1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <stdio.h> 27 #include <stddef.h> 28 #include <ctype.h> 29 #include <string.h> 30 #include <fcntl.h> 31 #include <string.h> 32 #include <sys/types.h> 33 #include <sys/time.h> 34 #include <sys/isa_defs.h> 35 36 #include <sys/socket.h> 37 #include <sys/vlan.h> 38 #include <net/if.h> 39 #include <netinet/in_systm.h> 40 #include <netinet/in.h> 41 #include <netinet/ip.h> 42 #include <netinet/if_ether.h> 43 #include <netinet/tcp.h> 44 #include <netinet/udp.h> 45 #include <inet/ip.h> 46 #include <inet/ip6.h> 47 #include <netdb.h> 48 #include <rpc/rpc.h> 49 #include <setjmp.h> 50 51 #include <sys/pfmod.h> 52 #include "snoop.h" 53 #include "snoop_vlan.h" 54 55 /* 56 * This module generates code for the kernel packet filter. 57 * The kernel packet filter is more efficient since it 58 * operates without context switching or moving data into 59 * the capture buffer. On the other hand, it is limited 60 * in its filtering ability i.e. can't cope with variable 61 * length headers, can't compare the packet size, 1 and 4 octet 62 * comparisons are awkward, code space is limited to ENMAXFILTERS 63 * halfwords, etc. 64 * The parser is the same for the user-level packet filter though 65 * more limited in the variety of expressions it can generate 66 * code for. If the pf compiler finds an expression it can't 67 * handle, it tries to set up a split filter in kernel and do the 68 * remaining filtering in userland. If that also fails, it resorts 69 * to userland filter. (See additional comment in pf_compile) 70 */ 71 72 extern struct Pf_ext_packetfilt pf; 73 static ushort_t *pfp; 74 jmp_buf env; 75 76 int eaddr; /* need ethernet addr */ 77 78 int opstack; /* operand stack depth */ 79 80 #define EQ(val) (strcmp(token, val) == 0) 81 #define IPV4_ONLY 0 82 #define IPV6_ONLY 1 83 #define IPV4_AND_IPV6 2 84 85 typedef struct { 86 int transport_protocol; 87 int network_protocol; 88 /* 89 * offset is the offset in bytes from the beginning 90 * of the network protocol header to where the transport 91 * protocol type is. 92 */ 93 int offset; 94 } transport_table_t; 95 96 typedef struct network_table { 97 char *nmt_name; 98 int nmt_val; 99 } network_table_t; 100 101 static network_table_t ether_network_mapping_table[] = { 102 { "pup", ETHERTYPE_PUP }, 103 { "ip", ETHERTYPE_IP }, 104 { "arp", ETHERTYPE_ARP }, 105 { "revarp", ETHERTYPE_REVARP }, 106 { "at", ETHERTYPE_AT }, 107 { "aarp", ETHERTYPE_AARP }, 108 { "vlan", ETHERTYPE_VLAN }, 109 { "ip6", ETHERTYPE_IPV6 }, 110 { "slow", ETHERTYPE_SLOW }, 111 { "ppoed", ETHERTYPE_PPPOED }, 112 { "ppoes", ETHERTYPE_PPPOES }, 113 { "NULL", -1 } 114 115 }; 116 117 static network_table_t ib_network_mapping_table[] = { 118 { "pup", ETHERTYPE_PUP }, 119 { "ip", ETHERTYPE_IP }, 120 { "arp", ETHERTYPE_ARP }, 121 { "revarp", ETHERTYPE_REVARP }, 122 { "at", ETHERTYPE_AT }, 123 { "aarp", ETHERTYPE_AARP }, 124 { "vlan", ETHERTYPE_VLAN }, 125 { "ip6", ETHERTYPE_IPV6 }, 126 { "slow", ETHERTYPE_SLOW }, 127 { "ppoed", ETHERTYPE_PPPOED }, 128 { "ppoes", ETHERTYPE_PPPOES }, 129 { "NULL", -1 } 130 131 }; 132 133 static network_table_t ipnet_network_mapping_table[] = { 134 { "ip", (DL_IPNETINFO_VERSION << 8 | AF_INET) }, 135 { "ip6", (DL_IPNETINFO_VERSION << 8 | AF_INET6) }, 136 { "NULL", -1 } 137 138 }; 139 140 static transport_table_t ether_transport_mapping_table[] = { 141 {IPPROTO_TCP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 142 {IPPROTO_TCP, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 143 {IPPROTO_UDP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 144 {IPPROTO_UDP, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 145 {IPPROTO_OSPF, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 146 {IPPROTO_OSPF, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 147 {IPPROTO_SCTP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 148 {IPPROTO_SCTP, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 149 {IPPROTO_ICMP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 150 {IPPROTO_ICMPV6, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 151 {IPPROTO_ENCAP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 152 {IPPROTO_ESP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 153 {IPPROTO_ESP, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 154 {IPPROTO_AH, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 155 {IPPROTO_AH, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 156 {-1, 0, 0} /* must be the final entry */ 157 }; 158 159 static transport_table_t ipnet_transport_mapping_table[] = { 160 {IPPROTO_TCP, (DL_IPNETINFO_VERSION << 8 | AF_INET), 161 IPV4_TYPE_HEADER_OFFSET}, 162 {IPPROTO_TCP, (DL_IPNETINFO_VERSION << 8 | AF_INET6), 163 IPV6_TYPE_HEADER_OFFSET}, 164 {IPPROTO_UDP, (DL_IPNETINFO_VERSION << 8 | AF_INET), 165 IPV4_TYPE_HEADER_OFFSET}, 166 {IPPROTO_UDP, (DL_IPNETINFO_VERSION << 8 | AF_INET6), 167 IPV6_TYPE_HEADER_OFFSET}, 168 {IPPROTO_OSPF, (DL_IPNETINFO_VERSION << 8 | AF_INET), 169 IPV4_TYPE_HEADER_OFFSET}, 170 {IPPROTO_OSPF, (DL_IPNETINFO_VERSION << 8 | AF_INET6), 171 IPV6_TYPE_HEADER_OFFSET}, 172 {IPPROTO_SCTP, (DL_IPNETINFO_VERSION << 8 | AF_INET), 173 IPV4_TYPE_HEADER_OFFSET}, 174 {IPPROTO_SCTP, (DL_IPNETINFO_VERSION << 8 | AF_INET6), 175 IPV6_TYPE_HEADER_OFFSET}, 176 {IPPROTO_ICMP, (DL_IPNETINFO_VERSION << 8 | AF_INET), 177 IPV4_TYPE_HEADER_OFFSET}, 178 {IPPROTO_ICMPV6, (DL_IPNETINFO_VERSION << 8 | AF_INET6), 179 IPV6_TYPE_HEADER_OFFSET}, 180 {IPPROTO_ENCAP, (DL_IPNETINFO_VERSION << 8 | AF_INET), 181 IPV4_TYPE_HEADER_OFFSET}, 182 {IPPROTO_ESP, (DL_IPNETINFO_VERSION << 8 | AF_INET), 183 IPV4_TYPE_HEADER_OFFSET}, 184 {IPPROTO_ESP, (DL_IPNETINFO_VERSION << 8 | AF_INET6), 185 IPV6_TYPE_HEADER_OFFSET}, 186 {IPPROTO_AH, (DL_IPNETINFO_VERSION << 8 | AF_INET), 187 IPV4_TYPE_HEADER_OFFSET}, 188 {IPPROTO_AH, (DL_IPNETINFO_VERSION << 8 | AF_INET6), 189 IPV6_TYPE_HEADER_OFFSET}, 190 {-1, 0, 0} /* must be the final entry */ 191 }; 192 193 static transport_table_t ib_transport_mapping_table[] = { 194 {IPPROTO_TCP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 195 {IPPROTO_TCP, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 196 {IPPROTO_UDP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 197 {IPPROTO_UDP, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 198 {IPPROTO_OSPF, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 199 {IPPROTO_OSPF, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 200 {IPPROTO_SCTP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 201 {IPPROTO_SCTP, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 202 {IPPROTO_ICMP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 203 {IPPROTO_ICMPV6, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 204 {IPPROTO_ENCAP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 205 {IPPROTO_ESP, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 206 {IPPROTO_ESP, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 207 {IPPROTO_AH, ETHERTYPE_IP, IPV4_TYPE_HEADER_OFFSET}, 208 {IPPROTO_AH, ETHERTYPE_IPV6, IPV6_TYPE_HEADER_OFFSET}, 209 {-1, 0, 0} /* must be the final entry */ 210 }; 211 212 typedef struct datalink { 213 uint_t dl_type; 214 void (*dl_match_fn)(uint_t datatype); 215 transport_table_t *dl_trans_map_tbl; 216 network_table_t *dl_net_map_tbl; 217 int dl_link_header_len; 218 int dl_link_type_offset; 219 int dl_link_dest_offset; 220 int dl_link_src_offset; 221 int dl_link_addr_len; 222 } datalink_t; 223 224 datalink_t dl; 225 226 #define IPV4_SRCADDR_OFFSET (dl.dl_link_header_len + 12) 227 #define IPV4_DSTADDR_OFFSET (dl.dl_link_header_len + 16) 228 #define IPV6_SRCADDR_OFFSET (dl.dl_link_header_len + 8) 229 #define IPV6_DSTADDR_OFFSET (dl.dl_link_header_len + 24) 230 231 #define IPNET_SRCZONE_OFFSET 16 232 #define IPNET_DSTZONE_OFFSET 20 233 234 static int inBrace = 0, inBraceOR = 0; 235 static int foundOR = 0; 236 char *tkp, *sav_tkp; 237 char *token; 238 enum { EOL, ALPHA, NUMBER, FIELD, ADDR_IP, ADDR_ETHER, SPECIAL, 239 ADDR_IP6 } tokentype; 240 uint_t tokenval; 241 242 enum direction { ANY, TO, FROM }; 243 enum direction dir; 244 245 extern void next(); 246 247 static void pf_expression(); 248 static void pf_check_vlan_tag(uint_t offset); 249 static void pf_clear_offset_register(); 250 static void pf_emit_load_offset(uint_t offset); 251 static void pf_match_ethertype(uint_t ethertype); 252 static void pf_match_ipnettype(uint_t type); 253 static void pf_match_ibtype(uint_t type); 254 static void pf_check_transport_protocol(uint_t transport_protocol); 255 static void pf_compare_value_mask_generic(int offset, uint_t len, 256 uint_t val, int mask, uint_t op); 257 static void pf_matchfn(const char *name); 258 259 /* 260 * This pointer points to the function that last generated 261 * instructions to change the offset register. It's used 262 * for comparisons to see if we need to issue more instructions 263 * to change the register. 264 * 265 * It's initialized to pf_clear_offset_register because the offset 266 * register in pfmod is initialized to zero, similar to the state 267 * it would be in after executing the instructions issued by 268 * pf_clear_offset_register. 269 */ 270 static void *last_offset_operation = (void*)pf_clear_offset_register; 271 272 static void 273 pf_emit(x) 274 ushort_t x; 275 { 276 if (pfp > &pf.Pf_Filter[PF_MAXFILTERS - 1]) 277 longjmp(env, 1); 278 *pfp++ = x; 279 } 280 281 static void 282 pf_codeprint(code, len) 283 ushort_t *code; 284 int len; 285 { 286 ushort_t *pc; 287 ushort_t *plast = code + len; 288 int op, action; 289 290 if (len > 0) { 291 printf("Kernel Filter:\n"); 292 } 293 294 for (pc = code; pc < plast; pc++) { 295 printf("\t%3d: ", pc - code); 296 297 op = *pc & 0xfc00; /* high 10 bits */ 298 action = *pc & 0x3ff; /* low 6 bits */ 299 300 switch (action) { 301 case ENF_PUSHLIT: 302 printf("PUSHLIT "); 303 break; 304 case ENF_PUSHZERO: 305 printf("PUSHZERO "); 306 break; 307 #ifdef ENF_PUSHONE 308 case ENF_PUSHONE: 309 printf("PUSHONE "); 310 break; 311 #endif 312 #ifdef ENF_PUSHFFFF 313 case ENF_PUSHFFFF: 314 printf("PUSHFFFF "); 315 break; 316 #endif 317 #ifdef ENF_PUSHFF00 318 case ENF_PUSHFF00: 319 printf("PUSHFF00 "); 320 break; 321 #endif 322 #ifdef ENF_PUSH00FF 323 case ENF_PUSH00FF: 324 printf("PUSH00FF "); 325 break; 326 #endif 327 case ENF_LOAD_OFFSET: 328 printf("LOAD_OFFSET "); 329 break; 330 case ENF_BRTR: 331 printf("BRTR "); 332 break; 333 case ENF_BRFL: 334 printf("BRFL "); 335 break; 336 case ENF_POP: 337 printf("POP "); 338 break; 339 } 340 341 if (action >= ENF_PUSHWORD) 342 printf("PUSHWORD %d ", action - ENF_PUSHWORD); 343 344 switch (op) { 345 case ENF_EQ: 346 printf("EQ "); 347 break; 348 case ENF_LT: 349 printf("LT "); 350 break; 351 case ENF_LE: 352 printf("LE "); 353 break; 354 case ENF_GT: 355 printf("GT "); 356 break; 357 case ENF_GE: 358 printf("GE "); 359 break; 360 case ENF_AND: 361 printf("AND "); 362 break; 363 case ENF_OR: 364 printf("OR "); 365 break; 366 case ENF_XOR: 367 printf("XOR "); 368 break; 369 case ENF_COR: 370 printf("COR "); 371 break; 372 case ENF_CAND: 373 printf("CAND "); 374 break; 375 case ENF_CNOR: 376 printf("CNOR "); 377 break; 378 case ENF_CNAND: 379 printf("CNAND "); 380 break; 381 case ENF_NEQ: 382 printf("NEQ "); 383 break; 384 } 385 386 if (action == ENF_PUSHLIT || 387 action == ENF_LOAD_OFFSET || 388 action == ENF_BRTR || 389 action == ENF_BRFL) { 390 pc++; 391 printf("\n\t%3d: %d (0x%04x)", pc - code, *pc, *pc); 392 } 393 394 printf("\n"); 395 } 396 } 397 398 /* 399 * Emit packet filter code to check a 400 * field in the packet for a particular value. 401 * Need different code for each field size. 402 * Since the pf can only compare 16 bit quantities 403 * we have to use masking to compare byte values. 404 * Long word (32 bit) quantities have to be done 405 * as two 16 bit comparisons. 406 */ 407 static void 408 pf_compare_value(int offset, uint_t len, uint_t val) 409 { 410 /* 411 * If the property being filtered on is absent in the media 412 * packet, error out. 413 */ 414 if (offset == -1) 415 pr_err("filter option unsupported on media"); 416 417 switch (len) { 418 case 1: 419 pf_emit(ENF_PUSHWORD + offset / 2); 420 #if defined(_BIG_ENDIAN) 421 if (offset % 2) 422 #else 423 if (!(offset % 2)) 424 #endif 425 { 426 #ifdef ENF_PUSH00FF 427 pf_emit(ENF_PUSH00FF | ENF_AND); 428 #else 429 pf_emit(ENF_PUSHLIT | ENF_AND); 430 pf_emit(0x00FF); 431 #endif 432 pf_emit(ENF_PUSHLIT | ENF_EQ); 433 pf_emit(val); 434 } else { 435 #ifdef ENF_PUSHFF00 436 pf_emit(ENF_PUSHFF00 | ENF_AND); 437 #else 438 pf_emit(ENF_PUSHLIT | ENF_AND); 439 pf_emit(0xFF00); 440 #endif 441 pf_emit(ENF_PUSHLIT | ENF_EQ); 442 pf_emit(val << 8); 443 } 444 break; 445 446 case 2: 447 pf_emit(ENF_PUSHWORD + offset / 2); 448 pf_emit(ENF_PUSHLIT | ENF_EQ); 449 pf_emit((ushort_t)val); 450 break; 451 452 case 4: 453 pf_emit(ENF_PUSHWORD + offset / 2); 454 pf_emit(ENF_PUSHLIT | ENF_EQ); 455 #if defined(_BIG_ENDIAN) 456 pf_emit(val >> 16); 457 #elif defined(_LITTLE_ENDIAN) 458 pf_emit(val & 0xffff); 459 #else 460 #error One of _BIG_ENDIAN and _LITTLE_ENDIAN must be defined 461 #endif 462 pf_emit(ENF_PUSHWORD + (offset / 2) + 1); 463 pf_emit(ENF_PUSHLIT | ENF_EQ); 464 #if defined(_BIG_ENDIAN) 465 pf_emit(val & 0xffff); 466 #else 467 pf_emit(val >> 16); 468 #endif 469 pf_emit(ENF_AND); 470 break; 471 } 472 } 473 474 /* 475 * same as pf_compare_value, but only for emiting code to 476 * compare ipv6 addresses. 477 */ 478 static void 479 pf_compare_value_v6(int offset, uint_t len, struct in6_addr val) 480 { 481 int i; 482 483 for (i = 0; i < len; i += 2) { 484 pf_emit(ENF_PUSHWORD + offset / 2 + i / 2); 485 pf_emit(ENF_PUSHLIT | ENF_EQ); 486 pf_emit(*(uint16_t *)&val.s6_addr[i]); 487 if (i != 0) 488 pf_emit(ENF_AND); 489 } 490 } 491 492 493 /* 494 * Same as above except mask the field value 495 * before doing the comparison. The comparison checks 496 * to make sure the values are equal. 497 */ 498 static void 499 pf_compare_value_mask(int offset, uint_t len, uint_t val, int mask) 500 { 501 pf_compare_value_mask_generic(offset, len, val, mask, ENF_EQ); 502 } 503 504 /* 505 * Same as above except the values are compared to see if they are not 506 * equal. 507 */ 508 static void 509 pf_compare_value_mask_neq(int offset, uint_t len, uint_t val, int mask) 510 { 511 pf_compare_value_mask_generic(offset, len, val, mask, ENF_NEQ); 512 } 513 514 /* 515 * Similar to pf_compare_value. 516 * 517 * This is the utility function that does the actual work to compare 518 * two values using a mask. The comparison operation is passed into 519 * the function. 520 */ 521 static void 522 pf_compare_value_mask_generic(int offset, uint_t len, uint_t val, int mask, 523 uint_t op) 524 { 525 /* 526 * If the property being filtered on is absent in the media 527 * packet, error out. 528 */ 529 if (offset == -1) 530 pr_err("filter option unsupported on media"); 531 532 switch (len) { 533 case 1: 534 pf_emit(ENF_PUSHWORD + offset / 2); 535 #if defined(_BIG_ENDIAN) 536 if (offset % 2) 537 #else 538 if (!offset % 2) 539 #endif 540 { 541 pf_emit(ENF_PUSHLIT | ENF_AND); 542 pf_emit(mask & 0x00ff); 543 pf_emit(ENF_PUSHLIT | op); 544 pf_emit(val); 545 } else { 546 pf_emit(ENF_PUSHLIT | ENF_AND); 547 pf_emit((mask << 8) & 0xff00); 548 pf_emit(ENF_PUSHLIT | op); 549 pf_emit(val << 8); 550 } 551 break; 552 553 case 2: 554 pf_emit(ENF_PUSHWORD + offset / 2); 555 pf_emit(ENF_PUSHLIT | ENF_AND); 556 pf_emit(htons((ushort_t)mask)); 557 pf_emit(ENF_PUSHLIT | op); 558 pf_emit(htons((ushort_t)val)); 559 break; 560 561 case 4: 562 pf_emit(ENF_PUSHWORD + offset / 2); 563 pf_emit(ENF_PUSHLIT | ENF_AND); 564 pf_emit(htons((ushort_t)((mask >> 16) & 0xffff))); 565 pf_emit(ENF_PUSHLIT | op); 566 pf_emit(htons((ushort_t)((val >> 16) & 0xffff))); 567 568 pf_emit(ENF_PUSHWORD + (offset / 2) + 1); 569 pf_emit(ENF_PUSHLIT | ENF_AND); 570 pf_emit(htons((ushort_t)(mask & 0xffff))); 571 pf_emit(ENF_PUSHLIT | op); 572 pf_emit(htons((ushort_t)(val & 0xffff))); 573 574 pf_emit(ENF_AND); 575 break; 576 } 577 } 578 579 /* 580 * Like pf_compare_value() but compare on a 32-bit zoneid value. 