1891 */ 1892 static struct block * 1893 gen_ipnet_linktype(proto) 1894 register int proto; 1895 { 1896 switch (proto) { 1897 1898 case ETHERTYPE_IP: 1899 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1900 (bpf_int32)IPH_AF_INET); 1901 /* NOTREACHED */ 1902 1903 case ETHERTYPE_IPV6: 1904 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1905 (bpf_int32)IPH_AF_INET6); 1906 /* NOTREACHED */ 1907 1908 default: 1909 break; 1910 } 1911 1912 return gen_false(); 1913 } 1914 1915 /* 1916 * Generate code to match a particular packet type. 1917 * 1918 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1919 * value, if <= ETHERMTU. We use that to determine whether to 1920 * match the type field or to check the type field for the special 1921 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1922 */ 1923 static struct block * 1924 gen_linux_sll_linktype(proto) 1925 register int proto; 1926 { 1927 struct block *b0, *b1; 1928 1929 switch (proto) { 1930 1931 case LLCSAP_ISONS: 1932 case LLCSAP_IP: 1933 case LLCSAP_NETBEUI: 1934 /* 1935 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1936 * so we check the DSAP and SSAP. 1937 * 1938 * LLCSAP_IP checks for IP-over-802.2, rather 1939 * than IP-over-Ethernet or IP-over-SNAP. 1940 * 1941 * XXX - should we check both the DSAP and the 1942 * SSAP, like this, or should we check just the 1943 * DSAP, as we do for other types <= ETHERMTU 1944 * (i.e., other SAP values)? 1945 */ 1946 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1947 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1948 ((proto << 8) | proto)); 1949 gen_and(b0, b1); 1950 return b1; 1951 1952 case LLCSAP_IPX: 1953 /* 1954 * Ethernet_II frames, which are Ethernet 1955 * frames with a frame type of ETHERTYPE_IPX; 1956 * 1957 * Ethernet_802.3 frames, which have a frame 1958 * type of LINUX_SLL_P_802_3; 1959 * 1960 * Ethernet_802.2 frames, which are 802.3 1961 * frames with an 802.2 LLC header (i.e, have 1962 * a frame type of LINUX_SLL_P_802_2) and 1963 * with the IPX LSAP as the DSAP in the LLC 1964 * header; 1965 * 1966 * Ethernet_SNAP frames, which are 802.3 1967 * frames with an LLC header and a SNAP 1968 * header and with an OUI of 0x000000 1969 * (encapsulated Ethernet) and a protocol 1970 * ID of ETHERTYPE_IPX in the SNAP header. 1971 * 1972 * First, do the checks on LINUX_SLL_P_802_2 1973 * frames; generate the check for either 1974 * Ethernet_802.2 or Ethernet_SNAP frames, and 1975 * then put a check for LINUX_SLL_P_802_2 frames 1976 * before it. 1977 */ 1978 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1979 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 1980 gen_or(b0, b1); 1981 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1982 gen_and(b0, b1); 1983 1984 /* 1985 * Now check for 802.3 frames and OR that with 1986 * the previous test. 1987 */ 1988 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 1989 gen_or(b0, b1); 1990 1991 /* 1992 * Now add the check for Ethernet_II frames, and 1993 * do that before checking for the other frame 1994 * types. 1995 */ 1996 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1997 (bpf_int32)ETHERTYPE_IPX); 1998 gen_or(b0, b1); 1999 return b1; 2000 2001 case ETHERTYPE_ATALK: 2002 case ETHERTYPE_AARP: 2003 /* 2004 * EtherTalk (AppleTalk protocols on Ethernet link 2005 * layer) may use 802.2 encapsulation. 2006 */ 2007 2008 /* 2009 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2010 * we check for the 802.2 protocol type in the 2011 * "Ethernet type" field. 2012 */ 2013 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2014 2015 /* 2016 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2017 * SNAP packets with an organization code of 2018 * 0x080007 (Apple, for Appletalk) and a protocol 2019 * type of ETHERTYPE_ATALK (Appletalk). 2020 * 2021 * 802.2-encapsulated ETHERTYPE_AARP packets are 2022 * SNAP packets with an organization code of 2023 * 0x000000 (encapsulated Ethernet) and a protocol 2024 * type of ETHERTYPE_AARP (Appletalk ARP). 2025 */ 2026 if (proto == ETHERTYPE_ATALK) 2027 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2028 else /* proto == ETHERTYPE_AARP */ 2029 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2030 gen_and(b0, b1); 2031 2032 /* 2033 * Check for Ethernet encapsulation (Ethertalk 2034 * phase 1?); we just check for the Ethernet 2035 * protocol type. 2036 */ 2037 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2038 2039 gen_or(b0, b1); 2040 return b1; 2041 2042 default: 2043 if (proto <= ETHERMTU) { 2044 /* 2045 * This is an LLC SAP value, so the frames 2046 * that match would be 802.2 frames. 2047 * Check for the 802.2 protocol type 2048 * in the "Ethernet type" field, and 2049 * then check the DSAP. 2050 */ 2051 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2052 LINUX_SLL_P_802_2); 2053 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2054 (bpf_int32)proto); 2055 gen_and(b0, b1); 2056 return b1; 2057 } else { 2058 /* 2059 * This is an Ethernet type, so compare 2060 * the length/type field with it (if 2061 * the frame is an 802.2 frame, the length 2062 * field will be <= ETHERMTU, and, as 2063 * "proto" is > ETHERMTU, this test 2064 * will fail and the frame won't match, 2065 * which is what we want). 2066 */ 2067 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2068 (bpf_int32)proto); 2069 } 2070 } 2071 } 2072 2073 static struct slist * 2074 gen_load_prism_llprefixlen() 2075 { 2076 struct slist *s1, *s2; 2077 struct slist *sjeq_avs_cookie; 2078 struct slist *sjcommon; 2079 2080 /* 2081 * This code is not compatible with the optimizer, as 2082 * we are generating jmp instructions within a normal 2083 * slist of instructions 2084 */ 2085 no_optimize = 1; 2086 2087 /* 2088 * Generate code to load the length of the radio header into 2089 * the register assigned to hold that length, if one has been 2090 * assigned. (If one hasn't been assigned, no code we've 2091 * generated uses that prefix, so we don't need to generate any 2092 * code to load it.) 2093 * 2094 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2095 * or always use the AVS header rather than the Prism header. 2096 * We load a 4-byte big-endian value at the beginning of the 2097 * raw packet data, and see whether, when masked with 0xFFFFF000, 2098 * it's equal to 0x80211000. If so, that indicates that it's 2099 * an AVS header (the masked-out bits are the version number). 2100 * Otherwise, it's a Prism header. 2101 * 2102 * XXX - the Prism header is also, in theory, variable-length, 2103 * but no known software generates headers that aren't 144 2104 * bytes long. 2105 */ 2106 if (reg_off_ll != -1) { 2107 /* 2108 * Load the cookie. 2109 */ 2110 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2111 s1->s.k = 0; 2112 2113 /* 2114 * AND it with 0xFFFFF000. 2115 */ 2116 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2117 s2->s.k = 0xFFFFF000; 2118 sappend(s1, s2); 2119 2120 /* 2121 * Compare with 0x80211000. 2122 */ 2123 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2124 sjeq_avs_cookie->s.k = 0x80211000; 2125 sappend(s1, sjeq_avs_cookie); 2126 2127 /* 2128 * If it's AVS: 2129 * 2130 * The 4 bytes at an offset of 4 from the beginning of 2131 * the AVS header are the length of the AVS header. 2132 * That field is big-endian. 2133 */ 2134 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2135 s2->s.k = 4; 2136 sappend(s1, s2); 2137 sjeq_avs_cookie->s.jt = s2; 2138 2139 /* 2140 * Now jump to the code to allocate a register 2141 * into which to save the header length and 2142 * store the length there. (The "jump always" 2143 * instruction needs to have the k field set; 2144 * it's added to the PC, so, as we're jumping 2145 * over a single instruction, it should be 1.) 2146 */ 2147 sjcommon = new_stmt(JMP(BPF_JA)); 2148 sjcommon->s.k = 1; 2149 sappend(s1, sjcommon); 2150 2151 /* 2152 * Now for the code that handles the Prism header. 2153 * Just load the length of the Prism header (144) 2154 * into the A register. Have the test for an AVS 2155 * header branch here if we don't have an AVS header. 2156 */ 2157 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2158 s2->s.k = 144; 2159 sappend(s1, s2); 2160 sjeq_avs_cookie->s.jf = s2; 2161 2162 /* 2163 * Now allocate a register to hold that value and store 2164 * it. The code for the AVS header will jump here after 2165 * loading the length of the AVS header. 2166 */ 2167 s2 = new_stmt(BPF_ST); 2168 s2->s.k = reg_off_ll; 2169 sappend(s1, s2); 2170 sjcommon->s.jf = s2; 2171 2172 /* 2173 * Now move it into the X register. 2174 */ 2175 s2 = new_stmt(BPF_MISC|BPF_TAX); 2176 sappend(s1, s2); 2177 2178 return (s1); 2179 } else 2180 return (NULL); 2181 } 2182 2183 static struct slist * 2184 gen_load_avs_llprefixlen() 2185 { 2186 struct slist *s1, *s2; 2187 2188 /* 2189 * Generate code to load the length of the AVS header into 2190 * the register assigned to hold that length, if one has been 2191 * assigned. (If one hasn't been assigned, no code we've 2192 * generated uses that prefix, so we don't need to generate any 2193 * code to load it.) 2194 */ 2195 if (reg_off_ll != -1) { 2196 /* 2197 * The 4 bytes at an offset of 4 from the beginning of 2198 * the AVS header are the length of the AVS header. 2199 * That field is big-endian. 2200 */ 2201 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2202 s1->s.k = 4; 2203 2204 /* 2205 * Now allocate a register to hold that value and store 2206 * it. 2207 */ 2208 s2 = new_stmt(BPF_ST); 2209 s2->s.k = reg_off_ll; 2210 sappend(s1, s2); 2211 2212 /* 2213 * Now move it into the X register. 2214 */ 2215 s2 = new_stmt(BPF_MISC|BPF_TAX); 2216 sappend(s1, s2); 2217 2218 return (s1); 2219 } else 2220 return (NULL); 2221 } 2222 2223 static struct slist * 2224 gen_load_radiotap_llprefixlen() 2225 { 2226 struct slist *s1, *s2; 2227 2228 /* 2229 * Generate code to load the length of the radiotap header into 2230 * the register assigned to hold that length, if one has been 2231 * assigned. (If one hasn't been assigned, no code we've 2232 * generated uses that prefix, so we don't need to generate any 2233 * code to load it.) 2234 */ 2235 if (reg_off_ll != -1) { 2236 /* 2237 * The 2 bytes at offsets of 2 and 3 from the beginning 2238 * of the radiotap header are the length of the radiotap 2239 * header; unfortunately, it's little-endian, so we have 2240 * to load it a byte at a time and construct the value. 2241 */ 2242 2243 /* 2244 * Load the high-order byte, at an offset of 3, shift it 2245 * left a byte, and put the result in the X register. 2246 */ 2247 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2248 s1->s.k = 3; 2249 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2250 sappend(s1, s2); 2251 s2->s.k = 8; 2252 s2 = new_stmt(BPF_MISC|BPF_TAX); 2253 sappend(s1, s2); 2254 2255 /* 2256 * Load the next byte, at an offset of 2, and OR the 2257 * value from the X register into it. 2258 */ 2259 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2260 sappend(s1, s2); 2261 s2->s.k = 2; 2262 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2263 sappend(s1, s2); 2264 2265 /* 2266 * Now allocate a register to hold that value and store 2267 * it. 2268 */ 2269 s2 = new_stmt(BPF_ST); 2270 s2->s.k = reg_off_ll; 2271 sappend(s1, s2); 2272 2273 /* 2274 * Now move it into the X register. 2275 */ 2276 s2 = new_stmt(BPF_MISC|BPF_TAX); 2277 sappend(s1, s2); 2278 2279 return (s1); 2280 } else 2281 return (NULL); 2282 } 2283 2284 /* 2285 * At the moment we treat PPI as normal Radiotap encoded 2286 * packets. The difference is in the function that generates 2287 * the code at the beginning to compute the header length. 2288 * Since this code generator of PPI supports bare 802.11 2289 * encapsulation only (i.e. the encapsulated DLT should be 2290 * DLT_IEEE802_11) we generate code to check for this too; 2291 * that's done in finish_parse(). 2292 */ 2293 static struct slist * 2294 gen_load_ppi_llprefixlen() 2295 { 2296 struct slist *s1, *s2; 2297 2298 /* 2299 * Generate code to load the length of the radiotap header 2300 * into the register assigned to hold that length, if one has 2301 * been assigned. 2302 */ 2303 if (reg_off_ll != -1) { 2304 /* 2305 * The 2 bytes at offsets of 2 and 3 from the beginning 2306 * of the radiotap header are the length of the radiotap 2307 * header; unfortunately, it's little-endian, so we have 2308 * to load it a byte at a time and construct the value. 2309 */ 2310 2311 /* 2312 * Load the high-order byte, at an offset of 3, shift it 2313 * left a byte, and put the result in the X register. 2314 */ 2315 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2316 s1->s.k = 3; 2317 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2318 sappend(s1, s2); 2319 s2->s.k = 8; 2320 s2 = new_stmt(BPF_MISC|BPF_TAX); 2321 sappend(s1, s2); 2322 2323 /* 2324 * Load the next byte, at an offset of 2, and OR the 2325 * value from the X register into it. 2326 */ 2327 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2328 sappend(s1, s2); 2329 s2->s.k = 2; 2330 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2331 sappend(s1, s2); 2332 2333 /* 2334 * Now allocate a register to hold that value and store 2335 * it. 2336 */ 2337 s2 = new_stmt(BPF_ST); 2338 s2->s.k = reg_off_ll; 2339 sappend(s1, s2); 2340 2341 /* 2342 * Now move it into the X register. 2343 */ 2344 s2 = new_stmt(BPF_MISC|BPF_TAX); 2345 sappend(s1, s2); 2346 2347 return (s1); 2348 } else 2349 return (NULL); 2350 } 2351 2352 /* 2353 * Load a value relative to the beginning of the link-layer header after the 802.11 2354 * header, i.e. LLC_SNAP. 2355 * The link-layer header doesn't necessarily begin at the beginning 2356 * of the packet data; there might be a variable-length prefix containing 2357 * radio information. 2358 */ 2359 static struct slist * 2360 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2361 { 2362 struct slist *s2; 2363 struct slist *sjset_data_frame_1; 2364 struct slist *sjset_data_frame_2; 2365 struct slist *sjset_qos; 2366 struct slist *sjset_radiotap_flags; 2367 struct slist *sjset_radiotap_tsft; 2368 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2369 struct slist *s_roundup; 2370 2371 if (reg_off_macpl == -1) { 2372 /* 2373 * No register has been assigned to the offset of 2374 * the MAC-layer payload, which means nobody needs 2375 * it; don't bother computing it - just return 2376 * what we already have. 2377 */ 2378 return (s); 2379 } 2380 2381 /* 2382 * This code is not compatible with the optimizer, as 2383 * we are generating jmp instructions within a normal 2384 * slist of instructions 2385 */ 2386 no_optimize = 1; 2387 2388 /* 2389 * If "s" is non-null, it has code to arrange that the X register 2390 * contains the length of the prefix preceding the link-layer 2391 * header. 2392 * 2393 * Otherwise, the length of the prefix preceding the link-layer 2394 * header is "off_ll". 2395 */ 2396 if (s == NULL) { 2397 /* 2398 * There is no variable-length header preceding the 2399 * link-layer header. 2400 * 2401 * Load the length of the fixed-length prefix preceding 2402 * the link-layer header (if any) into the X register, 2403 * and store it in the reg_off_macpl register. 2404 * That length is off_ll. 2405 */ 2406 s = new_stmt(BPF_LDX|BPF_IMM); 2407 s->s.k = off_ll; 2408 } 2409 2410 /* 2411 * The X register contains the offset of the beginning of the 2412 * link-layer header; add 24, which is the minimum length 2413 * of the MAC header for a data frame, to that, and store it 2414 * in reg_off_macpl, and then load the Frame Control field, 2415 * which is at the offset in the X register, with an indexed load. 2416 */ 2417 s2 = new_stmt(BPF_MISC|BPF_TXA); 2418 sappend(s, s2); 2419 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2420 s2->s.k = 24; 2421 sappend(s, s2); 2422 s2 = new_stmt(BPF_ST); 2423 s2->s.k = reg_off_macpl; 2424 sappend(s, s2); 2425 2426 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2427 s2->s.k = 0; 2428 sappend(s, s2); 2429 2430 /* 2431 * Check the Frame Control field to see if this is a data frame; 2432 * a data frame has the 0x08 bit (b3) in that field set and the 2433 * 0x04 bit (b2) clear. 2434 */ 2435 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2436 sjset_data_frame_1->s.k = 0x08; 2437 sappend(s, sjset_data_frame_1); 2438 2439 /* 2440 * If b3 is set, test b2, otherwise go to the first statement of 2441 * the rest of the program. 2442 */ 2443 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2444 sjset_data_frame_2->s.k = 0x04; 2445 sappend(s, sjset_data_frame_2); 2446 sjset_data_frame_1->s.jf = snext; 2447 2448 /* 2449 * If b2 is not set, this is a data frame; test the QoS bit. 2450 * Otherwise, go to the first statement of the rest of the 2451 * program. 2452 */ 2453 sjset_data_frame_2->s.jt = snext; 2454 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2455 sjset_qos->s.k = 0x80; /* QoS bit */ 2456 sappend(s, sjset_qos); 2457 2458 /* 2459 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2460 * field. 2461 * Otherwise, go to the first statement of the rest of the 2462 * program. 2463 */ 2464 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2465 s2->s.k = reg_off_macpl; 2466 sappend(s, s2); 2467 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2468 s2->s.k = 2; 2469 sappend(s, s2); 2470 s2 = new_stmt(BPF_ST); 2471 s2->s.k = reg_off_macpl; 2472 sappend(s, s2); 2473 2474 /* 2475 * If we have a radiotap header, look at it to see whether 2476 * there's Atheros padding between the MAC-layer header 2477 * and the payload. 2478 * 2479 * Note: all of the fields in the radiotap header are 2480 * little-endian, so we byte-swap all of the values 2481 * we test against, as they will be loaded as big-endian 2482 * values. 2483 */ 2484 if (linktype == DLT_IEEE802_11_RADIO) { 2485 /* 2486 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2487 * in the presence flag? 2488 */ 2489 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2490 s2->s.k = 4; 2491 sappend(s, s2); 2492 2493 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2494 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2495 sappend(s, sjset_radiotap_flags); 2496 2497 /* 2498 * If not, skip all of this. 2499 */ 2500 sjset_radiotap_flags->s.jf = snext; 2501 2502 /* 2503 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2504 */ 2505 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2506 new_stmt(JMP(BPF_JSET)); 2507 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2508 sappend(s, sjset_radiotap_tsft); 2509 2510 /* 2511 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2512 * at an offset of 16 from the beginning of the raw packet 2513 * data (8 bytes for the radiotap header and 8 bytes for 2514 * the TSFT field). 2515 * 2516 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2517 * is set. 2518 */ 2519 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2520 s2->s.k = 16; 2521 sappend(s, s2); 2522 2523 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2524 sjset_tsft_datapad->s.k = 0x20; 2525 sappend(s, sjset_tsft_datapad); 2526 2527 /* 2528 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2529 * at an offset of 8 from the beginning of the raw packet 2530 * data (8 bytes for the radiotap header). 2531 * 2532 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2533 * is set. 2534 */ 2535 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2536 s2->s.k = 8; 2537 sappend(s, s2); 2538 2539 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2540 sjset_notsft_datapad->s.k = 0x20; 2541 sappend(s, sjset_notsft_datapad); 2542 2543 /* 2544 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2545 * set, round the length of the 802.11 header to 2546 * a multiple of 4. Do that by adding 3 and then 2547 * dividing by and multiplying by 4, which we do by 2548 * ANDing with ~3. 2549 */ 2550 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2551 s_roundup->s.k = reg_off_macpl; 2552 sappend(s, s_roundup); 2553 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2554 s2->s.k = 3; 2555 sappend(s, s2); 2556 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2557 s2->s.k = ~3; 2558 sappend(s, s2); 2559 s2 = new_stmt(BPF_ST); 2560 s2->s.k = reg_off_macpl; 2561 sappend(s, s2); 2562 2563 sjset_tsft_datapad->s.jt = s_roundup; 2564 sjset_tsft_datapad->s.jf = snext; 2565 sjset_notsft_datapad->s.jt = s_roundup; 2566 sjset_notsft_datapad->s.jf = snext; 2567 } else 2568 sjset_qos->s.jf = snext; 2569 2570 return s; 2571 } 2572 2573 static void 2574 insert_compute_vloffsets(b) 2575 struct block *b; 2576 { 2577 struct slist *s; 2578 2579 /* 2580 * For link-layer types that have a variable-length header 2581 * preceding the link-layer header, generate code to load 2582 * the offset of the link-layer header into the register 2583 * assigned to that offset, if any. 2584 */ 2585 switch (linktype) { 2586 2587 case DLT_PRISM_HEADER: 2588 s = gen_load_prism_llprefixlen(); 2589 break; 2590 2591 case DLT_IEEE802_11_RADIO_AVS: 2592 s = gen_load_avs_llprefixlen(); 2593 break; 2594 2595 case DLT_IEEE802_11_RADIO: 2596 s = gen_load_radiotap_llprefixlen(); 2597 break; 2598 2599 case DLT_PPI: 2600 s = gen_load_ppi_llprefixlen(); 2601 break; 2602 2603 default: 2604 s = NULL; 2605 break; 2606 } 2607 2608 /* 2609 * For link-layer types that have a variable-length link-layer 2610 * header, generate code to load the offset of the MAC-layer 2611 * payload into the register assigned to that offset, if any. 2612 */ 2613 switch (linktype) { 2614 2615 case DLT_IEEE802_11: 2616 case DLT_PRISM_HEADER: 2617 case DLT_IEEE802_11_RADIO_AVS: 2618 case DLT_IEEE802_11_RADIO: 2619 case DLT_PPI: 2620 s = gen_load_802_11_header_len(s, b->stmts); 2621 break; 2622 } 2623 2624 /* 2625 * If we have any offset-loading code, append all the 2626 * existing statements in the block to those statements, 2627 * and make the resulting list the list of statements 2628 * for the block. 