1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * $FreeBSD$ 23 */ 24 #ifndef lint 25 static const char rcsid[] _U_ = 26 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.24 2005/06/20 21:52:53 guy Exp $ (LBL)"; 27 #endif 28 29 #ifdef HAVE_CONFIG_H 30 #include "config.h" 31 #endif 32 33 #ifdef WIN32 34 #include <pcap-stdinc.h> 35 #else /* WIN32 */ 36 #include <sys/types.h> 37 #include <sys/socket.h> 38 #endif /* WIN32 */ 39 40 /* 41 * XXX - why was this included even on UNIX? 42 */ 43 #ifdef __MINGW32__ 44 #include "IP6_misc.h" 45 #endif 46 47 #ifndef WIN32 48 49 #ifdef __NetBSD__ 50 #include <sys/param.h> 51 #endif 52 53 #include <netinet/in.h> 54 55 #endif /* WIN32 */ 56 57 #include <stdlib.h> 58 #include <string.h> 59 #include <memory.h> 60 #include <setjmp.h> 61 #include <stdarg.h> 62 63 #ifdef MSDOS 64 #include "pcap-dos.h" 65 #endif 66 67 #include "pcap-int.h" 68 69 #include "ethertype.h" 70 #include "nlpid.h" 71 #include "llc.h" 72 #include "gencode.h" 73 #include "atmuni31.h" 74 #include "sunatmpos.h" 75 #include "ppp.h" 76 #include "sll.h" 77 #include "arcnet.h" 78 #include "pf.h" 79 #ifndef offsetof 80 #define offsetof(s, e) ((size_t)&((s *)0)->e) 81 #endif 82 #ifdef INET6 83 #ifndef WIN32 84 #include <netdb.h> /* for "struct addrinfo" */ 85 #endif /* WIN32 */ 86 #endif /*INET6*/ 87 #include <pcap-namedb.h> 88 89 #undef ETHERMTU 90 #define ETHERMTU 1500 91 92 #ifndef IPPROTO_SCTP 93 #define IPPROTO_SCTP 132 94 #endif 95 96 #ifdef HAVE_OS_PROTO_H 97 #include "os-proto.h" 98 #endif 99 100 #define JMP(c) ((c)|BPF_JMP|BPF_K) 101 102 /* Locals */ 103 static jmp_buf top_ctx; 104 static pcap_t *bpf_pcap; 105 106 /* Hack for updating VLAN, MPLS offsets. */ 107 static u_int orig_linktype = -1U, orig_nl = -1U; 108 109 /* XXX */ 110 #ifdef PCAP_FDDIPAD 111 static int pcap_fddipad; 112 #endif 113 114 /* VARARGS */ 115 void 116 bpf_error(const char *fmt, ...) 117 { 118 va_list ap; 119 120 va_start(ap, fmt); 121 if (bpf_pcap != NULL) 122 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 123 fmt, ap); 124 va_end(ap); 125 longjmp(top_ctx, 1); 126 /* NOTREACHED */ 127 } 128 129 static void init_linktype(pcap_t *); 130 131 static int alloc_reg(void); 132 static void free_reg(int); 133 134 static struct block *root; 135 136 /* 137 * Value passed to gen_load_a() to indicate what the offset argument 138 * is relative to. 139 */ 140 enum e_offrel { 141 OR_PACKET, /* relative to the beginning of the packet */ 142 OR_LINK, /* relative to the link-layer header */ 143 OR_NET, /* relative to the network-layer header */ 144 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 145 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 146 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 147 }; 148 149 /* 150 * We divy out chunks of memory rather than call malloc each time so 151 * we don't have to worry about leaking memory. It's probably 152 * not a big deal if all this memory was wasted but if this ever 153 * goes into a library that would probably not be a good idea. 154 * 155 * XXX - this *is* in a library.... 156 */ 157 #define NCHUNKS 16 158 #define CHUNK0SIZE 1024 159 struct chunk { 160 u_int n_left; 161 void *m; 162 }; 163 164 static struct chunk chunks[NCHUNKS]; 165 static int cur_chunk; 166 167 static void *newchunk(u_int); 168 static void freechunks(void); 169 static inline struct block *new_block(int); 170 static inline struct slist *new_stmt(int); 171 static struct block *gen_retblk(int); 172 static inline void syntax(void); 173 174 static void backpatch(struct block *, struct block *); 175 static void merge(struct block *, struct block *); 176 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 177 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 178 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 179 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 180 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 181 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 182 bpf_u_int32); 183 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 184 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 185 bpf_u_int32, bpf_u_int32, int, bpf_int32); 186 static struct slist *gen_load_llrel(u_int, u_int); 187 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 188 static struct slist *gen_loadx_iphdrlen(void); 189 static struct block *gen_uncond(int); 190 static inline struct block *gen_true(void); 191 static inline struct block *gen_false(void); 192 static struct block *gen_ether_linktype(int); 193 static struct block *gen_linux_sll_linktype(int); 194 static void insert_radiotap_load_llprefixlen(struct block *); 195 static void insert_load_llprefixlen(struct block *); 196 static struct slist *gen_llprefixlen(void); 197 static struct block *gen_linktype(int); 198 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int); 199 static struct block *gen_llc_linktype(int); 200 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 201 #ifdef INET6 202 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 203 #endif 204 static struct block *gen_ahostop(const u_char *, int); 205 static struct block *gen_ehostop(const u_char *, int); 206 static struct block *gen_fhostop(const u_char *, int); 207 static struct block *gen_thostop(const u_char *, int); 208 static struct block *gen_wlanhostop(const u_char *, int); 209 static struct block *gen_ipfchostop(const u_char *, int); 210 static struct block *gen_dnhostop(bpf_u_int32, int); 211 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int); 212 #ifdef INET6 213 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int); 214 #endif 215 #ifndef INET6 216 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 217 #endif 218 static struct block *gen_ipfrag(void); 219 static struct block *gen_portatom(int, bpf_int32); 220 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 221 #ifdef INET6 222 static struct block *gen_portatom6(int, bpf_int32); 223 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 224 #endif 225 struct block *gen_portop(int, int, int); 226 static struct block *gen_port(int, int, int); 227 struct block *gen_portrangeop(int, int, int, int); 228 static struct block *gen_portrange(int, int, int, int); 229 #ifdef INET6 230 struct block *gen_portop6(int, int, int); 231 static struct block *gen_port6(int, int, int); 232 struct block *gen_portrangeop6(int, int, int, int); 233 static struct block *gen_portrange6(int, int, int, int); 234 #endif 235 static int lookup_proto(const char *, int); 236 static struct block *gen_protochain(int, int, int); 237 static struct block *gen_proto(int, int, int); 238 static struct slist *xfer_to_x(struct arth *); 239 static struct slist *xfer_to_a(struct arth *); 240 static struct block *gen_mac_multicast(int); 241 static struct block *gen_len(int, int); 242 243 static struct block *gen_msg_abbrev(int type); 244 245 static void * 246 newchunk(n) 247 u_int n; 248 { 249 struct chunk *cp; 250 int k; 251 size_t size; 252 253 #ifndef __NetBSD__ 254 /* XXX Round up to nearest long. */ 255 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 256 #else 257 /* XXX Round up to structure boundary. */ 258 n = ALIGN(n); 259 #endif 260 261 cp = &chunks[cur_chunk]; 262 if (n > cp->n_left) { 263 ++cp, k = ++cur_chunk; 264 if (k >= NCHUNKS) 265 bpf_error("out of memory"); 266 size = CHUNK0SIZE << k; 267 cp->m = (void *)malloc(size); 268 if (cp->m == NULL) 269 bpf_error("out of memory"); 270 memset((char *)cp->m, 0, size); 271 cp->n_left = size; 272 if (n > size) 273 bpf_error("out of memory"); 274 } 275 cp->n_left -= n; 276 return (void *)((char *)cp->m + cp->n_left); 277 } 278 279 static void 280 freechunks() 281 { 282 int i; 283 284 cur_chunk = 0; 285 for (i = 0; i < NCHUNKS; ++i) 286 if (chunks[i].m != NULL) { 287 free(chunks[i].m); 288 chunks[i].m = NULL; 289 } 290 } 291 292 /* 293 * A strdup whose allocations are freed after code generation is over. 294 */ 295 char * 296 sdup(s) 297 register const char *s; 298 { 299 int n = strlen(s) + 1; 300 char *cp = newchunk(n); 301 302 strlcpy(cp, s, n); 303 return (cp); 304 } 305 306 static inline struct block * 307 new_block(code) 308 int code; 309 { 310 struct block *p; 311 312 p = (struct block *)newchunk(sizeof(*p)); 313 p->s.code = code; 314 p->head = p; 315 316 return p; 317 } 318 319 static inline struct slist * 320 new_stmt(code) 321 int code; 322 { 323 struct slist *p; 324 325 p = (struct slist *)newchunk(sizeof(*p)); 326 p->s.code = code; 327 328 return p; 329 } 330 331 static struct block * 332 gen_retblk(v) 333 int v; 334 { 335 struct block *b = new_block(BPF_RET|BPF_K); 336 337 b->s.k = v; 338 return b; 339 } 340 341 static inline void 342 syntax() 343 { 344 bpf_error("syntax error in filter expression"); 345 } 346 347 static bpf_u_int32 netmask; 348 static int snaplen; 349 int no_optimize; 350 351 int 352 pcap_compile(pcap_t *p, struct bpf_program *program, 353 char *buf, int optimize, bpf_u_int32 mask) 354 { 355 extern int n_errors; 356 int len; 357 358 no_optimize = 0; 359 n_errors = 0; 360 root = NULL; 361 bpf_pcap = p; 362 if (setjmp(top_ctx)) { 363 lex_cleanup(); 364 freechunks(); 365 return (-1); 366 } 367 368 netmask = mask; 369 370 snaplen = pcap_snapshot(p); 371 if (snaplen == 0) { 372 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 373 "snaplen of 0 rejects all packets"); 374 return -1; 375 } 376 377 lex_init(buf ? buf : ""); 378 init_linktype(p); 379 (void)pcap_parse(); 380 381 if (n_errors) 382 syntax(); 383 384 if (root == NULL) 385 root = gen_retblk(snaplen); 386 387 if (optimize && !no_optimize) { 388 bpf_optimize(&root); 389 if (root == NULL || 390 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 391 bpf_error("expression rejects all packets"); 392 } 393 program->bf_insns = icode_to_fcode(root, &len); 394 program->bf_len = len; 395 396 lex_cleanup(); 397 freechunks(); 398 return (0); 399 } 400 401 /* 402 * entry point for using the compiler with no pcap open 403 * pass in all the stuff that is needed explicitly instead. 404 */ 405 int 406 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 407 struct bpf_program *program, 408 char *buf, int optimize, bpf_u_int32 mask) 409 { 410 pcap_t *p; 411 int ret; 412 413 p = pcap_open_dead(linktype_arg, snaplen_arg); 414 if (p == NULL) 415 return (-1); 416 ret = pcap_compile(p, program, buf, optimize, mask); 417 pcap_close(p); 418 return (ret); 419 } 420 421 /* 422 * Clean up a "struct bpf_program" by freeing all the memory allocated 423 * in it. 424 */ 425 void 426 pcap_freecode(struct bpf_program *program) 427 { 428 program->bf_len = 0; 429 if (program->bf_insns != NULL) { 430 free((char *)program->bf_insns); 431 program->bf_insns = NULL; 432 } 433 } 434 435 /* 436 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 437 * which of the jt and jf fields has been resolved and which is a pointer 438 * back to another unresolved block (or nil). At least one of the fields 439 * in each block is already resolved. 440 */ 441 static void 442 backpatch(list, target) 443 struct block *list, *target; 444 { 445 struct block *next; 446 447 while (list) { 448 if (!list->sense) { 449 next = JT(list); 450 JT(list) = target; 451 } else { 452 next = JF(list); 453 JF(list) = target; 454 } 455 list = next; 456 } 457 } 458 459 /* 460 * Merge the lists in b0 and b1, using the 'sense' field to indicate 461 * which of jt and jf is the link. 462 */ 463 static void 464 merge(b0, b1) 465 struct block *b0, *b1; 466 { 467 register struct block **p = &b0; 468 469 /* Find end of list. */ 470 while (*p) 471 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 472 473 /* Concatenate the lists. */ 474 *p = b1; 475 } 476 477 void 478 finish_parse(p) 479 struct block *p; 480 { 481 backpatch(p, gen_retblk(snaplen)); 482 p->sense = !p->sense; 483 backpatch(p, gen_retblk(0)); 484 root = p->head; 485 486 /* 487 * Insert before the statements of the first (root) block any 488 * statements needed to load the lengths of any variable-length 489 * headers into registers. 490 * 491 * XXX - a fancier strategy would be to insert those before the 492 * statements of all blocks that use those lengths and that 493 * have no predecessors that use them, so that we only compute 494 * the lengths if we need them. There might be even better 495 * approaches than that. However, as we're currently only 496 * handling variable-length radiotap headers, and as all 497 * filtering expressions other than raw link[M:N] tests 498 * require the length of that header, doing more for that 499 * header length isn't really worth the effort. 500 */ 501 insert_load_llprefixlen(root); 502 } 503 504 void 505 gen_and(b0, b1) 506 struct block *b0, *b1; 507 { 508 backpatch(b0, b1->head); 509 b0->sense = !b0->sense; 510 b1->sense = !b1->sense; 511 merge(b1, b0); 512 b1->sense = !b1->sense; 513 b1->head = b0->head; 514 } 515 516 void 517 gen_or(b0, b1) 518 struct block *b0, *b1; 519 { 520 b0->sense = !b0->sense; 521 backpatch(b0, b1->head); 522 b0->sense = !b0->sense; 523 merge(b1, b0); 524 b1->head = b0->head; 525 } 526 527 void 528 gen_not(b) 529 struct block *b; 530 { 531 b->sense = !b->sense; 532 } 533 534 static struct block * 535 gen_cmp(offrel, offset, size, v) 536 enum e_offrel offrel; 537 u_int offset, size; 538 bpf_int32 v; 539 { 540 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 541 } 542 543 static struct block * 544 gen_cmp_gt(offrel, offset, size, v) 545 enum e_offrel offrel; 546 u_int offset, size; 547 bpf_int32 v; 548 { 549 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 550 } 551 552 static struct block * 553 gen_cmp_ge(offrel, offset, size, v) 554 enum e_offrel offrel; 555 u_int offset, size; 556 bpf_int32 v; 557 { 558 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 559 } 560 561 static struct block * 562 gen_cmp_lt(offrel, offset, size, v) 563 enum e_offrel offrel; 564 u_int offset, size; 565 bpf_int32 v; 566 { 567 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 568 } 569 570 static struct block * 571 gen_cmp_le(offrel, offset, size, v) 572 enum e_offrel offrel; 573 u_int offset, size; 574 bpf_int32 v; 575 { 576 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 577 } 578 579 static struct block * 580 gen_mcmp(offrel, offset, size, v, mask) 581 enum e_offrel offrel; 582 u_int offset, size; 583 bpf_int32 v; 584 bpf_u_int32 mask; 585 { 586 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 587 } 588 589 static struct block * 590 gen_bcmp(offrel, offset, size, v) 591 enum e_offrel offrel; 592 register u_int offset, size; 593 register const u_char *v; 594 { 595 register struct block *b, *tmp; 596 597 b = NULL; 598 while (size >= 4) { 599 register const u_char *p = &v[size - 4]; 600 bpf_int32 w = ((bpf_int32)p[0] << 24) | 601 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 602 603 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 604 if (b != NULL) 605 gen_and(b, tmp); 606 b = tmp; 607 size -= 4; 608 } 609 while (size >= 2) { 610 register const u_char *p = &v[size - 2]; 611 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 612 613 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 614 if (b != NULL) 615 gen_and(b, tmp); 616 b = tmp; 617 size -= 2; 618 } 619 if (size > 0) { 620 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 621 if (b != NULL) 622 gen_and(b, tmp); 623 b = tmp; 624 } 625 return b; 626 } 627 628 /* 629 * AND the field of size "size" at offset "offset" relative to the header 630 * specified by "offrel" with "mask", and compare it with the value "v" 631 * with the test specified by "jtype"; if "reverse" is true, the test 632 * should test the opposite of "jtype". 633 */ 634 static struct block * 635 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 636 enum e_offrel offrel; 637 bpf_int32 v; 638 bpf_u_int32 offset, size, mask, jtype; 639 int reverse; 640 { 641 struct slist *s, *s2; 642 struct block *b; 643 644 s = gen_load_a(offrel, offset, size); 645 646 if (mask != 0xffffffff) { 647 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 648 s2->s.k = mask; 649 sappend(s, s2); 650 } 651 652 b = new_block(JMP(jtype)); 653 b->stmts = s; 654 b->s.k = v; 655 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 656 gen_not(b); 657 return b; 658 } 659 660 /* 661 * Various code constructs need to know the layout of the data link 662 * layer. These variables give the necessary offsets from the beginning 663 * of the packet data. 664 * 665 * If the link layer has variable_length headers, the offsets are offsets 666 * from the end of the link-link-layer header, and "reg_ll_size" is 667 * the register number for a register containing the length of the 668 * link-layer header. Otherwise, "reg_ll_size" is -1. 669 */ 670 static int reg_ll_size; 671 672 /* 673 * This is the offset of the beginning of the link-layer header. 674 * It's usually 0, except for 802.11 with a fixed-length radio header. 675 */ 676 static u_int off_ll; 677 678 /* 679 * This is the offset of the beginning of the MAC-layer header. 680 * It's usually 0, except for ATM LANE. 681 */ 682 static u_int off_mac; 683 684 /* 685 * "off_linktype" is the offset to information in the link-layer header 686 * giving the packet type. 687 * 688 * For Ethernet, it's the offset of the Ethernet type field. 689 * 690 * For link-layer types that always use 802.2 headers, it's the 691 * offset of the LLC header. 692 * 693 * For PPP, it's the offset of the PPP type field. 694 * 695 * For Cisco HDLC, it's the offset of the CHDLC type field. 696 * 697 * For BSD loopback, it's the offset of the AF_ value. 698 * 699 * For Linux cooked sockets, it's the offset of the type field. 700 * 701 * It's set to -1 for no encapsulation, in which case, IP is assumed. 702 */ 703 static u_int off_linktype; 704 705 /* 706 * TRUE if the link layer includes an ATM pseudo-header. 707 */ 708 static int is_atm = 0; 709 710 /* 711 * TRUE if "lane" appeared in the filter; it causes us to generate 712 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 713 */ 714 static int is_lane = 0; 715 716 /* 717 * These are offsets for the ATM pseudo-header. 718 */ 719 static u_int off_vpi; 720 static u_int off_vci; 721 static u_int off_proto; 722 723 /* 724 * These are offsets for the MTP3 fields. 725 */ 726 static u_int off_sio; 727 static u_int off_opc; 728 static u_int off_dpc; 729 static u_int off_sls; 730 731 /* 732 * This is the offset of the first byte after the ATM pseudo_header, 733 * or -1 if there is no ATM pseudo-header. 734 */ 735 static u_int off_payload; 736 737 /* 738 * These are offsets to the beginning of the network-layer header. 739 * 740 * If the link layer never uses 802.2 LLC: 741 * 742 * "off_nl" and "off_nl_nosnap" are the same. 743 * 744 * If the link layer always uses 802.2 LLC: 745 * 746 * "off_nl" is the offset if there's a SNAP header following 747 * the 802.2 header; 748 * 749 * "off_nl_nosnap" is the offset if there's no SNAP header. 750 * 751 * If the link layer is Ethernet: 752 * 753 * "off_nl" is the offset if the packet is an Ethernet II packet 754 * (we assume no 802.3+802.2+SNAP); 755 * 756 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 757 * with an 802.2 header following it. 758 */ 759 static u_int off_nl; 760 static u_int off_nl_nosnap; 761 762 static int linktype; 763 764 static void 765 init_linktype(p) 766 pcap_t *p; 767 { 768 linktype = pcap_datalink(p); 769 #ifdef PCAP_FDDIPAD 770 pcap_fddipad = p->fddipad; 771 #endif 772 773 /* 774 * Assume it's not raw ATM with a pseudo-header, for now. 775 */ 776 off_mac = 0; 777 is_atm = 0; 778 is_lane = 0; 779 off_vpi = -1; 780 off_vci = -1; 781 off_proto = -1; 782 off_payload = -1; 783 784 off_sio = -1; 785 off_opc = -1; 786 off_dpc = -1; 787 off_sls = -1; 788 789 /* 790 * Also assume it's not 802.11 with a fixed-length radio header. 791 */ 792 off_ll = 0; 793 794 orig_linktype = -1; 795 orig_nl = -1; 796 797 reg_ll_size = -1; 798 799 switch (linktype) { 800 801 case DLT_ARCNET: 802 off_linktype = 2; 803 off_nl = 6; /* XXX in reality, variable! */ 804 off_nl_nosnap = 6; /* no 802.2 LLC */ 805 return; 806 807 case DLT_ARCNET_LINUX: 808 off_linktype = 4; 809 off_nl = 8; /* XXX in reality, variable! */ 810 off_nl_nosnap = 8; /* no 802.2 LLC */ 811 return; 812 813 case DLT_EN10MB: 814 off_linktype = 12; 815 off_nl = 14; /* Ethernet II */ 816 off_nl_nosnap = 17; /* 802.3+802.2 */ 817 return; 818 819 case DLT_SLIP: 820 /* 821 * SLIP doesn't have a link level type. The 16 byte 822 * header is hacked into our SLIP driver. 823 */ 824 off_linktype = -1; 825 off_nl = 16; 826 off_nl_nosnap = 16; /* no 802.2 LLC */ 827 return; 828 829 case DLT_SLIP_BSDOS: 830 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 831 off_linktype = -1; 832 /* XXX end */ 833 off_nl = 24; 834 off_nl_nosnap = 24; /* no 802.2 LLC */ 835 return; 836 837 case DLT_NULL: 838 case DLT_LOOP: 839 off_linktype = 0; 840 off_nl = 4; 841 off_nl_nosnap = 4; /* no 802.2 LLC */ 842 return; 843 844 case DLT_ENC: 845 off_linktype = 0; 846 off_nl = 12; 847 off_nl_nosnap = 12; /* no 802.2 LLC */ 848 return; 849 850 case DLT_PPP: 851 case DLT_PPP_PPPD: 852 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 853 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 854 off_linktype = 2; 855 off_nl = 4; 856 off_nl_nosnap = 4; /* no 802.2 LLC */ 857 return; 858 859 case DLT_PPP_ETHER: 860 /* 861 * This does no include the Ethernet header, and 862 * only covers session state. 