1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 23 #ifdef HAVE_CONFIG_H 24 #include <config.h> 25 #endif 26 27 #include <pcap-types.h> 28 #ifdef _WIN32 29 #include <ws2tcpip.h> 30 #else 31 #include <sys/socket.h> 32 33 #ifdef __NetBSD__ 34 #include <sys/param.h> 35 #endif 36 37 #include <netinet/in.h> 38 #include <arpa/inet.h> 39 #endif /* _WIN32 */ 40 41 #include <stdlib.h> 42 #include <string.h> 43 #include <memory.h> 44 #include <setjmp.h> 45 #include <stdarg.h> 46 47 #ifdef MSDOS 48 #include "pcap-dos.h" 49 #endif 50 51 #include "pcap-int.h" 52 53 #include "ethertype.h" 54 #include "nlpid.h" 55 #include "llc.h" 56 #include "gencode.h" 57 #include "ieee80211.h" 58 #include "atmuni31.h" 59 #include "sunatmpos.h" 60 #include "ppp.h" 61 #include "pcap/sll.h" 62 #include "pcap/ipnet.h" 63 #include "arcnet.h" 64 65 #include "grammar.h" 66 #include "scanner.h" 67 68 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 69 #include <linux/types.h> 70 #include <linux/if_packet.h> 71 #include <linux/filter.h> 72 #endif 73 74 #ifdef HAVE_NET_PFVAR_H 75 #include <sys/socket.h> 76 #include <net/if.h> 77 #include <net/pfvar.h> 78 #include <net/if_pflog.h> 79 #endif 80 81 #ifndef offsetof 82 #define offsetof(s, e) ((size_t)&((s *)0)->e) 83 #endif 84 85 #ifdef _WIN32 86 #ifdef INET6 87 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) 88 /* IPv6 address */ 89 struct in6_addr 90 { 91 union 92 { 93 uint8_t u6_addr8[16]; 94 uint16_t u6_addr16[8]; 95 uint32_t u6_addr32[4]; 96 } in6_u; 97 #define s6_addr in6_u.u6_addr8 98 #define s6_addr16 in6_u.u6_addr16 99 #define s6_addr32 in6_u.u6_addr32 100 #define s6_addr64 in6_u.u6_addr64 101 }; 102 103 typedef unsigned short sa_family_t; 104 105 #define __SOCKADDR_COMMON(sa_prefix) \ 106 sa_family_t sa_prefix##family 107 108 /* Ditto, for IPv6. */ 109 struct sockaddr_in6 110 { 111 __SOCKADDR_COMMON (sin6_); 112 uint16_t sin6_port; /* Transport layer port # */ 113 uint32_t sin6_flowinfo; /* IPv6 flow information */ 114 struct in6_addr sin6_addr; /* IPv6 address */ 115 }; 116 117 #ifndef EAI_ADDRFAMILY 118 struct addrinfo { 119 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ 120 int ai_family; /* PF_xxx */ 121 int ai_socktype; /* SOCK_xxx */ 122 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ 123 size_t ai_addrlen; /* length of ai_addr */ 124 char *ai_canonname; /* canonical name for hostname */ 125 struct sockaddr *ai_addr; /* binary address */ 126 struct addrinfo *ai_next; /* next structure in linked list */ 127 }; 128 #endif /* EAI_ADDRFAMILY */ 129 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */ 130 #endif /* INET6 */ 131 #else /* _WIN32 */ 132 #include <netdb.h> /* for "struct addrinfo" */ 133 #endif /* _WIN32 */ 134 #include <pcap/namedb.h> 135 136 #include "nametoaddr.h" 137 138 #define ETHERMTU 1500 139 140 #ifndef ETHERTYPE_TEB 141 #define ETHERTYPE_TEB 0x6558 142 #endif 143 144 #ifndef IPPROTO_HOPOPTS 145 #define IPPROTO_HOPOPTS 0 146 #endif 147 #ifndef IPPROTO_ROUTING 148 #define IPPROTO_ROUTING 43 149 #endif 150 #ifndef IPPROTO_FRAGMENT 151 #define IPPROTO_FRAGMENT 44 152 #endif 153 #ifndef IPPROTO_DSTOPTS 154 #define IPPROTO_DSTOPTS 60 155 #endif 156 #ifndef IPPROTO_SCTP 157 #define IPPROTO_SCTP 132 158 #endif 159 160 #define GENEVE_PORT 6081 161 162 #ifdef HAVE_OS_PROTO_H 163 #include "os-proto.h" 164 #endif 165 166 #define JMP(c) ((c)|BPF_JMP|BPF_K) 167 168 /* 169 * "Push" the current value of the link-layer header type and link-layer 170 * header offset onto a "stack", and set a new value. (It's not a 171 * full-blown stack; we keep only the top two items.) 172 */ 173 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \ 174 { \ 175 (cs)->prevlinktype = (cs)->linktype; \ 176 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \ 177 (cs)->linktype = (new_linktype); \ 178 (cs)->off_linkhdr.is_variable = (new_is_variable); \ 179 (cs)->off_linkhdr.constant_part = (new_constant_part); \ 180 (cs)->off_linkhdr.reg = (new_reg); \ 181 (cs)->is_geneve = 0; \ 182 } 183 184 /* 185 * Offset "not set" value. 186 */ 187 #define OFFSET_NOT_SET 0xffffffffU 188 189 /* 190 * Absolute offsets, which are offsets from the beginning of the raw 191 * packet data, are, in the general case, the sum of a variable value 192 * and a constant value; the variable value may be absent, in which 193 * case the offset is only the constant value, and the constant value 194 * may be zero, in which case the offset is only the variable value. 195 * 196 * bpf_abs_offset is a structure containing all that information: 197 * 198 * is_variable is 1 if there's a variable part. 199 * 200 * constant_part is the constant part of the value, possibly zero; 201 * 202 * if is_variable is 1, reg is the register number for a register 203 * containing the variable value if the register has been assigned, 204 * and -1 otherwise. 205 */ 206 typedef struct { 207 int is_variable; 208 u_int constant_part; 209 int reg; 210 } bpf_abs_offset; 211 212 /* 213 * Value passed to gen_load_a() to indicate what the offset argument 214 * is relative to the beginning of. 215 */ 216 enum e_offrel { 217 OR_PACKET, /* full packet data */ 218 OR_LINKHDR, /* link-layer header */ 219 OR_PREVLINKHDR, /* previous link-layer header */ 220 OR_LLC, /* 802.2 LLC header */ 221 OR_PREVMPLSHDR, /* previous MPLS header */ 222 OR_LINKTYPE, /* link-layer type */ 223 OR_LINKPL, /* link-layer payload */ 224 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */ 225 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */ 226 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */ 227 }; 228 229 /* 230 * We divy out chunks of memory rather than call malloc each time so 231 * we don't have to worry about leaking memory. It's probably 232 * not a big deal if all this memory was wasted but if this ever 233 * goes into a library that would probably not be a good idea. 234 * 235 * XXX - this *is* in a library.... 236 */ 237 #define NCHUNKS 16 238 #define CHUNK0SIZE 1024 239 struct chunk { 240 size_t n_left; 241 void *m; 242 }; 243 244 /* Code generator state */ 245 246 struct _compiler_state { 247 jmp_buf top_ctx; 248 pcap_t *bpf_pcap; 249 250 struct icode ic; 251 252 int snaplen; 253 254 int linktype; 255 int prevlinktype; 256 int outermostlinktype; 257 258 bpf_u_int32 netmask; 259 int no_optimize; 260 261 /* Hack for handling VLAN and MPLS stacks. */ 262 u_int label_stack_depth; 263 u_int vlan_stack_depth; 264 265 /* XXX */ 266 u_int pcap_fddipad; 267 268 /* 269 * As errors are handled by a longjmp, anything allocated must 270 * be freed in the longjmp handler, so it must be reachable 271 * from that handler. 272 * 273 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 274 * it must be freed with freeaddrinfo(). This variable points to 275 * any addrinfo structure that would need to be freed. 276 */ 277 struct addrinfo *ai; 278 279 /* 280 * Various code constructs need to know the layout of the packet. 281 * These values give the necessary offsets from the beginning 282 * of the packet data. 283 */ 284 285 /* 286 * Absolute offset of the beginning of the link-layer header. 287 */ 288 bpf_abs_offset off_linkhdr; 289 290 /* 291 * If we're checking a link-layer header for a packet encapsulated 292 * in another protocol layer, this is the equivalent information 293 * for the previous layers' link-layer header from the beginning 294 * of the raw packet data. 295 */ 296 bpf_abs_offset off_prevlinkhdr; 297 298 /* 299 * This is the equivalent information for the outermost layers' 300 * link-layer header. 301 */ 302 bpf_abs_offset off_outermostlinkhdr; 303 304 /* 305 * Absolute offset of the beginning of the link-layer payload. 306 */ 307 bpf_abs_offset off_linkpl; 308 309 /* 310 * "off_linktype" is the offset to information in the link-layer 311 * header giving the packet type. This is an absolute offset 312 * from the beginning of the packet. 313 * 314 * For Ethernet, it's the offset of the Ethernet type field; this 315 * means that it must have a value that skips VLAN tags. 316 * 317 * For link-layer types that always use 802.2 headers, it's the 318 * offset of the LLC header; this means that it must have a value 319 * that skips VLAN tags. 320 * 321 * For PPP, it's the offset of the PPP type field. 322 * 323 * For Cisco HDLC, it's the offset of the CHDLC type field. 324 * 325 * For BSD loopback, it's the offset of the AF_ value. 326 * 327 * For Linux cooked sockets, it's the offset of the type field. 328 * 329 * off_linktype.constant_part is set to OFFSET_NOT_SET for no 330 * encapsulation, in which case, IP is assumed. 331 */ 332 bpf_abs_offset off_linktype; 333 334 /* 335 * TRUE if the link layer includes an ATM pseudo-header. 336 */ 337 int is_atm; 338 339 /* 340 * TRUE if "geneve" appeared in the filter; it causes us to 341 * generate code that checks for a Geneve header and assume 342 * that later filters apply to the encapsulated payload. 343 */ 344 int is_geneve; 345 346 /* 347 * TRUE if we need variable length part of VLAN offset 348 */ 349 int is_vlan_vloffset; 350 351 /* 352 * These are offsets for the ATM pseudo-header. 353 */ 354 u_int off_vpi; 355 u_int off_vci; 356 u_int off_proto; 357 358 /* 359 * These are offsets for the MTP2 fields. 360 */ 361 u_int off_li; 362 u_int off_li_hsl; 363 364 /* 365 * These are offsets for the MTP3 fields. 366 */ 367 u_int off_sio; 368 u_int off_opc; 369 u_int off_dpc; 370 u_int off_sls; 371 372 /* 373 * This is the offset of the first byte after the ATM pseudo_header, 374 * or -1 if there is no ATM pseudo-header. 375 */ 376 u_int off_payload; 377 378 /* 379 * These are offsets to the beginning of the network-layer header. 380 * They are relative to the beginning of the link-layer payload 381 * (i.e., they don't include off_linkhdr.constant_part or 382 * off_linkpl.constant_part). 383 * 384 * If the link layer never uses 802.2 LLC: 385 * 386 * "off_nl" and "off_nl_nosnap" are the same. 387 * 388 * If the link layer always uses 802.2 LLC: 389 * 390 * "off_nl" is the offset if there's a SNAP header following 391 * the 802.2 header; 392 * 393 * "off_nl_nosnap" is the offset if there's no SNAP header. 394 * 395 * If the link layer is Ethernet: 396 * 397 * "off_nl" is the offset if the packet is an Ethernet II packet 398 * (we assume no 802.3+802.2+SNAP); 399 * 400 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 401 * with an 802.2 header following it. 402 */ 403 u_int off_nl; 404 u_int off_nl_nosnap; 405 406 /* 407 * Here we handle simple allocation of the scratch registers. 408 * If too many registers are alloc'd, the allocator punts. 409 */ 410 int regused[BPF_MEMWORDS]; 411 int curreg; 412 413 /* 414 * Memory chunks. 415 */ 416 struct chunk chunks[NCHUNKS]; 417 int cur_chunk; 418 }; 419 420 void PCAP_NORETURN 421 bpf_syntax_error(compiler_state_t *cstate, const char *msg) 422 { 423 bpf_error(cstate, "syntax error in filter expression: %s", msg); 424 /* NOTREACHED */ 425 } 426 427 /* VARARGS */ 428 void PCAP_NORETURN 429 bpf_error(compiler_state_t *cstate, const char *fmt, ...) 430 { 431 va_list ap; 432 433 va_start(ap, fmt); 434 if (cstate->bpf_pcap != NULL) 435 (void)pcap_vsnprintf(pcap_geterr(cstate->bpf_pcap), 436 PCAP_ERRBUF_SIZE, fmt, ap); 437 va_end(ap); 438 longjmp(cstate->top_ctx, 1); 439 /* NOTREACHED */ 440 } 441 442 static void init_linktype(compiler_state_t *, pcap_t *); 443 444 static void init_regs(compiler_state_t *); 445 static int alloc_reg(compiler_state_t *); 446 static void free_reg(compiler_state_t *, int); 447 448 static void initchunks(compiler_state_t *cstate); 449 static void *newchunk(compiler_state_t *cstate, size_t); 450 static void freechunks(compiler_state_t *cstate); 451 static inline struct block *new_block(compiler_state_t *cstate, int); 452 static inline struct slist *new_stmt(compiler_state_t *cstate, int); 453 static struct block *gen_retblk(compiler_state_t *cstate, int); 454 static inline void syntax(compiler_state_t *cstate); 455 456 static void backpatch(struct block *, struct block *); 457 static void merge(struct block *, struct block *); 458 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int, 459 u_int, bpf_int32); 460 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int, 461 u_int, bpf_int32); 462 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int, 463 u_int, bpf_int32); 464 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int, 465 u_int, bpf_int32); 466 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int, 467 u_int, bpf_int32); 468 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int, 469 u_int, bpf_int32, bpf_u_int32); 470 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int, 471 u_int, const u_char *); 472 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32, 473 bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32); 474 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *, 475 u_int, u_int); 476 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int, 477 u_int); 478 static struct slist *gen_loadx_iphdrlen(compiler_state_t *); 479 static struct block *gen_uncond(compiler_state_t *, int); 480 static inline struct block *gen_true(compiler_state_t *); 481 static inline struct block *gen_false(compiler_state_t *); 482 static struct block *gen_ether_linktype(compiler_state_t *, int); 483 static struct block *gen_ipnet_linktype(compiler_state_t *, int); 484 static struct block *gen_linux_sll_linktype(compiler_state_t *, int); 485 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *); 486 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *); 487 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *); 488 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *); 489 static void insert_compute_vloffsets(compiler_state_t *, struct block *); 490 static struct slist *gen_abs_offset_varpart(compiler_state_t *, 491 bpf_abs_offset *); 492 static int ethertype_to_ppptype(int); 493 static struct block *gen_linktype(compiler_state_t *, int); 494 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32); 495 static struct block *gen_llc_linktype(compiler_state_t *, int); 496 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32, 497 int, int, u_int, u_int); 498 #ifdef INET6 499 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *, 500 struct in6_addr *, int, int, u_int, u_int); 501 #endif 502 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int); 503 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int); 504 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int); 505 static struct block *gen_thostop(compiler_state_t *, const u_char *, int); 506 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int); 507 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int); 508 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int); 509 static struct block *gen_mpls_linktype(compiler_state_t *, int); 510 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32, 511 int, int, int); 512 #ifdef INET6 513 static struct block *gen_host6(compiler_state_t *, struct in6_addr *, 514 struct in6_addr *, int, int, int); 515 #endif 516 #ifndef INET6 517 static struct block *gen_gateway(compiler_state_t *, const u_char *, 518 struct addrinfo *, int, int); 519 #endif 520 static struct block *gen_ipfrag(compiler_state_t *); 521 static struct block *gen_portatom(compiler_state_t *, int, bpf_int32); 522 static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32, 523 bpf_int32); 524 static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32); 525 static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32, 526 bpf_int32); 527 struct block *gen_portop(compiler_state_t *, int, int, int); 528 static struct block *gen_port(compiler_state_t *, int, int, int); 529 struct block *gen_portrangeop(compiler_state_t *, int, int, int, int); 530 static struct block *gen_portrange(compiler_state_t *, int, int, int, int); 531 struct block *gen_portop6(compiler_state_t *, int, int, int); 532 static struct block *gen_port6(compiler_state_t *, int, int, int); 533 struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int); 534 static struct block *gen_portrange6(compiler_state_t *, int, int, int, int); 535 static int lookup_proto(compiler_state_t *, const char *, int); 536 static struct block *gen_protochain(compiler_state_t *, int, int, int); 537 static struct block *gen_proto(compiler_state_t *, int, int, int); 538 static struct slist *xfer_to_x(compiler_state_t *, struct arth *); 539 static struct slist *xfer_to_a(compiler_state_t *, struct arth *); 540 static struct block *gen_mac_multicast(compiler_state_t *, int); 541 static struct block *gen_len(compiler_state_t *, int, int); 542 static struct block *gen_check_802_11_data_frame(compiler_state_t *); 543 static struct block *gen_geneve_ll_check(compiler_state_t *cstate); 544 545 static struct block *gen_ppi_dlt_check(compiler_state_t *); 546 static struct block *gen_msg_abbrev(compiler_state_t *, int type); 547 548 static void 549 initchunks(compiler_state_t *cstate) 550 { 551 int i; 552 553 for (i = 0; i < NCHUNKS; i++) { 554 cstate->chunks[i].n_left = 0; 555 cstate->chunks[i].m = NULL; 556 } 557 cstate->cur_chunk = 0; 558 } 559 560 static void * 561 newchunk(compiler_state_t *cstate, size_t n) 562 { 563 struct chunk *cp; 564 int k; 565 size_t size; 566 567 #ifndef __NetBSD__ 568 /* XXX Round up to nearest long. */ 569 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 570 #else 571 /* XXX Round up to structure boundary. */ 572 n = ALIGN(n); 573 #endif 574 575 cp = &cstate->chunks[cstate->cur_chunk]; 576 if (n > cp->n_left) { 577 ++cp; 578 k = ++cstate->cur_chunk; 579 if (k >= NCHUNKS) 580 bpf_error(cstate, "out of memory"); 581 size = CHUNK0SIZE << k; 582 cp->m = (void *)malloc(size); 583 if (cp->m == NULL) 584 bpf_error(cstate, "out of memory"); 585 memset((char *)cp->m, 0, size); 586 cp->n_left = size; 587 if (n > size) 588 bpf_error(cstate, "out of memory"); 589 } 590 cp->n_left -= n; 591 return (void *)((char *)cp->m + cp->n_left); 592 } 593 594 static void 595 freechunks(compiler_state_t *cstate) 596 { 597 int i; 598 599 for (i = 0; i < NCHUNKS; ++i) 600 if (cstate->chunks[i].m != NULL) 601 free(cstate->chunks[i].m); 602 } 603 604 /* 605 * A strdup whose allocations are freed after code generation is over. 606 */ 607 char * 608 sdup(compiler_state_t *cstate, const char *s) 609 { 610 size_t n = strlen(s) + 1; 611 char *cp = newchunk(cstate, n); 612 613 strlcpy(cp, s, n); 614 return (cp); 615 } 616 617 static inline struct block * 618 new_block(compiler_state_t *cstate, int code) 619 { 620 struct block *p; 621 622 p = (struct block *)newchunk(cstate, sizeof(*p)); 623 p->s.code = code; 624 p->head = p; 625 626 return p; 627 } 628 629 static inline struct slist * 630 new_stmt(compiler_state_t *cstate, int code) 631 { 632 struct slist *p; 633 634 p = (struct slist *)newchunk(cstate, sizeof(*p)); 635 p->s.code = code; 636 637 return p; 638 } 639 640 static struct block * 641 gen_retblk(compiler_state_t *cstate, int v) 642 { 643 struct block *b = new_block(cstate, BPF_RET|BPF_K); 644 645 b->s.k = v; 646 return b; 647 } 648 649 static inline PCAP_NORETURN_DEF void 650 syntax(compiler_state_t *cstate) 651 { 652 bpf_error(cstate, "syntax error in filter expression"); 653 } 654 655 int 656 pcap_compile(pcap_t *p, struct bpf_program *program, 657 const char *buf, int optimize, bpf_u_int32 mask) 658 { 659 #ifdef _WIN32 660 static int done = 0; 661 #endif 662 compiler_state_t cstate; 663 const char * volatile xbuf = buf; 664 yyscan_t scanner = NULL; 665 YY_BUFFER_STATE in_buffer = NULL; 666 u_int len; 667 int rc; 668 669 /* 670 * If this pcap_t hasn't been activated, it doesn't have a 671 * link-layer type, so we can't use it. 672 */ 673 if (!p->activated) { 674 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 675 "not-yet-activated pcap_t passed to pcap_compile"); 676 return (-1); 677 } 678 679 #ifdef _WIN32 680 if (!done) 681 pcap_wsockinit(); 682 done = 1; 683 #endif 684 685 #ifdef ENABLE_REMOTE 686 /* 687 * If the device on which we're capturing need to be notified 688 * that a new filter is being compiled, do so. 689 * 690 * This allows them to save a copy of it, in case, for example, 691 * they're implementing a form of remote packet capture, and 692 * want the remote machine to filter out the packets in which 693 * it's sending the packets it's captured. 694 * 695 * XXX - the fact that we happen to be compiling a filter 696 * doesn't necessarily mean we'll be installing it as the 697 * filter for this pcap_t; we might be running it from userland 698 * on captured packets to do packet classification. We really 699 * need a better way of handling this, but this is all that 700 * the WinPcap code did. 701 */ 702 if (p->save_current_filter_op != NULL) 703 (p->save_current_filter_op)(p, buf); 704 #endif 705 706 initchunks(&cstate); 707 cstate.no_optimize = 0; 708 #ifdef INET6 709 cstate.ai = NULL; 710 #endif 711 cstate.ic.root = NULL; 712 cstate.ic.cur_mark = 0; 713 cstate.bpf_pcap = p; 714 init_regs(&cstate); 715 716 if (setjmp(cstate.top_ctx)) { 717 #ifdef INET6 718 if (cstate.ai != NULL) 719 freeaddrinfo(cstate.ai); 720 #endif 721 rc = -1; 722 goto quit; 723 } 724 725 cstate.netmask = mask; 726 727 cstate.snaplen = pcap_snapshot(p); 728 if (cstate.snaplen == 0) { 729 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 730 "snaplen of 0 rejects all packets"); 731 rc = -1; 732 goto quit; 733 } 734 735 if (pcap_lex_init(&scanner) != 0) 736 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE, 737 errno, "can't initialize scanner"); 738 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner); 739 740 /* 741 * Associate the compiler state with the lexical analyzer 742 * state. 743 */ 744 pcap_set_extra(&cstate, scanner); 745 746 init_linktype(&cstate, p); 747 (void)pcap_parse(scanner, &cstate); 748 749 if (cstate.ic.root == NULL) 750 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen); 751 752 if (optimize && !cstate.no_optimize) { 753 bpf_optimize(&cstate, &cstate.ic); 754 if (cstate.ic.root == NULL || 755 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) 756 bpf_error(&cstate, "expression rejects all packets"); 757 } 758 program->bf_insns = icode_to_fcode(&cstate, &cstate.ic, cstate.ic.root, &len); 759 program->bf_len = len; 760 761 rc = 0; /* We're all okay */ 762 763 quit: 764 /* 765 * Clean up everything for the lexical analyzer. 766 */ 767 if (in_buffer != NULL) 768 pcap__delete_buffer(in_buffer, scanner); 769 if (scanner != NULL) 770 pcap_lex_destroy(scanner); 771 772 /* 773 * Clean up our own allocated memory. 774 */ 775 freechunks(&cstate); 776 777 return (rc); 778 } 779 780 /* 781 * entry point for using the compiler with no pcap open 782 * pass in all the stuff that is needed explicitly instead. 783 */ 784 int 785 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 786 struct bpf_program *program, 787 const char *buf, int optimize, bpf_u_int32 mask) 788 { 789 pcap_t *p; 790 int ret; 791 792 p = pcap_open_dead(linktype_arg, snaplen_arg); 793 if (p == NULL) 794 return (-1); 795 ret = pcap_compile(p, program, buf, optimize, mask); 796 pcap_close(p); 797 return (ret); 798 } 799 800 /* 801 * Clean up a "struct bpf_program" by freeing all the memory allocated 802 * in it. 803 */ 804 void 805 pcap_freecode(struct bpf_program *program) 806 { 807 program->bf_len = 0; 808 if (program->bf_insns != NULL) { 809 free((char *)program->bf_insns); 810 program->bf_insns = NULL; 811 } 812 } 813 814 /* 815 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 816 * which of the jt and jf fields has been resolved and which is a pointer 817 * back to another unresolved block (or nil). At least one of the fields 818 * in each block is already resolved. 819 */ 820 static void 821 backpatch(struct block *list, struct block *target) 822 { 823 struct block *next; 824 825 while (list) { 826 if (!list->sense) { 827 next = JT(list); 828 JT(list) = target; 829 } else { 830 next = JF(list); 831 JF(list) = target; 832 } 833 list = next; 834 } 835 } 836 837 /* 838 * Merge the lists in b0 and b1, using the 'sense' field to indicate 839 * which of jt and jf is the link. 840 */ 841 static void 842 merge(struct block *b0, struct block *b1) 843 { 844 register struct block **p = &b0; 845 846 /* Find end of list. */ 847 while (*p) 848 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 849 850 /* Concatenate the lists. */ 851 *p = b1; 852 } 853 854 void 855 finish_parse(compiler_state_t *cstate, struct block *p) 856 { 857 struct block *ppi_dlt_check; 858 859 /* 860 * Insert before the statements of the first (root) block any 861 * statements needed to load the lengths of any variable-length 862 * headers into registers. 863 * 864 * XXX - a fancier strategy would be to insert those before the 865 * statements of all blocks that use those lengths and that 866 * have no predecessors that use them, so that we only compute 867 * the lengths if we need them. There might be even better 868 * approaches than that. 869 * 870 * However, those strategies would be more complicated, and 871 * as we don't generate code to compute a length if the 872 * program has no tests that use the length, and as most 873 * tests will probably use those lengths, we would just 874 * postpone computing the lengths so that it's not done 875 * for tests that fail early, and it's not clear that's 876 * worth the effort. 877 */ 878 insert_compute_vloffsets(cstate, p->head); 879 880 /* 881 * For DLT_PPI captures, generate a check of the per-packet 882 * DLT value to make sure it's DLT_IEEE802_11. 883 * 884 * XXX - TurboCap cards use DLT_PPI for Ethernet. 885 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header 886 * with appropriate Ethernet information and use that rather 887 * than using something such as DLT_PPI where you don't know 888 * the link-layer header type until runtime, which, in the 889 * general case, would force us to generate both Ethernet *and* 890 * 802.11 code (*and* anything else for which PPI is used) 891 * and choose between them early in the BPF program? 892 */ 893 ppi_dlt_check = gen_ppi_dlt_check(cstate); 894 if (ppi_dlt_check != NULL) 895 gen_and(ppi_dlt_check, p); 896 897 backpatch(p, gen_retblk(cstate, cstate->snaplen)); 898 p->sense = !p->sense; 899 backpatch(p, gen_retblk(cstate, 0)); 900 cstate->ic.root = p->head; 901 } 902 903 void 904 gen_and(struct block *b0, struct block *b1) 905 { 906 backpatch(b0, b1->head); 907 b0->sense = !b0->sense; 908 b1->sense = !b1->sense; 909 merge(b1, b0); 910 b1->sense = !b1->sense; 911 b1->head = b0->head; 912 } 913 914 void 915 gen_or(struct block *b0, struct block *b1) 916 { 917 b0->sense = !b0->sense; 918 backpatch(b0, b1->head); 919 b0->sense = !b0->sense; 920 merge(b1, b0); 921 b1->head = b0->head; 922 } 923 924 void 925 gen_not(struct block *b) 926 { 927 b->sense = !b->sense; 928 } 929 930 static struct block * 931 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 932 u_int size, bpf_int32 v) 933 { 934 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 935 } 936 937 static struct block * 938 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 939 u_int size, bpf_int32 v) 940 { 941 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 942 } 943 944 static struct block * 945 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 946 u_int size, bpf_int32 v) 947 { 948 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 949 } 950 951 static struct block * 952 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 953 u_int size, bpf_int32 v) 954 { 955 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 956 } 957 958 static struct block * 959 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 960 u_int size, bpf_int32 v) 961 { 962 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 963 } 964 965 static struct block * 966 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 967 u_int size, bpf_int32 v, bpf_u_int32 mask) 968 { 969 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v); 970 } 971 972 static struct block * 973 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 974 u_int size, const u_char *v) 975 { 976 register struct block *b, *tmp; 977 978 b = NULL; 979 while (size >= 4) { 980 register const u_char *p = &v[size - 4]; 981 bpf_int32 w = ((bpf_int32)p[0] << 24) | 982 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 983 984 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, w); 985 if (b != NULL) 986 gen_and(b, tmp); 987 b = tmp; 988 size -= 4; 989 } 990 while (size >= 2) { 991 register const u_char *p = &v[size - 2]; 992 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 993 994 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, w); 995 if (b != NULL) 996 gen_and(b, tmp); 997 b = tmp; 998 size -= 2; 999 } 1000 if (size > 0) { 1001 tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]); 1002 if (b != NULL) 1003 gen_and(b, tmp); 1004 b = tmp; 1005 } 1006 return b; 1007 } 1008 1009 /* 1010 * AND the field of size "size" at offset "offset" relative to the header 1011 * specified by "offrel" with "mask", and compare it with the value "v" 1012 * with the test specified by "jtype"; if "reverse" is true, the test 1013 * should test the opposite of "jtype". 1014 */ 1015 static struct block * 1016 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset, 1017 bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse, 1018 bpf_int32 v) 1019 { 1020 struct slist *s, *s2; 1021 struct block *b; 1022 1023 s = gen_load_a(cstate, offrel, offset, size); 1024 1025 if (mask != 0xffffffff) { 1026 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1027 s2->s.k = mask; 1028 sappend(s, s2); 1029 } 1030 1031 b = new_block(cstate, JMP(jtype)); 1032 b->stmts = s; 1033 b->s.k = v; 1034 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 1035 gen_not(b); 1036 return b; 1037 } 1038 1039 static void 1040 init_linktype(compiler_state_t *cstate, pcap_t *p) 1041 { 1042 cstate->pcap_fddipad = p->fddipad; 1043 1044 /* 1045 * We start out with only one link-layer header. 1046 */ 1047 cstate->outermostlinktype = pcap_datalink(p); 1048 cstate->off_outermostlinkhdr.constant_part = 0; 1049 cstate->off_outermostlinkhdr.is_variable = 0; 1050 cstate->off_outermostlinkhdr.reg = -1; 1051 1052 cstate->prevlinktype = cstate->outermostlinktype; 1053 cstate->off_prevlinkhdr.constant_part = 0; 1054 cstate->off_prevlinkhdr.is_variable = 0; 1055 cstate->off_prevlinkhdr.reg = -1; 1056 1057 cstate->linktype = cstate->outermostlinktype; 1058 cstate->off_linkhdr.constant_part = 0; 1059 cstate->off_linkhdr.is_variable = 0; 1060 cstate->off_linkhdr.reg = -1; 1061 1062 /* 1063 * XXX 1064 */ 1065 cstate->off_linkpl.constant_part = 0; 1066 cstate->off_linkpl.is_variable = 0; 1067 cstate->off_linkpl.reg = -1; 1068 1069 cstate->off_linktype.constant_part = 0; 1070 cstate->off_linktype.is_variable = 0; 1071 cstate->off_linktype.reg = -1; 1072 1073 /* 1074 * Assume it's not raw ATM with a pseudo-header, for now. 1075 */ 1076 cstate->is_atm = 0; 1077 cstate->off_vpi = OFFSET_NOT_SET; 1078 cstate->off_vci = OFFSET_NOT_SET; 1079 cstate->off_proto = OFFSET_NOT_SET; 1080 cstate->off_payload = OFFSET_NOT_SET; 1081 1082 /* 1083 * And not Geneve. 1084 */ 1085 cstate->is_geneve = 0; 1086 1087 /* 1088 * No variable length VLAN offset by default 1089 */ 1090 cstate->is_vlan_vloffset = 0; 1091 1092 /* 1093 * And assume we're not doing SS7. 1094 */ 1095 cstate->off_li = OFFSET_NOT_SET; 1096 cstate->off_li_hsl = OFFSET_NOT_SET; 1097 cstate->off_sio = OFFSET_NOT_SET; 1098 cstate->off_opc = OFFSET_NOT_SET; 1099 cstate->off_dpc = OFFSET_NOT_SET; 1100 cstate->off_sls = OFFSET_NOT_SET; 1101 1102 cstate->label_stack_depth = 0; 1103 cstate->vlan_stack_depth = 0; 1104 1105 switch (cstate->linktype) { 1106 1107 case DLT_ARCNET: 1108 cstate->off_linktype.constant_part = 2; 1109 cstate->off_linkpl.constant_part = 6; 1110 cstate->off_nl = 0; /* XXX in reality, variable! */ 1111 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1112 break; 1113 1114 case DLT_ARCNET_LINUX: 1115 cstate->off_linktype.constant_part = 4; 1116 cstate->off_linkpl.constant_part = 8; 1117 cstate->off_nl = 0; /* XXX in reality, variable! */ 1118 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1119 break; 1120 1121 case DLT_EN10MB: 1122 cstate->off_linktype.constant_part = 12; 1123 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */ 1124 cstate->off_nl = 0; /* Ethernet II */ 1125 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1126 break; 1127 1128 case DLT_SLIP: 1129 /* 1130 * SLIP doesn't have a link level type. The 16 byte 1131 * header is hacked into our SLIP driver. 1132 */ 1133 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1134 cstate->off_linkpl.constant_part = 16; 1135 cstate->off_nl = 0; 1136 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1137 break; 1138 1139 case DLT_SLIP_BSDOS: 1140 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1141 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1142 /* XXX end */ 1143 cstate->off_linkpl.constant_part = 24; 1144 cstate->off_nl = 0; 1145 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1146 break; 1147 1148 case DLT_NULL: 1149 case DLT_LOOP: 1150 cstate->off_linktype.constant_part = 0; 1151 cstate->off_linkpl.constant_part = 4; 1152 cstate->off_nl = 0; 1153 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1154 break; 1155 1156 case DLT_ENC: 1157 cstate->off_linktype.constant_part = 0; 1158 cstate->off_linkpl.constant_part = 12; 1159 cstate->off_nl = 0; 1160 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1161 break; 1162 1163 case DLT_PPP: 1164 case DLT_PPP_PPPD: 1165 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1166 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1167 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */ 1168 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */ 1169 cstate->off_nl = 0; 1170 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1171 break; 1172 1173 case DLT_PPP_ETHER: 1174 /* 1175 * This does no include the Ethernet header, and 1176 * only covers session state. 