2629 */ 2630 if (s != NULL) { 2631 sappend(s, b->stmts); 2632 b->stmts = s; 2633 } 2634 } 2635 2636 static struct block * 2637 gen_ppi_dlt_check(void) 2638 { 2639 struct slist *s_load_dlt; 2640 struct block *b; 2641 2642 if (linktype == DLT_PPI) 2643 { 2644 /* Create the statements that check for the DLT 2645 */ 2646 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2647 s_load_dlt->s.k = 4; 2648 2649 b = new_block(JMP(BPF_JEQ)); 2650 2651 b->stmts = s_load_dlt; 2652 b->s.k = SWAPLONG(DLT_IEEE802_11); 2653 } 2654 else 2655 { 2656 b = NULL; 2657 } 2658 2659 return b; 2660 } 2661 2662 static struct slist * 2663 gen_prism_llprefixlen(void) 2664 { 2665 struct slist *s; 2666 2667 if (reg_off_ll == -1) { 2668 /* 2669 * We haven't yet assigned a register for the length 2670 * of the radio header; allocate one. 2671 */ 2672 reg_off_ll = alloc_reg(); 2673 } 2674 2675 /* 2676 * Load the register containing the radio length 2677 * into the X register. 2678 */ 2679 s = new_stmt(BPF_LDX|BPF_MEM); 2680 s->s.k = reg_off_ll; 2681 return s; 2682 } 2683 2684 static struct slist * 2685 gen_avs_llprefixlen(void) 2686 { 2687 struct slist *s; 2688 2689 if (reg_off_ll == -1) { 2690 /* 2691 * We haven't yet assigned a register for the length 2692 * of the AVS header; allocate one. 2693 */ 2694 reg_off_ll = alloc_reg(); 2695 } 2696 2697 /* 2698 * Load the register containing the AVS length 2699 * into the X register. 2700 */ 2701 s = new_stmt(BPF_LDX|BPF_MEM); 2702 s->s.k = reg_off_ll; 2703 return s; 2704 } 2705 2706 static struct slist * 2707 gen_radiotap_llprefixlen(void) 2708 { 2709 struct slist *s; 2710 2711 if (reg_off_ll == -1) { 2712 /* 2713 * We haven't yet assigned a register for the length 2714 * of the radiotap header; allocate one. 2715 */ 2716 reg_off_ll = alloc_reg(); 2717 } 2718 2719 /* 2720 * Load the register containing the radiotap length 2721 * into the X register. 2722 */ 2723 s = new_stmt(BPF_LDX|BPF_MEM); 2724 s->s.k = reg_off_ll; 2725 return s; 2726 } 2727 2728 /* 2729 * At the moment we treat PPI as normal Radiotap encoded 2730 * packets. The difference is in the function that generates 2731 * the code at the beginning to compute the header length. 2732 * Since this code generator of PPI supports bare 802.11 2733 * encapsulation only (i.e. the encapsulated DLT should be 2734 * DLT_IEEE802_11) we generate code to check for this too. 2735 */ 2736 static struct slist * 2737 gen_ppi_llprefixlen(void) 2738 { 2739 struct slist *s; 2740 2741 if (reg_off_ll == -1) { 2742 /* 2743 * We haven't yet assigned a register for the length 2744 * of the radiotap header; allocate one. 2745 */ 2746 reg_off_ll = alloc_reg(); 2747 } 2748 2749 /* 2750 * Load the register containing the PPI length 2751 * into the X register. 2752 */ 2753 s = new_stmt(BPF_LDX|BPF_MEM); 2754 s->s.k = reg_off_ll; 2755 return s; 2756 } 2757 2758 /* 2759 * Generate code to compute the link-layer header length, if necessary, 2760 * putting it into the X register, and to return either a pointer to a 2761 * "struct slist" for the list of statements in that code, or NULL if 2762 * no code is necessary. 2763 */ 2764 static struct slist * 2765 gen_llprefixlen(void) 2766 { 2767 switch (linktype) { 2768 2769 case DLT_PRISM_HEADER: 2770 return gen_prism_llprefixlen(); 2771 2772 case DLT_IEEE802_11_RADIO_AVS: 2773 return gen_avs_llprefixlen(); 2774 2775 case DLT_IEEE802_11_RADIO: 2776 return gen_radiotap_llprefixlen(); 2777 2778 case DLT_PPI: 2779 return gen_ppi_llprefixlen(); 2780 2781 default: 2782 return NULL; 2783 } 2784 } 2785 2786 /* 2787 * Generate code to load the register containing the offset of the 2788 * MAC-layer payload into the X register; if no register for that offset 2789 * has been allocated, allocate it first. 2790 */ 2791 static struct slist * 2792 gen_off_macpl(void) 2793 { 2794 struct slist *s; 2795 2796 if (off_macpl_is_variable) { 2797 if (reg_off_macpl == -1) { 2798 /* 2799 * We haven't yet assigned a register for the offset 2800 * of the MAC-layer payload; allocate one. 2801 */ 2802 reg_off_macpl = alloc_reg(); 2803 } 2804 2805 /* 2806 * Load the register containing the offset of the MAC-layer 2807 * payload into the X register. 2808 */ 2809 s = new_stmt(BPF_LDX|BPF_MEM); 2810 s->s.k = reg_off_macpl; 2811 return s; 2812 } else { 2813 /* 2814 * That offset isn't variable, so we don't need to 2815 * generate any code. 2816 */ 2817 return NULL; 2818 } 2819 } 2820 2821 /* 2822 * Map an Ethernet type to the equivalent PPP type. 2823 */ 2824 static int 2825 ethertype_to_ppptype(proto) 2826 int proto; 2827 { 2828 switch (proto) { 2829 2830 case ETHERTYPE_IP: 2831 proto = PPP_IP; 2832 break; 2833 2834 #ifdef INET6 2835 case ETHERTYPE_IPV6: 2836 proto = PPP_IPV6; 2837 break; 2838 #endif 2839 2840 case ETHERTYPE_DN: 2841 proto = PPP_DECNET; 2842 break; 2843 2844 case ETHERTYPE_ATALK: 2845 proto = PPP_APPLE; 2846 break; 2847 2848 case ETHERTYPE_NS: 2849 proto = PPP_NS; 2850 break; 2851 2852 case LLCSAP_ISONS: 2853 proto = PPP_OSI; 2854 break; 2855 2856 case LLCSAP_8021D: 2857 /* 2858 * I'm assuming the "Bridging PDU"s that go 2859 * over PPP are Spanning Tree Protocol 2860 * Bridging PDUs. 2861 */ 2862 proto = PPP_BRPDU; 2863 break; 2864 2865 case LLCSAP_IPX: 2866 proto = PPP_IPX; 2867 break; 2868 } 2869 return (proto); 2870 } 2871 2872 /* 2873 * Generate code to match a particular packet type by matching the 2874 * link-layer type field or fields in the 802.2 LLC header. 2875 * 2876 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2877 * value, if <= ETHERMTU. 2878 */ 2879 static struct block * 2880 gen_linktype(proto) 2881 register int proto; 2882 { 2883 struct block *b0, *b1, *b2; 2884 2885 /* are we checking MPLS-encapsulated packets? */ 2886 if (label_stack_depth > 0) { 2887 switch (proto) { 2888 case ETHERTYPE_IP: 2889 case PPP_IP: 2890 /* FIXME add other L3 proto IDs */ 2891 return gen_mpls_linktype(Q_IP); 2892 2893 case ETHERTYPE_IPV6: 2894 case PPP_IPV6: 2895 /* FIXME add other L3 proto IDs */ 2896 return gen_mpls_linktype(Q_IPV6); 2897 2898 default: 2899 bpf_error("unsupported protocol over mpls"); 2900 /* NOTREACHED */ 2901 } 2902 } 2903 2904 /* 2905 * Are we testing PPPoE packets? 2906 */ 2907 if (is_pppoes) { 2908 /* 2909 * The PPPoE session header is part of the 2910 * MAC-layer payload, so all references 2911 * should be relative to the beginning of 2912 * that payload. 2913 */ 2914 2915 /* 2916 * We use Ethernet protocol types inside libpcap; 2917 * map them to the corresponding PPP protocol types. 2918 */ 2919 proto = ethertype_to_ppptype(proto); 2920 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2921 } 2922 2923 switch (linktype) { 2924 2925 case DLT_EN10MB: 2926 case DLT_NETANALYZER: 2927 case DLT_NETANALYZER_TRANSPARENT: 2928 return gen_ether_linktype(proto); 2929 /*NOTREACHED*/ 2930 break; 2931 2932 case DLT_C_HDLC: 2933 switch (proto) { 2934 2935 case LLCSAP_ISONS: 2936 proto = (proto << 8 | LLCSAP_ISONS); 2937 /* fall through */ 2938 2939 default: 2940 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2941 (bpf_int32)proto); 2942 /*NOTREACHED*/ 2943 break; 2944 } 2945 break; 2946 2947 case DLT_IEEE802_11: 2948 case DLT_PRISM_HEADER: 2949 case DLT_IEEE802_11_RADIO_AVS: 2950 case DLT_IEEE802_11_RADIO: 2951 case DLT_PPI: 2952 /* 2953 * Check that we have a data frame. 2954 */ 2955 b0 = gen_check_802_11_data_frame(); 2956 2957 /* 2958 * Now check for the specified link-layer type. 2959 */ 2960 b1 = gen_llc_linktype(proto); 2961 gen_and(b0, b1); 2962 return b1; 2963 /*NOTREACHED*/ 2964 break; 2965 2966 case DLT_FDDI: 2967 /* 2968 * XXX - check for asynchronous frames, as per RFC 1103. 2969 */ 2970 return gen_llc_linktype(proto); 2971 /*NOTREACHED*/ 2972 break; 2973 2974 case DLT_IEEE802: 2975 /* 2976 * XXX - check for LLC PDUs, as per IEEE 802.5. 2977 */ 2978 return gen_llc_linktype(proto); 2979 /*NOTREACHED*/ 2980 break; 2981 2982 case DLT_ATM_RFC1483: 2983 case DLT_ATM_CLIP: 2984 case DLT_IP_OVER_FC: 2985 return gen_llc_linktype(proto); 2986 /*NOTREACHED*/ 2987 break; 2988 2989 case DLT_SUNATM: 2990 /* 2991 * If "is_lane" is set, check for a LANE-encapsulated 2992 * version of this protocol, otherwise check for an 2993 * LLC-encapsulated version of this protocol. 2994 * 2995 * We assume LANE means Ethernet, not Token Ring. 2996 */ 2997 if (is_lane) { 2998 /* 2999 * Check that the packet doesn't begin with an 3000 * LE Control marker. (We've already generated 3001 * a test for LANE.) 3002 */ 3003 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3004 0xFF00); 3005 gen_not(b0); 3006 3007 /* 3008 * Now generate an Ethernet test. 3009 */ 3010 b1 = gen_ether_linktype(proto); 3011 gen_and(b0, b1); 3012 return b1; 3013 } else { 3014 /* 3015 * Check for LLC encapsulation and then check the 3016 * protocol. 3017 */ 3018 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3019 b1 = gen_llc_linktype(proto); 3020 gen_and(b0, b1); 3021 return b1; 3022 } 3023 /*NOTREACHED*/ 3024 break; 3025 3026 case DLT_LINUX_SLL: 3027 return gen_linux_sll_linktype(proto); 3028 /*NOTREACHED*/ 3029 break; 3030 3031 case DLT_SLIP: 3032 case DLT_SLIP_BSDOS: 3033 case DLT_RAW: 3034 /* 3035 * These types don't provide any type field; packets 3036 * are always IPv4 or IPv6. 3037 * 3038 * XXX - for IPv4, check for a version number of 4, and, 3039 * for IPv6, check for a version number of 6? 3040 */ 3041 switch (proto) { 3042 3043 case ETHERTYPE_IP: 3044 /* Check for a version number of 4. */ 3045 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3046 #ifdef INET6 3047 case ETHERTYPE_IPV6: 3048 /* Check for a version number of 6. */ 3049 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3050 #endif 3051 3052 default: 3053 return gen_false(); /* always false */ 3054 } 3055 /*NOTREACHED*/ 3056 break; 3057 3058 case DLT_IPV4: 3059 /* 3060 * Raw IPv4, so no type field. 3061 */ 3062 if (proto == ETHERTYPE_IP) 3063 return gen_true(); /* always true */ 3064 3065 /* Checking for something other than IPv4; always false */ 3066 return gen_false(); 3067 /*NOTREACHED*/ 3068 break; 3069 3070 case DLT_IPV6: 3071 /* 3072 * Raw IPv6, so no type field. 3073 */ 3074 #ifdef INET6 3075 if (proto == ETHERTYPE_IPV6) 3076 return gen_true(); /* always true */ 3077 #endif 3078 3079 /* Checking for something other than IPv6; always false */ 3080 return gen_false(); 3081 /*NOTREACHED*/ 3082 break; 3083 3084 case DLT_PPP: 3085 case DLT_PPP_PPPD: 3086 case DLT_PPP_SERIAL: 3087 case DLT_PPP_ETHER: 3088 /* 3089 * We use Ethernet protocol types inside libpcap; 3090 * map them to the corresponding PPP protocol types. 3091 */ 3092 proto = ethertype_to_ppptype(proto); 3093 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3094 /*NOTREACHED*/ 3095 break; 3096 3097 case DLT_PPP_BSDOS: 3098 /* 3099 * We use Ethernet protocol types inside libpcap; 3100 * map them to the corresponding PPP protocol types. 3101 */ 3102 switch (proto) { 3103 3104 case ETHERTYPE_IP: 3105 /* 3106 * Also check for Van Jacobson-compressed IP. 3107 * XXX - do this for other forms of PPP? 3108 */ 3109 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3110 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3111 gen_or(b0, b1); 3112 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3113 gen_or(b1, b0); 3114 return b0; 3115 3116 default: 3117 proto = ethertype_to_ppptype(proto); 3118 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3119 (bpf_int32)proto); 3120 } 3121 /*NOTREACHED*/ 3122 break; 3123 3124 case DLT_NULL: 3125 case DLT_LOOP: 3126 case DLT_ENC: 3127 /* 3128 * For DLT_NULL, the link-layer header is a 32-bit 3129 * word containing an AF_ value in *host* byte order, 3130 * and for DLT_ENC, the link-layer header begins 3131 * with a 32-bit work containing an AF_ value in 3132 * host byte order. 3133 * 3134 * In addition, if we're reading a saved capture file, 3135 * the host byte order in the capture may not be the 3136 * same as the host byte order on this machine. 3137 * 3138 * For DLT_LOOP, the link-layer header is a 32-bit 3139 * word containing an AF_ value in *network* byte order. 3140 * 3141 * XXX - AF_ values may, unfortunately, be platform- 3142 * dependent; for example, FreeBSD's AF_INET6 is 24 3143 * whilst NetBSD's and OpenBSD's is 26. 3144 * 3145 * This means that, when reading a capture file, just 3146 * checking for our AF_INET6 value won't work if the 3147 * capture file came from another OS. 3148 */ 3149 switch (proto) { 3150 3151 case ETHERTYPE_IP: 3152 proto = AF_INET; 3153 break; 3154 3155 #ifdef INET6 3156 case ETHERTYPE_IPV6: 3157 proto = AF_INET6; 3158 break; 3159 #endif 3160 3161 default: 3162 /* 3163 * Not a type on which we support filtering. 3164 * XXX - support those that have AF_ values 3165 * #defined on this platform, at least? 3166 */ 3167 return gen_false(); 3168 } 3169 3170 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3171 /* 3172 * The AF_ value is in host byte order, but 3173 * the BPF interpreter will convert it to 3174 * network byte order. 3175 * 3176 * If this is a save file, and it's from a 3177 * machine with the opposite byte order to 3178 * ours, we byte-swap the AF_ value. 3179 * 3180 * Then we run it through "htonl()", and 3181 * generate code to compare against the result. 3182 */ 3183 if (bpf_pcap->sf.rfile != NULL && 3184 bpf_pcap->sf.swapped) 3185 proto = SWAPLONG(proto); 3186 proto = htonl(proto); 3187 } 3188 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3189 3190 #ifdef HAVE_NET_PFVAR_H 3191 case DLT_PFLOG: 3192 /* 3193 * af field is host byte order in contrast to the rest of 3194 * the packet. 3195 */ 3196 if (proto == ETHERTYPE_IP) 3197 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3198 BPF_B, (bpf_int32)AF_INET)); 3199 #ifdef INET6 3200 else if (proto == ETHERTYPE_IPV6) 3201 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3202 BPF_B, (bpf_int32)AF_INET6)); 3203 #endif /* INET6 */ 3204 else 3205 return gen_false(); 3206 /*NOTREACHED*/ 3207 break; 3208 #endif /* HAVE_NET_PFVAR_H */ 3209 3210 case DLT_ARCNET: 3211 case DLT_ARCNET_LINUX: 3212 /* 3213 * XXX should we check for first fragment if the protocol 3214 * uses PHDS? 3215 */ 3216 switch (proto) { 3217 3218 default: 3219 return gen_false(); 3220 3221 #ifdef INET6 3222 case ETHERTYPE_IPV6: 3223 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3224 (bpf_int32)ARCTYPE_INET6)); 3225 #endif /* INET6 */ 3226 3227 case ETHERTYPE_IP: 3228 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3229 (bpf_int32)ARCTYPE_IP); 3230 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3231 (bpf_int32)ARCTYPE_IP_OLD); 3232 gen_or(b0, b1); 3233 return (b1); 3234 3235 case ETHERTYPE_ARP: 3236 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3237 (bpf_int32)ARCTYPE_ARP); 3238 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3239 (bpf_int32)ARCTYPE_ARP_OLD); 3240 gen_or(b0, b1); 3241 return (b1); 3242 3243 case ETHERTYPE_REVARP: 3244 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3245 (bpf_int32)ARCTYPE_REVARP)); 3246 3247 case ETHERTYPE_ATALK: 3248 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3249 (bpf_int32)ARCTYPE_ATALK)); 3250 } 3251 /*NOTREACHED*/ 3252 break; 3253 3254 case DLT_LTALK: 3255 switch (proto) { 3256 case ETHERTYPE_ATALK: 3257 return gen_true(); 3258 default: 3259 return gen_false(); 3260 } 3261 /*NOTREACHED*/ 3262 break; 3263 3264 case DLT_FRELAY: 3265 /* 3266 * XXX - assumes a 2-byte Frame Relay header with 3267 * DLCI and flags. What if the address is longer? 3268 */ 3269 switch (proto) { 3270 3271 case ETHERTYPE_IP: 3272 /* 3273 * Check for the special NLPID for IP. 3274 */ 3275 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3276 3277 #ifdef INET6 3278 case ETHERTYPE_IPV6: 3279 /* 3280 * Check for the special NLPID for IPv6. 3281 */ 3282 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3283 #endif 3284 3285 case LLCSAP_ISONS: 3286 /* 3287 * Check for several OSI protocols. 3288 * 3289 * Frame Relay packets typically have an OSI 3290 * NLPID at the beginning; we check for each 3291 * of them. 3292 * 3293 * What we check for is the NLPID and a frame 3294 * control field of UI, i.e. 0x03 followed 3295 * by the NLPID. 3296 */ 3297 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3298 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3299 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3300 gen_or(b1, b2); 3301 gen_or(b0, b2); 3302 return b2; 3303 3304 default: 3305 return gen_false(); 3306 } 3307 /*NOTREACHED*/ 3308 break; 3309 3310 case DLT_MFR: 3311 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3312 3313 case DLT_JUNIPER_MFR: 3314 case DLT_JUNIPER_MLFR: 3315 case DLT_JUNIPER_MLPPP: 3316 case DLT_JUNIPER_ATM1: 3317 case DLT_JUNIPER_ATM2: 3318 case DLT_JUNIPER_PPPOE: 3319 case DLT_JUNIPER_PPPOE_ATM: 3320 case DLT_JUNIPER_GGSN: 3321 case DLT_JUNIPER_ES: 3322 case DLT_JUNIPER_MONITOR: 3323 case DLT_JUNIPER_SERVICES: 3324 case DLT_JUNIPER_ETHER: 3325 case DLT_JUNIPER_PPP: 3326 case DLT_JUNIPER_FRELAY: 3327 case DLT_JUNIPER_CHDLC: 3328 case DLT_JUNIPER_VP: 3329 case DLT_JUNIPER_ST: 3330 case DLT_JUNIPER_ISM: 3331 case DLT_JUNIPER_VS: 3332 case DLT_JUNIPER_SRX_E2E: 3333 case DLT_JUNIPER_FIBRECHANNEL: 3334 case DLT_JUNIPER_ATM_CEMIC: 3335 3336 /* just lets verify the magic number for now - 3337 * on ATM we may have up to 6 different encapsulations on the wire 3338 * and need a lot of heuristics to figure out that the payload 3339 * might be; 3340 * 3341 * FIXME encapsulation specific BPF_ filters 3342 */ 3343 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3344 3345 case DLT_IPNET: 3346 return gen_ipnet_linktype(proto); 3347 3348 case DLT_LINUX_IRDA: 3349 bpf_error("IrDA link-layer type filtering not implemented"); 3350 3351 case DLT_DOCSIS: 3352 bpf_error("DOCSIS link-layer type filtering not implemented"); 3353 3354 case DLT_MTP2: 3355 case DLT_MTP2_WITH_PHDR: 3356 bpf_error("MTP2 link-layer type filtering not implemented"); 3357 3358 case DLT_ERF: 3359 bpf_error("ERF link-layer type filtering not implemented"); 3360 3361 #ifdef DLT_PFSYNC 3362 case DLT_PFSYNC: 3363 bpf_error("PFSYNC link-layer type filtering not implemented"); 3364 #endif 3365 3366 case DLT_LINUX_LAPD: 3367 bpf_error("LAPD link-layer type filtering not implemented"); 3368 3369 case DLT_USB: 3370 case DLT_USB_LINUX: 3371 case DLT_USB_LINUX_MMAPPED: 3372 bpf_error("USB link-layer type filtering not implemented"); 3373 3374 case DLT_BLUETOOTH_HCI_H4: 3375 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3376 bpf_error("Bluetooth link-layer type filtering not implemented"); 3377 3378 case DLT_CAN20B: 3379 case DLT_CAN_SOCKETCAN: 3380 bpf_error("CAN link-layer type filtering not implemented"); 3381 3382 case DLT_IEEE802_15_4: 3383 case DLT_IEEE802_15_4_LINUX: 3384 case DLT_IEEE802_15_4_NONASK_PHY: 3385 case DLT_IEEE802_15_4_NOFCS: 3386 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3387 3388 case DLT_IEEE802_16_MAC_CPS_RADIO: 3389 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3390 3391 case DLT_SITA: 3392 bpf_error("SITA link-layer type filtering not implemented"); 3393 3394 case DLT_RAIF1: 3395 bpf_error("RAIF1 link-layer type filtering not implemented"); 3396 3397 case DLT_IPMB: 3398 bpf_error("IPMB link-layer type filtering not implemented"); 3399 3400 case DLT_AX25_KISS: 3401 bpf_error("AX.25 link-layer type filtering not implemented"); 3402 } 3403 3404 /* 3405 * All the types that have no encapsulation should either be 3406 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3407 * all packets are IP packets, or should be handled in some 3408 * special case, if none of them are (if some are and some 3409 * aren't, the lack of encapsulation is a problem, as we'd 3410 * have to find some other way of determining the packet type). 3411 * 3412 * Therefore, if "off_linktype" is -1, there's an error. 3413 */ 3414 if (off_linktype == (u_int)-1) 3415 abort(); 3416 3417 /* 3418 * Any type not handled above should always have an Ethernet 3419 * type at an offset of "off_linktype". 3420 */ 3421 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3422 } 3423 3424 /* 3425 * Check for an LLC SNAP packet with a given organization code and 3426 * protocol type; we check the entire contents of the 802.2 LLC and 3427 * snap headers, checking for DSAP and SSAP of SNAP and a control 3428 * field of 0x03 in the LLC header, and for the specified organization 3429 * code and protocol type in the SNAP header. 3430 */ 3431 static struct block * 3432 gen_snap(orgcode, ptype) 3433 bpf_u_int32 orgcode; 3434 bpf_u_int32 ptype; 3435 { 3436 u_char snapblock[8]; 3437 3438 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3439 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3440 snapblock[2] = 0x03; /* control = UI */ 3441 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3442 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3443 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3444 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3445 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3446 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3447 } 3448 3449 /* 3450 * Generate code to match a particular packet type, for link-layer types 3451 * using 802.2 LLC headers. 