1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 #ifndef lint 23 static const char rcsid[] _U_ = 24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.53 2007/09/12 19:17:24 guy Exp $ (LBL)"; 25 #endif 26 27 #ifdef HAVE_CONFIG_H 28 #include "config.h" 29 #endif 30 31 #ifdef WIN32 32 #include <pcap-stdinc.h> 33 #else /* WIN32 */ 34 #include <sys/types.h> 35 #include <sys/socket.h> 36 #endif /* WIN32 */ 37 38 /* 39 * XXX - why was this included even on UNIX? 40 */ 41 #ifdef __MINGW32__ 42 #include "IP6_misc.h" 43 #endif 44 45 #ifndef WIN32 46 47 #ifdef __NetBSD__ 48 #include <sys/param.h> 49 #endif 50 51 #include <netinet/in.h> 52 53 #endif /* WIN32 */ 54 55 #include <stdlib.h> 56 #include <string.h> 57 #include <memory.h> 58 #include <setjmp.h> 59 #include <stdarg.h> 60 61 #ifdef MSDOS 62 #include "pcap-dos.h" 63 #endif 64 65 #include "pcap-int.h" 66 67 #include "ethertype.h" 68 #include "nlpid.h" 69 #include "llc.h" 70 #include "gencode.h" 71 #include "atmuni31.h" 72 #include "sunatmpos.h" 73 #include "ppp.h" 74 #include "sll.h" 75 #include "arcnet.h" 76 #ifdef HAVE_NET_PFVAR_H 77 #include <sys/socket.h> 78 #include <net/if.h> 79 #include <net/pfvar.h> 80 #include <net/if_pflog.h> 81 #endif 82 #ifndef offsetof 83 #define offsetof(s, e) ((size_t)&((s *)0)->e) 84 #endif 85 #ifdef INET6 86 #ifndef WIN32 87 #include <netdb.h> /* for "struct addrinfo" */ 88 #endif /* WIN32 */ 89 #endif /*INET6*/ 90 #include <pcap-namedb.h> 91 92 #define ETHERMTU 1500 93 94 #ifndef IPPROTO_SCTP 95 #define IPPROTO_SCTP 132 96 #endif 97 98 #ifdef HAVE_OS_PROTO_H 99 #include "os-proto.h" 100 #endif 101 102 #define JMP(c) ((c)|BPF_JMP|BPF_K) 103 104 /* Locals */ 105 static jmp_buf top_ctx; 106 static pcap_t *bpf_pcap; 107 108 #ifdef WIN32 109 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 110 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 111 #else 112 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 113 #endif 114 115 /* XXX */ 116 #ifdef PCAP_FDDIPAD 117 static int pcap_fddipad; 118 #endif 119 120 /* VARARGS */ 121 void 122 bpf_error(const char *fmt, ...) 123 { 124 va_list ap; 125 126 va_start(ap, fmt); 127 if (bpf_pcap != NULL) 128 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 129 fmt, ap); 130 va_end(ap); 131 longjmp(top_ctx, 1); 132 /* NOTREACHED */ 133 } 134 135 static void init_linktype(pcap_t *); 136 137 static int alloc_reg(void); 138 static void free_reg(int); 139 140 static struct block *root; 141 142 /* 143 * Value passed to gen_load_a() to indicate what the offset argument 144 * is relative to. 145 */ 146 enum e_offrel { 147 OR_PACKET, /* relative to the beginning of the packet */ 148 OR_LINK, /* relative to the link-layer header */ 149 OR_NET, /* relative to the network-layer header */ 150 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 151 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 152 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 153 }; 154 155 /* 156 * We divy out chunks of memory rather than call malloc each time so 157 * we don't have to worry about leaking memory. It's probably 158 * not a big deal if all this memory was wasted but if this ever 159 * goes into a library that would probably not be a good idea. 160 * 161 * XXX - this *is* in a library.... 162 */ 163 #define NCHUNKS 16 164 #define CHUNK0SIZE 1024 165 struct chunk { 166 u_int n_left; 167 void *m; 168 }; 169 170 static struct chunk chunks[NCHUNKS]; 171 static int cur_chunk; 172 173 static void *newchunk(u_int); 174 static void freechunks(void); 175 static inline struct block *new_block(int); 176 static inline struct slist *new_stmt(int); 177 static struct block *gen_retblk(int); 178 static inline void syntax(void); 179 180 static void backpatch(struct block *, struct block *); 181 static void merge(struct block *, struct block *); 182 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 183 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 184 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 185 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 186 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 187 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 188 bpf_u_int32); 189 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 190 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 191 bpf_u_int32, bpf_u_int32, int, bpf_int32); 192 static struct slist *gen_load_llrel(u_int, u_int); 193 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 194 static struct slist *gen_loadx_iphdrlen(void); 195 static struct block *gen_uncond(int); 196 static inline struct block *gen_true(void); 197 static inline struct block *gen_false(void); 198 static struct block *gen_ether_linktype(int); 199 static struct block *gen_linux_sll_linktype(int); 200 static void insert_radiotap_load_llprefixlen(struct block *); 201 static void insert_ppi_load_llprefixlen(struct block *); 202 static void insert_load_llprefixlen(struct block *); 203 static struct slist *gen_llprefixlen(void); 204 static struct block *gen_linktype(int); 205 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int); 206 static struct block *gen_llc_linktype(int); 207 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 208 #ifdef INET6 209 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 210 #endif 211 static struct block *gen_ahostop(const u_char *, int); 212 static struct block *gen_ehostop(const u_char *, int); 213 static struct block *gen_fhostop(const u_char *, int); 214 static struct block *gen_thostop(const u_char *, int); 215 static struct block *gen_wlanhostop(const u_char *, int); 216 static struct block *gen_ipfchostop(const u_char *, int); 217 static struct block *gen_dnhostop(bpf_u_int32, int); 218 static struct block *gen_mpls_linktype(int); 219 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 220 #ifdef INET6 221 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 222 #endif 223 #ifndef INET6 224 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 225 #endif 226 static struct block *gen_ipfrag(void); 227 static struct block *gen_portatom(int, bpf_int32); 228 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 229 #ifdef INET6 230 static struct block *gen_portatom6(int, bpf_int32); 231 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 232 #endif 233 struct block *gen_portop(int, int, int); 234 static struct block *gen_port(int, int, int); 235 struct block *gen_portrangeop(int, int, int, int); 236 static struct block *gen_portrange(int, int, int, int); 237 #ifdef INET6 238 struct block *gen_portop6(int, int, int); 239 static struct block *gen_port6(int, int, int); 240 struct block *gen_portrangeop6(int, int, int, int); 241 static struct block *gen_portrange6(int, int, int, int); 242 #endif 243 static int lookup_proto(const char *, int); 244 static struct block *gen_protochain(int, int, int); 245 static struct block *gen_proto(int, int, int); 246 static struct slist *xfer_to_x(struct arth *); 247 static struct slist *xfer_to_a(struct arth *); 248 static struct block *gen_mac_multicast(int); 249 static struct block *gen_len(int, int); 250 251 static struct block *gen_ppi_dlt_check(void); 252 static struct block *gen_msg_abbrev(int type); 253 254 static void * 255 newchunk(n) 256 u_int n; 257 { 258 struct chunk *cp; 259 int k; 260 size_t size; 261 262 #ifndef __NetBSD__ 263 /* XXX Round up to nearest long. */ 264 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 265 #else 266 /* XXX Round up to structure boundary. */ 267 n = ALIGN(n); 268 #endif 269 270 cp = &chunks[cur_chunk]; 271 if (n > cp->n_left) { 272 ++cp, k = ++cur_chunk; 273 if (k >= NCHUNKS) 274 bpf_error("out of memory"); 275 size = CHUNK0SIZE << k; 276 cp->m = (void *)malloc(size); 277 if (cp->m == NULL) 278 bpf_error("out of memory"); 279 memset((char *)cp->m, 0, size); 280 cp->n_left = size; 281 if (n > size) 282 bpf_error("out of memory"); 283 } 284 cp->n_left -= n; 285 return (void *)((char *)cp->m + cp->n_left); 286 } 287 288 static void 289 freechunks() 290 { 291 int i; 292 293 cur_chunk = 0; 294 for (i = 0; i < NCHUNKS; ++i) 295 if (chunks[i].m != NULL) { 296 free(chunks[i].m); 297 chunks[i].m = NULL; 298 } 299 } 300 301 /* 302 * A strdup whose allocations are freed after code generation is over. 303 */ 304 char * 305 sdup(s) 306 register const char *s; 307 { 308 int n = strlen(s) + 1; 309 char *cp = newchunk(n); 310 311 strlcpy(cp, s, n); 312 return (cp); 313 } 314 315 static inline struct block * 316 new_block(code) 317 int code; 318 { 319 struct block *p; 320 321 p = (struct block *)newchunk(sizeof(*p)); 322 p->s.code = code; 323 p->head = p; 324 325 return p; 326 } 327 328 static inline struct slist * 329 new_stmt(code) 330 int code; 331 { 332 struct slist *p; 333 334 p = (struct slist *)newchunk(sizeof(*p)); 335 p->s.code = code; 336 337 return p; 338 } 339 340 static struct block * 341 gen_retblk(v) 342 int v; 343 { 344 struct block *b = new_block(BPF_RET|BPF_K); 345 346 b->s.k = v; 347 return b; 348 } 349 350 static inline void 351 syntax() 352 { 353 bpf_error("syntax error in filter expression"); 354 } 355 356 static bpf_u_int32 netmask; 357 static int snaplen; 358 int no_optimize; 359 360 int 361 pcap_compile(pcap_t *p, struct bpf_program *program, 362 const char *buf, int optimize, bpf_u_int32 mask) 363 { 364 extern int n_errors; 365 const char * volatile xbuf = buf; 366 int len; 367 368 no_optimize = 0; 369 n_errors = 0; 370 root = NULL; 371 bpf_pcap = p; 372 if (setjmp(top_ctx)) { 373 lex_cleanup(); 374 freechunks(); 375 return (-1); 376 } 377 378 netmask = mask; 379 380 snaplen = pcap_snapshot(p); 381 if (snaplen == 0) { 382 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 383 "snaplen of 0 rejects all packets"); 384 return -1; 385 } 386 387 lex_init(xbuf ? xbuf : ""); 388 init_linktype(p); 389 (void)pcap_parse(); 390 391 if (n_errors) 392 syntax(); 393 394 if (root == NULL) 395 root = gen_retblk(snaplen); 396 397 if (optimize && !no_optimize) { 398 bpf_optimize(&root); 399 if (root == NULL || 400 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 401 bpf_error("expression rejects all packets"); 402 } 403 program->bf_insns = icode_to_fcode(root, &len); 404 program->bf_len = len; 405 406 lex_cleanup(); 407 freechunks(); 408 return (0); 409 } 410 411 /* 412 * entry point for using the compiler with no pcap open 413 * pass in all the stuff that is needed explicitly instead. 414 */ 415 int 416 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 417 struct bpf_program *program, 418 const char *buf, int optimize, bpf_u_int32 mask) 419 { 420 pcap_t *p; 421 int ret; 422 423 p = pcap_open_dead(linktype_arg, snaplen_arg); 424 if (p == NULL) 425 return (-1); 426 ret = pcap_compile(p, program, buf, optimize, mask); 427 pcap_close(p); 428 return (ret); 429 } 430 431 /* 432 * Clean up a "struct bpf_program" by freeing all the memory allocated 433 * in it. 434 */ 435 void 436 pcap_freecode(struct bpf_program *program) 437 { 438 program->bf_len = 0; 439 if (program->bf_insns != NULL) { 440 free((char *)program->bf_insns); 441 program->bf_insns = NULL; 442 } 443 } 444 445 /* 446 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 447 * which of the jt and jf fields has been resolved and which is a pointer 448 * back to another unresolved block (or nil). At least one of the fields 449 * in each block is already resolved. 450 */ 451 static void 452 backpatch(list, target) 453 struct block *list, *target; 454 { 455 struct block *next; 456 457 while (list) { 458 if (!list->sense) { 459 next = JT(list); 460 JT(list) = target; 461 } else { 462 next = JF(list); 463 JF(list) = target; 464 } 465 list = next; 466 } 467 } 468 469 /* 470 * Merge the lists in b0 and b1, using the 'sense' field to indicate 471 * which of jt and jf is the link. 472 */ 473 static void 474 merge(b0, b1) 475 struct block *b0, *b1; 476 { 477 register struct block **p = &b0; 478 479 /* Find end of list. */ 480 while (*p) 481 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 482 483 /* Concatenate the lists. */ 484 *p = b1; 485 } 486 487 488 void 489 finish_parse(p) 490 struct block *p; 491 { 492 struct block *ppi_dlt_check; 493 494 ppi_dlt_check = gen_ppi_dlt_check(); 495 496 if (ppi_dlt_check != NULL) 497 { 498 gen_and(ppi_dlt_check, p); 499 } 500 501 backpatch(p, gen_retblk(snaplen)); 502 p->sense = !p->sense; 503 backpatch(p, gen_retblk(0)); 504 root = p->head; 505 506 /* 507 * Insert before the statements of the first (root) block any 508 * statements needed to load the lengths of any variable-length 509 * headers into registers. 510 * 511 * XXX - a fancier strategy would be to insert those before the 512 * statements of all blocks that use those lengths and that 513 * have no predecessors that use them, so that we only compute 514 * the lengths if we need them. There might be even better 515 * approaches than that. However, as we're currently only 516 * handling variable-length radiotap headers, and as all 517 * filtering expressions other than raw link[M:N] tests 518 * require the length of that header, doing more for that 519 * header length isn't really worth the effort. 520 */ 521 522 insert_load_llprefixlen(root); 523 } 524 525 void 526 gen_and(b0, b1) 527 struct block *b0, *b1; 528 { 529 backpatch(b0, b1->head); 530 b0->sense = !b0->sense; 531 b1->sense = !b1->sense; 532 merge(b1, b0); 533 b1->sense = !b1->sense; 534 b1->head = b0->head; 535 } 536 537 void 538 gen_or(b0, b1) 539 struct block *b0, *b1; 540 { 541 b0->sense = !b0->sense; 542 backpatch(b0, b1->head); 543 b0->sense = !b0->sense; 544 merge(b1, b0); 545 b1->head = b0->head; 546 } 547 548 void 549 gen_not(b) 550 struct block *b; 551 { 552 b->sense = !b->sense; 553 } 554 555 static struct block * 556 gen_cmp(offrel, offset, size, v) 557 enum e_offrel offrel; 558 u_int offset, size; 559 bpf_int32 v; 560 { 561 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 562 } 563 564 static struct block * 565 gen_cmp_gt(offrel, offset, size, v) 566 enum e_offrel offrel; 567 u_int offset, size; 568 bpf_int32 v; 569 { 570 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 571 } 572 573 static struct block * 574 gen_cmp_ge(offrel, offset, size, v) 575 enum e_offrel offrel; 576 u_int offset, size; 577 bpf_int32 v; 578 { 579 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 580 } 581 582 static struct block * 583 gen_cmp_lt(offrel, offset, size, v) 584 enum e_offrel offrel; 585 u_int offset, size; 586 bpf_int32 v; 587 { 588 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 589 } 590 591 static struct block * 592 gen_cmp_le(offrel, offset, size, v) 593 enum e_offrel offrel; 594 u_int offset, size; 595 bpf_int32 v; 596 { 597 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 598 } 599 600 static struct block * 601 gen_mcmp(offrel, offset, size, v, mask) 602 enum e_offrel offrel; 603 u_int offset, size; 604 bpf_int32 v; 605 bpf_u_int32 mask; 606 { 607 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 608 } 609 610 static struct block * 611 gen_bcmp(offrel, offset, size, v) 612 enum e_offrel offrel; 613 register u_int offset, size; 614 register const u_char *v; 615 { 616 register struct block *b, *tmp; 617 618 b = NULL; 619 while (size >= 4) { 620 register const u_char *p = &v[size - 4]; 621 bpf_int32 w = ((bpf_int32)p[0] << 24) | 622 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 623 624 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 625 if (b != NULL) 626 gen_and(b, tmp); 627 b = tmp; 628 size -= 4; 629 } 630 while (size >= 2) { 631 register const u_char *p = &v[size - 2]; 632 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 633 634 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 635 if (b != NULL) 636 gen_and(b, tmp); 637 b = tmp; 638 size -= 2; 639 } 640 if (size > 0) { 641 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 642 if (b != NULL) 643 gen_and(b, tmp); 644 b = tmp; 645 } 646 return b; 647 } 648 649 /* 650 * AND the field of size "size" at offset "offset" relative to the header 651 * specified by "offrel" with "mask", and compare it with the value "v" 652 * with the test specified by "jtype"; if "reverse" is true, the test 653 * should test the opposite of "jtype". 654 */ 655 static struct block * 656 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 657 enum e_offrel offrel; 658 bpf_int32 v; 659 bpf_u_int32 offset, size, mask, jtype; 660 int reverse; 661 { 662 struct slist *s, *s2; 663 struct block *b; 664 665 s = gen_load_a(offrel, offset, size); 666 667 if (mask != 0xffffffff) { 668 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 669 s2->s.k = mask; 670 sappend(s, s2); 671 } 672 673 b = new_block(JMP(jtype)); 674 b->stmts = s; 675 b->s.k = v; 676 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 677 gen_not(b); 678 return b; 679 } 680 681 /* 682 * Various code constructs need to know the layout of the data link 683 * layer. These variables give the necessary offsets from the beginning 684 * of the packet data. 685 * 686 * If the link layer has variable_length headers, the offsets are offsets 687 * from the end of the link-link-layer header, and "reg_ll_size" is 688 * the register number for a register containing the length of the 689 * link-layer header. Otherwise, "reg_ll_size" is -1. 690 */ 691 static int reg_ll_size; 692 693 /* 694 * This is the offset of the beginning of the link-layer header from 695 * the beginning of the raw packet data. 696 * 697 * It's usually 0, except for 802.11 with a fixed-length radio header. 698 * (For 802.11 with a variable-length radio header, we have to generate 699 * code to compute that offset; off_ll is 0 in that case.) 700 */ 701 static u_int off_ll; 702 703 /* 704 * This is the offset of the beginning of the MAC-layer header. 705 * It's usually 0, except for ATM LANE, where it's the offset, relative 706 * to the beginning of the raw packet data, of the Ethernet header. 707 */ 708 static u_int off_mac; 709 710 /* 711 * "off_linktype" is the offset to information in the link-layer header 712 * giving the packet type. This offset is relative to the beginning 713 * of the link-layer header (i.e., it doesn't include off_ll). 714 * 715 * For Ethernet, it's the offset of the Ethernet type field. 716 * 717 * For link-layer types that always use 802.2 headers, it's the 718 * offset of the LLC header. 719 * 720 * For PPP, it's the offset of the PPP type field. 721 * 722 * For Cisco HDLC, it's the offset of the CHDLC type field. 723 * 724 * For BSD loopback, it's the offset of the AF_ value. 725 * 726 * For Linux cooked sockets, it's the offset of the type field. 727 * 728 * It's set to -1 for no encapsulation, in which case, IP is assumed. 729 */ 730 static u_int off_linktype; 731 732 /* 733 * TRUE if the link layer includes an ATM pseudo-header. 734 */ 735 static int is_atm = 0; 736 737 /* 738 * TRUE if "lane" appeared in the filter; it causes us to generate 739 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 740 */ 741 static int is_lane = 0; 742 743 /* 744 * These are offsets for the ATM pseudo-header. 745 */ 746 static u_int off_vpi; 747 static u_int off_vci; 748 static u_int off_proto; 749 750 /* 751 * These are offsets for the MTP2 fields. 752 */ 753 static u_int off_li; 754 755 /* 756 * These are offsets for the MTP3 fields. 757 */ 758 static u_int off_sio; 759 static u_int off_opc; 760 static u_int off_dpc; 761 static u_int off_sls; 762 763 /* 764 * This is the offset of the first byte after the ATM pseudo_header, 765 * or -1 if there is no ATM pseudo-header. 766 */ 767 static u_int off_payload; 768 769 /* 770 * These are offsets to the beginning of the network-layer header. 771 * They are relative to the beginning of the link-layer header (i.e., 772 * they don't include off_ll). 773 * 774 * If the link layer never uses 802.2 LLC: 775 * 776 * "off_nl" and "off_nl_nosnap" are the same. 777 * 778 * If the link layer always uses 802.2 LLC: 779 * 780 * "off_nl" is the offset if there's a SNAP header following 781 * the 802.2 header; 782 * 783 * "off_nl_nosnap" is the offset if there's no SNAP header. 784 * 785 * If the link layer is Ethernet: 786 * 787 * "off_nl" is the offset if the packet is an Ethernet II packet 788 * (we assume no 802.3+802.2+SNAP); 789 * 790 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 791 * with an 802.2 header following it. 792 */ 793 static u_int off_nl; 794 static u_int off_nl_nosnap; 795 796 static int linktype; 797 798 static void 799 init_linktype(p) 800 pcap_t *p; 801 { 802 linktype = pcap_datalink(p); 803 #ifdef PCAP_FDDIPAD 804 pcap_fddipad = p->fddipad; 805 #endif 806 807 /* 808 * Assume it's not raw ATM with a pseudo-header, for now. 809 */ 810 off_mac = 0; 811 is_atm = 0; 812 is_lane = 0; 813 off_vpi = -1; 814 off_vci = -1; 815 off_proto = -1; 816 off_payload = -1; 817 818 /* 819 * And assume we're not doing SS7. 820 */ 821 off_li = -1; 822 off_sio = -1; 823 off_opc = -1; 824 off_dpc = -1; 825 off_sls = -1; 826 827 /* 828 * Also assume it's not 802.11 with a fixed-length radio header. 