1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 * 22 * $FreeBSD$ 23 */ 24 25 #ifdef HAVE_CONFIG_H 26 #include "config.h" 27 #endif 28 29 #ifdef _WIN32 30 #include <pcap-stdinc.h> 31 #else /* _WIN32 */ 32 #if HAVE_INTTYPES_H 33 #include <inttypes.h> 34 #elif HAVE_STDINT_H 35 #include <stdint.h> 36 #endif 37 #ifdef HAVE_SYS_BITYPES_H 38 #include <sys/bitypes.h> 39 #endif 40 #include <sys/types.h> 41 #include <sys/socket.h> 42 #endif /* _WIN32 */ 43 44 #ifndef _WIN32 45 46 #ifdef __NetBSD__ 47 #include <sys/param.h> 48 #endif 49 50 #include <netinet/in.h> 51 #include <arpa/inet.h> 52 53 #endif /* _WIN32 */ 54 55 #include <stdlib.h> 56 #include <string.h> 57 #include <memory.h> 58 #include <setjmp.h> 59 #include <stdarg.h> 60 61 #ifdef MSDOS 62 #include "pcap-dos.h" 63 #endif 64 65 #include "pcap-int.h" 66 67 #include "ethertype.h" 68 #include "nlpid.h" 69 #include "llc.h" 70 #include "gencode.h" 71 #include "ieee80211.h" 72 #include "atmuni31.h" 73 #include "sunatmpos.h" 74 #include "ppp.h" 75 #include "pcap/sll.h" 76 #include "pcap/ipnet.h" 77 #include "arcnet.h" 78 79 #include "grammar.h" 80 #include "scanner.h" 81 82 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 83 #include <linux/types.h> 84 #include <linux/if_packet.h> 85 #include <linux/filter.h> 86 #endif 87 88 #ifdef HAVE_NET_PFVAR_H 89 #include <sys/socket.h> 90 #include <net/if.h> 91 #include <net/pfvar.h> 92 #include <net/if_pflog.h> 93 #endif 94 95 #ifndef offsetof 96 #define offsetof(s, e) ((size_t)&((s *)0)->e) 97 #endif 98 99 #ifdef INET6 100 #ifdef _WIN32 101 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) 102 /* IPv6 address */ 103 struct in6_addr 104 { 105 union 106 { 107 u_int8_t u6_addr8[16]; 108 u_int16_t u6_addr16[8]; 109 u_int32_t u6_addr32[4]; 110 } in6_u; 111 #define s6_addr in6_u.u6_addr8 112 #define s6_addr16 in6_u.u6_addr16 113 #define s6_addr32 in6_u.u6_addr32 114 #define s6_addr64 in6_u.u6_addr64 115 }; 116 117 typedef unsigned short sa_family_t; 118 119 #define __SOCKADDR_COMMON(sa_prefix) \ 120 sa_family_t sa_prefix##family 121 122 /* Ditto, for IPv6. */ 123 struct sockaddr_in6 124 { 125 __SOCKADDR_COMMON (sin6_); 126 u_int16_t sin6_port; /* Transport layer port # */ 127 u_int32_t sin6_flowinfo; /* IPv6 flow information */ 128 struct in6_addr sin6_addr; /* IPv6 address */ 129 }; 130 131 #ifndef EAI_ADDRFAMILY 132 struct addrinfo { 133 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ 134 int ai_family; /* PF_xxx */ 135 int ai_socktype; /* SOCK_xxx */ 136 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ 137 size_t ai_addrlen; /* length of ai_addr */ 138 char *ai_canonname; /* canonical name for hostname */ 139 struct sockaddr *ai_addr; /* binary address */ 140 struct addrinfo *ai_next; /* next structure in linked list */ 141 }; 142 #endif /* EAI_ADDRFAMILY */ 143 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */ 144 #else /* _WIN32 */ 145 #include <netdb.h> /* for "struct addrinfo" */ 146 #endif /* _WIN32 */ 147 #endif /* INET6 */ 148 #include <pcap/namedb.h> 149 150 #include "nametoaddr.h" 151 152 #define ETHERMTU 1500 153 154 #ifndef ETHERTYPE_TEB 155 #define ETHERTYPE_TEB 0x6558 156 #endif 157 158 #ifndef IPPROTO_HOPOPTS 159 #define IPPROTO_HOPOPTS 0 160 #endif 161 #ifndef IPPROTO_ROUTING 162 #define IPPROTO_ROUTING 43 163 #endif 164 #ifndef IPPROTO_FRAGMENT 165 #define IPPROTO_FRAGMENT 44 166 #endif 167 #ifndef IPPROTO_DSTOPTS 168 #define IPPROTO_DSTOPTS 60 169 #endif 170 #ifndef IPPROTO_SCTP 171 #define IPPROTO_SCTP 132 172 #endif 173 174 #define GENEVE_PORT 6081 175 176 #ifdef HAVE_OS_PROTO_H 177 #include "os-proto.h" 178 #endif 179 180 #define JMP(c) ((c)|BPF_JMP|BPF_K) 181 182 /* 183 * "Push" the current value of the link-layer header type and link-layer 184 * header offset onto a "stack", and set a new value. (It's not a 185 * full-blown stack; we keep only the top two items.) 186 */ 187 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \ 188 { \ 189 (cs)->prevlinktype = (cs)->linktype; \ 190 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \ 191 (cs)->linktype = (new_linktype); \ 192 (cs)->off_linkhdr.is_variable = (new_is_variable); \ 193 (cs)->off_linkhdr.constant_part = (new_constant_part); \ 194 (cs)->off_linkhdr.reg = (new_reg); \ 195 (cs)->is_geneve = 0; \ 196 } 197 198 /* 199 * Offset "not set" value. 200 */ 201 #define OFFSET_NOT_SET 0xffffffffU 202 203 /* 204 * Absolute offsets, which are offsets from the beginning of the raw 205 * packet data, are, in the general case, the sum of a variable value 206 * and a constant value; the variable value may be absent, in which 207 * case the offset is only the constant value, and the constant value 208 * may be zero, in which case the offset is only the variable value. 209 * 210 * bpf_abs_offset is a structure containing all that information: 211 * 212 * is_variable is 1 if there's a variable part. 213 * 214 * constant_part is the constant part of the value, possibly zero; 215 * 216 * if is_variable is 1, reg is the register number for a register 217 * containing the variable value if the register has been assigned, 218 * and -1 otherwise. 219 */ 220 typedef struct { 221 int is_variable; 222 u_int constant_part; 223 int reg; 224 } bpf_abs_offset; 225 226 /* 227 * Value passed to gen_load_a() to indicate what the offset argument 228 * is relative to the beginning of. 229 */ 230 enum e_offrel { 231 OR_PACKET, /* full packet data */ 232 OR_LINKHDR, /* link-layer header */ 233 OR_PREVLINKHDR, /* previous link-layer header */ 234 OR_LLC, /* 802.2 LLC header */ 235 OR_PREVMPLSHDR, /* previous MPLS header */ 236 OR_LINKTYPE, /* link-layer type */ 237 OR_LINKPL, /* link-layer payload */ 238 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */ 239 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */ 240 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */ 241 }; 242 243 /* 244 * We divy out chunks of memory rather than call malloc each time so 245 * we don't have to worry about leaking memory. It's probably 246 * not a big deal if all this memory was wasted but if this ever 247 * goes into a library that would probably not be a good idea. 248 * 249 * XXX - this *is* in a library.... 250 */ 251 #define NCHUNKS 16 252 #define CHUNK0SIZE 1024 253 struct chunk { 254 size_t n_left; 255 void *m; 256 }; 257 258 /* Code generator state */ 259 260 struct _compiler_state { 261 jmp_buf top_ctx; 262 pcap_t *bpf_pcap; 263 264 struct icode ic; 265 266 int snaplen; 267 268 int linktype; 269 int prevlinktype; 270 int outermostlinktype; 271 272 bpf_u_int32 netmask; 273 int no_optimize; 274 275 /* Hack for handling VLAN and MPLS stacks. */ 276 u_int label_stack_depth; 277 u_int vlan_stack_depth; 278 279 /* XXX */ 280 u_int pcap_fddipad; 281 282 #ifdef INET6 283 /* 284 * As errors are handled by a longjmp, anything allocated must 285 * be freed in the longjmp handler, so it must be reachable 286 * from that handler. 287 * 288 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 289 * it must be freed with freeaddrinfo(). This variable points to 290 * any addrinfo structure that would need to be freed. 291 */ 292 struct addrinfo *ai; 293 #endif 294 295 /* 296 * Various code constructs need to know the layout of the packet. 297 * These values give the necessary offsets from the beginning 298 * of the packet data. 299 */ 300 301 /* 302 * Absolute offset of the beginning of the link-layer header. 303 */ 304 bpf_abs_offset off_linkhdr; 305 306 /* 307 * If we're checking a link-layer header for a packet encapsulated 308 * in another protocol layer, this is the equivalent information 309 * for the previous layers' link-layer header from the beginning 310 * of the raw packet data. 311 */ 312 bpf_abs_offset off_prevlinkhdr; 313 314 /* 315 * This is the equivalent information for the outermost layers' 316 * link-layer header. 317 */ 318 bpf_abs_offset off_outermostlinkhdr; 319 320 /* 321 * Absolute offset of the beginning of the link-layer payload. 322 */ 323 bpf_abs_offset off_linkpl; 324 325 /* 326 * "off_linktype" is the offset to information in the link-layer 327 * header giving the packet type. This is an absolute offset 328 * from the beginning of the packet. 329 * 330 * For Ethernet, it's the offset of the Ethernet type field; this 331 * means that it must have a value that skips VLAN tags. 332 * 333 * For link-layer types that always use 802.2 headers, it's the 334 * offset of the LLC header; this means that it must have a value 335 * that skips VLAN tags. 336 * 337 * For PPP, it's the offset of the PPP type field. 338 * 339 * For Cisco HDLC, it's the offset of the CHDLC type field. 340 * 341 * For BSD loopback, it's the offset of the AF_ value. 342 * 343 * For Linux cooked sockets, it's the offset of the type field. 344 * 345 * off_linktype.constant_part is set to OFFSET_NOT_SET for no 346 * encapsulation, in which case, IP is assumed. 347 */ 348 bpf_abs_offset off_linktype; 349 350 /* 351 * TRUE if the link layer includes an ATM pseudo-header. 352 */ 353 int is_atm; 354 355 /* 356 * TRUE if "geneve" appeared in the filter; it causes us to 357 * generate code that checks for a Geneve header and assume 358 * that later filters apply to the encapsulated payload. 359 */ 360 int is_geneve; 361 362 /* 363 * These are offsets for the ATM pseudo-header. 364 */ 365 u_int off_vpi; 366 u_int off_vci; 367 u_int off_proto; 368 369 /* 370 * These are offsets for the MTP2 fields. 371 */ 372 u_int off_li; 373 u_int off_li_hsl; 374 375 /* 376 * These are offsets for the MTP3 fields. 377 */ 378 u_int off_sio; 379 u_int off_opc; 380 u_int off_dpc; 381 u_int off_sls; 382 383 /* 384 * This is the offset of the first byte after the ATM pseudo_header, 385 * or -1 if there is no ATM pseudo-header. 386 */ 387 u_int off_payload; 388 389 /* 390 * These are offsets to the beginning of the network-layer header. 391 * They are relative to the beginning of the link-layer payload 392 * (i.e., they don't include off_linkhdr.constant_part or 393 * off_linkpl.constant_part). 394 * 395 * If the link layer never uses 802.2 LLC: 396 * 397 * "off_nl" and "off_nl_nosnap" are the same. 398 * 399 * If the link layer always uses 802.2 LLC: 400 * 401 * "off_nl" is the offset if there's a SNAP header following 402 * the 802.2 header; 403 * 404 * "off_nl_nosnap" is the offset if there's no SNAP header. 405 * 406 * If the link layer is Ethernet: 407 * 408 * "off_nl" is the offset if the packet is an Ethernet II packet 409 * (we assume no 802.3+802.2+SNAP); 410 * 411 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 412 * with an 802.2 header following it. 413 */ 414 u_int off_nl; 415 u_int off_nl_nosnap; 416 417 /* 418 * Here we handle simple allocation of the scratch registers. 419 * If too many registers are alloc'd, the allocator punts. 420 */ 421 int regused[BPF_MEMWORDS]; 422 int curreg; 423 424 /* 425 * Memory chunks. 426 */ 427 struct chunk chunks[NCHUNKS]; 428 int cur_chunk; 429 }; 430 431 void 432 bpf_syntax_error(compiler_state_t *cstate, const char *msg) 433 { 434 bpf_error(cstate, "syntax error in filter expression: %s", msg); 435 /* NOTREACHED */ 436 } 437 438 /* VARARGS */ 439 void 440 bpf_error(compiler_state_t *cstate, const char *fmt, ...) 441 { 442 va_list ap; 443 444 va_start(ap, fmt); 445 if (cstate->bpf_pcap != NULL) 446 (void)pcap_vsnprintf(pcap_geterr(cstate->bpf_pcap), 447 PCAP_ERRBUF_SIZE, fmt, ap); 448 va_end(ap); 449 longjmp(cstate->top_ctx, 1); 450 /* NOTREACHED */ 451 } 452 453 static void init_linktype(compiler_state_t *, pcap_t *); 454 455 static void init_regs(compiler_state_t *); 456 static int alloc_reg(compiler_state_t *); 457 static void free_reg(compiler_state_t *, int); 458 459 static void initchunks(compiler_state_t *cstate); 460 static void *newchunk(compiler_state_t *cstate, size_t); 461 static void freechunks(compiler_state_t *cstate); 462 static inline struct block *new_block(compiler_state_t *cstate, int); 463 static inline struct slist *new_stmt(compiler_state_t *cstate, int); 464 static struct block *gen_retblk(compiler_state_t *cstate, int); 465 static inline void syntax(compiler_state_t *cstate); 466 467 static void backpatch(struct block *, struct block *); 468 static void merge(struct block *, struct block *); 469 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int, 470 u_int, bpf_int32); 471 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int, 472 u_int, bpf_int32); 473 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int, 474 u_int, bpf_int32); 475 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int, 476 u_int, bpf_int32); 477 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int, 478 u_int, bpf_int32); 479 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int, 480 u_int, bpf_int32, bpf_u_int32); 481 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int, 482 u_int, const u_char *); 483 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32, 484 bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32); 485 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *, 486 u_int, u_int); 487 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int, 488 u_int); 489 static struct slist *gen_loadx_iphdrlen(compiler_state_t *); 490 static struct block *gen_uncond(compiler_state_t *, int); 491 static inline struct block *gen_true(compiler_state_t *); 492 static inline struct block *gen_false(compiler_state_t *); 493 static struct block *gen_ether_linktype(compiler_state_t *, int); 494 static struct block *gen_ipnet_linktype(compiler_state_t *, int); 495 static struct block *gen_linux_sll_linktype(compiler_state_t *, int); 496 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *); 497 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *); 498 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *); 499 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *); 500 static void insert_compute_vloffsets(compiler_state_t *, struct block *); 501 static struct slist *gen_abs_offset_varpart(compiler_state_t *, 502 bpf_abs_offset *); 503 static int ethertype_to_ppptype(int); 504 static struct block *gen_linktype(compiler_state_t *, int); 505 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32); 506 static struct block *gen_llc_linktype(compiler_state_t *, int); 507 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32, 508 int, int, u_int, u_int); 509 #ifdef INET6 510 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *, 511 struct in6_addr *, int, int, u_int, u_int); 512 #endif 513 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int); 514 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int); 515 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int); 516 static struct block *gen_thostop(compiler_state_t *, const u_char *, int); 517 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int); 518 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int); 519 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int); 520 static struct block *gen_mpls_linktype(compiler_state_t *, int); 521 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32, 522 int, int, int); 523 #ifdef INET6 524 static struct block *gen_host6(compiler_state_t *, struct in6_addr *, 525 struct in6_addr *, int, int, int); 526 #endif 527 #ifndef INET6 528 static struct block *gen_gateway(compiler_state_t *, const u_char *, 529 bpf_u_int32 **, int, int); 530 #endif 531 static struct block *gen_ipfrag(compiler_state_t *); 532 static struct block *gen_portatom(compiler_state_t *, int, bpf_int32); 533 static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32, 534 bpf_int32); 535 static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32); 536 static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32, 537 bpf_int32); 538 struct block *gen_portop(compiler_state_t *, int, int, int); 539 static struct block *gen_port(compiler_state_t *, int, int, int); 540 struct block *gen_portrangeop(compiler_state_t *, int, int, int, int); 541 static struct block *gen_portrange(compiler_state_t *, int, int, int, int); 542 struct block *gen_portop6(compiler_state_t *, int, int, int); 543 static struct block *gen_port6(compiler_state_t *, int, int, int); 544 struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int); 545 static struct block *gen_portrange6(compiler_state_t *, int, int, int, int); 546 static int lookup_proto(compiler_state_t *, const char *, int); 547 static struct block *gen_protochain(compiler_state_t *, int, int, int); 548 static struct block *gen_proto(compiler_state_t *, int, int, int); 549 static struct slist *xfer_to_x(compiler_state_t *, struct arth *); 550 static struct slist *xfer_to_a(compiler_state_t *, struct arth *); 551 static struct block *gen_mac_multicast(compiler_state_t *, int); 552 static struct block *gen_len(compiler_state_t *, int, int); 553 static struct block *gen_check_802_11_data_frame(compiler_state_t *); 554 static struct block *gen_geneve_ll_check(compiler_state_t *cstate); 555 556 static struct block *gen_ppi_dlt_check(compiler_state_t *); 557 static struct block *gen_msg_abbrev(compiler_state_t *, int type); 558 559 static void 560 initchunks(compiler_state_t *cstate) 561 { 562 int i; 563 564 for (i = 0; i < NCHUNKS; i++) { 565 cstate->chunks[i].n_left = 0; 566 cstate->chunks[i].m = NULL; 567 } 568 cstate->cur_chunk = 0; 569 } 570 571 static void * 572 newchunk(compiler_state_t *cstate, size_t n) 573 { 574 struct chunk *cp; 575 int k; 576 size_t size; 577 578 #ifndef __NetBSD__ 579 /* XXX Round up to nearest long. */ 580 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 581 #else 582 /* XXX Round up to structure boundary. */ 583 n = ALIGN(n); 584 #endif 585 586 cp = &cstate->chunks[cstate->cur_chunk]; 587 if (n > cp->n_left) { 588 ++cp, k = ++cstate->cur_chunk; 589 if (k >= NCHUNKS) 590 bpf_error(cstate, "out of memory"); 591 size = CHUNK0SIZE << k; 592 cp->m = (void *)malloc(size); 593 if (cp->m == NULL) 594 bpf_error(cstate, "out of memory"); 595 memset((char *)cp->m, 0, size); 596 cp->n_left = size; 597 if (n > size) 598 bpf_error(cstate, "out of memory"); 599 } 600 cp->n_left -= n; 601 return (void *)((char *)cp->m + cp->n_left); 602 } 603 604 static void 605 freechunks(compiler_state_t *cstate) 606 { 607 int i; 608 609 for (i = 0; i < NCHUNKS; ++i) 610 if (cstate->chunks[i].m != NULL) 611 free(cstate->chunks[i].m); 612 } 613 614 /* 615 * A strdup whose allocations are freed after code generation is over. 616 */ 617 char * 618 sdup(compiler_state_t *cstate, const char *s) 619 { 620 size_t n = strlen(s) + 1; 621 char *cp = newchunk(cstate, n); 622 623 strlcpy(cp, s, n); 624 return (cp); 625 } 626 627 static inline struct block * 628 new_block(compiler_state_t *cstate, int code) 629 { 630 struct block *p; 631 632 p = (struct block *)newchunk(cstate, sizeof(*p)); 633 p->s.code = code; 634 p->head = p; 635 636 return p; 637 } 638 639 static inline struct slist * 640 new_stmt(compiler_state_t *cstate, int code) 641 { 642 struct slist *p; 643 644 p = (struct slist *)newchunk(cstate, sizeof(*p)); 645 p->s.code = code; 646 647 return p; 648 } 649 650 static struct block * 651 gen_retblk(compiler_state_t *cstate, int v) 652 { 653 struct block *b = new_block(cstate, BPF_RET|BPF_K); 654 655 b->s.k = v; 656 return b; 657 } 658 659 static inline void 660 syntax(compiler_state_t *cstate) 661 { 662 bpf_error(cstate, "syntax error in filter expression"); 663 } 664 665 int 666 pcap_compile(pcap_t *p, struct bpf_program *program, 667 const char *buf, int optimize, bpf_u_int32 mask) 668 { 669 compiler_state_t cstate; 670 const char * volatile xbuf = buf; 671 yyscan_t scanner = NULL; 672 YY_BUFFER_STATE in_buffer = NULL; 673 u_int len; 674 int rc; 675 676 #ifdef _WIN32 677 static int done = 0; 678 679 if (!done) 680 pcap_wsockinit(); 681 done = 1; 682 #endif 683 684 /* 685 * If this pcap_t hasn't been activated, it doesn't have a 686 * link-layer type, so we can't use it. 687 */ 688 if (!p->activated) { 689 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 690 "not-yet-activated pcap_t passed to pcap_compile"); 691 rc = -1; 692 goto quit; 693 } 694 initchunks(&cstate); 695 cstate.no_optimize = 0; 696 #ifdef INET6 697 cstate.ai = NULL; 698 #endif 699 cstate.ic.root = NULL; 700 cstate.ic.cur_mark = 0; 701 cstate.bpf_pcap = p; 702 init_regs(&cstate); 703 704 if (setjmp(cstate.top_ctx)) { 705 #ifdef INET6 706 if (cstate.ai != NULL) 707 freeaddrinfo(cstate.ai); 708 #endif 709 rc = -1; 710 goto quit; 711 } 712 713 cstate.netmask = mask; 714 715 cstate.snaplen = pcap_snapshot(p); 716 if (cstate.snaplen == 0) { 717 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 718 "snaplen of 0 rejects all packets"); 719 rc = -1; 720 goto quit; 721 } 722 723 if (pcap_lex_init(&scanner) != 0) 724 bpf_error(&cstate, "can't initialize scanner: %s", pcap_strerror(errno)); 725 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner); 726 727 /* 728 * Associate the compiler state with the lexical analyzer 729 * state. 730 */ 731 pcap_set_extra(&cstate, scanner); 732 733 init_linktype(&cstate, p); 734 (void)pcap_parse(scanner, &cstate); 735 736 if (cstate.ic.root == NULL) 737 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen); 738 739 if (optimize && !cstate.no_optimize) { 740 bpf_optimize(&cstate, &cstate.ic); 741 if (cstate.ic.root == NULL || 742 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) 743 bpf_error(&cstate, "expression rejects all packets"); 744 } 745 program->bf_insns = icode_to_fcode(&cstate, &cstate.ic, cstate.ic.root, &len); 746 program->bf_len = len; 747 748 rc = 0; /* We're all okay */ 749 750 quit: 751 /* 752 * Clean up everything for the lexical analyzer. 753 */ 754 if (in_buffer != NULL) 755 pcap__delete_buffer(in_buffer, scanner); 756 if (scanner != NULL) 757 pcap_lex_destroy(scanner); 758 759 /* 760 * Clean up our own allocated memory. 761 */ 762 freechunks(&cstate); 763 764 return (rc); 765 } 766 767 /* 768 * entry point for using the compiler with no pcap open 769 * pass in all the stuff that is needed explicitly instead. 770 */ 771 int 772 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 773 struct bpf_program *program, 774 const char *buf, int optimize, bpf_u_int32 mask) 775 { 776 pcap_t *p; 777 int ret; 778 779 p = pcap_open_dead(linktype_arg, snaplen_arg); 780 if (p == NULL) 781 return (-1); 782 ret = pcap_compile(p, program, buf, optimize, mask); 783 pcap_close(p); 784 return (ret); 785 } 786 787 /* 788 * Clean up a "struct bpf_program" by freeing all the memory allocated 789 * in it. 790 */ 791 void 792 pcap_freecode(struct bpf_program *program) 793 { 794 program->bf_len = 0; 795 if (program->bf_insns != NULL) { 796 free((char *)program->bf_insns); 797 program->bf_insns = NULL; 798 } 799 } 800 801 /* 802 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 803 * which of the jt and jf fields has been resolved and which is a pointer 804 * back to another unresolved block (or nil). At least one of the fields 805 * in each block is already resolved. 806 */ 807 static void 808 backpatch(list, target) 809 struct block *list, *target; 810 { 811 struct block *next; 812 813 while (list) { 814 if (!list->sense) { 815 next = JT(list); 816 JT(list) = target; 817 } else { 818 next = JF(list); 819 JF(list) = target; 820 } 821 list = next; 822 } 823 } 824 825 /* 826 * Merge the lists in b0 and b1, using the 'sense' field to indicate 827 * which of jt and jf is the link. 828 */ 829 static void 830 merge(b0, b1) 831 struct block *b0, *b1; 832 { 833 register struct block **p = &b0; 834 835 /* Find end of list. */ 836 while (*p) 837 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 838 839 /* Concatenate the lists. */ 840 *p = b1; 841 } 842 843 void 844 finish_parse(compiler_state_t *cstate, struct block *p) 845 { 846 struct block *ppi_dlt_check; 847 848 /* 849 * Insert before the statements of the first (root) block any 850 * statements needed to load the lengths of any variable-length 851 * headers into registers. 852 * 853 * XXX - a fancier strategy would be to insert those before the 854 * statements of all blocks that use those lengths and that 855 * have no predecessors that use them, so that we only compute 856 * the lengths if we need them. There might be even better 857 * approaches than that. 858 * 859 * However, those strategies would be more complicated, and 860 * as we don't generate code to compute a length if the 861 * program has no tests that use the length, and as most 862 * tests will probably use those lengths, we would just 863 * postpone computing the lengths so that it's not done 864 * for tests that fail early, and it's not clear that's 865 * worth the effort. 866 */ 867 insert_compute_vloffsets(cstate, p->head); 868 869 /* 870 * For DLT_PPI captures, generate a check of the per-packet 871 * DLT value to make sure it's DLT_IEEE802_11. 872 * 873 * XXX - TurboCap cards use DLT_PPI for Ethernet. 874 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header 875 * with appropriate Ethernet information and use that rather 876 * than using something such as DLT_PPI where you don't know 877 * the link-layer header type until runtime, which, in the 878 * general case, would force us to generate both Ethernet *and* 879 * 802.11 code (*and* anything else for which PPI is used) 880 * and choose between them early in the BPF program? 881 */ 882 ppi_dlt_check = gen_ppi_dlt_check(cstate); 883 if (ppi_dlt_check != NULL) 884 gen_and(ppi_dlt_check, p); 885 886 backpatch(p, gen_retblk(cstate, cstate->snaplen)); 887 p->sense = !p->sense; 888 backpatch(p, gen_retblk(cstate, 0)); 889 cstate->ic.root = p->head; 890 } 891 892 void 893 gen_and(b0, b1) 894 struct block *b0, *b1; 895 { 896 backpatch(b0, b1->head); 897 b0->sense = !b0->sense; 898 b1->sense = !b1->sense; 899 merge(b1, b0); 900 b1->sense = !b1->sense; 901 b1->head = b0->head; 902 } 903 904 void 905 gen_or(b0, b1) 906 struct block *b0, *b1; 907 { 908 b0->sense = !b0->sense; 909 backpatch(b0, b1->head); 910 b0->sense = !b0->sense; 911 merge(b1, b0); 912 b1->head = b0->head; 913 } 914 915 void 916 gen_not(b) 917 struct block *b; 918 { 919 b->sense = !b->sense; 920 } 921 922 static struct block * 923 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 924 u_int size, bpf_int32 v) 925 { 926 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 927 } 928 929 static struct block * 930 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 931 u_int size, bpf_int32 v) 932 { 933 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 934 } 935 936 static struct block * 937 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 938 u_int size, bpf_int32 v) 939 { 940 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 941 } 942 943 static struct block * 944 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 945 u_int size, bpf_int32 v) 946 { 947 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 948 } 949 950 static struct block * 951 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 952 u_int size, bpf_int32 v) 953 { 954 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 955 } 956 957 static struct block * 958 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 959 u_int size, bpf_int32 v, bpf_u_int32 mask) 960 { 961 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v); 962 } 963 964 static struct block * 965 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 966 u_int size, const u_char *v) 967 { 968 register struct block *b, *tmp; 969 970 b = NULL; 971 while (size >= 4) { 972 register const u_char *p = &v[size - 4]; 973 bpf_int32 w = ((bpf_int32)p[0] << 24) | 974 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 975 976 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, w); 977 if (b != NULL) 978 gen_and(b, tmp); 979 b = tmp; 980 size -= 4; 981 } 982 while (size >= 2) { 983 register const u_char *p = &v[size - 2]; 984 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 985 986 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, w); 987 if (b != NULL) 988 gen_and(b, tmp); 989 b = tmp; 990 size -= 2; 991 } 992 if (size > 0) { 993 tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]); 994 if (b != NULL) 995 gen_and(b, tmp); 996 b = tmp; 997 } 998 return b; 999 } 1000 1001 /* 1002 * AND the field of size "size" at offset "offset" relative to the header 1003 * specified by "offrel" with "mask", and compare it with the value "v" 1004 * with the test specified by "jtype"; if "reverse" is true, the test 1005 * should test the opposite of "jtype". 1006 */ 1007 static struct block * 1008 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset, 1009 bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse, 1010 bpf_int32 v) 1011 { 1012 struct slist *s, *s2; 1013 struct block *b; 1014 1015 s = gen_load_a(cstate, offrel, offset, size); 1016 1017 if (mask != 0xffffffff) { 1018 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1019 s2->s.k = mask; 1020 sappend(s, s2); 1021 } 1022 1023 b = new_block(cstate, JMP(jtype)); 1024 b->stmts = s; 1025 b->s.k = v; 1026 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 1027 gen_not(b); 1028 return b; 1029 } 1030 1031 static void 1032 init_linktype(compiler_state_t *cstate, pcap_t *p) 1033 { 1034 cstate->pcap_fddipad = p->fddipad; 1035 1036 /* 1037 * We start out with only one link-layer header. 1038 */ 1039 cstate->outermostlinktype = pcap_datalink(p); 1040 cstate->off_outermostlinkhdr.constant_part = 0; 1041 cstate->off_outermostlinkhdr.is_variable = 0; 1042 cstate->off_outermostlinkhdr.reg = -1; 1043 1044 cstate->prevlinktype = cstate->outermostlinktype; 1045 cstate->off_prevlinkhdr.constant_part = 0; 1046 cstate->off_prevlinkhdr.is_variable = 0; 1047 cstate->off_prevlinkhdr.reg = -1; 1048 1049 cstate->linktype = cstate->outermostlinktype; 1050 cstate->off_linkhdr.constant_part = 0; 1051 cstate->off_linkhdr.is_variable = 0; 1052 cstate->off_linkhdr.reg = -1; 1053 1054 /* 1055 * XXX 1056 */ 1057 cstate->off_linkpl.constant_part = 0; 1058 cstate->off_linkpl.is_variable = 0; 1059 cstate->off_linkpl.reg = -1; 1060 1061 cstate->off_linktype.constant_part = 0; 1062 cstate->off_linktype.is_variable = 0; 1063 cstate->off_linktype.reg = -1; 1064 1065 /* 1066 * Assume it's not raw ATM with a pseudo-header, for now. 1067 */ 1068 cstate->is_atm = 0; 1069 cstate->off_vpi = -1; 1070 cstate->off_vci = -1; 1071 cstate->off_proto = -1; 1072 cstate->off_payload = -1; 1073 1074 /* 1075 * And not Geneve. 1076 */ 1077 cstate->is_geneve = 0; 1078 1079 /* 1080 * And assume we're not doing SS7. 1081 */ 1082 cstate->off_li = -1; 1083 cstate->off_li_hsl = -1; 1084 cstate->off_sio = -1; 1085 cstate->off_opc = -1; 1086 cstate->off_dpc = -1; 1087 cstate->off_sls = -1; 1088 1089 cstate->label_stack_depth = 0; 1090 cstate->vlan_stack_depth = 0; 1091 1092 switch (cstate->linktype) { 1093 1094 case DLT_ARCNET: 1095 cstate->off_linktype.constant_part = 2; 1096 cstate->off_linkpl.constant_part = 6; 1097 cstate->off_nl = 0; /* XXX in reality, variable! */ 1098 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1099 break; 1100 1101 case DLT_ARCNET_LINUX: 1102 cstate->off_linktype.constant_part = 4; 1103 cstate->off_linkpl.constant_part = 8; 1104 cstate->off_nl = 0; /* XXX in reality, variable! */ 1105 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1106 break; 1107 1108 case DLT_EN10MB: 1109 cstate->off_linktype.constant_part = 12; 1110 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */ 1111 cstate->off_nl = 0; /* Ethernet II */ 1112 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1113 break; 1114 1115 case DLT_SLIP: 1116 /* 1117 * SLIP doesn't have a link level type. The 16 byte 1118 * header is hacked into our SLIP driver. 