3452 * 3453 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3454 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3455 * 3456 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3457 * value, if <= ETHERMTU. We use that to determine whether to 3458 * match the DSAP or both DSAP and LSAP or to check the OUI and 3459 * protocol ID in a SNAP header. 3460 */ 3461 static struct block * 3462 gen_llc_linktype(proto) 3463 int proto; 3464 { 3465 /* 3466 * XXX - handle token-ring variable-length header. 3467 */ 3468 switch (proto) { 3469 3470 case LLCSAP_IP: 3471 case LLCSAP_ISONS: 3472 case LLCSAP_NETBEUI: 3473 /* 3474 * XXX - should we check both the DSAP and the 3475 * SSAP, like this, or should we check just the 3476 * DSAP, as we do for other types <= ETHERMTU 3477 * (i.e., other SAP values)? 3478 */ 3479 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3480 ((proto << 8) | proto)); 3481 3482 case LLCSAP_IPX: 3483 /* 3484 * XXX - are there ever SNAP frames for IPX on 3485 * non-Ethernet 802.x networks? 3486 */ 3487 return gen_cmp(OR_MACPL, 0, BPF_B, 3488 (bpf_int32)LLCSAP_IPX); 3489 3490 case ETHERTYPE_ATALK: 3491 /* 3492 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3493 * SNAP packets with an organization code of 3494 * 0x080007 (Apple, for Appletalk) and a protocol 3495 * type of ETHERTYPE_ATALK (Appletalk). 3496 * 3497 * XXX - check for an organization code of 3498 * encapsulated Ethernet as well? 3499 */ 3500 return gen_snap(0x080007, ETHERTYPE_ATALK); 3501 3502 default: 3503 /* 3504 * XXX - we don't have to check for IPX 802.3 3505 * here, but should we check for the IPX Ethertype? 3506 */ 3507 if (proto <= ETHERMTU) { 3508 /* 3509 * This is an LLC SAP value, so check 3510 * the DSAP. 3511 */ 3512 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3513 } else { 3514 /* 3515 * This is an Ethernet type; we assume that it's 3516 * unlikely that it'll appear in the right place 3517 * at random, and therefore check only the 3518 * location that would hold the Ethernet type 3519 * in a SNAP frame with an organization code of 3520 * 0x000000 (encapsulated Ethernet). 3521 * 3522 * XXX - if we were to check for the SNAP DSAP and 3523 * LSAP, as per XXX, and were also to check for an 3524 * organization code of 0x000000 (encapsulated 3525 * Ethernet), we'd do 3526 * 3527 * return gen_snap(0x000000, proto); 3528 * 3529 * here; for now, we don't, as per the above. 3530 * I don't know whether it's worth the extra CPU 3531 * time to do the right check or not. 3532 */ 3533 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3534 } 3535 } 3536 } 3537 3538 static struct block * 3539 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3540 bpf_u_int32 addr; 3541 bpf_u_int32 mask; 3542 int dir, proto; 3543 u_int src_off, dst_off; 3544 { 3545 struct block *b0, *b1; 3546 u_int offset; 3547 3548 switch (dir) { 3549 3550 case Q_SRC: 3551 offset = src_off; 3552 break; 3553 3554 case Q_DST: 3555 offset = dst_off; 3556 break; 3557 3558 case Q_AND: 3559 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3560 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3561 gen_and(b0, b1); 3562 return b1; 3563 3564 case Q_OR: 3565 case Q_DEFAULT: 3566 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3567 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3568 gen_or(b0, b1); 3569 return b1; 3570 3571 default: 3572 abort(); 3573 } 3574 b0 = gen_linktype(proto); 3575 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3576 gen_and(b0, b1); 3577 return b1; 3578 } 3579 3580 #ifdef INET6 3581 static struct block * 3582 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3583 struct in6_addr *addr; 3584 struct in6_addr *mask; 3585 int dir, proto; 3586 u_int src_off, dst_off; 3587 { 3588 struct block *b0, *b1; 3589 u_int offset; 3590 u_int32_t *a, *m; 3591 3592 switch (dir) { 3593 3594 case Q_SRC: 3595 offset = src_off; 3596 break; 3597 3598 case Q_DST: 3599 offset = dst_off; 3600 break; 3601 3602 case Q_AND: 3603 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3604 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3605 gen_and(b0, b1); 3606 return b1; 3607 3608 case Q_OR: 3609 case Q_DEFAULT: 3610 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3611 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3612 gen_or(b0, b1); 3613 return b1; 3614 3615 default: 3616 abort(); 3617 } 3618 /* this order is important */ 3619 a = (u_int32_t *)addr; 3620 m = (u_int32_t *)mask; 3621 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3622 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3623 gen_and(b0, b1); 3624 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3625 gen_and(b0, b1); 3626 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3627 gen_and(b0, b1); 3628 b0 = gen_linktype(proto); 3629 gen_and(b0, b1); 3630 return b1; 3631 } 3632 #endif /*INET6*/ 3633 3634 static struct block * 3635 gen_ehostop(eaddr, dir) 3636 register const u_char *eaddr; 3637 register int dir; 3638 { 3639 register struct block *b0, *b1; 3640 3641 switch (dir) { 3642 case Q_SRC: 3643 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3644 3645 case Q_DST: 3646 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3647 3648 case Q_AND: 3649 b0 = gen_ehostop(eaddr, Q_SRC); 3650 b1 = gen_ehostop(eaddr, Q_DST); 3651 gen_and(b0, b1); 3652 return b1; 3653 3654 case Q_DEFAULT: 3655 case Q_OR: 3656 b0 = gen_ehostop(eaddr, Q_SRC); 3657 b1 = gen_ehostop(eaddr, Q_DST); 3658 gen_or(b0, b1); 3659 return b1; 3660 3661 case Q_ADDR1: 3662 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3663 break; 3664 3665 case Q_ADDR2: 3666 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3667 break; 3668 3669 case Q_ADDR3: 3670 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3671 break; 3672 3673 case Q_ADDR4: 3674 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3675 break; 3676 3677 case Q_RA: 3678 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3679 break; 3680 3681 case Q_TA: 3682 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3683 break; 3684 } 3685 abort(); 3686 /* NOTREACHED */ 3687 } 3688 3689 /* 3690 * Like gen_ehostop, but for DLT_FDDI 3691 */ 3692 static struct block * 3693 gen_fhostop(eaddr, dir) 3694 register const u_char *eaddr; 3695 register int dir; 3696 { 3697 struct block *b0, *b1; 3698 3699 switch (dir) { 3700 case Q_SRC: 3701 #ifdef PCAP_FDDIPAD 3702 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3703 #else 3704 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 3705 #endif 3706 3707 case Q_DST: 3708 #ifdef PCAP_FDDIPAD 3709 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3710 #else 3711 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 3712 #endif 3713 3714 case Q_AND: 3715 b0 = gen_fhostop(eaddr, Q_SRC); 3716 b1 = gen_fhostop(eaddr, Q_DST); 3717 gen_and(b0, b1); 3718 return b1; 3719 3720 case Q_DEFAULT: 3721 case Q_OR: 3722 b0 = gen_fhostop(eaddr, Q_SRC); 3723 b1 = gen_fhostop(eaddr, Q_DST); 3724 gen_or(b0, b1); 3725 return b1; 3726 3727 case Q_ADDR1: 3728 bpf_error("'addr1' is only supported on 802.11"); 3729 break; 3730 3731 case Q_ADDR2: 3732 bpf_error("'addr2' is only supported on 802.11"); 3733 break; 3734 3735 case Q_ADDR3: 3736 bpf_error("'addr3' is only supported on 802.11"); 3737 break; 3738 3739 case Q_ADDR4: 3740 bpf_error("'addr4' is only supported on 802.11"); 3741 break; 3742 3743 case Q_RA: 3744 bpf_error("'ra' is only supported on 802.11"); 3745 break; 3746 3747 case Q_TA: 3748 bpf_error("'ta' is only supported on 802.11"); 3749 break; 3750 } 3751 abort(); 3752 /* NOTREACHED */ 3753 } 3754 3755 /* 3756 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3757 */ 3758 static struct block * 3759 gen_thostop(eaddr, dir) 3760 register const u_char *eaddr; 3761 register int dir; 3762 { 3763 register struct block *b0, *b1; 3764 3765 switch (dir) { 3766 case Q_SRC: 3767 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3768 3769 case Q_DST: 3770 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3771 3772 case Q_AND: 3773 b0 = gen_thostop(eaddr, Q_SRC); 3774 b1 = gen_thostop(eaddr, Q_DST); 3775 gen_and(b0, b1); 3776 return b1; 3777 3778 case Q_DEFAULT: 3779 case Q_OR: 3780 b0 = gen_thostop(eaddr, Q_SRC); 3781 b1 = gen_thostop(eaddr, Q_DST); 3782 gen_or(b0, b1); 3783 return b1; 3784 3785 case Q_ADDR1: 3786 bpf_error("'addr1' is only supported on 802.11"); 3787 break; 3788 3789 case Q_ADDR2: 3790 bpf_error("'addr2' is only supported on 802.11"); 3791 break; 3792 3793 case Q_ADDR3: 3794 bpf_error("'addr3' is only supported on 802.11"); 3795 break; 3796 3797 case Q_ADDR4: 3798 bpf_error("'addr4' is only supported on 802.11"); 3799 break; 3800 3801 case Q_RA: 3802 bpf_error("'ra' is only supported on 802.11"); 3803 break; 3804 3805 case Q_TA: 3806 bpf_error("'ta' is only supported on 802.11"); 3807 break; 3808 } 3809 abort(); 3810 /* NOTREACHED */ 3811 } 3812 3813 /* 3814 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3815 * various 802.11 + radio headers. 3816 */ 3817 static struct block * 3818 gen_wlanhostop(eaddr, dir) 3819 register const u_char *eaddr; 3820 register int dir; 3821 { 3822 register struct block *b0, *b1, *b2; 3823 register struct slist *s; 3824 3825 #ifdef ENABLE_WLAN_FILTERING_PATCH 3826 /* 3827 * TODO GV 20070613 3828 * We need to disable the optimizer because the optimizer is buggy 3829 * and wipes out some LD instructions generated by the below 3830 * code to validate the Frame Control bits 3831 */ 3832 no_optimize = 1; 3833 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3834 3835 switch (dir) { 3836 case Q_SRC: 3837 /* 3838 * Oh, yuk. 3839 * 3840 * For control frames, there is no SA. 3841 * 3842 * For management frames, SA is at an 3843 * offset of 10 from the beginning of 3844 * the packet. 3845 * 3846 * For data frames, SA is at an offset 3847 * of 10 from the beginning of the packet 3848 * if From DS is clear, at an offset of 3849 * 16 from the beginning of the packet 3850 * if From DS is set and To DS is clear, 3851 * and an offset of 24 from the beginning 3852 * of the packet if From DS is set and To DS 3853 * is set. 3854 */ 3855 3856 /* 3857 * Generate the tests to be done for data frames 3858 * with From DS set. 3859 * 3860 * First, check for To DS set, i.e. check "link[1] & 0x01". 3861 */ 3862 s = gen_load_a(OR_LINK, 1, BPF_B); 3863 b1 = new_block(JMP(BPF_JSET)); 3864 b1->s.k = 0x01; /* To DS */ 3865 b1->stmts = s; 3866 3867 /* 3868 * If To DS is set, the SA is at 24. 3869 */ 3870 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3871 gen_and(b1, b0); 3872 3873 /* 3874 * Now, check for To DS not set, i.e. check 3875 * "!(link[1] & 0x01)". 3876 */ 3877 s = gen_load_a(OR_LINK, 1, BPF_B); 3878 b2 = new_block(JMP(BPF_JSET)); 3879 b2->s.k = 0x01; /* To DS */ 3880 b2->stmts = s; 3881 gen_not(b2); 3882 3883 /* 3884 * If To DS is not set, the SA is at 16. 3885 */ 3886 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3887 gen_and(b2, b1); 3888 3889 /* 3890 * Now OR together the last two checks. That gives 3891 * the complete set of checks for data frames with 3892 * From DS set. 3893 */ 3894 gen_or(b1, b0); 3895 3896 /* 3897 * Now check for From DS being set, and AND that with 3898 * the ORed-together checks. 3899 */ 3900 s = gen_load_a(OR_LINK, 1, BPF_B); 3901 b1 = new_block(JMP(BPF_JSET)); 3902 b1->s.k = 0x02; /* From DS */ 3903 b1->stmts = s; 3904 gen_and(b1, b0); 3905 3906 /* 3907 * Now check for data frames with From DS not set. 3908 */ 3909 s = gen_load_a(OR_LINK, 1, BPF_B); 3910 b2 = new_block(JMP(BPF_JSET)); 3911 b2->s.k = 0x02; /* From DS */ 3912 b2->stmts = s; 3913 gen_not(b2); 3914 3915 /* 3916 * If From DS isn't set, the SA is at 10. 3917 */ 3918 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3919 gen_and(b2, b1); 3920 3921 /* 3922 * Now OR together the checks for data frames with 3923 * From DS not set and for data frames with From DS 3924 * set; that gives the checks done for data frames. 3925 */ 3926 gen_or(b1, b0); 3927 3928 /* 3929 * Now check for a data frame. 3930 * I.e, check "link[0] & 0x08". 3931 */ 3932 s = gen_load_a(OR_LINK, 0, BPF_B); 3933 b1 = new_block(JMP(BPF_JSET)); 3934 b1->s.k = 0x08; 3935 b1->stmts = s; 3936 3937 /* 3938 * AND that with the checks done for data frames. 3939 */ 3940 gen_and(b1, b0); 3941 3942 /* 3943 * If the high-order bit of the type value is 0, this 3944 * is a management frame. 3945 * I.e, check "!(link[0] & 0x08)". 3946 */ 3947 s = gen_load_a(OR_LINK, 0, BPF_B); 3948 b2 = new_block(JMP(BPF_JSET)); 3949 b2->s.k = 0x08; 3950 b2->stmts = s; 3951 gen_not(b2); 3952 3953 /* 3954 * For management frames, the SA is at 10. 3955 */ 3956 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3957 gen_and(b2, b1); 3958 3959 /* 3960 * OR that with the checks done for data frames. 3961 * That gives the checks done for management and 3962 * data frames. 3963 */ 3964 gen_or(b1, b0); 3965 3966 /* 3967 * If the low-order bit of the type value is 1, 3968 * this is either a control frame or a frame 3969 * with a reserved type, and thus not a 3970 * frame with an SA. 3971 * 3972 * I.e., check "!(link[0] & 0x04)". 3973 */ 3974 s = gen_load_a(OR_LINK, 0, BPF_B); 3975 b1 = new_block(JMP(BPF_JSET)); 3976 b1->s.k = 0x04; 3977 b1->stmts = s; 3978 gen_not(b1); 3979 3980 /* 3981 * AND that with the checks for data and management 3982 * frames. 3983 */ 3984 gen_and(b1, b0); 3985 return b0; 3986 3987 case Q_DST: 3988 /* 3989 * Oh, yuk. 3990 * 3991 * For control frames, there is no DA. 3992 * 3993 * For management frames, DA is at an 3994 * offset of 4 from the beginning of 3995 * the packet. 3996 * 3997 * For data frames, DA is at an offset 3998 * of 4 from the beginning of the packet 3999 * if To DS is clear and at an offset of 4000 * 16 from the beginning of the packet 4001 * if To DS is set. 4002 */ 4003 4004 /* 4005 * Generate the tests to be done for data frames. 4006 * 4007 * First, check for To DS set, i.e. "link[1] & 0x01". 4008 */ 4009 s = gen_load_a(OR_LINK, 1, BPF_B); 4010 b1 = new_block(JMP(BPF_JSET)); 4011 b1->s.k = 0x01; /* To DS */ 4012 b1->stmts = s; 4013 4014 /* 4015 * If To DS is set, the DA is at 16. 4016 */ 4017 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4018 gen_and(b1, b0); 4019 4020 /* 4021 * Now, check for To DS not set, i.e. check 4022 * "!(link[1] & 0x01)". 4023 */ 4024 s = gen_load_a(OR_LINK, 1, BPF_B); 4025 b2 = new_block(JMP(BPF_JSET)); 4026 b2->s.k = 0x01; /* To DS */ 4027 b2->stmts = s; 4028 gen_not(b2); 4029 4030 /* 4031 * If To DS is not set, the DA is at 4. 4032 */ 4033 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4034 gen_and(b2, b1); 4035 4036 /* 4037 * Now OR together the last two checks. That gives 4038 * the complete set of checks for data frames. 4039 */ 4040 gen_or(b1, b0); 4041 4042 /* 4043 * Now check for a data frame. 4044 * I.e, check "link[0] & 0x08". 4045 */ 4046 s = gen_load_a(OR_LINK, 0, BPF_B); 4047 b1 = new_block(JMP(BPF_JSET)); 4048 b1->s.k = 0x08; 4049 b1->stmts = s; 4050 4051 /* 4052 * AND that with the checks done for data frames. 4053 */ 4054 gen_and(b1, b0); 4055 4056 /* 4057 * If the high-order bit of the type value is 0, this 4058 * is a management frame. 4059 * I.e, check "!(link[0] & 0x08)". 4060 */ 4061 s = gen_load_a(OR_LINK, 0, BPF_B); 4062 b2 = new_block(JMP(BPF_JSET)); 4063 b2->s.k = 0x08; 4064 b2->stmts = s; 4065 gen_not(b2); 4066 4067 /* 4068 * For management frames, the DA is at 4. 4069 */ 4070 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4071 gen_and(b2, b1); 4072 4073 /* 4074 * OR that with the checks done for data frames. 4075 * That gives the checks done for management and 4076 * data frames. 4077 */ 4078 gen_or(b1, b0); 4079 4080 /* 4081 * If the low-order bit of the type value is 1, 4082 * this is either a control frame or a frame 4083 * with a reserved type, and thus not a 4084 * frame with an SA. 4085 * 4086 * I.e., check "!(link[0] & 0x04)". 4087 */ 4088 s = gen_load_a(OR_LINK, 0, BPF_B); 4089 b1 = new_block(JMP(BPF_JSET)); 4090 b1->s.k = 0x04; 4091 b1->stmts = s; 4092 gen_not(b1); 4093 4094 /* 4095 * AND that with the checks for data and management 4096 * frames. 4097 */ 4098 gen_and(b1, b0); 4099 return b0; 4100 4101 case Q_RA: 4102 /* 4103 * Not present in management frames; addr1 in other 4104 * frames. 4105 */ 4106 4107 /* 4108 * If the high-order bit of the type value is 0, this 4109 * is a management frame. 4110 * I.e, check "(link[0] & 0x08)". 4111 */ 4112 s = gen_load_a(OR_LINK, 0, BPF_B); 4113 b1 = new_block(JMP(BPF_JSET)); 4114 b1->s.k = 0x08; 4115 b1->stmts = s; 4116 4117 /* 4118 * Check addr1. 4119 */ 4120 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4121 4122 /* 4123 * AND that with the check of addr1. 4124 */ 4125 gen_and(b1, b0); 4126 return (b0); 4127 4128 case Q_TA: 4129 /* 4130 * Not present in management frames; addr2, if present, 4131 * in other frames. 4132 */ 4133 4134 /* 4135 * Not present in CTS or ACK control frames. 4136 */ 4137 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4138 IEEE80211_FC0_TYPE_MASK); 4139 gen_not(b0); 4140 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4141 IEEE80211_FC0_SUBTYPE_MASK); 4142 gen_not(b1); 4143 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4144 IEEE80211_FC0_SUBTYPE_MASK); 4145 gen_not(b2); 4146 gen_and(b1, b2); 4147 gen_or(b0, b2); 4148 4149 /* 4150 * If the high-order bit of the type value is 0, this 4151 * is a management frame. 4152 * I.e, check "(link[0] & 0x08)". 4153 */ 4154 s = gen_load_a(OR_LINK, 0, BPF_B); 4155 b1 = new_block(JMP(BPF_JSET)); 4156 b1->s.k = 0x08; 4157 b1->stmts = s; 4158 4159 /* 4160 * AND that with the check for frames other than 4161 * CTS and ACK frames. 4162 */ 4163 gen_and(b1, b2); 4164 4165 /* 4166 * Check addr2. 4167 */ 4168 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4169 gen_and(b2, b1); 4170 return b1; 4171 4172 /* 4173 * XXX - add BSSID keyword? 4174 */ 4175 case Q_ADDR1: 4176 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4177 4178 case Q_ADDR2: 4179 /* 4180 * Not present in CTS or ACK control frames. 4181 */ 4182 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4183 IEEE80211_FC0_TYPE_MASK); 4184 gen_not(b0); 4185 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4186 IEEE80211_FC0_SUBTYPE_MASK); 4187 gen_not(b1); 4188 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4189 IEEE80211_FC0_SUBTYPE_MASK); 4190 gen_not(b2); 4191 gen_and(b1, b2); 4192 gen_or(b0, b2); 4193 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4194 gen_and(b2, b1); 4195 return b1; 4196 4197 case Q_ADDR3: 4198 /* 4199 * Not present in control frames. 4200 */ 4201 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4202 IEEE80211_FC0_TYPE_MASK); 4203 gen_not(b0); 4204 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4205 gen_and(b0, b1); 4206 return b1; 4207 4208 case Q_ADDR4: 4209 /* 4210 * Present only if the direction mask has both "From DS" 4211 * and "To DS" set. Neither control frames nor management 4212 * frames should have both of those set, so we don't 4213 * check the frame type. 4214 */ 4215 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4216 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4217 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4218 gen_and(b0, b1); 4219 return b1; 4220 4221 case Q_AND: 4222 b0 = gen_wlanhostop(eaddr, Q_SRC); 4223 b1 = gen_wlanhostop(eaddr, Q_DST); 4224 gen_and(b0, b1); 4225 return b1; 4226 4227 case Q_DEFAULT: 4228 case Q_OR: 4229 b0 = gen_wlanhostop(eaddr, Q_SRC); 4230 b1 = gen_wlanhostop(eaddr, Q_DST); 4231 gen_or(b0, b1); 4232 return b1; 4233 } 4234 abort(); 4235 /* NOTREACHED */ 4236 } 4237 4238 /* 4239 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4240 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4241 * as the RFC states.) 4242 */ 4243 static struct block * 4244 gen_ipfchostop(eaddr, dir) 4245 register const u_char *eaddr; 4246 register int dir; 4247 { 4248 register struct block *b0, *b1; 4249 4250 switch (dir) { 4251 case Q_SRC: 4252 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4253 4254 case Q_DST: 4255 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4256 4257 case Q_AND: 4258 b0 = gen_ipfchostop(eaddr, Q_SRC); 4259 b1 = gen_ipfchostop(eaddr, Q_DST); 4260 gen_and(b0, b1); 4261 return b1; 4262 4263 case Q_DEFAULT: 4264 case Q_OR: 4265 b0 = gen_ipfchostop(eaddr, Q_SRC); 4266 b1 = gen_ipfchostop(eaddr, Q_DST); 4267 gen_or(b0, b1); 4268 return b1; 4269 4270 case Q_ADDR1: 4271 bpf_error("'addr1' is only supported on 802.11"); 4272 break; 4273 4274 case Q_ADDR2: 4275 bpf_error("'addr2' is only supported on 802.11"); 4276 break; 4277 4278 case Q_ADDR3: 4279 bpf_error("'addr3' is only supported on 802.11"); 4280 break; 4281 4282 case Q_ADDR4: 4283 bpf_error("'addr4' is only supported on 802.11"); 4284 break; 4285 4286 case Q_RA: 4287 bpf_error("'ra' is only supported on 802.11"); 4288 break; 4289 4290 case Q_TA: 4291 bpf_error("'ta' is only supported on 802.11"); 4292 break; 4293 } 4294 abort(); 4295 /* NOTREACHED */ 4296 } 4297 4298 /* 4299 * This is quite tricky because there may be pad bytes in front of the 4300 * DECNET header, and then there are two possible data packet formats that 4301 * carry both src and dst addresses, plus 5 packet types in a format that 4302 * carries only the src node, plus 2 types that use a different format and 4303 * also carry just the src node. 4304 * 4305 * Yuck. 4306 * 4307 * Instead of doing those all right, we just look for data packets with 4308 * 0 or 1 bytes of padding. If you want to look at other packets, that 4309 * will require a lot more hacking. 