829 */ 830 off_ll = 0; 831 832 orig_linktype = -1; 833 orig_nl = -1; 834 label_stack_depth = 0; 835 836 reg_ll_size = -1; 837 838 switch (linktype) { 839 840 case DLT_ARCNET: 841 off_linktype = 2; 842 off_nl = 6; /* XXX in reality, variable! */ 843 off_nl_nosnap = 6; /* no 802.2 LLC */ 844 return; 845 846 case DLT_ARCNET_LINUX: 847 off_linktype = 4; 848 off_nl = 8; /* XXX in reality, variable! */ 849 off_nl_nosnap = 8; /* no 802.2 LLC */ 850 return; 851 852 case DLT_EN10MB: 853 off_linktype = 12; 854 off_nl = 14; /* Ethernet II */ 855 off_nl_nosnap = 17; /* 802.3+802.2 */ 856 return; 857 858 case DLT_SLIP: 859 /* 860 * SLIP doesn't have a link level type. The 16 byte 861 * header is hacked into our SLIP driver. 862 */ 863 off_linktype = -1; 864 off_nl = 16; 865 off_nl_nosnap = 16; /* no 802.2 LLC */ 866 return; 867 868 case DLT_SLIP_BSDOS: 869 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 870 off_linktype = -1; 871 /* XXX end */ 872 off_nl = 24; 873 off_nl_nosnap = 24; /* no 802.2 LLC */ 874 return; 875 876 case DLT_NULL: 877 case DLT_LOOP: 878 off_linktype = 0; 879 off_nl = 4; 880 off_nl_nosnap = 4; /* no 802.2 LLC */ 881 return; 882 883 case DLT_ENC: 884 off_linktype = 0; 885 off_nl = 12; 886 off_nl_nosnap = 12; /* no 802.2 LLC */ 887 return; 888 889 case DLT_PPP: 890 case DLT_PPP_PPPD: 891 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 892 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 893 off_linktype = 2; 894 off_nl = 4; 895 off_nl_nosnap = 4; /* no 802.2 LLC */ 896 return; 897 898 case DLT_PPP_ETHER: 899 /* 900 * This does no include the Ethernet header, and 901 * only covers session state. 902 */ 903 off_linktype = 6; 904 off_nl = 8; 905 off_nl_nosnap = 8; /* no 802.2 LLC */ 906 return; 907 908 case DLT_PPP_BSDOS: 909 off_linktype = 5; 910 off_nl = 24; 911 off_nl_nosnap = 24; /* no 802.2 LLC */ 912 return; 913 914 case DLT_FDDI: 915 /* 916 * FDDI doesn't really have a link-level type field. 917 * We set "off_linktype" to the offset of the LLC header. 918 * 919 * To check for Ethernet types, we assume that SSAP = SNAP 920 * is being used and pick out the encapsulated Ethernet type. 921 * XXX - should we generate code to check for SNAP? 922 */ 923 off_linktype = 13; 924 #ifdef PCAP_FDDIPAD 925 off_linktype += pcap_fddipad; 926 #endif 927 off_nl = 21; /* FDDI+802.2+SNAP */ 928 off_nl_nosnap = 16; /* FDDI+802.2 */ 929 #ifdef PCAP_FDDIPAD 930 off_nl += pcap_fddipad; 931 off_nl_nosnap += pcap_fddipad; 932 #endif 933 return; 934 935 case DLT_IEEE802: 936 /* 937 * Token Ring doesn't really have a link-level type field. 938 * We set "off_linktype" to the offset of the LLC header. 939 * 940 * To check for Ethernet types, we assume that SSAP = SNAP 941 * is being used and pick out the encapsulated Ethernet type. 942 * XXX - should we generate code to check for SNAP? 943 * 944 * XXX - the header is actually variable-length. 945 * Some various Linux patched versions gave 38 946 * as "off_linktype" and 40 as "off_nl"; however, 947 * if a token ring packet has *no* routing 948 * information, i.e. is not source-routed, the correct 949 * values are 20 and 22, as they are in the vanilla code. 950 * 951 * A packet is source-routed iff the uppermost bit 952 * of the first byte of the source address, at an 953 * offset of 8, has the uppermost bit set. If the 954 * packet is source-routed, the total number of bytes 955 * of routing information is 2 plus bits 0x1F00 of 956 * the 16-bit value at an offset of 14 (shifted right 957 * 8 - figure out which byte that is). 958 */ 959 off_linktype = 14; 960 off_nl = 22; /* Token Ring+802.2+SNAP */ 961 off_nl_nosnap = 17; /* Token Ring+802.2 */ 962 return; 963 964 case DLT_IEEE802_11: 965 /* 966 * 802.11 doesn't really have a link-level type field. 967 * We set "off_linktype" to the offset of the LLC header. 968 * 969 * To check for Ethernet types, we assume that SSAP = SNAP 970 * is being used and pick out the encapsulated Ethernet type. 971 * XXX - should we generate code to check for SNAP? 972 * 973 * XXX - the header is actually variable-length. We 974 * assume a 24-byte link-layer header, as appears in 975 * data frames in networks with no bridges. If the 976 * fromds and tods 802.11 header bits are both set, 977 * it's actually supposed to be 30 bytes. 978 */ 979 off_linktype = 24; 980 off_nl = 32; /* 802.11+802.2+SNAP */ 981 off_nl_nosnap = 27; /* 802.11+802.2 */ 982 return; 983 984 case DLT_PRISM_HEADER: 985 /* 986 * Same as 802.11, but with an additional header before 987 * the 802.11 header, containing a bunch of additional 988 * information including radio-level information. 989 * 990 * The header is 144 bytes long. 991 * 992 * XXX - same variable-length header problem; at least 993 * the Prism header is fixed-length. 994 */ 995 off_ll = 144; 996 off_linktype = 24; 997 off_nl = 32; /* Prism+802.11+802.2+SNAP */ 998 off_nl_nosnap = 27; /* Prism+802.11+802.2 */ 999 return; 1000 1001 case DLT_IEEE802_11_RADIO_AVS: 1002 /* 1003 * Same as 802.11, but with an additional header before 1004 * the 802.11 header, containing a bunch of additional 1005 * information including radio-level information. 1006 * 1007 * The header is 64 bytes long, at least in its 1008 * current incarnation. 1009 * 1010 * XXX - same variable-length header problem, only 1011 * more so; this header is also variable-length, 1012 * with the length being the 32-bit big-endian 1013 * number at an offset of 4 from the beginning 1014 * of the radio header. We should handle that the 1015 * same way we handle the length at the beginning 1016 * of the radiotap header. 1017 * 1018 * XXX - in Linux, do any drivers that supply an AVS 1019 * header supply a link-layer type other than 1020 * ARPHRD_IEEE80211_PRISM? If so, we should map that 1021 * to DLT_IEEE802_11_RADIO_AVS; if not, or if there are 1022 * any drivers that supply an AVS header but supply 1023 * an ARPHRD value of ARPHRD_IEEE80211_PRISM, we'll 1024 * have to check the header in the generated code to 1025 * determine whether it's Prism or AVS. 1026 */ 1027 off_ll = 64; 1028 off_linktype = 24; 1029 off_nl = 32; /* Radio+802.11+802.2+SNAP */ 1030 off_nl_nosnap = 27; /* Radio+802.11+802.2 */ 1031 return; 1032 1033 1034 /* 1035 * At the moment we treat PPI as normal Radiotap encoded 1036 * packets. The difference is in the function that generates 1037 * the code at the beginning to compute the header length. 1038 * Since this code generator of PPI supports bare 802.11 1039 * encapsulation only (i.e. the encapsulated DLT should be 1040 * DLT_IEEE802_11) we generate code to check for this too. 1041 */ 1042 case DLT_PPI: 1043 case DLT_IEEE802_11_RADIO: 1044 /* 1045 * Same as 802.11, but with an additional header before 1046 * the 802.11 header, containing a bunch of additional 1047 * information including radio-level information. 1048 * 1049 * The radiotap header is variable length, and we 1050 * generate code to compute its length and store it 1051 * in a register. These offsets are relative to the 1052 * beginning of the 802.11 header. 1053 */ 1054 off_linktype = 24; 1055 off_nl = 32; /* 802.11+802.2+SNAP */ 1056 off_nl_nosnap = 27; /* 802.11+802.2 */ 1057 return; 1058 1059 case DLT_ATM_RFC1483: 1060 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1061 /* 1062 * assume routed, non-ISO PDUs 1063 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1064 * 1065 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1066 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1067 * latter would presumably be treated the way PPPoE 1068 * should be, so you can do "pppoe and udp port 2049" 1069 * or "pppoa and tcp port 80" and have it check for 1070 * PPPo{A,E} and a PPP protocol of IP and.... 1071 */ 1072 off_linktype = 0; 1073 off_nl = 8; /* 802.2+SNAP */ 1074 off_nl_nosnap = 3; /* 802.2 */ 1075 return; 1076 1077 case DLT_SUNATM: 1078 /* 1079 * Full Frontal ATM; you get AALn PDUs with an ATM 1080 * pseudo-header. 1081 */ 1082 is_atm = 1; 1083 off_vpi = SUNATM_VPI_POS; 1084 off_vci = SUNATM_VCI_POS; 1085 off_proto = PROTO_POS; 1086 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */ 1087 off_payload = SUNATM_PKT_BEGIN_POS; 1088 off_linktype = off_payload; 1089 off_nl = off_payload+8; /* 802.2+SNAP */ 1090 off_nl_nosnap = off_payload+3; /* 802.2 */ 1091 return; 1092 1093 case DLT_RAW: 1094 off_linktype = -1; 1095 off_nl = 0; 1096 off_nl_nosnap = 0; /* no 802.2 LLC */ 1097 return; 1098 1099 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1100 off_linktype = 14; 1101 off_nl = 16; 1102 off_nl_nosnap = 16; /* no 802.2 LLC */ 1103 return; 1104 1105 case DLT_LTALK: 1106 /* 1107 * LocalTalk does have a 1-byte type field in the LLAP header, 1108 * but really it just indicates whether there is a "short" or 1109 * "long" DDP packet following. 1110 */ 1111 off_linktype = -1; 1112 off_nl = 0; 1113 off_nl_nosnap = 0; /* no 802.2 LLC */ 1114 return; 1115 1116 case DLT_IP_OVER_FC: 1117 /* 1118 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1119 * link-level type field. We set "off_linktype" to the 1120 * offset of the LLC header. 1121 * 1122 * To check for Ethernet types, we assume that SSAP = SNAP 1123 * is being used and pick out the encapsulated Ethernet type. 1124 * XXX - should we generate code to check for SNAP? RFC 1125 * 2625 says SNAP should be used. 1126 */ 1127 off_linktype = 16; 1128 off_nl = 24; /* IPFC+802.2+SNAP */ 1129 off_nl_nosnap = 19; /* IPFC+802.2 */ 1130 return; 1131 1132 case DLT_FRELAY: 1133 /* 1134 * XXX - we should set this to handle SNAP-encapsulated 1135 * frames (NLPID of 0x80). 1136 */ 1137 off_linktype = -1; 1138 off_nl = 0; 1139 off_nl_nosnap = 0; /* no 802.2 LLC */ 1140 return; 1141 1142 /* 1143 * the only BPF-interesting FRF.16 frames are non-control frames; 1144 * Frame Relay has a variable length link-layer 1145 * so lets start with offset 4 for now and increments later on (FIXME); 1146 */ 1147 case DLT_MFR: 1148 off_linktype = -1; 1149 off_nl = 4; 1150 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1151 return; 1152 1153 case DLT_APPLE_IP_OVER_IEEE1394: 1154 off_linktype = 16; 1155 off_nl = 18; 1156 off_nl_nosnap = 18; /* no 802.2 LLC */ 1157 return; 1158 1159 case DLT_LINUX_IRDA: 1160 /* 1161 * Currently, only raw "link[N:M]" filtering is supported. 1162 */ 1163 off_linktype = -1; 1164 off_nl = -1; 1165 off_nl_nosnap = -1; 1166 return; 1167 1168 case DLT_DOCSIS: 1169 /* 1170 * Currently, only raw "link[N:M]" filtering is supported. 1171 */ 1172 off_linktype = -1; 1173 off_nl = -1; 1174 off_nl_nosnap = -1; 1175 return; 1176 1177 case DLT_SYMANTEC_FIREWALL: 1178 off_linktype = 6; 1179 off_nl = 44; /* Ethernet II */ 1180 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */ 1181 return; 1182 1183 #ifdef HAVE_NET_PFVAR_H 1184 case DLT_PFLOG: 1185 off_linktype = 0; 1186 off_nl = PFLOG_HDRLEN; 1187 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */ 1188 return; 1189 #endif 1190 1191 case DLT_JUNIPER_MFR: 1192 case DLT_JUNIPER_MLFR: 1193 case DLT_JUNIPER_MLPPP: 1194 case DLT_JUNIPER_PPP: 1195 case DLT_JUNIPER_CHDLC: 1196 case DLT_JUNIPER_FRELAY: 1197 off_linktype = 4; 1198 off_nl = 4; 1199 off_nl_nosnap = -1; /* no 802.2 LLC */ 1200 return; 1201 1202 case DLT_JUNIPER_ATM1: 1203 off_linktype = 4; /* in reality variable between 4-8 */ 1204 off_nl = 4; 1205 off_nl_nosnap = 14; 1206 return; 1207 1208 case DLT_JUNIPER_ATM2: 1209 off_linktype = 8; /* in reality variable between 8-12 */ 1210 off_nl = 8; 1211 off_nl_nosnap = 18; 1212 return; 1213 1214 /* frames captured on a Juniper PPPoE service PIC 1215 * contain raw ethernet frames */ 1216 case DLT_JUNIPER_PPPOE: 1217 case DLT_JUNIPER_ETHER: 1218 off_linktype = 16; 1219 off_nl = 18; /* Ethernet II */ 1220 off_nl_nosnap = 21; /* 802.3+802.2 */ 1221 return; 1222 1223 case DLT_JUNIPER_PPPOE_ATM: 1224 off_linktype = 4; 1225 off_nl = 6; 1226 off_nl_nosnap = -1; /* no 802.2 LLC */ 1227 return; 1228 1229 case DLT_JUNIPER_GGSN: 1230 off_linktype = 6; 1231 off_nl = 12; 1232 off_nl_nosnap = -1; /* no 802.2 LLC */ 1233 return; 1234 1235 case DLT_JUNIPER_ES: 1236 off_linktype = 6; 1237 off_nl = -1; /* not really a network layer but raw IP adresses */ 1238 off_nl_nosnap = -1; /* no 802.2 LLC */ 1239 return; 1240 1241 case DLT_JUNIPER_MONITOR: 1242 off_linktype = 12; 1243 off_nl = 12; /* raw IP/IP6 header */ 1244 off_nl_nosnap = -1; /* no 802.2 LLC */ 1245 return; 1246 1247 case DLT_JUNIPER_SERVICES: 1248 off_linktype = 12; 1249 off_nl = -1; /* L3 proto location dep. on cookie type */ 1250 off_nl_nosnap = -1; /* no 802.2 LLC */ 1251 return; 1252 1253 case DLT_JUNIPER_VP: 1254 off_linktype = 18; 1255 off_nl = -1; 1256 off_nl_nosnap = -1; 1257 return; 1258 1259 case DLT_MTP2: 1260 off_li = 2; 1261 off_sio = 3; 1262 off_opc = 4; 1263 off_dpc = 4; 1264 off_sls = 7; 1265 off_linktype = -1; 1266 off_nl = -1; 1267 off_nl_nosnap = -1; 1268 return; 1269 1270 case DLT_MTP2_WITH_PHDR: 1271 off_li = 6; 1272 off_sio = 7; 1273 off_opc = 8; 1274 off_dpc = 8; 1275 off_sls = 11; 1276 off_linktype = -1; 1277 off_nl = -1; 1278 off_nl_nosnap = -1; 1279 return; 1280 1281 #ifdef DLT_PFSYNC 1282 case DLT_PFSYNC: 1283 off_linktype = -1; 1284 off_nl = 4; 1285 off_nl_nosnap = 4; 1286 return; 1287 #endif 1288 1289 case DLT_LINUX_LAPD: 1290 /* 1291 * Currently, only raw "link[N:M]" filtering is supported. 1292 */ 1293 off_linktype = -1; 1294 off_nl = -1; 1295 off_nl_nosnap = -1; 1296 return; 1297 1298 case DLT_USB: 1299 /* 1300 * Currently, only raw "link[N:M]" filtering is supported. 1301 */ 1302 off_linktype = -1; 1303 off_nl = -1; 1304 off_nl_nosnap = -1; 1305 return; 1306 1307 case DLT_BLUETOOTH_HCI_H4: 1308 /* 1309 * Currently, only raw "link[N:M]" filtering is supported. 1310 */ 1311 off_linktype = -1; 1312 off_nl = -1; 1313 off_nl_nosnap = -1; 1314 return; 1315 } 1316 bpf_error("unknown data link type %d", linktype); 1317 /* NOTREACHED */ 1318 } 1319 1320 /* 1321 * Load a value relative to the beginning of the link-layer header. 1322 * The link-layer header doesn't necessarily begin at the beginning 1323 * of the packet data; there might be a variable-length prefix containing 1324 * radio information. 1325 */ 1326 static struct slist * 1327 gen_load_llrel(offset, size) 1328 u_int offset, size; 1329 { 1330 struct slist *s, *s2; 1331 1332 s = gen_llprefixlen(); 1333 1334 /* 1335 * If "s" is non-null, it has code to arrange that the X register 1336 * contains the length of the prefix preceding the link-layer 1337 * header. 1338 * 1339 * Otherwise, the length of the prefix preceding the link-layer 1340 * header is "off_ll". 1341 */ 1342 if (s != NULL) { 1343 /* 1344 * There's a variable-length prefix preceding the 1345 * link-layer header. "s" points to a list of statements 1346 * that put the length of that prefix into the X register. 1347 * do an indirect load, to use the X register as an offset. 1348 */ 1349 s2 = new_stmt(BPF_LD|BPF_IND|size); 1350 s2->s.k = offset; 1351 sappend(s, s2); 1352 } else { 1353 /* 1354 * There is no variable-length header preceding the 1355 * link-layer header; add in off_ll, which, if there's 1356 * a fixed-length header preceding the link-layer header, 1357 * is the length of that header. 1358 */ 1359 s = new_stmt(BPF_LD|BPF_ABS|size); 1360 s->s.k = offset + off_ll; 1361 } 1362 return s; 1363 } 1364 1365 1366 /* 1367 * Load a value relative to the beginning of the specified header. 1368 */ 1369 static struct slist * 1370 gen_load_a(offrel, offset, size) 1371 enum e_offrel offrel; 1372 u_int offset, size; 1373 { 1374 struct slist *s, *s2; 1375 1376 switch (offrel) { 1377 1378 case OR_PACKET: 1379 s = new_stmt(BPF_LD|BPF_ABS|size); 1380 s->s.k = offset; 1381 break; 1382 1383 case OR_LINK: 1384 s = gen_load_llrel(offset, size); 1385 break; 1386 1387 case OR_NET: 1388 s = gen_load_llrel(off_nl + offset, size); 1389 break; 1390 1391 case OR_NET_NOSNAP: 1392 s = gen_load_llrel(off_nl_nosnap + offset, size); 1393 break; 1394 1395 case OR_TRAN_IPV4: 1396 /* 1397 * Load the X register with the length of the IPv4 header 1398 * (plus the offset of the link-layer header, if it's 1399 * preceded by a variable-length header such as a radio 1400 * header), in bytes. 1401 */ 1402 s = gen_loadx_iphdrlen(); 1403 1404 /* 1405 * Load the item at {offset of the link-layer header} + 1406 * {offset, relative to the start of the link-layer 1407 * header, of the IPv4 header} + {length of the IPv4 header} + 1408 * {specified offset}. 1409 * 1410 * (If the link-layer is variable-length, it's included 1411 * in the value in the X register, and off_ll is 0.) 1412 */ 1413 s2 = new_stmt(BPF_LD|BPF_IND|size); 1414 s2->s.k = off_ll + off_nl + offset; 1415 sappend(s, s2); 1416 break; 1417 1418 case OR_TRAN_IPV6: 1419 s = gen_load_llrel(off_nl + 40 + offset, size); 1420 break; 1421 1422 default: 1423 abort(); 1424 return NULL; 1425 } 1426 return s; 1427 } 1428 1429 /* 1430 * Generate code to load into the X register the sum of the length of 1431 * the IPv4 header and any variable-length header preceding the link-layer 1432 * header. 1433 */ 1434 static struct slist * 1435 gen_loadx_iphdrlen() 1436 { 1437 struct slist *s, *s2; 1438 1439 s = gen_llprefixlen(); 1440 if (s != NULL) { 1441 /* 1442 * There's a variable-length prefix preceding the 1443 * link-layer header. "s" points to a list of statements 1444 * that put the length of that prefix into the X register. 1445 * The 4*([k]&0xf) addressing mode can't be used, as we 1446 * don't have a constant offset, so we have to load the 1447 * value in question into the A register and add to it 1448 * the value from the X register. 1449 */ 1450 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1451 s2->s.k = off_nl; 1452 sappend(s, s2); 1453 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1454 s2->s.k = 0xf; 1455 sappend(s, s2); 1456 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1457 s2->s.k = 2; 1458 sappend(s, s2); 1459 1460 /* 1461 * The A register now contains the length of the 1462 * IP header. We need to add to it the length 1463 * of the prefix preceding the link-layer 1464 * header, which is still in the X register, and 1465 * move the result into the X register. 1466 */ 1467 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1468 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1469 } else { 1470 /* 1471 * There is no variable-length header preceding the 1472 * link-layer header; add in off_ll, which, if there's 1473 * a fixed-length header preceding the link-layer header, 1474 * is the length of that header. 1475 */ 1476 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1477 s->s.k = off_ll + off_nl; 1478 } 1479 return s; 1480 } 1481 1482 static struct block * 1483 gen_uncond(rsense) 1484 int rsense; 1485 { 1486 struct block *b; 1487 struct slist *s; 1488 1489 s = new_stmt(BPF_LD|BPF_IMM); 1490 s->s.k = !rsense; 1491 b = new_block(JMP(BPF_JEQ)); 1492 b->stmts = s; 1493 1494 return b; 1495 } 1496 1497 static inline struct block * 1498 gen_true() 1499 { 1500 return gen_uncond(1); 1501 } 1502 1503 static inline struct block * 1504 gen_false() 1505 { 1506 return gen_uncond(0); 1507 } 1508 1509 /* 1510 * Byte-swap a 32-bit number. 1511 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1512 * big-endian platforms.) 1513 */ 1514 #define SWAPLONG(y) \ 1515 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1516 1517 /* 1518 * Generate code to match a particular packet type. 1519 * 1520 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1521 * value, if <= ETHERMTU. We use that to determine whether to 1522 * match the type/length field or to check the type/length field for 1523 * a value <= ETHERMTU to see whether it's a type field and then do 1524 * the appropriate test. 1525 */ 1526 static struct block * 1527 gen_ether_linktype(proto) 1528 register int proto; 1529 { 1530 struct block *b0, *b1; 1531 1532 switch (proto) { 1533 1534 case LLCSAP_ISONS: 1535 case LLCSAP_IP: 1536 case LLCSAP_NETBEUI: 1537 /* 1538 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1539 * so we check the DSAP and SSAP. 1540 * 1541 * LLCSAP_IP checks for IP-over-802.2, rather 1542 * than IP-over-Ethernet or IP-over-SNAP. 1543 * 1544 * XXX - should we check both the DSAP and the 1545 * SSAP, like this, or should we check just the 1546 * DSAP, as we do for other types <= ETHERMTU 1547 * (i.e., other SAP values)? 1548 */ 1549 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1550 gen_not(b0); 1551 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32) 1552 ((proto << 8) | proto)); 1553 gen_and(b0, b1); 1554 return b1; 1555 1556 case LLCSAP_IPX: 1557 /* 1558 * Check for; 1559 * 1560 * Ethernet_II frames, which are Ethernet 1561 * frames with a frame type of ETHERTYPE_IPX; 1562 * 1563 * Ethernet_802.3 frames, which are 802.3 1564 * frames (i.e., the type/length field is 1565 * a length field, <= ETHERMTU, rather than 1566 * a type field) with the first two bytes 1567 * after the Ethernet/802.3 header being 1568 * 0xFFFF; 1569 * 1570 * Ethernet_802.2 frames, which are 802.3 1571 * frames with an 802.2 LLC header and 1572 * with the IPX LSAP as the DSAP in the LLC 1573 * header; 1574 * 1575 * Ethernet_SNAP frames, which are 802.3 1576 * frames with an LLC header and a SNAP 1577 * header and with an OUI of 0x000000 1578 * (encapsulated Ethernet) and a protocol 1579 * ID of ETHERTYPE_IPX in the SNAP header. 