1119 */ 1120 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1121 cstate->off_linkpl.constant_part = 16; 1122 cstate->off_nl = 0; 1123 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1124 break; 1125 1126 case DLT_SLIP_BSDOS: 1127 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1128 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1129 /* XXX end */ 1130 cstate->off_linkpl.constant_part = 24; 1131 cstate->off_nl = 0; 1132 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1133 break; 1134 1135 case DLT_NULL: 1136 case DLT_LOOP: 1137 cstate->off_linktype.constant_part = 0; 1138 cstate->off_linkpl.constant_part = 4; 1139 cstate->off_nl = 0; 1140 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1141 break; 1142 1143 case DLT_ENC: 1144 cstate->off_linktype.constant_part = 0; 1145 cstate->off_linkpl.constant_part = 12; 1146 cstate->off_nl = 0; 1147 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1148 break; 1149 1150 case DLT_PPP: 1151 case DLT_PPP_PPPD: 1152 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1153 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1154 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */ 1155 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */ 1156 cstate->off_nl = 0; 1157 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1158 break; 1159 1160 case DLT_PPP_ETHER: 1161 /* 1162 * This does no include the Ethernet header, and 1163 * only covers session state. 1164 */ 1165 cstate->off_linktype.constant_part = 6; 1166 cstate->off_linkpl.constant_part = 8; 1167 cstate->off_nl = 0; 1168 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1169 break; 1170 1171 case DLT_PPP_BSDOS: 1172 cstate->off_linktype.constant_part = 5; 1173 cstate->off_linkpl.constant_part = 24; 1174 cstate->off_nl = 0; 1175 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1176 break; 1177 1178 case DLT_FDDI: 1179 /* 1180 * FDDI doesn't really have a link-level type field. 1181 * We set "off_linktype" to the offset of the LLC header. 1182 * 1183 * To check for Ethernet types, we assume that SSAP = SNAP 1184 * is being used and pick out the encapsulated Ethernet type. 1185 * XXX - should we generate code to check for SNAP? 1186 */ 1187 cstate->off_linktype.constant_part = 13; 1188 cstate->off_linktype.constant_part += cstate->pcap_fddipad; 1189 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */ 1190 cstate->off_linkpl.constant_part += cstate->pcap_fddipad; 1191 cstate->off_nl = 8; /* 802.2+SNAP */ 1192 cstate->off_nl_nosnap = 3; /* 802.2 */ 1193 break; 1194 1195 case DLT_IEEE802: 1196 /* 1197 * Token Ring doesn't really have a link-level type field. 1198 * We set "off_linktype" to the offset of the LLC header. 1199 * 1200 * To check for Ethernet types, we assume that SSAP = SNAP 1201 * is being used and pick out the encapsulated Ethernet type. 1202 * XXX - should we generate code to check for SNAP? 1203 * 1204 * XXX - the header is actually variable-length. 1205 * Some various Linux patched versions gave 38 1206 * as "off_linktype" and 40 as "off_nl"; however, 1207 * if a token ring packet has *no* routing 1208 * information, i.e. is not source-routed, the correct 1209 * values are 20 and 22, as they are in the vanilla code. 1210 * 1211 * A packet is source-routed iff the uppermost bit 1212 * of the first byte of the source address, at an 1213 * offset of 8, has the uppermost bit set. If the 1214 * packet is source-routed, the total number of bytes 1215 * of routing information is 2 plus bits 0x1F00 of 1216 * the 16-bit value at an offset of 14 (shifted right 1217 * 8 - figure out which byte that is). 1218 */ 1219 cstate->off_linktype.constant_part = 14; 1220 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */ 1221 cstate->off_nl = 8; /* 802.2+SNAP */ 1222 cstate->off_nl_nosnap = 3; /* 802.2 */ 1223 break; 1224 1225 case DLT_PRISM_HEADER: 1226 case DLT_IEEE802_11_RADIO_AVS: 1227 case DLT_IEEE802_11_RADIO: 1228 cstate->off_linkhdr.is_variable = 1; 1229 /* Fall through, 802.11 doesn't have a variable link 1230 * prefix but is otherwise the same. */ 1231 1232 case DLT_IEEE802_11: 1233 /* 1234 * 802.11 doesn't really have a link-level type field. 1235 * We set "off_linktype.constant_part" to the offset of 1236 * the LLC header. 1237 * 1238 * To check for Ethernet types, we assume that SSAP = SNAP 1239 * is being used and pick out the encapsulated Ethernet type. 1240 * XXX - should we generate code to check for SNAP? 1241 * 1242 * We also handle variable-length radio headers here. 1243 * The Prism header is in theory variable-length, but in 1244 * practice it's always 144 bytes long. However, some 1245 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1246 * sometimes or always supply an AVS header, so we 1247 * have to check whether the radio header is a Prism 1248 * header or an AVS header, so, in practice, it's 1249 * variable-length. 1250 */ 1251 cstate->off_linktype.constant_part = 24; 1252 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1253 cstate->off_linkpl.is_variable = 1; 1254 cstate->off_nl = 8; /* 802.2+SNAP */ 1255 cstate->off_nl_nosnap = 3; /* 802.2 */ 1256 break; 1257 1258 case DLT_PPI: 1259 /* 1260 * At the moment we treat PPI the same way that we treat 1261 * normal Radiotap encoded packets. The difference is in 1262 * the function that generates the code at the beginning 1263 * to compute the header length. Since this code generator 1264 * of PPI supports bare 802.11 encapsulation only (i.e. 1265 * the encapsulated DLT should be DLT_IEEE802_11) we 1266 * generate code to check for this too. 1267 */ 1268 cstate->off_linktype.constant_part = 24; 1269 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1270 cstate->off_linkpl.is_variable = 1; 1271 cstate->off_linkhdr.is_variable = 1; 1272 cstate->off_nl = 8; /* 802.2+SNAP */ 1273 cstate->off_nl_nosnap = 3; /* 802.2 */ 1274 break; 1275 1276 case DLT_ATM_RFC1483: 1277 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1278 /* 1279 * assume routed, non-ISO PDUs 1280 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1281 * 1282 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1283 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1284 * latter would presumably be treated the way PPPoE 1285 * should be, so you can do "pppoe and udp port 2049" 1286 * or "pppoa and tcp port 80" and have it check for 1287 * PPPo{A,E} and a PPP protocol of IP and.... 1288 */ 1289 cstate->off_linktype.constant_part = 0; 1290 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */ 1291 cstate->off_nl = 8; /* 802.2+SNAP */ 1292 cstate->off_nl_nosnap = 3; /* 802.2 */ 1293 break; 1294 1295 case DLT_SUNATM: 1296 /* 1297 * Full Frontal ATM; you get AALn PDUs with an ATM 1298 * pseudo-header. 1299 */ 1300 cstate->is_atm = 1; 1301 cstate->off_vpi = SUNATM_VPI_POS; 1302 cstate->off_vci = SUNATM_VCI_POS; 1303 cstate->off_proto = PROTO_POS; 1304 cstate->off_payload = SUNATM_PKT_BEGIN_POS; 1305 cstate->off_linktype.constant_part = cstate->off_payload; 1306 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */ 1307 cstate->off_nl = 8; /* 802.2+SNAP */ 1308 cstate->off_nl_nosnap = 3; /* 802.2 */ 1309 break; 1310 1311 case DLT_RAW: 1312 case DLT_IPV4: 1313 case DLT_IPV6: 1314 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1315 cstate->off_linkpl.constant_part = 0; 1316 cstate->off_nl = 0; 1317 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1318 break; 1319 1320 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1321 cstate->off_linktype.constant_part = 14; 1322 cstate->off_linkpl.constant_part = 16; 1323 cstate->off_nl = 0; 1324 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1325 break; 1326 1327 case DLT_LTALK: 1328 /* 1329 * LocalTalk does have a 1-byte type field in the LLAP header, 1330 * but really it just indicates whether there is a "short" or 1331 * "long" DDP packet following. 1332 */ 1333 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1334 cstate->off_linkpl.constant_part = 0; 1335 cstate->off_nl = 0; 1336 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1337 break; 1338 1339 case DLT_IP_OVER_FC: 1340 /* 1341 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1342 * link-level type field. We set "off_linktype" to the 1343 * offset of the LLC header. 1344 * 1345 * To check for Ethernet types, we assume that SSAP = SNAP 1346 * is being used and pick out the encapsulated Ethernet type. 1347 * XXX - should we generate code to check for SNAP? RFC 1348 * 2625 says SNAP should be used. 1349 */ 1350 cstate->off_linktype.constant_part = 16; 1351 cstate->off_linkpl.constant_part = 16; 1352 cstate->off_nl = 8; /* 802.2+SNAP */ 1353 cstate->off_nl_nosnap = 3; /* 802.2 */ 1354 break; 1355 1356 case DLT_FRELAY: 1357 /* 1358 * XXX - we should set this to handle SNAP-encapsulated 1359 * frames (NLPID of 0x80). 1360 */ 1361 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1362 cstate->off_linkpl.constant_part = 0; 1363 cstate->off_nl = 0; 1364 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1365 break; 1366 1367 /* 1368 * the only BPF-interesting FRF.16 frames are non-control frames; 1369 * Frame Relay has a variable length link-layer 1370 * so lets start with offset 4 for now and increments later on (FIXME); 1371 */ 1372 case DLT_MFR: 1373 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1374 cstate->off_linkpl.constant_part = 0; 1375 cstate->off_nl = 4; 1376 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1377 break; 1378 1379 case DLT_APPLE_IP_OVER_IEEE1394: 1380 cstate->off_linktype.constant_part = 16; 1381 cstate->off_linkpl.constant_part = 18; 1382 cstate->off_nl = 0; 1383 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1384 break; 1385 1386 case DLT_SYMANTEC_FIREWALL: 1387 cstate->off_linktype.constant_part = 6; 1388 cstate->off_linkpl.constant_part = 44; 1389 cstate->off_nl = 0; /* Ethernet II */ 1390 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1391 break; 1392 1393 #ifdef HAVE_NET_PFVAR_H 1394 case DLT_PFLOG: 1395 cstate->off_linktype.constant_part = 0; 1396 cstate->off_linkpl.constant_part = PFLOG_HDRLEN; 1397 cstate->off_nl = 0; 1398 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1399 break; 1400 #endif 1401 1402 case DLT_JUNIPER_MFR: 1403 case DLT_JUNIPER_MLFR: 1404 case DLT_JUNIPER_MLPPP: 1405 case DLT_JUNIPER_PPP: 1406 case DLT_JUNIPER_CHDLC: 1407 case DLT_JUNIPER_FRELAY: 1408 cstate->off_linktype.constant_part = 4; 1409 cstate->off_linkpl.constant_part = 4; 1410 cstate->off_nl = 0; 1411 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1412 break; 1413 1414 case DLT_JUNIPER_ATM1: 1415 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */ 1416 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */ 1417 cstate->off_nl = 0; 1418 cstate->off_nl_nosnap = 10; 1419 break; 1420 1421 case DLT_JUNIPER_ATM2: 1422 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */ 1423 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */ 1424 cstate->off_nl = 0; 1425 cstate->off_nl_nosnap = 10; 1426 break; 1427 1428 /* frames captured on a Juniper PPPoE service PIC 1429 * contain raw ethernet frames */ 1430 case DLT_JUNIPER_PPPOE: 1431 case DLT_JUNIPER_ETHER: 1432 cstate->off_linkpl.constant_part = 14; 1433 cstate->off_linktype.constant_part = 16; 1434 cstate->off_nl = 18; /* Ethernet II */ 1435 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */ 1436 break; 1437 1438 case DLT_JUNIPER_PPPOE_ATM: 1439 cstate->off_linktype.constant_part = 4; 1440 cstate->off_linkpl.constant_part = 6; 1441 cstate->off_nl = 0; 1442 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1443 break; 1444 1445 case DLT_JUNIPER_GGSN: 1446 cstate->off_linktype.constant_part = 6; 1447 cstate->off_linkpl.constant_part = 12; 1448 cstate->off_nl = 0; 1449 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1450 break; 1451 1452 case DLT_JUNIPER_ES: 1453 cstate->off_linktype.constant_part = 6; 1454 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1455 cstate->off_nl = -1; /* not really a network layer but raw IP addresses */ 1456 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1457 break; 1458 1459 case DLT_JUNIPER_MONITOR: 1460 cstate->off_linktype.constant_part = 12; 1461 cstate->off_linkpl.constant_part = 12; 1462 cstate->off_nl = 0; /* raw IP/IP6 header */ 1463 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1464 break; 1465 1466 case DLT_BACNET_MS_TP: 1467 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1468 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1469 cstate->off_nl = -1; 1470 cstate->off_nl_nosnap = -1; 1471 break; 1472 1473 case DLT_JUNIPER_SERVICES: 1474 cstate->off_linktype.constant_part = 12; 1475 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1476 cstate->off_nl = -1; /* L3 proto location dep. on cookie type */ 1477 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1478 break; 1479 1480 case DLT_JUNIPER_VP: 1481 cstate->off_linktype.constant_part = 18; 1482 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1483 cstate->off_nl = -1; 1484 cstate->off_nl_nosnap = -1; 1485 break; 1486 1487 case DLT_JUNIPER_ST: 1488 cstate->off_linktype.constant_part = 18; 1489 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1490 cstate->off_nl = -1; 1491 cstate->off_nl_nosnap = -1; 1492 break; 1493 1494 case DLT_JUNIPER_ISM: 1495 cstate->off_linktype.constant_part = 8; 1496 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1497 cstate->off_nl = -1; 1498 cstate->off_nl_nosnap = -1; 1499 break; 1500 1501 case DLT_JUNIPER_VS: 1502 case DLT_JUNIPER_SRX_E2E: 1503 case DLT_JUNIPER_FIBRECHANNEL: 1504 case DLT_JUNIPER_ATM_CEMIC: 1505 cstate->off_linktype.constant_part = 8; 1506 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1507 cstate->off_nl = -1; 1508 cstate->off_nl_nosnap = -1; 1509 break; 1510 1511 case DLT_MTP2: 1512 cstate->off_li = 2; 1513 cstate->off_li_hsl = 4; 1514 cstate->off_sio = 3; 1515 cstate->off_opc = 4; 1516 cstate->off_dpc = 4; 1517 cstate->off_sls = 7; 1518 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1519 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1520 cstate->off_nl = -1; 1521 cstate->off_nl_nosnap = -1; 1522 break; 1523 1524 case DLT_MTP2_WITH_PHDR: 1525 cstate->off_li = 6; 1526 cstate->off_li_hsl = 8; 1527 cstate->off_sio = 7; 1528 cstate->off_opc = 8; 1529 cstate->off_dpc = 8; 1530 cstate->off_sls = 11; 1531 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1532 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1533 cstate->off_nl = -1; 1534 cstate->off_nl_nosnap = -1; 1535 break; 1536 1537 case DLT_ERF: 1538 cstate->off_li = 22; 1539 cstate->off_li_hsl = 24; 1540 cstate->off_sio = 23; 1541 cstate->off_opc = 24; 1542 cstate->off_dpc = 24; 1543 cstate->off_sls = 27; 1544 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1545 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1546 cstate->off_nl = -1; 1547 cstate->off_nl_nosnap = -1; 1548 break; 1549 1550 case DLT_PFSYNC: 1551 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1552 cstate->off_linkpl.constant_part = 4; 1553 cstate->off_nl = 0; 1554 cstate->off_nl_nosnap = 0; 1555 break; 1556 1557 case DLT_AX25_KISS: 1558 /* 1559 * Currently, only raw "link[N:M]" filtering is supported. 1560 */ 1561 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */ 1562 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1563 cstate->off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1564 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */ 1565 break; 1566 1567 case DLT_IPNET: 1568 cstate->off_linktype.constant_part = 1; 1569 cstate->off_linkpl.constant_part = 24; /* ipnet header length */ 1570 cstate->off_nl = 0; 1571 cstate->off_nl_nosnap = -1; 1572 break; 1573 1574 case DLT_NETANALYZER: 1575 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */ 1576 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1577 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */ 1578 cstate->off_nl = 0; /* Ethernet II */ 1579 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1580 break; 1581 1582 case DLT_NETANALYZER_TRANSPARENT: 1583 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1584 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1585 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */ 1586 cstate->off_nl = 0; /* Ethernet II */ 1587 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1588 break; 1589 1590 default: 1591 /* 1592 * For values in the range in which we've assigned new 1593 * DLT_ values, only raw "link[N:M]" filtering is supported. 1594 */ 1595 if (cstate->linktype >= DLT_MATCHING_MIN && 1596 cstate->linktype <= DLT_MATCHING_MAX) { 1597 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1598 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1599 cstate->off_nl = -1; 1600 cstate->off_nl_nosnap = -1; 1601 } else { 1602 bpf_error(cstate, "unknown data link type %d", cstate->linktype); 1603 } 1604 break; 1605 } 1606 1607 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr; 1608 } 1609 1610 /* 1611 * Load a value relative to the specified absolute offset. 1612 */ 1613 static struct slist * 1614 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset, 1615 u_int offset, u_int size) 1616 { 1617 struct slist *s, *s2; 1618 1619 s = gen_abs_offset_varpart(cstate, abs_offset); 1620 1621 /* 1622 * If "s" is non-null, it has code to arrange that the X register 1623 * contains the variable part of the absolute offset, so we 1624 * generate a load relative to that, with an offset of 1625 * abs_offset->constant_part + offset. 1626 * 1627 * Otherwise, we can do an absolute load with an offset of 1628 * abs_offset->constant_part + offset. 1629 */ 1630 if (s != NULL) { 1631 /* 1632 * "s" points to a list of statements that puts the 1633 * variable part of the absolute offset into the X register. 1634 * Do an indirect load, to use the X register as an offset. 1635 */ 1636 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1637 s2->s.k = abs_offset->constant_part + offset; 1638 sappend(s, s2); 1639 } else { 1640 /* 1641 * There is no variable part of the absolute offset, so 1642 * just do an absolute load. 1643 */ 1644 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1645 s->s.k = abs_offset->constant_part + offset; 1646 } 1647 return s; 1648 } 1649 1650 /* 1651 * Load a value relative to the beginning of the specified header. 1652 */ 1653 static struct slist * 1654 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1655 u_int size) 1656 { 1657 struct slist *s, *s2; 1658 1659 switch (offrel) { 1660 1661 case OR_PACKET: 1662 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1663 s->s.k = offset; 1664 break; 1665 1666 case OR_LINKHDR: 1667 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size); 1668 break; 1669 1670 case OR_PREVLINKHDR: 1671 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size); 1672 break; 1673 1674 case OR_LLC: 1675 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size); 1676 break; 1677 1678 case OR_PREVMPLSHDR: 1679 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size); 1680 break; 1681 1682 case OR_LINKPL: 1683 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size); 1684 break; 1685 1686 case OR_LINKPL_NOSNAP: 1687 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size); 1688 break; 1689 1690 case OR_LINKTYPE: 1691 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size); 1692 break; 1693 1694 case OR_TRAN_IPV4: 1695 /* 1696 * Load the X register with the length of the IPv4 header 1697 * (plus the offset of the link-layer header, if it's 1698 * preceded by a variable-length header such as a radio 1699 * header), in bytes. 1700 */ 1701 s = gen_loadx_iphdrlen(cstate); 1702 1703 /* 1704 * Load the item at {offset of the link-layer payload} + 1705 * {offset, relative to the start of the link-layer 1706 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1707 * {specified offset}. 1708 * 1709 * If the offset of the link-layer payload is variable, 1710 * the variable part of that offset is included in the 1711 * value in the X register, and we include the constant 1712 * part in the offset of the load. 1713 */ 1714 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1715 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset; 1716 sappend(s, s2); 1717 break; 1718 1719 case OR_TRAN_IPV6: 1720 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size); 1721 break; 1722 1723 default: 1724 abort(); 1725 return NULL; 1726 } 1727 return s; 1728 } 1729 1730 /* 1731 * Generate code to load into the X register the sum of the length of 1732 * the IPv4 header and the variable part of the offset of the link-layer 1733 * payload. 1734 */ 1735 static struct slist * 1736 gen_loadx_iphdrlen(compiler_state_t *cstate) 1737 { 1738 struct slist *s, *s2; 1739 1740 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 1741 if (s != NULL) { 1742 /* 1743 * The offset of the link-layer payload has a variable 1744 * part. "s" points to a list of statements that put 1745 * the variable part of that offset into the X register. 1746 * 1747 * The 4*([k]&0xf) addressing mode can't be used, as we 1748 * don't have a constant offset, so we have to load the 1749 * value in question into the A register and add to it 1750 * the value from the X register. 1751 */ 1752 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 1753 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1754 sappend(s, s2); 1755 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1756 s2->s.k = 0xf; 1757 sappend(s, s2); 1758 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 1759 s2->s.k = 2; 1760 sappend(s, s2); 1761 1762 /* 1763 * The A register now contains the length of the IP header. 1764 * We need to add to it the variable part of the offset of 1765 * the link-layer payload, which is still in the X 1766 * register, and move the result into the X register. 1767 */ 1768 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 1769 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 1770 } else { 1771 /* 1772 * The offset of the link-layer payload is a constant, 1773 * so no code was generated to load the (non-existent) 1774 * variable part of that offset. 1775 * 1776 * This means we can use the 4*([k]&0xf) addressing 1777 * mode. Load the length of the IPv4 header, which 1778 * is at an offset of cstate->off_nl from the beginning of 1779 * the link-layer payload, and thus at an offset of 1780 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning 1781 * of the raw packet data, using that addressing mode. 1782 */ 1783 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 1784 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1785 } 1786 return s; 1787 } 1788 1789 static struct block * 1790 gen_uncond(compiler_state_t *cstate, int rsense) 1791 { 1792 struct block *b; 1793 struct slist *s; 1794 1795 s = new_stmt(cstate, BPF_LD|BPF_IMM); 1796 s->s.k = !rsense; 1797 b = new_block(cstate, JMP(BPF_JEQ)); 1798 b->stmts = s; 1799 1800 return b; 1801 } 1802 1803 static inline struct block * 1804 gen_true(compiler_state_t *cstate) 1805 { 1806 return gen_uncond(cstate, 1); 1807 } 1808 1809 static inline struct block * 1810 gen_false(compiler_state_t *cstate) 1811 { 1812 return gen_uncond(cstate, 0); 1813 } 1814 1815 /* 1816 * Byte-swap a 32-bit number. 1817 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1818 * big-endian platforms.) 1819 */ 1820 #define SWAPLONG(y) \ 1821 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1822 1823 /* 1824 * Generate code to match a particular packet type. 1825 * 1826 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1827 * value, if <= ETHERMTU. We use that to determine whether to 1828 * match the type/length field or to check the type/length field for 1829 * a value <= ETHERMTU to see whether it's a type field and then do 1830 * the appropriate test. 1831 */ 1832 static struct block * 1833 gen_ether_linktype(compiler_state_t *cstate, int proto) 1834 { 1835 struct block *b0, *b1; 1836 1837 switch (proto) { 1838 1839 case LLCSAP_ISONS: 1840 case LLCSAP_IP: 1841 case LLCSAP_NETBEUI: 1842 /* 1843 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1844 * so we check the DSAP and SSAP. 1845 * 1846 * LLCSAP_IP checks for IP-over-802.2, rather 1847 * than IP-over-Ethernet or IP-over-SNAP. 1848 * 1849 * XXX - should we check both the DSAP and the 1850 * SSAP, like this, or should we check just the 1851 * DSAP, as we do for other types <= ETHERMTU 1852 * (i.e., other SAP values)? 1853 */ 1854 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1855 gen_not(b0); 1856 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 1857 ((proto << 8) | proto)); 1858 gen_and(b0, b1); 1859 return b1; 1860 1861 case LLCSAP_IPX: 1862 /* 1863 * Check for; 1864 * 1865 * Ethernet_II frames, which are Ethernet 1866 * frames with a frame type of ETHERTYPE_IPX; 1867 * 1868 * Ethernet_802.3 frames, which are 802.3 1869 * frames (i.e., the type/length field is 1870 * a length field, <= ETHERMTU, rather than 1871 * a type field) with the first two bytes 1872 * after the Ethernet/802.3 header being 1873 * 0xFFFF; 1874 * 1875 * Ethernet_802.2 frames, which are 802.3 1876 * frames with an 802.2 LLC header and 1877 * with the IPX LSAP as the DSAP in the LLC 1878 * header; 1879 * 1880 * Ethernet_SNAP frames, which are 802.3 1881 * frames with an LLC header and a SNAP 1882 * header and with an OUI of 0x000000 1883 * (encapsulated Ethernet) and a protocol 1884 * ID of ETHERTYPE_IPX in the SNAP header. 1885 * 1886 * XXX - should we generate the same code both 1887 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1888 */ 1889 1890 /* 1891 * This generates code to check both for the 1892 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1893 */ 1894 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1895 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 1896 gen_or(b0, b1); 1897 1898 /* 1899 * Now we add code to check for SNAP frames with 1900 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1901 */ 1902 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 1903 gen_or(b0, b1); 1904 1905 /* 1906 * Now we generate code to check for 802.3 1907 * frames in general. 1908 */ 1909 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1910 gen_not(b0); 1911 1912 /* 1913 * Now add the check for 802.3 frames before the 1914 * check for Ethernet_802.2 and Ethernet_802.3, 1915 * as those checks should only be done on 802.3 1916 * frames, not on Ethernet frames. 1917 */ 1918 gen_and(b0, b1); 1919 1920 /* 1921 * Now add the check for Ethernet_II frames, and 1922 * do that before checking for the other frame 1923 * types. 1924 */ 1925 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 1926 gen_or(b0, b1); 1927 return b1; 1928 1929 case ETHERTYPE_ATALK: 1930 case ETHERTYPE_AARP: 1931 /* 1932 * EtherTalk (AppleTalk protocols on Ethernet link 1933 * layer) may use 802.2 encapsulation. 1934 */ 1935 1936 /* 1937 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1938 * we check for an Ethernet type field less than 1939 * 1500, which means it's an 802.3 length field. 1940 */ 1941 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1942 gen_not(b0); 1943 1944 /* 1945 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1946 * SNAP packets with an organization code of 1947 * 0x080007 (Apple, for Appletalk) and a protocol 1948 * type of ETHERTYPE_ATALK (Appletalk). 1949 * 1950 * 802.2-encapsulated ETHERTYPE_AARP packets are 1951 * SNAP packets with an organization code of 1952 * 0x000000 (encapsulated Ethernet) and a protocol 1953 * type of ETHERTYPE_AARP (Appletalk ARP). 1954 */ 1955 if (proto == ETHERTYPE_ATALK) 1956 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 1957 else /* proto == ETHERTYPE_AARP */ 1958 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 1959 gen_and(b0, b1); 1960 1961 /* 1962 * Check for Ethernet encapsulation (Ethertalk 1963 * phase 1?); we just check for the Ethernet 1964 * protocol type. 1965 */ 1966 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 1967 1968 gen_or(b0, b1); 1969 return b1; 1970 1971 default: 1972 if (proto <= ETHERMTU) { 1973 /* 1974 * This is an LLC SAP value, so the frames 1975 * that match would be 802.2 frames. 1976 * Check that the frame is an 802.2 frame 1977 * (i.e., that the length/type field is 1978 * a length field, <= ETHERMTU) and 1979 * then check the DSAP. 1980 */ 1981 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1982 gen_not(b0); 1983 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto); 1984 gen_and(b0, b1); 1985 return b1; 1986 } else { 1987 /* 1988 * This is an Ethernet type, so compare 1989 * the length/type field with it (if 1990 * the frame is an 802.2 frame, the length 1991 * field will be <= ETHERMTU, and, as 1992 * "proto" is > ETHERMTU, this test 1993 * will fail and the frame won't match, 1994 * which is what we want). 1995 */ 1996 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 1997 (bpf_int32)proto); 1998 } 1999 } 2000 } 2001 2002 static struct block * 2003 gen_loopback_linktype(compiler_state_t *cstate, int proto) 2004 { 2005 /* 2006 * For DLT_NULL, the link-layer header is a 32-bit word 2007 * containing an AF_ value in *host* byte order, and for 2008 * DLT_ENC, the link-layer header begins with a 32-bit 2009 * word containing an AF_ value in host byte order. 2010 * 2011 * In addition, if we're reading a saved capture file, 2012 * the host byte order in the capture may not be the 2013 * same as the host byte order on this machine. 2014 * 2015 * For DLT_LOOP, the link-layer header is a 32-bit 2016 * word containing an AF_ value in *network* byte order. 2017 */ 2018 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) { 2019 /* 2020 * The AF_ value is in host byte order, but the BPF 2021 * interpreter will convert it to network byte order. 2022 * 2023 * If this is a save file, and it's from a machine 2024 * with the opposite byte order to ours, we byte-swap 2025 * the AF_ value. 2026 * 2027 * Then we run it through "htonl()", and generate 2028 * code to compare against the result. 2029 */ 2030 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped) 2031 proto = SWAPLONG(proto); 2032 proto = htonl(proto); 2033 } 2034 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto)); 2035 } 2036 2037 /* 2038 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2039 * or IPv6 then we have an error. 2040 */ 2041 static struct block * 2042 gen_ipnet_linktype(compiler_state_t *cstate, int proto) 2043 { 2044 switch (proto) { 2045 2046 case ETHERTYPE_IP: 2047 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET); 2048 /* NOTREACHED */ 2049 2050 case ETHERTYPE_IPV6: 2051 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 2052 (bpf_int32)IPH_AF_INET6); 2053 /* NOTREACHED */ 2054 2055 default: 2056 break; 2057 } 2058 2059 return gen_false(cstate); 2060 } 2061 2062 /* 2063 * Generate code to match a particular packet type. 2064 * 2065 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2066 * value, if <= ETHERMTU. We use that to determine whether to 2067 * match the type field or to check the type field for the special 2068 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2069 */ 2070 static struct block * 2071 gen_linux_sll_linktype(compiler_state_t *cstate, int proto) 2072 { 2073 struct block *b0, *b1; 2074 2075 switch (proto) { 2076 2077 case LLCSAP_ISONS: 2078 case LLCSAP_IP: 2079 case LLCSAP_NETBEUI: 2080 /* 2081 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2082 * so we check the DSAP and SSAP. 2083 * 2084 * LLCSAP_IP checks for IP-over-802.2, rather 2085 * than IP-over-Ethernet or IP-over-SNAP. 2086 * 2087 * XXX - should we check both the DSAP and the 2088 * SSAP, like this, or should we check just the 2089 * DSAP, as we do for other types <= ETHERMTU 2090 * (i.e., other SAP values)? 2091 */ 2092 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2093 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 2094 ((proto << 8) | proto)); 2095 gen_and(b0, b1); 2096 return b1; 2097 2098 case LLCSAP_IPX: 2099 /* 2100 * Ethernet_II frames, which are Ethernet 2101 * frames with a frame type of ETHERTYPE_IPX; 2102 * 2103 * Ethernet_802.3 frames, which have a frame 2104 * type of LINUX_SLL_P_802_3; 2105 * 2106 * Ethernet_802.2 frames, which are 802.3 2107 * frames with an 802.2 LLC header (i.e, have 2108 * a frame type of LINUX_SLL_P_802_2) and 2109 * with the IPX LSAP as the DSAP in the LLC 2110 * header; 2111 * 2112 * Ethernet_SNAP frames, which are 802.3 2113 * frames with an LLC header and a SNAP 2114 * header and with an OUI of 0x000000 2115 * (encapsulated Ethernet) and a protocol 2116 * ID of ETHERTYPE_IPX in the SNAP header. 