4310 * 4311 * To add support for filtering on DECNET "areas" (network numbers) 4312 * one would want to add a "mask" argument to this routine. That would 4313 * make the filter even more inefficient, although one could be clever 4314 * and not generate masking instructions if the mask is 0xFFFF. 4315 */ 4316 static struct block * 4317 gen_dnhostop(addr, dir) 4318 bpf_u_int32 addr; 4319 int dir; 4320 { 4321 struct block *b0, *b1, *b2, *tmp; 4322 u_int offset_lh; /* offset if long header is received */ 4323 u_int offset_sh; /* offset if short header is received */ 4324 4325 switch (dir) { 4326 4327 case Q_DST: 4328 offset_sh = 1; /* follows flags */ 4329 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4330 break; 4331 4332 case Q_SRC: 4333 offset_sh = 3; /* follows flags, dstnode */ 4334 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4335 break; 4336 4337 case Q_AND: 4338 /* Inefficient because we do our Calvinball dance twice */ 4339 b0 = gen_dnhostop(addr, Q_SRC); 4340 b1 = gen_dnhostop(addr, Q_DST); 4341 gen_and(b0, b1); 4342 return b1; 4343 4344 case Q_OR: 4345 case Q_DEFAULT: 4346 /* Inefficient because we do our Calvinball dance twice */ 4347 b0 = gen_dnhostop(addr, Q_SRC); 4348 b1 = gen_dnhostop(addr, Q_DST); 4349 gen_or(b0, b1); 4350 return b1; 4351 4352 case Q_ISO: 4353 bpf_error("ISO host filtering not implemented"); 4354 4355 default: 4356 abort(); 4357 } 4358 b0 = gen_linktype(ETHERTYPE_DN); 4359 /* Check for pad = 1, long header case */ 4360 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4361 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4362 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4363 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4364 gen_and(tmp, b1); 4365 /* Check for pad = 0, long header case */ 4366 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4367 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4368 gen_and(tmp, b2); 4369 gen_or(b2, b1); 4370 /* Check for pad = 1, short header case */ 4371 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4372 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4373 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4374 gen_and(tmp, b2); 4375 gen_or(b2, b1); 4376 /* Check for pad = 0, short header case */ 4377 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4378 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4379 gen_and(tmp, b2); 4380 gen_or(b2, b1); 4381 4382 /* Combine with test for linktype */ 4383 gen_and(b0, b1); 4384 return b1; 4385 } 4386 4387 /* 4388 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4389 * test the bottom-of-stack bit, and then check the version number 4390 * field in the IP header. 4391 */ 4392 static struct block * 4393 gen_mpls_linktype(proto) 4394 int proto; 4395 { 4396 struct block *b0, *b1; 4397 4398 switch (proto) { 4399 4400 case Q_IP: 4401 /* match the bottom-of-stack bit */ 4402 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4403 /* match the IPv4 version number */ 4404 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4405 gen_and(b0, b1); 4406 return b1; 4407 4408 case Q_IPV6: 4409 /* match the bottom-of-stack bit */ 4410 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4411 /* match the IPv4 version number */ 4412 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4413 gen_and(b0, b1); 4414 return b1; 4415 4416 default: 4417 abort(); 4418 } 4419 } 4420 4421 static struct block * 4422 gen_host(addr, mask, proto, dir, type) 4423 bpf_u_int32 addr; 4424 bpf_u_int32 mask; 4425 int proto; 4426 int dir; 4427 int type; 4428 { 4429 struct block *b0, *b1; 4430 const char *typestr; 4431 4432 if (type == Q_NET) 4433 typestr = "net"; 4434 else 4435 typestr = "host"; 4436 4437 switch (proto) { 4438 4439 case Q_DEFAULT: 4440 b0 = gen_host(addr, mask, Q_IP, dir, type); 4441 /* 4442 * Only check for non-IPv4 addresses if we're not 4443 * checking MPLS-encapsulated packets. 4444 */ 4445 if (label_stack_depth == 0) { 4446 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4447 gen_or(b0, b1); 4448 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4449 gen_or(b1, b0); 4450 } 4451 return b0; 4452 4453 case Q_IP: 4454 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4455 4456 case Q_RARP: 4457 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4458 4459 case Q_ARP: 4460 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4461 4462 case Q_TCP: 4463 bpf_error("'tcp' modifier applied to %s", typestr); 4464 4465 case Q_SCTP: 4466 bpf_error("'sctp' modifier applied to %s", typestr); 4467 4468 case Q_UDP: 4469 bpf_error("'udp' modifier applied to %s", typestr); 4470 4471 case Q_ICMP: 4472 bpf_error("'icmp' modifier applied to %s", typestr); 4473 4474 case Q_IGMP: 4475 bpf_error("'igmp' modifier applied to %s", typestr); 4476 4477 case Q_IGRP: 4478 bpf_error("'igrp' modifier applied to %s", typestr); 4479 4480 case Q_PIM: 4481 bpf_error("'pim' modifier applied to %s", typestr); 4482 4483 case Q_VRRP: 4484 bpf_error("'vrrp' modifier applied to %s", typestr); 4485 4486 case Q_CARP: 4487 bpf_error("'carp' modifier applied to %s", typestr); 4488 4489 case Q_ATALK: 4490 bpf_error("ATALK host filtering not implemented"); 4491 4492 case Q_AARP: 4493 bpf_error("AARP host filtering not implemented"); 4494 4495 case Q_DECNET: 4496 return gen_dnhostop(addr, dir); 4497 4498 case Q_SCA: 4499 bpf_error("SCA host filtering not implemented"); 4500 4501 case Q_LAT: 4502 bpf_error("LAT host filtering not implemented"); 4503 4504 case Q_MOPDL: 4505 bpf_error("MOPDL host filtering not implemented"); 4506 4507 case Q_MOPRC: 4508 bpf_error("MOPRC host filtering not implemented"); 4509 4510 #ifdef INET6 4511 case Q_IPV6: 4512 bpf_error("'ip6' modifier applied to ip host"); 4513 4514 case Q_ICMPV6: 4515 bpf_error("'icmp6' modifier applied to %s", typestr); 4516 #endif /* INET6 */ 4517 4518 case Q_AH: 4519 bpf_error("'ah' modifier applied to %s", typestr); 4520 4521 case Q_ESP: 4522 bpf_error("'esp' modifier applied to %s", typestr); 4523 4524 case Q_ISO: 4525 bpf_error("ISO host filtering not implemented"); 4526 4527 case Q_ESIS: 4528 bpf_error("'esis' modifier applied to %s", typestr); 4529 4530 case Q_ISIS: 4531 bpf_error("'isis' modifier applied to %s", typestr); 4532 4533 case Q_CLNP: 4534 bpf_error("'clnp' modifier applied to %s", typestr); 4535 4536 case Q_STP: 4537 bpf_error("'stp' modifier applied to %s", typestr); 4538 4539 case Q_IPX: 4540 bpf_error("IPX host filtering not implemented"); 4541 4542 case Q_NETBEUI: 4543 bpf_error("'netbeui' modifier applied to %s", typestr); 4544 4545 case Q_RADIO: 4546 bpf_error("'radio' modifier applied to %s", typestr); 4547 4548 default: 4549 abort(); 4550 } 4551 /* NOTREACHED */ 4552 } 4553 4554 #ifdef INET6 4555 static struct block * 4556 gen_host6(addr, mask, proto, dir, type) 4557 struct in6_addr *addr; 4558 struct in6_addr *mask; 4559 int proto; 4560 int dir; 4561 int type; 4562 { 4563 const char *typestr; 4564 4565 if (type == Q_NET) 4566 typestr = "net"; 4567 else 4568 typestr = "host"; 4569 4570 switch (proto) { 4571 4572 case Q_DEFAULT: 4573 return gen_host6(addr, mask, Q_IPV6, dir, type); 4574 4575 case Q_IP: 4576 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4577 4578 case Q_RARP: 4579 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4580 4581 case Q_ARP: 4582 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4583 4584 case Q_SCTP: 4585 bpf_error("'sctp' modifier applied to %s", typestr); 4586 4587 case Q_TCP: 4588 bpf_error("'tcp' modifier applied to %s", typestr); 4589 4590 case Q_UDP: 4591 bpf_error("'udp' modifier applied to %s", typestr); 4592 4593 case Q_ICMP: 4594 bpf_error("'icmp' modifier applied to %s", typestr); 4595 4596 case Q_IGMP: 4597 bpf_error("'igmp' modifier applied to %s", typestr); 4598 4599 case Q_IGRP: 4600 bpf_error("'igrp' modifier applied to %s", typestr); 4601 4602 case Q_PIM: 4603 bpf_error("'pim' modifier applied to %s", typestr); 4604 4605 case Q_VRRP: 4606 bpf_error("'vrrp' modifier applied to %s", typestr); 4607 4608 case Q_CARP: 4609 bpf_error("'carp' modifier applied to %s", typestr); 4610 4611 case Q_ATALK: 4612 bpf_error("ATALK host filtering not implemented"); 4613 4614 case Q_AARP: 4615 bpf_error("AARP host filtering not implemented"); 4616 4617 case Q_DECNET: 4618 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4619 4620 case Q_SCA: 4621 bpf_error("SCA host filtering not implemented"); 4622 4623 case Q_LAT: 4624 bpf_error("LAT host filtering not implemented"); 4625 4626 case Q_MOPDL: 4627 bpf_error("MOPDL host filtering not implemented"); 4628 4629 case Q_MOPRC: 4630 bpf_error("MOPRC host filtering not implemented"); 4631 4632 case Q_IPV6: 4633 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4634 4635 case Q_ICMPV6: 4636 bpf_error("'icmp6' modifier applied to %s", typestr); 4637 4638 case Q_AH: 4639 bpf_error("'ah' modifier applied to %s", typestr); 4640 4641 case Q_ESP: 4642 bpf_error("'esp' modifier applied to %s", typestr); 4643 4644 case Q_ISO: 4645 bpf_error("ISO host filtering not implemented"); 4646 4647 case Q_ESIS: 4648 bpf_error("'esis' modifier applied to %s", typestr); 4649 4650 case Q_ISIS: 4651 bpf_error("'isis' modifier applied to %s", typestr); 4652 4653 case Q_CLNP: 4654 bpf_error("'clnp' modifier applied to %s", typestr); 4655 4656 case Q_STP: 4657 bpf_error("'stp' modifier applied to %s", typestr); 4658 4659 case Q_IPX: 4660 bpf_error("IPX host filtering not implemented"); 4661 4662 case Q_NETBEUI: 4663 bpf_error("'netbeui' modifier applied to %s", typestr); 4664 4665 case Q_RADIO: 4666 bpf_error("'radio' modifier applied to %s", typestr); 4667 4668 default: 4669 abort(); 4670 } 4671 /* NOTREACHED */ 4672 } 4673 #endif /*INET6*/ 4674 4675 #ifndef INET6 4676 static struct block * 4677 gen_gateway(eaddr, alist, proto, dir) 4678 const u_char *eaddr; 4679 bpf_u_int32 **alist; 4680 int proto; 4681 int dir; 4682 { 4683 struct block *b0, *b1, *tmp; 4684 4685 if (dir != 0) 4686 bpf_error("direction applied to 'gateway'"); 4687 4688 switch (proto) { 4689 case Q_DEFAULT: 4690 case Q_IP: 4691 case Q_ARP: 4692 case Q_RARP: 4693 switch (linktype) { 4694 case DLT_EN10MB: 4695 case DLT_NETANALYZER: 4696 case DLT_NETANALYZER_TRANSPARENT: 4697 b0 = gen_ehostop(eaddr, Q_OR); 4698 break; 4699 case DLT_FDDI: 4700 b0 = gen_fhostop(eaddr, Q_OR); 4701 break; 4702 case DLT_IEEE802: 4703 b0 = gen_thostop(eaddr, Q_OR); 4704 break; 4705 case DLT_IEEE802_11: 4706 case DLT_PRISM_HEADER: 4707 case DLT_IEEE802_11_RADIO_AVS: 4708 case DLT_IEEE802_11_RADIO: 4709 case DLT_PPI: 4710 b0 = gen_wlanhostop(eaddr, Q_OR); 4711 break; 4712 case DLT_SUNATM: 4713 if (!is_lane) 4714 bpf_error( 4715 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4716 /* 4717 * Check that the packet doesn't begin with an 4718 * LE Control marker. (We've already generated 4719 * a test for LANE.) 4720 */ 4721 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4722 BPF_H, 0xFF00); 4723 gen_not(b1); 4724 4725 /* 4726 * Now check the MAC address. 4727 */ 4728 b0 = gen_ehostop(eaddr, Q_OR); 4729 gen_and(b1, b0); 4730 break; 4731 case DLT_IP_OVER_FC: 4732 b0 = gen_ipfchostop(eaddr, Q_OR); 4733 break; 4734 default: 4735 bpf_error( 4736 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4737 } 4738 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4739 while (*alist) { 4740 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4741 Q_HOST); 4742 gen_or(b1, tmp); 4743 b1 = tmp; 4744 } 4745 gen_not(b1); 4746 gen_and(b0, b1); 4747 return b1; 4748 } 4749 bpf_error("illegal modifier of 'gateway'"); 4750 /* NOTREACHED */ 4751 } 4752 #endif 4753 4754 struct block * 4755 gen_proto_abbrev(proto) 4756 int proto; 4757 { 4758 struct block *b0; 4759 struct block *b1; 4760 4761 switch (proto) { 4762 4763 case Q_SCTP: 4764 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4765 #ifdef INET6 4766 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4767 gen_or(b0, b1); 4768 #endif 4769 break; 4770 4771 case Q_TCP: 4772 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4773 #ifdef INET6 4774 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4775 gen_or(b0, b1); 4776 #endif 4777 break; 4778 4779 case Q_UDP: 4780 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4781 #ifdef INET6 4782 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4783 gen_or(b0, b1); 4784 #endif 4785 break; 4786 4787 case Q_ICMP: 4788 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4789 break; 4790 4791 #ifndef IPPROTO_IGMP 4792 #define IPPROTO_IGMP 2 4793 #endif 4794 4795 case Q_IGMP: 4796 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4797 break; 4798 4799 #ifndef IPPROTO_IGRP 4800 #define IPPROTO_IGRP 9 4801 #endif 4802 case Q_IGRP: 4803 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4804 break; 4805 4806 #ifndef IPPROTO_PIM 4807 #define IPPROTO_PIM 103 4808 #endif 4809 4810 case Q_PIM: 4811 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4812 #ifdef INET6 4813 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4814 gen_or(b0, b1); 4815 #endif 4816 break; 4817 4818 #ifndef IPPROTO_VRRP 4819 #define IPPROTO_VRRP 112 4820 #endif 4821 4822 case Q_VRRP: 4823 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4824 break; 4825 4826 #ifndef IPPROTO_CARP 4827 #define IPPROTO_CARP 112 4828 #endif 4829 4830 case Q_CARP: 4831 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 4832 break; 4833 4834 case Q_IP: 4835 b1 = gen_linktype(ETHERTYPE_IP); 4836 break; 4837 4838 case Q_ARP: 4839 b1 = gen_linktype(ETHERTYPE_ARP); 4840 break; 4841 4842 case Q_RARP: 4843 b1 = gen_linktype(ETHERTYPE_REVARP); 4844 break; 4845 4846 case Q_LINK: 4847 bpf_error("link layer applied in wrong context"); 4848 4849 case Q_ATALK: 4850 b1 = gen_linktype(ETHERTYPE_ATALK); 4851 break; 4852 4853 case Q_AARP: 4854 b1 = gen_linktype(ETHERTYPE_AARP); 4855 break; 4856 4857 case Q_DECNET: 4858 b1 = gen_linktype(ETHERTYPE_DN); 4859 break; 4860 4861 case Q_SCA: 4862 b1 = gen_linktype(ETHERTYPE_SCA); 4863 break; 4864 4865 case Q_LAT: 4866 b1 = gen_linktype(ETHERTYPE_LAT); 4867 break; 4868 4869 case Q_MOPDL: 4870 b1 = gen_linktype(ETHERTYPE_MOPDL); 4871 break; 4872 4873 case Q_MOPRC: 4874 b1 = gen_linktype(ETHERTYPE_MOPRC); 4875 break; 4876 4877 #ifdef INET6 4878 case Q_IPV6: 4879 b1 = gen_linktype(ETHERTYPE_IPV6); 4880 break; 4881 4882 #ifndef IPPROTO_ICMPV6 4883 #define IPPROTO_ICMPV6 58 4884 #endif 4885 case Q_ICMPV6: 4886 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4887 break; 4888 #endif /* INET6 */ 4889 4890 #ifndef IPPROTO_AH 4891 #define IPPROTO_AH 51 4892 #endif 4893 case Q_AH: 4894 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4895 #ifdef INET6 4896 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4897 gen_or(b0, b1); 4898 #endif 4899 break; 4900 4901 #ifndef IPPROTO_ESP 4902 #define IPPROTO_ESP 50 4903 #endif 4904 case Q_ESP: 4905 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4906 #ifdef INET6 4907 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4908 gen_or(b0, b1); 4909 #endif 4910 break; 4911 4912 case Q_ISO: 4913 b1 = gen_linktype(LLCSAP_ISONS); 4914 break; 4915 4916 case Q_ESIS: 4917 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4918 break; 4919 4920 case Q_ISIS: 4921 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4922 break; 4923 4924 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4925 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4926 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4927 gen_or(b0, b1); 4928 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4929 gen_or(b0, b1); 4930 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4931 gen_or(b0, b1); 4932 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4933 gen_or(b0, b1); 4934 break; 4935 4936 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4937 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4938 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4939 gen_or(b0, b1); 4940 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4941 gen_or(b0, b1); 4942 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4943 gen_or(b0, b1); 4944 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4945 gen_or(b0, b1); 4946 break; 4947 4948 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4949 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4950 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4951 gen_or(b0, b1); 4952 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4953 gen_or(b0, b1); 4954 break; 4955 4956 case Q_ISIS_LSP: 4957 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4958 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4959 gen_or(b0, b1); 4960 break; 4961 4962 case Q_ISIS_SNP: 4963 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4964 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4965 gen_or(b0, b1); 4966 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4967 gen_or(b0, b1); 4968 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4969 gen_or(b0, b1); 4970 break; 4971 4972 case Q_ISIS_CSNP: 4973 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4974 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4975 gen_or(b0, b1); 4976 break; 4977 4978 case Q_ISIS_PSNP: 4979 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4980 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4981 gen_or(b0, b1); 4982 break; 4983 4984 case Q_CLNP: 4985 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4986 break; 4987 4988 case Q_STP: 4989 b1 = gen_linktype(LLCSAP_8021D); 4990 break; 4991 4992 case Q_IPX: 4993 b1 = gen_linktype(LLCSAP_IPX); 4994 break; 4995 4996 case Q_NETBEUI: 4997 b1 = gen_linktype(LLCSAP_NETBEUI); 4998 break; 4999 5000 case Q_RADIO: 5001 bpf_error("'radio' is not a valid protocol type"); 5002 5003 default: 5004 abort(); 5005 } 5006 return b1; 5007 } 5008 5009 static struct block * 5010 gen_ipfrag() 5011 { 5012 struct slist *s; 5013 struct block *b; 5014 5015 /* not IPv4 frag other than the first frag */ 5016 s = gen_load_a(OR_NET, 6, BPF_H); 5017 b = new_block(JMP(BPF_JSET)); 5018 b->s.k = 0x1fff; 5019 b->stmts = s; 5020 gen_not(b); 5021 5022 return b; 5023 } 5024 5025 /* 5026 * Generate a comparison to a port value in the transport-layer header 5027 * at the specified offset from the beginning of that header. 5028 * 5029 * XXX - this handles a variable-length prefix preceding the link-layer 5030 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5031 * variable-length link-layer headers (such as Token Ring or 802.11 5032 * headers). 