1580 * 1581 * XXX - should we generate the same code both 1582 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1583 */ 1584 1585 /* 1586 * This generates code to check both for the 1587 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1588 */ 1589 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1590 (bpf_int32)LLCSAP_IPX); 1591 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, 1592 (bpf_int32)0xFFFF); 1593 gen_or(b0, b1); 1594 1595 /* 1596 * Now we add code to check for SNAP frames with 1597 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1598 */ 1599 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14); 1600 gen_or(b0, b1); 1601 1602 /* 1603 * Now we generate code to check for 802.3 1604 * frames in general. 1605 */ 1606 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1607 gen_not(b0); 1608 1609 /* 1610 * Now add the check for 802.3 frames before the 1611 * check for Ethernet_802.2 and Ethernet_802.3, 1612 * as those checks should only be done on 802.3 1613 * frames, not on Ethernet frames. 1614 */ 1615 gen_and(b0, b1); 1616 1617 /* 1618 * Now add the check for Ethernet_II frames, and 1619 * do that before checking for the other frame 1620 * types. 1621 */ 1622 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1623 (bpf_int32)ETHERTYPE_IPX); 1624 gen_or(b0, b1); 1625 return b1; 1626 1627 case ETHERTYPE_ATALK: 1628 case ETHERTYPE_AARP: 1629 /* 1630 * EtherTalk (AppleTalk protocols on Ethernet link 1631 * layer) may use 802.2 encapsulation. 1632 */ 1633 1634 /* 1635 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1636 * we check for an Ethernet type field less than 1637 * 1500, which means it's an 802.3 length field. 1638 */ 1639 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1640 gen_not(b0); 1641 1642 /* 1643 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1644 * SNAP packets with an organization code of 1645 * 0x080007 (Apple, for Appletalk) and a protocol 1646 * type of ETHERTYPE_ATALK (Appletalk). 1647 * 1648 * 802.2-encapsulated ETHERTYPE_AARP packets are 1649 * SNAP packets with an organization code of 1650 * 0x000000 (encapsulated Ethernet) and a protocol 1651 * type of ETHERTYPE_AARP (Appletalk ARP). 1652 */ 1653 if (proto == ETHERTYPE_ATALK) 1654 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14); 1655 else /* proto == ETHERTYPE_AARP */ 1656 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14); 1657 gen_and(b0, b1); 1658 1659 /* 1660 * Check for Ethernet encapsulation (Ethertalk 1661 * phase 1?); we just check for the Ethernet 1662 * protocol type. 1663 */ 1664 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1665 1666 gen_or(b0, b1); 1667 return b1; 1668 1669 default: 1670 if (proto <= ETHERMTU) { 1671 /* 1672 * This is an LLC SAP value, so the frames 1673 * that match would be 802.2 frames. 1674 * Check that the frame is an 802.2 frame 1675 * (i.e., that the length/type field is 1676 * a length field, <= ETHERMTU) and 1677 * then check the DSAP. 1678 */ 1679 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1680 gen_not(b0); 1681 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1682 (bpf_int32)proto); 1683 gen_and(b0, b1); 1684 return b1; 1685 } else { 1686 /* 1687 * This is an Ethernet type, so compare 1688 * the length/type field with it (if 1689 * the frame is an 802.2 frame, the length 1690 * field will be <= ETHERMTU, and, as 1691 * "proto" is > ETHERMTU, this test 1692 * will fail and the frame won't match, 1693 * which is what we want). 1694 */ 1695 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1696 (bpf_int32)proto); 1697 } 1698 } 1699 } 1700 1701 /* 1702 * Generate code to match a particular packet type. 1703 * 1704 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1705 * value, if <= ETHERMTU. We use that to determine whether to 1706 * match the type field or to check the type field for the special 1707 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1708 */ 1709 static struct block * 1710 gen_linux_sll_linktype(proto) 1711 register int proto; 1712 { 1713 struct block *b0, *b1; 1714 1715 switch (proto) { 1716 1717 case LLCSAP_ISONS: 1718 case LLCSAP_IP: 1719 case LLCSAP_NETBEUI: 1720 /* 1721 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1722 * so we check the DSAP and SSAP. 1723 * 1724 * LLCSAP_IP checks for IP-over-802.2, rather 1725 * than IP-over-Ethernet or IP-over-SNAP. 1726 * 1727 * XXX - should we check both the DSAP and the 1728 * SSAP, like this, or should we check just the 1729 * DSAP, as we do for other types <= ETHERMTU 1730 * (i.e., other SAP values)? 1731 */ 1732 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1733 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32) 1734 ((proto << 8) | proto)); 1735 gen_and(b0, b1); 1736 return b1; 1737 1738 case LLCSAP_IPX: 1739 /* 1740 * Ethernet_II frames, which are Ethernet 1741 * frames with a frame type of ETHERTYPE_IPX; 1742 * 1743 * Ethernet_802.3 frames, which have a frame 1744 * type of LINUX_SLL_P_802_3; 1745 * 1746 * Ethernet_802.2 frames, which are 802.3 1747 * frames with an 802.2 LLC header (i.e, have 1748 * a frame type of LINUX_SLL_P_802_2) and 1749 * with the IPX LSAP as the DSAP in the LLC 1750 * header; 1751 * 1752 * Ethernet_SNAP frames, which are 802.3 1753 * frames with an LLC header and a SNAP 1754 * header and with an OUI of 0x000000 1755 * (encapsulated Ethernet) and a protocol 1756 * ID of ETHERTYPE_IPX in the SNAP header. 1757 * 1758 * First, do the checks on LINUX_SLL_P_802_2 1759 * frames; generate the check for either 1760 * Ethernet_802.2 or Ethernet_SNAP frames, and 1761 * then put a check for LINUX_SLL_P_802_2 frames 1762 * before it. 1763 */ 1764 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1765 (bpf_int32)LLCSAP_IPX); 1766 b1 = gen_snap(0x000000, ETHERTYPE_IPX, 1767 off_linktype + 2); 1768 gen_or(b0, b1); 1769 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1770 gen_and(b0, b1); 1771 1772 /* 1773 * Now check for 802.3 frames and OR that with 1774 * the previous test. 1775 */ 1776 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 1777 gen_or(b0, b1); 1778 1779 /* 1780 * Now add the check for Ethernet_II frames, and 1781 * do that before checking for the other frame 1782 * types. 1783 */ 1784 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1785 (bpf_int32)ETHERTYPE_IPX); 1786 gen_or(b0, b1); 1787 return b1; 1788 1789 case ETHERTYPE_ATALK: 1790 case ETHERTYPE_AARP: 1791 /* 1792 * EtherTalk (AppleTalk protocols on Ethernet link 1793 * layer) may use 802.2 encapsulation. 1794 */ 1795 1796 /* 1797 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1798 * we check for the 802.2 protocol type in the 1799 * "Ethernet type" field. 1800 */ 1801 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1802 1803 /* 1804 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1805 * SNAP packets with an organization code of 1806 * 0x080007 (Apple, for Appletalk) and a protocol 1807 * type of ETHERTYPE_ATALK (Appletalk). 1808 * 1809 * 802.2-encapsulated ETHERTYPE_AARP packets are 1810 * SNAP packets with an organization code of 1811 * 0x000000 (encapsulated Ethernet) and a protocol 1812 * type of ETHERTYPE_AARP (Appletalk ARP). 1813 */ 1814 if (proto == ETHERTYPE_ATALK) 1815 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 1816 off_linktype + 2); 1817 else /* proto == ETHERTYPE_AARP */ 1818 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 1819 off_linktype + 2); 1820 gen_and(b0, b1); 1821 1822 /* 1823 * Check for Ethernet encapsulation (Ethertalk 1824 * phase 1?); we just check for the Ethernet 1825 * protocol type. 1826 */ 1827 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1828 1829 gen_or(b0, b1); 1830 return b1; 1831 1832 default: 1833 if (proto <= ETHERMTU) { 1834 /* 1835 * This is an LLC SAP value, so the frames 1836 * that match would be 802.2 frames. 1837 * Check for the 802.2 protocol type 1838 * in the "Ethernet type" field, and 1839 * then check the DSAP. 1840 */ 1841 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1842 LINUX_SLL_P_802_2); 1843 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1844 (bpf_int32)proto); 1845 gen_and(b0, b1); 1846 return b1; 1847 } else { 1848 /* 1849 * This is an Ethernet type, so compare 1850 * the length/type field with it (if 1851 * the frame is an 802.2 frame, the length 1852 * field will be <= ETHERMTU, and, as 1853 * "proto" is > ETHERMTU, this test 1854 * will fail and the frame won't match, 1855 * which is what we want). 1856 */ 1857 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1858 (bpf_int32)proto); 1859 } 1860 } 1861 } 1862 1863 static void 1864 insert_radiotap_load_llprefixlen(b) 1865 struct block *b; 1866 { 1867 struct slist *s1, *s2; 1868 1869 /* 1870 * Prepend to the statements in this block code to load the 1871 * length of the radiotap header into the register assigned 1872 * to hold that length, if one has been assigned. 1873 */ 1874 if (reg_ll_size != -1) { 1875 /* 1876 * The 2 bytes at offsets of 2 and 3 from the beginning 1877 * of the radiotap header are the length of the radiotap 1878 * header; unfortunately, it's little-endian, so we have 1879 * to load it a byte at a time and construct the value. 1880 */ 1881 1882 /* 1883 * Load the high-order byte, at an offset of 3, shift it 1884 * left a byte, and put the result in the X register. 1885 */ 1886 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1887 s1->s.k = 3; 1888 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1889 sappend(s1, s2); 1890 s2->s.k = 8; 1891 s2 = new_stmt(BPF_MISC|BPF_TAX); 1892 sappend(s1, s2); 1893 1894 /* 1895 * Load the next byte, at an offset of 2, and OR the 1896 * value from the X register into it. 1897 */ 1898 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1899 sappend(s1, s2); 1900 s2->s.k = 2; 1901 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 1902 sappend(s1, s2); 1903 1904 /* 1905 * Now allocate a register to hold that value and store 1906 * it. 1907 */ 1908 s2 = new_stmt(BPF_ST); 1909 s2->s.k = reg_ll_size; 1910 sappend(s1, s2); 1911 1912 /* 1913 * Now move it into the X register. 1914 */ 1915 s2 = new_stmt(BPF_MISC|BPF_TAX); 1916 sappend(s1, s2); 1917 1918 /* 1919 * Now append all the existing statements in this 1920 * block to these statements. 1921 */ 1922 sappend(s1, b->stmts); 1923 b->stmts = s1; 1924 } 1925 } 1926 1927 /* 1928 * At the moment we treat PPI as normal Radiotap encoded 1929 * packets. The difference is in the function that generates 1930 * the code at the beginning to compute the header length. 1931 * Since this code generator of PPI supports bare 802.11 1932 * encapsulation only (i.e. the encapsulated DLT should be 1933 * DLT_IEEE802_11) we generate code to check for this too. 1934 */ 1935 static void 1936 insert_ppi_load_llprefixlen(b) 1937 struct block *b; 1938 { 1939 struct slist *s1, *s2; 1940 1941 /* 1942 * Prepend to the statements in this block code to load the 1943 * length of the radiotap header into the register assigned 1944 * to hold that length, if one has been assigned. 1945 */ 1946 if (reg_ll_size != -1) { 1947 /* 1948 * The 2 bytes at offsets of 2 and 3 from the beginning 1949 * of the radiotap header are the length of the radiotap 1950 * header; unfortunately, it's little-endian, so we have 1951 * to load it a byte at a time and construct the value. 1952 */ 1953 1954 /* 1955 * Load the high-order byte, at an offset of 3, shift it 1956 * left a byte, and put the result in the X register. 1957 */ 1958 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1959 s1->s.k = 3; 1960 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1961 sappend(s1, s2); 1962 s2->s.k = 8; 1963 s2 = new_stmt(BPF_MISC|BPF_TAX); 1964 sappend(s1, s2); 1965 1966 /* 1967 * Load the next byte, at an offset of 2, and OR the 1968 * value from the X register into it. 1969 */ 1970 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 1971 sappend(s1, s2); 1972 s2->s.k = 2; 1973 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 1974 sappend(s1, s2); 1975 1976 /* 1977 * Now allocate a register to hold that value and store 1978 * it. 1979 */ 1980 s2 = new_stmt(BPF_ST); 1981 s2->s.k = reg_ll_size; 1982 sappend(s1, s2); 1983 1984 /* 1985 * Now move it into the X register. 1986 */ 1987 s2 = new_stmt(BPF_MISC|BPF_TAX); 1988 sappend(s1, s2); 1989 1990 /* 1991 * Now append all the existing statements in this 1992 * block to these statements. 1993 */ 1994 sappend(s1, b->stmts); 1995 b->stmts = s1; 1996 1997 } 1998 } 1999 2000 static struct block * 2001 gen_ppi_dlt_check(void) 2002 { 2003 struct slist *s_load_dlt; 2004 struct block *b; 2005 2006 if (linktype == DLT_PPI) 2007 { 2008 /* Create the statements that check for the DLT 2009 */ 2010 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2011 s_load_dlt->s.k = 4; 2012 2013 b = new_block(JMP(BPF_JEQ)); 2014 2015 b->stmts = s_load_dlt; 2016 b->s.k = SWAPLONG(DLT_IEEE802_11); 2017 } 2018 else 2019 { 2020 b = NULL; 2021 } 2022 2023 return b; 2024 } 2025 2026 static void 2027 insert_load_llprefixlen(b) 2028 struct block *b; 2029 { 2030 switch (linktype) { 2031 2032 /* 2033 * At the moment we treat PPI as normal Radiotap encoded 2034 * packets. The difference is in the function that generates 2035 * the code at the beginning to compute the header length. 2036 * Since this code generator of PPI supports bare 802.11 2037 * encapsulation only (i.e. the encapsulated DLT should be 2038 * DLT_IEEE802_11) we generate code to check for this too. 2039 */ 2040 case DLT_PPI: 2041 insert_ppi_load_llprefixlen(b); 2042 break; 2043 2044 case DLT_IEEE802_11_RADIO: 2045 insert_radiotap_load_llprefixlen(b); 2046 break; 2047 } 2048 } 2049 2050 2051 static struct slist * 2052 gen_radiotap_llprefixlen(void) 2053 { 2054 struct slist *s; 2055 2056 if (reg_ll_size == -1) { 2057 /* 2058 * We haven't yet assigned a register for the length 2059 * of the radiotap header; allocate one. 2060 */ 2061 reg_ll_size = alloc_reg(); 2062 } 2063 2064 /* 2065 * Load the register containing the radiotap length 2066 * into the X register. 2067 */ 2068 s = new_stmt(BPF_LDX|BPF_MEM); 2069 s->s.k = reg_ll_size; 2070 return s; 2071 } 2072 2073 /* 2074 * At the moment we treat PPI as normal Radiotap encoded 2075 * packets. The difference is in the function that generates 2076 * the code at the beginning to compute the header length. 2077 * Since this code generator of PPI supports bare 802.11 2078 * encapsulation only (i.e. the encapsulated DLT should be 2079 * DLT_IEEE802_11) we generate code to check for this too. 2080 */ 2081 static struct slist * 2082 gen_ppi_llprefixlen(void) 2083 { 2084 struct slist *s; 2085 2086 if (reg_ll_size == -1) { 2087 /* 2088 * We haven't yet assigned a register for the length 2089 * of the radiotap header; allocate one. 2090 */ 2091 reg_ll_size = alloc_reg(); 2092 } 2093 2094 /* 2095 * Load the register containing the radiotap length 2096 * into the X register. 2097 */ 2098 s = new_stmt(BPF_LDX|BPF_MEM); 2099 s->s.k = reg_ll_size; 2100 return s; 2101 } 2102 2103 2104 2105 /* 2106 * Generate code to compute the link-layer header length, if necessary, 2107 * putting it into the X register, and to return either a pointer to a 2108 * "struct slist" for the list of statements in that code, or NULL if 2109 * no code is necessary. 2110 */ 2111 static struct slist * 2112 gen_llprefixlen(void) 2113 { 2114 switch (linktype) { 2115 2116 case DLT_PPI: 2117 return gen_ppi_llprefixlen(); 2118 2119 2120 case DLT_IEEE802_11_RADIO: 2121 return gen_radiotap_llprefixlen(); 2122 2123 default: 2124 return NULL; 2125 } 2126 } 2127 2128 /* 2129 * Generate code to match a particular packet type by matching the 2130 * link-layer type field or fields in the 802.2 LLC header. 2131 * 2132 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2133 * value, if <= ETHERMTU. 2134 */ 2135 static struct block * 2136 gen_linktype(proto) 2137 register int proto; 2138 { 2139 struct block *b0, *b1, *b2; 2140 2141 /* are we checking MPLS-encapsulated packets? */ 2142 if (label_stack_depth > 0) { 2143 switch (proto) { 2144 case ETHERTYPE_IP: 2145 case PPP_IP: 2146 /* FIXME add other L3 proto IDs */ 2147 return gen_mpls_linktype(Q_IP); 2148 2149 case ETHERTYPE_IPV6: 2150 case PPP_IPV6: 2151 /* FIXME add other L3 proto IDs */ 2152 return gen_mpls_linktype(Q_IPV6); 2153 2154 default: 2155 bpf_error("unsupported protocol over mpls"); 2156 /* NOTREACHED */ 2157 } 2158 } 2159 2160 switch (linktype) { 2161 2162 case DLT_EN10MB: 2163 return gen_ether_linktype(proto); 2164 /*NOTREACHED*/ 2165 break; 2166 2167 case DLT_C_HDLC: 2168 switch (proto) { 2169 2170 case LLCSAP_ISONS: 2171 proto = (proto << 8 | LLCSAP_ISONS); 2172 /* fall through */ 2173 2174 default: 2175 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2176 (bpf_int32)proto); 2177 /*NOTREACHED*/ 2178 break; 2179 } 2180 break; 2181 2182 case DLT_PPI: 2183 case DLT_FDDI: 2184 case DLT_IEEE802: 2185 case DLT_IEEE802_11: 2186 case DLT_IEEE802_11_RADIO_AVS: 2187 case DLT_IEEE802_11_RADIO: 2188 case DLT_PRISM_HEADER: 2189 case DLT_ATM_RFC1483: 2190 case DLT_ATM_CLIP: 2191 case DLT_IP_OVER_FC: 2192 return gen_llc_linktype(proto); 2193 /*NOTREACHED*/ 2194 break; 2195 2196 case DLT_SUNATM: 2197 /* 2198 * If "is_lane" is set, check for a LANE-encapsulated 2199 * version of this protocol, otherwise check for an 2200 * LLC-encapsulated version of this protocol. 2201 * 2202 * We assume LANE means Ethernet, not Token Ring. 2203 */ 2204 if (is_lane) { 2205 /* 2206 * Check that the packet doesn't begin with an 2207 * LE Control marker. (We've already generated 2208 * a test for LANE.) 2209 */ 2210 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 2211 0xFF00); 2212 gen_not(b0); 2213 2214 /* 2215 * Now generate an Ethernet test. 2216 */ 2217 b1 = gen_ether_linktype(proto); 2218 gen_and(b0, b1); 2219 return b1; 2220 } else { 2221 /* 2222 * Check for LLC encapsulation and then check the 2223 * protocol. 2224 */ 2225 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 2226 b1 = gen_llc_linktype(proto); 2227 gen_and(b0, b1); 2228 return b1; 2229 } 2230 /*NOTREACHED*/ 2231 break; 2232 2233 case DLT_LINUX_SLL: 2234 return gen_linux_sll_linktype(proto); 2235 /*NOTREACHED*/ 2236 break; 2237 2238 case DLT_SLIP: 2239 case DLT_SLIP_BSDOS: 2240 case DLT_RAW: 2241 /* 2242 * These types don't provide any type field; packets 2243 * are always IPv4 or IPv6. 2244 * 2245 * XXX - for IPv4, check for a version number of 4, and, 2246 * for IPv6, check for a version number of 6? 2247 */ 2248 switch (proto) { 2249 2250 case ETHERTYPE_IP: 2251 /* Check for a version number of 4. */ 2252 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 2253 #ifdef INET6 2254 case ETHERTYPE_IPV6: 2255 /* Check for a version number of 6. */ 2256 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 2257 #endif 2258 2259 default: 2260 return gen_false(); /* always false */ 2261 } 2262 /*NOTREACHED*/ 2263 break; 2264 2265 case DLT_PPP: 2266 case DLT_PPP_PPPD: 2267 case DLT_PPP_SERIAL: 2268 case DLT_PPP_ETHER: 2269 /* 2270 * We use Ethernet protocol types inside libpcap; 2271 * map them to the corresponding PPP protocol types. 2272 */ 2273 switch (proto) { 2274 2275 case ETHERTYPE_IP: 2276 proto = PPP_IP; 2277 break; 2278 2279 #ifdef INET6 2280 case ETHERTYPE_IPV6: 2281 proto = PPP_IPV6; 2282 break; 2283 #endif 2284 2285 case ETHERTYPE_DN: 2286 proto = PPP_DECNET; 2287 break; 2288 2289 case ETHERTYPE_ATALK: 2290 proto = PPP_APPLE; 2291 break; 2292 2293 case ETHERTYPE_NS: 2294 proto = PPP_NS; 2295 break; 2296 2297 case LLCSAP_ISONS: 2298 proto = PPP_OSI; 2299 break; 2300 2301 case LLCSAP_8021D: 2302 /* 2303 * I'm assuming the "Bridging PDU"s that go 2304 * over PPP are Spanning Tree Protocol 2305 * Bridging PDUs. 2306 */ 2307 proto = PPP_BRPDU; 2308 break; 2309 2310 case LLCSAP_IPX: 2311 proto = PPP_IPX; 2312 break; 2313 } 2314 break; 2315 2316 case DLT_PPP_BSDOS: 2317 /* 2318 * We use Ethernet protocol types inside libpcap; 2319 * map them to the corresponding PPP protocol types. 2320 */ 2321 switch (proto) { 2322 2323 case ETHERTYPE_IP: 2324 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 2325 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 2326 gen_or(b0, b1); 2327 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 2328 gen_or(b1, b0); 2329 return b0; 2330 2331 #ifdef INET6 2332 case ETHERTYPE_IPV6: 2333 proto = PPP_IPV6; 2334 /* more to go? */ 2335 break; 2336 #endif 2337 2338 case ETHERTYPE_DN: 2339 proto = PPP_DECNET; 2340 break; 2341 2342 case ETHERTYPE_ATALK: 2343 proto = PPP_APPLE; 2344 break; 2345 2346 case ETHERTYPE_NS: 2347 proto = PPP_NS; 2348 break; 2349 2350 case LLCSAP_ISONS: 2351 proto = PPP_OSI; 2352 break; 2353 2354 case LLCSAP_8021D: 2355 /* 2356 * I'm assuming the "Bridging PDU"s that go 2357 * over PPP are Spanning Tree Protocol 2358 * Bridging PDUs. 2359 */ 2360 proto = PPP_BRPDU; 2361 break; 2362 2363 case LLCSAP_IPX: 2364 proto = PPP_IPX; 2365 break; 2366 } 2367 break; 2368 2369 case DLT_NULL: 2370 case DLT_LOOP: 2371 case DLT_ENC: 2372 /* 2373 * For DLT_NULL, the link-layer header is a 32-bit 2374 * word containing an AF_ value in *host* byte order, 2375 * and for DLT_ENC, the link-layer header begins 2376 * with a 32-bit work containing an AF_ value in 2377 * host byte order. 