2117 * 2118 * First, do the checks on LINUX_SLL_P_802_2 2119 * frames; generate the check for either 2120 * Ethernet_802.2 or Ethernet_SNAP frames, and 2121 * then put a check for LINUX_SLL_P_802_2 frames 2122 * before it. 2123 */ 2124 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2125 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2126 gen_or(b0, b1); 2127 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2128 gen_and(b0, b1); 2129 2130 /* 2131 * Now check for 802.3 frames and OR that with 2132 * the previous test. 2133 */ 2134 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3); 2135 gen_or(b0, b1); 2136 2137 /* 2138 * Now add the check for Ethernet_II frames, and 2139 * do that before checking for the other frame 2140 * types. 2141 */ 2142 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 2143 gen_or(b0, b1); 2144 return b1; 2145 2146 case ETHERTYPE_ATALK: 2147 case ETHERTYPE_AARP: 2148 /* 2149 * EtherTalk (AppleTalk protocols on Ethernet link 2150 * layer) may use 802.2 encapsulation. 2151 */ 2152 2153 /* 2154 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2155 * we check for the 802.2 protocol type in the 2156 * "Ethernet type" field. 2157 */ 2158 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2159 2160 /* 2161 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2162 * SNAP packets with an organization code of 2163 * 0x080007 (Apple, for Appletalk) and a protocol 2164 * type of ETHERTYPE_ATALK (Appletalk). 2165 * 2166 * 802.2-encapsulated ETHERTYPE_AARP packets are 2167 * SNAP packets with an organization code of 2168 * 0x000000 (encapsulated Ethernet) and a protocol 2169 * type of ETHERTYPE_AARP (Appletalk ARP). 2170 */ 2171 if (proto == ETHERTYPE_ATALK) 2172 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2173 else /* proto == ETHERTYPE_AARP */ 2174 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2175 gen_and(b0, b1); 2176 2177 /* 2178 * Check for Ethernet encapsulation (Ethertalk 2179 * phase 1?); we just check for the Ethernet 2180 * protocol type. 2181 */ 2182 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2183 2184 gen_or(b0, b1); 2185 return b1; 2186 2187 default: 2188 if (proto <= ETHERMTU) { 2189 /* 2190 * This is an LLC SAP value, so the frames 2191 * that match would be 802.2 frames. 2192 * Check for the 802.2 protocol type 2193 * in the "Ethernet type" field, and 2194 * then check the DSAP. 2195 */ 2196 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2197 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B, 2198 (bpf_int32)proto); 2199 gen_and(b0, b1); 2200 return b1; 2201 } else { 2202 /* 2203 * This is an Ethernet type, so compare 2204 * the length/type field with it (if 2205 * the frame is an 802.2 frame, the length 2206 * field will be <= ETHERMTU, and, as 2207 * "proto" is > ETHERMTU, this test 2208 * will fail and the frame won't match, 2209 * which is what we want). 2210 */ 2211 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2212 } 2213 } 2214 } 2215 2216 static struct slist * 2217 gen_load_prism_llprefixlen(compiler_state_t *cstate) 2218 { 2219 struct slist *s1, *s2; 2220 struct slist *sjeq_avs_cookie; 2221 struct slist *sjcommon; 2222 2223 /* 2224 * This code is not compatible with the optimizer, as 2225 * we are generating jmp instructions within a normal 2226 * slist of instructions 2227 */ 2228 cstate->no_optimize = 1; 2229 2230 /* 2231 * Generate code to load the length of the radio header into 2232 * the register assigned to hold that length, if one has been 2233 * assigned. (If one hasn't been assigned, no code we've 2234 * generated uses that prefix, so we don't need to generate any 2235 * code to load it.) 2236 * 2237 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2238 * or always use the AVS header rather than the Prism header. 2239 * We load a 4-byte big-endian value at the beginning of the 2240 * raw packet data, and see whether, when masked with 0xFFFFF000, 2241 * it's equal to 0x80211000. If so, that indicates that it's 2242 * an AVS header (the masked-out bits are the version number). 2243 * Otherwise, it's a Prism header. 2244 * 2245 * XXX - the Prism header is also, in theory, variable-length, 2246 * but no known software generates headers that aren't 144 2247 * bytes long. 2248 */ 2249 if (cstate->off_linkhdr.reg != -1) { 2250 /* 2251 * Load the cookie. 2252 */ 2253 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2254 s1->s.k = 0; 2255 2256 /* 2257 * AND it with 0xFFFFF000. 2258 */ 2259 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 2260 s2->s.k = 0xFFFFF000; 2261 sappend(s1, s2); 2262 2263 /* 2264 * Compare with 0x80211000. 2265 */ 2266 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ)); 2267 sjeq_avs_cookie->s.k = 0x80211000; 2268 sappend(s1, sjeq_avs_cookie); 2269 2270 /* 2271 * If it's AVS: 2272 * 2273 * The 4 bytes at an offset of 4 from the beginning of 2274 * the AVS header are the length of the AVS header. 2275 * That field is big-endian. 2276 */ 2277 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2278 s2->s.k = 4; 2279 sappend(s1, s2); 2280 sjeq_avs_cookie->s.jt = s2; 2281 2282 /* 2283 * Now jump to the code to allocate a register 2284 * into which to save the header length and 2285 * store the length there. (The "jump always" 2286 * instruction needs to have the k field set; 2287 * it's added to the PC, so, as we're jumping 2288 * over a single instruction, it should be 1.) 2289 */ 2290 sjcommon = new_stmt(cstate, JMP(BPF_JA)); 2291 sjcommon->s.k = 1; 2292 sappend(s1, sjcommon); 2293 2294 /* 2295 * Now for the code that handles the Prism header. 2296 * Just load the length of the Prism header (144) 2297 * into the A register. Have the test for an AVS 2298 * header branch here if we don't have an AVS header. 2299 */ 2300 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2301 s2->s.k = 144; 2302 sappend(s1, s2); 2303 sjeq_avs_cookie->s.jf = s2; 2304 2305 /* 2306 * Now allocate a register to hold that value and store 2307 * it. The code for the AVS header will jump here after 2308 * loading the length of the AVS header. 2309 */ 2310 s2 = new_stmt(cstate, BPF_ST); 2311 s2->s.k = cstate->off_linkhdr.reg; 2312 sappend(s1, s2); 2313 sjcommon->s.jf = s2; 2314 2315 /* 2316 * Now move it into the X register. 2317 */ 2318 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2319 sappend(s1, s2); 2320 2321 return (s1); 2322 } else 2323 return (NULL); 2324 } 2325 2326 static struct slist * 2327 gen_load_avs_llprefixlen(compiler_state_t *cstate) 2328 { 2329 struct slist *s1, *s2; 2330 2331 /* 2332 * Generate code to load the length of the AVS header into 2333 * the register assigned to hold that length, if one has been 2334 * assigned. (If one hasn't been assigned, no code we've 2335 * generated uses that prefix, so we don't need to generate any 2336 * code to load it.) 2337 */ 2338 if (cstate->off_linkhdr.reg != -1) { 2339 /* 2340 * The 4 bytes at an offset of 4 from the beginning of 2341 * the AVS header are the length of the AVS header. 2342 * That field is big-endian. 2343 */ 2344 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2345 s1->s.k = 4; 2346 2347 /* 2348 * Now allocate a register to hold that value and store 2349 * it. 2350 */ 2351 s2 = new_stmt(cstate, BPF_ST); 2352 s2->s.k = cstate->off_linkhdr.reg; 2353 sappend(s1, s2); 2354 2355 /* 2356 * Now move it into the X register. 2357 */ 2358 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2359 sappend(s1, s2); 2360 2361 return (s1); 2362 } else 2363 return (NULL); 2364 } 2365 2366 static struct slist * 2367 gen_load_radiotap_llprefixlen(compiler_state_t *cstate) 2368 { 2369 struct slist *s1, *s2; 2370 2371 /* 2372 * Generate code to load the length of the radiotap header into 2373 * the register assigned to hold that length, if one has been 2374 * assigned. (If one hasn't been assigned, no code we've 2375 * generated uses that prefix, so we don't need to generate any 2376 * code to load it.) 2377 */ 2378 if (cstate->off_linkhdr.reg != -1) { 2379 /* 2380 * The 2 bytes at offsets of 2 and 3 from the beginning 2381 * of the radiotap header are the length of the radiotap 2382 * header; unfortunately, it's little-endian, so we have 2383 * to load it a byte at a time and construct the value. 2384 */ 2385 2386 /* 2387 * Load the high-order byte, at an offset of 3, shift it 2388 * left a byte, and put the result in the X register. 2389 */ 2390 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2391 s1->s.k = 3; 2392 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2393 sappend(s1, s2); 2394 s2->s.k = 8; 2395 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2396 sappend(s1, s2); 2397 2398 /* 2399 * Load the next byte, at an offset of 2, and OR the 2400 * value from the X register into it. 2401 */ 2402 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2403 sappend(s1, s2); 2404 s2->s.k = 2; 2405 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2406 sappend(s1, s2); 2407 2408 /* 2409 * Now allocate a register to hold that value and store 2410 * it. 2411 */ 2412 s2 = new_stmt(cstate, BPF_ST); 2413 s2->s.k = cstate->off_linkhdr.reg; 2414 sappend(s1, s2); 2415 2416 /* 2417 * Now move it into the X register. 2418 */ 2419 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2420 sappend(s1, s2); 2421 2422 return (s1); 2423 } else 2424 return (NULL); 2425 } 2426 2427 /* 2428 * At the moment we treat PPI as normal Radiotap encoded 2429 * packets. The difference is in the function that generates 2430 * the code at the beginning to compute the header length. 2431 * Since this code generator of PPI supports bare 802.11 2432 * encapsulation only (i.e. the encapsulated DLT should be 2433 * DLT_IEEE802_11) we generate code to check for this too; 2434 * that's done in finish_parse(). 2435 */ 2436 static struct slist * 2437 gen_load_ppi_llprefixlen(compiler_state_t *cstate) 2438 { 2439 struct slist *s1, *s2; 2440 2441 /* 2442 * Generate code to load the length of the radiotap header 2443 * into the register assigned to hold that length, if one has 2444 * been assigned. 2445 */ 2446 if (cstate->off_linkhdr.reg != -1) { 2447 /* 2448 * The 2 bytes at offsets of 2 and 3 from the beginning 2449 * of the radiotap header are the length of the radiotap 2450 * header; unfortunately, it's little-endian, so we have 2451 * to load it a byte at a time and construct the value. 2452 */ 2453 2454 /* 2455 * Load the high-order byte, at an offset of 3, shift it 2456 * left a byte, and put the result in the X register. 2457 */ 2458 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2459 s1->s.k = 3; 2460 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2461 sappend(s1, s2); 2462 s2->s.k = 8; 2463 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2464 sappend(s1, s2); 2465 2466 /* 2467 * Load the next byte, at an offset of 2, and OR the 2468 * value from the X register into it. 2469 */ 2470 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2471 sappend(s1, s2); 2472 s2->s.k = 2; 2473 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2474 sappend(s1, s2); 2475 2476 /* 2477 * Now allocate a register to hold that value and store 2478 * it. 2479 */ 2480 s2 = new_stmt(cstate, BPF_ST); 2481 s2->s.k = cstate->off_linkhdr.reg; 2482 sappend(s1, s2); 2483 2484 /* 2485 * Now move it into the X register. 2486 */ 2487 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2488 sappend(s1, s2); 2489 2490 return (s1); 2491 } else 2492 return (NULL); 2493 } 2494 2495 /* 2496 * Load a value relative to the beginning of the link-layer header after the 802.11 2497 * header, i.e. LLC_SNAP. 2498 * The link-layer header doesn't necessarily begin at the beginning 2499 * of the packet data; there might be a variable-length prefix containing 2500 * radio information. 2501 */ 2502 static struct slist * 2503 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext) 2504 { 2505 struct slist *s2; 2506 struct slist *sjset_data_frame_1; 2507 struct slist *sjset_data_frame_2; 2508 struct slist *sjset_qos; 2509 struct slist *sjset_radiotap_flags_present; 2510 struct slist *sjset_radiotap_ext_present; 2511 struct slist *sjset_radiotap_tsft_present; 2512 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2513 struct slist *s_roundup; 2514 2515 if (cstate->off_linkpl.reg == -1) { 2516 /* 2517 * No register has been assigned to the offset of 2518 * the link-layer payload, which means nobody needs 2519 * it; don't bother computing it - just return 2520 * what we already have. 2521 */ 2522 return (s); 2523 } 2524 2525 /* 2526 * This code is not compatible with the optimizer, as 2527 * we are generating jmp instructions within a normal 2528 * slist of instructions 2529 */ 2530 cstate->no_optimize = 1; 2531 2532 /* 2533 * If "s" is non-null, it has code to arrange that the X register 2534 * contains the length of the prefix preceding the link-layer 2535 * header. 2536 * 2537 * Otherwise, the length of the prefix preceding the link-layer 2538 * header is "off_outermostlinkhdr.constant_part". 2539 */ 2540 if (s == NULL) { 2541 /* 2542 * There is no variable-length header preceding the 2543 * link-layer header. 2544 * 2545 * Load the length of the fixed-length prefix preceding 2546 * the link-layer header (if any) into the X register, 2547 * and store it in the cstate->off_linkpl.reg register. 2548 * That length is off_outermostlinkhdr.constant_part. 2549 */ 2550 s = new_stmt(cstate, BPF_LDX|BPF_IMM); 2551 s->s.k = cstate->off_outermostlinkhdr.constant_part; 2552 } 2553 2554 /* 2555 * The X register contains the offset of the beginning of the 2556 * link-layer header; add 24, which is the minimum length 2557 * of the MAC header for a data frame, to that, and store it 2558 * in cstate->off_linkpl.reg, and then load the Frame Control field, 2559 * which is at the offset in the X register, with an indexed load. 2560 */ 2561 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA); 2562 sappend(s, s2); 2563 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 2564 s2->s.k = 24; 2565 sappend(s, s2); 2566 s2 = new_stmt(cstate, BPF_ST); 2567 s2->s.k = cstate->off_linkpl.reg; 2568 sappend(s, s2); 2569 2570 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 2571 s2->s.k = 0; 2572 sappend(s, s2); 2573 2574 /* 2575 * Check the Frame Control field to see if this is a data frame; 2576 * a data frame has the 0x08 bit (b3) in that field set and the 2577 * 0x04 bit (b2) clear. 2578 */ 2579 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET)); 2580 sjset_data_frame_1->s.k = 0x08; 2581 sappend(s, sjset_data_frame_1); 2582 2583 /* 2584 * If b3 is set, test b2, otherwise go to the first statement of 2585 * the rest of the program. 2586 */ 2587 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET)); 2588 sjset_data_frame_2->s.k = 0x04; 2589 sappend(s, sjset_data_frame_2); 2590 sjset_data_frame_1->s.jf = snext; 2591 2592 /* 2593 * If b2 is not set, this is a data frame; test the QoS bit. 2594 * Otherwise, go to the first statement of the rest of the 2595 * program. 2596 */ 2597 sjset_data_frame_2->s.jt = snext; 2598 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET)); 2599 sjset_qos->s.k = 0x80; /* QoS bit */ 2600 sappend(s, sjset_qos); 2601 2602 /* 2603 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS 2604 * field. 2605 * Otherwise, go to the first statement of the rest of the 2606 * program. 2607 */ 2608 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 2609 s2->s.k = cstate->off_linkpl.reg; 2610 sappend(s, s2); 2611 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2612 s2->s.k = 2; 2613 sappend(s, s2); 2614 s2 = new_stmt(cstate, BPF_ST); 2615 s2->s.k = cstate->off_linkpl.reg; 2616 sappend(s, s2); 2617 2618 /* 2619 * If we have a radiotap header, look at it to see whether 2620 * there's Atheros padding between the MAC-layer header 2621 * and the payload. 2622 * 2623 * Note: all of the fields in the radiotap header are 2624 * little-endian, so we byte-swap all of the values 2625 * we test against, as they will be loaded as big-endian 2626 * values. 2627 * 2628 * XXX - in the general case, we would have to scan through 2629 * *all* the presence bits, if there's more than one word of 2630 * presence bits. That would require a loop, meaning that 2631 * we wouldn't be able to run the filter in the kernel. 2632 * 2633 * We assume here that the Atheros adapters that insert the 2634 * annoying padding don't have multiple antennae and therefore 2635 * do not generate radiotap headers with multiple presence words. 2636 */ 2637 if (cstate->linktype == DLT_IEEE802_11_RADIO) { 2638 /* 2639 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2640 * in the first presence flag word? 2641 */ 2642 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W); 2643 s2->s.k = 4; 2644 sappend(s, s2); 2645 2646 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET)); 2647 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002); 2648 sappend(s, sjset_radiotap_flags_present); 2649 2650 /* 2651 * If not, skip all of this. 2652 */ 2653 sjset_radiotap_flags_present->s.jf = snext; 2654 2655 /* 2656 * Otherwise, is the "extension" bit set in that word? 2657 */ 2658 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET)); 2659 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000); 2660 sappend(s, sjset_radiotap_ext_present); 2661 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present; 2662 2663 /* 2664 * If so, skip all of this. 2665 */ 2666 sjset_radiotap_ext_present->s.jt = snext; 2667 2668 /* 2669 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2670 */ 2671 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET)); 2672 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001); 2673 sappend(s, sjset_radiotap_tsft_present); 2674 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present; 2675 2676 /* 2677 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2678 * at an offset of 16 from the beginning of the raw packet 2679 * data (8 bytes for the radiotap header and 8 bytes for 2680 * the TSFT field). 2681 * 2682 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2683 * is set. 2684 */ 2685 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2686 s2->s.k = 16; 2687 sappend(s, s2); 2688 sjset_radiotap_tsft_present->s.jt = s2; 2689 2690 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2691 sjset_tsft_datapad->s.k = 0x20; 2692 sappend(s, sjset_tsft_datapad); 2693 2694 /* 2695 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2696 * at an offset of 8 from the beginning of the raw packet 2697 * data (8 bytes for the radiotap header). 2698 * 2699 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2700 * is set. 2701 */ 2702 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2703 s2->s.k = 8; 2704 sappend(s, s2); 2705 sjset_radiotap_tsft_present->s.jf = s2; 2706 2707 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2708 sjset_notsft_datapad->s.k = 0x20; 2709 sappend(s, sjset_notsft_datapad); 2710 2711 /* 2712 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2713 * set, round the length of the 802.11 header to 2714 * a multiple of 4. Do that by adding 3 and then 2715 * dividing by and multiplying by 4, which we do by 2716 * ANDing with ~3. 2717 */ 2718 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM); 2719 s_roundup->s.k = cstate->off_linkpl.reg; 2720 sappend(s, s_roundup); 2721 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2722 s2->s.k = 3; 2723 sappend(s, s2); 2724 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM); 2725 s2->s.k = ~3; 2726 sappend(s, s2); 2727 s2 = new_stmt(cstate, BPF_ST); 2728 s2->s.k = cstate->off_linkpl.reg; 2729 sappend(s, s2); 2730 2731 sjset_tsft_datapad->s.jt = s_roundup; 2732 sjset_tsft_datapad->s.jf = snext; 2733 sjset_notsft_datapad->s.jt = s_roundup; 2734 sjset_notsft_datapad->s.jf = snext; 2735 } else 2736 sjset_qos->s.jf = snext; 2737 2738 return s; 2739 } 2740 2741 static void 2742 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b) 2743 { 2744 struct slist *s; 2745 2746 /* There is an implicit dependency between the link 2747 * payload and link header since the payload computation 2748 * includes the variable part of the header. Therefore, 2749 * if nobody else has allocated a register for the link 2750 * header and we need it, do it now. */ 2751 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable && 2752 cstate->off_linkhdr.reg == -1) 2753 cstate->off_linkhdr.reg = alloc_reg(cstate); 2754 2755 /* 2756 * For link-layer types that have a variable-length header 2757 * preceding the link-layer header, generate code to load 2758 * the offset of the link-layer header into the register 2759 * assigned to that offset, if any. 2760 * 2761 * XXX - this, and the next switch statement, won't handle 2762 * encapsulation of 802.11 or 802.11+radio information in 2763 * some other protocol stack. That's significantly more 2764 * complicated. 2765 */ 2766 switch (cstate->outermostlinktype) { 2767 2768 case DLT_PRISM_HEADER: 2769 s = gen_load_prism_llprefixlen(cstate); 2770 break; 2771 2772 case DLT_IEEE802_11_RADIO_AVS: 2773 s = gen_load_avs_llprefixlen(cstate); 2774 break; 2775 2776 case DLT_IEEE802_11_RADIO: 2777 s = gen_load_radiotap_llprefixlen(cstate); 2778 break; 2779 2780 case DLT_PPI: 2781 s = gen_load_ppi_llprefixlen(cstate); 2782 break; 2783 2784 default: 2785 s = NULL; 2786 break; 2787 } 2788 2789 /* 2790 * For link-layer types that have a variable-length link-layer 2791 * header, generate code to load the offset of the link-layer 2792 * payload into the register assigned to that offset, if any. 2793 */ 2794 switch (cstate->outermostlinktype) { 2795 2796 case DLT_IEEE802_11: 2797 case DLT_PRISM_HEADER: 2798 case DLT_IEEE802_11_RADIO_AVS: 2799 case DLT_IEEE802_11_RADIO: 2800 case DLT_PPI: 2801 s = gen_load_802_11_header_len(cstate, s, b->stmts); 2802 break; 2803 } 2804 2805 /* 2806 * If we have any offset-loading code, append all the 2807 * existing statements in the block to those statements, 2808 * and make the resulting list the list of statements 2809 * for the block. 2810 */ 2811 if (s != NULL) { 2812 sappend(s, b->stmts); 2813 b->stmts = s; 2814 } 2815 } 2816 2817 static struct block * 2818 gen_ppi_dlt_check(compiler_state_t *cstate) 2819 { 2820 struct slist *s_load_dlt; 2821 struct block *b; 2822 2823 if (cstate->linktype == DLT_PPI) 2824 { 2825 /* Create the statements that check for the DLT 2826 */ 2827 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2828 s_load_dlt->s.k = 4; 2829 2830 b = new_block(cstate, JMP(BPF_JEQ)); 2831 2832 b->stmts = s_load_dlt; 2833 b->s.k = SWAPLONG(DLT_IEEE802_11); 2834 } 2835 else 2836 { 2837 b = NULL; 2838 } 2839 2840 return b; 2841 } 2842 2843 /* 2844 * Take an absolute offset, and: 2845 * 2846 * if it has no variable part, return NULL; 2847 * 2848 * if it has a variable part, generate code to load the register 2849 * containing that variable part into the X register, returning 2850 * a pointer to that code - if no register for that offset has 2851 * been allocated, allocate it first. 2852 * 2853 * (The code to set that register will be generated later, but will 2854 * be placed earlier in the code sequence.) 2855 */ 2856 static struct slist * 2857 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off) 2858 { 2859 struct slist *s; 2860 2861 if (off->is_variable) { 2862 if (off->reg == -1) { 2863 /* 2864 * We haven't yet assigned a register for the 2865 * variable part of the offset of the link-layer 2866 * header; allocate one. 2867 */ 2868 off->reg = alloc_reg(cstate); 2869 } 2870 2871 /* 2872 * Load the register containing the variable part of the 2873 * offset of the link-layer header into the X register. 2874 */ 2875 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 2876 s->s.k = off->reg; 2877 return s; 2878 } else { 2879 /* 2880 * That offset isn't variable, there's no variable part, 2881 * so we don't need to generate any code. 2882 */ 2883 return NULL; 2884 } 2885 } 2886 2887 /* 2888 * Map an Ethernet type to the equivalent PPP type. 2889 */ 2890 static int 2891 ethertype_to_ppptype(proto) 2892 int proto; 2893 { 2894 switch (proto) { 2895 2896 case ETHERTYPE_IP: 2897 proto = PPP_IP; 2898 break; 2899 2900 case ETHERTYPE_IPV6: 2901 proto = PPP_IPV6; 2902 break; 2903 2904 case ETHERTYPE_DN: 2905 proto = PPP_DECNET; 2906 break; 2907 2908 case ETHERTYPE_ATALK: 2909 proto = PPP_APPLE; 2910 break; 2911 2912 case ETHERTYPE_NS: 2913 proto = PPP_NS; 2914 break; 2915 2916 case LLCSAP_ISONS: 2917 proto = PPP_OSI; 2918 break; 2919 2920 case LLCSAP_8021D: 2921 /* 2922 * I'm assuming the "Bridging PDU"s that go 2923 * over PPP are Spanning Tree Protocol 2924 * Bridging PDUs. 2925 */ 2926 proto = PPP_BRPDU; 2927 break; 2928 2929 case LLCSAP_IPX: 2930 proto = PPP_IPX; 2931 break; 2932 } 2933 return (proto); 2934 } 2935 2936 /* 2937 * Generate any tests that, for encapsulation of a link-layer packet 2938 * inside another protocol stack, need to be done to check for those 2939 * link-layer packets (and that haven't already been done by a check 2940 * for that encapsulation). 2941 */ 2942 static struct block * 2943 gen_prevlinkhdr_check(compiler_state_t *cstate) 2944 { 2945 struct block *b0; 2946 2947 if (cstate->is_geneve) 2948 return gen_geneve_ll_check(cstate); 2949 2950 switch (cstate->prevlinktype) { 2951 2952 case DLT_SUNATM: 2953 /* 2954 * This is LANE-encapsulated Ethernet; check that the LANE 2955 * packet doesn't begin with an LE Control marker, i.e. 2956 * that it's data, not a control message. 2957 * 2958 * (We've already generated a test for LANE.) 2959 */ 2960 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 2961 gen_not(b0); 2962 return b0; 2963 2964 default: 2965 /* 2966 * No such tests are necessary. 2967 */ 2968 return NULL; 2969 } 2970 /*NOTREACHED*/ 2971 } 2972 2973 /* 2974 * The three different values we should check for when checking for an 2975 * IPv6 packet with DLT_NULL. 2976 */ 2977 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */ 2978 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */ 2979 #define BSD_AFNUM_INET6_DARWIN 30 /* OS X, iOS, other Darwin-based OSes */ 2980 2981 /* 2982 * Generate code to match a particular packet type by matching the 2983 * link-layer type field or fields in the 802.2 LLC header. 2984 * 2985 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2986 * value, if <= ETHERMTU. 2987 */ 2988 static struct block * 2989 gen_linktype(compiler_state_t *cstate, int proto) 2990 { 2991 struct block *b0, *b1, *b2; 2992 const char *description; 2993 2994 /* are we checking MPLS-encapsulated packets? */ 2995 if (cstate->label_stack_depth > 0) { 2996 switch (proto) { 2997 case ETHERTYPE_IP: 2998 case PPP_IP: 2999 /* FIXME add other L3 proto IDs */ 3000 return gen_mpls_linktype(cstate, Q_IP); 3001 3002 case ETHERTYPE_IPV6: 3003 case PPP_IPV6: 3004 /* FIXME add other L3 proto IDs */ 3005 return gen_mpls_linktype(cstate, Q_IPV6); 3006 3007 default: 3008 bpf_error(cstate, "unsupported protocol over mpls"); 3009 /* NOTREACHED */ 3010 } 3011 } 3012 3013 switch (cstate->linktype) { 3014 3015 case DLT_EN10MB: 3016 case DLT_NETANALYZER: 3017 case DLT_NETANALYZER_TRANSPARENT: 3018 /* Geneve has an EtherType regardless of whether there is an 3019 * L2 header. */ 3020 if (!cstate->is_geneve) 3021 b0 = gen_prevlinkhdr_check(cstate); 3022 else 3023 b0 = NULL; 3024 3025 b1 = gen_ether_linktype(cstate, proto); 3026 if (b0 != NULL) 3027 gen_and(b0, b1); 3028 return b1; 3029 /*NOTREACHED*/ 3030 break; 3031 3032 case DLT_C_HDLC: 3033 switch (proto) { 3034 3035 case LLCSAP_ISONS: 3036 proto = (proto << 8 | LLCSAP_ISONS); 3037 /* fall through */ 3038 3039 default: 3040 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3041 /*NOTREACHED*/ 3042 break; 3043 } 3044 break; 3045 3046 case DLT_IEEE802_11: 3047 case DLT_PRISM_HEADER: 3048 case DLT_IEEE802_11_RADIO_AVS: 3049 case DLT_IEEE802_11_RADIO: 3050 case DLT_PPI: 3051 /* 3052 * Check that we have a data frame. 3053 */ 3054 b0 = gen_check_802_11_data_frame(cstate); 3055 3056 /* 3057 * Now check for the specified link-layer type. 3058 */ 3059 b1 = gen_llc_linktype(cstate, proto); 3060 gen_and(b0, b1); 3061 return b1; 3062 /*NOTREACHED*/ 3063 break; 3064 3065 case DLT_FDDI: 3066 /* 3067 * XXX - check for LLC frames. 3068 */ 3069 return gen_llc_linktype(cstate, proto); 3070 /*NOTREACHED*/ 3071 break; 3072 3073 case DLT_IEEE802: 3074 /* 3075 * XXX - check for LLC PDUs, as per IEEE 802.5. 3076 */ 3077 return gen_llc_linktype(cstate, proto); 3078 /*NOTREACHED*/ 3079 break; 3080 3081 case DLT_ATM_RFC1483: 3082 case DLT_ATM_CLIP: 3083 case DLT_IP_OVER_FC: 3084 return gen_llc_linktype(cstate, proto); 3085 /*NOTREACHED*/ 3086 break; 3087 3088 case DLT_SUNATM: 3089 /* 3090 * Check for an LLC-encapsulated version of this protocol; 3091 * if we were checking for LANE, linktype would no longer 3092 * be DLT_SUNATM. 3093 * 3094 * Check for LLC encapsulation and then check the protocol. 3095 */ 3096 b0 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3097 b1 = gen_llc_linktype(cstate, proto); 3098 gen_and(b0, b1); 3099 return b1; 3100 /*NOTREACHED*/ 3101 break; 3102 3103 case DLT_LINUX_SLL: 3104 return gen_linux_sll_linktype(cstate, proto); 3105 /*NOTREACHED*/ 3106 break; 3107 3108 case DLT_SLIP: 3109 case DLT_SLIP_BSDOS: 3110 case DLT_RAW: 3111 /* 3112 * These types don't provide any type field; packets 3113 * are always IPv4 or IPv6. 3114 * 3115 * XXX - for IPv4, check for a version number of 4, and, 3116 * for IPv6, check for a version number of 6? 3117 */ 3118 switch (proto) { 3119 3120 case ETHERTYPE_IP: 3121 /* Check for a version number of 4. */ 3122 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0); 3123 3124 case ETHERTYPE_IPV6: 3125 /* Check for a version number of 6. */ 3126 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0); 3127 3128 default: 3129 return gen_false(cstate); /* always false */ 3130 } 3131 /*NOTREACHED*/ 3132 break; 3133 3134 case DLT_IPV4: 3135 /* 3136 * Raw IPv4, so no type field. 3137 */ 3138 if (proto == ETHERTYPE_IP) 3139 return gen_true(cstate); /* always true */ 3140 3141 /* Checking for something other than IPv4; always false */ 3142 return gen_false(cstate); 3143 /*NOTREACHED*/ 3144 break; 3145 3146 case DLT_IPV6: 3147 /* 3148 * Raw IPv6, so no type field. 3149 */ 3150 if (proto == ETHERTYPE_IPV6) 3151 return gen_true(cstate); /* always true */ 3152 3153 /* Checking for something other than IPv6; always false */ 3154 return gen_false(cstate); 3155 /*NOTREACHED*/ 3156 break; 3157 3158 case DLT_PPP: 3159 case DLT_PPP_PPPD: 3160 case DLT_PPP_SERIAL: 3161 case DLT_PPP_ETHER: 3162 /* 3163 * We use Ethernet protocol types inside libpcap; 3164 * map them to the corresponding PPP protocol types. 3165 */ 3166 proto = ethertype_to_ppptype(proto); 3167 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3168 /*NOTREACHED*/ 3169 break; 3170 3171 case DLT_PPP_BSDOS: 3172 /* 3173 * We use Ethernet protocol types inside libpcap; 3174 * map them to the corresponding PPP protocol types. 3175 */ 3176 switch (proto) { 3177 3178 case ETHERTYPE_IP: 3179 /* 3180 * Also check for Van Jacobson-compressed IP. 3181 * XXX - do this for other forms of PPP? 3182 */ 3183 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP); 3184 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC); 3185 gen_or(b0, b1); 3186 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC); 3187 gen_or(b1, b0); 3188 return b0; 3189 3190 default: 3191 proto = ethertype_to_ppptype(proto); 3192 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 3193 (bpf_int32)proto); 3194 } 3195 /*NOTREACHED*/ 3196 break; 3197 3198 case DLT_NULL: 3199 case DLT_LOOP: 3200 case DLT_ENC: 3201 switch (proto) { 3202 3203 case ETHERTYPE_IP: 3204 return (gen_loopback_linktype(cstate, AF_INET)); 3205 3206 case ETHERTYPE_IPV6: 3207 /* 3208 * AF_ values may, unfortunately, be platform- 3209 * dependent; AF_INET isn't, because everybody 3210 * used 4.2BSD's value, but AF_INET6 is, because 3211 * 4.2BSD didn't have a value for it (given that 3212 * IPv6 didn't exist back in the early 1980's), 3213 * and they all picked their own values. 3214 * 3215 * This means that, if we're reading from a 3216 * savefile, we need to check for all the 3217 * possible values. 3218 * 3219 * If we're doing a live capture, we only need 3220 * to check for this platform's value; however, 3221 * Npcap uses 24, which isn't Windows's AF_INET6 3222 * value. (Given the multiple different values, 3223 * programs that read pcap files shouldn't be 3224 * checking for their platform's AF_INET6 value 3225 * anyway, they should check for all of the 3226 * possible values. and they might as well do 3227 * that even for live captures.) 