1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * $FreeBSD$ 23 */ 24 25 #ifdef HAVE_CONFIG_H 26 #include "config.h" 27 #endif 28 29 #ifdef WIN32 30 #include <pcap-stdinc.h> 31 #else /* WIN32 */ 32 #if HAVE_INTTYPES_H 33 #include <inttypes.h> 34 #elif HAVE_STDINT_H 35 #include <stdint.h> 36 #endif 37 #ifdef HAVE_SYS_BITYPES_H 38 #include <sys/bitypes.h> 39 #endif 40 #include <sys/types.h> 41 #include <sys/socket.h> 42 #endif /* WIN32 */ 43 44 /* 45 * XXX - why was this included even on UNIX? 46 */ 47 #ifdef __MINGW32__ 48 #include "ip6_misc.h" 49 #endif 50 51 #ifndef WIN32 52 53 #ifdef __NetBSD__ 54 #include <sys/param.h> 55 #endif 56 57 #include <netinet/in.h> 58 #include <arpa/inet.h> 59 60 #endif /* WIN32 */ 61 62 #include <stdlib.h> 63 #include <string.h> 64 #include <memory.h> 65 #include <setjmp.h> 66 #include <stdarg.h> 67 68 #ifdef MSDOS 69 #include "pcap-dos.h" 70 #endif 71 72 #include "pcap-int.h" 73 74 #include "ethertype.h" 75 #include "nlpid.h" 76 #include "llc.h" 77 #include "gencode.h" 78 #include "ieee80211.h" 79 #include "atmuni31.h" 80 #include "sunatmpos.h" 81 #include "ppp.h" 82 #include "pcap/sll.h" 83 #include "pcap/ipnet.h" 84 #include "arcnet.h" 85 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 86 #include <linux/types.h> 87 #include <linux/if_packet.h> 88 #include <linux/filter.h> 89 #endif 90 #ifdef HAVE_NET_PFVAR_H 91 #include <sys/socket.h> 92 #include <net/if.h> 93 #include <net/pfvar.h> 94 #include <net/if_pflog.h> 95 #endif 96 #ifndef offsetof 97 #define offsetof(s, e) ((size_t)&((s *)0)->e) 98 #endif 99 #ifdef INET6 100 #ifndef WIN32 101 #include <netdb.h> /* for "struct addrinfo" */ 102 #endif /* WIN32 */ 103 #endif /*INET6*/ 104 #include <pcap/namedb.h> 105 106 #define ETHERMTU 1500 107 108 #ifndef IPPROTO_HOPOPTS 109 #define IPPROTO_HOPOPTS 0 110 #endif 111 #ifndef IPPROTO_ROUTING 112 #define IPPROTO_ROUTING 43 113 #endif 114 #ifndef IPPROTO_FRAGMENT 115 #define IPPROTO_FRAGMENT 44 116 #endif 117 #ifndef IPPROTO_DSTOPTS 118 #define IPPROTO_DSTOPTS 60 119 #endif 120 #ifndef IPPROTO_SCTP 121 #define IPPROTO_SCTP 132 122 #endif 123 124 #ifdef HAVE_OS_PROTO_H 125 #include "os-proto.h" 126 #endif 127 128 #define JMP(c) ((c)|BPF_JMP|BPF_K) 129 130 /* Locals */ 131 static jmp_buf top_ctx; 132 static pcap_t *bpf_pcap; 133 134 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 135 #ifdef WIN32 136 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 137 #else 138 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 139 #endif 140 141 /* XXX */ 142 static int pcap_fddipad; 143 144 /* VARARGS */ 145 void 146 bpf_error(const char *fmt, ...) 147 { 148 va_list ap; 149 150 va_start(ap, fmt); 151 if (bpf_pcap != NULL) 152 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 153 fmt, ap); 154 va_end(ap); 155 longjmp(top_ctx, 1); 156 /* NOTREACHED */ 157 } 158 159 static void init_linktype(pcap_t *); 160 161 static void init_regs(void); 162 static int alloc_reg(void); 163 static void free_reg(int); 164 165 static struct block *root; 166 167 /* 168 * Value passed to gen_load_a() to indicate what the offset argument 169 * is relative to. 170 */ 171 enum e_offrel { 172 OR_PACKET, /* relative to the beginning of the packet */ 173 OR_LINK, /* relative to the beginning of the link-layer header */ 174 OR_MACPL, /* relative to the end of the MAC-layer header */ 175 OR_NET, /* relative to the network-layer header */ 176 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 177 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 178 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 179 }; 180 181 #ifdef INET6 182 /* 183 * As errors are handled by a longjmp, anything allocated must be freed 184 * in the longjmp handler, so it must be reachable from that handler. 185 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 186 * it must be freed with freeaddrinfo(). This variable points to any 187 * addrinfo structure that would need to be freed. 188 */ 189 static struct addrinfo *ai; 190 #endif 191 192 /* 193 * We divy out chunks of memory rather than call malloc each time so 194 * we don't have to worry about leaking memory. It's probably 195 * not a big deal if all this memory was wasted but if this ever 196 * goes into a library that would probably not be a good idea. 197 * 198 * XXX - this *is* in a library.... 199 */ 200 #define NCHUNKS 16 201 #define CHUNK0SIZE 1024 202 struct chunk { 203 u_int n_left; 204 void *m; 205 }; 206 207 static struct chunk chunks[NCHUNKS]; 208 static int cur_chunk; 209 210 static void *newchunk(u_int); 211 static void freechunks(void); 212 static inline struct block *new_block(int); 213 static inline struct slist *new_stmt(int); 214 static struct block *gen_retblk(int); 215 static inline void syntax(void); 216 217 static void backpatch(struct block *, struct block *); 218 static void merge(struct block *, struct block *); 219 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 220 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 221 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 222 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 223 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 224 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 225 bpf_u_int32); 226 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 227 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 228 bpf_u_int32, bpf_u_int32, int, bpf_int32); 229 static struct slist *gen_load_llrel(u_int, u_int); 230 static struct slist *gen_load_macplrel(u_int, u_int); 231 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 232 static struct slist *gen_loadx_iphdrlen(void); 233 static struct block *gen_uncond(int); 234 static inline struct block *gen_true(void); 235 static inline struct block *gen_false(void); 236 static struct block *gen_ether_linktype(int); 237 static struct block *gen_ipnet_linktype(int); 238 static struct block *gen_linux_sll_linktype(int); 239 static struct slist *gen_load_prism_llprefixlen(void); 240 static struct slist *gen_load_avs_llprefixlen(void); 241 static struct slist *gen_load_radiotap_llprefixlen(void); 242 static struct slist *gen_load_ppi_llprefixlen(void); 243 static void insert_compute_vloffsets(struct block *); 244 static struct slist *gen_llprefixlen(void); 245 static struct slist *gen_off_macpl(void); 246 static int ethertype_to_ppptype(int); 247 static struct block *gen_linktype(int); 248 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 249 static struct block *gen_llc_linktype(int); 250 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 251 #ifdef INET6 252 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 253 #endif 254 static struct block *gen_ahostop(const u_char *, int); 255 static struct block *gen_ehostop(const u_char *, int); 256 static struct block *gen_fhostop(const u_char *, int); 257 static struct block *gen_thostop(const u_char *, int); 258 static struct block *gen_wlanhostop(const u_char *, int); 259 static struct block *gen_ipfchostop(const u_char *, int); 260 static struct block *gen_dnhostop(bpf_u_int32, int); 261 static struct block *gen_mpls_linktype(int); 262 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 263 #ifdef INET6 264 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 265 #endif 266 #ifndef INET6 267 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 268 #endif 269 static struct block *gen_ipfrag(void); 270 static struct block *gen_portatom(int, bpf_int32); 271 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 272 static struct block *gen_portatom6(int, bpf_int32); 273 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 274 struct block *gen_portop(int, int, int); 275 static struct block *gen_port(int, int, int); 276 struct block *gen_portrangeop(int, int, int, int); 277 static struct block *gen_portrange(int, int, int, int); 278 struct block *gen_portop6(int, int, int); 279 static struct block *gen_port6(int, int, int); 280 struct block *gen_portrangeop6(int, int, int, int); 281 static struct block *gen_portrange6(int, int, int, int); 282 static int lookup_proto(const char *, int); 283 static struct block *gen_protochain(int, int, int); 284 static struct block *gen_proto(int, int, int); 285 static struct slist *xfer_to_x(struct arth *); 286 static struct slist *xfer_to_a(struct arth *); 287 static struct block *gen_mac_multicast(int); 288 static struct block *gen_len(int, int); 289 static struct block *gen_check_802_11_data_frame(void); 290 291 static struct block *gen_ppi_dlt_check(void); 292 static struct block *gen_msg_abbrev(int type); 293 294 static void * 295 newchunk(n) 296 u_int n; 297 { 298 struct chunk *cp; 299 int k; 300 size_t size; 301 302 #ifndef __NetBSD__ 303 /* XXX Round up to nearest long. */ 304 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 305 #else 306 /* XXX Round up to structure boundary. */ 307 n = ALIGN(n); 308 #endif 309 310 cp = &chunks[cur_chunk]; 311 if (n > cp->n_left) { 312 ++cp, k = ++cur_chunk; 313 if (k >= NCHUNKS) 314 bpf_error("out of memory"); 315 size = CHUNK0SIZE << k; 316 cp->m = (void *)malloc(size); 317 if (cp->m == NULL) 318 bpf_error("out of memory"); 319 memset((char *)cp->m, 0, size); 320 cp->n_left = size; 321 if (n > size) 322 bpf_error("out of memory"); 323 } 324 cp->n_left -= n; 325 return (void *)((char *)cp->m + cp->n_left); 326 } 327 328 static void 329 freechunks() 330 { 331 int i; 332 333 cur_chunk = 0; 334 for (i = 0; i < NCHUNKS; ++i) 335 if (chunks[i].m != NULL) { 336 free(chunks[i].m); 337 chunks[i].m = NULL; 338 } 339 } 340 341 /* 342 * A strdup whose allocations are freed after code generation is over. 343 */ 344 char * 345 sdup(s) 346 register const char *s; 347 { 348 int n = strlen(s) + 1; 349 char *cp = newchunk(n); 350 351 strlcpy(cp, s, n); 352 return (cp); 353 } 354 355 static inline struct block * 356 new_block(code) 357 int code; 358 { 359 struct block *p; 360 361 p = (struct block *)newchunk(sizeof(*p)); 362 p->s.code = code; 363 p->head = p; 364 365 return p; 366 } 367 368 static inline struct slist * 369 new_stmt(code) 370 int code; 371 { 372 struct slist *p; 373 374 p = (struct slist *)newchunk(sizeof(*p)); 375 p->s.code = code; 376 377 return p; 378 } 379 380 static struct block * 381 gen_retblk(v) 382 int v; 383 { 384 struct block *b = new_block(BPF_RET|BPF_K); 385 386 b->s.k = v; 387 return b; 388 } 389 390 static inline void 391 syntax() 392 { 393 bpf_error("syntax error in filter expression"); 394 } 395 396 static bpf_u_int32 netmask; 397 static int snaplen; 398 int no_optimize; 399 400 int 401 pcap_compile(pcap_t *p, struct bpf_program *program, 402 const char *buf, int optimize, bpf_u_int32 mask) 403 { 404 extern int n_errors; 405 const char * volatile xbuf = buf; 406 u_int len; 407 int rc; 408 409 /* 410 * XXX - single-thread this code path with pthread calls on 411 * UN*X, if the platform supports pthreads? If that requires 412 * a separate -lpthread, we might not want to do that. 413 */ 414 #ifdef WIN32 415 extern int wsockinit (void); 416 static int done = 0; 417 418 if (!done) 419 wsockinit(); 420 done = 1; 421 EnterCriticalSection(&g_PcapCompileCriticalSection); 422 #endif 423 424 /* 425 * If this pcap_t hasn't been activated, it doesn't have a 426 * link-layer type, so we can't use it. 427 */ 428 if (!p->activated) { 429 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 430 "not-yet-activated pcap_t passed to pcap_compile"); 431 rc = -1; 432 goto quit; 433 } 434 no_optimize = 0; 435 n_errors = 0; 436 root = NULL; 437 bpf_pcap = p; 438 init_regs(); 439 440 if (setjmp(top_ctx)) { 441 #ifdef INET6 442 if (ai != NULL) { 443 freeaddrinfo(ai); 444 ai = NULL; 445 } 446 #endif 447 lex_cleanup(); 448 freechunks(); 449 rc = -1; 450 goto quit; 451 } 452 453 netmask = mask; 454 455 snaplen = pcap_snapshot(p); 456 if (snaplen == 0) { 457 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 458 "snaplen of 0 rejects all packets"); 459 rc = -1; 460 goto quit; 461 } 462 463 lex_init(xbuf ? xbuf : ""); 464 init_linktype(p); 465 (void)pcap_parse(); 466 467 if (n_errors) 468 syntax(); 469 470 if (root == NULL) 471 root = gen_retblk(snaplen); 472 473 if (optimize && !no_optimize) { 474 bpf_optimize(&root); 475 if (root == NULL || 476 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 477 bpf_error("expression rejects all packets"); 478 } 479 program->bf_insns = icode_to_fcode(root, &len); 480 program->bf_len = len; 481 482 lex_cleanup(); 483 freechunks(); 484 485 rc = 0; /* We're all okay */ 486 487 quit: 488 489 #ifdef WIN32 490 LeaveCriticalSection(&g_PcapCompileCriticalSection); 491 #endif 492 493 return (rc); 494 } 495 496 /* 497 * entry point for using the compiler with no pcap open 498 * pass in all the stuff that is needed explicitly instead. 499 */ 500 int 501 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 502 struct bpf_program *program, 503 const char *buf, int optimize, bpf_u_int32 mask) 504 { 505 pcap_t *p; 506 int ret; 507 508 p = pcap_open_dead(linktype_arg, snaplen_arg); 509 if (p == NULL) 510 return (-1); 511 ret = pcap_compile(p, program, buf, optimize, mask); 512 pcap_close(p); 513 return (ret); 514 } 515 516 /* 517 * Clean up a "struct bpf_program" by freeing all the memory allocated 518 * in it. 519 */ 520 void 521 pcap_freecode(struct bpf_program *program) 522 { 523 program->bf_len = 0; 524 if (program->bf_insns != NULL) { 525 free((char *)program->bf_insns); 526 program->bf_insns = NULL; 527 } 528 } 529 530 /* 531 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 532 * which of the jt and jf fields has been resolved and which is a pointer 533 * back to another unresolved block (or nil). At least one of the fields 534 * in each block is already resolved. 535 */ 536 static void 537 backpatch(list, target) 538 struct block *list, *target; 539 { 540 struct block *next; 541 542 while (list) { 543 if (!list->sense) { 544 next = JT(list); 545 JT(list) = target; 546 } else { 547 next = JF(list); 548 JF(list) = target; 549 } 550 list = next; 551 } 552 } 553 554 /* 555 * Merge the lists in b0 and b1, using the 'sense' field to indicate 556 * which of jt and jf is the link. 557 */ 558 static void 559 merge(b0, b1) 560 struct block *b0, *b1; 561 { 562 register struct block **p = &b0; 563 564 /* Find end of list. */ 565 while (*p) 566 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 567 568 /* Concatenate the lists. */ 569 *p = b1; 570 } 571 572 void 573 finish_parse(p) 574 struct block *p; 575 { 576 struct block *ppi_dlt_check; 577 578 /* 579 * Insert before the statements of the first (root) block any 580 * statements needed to load the lengths of any variable-length 581 * headers into registers. 582 * 583 * XXX - a fancier strategy would be to insert those before the 584 * statements of all blocks that use those lengths and that 585 * have no predecessors that use them, so that we only compute 586 * the lengths if we need them. There might be even better 587 * approaches than that. 588 * 589 * However, those strategies would be more complicated, and 590 * as we don't generate code to compute a length if the 591 * program has no tests that use the length, and as most 592 * tests will probably use those lengths, we would just 593 * postpone computing the lengths so that it's not done 594 * for tests that fail early, and it's not clear that's 595 * worth the effort. 596 */ 597 insert_compute_vloffsets(p->head); 598 599 /* 600 * For DLT_PPI captures, generate a check of the per-packet 601 * DLT value to make sure it's DLT_IEEE802_11. 602 */ 603 ppi_dlt_check = gen_ppi_dlt_check(); 604 if (ppi_dlt_check != NULL) 605 gen_and(ppi_dlt_check, p); 606 607 backpatch(p, gen_retblk(snaplen)); 608 p->sense = !p->sense; 609 backpatch(p, gen_retblk(0)); 610 root = p->head; 611 } 612 613 void 614 gen_and(b0, b1) 615 struct block *b0, *b1; 616 { 617 backpatch(b0, b1->head); 618 b0->sense = !b0->sense; 619 b1->sense = !b1->sense; 620 merge(b1, b0); 621 b1->sense = !b1->sense; 622 b1->head = b0->head; 623 } 624 625 void 626 gen_or(b0, b1) 627 struct block *b0, *b1; 628 { 629 b0->sense = !b0->sense; 630 backpatch(b0, b1->head); 631 b0->sense = !b0->sense; 632 merge(b1, b0); 633 b1->head = b0->head; 634 } 635 636 void 637 gen_not(b) 638 struct block *b; 639 { 640 b->sense = !b->sense; 641 } 642 643 static struct block * 644 gen_cmp(offrel, offset, size, v) 645 enum e_offrel offrel; 646 u_int offset, size; 647 bpf_int32 v; 648 { 649 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 650 } 651 652 static struct block * 653 gen_cmp_gt(offrel, offset, size, v) 654 enum e_offrel offrel; 655 u_int offset, size; 656 bpf_int32 v; 657 { 658 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 659 } 660 661 static struct block * 662 gen_cmp_ge(offrel, offset, size, v) 663 enum e_offrel offrel; 664 u_int offset, size; 665 bpf_int32 v; 666 { 667 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 668 } 669 670 static struct block * 671 gen_cmp_lt(offrel, offset, size, v) 672 enum e_offrel offrel; 673 u_int offset, size; 674 bpf_int32 v; 675 { 676 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 677 } 678 679 static struct block * 680 gen_cmp_le(offrel, offset, size, v) 681 enum e_offrel offrel; 682 u_int offset, size; 683 bpf_int32 v; 684 { 685 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 686 } 687 688 static struct block * 689 gen_mcmp(offrel, offset, size, v, mask) 690 enum e_offrel offrel; 691 u_int offset, size; 692 bpf_int32 v; 693 bpf_u_int32 mask; 694 { 695 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 696 } 697 698 static struct block * 699 gen_bcmp(offrel, offset, size, v) 700 enum e_offrel offrel; 701 register u_int offset, size; 702 register const u_char *v; 703 { 704 register struct block *b, *tmp; 705 706 b = NULL; 707 while (size >= 4) { 708 register const u_char *p = &v[size - 4]; 709 bpf_int32 w = ((bpf_int32)p[0] << 24) | 710 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 711 712 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 713 if (b != NULL) 714 gen_and(b, tmp); 715 b = tmp; 716 size -= 4; 717 } 718 while (size >= 2) { 719 register const u_char *p = &v[size - 2]; 720 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 721 722 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 723 if (b != NULL) 724 gen_and(b, tmp); 725 b = tmp; 726 size -= 2; 727 } 728 if (size > 0) { 729 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 730 if (b != NULL) 731 gen_and(b, tmp); 732 b = tmp; 733 } 734 return b; 735 } 736 737 /* 738 * AND the field of size "size" at offset "offset" relative to the header 739 * specified by "offrel" with "mask", and compare it with the value "v" 740 * with the test specified by "jtype"; if "reverse" is true, the test 741 * should test the opposite of "jtype". 742 */ 743 static struct block * 744 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 745 enum e_offrel offrel; 746 bpf_int32 v; 747 bpf_u_int32 offset, size, mask, jtype; 748 int reverse; 749 { 750 struct slist *s, *s2; 751 struct block *b; 752 753 s = gen_load_a(offrel, offset, size); 754 755 if (mask != 0xffffffff) { 756 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 757 s2->s.k = mask; 758 sappend(s, s2); 759 } 760 761 b = new_block(JMP(jtype)); 762 b->stmts = s; 763 b->s.k = v; 764 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 765 gen_not(b); 766 return b; 767 } 768 769 /* 770 * Various code constructs need to know the layout of the data link 771 * layer. These variables give the necessary offsets from the beginning 772 * of the packet data. 773 */ 774 775 /* 776 * This is the offset of the beginning of the link-layer header from 777 * the beginning of the raw packet data. 778 * 779 * It's usually 0, except for 802.11 with a fixed-length radio header. 780 * (For 802.11 with a variable-length radio header, we have to generate 781 * code to compute that offset; off_ll is 0 in that case.) 782 */ 783 static u_int off_ll; 784 785 /* 786 * If there's a variable-length header preceding the link-layer header, 787 * "reg_off_ll" is the register number for a register containing the 788 * length of that header, and therefore the offset of the link-layer 789 * header from the beginning of the raw packet data. Otherwise, 790 * "reg_off_ll" is -1. 791 */ 792 static int reg_off_ll; 793 794 /* 795 * This is the offset of the beginning of the MAC-layer header from 796 * the beginning of the link-layer header. 797 * It's usually 0, except for ATM LANE, where it's the offset, relative 798 * to the beginning of the raw packet data, of the Ethernet header, and 799 * for Ethernet with various additional information. 800 */ 801 static u_int off_mac; 802 803 /* 804 * This is the offset of the beginning of the MAC-layer payload, 805 * from the beginning of the raw packet data. 806 * 807 * I.e., it's the sum of the length of the link-layer header (without, 808 * for example, any 802.2 LLC header, so it's the MAC-layer 809 * portion of that header), plus any prefix preceding the 810 * link-layer header. 811 */ 812 static u_int off_macpl; 813 814 /* 815 * This is 1 if the offset of the beginning of the MAC-layer payload 816 * from the beginning of the link-layer header is variable-length. 817 */ 818 static int off_macpl_is_variable; 819 820 /* 821 * If the link layer has variable_length headers, "reg_off_macpl" 822 * is the register number for a register containing the length of the 823 * link-layer header plus the length of any variable-length header 824 * preceding the link-layer header. Otherwise, "reg_off_macpl" 825 * is -1. 826 */ 827 static int reg_off_macpl; 828 829 /* 830 * "off_linktype" is the offset to information in the link-layer header 831 * giving the packet type. This offset is relative to the beginning 832 * of the link-layer header (i.e., it doesn't include off_ll). 833 * 834 * For Ethernet, it's the offset of the Ethernet type field. 835 * 836 * For link-layer types that always use 802.2 headers, it's the 837 * offset of the LLC header. 838 * 839 * For PPP, it's the offset of the PPP type field. 840 * 841 * For Cisco HDLC, it's the offset of the CHDLC type field. 842 * 843 * For BSD loopback, it's the offset of the AF_ value. 844 * 845 * For Linux cooked sockets, it's the offset of the type field. 846 * 847 * It's set to -1 for no encapsulation, in which case, IP is assumed. 848 */ 849 static u_int off_linktype; 850 851 /* 852 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 853 * checks to check the PPP header, assumed to follow a LAN-style link- 854 * layer header and a PPPoE session header. 855 */ 856 static int is_pppoes = 0; 857 858 /* 859 * TRUE if the link layer includes an ATM pseudo-header. 860 */ 861 static int is_atm = 0; 862 863 /* 864 * TRUE if "lane" appeared in the filter; it causes us to generate 865 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 866 */ 867 static int is_lane = 0; 868 869 /* 870 * These are offsets for the ATM pseudo-header. 871 */ 872 static u_int off_vpi; 873 static u_int off_vci; 874 static u_int off_proto; 875 876 /* 877 * These are offsets for the MTP2 fields. 878 */ 879 static u_int off_li; 880 static u_int off_li_hsl; 881 882 /* 883 * These are offsets for the MTP3 fields. 884 */ 885 static u_int off_sio; 886 static u_int off_opc; 887 static u_int off_dpc; 888 static u_int off_sls; 889 890 /* 891 * This is the offset of the first byte after the ATM pseudo_header, 892 * or -1 if there is no ATM pseudo-header. 893 */ 894 static u_int off_payload; 895 896 /* 897 * These are offsets to the beginning of the network-layer header. 898 * They are relative to the beginning of the MAC-layer payload (i.e., 899 * they don't include off_ll or off_macpl). 900 * 901 * If the link layer never uses 802.2 LLC: 902 * 903 * "off_nl" and "off_nl_nosnap" are the same. 904 * 905 * If the link layer always uses 802.2 LLC: 906 * 907 * "off_nl" is the offset if there's a SNAP header following 908 * the 802.2 header; 909 * 910 * "off_nl_nosnap" is the offset if there's no SNAP header. 911 * 912 * If the link layer is Ethernet: 913 * 914 * "off_nl" is the offset if the packet is an Ethernet II packet 915 * (we assume no 802.3+802.2+SNAP); 916 * 917 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 918 * with an 802.2 header following it. 919 */ 920 static u_int off_nl; 921 static u_int off_nl_nosnap; 922 923 static int linktype; 924 925 static void 926 init_linktype(p) 927 pcap_t *p; 928 { 929 linktype = pcap_datalink(p); 930 pcap_fddipad = p->fddipad; 931 932 /* 933 * Assume it's not raw ATM with a pseudo-header, for now. 934 */ 935 off_mac = 0; 936 is_atm = 0; 937 is_lane = 0; 938 off_vpi = -1; 939 off_vci = -1; 940 off_proto = -1; 941 off_payload = -1; 942 943 /* 944 * And that we're not doing PPPoE. 945 */ 946 is_pppoes = 0; 947 948 /* 949 * And assume we're not doing SS7. 950 */ 951 off_li = -1; 952 off_li_hsl = -1; 953 off_sio = -1; 954 off_opc = -1; 955 off_dpc = -1; 956 off_sls = -1; 957 958 /* 959 * Also assume it's not 802.11. 960 */ 961 off_ll = 0; 962 off_macpl = 0; 963 off_macpl_is_variable = 0; 964 965 orig_linktype = -1; 966 orig_nl = -1; 967 label_stack_depth = 0; 968 969 reg_off_ll = -1; 970 reg_off_macpl = -1; 971 972 switch (linktype) { 973 974 case DLT_ARCNET: 975 off_linktype = 2; 976 off_macpl = 6; 977 off_nl = 0; /* XXX in reality, variable! */ 978 off_nl_nosnap = 0; /* no 802.2 LLC */ 979 return; 980 981 case DLT_ARCNET_LINUX: 982 off_linktype = 4; 983 off_macpl = 8; 984 off_nl = 0; /* XXX in reality, variable! */ 985 off_nl_nosnap = 0; /* no 802.2 LLC */ 986 return; 987 988 case DLT_EN10MB: 989 off_linktype = 12; 990 off_macpl = 14; /* Ethernet header length */ 991 off_nl = 0; /* Ethernet II */ 992 off_nl_nosnap = 3; /* 802.3+802.2 */ 993 return; 994 995 case DLT_SLIP: 996 /* 997 * SLIP doesn't have a link level type. The 16 byte 998 * header is hacked into our SLIP driver. 999 */ 1000 off_linktype = -1; 1001 off_macpl = 16; 1002 off_nl = 0; 1003 off_nl_nosnap = 0; /* no 802.2 LLC */ 1004 return; 1005 1006 case DLT_SLIP_BSDOS: 1007 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1008 off_linktype = -1; 1009 /* XXX end */ 1010 off_macpl = 24; 1011 off_nl = 0; 1012 off_nl_nosnap = 0; /* no 802.2 LLC */ 1013 return; 1014 1015 case DLT_NULL: 1016 case DLT_LOOP: 1017 off_linktype = 0; 1018 off_macpl = 4; 1019 off_nl = 0; 1020 off_nl_nosnap = 0; /* no 802.2 LLC */ 1021 return; 1022 1023 case DLT_ENC: 1024 off_linktype = 0; 1025 off_macpl = 12; 1026 off_nl = 0; 1027 off_nl_nosnap = 0; /* no 802.2 LLC */ 1028 return; 1029 1030 case DLT_PPP: 1031 case DLT_PPP_PPPD: 1032 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1033 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1034 off_linktype = 2; 1035 off_macpl = 4; 1036 off_nl = 0; 1037 off_nl_nosnap = 0; /* no 802.2 LLC */ 1038 return; 1039 1040 case DLT_PPP_ETHER: 1041 /* 1042 * This does no include the Ethernet header, and 1043 * only covers session state. 1044 */ 1045 off_linktype = 6; 1046 off_macpl = 8; 1047 off_nl = 0; 1048 off_nl_nosnap = 0; /* no 802.2 LLC */ 1049 return; 1050 1051 case DLT_PPP_BSDOS: 1052 off_linktype = 5; 1053 off_macpl = 24; 1054 off_nl = 0; 1055 off_nl_nosnap = 0; /* no 802.2 LLC */ 1056 return; 1057 1058 case DLT_FDDI: 1059 /* 1060 * FDDI doesn't really have a link-level type field. 1061 * We set "off_linktype" to the offset of the LLC header. 1062 * 1063 * To check for Ethernet types, we assume that SSAP = SNAP 1064 * is being used and pick out the encapsulated Ethernet type. 1065 * XXX - should we generate code to check for SNAP? 1066 */ 1067 off_linktype = 13; 1068 off_linktype += pcap_fddipad; 1069 off_macpl = 13; /* FDDI MAC header length */ 1070 off_macpl += pcap_fddipad; 1071 off_nl = 8; /* 802.2+SNAP */ 1072 off_nl_nosnap = 3; /* 802.2 */ 1073 return; 1074 1075 case DLT_IEEE802: 1076 /* 1077 * Token Ring doesn't really have a link-level type field. 1078 * We set "off_linktype" to the offset of the LLC header. 1079 * 1080 * To check for Ethernet types, we assume that SSAP = SNAP 1081 * is being used and pick out the encapsulated Ethernet type. 1082 * XXX - should we generate code to check for SNAP? 1083 * 1084 * XXX - the header is actually variable-length. 1085 * Some various Linux patched versions gave 38 1086 * as "off_linktype" and 40 as "off_nl"; however, 1087 * if a token ring packet has *no* routing 1088 * information, i.e. is not source-routed, the correct 1089 * values are 20 and 22, as they are in the vanilla code. 1090 * 1091 * A packet is source-routed iff the uppermost bit 1092 * of the first byte of the source address, at an 1093 * offset of 8, has the uppermost bit set. If the 1094 * packet is source-routed, the total number of bytes 1095 * of routing information is 2 plus bits 0x1F00 of 1096 * the 16-bit value at an offset of 14 (shifted right 1097 * 8 - figure out which byte that is). 