2378 * 2379 * In addition, if we're reading a saved capture file, 2380 * the host byte order in the capture may not be the 2381 * same as the host byte order on this machine. 2382 * 2383 * For DLT_LOOP, the link-layer header is a 32-bit 2384 * word containing an AF_ value in *network* byte order. 2385 * 2386 * XXX - AF_ values may, unfortunately, be platform- 2387 * dependent; for example, FreeBSD's AF_INET6 is 24 2388 * whilst NetBSD's and OpenBSD's is 26. 2389 * 2390 * This means that, when reading a capture file, just 2391 * checking for our AF_INET6 value won't work if the 2392 * capture file came from another OS. 2393 */ 2394 switch (proto) { 2395 2396 case ETHERTYPE_IP: 2397 proto = AF_INET; 2398 break; 2399 2400 #ifdef INET6 2401 case ETHERTYPE_IPV6: 2402 proto = AF_INET6; 2403 break; 2404 #endif 2405 2406 default: 2407 /* 2408 * Not a type on which we support filtering. 2409 * XXX - support those that have AF_ values 2410 * #defined on this platform, at least? 2411 */ 2412 return gen_false(); 2413 } 2414 2415 if (linktype == DLT_NULL || linktype == DLT_ENC) { 2416 /* 2417 * The AF_ value is in host byte order, but 2418 * the BPF interpreter will convert it to 2419 * network byte order. 2420 * 2421 * If this is a save file, and it's from a 2422 * machine with the opposite byte order to 2423 * ours, we byte-swap the AF_ value. 2424 * 2425 * Then we run it through "htonl()", and 2426 * generate code to compare against the result. 2427 */ 2428 if (bpf_pcap->sf.rfile != NULL && 2429 bpf_pcap->sf.swapped) 2430 proto = SWAPLONG(proto); 2431 proto = htonl(proto); 2432 } 2433 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 2434 2435 #ifdef HAVE_NET_PFVAR_H 2436 case DLT_PFLOG: 2437 /* 2438 * af field is host byte order in contrast to the rest of 2439 * the packet. 2440 */ 2441 if (proto == ETHERTYPE_IP) 2442 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 2443 BPF_B, (bpf_int32)AF_INET)); 2444 #ifdef INET6 2445 else if (proto == ETHERTYPE_IPV6) 2446 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 2447 BPF_B, (bpf_int32)AF_INET6)); 2448 #endif /* INET6 */ 2449 else 2450 return gen_false(); 2451 /*NOTREACHED*/ 2452 break; 2453 #endif /* HAVE_NET_PFVAR_H */ 2454 2455 case DLT_ARCNET: 2456 case DLT_ARCNET_LINUX: 2457 /* 2458 * XXX should we check for first fragment if the protocol 2459 * uses PHDS? 2460 */ 2461 switch (proto) { 2462 2463 default: 2464 return gen_false(); 2465 2466 #ifdef INET6 2467 case ETHERTYPE_IPV6: 2468 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2469 (bpf_int32)ARCTYPE_INET6)); 2470 #endif /* INET6 */ 2471 2472 case ETHERTYPE_IP: 2473 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2474 (bpf_int32)ARCTYPE_IP); 2475 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2476 (bpf_int32)ARCTYPE_IP_OLD); 2477 gen_or(b0, b1); 2478 return (b1); 2479 2480 case ETHERTYPE_ARP: 2481 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2482 (bpf_int32)ARCTYPE_ARP); 2483 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 2484 (bpf_int32)ARCTYPE_ARP_OLD); 2485 gen_or(b0, b1); 2486 return (b1); 2487 2488 case ETHERTYPE_REVARP: 2489 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2490 (bpf_int32)ARCTYPE_REVARP)); 2491 2492 case ETHERTYPE_ATALK: 2493 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 2494 (bpf_int32)ARCTYPE_ATALK)); 2495 } 2496 /*NOTREACHED*/ 2497 break; 2498 2499 case DLT_LTALK: 2500 switch (proto) { 2501 case ETHERTYPE_ATALK: 2502 return gen_true(); 2503 default: 2504 return gen_false(); 2505 } 2506 /*NOTREACHED*/ 2507 break; 2508 2509 case DLT_FRELAY: 2510 /* 2511 * XXX - assumes a 2-byte Frame Relay header with 2512 * DLCI and flags. What if the address is longer? 2513 */ 2514 switch (proto) { 2515 2516 case ETHERTYPE_IP: 2517 /* 2518 * Check for the special NLPID for IP. 2519 */ 2520 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 2521 2522 #ifdef INET6 2523 case ETHERTYPE_IPV6: 2524 /* 2525 * Check for the special NLPID for IPv6. 2526 */ 2527 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 2528 #endif 2529 2530 case LLCSAP_ISONS: 2531 /* 2532 * Check for several OSI protocols. 2533 * 2534 * Frame Relay packets typically have an OSI 2535 * NLPID at the beginning; we check for each 2536 * of them. 2537 * 2538 * What we check for is the NLPID and a frame 2539 * control field of UI, i.e. 0x03 followed 2540 * by the NLPID. 2541 */ 2542 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 2543 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 2544 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 2545 gen_or(b1, b2); 2546 gen_or(b0, b2); 2547 return b2; 2548 2549 default: 2550 return gen_false(); 2551 } 2552 /*NOTREACHED*/ 2553 break; 2554 2555 case DLT_JUNIPER_MFR: 2556 case DLT_JUNIPER_MLFR: 2557 case DLT_JUNIPER_MLPPP: 2558 case DLT_JUNIPER_ATM1: 2559 case DLT_JUNIPER_ATM2: 2560 case DLT_JUNIPER_PPPOE: 2561 case DLT_JUNIPER_PPPOE_ATM: 2562 case DLT_JUNIPER_GGSN: 2563 case DLT_JUNIPER_ES: 2564 case DLT_JUNIPER_MONITOR: 2565 case DLT_JUNIPER_SERVICES: 2566 case DLT_JUNIPER_ETHER: 2567 case DLT_JUNIPER_PPP: 2568 case DLT_JUNIPER_FRELAY: 2569 case DLT_JUNIPER_CHDLC: 2570 case DLT_JUNIPER_VP: 2571 /* just lets verify the magic number for now - 2572 * on ATM we may have up to 6 different encapsulations on the wire 2573 * and need a lot of heuristics to figure out that the payload 2574 * might be; 2575 * 2576 * FIXME encapsulation specific BPF_ filters 2577 */ 2578 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 2579 2580 case DLT_LINUX_IRDA: 2581 bpf_error("IrDA link-layer type filtering not implemented"); 2582 2583 case DLT_DOCSIS: 2584 bpf_error("DOCSIS link-layer type filtering not implemented"); 2585 2586 case DLT_LINUX_LAPD: 2587 bpf_error("LAPD link-layer type filtering not implemented"); 2588 } 2589 2590 /* 2591 * All the types that have no encapsulation should either be 2592 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 2593 * all packets are IP packets, or should be handled in some 2594 * special case, if none of them are (if some are and some 2595 * aren't, the lack of encapsulation is a problem, as we'd 2596 * have to find some other way of determining the packet type). 2597 * 2598 * Therefore, if "off_linktype" is -1, there's an error. 2599 */ 2600 if (off_linktype == (u_int)-1) 2601 abort(); 2602 2603 /* 2604 * Any type not handled above should always have an Ethernet 2605 * type at an offset of "off_linktype". (PPP is partially 2606 * handled above - the protocol type is mapped from the 2607 * Ethernet and LLC types we use internally to the corresponding 2608 * PPP type - but the PPP type is always specified by a value 2609 * at "off_linktype", so we don't have to do the code generation 2610 * above.) 2611 */ 2612 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2613 } 2614 2615 /* 2616 * Check for an LLC SNAP packet with a given organization code and 2617 * protocol type; we check the entire contents of the 802.2 LLC and 2618 * snap headers, checking for DSAP and SSAP of SNAP and a control 2619 * field of 0x03 in the LLC header, and for the specified organization 2620 * code and protocol type in the SNAP header. 2621 */ 2622 static struct block * 2623 gen_snap(orgcode, ptype, offset) 2624 bpf_u_int32 orgcode; 2625 bpf_u_int32 ptype; 2626 u_int offset; 2627 { 2628 u_char snapblock[8]; 2629 2630 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 2631 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 2632 snapblock[2] = 0x03; /* control = UI */ 2633 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 2634 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 2635 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 2636 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 2637 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 2638 return gen_bcmp(OR_LINK, offset, 8, snapblock); 2639 } 2640 2641 /* 2642 * Generate code to match a particular packet type, for link-layer types 2643 * using 802.2 LLC headers. 2644 * 2645 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 2646 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 2647 * 2648 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2649 * value, if <= ETHERMTU. We use that to determine whether to 2650 * match the DSAP or both DSAP and LSAP or to check the OUI and 2651 * protocol ID in a SNAP header. 2652 */ 2653 static struct block * 2654 gen_llc_linktype(proto) 2655 int proto; 2656 { 2657 /* 2658 * XXX - handle token-ring variable-length header. 2659 */ 2660 switch (proto) { 2661 2662 case LLCSAP_IP: 2663 case LLCSAP_ISONS: 2664 case LLCSAP_NETBEUI: 2665 /* 2666 * XXX - should we check both the DSAP and the 2667 * SSAP, like this, or should we check just the 2668 * DSAP, as we do for other types <= ETHERMTU 2669 * (i.e., other SAP values)? 2670 */ 2671 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32) 2672 ((proto << 8) | proto)); 2673 2674 case LLCSAP_IPX: 2675 /* 2676 * XXX - are there ever SNAP frames for IPX on 2677 * non-Ethernet 802.x networks? 2678 */ 2679 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2680 (bpf_int32)LLCSAP_IPX); 2681 2682 case ETHERTYPE_ATALK: 2683 /* 2684 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2685 * SNAP packets with an organization code of 2686 * 0x080007 (Apple, for Appletalk) and a protocol 2687 * type of ETHERTYPE_ATALK (Appletalk). 2688 * 2689 * XXX - check for an organization code of 2690 * encapsulated Ethernet as well? 2691 */ 2692 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype); 2693 2694 default: 2695 /* 2696 * XXX - we don't have to check for IPX 802.3 2697 * here, but should we check for the IPX Ethertype? 2698 */ 2699 if (proto <= ETHERMTU) { 2700 /* 2701 * This is an LLC SAP value, so check 2702 * the DSAP. 2703 */ 2704 return gen_cmp(OR_LINK, off_linktype, BPF_B, 2705 (bpf_int32)proto); 2706 } else { 2707 /* 2708 * This is an Ethernet type; we assume that it's 2709 * unlikely that it'll appear in the right place 2710 * at random, and therefore check only the 2711 * location that would hold the Ethernet type 2712 * in a SNAP frame with an organization code of 2713 * 0x000000 (encapsulated Ethernet). 2714 * 2715 * XXX - if we were to check for the SNAP DSAP and 2716 * LSAP, as per XXX, and were also to check for an 2717 * organization code of 0x000000 (encapsulated 2718 * Ethernet), we'd do 2719 * 2720 * return gen_snap(0x000000, proto, 2721 * off_linktype); 2722 * 2723 * here; for now, we don't, as per the above. 2724 * I don't know whether it's worth the extra CPU 2725 * time to do the right check or not. 2726 */ 2727 return gen_cmp(OR_LINK, off_linktype+6, BPF_H, 2728 (bpf_int32)proto); 2729 } 2730 } 2731 } 2732 2733 static struct block * 2734 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 2735 bpf_u_int32 addr; 2736 bpf_u_int32 mask; 2737 int dir, proto; 2738 u_int src_off, dst_off; 2739 { 2740 struct block *b0, *b1; 2741 u_int offset; 2742 2743 switch (dir) { 2744 2745 case Q_SRC: 2746 offset = src_off; 2747 break; 2748 2749 case Q_DST: 2750 offset = dst_off; 2751 break; 2752 2753 case Q_AND: 2754 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 2755 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 2756 gen_and(b0, b1); 2757 return b1; 2758 2759 case Q_OR: 2760 case Q_DEFAULT: 2761 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 2762 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 2763 gen_or(b0, b1); 2764 return b1; 2765 2766 default: 2767 abort(); 2768 } 2769 b0 = gen_linktype(proto); 2770 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 2771 gen_and(b0, b1); 2772 return b1; 2773 } 2774 2775 #ifdef INET6 2776 static struct block * 2777 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 2778 struct in6_addr *addr; 2779 struct in6_addr *mask; 2780 int dir, proto; 2781 u_int src_off, dst_off; 2782 { 2783 struct block *b0, *b1; 2784 u_int offset; 2785 u_int32_t *a, *m; 2786 2787 switch (dir) { 2788 2789 case Q_SRC: 2790 offset = src_off; 2791 break; 2792 2793 case Q_DST: 2794 offset = dst_off; 2795 break; 2796 2797 case Q_AND: 2798 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 2799 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 2800 gen_and(b0, b1); 2801 return b1; 2802 2803 case Q_OR: 2804 case Q_DEFAULT: 2805 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 2806 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 2807 gen_or(b0, b1); 2808 return b1; 2809 2810 default: 2811 abort(); 2812 } 2813 /* this order is important */ 2814 a = (u_int32_t *)addr; 2815 m = (u_int32_t *)mask; 2816 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 2817 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 2818 gen_and(b0, b1); 2819 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 2820 gen_and(b0, b1); 2821 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 2822 gen_and(b0, b1); 2823 b0 = gen_linktype(proto); 2824 gen_and(b0, b1); 2825 return b1; 2826 } 2827 #endif /*INET6*/ 2828 2829 static struct block * 2830 gen_ehostop(eaddr, dir) 2831 register const u_char *eaddr; 2832 register int dir; 2833 { 2834 register struct block *b0, *b1; 2835 2836 switch (dir) { 2837 case Q_SRC: 2838 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 2839 2840 case Q_DST: 2841 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 2842 2843 case Q_AND: 2844 b0 = gen_ehostop(eaddr, Q_SRC); 2845 b1 = gen_ehostop(eaddr, Q_DST); 2846 gen_and(b0, b1); 2847 return b1; 2848 2849 case Q_DEFAULT: 2850 case Q_OR: 2851 b0 = gen_ehostop(eaddr, Q_SRC); 2852 b1 = gen_ehostop(eaddr, Q_DST); 2853 gen_or(b0, b1); 2854 return b1; 2855 } 2856 abort(); 2857 /* NOTREACHED */ 2858 } 2859 2860 /* 2861 * Like gen_ehostop, but for DLT_FDDI 2862 */ 2863 static struct block * 2864 gen_fhostop(eaddr, dir) 2865 register const u_char *eaddr; 2866 register int dir; 2867 { 2868 struct block *b0, *b1; 2869 2870 switch (dir) { 2871 case Q_SRC: 2872 #ifdef PCAP_FDDIPAD 2873 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 2874 #else 2875 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr); 2876 #endif 2877 2878 case Q_DST: 2879 #ifdef PCAP_FDDIPAD 2880 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 2881 #else 2882 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr); 2883 #endif 2884 2885 case Q_AND: 2886 b0 = gen_fhostop(eaddr, Q_SRC); 2887 b1 = gen_fhostop(eaddr, Q_DST); 2888 gen_and(b0, b1); 2889 return b1; 2890 2891 case Q_DEFAULT: 2892 case Q_OR: 2893 b0 = gen_fhostop(eaddr, Q_SRC); 2894 b1 = gen_fhostop(eaddr, Q_DST); 2895 gen_or(b0, b1); 2896 return b1; 2897 } 2898 abort(); 2899 /* NOTREACHED */ 2900 } 2901 2902 /* 2903 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 2904 */ 2905 static struct block * 2906 gen_thostop(eaddr, dir) 2907 register const u_char *eaddr; 2908 register int dir; 2909 { 2910 register struct block *b0, *b1; 2911 2912 switch (dir) { 2913 case Q_SRC: 2914 return gen_bcmp(OR_LINK, 8, 6, eaddr); 2915 2916 case Q_DST: 2917 return gen_bcmp(OR_LINK, 2, 6, eaddr); 2918 2919 case Q_AND: 2920 b0 = gen_thostop(eaddr, Q_SRC); 2921 b1 = gen_thostop(eaddr, Q_DST); 2922 gen_and(b0, b1); 2923 return b1; 2924 2925 case Q_DEFAULT: 2926 case Q_OR: 2927 b0 = gen_thostop(eaddr, Q_SRC); 2928 b1 = gen_thostop(eaddr, Q_DST); 2929 gen_or(b0, b1); 2930 return b1; 2931 } 2932 abort(); 2933 /* NOTREACHED */ 2934 } 2935 2936 /* 2937 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) 2938 */ 2939 static struct block * 2940 gen_wlanhostop(eaddr, dir) 2941 register const u_char *eaddr; 2942 register int dir; 2943 { 2944 register struct block *b0, *b1, *b2; 2945 register struct slist *s; 2946 2947 switch (dir) { 2948 case Q_SRC: 2949 /* 2950 * Oh, yuk. 2951 * 2952 * For control frames, there is no SA. 2953 * 2954 * For management frames, SA is at an 2955 * offset of 10 from the beginning of 2956 * the packet. 2957 * 2958 * For data frames, SA is at an offset 2959 * of 10 from the beginning of the packet 2960 * if From DS is clear, at an offset of 2961 * 16 from the beginning of the packet 2962 * if From DS is set and To DS is clear, 2963 * and an offset of 24 from the beginning 2964 * of the packet if From DS is set and To DS 2965 * is set. 2966 */ 2967 2968 /* 2969 * Generate the tests to be done for data frames 2970 * with From DS set. 2971 * 2972 * First, check for To DS set, i.e. check "link[1] & 0x01". 2973 */ 2974 s = gen_load_a(OR_LINK, 1, BPF_B); 2975 b1 = new_block(JMP(BPF_JSET)); 2976 b1->s.k = 0x01; /* To DS */ 2977 b1->stmts = s; 2978 2979 /* 2980 * If To DS is set, the SA is at 24. 2981 */ 2982 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 2983 gen_and(b1, b0); 2984 2985 /* 2986 * Now, check for To DS not set, i.e. check 2987 * "!(link[1] & 0x01)". 2988 */ 2989 s = gen_load_a(OR_LINK, 1, BPF_B); 2990 b2 = new_block(JMP(BPF_JSET)); 2991 b2->s.k = 0x01; /* To DS */ 2992 b2->stmts = s; 2993 gen_not(b2); 2994 2995 /* 2996 * If To DS is not set, the SA is at 16. 2997 */ 2998 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 2999 gen_and(b2, b1); 3000 3001 /* 3002 * Now OR together the last two checks. That gives 3003 * the complete set of checks for data frames with 3004 * From DS set. 3005 */ 3006 gen_or(b1, b0); 3007 3008 /* 3009 * Now check for From DS being set, and AND that with 3010 * the ORed-together checks. 3011 */ 3012 s = gen_load_a(OR_LINK, 1, BPF_B); 3013 b1 = new_block(JMP(BPF_JSET)); 3014 b1->s.k = 0x02; /* From DS */ 3015 b1->stmts = s; 3016 gen_and(b1, b0); 3017 3018 /* 3019 * Now check for data frames with From DS not set. 3020 */ 3021 s = gen_load_a(OR_LINK, 1, BPF_B); 3022 b2 = new_block(JMP(BPF_JSET)); 3023 b2->s.k = 0x02; /* From DS */ 3024 b2->stmts = s; 3025 gen_not(b2); 3026 3027 /* 3028 * If From DS isn't set, the SA is at 10. 3029 */ 3030 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3031 gen_and(b2, b1); 3032 3033 /* 3034 * Now OR together the checks for data frames with 3035 * From DS not set and for data frames with From DS 3036 * set; that gives the checks done for data frames. 3037 */ 3038 gen_or(b1, b0); 3039 3040 /* 3041 * Now check for a data frame. 3042 * I.e, check "link[0] & 0x08". 3043 */ 3044 gen_load_a(OR_LINK, 0, BPF_B); 3045 b1 = new_block(JMP(BPF_JSET)); 3046 b1->s.k = 0x08; 3047 b1->stmts = s; 3048 3049 /* 3050 * AND that with the checks done for data frames. 3051 */ 3052 gen_and(b1, b0); 3053 3054 /* 3055 * If the high-order bit of the type value is 0, this 3056 * is a management frame. 3057 * I.e, check "!(link[0] & 0x08)". 3058 */ 3059 s = gen_load_a(OR_LINK, 0, BPF_B); 3060 b2 = new_block(JMP(BPF_JSET)); 3061 b2->s.k = 0x08; 3062 b2->stmts = s; 3063 gen_not(b2); 3064 3065 /* 3066 * For management frames, the SA is at 10. 3067 */ 3068 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3069 gen_and(b2, b1); 3070 3071 /* 3072 * OR that with the checks done for data frames. 3073 * That gives the checks done for management and 3074 * data frames. 3075 */ 3076 gen_or(b1, b0); 3077 3078 /* 3079 * If the low-order bit of the type value is 1, 3080 * this is either a control frame or a frame 3081 * with a reserved type, and thus not a 3082 * frame with an SA. 3083 * 3084 * I.e., check "!(link[0] & 0x04)". 3085 */ 3086 s = gen_load_a(OR_LINK, 0, BPF_B); 3087 b1 = new_block(JMP(BPF_JSET)); 3088 b1->s.k = 0x04; 3089 b1->stmts = s; 3090 gen_not(b1); 3091 3092 /* 3093 * AND that with the checks for data and management 3094 * frames. 3095 */ 3096 gen_and(b1, b0); 3097 return b0; 3098 3099 case Q_DST: 3100 /* 3101 * Oh, yuk. 3102 * 3103 * For control frames, there is no DA. 3104 * 3105 * For management frames, DA is at an 3106 * offset of 4 from the beginning of 3107 * the packet. 3108 * 3109 * For data frames, DA is at an offset 3110 * of 4 from the beginning of the packet 3111 * if To DS is clear and at an offset of 3112 * 16 from the beginning of the packet 3113 * if To DS is set. 3114 */ 3115 3116 /* 3117 * Generate the tests to be done for data frames. 3118 * 3119 * First, check for To DS set, i.e. "link[1] & 0x01". 3120 */ 3121 s = gen_load_a(OR_LINK, 1, BPF_B); 3122 b1 = new_block(JMP(BPF_JSET)); 3123 b1->s.k = 0x01; /* To DS */ 3124 b1->stmts = s; 3125 3126 /* 3127 * If To DS is set, the DA is at 16. 3128 */ 3129 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3130 gen_and(b1, b0); 3131 3132 /* 3133 * Now, check for To DS not set, i.e. check 3134 * "!(link[1] & 0x01)". 3135 */ 3136 s = gen_load_a(OR_LINK, 1, BPF_B); 3137 b2 = new_block(JMP(BPF_JSET)); 3138 b2->s.k = 0x01; /* To DS */ 3139 b2->stmts = s; 3140 gen_not(b2); 3141 3142 /* 3143 * If To DS is not set, the DA is at 4. 