5033 */ 5034 static struct block * 5035 gen_portatom(off, v) 5036 int off; 5037 bpf_int32 v; 5038 { 5039 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5040 } 5041 5042 #ifdef INET6 5043 static struct block * 5044 gen_portatom6(off, v) 5045 int off; 5046 bpf_int32 v; 5047 { 5048 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5049 } 5050 #endif/*INET6*/ 5051 5052 struct block * 5053 gen_portop(port, proto, dir) 5054 int port, proto, dir; 5055 { 5056 struct block *b0, *b1, *tmp; 5057 5058 /* ip proto 'proto' and not a fragment other than the first fragment */ 5059 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5060 b0 = gen_ipfrag(); 5061 gen_and(tmp, b0); 5062 5063 switch (dir) { 5064 case Q_SRC: 5065 b1 = gen_portatom(0, (bpf_int32)port); 5066 break; 5067 5068 case Q_DST: 5069 b1 = gen_portatom(2, (bpf_int32)port); 5070 break; 5071 5072 case Q_OR: 5073 case Q_DEFAULT: 5074 tmp = gen_portatom(0, (bpf_int32)port); 5075 b1 = gen_portatom(2, (bpf_int32)port); 5076 gen_or(tmp, b1); 5077 break; 5078 5079 case Q_AND: 5080 tmp = gen_portatom(0, (bpf_int32)port); 5081 b1 = gen_portatom(2, (bpf_int32)port); 5082 gen_and(tmp, b1); 5083 break; 5084 5085 default: 5086 abort(); 5087 } 5088 gen_and(b0, b1); 5089 5090 return b1; 5091 } 5092 5093 static struct block * 5094 gen_port(port, ip_proto, dir) 5095 int port; 5096 int ip_proto; 5097 int dir; 5098 { 5099 struct block *b0, *b1, *tmp; 5100 5101 /* 5102 * ether proto ip 5103 * 5104 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5105 * not LLC encapsulation with LLCSAP_IP. 5106 * 5107 * For IEEE 802 networks - which includes 802.5 token ring 5108 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5109 * says that SNAP encapsulation is used, not LLC encapsulation 5110 * with LLCSAP_IP. 5111 * 5112 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5113 * RFC 2225 say that SNAP encapsulation is used, not LLC 5114 * encapsulation with LLCSAP_IP. 5115 * 5116 * So we always check for ETHERTYPE_IP. 5117 */ 5118 b0 = gen_linktype(ETHERTYPE_IP); 5119 5120 switch (ip_proto) { 5121 case IPPROTO_UDP: 5122 case IPPROTO_TCP: 5123 case IPPROTO_SCTP: 5124 b1 = gen_portop(port, ip_proto, dir); 5125 break; 5126 5127 case PROTO_UNDEF: 5128 tmp = gen_portop(port, IPPROTO_TCP, dir); 5129 b1 = gen_portop(port, IPPROTO_UDP, dir); 5130 gen_or(tmp, b1); 5131 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5132 gen_or(tmp, b1); 5133 break; 5134 5135 default: 5136 abort(); 5137 } 5138 gen_and(b0, b1); 5139 return b1; 5140 } 5141 5142 #ifdef INET6 5143 struct block * 5144 gen_portop6(port, proto, dir) 5145 int port, proto, dir; 5146 { 5147 struct block *b0, *b1, *tmp; 5148 5149 /* ip6 proto 'proto' */ 5150 /* XXX - catch the first fragment of a fragmented packet? */ 5151 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5152 5153 switch (dir) { 5154 case Q_SRC: 5155 b1 = gen_portatom6(0, (bpf_int32)port); 5156 break; 5157 5158 case Q_DST: 5159 b1 = gen_portatom6(2, (bpf_int32)port); 5160 break; 5161 5162 case Q_OR: 5163 case Q_DEFAULT: 5164 tmp = gen_portatom6(0, (bpf_int32)port); 5165 b1 = gen_portatom6(2, (bpf_int32)port); 5166 gen_or(tmp, b1); 5167 break; 5168 5169 case Q_AND: 5170 tmp = gen_portatom6(0, (bpf_int32)port); 5171 b1 = gen_portatom6(2, (bpf_int32)port); 5172 gen_and(tmp, b1); 5173 break; 5174 5175 default: 5176 abort(); 5177 } 5178 gen_and(b0, b1); 5179 5180 return b1; 5181 } 5182 5183 static struct block * 5184 gen_port6(port, ip_proto, dir) 5185 int port; 5186 int ip_proto; 5187 int dir; 5188 { 5189 struct block *b0, *b1, *tmp; 5190 5191 /* link proto ip6 */ 5192 b0 = gen_linktype(ETHERTYPE_IPV6); 5193 5194 switch (ip_proto) { 5195 case IPPROTO_UDP: 5196 case IPPROTO_TCP: 5197 case IPPROTO_SCTP: 5198 b1 = gen_portop6(port, ip_proto, dir); 5199 break; 5200 5201 case PROTO_UNDEF: 5202 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5203 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5204 gen_or(tmp, b1); 5205 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5206 gen_or(tmp, b1); 5207 break; 5208 5209 default: 5210 abort(); 5211 } 5212 gen_and(b0, b1); 5213 return b1; 5214 } 5215 #endif /* INET6 */ 5216 5217 /* gen_portrange code */ 5218 static struct block * 5219 gen_portrangeatom(off, v1, v2) 5220 int off; 5221 bpf_int32 v1, v2; 5222 { 5223 struct block *b1, *b2; 5224 5225 if (v1 > v2) { 5226 /* 5227 * Reverse the order of the ports, so v1 is the lower one. 5228 */ 5229 bpf_int32 vtemp; 5230 5231 vtemp = v1; 5232 v1 = v2; 5233 v2 = vtemp; 5234 } 5235 5236 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5237 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5238 5239 gen_and(b1, b2); 5240 5241 return b2; 5242 } 5243 5244 struct block * 5245 gen_portrangeop(port1, port2, proto, dir) 5246 int port1, port2; 5247 int proto; 5248 int dir; 5249 { 5250 struct block *b0, *b1, *tmp; 5251 5252 /* ip proto 'proto' and not a fragment other than the first fragment */ 5253 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5254 b0 = gen_ipfrag(); 5255 gen_and(tmp, b0); 5256 5257 switch (dir) { 5258 case Q_SRC: 5259 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5260 break; 5261 5262 case Q_DST: 5263 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5264 break; 5265 5266 case Q_OR: 5267 case Q_DEFAULT: 5268 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5269 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5270 gen_or(tmp, b1); 5271 break; 5272 5273 case Q_AND: 5274 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5275 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5276 gen_and(tmp, b1); 5277 break; 5278 5279 default: 5280 abort(); 5281 } 5282 gen_and(b0, b1); 5283 5284 return b1; 5285 } 5286 5287 static struct block * 5288 gen_portrange(port1, port2, ip_proto, dir) 5289 int port1, port2; 5290 int ip_proto; 5291 int dir; 5292 { 5293 struct block *b0, *b1, *tmp; 5294 5295 /* link proto ip */ 5296 b0 = gen_linktype(ETHERTYPE_IP); 5297 5298 switch (ip_proto) { 5299 case IPPROTO_UDP: 5300 case IPPROTO_TCP: 5301 case IPPROTO_SCTP: 5302 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5303 break; 5304 5305 case PROTO_UNDEF: 5306 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5307 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5308 gen_or(tmp, b1); 5309 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5310 gen_or(tmp, b1); 5311 break; 5312 5313 default: 5314 abort(); 5315 } 5316 gen_and(b0, b1); 5317 return b1; 5318 } 5319 5320 #ifdef INET6 5321 static struct block * 5322 gen_portrangeatom6(off, v1, v2) 5323 int off; 5324 bpf_int32 v1, v2; 5325 { 5326 struct block *b1, *b2; 5327 5328 if (v1 > v2) { 5329 /* 5330 * Reverse the order of the ports, so v1 is the lower one. 5331 */ 5332 bpf_int32 vtemp; 5333 5334 vtemp = v1; 5335 v1 = v2; 5336 v2 = vtemp; 5337 } 5338 5339 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5340 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5341 5342 gen_and(b1, b2); 5343 5344 return b2; 5345 } 5346 5347 struct block * 5348 gen_portrangeop6(port1, port2, proto, dir) 5349 int port1, port2; 5350 int proto; 5351 int dir; 5352 { 5353 struct block *b0, *b1, *tmp; 5354 5355 /* ip6 proto 'proto' */ 5356 /* XXX - catch the first fragment of a fragmented packet? */ 5357 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5358 5359 switch (dir) { 5360 case Q_SRC: 5361 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5362 break; 5363 5364 case Q_DST: 5365 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5366 break; 5367 5368 case Q_OR: 5369 case Q_DEFAULT: 5370 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5371 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5372 gen_or(tmp, b1); 5373 break; 5374 5375 case Q_AND: 5376 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5377 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5378 gen_and(tmp, b1); 5379 break; 5380 5381 default: 5382 abort(); 5383 } 5384 gen_and(b0, b1); 5385 5386 return b1; 5387 } 5388 5389 static struct block * 5390 gen_portrange6(port1, port2, ip_proto, dir) 5391 int port1, port2; 5392 int ip_proto; 5393 int dir; 5394 { 5395 struct block *b0, *b1, *tmp; 5396 5397 /* link proto ip6 */ 5398 b0 = gen_linktype(ETHERTYPE_IPV6); 5399 5400 switch (ip_proto) { 5401 case IPPROTO_UDP: 5402 case IPPROTO_TCP: 5403 case IPPROTO_SCTP: 5404 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5405 break; 5406 5407 case PROTO_UNDEF: 5408 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5409 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5410 gen_or(tmp, b1); 5411 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5412 gen_or(tmp, b1); 5413 break; 5414 5415 default: 5416 abort(); 5417 } 5418 gen_and(b0, b1); 5419 return b1; 5420 } 5421 #endif /* INET6 */ 5422 5423 static int 5424 lookup_proto(name, proto) 5425 register const char *name; 5426 register int proto; 5427 { 5428 register int v; 5429 5430 switch (proto) { 5431 5432 case Q_DEFAULT: 5433 case Q_IP: 5434 case Q_IPV6: 5435 v = pcap_nametoproto(name); 5436 if (v == PROTO_UNDEF) 5437 bpf_error("unknown ip proto '%s'", name); 5438 break; 5439 5440 case Q_LINK: 5441 /* XXX should look up h/w protocol type based on linktype */ 5442 v = pcap_nametoeproto(name); 5443 if (v == PROTO_UNDEF) { 5444 v = pcap_nametollc(name); 5445 if (v == PROTO_UNDEF) 5446 bpf_error("unknown ether proto '%s'", name); 5447 } 5448 break; 5449 5450 case Q_ISO: 5451 if (strcmp(name, "esis") == 0) 5452 v = ISO9542_ESIS; 5453 else if (strcmp(name, "isis") == 0) 5454 v = ISO10589_ISIS; 5455 else if (strcmp(name, "clnp") == 0) 5456 v = ISO8473_CLNP; 5457 else 5458 bpf_error("unknown osi proto '%s'", name); 5459 break; 5460 5461 default: 5462 v = PROTO_UNDEF; 5463 break; 5464 } 5465 return v; 5466 } 5467 5468 #if 0 5469 struct stmt * 5470 gen_joinsp(s, n) 5471 struct stmt **s; 5472 int n; 5473 { 5474 return NULL; 5475 } 5476 #endif 5477 5478 static struct block * 5479 gen_protochain(v, proto, dir) 5480 int v; 5481 int proto; 5482 int dir; 5483 { 5484 #ifdef NO_PROTOCHAIN 5485 return gen_proto(v, proto, dir); 5486 #else 5487 struct block *b0, *b; 5488 struct slist *s[100]; 5489 int fix2, fix3, fix4, fix5; 5490 int ahcheck, again, end; 5491 int i, max; 5492 int reg2 = alloc_reg(); 5493 5494 memset(s, 0, sizeof(s)); 5495 fix2 = fix3 = fix4 = fix5 = 0; 5496 5497 switch (proto) { 5498 case Q_IP: 5499 case Q_IPV6: 5500 break; 5501 case Q_DEFAULT: 5502 b0 = gen_protochain(v, Q_IP, dir); 5503 b = gen_protochain(v, Q_IPV6, dir); 5504 gen_or(b0, b); 5505 return b; 5506 default: 5507 bpf_error("bad protocol applied for 'protochain'"); 5508 /*NOTREACHED*/ 5509 } 5510 5511 /* 5512 * We don't handle variable-length prefixes before the link-layer 5513 * header, or variable-length link-layer headers, here yet. 5514 * We might want to add BPF instructions to do the protochain 5515 * work, to simplify that and, on platforms that have a BPF 5516 * interpreter with the new instructions, let the filtering 5517 * be done in the kernel. (We already require a modified BPF 5518 * engine to do the protochain stuff, to support backward 5519 * branches, and backward branch support is unlikely to appear 5520 * in kernel BPF engines.) 5521 */ 5522 switch (linktype) { 5523 5524 case DLT_IEEE802_11: 5525 case DLT_PRISM_HEADER: 5526 case DLT_IEEE802_11_RADIO_AVS: 5527 case DLT_IEEE802_11_RADIO: 5528 case DLT_PPI: 5529 bpf_error("'protochain' not supported with 802.11"); 5530 } 5531 5532 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5533 5534 /* 5535 * s[0] is a dummy entry to protect other BPF insn from damage 5536 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5537 * hard to find interdependency made by jump table fixup. 5538 */ 5539 i = 0; 5540 s[i] = new_stmt(0); /*dummy*/ 5541 i++; 5542 5543 switch (proto) { 5544 case Q_IP: 5545 b0 = gen_linktype(ETHERTYPE_IP); 5546 5547 /* A = ip->ip_p */ 5548 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5549 s[i]->s.k = off_macpl + off_nl + 9; 5550 i++; 5551 /* X = ip->ip_hl << 2 */ 5552 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5553 s[i]->s.k = off_macpl + off_nl; 5554 i++; 5555 break; 5556 #ifdef INET6 5557 case Q_IPV6: 5558 b0 = gen_linktype(ETHERTYPE_IPV6); 5559 5560 /* A = ip6->ip_nxt */ 5561 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5562 s[i]->s.k = off_macpl + off_nl + 6; 5563 i++; 5564 /* X = sizeof(struct ip6_hdr) */ 5565 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5566 s[i]->s.k = 40; 5567 i++; 5568 break; 5569 #endif 5570 default: 5571 bpf_error("unsupported proto to gen_protochain"); 5572 /*NOTREACHED*/ 5573 } 5574 5575 /* again: if (A == v) goto end; else fall through; */ 5576 again = i; 5577 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5578 s[i]->s.k = v; 5579 s[i]->s.jt = NULL; /*later*/ 5580 s[i]->s.jf = NULL; /*update in next stmt*/ 5581 fix5 = i; 5582 i++; 5583 5584 #ifndef IPPROTO_NONE 5585 #define IPPROTO_NONE 59 5586 #endif 5587 /* if (A == IPPROTO_NONE) goto end */ 5588 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5589 s[i]->s.jt = NULL; /*later*/ 5590 s[i]->s.jf = NULL; /*update in next stmt*/ 5591 s[i]->s.k = IPPROTO_NONE; 5592 s[fix5]->s.jf = s[i]; 5593 fix2 = i; 5594 i++; 5595 5596 #ifdef INET6 5597 if (proto == Q_IPV6) { 5598 int v6start, v6end, v6advance, j; 5599 5600 v6start = i; 5601 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5602 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5603 s[i]->s.jt = NULL; /*later*/ 5604 s[i]->s.jf = NULL; /*update in next stmt*/ 5605 s[i]->s.k = IPPROTO_HOPOPTS; 5606 s[fix2]->s.jf = s[i]; 5607 i++; 5608 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5609 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5610 s[i]->s.jt = NULL; /*later*/ 5611 s[i]->s.jf = NULL; /*update in next stmt*/ 5612 s[i]->s.k = IPPROTO_DSTOPTS; 5613 i++; 5614 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5615 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5616 s[i]->s.jt = NULL; /*later*/ 5617 s[i]->s.jf = NULL; /*update in next stmt*/ 5618 s[i]->s.k = IPPROTO_ROUTING; 5619 i++; 5620 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5621 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5622 s[i]->s.jt = NULL; /*later*/ 5623 s[i]->s.jf = NULL; /*later*/ 5624 s[i]->s.k = IPPROTO_FRAGMENT; 5625 fix3 = i; 5626 v6end = i; 5627 i++; 5628 5629 /* v6advance: */ 5630 v6advance = i; 5631 5632 /* 5633 * in short, 5634 * A = P[X + packet head]; 5635 * X = X + (P[X + packet head + 1] + 1) * 8; 5636 */ 5637 /* A = P[X + packet head] */ 5638 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5639 s[i]->s.k = off_macpl + off_nl; 5640 i++; 5641 /* MEM[reg2] = A */ 5642 s[i] = new_stmt(BPF_ST); 5643 s[i]->s.k = reg2; 5644 i++; 5645 /* A = P[X + packet head + 1]; */ 5646 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5647 s[i]->s.k = off_macpl + off_nl + 1; 5648 i++; 5649 /* A += 1 */ 5650 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5651 s[i]->s.k = 1; 5652 i++; 5653 /* A *= 8 */ 5654 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5655 s[i]->s.k = 8; 5656 i++; 5657 /* A += X */ 5658 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5659 s[i]->s.k = 0; 5660 i++; 5661 /* X = A; */ 5662 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5663 i++; 5664 /* A = MEM[reg2] */ 5665 s[i] = new_stmt(BPF_LD|BPF_MEM); 5666 s[i]->s.k = reg2; 5667 i++; 5668 5669 /* goto again; (must use BPF_JA for backward jump) */ 5670 s[i] = new_stmt(BPF_JMP|BPF_JA); 5671 s[i]->s.k = again - i - 1; 5672 s[i - 1]->s.jf = s[i]; 5673 i++; 5674 5675 /* fixup */ 5676 for (j = v6start; j <= v6end; j++) 5677 s[j]->s.jt = s[v6advance]; 5678 } else 5679 #endif 5680 { 5681 /* nop */ 5682 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5683 s[i]->s.k = 0; 5684 s[fix2]->s.jf = s[i]; 5685 i++; 5686 } 5687 5688 /* ahcheck: */ 5689 ahcheck = i; 5690 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5691 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5692 s[i]->s.jt = NULL; /*later*/ 5693 s[i]->s.jf = NULL; /*later*/ 5694 s[i]->s.k = IPPROTO_AH; 5695 if (fix3) 5696 s[fix3]->s.jf = s[ahcheck]; 5697 fix4 = i; 5698 i++; 5699 5700 /* 5701 * in short, 5702 * A = P[X]; 5703 * X = X + (P[X + 1] + 2) * 4; 5704 */ 5705 /* A = X */ 5706 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5707 i++; 5708 /* A = P[X + packet head]; */ 5709 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5710 s[i]->s.k = off_macpl + off_nl; 5711 i++; 5712 /* MEM[reg2] = A */ 5713 s[i] = new_stmt(BPF_ST); 5714 s[i]->s.k = reg2; 5715 i++; 5716 /* A = X */ 5717 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5718 i++; 5719 /* A += 1 */ 5720 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5721 s[i]->s.k = 1; 5722 i++; 5723 /* X = A */ 5724 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5725 i++; 5726 /* A = P[X + packet head] */ 5727 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5728 s[i]->s.k = off_macpl + off_nl; 5729 i++; 5730 /* A += 2 */ 5731 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5732 s[i]->s.k = 2; 5733 i++; 5734 /* A *= 4 */ 5735 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5736 s[i]->s.k = 4; 5737 i++; 5738 /* X = A; */ 5739 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5740 i++; 5741 /* A = MEM[reg2] */ 5742 s[i] = new_stmt(BPF_LD|BPF_MEM); 5743 s[i]->s.k = reg2; 5744 i++; 5745 5746 /* goto again; (must use BPF_JA for backward jump) */ 5747 s[i] = new_stmt(BPF_JMP|BPF_JA); 5748 s[i]->s.k = again - i - 1; 5749 i++; 5750 5751 /* end: nop */ 5752 end = i; 5753 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5754 s[i]->s.k = 0; 5755 s[fix2]->s.jt = s[end]; 5756 s[fix4]->s.jf = s[end]; 5757 s[fix5]->s.jt = s[end]; 5758 i++; 5759 5760 /* 5761 * make slist chain 5762 */ 5763 max = i; 5764 for (i = 0; i < max - 1; i++) 5765 s[i]->next = s[i + 1]; 5766 s[max - 1]->next = NULL; 5767 5768 /* 5769 * emit final check 5770 */ 5771 b = new_block(JMP(BPF_JEQ)); 5772 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5773 b->s.k = v; 5774 5775 free_reg(reg2); 5776 5777 gen_and(b0, b); 5778 return b; 5779 #endif 5780 } 5781 5782 static struct block * 5783 gen_check_802_11_data_frame() 5784 { 5785 struct slist *s; 5786 struct block *b0, *b1; 5787 5788 /* 5789 * A data frame has the 0x08 bit (b3) in the frame control field set 5790 * and the 0x04 bit (b2) clear. 5791 */ 5792 s = gen_load_a(OR_LINK, 0, BPF_B); 5793 b0 = new_block(JMP(BPF_JSET)); 5794 b0->s.k = 0x08; 5795 b0->stmts = s; 5796 5797 s = gen_load_a(OR_LINK, 0, BPF_B); 5798 b1 = new_block(JMP(BPF_JSET)); 5799 b1->s.k = 0x04; 5800 b1->stmts = s; 5801 gen_not(b1); 5802 5803 gen_and(b1, b0); 5804 5805 return b0; 5806 } 5807 5808 /* 5809 * Generate code that checks whether the packet is a packet for protocol 5810 * <proto> and whether the type field in that protocol's header has 5811 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5812 * IP packet and checks the protocol number in the IP header against <v>. 5813 * 5814 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5815 * against Q_IP and Q_IPV6. 5816 */ 5817 static struct block * 5818 gen_proto(v, proto, dir) 5819 int v; 5820 int proto; 5821 int dir; 5822 { 5823 struct block *b0, *b1; 5824 5825 if (dir != Q_DEFAULT) 5826 bpf_error("direction applied to 'proto'"); 5827 5828 switch (proto) { 5829 case Q_DEFAULT: 5830 #ifdef INET6 5831 b0 = gen_proto(v, Q_IP, dir); 5832 b1 = gen_proto(v, Q_IPV6, dir); 5833 gen_or(b0, b1); 5834 return b1; 5835 #else 5836 /*FALLTHROUGH*/ 5837 #endif 5838 case Q_IP: 5839 /* 5840 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5841 * not LLC encapsulation with LLCSAP_IP. 5842 * 5843 * For IEEE 802 networks - which includes 802.5 token ring 5844 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5845 * says that SNAP encapsulation is used, not LLC encapsulation 5846 * with LLCSAP_IP. 5847 * 5848 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5849 * RFC 2225 say that SNAP encapsulation is used, not LLC 5850 * encapsulation with LLCSAP_IP. 5851 * 5852 * So we always check for ETHERTYPE_IP. 5853 */ 5854 b0 = gen_linktype(ETHERTYPE_IP); 5855 #ifndef CHASE_CHAIN 5856 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5857 #else 5858 b1 = gen_protochain(v, Q_IP); 5859 #endif 5860 gen_and(b0, b1); 5861 return b1; 5862 5863 case Q_ISO: 5864 switch (linktype) { 5865 5866 case DLT_FRELAY: 5867 /* 5868 * Frame Relay packets typically have an OSI 5869 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5870 * generates code to check for all the OSI 5871 * NLPIDs, so calling it and then adding a check 5872 * for the particular NLPID for which we're 5873 * looking is bogus, as we can just check for 5874 * the NLPID. 5875 * 5876 * What we check for is the NLPID and a frame 5877 * control field value of UI, i.e. 0x03 followed 5878 * by the NLPID. 5879 * 5880 * XXX - assumes a 2-byte Frame Relay header with 5881 * DLCI and flags. What if the address is longer? 5882 * 5883 * XXX - what about SNAP-encapsulated frames? 5884 */ 5885 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5886 /*NOTREACHED*/ 5887 break; 5888 5889 case DLT_C_HDLC: 5890 /* 5891 * Cisco uses an Ethertype lookalike - for OSI, 5892 * it's 0xfefe. 5893 */ 5894 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5895 /* OSI in C-HDLC is stuffed with a fudge byte */ 5896 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5897 gen_and(b0, b1); 5898 return b1; 5899 5900 default: 5901 b0 = gen_linktype(LLCSAP_ISONS); 5902 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5903 gen_and(b0, b1); 5904 return b1; 5905 } 5906 5907 case Q_ISIS: 5908 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5909 /* 5910 * 4 is the offset of the PDU type relative to the IS-IS 5911 * header. 