863 */ 864 off_linktype = 6; 865 off_nl = 8; 866 off_nl_nosnap = 8; /* no 802.2 LLC */ 867 return; 868 869 case DLT_PPP_BSDOS: 870 off_linktype = 5; 871 off_nl = 24; 872 off_nl_nosnap = 24; /* no 802.2 LLC */ 873 return; 874 875 case DLT_FDDI: 876 /* 877 * FDDI doesn't really have a link-level type field. 878 * We set "off_linktype" to the offset of the LLC header. 879 * 880 * To check for Ethernet types, we assume that SSAP = SNAP 881 * is being used and pick out the encapsulated Ethernet type. 882 * XXX - should we generate code to check for SNAP? 883 */ 884 off_linktype = 13; 885 #ifdef PCAP_FDDIPAD 886 off_linktype += pcap_fddipad; 887 #endif 888 off_nl = 21; /* FDDI+802.2+SNAP */ 889 off_nl_nosnap = 16; /* FDDI+802.2 */ 890 #ifdef PCAP_FDDIPAD 891 off_nl += pcap_fddipad; 892 off_nl_nosnap += pcap_fddipad; 893 #endif 894 return; 895 896 case DLT_IEEE802: 897 /* 898 * Token Ring doesn't really have a link-level type field. 899 * We set "off_linktype" to the offset of the LLC header. 900 * 901 * To check for Ethernet types, we assume that SSAP = SNAP 902 * is being used and pick out the encapsulated Ethernet type. 903 * XXX - should we generate code to check for SNAP? 904 * 905 * XXX - the header is actually variable-length. 906 * Some various Linux patched versions gave 38 907 * as "off_linktype" and 40 as "off_nl"; however, 908 * if a token ring packet has *no* routing 909 * information, i.e. is not source-routed, the correct 910 * values are 20 and 22, as they are in the vanilla code. 911 * 912 * A packet is source-routed iff the uppermost bit 913 * of the first byte of the source address, at an 914 * offset of 8, has the uppermost bit set. If the 915 * packet is source-routed, the total number of bytes 916 * of routing information is 2 plus bits 0x1F00 of 917 * the 16-bit value at an offset of 14 (shifted right 918 * 8 - figure out which byte that is). 919 */ 920 off_linktype = 14; 921 off_nl = 22; /* Token Ring+802.2+SNAP */ 922 off_nl_nosnap = 17; /* Token Ring+802.2 */ 923 return; 924 925 case DLT_IEEE802_11: 926 /* 927 * 802.11 doesn't really have a link-level type field. 928 * We set "off_linktype" to the offset of the LLC header. 929 * 930 * To check for Ethernet types, we assume that SSAP = SNAP 931 * is being used and pick out the encapsulated Ethernet type. 932 * XXX - should we generate code to check for SNAP? 933 * 934 * XXX - the header is actually variable-length. We 935 * assume a 24-byte link-layer header, as appears in 936 * data frames in networks with no bridges. If the 937 * fromds and tods 802.11 header bits are both set, 938 * it's actually supposed to be 30 bytes. 939 */ 940 off_linktype = 24; 941 off_nl = 32; /* 802.11+802.2+SNAP */ 942 off_nl_nosnap = 27; /* 802.11+802.2 */ 943 return; 944 945 case DLT_PRISM_HEADER: 946 /* 947 * Same as 802.11, but with an additional header before 948 * the 802.11 header, containing a bunch of additional 949 * information including radio-level information. 950 * 951 * The header is 144 bytes long. 952 * 953 * XXX - same variable-length header problem; at least 954 * the Prism header is fixed-length. 955 */ 956 off_ll = 144; 957 off_linktype = 144+24; 958 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */ 959 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */ 960 return; 961 962 case DLT_IEEE802_11_RADIO_AVS: 963 /* 964 * Same as 802.11, but with an additional header before 965 * the 802.11 header, containing a bunch of additional 966 * information including radio-level information. 967 * 968 * The header is 64 bytes long, at least in its 969 * current incarnation. 970 * 971 * XXX - same variable-length header problem, only 972 * more so; this header is also variable-length, 973 * with the length being the 32-bit big-endian 974 * number at an offset of 4 from the beginning 975 * of the radio header. 976 */ 977 off_ll = 64; 978 off_linktype = 64+24; 979 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */ 980 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */ 981 return; 982 983 case DLT_IEEE802_11_RADIO: 984 /* 985 * Same as 802.11, but with an additional header before 986 * the 802.11 header, containing a bunch of additional 987 * information including radio-level information. 988 * 989 * The radiotap header is variable length, and we 990 * generate code to compute its length and store it 991 * in a register. These offsets are relative to the 992 * beginning of the 802.11 header. 993 */ 994 off_linktype = 24; 995 off_nl = 32; /* 802.11+802.2+SNAP */ 996 off_nl_nosnap = 27; /* 802.11+802.2 */ 997 return; 998 999 case DLT_ATM_RFC1483: 1000 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1001 /* 1002 * assume routed, non-ISO PDUs 1003 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1004 * 1005 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1006 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1007 * latter would presumably be treated the way PPPoE 1008 * should be, so you can do "pppoe and udp port 2049" 1009 * or "pppoa and tcp port 80" and have it check for 1010 * PPPo{A,E} and a PPP protocol of IP and.... 1011 */ 1012 off_linktype = 0; 1013 off_nl = 8; /* 802.2+SNAP */ 1014 off_nl_nosnap = 3; /* 802.2 */ 1015 return; 1016 1017 case DLT_SUNATM: 1018 /* 1019 * Full Frontal ATM; you get AALn PDUs with an ATM 1020 * pseudo-header. 1021 */ 1022 is_atm = 1; 1023 off_vpi = SUNATM_VPI_POS; 1024 off_vci = SUNATM_VCI_POS; 1025 off_proto = PROTO_POS; 1026 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */ 1027 off_payload = SUNATM_PKT_BEGIN_POS; 1028 off_linktype = off_payload; 1029 off_nl = off_payload+8; /* 802.2+SNAP */ 1030 off_nl_nosnap = off_payload+3; /* 802.2 */ 1031 return; 1032 1033 case DLT_RAW: 1034 off_linktype = -1; 1035 off_nl = 0; 1036 off_nl_nosnap = 0; /* no 802.2 LLC */ 1037 return; 1038 1039 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1040 off_linktype = 14; 1041 off_nl = 16; 1042 off_nl_nosnap = 16; /* no 802.2 LLC */ 1043 return; 1044 1045 case DLT_LTALK: 1046 /* 1047 * LocalTalk does have a 1-byte type field in the LLAP header, 1048 * but really it just indicates whether there is a "short" or 1049 * "long" DDP packet following. 1050 */ 1051 off_linktype = -1; 1052 off_nl = 0; 1053 off_nl_nosnap = 0; /* no 802.2 LLC */ 1054 return; 1055 1056 case DLT_IP_OVER_FC: 1057 /* 1058 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1059 * link-level type field. We set "off_linktype" to the 1060 * offset of the LLC header. 1061 * 1062 * To check for Ethernet types, we assume that SSAP = SNAP 1063 * is being used and pick out the encapsulated Ethernet type. 1064 * XXX - should we generate code to check for SNAP? RFC 1065 * 2625 says SNAP should be used. 1066 */ 1067 off_linktype = 16; 1068 off_nl = 24; /* IPFC+802.2+SNAP */ 1069 off_nl_nosnap = 19; /* IPFC+802.2 */ 1070 return; 1071 1072 case DLT_FRELAY: 1073 /* 1074 * XXX - we should set this to handle SNAP-encapsulated 1075 * frames (NLPID of 0x80). 1076 */ 1077 off_linktype = -1; 1078 off_nl = 0; 1079 off_nl_nosnap = 0; /* no 802.2 LLC */ 1080 return; 1081 1082 case DLT_APPLE_IP_OVER_IEEE1394: 1083 off_linktype = 16; 1084 off_nl = 18; 1085 off_nl_nosnap = 18; /* no 802.2 LLC */ 1086 return; 1087 1088 case DLT_LINUX_IRDA: 1089 /* 1090 * Currently, only raw "link[N:M]" filtering is supported. 1091 */ 1092 off_linktype = -1; 1093 off_nl = -1; 1094 off_nl_nosnap = -1; 1095 return; 1096 1097 case DLT_DOCSIS: 1098 /* 1099 * Currently, only raw "link[N:M]" filtering is supported. 1100 */ 1101 off_linktype = -1; 1102 off_nl = -1; 1103 off_nl_nosnap = -1; 1104 return; 1105 1106 case DLT_SYMANTEC_FIREWALL: 1107 off_linktype = 6; 1108 off_nl = 44; /* Ethernet II */ 1109 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */ 1110 return; 1111 1112 case DLT_PFLOG: 1113 off_linktype = 0; 1114 /* XXX read this from pf.h? */ 1115 off_nl = PFLOG_HDRLEN; 1116 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */ 1117 return; 1118 1119 case DLT_JUNIPER_MLFR: 1120 case DLT_JUNIPER_MLPPP: 1121 off_linktype = 4; 1122 off_nl = 4; 1123 off_nl_nosnap = -1; /* no 802.2 LLC */ 1124 return; 1125 1126 case DLT_JUNIPER_ATM1: 1127 off_linktype = 4; /* in reality variable between 4-8 */ 1128 off_nl = 4; 1129 off_nl_nosnap = 14; 1130 return; 1131 1132 case DLT_JUNIPER_ATM2: 1133 off_linktype = 8; /* in reality variable between 8-12 */ 1134 off_nl = 8; 1135 off_nl_nosnap = 18; 1136 return; 1137 1138 /* frames captured on a Juniper PPPoE service PIC 1139 * contain raw ethernet frames */ 1140 case DLT_JUNIPER_PPPOE: 1141 off_linktype = 16; 1142 off_nl = 18; /* Ethernet II */ 1143 off_nl_nosnap = 21; /* 802.3+802.2 */ 1144 return; 1145 1146 case DLT_JUNIPER_PPPOE_ATM: 1147 off_linktype = 4; 1148 off_nl = 6; 1149 off_nl_nosnap = -1; /* no 802.2 LLC */ 1150 return; 1151 1152 case DLT_JUNIPER_GGSN: 1153 off_linktype = 6; 1154 off_nl = 12; 1155 off_nl_nosnap = -1; /* no 802.2 LLC */ 1156 return; 1157 1158 case DLT_JUNIPER_ES: 1159 off_linktype = 6; 1160 off_nl = -1; /* not really a network layer but raw IP adresses */ 1161 off_nl_nosnap = -1; /* no 802.2 LLC */ 1162 return; 1163 1164 case DLT_JUNIPER_MONITOR: 1165 off_linktype = 12; 1166 off_nl = 12; /* raw IP/IP6 header */ 1167 off_nl_nosnap = -1; /* no 802.2 LLC */ 1168 return; 1169 1170 case DLT_JUNIPER_SERVICES: 1171 off_linktype = 12; 1172 off_nl = -1; /* L3 proto location dep. on cookie type */ 1173 off_nl_nosnap = -1; /* no 802.2 LLC */ 1174 return; 1175 1176 case DLT_MTP2: 1177 off_sio = 3; 1178 off_opc = 4; 1179 off_dpc = 4; 1180 off_sls = 7; 1181 off_linktype = -1; 1182 off_nl = -1; 1183 off_nl_nosnap = -1; 1184 return; 1185 1186 #ifdef DLT_PFSYNC 1187 case DLT_PFSYNC: 1188 off_linktype = -1; 1189 off_nl = 4; 1190 off_nl_nosnap = 4; 1191 return; 1192 #endif 1193 1194 case DLT_LINUX_LAPD: 1195 /* 1196 * Currently, only raw "link[N:M]" filtering is supported. 1197 */ 1198 off_linktype = -1; 1199 off_nl = -1; 1200 off_nl_nosnap = -1; 1201 return; 1202 } 1203 bpf_error("unknown data link type %d", linktype); 1204 /* NOTREACHED */ 1205 } 1206 1207 /* 1208 * Load a value relative to the beginning of the link-layer header. 1209 * The link-layer header doesn't necessarily begin at the beginning 1210 * of the packet data; there might be a variable-length prefix containing 1211 * radio information. 1212 */ 1213 static struct slist * 1214 gen_load_llrel(offset, size) 1215 u_int offset, size; 1216 { 1217 struct slist *s, *s2; 1218 1219 s = gen_llprefixlen(); 1220 1221 /* 1222 * If "s" is non-null, it has code to arrange that the X register 1223 * contains the length of the prefix preceding the link-layer 1224 * header. 1225 */ 1226 if (s != NULL) { 1227 s2 = new_stmt(BPF_LD|BPF_IND|size); 1228 s2->s.k = offset; 1229 sappend(s, s2); 1230 } else { 1231 s = new_stmt(BPF_LD|BPF_ABS|size); 1232 s->s.k = offset; 1233 } 1234 return s; 1235 } 1236 1237 /* 1238 * Load a value relative to the beginning of the specified header. 1239 */ 1240 static struct slist * 1241 gen_load_a(offrel, offset, size) 1242 enum e_offrel offrel; 1243 u_int offset, size; 1244 { 1245 struct slist *s, *s2; 1246 1247 switch (offrel) { 1248 1249 case OR_PACKET: 1250 s = gen_load_llrel(offset, size); 1251 break; 1252 1253 case OR_LINK: 1254 s = gen_load_llrel(off_ll + offset, size); 1255 break; 1256 1257 case OR_NET: 1258 s = gen_load_llrel(off_nl + offset, size); 1259 break; 1260 1261 case OR_NET_NOSNAP: 1262 s = gen_load_llrel(off_nl_nosnap + offset, size); 1263 break; 1264 1265 case OR_TRAN_IPV4: 1266 /* 1267 * Load the X register with the length of the IPv4 header, 1268 * in bytes. 1269 */ 1270 s = gen_loadx_iphdrlen(); 1271 1272 /* 1273 * Load the item at {length of the link-layer header} + 1274 * {length of the IPv4 header} + {specified offset}. 1275 */ 1276 s2 = new_stmt(BPF_LD|BPF_IND|size); 1277 s2->s.k = off_nl + offset; 1278 sappend(s, s2); 1279 break; 1280 1281 case OR_TRAN_IPV6: 1282 s = gen_load_llrel(off_nl + 40 + offset, size); 1283 break; 1284 1285 default: 1286 abort(); 1287 return NULL; 1288 } 1289 return s; 1290 } 1291 1292 /* 1293 * Generate code to load into the X register the sum of the length of 1294 * the IPv4 header and any variable-length header preceding the link-layer 1295 * header. 1296 */ 1297 static struct slist * 1298 gen_loadx_iphdrlen() 1299 { 1300 struct slist *s, *s2; 1301 1302 s = gen_llprefixlen(); 1303 if (s != NULL) { 1304 /* 1305 * There's a variable-length prefix preceding the 1306 * link-layer header. "s" points to a list of statements 1307 * that put the length of that prefix into the X register. 1308 * The 4*([k]&0xf) addressing mode can't be used, as we 1309 * don't have a constant offset, so we have to load the 1310 * value in question into the A register and add to it 1311 * the value from the X register. 1312 */ 1313 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1314 s2->s.k = off_nl; 1315 sappend(s, s2); 1316 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1317 s2->s.k = 0xf; 1318 sappend(s, s2); 1319 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1320 s2->s.k = 2; 1321 sappend(s, s2); 1322 1323 /* 1324 * The A register now contains the length of the 1325 * IP header. We need to add to it the length 1326 * of the prefix preceding the link-layer 1327 * header, which is still in the X register, and 1328 * move the result into the X register. 1329 */ 1330 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1331 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1332 } else { 1333 /* 1334 * There is no variable-length header preceding the 1335 * link-layer header; if there's a fixed-length 1336 * header preceding it, its length is included in 1337 * the off_ variables, so it doesn't need to be added. 1338 */ 1339 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1340 s->s.k = off_nl; 1341 } 1342 return s; 1343 } 1344 1345 static struct block * 1346 gen_uncond(rsense) 1347 int rsense; 1348 { 1349 struct block *b; 1350 struct slist *s; 1351 1352 s = new_stmt(BPF_LD|BPF_IMM); 1353 s->s.k = !rsense; 1354 b = new_block(JMP(BPF_JEQ)); 1355 b->stmts = s; 1356 1357 return b; 1358 } 1359 1360 static inline struct block * 1361 gen_true() 1362 { 1363 return gen_uncond(1); 1364 } 1365 1366 static inline struct block * 1367 gen_false() 1368 { 1369 return gen_uncond(0); 1370 } 1371 1372 /* 1373 * Byte-swap a 32-bit number. 1374 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1375 * big-endian platforms.) 1376 */ 1377 #define SWAPLONG(y) \ 1378 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1379 1380 /* 1381 * Generate code to match a particular packet type. 1382 * 1383 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1384 * value, if <= ETHERMTU. We use that to determine whether to 1385 * match the type/length field or to check the type/length field for 1386 * a value <= ETHERMTU to see whether it's a type field and then do 1387 * the appropriate test. 1388 */ 1389 static struct block * 1390 gen_ether_linktype(proto) 1391 register int proto; 1392 { 1393 struct block *b0, *b1; 1394 1395 switch (proto) { 1396 1397 case LLCSAP_ISONS: 1398 case LLCSAP_IP: 1399 case LLCSAP_NETBEUI: 1400 /* 1401 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1402 * so we check the DSAP and SSAP. 1403 * 1404 * LLCSAP_IP checks for IP-over-802.2, rather 1405 * than IP-over-Ethernet or IP-over-SNAP. 1406 * 1407 * XXX - should we check both the DSAP and the 1408 * SSAP, like this, or should we check just the 1409 * DSAP, as we do for other types <= ETHERMTU 1410 * (i.e., other SAP values)? 1411 */ 1412 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1413 gen_not(b0); 1414 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32) 1415 ((proto << 8) | proto)); 1416 gen_and(b0, b1); 1417 return b1; 1418 1419 case LLCSAP_IPX: 1420 /* 1421 * Check for; 1422 * 1423 * Ethernet_II frames, which are Ethernet 1424 * frames with a frame type of ETHERTYPE_IPX; 1425 * 1426 * Ethernet_802.3 frames, which are 802.3 1427 * frames (i.e., the type/length field is 1428 * a length field, <= ETHERMTU, rather than 1429 * a type field) with the first two bytes 1430 * after the Ethernet/802.3 header being 1431 * 0xFFFF; 1432 * 1433 * Ethernet_802.2 frames, which are 802.3 1434 * frames with an 802.2 LLC header and 1435 * with the IPX LSAP as the DSAP in the LLC 1436 * header; 1437 * 1438 * Ethernet_SNAP frames, which are 802.3 1439 * frames with an LLC header and a SNAP 1440 * header and with an OUI of 0x000000 1441 * (encapsulated Ethernet) and a protocol 1442 * ID of ETHERTYPE_IPX in the SNAP header. 1443 * 1444 * XXX - should we generate the same code both 1445 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1446 */ 1447 1448 /* 1449 * This generates code to check both for the 1450 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1451 */ 1452 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1453 (bpf_int32)LLCSAP_IPX); 1454 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, 1455 (bpf_int32)0xFFFF); 1456 gen_or(b0, b1); 1457 1458 /* 1459 * Now we add code to check for SNAP frames with 1460 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1461 */ 1462 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14); 1463 gen_or(b0, b1); 1464 1465 /* 1466 * Now we generate code to check for 802.3 1467 * frames in general. 1468 */ 1469 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1470 gen_not(b0); 1471 1472 /* 1473 * Now add the check for 802.3 frames before the 1474 * check for Ethernet_802.2 and Ethernet_802.3, 1475 * as those checks should only be done on 802.3 1476 * frames, not on Ethernet frames. 1477 */ 1478 gen_and(b0, b1); 1479 1480 /* 1481 * Now add the check for Ethernet_II frames, and 1482 * do that before checking for the other frame 1483 * types. 1484 */ 1485 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1486 (bpf_int32)ETHERTYPE_IPX); 1487 gen_or(b0, b1); 1488 return b1; 1489 1490 case ETHERTYPE_ATALK: 1491 case ETHERTYPE_AARP: 1492 /* 1493 * EtherTalk (AppleTalk protocols on Ethernet link 1494 * layer) may use 802.2 encapsulation. 1495 */ 1496 1497 /* 1498 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1499 * we check for an Ethernet type field less than 1500 * 1500, which means it's an 802.3 length field. 1501 */ 1502 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1503 gen_not(b0); 1504 1505 /* 1506 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1507 * SNAP packets with an organization code of 1508 * 0x080007 (Apple, for Appletalk) and a protocol 1509 * type of ETHERTYPE_ATALK (Appletalk). 1510 * 1511 * 802.2-encapsulated ETHERTYPE_AARP packets are 1512 * SNAP packets with an organization code of 1513 * 0x000000 (encapsulated Ethernet) and a protocol 1514 * type of ETHERTYPE_AARP (Appletalk ARP). 1515 */ 1516 if (proto == ETHERTYPE_ATALK) 1517 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14); 1518 else /* proto == ETHERTYPE_AARP */ 1519 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14); 1520 gen_and(b0, b1); 1521 1522 /* 1523 * Check for Ethernet encapsulation (Ethertalk 1524 * phase 1?); we just check for the Ethernet 1525 * protocol type. 1526 */ 1527 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1528 1529 gen_or(b0, b1); 1530 return b1; 1531 1532 default: 1533 if (proto <= ETHERMTU) { 1534 /* 1535 * This is an LLC SAP value, so the frames 1536 * that match would be 802.2 frames. 1537 * Check that the frame is an 802.2 frame 1538 * (i.e., that the length/type field is 1539 * a length field, <= ETHERMTU) and 1540 * then check the DSAP. 1541 */ 1542 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1543 gen_not(b0); 1544 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1545 (bpf_int32)proto); 1546 gen_and(b0, b1); 1547 return b1; 1548 } else { 1549 /* 1550 * This is an Ethernet type, so compare 1551 * the length/type field with it (if 1552 * the frame is an 802.2 frame, the length 1553 * field will be <= ETHERMTU, and, as 1554 * "proto" is > ETHERMTU, this test 1555 * will fail and the frame won't match, 1556 * which is what we want). 1557 */ 1558 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1559 (bpf_int32)proto); 1560 } 1561 } 1562 } 1563 1564 /* 1565 * Generate code to match a particular packet type. 1566 * 1567 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1568 * value, if <= ETHERMTU. We use that to determine whether to 1569 * match the type field or to check the type field for the special 1570 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1571 */ 1572 static struct block * 1573 gen_linux_sll_linktype(proto) 1574 register int proto; 1575 { 1576 struct block *b0, *b1; 1577 1578 switch (proto) { 1579 1580 case LLCSAP_ISONS: 1581 case LLCSAP_IP: 1582 case LLCSAP_NETBEUI: 1583 /* 1584 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1585 * so we check the DSAP and SSAP. 1586 * 1587 * LLCSAP_IP checks for IP-over-802.2, rather 1588 * than IP-over-Ethernet or IP-over-SNAP. 1589 * 1590 * XXX - should we check both the DSAP and the 1591 * SSAP, like this, or should we check just the 1592 * DSAP, as we do for other types <= ETHERMTU 1593 * (i.e., other SAP values)? 1594 */ 1595 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1596 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32) 1597 ((proto << 8) | proto)); 1598 gen_and(b0, b1); 1599 return b1; 1600 1601 case LLCSAP_IPX: 1602 /* 1603 * Ethernet_II frames, which are Ethernet 1604 * frames with a frame type of ETHERTYPE_IPX; 1605 * 1606 * Ethernet_802.3 frames, which have a frame 1607 * type of LINUX_SLL_P_802_3; 1608 * 1609 * Ethernet_802.2 frames, which are 802.3 1610 * frames with an 802.2 LLC header (i.e, have 1611 * a frame type of LINUX_SLL_P_802_2) and 1612 * with the IPX LSAP as the DSAP in the LLC 1613 * header; 1614 * 1615 * Ethernet_SNAP frames, which are 802.3 1616 * frames with an LLC header and a SNAP 1617 * header and with an OUI of 0x000000 1618 * (encapsulated Ethernet) and a protocol 1619 * ID of ETHERTYPE_IPX in the SNAP header. 