3144 */ 3145 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 3146 gen_and(b2, b1); 3147 3148 /* 3149 * Now OR together the last two checks. That gives 3150 * the complete set of checks for data frames. 3151 */ 3152 gen_or(b1, b0); 3153 3154 /* 3155 * Now check for a data frame. 3156 * I.e, check "link[0] & 0x08". 3157 */ 3158 s = gen_load_a(OR_LINK, 0, BPF_B); 3159 b1 = new_block(JMP(BPF_JSET)); 3160 b1->s.k = 0x08; 3161 b1->stmts = s; 3162 3163 /* 3164 * AND that with the checks done for data frames. 3165 */ 3166 gen_and(b1, b0); 3167 3168 /* 3169 * If the high-order bit of the type value is 0, this 3170 * is a management frame. 3171 * I.e, check "!(link[0] & 0x08)". 3172 */ 3173 s = gen_load_a(OR_LINK, 0, BPF_B); 3174 b2 = new_block(JMP(BPF_JSET)); 3175 b2->s.k = 0x08; 3176 b2->stmts = s; 3177 gen_not(b2); 3178 3179 /* 3180 * For management frames, the DA is at 4. 3181 */ 3182 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 3183 gen_and(b2, b1); 3184 3185 /* 3186 * OR that with the checks done for data frames. 3187 * That gives the checks done for management and 3188 * data frames. 3189 */ 3190 gen_or(b1, b0); 3191 3192 /* 3193 * If the low-order bit of the type value is 1, 3194 * this is either a control frame or a frame 3195 * with a reserved type, and thus not a 3196 * frame with an SA. 3197 * 3198 * I.e., check "!(link[0] & 0x04)". 3199 */ 3200 s = gen_load_a(OR_LINK, 0, BPF_B); 3201 b1 = new_block(JMP(BPF_JSET)); 3202 b1->s.k = 0x04; 3203 b1->stmts = s; 3204 gen_not(b1); 3205 3206 /* 3207 * AND that with the checks for data and management 3208 * frames. 3209 */ 3210 gen_and(b1, b0); 3211 return b0; 3212 3213 case Q_AND: 3214 b0 = gen_wlanhostop(eaddr, Q_SRC); 3215 b1 = gen_wlanhostop(eaddr, Q_DST); 3216 gen_and(b0, b1); 3217 return b1; 3218 3219 case Q_DEFAULT: 3220 case Q_OR: 3221 b0 = gen_wlanhostop(eaddr, Q_SRC); 3222 b1 = gen_wlanhostop(eaddr, Q_DST); 3223 gen_or(b0, b1); 3224 return b1; 3225 } 3226 abort(); 3227 /* NOTREACHED */ 3228 } 3229 3230 /* 3231 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 3232 * (We assume that the addresses are IEEE 48-bit MAC addresses, 3233 * as the RFC states.) 3234 */ 3235 static struct block * 3236 gen_ipfchostop(eaddr, dir) 3237 register const u_char *eaddr; 3238 register int dir; 3239 { 3240 register struct block *b0, *b1; 3241 3242 switch (dir) { 3243 case Q_SRC: 3244 return gen_bcmp(OR_LINK, 10, 6, eaddr); 3245 3246 case Q_DST: 3247 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3248 3249 case Q_AND: 3250 b0 = gen_ipfchostop(eaddr, Q_SRC); 3251 b1 = gen_ipfchostop(eaddr, Q_DST); 3252 gen_and(b0, b1); 3253 return b1; 3254 3255 case Q_DEFAULT: 3256 case Q_OR: 3257 b0 = gen_ipfchostop(eaddr, Q_SRC); 3258 b1 = gen_ipfchostop(eaddr, Q_DST); 3259 gen_or(b0, b1); 3260 return b1; 3261 } 3262 abort(); 3263 /* NOTREACHED */ 3264 } 3265 3266 /* 3267 * This is quite tricky because there may be pad bytes in front of the 3268 * DECNET header, and then there are two possible data packet formats that 3269 * carry both src and dst addresses, plus 5 packet types in a format that 3270 * carries only the src node, plus 2 types that use a different format and 3271 * also carry just the src node. 3272 * 3273 * Yuck. 3274 * 3275 * Instead of doing those all right, we just look for data packets with 3276 * 0 or 1 bytes of padding. If you want to look at other packets, that 3277 * will require a lot more hacking. 3278 * 3279 * To add support for filtering on DECNET "areas" (network numbers) 3280 * one would want to add a "mask" argument to this routine. That would 3281 * make the filter even more inefficient, although one could be clever 3282 * and not generate masking instructions if the mask is 0xFFFF. 3283 */ 3284 static struct block * 3285 gen_dnhostop(addr, dir) 3286 bpf_u_int32 addr; 3287 int dir; 3288 { 3289 struct block *b0, *b1, *b2, *tmp; 3290 u_int offset_lh; /* offset if long header is received */ 3291 u_int offset_sh; /* offset if short header is received */ 3292 3293 switch (dir) { 3294 3295 case Q_DST: 3296 offset_sh = 1; /* follows flags */ 3297 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 3298 break; 3299 3300 case Q_SRC: 3301 offset_sh = 3; /* follows flags, dstnode */ 3302 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 3303 break; 3304 3305 case Q_AND: 3306 /* Inefficient because we do our Calvinball dance twice */ 3307 b0 = gen_dnhostop(addr, Q_SRC); 3308 b1 = gen_dnhostop(addr, Q_DST); 3309 gen_and(b0, b1); 3310 return b1; 3311 3312 case Q_OR: 3313 case Q_DEFAULT: 3314 /* Inefficient because we do our Calvinball dance twice */ 3315 b0 = gen_dnhostop(addr, Q_SRC); 3316 b1 = gen_dnhostop(addr, Q_DST); 3317 gen_or(b0, b1); 3318 return b1; 3319 3320 case Q_ISO: 3321 bpf_error("ISO host filtering not implemented"); 3322 3323 default: 3324 abort(); 3325 } 3326 b0 = gen_linktype(ETHERTYPE_DN); 3327 /* Check for pad = 1, long header case */ 3328 tmp = gen_mcmp(OR_NET, 2, BPF_H, 3329 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 3330 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 3331 BPF_H, (bpf_int32)ntohs((u_short)addr)); 3332 gen_and(tmp, b1); 3333 /* Check for pad = 0, long header case */ 3334 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 3335 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 3336 gen_and(tmp, b2); 3337 gen_or(b2, b1); 3338 /* Check for pad = 1, short header case */ 3339 tmp = gen_mcmp(OR_NET, 2, BPF_H, 3340 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 3341 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 3342 gen_and(tmp, b2); 3343 gen_or(b2, b1); 3344 /* Check for pad = 0, short header case */ 3345 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 3346 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 3347 gen_and(tmp, b2); 3348 gen_or(b2, b1); 3349 3350 /* Combine with test for linktype */ 3351 gen_and(b0, b1); 3352 return b1; 3353 } 3354 3355 /* 3356 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 3357 * test the bottom-of-stack bit, and then check the version number 3358 * field in the IP header. 3359 */ 3360 static struct block * 3361 gen_mpls_linktype(proto) 3362 int proto; 3363 { 3364 struct block *b0, *b1; 3365 3366 switch (proto) { 3367 3368 case Q_IP: 3369 /* match the bottom-of-stack bit */ 3370 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 3371 /* match the IPv4 version number */ 3372 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 3373 gen_and(b0, b1); 3374 return b1; 3375 3376 case Q_IPV6: 3377 /* match the bottom-of-stack bit */ 3378 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 3379 /* match the IPv4 version number */ 3380 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 3381 gen_and(b0, b1); 3382 return b1; 3383 3384 default: 3385 abort(); 3386 } 3387 } 3388 3389 static struct block * 3390 gen_host(addr, mask, proto, dir, type) 3391 bpf_u_int32 addr; 3392 bpf_u_int32 mask; 3393 int proto; 3394 int dir; 3395 int type; 3396 { 3397 struct block *b0, *b1; 3398 const char *typestr; 3399 3400 if (type == Q_NET) 3401 typestr = "net"; 3402 else 3403 typestr = "host"; 3404 3405 switch (proto) { 3406 3407 case Q_DEFAULT: 3408 b0 = gen_host(addr, mask, Q_IP, dir, type); 3409 /* 3410 * Only check for non-IPv4 addresses if we're not 3411 * checking MPLS-encapsulated packets. 3412 */ 3413 if (label_stack_depth == 0) { 3414 b1 = gen_host(addr, mask, Q_ARP, dir, type); 3415 gen_or(b0, b1); 3416 b0 = gen_host(addr, mask, Q_RARP, dir, type); 3417 gen_or(b1, b0); 3418 } 3419 return b0; 3420 3421 case Q_IP: 3422 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 3423 3424 case Q_RARP: 3425 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 3426 3427 case Q_ARP: 3428 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 3429 3430 case Q_TCP: 3431 bpf_error("'tcp' modifier applied to %s", typestr); 3432 3433 case Q_SCTP: 3434 bpf_error("'sctp' modifier applied to %s", typestr); 3435 3436 case Q_UDP: 3437 bpf_error("'udp' modifier applied to %s", typestr); 3438 3439 case Q_ICMP: 3440 bpf_error("'icmp' modifier applied to %s", typestr); 3441 3442 case Q_IGMP: 3443 bpf_error("'igmp' modifier applied to %s", typestr); 3444 3445 case Q_IGRP: 3446 bpf_error("'igrp' modifier applied to %s", typestr); 3447 3448 case Q_PIM: 3449 bpf_error("'pim' modifier applied to %s", typestr); 3450 3451 case Q_VRRP: 3452 bpf_error("'vrrp' modifier applied to %s", typestr); 3453 3454 case Q_ATALK: 3455 bpf_error("ATALK host filtering not implemented"); 3456 3457 case Q_AARP: 3458 bpf_error("AARP host filtering not implemented"); 3459 3460 case Q_DECNET: 3461 return gen_dnhostop(addr, dir); 3462 3463 case Q_SCA: 3464 bpf_error("SCA host filtering not implemented"); 3465 3466 case Q_LAT: 3467 bpf_error("LAT host filtering not implemented"); 3468 3469 case Q_MOPDL: 3470 bpf_error("MOPDL host filtering not implemented"); 3471 3472 case Q_MOPRC: 3473 bpf_error("MOPRC host filtering not implemented"); 3474 3475 #ifdef INET6 3476 case Q_IPV6: 3477 bpf_error("'ip6' modifier applied to ip host"); 3478 3479 case Q_ICMPV6: 3480 bpf_error("'icmp6' modifier applied to %s", typestr); 3481 #endif /* INET6 */ 3482 3483 case Q_AH: 3484 bpf_error("'ah' modifier applied to %s", typestr); 3485 3486 case Q_ESP: 3487 bpf_error("'esp' modifier applied to %s", typestr); 3488 3489 case Q_ISO: 3490 bpf_error("ISO host filtering not implemented"); 3491 3492 case Q_ESIS: 3493 bpf_error("'esis' modifier applied to %s", typestr); 3494 3495 case Q_ISIS: 3496 bpf_error("'isis' modifier applied to %s", typestr); 3497 3498 case Q_CLNP: 3499 bpf_error("'clnp' modifier applied to %s", typestr); 3500 3501 case Q_STP: 3502 bpf_error("'stp' modifier applied to %s", typestr); 3503 3504 case Q_IPX: 3505 bpf_error("IPX host filtering not implemented"); 3506 3507 case Q_NETBEUI: 3508 bpf_error("'netbeui' modifier applied to %s", typestr); 3509 3510 case Q_RADIO: 3511 bpf_error("'radio' modifier applied to %s", typestr); 3512 3513 default: 3514 abort(); 3515 } 3516 /* NOTREACHED */ 3517 } 3518 3519 #ifdef INET6 3520 static struct block * 3521 gen_host6(addr, mask, proto, dir, type) 3522 struct in6_addr *addr; 3523 struct in6_addr *mask; 3524 int proto; 3525 int dir; 3526 int type; 3527 { 3528 const char *typestr; 3529 3530 if (type == Q_NET) 3531 typestr = "net"; 3532 else 3533 typestr = "host"; 3534 3535 switch (proto) { 3536 3537 case Q_DEFAULT: 3538 return gen_host6(addr, mask, Q_IPV6, dir, type); 3539 3540 case Q_IP: 3541 bpf_error("'ip' modifier applied to ip6 %s", typestr); 3542 3543 case Q_RARP: 3544 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 3545 3546 case Q_ARP: 3547 bpf_error("'arp' modifier applied to ip6 %s", typestr); 3548 3549 case Q_SCTP: 3550 bpf_error("'sctp' modifier applied to %s", typestr); 3551 3552 case Q_TCP: 3553 bpf_error("'tcp' modifier applied to %s", typestr); 3554 3555 case Q_UDP: 3556 bpf_error("'udp' modifier applied to %s", typestr); 3557 3558 case Q_ICMP: 3559 bpf_error("'icmp' modifier applied to %s", typestr); 3560 3561 case Q_IGMP: 3562 bpf_error("'igmp' modifier applied to %s", typestr); 3563 3564 case Q_IGRP: 3565 bpf_error("'igrp' modifier applied to %s", typestr); 3566 3567 case Q_PIM: 3568 bpf_error("'pim' modifier applied to %s", typestr); 3569 3570 case Q_VRRP: 3571 bpf_error("'vrrp' modifier applied to %s", typestr); 3572 3573 case Q_ATALK: 3574 bpf_error("ATALK host filtering not implemented"); 3575 3576 case Q_AARP: 3577 bpf_error("AARP host filtering not implemented"); 3578 3579 case Q_DECNET: 3580 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 3581 3582 case Q_SCA: 3583 bpf_error("SCA host filtering not implemented"); 3584 3585 case Q_LAT: 3586 bpf_error("LAT host filtering not implemented"); 3587 3588 case Q_MOPDL: 3589 bpf_error("MOPDL host filtering not implemented"); 3590 3591 case Q_MOPRC: 3592 bpf_error("MOPRC host filtering not implemented"); 3593 3594 case Q_IPV6: 3595 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 3596 3597 case Q_ICMPV6: 3598 bpf_error("'icmp6' modifier applied to %s", typestr); 3599 3600 case Q_AH: 3601 bpf_error("'ah' modifier applied to %s", typestr); 3602 3603 case Q_ESP: 3604 bpf_error("'esp' modifier applied to %s", typestr); 3605 3606 case Q_ISO: 3607 bpf_error("ISO host filtering not implemented"); 3608 3609 case Q_ESIS: 3610 bpf_error("'esis' modifier applied to %s", typestr); 3611 3612 case Q_ISIS: 3613 bpf_error("'isis' modifier applied to %s", typestr); 3614 3615 case Q_CLNP: 3616 bpf_error("'clnp' modifier applied to %s", typestr); 3617 3618 case Q_STP: 3619 bpf_error("'stp' modifier applied to %s", typestr); 3620 3621 case Q_IPX: 3622 bpf_error("IPX host filtering not implemented"); 3623 3624 case Q_NETBEUI: 3625 bpf_error("'netbeui' modifier applied to %s", typestr); 3626 3627 case Q_RADIO: 3628 bpf_error("'radio' modifier applied to %s", typestr); 3629 3630 default: 3631 abort(); 3632 } 3633 /* NOTREACHED */ 3634 } 3635 #endif /*INET6*/ 3636 3637 #ifndef INET6 3638 static struct block * 3639 gen_gateway(eaddr, alist, proto, dir) 3640 const u_char *eaddr; 3641 bpf_u_int32 **alist; 3642 int proto; 3643 int dir; 3644 { 3645 struct block *b0, *b1, *tmp; 3646 3647 if (dir != 0) 3648 bpf_error("direction applied to 'gateway'"); 3649 3650 switch (proto) { 3651 case Q_DEFAULT: 3652 case Q_IP: 3653 case Q_ARP: 3654 case Q_RARP: 3655 switch (linktype) { 3656 case DLT_EN10MB: 3657 b0 = gen_ehostop(eaddr, Q_OR); 3658 break; 3659 case DLT_FDDI: 3660 b0 = gen_fhostop(eaddr, Q_OR); 3661 break; 3662 case DLT_IEEE802: 3663 b0 = gen_thostop(eaddr, Q_OR); 3664 break; 3665 case DLT_IEEE802_11: 3666 case DLT_IEEE802_11_RADIO_AVS: 3667 case DLT_PPI: 3668 case DLT_IEEE802_11_RADIO: 3669 case DLT_PRISM_HEADER: 3670 b0 = gen_wlanhostop(eaddr, Q_OR); 3671 break; 3672 case DLT_SUNATM: 3673 if (is_lane) { 3674 /* 3675 * Check that the packet doesn't begin with an 3676 * LE Control marker. (We've already generated 3677 * a test for LANE.) 3678 */ 3679 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3680 0xFF00); 3681 gen_not(b1); 3682 3683 /* 3684 * Now check the MAC address. 3685 */ 3686 b0 = gen_ehostop(eaddr, Q_OR); 3687 gen_and(b1, b0); 3688 } 3689 break; 3690 case DLT_IP_OVER_FC: 3691 b0 = gen_ipfchostop(eaddr, Q_OR); 3692 break; 3693 default: 3694 bpf_error( 3695 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel"); 3696 } 3697 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 3698 while (*alist) { 3699 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 3700 Q_HOST); 3701 gen_or(b1, tmp); 3702 b1 = tmp; 3703 } 3704 gen_not(b1); 3705 gen_and(b0, b1); 3706 return b1; 3707 } 3708 bpf_error("illegal modifier of 'gateway'"); 3709 /* NOTREACHED */ 3710 } 3711 #endif 3712 3713 struct block * 3714 gen_proto_abbrev(proto) 3715 int proto; 3716 { 3717 struct block *b0; 3718 struct block *b1; 3719 3720 switch (proto) { 3721 3722 case Q_SCTP: 3723 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 3724 #ifdef INET6 3725 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 3726 gen_or(b0, b1); 3727 #endif 3728 break; 3729 3730 case Q_TCP: 3731 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 3732 #ifdef INET6 3733 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 3734 gen_or(b0, b1); 3735 #endif 3736 break; 3737 3738 case Q_UDP: 3739 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 3740 #ifdef INET6 3741 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 3742 gen_or(b0, b1); 3743 #endif 3744 break; 3745 3746 case Q_ICMP: 3747 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 3748 break; 3749 3750 #ifndef IPPROTO_IGMP 3751 #define IPPROTO_IGMP 2 3752 #endif 3753 3754 case Q_IGMP: 3755 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 3756 break; 3757 3758 #ifndef IPPROTO_IGRP 3759 #define IPPROTO_IGRP 9 3760 #endif 3761 case Q_IGRP: 3762 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 3763 break; 3764 3765 #ifndef IPPROTO_PIM 3766 #define IPPROTO_PIM 103 3767 #endif 3768 3769 case Q_PIM: 3770 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 3771 #ifdef INET6 3772 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 3773 gen_or(b0, b1); 3774 #endif 3775 break; 3776 3777 #ifndef IPPROTO_VRRP 3778 #define IPPROTO_VRRP 112 3779 #endif 3780 3781 case Q_VRRP: 3782 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 3783 break; 3784 3785 case Q_IP: 3786 b1 = gen_linktype(ETHERTYPE_IP); 3787 break; 3788 3789 case Q_ARP: 3790 b1 = gen_linktype(ETHERTYPE_ARP); 3791 break; 3792 3793 case Q_RARP: 3794 b1 = gen_linktype(ETHERTYPE_REVARP); 3795 break; 3796 3797 case Q_LINK: 3798 bpf_error("link layer applied in wrong context"); 3799 3800 case Q_ATALK: 3801 b1 = gen_linktype(ETHERTYPE_ATALK); 3802 break; 3803 3804 case Q_AARP: 3805 b1 = gen_linktype(ETHERTYPE_AARP); 3806 break; 3807 3808 case Q_DECNET: 3809 b1 = gen_linktype(ETHERTYPE_DN); 3810 break; 3811 3812 case Q_SCA: 3813 b1 = gen_linktype(ETHERTYPE_SCA); 3814 break; 3815 3816 case Q_LAT: 3817 b1 = gen_linktype(ETHERTYPE_LAT); 3818 break; 3819 3820 case Q_MOPDL: 3821 b1 = gen_linktype(ETHERTYPE_MOPDL); 3822 break; 3823 3824 case Q_MOPRC: 3825 b1 = gen_linktype(ETHERTYPE_MOPRC); 3826 break; 3827 3828 #ifdef INET6 3829 case Q_IPV6: 3830 b1 = gen_linktype(ETHERTYPE_IPV6); 3831 break; 3832 3833 #ifndef IPPROTO_ICMPV6 3834 #define IPPROTO_ICMPV6 58 3835 #endif 3836 case Q_ICMPV6: 3837 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 3838 break; 3839 #endif /* INET6 */ 3840 3841 #ifndef IPPROTO_AH 3842 #define IPPROTO_AH 51 3843 #endif 3844 case Q_AH: 3845 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 3846 #ifdef INET6 3847 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 3848 gen_or(b0, b1); 3849 #endif 3850 break; 3851 3852 #ifndef IPPROTO_ESP 3853 #define IPPROTO_ESP 50 3854 #endif 3855 case Q_ESP: 3856 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 3857 #ifdef INET6 3858 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 3859 gen_or(b0, b1); 3860 #endif 3861 break; 3862 3863 case Q_ISO: 3864 b1 = gen_linktype(LLCSAP_ISONS); 3865 break; 3866 3867 case Q_ESIS: 3868 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 3869 break; 3870 3871 case Q_ISIS: 3872 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 3873 break; 3874 3875 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 3876 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 3877 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 3878 gen_or(b0, b1); 3879 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 3880 gen_or(b0, b1); 3881 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3882 gen_or(b0, b1); 3883 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3884 gen_or(b0, b1); 3885 break; 3886 3887 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 3888 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 3889 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 3890 gen_or(b0, b1); 3891 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 3892 gen_or(b0, b1); 3893 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3894 gen_or(b0, b1); 3895 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3896 gen_or(b0, b1); 3897 break; 3898 3899 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 3900 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 3901 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 3902 gen_or(b0, b1); 3903 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 3904 gen_or(b0, b1); 3905 break; 3906 3907 case Q_ISIS_LSP: 3908 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 3909 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 3910 gen_or(b0, b1); 3911 break; 3912 3913 case Q_ISIS_SNP: 3914 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3915 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3916 gen_or(b0, b1); 3917 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3918 gen_or(b0, b1); 3919 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3920 gen_or(b0, b1); 3921 break; 3922 3923 case Q_ISIS_CSNP: 3924 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 3925 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 3926 gen_or(b0, b1); 3927 break; 3928 3929 case Q_ISIS_PSNP: 3930 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 3931 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 3932 gen_or(b0, b1); 3933 break; 3934 3935 case Q_CLNP: 3936 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 3937 break; 3938 3939 case Q_STP: 3940 b1 = gen_linktype(LLCSAP_8021D); 3941 break; 3942 3943 case Q_IPX: 3944 b1 = gen_linktype(LLCSAP_IPX); 3945 break; 3946 3947 case Q_NETBEUI: 3948 b1 = gen_linktype(LLCSAP_NETBEUI); 3949 break; 3950 3951 case Q_RADIO: 3952 bpf_error("'radio' is not a valid protocol type"); 3953 3954 default: 3955 abort(); 3956 } 3957 return b1; 3958 } 3959 3960 static struct block * 3961 gen_ipfrag() 3962 { 3963 struct slist *s; 3964 struct block *b; 3965 3966 /* not ip frag */ 3967 s = gen_load_a(OR_NET, 6, BPF_H); 3968 b = new_block(JMP(BPF_JSET)); 3969 b->s.k = 0x1fff; 3970 b->stmts = s; 3971 gen_not(b); 3972 3973 return b; 3974 } 3975 3976 /* 3977 * Generate a comparison to a port value in the transport-layer header 3978 * at the specified offset from the beginning of that header. 