1177 */ 1178 cstate->off_linktype.constant_part = 6; 1179 cstate->off_linkpl.constant_part = 8; 1180 cstate->off_nl = 0; 1181 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1182 break; 1183 1184 case DLT_PPP_BSDOS: 1185 cstate->off_linktype.constant_part = 5; 1186 cstate->off_linkpl.constant_part = 24; 1187 cstate->off_nl = 0; 1188 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1189 break; 1190 1191 case DLT_FDDI: 1192 /* 1193 * FDDI doesn't really have a link-level type field. 1194 * We set "off_linktype" to the offset of the LLC header. 1195 * 1196 * To check for Ethernet types, we assume that SSAP = SNAP 1197 * is being used and pick out the encapsulated Ethernet type. 1198 * XXX - should we generate code to check for SNAP? 1199 */ 1200 cstate->off_linktype.constant_part = 13; 1201 cstate->off_linktype.constant_part += cstate->pcap_fddipad; 1202 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */ 1203 cstate->off_linkpl.constant_part += cstate->pcap_fddipad; 1204 cstate->off_nl = 8; /* 802.2+SNAP */ 1205 cstate->off_nl_nosnap = 3; /* 802.2 */ 1206 break; 1207 1208 case DLT_IEEE802: 1209 /* 1210 * Token Ring doesn't really have a link-level type field. 1211 * We set "off_linktype" to the offset of the LLC header. 1212 * 1213 * To check for Ethernet types, we assume that SSAP = SNAP 1214 * is being used and pick out the encapsulated Ethernet type. 1215 * XXX - should we generate code to check for SNAP? 1216 * 1217 * XXX - the header is actually variable-length. 1218 * Some various Linux patched versions gave 38 1219 * as "off_linktype" and 40 as "off_nl"; however, 1220 * if a token ring packet has *no* routing 1221 * information, i.e. is not source-routed, the correct 1222 * values are 20 and 22, as they are in the vanilla code. 1223 * 1224 * A packet is source-routed iff the uppermost bit 1225 * of the first byte of the source address, at an 1226 * offset of 8, has the uppermost bit set. If the 1227 * packet is source-routed, the total number of bytes 1228 * of routing information is 2 plus bits 0x1F00 of 1229 * the 16-bit value at an offset of 14 (shifted right 1230 * 8 - figure out which byte that is). 1231 */ 1232 cstate->off_linktype.constant_part = 14; 1233 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */ 1234 cstate->off_nl = 8; /* 802.2+SNAP */ 1235 cstate->off_nl_nosnap = 3; /* 802.2 */ 1236 break; 1237 1238 case DLT_PRISM_HEADER: 1239 case DLT_IEEE802_11_RADIO_AVS: 1240 case DLT_IEEE802_11_RADIO: 1241 cstate->off_linkhdr.is_variable = 1; 1242 /* Fall through, 802.11 doesn't have a variable link 1243 * prefix but is otherwise the same. */ 1244 1245 case DLT_IEEE802_11: 1246 /* 1247 * 802.11 doesn't really have a link-level type field. 1248 * We set "off_linktype.constant_part" to the offset of 1249 * the LLC header. 1250 * 1251 * To check for Ethernet types, we assume that SSAP = SNAP 1252 * is being used and pick out the encapsulated Ethernet type. 1253 * XXX - should we generate code to check for SNAP? 1254 * 1255 * We also handle variable-length radio headers here. 1256 * The Prism header is in theory variable-length, but in 1257 * practice it's always 144 bytes long. However, some 1258 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1259 * sometimes or always supply an AVS header, so we 1260 * have to check whether the radio header is a Prism 1261 * header or an AVS header, so, in practice, it's 1262 * variable-length. 1263 */ 1264 cstate->off_linktype.constant_part = 24; 1265 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1266 cstate->off_linkpl.is_variable = 1; 1267 cstate->off_nl = 8; /* 802.2+SNAP */ 1268 cstate->off_nl_nosnap = 3; /* 802.2 */ 1269 break; 1270 1271 case DLT_PPI: 1272 /* 1273 * At the moment we treat PPI the same way that we treat 1274 * normal Radiotap encoded packets. The difference is in 1275 * the function that generates the code at the beginning 1276 * to compute the header length. Since this code generator 1277 * of PPI supports bare 802.11 encapsulation only (i.e. 1278 * the encapsulated DLT should be DLT_IEEE802_11) we 1279 * generate code to check for this too. 1280 */ 1281 cstate->off_linktype.constant_part = 24; 1282 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1283 cstate->off_linkpl.is_variable = 1; 1284 cstate->off_linkhdr.is_variable = 1; 1285 cstate->off_nl = 8; /* 802.2+SNAP */ 1286 cstate->off_nl_nosnap = 3; /* 802.2 */ 1287 break; 1288 1289 case DLT_ATM_RFC1483: 1290 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1291 /* 1292 * assume routed, non-ISO PDUs 1293 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1294 * 1295 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1296 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1297 * latter would presumably be treated the way PPPoE 1298 * should be, so you can do "pppoe and udp port 2049" 1299 * or "pppoa and tcp port 80" and have it check for 1300 * PPPo{A,E} and a PPP protocol of IP and.... 1301 */ 1302 cstate->off_linktype.constant_part = 0; 1303 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */ 1304 cstate->off_nl = 8; /* 802.2+SNAP */ 1305 cstate->off_nl_nosnap = 3; /* 802.2 */ 1306 break; 1307 1308 case DLT_SUNATM: 1309 /* 1310 * Full Frontal ATM; you get AALn PDUs with an ATM 1311 * pseudo-header. 1312 */ 1313 cstate->is_atm = 1; 1314 cstate->off_vpi = SUNATM_VPI_POS; 1315 cstate->off_vci = SUNATM_VCI_POS; 1316 cstate->off_proto = PROTO_POS; 1317 cstate->off_payload = SUNATM_PKT_BEGIN_POS; 1318 cstate->off_linktype.constant_part = cstate->off_payload; 1319 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */ 1320 cstate->off_nl = 8; /* 802.2+SNAP */ 1321 cstate->off_nl_nosnap = 3; /* 802.2 */ 1322 break; 1323 1324 case DLT_RAW: 1325 case DLT_IPV4: 1326 case DLT_IPV6: 1327 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1328 cstate->off_linkpl.constant_part = 0; 1329 cstate->off_nl = 0; 1330 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1331 break; 1332 1333 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1334 cstate->off_linktype.constant_part = 14; 1335 cstate->off_linkpl.constant_part = 16; 1336 cstate->off_nl = 0; 1337 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1338 break; 1339 1340 case DLT_LTALK: 1341 /* 1342 * LocalTalk does have a 1-byte type field in the LLAP header, 1343 * but really it just indicates whether there is a "short" or 1344 * "long" DDP packet following. 1345 */ 1346 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1347 cstate->off_linkpl.constant_part = 0; 1348 cstate->off_nl = 0; 1349 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1350 break; 1351 1352 case DLT_IP_OVER_FC: 1353 /* 1354 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1355 * link-level type field. We set "off_linktype" to the 1356 * offset of the LLC header. 1357 * 1358 * To check for Ethernet types, we assume that SSAP = SNAP 1359 * is being used and pick out the encapsulated Ethernet type. 1360 * XXX - should we generate code to check for SNAP? RFC 1361 * 2625 says SNAP should be used. 1362 */ 1363 cstate->off_linktype.constant_part = 16; 1364 cstate->off_linkpl.constant_part = 16; 1365 cstate->off_nl = 8; /* 802.2+SNAP */ 1366 cstate->off_nl_nosnap = 3; /* 802.2 */ 1367 break; 1368 1369 case DLT_FRELAY: 1370 /* 1371 * XXX - we should set this to handle SNAP-encapsulated 1372 * frames (NLPID of 0x80). 1373 */ 1374 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1375 cstate->off_linkpl.constant_part = 0; 1376 cstate->off_nl = 0; 1377 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1378 break; 1379 1380 /* 1381 * the only BPF-interesting FRF.16 frames are non-control frames; 1382 * Frame Relay has a variable length link-layer 1383 * so lets start with offset 4 for now and increments later on (FIXME); 1384 */ 1385 case DLT_MFR: 1386 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1387 cstate->off_linkpl.constant_part = 0; 1388 cstate->off_nl = 4; 1389 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1390 break; 1391 1392 case DLT_APPLE_IP_OVER_IEEE1394: 1393 cstate->off_linktype.constant_part = 16; 1394 cstate->off_linkpl.constant_part = 18; 1395 cstate->off_nl = 0; 1396 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1397 break; 1398 1399 case DLT_SYMANTEC_FIREWALL: 1400 cstate->off_linktype.constant_part = 6; 1401 cstate->off_linkpl.constant_part = 44; 1402 cstate->off_nl = 0; /* Ethernet II */ 1403 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1404 break; 1405 1406 #ifdef HAVE_NET_PFVAR_H 1407 case DLT_PFLOG: 1408 cstate->off_linktype.constant_part = 0; 1409 cstate->off_linkpl.constant_part = PFLOG_HDRLEN; 1410 cstate->off_nl = 0; 1411 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 1412 break; 1413 #endif 1414 1415 case DLT_JUNIPER_MFR: 1416 case DLT_JUNIPER_MLFR: 1417 case DLT_JUNIPER_MLPPP: 1418 case DLT_JUNIPER_PPP: 1419 case DLT_JUNIPER_CHDLC: 1420 case DLT_JUNIPER_FRELAY: 1421 cstate->off_linktype.constant_part = 4; 1422 cstate->off_linkpl.constant_part = 4; 1423 cstate->off_nl = 0; 1424 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1425 break; 1426 1427 case DLT_JUNIPER_ATM1: 1428 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */ 1429 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */ 1430 cstate->off_nl = 0; 1431 cstate->off_nl_nosnap = 10; 1432 break; 1433 1434 case DLT_JUNIPER_ATM2: 1435 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */ 1436 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */ 1437 cstate->off_nl = 0; 1438 cstate->off_nl_nosnap = 10; 1439 break; 1440 1441 /* frames captured on a Juniper PPPoE service PIC 1442 * contain raw ethernet frames */ 1443 case DLT_JUNIPER_PPPOE: 1444 case DLT_JUNIPER_ETHER: 1445 cstate->off_linkpl.constant_part = 14; 1446 cstate->off_linktype.constant_part = 16; 1447 cstate->off_nl = 18; /* Ethernet II */ 1448 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */ 1449 break; 1450 1451 case DLT_JUNIPER_PPPOE_ATM: 1452 cstate->off_linktype.constant_part = 4; 1453 cstate->off_linkpl.constant_part = 6; 1454 cstate->off_nl = 0; 1455 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1456 break; 1457 1458 case DLT_JUNIPER_GGSN: 1459 cstate->off_linktype.constant_part = 6; 1460 cstate->off_linkpl.constant_part = 12; 1461 cstate->off_nl = 0; 1462 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1463 break; 1464 1465 case DLT_JUNIPER_ES: 1466 cstate->off_linktype.constant_part = 6; 1467 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1468 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */ 1469 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1470 break; 1471 1472 case DLT_JUNIPER_MONITOR: 1473 cstate->off_linktype.constant_part = 12; 1474 cstate->off_linkpl.constant_part = 12; 1475 cstate->off_nl = 0; /* raw IP/IP6 header */ 1476 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1477 break; 1478 1479 case DLT_BACNET_MS_TP: 1480 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1481 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1482 cstate->off_nl = OFFSET_NOT_SET; 1483 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1484 break; 1485 1486 case DLT_JUNIPER_SERVICES: 1487 cstate->off_linktype.constant_part = 12; 1488 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1489 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */ 1490 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1491 break; 1492 1493 case DLT_JUNIPER_VP: 1494 cstate->off_linktype.constant_part = 18; 1495 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1496 cstate->off_nl = OFFSET_NOT_SET; 1497 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1498 break; 1499 1500 case DLT_JUNIPER_ST: 1501 cstate->off_linktype.constant_part = 18; 1502 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1503 cstate->off_nl = OFFSET_NOT_SET; 1504 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1505 break; 1506 1507 case DLT_JUNIPER_ISM: 1508 cstate->off_linktype.constant_part = 8; 1509 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1510 cstate->off_nl = OFFSET_NOT_SET; 1511 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1512 break; 1513 1514 case DLT_JUNIPER_VS: 1515 case DLT_JUNIPER_SRX_E2E: 1516 case DLT_JUNIPER_FIBRECHANNEL: 1517 case DLT_JUNIPER_ATM_CEMIC: 1518 cstate->off_linktype.constant_part = 8; 1519 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1520 cstate->off_nl = OFFSET_NOT_SET; 1521 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1522 break; 1523 1524 case DLT_MTP2: 1525 cstate->off_li = 2; 1526 cstate->off_li_hsl = 4; 1527 cstate->off_sio = 3; 1528 cstate->off_opc = 4; 1529 cstate->off_dpc = 4; 1530 cstate->off_sls = 7; 1531 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1532 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1533 cstate->off_nl = OFFSET_NOT_SET; 1534 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1535 break; 1536 1537 case DLT_MTP2_WITH_PHDR: 1538 cstate->off_li = 6; 1539 cstate->off_li_hsl = 8; 1540 cstate->off_sio = 7; 1541 cstate->off_opc = 8; 1542 cstate->off_dpc = 8; 1543 cstate->off_sls = 11; 1544 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1545 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1546 cstate->off_nl = OFFSET_NOT_SET; 1547 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1548 break; 1549 1550 case DLT_ERF: 1551 cstate->off_li = 22; 1552 cstate->off_li_hsl = 24; 1553 cstate->off_sio = 23; 1554 cstate->off_opc = 24; 1555 cstate->off_dpc = 24; 1556 cstate->off_sls = 27; 1557 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1558 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1559 cstate->off_nl = OFFSET_NOT_SET; 1560 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1561 break; 1562 1563 case DLT_PFSYNC: 1564 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1565 cstate->off_linkpl.constant_part = 4; 1566 cstate->off_nl = 0; 1567 cstate->off_nl_nosnap = 0; 1568 break; 1569 1570 case DLT_AX25_KISS: 1571 /* 1572 * Currently, only raw "link[N:M]" filtering is supported. 1573 */ 1574 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */ 1575 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1576 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */ 1577 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */ 1578 break; 1579 1580 case DLT_IPNET: 1581 cstate->off_linktype.constant_part = 1; 1582 cstate->off_linkpl.constant_part = 24; /* ipnet header length */ 1583 cstate->off_nl = 0; 1584 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1585 break; 1586 1587 case DLT_NETANALYZER: 1588 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */ 1589 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1590 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */ 1591 cstate->off_nl = 0; /* Ethernet II */ 1592 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1593 break; 1594 1595 case DLT_NETANALYZER_TRANSPARENT: 1596 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1597 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 1598 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */ 1599 cstate->off_nl = 0; /* Ethernet II */ 1600 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 1601 break; 1602 1603 default: 1604 /* 1605 * For values in the range in which we've assigned new 1606 * DLT_ values, only raw "link[N:M]" filtering is supported. 1607 */ 1608 if (cstate->linktype >= DLT_MATCHING_MIN && 1609 cstate->linktype <= DLT_MATCHING_MAX) { 1610 cstate->off_linktype.constant_part = OFFSET_NOT_SET; 1611 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; 1612 cstate->off_nl = OFFSET_NOT_SET; 1613 cstate->off_nl_nosnap = OFFSET_NOT_SET; 1614 } else { 1615 bpf_error(cstate, "unknown data link type %d", cstate->linktype); 1616 } 1617 break; 1618 } 1619 1620 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr; 1621 } 1622 1623 /* 1624 * Load a value relative to the specified absolute offset. 1625 */ 1626 static struct slist * 1627 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset, 1628 u_int offset, u_int size) 1629 { 1630 struct slist *s, *s2; 1631 1632 s = gen_abs_offset_varpart(cstate, abs_offset); 1633 1634 /* 1635 * If "s" is non-null, it has code to arrange that the X register 1636 * contains the variable part of the absolute offset, so we 1637 * generate a load relative to that, with an offset of 1638 * abs_offset->constant_part + offset. 1639 * 1640 * Otherwise, we can do an absolute load with an offset of 1641 * abs_offset->constant_part + offset. 1642 */ 1643 if (s != NULL) { 1644 /* 1645 * "s" points to a list of statements that puts the 1646 * variable part of the absolute offset into the X register. 1647 * Do an indirect load, to use the X register as an offset. 1648 */ 1649 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1650 s2->s.k = abs_offset->constant_part + offset; 1651 sappend(s, s2); 1652 } else { 1653 /* 1654 * There is no variable part of the absolute offset, so 1655 * just do an absolute load. 1656 */ 1657 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1658 s->s.k = abs_offset->constant_part + offset; 1659 } 1660 return s; 1661 } 1662 1663 /* 1664 * Load a value relative to the beginning of the specified header. 1665 */ 1666 static struct slist * 1667 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset, 1668 u_int size) 1669 { 1670 struct slist *s, *s2; 1671 1672 switch (offrel) { 1673 1674 case OR_PACKET: 1675 s = new_stmt(cstate, BPF_LD|BPF_ABS|size); 1676 s->s.k = offset; 1677 break; 1678 1679 case OR_LINKHDR: 1680 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size); 1681 break; 1682 1683 case OR_PREVLINKHDR: 1684 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size); 1685 break; 1686 1687 case OR_LLC: 1688 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size); 1689 break; 1690 1691 case OR_PREVMPLSHDR: 1692 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size); 1693 break; 1694 1695 case OR_LINKPL: 1696 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size); 1697 break; 1698 1699 case OR_LINKPL_NOSNAP: 1700 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size); 1701 break; 1702 1703 case OR_LINKTYPE: 1704 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size); 1705 break; 1706 1707 case OR_TRAN_IPV4: 1708 /* 1709 * Load the X register with the length of the IPv4 header 1710 * (plus the offset of the link-layer header, if it's 1711 * preceded by a variable-length header such as a radio 1712 * header), in bytes. 1713 */ 1714 s = gen_loadx_iphdrlen(cstate); 1715 1716 /* 1717 * Load the item at {offset of the link-layer payload} + 1718 * {offset, relative to the start of the link-layer 1719 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1720 * {specified offset}. 1721 * 1722 * If the offset of the link-layer payload is variable, 1723 * the variable part of that offset is included in the 1724 * value in the X register, and we include the constant 1725 * part in the offset of the load. 1726 */ 1727 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size); 1728 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset; 1729 sappend(s, s2); 1730 break; 1731 1732 case OR_TRAN_IPV6: 1733 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size); 1734 break; 1735 1736 default: 1737 abort(); 1738 /* NOTREACHED */ 1739 } 1740 return s; 1741 } 1742 1743 /* 1744 * Generate code to load into the X register the sum of the length of 1745 * the IPv4 header and the variable part of the offset of the link-layer 1746 * payload. 1747 */ 1748 static struct slist * 1749 gen_loadx_iphdrlen(compiler_state_t *cstate) 1750 { 1751 struct slist *s, *s2; 1752 1753 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 1754 if (s != NULL) { 1755 /* 1756 * The offset of the link-layer payload has a variable 1757 * part. "s" points to a list of statements that put 1758 * the variable part of that offset into the X register. 1759 * 1760 * The 4*([k]&0xf) addressing mode can't be used, as we 1761 * don't have a constant offset, so we have to load the 1762 * value in question into the A register and add to it 1763 * the value from the X register. 1764 */ 1765 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 1766 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1767 sappend(s, s2); 1768 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 1769 s2->s.k = 0xf; 1770 sappend(s, s2); 1771 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 1772 s2->s.k = 2; 1773 sappend(s, s2); 1774 1775 /* 1776 * The A register now contains the length of the IP header. 1777 * We need to add to it the variable part of the offset of 1778 * the link-layer payload, which is still in the X 1779 * register, and move the result into the X register. 1780 */ 1781 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 1782 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 1783 } else { 1784 /* 1785 * The offset of the link-layer payload is a constant, 1786 * so no code was generated to load the (non-existent) 1787 * variable part of that offset. 1788 * 1789 * This means we can use the 4*([k]&0xf) addressing 1790 * mode. Load the length of the IPv4 header, which 1791 * is at an offset of cstate->off_nl from the beginning of 1792 * the link-layer payload, and thus at an offset of 1793 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning 1794 * of the raw packet data, using that addressing mode. 1795 */ 1796 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 1797 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 1798 } 1799 return s; 1800 } 1801 1802 1803 static struct block * 1804 gen_uncond(compiler_state_t *cstate, int rsense) 1805 { 1806 struct block *b; 1807 struct slist *s; 1808 1809 s = new_stmt(cstate, BPF_LD|BPF_IMM); 1810 s->s.k = !rsense; 1811 b = new_block(cstate, JMP(BPF_JEQ)); 1812 b->stmts = s; 1813 1814 return b; 1815 } 1816 1817 static inline struct block * 1818 gen_true(compiler_state_t *cstate) 1819 { 1820 return gen_uncond(cstate, 1); 1821 } 1822 1823 static inline struct block * 1824 gen_false(compiler_state_t *cstate) 1825 { 1826 return gen_uncond(cstate, 0); 1827 } 1828 1829 /* 1830 * Byte-swap a 32-bit number. 1831 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1832 * big-endian platforms.) 1833 */ 1834 #define SWAPLONG(y) \ 1835 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1836 1837 /* 1838 * Generate code to match a particular packet type. 1839 * 1840 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1841 * value, if <= ETHERMTU. We use that to determine whether to 1842 * match the type/length field or to check the type/length field for 1843 * a value <= ETHERMTU to see whether it's a type field and then do 1844 * the appropriate test. 1845 */ 1846 static struct block * 1847 gen_ether_linktype(compiler_state_t *cstate, int proto) 1848 { 1849 struct block *b0, *b1; 1850 1851 switch (proto) { 1852 1853 case LLCSAP_ISONS: 1854 case LLCSAP_IP: 1855 case LLCSAP_NETBEUI: 1856 /* 1857 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1858 * so we check the DSAP and SSAP. 1859 * 1860 * LLCSAP_IP checks for IP-over-802.2, rather 1861 * than IP-over-Ethernet or IP-over-SNAP. 1862 * 1863 * XXX - should we check both the DSAP and the 1864 * SSAP, like this, or should we check just the 1865 * DSAP, as we do for other types <= ETHERMTU 1866 * (i.e., other SAP values)? 1867 */ 1868 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1869 gen_not(b0); 1870 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 1871 ((proto << 8) | proto)); 1872 gen_and(b0, b1); 1873 return b1; 1874 1875 case LLCSAP_IPX: 1876 /* 1877 * Check for; 1878 * 1879 * Ethernet_II frames, which are Ethernet 1880 * frames with a frame type of ETHERTYPE_IPX; 1881 * 1882 * Ethernet_802.3 frames, which are 802.3 1883 * frames (i.e., the type/length field is 1884 * a length field, <= ETHERMTU, rather than 1885 * a type field) with the first two bytes 1886 * after the Ethernet/802.3 header being 1887 * 0xFFFF; 1888 * 1889 * Ethernet_802.2 frames, which are 802.3 1890 * frames with an 802.2 LLC header and 1891 * with the IPX LSAP as the DSAP in the LLC 1892 * header; 1893 * 1894 * Ethernet_SNAP frames, which are 802.3 1895 * frames with an LLC header and a SNAP 1896 * header and with an OUI of 0x000000 1897 * (encapsulated Ethernet) and a protocol 1898 * ID of ETHERTYPE_IPX in the SNAP header. 1899 * 1900 * XXX - should we generate the same code both 1901 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1902 */ 1903 1904 /* 1905 * This generates code to check both for the 1906 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1907 */ 1908 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1909 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 1910 gen_or(b0, b1); 1911 1912 /* 1913 * Now we add code to check for SNAP frames with 1914 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1915 */ 1916 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 1917 gen_or(b0, b1); 1918 1919 /* 1920 * Now we generate code to check for 802.3 1921 * frames in general. 1922 */ 1923 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1924 gen_not(b0); 1925 1926 /* 1927 * Now add the check for 802.3 frames before the 1928 * check for Ethernet_802.2 and Ethernet_802.3, 1929 * as those checks should only be done on 802.3 1930 * frames, not on Ethernet frames. 1931 */ 1932 gen_and(b0, b1); 1933 1934 /* 1935 * Now add the check for Ethernet_II frames, and 1936 * do that before checking for the other frame 1937 * types. 1938 */ 1939 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 1940 gen_or(b0, b1); 1941 return b1; 1942 1943 case ETHERTYPE_ATALK: 1944 case ETHERTYPE_AARP: 1945 /* 1946 * EtherTalk (AppleTalk protocols on Ethernet link 1947 * layer) may use 802.2 encapsulation. 1948 */ 1949 1950 /* 1951 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1952 * we check for an Ethernet type field less than 1953 * 1500, which means it's an 802.3 length field. 1954 */ 1955 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1956 gen_not(b0); 1957 1958 /* 1959 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1960 * SNAP packets with an organization code of 1961 * 0x080007 (Apple, for Appletalk) and a protocol 1962 * type of ETHERTYPE_ATALK (Appletalk). 1963 * 1964 * 802.2-encapsulated ETHERTYPE_AARP packets are 1965 * SNAP packets with an organization code of 1966 * 0x000000 (encapsulated Ethernet) and a protocol 1967 * type of ETHERTYPE_AARP (Appletalk ARP). 1968 */ 1969 if (proto == ETHERTYPE_ATALK) 1970 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 1971 else /* proto == ETHERTYPE_AARP */ 1972 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 1973 gen_and(b0, b1); 1974 1975 /* 1976 * Check for Ethernet encapsulation (Ethertalk 1977 * phase 1?); we just check for the Ethernet 1978 * protocol type. 1979 */ 1980 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 1981 1982 gen_or(b0, b1); 1983 return b1; 1984 1985 default: 1986 if (proto <= ETHERMTU) { 1987 /* 1988 * This is an LLC SAP value, so the frames 1989 * that match would be 802.2 frames. 1990 * Check that the frame is an 802.2 frame 1991 * (i.e., that the length/type field is 1992 * a length field, <= ETHERMTU) and 1993 * then check the DSAP. 1994 */ 1995 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1996 gen_not(b0); 1997 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto); 1998 gen_and(b0, b1); 1999 return b1; 2000 } else { 2001 /* 2002 * This is an Ethernet type, so compare 2003 * the length/type field with it (if 2004 * the frame is an 802.2 frame, the length 2005 * field will be <= ETHERMTU, and, as 2006 * "proto" is > ETHERMTU, this test 2007 * will fail and the frame won't match, 2008 * which is what we want). 2009 */ 2010 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 2011 (bpf_int32)proto); 2012 } 2013 } 2014 } 2015 2016 static struct block * 2017 gen_loopback_linktype(compiler_state_t *cstate, int proto) 2018 { 2019 /* 2020 * For DLT_NULL, the link-layer header is a 32-bit word 2021 * containing an AF_ value in *host* byte order, and for 2022 * DLT_ENC, the link-layer header begins with a 32-bit 2023 * word containing an AF_ value in host byte order. 2024 * 2025 * In addition, if we're reading a saved capture file, 2026 * the host byte order in the capture may not be the 2027 * same as the host byte order on this machine. 2028 * 2029 * For DLT_LOOP, the link-layer header is a 32-bit 2030 * word containing an AF_ value in *network* byte order. 2031 */ 2032 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) { 2033 /* 2034 * The AF_ value is in host byte order, but the BPF 2035 * interpreter will convert it to network byte order. 2036 * 2037 * If this is a save file, and it's from a machine 2038 * with the opposite byte order to ours, we byte-swap 2039 * the AF_ value. 2040 * 2041 * Then we run it through "htonl()", and generate 2042 * code to compare against the result. 2043 */ 2044 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped) 2045 proto = SWAPLONG(proto); 2046 proto = htonl(proto); 2047 } 2048 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto)); 2049 } 2050 2051 /* 2052 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 2053 * or IPv6 then we have an error. 2054 */ 2055 static struct block * 2056 gen_ipnet_linktype(compiler_state_t *cstate, int proto) 2057 { 2058 switch (proto) { 2059 2060 case ETHERTYPE_IP: 2061 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET); 2062 /* NOTREACHED */ 2063 2064 case ETHERTYPE_IPV6: 2065 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 2066 (bpf_int32)IPH_AF_INET6); 2067 /* NOTREACHED */ 2068 2069 default: 2070 break; 2071 } 2072 2073 return gen_false(cstate); 2074 } 2075 2076 /* 2077 * Generate code to match a particular packet type. 2078 * 2079 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2080 * value, if <= ETHERMTU. We use that to determine whether to 2081 * match the type field or to check the type field for the special 2082 * LINUX_SLL_P_802_2 value and then do the appropriate test. 2083 */ 2084 static struct block * 2085 gen_linux_sll_linktype(compiler_state_t *cstate, int proto) 2086 { 2087 struct block *b0, *b1; 2088 2089 switch (proto) { 2090 2091 case LLCSAP_ISONS: 2092 case LLCSAP_IP: 2093 case LLCSAP_NETBEUI: 2094 /* 2095 * OSI protocols and NetBEUI always use 802.2 encapsulation, 2096 * so we check the DSAP and SSAP. 2097 * 2098 * LLCSAP_IP checks for IP-over-802.2, rather 2099 * than IP-over-Ethernet or IP-over-SNAP. 2100 * 2101 * XXX - should we check both the DSAP and the 2102 * SSAP, like this, or should we check just the 2103 * DSAP, as we do for other types <= ETHERMTU 2104 * (i.e., other SAP values)? 2105 */ 2106 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2107 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32) 2108 ((proto << 8) | proto)); 2109 gen_and(b0, b1); 2110 return b1; 2111 2112 case LLCSAP_IPX: 2113 /* 2114 * Ethernet_II frames, which are Ethernet 2115 * frames with a frame type of ETHERTYPE_IPX; 2116 * 2117 * Ethernet_802.3 frames, which have a frame 2118 * type of LINUX_SLL_P_802_3; 2119 * 2120 * Ethernet_802.2 frames, which are 802.3 2121 * frames with an 802.2 LLC header (i.e, have 2122 * a frame type of LINUX_SLL_P_802_2) and 2123 * with the IPX LSAP as the DSAP in the LLC 2124 * header; 2125 * 2126 * Ethernet_SNAP frames, which are 802.3 2127 * frames with an LLC header and a SNAP 2128 * header and with an OUI of 0x000000 2129 * (encapsulated Ethernet) and a protocol 2130 * ID of ETHERTYPE_IPX in the SNAP header. 2131 * 2132 * First, do the checks on LINUX_SLL_P_802_2 2133 * frames; generate the check for either 2134 * Ethernet_802.2 or Ethernet_SNAP frames, and 2135 * then put a check for LINUX_SLL_P_802_2 frames 2136 * before it. 2137 */ 2138 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2139 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX); 2140 gen_or(b0, b1); 2141 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2142 gen_and(b0, b1); 2143 2144 /* 2145 * Now check for 802.3 frames and OR that with 2146 * the previous test. 2147 */ 2148 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3); 2149 gen_or(b0, b1); 2150 2151 /* 2152 * Now add the check for Ethernet_II frames, and 2153 * do that before checking for the other frame 2154 * types. 2155 */ 2156 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 2157 gen_or(b0, b1); 2158 return b1; 2159 2160 case ETHERTYPE_ATALK: 2161 case ETHERTYPE_AARP: 2162 /* 2163 * EtherTalk (AppleTalk protocols on Ethernet link 2164 * layer) may use 802.2 encapsulation. 2165 */ 2166 2167 /* 2168 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2169 * we check for the 802.2 protocol type in the 2170 * "Ethernet type" field. 