1098 */ 1099 off_linktype = 14; 1100 off_macpl = 14; /* Token Ring MAC header length */ 1101 off_nl = 8; /* 802.2+SNAP */ 1102 off_nl_nosnap = 3; /* 802.2 */ 1103 return; 1104 1105 case DLT_IEEE802_11: 1106 case DLT_PRISM_HEADER: 1107 case DLT_IEEE802_11_RADIO_AVS: 1108 case DLT_IEEE802_11_RADIO: 1109 /* 1110 * 802.11 doesn't really have a link-level type field. 1111 * We set "off_linktype" to the offset of the LLC header. 1112 * 1113 * To check for Ethernet types, we assume that SSAP = SNAP 1114 * is being used and pick out the encapsulated Ethernet type. 1115 * XXX - should we generate code to check for SNAP? 1116 * 1117 * We also handle variable-length radio headers here. 1118 * The Prism header is in theory variable-length, but in 1119 * practice it's always 144 bytes long. However, some 1120 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1121 * sometimes or always supply an AVS header, so we 1122 * have to check whether the radio header is a Prism 1123 * header or an AVS header, so, in practice, it's 1124 * variable-length. 1125 */ 1126 off_linktype = 24; 1127 off_macpl = 0; /* link-layer header is variable-length */ 1128 off_macpl_is_variable = 1; 1129 off_nl = 8; /* 802.2+SNAP */ 1130 off_nl_nosnap = 3; /* 802.2 */ 1131 return; 1132 1133 case DLT_PPI: 1134 /* 1135 * At the moment we treat PPI the same way that we treat 1136 * normal Radiotap encoded packets. The difference is in 1137 * the function that generates the code at the beginning 1138 * to compute the header length. Since this code generator 1139 * of PPI supports bare 802.11 encapsulation only (i.e. 1140 * the encapsulated DLT should be DLT_IEEE802_11) we 1141 * generate code to check for this too. 1142 */ 1143 off_linktype = 24; 1144 off_macpl = 0; /* link-layer header is variable-length */ 1145 off_macpl_is_variable = 1; 1146 off_nl = 8; /* 802.2+SNAP */ 1147 off_nl_nosnap = 3; /* 802.2 */ 1148 return; 1149 1150 case DLT_ATM_RFC1483: 1151 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1152 /* 1153 * assume routed, non-ISO PDUs 1154 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1155 * 1156 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1157 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1158 * latter would presumably be treated the way PPPoE 1159 * should be, so you can do "pppoe and udp port 2049" 1160 * or "pppoa and tcp port 80" and have it check for 1161 * PPPo{A,E} and a PPP protocol of IP and.... 1162 */ 1163 off_linktype = 0; 1164 off_macpl = 0; /* packet begins with LLC header */ 1165 off_nl = 8; /* 802.2+SNAP */ 1166 off_nl_nosnap = 3; /* 802.2 */ 1167 return; 1168 1169 case DLT_SUNATM: 1170 /* 1171 * Full Frontal ATM; you get AALn PDUs with an ATM 1172 * pseudo-header. 1173 */ 1174 is_atm = 1; 1175 off_vpi = SUNATM_VPI_POS; 1176 off_vci = SUNATM_VCI_POS; 1177 off_proto = PROTO_POS; 1178 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1179 off_payload = SUNATM_PKT_BEGIN_POS; 1180 off_linktype = off_payload; 1181 off_macpl = off_payload; /* if LLC-encapsulated */ 1182 off_nl = 8; /* 802.2+SNAP */ 1183 off_nl_nosnap = 3; /* 802.2 */ 1184 return; 1185 1186 case DLT_RAW: 1187 case DLT_IPV4: 1188 case DLT_IPV6: 1189 off_linktype = -1; 1190 off_macpl = 0; 1191 off_nl = 0; 1192 off_nl_nosnap = 0; /* no 802.2 LLC */ 1193 return; 1194 1195 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1196 off_linktype = 14; 1197 off_macpl = 16; 1198 off_nl = 0; 1199 off_nl_nosnap = 0; /* no 802.2 LLC */ 1200 return; 1201 1202 case DLT_LTALK: 1203 /* 1204 * LocalTalk does have a 1-byte type field in the LLAP header, 1205 * but really it just indicates whether there is a "short" or 1206 * "long" DDP packet following. 1207 */ 1208 off_linktype = -1; 1209 off_macpl = 0; 1210 off_nl = 0; 1211 off_nl_nosnap = 0; /* no 802.2 LLC */ 1212 return; 1213 1214 case DLT_IP_OVER_FC: 1215 /* 1216 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1217 * link-level type field. We set "off_linktype" to the 1218 * offset of the LLC header. 1219 * 1220 * To check for Ethernet types, we assume that SSAP = SNAP 1221 * is being used and pick out the encapsulated Ethernet type. 1222 * XXX - should we generate code to check for SNAP? RFC 1223 * 2625 says SNAP should be used. 1224 */ 1225 off_linktype = 16; 1226 off_macpl = 16; 1227 off_nl = 8; /* 802.2+SNAP */ 1228 off_nl_nosnap = 3; /* 802.2 */ 1229 return; 1230 1231 case DLT_FRELAY: 1232 /* 1233 * XXX - we should set this to handle SNAP-encapsulated 1234 * frames (NLPID of 0x80). 1235 */ 1236 off_linktype = -1; 1237 off_macpl = 0; 1238 off_nl = 0; 1239 off_nl_nosnap = 0; /* no 802.2 LLC */ 1240 return; 1241 1242 /* 1243 * the only BPF-interesting FRF.16 frames are non-control frames; 1244 * Frame Relay has a variable length link-layer 1245 * so lets start with offset 4 for now and increments later on (FIXME); 1246 */ 1247 case DLT_MFR: 1248 off_linktype = -1; 1249 off_macpl = 0; 1250 off_nl = 4; 1251 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1252 return; 1253 1254 case DLT_APPLE_IP_OVER_IEEE1394: 1255 off_linktype = 16; 1256 off_macpl = 18; 1257 off_nl = 0; 1258 off_nl_nosnap = 0; /* no 802.2 LLC */ 1259 return; 1260 1261 case DLT_SYMANTEC_FIREWALL: 1262 off_linktype = 6; 1263 off_macpl = 44; 1264 off_nl = 0; /* Ethernet II */ 1265 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1266 return; 1267 1268 #ifdef HAVE_NET_PFVAR_H 1269 case DLT_PFLOG: 1270 off_linktype = 0; 1271 off_macpl = PFLOG_HDRLEN; 1272 off_nl = 0; 1273 off_nl_nosnap = 0; /* no 802.2 LLC */ 1274 return; 1275 #endif 1276 1277 case DLT_JUNIPER_MFR: 1278 case DLT_JUNIPER_MLFR: 1279 case DLT_JUNIPER_MLPPP: 1280 case DLT_JUNIPER_PPP: 1281 case DLT_JUNIPER_CHDLC: 1282 case DLT_JUNIPER_FRELAY: 1283 off_linktype = 4; 1284 off_macpl = 4; 1285 off_nl = 0; 1286 off_nl_nosnap = -1; /* no 802.2 LLC */ 1287 return; 1288 1289 case DLT_JUNIPER_ATM1: 1290 off_linktype = 4; /* in reality variable between 4-8 */ 1291 off_macpl = 4; /* in reality variable between 4-8 */ 1292 off_nl = 0; 1293 off_nl_nosnap = 10; 1294 return; 1295 1296 case DLT_JUNIPER_ATM2: 1297 off_linktype = 8; /* in reality variable between 8-12 */ 1298 off_macpl = 8; /* in reality variable between 8-12 */ 1299 off_nl = 0; 1300 off_nl_nosnap = 10; 1301 return; 1302 1303 /* frames captured on a Juniper PPPoE service PIC 1304 * contain raw ethernet frames */ 1305 case DLT_JUNIPER_PPPOE: 1306 case DLT_JUNIPER_ETHER: 1307 off_macpl = 14; 1308 off_linktype = 16; 1309 off_nl = 18; /* Ethernet II */ 1310 off_nl_nosnap = 21; /* 802.3+802.2 */ 1311 return; 1312 1313 case DLT_JUNIPER_PPPOE_ATM: 1314 off_linktype = 4; 1315 off_macpl = 6; 1316 off_nl = 0; 1317 off_nl_nosnap = -1; /* no 802.2 LLC */ 1318 return; 1319 1320 case DLT_JUNIPER_GGSN: 1321 off_linktype = 6; 1322 off_macpl = 12; 1323 off_nl = 0; 1324 off_nl_nosnap = -1; /* no 802.2 LLC */ 1325 return; 1326 1327 case DLT_JUNIPER_ES: 1328 off_linktype = 6; 1329 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1330 off_nl = -1; /* not really a network layer but raw IP addresses */ 1331 off_nl_nosnap = -1; /* no 802.2 LLC */ 1332 return; 1333 1334 case DLT_JUNIPER_MONITOR: 1335 off_linktype = 12; 1336 off_macpl = 12; 1337 off_nl = 0; /* raw IP/IP6 header */ 1338 off_nl_nosnap = -1; /* no 802.2 LLC */ 1339 return; 1340 1341 case DLT_BACNET_MS_TP: 1342 off_linktype = -1; 1343 off_macpl = -1; 1344 off_nl = -1; 1345 off_nl_nosnap = -1; 1346 return; 1347 1348 case DLT_JUNIPER_SERVICES: 1349 off_linktype = 12; 1350 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1351 off_nl = -1; /* L3 proto location dep. on cookie type */ 1352 off_nl_nosnap = -1; /* no 802.2 LLC */ 1353 return; 1354 1355 case DLT_JUNIPER_VP: 1356 off_linktype = 18; 1357 off_macpl = -1; 1358 off_nl = -1; 1359 off_nl_nosnap = -1; 1360 return; 1361 1362 case DLT_JUNIPER_ST: 1363 off_linktype = 18; 1364 off_macpl = -1; 1365 off_nl = -1; 1366 off_nl_nosnap = -1; 1367 return; 1368 1369 case DLT_JUNIPER_ISM: 1370 off_linktype = 8; 1371 off_macpl = -1; 1372 off_nl = -1; 1373 off_nl_nosnap = -1; 1374 return; 1375 1376 case DLT_JUNIPER_VS: 1377 case DLT_JUNIPER_SRX_E2E: 1378 case DLT_JUNIPER_FIBRECHANNEL: 1379 case DLT_JUNIPER_ATM_CEMIC: 1380 off_linktype = 8; 1381 off_macpl = -1; 1382 off_nl = -1; 1383 off_nl_nosnap = -1; 1384 return; 1385 1386 case DLT_MTP2: 1387 off_li = 2; 1388 off_li_hsl = 4; 1389 off_sio = 3; 1390 off_opc = 4; 1391 off_dpc = 4; 1392 off_sls = 7; 1393 off_linktype = -1; 1394 off_macpl = -1; 1395 off_nl = -1; 1396 off_nl_nosnap = -1; 1397 return; 1398 1399 case DLT_MTP2_WITH_PHDR: 1400 off_li = 6; 1401 off_li_hsl = 8; 1402 off_sio = 7; 1403 off_opc = 8; 1404 off_dpc = 8; 1405 off_sls = 11; 1406 off_linktype = -1; 1407 off_macpl = -1; 1408 off_nl = -1; 1409 off_nl_nosnap = -1; 1410 return; 1411 1412 case DLT_ERF: 1413 off_li = 22; 1414 off_li_hsl = 24; 1415 off_sio = 23; 1416 off_opc = 24; 1417 off_dpc = 24; 1418 off_sls = 27; 1419 off_linktype = -1; 1420 off_macpl = -1; 1421 off_nl = -1; 1422 off_nl_nosnap = -1; 1423 return; 1424 1425 case DLT_PFSYNC: 1426 off_linktype = -1; 1427 off_macpl = 4; 1428 off_nl = 0; 1429 off_nl_nosnap = 0; 1430 return; 1431 1432 case DLT_AX25_KISS: 1433 /* 1434 * Currently, only raw "link[N:M]" filtering is supported. 1435 */ 1436 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1437 off_macpl = -1; 1438 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1439 off_nl_nosnap = -1; /* no 802.2 LLC */ 1440 off_mac = 1; /* step over the kiss length byte */ 1441 return; 1442 1443 case DLT_IPNET: 1444 off_linktype = 1; 1445 off_macpl = 24; /* ipnet header length */ 1446 off_nl = 0; 1447 off_nl_nosnap = -1; 1448 return; 1449 1450 case DLT_NETANALYZER: 1451 off_mac = 4; /* MAC header is past 4-byte pseudo-header */ 1452 off_linktype = 16; /* includes 4-byte pseudo-header */ 1453 off_macpl = 18; /* pseudo-header+Ethernet header length */ 1454 off_nl = 0; /* Ethernet II */ 1455 off_nl_nosnap = 3; /* 802.3+802.2 */ 1456 return; 1457 1458 case DLT_NETANALYZER_TRANSPARENT: 1459 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1460 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */ 1461 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */ 1462 off_nl = 0; /* Ethernet II */ 1463 off_nl_nosnap = 3; /* 802.3+802.2 */ 1464 return; 1465 1466 default: 1467 /* 1468 * For values in the range in which we've assigned new 1469 * DLT_ values, only raw "link[N:M]" filtering is supported. 1470 */ 1471 if (linktype >= DLT_MATCHING_MIN && 1472 linktype <= DLT_MATCHING_MAX) { 1473 off_linktype = -1; 1474 off_macpl = -1; 1475 off_nl = -1; 1476 off_nl_nosnap = -1; 1477 return; 1478 } 1479 1480 } 1481 bpf_error("unknown data link type %d", linktype); 1482 /* NOTREACHED */ 1483 } 1484 1485 /* 1486 * Load a value relative to the beginning of the link-layer header. 1487 * The link-layer header doesn't necessarily begin at the beginning 1488 * of the packet data; there might be a variable-length prefix containing 1489 * radio information. 1490 */ 1491 static struct slist * 1492 gen_load_llrel(offset, size) 1493 u_int offset, size; 1494 { 1495 struct slist *s, *s2; 1496 1497 s = gen_llprefixlen(); 1498 1499 /* 1500 * If "s" is non-null, it has code to arrange that the X register 1501 * contains the length of the prefix preceding the link-layer 1502 * header. 1503 * 1504 * Otherwise, the length of the prefix preceding the link-layer 1505 * header is "off_ll". 1506 */ 1507 if (s != NULL) { 1508 /* 1509 * There's a variable-length prefix preceding the 1510 * link-layer header. "s" points to a list of statements 1511 * that put the length of that prefix into the X register. 1512 * do an indirect load, to use the X register as an offset. 1513 */ 1514 s2 = new_stmt(BPF_LD|BPF_IND|size); 1515 s2->s.k = offset; 1516 sappend(s, s2); 1517 } else { 1518 /* 1519 * There is no variable-length header preceding the 1520 * link-layer header; add in off_ll, which, if there's 1521 * a fixed-length header preceding the link-layer header, 1522 * is the length of that header. 1523 */ 1524 s = new_stmt(BPF_LD|BPF_ABS|size); 1525 s->s.k = offset + off_ll; 1526 } 1527 return s; 1528 } 1529 1530 /* 1531 * Load a value relative to the beginning of the MAC-layer payload. 1532 */ 1533 static struct slist * 1534 gen_load_macplrel(offset, size) 1535 u_int offset, size; 1536 { 1537 struct slist *s, *s2; 1538 1539 s = gen_off_macpl(); 1540 1541 /* 1542 * If s is non-null, the offset of the MAC-layer payload is 1543 * variable, and s points to a list of instructions that 1544 * arrange that the X register contains that offset. 1545 * 1546 * Otherwise, the offset of the MAC-layer payload is constant, 1547 * and is in off_macpl. 1548 */ 1549 if (s != NULL) { 1550 /* 1551 * The offset of the MAC-layer payload is in the X 1552 * register. Do an indirect load, to use the X register 1553 * as an offset. 1554 */ 1555 s2 = new_stmt(BPF_LD|BPF_IND|size); 1556 s2->s.k = offset; 1557 sappend(s, s2); 1558 } else { 1559 /* 1560 * The offset of the MAC-layer payload is constant, 1561 * and is in off_macpl; load the value at that offset 1562 * plus the specified offset. 1563 */ 1564 s = new_stmt(BPF_LD|BPF_ABS|size); 1565 s->s.k = off_macpl + offset; 1566 } 1567 return s; 1568 } 1569 1570 /* 1571 * Load a value relative to the beginning of the specified header. 1572 */ 1573 static struct slist * 1574 gen_load_a(offrel, offset, size) 1575 enum e_offrel offrel; 1576 u_int offset, size; 1577 { 1578 struct slist *s, *s2; 1579 1580 switch (offrel) { 1581 1582 case OR_PACKET: 1583 s = new_stmt(BPF_LD|BPF_ABS|size); 1584 s->s.k = offset; 1585 break; 1586 1587 case OR_LINK: 1588 s = gen_load_llrel(offset, size); 1589 break; 1590 1591 case OR_MACPL: 1592 s = gen_load_macplrel(offset, size); 1593 break; 1594 1595 case OR_NET: 1596 s = gen_load_macplrel(off_nl + offset, size); 1597 break; 1598 1599 case OR_NET_NOSNAP: 1600 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1601 break; 1602 1603 case OR_TRAN_IPV4: 1604 /* 1605 * Load the X register with the length of the IPv4 header 1606 * (plus the offset of the link-layer header, if it's 1607 * preceded by a variable-length header such as a radio 1608 * header), in bytes. 1609 */ 1610 s = gen_loadx_iphdrlen(); 1611 1612 /* 1613 * Load the item at {offset of the MAC-layer payload} + 1614 * {offset, relative to the start of the MAC-layer 1615 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1616 * {specified offset}. 1617 * 1618 * (If the offset of the MAC-layer payload is variable, 1619 * it's included in the value in the X register, and 1620 * off_macpl is 0.) 1621 */ 1622 s2 = new_stmt(BPF_LD|BPF_IND|size); 1623 s2->s.k = off_macpl + off_nl + offset; 1624 sappend(s, s2); 1625 break; 1626 1627 case OR_TRAN_IPV6: 1628 s = gen_load_macplrel(off_nl + 40 + offset, size); 1629 break; 1630 1631 default: 1632 abort(); 1633 return NULL; 1634 } 1635 return s; 1636 } 1637 1638 /* 1639 * Generate code to load into the X register the sum of the length of 1640 * the IPv4 header and any variable-length header preceding the link-layer 1641 * header. 1642 */ 1643 static struct slist * 1644 gen_loadx_iphdrlen() 1645 { 1646 struct slist *s, *s2; 1647 1648 s = gen_off_macpl(); 1649 if (s != NULL) { 1650 /* 1651 * There's a variable-length prefix preceding the 1652 * link-layer header, or the link-layer header is itself 1653 * variable-length. "s" points to a list of statements 1654 * that put the offset of the MAC-layer payload into 1655 * the X register. 1656 * 1657 * The 4*([k]&0xf) addressing mode can't be used, as we 1658 * don't have a constant offset, so we have to load the 1659 * value in question into the A register and add to it 1660 * the value from the X register. 1661 */ 1662 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1663 s2->s.k = off_nl; 1664 sappend(s, s2); 1665 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1666 s2->s.k = 0xf; 1667 sappend(s, s2); 1668 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1669 s2->s.k = 2; 1670 sappend(s, s2); 1671 1672 /* 1673 * The A register now contains the length of the 1674 * IP header. We need to add to it the offset of 1675 * the MAC-layer payload, which is still in the X 1676 * register, and move the result into the X register. 1677 */ 1678 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1679 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1680 } else { 1681 /* 1682 * There is no variable-length header preceding the 1683 * link-layer header, and the link-layer header is 1684 * fixed-length; load the length of the IPv4 header, 1685 * which is at an offset of off_nl from the beginning 1686 * of the MAC-layer payload, and thus at an offset 1687 * of off_mac_pl + off_nl from the beginning of the 1688 * raw packet data. 1689 */ 1690 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1691 s->s.k = off_macpl + off_nl; 1692 } 1693 return s; 1694 } 1695 1696 static struct block * 1697 gen_uncond(rsense) 1698 int rsense; 1699 { 1700 struct block *b; 1701 struct slist *s; 1702 1703 s = new_stmt(BPF_LD|BPF_IMM); 1704 s->s.k = !rsense; 1705 b = new_block(JMP(BPF_JEQ)); 1706 b->stmts = s; 1707 1708 return b; 1709 } 1710 1711 static inline struct block * 1712 gen_true() 1713 { 1714 return gen_uncond(1); 1715 } 1716 1717 static inline struct block * 1718 gen_false() 1719 { 1720 return gen_uncond(0); 1721 } 1722 1723 /* 1724 * Byte-swap a 32-bit number. 1725 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1726 * big-endian platforms.) 1727 */ 1728 #define SWAPLONG(y) \ 1729 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1730 1731 /* 1732 * Generate code to match a particular packet type. 1733 * 1734 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1735 * value, if <= ETHERMTU. We use that to determine whether to 1736 * match the type/length field or to check the type/length field for 1737 * a value <= ETHERMTU to see whether it's a type field and then do 1738 * the appropriate test. 1739 */ 1740 static struct block * 1741 gen_ether_linktype(proto) 1742 register int proto; 1743 { 1744 struct block *b0, *b1; 1745 1746 switch (proto) { 1747 1748 case LLCSAP_ISONS: 1749 case LLCSAP_IP: 1750 case LLCSAP_NETBEUI: 1751 /* 1752 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1753 * so we check the DSAP and SSAP. 1754 * 1755 * LLCSAP_IP checks for IP-over-802.2, rather 1756 * than IP-over-Ethernet or IP-over-SNAP. 1757 * 1758 * XXX - should we check both the DSAP and the 1759 * SSAP, like this, or should we check just the 1760 * DSAP, as we do for other types <= ETHERMTU 1761 * (i.e., other SAP values)? 1762 */ 1763 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1764 gen_not(b0); 1765 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1766 ((proto << 8) | proto)); 1767 gen_and(b0, b1); 1768 return b1; 1769 1770 case LLCSAP_IPX: 1771 /* 1772 * Check for; 1773 * 1774 * Ethernet_II frames, which are Ethernet 1775 * frames with a frame type of ETHERTYPE_IPX; 1776 * 1777 * Ethernet_802.3 frames, which are 802.3 1778 * frames (i.e., the type/length field is 1779 * a length field, <= ETHERMTU, rather than 1780 * a type field) with the first two bytes 1781 * after the Ethernet/802.3 header being 1782 * 0xFFFF; 1783 * 1784 * Ethernet_802.2 frames, which are 802.3 1785 * frames with an 802.2 LLC header and 1786 * with the IPX LSAP as the DSAP in the LLC 1787 * header; 1788 * 1789 * Ethernet_SNAP frames, which are 802.3 1790 * frames with an LLC header and a SNAP 1791 * header and with an OUI of 0x000000 1792 * (encapsulated Ethernet) and a protocol 1793 * ID of ETHERTYPE_IPX in the SNAP header. 1794 * 1795 * XXX - should we generate the same code both 1796 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1797 */ 1798 1799 /* 1800 * This generates code to check both for the 1801 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1802 */ 1803 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1804 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1805 gen_or(b0, b1); 1806 1807 /* 1808 * Now we add code to check for SNAP frames with 1809 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1810 */ 1811 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1812 gen_or(b0, b1); 1813 1814 /* 1815 * Now we generate code to check for 802.3 1816 * frames in general. 1817 */ 1818 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1819 gen_not(b0); 1820 1821 /* 1822 * Now add the check for 802.3 frames before the 1823 * check for Ethernet_802.2 and Ethernet_802.3, 1824 * as those checks should only be done on 802.3 1825 * frames, not on Ethernet frames. 1826 */ 1827 gen_and(b0, b1); 1828 1829 /* 1830 * Now add the check for Ethernet_II frames, and 1831 * do that before checking for the other frame 1832 * types. 1833 */ 1834 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1835 (bpf_int32)ETHERTYPE_IPX); 1836 gen_or(b0, b1); 1837 return b1; 1838 1839 case ETHERTYPE_ATALK: 1840 case ETHERTYPE_AARP: 1841 /* 1842 * EtherTalk (AppleTalk protocols on Ethernet link 1843 * layer) may use 802.2 encapsulation. 1844 */ 1845 1846 /* 1847 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1848 * we check for an Ethernet type field less than 1849 * 1500, which means it's an 802.3 length field. 1850 */ 1851 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1852 gen_not(b0); 1853 1854 /* 1855 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1856 * SNAP packets with an organization code of 1857 * 0x080007 (Apple, for Appletalk) and a protocol 1858 * type of ETHERTYPE_ATALK (Appletalk). 1859 * 1860 * 802.2-encapsulated ETHERTYPE_AARP packets are 1861 * SNAP packets with an organization code of 1862 * 0x000000 (encapsulated Ethernet) and a protocol 1863 * type of ETHERTYPE_AARP (Appletalk ARP). 1864 */ 1865 if (proto == ETHERTYPE_ATALK) 1866 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1867 else /* proto == ETHERTYPE_AARP */ 1868 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1869 gen_and(b0, b1); 1870 1871 /* 1872 * Check for Ethernet encapsulation (Ethertalk 1873 * phase 1?); we just check for the Ethernet 1874 * protocol type. 1875 */ 1876 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1877 1878 gen_or(b0, b1); 1879 return b1; 1880 1881 default: 1882 if (proto <= ETHERMTU) { 1883 /* 1884 * This is an LLC SAP value, so the frames 1885 * that match would be 802.2 frames. 1886 * Check that the frame is an 802.2 frame 1887 * (i.e., that the length/type field is 1888 * a length field, <= ETHERMTU) and 1889 * then check the DSAP. 1890 */ 1891 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1892 gen_not(b0); 1893 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1894 (bpf_int32)proto); 1895 gen_and(b0, b1); 1896 return b1; 1897 } else { 1898 /* 1899 * This is an Ethernet type, so compare 1900 * the length/type field with it (if 1901 * the frame is an 802.2 frame, the length 1902 * field will be <= ETHERMTU, and, as 1903 * "proto" is > ETHERMTU, this test 1904 * will fail and the frame won't match, 1905 * which is what we want). 1906 */ 1907 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1908 (bpf_int32)proto); 1909 } 1910 } 1911 } 1912 1913 /* 1914 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1915 * or IPv6 then we have an error. 1916 */ 1917 static struct block * 1918 gen_ipnet_linktype(proto) 1919 register int proto; 1920 { 1921 switch (proto) { 1922 1923 case ETHERTYPE_IP: 1924 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1925 (bpf_int32)IPH_AF_INET); 1926 /* NOTREACHED */ 1927 1928 case ETHERTYPE_IPV6: 1929 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1930 (bpf_int32)IPH_AF_INET6); 1931 /* NOTREACHED */ 1932 1933 default: 1934 break; 1935 } 1936 1937 return gen_false(); 1938 } 1939 1940 /* 1941 * Generate code to match a particular packet type. 1942 * 1943 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1944 * value, if <= ETHERMTU. We use that to determine whether to 1945 * match the type field or to check the type field for the special 1946 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1947 */ 1948 static struct block * 1949 gen_linux_sll_linktype(proto) 1950 register int proto; 1951 { 1952 struct block *b0, *b1; 1953 1954 switch (proto) { 1955 1956 case LLCSAP_ISONS: 1957 case LLCSAP_IP: 1958 case LLCSAP_NETBEUI: 1959 /* 1960 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1961 * so we check the DSAP and SSAP. 1962 * 1963 * LLCSAP_IP checks for IP-over-802.2, rather 1964 * than IP-over-Ethernet or IP-over-SNAP. 1965 * 1966 * XXX - should we check both the DSAP and the 1967 * SSAP, like this, or should we check just the 1968 * DSAP, as we do for other types <= ETHERMTU 1969 * (i.e., other SAP values)? 1970 */ 1971 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1972 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1973 ((proto << 8) | proto)); 1974 gen_and(b0, b1); 1975 return b1; 1976 1977 case LLCSAP_IPX: 1978 /* 1979 * Ethernet_II frames, which are Ethernet 1980 * frames with a frame type of ETHERTYPE_IPX; 1981 * 1982 * Ethernet_802.3 frames, which have a frame 1983 * type of LINUX_SLL_P_802_3; 1984 * 1985 * Ethernet_802.2 frames, which are 802.3 1986 * frames with an 802.2 LLC header (i.e, have 1987 * a frame type of LINUX_SLL_P_802_2) and 1988 * with the IPX LSAP as the DSAP in the LLC 1989 * header; 1990 * 1991 * Ethernet_SNAP frames, which are 802.3 1992 * frames with an LLC header and a SNAP 1993 * header and with an OUI of 0x000000 1994 * (encapsulated Ethernet) and a protocol 1995 * ID of ETHERTYPE_IPX in the SNAP header. 1996 * 1997 * First, do the checks on LINUX_SLL_P_802_2 1998 * frames; generate the check for either 1999 * Ethernet_802.2 or Ethernet_SNAP frames, and 2000 * then put a check for LINUX_SLL_P_802_2 frames 2001 * before it. 2002 */ 2003 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2004 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2005 gen_or(b0, b1); 2006 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2007 gen_and(b0, b1); 2008 2009 /* 2010 * Now check for 802.3 frames and OR that with 2011 * the previous test. 2012 */ 2013 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2014 gen_or(b0, b1); 2015 2016 /* 2017 * Now add the check for Ethernet_II frames, and 2018 * do that before checking for the other frame 2019 * types. 2020 */ 2021 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2022 (bpf_int32)ETHERTYPE_IPX); 2023 gen_or(b0, b1); 2024 return b1; 2025 2026 case ETHERTYPE_ATALK: 2027 case ETHERTYPE_AARP: 2028 /* 2029 * EtherTalk (AppleTalk protocols on Ethernet link 2030 * layer) may use 802.2 encapsulation. 2031 */ 2032 2033 /* 2034 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2035 * we check for the 802.2 protocol type in the 2036 * "Ethernet type" field. 2037 */ 2038 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2039 2040 /* 2041 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2042 * SNAP packets with an organization code of 2043 * 0x080007 (Apple, for Appletalk) and a protocol 2044 * type of ETHERTYPE_ATALK (Appletalk). 2045 * 2046 * 802.2-encapsulated ETHERTYPE_AARP packets are 2047 * SNAP packets with an organization code of 2048 * 0x000000 (encapsulated Ethernet) and a protocol 2049 * type of ETHERTYPE_AARP (Appletalk ARP). 2050 */ 2051 if (proto == ETHERTYPE_ATALK) 2052 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2053 else /* proto == ETHERTYPE_AARP */ 2054 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2055 gen_and(b0, b1); 2056 2057 /* 2058 * Check for Ethernet encapsulation (Ethertalk 2059 * phase 1?); we just check for the Ethernet 2060 * protocol type. 2061 */ 2062 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2063 2064 gen_or(b0, b1); 2065 return b1; 2066 2067 default: 2068 if (proto <= ETHERMTU) { 2069 /* 2070 * This is an LLC SAP value, so the frames 2071 * that match would be 802.2 frames. 2072 * Check for the 802.2 protocol type 2073 * in the "Ethernet type" field, and 2074 * then check the DSAP. 2075 */ 2076 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2077 LINUX_SLL_P_802_2); 2078 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2079 (bpf_int32)proto); 2080 gen_and(b0, b1); 2081 return b1; 2082 } else { 2083 /* 2084 * This is an Ethernet type, so compare 2085 * the length/type field with it (if 2086 * the frame is an 802.2 frame, the length 2087 * field will be <= ETHERMTU, and, as 2088 * "proto" is > ETHERMTU, this test 2089 * will fail and the frame won't match, 2090 * which is what we want). 