3979 * 3980 * XXX - this handles a variable-length prefix preceding the link-layer 3981 * header, such as the radiotap or AVS radio prefix, but doesn't handle 3982 * variable-length link-layer headers (such as Token Ring or 802.11 3983 * headers). 3984 */ 3985 static struct block * 3986 gen_portatom(off, v) 3987 int off; 3988 bpf_int32 v; 3989 { 3990 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 3991 } 3992 3993 #ifdef INET6 3994 static struct block * 3995 gen_portatom6(off, v) 3996 int off; 3997 bpf_int32 v; 3998 { 3999 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 4000 } 4001 #endif/*INET6*/ 4002 4003 struct block * 4004 gen_portop(port, proto, dir) 4005 int port, proto, dir; 4006 { 4007 struct block *b0, *b1, *tmp; 4008 4009 /* ip proto 'proto' */ 4010 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 4011 b0 = gen_ipfrag(); 4012 gen_and(tmp, b0); 4013 4014 switch (dir) { 4015 case Q_SRC: 4016 b1 = gen_portatom(0, (bpf_int32)port); 4017 break; 4018 4019 case Q_DST: 4020 b1 = gen_portatom(2, (bpf_int32)port); 4021 break; 4022 4023 case Q_OR: 4024 case Q_DEFAULT: 4025 tmp = gen_portatom(0, (bpf_int32)port); 4026 b1 = gen_portatom(2, (bpf_int32)port); 4027 gen_or(tmp, b1); 4028 break; 4029 4030 case Q_AND: 4031 tmp = gen_portatom(0, (bpf_int32)port); 4032 b1 = gen_portatom(2, (bpf_int32)port); 4033 gen_and(tmp, b1); 4034 break; 4035 4036 default: 4037 abort(); 4038 } 4039 gen_and(b0, b1); 4040 4041 return b1; 4042 } 4043 4044 static struct block * 4045 gen_port(port, ip_proto, dir) 4046 int port; 4047 int ip_proto; 4048 int dir; 4049 { 4050 struct block *b0, *b1, *tmp; 4051 4052 /* 4053 * ether proto ip 4054 * 4055 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 4056 * not LLC encapsulation with LLCSAP_IP. 4057 * 4058 * For IEEE 802 networks - which includes 802.5 token ring 4059 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 4060 * says that SNAP encapsulation is used, not LLC encapsulation 4061 * with LLCSAP_IP. 4062 * 4063 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 4064 * RFC 2225 say that SNAP encapsulation is used, not LLC 4065 * encapsulation with LLCSAP_IP. 4066 * 4067 * So we always check for ETHERTYPE_IP. 4068 */ 4069 b0 = gen_linktype(ETHERTYPE_IP); 4070 4071 switch (ip_proto) { 4072 case IPPROTO_UDP: 4073 case IPPROTO_TCP: 4074 case IPPROTO_SCTP: 4075 b1 = gen_portop(port, ip_proto, dir); 4076 break; 4077 4078 case PROTO_UNDEF: 4079 tmp = gen_portop(port, IPPROTO_TCP, dir); 4080 b1 = gen_portop(port, IPPROTO_UDP, dir); 4081 gen_or(tmp, b1); 4082 tmp = gen_portop(port, IPPROTO_SCTP, dir); 4083 gen_or(tmp, b1); 4084 break; 4085 4086 default: 4087 abort(); 4088 } 4089 gen_and(b0, b1); 4090 return b1; 4091 } 4092 4093 #ifdef INET6 4094 struct block * 4095 gen_portop6(port, proto, dir) 4096 int port, proto, dir; 4097 { 4098 struct block *b0, *b1, *tmp; 4099 4100 /* ip6 proto 'proto' */ 4101 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 4102 4103 switch (dir) { 4104 case Q_SRC: 4105 b1 = gen_portatom6(0, (bpf_int32)port); 4106 break; 4107 4108 case Q_DST: 4109 b1 = gen_portatom6(2, (bpf_int32)port); 4110 break; 4111 4112 case Q_OR: 4113 case Q_DEFAULT: 4114 tmp = gen_portatom6(0, (bpf_int32)port); 4115 b1 = gen_portatom6(2, (bpf_int32)port); 4116 gen_or(tmp, b1); 4117 break; 4118 4119 case Q_AND: 4120 tmp = gen_portatom6(0, (bpf_int32)port); 4121 b1 = gen_portatom6(2, (bpf_int32)port); 4122 gen_and(tmp, b1); 4123 break; 4124 4125 default: 4126 abort(); 4127 } 4128 gen_and(b0, b1); 4129 4130 return b1; 4131 } 4132 4133 static struct block * 4134 gen_port6(port, ip_proto, dir) 4135 int port; 4136 int ip_proto; 4137 int dir; 4138 { 4139 struct block *b0, *b1, *tmp; 4140 4141 /* link proto ip6 */ 4142 b0 = gen_linktype(ETHERTYPE_IPV6); 4143 4144 switch (ip_proto) { 4145 case IPPROTO_UDP: 4146 case IPPROTO_TCP: 4147 case IPPROTO_SCTP: 4148 b1 = gen_portop6(port, ip_proto, dir); 4149 break; 4150 4151 case PROTO_UNDEF: 4152 tmp = gen_portop6(port, IPPROTO_TCP, dir); 4153 b1 = gen_portop6(port, IPPROTO_UDP, dir); 4154 gen_or(tmp, b1); 4155 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 4156 gen_or(tmp, b1); 4157 break; 4158 4159 default: 4160 abort(); 4161 } 4162 gen_and(b0, b1); 4163 return b1; 4164 } 4165 #endif /* INET6 */ 4166 4167 /* gen_portrange code */ 4168 static struct block * 4169 gen_portrangeatom(off, v1, v2) 4170 int off; 4171 bpf_int32 v1, v2; 4172 { 4173 struct block *b1, *b2; 4174 4175 if (v1 > v2) { 4176 /* 4177 * Reverse the order of the ports, so v1 is the lower one. 4178 */ 4179 bpf_int32 vtemp; 4180 4181 vtemp = v1; 4182 v1 = v2; 4183 v2 = vtemp; 4184 } 4185 4186 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 4187 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 4188 4189 gen_and(b1, b2); 4190 4191 return b2; 4192 } 4193 4194 struct block * 4195 gen_portrangeop(port1, port2, proto, dir) 4196 int port1, port2; 4197 int proto; 4198 int dir; 4199 { 4200 struct block *b0, *b1, *tmp; 4201 4202 /* ip proto 'proto' */ 4203 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 4204 b0 = gen_ipfrag(); 4205 gen_and(tmp, b0); 4206 4207 switch (dir) { 4208 case Q_SRC: 4209 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 4210 break; 4211 4212 case Q_DST: 4213 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 4214 break; 4215 4216 case Q_OR: 4217 case Q_DEFAULT: 4218 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 4219 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 4220 gen_or(tmp, b1); 4221 break; 4222 4223 case Q_AND: 4224 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 4225 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 4226 gen_and(tmp, b1); 4227 break; 4228 4229 default: 4230 abort(); 4231 } 4232 gen_and(b0, b1); 4233 4234 return b1; 4235 } 4236 4237 static struct block * 4238 gen_portrange(port1, port2, ip_proto, dir) 4239 int port1, port2; 4240 int ip_proto; 4241 int dir; 4242 { 4243 struct block *b0, *b1, *tmp; 4244 4245 /* link proto ip */ 4246 b0 = gen_linktype(ETHERTYPE_IP); 4247 4248 switch (ip_proto) { 4249 case IPPROTO_UDP: 4250 case IPPROTO_TCP: 4251 case IPPROTO_SCTP: 4252 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 4253 break; 4254 4255 case PROTO_UNDEF: 4256 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 4257 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 4258 gen_or(tmp, b1); 4259 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 4260 gen_or(tmp, b1); 4261 break; 4262 4263 default: 4264 abort(); 4265 } 4266 gen_and(b0, b1); 4267 return b1; 4268 } 4269 4270 #ifdef INET6 4271 static struct block * 4272 gen_portrangeatom6(off, v1, v2) 4273 int off; 4274 bpf_int32 v1, v2; 4275 { 4276 struct block *b1, *b2; 4277 4278 if (v1 > v2) { 4279 /* 4280 * Reverse the order of the ports, so v1 is the lower one. 4281 */ 4282 bpf_int32 vtemp; 4283 4284 vtemp = v1; 4285 v1 = v2; 4286 v2 = vtemp; 4287 } 4288 4289 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 4290 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 4291 4292 gen_and(b1, b2); 4293 4294 return b2; 4295 } 4296 4297 struct block * 4298 gen_portrangeop6(port1, port2, proto, dir) 4299 int port1, port2; 4300 int proto; 4301 int dir; 4302 { 4303 struct block *b0, *b1, *tmp; 4304 4305 /* ip6 proto 'proto' */ 4306 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 4307 4308 switch (dir) { 4309 case Q_SRC: 4310 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4311 break; 4312 4313 case Q_DST: 4314 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4315 break; 4316 4317 case Q_OR: 4318 case Q_DEFAULT: 4319 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4320 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4321 gen_or(tmp, b1); 4322 break; 4323 4324 case Q_AND: 4325 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 4326 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 4327 gen_and(tmp, b1); 4328 break; 4329 4330 default: 4331 abort(); 4332 } 4333 gen_and(b0, b1); 4334 4335 return b1; 4336 } 4337 4338 static struct block * 4339 gen_portrange6(port1, port2, ip_proto, dir) 4340 int port1, port2; 4341 int ip_proto; 4342 int dir; 4343 { 4344 struct block *b0, *b1, *tmp; 4345 4346 /* link proto ip6 */ 4347 b0 = gen_linktype(ETHERTYPE_IPV6); 4348 4349 switch (ip_proto) { 4350 case IPPROTO_UDP: 4351 case IPPROTO_TCP: 4352 case IPPROTO_SCTP: 4353 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 4354 break; 4355 4356 case PROTO_UNDEF: 4357 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 4358 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 4359 gen_or(tmp, b1); 4360 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 4361 gen_or(tmp, b1); 4362 break; 4363 4364 default: 4365 abort(); 4366 } 4367 gen_and(b0, b1); 4368 return b1; 4369 } 4370 #endif /* INET6 */ 4371 4372 static int 4373 lookup_proto(name, proto) 4374 register const char *name; 4375 register int proto; 4376 { 4377 register int v; 4378 4379 switch (proto) { 4380 4381 case Q_DEFAULT: 4382 case Q_IP: 4383 case Q_IPV6: 4384 v = pcap_nametoproto(name); 4385 if (v == PROTO_UNDEF) 4386 bpf_error("unknown ip proto '%s'", name); 4387 break; 4388 4389 case Q_LINK: 4390 /* XXX should look up h/w protocol type based on linktype */ 4391 v = pcap_nametoeproto(name); 4392 if (v == PROTO_UNDEF) { 4393 v = pcap_nametollc(name); 4394 if (v == PROTO_UNDEF) 4395 bpf_error("unknown ether proto '%s'", name); 4396 } 4397 break; 4398 4399 case Q_ISO: 4400 if (strcmp(name, "esis") == 0) 4401 v = ISO9542_ESIS; 4402 else if (strcmp(name, "isis") == 0) 4403 v = ISO10589_ISIS; 4404 else if (strcmp(name, "clnp") == 0) 4405 v = ISO8473_CLNP; 4406 else 4407 bpf_error("unknown osi proto '%s'", name); 4408 break; 4409 4410 default: 4411 v = PROTO_UNDEF; 4412 break; 4413 } 4414 return v; 4415 } 4416 4417 #if 0 4418 struct stmt * 4419 gen_joinsp(s, n) 4420 struct stmt **s; 4421 int n; 4422 { 4423 return NULL; 4424 } 4425 #endif 4426 4427 static struct block * 4428 gen_protochain(v, proto, dir) 4429 int v; 4430 int proto; 4431 int dir; 4432 { 4433 #ifdef NO_PROTOCHAIN 4434 return gen_proto(v, proto, dir); 4435 #else 4436 struct block *b0, *b; 4437 struct slist *s[100]; 4438 int fix2, fix3, fix4, fix5; 4439 int ahcheck, again, end; 4440 int i, max; 4441 int reg2 = alloc_reg(); 4442 4443 memset(s, 0, sizeof(s)); 4444 fix2 = fix3 = fix4 = fix5 = 0; 4445 4446 switch (proto) { 4447 case Q_IP: 4448 case Q_IPV6: 4449 break; 4450 case Q_DEFAULT: 4451 b0 = gen_protochain(v, Q_IP, dir); 4452 b = gen_protochain(v, Q_IPV6, dir); 4453 gen_or(b0, b); 4454 return b; 4455 default: 4456 bpf_error("bad protocol applied for 'protochain'"); 4457 /*NOTREACHED*/ 4458 } 4459 4460 /* 4461 * We don't handle variable-length radiotap here headers yet. 4462 * We might want to add BPF instructions to do the protochain 4463 * work, to simplify that and, on platforms that have a BPF 4464 * interpreter with the new instructions, let the filtering 4465 * be done in the kernel. (We already require a modified BPF 4466 * engine to do the protochain stuff, to support backward 4467 * branches, and backward branch support is unlikely to appear 4468 * in kernel BPF engines.) 4469 */ 4470 if (linktype == DLT_IEEE802_11_RADIO) 4471 bpf_error("'protochain' not supported with radiotap headers"); 4472 4473 if (linktype == DLT_PPI) 4474 bpf_error("'protochain' not supported with PPI headers"); 4475 4476 no_optimize = 1; /*this code is not compatible with optimzer yet */ 4477 4478 /* 4479 * s[0] is a dummy entry to protect other BPF insn from damage 4480 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 4481 * hard to find interdependency made by jump table fixup. 4482 */ 4483 i = 0; 4484 s[i] = new_stmt(0); /*dummy*/ 4485 i++; 4486 4487 switch (proto) { 4488 case Q_IP: 4489 b0 = gen_linktype(ETHERTYPE_IP); 4490 4491 /* A = ip->ip_p */ 4492 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 4493 s[i]->s.k = off_ll + off_nl + 9; 4494 i++; 4495 /* X = ip->ip_hl << 2 */ 4496 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 4497 s[i]->s.k = off_ll + off_nl; 4498 i++; 4499 break; 4500 #ifdef INET6 4501 case Q_IPV6: 4502 b0 = gen_linktype(ETHERTYPE_IPV6); 4503 4504 /* A = ip6->ip_nxt */ 4505 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 4506 s[i]->s.k = off_ll + off_nl + 6; 4507 i++; 4508 /* X = sizeof(struct ip6_hdr) */ 4509 s[i] = new_stmt(BPF_LDX|BPF_IMM); 4510 s[i]->s.k = 40; 4511 i++; 4512 break; 4513 #endif 4514 default: 4515 bpf_error("unsupported proto to gen_protochain"); 4516 /*NOTREACHED*/ 4517 } 4518 4519 /* again: if (A == v) goto end; else fall through; */ 4520 again = i; 4521 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4522 s[i]->s.k = v; 4523 s[i]->s.jt = NULL; /*later*/ 4524 s[i]->s.jf = NULL; /*update in next stmt*/ 4525 fix5 = i; 4526 i++; 4527 4528 #ifndef IPPROTO_NONE 4529 #define IPPROTO_NONE 59 4530 #endif 4531 /* if (A == IPPROTO_NONE) goto end */ 4532 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4533 s[i]->s.jt = NULL; /*later*/ 4534 s[i]->s.jf = NULL; /*update in next stmt*/ 4535 s[i]->s.k = IPPROTO_NONE; 4536 s[fix5]->s.jf = s[i]; 4537 fix2 = i; 4538 i++; 4539 4540 #ifdef INET6 4541 if (proto == Q_IPV6) { 4542 int v6start, v6end, v6advance, j; 4543 4544 v6start = i; 4545 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 4546 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4547 s[i]->s.jt = NULL; /*later*/ 4548 s[i]->s.jf = NULL; /*update in next stmt*/ 4549 s[i]->s.k = IPPROTO_HOPOPTS; 4550 s[fix2]->s.jf = s[i]; 4551 i++; 4552 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 4553 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4554 s[i]->s.jt = NULL; /*later*/ 4555 s[i]->s.jf = NULL; /*update in next stmt*/ 4556 s[i]->s.k = IPPROTO_DSTOPTS; 4557 i++; 4558 /* if (A == IPPROTO_ROUTING) goto v6advance */ 4559 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4560 s[i]->s.jt = NULL; /*later*/ 4561 s[i]->s.jf = NULL; /*update in next stmt*/ 4562 s[i]->s.k = IPPROTO_ROUTING; 4563 i++; 4564 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 4565 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4566 s[i]->s.jt = NULL; /*later*/ 4567 s[i]->s.jf = NULL; /*later*/ 4568 s[i]->s.k = IPPROTO_FRAGMENT; 4569 fix3 = i; 4570 v6end = i; 4571 i++; 4572 4573 /* v6advance: */ 4574 v6advance = i; 4575 4576 /* 4577 * in short, 4578 * A = P[X]; 4579 * X = X + (P[X + 1] + 1) * 8; 4580 */ 4581 /* A = X */ 4582 s[i] = new_stmt(BPF_MISC|BPF_TXA); 4583 i++; 4584 /* A = P[X + packet head] */ 4585 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4586 s[i]->s.k = off_ll + off_nl; 4587 i++; 4588 /* MEM[reg2] = A */ 4589 s[i] = new_stmt(BPF_ST); 4590 s[i]->s.k = reg2; 4591 i++; 4592 /* A = X */ 4593 s[i] = new_stmt(BPF_MISC|BPF_TXA); 4594 i++; 4595 /* A += 1 */ 4596 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4597 s[i]->s.k = 1; 4598 i++; 4599 /* X = A */ 4600 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4601 i++; 4602 /* A = P[X + packet head]; */ 4603 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4604 s[i]->s.k = off_ll + off_nl; 4605 i++; 4606 /* A += 1 */ 4607 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4608 s[i]->s.k = 1; 4609 i++; 4610 /* A *= 8 */ 4611 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 4612 s[i]->s.k = 8; 4613 i++; 4614 /* X = A; */ 4615 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4616 i++; 4617 /* A = MEM[reg2] */ 4618 s[i] = new_stmt(BPF_LD|BPF_MEM); 4619 s[i]->s.k = reg2; 4620 i++; 4621 4622 /* goto again; (must use BPF_JA for backward jump) */ 4623 s[i] = new_stmt(BPF_JMP|BPF_JA); 4624 s[i]->s.k = again - i - 1; 4625 s[i - 1]->s.jf = s[i]; 4626 i++; 4627 4628 /* fixup */ 4629 for (j = v6start; j <= v6end; j++) 4630 s[j]->s.jt = s[v6advance]; 4631 } else 4632 #endif 4633 { 4634 /* nop */ 4635 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4636 s[i]->s.k = 0; 4637 s[fix2]->s.jf = s[i]; 4638 i++; 4639 } 4640 4641 /* ahcheck: */ 4642 ahcheck = i; 4643 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 4644 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 4645 s[i]->s.jt = NULL; /*later*/ 4646 s[i]->s.jf = NULL; /*later*/ 4647 s[i]->s.k = IPPROTO_AH; 4648 if (fix3) 4649 s[fix3]->s.jf = s[ahcheck]; 4650 fix4 = i; 4651 i++; 4652 4653 /* 4654 * in short, 4655 * A = P[X]; 4656 * X = X + (P[X + 1] + 2) * 4; 4657 */ 4658 /* A = X */ 4659 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 4660 i++; 4661 /* A = P[X + packet head]; */ 4662 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4663 s[i]->s.k = off_ll + off_nl; 4664 i++; 4665 /* MEM[reg2] = A */ 4666 s[i] = new_stmt(BPF_ST); 4667 s[i]->s.k = reg2; 4668 i++; 4669 /* A = X */ 4670 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 4671 i++; 4672 /* A += 1 */ 4673 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4674 s[i]->s.k = 1; 4675 i++; 4676 /* X = A */ 4677 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4678 i++; 4679 /* A = P[X + packet head] */ 4680 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 4681 s[i]->s.k = off_ll + off_nl; 4682 i++; 4683 /* A += 2 */ 4684 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4685 s[i]->s.k = 2; 4686 i++; 4687 /* A *= 4 */ 4688 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 4689 s[i]->s.k = 4; 4690 i++; 4691 /* X = A; */ 4692 s[i] = new_stmt(BPF_MISC|BPF_TAX); 4693 i++; 4694 /* A = MEM[reg2] */ 4695 s[i] = new_stmt(BPF_LD|BPF_MEM); 4696 s[i]->s.k = reg2; 4697 i++; 4698 4699 /* goto again; (must use BPF_JA for backward jump) */ 4700 s[i] = new_stmt(BPF_JMP|BPF_JA); 4701 s[i]->s.k = again - i - 1; 4702 i++; 4703 4704 /* end: nop */ 4705 end = i; 4706 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 4707 s[i]->s.k = 0; 4708 s[fix2]->s.jt = s[end]; 4709 s[fix4]->s.jf = s[end]; 4710 s[fix5]->s.jt = s[end]; 4711 i++; 4712 4713 /* 4714 * make slist chain 4715 */ 4716 max = i; 4717 for (i = 0; i < max - 1; i++) 4718 s[i]->next = s[i + 1]; 4719 s[max - 1]->next = NULL; 4720 4721 /* 4722 * emit final check 4723 */ 4724 b = new_block(JMP(BPF_JEQ)); 4725 b->stmts = s[1]; /*remember, s[0] is dummy*/ 4726 b->s.k = v; 4727 4728 free_reg(reg2); 4729 4730 gen_and(b0, b); 4731 return b; 4732 #endif 4733 } 4734 4735 4736 /* 4737 * Generate code that checks whether the packet is a packet for protocol 4738 * <proto> and whether the type field in that protocol's header has 4739 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 4740 * IP packet and checks the protocol number in the IP header against <v>. 4741 * 4742 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 4743 * against Q_IP and Q_IPV6. 4744 */ 4745 static struct block * 4746 gen_proto(v, proto, dir) 4747 int v; 4748 int proto; 4749 int dir; 4750 { 4751 struct block *b0, *b1; 4752 4753 if (dir != Q_DEFAULT) 4754 bpf_error("direction applied to 'proto'"); 4755 4756 switch (proto) { 4757 case Q_DEFAULT: 4758 #ifdef INET6 4759 b0 = gen_proto(v, Q_IP, dir); 4760 b1 = gen_proto(v, Q_IPV6, dir); 4761 gen_or(b0, b1); 4762 return b1; 4763 #else 4764 /*FALLTHROUGH*/ 4765 #endif 4766 case Q_IP: 4767 /* 4768 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 4769 * not LLC encapsulation with LLCSAP_IP. 4770 * 4771 * For IEEE 802 networks - which includes 802.5 token ring 4772 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 4773 * says that SNAP encapsulation is used, not LLC encapsulation 4774 * with LLCSAP_IP. 4775 * 4776 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 4777 * RFC 2225 say that SNAP encapsulation is used, not LLC 4778 * encapsulation with LLCSAP_IP. 4779 * 4780 * So we always check for ETHERTYPE_IP. 4781 */ 4782 b0 = gen_linktype(ETHERTYPE_IP); 4783 #ifndef CHASE_CHAIN 4784 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 4785 #else 4786 b1 = gen_protochain(v, Q_IP); 4787 #endif 4788 gen_and(b0, b1); 4789 return b1; 4790 4791 case Q_ISO: 4792 switch (linktype) { 4793 4794 case DLT_FRELAY: 4795 /* 4796 * Frame Relay packets typically have an OSI 4797 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 4798 * generates code to check for all the OSI 4799 * NLPIDs, so calling it and then adding a check 4800 * for the particular NLPID for which we're 4801 * looking is bogus, as we can just check for 4802 * the NLPID. 4803 * 4804 * What we check for is the NLPID and a frame 4805 * control field value of UI, i.e. 0x03 followed 4806 * by the NLPID. 4807 * 4808 * XXX - assumes a 2-byte Frame Relay header with 4809 * DLCI and flags. What if the address is longer? 4810 * 4811 * XXX - what about SNAP-encapsulated frames? 4812 */ 4813 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 4814 /*NOTREACHED*/ 4815 break; 4816 4817 case DLT_C_HDLC: 4818 /* 4819 * Cisco uses an Ethertype lookalike - for OSI, 4820 * it's 0xfefe. 