2171 */ 2172 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2173 2174 /* 2175 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2176 * SNAP packets with an organization code of 2177 * 0x080007 (Apple, for Appletalk) and a protocol 2178 * type of ETHERTYPE_ATALK (Appletalk). 2179 * 2180 * 802.2-encapsulated ETHERTYPE_AARP packets are 2181 * SNAP packets with an organization code of 2182 * 0x000000 (encapsulated Ethernet) and a protocol 2183 * type of ETHERTYPE_AARP (Appletalk ARP). 2184 */ 2185 if (proto == ETHERTYPE_ATALK) 2186 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 2187 else /* proto == ETHERTYPE_AARP */ 2188 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP); 2189 gen_and(b0, b1); 2190 2191 /* 2192 * Check for Ethernet encapsulation (Ethertalk 2193 * phase 1?); we just check for the Ethernet 2194 * protocol type. 2195 */ 2196 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2197 2198 gen_or(b0, b1); 2199 return b1; 2200 2201 default: 2202 if (proto <= ETHERMTU) { 2203 /* 2204 * This is an LLC SAP value, so the frames 2205 * that match would be 802.2 frames. 2206 * Check for the 802.2 protocol type 2207 * in the "Ethernet type" field, and 2208 * then check the DSAP. 2209 */ 2210 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2211 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B, 2212 (bpf_int32)proto); 2213 gen_and(b0, b1); 2214 return b1; 2215 } else { 2216 /* 2217 * This is an Ethernet type, so compare 2218 * the length/type field with it (if 2219 * the frame is an 802.2 frame, the length 2220 * field will be <= ETHERMTU, and, as 2221 * "proto" is > ETHERMTU, this test 2222 * will fail and the frame won't match, 2223 * which is what we want). 2224 */ 2225 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2226 } 2227 } 2228 } 2229 2230 static struct slist * 2231 gen_load_prism_llprefixlen(compiler_state_t *cstate) 2232 { 2233 struct slist *s1, *s2; 2234 struct slist *sjeq_avs_cookie; 2235 struct slist *sjcommon; 2236 2237 /* 2238 * This code is not compatible with the optimizer, as 2239 * we are generating jmp instructions within a normal 2240 * slist of instructions 2241 */ 2242 cstate->no_optimize = 1; 2243 2244 /* 2245 * Generate code to load the length of the radio header into 2246 * the register assigned to hold that length, if one has been 2247 * assigned. (If one hasn't been assigned, no code we've 2248 * generated uses that prefix, so we don't need to generate any 2249 * code to load it.) 2250 * 2251 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2252 * or always use the AVS header rather than the Prism header. 2253 * We load a 4-byte big-endian value at the beginning of the 2254 * raw packet data, and see whether, when masked with 0xFFFFF000, 2255 * it's equal to 0x80211000. If so, that indicates that it's 2256 * an AVS header (the masked-out bits are the version number). 2257 * Otherwise, it's a Prism header. 2258 * 2259 * XXX - the Prism header is also, in theory, variable-length, 2260 * but no known software generates headers that aren't 144 2261 * bytes long. 2262 */ 2263 if (cstate->off_linkhdr.reg != -1) { 2264 /* 2265 * Load the cookie. 2266 */ 2267 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2268 s1->s.k = 0; 2269 2270 /* 2271 * AND it with 0xFFFFF000. 2272 */ 2273 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 2274 s2->s.k = 0xFFFFF000; 2275 sappend(s1, s2); 2276 2277 /* 2278 * Compare with 0x80211000. 2279 */ 2280 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ)); 2281 sjeq_avs_cookie->s.k = 0x80211000; 2282 sappend(s1, sjeq_avs_cookie); 2283 2284 /* 2285 * If it's AVS: 2286 * 2287 * The 4 bytes at an offset of 4 from the beginning of 2288 * the AVS header are the length of the AVS header. 2289 * That field is big-endian. 2290 */ 2291 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2292 s2->s.k = 4; 2293 sappend(s1, s2); 2294 sjeq_avs_cookie->s.jt = s2; 2295 2296 /* 2297 * Now jump to the code to allocate a register 2298 * into which to save the header length and 2299 * store the length there. (The "jump always" 2300 * instruction needs to have the k field set; 2301 * it's added to the PC, so, as we're jumping 2302 * over a single instruction, it should be 1.) 2303 */ 2304 sjcommon = new_stmt(cstate, JMP(BPF_JA)); 2305 sjcommon->s.k = 1; 2306 sappend(s1, sjcommon); 2307 2308 /* 2309 * Now for the code that handles the Prism header. 2310 * Just load the length of the Prism header (144) 2311 * into the A register. Have the test for an AVS 2312 * header branch here if we don't have an AVS header. 2313 */ 2314 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2315 s2->s.k = 144; 2316 sappend(s1, s2); 2317 sjeq_avs_cookie->s.jf = s2; 2318 2319 /* 2320 * Now allocate a register to hold that value and store 2321 * it. The code for the AVS header will jump here after 2322 * loading the length of the AVS header. 2323 */ 2324 s2 = new_stmt(cstate, BPF_ST); 2325 s2->s.k = cstate->off_linkhdr.reg; 2326 sappend(s1, s2); 2327 sjcommon->s.jf = s2; 2328 2329 /* 2330 * Now move it into the X register. 2331 */ 2332 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2333 sappend(s1, s2); 2334 2335 return (s1); 2336 } else 2337 return (NULL); 2338 } 2339 2340 static struct slist * 2341 gen_load_avs_llprefixlen(compiler_state_t *cstate) 2342 { 2343 struct slist *s1, *s2; 2344 2345 /* 2346 * Generate code to load the length of the AVS header into 2347 * the register assigned to hold that length, if one has been 2348 * assigned. (If one hasn't been assigned, no code we've 2349 * generated uses that prefix, so we don't need to generate any 2350 * code to load it.) 2351 */ 2352 if (cstate->off_linkhdr.reg != -1) { 2353 /* 2354 * The 4 bytes at an offset of 4 from the beginning of 2355 * the AVS header are the length of the AVS header. 2356 * That field is big-endian. 2357 */ 2358 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2359 s1->s.k = 4; 2360 2361 /* 2362 * Now allocate a register to hold that value and store 2363 * it. 2364 */ 2365 s2 = new_stmt(cstate, BPF_ST); 2366 s2->s.k = cstate->off_linkhdr.reg; 2367 sappend(s1, s2); 2368 2369 /* 2370 * Now move it into the X register. 2371 */ 2372 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2373 sappend(s1, s2); 2374 2375 return (s1); 2376 } else 2377 return (NULL); 2378 } 2379 2380 static struct slist * 2381 gen_load_radiotap_llprefixlen(compiler_state_t *cstate) 2382 { 2383 struct slist *s1, *s2; 2384 2385 /* 2386 * Generate code to load the length of the radiotap header into 2387 * the register assigned to hold that length, if one has been 2388 * assigned. (If one hasn't been assigned, no code we've 2389 * generated uses that prefix, so we don't need to generate any 2390 * code to load it.) 2391 */ 2392 if (cstate->off_linkhdr.reg != -1) { 2393 /* 2394 * The 2 bytes at offsets of 2 and 3 from the beginning 2395 * of the radiotap header are the length of the radiotap 2396 * header; unfortunately, it's little-endian, so we have 2397 * to load it a byte at a time and construct the value. 2398 */ 2399 2400 /* 2401 * Load the high-order byte, at an offset of 3, shift it 2402 * left a byte, and put the result in the X register. 2403 */ 2404 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2405 s1->s.k = 3; 2406 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2407 sappend(s1, s2); 2408 s2->s.k = 8; 2409 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2410 sappend(s1, s2); 2411 2412 /* 2413 * Load the next byte, at an offset of 2, and OR the 2414 * value from the X register into it. 2415 */ 2416 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2417 sappend(s1, s2); 2418 s2->s.k = 2; 2419 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2420 sappend(s1, s2); 2421 2422 /* 2423 * Now allocate a register to hold that value and store 2424 * it. 2425 */ 2426 s2 = new_stmt(cstate, BPF_ST); 2427 s2->s.k = cstate->off_linkhdr.reg; 2428 sappend(s1, s2); 2429 2430 /* 2431 * Now move it into the X register. 2432 */ 2433 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2434 sappend(s1, s2); 2435 2436 return (s1); 2437 } else 2438 return (NULL); 2439 } 2440 2441 /* 2442 * At the moment we treat PPI as normal Radiotap encoded 2443 * packets. The difference is in the function that generates 2444 * the code at the beginning to compute the header length. 2445 * Since this code generator of PPI supports bare 802.11 2446 * encapsulation only (i.e. the encapsulated DLT should be 2447 * DLT_IEEE802_11) we generate code to check for this too; 2448 * that's done in finish_parse(). 2449 */ 2450 static struct slist * 2451 gen_load_ppi_llprefixlen(compiler_state_t *cstate) 2452 { 2453 struct slist *s1, *s2; 2454 2455 /* 2456 * Generate code to load the length of the radiotap header 2457 * into the register assigned to hold that length, if one has 2458 * been assigned. 2459 */ 2460 if (cstate->off_linkhdr.reg != -1) { 2461 /* 2462 * The 2 bytes at offsets of 2 and 3 from the beginning 2463 * of the radiotap header are the length of the radiotap 2464 * header; unfortunately, it's little-endian, so we have 2465 * to load it a byte at a time and construct the value. 2466 */ 2467 2468 /* 2469 * Load the high-order byte, at an offset of 3, shift it 2470 * left a byte, and put the result in the X register. 2471 */ 2472 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2473 s1->s.k = 3; 2474 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K); 2475 sappend(s1, s2); 2476 s2->s.k = 8; 2477 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2478 sappend(s1, s2); 2479 2480 /* 2481 * Load the next byte, at an offset of 2, and OR the 2482 * value from the X register into it. 2483 */ 2484 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 2485 sappend(s1, s2); 2486 s2->s.k = 2; 2487 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X); 2488 sappend(s1, s2); 2489 2490 /* 2491 * Now allocate a register to hold that value and store 2492 * it. 2493 */ 2494 s2 = new_stmt(cstate, BPF_ST); 2495 s2->s.k = cstate->off_linkhdr.reg; 2496 sappend(s1, s2); 2497 2498 /* 2499 * Now move it into the X register. 2500 */ 2501 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX); 2502 sappend(s1, s2); 2503 2504 return (s1); 2505 } else 2506 return (NULL); 2507 } 2508 2509 /* 2510 * Load a value relative to the beginning of the link-layer header after the 802.11 2511 * header, i.e. LLC_SNAP. 2512 * The link-layer header doesn't necessarily begin at the beginning 2513 * of the packet data; there might be a variable-length prefix containing 2514 * radio information. 2515 */ 2516 static struct slist * 2517 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext) 2518 { 2519 struct slist *s2; 2520 struct slist *sjset_data_frame_1; 2521 struct slist *sjset_data_frame_2; 2522 struct slist *sjset_qos; 2523 struct slist *sjset_radiotap_flags_present; 2524 struct slist *sjset_radiotap_ext_present; 2525 struct slist *sjset_radiotap_tsft_present; 2526 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2527 struct slist *s_roundup; 2528 2529 if (cstate->off_linkpl.reg == -1) { 2530 /* 2531 * No register has been assigned to the offset of 2532 * the link-layer payload, which means nobody needs 2533 * it; don't bother computing it - just return 2534 * what we already have. 2535 */ 2536 return (s); 2537 } 2538 2539 /* 2540 * This code is not compatible with the optimizer, as 2541 * we are generating jmp instructions within a normal 2542 * slist of instructions 2543 */ 2544 cstate->no_optimize = 1; 2545 2546 /* 2547 * If "s" is non-null, it has code to arrange that the X register 2548 * contains the length of the prefix preceding the link-layer 2549 * header. 2550 * 2551 * Otherwise, the length of the prefix preceding the link-layer 2552 * header is "off_outermostlinkhdr.constant_part". 2553 */ 2554 if (s == NULL) { 2555 /* 2556 * There is no variable-length header preceding the 2557 * link-layer header. 2558 * 2559 * Load the length of the fixed-length prefix preceding 2560 * the link-layer header (if any) into the X register, 2561 * and store it in the cstate->off_linkpl.reg register. 2562 * That length is off_outermostlinkhdr.constant_part. 2563 */ 2564 s = new_stmt(cstate, BPF_LDX|BPF_IMM); 2565 s->s.k = cstate->off_outermostlinkhdr.constant_part; 2566 } 2567 2568 /* 2569 * The X register contains the offset of the beginning of the 2570 * link-layer header; add 24, which is the minimum length 2571 * of the MAC header for a data frame, to that, and store it 2572 * in cstate->off_linkpl.reg, and then load the Frame Control field, 2573 * which is at the offset in the X register, with an indexed load. 2574 */ 2575 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA); 2576 sappend(s, s2); 2577 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 2578 s2->s.k = 24; 2579 sappend(s, s2); 2580 s2 = new_stmt(cstate, BPF_ST); 2581 s2->s.k = cstate->off_linkpl.reg; 2582 sappend(s, s2); 2583 2584 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 2585 s2->s.k = 0; 2586 sappend(s, s2); 2587 2588 /* 2589 * Check the Frame Control field to see if this is a data frame; 2590 * a data frame has the 0x08 bit (b3) in that field set and the 2591 * 0x04 bit (b2) clear. 2592 */ 2593 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET)); 2594 sjset_data_frame_1->s.k = 0x08; 2595 sappend(s, sjset_data_frame_1); 2596 2597 /* 2598 * If b3 is set, test b2, otherwise go to the first statement of 2599 * the rest of the program. 2600 */ 2601 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET)); 2602 sjset_data_frame_2->s.k = 0x04; 2603 sappend(s, sjset_data_frame_2); 2604 sjset_data_frame_1->s.jf = snext; 2605 2606 /* 2607 * If b2 is not set, this is a data frame; test the QoS bit. 2608 * Otherwise, go to the first statement of the rest of the 2609 * program. 2610 */ 2611 sjset_data_frame_2->s.jt = snext; 2612 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET)); 2613 sjset_qos->s.k = 0x80; /* QoS bit */ 2614 sappend(s, sjset_qos); 2615 2616 /* 2617 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS 2618 * field. 2619 * Otherwise, go to the first statement of the rest of the 2620 * program. 2621 */ 2622 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 2623 s2->s.k = cstate->off_linkpl.reg; 2624 sappend(s, s2); 2625 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2626 s2->s.k = 2; 2627 sappend(s, s2); 2628 s2 = new_stmt(cstate, BPF_ST); 2629 s2->s.k = cstate->off_linkpl.reg; 2630 sappend(s, s2); 2631 2632 /* 2633 * If we have a radiotap header, look at it to see whether 2634 * there's Atheros padding between the MAC-layer header 2635 * and the payload. 2636 * 2637 * Note: all of the fields in the radiotap header are 2638 * little-endian, so we byte-swap all of the values 2639 * we test against, as they will be loaded as big-endian 2640 * values. 2641 * 2642 * XXX - in the general case, we would have to scan through 2643 * *all* the presence bits, if there's more than one word of 2644 * presence bits. That would require a loop, meaning that 2645 * we wouldn't be able to run the filter in the kernel. 2646 * 2647 * We assume here that the Atheros adapters that insert the 2648 * annoying padding don't have multiple antennae and therefore 2649 * do not generate radiotap headers with multiple presence words. 2650 */ 2651 if (cstate->linktype == DLT_IEEE802_11_RADIO) { 2652 /* 2653 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2654 * in the first presence flag word? 2655 */ 2656 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W); 2657 s2->s.k = 4; 2658 sappend(s, s2); 2659 2660 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET)); 2661 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002); 2662 sappend(s, sjset_radiotap_flags_present); 2663 2664 /* 2665 * If not, skip all of this. 2666 */ 2667 sjset_radiotap_flags_present->s.jf = snext; 2668 2669 /* 2670 * Otherwise, is the "extension" bit set in that word? 2671 */ 2672 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET)); 2673 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000); 2674 sappend(s, sjset_radiotap_ext_present); 2675 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present; 2676 2677 /* 2678 * If so, skip all of this. 2679 */ 2680 sjset_radiotap_ext_present->s.jt = snext; 2681 2682 /* 2683 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2684 */ 2685 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET)); 2686 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001); 2687 sappend(s, sjset_radiotap_tsft_present); 2688 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present; 2689 2690 /* 2691 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2692 * at an offset of 16 from the beginning of the raw packet 2693 * data (8 bytes for the radiotap header and 8 bytes for 2694 * the TSFT field). 2695 * 2696 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2697 * is set. 2698 */ 2699 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2700 s2->s.k = 16; 2701 sappend(s, s2); 2702 sjset_radiotap_tsft_present->s.jt = s2; 2703 2704 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2705 sjset_tsft_datapad->s.k = 0x20; 2706 sappend(s, sjset_tsft_datapad); 2707 2708 /* 2709 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2710 * at an offset of 8 from the beginning of the raw packet 2711 * data (8 bytes for the radiotap header). 2712 * 2713 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2714 * is set. 2715 */ 2716 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 2717 s2->s.k = 8; 2718 sappend(s, s2); 2719 sjset_radiotap_tsft_present->s.jf = s2; 2720 2721 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET)); 2722 sjset_notsft_datapad->s.k = 0x20; 2723 sappend(s, sjset_notsft_datapad); 2724 2725 /* 2726 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2727 * set, round the length of the 802.11 header to 2728 * a multiple of 4. Do that by adding 3 and then 2729 * dividing by and multiplying by 4, which we do by 2730 * ANDing with ~3. 2731 */ 2732 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM); 2733 s_roundup->s.k = cstate->off_linkpl.reg; 2734 sappend(s, s_roundup); 2735 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 2736 s2->s.k = 3; 2737 sappend(s, s2); 2738 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM); 2739 s2->s.k = ~3; 2740 sappend(s, s2); 2741 s2 = new_stmt(cstate, BPF_ST); 2742 s2->s.k = cstate->off_linkpl.reg; 2743 sappend(s, s2); 2744 2745 sjset_tsft_datapad->s.jt = s_roundup; 2746 sjset_tsft_datapad->s.jf = snext; 2747 sjset_notsft_datapad->s.jt = s_roundup; 2748 sjset_notsft_datapad->s.jf = snext; 2749 } else 2750 sjset_qos->s.jf = snext; 2751 2752 return s; 2753 } 2754 2755 static void 2756 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b) 2757 { 2758 struct slist *s; 2759 2760 /* There is an implicit dependency between the link 2761 * payload and link header since the payload computation 2762 * includes the variable part of the header. Therefore, 2763 * if nobody else has allocated a register for the link 2764 * header and we need it, do it now. */ 2765 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable && 2766 cstate->off_linkhdr.reg == -1) 2767 cstate->off_linkhdr.reg = alloc_reg(cstate); 2768 2769 /* 2770 * For link-layer types that have a variable-length header 2771 * preceding the link-layer header, generate code to load 2772 * the offset of the link-layer header into the register 2773 * assigned to that offset, if any. 2774 * 2775 * XXX - this, and the next switch statement, won't handle 2776 * encapsulation of 802.11 or 802.11+radio information in 2777 * some other protocol stack. That's significantly more 2778 * complicated. 2779 */ 2780 switch (cstate->outermostlinktype) { 2781 2782 case DLT_PRISM_HEADER: 2783 s = gen_load_prism_llprefixlen(cstate); 2784 break; 2785 2786 case DLT_IEEE802_11_RADIO_AVS: 2787 s = gen_load_avs_llprefixlen(cstate); 2788 break; 2789 2790 case DLT_IEEE802_11_RADIO: 2791 s = gen_load_radiotap_llprefixlen(cstate); 2792 break; 2793 2794 case DLT_PPI: 2795 s = gen_load_ppi_llprefixlen(cstate); 2796 break; 2797 2798 default: 2799 s = NULL; 2800 break; 2801 } 2802 2803 /* 2804 * For link-layer types that have a variable-length link-layer 2805 * header, generate code to load the offset of the link-layer 2806 * payload into the register assigned to that offset, if any. 2807 */ 2808 switch (cstate->outermostlinktype) { 2809 2810 case DLT_IEEE802_11: 2811 case DLT_PRISM_HEADER: 2812 case DLT_IEEE802_11_RADIO_AVS: 2813 case DLT_IEEE802_11_RADIO: 2814 case DLT_PPI: 2815 s = gen_load_802_11_header_len(cstate, s, b->stmts); 2816 break; 2817 } 2818 2819 /* 2820 * If there there is no initialization yet and we need variable 2821 * length offsets for VLAN, initialize them to zero 2822 */ 2823 if (s == NULL && cstate->is_vlan_vloffset) { 2824 struct slist *s2; 2825 2826 if (cstate->off_linkpl.reg == -1) 2827 cstate->off_linkpl.reg = alloc_reg(cstate); 2828 if (cstate->off_linktype.reg == -1) 2829 cstate->off_linktype.reg = alloc_reg(cstate); 2830 2831 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM); 2832 s->s.k = 0; 2833 s2 = new_stmt(cstate, BPF_ST); 2834 s2->s.k = cstate->off_linkpl.reg; 2835 sappend(s, s2); 2836 s2 = new_stmt(cstate, BPF_ST); 2837 s2->s.k = cstate->off_linktype.reg; 2838 sappend(s, s2); 2839 } 2840 2841 /* 2842 * If we have any offset-loading code, append all the 2843 * existing statements in the block to those statements, 2844 * and make the resulting list the list of statements 2845 * for the block. 2846 */ 2847 if (s != NULL) { 2848 sappend(s, b->stmts); 2849 b->stmts = s; 2850 } 2851 } 2852 2853 static struct block * 2854 gen_ppi_dlt_check(compiler_state_t *cstate) 2855 { 2856 struct slist *s_load_dlt; 2857 struct block *b; 2858 2859 if (cstate->linktype == DLT_PPI) 2860 { 2861 /* Create the statements that check for the DLT 2862 */ 2863 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS); 2864 s_load_dlt->s.k = 4; 2865 2866 b = new_block(cstate, JMP(BPF_JEQ)); 2867 2868 b->stmts = s_load_dlt; 2869 b->s.k = SWAPLONG(DLT_IEEE802_11); 2870 } 2871 else 2872 { 2873 b = NULL; 2874 } 2875 2876 return b; 2877 } 2878 2879 /* 2880 * Take an absolute offset, and: 2881 * 2882 * if it has no variable part, return NULL; 2883 * 2884 * if it has a variable part, generate code to load the register 2885 * containing that variable part into the X register, returning 2886 * a pointer to that code - if no register for that offset has 2887 * been allocated, allocate it first. 2888 * 2889 * (The code to set that register will be generated later, but will 2890 * be placed earlier in the code sequence.) 2891 */ 2892 static struct slist * 2893 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off) 2894 { 2895 struct slist *s; 2896 2897 if (off->is_variable) { 2898 if (off->reg == -1) { 2899 /* 2900 * We haven't yet assigned a register for the 2901 * variable part of the offset of the link-layer 2902 * header; allocate one. 2903 */ 2904 off->reg = alloc_reg(cstate); 2905 } 2906 2907 /* 2908 * Load the register containing the variable part of the 2909 * offset of the link-layer header into the X register. 2910 */ 2911 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 2912 s->s.k = off->reg; 2913 return s; 2914 } else { 2915 /* 2916 * That offset isn't variable, there's no variable part, 2917 * so we don't need to generate any code. 2918 */ 2919 return NULL; 2920 } 2921 } 2922 2923 /* 2924 * Map an Ethernet type to the equivalent PPP type. 2925 */ 2926 static int 2927 ethertype_to_ppptype(int proto) 2928 { 2929 switch (proto) { 2930 2931 case ETHERTYPE_IP: 2932 proto = PPP_IP; 2933 break; 2934 2935 case ETHERTYPE_IPV6: 2936 proto = PPP_IPV6; 2937 break; 2938 2939 case ETHERTYPE_DN: 2940 proto = PPP_DECNET; 2941 break; 2942 2943 case ETHERTYPE_ATALK: 2944 proto = PPP_APPLE; 2945 break; 2946 2947 case ETHERTYPE_NS: 2948 proto = PPP_NS; 2949 break; 2950 2951 case LLCSAP_ISONS: 2952 proto = PPP_OSI; 2953 break; 2954 2955 case LLCSAP_8021D: 2956 /* 2957 * I'm assuming the "Bridging PDU"s that go 2958 * over PPP are Spanning Tree Protocol 2959 * Bridging PDUs. 2960 */ 2961 proto = PPP_BRPDU; 2962 break; 2963 2964 case LLCSAP_IPX: 2965 proto = PPP_IPX; 2966 break; 2967 } 2968 return (proto); 2969 } 2970 2971 /* 2972 * Generate any tests that, for encapsulation of a link-layer packet 2973 * inside another protocol stack, need to be done to check for those 2974 * link-layer packets (and that haven't already been done by a check 2975 * for that encapsulation). 2976 */ 2977 static struct block * 2978 gen_prevlinkhdr_check(compiler_state_t *cstate) 2979 { 2980 struct block *b0; 2981 2982 if (cstate->is_geneve) 2983 return gen_geneve_ll_check(cstate); 2984 2985 switch (cstate->prevlinktype) { 2986 2987 case DLT_SUNATM: 2988 /* 2989 * This is LANE-encapsulated Ethernet; check that the LANE 2990 * packet doesn't begin with an LE Control marker, i.e. 2991 * that it's data, not a control message. 2992 * 2993 * (We've already generated a test for LANE.) 2994 */ 2995 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 2996 gen_not(b0); 2997 return b0; 2998 2999 default: 3000 /* 3001 * No such tests are necessary. 3002 */ 3003 return NULL; 3004 } 3005 /*NOTREACHED*/ 3006 } 3007 3008 /* 3009 * The three different values we should check for when checking for an 3010 * IPv6 packet with DLT_NULL. 3011 */ 3012 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */ 3013 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */ 3014 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */ 3015 3016 /* 3017 * Generate code to match a particular packet type by matching the 3018 * link-layer type field or fields in the 802.2 LLC header. 3019 * 3020 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3021 * value, if <= ETHERMTU. 3022 */ 3023 static struct block * 3024 gen_linktype(compiler_state_t *cstate, int proto) 3025 { 3026 struct block *b0, *b1, *b2; 3027 const char *description; 3028 3029 /* are we checking MPLS-encapsulated packets? */ 3030 if (cstate->label_stack_depth > 0) { 3031 switch (proto) { 3032 case ETHERTYPE_IP: 3033 case PPP_IP: 3034 /* FIXME add other L3 proto IDs */ 3035 return gen_mpls_linktype(cstate, Q_IP); 3036 3037 case ETHERTYPE_IPV6: 3038 case PPP_IPV6: 3039 /* FIXME add other L3 proto IDs */ 3040 return gen_mpls_linktype(cstate, Q_IPV6); 3041 3042 default: 3043 bpf_error(cstate, "unsupported protocol over mpls"); 3044 /* NOTREACHED */ 3045 } 3046 } 3047 3048 switch (cstate->linktype) { 3049 3050 case DLT_EN10MB: 3051 case DLT_NETANALYZER: 3052 case DLT_NETANALYZER_TRANSPARENT: 3053 /* Geneve has an EtherType regardless of whether there is an 3054 * L2 header. */ 3055 if (!cstate->is_geneve) 3056 b0 = gen_prevlinkhdr_check(cstate); 3057 else 3058 b0 = NULL; 3059 3060 b1 = gen_ether_linktype(cstate, proto); 3061 if (b0 != NULL) 3062 gen_and(b0, b1); 3063 return b1; 3064 /*NOTREACHED*/ 3065 break; 3066 3067 case DLT_C_HDLC: 3068 switch (proto) { 3069 3070 case LLCSAP_ISONS: 3071 proto = (proto << 8 | LLCSAP_ISONS); 3072 /* fall through */ 3073 3074 default: 3075 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3076 /*NOTREACHED*/ 3077 break; 3078 } 3079 break; 3080 3081 case DLT_IEEE802_11: 3082 case DLT_PRISM_HEADER: 3083 case DLT_IEEE802_11_RADIO_AVS: 3084 case DLT_IEEE802_11_RADIO: 3085 case DLT_PPI: 3086 /* 3087 * Check that we have a data frame. 3088 */ 3089 b0 = gen_check_802_11_data_frame(cstate); 3090 3091 /* 3092 * Now check for the specified link-layer type. 3093 */ 3094 b1 = gen_llc_linktype(cstate, proto); 3095 gen_and(b0, b1); 3096 return b1; 3097 /*NOTREACHED*/ 3098 break; 3099 3100 case DLT_FDDI: 3101 /* 3102 * XXX - check for LLC frames. 3103 */ 3104 return gen_llc_linktype(cstate, proto); 3105 /*NOTREACHED*/ 3106 break; 3107 3108 case DLT_IEEE802: 3109 /* 3110 * XXX - check for LLC PDUs, as per IEEE 802.5. 3111 */ 3112 return gen_llc_linktype(cstate, proto); 3113 /*NOTREACHED*/ 3114 break; 3115 3116 case DLT_ATM_RFC1483: 3117 case DLT_ATM_CLIP: 3118 case DLT_IP_OVER_FC: 3119 return gen_llc_linktype(cstate, proto); 3120 /*NOTREACHED*/ 3121 break; 3122 3123 case DLT_SUNATM: 3124 /* 3125 * Check for an LLC-encapsulated version of this protocol; 3126 * if we were checking for LANE, linktype would no longer 3127 * be DLT_SUNATM. 3128 * 3129 * Check for LLC encapsulation and then check the protocol. 3130 */ 3131 b0 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3132 b1 = gen_llc_linktype(cstate, proto); 3133 gen_and(b0, b1); 3134 return b1; 3135 /*NOTREACHED*/ 3136 break; 3137 3138 case DLT_LINUX_SLL: 3139 return gen_linux_sll_linktype(cstate, proto); 3140 /*NOTREACHED*/ 3141 break; 3142 3143 case DLT_SLIP: 3144 case DLT_SLIP_BSDOS: 3145 case DLT_RAW: 3146 /* 3147 * These types don't provide any type field; packets 3148 * are always IPv4 or IPv6. 3149 * 3150 * XXX - for IPv4, check for a version number of 4, and, 3151 * for IPv6, check for a version number of 6? 3152 */ 3153 switch (proto) { 3154 3155 case ETHERTYPE_IP: 3156 /* Check for a version number of 4. */ 3157 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0); 3158 3159 case ETHERTYPE_IPV6: 3160 /* Check for a version number of 6. */ 3161 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0); 3162 3163 default: 3164 return gen_false(cstate); /* always false */ 3165 } 3166 /*NOTREACHED*/ 3167 break; 3168 3169 case DLT_IPV4: 3170 /* 3171 * Raw IPv4, so no type field. 3172 */ 3173 if (proto == ETHERTYPE_IP) 3174 return gen_true(cstate); /* always true */ 3175 3176 /* Checking for something other than IPv4; always false */ 3177 return gen_false(cstate); 3178 /*NOTREACHED*/ 3179 break; 3180 3181 case DLT_IPV6: 3182 /* 3183 * Raw IPv6, so no type field. 3184 */ 3185 if (proto == ETHERTYPE_IPV6) 3186 return gen_true(cstate); /* always true */ 3187 3188 /* Checking for something other than IPv6; always false */ 3189 return gen_false(cstate); 3190 /*NOTREACHED*/ 3191 break; 3192 3193 case DLT_PPP: 3194 case DLT_PPP_PPPD: 3195 case DLT_PPP_SERIAL: 3196 case DLT_PPP_ETHER: 3197 /* 3198 * We use Ethernet protocol types inside libpcap; 3199 * map them to the corresponding PPP protocol types. 3200 */ 3201 proto = ethertype_to_ppptype(proto); 3202 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3203 /*NOTREACHED*/ 3204 break; 3205 3206 case DLT_PPP_BSDOS: 3207 /* 3208 * We use Ethernet protocol types inside libpcap; 3209 * map them to the corresponding PPP protocol types. 3210 */ 3211 switch (proto) { 3212 3213 case ETHERTYPE_IP: 3214 /* 3215 * Also check for Van Jacobson-compressed IP. 3216 * XXX - do this for other forms of PPP? 3217 */ 3218 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP); 3219 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC); 3220 gen_or(b0, b1); 3221 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC); 3222 gen_or(b1, b0); 3223 return b0; 3224 3225 default: 3226 proto = ethertype_to_ppptype(proto); 3227 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, 3228 (bpf_int32)proto); 3229 } 3230 /*NOTREACHED*/ 3231 break; 3232 3233 case DLT_NULL: 3234 case DLT_LOOP: 3235 case DLT_ENC: 3236 switch (proto) { 3237 3238 case ETHERTYPE_IP: 3239 return (gen_loopback_linktype(cstate, AF_INET)); 3240 3241 case ETHERTYPE_IPV6: 3242 /* 3243 * AF_ values may, unfortunately, be platform- 3244 * dependent; AF_INET isn't, because everybody 3245 * used 4.2BSD's value, but AF_INET6 is, because 3246 * 4.2BSD didn't have a value for it (given that 3247 * IPv6 didn't exist back in the early 1980's), 3248 * and they all picked their own values. 3249 * 3250 * This means that, if we're reading from a 3251 * savefile, we need to check for all the 3252 * possible values. 3253 * 3254 * If we're doing a live capture, we only need 3255 * to check for this platform's value; however, 3256 * Npcap uses 24, which isn't Windows's AF_INET6 3257 * value. (Given the multiple different values, 3258 * programs that read pcap files shouldn't be 3259 * checking for their platform's AF_INET6 value 3260 * anyway, they should check for all of the 3261 * possible values. and they might as well do 3262 * that even for live captures.) 3263 */ 3264 if (cstate->bpf_pcap->rfile != NULL) { 3265 /* 3266 * Savefile - check for all three 3267 * possible IPv6 values. 3268 */ 3269 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD); 3270 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD); 3271 gen_or(b0, b1); 3272 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN); 3273 gen_or(b0, b1); 3274 return (b1); 3275 } else { 3276 /* 3277 * Live capture, so we only need to 3278 * check for the value used on this 3279 * platform. 3280 */ 3281 #ifdef _WIN32 3282 /* 3283 * Npcap doesn't use Windows's AF_INET6, 3284 * as that collides with AF_IPX on 3285 * some BSDs (both have the value 23). 3286 * Instead, it uses 24. 3287 */ 3288 return (gen_loopback_linktype(cstate, 24)); 3289 #else /* _WIN32 */ 3290 #ifdef AF_INET6 3291 return (gen_loopback_linktype(cstate, AF_INET6)); 3292 #else /* AF_INET6 */ 3293 /* 3294 * I guess this platform doesn't support 3295 * IPv6, so we just reject all packets. 3296 */ 3297 return gen_false(cstate); 3298 #endif /* AF_INET6 */ 3299 #endif /* _WIN32 */ 3300 } 3301 3302 default: 3303 /* 3304 * Not a type on which we support filtering. 