1620 * 1621 * First, do the checks on LINUX_SLL_P_802_2 1622 * frames; generate the check for either 1623 * Ethernet_802.2 or Ethernet_SNAP frames, and 1624 * then put a check for LINUX_SLL_P_802_2 frames 1625 * before it. 1626 */ 1627 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1628 (bpf_int32)LLCSAP_IPX); 1629 b1 = gen_snap(0x000000, ETHERTYPE_IPX, 1630 off_linktype + 2); 1631 gen_or(b0, b1); 1632 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1633 gen_and(b0, b1); 1634 1635 /* 1636 * Now check for 802.3 frames and OR that with 1637 * the previous test. 1638 */ 1639 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 1640 gen_or(b0, b1); 1641 1642 /* 1643 * Now add the check for Ethernet_II frames, and 1644 * do that before checking for the other frame 1645 * types. 1646 */ 1647 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1648 (bpf_int32)ETHERTYPE_IPX); 1649 gen_or(b0, b1); 1650 return b1; 1651 1652 case ETHERTYPE_ATALK: 1653 case ETHERTYPE_AARP: 1654 /* 1655 * EtherTalk (AppleTalk protocols on Ethernet link 1656 * layer) may use 802.2 encapsulation. 1657 */ 1658 1659 /* 1660 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1661 * we check for the 802.2 protocol type in the 1662 * "Ethernet type" field. 1663 */ 1664 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1665 1666 /* 1667 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1668 * SNAP packets with an organization code of 1669 * 0x080007 (Apple, for Appletalk) and a protocol 1670 * type of ETHERTYPE_ATALK (Appletalk). 1671 * 1672 * 802.2-encapsulated ETHERTYPE_AARP packets are 1673 * SNAP packets with an organization code of 1674 * 0x000000 (encapsulated Ethernet) and a protocol 1675 * type of ETHERTYPE_AARP (Appletalk ARP). 1676 */ 1677 if (proto == ETHERTYPE_ATALK) 1678 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 1679 off_linktype + 2); 1680 else /* proto == ETHERTYPE_AARP */ 1681 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 1682 off_linktype + 2); 1683 gen_and(b0, b1); 1684 1685 /* 1686 * Check for Ethernet encapsulation (Ethertalk 1687 * phase 1?); we just check for the Ethernet 1688 * protocol type. 1689 */ 1690 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1691 1692 gen_or(b0, b1); 1693 return b1; 1694 1695 default: 1696 if (proto <= ETHERMTU) { 1697 /* 1698 * This is an LLC SAP value, so the frames 1699 * that match would be 802.2 frames. 1700 * Check for the 802.2 protocol type 1701 * in the "Ethernet type" field, and 1702 * then check the DSAP. 1703 */ 1704 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1705 LINUX_SLL_P_802_2); 1706 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1707 (bpf_int32)proto); 1708 gen_and(b0, b1); 1709 return b1; 1710 } else { 1711 /* 1712 * This is an Ethernet type, so compare 1713 * the length/type field with it (if 1714 * the frame is an 802.2 frame, the length 1715 * field will be <= ETHERMTU, and, as 1716 * "proto" is > ETHERMTU, this test 1717 * will fail and the frame won't match, 1718 * which is what we want). 1719 */ 1720 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1721 (bpf_int32)proto); 1722 } 1723 } 1724 } 1725 1726 static void 1727 insert_radiotap_load_llprefixlen(b) 1728 struct block *b; 1729 { 1730 struct slist *s1, *s2; 1731 1732 /* 1733 * Prepend to the statements in this block code to load the 1734 * length of the radiotap header into the register assigned 1735 * to hold that length, if one has been assigned. 1736 */ 1737 if (reg_ll_size != -1) { 1738 /* 1739 * The 2 bytes at offsets of 2 and 3 from the beginning 1740 * of the radiotap header are the length of the radiotap 1741 * header; unfortunately, it's little-endian, so we have 1742 * to load it a byte at a time and construct the value. 1743 */ 1744 1745 /* 1746 * Load the high-order byte, at an offset of 3, shift it 1747 * left a byte, and put the result in the X register. 1748 */ 1749 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1750 s1->s.k = 3; 1751 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1752 sappend(s1, s2); 1753 s2->s.k = 8; 1754 s2 = new_stmt(BPF_MISC|BPF_TAX); 1755 sappend(s1, s2); 1756 1757 /* 1758 * Load the next byte, at an offset of 2, and OR the 1759 * value from the X register into it. 1760 */ 1761 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1762 sappend(s1, s2); 1763 s2->s.k = 2; 1764 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 1765 sappend(s1, s2); 1766 1767 /* 1768 * Now allocate a register to hold that value and store 1769 * it. 1770 */ 1771 s2 = new_stmt(BPF_ST); 1772 s2->s.k = reg_ll_size; 1773 sappend(s1, s2); 1774 1775 /* 1776 * Now move it into the X register. 1777 */ 1778 s2 = new_stmt(BPF_MISC|BPF_TAX); 1779 sappend(s1, s2); 1780 1781 /* 1782 * Now append all the existing statements in this 1783 * block to these statements. 1784 */ 1785 sappend(s1, b->stmts); 1786 b->stmts = s1; 1787 } 1788 } 1789 1790 1791 static void 1792 insert_load_llprefixlen(b) 1793 struct block *b; 1794 { 1795 switch (linktype) { 1796 1797 case DLT_IEEE802_11_RADIO: 1798 insert_radiotap_load_llprefixlen(b); 1799 } 1800 } 1801 1802 1803 static struct slist * 1804 gen_radiotap_llprefixlen(void) 1805 { 1806 struct slist *s; 1807 1808 if (reg_ll_size == -1) { 1809 /* 1810 * We haven't yet assigned a register for the length 1811 * of the radiotap header; allocate one. 1812 */ 1813 reg_ll_size = alloc_reg(); 1814 } 1815 1816 /* 1817 * Load the register containing the radiotap length 1818 * into the X register. 1819 */ 1820 s = new_stmt(BPF_LDX|BPF_MEM); 1821 s->s.k = reg_ll_size; 1822 return s; 1823 } 1824 1825 /* 1826 * Generate code to compute the link-layer header length, if necessary, 1827 * putting it into the X register, and to return either a pointer to a 1828 * "struct slist" for the list of statements in that code, or NULL if 1829 * no code is necessary. 1830 */ 1831 static struct slist * 1832 gen_llprefixlen(void) 1833 { 1834 switch (linktype) { 1835 1836 case DLT_IEEE802_11_RADIO: 1837 return gen_radiotap_llprefixlen(); 1838 1839 default: 1840 return NULL; 1841 } 1842 } 1843 1844 /* 1845 * Generate code to match a particular packet type by matching the 1846 * link-layer type field or fields in the 802.2 LLC header. 1847 * 1848 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1849 * value, if <= ETHERMTU. 1850 */ 1851 static struct block * 1852 gen_linktype(proto) 1853 register int proto; 1854 { 1855 struct block *b0, *b1, *b2; 1856 1857 switch (linktype) { 1858 1859 case DLT_EN10MB: 1860 return gen_ether_linktype(proto); 1861 /*NOTREACHED*/ 1862 break; 1863 1864 case DLT_C_HDLC: 1865 switch (proto) { 1866 1867 case LLCSAP_ISONS: 1868 proto = (proto << 8 | LLCSAP_ISONS); 1869 /* fall through */ 1870 1871 default: 1872 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1873 (bpf_int32)proto); 1874 /*NOTREACHED*/ 1875 break; 1876 } 1877 break; 1878 1879 case DLT_FDDI: 1880 case DLT_IEEE802: 1881 case DLT_IEEE802_11: 1882 case DLT_IEEE802_11_RADIO_AVS: 1883 case DLT_IEEE802_11_RADIO: 1884 case DLT_PRISM_HEADER: 1885 case DLT_ATM_RFC1483: 1886 case DLT_ATM_CLIP: 1887 case DLT_IP_OVER_FC: 1888 return gen_llc_linktype(proto); 1889 /*NOTREACHED*/ 1890 break; 1891 1892 case DLT_SUNATM: 1893 /* 1894 * If "is_lane" is set, check for a LANE-encapsulated 1895 * version of this protocol, otherwise check for an 1896 * LLC-encapsulated version of this protocol. 1897 * 1898 * We assume LANE means Ethernet, not Token Ring. 1899 */ 1900 if (is_lane) { 1901 /* 1902 * Check that the packet doesn't begin with an 1903 * LE Control marker. (We've already generated 1904 * a test for LANE.) 1905 */ 1906 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 1907 0xFF00); 1908 gen_not(b0); 1909 1910 /* 1911 * Now generate an Ethernet test. 1912 */ 1913 b1 = gen_ether_linktype(proto); 1914 gen_and(b0, b1); 1915 return b1; 1916 } else { 1917 /* 1918 * Check for LLC encapsulation and then check the 1919 * protocol. 1920 */ 1921 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 1922 b1 = gen_llc_linktype(proto); 1923 gen_and(b0, b1); 1924 return b1; 1925 } 1926 /*NOTREACHED*/ 1927 break; 1928 1929 case DLT_LINUX_SLL: 1930 return gen_linux_sll_linktype(proto); 1931 /*NOTREACHED*/ 1932 break; 1933 1934 case DLT_SLIP: 1935 case DLT_SLIP_BSDOS: 1936 case DLT_RAW: 1937 /* 1938 * These types don't provide any type field; packets 1939 * are always IP. 1940 * 1941 * XXX - for IPv4, check for a version number of 4, and, 1942 * for IPv6, check for a version number of 6? 1943 */ 1944 switch (proto) { 1945 1946 case ETHERTYPE_IP: 1947 #ifdef INET6 1948 case ETHERTYPE_IPV6: 1949 #endif 1950 return gen_true(); /* always true */ 1951 1952 default: 1953 return gen_false(); /* always false */ 1954 } 1955 /*NOTREACHED*/ 1956 break; 1957 1958 case DLT_PPP: 1959 case DLT_PPP_PPPD: 1960 case DLT_PPP_SERIAL: 1961 case DLT_PPP_ETHER: 1962 /* 1963 * We use Ethernet protocol types inside libpcap; 1964 * map them to the corresponding PPP protocol types. 1965 */ 1966 switch (proto) { 1967 1968 case ETHERTYPE_IP: 1969 proto = PPP_IP; 1970 break; 1971 1972 #ifdef INET6 1973 case ETHERTYPE_IPV6: 1974 proto = PPP_IPV6; 1975 break; 1976 #endif 1977 1978 case ETHERTYPE_DN: 1979 proto = PPP_DECNET; 1980 break; 1981 1982 case ETHERTYPE_ATALK: 1983 proto = PPP_APPLE; 1984 break; 1985 1986 case ETHERTYPE_NS: 1987 proto = PPP_NS; 1988 break; 1989 1990 case LLCSAP_ISONS: 1991 proto = PPP_OSI; 1992 break; 1993 1994 case LLCSAP_8021D: 1995 /* 1996 * I'm assuming the "Bridging PDU"s that go 1997 * over PPP are Spanning Tree Protocol 1998 * Bridging PDUs. 1999 */ 2000 proto = PPP_BRPDU; 2001 break; 2002 2003 case LLCSAP_IPX: 2004 proto = PPP_IPX; 2005 break; 2006 } 2007 break; 2008 2009 case DLT_PPP_BSDOS: 2010 /* 2011 * We use Ethernet protocol types inside libpcap; 2012 * map them to the corresponding PPP protocol types. 2013 */ 2014 switch (proto) { 2015 2016 case ETHERTYPE_IP: 2017 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 2018 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 2019 gen_or(b0, b1); 2020 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 2021 gen_or(b1, b0); 2022 return b0; 2023 2024 #ifdef INET6 2025 case ETHERTYPE_IPV6: 2026 proto = PPP_IPV6; 2027 /* more to go? */ 2028 break; 2029 #endif 2030 2031 case ETHERTYPE_DN: 2032 proto = PPP_DECNET; 2033 break; 2034 2035 case ETHERTYPE_ATALK: 2036 proto = PPP_APPLE; 2037 break; 2038 2039 case ETHERTYPE_NS: 2040 proto = PPP_NS; 2041 break; 2042 2043 case LLCSAP_ISONS: 2044 proto = PPP_OSI; 2045 break; 2046 2047 case LLCSAP_8021D: 2048 /* 2049 * I'm assuming the "Bridging PDU"s that go 2050 * over PPP are Spanning Tree Protocol 2051 * Bridging PDUs. 2052 */ 2053 proto = PPP_BRPDU; 2054 break; 2055 2056 case LLCSAP_IPX: 2057 proto = PPP_IPX; 2058 break; 2059 } 2060 break; 2061 2062 case DLT_NULL: 2063 case DLT_LOOP: 2064 case DLT_ENC: 2065 /* 2066 * For DLT_NULL, the link-layer header is a 32-bit 2067 * word containing an AF_ value in *host* byte order, 2068 * and for DLT_ENC, the link-layer header begins 2069 * with a 32-bit work containing an AF_ value in 2070 * host byte order. 2071 * 2072 * In addition, if we're reading a saved capture file, 2073 * the host byte order in the capture may not be the 2074 * same as the host byte order on this machine. 2075 * 2076 * For DLT_LOOP, the link-layer header is a 32-bit 2077 * word containing an AF_ value in *network* byte order. 2078 * 2079 * XXX - AF_ values may, unfortunately, be platform- 2080 * dependent; for example, FreeBSD's AF_INET6 is 24 2081 * whilst NetBSD's and OpenBSD's is 26. 2082 * 2083 * This means that, when reading a capture file, just 2084 * checking for our AF_INET6 value won't work if the 2085 * capture file came from another OS. 2086 */ 2087 switch (proto) { 2088 2089 case ETHERTYPE_IP: 2090 proto = AF_INET; 2091 break; 2092 2093 #ifdef INET6 2094 case ETHERTYPE_IPV6: 2095 proto = AF_INET6; 2096 break; 2097 #endif 2098 2099 default: 2100 /* 2101 * Not a type on which we support filtering. 2102 * XXX - support those that have AF_ values 2103 * #defined on this platform, at least? 2104 */ 2105 return gen_false(); 2106 } 2107 2108 if (linktype == DLT_NULL || linktype == DLT_ENC) { 2109 /* 2110 * The AF_ value is in host byte order, but 2111 * the BPF interpreter will convert it to 2112 * network byte order. 2113 * 2114 * If this is a save file, and it's from a 2115 * machine with the opposite byte order to 2116 * ours, we byte-swap the AF_ value. 2117 * 2118 * Then we run it through "htonl()", and 2119 * generate code to compare against the result. 2120 */ 2121 if (bpf_pcap->sf.rfile != NULL && 2122 bpf_pcap->sf.swapped) 2123 proto = SWAPLONG(proto); 2124 proto = htonl(proto); 2125 } 2126 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 2127 2128 case DLT_PFLOG: 2129 /* 2130 * af field is host byte order in contrast to the rest of 2131 * the packet. 2132 */ 2133 if (proto == ETHERTYPE_IP) 2134 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 2135 BPF_B, (bpf_int32)AF_INET)); 2136 #ifdef INET6 2137 else if (proto == ETHERTYPE_IPV6) 2138 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 2139 BPF_B, (bpf_int32)AF_INET6)); 2140 #endif /* INET6 */ 2141 else 2142 return gen_false(); 2143 /*NOTREACHED*/ 2144 break; 2145 2146 case DLT_ARCNET: 2147 case DLT_ARCNET_LINUX: 2148 /* 2149 * XXX should we check for first fragment if the protocol 2150 * uses PHDS? 2151 */ 2152 switch (proto) { 2153 2154 default: 2155 return gen_false(); 2156 2157 #ifdef INET6 2158 case ETHERTYPE_IPV6: 2159 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2160 (bpf_int32)ARCTYPE_INET6)); 2161 #endif /* INET6 */ 2162 2163 case ETHERTYPE_IP: 2164 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2165 (bpf_int32)ARCTYPE_IP); 2166 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2167 (bpf_int32)ARCTYPE_IP_OLD); 2168 gen_or(b0, b1); 2169 return (b1); 2170 2171 case ETHERTYPE_ARP: 2172 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2173 (bpf_int32)ARCTYPE_ARP); 2174 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2175 (bpf_int32)ARCTYPE_ARP_OLD); 2176 gen_or(b0, b1); 2177 return (b1); 2178 2179 case ETHERTYPE_REVARP: 2180 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2181 (bpf_int32)ARCTYPE_REVARP)); 2182 2183 case ETHERTYPE_ATALK: 2184 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2185 (bpf_int32)ARCTYPE_ATALK)); 2186 } 2187 /*NOTREACHED*/ 2188 break; 2189 2190 case DLT_LTALK: 2191 switch (proto) { 2192 case ETHERTYPE_ATALK: 2193 return gen_true(); 2194 default: 2195 return gen_false(); 2196 } 2197 /*NOTREACHED*/ 2198 break; 2199 2200 case DLT_FRELAY: 2201 /* 2202 * XXX - assumes a 2-byte Frame Relay header with 2203 * DLCI and flags. What if the address is longer? 2204 */ 2205 switch (proto) { 2206 2207 case ETHERTYPE_IP: 2208 /* 2209 * Check for the special NLPID for IP. 2210 */ 2211 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 2212 2213 #ifdef INET6 2214 case ETHERTYPE_IPV6: 2215 /* 2216 * Check for the special NLPID for IPv6. 2217 */ 2218 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 2219 #endif 2220 2221 case LLCSAP_ISONS: 2222 /* 2223 * Check for several OSI protocols. 2224 * 2225 * Frame Relay packets typically have an OSI 2226 * NLPID at the beginning; we check for each 2227 * of them. 2228 * 2229 * What we check for is the NLPID and a frame 2230 * control field of UI, i.e. 0x03 followed 2231 * by the NLPID. 2232 */ 2233 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 2234 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 2235 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 2236 gen_or(b1, b2); 2237 gen_or(b0, b2); 2238 return b2; 2239 2240 default: 2241 return gen_false(); 2242 } 2243 /*NOTREACHED*/ 2244 break; 2245 2246 case DLT_JUNIPER_MLFR: 2247 case DLT_JUNIPER_MLPPP: 2248 case DLT_JUNIPER_ATM1: 2249 case DLT_JUNIPER_ATM2: 2250 case DLT_JUNIPER_PPPOE: 2251 case DLT_JUNIPER_PPPOE_ATM: 2252 case DLT_JUNIPER_GGSN: 2253 case DLT_JUNIPER_ES: 2254 case DLT_JUNIPER_MONITOR: 2255 case DLT_JUNIPER_SERVICES: 2256 /* just lets verify the magic number for now - 2257 * on ATM we may have up to 6 different encapsulations on the wire 2258 * and need a lot of heuristics to figure out that the payload 2259 * might be; 2260 * 2261 * FIXME encapsulation specific BPF_ filters 2262 */ 2263 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 2264 2265 case DLT_LINUX_IRDA: 2266 bpf_error("IrDA link-layer type filtering not implemented"); 2267 2268 case DLT_DOCSIS: 2269 bpf_error("DOCSIS link-layer type filtering not implemented"); 2270 2271 case DLT_LINUX_LAPD: 2272 bpf_error("LAPD link-layer type filtering not implemented"); 2273 } 2274 2275 /* 2276 * All the types that have no encapsulation should either be 2277 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 2278 * all packets are IP packets, or should be handled in some 2279 * special case, if none of them are (if some are and some 2280 * aren't, the lack of encapsulation is a problem, as we'd 2281 * have to find some other way of determining the packet type). 2282 * 2283 * Therefore, if "off_linktype" is -1, there's an error. 2284 */ 2285 if (off_linktype == (u_int)-1) 2286 abort(); 2287 2288 /* 2289 * Any type not handled above should always have an Ethernet 2290 * type at an offset of "off_linktype". (PPP is partially 2291 * handled above - the protocol type is mapped from the 2292 * Ethernet and LLC types we use internally to the corresponding 2293 * PPP type - but the PPP type is always specified by a value 2294 * at "off_linktype", so we don't have to do the code generation 2295 * above.) 2296 */ 2297 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2298 } 2299 2300 /* 2301 * Check for an LLC SNAP packet with a given organization code and 2302 * protocol type; we check the entire contents of the 802.2 LLC and 2303 * snap headers, checking for DSAP and SSAP of SNAP and a control 2304 * field of 0x03 in the LLC header, and for the specified organization 2305 * code and protocol type in the SNAP header. 2306 */ 2307 static struct block * 2308 gen_snap(orgcode, ptype, offset) 2309 bpf_u_int32 orgcode; 2310 bpf_u_int32 ptype; 2311 u_int offset; 2312 { 2313 u_char snapblock[8]; 2314 2315 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 2316 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 2317 snapblock[2] = 0x03; /* control = UI */ 2318 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 2319 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 2320 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 2321 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 2322 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 2323 return gen_bcmp(OR_LINK, offset, 8, snapblock); 2324 } 2325 2326 /* 2327 * Generate code to match a particular packet type, for link-layer types 2328 * using 802.2 LLC headers. 2329 * 2330 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 2331 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 2332 * 2333 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2334 * value, if <= ETHERMTU. We use that to determine whether to 2335 * match the DSAP or both DSAP and LSAP or to check the OUI and 2336 * protocol ID in a SNAP header. 2337 */ 2338 static struct block * 2339 gen_llc_linktype(proto) 2340 int proto; 2341 { 2342 /* 2343 * XXX - handle token-ring variable-length header. 2344 */ 2345 switch (proto) { 2346 2347 case LLCSAP_IP: 2348 case LLCSAP_ISONS: 2349 case LLCSAP_NETBEUI: 2350 /* 2351 * XXX - should we check both the DSAP and the 2352 * SSAP, like this, or should we check just the 2353 * DSAP, as we do for other types <= ETHERMTU 2354 * (i.e., other SAP values)? 2355 */ 2356 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32) 2357 ((proto << 8) | proto)); 2358 2359 case LLCSAP_IPX: 2360 /* 2361 * XXX - are there ever SNAP frames for IPX on 2362 * non-Ethernet 802.x networks? 2363 */ 2364 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2365 (bpf_int32)LLCSAP_IPX); 2366 2367 case ETHERTYPE_ATALK: 2368 /* 2369 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2370 * SNAP packets with an organization code of 2371 * 0x080007 (Apple, for Appletalk) and a protocol 2372 * type of ETHERTYPE_ATALK (Appletalk). 2373 * 2374 * XXX - check for an organization code of 2375 * encapsulated Ethernet as well? 2376 */ 2377 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype); 2378 2379 default: 2380 /* 2381 * XXX - we don't have to check for IPX 802.3 2382 * here, but should we check for the IPX Ethertype? 2383 */ 2384 if (proto <= ETHERMTU) { 2385 /* 2386 * This is an LLC SAP value, so check 2387 * the DSAP. 2388 */ 2389 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2390 (bpf_int32)proto); 2391 } else { 2392 /* 2393 * This is an Ethernet type; we assume that it's 2394 * unlikely that it'll appear in the right place 2395 * at random, and therefore check only the 2396 * location that would hold the Ethernet type 2397 * in a SNAP frame with an organization code of 2398 * 0x000000 (encapsulated Ethernet). 