581 * The argument val passed in is in network byte order. 582 */ 583 static void 584 pf_compare_zoneid(int offset, uint32_t val) 585 { 586 int i; 587 588 for (i = 0; i < sizeof (uint32_t) / 2; i ++) { 589 pf_emit(ENF_PUSHWORD + offset / 2 + i); 590 pf_emit(ENF_PUSHLIT | ENF_EQ); 591 pf_emit(((uint16_t *)&val)[i]); 592 if (i != 0) 593 pf_emit(ENF_AND); 594 } 595 } 596 597 /* 598 * Generate pf code to match an IPv4 or IPv6 address. 599 */ 600 static void 601 pf_ipaddr_match(which, hostname, inet_type) 602 enum direction which; 603 char *hostname; 604 int inet_type; 605 { 606 bool_t found_host; 607 uint_t *addr4ptr; 608 uint_t addr4; 609 struct in6_addr *addr6ptr; 610 int h_addr_index; 611 struct hostent *hp = NULL; 612 int error_num = 0; 613 boolean_t first = B_TRUE; 614 int pass = 0; 615 int i; 616 617 /* 618 * The addr4offset and addr6offset variables simplify the code which 619 * generates the address comparison filter. With these two variables, 620 * duplicate code need not exist for the TO and FROM case. 621 * A value of -1 describes the ANY case (TO and FROM). 622 */ 623 int addr4offset; 624 int addr6offset; 625 626 found_host = 0; 627 628 if (tokentype == ADDR_IP) { 629 hp = getipnodebyname(hostname, AF_INET, 0, &error_num); 630 if (hp == NULL) { 631 if (error_num == TRY_AGAIN) { 632 pr_err("could not resolve %s (try again later)", 633 hostname); 634 } else { 635 pr_err("could not resolve %s", hostname); 636 } 637 } 638 inet_type = IPV4_ONLY; 639 } else if (tokentype == ADDR_IP6) { 640 hp = getipnodebyname(hostname, AF_INET6, 0, &error_num); 641 if (hp == NULL) { 642 if (error_num == TRY_AGAIN) { 643 pr_err("could not resolve %s (try again later)", 644 hostname); 645 } else { 646 pr_err("could not resolve %s", hostname); 647 } 648 } 649 inet_type = IPV6_ONLY; 650 } else if (tokentype == ALPHA) { 651 /* Some hostname i.e. tokentype is ALPHA */ 652 switch (inet_type) { 653 case IPV4_ONLY: 654 /* Only IPv4 address is needed */ 655 hp = getipnodebyname(hostname, AF_INET, 0, &error_num); 656 if (hp != NULL) { 657 found_host = 1; 658 } 659 break; 660 case IPV6_ONLY: 661 /* Only IPv6 address is needed */ 662 hp = getipnodebyname(hostname, AF_INET6, 0, &error_num); 663 if (hp != NULL) { 664 found_host = 1; 665 } 666 break; 667 case IPV4_AND_IPV6: 668 /* Both IPv4 and IPv6 are needed */ 669 hp = getipnodebyname(hostname, AF_INET6, 670 AI_ALL | AI_V4MAPPED, &error_num); 671 if (hp != NULL) { 672 found_host = 1; 673 } 674 break; 675 default: 676 found_host = 0; 677 } 678 679 if (!found_host) { 680 if (error_num == TRY_AGAIN) { 681 pr_err("could not resolve %s (try again later)", 682 hostname); 683 } else { 684 pr_err("could not resolve %s", hostname); 685 } 686 } 687 } else { 688 pr_err("unknown token type: %s", hostname); 689 } 690 691 switch (which) { 692 case TO: 693 addr4offset = IPV4_DSTADDR_OFFSET; 694 addr6offset = IPV6_DSTADDR_OFFSET; 695 break; 696 case FROM: 697 addr4offset = IPV4_SRCADDR_OFFSET; 698 addr6offset = IPV6_SRCADDR_OFFSET; 699 break; 700 case ANY: 701 addr4offset = -1; 702 addr6offset = -1; 703 break; 704 } 705 706 if (hp != NULL && hp->h_addrtype == AF_INET) { 707 pf_matchfn("ip"); 708 if (dl.dl_type == DL_ETHER) 709 pf_check_vlan_tag(ENCAP_ETHERTYPE_OFF/2); 710 h_addr_index = 0; 711 addr4ptr = (uint_t *)hp->h_addr_list[h_addr_index]; 712 while (addr4ptr != NULL) { 713 if (addr4offset == -1) { 714 pf_compare_value(IPV4_SRCADDR_OFFSET, 4, 715 *addr4ptr); 716 if (h_addr_index != 0) 717 pf_emit(ENF_OR); 718 pf_compare_value(IPV4_DSTADDR_OFFSET, 4, 719 *addr4ptr); 720 pf_emit(ENF_OR); 721 } else { 722 pf_compare_value(addr4offset, 4, 723 *addr4ptr); 724 if (h_addr_index != 0) 725 pf_emit(ENF_OR); 726 } 727 addr4ptr = (uint_t *)hp->h_addr_list[++h_addr_index]; 728 } 729 pf_emit(ENF_AND); 730 } else { 731 /* first pass: IPv4 addresses */ 732 h_addr_index = 0; 733 addr6ptr = (struct in6_addr *)hp->h_addr_list[h_addr_index]; 734 first = B_TRUE; 735 while (addr6ptr != NULL) { 736 if (IN6_IS_ADDR_V4MAPPED(addr6ptr)) { 737 if (first) { 738 pf_matchfn("ip"); 739 if (dl.dl_type == DL_ETHER) { 740 pf_check_vlan_tag( 741 ENCAP_ETHERTYPE_OFF/2); 742 } 743 pass++; 744 } 745 IN6_V4MAPPED_TO_INADDR(addr6ptr, 746 (struct in_addr *)&addr4); 747 if (addr4offset == -1) { 748 pf_compare_value(IPV4_SRCADDR_OFFSET, 4, 749 addr4); 750 if (!first) 751 pf_emit(ENF_OR); 752 pf_compare_value(IPV4_DSTADDR_OFFSET, 4, 753 addr4); 754 pf_emit(ENF_OR); 755 } else { 756 pf_compare_value(addr4offset, 4, 757 addr4); 758 if (!first) 759 pf_emit(ENF_OR); 760 } 761 if (first) 762 first = B_FALSE; 763 } 764 addr6ptr = (struct in6_addr *) 765 hp->h_addr_list[++h_addr_index]; 766 } 767 if (!first) { 768 pf_emit(ENF_AND); 769 } 770 /* second pass: IPv6 addresses */ 771 h_addr_index = 0; 772 addr6ptr = (struct in6_addr *)hp->h_addr_list[h_addr_index]; 773 first = B_TRUE; 774 while (addr6ptr != NULL) { 775 if (!IN6_IS_ADDR_V4MAPPED(addr6ptr)) { 776 if (first) { 777 pf_matchfn("ip6"); 778 if (dl.dl_type == DL_ETHER) { 779 pf_check_vlan_tag( 780 ENCAP_ETHERTYPE_OFF/2); 781 } 782 pass++; 783 } 784 if (addr6offset == -1) { 785 