3305 * XXX - support those that have AF_ values 3306 * #defined on this platform, at least? 3307 */ 3308 return gen_false(cstate); 3309 } 3310 3311 #ifdef HAVE_NET_PFVAR_H 3312 case DLT_PFLOG: 3313 /* 3314 * af field is host byte order in contrast to the rest of 3315 * the packet. 3316 */ 3317 if (proto == ETHERTYPE_IP) 3318 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3319 BPF_B, (bpf_int32)AF_INET)); 3320 else if (proto == ETHERTYPE_IPV6) 3321 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af), 3322 BPF_B, (bpf_int32)AF_INET6)); 3323 else 3324 return gen_false(cstate); 3325 /*NOTREACHED*/ 3326 break; 3327 #endif /* HAVE_NET_PFVAR_H */ 3328 3329 case DLT_ARCNET: 3330 case DLT_ARCNET_LINUX: 3331 /* 3332 * XXX should we check for first fragment if the protocol 3333 * uses PHDS? 3334 */ 3335 switch (proto) { 3336 3337 default: 3338 return gen_false(cstate); 3339 3340 case ETHERTYPE_IPV6: 3341 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3342 (bpf_int32)ARCTYPE_INET6)); 3343 3344 case ETHERTYPE_IP: 3345 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3346 (bpf_int32)ARCTYPE_IP); 3347 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3348 (bpf_int32)ARCTYPE_IP_OLD); 3349 gen_or(b0, b1); 3350 return (b1); 3351 3352 case ETHERTYPE_ARP: 3353 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3354 (bpf_int32)ARCTYPE_ARP); 3355 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3356 (bpf_int32)ARCTYPE_ARP_OLD); 3357 gen_or(b0, b1); 3358 return (b1); 3359 3360 case ETHERTYPE_REVARP: 3361 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3362 (bpf_int32)ARCTYPE_REVARP)); 3363 3364 case ETHERTYPE_ATALK: 3365 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, 3366 (bpf_int32)ARCTYPE_ATALK)); 3367 } 3368 /*NOTREACHED*/ 3369 break; 3370 3371 case DLT_LTALK: 3372 switch (proto) { 3373 case ETHERTYPE_ATALK: 3374 return gen_true(cstate); 3375 default: 3376 return gen_false(cstate); 3377 } 3378 /*NOTREACHED*/ 3379 break; 3380 3381 case DLT_FRELAY: 3382 /* 3383 * XXX - assumes a 2-byte Frame Relay header with 3384 * DLCI and flags. What if the address is longer? 3385 */ 3386 switch (proto) { 3387 3388 case ETHERTYPE_IP: 3389 /* 3390 * Check for the special NLPID for IP. 3391 */ 3392 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc); 3393 3394 case ETHERTYPE_IPV6: 3395 /* 3396 * Check for the special NLPID for IPv6. 3397 */ 3398 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e); 3399 3400 case LLCSAP_ISONS: 3401 /* 3402 * Check for several OSI protocols. 3403 * 3404 * Frame Relay packets typically have an OSI 3405 * NLPID at the beginning; we check for each 3406 * of them. 3407 * 3408 * What we check for is the NLPID and a frame 3409 * control field of UI, i.e. 0x03 followed 3410 * by the NLPID. 3411 */ 3412 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3413 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3414 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3415 gen_or(b1, b2); 3416 gen_or(b0, b2); 3417 return b2; 3418 3419 default: 3420 return gen_false(cstate); 3421 } 3422 /*NOTREACHED*/ 3423 break; 3424 3425 case DLT_MFR: 3426 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented"); 3427 3428 case DLT_JUNIPER_MFR: 3429 case DLT_JUNIPER_MLFR: 3430 case DLT_JUNIPER_MLPPP: 3431 case DLT_JUNIPER_ATM1: 3432 case DLT_JUNIPER_ATM2: 3433 case DLT_JUNIPER_PPPOE: 3434 case DLT_JUNIPER_PPPOE_ATM: 3435 case DLT_JUNIPER_GGSN: 3436 case DLT_JUNIPER_ES: 3437 case DLT_JUNIPER_MONITOR: 3438 case DLT_JUNIPER_SERVICES: 3439 case DLT_JUNIPER_ETHER: 3440 case DLT_JUNIPER_PPP: 3441 case DLT_JUNIPER_FRELAY: 3442 case DLT_JUNIPER_CHDLC: 3443 case DLT_JUNIPER_VP: 3444 case DLT_JUNIPER_ST: 3445 case DLT_JUNIPER_ISM: 3446 case DLT_JUNIPER_VS: 3447 case DLT_JUNIPER_SRX_E2E: 3448 case DLT_JUNIPER_FIBRECHANNEL: 3449 case DLT_JUNIPER_ATM_CEMIC: 3450 3451 /* just lets verify the magic number for now - 3452 * on ATM we may have up to 6 different encapsulations on the wire 3453 * and need a lot of heuristics to figure out that the payload 3454 * might be; 3455 * 3456 * FIXME encapsulation specific BPF_ filters 3457 */ 3458 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3459 3460 case DLT_BACNET_MS_TP: 3461 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000); 3462 3463 case DLT_IPNET: 3464 return gen_ipnet_linktype(cstate, proto); 3465 3466 case DLT_LINUX_IRDA: 3467 bpf_error(cstate, "IrDA link-layer type filtering not implemented"); 3468 3469 case DLT_DOCSIS: 3470 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented"); 3471 3472 case DLT_MTP2: 3473 case DLT_MTP2_WITH_PHDR: 3474 bpf_error(cstate, "MTP2 link-layer type filtering not implemented"); 3475 3476 case DLT_ERF: 3477 bpf_error(cstate, "ERF link-layer type filtering not implemented"); 3478 3479 case DLT_PFSYNC: 3480 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented"); 3481 3482 case DLT_LINUX_LAPD: 3483 bpf_error(cstate, "LAPD link-layer type filtering not implemented"); 3484 3485 case DLT_USB_FREEBSD: 3486 case DLT_USB_LINUX: 3487 case DLT_USB_LINUX_MMAPPED: 3488 case DLT_USBPCAP: 3489 bpf_error(cstate, "USB link-layer type filtering not implemented"); 3490 3491 case DLT_BLUETOOTH_HCI_H4: 3492 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3493 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented"); 3494 3495 case DLT_CAN20B: 3496 case DLT_CAN_SOCKETCAN: 3497 bpf_error(cstate, "CAN link-layer type filtering not implemented"); 3498 3499 case DLT_IEEE802_15_4: 3500 case DLT_IEEE802_15_4_LINUX: 3501 case DLT_IEEE802_15_4_NONASK_PHY: 3502 case DLT_IEEE802_15_4_NOFCS: 3503 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented"); 3504 3505 case DLT_IEEE802_16_MAC_CPS_RADIO: 3506 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented"); 3507 3508 case DLT_SITA: 3509 bpf_error(cstate, "SITA link-layer type filtering not implemented"); 3510 3511 case DLT_RAIF1: 3512 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented"); 3513 3514 case DLT_IPMB: 3515 bpf_error(cstate, "IPMB link-layer type filtering not implemented"); 3516 3517 case DLT_AX25_KISS: 3518 bpf_error(cstate, "AX.25 link-layer type filtering not implemented"); 3519 3520 case DLT_NFLOG: 3521 /* Using the fixed-size NFLOG header it is possible to tell only 3522 * the address family of the packet, other meaningful data is 3523 * either missing or behind TLVs. 3524 */ 3525 bpf_error(cstate, "NFLOG link-layer type filtering not implemented"); 3526 3527 default: 3528 /* 3529 * Does this link-layer header type have a field 3530 * indicating the type of the next protocol? If 3531 * so, off_linktype.constant_part will be the offset of that 3532 * field in the packet; if not, it will be OFFSET_NOT_SET. 3533 */ 3534 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) { 3535 /* 3536 * Yes; assume it's an Ethernet type. (If 3537 * it's not, it needs to be handled specially 3538 * above.) 3539 */ 3540 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3541 } else { 3542 /* 3543 * No; report an error. 3544 */ 3545 description = pcap_datalink_val_to_description(cstate->linktype); 3546 if (description != NULL) { 3547 bpf_error(cstate, "%s link-layer type filtering not implemented", 3548 description); 3549 } else { 3550 bpf_error(cstate, "DLT %u link-layer type filtering not implemented", 3551 cstate->linktype); 3552 } 3553 } 3554 break; 3555 } 3556 } 3557 3558 /* 3559 * Check for an LLC SNAP packet with a given organization code and 3560 * protocol type; we check the entire contents of the 802.2 LLC and 3561 * snap headers, checking for DSAP and SSAP of SNAP and a control 3562 * field of 0x03 in the LLC header, and for the specified organization 3563 * code and protocol type in the SNAP header. 3564 */ 3565 static struct block * 3566 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype) 3567 { 3568 u_char snapblock[8]; 3569 3570 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3571 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3572 snapblock[2] = 0x03; /* control = UI */ 3573 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */ 3574 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */ 3575 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */ 3576 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */ 3577 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */ 3578 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock); 3579 } 3580 3581 /* 3582 * Generate code to match frames with an LLC header. 3583 */ 3584 struct block * 3585 gen_llc(compiler_state_t *cstate) 3586 { 3587 struct block *b0, *b1; 3588 3589 switch (cstate->linktype) { 3590 3591 case DLT_EN10MB: 3592 /* 3593 * We check for an Ethernet type field less than 3594 * 1500, which means it's an 802.3 length field. 3595 */ 3596 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU); 3597 gen_not(b0); 3598 3599 /* 3600 * Now check for the purported DSAP and SSAP not being 3601 * 0xFF, to rule out NetWare-over-802.3. 3602 */ 3603 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 3604 gen_not(b1); 3605 gen_and(b0, b1); 3606 return b1; 3607 3608 case DLT_SUNATM: 3609 /* 3610 * We check for LLC traffic. 3611 */ 3612 b0 = gen_atmtype_abbrev(cstate, A_LLC); 3613 return b0; 3614 3615 case DLT_IEEE802: /* Token Ring */ 3616 /* 3617 * XXX - check for LLC frames. 3618 */ 3619 return gen_true(cstate); 3620 3621 case DLT_FDDI: 3622 /* 3623 * XXX - check for LLC frames. 3624 */ 3625 return gen_true(cstate); 3626 3627 case DLT_ATM_RFC1483: 3628 /* 3629 * For LLC encapsulation, these are defined to have an 3630 * 802.2 LLC header. 3631 * 3632 * For VC encapsulation, they don't, but there's no 3633 * way to check for that; the protocol used on the VC 3634 * is negotiated out of band. 3635 */ 3636 return gen_true(cstate); 3637 3638 case DLT_IEEE802_11: 3639 case DLT_PRISM_HEADER: 3640 case DLT_IEEE802_11_RADIO: 3641 case DLT_IEEE802_11_RADIO_AVS: 3642 case DLT_PPI: 3643 /* 3644 * Check that we have a data frame. 3645 */ 3646 b0 = gen_check_802_11_data_frame(cstate); 3647 return b0; 3648 3649 default: 3650 bpf_error(cstate, "'llc' not supported for linktype %d", cstate->linktype); 3651 /* NOTREACHED */ 3652 } 3653 } 3654 3655 struct block * 3656 gen_llc_i(compiler_state_t *cstate) 3657 { 3658 struct block *b0, *b1; 3659 struct slist *s; 3660 3661 /* 3662 * Check whether this is an LLC frame. 3663 */ 3664 b0 = gen_llc(cstate); 3665 3666 /* 3667 * Load the control byte and test the low-order bit; it must 3668 * be clear for I frames. 3669 */ 3670 s = gen_load_a(cstate, OR_LLC, 2, BPF_B); 3671 b1 = new_block(cstate, JMP(BPF_JSET)); 3672 b1->s.k = 0x01; 3673 b1->stmts = s; 3674 gen_not(b1); 3675 gen_and(b0, b1); 3676 return b1; 3677 } 3678 3679 struct block * 3680 gen_llc_s(compiler_state_t *cstate) 3681 { 3682 struct block *b0, *b1; 3683 3684 /* 3685 * Check whether this is an LLC frame. 3686 */ 3687 b0 = gen_llc(cstate); 3688 3689 /* 3690 * Now compare the low-order 2 bit of the control byte against 3691 * the appropriate value for S frames. 3692 */ 3693 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03); 3694 gen_and(b0, b1); 3695 return b1; 3696 } 3697 3698 struct block * 3699 gen_llc_u(compiler_state_t *cstate) 3700 { 3701 struct block *b0, *b1; 3702 3703 /* 3704 * Check whether this is an LLC frame. 3705 */ 3706 b0 = gen_llc(cstate); 3707 3708 /* 3709 * Now compare the low-order 2 bit of the control byte against 3710 * the appropriate value for U frames. 3711 */ 3712 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03); 3713 gen_and(b0, b1); 3714 return b1; 3715 } 3716 3717 struct block * 3718 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3719 { 3720 struct block *b0, *b1; 3721 3722 /* 3723 * Check whether this is an LLC frame. 3724 */ 3725 b0 = gen_llc(cstate); 3726 3727 /* 3728 * Now check for an S frame with the appropriate type. 3729 */ 3730 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3731 gen_and(b0, b1); 3732 return b1; 3733 } 3734 3735 struct block * 3736 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype) 3737 { 3738 struct block *b0, *b1; 3739 3740 /* 3741 * Check whether this is an LLC frame. 3742 */ 3743 b0 = gen_llc(cstate); 3744 3745 /* 3746 * Now check for a U frame with the appropriate type. 3747 */ 3748 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3749 gen_and(b0, b1); 3750 return b1; 3751 } 3752 3753 /* 3754 * Generate code to match a particular packet type, for link-layer types 3755 * using 802.2 LLC headers. 3756 * 3757 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3758 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3759 * 3760 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3761 * value, if <= ETHERMTU. We use that to determine whether to 3762 * match the DSAP or both DSAP and LSAP or to check the OUI and 3763 * protocol ID in a SNAP header. 3764 */ 3765 static struct block * 3766 gen_llc_linktype(compiler_state_t *cstate, int proto) 3767 { 3768 /* 3769 * XXX - handle token-ring variable-length header. 3770 */ 3771 switch (proto) { 3772 3773 case LLCSAP_IP: 3774 case LLCSAP_ISONS: 3775 case LLCSAP_NETBEUI: 3776 /* 3777 * XXX - should we check both the DSAP and the 3778 * SSAP, like this, or should we check just the 3779 * DSAP, as we do for other SAP values? 3780 */ 3781 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32) 3782 ((proto << 8) | proto)); 3783 3784 case LLCSAP_IPX: 3785 /* 3786 * XXX - are there ever SNAP frames for IPX on 3787 * non-Ethernet 802.x networks? 3788 */ 3789 return gen_cmp(cstate, OR_LLC, 0, BPF_B, 3790 (bpf_int32)LLCSAP_IPX); 3791 3792 case ETHERTYPE_ATALK: 3793 /* 3794 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3795 * SNAP packets with an organization code of 3796 * 0x080007 (Apple, for Appletalk) and a protocol 3797 * type of ETHERTYPE_ATALK (Appletalk). 3798 * 3799 * XXX - check for an organization code of 3800 * encapsulated Ethernet as well? 3801 */ 3802 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK); 3803 3804 default: 3805 /* 3806 * XXX - we don't have to check for IPX 802.3 3807 * here, but should we check for the IPX Ethertype? 3808 */ 3809 if (proto <= ETHERMTU) { 3810 /* 3811 * This is an LLC SAP value, so check 3812 * the DSAP. 3813 */ 3814 return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto); 3815 } else { 3816 /* 3817 * This is an Ethernet type; we assume that it's 3818 * unlikely that it'll appear in the right place 3819 * at random, and therefore check only the 3820 * location that would hold the Ethernet type 3821 * in a SNAP frame with an organization code of 3822 * 0x000000 (encapsulated Ethernet). 3823 * 3824 * XXX - if we were to check for the SNAP DSAP and 3825 * LSAP, as per XXX, and were also to check for an 3826 * organization code of 0x000000 (encapsulated 3827 * Ethernet), we'd do 3828 * 3829 * return gen_snap(cstate, 0x000000, proto); 3830 * 3831 * here; for now, we don't, as per the above. 3832 * I don't know whether it's worth the extra CPU 3833 * time to do the right check or not. 3834 */ 3835 return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto); 3836 } 3837 } 3838 } 3839 3840 static struct block * 3841 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 3842 int dir, int proto, u_int src_off, u_int dst_off) 3843 { 3844 struct block *b0, *b1; 3845 u_int offset; 3846 3847 switch (dir) { 3848 3849 case Q_SRC: 3850 offset = src_off; 3851 break; 3852 3853 case Q_DST: 3854 offset = dst_off; 3855 break; 3856 3857 case Q_AND: 3858 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3859 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3860 gen_and(b0, b1); 3861 return b1; 3862 3863 case Q_OR: 3864 case Q_DEFAULT: 3865 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3866 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3867 gen_or(b0, b1); 3868 return b1; 3869 3870 case Q_ADDR1: 3871 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3872 break; 3873 3874 case Q_ADDR2: 3875 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3876 break; 3877 3878 case Q_ADDR3: 3879 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3880 break; 3881 3882 case Q_ADDR4: 3883 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3884 break; 3885 3886 case Q_RA: 3887 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 3888 break; 3889 3890 case Q_TA: 3891 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 3892 break; 3893 3894 default: 3895 abort(); 3896 } 3897 b0 = gen_linktype(cstate, proto); 3898 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask); 3899 gen_and(b0, b1); 3900 return b1; 3901 } 3902 3903 #ifdef INET6 3904 static struct block * 3905 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr, 3906 struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off) 3907 { 3908 struct block *b0, *b1; 3909 u_int offset; 3910 uint32_t *a, *m; 3911 3912 switch (dir) { 3913 3914 case Q_SRC: 3915 offset = src_off; 3916 break; 3917 3918 case Q_DST: 3919 offset = dst_off; 3920 break; 3921 3922 case Q_AND: 3923 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3924 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3925 gen_and(b0, b1); 3926 return b1; 3927 3928 case Q_OR: 3929 case Q_DEFAULT: 3930 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off); 3931 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off); 3932 gen_or(b0, b1); 3933 return b1; 3934 3935 case Q_ADDR1: 3936 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3937 break; 3938 3939 case Q_ADDR2: 3940 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3941 break; 3942 3943 case Q_ADDR3: 3944 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3945 break; 3946 3947 case Q_ADDR4: 3948 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses"); 3949 break; 3950 3951 case Q_RA: 3952 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 3953 break; 3954 3955 case Q_TA: 3956 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses"); 3957 break; 3958 3959 default: 3960 abort(); 3961 } 3962 /* this order is important */ 3963 a = (uint32_t *)addr; 3964 m = (uint32_t *)mask; 3965 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3966 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3967 gen_and(b0, b1); 3968 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3969 gen_and(b0, b1); 3970 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3971 gen_and(b0, b1); 3972 b0 = gen_linktype(cstate, proto); 3973 gen_and(b0, b1); 3974 return b1; 3975 } 3976 #endif 3977 3978 static struct block * 3979 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 3980 { 3981 register struct block *b0, *b1; 3982 3983 switch (dir) { 3984 case Q_SRC: 3985 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr); 3986 3987 case Q_DST: 3988 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr); 3989 3990 case Q_AND: 3991 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 3992 b1 = gen_ehostop(cstate, eaddr, Q_DST); 3993 gen_and(b0, b1); 3994 return b1; 3995 3996 case Q_DEFAULT: 3997 case Q_OR: 3998 b0 = gen_ehostop(cstate, eaddr, Q_SRC); 3999 b1 = gen_ehostop(cstate, eaddr, Q_DST); 4000 gen_or(b0, b1); 4001 return b1; 4002 4003 case Q_ADDR1: 4004 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers"); 4005 break; 4006 4007 case Q_ADDR2: 4008 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers"); 4009 break; 4010 4011 case Q_ADDR3: 4012 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers"); 4013 break; 4014 4015 case Q_ADDR4: 4016 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers"); 4017 break; 4018 4019 case Q_RA: 4020 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers"); 4021 break; 4022 4023 case Q_TA: 4024 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers"); 4025 break; 4026 } 4027 abort(); 4028 /* NOTREACHED */ 4029 } 4030 4031 /* 4032 * Like gen_ehostop, but for DLT_FDDI 4033 */ 4034 static struct block * 4035 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4036 { 4037 struct block *b0, *b1; 4038 4039 switch (dir) { 4040 case Q_SRC: 4041 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr); 4042 4043 case Q_DST: 4044 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr); 4045 4046 case Q_AND: 4047 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4048 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4049 gen_and(b0, b1); 4050 return b1; 4051 4052 case Q_DEFAULT: 4053 case Q_OR: 4054 b0 = gen_fhostop(cstate, eaddr, Q_SRC); 4055 b1 = gen_fhostop(cstate, eaddr, Q_DST); 4056 gen_or(b0, b1); 4057 return b1; 4058 4059 case Q_ADDR1: 4060 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4061 break; 4062 4063 case Q_ADDR2: 4064 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4065 break; 4066 4067 case Q_ADDR3: 4068 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4069 break; 4070 4071 case Q_ADDR4: 4072 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4073 break; 4074 4075 case Q_RA: 4076 bpf_error(cstate, "'ra' is only supported on 802.11"); 4077 break; 4078 4079 case Q_TA: 4080 bpf_error(cstate, "'ta' is only supported on 802.11"); 4081 break; 4082 } 4083 abort(); 4084 /* NOTREACHED */ 4085 } 4086 4087 /* 4088 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 4089 */ 4090 static struct block * 4091 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4092 { 4093 register struct block *b0, *b1; 4094 4095 switch (dir) { 4096 case Q_SRC: 4097 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr); 4098 4099 case Q_DST: 4100 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4101 4102 case Q_AND: 4103 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4104 b1 = gen_thostop(cstate, eaddr, Q_DST); 4105 gen_and(b0, b1); 4106 return b1; 4107 4108 case Q_DEFAULT: 4109 case Q_OR: 4110 b0 = gen_thostop(cstate, eaddr, Q_SRC); 4111 b1 = gen_thostop(cstate, eaddr, Q_DST); 4112 gen_or(b0, b1); 4113 return b1; 4114 4115 case Q_ADDR1: 4116 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4117 break; 4118 4119 case Q_ADDR2: 4120 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4121 break; 4122 4123 case Q_ADDR3: 4124 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4125 break; 4126 4127 case Q_ADDR4: 4128 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4129 break; 4130 4131 case Q_RA: 4132 bpf_error(cstate, "'ra' is only supported on 802.11"); 4133 break; 4134 4135 case Q_TA: 4136 bpf_error(cstate, "'ta' is only supported on 802.11"); 4137 break; 4138 } 4139 abort(); 4140 /* NOTREACHED */ 4141 } 4142 4143 /* 4144 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 4145 * various 802.11 + radio headers. 4146 */ 4147 static struct block * 4148 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4149 { 4150 register struct block *b0, *b1, *b2; 4151 register struct slist *s; 4152 4153 #ifdef ENABLE_WLAN_FILTERING_PATCH 4154 /* 4155 * TODO GV 20070613 4156 * We need to disable the optimizer because the optimizer is buggy 4157 * and wipes out some LD instructions generated by the below 4158 * code to validate the Frame Control bits 4159 */ 4160 cstate->no_optimize = 1; 4161 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 4162 4163 switch (dir) { 4164 case Q_SRC: 4165 /* 4166 * Oh, yuk. 4167 * 4168 * For control frames, there is no SA. 4169 * 4170 * For management frames, SA is at an 4171 * offset of 10 from the beginning of 4172 * the packet. 4173 * 4174 * For data frames, SA is at an offset 4175 * of 10 from the beginning of the packet 4176 * if From DS is clear, at an offset of 4177 * 16 from the beginning of the packet 4178 * if From DS is set and To DS is clear, 4179 * and an offset of 24 from the beginning 4180 * of the packet if From DS is set and To DS 4181 * is set. 4182 */ 4183 4184 /* 4185 * Generate the tests to be done for data frames 4186 * with From DS set. 4187 * 4188 * First, check for To DS set, i.e. check "link[1] & 0x01". 4189 */ 4190 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4191 b1 = new_block(cstate, JMP(BPF_JSET)); 4192 b1->s.k = 0x01; /* To DS */ 4193 b1->stmts = s; 4194 4195 /* 4196 * If To DS is set, the SA is at 24. 4197 */ 4198 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4199 gen_and(b1, b0); 4200 4201 /* 4202 * Now, check for To DS not set, i.e. check 4203 * "!(link[1] & 0x01)". 4204 */ 4205 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4206 b2 = new_block(cstate, JMP(BPF_JSET)); 4207 b2->s.k = 0x01; /* To DS */ 4208 b2->stmts = s; 4209 gen_not(b2); 4210 4211 /* 4212 * If To DS is not set, the SA is at 16. 4213 */ 4214 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4215 gen_and(b2, b1); 4216 4217 /* 4218 * Now OR together the last two checks. That gives 4219 * the complete set of checks for data frames with 4220 * From DS set. 4221 */ 4222 gen_or(b1, b0); 4223 4224 /* 4225 * Now check for From DS being set, and AND that with 4226 * the ORed-together checks. 4227 */ 4228 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4229 b1 = new_block(cstate, JMP(BPF_JSET)); 4230 b1->s.k = 0x02; /* From DS */ 4231 b1->stmts = s; 4232 gen_and(b1, b0); 4233 4234 /* 4235 * Now check for data frames with From DS not set. 4236 */ 4237 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4238 b2 = new_block(cstate, JMP(BPF_JSET)); 4239 b2->s.k = 0x02; /* From DS */ 4240 b2->stmts = s; 4241 gen_not(b2); 4242 4243 /* 4244 * If From DS isn't set, the SA is at 10. 4245 */ 4246 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4247 gen_and(b2, b1); 4248 4249 /* 4250 * Now OR together the checks for data frames with 4251 * From DS not set and for data frames with From DS 4252 * set; that gives the checks done for data frames. 4253 */ 4254 gen_or(b1, b0); 4255 4256 /* 4257 * Now check for a data frame. 4258 * I.e, check "link[0] & 0x08". 4259 */ 4260 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4261 b1 = new_block(cstate, JMP(BPF_JSET)); 4262 b1->s.k = 0x08; 4263 b1->stmts = s; 4264 4265 /* 4266 * AND that with the checks done for data frames. 4267 */ 4268 gen_and(b1, b0); 4269 4270 /* 4271 * If the high-order bit of the type value is 0, this 4272 * is a management frame. 4273 * I.e, check "!(link[0] & 0x08)". 4274 */ 4275 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4276 b2 = new_block(cstate, JMP(BPF_JSET)); 4277 b2->s.k = 0x08; 4278 b2->stmts = s; 4279 gen_not(b2); 4280 4281 /* 4282 * For management frames, the SA is at 10. 4283 */ 4284 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4285 gen_and(b2, b1); 4286 4287 /* 4288 * OR that with the checks done for data frames. 4289 * That gives the checks done for management and 4290 * data frames. 4291 */ 4292 gen_or(b1, b0); 4293 4294 /* 4295 * If the low-order bit of the type value is 1, 4296 * this is either a control frame or a frame 4297 * with a reserved type, and thus not a 4298 * frame with an SA. 4299 * 4300 * I.e., check "!(link[0] & 0x04)". 4301 */ 4302 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4303 b1 = new_block(cstate, JMP(BPF_JSET)); 4304 b1->s.k = 0x04; 4305 b1->stmts = s; 4306 gen_not(b1); 4307 4308 /* 4309 * AND that with the checks for data and management 4310 * frames. 4311 */ 4312 gen_and(b1, b0); 4313 return b0; 4314 4315 case Q_DST: 4316 /* 4317 * Oh, yuk. 4318 * 4319 * For control frames, there is no DA. 4320 * 4321 * For management frames, DA is at an 4322 * offset of 4 from the beginning of 4323 * the packet. 4324 * 4325 * For data frames, DA is at an offset 4326 * of 4 from the beginning of the packet 4327 * if To DS is clear and at an offset of 4328 * 16 from the beginning of the packet 4329 * if To DS is set. 4330 */ 4331 4332 /* 4333 * Generate the tests to be done for data frames. 4334 * 4335 * First, check for To DS set, i.e. "link[1] & 0x01". 4336 */ 4337 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4338 b1 = new_block(cstate, JMP(BPF_JSET)); 4339 b1->s.k = 0x01; /* To DS */ 4340 b1->stmts = s; 4341 4342 /* 4343 * If To DS is set, the DA is at 16. 4344 */ 4345 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4346 gen_and(b1, b0); 4347 4348 /* 4349 * Now, check for To DS not set, i.e. check 4350 * "!(link[1] & 0x01)". 4351 */ 4352 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 4353 b2 = new_block(cstate, JMP(BPF_JSET)); 4354 b2->s.k = 0x01; /* To DS */ 4355 b2->stmts = s; 4356 gen_not(b2); 4357 4358 /* 4359 * If To DS is not set, the DA is at 4. 4360 */ 4361 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4362 gen_and(b2, b1); 4363 4364 /* 4365 * Now OR together the last two checks. That gives 4366 * the complete set of checks for data frames. 4367 */ 4368 gen_or(b1, b0); 4369 4370 /* 4371 * Now check for a data frame. 4372 * I.e, check "link[0] & 0x08". 4373 */ 4374 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4375 b1 = new_block(cstate, JMP(BPF_JSET)); 4376 b1->s.k = 0x08; 4377 b1->stmts = s; 4378 4379 /* 4380 * AND that with the checks done for data frames. 4381 */ 4382 gen_and(b1, b0); 4383 4384 /* 4385 * If the high-order bit of the type value is 0, this 4386 * is a management frame. 4387 * I.e, check "!(link[0] & 0x08)". 4388 */ 4389 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4390 b2 = new_block(cstate, JMP(BPF_JSET)); 4391 b2->s.k = 0x08; 4392 b2->stmts = s; 4393 gen_not(b2); 4394 4395 /* 4396 * For management frames, the DA is at 4. 4397 */ 4398 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4399 gen_and(b2, b1); 4400 4401 /* 4402 * OR that with the checks done for data frames. 4403 * That gives the checks done for management and 4404 * data frames. 4405 */ 4406 gen_or(b1, b0); 4407 4408 /* 4409 * If the low-order bit of the type value is 1, 4410 * this is either a control frame or a frame 4411 * with a reserved type, and thus not a 4412 * frame with an SA. 4413 * 4414 * I.e., check "!(link[0] & 0x04)". 4415 */ 4416 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4417 b1 = new_block(cstate, JMP(BPF_JSET)); 4418 b1->s.k = 0x04; 4419 b1->stmts = s; 4420 gen_not(b1); 4421 4422 /* 4423 * AND that with the checks for data and management 4424 * frames. 4425 */ 4426 gen_and(b1, b0); 4427 return b0; 4428 4429 case Q_RA: 4430 /* 4431 * Not present in management frames; addr1 in other 4432 * frames. 4433 */ 4434 4435 /* 4436 * If the high-order bit of the type value is 0, this 4437 * is a management frame. 4438 * I.e, check "(link[0] & 0x08)". 4439 */ 4440 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4441 b1 = new_block(cstate, JMP(BPF_JSET)); 4442 b1->s.k = 0x08; 4443 b1->stmts = s; 4444 4445 /* 4446 * Check addr1. 4447 */ 4448 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr); 4449 4450 /* 4451 * AND that with the check of addr1. 4452 */ 4453 gen_and(b1, b0); 4454 return (b0); 4455 4456 case Q_TA: 4457 /* 4458 * Not present in management frames; addr2, if present, 4459 * in other frames. 4460 */ 4461 4462 /* 4463 * Not present in CTS or ACK control frames. 4464 */ 4465 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4466 IEEE80211_FC0_TYPE_MASK); 4467 gen_not(b0); 4468 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4469 IEEE80211_FC0_SUBTYPE_MASK); 4470 gen_not(b1); 4471 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4472 IEEE80211_FC0_SUBTYPE_MASK); 4473 gen_not(b2); 4474 gen_and(b1, b2); 4475 gen_or(b0, b2); 4476 4477 /* 4478 * If the high-order bit of the type value is 0, this 4479 * is a management frame. 4480 * I.e, check "(link[0] & 0x08)". 4481 */ 4482 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 4483 b1 = new_block(cstate, JMP(BPF_JSET)); 4484 b1->s.k = 0x08; 4485 b1->stmts = s; 4486 4487 /* 4488 * AND that with the check for frames other than 4489 * CTS and ACK frames. 4490 */ 4491 gen_and(b1, b2); 4492 4493 /* 4494 * Check addr2. 4495 */ 4496 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4497 gen_and(b2, b1); 4498 return b1; 4499 4500 /* 4501 * XXX - add BSSID keyword? 4502 */ 4503 case Q_ADDR1: 4504 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr)); 4505 4506 case Q_ADDR2: 4507 /* 4508 * Not present in CTS or ACK control frames. 4509 */ 4510 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4511 IEEE80211_FC0_TYPE_MASK); 4512 gen_not(b0); 4513 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4514 IEEE80211_FC0_SUBTYPE_MASK); 4515 gen_not(b1); 4516 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4517 IEEE80211_FC0_SUBTYPE_MASK); 4518 gen_not(b2); 4519 gen_and(b1, b2); 4520 gen_or(b0, b2); 4521 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4522 gen_and(b2, b1); 4523 return b1; 4524 4525 case Q_ADDR3: 4526 /* 4527 * Not present in control frames. 4528 */ 4529 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4530 IEEE80211_FC0_TYPE_MASK); 4531 gen_not(b0); 4532 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr); 4533 gen_and(b0, b1); 4534 return b1; 4535 4536 case Q_ADDR4: 4537 /* 4538 * Present only if the direction mask has both "From DS" 4539 * and "To DS" set. Neither control frames nor management 4540 * frames should have both of those set, so we don't 4541 * check the frame type. 4542 */ 4543 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, 4544 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4545 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr); 4546 gen_and(b0, b1); 4547 return b1; 4548 4549 case Q_AND: 4550 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4551 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4552 gen_and(b0, b1); 4553 return b1; 4554 4555 case Q_DEFAULT: 4556 case Q_OR: 4557 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC); 4558 b1 = gen_wlanhostop(cstate, eaddr, Q_DST); 4559 gen_or(b0, b1); 4560 return b1; 4561 } 4562 abort(); 4563 /* NOTREACHED */ 4564 } 4565 4566 /* 4567 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4568 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4569 * as the RFC states.) 