5912 */ 5913 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5914 gen_and(b0, b1); 5915 return b1; 5916 5917 case Q_ARP: 5918 bpf_error("arp does not encapsulate another protocol"); 5919 /* NOTREACHED */ 5920 5921 case Q_RARP: 5922 bpf_error("rarp does not encapsulate another protocol"); 5923 /* NOTREACHED */ 5924 5925 case Q_ATALK: 5926 bpf_error("atalk encapsulation is not specifiable"); 5927 /* NOTREACHED */ 5928 5929 case Q_DECNET: 5930 bpf_error("decnet encapsulation is not specifiable"); 5931 /* NOTREACHED */ 5932 5933 case Q_SCA: 5934 bpf_error("sca does not encapsulate another protocol"); 5935 /* NOTREACHED */ 5936 5937 case Q_LAT: 5938 bpf_error("lat does not encapsulate another protocol"); 5939 /* NOTREACHED */ 5940 5941 case Q_MOPRC: 5942 bpf_error("moprc does not encapsulate another protocol"); 5943 /* NOTREACHED */ 5944 5945 case Q_MOPDL: 5946 bpf_error("mopdl does not encapsulate another protocol"); 5947 /* NOTREACHED */ 5948 5949 case Q_LINK: 5950 return gen_linktype(v); 5951 5952 case Q_UDP: 5953 bpf_error("'udp proto' is bogus"); 5954 /* NOTREACHED */ 5955 5956 case Q_TCP: 5957 bpf_error("'tcp proto' is bogus"); 5958 /* NOTREACHED */ 5959 5960 case Q_SCTP: 5961 bpf_error("'sctp proto' is bogus"); 5962 /* NOTREACHED */ 5963 5964 case Q_ICMP: 5965 bpf_error("'icmp proto' is bogus"); 5966 /* NOTREACHED */ 5967 5968 case Q_IGMP: 5969 bpf_error("'igmp proto' is bogus"); 5970 /* NOTREACHED */ 5971 5972 case Q_IGRP: 5973 bpf_error("'igrp proto' is bogus"); 5974 /* NOTREACHED */ 5975 5976 case Q_PIM: 5977 bpf_error("'pim proto' is bogus"); 5978 /* NOTREACHED */ 5979 5980 case Q_VRRP: 5981 bpf_error("'vrrp proto' is bogus"); 5982 /* NOTREACHED */ 5983 5984 case Q_CARP: 5985 bpf_error("'carp proto' is bogus"); 5986 /* NOTREACHED */ 5987 5988 #ifdef INET6 5989 case Q_IPV6: 5990 b0 = gen_linktype(ETHERTYPE_IPV6); 5991 #ifndef CHASE_CHAIN 5992 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 5993 #else 5994 b1 = gen_protochain(v, Q_IPV6); 5995 #endif 5996 gen_and(b0, b1); 5997 return b1; 5998 5999 case Q_ICMPV6: 6000 bpf_error("'icmp6 proto' is bogus"); 6001 #endif /* INET6 */ 6002 6003 case Q_AH: 6004 bpf_error("'ah proto' is bogus"); 6005 6006 case Q_ESP: 6007 bpf_error("'ah proto' is bogus"); 6008 6009 case Q_STP: 6010 bpf_error("'stp proto' is bogus"); 6011 6012 case Q_IPX: 6013 bpf_error("'ipx proto' is bogus"); 6014 6015 case Q_NETBEUI: 6016 bpf_error("'netbeui proto' is bogus"); 6017 6018 case Q_RADIO: 6019 bpf_error("'radio proto' is bogus"); 6020 6021 default: 6022 abort(); 6023 /* NOTREACHED */ 6024 } 6025 /* NOTREACHED */ 6026 } 6027 6028 struct block * 6029 gen_scode(name, q) 6030 register const char *name; 6031 struct qual q; 6032 { 6033 int proto = q.proto; 6034 int dir = q.dir; 6035 int tproto; 6036 u_char *eaddr; 6037 bpf_u_int32 mask, addr; 6038 #ifndef INET6 6039 bpf_u_int32 **alist; 6040 #else 6041 int tproto6; 6042 struct sockaddr_in *sin4; 6043 struct sockaddr_in6 *sin6; 6044 struct addrinfo *res, *res0; 6045 struct in6_addr mask128; 6046 #endif /*INET6*/ 6047 struct block *b, *tmp; 6048 int port, real_proto; 6049 int port1, port2; 6050 6051 switch (q.addr) { 6052 6053 case Q_NET: 6054 addr = pcap_nametonetaddr(name); 6055 if (addr == 0) 6056 bpf_error("unknown network '%s'", name); 6057 /* Left justify network addr and calculate its network mask */ 6058 mask = 0xffffffff; 6059 while (addr && (addr & 0xff000000) == 0) { 6060 addr <<= 8; 6061 mask <<= 8; 6062 } 6063 return gen_host(addr, mask, proto, dir, q.addr); 6064 6065 case Q_DEFAULT: 6066 case Q_HOST: 6067 if (proto == Q_LINK) { 6068 switch (linktype) { 6069 6070 case DLT_EN10MB: 6071 case DLT_NETANALYZER: 6072 case DLT_NETANALYZER_TRANSPARENT: 6073 eaddr = pcap_ether_hostton(name); 6074 if (eaddr == NULL) 6075 bpf_error( 6076 "unknown ether host '%s'", name); 6077 b = gen_ehostop(eaddr, dir); 6078 free(eaddr); 6079 return b; 6080 6081 case DLT_FDDI: 6082 eaddr = pcap_ether_hostton(name); 6083 if (eaddr == NULL) 6084 bpf_error( 6085 "unknown FDDI host '%s'", name); 6086 b = gen_fhostop(eaddr, dir); 6087 free(eaddr); 6088 return b; 6089 6090 case DLT_IEEE802: 6091 eaddr = pcap_ether_hostton(name); 6092 if (eaddr == NULL) 6093 bpf_error( 6094 "unknown token ring host '%s'", name); 6095 b = gen_thostop(eaddr, dir); 6096 free(eaddr); 6097 return b; 6098 6099 case DLT_IEEE802_11: 6100 case DLT_PRISM_HEADER: 6101 case DLT_IEEE802_11_RADIO_AVS: 6102 case DLT_IEEE802_11_RADIO: 6103 case DLT_PPI: 6104 eaddr = pcap_ether_hostton(name); 6105 if (eaddr == NULL) 6106 bpf_error( 6107 "unknown 802.11 host '%s'", name); 6108 b = gen_wlanhostop(eaddr, dir); 6109 free(eaddr); 6110 return b; 6111 6112 case DLT_IP_OVER_FC: 6113 eaddr = pcap_ether_hostton(name); 6114 if (eaddr == NULL) 6115 bpf_error( 6116 "unknown Fibre Channel host '%s'", name); 6117 b = gen_ipfchostop(eaddr, dir); 6118 free(eaddr); 6119 return b; 6120 6121 case DLT_SUNATM: 6122 if (!is_lane) 6123 break; 6124 6125 /* 6126 * Check that the packet doesn't begin 6127 * with an LE Control marker. (We've 6128 * already generated a test for LANE.) 6129 */ 6130 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6131 BPF_H, 0xFF00); 6132 gen_not(tmp); 6133 6134 eaddr = pcap_ether_hostton(name); 6135 if (eaddr == NULL) 6136 bpf_error( 6137 "unknown ether host '%s'", name); 6138 b = gen_ehostop(eaddr, dir); 6139 gen_and(tmp, b); 6140 free(eaddr); 6141 return b; 6142 } 6143 6144 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6145 } else if (proto == Q_DECNET) { 6146 unsigned short dn_addr = __pcap_nametodnaddr(name); 6147 /* 6148 * I don't think DECNET hosts can be multihomed, so 6149 * there is no need to build up a list of addresses 6150 */ 6151 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6152 } else { 6153 #ifndef INET6 6154 alist = pcap_nametoaddr(name); 6155 if (alist == NULL || *alist == NULL) 6156 bpf_error("unknown host '%s'", name); 6157 tproto = proto; 6158 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6159 tproto = Q_IP; 6160 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6161 while (*alist) { 6162 tmp = gen_host(**alist++, 0xffffffff, 6163 tproto, dir, q.addr); 6164 gen_or(b, tmp); 6165 b = tmp; 6166 } 6167 return b; 6168 #else 6169 memset(&mask128, 0xff, sizeof(mask128)); 6170 res0 = res = pcap_nametoaddrinfo(name); 6171 if (res == NULL) 6172 bpf_error("unknown host '%s'", name); 6173 ai = res; 6174 b = tmp = NULL; 6175 tproto = tproto6 = proto; 6176 if (off_linktype == -1 && tproto == Q_DEFAULT) { 6177 tproto = Q_IP; 6178 tproto6 = Q_IPV6; 6179 } 6180 for (res = res0; res; res = res->ai_next) { 6181 switch (res->ai_family) { 6182 case AF_INET: 6183 if (tproto == Q_IPV6) 6184 continue; 6185 6186 sin4 = (struct sockaddr_in *) 6187 res->ai_addr; 6188 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6189 0xffffffff, tproto, dir, q.addr); 6190 break; 6191 case AF_INET6: 6192 if (tproto6 == Q_IP) 6193 continue; 6194 6195 sin6 = (struct sockaddr_in6 *) 6196 res->ai_addr; 6197 tmp = gen_host6(&sin6->sin6_addr, 6198 &mask128, tproto6, dir, q.addr); 6199 break; 6200 default: 6201 continue; 6202 } 6203 if (b) 6204 gen_or(b, tmp); 6205 b = tmp; 6206 } 6207 ai = NULL; 6208 freeaddrinfo(res0); 6209 if (b == NULL) { 6210 bpf_error("unknown host '%s'%s", name, 6211 (proto == Q_DEFAULT) 6212 ? "" 6213 : " for specified address family"); 6214 } 6215 return b; 6216 #endif /*INET6*/ 6217 } 6218 6219 case Q_PORT: 6220 if (proto != Q_DEFAULT && 6221 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6222 bpf_error("illegal qualifier of 'port'"); 6223 if (pcap_nametoport(name, &port, &real_proto) == 0) 6224 bpf_error("unknown port '%s'", name); 6225 if (proto == Q_UDP) { 6226 if (real_proto == IPPROTO_TCP) 6227 bpf_error("port '%s' is tcp", name); 6228 else if (real_proto == IPPROTO_SCTP) 6229 bpf_error("port '%s' is sctp", name); 6230 else 6231 /* override PROTO_UNDEF */ 6232 real_proto = IPPROTO_UDP; 6233 } 6234 if (proto == Q_TCP) { 6235 if (real_proto == IPPROTO_UDP) 6236 bpf_error("port '%s' is udp", name); 6237 6238 else if (real_proto == IPPROTO_SCTP) 6239 bpf_error("port '%s' is sctp", name); 6240 else 6241 /* override PROTO_UNDEF */ 6242 real_proto = IPPROTO_TCP; 6243 } 6244 if (proto == Q_SCTP) { 6245 if (real_proto == IPPROTO_UDP) 6246 bpf_error("port '%s' is udp", name); 6247 6248 else if (real_proto == IPPROTO_TCP) 6249 bpf_error("port '%s' is tcp", name); 6250 else 6251 /* override PROTO_UNDEF */ 6252 real_proto = IPPROTO_SCTP; 6253 } 6254 if (port < 0) 6255 bpf_error("illegal port number %d < 0", port); 6256 if (port > 65535) 6257 bpf_error("illegal port number %d > 65535", port); 6258 #ifndef INET6 6259 return gen_port(port, real_proto, dir); 6260 #else 6261 b = gen_port(port, real_proto, dir); 6262 gen_or(gen_port6(port, real_proto, dir), b); 6263 return b; 6264 #endif /* INET6 */ 6265 6266 case Q_PORTRANGE: 6267 if (proto != Q_DEFAULT && 6268 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6269 bpf_error("illegal qualifier of 'portrange'"); 6270 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6271 bpf_error("unknown port in range '%s'", name); 6272 if (proto == Q_UDP) { 6273 if (real_proto == IPPROTO_TCP) 6274 bpf_error("port in range '%s' is tcp", name); 6275 else if (real_proto == IPPROTO_SCTP) 6276 bpf_error("port in range '%s' is sctp", name); 6277 else 6278 /* override PROTO_UNDEF */ 6279 real_proto = IPPROTO_UDP; 6280 } 6281 if (proto == Q_TCP) { 6282 if (real_proto == IPPROTO_UDP) 6283 bpf_error("port in range '%s' is udp", name); 6284 else if (real_proto == IPPROTO_SCTP) 6285 bpf_error("port in range '%s' is sctp", name); 6286 else 6287 /* override PROTO_UNDEF */ 6288 real_proto = IPPROTO_TCP; 6289 } 6290 if (proto == Q_SCTP) { 6291 if (real_proto == IPPROTO_UDP) 6292 bpf_error("port in range '%s' is udp", name); 6293 else if (real_proto == IPPROTO_TCP) 6294 bpf_error("port in range '%s' is tcp", name); 6295 else 6296 /* override PROTO_UNDEF */ 6297 real_proto = IPPROTO_SCTP; 6298 } 6299 if (port1 < 0) 6300 bpf_error("illegal port number %d < 0", port1); 6301 if (port1 > 65535) 6302 bpf_error("illegal port number %d > 65535", port1); 6303 if (port2 < 0) 6304 bpf_error("illegal port number %d < 0", port2); 6305 if (port2 > 65535) 6306 bpf_error("illegal port number %d > 65535", port2); 6307 6308 #ifndef INET6 6309 return gen_portrange(port1, port2, real_proto, dir); 6310 #else 6311 b = gen_portrange(port1, port2, real_proto, dir); 6312 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6313 return b; 6314 #endif /* INET6 */ 6315 6316 case Q_GATEWAY: 6317 #ifndef INET6 6318 eaddr = pcap_ether_hostton(name); 6319 if (eaddr == NULL) 6320 bpf_error("unknown ether host: %s", name); 6321 6322 alist = pcap_nametoaddr(name); 6323 if (alist == NULL || *alist == NULL) 6324 bpf_error("unknown host '%s'", name); 6325 b = gen_gateway(eaddr, alist, proto, dir); 6326 free(eaddr); 6327 return b; 6328 #else 6329 bpf_error("'gateway' not supported in this configuration"); 6330 #endif /*INET6*/ 6331 6332 case Q_PROTO: 6333 real_proto = lookup_proto(name, proto); 6334 if (real_proto >= 0) 6335 return gen_proto(real_proto, proto, dir); 6336 else 6337 bpf_error("unknown protocol: %s", name); 6338 6339 case Q_PROTOCHAIN: 6340 real_proto = lookup_proto(name, proto); 6341 if (real_proto >= 0) 6342 return gen_protochain(real_proto, proto, dir); 6343 else 6344 bpf_error("unknown protocol: %s", name); 6345 6346 case Q_UNDEF: 6347 syntax(); 6348 /* NOTREACHED */ 6349 } 6350 abort(); 6351 /* NOTREACHED */ 6352 } 6353 6354 struct block * 6355 gen_mcode(s1, s2, masklen, q) 6356 register const char *s1, *s2; 6357 register int masklen; 6358 struct qual q; 6359 { 6360 register int nlen, mlen; 6361 bpf_u_int32 n, m; 6362 6363 nlen = __pcap_atoin(s1, &n); 6364 /* Promote short ipaddr */ 6365 n <<= 32 - nlen; 6366 6367 if (s2 != NULL) { 6368 mlen = __pcap_atoin(s2, &m); 6369 /* Promote short ipaddr */ 6370 m <<= 32 - mlen; 6371 if ((n & ~m) != 0) 6372 bpf_error("non-network bits set in \"%s mask %s\"", 6373 s1, s2); 6374 } else { 6375 /* Convert mask len to mask */ 6376 if (masklen > 32) 6377 bpf_error("mask length must be <= 32"); 6378 if (masklen == 0) { 6379 /* 6380 * X << 32 is not guaranteed by C to be 0; it's 6381 * undefined. 6382 */ 6383 m = 0; 6384 } else 6385 m = 0xffffffff << (32 - masklen); 6386 if ((n & ~m) != 0) 6387 bpf_error("non-network bits set in \"%s/%d\"", 6388 s1, masklen); 6389 } 6390 6391 switch (q.addr) { 6392 6393 case Q_NET: 6394 return gen_host(n, m, q.proto, q.dir, q.addr); 6395 6396 default: 6397 bpf_error("Mask syntax for networks only"); 6398 /* NOTREACHED */ 6399 } 6400 /* NOTREACHED */ 6401 return NULL; 6402 } 6403 6404 struct block * 6405 gen_ncode(s, v, q) 6406 register const char *s; 6407 bpf_u_int32 v; 6408 struct qual q; 6409 { 6410 bpf_u_int32 mask; 6411 int proto = q.proto; 6412 int dir = q.dir; 6413 register int vlen; 6414 6415 if (s == NULL) 6416 vlen = 32; 6417 else if (q.proto == Q_DECNET) 6418 vlen = __pcap_atodn(s, &v); 6419 else 6420 vlen = __pcap_atoin(s, &v); 6421 6422 switch (q.addr) { 6423 6424 case Q_DEFAULT: 6425 case Q_HOST: 6426 case Q_NET: 6427 if (proto == Q_DECNET) 6428 return gen_host(v, 0, proto, dir, q.addr); 6429 else if (proto == Q_LINK) { 6430 bpf_error("illegal link layer address"); 6431 } else { 6432 mask = 0xffffffff; 6433 if (s == NULL && q.addr == Q_NET) { 6434 /* Promote short net number */ 6435 while (v && (v & 0xff000000) == 0) { 6436 v <<= 8; 6437 mask <<= 8; 6438 } 6439 } else { 6440 /* Promote short ipaddr */ 6441 v <<= 32 - vlen; 6442 mask <<= 32 - vlen; 6443 } 6444 return gen_host(v, mask, proto, dir, q.addr); 6445 } 6446 6447 case Q_PORT: 6448 if (proto == Q_UDP) 6449 proto = IPPROTO_UDP; 6450 else if (proto == Q_TCP) 6451 proto = IPPROTO_TCP; 6452 else if (proto == Q_SCTP) 6453 proto = IPPROTO_SCTP; 6454 else if (proto == Q_DEFAULT) 6455 proto = PROTO_UNDEF; 6456 else 6457 bpf_error("illegal qualifier of 'port'"); 6458 6459 if (v > 65535) 6460 bpf_error("illegal port number %u > 65535", v); 6461 6462 #ifndef INET6 6463 return gen_port((int)v, proto, dir); 6464 #else 6465 { 6466 struct block *b; 6467 b = gen_port((int)v, proto, dir); 6468 gen_or(gen_port6((int)v, proto, dir), b); 6469 return b; 6470 } 6471 #endif /* INET6 */ 6472 6473 case Q_PORTRANGE: 6474 if (proto == Q_UDP) 6475 proto = IPPROTO_UDP; 6476 else if (proto == Q_TCP) 6477 proto = IPPROTO_TCP; 6478 else if (proto == Q_SCTP) 6479 proto = IPPROTO_SCTP; 6480 else if (proto == Q_DEFAULT) 6481 proto = PROTO_UNDEF; 6482 else 6483 bpf_error("illegal qualifier of 'portrange'"); 6484 6485 if (v > 65535) 6486 bpf_error("illegal port number %u > 65535", v); 6487 6488 #ifndef INET6 6489 return gen_portrange((int)v, (int)v, proto, dir); 6490 #else 6491 { 6492 struct block *b; 6493 b = gen_portrange((int)v, (int)v, proto, dir); 6494 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6495 return b; 6496 } 6497 #endif /* INET6 */ 6498 6499 case Q_GATEWAY: 6500 bpf_error("'gateway' requires a name"); 6501 /* NOTREACHED */ 6502 6503 case Q_PROTO: 6504 return gen_proto((int)v, proto, dir); 6505 6506 case Q_PROTOCHAIN: 6507 return gen_protochain((int)v, proto, dir); 6508 6509 case Q_UNDEF: 6510 syntax(); 6511 /* NOTREACHED */ 6512 6513 default: 6514 abort(); 6515 /* NOTREACHED */ 6516 } 6517 /* NOTREACHED */ 6518 } 6519 6520 #ifdef INET6 6521 struct block * 6522 gen_mcode6(s1, s2, masklen, q) 6523 register const char *s1, *s2; 6524 register int masklen; 6525 struct qual q; 6526 { 6527 struct addrinfo *res; 6528 struct in6_addr *addr; 6529 struct in6_addr mask; 6530 struct block *b; 6531 u_int32_t *a, *m; 6532 6533 if (s2) 6534 bpf_error("no mask %s supported", s2); 6535 6536 res = pcap_nametoaddrinfo(s1); 6537 if (!res) 6538 bpf_error("invalid ip6 address %s", s1); 6539 ai = res; 6540 if (res->ai_next) 6541 bpf_error("%s resolved to multiple address", s1); 6542 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6543 6544 if (sizeof(mask) * 8 < masklen) 6545 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6546 memset(&mask, 0, sizeof(mask)); 6547 memset(&mask, 0xff, masklen / 8); 6548 if (masklen % 8) { 6549 mask.s6_addr[masklen / 8] = 6550 (0xff << (8 - masklen % 8)) & 0xff; 6551 } 6552 6553 a = (u_int32_t *)addr; 6554 m = (u_int32_t *)&mask; 6555 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6556 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6557 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6558 } 6559 6560 switch (q.addr) { 6561 6562 case Q_DEFAULT: 6563 case Q_HOST: 6564 if (masklen != 128) 6565 bpf_error("Mask syntax for networks only"); 6566 /* FALLTHROUGH */ 6567 6568 case Q_NET: 6569 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6570 ai = NULL; 6571 freeaddrinfo(res); 6572 return b; 6573 6574 default: 6575 bpf_error("invalid qualifier against IPv6 address"); 6576 /* NOTREACHED */ 6577 } 6578 return NULL; 6579 } 6580 #endif /*INET6*/ 6581 6582 struct block * 6583 gen_ecode(eaddr, q) 6584 register const u_char *eaddr; 6585 struct qual q; 6586 { 6587 struct block *b, *tmp; 6588 6589 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6590 switch (linktype) { 6591 case DLT_EN10MB: 6592 case DLT_NETANALYZER: 6593 case DLT_NETANALYZER_TRANSPARENT: 6594 return gen_ehostop(eaddr, (int)q.dir); 6595 case DLT_FDDI: 6596 return gen_fhostop(eaddr, (int)q.dir); 6597 case DLT_IEEE802: 6598 return gen_thostop(eaddr, (int)q.dir); 6599 case DLT_IEEE802_11: 6600 case DLT_PRISM_HEADER: 6601 case DLT_IEEE802_11_RADIO_AVS: 6602 case DLT_IEEE802_11_RADIO: 6603 case DLT_PPI: 6604 return gen_wlanhostop(eaddr, (int)q.dir); 6605 case DLT_SUNATM: 6606 if (is_lane) { 6607 /* 6608 * Check that the packet doesn't begin with an 6609 * LE Control marker. (We've already generated 6610 * a test for LANE.) 6611 */ 6612 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6613 0xFF00); 6614 gen_not(tmp); 6615 6616 /* 6617 * Now check the MAC address. 6618 */ 6619 b = gen_ehostop(eaddr, (int)q.dir); 6620 gen_and(tmp, b); 6621 return b; 6622 } 6623 break; 6624 case DLT_IP_OVER_FC: 6625 return gen_ipfchostop(eaddr, (int)q.dir); 6626 default: 6627 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6628 break; 6629 } 6630 } 6631 bpf_error("ethernet address used in non-ether expression"); 6632 /* NOTREACHED */ 6633 return NULL; 6634 } 6635 6636 void 6637 sappend(s0, s1) 6638 struct slist *s0, *s1; 6639 { 6640 /* 6641 * This is definitely not the best way to do this, but the 6642 * lists will rarely get long. 6643 */ 6644 while (s0->next) 6645 s0 = s0->next; 6646 s0->next = s1; 6647 } 6648 6649 static struct slist * 6650 xfer_to_x(a) 6651 struct arth *a; 6652 { 6653 struct slist *s; 6654 6655 s = new_stmt(BPF_LDX|BPF_MEM); 6656 s->s.k = a->regno; 6657 return s; 6658 } 6659 6660 static struct slist * 6661 xfer_to_a(a) 6662 struct arth *a; 6663 { 6664 struct slist *s; 6665 6666 s = new_stmt(BPF_LD|BPF_MEM); 6667 s->s.k = a->regno; 6668 return s; 6669 } 6670 6671 /* 6672 * Modify "index" to use the value stored into its register as an 6673 * offset relative to the beginning of the header for the protocol 6674 * "proto", and allocate a register and put an item "size" bytes long 6675 * (1, 2, or 4) at that offset into that register, making it the register 6676 * for "index". 6677 */ 6678 struct arth * 6679 gen_load(proto, inst, size) 6680 int proto; 6681 struct arth *inst; 6682 int size; 6683 { 6684 struct slist *s, *tmp; 6685 struct block *b; 6686 int regno = alloc_reg(); 6687 6688 free_reg(inst->regno); 6689 switch (size) { 6690 6691 default: 6692 bpf_error("data size must be 1, 2, or 4"); 6693 6694 case 1: 6695 size = BPF_B; 6696 break; 6697 6698 case 2: 6699 size = BPF_H; 6700 break; 6701 6702 case 4: 6703 size = BPF_W; 6704 break; 6705 } 6706 switch (proto) { 6707 default: 6708 bpf_error("unsupported index operation"); 6709 6710 case Q_RADIO: 6711 /* 6712 * The offset is relative to the beginning of the packet 6713 * data, if we have a radio header. (If we don't, this 6714 * is an error.) 6715 */ 6716 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6717 linktype != DLT_IEEE802_11_RADIO && 6718 linktype != DLT_PRISM_HEADER) 6719 bpf_error("radio information not present in capture"); 6720 6721 /* 6722 * Load into the X register the offset computed into the 6723 * register specified by "index". 6724 */ 6725 s = xfer_to_x(inst); 6726 6727 /* 6728 * Load the item at that offset. 6729 */ 6730 tmp = new_stmt(BPF_LD|BPF_IND|size); 6731 sappend(s, tmp); 6732 sappend(inst->s, s); 6733 break; 6734 6735 case Q_LINK: 6736 /* 6737 * The offset is relative to the beginning of 6738 * the link-layer header. 6739 * 6740 * XXX - what about ATM LANE? Should the index be 6741 * relative to the beginning of the AAL5 frame, so 6742 * that 0 refers to the beginning of the LE Control 6743 * field, or relative to the beginning of the LAN 6744 * frame, so that 0 refers, for Ethernet LANE, to 6745 * the beginning of the destination address? 6746 */ 6747 s = gen_llprefixlen(); 6748 6749 /* 6750 * If "s" is non-null, it has code to arrange that the 6751 * X register contains the length of the prefix preceding 6752 * the link-layer header. Add to it the offset computed 6753 * into the register specified by "index", and move that 6754 * into the X register. Otherwise, just load into the X 6755 * register the offset computed into the register specified 6756 * by "index". 6757 */ 6758 if (s != NULL) { 6759 sappend(s, xfer_to_a(inst)); 6760 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6761 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6762 } else 6763 s = xfer_to_x(inst); 6764 6765 /* 6766 * Load the item at the sum of the offset we've put in the 6767 * X register and the offset of the start of the link 6768 * layer header (which is 0 if the radio header is 6769 * variable-length; that header length is what we put 6770 * into the X register and then added to the index). 6771 */ 6772 tmp = new_stmt(BPF_LD|BPF_IND|size); 6773 tmp->s.k = off_ll; 6774 sappend(s, tmp); 6775 sappend(inst->s, s); 6776 break; 6777 6778 case Q_IP: 6779 case Q_ARP: 6780 case Q_RARP: 6781 case Q_ATALK: 6782 case Q_DECNET: 6783 case Q_SCA: 6784 case Q_LAT: 6785 case Q_MOPRC: 6786 case Q_MOPDL: 6787 #ifdef INET6 6788 case Q_IPV6: 6789 #endif 6790 /* 6791 * The offset is relative to the beginning of 6792 * the network-layer header. 6793 * XXX - are there any cases where we want 6794 * off_nl_nosnap? 6795 */ 6796 s = gen_off_macpl(); 6797 6798 /* 6799 * If "s" is non-null, it has code to arrange that the 6800 * X register contains the offset of the MAC-layer 6801 * payload. Add to it the offset computed into the 6802 * register specified by "index", and move that into 6803 * the X register. Otherwise, just load into the X 6804 * register the offset computed into the register specified 6805 * by "index". 6806 */ 6807 if (s != NULL) { 6808 sappend(s, xfer_to_a(inst)); 6809 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6810 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6811 } else 6812 s = xfer_to_x(inst); 6813 6814 /* 6815 * Load the item at the sum of the offset we've put in the 6816 * X register, the offset of the start of the network 6817 * layer header from the beginning of the MAC-layer 6818 * payload, and the purported offset of the start of the 6819 * MAC-layer payload (which might be 0 if there's a 6820 * variable-length prefix before the link-layer header 6821 * or the link-layer header itself is variable-length; 6822 * the variable-length offset of the start of the 6823 * MAC-layer payload is what we put into the X register 6824 * and then added to the index). 6825 */ 6826 tmp = new_stmt(BPF_LD|BPF_IND|size); 6827 tmp->s.k = off_macpl + off_nl; 6828 sappend(s, tmp); 6829 sappend(inst->s, s); 6830 6831 /* 6832 * Do the computation only if the packet contains 6833 * the protocol in question. 6834 */ 6835 b = gen_proto_abbrev(proto); 6836 if (inst->b) 6837 gen_and(inst->b, b); 6838 inst->b = b; 6839 break; 6840 6841 case Q_SCTP: 6842 case Q_TCP: 6843 case Q_UDP: 6844 case Q_ICMP: 6845 case Q_IGMP: 6846 case Q_IGRP: 6847 case Q_PIM: 6848 case Q_VRRP: 6849 case Q_CARP: 6850 /* 6851 * The offset is relative to the beginning of 6852 * the transport-layer header. 