pf_compare_value_v6(IPV6_SRCADDR_OFFSET, 786 16, *addr6ptr); 787 if (!first) 788 pf_emit(ENF_OR); 789 pf_compare_value_v6(IPV6_DSTADDR_OFFSET, 790 16, *addr6ptr); 791 pf_emit(ENF_OR); 792 } else { 793 pf_compare_value_v6(addr6offset, 16, 794 *addr6ptr); 795 if (!first) 796 pf_emit(ENF_OR); 797 } 798 if (first) 799 first = B_FALSE; 800 } 801 addr6ptr = (struct in6_addr *) 802 hp->h_addr_list[++h_addr_index]; 803 } 804 if (!first) { 805 pf_emit(ENF_AND); 806 } 807 if (pass == 2) { 808 pf_emit(ENF_OR); 809 } 810 } 811 812 if (hp != NULL) { 813 freehostent(hp); 814 } 815 } 816 817 818 static void 819 pf_compare_address(int offset, uint_t len, uchar_t *addr) 820 { 821 uint32_t val; 822 uint16_t sval; 823 boolean_t didone = B_FALSE; 824 825 /* 826 * If the property being filtered on is absent in the media 827 * packet, error out. 828 */ 829 if (offset == -1) 830 pr_err("filter option unsupported on media"); 831 832 while (len > 0) { 833 if (len >= 4) { 834 (void) memcpy(&val, addr, 4); 835 pf_compare_value(offset, 4, val); 836 addr += 4; 837 offset += 4; 838 len -= 4; 839 } else if (len >= 2) { 840 (void) memcpy(&sval, addr, 2); 841 pf_compare_value(offset, 2, sval); 842 addr += 2; 843 offset += 2; 844 len -= 2; 845 } else { 846 pf_compare_value(offset++, 1, *addr++); 847 len--; 848 } 849 if (didone) 850 pf_emit(ENF_AND); 851 didone = B_TRUE; 852 } 853 } 854 855 /* 856 * Compare ethernet addresses. 857 */ 858 static void 859 pf_etheraddr_match(which, hostname) 860 enum direction which; 861 char *hostname; 862 { 863 struct ether_addr e, *ep = NULL; 864 865 if (isxdigit(*hostname)) 866 ep = ether_aton(hostname); 867 if (ep == NULL) { 868 if (ether_hostton(hostname, &e)) 869 if (!arp_for_ether(hostname, &e)) 870 pr_err("cannot obtain ether addr for %s", 871 hostname); 872 ep = &e; 873 } 874 875 pf_clear_offset_register(); 876 877 switch (which) { 878 case TO: 879 pf_compare_address(dl.dl_link_dest_offset, dl.dl_link_addr_len, 880 (uchar_t *)ep); 881 break; 882 case FROM: 883 pf_compare_address(dl.dl_link_src_offset, dl.dl_link_addr_len, 884 (uchar_t *)ep); 885 break; 886 case ANY: 887 pf_compare_address(dl.dl_link_dest_offset, dl.dl_link_addr_len, 888 (uchar_t *)ep); 889 pf_compare_address(dl.dl_link_src_offset, dl.dl_link_addr_len, 890 (uchar_t *)ep); 891 pf_emit(ENF_OR); 892 break; 893 } 894 } 895 896 /* 897 * Emit code to compare the network part of 898 * an IP address. 899 */ 900 static void 901 pf_netaddr_match(which, netname) 902 enum direction which; 903 char *netname; 904 { 905 uint_t addr; 906 uint_t mask = 0xff000000; 907 struct netent *np; 908 909 if (isdigit(*netname)) { 910 addr = inet_network(netname); 911 } else { 912 np = getnetbyname(netname); 913 if (np == NULL) 914 pr_err("net %s not known", netname); 915 addr = np->n_net; 916 } 917 918 /* 919 * Left justify the address and figure 920 * out a mask based on the supplied address. 921 * Set the mask according to the number of zero 922 * low-order bytes. 923 * Note: this works only for whole octet masks. 924 */ 925 if (addr) { 926 while ((addr & ~mask) != 0) { 927 mask |= (mask >> 8); 928 } 929 } 930 931 pf_check_vlan_tag(ENCAP_ETHERTYPE_OFF/2); 932 933 switch (which) { 934 case TO: 935 pf_compare_value_mask(IPV4_DSTADDR_OFFSET, 4, addr, mask); 936 break; 937 case FROM: 938 pf_compare_value_mask(IPV4_SRCADDR_OFFSET, 4, addr, mask); 939 break; 940 case ANY: 941 pf_compare_value_mask(IPV4_SRCADDR_OFFSET, 4, addr, mask); 942 pf_compare_value_mask(IPV4_DSTADDR_OFFSET, 4, addr, mask); 943 pf_emit(ENF_OR); 944 break; 945 } 946 } 947 948 /* 949 * Emit code to match on src or destination zoneid. 950 * The zoneid passed in is in network byte order. 951 */ 952 static void 953 pf_match_zone(enum direction which, uint32_t zoneid) 954 { 955 if (dl.dl_type != DL_IPNET) 956 pr_err("zone filter option unsupported on media"); 957 958 switch (which) { 959 case TO: 960 pf_compare_zoneid(IPNET_DSTZONE_OFFSET, zoneid); 961 break; 962 case FROM: 963 pf_compare_zoneid(IPNET_SRCZONE_OFFSET, zoneid); 964 break; 965 case ANY: 966 pf_compare_zoneid(IPNET_SRCZONE_OFFSET, zoneid); 967 pf_compare_zoneid(IPNET_DSTZONE_OFFSET, zoneid); 968 pf_emit(ENF_OR); 969 break; 970 } 971 } 972 973 /* 974 * A helper function to keep the code to emit instructions 975 * to change the offset register in one place. 976 * 977 * INPUTS: offset - An value representing an offset in 16-bit 978 * words. 979 * OUTPUTS: If there is enough room in the storage for the 980 * packet filtering program, instructions to load 981 * a constant to the offset register. Otherwise, 982 * nothing. 983 */ 984 static void 985 pf_emit_load_offset(uint_t offset) 986 { 987 pf_emit(ENF_LOAD_OFFSET | ENF_NOP); 988 pf_emit(offset); 989 } 990 991 /* 992 * Clear pfmod's offset register. 993 * 994 * INPUTS: none 995 * OUTPUTS: Instructions to clear the offset register if 996 * there is enough space remaining in the packet 997 * filtering program structure's storage, and 998 * the last thing done to the offset register was 999 * not clearing the offset register. Otherwise, 1000 * nothing. 1001 */ 1002 static void 1003 pf_clear_offset_register() 1004 { 1005 if (last_offset_operation != (void*)pf_clear_offset_register) { 1006 pf_emit_load_offset(0); 1007 last_offset_operation = (void*)pf_clear_offset_register; 1008 } 1009 } 1010 1011 /* 1012 * This function will issue opcodes to check if a packet 1013 * is VLAN tagged, and if so, update the offset register 1014 * with the appropriate offset. 