4570 */ 4571 static struct block * 4572 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 4573 { 4574 register struct block *b0, *b1; 4575 4576 switch (dir) { 4577 case Q_SRC: 4578 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr); 4579 4580 case Q_DST: 4581 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr); 4582 4583 case Q_AND: 4584 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4585 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4586 gen_and(b0, b1); 4587 return b1; 4588 4589 case Q_DEFAULT: 4590 case Q_OR: 4591 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC); 4592 b1 = gen_ipfchostop(cstate, eaddr, Q_DST); 4593 gen_or(b0, b1); 4594 return b1; 4595 4596 case Q_ADDR1: 4597 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 4598 break; 4599 4600 case Q_ADDR2: 4601 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 4602 break; 4603 4604 case Q_ADDR3: 4605 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 4606 break; 4607 4608 case Q_ADDR4: 4609 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 4610 break; 4611 4612 case Q_RA: 4613 bpf_error(cstate, "'ra' is only supported on 802.11"); 4614 break; 4615 4616 case Q_TA: 4617 bpf_error(cstate, "'ta' is only supported on 802.11"); 4618 break; 4619 } 4620 abort(); 4621 /* NOTREACHED */ 4622 } 4623 4624 /* 4625 * This is quite tricky because there may be pad bytes in front of the 4626 * DECNET header, and then there are two possible data packet formats that 4627 * carry both src and dst addresses, plus 5 packet types in a format that 4628 * carries only the src node, plus 2 types that use a different format and 4629 * also carry just the src node. 4630 * 4631 * Yuck. 4632 * 4633 * Instead of doing those all right, we just look for data packets with 4634 * 0 or 1 bytes of padding. If you want to look at other packets, that 4635 * will require a lot more hacking. 4636 * 4637 * To add support for filtering on DECNET "areas" (network numbers) 4638 * one would want to add a "mask" argument to this routine. That would 4639 * make the filter even more inefficient, although one could be clever 4640 * and not generate masking instructions if the mask is 0xFFFF. 4641 */ 4642 static struct block * 4643 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir) 4644 { 4645 struct block *b0, *b1, *b2, *tmp; 4646 u_int offset_lh; /* offset if long header is received */ 4647 u_int offset_sh; /* offset if short header is received */ 4648 4649 switch (dir) { 4650 4651 case Q_DST: 4652 offset_sh = 1; /* follows flags */ 4653 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4654 break; 4655 4656 case Q_SRC: 4657 offset_sh = 3; /* follows flags, dstnode */ 4658 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4659 break; 4660 4661 case Q_AND: 4662 /* Inefficient because we do our Calvinball dance twice */ 4663 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4664 b1 = gen_dnhostop(cstate, addr, Q_DST); 4665 gen_and(b0, b1); 4666 return b1; 4667 4668 case Q_OR: 4669 case Q_DEFAULT: 4670 /* Inefficient because we do our Calvinball dance twice */ 4671 b0 = gen_dnhostop(cstate, addr, Q_SRC); 4672 b1 = gen_dnhostop(cstate, addr, Q_DST); 4673 gen_or(b0, b1); 4674 return b1; 4675 4676 case Q_ISO: 4677 bpf_error(cstate, "ISO host filtering not implemented"); 4678 4679 default: 4680 abort(); 4681 } 4682 b0 = gen_linktype(cstate, ETHERTYPE_DN); 4683 /* Check for pad = 1, long header case */ 4684 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4685 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4686 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh, 4687 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4688 gen_and(tmp, b1); 4689 /* Check for pad = 0, long header case */ 4690 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4691 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4692 gen_and(tmp, b2); 4693 gen_or(b2, b1); 4694 /* Check for pad = 1, short header case */ 4695 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 4696 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4697 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4698 gen_and(tmp, b2); 4699 gen_or(b2, b1); 4700 /* Check for pad = 0, short header case */ 4701 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4702 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4703 gen_and(tmp, b2); 4704 gen_or(b2, b1); 4705 4706 /* Combine with test for cstate->linktype */ 4707 gen_and(b0, b1); 4708 return b1; 4709 } 4710 4711 /* 4712 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4713 * test the bottom-of-stack bit, and then check the version number 4714 * field in the IP header. 4715 */ 4716 static struct block * 4717 gen_mpls_linktype(compiler_state_t *cstate, int proto) 4718 { 4719 struct block *b0, *b1; 4720 4721 switch (proto) { 4722 4723 case Q_IP: 4724 /* match the bottom-of-stack bit */ 4725 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4726 /* match the IPv4 version number */ 4727 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0); 4728 gen_and(b0, b1); 4729 return b1; 4730 4731 case Q_IPV6: 4732 /* match the bottom-of-stack bit */ 4733 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01); 4734 /* match the IPv4 version number */ 4735 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0); 4736 gen_and(b0, b1); 4737 return b1; 4738 4739 default: 4740 abort(); 4741 } 4742 } 4743 4744 static struct block * 4745 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask, 4746 int proto, int dir, int type) 4747 { 4748 struct block *b0, *b1; 4749 const char *typestr; 4750 4751 if (type == Q_NET) 4752 typestr = "net"; 4753 else 4754 typestr = "host"; 4755 4756 switch (proto) { 4757 4758 case Q_DEFAULT: 4759 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type); 4760 /* 4761 * Only check for non-IPv4 addresses if we're not 4762 * checking MPLS-encapsulated packets. 4763 */ 4764 if (cstate->label_stack_depth == 0) { 4765 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type); 4766 gen_or(b0, b1); 4767 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type); 4768 gen_or(b1, b0); 4769 } 4770 return b0; 4771 4772 case Q_IP: 4773 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16); 4774 4775 case Q_RARP: 4776 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4777 4778 case Q_ARP: 4779 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4780 4781 case Q_TCP: 4782 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4783 4784 case Q_SCTP: 4785 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4786 4787 case Q_UDP: 4788 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4789 4790 case Q_ICMP: 4791 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4792 4793 case Q_IGMP: 4794 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4795 4796 case Q_IGRP: 4797 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4798 4799 case Q_PIM: 4800 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 4801 4802 case Q_VRRP: 4803 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 4804 4805 case Q_CARP: 4806 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 4807 4808 case Q_ATALK: 4809 bpf_error(cstate, "ATALK host filtering not implemented"); 4810 4811 case Q_AARP: 4812 bpf_error(cstate, "AARP host filtering not implemented"); 4813 4814 case Q_DECNET: 4815 return gen_dnhostop(cstate, addr, dir); 4816 4817 case Q_SCA: 4818 bpf_error(cstate, "SCA host filtering not implemented"); 4819 4820 case Q_LAT: 4821 bpf_error(cstate, "LAT host filtering not implemented"); 4822 4823 case Q_MOPDL: 4824 bpf_error(cstate, "MOPDL host filtering not implemented"); 4825 4826 case Q_MOPRC: 4827 bpf_error(cstate, "MOPRC host filtering not implemented"); 4828 4829 case Q_IPV6: 4830 bpf_error(cstate, "'ip6' modifier applied to ip host"); 4831 4832 case Q_ICMPV6: 4833 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4834 4835 case Q_AH: 4836 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4837 4838 case Q_ESP: 4839 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 4840 4841 case Q_ISO: 4842 bpf_error(cstate, "ISO host filtering not implemented"); 4843 4844 case Q_ESIS: 4845 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 4846 4847 case Q_ISIS: 4848 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 4849 4850 case Q_CLNP: 4851 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 4852 4853 case Q_STP: 4854 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 4855 4856 case Q_IPX: 4857 bpf_error(cstate, "IPX host filtering not implemented"); 4858 4859 case Q_NETBEUI: 4860 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 4861 4862 case Q_RADIO: 4863 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 4864 4865 default: 4866 abort(); 4867 } 4868 /* NOTREACHED */ 4869 } 4870 4871 #ifdef INET6 4872 static struct block * 4873 gen_host6(compiler_state_t *cstate, struct in6_addr *addr, 4874 struct in6_addr *mask, int proto, int dir, int type) 4875 { 4876 const char *typestr; 4877 4878 if (type == Q_NET) 4879 typestr = "net"; 4880 else 4881 typestr = "host"; 4882 4883 switch (proto) { 4884 4885 case Q_DEFAULT: 4886 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type); 4887 4888 case Q_LINK: 4889 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr); 4890 4891 case Q_IP: 4892 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr); 4893 4894 case Q_RARP: 4895 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr); 4896 4897 case Q_ARP: 4898 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr); 4899 4900 case Q_SCTP: 4901 bpf_error(cstate, "'sctp' modifier applied to %s", typestr); 4902 4903 case Q_TCP: 4904 bpf_error(cstate, "'tcp' modifier applied to %s", typestr); 4905 4906 case Q_UDP: 4907 bpf_error(cstate, "'udp' modifier applied to %s", typestr); 4908 4909 case Q_ICMP: 4910 bpf_error(cstate, "'icmp' modifier applied to %s", typestr); 4911 4912 case Q_IGMP: 4913 bpf_error(cstate, "'igmp' modifier applied to %s", typestr); 4914 4915 case Q_IGRP: 4916 bpf_error(cstate, "'igrp' modifier applied to %s", typestr); 4917 4918 case Q_PIM: 4919 bpf_error(cstate, "'pim' modifier applied to %s", typestr); 4920 4921 case Q_VRRP: 4922 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr); 4923 4924 case Q_CARP: 4925 bpf_error(cstate, "'carp' modifier applied to %s", typestr); 4926 4927 case Q_ATALK: 4928 bpf_error(cstate, "ATALK host filtering not implemented"); 4929 4930 case Q_AARP: 4931 bpf_error(cstate, "AARP host filtering not implemented"); 4932 4933 case Q_DECNET: 4934 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr); 4935 4936 case Q_SCA: 4937 bpf_error(cstate, "SCA host filtering not implemented"); 4938 4939 case Q_LAT: 4940 bpf_error(cstate, "LAT host filtering not implemented"); 4941 4942 case Q_MOPDL: 4943 bpf_error(cstate, "MOPDL host filtering not implemented"); 4944 4945 case Q_MOPRC: 4946 bpf_error(cstate, "MOPRC host filtering not implemented"); 4947 4948 case Q_IPV6: 4949 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4950 4951 case Q_ICMPV6: 4952 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr); 4953 4954 case Q_AH: 4955 bpf_error(cstate, "'ah' modifier applied to %s", typestr); 4956 4957 case Q_ESP: 4958 bpf_error(cstate, "'esp' modifier applied to %s", typestr); 4959 4960 case Q_ISO: 4961 bpf_error(cstate, "ISO host filtering not implemented"); 4962 4963 case Q_ESIS: 4964 bpf_error(cstate, "'esis' modifier applied to %s", typestr); 4965 4966 case Q_ISIS: 4967 bpf_error(cstate, "'isis' modifier applied to %s", typestr); 4968 4969 case Q_CLNP: 4970 bpf_error(cstate, "'clnp' modifier applied to %s", typestr); 4971 4972 case Q_STP: 4973 bpf_error(cstate, "'stp' modifier applied to %s", typestr); 4974 4975 case Q_IPX: 4976 bpf_error(cstate, "IPX host filtering not implemented"); 4977 4978 case Q_NETBEUI: 4979 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr); 4980 4981 case Q_RADIO: 4982 bpf_error(cstate, "'radio' modifier applied to %s", typestr); 4983 4984 default: 4985 abort(); 4986 } 4987 /* NOTREACHED */ 4988 } 4989 #endif 4990 4991 #ifndef INET6 4992 static struct block * 4993 gen_gateway(compiler_state_t *cstate, const u_char *eaddr, 4994 struct addrinfo *alist, int proto, int dir) 4995 { 4996 struct block *b0, *b1, *tmp; 4997 struct addrinfo *ai; 4998 struct sockaddr_in *sin; 4999 5000 if (dir != 0) 5001 bpf_error(cstate, "direction applied to 'gateway'"); 5002 5003 switch (proto) { 5004 case Q_DEFAULT: 5005 case Q_IP: 5006 case Q_ARP: 5007 case Q_RARP: 5008 switch (cstate->linktype) { 5009 case DLT_EN10MB: 5010 case DLT_NETANALYZER: 5011 case DLT_NETANALYZER_TRANSPARENT: 5012 b1 = gen_prevlinkhdr_check(cstate); 5013 b0 = gen_ehostop(cstate, eaddr, Q_OR); 5014 if (b1 != NULL) 5015 gen_and(b1, b0); 5016 break; 5017 case DLT_FDDI: 5018 b0 = gen_fhostop(cstate, eaddr, Q_OR); 5019 break; 5020 case DLT_IEEE802: 5021 b0 = gen_thostop(cstate, eaddr, Q_OR); 5022 break; 5023 case DLT_IEEE802_11: 5024 case DLT_PRISM_HEADER: 5025 case DLT_IEEE802_11_RADIO_AVS: 5026 case DLT_IEEE802_11_RADIO: 5027 case DLT_PPI: 5028 b0 = gen_wlanhostop(cstate, eaddr, Q_OR); 5029 break; 5030 case DLT_SUNATM: 5031 /* 5032 * This is LLC-multiplexed traffic; if it were 5033 * LANE, cstate->linktype would have been set to 5034 * DLT_EN10MB. 5035 */ 5036 bpf_error(cstate, 5037 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5038 break; 5039 case DLT_IP_OVER_FC: 5040 b0 = gen_ipfchostop(cstate, eaddr, Q_OR); 5041 break; 5042 default: 5043 bpf_error(cstate, 5044 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5045 } 5046 b1 = NULL; 5047 for (ai = alist; ai != NULL; ai = ai->ai_next) { 5048 /* 5049 * Does it have an address? 5050 */ 5051 if (ai->ai_addr != NULL) { 5052 /* 5053 * Yes. Is it an IPv4 address? 5054 */ 5055 if (ai->ai_addr->sa_family == AF_INET) { 5056 /* 5057 * Generate an entry for it. 5058 */ 5059 sin = (struct sockaddr_in *)ai->ai_addr; 5060 tmp = gen_host(cstate, 5061 ntohl(sin->sin_addr.s_addr), 5062 0xffffffff, proto, Q_OR, Q_HOST); 5063 /* 5064 * Is it the *first* IPv4 address? 5065 */ 5066 if (b1 == NULL) { 5067 /* 5068 * Yes, so start with it. 5069 */ 5070 b1 = tmp; 5071 } else { 5072 /* 5073 * No, so OR it into the 5074 * existing set of 5075 * addresses. 5076 */ 5077 gen_or(b1, tmp); 5078 b1 = tmp; 5079 } 5080 } 5081 } 5082 } 5083 if (b1 == NULL) { 5084 /* 5085 * No IPv4 addresses found. 5086 */ 5087 return (NULL); 5088 } 5089 gen_not(b1); 5090 gen_and(b0, b1); 5091 return b1; 5092 } 5093 bpf_error(cstate, "illegal modifier of 'gateway'"); 5094 /* NOTREACHED */ 5095 } 5096 #endif 5097 5098 struct block * 5099 gen_proto_abbrev(compiler_state_t *cstate, int proto) 5100 { 5101 struct block *b0; 5102 struct block *b1; 5103 5104 switch (proto) { 5105 5106 case Q_SCTP: 5107 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT); 5108 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 5109 gen_or(b0, b1); 5110 break; 5111 5112 case Q_TCP: 5113 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT); 5114 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 5115 gen_or(b0, b1); 5116 break; 5117 5118 case Q_UDP: 5119 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT); 5120 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 5121 gen_or(b0, b1); 5122 break; 5123 5124 case Q_ICMP: 5125 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT); 5126 break; 5127 5128 #ifndef IPPROTO_IGMP 5129 #define IPPROTO_IGMP 2 5130 #endif 5131 5132 case Q_IGMP: 5133 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT); 5134 break; 5135 5136 #ifndef IPPROTO_IGRP 5137 #define IPPROTO_IGRP 9 5138 #endif 5139 case Q_IGRP: 5140 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT); 5141 break; 5142 5143 #ifndef IPPROTO_PIM 5144 #define IPPROTO_PIM 103 5145 #endif 5146 5147 case Q_PIM: 5148 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT); 5149 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 5150 gen_or(b0, b1); 5151 break; 5152 5153 #ifndef IPPROTO_VRRP 5154 #define IPPROTO_VRRP 112 5155 #endif 5156 5157 case Q_VRRP: 5158 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT); 5159 break; 5160 5161 #ifndef IPPROTO_CARP 5162 #define IPPROTO_CARP 112 5163 #endif 5164 5165 case Q_CARP: 5166 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT); 5167 break; 5168 5169 case Q_IP: 5170 b1 = gen_linktype(cstate, ETHERTYPE_IP); 5171 break; 5172 5173 case Q_ARP: 5174 b1 = gen_linktype(cstate, ETHERTYPE_ARP); 5175 break; 5176 5177 case Q_RARP: 5178 b1 = gen_linktype(cstate, ETHERTYPE_REVARP); 5179 break; 5180 5181 case Q_LINK: 5182 bpf_error(cstate, "link layer applied in wrong context"); 5183 5184 case Q_ATALK: 5185 b1 = gen_linktype(cstate, ETHERTYPE_ATALK); 5186 break; 5187 5188 case Q_AARP: 5189 b1 = gen_linktype(cstate, ETHERTYPE_AARP); 5190 break; 5191 5192 case Q_DECNET: 5193 b1 = gen_linktype(cstate, ETHERTYPE_DN); 5194 break; 5195 5196 case Q_SCA: 5197 b1 = gen_linktype(cstate, ETHERTYPE_SCA); 5198 break; 5199 5200 case Q_LAT: 5201 b1 = gen_linktype(cstate, ETHERTYPE_LAT); 5202 break; 5203 5204 case Q_MOPDL: 5205 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL); 5206 break; 5207 5208 case Q_MOPRC: 5209 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC); 5210 break; 5211 5212 case Q_IPV6: 5213 b1 = gen_linktype(cstate, ETHERTYPE_IPV6); 5214 break; 5215 5216 #ifndef IPPROTO_ICMPV6 5217 #define IPPROTO_ICMPV6 58 5218 #endif 5219 case Q_ICMPV6: 5220 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 5221 break; 5222 5223 #ifndef IPPROTO_AH 5224 #define IPPROTO_AH 51 5225 #endif 5226 case Q_AH: 5227 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT); 5228 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT); 5229 gen_or(b0, b1); 5230 break; 5231 5232 #ifndef IPPROTO_ESP 5233 #define IPPROTO_ESP 50 5234 #endif 5235 case Q_ESP: 5236 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT); 5237 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 5238 gen_or(b0, b1); 5239 break; 5240 5241 case Q_ISO: 5242 b1 = gen_linktype(cstate, LLCSAP_ISONS); 5243 break; 5244 5245 case Q_ESIS: 5246 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT); 5247 break; 5248 5249 case Q_ISIS: 5250 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5251 break; 5252 5253 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5254 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5255 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5256 gen_or(b0, b1); 5257 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5258 gen_or(b0, b1); 5259 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5260 gen_or(b0, b1); 5261 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5262 gen_or(b0, b1); 5263 break; 5264 5265 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5266 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5267 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5268 gen_or(b0, b1); 5269 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5270 gen_or(b0, b1); 5271 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5272 gen_or(b0, b1); 5273 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5274 gen_or(b0, b1); 5275 break; 5276 5277 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5278 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5279 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5280 gen_or(b0, b1); 5281 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5282 gen_or(b0, b1); 5283 break; 5284 5285 case Q_ISIS_LSP: 5286 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5287 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5288 gen_or(b0, b1); 5289 break; 5290 5291 case Q_ISIS_SNP: 5292 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5293 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5294 gen_or(b0, b1); 5295 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5296 gen_or(b0, b1); 5297 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5298 gen_or(b0, b1); 5299 break; 5300 5301 case Q_ISIS_CSNP: 5302 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5303 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5304 gen_or(b0, b1); 5305 break; 5306 5307 case Q_ISIS_PSNP: 5308 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5309 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5310 gen_or(b0, b1); 5311 break; 5312 5313 case Q_CLNP: 5314 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5315 break; 5316 5317 case Q_STP: 5318 b1 = gen_linktype(cstate, LLCSAP_8021D); 5319 break; 5320 5321 case Q_IPX: 5322 b1 = gen_linktype(cstate, LLCSAP_IPX); 5323 break; 5324 5325 case Q_NETBEUI: 5326 b1 = gen_linktype(cstate, LLCSAP_NETBEUI); 5327 break; 5328 5329 case Q_RADIO: 5330 bpf_error(cstate, "'radio' is not a valid protocol type"); 5331 5332 default: 5333 abort(); 5334 } 5335 return b1; 5336 } 5337 5338 static struct block * 5339 gen_ipfrag(compiler_state_t *cstate) 5340 { 5341 struct slist *s; 5342 struct block *b; 5343 5344 /* not IPv4 frag other than the first frag */ 5345 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H); 5346 b = new_block(cstate, JMP(BPF_JSET)); 5347 b->s.k = 0x1fff; 5348 b->stmts = s; 5349 gen_not(b); 5350 5351 return b; 5352 } 5353 5354 /* 5355 * Generate a comparison to a port value in the transport-layer header 5356 * at the specified offset from the beginning of that header. 5357 * 5358 * XXX - this handles a variable-length prefix preceding the link-layer 5359 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5360 * variable-length link-layer headers (such as Token Ring or 802.11 5361 * headers). 5362 */ 5363 static struct block * 5364 gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v) 5365 { 5366 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v); 5367 } 5368 5369 static struct block * 5370 gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v) 5371 { 5372 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v); 5373 } 5374 5375 struct block * 5376 gen_portop(compiler_state_t *cstate, int port, int proto, int dir) 5377 { 5378 struct block *b0, *b1, *tmp; 5379 5380 /* ip proto 'proto' and not a fragment other than the first fragment */ 5381 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5382 b0 = gen_ipfrag(cstate); 5383 gen_and(tmp, b0); 5384 5385 switch (dir) { 5386 case Q_SRC: 5387 b1 = gen_portatom(cstate, 0, (bpf_int32)port); 5388 break; 5389 5390 case Q_DST: 5391 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5392 break; 5393 5394 case Q_OR: 5395 case Q_DEFAULT: 5396 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5397 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5398 gen_or(tmp, b1); 5399 break; 5400 5401 case Q_AND: 5402 tmp = gen_portatom(cstate, 0, (bpf_int32)port); 5403 b1 = gen_portatom(cstate, 2, (bpf_int32)port); 5404 gen_and(tmp, b1); 5405 break; 5406 5407 default: 5408 abort(); 5409 } 5410 gen_and(b0, b1); 5411 5412 return b1; 5413 } 5414 5415 static struct block * 5416 gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir) 5417 { 5418 struct block *b0, *b1, *tmp; 5419 5420 /* 5421 * ether proto ip 5422 * 5423 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5424 * not LLC encapsulation with LLCSAP_IP. 5425 * 5426 * For IEEE 802 networks - which includes 802.5 token ring 5427 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5428 * says that SNAP encapsulation is used, not LLC encapsulation 5429 * with LLCSAP_IP. 5430 * 5431 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5432 * RFC 2225 say that SNAP encapsulation is used, not LLC 5433 * encapsulation with LLCSAP_IP. 5434 * 5435 * So we always check for ETHERTYPE_IP. 5436 */ 5437 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5438 5439 switch (ip_proto) { 5440 case IPPROTO_UDP: 5441 case IPPROTO_TCP: 5442 case IPPROTO_SCTP: 5443 b1 = gen_portop(cstate, port, ip_proto, dir); 5444 break; 5445 5446 case PROTO_UNDEF: 5447 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir); 5448 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir); 5449 gen_or(tmp, b1); 5450 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir); 5451 gen_or(tmp, b1); 5452 break; 5453 5454 default: 5455 abort(); 5456 } 5457 gen_and(b0, b1); 5458 return b1; 5459 } 5460 5461 struct block * 5462 gen_portop6(compiler_state_t *cstate, int port, int proto, int dir) 5463 { 5464 struct block *b0, *b1, *tmp; 5465 5466 /* ip6 proto 'proto' */ 5467 /* XXX - catch the first fragment of a fragmented packet? */ 5468 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5469 5470 switch (dir) { 5471 case Q_SRC: 5472 b1 = gen_portatom6(cstate, 0, (bpf_int32)port); 5473 break; 5474 5475 case Q_DST: 5476 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5477 break; 5478 5479 case Q_OR: 5480 case Q_DEFAULT: 5481 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5482 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5483 gen_or(tmp, b1); 5484 break; 5485 5486 case Q_AND: 5487 tmp = gen_portatom6(cstate, 0, (bpf_int32)port); 5488 b1 = gen_portatom6(cstate, 2, (bpf_int32)port); 5489 gen_and(tmp, b1); 5490 break; 5491 5492 default: 5493 abort(); 5494 } 5495 gen_and(b0, b1); 5496 5497 return b1; 5498 } 5499 5500 static struct block * 5501 gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir) 5502 { 5503 struct block *b0, *b1, *tmp; 5504 5505 /* link proto ip6 */ 5506 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5507 5508 switch (ip_proto) { 5509 case IPPROTO_UDP: 5510 case IPPROTO_TCP: 5511 case IPPROTO_SCTP: 5512 b1 = gen_portop6(cstate, port, ip_proto, dir); 5513 break; 5514 5515 case PROTO_UNDEF: 5516 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir); 5517 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir); 5518 gen_or(tmp, b1); 5519 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir); 5520 gen_or(tmp, b1); 5521 break; 5522 5523 default: 5524 abort(); 5525 } 5526 gen_and(b0, b1); 5527 return b1; 5528 } 5529 5530 /* gen_portrange code */ 5531 static struct block * 5532 gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1, 5533 bpf_int32 v2) 5534 { 5535 struct block *b1, *b2; 5536 5537 if (v1 > v2) { 5538 /* 5539 * Reverse the order of the ports, so v1 is the lower one. 5540 */ 5541 bpf_int32 vtemp; 5542 5543 vtemp = v1; 5544 v1 = v2; 5545 v2 = vtemp; 5546 } 5547 5548 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1); 5549 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2); 5550 5551 gen_and(b1, b2); 5552 5553 return b2; 5554 } 5555 5556 struct block * 5557 gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto, 5558 int dir) 5559 { 5560 struct block *b0, *b1, *tmp; 5561 5562 /* ip proto 'proto' and not a fragment other than the first fragment */ 5563 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5564 b0 = gen_ipfrag(cstate); 5565 gen_and(tmp, b0); 5566 5567 switch (dir) { 5568 case Q_SRC: 5569 b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5570 break; 5571 5572 case Q_DST: 5573 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5574 break; 5575 5576 case Q_OR: 5577 case Q_DEFAULT: 5578 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5579 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5580 gen_or(tmp, b1); 5581 break; 5582 5583 case Q_AND: 5584 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5585 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5586 gen_and(tmp, b1); 5587 break; 5588 5589 default: 5590 abort(); 5591 } 5592 gen_and(b0, b1); 5593 5594 return b1; 5595 } 5596 5597 static struct block * 5598 gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5599 int dir) 5600 { 5601 struct block *b0, *b1, *tmp; 5602 5603 /* link proto ip */ 5604 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5605 5606 switch (ip_proto) { 5607 case IPPROTO_UDP: 5608 case IPPROTO_TCP: 5609 case IPPROTO_SCTP: 5610 b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir); 5611 break; 5612 5613 case PROTO_UNDEF: 5614 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir); 5615 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir); 5616 gen_or(tmp, b1); 5617 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir); 5618 gen_or(tmp, b1); 5619 break; 5620 5621 default: 5622 abort(); 5623 } 5624 gen_and(b0, b1); 5625 return b1; 5626 } 5627 5628 static struct block * 5629 gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1, 5630 bpf_int32 v2) 5631 { 5632 struct block *b1, *b2; 5633 5634 if (v1 > v2) { 5635 /* 5636 * Reverse the order of the ports, so v1 is the lower one. 5637 */ 5638 bpf_int32 vtemp; 5639 5640 vtemp = v1; 5641 v1 = v2; 5642 v2 = vtemp; 5643 } 5644 5645 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1); 5646 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2); 5647 5648 gen_and(b1, b2); 5649 5650 return b2; 5651 } 5652 5653 struct block * 5654 gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto, 5655 int dir) 5656 { 5657 struct block *b0, *b1, *tmp; 5658 5659 /* ip6 proto 'proto' */ 5660 /* XXX - catch the first fragment of a fragmented packet? */ 5661 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5662 5663 switch (dir) { 5664 case Q_SRC: 5665 b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5666 break; 5667 5668 case Q_DST: 5669 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5670 break; 5671 5672 case Q_OR: 5673 case Q_DEFAULT: 5674 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5675 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5676 gen_or(tmp, b1); 5677 break; 5678 5679 case Q_AND: 5680 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2); 5681 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2); 5682 gen_and(tmp, b1); 5683 break; 5684 5685 default: 5686 abort(); 5687 } 5688 gen_and(b0, b1); 5689 5690 return b1; 5691 } 5692 5693 static struct block * 5694 gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto, 5695 int dir) 5696 { 5697 struct block *b0, *b1, *tmp; 5698 5699 /* link proto ip6 */ 5700 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5701 5702 switch (ip_proto) { 5703 case IPPROTO_UDP: 5704 case IPPROTO_TCP: 5705 case IPPROTO_SCTP: 5706 b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir); 5707 break; 5708 5709 case PROTO_UNDEF: 5710 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir); 5711 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir); 5712 gen_or(tmp, b1); 5713 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir); 5714 gen_or(tmp, b1); 5715 break; 5716 5717 default: 5718 abort(); 5719 } 5720 gen_and(b0, b1); 5721 return b1; 5722 } 5723 5724 static int 5725 lookup_proto(compiler_state_t *cstate, const char *name, int proto) 5726 { 5727 register int v; 5728 5729 switch (proto) { 5730 5731 case Q_DEFAULT: 5732 case Q_IP: 5733 case Q_IPV6: 5734 v = pcap_nametoproto(name); 5735 if (v == PROTO_UNDEF) 5736 bpf_error(cstate, "unknown ip proto '%s'", name); 5737 break; 5738 5739 case Q_LINK: 5740 /* XXX should look up h/w protocol type based on cstate->linktype */ 5741 v = pcap_nametoeproto(name); 5742 if (v == PROTO_UNDEF) { 5743 v = pcap_nametollc(name); 5744 if (v == PROTO_UNDEF) 5745 bpf_error(cstate, "unknown ether proto '%s'", name); 5746 } 5747 break; 5748 5749 case Q_ISO: 5750 if (strcmp(name, "esis") == 0) 5751 v = ISO9542_ESIS; 5752 else if (strcmp(name, "isis") == 0) 5753 v = ISO10589_ISIS; 5754 else if (strcmp(name, "clnp") == 0) 5755 v = ISO8473_CLNP; 5756 else 5757 bpf_error(cstate, "unknown osi proto '%s'", name); 5758 break; 5759 5760 default: 5761 v = PROTO_UNDEF; 5762 break; 5763 } 5764 return v; 5765 } 5766 5767 #if 0 5768 struct stmt * 5769 gen_joinsp(struct stmt **s, int n) 5770 { 5771 return NULL; 5772 } 5773 #endif 5774 5775 static struct block * 5776 gen_protochain(compiler_state_t *cstate, int v, int proto, int dir) 5777 { 5778 #ifdef NO_PROTOCHAIN 5779 return gen_proto(cstate, v, proto, dir); 5780 #else 5781 struct block *b0, *b; 5782 struct slist *s[100]; 5783 int fix2, fix3, fix4, fix5; 5784 int ahcheck, again, end; 5785 int i, max; 5786 int reg2 = alloc_reg(cstate); 5787 5788 memset(s, 0, sizeof(s)); 5789 fix3 = fix4 = fix5 = 0; 5790 5791 switch (proto) { 5792 case Q_IP: 5793 case Q_IPV6: 5794 break; 5795 case Q_DEFAULT: 5796 b0 = gen_protochain(cstate, v, Q_IP, dir); 5797 b = gen_protochain(cstate, v, Q_IPV6, dir); 5798 gen_or(b0, b); 5799 return b; 5800 default: 5801 bpf_error(cstate, "bad protocol applied for 'protochain'"); 5802 /*NOTREACHED*/ 5803 } 5804 5805 /* 5806 * We don't handle variable-length prefixes before the link-layer 5807 * header, or variable-length link-layer headers, here yet. 5808 * We might want to add BPF instructions to do the protochain 5809 * work, to simplify that and, on platforms that have a BPF 5810 * interpreter with the new instructions, let the filtering 5811 * be done in the kernel. (We already require a modified BPF 5812 * engine to do the protochain stuff, to support backward 5813 * branches, and backward branch support is unlikely to appear 5814 * in kernel BPF engines.) 5815 */ 5816 if (cstate->off_linkpl.is_variable) 5817 bpf_error(cstate, "'protochain' not supported with variable length headers"); 5818 5819 cstate->no_optimize = 1; /* this code is not compatible with optimizer yet */ 5820 5821 /* 5822 * s[0] is a dummy entry to protect other BPF insn from damage 5823 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5824 * hard to find interdependency made by jump table fixup. 