6853 * 6854 * Load the X register with the length of the IPv4 header 6855 * (plus the offset of the link-layer header, if it's 6856 * a variable-length header), in bytes. 6857 * 6858 * XXX - are there any cases where we want 6859 * off_nl_nosnap? 6860 * XXX - we should, if we're built with 6861 * IPv6 support, generate code to load either 6862 * IPv4, IPv6, or both, as appropriate. 6863 */ 6864 s = gen_loadx_iphdrlen(); 6865 6866 /* 6867 * The X register now contains the sum of the length 6868 * of any variable-length header preceding the link-layer 6869 * header, any variable-length link-layer header, and the 6870 * length of the network-layer header. 6871 * 6872 * Load into the A register the offset relative to 6873 * the beginning of the transport layer header, 6874 * add the X register to that, move that to the 6875 * X register, and load with an offset from the 6876 * X register equal to the offset of the network 6877 * layer header relative to the beginning of 6878 * the MAC-layer payload plus the fixed-length 6879 * portion of the offset of the MAC-layer payload 6880 * from the beginning of the raw packet data. 6881 */ 6882 sappend(s, xfer_to_a(inst)); 6883 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6884 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6885 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6886 tmp->s.k = off_macpl + off_nl; 6887 sappend(inst->s, s); 6888 6889 /* 6890 * Do the computation only if the packet contains 6891 * the protocol in question - which is true only 6892 * if this is an IP datagram and is the first or 6893 * only fragment of that datagram. 6894 */ 6895 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6896 if (inst->b) 6897 gen_and(inst->b, b); 6898 #ifdef INET6 6899 gen_and(gen_proto_abbrev(Q_IP), b); 6900 #endif 6901 inst->b = b; 6902 break; 6903 #ifdef INET6 6904 case Q_ICMPV6: 6905 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6906 /*NOTREACHED*/ 6907 #endif 6908 } 6909 inst->regno = regno; 6910 s = new_stmt(BPF_ST); 6911 s->s.k = regno; 6912 sappend(inst->s, s); 6913 6914 return inst; 6915 } 6916 6917 struct block * 6918 gen_relation(code, a0, a1, reversed) 6919 int code; 6920 struct arth *a0, *a1; 6921 int reversed; 6922 { 6923 struct slist *s0, *s1, *s2; 6924 struct block *b, *tmp; 6925 6926 s0 = xfer_to_x(a1); 6927 s1 = xfer_to_a(a0); 6928 if (code == BPF_JEQ) { 6929 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6930 b = new_block(JMP(code)); 6931 sappend(s1, s2); 6932 } 6933 else 6934 b = new_block(BPF_JMP|code|BPF_X); 6935 if (reversed) 6936 gen_not(b); 6937 6938 sappend(s0, s1); 6939 sappend(a1->s, s0); 6940 sappend(a0->s, a1->s); 6941 6942 b->stmts = a0->s; 6943 6944 free_reg(a0->regno); 6945 free_reg(a1->regno); 6946 6947 /* 'and' together protocol checks */ 6948 if (a0->b) { 6949 if (a1->b) { 6950 gen_and(a0->b, tmp = a1->b); 6951 } 6952 else 6953 tmp = a0->b; 6954 } else 6955 tmp = a1->b; 6956 6957 if (tmp) 6958 gen_and(tmp, b); 6959 6960 return b; 6961 } 6962 6963 struct arth * 6964 gen_loadlen() 6965 { 6966 int regno = alloc_reg(); 6967 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6968 struct slist *s; 6969 6970 s = new_stmt(BPF_LD|BPF_LEN); 6971 s->next = new_stmt(BPF_ST); 6972 s->next->s.k = regno; 6973 a->s = s; 6974 a->regno = regno; 6975 6976 return a; 6977 } 6978 6979 struct arth * 6980 gen_loadi(val) 6981 int val; 6982 { 6983 struct arth *a; 6984 struct slist *s; 6985 int reg; 6986 6987 a = (struct arth *)newchunk(sizeof(*a)); 6988 6989 reg = alloc_reg(); 6990 6991 s = new_stmt(BPF_LD|BPF_IMM); 6992 s->s.k = val; 6993 s->next = new_stmt(BPF_ST); 6994 s->next->s.k = reg; 6995 a->s = s; 6996 a->regno = reg; 6997 6998 return a; 6999 } 7000 7001 struct arth * 7002 gen_neg(a) 7003 struct arth *a; 7004 { 7005 struct slist *s; 7006 7007 s = xfer_to_a(a); 7008 sappend(a->s, s); 7009 s = new_stmt(BPF_ALU|BPF_NEG); 7010 s->s.k = 0; 7011 sappend(a->s, s); 7012 s = new_stmt(BPF_ST); 7013 s->s.k = a->regno; 7014 sappend(a->s, s); 7015 7016 return a; 7017 } 7018 7019 struct arth * 7020 gen_arth(code, a0, a1) 7021 int code; 7022 struct arth *a0, *a1; 7023 { 7024 struct slist *s0, *s1, *s2; 7025 7026 s0 = xfer_to_x(a1); 7027 s1 = xfer_to_a(a0); 7028 s2 = new_stmt(BPF_ALU|BPF_X|code); 7029 7030 sappend(s1, s2); 7031 sappend(s0, s1); 7032 sappend(a1->s, s0); 7033 sappend(a0->s, a1->s); 7034 7035 free_reg(a0->regno); 7036 free_reg(a1->regno); 7037 7038 s0 = new_stmt(BPF_ST); 7039 a0->regno = s0->s.k = alloc_reg(); 7040 sappend(a0->s, s0); 7041 7042 return a0; 7043 } 7044 7045 /* 7046 * Here we handle simple allocation of the scratch registers. 7047 * If too many registers are alloc'd, the allocator punts. 7048 */ 7049 static int regused[BPF_MEMWORDS]; 7050 static int curreg; 7051 7052 /* 7053 * Initialize the table of used registers and the current register. 7054 */ 7055 static void 7056 init_regs() 7057 { 7058 curreg = 0; 7059 memset(regused, 0, sizeof regused); 7060 } 7061 7062 /* 7063 * Return the next free register. 7064 */ 7065 static int 7066 alloc_reg() 7067 { 7068 int n = BPF_MEMWORDS; 7069 7070 while (--n >= 0) { 7071 if (regused[curreg]) 7072 curreg = (curreg + 1) % BPF_MEMWORDS; 7073 else { 7074 regused[curreg] = 1; 7075 return curreg; 7076 } 7077 } 7078 bpf_error("too many registers needed to evaluate expression"); 7079 /* NOTREACHED */ 7080 return 0; 7081 } 7082 7083 /* 7084 * Return a register to the table so it can 7085 * be used later. 7086 */ 7087 static void 7088 free_reg(n) 7089 int n; 7090 { 7091 regused[n] = 0; 7092 } 7093 7094 static struct block * 7095 gen_len(jmp, n) 7096 int jmp, n; 7097 { 7098 struct slist *s; 7099 struct block *b; 7100 7101 s = new_stmt(BPF_LD|BPF_LEN); 7102 b = new_block(JMP(jmp)); 7103 b->stmts = s; 7104 b->s.k = n; 7105 7106 return b; 7107 } 7108 7109 struct block * 7110 gen_greater(n) 7111 int n; 7112 { 7113 return gen_len(BPF_JGE, n); 7114 } 7115 7116 /* 7117 * Actually, this is less than or equal. 7118 */ 7119 struct block * 7120 gen_less(n) 7121 int n; 7122 { 7123 struct block *b; 7124 7125 b = gen_len(BPF_JGT, n); 7126 gen_not(b); 7127 7128 return b; 7129 } 7130 7131 /* 7132 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7133 * the beginning of the link-layer header. 7134 * XXX - that means you can't test values in the radiotap header, but 7135 * as that header is difficult if not impossible to parse generally 7136 * without a loop, that might not be a severe problem. A new keyword 7137 * "radio" could be added for that, although what you'd really want 7138 * would be a way of testing particular radio header values, which 7139 * would generate code appropriate to the radio header in question. 7140 */ 7141 struct block * 7142 gen_byteop(op, idx, val) 7143 int op, idx, val; 7144 { 7145 struct block *b; 7146 struct slist *s; 7147 7148 switch (op) { 7149 default: 7150 abort(); 7151 7152 case '=': 7153 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7154 7155 case '<': 7156 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7157 return b; 7158 7159 case '>': 7160 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7161 return b; 7162 7163 case '|': 7164 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7165 break; 7166 7167 case '&': 7168 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7169 break; 7170 } 7171 s->s.k = val; 7172 b = new_block(JMP(BPF_JEQ)); 7173 b->stmts = s; 7174 gen_not(b); 7175 7176 return b; 7177 } 7178 7179 static u_char abroadcast[] = { 0x0 }; 7180 7181 struct block * 7182 gen_broadcast(proto) 7183 int proto; 7184 { 7185 bpf_u_int32 hostmask; 7186 struct block *b0, *b1, *b2; 7187 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7188 7189 switch (proto) { 7190 7191 case Q_DEFAULT: 7192 case Q_LINK: 7193 switch (linktype) { 7194 case DLT_ARCNET: 7195 case DLT_ARCNET_LINUX: 7196 return gen_ahostop(abroadcast, Q_DST); 7197 case DLT_EN10MB: 7198 case DLT_NETANALYZER: 7199 case DLT_NETANALYZER_TRANSPARENT: 7200 return gen_ehostop(ebroadcast, Q_DST); 7201 case DLT_FDDI: 7202 return gen_fhostop(ebroadcast, Q_DST); 7203 case DLT_IEEE802: 7204 return gen_thostop(ebroadcast, Q_DST); 7205 case DLT_IEEE802_11: 7206 case DLT_PRISM_HEADER: 7207 case DLT_IEEE802_11_RADIO_AVS: 7208 case DLT_IEEE802_11_RADIO: 7209 case DLT_PPI: 7210 return gen_wlanhostop(ebroadcast, Q_DST); 7211 case DLT_IP_OVER_FC: 7212 return gen_ipfchostop(ebroadcast, Q_DST); 7213 case DLT_SUNATM: 7214 if (is_lane) { 7215 /* 7216 * Check that the packet doesn't begin with an 7217 * LE Control marker. (We've already generated 7218 * a test for LANE.) 7219 */ 7220 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7221 BPF_H, 0xFF00); 7222 gen_not(b1); 7223 7224 /* 7225 * Now check the MAC address. 7226 */ 7227 b0 = gen_ehostop(ebroadcast, Q_DST); 7228 gen_and(b1, b0); 7229 return b0; 7230 } 7231 break; 7232 default: 7233 bpf_error("not a broadcast link"); 7234 } 7235 break; 7236 7237 case Q_IP: 7238 /* 7239 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7240 * as an indication that we don't know the netmask, and fail 7241 * in that case. 7242 */ 7243 if (netmask == PCAP_NETMASK_UNKNOWN) 7244 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7245 b0 = gen_linktype(ETHERTYPE_IP); 7246 hostmask = ~netmask; 7247 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7248 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7249 (bpf_int32)(~0 & hostmask), hostmask); 7250 gen_or(b1, b2); 7251 gen_and(b0, b2); 7252 return b2; 7253 } 7254 bpf_error("only link-layer/IP broadcast filters supported"); 7255 /* NOTREACHED */ 7256 return NULL; 7257 } 7258 7259 /* 7260 * Generate code to test the low-order bit of a MAC address (that's 7261 * the bottom bit of the *first* byte). 7262 */ 7263 static struct block * 7264 gen_mac_multicast(offset) 7265 int offset; 7266 { 7267 register struct block *b0; 7268 register struct slist *s; 7269 7270 /* link[offset] & 1 != 0 */ 7271 s = gen_load_a(OR_LINK, offset, BPF_B); 7272 b0 = new_block(JMP(BPF_JSET)); 7273 b0->s.k = 1; 7274 b0->stmts = s; 7275 return b0; 7276 } 7277 7278 struct block * 7279 gen_multicast(proto) 7280 int proto; 7281 { 7282 register struct block *b0, *b1, *b2; 7283 register struct slist *s; 7284 7285 switch (proto) { 7286 7287 case Q_DEFAULT: 7288 case Q_LINK: 7289 switch (linktype) { 7290 case DLT_ARCNET: 7291 case DLT_ARCNET_LINUX: 7292 /* all ARCnet multicasts use the same address */ 7293 return gen_ahostop(abroadcast, Q_DST); 7294 case DLT_EN10MB: 7295 case DLT_NETANALYZER: 7296 case DLT_NETANALYZER_TRANSPARENT: 7297 /* ether[0] & 1 != 0 */ 7298 return gen_mac_multicast(0); 7299 case DLT_FDDI: 7300 /* 7301 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7302 * 7303 * XXX - was that referring to bit-order issues? 7304 */ 7305 /* fddi[1] & 1 != 0 */ 7306 return gen_mac_multicast(1); 7307 case DLT_IEEE802: 7308 /* tr[2] & 1 != 0 */ 7309 return gen_mac_multicast(2); 7310 case DLT_IEEE802_11: 7311 case DLT_PRISM_HEADER: 7312 case DLT_IEEE802_11_RADIO_AVS: 7313 case DLT_IEEE802_11_RADIO: 7314 case DLT_PPI: 7315 /* 7316 * Oh, yuk. 7317 * 7318 * For control frames, there is no DA. 7319 * 7320 * For management frames, DA is at an 7321 * offset of 4 from the beginning of 7322 * the packet. 7323 * 7324 * For data frames, DA is at an offset 7325 * of 4 from the beginning of the packet 7326 * if To DS is clear and at an offset of 7327 * 16 from the beginning of the packet 7328 * if To DS is set. 7329 */ 7330 7331 /* 7332 * Generate the tests to be done for data frames. 7333 * 7334 * First, check for To DS set, i.e. "link[1] & 0x01". 7335 */ 7336 s = gen_load_a(OR_LINK, 1, BPF_B); 7337 b1 = new_block(JMP(BPF_JSET)); 7338 b1->s.k = 0x01; /* To DS */ 7339 b1->stmts = s; 7340 7341 /* 7342 * If To DS is set, the DA is at 16. 7343 */ 7344 b0 = gen_mac_multicast(16); 7345 gen_and(b1, b0); 7346 7347 /* 7348 * Now, check for To DS not set, i.e. check 7349 * "!(link[1] & 0x01)". 7350 */ 7351 s = gen_load_a(OR_LINK, 1, BPF_B); 7352 b2 = new_block(JMP(BPF_JSET)); 7353 b2->s.k = 0x01; /* To DS */ 7354 b2->stmts = s; 7355 gen_not(b2); 7356 7357 /* 7358 * If To DS is not set, the DA is at 4. 7359 */ 7360 b1 = gen_mac_multicast(4); 7361 gen_and(b2, b1); 7362 7363 /* 7364 * Now OR together the last two checks. That gives 7365 * the complete set of checks for data frames. 7366 */ 7367 gen_or(b1, b0); 7368 7369 /* 7370 * Now check for a data frame. 7371 * I.e, check "link[0] & 0x08". 7372 */ 7373 s = gen_load_a(OR_LINK, 0, BPF_B); 7374 b1 = new_block(JMP(BPF_JSET)); 7375 b1->s.k = 0x08; 7376 b1->stmts = s; 7377 7378 /* 7379 * AND that with the checks done for data frames. 7380 */ 7381 gen_and(b1, b0); 7382 7383 /* 7384 * If the high-order bit of the type value is 0, this 7385 * is a management frame. 7386 * I.e, check "!(link[0] & 0x08)". 7387 */ 7388 s = gen_load_a(OR_LINK, 0, BPF_B); 7389 b2 = new_block(JMP(BPF_JSET)); 7390 b2->s.k = 0x08; 7391 b2->stmts = s; 7392 gen_not(b2); 7393 7394 /* 7395 * For management frames, the DA is at 4. 7396 */ 7397 b1 = gen_mac_multicast(4); 7398 gen_and(b2, b1); 7399 7400 /* 7401 * OR that with the checks done for data frames. 7402 * That gives the checks done for management and 7403 * data frames. 7404 */ 7405 gen_or(b1, b0); 7406 7407 /* 7408 * If the low-order bit of the type value is 1, 7409 * this is either a control frame or a frame 7410 * with a reserved type, and thus not a 7411 * frame with an SA. 7412 * 7413 * I.e., check "!(link[0] & 0x04)". 7414 */ 7415 s = gen_load_a(OR_LINK, 0, BPF_B); 7416 b1 = new_block(JMP(BPF_JSET)); 7417 b1->s.k = 0x04; 7418 b1->stmts = s; 7419 gen_not(b1); 7420 7421 /* 7422 * AND that with the checks for data and management 7423 * frames. 7424 */ 7425 gen_and(b1, b0); 7426 return b0; 7427 case DLT_IP_OVER_FC: 7428 b0 = gen_mac_multicast(2); 7429 return b0; 7430 case DLT_SUNATM: 7431 if (is_lane) { 7432 /* 7433 * Check that the packet doesn't begin with an 7434 * LE Control marker. (We've already generated 7435 * a test for LANE.) 7436 */ 7437 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7438 BPF_H, 0xFF00); 7439 gen_not(b1); 7440 7441 /* ether[off_mac] & 1 != 0 */ 7442 b0 = gen_mac_multicast(off_mac); 7443 gen_and(b1, b0); 7444 return b0; 7445 } 7446 break; 7447 default: 7448 break; 7449 } 7450 /* Link not known to support multicasts */ 7451 break; 7452 7453 case Q_IP: 7454 b0 = gen_linktype(ETHERTYPE_IP); 7455 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7456 gen_and(b0, b1); 7457 return b1; 7458 7459 #ifdef INET6 7460 case Q_IPV6: 7461 b0 = gen_linktype(ETHERTYPE_IPV6); 7462 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7463 gen_and(b0, b1); 7464 return b1; 7465 #endif /* INET6 */ 7466 } 7467 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7468 /* NOTREACHED */ 7469 return NULL; 7470 } 7471 7472 /* 7473 * generate command for inbound/outbound. It's here so we can 7474 * make it link-type specific. 'dir' = 0 implies "inbound", 7475 * = 1 implies "outbound". 7476 */ 7477 struct block * 7478 gen_inbound(dir) 7479 int dir; 7480 { 7481 register struct block *b0; 7482 7483 /* 7484 * Only some data link types support inbound/outbound qualifiers. 7485 */ 7486 switch (linktype) { 7487 case DLT_SLIP: 7488 b0 = gen_relation(BPF_JEQ, 7489 gen_load(Q_LINK, gen_loadi(0), 1), 7490 gen_loadi(0), 7491 dir); 7492 break; 7493 7494 case DLT_IPNET: 7495 if (dir) { 7496 /* match outgoing packets */ 7497 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7498 } else { 7499 /* match incoming packets */ 7500 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7501 } 7502 break; 7503 7504 case DLT_LINUX_SLL: 7505 if (dir) { 7506 /* 7507 * Match packets sent by this machine. 7508 */ 7509 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7510 } else { 7511 /* 7512 * Match packets sent to this machine. 7513 * (No broadcast or multicast packets, or 7514 * packets sent to some other machine and 7515 * received promiscuously.) 7516 * 7517 * XXX - packets sent to other machines probably 7518 * shouldn't be matched, but what about broadcast 7519 * or multicast packets we received? 7520 */ 7521 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 7522 } 7523 break; 7524 7525 #ifdef HAVE_NET_PFVAR_H 7526 case DLT_PFLOG: 7527 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7528 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7529 break; 7530 #endif 7531 7532 case DLT_PPP_PPPD: 7533 if (dir) { 7534 /* match outgoing packets */ 7535 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7536 } else { 7537 /* match incoming packets */ 7538 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7539 } 7540 break; 7541 7542 case DLT_JUNIPER_MFR: 7543 case DLT_JUNIPER_MLFR: 7544 case DLT_JUNIPER_MLPPP: 7545 case DLT_JUNIPER_ATM1: 7546 case DLT_JUNIPER_ATM2: 7547 case DLT_JUNIPER_PPPOE: 7548 case DLT_JUNIPER_PPPOE_ATM: 7549 case DLT_JUNIPER_GGSN: 7550 case DLT_JUNIPER_ES: 7551 case DLT_JUNIPER_MONITOR: 7552 case DLT_JUNIPER_SERVICES: 7553 case DLT_JUNIPER_ETHER: 7554 case DLT_JUNIPER_PPP: 7555 case DLT_JUNIPER_FRELAY: 7556 case DLT_JUNIPER_CHDLC: 7557 case DLT_JUNIPER_VP: 7558 case DLT_JUNIPER_ST: 7559 case DLT_JUNIPER_ISM: 7560 case DLT_JUNIPER_VS: 7561 case DLT_JUNIPER_SRX_E2E: 7562 case DLT_JUNIPER_FIBRECHANNEL: 7563 case DLT_JUNIPER_ATM_CEMIC: 7564 7565 /* juniper flags (including direction) are stored 7566 * the byte after the 3-byte magic number */ 7567 if (dir) { 7568 /* match outgoing packets */ 7569 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7570 } else { 7571 /* match incoming packets */ 7572 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7573 } 7574 break; 7575 7576 default: 7577 bpf_error("inbound/outbound not supported on linktype %d", 7578 linktype); 7579 b0 = NULL; 7580 /* NOTREACHED */ 7581 } 7582 return (b0); 7583 } 7584 7585 #ifdef HAVE_NET_PFVAR_H 7586 /* PF firewall log matched interface */ 7587 struct block * 7588 gen_pf_ifname(const char *ifname) 7589 { 7590 struct block *b0; 7591 u_int len, off; 7592 7593 if (linktype != DLT_PFLOG) { 7594 bpf_error("ifname supported only on PF linktype"); 7595 /* NOTREACHED */ 7596 } 7597 len = sizeof(((struct pfloghdr *)0)->ifname); 7598 off = offsetof(struct pfloghdr, ifname); 7599 if (strlen(ifname) >= len) { 7600 bpf_error("ifname interface names can only be %d characters", 7601 len-1); 7602 /* NOTREACHED */ 7603 } 7604 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7605 return (b0); 7606 } 7607 7608 /* PF firewall log ruleset name */ 7609 struct block * 7610 gen_pf_ruleset(char *ruleset) 7611 { 7612 struct block *b0; 7613 7614 if (linktype != DLT_PFLOG) { 7615 bpf_error("ruleset supported only on PF linktype"); 7616 /* NOTREACHED */ 7617 } 7618 7619 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7620 bpf_error("ruleset names can only be %ld characters", 7621 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7622 /* NOTREACHED */ 7623 } 7624 7625 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7626 strlen(ruleset), (const u_char *)ruleset); 7627 return (b0); 7628 } 7629 7630 /* PF firewall log rule number */ 7631 struct block * 7632 gen_pf_rnr(int rnr) 7633 { 7634 struct block *b0; 7635 7636 if (linktype != DLT_PFLOG) { 7637 bpf_error("rnr supported only on PF linktype"); 7638 /* NOTREACHED */ 7639 } 7640 7641 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7642 (bpf_int32)rnr); 7643 return (b0); 7644 } 7645 7646 /* PF firewall log sub-rule number */ 7647 struct block * 7648 gen_pf_srnr(int srnr) 7649 { 7650 struct block *b0; 7651 7652 if (linktype != DLT_PFLOG) { 7653 bpf_error("srnr supported only on PF linktype"); 7654 /* NOTREACHED */ 7655 } 7656 7657 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7658 (bpf_int32)srnr); 7659 return (b0); 7660 } 7661 7662 /* PF firewall log reason code */ 7663 struct block * 7664 gen_pf_reason(int reason) 7665 { 7666 struct block *b0; 7667 7668 if (linktype != DLT_PFLOG) { 7669 bpf_error("reason supported only on PF linktype"); 7670 /* NOTREACHED */ 7671 } 7672 7673 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7674 (bpf_int32)reason); 7675 return (b0); 7676 } 7677 7678 /* PF firewall log action */ 7679 struct block * 7680 gen_pf_action(int action) 7681 { 7682 struct block *b0; 7683 7684 if (linktype != DLT_PFLOG) { 7685 bpf_error("action supported only on PF linktype"); 7686 /* NOTREACHED */ 7687 } 7688 7689 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7690 (bpf_int32)action); 7691 return (b0); 7692 } 7693 #else /* !HAVE_NET_PFVAR_H */ 7694 struct block * 7695 gen_pf_ifname(const char *ifname) 7696 { 7697 bpf_error("libpcap was compiled without pf support"); 7698 /* NOTREACHED */ 7699 return (NULL); 7700 } 7701 7702 struct block * 7703 gen_pf_ruleset(char *ruleset) 7704 { 7705 bpf_error("libpcap was compiled on a machine without pf support"); 7706 /* NOTREACHED */ 7707 return (NULL); 7708 } 7709 7710 struct block * 7711 gen_pf_rnr(int rnr) 7712 { 7713 bpf_error("libpcap was compiled on a machine without pf support"); 7714 /* NOTREACHED */ 7715 return (NULL); 7716 } 7717 7718 struct block * 7719 gen_pf_srnr(int srnr) 7720 { 7721 bpf_error("libpcap was compiled on a machine without pf support"); 7722 /* NOTREACHED */ 7723 return (NULL); 7724 } 7725 7726 struct block * 7727 gen_pf_reason(int reason) 7728 { 7729 bpf_error("libpcap was compiled on a machine without pf support"); 7730 /* NOTREACHED */ 7731 return (NULL); 7732 } 7733 7734 struct block * 7735 gen_pf_action(int action) 7736 { 7737 bpf_error("libpcap was compiled on a machine without pf support"); 7738 /* NOTREACHED */ 7739 return (NULL); 7740 } 7741 #endif /* HAVE_NET_PFVAR_H */ 7742 