4821 */ 4822 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 4823 /* OSI in C-HDLC is stuffed with a fudge byte */ 4824 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 4825 gen_and(b0, b1); 4826 return b1; 4827 4828 default: 4829 b0 = gen_linktype(LLCSAP_ISONS); 4830 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 4831 gen_and(b0, b1); 4832 return b1; 4833 } 4834 4835 case Q_ISIS: 4836 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4837 /* 4838 * 4 is the offset of the PDU type relative to the IS-IS 4839 * header. 4840 */ 4841 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 4842 gen_and(b0, b1); 4843 return b1; 4844 4845 case Q_ARP: 4846 bpf_error("arp does not encapsulate another protocol"); 4847 /* NOTREACHED */ 4848 4849 case Q_RARP: 4850 bpf_error("rarp does not encapsulate another protocol"); 4851 /* NOTREACHED */ 4852 4853 case Q_ATALK: 4854 bpf_error("atalk encapsulation is not specifiable"); 4855 /* NOTREACHED */ 4856 4857 case Q_DECNET: 4858 bpf_error("decnet encapsulation is not specifiable"); 4859 /* NOTREACHED */ 4860 4861 case Q_SCA: 4862 bpf_error("sca does not encapsulate another protocol"); 4863 /* NOTREACHED */ 4864 4865 case Q_LAT: 4866 bpf_error("lat does not encapsulate another protocol"); 4867 /* NOTREACHED */ 4868 4869 case Q_MOPRC: 4870 bpf_error("moprc does not encapsulate another protocol"); 4871 /* NOTREACHED */ 4872 4873 case Q_MOPDL: 4874 bpf_error("mopdl does not encapsulate another protocol"); 4875 /* NOTREACHED */ 4876 4877 case Q_LINK: 4878 return gen_linktype(v); 4879 4880 case Q_UDP: 4881 bpf_error("'udp proto' is bogus"); 4882 /* NOTREACHED */ 4883 4884 case Q_TCP: 4885 bpf_error("'tcp proto' is bogus"); 4886 /* NOTREACHED */ 4887 4888 case Q_SCTP: 4889 bpf_error("'sctp proto' is bogus"); 4890 /* NOTREACHED */ 4891 4892 case Q_ICMP: 4893 bpf_error("'icmp proto' is bogus"); 4894 /* NOTREACHED */ 4895 4896 case Q_IGMP: 4897 bpf_error("'igmp proto' is bogus"); 4898 /* NOTREACHED */ 4899 4900 case Q_IGRP: 4901 bpf_error("'igrp proto' is bogus"); 4902 /* NOTREACHED */ 4903 4904 case Q_PIM: 4905 bpf_error("'pim proto' is bogus"); 4906 /* NOTREACHED */ 4907 4908 case Q_VRRP: 4909 bpf_error("'vrrp proto' is bogus"); 4910 /* NOTREACHED */ 4911 4912 #ifdef INET6 4913 case Q_IPV6: 4914 b0 = gen_linktype(ETHERTYPE_IPV6); 4915 #ifndef CHASE_CHAIN 4916 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 4917 #else 4918 b1 = gen_protochain(v, Q_IPV6); 4919 #endif 4920 gen_and(b0, b1); 4921 return b1; 4922 4923 case Q_ICMPV6: 4924 bpf_error("'icmp6 proto' is bogus"); 4925 #endif /* INET6 */ 4926 4927 case Q_AH: 4928 bpf_error("'ah proto' is bogus"); 4929 4930 case Q_ESP: 4931 bpf_error("'ah proto' is bogus"); 4932 4933 case Q_STP: 4934 bpf_error("'stp proto' is bogus"); 4935 4936 case Q_IPX: 4937 bpf_error("'ipx proto' is bogus"); 4938 4939 case Q_NETBEUI: 4940 bpf_error("'netbeui proto' is bogus"); 4941 4942 case Q_RADIO: 4943 bpf_error("'radio proto' is bogus"); 4944 4945 default: 4946 abort(); 4947 /* NOTREACHED */ 4948 } 4949 /* NOTREACHED */ 4950 } 4951 4952 struct block * 4953 gen_scode(name, q) 4954 register const char *name; 4955 struct qual q; 4956 { 4957 int proto = q.proto; 4958 int dir = q.dir; 4959 int tproto; 4960 u_char *eaddr; 4961 bpf_u_int32 mask, addr; 4962 #ifndef INET6 4963 bpf_u_int32 **alist; 4964 #else 4965 int tproto6; 4966 struct sockaddr_in *sin4; 4967 struct sockaddr_in6 *sin6; 4968 struct addrinfo *res, *res0; 4969 struct in6_addr mask128; 4970 #endif /*INET6*/ 4971 struct block *b, *tmp; 4972 int port, real_proto; 4973 int port1, port2; 4974 4975 switch (q.addr) { 4976 4977 case Q_NET: 4978 addr = pcap_nametonetaddr(name); 4979 if (addr == 0) 4980 bpf_error("unknown network '%s'", name); 4981 /* Left justify network addr and calculate its network mask */ 4982 mask = 0xffffffff; 4983 while (addr && (addr & 0xff000000) == 0) { 4984 addr <<= 8; 4985 mask <<= 8; 4986 } 4987 return gen_host(addr, mask, proto, dir, q.addr); 4988 4989 case Q_DEFAULT: 4990 case Q_HOST: 4991 if (proto == Q_LINK) { 4992 switch (linktype) { 4993 4994 case DLT_EN10MB: 4995 eaddr = pcap_ether_hostton(name); 4996 if (eaddr == NULL) 4997 bpf_error( 4998 "unknown ether host '%s'", name); 4999 b = gen_ehostop(eaddr, dir); 5000 free(eaddr); 5001 return b; 5002 5003 case DLT_FDDI: 5004 eaddr = pcap_ether_hostton(name); 5005 if (eaddr == NULL) 5006 bpf_error( 5007 "unknown FDDI host '%s'", name); 5008 b = gen_fhostop(eaddr, dir); 5009 free(eaddr); 5010 return b; 5011 5012 case DLT_IEEE802: 5013 eaddr = pcap_ether_hostton(name); 5014 if (eaddr == NULL) 5015 bpf_error( 5016 "unknown token ring host '%s'", name); 5017 b = gen_thostop(eaddr, dir); 5018 free(eaddr); 5019 return b; 5020 5021 case DLT_IEEE802_11: 5022 case DLT_IEEE802_11_RADIO_AVS: 5023 case DLT_IEEE802_11_RADIO: 5024 case DLT_PRISM_HEADER: 5025 case DLT_PPI: 5026 eaddr = pcap_ether_hostton(name); 5027 if (eaddr == NULL) 5028 bpf_error( 5029 "unknown 802.11 host '%s'", name); 5030 b = gen_wlanhostop(eaddr, dir); 5031 free(eaddr); 5032 return b; 5033 5034 case DLT_IP_OVER_FC: 5035 eaddr = pcap_ether_hostton(name); 5036 if (eaddr == NULL) 5037 bpf_error( 5038 "unknown Fibre Channel host '%s'", name); 5039 b = gen_ipfchostop(eaddr, dir); 5040 free(eaddr); 5041 return b; 5042 5043 case DLT_SUNATM: 5044 if (!is_lane) 5045 break; 5046 5047 /* 5048 * Check that the packet doesn't begin 5049 * with an LE Control marker. (We've 5050 * already generated a test for LANE.) 5051 */ 5052 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 5053 BPF_H, 0xFF00); 5054 gen_not(tmp); 5055 5056 eaddr = pcap_ether_hostton(name); 5057 if (eaddr == NULL) 5058 bpf_error( 5059 "unknown ether host '%s'", name); 5060 b = gen_ehostop(eaddr, dir); 5061 gen_and(tmp, b); 5062 free(eaddr); 5063 return b; 5064 } 5065 5066 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 5067 } else if (proto == Q_DECNET) { 5068 unsigned short dn_addr = __pcap_nametodnaddr(name); 5069 /* 5070 * I don't think DECNET hosts can be multihomed, so 5071 * there is no need to build up a list of addresses 5072 */ 5073 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 5074 } else { 5075 #ifndef INET6 5076 alist = pcap_nametoaddr(name); 5077 if (alist == NULL || *alist == NULL) 5078 bpf_error("unknown host '%s'", name); 5079 tproto = proto; 5080 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 5081 tproto = Q_IP; 5082 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 5083 while (*alist) { 5084 tmp = gen_host(**alist++, 0xffffffff, 5085 tproto, dir, q.addr); 5086 gen_or(b, tmp); 5087 b = tmp; 5088 } 5089 return b; 5090 #else 5091 memset(&mask128, 0xff, sizeof(mask128)); 5092 res0 = res = pcap_nametoaddrinfo(name); 5093 if (res == NULL) 5094 bpf_error("unknown host '%s'", name); 5095 b = tmp = NULL; 5096 tproto = tproto6 = proto; 5097 if (off_linktype == -1 && tproto == Q_DEFAULT) { 5098 tproto = Q_IP; 5099 tproto6 = Q_IPV6; 5100 } 5101 for (res = res0; res; res = res->ai_next) { 5102 switch (res->ai_family) { 5103 case AF_INET: 5104 if (tproto == Q_IPV6) 5105 continue; 5106 5107 sin4 = (struct sockaddr_in *) 5108 res->ai_addr; 5109 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 5110 0xffffffff, tproto, dir, q.addr); 5111 break; 5112 case AF_INET6: 5113 if (tproto6 == Q_IP) 5114 continue; 5115 5116 sin6 = (struct sockaddr_in6 *) 5117 res->ai_addr; 5118 tmp = gen_host6(&sin6->sin6_addr, 5119 &mask128, tproto6, dir, q.addr); 5120 break; 5121 default: 5122 continue; 5123 } 5124 if (b) 5125 gen_or(b, tmp); 5126 b = tmp; 5127 } 5128 freeaddrinfo(res0); 5129 if (b == NULL) { 5130 bpf_error("unknown host '%s'%s", name, 5131 (proto == Q_DEFAULT) 5132 ? "" 5133 : " for specified address family"); 5134 } 5135 return b; 5136 #endif /*INET6*/ 5137 } 5138 5139 case Q_PORT: 5140 if (proto != Q_DEFAULT && 5141 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 5142 bpf_error("illegal qualifier of 'port'"); 5143 if (pcap_nametoport(name, &port, &real_proto) == 0) 5144 bpf_error("unknown port '%s'", name); 5145 if (proto == Q_UDP) { 5146 if (real_proto == IPPROTO_TCP) 5147 bpf_error("port '%s' is tcp", name); 5148 else if (real_proto == IPPROTO_SCTP) 5149 bpf_error("port '%s' is sctp", name); 5150 else 5151 /* override PROTO_UNDEF */ 5152 real_proto = IPPROTO_UDP; 5153 } 5154 if (proto == Q_TCP) { 5155 if (real_proto == IPPROTO_UDP) 5156 bpf_error("port '%s' is udp", name); 5157 5158 else if (real_proto == IPPROTO_SCTP) 5159 bpf_error("port '%s' is sctp", name); 5160 else 5161 /* override PROTO_UNDEF */ 5162 real_proto = IPPROTO_TCP; 5163 } 5164 if (proto == Q_SCTP) { 5165 if (real_proto == IPPROTO_UDP) 5166 bpf_error("port '%s' is udp", name); 5167 5168 else if (real_proto == IPPROTO_TCP) 5169 bpf_error("port '%s' is tcp", name); 5170 else 5171 /* override PROTO_UNDEF */ 5172 real_proto = IPPROTO_SCTP; 5173 } 5174 #ifndef INET6 5175 return gen_port(port, real_proto, dir); 5176 #else 5177 b = gen_port(port, real_proto, dir); 5178 gen_or(gen_port6(port, real_proto, dir), b); 5179 return b; 5180 #endif /* INET6 */ 5181 5182 case Q_PORTRANGE: 5183 if (proto != Q_DEFAULT && 5184 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 5185 bpf_error("illegal qualifier of 'portrange'"); 5186 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 5187 bpf_error("unknown port in range '%s'", name); 5188 if (proto == Q_UDP) { 5189 if (real_proto == IPPROTO_TCP) 5190 bpf_error("port in range '%s' is tcp", name); 5191 else if (real_proto == IPPROTO_SCTP) 5192 bpf_error("port in range '%s' is sctp", name); 5193 else 5194 /* override PROTO_UNDEF */ 5195 real_proto = IPPROTO_UDP; 5196 } 5197 if (proto == Q_TCP) { 5198 if (real_proto == IPPROTO_UDP) 5199 bpf_error("port in range '%s' is udp", name); 5200 else if (real_proto == IPPROTO_SCTP) 5201 bpf_error("port in range '%s' is sctp", name); 5202 else 5203 /* override PROTO_UNDEF */ 5204 real_proto = IPPROTO_TCP; 5205 } 5206 if (proto == Q_SCTP) { 5207 if (real_proto == IPPROTO_UDP) 5208 bpf_error("port in range '%s' is udp", name); 5209 else if (real_proto == IPPROTO_TCP) 5210 bpf_error("port in range '%s' is tcp", name); 5211 else 5212 /* override PROTO_UNDEF */ 5213 real_proto = IPPROTO_SCTP; 5214 } 5215 #ifndef INET6 5216 return gen_portrange(port1, port2, real_proto, dir); 5217 #else 5218 b = gen_portrange(port1, port2, real_proto, dir); 5219 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 5220 return b; 5221 #endif /* INET6 */ 5222 5223 case Q_GATEWAY: 5224 #ifndef INET6 5225 eaddr = pcap_ether_hostton(name); 5226 if (eaddr == NULL) 5227 bpf_error("unknown ether host: %s", name); 5228 5229 alist = pcap_nametoaddr(name); 5230 if (alist == NULL || *alist == NULL) 5231 bpf_error("unknown host '%s'", name); 5232 b = gen_gateway(eaddr, alist, proto, dir); 5233 free(eaddr); 5234 return b; 5235 #else 5236 bpf_error("'gateway' not supported in this configuration"); 5237 #endif /*INET6*/ 5238 5239 case Q_PROTO: 5240 real_proto = lookup_proto(name, proto); 5241 if (real_proto >= 0) 5242 return gen_proto(real_proto, proto, dir); 5243 else 5244 bpf_error("unknown protocol: %s", name); 5245 5246 case Q_PROTOCHAIN: 5247 real_proto = lookup_proto(name, proto); 5248 if (real_proto >= 0) 5249 return gen_protochain(real_proto, proto, dir); 5250 else 5251 bpf_error("unknown protocol: %s", name); 5252 5253 5254 case Q_UNDEF: 5255 syntax(); 5256 /* NOTREACHED */ 5257 } 5258 abort(); 5259 /* NOTREACHED */ 5260 } 5261 5262 struct block * 5263 gen_mcode(s1, s2, masklen, q) 5264 register const char *s1, *s2; 5265 register int masklen; 5266 struct qual q; 5267 { 5268 register int nlen, mlen; 5269 bpf_u_int32 n, m; 5270 5271 nlen = __pcap_atoin(s1, &n); 5272 /* Promote short ipaddr */ 5273 n <<= 32 - nlen; 5274 5275 if (s2 != NULL) { 5276 mlen = __pcap_atoin(s2, &m); 5277 /* Promote short ipaddr */ 5278 m <<= 32 - mlen; 5279 if ((n & ~m) != 0) 5280 bpf_error("non-network bits set in \"%s mask %s\"", 5281 s1, s2); 5282 } else { 5283 /* Convert mask len to mask */ 5284 if (masklen > 32) 5285 bpf_error("mask length must be <= 32"); 5286 if (masklen == 0) { 5287 /* 5288 * X << 32 is not guaranteed by C to be 0; it's 5289 * undefined. 5290 */ 5291 m = 0; 5292 } else 5293 m = 0xffffffff << (32 - masklen); 5294 if ((n & ~m) != 0) 5295 bpf_error("non-network bits set in \"%s/%d\"", 5296 s1, masklen); 5297 } 5298 5299 switch (q.addr) { 5300 5301 case Q_NET: 5302 return gen_host(n, m, q.proto, q.dir, q.addr); 5303 5304 default: 5305 bpf_error("Mask syntax for networks only"); 5306 /* NOTREACHED */ 5307 } 5308 /* NOTREACHED */ 5309 return NULL; 5310 } 5311 5312 struct block * 5313 gen_ncode(s, v, q) 5314 register const char *s; 5315 bpf_u_int32 v; 5316 struct qual q; 5317 { 5318 bpf_u_int32 mask; 5319 int proto = q.proto; 5320 int dir = q.dir; 5321 register int vlen; 5322 5323 if (s == NULL) 5324 vlen = 32; 5325 else if (q.proto == Q_DECNET) 5326 vlen = __pcap_atodn(s, &v); 5327 else 5328 vlen = __pcap_atoin(s, &v); 5329 5330 switch (q.addr) { 5331 5332 case Q_DEFAULT: 5333 case Q_HOST: 5334 case Q_NET: 5335 if (proto == Q_DECNET) 5336 return gen_host(v, 0, proto, dir, q.addr); 5337 else if (proto == Q_LINK) { 5338 bpf_error("illegal link layer address"); 5339 } else { 5340 mask = 0xffffffff; 5341 if (s == NULL && q.addr == Q_NET) { 5342 /* Promote short net number */ 5343 while (v && (v & 0xff000000) == 0) { 5344 v <<= 8; 5345 mask <<= 8; 5346 } 5347 } else { 5348 /* Promote short ipaddr */ 5349 v <<= 32 - vlen; 5350 mask <<= 32 - vlen; 5351 } 5352 return gen_host(v, mask, proto, dir, q.addr); 5353 } 5354 5355 case Q_PORT: 5356 if (proto == Q_UDP) 5357 proto = IPPROTO_UDP; 5358 else if (proto == Q_TCP) 5359 proto = IPPROTO_TCP; 5360 else if (proto == Q_SCTP) 5361 proto = IPPROTO_SCTP; 5362 else if (proto == Q_DEFAULT) 5363 proto = PROTO_UNDEF; 5364 else 5365 bpf_error("illegal qualifier of 'port'"); 5366 5367 #ifndef INET6 5368 return gen_port((int)v, proto, dir); 5369 #else 5370 { 5371 struct block *b; 5372 b = gen_port((int)v, proto, dir); 5373 gen_or(gen_port6((int)v, proto, dir), b); 5374 return b; 5375 } 5376 #endif /* INET6 */ 5377 5378 case Q_PORTRANGE: 5379 if (proto == Q_UDP) 5380 proto = IPPROTO_UDP; 5381 else if (proto == Q_TCP) 5382 proto = IPPROTO_TCP; 5383 else if (proto == Q_SCTP) 5384 proto = IPPROTO_SCTP; 5385 else if (proto == Q_DEFAULT) 5386 proto = PROTO_UNDEF; 5387 else 5388 bpf_error("illegal qualifier of 'portrange'"); 5389 5390 #ifndef INET6 5391 return gen_portrange((int)v, (int)v, proto, dir); 5392 #else 5393 { 5394 struct block *b; 5395 b = gen_portrange((int)v, (int)v, proto, dir); 5396 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 5397 return b; 5398 } 5399 #endif /* INET6 */ 5400 5401 case Q_GATEWAY: 5402 bpf_error("'gateway' requires a name"); 5403 /* NOTREACHED */ 5404 5405 case Q_PROTO: 5406 return gen_proto((int)v, proto, dir); 5407 5408 case Q_PROTOCHAIN: 5409 return gen_protochain((int)v, proto, dir); 5410 5411 case Q_UNDEF: 5412 syntax(); 5413 /* NOTREACHED */ 5414 5415 default: 5416 abort(); 5417 /* NOTREACHED */ 5418 } 5419 /* NOTREACHED */ 5420 } 5421 5422 #ifdef INET6 5423 struct block * 5424 gen_mcode6(s1, s2, masklen, q) 5425 register const char *s1, *s2; 5426 register int masklen; 5427 struct qual q; 5428 { 5429 struct addrinfo *res; 5430 struct in6_addr *addr; 5431 struct in6_addr mask; 5432 struct block *b; 5433 u_int32_t *a, *m; 5434 5435 if (s2) 5436 bpf_error("no mask %s supported", s2); 5437 5438 res = pcap_nametoaddrinfo(s1); 5439 if (!res) 5440 bpf_error("invalid ip6 address %s", s1); 5441 if (res->ai_next) 5442 bpf_error("%s resolved to multiple address", s1); 5443 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 5444 5445 if (sizeof(mask) * 8 < masklen) 5446 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 5447 memset(&mask, 0, sizeof(mask)); 5448 memset(&mask, 0xff, masklen / 8); 5449 if (masklen % 8) { 5450 mask.s6_addr[masklen / 8] = 5451 (0xff << (8 - masklen % 8)) & 0xff; 5452 } 5453 5454 a = (u_int32_t *)addr; 5455 m = (u_int32_t *)&mask; 5456 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 5457 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 5458 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 5459 } 5460 5461 switch (q.addr) { 5462 5463 case Q_DEFAULT: 5464 case Q_HOST: 5465 if (masklen != 128) 5466 bpf_error("Mask syntax for networks only"); 5467 /* FALLTHROUGH */ 5468 5469 case Q_NET: 5470 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 5471 freeaddrinfo(res); 5472 return b; 5473 5474 default: 5475 bpf_error("invalid qualifier against IPv6 address"); 5476 /* NOTREACHED */ 5477 } 5478 return NULL; 5479 } 5480 #endif /*INET6*/ 5481 5482 struct block * 5483 gen_ecode(eaddr, q) 5484 register const u_char *eaddr; 5485 struct qual q; 5486 { 5487 struct block *b, *tmp; 5488 5489 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 5490 switch (linktype) { 5491 case DLT_EN10MB: 5492 return gen_ehostop(eaddr, (int)q.dir); 5493 case DLT_FDDI: 5494 return gen_fhostop(eaddr, (int)q.dir); 5495 case DLT_IEEE802: 5496 return gen_thostop(eaddr, (int)q.dir); 5497 case DLT_IEEE802_11: 5498 case DLT_IEEE802_11_RADIO_AVS: 5499 case DLT_IEEE802_11_RADIO: 5500 case DLT_PRISM_HEADER: 5501 case DLT_PPI: 5502 return gen_wlanhostop(eaddr, (int)q.dir); 5503 case DLT_SUNATM: 5504 if (is_lane) { 5505 /* 5506 * Check that the packet doesn't begin with an 5507 * LE Control marker. (We've already generated 5508 * a test for LANE.) 5509 */ 5510 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 5511 0xFF00); 5512 gen_not(tmp); 5513 5514 /* 5515 * Now check the MAC address. 5516 */ 5517 b = gen_ehostop(eaddr, (int)q.dir); 5518 gen_and(tmp, b); 5519 return b; 5520 } 5521 break; 5522 case DLT_IP_OVER_FC: 5523 return gen_ipfchostop(eaddr, (int)q.dir); 5524 default: 5525 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 5526 break; 5527 } 5528 } 5529 bpf_error("ethernet address used in non-ether expression"); 5530 /* NOTREACHED */ 5531 return NULL; 5532 } 5533 5534 void 5535 sappend(s0, s1) 5536 struct slist *s0, *s1; 5537 { 5538 /* 5539 * This is definitely not the best way to do this, but the 5540 * lists will rarely get long. 5541 */ 5542 while (s0->next) 5543 s0 = s0->next; 5544 s0->next = s1; 5545 } 5546 5547 static struct slist * 5548 xfer_to_x(a) 5549 struct arth *a; 5550 { 5551 struct slist *s; 5552 5553 s = new_stmt(BPF_LDX|BPF_MEM); 5554 s->s.k = a->regno; 5555 return s; 5556 } 5557 5558 static struct slist * 5559 xfer_to_a(a) 5560 struct arth *a; 5561 { 5562 struct slist *s; 5563 5564 s = new_stmt(BPF_LD|BPF_MEM); 5565 s->s.k = a->regno; 5566 return s; 5567 } 5568 5569 /* 5570 * Modify "index" to use the value stored into its register as an 5571 * offset relative to the beginning of the header for the protocol 5572 * "proto", and allocate a register and put an item "size" bytes long 5573 * (1, 2, or 4) at that offset into that register, making it the register 5574 * for "index". 5575 */ 5576 struct arth * 5577 gen_load(proto, inst, size) 5578 int proto; 5579 struct arth *inst; 5580 int size; 5581 { 5582 struct slist *s, *tmp; 5583 struct block *b; 5584 int regno = alloc_reg(); 5585 5586 free_reg(inst->regno); 5587 switch (size) { 5588 5589 default: 5590 bpf_error("data size must be 1, 2, or 4"); 5591 5592 case 1: 5593 size = BPF_B; 5594 break; 5595 5596 case 2: 5597 size = BPF_H; 5598 break; 5599 5600 case 4: 5601 size = BPF_W; 5602 break; 5603 } 5604 switch (proto) { 5605 default: 5606 bpf_error("unsupported index operation"); 5607 5608 case Q_RADIO: 5609 /* 5610 * The offset is relative to the beginning of the packet 5611 * data, if we have a radio header. (If we don't, this 5612 * is an error.) 5613 */ 5614 if (linktype != DLT_IEEE802_11_RADIO_AVS && 5615 linktype != DLT_IEEE802_11_RADIO && 5616 linktype != DLT_PRISM_HEADER) 5617 bpf_error("radio information not present in capture"); 5618 5619 /* 5620 * Load into the X register the offset computed into the 5621 * register specifed by "index". 5622 */ 5623 s = xfer_to_x(inst); 5624 5625 /* 5626 * Load the item at that offset. 5627 */ 5628 tmp = new_stmt(BPF_LD|BPF_IND|size); 5629 sappend(s, tmp); 5630 sappend(inst->s, s); 5631 break; 5632 5633 case Q_LINK: 5634 /* 5635 * The offset is relative to the beginning of 5636 * the link-layer header. 5637 * 5638 * XXX - what about ATM LANE? Should the index be 5639 * relative to the beginning of the AAL5 frame, so 5640 * that 0 refers to the beginning of the LE Control 5641 * field, or relative to the beginning of the LAN 5642 * frame, so that 0 refers, for Ethernet LANE, to 5643 * the beginning of the destination address? 5644 */ 5645 s = gen_llprefixlen(); 5646 5647 /* 5648 * If "s" is non-null, it has code to arrange that the 5649 * X register contains the length of the prefix preceding 5650 * the link-layer header. Add to it the offset computed 5651 * into the register specified by "index", and move that 5652 * into the X register. Otherwise, just load into the X 5653 * register the offset computed into the register specifed 5654 * by "index". 5655 */ 5656 if (s != NULL) { 5657 sappend(s, xfer_to_a(inst)); 5658 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5659 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5660 } else 5661 s = xfer_to_x(inst); 5662 5663 /* 5664 * Load the item at the sum of the offset we've put in the 5665 * X register and the offset of the start of the link 5666 * layer header (which is 0 if the radio header is 5667 * variable-length; that header length is what we put 5668 * into the X register and then added to the index). 