3228 */ 3229 if (cstate->bpf_pcap->rfile != NULL) { 3230 /* 3231 * Savefile - check for all three 3232 * possible IPv6 values. 3233 */ 3234 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD); 3235 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD); 3236 gen_or(b0, b1); 3237 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN); 3238 gen_or(b0, b1); 3239 return (b1); 3240 } else { 3241 /* 3242 * Live capture, so we only need to 3243 * check for the value used on this 3244 * platform. 3245 */ 3246 #ifdef _WIN32 3247 /* 3248 * Npcap doesn't use Windows's AF_INET6, 3249 * as that collides with AF_IPX on 3250 * some BSDs (both have the value 23). 3251 * Instead, it uses 24. 3252 */ 3253 return (gen_loopback_linktype(cstate, 24)); 3254 #else /* _WIN32 */ 3255 #ifdef AF_INET6 3256 return (gen_loopback_linktype(cstate, AF_INET6)); 3257 #else /* AF_INET6 */ 3258 /* 3259 * I guess this platform doesn't support 3260 * IPv6, so we just reject all packets. 3261 */ 3262 return gen_false(cstate); 3263 #endif /* AF_INET6 */ 3264 #endif /* _WIN32 */ 3265 } 3266 3267 default: 3268 /* 3269 * Not a type on which we support filtering. 3270 * XXX - support those that have AF_ values 3271 * #defined on this platform, at least? 3272 */ 3273 return gen_false(cstate); 3274 } 3275 3276 #ifdef HAVE_NET_PFVAR_H 3277 case DLT_PFLOG: 3278 /* 3279 * af field is host byte order in contrast to the rest of 3280 * the packet. 3281 */ 3282 if (proto == ETHERTYPE_IP) 3283 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3284 BPF_B, (bpf_int32)AF_INET)); 3285 else if (proto == ETHERTYPE_IPV6) 3286 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3287 BPF_B, (bpf_int32)AF_INET6)); 3288 else 3289 return gen_false(cstate); 3290 /*NOTREACHED*/ 3291 break; 3292 #endif /* HAVE_NET_PFVAR_H */ 3293 3294 case DLT_ARCNET: 3295 case DLT_ARCNET_LINUX: 3296 /* 3297 * XXX should we check for first fragment if the protocol 3298 * uses PHDS? 3299 */ 3300 switch (proto) { 3301 3302 default: 3303 return gen_false(cstate); 3304 3305 case ETHERTYPE_IPV6: 3306 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3307 (bpf_int32)ARCTYPE_INET6)); 3308 3309 case ETHERTYPE_IP: 3310 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3311 (bpf_int32)ARCTYPE_IP); 3312 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3313 (bpf_int32)ARCTYPE_IP_OLD); 3314 gen_or(b0, b1); 3315 return (b1); 3316 3317 case ETHERTYPE_ARP: 3318 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3319 (bpf_int32)ARCTYPE_ARP); 3320 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3321 (bpf_int32)ARCTYPE_ARP_OLD); 3322 gen_or(b0, b1); 3323 return (b1); 3324 3325 case ETHERTYPE_REVARP: 3326 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3327 (bpf_int32)ARCTYPE_REVARP)); 3328 3329 case ETHERTYPE_ATALK: 3330 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3331 (bpf_int32)ARCTYPE_ATALK)); 3332 } 3333 /*NOTREACHED*/ 3334 break; 3335 3336 case DLT_LTALK: 3337 switch (proto) { 3338 case ETHERTYPE_ATALK: 3339 return gen_true(cstate); 3340 default: 3341 return gen_false(cstate); 3342 } 3343 /*NOTREACHED*/ 3344 break; 3345 3346 case DLT_FRELAY: 3347 /* 3348 * XXX - assumes a 2-byte Frame Relay header with 3349 * DLCI and flags. What if the address is longer? 3350 */ 3351 switch (proto) { 3352 3353 case ETHERTYPE_IP: 3354 /* 3355 * Check for the special NLPID for IP. 3356 */ 3357 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc); 3358 3359 case ETHERTYPE_IPV6: 3360 /* 3361 * Check for the special NLPID for IPv6. 3362 */ 3363 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e); 3364 3365 case LLCSAP_ISONS: 3366 /* 3367 * Check for several OSI protocols. 3368 * 3369 * Frame Relay packets typically have an OSI 3370 * NLPID at the beginning; we check for each 3371 * of them. 3372 * 3373 * What we check for is the NLPID and a frame 3374 * control field of UI, i.e. 0x03 followed 3375 * by the NLPID. 3376 */ 3377 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3378 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3379 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3380 gen_or(b1, b2); 3381 gen_or(b0, b2); 3382 return b2; 3383 3384 default: 3385 return gen_false(cstate); 3386 } 3387 /*NOTREACHED*/ 3388 break; 3389 3390 case DLT_MFR: 3391 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented"); 3392 3393 case DLT_JUNIPER_MFR: 3394 case DLT_JUNIPER_MLFR: 3395 case DLT_JUNIPER_MLPPP: 3396 case DLT_JUNIPER_ATM1: 3397 case DLT_JUNIPER_ATM2: 3398 case DLT_JUNIPER_PPPOE: 3399 case DLT_JUNIPER_PPPOE_ATM: 3400 case DLT_JUNIPER_GGSN: 3401 case DLT_JUNIPER_ES: 3402 case DLT_JUNIPER_MONITOR: 3403 case DLT_JUNIPER_SERVICES: 3404 case DLT_JUNIPER_ETHER: 3405 case DLT_JUNIPER_PPP: 3406 case DLT_JUNIPER_FRELAY: 3407 case DLT_JUNIPER_CHDLC: 3408 case DLT_JUNIPER_VP: 3409 case DLT_JUNIPER_ST: 3410 case DLT_JUNIPER_ISM: 3411 case DLT_JUNIPER_VS: 3412 case DLT_JUNIPER_SRX_E2E: 3413 case DLT_JUNIPER_FIBRECHANNEL: 3414 case DLT_JUNIPER_ATM_CEMIC: 3415 3416 /* just lets verify the magic number for now - 3417 * on ATM we may have up to 6 different encapsulations on the wire 3418 * and need a lot of heuristics to figure out that the payload 3419 * might be; 3420 * 3421 * FIXME encapsulation specific BPF_ filters 3422 */ 3423 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3424 3425 case DLT_BACNET_MS_TP: 3426 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000); 3427 3428 case DLT_IPNET: 3429 return gen_ipnet_linktype(cstate, proto); 3430 3431 case DLT_LINUX_IRDA: 3432 bpf_error(cstate, "IrDA link-layer type filtering not implemented"); 3433 3434 case DLT_DOCSIS: 3435 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented"); 3436 3437 case DLT_MTP2: 3438 case DLT_MTP2_WITH_PHDR: 3439 bpf_error(cstate, "MTP2 link-layer type filtering not implemented"); 3440 3441 case DLT_ERF: 3442 bpf_error(cstate, "ERF link-layer type filtering not implemented"); 3443 3444 case DLT_PFSYNC: 3445 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented"); 3446 3447 case DLT_LINUX_LAPD: 3448 bpf_error(cstate, "LAPD link-layer type filtering not implemented"); 3449 3450 case DLT_USB_FREEBSD: 3451 case DLT_USB_LINUX: 3452 case DLT_USB_LINUX_MMAPPED: 3453 case DLT_USBPCAP: 3454 bpf_error(cstate, "USB link-layer type filtering not implemented"); 3455 3456 case DLT_BLUETOOTH_HCI_H4: 3457 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3458 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented"); 3459 3460 case DLT_CAN20B: 3461 case DLT_CAN_SOCKETCAN: 3462 bpf_error(cstate, "CAN link-layer type filtering not implemented"); 3463 3464 case DLT_IEEE802_15_4: 3465 case DLT_IEEE802_15_4_LINUX: 3466 case DLT_IEEE802_15_4_NONASK_PHY: 3467 case DLT_IEEE802_15_4_NOFCS: 3468 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented"); 3469 3470 case DLT_IEEE802_16_MAC_CPS_RADIO: 3471 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented"); 3472 3473 case DLT_SITA: 3474 bpf_error(cstate, "SITA link-layer type filtering not implemented"); 3475 3476 case DLT_RAIF1: 3477 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented"); 3478 3479 case DLT_IPMB: 3480 bpf_error(cstate, "IPMB link-layer type filtering not implemented"); 3481 3482 case DLT_AX25_KISS: 3483 bpf_error(cstate, "AX.25 link-layer type filtering not implemented"); 3484 3485 case DLT_NFLOG: 3486 /* Using the fixed-size NFLOG header it is possible to tell only 3487 * the address family of the packet, other meaningful data is 3488 * either missing or behind TLVs. 3489 */ 3490 bpf_error(cstate, "NFLOG link-layer type filtering not implemented"); 3491 3492 default: 3493 /* 3494 * Does this link-layer header type have a field 3495 * indicating the type of the next protocol? If 3496 * so, off_linktype.constant_part will be the offset of that 3497 * field in the packet; if not, it will be OFFSET_NOT_SET. 3498 */ 3499 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) { 3500 /* 3501 * Yes; assume it's an Ethernet type. (If 3502 * it's not, it needs to be handled specially 3503 * above.) 3504 */ 3505 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3506 } else { 3507 /* 3508 * No; report an error. 3509 */ 3510 description = pcap_datalink_val_to_description(cstate->linktype); 3511 if (description != NULL) { 3512 bpf_error(cstate, "%s link-layer type filtering not implemented", 3513 description); 3514 } else { 3515 bpf_error(cstate, "DLT %u link-layer type filtering not implemented", 3516 cstate->linktype); 3517 } 3518 } 3519 break; 3520 } 3521 } 3522 3523 /* 3524 * Check for an LLC SNAP packet with a given organization code and 3525 * protocol type; we check the entire contents of the 802.2 LLC and 3526 * snap headers, checking for DSAP and SSAP of SNAP and a control 3527 * field of 0x03 in the LLC header, and for the specified organization 3528 * code and protocol type in the SNAP header. 3529 */ 3530 static struct block * 3531 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype) 3532 { 3533 u_char snapblock[8]; 3534 3535 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3536 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3537 snapblock[2] = 0x03; /* control = UI */ 3538 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3539 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3540 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3541 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3542 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3543 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock); 3544 } 3545 3546 /* 3547 * Generate code to match frames with an LLC header. 3548 */ 3549 struct block * 3550 gen_llc(compiler_state_t *cstate) 3551 { 3552 struct block *b0, *b1; 3553 3554 switch (cstate->linktype) { 3555 3556 case DLT_EN10MB: 3557 /* 3558 * We check for an Ethernet type field less than 3559 * 1500, which means it's an 802.3 length field. 3560 */ 3561 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 3562 gen_not(b0); 3563 3564 /* 3565 * Now check for the purported DSAP and SSAP not being 3566 * 0xFF, to rule out NetWare-over-802.3. 3567 */ 3568 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 3569 gen_not(b1); 3570 gen_and(b0, b1); 3571 return b1; 3572 3573 case DLT_SUNATM: 3574 /* 3575 * We check for LLC traffic. 3576 */ 3577 b0 = gen_atmtype_abbrev(cstate, A_LLC); 3578 return b0; 3579 3580 case DLT_IEEE802: /* Token Ring */ 3581 /* 3582 * XXX - check for LLC frames. 3583 */ 3584 return gen_true(cstate); 3585 3586 case DLT_FDDI: 3587 /* 3588 * XXX - check for LLC frames. 3589 */ 3590 return gen_true(cstate); 3591 3592 case DLT_ATM_RFC1483: 3593 /* 3594 * For LLC encapsulation, these are defined to have an 3595 * 802.2 LLC header. 3596 * 3597 * For VC encapsulation, they don't, but there's no 3598 * way to check for that; the protocol used on the VC 3599 * is negotiated out of band. 3600 */ 3601 return gen_true(cstate); 3602 3603 case DLT_IEEE802_11: 3604 case DLT_PRISM_HEADER: 3605 case DLT_IEEE802_11_RADIO: 3606 case DLT_IEEE802_11_RADIO_AVS: 3607 case DLT_PPI: 3608 /* 3609 * Check that we have a data frame. 3610 */ 3611 b0 = gen_check_802_11_data_frame(cstate); 3612 return b0; 3613 3614 default: 3615 bpf_error(cstate, "'llc' not supported for linktype %d", cstate->linktype); 3616 /* NOTREACHED */ 3617 } 3618 } 3619 3620 struct block * 3621 gen_llc_i(compiler_state_t *cstate) 3622 { 3623 struct block *b0, *b1; 3624 struct slist *s; 3625 3626 /* 3627 * Check whether this is an LLC frame. 3628 */ 3629 b0 = gen_llc(cstate); 3630 3631 /* 3632 * Load the control byte and test the low-order bit; it must 3633 * be clear for I frames. 3634 */ 3635 s = gen_load_a(cstate, OR_LLC, 2, BPF_B); 3636 b1 = new_block(cstate, JMP(BPF_JSET)); 3637 b1->s.k = 0x01; 3638 b1->stmts = s; 3639 gen_not(b1); 3640 gen_and(b0, b1); 3641 return b1; 3642 } 3643 3644 struct block * 3645 gen_llc_s(compiler_state_t *cstate) 3646 { 3647 struct block *b0, *b1; 3648 3649 /* 3650 * Check whether this is an LLC frame. 3651 */ 3652 b0 = gen_llc(cstate); 3653 3654 /* 3655 * Now compare the low-order 2 bit of the control byte against 3656 * the appropriate value for S frames. 3657 */ 3658 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03); 3659 gen_and(b0, b1); 3660 return b1; 3661 } 3662 3663 struct block * 3664 gen_llc_u(compiler_state_t *cstate) 3665 { 3666 struct block *b0, *b1; 3667 3668 /* 3669 * Check whether this is an LLC frame. 3670 */ 3671 b0 = gen_llc(cstate); 3672 3673 /* 3674 * Now compare the low-order 2 bit of the control byte against 3675 * the appropriate value for U frames. 3676 */ 3677 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03); 3678 gen_and(b0, b1); 3679 return b1; 3680 } 3681 3682 struct block * 3683 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3684 { 3685 struct block *b0, *b1; 3686 3687 /* 3688 * Check whether this is an LLC frame. 3689 */ 3690 b0 = gen_llc(cstate); 3691 3692 /* 3693 * Now check for an S frame with the appropriate type. 3694 */ 3695 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3696 gen_and(b0, b1); 3697 return b1; 3698 } 3699 3700 struct block * 3701 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3702 { 3703 struct block *b0, *b1; 3704 3705 /* 3706 * Check whether this is an LLC frame. 3707 */ 3708 b0 = gen_llc(cstate); 3709 3710 /* 3711 * Now check for a U frame with the appropriate type. 3712 */ 3713 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3714 gen_and(b0, b1); 3715 return b1; 3716 } 3717 3718 /* 3719 * Generate code to match a particular packet type, for link-layer types 3720 * using 802.2 LLC headers. 3721 * 3722 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3723 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3724 * 3725 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3726 * value, if <= ETHERMTU. We use that to determine whether to 3727 * match the DSAP or both DSAP and LSAP or to check the OUI and 3728 * protocol ID in a SNAP header. 3729 */ 3730 static struct block * 3731 gen_llc_linktype(compiler_state_t *cstate, int proto) 3732 { 3733 /* 3734 * XXX - handle token-ring variable-length header. 3735 */ 3736 switch (proto) { 3737 3738 case LLCSAP_IP: 3739 case LLCSAP_ISONS: 3740 case LLCSAP_NETBEUI: 3741 /* 3742 * XXX - should we check both the DSAP and the 3743 * SSAP, like this, or should we check just the 3744 * DSAP, as we do for other SAP values? 3745 */ 3746 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32) 3747 ((proto << 8) | proto)); 3748 3749 case LLCSAP_IPX: 3750 /* 3751 * XXX - are there ever SNAP frames for IPX on 3752 * non-Ethernet 802.x networks? 3753 */ 3754 return gen_cmp(cstate, OR_LLC, 0, BPF_B, 3755 (bpf_int32)LLCSAP_IPX); 3756 3757 case ETHERTYPE_ATALK: 3758 /* 3759 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3760 * SNAP packets with an organization code of 3761 * 0x080007 (Apple, for Appletalk) and a protocol 3762 * type of ETHERTYPE_ATALK (Appletalk). 3763 * 3764 * XXX - check for an organization code of 3765 * encapsulated Ethernet as well? 3766 */ 3767 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 3768 3769 default: 3770 /* 3771 * XXX - we don't have to check for IPX 802.3 3772 * here, but should we check for the IPX Ethertype? 3773 */ 3774 if (proto <= ETHERMTU) { 3775 /* 3776 * This is an LLC SAP value, so check 3777 * the DSAP. 3778 */ 3779 return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto); 3780 } else { 3781 /* 3782 * This is an Ethernet type; we assume that it's 3783 * unlikely that it'll appear in the right place 3784 * at random, and therefore check only the 3785 * location that would hold the Ethernet type 3786 * in a SNAP frame with an organization code of 3787 * 0x000000 (encapsulated Ethernet). 3788 * 3789 * XXX - if we were to check for the SNAP DSAP and 3790 * LSAP, as per XXX, and were also to check for an 3791 * organization code of 0x000000 (encapsulated 3792 * Ethernet), we'd do 3793 * 3794 * return gen_snap(cstate, 0x000000, proto); 3795 * 3796 * here; for now, we don't, as per the above. 3797 * I don't know whether it's worth the extra CPU 3798 * time to do the right check or not. 3799 */ 3800 return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto); 3801 } 3802 } 3803 } 3804 3805 static struct block * 3806 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 3807 int dir, int proto, u_int src_off, u_int dst_off) 3808 { 3809 struct block *b0, *b1; 3810 u_int offset; 3811 3812 switch (dir) { 3813 3814 case Q_SRC: 3815 offset = src_off; 3816 break; 3817 3818 case Q_DST: 3819 offset = dst_off; 3820 break; 3821 3822 case Q_AND: 3823 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3824 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3825 gen_and(b0, b1); 3826 return b1; 3827 3828 case Q_OR: 3829 case Q_DEFAULT: 3830 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3831 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3832 gen_or(b0, b1); 3833 return b1; 3834 3835 default: 3836 abort(); 3837 } 3838 b0 = gen_linktype(cstate, proto); 3839 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask); 3840 gen_and(b0, b1); 3841 return b1; 3842 } 3843 3844 #ifdef INET6 3845 static struct block * 3846 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr, 3847 struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off) 3848 { 3849 struct block *b0, *b1; 3850 u_int offset; 3851 u_int32_t *a, *m; 3852 3853 switch (dir) { 3854 3855 case Q_SRC: 3856 offset = src_off; 3857 break; 3858 3859 case Q_DST: 3860 offset = dst_off; 3861 break; 3862 3863 case Q_AND: 3864 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3865 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3866 gen_and(b0, b1); 3867 return b1; 3868 3869 case Q_OR: 3870 case Q_DEFAULT: 3871 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3872 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3873 gen_or(b0, b1); 3874 return b1; 3875 3876 default: 3877 abort(); 3878 } 3879 /* this order is important */ 3880 a = (u_int32_t *)addr; 3881 m = (u_int32_t *)mask; 3882 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3883 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3884 gen_and(b0, b1); 3885 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3886 gen_and(b0, b1); 3887 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3888 gen_and(b0, b1); 3889 b0 = gen_linktype(cstate, proto); 3890 gen_and(b0, b1); 3891 return b1; 3892 } 3893 #endif 3894 3895 static struct block * 3896 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 3897 { 3898 register struct block *b0, *b1; 3899 3900 switch (dir) { 3901 case Q_SRC: 3902 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr); 3903 3904 case Q_DST: 3905 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr); 3906 3907 case Q_AND: 3908 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 3909 b1 = gen_ehostop(cstate, eaddr, Q_DST); 3910 gen_and(b0, b1); 3911 return b1; 3912 3913 case Q_DEFAULT: 3914 case Q_OR: 3915 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 3916 b1 = gen_ehostop(cstate, eaddr, Q_DST); 3917 gen_or(b0, b1); 3918 return b1; 3919 3920 case Q_ADDR1: 3921 bpf_error(cstate, "'addr1' is only supported on 802.11 with 802.11 headers"); 3922 break; 3923 3924 case Q_ADDR2: 3925 bpf_error(cstate, "'addr2' is only supported on 802.11 with 802.11 headers"); 3926 break; 3927 3928 case Q_ADDR3: 3929 bpf_error(cstate, "'addr3' is only supported on 802.11 with 802.11 headers"); 3930 break; 3931 3932 case Q_ADDR4: 3933 bpf_error(cstate, "'addr4' is only supported on 802.11 with 802.11 headers"); 3934 break; 3935 3936 case Q_RA: 3937 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers"); 3938 break; 3939 3940 case Q_TA: 3941 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers"); 3942 break; 3943 } 3944 abort(); 3945 /* NOTREACHED */ 3946 } 3947 3948 /* 3949 * Like gen_ehostop, but for DLT_FDDI 3950 */ 3951 static struct block * 3952 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 3953 { 3954 struct block *b0, *b1; 3955 3956 switch (dir) { 3957 case Q_SRC: 3958 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr); 3959 3960 case Q_DST: 3961 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr); 3962 3963 case Q_AND: 3964 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 3965 b1 = gen_fhostop(cstate, eaddr, Q_DST); 3966 gen_and(b0, b1); 3967 return b1; 3968 3969 case Q_DEFAULT: 3970 case Q_OR: 3971 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 3972 b1 = gen_fhostop(cstate, eaddr, Q_DST); 3973 gen_or(b0, b1); 3974 return b1; 3975 3976 case Q_ADDR1: 3977 bpf_error(cstate, "'addr1' is only supported on 802.11"); 3978 break; 3979 3980 case Q_ADDR2: 3981 bpf_error(cstate, "'addr2' is only supported on 802.11"); 3982 break; 3983 3984 case Q_ADDR3: 3985 bpf_error(cstate, "'addr3' is only supported on 802.11"); 3986 break; 3987 3988 case Q_ADDR4: 3989 bpf_error(cstate, "'addr4' is only supported on 802.11"); 3990 break; 3991 3992 case Q_RA: 3993 bpf_error(cstate, "'ra' is only supported on 802.11"); 3994 break; 3995 3996 case Q_TA: 3997 bpf_error(cstate, "'ta' is only supported on 802.11"); 3998 break; 3999 } 4000 abort(); 4001 /* NOTREACHED */ 4002 } 4003 4004 /* 4005 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 4006 */ 4007 static struct block * 4008 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4009 { 4010 register struct block *b0, *b1; 4011 4012 switch (dir) { 4013 case Q_SRC: 4014 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr); 4015 4016 case Q_DST: 4017 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4018 4019 case Q_AND: 4020 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4021 b1 = gen_thostop(cstate, eaddr, Q_DST); 4022 gen_and(b0, b1); 4023 return b1; 4024 4025 case Q_DEFAULT: 4026 case Q_OR: 4027 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4028 b1 = gen_thostop(cstate, eaddr, Q_DST); 4029 gen_or(b0, b1); 4030 return b1; 4031 4032 case Q_ADDR1: 4033 bpf_error(cstate, "'addr1' is only supported on 802.11"); 4034 break; 4035 4036 case Q_ADDR2: 4037 bpf_error(cstate, "'addr2' is only supported on 802.11"); 4038 break; 4039 4040 case Q_ADDR3: 4041 bpf_error(cstate, "'addr3' is only supported on 802.11"); 4042 break; 4043 4044 case Q_ADDR4: 4045 bpf_error(cstate, "'addr4' is only supported on 802.11"); 4046 break; 4047 4048 case Q_RA: 4049 bpf_error(cstate, "'ra' is only supported on 802.11"); 4050 break; 4051 4052 case Q_TA: 4053 bpf_error(cstate, "'ta' is only supported on 802.11"); 4054 break; 4055 } 4056 abort(); 4057 /* NOTREACHED */ 4058 } 4059 4060 /* 4061 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 4062 * various 802.11 + radio headers. 4063 */ 4064 static struct block * 4065 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4066 { 4067 register struct block *b0, *b1, *b2; 4068 register struct slist *s; 4069 4070 #ifdef ENABLE_WLAN_FILTERING_PATCH 4071 /* 4072 * TODO GV 20070613 4073 * We need to disable the optimizer because the optimizer is buggy 4074 * and wipes out some LD instructions generated by the below 4075 * code to validate the Frame Control bits 4076 */ 4077 cstate->no_optimize = 1; 4078 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 4079 4080 switch (dir) { 4081 case Q_SRC: 4082 /* 4083 * Oh, yuk. 4084 * 4085 * For control frames, there is no SA. 4086 * 4087 * For management frames, SA is at an 4088 * offset of 10 from the beginning of 4089 * the packet. 4090 * 4091 * For data frames, SA is at an offset 4092 * of 10 from the beginning of the packet 4093 * if From DS is clear, at an offset of 4094 * 16 from the beginning of the packet 4095 * if From DS is set and To DS is clear, 4096 * and an offset of 24 from the beginning 4097 * of the packet if From DS is set and To DS 4098 * is set. 4099 */ 4100 4101 /* 4102 * Generate the tests to be done for data frames 4103 * with From DS set. 4104 * 4105 * First, check for To DS set, i.e. check "link[1] & 0x01". 4106 */ 4107 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4108 b1 = new_block(cstate, JMP(BPF_JSET)); 4109 b1->s.k = 0x01; /* To DS */ 4110 b1->stmts = s; 4111 4112 /* 4113 * If To DS is set, the SA is at 24. 4114 */ 4115 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4116 gen_and(b1, b0); 4117 4118 /* 4119 * Now, check for To DS not set, i.e. check 4120 * "!(link[1] & 0x01)". 4121 */ 4122 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4123 b2 = new_block(cstate, JMP(BPF_JSET)); 4124 b2->s.k = 0x01; /* To DS */ 4125 b2->stmts = s; 4126 gen_not(b2); 4127 4128 /* 4129 * If To DS is not set, the SA is at 16. 4130 */ 4131 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4132 gen_and(b2, b1); 4133 4134 /* 4135 * Now OR together the last two checks. That gives 4136 * the complete set of checks for data frames with 4137 * From DS set. 4138 */ 4139 gen_or(b1, b0); 4140 4141 /* 4142 * Now check for From DS being set, and AND that with 4143 * the ORed-together checks. 4144 */ 4145 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4146 b1 = new_block(cstate, JMP(BPF_JSET)); 4147 b1->s.k = 0x02; /* From DS */ 4148 b1->stmts = s; 4149 gen_and(b1, b0); 4150 4151 /* 4152 * Now check for data frames with From DS not set. 4153 */ 4154 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4155 b2 = new_block(cstate, JMP(BPF_JSET)); 4156 b2->s.k = 0x02; /* From DS */ 4157 b2->stmts = s; 4158 gen_not(b2); 4159 4160 /* 4161 * If From DS isn't set, the SA is at 10. 4162 */ 4163 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4164 gen_and(b2, b1); 4165 4166 /* 4167 * Now OR together the checks for data frames with 4168 * From DS not set and for data frames with From DS 4169 * set; that gives the checks done for data frames. 4170 */ 4171 gen_or(b1, b0); 4172 4173 /* 4174 * Now check for a data frame. 4175 * I.e, check "link[0] & 0x08". 4176 */ 4177 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4178 b1 = new_block(cstate, JMP(BPF_JSET)); 4179 b1->s.k = 0x08; 4180 b1->stmts = s; 4181 4182 /* 4183 * AND that with the checks done for data frames. 4184 */ 4185 gen_and(b1, b0); 4186 4187 /* 4188 * If the high-order bit of the type value is 0, this 4189 * is a management frame. 4190 * I.e, check "!(link[0] & 0x08)". 4191 */ 4192 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4193 b2 = new_block(cstate, JMP(BPF_JSET)); 4194 b2->s.k = 0x08; 4195 b2->stmts = s; 4196 gen_not(b2); 4197 4198 /* 4199 * For management frames, the SA is at 10. 4200 */ 4201 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4202 gen_and(b2, b1); 4203 4204 /* 4205 * OR that with the checks done for data frames. 4206 * That gives the checks done for management and 4207 * data frames. 4208 */ 4209 gen_or(b1, b0); 4210 4211 /* 4212 * If the low-order bit of the type value is 1, 4213 * this is either a control frame or a frame 4214 * with a reserved type, and thus not a 4215 * frame with an SA. 4216 * 4217 * I.e., check "!(link[0] & 0x04)". 4218 */ 4219 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4220 b1 = new_block(cstate, JMP(BPF_JSET)); 4221 b1->s.k = 0x04; 4222 b1->stmts = s; 4223 gen_not(b1); 4224 4225 /* 4226 * AND that with the checks for data and management 4227 * frames. 4228 */ 4229 gen_and(b1, b0); 4230 return b0; 4231 4232 case Q_DST: 4233 /* 4234 * Oh, yuk. 4235 * 4236 * For control frames, there is no DA. 4237 * 4238 * For management frames, DA is at an 4239 * offset of 4 from the beginning of 4240 * the packet. 4241 * 4242 * For data frames, DA is at an offset 4243 * of 4 from the beginning of the packet 4244 * if To DS is clear and at an offset of 4245 * 16 from the beginning of the packet 4246 * if To DS is set. 4247 */ 4248 4249 /* 4250 * Generate the tests to be done for data frames. 4251 * 4252 * First, check for To DS set, i.e. "link[1] & 0x01". 4253 */ 4254 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4255 b1 = new_block(cstate, JMP(BPF_JSET)); 4256 b1->s.k = 0x01; /* To DS */ 4257 b1->stmts = s; 4258 4259 /* 4260 * If To DS is set, the DA is at 16. 4261 */ 4262 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4263 gen_and(b1, b0); 4264 4265 /* 4266 * Now, check for To DS not set, i.e. check 4267 * "!(link[1] & 0x01)". 4268 */ 4269 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4270 b2 = new_block(cstate, JMP(BPF_JSET)); 4271 b2->s.k = 0x01; /* To DS */ 4272 b2->stmts = s; 4273 gen_not(b2); 4274 4275 /* 4276 * If To DS is not set, the DA is at 4. 4277 */ 4278 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4279 gen_and(b2, b1); 4280 4281 /* 4282 * Now OR together the last two checks. That gives 4283 * the complete set of checks for data frames. 4284 */ 4285 gen_or(b1, b0); 4286 4287 /* 4288 * Now check for a data frame. 4289 * I.e, check "link[0] & 0x08". 4290 */ 4291 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4292 b1 = new_block(cstate, JMP(BPF_JSET)); 4293 b1->s.k = 0x08; 4294 b1->stmts = s; 4295 4296 /* 4297 * AND that with the checks done for data frames. 4298 */ 4299 gen_and(b1, b0); 4300 4301 /* 4302 * If the high-order bit of the type value is 0, this 4303 * is a management frame. 4304 * I.e, check "!(link[0] & 0x08)". 4305 */ 4306 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4307 b2 = new_block(cstate, JMP(BPF_JSET)); 4308 b2->s.k = 0x08; 4309 b2->stmts = s; 4310 gen_not(b2); 4311 4312 /* 4313 * For management frames, the DA is at 4. 4314 */ 4315 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4316 gen_and(b2, b1); 4317 4318 /* 4319 * OR that with the checks done for data frames. 4320 * That gives the checks done for management and 4321 * data frames. 4322 */ 4323 gen_or(b1, b0); 4324 4325 /* 4326 * If the low-order bit of the type value is 1, 4327 * this is either a control frame or a frame 4328 * with a reserved type, and thus not a 4329 * frame with an SA. 4330 * 4331 * I.e., check "!(link[0] & 0x04)". 4332 */ 4333 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4334 b1 = new_block(cstate, JMP(BPF_JSET)); 4335 b1->s.k = 0x04; 4336 b1->stmts = s; 4337 gen_not(b1); 4338 4339 /* 4340 * AND that with the checks for data and management 4341 * frames. 4342 */ 4343 gen_and(b1, b0); 4344 return b0; 4345 4346 case Q_RA: 4347 /* 4348 * Not present in management frames; addr1 in other 4349 * frames. 4350 */ 4351 4352 /* 4353 * If the high-order bit of the type value is 0, this 4354 * is a management frame. 4355 * I.e, check "(link[0] & 0x08)". 4356 */ 4357 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4358 b1 = new_block(cstate, JMP(BPF_JSET)); 4359 b1->s.k = 0x08; 4360 b1->stmts = s; 4361 4362 /* 4363 * Check addr1. 4364 */ 4365 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4366 4367 /* 4368 * AND that with the check of addr1. 4369 */ 4370 gen_and(b1, b0); 4371 return (b0); 4372 4373 case Q_TA: 4374 /* 4375 * Not present in management frames; addr2, if present, 4376 * in other frames. 4377 */ 4378 4379 /* 4380 * Not present in CTS or ACK control frames. 4381 */ 4382 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4383 IEEE80211_FC0_TYPE_MASK); 4384 gen_not(b0); 4385 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4386 IEEE80211_FC0_SUBTYPE_MASK); 4387 gen_not(b1); 4388 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4389 IEEE80211_FC0_SUBTYPE_MASK); 4390 gen_not(b2); 4391 gen_and(b1, b2); 4392 gen_or(b0, b2); 4393 4394 /* 4395 * If the high-order bit of the type value is 0, this 4396 * is a management frame. 4397 * I.e, check "(link[0] & 0x08)". 4398 */ 4399 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4400 b1 = new_block(cstate, JMP(BPF_JSET)); 4401 b1->s.k = 0x08; 4402 b1->stmts = s; 4403 4404 /* 4405 * AND that with the check for frames other than 4406 * CTS and ACK frames. 4407 */ 4408 gen_and(b1, b2); 4409 4410 /* 4411 * Check addr2. 4412 */ 4413 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4414 gen_and(b2, b1); 4415 return b1; 4416 4417 /* 4418 * XXX - add BSSID keyword? 4419 */ 4420 case Q_ADDR1: 4421 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr)); 4422 4423 case Q_ADDR2: 4424 /* 4425 * Not present in CTS or ACK control frames. 