2091 */ 2092 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2093 (bpf_int32)proto); 2094 } 2095 } 2096 } 2097 2098 static struct slist * 2099 gen_load_prism_llprefixlen() 2100 { 2101 struct slist *s1, *s2; 2102 struct slist *sjeq_avs_cookie; 2103 struct slist *sjcommon; 2104 2105 /* 2106 * This code is not compatible with the optimizer, as 2107 * we are generating jmp instructions within a normal 2108 * slist of instructions 2109 */ 2110 no_optimize = 1; 2111 2112 /* 2113 * Generate code to load the length of the radio header into 2114 * the register assigned to hold that length, if one has been 2115 * assigned. (If one hasn't been assigned, no code we've 2116 * generated uses that prefix, so we don't need to generate any 2117 * code to load it.) 2118 * 2119 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2120 * or always use the AVS header rather than the Prism header. 2121 * We load a 4-byte big-endian value at the beginning of the 2122 * raw packet data, and see whether, when masked with 0xFFFFF000, 2123 * it's equal to 0x80211000. If so, that indicates that it's 2124 * an AVS header (the masked-out bits are the version number). 2125 * Otherwise, it's a Prism header. 2126 * 2127 * XXX - the Prism header is also, in theory, variable-length, 2128 * but no known software generates headers that aren't 144 2129 * bytes long. 2130 */ 2131 if (reg_off_ll != -1) { 2132 /* 2133 * Load the cookie. 2134 */ 2135 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2136 s1->s.k = 0; 2137 2138 /* 2139 * AND it with 0xFFFFF000. 2140 */ 2141 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2142 s2->s.k = 0xFFFFF000; 2143 sappend(s1, s2); 2144 2145 /* 2146 * Compare with 0x80211000. 2147 */ 2148 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2149 sjeq_avs_cookie->s.k = 0x80211000; 2150 sappend(s1, sjeq_avs_cookie); 2151 2152 /* 2153 * If it's AVS: 2154 * 2155 * The 4 bytes at an offset of 4 from the beginning of 2156 * the AVS header are the length of the AVS header. 2157 * That field is big-endian. 2158 */ 2159 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2160 s2->s.k = 4; 2161 sappend(s1, s2); 2162 sjeq_avs_cookie->s.jt = s2; 2163 2164 /* 2165 * Now jump to the code to allocate a register 2166 * into which to save the header length and 2167 * store the length there. (The "jump always" 2168 * instruction needs to have the k field set; 2169 * it's added to the PC, so, as we're jumping 2170 * over a single instruction, it should be 1.) 2171 */ 2172 sjcommon = new_stmt(JMP(BPF_JA)); 2173 sjcommon->s.k = 1; 2174 sappend(s1, sjcommon); 2175 2176 /* 2177 * Now for the code that handles the Prism header. 2178 * Just load the length of the Prism header (144) 2179 * into the A register. Have the test for an AVS 2180 * header branch here if we don't have an AVS header. 2181 */ 2182 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2183 s2->s.k = 144; 2184 sappend(s1, s2); 2185 sjeq_avs_cookie->s.jf = s2; 2186 2187 /* 2188 * Now allocate a register to hold that value and store 2189 * it. The code for the AVS header will jump here after 2190 * loading the length of the AVS header. 2191 */ 2192 s2 = new_stmt(BPF_ST); 2193 s2->s.k = reg_off_ll; 2194 sappend(s1, s2); 2195 sjcommon->s.jf = s2; 2196 2197 /* 2198 * Now move it into the X register. 2199 */ 2200 s2 = new_stmt(BPF_MISC|BPF_TAX); 2201 sappend(s1, s2); 2202 2203 return (s1); 2204 } else 2205 return (NULL); 2206 } 2207 2208 static struct slist * 2209 gen_load_avs_llprefixlen() 2210 { 2211 struct slist *s1, *s2; 2212 2213 /* 2214 * Generate code to load the length of the AVS header into 2215 * the register assigned to hold that length, if one has been 2216 * assigned. (If one hasn't been assigned, no code we've 2217 * generated uses that prefix, so we don't need to generate any 2218 * code to load it.) 2219 */ 2220 if (reg_off_ll != -1) { 2221 /* 2222 * The 4 bytes at an offset of 4 from the beginning of 2223 * the AVS header are the length of the AVS header. 2224 * That field is big-endian. 2225 */ 2226 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2227 s1->s.k = 4; 2228 2229 /* 2230 * Now allocate a register to hold that value and store 2231 * it. 2232 */ 2233 s2 = new_stmt(BPF_ST); 2234 s2->s.k = reg_off_ll; 2235 sappend(s1, s2); 2236 2237 /* 2238 * Now move it into the X register. 2239 */ 2240 s2 = new_stmt(BPF_MISC|BPF_TAX); 2241 sappend(s1, s2); 2242 2243 return (s1); 2244 } else 2245 return (NULL); 2246 } 2247 2248 static struct slist * 2249 gen_load_radiotap_llprefixlen() 2250 { 2251 struct slist *s1, *s2; 2252 2253 /* 2254 * Generate code to load the length of the radiotap header into 2255 * the register assigned to hold that length, if one has been 2256 * assigned. (If one hasn't been assigned, no code we've 2257 * generated uses that prefix, so we don't need to generate any 2258 * code to load it.) 2259 */ 2260 if (reg_off_ll != -1) { 2261 /* 2262 * The 2 bytes at offsets of 2 and 3 from the beginning 2263 * of the radiotap header are the length of the radiotap 2264 * header; unfortunately, it's little-endian, so we have 2265 * to load it a byte at a time and construct the value. 2266 */ 2267 2268 /* 2269 * Load the high-order byte, at an offset of 3, shift it 2270 * left a byte, and put the result in the X register. 2271 */ 2272 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2273 s1->s.k = 3; 2274 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2275 sappend(s1, s2); 2276 s2->s.k = 8; 2277 s2 = new_stmt(BPF_MISC|BPF_TAX); 2278 sappend(s1, s2); 2279 2280 /* 2281 * Load the next byte, at an offset of 2, and OR the 2282 * value from the X register into it. 2283 */ 2284 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2285 sappend(s1, s2); 2286 s2->s.k = 2; 2287 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2288 sappend(s1, s2); 2289 2290 /* 2291 * Now allocate a register to hold that value and store 2292 * it. 2293 */ 2294 s2 = new_stmt(BPF_ST); 2295 s2->s.k = reg_off_ll; 2296 sappend(s1, s2); 2297 2298 /* 2299 * Now move it into the X register. 2300 */ 2301 s2 = new_stmt(BPF_MISC|BPF_TAX); 2302 sappend(s1, s2); 2303 2304 return (s1); 2305 } else 2306 return (NULL); 2307 } 2308 2309 /* 2310 * At the moment we treat PPI as normal Radiotap encoded 2311 * packets. The difference is in the function that generates 2312 * the code at the beginning to compute the header length. 2313 * Since this code generator of PPI supports bare 802.11 2314 * encapsulation only (i.e. the encapsulated DLT should be 2315 * DLT_IEEE802_11) we generate code to check for this too; 2316 * that's done in finish_parse(). 2317 */ 2318 static struct slist * 2319 gen_load_ppi_llprefixlen() 2320 { 2321 struct slist *s1, *s2; 2322 2323 /* 2324 * Generate code to load the length of the radiotap header 2325 * into the register assigned to hold that length, if one has 2326 * been assigned. 2327 */ 2328 if (reg_off_ll != -1) { 2329 /* 2330 * The 2 bytes at offsets of 2 and 3 from the beginning 2331 * of the radiotap header are the length of the radiotap 2332 * header; unfortunately, it's little-endian, so we have 2333 * to load it a byte at a time and construct the value. 2334 */ 2335 2336 /* 2337 * Load the high-order byte, at an offset of 3, shift it 2338 * left a byte, and put the result in the X register. 2339 */ 2340 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2341 s1->s.k = 3; 2342 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2343 sappend(s1, s2); 2344 s2->s.k = 8; 2345 s2 = new_stmt(BPF_MISC|BPF_TAX); 2346 sappend(s1, s2); 2347 2348 /* 2349 * Load the next byte, at an offset of 2, and OR the 2350 * value from the X register into it. 2351 */ 2352 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2353 sappend(s1, s2); 2354 s2->s.k = 2; 2355 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2356 sappend(s1, s2); 2357 2358 /* 2359 * Now allocate a register to hold that value and store 2360 * it. 2361 */ 2362 s2 = new_stmt(BPF_ST); 2363 s2->s.k = reg_off_ll; 2364 sappend(s1, s2); 2365 2366 /* 2367 * Now move it into the X register. 2368 */ 2369 s2 = new_stmt(BPF_MISC|BPF_TAX); 2370 sappend(s1, s2); 2371 2372 return (s1); 2373 } else 2374 return (NULL); 2375 } 2376 2377 /* 2378 * Load a value relative to the beginning of the link-layer header after the 802.11 2379 * header, i.e. LLC_SNAP. 2380 * The link-layer header doesn't necessarily begin at the beginning 2381 * of the packet data; there might be a variable-length prefix containing 2382 * radio information. 2383 */ 2384 static struct slist * 2385 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2386 { 2387 struct slist *s2; 2388 struct slist *sjset_data_frame_1; 2389 struct slist *sjset_data_frame_2; 2390 struct slist *sjset_qos; 2391 struct slist *sjset_radiotap_flags; 2392 struct slist *sjset_radiotap_tsft; 2393 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2394 struct slist *s_roundup; 2395 2396 if (reg_off_macpl == -1) { 2397 /* 2398 * No register has been assigned to the offset of 2399 * the MAC-layer payload, which means nobody needs 2400 * it; don't bother computing it - just return 2401 * what we already have. 2402 */ 2403 return (s); 2404 } 2405 2406 /* 2407 * This code is not compatible with the optimizer, as 2408 * we are generating jmp instructions within a normal 2409 * slist of instructions 2410 */ 2411 no_optimize = 1; 2412 2413 /* 2414 * If "s" is non-null, it has code to arrange that the X register 2415 * contains the length of the prefix preceding the link-layer 2416 * header. 2417 * 2418 * Otherwise, the length of the prefix preceding the link-layer 2419 * header is "off_ll". 2420 */ 2421 if (s == NULL) { 2422 /* 2423 * There is no variable-length header preceding the 2424 * link-layer header. 2425 * 2426 * Load the length of the fixed-length prefix preceding 2427 * the link-layer header (if any) into the X register, 2428 * and store it in the reg_off_macpl register. 2429 * That length is off_ll. 2430 */ 2431 s = new_stmt(BPF_LDX|BPF_IMM); 2432 s->s.k = off_ll; 2433 } 2434 2435 /* 2436 * The X register contains the offset of the beginning of the 2437 * link-layer header; add 24, which is the minimum length 2438 * of the MAC header for a data frame, to that, and store it 2439 * in reg_off_macpl, and then load the Frame Control field, 2440 * which is at the offset in the X register, with an indexed load. 2441 */ 2442 s2 = new_stmt(BPF_MISC|BPF_TXA); 2443 sappend(s, s2); 2444 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2445 s2->s.k = 24; 2446 sappend(s, s2); 2447 s2 = new_stmt(BPF_ST); 2448 s2->s.k = reg_off_macpl; 2449 sappend(s, s2); 2450 2451 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2452 s2->s.k = 0; 2453 sappend(s, s2); 2454 2455 /* 2456 * Check the Frame Control field to see if this is a data frame; 2457 * a data frame has the 0x08 bit (b3) in that field set and the 2458 * 0x04 bit (b2) clear. 2459 */ 2460 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2461 sjset_data_frame_1->s.k = 0x08; 2462 sappend(s, sjset_data_frame_1); 2463 2464 /* 2465 * If b3 is set, test b2, otherwise go to the first statement of 2466 * the rest of the program. 2467 */ 2468 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2469 sjset_data_frame_2->s.k = 0x04; 2470 sappend(s, sjset_data_frame_2); 2471 sjset_data_frame_1->s.jf = snext; 2472 2473 /* 2474 * If b2 is not set, this is a data frame; test the QoS bit. 2475 * Otherwise, go to the first statement of the rest of the 2476 * program. 2477 */ 2478 sjset_data_frame_2->s.jt = snext; 2479 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2480 sjset_qos->s.k = 0x80; /* QoS bit */ 2481 sappend(s, sjset_qos); 2482 2483 /* 2484 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2485 * field. 2486 * Otherwise, go to the first statement of the rest of the 2487 * program. 2488 */ 2489 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2490 s2->s.k = reg_off_macpl; 2491 sappend(s, s2); 2492 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2493 s2->s.k = 2; 2494 sappend(s, s2); 2495 s2 = new_stmt(BPF_ST); 2496 s2->s.k = reg_off_macpl; 2497 sappend(s, s2); 2498 2499 /* 2500 * If we have a radiotap header, look at it to see whether 2501 * there's Atheros padding between the MAC-layer header 2502 * and the payload. 2503 * 2504 * Note: all of the fields in the radiotap header are 2505 * little-endian, so we byte-swap all of the values 2506 * we test against, as they will be loaded as big-endian 2507 * values. 2508 */ 2509 if (linktype == DLT_IEEE802_11_RADIO) { 2510 /* 2511 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2512 * in the presence flag? 2513 */ 2514 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2515 s2->s.k = 4; 2516 sappend(s, s2); 2517 2518 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2519 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2520 sappend(s, sjset_radiotap_flags); 2521 2522 /* 2523 * If not, skip all of this. 2524 */ 2525 sjset_radiotap_flags->s.jf = snext; 2526 2527 /* 2528 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2529 */ 2530 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2531 new_stmt(JMP(BPF_JSET)); 2532 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2533 sappend(s, sjset_radiotap_tsft); 2534 2535 /* 2536 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2537 * at an offset of 16 from the beginning of the raw packet 2538 * data (8 bytes for the radiotap header and 8 bytes for 2539 * the TSFT field). 2540 * 2541 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2542 * is set. 2543 */ 2544 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2545 s2->s.k = 16; 2546 sappend(s, s2); 2547 2548 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2549 sjset_tsft_datapad->s.k = 0x20; 2550 sappend(s, sjset_tsft_datapad); 2551 2552 /* 2553 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2554 * at an offset of 8 from the beginning of the raw packet 2555 * data (8 bytes for the radiotap header). 2556 * 2557 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2558 * is set. 2559 */ 2560 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2561 s2->s.k = 8; 2562 sappend(s, s2); 2563 2564 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2565 sjset_notsft_datapad->s.k = 0x20; 2566 sappend(s, sjset_notsft_datapad); 2567 2568 /* 2569 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2570 * set, round the length of the 802.11 header to 2571 * a multiple of 4. Do that by adding 3 and then 2572 * dividing by and multiplying by 4, which we do by 2573 * ANDing with ~3. 2574 */ 2575 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2576 s_roundup->s.k = reg_off_macpl; 2577 sappend(s, s_roundup); 2578 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2579 s2->s.k = 3; 2580 sappend(s, s2); 2581 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2582 s2->s.k = ~3; 2583 sappend(s, s2); 2584 s2 = new_stmt(BPF_ST); 2585 s2->s.k = reg_off_macpl; 2586 sappend(s, s2); 2587 2588 sjset_tsft_datapad->s.jt = s_roundup; 2589 sjset_tsft_datapad->s.jf = snext; 2590 sjset_notsft_datapad->s.jt = s_roundup; 2591 sjset_notsft_datapad->s.jf = snext; 2592 } else 2593 sjset_qos->s.jf = snext; 2594 2595 return s; 2596 } 2597 2598 static void 2599 insert_compute_vloffsets(b) 2600 struct block *b; 2601 { 2602 struct slist *s; 2603 2604 /* 2605 * For link-layer types that have a variable-length header 2606 * preceding the link-layer header, generate code to load 2607 * the offset of the link-layer header into the register 2608 * assigned to that offset, if any. 2609 */ 2610 switch (linktype) { 2611 2612 case DLT_PRISM_HEADER: 2613 s = gen_load_prism_llprefixlen(); 2614 break; 2615 2616 case DLT_IEEE802_11_RADIO_AVS: 2617 s = gen_load_avs_llprefixlen(); 2618 break; 2619 2620 case DLT_IEEE802_11_RADIO: 2621 s = gen_load_radiotap_llprefixlen(); 2622 break; 2623 2624 case DLT_PPI: 2625 s = gen_load_ppi_llprefixlen(); 2626 break; 2627 2628 default: 2629 s = NULL; 2630 break; 2631 } 2632 2633 /* 2634 * For link-layer types that have a variable-length link-layer 2635 * header, generate code to load the offset of the MAC-layer 2636 * payload into the register assigned to that offset, if any. 2637 */ 2638 switch (linktype) { 2639 2640 case DLT_IEEE802_11: 2641 case DLT_PRISM_HEADER: 2642 case DLT_IEEE802_11_RADIO_AVS: 2643 case DLT_IEEE802_11_RADIO: 2644 case DLT_PPI: 2645 s = gen_load_802_11_header_len(s, b->stmts); 2646 break; 2647 } 2648 2649 /* 2650 * If we have any offset-loading code, append all the 2651 * existing statements in the block to those statements, 2652 * and make the resulting list the list of statements 2653 * for the block. 2654 */ 2655 if (s != NULL) { 2656 sappend(s, b->stmts); 2657 b->stmts = s; 2658 } 2659 } 2660 2661 static struct block * 2662 gen_ppi_dlt_check(void) 2663 { 2664 struct slist *s_load_dlt; 2665 struct block *b; 2666 2667 if (linktype == DLT_PPI) 2668 { 2669 /* Create the statements that check for the DLT 2670 */ 2671 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2672 s_load_dlt->s.k = 4; 2673 2674 b = new_block(JMP(BPF_JEQ)); 2675 2676 b->stmts = s_load_dlt; 2677 b->s.k = SWAPLONG(DLT_IEEE802_11); 2678 } 2679 else 2680 { 2681 b = NULL; 2682 } 2683 2684 return b; 2685 } 2686 2687 static struct slist * 2688 gen_prism_llprefixlen(void) 2689 { 2690 struct slist *s; 2691 2692 if (reg_off_ll == -1) { 2693 /* 2694 * We haven't yet assigned a register for the length 2695 * of the radio header; allocate one. 2696 */ 2697 reg_off_ll = alloc_reg(); 2698 } 2699 2700 /* 2701 * Load the register containing the radio length 2702 * into the X register. 2703 */ 2704 s = new_stmt(BPF_LDX|BPF_MEM); 2705 s->s.k = reg_off_ll; 2706 return s; 2707 } 2708 2709 static struct slist * 2710 gen_avs_llprefixlen(void) 2711 { 2712 struct slist *s; 2713 2714 if (reg_off_ll == -1) { 2715 /* 2716 * We haven't yet assigned a register for the length 2717 * of the AVS header; allocate one. 2718 */ 2719 reg_off_ll = alloc_reg(); 2720 } 2721 2722 /* 2723 * Load the register containing the AVS length 2724 * into the X register. 2725 */ 2726 s = new_stmt(BPF_LDX|BPF_MEM); 2727 s->s.k = reg_off_ll; 2728 return s; 2729 } 2730 2731 static struct slist * 2732 gen_radiotap_llprefixlen(void) 2733 { 2734 struct slist *s; 2735 2736 if (reg_off_ll == -1) { 2737 /* 2738 * We haven't yet assigned a register for the length 2739 * of the radiotap header; allocate one. 2740 */ 2741 reg_off_ll = alloc_reg(); 2742 } 2743 2744 /* 2745 * Load the register containing the radiotap length 2746 * into the X register. 2747 */ 2748 s = new_stmt(BPF_LDX|BPF_MEM); 2749 s->s.k = reg_off_ll; 2750 return s; 2751 } 2752 2753 /* 2754 * At the moment we treat PPI as normal Radiotap encoded 2755 * packets. The difference is in the function that generates 2756 * the code at the beginning to compute the header length. 2757 * Since this code generator of PPI supports bare 802.11 2758 * encapsulation only (i.e. the encapsulated DLT should be 2759 * DLT_IEEE802_11) we generate code to check for this too. 2760 */ 2761 static struct slist * 2762 gen_ppi_llprefixlen(void) 2763 { 2764 struct slist *s; 2765 2766 if (reg_off_ll == -1) { 2767 /* 2768 * We haven't yet assigned a register for the length 2769 * of the radiotap header; allocate one. 2770 */ 2771 reg_off_ll = alloc_reg(); 2772 } 2773 2774 /* 2775 * Load the register containing the PPI length 2776 * into the X register. 2777 */ 2778 s = new_stmt(BPF_LDX|BPF_MEM); 2779 s->s.k = reg_off_ll; 2780 return s; 2781 } 2782 2783 /* 2784 * Generate code to compute the link-layer header length, if necessary, 2785 * putting it into the X register, and to return either a pointer to a 2786 * "struct slist" for the list of statements in that code, or NULL if 2787 * no code is necessary. 2788 */ 2789 static struct slist * 2790 gen_llprefixlen(void) 2791 { 2792 switch (linktype) { 2793 2794 case DLT_PRISM_HEADER: 2795 return gen_prism_llprefixlen(); 2796 2797 case DLT_IEEE802_11_RADIO_AVS: 2798 return gen_avs_llprefixlen(); 2799 2800 case DLT_IEEE802_11_RADIO: 2801 return gen_radiotap_llprefixlen(); 2802 2803 case DLT_PPI: 2804 return gen_ppi_llprefixlen(); 2805 2806 default: 2807 return NULL; 2808 } 2809 } 2810 2811 /* 2812 * Generate code to load the register containing the offset of the 2813 * MAC-layer payload into the X register; if no register for that offset 2814 * has been allocated, allocate it first. 2815 */ 2816 static struct slist * 2817 gen_off_macpl(void) 2818 { 2819 struct slist *s; 2820 2821 if (off_macpl_is_variable) { 2822 if (reg_off_macpl == -1) { 2823 /* 2824 * We haven't yet assigned a register for the offset 2825 * of the MAC-layer payload; allocate one. 2826 */ 2827 reg_off_macpl = alloc_reg(); 2828 } 2829 2830 /* 2831 * Load the register containing the offset of the MAC-layer 2832 * payload into the X register. 2833 */ 2834 s = new_stmt(BPF_LDX|BPF_MEM); 2835 s->s.k = reg_off_macpl; 2836 return s; 2837 } else { 2838 /* 2839 * That offset isn't variable, so we don't need to 2840 * generate any code. 2841 */ 2842 return NULL; 2843 } 2844 } 2845 2846 /* 2847 * Map an Ethernet type to the equivalent PPP type. 2848 */ 2849 static int 2850 ethertype_to_ppptype(proto) 2851 int proto; 2852 { 2853 switch (proto) { 2854 2855 case ETHERTYPE_IP: 2856 proto = PPP_IP; 2857 break; 2858 2859 case ETHERTYPE_IPV6: 2860 proto = PPP_IPV6; 2861 break; 2862 2863 case ETHERTYPE_DN: 2864 proto = PPP_DECNET; 2865 break; 2866 2867 case ETHERTYPE_ATALK: 2868 proto = PPP_APPLE; 2869 break; 2870 2871 case ETHERTYPE_NS: 2872 proto = PPP_NS; 2873 break; 2874 2875 case LLCSAP_ISONS: 2876 proto = PPP_OSI; 2877 break; 2878 2879 case LLCSAP_8021D: 2880 /* 2881 * I'm assuming the "Bridging PDU"s that go 2882 * over PPP are Spanning Tree Protocol 2883 * Bridging PDUs. 2884 */ 2885 proto = PPP_BRPDU; 2886 break; 2887 2888 case LLCSAP_IPX: 2889 proto = PPP_IPX; 2890 break; 2891 } 2892 return (proto); 2893 } 2894 2895 /* 2896 * Generate code to match a particular packet type by matching the 2897 * link-layer type field or fields in the 802.2 LLC header. 2898 * 2899 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2900 * value, if <= ETHERMTU. 2901 */ 2902 static struct block * 2903 gen_linktype(proto) 2904 register int proto; 2905 { 2906 struct block *b0, *b1, *b2; 2907 const char *description; 2908 2909 /* are we checking MPLS-encapsulated packets? */ 2910 if (label_stack_depth > 0) { 2911 switch (proto) { 2912 case ETHERTYPE_IP: 2913 case PPP_IP: 2914 /* FIXME add other L3 proto IDs */ 2915 return gen_mpls_linktype(Q_IP); 2916 2917 case ETHERTYPE_IPV6: 2918 case PPP_IPV6: 2919 /* FIXME add other L3 proto IDs */ 2920 return gen_mpls_linktype(Q_IPV6); 2921 2922 default: 2923 bpf_error("unsupported protocol over mpls"); 2924 /* NOTREACHED */ 2925 } 2926 } 2927 2928 /* 2929 * Are we testing PPPoE packets? 2930 */ 2931 if (is_pppoes) { 2932 /* 2933 * The PPPoE session header is part of the 2934 * MAC-layer payload, so all references 2935 * should be relative to the beginning of 2936 * that payload. 2937 */ 2938 2939 /* 2940 * We use Ethernet protocol types inside libpcap; 2941 * map them to the corresponding PPP protocol types. 2942 */ 2943 proto = ethertype_to_ppptype(proto); 2944 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2945 } 2946 2947 switch (linktype) { 2948 2949 case DLT_EN10MB: 2950 case DLT_NETANALYZER: 2951 case DLT_NETANALYZER_TRANSPARENT: 2952 return gen_ether_linktype(proto); 2953 /*NOTREACHED*/ 2954 break; 2955 2956 case DLT_C_HDLC: 2957 switch (proto) { 2958 2959 case LLCSAP_ISONS: 2960 proto = (proto << 8 | LLCSAP_ISONS); 2961 /* fall through */ 2962 2963 default: 2964 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2965 (bpf_int32)proto); 2966 /*NOTREACHED*/ 2967 break; 2968 } 2969 break; 2970 2971 case DLT_IEEE802_11: 2972 case DLT_PRISM_HEADER: 2973 case DLT_IEEE802_11_RADIO_AVS: 2974 case DLT_IEEE802_11_RADIO: 2975 case DLT_PPI: 2976 /* 2977 * Check that we have a data frame. 2978 */ 2979 b0 = gen_check_802_11_data_frame(); 2980 2981 /* 2982 * Now check for the specified link-layer type. 2983 */ 2984 b1 = gen_llc_linktype(proto); 2985 gen_and(b0, b1); 2986 return b1; 2987 /*NOTREACHED*/ 2988 break; 2989 2990 case DLT_FDDI: 2991 /* 2992 * XXX - check for LLC frames. 2993 */ 2994 return gen_llc_linktype(proto); 2995 /*NOTREACHED*/ 2996 break; 2997 2998 case DLT_IEEE802: 2999 /* 3000 * XXX - check for LLC PDUs, as per IEEE 802.5. 3001 */ 3002 return gen_llc_linktype(proto); 3003 /*NOTREACHED*/ 3004 break; 3005 3006 case DLT_ATM_RFC1483: 3007 case DLT_ATM_CLIP: 3008 case DLT_IP_OVER_FC: 3009 return gen_llc_linktype(proto); 3010 /*NOTREACHED*/ 3011 break; 3012 3013 case DLT_SUNATM: 3014 /* 3015 * If "is_lane" is set, check for a LANE-encapsulated 3016 * version of this protocol, otherwise check for an 3017 * LLC-encapsulated version of this protocol. 3018 * 3019 * We assume LANE means Ethernet, not Token Ring. 3020 */ 3021 if (is_lane) { 3022 /* 3023 * Check that the packet doesn't begin with an 3024 * LE Control marker. (We've already generated 3025 * a test for LANE.) 3026 */ 3027 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3028 0xFF00); 3029 gen_not(b0); 3030 3031 /* 3032 * Now generate an Ethernet test. 3033 */ 3034 b1 = gen_ether_linktype(proto); 3035 gen_and(b0, b1); 3036 return b1; 3037 } else { 3038 /* 3039 * Check for LLC encapsulation and then check the 3040 * protocol. 3041 */ 3042 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3043 b1 = gen_llc_linktype(proto); 3044 gen_and(b0, b1); 3045 return b1; 3046 } 3047 /*NOTREACHED*/ 3048 break; 3049 3050 case DLT_LINUX_SLL: 3051 return gen_linux_sll_linktype(proto); 3052 /*NOTREACHED*/ 3053 break; 3054 3055 case DLT_SLIP: 3056 case DLT_SLIP_BSDOS: 3057 case DLT_RAW: 3058 /* 3059 * These types don't provide any type field; packets 3060 * are always IPv4 or IPv6. 3061 * 3062 * XXX - for IPv4, check for a version number of 4, and, 3063 * for IPv6, check for a version number of 6? 3064 */ 3065 switch (proto) { 3066 3067 case ETHERTYPE_IP: 3068 /* Check for a version number of 4. */ 3069 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3070 3071 case ETHERTYPE_IPV6: 3072 /* Check for a version number of 6. */ 3073 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3074 3075 default: 3076 return gen_false(); /* always false */ 3077 } 3078 /*NOTREACHED*/ 3079 break; 3080 3081 case DLT_IPV4: 3082 /* 3083 * Raw IPv4, so no type field. 3084 */ 3085 if (proto == ETHERTYPE_IP) 3086 return gen_true(); /* always true */ 3087 3088 /* Checking for something other than IPv4; always false */ 3089 return gen_false(); 3090 /*NOTREACHED*/ 3091 break; 3092 3093 case DLT_IPV6: 3094 /* 3095 * Raw IPv6, so no type field. 3096 */ 3097 if (proto == ETHERTYPE_IPV6) 3098 return gen_true(); /* always true */ 3099 3100 /* Checking for something other than IPv6; always false */ 3101 return gen_false(); 3102 /*NOTREACHED*/ 3103 break; 3104 3105 case DLT_PPP: 3106 case DLT_PPP_PPPD: 3107 case DLT_PPP_SERIAL: 3108 case DLT_PPP_ETHER: 3109 /* 3110 * We use Ethernet protocol types inside libpcap; 3111 * map them to the corresponding PPP protocol types. 3112 */ 3113 proto = ethertype_to_ppptype(proto); 3114 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3115 /*NOTREACHED*/ 3116 break; 3117 3118 case DLT_PPP_BSDOS: 3119 /* 3120 * We use Ethernet protocol types inside libpcap; 3121 * map them to the corresponding PPP protocol types. 3122 */ 3123 switch (proto) { 3124 3125 case ETHERTYPE_IP: 3126 /* 3127 * Also check for Van Jacobson-compressed IP. 3128 * XXX - do this for other forms of PPP? 3129 */ 3130 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3131 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3132 gen_or(b0, b1); 3133 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3134 gen_or(b1, b0); 3135 return b0; 3136 3137 default: 3138 proto = ethertype_to_ppptype(proto); 3139 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3140 (bpf_int32)proto); 3141 } 3142 /*NOTREACHED*/ 3143 break; 3144 3145 case DLT_NULL: 3146 case DLT_LOOP: 3147 case DLT_ENC: 3148 /* 3149 * For DLT_NULL, the link-layer header is a 32-bit 3150 * word containing an AF_ value in *host* byte order, 3151 * and for DLT_ENC, the link-layer header begins 3152 * with a 32-bit work containing an AF_ value in 3153 * host byte order. 3154 * 3155 * In addition, if we're reading a saved capture file, 3156 * the host byte order in the capture may not be the 3157 * same as the host byte order on this machine. 3158 * 3159 * For DLT_LOOP, the link-layer header is a 32-bit 3160 * word containing an AF_ value in *network* byte order. 3161 * 3162 * XXX - AF_ values may, unfortunately, be platform- 3163 * dependent; for example, FreeBSD's AF_INET6 is 24 3164 * whilst NetBSD's and OpenBSD's is 26. 