7743 /* IEEE 802.11 wireless header */ 7744 struct block * 7745 gen_p80211_type(int type, int mask) 7746 { 7747 struct block *b0; 7748 7749 switch (linktype) { 7750 7751 case DLT_IEEE802_11: 7752 case DLT_PRISM_HEADER: 7753 case DLT_IEEE802_11_RADIO_AVS: 7754 case DLT_IEEE802_11_RADIO: 7755 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7756 (bpf_int32)mask); 7757 break; 7758 7759 default: 7760 bpf_error("802.11 link-layer types supported only on 802.11"); 7761 /* NOTREACHED */ 7762 } 7763 7764 return (b0); 7765 } 7766 7767 struct block * 7768 gen_p80211_fcdir(int fcdir) 7769 { 7770 struct block *b0; 7771 7772 switch (linktype) { 7773 7774 case DLT_IEEE802_11: 7775 case DLT_PRISM_HEADER: 7776 case DLT_IEEE802_11_RADIO_AVS: 7777 case DLT_IEEE802_11_RADIO: 7778 break; 7779 7780 default: 7781 bpf_error("frame direction supported only with 802.11 headers"); 7782 /* NOTREACHED */ 7783 } 7784 7785 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7786 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7787 7788 return (b0); 7789 } 7790 7791 struct block * 7792 gen_acode(eaddr, q) 7793 register const u_char *eaddr; 7794 struct qual q; 7795 { 7796 switch (linktype) { 7797 7798 case DLT_ARCNET: 7799 case DLT_ARCNET_LINUX: 7800 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7801 q.proto == Q_LINK) 7802 return (gen_ahostop(eaddr, (int)q.dir)); 7803 else { 7804 bpf_error("ARCnet address used in non-arc expression"); 7805 /* NOTREACHED */ 7806 } 7807 break; 7808 7809 default: 7810 bpf_error("aid supported only on ARCnet"); 7811 /* NOTREACHED */ 7812 } 7813 bpf_error("ARCnet address used in non-arc expression"); 7814 /* NOTREACHED */ 7815 return NULL; 7816 } 7817 7818 static struct block * 7819 gen_ahostop(eaddr, dir) 7820 register const u_char *eaddr; 7821 register int dir; 7822 { 7823 register struct block *b0, *b1; 7824 7825 switch (dir) { 7826 /* src comes first, different from Ethernet */ 7827 case Q_SRC: 7828 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7829 7830 case Q_DST: 7831 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7832 7833 case Q_AND: 7834 b0 = gen_ahostop(eaddr, Q_SRC); 7835 b1 = gen_ahostop(eaddr, Q_DST); 7836 gen_and(b0, b1); 7837 return b1; 7838 7839 case Q_DEFAULT: 7840 case Q_OR: 7841 b0 = gen_ahostop(eaddr, Q_SRC); 7842 b1 = gen_ahostop(eaddr, Q_DST); 7843 gen_or(b0, b1); 7844 return b1; 7845 7846 case Q_ADDR1: 7847 bpf_error("'addr1' is only supported on 802.11"); 7848 break; 7849 7850 case Q_ADDR2: 7851 bpf_error("'addr2' is only supported on 802.11"); 7852 break; 7853 7854 case Q_ADDR3: 7855 bpf_error("'addr3' is only supported on 802.11"); 7856 break; 7857 7858 case Q_ADDR4: 7859 bpf_error("'addr4' is only supported on 802.11"); 7860 break; 7861 7862 case Q_RA: 7863 bpf_error("'ra' is only supported on 802.11"); 7864 break; 7865 7866 case Q_TA: 7867 bpf_error("'ta' is only supported on 802.11"); 7868 break; 7869 } 7870 abort(); 7871 /* NOTREACHED */ 7872 } 7873 7874 /* 7875 * support IEEE 802.1Q VLAN trunk over ethernet 7876 */ 7877 struct block * 7878 gen_vlan(vlan_num) 7879 int vlan_num; 7880 { 7881 struct block *b0, *b1; 7882 7883 /* can't check for VLAN-encapsulated packets inside MPLS */ 7884 if (label_stack_depth > 0) 7885 bpf_error("no VLAN match after MPLS"); 7886 7887 /* 7888 * Check for a VLAN packet, and then change the offsets to point 7889 * to the type and data fields within the VLAN packet. Just 7890 * increment the offsets, so that we can support a hierarchy, e.g. 7891 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7892 * VLAN 100. 7893 * 7894 * XXX - this is a bit of a kludge. If we were to split the 7895 * compiler into a parser that parses an expression and 7896 * generates an expression tree, and a code generator that 7897 * takes an expression tree (which could come from our 7898 * parser or from some other parser) and generates BPF code, 7899 * we could perhaps make the offsets parameters of routines 7900 * and, in the handler for an "AND" node, pass to subnodes 7901 * other than the VLAN node the adjusted offsets. 7902 * 7903 * This would mean that "vlan" would, instead of changing the 7904 * behavior of *all* tests after it, change only the behavior 7905 * of tests ANDed with it. That would change the documented 7906 * semantics of "vlan", which might break some expressions. 7907 * However, it would mean that "(vlan and ip) or ip" would check 7908 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7909 * checking only for VLAN-encapsulated IP, so that could still 7910 * be considered worth doing; it wouldn't break expressions 7911 * that are of the form "vlan and ..." or "vlan N and ...", 7912 * which I suspect are the most common expressions involving 7913 * "vlan". "vlan or ..." doesn't necessarily do what the user 7914 * would really want, now, as all the "or ..." tests would 7915 * be done assuming a VLAN, even though the "or" could be viewed 7916 * as meaning "or, if this isn't a VLAN packet...". 7917 */ 7918 orig_nl = off_nl; 7919 7920 switch (linktype) { 7921 7922 case DLT_EN10MB: 7923 case DLT_NETANALYZER: 7924 case DLT_NETANALYZER_TRANSPARENT: 7925 /* check for VLAN, including QinQ */ 7926 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7927 (bpf_int32)ETHERTYPE_8021Q); 7928 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7929 (bpf_int32)ETHERTYPE_8021QINQ); 7930 gen_or(b0,b1); 7931 b0 = b1; 7932 7933 /* If a specific VLAN is requested, check VLAN id */ 7934 if (vlan_num >= 0) { 7935 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7936 (bpf_int32)vlan_num, 0x0fff); 7937 gen_and(b0, b1); 7938 b0 = b1; 7939 } 7940 7941 off_macpl += 4; 7942 off_linktype += 4; 7943 #if 0 7944 off_nl_nosnap += 4; 7945 off_nl += 4; 7946 #endif 7947 break; 7948 7949 default: 7950 bpf_error("no VLAN support for data link type %d", 7951 linktype); 7952 /*NOTREACHED*/ 7953 } 7954 7955 return (b0); 7956 } 7957 7958 /* 7959 * support for MPLS 7960 */ 7961 struct block * 7962 gen_mpls(label_num) 7963 int label_num; 7964 { 7965 struct block *b0,*b1; 7966 7967 /* 7968 * Change the offsets to point to the type and data fields within 7969 * the MPLS packet. Just increment the offsets, so that we 7970 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7971 * capture packets with an outer label of 100000 and an inner 7972 * label of 1024. 7973 * 7974 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7975 */ 7976 orig_nl = off_nl; 7977 7978 if (label_stack_depth > 0) { 7979 /* just match the bottom-of-stack bit clear */ 7980 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 7981 } else { 7982 /* 7983 * Indicate that we're checking MPLS-encapsulated headers, 7984 * to make sure higher level code generators don't try to 7985 * match against IP-related protocols such as Q_ARP, Q_RARP 7986 * etc. 7987 */ 7988 switch (linktype) { 7989 7990 case DLT_C_HDLC: /* fall through */ 7991 case DLT_EN10MB: 7992 case DLT_NETANALYZER: 7993 case DLT_NETANALYZER_TRANSPARENT: 7994 b0 = gen_linktype(ETHERTYPE_MPLS); 7995 break; 7996 7997 case DLT_PPP: 7998 b0 = gen_linktype(PPP_MPLS_UCAST); 7999 break; 8000 8001 /* FIXME add other DLT_s ... 8002 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8003 * leave it for now */ 8004 8005 default: 8006 bpf_error("no MPLS support for data link type %d", 8007 linktype); 8008 b0 = NULL; 8009 /*NOTREACHED*/ 8010 break; 8011 } 8012 } 8013 8014 /* If a specific MPLS label is requested, check it */ 8015 if (label_num >= 0) { 8016 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8017 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 8018 0xfffff000); /* only compare the first 20 bits */ 8019 gen_and(b0, b1); 8020 b0 = b1; 8021 } 8022 8023 off_nl_nosnap += 4; 8024 off_nl += 4; 8025 label_stack_depth++; 8026 return (b0); 8027 } 8028 8029 /* 8030 * Support PPPOE discovery and session. 8031 */ 8032 struct block * 8033 gen_pppoed() 8034 { 8035 /* check for PPPoE discovery */ 8036 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8037 } 8038 8039 struct block * 8040 gen_pppoes() 8041 { 8042 struct block *b0; 8043 8044 /* 8045 * Test against the PPPoE session link-layer type. 8046 */ 8047 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8048 8049 /* 8050 * Change the offsets to point to the type and data fields within 8051 * the PPP packet, and note that this is PPPoE rather than 8052 * raw PPP. 8053 * 8054 * XXX - this is a bit of a kludge. If we were to split the 8055 * compiler into a parser that parses an expression and 8056 * generates an expression tree, and a code generator that 8057 * takes an expression tree (which could come from our 8058 * parser or from some other parser) and generates BPF code, 8059 * we could perhaps make the offsets parameters of routines 8060 * and, in the handler for an "AND" node, pass to subnodes 8061 * other than the PPPoE node the adjusted offsets. 8062 * 8063 * This would mean that "pppoes" would, instead of changing the 8064 * behavior of *all* tests after it, change only the behavior 8065 * of tests ANDed with it. That would change the documented 8066 * semantics of "pppoes", which might break some expressions. 8067 * However, it would mean that "(pppoes and ip) or ip" would check 8068 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8069 * checking only for VLAN-encapsulated IP, so that could still 8070 * be considered worth doing; it wouldn't break expressions 8071 * that are of the form "pppoes and ..." which I suspect are the 8072 * most common expressions involving "pppoes". "pppoes or ..." 8073 * doesn't necessarily do what the user would really want, now, 8074 * as all the "or ..." tests would be done assuming PPPoE, even 8075 * though the "or" could be viewed as meaning "or, if this isn't 8076 * a PPPoE packet...". 8077 */ 8078 orig_linktype = off_linktype; /* save original values */ 8079 orig_nl = off_nl; 8080 is_pppoes = 1; 8081 8082 /* 8083 * The "network-layer" protocol is PPPoE, which has a 6-byte 8084 * PPPoE header, followed by a PPP packet. 8085 * 8086 * There is no HDLC encapsulation for the PPP packet (it's 8087 * encapsulated in PPPoES instead), so the link-layer type 8088 * starts at the first byte of the PPP packet. For PPPoE, 8089 * that offset is relative to the beginning of the total 8090 * link-layer payload, including any 802.2 LLC header, so 8091 * it's 6 bytes past off_nl. 8092 */ 8093 off_linktype = off_nl + 6; 8094 8095 /* 8096 * The network-layer offsets are relative to the beginning 8097 * of the MAC-layer payload; that's past the 6-byte 8098 * PPPoE header and the 2-byte PPP header. 8099 */ 8100 off_nl = 6+2; 8101 off_nl_nosnap = 6+2; 8102 8103 return b0; 8104 } 8105 8106 struct block * 8107 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8108 int atmfield; 8109 bpf_int32 jvalue; 8110 bpf_u_int32 jtype; 8111 int reverse; 8112 { 8113 struct block *b0; 8114 8115 switch (atmfield) { 8116 8117 case A_VPI: 8118 if (!is_atm) 8119 bpf_error("'vpi' supported only on raw ATM"); 8120 if (off_vpi == (u_int)-1) 8121 abort(); 8122 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8123 reverse, jvalue); 8124 break; 8125 8126 case A_VCI: 8127 if (!is_atm) 8128 bpf_error("'vci' supported only on raw ATM"); 8129 if (off_vci == (u_int)-1) 8130 abort(); 8131 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8132 reverse, jvalue); 8133 break; 8134 8135 case A_PROTOTYPE: 8136 if (off_proto == (u_int)-1) 8137 abort(); /* XXX - this isn't on FreeBSD */ 8138 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8139 reverse, jvalue); 8140 break; 8141 8142 case A_MSGTYPE: 8143 if (off_payload == (u_int)-1) 8144 abort(); 8145 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8146 0xffffffff, jtype, reverse, jvalue); 8147 break; 8148 8149 case A_CALLREFTYPE: 8150 if (!is_atm) 8151 bpf_error("'callref' supported only on raw ATM"); 8152 if (off_proto == (u_int)-1) 8153 abort(); 8154 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8155 jtype, reverse, jvalue); 8156 break; 8157 8158 default: 8159 abort(); 8160 } 8161 return b0; 8162 } 8163 8164 struct block * 8165 gen_atmtype_abbrev(type) 8166 int type; 8167 { 8168 struct block *b0, *b1; 8169 8170 switch (type) { 8171 8172 case A_METAC: 8173 /* Get all packets in Meta signalling Circuit */ 8174 if (!is_atm) 8175 bpf_error("'metac' supported only on raw ATM"); 8176 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8177 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8178 gen_and(b0, b1); 8179 break; 8180 8181 case A_BCC: 8182 /* Get all packets in Broadcast Circuit*/ 8183 if (!is_atm) 8184 bpf_error("'bcc' supported only on raw ATM"); 8185 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8186 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8187 gen_and(b0, b1); 8188 break; 8189 8190 case A_OAMF4SC: 8191 /* Get all cells in Segment OAM F4 circuit*/ 8192 if (!is_atm) 8193 bpf_error("'oam4sc' supported only on raw ATM"); 8194 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8195 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8196 gen_and(b0, b1); 8197 break; 8198 8199 case A_OAMF4EC: 8200 /* Get all cells in End-to-End OAM F4 Circuit*/ 8201 if (!is_atm) 8202 bpf_error("'oam4ec' supported only on raw ATM"); 8203 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8204 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8205 gen_and(b0, b1); 8206 break; 8207 8208 case A_SC: 8209 /* Get all packets in connection Signalling Circuit */ 8210 if (!is_atm) 8211 bpf_error("'sc' supported only on raw ATM"); 8212 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8213 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8214 gen_and(b0, b1); 8215 break; 8216 8217 case A_ILMIC: 8218 /* Get all packets in ILMI Circuit */ 8219 if (!is_atm) 8220 bpf_error("'ilmic' supported only on raw ATM"); 8221 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8222 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8223 gen_and(b0, b1); 8224 break; 8225 8226 case A_LANE: 8227 /* Get all LANE packets */ 8228 if (!is_atm) 8229 bpf_error("'lane' supported only on raw ATM"); 8230 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8231 8232 /* 8233 * Arrange that all subsequent tests assume LANE 8234 * rather than LLC-encapsulated packets, and set 8235 * the offsets appropriately for LANE-encapsulated 8236 * Ethernet. 8237 * 8238 * "off_mac" is the offset of the Ethernet header, 8239 * which is 2 bytes past the ATM pseudo-header 8240 * (skipping the pseudo-header and 2-byte LE Client 8241 * field). The other offsets are Ethernet offsets 8242 * relative to "off_mac". 8243 */ 8244 is_lane = 1; 8245 off_mac = off_payload + 2; /* MAC header */ 8246 off_linktype = off_mac + 12; 8247 off_macpl = off_mac + 14; /* Ethernet */ 8248 off_nl = 0; /* Ethernet II */ 8249 off_nl_nosnap = 3; /* 802.3+802.2 */ 8250 break; 8251 8252 case A_LLC: 8253 /* Get all LLC-encapsulated packets */ 8254 if (!is_atm) 8255 bpf_error("'llc' supported only on raw ATM"); 8256 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8257 is_lane = 0; 8258 break; 8259 8260 default: 8261 abort(); 8262 } 8263 return b1; 8264 } 8265 8266 /* 8267 * Filtering for MTP2 messages based on li value 8268 * FISU, length is null 8269 * LSSU, length is 1 or 2 8270 * MSU, length is 3 or more 8271 */ 8272 struct block * 8273 gen_mtp2type_abbrev(type) 8274 int type; 8275 { 8276 struct block *b0, *b1; 8277 8278 switch (type) { 8279 8280 case M_FISU: 8281 if ( (linktype != DLT_MTP2) && 8282 (linktype != DLT_ERF) && 8283 (linktype != DLT_MTP2_WITH_PHDR) ) 8284 bpf_error("'fisu' supported only on MTP2"); 8285 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8286 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8287 break; 8288 8289 case M_LSSU: 8290 if ( (linktype != DLT_MTP2) && 8291 (linktype != DLT_ERF) && 8292 (linktype != DLT_MTP2_WITH_PHDR) ) 8293 bpf_error("'lssu' supported only on MTP2"); 8294 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8295 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8296 gen_and(b1, b0); 8297 break; 8298 8299 case M_MSU: 8300 if ( (linktype != DLT_MTP2) && 8301 (linktype != DLT_ERF) && 8302 (linktype != DLT_MTP2_WITH_PHDR) ) 8303 bpf_error("'msu' supported only on MTP2"); 8304 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8305 break; 8306 8307 default: 8308 abort(); 8309 } 8310 return b0; 8311 } 8312 8313 struct block * 8314 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8315 int mtp3field; 8316 bpf_u_int32 jvalue; 8317 bpf_u_int32 jtype; 8318 int reverse; 8319 { 8320 struct block *b0; 8321 bpf_u_int32 val1 , val2 , val3; 8322 8323 switch (mtp3field) { 8324 8325 case M_SIO: 8326 if (off_sio == (u_int)-1) 8327 bpf_error("'sio' supported only on SS7"); 8328 /* sio coded on 1 byte so max value 255 */ 8329 if(jvalue > 255) 8330 bpf_error("sio value %u too big; max value = 255", 8331 jvalue); 8332 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 8333 (u_int)jtype, reverse, (u_int)jvalue); 8334 break; 8335 8336 case M_OPC: 8337 if (off_opc == (u_int)-1) 8338 bpf_error("'opc' supported only on SS7"); 8339 /* opc coded on 14 bits so max value 16383 */ 8340 if (jvalue > 16383) 8341 bpf_error("opc value %u too big; max value = 16383", 8342 jvalue); 8343 /* the following instructions are made to convert jvalue 8344 * to the form used to write opc in an ss7 message*/ 8345 val1 = jvalue & 0x00003c00; 8346 val1 = val1 >>10; 8347 val2 = jvalue & 0x000003fc; 8348 val2 = val2 <<6; 8349 val3 = jvalue & 0x00000003; 8350 val3 = val3 <<22; 8351 jvalue = val1 + val2 + val3; 8352 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 8353 (u_int)jtype, reverse, (u_int)jvalue); 8354 break; 8355 8356 case M_DPC: 8357 if (off_dpc == (u_int)-1) 8358 bpf_error("'dpc' supported only on SS7"); 8359 /* dpc coded on 14 bits so max value 16383 */ 8360 if (jvalue > 16383) 8361 bpf_error("dpc value %u too big; max value = 16383", 8362 jvalue); 8363 /* the following instructions are made to convert jvalue 8364 * to the forme used to write dpc in an ss7 message*/ 8365 val1 = jvalue & 0x000000ff; 8366 val1 = val1 << 24; 8367 val2 = jvalue & 0x00003f00; 8368 val2 = val2 << 8; 8369 jvalue = val1 + val2; 8370 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 8371 (u_int)jtype, reverse, (u_int)jvalue); 8372 break; 8373 8374 case M_SLS: 8375 if (off_sls == (u_int)-1) 8376 bpf_error("'sls' supported only on SS7"); 8377 /* sls coded on 4 bits so max value 15 */ 8378 if (jvalue > 15) 8379 bpf_error("sls value %u too big; max value = 15", 8380 jvalue); 8381 /* the following instruction is made to convert jvalue 8382 * to the forme used to write sls in an ss7 message*/ 8383 jvalue = jvalue << 4; 8384 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 8385 (u_int)jtype,reverse, (u_int)jvalue); 8386 break; 8387 8388 default: 8389 abort(); 8390 } 8391 return b0; 8392 } 8393 8394 static struct block * 8395 gen_msg_abbrev(type) 8396 int type; 8397 { 8398 struct block *b1; 8399 8400 /* 8401 * Q.2931 signalling protocol messages for handling virtual circuits 8402 * establishment and teardown 8403 */ 8404 switch (type) { 8405 8406 case A_SETUP: 8407 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8408 break; 8409 8410 case A_CALLPROCEED: 8411 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8412 break; 8413 8414 case A_CONNECT: 8415 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8416 break; 8417 8418 case A_CONNECTACK: 8419 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8420 break; 8421 8422 case A_RELEASE: 8423 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8424 break; 8425 8426 case A_RELEASE_DONE: 8427 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8428 break; 8429 8430 default: 8431 abort(); 8432 } 8433 return b1; 8434 } 8435 8436 struct block * 8437 gen_atmmulti_abbrev(type) 8438 int type; 8439 { 8440 struct block *b0, *b1; 8441 8442 switch (type) { 8443 8444 case A_OAM: 8445 if (!is_atm) 8446 bpf_error("'oam' supported only on raw ATM"); 8447 b1 = gen_atmmulti_abbrev(A_OAMF4); 8448 break; 8449 8450 case A_OAMF4: 8451 if (!is_atm) 8452 bpf_error("'oamf4' supported only on raw ATM"); 8453 /* OAM F4 type */ 8454 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8455 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8456 gen_or(b0, b1); 8457 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8458 gen_and(b0, b1); 8459 break; 8460 8461 case A_CONNECTMSG: 8462 /* 8463 * Get Q.2931 signalling messages for switched 8464 * virtual connection 8465 */ 8466 if (!is_atm) 8467 bpf_error("'connectmsg' supported only on raw ATM"); 8468 b0 = gen_msg_abbrev(A_SETUP); 8469 b1 = gen_msg_abbrev(A_CALLPROCEED); 8470 gen_or(b0, b1); 8471 b0 = gen_msg_abbrev(A_CONNECT); 8472 gen_or(b0, b1); 8473 b0 = gen_msg_abbrev(A_CONNECTACK); 8474 gen_or(b0, b1); 8475 b0 = gen_msg_abbrev(A_RELEASE); 8476 gen_or(b0, b1); 8477 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8478 gen_or(b0, b1); 8479 b0 = gen_atmtype_abbrev(A_SC); 8480 gen_and(b0, b1); 8481 break; 8482 8483 case A_METACONNECT: 8484 if (!is_atm) 8485 bpf_error("'metaconnect' supported only on raw ATM"); 8486 b0 = gen_msg_abbrev(A_SETUP); 8487 b1 = gen_msg_abbrev(A_CALLPROCEED); 8488 gen_or(b0, b1); 8489 b0 = gen_msg_abbrev(A_CONNECT); 8490 gen_or(b0, b1); 8491 b0 = gen_msg_abbrev(A_RELEASE); 8492 gen_or(b0, b1); 8493 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8494 gen_or(b0, b1); 8495 b0 = gen_atmtype_abbrev(A_METAC); 8496 gen_and(b0, b1); 8497 break; 8498 8499 default: 8500 abort(); 8501 } 8502 return b1; 8503 } 8504