4426 */ 4427 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4428 IEEE80211_FC0_TYPE_MASK); 4429 gen_not(b0); 4430 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4431 IEEE80211_FC0_SUBTYPE_MASK); 4432 gen_not(b1); 4433 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4434 IEEE80211_FC0_SUBTYPE_MASK); 4435 gen_not(b2); 4436 gen_and(b1, b2); 4437 gen_or(b0, b2); 4438 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4439 gen_and(b2, b1); 4440 return b1; 4441 4442 case Q_ADDR3: 4443 /* 4444 * Not present in control frames. 4445 */ 4446 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4447 IEEE80211_FC0_TYPE_MASK); 4448 gen_not(b0); 4449 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4450 gen_and(b0, b1); 4451 return b1; 4452 4453 case Q_ADDR4: 4454 /* 4455 * Present only if the direction mask has both "From DS" 4456 * and "To DS" set. Neither control frames nor management 4457 * frames should have both of those set, so we don't 4458 * check the frame type. 4459 */ 4460 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, 4461 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4462 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4463 gen_and(b0, b1); 4464 return b1; 4465 4466 case Q_AND: 4467 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4468 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4469 gen_and(b0, b1); 4470 return b1; 4471 4472 case Q_DEFAULT: 4473 case Q_OR: 4474 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4475 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4476 gen_or(b0, b1); 4477 return b1; 4478 } 4479 abort(); 4480 /* NOTREACHED */ 4481 } 4482 4483 /* 4484 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4485 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4486 * as the RFC states.) 4487 */ 4488 static struct block * 4489 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4490 { 4491 register struct block *b0, *b1; 4492 4493 switch (dir) { 4494 case Q_SRC: 4495 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4496 4497 case Q_DST: 4498 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4499 4500 case Q_AND: 4501 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4502 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4503 gen_and(b0, b1); 4504 return b1; 4505 4506 case Q_DEFAULT: 4507 case Q_OR: 4508 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4509 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4510 gen_or(b0, b1); 4511 return b1; 4512 4513 case Q_ADDR1: 4514 bpf_error(cstate, "'addr1' is only supported on 802.11"); 4515 break; 4516 4517 case Q_ADDR2: 4518 bpf_error(cstate, "'addr2' is only supported on 802.11"); 4519 break; 4520 4521 case Q_ADDR3: 4522 bpf_error(cstate, "'addr3' is only supported on 802.11"); 4523 break; 4524 4525 case Q_ADDR4: 4526 bpf_error(cstate, "'addr4' is only supported on 802.11"); 4527 break; 4528 4529 case Q_RA: 4530 bpf_error(cstate, "'ra' is only supported on 802.11"); 4531 break; 4532 4533 case Q_TA: 4534 bpf_error(cstate, "'ta' is only supported on 802.11"); 4535 break; 4536 } 4537 abort(); 4538 /* NOTREACHED */ 4539 } 4540 4541 /* 4542 * This is quite tricky because there may be pad bytes in front of the 4543 * DECNET header, and then there are two possible data packet formats that 4544 * carry both src and dst addresses, plus 5 packet types in a format that 4545 * carries only the src node, plus 2 types that use a different format and 4546 * also carry just the src node. 4547 * 4548 * Yuck. 4549 * 4550 * Instead of doing those all right, we just look for data packets with 4551 * 0 or 1 bytes of padding. If you want to look at other packets, that 4552 * will require a lot more hacking. 4553 * 4554 * To add support for filtering on DECNET "areas" (network numbers) 4555 * one would want to add a "mask" argument to this routine. That would 4556 * make the filter even more inefficient, although one could be clever 4557 * and not generate masking instructions if the mask is 0xFFFF. 4558 */ 4559 static struct block * 4560 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir) 4561 { 4562 struct block *b0, *b1, *b2, *tmp; 4563 u_int offset_lh; /* offset if long header is received */ 4564 u_int offset_sh; /* offset if short header is received */ 4565 4566 switch (dir) { 4567 4568 case Q_DST: 4569 offset_sh = 1; /* follows flags */ 4570 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4571 break; 4572 4573 case Q_SRC: 4574 offset_sh = 3; /* follows flags, dstnode */ 4575 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4576 break; 4577 4578 case Q_AND: 4579 /* Inefficient because we do our Calvinball dance twice */ 4580 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4581 b1 = gen_dnhostop(cstate, addr, Q_DST); 4582 gen_and(b0, b1); 4583 return b1; 4584 4585 case Q_OR: 4586 case Q_DEFAULT: 4587 /* Inefficient because we do our Calvinball dance twice */ 4588 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4589 b1 = gen_dnhostop(cstate, addr, Q_DST); 4590 gen_or(b0, b1); 4591 return b1; 4592 4593 case Q_ISO: 4594 bpf_error(cstate, "ISO host filtering not implemented"); 4595 4596 default: 4597 abort(); 4598 } 4599 b0 = gen_linktype(cstate, ETHERTYPE_DN); 4600 /* Check for pad = 1, long header case */ 4601 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4602 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4603 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh, 4604 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4605 gen_and(tmp, b1); 4606 /* Check for pad = 0, long header case */ 4607 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4608 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4609 gen_and(tmp, b2); 4610 gen_or(b2, b1); 4611 /* Check for pad = 1, short header case */ 4612 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4613 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4614 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4615 gen_and(tmp, b2); 4616 gen_or(b2, b1); 4617 /* Check for pad = 0, short header case */ 4618 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4619 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4620 gen_and(tmp, b2); 4621 gen_or(b2, b1); 4622 4623 /* Combine with test for cstate->linktype */ 4624 gen_and(b0, b1); 4625 return b1; 4626 } 4627 4628 /* 4629 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4630 * test the bottom-of-stack bit, and then check the version number 4631 * field in the IP header. 4632 */ 4633 static struct block * 4634 gen_mpls_linktype(compiler_state_t *cstate, int proto) 4635 { 4636 struct block *b0, *b1; 4637 4638 switch (proto) { 4639 4640 case Q_IP: 4641 /* match the bottom-of-stack bit */ 4642 b0 = gen_mcmp(cstate, OR_LINKPL, -2, BPF_B, 0x01, 0x01); 4643 /* match the IPv4 version number */ 4644 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0); 4645 gen_and(b0, b1); 4646 return b1; 4647 4648 case Q_IPV6: 4649 /* match the bottom-of-stack bit */ 4650 b0 = gen_mcmp(cstate, OR_LINKPL, -2, BPF_B, 0x01, 0x01); 4651 /* match the IPv4 version number */ 4652 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0); 4653 gen_and(b0, b1); 4654 return b1; 4655 4656 default: 4657 abort(); 4658 } 4659 } 4660 4661 static struct block * 4662 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 4663 int proto, int dir, int type) 4664 { 4665 struct block *b0, *b1; 4666 const char *typestr; 4667 4668 if (type == Q_NET) 4669 typestr = "net"; 4670 else 4671 typestr = "host"; 4672 4673 switch (proto) { 4674 4675 case Q_DEFAULT: 4676 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type); 4677 /* 4678 * Only check for non-IPv4 addresses if we're not 4679 * checking MPLS-encapsulated packets. 4680 */ 4681 if (cstate->label_stack_depth == 0) { 4682 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type); 4683 gen_or(b0, b1); 4684 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type); 4685 gen_or(b1, b0); 4686 } 4687 return b0; 4688 4689 case Q_IP: 4690 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16); 4691 4692 case Q_RARP: 4693 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4694 4695 case Q_ARP: 4696 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4697 4698 case Q_TCP: 4699 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4700 4701 case Q_SCTP: 4702 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4703 4704 case Q_UDP: 4705 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4706 4707 case Q_ICMP: 4708 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4709 4710 case Q_IGMP: 4711 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4712 4713 case Q_IGRP: 4714 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4715 4716 case Q_PIM: 4717 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 4718 4719 case Q_VRRP: 4720 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 4721 4722 case Q_CARP: 4723 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 4724 4725 case Q_ATALK: 4726 bpf_error(cstate, "ATALK host filtering not implemented"); 4727 4728 case Q_AARP: 4729 bpf_error(cstate, "AARP host filtering not implemented"); 4730 4731 case Q_DECNET: 4732 return gen_dnhostop(cstate, addr, dir); 4733 4734 case Q_SCA: 4735 bpf_error(cstate, "SCA host filtering not implemented"); 4736 4737 case Q_LAT: 4738 bpf_error(cstate, "LAT host filtering not implemented"); 4739 4740 case Q_MOPDL: 4741 bpf_error(cstate, "MOPDL host filtering not implemented"); 4742 4743 case Q_MOPRC: 4744 bpf_error(cstate, "MOPRC host filtering not implemented"); 4745 4746 case Q_IPV6: 4747 bpf_error(cstate, "'ip6' modifier applied to ip host"); 4748 4749 case Q_ICMPV6: 4750 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4751 4752 case Q_AH: 4753 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4754 4755 case Q_ESP: 4756 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 4757 4758 case Q_ISO: 4759 bpf_error(cstate, "ISO host filtering not implemented"); 4760 4761 case Q_ESIS: 4762 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 4763 4764 case Q_ISIS: 4765 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 4766 4767 case Q_CLNP: 4768 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 4769 4770 case Q_STP: 4771 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 4772 4773 case Q_IPX: 4774 bpf_error(cstate, "IPX host filtering not implemented"); 4775 4776 case Q_NETBEUI: 4777 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 4778 4779 case Q_RADIO: 4780 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 4781 4782 default: 4783 abort(); 4784 } 4785 /* NOTREACHED */ 4786 } 4787 4788 #ifdef INET6 4789 static struct block * 4790 gen_host6(compiler_state_t *cstate, struct in6_addr *addr, 4791 struct in6_addr *mask, int proto, int dir, int type) 4792 { 4793 const char *typestr; 4794 4795 if (type == Q_NET) 4796 typestr = "net"; 4797 else 4798 typestr = "host"; 4799 4800 switch (proto) { 4801 4802 case Q_DEFAULT: 4803 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type); 4804 4805 case Q_LINK: 4806 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr); 4807 4808 case Q_IP: 4809 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr); 4810 4811 case Q_RARP: 4812 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr); 4813 4814 case Q_ARP: 4815 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr); 4816 4817 case Q_SCTP: 4818 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4819 4820 case Q_TCP: 4821 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4822 4823 case Q_UDP: 4824 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4825 4826 case Q_ICMP: 4827 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4828 4829 case Q_IGMP: 4830 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4831 4832 case Q_IGRP: 4833 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4834 4835 case Q_PIM: 4836 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 4837 4838 case Q_VRRP: 4839 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 4840 4841 case Q_CARP: 4842 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 4843 4844 case Q_ATALK: 4845 bpf_error(cstate, "ATALK host filtering not implemented"); 4846 4847 case Q_AARP: 4848 bpf_error(cstate, "AARP host filtering not implemented"); 4849 4850 case Q_DECNET: 4851 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr); 4852 4853 case Q_SCA: 4854 bpf_error(cstate, "SCA host filtering not implemented"); 4855 4856 case Q_LAT: 4857 bpf_error(cstate, "LAT host filtering not implemented"); 4858 4859 case Q_MOPDL: 4860 bpf_error(cstate, "MOPDL host filtering not implemented"); 4861 4862 case Q_MOPRC: 4863 bpf_error(cstate, "MOPRC host filtering not implemented"); 4864 4865 case Q_IPV6: 4866 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4867 4868 case Q_ICMPV6: 4869 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4870 4871 case Q_AH: 4872 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4873 4874 case Q_ESP: 4875 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 4876 4877 case Q_ISO: 4878 bpf_error(cstate, "ISO host filtering not implemented"); 4879 4880 case Q_ESIS: 4881 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 4882 4883 case Q_ISIS: 4884 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 4885 4886 case Q_CLNP: 4887 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 4888 4889 case Q_STP: 4890 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 4891 4892 case Q_IPX: 4893 bpf_error(cstate, "IPX host filtering not implemented"); 4894 4895 case Q_NETBEUI: 4896 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 4897 4898 case Q_RADIO: 4899 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 4900 4901 default: 4902 abort(); 4903 } 4904 /* NOTREACHED */ 4905 } 4906 #endif 4907 4908 #ifndef INET6 4909 static struct block * 4910 gen_gateway(compiler_state_t *cstate, const u_char *eaddr, bpf_u_int32 **alist, 4911 int proto, int dir) 4912 { 4913 struct block *b0, *b1, *tmp; 4914 4915 if (dir != 0) 4916 bpf_error(cstate, "direction applied to 'gateway'"); 4917 4918 switch (proto) { 4919 case Q_DEFAULT: 4920 case Q_IP: 4921 case Q_ARP: 4922 case Q_RARP: 4923 switch (cstate->linktype) { 4924 case DLT_EN10MB: 4925 case DLT_NETANALYZER: 4926 case DLT_NETANALYZER_TRANSPARENT: 4927 b1 = gen_prevlinkhdr_check(cstate); 4928 b0 = gen_ehostop(cstate, eaddr, Q_OR); 4929 if (b1 != NULL) 4930 gen_and(b1, b0); 4931 break; 4932 case DLT_FDDI: 4933 b0 = gen_fhostop(cstate, eaddr, Q_OR); 4934 break; 4935 case DLT_IEEE802: 4936 b0 = gen_thostop(cstate, eaddr, Q_OR); 4937 break; 4938 case DLT_IEEE802_11: 4939 case DLT_PRISM_HEADER: 4940 case DLT_IEEE802_11_RADIO_AVS: 4941 case DLT_IEEE802_11_RADIO: 4942 case DLT_PPI: 4943 b0 = gen_wlanhostop(cstate, eaddr, Q_OR); 4944 break; 4945 case DLT_SUNATM: 4946 /* 4947 * This is LLC-multiplexed traffic; if it were 4948 * LANE, cstate->linktype would have been set to 4949 * DLT_EN10MB. 4950 */ 4951 bpf_error(cstate, 4952 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4953 break; 4954 case DLT_IP_OVER_FC: 4955 b0 = gen_ipfchostop(cstate, eaddr, Q_OR); 4956 break; 4957 default: 4958 bpf_error(cstate, 4959 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4960 } 4961 b1 = gen_host(cstate, **alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4962 while (*alist) { 4963 tmp = gen_host(cstate, **alist++, 0xffffffff, proto, Q_OR, 4964 Q_HOST); 4965 gen_or(b1, tmp); 4966 b1 = tmp; 4967 } 4968 gen_not(b1); 4969 gen_and(b0, b1); 4970 return b1; 4971 } 4972 bpf_error(cstate, "illegal modifier of 'gateway'"); 4973 /* NOTREACHED */ 4974 } 4975 #endif 4976 4977 struct block * 4978 gen_proto_abbrev(compiler_state_t *cstate, int proto) 4979 { 4980 struct block *b0; 4981 struct block *b1; 4982 4983 switch (proto) { 4984 4985 case Q_SCTP: 4986 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4987 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4988 gen_or(b0, b1); 4989 break; 4990 4991 case Q_TCP: 4992 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT); 4993 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4994 gen_or(b0, b1); 4995 break; 4996 4997 case Q_UDP: 4998 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT); 4999 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 5000 gen_or(b0, b1); 5001 break; 5002 5003 case Q_ICMP: 5004 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT); 5005 break; 5006 5007 #ifndef IPPROTO_IGMP 5008 #define IPPROTO_IGMP 2 5009 #endif 5010 5011 case Q_IGMP: 5012 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT); 5013 break; 5014 5015 #ifndef IPPROTO_IGRP 5016 #define IPPROTO_IGRP 9 5017 #endif 5018 case Q_IGRP: 5019 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT); 5020 break; 5021 5022 #ifndef IPPROTO_PIM 5023 #define IPPROTO_PIM 103 5024 #endif 5025 5026 case Q_PIM: 5027 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT); 5028 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 5029 gen_or(b0, b1); 5030 break; 5031 5032 #ifndef IPPROTO_VRRP 5033 #define IPPROTO_VRRP 112 5034 #endif 5035 5036 case Q_VRRP: 5037 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT); 5038 break; 5039 5040 #ifndef IPPROTO_CARP 5041 #define IPPROTO_CARP 112 5042 #endif 5043 5044 case Q_CARP: 5045 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT); 5046 break; 5047 5048 case Q_IP: 5049 b1 = gen_linktype(cstate, ETHERTYPE_IP); 5050 break; 5051 5052 case Q_ARP: 5053 b1 = gen_linktype(cstate, ETHERTYPE_ARP); 5054 break; 5055 5056 case Q_RARP: 5057 b1 = gen_linktype(cstate, ETHERTYPE_REVARP); 5058 break; 5059 5060 case Q_LINK: 5061 bpf_error(cstate, "link layer applied in wrong context"); 5062 5063 case Q_ATALK: 5064 b1 = gen_linktype(cstate, ETHERTYPE_ATALK); 5065 break; 5066 5067 case Q_AARP: 5068 b1 = gen_linktype(cstate, ETHERTYPE_AARP); 5069 break; 5070 5071 case Q_DECNET: 5072 b1 = gen_linktype(cstate, ETHERTYPE_DN); 5073 break; 5074 5075 case Q_SCA: 5076 b1 = gen_linktype(cstate, ETHERTYPE_SCA); 5077 break; 5078 5079 case Q_LAT: 5080 b1 = gen_linktype(cstate, ETHERTYPE_LAT); 5081 break; 5082 5083 case Q_MOPDL: 5084 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL); 5085 break; 5086 5087 case Q_MOPRC: 5088 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC); 5089 break; 5090 5091 case Q_IPV6: 5092 b1 = gen_linktype(cstate, ETHERTYPE_IPV6); 5093 break; 5094 5095 #ifndef IPPROTO_ICMPV6 5096 #define IPPROTO_ICMPV6 58 5097 #endif 5098 case Q_ICMPV6: 5099 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 5100 break; 5101 5102 #ifndef IPPROTO_AH 5103 #define IPPROTO_AH 51 5104 #endif 5105 case Q_AH: 5106 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT); 5107 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT); 5108 gen_or(b0, b1); 5109 break; 5110 5111 #ifndef IPPROTO_ESP 5112 #define IPPROTO_ESP 50 5113 #endif 5114 case Q_ESP: 5115 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT); 5116 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 5117 gen_or(b0, b1); 5118 break; 5119 5120 case Q_ISO: 5121 b1 = gen_linktype(cstate, LLCSAP_ISONS); 5122 break; 5123 5124 case Q_ESIS: 5125 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT); 5126 break; 5127 5128 case Q_ISIS: 5129 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5130 break; 5131 5132 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5133 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5134 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5135 gen_or(b0, b1); 5136 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5137 gen_or(b0, b1); 5138 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5139 gen_or(b0, b1); 5140 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5141 gen_or(b0, b1); 5142 break; 5143 5144 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5145 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5146 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5147 gen_or(b0, b1); 5148 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5149 gen_or(b0, b1); 5150 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5151 gen_or(b0, b1); 5152 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5153 gen_or(b0, b1); 5154 break; 5155 5156 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5157 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5158 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5159 gen_or(b0, b1); 5160 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5161 gen_or(b0, b1); 5162 break; 5163 5164 case Q_ISIS_LSP: 5165 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5166 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5167 gen_or(b0, b1); 5168 break; 5169 5170 case Q_ISIS_SNP: 5171 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5172 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5173 gen_or(b0, b1); 5174 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5175 gen_or(b0, b1); 5176 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5177 gen_or(b0, b1); 5178 break; 5179 5180 case Q_ISIS_CSNP: 5181 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5182 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5183 gen_or(b0, b1); 5184 break; 5185 5186 case Q_ISIS_PSNP: 5187 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5188 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5189 gen_or(b0, b1); 5190 break; 5191 5192 case Q_CLNP: 5193 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5194 break; 5195 5196 case Q_STP: 5197 b1 = gen_linktype(cstate, LLCSAP_8021D); 5198 break; 5199 5200 case Q_IPX: 5201 b1 = gen_linktype(cstate, LLCSAP_IPX); 5202 break; 5203 5204 case Q_NETBEUI: 5205 b1 = gen_linktype(cstate, LLCSAP_NETBEUI); 5206 break; 5207 5208 case Q_RADIO: 5209 bpf_error(cstate, "'radio' is not a valid protocol type"); 5210 5211 default: 5212 abort(); 5213 } 5214 return b1; 5215 } 5216 5217 static struct block * 5218 gen_ipfrag(compiler_state_t *cstate) 5219 { 5220 struct slist *s; 5221 struct block *b; 5222 5223 /* not IPv4 frag other than the first frag */ 5224 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H); 5225 b = new_block(cstate, JMP(BPF_JSET)); 5226 b->s.k = 0x1fff; 5227 b->stmts = s; 5228 gen_not(b); 5229 5230 return b; 5231 } 5232 5233 /* 5234 * Generate a comparison to a port value in the transport-layer header 5235 * at the specified offset from the beginning of that header. 5236 * 5237 * XXX - this handles a variable-length prefix preceding the link-layer 5238 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5239 * variable-length link-layer headers (such as Token Ring or 802.11 5240 * headers). 5241 */ 5242 static struct block * 5243 gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v) 5244 { 5245 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v); 5246 } 5247 5248 static struct block * 5249 gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v) 5250 { 5251 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v); 5252 } 5253 5254 struct block * 5255 gen_portop(compiler_state_t *cstate, int port, int proto, int dir) 5256 { 5257 struct block *b0, *b1, *tmp; 5258 5259 /* ip proto 'proto' and not a fragment other than the first fragment */ 5260 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5261 b0 = gen_ipfrag(cstate); 5262 gen_and(tmp, b0); 5263 5264 switch (dir) { 5265 case Q_SRC: 5266 b1 = gen_portatom(cstate, 0, (bpf_int32)port); 5267 break; 5268 5269 case Q_DST: 5270 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5271 break; 5272 5273 case Q_OR: 5274 case Q_DEFAULT: 5275 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5276 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5277 gen_or(tmp, b1); 5278 break; 5279 5280 case Q_AND: 5281 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5282 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5283 gen_and(tmp, b1); 5284 break; 5285 5286 default: 5287 abort(); 5288 } 5289 gen_and(b0, b1); 5290 5291 return b1; 5292 } 5293 5294 static struct block * 5295 gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir) 5296 { 5297 struct block *b0, *b1, *tmp; 5298 5299 /* 5300 * ether proto ip 5301 * 5302 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5303 * not LLC encapsulation with LLCSAP_IP. 5304 * 5305 * For IEEE 802 networks - which includes 802.5 token ring 5306 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5307 * says that SNAP encapsulation is used, not LLC encapsulation 5308 * with LLCSAP_IP. 5309 * 5310 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5311 * RFC 2225 say that SNAP encapsulation is used, not LLC 5312 * encapsulation with LLCSAP_IP. 5313 * 5314 * So we always check for ETHERTYPE_IP. 5315 */ 5316 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5317 5318 switch (ip_proto) { 5319 case IPPROTO_UDP: 5320 case IPPROTO_TCP: 5321 case IPPROTO_SCTP: 5322 b1 = gen_portop(cstate, port, ip_proto, dir); 5323 break; 5324 5325 case PROTO_UNDEF: 5326 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir); 5327 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir); 5328 gen_or(tmp, b1); 5329 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir); 5330 gen_or(tmp, b1); 5331 break; 5332 5333 default: 5334 abort(); 5335 } 5336 gen_and(b0, b1); 5337 return b1; 5338 } 5339 5340 struct block * 5341 gen_portop6(compiler_state_t *cstate, int port, int proto, int dir) 5342 { 5343 struct block *b0, *b1, *tmp; 5344 5345 /* ip6 proto 'proto' */ 5346 /* XXX - catch the first fragment of a fragmented packet? */ 5347 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5348 5349 switch (dir) { 5350 case Q_SRC: 5351 b1 = gen_portatom6(cstate, 0, (bpf_int32)port); 5352 break; 5353 5354 case Q_DST: 5355 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5356 break; 5357 5358 case Q_OR: 5359 case Q_DEFAULT: 5360 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5361 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5362 gen_or(tmp, b1); 5363 break; 5364 5365 case Q_AND: 5366 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5367 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5368 gen_and(tmp, b1); 5369 break; 5370 5371 default: 5372 abort(); 5373 } 5374 gen_and(b0, b1); 5375 5376 return b1; 5377 } 5378 5379 static struct block * 5380 gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir) 5381 { 5382 struct block *b0, *b1, *tmp; 5383 5384 /* link proto ip6 */ 5385 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5386 5387 switch (ip_proto) { 5388 case IPPROTO_UDP: 5389 case IPPROTO_TCP: 5390 case IPPROTO_SCTP: 5391 b1 = gen_portop6(cstate, port, ip_proto, dir); 5392 break; 5393 5394 case PROTO_UNDEF: 5395 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir); 5396 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir); 5397 gen_or(tmp, b1); 5398 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir); 5399 gen_or(tmp, b1); 5400 break; 5401 5402 default: 5403 abort(); 5404 } 5405 gen_and(b0, b1); 5406 return b1; 5407 } 5408 5409 /* gen_portrange code */ 5410 static struct block * 5411 gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1, 5412 bpf_int32 v2) 5413 { 5414 struct block *b1, *b2; 5415 5416 if (v1 > v2) { 5417 /* 5418 * Reverse the order of the ports, so v1 is the lower one. 5419 */ 5420 bpf_int32 vtemp; 5421 5422 vtemp = v1; 5423 v1 = v2; 5424 v2 = vtemp; 5425 } 5426 5427 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1); 5428 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2); 5429 5430 gen_and(b1, b2); 5431 5432 return b2; 5433 } 5434 5435 struct block * 5436 gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto, 5437 int dir) 5438 { 5439 struct block *b0, *b1, *tmp; 5440 5441 /* ip proto 'proto' and not a fragment other than the first fragment */ 5442 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5443 b0 = gen_ipfrag(cstate); 5444 gen_and(tmp, b0); 5445 5446 switch (dir) { 5447 case Q_SRC: 5448 b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5449 break; 5450 5451 case Q_DST: 5452 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5453 break; 5454 5455 case Q_OR: 5456 case Q_DEFAULT: 5457 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5458 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5459 gen_or(tmp, b1); 5460 break; 5461 5462 case Q_AND: 5463 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5464 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5465 gen_and(tmp, b1); 5466 break; 5467 5468 default: 5469 abort(); 5470 } 5471 gen_and(b0, b1); 5472 5473 return b1; 5474 } 5475 5476 static struct block * 5477 gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5478 int dir) 5479 { 5480 struct block *b0, *b1, *tmp; 5481 5482 /* link proto ip */ 5483 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5484 5485 switch (ip_proto) { 5486 case IPPROTO_UDP: 5487 case IPPROTO_TCP: 5488 case IPPROTO_SCTP: 5489 b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir); 5490 break; 5491 5492 case PROTO_UNDEF: 5493 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir); 5494 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir); 5495 gen_or(tmp, b1); 5496 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir); 5497 gen_or(tmp, b1); 5498 break; 5499 5500 default: 5501 abort(); 5502 } 5503 gen_and(b0, b1); 5504 return b1; 5505 } 5506 5507 static struct block * 5508 gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1, 5509 bpf_int32 v2) 5510 { 5511 struct block *b1, *b2; 5512 5513 if (v1 > v2) { 5514 /* 5515 * Reverse the order of the ports, so v1 is the lower one. 5516 */ 5517 bpf_int32 vtemp; 5518 5519 vtemp = v1; 5520 v1 = v2; 5521 v2 = vtemp; 5522 } 5523 5524 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1); 5525 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2); 5526 5527 gen_and(b1, b2); 5528 5529 return b2; 5530 } 5531 5532 struct block * 5533 gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto, 5534 int dir) 5535 { 5536 struct block *b0, *b1, *tmp; 5537 5538 /* ip6 proto 'proto' */ 5539 /* XXX - catch the first fragment of a fragmented packet? */ 5540 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5541 5542 switch (dir) { 5543 case Q_SRC: 5544 b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5545 break; 5546 5547 case Q_DST: 5548 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5549 break; 5550 5551 case Q_OR: 5552 case Q_DEFAULT: 5553 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5554 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5555 gen_or(tmp, b1); 5556 break; 5557 5558 case Q_AND: 5559 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5560 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5561 gen_and(tmp, b1); 5562 break; 5563 5564 default: 5565 abort(); 5566 } 5567 gen_and(b0, b1); 5568 5569 return b1; 5570 } 5571 5572 static struct block * 5573 gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5574 int dir) 5575 { 5576 struct block *b0, *b1, *tmp; 5577 5578 /* link proto ip6 */ 5579 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5580 5581 switch (ip_proto) { 5582 case IPPROTO_UDP: 5583 case IPPROTO_TCP: 5584 case IPPROTO_SCTP: 5585 b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir); 5586 break; 5587 5588 case PROTO_UNDEF: 5589 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir); 5590 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir); 5591 gen_or(tmp, b1); 5592 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir); 5593 gen_or(tmp, b1); 5594 break; 5595 5596 default: 5597 abort(); 5598 } 5599 gen_and(b0, b1); 5600 return b1; 5601 } 5602 5603 static int 5604 lookup_proto(compiler_state_t *cstate, const char *name, int proto) 5605 { 5606 register int v; 5607 5608 switch (proto) { 5609 5610 case Q_DEFAULT: 5611 case Q_IP: 5612 case Q_IPV6: 5613 v = pcap_nametoproto(name); 5614 if (v == PROTO_UNDEF) 5615 bpf_error(cstate, "unknown ip proto '%s'", name); 5616 break; 5617 5618 case Q_LINK: 5619 /* XXX should look up h/w protocol type based on cstate->linktype */ 5620 v = pcap_nametoeproto(name); 5621 if (v == PROTO_UNDEF) { 5622 v = pcap_nametollc(name); 5623 if (v == PROTO_UNDEF) 5624 bpf_error(cstate, "unknown ether proto '%s'", name); 5625 } 5626 break; 5627 5628 case Q_ISO: 5629 if (strcmp(name, "esis") == 0) 5630 v = ISO9542_ESIS; 5631 else if (strcmp(name, "isis") == 0) 5632 v = ISO10589_ISIS; 5633 else if (strcmp(name, "clnp") == 0) 5634 v = ISO8473_CLNP; 5635 else 5636 bpf_error(cstate, "unknown osi proto '%s'", name); 5637 break; 5638 5639 default: 5640 v = PROTO_UNDEF; 5641 break; 5642 } 5643 return v; 5644 } 5645 5646 #if 0 5647 struct stmt * 5648 gen_joinsp(s, n) 5649 struct stmt **s; 5650 int n; 5651 { 5652 return NULL; 5653 } 5654 #endif 5655 5656 static struct block * 5657 gen_protochain(compiler_state_t *cstate, int v, int proto, int dir) 5658 { 5659 #ifdef NO_PROTOCHAIN 5660 return gen_proto(cstate, v, proto, dir); 5661 #else 5662 struct block *b0, *b; 5663 struct slist *s[100]; 5664 int fix2, fix3, fix4, fix5; 5665 int ahcheck, again, end; 5666 int i, max; 5667 int reg2 = alloc_reg(cstate); 5668 5669 memset(s, 0, sizeof(s)); 5670 fix3 = fix4 = fix5 = 0; 5671 5672 switch (proto) { 5673 case Q_IP: 5674 case Q_IPV6: 5675 break; 5676 case Q_DEFAULT: 5677 b0 = gen_protochain(cstate, v, Q_IP, dir); 5678 b = gen_protochain(cstate, v, Q_IPV6, dir); 5679 gen_or(b0, b); 5680 return b; 5681 default: 5682 bpf_error(cstate, "bad protocol applied for 'protochain'"); 5683 /*NOTREACHED*/ 5684 } 5685 5686 /* 5687 * We don't handle variable-length prefixes before the link-layer 5688 * header, or variable-length link-layer headers, here yet. 5689 * We might want to add BPF instructions to do the protochain 5690 * work, to simplify that and, on platforms that have a BPF 5691 * interpreter with the new instructions, let the filtering 5692 * be done in the kernel. (We already require a modified BPF 5693 * engine to do the protochain stuff, to support backward 5694 * branches, and backward branch support is unlikely to appear 5695 * in kernel BPF engines.) 