3165 * 3166 * This means that, when reading a capture file, just 3167 * checking for our AF_INET6 value won't work if the 3168 * capture file came from another OS. 3169 */ 3170 switch (proto) { 3171 3172 case ETHERTYPE_IP: 3173 proto = AF_INET; 3174 break; 3175 3176 #ifdef INET6 3177 case ETHERTYPE_IPV6: 3178 proto = AF_INET6; 3179 break; 3180 #endif 3181 3182 default: 3183 /* 3184 * Not a type on which we support filtering. 3185 * XXX - support those that have AF_ values 3186 * #defined on this platform, at least? 3187 */ 3188 return gen_false(); 3189 } 3190 3191 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3192 /* 3193 * The AF_ value is in host byte order, but 3194 * the BPF interpreter will convert it to 3195 * network byte order. 3196 * 3197 * If this is a save file, and it's from a 3198 * machine with the opposite byte order to 3199 * ours, we byte-swap the AF_ value. 3200 * 3201 * Then we run it through "htonl()", and 3202 * generate code to compare against the result. 3203 */ 3204 if (bpf_pcap->rfile != NULL && bpf_pcap->swapped) 3205 proto = SWAPLONG(proto); 3206 proto = htonl(proto); 3207 } 3208 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3209 3210 #ifdef HAVE_NET_PFVAR_H 3211 case DLT_PFLOG: 3212 /* 3213 * af field is host byte order in contrast to the rest of 3214 * the packet. 3215 */ 3216 if (proto == ETHERTYPE_IP) 3217 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3218 BPF_B, (bpf_int32)AF_INET)); 3219 else if (proto == ETHERTYPE_IPV6) 3220 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3221 BPF_B, (bpf_int32)AF_INET6)); 3222 else 3223 return gen_false(); 3224 /*NOTREACHED*/ 3225 break; 3226 #endif /* HAVE_NET_PFVAR_H */ 3227 3228 case DLT_ARCNET: 3229 case DLT_ARCNET_LINUX: 3230 /* 3231 * XXX should we check for first fragment if the protocol 3232 * uses PHDS? 3233 */ 3234 switch (proto) { 3235 3236 default: 3237 return gen_false(); 3238 3239 case ETHERTYPE_IPV6: 3240 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3241 (bpf_int32)ARCTYPE_INET6)); 3242 3243 case ETHERTYPE_IP: 3244 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3245 (bpf_int32)ARCTYPE_IP); 3246 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3247 (bpf_int32)ARCTYPE_IP_OLD); 3248 gen_or(b0, b1); 3249 return (b1); 3250 3251 case ETHERTYPE_ARP: 3252 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3253 (bpf_int32)ARCTYPE_ARP); 3254 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3255 (bpf_int32)ARCTYPE_ARP_OLD); 3256 gen_or(b0, b1); 3257 return (b1); 3258 3259 case ETHERTYPE_REVARP: 3260 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3261 (bpf_int32)ARCTYPE_REVARP)); 3262 3263 case ETHERTYPE_ATALK: 3264 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3265 (bpf_int32)ARCTYPE_ATALK)); 3266 } 3267 /*NOTREACHED*/ 3268 break; 3269 3270 case DLT_LTALK: 3271 switch (proto) { 3272 case ETHERTYPE_ATALK: 3273 return gen_true(); 3274 default: 3275 return gen_false(); 3276 } 3277 /*NOTREACHED*/ 3278 break; 3279 3280 case DLT_FRELAY: 3281 /* 3282 * XXX - assumes a 2-byte Frame Relay header with 3283 * DLCI and flags. What if the address is longer? 3284 */ 3285 switch (proto) { 3286 3287 case ETHERTYPE_IP: 3288 /* 3289 * Check for the special NLPID for IP. 3290 */ 3291 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3292 3293 case ETHERTYPE_IPV6: 3294 /* 3295 * Check for the special NLPID for IPv6. 3296 */ 3297 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3298 3299 case LLCSAP_ISONS: 3300 /* 3301 * Check for several OSI protocols. 3302 * 3303 * Frame Relay packets typically have an OSI 3304 * NLPID at the beginning; we check for each 3305 * of them. 3306 * 3307 * What we check for is the NLPID and a frame 3308 * control field of UI, i.e. 0x03 followed 3309 * by the NLPID. 3310 */ 3311 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3312 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3313 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3314 gen_or(b1, b2); 3315 gen_or(b0, b2); 3316 return b2; 3317 3318 default: 3319 return gen_false(); 3320 } 3321 /*NOTREACHED*/ 3322 break; 3323 3324 case DLT_MFR: 3325 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3326 3327 case DLT_JUNIPER_MFR: 3328 case DLT_JUNIPER_MLFR: 3329 case DLT_JUNIPER_MLPPP: 3330 case DLT_JUNIPER_ATM1: 3331 case DLT_JUNIPER_ATM2: 3332 case DLT_JUNIPER_PPPOE: 3333 case DLT_JUNIPER_PPPOE_ATM: 3334 case DLT_JUNIPER_GGSN: 3335 case DLT_JUNIPER_ES: 3336 case DLT_JUNIPER_MONITOR: 3337 case DLT_JUNIPER_SERVICES: 3338 case DLT_JUNIPER_ETHER: 3339 case DLT_JUNIPER_PPP: 3340 case DLT_JUNIPER_FRELAY: 3341 case DLT_JUNIPER_CHDLC: 3342 case DLT_JUNIPER_VP: 3343 case DLT_JUNIPER_ST: 3344 case DLT_JUNIPER_ISM: 3345 case DLT_JUNIPER_VS: 3346 case DLT_JUNIPER_SRX_E2E: 3347 case DLT_JUNIPER_FIBRECHANNEL: 3348 case DLT_JUNIPER_ATM_CEMIC: 3349 3350 /* just lets verify the magic number for now - 3351 * on ATM we may have up to 6 different encapsulations on the wire 3352 * and need a lot of heuristics to figure out that the payload 3353 * might be; 3354 * 3355 * FIXME encapsulation specific BPF_ filters 3356 */ 3357 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3358 3359 case DLT_BACNET_MS_TP: 3360 return gen_mcmp(OR_LINK, 0, BPF_W, 0x55FF0000, 0xffff0000); 3361 3362 case DLT_IPNET: 3363 return gen_ipnet_linktype(proto); 3364 3365 case DLT_LINUX_IRDA: 3366 bpf_error("IrDA link-layer type filtering not implemented"); 3367 3368 case DLT_DOCSIS: 3369 bpf_error("DOCSIS link-layer type filtering not implemented"); 3370 3371 case DLT_MTP2: 3372 case DLT_MTP2_WITH_PHDR: 3373 bpf_error("MTP2 link-layer type filtering not implemented"); 3374 3375 case DLT_ERF: 3376 bpf_error("ERF link-layer type filtering not implemented"); 3377 3378 case DLT_PFSYNC: 3379 bpf_error("PFSYNC link-layer type filtering not implemented"); 3380 3381 case DLT_LINUX_LAPD: 3382 bpf_error("LAPD link-layer type filtering not implemented"); 3383 3384 case DLT_USB: 3385 case DLT_USB_LINUX: 3386 case DLT_USB_LINUX_MMAPPED: 3387 bpf_error("USB link-layer type filtering not implemented"); 3388 3389 case DLT_BLUETOOTH_HCI_H4: 3390 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3391 bpf_error("Bluetooth link-layer type filtering not implemented"); 3392 3393 case DLT_CAN20B: 3394 case DLT_CAN_SOCKETCAN: 3395 bpf_error("CAN link-layer type filtering not implemented"); 3396 3397 case DLT_IEEE802_15_4: 3398 case DLT_IEEE802_15_4_LINUX: 3399 case DLT_IEEE802_15_4_NONASK_PHY: 3400 case DLT_IEEE802_15_4_NOFCS: 3401 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3402 3403 case DLT_IEEE802_16_MAC_CPS_RADIO: 3404 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3405 3406 case DLT_SITA: 3407 bpf_error("SITA link-layer type filtering not implemented"); 3408 3409 case DLT_RAIF1: 3410 bpf_error("RAIF1 link-layer type filtering not implemented"); 3411 3412 case DLT_IPMB: 3413 bpf_error("IPMB link-layer type filtering not implemented"); 3414 3415 case DLT_AX25_KISS: 3416 bpf_error("AX.25 link-layer type filtering not implemented"); 3417 3418 case DLT_NFLOG: 3419 /* Using the fixed-size NFLOG header it is possible to tell only 3420 * the address family of the packet, other meaningful data is 3421 * either missing or behind TLVs. 3422 */ 3423 bpf_error("NFLOG link-layer type filtering not implemented"); 3424 3425 default: 3426 /* 3427 * Does this link-layer header type have a field 3428 * indicating the type of the next protocol? If 3429 * so, off_linktype will be the offset of that 3430 * field in the packet; if not, it will be -1. 3431 */ 3432 if (off_linktype != (u_int)-1) { 3433 /* 3434 * Yes; assume it's an Ethernet type. (If 3435 * it's not, it needs to be handled specially 3436 * above.) 3437 */ 3438 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3439 } else { 3440 /* 3441 * No; report an error. 3442 */ 3443 description = pcap_datalink_val_to_description(linktype); 3444 if (description != NULL) { 3445 bpf_error("%s link-layer type filtering not implemented", 3446 description); 3447 } else { 3448 bpf_error("DLT %u link-layer type filtering not implemented", 3449 linktype); 3450 } 3451 } 3452 break; 3453 } 3454 } 3455 3456 /* 3457 * Check for an LLC SNAP packet with a given organization code and 3458 * protocol type; we check the entire contents of the 802.2 LLC and 3459 * snap headers, checking for DSAP and SSAP of SNAP and a control 3460 * field of 0x03 in the LLC header, and for the specified organization 3461 * code and protocol type in the SNAP header. 3462 */ 3463 static struct block * 3464 gen_snap(orgcode, ptype) 3465 bpf_u_int32 orgcode; 3466 bpf_u_int32 ptype; 3467 { 3468 u_char snapblock[8]; 3469 3470 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3471 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3472 snapblock[2] = 0x03; /* control = UI */ 3473 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3474 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3475 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3476 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3477 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3478 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3479 } 3480 3481 /* 3482 * Generate code to match frames with an LLC header. 3483 */ 3484 struct block * 3485 gen_llc(void) 3486 { 3487 struct block *b0, *b1; 3488 3489 switch (linktype) { 3490 3491 case DLT_EN10MB: 3492 /* 3493 * We check for an Ethernet type field less than 3494 * 1500, which means it's an 802.3 length field. 3495 */ 3496 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 3497 gen_not(b0); 3498 3499 /* 3500 * Now check for the purported DSAP and SSAP not being 3501 * 0xFF, to rule out NetWare-over-802.3. 3502 */ 3503 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 3504 gen_not(b1); 3505 gen_and(b0, b1); 3506 return b1; 3507 3508 case DLT_SUNATM: 3509 /* 3510 * We check for LLC traffic. 3511 */ 3512 b0 = gen_atmtype_abbrev(A_LLC); 3513 return b0; 3514 3515 case DLT_IEEE802: /* Token Ring */ 3516 /* 3517 * XXX - check for LLC frames. 3518 */ 3519 return gen_true(); 3520 3521 case DLT_FDDI: 3522 /* 3523 * XXX - check for LLC frames. 3524 */ 3525 return gen_true(); 3526 3527 case DLT_ATM_RFC1483: 3528 /* 3529 * For LLC encapsulation, these are defined to have an 3530 * 802.2 LLC header. 3531 * 3532 * For VC encapsulation, they don't, but there's no 3533 * way to check for that; the protocol used on the VC 3534 * is negotiated out of band. 3535 */ 3536 return gen_true(); 3537 3538 case DLT_IEEE802_11: 3539 case DLT_PRISM_HEADER: 3540 case DLT_IEEE802_11_RADIO: 3541 case DLT_IEEE802_11_RADIO_AVS: 3542 case DLT_PPI: 3543 /* 3544 * Check that we have a data frame. 3545 */ 3546 b0 = gen_check_802_11_data_frame(); 3547 return b0; 3548 3549 default: 3550 bpf_error("'llc' not supported for linktype %d", linktype); 3551 /* NOTREACHED */ 3552 } 3553 } 3554 3555 struct block * 3556 gen_llc_i(void) 3557 { 3558 struct block *b0, *b1; 3559 struct slist *s; 3560 3561 /* 3562 * Check whether this is an LLC frame. 3563 */ 3564 b0 = gen_llc(); 3565 3566 /* 3567 * Load the control byte and test the low-order bit; it must 3568 * be clear for I frames. 3569 */ 3570 s = gen_load_a(OR_MACPL, 2, BPF_B); 3571 b1 = new_block(JMP(BPF_JSET)); 3572 b1->s.k = 0x01; 3573 b1->stmts = s; 3574 gen_not(b1); 3575 gen_and(b0, b1); 3576 return b1; 3577 } 3578 3579 struct block * 3580 gen_llc_s(void) 3581 { 3582 struct block *b0, *b1; 3583 3584 /* 3585 * Check whether this is an LLC frame. 3586 */ 3587 b0 = gen_llc(); 3588 3589 /* 3590 * Now compare the low-order 2 bit of the control byte against 3591 * the appropriate value for S frames. 3592 */ 3593 b1 = gen_mcmp(OR_MACPL, 2, BPF_B, LLC_S_FMT, 0x03); 3594 gen_and(b0, b1); 3595 return b1; 3596 } 3597 3598 struct block * 3599 gen_llc_u(void) 3600 { 3601 struct block *b0, *b1; 3602 3603 /* 3604 * Check whether this is an LLC frame. 3605 */ 3606 b0 = gen_llc(); 3607 3608 /* 3609 * Now compare the low-order 2 bit of the control byte against 3610 * the appropriate value for U frames. 3611 */ 3612 b1 = gen_mcmp(OR_MACPL, 2, BPF_B, LLC_U_FMT, 0x03); 3613 gen_and(b0, b1); 3614 return b1; 3615 } 3616 3617 struct block * 3618 gen_llc_s_subtype(bpf_u_int32 subtype) 3619 { 3620 struct block *b0, *b1; 3621 3622 /* 3623 * Check whether this is an LLC frame. 3624 */ 3625 b0 = gen_llc(); 3626 3627 /* 3628 * Now check for an S frame with the appropriate type. 3629 */ 3630 b1 = gen_mcmp(OR_MACPL, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3631 gen_and(b0, b1); 3632 return b1; 3633 } 3634 3635 struct block * 3636 gen_llc_u_subtype(bpf_u_int32 subtype) 3637 { 3638 struct block *b0, *b1; 3639 3640 /* 3641 * Check whether this is an LLC frame. 3642 */ 3643 b0 = gen_llc(); 3644 3645 /* 3646 * Now check for a U frame with the appropriate type. 3647 */ 3648 b1 = gen_mcmp(OR_MACPL, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3649 gen_and(b0, b1); 3650 return b1; 3651 } 3652 3653 /* 3654 * Generate code to match a particular packet type, for link-layer types 3655 * using 802.2 LLC headers. 3656 * 3657 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3658 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3659 * 3660 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3661 * value, if <= ETHERMTU. We use that to determine whether to 3662 * match the DSAP or both DSAP and LSAP or to check the OUI and 3663 * protocol ID in a SNAP header. 3664 */ 3665 static struct block * 3666 gen_llc_linktype(proto) 3667 int proto; 3668 { 3669 /* 3670 * XXX - handle token-ring variable-length header. 3671 */ 3672 switch (proto) { 3673 3674 case LLCSAP_IP: 3675 case LLCSAP_ISONS: 3676 case LLCSAP_NETBEUI: 3677 /* 3678 * XXX - should we check both the DSAP and the 3679 * SSAP, like this, or should we check just the 3680 * DSAP, as we do for other types <= ETHERMTU 3681 * (i.e., other SAP values)? 3682 */ 3683 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3684 ((proto << 8) | proto)); 3685 3686 case LLCSAP_IPX: 3687 /* 3688 * XXX - are there ever SNAP frames for IPX on 3689 * non-Ethernet 802.x networks? 3690 */ 3691 return gen_cmp(OR_MACPL, 0, BPF_B, 3692 (bpf_int32)LLCSAP_IPX); 3693 3694 case ETHERTYPE_ATALK: 3695 /* 3696 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3697 * SNAP packets with an organization code of 3698 * 0x080007 (Apple, for Appletalk) and a protocol 3699 * type of ETHERTYPE_ATALK (Appletalk). 3700 * 3701 * XXX - check for an organization code of 3702 * encapsulated Ethernet as well? 3703 */ 3704 return gen_snap(0x080007, ETHERTYPE_ATALK); 3705 3706 default: 3707 /* 3708 * XXX - we don't have to check for IPX 802.3 3709 * here, but should we check for the IPX Ethertype? 3710 */ 3711 if (proto <= ETHERMTU) { 3712 /* 3713 * This is an LLC SAP value, so check 3714 * the DSAP. 3715 */ 3716 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3717 } else { 3718 /* 3719 * This is an Ethernet type; we assume that it's 3720 * unlikely that it'll appear in the right place 3721 * at random, and therefore check only the 3722 * location that would hold the Ethernet type 3723 * in a SNAP frame with an organization code of 3724 * 0x000000 (encapsulated Ethernet). 3725 * 3726 * XXX - if we were to check for the SNAP DSAP and 3727 * LSAP, as per XXX, and were also to check for an 3728 * organization code of 0x000000 (encapsulated 3729 * Ethernet), we'd do 3730 * 3731 * return gen_snap(0x000000, proto); 3732 * 3733 * here; for now, we don't, as per the above. 3734 * I don't know whether it's worth the extra CPU 3735 * time to do the right check or not. 3736 */ 3737 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3738 } 3739 } 3740 } 3741 3742 static struct block * 3743 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3744 bpf_u_int32 addr; 3745 bpf_u_int32 mask; 3746 int dir, proto; 3747 u_int src_off, dst_off; 3748 { 3749 struct block *b0, *b1; 3750 u_int offset; 3751 3752 switch (dir) { 3753 3754 case Q_SRC: 3755 offset = src_off; 3756 break; 3757 3758 case Q_DST: 3759 offset = dst_off; 3760 break; 3761 3762 case Q_AND: 3763 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3764 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3765 gen_and(b0, b1); 3766 return b1; 3767 3768 case Q_OR: 3769 case Q_DEFAULT: 3770 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3771 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3772 gen_or(b0, b1); 3773 return b1; 3774 3775 default: 3776 abort(); 3777 } 3778 b0 = gen_linktype(proto); 3779 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3780 gen_and(b0, b1); 3781 return b1; 3782 } 3783 3784 #ifdef INET6 3785 static struct block * 3786 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3787 struct in6_addr *addr; 3788 struct in6_addr *mask; 3789 int dir, proto; 3790 u_int src_off, dst_off; 3791 { 3792 struct block *b0, *b1; 3793 u_int offset; 3794 u_int32_t *a, *m; 3795 3796 switch (dir) { 3797 3798 case Q_SRC: 3799 offset = src_off; 3800 break; 3801 3802 case Q_DST: 3803 offset = dst_off; 3804 break; 3805 3806 case Q_AND: 3807 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3808 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3809 gen_and(b0, b1); 3810 return b1; 3811 3812 case Q_OR: 3813 case Q_DEFAULT: 3814 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3815 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3816 gen_or(b0, b1); 3817 return b1; 3818 3819 default: 3820 abort(); 3821 } 3822 /* this order is important */ 3823 a = (u_int32_t *)addr; 3824 m = (u_int32_t *)mask; 3825 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3826 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3827 gen_and(b0, b1); 3828 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3829 gen_and(b0, b1); 3830 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3831 gen_and(b0, b1); 3832 b0 = gen_linktype(proto); 3833 gen_and(b0, b1); 3834 return b1; 3835 } 3836 #endif 3837 3838 static struct block * 3839 gen_ehostop(eaddr, dir) 3840 register const u_char *eaddr; 3841 register int dir; 3842 { 3843 register struct block *b0, *b1; 3844 3845 switch (dir) { 3846 case Q_SRC: 3847 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3848 3849 case Q_DST: 3850 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3851 3852 case Q_AND: 3853 b0 = gen_ehostop(eaddr, Q_SRC); 3854 b1 = gen_ehostop(eaddr, Q_DST); 3855 gen_and(b0, b1); 3856 return b1; 3857 3858 case Q_DEFAULT: 3859 case Q_OR: 3860 b0 = gen_ehostop(eaddr, Q_SRC); 3861 b1 = gen_ehostop(eaddr, Q_DST); 3862 gen_or(b0, b1); 3863 return b1; 3864 3865 case Q_ADDR1: 3866 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3867 break; 3868 3869 case Q_ADDR2: 3870 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3871 break; 3872 3873 case Q_ADDR3: 3874 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3875 break; 3876 3877 case Q_ADDR4: 3878 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3879 break; 3880 3881 case Q_RA: 3882 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3883 break; 3884 3885 case Q_TA: 3886 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3887 break; 3888 } 3889 abort(); 3890 /* NOTREACHED */ 3891 } 3892 3893 /* 3894 * Like gen_ehostop, but for DLT_FDDI 3895 */ 3896 static struct block * 3897 gen_fhostop(eaddr, dir) 3898 register const u_char *eaddr; 3899 register int dir; 3900 { 3901 struct block *b0, *b1; 3902 3903 switch (dir) { 3904 case Q_SRC: 3905 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3906 3907 case Q_DST: 3908 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3909 3910 case Q_AND: 3911 b0 = gen_fhostop(eaddr, Q_SRC); 3912 b1 = gen_fhostop(eaddr, Q_DST); 3913 gen_and(b0, b1); 3914 return b1; 3915 3916 case Q_DEFAULT: 3917 case Q_OR: 3918 b0 = gen_fhostop(eaddr, Q_SRC); 3919 b1 = gen_fhostop(eaddr, Q_DST); 3920 gen_or(b0, b1); 3921 return b1; 3922 3923 case Q_ADDR1: 3924 bpf_error("'addr1' is only supported on 802.11"); 3925 break; 3926 3927 case Q_ADDR2: 3928 bpf_error("'addr2' is only supported on 802.11"); 3929 break; 3930 3931 case Q_ADDR3: 3932 bpf_error("'addr3' is only supported on 802.11"); 3933 break; 3934 3935 case Q_ADDR4: 3936 bpf_error("'addr4' is only supported on 802.11"); 3937 break; 3938 3939 case Q_RA: 3940 bpf_error("'ra' is only supported on 802.11"); 3941 break; 3942 3943 case Q_TA: 3944 bpf_error("'ta' is only supported on 802.11"); 3945 break; 3946 } 3947 abort(); 3948 /* NOTREACHED */ 3949 } 3950 3951 /* 3952 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3953 */ 3954 static struct block * 3955 gen_thostop(eaddr, dir) 3956 register const u_char *eaddr; 3957 register int dir; 3958 { 3959 register struct block *b0, *b1; 3960 3961 switch (dir) { 3962 case Q_SRC: 3963 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3964 3965 case Q_DST: 3966 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3967 3968 case Q_AND: 3969 b0 = gen_thostop(eaddr, Q_SRC); 3970 b1 = gen_thostop(eaddr, Q_DST); 3971 gen_and(b0, b1); 3972 return b1; 3973 3974 case Q_DEFAULT: 3975 case Q_OR: 3976 b0 = gen_thostop(eaddr, Q_SRC); 3977 b1 = gen_thostop(eaddr, Q_DST); 3978 gen_or(b0, b1); 3979 return b1; 3980 3981 case Q_ADDR1: 3982 bpf_error("'addr1' is only supported on 802.11"); 3983 break; 3984 3985 case Q_ADDR2: 3986 bpf_error("'addr2' is only supported on 802.11"); 3987 break; 3988 3989 case Q_ADDR3: 3990 bpf_error("'addr3' is only supported on 802.11"); 3991 break; 3992 3993 case Q_ADDR4: 3994 bpf_error("'addr4' is only supported on 802.11"); 3995 break; 3996 3997 case Q_RA: 3998 bpf_error("'ra' is only supported on 802.11"); 3999 break; 4000 4001 case Q_TA: 4002 bpf_error("'ta' is only supported on 802.11"); 4003 break; 4004 } 4005 abort(); 4006 /* NOTREACHED */ 4007 } 4008 4009 /* 4010 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 4011 * various 802.11 + radio headers. 4012 */ 4013 static struct block * 4014 gen_wlanhostop(eaddr, dir) 4015 register const u_char *eaddr; 4016 register int dir; 4017 { 4018 register struct block *b0, *b1, *b2; 4019 register struct slist *s; 4020 4021 #ifdef ENABLE_WLAN_FILTERING_PATCH 4022 /* 4023 * TODO GV 20070613 4024 * We need to disable the optimizer because the optimizer is buggy 4025 * and wipes out some LD instructions generated by the below 4026 * code to validate the Frame Control bits 4027 */ 4028 no_optimize = 1; 4029 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 4030 4031 switch (dir) { 4032 case Q_SRC: 4033 /* 4034 * Oh, yuk. 4035 * 4036 * For control frames, there is no SA. 4037 * 4038 * For management frames, SA is at an 4039 * offset of 10 from the beginning of 4040 * the packet. 4041 * 4042 * For data frames, SA is at an offset 4043 * of 10 from the beginning of the packet 4044 * if From DS is clear, at an offset of 4045 * 16 from the beginning of the packet 4046 * if From DS is set and To DS is clear, 4047 * and an offset of 24 from the beginning 4048 * of the packet if From DS is set and To DS 4049 * is set. 4050 */ 4051 4052 /* 4053 * Generate the tests to be done for data frames 4054 * with From DS set. 4055 * 4056 * First, check for To DS set, i.e. check "link[1] & 0x01". 4057 */ 4058 s = gen_load_a(OR_LINK, 1, BPF_B); 4059 b1 = new_block(JMP(BPF_JSET)); 4060 b1->s.k = 0x01; /* To DS */ 4061 b1->stmts = s; 4062 4063 /* 4064 * If To DS is set, the SA is at 24. 4065 */ 4066 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4067 gen_and(b1, b0); 4068 4069 /* 4070 * Now, check for To DS not set, i.e. check 4071 * "!(link[1] & 0x01)". 4072 */ 4073 s = gen_load_a(OR_LINK, 1, BPF_B); 4074 b2 = new_block(JMP(BPF_JSET)); 4075 b2->s.k = 0x01; /* To DS */ 4076 b2->stmts = s; 4077 gen_not(b2); 4078 4079 /* 4080 * If To DS is not set, the SA is at 16. 4081 */ 4082 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4083 gen_and(b2, b1); 4084 4085 /* 4086 * Now OR together the last two checks. That gives 4087 * the complete set of checks for data frames with 4088 * From DS set. 4089 */ 4090 gen_or(b1, b0); 4091 4092 /* 4093 * Now check for From DS being set, and AND that with 4094 * the ORed-together checks. 4095 */ 4096 s = gen_load_a(OR_LINK, 1, BPF_B); 4097 b1 = new_block(JMP(BPF_JSET)); 4098 b1->s.k = 0x02; /* From DS */ 4099 b1->stmts = s; 4100 gen_and(b1, b0); 4101 4102 /* 4103 * Now check for data frames with From DS not set. 4104 */ 4105 s = gen_load_a(OR_LINK, 1, BPF_B); 4106 b2 = new_block(JMP(BPF_JSET)); 4107 b2->s.k = 0x02; /* From DS */ 4108 b2->stmts = s; 4109 gen_not(b2); 4110 4111 /* 4112 * If From DS isn't set, the SA is at 10. 4113 */ 4114 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4115 gen_and(b2, b1); 4116 4117 /* 4118 * Now OR together the checks for data frames with 4119 * From DS not set and for data frames with From DS 4120 * set; that gives the checks done for data frames. 4121 */ 4122 gen_or(b1, b0); 4123 4124 /* 4125 * Now check for a data frame. 4126 * I.e, check "link[0] & 0x08". 4127 */ 4128 s = gen_load_a(OR_LINK, 0, BPF_B); 4129 b1 = new_block(JMP(BPF_JSET)); 4130 b1->s.k = 0x08; 4131 b1->stmts = s; 4132 4133 /* 4134 * AND that with the checks done for data frames. 4135 */ 4136 gen_and(b1, b0); 4137 4138 /* 4139 * If the high-order bit of the type value is 0, this 4140 * is a management frame. 4141 * I.e, check "!(link[0] & 0x08)". 4142 */ 4143 s = gen_load_a(OR_LINK, 0, BPF_B); 4144 b2 = new_block(JMP(BPF_JSET)); 4145 b2->s.k = 0x08; 4146 b2->stmts = s; 4147 gen_not(b2); 4148 4149 /* 4150 * For management frames, the SA is at 10. 4151 */ 4152 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4153 gen_and(b2, b1); 4154 4155 /* 4156 * OR that with the checks done for data frames. 4157 * That gives the checks done for management and 4158 * data frames. 4159 */ 4160 gen_or(b1, b0); 4161 4162 /* 4163 * If the low-order bit of the type value is 1, 4164 * this is either a control frame or a frame 4165 * with a reserved type, and thus not a 4166 * frame with an SA. 4167 * 4168 * I.e., check "!(link[0] & 0x04)". 4169 */ 4170 s = gen_load_a(OR_LINK, 0, BPF_B); 4171 b1 = new_block(JMP(BPF_JSET)); 4172 b1->s.k = 0x04; 4173 b1->stmts = s; 4174 gen_not(b1); 4175 4176 /* 4177 * AND that with the checks for data and management 4178 * frames. 4179 */ 4180 gen_and(b1, b0); 4181 return b0; 4182 4183 case Q_DST: 4184 /* 4185 * Oh, yuk. 4186 * 4187 * For control frames, there is no DA. 4188 * 4189 * For management frames, DA is at an 4190 * offset of 4 from the beginning of 4191 * the packet. 4192 * 4193 * For data frames, DA is at an offset 4194 * of 4 from the beginning of the packet 4195 * if To DS is clear and at an offset of 4196 * 16 from the beginning of the packet 4197 * if To DS is set. 4198 */ 4199 4200 /* 4201 * Generate the tests to be done for data frames. 4202 * 4203 * First, check for To DS set, i.e. "link[1] & 0x01". 4204 */ 4205 s = gen_load_a(OR_LINK, 1, BPF_B); 4206 b1 = new_block(JMP(BPF_JSET)); 4207 b1->s.k = 0x01; /* To DS */ 4208 b1->stmts = s; 4209 4210 /* 4211 * If To DS is set, the DA is at 16. 4212 */ 4213 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4214 gen_and(b1, b0); 4215 4216 /* 4217 * Now, check for To DS not set, i.e. check 4218 * "!(link[1] & 0x01)". 4219 */ 4220 s = gen_load_a(OR_LINK, 1, BPF_B); 4221 b2 = new_block(JMP(BPF_JSET)); 4222 b2->s.k = 0x01; /* To DS */ 4223 b2->stmts = s; 4224 gen_not(b2); 4225 4226 /* 4227 * If To DS is not set, the DA is at 4. 4228 */ 4229 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4230 gen_and(b2, b1); 4231 4232 /* 4233 * Now OR together the last two checks. That gives 4234 * the complete set of checks for data frames. 4235 */ 4236 gen_or(b1, b0); 4237 4238 /* 4239 * Now check for a data frame. 4240 * I.e, check "link[0] & 0x08". 4241 */ 4242 s = gen_load_a(OR_LINK, 0, BPF_B); 4243 b1 = new_block(JMP(BPF_JSET)); 4244 b1->s.k = 0x08; 4245 b1->stmts = s; 4246 4247 /* 4248 * AND that with the checks done for data frames. 4249 */ 4250 gen_and(b1, b0); 4251 4252 /* 4253 * If the high-order bit of the type value is 0, this 4254 * is a management frame. 4255 * I.e, check "!(link[0] & 0x08)". 4256 */ 4257 s = gen_load_a(OR_LINK, 0, BPF_B); 4258 b2 = new_block(JMP(BPF_JSET)); 4259 b2->s.k = 0x08; 4260 b2->stmts = s; 4261 gen_not(b2); 4262 4263 /* 4264 * For management frames, the DA is at 4. 4265 */ 4266 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4267 gen_and(b2, b1); 4268 4269 /* 4270 * OR that with the checks done for data frames. 4271 * That gives the checks done for management and 4272 * data frames. 4273 */ 4274 gen_or(b1, b0); 4275 4276 /* 4277 * If the low-order bit of the type value is 1, 4278 * this is either a control frame or a frame 4279 * with a reserved type, and thus not a 4280 * frame with an SA. 4281 * 4282 * I.e., check "!(link[0] & 0x04)". 4283 */ 4284 s = gen_load_a(OR_LINK, 0, BPF_B); 4285 b1 = new_block(JMP(BPF_JSET)); 4286 b1->s.k = 0x04; 4287 b1->stmts = s; 4288 gen_not(b1); 4289 4290 /* 4291 * AND that with the checks for data and management 4292 * frames. 