2399 * 2400 * XXX - if we were to check for the SNAP DSAP and 2401 * LSAP, as per XXX, and were also to check for an 2402 * organization code of 0x000000 (encapsulated 2403 * Ethernet), we'd do 2404 * 2405 * return gen_snap(0x000000, proto, 2406 * off_linktype); 2407 * 2408 * here; for now, we don't, as per the above. 2409 * I don't know whether it's worth the extra CPU 2410 * time to do the right check or not. 2411 */ 2412 return gen_cmp(OR_LINK, off_linktype+6, BPF_H, 2413 (bpf_int32)proto); 2414 } 2415 } 2416 } 2417 2418 static struct block * 2419 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 2420 bpf_u_int32 addr; 2421 bpf_u_int32 mask; 2422 int dir, proto; 2423 u_int src_off, dst_off; 2424 { 2425 struct block *b0, *b1; 2426 u_int offset; 2427 2428 switch (dir) { 2429 2430 case Q_SRC: 2431 offset = src_off; 2432 break; 2433 2434 case Q_DST: 2435 offset = dst_off; 2436 break; 2437 2438 case Q_AND: 2439 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 2440 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 2441 gen_and(b0, b1); 2442 return b1; 2443 2444 case Q_OR: 2445 case Q_DEFAULT: 2446 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 2447 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 2448 gen_or(b0, b1); 2449 return b1; 2450 2451 default: 2452 abort(); 2453 } 2454 b0 = gen_linktype(proto); 2455 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 2456 gen_and(b0, b1); 2457 return b1; 2458 } 2459 2460 #ifdef INET6 2461 static struct block * 2462 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 2463 struct in6_addr *addr; 2464 struct in6_addr *mask; 2465 int dir, proto; 2466 u_int src_off, dst_off; 2467 { 2468 struct block *b0, *b1; 2469 u_int offset; 2470 u_int32_t *a, *m; 2471 2472 switch (dir) { 2473 2474 case Q_SRC: 2475 offset = src_off; 2476 break; 2477 2478 case Q_DST: 2479 offset = dst_off; 2480 break; 2481 2482 case Q_AND: 2483 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 2484 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 2485 gen_and(b0, b1); 2486 return b1; 2487 2488 case Q_OR: 2489 case Q_DEFAULT: 2490 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 2491 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 2492 gen_or(b0, b1); 2493 return b1; 2494 2495 default: 2496 abort(); 2497 } 2498 /* this order is important */ 2499 a = (u_int32_t *)addr; 2500 m = (u_int32_t *)mask; 2501 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 2502 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 2503 gen_and(b0, b1); 2504 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 2505 gen_and(b0, b1); 2506 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 2507 gen_and(b0, b1); 2508 b0 = gen_linktype(proto); 2509 gen_and(b0, b1); 2510 return b1; 2511 } 2512 #endif /*INET6*/ 2513 2514 static struct block * 2515 gen_ehostop(eaddr, dir) 2516 register const u_char *eaddr; 2517 register int dir; 2518 { 2519 register struct block *b0, *b1; 2520 2521 switch (dir) { 2522 case Q_SRC: 2523 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 2524 2525 case Q_DST: 2526 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 2527 2528 case Q_AND: 2529 b0 = gen_ehostop(eaddr, Q_SRC); 2530 b1 = gen_ehostop(eaddr, Q_DST); 2531 gen_and(b0, b1); 2532 return b1; 2533 2534 case Q_DEFAULT: 2535 case Q_OR: 2536 b0 = gen_ehostop(eaddr, Q_SRC); 2537 b1 = gen_ehostop(eaddr, Q_DST); 2538 gen_or(b0, b1); 2539 return b1; 2540 } 2541 abort(); 2542 /* NOTREACHED */ 2543 } 2544 2545 /* 2546 * Like gen_ehostop, but for DLT_FDDI 2547 */ 2548 static struct block * 2549 gen_fhostop(eaddr, dir) 2550 register const u_char *eaddr; 2551 register int dir; 2552 { 2553 struct block *b0, *b1; 2554 2555 switch (dir) { 2556 case Q_SRC: 2557 #ifdef PCAP_FDDIPAD 2558 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 2559 #else 2560 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 2561 #endif 2562 2563 case Q_DST: 2564 #ifdef PCAP_FDDIPAD 2565 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 2566 #else 2567 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 2568 #endif 2569 2570 case Q_AND: 2571 b0 = gen_fhostop(eaddr, Q_SRC); 2572 b1 = gen_fhostop(eaddr, Q_DST); 2573 gen_and(b0, b1); 2574 return b1; 2575 2576 case Q_DEFAULT: 2577 case Q_OR: 2578 b0 = gen_fhostop(eaddr, Q_SRC); 2579 b1 = gen_fhostop(eaddr, Q_DST); 2580 gen_or(b0, b1); 2581 return b1; 2582 } 2583 abort(); 2584 /* NOTREACHED */ 2585 } 2586 2587 /* 2588 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 2589 */ 2590 static struct block * 2591 gen_thostop(eaddr, dir) 2592 register const u_char *eaddr; 2593 register int dir; 2594 { 2595 register struct block *b0, *b1; 2596 2597 switch (dir) { 2598 case Q_SRC: 2599 return gen_bcmp(OR_LINK, 8, 6, eaddr); 2600 2601 case Q_DST: 2602 return gen_bcmp(OR_LINK, 2, 6, eaddr); 2603 2604 case Q_AND: 2605 b0 = gen_thostop(eaddr, Q_SRC); 2606 b1 = gen_thostop(eaddr, Q_DST); 2607 gen_and(b0, b1); 2608 return b1; 2609 2610 case Q_DEFAULT: 2611 case Q_OR: 2612 b0 = gen_thostop(eaddr, Q_SRC); 2613 b1 = gen_thostop(eaddr, Q_DST); 2614 gen_or(b0, b1); 2615 return b1; 2616 } 2617 abort(); 2618 /* NOTREACHED */ 2619 } 2620 2621 /* 2622 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) 2623 */ 2624 static struct block * 2625 gen_wlanhostop(eaddr, dir) 2626 register const u_char *eaddr; 2627 register int dir; 2628 { 2629 register struct block *b0, *b1, *b2; 2630 register struct slist *s; 2631 2632 switch (dir) { 2633 case Q_SRC: 2634 /* 2635 * Oh, yuk. 2636 * 2637 * For control frames, there is no SA. 2638 * 2639 * For management frames, SA is at an 2640 * offset of 10 from the beginning of 2641 * the packet. 2642 * 2643 * For data frames, SA is at an offset 2644 * of 10 from the beginning of the packet 2645 * if From DS is clear, at an offset of 2646 * 16 from the beginning of the packet 2647 * if From DS is set and To DS is clear, 2648 * and an offset of 24 from the beginning 2649 * of the packet if From DS is set and To DS 2650 * is set. 2651 */ 2652 2653 /* 2654 * Generate the tests to be done for data frames 2655 * with From DS set. 2656 * 2657 * First, check for To DS set, i.e. check "link[1] & 0x01". 2658 */ 2659 s = gen_load_a(OR_LINK, 1, BPF_B); 2660 b1 = new_block(JMP(BPF_JSET)); 2661 b1->s.k = 0x01; /* To DS */ 2662 b1->stmts = s; 2663 2664 /* 2665 * If To DS is set, the SA is at 24. 2666 */ 2667 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 2668 gen_and(b1, b0); 2669 2670 /* 2671 * Now, check for To DS not set, i.e. check 2672 * "!(link[1] & 0x01)". 2673 */ 2674 s = gen_load_a(OR_LINK, 1, BPF_B); 2675 b2 = new_block(JMP(BPF_JSET)); 2676 b2->s.k = 0x01; /* To DS */ 2677 b2->stmts = s; 2678 gen_not(b2); 2679 2680 /* 2681 * If To DS is not set, the SA is at 16. 2682 */ 2683 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 2684 gen_and(b2, b1); 2685 2686 /* 2687 * Now OR together the last two checks. That gives 2688 * the complete set of checks for data frames with 2689 * From DS set. 2690 */ 2691 gen_or(b1, b0); 2692 2693 /* 2694 * Now check for From DS being set, and AND that with 2695 * the ORed-together checks. 2696 */ 2697 s = gen_load_a(OR_LINK, 1, BPF_B); 2698 b1 = new_block(JMP(BPF_JSET)); 2699 b1->s.k = 0x02; /* From DS */ 2700 b1->stmts = s; 2701 gen_and(b1, b0); 2702 2703 /* 2704 * Now check for data frames with From DS not set. 2705 */ 2706 s = gen_load_a(OR_LINK, 1, BPF_B); 2707 b2 = new_block(JMP(BPF_JSET)); 2708 b2->s.k = 0x02; /* From DS */ 2709 b2->stmts = s; 2710 gen_not(b2); 2711 2712 /* 2713 * If From DS isn't set, the SA is at 10. 2714 */ 2715 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 2716 gen_and(b2, b1); 2717 2718 /* 2719 * Now OR together the checks for data frames with 2720 * From DS not set and for data frames with From DS 2721 * set; that gives the checks done for data frames. 2722 */ 2723 gen_or(b1, b0); 2724 2725 /* 2726 * Now check for a data frame. 2727 * I.e, check "link[0] & 0x08". 2728 */ 2729 gen_load_a(OR_LINK, 0, BPF_B); 2730 b1 = new_block(JMP(BPF_JSET)); 2731 b1->s.k = 0x08; 2732 b1->stmts = s; 2733 2734 /* 2735 * AND that with the checks done for data frames. 2736 */ 2737 gen_and(b1, b0); 2738 2739 /* 2740 * If the high-order bit of the type value is 0, this 2741 * is a management frame. 2742 * I.e, check "!(link[0] & 0x08)". 2743 */ 2744 s = gen_load_a(OR_LINK, 0, BPF_B); 2745 b2 = new_block(JMP(BPF_JSET)); 2746 b2->s.k = 0x08; 2747 b2->stmts = s; 2748 gen_not(b2); 2749 2750 /* 2751 * For management frames, the SA is at 10. 2752 */ 2753 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 2754 gen_and(b2, b1); 2755 2756 /* 2757 * OR that with the checks done for data frames. 2758 * That gives the checks done for management and 2759 * data frames. 2760 */ 2761 gen_or(b1, b0); 2762 2763 /* 2764 * If the low-order bit of the type value is 1, 2765 * this is either a control frame or a frame 2766 * with a reserved type, and thus not a 2767 * frame with an SA. 2768 * 2769 * I.e., check "!(link[0] & 0x04)". 2770 */ 2771 s = gen_load_a(OR_LINK, 0, BPF_B); 2772 b1 = new_block(JMP(BPF_JSET)); 2773 b1->s.k = 0x04; 2774 b1->stmts = s; 2775 gen_not(b1); 2776 2777 /* 2778 * AND that with the checks for data and management 2779 * frames. 2780 */ 2781 gen_and(b1, b0); 2782 return b0; 2783 2784 case Q_DST: 2785 /* 2786 * Oh, yuk. 2787 * 2788 * For control frames, there is no DA. 2789 * 2790 * For management frames, DA is at an 2791 * offset of 4 from the beginning of 2792 * the packet. 2793 * 2794 * For data frames, DA is at an offset 2795 * of 4 from the beginning of the packet 2796 * if To DS is clear and at an offset of 2797 * 16 from the beginning of the packet 2798 * if To DS is set. 2799 */ 2800 2801 /* 2802 * Generate the tests to be done for data frames. 2803 * 2804 * First, check for To DS set, i.e. "link[1] & 0x01". 2805 */ 2806 s = gen_load_a(OR_LINK, 1, BPF_B); 2807 b1 = new_block(JMP(BPF_JSET)); 2808 b1->s.k = 0x01; /* To DS */ 2809 b1->stmts = s; 2810 2811 /* 2812 * If To DS is set, the DA is at 16. 2813 */ 2814 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 2815 gen_and(b1, b0); 2816 2817 /* 2818 * Now, check for To DS not set, i.e. check 2819 * "!(link[1] & 0x01)". 2820 */ 2821 s = gen_load_a(OR_LINK, 1, BPF_B); 2822 b2 = new_block(JMP(BPF_JSET)); 2823 b2->s.k = 0x01; /* To DS */ 2824 b2->stmts = s; 2825 gen_not(b2); 2826 2827 /* 2828 * If To DS is not set, the DA is at 4. 2829 */ 2830 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 2831 gen_and(b2, b1); 2832 2833 /* 2834 * Now OR together the last two checks. That gives 2835 * the complete set of checks for data frames. 2836 */ 2837 gen_or(b1, b0); 2838 2839 /* 2840 * Now check for a data frame. 2841 * I.e, check "link[0] & 0x08". 2842 */ 2843 s = gen_load_a(OR_LINK, 0, BPF_B); 2844 b1 = new_block(JMP(BPF_JSET)); 2845 b1->s.k = 0x08; 2846 b1->stmts = s; 2847 2848 /* 2849 * AND that with the checks done for data frames. 2850 */ 2851 gen_and(b1, b0); 2852 2853 /* 2854 * If the high-order bit of the type value is 0, this 2855 * is a management frame. 2856 * I.e, check "!(link[0] & 0x08)". 2857 */ 2858 s = gen_load_a(OR_LINK, 0, BPF_B); 2859 b2 = new_block(JMP(BPF_JSET)); 2860 b2->s.k = 0x08; 2861 b2->stmts = s; 2862 gen_not(b2); 2863 2864 /* 2865 * For management frames, the DA is at 4. 2866 */ 2867 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 2868 gen_and(b2, b1); 2869 2870 /* 2871 * OR that with the checks done for data frames. 2872 * That gives the checks done for management and 2873 * data frames. 2874 */ 2875 gen_or(b1, b0); 2876 2877 /* 2878 * If the low-order bit of the type value is 1, 2879 * this is either a control frame or a frame 2880 * with a reserved type, and thus not a 2881 * frame with an SA. 2882 * 2883 * I.e., check "!(link[0] & 0x04)". 2884 */ 2885 s = gen_load_a(OR_LINK, 0, BPF_B); 2886 b1 = new_block(JMP(BPF_JSET)); 2887 b1->s.k = 0x04; 2888 b1->stmts = s; 2889 gen_not(b1); 2890 2891 /* 2892 * AND that with the checks for data and management 2893 * frames. 2894 */ 2895 gen_and(b1, b0); 2896 return b0; 2897 2898 case Q_AND: 2899 b0 = gen_wlanhostop(eaddr, Q_SRC); 2900 b1 = gen_wlanhostop(eaddr, Q_DST); 2901 gen_and(b0, b1); 2902 return b1; 2903 2904 case Q_DEFAULT: 2905 case Q_OR: 2906 b0 = gen_wlanhostop(eaddr, Q_SRC); 2907 b1 = gen_wlanhostop(eaddr, Q_DST); 2908 gen_or(b0, b1); 2909 return b1; 2910 } 2911 abort(); 2912 /* NOTREACHED */ 2913 } 2914 2915 /* 2916 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 2917 * (We assume that the addresses are IEEE 48-bit MAC addresses, 2918 * as the RFC states.) 2919 */ 2920 static struct block * 2921 gen_ipfchostop(eaddr, dir) 2922 register const u_char *eaddr; 2923 register int dir; 2924 { 2925 register struct block *b0, *b1; 2926 2927 switch (dir) { 2928 case Q_SRC: 2929 return gen_bcmp(OR_LINK, 10, 6, eaddr); 2930 2931 case Q_DST: 2932 return gen_bcmp(OR_LINK, 2, 6, eaddr); 2933 2934 case Q_AND: 2935 b0 = gen_ipfchostop(eaddr, Q_SRC); 2936 b1 = gen_ipfchostop(eaddr, Q_DST); 2937 gen_and(b0, b1); 2938 return b1; 2939 2940 case Q_DEFAULT: 2941 case Q_OR: 2942 b0 = gen_ipfchostop(eaddr, Q_SRC); 2943 b1 = gen_ipfchostop(eaddr, Q_DST); 2944 gen_or(b0, b1); 2945 return b1; 2946 } 2947 abort(); 2948 /* NOTREACHED */ 2949 } 2950 2951 /* 2952 * This is quite tricky because there may be pad bytes in front of the 2953 * DECNET header, and then there are two possible data packet formats that 2954 * carry both src and dst addresses, plus 5 packet types in a format that 2955 * carries only the src node, plus 2 types that use a different format and 2956 * also carry just the src node. 2957 * 2958 * Yuck. 2959 * 2960 * Instead of doing those all right, we just look for data packets with 2961 * 0 or 1 bytes of padding. If you want to look at other packets, that 2962 * will require a lot more hacking. 2963 * 2964 * To add support for filtering on DECNET "areas" (network numbers) 2965 * one would want to add a "mask" argument to this routine. That would 2966 * make the filter even more inefficient, although one could be clever 2967 * and not generate masking instructions if the mask is 0xFFFF. 2968 */ 2969 static struct block * 2970 gen_dnhostop(addr, dir) 2971 bpf_u_int32 addr; 2972 int dir; 2973 { 2974 struct block *b0, *b1, *b2, *tmp; 2975 u_int offset_lh; /* offset if long header is received */ 2976 u_int offset_sh; /* offset if short header is received */ 2977 2978 switch (dir) { 2979 2980 case Q_DST: 2981 offset_sh = 1; /* follows flags */ 2982 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 2983 break; 2984 2985 case Q_SRC: 2986 offset_sh = 3; /* follows flags, dstnode */ 2987 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 2988 break; 2989 2990 case Q_AND: 2991 /* Inefficient because we do our Calvinball dance twice */ 2992 b0 = gen_dnhostop(addr, Q_SRC); 2993 b1 = gen_dnhostop(addr, Q_DST); 2994 gen_and(b0, b1); 2995 return b1; 2996 2997 case Q_OR: 2998 case Q_DEFAULT: 2999 /* Inefficient because we do our Calvinball dance twice */ 3000 b0 = gen_dnhostop(addr, Q_SRC); 3001 b1 = gen_dnhostop(addr, Q_DST); 3002 gen_or(b0, b1); 3003 return b1; 3004 3005 case Q_ISO: 3006 bpf_error("ISO host filtering not implemented"); 3007 3008 default: 3009 abort(); 3010 } 3011 b0 = gen_linktype(ETHERTYPE_DN); 3012 /* Check for pad = 1, long header case */ 3013 tmp = gen_mcmp(OR_NET, 2, BPF_H, 3014 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 3015 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 3016 BPF_H, (bpf_int32)ntohs(addr)); 3017 gen_and(tmp, b1); 3018 /* Check for pad = 0, long header case */ 3019 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 3020 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr)); 3021 gen_and(tmp, b2); 3022 gen_or(b2, b1); 3023 /* Check for pad = 1, short header case */ 3024 tmp = gen_mcmp(OR_NET, 2, BPF_H, 3025 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 3026 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs(addr)); 3027 gen_and(tmp, b2); 3028 gen_or(b2, b1); 3029 /* Check for pad = 0, short header case */ 3030 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 3031 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr)); 3032 gen_and(tmp, b2); 3033 gen_or(b2, b1); 3034 3035 /* Combine with test for linktype */ 3036 gen_and(b0, b1); 3037 return b1; 3038 } 3039 3040 static struct block * 3041 gen_host(addr, mask, proto, dir) 3042 bpf_u_int32 addr; 3043 bpf_u_int32 mask; 3044 int proto; 3045 int dir; 3046 { 3047 struct block *b0, *b1; 3048 3049 switch (proto) { 3050 3051 case Q_DEFAULT: 3052 b0 = gen_host(addr, mask, Q_IP, dir); 3053 if (off_linktype != (u_int)-1) { 3054 b1 = gen_host(addr, mask, Q_ARP, dir); 3055 gen_or(b0, b1); 3056 b0 = gen_host(addr, mask, Q_RARP, dir); 3057 gen_or(b1, b0); 3058 } 3059 return b0; 3060 3061 case Q_IP: 3062 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 3063 3064 case Q_RARP: 3065 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 3066 3067 case Q_ARP: 3068 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 3069 3070 case Q_TCP: 3071 bpf_error("'tcp' modifier applied to host"); 3072 3073 case Q_SCTP: 3074 bpf_error("'sctp' modifier applied to host"); 3075 3076 case Q_UDP: 3077 bpf_error("'udp' modifier applied to host"); 3078 3079 case Q_ICMP: 3080 bpf_error("'icmp' modifier applied to host"); 3081 3082 case Q_IGMP: 3083 bpf_error("'igmp' modifier applied to host"); 3084 3085 case Q_IGRP: 3086 bpf_error("'igrp' modifier applied to host"); 3087 3088 case Q_PIM: 3089 bpf_error("'pim' modifier applied to host"); 3090 3091 case Q_VRRP: 3092 bpf_error("'vrrp' modifier applied to host"); 3093 3094 case Q_ATALK: 3095 bpf_error("ATALK host filtering not implemented"); 3096 3097 case Q_AARP: 3098 bpf_error("AARP host filtering not implemented"); 3099 3100 case Q_DECNET: 3101 return gen_dnhostop(addr, dir); 3102 3103 case Q_SCA: 3104 bpf_error("SCA host filtering not implemented"); 3105 3106 case Q_LAT: 3107 bpf_error("LAT host filtering not implemented"); 3108 3109 case Q_MOPDL: 3110 bpf_error("MOPDL host filtering not implemented"); 3111 3112 case Q_MOPRC: 3113 bpf_error("MOPRC host filtering not implemented"); 3114 3115 #ifdef INET6 3116 case Q_IPV6: 3117 bpf_error("'ip6' modifier applied to ip host"); 3118 3119 case Q_ICMPV6: 3120 bpf_error("'icmp6' modifier applied to host"); 3121 #endif /* INET6 */ 3122 3123 case Q_AH: 3124 bpf_error("'ah' modifier applied to host"); 3125 3126 case Q_ESP: 3127 bpf_error("'esp' modifier applied to host"); 3128 3129 case Q_ISO: 3130 bpf_error("ISO host filtering not implemented"); 3131 3132 case Q_ESIS: 3133 bpf_error("'esis' modifier applied to host"); 3134 3135 case Q_ISIS: 3136 bpf_error("'isis' modifier applied to host"); 3137 3138 case Q_CLNP: 3139 bpf_error("'clnp' modifier applied to host"); 3140 3141 case Q_STP: 3142 bpf_error("'stp' modifier applied to host"); 3143 3144 case Q_IPX: 3145 bpf_error("IPX host filtering not implemented"); 3146 3147 case Q_NETBEUI: 3148 bpf_error("'netbeui' modifier applied to host"); 3149 3150 case Q_RADIO: 3151 bpf_error("'radio' modifier applied to host"); 3152 3153 default: 3154 abort(); 3155 } 3156 /* NOTREACHED */ 3157 } 3158 3159 #ifdef INET6 3160 static struct block * 3161 gen_host6(addr, mask, proto, dir) 3162 struct in6_addr *addr; 3163 struct in6_addr *mask; 3164 int proto; 3165 int dir; 3166 { 3167 switch (proto) { 3168 3169 case Q_DEFAULT: 3170 return gen_host6(addr, mask, Q_IPV6, dir); 3171 3172 case Q_IP: 3173 bpf_error("'ip' modifier applied to ip6 host"); 3174 3175 case Q_RARP: 3176 bpf_error("'rarp' modifier applied to ip6 host"); 3177 3178 case Q_ARP: 3179 bpf_error("'arp' modifier applied to ip6 host"); 3180 3181 case Q_SCTP: 3182 bpf_error("'sctp' modifier applied to host"); 3183 3184 case Q_TCP: 3185 bpf_error("'tcp' modifier applied to host"); 3186 3187 case Q_UDP: 3188 bpf_error("'udp' modifier applied to host"); 3189 3190 case Q_ICMP: 3191 bpf_error("'icmp' modifier applied to host"); 3192 3193 case Q_IGMP: 3194 bpf_error("'igmp' modifier applied to host"); 3195 3196 case Q_IGRP: 3197 bpf_error("'igrp' modifier applied to host"); 3198 3199 case Q_PIM: 3200 bpf_error("'pim' modifier applied to host"); 3201 3202 case Q_VRRP: 3203 bpf_error("'vrrp' modifier applied to host"); 3204 3205 case Q_ATALK: 3206 bpf_error("ATALK host filtering not implemented"); 3207 3208 case Q_AARP: 3209 bpf_error("AARP host filtering not implemented"); 3210 3211 case Q_DECNET: 3212 bpf_error("'decnet' modifier applied to ip6 host"); 3213 3214 case Q_SCA: 3215 bpf_error("SCA host filtering not implemented"); 3216 3217 case Q_LAT: 3218 bpf_error("LAT host filtering not implemented"); 3219 3220 case Q_MOPDL: 3221 bpf_error("MOPDL host filtering not implemented"); 3222 3223 case Q_MOPRC: 3224 bpf_error("MOPRC host filtering not implemented"); 3225 3226 case Q_IPV6: 3227 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 3228 3229 case Q_ICMPV6: 3230 bpf_error("'icmp6' modifier applied to host"); 3231 3232 case Q_AH: 3233 bpf_error("'ah' modifier applied to host"); 3234 3235 case Q_ESP: 3236 bpf_error("'esp' modifier applied to host"); 3237 3238 case Q_ISO: 3239 bpf_error("ISO host filtering not implemented"); 3240 3241 case Q_ESIS: 3242 bpf_error("'esis' modifier applied to host"); 3243 3244 case Q_ISIS: 3245 bpf_error("'isis' modifier applied to host"); 3246 3247 case Q_CLNP: 3248 bpf_error("'clnp' modifier applied to host"); 3249 3250 case Q_STP: 3251 bpf_error("'stp' modifier applied to host"); 3252 3253 case Q_IPX: 3254 bpf_error("IPX host filtering not implemented"); 3255 3256 case Q_NETBEUI: 3257 bpf_error("'netbeui' modifier applied to host"); 3258 3259 case Q_RADIO: 3260 bpf_error("'radio' modifier applied to host"); 3261 3262 default: 3263 abort(); 3264 } 3265 /* NOTREACHED */ 3266 } 3267 #endif /*INET6*/ 3268 3269 #ifndef INET6 3270 static struct block * 3271 gen_gateway(eaddr, alist, proto, dir) 3272 const u_char *eaddr; 3273 bpf_u_int32 **alist; 3274 int proto; 3275 int dir; 3276 { 3277 struct block *b0, *b1, *tmp; 3278 3279 if (dir != 0) 3280 bpf_error("direction applied to 'gateway'"); 3281 3282 switch (proto) { 3283 case Q_DEFAULT: 3284 case Q_IP: 3285 case Q_ARP: 3286 case Q_RARP: 3287 if (linktype == DLT_EN10MB) 3288 b0 = gen_ehostop(eaddr, Q_OR); 3289 else if (linktype == DLT_FDDI) 3290 b0 = gen_fhostop(eaddr, Q_OR); 3291 else if (linktype == DLT_IEEE802) 3292 b0 = gen_thostop(eaddr, Q_OR); 3293 else if (linktype == DLT_IEEE802_11 || 3294 linktype == DLT_IEEE802_11_RADIO_AVS || 3295 linktype == DLT_IEEE802_11_RADIO || 3296 linktype == DLT_PRISM_HEADER) 3297 b0 = gen_wlanhostop(eaddr, Q_OR); 3298 else if (linktype == DLT_SUNATM && is_lane) { 3299 /* 3300 * Check that the packet doesn't begin with an 3301 * LE Control marker. (We've already generated 3302 * a test for LANE.) 3303 */ 3304 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3305 0xFF00); 3306 gen_not(b1); 3307 3308 /* 3309 * Now check the MAC address. 