1015 * 1016 * Note that if the packet is not VLAN tagged, then the offset 1017 * register will be cleared. 1018 * 1019 * If the interface type is not an ethernet type, then this 1020 * function returns without doing anything. 1021 * 1022 * If the last attempt to change the offset register occured because 1023 * of a call to this function that was called with the same offset, 1024 * then we don't issue packet filtering instructions. 1025 * 1026 * INPUTS: offset - an offset in 16 bit words. The function 1027 * will set the offset register to this 1028 * value if the packet is VLAN tagged. 1029 * OUTPUTS: If the conditions are met, packet filtering instructions. 1030 */ 1031 static void 1032 pf_check_vlan_tag(uint_t offset) 1033 { 1034 static uint_t last_offset = 0; 1035 1036 if ((interface->mac_type == DL_ETHER || 1037 interface->mac_type == DL_CSMACD) && 1038 (last_offset_operation != (void*)pf_check_vlan_tag || 1039 last_offset != offset)) { 1040 /* 1041 * First thing is to clear the offset register. 1042 * We don't know what state it is in, and if it 1043 * is not zero, then we have no idea what we load 1044 * when we execute ENF_PUSHWORD. 1045 */ 1046 pf_clear_offset_register(); 1047 1048 /* 1049 * Check the ethertype. 1050 */ 1051 pf_compare_value(dl.dl_link_type_offset, 2, 1052 htons(ETHERTYPE_VLAN)); 1053 1054 /* 1055 * And if it's not VLAN, don't load offset to the offset 1056 * register. 1057 */ 1058 pf_emit(ENF_BRFL | ENF_NOP); 1059 pf_emit(3); 1060 1061 /* 1062 * Otherwise, load offset to the offset register. 1063 */ 1064 pf_emit_load_offset(offset); 1065 1066 /* 1067 * Now get rid of the results of the comparison, 1068 * we don't want the results of the comparison to affect 1069 * other logic in the packet filtering program. 1070 */ 1071 pf_emit(ENF_POP | ENF_NOP); 1072 1073 /* 1074 * Set the last operation at the end, or any time 1075 * after the call to pf_clear_offset because 1076 * pf_clear_offset uses it. 1077 */ 1078 last_offset_operation = (void*)pf_check_vlan_tag; 1079 last_offset = offset; 1080 } 1081 } 1082 1083 /* 1084 * Utility function used to emit packet filtering code 1085 * to match an ethertype. 1086 * 1087 * INPUTS: ethertype - The ethertype we want to check for. 1088 * Don't call htons on the ethertype before 1089 * calling this function. 1090 * OUTPUTS: If there is sufficient storage available, packet 1091 * filtering code to check an ethertype. Otherwise, 1092 * nothing. 1093 */ 1094 static void 1095 pf_match_ethertype(uint_t ethertype) 1096 { 1097 /* 1098 * If the user wants to filter on ethertype VLAN, 1099 * then clear the offset register so that the offset 1100 * for ENF_PUSHWORD points to the right place in the 1101 * packet. 1102 * 1103 * Otherwise, call pf_check_vlan_tag to set the offset 1104 * register such that the contents of the offset register 1105 * plus the argument for ENF_PUSHWORD point to the right 1106 * part of the packet, whether or not the packet is VLAN 1107 * tagged. We call pf_check_vlan_tag with an offset of 1108 * two words because if the packet is VLAN tagged, we have 1109 * to move past the ethertype in the ethernet header, and 1110 * past the lower two octets of the VLAN header to get to 1111 * the ethertype in the VLAN header. 1112 */ 1113 if (ethertype == ETHERTYPE_VLAN) 1114 pf_clear_offset_register(); 1115 else 1116 pf_check_vlan_tag(2); 1117 1118 pf_compare_value(dl.dl_link_type_offset, 2, htons(ethertype)); 1119 } 1120 1121 static void 1122 pf_match_ipnettype(uint_t type) 1123 { 1124 pf_compare_value(dl.dl_link_type_offset, 2, htons(type)); 1125 } 1126 1127 static void 1128 pf_match_ibtype(uint_t type) 1129 { 1130 pf_compare_value(dl.dl_link_type_offset, 2, htons(type)); 1131 } 1132 1133 /* 1134 * This function uses the table above to generate a 1135 * piece of a packet filtering program to check a transport 1136 * protocol type. 1137 * 1138 * INPUTS: tranport_protocol - the transport protocol we're 1139 * interested in. 1140 * OUTPUTS: If there is sufficient storage, then packet filtering 1141 * code to check a transport protocol type. Otherwise, 1142 * nothing. 1143 */ 1144 static void 1145 pf_check_transport_protocol(uint_t transport_protocol) 1146 { 1147 int i; 1148 uint_t number_of_matches = 0; 1149 1150 for (i = 0; dl.dl_trans_map_tbl[i].transport_protocol != -1; i++) { 1151 if (transport_protocol == 1152 (uint_t)dl.dl_trans_map_tbl[i].transport_protocol) { 1153 number_of_matches++; 1154 dl.dl_match_fn(dl.dl_trans_map_tbl[i].network_protocol); 1155 pf_check_vlan_tag(ENCAP_ETHERTYPE_OFF/2); 1156 pf_compare_value(dl.dl_trans_map_tbl[i].offset + 1157 dl.dl_link_header_len, 1, 1158 transport_protocol); 1159 pf_emit(ENF_AND); 1160 if (number_of_matches > 1) { 1161 /* 1162 * Since we have two or more matches, in 1163 * order to have a correct and complete 1164 * program we need to OR the result of 1165 * each block of comparisons together. 