4293 */ 4294 gen_and(b1, b0); 4295 return b0; 4296 4297 case Q_RA: 4298 /* 4299 * Not present in management frames; addr1 in other 4300 * frames. 4301 */ 4302 4303 /* 4304 * If the high-order bit of the type value is 0, this 4305 * is a management frame. 4306 * I.e, check "(link[0] & 0x08)". 4307 */ 4308 s = gen_load_a(OR_LINK, 0, BPF_B); 4309 b1 = new_block(JMP(BPF_JSET)); 4310 b1->s.k = 0x08; 4311 b1->stmts = s; 4312 4313 /* 4314 * Check addr1. 4315 */ 4316 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4317 4318 /* 4319 * AND that with the check of addr1. 4320 */ 4321 gen_and(b1, b0); 4322 return (b0); 4323 4324 case Q_TA: 4325 /* 4326 * Not present in management frames; addr2, if present, 4327 * in other frames. 4328 */ 4329 4330 /* 4331 * Not present in CTS or ACK control frames. 4332 */ 4333 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4334 IEEE80211_FC0_TYPE_MASK); 4335 gen_not(b0); 4336 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4337 IEEE80211_FC0_SUBTYPE_MASK); 4338 gen_not(b1); 4339 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4340 IEEE80211_FC0_SUBTYPE_MASK); 4341 gen_not(b2); 4342 gen_and(b1, b2); 4343 gen_or(b0, b2); 4344 4345 /* 4346 * If the high-order bit of the type value is 0, this 4347 * is a management frame. 4348 * I.e, check "(link[0] & 0x08)". 4349 */ 4350 s = gen_load_a(OR_LINK, 0, BPF_B); 4351 b1 = new_block(JMP(BPF_JSET)); 4352 b1->s.k = 0x08; 4353 b1->stmts = s; 4354 4355 /* 4356 * AND that with the check for frames other than 4357 * CTS and ACK frames. 4358 */ 4359 gen_and(b1, b2); 4360 4361 /* 4362 * Check addr2. 4363 */ 4364 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4365 gen_and(b2, b1); 4366 return b1; 4367 4368 /* 4369 * XXX - add BSSID keyword? 4370 */ 4371 case Q_ADDR1: 4372 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4373 4374 case Q_ADDR2: 4375 /* 4376 * Not present in CTS or ACK control frames. 4377 */ 4378 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4379 IEEE80211_FC0_TYPE_MASK); 4380 gen_not(b0); 4381 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4382 IEEE80211_FC0_SUBTYPE_MASK); 4383 gen_not(b1); 4384 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4385 IEEE80211_FC0_SUBTYPE_MASK); 4386 gen_not(b2); 4387 gen_and(b1, b2); 4388 gen_or(b0, b2); 4389 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4390 gen_and(b2, b1); 4391 return b1; 4392 4393 case Q_ADDR3: 4394 /* 4395 * Not present in control frames. 4396 */ 4397 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4398 IEEE80211_FC0_TYPE_MASK); 4399 gen_not(b0); 4400 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4401 gen_and(b0, b1); 4402 return b1; 4403 4404 case Q_ADDR4: 4405 /* 4406 * Present only if the direction mask has both "From DS" 4407 * and "To DS" set. Neither control frames nor management 4408 * frames should have both of those set, so we don't 4409 * check the frame type. 4410 */ 4411 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4412 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4413 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4414 gen_and(b0, b1); 4415 return b1; 4416 4417 case Q_AND: 4418 b0 = gen_wlanhostop(eaddr, Q_SRC); 4419 b1 = gen_wlanhostop(eaddr, Q_DST); 4420 gen_and(b0, b1); 4421 return b1; 4422 4423 case Q_DEFAULT: 4424 case Q_OR: 4425 b0 = gen_wlanhostop(eaddr, Q_SRC); 4426 b1 = gen_wlanhostop(eaddr, Q_DST); 4427 gen_or(b0, b1); 4428 return b1; 4429 } 4430 abort(); 4431 /* NOTREACHED */ 4432 } 4433 4434 /* 4435 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4436 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4437 * as the RFC states.) 4438 */ 4439 static struct block * 4440 gen_ipfchostop(eaddr, dir) 4441 register const u_char *eaddr; 4442 register int dir; 4443 { 4444 register struct block *b0, *b1; 4445 4446 switch (dir) { 4447 case Q_SRC: 4448 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4449 4450 case Q_DST: 4451 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4452 4453 case Q_AND: 4454 b0 = gen_ipfchostop(eaddr, Q_SRC); 4455 b1 = gen_ipfchostop(eaddr, Q_DST); 4456 gen_and(b0, b1); 4457 return b1; 4458 4459 case Q_DEFAULT: 4460 case Q_OR: 4461 b0 = gen_ipfchostop(eaddr, Q_SRC); 4462 b1 = gen_ipfchostop(eaddr, Q_DST); 4463 gen_or(b0, b1); 4464 return b1; 4465 4466 case Q_ADDR1: 4467 bpf_error("'addr1' is only supported on 802.11"); 4468 break; 4469 4470 case Q_ADDR2: 4471 bpf_error("'addr2' is only supported on 802.11"); 4472 break; 4473 4474 case Q_ADDR3: 4475 bpf_error("'addr3' is only supported on 802.11"); 4476 break; 4477 4478 case Q_ADDR4: 4479 bpf_error("'addr4' is only supported on 802.11"); 4480 break; 4481 4482 case Q_RA: 4483 bpf_error("'ra' is only supported on 802.11"); 4484 break; 4485 4486 case Q_TA: 4487 bpf_error("'ta' is only supported on 802.11"); 4488 break; 4489 } 4490 abort(); 4491 /* NOTREACHED */ 4492 } 4493 4494 /* 4495 * This is quite tricky because there may be pad bytes in front of the 4496 * DECNET header, and then there are two possible data packet formats that 4497 * carry both src and dst addresses, plus 5 packet types in a format that 4498 * carries only the src node, plus 2 types that use a different format and 4499 * also carry just the src node. 4500 * 4501 * Yuck. 4502 * 4503 * Instead of doing those all right, we just look for data packets with 4504 * 0 or 1 bytes of padding. If you want to look at other packets, that 4505 * will require a lot more hacking. 4506 * 4507 * To add support for filtering on DECNET "areas" (network numbers) 4508 * one would want to add a "mask" argument to this routine. That would 4509 * make the filter even more inefficient, although one could be clever 4510 * and not generate masking instructions if the mask is 0xFFFF. 4511 */ 4512 static struct block * 4513 gen_dnhostop(addr, dir) 4514 bpf_u_int32 addr; 4515 int dir; 4516 { 4517 struct block *b0, *b1, *b2, *tmp; 4518 u_int offset_lh; /* offset if long header is received */ 4519 u_int offset_sh; /* offset if short header is received */ 4520 4521 switch (dir) { 4522 4523 case Q_DST: 4524 offset_sh = 1; /* follows flags */ 4525 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4526 break; 4527 4528 case Q_SRC: 4529 offset_sh = 3; /* follows flags, dstnode */ 4530 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4531 break; 4532 4533 case Q_AND: 4534 /* Inefficient because we do our Calvinball dance twice */ 4535 b0 = gen_dnhostop(addr, Q_SRC); 4536 b1 = gen_dnhostop(addr, Q_DST); 4537 gen_and(b0, b1); 4538 return b1; 4539 4540 case Q_OR: 4541 case Q_DEFAULT: 4542 /* Inefficient because we do our Calvinball dance twice */ 4543 b0 = gen_dnhostop(addr, Q_SRC); 4544 b1 = gen_dnhostop(addr, Q_DST); 4545 gen_or(b0, b1); 4546 return b1; 4547 4548 case Q_ISO: 4549 bpf_error("ISO host filtering not implemented"); 4550 4551 default: 4552 abort(); 4553 } 4554 b0 = gen_linktype(ETHERTYPE_DN); 4555 /* Check for pad = 1, long header case */ 4556 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4557 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4558 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4559 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4560 gen_and(tmp, b1); 4561 /* Check for pad = 0, long header case */ 4562 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4563 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4564 gen_and(tmp, b2); 4565 gen_or(b2, b1); 4566 /* Check for pad = 1, short header case */ 4567 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4568 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4569 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4570 gen_and(tmp, b2); 4571 gen_or(b2, b1); 4572 /* Check for pad = 0, short header case */ 4573 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4574 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4575 gen_and(tmp, b2); 4576 gen_or(b2, b1); 4577 4578 /* Combine with test for linktype */ 4579 gen_and(b0, b1); 4580 return b1; 4581 } 4582 4583 /* 4584 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4585 * test the bottom-of-stack bit, and then check the version number 4586 * field in the IP header. 4587 */ 4588 static struct block * 4589 gen_mpls_linktype(proto) 4590 int proto; 4591 { 4592 struct block *b0, *b1; 4593 4594 switch (proto) { 4595 4596 case Q_IP: 4597 /* match the bottom-of-stack bit */ 4598 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4599 /* match the IPv4 version number */ 4600 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4601 gen_and(b0, b1); 4602 return b1; 4603 4604 case Q_IPV6: 4605 /* match the bottom-of-stack bit */ 4606 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4607 /* match the IPv4 version number */ 4608 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4609 gen_and(b0, b1); 4610 return b1; 4611 4612 default: 4613 abort(); 4614 } 4615 } 4616 4617 static struct block * 4618 gen_host(addr, mask, proto, dir, type) 4619 bpf_u_int32 addr; 4620 bpf_u_int32 mask; 4621 int proto; 4622 int dir; 4623 int type; 4624 { 4625 struct block *b0, *b1; 4626 const char *typestr; 4627 4628 if (type == Q_NET) 4629 typestr = "net"; 4630 else 4631 typestr = "host"; 4632 4633 switch (proto) { 4634 4635 case Q_DEFAULT: 4636 b0 = gen_host(addr, mask, Q_IP, dir, type); 4637 /* 4638 * Only check for non-IPv4 addresses if we're not 4639 * checking MPLS-encapsulated packets. 4640 */ 4641 if (label_stack_depth == 0) { 4642 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4643 gen_or(b0, b1); 4644 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4645 gen_or(b1, b0); 4646 } 4647 return b0; 4648 4649 case Q_IP: 4650 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4651 4652 case Q_RARP: 4653 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4654 4655 case Q_ARP: 4656 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4657 4658 case Q_TCP: 4659 bpf_error("'tcp' modifier applied to %s", typestr); 4660 4661 case Q_SCTP: 4662 bpf_error("'sctp' modifier applied to %s", typestr); 4663 4664 case Q_UDP: 4665 bpf_error("'udp' modifier applied to %s", typestr); 4666 4667 case Q_ICMP: 4668 bpf_error("'icmp' modifier applied to %s", typestr); 4669 4670 case Q_IGMP: 4671 bpf_error("'igmp' modifier applied to %s", typestr); 4672 4673 case Q_IGRP: 4674 bpf_error("'igrp' modifier applied to %s", typestr); 4675 4676 case Q_PIM: 4677 bpf_error("'pim' modifier applied to %s", typestr); 4678 4679 case Q_VRRP: 4680 bpf_error("'vrrp' modifier applied to %s", typestr); 4681 4682 case Q_CARP: 4683 bpf_error("'carp' modifier applied to %s", typestr); 4684 4685 case Q_ATALK: 4686 bpf_error("ATALK host filtering not implemented"); 4687 4688 case Q_AARP: 4689 bpf_error("AARP host filtering not implemented"); 4690 4691 case Q_DECNET: 4692 return gen_dnhostop(addr, dir); 4693 4694 case Q_SCA: 4695 bpf_error("SCA host filtering not implemented"); 4696 4697 case Q_LAT: 4698 bpf_error("LAT host filtering not implemented"); 4699 4700 case Q_MOPDL: 4701 bpf_error("MOPDL host filtering not implemented"); 4702 4703 case Q_MOPRC: 4704 bpf_error("MOPRC host filtering not implemented"); 4705 4706 case Q_IPV6: 4707 bpf_error("'ip6' modifier applied to ip host"); 4708 4709 case Q_ICMPV6: 4710 bpf_error("'icmp6' modifier applied to %s", typestr); 4711 4712 case Q_AH: 4713 bpf_error("'ah' modifier applied to %s", typestr); 4714 4715 case Q_ESP: 4716 bpf_error("'esp' modifier applied to %s", typestr); 4717 4718 case Q_ISO: 4719 bpf_error("ISO host filtering not implemented"); 4720 4721 case Q_ESIS: 4722 bpf_error("'esis' modifier applied to %s", typestr); 4723 4724 case Q_ISIS: 4725 bpf_error("'isis' modifier applied to %s", typestr); 4726 4727 case Q_CLNP: 4728 bpf_error("'clnp' modifier applied to %s", typestr); 4729 4730 case Q_STP: 4731 bpf_error("'stp' modifier applied to %s", typestr); 4732 4733 case Q_IPX: 4734 bpf_error("IPX host filtering not implemented"); 4735 4736 case Q_NETBEUI: 4737 bpf_error("'netbeui' modifier applied to %s", typestr); 4738 4739 case Q_RADIO: 4740 bpf_error("'radio' modifier applied to %s", typestr); 4741 4742 default: 4743 abort(); 4744 } 4745 /* NOTREACHED */ 4746 } 4747 4748 #ifdef INET6 4749 static struct block * 4750 gen_host6(addr, mask, proto, dir, type) 4751 struct in6_addr *addr; 4752 struct in6_addr *mask; 4753 int proto; 4754 int dir; 4755 int type; 4756 { 4757 const char *typestr; 4758 4759 if (type == Q_NET) 4760 typestr = "net"; 4761 else 4762 typestr = "host"; 4763 4764 switch (proto) { 4765 4766 case Q_DEFAULT: 4767 return gen_host6(addr, mask, Q_IPV6, dir, type); 4768 4769 case Q_LINK: 4770 bpf_error("link-layer modifier applied to ip6 %s", typestr); 4771 4772 case Q_IP: 4773 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4774 4775 case Q_RARP: 4776 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4777 4778 case Q_ARP: 4779 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4780 4781 case Q_SCTP: 4782 bpf_error("'sctp' modifier applied to %s", typestr); 4783 4784 case Q_TCP: 4785 bpf_error("'tcp' modifier applied to %s", typestr); 4786 4787 case Q_UDP: 4788 bpf_error("'udp' modifier applied to %s", typestr); 4789 4790 case Q_ICMP: 4791 bpf_error("'icmp' modifier applied to %s", typestr); 4792 4793 case Q_IGMP: 4794 bpf_error("'igmp' modifier applied to %s", typestr); 4795 4796 case Q_IGRP: 4797 bpf_error("'igrp' modifier applied to %s", typestr); 4798 4799 case Q_PIM: 4800 bpf_error("'pim' modifier applied to %s", typestr); 4801 4802 case Q_VRRP: 4803 bpf_error("'vrrp' modifier applied to %s", typestr); 4804 4805 case Q_CARP: 4806 bpf_error("'carp' modifier applied to %s", typestr); 4807 4808 case Q_ATALK: 4809 bpf_error("ATALK host filtering not implemented"); 4810 4811 case Q_AARP: 4812 bpf_error("AARP host filtering not implemented"); 4813 4814 case Q_DECNET: 4815 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4816 4817 case Q_SCA: 4818 bpf_error("SCA host filtering not implemented"); 4819 4820 case Q_LAT: 4821 bpf_error("LAT host filtering not implemented"); 4822 4823 case Q_MOPDL: 4824 bpf_error("MOPDL host filtering not implemented"); 4825 4826 case Q_MOPRC: 4827 bpf_error("MOPRC host filtering not implemented"); 4828 4829 case Q_IPV6: 4830 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4831 4832 case Q_ICMPV6: 4833 bpf_error("'icmp6' modifier applied to %s", typestr); 4834 4835 case Q_AH: 4836 bpf_error("'ah' modifier applied to %s", typestr); 4837 4838 case Q_ESP: 4839 bpf_error("'esp' modifier applied to %s", typestr); 4840 4841 case Q_ISO: 4842 bpf_error("ISO host filtering not implemented"); 4843 4844 case Q_ESIS: 4845 bpf_error("'esis' modifier applied to %s", typestr); 4846 4847 case Q_ISIS: 4848 bpf_error("'isis' modifier applied to %s", typestr); 4849 4850 case Q_CLNP: 4851 bpf_error("'clnp' modifier applied to %s", typestr); 4852 4853 case Q_STP: 4854 bpf_error("'stp' modifier applied to %s", typestr); 4855 4856 case Q_IPX: 4857 bpf_error("IPX host filtering not implemented"); 4858 4859 case Q_NETBEUI: 4860 bpf_error("'netbeui' modifier applied to %s", typestr); 4861 4862 case Q_RADIO: 4863 bpf_error("'radio' modifier applied to %s", typestr); 4864 4865 default: 4866 abort(); 4867 } 4868 /* NOTREACHED */ 4869 } 4870 #endif 4871 4872 #ifndef INET6 4873 static struct block * 4874 gen_gateway(eaddr, alist, proto, dir) 4875 const u_char *eaddr; 4876 bpf_u_int32 **alist; 4877 int proto; 4878 int dir; 4879 { 4880 struct block *b0, *b1, *tmp; 4881 4882 if (dir != 0) 4883 bpf_error("direction applied to 'gateway'"); 4884 4885 switch (proto) { 4886 case Q_DEFAULT: 4887 case Q_IP: 4888 case Q_ARP: 4889 case Q_RARP: 4890 switch (linktype) { 4891 case DLT_EN10MB: 4892 case DLT_NETANALYZER: 4893 case DLT_NETANALYZER_TRANSPARENT: 4894 b0 = gen_ehostop(eaddr, Q_OR); 4895 break; 4896 case DLT_FDDI: 4897 b0 = gen_fhostop(eaddr, Q_OR); 4898 break; 4899 case DLT_IEEE802: 4900 b0 = gen_thostop(eaddr, Q_OR); 4901 break; 4902 case DLT_IEEE802_11: 4903 case DLT_PRISM_HEADER: 4904 case DLT_IEEE802_11_RADIO_AVS: 4905 case DLT_IEEE802_11_RADIO: 4906 case DLT_PPI: 4907 b0 = gen_wlanhostop(eaddr, Q_OR); 4908 break; 4909 case DLT_SUNATM: 4910 if (!is_lane) 4911 bpf_error( 4912 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4913 /* 4914 * Check that the packet doesn't begin with an 4915 * LE Control marker. (We've already generated 4916 * a test for LANE.) 4917 */ 4918 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4919 BPF_H, 0xFF00); 4920 gen_not(b1); 4921 4922 /* 4923 * Now check the MAC address. 4924 */ 4925 b0 = gen_ehostop(eaddr, Q_OR); 4926 gen_and(b1, b0); 4927 break; 4928 case DLT_IP_OVER_FC: 4929 b0 = gen_ipfchostop(eaddr, Q_OR); 4930 break; 4931 default: 4932 bpf_error( 4933 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4934 } 4935 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4936 while (*alist) { 4937 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4938 Q_HOST); 4939 gen_or(b1, tmp); 4940 b1 = tmp; 4941 } 4942 gen_not(b1); 4943 gen_and(b0, b1); 4944 return b1; 4945 } 4946 bpf_error("illegal modifier of 'gateway'"); 4947 /* NOTREACHED */ 4948 } 4949 #endif 4950 4951 struct block * 4952 gen_proto_abbrev(proto) 4953 int proto; 4954 { 4955 struct block *b0; 4956 struct block *b1; 4957 4958 switch (proto) { 4959 4960 case Q_SCTP: 4961 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4962 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4963 gen_or(b0, b1); 4964 break; 4965 4966 case Q_TCP: 4967 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4968 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4969 gen_or(b0, b1); 4970 break; 4971 4972 case Q_UDP: 4973 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4974 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4975 gen_or(b0, b1); 4976 break; 4977 4978 case Q_ICMP: 4979 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4980 break; 4981 4982 #ifndef IPPROTO_IGMP 4983 #define IPPROTO_IGMP 2 4984 #endif 4985 4986 case Q_IGMP: 4987 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4988 break; 4989 4990 #ifndef IPPROTO_IGRP 4991 #define IPPROTO_IGRP 9 4992 #endif 4993 case Q_IGRP: 4994 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4995 break; 4996 4997 #ifndef IPPROTO_PIM 4998 #define IPPROTO_PIM 103 4999 #endif 5000 5001 case Q_PIM: 5002 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 5003 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 5004 gen_or(b0, b1); 5005 break; 5006 5007 #ifndef IPPROTO_VRRP 5008 #define IPPROTO_VRRP 112 5009 #endif 5010 5011 case Q_VRRP: 5012 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 5013 break; 5014 5015 #ifndef IPPROTO_CARP 5016 #define IPPROTO_CARP 112 5017 #endif 5018 5019 case Q_CARP: 5020 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 5021 break; 5022 5023 case Q_IP: 5024 b1 = gen_linktype(ETHERTYPE_IP); 5025 break; 5026 5027 case Q_ARP: 5028 b1 = gen_linktype(ETHERTYPE_ARP); 5029 break; 5030 5031 case Q_RARP: 5032 b1 = gen_linktype(ETHERTYPE_REVARP); 5033 break; 5034 5035 case Q_LINK: 5036 bpf_error("link layer applied in wrong context"); 5037 5038 case Q_ATALK: 5039 b1 = gen_linktype(ETHERTYPE_ATALK); 5040 break; 5041 5042 case Q_AARP: 5043 b1 = gen_linktype(ETHERTYPE_AARP); 5044 break; 5045 5046 case Q_DECNET: 5047 b1 = gen_linktype(ETHERTYPE_DN); 5048 break; 5049 5050 case Q_SCA: 5051 b1 = gen_linktype(ETHERTYPE_SCA); 5052 break; 5053 5054 case Q_LAT: 5055 b1 = gen_linktype(ETHERTYPE_LAT); 5056 break; 5057 5058 case Q_MOPDL: 5059 b1 = gen_linktype(ETHERTYPE_MOPDL); 5060 break; 5061 5062 case Q_MOPRC: 5063 b1 = gen_linktype(ETHERTYPE_MOPRC); 5064 break; 5065 5066 case Q_IPV6: 5067 b1 = gen_linktype(ETHERTYPE_IPV6); 5068 break; 5069 5070 #ifndef IPPROTO_ICMPV6 5071 #define IPPROTO_ICMPV6 58 5072 #endif 5073 case Q_ICMPV6: 5074 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 5075 break; 5076 5077 #ifndef IPPROTO_AH 5078 #define IPPROTO_AH 51 5079 #endif 5080 case Q_AH: 5081 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 5082 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 5083 gen_or(b0, b1); 5084 break; 5085 5086 #ifndef IPPROTO_ESP 5087 #define IPPROTO_ESP 50 5088 #endif 5089 case Q_ESP: 5090 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 5091 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 5092 gen_or(b0, b1); 5093 break; 5094 5095 case Q_ISO: 5096 b1 = gen_linktype(LLCSAP_ISONS); 5097 break; 5098 5099 case Q_ESIS: 5100 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 5101 break; 5102 5103 case Q_ISIS: 5104 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5105 break; 5106 5107 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5108 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5109 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5110 gen_or(b0, b1); 5111 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5112 gen_or(b0, b1); 5113 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5114 gen_or(b0, b1); 5115 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5116 gen_or(b0, b1); 5117 break; 5118 5119 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5120 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5121 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5122 gen_or(b0, b1); 5123 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5124 gen_or(b0, b1); 5125 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5126 gen_or(b0, b1); 5127 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5128 gen_or(b0, b1); 5129 break; 5130 5131 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5132 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5133 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5134 gen_or(b0, b1); 5135 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5136 gen_or(b0, b1); 5137 break; 5138 5139 case Q_ISIS_LSP: 5140 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5141 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5142 gen_or(b0, b1); 5143 break; 5144 5145 case Q_ISIS_SNP: 5146 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5147 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5148 gen_or(b0, b1); 5149 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5150 gen_or(b0, b1); 5151 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5152 gen_or(b0, b1); 5153 break; 5154 5155 case Q_ISIS_CSNP: 5156 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5157 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5158 gen_or(b0, b1); 5159 break; 5160 5161 case Q_ISIS_PSNP: 5162 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5163 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5164 gen_or(b0, b1); 5165 break; 5166 5167 case Q_CLNP: 5168 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5169 break; 5170 5171 case Q_STP: 5172 b1 = gen_linktype(LLCSAP_8021D); 5173 break; 5174 5175 case Q_IPX: 5176 b1 = gen_linktype(LLCSAP_IPX); 5177 break; 5178 5179 case Q_NETBEUI: 5180 b1 = gen_linktype(LLCSAP_NETBEUI); 5181 break; 5182 5183 case Q_RADIO: 5184 bpf_error("'radio' is not a valid protocol type"); 5185 5186 default: 5187 abort(); 5188 } 5189 return b1; 5190 } 5191 5192 static struct block * 5193 gen_ipfrag() 5194 { 5195 struct slist *s; 5196 struct block *b; 5197 5198 /* not IPv4 frag other than the first frag */ 5199 s = gen_load_a(OR_NET, 6, BPF_H); 5200 b = new_block(JMP(BPF_JSET)); 5201 b->s.k = 0x1fff; 5202 b->stmts = s; 5203 gen_not(b); 5204 5205 return b; 5206 } 5207 5208 /* 5209 * Generate a comparison to a port value in the transport-layer header 5210 * at the specified offset from the beginning of that header. 5211 * 5212 * XXX - this handles a variable-length prefix preceding the link-layer 5213 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5214 * variable-length link-layer headers (such as Token Ring or 802.11 5215 * headers). 5216 */ 5217 static struct block * 5218 gen_portatom(off, v) 5219 int off; 5220 bpf_int32 v; 5221 { 5222 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5223 } 5224 5225 static struct block * 5226 gen_portatom6(off, v) 5227 int off; 5228 bpf_int32 v; 5229 { 5230 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5231 } 5232 5233 struct block * 5234 gen_portop(port, proto, dir) 5235 int port, proto, dir; 5236 { 5237 struct block *b0, *b1, *tmp; 5238 5239 /* ip proto 'proto' and not a fragment other than the first fragment */ 5240 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5241 b0 = gen_ipfrag(); 5242 gen_and(tmp, b0); 5243 5244 switch (dir) { 5245 case Q_SRC: 5246 b1 = gen_portatom(0, (bpf_int32)port); 5247 break; 5248 5249 case Q_DST: 5250 b1 = gen_portatom(2, (bpf_int32)port); 5251 break; 5252 5253 case Q_OR: 5254 case Q_DEFAULT: 5255 tmp = gen_portatom(0, (bpf_int32)port); 5256 b1 = gen_portatom(2, (bpf_int32)port); 5257 gen_or(tmp, b1); 5258 break; 5259 5260 case Q_AND: 5261 tmp = gen_portatom(0, (bpf_int32)port); 5262 b1 = gen_portatom(2, (bpf_int32)port); 5263 gen_and(tmp, b1); 5264 break; 5265 5266 default: 5267 abort(); 5268 } 5269 gen_and(b0, b1); 5270 5271 return b1; 5272 } 5273 5274 static struct block * 5275 gen_port(port, ip_proto, dir) 5276 int port; 5277 int ip_proto; 5278 int dir; 5279 { 5280 struct block *b0, *b1, *tmp; 5281 5282 /* 5283 * ether proto ip 5284 * 5285 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5286 * not LLC encapsulation with LLCSAP_IP. 5287 * 5288 * For IEEE 802 networks - which includes 802.5 token ring 5289 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5290 * says that SNAP encapsulation is used, not LLC encapsulation 5291 * with LLCSAP_IP. 5292 * 5293 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5294 * RFC 2225 say that SNAP encapsulation is used, not LLC 5295 * encapsulation with LLCSAP_IP. 5296 * 5297 * So we always check for ETHERTYPE_IP. 5298 */ 5299 b0 = gen_linktype(ETHERTYPE_IP); 5300 5301 switch (ip_proto) { 5302 case IPPROTO_UDP: 5303 case IPPROTO_TCP: 5304 case IPPROTO_SCTP: 5305 b1 = gen_portop(port, ip_proto, dir); 5306 break; 5307 5308 case PROTO_UNDEF: 5309 tmp = gen_portop(port, IPPROTO_TCP, dir); 5310 b1 = gen_portop(port, IPPROTO_UDP, dir); 5311 gen_or(tmp, b1); 5312 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5313 gen_or(tmp, b1); 5314 break; 5315 5316 default: 5317 abort(); 5318 } 5319 gen_and(b0, b1); 5320 return b1; 5321 } 5322 5323 struct block * 5324 gen_portop6(port, proto, dir) 5325 int port, proto, dir; 5326 { 5327 struct block *b0, *b1, *tmp; 5328 5329 /* ip6 proto 'proto' */ 5330 /* XXX - catch the first fragment of a fragmented packet? */ 5331 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5332 5333 switch (dir) { 5334 case Q_SRC: 5335 b1 = gen_portatom6(0, (bpf_int32)port); 5336 break; 5337 5338 case Q_DST: 5339 b1 = gen_portatom6(2, (bpf_int32)port); 5340 break; 5341 5342 case Q_OR: 5343 case Q_DEFAULT: 5344 tmp = gen_portatom6(0, (bpf_int32)port); 5345 b1 = gen_portatom6(2, (bpf_int32)port); 5346 gen_or(tmp, b1); 5347 break; 5348 5349 case Q_AND: 5350 tmp = gen_portatom6(0, (bpf_int32)port); 5351 b1 = gen_portatom6(2, (bpf_int32)port); 5352 gen_and(tmp, b1); 5353 break; 5354 5355 default: 5356 abort(); 5357 } 5358 gen_and(b0, b1); 5359 5360 return b1; 5361 } 5362 5363 static struct block * 5364 gen_port6(port, ip_proto, dir) 5365 int port; 5366 int ip_proto; 5367 int dir; 5368 { 5369 struct block *b0, *b1, *tmp; 5370 5371 /* link proto ip6 */ 5372 b0 = gen_linktype(ETHERTYPE_IPV6); 5373 5374 switch (ip_proto) { 5375 case IPPROTO_UDP: 5376 case IPPROTO_TCP: 5377 case IPPROTO_SCTP: 5378 b1 = gen_portop6(port, ip_proto, dir); 5379 break; 5380 5381 case PROTO_UNDEF: 5382 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5383 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5384 gen_or(tmp, b1); 5385 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5386 gen_or(tmp, b1); 5387 break; 5388 5389 default: 5390 abort(); 5391 } 5392 gen_and(b0, b1); 5393 return b1; 5394 } 5395 5396 /* gen_portrange code */ 5397 static struct block * 5398 gen_portrangeatom(off, v1, v2) 5399 int off; 5400 bpf_int32 v1, v2; 5401 { 5402 struct block *b1, *b2; 5403 5404 if (v1 > v2) { 5405 /* 5406 * Reverse the order of the ports, so v1 is the lower one. 5407 */ 5408 bpf_int32 vtemp; 5409 5410 vtemp = v1; 5411 v1 = v2; 5412 v2 = vtemp; 5413 } 5414 5415 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5416 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5417 5418 gen_and(b1, b2); 5419 5420 return b2; 5421 } 5422 5423 struct block * 5424 gen_portrangeop(port1, port2, proto, dir) 5425 int port1, port2; 5426 int proto; 5427 int dir; 5428 { 5429 struct block *b0, *b1, *tmp; 5430 5431 /* ip proto 'proto' and not a fragment other than the first fragment */ 5432 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5433 