3310 */ 3311 b0 = gen_ehostop(eaddr, Q_OR); 3312 gen_and(b1, b0); 3313 } else if (linktype == DLT_IP_OVER_FC) 3314 b0 = gen_ipfchostop(eaddr, Q_OR); 3315 else 3316 bpf_error( 3317 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel"); 3318 3319 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR); 3320 while (*alist) { 3321 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR); 3322 gen_or(b1, tmp); 3323 b1 = tmp; 3324 } 3325 gen_not(b1); 3326 gen_and(b0, b1); 3327 return b1; 3328 } 3329 bpf_error("illegal modifier of 'gateway'"); 3330 /* NOTREACHED */ 3331 } 3332 #endif 3333 3334 struct block * 3335 gen_proto_abbrev(proto) 3336 int proto; 3337 { 3338 struct block *b0; 3339 struct block *b1; 3340 3341 switch (proto) { 3342 3343 case Q_SCTP: 3344 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 3345 #ifdef INET6 3346 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 3347 gen_or(b0, b1); 3348 #endif 3349 break; 3350 3351 case Q_TCP: 3352 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 3353 #ifdef INET6 3354 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 3355 gen_or(b0, b1); 3356 #endif 3357 break; 3358 3359 case Q_UDP: 3360 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 3361 #ifdef INET6 3362 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 3363 gen_or(b0, b1); 3364 #endif 3365 break; 3366 3367 case Q_ICMP: 3368 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 3369 break; 3370 3371 #ifndef IPPROTO_IGMP 3372 #define IPPROTO_IGMP 2 3373 #endif 3374 3375 case Q_IGMP: 3376 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 3377 break; 3378 3379 #ifndef IPPROTO_IGRP 3380 #define IPPROTO_IGRP 9 3381 #endif 3382 case Q_IGRP: 3383 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 3384 break; 3385 3386 #ifndef IPPROTO_PIM 3387 #define IPPROTO_PIM 103 3388 #endif 3389 3390 case Q_PIM: 3391 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 3392 #ifdef INET6 3393 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 3394 gen_or(b0, b1); 3395 #endif 3396 break; 3397 3398 #ifndef IPPROTO_VRRP 3399 #define IPPROTO_VRRP 112 3400 #endif 3401 3402 case Q_VRRP: 3403 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 3404 break; 3405 3406 case Q_IP: 3407 b1 = gen_linktype(ETHERTYPE_IP); 3408 break; 3409 3410 case Q_ARP: 3411 b1 = gen_linktype(ETHERTYPE_ARP); 3412 break; 3413 3414 case Q_RARP: 3415 b1 = gen_linktype(ETHERTYPE_REVARP); 3416 break; 3417 3418 case Q_LINK: 3419 bpf_error("link layer applied in wrong context"); 3420 3421 case Q_ATALK: 3422 b1 = gen_linktype(ETHERTYPE_ATALK); 3423 break; 3424 3425 case Q_AARP: 3426 b1 = gen_linktype(ETHERTYPE_AARP); 3427 break; 3428 3429 case Q_DECNET: 3430 b1 = gen_linktype(ETHERTYPE_DN); 3431 break; 3432 3433 case Q_SCA: 3434 b1 = gen_linktype(ETHERTYPE_SCA); 3435 break; 3436 3437 case Q_LAT: 3438 b1 = gen_linktype(ETHERTYPE_LAT); 3439 break; 3440 3441 case Q_MOPDL: 3442 b1 = gen_linktype(ETHERTYPE_MOPDL); 3443 break; 3444 3445 case Q_MOPRC: 3446 b1 = gen_linktype(ETHERTYPE_MOPRC); 3447 break; 3448 3449 #ifdef INET6 3450 case Q_IPV6: 3451 b1 = gen_linktype(ETHERTYPE_IPV6); 3452 break; 3453 3454 #ifndef IPPROTO_ICMPV6 3455 #define IPPROTO_ICMPV6 58 3456 #endif 3457 case Q_ICMPV6: 3458 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 3459 break; 3460 #endif /* INET6 */ 3461 3462 #ifndef IPPROTO_AH 3463 #define IPPROTO_AH 51 3464 #endif 3465 case Q_AH: 3466 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 3467 #ifdef INET6 3468 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 3469 gen_or(b0, b1); 3470 #endif 3471 break; 3472 3473 #ifndef IPPROTO_ESP 3474 #define IPPROTO_ESP 50 3475 #endif 3476 case Q_ESP: 3477 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 3478 #ifdef INET6 3479 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 3480 gen_or(b0, b1); 3481 #endif 3482 break; 3483 3484 case Q_ISO: 3485 b1 = gen_linktype(LLCSAP_ISONS); 3486 break; 3487 3488 case Q_ESIS: 3489 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 3490 break; 3491 3492 case Q_ISIS: 3493 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 3494 break; 3495 3496 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 3497 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 3498 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 3499 gen_or(b0, b1); 3500 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 3501 gen_or(b0, b1); 3502 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3503 gen_or(b0, b1); 3504 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3505 gen_or(b0, b1); 3506 break; 3507 3508 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 3509 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 3510 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 3511 gen_or(b0, b1); 3512 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 3513 gen_or(b0, b1); 3514 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3515 gen_or(b0, b1); 3516 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3517 gen_or(b0, b1); 3518 break; 3519 3520 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 3521 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 3522 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 3523 gen_or(b0, b1); 3524 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 3525 gen_or(b0, b1); 3526 break; 3527 3528 case Q_ISIS_LSP: 3529 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 3530 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 3531 gen_or(b0, b1); 3532 break; 3533 3534 case Q_ISIS_SNP: 3535 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3536 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3537 gen_or(b0, b1); 3538 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3539 gen_or(b0, b1); 3540 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3541 gen_or(b0, b1); 3542 break; 3543 3544 case Q_ISIS_CSNP: 3545 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3546 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3547 gen_or(b0, b1); 3548 break; 3549 3550 case Q_ISIS_PSNP: 3551 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3552 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3553 gen_or(b0, b1); 3554 break; 3555 3556 case Q_CLNP: 3557 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 3558 break; 3559 3560 case Q_STP: 3561 b1 = gen_linktype(LLCSAP_8021D); 3562 break; 3563 3564 case Q_IPX: 3565 b1 = gen_linktype(LLCSAP_IPX); 3566 break; 3567 3568 case Q_NETBEUI: 3569 b1 = gen_linktype(LLCSAP_NETBEUI); 3570 break; 3571 3572 case Q_RADIO: 3573 bpf_error("'radio' is not a valid protocol type"); 3574 3575 default: 3576 abort(); 3577 } 3578 return b1; 3579 } 3580 3581 static struct block * 3582 gen_ipfrag() 3583 { 3584 struct slist *s; 3585 struct block *b; 3586 3587 /* not ip frag */ 3588 s = gen_load_a(OR_NET, 6, BPF_H); 3589 b = new_block(JMP(BPF_JSET)); 3590 b->s.k = 0x1fff; 3591 b->stmts = s; 3592 gen_not(b); 3593 3594 return b; 3595 } 3596 3597 /* 3598 * Generate a comparison to a port value in the transport-layer header 3599 * at the specified offset from the beginning of that header. 3600 * 3601 * XXX - this handles a variable-length prefix preceding the link-layer 3602 * header, such as the radiotap or AVS radio prefix, but doesn't handle 3603 * variable-length link-layer headers (such as Token Ring or 802.11 3604 * headers). 3605 */ 3606 static struct block * 3607 gen_portatom(off, v) 3608 int off; 3609 bpf_int32 v; 3610 { 3611 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 3612 } 3613 3614 #ifdef INET6 3615 static struct block * 3616 gen_portatom6(off, v) 3617 int off; 3618 bpf_int32 v; 3619 { 3620 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 3621 } 3622 #endif/*INET6*/ 3623 3624 struct block * 3625 gen_portop(port, proto, dir) 3626 int port, proto, dir; 3627 { 3628 struct block *b0, *b1, *tmp; 3629 3630 /* ip proto 'proto' */ 3631 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 3632 b0 = gen_ipfrag(); 3633 gen_and(tmp, b0); 3634 3635 switch (dir) { 3636 case Q_SRC: 3637 b1 = gen_portatom(0, (bpf_int32)port); 3638 break; 3639 3640 case Q_DST: 3641 b1 = gen_portatom(2, (bpf_int32)port); 3642 break; 3643 3644 case Q_OR: 3645 case Q_DEFAULT: 3646 tmp = gen_portatom(0, (bpf_int32)port); 3647 b1 = gen_portatom(2, (bpf_int32)port); 3648 gen_or(tmp, b1); 3649 break; 3650 3651 case Q_AND: 3652 tmp = gen_portatom(0, (bpf_int32)port); 3653 b1 = gen_portatom(2, (bpf_int32)port); 3654 gen_and(tmp, b1); 3655 break; 3656 3657 default: 3658 abort(); 3659 } 3660 gen_and(b0, b1); 3661 3662 return b1; 3663 } 3664 3665 static struct block * 3666 gen_port(port, ip_proto, dir) 3667 int port; 3668 int ip_proto; 3669 int dir; 3670 { 3671 struct block *b0, *b1, *tmp; 3672 3673 /* 3674 * ether proto ip 3675 * 3676 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 3677 * not LLC encapsulation with LLCSAP_IP. 3678 * 3679 * For IEEE 802 networks - which includes 802.5 token ring 3680 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 3681 * says that SNAP encapsulation is used, not LLC encapsulation 3682 * with LLCSAP_IP. 3683 * 3684 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 3685 * RFC 2225 say that SNAP encapsulation is used, not LLC 3686 * encapsulation with LLCSAP_IP. 3687 * 3688 * So we always check for ETHERTYPE_IP. 3689 */ 3690 b0 = gen_linktype(ETHERTYPE_IP); 3691 3692 switch (ip_proto) { 3693 case IPPROTO_UDP: 3694 case IPPROTO_TCP: 3695 case IPPROTO_SCTP: 3696 b1 = gen_portop(port, ip_proto, dir); 3697 break; 3698 3699 case PROTO_UNDEF: 3700 tmp = gen_portop(port, IPPROTO_TCP, dir); 3701 b1 = gen_portop(port, IPPROTO_UDP, dir); 3702 gen_or(tmp, b1); 3703 tmp = gen_portop(port, IPPROTO_SCTP, dir); 3704 gen_or(tmp, b1); 3705 break; 3706 3707 default: 3708 abort(); 3709 } 3710 gen_and(b0, b1); 3711 return b1; 3712 } 3713 3714 #ifdef INET6 3715 struct block * 3716 gen_portop6(port, proto, dir) 3717 int port, proto, dir; 3718 { 3719 struct block *b0, *b1, *tmp; 3720 3721 /* ip6 proto 'proto' */ 3722 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 3723 3724 switch (dir) { 3725 case Q_SRC: 3726 b1 = gen_portatom6(0, (bpf_int32)port); 3727 break; 3728 3729 case Q_DST: 3730 b1 = gen_portatom6(2, (bpf_int32)port); 3731 break; 3732 3733 case Q_OR: 3734 case Q_DEFAULT: 3735 tmp = gen_portatom6(0, (bpf_int32)port); 3736 b1 = gen_portatom6(2, (bpf_int32)port); 3737 gen_or(tmp, b1); 3738 break; 3739 3740 case Q_AND: 3741 tmp = gen_portatom6(0, (bpf_int32)port); 3742 b1 = gen_portatom6(2, (bpf_int32)port); 3743 gen_and(tmp, b1); 3744 break; 3745 3746 default: 3747 abort(); 3748 } 3749 gen_and(b0, b1); 3750 3751 return b1; 3752 } 3753 3754 static struct block * 3755 gen_port6(port, ip_proto, dir) 3756 int port; 3757 int ip_proto; 3758 int dir; 3759 { 3760 struct block *b0, *b1, *tmp; 3761 3762 /* link proto ip6 */ 3763 b0 = gen_linktype(ETHERTYPE_IPV6); 3764 3765 switch (ip_proto) { 3766 case IPPROTO_UDP: 3767 case IPPROTO_TCP: 3768 case IPPROTO_SCTP: 3769 b1 = gen_portop6(port, ip_proto, dir); 3770 break; 3771 3772 case PROTO_UNDEF: 3773 tmp = gen_portop6(port, IPPROTO_TCP, dir); 3774 b1 = gen_portop6(port, IPPROTO_UDP, dir); 3775 gen_or(tmp, b1); 3776 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 3777 gen_or(tmp, b1); 3778 break; 3779 3780 default: 3781 abort(); 3782 } 3783 gen_and(b0, b1); 3784 return b1; 3785 } 3786 #endif /* INET6 */ 3787 3788 /* gen_portrange code */ 3789 static struct block * 3790 gen_portrangeatom(off, v1, v2) 3791 int off; 3792 bpf_int32 v1, v2; 3793 { 3794 struct block *b1, *b2; 3795 3796 if (v1 > v2) { 3797 /* 3798 * Reverse the order of the ports, so v1 is the lower one. 3799 */ 3800 bpf_int32 vtemp; 3801 3802 vtemp = v1; 3803 v1 = v2; 3804 v2 = vtemp; 3805 } 3806 3807 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 3808 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 3809 3810 gen_and(b1, b2); 3811 3812 return b2; 3813 } 3814 3815 struct block * 3816 gen_portrangeop(port1, port2, proto, dir) 3817 int port1, port2; 3818 int proto; 3819 int dir; 3820 { 3821 struct block *b0, *b1, *tmp; 3822 3823 /* ip proto 'proto' */ 3824 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 3825 b0 = gen_ipfrag(); 3826 gen_and(tmp, b0); 3827 3828 switch (dir) { 3829 case Q_SRC: 3830 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 3831 break; 3832 3833 case Q_DST: 3834 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 3835 break; 3836 3837 case Q_OR: 3838 case Q_DEFAULT: 3839 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 3840 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 3841 gen_or(tmp, b1); 3842 break; 3843 3844 case Q_AND: 3845 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 3846 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 3847 gen_and(tmp, b1); 3848 break; 3849 3850 default: 3851 abort(); 3852 } 3853 gen_and(b0, b1); 3854 3855 return b1; 3856 } 3857 3858 static struct block * 3859 gen_portrange(port1, port2, ip_proto, dir) 3860 int port1, port2; 3861 int ip_proto; 3862 int dir; 3863 { 3864 struct block *b0, *b1, *tmp; 3865 3866 /* link proto ip */ 3867 b0 = gen_linktype(ETHERTYPE_IP); 3868 3869 switch (ip_proto) { 3870 case IPPROTO_UDP: 3871 case IPPROTO_TCP: 3872 case IPPROTO_SCTP: 3873 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 3874 break; 3875 3876 case PROTO_UNDEF: 3877 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 3878 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 3879 gen_or(tmp, b1); 3880 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 3881 gen_or(tmp, b1); 3882 break; 3883 3884 default: 3885 abort(); 3886 } 3887 gen_and(b0, b1); 3888 return b1; 3889 } 3890 3891 #ifdef INET6 3892 static struct block * 3893 gen_portrangeatom6(off, v1, v2) 3894 int off; 3895 bpf_int32 v1, v2; 3896 { 3897 struct block *b1, *b2; 3898 3899 if (v1 > v2) { 3900 /* 3901 * Reverse the order of the ports, so v1 is the lower one. 3902 */ 3903 bpf_int32 vtemp; 3904 3905 vtemp = v1; 3906 v1 = v2; 3907 v2 = vtemp; 3908 } 3909 3910 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 3911 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 3912 3913 gen_and(b1, b2); 3914 3915 return b2; 3916 } 3917 3918 struct block * 3919 gen_portrangeop6(port1, port2, proto, dir) 3920 int port1, port2; 3921 int proto; 3922 int dir; 3923 { 3924 struct block *b0, *b1, *tmp; 3925 3926 /* ip6 proto 'proto' */ 3927 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 3928 3929 switch (dir) { 3930 case Q_SRC: 3931 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 3932 break; 3933 3934 case Q_DST: 3935 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 3936 break; 3937 3938 case Q_OR: 3939 case Q_DEFAULT: 3940 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 3941 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 3942 gen_or(tmp, b1); 3943 break; 3944 3945 case Q_AND: 3946 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 3947 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 3948 gen_and(tmp, b1); 3949 break; 3950 3951 default: 3952 abort(); 3953 } 3954 gen_and(b0, b1); 3955 3956 return b1; 3957 } 3958 3959 static struct block * 3960 gen_portrange6(port1, port2, ip_proto, dir) 3961 int port1, port2; 3962 int ip_proto; 3963 int dir; 3964 { 3965 struct block *b0, *b1, *tmp; 3966 3967 /* link proto ip6 */ 3968 b0 = gen_linktype(ETHERTYPE_IPV6); 3969 3970 switch (ip_proto) { 3971 case IPPROTO_UDP: 3972 case IPPROTO_TCP: 3973 case IPPROTO_SCTP: 3974 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 3975 break; 3976 3977 case PROTO_UNDEF: 3978 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 3979 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 3980 gen_or(tmp, b1); 3981 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 3982 gen_or(tmp, b1); 3983 break; 3984 3985 default: 3986 abort(); 3987 } 3988 gen_and(b0, b1); 3989 return b1; 3990 } 3991 #endif /* INET6 */ 3992 3993 static int 3994 lookup_proto(name, proto) 3995 register const char *name; 3996 register int proto; 3997 { 3998 register int v; 3999 4000 switch (proto) { 4001 4002 case Q_DEFAULT: 4003 case Q_IP: 4004 case Q_IPV6: 4005 v = pcap_nametoproto(name); 4006 if (v == PROTO_UNDEF) 4007 bpf_error("unknown ip proto '%s'", name); 4008 break; 4009 4010 case Q_LINK: 4011 /* XXX should look up h/w protocol type based on linktype */ 4012 v = pcap_nametoeproto(name); 4013 if (v == PROTO_UNDEF) { 4014 v = pcap_nametollc(name); 4015 if (v == PROTO_UNDEF) 4016 bpf_error("unknown ether proto '%s'", name); 4017 } 4018 break; 4019 4020 case Q_ISO: 4021 if (strcmp(name, "esis") == 0) 4022 v = ISO9542_ESIS; 4023 else if (strcmp(name, "isis") == 0) 4024 v = ISO10589_ISIS; 4025 else if (strcmp(name, "clnp") == 0) 4026 v = ISO8473_CLNP; 4027 else 4028 bpf_error("unknown osi proto '%s'", name); 4029 break; 4030 4031 default: 4032 v = PROTO_UNDEF; 4033 break; 4034 } 4035 return v; 4036 } 4037 4038 #if 0 4039 struct stmt * 4040 gen_joinsp(s, n) 4041 struct stmt **s; 4042 int n; 4043 { 4044 return NULL; 4045 } 4046 #endif 4047 4048 static struct block * 4049 gen_protochain(v, proto, dir) 4050 int v; 4051 int proto; 4052 int dir; 4053 { 4054 #ifdef NO_PROTOCHAIN 4055 return gen_proto(v, proto, dir); 4056 #else 4057 struct block *b0, *b; 4058 struct slist *s[100]; 4059 int fix2, fix3, fix4, fix5; 4060 int ahcheck, again, end; 4061 int i, max; 4062 int reg2 = alloc_reg(); 4063 4064 memset(s, 0, sizeof(s)); 4065 fix2 = fix3 = fix4 = fix5 = 0; 4066 4067 switch (proto) { 4068 case Q_IP: 4069 case Q_IPV6: 4070 break; 4071 case Q_DEFAULT: 4072 b0 = gen_protochain(v, Q_IP, dir); 4073 b = gen_protochain(v, Q_IPV6, dir); 4074 gen_or(b0, b); 4075 return b; 4076 default: 4077 bpf_error("bad protocol applied for 'protochain'"); 4078 /*NOTREACHED*/ 4079 } 4080 4081 /* 4082 * We don't handle variable-length radiotap here headers yet. 4083 * We might want to add BPF instructions to do the protochain 4084 * work, to simplify that and, on platforms that have a BPF 4085 * interpreter with the new instructions, let the filtering 4086 * be done in the kernel. (We already require a modified BPF 4087 * engine to do the protochain stuff, to support backward 4088 * branches, and backward branch support is unlikely to appear 4089 * in kernel BPF engines.) 4090 */ 4091 if (linktype == DLT_IEEE802_11_RADIO) 4092 bpf_error("'protochain' not supported with radiotap headers"); 4093 4094 no_optimize = 1; /*this code is not compatible with optimzer yet */ 4095 4096 /* 4097 * s[0] is a dummy entry to protect other BPF insn from damage 4098 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 4099 * hard to find interdependency made by jump table fixup. 