1166 */ 1167 pf_emit(ENF_OR); 1168 } 1169 } 1170 } 1171 } 1172 1173 static void 1174 pf_matchfn(const char *proto) 1175 { 1176 int i; 1177 1178 for (i = 0; dl.dl_net_map_tbl[i].nmt_val != -1; i++) { 1179 if (strcmp(proto, dl.dl_net_map_tbl[i].nmt_name) == 0) { 1180 dl.dl_match_fn(dl.dl_net_map_tbl[i].nmt_val); 1181 break; 1182 } 1183 } 1184 } 1185 1186 static void 1187 pf_primary() 1188 { 1189 for (;;) { 1190 if (tokentype == FIELD) 1191 break; 1192 1193 if (EQ("ip")) { 1194 pf_matchfn("ip"); 1195 opstack++; 1196 next(); 1197 break; 1198 } 1199 1200 if (EQ("ip6")) { 1201 pf_matchfn("ip6"); 1202 opstack++; 1203 next(); 1204 break; 1205 } 1206 1207 if (EQ("pppoe")) { 1208 pf_matchfn("pppoe"); 1209 pf_match_ethertype(ETHERTYPE_PPPOES); 1210 pf_emit(ENF_OR); 1211 opstack++; 1212 next(); 1213 break; 1214 } 1215 1216 if (EQ("pppoed")) { 1217 pf_matchfn("pppoed"); 1218 opstack++; 1219 next(); 1220 break; 1221 } 1222 1223 if (EQ("pppoes")) { 1224 pf_matchfn("pppoes"); 1225 opstack++; 1226 next(); 1227 break; 1228 } 1229 1230 if (EQ("arp")) { 1231 pf_matchfn("arp"); 1232 opstack++; 1233 next(); 1234 break; 1235 } 1236 1237 if (EQ("vlan")) { 1238 pf_matchfn("vlan"); 1239 pf_compare_value_mask_neq(VLAN_ID_OFFSET, 2, 1240 0, VLAN_ID_MASK); 1241 pf_emit(ENF_AND); 1242 opstack++; 1243 next(); 1244 break; 1245 } 1246 1247 if (EQ("vlan-id")) { 1248 next(); 1249 if (tokentype != NUMBER) 1250 pr_err("VLAN ID expected"); 1251 pf_matchfn("vlan-id"); 1252 pf_compare_value_mask(VLAN_ID_OFFSET, 2, tokenval, 1253 VLAN_ID_MASK); 1254 pf_emit(ENF_AND); 1255 opstack++; 1256 next(); 1257 break; 1258 } 1259 1260 if (EQ("rarp")) { 1261 pf_matchfn("rarp"); 1262 opstack++; 1263 next(); 1264 break; 1265 } 1266 1267 if (EQ("tcp")) { 1268 pf_check_transport_protocol(IPPROTO_TCP); 1269 opstack++; 1270 next(); 1271 break; 1272 } 1273 1274 if (EQ("udp")) { 1275 pf_check_transport_protocol(IPPROTO_UDP); 1276 opstack++; 1277 next(); 1278 break; 1279 } 1280 1281 if (EQ("ospf")) { 1282 pf_check_transport_protocol(IPPROTO_OSPF); 1283 opstack++; 1284 next(); 1285 break; 1286 } 1287 1288 1289 if (EQ("sctp")) { 1290 pf_check_transport_protocol(IPPROTO_SCTP); 1291 opstack++; 1292 next(); 1293 break; 1294 } 1295 1296 if (EQ("icmp")) { 1297 pf_check_transport_protocol(IPPROTO_ICMP); 1298 opstack++; 1299 next(); 1300 break; 1301 } 1302 1303 if (EQ("icmp6")) { 1304 pf_check_transport_protocol(IPPROTO_ICMPV6); 1305 opstack++; 1306 next(); 1307 break; 1308 } 1309 1310 if (EQ("ip-in-ip")) { 1311 pf_check_transport_protocol(IPPROTO_ENCAP); 1312 opstack++; 1313 next(); 1314 break; 1315 } 1316 1317 if (EQ("esp")) { 1318 pf_check_transport_protocol(IPPROTO_ESP); 1319 opstack++; 1320 next(); 1321 break; 1322 } 1323 1324 if (EQ("ah")) { 1325 pf_check_transport_protocol(IPPROTO_AH); 1326 opstack++; 1327 next(); 1328 break; 1329 } 1330 1331 if (EQ("(")) { 1332 inBrace++; 1333 next(); 1334 pf_expression(); 1335 if (EQ(")")) { 1336 if (inBrace) 1337 inBraceOR--; 1338 inBrace--; 1339 next(); 1340 } 1341 break; 1342 } 1343 1344 if (EQ("to") || EQ("dst")) { 1345 dir = TO; 1346 next(); 1347 continue; 1348 } 1349 1350 if (EQ("from") || EQ("src")) { 1351 dir = FROM; 1352 next(); 1353 continue; 1354 } 1355 1356 if (EQ("ether")) { 1357 eaddr = 1; 1358 next(); 1359 continue; 1360 } 1361 1362 if (EQ("inet")) { 1363 next(); 1364 if (EQ("host")) 1365 next(); 1366 if (tokentype != ALPHA && tokentype != ADDR_IP) 1367 pr_err("host/IPv4 addr expected after inet"); 1368 pf_ipaddr_match(dir, token, IPV4_ONLY); 1369 opstack++; 1370 next(); 1371 break; 1372 } 1373 1374 if (EQ("inet6")) { 1375 next(); 1376 if (EQ("host")) 1377 next(); 1378 if (tokentype != ALPHA && tokentype != ADDR_IP6) 1379 pr_err("host/IPv6 addr expected after inet6"); 1380 pf_ipaddr_match(dir, token, IPV6_ONLY); 1381 opstack++; 1382 next(); 1383 break; 1384 } 1385 1386 if (EQ("proto")) { 1387 next(); 1388 if (tokentype != NUMBER) 1389 pr_err("IP proto type expected"); 1390 pf_check_vlan_tag(ENCAP_ETHERTYPE_OFF/2); 1391 pf_compare_value( 1392 IPV4_TYPE_HEADER_OFFSET + dl.dl_link_header_len, 1, 1393 tokenval); 1394 opstack++; 1395 next(); 1396 break; 1397 } 1398 1399 if (EQ("broadcast")) { 1400 pf_clear_offset_register(); 1401 pf_compare_value(dl.dl_link_dest_offset, 4, 0xffffffff); 1402 opstack++; 1403 next(); 1404 break; 1405 } 1406 1407 if (EQ("multicast")) { 1408 pf_clear_offset_register(); 1409 pf_compare_value_mask( 1410 dl.dl_link_dest_offset, 1, 0x01, 0x01); 1411 opstack++; 1412 next(); 1413 break; 1414 } 1415 1416 if (EQ("ethertype")) { 1417 next(); 1418 if (tokentype != NUMBER) 1419 pr_err("ether type expected"); 1420 pf_match_ethertype(tokenval); 1421 opstack++; 1422 next(); 1423 break; 1424 } 1425 1426 if (EQ("net") || EQ("dstnet") || EQ("srcnet")) { 1427 if (EQ("dstnet")) 1428 dir = TO; 1429 else if (EQ("srcnet")) 1430 dir = FROM; 1431 next(); 1432 pf_netaddr_match(dir, token); 1433 dir = ANY; 1434 opstack++; 1435 next(); 1436 break; 1437 } 1438 1439 if (EQ("zone")) { 1440 next(); 1441 if (tokentype != NUMBER) 1442 pr_err("zoneid expected after inet"); 1443 pf_match_zone(dir, BE_32((uint32_t)(tokenval))); 1444 opstack++; 1445 next(); 1446 break; 1447 } 1448 1449 /* 1450 * Give up on anything that's obviously 1451 * not a primary. 