b0 = gen_ipfrag(); 5434 gen_and(tmp, b0); 5435 5436 switch (dir) { 5437 case Q_SRC: 5438 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5439 break; 5440 5441 case Q_DST: 5442 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5443 break; 5444 5445 case Q_OR: 5446 case Q_DEFAULT: 5447 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5448 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5449 gen_or(tmp, b1); 5450 break; 5451 5452 case Q_AND: 5453 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5454 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5455 gen_and(tmp, b1); 5456 break; 5457 5458 default: 5459 abort(); 5460 } 5461 gen_and(b0, b1); 5462 5463 return b1; 5464 } 5465 5466 static struct block * 5467 gen_portrange(port1, port2, ip_proto, dir) 5468 int port1, port2; 5469 int ip_proto; 5470 int dir; 5471 { 5472 struct block *b0, *b1, *tmp; 5473 5474 /* link proto ip */ 5475 b0 = gen_linktype(ETHERTYPE_IP); 5476 5477 switch (ip_proto) { 5478 case IPPROTO_UDP: 5479 case IPPROTO_TCP: 5480 case IPPROTO_SCTP: 5481 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5482 break; 5483 5484 case PROTO_UNDEF: 5485 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5486 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5487 gen_or(tmp, b1); 5488 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5489 gen_or(tmp, b1); 5490 break; 5491 5492 default: 5493 abort(); 5494 } 5495 gen_and(b0, b1); 5496 return b1; 5497 } 5498 5499 static struct block * 5500 gen_portrangeatom6(off, v1, v2) 5501 int off; 5502 bpf_int32 v1, v2; 5503 { 5504 struct block *b1, *b2; 5505 5506 if (v1 > v2) { 5507 /* 5508 * Reverse the order of the ports, so v1 is the lower one. 5509 */ 5510 bpf_int32 vtemp; 5511 5512 vtemp = v1; 5513 v1 = v2; 5514 v2 = vtemp; 5515 } 5516 5517 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5518 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5519 5520 gen_and(b1, b2); 5521 5522 return b2; 5523 } 5524 5525 struct block * 5526 gen_portrangeop6(port1, port2, proto, dir) 5527 int port1, port2; 5528 int proto; 5529 int dir; 5530 { 5531 struct block *b0, *b1, *tmp; 5532 5533 /* ip6 proto 'proto' */ 5534 /* XXX - catch the first fragment of a fragmented packet? */ 5535 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5536 5537 switch (dir) { 5538 case Q_SRC: 5539 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5540 break; 5541 5542 case Q_DST: 5543 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5544 break; 5545 5546 case Q_OR: 5547 case Q_DEFAULT: 5548 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5549 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5550 gen_or(tmp, b1); 5551 break; 5552 5553 case Q_AND: 5554 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5555 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5556 gen_and(tmp, b1); 5557 break; 5558 5559 default: 5560 abort(); 5561 } 5562 gen_and(b0, b1); 5563 5564 return b1; 5565 } 5566 5567 static struct block * 5568 gen_portrange6(port1, port2, ip_proto, dir) 5569 int port1, port2; 5570 int ip_proto; 5571 int dir; 5572 { 5573 struct block *b0, *b1, *tmp; 5574 5575 /* link proto ip6 */ 5576 b0 = gen_linktype(ETHERTYPE_IPV6); 5577 5578 switch (ip_proto) { 5579 case IPPROTO_UDP: 5580 case IPPROTO_TCP: 5581 case IPPROTO_SCTP: 5582 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5583 break; 5584 5585 case PROTO_UNDEF: 5586 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5587 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5588 gen_or(tmp, b1); 5589 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5590 gen_or(tmp, b1); 5591 break; 5592 5593 default: 5594 abort(); 5595 } 5596 gen_and(b0, b1); 5597 return b1; 5598 } 5599 5600 static int 5601 lookup_proto(name, proto) 5602 register const char *name; 5603 register int proto; 5604 { 5605 register int v; 5606 5607 switch (proto) { 5608 5609 case Q_DEFAULT: 5610 case Q_IP: 5611 case Q_IPV6: 5612 v = pcap_nametoproto(name); 5613 if (v == PROTO_UNDEF) 5614 bpf_error("unknown ip proto '%s'", name); 5615 break; 5616 5617 case Q_LINK: 5618 /* XXX should look up h/w protocol type based on linktype */ 5619 v = pcap_nametoeproto(name); 5620 if (v == PROTO_UNDEF) { 5621 v = pcap_nametollc(name); 5622 if (v == PROTO_UNDEF) 5623 bpf_error("unknown ether proto '%s'", name); 5624 } 5625 break; 5626 5627 case Q_ISO: 5628 if (strcmp(name, "esis") == 0) 5629 v = ISO9542_ESIS; 5630 else if (strcmp(name, "isis") == 0) 5631 v = ISO10589_ISIS; 5632 else if (strcmp(name, "clnp") == 0) 5633 v = ISO8473_CLNP; 5634 else 5635 bpf_error("unknown osi proto '%s'", name); 5636 break; 5637 5638 default: 5639 v = PROTO_UNDEF; 5640 break; 5641 } 5642 return v; 5643 } 5644 5645 #if 0 5646 struct stmt * 5647 gen_joinsp(s, n) 5648 struct stmt **s; 5649 int n; 5650 { 5651 return NULL; 5652 } 5653 #endif 5654 5655 static struct block * 5656 gen_protochain(v, proto, dir) 5657 int v; 5658 int proto; 5659 int dir; 5660 { 5661 #ifdef NO_PROTOCHAIN 5662 return gen_proto(v, proto, dir); 5663 #else 5664 struct block *b0, *b; 5665 struct slist *s[100]; 5666 int fix2, fix3, fix4, fix5; 5667 int ahcheck, again, end; 5668 int i, max; 5669 int reg2 = alloc_reg(); 5670 5671 memset(s, 0, sizeof(s)); 5672 fix2 = fix3 = fix4 = fix5 = 0; 5673 5674 switch (proto) { 5675 case Q_IP: 5676 case Q_IPV6: 5677 break; 5678 case Q_DEFAULT: 5679 b0 = gen_protochain(v, Q_IP, dir); 5680 b = gen_protochain(v, Q_IPV6, dir); 5681 gen_or(b0, b); 5682 return b; 5683 default: 5684 bpf_error("bad protocol applied for 'protochain'"); 5685 /*NOTREACHED*/ 5686 } 5687 5688 /* 5689 * We don't handle variable-length prefixes before the link-layer 5690 * header, or variable-length link-layer headers, here yet. 5691 * We might want to add BPF instructions to do the protochain 5692 * work, to simplify that and, on platforms that have a BPF 5693 * interpreter with the new instructions, let the filtering 5694 * be done in the kernel. (We already require a modified BPF 5695 * engine to do the protochain stuff, to support backward 5696 * branches, and backward branch support is unlikely to appear 5697 * in kernel BPF engines.) 5698 */ 5699 switch (linktype) { 5700 5701 case DLT_IEEE802_11: 5702 case DLT_PRISM_HEADER: 5703 case DLT_IEEE802_11_RADIO_AVS: 5704 case DLT_IEEE802_11_RADIO: 5705 case DLT_PPI: 5706 bpf_error("'protochain' not supported with 802.11"); 5707 } 5708 5709 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5710 5711 /* 5712 * s[0] is a dummy entry to protect other BPF insn from damage 5713 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5714 * hard to find interdependency made by jump table fixup. 5715 */ 5716 i = 0; 5717 s[i] = new_stmt(0); /*dummy*/ 5718 i++; 5719 5720 switch (proto) { 5721 case Q_IP: 5722 b0 = gen_linktype(ETHERTYPE_IP); 5723 5724 /* A = ip->ip_p */ 5725 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5726 s[i]->s.k = off_macpl + off_nl + 9; 5727 i++; 5728 /* X = ip->ip_hl << 2 */ 5729 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5730 s[i]->s.k = off_macpl + off_nl; 5731 i++; 5732 break; 5733 5734 case Q_IPV6: 5735 b0 = gen_linktype(ETHERTYPE_IPV6); 5736 5737 /* A = ip6->ip_nxt */ 5738 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5739 s[i]->s.k = off_macpl + off_nl + 6; 5740 i++; 5741 /* X = sizeof(struct ip6_hdr) */ 5742 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5743 s[i]->s.k = 40; 5744 i++; 5745 break; 5746 5747 default: 5748 bpf_error("unsupported proto to gen_protochain"); 5749 /*NOTREACHED*/ 5750 } 5751 5752 /* again: if (A == v) goto end; else fall through; */ 5753 again = i; 5754 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5755 s[i]->s.k = v; 5756 s[i]->s.jt = NULL; /*later*/ 5757 s[i]->s.jf = NULL; /*update in next stmt*/ 5758 fix5 = i; 5759 i++; 5760 5761 #ifndef IPPROTO_NONE 5762 #define IPPROTO_NONE 59 5763 #endif 5764 /* if (A == IPPROTO_NONE) goto end */ 5765 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5766 s[i]->s.jt = NULL; /*later*/ 5767 s[i]->s.jf = NULL; /*update in next stmt*/ 5768 s[i]->s.k = IPPROTO_NONE; 5769 s[fix5]->s.jf = s[i]; 5770 fix2 = i; 5771 i++; 5772 5773 if (proto == Q_IPV6) { 5774 int v6start, v6end, v6advance, j; 5775 5776 v6start = i; 5777 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5778 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5779 s[i]->s.jt = NULL; /*later*/ 5780 s[i]->s.jf = NULL; /*update in next stmt*/ 5781 s[i]->s.k = IPPROTO_HOPOPTS; 5782 s[fix2]->s.jf = s[i]; 5783 i++; 5784 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5785 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5786 s[i]->s.jt = NULL; /*later*/ 5787 s[i]->s.jf = NULL; /*update in next stmt*/ 5788 s[i]->s.k = IPPROTO_DSTOPTS; 5789 i++; 5790 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5791 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5792 s[i]->s.jt = NULL; /*later*/ 5793 s[i]->s.jf = NULL; /*update in next stmt*/ 5794 s[i]->s.k = IPPROTO_ROUTING; 5795 i++; 5796 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5797 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5798 s[i]->s.jt = NULL; /*later*/ 5799 s[i]->s.jf = NULL; /*later*/ 5800 s[i]->s.k = IPPROTO_FRAGMENT; 5801 fix3 = i; 5802 v6end = i; 5803 i++; 5804 5805 /* v6advance: */ 5806 v6advance = i; 5807 5808 /* 5809 * in short, 5810 * A = P[X + packet head]; 5811 * X = X + (P[X + packet head + 1] + 1) * 8; 5812 */ 5813 /* A = P[X + packet head] */ 5814 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5815 s[i]->s.k = off_macpl + off_nl; 5816 i++; 5817 /* MEM[reg2] = A */ 5818 s[i] = new_stmt(BPF_ST); 5819 s[i]->s.k = reg2; 5820 i++; 5821 /* A = P[X + packet head + 1]; */ 5822 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5823 s[i]->s.k = off_macpl + off_nl + 1; 5824 i++; 5825 /* A += 1 */ 5826 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5827 s[i]->s.k = 1; 5828 i++; 5829 /* A *= 8 */ 5830 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5831 s[i]->s.k = 8; 5832 i++; 5833 /* A += X */ 5834 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5835 s[i]->s.k = 0; 5836 i++; 5837 /* X = A; */ 5838 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5839 i++; 5840 /* A = MEM[reg2] */ 5841 s[i] = new_stmt(BPF_LD|BPF_MEM); 5842 s[i]->s.k = reg2; 5843 i++; 5844 5845 /* goto again; (must use BPF_JA for backward jump) */ 5846 s[i] = new_stmt(BPF_JMP|BPF_JA); 5847 s[i]->s.k = again - i - 1; 5848 s[i - 1]->s.jf = s[i]; 5849 i++; 5850 5851 /* fixup */ 5852 for (j = v6start; j <= v6end; j++) 5853 s[j]->s.jt = s[v6advance]; 5854 } else { 5855 /* nop */ 5856 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5857 s[i]->s.k = 0; 5858 s[fix2]->s.jf = s[i]; 5859 i++; 5860 } 5861 5862 /* ahcheck: */ 5863 ahcheck = i; 5864 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5865 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5866 s[i]->s.jt = NULL; /*later*/ 5867 s[i]->s.jf = NULL; /*later*/ 5868 s[i]->s.k = IPPROTO_AH; 5869 if (fix3) 5870 s[fix3]->s.jf = s[ahcheck]; 5871 fix4 = i; 5872 i++; 5873 5874 /* 5875 * in short, 5876 * A = P[X]; 5877 * X = X + (P[X + 1] + 2) * 4; 5878 */ 5879 /* A = X */ 5880 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5881 i++; 5882 /* A = P[X + packet head]; */ 5883 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5884 s[i]->s.k = off_macpl + off_nl; 5885 i++; 5886 /* MEM[reg2] = A */ 5887 s[i] = new_stmt(BPF_ST); 5888 s[i]->s.k = reg2; 5889 i++; 5890 /* A = X */ 5891 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5892 i++; 5893 /* A += 1 */ 5894 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5895 s[i]->s.k = 1; 5896 i++; 5897 /* X = A */ 5898 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5899 i++; 5900 /* A = P[X + packet head] */ 5901 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5902 s[i]->s.k = off_macpl + off_nl; 5903 i++; 5904 /* A += 2 */ 5905 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5906 s[i]->s.k = 2; 5907 i++; 5908 /* A *= 4 */ 5909 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5910 s[i]->s.k = 4; 5911 i++; 5912 /* X = A; */ 5913 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5914 i++; 5915 /* A = MEM[reg2] */ 5916 s[i] = new_stmt(BPF_LD|BPF_MEM); 5917 s[i]->s.k = reg2; 5918 i++; 5919 5920 /* goto again; (must use BPF_JA for backward jump) */ 5921 s[i] = new_stmt(BPF_JMP|BPF_JA); 5922 s[i]->s.k = again - i - 1; 5923 i++; 5924 5925 /* end: nop */ 5926 end = i; 5927 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5928 s[i]->s.k = 0; 5929 s[fix2]->s.jt = s[end]; 5930 s[fix4]->s.jf = s[end]; 5931 s[fix5]->s.jt = s[end]; 5932 i++; 5933 5934 /* 5935 * make slist chain 5936 */ 5937 max = i; 5938 for (i = 0; i < max - 1; i++) 5939 s[i]->next = s[i + 1]; 5940 s[max - 1]->next = NULL; 5941 5942 /* 5943 * emit final check 5944 */ 5945 b = new_block(JMP(BPF_JEQ)); 5946 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5947 b->s.k = v; 5948 5949 free_reg(reg2); 5950 5951 gen_and(b0, b); 5952 return b; 5953 #endif 5954 } 5955 5956 static struct block * 5957 gen_check_802_11_data_frame() 5958 { 5959 struct slist *s; 5960 struct block *b0, *b1; 5961 5962 /* 5963 * A data frame has the 0x08 bit (b3) in the frame control field set 5964 * and the 0x04 bit (b2) clear. 5965 */ 5966 s = gen_load_a(OR_LINK, 0, BPF_B); 5967 b0 = new_block(JMP(BPF_JSET)); 5968 b0->s.k = 0x08; 5969 b0->stmts = s; 5970 5971 s = gen_load_a(OR_LINK, 0, BPF_B); 5972 b1 = new_block(JMP(BPF_JSET)); 5973 b1->s.k = 0x04; 5974 b1->stmts = s; 5975 gen_not(b1); 5976 5977 gen_and(b1, b0); 5978 5979 return b0; 5980 } 5981 5982 /* 5983 * Generate code that checks whether the packet is a packet for protocol 5984 * <proto> and whether the type field in that protocol's header has 5985 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5986 * IP packet and checks the protocol number in the IP header against <v>. 5987 * 5988 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5989 * against Q_IP and Q_IPV6. 5990 */ 5991 static struct block * 5992 gen_proto(v, proto, dir) 5993 int v; 5994 int proto; 5995 int dir; 5996 { 5997 struct block *b0, *b1; 5998 #ifndef CHASE_CHAIN 5999 struct block *b2; 6000 #endif 6001 6002 if (dir != Q_DEFAULT) 6003 bpf_error("direction applied to 'proto'"); 6004 6005 switch (proto) { 6006 case Q_DEFAULT: 6007 b0 = gen_proto(v, Q_IP, dir); 6008 b1 = gen_proto(v, Q_IPV6, dir); 6009 gen_or(b0, b1); 6010 return b1; 6011 6012 case Q_IP: 6013 /* 6014 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 6015 * not LLC encapsulation with LLCSAP_IP. 6016 * 6017 * For IEEE 802 networks - which includes 802.5 token ring 6018 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 6019 * says that SNAP encapsulation is used, not LLC encapsulation 6020 * with LLCSAP_IP. 6021 * 6022 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 6023 * RFC 2225 say that SNAP encapsulation is used, not LLC 6024 * encapsulation with LLCSAP_IP. 6025 * 6026 * So we always check for ETHERTYPE_IP. 6027 */ 6028 b0 = gen_linktype(ETHERTYPE_IP); 6029 #ifndef CHASE_CHAIN 6030 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 6031 #else 6032 b1 = gen_protochain(v, Q_IP); 6033 #endif 6034 gen_and(b0, b1); 6035 return b1; 6036 6037 case Q_ISO: 6038 switch (linktype) { 6039 6040 case DLT_FRELAY: 6041 /* 6042 * Frame Relay packets typically have an OSI 6043 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 6044 * generates code to check for all the OSI 6045 * NLPIDs, so calling it and then adding a check 6046 * for the particular NLPID for which we're 6047 * looking is bogus, as we can just check for 6048 * the NLPID. 6049 * 6050 * What we check for is the NLPID and a frame 6051 * control field value of UI, i.e. 0x03 followed 6052 * by the NLPID. 6053 * 6054 * XXX - assumes a 2-byte Frame Relay header with 6055 * DLCI and flags. What if the address is longer? 6056 * 6057 * XXX - what about SNAP-encapsulated frames? 6058 */ 6059 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 6060 /*NOTREACHED*/ 6061 break; 6062 6063 case DLT_C_HDLC: 6064 /* 6065 * Cisco uses an Ethertype lookalike - for OSI, 6066 * it's 0xfefe. 6067 */ 6068 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 6069 /* OSI in C-HDLC is stuffed with a fudge byte */ 6070 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 6071 gen_and(b0, b1); 6072 return b1; 6073 6074 default: 6075 b0 = gen_linktype(LLCSAP_ISONS); 6076 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 6077 gen_and(b0, b1); 6078 return b1; 6079 } 6080 6081 case Q_ISIS: 6082 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 6083 /* 6084 * 4 is the offset of the PDU type relative to the IS-IS 6085 * header. 6086 */ 6087 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 6088 gen_and(b0, b1); 6089 return b1; 6090 6091 case Q_ARP: 6092 bpf_error("arp does not encapsulate another protocol"); 6093 /* NOTREACHED */ 6094 6095 case Q_RARP: 6096 bpf_error("rarp does not encapsulate another protocol"); 6097 /* NOTREACHED */ 6098 6099 case Q_ATALK: 6100 bpf_error("atalk encapsulation is not specifiable"); 6101 /* NOTREACHED */ 6102 6103 case Q_DECNET: 6104 bpf_error("decnet encapsulation is not specifiable"); 6105 /* NOTREACHED */ 6106 6107 case Q_SCA: 6108 bpf_error("sca does not encapsulate another protocol"); 6109 /* NOTREACHED */ 6110 6111 case Q_LAT: 6112 bpf_error("lat does not encapsulate another protocol"); 6113 /* NOTREACHED */ 6114 6115 case Q_MOPRC: 6116 bpf_error("moprc does not encapsulate another protocol"); 6117 /* NOTREACHED */ 6118 6119 case Q_MOPDL: 6120 bpf_error("mopdl does not encapsulate another protocol"); 6121 /* NOTREACHED */ 6122 6123 case Q_LINK: 6124 return gen_linktype(v); 6125 6126 case Q_UDP: 6127 bpf_error("'udp proto' is bogus"); 6128 /* NOTREACHED */ 6129 6130 case Q_TCP: 6131 bpf_error("'tcp proto' is bogus"); 6132 /* NOTREACHED */ 6133 6134 case Q_SCTP: 6135 bpf_error("'sctp proto' is bogus"); 6136 /* NOTREACHED */ 6137 6138 case Q_ICMP: 6139 bpf_error("'icmp proto' is bogus"); 6140 /* NOTREACHED */ 6141 6142 case Q_IGMP: 6143 bpf_error("'igmp proto' is bogus"); 6144 /* NOTREACHED */ 6145 6146 case Q_IGRP: 6147 bpf_error("'igrp proto' is bogus"); 6148 /* NOTREACHED */ 6149 6150 case Q_PIM: 6151 bpf_error("'pim proto' is bogus"); 6152 /* NOTREACHED */ 6153 6154 case Q_VRRP: 6155 bpf_error("'vrrp proto' is bogus"); 6156 /* NOTREACHED */ 6157 6158 case Q_CARP: 6159 bpf_error("'carp proto' is bogus"); 6160 /* NOTREACHED */ 6161 6162 case Q_IPV6: 6163 b0 = gen_linktype(ETHERTYPE_IPV6); 6164 #ifndef CHASE_CHAIN 6165 /* 6166 * Also check for a fragment header before the final 6167 * header. 6168 */ 6169 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT); 6170 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v); 6171 gen_and(b2, b1); 6172 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 6173 gen_or(b2, b1); 6174 #else 6175 b1 = gen_protochain(v, Q_IPV6); 6176 #endif 6177 gen_and(b0, b1); 6178 return b1; 6179 6180 case Q_ICMPV6: 6181 bpf_error("'icmp6 proto' is bogus"); 6182 6183 case Q_AH: 6184 bpf_error("'ah proto' is bogus"); 6185 6186 case Q_ESP: 6187 bpf_error("'ah proto' is bogus"); 6188 6189 case Q_STP: 6190 bpf_error("'stp proto' is bogus"); 6191 6192 case Q_IPX: 6193 bpf_error("'ipx proto' is bogus"); 6194 6195 case Q_NETBEUI: 6196 bpf_error("'netbeui proto' is bogus"); 6197 6198 case Q_RADIO: 6199 bpf_error("'radio proto' is bogus"); 6200 6201 default: 6202 abort(); 6203 /* NOTREACHED */ 6204 } 6205 /* NOTREACHED */ 6206 } 6207 6208 struct block * 6209 gen_scode(name, q) 6210 register const char *name; 6211 struct qual q; 6212 { 6213 int proto = q.proto; 6214 int dir = q.dir; 6215 int tproto; 6216 u_char *eaddr; 6217 bpf_u_int32 mask, addr; 6218 #ifndef INET6 6219 bpf_u_int32 **alist; 6220 #else 6221 int tproto6; 6222 struct sockaddr_in *sin4; 6223 struct sockaddr_in6 *sin6; 6224 struct addrinfo *res, *res0; 6225 struct in6_addr mask128; 6226 #endif /*INET6*/ 6227 struct block *b, *tmp; 6228 int port, real_proto; 6229 int port1, port2; 6230 6231 switch (q.addr) { 6232 6233 case Q_NET: 6234 addr = pcap_nametonetaddr(name); 6235 if (addr == 0) 6236 bpf_error("unknown network '%s'", name); 6237 /* Left justify network addr and calculate its network mask */ 6238 mask = 0xffffffff; 6239 while (addr && (addr & 0xff000000) == 0) { 6240 addr <<= 8; 6241 mask <<= 8; 6242 } 6243 return gen_host(addr, mask, proto, dir, q.addr); 6244 6245 case Q_DEFAULT: 6246 case Q_HOST: 6247 if (proto == Q_LINK) { 6248 switch (linktype) { 6249 6250 case DLT_EN10MB: 6251 case DLT_NETANALYZER: 6252 case DLT_NETANALYZER_TRANSPARENT: 6253 eaddr = pcap_ether_hostton(name); 6254 if (eaddr == NULL) 6255 bpf_error( 6256 "unknown ether host '%s'", name); 6257 b = gen_ehostop(eaddr, dir); 6258 free(eaddr); 6259 return b; 6260 6261 case DLT_FDDI: 6262 eaddr = pcap_ether_hostton(name); 6263 if (eaddr == NULL) 6264 bpf_error( 6265 "unknown FDDI host '%s'", name); 6266 b = gen_fhostop(eaddr, dir); 6267 free(eaddr); 6268 return b; 6269 6270 case DLT_IEEE802: 6271 eaddr = pcap_ether_hostton(name); 6272 if (eaddr == NULL) 6273 bpf_error( 6274 "unknown token ring host '%s'", name); 6275 b = gen_thostop(eaddr, dir); 6276 free(eaddr); 6277 return b; 6278 6279 case DLT_IEEE802_11: 6280 case DLT_PRISM_HEADER: 6281 case DLT_IEEE802_11_RADIO_AVS: 6282 case DLT_IEEE802_11_RADIO: 6283 case DLT_PPI: 6284 eaddr = pcap_ether_hostton(name); 6285 if (eaddr == NULL) 6286 bpf_error( 6287 "unknown 802.11 host '%s'", name); 6288 b = gen_wlanhostop(eaddr, dir); 6289 free(eaddr); 6290 return b; 6291 6292 case DLT_IP_OVER_FC: 6293 eaddr = pcap_ether_hostton(name); 6294 if (eaddr == NULL) 6295 bpf_error( 6296 "unknown Fibre Channel host '%s'", name); 6297 b = gen_ipfchostop(eaddr, dir); 6298 free(eaddr); 6299 return b; 6300 6301 case DLT_SUNATM: 6302 if (!is_lane) 6303 break; 6304 6305 /* 6306 * Check that the packet doesn't begin 6307 * with an LE Control marker. (We've 6308 * already generated a test for LANE.) 6309 */ 6310 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6311 BPF_H, 0xFF00); 6312 gen_not(tmp); 6313 6314 eaddr = pcap_ether_hostton(name); 6315 if (eaddr == NULL) 6316 bpf_error( 6317 "unknown ether host '%s'", name); 6318 b = gen_ehostop(eaddr, dir); 6319 gen_and(tmp, b); 6320 free(eaddr); 6321 return b; 6322 } 6323 6324 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6325 } else if (proto == Q_DECNET) { 6326 unsigned short dn_addr = __pcap_nametodnaddr(name); 6327 /* 6328 * I don't think DECNET hosts can be multihomed, so 6329 * there is no need to build up a list of addresses 6330 */ 6331 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6332 } else { 6333 #ifndef INET6 6334 alist = pcap_nametoaddr(name); 6335 if (alist == NULL || *alist == NULL) 6336 bpf_error("unknown host '%s'", name); 6337 tproto = proto; 6338 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6339 tproto = Q_IP; 6340 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6341 while (*alist) { 6342 tmp = gen_host(**alist++, 0xffffffff, 6343 tproto, dir, q.addr); 6344 gen_or(b, tmp); 6345 b = tmp; 6346 } 6347 return b; 6348 #else 6349 memset(&mask128, 0xff, sizeof(mask128)); 6350 res0 = res = pcap_nametoaddrinfo(name); 6351 if (res == NULL) 6352 bpf_error("unknown host '%s'", name); 6353 ai = res; 6354 b = tmp = NULL; 6355 tproto = tproto6 = proto; 6356 if (off_linktype == -1 && tproto == Q_DEFAULT) { 6357 tproto = Q_IP; 6358 tproto6 = Q_IPV6; 6359 } 6360 for (res = res0; res; res = res->ai_next) { 6361 switch (res->ai_family) { 6362 case AF_INET: 6363 if (tproto == Q_IPV6) 6364 continue; 6365 6366 sin4 = (struct sockaddr_in *) 6367 res->ai_addr; 6368 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6369 0xffffffff, tproto, dir, q.addr); 6370 break; 6371 case AF_INET6: 6372 if (tproto6 == Q_IP) 6373 continue; 6374 6375 sin6 = (struct sockaddr_in6 *) 6376 res->ai_addr; 6377 tmp = gen_host6(&sin6->sin6_addr, 6378 &mask128, tproto6, dir, q.addr); 6379 break; 6380 default: 6381 continue; 6382 } 6383 if (b) 6384 gen_or(b, tmp); 6385 b = tmp; 6386 } 6387 ai = NULL; 6388 freeaddrinfo(res0); 6389 if (b == NULL) { 6390 bpf_error("unknown host '%s'%s", name, 6391 (proto == Q_DEFAULT) 6392 ? "" 6393 : " for specified address family"); 6394 } 6395 return b; 6396 #endif /*INET6*/ 6397 } 6398 6399 case Q_PORT: 6400 if (proto != Q_DEFAULT && 6401 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6402 bpf_error("illegal qualifier of 'port'"); 6403 if (pcap_nametoport(name, &port, &real_proto) == 0) 6404 bpf_error("unknown port '%s'", name); 6405 if (proto == Q_UDP) { 6406 if (real_proto == IPPROTO_TCP) 6407 bpf_error("port '%s' is tcp", name); 6408 else if (real_proto == IPPROTO_SCTP) 6409 bpf_error("port '%s' is sctp", name); 6410 else 6411 /* override PROTO_UNDEF */ 6412 real_proto = IPPROTO_UDP; 6413 } 6414 if (proto == Q_TCP) { 6415 if (real_proto == IPPROTO_UDP) 6416 bpf_error("port '%s' is udp", name); 6417 6418 else if (real_proto == IPPROTO_SCTP) 6419 bpf_error("port '%s' is sctp", name); 6420 else 6421 /* override PROTO_UNDEF */ 6422 real_proto = IPPROTO_TCP; 6423 } 6424 if (proto == Q_SCTP) { 6425 if (real_proto == IPPROTO_UDP) 6426 bpf_error("port '%s' is udp", name); 6427 6428 else if (real_proto == IPPROTO_TCP) 6429 bpf_error("port '%s' is tcp", name); 6430 else 6431 /* override PROTO_UNDEF */ 6432 real_proto = IPPROTO_SCTP; 6433 } 6434 if (port < 0) 6435 bpf_error("illegal port number %d < 0", port); 6436 if (port > 65535) 6437 bpf_error("illegal port number %d > 65535", port); 6438 b = gen_port(port, real_proto, dir); 6439 gen_or(gen_port6(port, real_proto, dir), b); 6440 return b; 6441 6442 case Q_PORTRANGE: 6443 if (proto != Q_DEFAULT && 6444 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6445 bpf_error("illegal qualifier of 'portrange'"); 6446 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6447 bpf_error("unknown port in range '%s'", name); 6448 if (proto == Q_UDP) { 6449 if (real_proto == IPPROTO_TCP) 6450 bpf_error("port in range '%s' is tcp", name); 6451 else if (real_proto == IPPROTO_SCTP) 6452 bpf_error("port in range '%s' is sctp", name); 6453 else 6454 /* override PROTO_UNDEF */ 6455 real_proto = IPPROTO_UDP; 6456 } 6457 if (proto == Q_TCP) { 6458 if (real_proto == IPPROTO_UDP) 6459 bpf_error("port in range '%s' is udp", name); 6460 else if (real_proto == IPPROTO_SCTP) 6461 bpf_error("port in range '%s' is sctp", name); 6462 else 6463 /* override PROTO_UNDEF */ 6464 real_proto = IPPROTO_TCP; 6465 } 6466 if (proto == Q_SCTP) { 6467 if (real_proto == IPPROTO_UDP) 6468 bpf_error("port in range '%s' is udp", name); 6469 else if (real_proto == IPPROTO_TCP) 6470 bpf_error("port in range '%s' is tcp", name); 6471 else 6472 /* override PROTO_UNDEF */ 6473 real_proto = IPPROTO_SCTP; 6474 } 6475 if (port1 < 0) 6476 bpf_error("illegal port number %d < 0", port1); 6477 if (port1 > 65535) 6478 bpf_error("illegal port number %d > 65535", port1); 6479 if (port2 < 0) 6480 bpf_error("illegal port number %d < 0", port2); 6481 if (port2 > 65535) 6482 bpf_error("illegal port number %d > 65535", port2); 6483 6484 b = gen_portrange(port1, port2, real_proto, dir); 6485 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6486 return b; 6487 6488 case Q_GATEWAY: 6489 #ifndef INET6 6490 eaddr = pcap_ether_hostton(name); 6491 if (eaddr == NULL) 6492 bpf_error("unknown ether host: %s", name); 6493 6494 alist = pcap_nametoaddr(name); 6495 if (alist == NULL || *alist == NULL) 6496 bpf_error("unknown host '%s'", name); 6497 b = gen_gateway(eaddr, alist, proto, dir); 6498 free(eaddr); 6499 return b; 6500 #else 6501 bpf_error("'gateway' not supported in this configuration"); 6502 #endif /*INET6*/ 6503 6504 case Q_PROTO: 6505 real_proto = lookup_proto(name, proto); 6506 if (real_proto >= 0) 6507 return gen_proto(real_proto, proto, dir); 6508 else 6509 bpf_error("unknown protocol: %s", name); 6510 6511 case Q_PROTOCHAIN: 6512 real_proto = lookup_proto(name, proto); 6513 if (real_proto >= 0) 6514 return gen_protochain(real_proto, proto, dir); 6515 else 6516 bpf_error("unknown protocol: %s", name); 6517 6518 case Q_UNDEF: 6519 syntax(); 6520 /* NOTREACHED */ 6521 } 6522 abort(); 6523 /* NOTREACHED */ 6524 } 6525 6526 struct block * 6527 gen_mcode(s1, s2, masklen, q) 6528 register const char *s1, *s2; 6529 register int masklen; 6530 struct qual q; 6531 { 6532 register int nlen, mlen; 6533 bpf_u_int32 n, m; 6534 6535 nlen = __pcap_atoin(s1, &n); 6536 /* Promote short ipaddr */ 6537 n <<= 32 - nlen; 6538 6539 if (s2 != NULL) { 6540 mlen = __pcap_atoin(s2, &m); 6541 /* Promote short ipaddr */ 6542 m <<= 32 - mlen; 6543 if ((n & ~m) != 0) 6544 bpf_error("non-network bits set in \"%s mask %s\"", 6545 s1, s2); 6546 } else { 6547 /* Convert mask len to mask */ 6548 if (masklen > 32) 6549 bpf_error("mask length must be <= 32"); 6550 if (masklen == 0) { 6551 /* 6552 * X << 32 is not guaranteed by C to be 0; it's 6553 * undefined. 