5825 */ 5826 i = 0; 5827 s[i] = new_stmt(cstate, 0); /*dummy*/ 5828 i++; 5829 5830 switch (proto) { 5831 case Q_IP: 5832 b0 = gen_linktype(cstate, ETHERTYPE_IP); 5833 5834 /* A = ip->ip_p */ 5835 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 5836 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9; 5837 i++; 5838 /* X = ip->ip_hl << 2 */ 5839 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B); 5840 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5841 i++; 5842 break; 5843 5844 case Q_IPV6: 5845 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 5846 5847 /* A = ip6->ip_nxt */ 5848 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B); 5849 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6; 5850 i++; 5851 /* X = sizeof(struct ip6_hdr) */ 5852 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM); 5853 s[i]->s.k = 40; 5854 i++; 5855 break; 5856 5857 default: 5858 bpf_error(cstate, "unsupported proto to gen_protochain"); 5859 /*NOTREACHED*/ 5860 } 5861 5862 /* again: if (A == v) goto end; else fall through; */ 5863 again = i; 5864 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5865 s[i]->s.k = v; 5866 s[i]->s.jt = NULL; /*later*/ 5867 s[i]->s.jf = NULL; /*update in next stmt*/ 5868 fix5 = i; 5869 i++; 5870 5871 #ifndef IPPROTO_NONE 5872 #define IPPROTO_NONE 59 5873 #endif 5874 /* if (A == IPPROTO_NONE) goto end */ 5875 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5876 s[i]->s.jt = NULL; /*later*/ 5877 s[i]->s.jf = NULL; /*update in next stmt*/ 5878 s[i]->s.k = IPPROTO_NONE; 5879 s[fix5]->s.jf = s[i]; 5880 fix2 = i; 5881 i++; 5882 5883 if (proto == Q_IPV6) { 5884 int v6start, v6end, v6advance, j; 5885 5886 v6start = i; 5887 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5888 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5889 s[i]->s.jt = NULL; /*later*/ 5890 s[i]->s.jf = NULL; /*update in next stmt*/ 5891 s[i]->s.k = IPPROTO_HOPOPTS; 5892 s[fix2]->s.jf = s[i]; 5893 i++; 5894 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5895 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5896 s[i]->s.jt = NULL; /*later*/ 5897 s[i]->s.jf = NULL; /*update in next stmt*/ 5898 s[i]->s.k = IPPROTO_DSTOPTS; 5899 i++; 5900 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5901 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5902 s[i]->s.jt = NULL; /*later*/ 5903 s[i]->s.jf = NULL; /*update in next stmt*/ 5904 s[i]->s.k = IPPROTO_ROUTING; 5905 i++; 5906 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5907 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5908 s[i]->s.jt = NULL; /*later*/ 5909 s[i]->s.jf = NULL; /*later*/ 5910 s[i]->s.k = IPPROTO_FRAGMENT; 5911 fix3 = i; 5912 v6end = i; 5913 i++; 5914 5915 /* v6advance: */ 5916 v6advance = i; 5917 5918 /* 5919 * in short, 5920 * A = P[X + packet head]; 5921 * X = X + (P[X + packet head + 1] + 1) * 8; 5922 */ 5923 /* A = P[X + packet head] */ 5924 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5925 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5926 i++; 5927 /* MEM[reg2] = A */ 5928 s[i] = new_stmt(cstate, BPF_ST); 5929 s[i]->s.k = reg2; 5930 i++; 5931 /* A = P[X + packet head + 1]; */ 5932 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5933 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1; 5934 i++; 5935 /* A += 1 */ 5936 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5937 s[i]->s.k = 1; 5938 i++; 5939 /* A *= 8 */ 5940 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 5941 s[i]->s.k = 8; 5942 i++; 5943 /* A += X */ 5944 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 5945 s[i]->s.k = 0; 5946 i++; 5947 /* X = A; */ 5948 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 5949 i++; 5950 /* A = MEM[reg2] */ 5951 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 5952 s[i]->s.k = reg2; 5953 i++; 5954 5955 /* goto again; (must use BPF_JA for backward jump) */ 5956 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 5957 s[i]->s.k = again - i - 1; 5958 s[i - 1]->s.jf = s[i]; 5959 i++; 5960 5961 /* fixup */ 5962 for (j = v6start; j <= v6end; j++) 5963 s[j]->s.jt = s[v6advance]; 5964 } else { 5965 /* nop */ 5966 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 5967 s[i]->s.k = 0; 5968 s[fix2]->s.jf = s[i]; 5969 i++; 5970 } 5971 5972 /* ahcheck: */ 5973 ahcheck = i; 5974 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5975 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K); 5976 s[i]->s.jt = NULL; /*later*/ 5977 s[i]->s.jf = NULL; /*later*/ 5978 s[i]->s.k = IPPROTO_AH; 5979 if (fix3) 5980 s[fix3]->s.jf = s[ahcheck]; 5981 fix4 = i; 5982 i++; 5983 5984 /* 5985 * in short, 5986 * A = P[X]; 5987 * X = X + (P[X + 1] + 2) * 4; 5988 */ 5989 /* A = X */ 5990 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 5991 i++; 5992 /* A = P[X + packet head]; */ 5993 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 5994 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 5995 i++; 5996 /* MEM[reg2] = A */ 5997 s[i] = new_stmt(cstate, BPF_ST); 5998 s[i]->s.k = reg2; 5999 i++; 6000 /* A = X */ 6001 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA); 6002 i++; 6003 /* A += 1 */ 6004 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6005 s[i]->s.k = 1; 6006 i++; 6007 /* X = A */ 6008 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6009 i++; 6010 /* A = P[X + packet head] */ 6011 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 6012 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 6013 i++; 6014 /* A += 2 */ 6015 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6016 s[i]->s.k = 2; 6017 i++; 6018 /* A *= 4 */ 6019 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 6020 s[i]->s.k = 4; 6021 i++; 6022 /* X = A; */ 6023 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX); 6024 i++; 6025 /* A = MEM[reg2] */ 6026 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM); 6027 s[i]->s.k = reg2; 6028 i++; 6029 6030 /* goto again; (must use BPF_JA for backward jump) */ 6031 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA); 6032 s[i]->s.k = again - i - 1; 6033 i++; 6034 6035 /* end: nop */ 6036 end = i; 6037 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 6038 s[i]->s.k = 0; 6039 s[fix2]->s.jt = s[end]; 6040 s[fix4]->s.jf = s[end]; 6041 s[fix5]->s.jt = s[end]; 6042 i++; 6043 6044 /* 6045 * make slist chain 6046 */ 6047 max = i; 6048 for (i = 0; i < max - 1; i++) 6049 s[i]->next = s[i + 1]; 6050 s[max - 1]->next = NULL; 6051 6052 /* 6053 * emit final check 6054 */ 6055 b = new_block(cstate, JMP(BPF_JEQ)); 6056 b->stmts = s[1]; /*remember, s[0] is dummy*/ 6057 b->s.k = v; 6058 6059 free_reg(cstate, reg2); 6060 6061 gen_and(b0, b); 6062 return b; 6063 #endif 6064 } 6065 6066 static struct block * 6067 gen_check_802_11_data_frame(compiler_state_t *cstate) 6068 { 6069 struct slist *s; 6070 struct block *b0, *b1; 6071 6072 /* 6073 * A data frame has the 0x08 bit (b3) in the frame control field set 6074 * and the 0x04 bit (b2) clear. 6075 */ 6076 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6077 b0 = new_block(cstate, JMP(BPF_JSET)); 6078 b0->s.k = 0x08; 6079 b0->stmts = s; 6080 6081 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 6082 b1 = new_block(cstate, JMP(BPF_JSET)); 6083 b1->s.k = 0x04; 6084 b1->stmts = s; 6085 gen_not(b1); 6086 6087 gen_and(b1, b0); 6088 6089 return b0; 6090 } 6091 6092 /* 6093 * Generate code that checks whether the packet is a packet for protocol 6094 * <proto> and whether the type field in that protocol's header has 6095 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 6096 * IP packet and checks the protocol number in the IP header against <v>. 6097 * 6098 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 6099 * against Q_IP and Q_IPV6. 6100 */ 6101 static struct block * 6102 gen_proto(compiler_state_t *cstate, int v, int proto, int dir) 6103 { 6104 struct block *b0, *b1; 6105 #ifndef CHASE_CHAIN 6106 struct block *b2; 6107 #endif 6108 6109 if (dir != Q_DEFAULT) 6110 bpf_error(cstate, "direction applied to 'proto'"); 6111 6112 switch (proto) { 6113 case Q_DEFAULT: 6114 b0 = gen_proto(cstate, v, Q_IP, dir); 6115 b1 = gen_proto(cstate, v, Q_IPV6, dir); 6116 gen_or(b0, b1); 6117 return b1; 6118 6119 case Q_IP: 6120 /* 6121 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 6122 * not LLC encapsulation with LLCSAP_IP. 6123 * 6124 * For IEEE 802 networks - which includes 802.5 token ring 6125 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 6126 * says that SNAP encapsulation is used, not LLC encapsulation 6127 * with LLCSAP_IP. 6128 * 6129 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 6130 * RFC 2225 say that SNAP encapsulation is used, not LLC 6131 * encapsulation with LLCSAP_IP. 6132 * 6133 * So we always check for ETHERTYPE_IP. 6134 */ 6135 b0 = gen_linktype(cstate, ETHERTYPE_IP); 6136 #ifndef CHASE_CHAIN 6137 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v); 6138 #else 6139 b1 = gen_protochain(cstate, v, Q_IP); 6140 #endif 6141 gen_and(b0, b1); 6142 return b1; 6143 6144 case Q_ISO: 6145 switch (cstate->linktype) { 6146 6147 case DLT_FRELAY: 6148 /* 6149 * Frame Relay packets typically have an OSI 6150 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)" 6151 * generates code to check for all the OSI 6152 * NLPIDs, so calling it and then adding a check 6153 * for the particular NLPID for which we're 6154 * looking is bogus, as we can just check for 6155 * the NLPID. 6156 * 6157 * What we check for is the NLPID and a frame 6158 * control field value of UI, i.e. 0x03 followed 6159 * by the NLPID. 6160 * 6161 * XXX - assumes a 2-byte Frame Relay header with 6162 * DLCI and flags. What if the address is longer? 6163 * 6164 * XXX - what about SNAP-encapsulated frames? 6165 */ 6166 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v); 6167 /*NOTREACHED*/ 6168 break; 6169 6170 case DLT_C_HDLC: 6171 /* 6172 * Cisco uses an Ethertype lookalike - for OSI, 6173 * it's 0xfefe. 6174 */ 6175 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS); 6176 /* OSI in C-HDLC is stuffed with a fudge byte */ 6177 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v); 6178 gen_and(b0, b1); 6179 return b1; 6180 6181 default: 6182 b0 = gen_linktype(cstate, LLCSAP_ISONS); 6183 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v); 6184 gen_and(b0, b1); 6185 return b1; 6186 } 6187 6188 case Q_ISIS: 6189 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT); 6190 /* 6191 * 4 is the offset of the PDU type relative to the IS-IS 6192 * header. 6193 */ 6194 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v); 6195 gen_and(b0, b1); 6196 return b1; 6197 6198 case Q_ARP: 6199 bpf_error(cstate, "arp does not encapsulate another protocol"); 6200 /* NOTREACHED */ 6201 6202 case Q_RARP: 6203 bpf_error(cstate, "rarp does not encapsulate another protocol"); 6204 /* NOTREACHED */ 6205 6206 case Q_ATALK: 6207 bpf_error(cstate, "atalk encapsulation is not specifiable"); 6208 /* NOTREACHED */ 6209 6210 case Q_DECNET: 6211 bpf_error(cstate, "decnet encapsulation is not specifiable"); 6212 /* NOTREACHED */ 6213 6214 case Q_SCA: 6215 bpf_error(cstate, "sca does not encapsulate another protocol"); 6216 /* NOTREACHED */ 6217 6218 case Q_LAT: 6219 bpf_error(cstate, "lat does not encapsulate another protocol"); 6220 /* NOTREACHED */ 6221 6222 case Q_MOPRC: 6223 bpf_error(cstate, "moprc does not encapsulate another protocol"); 6224 /* NOTREACHED */ 6225 6226 case Q_MOPDL: 6227 bpf_error(cstate, "mopdl does not encapsulate another protocol"); 6228 /* NOTREACHED */ 6229 6230 case Q_LINK: 6231 return gen_linktype(cstate, v); 6232 6233 case Q_UDP: 6234 bpf_error(cstate, "'udp proto' is bogus"); 6235 /* NOTREACHED */ 6236 6237 case Q_TCP: 6238 bpf_error(cstate, "'tcp proto' is bogus"); 6239 /* NOTREACHED */ 6240 6241 case Q_SCTP: 6242 bpf_error(cstate, "'sctp proto' is bogus"); 6243 /* NOTREACHED */ 6244 6245 case Q_ICMP: 6246 bpf_error(cstate, "'icmp proto' is bogus"); 6247 /* NOTREACHED */ 6248 6249 case Q_IGMP: 6250 bpf_error(cstate, "'igmp proto' is bogus"); 6251 /* NOTREACHED */ 6252 6253 case Q_IGRP: 6254 bpf_error(cstate, "'igrp proto' is bogus"); 6255 /* NOTREACHED */ 6256 6257 case Q_PIM: 6258 bpf_error(cstate, "'pim proto' is bogus"); 6259 /* NOTREACHED */ 6260 6261 case Q_VRRP: 6262 bpf_error(cstate, "'vrrp proto' is bogus"); 6263 /* NOTREACHED */ 6264 6265 case Q_CARP: 6266 bpf_error(cstate, "'carp proto' is bogus"); 6267 /* NOTREACHED */ 6268 6269 case Q_IPV6: 6270 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 6271 #ifndef CHASE_CHAIN 6272 /* 6273 * Also check for a fragment header before the final 6274 * header. 6275 */ 6276 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT); 6277 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v); 6278 gen_and(b2, b1); 6279 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v); 6280 gen_or(b2, b1); 6281 #else 6282 b1 = gen_protochain(cstate, v, Q_IPV6); 6283 #endif 6284 gen_and(b0, b1); 6285 return b1; 6286 6287 case Q_ICMPV6: 6288 bpf_error(cstate, "'icmp6 proto' is bogus"); 6289 6290 case Q_AH: 6291 bpf_error(cstate, "'ah proto' is bogus"); 6292 6293 case Q_ESP: 6294 bpf_error(cstate, "'ah proto' is bogus"); 6295 6296 case Q_STP: 6297 bpf_error(cstate, "'stp proto' is bogus"); 6298 6299 case Q_IPX: 6300 bpf_error(cstate, "'ipx proto' is bogus"); 6301 6302 case Q_NETBEUI: 6303 bpf_error(cstate, "'netbeui proto' is bogus"); 6304 6305 case Q_RADIO: 6306 bpf_error(cstate, "'radio proto' is bogus"); 6307 6308 default: 6309 abort(); 6310 /* NOTREACHED */ 6311 } 6312 /* NOTREACHED */ 6313 } 6314 6315 struct block * 6316 gen_scode(compiler_state_t *cstate, const char *name, struct qual q) 6317 { 6318 int proto = q.proto; 6319 int dir = q.dir; 6320 int tproto; 6321 u_char *eaddr; 6322 bpf_u_int32 mask, addr; 6323 struct addrinfo *res, *res0; 6324 struct sockaddr_in *sin4; 6325 #ifdef INET6 6326 int tproto6; 6327 struct sockaddr_in6 *sin6; 6328 struct in6_addr mask128; 6329 #endif /*INET6*/ 6330 struct block *b, *tmp; 6331 int port, real_proto; 6332 int port1, port2; 6333 6334 switch (q.addr) { 6335 6336 case Q_NET: 6337 addr = pcap_nametonetaddr(name); 6338 if (addr == 0) 6339 bpf_error(cstate, "unknown network '%s'", name); 6340 /* Left justify network addr and calculate its network mask */ 6341 mask = 0xffffffff; 6342 while (addr && (addr & 0xff000000) == 0) { 6343 addr <<= 8; 6344 mask <<= 8; 6345 } 6346 return gen_host(cstate, addr, mask, proto, dir, q.addr); 6347 6348 case Q_DEFAULT: 6349 case Q_HOST: 6350 if (proto == Q_LINK) { 6351 switch (cstate->linktype) { 6352 6353 case DLT_EN10MB: 6354 case DLT_NETANALYZER: 6355 case DLT_NETANALYZER_TRANSPARENT: 6356 eaddr = pcap_ether_hostton(name); 6357 if (eaddr == NULL) 6358 bpf_error(cstate, 6359 "unknown ether host '%s'", name); 6360 tmp = gen_prevlinkhdr_check(cstate); 6361 b = gen_ehostop(cstate, eaddr, dir); 6362 if (tmp != NULL) 6363 gen_and(tmp, b); 6364 free(eaddr); 6365 return b; 6366 6367 case DLT_FDDI: 6368 eaddr = pcap_ether_hostton(name); 6369 if (eaddr == NULL) 6370 bpf_error(cstate, 6371 "unknown FDDI host '%s'", name); 6372 b = gen_fhostop(cstate, eaddr, dir); 6373 free(eaddr); 6374 return b; 6375 6376 case DLT_IEEE802: 6377 eaddr = pcap_ether_hostton(name); 6378 if (eaddr == NULL) 6379 bpf_error(cstate, 6380 "unknown token ring host '%s'", name); 6381 b = gen_thostop(cstate, eaddr, dir); 6382 free(eaddr); 6383 return b; 6384 6385 case DLT_IEEE802_11: 6386 case DLT_PRISM_HEADER: 6387 case DLT_IEEE802_11_RADIO_AVS: 6388 case DLT_IEEE802_11_RADIO: 6389 case DLT_PPI: 6390 eaddr = pcap_ether_hostton(name); 6391 if (eaddr == NULL) 6392 bpf_error(cstate, 6393 "unknown 802.11 host '%s'", name); 6394 b = gen_wlanhostop(cstate, eaddr, dir); 6395 free(eaddr); 6396 return b; 6397 6398 case DLT_IP_OVER_FC: 6399 eaddr = pcap_ether_hostton(name); 6400 if (eaddr == NULL) 6401 bpf_error(cstate, 6402 "unknown Fibre Channel host '%s'", name); 6403 b = gen_ipfchostop(cstate, eaddr, dir); 6404 free(eaddr); 6405 return b; 6406 } 6407 6408 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6409 } else if (proto == Q_DECNET) { 6410 unsigned short dn_addr; 6411 6412 if (!__pcap_nametodnaddr(name, &dn_addr)) { 6413 #ifdef DECNETLIB 6414 bpf_error(cstate, "unknown decnet host name '%s'\n", name); 6415 #else 6416 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n", 6417 name); 6418 #endif 6419 } 6420 /* 6421 * I don't think DECNET hosts can be multihomed, so 6422 * there is no need to build up a list of addresses 6423 */ 6424 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr)); 6425 } else { 6426 #ifdef INET6 6427 memset(&mask128, 0xff, sizeof(mask128)); 6428 #endif 6429 res0 = res = pcap_nametoaddrinfo(name); 6430 if (res == NULL) 6431 bpf_error(cstate, "unknown host '%s'", name); 6432 cstate->ai = res; 6433 b = tmp = NULL; 6434 tproto = proto; 6435 #ifdef INET6 6436 tproto6 = proto; 6437 #endif 6438 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET && 6439 tproto == Q_DEFAULT) { 6440 tproto = Q_IP; 6441 #ifdef INET6 6442 tproto6 = Q_IPV6; 6443 #endif 6444 } 6445 for (res = res0; res; res = res->ai_next) { 6446 switch (res->ai_family) { 6447 case AF_INET: 6448 #ifdef INET6 6449 if (tproto == Q_IPV6) 6450 continue; 6451 #endif 6452 6453 sin4 = (struct sockaddr_in *) 6454 res->ai_addr; 6455 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr), 6456 0xffffffff, tproto, dir, q.addr); 6457 break; 6458 #ifdef INET6 6459 case AF_INET6: 6460 if (tproto6 == Q_IP) 6461 continue; 6462 6463 sin6 = (struct sockaddr_in6 *) 6464 res->ai_addr; 6465 tmp = gen_host6(cstate, &sin6->sin6_addr, 6466 &mask128, tproto6, dir, q.addr); 6467 break; 6468 #endif 6469 default: 6470 continue; 6471 } 6472 if (b) 6473 gen_or(b, tmp); 6474 b = tmp; 6475 } 6476 cstate->ai = NULL; 6477 freeaddrinfo(res0); 6478 if (b == NULL) { 6479 bpf_error(cstate, "unknown host '%s'%s", name, 6480 (proto == Q_DEFAULT) 6481 ? "" 6482 : " for specified address family"); 6483 } 6484 return b; 6485 } 6486 6487 case Q_PORT: 6488 if (proto != Q_DEFAULT && 6489 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6490 bpf_error(cstate, "illegal qualifier of 'port'"); 6491 if (pcap_nametoport(name, &port, &real_proto) == 0) 6492 bpf_error(cstate, "unknown port '%s'", name); 6493 if (proto == Q_UDP) { 6494 if (real_proto == IPPROTO_TCP) 6495 bpf_error(cstate, "port '%s' is tcp", name); 6496 else if (real_proto == IPPROTO_SCTP) 6497 bpf_error(cstate, "port '%s' is sctp", name); 6498 else 6499 /* override PROTO_UNDEF */ 6500 real_proto = IPPROTO_UDP; 6501 } 6502 if (proto == Q_TCP) { 6503 if (real_proto == IPPROTO_UDP) 6504 bpf_error(cstate, "port '%s' is udp", name); 6505 6506 else if (real_proto == IPPROTO_SCTP) 6507 bpf_error(cstate, "port '%s' is sctp", name); 6508 else 6509 /* override PROTO_UNDEF */ 6510 real_proto = IPPROTO_TCP; 6511 } 6512 if (proto == Q_SCTP) { 6513 if (real_proto == IPPROTO_UDP) 6514 bpf_error(cstate, "port '%s' is udp", name); 6515 6516 else if (real_proto == IPPROTO_TCP) 6517 bpf_error(cstate, "port '%s' is tcp", name); 6518 else 6519 /* override PROTO_UNDEF */ 6520 real_proto = IPPROTO_SCTP; 6521 } 6522 if (port < 0) 6523 bpf_error(cstate, "illegal port number %d < 0", port); 6524 if (port > 65535) 6525 bpf_error(cstate, "illegal port number %d > 65535", port); 6526 b = gen_port(cstate, port, real_proto, dir); 6527 gen_or(gen_port6(cstate, port, real_proto, dir), b); 6528 return b; 6529 6530 case Q_PORTRANGE: 6531 if (proto != Q_DEFAULT && 6532 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6533 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6534 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6535 bpf_error(cstate, "unknown port in range '%s'", name); 6536 if (proto == Q_UDP) { 6537 if (real_proto == IPPROTO_TCP) 6538 bpf_error(cstate, "port in range '%s' is tcp", name); 6539 else if (real_proto == IPPROTO_SCTP) 6540 bpf_error(cstate, "port in range '%s' is sctp", name); 6541 else 6542 /* override PROTO_UNDEF */ 6543 real_proto = IPPROTO_UDP; 6544 } 6545 if (proto == Q_TCP) { 6546 if (real_proto == IPPROTO_UDP) 6547 bpf_error(cstate, "port in range '%s' is udp", name); 6548 else if (real_proto == IPPROTO_SCTP) 6549 bpf_error(cstate, "port in range '%s' is sctp", name); 6550 else 6551 /* override PROTO_UNDEF */ 6552 real_proto = IPPROTO_TCP; 6553 } 6554 if (proto == Q_SCTP) { 6555 if (real_proto == IPPROTO_UDP) 6556 bpf_error(cstate, "port in range '%s' is udp", name); 6557 else if (real_proto == IPPROTO_TCP) 6558 bpf_error(cstate, "port in range '%s' is tcp", name); 6559 else 6560 /* override PROTO_UNDEF */ 6561 real_proto = IPPROTO_SCTP; 6562 } 6563 if (port1 < 0) 6564 bpf_error(cstate, "illegal port number %d < 0", port1); 6565 if (port1 > 65535) 6566 bpf_error(cstate, "illegal port number %d > 65535", port1); 6567 if (port2 < 0) 6568 bpf_error(cstate, "illegal port number %d < 0", port2); 6569 if (port2 > 65535) 6570 bpf_error(cstate, "illegal port number %d > 65535", port2); 6571 6572 b = gen_portrange(cstate, port1, port2, real_proto, dir); 6573 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b); 6574 return b; 6575 6576 case Q_GATEWAY: 6577 #ifndef INET6 6578 eaddr = pcap_ether_hostton(name); 6579 if (eaddr == NULL) 6580 bpf_error(cstate, "unknown ether host: %s", name); 6581 6582 res = pcap_nametoaddrinfo(name); 6583 cstate->ai = res; 6584 if (res == NULL) 6585 bpf_error(cstate, "unknown host '%s'", name); 6586 b = gen_gateway(cstate, eaddr, res, proto, dir); 6587 cstate->ai = NULL; 6588 freeaddrinfo(res); 6589 if (b == NULL) 6590 bpf_error(cstate, "unknown host '%s'", name); 6591 return b; 6592 #else 6593 bpf_error(cstate, "'gateway' not supported in this configuration"); 6594 #endif /*INET6*/ 6595 6596 case Q_PROTO: 6597 real_proto = lookup_proto(cstate, name, proto); 6598 if (real_proto >= 0) 6599 return gen_proto(cstate, real_proto, proto, dir); 6600 else 6601 bpf_error(cstate, "unknown protocol: %s", name); 6602 6603 case Q_PROTOCHAIN: 6604 real_proto = lookup_proto(cstate, name, proto); 6605 if (real_proto >= 0) 6606 return gen_protochain(cstate, real_proto, proto, dir); 6607 else 6608 bpf_error(cstate, "unknown protocol: %s", name); 6609 6610 case Q_UNDEF: 6611 syntax(cstate); 6612 /* NOTREACHED */ 6613 } 6614 abort(); 6615 /* NOTREACHED */ 6616 } 6617 6618 struct block * 6619 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2, 6620 unsigned int masklen, struct qual q) 6621 { 6622 register int nlen, mlen; 6623 bpf_u_int32 n, m; 6624 6625 nlen = __pcap_atoin(s1, &n); 6626 /* Promote short ipaddr */ 6627 n <<= 32 - nlen; 6628 6629 if (s2 != NULL) { 6630 mlen = __pcap_atoin(s2, &m); 6631 /* Promote short ipaddr */ 6632 m <<= 32 - mlen; 6633 if ((n & ~m) != 0) 6634 bpf_error(cstate, "non-network bits set in \"%s mask %s\"", 6635 s1, s2); 6636 } else { 6637 /* Convert mask len to mask */ 6638 if (masklen > 32) 6639 bpf_error(cstate, "mask length must be <= 32"); 6640 if (masklen == 0) { 6641 /* 6642 * X << 32 is not guaranteed by C to be 0; it's 6643 * undefined. 6644 */ 6645 m = 0; 6646 } else 6647 m = 0xffffffff << (32 - masklen); 6648 if ((n & ~m) != 0) 6649 bpf_error(cstate, "non-network bits set in \"%s/%d\"", 6650 s1, masklen); 6651 } 6652 6653 switch (q.addr) { 6654 6655 case Q_NET: 6656 return gen_host(cstate, n, m, q.proto, q.dir, q.addr); 6657 6658 default: 6659 bpf_error(cstate, "Mask syntax for networks only"); 6660 /* NOTREACHED */ 6661 } 6662 /* NOTREACHED */ 6663 } 6664 6665 struct block * 6666 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q) 6667 { 6668 bpf_u_int32 mask; 6669 int proto = q.proto; 6670 int dir = q.dir; 6671 register int vlen; 6672 6673 if (s == NULL) 6674 vlen = 32; 6675 else if (q.proto == Q_DECNET) { 6676 vlen = __pcap_atodn(s, &v); 6677 if (vlen == 0) 6678 bpf_error(cstate, "malformed decnet address '%s'", s); 6679 } else 6680 vlen = __pcap_atoin(s, &v); 6681 6682 switch (q.addr) { 6683 6684 case Q_DEFAULT: 6685 case Q_HOST: 6686 case Q_NET: 6687 if (proto == Q_DECNET) 6688 return gen_host(cstate, v, 0, proto, dir, q.addr); 6689 else if (proto == Q_LINK) { 6690 bpf_error(cstate, "illegal link layer address"); 6691 } else { 6692 mask = 0xffffffff; 6693 if (s == NULL && q.addr == Q_NET) { 6694 /* Promote short net number */ 6695 while (v && (v & 0xff000000) == 0) { 6696 v <<= 8; 6697 mask <<= 8; 6698 } 6699 } else { 6700 /* Promote short ipaddr */ 6701 v <<= 32 - vlen; 6702 mask <<= 32 - vlen ; 6703 } 6704 return gen_host(cstate, v, mask, proto, dir, q.addr); 6705 } 6706 6707 case Q_PORT: 6708 if (proto == Q_UDP) 6709 proto = IPPROTO_UDP; 6710 else if (proto == Q_TCP) 6711 proto = IPPROTO_TCP; 6712 else if (proto == Q_SCTP) 6713 proto = IPPROTO_SCTP; 6714 else if (proto == Q_DEFAULT) 6715 proto = PROTO_UNDEF; 6716 else 6717 bpf_error(cstate, "illegal qualifier of 'port'"); 6718 6719 if (v > 65535) 6720 bpf_error(cstate, "illegal port number %u > 65535", v); 6721 6722 { 6723 struct block *b; 6724 b = gen_port(cstate, (int)v, proto, dir); 6725 gen_or(gen_port6(cstate, (int)v, proto, dir), b); 6726 return b; 6727 } 6728 6729 case Q_PORTRANGE: 6730 if (proto == Q_UDP) 6731 proto = IPPROTO_UDP; 6732 else if (proto == Q_TCP) 6733 proto = IPPROTO_TCP; 6734 else if (proto == Q_SCTP) 6735 proto = IPPROTO_SCTP; 6736 else if (proto == Q_DEFAULT) 6737 proto = PROTO_UNDEF; 6738 else 6739 bpf_error(cstate, "illegal qualifier of 'portrange'"); 6740 6741 if (v > 65535) 6742 bpf_error(cstate, "illegal port number %u > 65535", v); 6743 6744 { 6745 struct block *b; 6746 b = gen_portrange(cstate, (int)v, (int)v, proto, dir); 6747 gen_or(gen_portrange6(cstate, (int)v, (int)v, proto, dir), b); 6748 return b; 6749 } 6750 6751 case Q_GATEWAY: 6752 bpf_error(cstate, "'gateway' requires a name"); 6753 /* NOTREACHED */ 6754 6755 case Q_PROTO: 6756 return gen_proto(cstate, (int)v, proto, dir); 6757 6758 case Q_PROTOCHAIN: 6759 return gen_protochain(cstate, (int)v, proto, dir); 6760 6761 case Q_UNDEF: 6762 syntax(cstate); 6763 /* NOTREACHED */ 6764 6765 default: 6766 abort(); 6767 /* NOTREACHED */ 6768 } 6769 /* NOTREACHED */ 6770 } 6771 6772 #ifdef INET6 6773 struct block * 6774 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2, 6775 unsigned int masklen, struct qual q) 6776 { 6777 struct addrinfo *res; 6778 struct in6_addr *addr; 6779 struct in6_addr mask; 6780 struct block *b; 6781 uint32_t *a, *m; 6782 6783 if (s2) 6784 bpf_error(cstate, "no mask %s supported", s2); 6785 6786 res = pcap_nametoaddrinfo(s1); 6787 if (!res) 6788 bpf_error(cstate, "invalid ip6 address %s", s1); 6789 cstate->ai = res; 6790 if (res->ai_next) 6791 bpf_error(cstate, "%s resolved to multiple address", s1); 6792 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6793 6794 if (sizeof(mask) * 8 < masklen) 6795 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6796 memset(&mask, 0, sizeof(mask)); 6797 memset(&mask, 0xff, masklen / 8); 6798 if (masklen % 8) { 6799 mask.s6_addr[masklen / 8] = 6800 (0xff << (8 - masklen % 8)) & 0xff; 6801 } 6802 6803 a = (uint32_t *)addr; 6804 m = (uint32_t *)&mask; 6805 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6806 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6807 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen); 6808 } 6809 6810 switch (q.addr) { 6811 6812 case Q_DEFAULT: 6813 case Q_HOST: 6814 if (masklen != 128) 6815 bpf_error(cstate, "Mask syntax for networks only"); 6816 /* FALLTHROUGH */ 6817 6818 case Q_NET: 6819 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr); 6820 cstate->ai = NULL; 6821 freeaddrinfo(res); 6822 return b; 6823 6824 default: 6825 bpf_error(cstate, "invalid qualifier against IPv6 address"); 6826 /* NOTREACHED */ 6827 } 6828 } 6829 #endif /*INET6*/ 6830 6831 struct block * 6832 gen_ecode(compiler_state_t *cstate, const u_char *eaddr, struct qual q) 6833 { 6834 struct block *b, *tmp; 6835 6836 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6837 switch (cstate->linktype) { 6838 case DLT_EN10MB: 6839 case DLT_NETANALYZER: 6840 case DLT_NETANALYZER_TRANSPARENT: 6841 tmp = gen_prevlinkhdr_check(cstate); 6842 b = gen_ehostop(cstate, eaddr, (int)q.dir); 6843 if (tmp != NULL) 6844 gen_and(tmp, b); 6845 return b; 6846 case DLT_FDDI: 6847 return gen_fhostop(cstate, eaddr, (int)q.dir); 6848 case DLT_IEEE802: 6849 return gen_thostop(cstate, eaddr, (int)q.dir); 6850 case DLT_IEEE802_11: 6851 case DLT_PRISM_HEADER: 6852 case DLT_IEEE802_11_RADIO_AVS: 6853 case DLT_IEEE802_11_RADIO: 6854 case DLT_PPI: 6855 return gen_wlanhostop(cstate, eaddr, (int)q.dir); 6856 case DLT_IP_OVER_FC: 6857 return gen_ipfchostop(cstate, eaddr, (int)q.dir); 6858 default: 6859 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6860 break; 6861 } 6862 } 6863 bpf_error(cstate, "ethernet address used in non-ether expression"); 6864 /* NOTREACHED */ 6865 } 6866 6867 void 6868 sappend(struct slist *s0, struct slist *s1) 6869 { 6870 /* 6871 * This is definitely not the best way to do this, but the 6872 * lists will rarely get long. 6873 */ 6874 while (s0->next) 6875 s0 = s0->next; 6876 s0->next = s1; 6877 } 6878 6879 static struct slist * 6880 xfer_to_x(compiler_state_t *cstate, struct arth *a) 6881 { 6882 struct slist *s; 6883 6884 s = new_stmt(cstate, BPF_LDX|BPF_MEM); 6885 s->s.k = a->regno; 6886 return s; 6887 } 6888 6889 static struct slist * 6890 xfer_to_a(compiler_state_t *cstate, struct arth *a) 6891 { 6892 struct slist *s; 6893 6894 s = new_stmt(cstate, BPF_LD|BPF_MEM); 6895 s->s.k = a->regno; 6896 return s; 6897 } 6898 6899 /* 6900 * Modify "index" to use the value stored into its register as an 6901 * offset relative to the beginning of the header for the protocol 6902 * "proto", and allocate a register and put an item "size" bytes long 6903 * (1, 2, or 4) at that offset into that register, making it the register 6904 * for "index". 6905 */ 6906 struct arth * 6907 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, int size) 6908 { 6909 struct slist *s, *tmp; 6910 struct block *b; 6911 int regno = alloc_reg(cstate); 6912 6913 free_reg(cstate, inst->regno); 6914 switch (size) { 6915 6916 default: 6917 bpf_error(cstate, "data size must be 1, 2, or 4"); 6918 6919 case 1: 6920 size = BPF_B; 6921 break; 6922 6923 case 2: 6924 size = BPF_H; 6925 break; 6926 6927 case 4: 6928 size = BPF_W; 6929 break; 6930 } 6931 switch (proto) { 6932 default: 6933 bpf_error(cstate, "unsupported index operation"); 6934 6935 case Q_RADIO: 6936 /* 6937 * The offset is relative to the beginning of the packet 6938 * data, if we have a radio header. (If we don't, this 6939 * is an error.) 6940 */ 6941 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS && 6942 cstate->linktype != DLT_IEEE802_11_RADIO && 6943 cstate->linktype != DLT_PRISM_HEADER) 6944 bpf_error(cstate, "radio information not present in capture"); 6945 6946 /* 6947 * Load into the X register the offset computed into the 6948 * register specified by "index". 6949 */ 6950 s = xfer_to_x(cstate, inst); 6951 6952 /* 6953 * Load the item at that offset. 6954 */ 6955 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6956 sappend(s, tmp); 6957 sappend(inst->s, s); 6958 break; 6959 6960 case Q_LINK: 6961 /* 6962 * The offset is relative to the beginning of 6963 * the link-layer header. 6964 * 6965 * XXX - what about ATM LANE? Should the index be 6966 * relative to the beginning of the AAL5 frame, so 6967 * that 0 refers to the beginning of the LE Control 6968 * field, or relative to the beginning of the LAN 6969 * frame, so that 0 refers, for Ethernet LANE, to 6970 * the beginning of the destination address? 6971 */ 6972 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr); 6973 6974 /* 6975 * If "s" is non-null, it has code to arrange that the 6976 * X register contains the length of the prefix preceding 6977 * the link-layer header. Add to it the offset computed 6978 * into the register specified by "index", and move that 6979 * into the X register. Otherwise, just load into the X 6980 * register the offset computed into the register specified 6981 * by "index". 6982 */ 6983 if (s != NULL) { 6984 sappend(s, xfer_to_a(cstate, inst)); 6985 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 6986 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 6987 } else 6988 s = xfer_to_x(cstate, inst); 6989 6990 /* 6991 * Load the item at the sum of the offset we've put in the 6992 * X register and the offset of the start of the link 6993 * layer header (which is 0 if the radio header is 6994 * variable-length; that header length is what we put 6995 * into the X register and then added to the index). 6996 */ 6997 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 6998 tmp->s.k = cstate->off_linkhdr.constant_part; 6999 sappend(s, tmp); 7000 sappend(inst->s, s); 7001 break; 7002 7003 case Q_IP: 7004 case Q_ARP: 7005 case Q_RARP: 7006 case Q_ATALK: 7007 case Q_DECNET: 7008 case Q_SCA: 7009 case Q_LAT: 7010 case Q_MOPRC: 7011 case Q_MOPDL: 7012 case Q_IPV6: 7013 /* 7014 * The offset is relative to the beginning of 7015 * the network-layer header. 7016 * XXX - are there any cases where we want 7017 * cstate->off_nl_nosnap? 