5696 */ 5697 if (cstate->off_linkpl.is_variable) 5698 bpf_error(cstate, "'protochain' not supported with variable length headers"); 5699 5700 cstate->no_optimize = 1; /*this code is not compatible with optimzer yet */ 5701 5702 /* 5703 * s[0] is a dummy entry to protect other BPF insn from damage 5704 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5705 * hard to find interdependency made by jump table fixup. 5706 */ 5707 i = 0; 5708 s[i] = new_stmt(cstate, 0); /*dummy*/ 5709 i++; 5710 5711 switch (proto) { 5712 case Q_IP: 5713 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5714 5715 /* A = ip->ip_p */ 5716 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 5717 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9; 5718 i++; 5719 /* X = ip->ip_hl << 2 */ 5720 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 5721 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5722 i++; 5723 break; 5724 5725 case Q_IPV6: 5726 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5727 5728 /* A = ip6->ip_nxt */ 5729 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 5730 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6; 5731 i++; 5732 /* X = sizeof(struct ip6_hdr) */ 5733 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM); 5734 s[i]->s.k = 40; 5735 i++; 5736 break; 5737 5738 default: 5739 bpf_error(cstate, "unsupported proto to gen_protochain"); 5740 /*NOTREACHED*/ 5741 } 5742 5743 /* again: if (A == v) goto end; else fall through; */ 5744 again = i; 5745 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5746 s[i]->s.k = v; 5747 s[i]->s.jt = NULL; /*later*/ 5748 s[i]->s.jf = NULL; /*update in next stmt*/ 5749 fix5 = i; 5750 i++; 5751 5752 #ifndef IPPROTO_NONE 5753 #define IPPROTO_NONE 59 5754 #endif 5755 /* if (A == IPPROTO_NONE) goto end */ 5756 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5757 s[i]->s.jt = NULL; /*later*/ 5758 s[i]->s.jf = NULL; /*update in next stmt*/ 5759 s[i]->s.k = IPPROTO_NONE; 5760 s[fix5]->s.jf = s[i]; 5761 fix2 = i; 5762 i++; 5763 5764 if (proto == Q_IPV6) { 5765 int v6start, v6end, v6advance, j; 5766 5767 v6start = i; 5768 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5769 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5770 s[i]->s.jt = NULL; /*later*/ 5771 s[i]->s.jf = NULL; /*update in next stmt*/ 5772 s[i]->s.k = IPPROTO_HOPOPTS; 5773 s[fix2]->s.jf = s[i]; 5774 i++; 5775 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5776 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5777 s[i]->s.jt = NULL; /*later*/ 5778 s[i]->s.jf = NULL; /*update in next stmt*/ 5779 s[i]->s.k = IPPROTO_DSTOPTS; 5780 i++; 5781 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5782 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5783 s[i]->s.jt = NULL; /*later*/ 5784 s[i]->s.jf = NULL; /*update in next stmt*/ 5785 s[i]->s.k = IPPROTO_ROUTING; 5786 i++; 5787 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5788 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5789 s[i]->s.jt = NULL; /*later*/ 5790 s[i]->s.jf = NULL; /*later*/ 5791 s[i]->s.k = IPPROTO_FRAGMENT; 5792 fix3 = i; 5793 v6end = i; 5794 i++; 5795 5796 /* v6advance: */ 5797 v6advance = i; 5798 5799 /* 5800 * in short, 5801 * A = P[X + packet head]; 5802 * X = X + (P[X + packet head + 1] + 1) * 8; 5803 */ 5804 /* A = P[X + packet head] */ 5805 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5806 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5807 i++; 5808 /* MEM[reg2] = A */ 5809 s[i] = new_stmt(cstate, BPF_ST); 5810 s[i]->s.k = reg2; 5811 i++; 5812 /* A = P[X + packet head + 1]; */ 5813 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5814 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1; 5815 i++; 5816 /* A += 1 */ 5817 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5818 s[i]->s.k = 1; 5819 i++; 5820 /* A *= 8 */ 5821 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 5822 s[i]->s.k = 8; 5823 i++; 5824 /* A += X */ 5825 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 5826 s[i]->s.k = 0; 5827 i++; 5828 /* X = A; */ 5829 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 5830 i++; 5831 /* A = MEM[reg2] */ 5832 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 5833 s[i]->s.k = reg2; 5834 i++; 5835 5836 /* goto again; (must use BPF_JA for backward jump) */ 5837 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 5838 s[i]->s.k = again - i - 1; 5839 s[i - 1]->s.jf = s[i]; 5840 i++; 5841 5842 /* fixup */ 5843 for (j = v6start; j <= v6end; j++) 5844 s[j]->s.jt = s[v6advance]; 5845 } else { 5846 /* nop */ 5847 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5848 s[i]->s.k = 0; 5849 s[fix2]->s.jf = s[i]; 5850 i++; 5851 } 5852 5853 /* ahcheck: */ 5854 ahcheck = i; 5855 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5856 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5857 s[i]->s.jt = NULL; /*later*/ 5858 s[i]->s.jf = NULL; /*later*/ 5859 s[i]->s.k = IPPROTO_AH; 5860 if (fix3) 5861 s[fix3]->s.jf = s[ahcheck]; 5862 fix4 = i; 5863 i++; 5864 5865 /* 5866 * in short, 5867 * A = P[X]; 5868 * X = X + (P[X + 1] + 2) * 4; 5869 */ 5870 /* A = X */ 5871 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 5872 i++; 5873 /* A = P[X + packet head]; */ 5874 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5875 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5876 i++; 5877 /* MEM[reg2] = A */ 5878 s[i] = new_stmt(cstate, BPF_ST); 5879 s[i]->s.k = reg2; 5880 i++; 5881 /* A = X */ 5882 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 5883 i++; 5884 /* A += 1 */ 5885 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5886 s[i]->s.k = 1; 5887 i++; 5888 /* X = A */ 5889 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 5890 i++; 5891 /* A = P[X + packet head] */ 5892 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5893 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5894 i++; 5895 /* A += 2 */ 5896 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5897 s[i]->s.k = 2; 5898 i++; 5899 /* A *= 4 */ 5900 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 5901 s[i]->s.k = 4; 5902 i++; 5903 /* X = A; */ 5904 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 5905 i++; 5906 /* A = MEM[reg2] */ 5907 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 5908 s[i]->s.k = reg2; 5909 i++; 5910 5911 /* goto again; (must use BPF_JA for backward jump) */ 5912 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 5913 s[i]->s.k = again - i - 1; 5914 i++; 5915 5916 /* end: nop */ 5917 end = i; 5918 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5919 s[i]->s.k = 0; 5920 s[fix2]->s.jt = s[end]; 5921 s[fix4]->s.jf = s[end]; 5922 s[fix5]->s.jt = s[end]; 5923 i++; 5924 5925 /* 5926 * make slist chain 5927 */ 5928 max = i; 5929 for (i = 0; i < max - 1; i++) 5930 s[i]->next = s[i + 1]; 5931 s[max - 1]->next = NULL; 5932 5933 /* 5934 * emit final check 5935 */ 5936 b = new_block(cstate, JMP(BPF_JEQ)); 5937 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5938 b->s.k = v; 5939 5940 free_reg(cstate, reg2); 5941 5942 gen_and(b0, b); 5943 return b; 5944 #endif 5945 } 5946 5947 static struct block * 5948 gen_check_802_11_data_frame(compiler_state_t *cstate) 5949 { 5950 struct slist *s; 5951 struct block *b0, *b1; 5952 5953 /* 5954 * A data frame has the 0x08 bit (b3) in the frame control field set 5955 * and the 0x04 bit (b2) clear. 5956 */ 5957 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 5958 b0 = new_block(cstate, JMP(BPF_JSET)); 5959 b0->s.k = 0x08; 5960 b0->stmts = s; 5961 5962 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 5963 b1 = new_block(cstate, JMP(BPF_JSET)); 5964 b1->s.k = 0x04; 5965 b1->stmts = s; 5966 gen_not(b1); 5967 5968 gen_and(b1, b0); 5969 5970 return b0; 5971 } 5972 5973 /* 5974 * Generate code that checks whether the packet is a packet for protocol 5975 * <proto> and whether the type field in that protocol's header has 5976 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5977 * IP packet and checks the protocol number in the IP header against <v>. 5978 * 5979 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5980 * against Q_IP and Q_IPV6. 5981 */ 5982 static struct block * 5983 gen_proto(compiler_state_t *cstate, int v, int proto, int dir) 5984 { 5985 struct block *b0, *b1; 5986 #ifndef CHASE_CHAIN 5987 struct block *b2; 5988 #endif 5989 5990 if (dir != Q_DEFAULT) 5991 bpf_error(cstate, "direction applied to 'proto'"); 5992 5993 switch (proto) { 5994 case Q_DEFAULT: 5995 b0 = gen_proto(cstate, v, Q_IP, dir); 5996 b1 = gen_proto(cstate, v, Q_IPV6, dir); 5997 gen_or(b0, b1); 5998 return b1; 5999 6000 case Q_IP: 6001 /* 6002 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 6003 * not LLC encapsulation with LLCSAP_IP. 6004 * 6005 * For IEEE 802 networks - which includes 802.5 token ring 6006 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 6007 * says that SNAP encapsulation is used, not LLC encapsulation 6008 * with LLCSAP_IP. 6009 * 6010 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 6011 * RFC 2225 say that SNAP encapsulation is used, not LLC 6012 * encapsulation with LLCSAP_IP. 6013 * 6014 * So we always check for ETHERTYPE_IP. 6015 */ 6016 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6017 #ifndef CHASE_CHAIN 6018 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v); 6019 #else 6020 b1 = gen_protochain(cstate, v, Q_IP); 6021 #endif 6022 gen_and(b0, b1); 6023 return b1; 6024 6025 case Q_ISO: 6026 switch (cstate->linktype) { 6027 6028 case DLT_FRELAY: 6029 /* 6030 * Frame Relay packets typically have an OSI 6031 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)" 6032 * generates code to check for all the OSI 6033 * NLPIDs, so calling it and then adding a check 6034 * for the particular NLPID for which we're 6035 * looking is bogus, as we can just check for 6036 * the NLPID. 6037 * 6038 * What we check for is the NLPID and a frame 6039 * control field value of UI, i.e. 0x03 followed 6040 * by the NLPID. 6041 * 6042 * XXX - assumes a 2-byte Frame Relay header with 6043 * DLCI and flags. What if the address is longer? 6044 * 6045 * XXX - what about SNAP-encapsulated frames? 6046 */ 6047 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v); 6048 /*NOTREACHED*/ 6049 break; 6050 6051 case DLT_C_HDLC: 6052 /* 6053 * Cisco uses an Ethertype lookalike - for OSI, 6054 * it's 0xfefe. 6055 */ 6056 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS); 6057 /* OSI in C-HDLC is stuffed with a fudge byte */ 6058 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v); 6059 gen_and(b0, b1); 6060 return b1; 6061 6062 default: 6063 b0 = gen_linktype(cstate, LLCSAP_ISONS); 6064 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v); 6065 gen_and(b0, b1); 6066 return b1; 6067 } 6068 6069 case Q_ISIS: 6070 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 6071 /* 6072 * 4 is the offset of the PDU type relative to the IS-IS 6073 * header. 6074 */ 6075 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v); 6076 gen_and(b0, b1); 6077 return b1; 6078 6079 case Q_ARP: 6080 bpf_error(cstate, "arp does not encapsulate another protocol"); 6081 /* NOTREACHED */ 6082 6083 case Q_RARP: 6084 bpf_error(cstate, "rarp does not encapsulate another protocol"); 6085 /* NOTREACHED */ 6086 6087 case Q_ATALK: 6088 bpf_error(cstate, "atalk encapsulation is not specifiable"); 6089 /* NOTREACHED */ 6090 6091 case Q_DECNET: 6092 bpf_error(cstate, "decnet encapsulation is not specifiable"); 6093 /* NOTREACHED */ 6094 6095 case Q_SCA: 6096 bpf_error(cstate, "sca does not encapsulate another protocol"); 6097 /* NOTREACHED */ 6098 6099 case Q_LAT: 6100 bpf_error(cstate, "lat does not encapsulate another protocol"); 6101 /* NOTREACHED */ 6102 6103 case Q_MOPRC: 6104 bpf_error(cstate, "moprc does not encapsulate another protocol"); 6105 /* NOTREACHED */ 6106 6107 case Q_MOPDL: 6108 bpf_error(cstate, "mopdl does not encapsulate another protocol"); 6109 /* NOTREACHED */ 6110 6111 case Q_LINK: 6112 return gen_linktype(cstate, v); 6113 6114 case Q_UDP: 6115 bpf_error(cstate, "'udp proto' is bogus"); 6116 /* NOTREACHED */ 6117 6118 case Q_TCP: 6119 bpf_error(cstate, "'tcp proto' is bogus"); 6120 /* NOTREACHED */ 6121 6122 case Q_SCTP: 6123 bpf_error(cstate, "'sctp proto' is bogus"); 6124 /* NOTREACHED */ 6125 6126 case Q_ICMP: 6127 bpf_error(cstate, "'icmp proto' is bogus"); 6128 /* NOTREACHED */ 6129 6130 case Q_IGMP: 6131 bpf_error(cstate, "'igmp proto' is bogus"); 6132 /* NOTREACHED */ 6133 6134 case Q_IGRP: 6135 bpf_error(cstate, "'igrp proto' is bogus"); 6136 /* NOTREACHED */ 6137 6138 case Q_PIM: 6139 bpf_error(cstate, "'pim proto' is bogus"); 6140 /* NOTREACHED */ 6141 6142 case Q_VRRP: 6143 bpf_error(cstate, "'vrrp proto' is bogus"); 6144 /* NOTREACHED */ 6145 6146 case Q_CARP: 6147 bpf_error(cstate, "'carp proto' is bogus"); 6148 /* NOTREACHED */ 6149 6150 case Q_IPV6: 6151 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6152 #ifndef CHASE_CHAIN 6153 /* 6154 * Also check for a fragment header before the final 6155 * header. 6156 */ 6157 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT); 6158 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v); 6159 gen_and(b2, b1); 6160 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v); 6161 gen_or(b2, b1); 6162 #else 6163 b1 = gen_protochain(cstate, v, Q_IPV6); 6164 #endif 6165 gen_and(b0, b1); 6166 return b1; 6167 6168 case Q_ICMPV6: 6169 bpf_error(cstate, "'icmp6 proto' is bogus"); 6170 6171 case Q_AH: 6172 bpf_error(cstate, "'ah proto' is bogus"); 6173 6174 case Q_ESP: 6175 bpf_error(cstate, "'ah proto' is bogus"); 6176 6177 case Q_STP: 6178 bpf_error(cstate, "'stp proto' is bogus"); 6179 6180 case Q_IPX: 6181 bpf_error(cstate, "'ipx proto' is bogus"); 6182 6183 case Q_NETBEUI: 6184 bpf_error(cstate, "'netbeui proto' is bogus"); 6185 6186 case Q_RADIO: 6187 bpf_error(cstate, "'radio proto' is bogus"); 6188 6189 default: 6190 abort(); 6191 /* NOTREACHED */ 6192 } 6193 /* NOTREACHED */ 6194 } 6195 6196 struct block * 6197 gen_scode(compiler_state_t *cstate, const char *name, struct qual q) 6198 { 6199 int proto = q.proto; 6200 int dir = q.dir; 6201 int tproto; 6202 u_char *eaddr; 6203 bpf_u_int32 mask, addr; 6204 #ifndef INET6 6205 bpf_u_int32 **alist; 6206 #else 6207 int tproto6; 6208 struct sockaddr_in *sin4; 6209 struct sockaddr_in6 *sin6; 6210 struct addrinfo *res, *res0; 6211 struct in6_addr mask128; 6212 #endif /*INET6*/ 6213 struct block *b, *tmp; 6214 int port, real_proto; 6215 int port1, port2; 6216 6217 switch (q.addr) { 6218 6219 case Q_NET: 6220 addr = pcap_nametonetaddr(name); 6221 if (addr == 0) 6222 bpf_error(cstate, "unknown network '%s'", name); 6223 /* Left justify network addr and calculate its network mask */ 6224 mask = 0xffffffff; 6225 while (addr && (addr & 0xff000000) == 0) { 6226 addr <<= 8; 6227 mask <<= 8; 6228 } 6229 return gen_host(cstate, addr, mask, proto, dir, q.addr); 6230 6231 case Q_DEFAULT: 6232 case Q_HOST: 6233 if (proto == Q_LINK) { 6234 switch (cstate->linktype) { 6235 6236 case DLT_EN10MB: 6237 case DLT_NETANALYZER: 6238 case DLT_NETANALYZER_TRANSPARENT: 6239 eaddr = pcap_ether_hostton(name); 6240 if (eaddr == NULL) 6241 bpf_error(cstate, 6242 "unknown ether host '%s'", name); 6243 tmp = gen_prevlinkhdr_check(cstate); 6244 b = gen_ehostop(cstate, eaddr, dir); 6245 if (tmp != NULL) 6246 gen_and(tmp, b); 6247 free(eaddr); 6248 return b; 6249 6250 case DLT_FDDI: 6251 eaddr = pcap_ether_hostton(name); 6252 if (eaddr == NULL) 6253 bpf_error(cstate, 6254 "unknown FDDI host '%s'", name); 6255 b = gen_fhostop(cstate, eaddr, dir); 6256 free(eaddr); 6257 return b; 6258 6259 case DLT_IEEE802: 6260 eaddr = pcap_ether_hostton(name); 6261 if (eaddr == NULL) 6262 bpf_error(cstate, 6263 "unknown token ring host '%s'", name); 6264 b = gen_thostop(cstate, eaddr, dir); 6265 free(eaddr); 6266 return b; 6267 6268 case DLT_IEEE802_11: 6269 case DLT_PRISM_HEADER: 6270 case DLT_IEEE802_11_RADIO_AVS: 6271 case DLT_IEEE802_11_RADIO: 6272 case DLT_PPI: 6273 eaddr = pcap_ether_hostton(name); 6274 if (eaddr == NULL) 6275 bpf_error(cstate, 6276 "unknown 802.11 host '%s'", name); 6277 b = gen_wlanhostop(cstate, eaddr, dir); 6278 free(eaddr); 6279 return b; 6280 6281 case DLT_IP_OVER_FC: 6282 eaddr = pcap_ether_hostton(name); 6283 if (eaddr == NULL) 6284 bpf_error(cstate, 6285 "unknown Fibre Channel host '%s'", name); 6286 b = gen_ipfchostop(cstate, eaddr, dir); 6287 free(eaddr); 6288 return b; 6289 } 6290 6291 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6292 } else if (proto == Q_DECNET) { 6293 unsigned short dn_addr; 6294 6295 if (!__pcap_nametodnaddr(name, &dn_addr)) { 6296 #ifdef DECNETLIB 6297 bpf_error(cstate, "unknown decnet host name '%s'\n", name); 6298 #else 6299 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n", 6300 name); 6301 #endif 6302 } 6303 /* 6304 * I don't think DECNET hosts can be multihomed, so 6305 * there is no need to build up a list of addresses 6306 */ 6307 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr)); 6308 } else { 6309 #ifndef INET6 6310 alist = pcap_nametoaddr(name); 6311 if (alist == NULL || *alist == NULL) 6312 bpf_error(cstate, "unknown host '%s'", name); 6313 tproto = proto; 6314 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6315 tproto == Q_DEFAULT) 6316 tproto = Q_IP; 6317 b = gen_host(cstate, **alist++, 0xffffffff, tproto, dir, q.addr); 6318 while (*alist) { 6319 tmp = gen_host(cstate, **alist++, 0xffffffff, 6320 tproto, dir, q.addr); 6321 gen_or(b, tmp); 6322 b = tmp; 6323 } 6324 return b; 6325 #else 6326 memset(&mask128, 0xff, sizeof(mask128)); 6327 res0 = res = pcap_nametoaddrinfo(name); 6328 if (res == NULL) 6329 bpf_error(cstate, "unknown host '%s'", name); 6330 cstate->ai = res; 6331 b = tmp = NULL; 6332 tproto = tproto6 = proto; 6333 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6334 tproto == Q_DEFAULT) { 6335 tproto = Q_IP; 6336 tproto6 = Q_IPV6; 6337 } 6338 for (res = res0; res; res = res->ai_next) { 6339 switch (res->ai_family) { 6340 case AF_INET: 6341 if (tproto == Q_IPV6) 6342 continue; 6343 6344 sin4 = (struct sockaddr_in *) 6345 res->ai_addr; 6346 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr), 6347 0xffffffff, tproto, dir, q.addr); 6348 break; 6349 case AF_INET6: 6350 if (tproto6 == Q_IP) 6351 continue; 6352 6353 sin6 = (struct sockaddr_in6 *) 6354 res->ai_addr; 6355 tmp = gen_host6(cstate, &sin6->sin6_addr, 6356 &mask128, tproto6, dir, q.addr); 6357 break; 6358 default: 6359 continue; 6360 } 6361 if (b) 6362 gen_or(b, tmp); 6363 b = tmp; 6364 } 6365 cstate->ai = NULL; 6366 freeaddrinfo(res0); 6367 if (b == NULL) { 6368 bpf_error(cstate, "unknown host '%s'%s", name, 6369 (proto == Q_DEFAULT) 6370 ? "" 6371 : " for specified address family"); 6372 } 6373 return b; 6374 #endif /*INET6*/ 6375 } 6376 6377 case Q_PORT: 6378 if (proto != Q_DEFAULT && 6379 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6380 bpf_error(cstate, "illegal qualifier of 'port'"); 6381 if (pcap_nametoport(name, &port, &real_proto) == 0) 6382 bpf_error(cstate, "unknown port '%s'", name); 6383 if (proto == Q_UDP) { 6384 if (real_proto == IPPROTO_TCP) 6385 bpf_error(cstate, "port '%s' is tcp", name); 6386 else if (real_proto == IPPROTO_SCTP) 6387 bpf_error(cstate, "port '%s' is sctp", name); 6388 else 6389 /* override PROTO_UNDEF */ 6390 real_proto = IPPROTO_UDP; 6391 } 6392 if (proto == Q_TCP) { 6393 if (real_proto == IPPROTO_UDP) 6394 bpf_error(cstate, "port '%s' is udp", name); 6395 6396 else if (real_proto == IPPROTO_SCTP) 6397 bpf_error(cstate, "port '%s' is sctp", name); 6398 else 6399 /* override PROTO_UNDEF */ 6400 real_proto = IPPROTO_TCP; 6401 } 6402 if (proto == Q_SCTP) { 6403 if (real_proto == IPPROTO_UDP) 6404 bpf_error(cstate, "port '%s' is udp", name); 6405 6406 else if (real_proto == IPPROTO_TCP) 6407 bpf_error(cstate, "port '%s' is tcp", name); 6408 else 6409 /* override PROTO_UNDEF */ 6410 real_proto = IPPROTO_SCTP; 6411 } 6412 if (port < 0) 6413 bpf_error(cstate, "illegal port number %d < 0", port); 6414 if (port > 65535) 6415 bpf_error(cstate, "illegal port number %d > 65535", port); 6416 b = gen_port(cstate, port, real_proto, dir); 6417 gen_or(gen_port6(cstate, port, real_proto, dir), b); 6418 return b; 6419 6420 case Q_PORTRANGE: 6421 if (proto != Q_DEFAULT && 6422 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6423 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6424 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6425 bpf_error(cstate, "unknown port in range '%s'", name); 6426 if (proto == Q_UDP) { 6427 if (real_proto == IPPROTO_TCP) 6428 bpf_error(cstate, "port in range '%s' is tcp", name); 6429 else if (real_proto == IPPROTO_SCTP) 6430 bpf_error(cstate, "port in range '%s' is sctp", name); 6431 else 6432 /* override PROTO_UNDEF */ 6433 real_proto = IPPROTO_UDP; 6434 } 6435 if (proto == Q_TCP) { 6436 if (real_proto == IPPROTO_UDP) 6437 bpf_error(cstate, "port in range '%s' is udp", name); 6438 else if (real_proto == IPPROTO_SCTP) 6439 bpf_error(cstate, "port in range '%s' is sctp", name); 6440 else 6441 /* override PROTO_UNDEF */ 6442 real_proto = IPPROTO_TCP; 6443 } 6444 if (proto == Q_SCTP) { 6445 if (real_proto == IPPROTO_UDP) 6446 bpf_error(cstate, "port in range '%s' is udp", name); 6447 else if (real_proto == IPPROTO_TCP) 6448 bpf_error(cstate, "port in range '%s' is tcp", name); 6449 else 6450 /* override PROTO_UNDEF */ 6451 real_proto = IPPROTO_SCTP; 6452 } 6453 if (port1 < 0) 6454 bpf_error(cstate, "illegal port number %d < 0", port1); 6455 if (port1 > 65535) 6456 bpf_error(cstate, "illegal port number %d > 65535", port1); 6457 if (port2 < 0) 6458 bpf_error(cstate, "illegal port number %d < 0", port2); 6459 if (port2 > 65535) 6460 bpf_error(cstate, "illegal port number %d > 65535", port2); 6461 6462 b = gen_portrange(cstate, port1, port2, real_proto, dir); 6463 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b); 6464 return b; 6465 6466 case Q_GATEWAY: 6467 #ifndef INET6 6468 eaddr = pcap_ether_hostton(name); 6469 if (eaddr == NULL) 6470 bpf_error(cstate, "unknown ether host: %s", name); 6471 6472 alist = pcap_nametoaddr(name); 6473 if (alist == NULL || *alist == NULL) 6474 bpf_error(cstate, "unknown host '%s'", name); 6475 b = gen_gateway(cstate, eaddr, alist, proto, dir); 6476 free(eaddr); 6477 return b; 6478 #else 6479 bpf_error(cstate, "'gateway' not supported in this configuration"); 6480 #endif /*INET6*/ 6481 6482 case Q_PROTO: 6483 real_proto = lookup_proto(cstate, name, proto); 6484 if (real_proto >= 0) 6485 return gen_proto(cstate, real_proto, proto, dir); 6486 else 6487 bpf_error(cstate, "unknown protocol: %s", name); 6488 6489 case Q_PROTOCHAIN: 6490 real_proto = lookup_proto(cstate, name, proto); 6491 if (real_proto >= 0) 6492 return gen_protochain(cstate, real_proto, proto, dir); 6493 else 6494 bpf_error(cstate, "unknown protocol: %s", name); 6495 6496 case Q_UNDEF: 6497 syntax(cstate); 6498 /* NOTREACHED */ 6499 } 6500 abort(); 6501 /* NOTREACHED */ 6502 } 6503 6504 struct block * 6505 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2, 6506 unsigned int masklen, struct qual q) 6507 { 6508 register int nlen, mlen; 6509 bpf_u_int32 n, m; 6510 6511 nlen = __pcap_atoin(s1, &n); 6512 /* Promote short ipaddr */ 6513 n <<= 32 - nlen; 6514 6515 if (s2 != NULL) { 6516 mlen = __pcap_atoin(s2, &m); 6517 /* Promote short ipaddr */ 6518 m <<= 32 - mlen; 6519 if ((n & ~m) != 0) 6520 bpf_error(cstate, "non-network bits set in \"%s mask %s\"", 6521 s1, s2); 6522 } else { 6523 /* Convert mask len to mask */ 6524 if (masklen > 32) 6525 bpf_error(cstate, "mask length must be <= 32"); 6526 if (masklen == 0) { 6527 /* 6528 * X << 32 is not guaranteed by C to be 0; it's 6529 * undefined. 6530 */ 6531 m = 0; 6532 } else 6533 m = 0xffffffff << (32 - masklen); 6534 if ((n & ~m) != 0) 6535 bpf_error(cstate, "non-network bits set in \"%s/%d\"", 6536 s1, masklen); 6537 } 6538 6539 switch (q.addr) { 6540 6541 case Q_NET: 6542 return gen_host(cstate, n, m, q.proto, q.dir, q.addr); 6543 6544 default: 6545 bpf_error(cstate, "Mask syntax for networks only"); 6546 /* NOTREACHED */ 6547 } 6548 /* NOTREACHED */ 6549 return NULL; 6550 } 6551 6552 struct block * 6553 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q) 6554 { 6555 bpf_u_int32 mask; 6556 int proto = q.proto; 6557 int dir = q.dir; 6558 register int vlen; 6559 6560 if (s == NULL) 6561 vlen = 32; 6562 else if (q.proto == Q_DECNET) { 6563 vlen = __pcap_atodn(s, &v); 6564 if (vlen == 0) 6565 bpf_error(cstate, "malformed decnet address '%s'", s); 6566 } else 6567 vlen = __pcap_atoin(s, &v); 6568 6569 switch (q.addr) { 6570 6571 case Q_DEFAULT: 6572 case Q_HOST: 6573 case Q_NET: 6574 if (proto == Q_DECNET) 6575 return gen_host(cstate, v, 0, proto, dir, q.addr); 6576 else if (proto == Q_LINK) { 6577 bpf_error(cstate, "illegal link layer address"); 6578 } else { 6579 mask = 0xffffffff; 6580 if (s == NULL && q.addr == Q_NET) { 6581 /* Promote short net number */ 6582 while (v && (v & 0xff000000) == 0) { 6583 v <<= 8; 6584 mask <<= 8; 6585 } 6586 } else { 6587 /* Promote short ipaddr */ 6588 v <<= 32 - vlen; 6589 mask <<= 32 - vlen ; 6590 } 6591 return gen_host(cstate, v, mask, proto, dir, q.addr); 6592 } 6593 6594 case Q_PORT: 6595 if (proto == Q_UDP) 6596 proto = IPPROTO_UDP; 6597 else if (proto == Q_TCP) 6598 proto = IPPROTO_TCP; 6599 else if (proto == Q_SCTP) 6600 proto = IPPROTO_SCTP; 6601 else if (proto == Q_DEFAULT) 6602 proto = PROTO_UNDEF; 6603 else 6604 bpf_error(cstate, "illegal qualifier of 'port'"); 6605 6606 if (v > 65535) 6607 bpf_error(cstate, "illegal port number %u > 65535", v); 6608 6609 { 6610 struct block *b; 6611 b = gen_port(cstate, (int)v, proto, dir); 6612 gen_or(gen_port6(cstate, (int)v, proto, dir), b); 6613 return b; 6614 } 6615 6616 case Q_PORTRANGE: 6617 if (proto == Q_UDP) 6618 proto = IPPROTO_UDP; 6619 else if (proto == Q_TCP) 6620 proto = IPPROTO_TCP; 6621 else if (proto == Q_SCTP) 6622 proto = IPPROTO_SCTP; 6623 else if (proto == Q_DEFAULT) 6624 proto = PROTO_UNDEF; 6625 else 6626 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6627 6628 if (v > 65535) 6629 bpf_error(cstate, "illegal port number %u > 65535", v); 6630 6631 { 6632 struct block *b; 6633 b = gen_portrange(cstate, (int)v, (int)v, proto, dir); 6634 gen_or(gen_portrange6(cstate, (int)v, (int)v, proto, dir), b); 6635 return b; 6636 } 6637 6638 case Q_GATEWAY: 6639 bpf_error(cstate, "'gateway' requires a name"); 6640 /* NOTREACHED */ 6641 6642 case Q_PROTO: 6643 return gen_proto(cstate, (int)v, proto, dir); 6644 6645 case Q_PROTOCHAIN: 6646 return gen_protochain(cstate, (int)v, proto, dir); 6647 6648 case Q_UNDEF: 6649 syntax(cstate); 6650 /* NOTREACHED */ 6651 6652 default: 6653 abort(); 6654 /* NOTREACHED */ 6655 } 6656 /* NOTREACHED */ 6657 } 6658 6659 #ifdef INET6 6660 struct block * 6661 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2, 6662 unsigned int masklen, struct qual q) 6663 { 6664 struct addrinfo *res; 6665 struct in6_addr *addr; 6666 struct in6_addr mask; 6667 struct block *b; 6668 u_int32_t *a, *m; 6669 6670 if (s2) 6671 bpf_error(cstate, "no mask %s supported", s2); 6672 6673 res = pcap_nametoaddrinfo(s1); 6674 if (!res) 6675 bpf_error(cstate, "invalid ip6 address %s", s1); 6676 cstate->ai = res; 6677 if (res->ai_next) 6678 bpf_error(cstate, "%s resolved to multiple address", s1); 6679 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6680 6681 if (sizeof(mask) * 8 < masklen) 6682 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6683 memset(&mask, 0, sizeof(mask)); 6684 memset(&mask, 0xff, masklen / 8); 6685 if (masklen % 8) { 6686 mask.s6_addr[masklen / 8] = 6687 (0xff << (8 - masklen % 8)) & 0xff; 6688 } 6689 6690 a = (u_int32_t *)addr; 6691 m = (u_int32_t *)&mask; 6692 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6693 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6694 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen); 6695 } 6696 6697 switch (q.addr) { 6698 6699 case Q_DEFAULT: 6700 case Q_HOST: 6701 if (masklen != 128) 6702 bpf_error(cstate, "Mask syntax for networks only"); 6703 /* FALLTHROUGH */ 6704 6705 case Q_NET: 6706 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr); 6707 cstate->ai = NULL; 6708 freeaddrinfo(res); 6709 return b; 6710 6711 default: 6712 bpf_error(cstate, "invalid qualifier against IPv6 address"); 6713 /* NOTREACHED */ 6714 } 6715 return NULL; 6716 } 6717 #endif /*INET6*/ 6718 6719 struct block * 6720 gen_ecode(compiler_state_t *cstate, const u_char *eaddr, struct qual q) 6721 { 6722 struct block *b, *tmp; 6723 6724 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6725 switch (cstate->linktype) { 6726 case DLT_EN10MB: 6727 case DLT_NETANALYZER: 6728 case DLT_NETANALYZER_TRANSPARENT: 6729 tmp = gen_prevlinkhdr_check(cstate); 6730 b = gen_ehostop(cstate, eaddr, (int)q.dir); 6731 if (tmp != NULL) 6732 gen_and(tmp, b); 6733 return b; 6734 case DLT_FDDI: 6735 return gen_fhostop(cstate, eaddr, (int)q.dir); 6736 case DLT_IEEE802: 6737 return gen_thostop(cstate, eaddr, (int)q.dir); 6738 case DLT_IEEE802_11: 6739 case DLT_PRISM_HEADER: 6740 case DLT_IEEE802_11_RADIO_AVS: 6741 case DLT_IEEE802_11_RADIO: 6742 case DLT_PPI: 6743 return gen_wlanhostop(cstate, eaddr, (int)q.dir); 6744 case DLT_IP_OVER_FC: 6745 return gen_ipfchostop(cstate, eaddr, (int)q.dir); 6746 default: 6747 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6748 break; 6749 } 6750 } 6751 bpf_error(cstate, "ethernet address used in non-ether expression"); 6752 /* NOTREACHED */ 6753 return NULL; 6754 } 6755 6756 void 6757 sappend(s0, s1) 6758 struct slist *s0, *s1; 6759 { 6760 /* 6761 * This is definitely not the best way to do this, but the 6762 * lists will rarely get long. 6763 */ 6764 while (s0->next) 6765 s0 = s0->next; 6766 s0->next = s1; 6767 } 6768 6769 static struct slist * 6770 xfer_to_x(compiler_state_t *cstate, struct arth *a) 6771 { 6772 struct slist *s; 6773 6774 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 6775 s->s.k = a->regno; 6776 return s; 6777 } 6778 6779 static struct slist * 6780 xfer_to_a(compiler_state_t *cstate, struct arth *a) 6781 { 6782 struct slist *s; 6783 6784 s = new_stmt(cstate, BPF_LD|BPF_MEM); 6785 s->s.k = a->regno; 6786 return s; 6787 } 6788 6789 /* 6790 * Modify "index" to use the value stored into its register as an 6791 * offset relative to the beginning of the header for the protocol 6792 * "proto", and allocate a register and put an item "size" bytes long 6793 * (1, 2, or 4) at that offset into that register, making it the register 6794 * for "index". 