4100 */ 4101 i = 0; 4102 s[i] = new_stmt(0); /*dummy*/ 4103 i++; 4104 4105 switch (proto) { 4106 case Q_IP: 4107 b0 = gen_linktype(ETHERTYPE_IP); 4108 4109 /* A = ip->ip_p */ 4110 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 4111 s[i]->s.k = off_nl + 9; 4112 i++; 4113 /* X = ip->ip_hl << 2 */ 4114 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 4115 s[i]->s.k = off_nl; 4116 i++; 4117 break; 4118 #ifdef INET6 4119 case Q_IPV6: 4120 b0 = gen_linktype(ETHERTYPE_IPV6); 4121 4122 /* A = ip6->ip_nxt */ 4123 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 4124 s[i]->s.k = off_nl + 6; 4125 i++; 4126 /* X = sizeof(struct ip6_hdr) */ 4127 s[i] = new_stmt(BPF_LDX|BPF_IMM); 4128 s[i]->s.k = 40; 4129 i++; 4130 break; 4131 #endif 4132 default: 4133 bpf_error("unsupported proto to gen_protochain"); 4134 /*NOTREACHED*/ 4135 } 4136 4137 /* again: if (A == v) goto end; else fall through; */ 4138 again = i; 4139 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4140 s[i]->s.k = v; 4141 s[i]->s.jt = NULL; /*later*/ 4142 s[i]->s.jf = NULL; /*update in next stmt*/ 4143 fix5 = i; 4144 i++; 4145 4146 #ifndef IPPROTO_NONE 4147 #define IPPROTO_NONE 59 4148 #endif 4149 /* if (A == IPPROTO_NONE) goto end */ 4150 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4151 s[i]->s.jt = NULL; /*later*/ 4152 s[i]->s.jf = NULL; /*update in next stmt*/ 4153 s[i]->s.k = IPPROTO_NONE; 4154 s[fix5]->s.jf = s[i]; 4155 fix2 = i; 4156 i++; 4157 4158 #ifdef INET6 4159 if (proto == Q_IPV6) { 4160 int v6start, v6end, v6advance, j; 4161 4162 v6start = i; 4163 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 4164 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4165 s[i]->s.jt = NULL; /*later*/ 4166 s[i]->s.jf = NULL; /*update in next stmt*/ 4167 s[i]->s.k = IPPROTO_HOPOPTS; 4168 s[fix2]->s.jf = s[i]; 4169 i++; 4170 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 4171 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4172 s[i]->s.jt = NULL; /*later*/ 4173 s[i]->s.jf = NULL; /*update in next stmt*/ 4174 s[i]->s.k = IPPROTO_DSTOPTS; 4175 i++; 4176 /* if (A == IPPROTO_ROUTING) goto v6advance */ 4177 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4178 s[i]->s.jt = NULL; /*later*/ 4179 s[i]->s.jf = NULL; /*update in next stmt*/ 4180 s[i]->s.k = IPPROTO_ROUTING; 4181 i++; 4182 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 4183 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4184 s[i]->s.jt = NULL; /*later*/ 4185 s[i]->s.jf = NULL; /*later*/ 4186 s[i]->s.k = IPPROTO_FRAGMENT; 4187 fix3 = i; 4188 v6end = i; 4189 i++; 4190 4191 /* v6advance: */ 4192 v6advance = i; 4193 4194 /* 4195 * in short, 4196 * A = P[X]; 4197 * X = X + (P[X + 1] + 1) * 8; 4198 */ 4199 /* A = X */ 4200 s[i] = new_stmt(BPF_MISC|BPF_TXA); 4201 i++; 4202 /* A = P[X + packet head] */ 4203 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4204 s[i]->s.k = off_nl; 4205 i++; 4206 /* MEM[reg2] = A */ 4207 s[i] = new_stmt(BPF_ST); 4208 s[i]->s.k = reg2; 4209 i++; 4210 /* A = X */ 4211 s[i] = new_stmt(BPF_MISC|BPF_TXA); 4212 i++; 4213 /* A += 1 */ 4214 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4215 s[i]->s.k = 1; 4216 i++; 4217 /* X = A */ 4218 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4219 i++; 4220 /* A = P[X + packet head]; */ 4221 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4222 s[i]->s.k = off_nl; 4223 i++; 4224 /* A += 1 */ 4225 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4226 s[i]->s.k = 1; 4227 i++; 4228 /* A *= 8 */ 4229 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 4230 s[i]->s.k = 8; 4231 i++; 4232 /* X = A; */ 4233 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4234 i++; 4235 /* A = MEM[reg2] */ 4236 s[i] = new_stmt(BPF_LD|BPF_MEM); 4237 s[i]->s.k = reg2; 4238 i++; 4239 4240 /* goto again; (must use BPF_JA for backward jump) */ 4241 s[i] = new_stmt(BPF_JMP|BPF_JA); 4242 s[i]->s.k = again - i - 1; 4243 s[i - 1]->s.jf = s[i]; 4244 i++; 4245 4246 /* fixup */ 4247 for (j = v6start; j <= v6end; j++) 4248 s[j]->s.jt = s[v6advance]; 4249 } else 4250 #endif 4251 { 4252 /* nop */ 4253 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4254 s[i]->s.k = 0; 4255 s[fix2]->s.jf = s[i]; 4256 i++; 4257 } 4258 4259 /* ahcheck: */ 4260 ahcheck = i; 4261 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 4262 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4263 s[i]->s.jt = NULL; /*later*/ 4264 s[i]->s.jf = NULL; /*later*/ 4265 s[i]->s.k = IPPROTO_AH; 4266 if (fix3) 4267 s[fix3]->s.jf = s[ahcheck]; 4268 fix4 = i; 4269 i++; 4270 4271 /* 4272 * in short, 4273 * A = P[X]; 4274 * X = X + (P[X + 1] + 2) * 4; 4275 */ 4276 /* A = X */ 4277 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 4278 i++; 4279 /* A = P[X + packet head]; */ 4280 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4281 s[i]->s.k = off_nl; 4282 i++; 4283 /* MEM[reg2] = A */ 4284 s[i] = new_stmt(BPF_ST); 4285 s[i]->s.k = reg2; 4286 i++; 4287 /* A = X */ 4288 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 4289 i++; 4290 /* A += 1 */ 4291 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4292 s[i]->s.k = 1; 4293 i++; 4294 /* X = A */ 4295 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4296 i++; 4297 /* A = P[X + packet head] */ 4298 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4299 s[i]->s.k = off_nl; 4300 i++; 4301 /* A += 2 */ 4302 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4303 s[i]->s.k = 2; 4304 i++; 4305 /* A *= 4 */ 4306 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 4307 s[i]->s.k = 4; 4308 i++; 4309 /* X = A; */ 4310 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4311 i++; 4312 /* A = MEM[reg2] */ 4313 s[i] = new_stmt(BPF_LD|BPF_MEM); 4314 s[i]->s.k = reg2; 4315 i++; 4316 4317 /* goto again; (must use BPF_JA for backward jump) */ 4318 s[i] = new_stmt(BPF_JMP|BPF_JA); 4319 s[i]->s.k = again - i - 1; 4320 i++; 4321 4322 /* end: nop */ 4323 end = i; 4324 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4325 s[i]->s.k = 0; 4326 s[fix2]->s.jt = s[end]; 4327 s[fix4]->s.jf = s[end]; 4328 s[fix5]->s.jt = s[end]; 4329 i++; 4330 4331 /* 4332 * make slist chain 4333 */ 4334 max = i; 4335 for (i = 0; i < max - 1; i++) 4336 s[i]->next = s[i + 1]; 4337 s[max - 1]->next = NULL; 4338 4339 /* 4340 * emit final check 4341 */ 4342 b = new_block(JMP(BPF_JEQ)); 4343 b->stmts = s[1]; /*remember, s[0] is dummy*/ 4344 b->s.k = v; 4345 4346 free_reg(reg2); 4347 4348 gen_and(b0, b); 4349 return b; 4350 #endif 4351 } 4352 4353 /* 4354 * Generate code that checks whether the packet is a packet for protocol 4355 * <proto> and whether the type field in that protocol's header has 4356 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 4357 * IP packet and checks the protocol number in the IP header against <v>. 4358 * 4359 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 4360 * against Q_IP and Q_IPV6. 4361 */ 4362 static struct block * 4363 gen_proto(v, proto, dir) 4364 int v; 4365 int proto; 4366 int dir; 4367 { 4368 struct block *b0, *b1; 4369 4370 if (dir != Q_DEFAULT) 4371 bpf_error("direction applied to 'proto'"); 4372 4373 switch (proto) { 4374 case Q_DEFAULT: 4375 #ifdef INET6 4376 b0 = gen_proto(v, Q_IP, dir); 4377 b1 = gen_proto(v, Q_IPV6, dir); 4378 gen_or(b0, b1); 4379 return b1; 4380 #else 4381 /*FALLTHROUGH*/ 4382 #endif 4383 case Q_IP: 4384 /* 4385 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 4386 * not LLC encapsulation with LLCSAP_IP. 4387 * 4388 * For IEEE 802 networks - which includes 802.5 token ring 4389 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 4390 * says that SNAP encapsulation is used, not LLC encapsulation 4391 * with LLCSAP_IP. 4392 * 4393 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 4394 * RFC 2225 say that SNAP encapsulation is used, not LLC 4395 * encapsulation with LLCSAP_IP. 4396 * 4397 * So we always check for ETHERTYPE_IP. 4398 */ 4399 b0 = gen_linktype(ETHERTYPE_IP); 4400 #ifndef CHASE_CHAIN 4401 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 4402 #else 4403 b1 = gen_protochain(v, Q_IP); 4404 #endif 4405 gen_and(b0, b1); 4406 return b1; 4407 4408 case Q_ISO: 4409 switch (linktype) { 4410 4411 case DLT_FRELAY: 4412 /* 4413 * Frame Relay packets typically have an OSI 4414 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 4415 * generates code to check for all the OSI 4416 * NLPIDs, so calling it and then adding a check 4417 * for the particular NLPID for which we're 4418 * looking is bogus, as we can just check for 4419 * the NLPID. 4420 * 4421 * What we check for is the NLPID and a frame 4422 * control field value of UI, i.e. 0x03 followed 4423 * by the NLPID. 4424 * 4425 * XXX - assumes a 2-byte Frame Relay header with 4426 * DLCI and flags. What if the address is longer? 4427 * 4428 * XXX - what about SNAP-encapsulated frames? 4429 */ 4430 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 4431 /*NOTREACHED*/ 4432 break; 4433 4434 case DLT_C_HDLC: 4435 /* 4436 * Cisco uses an Ethertype lookalike - for OSI, 4437 * it's 0xfefe. 4438 */ 4439 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 4440 /* OSI in C-HDLC is stuffed with a fudge byte */ 4441 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 4442 gen_and(b0, b1); 4443 return b1; 4444 4445 default: 4446 b0 = gen_linktype(LLCSAP_ISONS); 4447 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 4448 gen_and(b0, b1); 4449 return b1; 4450 } 4451 4452 case Q_ISIS: 4453 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4454 /* 4455 * 4 is the offset of the PDU type relative to the IS-IS 4456 * header. 4457 */ 4458 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 4459 gen_and(b0, b1); 4460 return b1; 4461 4462 case Q_ARP: 4463 bpf_error("arp does not encapsulate another protocol"); 4464 /* NOTREACHED */ 4465 4466 case Q_RARP: 4467 bpf_error("rarp does not encapsulate another protocol"); 4468 /* NOTREACHED */ 4469 4470 case Q_ATALK: 4471 bpf_error("atalk encapsulation is not specifiable"); 4472 /* NOTREACHED */ 4473 4474 case Q_DECNET: 4475 bpf_error("decnet encapsulation is not specifiable"); 4476 /* NOTREACHED */ 4477 4478 case Q_SCA: 4479 bpf_error("sca does not encapsulate another protocol"); 4480 /* NOTREACHED */ 4481 4482 case Q_LAT: 4483 bpf_error("lat does not encapsulate another protocol"); 4484 /* NOTREACHED */ 4485 4486 case Q_MOPRC: 4487 bpf_error("moprc does not encapsulate another protocol"); 4488 /* NOTREACHED */ 4489 4490 case Q_MOPDL: 4491 bpf_error("mopdl does not encapsulate another protocol"); 4492 /* NOTREACHED */ 4493 4494 case Q_LINK: 4495 return gen_linktype(v); 4496 4497 case Q_UDP: 4498 bpf_error("'udp proto' is bogus"); 4499 /* NOTREACHED */ 4500 4501 case Q_TCP: 4502 bpf_error("'tcp proto' is bogus"); 4503 /* NOTREACHED */ 4504 4505 case Q_SCTP: 4506 bpf_error("'sctp proto' is bogus"); 4507 /* NOTREACHED */ 4508 4509 case Q_ICMP: 4510 bpf_error("'icmp proto' is bogus"); 4511 /* NOTREACHED */ 4512 4513 case Q_IGMP: 4514 bpf_error("'igmp proto' is bogus"); 4515 /* NOTREACHED */ 4516 4517 case Q_IGRP: 4518 bpf_error("'igrp proto' is bogus"); 4519 /* NOTREACHED */ 4520 4521 case Q_PIM: 4522 bpf_error("'pim proto' is bogus"); 4523 /* NOTREACHED */ 4524 4525 case Q_VRRP: 4526 bpf_error("'vrrp proto' is bogus"); 4527 /* NOTREACHED */ 4528 4529 #ifdef INET6 4530 case Q_IPV6: 4531 b0 = gen_linktype(ETHERTYPE_IPV6); 4532 #ifndef CHASE_CHAIN 4533 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 4534 #else 4535 b1 = gen_protochain(v, Q_IPV6); 4536 #endif 4537 gen_and(b0, b1); 4538 return b1; 4539 4540 case Q_ICMPV6: 4541 bpf_error("'icmp6 proto' is bogus"); 4542 #endif /* INET6 */ 4543 4544 case Q_AH: 4545 bpf_error("'ah proto' is bogus"); 4546 4547 case Q_ESP: 4548 bpf_error("'ah proto' is bogus"); 4549 4550 case Q_STP: 4551 bpf_error("'stp proto' is bogus"); 4552 4553 case Q_IPX: 4554 bpf_error("'ipx proto' is bogus"); 4555 4556 case Q_NETBEUI: 4557 bpf_error("'netbeui proto' is bogus"); 4558 4559 case Q_RADIO: 4560 bpf_error("'radio proto' is bogus"); 4561 4562 default: 4563 abort(); 4564 /* NOTREACHED */ 4565 } 4566 /* NOTREACHED */ 4567 } 4568 4569 struct block * 4570 gen_scode(name, q) 4571 register const char *name; 4572 struct qual q; 4573 { 4574 int proto = q.proto; 4575 int dir = q.dir; 4576 int tproto; 4577 u_char *eaddr; 4578 bpf_u_int32 mask, addr; 4579 #ifndef INET6 4580 bpf_u_int32 **alist; 4581 #else 4582 int tproto6; 4583 struct sockaddr_in *sin; 4584 struct sockaddr_in6 *sin6; 4585 struct addrinfo *res, *res0; 4586 struct in6_addr mask128; 4587 #endif /*INET6*/ 4588 struct block *b, *tmp; 4589 int port, real_proto; 4590 int port1, port2; 4591 4592 switch (q.addr) { 4593 4594 case Q_NET: 4595 addr = pcap_nametonetaddr(name); 4596 if (addr == 0) 4597 bpf_error("unknown network '%s'", name); 4598 /* Left justify network addr and calculate its network mask */ 4599 mask = 0xffffffff; 4600 while (addr && (addr & 0xff000000) == 0) { 4601 addr <<= 8; 4602 mask <<= 8; 4603 } 4604 return gen_host(addr, mask, proto, dir); 4605 4606 case Q_DEFAULT: 4607 case Q_HOST: 4608 if (proto == Q_LINK) { 4609 switch (linktype) { 4610 4611 case DLT_EN10MB: 4612 eaddr = pcap_ether_hostton(name); 4613 if (eaddr == NULL) 4614 bpf_error( 4615 "unknown ether host '%s'", name); 4616 b = gen_ehostop(eaddr, dir); 4617 free(eaddr); 4618 return b; 4619 4620 case DLT_FDDI: 4621 eaddr = pcap_ether_hostton(name); 4622 if (eaddr == NULL) 4623 bpf_error( 4624 "unknown FDDI host '%s'", name); 4625 b = gen_fhostop(eaddr, dir); 4626 free(eaddr); 4627 return b; 4628 4629 case DLT_IEEE802: 4630 eaddr = pcap_ether_hostton(name); 4631 if (eaddr == NULL) 4632 bpf_error( 4633 "unknown token ring host '%s'", name); 4634 b = gen_thostop(eaddr, dir); 4635 free(eaddr); 4636 return b; 4637 4638 case DLT_IEEE802_11: 4639 case DLT_IEEE802_11_RADIO_AVS: 4640 case DLT_IEEE802_11_RADIO: 4641 case DLT_PRISM_HEADER: 4642 eaddr = pcap_ether_hostton(name); 4643 if (eaddr == NULL) 4644 bpf_error( 4645 "unknown 802.11 host '%s'", name); 4646 b = gen_wlanhostop(eaddr, dir); 4647 free(eaddr); 4648 return b; 4649 4650 case DLT_IP_OVER_FC: 4651 eaddr = pcap_ether_hostton(name); 4652 if (eaddr == NULL) 4653 bpf_error( 4654 "unknown Fibre Channel host '%s'", name); 4655 b = gen_ipfchostop(eaddr, dir); 4656 free(eaddr); 4657 return b; 4658 4659 case DLT_SUNATM: 4660 if (!is_lane) 4661 break; 4662 4663 /* 4664 * Check that the packet doesn't begin 4665 * with an LE Control marker. (We've 4666 * already generated a test for LANE.) 4667 */ 4668 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4669 BPF_H, 0xFF00); 4670 gen_not(tmp); 4671 4672 eaddr = pcap_ether_hostton(name); 4673 if (eaddr == NULL) 4674 bpf_error( 4675 "unknown ether host '%s'", name); 4676 b = gen_ehostop(eaddr, dir); 4677 gen_and(tmp, b); 4678 free(eaddr); 4679 return b; 4680 } 4681 4682 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 4683 } else if (proto == Q_DECNET) { 4684 unsigned short dn_addr = __pcap_nametodnaddr(name); 4685 /* 4686 * I don't think DECNET hosts can be multihomed, so 4687 * there is no need to build up a list of addresses 4688 */ 4689 return (gen_host(dn_addr, 0, proto, dir)); 4690 } else { 4691 #ifndef INET6 4692 alist = pcap_nametoaddr(name); 4693 if (alist == NULL || *alist == NULL) 4694 bpf_error("unknown host '%s'", name); 4695 tproto = proto; 4696 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 4697 tproto = Q_IP; 4698 b = gen_host(**alist++, 0xffffffff, tproto, dir); 4699 while (*alist) { 4700 tmp = gen_host(**alist++, 0xffffffff, 4701 tproto, dir); 4702 gen_or(b, tmp); 4703 b = tmp; 4704 } 4705 return b; 4706 #else 4707 memset(&mask128, 0xff, sizeof(mask128)); 4708 res0 = res = pcap_nametoaddrinfo(name); 4709 if (res == NULL) 4710 bpf_error("unknown host '%s'", name); 4711 b = tmp = NULL; 4712 tproto = tproto6 = proto; 4713 if (off_linktype == -1 && tproto == Q_DEFAULT) { 4714 tproto = Q_IP; 4715 tproto6 = Q_IPV6; 4716 } 4717 for (res = res0; res; res = res->ai_next) { 4718 switch (res->ai_family) { 4719 case AF_INET: 4720 if (tproto == Q_IPV6) 4721 continue; 4722 4723 sin = (struct sockaddr_in *) 4724 res->ai_addr; 4725 tmp = gen_host(ntohl(sin->sin_addr.s_addr), 4726 0xffffffff, tproto, dir); 4727 break; 4728 case AF_INET6: 4729 if (tproto6 == Q_IP) 4730 continue; 4731 4732 sin6 = (struct sockaddr_in6 *) 4733 res->ai_addr; 4734 tmp = gen_host6(&sin6->sin6_addr, 4735 &mask128, tproto6, dir); 4736 break; 4737 default: 4738 continue; 4739 } 4740 if (b) 4741 gen_or(b, tmp); 4742 b = tmp; 4743 } 4744 freeaddrinfo(res0); 4745 if (b == NULL) { 4746 bpf_error("unknown host '%s'%s", name, 4747 (proto == Q_DEFAULT) 4748 ? "" 4749 : " for specified address family"); 4750 } 4751 return b; 4752 #endif /*INET6*/ 4753 } 4754 4755 case Q_PORT: 4756 if (proto != Q_DEFAULT && 4757 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 4758 bpf_error("illegal qualifier of 'port'"); 4759 if (pcap_nametoport(name, &port, &real_proto) == 0) 4760 bpf_error("unknown port '%s'", name); 4761 if (proto == Q_UDP) { 4762 if (real_proto == IPPROTO_TCP) 4763 bpf_error("port '%s' is tcp", name); 4764 else if (real_proto == IPPROTO_SCTP) 4765 bpf_error("port '%s' is sctp", name); 4766 else 4767 /* override PROTO_UNDEF */ 4768 real_proto = IPPROTO_UDP; 4769 } 4770 if (proto == Q_TCP) { 4771 if (real_proto == IPPROTO_UDP) 4772 bpf_error("port '%s' is udp", name); 4773 4774 else if (real_proto == IPPROTO_SCTP) 4775 bpf_error("port '%s' is sctp", name); 4776 else 4777 /* override PROTO_UNDEF */ 4778 real_proto = IPPROTO_TCP; 4779 } 4780 if (proto == Q_SCTP) { 4781 if (real_proto == IPPROTO_UDP) 4782 bpf_error("port '%s' is udp", name); 4783 4784 else if (real_proto == IPPROTO_TCP) 4785 bpf_error("port '%s' is tcp", name); 4786 else 4787 /* override PROTO_UNDEF */ 4788 real_proto = IPPROTO_SCTP; 4789 } 4790 #ifndef INET6 4791 return gen_port(port, real_proto, dir); 4792 #else 4793 { 4794 struct block *b; 4795 b = gen_port(port, real_proto, dir); 4796 gen_or(gen_port6(port, real_proto, dir), b); 4797 return b; 4798 } 4799 #endif /* INET6 */ 4800 4801 case Q_PORTRANGE: 4802 if (proto != Q_DEFAULT && 4803 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 4804 bpf_error("illegal qualifier of 'portrange'"); 4805 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 4806 bpf_error("unknown port in range '%s'", name); 4807 if (proto == Q_UDP) { 4808 if (real_proto == IPPROTO_TCP) 4809 bpf_error("port in range '%s' is tcp", name); 4810 else if (real_proto == IPPROTO_SCTP) 4811 bpf_error("port in range '%s' is sctp", name); 4812 else 4813 /* override PROTO_UNDEF */ 4814 real_proto = IPPROTO_UDP; 4815 } 4816 if (proto == Q_TCP) { 4817 if (real_proto == IPPROTO_UDP) 4818 bpf_error("port in range '%s' is udp", name); 4819 else if (real_proto == IPPROTO_SCTP) 4820 bpf_error("port in range '%s' is sctp", name); 4821 else 4822 /* override PROTO_UNDEF */ 4823 real_proto = IPPROTO_TCP; 4824 } 4825 if (proto == Q_SCTP) { 4826 if (real_proto == IPPROTO_UDP) 4827 bpf_error("port in range '%s' is udp", name); 4828 else if (real_proto == IPPROTO_TCP) 4829 bpf_error("port in range '%s' is tcp", name); 4830 else 4831 /* override PROTO_UNDEF */ 4832 real_proto = IPPROTO_SCTP; 4833 } 4834 #ifndef INET6 4835 return gen_portrange(port1, port2, real_proto, dir); 4836 #else 4837 { 4838 struct block *b; 4839 b = gen_portrange(port1, port2, real_proto, dir); 4840 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 4841 return b; 4842 } 4843 #endif /* INET6 */ 4844 4845 case Q_GATEWAY: 4846 #ifndef INET6 4847 eaddr = pcap_ether_hostton(name); 4848 if (eaddr == NULL) 4849 bpf_error("unknown ether host: %s", name); 4850 4851 alist = pcap_nametoaddr(name); 4852 if (alist == NULL || *alist == NULL) 4853 bpf_error("unknown host '%s'", name); 4854 b = gen_gateway(eaddr, alist, proto, dir); 4855 free(eaddr); 4856 return b; 4857 #else 4858 bpf_error("'gateway' not supported in this configuration"); 4859 #endif /*INET6*/ 4860 4861 case Q_PROTO: 4862 real_proto = lookup_proto(name, proto); 4863 if (real_proto >= 0) 4864 return gen_proto(real_proto, proto, dir); 4865 else 4866 bpf_error("unknown protocol: %s", name); 4867 4868 case Q_PROTOCHAIN: 4869 real_proto = lookup_proto(name, proto); 4870 if (real_proto >= 0) 4871 return gen_protochain(real_proto, proto, dir); 4872 else 4873 bpf_error("unknown protocol: %s", name); 4874 4875 4876 case Q_UNDEF: 4877 syntax(); 4878 /* NOTREACHED */ 4879 } 4880 abort(); 4881 /* NOTREACHED */ 4882 } 4883 4884 struct block * 4885 gen_mcode(s1, s2, masklen, q) 4886 register const char *s1, *s2; 4887 register int masklen; 4888 struct qual q; 4889 { 4890 register int nlen, mlen; 4891 bpf_u_int32 n, m; 4892 4893 nlen = __pcap_atoin(s1, &n); 4894 /* Promote short ipaddr */ 4895 n <<= 32 - nlen; 4896 4897 if (s2 != NULL) { 4898 mlen = __pcap_atoin(s2, &m); 4899 /* Promote short ipaddr */ 4900 m <<= 32 - mlen; 4901 if ((n & ~m) != 0) 4902 bpf_error("non-network bits set in \"%s mask %s\"", 4903 s1, s2); 4904 } else { 4905 /* Convert mask len to mask */ 4906 if (masklen > 32) 4907 bpf_error("mask length must be <= 32"); 4908 m = 0xffffffff << (32 - masklen); 4909 if ((n & ~m) != 0) 4910 bpf_error("non-network bits set in \"%s/%d\"", 4911 s1, masklen); 4912 } 4913 4914 switch (q.addr) { 4915 4916 case Q_NET: 4917 return gen_host(n, m, q.proto, q.dir); 4918 4919 default: 4920 bpf_error("Mask syntax for networks only"); 4921 /* NOTREACHED */ 4922 } 4923 /* NOTREACHED */ 4924 } 4925 4926 struct block * 4927 gen_ncode(s, v, q) 4928 register const char *s; 4929 bpf_u_int32 v; 4930 struct qual q; 4931 { 4932 bpf_u_int32 mask; 4933 int proto = q.proto; 4934 int dir = q.dir; 4935 register int vlen; 4936 4937 if (s == NULL) 4938 vlen = 32; 4939 else if (q.proto == Q_DECNET) 4940 vlen = __pcap_atodn(s, &v); 4941 else 4942 vlen = __pcap_atoin(s, &v); 4943 4944 switch (q.addr) { 4945 4946 case Q_DEFAULT: 4947 case Q_HOST: 4948 case Q_NET: 4949 if (proto == Q_DECNET) 4950 return gen_host(v, 0, proto, dir); 4951 else if (proto == Q_LINK) { 4952 bpf_error("illegal link layer address"); 4953 } else { 4954 mask = 0xffffffff; 4955 if (s == NULL && q.addr == Q_NET) { 4956 /* Promote short net number */ 4957 while (v && (v & 0xff000000) == 0) { 4958 v <<= 8; 4959 mask <<= 8; 4960 } 4961 } else { 4962 /* Promote short ipaddr */ 4963 v <<= 32 - vlen; 4964 mask <<= 32 - vlen; 4965 } 4966 return gen_host(v, mask, proto, dir); 4967 } 4968 4969 case Q_PORT: 4970 if (proto == Q_UDP) 4971 proto = IPPROTO_UDP; 4972 else if (proto == Q_TCP) 4973 proto = IPPROTO_TCP; 4974 else if (proto == Q_SCTP) 4975 proto = IPPROTO_SCTP; 4976 else if (proto == Q_DEFAULT) 4977 proto = PROTO_UNDEF; 4978 else 4979 bpf_error("illegal qualifier of 'port'"); 4980 4981 #ifndef INET6 4982 return gen_port((int)v, proto, dir); 4983 #else 4984 { 4985 struct block *b; 4986 b = gen_port((int)v, proto, dir); 4987 gen_or(gen_port6((int)v, proto, dir), b); 4988 return b; 4989 } 4990 #endif /* INET6 */ 4991 4992 case Q_PORTRANGE: 4993 if (proto == Q_UDP) 4994 proto = IPPROTO_UDP; 4995 else if (proto == Q_TCP) 4996 proto = IPPROTO_TCP; 4997 else if (proto == Q_SCTP) 