1452 */ 1453 if (EQ("and") || EQ("or") || 1454 EQ("not") || EQ("decnet") || EQ("apple") || 1455 EQ("length") || EQ("less") || EQ("greater") || 1456 EQ("port") || EQ("srcport") || EQ("dstport") || 1457 EQ("rpc") || EQ("gateway") || EQ("nofrag") || 1458 EQ("bootp") || EQ("dhcp") || EQ("dhcp6") || 1459 EQ("slp") || EQ("ldap")) { 1460 break; 1461 } 1462 1463 if (EQ("host") || EQ("between") || 1464 tokentype == ALPHA || /* assume its a hostname */ 1465 tokentype == ADDR_IP || 1466 tokentype == ADDR_IP6 || 1467 tokentype == ADDR_ETHER) { 1468 if (EQ("host") || EQ("between")) 1469 next(); 1470 if (eaddr || tokentype == ADDR_ETHER) { 1471 pf_etheraddr_match(dir, token); 1472 } else if (tokentype == ALPHA) { 1473 pf_ipaddr_match(dir, token, IPV4_AND_IPV6); 1474 } else if (tokentype == ADDR_IP) { 1475 pf_ipaddr_match(dir, token, IPV4_ONLY); 1476 } else { 1477 pf_ipaddr_match(dir, token, IPV6_ONLY); 1478 } 1479 dir = ANY; 1480 eaddr = 0; 1481 opstack++; 1482 next(); 1483 break; 1484 } 1485 1486 break; /* unknown token */ 1487 } 1488 } 1489 1490 static void 1491 pf_alternation() 1492 { 1493 int s = opstack; 1494 1495 pf_primary(); 1496 for (;;) { 1497 if (EQ("and")) 1498 next(); 1499 pf_primary(); 1500 if (opstack != s + 2) 1501 break; 1502 pf_emit(ENF_AND); 1503 opstack--; 1504 } 1505 } 1506 1507 static void 1508 pf_expression() 1509 { 1510 pf_alternation(); 1511 while (EQ("or") || EQ(",")) { 1512 if (inBrace) 1513 inBraceOR++; 1514 else 1515 foundOR++; 1516 next(); 1517 pf_alternation(); 1518 pf_emit(ENF_OR); 1519 opstack--; 1520 } 1521 } 1522 1523 /* 1524 * Attempt to compile the expression 1525 * in the string "e". If we can generate 1526 * pf code for it then return 1 - otherwise 1527 * return 0 and leave it up to the user-level 1528 * filter. 1529 */ 1530 int 1531 pf_compile(e, print) 1532 char *e; 1533 int print; 1534 { 1535 char *argstr; 1536 char *sav_str, *ptr, *sav_ptr; 1537 int inBr = 0, aheadOR = 0; 1538 1539 argstr = strdup(e); 1540 sav_str = e; 1541 tkp = argstr; 1542 dir = ANY; 1543 1544 pfp = &pf.Pf_Filter[0]; 1545 if (setjmp(env)) { 1546 return (0); 1547 } 1548 1549 /* 1550 * Set media specific packet offsets that this code uses. 1551 */ 1552 if (interface->mac_type == DL_ETHER) { 1553 dl.dl_type = DL_ETHER; 1554 dl.dl_match_fn = pf_match_ethertype; 1555 dl.dl_trans_map_tbl = ether_transport_mapping_table; 1556 dl.dl_net_map_tbl = ether_network_mapping_table; 1557 dl.dl_link_header_len = 14; 1558 dl.dl_link_type_offset = 12; 1559 dl.dl_link_dest_offset = 0; 1560 dl.dl_link_src_offset = 6; 1561 dl.dl_link_addr_len = 6; 1562 } 1563 1564 if (interface->mac_type == DL_IB) { 1565 dl.dl_type = DL_IB; 1566 dl.dl_link_header_len = 4; 1567 dl.dl_link_type_offset = 0; 1568 dl.dl_link_dest_offset = dl.dl_link_src_offset = -1; 1569 dl.dl_link_addr_len = 20; 1570 dl.dl_match_fn = pf_match_ibtype; 1571 dl.dl_trans_map_tbl = ib_transport_mapping_table; 1572 dl.dl_net_map_tbl = ib_network_mapping_table; 1573 } 1574 1575 if (interface->mac_type == DL_IPNET) { 1576 dl.dl_type = DL_IPNET; 1577 dl.dl_link_header_len = 24; 1578 dl.dl_link_type_offset = 0; 1579 dl.dl_link_dest_offset = dl.dl_link_src_offset = -1; 1580 dl.dl_link_addr_len = -1; 1581 dl.dl_match_fn = pf_match_ipnettype; 1582 dl.dl_trans_map_tbl = ipnet_transport_mapping_table; 1583 dl.dl_net_map_tbl = ipnet_network_mapping_table; 1584 } 1585 1586 next(); 1587 pf_expression(); 1588 1589 if (tokentype != EOL) { 1590 /* 1591 * The idea here is to do as much filtering as possible in 1592 * the kernel. So even if we find a token we don't understand, 1593 * we try to see if we can still set up a portion of the filter 1594 * in the kernel and use the userland filter to filter the 1595 * remaining stuff. Obviously, if our filter expression is of 1596 * type A AND B, we can filter A in kernel and then apply B 1597 * to the packets that got through. The same is not true for 1598 * a filter of type A OR B. We can't apply A first and then B 1599 * on the packets filtered through A. 1600 * 1601 * (We need to keep track of the fact when we find an OR, 1602 * and the fact that we are inside brackets when we find OR. 1603 * The variable 'foundOR' tells us if there was an OR behind, 1604 * 'inBraceOR' tells us if we found an OR before we could find 1605 * the end brace i.e. ')', and variable 'aheadOR' checks if 1606 * there is an OR in the expression ahead. if either of these 1607 * cases become true, we can't split the filtering) 1608 */ 1609 1610 if (foundOR || inBraceOR) { 1611 /* FORGET IN KERNEL FILTERING */ 1612 return (0); 1613 } else { 1614 1615 /* CHECK IF NO OR AHEAD */ 1616 sav_ptr = (char *)((uintptr_t)sav_str + 1617 (uintptr_t)sav_tkp - 1618 (uintptr_t)argstr); 1619 ptr = sav_ptr; 1620 while (*ptr != '\0') { 1621 switch (*ptr) { 1622 case '(': 1623 inBr++; 1624 break; 1625 case ')': 1626 inBr--; 1627 break; 1628 case 'o': 1629 case 'O': 1630 if ((*(ptr + 1) == 'R' || 1631 *(ptr + 1) == 'r') && !inBr) 1632 aheadOR = 1; 1633 break; 1634 case ',': 1635 if (!inBr) 1636 aheadOR = 1; 1637 break; 1638 } 1639 ptr++; 1640 } 1641 if (!aheadOR) { 1642 /* NO OR AHEAD, SPLIT UP THE FILTERING */ 1643 pf.Pf_FilterLen = pfp - &pf.Pf_Filter[0]; 1644 pf.Pf_Priority = 5; 1645 if (print) { 1646 pf_codeprint(&pf.Pf_Filter[0], 1647 pf.Pf_FilterLen); 1648 } 1649 compile(sav_ptr, print); 1650 return (2); 1651 } else 1652 return (0); 1653 } 1654 } 1655 1656 pf.Pf_FilterLen = pfp - &pf.Pf_Filter[0]; 1657 pf.Pf_Priority = 5; /* unimportant, so long as > 2 */ 1658 if (print) { 1659 pf_codeprint(&pf.Pf_Filter[0], pf.Pf_FilterLen); 1660 } 1661 return (1); 1662 } 1663