6795 */ 6796 struct arth * 6797 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, int size) 6798 { 6799 struct slist *s, *tmp; 6800 struct block *b; 6801 int regno = alloc_reg(cstate); 6802 6803 free_reg(cstate, inst->regno); 6804 switch (size) { 6805 6806 default: 6807 bpf_error(cstate, "data size must be 1, 2, or 4"); 6808 6809 case 1: 6810 size = BPF_B; 6811 break; 6812 6813 case 2: 6814 size = BPF_H; 6815 break; 6816 6817 case 4: 6818 size = BPF_W; 6819 break; 6820 } 6821 switch (proto) { 6822 default: 6823 bpf_error(cstate, "unsupported index operation"); 6824 6825 case Q_RADIO: 6826 /* 6827 * The offset is relative to the beginning of the packet 6828 * data, if we have a radio header. (If we don't, this 6829 * is an error.) 6830 */ 6831 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS && 6832 cstate->linktype != DLT_IEEE802_11_RADIO && 6833 cstate->linktype != DLT_PRISM_HEADER) 6834 bpf_error(cstate, "radio information not present in capture"); 6835 6836 /* 6837 * Load into the X register the offset computed into the 6838 * register specified by "index". 6839 */ 6840 s = xfer_to_x(cstate, inst); 6841 6842 /* 6843 * Load the item at that offset. 6844 */ 6845 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6846 sappend(s, tmp); 6847 sappend(inst->s, s); 6848 break; 6849 6850 case Q_LINK: 6851 /* 6852 * The offset is relative to the beginning of 6853 * the link-layer header. 6854 * 6855 * XXX - what about ATM LANE? Should the index be 6856 * relative to the beginning of the AAL5 frame, so 6857 * that 0 refers to the beginning of the LE Control 6858 * field, or relative to the beginning of the LAN 6859 * frame, so that 0 refers, for Ethernet LANE, to 6860 * the beginning of the destination address? 6861 */ 6862 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr); 6863 6864 /* 6865 * If "s" is non-null, it has code to arrange that the 6866 * X register contains the length of the prefix preceding 6867 * the link-layer header. Add to it the offset computed 6868 * into the register specified by "index", and move that 6869 * into the X register. Otherwise, just load into the X 6870 * register the offset computed into the register specified 6871 * by "index". 6872 */ 6873 if (s != NULL) { 6874 sappend(s, xfer_to_a(cstate, inst)); 6875 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 6876 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 6877 } else 6878 s = xfer_to_x(cstate, inst); 6879 6880 /* 6881 * Load the item at the sum of the offset we've put in the 6882 * X register and the offset of the start of the link 6883 * layer header (which is 0 if the radio header is 6884 * variable-length; that header length is what we put 6885 * into the X register and then added to the index). 6886 */ 6887 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6888 tmp->s.k = cstate->off_linkhdr.constant_part; 6889 sappend(s, tmp); 6890 sappend(inst->s, s); 6891 break; 6892 6893 case Q_IP: 6894 case Q_ARP: 6895 case Q_RARP: 6896 case Q_ATALK: 6897 case Q_DECNET: 6898 case Q_SCA: 6899 case Q_LAT: 6900 case Q_MOPRC: 6901 case Q_MOPDL: 6902 case Q_IPV6: 6903 /* 6904 * The offset is relative to the beginning of 6905 * the network-layer header. 6906 * XXX - are there any cases where we want 6907 * cstate->off_nl_nosnap? 6908 */ 6909 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 6910 6911 /* 6912 * If "s" is non-null, it has code to arrange that the 6913 * X register contains the variable part of the offset 6914 * of the link-layer payload. Add to it the offset 6915 * computed into the register specified by "index", 6916 * and move that into the X register. Otherwise, just 6917 * load into the X register the offset computed into 6918 * the register specified by "index". 6919 */ 6920 if (s != NULL) { 6921 sappend(s, xfer_to_a(cstate, inst)); 6922 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 6923 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 6924 } else 6925 s = xfer_to_x(cstate, inst); 6926 6927 /* 6928 * Load the item at the sum of the offset we've put in the 6929 * X register, the offset of the start of the network 6930 * layer header from the beginning of the link-layer 6931 * payload, and the constant part of the offset of the 6932 * start of the link-layer payload. 6933 */ 6934 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6935 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6936 sappend(s, tmp); 6937 sappend(inst->s, s); 6938 6939 /* 6940 * Do the computation only if the packet contains 6941 * the protocol in question. 6942 */ 6943 b = gen_proto_abbrev(cstate, proto); 6944 if (inst->b) 6945 gen_and(inst->b, b); 6946 inst->b = b; 6947 break; 6948 6949 case Q_SCTP: 6950 case Q_TCP: 6951 case Q_UDP: 6952 case Q_ICMP: 6953 case Q_IGMP: 6954 case Q_IGRP: 6955 case Q_PIM: 6956 case Q_VRRP: 6957 case Q_CARP: 6958 /* 6959 * The offset is relative to the beginning of 6960 * the transport-layer header. 6961 * 6962 * Load the X register with the length of the IPv4 header 6963 * (plus the offset of the link-layer header, if it's 6964 * a variable-length header), in bytes. 6965 * 6966 * XXX - are there any cases where we want 6967 * cstate->off_nl_nosnap? 6968 * XXX - we should, if we're built with 6969 * IPv6 support, generate code to load either 6970 * IPv4, IPv6, or both, as appropriate. 6971 */ 6972 s = gen_loadx_iphdrlen(cstate); 6973 6974 /* 6975 * The X register now contains the sum of the variable 6976 * part of the offset of the link-layer payload and the 6977 * length of the network-layer header. 6978 * 6979 * Load into the A register the offset relative to 6980 * the beginning of the transport layer header, 6981 * add the X register to that, move that to the 6982 * X register, and load with an offset from the 6983 * X register equal to the sum of the constant part of 6984 * the offset of the link-layer payload and the offset, 6985 * relative to the beginning of the link-layer payload, 6986 * of the network-layer header. 6987 */ 6988 sappend(s, xfer_to_a(cstate, inst)); 6989 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 6990 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 6991 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size)); 6992 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6993 sappend(inst->s, s); 6994 6995 /* 6996 * Do the computation only if the packet contains 6997 * the protocol in question - which is true only 6998 * if this is an IP datagram and is the first or 6999 * only fragment of that datagram. 7000 */ 7001 gen_and(gen_proto_abbrev(cstate, proto), b = gen_ipfrag(cstate)); 7002 if (inst->b) 7003 gen_and(inst->b, b); 7004 gen_and(gen_proto_abbrev(cstate, Q_IP), b); 7005 inst->b = b; 7006 break; 7007 case Q_ICMPV6: 7008 bpf_error(cstate, "IPv6 upper-layer protocol is not supported by proto[x]"); 7009 /*NOTREACHED*/ 7010 } 7011 inst->regno = regno; 7012 s = new_stmt(cstate, BPF_ST); 7013 s->s.k = regno; 7014 sappend(inst->s, s); 7015 7016 return inst; 7017 } 7018 7019 struct block * 7020 gen_relation(compiler_state_t *cstate, int code, struct arth *a0, 7021 struct arth *a1, int reversed) 7022 { 7023 struct slist *s0, *s1, *s2; 7024 struct block *b, *tmp; 7025 7026 s0 = xfer_to_x(cstate, a1); 7027 s1 = xfer_to_a(cstate, a0); 7028 if (code == BPF_JEQ) { 7029 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X); 7030 b = new_block(cstate, JMP(code)); 7031 sappend(s1, s2); 7032 } 7033 else 7034 b = new_block(cstate, BPF_JMP|code|BPF_X); 7035 if (reversed) 7036 gen_not(b); 7037 7038 sappend(s0, s1); 7039 sappend(a1->s, s0); 7040 sappend(a0->s, a1->s); 7041 7042 b->stmts = a0->s; 7043 7044 free_reg(cstate, a0->regno); 7045 free_reg(cstate, a1->regno); 7046 7047 /* 'and' together protocol checks */ 7048 if (a0->b) { 7049 if (a1->b) { 7050 gen_and(a0->b, tmp = a1->b); 7051 } 7052 else 7053 tmp = a0->b; 7054 } else 7055 tmp = a1->b; 7056 7057 if (tmp) 7058 gen_and(tmp, b); 7059 7060 return b; 7061 } 7062 7063 struct arth * 7064 gen_loadlen(compiler_state_t *cstate) 7065 { 7066 int regno = alloc_reg(cstate); 7067 struct arth *a = (struct arth *)newchunk(cstate, sizeof(*a)); 7068 struct slist *s; 7069 7070 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7071 s->next = new_stmt(cstate, BPF_ST); 7072 s->next->s.k = regno; 7073 a->s = s; 7074 a->regno = regno; 7075 7076 return a; 7077 } 7078 7079 struct arth * 7080 gen_loadi(compiler_state_t *cstate, int val) 7081 { 7082 struct arth *a; 7083 struct slist *s; 7084 int reg; 7085 7086 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7087 7088 reg = alloc_reg(cstate); 7089 7090 s = new_stmt(cstate, BPF_LD|BPF_IMM); 7091 s->s.k = val; 7092 s->next = new_stmt(cstate, BPF_ST); 7093 s->next->s.k = reg; 7094 a->s = s; 7095 a->regno = reg; 7096 7097 return a; 7098 } 7099 7100 struct arth * 7101 gen_neg(compiler_state_t *cstate, struct arth *a) 7102 { 7103 struct slist *s; 7104 7105 s = xfer_to_a(cstate, a); 7106 sappend(a->s, s); 7107 s = new_stmt(cstate, BPF_ALU|BPF_NEG); 7108 s->s.k = 0; 7109 sappend(a->s, s); 7110 s = new_stmt(cstate, BPF_ST); 7111 s->s.k = a->regno; 7112 sappend(a->s, s); 7113 7114 return a; 7115 } 7116 7117 struct arth * 7118 gen_arth(compiler_state_t *cstate, int code, struct arth *a0, 7119 struct arth *a1) 7120 { 7121 struct slist *s0, *s1, *s2; 7122 7123 /* 7124 * Disallow division by, or modulus by, zero; we do this here 7125 * so that it gets done even if the optimizer is disabled. 7126 */ 7127 if (code == BPF_DIV) { 7128 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7129 bpf_error(cstate, "division by zero"); 7130 } else if (code == BPF_MOD) { 7131 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7132 bpf_error(cstate, "modulus by zero"); 7133 } 7134 s0 = xfer_to_x(cstate, a1); 7135 s1 = xfer_to_a(cstate, a0); 7136 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code); 7137 7138 sappend(s1, s2); 7139 sappend(s0, s1); 7140 sappend(a1->s, s0); 7141 sappend(a0->s, a1->s); 7142 7143 free_reg(cstate, a0->regno); 7144 free_reg(cstate, a1->regno); 7145 7146 s0 = new_stmt(cstate, BPF_ST); 7147 a0->regno = s0->s.k = alloc_reg(cstate); 7148 sappend(a0->s, s0); 7149 7150 return a0; 7151 } 7152 7153 /* 7154 * Initialize the table of used registers and the current register. 7155 */ 7156 static void 7157 init_regs(compiler_state_t *cstate) 7158 { 7159 cstate->curreg = 0; 7160 memset(cstate->regused, 0, sizeof cstate->regused); 7161 } 7162 7163 /* 7164 * Return the next free register. 7165 */ 7166 static int 7167 alloc_reg(compiler_state_t *cstate) 7168 { 7169 int n = BPF_MEMWORDS; 7170 7171 while (--n >= 0) { 7172 if (cstate->regused[cstate->curreg]) 7173 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS; 7174 else { 7175 cstate->regused[cstate->curreg] = 1; 7176 return cstate->curreg; 7177 } 7178 } 7179 bpf_error(cstate, "too many registers needed to evaluate expression"); 7180 /* NOTREACHED */ 7181 return 0; 7182 } 7183 7184 /* 7185 * Return a register to the table so it can 7186 * be used later. 7187 */ 7188 static void 7189 free_reg(compiler_state_t *cstate, int n) 7190 { 7191 cstate->regused[n] = 0; 7192 } 7193 7194 static struct block * 7195 gen_len(compiler_state_t *cstate, int jmp, int n) 7196 { 7197 struct slist *s; 7198 struct block *b; 7199 7200 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7201 b = new_block(cstate, JMP(jmp)); 7202 b->stmts = s; 7203 b->s.k = n; 7204 7205 return b; 7206 } 7207 7208 struct block * 7209 gen_greater(compiler_state_t *cstate, int n) 7210 { 7211 return gen_len(cstate, BPF_JGE, n); 7212 } 7213 7214 /* 7215 * Actually, this is less than or equal. 7216 */ 7217 struct block * 7218 gen_less(compiler_state_t *cstate, int n) 7219 { 7220 struct block *b; 7221 7222 b = gen_len(cstate, BPF_JGT, n); 7223 gen_not(b); 7224 7225 return b; 7226 } 7227 7228 /* 7229 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7230 * the beginning of the link-layer header. 7231 * XXX - that means you can't test values in the radiotap header, but 7232 * as that header is difficult if not impossible to parse generally 7233 * without a loop, that might not be a severe problem. A new keyword 7234 * "radio" could be added for that, although what you'd really want 7235 * would be a way of testing particular radio header values, which 7236 * would generate code appropriate to the radio header in question. 7237 */ 7238 struct block * 7239 gen_byteop(compiler_state_t *cstate, int op, int idx, int val) 7240 { 7241 struct block *b; 7242 struct slist *s; 7243 7244 switch (op) { 7245 default: 7246 abort(); 7247 7248 case '=': 7249 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7250 7251 case '<': 7252 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7253 return b; 7254 7255 case '>': 7256 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7257 return b; 7258 7259 case '|': 7260 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K); 7261 break; 7262 7263 case '&': 7264 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 7265 break; 7266 } 7267 s->s.k = val; 7268 b = new_block(cstate, JMP(BPF_JEQ)); 7269 b->stmts = s; 7270 gen_not(b); 7271 7272 return b; 7273 } 7274 7275 static const u_char abroadcast[] = { 0x0 }; 7276 7277 struct block * 7278 gen_broadcast(compiler_state_t *cstate, int proto) 7279 { 7280 bpf_u_int32 hostmask; 7281 struct block *b0, *b1, *b2; 7282 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7283 7284 switch (proto) { 7285 7286 case Q_DEFAULT: 7287 case Q_LINK: 7288 switch (cstate->linktype) { 7289 case DLT_ARCNET: 7290 case DLT_ARCNET_LINUX: 7291 return gen_ahostop(cstate, abroadcast, Q_DST); 7292 case DLT_EN10MB: 7293 case DLT_NETANALYZER: 7294 case DLT_NETANALYZER_TRANSPARENT: 7295 b1 = gen_prevlinkhdr_check(cstate); 7296 b0 = gen_ehostop(cstate, ebroadcast, Q_DST); 7297 if (b1 != NULL) 7298 gen_and(b1, b0); 7299 return b0; 7300 case DLT_FDDI: 7301 return gen_fhostop(cstate, ebroadcast, Q_DST); 7302 case DLT_IEEE802: 7303 return gen_thostop(cstate, ebroadcast, Q_DST); 7304 case DLT_IEEE802_11: 7305 case DLT_PRISM_HEADER: 7306 case DLT_IEEE802_11_RADIO_AVS: 7307 case DLT_IEEE802_11_RADIO: 7308 case DLT_PPI: 7309 return gen_wlanhostop(cstate, ebroadcast, Q_DST); 7310 case DLT_IP_OVER_FC: 7311 return gen_ipfchostop(cstate, ebroadcast, Q_DST); 7312 default: 7313 bpf_error(cstate, "not a broadcast link"); 7314 } 7315 break; 7316 7317 case Q_IP: 7318 /* 7319 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7320 * as an indication that we don't know the netmask, and fail 7321 * in that case. 7322 */ 7323 if (cstate->netmask == PCAP_NETMASK_UNKNOWN) 7324 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported"); 7325 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7326 hostmask = ~cstate->netmask; 7327 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask); 7328 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 7329 (bpf_int32)(~0 & hostmask), hostmask); 7330 gen_or(b1, b2); 7331 gen_and(b0, b2); 7332 return b2; 7333 } 7334 bpf_error(cstate, "only link-layer/IP broadcast filters supported"); 7335 /* NOTREACHED */ 7336 return NULL; 7337 } 7338 7339 /* 7340 * Generate code to test the low-order bit of a MAC address (that's 7341 * the bottom bit of the *first* byte). 7342 */ 7343 static struct block * 7344 gen_mac_multicast(compiler_state_t *cstate, int offset) 7345 { 7346 register struct block *b0; 7347 register struct slist *s; 7348 7349 /* link[offset] & 1 != 0 */ 7350 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B); 7351 b0 = new_block(cstate, JMP(BPF_JSET)); 7352 b0->s.k = 1; 7353 b0->stmts = s; 7354 return b0; 7355 } 7356 7357 struct block * 7358 gen_multicast(compiler_state_t *cstate, int proto) 7359 { 7360 register struct block *b0, *b1, *b2; 7361 register struct slist *s; 7362 7363 switch (proto) { 7364 7365 case Q_DEFAULT: 7366 case Q_LINK: 7367 switch (cstate->linktype) { 7368 case DLT_ARCNET: 7369 case DLT_ARCNET_LINUX: 7370 /* all ARCnet multicasts use the same address */ 7371 return gen_ahostop(cstate, abroadcast, Q_DST); 7372 case DLT_EN10MB: 7373 case DLT_NETANALYZER: 7374 case DLT_NETANALYZER_TRANSPARENT: 7375 b1 = gen_prevlinkhdr_check(cstate); 7376 /* ether[0] & 1 != 0 */ 7377 b0 = gen_mac_multicast(cstate, 0); 7378 if (b1 != NULL) 7379 gen_and(b1, b0); 7380 return b0; 7381 case DLT_FDDI: 7382 /* 7383 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7384 * 7385 * XXX - was that referring to bit-order issues? 7386 */ 7387 /* fddi[1] & 1 != 0 */ 7388 return gen_mac_multicast(cstate, 1); 7389 case DLT_IEEE802: 7390 /* tr[2] & 1 != 0 */ 7391 return gen_mac_multicast(cstate, 2); 7392 case DLT_IEEE802_11: 7393 case DLT_PRISM_HEADER: 7394 case DLT_IEEE802_11_RADIO_AVS: 7395 case DLT_IEEE802_11_RADIO: 7396 case DLT_PPI: 7397 /* 7398 * Oh, yuk. 7399 * 7400 * For control frames, there is no DA. 7401 * 7402 * For management frames, DA is at an 7403 * offset of 4 from the beginning of 7404 * the packet. 7405 * 7406 * For data frames, DA is at an offset 7407 * of 4 from the beginning of the packet 7408 * if To DS is clear and at an offset of 7409 * 16 from the beginning of the packet 7410 * if To DS is set. 7411 */ 7412 7413 /* 7414 * Generate the tests to be done for data frames. 7415 * 7416 * First, check for To DS set, i.e. "link[1] & 0x01". 7417 */ 7418 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 7419 b1 = new_block(cstate, JMP(BPF_JSET)); 7420 b1->s.k = 0x01; /* To DS */ 7421 b1->stmts = s; 7422 7423 /* 7424 * If To DS is set, the DA is at 16. 7425 */ 7426 b0 = gen_mac_multicast(cstate, 16); 7427 gen_and(b1, b0); 7428 7429 /* 7430 * Now, check for To DS not set, i.e. check 7431 * "!(link[1] & 0x01)". 7432 */ 7433 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 7434 b2 = new_block(cstate, JMP(BPF_JSET)); 7435 b2->s.k = 0x01; /* To DS */ 7436 b2->stmts = s; 7437 gen_not(b2); 7438 7439 /* 7440 * If To DS is not set, the DA is at 4. 7441 */ 7442 b1 = gen_mac_multicast(cstate, 4); 7443 gen_and(b2, b1); 7444 7445 /* 7446 * Now OR together the last two checks. That gives 7447 * the complete set of checks for data frames. 7448 */ 7449 gen_or(b1, b0); 7450 7451 /* 7452 * Now check for a data frame. 7453 * I.e, check "link[0] & 0x08". 7454 */ 7455 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7456 b1 = new_block(cstate, JMP(BPF_JSET)); 7457 b1->s.k = 0x08; 7458 b1->stmts = s; 7459 7460 /* 7461 * AND that with the checks done for data frames. 7462 */ 7463 gen_and(b1, b0); 7464 7465 /* 7466 * If the high-order bit of the type value is 0, this 7467 * is a management frame. 7468 * I.e, check "!(link[0] & 0x08)". 7469 */ 7470 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7471 b2 = new_block(cstate, JMP(BPF_JSET)); 7472 b2->s.k = 0x08; 7473 b2->stmts = s; 7474 gen_not(b2); 7475 7476 /* 7477 * For management frames, the DA is at 4. 7478 */ 7479 b1 = gen_mac_multicast(cstate, 4); 7480 gen_and(b2, b1); 7481 7482 /* 7483 * OR that with the checks done for data frames. 7484 * That gives the checks done for management and 7485 * data frames. 7486 */ 7487 gen_or(b1, b0); 7488 7489 /* 7490 * If the low-order bit of the type value is 1, 7491 * this is either a control frame or a frame 7492 * with a reserved type, and thus not a 7493 * frame with an SA. 7494 * 7495 * I.e., check "!(link[0] & 0x04)". 7496 */ 7497 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7498 b1 = new_block(cstate, JMP(BPF_JSET)); 7499 b1->s.k = 0x04; 7500 b1->stmts = s; 7501 gen_not(b1); 7502 7503 /* 7504 * AND that with the checks for data and management 7505 * frames. 7506 */ 7507 gen_and(b1, b0); 7508 return b0; 7509 case DLT_IP_OVER_FC: 7510 b0 = gen_mac_multicast(cstate, 2); 7511 return b0; 7512 default: 7513 break; 7514 } 7515 /* Link not known to support multicasts */ 7516 break; 7517 7518 case Q_IP: 7519 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7520 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, (bpf_int32)224); 7521 gen_and(b0, b1); 7522 return b1; 7523 7524 case Q_IPV6: 7525 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 7526 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, (bpf_int32)255); 7527 gen_and(b0, b1); 7528 return b1; 7529 } 7530 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7531 /* NOTREACHED */ 7532 return NULL; 7533 } 7534 7535 /* 7536 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7537 * Outbound traffic is sent by this machine, while inbound traffic is 7538 * sent by a remote machine (and may include packets destined for a 7539 * unicast or multicast link-layer address we are not subscribing to). 7540 * These are the same definitions implemented by pcap_setdirection(). 7541 * Capturing only unicast traffic destined for this host is probably 7542 * better accomplished using a higher-layer filter. 7543 */ 7544 struct block * 7545 gen_inbound(compiler_state_t *cstate, int dir) 7546 { 7547 register struct block *b0; 7548 7549 /* 7550 * Only some data link types support inbound/outbound qualifiers. 7551 */ 7552 switch (cstate->linktype) { 7553 case DLT_SLIP: 7554 b0 = gen_relation(cstate, BPF_JEQ, 7555 gen_load(cstate, Q_LINK, gen_loadi(cstate, 0), 1), 7556 gen_loadi(cstate, 0), 7557 dir); 7558 break; 7559 7560 case DLT_IPNET: 7561 if (dir) { 7562 /* match outgoing packets */ 7563 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND); 7564 } else { 7565 /* match incoming packets */ 7566 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND); 7567 } 7568 break; 7569 7570 case DLT_LINUX_SLL: 7571 /* match outgoing packets */ 7572 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING); 7573 if (!dir) { 7574 /* to filter on inbound traffic, invert the match */ 7575 gen_not(b0); 7576 } 7577 break; 7578 7579 #ifdef HAVE_NET_PFVAR_H 7580 case DLT_PFLOG: 7581 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B, 7582 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7583 break; 7584 #endif 7585 7586 case DLT_PPP_PPPD: 7587 if (dir) { 7588 /* match outgoing packets */ 7589 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT); 7590 } else { 7591 /* match incoming packets */ 7592 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN); 7593 } 7594 break; 7595 7596 case DLT_JUNIPER_MFR: 7597 case DLT_JUNIPER_MLFR: 7598 case DLT_JUNIPER_MLPPP: 7599 case DLT_JUNIPER_ATM1: 7600 case DLT_JUNIPER_ATM2: 7601 case DLT_JUNIPER_PPPOE: 7602 case DLT_JUNIPER_PPPOE_ATM: 7603 case DLT_JUNIPER_GGSN: 7604 case DLT_JUNIPER_ES: 7605 case DLT_JUNIPER_MONITOR: 7606 case DLT_JUNIPER_SERVICES: 7607 case DLT_JUNIPER_ETHER: 7608 case DLT_JUNIPER_PPP: 7609 case DLT_JUNIPER_FRELAY: 7610 case DLT_JUNIPER_CHDLC: 7611 case DLT_JUNIPER_VP: 7612 case DLT_JUNIPER_ST: 7613 case DLT_JUNIPER_ISM: 7614 case DLT_JUNIPER_VS: 7615 case DLT_JUNIPER_SRX_E2E: 7616 case DLT_JUNIPER_FIBRECHANNEL: 7617 case DLT_JUNIPER_ATM_CEMIC: 7618 7619 /* juniper flags (including direction) are stored 7620 * the byte after the 3-byte magic number */ 7621 if (dir) { 7622 /* match outgoing packets */ 7623 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01); 7624 } else { 7625 /* match incoming packets */ 7626 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01); 7627 } 7628 break; 7629 7630 default: 7631 /* 7632 * If we have packet meta-data indicating a direction, 7633 * check it, otherwise give up as this link-layer type 7634 * has nothing in the packet data. 7635 */ 7636 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7637 /* 7638 * This is Linux with PF_PACKET support. 7639 * If this is a *live* capture, we can look at 7640 * special meta-data in the filter expression; 7641 * if it's a savefile, we can't. 7642 */ 7643 if (cstate->bpf_pcap->rfile != NULL) { 7644 /* We have a FILE *, so this is a savefile */ 7645 bpf_error(cstate, "inbound/outbound not supported on linktype %d when reading savefiles", 7646 cstate->linktype); 7647 b0 = NULL; 7648 /* NOTREACHED */ 7649 } 7650 /* match outgoing packets */ 7651 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7652 PACKET_OUTGOING); 7653 if (!dir) { 7654 /* to filter on inbound traffic, invert the match */ 7655 gen_not(b0); 7656 } 7657 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7658 bpf_error(cstate, "inbound/outbound not supported on linktype %d", 7659 cstate->linktype); 7660 b0 = NULL; 7661 /* NOTREACHED */ 7662 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7663 } 7664 return (b0); 7665 } 7666 7667 #ifdef HAVE_NET_PFVAR_H 7668 /* PF firewall log matched interface */ 7669 struct block * 7670 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 7671 { 7672 struct block *b0; 7673 u_int len, off; 7674 7675 if (cstate->linktype != DLT_PFLOG) { 7676 bpf_error(cstate, "ifname supported only on PF linktype"); 7677 /* NOTREACHED */ 7678 } 7679 len = sizeof(((struct pfloghdr *)0)->ifname); 7680 off = offsetof(struct pfloghdr, ifname); 7681 if (strlen(ifname) >= len) { 7682 bpf_error(cstate, "ifname interface names can only be %d characters", 7683 len-1); 7684 /* NOTREACHED */ 7685 } 7686 b0 = gen_bcmp(cstate, OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname); 7687 return (b0); 7688 } 7689 7690 /* PF firewall log ruleset name */ 7691 struct block * 7692 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 7693 { 7694 struct block *b0; 7695 7696 if (cstate->linktype != DLT_PFLOG) { 7697 bpf_error(cstate, "ruleset supported only on PF linktype"); 7698 /* NOTREACHED */ 7699 } 7700 7701 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7702 bpf_error(cstate, "ruleset names can only be %ld characters", 7703 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7704 /* NOTREACHED */ 7705 } 7706 7707 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset), 7708 strlen(ruleset), (const u_char *)ruleset); 7709 return (b0); 7710 } 7711 7712 /* PF firewall log rule number */ 7713 struct block * 7714 gen_pf_rnr(compiler_state_t *cstate, int rnr) 7715 { 7716 struct block *b0; 7717 7718 if (cstate->linktype != DLT_PFLOG) { 7719 bpf_error(cstate, "rnr supported only on PF linktype"); 7720 /* NOTREACHED */ 7721 } 7722 7723 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W, 7724 (bpf_int32)rnr); 7725 return (b0); 7726 } 7727 7728 /* PF firewall log sub-rule number */ 7729 struct block * 7730 gen_pf_srnr(compiler_state_t *cstate, int srnr) 7731 { 7732 struct block *b0; 7733 7734 if (cstate->linktype != DLT_PFLOG) { 7735 bpf_error(cstate, "srnr supported only on PF linktype"); 7736 /* NOTREACHED */ 7737 } 7738 7739 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W, 7740 (bpf_int32)srnr); 7741 return (b0); 7742 } 7743 7744 /* PF firewall log reason code */ 7745 struct block * 7746 gen_pf_reason(compiler_state_t *cstate, int reason) 7747 { 7748 struct block *b0; 7749 7750 if (cstate->linktype != DLT_PFLOG) { 7751 bpf_error(cstate, "reason supported only on PF linktype"); 7752 /* NOTREACHED */ 7753 } 7754 7755 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B, 7756 (bpf_int32)reason); 7757 return (b0); 7758 } 7759 7760 /* PF firewall log action */ 7761 struct block * 7762 gen_pf_action(compiler_state_t *cstate, int action) 7763 { 7764 struct block *b0; 7765 7766 if (cstate->linktype != DLT_PFLOG) { 7767 bpf_error(cstate, "action supported only on PF linktype"); 7768 /* NOTREACHED */ 7769 } 7770 7771 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B, 7772 (bpf_int32)action); 7773 return (b0); 7774 } 7775 #else /* !HAVE_NET_PFVAR_H */ 7776 struct block * 7777 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 7778 { 7779 bpf_error(cstate, "libpcap was compiled without pf support"); 7780 /* NOTREACHED */ 7781 return (NULL); 7782 } 7783 7784 struct block * 7785 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 7786 { 7787 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7788 /* NOTREACHED */ 7789 return (NULL); 7790 } 7791 7792 struct block * 7793 gen_pf_rnr(compiler_state_t *cstate, int rnr) 7794 { 7795 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7796 /* NOTREACHED */ 7797 return (NULL); 7798 } 7799 7800 struct block * 7801 gen_pf_srnr(compiler_state_t *cstate, int srnr) 7802 { 7803 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7804 /* NOTREACHED */ 7805 return (NULL); 7806 } 7807 7808 struct block * 7809 gen_pf_reason(compiler_state_t *cstate, int reason) 7810 { 7811 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7812 /* NOTREACHED */ 7813 return (NULL); 7814 } 7815 7816 struct block * 7817 gen_pf_action(compiler_state_t *cstate, int action) 7818 { 7819 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7820 /* NOTREACHED */ 7821 return (NULL); 7822 } 7823 #endif /* HAVE_NET_PFVAR_H */ 7824 7825 /* IEEE 802.11 wireless header */ 7826 struct block * 7827 gen_p80211_type(compiler_state_t *cstate, int type, int mask) 7828 { 7829 struct block *b0; 7830 7831 switch (cstate->linktype) { 7832 7833 case DLT_IEEE802_11: 7834 case DLT_PRISM_HEADER: 7835 case DLT_IEEE802_11_RADIO_AVS: 7836 case DLT_IEEE802_11_RADIO: 7837 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, (bpf_int32)type, 7838 (bpf_int32)mask); 7839 break; 7840 7841 default: 7842 bpf_error(cstate, "802.11 link-layer types supported only on 802.11"); 7843 /* NOTREACHED */ 7844 } 7845 7846 return (b0); 7847 } 7848 7849 struct block * 7850 gen_p80211_fcdir(compiler_state_t *cstate, int fcdir) 7851 { 7852 struct block *b0; 7853 7854 switch (cstate->linktype) { 7855 7856 case DLT_IEEE802_11: 7857 case DLT_PRISM_HEADER: 7858 case DLT_IEEE802_11_RADIO_AVS: 7859 case DLT_IEEE802_11_RADIO: 7860 break; 7861 7862 default: 7863 bpf_error(cstate, "frame direction supported only with 802.11 headers"); 7864 /* NOTREACHED */ 7865 } 7866 7867 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir, 7868 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7869 7870 return (b0); 7871 } 7872 7873 struct block * 7874 gen_acode(compiler_state_t *cstate, const u_char *eaddr, struct qual q) 7875 { 7876 switch (cstate->linktype) { 7877 7878 case DLT_ARCNET: 7879 case DLT_ARCNET_LINUX: 7880 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7881 q.proto == Q_LINK) 7882 return (gen_ahostop(cstate, eaddr, (int)q.dir)); 7883 else { 7884 bpf_error(cstate, "ARCnet address used in non-arc expression"); 7885 /* NOTREACHED */ 7886 } 7887 break; 7888 7889 default: 7890 bpf_error(cstate, "aid supported only on ARCnet"); 7891 /* NOTREACHED */ 7892 } 7893 bpf_error(cstate, "ARCnet address used in non-arc expression"); 7894 /* NOTREACHED */ 7895 return NULL; 7896 } 7897 7898 static struct block * 7899 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 7900 { 7901 register struct block *b0, *b1; 7902 7903 switch (dir) { 7904 /* src comes first, different from Ethernet */ 7905 case Q_SRC: 7906 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr); 7907 7908 case Q_DST: 7909 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr); 7910 7911 case Q_AND: 7912 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 7913 b1 = gen_ahostop(cstate, eaddr, Q_DST); 7914 gen_and(b0, b1); 7915 return b1; 7916 7917 case Q_DEFAULT: 7918 case Q_OR: 7919 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 7920 b1 = gen_ahostop(cstate, eaddr, Q_DST); 7921 gen_or(b0, b1); 7922 return b1; 7923 7924 case Q_ADDR1: 7925 bpf_error(cstate, "'addr1' is only supported on 802.11"); 7926 break; 7927 7928 case Q_ADDR2: 7929 bpf_error(cstate, "'addr2' is only supported on 802.11"); 7930 break; 7931 7932 case Q_ADDR3: 7933 bpf_error(cstate, "'addr3' is only supported on 802.11"); 7934 break; 7935 7936 case Q_ADDR4: 7937 bpf_error(cstate, "'addr4' is only supported on 802.11"); 7938 break; 7939 7940 case Q_RA: 7941 bpf_error(cstate, "'ra' is only supported on 802.11"); 7942 break; 7943 7944 case Q_TA: 7945 bpf_error(cstate, "'ta' is only supported on 802.11"); 7946 break; 7947 } 7948 abort(); 7949 /* NOTREACHED */ 7950 } 7951 7952 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT) 7953 static struct block * 7954 gen_vlan_bpf_extensions(compiler_state_t *cstate, int vlan_num) 7955 { 7956 struct block *b0, *b1; 7957 struct slist *s; 7958 7959 /* generate new filter code based on extracting packet 7960 * metadata */ 7961 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 7962 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 7963 7964 b0 = new_block(cstate, JMP(BPF_JEQ)); 7965 b0->stmts = s; 7966 b0->s.k = 1; 7967 7968 if (vlan_num >= 0) { 7969 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 7970 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG; 7971 7972 b1 = new_block(cstate, JMP(BPF_JEQ)); 7973 b1->stmts = s; 7974 b1->s.k = (bpf_int32) vlan_num; 7975 7976 gen_and(b0,b1); 7977 b0 = b1; 7978 } 7979 7980 return b0; 7981 } 7982 #endif 7983 7984 static struct block * 7985 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, int vlan_num) 7986 { 7987 struct block *b0, *b1; 7988 7989 /* check for VLAN, including QinQ */ 7990 b0 = gen_linktype(cstate, ETHERTYPE_8021Q); 7991 b1 = gen_linktype(cstate, ETHERTYPE_8021AD); 7992 gen_or(b0,b1); 7993 b0 = b1; 7994 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ); 7995 gen_or(b0,b1); 7996 b0 = b1; 7997 7998 /* If a specific VLAN is requested, check VLAN id */ 7999 if (vlan_num >= 0) { 8000 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, 8001 (bpf_int32)vlan_num, 0x0fff); 8002 gen_and(b0, b1); 8003 b0 = b1; 8004 } 8005 8006 /* 8007 * The payload follows the full header, including the 8008 * VLAN tags, so skip past this VLAN tag. 8009 */ 8010 cstate->off_linkpl.constant_part += 4; 8011 8012 /* 8013 * The link-layer type information follows the VLAN tags, so 8014 * skip past this VLAN tag. 8015 */ 8016 cstate->off_linktype.constant_part += 4; 8017 8018 return b0; 8019 } 8020 8021 /* 8022 * support IEEE 802.1Q VLAN trunk over ethernet 8023 */ 8024 struct block * 8025 gen_vlan(compiler_state_t *cstate, int vlan_num) 8026 { 8027 struct block *b0; 8028 8029 /* can't check for VLAN-encapsulated packets inside MPLS */ 8030 if (cstate->label_stack_depth > 0) 8031 bpf_error(cstate, "no VLAN match after MPLS"); 8032 8033 /* 8034 * Check for a VLAN packet, and then change the offsets to point 8035 * to the type and data fields within the VLAN packet. Just 8036 * increment the offsets, so that we can support a hierarchy, e.g. 8037 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 8038 * VLAN 100. 