7018 */ 7019 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7020 7021 /* 7022 * If "s" is non-null, it has code to arrange that the 7023 * X register contains the variable part of the offset 7024 * of the link-layer payload. Add to it the offset 7025 * computed into the register specified by "index", 7026 * and move that into the X register. Otherwise, just 7027 * load into the X register the offset computed into 7028 * the register specified by "index". 7029 */ 7030 if (s != NULL) { 7031 sappend(s, xfer_to_a(cstate, inst)); 7032 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7033 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7034 } else 7035 s = xfer_to_x(cstate, inst); 7036 7037 /* 7038 * Load the item at the sum of the offset we've put in the 7039 * X register, the offset of the start of the network 7040 * layer header from the beginning of the link-layer 7041 * payload, and the constant part of the offset of the 7042 * start of the link-layer payload. 7043 */ 7044 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7045 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7046 sappend(s, tmp); 7047 sappend(inst->s, s); 7048 7049 /* 7050 * Do the computation only if the packet contains 7051 * the protocol in question. 7052 */ 7053 b = gen_proto_abbrev(cstate, proto); 7054 if (inst->b) 7055 gen_and(inst->b, b); 7056 inst->b = b; 7057 break; 7058 7059 case Q_SCTP: 7060 case Q_TCP: 7061 case Q_UDP: 7062 case Q_ICMP: 7063 case Q_IGMP: 7064 case Q_IGRP: 7065 case Q_PIM: 7066 case Q_VRRP: 7067 case Q_CARP: 7068 /* 7069 * The offset is relative to the beginning of 7070 * the transport-layer header. 7071 * 7072 * Load the X register with the length of the IPv4 header 7073 * (plus the offset of the link-layer header, if it's 7074 * a variable-length header), in bytes. 7075 * 7076 * XXX - are there any cases where we want 7077 * cstate->off_nl_nosnap? 7078 * XXX - we should, if we're built with 7079 * IPv6 support, generate code to load either 7080 * IPv4, IPv6, or both, as appropriate. 7081 */ 7082 s = gen_loadx_iphdrlen(cstate); 7083 7084 /* 7085 * The X register now contains the sum of the variable 7086 * part of the offset of the link-layer payload and the 7087 * length of the network-layer header. 7088 * 7089 * Load into the A register the offset relative to 7090 * the beginning of the transport layer header, 7091 * add the X register to that, move that to the 7092 * X register, and load with an offset from the 7093 * X register equal to the sum of the constant part of 7094 * the offset of the link-layer payload and the offset, 7095 * relative to the beginning of the link-layer payload, 7096 * of the network-layer header. 7097 */ 7098 sappend(s, xfer_to_a(cstate, inst)); 7099 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7100 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7101 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size)); 7102 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl; 7103 sappend(inst->s, s); 7104 7105 /* 7106 * Do the computation only if the packet contains 7107 * the protocol in question - which is true only 7108 * if this is an IP datagram and is the first or 7109 * only fragment of that datagram. 7110 */ 7111 gen_and(gen_proto_abbrev(cstate, proto), b = gen_ipfrag(cstate)); 7112 if (inst->b) 7113 gen_and(inst->b, b); 7114 gen_and(gen_proto_abbrev(cstate, Q_IP), b); 7115 inst->b = b; 7116 break; 7117 case Q_ICMPV6: 7118 /* 7119 * Do the computation only if the packet contains 7120 * the protocol in question. 7121 */ 7122 b = gen_proto_abbrev(cstate, Q_IPV6); 7123 if (inst->b) { 7124 gen_and(inst->b, b); 7125 } 7126 inst->b = b; 7127 7128 /* 7129 * Check if we have an icmp6 next header 7130 */ 7131 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58); 7132 if (inst->b) { 7133 gen_and(inst->b, b); 7134 } 7135 inst->b = b; 7136 7137 7138 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 7139 /* 7140 * If "s" is non-null, it has code to arrange that the 7141 * X register contains the variable part of the offset 7142 * of the link-layer payload. Add to it the offset 7143 * computed into the register specified by "index", 7144 * and move that into the X register. Otherwise, just 7145 * load into the X register the offset computed into 7146 * the register specified by "index". 7147 */ 7148 if (s != NULL) { 7149 sappend(s, xfer_to_a(cstate, inst)); 7150 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X)); 7151 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX)); 7152 } else { 7153 s = xfer_to_x(cstate, inst); 7154 } 7155 7156 /* 7157 * Load the item at the sum of the offset we've put in the 7158 * X register, the offset of the start of the network 7159 * layer header from the beginning of the link-layer 7160 * payload, and the constant part of the offset of the 7161 * start of the link-layer payload. 7162 */ 7163 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size); 7164 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40; 7165 7166 sappend(s, tmp); 7167 sappend(inst->s, s); 7168 7169 break; 7170 } 7171 inst->regno = regno; 7172 s = new_stmt(cstate, BPF_ST); 7173 s->s.k = regno; 7174 sappend(inst->s, s); 7175 7176 return inst; 7177 } 7178 7179 struct block * 7180 gen_relation(compiler_state_t *cstate, int code, struct arth *a0, 7181 struct arth *a1, int reversed) 7182 { 7183 struct slist *s0, *s1, *s2; 7184 struct block *b, *tmp; 7185 7186 s0 = xfer_to_x(cstate, a1); 7187 s1 = xfer_to_a(cstate, a0); 7188 if (code == BPF_JEQ) { 7189 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X); 7190 b = new_block(cstate, JMP(code)); 7191 sappend(s1, s2); 7192 } 7193 else 7194 b = new_block(cstate, BPF_JMP|code|BPF_X); 7195 if (reversed) 7196 gen_not(b); 7197 7198 sappend(s0, s1); 7199 sappend(a1->s, s0); 7200 sappend(a0->s, a1->s); 7201 7202 b->stmts = a0->s; 7203 7204 free_reg(cstate, a0->regno); 7205 free_reg(cstate, a1->regno); 7206 7207 /* 'and' together protocol checks */ 7208 if (a0->b) { 7209 if (a1->b) { 7210 gen_and(a0->b, tmp = a1->b); 7211 } 7212 else 7213 tmp = a0->b; 7214 } else 7215 tmp = a1->b; 7216 7217 if (tmp) 7218 gen_and(tmp, b); 7219 7220 return b; 7221 } 7222 7223 struct arth * 7224 gen_loadlen(compiler_state_t *cstate) 7225 { 7226 int regno = alloc_reg(cstate); 7227 struct arth *a = (struct arth *)newchunk(cstate, sizeof(*a)); 7228 struct slist *s; 7229 7230 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7231 s->next = new_stmt(cstate, BPF_ST); 7232 s->next->s.k = regno; 7233 a->s = s; 7234 a->regno = regno; 7235 7236 return a; 7237 } 7238 7239 struct arth * 7240 gen_loadi(compiler_state_t *cstate, int val) 7241 { 7242 struct arth *a; 7243 struct slist *s; 7244 int reg; 7245 7246 a = (struct arth *)newchunk(cstate, sizeof(*a)); 7247 7248 reg = alloc_reg(cstate); 7249 7250 s = new_stmt(cstate, BPF_LD|BPF_IMM); 7251 s->s.k = val; 7252 s->next = new_stmt(cstate, BPF_ST); 7253 s->next->s.k = reg; 7254 a->s = s; 7255 a->regno = reg; 7256 7257 return a; 7258 } 7259 7260 struct arth * 7261 gen_neg(compiler_state_t *cstate, struct arth *a) 7262 { 7263 struct slist *s; 7264 7265 s = xfer_to_a(cstate, a); 7266 sappend(a->s, s); 7267 s = new_stmt(cstate, BPF_ALU|BPF_NEG); 7268 s->s.k = 0; 7269 sappend(a->s, s); 7270 s = new_stmt(cstate, BPF_ST); 7271 s->s.k = a->regno; 7272 sappend(a->s, s); 7273 7274 return a; 7275 } 7276 7277 struct arth * 7278 gen_arth(compiler_state_t *cstate, int code, struct arth *a0, 7279 struct arth *a1) 7280 { 7281 struct slist *s0, *s1, *s2; 7282 7283 /* 7284 * Disallow division by, or modulus by, zero; we do this here 7285 * so that it gets done even if the optimizer is disabled. 7286 */ 7287 if (code == BPF_DIV) { 7288 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7289 bpf_error(cstate, "division by zero"); 7290 } else if (code == BPF_MOD) { 7291 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0) 7292 bpf_error(cstate, "modulus by zero"); 7293 } 7294 s0 = xfer_to_x(cstate, a1); 7295 s1 = xfer_to_a(cstate, a0); 7296 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code); 7297 7298 sappend(s1, s2); 7299 sappend(s0, s1); 7300 sappend(a1->s, s0); 7301 sappend(a0->s, a1->s); 7302 7303 free_reg(cstate, a0->regno); 7304 free_reg(cstate, a1->regno); 7305 7306 s0 = new_stmt(cstate, BPF_ST); 7307 a0->regno = s0->s.k = alloc_reg(cstate); 7308 sappend(a0->s, s0); 7309 7310 return a0; 7311 } 7312 7313 /* 7314 * Initialize the table of used registers and the current register. 7315 */ 7316 static void 7317 init_regs(compiler_state_t *cstate) 7318 { 7319 cstate->curreg = 0; 7320 memset(cstate->regused, 0, sizeof cstate->regused); 7321 } 7322 7323 /* 7324 * Return the next free register. 7325 */ 7326 static int 7327 alloc_reg(compiler_state_t *cstate) 7328 { 7329 int n = BPF_MEMWORDS; 7330 7331 while (--n >= 0) { 7332 if (cstate->regused[cstate->curreg]) 7333 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS; 7334 else { 7335 cstate->regused[cstate->curreg] = 1; 7336 return cstate->curreg; 7337 } 7338 } 7339 bpf_error(cstate, "too many registers needed to evaluate expression"); 7340 /* NOTREACHED */ 7341 } 7342 7343 /* 7344 * Return a register to the table so it can 7345 * be used later. 7346 */ 7347 static void 7348 free_reg(compiler_state_t *cstate, int n) 7349 { 7350 cstate->regused[n] = 0; 7351 } 7352 7353 static struct block * 7354 gen_len(compiler_state_t *cstate, int jmp, int n) 7355 { 7356 struct slist *s; 7357 struct block *b; 7358 7359 s = new_stmt(cstate, BPF_LD|BPF_LEN); 7360 b = new_block(cstate, JMP(jmp)); 7361 b->stmts = s; 7362 b->s.k = n; 7363 7364 return b; 7365 } 7366 7367 struct block * 7368 gen_greater(compiler_state_t *cstate, int n) 7369 { 7370 return gen_len(cstate, BPF_JGE, n); 7371 } 7372 7373 /* 7374 * Actually, this is less than or equal. 7375 */ 7376 struct block * 7377 gen_less(compiler_state_t *cstate, int n) 7378 { 7379 struct block *b; 7380 7381 b = gen_len(cstate, BPF_JGT, n); 7382 gen_not(b); 7383 7384 return b; 7385 } 7386 7387 /* 7388 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7389 * the beginning of the link-layer header. 7390 * XXX - that means you can't test values in the radiotap header, but 7391 * as that header is difficult if not impossible to parse generally 7392 * without a loop, that might not be a severe problem. A new keyword 7393 * "radio" could be added for that, although what you'd really want 7394 * would be a way of testing particular radio header values, which 7395 * would generate code appropriate to the radio header in question. 7396 */ 7397 struct block * 7398 gen_byteop(compiler_state_t *cstate, int op, int idx, int val) 7399 { 7400 struct block *b; 7401 struct slist *s; 7402 7403 switch (op) { 7404 default: 7405 abort(); 7406 7407 case '=': 7408 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7409 7410 case '<': 7411 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7412 return b; 7413 7414 case '>': 7415 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7416 return b; 7417 7418 case '|': 7419 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K); 7420 break; 7421 7422 case '&': 7423 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 7424 break; 7425 } 7426 s->s.k = val; 7427 b = new_block(cstate, JMP(BPF_JEQ)); 7428 b->stmts = s; 7429 gen_not(b); 7430 7431 return b; 7432 } 7433 7434 static const u_char abroadcast[] = { 0x0 }; 7435 7436 struct block * 7437 gen_broadcast(compiler_state_t *cstate, int proto) 7438 { 7439 bpf_u_int32 hostmask; 7440 struct block *b0, *b1, *b2; 7441 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7442 7443 switch (proto) { 7444 7445 case Q_DEFAULT: 7446 case Q_LINK: 7447 switch (cstate->linktype) { 7448 case DLT_ARCNET: 7449 case DLT_ARCNET_LINUX: 7450 return gen_ahostop(cstate, abroadcast, Q_DST); 7451 case DLT_EN10MB: 7452 case DLT_NETANALYZER: 7453 case DLT_NETANALYZER_TRANSPARENT: 7454 b1 = gen_prevlinkhdr_check(cstate); 7455 b0 = gen_ehostop(cstate, ebroadcast, Q_DST); 7456 if (b1 != NULL) 7457 gen_and(b1, b0); 7458 return b0; 7459 case DLT_FDDI: 7460 return gen_fhostop(cstate, ebroadcast, Q_DST); 7461 case DLT_IEEE802: 7462 return gen_thostop(cstate, ebroadcast, Q_DST); 7463 case DLT_IEEE802_11: 7464 case DLT_PRISM_HEADER: 7465 case DLT_IEEE802_11_RADIO_AVS: 7466 case DLT_IEEE802_11_RADIO: 7467 case DLT_PPI: 7468 return gen_wlanhostop(cstate, ebroadcast, Q_DST); 7469 case DLT_IP_OVER_FC: 7470 return gen_ipfchostop(cstate, ebroadcast, Q_DST); 7471 default: 7472 bpf_error(cstate, "not a broadcast link"); 7473 } 7474 break; 7475 7476 case Q_IP: 7477 /* 7478 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7479 * as an indication that we don't know the netmask, and fail 7480 * in that case. 7481 */ 7482 if (cstate->netmask == PCAP_NETMASK_UNKNOWN) 7483 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported"); 7484 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7485 hostmask = ~cstate->netmask; 7486 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask); 7487 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 7488 (bpf_int32)(~0 & hostmask), hostmask); 7489 gen_or(b1, b2); 7490 gen_and(b0, b2); 7491 return b2; 7492 } 7493 bpf_error(cstate, "only link-layer/IP broadcast filters supported"); 7494 /* NOTREACHED */ 7495 } 7496 7497 /* 7498 * Generate code to test the low-order bit of a MAC address (that's 7499 * the bottom bit of the *first* byte). 7500 */ 7501 static struct block * 7502 gen_mac_multicast(compiler_state_t *cstate, int offset) 7503 { 7504 register struct block *b0; 7505 register struct slist *s; 7506 7507 /* link[offset] & 1 != 0 */ 7508 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B); 7509 b0 = new_block(cstate, JMP(BPF_JSET)); 7510 b0->s.k = 1; 7511 b0->stmts = s; 7512 return b0; 7513 } 7514 7515 struct block * 7516 gen_multicast(compiler_state_t *cstate, int proto) 7517 { 7518 register struct block *b0, *b1, *b2; 7519 register struct slist *s; 7520 7521 switch (proto) { 7522 7523 case Q_DEFAULT: 7524 case Q_LINK: 7525 switch (cstate->linktype) { 7526 case DLT_ARCNET: 7527 case DLT_ARCNET_LINUX: 7528 /* all ARCnet multicasts use the same address */ 7529 return gen_ahostop(cstate, abroadcast, Q_DST); 7530 case DLT_EN10MB: 7531 case DLT_NETANALYZER: 7532 case DLT_NETANALYZER_TRANSPARENT: 7533 b1 = gen_prevlinkhdr_check(cstate); 7534 /* ether[0] & 1 != 0 */ 7535 b0 = gen_mac_multicast(cstate, 0); 7536 if (b1 != NULL) 7537 gen_and(b1, b0); 7538 return b0; 7539 case DLT_FDDI: 7540 /* 7541 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7542 * 7543 * XXX - was that referring to bit-order issues? 7544 */ 7545 /* fddi[1] & 1 != 0 */ 7546 return gen_mac_multicast(cstate, 1); 7547 case DLT_IEEE802: 7548 /* tr[2] & 1 != 0 */ 7549 return gen_mac_multicast(cstate, 2); 7550 case DLT_IEEE802_11: 7551 case DLT_PRISM_HEADER: 7552 case DLT_IEEE802_11_RADIO_AVS: 7553 case DLT_IEEE802_11_RADIO: 7554 case DLT_PPI: 7555 /* 7556 * Oh, yuk. 7557 * 7558 * For control frames, there is no DA. 7559 * 7560 * For management frames, DA is at an 7561 * offset of 4 from the beginning of 7562 * the packet. 7563 * 7564 * For data frames, DA is at an offset 7565 * of 4 from the beginning of the packet 7566 * if To DS is clear and at an offset of 7567 * 16 from the beginning of the packet 7568 * if To DS is set. 7569 */ 7570 7571 /* 7572 * Generate the tests to be done for data frames. 7573 * 7574 * First, check for To DS set, i.e. "link[1] & 0x01". 7575 */ 7576 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 7577 b1 = new_block(cstate, JMP(BPF_JSET)); 7578 b1->s.k = 0x01; /* To DS */ 7579 b1->stmts = s; 7580 7581 /* 7582 * If To DS is set, the DA is at 16. 7583 */ 7584 b0 = gen_mac_multicast(cstate, 16); 7585 gen_and(b1, b0); 7586 7587 /* 7588 * Now, check for To DS not set, i.e. check 7589 * "!(link[1] & 0x01)". 7590 */ 7591 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B); 7592 b2 = new_block(cstate, JMP(BPF_JSET)); 7593 b2->s.k = 0x01; /* To DS */ 7594 b2->stmts = s; 7595 gen_not(b2); 7596 7597 /* 7598 * If To DS is not set, the DA is at 4. 7599 */ 7600 b1 = gen_mac_multicast(cstate, 4); 7601 gen_and(b2, b1); 7602 7603 /* 7604 * Now OR together the last two checks. That gives 7605 * the complete set of checks for data frames. 7606 */ 7607 gen_or(b1, b0); 7608 7609 /* 7610 * Now check for a data frame. 7611 * I.e, check "link[0] & 0x08". 7612 */ 7613 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7614 b1 = new_block(cstate, JMP(BPF_JSET)); 7615 b1->s.k = 0x08; 7616 b1->stmts = s; 7617 7618 /* 7619 * AND that with the checks done for data frames. 7620 */ 7621 gen_and(b1, b0); 7622 7623 /* 7624 * If the high-order bit of the type value is 0, this 7625 * is a management frame. 7626 * I.e, check "!(link[0] & 0x08)". 7627 */ 7628 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7629 b2 = new_block(cstate, JMP(BPF_JSET)); 7630 b2->s.k = 0x08; 7631 b2->stmts = s; 7632 gen_not(b2); 7633 7634 /* 7635 * For management frames, the DA is at 4. 7636 */ 7637 b1 = gen_mac_multicast(cstate, 4); 7638 gen_and(b2, b1); 7639 7640 /* 7641 * OR that with the checks done for data frames. 7642 * That gives the checks done for management and 7643 * data frames. 7644 */ 7645 gen_or(b1, b0); 7646 7647 /* 7648 * If the low-order bit of the type value is 1, 7649 * this is either a control frame or a frame 7650 * with a reserved type, and thus not a 7651 * frame with an SA. 7652 * 7653 * I.e., check "!(link[0] & 0x04)". 7654 */ 7655 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B); 7656 b1 = new_block(cstate, JMP(BPF_JSET)); 7657 b1->s.k = 0x04; 7658 b1->stmts = s; 7659 gen_not(b1); 7660 7661 /* 7662 * AND that with the checks for data and management 7663 * frames. 7664 */ 7665 gen_and(b1, b0); 7666 return b0; 7667 case DLT_IP_OVER_FC: 7668 b0 = gen_mac_multicast(cstate, 2); 7669 return b0; 7670 default: 7671 break; 7672 } 7673 /* Link not known to support multicasts */ 7674 break; 7675 7676 case Q_IP: 7677 b0 = gen_linktype(cstate, ETHERTYPE_IP); 7678 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, (bpf_int32)224); 7679 gen_and(b0, b1); 7680 return b1; 7681 7682 case Q_IPV6: 7683 b0 = gen_linktype(cstate, ETHERTYPE_IPV6); 7684 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, (bpf_int32)255); 7685 gen_and(b0, b1); 7686 return b1; 7687 } 7688 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7689 /* NOTREACHED */ 7690 } 7691 7692 /* 7693 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7694 * Outbound traffic is sent by this machine, while inbound traffic is 7695 * sent by a remote machine (and may include packets destined for a 7696 * unicast or multicast link-layer address we are not subscribing to). 7697 * These are the same definitions implemented by pcap_setdirection(). 7698 * Capturing only unicast traffic destined for this host is probably 7699 * better accomplished using a higher-layer filter. 7700 */ 7701 struct block * 7702 gen_inbound(compiler_state_t *cstate, int dir) 7703 { 7704 register struct block *b0; 7705 7706 /* 7707 * Only some data link types support inbound/outbound qualifiers. 7708 */ 7709 switch (cstate->linktype) { 7710 case DLT_SLIP: 7711 b0 = gen_relation(cstate, BPF_JEQ, 7712 gen_load(cstate, Q_LINK, gen_loadi(cstate, 0), 1), 7713 gen_loadi(cstate, 0), 7714 dir); 7715 break; 7716 7717 case DLT_IPNET: 7718 if (dir) { 7719 /* match outgoing packets */ 7720 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND); 7721 } else { 7722 /* match incoming packets */ 7723 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND); 7724 } 7725 break; 7726 7727 case DLT_LINUX_SLL: 7728 /* match outgoing packets */ 7729 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING); 7730 if (!dir) { 7731 /* to filter on inbound traffic, invert the match */ 7732 gen_not(b0); 7733 } 7734 break; 7735 7736 #ifdef HAVE_NET_PFVAR_H 7737 case DLT_PFLOG: 7738 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B, 7739 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7740 break; 7741 #endif 7742 7743 case DLT_PPP_PPPD: 7744 if (dir) { 7745 /* match outgoing packets */ 7746 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT); 7747 } else { 7748 /* match incoming packets */ 7749 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN); 7750 } 7751 break; 7752 7753 case DLT_JUNIPER_MFR: 7754 case DLT_JUNIPER_MLFR: 7755 case DLT_JUNIPER_MLPPP: 7756 case DLT_JUNIPER_ATM1: 7757 case DLT_JUNIPER_ATM2: 7758 case DLT_JUNIPER_PPPOE: 7759 case DLT_JUNIPER_PPPOE_ATM: 7760 case DLT_JUNIPER_GGSN: 7761 case DLT_JUNIPER_ES: 7762 case DLT_JUNIPER_MONITOR: 7763 case DLT_JUNIPER_SERVICES: 7764 case DLT_JUNIPER_ETHER: 7765 case DLT_JUNIPER_PPP: 7766 case DLT_JUNIPER_FRELAY: 7767 case DLT_JUNIPER_CHDLC: 7768 case DLT_JUNIPER_VP: 7769 case DLT_JUNIPER_ST: 7770 case DLT_JUNIPER_ISM: 7771 case DLT_JUNIPER_VS: 7772 case DLT_JUNIPER_SRX_E2E: 7773 case DLT_JUNIPER_FIBRECHANNEL: 7774 case DLT_JUNIPER_ATM_CEMIC: 7775 7776 /* juniper flags (including direction) are stored 7777 * the byte after the 3-byte magic number */ 7778 if (dir) { 7779 /* match outgoing packets */ 7780 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01); 7781 } else { 7782 /* match incoming packets */ 7783 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01); 7784 } 7785 break; 7786 7787 default: 7788 /* 7789 * If we have packet meta-data indicating a direction, 7790 * and that metadata can be checked by BPF code, check 7791 * it. Otherwise, give up, as this link-layer type has 7792 * nothing in the packet data. 7793 * 7794 * Currently, the only platform where a BPF filter can 7795 * check that metadata is Linux with the in-kernel 7796 * BPF interpreter. If other packet capture mechanisms 7797 * and BPF filters also supported this, it would be 7798 * nice. It would be even better if they made that 7799 * metadata available so that we could provide it 7800 * with newer capture APIs, allowing it to be saved 7801 * in pcapng files. 7802 */ 7803 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7804 /* 7805 * This is Linux with PF_PACKET support. 7806 * If this is a *live* capture, we can look at 7807 * special meta-data in the filter expression; 7808 * if it's a savefile, we can't. 7809 */ 7810 if (cstate->bpf_pcap->rfile != NULL) { 7811 /* We have a FILE *, so this is a savefile */ 7812 bpf_error(cstate, "inbound/outbound not supported on linktype %d when reading savefiles", 7813 cstate->linktype); 7814 b0 = NULL; 7815 /* NOTREACHED */ 7816 } 7817 /* match outgoing packets */ 7818 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7819 PACKET_OUTGOING); 7820 if (!dir) { 7821 /* to filter on inbound traffic, invert the match */ 7822 gen_not(b0); 7823 } 7824 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7825 bpf_error(cstate, "inbound/outbound not supported on linktype %d", 7826 cstate->linktype); 7827 /* NOTREACHED */ 7828 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7829 } 7830 return (b0); 7831 } 7832 7833 #ifdef HAVE_NET_PFVAR_H 7834 /* PF firewall log matched interface */ 7835 struct block * 7836 gen_pf_ifname(compiler_state_t *cstate, const char *ifname) 7837 { 7838 struct block *b0; 7839 u_int len, off; 7840 7841 if (cstate->linktype != DLT_PFLOG) { 7842 bpf_error(cstate, "ifname supported only on PF linktype"); 7843 /* NOTREACHED */ 7844 } 7845 len = sizeof(((struct pfloghdr *)0)->ifname); 7846 off = offsetof(struct pfloghdr, ifname); 7847 if (strlen(ifname) >= len) { 7848 bpf_error(cstate, "ifname interface names can only be %d characters", 7849 len-1); 7850 /* NOTREACHED */ 7851 } 7852 b0 = gen_bcmp(cstate, OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname); 7853 return (b0); 7854 } 7855 7856 /* PF firewall log ruleset name */ 7857 struct block * 7858 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset) 7859 { 7860 struct block *b0; 7861 7862 if (cstate->linktype != DLT_PFLOG) { 7863 bpf_error(cstate, "ruleset supported only on PF linktype"); 7864 /* NOTREACHED */ 7865 } 7866 7867 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7868 bpf_error(cstate, "ruleset names can only be %ld characters", 7869 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7870 /* NOTREACHED */ 7871 } 7872 7873 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset), 7874 strlen(ruleset), (const u_char *)ruleset); 7875 return (b0); 7876 } 7877 7878 /* PF firewall log rule number */ 7879 struct block * 7880 gen_pf_rnr(compiler_state_t *cstate, int rnr) 7881 { 7882 struct block *b0; 7883 7884 if (cstate->linktype != DLT_PFLOG) { 7885 bpf_error(cstate, "rnr supported only on PF linktype"); 7886 /* NOTREACHED */ 7887 } 7888 7889 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W, 7890 (bpf_int32)rnr); 7891 return (b0); 7892 } 7893 7894 /* PF firewall log sub-rule number */ 7895 struct block * 7896 gen_pf_srnr(compiler_state_t *cstate, int srnr) 7897 { 7898 struct block *b0; 7899 7900 if (cstate->linktype != DLT_PFLOG) { 7901 bpf_error(cstate, "srnr supported only on PF linktype"); 7902 /* NOTREACHED */ 7903 } 7904 7905 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W, 7906 (bpf_int32)srnr); 7907 return (b0); 7908 } 7909 7910 /* PF firewall log reason code */ 7911 struct block * 7912 gen_pf_reason(compiler_state_t *cstate, int reason) 7913 { 7914 struct block *b0; 7915 7916 if (cstate->linktype != DLT_PFLOG) { 7917 bpf_error(cstate, "reason supported only on PF linktype"); 7918 /* NOTREACHED */ 7919 } 7920 7921 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B, 7922 (bpf_int32)reason); 7923 return (b0); 7924 } 7925 7926 /* PF firewall log action */ 7927 struct block * 7928 gen_pf_action(compiler_state_t *cstate, int action) 7929 { 7930 struct block *b0; 7931 7932 if (cstate->linktype != DLT_PFLOG) { 7933 bpf_error(cstate, "action supported only on PF linktype"); 7934 /* NOTREACHED */ 7935 } 7936 7937 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B, 7938 (bpf_int32)action); 7939 return (b0); 7940 } 7941 #else /* !HAVE_NET_PFVAR_H */ 7942 struct block * 7943 gen_pf_ifname(compiler_state_t *cstate, const char *ifname _U_) 7944 { 7945 bpf_error(cstate, "libpcap was compiled without pf support"); 7946 /* NOTREACHED */ 7947 } 7948 7949 struct block * 7950 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset _U_) 7951 { 7952 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7953 /* NOTREACHED */ 7954 } 7955 7956 struct block * 7957 gen_pf_rnr(compiler_state_t *cstate, int rnr _U_) 7958 { 7959 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7960 /* NOTREACHED */ 7961 } 7962 7963 struct block * 7964 gen_pf_srnr(compiler_state_t *cstate, int srnr _U_) 7965 { 7966 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7967 /* NOTREACHED */ 7968 } 7969 7970 struct block * 7971 gen_pf_reason(compiler_state_t *cstate, int reason _U_) 7972 { 7973 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7974 /* NOTREACHED */ 7975 } 7976 7977 struct block * 7978 gen_pf_action(compiler_state_t *cstate, int action _U_) 7979 { 7980 bpf_error(cstate, "libpcap was compiled on a machine without pf support"); 7981 /* NOTREACHED */ 7982 } 7983 #endif /* HAVE_NET_PFVAR_H */ 7984 7985 /* IEEE 802.11 wireless header */ 7986 struct block * 7987 gen_p80211_type(compiler_state_t *cstate, int type, int mask) 7988 { 7989 struct block *b0; 7990 7991 switch (cstate->linktype) { 7992 7993 case DLT_IEEE802_11: 7994 case DLT_PRISM_HEADER: 7995 case DLT_IEEE802_11_RADIO_AVS: 7996 case DLT_IEEE802_11_RADIO: 7997 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, (bpf_int32)type, 7998 (bpf_int32)mask); 7999 break; 8000 8001 default: 8002 bpf_error(cstate, "802.11 link-layer types supported only on 802.11"); 8003 /* NOTREACHED */ 8004 } 8005 8006 return (b0); 8007 } 8008 8009 struct block * 8010 gen_p80211_fcdir(compiler_state_t *cstate, int fcdir) 8011 { 8012 struct block *b0; 8013 8014 switch (cstate->linktype) { 8015 8016 case DLT_IEEE802_11: 8017 case DLT_PRISM_HEADER: 8018 case DLT_IEEE802_11_RADIO_AVS: 8019 case DLT_IEEE802_11_RADIO: 8020 break; 8021 8022 default: 8023 bpf_error(cstate, "frame direction supported only with 802.11 headers"); 8024 /* NOTREACHED */ 8025 } 8026 8027 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir, 8028 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 8029 8030 return (b0); 8031 } 8032 8033 struct block * 8034 gen_acode(compiler_state_t *cstate, const u_char *eaddr, struct qual q) 8035 { 8036 switch (cstate->linktype) { 8037 8038 case DLT_ARCNET: 8039 case DLT_ARCNET_LINUX: 8040 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 8041 q.proto == Q_LINK) 8042 return (gen_ahostop(cstate, eaddr, (int)q.dir)); 8043 else { 8044 bpf_error(cstate, "ARCnet address used in non-arc expression"); 8045 /* NOTREACHED */ 8046 } 8047 break; 8048 8049 default: 8050 bpf_error(cstate, "aid supported only on ARCnet"); 8051 /* NOTREACHED */ 8052 } 8053 } 8054 8055 static struct block * 8056 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir) 8057 { 8058 register struct block *b0, *b1; 8059 8060 switch (dir) { 8061 /* src comes first, different from Ethernet */ 8062 case Q_SRC: 8063 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr); 8064 8065 case Q_DST: 8066 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr); 8067 8068 case Q_AND: 8069 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8070 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8071 gen_and(b0, b1); 8072 return b1; 8073 8074 case Q_DEFAULT: 8075 case Q_OR: 8076 b0 = gen_ahostop(cstate, eaddr, Q_SRC); 8077 b1 = gen_ahostop(cstate, eaddr, Q_DST); 8078 gen_or(b0, b1); 8079 return b1; 8080 8081 case Q_ADDR1: 8082 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11"); 8083 break; 8084 8085 case Q_ADDR2: 8086 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11"); 8087 break; 8088 8089 case Q_ADDR3: 8090 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11"); 8091 break; 8092 8093 case Q_ADDR4: 8094 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11"); 8095 break; 8096 8097 case Q_RA: 8098 bpf_error(cstate, "'ra' is only supported on 802.11"); 8099 break; 8100 8101 case Q_TA: 8102 bpf_error(cstate, "'ta' is only supported on 802.11"); 8103 break; 8104 } 8105 abort(); 8106 /* NOTREACHED */ 8107 } 8108 8109 static struct block * 8110 gen_vlan_tpid_test(compiler_state_t *cstate) 8111 { 8112 struct block *b0, *b1; 8113 8114 /* check for VLAN, including QinQ */ 8115 b0 = gen_linktype(cstate, ETHERTYPE_8021Q); 8116 b1 = gen_linktype(cstate, ETHERTYPE_8021AD); 8117 gen_or(b0,b1); 8118 b0 = b1; 8119 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ); 8120 gen_or(b0,b1); 8121 8122 return b1; 8123 } 8124 8125 static struct block * 8126 gen_vlan_vid_test(compiler_state_t *cstate, int vlan_num) 8127 { 8128 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, (bpf_int32)vlan_num, 0x0fff); 8129 } 8130 8131 static struct block * 8132 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, int vlan_num) 8133 { 8134 struct block *b0, *b1; 8135 8136 b0 = gen_vlan_tpid_test(cstate); 8137 8138 if (vlan_num >= 0) { 8139 b1 = gen_vlan_vid_test(cstate, vlan_num); 8140 gen_and(b0, b1); 8141 b0 = b1; 8142 } 8143 8144 /* 8145 * Both payload and link header type follow the VLAN tags so that 8146 * both need to be updated. 