6554 */ 6555 m = 0; 6556 } else 6557 m = 0xffffffff << (32 - masklen); 6558 if ((n & ~m) != 0) 6559 bpf_error("non-network bits set in \"%s/%d\"", 6560 s1, masklen); 6561 } 6562 6563 switch (q.addr) { 6564 6565 case Q_NET: 6566 return gen_host(n, m, q.proto, q.dir, q.addr); 6567 6568 default: 6569 bpf_error("Mask syntax for networks only"); 6570 /* NOTREACHED */ 6571 } 6572 /* NOTREACHED */ 6573 return NULL; 6574 } 6575 6576 struct block * 6577 gen_ncode(s, v, q) 6578 register const char *s; 6579 bpf_u_int32 v; 6580 struct qual q; 6581 { 6582 bpf_u_int32 mask; 6583 int proto = q.proto; 6584 int dir = q.dir; 6585 register int vlen; 6586 6587 if (s == NULL) 6588 vlen = 32; 6589 else if (q.proto == Q_DECNET) 6590 vlen = __pcap_atodn(s, &v); 6591 else 6592 vlen = __pcap_atoin(s, &v); 6593 6594 switch (q.addr) { 6595 6596 case Q_DEFAULT: 6597 case Q_HOST: 6598 case Q_NET: 6599 if (proto == Q_DECNET) 6600 return gen_host(v, 0, proto, dir, q.addr); 6601 else if (proto == Q_LINK) { 6602 bpf_error("illegal link layer address"); 6603 } else { 6604 mask = 0xffffffff; 6605 if (s == NULL && q.addr == Q_NET) { 6606 /* Promote short net number */ 6607 while (v && (v & 0xff000000) == 0) { 6608 v <<= 8; 6609 mask <<= 8; 6610 } 6611 } else { 6612 /* Promote short ipaddr */ 6613 v <<= 32 - vlen; 6614 mask <<= 32 - vlen; 6615 } 6616 return gen_host(v, mask, proto, dir, q.addr); 6617 } 6618 6619 case Q_PORT: 6620 if (proto == Q_UDP) 6621 proto = IPPROTO_UDP; 6622 else if (proto == Q_TCP) 6623 proto = IPPROTO_TCP; 6624 else if (proto == Q_SCTP) 6625 proto = IPPROTO_SCTP; 6626 else if (proto == Q_DEFAULT) 6627 proto = PROTO_UNDEF; 6628 else 6629 bpf_error("illegal qualifier of 'port'"); 6630 6631 if (v > 65535) 6632 bpf_error("illegal port number %u > 65535", v); 6633 6634 { 6635 struct block *b; 6636 b = gen_port((int)v, proto, dir); 6637 gen_or(gen_port6((int)v, proto, dir), b); 6638 return b; 6639 } 6640 6641 case Q_PORTRANGE: 6642 if (proto == Q_UDP) 6643 proto = IPPROTO_UDP; 6644 else if (proto == Q_TCP) 6645 proto = IPPROTO_TCP; 6646 else if (proto == Q_SCTP) 6647 proto = IPPROTO_SCTP; 6648 else if (proto == Q_DEFAULT) 6649 proto = PROTO_UNDEF; 6650 else 6651 bpf_error("illegal qualifier of 'portrange'"); 6652 6653 if (v > 65535) 6654 bpf_error("illegal port number %u > 65535", v); 6655 6656 { 6657 struct block *b; 6658 b = gen_portrange((int)v, (int)v, proto, dir); 6659 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6660 return b; 6661 } 6662 6663 case Q_GATEWAY: 6664 bpf_error("'gateway' requires a name"); 6665 /* NOTREACHED */ 6666 6667 case Q_PROTO: 6668 return gen_proto((int)v, proto, dir); 6669 6670 case Q_PROTOCHAIN: 6671 return gen_protochain((int)v, proto, dir); 6672 6673 case Q_UNDEF: 6674 syntax(); 6675 /* NOTREACHED */ 6676 6677 default: 6678 abort(); 6679 /* NOTREACHED */ 6680 } 6681 /* NOTREACHED */ 6682 } 6683 6684 #ifdef INET6 6685 struct block * 6686 gen_mcode6(s1, s2, masklen, q) 6687 register const char *s1, *s2; 6688 register int masklen; 6689 struct qual q; 6690 { 6691 struct addrinfo *res; 6692 struct in6_addr *addr; 6693 struct in6_addr mask; 6694 struct block *b; 6695 u_int32_t *a, *m; 6696 6697 if (s2) 6698 bpf_error("no mask %s supported", s2); 6699 6700 res = pcap_nametoaddrinfo(s1); 6701 if (!res) 6702 bpf_error("invalid ip6 address %s", s1); 6703 ai = res; 6704 if (res->ai_next) 6705 bpf_error("%s resolved to multiple address", s1); 6706 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6707 6708 if (sizeof(mask) * 8 < masklen) 6709 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6710 memset(&mask, 0, sizeof(mask)); 6711 memset(&mask, 0xff, masklen / 8); 6712 if (masklen % 8) { 6713 mask.s6_addr[masklen / 8] = 6714 (0xff << (8 - masklen % 8)) & 0xff; 6715 } 6716 6717 a = (u_int32_t *)addr; 6718 m = (u_int32_t *)&mask; 6719 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6720 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6721 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6722 } 6723 6724 switch (q.addr) { 6725 6726 case Q_DEFAULT: 6727 case Q_HOST: 6728 if (masklen != 128) 6729 bpf_error("Mask syntax for networks only"); 6730 /* FALLTHROUGH */ 6731 6732 case Q_NET: 6733 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6734 ai = NULL; 6735 freeaddrinfo(res); 6736 return b; 6737 6738 default: 6739 bpf_error("invalid qualifier against IPv6 address"); 6740 /* NOTREACHED */ 6741 } 6742 return NULL; 6743 } 6744 #endif /*INET6*/ 6745 6746 struct block * 6747 gen_ecode(eaddr, q) 6748 register const u_char *eaddr; 6749 struct qual q; 6750 { 6751 struct block *b, *tmp; 6752 6753 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6754 switch (linktype) { 6755 case DLT_EN10MB: 6756 case DLT_NETANALYZER: 6757 case DLT_NETANALYZER_TRANSPARENT: 6758 return gen_ehostop(eaddr, (int)q.dir); 6759 case DLT_FDDI: 6760 return gen_fhostop(eaddr, (int)q.dir); 6761 case DLT_IEEE802: 6762 return gen_thostop(eaddr, (int)q.dir); 6763 case DLT_IEEE802_11: 6764 case DLT_PRISM_HEADER: 6765 case DLT_IEEE802_11_RADIO_AVS: 6766 case DLT_IEEE802_11_RADIO: 6767 case DLT_PPI: 6768 return gen_wlanhostop(eaddr, (int)q.dir); 6769 case DLT_SUNATM: 6770 if (is_lane) { 6771 /* 6772 * Check that the packet doesn't begin with an 6773 * LE Control marker. (We've already generated 6774 * a test for LANE.) 6775 */ 6776 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6777 0xFF00); 6778 gen_not(tmp); 6779 6780 /* 6781 * Now check the MAC address. 6782 */ 6783 b = gen_ehostop(eaddr, (int)q.dir); 6784 gen_and(tmp, b); 6785 return b; 6786 } 6787 break; 6788 case DLT_IP_OVER_FC: 6789 return gen_ipfchostop(eaddr, (int)q.dir); 6790 default: 6791 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6792 break; 6793 } 6794 } 6795 bpf_error("ethernet address used in non-ether expression"); 6796 /* NOTREACHED */ 6797 return NULL; 6798 } 6799 6800 void 6801 sappend(s0, s1) 6802 struct slist *s0, *s1; 6803 { 6804 /* 6805 * This is definitely not the best way to do this, but the 6806 * lists will rarely get long. 6807 */ 6808 while (s0->next) 6809 s0 = s0->next; 6810 s0->next = s1; 6811 } 6812 6813 static struct slist * 6814 xfer_to_x(a) 6815 struct arth *a; 6816 { 6817 struct slist *s; 6818 6819 s = new_stmt(BPF_LDX|BPF_MEM); 6820 s->s.k = a->regno; 6821 return s; 6822 } 6823 6824 static struct slist * 6825 xfer_to_a(a) 6826 struct arth *a; 6827 { 6828 struct slist *s; 6829 6830 s = new_stmt(BPF_LD|BPF_MEM); 6831 s->s.k = a->regno; 6832 return s; 6833 } 6834 6835 /* 6836 * Modify "index" to use the value stored into its register as an 6837 * offset relative to the beginning of the header for the protocol 6838 * "proto", and allocate a register and put an item "size" bytes long 6839 * (1, 2, or 4) at that offset into that register, making it the register 6840 * for "index". 6841 */ 6842 struct arth * 6843 gen_load(proto, inst, size) 6844 int proto; 6845 struct arth *inst; 6846 int size; 6847 { 6848 struct slist *s, *tmp; 6849 struct block *b; 6850 int regno = alloc_reg(); 6851 6852 free_reg(inst->regno); 6853 switch (size) { 6854 6855 default: 6856 bpf_error("data size must be 1, 2, or 4"); 6857 6858 case 1: 6859 size = BPF_B; 6860 break; 6861 6862 case 2: 6863 size = BPF_H; 6864 break; 6865 6866 case 4: 6867 size = BPF_W; 6868 break; 6869 } 6870 switch (proto) { 6871 default: 6872 bpf_error("unsupported index operation"); 6873 6874 case Q_RADIO: 6875 /* 6876 * The offset is relative to the beginning of the packet 6877 * data, if we have a radio header. (If we don't, this 6878 * is an error.) 6879 */ 6880 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6881 linktype != DLT_IEEE802_11_RADIO && 6882 linktype != DLT_PRISM_HEADER) 6883 bpf_error("radio information not present in capture"); 6884 6885 /* 6886 * Load into the X register the offset computed into the 6887 * register specified by "index". 6888 */ 6889 s = xfer_to_x(inst); 6890 6891 /* 6892 * Load the item at that offset. 6893 */ 6894 tmp = new_stmt(BPF_LD|BPF_IND|size); 6895 sappend(s, tmp); 6896 sappend(inst->s, s); 6897 break; 6898 6899 case Q_LINK: 6900 /* 6901 * The offset is relative to the beginning of 6902 * the link-layer header. 6903 * 6904 * XXX - what about ATM LANE? Should the index be 6905 * relative to the beginning of the AAL5 frame, so 6906 * that 0 refers to the beginning of the LE Control 6907 * field, or relative to the beginning of the LAN 6908 * frame, so that 0 refers, for Ethernet LANE, to 6909 * the beginning of the destination address? 6910 */ 6911 s = gen_llprefixlen(); 6912 6913 /* 6914 * If "s" is non-null, it has code to arrange that the 6915 * X register contains the length of the prefix preceding 6916 * the link-layer header. Add to it the offset computed 6917 * into the register specified by "index", and move that 6918 * into the X register. Otherwise, just load into the X 6919 * register the offset computed into the register specified 6920 * by "index". 6921 */ 6922 if (s != NULL) { 6923 sappend(s, xfer_to_a(inst)); 6924 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6925 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6926 } else 6927 s = xfer_to_x(inst); 6928 6929 /* 6930 * Load the item at the sum of the offset we've put in the 6931 * X register and the offset of the start of the link 6932 * layer header (which is 0 if the radio header is 6933 * variable-length; that header length is what we put 6934 * into the X register and then added to the index). 6935 */ 6936 tmp = new_stmt(BPF_LD|BPF_IND|size); 6937 tmp->s.k = off_ll; 6938 sappend(s, tmp); 6939 sappend(inst->s, s); 6940 break; 6941 6942 case Q_IP: 6943 case Q_ARP: 6944 case Q_RARP: 6945 case Q_ATALK: 6946 case Q_DECNET: 6947 case Q_SCA: 6948 case Q_LAT: 6949 case Q_MOPRC: 6950 case Q_MOPDL: 6951 case Q_IPV6: 6952 /* 6953 * The offset is relative to the beginning of 6954 * the network-layer header. 6955 * XXX - are there any cases where we want 6956 * off_nl_nosnap? 6957 */ 6958 s = gen_off_macpl(); 6959 6960 /* 6961 * If "s" is non-null, it has code to arrange that the 6962 * X register contains the offset of the MAC-layer 6963 * payload. Add to it the offset computed into the 6964 * register specified by "index", and move that into 6965 * the X register. Otherwise, just load into the X 6966 * register the offset computed into the register specified 6967 * by "index". 6968 */ 6969 if (s != NULL) { 6970 sappend(s, xfer_to_a(inst)); 6971 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6972 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6973 } else 6974 s = xfer_to_x(inst); 6975 6976 /* 6977 * Load the item at the sum of the offset we've put in the 6978 * X register, the offset of the start of the network 6979 * layer header from the beginning of the MAC-layer 6980 * payload, and the purported offset of the start of the 6981 * MAC-layer payload (which might be 0 if there's a 6982 * variable-length prefix before the link-layer header 6983 * or the link-layer header itself is variable-length; 6984 * the variable-length offset of the start of the 6985 * MAC-layer payload is what we put into the X register 6986 * and then added to the index). 6987 */ 6988 tmp = new_stmt(BPF_LD|BPF_IND|size); 6989 tmp->s.k = off_macpl + off_nl; 6990 sappend(s, tmp); 6991 sappend(inst->s, s); 6992 6993 /* 6994 * Do the computation only if the packet contains 6995 * the protocol in question. 6996 */ 6997 b = gen_proto_abbrev(proto); 6998 if (inst->b) 6999 gen_and(inst->b, b); 7000 inst->b = b; 7001 break; 7002 7003 case Q_SCTP: 7004 case Q_TCP: 7005 case Q_UDP: 7006 case Q_ICMP: 7007 case Q_IGMP: 7008 case Q_IGRP: 7009 case Q_PIM: 7010 case Q_VRRP: 7011 case Q_CARP: 7012 /* 7013 * The offset is relative to the beginning of 7014 * the transport-layer header. 7015 * 7016 * Load the X register with the length of the IPv4 header 7017 * (plus the offset of the link-layer header, if it's 7018 * a variable-length header), in bytes. 7019 * 7020 * XXX - are there any cases where we want 7021 * off_nl_nosnap? 7022 * XXX - we should, if we're built with 7023 * IPv6 support, generate code to load either 7024 * IPv4, IPv6, or both, as appropriate. 7025 */ 7026 s = gen_loadx_iphdrlen(); 7027 7028 /* 7029 * The X register now contains the sum of the length 7030 * of any variable-length header preceding the link-layer 7031 * header, any variable-length link-layer header, and the 7032 * length of the network-layer header. 7033 * 7034 * Load into the A register the offset relative to 7035 * the beginning of the transport layer header, 7036 * add the X register to that, move that to the 7037 * X register, and load with an offset from the 7038 * X register equal to the offset of the network 7039 * layer header relative to the beginning of 7040 * the MAC-layer payload plus the fixed-length 7041 * portion of the offset of the MAC-layer payload 7042 * from the beginning of the raw packet data. 7043 */ 7044 sappend(s, xfer_to_a(inst)); 7045 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 7046 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 7047 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 7048 tmp->s.k = off_macpl + off_nl; 7049 sappend(inst->s, s); 7050 7051 /* 7052 * Do the computation only if the packet contains 7053 * the protocol in question - which is true only 7054 * if this is an IP datagram and is the first or 7055 * only fragment of that datagram. 7056 */ 7057 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 7058 if (inst->b) 7059 gen_and(inst->b, b); 7060 gen_and(gen_proto_abbrev(Q_IP), b); 7061 inst->b = b; 7062 break; 7063 case Q_ICMPV6: 7064 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 7065 /*NOTREACHED*/ 7066 } 7067 inst->regno = regno; 7068 s = new_stmt(BPF_ST); 7069 s->s.k = regno; 7070 sappend(inst->s, s); 7071 7072 return inst; 7073 } 7074 7075 struct block * 7076 gen_relation(code, a0, a1, reversed) 7077 int code; 7078 struct arth *a0, *a1; 7079 int reversed; 7080 { 7081 struct slist *s0, *s1, *s2; 7082 struct block *b, *tmp; 7083 7084 s0 = xfer_to_x(a1); 7085 s1 = xfer_to_a(a0); 7086 if (code == BPF_JEQ) { 7087 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 7088 b = new_block(JMP(code)); 7089 sappend(s1, s2); 7090 } 7091 else 7092 b = new_block(BPF_JMP|code|BPF_X); 7093 if (reversed) 7094 gen_not(b); 7095 7096 sappend(s0, s1); 7097 sappend(a1->s, s0); 7098 sappend(a0->s, a1->s); 7099 7100 b->stmts = a0->s; 7101 7102 free_reg(a0->regno); 7103 free_reg(a1->regno); 7104 7105 /* 'and' together protocol checks */ 7106 if (a0->b) { 7107 if (a1->b) { 7108 gen_and(a0->b, tmp = a1->b); 7109 } 7110 else 7111 tmp = a0->b; 7112 } else 7113 tmp = a1->b; 7114 7115 if (tmp) 7116 gen_and(tmp, b); 7117 7118 return b; 7119 } 7120 7121 struct arth * 7122 gen_loadlen() 7123 { 7124 int regno = alloc_reg(); 7125 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 7126 struct slist *s; 7127 7128 s = new_stmt(BPF_LD|BPF_LEN); 7129 s->next = new_stmt(BPF_ST); 7130 s->next->s.k = regno; 7131 a->s = s; 7132 a->regno = regno; 7133 7134 return a; 7135 } 7136 7137 struct arth * 7138 gen_loadi(val) 7139 int val; 7140 { 7141 struct arth *a; 7142 struct slist *s; 7143 int reg; 7144 7145 a = (struct arth *)newchunk(sizeof(*a)); 7146 7147 reg = alloc_reg(); 7148 7149 s = new_stmt(BPF_LD|BPF_IMM); 7150 s->s.k = val; 7151 s->next = new_stmt(BPF_ST); 7152 s->next->s.k = reg; 7153 a->s = s; 7154 a->regno = reg; 7155 7156 return a; 7157 } 7158 7159 struct arth * 7160 gen_neg(a) 7161 struct arth *a; 7162 { 7163 struct slist *s; 7164 7165 s = xfer_to_a(a); 7166 sappend(a->s, s); 7167 s = new_stmt(BPF_ALU|BPF_NEG); 7168 s->s.k = 0; 7169 sappend(a->s, s); 7170 s = new_stmt(BPF_ST); 7171 s->s.k = a->regno; 7172 sappend(a->s, s); 7173 7174 return a; 7175 } 7176 7177 struct arth * 7178 gen_arth(code, a0, a1) 7179 int code; 7180 struct arth *a0, *a1; 7181 { 7182 struct slist *s0, *s1, *s2; 7183 7184 s0 = xfer_to_x(a1); 7185 s1 = xfer_to_a(a0); 7186 s2 = new_stmt(BPF_ALU|BPF_X|code); 7187 7188 sappend(s1, s2); 7189 sappend(s0, s1); 7190 sappend(a1->s, s0); 7191 sappend(a0->s, a1->s); 7192 7193 free_reg(a0->regno); 7194 free_reg(a1->regno); 7195 7196 s0 = new_stmt(BPF_ST); 7197 a0->regno = s0->s.k = alloc_reg(); 7198 sappend(a0->s, s0); 7199 7200 return a0; 7201 } 7202 7203 /* 7204 * Here we handle simple allocation of the scratch registers. 7205 * If too many registers are alloc'd, the allocator punts. 7206 */ 7207 static int regused[BPF_MEMWORDS]; 7208 static int curreg; 7209 7210 /* 7211 * Initialize the table of used registers and the current register. 7212 */ 7213 static void 7214 init_regs() 7215 { 7216 curreg = 0; 7217 memset(regused, 0, sizeof regused); 7218 } 7219 7220 /* 7221 * Return the next free register. 7222 */ 7223 static int 7224 alloc_reg() 7225 { 7226 int n = BPF_MEMWORDS; 7227 7228 while (--n >= 0) { 7229 if (regused[curreg]) 7230 curreg = (curreg + 1) % BPF_MEMWORDS; 7231 else { 7232 regused[curreg] = 1; 7233 return curreg; 7234 } 7235 } 7236 bpf_error("too many registers needed to evaluate expression"); 7237 /* NOTREACHED */ 7238 return 0; 7239 } 7240 7241 /* 7242 * Return a register to the table so it can 7243 * be used later. 7244 */ 7245 static void 7246 free_reg(n) 7247 int n; 7248 { 7249 regused[n] = 0; 7250 } 7251 7252 static struct block * 7253 gen_len(jmp, n) 7254 int jmp, n; 7255 { 7256 struct slist *s; 7257 struct block *b; 7258 7259 s = new_stmt(BPF_LD|BPF_LEN); 7260 b = new_block(JMP(jmp)); 7261 b->stmts = s; 7262 b->s.k = n; 7263 7264 return b; 7265 } 7266 7267 struct block * 7268 gen_greater(n) 7269 int n; 7270 { 7271 return gen_len(BPF_JGE, n); 7272 } 7273 7274 /* 7275 * Actually, this is less than or equal. 7276 */ 7277 struct block * 7278 gen_less(n) 7279 int n; 7280 { 7281 struct block *b; 7282 7283 b = gen_len(BPF_JGT, n); 7284 gen_not(b); 7285 7286 return b; 7287 } 7288 7289 /* 7290 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7291 * the beginning of the link-layer header. 7292 * XXX - that means you can't test values in the radiotap header, but 7293 * as that header is difficult if not impossible to parse generally 7294 * without a loop, that might not be a severe problem. A new keyword 7295 * "radio" could be added for that, although what you'd really want 7296 * would be a way of testing particular radio header values, which 7297 * would generate code appropriate to the radio header in question. 7298 */ 7299 struct block * 7300 gen_byteop(op, idx, val) 7301 int op, idx, val; 7302 { 7303 struct block *b; 7304 struct slist *s; 7305 7306 switch (op) { 7307 default: 7308 abort(); 7309 7310 case '=': 7311 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7312 7313 case '<': 7314 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7315 return b; 7316 7317 case '>': 7318 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7319 return b; 7320 7321 case '|': 7322 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7323 break; 7324 7325 case '&': 7326 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7327 break; 7328 } 7329 s->s.k = val; 7330 b = new_block(JMP(BPF_JEQ)); 7331 b->stmts = s; 7332 gen_not(b); 7333 7334 return b; 7335 } 7336 7337 static u_char abroadcast[] = { 0x0 }; 7338 7339 struct block * 7340 gen_broadcast(proto) 7341 int proto; 7342 { 7343 bpf_u_int32 hostmask; 7344 struct block *b0, *b1, *b2; 7345 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7346 7347 switch (proto) { 7348 7349 case Q_DEFAULT: 7350 case Q_LINK: 7351 switch (linktype) { 7352 case DLT_ARCNET: 7353 case DLT_ARCNET_LINUX: 7354 return gen_ahostop(abroadcast, Q_DST); 7355 case DLT_EN10MB: 7356 case DLT_NETANALYZER: 7357 case DLT_NETANALYZER_TRANSPARENT: 7358 return gen_ehostop(ebroadcast, Q_DST); 7359 case DLT_FDDI: 7360 return gen_fhostop(ebroadcast, Q_DST); 7361 case DLT_IEEE802: 7362 return gen_thostop(ebroadcast, Q_DST); 7363 case DLT_IEEE802_11: 7364 case DLT_PRISM_HEADER: 7365 case DLT_IEEE802_11_RADIO_AVS: 7366 case DLT_IEEE802_11_RADIO: 7367 case DLT_PPI: 7368 return gen_wlanhostop(ebroadcast, Q_DST); 7369 case DLT_IP_OVER_FC: 7370 return gen_ipfchostop(ebroadcast, Q_DST); 7371 case DLT_SUNATM: 7372 if (is_lane) { 7373 /* 7374 * Check that the packet doesn't begin with an 7375 * LE Control marker. (We've already generated 7376 * a test for LANE.) 7377 */ 7378 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7379 BPF_H, 0xFF00); 7380 gen_not(b1); 7381 7382 /* 7383 * Now check the MAC address. 7384 */ 7385 b0 = gen_ehostop(ebroadcast, Q_DST); 7386 gen_and(b1, b0); 7387 return b0; 7388 } 7389 break; 7390 default: 7391 bpf_error("not a broadcast link"); 7392 } 7393 break; 7394 7395 case Q_IP: 7396 /* 7397 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7398 * as an indication that we don't know the netmask, and fail 7399 * in that case. 7400 */ 7401 if (netmask == PCAP_NETMASK_UNKNOWN) 7402 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7403 b0 = gen_linktype(ETHERTYPE_IP); 7404 hostmask = ~netmask; 7405 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7406 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7407 (bpf_int32)(~0 & hostmask), hostmask); 7408 gen_or(b1, b2); 7409 gen_and(b0, b2); 7410 return b2; 7411 } 7412 bpf_error("only link-layer/IP broadcast filters supported"); 7413 /* NOTREACHED */ 7414 return NULL; 7415 } 7416 7417 /* 7418 * Generate code to test the low-order bit of a MAC address (that's 7419 * the bottom bit of the *first* byte). 7420 */ 7421 static struct block * 7422 gen_mac_multicast(offset) 7423 int offset; 7424 { 7425 register struct block *b0; 7426 register struct slist *s; 7427 7428 /* link[offset] & 1 != 0 */ 7429 s = gen_load_a(OR_LINK, offset, BPF_B); 7430 b0 = new_block(JMP(BPF_JSET)); 7431 b0->s.k = 1; 7432 b0->stmts = s; 7433 return b0; 7434 } 7435 7436 struct block * 7437 gen_multicast(proto) 7438 int proto; 7439 { 7440 register struct block *b0, *b1, *b2; 7441 register struct slist *s; 7442 7443 switch (proto) { 7444 7445 case Q_DEFAULT: 7446 case Q_LINK: 7447 switch (linktype) { 7448 case DLT_ARCNET: 7449 case DLT_ARCNET_LINUX: 7450 /* all ARCnet multicasts use the same address */ 7451 return gen_ahostop(abroadcast, Q_DST); 7452 case DLT_EN10MB: 7453 case DLT_NETANALYZER: 7454 case DLT_NETANALYZER_TRANSPARENT: 7455 /* ether[0] & 1 != 0 */ 7456 return gen_mac_multicast(0); 7457 case DLT_FDDI: 7458 /* 7459 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7460 * 7461 * XXX - was that referring to bit-order issues? 7462 */ 7463 /* fddi[1] & 1 != 0 */ 7464 return gen_mac_multicast(1); 7465 case DLT_IEEE802: 7466 /* tr[2] & 1 != 0 */ 7467 return gen_mac_multicast(2); 7468 case DLT_IEEE802_11: 7469 case DLT_PRISM_HEADER: 7470 case DLT_IEEE802_11_RADIO_AVS: 7471 case DLT_IEEE802_11_RADIO: 7472 case DLT_PPI: 7473 /* 7474 * Oh, yuk. 7475 * 7476 * For control frames, there is no DA. 7477 * 7478 * For management frames, DA is at an 7479 * offset of 4 from the beginning of 7480 * the packet. 7481 * 7482 * For data frames, DA is at an offset 7483 * of 4 from the beginning of the packet 7484 * if To DS is clear and at an offset of 7485 * 16 from the beginning of the packet 7486 * if To DS is set. 7487 */ 7488 7489 /* 7490 * Generate the tests to be done for data frames. 7491 * 7492 * First, check for To DS set, i.e. "link[1] & 0x01". 7493 */ 7494 s = gen_load_a(OR_LINK, 1, BPF_B); 7495 b1 = new_block(JMP(BPF_JSET)); 7496 b1->s.k = 0x01; /* To DS */ 7497 b1->stmts = s; 7498 7499 /* 7500 * If To DS is set, the DA is at 16. 7501 */ 7502 b0 = gen_mac_multicast(16); 7503 gen_and(b1, b0); 7504 7505 /* 7506 * Now, check for To DS not set, i.e. check 7507 * "!(link[1] & 0x01)". 7508 */ 7509 s = gen_load_a(OR_LINK, 1, BPF_B); 7510 b2 = new_block(JMP(BPF_JSET)); 7511 b2->s.k = 0x01; /* To DS */ 7512 b2->stmts = s; 7513 gen_not(b2); 7514 7515 /* 7516 * If To DS is not set, the DA is at 4. 7517 */ 7518 b1 = gen_mac_multicast(4); 7519 gen_and(b2, b1); 7520 7521 /* 7522 * Now OR together the last two checks. That gives 7523 * the complete set of checks for data frames. 7524 */ 7525 gen_or(b1, b0); 7526 7527 /* 7528 * Now check for a data frame. 7529 * I.e, check "link[0] & 0x08". 7530 */ 7531 s = gen_load_a(OR_LINK, 0, BPF_B); 7532 b1 = new_block(JMP(BPF_JSET)); 7533 b1->s.k = 0x08; 7534 b1->stmts = s; 7535 7536 /* 7537 * AND that with the checks done for data frames. 7538 */ 7539 gen_and(b1, b0); 7540 7541 /* 7542 * If the high-order bit of the type value is 0, this 7543 * is a management frame. 7544 * I.e, check "!(link[0] & 0x08)". 7545 */ 7546 s = gen_load_a(OR_LINK, 0, BPF_B); 7547 b2 = new_block(JMP(BPF_JSET)); 7548 b2->s.k = 0x08; 7549 b2->stmts = s; 7550 gen_not(b2); 7551 7552 /* 7553 * For management frames, the DA is at 4. 7554 */ 7555 b1 = gen_mac_multicast(4); 7556 gen_and(b2, b1); 7557 7558 /* 7559 * OR that with the checks done for data frames. 7560 * That gives the checks done for management and 7561 * data frames. 7562 */ 7563 gen_or(b1, b0); 7564 7565 /* 7566 * If the low-order bit of the type value is 1, 7567 * this is either a control frame or a frame 7568 * with a reserved type, and thus not a 7569 * frame with an SA. 7570 * 7571 * I.e., check "!(link[0] & 0x04)". 7572 */ 7573 s = gen_load_a(OR_LINK, 0, BPF_B); 7574 b1 = new_block(JMP(BPF_JSET)); 7575 b1->s.k = 0x04; 7576 b1->stmts = s; 7577 gen_not(b1); 7578 7579 /* 7580 * AND that with the checks for data and management 7581 * frames. 7582 */ 7583 gen_and(b1, b0); 7584 return b0; 7585 case DLT_IP_OVER_FC: 7586 b0 = gen_mac_multicast(2); 7587 return b0; 7588 case DLT_SUNATM: 7589 if (is_lane) { 7590 /* 7591 * Check that the packet doesn't begin with an 7592 * LE Control marker. (We've already generated 7593 * a test for LANE.) 7594 */ 7595 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7596 BPF_H, 0xFF00); 7597 gen_not(b1); 7598 7599 /* ether[off_mac] & 1 != 0 */ 7600 b0 = gen_mac_multicast(off_mac); 7601 gen_and(b1, b0); 7602 return b0; 7603 } 7604 break; 7605 default: 7606 break; 7607 } 7608 /* Link not known to support multicasts */ 7609 break; 7610 7611 case Q_IP: 7612 b0 = gen_linktype(ETHERTYPE_IP); 7613 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7614 gen_and(b0, b1); 7615 return b1; 7616 7617 case Q_IPV6: 7618 b0 = gen_linktype(ETHERTYPE_IPV6); 7619 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7620 gen_and(b0, b1); 7621 return b1; 7622 } 7623 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7624 /* NOTREACHED */ 7625 return NULL; 7626 } 7627 7628 /* 7629 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7630 * Outbound traffic is sent by this machine, while inbound traffic is 7631 * sent by a remote machine (and may include packets destined for a 7632 * unicast or multicast link-layer address we are not subscribing to). 7633 * These are the same definitions implemented by pcap_setdirection(). 7634 * Capturing only unicast traffic destined for this host is probably 7635 * better accomplished using a higher-layer filter. 7636 */ 7637 struct block * 7638 gen_inbound(dir) 7639 int dir; 7640 { 7641 register struct block *b0; 7642 7643 /* 7644 * Only some data link types support inbound/outbound qualifiers. 7645 */ 7646 switch (linktype) { 7647 case DLT_SLIP: 7648 b0 = gen_relation(BPF_JEQ, 7649 gen_load(Q_LINK, gen_loadi(0), 1), 7650 gen_loadi(0), 7651 dir); 7652 break; 7653 7654 case DLT_IPNET: 7655 if (dir) { 7656 /* match outgoing packets */ 7657 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7658 } else { 7659 /* match incoming packets */ 7660 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7661 } 7662 break; 7663 7664 case DLT_LINUX_SLL: 7665 /* match outgoing packets */ 7666 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7667 if (!dir) { 7668 /* to filter on inbound traffic, invert the match */ 7669 gen_not(b0); 7670 } 7671 break; 7672 7673 #ifdef HAVE_NET_PFVAR_H 7674 case DLT_PFLOG: 7675 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7676 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7677 break; 7678 #endif 7679 7680 case DLT_PPP_PPPD: 7681 if (dir) { 7682 /* match outgoing packets */ 7683 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7684 } else { 7685 /* match incoming packets */ 7686 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7687 } 7688 break; 7689 7690 case DLT_JUNIPER_MFR: 7691 case DLT_JUNIPER_MLFR: 7692 case DLT_JUNIPER_MLPPP: 7693 case DLT_JUNIPER_ATM1: 7694 case DLT_JUNIPER_ATM2: 7695 case DLT_JUNIPER_PPPOE: 7696 case DLT_JUNIPER_PPPOE_ATM: 7697 case DLT_JUNIPER_GGSN: 7698 case DLT_JUNIPER_ES: 7699 case DLT_JUNIPER_MONITOR: 7700 case DLT_JUNIPER_SERVICES: 7701 case DLT_JUNIPER_ETHER: 7702 case DLT_JUNIPER_PPP: 7703 case DLT_JUNIPER_FRELAY: 7704 case DLT_JUNIPER_CHDLC: 7705 case DLT_JUNIPER_VP: 7706 case DLT_JUNIPER_ST: 7707 case DLT_JUNIPER_ISM: 7708 case DLT_JUNIPER_VS: 7709 case DLT_JUNIPER_SRX_E2E: 7710 case DLT_JUNIPER_FIBRECHANNEL: 7711 case DLT_JUNIPER_ATM_CEMIC: 7712 7713 /* juniper flags (including direction) are stored 7714 * the byte after the 3-byte magic number */ 7715 if (dir) { 7716 /* match outgoing packets */ 7717 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7718 } else { 7719 /* match incoming packets */ 7720 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7721 } 7722 break; 7723 7724 default: 7725 /* 7726 * If we have packet meta-data indicating a direction, 7727 * check it, otherwise give up as this link-layer type 7728 * has nothing in the packet data. 7729 */ 7730 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7731 /* 7732 * This is Linux with PF_PACKET support. 