4998 proto = IPPROTO_SCTP; 4999 else if (proto == Q_DEFAULT) 5000 proto = PROTO_UNDEF; 5001 else 5002 bpf_error("illegal qualifier of 'portrange'"); 5003 5004 #ifndef INET6 5005 return gen_portrange((int)v, (int)v, proto, dir); 5006 #else 5007 { 5008 struct block *b; 5009 b = gen_portrange((int)v, (int)v, proto, dir); 5010 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 5011 return b; 5012 } 5013 #endif /* INET6 */ 5014 5015 case Q_GATEWAY: 5016 bpf_error("'gateway' requires a name"); 5017 /* NOTREACHED */ 5018 5019 case Q_PROTO: 5020 return gen_proto((int)v, proto, dir); 5021 5022 case Q_PROTOCHAIN: 5023 return gen_protochain((int)v, proto, dir); 5024 5025 case Q_UNDEF: 5026 syntax(); 5027 /* NOTREACHED */ 5028 5029 default: 5030 abort(); 5031 /* NOTREACHED */ 5032 } 5033 /* NOTREACHED */ 5034 } 5035 5036 #ifdef INET6 5037 struct block * 5038 gen_mcode6(s1, s2, masklen, q) 5039 register const char *s1, *s2; 5040 register int masklen; 5041 struct qual q; 5042 { 5043 struct addrinfo *res; 5044 struct in6_addr *addr; 5045 struct in6_addr mask; 5046 struct block *b; 5047 u_int32_t *a, *m; 5048 5049 if (s2) 5050 bpf_error("no mask %s supported", s2); 5051 5052 res = pcap_nametoaddrinfo(s1); 5053 if (!res) 5054 bpf_error("invalid ip6 address %s", s1); 5055 if (res->ai_next) 5056 bpf_error("%s resolved to multiple address", s1); 5057 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 5058 5059 if (sizeof(mask) * 8 < masklen) 5060 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 5061 memset(&mask, 0, sizeof(mask)); 5062 memset(&mask, 0xff, masklen / 8); 5063 if (masklen % 8) { 5064 mask.s6_addr[masklen / 8] = 5065 (0xff << (8 - masklen % 8)) & 0xff; 5066 } 5067 5068 a = (u_int32_t *)addr; 5069 m = (u_int32_t *)&mask; 5070 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 5071 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 5072 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 5073 } 5074 5075 switch (q.addr) { 5076 5077 case Q_DEFAULT: 5078 case Q_HOST: 5079 if (masklen != 128) 5080 bpf_error("Mask syntax for networks only"); 5081 /* FALLTHROUGH */ 5082 5083 case Q_NET: 5084 b = gen_host6(addr, &mask, q.proto, q.dir); 5085 freeaddrinfo(res); 5086 return b; 5087 5088 default: 5089 bpf_error("invalid qualifier against IPv6 address"); 5090 /* NOTREACHED */ 5091 } 5092 } 5093 #endif /*INET6*/ 5094 5095 struct block * 5096 gen_ecode(eaddr, q) 5097 register const u_char *eaddr; 5098 struct qual q; 5099 { 5100 struct block *b, *tmp; 5101 5102 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 5103 if (linktype == DLT_EN10MB) 5104 return gen_ehostop(eaddr, (int)q.dir); 5105 if (linktype == DLT_FDDI) 5106 return gen_fhostop(eaddr, (int)q.dir); 5107 if (linktype == DLT_IEEE802) 5108 return gen_thostop(eaddr, (int)q.dir); 5109 if (linktype == DLT_IEEE802_11 || 5110 linktype == DLT_IEEE802_11_RADIO_AVS || 5111 linktype == DLT_IEEE802_11_RADIO || 5112 linktype == DLT_PRISM_HEADER) 5113 return gen_wlanhostop(eaddr, (int)q.dir); 5114 if (linktype == DLT_SUNATM && is_lane) { 5115 /* 5116 * Check that the packet doesn't begin with an 5117 * LE Control marker. (We've already generated 5118 * a test for LANE.) 5119 */ 5120 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 5121 0xFF00); 5122 gen_not(tmp); 5123 5124 /* 5125 * Now check the MAC address. 5126 */ 5127 b = gen_ehostop(eaddr, (int)q.dir); 5128 gen_and(tmp, b); 5129 return b; 5130 } 5131 if (linktype == DLT_IP_OVER_FC) 5132 return gen_ipfchostop(eaddr, (int)q.dir); 5133 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5134 } 5135 bpf_error("ethernet address used in non-ether expression"); 5136 /* NOTREACHED */ 5137 } 5138 5139 void 5140 sappend(s0, s1) 5141 struct slist *s0, *s1; 5142 { 5143 /* 5144 * This is definitely not the best way to do this, but the 5145 * lists will rarely get long. 5146 */ 5147 while (s0->next) 5148 s0 = s0->next; 5149 s0->next = s1; 5150 } 5151 5152 static struct slist * 5153 xfer_to_x(a) 5154 struct arth *a; 5155 { 5156 struct slist *s; 5157 5158 s = new_stmt(BPF_LDX|BPF_MEM); 5159 s->s.k = a->regno; 5160 return s; 5161 } 5162 5163 static struct slist * 5164 xfer_to_a(a) 5165 struct arth *a; 5166 { 5167 struct slist *s; 5168 5169 s = new_stmt(BPF_LD|BPF_MEM); 5170 s->s.k = a->regno; 5171 return s; 5172 } 5173 5174 /* 5175 * Modify "index" to use the value stored into its register as an 5176 * offset relative to the beginning of the header for the protocol 5177 * "proto", and allocate a register and put an item "size" bytes long 5178 * (1, 2, or 4) at that offset into that register, making it the register 5179 * for "index". 5180 */ 5181 struct arth * 5182 gen_load(proto, index, size) 5183 int proto; 5184 struct arth *index; 5185 int size; 5186 { 5187 struct slist *s, *tmp; 5188 struct block *b; 5189 int regno = alloc_reg(); 5190 5191 free_reg(index->regno); 5192 switch (size) { 5193 5194 default: 5195 bpf_error("data size must be 1, 2, or 4"); 5196 5197 case 1: 5198 size = BPF_B; 5199 break; 5200 5201 case 2: 5202 size = BPF_H; 5203 break; 5204 5205 case 4: 5206 size = BPF_W; 5207 break; 5208 } 5209 switch (proto) { 5210 default: 5211 bpf_error("unsupported index operation"); 5212 5213 case Q_RADIO: 5214 /* 5215 * The offset is relative to the beginning of the packet 5216 * data, if we have a radio header. (If we don't, this 5217 * is an error.) 5218 */ 5219 if (linktype != DLT_IEEE802_11_RADIO_AVS && 5220 linktype != DLT_IEEE802_11_RADIO && 5221 linktype != DLT_PRISM_HEADER) 5222 bpf_error("radio information not present in capture"); 5223 5224 /* 5225 * Load into the X register the offset computed into the 5226 * register specifed by "index". 5227 */ 5228 s = xfer_to_x(index); 5229 5230 /* 5231 * Load the item at that offset. 5232 */ 5233 tmp = new_stmt(BPF_LD|BPF_IND|size); 5234 sappend(s, tmp); 5235 sappend(index->s, s); 5236 break; 5237 5238 case Q_LINK: 5239 /* 5240 * The offset is relative to the beginning of 5241 * the link-layer header. 5242 * 5243 * XXX - what about ATM LANE? Should the index be 5244 * relative to the beginning of the AAL5 frame, so 5245 * that 0 refers to the beginning of the LE Control 5246 * field, or relative to the beginning of the LAN 5247 * frame, so that 0 refers, for Ethernet LANE, to 5248 * the beginning of the destination address? 5249 */ 5250 s = gen_llprefixlen(); 5251 5252 /* 5253 * If "s" is non-null, it has code to arrange that the 5254 * X register contains the length of the prefix preceding 5255 * the link-layer header. Add to it the offset computed 5256 * into the register specified by "index", and move that 5257 * into the X register. Otherwise, just load into the X 5258 * register the offset computed into the register specifed 5259 * by "index". 5260 */ 5261 if (s != NULL) { 5262 sappend(s, xfer_to_a(index)); 5263 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5264 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5265 } else 5266 s = xfer_to_x(index); 5267 5268 /* 5269 * Load the item at the sum of the offset we've put in the 5270 * X register and the offset of the start of the link 5271 * layer header (which is 0 if the radio header is 5272 * variable-length; that header length is what we put 5273 * into the X register and then added to the index). 5274 */ 5275 tmp = new_stmt(BPF_LD|BPF_IND|size); 5276 tmp->s.k = off_ll; 5277 sappend(s, tmp); 5278 sappend(index->s, s); 5279 break; 5280 5281 case Q_IP: 5282 case Q_ARP: 5283 case Q_RARP: 5284 case Q_ATALK: 5285 case Q_DECNET: 5286 case Q_SCA: 5287 case Q_LAT: 5288 case Q_MOPRC: 5289 case Q_MOPDL: 5290 #ifdef INET6 5291 case Q_IPV6: 5292 #endif 5293 /* 5294 * The offset is relative to the beginning of 5295 * the network-layer header. 5296 * XXX - are there any cases where we want 5297 * off_nl_nosnap? 5298 */ 5299 s = gen_llprefixlen(); 5300 5301 /* 5302 * If "s" is non-null, it has code to arrange that the 5303 * X register contains the length of the prefix preceding 5304 * the link-layer header. Add to it the offset computed 5305 * into the register specified by "index", and move that 5306 * into the X register. Otherwise, just load into the X 5307 * register the offset computed into the register specifed 5308 * by "index". 5309 */ 5310 if (s != NULL) { 5311 sappend(s, xfer_to_a(index)); 5312 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5313 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5314 } else 5315 s = xfer_to_x(index); 5316 5317 /* 5318 * Load the item at the sum of the offset we've put in the 5319 * X register and the offset of the start of the network 5320 * layer header. 5321 */ 5322 tmp = new_stmt(BPF_LD|BPF_IND|size); 5323 tmp->s.k = off_nl; 5324 sappend(s, tmp); 5325 sappend(index->s, s); 5326 5327 /* 5328 * Do the computation only if the packet contains 5329 * the protocol in question. 5330 */ 5331 b = gen_proto_abbrev(proto); 5332 if (index->b) 5333 gen_and(index->b, b); 5334 index->b = b; 5335 break; 5336 5337 case Q_SCTP: 5338 case Q_TCP: 5339 case Q_UDP: 5340 case Q_ICMP: 5341 case Q_IGMP: 5342 case Q_IGRP: 5343 case Q_PIM: 5344 case Q_VRRP: 5345 /* 5346 * The offset is relative to the beginning of 5347 * the transport-layer header. 5348 * XXX - are there any cases where we want 5349 * off_nl_nosnap? 5350 * XXX - we should, if we're built with 5351 * IPv6 support, generate code to load either 5352 * IPv4, IPv6, or both, as appropriate. 5353 */ 5354 s = gen_loadx_iphdrlen(); 5355 5356 /* 5357 * The X register now contains the sum of the offset 5358 * of the beginning of the link-layer header and 5359 * the length of the network-layer header. Load 5360 * into the A register the offset relative to 5361 * the beginning of the transport layer header, 5362 * add the X register to that, move that to the 5363 * X register, and load with an offset from the 5364 * X register equal to the offset of the network 5365 * layer header relative to the beginning of 5366 * the link-layer header. 5367 */ 5368 sappend(s, xfer_to_a(index)); 5369 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5370 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5371 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 5372 tmp->s.k = off_nl; 5373 sappend(index->s, s); 5374 5375 /* 5376 * Do the computation only if the packet contains 5377 * the protocol in question - which is true only 5378 * if this is an IP datagram and is the first or 5379 * only fragment of that datagram. 5380 */ 5381 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 5382 if (index->b) 5383 gen_and(index->b, b); 5384 #ifdef INET6 5385 gen_and(gen_proto_abbrev(Q_IP), b); 5386 #endif 5387 index->b = b; 5388 break; 5389 #ifdef INET6 5390 case Q_ICMPV6: 5391 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 5392 /*NOTREACHED*/ 5393 #endif 5394 } 5395 index->regno = regno; 5396 s = new_stmt(BPF_ST); 5397 s->s.k = regno; 5398 sappend(index->s, s); 5399 5400 return index; 5401 } 5402 5403 struct block * 5404 gen_relation(code, a0, a1, reversed) 5405 int code; 5406 struct arth *a0, *a1; 5407 int reversed; 5408 { 5409 struct slist *s0, *s1, *s2; 5410 struct block *b, *tmp; 5411 5412 s0 = xfer_to_x(a1); 5413 s1 = xfer_to_a(a0); 5414 if (code == BPF_JEQ) { 5415 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 5416 b = new_block(JMP(code)); 5417 sappend(s1, s2); 5418 } 5419 else 5420 b = new_block(BPF_JMP|code|BPF_X); 5421 if (reversed) 5422 gen_not(b); 5423 5424 sappend(s0, s1); 5425 sappend(a1->s, s0); 5426 sappend(a0->s, a1->s); 5427 5428 b->stmts = a0->s; 5429 5430 free_reg(a0->regno); 5431 free_reg(a1->regno); 5432 5433 /* 'and' together protocol checks */ 5434 if (a0->b) { 5435 if (a1->b) { 5436 gen_and(a0->b, tmp = a1->b); 5437 } 5438 else 5439 tmp = a0->b; 5440 } else 5441 tmp = a1->b; 5442 5443 if (tmp) 5444 gen_and(tmp, b); 5445 5446 return b; 5447 } 5448 5449 struct arth * 5450 gen_loadlen() 5451 { 5452 int regno = alloc_reg(); 5453 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 5454 struct slist *s; 5455 5456 s = new_stmt(BPF_LD|BPF_LEN); 5457 s->next = new_stmt(BPF_ST); 5458 s->next->s.k = regno; 5459 a->s = s; 5460 a->regno = regno; 5461 5462 return a; 5463 } 5464 5465 struct arth * 5466 gen_loadi(val) 5467 int val; 5468 { 5469 struct arth *a; 5470 struct slist *s; 5471 int reg; 5472 5473 a = (struct arth *)newchunk(sizeof(*a)); 5474 5475 reg = alloc_reg(); 5476 5477 s = new_stmt(BPF_LD|BPF_IMM); 5478 s->s.k = val; 5479 s->next = new_stmt(BPF_ST); 5480 s->next->s.k = reg; 5481 a->s = s; 5482 a->regno = reg; 5483 5484 return a; 5485 } 5486 5487 struct arth * 5488 gen_neg(a) 5489 struct arth *a; 5490 { 5491 struct slist *s; 5492 5493 s = xfer_to_a(a); 5494 sappend(a->s, s); 5495 s = new_stmt(BPF_ALU|BPF_NEG); 5496 s->s.k = 0; 5497 sappend(a->s, s); 5498 s = new_stmt(BPF_ST); 5499 s->s.k = a->regno; 5500 sappend(a->s, s); 5501 5502 return a; 5503 } 5504 5505 struct arth * 5506 gen_arth(code, a0, a1) 5507 int code; 5508 struct arth *a0, *a1; 5509 { 5510 struct slist *s0, *s1, *s2; 5511 5512 s0 = xfer_to_x(a1); 5513 s1 = xfer_to_a(a0); 5514 s2 = new_stmt(BPF_ALU|BPF_X|code); 5515 5516 sappend(s1, s2); 5517 sappend(s0, s1); 5518 sappend(a1->s, s0); 5519 sappend(a0->s, a1->s); 5520 5521 free_reg(a0->regno); 5522 free_reg(a1->regno); 5523 5524 s0 = new_stmt(BPF_ST); 5525 a0->regno = s0->s.k = alloc_reg(); 5526 sappend(a0->s, s0); 5527 5528 return a0; 5529 } 5530 5531 /* 5532 * Here we handle simple allocation of the scratch registers. 5533 * If too many registers are alloc'd, the allocator punts. 5534 */ 5535 static int regused[BPF_MEMWORDS]; 5536 static int curreg; 5537 5538 /* 5539 * Return the next free register. 5540 */ 5541 static int 5542 alloc_reg() 5543 { 5544 int n = BPF_MEMWORDS; 5545 5546 while (--n >= 0) { 5547 if (regused[curreg]) 5548 curreg = (curreg + 1) % BPF_MEMWORDS; 5549 else { 5550 regused[curreg] = 1; 5551 return curreg; 5552 } 5553 } 5554 bpf_error("too many registers needed to evaluate expression"); 5555 /* NOTREACHED */ 5556 } 5557 5558 /* 5559 * Return a register to the table so it can 5560 * be used later. 5561 */ 5562 static void 5563 free_reg(n) 5564 int n; 5565 { 5566 regused[n] = 0; 5567 } 5568 5569 static struct block * 5570 gen_len(jmp, n) 5571 int jmp, n; 5572 { 5573 struct slist *s; 5574 struct block *b; 5575 5576 s = new_stmt(BPF_LD|BPF_LEN); 5577 b = new_block(JMP(jmp)); 5578 b->stmts = s; 5579 b->s.k = n; 5580 5581 return b; 5582 } 5583 5584 struct block * 5585 gen_greater(n) 5586 int n; 5587 { 5588 return gen_len(BPF_JGE, n); 5589 } 5590 5591 /* 5592 * Actually, this is less than or equal. 5593 */ 5594 struct block * 5595 gen_less(n) 5596 int n; 5597 { 5598 struct block *b; 5599 5600 b = gen_len(BPF_JGT, n); 5601 gen_not(b); 5602 5603 return b; 5604 } 5605 5606 /* 5607 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 5608 * the beginning of the link-layer header. 5609 * XXX - that means you can't test values in the radiotap header, but 5610 * as that header is difficult if not impossible to parse generally 5611 * without a loop, that might not be a severe problem. A new keyword 5612 * "radio" could be added for that, although what you'd really want 5613 * would be a way of testing particular radio header values, which 5614 * would generate code appropriate to the radio header in question. 5615 */ 5616 struct block * 5617 gen_byteop(op, idx, val) 5618 int op, idx, val; 5619 { 5620 struct block *b; 5621 struct slist *s; 5622 5623 switch (op) { 5624 default: 5625 abort(); 5626 5627 case '=': 5628 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 5629 5630 case '<': 5631 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 5632 return b; 5633 5634 case '>': 5635 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 5636 return b; 5637 5638 case '|': 5639 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 5640 break; 5641 5642 case '&': 5643 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 5644 break; 5645 } 5646 s->s.k = val; 5647 b = new_block(JMP(BPF_JEQ)); 5648 b->stmts = s; 5649 gen_not(b); 5650 5651 return b; 5652 } 5653 5654 static u_char abroadcast[] = { 0x0 }; 5655 5656 struct block * 5657 gen_broadcast(proto) 5658 int proto; 5659 { 5660 bpf_u_int32 hostmask; 5661 struct block *b0, *b1, *b2; 5662 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 5663 5664 switch (proto) { 5665 5666 case Q_DEFAULT: 5667 case Q_LINK: 5668 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX) 5669 return gen_ahostop(abroadcast, Q_DST); 5670 if (linktype == DLT_EN10MB) 5671 return gen_ehostop(ebroadcast, Q_DST); 5672 if (linktype == DLT_FDDI) 5673 return gen_fhostop(ebroadcast, Q_DST); 5674 if (linktype == DLT_IEEE802) 5675 return gen_thostop(ebroadcast, Q_DST); 5676 if (linktype == DLT_IEEE802_11 || 5677 linktype == DLT_IEEE802_11_RADIO_AVS || 5678 linktype == DLT_IEEE802_11_RADIO || 5679 linktype == DLT_PRISM_HEADER) 5680 return gen_wlanhostop(ebroadcast, Q_DST); 5681 if (linktype == DLT_IP_OVER_FC) 5682 return gen_ipfchostop(ebroadcast, Q_DST); 5683 if (linktype == DLT_SUNATM && is_lane) { 5684 /* 5685 * Check that the packet doesn't begin with an 5686 * LE Control marker. (We've already generated 5687 * a test for LANE.) 5688 */ 5689 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 5690 0xFF00); 5691 gen_not(b1); 5692 5693 /* 5694 * Now check the MAC address. 5695 */ 5696 b0 = gen_ehostop(ebroadcast, Q_DST); 5697 gen_and(b1, b0); 5698 return b0; 5699 } 5700 bpf_error("not a broadcast link"); 5701 break; 5702 5703 case Q_IP: 5704 b0 = gen_linktype(ETHERTYPE_IP); 5705 hostmask = ~netmask; 5706 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 5707 b2 = gen_mcmp(OR_NET, 16, BPF_W, 5708 (bpf_int32)(~0 & hostmask), hostmask); 5709 gen_or(b1, b2); 5710 gen_and(b0, b2); 5711 return b2; 5712 } 5713 bpf_error("only link-layer/IP broadcast filters supported"); 5714 /* NOTREACHED */ 5715 } 5716 5717 /* 5718 * Generate code to test the low-order bit of a MAC address (that's 5719 * the bottom bit of the *first* byte). 5720 */ 5721 static struct block * 5722 gen_mac_multicast(offset) 5723 int offset; 5724 { 5725 register struct block *b0; 5726 register struct slist *s; 5727 5728 /* link[offset] & 1 != 0 */ 5729 s = gen_load_a(OR_LINK, offset, BPF_B); 5730 b0 = new_block(JMP(BPF_JSET)); 5731 b0->s.k = 1; 5732 b0->stmts = s; 5733 return b0; 5734 } 5735 5736 struct block * 5737 gen_multicast(proto) 5738 int proto; 5739 { 5740 register struct block *b0, *b1, *b2; 5741 register struct slist *s; 5742 5743 switch (proto) { 5744 5745 case Q_DEFAULT: 5746 case Q_LINK: 5747 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX) 5748 /* all ARCnet multicasts use the same address */ 5749 return gen_ahostop(abroadcast, Q_DST); 5750 5751 if (linktype == DLT_EN10MB) { 5752 /* ether[0] & 1 != 0 */ 5753 return gen_mac_multicast(0); 5754 } 5755 5756 if (linktype == DLT_FDDI) { 5757 /* 5758 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 5759 * 5760 * XXX - was that referring to bit-order issues? 5761 */ 5762 /* fddi[1] & 1 != 0 */ 5763 return gen_mac_multicast(1); 5764 } 5765 5766 if (linktype == DLT_IEEE802) { 5767 /* tr[2] & 1 != 0 */ 5768 return gen_mac_multicast(2); 5769 } 5770 5771 if (linktype == DLT_IEEE802_11 || 5772 linktype == DLT_IEEE802_11_RADIO_AVS || 5773 linktype == DLT_IEEE802_11_RADIO || 5774 linktype == DLT_PRISM_HEADER) { 5775 /* 5776 * Oh, yuk. 5777 * 5778 * For control frames, there is no DA. 5779 * 5780 * For management frames, DA is at an 5781 * offset of 4 from the beginning of 5782 * the packet. 5783 * 5784 * For data frames, DA is at an offset 5785 * of 4 from the beginning of the packet 5786 * if To DS is clear and at an offset of 5787 * 16 from the beginning of the packet 5788 * if To DS is set. 5789 */ 5790 5791 /* 5792 * Generate the tests to be done for data frames. 5793 * 5794 * First, check for To DS set, i.e. "link[1] & 0x01". 5795 */ 5796 s = gen_load_a(OR_LINK, 1, BPF_B); 5797 b1 = new_block(JMP(BPF_JSET)); 5798 b1->s.k = 0x01; /* To DS */ 5799 b1->stmts = s; 5800 5801 /* 5802 * If To DS is set, the DA is at 16. 5803 */ 5804 b0 = gen_mac_multicast(16); 5805 gen_and(b1, b0); 5806 5807 /* 5808 * Now, check for To DS not set, i.e. check 5809 * "!(link[1] & 0x01)". 5810 */ 5811 s = gen_load_a(OR_LINK, 1, BPF_B); 5812 b2 = new_block(JMP(BPF_JSET)); 5813 b2->s.k = 0x01; /* To DS */ 5814 b2->stmts = s; 5815 gen_not(b2); 5816 5817 /* 5818 * If To DS is not set, the DA is at 4. 5819 */ 5820 b1 = gen_mac_multicast(4); 5821 gen_and(b2, b1); 5822 5823 /* 5824 * Now OR together the last two checks. That gives 5825 * the complete set of checks for data frames. 5826 */ 5827 gen_or(b1, b0); 5828 5829 /* 5830 * Now check for a data frame. 5831 * I.e, check "link[0] & 0x08". 5832 */ 5833 s = gen_load_a(OR_LINK, 0, BPF_B); 5834 b1 = new_block(JMP(BPF_JSET)); 5835 b1->s.k = 0x08; 5836 b1->stmts = s; 5837 5838 /* 5839 * AND that with the checks done for data frames. 5840 */ 5841 gen_and(b1, b0); 5842 5843 /* 5844 * If the high-order bit of the type value is 0, this 5845 * is a management frame. 5846 * I.e, check "!(link[0] & 0x08)". 5847 */ 5848 s = gen_load_a(OR_LINK, 0, BPF_B); 5849 b2 = new_block(JMP(BPF_JSET)); 5850 b2->s.k = 0x08; 5851 b2->stmts = s; 5852 gen_not(b2); 5853 5854 /* 5855 * For management frames, the DA is at 4. 5856 */ 5857 b1 = gen_mac_multicast(4); 5858 gen_and(b2, b1); 5859 5860 /* 5861 * OR that with the checks done for data frames. 5862 * That gives the checks done for management and 5863 * data frames. 