8039 * 8040 * XXX - this is a bit of a kludge. If we were to split the 8041 * compiler into a parser that parses an expression and 8042 * generates an expression tree, and a code generator that 8043 * takes an expression tree (which could come from our 8044 * parser or from some other parser) and generates BPF code, 8045 * we could perhaps make the offsets parameters of routines 8046 * and, in the handler for an "AND" node, pass to subnodes 8047 * other than the VLAN node the adjusted offsets. 8048 * 8049 * This would mean that "vlan" would, instead of changing the 8050 * behavior of *all* tests after it, change only the behavior 8051 * of tests ANDed with it. That would change the documented 8052 * semantics of "vlan", which might break some expressions. 8053 * However, it would mean that "(vlan and ip) or ip" would check 8054 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8055 * checking only for VLAN-encapsulated IP, so that could still 8056 * be considered worth doing; it wouldn't break expressions 8057 * that are of the form "vlan and ..." or "vlan N and ...", 8058 * which I suspect are the most common expressions involving 8059 * "vlan". "vlan or ..." doesn't necessarily do what the user 8060 * would really want, now, as all the "or ..." tests would 8061 * be done assuming a VLAN, even though the "or" could be viewed 8062 * as meaning "or, if this isn't a VLAN packet...". 8063 */ 8064 switch (cstate->linktype) { 8065 8066 case DLT_EN10MB: 8067 case DLT_NETANALYZER: 8068 case DLT_NETANALYZER_TRANSPARENT: 8069 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT) 8070 /* Verify that this is the outer part of the packet and 8071 * not encapsulated somehow. */ 8072 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable && 8073 cstate->off_linkhdr.constant_part == 8074 cstate->off_outermostlinkhdr.constant_part) { 8075 /* 8076 * Do we need special VLAN handling? 8077 */ 8078 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING) 8079 b0 = gen_vlan_bpf_extensions(cstate, vlan_num); 8080 else 8081 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8082 } else 8083 #endif 8084 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8085 break; 8086 8087 case DLT_IEEE802_11: 8088 case DLT_PRISM_HEADER: 8089 case DLT_IEEE802_11_RADIO_AVS: 8090 case DLT_IEEE802_11_RADIO: 8091 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8092 break; 8093 8094 default: 8095 bpf_error(cstate, "no VLAN support for data link type %d", 8096 cstate->linktype); 8097 /*NOTREACHED*/ 8098 } 8099 8100 cstate->vlan_stack_depth++; 8101 8102 return (b0); 8103 } 8104 8105 /* 8106 * support for MPLS 8107 */ 8108 struct block * 8109 gen_mpls(compiler_state_t *cstate, int label_num) 8110 { 8111 struct block *b0, *b1; 8112 8113 if (cstate->label_stack_depth > 0) { 8114 /* just match the bottom-of-stack bit clear */ 8115 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01); 8116 } else { 8117 /* 8118 * We're not in an MPLS stack yet, so check the link-layer 8119 * type against MPLS. 8120 */ 8121 switch (cstate->linktype) { 8122 8123 case DLT_C_HDLC: /* fall through */ 8124 case DLT_EN10MB: 8125 case DLT_NETANALYZER: 8126 case DLT_NETANALYZER_TRANSPARENT: 8127 b0 = gen_linktype(cstate, ETHERTYPE_MPLS); 8128 break; 8129 8130 case DLT_PPP: 8131 b0 = gen_linktype(cstate, PPP_MPLS_UCAST); 8132 break; 8133 8134 /* FIXME add other DLT_s ... 8135 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8136 * leave it for now */ 8137 8138 default: 8139 bpf_error(cstate, "no MPLS support for data link type %d", 8140 cstate->linktype); 8141 b0 = NULL; 8142 /*NOTREACHED*/ 8143 break; 8144 } 8145 } 8146 8147 /* If a specific MPLS label is requested, check it */ 8148 if (label_num >= 0) { 8149 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8150 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, (bpf_int32)label_num, 8151 0xfffff000); /* only compare the first 20 bits */ 8152 gen_and(b0, b1); 8153 b0 = b1; 8154 } 8155 8156 /* 8157 * Change the offsets to point to the type and data fields within 8158 * the MPLS packet. Just increment the offsets, so that we 8159 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 8160 * capture packets with an outer label of 100000 and an inner 8161 * label of 1024. 8162 * 8163 * Increment the MPLS stack depth as well; this indicates that 8164 * we're checking MPLS-encapsulated headers, to make sure higher 8165 * level code generators don't try to match against IP-related 8166 * protocols such as Q_ARP, Q_RARP etc. 8167 * 8168 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 8169 */ 8170 cstate->off_nl_nosnap += 4; 8171 cstate->off_nl += 4; 8172 cstate->label_stack_depth++; 8173 return (b0); 8174 } 8175 8176 /* 8177 * Support PPPOE discovery and session. 8178 */ 8179 struct block * 8180 gen_pppoed(compiler_state_t *cstate) 8181 { 8182 /* check for PPPoE discovery */ 8183 return gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOED); 8184 } 8185 8186 struct block * 8187 gen_pppoes(compiler_state_t *cstate, int sess_num) 8188 { 8189 struct block *b0, *b1; 8190 8191 /* 8192 * Test against the PPPoE session link-layer type. 8193 */ 8194 b0 = gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOES); 8195 8196 /* If a specific session is requested, check PPPoE session id */ 8197 if (sess_num >= 0) { 8198 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, 8199 (bpf_int32)sess_num, 0x0000ffff); 8200 gen_and(b0, b1); 8201 b0 = b1; 8202 } 8203 8204 /* 8205 * Change the offsets to point to the type and data fields within 8206 * the PPP packet, and note that this is PPPoE rather than 8207 * raw PPP. 8208 * 8209 * XXX - this is a bit of a kludge. If we were to split the 8210 * compiler into a parser that parses an expression and 8211 * generates an expression tree, and a code generator that 8212 * takes an expression tree (which could come from our 8213 * parser or from some other parser) and generates BPF code, 8214 * we could perhaps make the offsets parameters of routines 8215 * and, in the handler for an "AND" node, pass to subnodes 8216 * other than the PPPoE node the adjusted offsets. 8217 * 8218 * This would mean that "pppoes" would, instead of changing the 8219 * behavior of *all* tests after it, change only the behavior 8220 * of tests ANDed with it. That would change the documented 8221 * semantics of "pppoes", which might break some expressions. 8222 * However, it would mean that "(pppoes and ip) or ip" would check 8223 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8224 * checking only for VLAN-encapsulated IP, so that could still 8225 * be considered worth doing; it wouldn't break expressions 8226 * that are of the form "pppoes and ..." which I suspect are the 8227 * most common expressions involving "pppoes". "pppoes or ..." 8228 * doesn't necessarily do what the user would really want, now, 8229 * as all the "or ..." tests would be done assuming PPPoE, even 8230 * though the "or" could be viewed as meaning "or, if this isn't 8231 * a PPPoE packet...". 8232 * 8233 * The "network-layer" protocol is PPPoE, which has a 6-byte 8234 * PPPoE header, followed by a PPP packet. 8235 * 8236 * There is no HDLC encapsulation for the PPP packet (it's 8237 * encapsulated in PPPoES instead), so the link-layer type 8238 * starts at the first byte of the PPP packet. For PPPoE, 8239 * that offset is relative to the beginning of the total 8240 * link-layer payload, including any 802.2 LLC header, so 8241 * it's 6 bytes past cstate->off_nl. 8242 */ 8243 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable, 8244 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */ 8245 cstate->off_linkpl.reg); 8246 8247 cstate->off_linktype = cstate->off_linkhdr; 8248 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2; 8249 8250 cstate->off_nl = 0; 8251 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 8252 8253 return b0; 8254 } 8255 8256 /* Check that this is Geneve and the VNI is correct if 8257 * specified. Parameterized to handle both IPv4 and IPv6. */ 8258 static struct block * 8259 gen_geneve_check(compiler_state_t *cstate, 8260 struct block *(*gen_portfn)(compiler_state_t *, int, int, int), 8261 enum e_offrel offrel, int vni) 8262 { 8263 struct block *b0, *b1; 8264 8265 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST); 8266 8267 /* Check that we are operating on version 0. Otherwise, we 8268 * can't decode the rest of the fields. The version is 2 bits 8269 * in the first byte of the Geneve header. */ 8270 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, (bpf_int32)0, 0xc0); 8271 gen_and(b0, b1); 8272 b0 = b1; 8273 8274 if (vni >= 0) { 8275 vni <<= 8; /* VNI is in the upper 3 bytes */ 8276 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, (bpf_int32)vni, 8277 0xffffff00); 8278 gen_and(b0, b1); 8279 b0 = b1; 8280 } 8281 8282 return b0; 8283 } 8284 8285 /* The IPv4 and IPv6 Geneve checks need to do two things: 8286 * - Verify that this actually is Geneve with the right VNI. 8287 * - Place the IP header length (plus variable link prefix if 8288 * needed) into register A to be used later to compute 8289 * the inner packet offsets. */ 8290 static struct block * 8291 gen_geneve4(compiler_state_t *cstate, int vni) 8292 { 8293 struct block *b0, *b1; 8294 struct slist *s, *s1; 8295 8296 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni); 8297 8298 /* Load the IP header length into A. */ 8299 s = gen_loadx_iphdrlen(cstate); 8300 8301 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 8302 sappend(s, s1); 8303 8304 /* Forcibly append these statements to the true condition 8305 * of the protocol check by creating a new block that is 8306 * always true and ANDing them. */ 8307 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8308 b1->stmts = s; 8309 b1->s.k = 0; 8310 8311 gen_and(b0, b1); 8312 8313 return b1; 8314 } 8315 8316 static struct block * 8317 gen_geneve6(compiler_state_t *cstate, int vni) 8318 { 8319 struct block *b0, *b1; 8320 struct slist *s, *s1; 8321 8322 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni); 8323 8324 /* Load the IP header length. We need to account for a 8325 * variable length link prefix if there is one. */ 8326 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 8327 if (s) { 8328 s1 = new_stmt(cstate, BPF_LD|BPF_IMM); 8329 s1->s.k = 40; 8330 sappend(s, s1); 8331 8332 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 8333 s1->s.k = 0; 8334 sappend(s, s1); 8335 } else { 8336 s = new_stmt(cstate, BPF_LD|BPF_IMM); 8337 s->s.k = 40; 8338 } 8339 8340 /* Forcibly append these statements to the true condition 8341 * of the protocol check by creating a new block that is 8342 * always true and ANDing them. */ 8343 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8344 sappend(s, s1); 8345 8346 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8347 b1->stmts = s; 8348 b1->s.k = 0; 8349 8350 gen_and(b0, b1); 8351 8352 return b1; 8353 } 8354 8355 /* We need to store three values based on the Geneve header:: 8356 * - The offset of the linktype. 8357 * - The offset of the end of the Geneve header. 8358 * - The offset of the end of the encapsulated MAC header. */ 8359 static struct slist * 8360 gen_geneve_offsets(compiler_state_t *cstate) 8361 { 8362 struct slist *s, *s1, *s_proto; 8363 8364 /* First we need to calculate the offset of the Geneve header 8365 * itself. This is composed of the IP header previously calculated 8366 * (include any variable link prefix) and stored in A plus the 8367 * fixed sized headers (fixed link prefix, MAC length, and UDP 8368 * header). */ 8369 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8370 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8; 8371 8372 /* Stash this in X since we'll need it later. */ 8373 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8374 sappend(s, s1); 8375 8376 /* The EtherType in Geneve is 2 bytes in. Calculate this and 8377 * store it. */ 8378 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8379 s1->s.k = 2; 8380 sappend(s, s1); 8381 8382 cstate->off_linktype.reg = alloc_reg(cstate); 8383 cstate->off_linktype.is_variable = 1; 8384 cstate->off_linktype.constant_part = 0; 8385 8386 s1 = new_stmt(cstate, BPF_ST); 8387 s1->s.k = cstate->off_linktype.reg; 8388 sappend(s, s1); 8389 8390 /* Load the Geneve option length and mask and shift to get the 8391 * number of bytes. It is stored in the first byte of the Geneve 8392 * header. */ 8393 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 8394 s1->s.k = 0; 8395 sappend(s, s1); 8396 8397 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 8398 s1->s.k = 0x3f; 8399 sappend(s, s1); 8400 8401 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 8402 s1->s.k = 4; 8403 sappend(s, s1); 8404 8405 /* Add in the rest of the Geneve base header. */ 8406 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8407 s1->s.k = 8; 8408 sappend(s, s1); 8409 8410 /* Add the Geneve header length to its offset and store. */ 8411 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 8412 s1->s.k = 0; 8413 sappend(s, s1); 8414 8415 /* Set the encapsulated type as Ethernet. Even though we may 8416 * not actually have Ethernet inside there are two reasons this 8417 * is useful: 8418 * - The linktype field is always in EtherType format regardless 8419 * of whether it is in Geneve or an inner Ethernet frame. 8420 * - The only link layer that we have specific support for is 8421 * Ethernet. We will confirm that the packet actually is 8422 * Ethernet at runtime before executing these checks. */ 8423 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate)); 8424 8425 s1 = new_stmt(cstate, BPF_ST); 8426 s1->s.k = cstate->off_linkhdr.reg; 8427 sappend(s, s1); 8428 8429 /* Calculate whether we have an Ethernet header or just raw IP/ 8430 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset 8431 * and linktype by 14 bytes so that the network header can be found 8432 * seamlessly. Otherwise, keep what we've calculated already. */ 8433 8434 /* We have a bare jmp so we can't use the optimizer. */ 8435 cstate->no_optimize = 1; 8436 8437 /* Load the EtherType in the Geneve header, 2 bytes in. */ 8438 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H); 8439 s1->s.k = 2; 8440 sappend(s, s1); 8441 8442 /* Load X with the end of the Geneve header. */ 8443 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 8444 s1->s.k = cstate->off_linkhdr.reg; 8445 sappend(s, s1); 8446 8447 /* Check if the EtherType is Transparent Ethernet Bridging. At the 8448 * end of this check, we should have the total length in X. In 8449 * the non-Ethernet case, it's already there. */ 8450 s_proto = new_stmt(cstate, JMP(BPF_JEQ)); 8451 s_proto->s.k = ETHERTYPE_TEB; 8452 sappend(s, s_proto); 8453 8454 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 8455 sappend(s, s1); 8456 s_proto->s.jt = s1; 8457 8458 /* Since this is Ethernet, use the EtherType of the payload 8459 * directly as the linktype. Overwrite what we already have. */ 8460 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8461 s1->s.k = 12; 8462 sappend(s, s1); 8463 8464 s1 = new_stmt(cstate, BPF_ST); 8465 s1->s.k = cstate->off_linktype.reg; 8466 sappend(s, s1); 8467 8468 /* Advance two bytes further to get the end of the Ethernet 8469 * header. */ 8470 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8471 s1->s.k = 2; 8472 sappend(s, s1); 8473 8474 /* Move the result to X. */ 8475 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8476 sappend(s, s1); 8477 8478 /* Store the final result of our linkpl calculation. */ 8479 cstate->off_linkpl.reg = alloc_reg(cstate); 8480 cstate->off_linkpl.is_variable = 1; 8481 cstate->off_linkpl.constant_part = 0; 8482 8483 s1 = new_stmt(cstate, BPF_STX); 8484 s1->s.k = cstate->off_linkpl.reg; 8485 sappend(s, s1); 8486 s_proto->s.jf = s1; 8487 8488 cstate->off_nl = 0; 8489 8490 return s; 8491 } 8492 8493 /* Check to see if this is a Geneve packet. */ 8494 struct block * 8495 gen_geneve(compiler_state_t *cstate, int vni) 8496 { 8497 struct block *b0, *b1; 8498 struct slist *s; 8499 8500 b0 = gen_geneve4(cstate, vni); 8501 b1 = gen_geneve6(cstate, vni); 8502 8503 gen_or(b0, b1); 8504 b0 = b1; 8505 8506 /* Later filters should act on the payload of the Geneve frame, 8507 * update all of the header pointers. Attach this code so that 8508 * it gets executed in the event that the Geneve filter matches. */ 8509 s = gen_geneve_offsets(cstate); 8510 8511 b1 = gen_true(cstate); 8512 sappend(s, b1->stmts); 8513 b1->stmts = s; 8514 8515 gen_and(b0, b1); 8516 8517 cstate->is_geneve = 1; 8518 8519 return b1; 8520 } 8521 8522 /* Check that the encapsulated frame has a link layer header 8523 * for Ethernet filters. */ 8524 static struct block * 8525 gen_geneve_ll_check(compiler_state_t *cstate) 8526 { 8527 struct block *b0; 8528 struct slist *s, *s1; 8529 8530 /* The easiest way to see if there is a link layer present 8531 * is to check if the link layer header and payload are not 8532 * the same. */ 8533 8534 /* Geneve always generates pure variable offsets so we can 8535 * compare only the registers. */ 8536 s = new_stmt(cstate, BPF_LD|BPF_MEM); 8537 s->s.k = cstate->off_linkhdr.reg; 8538 8539 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 8540 s1->s.k = cstate->off_linkpl.reg; 8541 sappend(s, s1); 8542 8543 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8544 b0->stmts = s; 8545 b0->s.k = 0; 8546 gen_not(b0); 8547 8548 return b0; 8549 } 8550 8551 struct block * 8552 gen_atmfield_code(compiler_state_t *cstate, int atmfield, bpf_int32 jvalue, 8553 bpf_u_int32 jtype, int reverse) 8554 { 8555 struct block *b0; 8556 8557 switch (atmfield) { 8558 8559 case A_VPI: 8560 if (!cstate->is_atm) 8561 bpf_error(cstate, "'vpi' supported only on raw ATM"); 8562 if (cstate->off_vpi == (u_int)-1) 8563 abort(); 8564 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 0xffffffff, jtype, 8565 reverse, jvalue); 8566 break; 8567 8568 case A_VCI: 8569 if (!cstate->is_atm) 8570 bpf_error(cstate, "'vci' supported only on raw ATM"); 8571 if (cstate->off_vci == (u_int)-1) 8572 abort(); 8573 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 0xffffffff, jtype, 8574 reverse, jvalue); 8575 break; 8576 8577 case A_PROTOTYPE: 8578 if (cstate->off_proto == (u_int)-1) 8579 abort(); /* XXX - this isn't on FreeBSD */ 8580 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0x0f, jtype, 8581 reverse, jvalue); 8582 break; 8583 8584 case A_MSGTYPE: 8585 if (cstate->off_payload == (u_int)-1) 8586 abort(); 8587 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B, 8588 0xffffffff, jtype, reverse, jvalue); 8589 break; 8590 8591 case A_CALLREFTYPE: 8592 if (!cstate->is_atm) 8593 bpf_error(cstate, "'callref' supported only on raw ATM"); 8594 if (cstate->off_proto == (u_int)-1) 8595 abort(); 8596 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0xffffffff, 8597 jtype, reverse, jvalue); 8598 break; 8599 8600 default: 8601 abort(); 8602 } 8603 return b0; 8604 } 8605 8606 struct block * 8607 gen_atmtype_abbrev(compiler_state_t *cstate, int type) 8608 { 8609 struct block *b0, *b1; 8610 8611 switch (type) { 8612 8613 case A_METAC: 8614 /* Get all packets in Meta signalling Circuit */ 8615 if (!cstate->is_atm) 8616 bpf_error(cstate, "'metac' supported only on raw ATM"); 8617 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8618 b1 = gen_atmfield_code(cstate, A_VCI, 1, BPF_JEQ, 0); 8619 gen_and(b0, b1); 8620 break; 8621 8622 case A_BCC: 8623 /* Get all packets in Broadcast Circuit*/ 8624 if (!cstate->is_atm) 8625 bpf_error(cstate, "'bcc' supported only on raw ATM"); 8626 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8627 b1 = gen_atmfield_code(cstate, A_VCI, 2, BPF_JEQ, 0); 8628 gen_and(b0, b1); 8629 break; 8630 8631 case A_OAMF4SC: 8632 /* Get all cells in Segment OAM F4 circuit*/ 8633 if (!cstate->is_atm) 8634 bpf_error(cstate, "'oam4sc' supported only on raw ATM"); 8635 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8636 b1 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0); 8637 gen_and(b0, b1); 8638 break; 8639 8640 case A_OAMF4EC: 8641 /* Get all cells in End-to-End OAM F4 Circuit*/ 8642 if (!cstate->is_atm) 8643 bpf_error(cstate, "'oam4ec' supported only on raw ATM"); 8644 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8645 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0); 8646 gen_and(b0, b1); 8647 break; 8648 8649 case A_SC: 8650 /* Get all packets in connection Signalling Circuit */ 8651 if (!cstate->is_atm) 8652 bpf_error(cstate, "'sc' supported only on raw ATM"); 8653 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8654 b1 = gen_atmfield_code(cstate, A_VCI, 5, BPF_JEQ, 0); 8655 gen_and(b0, b1); 8656 break; 8657 8658 case A_ILMIC: 8659 /* Get all packets in ILMI Circuit */ 8660 if (!cstate->is_atm) 8661 bpf_error(cstate, "'ilmic' supported only on raw ATM"); 8662 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8663 b1 = gen_atmfield_code(cstate, A_VCI, 16, BPF_JEQ, 0); 8664 gen_and(b0, b1); 8665 break; 8666 8667 case A_LANE: 8668 /* Get all LANE packets */ 8669 if (!cstate->is_atm) 8670 bpf_error(cstate, "'lane' supported only on raw ATM"); 8671 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8672 8673 /* 8674 * Arrange that all subsequent tests assume LANE 8675 * rather than LLC-encapsulated packets, and set 8676 * the offsets appropriately for LANE-encapsulated 8677 * Ethernet. 8678 * 8679 * We assume LANE means Ethernet, not Token Ring. 8680 */ 8681 PUSH_LINKHDR(cstate, DLT_EN10MB, 0, 8682 cstate->off_payload + 2, /* Ethernet header */ 8683 -1); 8684 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 8685 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */ 8686 cstate->off_nl = 0; /* Ethernet II */ 8687 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 8688 break; 8689 8690 case A_LLC: 8691 /* Get all LLC-encapsulated packets */ 8692 if (!cstate->is_atm) 8693 bpf_error(cstate, "'llc' supported only on raw ATM"); 8694 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8695 cstate->linktype = cstate->prevlinktype; 8696 break; 8697 8698 default: 8699 abort(); 8700 } 8701 return b1; 8702 } 8703 8704 /* 8705 * Filtering for MTP2 messages based on li value 8706 * FISU, length is null 8707 * LSSU, length is 1 or 2 8708 * MSU, length is 3 or more 8709 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 8710 */ 8711 struct block * 8712 gen_mtp2type_abbrev(compiler_state_t *cstate, int type) 8713 { 8714 struct block *b0, *b1; 8715 8716 switch (type) { 8717 8718 case M_FISU: 8719 if ( (cstate->linktype != DLT_MTP2) && 8720 (cstate->linktype != DLT_ERF) && 8721 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8722 bpf_error(cstate, "'fisu' supported only on MTP2"); 8723 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 8724 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8725 break; 8726 8727 case M_LSSU: 8728 if ( (cstate->linktype != DLT_MTP2) && 8729 (cstate->linktype != DLT_ERF) && 8730 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8731 bpf_error(cstate, "'lssu' supported only on MTP2"); 8732 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8733 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8734 gen_and(b1, b0); 8735 break; 8736 8737 case M_MSU: 8738 if ( (cstate->linktype != DLT_MTP2) && 8739 (cstate->linktype != DLT_ERF) && 8740 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8741 bpf_error(cstate, "'msu' supported only on MTP2"); 8742 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8743 break; 8744 8745 case MH_FISU: 8746 if ( (cstate->linktype != DLT_MTP2) && 8747 (cstate->linktype != DLT_ERF) && 8748 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8749 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL"); 8750 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 8751 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 8752 break; 8753 8754 case MH_LSSU: 8755 if ( (cstate->linktype != DLT_MTP2) && 8756 (cstate->linktype != DLT_ERF) && 8757 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8758 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL"); 8759 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 8760 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 8761 gen_and(b1, b0); 8762 break; 8763 8764 case MH_MSU: 8765 if ( (cstate->linktype != DLT_MTP2) && 8766 (cstate->linktype != DLT_ERF) && 8767 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8768 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL"); 8769 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 8770 break; 8771 8772 default: 8773 abort(); 8774 } 8775 return b0; 8776 } 8777 8778 struct block * 8779 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, bpf_u_int32 jvalue, 8780 bpf_u_int32 jtype, int reverse) 8781 { 8782 struct block *b0; 8783 bpf_u_int32 val1 , val2 , val3; 8784 u_int newoff_sio = cstate->off_sio; 8785 u_int newoff_opc = cstate->off_opc; 8786 u_int newoff_dpc = cstate->off_dpc; 8787 u_int newoff_sls = cstate->off_sls; 8788 8789 switch (mtp3field) { 8790 8791 case MH_SIO: 8792 newoff_sio += 3; /* offset for MTP2_HSL */ 8793 /* FALLTHROUGH */ 8794 8795 case M_SIO: 8796 if (cstate->off_sio == (u_int)-1) 8797 bpf_error(cstate, "'sio' supported only on SS7"); 8798 /* sio coded on 1 byte so max value 255 */ 8799 if(jvalue > 255) 8800 bpf_error(cstate, "sio value %u too big; max value = 255", 8801 jvalue); 8802 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 8803 (u_int)jtype, reverse, (u_int)jvalue); 8804 break; 8805 8806 case MH_OPC: 8807 newoff_opc+=3; 8808 case M_OPC: 8809 if (cstate->off_opc == (u_int)-1) 8810 bpf_error(cstate, "'opc' supported only on SS7"); 8811 /* opc coded on 14 bits so max value 16383 */ 8812 if (jvalue > 16383) 8813 bpf_error(cstate, "opc value %u too big; max value = 16383", 8814 jvalue); 8815 /* the following instructions are made to convert jvalue 8816 * to the form used to write opc in an ss7 message*/ 8817 val1 = jvalue & 0x00003c00; 8818 val1 = val1 >>10; 8819 val2 = jvalue & 0x000003fc; 8820 val2 = val2 <<6; 8821 val3 = jvalue & 0x00000003; 8822 val3 = val3 <<22; 8823 jvalue = val1 + val2 + val3; 8824 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 8825 (u_int)jtype, reverse, (u_int)jvalue); 8826 break; 8827 8828 case MH_DPC: 8829 newoff_dpc += 3; 8830 /* FALLTHROUGH */ 8831 8832 case M_DPC: 8833 if (cstate->off_dpc == (u_int)-1) 8834 bpf_error(cstate, "'dpc' supported only on SS7"); 8835 /* dpc coded on 14 bits so max value 16383 */ 8836 if (jvalue > 16383) 8837 bpf_error(cstate, "dpc value %u too big; max value = 16383", 8838 jvalue); 8839 /* the following instructions are made to convert jvalue 8840 * to the forme used to write dpc in an ss7 message*/ 8841 val1 = jvalue & 0x000000ff; 8842 val1 = val1 << 24; 8843 val2 = jvalue & 0x00003f00; 8844 val2 = val2 << 8; 8845 jvalue = val1 + val2; 8846 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 8847 (u_int)jtype, reverse, (u_int)jvalue); 8848 break; 8849 8850 case MH_SLS: 8851 newoff_sls+=3; 8852 case M_SLS: 8853 if (cstate->off_sls == (u_int)-1) 8854 bpf_error(cstate, "'sls' supported only on SS7"); 8855 /* sls coded on 4 bits so max value 15 */ 8856 if (jvalue > 15) 8857 bpf_error(cstate, "sls value %u too big; max value = 15", 8858 jvalue); 8859 /* the following instruction is made to convert jvalue 8860 * to the forme used to write sls in an ss7 message*/ 8861 jvalue = jvalue << 4; 8862 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0, 8863 (u_int)jtype,reverse, (u_int)jvalue); 8864 break; 8865 8866 default: 8867 abort(); 8868 } 8869 return b0; 8870 } 8871 8872 static struct block * 8873 gen_msg_abbrev(compiler_state_t *cstate, int type) 8874 { 8875 struct block *b1; 8876 8877 /* 8878 * Q.2931 signalling protocol messages for handling virtual circuits 8879 * establishment and teardown 8880 */ 8881 switch (type) { 8882 8883 case A_SETUP: 8884 b1 = gen_atmfield_code(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0); 8885 break; 8886 8887 case A_CALLPROCEED: 8888 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8889 break; 8890 8891 case A_CONNECT: 8892 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8893 break; 8894 8895 case A_CONNECTACK: 8896 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8897 break; 8898 8899 case A_RELEASE: 8900 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8901 break; 8902 8903 case A_RELEASE_DONE: 8904 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8905 break; 8906 8907 default: 8908 abort(); 8909 } 8910 return b1; 8911 } 8912 8913 struct block * 8914 gen_atmmulti_abbrev(compiler_state_t *cstate, int type) 8915 { 8916 struct block *b0, *b1; 8917 8918 switch (type) { 8919 8920 case A_OAM: 8921 if (!cstate->is_atm) 8922 bpf_error(cstate, "'oam' supported only on raw ATM"); 8923 b1 = gen_atmmulti_abbrev(cstate, A_OAMF4); 8924 break; 8925 8926 case A_OAMF4: 8927 if (!cstate->is_atm) 8928 bpf_error(cstate, "'oamf4' supported only on raw ATM"); 8929 /* OAM F4 type */ 8930 b0 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0); 8931 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0); 8932 gen_or(b0, b1); 8933 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8934 gen_and(b0, b1); 8935 break; 8936 8937 case A_CONNECTMSG: 8938 /* 8939 * Get Q.2931 signalling messages for switched 8940 * virtual connection 8941 */ 8942 if (!cstate->is_atm) 8943 bpf_error(cstate, "'connectmsg' supported only on raw ATM"); 8944 b0 = gen_msg_abbrev(cstate, A_SETUP); 8945 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 8946 gen_or(b0, b1); 8947 b0 = gen_msg_abbrev(cstate, A_CONNECT); 8948 gen_or(b0, b1); 8949 b0 = gen_msg_abbrev(cstate, A_CONNECTACK); 8950 gen_or(b0, b1); 8951 b0 = gen_msg_abbrev(cstate, A_RELEASE); 8952 gen_or(b0, b1); 8953 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 8954 gen_or(b0, b1); 8955 b0 = gen_atmtype_abbrev(cstate, A_SC); 8956 gen_and(b0, b1); 8957 break; 8958 8959 case A_METACONNECT: 8960 if (!cstate->is_atm) 8961 bpf_error(cstate, "'metaconnect' supported only on raw ATM"); 8962 b0 = gen_msg_abbrev(cstate, A_SETUP); 8963 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 8964 gen_or(b0, b1); 8965 b0 = gen_msg_abbrev(cstate, A_CONNECT); 8966 gen_or(b0, b1); 8967 b0 = gen_msg_abbrev(cstate, A_RELEASE); 8968 gen_or(b0, b1); 8969 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 8970 gen_or(b0, b1); 8971 b0 = gen_atmtype_abbrev(cstate, A_METAC); 8972 gen_and(b0, b1); 8973 break; 8974 8975 default: 8976 abort(); 8977 } 8978 return b1; 8979 } 8980