8147 */ 8148 cstate->off_linkpl.constant_part += 4; 8149 cstate->off_linktype.constant_part += 4; 8150 8151 return b0; 8152 } 8153 8154 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8155 /* add v to variable part of off */ 8156 static void 8157 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off, int v, struct slist *s) 8158 { 8159 struct slist *s2; 8160 8161 if (!off->is_variable) 8162 off->is_variable = 1; 8163 if (off->reg == -1) 8164 off->reg = alloc_reg(cstate); 8165 8166 s2 = new_stmt(cstate, BPF_LD|BPF_MEM); 8167 s2->s.k = off->reg; 8168 sappend(s, s2); 8169 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM); 8170 s2->s.k = v; 8171 sappend(s, s2); 8172 s2 = new_stmt(cstate, BPF_ST); 8173 s2->s.k = off->reg; 8174 sappend(s, s2); 8175 } 8176 8177 /* 8178 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload 8179 * and link type offsets first 8180 */ 8181 static void 8182 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid) 8183 { 8184 struct slist s; 8185 8186 /* offset determined at run time, shift variable part */ 8187 s.next = NULL; 8188 cstate->is_vlan_vloffset = 1; 8189 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s); 8190 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s); 8191 8192 /* we get a pointer to a chain of or-ed blocks, patch first of them */ 8193 sappend(s.next, b_tpid->head->stmts); 8194 b_tpid->head->stmts = s.next; 8195 } 8196 8197 /* 8198 * patch block b_vid (VLAN id test) to load VID value either from packet 8199 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true 8200 */ 8201 static void 8202 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid) 8203 { 8204 struct slist *s, *s2, *sjeq; 8205 unsigned cnt; 8206 8207 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8208 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8209 8210 /* true -> next instructions, false -> beginning of b_vid */ 8211 sjeq = new_stmt(cstate, JMP(BPF_JEQ)); 8212 sjeq->s.k = 1; 8213 sjeq->s.jf = b_vid->stmts; 8214 sappend(s, sjeq); 8215 8216 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8217 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG; 8218 sappend(s, s2); 8219 sjeq->s.jt = s2; 8220 8221 /* jump to the test in b_vid (bypass loading VID from packet data) */ 8222 cnt = 0; 8223 for (s2 = b_vid->stmts; s2; s2 = s2->next) 8224 cnt++; 8225 s2 = new_stmt(cstate, JMP(BPF_JA)); 8226 s2->s.k = cnt; 8227 sappend(s, s2); 8228 8229 /* insert our statements at the beginning of b_vid */ 8230 sappend(s, b_vid->stmts); 8231 b_vid->stmts = s; 8232 } 8233 8234 /* 8235 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF 8236 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN 8237 * tag can be either in metadata or in packet data; therefore if the 8238 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link 8239 * header for VLAN tag. As the decision is done at run time, we need 8240 * update variable part of the offsets 8241 */ 8242 static struct block * 8243 gen_vlan_bpf_extensions(compiler_state_t *cstate, int vlan_num) 8244 { 8245 struct block *b0, *b_tpid, *b_vid = NULL; 8246 struct slist *s; 8247 8248 /* generate new filter code based on extracting packet 8249 * metadata */ 8250 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS); 8251 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 8252 8253 b0 = new_block(cstate, JMP(BPF_JEQ)); 8254 b0->stmts = s; 8255 b0->s.k = 1; 8256 8257 /* 8258 * This is tricky. We need to insert the statements updating variable 8259 * parts of offsets before the the traditional TPID and VID tests so 8260 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but 8261 * we do not want this update to affect those checks. That's why we 8262 * generate both test blocks first and insert the statements updating 8263 * variable parts of both offsets after that. This wouldn't work if 8264 * there already were variable length link header when entering this 8265 * function but gen_vlan_bpf_extensions() isn't called in that case. 8266 */ 8267 b_tpid = gen_vlan_tpid_test(cstate); 8268 if (vlan_num >= 0) 8269 b_vid = gen_vlan_vid_test(cstate, vlan_num); 8270 8271 gen_vlan_patch_tpid_test(cstate, b_tpid); 8272 gen_or(b0, b_tpid); 8273 b0 = b_tpid; 8274 8275 if (vlan_num >= 0) { 8276 gen_vlan_patch_vid_test(cstate, b_vid); 8277 gen_and(b0, b_vid); 8278 b0 = b_vid; 8279 } 8280 8281 return b0; 8282 } 8283 #endif 8284 8285 /* 8286 * support IEEE 802.1Q VLAN trunk over ethernet 8287 */ 8288 struct block * 8289 gen_vlan(compiler_state_t *cstate, int vlan_num) 8290 { 8291 struct block *b0; 8292 8293 /* can't check for VLAN-encapsulated packets inside MPLS */ 8294 if (cstate->label_stack_depth > 0) 8295 bpf_error(cstate, "no VLAN match after MPLS"); 8296 8297 /* 8298 * Check for a VLAN packet, and then change the offsets to point 8299 * to the type and data fields within the VLAN packet. Just 8300 * increment the offsets, so that we can support a hierarchy, e.g. 8301 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 8302 * VLAN 100. 8303 * 8304 * XXX - this is a bit of a kludge. If we were to split the 8305 * compiler into a parser that parses an expression and 8306 * generates an expression tree, and a code generator that 8307 * takes an expression tree (which could come from our 8308 * parser or from some other parser) and generates BPF code, 8309 * we could perhaps make the offsets parameters of routines 8310 * and, in the handler for an "AND" node, pass to subnodes 8311 * other than the VLAN node the adjusted offsets. 8312 * 8313 * This would mean that "vlan" would, instead of changing the 8314 * behavior of *all* tests after it, change only the behavior 8315 * of tests ANDed with it. That would change the documented 8316 * semantics of "vlan", which might break some expressions. 8317 * However, it would mean that "(vlan and ip) or ip" would check 8318 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8319 * checking only for VLAN-encapsulated IP, so that could still 8320 * be considered worth doing; it wouldn't break expressions 8321 * that are of the form "vlan and ..." or "vlan N and ...", 8322 * which I suspect are the most common expressions involving 8323 * "vlan". "vlan or ..." doesn't necessarily do what the user 8324 * would really want, now, as all the "or ..." tests would 8325 * be done assuming a VLAN, even though the "or" could be viewed 8326 * as meaning "or, if this isn't a VLAN packet...". 8327 */ 8328 switch (cstate->linktype) { 8329 8330 case DLT_EN10MB: 8331 case DLT_NETANALYZER: 8332 case DLT_NETANALYZER_TRANSPARENT: 8333 #if defined(SKF_AD_VLAN_TAG_PRESENT) 8334 /* Verify that this is the outer part of the packet and 8335 * not encapsulated somehow. */ 8336 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable && 8337 cstate->off_linkhdr.constant_part == 8338 cstate->off_outermostlinkhdr.constant_part) { 8339 /* 8340 * Do we need special VLAN handling? 8341 */ 8342 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING) 8343 b0 = gen_vlan_bpf_extensions(cstate, vlan_num); 8344 else 8345 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8346 } else 8347 #endif 8348 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8349 break; 8350 8351 case DLT_IEEE802_11: 8352 case DLT_PRISM_HEADER: 8353 case DLT_IEEE802_11_RADIO_AVS: 8354 case DLT_IEEE802_11_RADIO: 8355 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num); 8356 break; 8357 8358 default: 8359 bpf_error(cstate, "no VLAN support for data link type %d", 8360 cstate->linktype); 8361 /*NOTREACHED*/ 8362 } 8363 8364 cstate->vlan_stack_depth++; 8365 8366 return (b0); 8367 } 8368 8369 /* 8370 * support for MPLS 8371 */ 8372 struct block * 8373 gen_mpls(compiler_state_t *cstate, int label_num) 8374 { 8375 struct block *b0, *b1; 8376 8377 if (cstate->label_stack_depth > 0) { 8378 /* just match the bottom-of-stack bit clear */ 8379 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01); 8380 } else { 8381 /* 8382 * We're not in an MPLS stack yet, so check the link-layer 8383 * type against MPLS. 8384 */ 8385 switch (cstate->linktype) { 8386 8387 case DLT_C_HDLC: /* fall through */ 8388 case DLT_EN10MB: 8389 case DLT_NETANALYZER: 8390 case DLT_NETANALYZER_TRANSPARENT: 8391 b0 = gen_linktype(cstate, ETHERTYPE_MPLS); 8392 break; 8393 8394 case DLT_PPP: 8395 b0 = gen_linktype(cstate, PPP_MPLS_UCAST); 8396 break; 8397 8398 /* FIXME add other DLT_s ... 8399 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8400 * leave it for now */ 8401 8402 default: 8403 bpf_error(cstate, "no MPLS support for data link type %d", 8404 cstate->linktype); 8405 /*NOTREACHED*/ 8406 break; 8407 } 8408 } 8409 8410 /* If a specific MPLS label is requested, check it */ 8411 if (label_num >= 0) { 8412 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8413 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, (bpf_int32)label_num, 8414 0xfffff000); /* only compare the first 20 bits */ 8415 gen_and(b0, b1); 8416 b0 = b1; 8417 } 8418 8419 /* 8420 * Change the offsets to point to the type and data fields within 8421 * the MPLS packet. Just increment the offsets, so that we 8422 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 8423 * capture packets with an outer label of 100000 and an inner 8424 * label of 1024. 8425 * 8426 * Increment the MPLS stack depth as well; this indicates that 8427 * we're checking MPLS-encapsulated headers, to make sure higher 8428 * level code generators don't try to match against IP-related 8429 * protocols such as Q_ARP, Q_RARP etc. 8430 * 8431 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 8432 */ 8433 cstate->off_nl_nosnap += 4; 8434 cstate->off_nl += 4; 8435 cstate->label_stack_depth++; 8436 return (b0); 8437 } 8438 8439 /* 8440 * Support PPPOE discovery and session. 8441 */ 8442 struct block * 8443 gen_pppoed(compiler_state_t *cstate) 8444 { 8445 /* check for PPPoE discovery */ 8446 return gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOED); 8447 } 8448 8449 struct block * 8450 gen_pppoes(compiler_state_t *cstate, int sess_num) 8451 { 8452 struct block *b0, *b1; 8453 8454 /* 8455 * Test against the PPPoE session link-layer type. 8456 */ 8457 b0 = gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOES); 8458 8459 /* If a specific session is requested, check PPPoE session id */ 8460 if (sess_num >= 0) { 8461 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, 8462 (bpf_int32)sess_num, 0x0000ffff); 8463 gen_and(b0, b1); 8464 b0 = b1; 8465 } 8466 8467 /* 8468 * Change the offsets to point to the type and data fields within 8469 * the PPP packet, and note that this is PPPoE rather than 8470 * raw PPP. 8471 * 8472 * XXX - this is a bit of a kludge. If we were to split the 8473 * compiler into a parser that parses an expression and 8474 * generates an expression tree, and a code generator that 8475 * takes an expression tree (which could come from our 8476 * parser or from some other parser) and generates BPF code, 8477 * we could perhaps make the offsets parameters of routines 8478 * and, in the handler for an "AND" node, pass to subnodes 8479 * other than the PPPoE node the adjusted offsets. 8480 * 8481 * This would mean that "pppoes" would, instead of changing the 8482 * behavior of *all* tests after it, change only the behavior 8483 * of tests ANDed with it. That would change the documented 8484 * semantics of "pppoes", which might break some expressions. 8485 * However, it would mean that "(pppoes and ip) or ip" would check 8486 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8487 * checking only for VLAN-encapsulated IP, so that could still 8488 * be considered worth doing; it wouldn't break expressions 8489 * that are of the form "pppoes and ..." which I suspect are the 8490 * most common expressions involving "pppoes". "pppoes or ..." 8491 * doesn't necessarily do what the user would really want, now, 8492 * as all the "or ..." tests would be done assuming PPPoE, even 8493 * though the "or" could be viewed as meaning "or, if this isn't 8494 * a PPPoE packet...". 8495 * 8496 * The "network-layer" protocol is PPPoE, which has a 6-byte 8497 * PPPoE header, followed by a PPP packet. 8498 * 8499 * There is no HDLC encapsulation for the PPP packet (it's 8500 * encapsulated in PPPoES instead), so the link-layer type 8501 * starts at the first byte of the PPP packet. For PPPoE, 8502 * that offset is relative to the beginning of the total 8503 * link-layer payload, including any 802.2 LLC header, so 8504 * it's 6 bytes past cstate->off_nl. 8505 */ 8506 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable, 8507 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */ 8508 cstate->off_linkpl.reg); 8509 8510 cstate->off_linktype = cstate->off_linkhdr; 8511 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2; 8512 8513 cstate->off_nl = 0; 8514 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */ 8515 8516 return b0; 8517 } 8518 8519 /* Check that this is Geneve and the VNI is correct if 8520 * specified. Parameterized to handle both IPv4 and IPv6. */ 8521 static struct block * 8522 gen_geneve_check(compiler_state_t *cstate, 8523 struct block *(*gen_portfn)(compiler_state_t *, int, int, int), 8524 enum e_offrel offrel, int vni) 8525 { 8526 struct block *b0, *b1; 8527 8528 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST); 8529 8530 /* Check that we are operating on version 0. Otherwise, we 8531 * can't decode the rest of the fields. The version is 2 bits 8532 * in the first byte of the Geneve header. */ 8533 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, (bpf_int32)0, 0xc0); 8534 gen_and(b0, b1); 8535 b0 = b1; 8536 8537 if (vni >= 0) { 8538 vni <<= 8; /* VNI is in the upper 3 bytes */ 8539 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, (bpf_int32)vni, 8540 0xffffff00); 8541 gen_and(b0, b1); 8542 b0 = b1; 8543 } 8544 8545 return b0; 8546 } 8547 8548 /* The IPv4 and IPv6 Geneve checks need to do two things: 8549 * - Verify that this actually is Geneve with the right VNI. 8550 * - Place the IP header length (plus variable link prefix if 8551 * needed) into register A to be used later to compute 8552 * the inner packet offsets. */ 8553 static struct block * 8554 gen_geneve4(compiler_state_t *cstate, int vni) 8555 { 8556 struct block *b0, *b1; 8557 struct slist *s, *s1; 8558 8559 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni); 8560 8561 /* Load the IP header length into A. */ 8562 s = gen_loadx_iphdrlen(cstate); 8563 8564 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 8565 sappend(s, s1); 8566 8567 /* Forcibly append these statements to the true condition 8568 * of the protocol check by creating a new block that is 8569 * always true and ANDing them. */ 8570 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8571 b1->stmts = s; 8572 b1->s.k = 0; 8573 8574 gen_and(b0, b1); 8575 8576 return b1; 8577 } 8578 8579 static struct block * 8580 gen_geneve6(compiler_state_t *cstate, int vni) 8581 { 8582 struct block *b0, *b1; 8583 struct slist *s, *s1; 8584 8585 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni); 8586 8587 /* Load the IP header length. We need to account for a 8588 * variable length link prefix if there is one. */ 8589 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl); 8590 if (s) { 8591 s1 = new_stmt(cstate, BPF_LD|BPF_IMM); 8592 s1->s.k = 40; 8593 sappend(s, s1); 8594 8595 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 8596 s1->s.k = 0; 8597 sappend(s, s1); 8598 } else { 8599 s = new_stmt(cstate, BPF_LD|BPF_IMM); 8600 s->s.k = 40; 8601 } 8602 8603 /* Forcibly append these statements to the true condition 8604 * of the protocol check by creating a new block that is 8605 * always true and ANDing them. */ 8606 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8607 sappend(s, s1); 8608 8609 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8610 b1->stmts = s; 8611 b1->s.k = 0; 8612 8613 gen_and(b0, b1); 8614 8615 return b1; 8616 } 8617 8618 /* We need to store three values based on the Geneve header:: 8619 * - The offset of the linktype. 8620 * - The offset of the end of the Geneve header. 8621 * - The offset of the end of the encapsulated MAC header. */ 8622 static struct slist * 8623 gen_geneve_offsets(compiler_state_t *cstate) 8624 { 8625 struct slist *s, *s1, *s_proto; 8626 8627 /* First we need to calculate the offset of the Geneve header 8628 * itself. This is composed of the IP header previously calculated 8629 * (include any variable link prefix) and stored in A plus the 8630 * fixed sized headers (fixed link prefix, MAC length, and UDP 8631 * header). */ 8632 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8633 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8; 8634 8635 /* Stash this in X since we'll need it later. */ 8636 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8637 sappend(s, s1); 8638 8639 /* The EtherType in Geneve is 2 bytes in. Calculate this and 8640 * store it. */ 8641 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8642 s1->s.k = 2; 8643 sappend(s, s1); 8644 8645 cstate->off_linktype.reg = alloc_reg(cstate); 8646 cstate->off_linktype.is_variable = 1; 8647 cstate->off_linktype.constant_part = 0; 8648 8649 s1 = new_stmt(cstate, BPF_ST); 8650 s1->s.k = cstate->off_linktype.reg; 8651 sappend(s, s1); 8652 8653 /* Load the Geneve option length and mask and shift to get the 8654 * number of bytes. It is stored in the first byte of the Geneve 8655 * header. */ 8656 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B); 8657 s1->s.k = 0; 8658 sappend(s, s1); 8659 8660 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K); 8661 s1->s.k = 0x3f; 8662 sappend(s, s1); 8663 8664 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K); 8665 s1->s.k = 4; 8666 sappend(s, s1); 8667 8668 /* Add in the rest of the Geneve base header. */ 8669 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8670 s1->s.k = 8; 8671 sappend(s, s1); 8672 8673 /* Add the Geneve header length to its offset and store. */ 8674 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X); 8675 s1->s.k = 0; 8676 sappend(s, s1); 8677 8678 /* Set the encapsulated type as Ethernet. Even though we may 8679 * not actually have Ethernet inside there are two reasons this 8680 * is useful: 8681 * - The linktype field is always in EtherType format regardless 8682 * of whether it is in Geneve or an inner Ethernet frame. 8683 * - The only link layer that we have specific support for is 8684 * Ethernet. We will confirm that the packet actually is 8685 * Ethernet at runtime before executing these checks. */ 8686 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate)); 8687 8688 s1 = new_stmt(cstate, BPF_ST); 8689 s1->s.k = cstate->off_linkhdr.reg; 8690 sappend(s, s1); 8691 8692 /* Calculate whether we have an Ethernet header or just raw IP/ 8693 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset 8694 * and linktype by 14 bytes so that the network header can be found 8695 * seamlessly. Otherwise, keep what we've calculated already. */ 8696 8697 /* We have a bare jmp so we can't use the optimizer. */ 8698 cstate->no_optimize = 1; 8699 8700 /* Load the EtherType in the Geneve header, 2 bytes in. */ 8701 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H); 8702 s1->s.k = 2; 8703 sappend(s, s1); 8704 8705 /* Load X with the end of the Geneve header. */ 8706 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 8707 s1->s.k = cstate->off_linkhdr.reg; 8708 sappend(s, s1); 8709 8710 /* Check if the EtherType is Transparent Ethernet Bridging. At the 8711 * end of this check, we should have the total length in X. In 8712 * the non-Ethernet case, it's already there. */ 8713 s_proto = new_stmt(cstate, JMP(BPF_JEQ)); 8714 s_proto->s.k = ETHERTYPE_TEB; 8715 sappend(s, s_proto); 8716 8717 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA); 8718 sappend(s, s1); 8719 s_proto->s.jt = s1; 8720 8721 /* Since this is Ethernet, use the EtherType of the payload 8722 * directly as the linktype. Overwrite what we already have. */ 8723 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8724 s1->s.k = 12; 8725 sappend(s, s1); 8726 8727 s1 = new_stmt(cstate, BPF_ST); 8728 s1->s.k = cstate->off_linktype.reg; 8729 sappend(s, s1); 8730 8731 /* Advance two bytes further to get the end of the Ethernet 8732 * header. */ 8733 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K); 8734 s1->s.k = 2; 8735 sappend(s, s1); 8736 8737 /* Move the result to X. */ 8738 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX); 8739 sappend(s, s1); 8740 8741 /* Store the final result of our linkpl calculation. */ 8742 cstate->off_linkpl.reg = alloc_reg(cstate); 8743 cstate->off_linkpl.is_variable = 1; 8744 cstate->off_linkpl.constant_part = 0; 8745 8746 s1 = new_stmt(cstate, BPF_STX); 8747 s1->s.k = cstate->off_linkpl.reg; 8748 sappend(s, s1); 8749 s_proto->s.jf = s1; 8750 8751 cstate->off_nl = 0; 8752 8753 return s; 8754 } 8755 8756 /* Check to see if this is a Geneve packet. */ 8757 struct block * 8758 gen_geneve(compiler_state_t *cstate, int vni) 8759 { 8760 struct block *b0, *b1; 8761 struct slist *s; 8762 8763 b0 = gen_geneve4(cstate, vni); 8764 b1 = gen_geneve6(cstate, vni); 8765 8766 gen_or(b0, b1); 8767 b0 = b1; 8768 8769 /* Later filters should act on the payload of the Geneve frame, 8770 * update all of the header pointers. Attach this code so that 8771 * it gets executed in the event that the Geneve filter matches. */ 8772 s = gen_geneve_offsets(cstate); 8773 8774 b1 = gen_true(cstate); 8775 sappend(s, b1->stmts); 8776 b1->stmts = s; 8777 8778 gen_and(b0, b1); 8779 8780 cstate->is_geneve = 1; 8781 8782 return b1; 8783 } 8784 8785 /* Check that the encapsulated frame has a link layer header 8786 * for Ethernet filters. */ 8787 static struct block * 8788 gen_geneve_ll_check(compiler_state_t *cstate) 8789 { 8790 struct block *b0; 8791 struct slist *s, *s1; 8792 8793 /* The easiest way to see if there is a link layer present 8794 * is to check if the link layer header and payload are not 8795 * the same. */ 8796 8797 /* Geneve always generates pure variable offsets so we can 8798 * compare only the registers. */ 8799 s = new_stmt(cstate, BPF_LD|BPF_MEM); 8800 s->s.k = cstate->off_linkhdr.reg; 8801 8802 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM); 8803 s1->s.k = cstate->off_linkpl.reg; 8804 sappend(s, s1); 8805 8806 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X); 8807 b0->stmts = s; 8808 b0->s.k = 0; 8809 gen_not(b0); 8810 8811 return b0; 8812 } 8813 8814 struct block * 8815 gen_atmfield_code(compiler_state_t *cstate, int atmfield, bpf_int32 jvalue, 8816 bpf_u_int32 jtype, int reverse) 8817 { 8818 struct block *b0; 8819 8820 switch (atmfield) { 8821 8822 case A_VPI: 8823 if (!cstate->is_atm) 8824 bpf_error(cstate, "'vpi' supported only on raw ATM"); 8825 if (cstate->off_vpi == OFFSET_NOT_SET) 8826 abort(); 8827 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 0xffffffff, jtype, 8828 reverse, jvalue); 8829 break; 8830 8831 case A_VCI: 8832 if (!cstate->is_atm) 8833 bpf_error(cstate, "'vci' supported only on raw ATM"); 8834 if (cstate->off_vci == OFFSET_NOT_SET) 8835 abort(); 8836 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 0xffffffff, jtype, 8837 reverse, jvalue); 8838 break; 8839 8840 case A_PROTOTYPE: 8841 if (cstate->off_proto == OFFSET_NOT_SET) 8842 abort(); /* XXX - this isn't on FreeBSD */ 8843 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0x0f, jtype, 8844 reverse, jvalue); 8845 break; 8846 8847 case A_MSGTYPE: 8848 if (cstate->off_payload == OFFSET_NOT_SET) 8849 abort(); 8850 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B, 8851 0xffffffff, jtype, reverse, jvalue); 8852 break; 8853 8854 case A_CALLREFTYPE: 8855 if (!cstate->is_atm) 8856 bpf_error(cstate, "'callref' supported only on raw ATM"); 8857 if (cstate->off_proto == OFFSET_NOT_SET) 8858 abort(); 8859 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0xffffffff, 8860 jtype, reverse, jvalue); 8861 break; 8862 8863 default: 8864 abort(); 8865 } 8866 return b0; 8867 } 8868 8869 struct block * 8870 gen_atmtype_abbrev(compiler_state_t *cstate, int type) 8871 { 8872 struct block *b0, *b1; 8873 8874 switch (type) { 8875 8876 case A_METAC: 8877 /* Get all packets in Meta signalling Circuit */ 8878 if (!cstate->is_atm) 8879 bpf_error(cstate, "'metac' supported only on raw ATM"); 8880 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8881 b1 = gen_atmfield_code(cstate, A_VCI, 1, BPF_JEQ, 0); 8882 gen_and(b0, b1); 8883 break; 8884 8885 case A_BCC: 8886 /* Get all packets in Broadcast Circuit*/ 8887 if (!cstate->is_atm) 8888 bpf_error(cstate, "'bcc' supported only on raw ATM"); 8889 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8890 b1 = gen_atmfield_code(cstate, A_VCI, 2, BPF_JEQ, 0); 8891 gen_and(b0, b1); 8892 break; 8893 8894 case A_OAMF4SC: 8895 /* Get all cells in Segment OAM F4 circuit*/ 8896 if (!cstate->is_atm) 8897 bpf_error(cstate, "'oam4sc' supported only on raw ATM"); 8898 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8899 b1 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0); 8900 gen_and(b0, b1); 8901 break; 8902 8903 case A_OAMF4EC: 8904 /* Get all cells in End-to-End OAM F4 Circuit*/ 8905 if (!cstate->is_atm) 8906 bpf_error(cstate, "'oam4ec' supported only on raw ATM"); 8907 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8908 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0); 8909 gen_and(b0, b1); 8910 break; 8911 8912 case A_SC: 8913 /* Get all packets in connection Signalling Circuit */ 8914 if (!cstate->is_atm) 8915 bpf_error(cstate, "'sc' supported only on raw ATM"); 8916 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8917 b1 = gen_atmfield_code(cstate, A_VCI, 5, BPF_JEQ, 0); 8918 gen_and(b0, b1); 8919 break; 8920 8921 case A_ILMIC: 8922 /* Get all packets in ILMI Circuit */ 8923 if (!cstate->is_atm) 8924 bpf_error(cstate, "'ilmic' supported only on raw ATM"); 8925 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 8926 b1 = gen_atmfield_code(cstate, A_VCI, 16, BPF_JEQ, 0); 8927 gen_and(b0, b1); 8928 break; 8929 8930 case A_LANE: 8931 /* Get all LANE packets */ 8932 if (!cstate->is_atm) 8933 bpf_error(cstate, "'lane' supported only on raw ATM"); 8934 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8935 8936 /* 8937 * Arrange that all subsequent tests assume LANE 8938 * rather than LLC-encapsulated packets, and set 8939 * the offsets appropriately for LANE-encapsulated 8940 * Ethernet. 8941 * 8942 * We assume LANE means Ethernet, not Token Ring. 8943 */ 8944 PUSH_LINKHDR(cstate, DLT_EN10MB, 0, 8945 cstate->off_payload + 2, /* Ethernet header */ 8946 -1); 8947 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12; 8948 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */ 8949 cstate->off_nl = 0; /* Ethernet II */ 8950 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */ 8951 break; 8952 8953 case A_LLC: 8954 /* Get all LLC-encapsulated packets */ 8955 if (!cstate->is_atm) 8956 bpf_error(cstate, "'llc' supported only on raw ATM"); 8957 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8958 cstate->linktype = cstate->prevlinktype; 8959 break; 8960 8961 default: 8962 abort(); 8963 } 8964 return b1; 8965 } 8966 8967 /* 8968 * Filtering for MTP2 messages based on li value 8969 * FISU, length is null 8970 * LSSU, length is 1 or 2 8971 * MSU, length is 3 or more 8972 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 8973 */ 8974 struct block * 8975 gen_mtp2type_abbrev(compiler_state_t *cstate, int type) 8976 { 8977 struct block *b0, *b1; 8978 8979 switch (type) { 8980 8981 case M_FISU: 8982 if ( (cstate->linktype != DLT_MTP2) && 8983 (cstate->linktype != DLT_ERF) && 8984 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8985 bpf_error(cstate, "'fisu' supported only on MTP2"); 8986 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 8987 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8988 break; 8989 8990 case M_LSSU: 8991 if ( (cstate->linktype != DLT_MTP2) && 8992 (cstate->linktype != DLT_ERF) && 8993 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 8994 bpf_error(cstate, "'lssu' supported only on MTP2"); 8995 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8996 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8997 gen_and(b1, b0); 8998 break; 8999 9000 case M_MSU: 9001 if ( (cstate->linktype != DLT_MTP2) && 9002 (cstate->linktype != DLT_ERF) && 9003 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9004 bpf_error(cstate, "'msu' supported only on MTP2"); 9005 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 9006 break; 9007 9008 case MH_FISU: 9009 if ( (cstate->linktype != DLT_MTP2) && 9010 (cstate->linktype != DLT_ERF) && 9011 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9012 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL"); 9013 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */ 9014 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 9015 break; 9016 9017 case MH_LSSU: 9018 if ( (cstate->linktype != DLT_MTP2) && 9019 (cstate->linktype != DLT_ERF) && 9020 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9021 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL"); 9022 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 9023 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 9024 gen_and(b1, b0); 9025 break; 9026 9027 case MH_MSU: 9028 if ( (cstate->linktype != DLT_MTP2) && 9029 (cstate->linktype != DLT_ERF) && 9030 (cstate->linktype != DLT_MTP2_WITH_PHDR) ) 9031 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL"); 9032 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 9033 break; 9034 9035 default: 9036 abort(); 9037 } 9038 return b0; 9039 } 9040 9041 struct block * 9042 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, bpf_u_int32 jvalue, 9043 bpf_u_int32 jtype, int reverse) 9044 { 9045 struct block *b0; 9046 bpf_u_int32 val1 , val2 , val3; 9047 u_int newoff_sio = cstate->off_sio; 9048 u_int newoff_opc = cstate->off_opc; 9049 u_int newoff_dpc = cstate->off_dpc; 9050 u_int newoff_sls = cstate->off_sls; 9051 9052 switch (mtp3field) { 9053 9054 case MH_SIO: 9055 newoff_sio += 3; /* offset for MTP2_HSL */ 9056 /* FALLTHROUGH */ 9057 9058 case M_SIO: 9059 if (cstate->off_sio == OFFSET_NOT_SET) 9060 bpf_error(cstate, "'sio' supported only on SS7"); 9061 /* sio coded on 1 byte so max value 255 */ 9062 if(jvalue > 255) 9063 bpf_error(cstate, "sio value %u too big; max value = 255", 9064 jvalue); 9065 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 9066 (u_int)jtype, reverse, (u_int)jvalue); 9067 break; 9068 9069 case MH_OPC: 9070 newoff_opc+=3; 9071 case M_OPC: 9072 if (cstate->off_opc == OFFSET_NOT_SET) 9073 bpf_error(cstate, "'opc' supported only on SS7"); 9074 /* opc coded on 14 bits so max value 16383 */ 9075 if (jvalue > 16383) 9076 bpf_error(cstate, "opc value %u too big; max value = 16383", 9077 jvalue); 9078 /* the following instructions are made to convert jvalue 9079 * to the form used to write opc in an ss7 message*/ 9080 val1 = jvalue & 0x00003c00; 9081 val1 = val1 >>10; 9082 val2 = jvalue & 0x000003fc; 9083 val2 = val2 <<6; 9084 val3 = jvalue & 0x00000003; 9085 val3 = val3 <<22; 9086 jvalue = val1 + val2 + val3; 9087 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 9088 (u_int)jtype, reverse, (u_int)jvalue); 9089 break; 9090 9091 case MH_DPC: 9092 newoff_dpc += 3; 9093 /* FALLTHROUGH */ 9094 9095 case M_DPC: 9096 if (cstate->off_dpc == OFFSET_NOT_SET) 9097 bpf_error(cstate, "'dpc' supported only on SS7"); 9098 /* dpc coded on 14 bits so max value 16383 */ 9099 if (jvalue > 16383) 9100 bpf_error(cstate, "dpc value %u too big; max value = 16383", 9101 jvalue); 9102 /* the following instructions are made to convert jvalue 9103 * to the forme used to write dpc in an ss7 message*/ 9104 val1 = jvalue & 0x000000ff; 9105 val1 = val1 << 24; 9106 val2 = jvalue & 0x00003f00; 9107 val2 = val2 << 8; 9108 jvalue = val1 + val2; 9109 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 9110 (u_int)jtype, reverse, (u_int)jvalue); 9111 break; 9112 9113 case MH_SLS: 9114 newoff_sls+=3; 9115 case M_SLS: 9116 if (cstate->off_sls == OFFSET_NOT_SET) 9117 bpf_error(cstate, "'sls' supported only on SS7"); 9118 /* sls coded on 4 bits so max value 15 */ 9119 if (jvalue > 15) 9120 bpf_error(cstate, "sls value %u too big; max value = 15", 9121 jvalue); 9122 /* the following instruction is made to convert jvalue 9123 * to the forme used to write sls in an ss7 message*/ 9124 jvalue = jvalue << 4; 9125 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0, 9126 (u_int)jtype,reverse, (u_int)jvalue); 9127 break; 9128 9129 default: 9130 abort(); 9131 } 9132 return b0; 9133 } 9134 9135 static struct block * 9136 gen_msg_abbrev(compiler_state_t *cstate, int type) 9137 { 9138 struct block *b1; 9139 9140 /* 9141 * Q.2931 signalling protocol messages for handling virtual circuits 9142 * establishment and teardown 9143 */ 9144 switch (type) { 9145 9146 case A_SETUP: 9147 b1 = gen_atmfield_code(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0); 9148 break; 9149 9150 case A_CALLPROCEED: 9151 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 9152 break; 9153 9154 case A_CONNECT: 9155 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0); 9156 break; 9157 9158 case A_CONNECTACK: 9159 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 9160 break; 9161 9162 case A_RELEASE: 9163 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0); 9164 break; 9165 9166 case A_RELEASE_DONE: 9167 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 9168 break; 9169 9170 default: 9171 abort(); 9172 } 9173 return b1; 9174 } 9175 9176 struct block * 9177 gen_atmmulti_abbrev(compiler_state_t *cstate, int type) 9178 { 9179 struct block *b0, *b1; 9180 9181 switch (type) { 9182 9183 case A_OAM: 9184 if (!cstate->is_atm) 9185 bpf_error(cstate, "'oam' supported only on raw ATM"); 9186 b1 = gen_atmmulti_abbrev(cstate, A_OAMF4); 9187 break; 9188 9189 case A_OAMF4: 9190 if (!cstate->is_atm) 9191 bpf_error(cstate, "'oamf4' supported only on raw ATM"); 9192 /* OAM F4 type */ 9193 b0 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0); 9194 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0); 9195 gen_or(b0, b1); 9196 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0); 9197 gen_and(b0, b1); 9198 break; 9199 9200 case A_CONNECTMSG: 9201 /* 9202 * Get Q.2931 signalling messages for switched 9203 * virtual connection 9204 */ 9205 if (!cstate->is_atm) 9206 bpf_error(cstate, "'connectmsg' supported only on raw ATM"); 9207 b0 = gen_msg_abbrev(cstate, A_SETUP); 9208 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9209 gen_or(b0, b1); 9210 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9211 gen_or(b0, b1); 9212 b0 = gen_msg_abbrev(cstate, A_CONNECTACK); 9213 gen_or(b0, b1); 9214 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9215 gen_or(b0, b1); 9216 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9217 gen_or(b0, b1); 9218 b0 = gen_atmtype_abbrev(cstate, A_SC); 9219 gen_and(b0, b1); 9220 break; 9221 9222 case A_METACONNECT: 9223 if (!cstate->is_atm) 9224 bpf_error(cstate, "'metaconnect' supported only on raw ATM"); 9225 b0 = gen_msg_abbrev(cstate, A_SETUP); 9226 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED); 9227 gen_or(b0, b1); 9228 b0 = gen_msg_abbrev(cstate, A_CONNECT); 9229 gen_or(b0, b1); 9230 b0 = gen_msg_abbrev(cstate, A_RELEASE); 9231 gen_or(b0, b1); 9232 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE); 9233 gen_or(b0, b1); 9234 b0 = gen_atmtype_abbrev(cstate, A_METAC); 9235 gen_and(b0, b1); 9236 break; 9237 9238 default: 9239 abort(); 9240 } 9241 return b1; 9242 } 9243