5864 */ 5865 gen_or(b1, b0); 5866 5867 /* 5868 * If the low-order bit of the type value is 1, 5869 * this is either a control frame or a frame 5870 * with a reserved type, and thus not a 5871 * frame with an SA. 5872 * 5873 * I.e., check "!(link[0] & 0x04)". 5874 */ 5875 s = gen_load_a(OR_LINK, 0, BPF_B); 5876 b1 = new_block(JMP(BPF_JSET)); 5877 b1->s.k = 0x04; 5878 b1->stmts = s; 5879 gen_not(b1); 5880 5881 /* 5882 * AND that with the checks for data and management 5883 * frames. 5884 */ 5885 gen_and(b1, b0); 5886 return b0; 5887 } 5888 5889 if (linktype == DLT_IP_OVER_FC) { 5890 b0 = gen_mac_multicast(2); 5891 return b0; 5892 } 5893 5894 if (linktype == DLT_SUNATM && is_lane) { 5895 /* 5896 * Check that the packet doesn't begin with an 5897 * LE Control marker. (We've already generated 5898 * a test for LANE.) 5899 */ 5900 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 5901 0xFF00); 5902 gen_not(b1); 5903 5904 /* ether[off_mac] & 1 != 0 */ 5905 b0 = gen_mac_multicast(off_mac); 5906 gen_and(b1, b0); 5907 return b0; 5908 } 5909 5910 /* Link not known to support multicasts */ 5911 break; 5912 5913 case Q_IP: 5914 b0 = gen_linktype(ETHERTYPE_IP); 5915 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 5916 gen_and(b0, b1); 5917 return b1; 5918 5919 #ifdef INET6 5920 case Q_IPV6: 5921 b0 = gen_linktype(ETHERTYPE_IPV6); 5922 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 5923 gen_and(b0, b1); 5924 return b1; 5925 #endif /* INET6 */ 5926 } 5927 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 5928 /* NOTREACHED */ 5929 } 5930 5931 /* 5932 * generate command for inbound/outbound. It's here so we can 5933 * make it link-type specific. 'dir' = 0 implies "inbound", 5934 * = 1 implies "outbound". 5935 */ 5936 struct block * 5937 gen_inbound(dir) 5938 int dir; 5939 { 5940 register struct block *b0; 5941 5942 /* 5943 * Only some data link types support inbound/outbound qualifiers. 5944 */ 5945 switch (linktype) { 5946 case DLT_SLIP: 5947 b0 = gen_relation(BPF_JEQ, 5948 gen_load(Q_LINK, gen_loadi(0), 1), 5949 gen_loadi(0), 5950 dir); 5951 break; 5952 5953 case DLT_LINUX_SLL: 5954 if (dir) { 5955 /* 5956 * Match packets sent by this machine. 5957 */ 5958 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 5959 } else { 5960 /* 5961 * Match packets sent to this machine. 5962 * (No broadcast or multicast packets, or 5963 * packets sent to some other machine and 5964 * received promiscuously.) 5965 * 5966 * XXX - packets sent to other machines probably 5967 * shouldn't be matched, but what about broadcast 5968 * or multicast packets we received? 5969 */ 5970 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 5971 } 5972 break; 5973 5974 case DLT_PFLOG: 5975 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 5976 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 5977 break; 5978 5979 case DLT_PPP_PPPD: 5980 if (dir) { 5981 /* match outgoing packets */ 5982 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 5983 } else { 5984 /* match incoming packets */ 5985 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 5986 } 5987 break; 5988 5989 case DLT_JUNIPER_MLFR: 5990 case DLT_JUNIPER_MLPPP: 5991 case DLT_JUNIPER_ATM1: 5992 case DLT_JUNIPER_ATM2: 5993 case DLT_JUNIPER_PPPOE: 5994 case DLT_JUNIPER_PPPOE_ATM: 5995 case DLT_JUNIPER_GGSN: 5996 case DLT_JUNIPER_ES: 5997 case DLT_JUNIPER_MONITOR: 5998 case DLT_JUNIPER_SERVICES: 5999 /* juniper flags (including direction) are stored 6000 * the byte after the 3-byte magic number */ 6001 if (dir) { 6002 /* match outgoing packets */ 6003 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 6004 } else { 6005 /* match incoming packets */ 6006 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 6007 } 6008 break; 6009 6010 default: 6011 bpf_error("inbound/outbound not supported on linktype %d", 6012 linktype); 6013 b0 = NULL; 6014 /* NOTREACHED */ 6015 } 6016 return (b0); 6017 } 6018 6019 /* PF firewall log matched interface */ 6020 struct block * 6021 gen_pf_ifname(const char *ifname) 6022 { 6023 struct block *b0; 6024 u_int len, off; 6025 6026 if (linktype == DLT_PFLOG) { 6027 len = sizeof(((struct pfloghdr *)0)->ifname); 6028 off = offsetof(struct pfloghdr, ifname); 6029 } else { 6030 bpf_error("ifname not supported on linktype 0x%x", linktype); 6031 /* NOTREACHED */ 6032 } 6033 if (strlen(ifname) >= len) { 6034 bpf_error("ifname interface names can only be %d characters", 6035 len-1); 6036 /* NOTREACHED */ 6037 } 6038 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 6039 return (b0); 6040 } 6041 6042 /* PF firewall log matched interface */ 6043 struct block * 6044 gen_pf_ruleset(char *ruleset) 6045 { 6046 struct block *b0; 6047 6048 if (linktype != DLT_PFLOG) { 6049 bpf_error("ruleset not supported on linktype 0x%x", linktype); 6050 /* NOTREACHED */ 6051 } 6052 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 6053 bpf_error("ruleset names can only be %ld characters", 6054 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 6055 /* NOTREACHED */ 6056 } 6057 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 6058 strlen(ruleset), (const u_char *)ruleset); 6059 return (b0); 6060 } 6061 6062 /* PF firewall log rule number */ 6063 struct block * 6064 gen_pf_rnr(int rnr) 6065 { 6066 struct block *b0; 6067 6068 if (linktype == DLT_PFLOG) { 6069 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 6070 (bpf_int32)rnr); 6071 } else { 6072 bpf_error("rnr not supported on linktype 0x%x", linktype); 6073 /* NOTREACHED */ 6074 } 6075 6076 return (b0); 6077 } 6078 6079 /* PF firewall log sub-rule number */ 6080 struct block * 6081 gen_pf_srnr(int srnr) 6082 { 6083 struct block *b0; 6084 6085 if (linktype != DLT_PFLOG) { 6086 bpf_error("srnr not supported on linktype 0x%x", linktype); 6087 /* NOTREACHED */ 6088 } 6089 6090 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 6091 (bpf_int32)srnr); 6092 return (b0); 6093 } 6094 6095 /* PF firewall log reason code */ 6096 struct block * 6097 gen_pf_reason(int reason) 6098 { 6099 struct block *b0; 6100 6101 if (linktype == DLT_PFLOG) { 6102 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 6103 (bpf_int32)reason); 6104 } else { 6105 bpf_error("reason not supported on linktype 0x%x", linktype); 6106 /* NOTREACHED */ 6107 } 6108 6109 return (b0); 6110 } 6111 6112 /* PF firewall log action */ 6113 struct block * 6114 gen_pf_action(int action) 6115 { 6116 struct block *b0; 6117 6118 if (linktype == DLT_PFLOG) { 6119 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 6120 (bpf_int32)action); 6121 } else { 6122 bpf_error("action not supported on linktype 0x%x", linktype); 6123 /* NOTREACHED */ 6124 } 6125 6126 return (b0); 6127 } 6128 6129 struct block * 6130 gen_acode(eaddr, q) 6131 register const u_char *eaddr; 6132 struct qual q; 6133 { 6134 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6135 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX) 6136 return gen_ahostop(eaddr, (int)q.dir); 6137 } 6138 bpf_error("ARCnet address used in non-arc expression"); 6139 /* NOTREACHED */ 6140 } 6141 6142 static struct block * 6143 gen_ahostop(eaddr, dir) 6144 register const u_char *eaddr; 6145 register int dir; 6146 { 6147 register struct block *b0, *b1; 6148 6149 switch (dir) { 6150 /* src comes first, different from Ethernet */ 6151 case Q_SRC: 6152 return gen_bcmp(OR_LINK, 0, 1, eaddr); 6153 6154 case Q_DST: 6155 return gen_bcmp(OR_LINK, 1, 1, eaddr); 6156 6157 case Q_AND: 6158 b0 = gen_ahostop(eaddr, Q_SRC); 6159 b1 = gen_ahostop(eaddr, Q_DST); 6160 gen_and(b0, b1); 6161 return b1; 6162 6163 case Q_DEFAULT: 6164 case Q_OR: 6165 b0 = gen_ahostop(eaddr, Q_SRC); 6166 b1 = gen_ahostop(eaddr, Q_DST); 6167 gen_or(b0, b1); 6168 return b1; 6169 } 6170 abort(); 6171 /* NOTREACHED */ 6172 } 6173 6174 /* 6175 * support IEEE 802.1Q VLAN trunk over ethernet 6176 */ 6177 struct block * 6178 gen_vlan(vlan_num) 6179 int vlan_num; 6180 { 6181 struct block *b0; 6182 6183 /* 6184 * Change the offsets to point to the type and data fields within 6185 * the VLAN packet. Just increment the offsets, so that we 6186 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to 6187 * capture VLAN 200 encapsulated within VLAN 100. 6188 * 6189 * XXX - this is a bit of a kludge. If we were to split the 6190 * compiler into a parser that parses an expression and 6191 * generates an expression tree, and a code generator that 6192 * takes an expression tree (which could come from our 6193 * parser or from some other parser) and generates BPF code, 6194 * we could perhaps make the offsets parameters of routines 6195 * and, in the handler for an "AND" node, pass to subnodes 6196 * other than the VLAN node the adjusted offsets. 6197 * 6198 * This would mean that "vlan" would, instead of changing the 6199 * behavior of *all* tests after it, change only the behavior 6200 * of tests ANDed with it. That would change the documented 6201 * semantics of "vlan", which might break some expressions. 6202 * However, it would mean that "(vlan and ip) or ip" would check 6203 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 6204 * checking only for VLAN-encapsulated IP, so that could still 6205 * be considered worth doing; it wouldn't break expressions 6206 * that are of the form "vlan and ..." or "vlan N and ...", 6207 * which I suspect are the most common expressions involving 6208 * "vlan". "vlan or ..." doesn't necessarily do what the user 6209 * would really want, now, as all the "or ..." tests would 6210 * be done assuming a VLAN, even though the "or" could be viewed 6211 * as meaning "or, if this isn't a VLAN packet...". 6212 */ 6213 orig_linktype = off_linktype; /* save original values */ 6214 orig_nl = off_nl; 6215 6216 switch (linktype) { 6217 6218 case DLT_EN10MB: 6219 off_linktype += 4; 6220 off_nl_nosnap += 4; 6221 off_nl += 4; 6222 break; 6223 6224 default: 6225 bpf_error("no VLAN support for data link type %d", 6226 linktype); 6227 /*NOTREACHED*/ 6228 } 6229 6230 /* check for VLAN */ 6231 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q); 6232 6233 /* If a specific VLAN is requested, check VLAN id */ 6234 if (vlan_num >= 0) { 6235 struct block *b1; 6236 6237 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num, 6238 0x0fff); 6239 gen_and(b0, b1); 6240 b0 = b1; 6241 } 6242 6243 return (b0); 6244 } 6245 6246 /* 6247 * support for MPLS 6248 */ 6249 struct block * 6250 gen_mpls(label_num) 6251 int label_num; 6252 { 6253 struct block *b0; 6254 6255 /* 6256 * Change the offsets to point to the type and data fields within 6257 * the MPLS packet. Just increment the offsets, so that we 6258 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 6259 * capture packets with an outer label of 100000 and an inner 6260 * label of 1024. 6261 * 6262 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 6263 */ 6264 orig_linktype = off_linktype; /* save original values */ 6265 orig_nl = off_nl; 6266 6267 switch (linktype) { 6268 6269 case DLT_C_HDLC: /* fall through */ 6270 case DLT_EN10MB: 6271 off_nl_nosnap += 4; 6272 off_nl += 4; 6273 6274 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, 6275 (bpf_int32)ETHERTYPE_MPLS); 6276 break; 6277 6278 case DLT_PPP: 6279 off_nl_nosnap += 4; 6280 off_nl += 4; 6281 6282 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, 6283 (bpf_int32)PPP_MPLS_UCAST); 6284 break; 6285 6286 /* FIXME add other DLT_s ... 6287 * for Frame-Relay/and ATM this may get messy due to SNAP headers 6288 * leave it for now */ 6289 6290 default: 6291 bpf_error("no MPLS support for data link type %d", 6292 linktype); 6293 b0 = NULL; 6294 /*NOTREACHED*/ 6295 break; 6296 } 6297 6298 /* If a specific MPLS label is requested, check it */ 6299 if (label_num >= 0) { 6300 struct block *b1; 6301 6302 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 6303 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num, 6304 0xfffff000); /* only compare the first 20 bits */ 6305 gen_and(b0, b1); 6306 b0 = b1; 6307 } 6308 6309 return (b0); 6310 } 6311 6312 struct block * 6313 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 6314 int atmfield; 6315 bpf_int32 jvalue; 6316 bpf_u_int32 jtype; 6317 int reverse; 6318 { 6319 struct block *b0; 6320 6321 switch (atmfield) { 6322 6323 case A_VPI: 6324 if (!is_atm) 6325 bpf_error("'vpi' supported only on raw ATM"); 6326 if (off_vpi == (u_int)-1) 6327 abort(); 6328 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 6329 reverse, jvalue); 6330 break; 6331 6332 case A_VCI: 6333 if (!is_atm) 6334 bpf_error("'vci' supported only on raw ATM"); 6335 if (off_vci == (u_int)-1) 6336 abort(); 6337 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 6338 reverse, jvalue); 6339 break; 6340 6341 case A_PROTOTYPE: 6342 if (off_proto == (u_int)-1) 6343 abort(); /* XXX - this isn't on FreeBSD */ 6344 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 6345 reverse, jvalue); 6346 break; 6347 6348 case A_MSGTYPE: 6349 if (off_payload == (u_int)-1) 6350 abort(); 6351 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 6352 0xffffffff, jtype, reverse, jvalue); 6353 break; 6354 6355 case A_CALLREFTYPE: 6356 if (!is_atm) 6357 bpf_error("'callref' supported only on raw ATM"); 6358 if (off_proto == (u_int)-1) 6359 abort(); 6360 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 6361 jtype, reverse, jvalue); 6362 break; 6363 6364 default: 6365 abort(); 6366 } 6367 return b0; 6368 } 6369 6370 struct block * 6371 gen_atmtype_abbrev(type) 6372 int type; 6373 { 6374 struct block *b0, *b1; 6375 6376 switch (type) { 6377 6378 case A_METAC: 6379 /* Get all packets in Meta signalling Circuit */ 6380 if (!is_atm) 6381 bpf_error("'metac' supported only on raw ATM"); 6382 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6383 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 6384 gen_and(b0, b1); 6385 break; 6386 6387 case A_BCC: 6388 /* Get all packets in Broadcast Circuit*/ 6389 if (!is_atm) 6390 bpf_error("'bcc' supported only on raw ATM"); 6391 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6392 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 6393 gen_and(b0, b1); 6394 break; 6395 6396 case A_OAMF4SC: 6397 /* Get all cells in Segment OAM F4 circuit*/ 6398 if (!is_atm) 6399 bpf_error("'oam4sc' supported only on raw ATM"); 6400 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6401 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 6402 gen_and(b0, b1); 6403 break; 6404 6405 case A_OAMF4EC: 6406 /* Get all cells in End-to-End OAM F4 Circuit*/ 6407 if (!is_atm) 6408 bpf_error("'oam4ec' supported only on raw ATM"); 6409 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6410 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 6411 gen_and(b0, b1); 6412 break; 6413 6414 case A_SC: 6415 /* Get all packets in connection Signalling Circuit */ 6416 if (!is_atm) 6417 bpf_error("'sc' supported only on raw ATM"); 6418 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6419 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 6420 gen_and(b0, b1); 6421 break; 6422 6423 case A_ILMIC: 6424 /* Get all packets in ILMI Circuit */ 6425 if (!is_atm) 6426 bpf_error("'ilmic' supported only on raw ATM"); 6427 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6428 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 6429 gen_and(b0, b1); 6430 break; 6431 6432 case A_LANE: 6433 /* Get all LANE packets */ 6434 if (!is_atm) 6435 bpf_error("'lane' supported only on raw ATM"); 6436 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 6437 6438 /* 6439 * Arrange that all subsequent tests assume LANE 6440 * rather than LLC-encapsulated packets, and set 6441 * the offsets appropriately for LANE-encapsulated 6442 * Ethernet. 6443 * 6444 * "off_mac" is the offset of the Ethernet header, 6445 * which is 2 bytes past the ATM pseudo-header 6446 * (skipping the pseudo-header and 2-byte LE Client 6447 * field). The other offsets are Ethernet offsets 6448 * relative to "off_mac". 6449 */ 6450 is_lane = 1; 6451 off_mac = off_payload + 2; /* MAC header */ 6452 off_linktype = off_mac + 12; 6453 off_nl = off_mac + 14; /* Ethernet II */ 6454 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */ 6455 break; 6456 6457 case A_LLC: 6458 /* Get all LLC-encapsulated packets */ 6459 if (!is_atm) 6460 bpf_error("'llc' supported only on raw ATM"); 6461 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 6462 is_lane = 0; 6463 break; 6464 6465 default: 6466 abort(); 6467 } 6468 return b1; 6469 } 6470 6471 struct block * 6472 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 6473 int mtp3field; 6474 bpf_u_int32 jvalue; 6475 bpf_u_int32 jtype; 6476 int reverse; 6477 { 6478 struct block *b0; 6479 bpf_u_int32 val1 , val2 , val3; 6480 6481 switch (mtp3field) { 6482 6483 case M_SIO: 6484 if (off_sio == (u_int)-1) 6485 bpf_error("'sio' supported only on SS7"); 6486 /* sio coded on 1 byte so max value 255 */ 6487 if(jvalue > 255) 6488 bpf_error("sio value %u too big; max value = 255", 6489 jvalue); 6490 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 6491 (u_int)jtype, reverse, (u_int)jvalue); 6492 break; 6493 6494 case M_OPC: 6495 if (off_opc == (u_int)-1) 6496 bpf_error("'opc' supported only on SS7"); 6497 /* opc coded on 14 bits so max value 16383 */ 6498 if (jvalue > 16383) 6499 bpf_error("opc value %u too big; max value = 16383", 6500 jvalue); 6501 /* the following instructions are made to convert jvalue 6502 * to the form used to write opc in an ss7 message*/ 6503 val1 = jvalue & 0x00003c00; 6504 val1 = val1 >>10; 6505 val2 = jvalue & 0x000003fc; 6506 val2 = val2 <<6; 6507 val3 = jvalue & 0x00000003; 6508 val3 = val3 <<22; 6509 jvalue = val1 + val2 + val3; 6510 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 6511 (u_int)jtype, reverse, (u_int)jvalue); 6512 break; 6513 6514 case M_DPC: 6515 if (off_dpc == (u_int)-1) 6516 bpf_error("'dpc' supported only on SS7"); 6517 /* dpc coded on 14 bits so max value 16383 */ 6518 if (jvalue > 16383) 6519 bpf_error("dpc value %u too big; max value = 16383", 6520 jvalue); 6521 /* the following instructions are made to convert jvalue 6522 * to the forme used to write dpc in an ss7 message*/ 6523 val1 = jvalue & 0x000000ff; 6524 val1 = val1 << 24; 6525 val2 = jvalue & 0x00003f00; 6526 val2 = val2 << 8; 6527 jvalue = val1 + val2; 6528 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 6529 (u_int)jtype, reverse, (u_int)jvalue); 6530 break; 6531 6532 case M_SLS: 6533 if (off_sls == (u_int)-1) 6534 bpf_error("'sls' supported only on SS7"); 6535 /* sls coded on 4 bits so max value 15 */ 6536 if (jvalue > 15) 6537 bpf_error("sls value %u too big; max value = 15", 6538 jvalue); 6539 /* the following instruction is made to convert jvalue 6540 * to the forme used to write sls in an ss7 message*/ 6541 jvalue = jvalue << 4; 6542 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 6543 (u_int)jtype,reverse, (u_int)jvalue); 6544 break; 6545 6546 default: 6547 abort(); 6548 } 6549 return b0; 6550 } 6551 6552 static struct block * 6553 gen_msg_abbrev(type) 6554 int type; 6555 { 6556 struct block *b1; 6557 6558 /* 6559 * Q.2931 signalling protocol messages for handling virtual circuits 6560 * establishment and teardown 6561 */ 6562 switch (type) { 6563 6564 case A_SETUP: 6565 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 6566 break; 6567 6568 case A_CALLPROCEED: 6569 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 6570 break; 6571 6572 case A_CONNECT: 6573 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 6574 break; 6575 6576 case A_CONNECTACK: 6577 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 6578 break; 6579 6580 case A_RELEASE: 6581 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 6582 break; 6583 6584 case A_RELEASE_DONE: 6585 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 6586 break; 6587 6588 default: 6589 abort(); 6590 } 6591 return b1; 6592 } 6593 6594 struct block * 6595 gen_atmmulti_abbrev(type) 6596 int type; 6597 { 6598 struct block *b0, *b1; 6599 6600 switch (type) { 6601 6602 case A_OAM: 6603 if (!is_atm) 6604 bpf_error("'oam' supported only on raw ATM"); 6605 b1 = gen_atmmulti_abbrev(A_OAMF4); 6606 break; 6607 6608 case A_OAMF4: 6609 if (!is_atm) 6610 bpf_error("'oamf4' supported only on raw ATM"); 6611 /* OAM F4 type */ 6612 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 6613 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 6614 gen_or(b0, b1); 6615 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6616 gen_and(b0, b1); 6617 break; 6618 6619 case A_CONNECTMSG: 6620 /* 6621 * Get Q.2931 signalling messages for switched 6622 * virtual connection 6623 */ 6624 if (!is_atm) 6625 bpf_error("'connectmsg' supported only on raw ATM"); 6626 b0 = gen_msg_abbrev(A_SETUP); 6627 b1 = gen_msg_abbrev(A_CALLPROCEED); 6628 gen_or(b0, b1); 6629 b0 = gen_msg_abbrev(A_CONNECT); 6630 gen_or(b0, b1); 6631 b0 = gen_msg_abbrev(A_CONNECTACK); 6632 gen_or(b0, b1); 6633 b0 = gen_msg_abbrev(A_RELEASE); 6634 gen_or(b0, b1); 6635 b0 = gen_msg_abbrev(A_RELEASE_DONE); 6636 gen_or(b0, b1); 6637 b0 = gen_atmtype_abbrev(A_SC); 6638 gen_and(b0, b1); 6639 break; 6640 6641 case A_METACONNECT: 6642 if (!is_atm) 6643 bpf_error("'metaconnect' supported only on raw ATM"); 6644 b0 = gen_msg_abbrev(A_SETUP); 6645 b1 = gen_msg_abbrev(A_CALLPROCEED); 6646 gen_or(b0, b1); 6647 b0 = gen_msg_abbrev(A_CONNECT); 6648 gen_or(b0, b1); 6649 b0 = gen_msg_abbrev(A_RELEASE); 6650 gen_or(b0, b1); 6651 b0 = gen_msg_abbrev(A_RELEASE_DONE); 6652 gen_or(b0, b1); 6653 b0 = gen_atmtype_abbrev(A_METAC); 6654 gen_and(b0, b1); 6655 break; 6656 6657 default: 6658 abort(); 6659 } 6660 return b1; 6661 } 6662