7733 * If this is a *live* capture, we can look at 7734 * special meta-data in the filter expression; 7735 * if it's a savefile, we can't. 7736 */ 7737 if (bpf_pcap->rfile != NULL) { 7738 /* We have a FILE *, so this is a savefile */ 7739 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles", 7740 linktype); 7741 b0 = NULL; 7742 /* NOTREACHED */ 7743 } 7744 /* match outgoing packets */ 7745 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7746 PACKET_OUTGOING); 7747 if (!dir) { 7748 /* to filter on inbound traffic, invert the match */ 7749 gen_not(b0); 7750 } 7751 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7752 bpf_error("inbound/outbound not supported on linktype %d", 7753 linktype); 7754 b0 = NULL; 7755 /* NOTREACHED */ 7756 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7757 } 7758 return (b0); 7759 } 7760 7761 #ifdef HAVE_NET_PFVAR_H 7762 /* PF firewall log matched interface */ 7763 struct block * 7764 gen_pf_ifname(const char *ifname) 7765 { 7766 struct block *b0; 7767 u_int len, off; 7768 7769 if (linktype != DLT_PFLOG) { 7770 bpf_error("ifname supported only on PF linktype"); 7771 /* NOTREACHED */ 7772 } 7773 len = sizeof(((struct pfloghdr *)0)->ifname); 7774 off = offsetof(struct pfloghdr, ifname); 7775 if (strlen(ifname) >= len) { 7776 bpf_error("ifname interface names can only be %d characters", 7777 len-1); 7778 /* NOTREACHED */ 7779 } 7780 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7781 return (b0); 7782 } 7783 7784 /* PF firewall log ruleset name */ 7785 struct block * 7786 gen_pf_ruleset(char *ruleset) 7787 { 7788 struct block *b0; 7789 7790 if (linktype != DLT_PFLOG) { 7791 bpf_error("ruleset supported only on PF linktype"); 7792 /* NOTREACHED */ 7793 } 7794 7795 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7796 bpf_error("ruleset names can only be %ld characters", 7797 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7798 /* NOTREACHED */ 7799 } 7800 7801 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7802 strlen(ruleset), (const u_char *)ruleset); 7803 return (b0); 7804 } 7805 7806 /* PF firewall log rule number */ 7807 struct block * 7808 gen_pf_rnr(int rnr) 7809 { 7810 struct block *b0; 7811 7812 if (linktype != DLT_PFLOG) { 7813 bpf_error("rnr supported only on PF linktype"); 7814 /* NOTREACHED */ 7815 } 7816 7817 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7818 (bpf_int32)rnr); 7819 return (b0); 7820 } 7821 7822 /* PF firewall log sub-rule number */ 7823 struct block * 7824 gen_pf_srnr(int srnr) 7825 { 7826 struct block *b0; 7827 7828 if (linktype != DLT_PFLOG) { 7829 bpf_error("srnr supported only on PF linktype"); 7830 /* NOTREACHED */ 7831 } 7832 7833 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7834 (bpf_int32)srnr); 7835 return (b0); 7836 } 7837 7838 /* PF firewall log reason code */ 7839 struct block * 7840 gen_pf_reason(int reason) 7841 { 7842 struct block *b0; 7843 7844 if (linktype != DLT_PFLOG) { 7845 bpf_error("reason supported only on PF linktype"); 7846 /* NOTREACHED */ 7847 } 7848 7849 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7850 (bpf_int32)reason); 7851 return (b0); 7852 } 7853 7854 /* PF firewall log action */ 7855 struct block * 7856 gen_pf_action(int action) 7857 { 7858 struct block *b0; 7859 7860 if (linktype != DLT_PFLOG) { 7861 bpf_error("action supported only on PF linktype"); 7862 /* NOTREACHED */ 7863 } 7864 7865 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7866 (bpf_int32)action); 7867 return (b0); 7868 } 7869 #else /* !HAVE_NET_PFVAR_H */ 7870 struct block * 7871 gen_pf_ifname(const char *ifname) 7872 { 7873 bpf_error("libpcap was compiled without pf support"); 7874 /* NOTREACHED */ 7875 return (NULL); 7876 } 7877 7878 struct block * 7879 gen_pf_ruleset(char *ruleset) 7880 { 7881 bpf_error("libpcap was compiled on a machine without pf support"); 7882 /* NOTREACHED */ 7883 return (NULL); 7884 } 7885 7886 struct block * 7887 gen_pf_rnr(int rnr) 7888 { 7889 bpf_error("libpcap was compiled on a machine without pf support"); 7890 /* NOTREACHED */ 7891 return (NULL); 7892 } 7893 7894 struct block * 7895 gen_pf_srnr(int srnr) 7896 { 7897 bpf_error("libpcap was compiled on a machine without pf support"); 7898 /* NOTREACHED */ 7899 return (NULL); 7900 } 7901 7902 struct block * 7903 gen_pf_reason(int reason) 7904 { 7905 bpf_error("libpcap was compiled on a machine without pf support"); 7906 /* NOTREACHED */ 7907 return (NULL); 7908 } 7909 7910 struct block * 7911 gen_pf_action(int action) 7912 { 7913 bpf_error("libpcap was compiled on a machine without pf support"); 7914 /* NOTREACHED */ 7915 return (NULL); 7916 } 7917 #endif /* HAVE_NET_PFVAR_H */ 7918 7919 /* IEEE 802.11 wireless header */ 7920 struct block * 7921 gen_p80211_type(int type, int mask) 7922 { 7923 struct block *b0; 7924 7925 switch (linktype) { 7926 7927 case DLT_IEEE802_11: 7928 case DLT_PRISM_HEADER: 7929 case DLT_IEEE802_11_RADIO_AVS: 7930 case DLT_IEEE802_11_RADIO: 7931 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7932 (bpf_int32)mask); 7933 break; 7934 7935 default: 7936 bpf_error("802.11 link-layer types supported only on 802.11"); 7937 /* NOTREACHED */ 7938 } 7939 7940 return (b0); 7941 } 7942 7943 struct block * 7944 gen_p80211_fcdir(int fcdir) 7945 { 7946 struct block *b0; 7947 7948 switch (linktype) { 7949 7950 case DLT_IEEE802_11: 7951 case DLT_PRISM_HEADER: 7952 case DLT_IEEE802_11_RADIO_AVS: 7953 case DLT_IEEE802_11_RADIO: 7954 break; 7955 7956 default: 7957 bpf_error("frame direction supported only with 802.11 headers"); 7958 /* NOTREACHED */ 7959 } 7960 7961 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7962 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7963 7964 return (b0); 7965 } 7966 7967 struct block * 7968 gen_acode(eaddr, q) 7969 register const u_char *eaddr; 7970 struct qual q; 7971 { 7972 switch (linktype) { 7973 7974 case DLT_ARCNET: 7975 case DLT_ARCNET_LINUX: 7976 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7977 q.proto == Q_LINK) 7978 return (gen_ahostop(eaddr, (int)q.dir)); 7979 else { 7980 bpf_error("ARCnet address used in non-arc expression"); 7981 /* NOTREACHED */ 7982 } 7983 break; 7984 7985 default: 7986 bpf_error("aid supported only on ARCnet"); 7987 /* NOTREACHED */ 7988 } 7989 bpf_error("ARCnet address used in non-arc expression"); 7990 /* NOTREACHED */ 7991 return NULL; 7992 } 7993 7994 static struct block * 7995 gen_ahostop(eaddr, dir) 7996 register const u_char *eaddr; 7997 register int dir; 7998 { 7999 register struct block *b0, *b1; 8000 8001 switch (dir) { 8002 /* src comes first, different from Ethernet */ 8003 case Q_SRC: 8004 return gen_bcmp(OR_LINK, 0, 1, eaddr); 8005 8006 case Q_DST: 8007 return gen_bcmp(OR_LINK, 1, 1, eaddr); 8008 8009 case Q_AND: 8010 b0 = gen_ahostop(eaddr, Q_SRC); 8011 b1 = gen_ahostop(eaddr, Q_DST); 8012 gen_and(b0, b1); 8013 return b1; 8014 8015 case Q_DEFAULT: 8016 case Q_OR: 8017 b0 = gen_ahostop(eaddr, Q_SRC); 8018 b1 = gen_ahostop(eaddr, Q_DST); 8019 gen_or(b0, b1); 8020 return b1; 8021 8022 case Q_ADDR1: 8023 bpf_error("'addr1' is only supported on 802.11"); 8024 break; 8025 8026 case Q_ADDR2: 8027 bpf_error("'addr2' is only supported on 802.11"); 8028 break; 8029 8030 case Q_ADDR3: 8031 bpf_error("'addr3' is only supported on 802.11"); 8032 break; 8033 8034 case Q_ADDR4: 8035 bpf_error("'addr4' is only supported on 802.11"); 8036 break; 8037 8038 case Q_RA: 8039 bpf_error("'ra' is only supported on 802.11"); 8040 break; 8041 8042 case Q_TA: 8043 bpf_error("'ta' is only supported on 802.11"); 8044 break; 8045 } 8046 abort(); 8047 /* NOTREACHED */ 8048 } 8049 8050 /* 8051 * support IEEE 802.1Q VLAN trunk over ethernet 8052 */ 8053 struct block * 8054 gen_vlan(vlan_num) 8055 int vlan_num; 8056 { 8057 struct block *b0, *b1; 8058 8059 /* can't check for VLAN-encapsulated packets inside MPLS */ 8060 if (label_stack_depth > 0) 8061 bpf_error("no VLAN match after MPLS"); 8062 8063 /* 8064 * Check for a VLAN packet, and then change the offsets to point 8065 * to the type and data fields within the VLAN packet. Just 8066 * increment the offsets, so that we can support a hierarchy, e.g. 8067 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 8068 * VLAN 100. 8069 * 8070 * XXX - this is a bit of a kludge. If we were to split the 8071 * compiler into a parser that parses an expression and 8072 * generates an expression tree, and a code generator that 8073 * takes an expression tree (which could come from our 8074 * parser or from some other parser) and generates BPF code, 8075 * we could perhaps make the offsets parameters of routines 8076 * and, in the handler for an "AND" node, pass to subnodes 8077 * other than the VLAN node the adjusted offsets. 8078 * 8079 * This would mean that "vlan" would, instead of changing the 8080 * behavior of *all* tests after it, change only the behavior 8081 * of tests ANDed with it. That would change the documented 8082 * semantics of "vlan", which might break some expressions. 8083 * However, it would mean that "(vlan and ip) or ip" would check 8084 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8085 * checking only for VLAN-encapsulated IP, so that could still 8086 * be considered worth doing; it wouldn't break expressions 8087 * that are of the form "vlan and ..." or "vlan N and ...", 8088 * which I suspect are the most common expressions involving 8089 * "vlan". "vlan or ..." doesn't necessarily do what the user 8090 * would really want, now, as all the "or ..." tests would 8091 * be done assuming a VLAN, even though the "or" could be viewed 8092 * as meaning "or, if this isn't a VLAN packet...". 8093 */ 8094 orig_nl = off_nl; 8095 8096 switch (linktype) { 8097 8098 case DLT_EN10MB: 8099 case DLT_NETANALYZER: 8100 case DLT_NETANALYZER_TRANSPARENT: 8101 /* check for VLAN, including QinQ */ 8102 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 8103 (bpf_int32)ETHERTYPE_8021Q); 8104 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, 8105 (bpf_int32)ETHERTYPE_8021QINQ); 8106 gen_or(b0,b1); 8107 b0 = b1; 8108 8109 /* If a specific VLAN is requested, check VLAN id */ 8110 if (vlan_num >= 0) { 8111 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 8112 (bpf_int32)vlan_num, 0x0fff); 8113 gen_and(b0, b1); 8114 b0 = b1; 8115 } 8116 8117 off_macpl += 4; 8118 off_linktype += 4; 8119 #if 0 8120 off_nl_nosnap += 4; 8121 off_nl += 4; 8122 #endif 8123 break; 8124 8125 default: 8126 bpf_error("no VLAN support for data link type %d", 8127 linktype); 8128 /*NOTREACHED*/ 8129 } 8130 8131 return (b0); 8132 } 8133 8134 /* 8135 * support for MPLS 8136 */ 8137 struct block * 8138 gen_mpls(label_num) 8139 int label_num; 8140 { 8141 struct block *b0,*b1; 8142 8143 /* 8144 * Change the offsets to point to the type and data fields within 8145 * the MPLS packet. Just increment the offsets, so that we 8146 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 8147 * capture packets with an outer label of 100000 and an inner 8148 * label of 1024. 8149 * 8150 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 8151 */ 8152 orig_nl = off_nl; 8153 8154 if (label_stack_depth > 0) { 8155 /* just match the bottom-of-stack bit clear */ 8156 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 8157 } else { 8158 /* 8159 * Indicate that we're checking MPLS-encapsulated headers, 8160 * to make sure higher level code generators don't try to 8161 * match against IP-related protocols such as Q_ARP, Q_RARP 8162 * etc. 8163 */ 8164 switch (linktype) { 8165 8166 case DLT_C_HDLC: /* fall through */ 8167 case DLT_EN10MB: 8168 case DLT_NETANALYZER: 8169 case DLT_NETANALYZER_TRANSPARENT: 8170 b0 = gen_linktype(ETHERTYPE_MPLS); 8171 break; 8172 8173 case DLT_PPP: 8174 b0 = gen_linktype(PPP_MPLS_UCAST); 8175 break; 8176 8177 /* FIXME add other DLT_s ... 8178 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8179 * leave it for now */ 8180 8181 default: 8182 bpf_error("no MPLS support for data link type %d", 8183 linktype); 8184 b0 = NULL; 8185 /*NOTREACHED*/ 8186 break; 8187 } 8188 } 8189 8190 /* If a specific MPLS label is requested, check it */ 8191 if (label_num >= 0) { 8192 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8193 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 8194 0xfffff000); /* only compare the first 20 bits */ 8195 gen_and(b0, b1); 8196 b0 = b1; 8197 } 8198 8199 off_nl_nosnap += 4; 8200 off_nl += 4; 8201 label_stack_depth++; 8202 return (b0); 8203 } 8204 8205 /* 8206 * Support PPPOE discovery and session. 8207 */ 8208 struct block * 8209 gen_pppoed() 8210 { 8211 /* check for PPPoE discovery */ 8212 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8213 } 8214 8215 struct block * 8216 gen_pppoes(sess_num) 8217 int sess_num; 8218 { 8219 struct block *b0, *b1; 8220 8221 /* 8222 * Test against the PPPoE session link-layer type. 8223 */ 8224 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8225 8226 /* 8227 * Change the offsets to point to the type and data fields within 8228 * the PPP packet, and note that this is PPPoE rather than 8229 * raw PPP. 8230 * 8231 * XXX - this is a bit of a kludge. If we were to split the 8232 * compiler into a parser that parses an expression and 8233 * generates an expression tree, and a code generator that 8234 * takes an expression tree (which could come from our 8235 * parser or from some other parser) and generates BPF code, 8236 * we could perhaps make the offsets parameters of routines 8237 * and, in the handler for an "AND" node, pass to subnodes 8238 * other than the PPPoE node the adjusted offsets. 8239 * 8240 * This would mean that "pppoes" would, instead of changing the 8241 * behavior of *all* tests after it, change only the behavior 8242 * of tests ANDed with it. That would change the documented 8243 * semantics of "pppoes", which might break some expressions. 8244 * However, it would mean that "(pppoes and ip) or ip" would check 8245 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8246 * checking only for VLAN-encapsulated IP, so that could still 8247 * be considered worth doing; it wouldn't break expressions 8248 * that are of the form "pppoes and ..." which I suspect are the 8249 * most common expressions involving "pppoes". "pppoes or ..." 8250 * doesn't necessarily do what the user would really want, now, 8251 * as all the "or ..." tests would be done assuming PPPoE, even 8252 * though the "or" could be viewed as meaning "or, if this isn't 8253 * a PPPoE packet...". 8254 */ 8255 orig_linktype = off_linktype; /* save original values */ 8256 orig_nl = off_nl; 8257 is_pppoes = 1; 8258 8259 /* If a specific session is requested, check PPPoE session id */ 8260 if (sess_num >= 0) { 8261 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, 8262 (bpf_int32)sess_num, 0x0000ffff); 8263 gen_and(b0, b1); 8264 b0 = b1; 8265 } 8266 8267 /* 8268 * The "network-layer" protocol is PPPoE, which has a 6-byte 8269 * PPPoE header, followed by a PPP packet. 8270 * 8271 * There is no HDLC encapsulation for the PPP packet (it's 8272 * encapsulated in PPPoES instead), so the link-layer type 8273 * starts at the first byte of the PPP packet. For PPPoE, 8274 * that offset is relative to the beginning of the total 8275 * link-layer payload, including any 802.2 LLC header, so 8276 * it's 6 bytes past off_nl. 8277 */ 8278 off_linktype = off_nl + 6; 8279 8280 /* 8281 * The network-layer offsets are relative to the beginning 8282 * of the MAC-layer payload; that's past the 6-byte 8283 * PPPoE header and the 2-byte PPP header. 8284 */ 8285 off_nl = 6+2; 8286 off_nl_nosnap = 6+2; 8287 8288 return b0; 8289 } 8290 8291 struct block * 8292 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8293 int atmfield; 8294 bpf_int32 jvalue; 8295 bpf_u_int32 jtype; 8296 int reverse; 8297 { 8298 struct block *b0; 8299 8300 switch (atmfield) { 8301 8302 case A_VPI: 8303 if (!is_atm) 8304 bpf_error("'vpi' supported only on raw ATM"); 8305 if (off_vpi == (u_int)-1) 8306 abort(); 8307 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8308 reverse, jvalue); 8309 break; 8310 8311 case A_VCI: 8312 if (!is_atm) 8313 bpf_error("'vci' supported only on raw ATM"); 8314 if (off_vci == (u_int)-1) 8315 abort(); 8316 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8317 reverse, jvalue); 8318 break; 8319 8320 case A_PROTOTYPE: 8321 if (off_proto == (u_int)-1) 8322 abort(); /* XXX - this isn't on FreeBSD */ 8323 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8324 reverse, jvalue); 8325 break; 8326 8327 case A_MSGTYPE: 8328 if (off_payload == (u_int)-1) 8329 abort(); 8330 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8331 0xffffffff, jtype, reverse, jvalue); 8332 break; 8333 8334 case A_CALLREFTYPE: 8335 if (!is_atm) 8336 bpf_error("'callref' supported only on raw ATM"); 8337 if (off_proto == (u_int)-1) 8338 abort(); 8339 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8340 jtype, reverse, jvalue); 8341 break; 8342 8343 default: 8344 abort(); 8345 } 8346 return b0; 8347 } 8348 8349 struct block * 8350 gen_atmtype_abbrev(type) 8351 int type; 8352 { 8353 struct block *b0, *b1; 8354 8355 switch (type) { 8356 8357 case A_METAC: 8358 /* Get all packets in Meta signalling Circuit */ 8359 if (!is_atm) 8360 bpf_error("'metac' supported only on raw ATM"); 8361 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8362 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8363 gen_and(b0, b1); 8364 break; 8365 8366 case A_BCC: 8367 /* Get all packets in Broadcast Circuit*/ 8368 if (!is_atm) 8369 bpf_error("'bcc' supported only on raw ATM"); 8370 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8371 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8372 gen_and(b0, b1); 8373 break; 8374 8375 case A_OAMF4SC: 8376 /* Get all cells in Segment OAM F4 circuit*/ 8377 if (!is_atm) 8378 bpf_error("'oam4sc' supported only on raw ATM"); 8379 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8380 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8381 gen_and(b0, b1); 8382 break; 8383 8384 case A_OAMF4EC: 8385 /* Get all cells in End-to-End OAM F4 Circuit*/ 8386 if (!is_atm) 8387 bpf_error("'oam4ec' supported only on raw ATM"); 8388 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8389 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8390 gen_and(b0, b1); 8391 break; 8392 8393 case A_SC: 8394 /* Get all packets in connection Signalling Circuit */ 8395 if (!is_atm) 8396 bpf_error("'sc' supported only on raw ATM"); 8397 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8398 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8399 gen_and(b0, b1); 8400 break; 8401 8402 case A_ILMIC: 8403 /* Get all packets in ILMI Circuit */ 8404 if (!is_atm) 8405 bpf_error("'ilmic' supported only on raw ATM"); 8406 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8407 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8408 gen_and(b0, b1); 8409 break; 8410 8411 case A_LANE: 8412 /* Get all LANE packets */ 8413 if (!is_atm) 8414 bpf_error("'lane' supported only on raw ATM"); 8415 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8416 8417 /* 8418 * Arrange that all subsequent tests assume LANE 8419 * rather than LLC-encapsulated packets, and set 8420 * the offsets appropriately for LANE-encapsulated 8421 * Ethernet. 8422 * 8423 * "off_mac" is the offset of the Ethernet header, 8424 * which is 2 bytes past the ATM pseudo-header 8425 * (skipping the pseudo-header and 2-byte LE Client 8426 * field). The other offsets are Ethernet offsets 8427 * relative to "off_mac". 8428 */ 8429 is_lane = 1; 8430 off_mac = off_payload + 2; /* MAC header */ 8431 off_linktype = off_mac + 12; 8432 off_macpl = off_mac + 14; /* Ethernet */ 8433 off_nl = 0; /* Ethernet II */ 8434 off_nl_nosnap = 3; /* 802.3+802.2 */ 8435 break; 8436 8437 case A_LLC: 8438 /* Get all LLC-encapsulated packets */ 8439 if (!is_atm) 8440 bpf_error("'llc' supported only on raw ATM"); 8441 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8442 is_lane = 0; 8443 break; 8444 8445 default: 8446 abort(); 8447 } 8448 return b1; 8449 } 8450 8451 /* 8452 * Filtering for MTP2 messages based on li value 8453 * FISU, length is null 8454 * LSSU, length is 1 or 2 8455 * MSU, length is 3 or more 8456 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 8457 */ 8458 struct block * 8459 gen_mtp2type_abbrev(type) 8460 int type; 8461 { 8462 struct block *b0, *b1; 8463 8464 switch (type) { 8465 8466 case M_FISU: 8467 if ( (linktype != DLT_MTP2) && 8468 (linktype != DLT_ERF) && 8469 (linktype != DLT_MTP2_WITH_PHDR) ) 8470 bpf_error("'fisu' supported only on MTP2"); 8471 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8472 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8473 break; 8474 8475 case M_LSSU: 8476 if ( (linktype != DLT_MTP2) && 8477 (linktype != DLT_ERF) && 8478 (linktype != DLT_MTP2_WITH_PHDR) ) 8479 bpf_error("'lssu' supported only on MTP2"); 8480 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8481 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8482 gen_and(b1, b0); 8483 break; 8484 8485 case M_MSU: 8486 if ( (linktype != DLT_MTP2) && 8487 (linktype != DLT_ERF) && 8488 (linktype != DLT_MTP2_WITH_PHDR) ) 8489 bpf_error("'msu' supported only on MTP2"); 8490 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8491 break; 8492 8493 case MH_FISU: 8494 if ( (linktype != DLT_MTP2) && 8495 (linktype != DLT_ERF) && 8496 (linktype != DLT_MTP2_WITH_PHDR) ) 8497 bpf_error("'hfisu' supported only on MTP2_HSL"); 8498 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8499 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 8500 break; 8501 8502 case MH_LSSU: 8503 if ( (linktype != DLT_MTP2) && 8504 (linktype != DLT_ERF) && 8505 (linktype != DLT_MTP2_WITH_PHDR) ) 8506 bpf_error("'hlssu' supported only on MTP2_HSL"); 8507 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 8508 b1 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 8509 gen_and(b1, b0); 8510 break; 8511 8512 case MH_MSU: 8513 if ( (linktype != DLT_MTP2) && 8514 (linktype != DLT_ERF) && 8515 (linktype != DLT_MTP2_WITH_PHDR) ) 8516 bpf_error("'hmsu' supported only on MTP2_HSL"); 8517 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 8518 break; 8519 8520 default: 8521 abort(); 8522 } 8523 return b0; 8524 } 8525 8526 struct block * 8527 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8528 int mtp3field; 8529 bpf_u_int32 jvalue; 8530 bpf_u_int32 jtype; 8531 int reverse; 8532 { 8533 struct block *b0; 8534 bpf_u_int32 val1 , val2 , val3; 8535 u_int newoff_sio=off_sio; 8536 u_int newoff_opc=off_opc; 8537 u_int newoff_dpc=off_dpc; 8538 u_int newoff_sls=off_sls; 8539 8540 switch (mtp3field) { 8541 8542 case MH_SIO: 8543 newoff_sio += 3; /* offset for MTP2_HSL */ 8544 /* FALLTHROUGH */ 8545 8546 case M_SIO: 8547 if (off_sio == (u_int)-1) 8548 bpf_error("'sio' supported only on SS7"); 8549 /* sio coded on 1 byte so max value 255 */ 8550 if(jvalue > 255) 8551 bpf_error("sio value %u too big; max value = 255", 8552 jvalue); 8553 b0 = gen_ncmp(OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 8554 (u_int)jtype, reverse, (u_int)jvalue); 8555 break; 8556 8557 case MH_OPC: 8558 newoff_opc+=3; 8559 case M_OPC: 8560 if (off_opc == (u_int)-1) 8561 bpf_error("'opc' supported only on SS7"); 8562 /* opc coded on 14 bits so max value 16383 */ 8563 if (jvalue > 16383) 8564 bpf_error("opc value %u too big; max value = 16383", 8565 jvalue); 8566 /* the following instructions are made to convert jvalue 8567 * to the form used to write opc in an ss7 message*/ 8568 val1 = jvalue & 0x00003c00; 8569 val1 = val1 >>10; 8570 val2 = jvalue & 0x000003fc; 8571 val2 = val2 <<6; 8572 val3 = jvalue & 0x00000003; 8573 val3 = val3 <<22; 8574 jvalue = val1 + val2 + val3; 8575 b0 = gen_ncmp(OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 8576 (u_int)jtype, reverse, (u_int)jvalue); 8577 break; 8578 8579 case MH_DPC: 8580 newoff_dpc += 3; 8581 /* FALLTHROUGH */ 8582 8583 case M_DPC: 8584 if (off_dpc == (u_int)-1) 8585 bpf_error("'dpc' supported only on SS7"); 8586 /* dpc coded on 14 bits so max value 16383 */ 8587 if (jvalue > 16383) 8588 bpf_error("dpc value %u too big; max value = 16383", 8589 jvalue); 8590 /* the following instructions are made to convert jvalue 8591 * to the forme used to write dpc in an ss7 message*/ 8592 val1 = jvalue & 0x000000ff; 8593 val1 = val1 << 24; 8594 val2 = jvalue & 0x00003f00; 8595 val2 = val2 << 8; 8596 jvalue = val1 + val2; 8597 b0 = gen_ncmp(OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 8598 (u_int)jtype, reverse, (u_int)jvalue); 8599 break; 8600 8601 case MH_SLS: 8602 newoff_sls+=3; 8603 case M_SLS: 8604 if (off_sls == (u_int)-1) 8605 bpf_error("'sls' supported only on SS7"); 8606 /* sls coded on 4 bits so max value 15 */ 8607 if (jvalue > 15) 8608 bpf_error("sls value %u too big; max value = 15", 8609 jvalue); 8610 /* the following instruction is made to convert jvalue 8611 * to the forme used to write sls in an ss7 message*/ 8612 jvalue = jvalue << 4; 8613 b0 = gen_ncmp(OR_PACKET, newoff_sls, BPF_B, 0xf0, 8614 (u_int)jtype,reverse, (u_int)jvalue); 8615 break; 8616 8617 default: 8618 abort(); 8619 } 8620 return b0; 8621 } 8622 8623 static struct block * 8624 gen_msg_abbrev(type) 8625 int type; 8626 { 8627 struct block *b1; 8628 8629 /* 8630 * Q.2931 signalling protocol messages for handling virtual circuits 8631 * establishment and teardown 8632 */ 8633 switch (type) { 8634 8635 case A_SETUP: 8636 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8637 break; 8638 8639 case A_CALLPROCEED: 8640 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8641 break; 8642 8643 case A_CONNECT: 8644 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8645 break; 8646 8647 case A_CONNECTACK: 8648 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8649 break; 8650 8651 case A_RELEASE: 8652 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8653 break; 8654 8655 case A_RELEASE_DONE: 8656 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8657 break; 8658 8659 default: 8660 abort(); 8661 } 8662 return b1; 8663 } 8664 8665 struct block * 8666 gen_atmmulti_abbrev(type) 8667 int type; 8668 { 8669 struct block *b0, *b1; 8670 8671 switch (type) { 8672 8673 case A_OAM: 8674 if (!is_atm) 8675 bpf_error("'oam' supported only on raw ATM"); 8676 b1 = gen_atmmulti_abbrev(A_OAMF4); 8677 break; 8678 8679 case A_OAMF4: 8680 if (!is_atm) 8681 bpf_error("'oamf4' supported only on raw ATM"); 8682 /* OAM F4 type */ 8683 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8684 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8685 gen_or(b0, b1); 8686 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8687 gen_and(b0, b1); 8688 break; 8689 8690 case A_CONNECTMSG: 8691 /* 8692 * Get Q.2931 signalling messages for switched 8693 * virtual connection 8694 */ 8695 if (!is_atm) 8696 bpf_error("'connectmsg' supported only on raw ATM"); 8697 b0 = gen_msg_abbrev(A_SETUP); 8698 b1 = gen_msg_abbrev(A_CALLPROCEED); 8699 gen_or(b0, b1); 8700 b0 = gen_msg_abbrev(A_CONNECT); 8701 gen_or(b0, b1); 8702 b0 = gen_msg_abbrev(A_CONNECTACK); 8703 gen_or(b0, b1); 8704 b0 = gen_msg_abbrev(A_RELEASE); 8705 gen_or(b0, b1); 8706 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8707 gen_or(b0, b1); 8708 b0 = gen_atmtype_abbrev(A_SC); 8709 gen_and(b0, b1); 8710 break; 8711 8712 case A_METACONNECT: 8713 if (!is_atm) 8714 bpf_error("'metaconnect' supported only on raw ATM"); 8715 b0 = gen_msg_abbrev(A_SETUP); 8716 b1 = gen_msg_abbrev(A_CALLPROCEED); 8717 gen_or(b0, b1); 8718 b0 = gen_msg_abbrev(A_CONNECT); 8719 gen_or(b0, b1); 8720 b0 = gen_msg_abbrev(A_RELEASE); 8721 gen_or(b0, b1); 8722 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8723 gen_or(b0, b1); 8724 b0 = gen_atmtype_abbrev(A_METAC); 8725 gen_and(b0, b1); 8726 break; 8727 8728 default: 8729 abort(); 8730 } 8731 return b1; 8732 } 8733