5669 */ 5670 tmp = new_stmt(BPF_LD|BPF_IND|size); 5671 tmp->s.k = off_ll; 5672 sappend(s, tmp); 5673 sappend(inst->s, s); 5674 break; 5675 5676 case Q_IP: 5677 case Q_ARP: 5678 case Q_RARP: 5679 case Q_ATALK: 5680 case Q_DECNET: 5681 case Q_SCA: 5682 case Q_LAT: 5683 case Q_MOPRC: 5684 case Q_MOPDL: 5685 #ifdef INET6 5686 case Q_IPV6: 5687 #endif 5688 /* 5689 * The offset is relative to the beginning of 5690 * the network-layer header. 5691 * XXX - are there any cases where we want 5692 * off_nl_nosnap? 5693 */ 5694 s = gen_llprefixlen(); 5695 5696 /* 5697 * If "s" is non-null, it has code to arrange that the 5698 * X register contains the length of the prefix preceding 5699 * the link-layer header. Add to it the offset computed 5700 * into the register specified by "index", and move that 5701 * into the X register. Otherwise, just load into the X 5702 * register the offset computed into the register specifed 5703 * by "index". 5704 */ 5705 if (s != NULL) { 5706 sappend(s, xfer_to_a(inst)); 5707 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5708 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5709 } else 5710 s = xfer_to_x(inst); 5711 5712 /* 5713 * Load the item at the sum of the offset we've put in the 5714 * X register, the offset of the start of the network 5715 * layer header, and the offset of the start of the link 5716 * layer header (which is 0 if the radio header is 5717 * variable-length; that header length is what we put 5718 * into the X register and then added to the index). 5719 */ 5720 tmp = new_stmt(BPF_LD|BPF_IND|size); 5721 tmp->s.k = off_ll + off_nl; 5722 sappend(s, tmp); 5723 sappend(inst->s, s); 5724 5725 /* 5726 * Do the computation only if the packet contains 5727 * the protocol in question. 5728 */ 5729 b = gen_proto_abbrev(proto); 5730 if (inst->b) 5731 gen_and(inst->b, b); 5732 inst->b = b; 5733 break; 5734 5735 case Q_SCTP: 5736 case Q_TCP: 5737 case Q_UDP: 5738 case Q_ICMP: 5739 case Q_IGMP: 5740 case Q_IGRP: 5741 case Q_PIM: 5742 case Q_VRRP: 5743 /* 5744 * The offset is relative to the beginning of 5745 * the transport-layer header. 5746 * 5747 * Load the X register with the length of the IPv4 header 5748 * (plus the offset of the link-layer header, if it's 5749 * a variable-length header), in bytes. 5750 * 5751 * XXX - are there any cases where we want 5752 * off_nl_nosnap? 5753 * XXX - we should, if we're built with 5754 * IPv6 support, generate code to load either 5755 * IPv4, IPv6, or both, as appropriate. 5756 */ 5757 s = gen_loadx_iphdrlen(); 5758 5759 /* 5760 * The X register now contains the sum of the length 5761 * of any variable-length header preceding the link-layer 5762 * header and the length of the network-layer header. 5763 * Load into the A register the offset relative to 5764 * the beginning of the transport layer header, 5765 * add the X register to that, move that to the 5766 * X register, and load with an offset from the 5767 * X register equal to the offset of the network 5768 * layer header relative to the beginning of 5769 * the link-layer header plus the length of any 5770 * fixed-length header preceding the link-layer 5771 * header. 5772 */ 5773 sappend(s, xfer_to_a(inst)); 5774 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 5775 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 5776 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 5777 tmp->s.k = off_ll + off_nl; 5778 sappend(inst->s, s); 5779 5780 /* 5781 * Do the computation only if the packet contains 5782 * the protocol in question - which is true only 5783 * if this is an IP datagram and is the first or 5784 * only fragment of that datagram. 5785 */ 5786 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 5787 if (inst->b) 5788 gen_and(inst->b, b); 5789 #ifdef INET6 5790 gen_and(gen_proto_abbrev(Q_IP), b); 5791 #endif 5792 inst->b = b; 5793 break; 5794 #ifdef INET6 5795 case Q_ICMPV6: 5796 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 5797 /*NOTREACHED*/ 5798 #endif 5799 } 5800 inst->regno = regno; 5801 s = new_stmt(BPF_ST); 5802 s->s.k = regno; 5803 sappend(inst->s, s); 5804 5805 return inst; 5806 } 5807 5808 struct block * 5809 gen_relation(code, a0, a1, reversed) 5810 int code; 5811 struct arth *a0, *a1; 5812 int reversed; 5813 { 5814 struct slist *s0, *s1, *s2; 5815 struct block *b, *tmp; 5816 5817 s0 = xfer_to_x(a1); 5818 s1 = xfer_to_a(a0); 5819 if (code == BPF_JEQ) { 5820 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 5821 b = new_block(JMP(code)); 5822 sappend(s1, s2); 5823 } 5824 else 5825 b = new_block(BPF_JMP|code|BPF_X); 5826 if (reversed) 5827 gen_not(b); 5828 5829 sappend(s0, s1); 5830 sappend(a1->s, s0); 5831 sappend(a0->s, a1->s); 5832 5833 b->stmts = a0->s; 5834 5835 free_reg(a0->regno); 5836 free_reg(a1->regno); 5837 5838 /* 'and' together protocol checks */ 5839 if (a0->b) { 5840 if (a1->b) { 5841 gen_and(a0->b, tmp = a1->b); 5842 } 5843 else 5844 tmp = a0->b; 5845 } else 5846 tmp = a1->b; 5847 5848 if (tmp) 5849 gen_and(tmp, b); 5850 5851 return b; 5852 } 5853 5854 struct arth * 5855 gen_loadlen() 5856 { 5857 int regno = alloc_reg(); 5858 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 5859 struct slist *s; 5860 5861 s = new_stmt(BPF_LD|BPF_LEN); 5862 s->next = new_stmt(BPF_ST); 5863 s->next->s.k = regno; 5864 a->s = s; 5865 a->regno = regno; 5866 5867 return a; 5868 } 5869 5870 struct arth * 5871 gen_loadi(val) 5872 int val; 5873 { 5874 struct arth *a; 5875 struct slist *s; 5876 int reg; 5877 5878 a = (struct arth *)newchunk(sizeof(*a)); 5879 5880 reg = alloc_reg(); 5881 5882 s = new_stmt(BPF_LD|BPF_IMM); 5883 s->s.k = val; 5884 s->next = new_stmt(BPF_ST); 5885 s->next->s.k = reg; 5886 a->s = s; 5887 a->regno = reg; 5888 5889 return a; 5890 } 5891 5892 struct arth * 5893 gen_neg(a) 5894 struct arth *a; 5895 { 5896 struct slist *s; 5897 5898 s = xfer_to_a(a); 5899 sappend(a->s, s); 5900 s = new_stmt(BPF_ALU|BPF_NEG); 5901 s->s.k = 0; 5902 sappend(a->s, s); 5903 s = new_stmt(BPF_ST); 5904 s->s.k = a->regno; 5905 sappend(a->s, s); 5906 5907 return a; 5908 } 5909 5910 struct arth * 5911 gen_arth(code, a0, a1) 5912 int code; 5913 struct arth *a0, *a1; 5914 { 5915 struct slist *s0, *s1, *s2; 5916 5917 s0 = xfer_to_x(a1); 5918 s1 = xfer_to_a(a0); 5919 s2 = new_stmt(BPF_ALU|BPF_X|code); 5920 5921 sappend(s1, s2); 5922 sappend(s0, s1); 5923 sappend(a1->s, s0); 5924 sappend(a0->s, a1->s); 5925 5926 free_reg(a0->regno); 5927 free_reg(a1->regno); 5928 5929 s0 = new_stmt(BPF_ST); 5930 a0->regno = s0->s.k = alloc_reg(); 5931 sappend(a0->s, s0); 5932 5933 return a0; 5934 } 5935 5936 /* 5937 * Here we handle simple allocation of the scratch registers. 5938 * If too many registers are alloc'd, the allocator punts. 5939 */ 5940 static int regused[BPF_MEMWORDS]; 5941 static int curreg; 5942 5943 /* 5944 * Return the next free register. 5945 */ 5946 static int 5947 alloc_reg() 5948 { 5949 int n = BPF_MEMWORDS; 5950 5951 while (--n >= 0) { 5952 if (regused[curreg]) 5953 curreg = (curreg + 1) % BPF_MEMWORDS; 5954 else { 5955 regused[curreg] = 1; 5956 return curreg; 5957 } 5958 } 5959 bpf_error("too many registers needed to evaluate expression"); 5960 /* NOTREACHED */ 5961 return 0; 5962 } 5963 5964 /* 5965 * Return a register to the table so it can 5966 * be used later. 5967 */ 5968 static void 5969 free_reg(n) 5970 int n; 5971 { 5972 regused[n] = 0; 5973 } 5974 5975 static struct block * 5976 gen_len(jmp, n) 5977 int jmp, n; 5978 { 5979 struct slist *s; 5980 struct block *b; 5981 5982 s = new_stmt(BPF_LD|BPF_LEN); 5983 b = new_block(JMP(jmp)); 5984 b->stmts = s; 5985 b->s.k = n; 5986 5987 return b; 5988 } 5989 5990 struct block * 5991 gen_greater(n) 5992 int n; 5993 { 5994 return gen_len(BPF_JGE, n); 5995 } 5996 5997 /* 5998 * Actually, this is less than or equal. 5999 */ 6000 struct block * 6001 gen_less(n) 6002 int n; 6003 { 6004 struct block *b; 6005 6006 b = gen_len(BPF_JGT, n); 6007 gen_not(b); 6008 6009 return b; 6010 } 6011 6012 /* 6013 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 6014 * the beginning of the link-layer header. 6015 * XXX - that means you can't test values in the radiotap header, but 6016 * as that header is difficult if not impossible to parse generally 6017 * without a loop, that might not be a severe problem. A new keyword 6018 * "radio" could be added for that, although what you'd really want 6019 * would be a way of testing particular radio header values, which 6020 * would generate code appropriate to the radio header in question. 6021 */ 6022 struct block * 6023 gen_byteop(op, idx, val) 6024 int op, idx, val; 6025 { 6026 struct block *b; 6027 struct slist *s; 6028 6029 switch (op) { 6030 default: 6031 abort(); 6032 6033 case '=': 6034 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6035 6036 case '<': 6037 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6038 return b; 6039 6040 case '>': 6041 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 6042 return b; 6043 6044 case '|': 6045 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 6046 break; 6047 6048 case '&': 6049 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 6050 break; 6051 } 6052 s->s.k = val; 6053 b = new_block(JMP(BPF_JEQ)); 6054 b->stmts = s; 6055 gen_not(b); 6056 6057 return b; 6058 } 6059 6060 static u_char abroadcast[] = { 0x0 }; 6061 6062 struct block * 6063 gen_broadcast(proto) 6064 int proto; 6065 { 6066 bpf_u_int32 hostmask; 6067 struct block *b0, *b1, *b2; 6068 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 6069 6070 switch (proto) { 6071 6072 case Q_DEFAULT: 6073 case Q_LINK: 6074 switch (linktype) { 6075 case DLT_ARCNET: 6076 case DLT_ARCNET_LINUX: 6077 return gen_ahostop(abroadcast, Q_DST); 6078 case DLT_EN10MB: 6079 return gen_ehostop(ebroadcast, Q_DST); 6080 case DLT_FDDI: 6081 return gen_fhostop(ebroadcast, Q_DST); 6082 case DLT_IEEE802: 6083 return gen_thostop(ebroadcast, Q_DST); 6084 case DLT_IEEE802_11: 6085 case DLT_IEEE802_11_RADIO_AVS: 6086 case DLT_IEEE802_11_RADIO: 6087 case DLT_PPI: 6088 case DLT_PRISM_HEADER: 6089 return gen_wlanhostop(ebroadcast, Q_DST); 6090 case DLT_IP_OVER_FC: 6091 return gen_ipfchostop(ebroadcast, Q_DST); 6092 case DLT_SUNATM: 6093 if (is_lane) { 6094 /* 6095 * Check that the packet doesn't begin with an 6096 * LE Control marker. (We've already generated 6097 * a test for LANE.) 6098 */ 6099 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6100 0xFF00); 6101 gen_not(b1); 6102 6103 /* 6104 * Now check the MAC address. 6105 */ 6106 b0 = gen_ehostop(ebroadcast, Q_DST); 6107 gen_and(b1, b0); 6108 return b0; 6109 } 6110 break; 6111 default: 6112 bpf_error("not a broadcast link"); 6113 } 6114 break; 6115 6116 case Q_IP: 6117 b0 = gen_linktype(ETHERTYPE_IP); 6118 hostmask = ~netmask; 6119 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 6120 b2 = gen_mcmp(OR_NET, 16, BPF_W, 6121 (bpf_int32)(~0 & hostmask), hostmask); 6122 gen_or(b1, b2); 6123 gen_and(b0, b2); 6124 return b2; 6125 } 6126 bpf_error("only link-layer/IP broadcast filters supported"); 6127 /* NOTREACHED */ 6128 return NULL; 6129 } 6130 6131 /* 6132 * Generate code to test the low-order bit of a MAC address (that's 6133 * the bottom bit of the *first* byte). 6134 */ 6135 static struct block * 6136 gen_mac_multicast(offset) 6137 int offset; 6138 { 6139 register struct block *b0; 6140 register struct slist *s; 6141 6142 /* link[offset] & 1 != 0 */ 6143 s = gen_load_a(OR_LINK, offset, BPF_B); 6144 b0 = new_block(JMP(BPF_JSET)); 6145 b0->s.k = 1; 6146 b0->stmts = s; 6147 return b0; 6148 } 6149 6150 struct block * 6151 gen_multicast(proto) 6152 int proto; 6153 { 6154 register struct block *b0, *b1, *b2; 6155 register struct slist *s; 6156 6157 switch (proto) { 6158 6159 case Q_DEFAULT: 6160 case Q_LINK: 6161 switch (linktype) { 6162 case DLT_ARCNET: 6163 case DLT_ARCNET_LINUX: 6164 /* all ARCnet multicasts use the same address */ 6165 return gen_ahostop(abroadcast, Q_DST); 6166 case DLT_EN10MB: 6167 /* ether[0] & 1 != 0 */ 6168 return gen_mac_multicast(0); 6169 case DLT_FDDI: 6170 /* 6171 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 6172 * 6173 * XXX - was that referring to bit-order issues? 6174 */ 6175 /* fddi[1] & 1 != 0 */ 6176 return gen_mac_multicast(1); 6177 case DLT_IEEE802: 6178 /* tr[2] & 1 != 0 */ 6179 return gen_mac_multicast(2); 6180 case DLT_IEEE802_11: 6181 case DLT_IEEE802_11_RADIO_AVS: 6182 case DLT_PPI: 6183 case DLT_IEEE802_11_RADIO: 6184 case DLT_PRISM_HEADER: 6185 /* 6186 * Oh, yuk. 6187 * 6188 * For control frames, there is no DA. 6189 * 6190 * For management frames, DA is at an 6191 * offset of 4 from the beginning of 6192 * the packet. 6193 * 6194 * For data frames, DA is at an offset 6195 * of 4 from the beginning of the packet 6196 * if To DS is clear and at an offset of 6197 * 16 from the beginning of the packet 6198 * if To DS is set. 6199 */ 6200 6201 /* 6202 * Generate the tests to be done for data frames. 6203 * 6204 * First, check for To DS set, i.e. "link[1] & 0x01". 6205 */ 6206 s = gen_load_a(OR_LINK, 1, BPF_B); 6207 b1 = new_block(JMP(BPF_JSET)); 6208 b1->s.k = 0x01; /* To DS */ 6209 b1->stmts = s; 6210 6211 /* 6212 * If To DS is set, the DA is at 16. 6213 */ 6214 b0 = gen_mac_multicast(16); 6215 gen_and(b1, b0); 6216 6217 /* 6218 * Now, check for To DS not set, i.e. check 6219 * "!(link[1] & 0x01)". 6220 */ 6221 s = gen_load_a(OR_LINK, 1, BPF_B); 6222 b2 = new_block(JMP(BPF_JSET)); 6223 b2->s.k = 0x01; /* To DS */ 6224 b2->stmts = s; 6225 gen_not(b2); 6226 6227 /* 6228 * If To DS is not set, the DA is at 4. 6229 */ 6230 b1 = gen_mac_multicast(4); 6231 gen_and(b2, b1); 6232 6233 /* 6234 * Now OR together the last two checks. That gives 6235 * the complete set of checks for data frames. 6236 */ 6237 gen_or(b1, b0); 6238 6239 /* 6240 * Now check for a data frame. 6241 * I.e, check "link[0] & 0x08". 6242 */ 6243 s = gen_load_a(OR_LINK, 0, BPF_B); 6244 b1 = new_block(JMP(BPF_JSET)); 6245 b1->s.k = 0x08; 6246 b1->stmts = s; 6247 6248 /* 6249 * AND that with the checks done for data frames. 6250 */ 6251 gen_and(b1, b0); 6252 6253 /* 6254 * If the high-order bit of the type value is 0, this 6255 * is a management frame. 6256 * I.e, check "!(link[0] & 0x08)". 6257 */ 6258 s = gen_load_a(OR_LINK, 0, BPF_B); 6259 b2 = new_block(JMP(BPF_JSET)); 6260 b2->s.k = 0x08; 6261 b2->stmts = s; 6262 gen_not(b2); 6263 6264 /* 6265 * For management frames, the DA is at 4. 6266 */ 6267 b1 = gen_mac_multicast(4); 6268 gen_and(b2, b1); 6269 6270 /* 6271 * OR that with the checks done for data frames. 6272 * That gives the checks done for management and 6273 * data frames. 6274 */ 6275 gen_or(b1, b0); 6276 6277 /* 6278 * If the low-order bit of the type value is 1, 6279 * this is either a control frame or a frame 6280 * with a reserved type, and thus not a 6281 * frame with an SA. 6282 * 6283 * I.e., check "!(link[0] & 0x04)". 6284 */ 6285 s = gen_load_a(OR_LINK, 0, BPF_B); 6286 b1 = new_block(JMP(BPF_JSET)); 6287 b1->s.k = 0x04; 6288 b1->stmts = s; 6289 gen_not(b1); 6290 6291 /* 6292 * AND that with the checks for data and management 6293 * frames. 6294 */ 6295 gen_and(b1, b0); 6296 return b0; 6297 case DLT_IP_OVER_FC: 6298 b0 = gen_mac_multicast(2); 6299 return b0; 6300 case DLT_SUNATM: 6301 if (is_lane) { 6302 /* 6303 * Check that the packet doesn't begin with an 6304 * LE Control marker. (We've already generated 6305 * a test for LANE.) 6306 */ 6307 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6308 0xFF00); 6309 gen_not(b1); 6310 6311 /* ether[off_mac] & 1 != 0 */ 6312 b0 = gen_mac_multicast(off_mac); 6313 gen_and(b1, b0); 6314 return b0; 6315 } 6316 break; 6317 default: 6318 break; 6319 } 6320 /* Link not known to support multicasts */ 6321 break; 6322 6323 case Q_IP: 6324 b0 = gen_linktype(ETHERTYPE_IP); 6325 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 6326 gen_and(b0, b1); 6327 return b1; 6328 6329 #ifdef INET6 6330 case Q_IPV6: 6331 b0 = gen_linktype(ETHERTYPE_IPV6); 6332 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 6333 gen_and(b0, b1); 6334 return b1; 6335 #endif /* INET6 */ 6336 } 6337 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 6338 /* NOTREACHED */ 6339 return NULL; 6340 } 6341 6342 /* 6343 * generate command for inbound/outbound. It's here so we can 6344 * make it link-type specific. 'dir' = 0 implies "inbound", 6345 * = 1 implies "outbound". 6346 */ 6347 struct block * 6348 gen_inbound(dir) 6349 int dir; 6350 { 6351 register struct block *b0; 6352 6353 /* 6354 * Only some data link types support inbound/outbound qualifiers. 6355 */ 6356 switch (linktype) { 6357 case DLT_SLIP: 6358 b0 = gen_relation(BPF_JEQ, 6359 gen_load(Q_LINK, gen_loadi(0), 1), 6360 gen_loadi(0), 6361 dir); 6362 break; 6363 6364 case DLT_LINUX_SLL: 6365 if (dir) { 6366 /* 6367 * Match packets sent by this machine. 6368 */ 6369 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 6370 } else { 6371 /* 6372 * Match packets sent to this machine. 6373 * (No broadcast or multicast packets, or 6374 * packets sent to some other machine and 6375 * received promiscuously.) 6376 * 6377 * XXX - packets sent to other machines probably 6378 * shouldn't be matched, but what about broadcast 6379 * or multicast packets we received? 6380 */ 6381 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST); 6382 } 6383 break; 6384 6385 #ifdef HAVE_NET_PFVAR_H 6386 case DLT_PFLOG: 6387 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 6388 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 6389 break; 6390 #endif 6391 6392 case DLT_PPP_PPPD: 6393 if (dir) { 6394 /* match outgoing packets */ 6395 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 6396 } else { 6397 /* match incoming packets */ 6398 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 6399 } 6400 break; 6401 6402 case DLT_JUNIPER_MFR: 6403 case DLT_JUNIPER_MLFR: 6404 case DLT_JUNIPER_MLPPP: 6405 case DLT_JUNIPER_ATM1: 6406 case DLT_JUNIPER_ATM2: 6407 case DLT_JUNIPER_PPPOE: 6408 case DLT_JUNIPER_PPPOE_ATM: 6409 case DLT_JUNIPER_GGSN: 6410 case DLT_JUNIPER_ES: 6411 case DLT_JUNIPER_MONITOR: 6412 case DLT_JUNIPER_SERVICES: 6413 case DLT_JUNIPER_ETHER: 6414 case DLT_JUNIPER_PPP: 6415 case DLT_JUNIPER_FRELAY: 6416 case DLT_JUNIPER_CHDLC: 6417 case DLT_JUNIPER_VP: 6418 /* juniper flags (including direction) are stored 6419 * the byte after the 3-byte magic number */ 6420 if (dir) { 6421 /* match outgoing packets */ 6422 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 6423 } else { 6424 /* match incoming packets */ 6425 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 6426 } 6427 break; 6428 6429 default: 6430 bpf_error("inbound/outbound not supported on linktype %d", 6431 linktype); 6432 b0 = NULL; 6433 /* NOTREACHED */ 6434 } 6435 return (b0); 6436 } 6437 6438 #ifdef HAVE_NET_PFVAR_H 6439 /* PF firewall log matched interface */ 6440 struct block * 6441 gen_pf_ifname(const char *ifname) 6442 { 6443 struct block *b0; 6444 u_int len, off; 6445 6446 if (linktype == DLT_PFLOG) { 6447 len = sizeof(((struct pfloghdr *)0)->ifname); 6448 off = offsetof(struct pfloghdr, ifname); 6449 } else { 6450 bpf_error("ifname not supported on linktype 0x%x", linktype); 6451 /* NOTREACHED */ 6452 } 6453 if (strlen(ifname) >= len) { 6454 bpf_error("ifname interface names can only be %d characters", 6455 len-1); 6456 /* NOTREACHED */ 6457 } 6458 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 6459 return (b0); 6460 } 6461 6462 /* PF firewall log ruleset name */ 6463 struct block * 6464 gen_pf_ruleset(char *ruleset) 6465 { 6466 struct block *b0; 6467 6468 if (linktype != DLT_PFLOG) { 6469 bpf_error("ruleset not supported on linktype 0x%x", linktype); 6470 /* NOTREACHED */ 6471 } 6472 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 6473 bpf_error("ruleset names can only be %ld characters", 6474 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 6475 /* NOTREACHED */ 6476 } 6477 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 6478 strlen(ruleset), (const u_char *)ruleset); 6479 return (b0); 6480 } 6481 6482 /* PF firewall log rule number */ 6483 struct block * 6484 gen_pf_rnr(int rnr) 6485 { 6486 struct block *b0; 6487 6488 if (linktype == DLT_PFLOG) { 6489 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 6490 (bpf_int32)rnr); 6491 } else { 6492 bpf_error("rnr not supported on linktype 0x%x", linktype); 6493 /* NOTREACHED */ 6494 } 6495 6496 return (b0); 6497 } 6498 6499 /* PF firewall log sub-rule number */ 6500 struct block * 6501 gen_pf_srnr(int srnr) 6502 { 6503 struct block *b0; 6504 6505 if (linktype != DLT_PFLOG) { 6506 bpf_error("srnr not supported on linktype 0x%x", linktype); 6507 /* NOTREACHED */ 6508 } 6509 6510 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 6511 (bpf_int32)srnr); 6512 return (b0); 6513 } 6514 6515 /* PF firewall log reason code */ 6516 struct block * 6517 gen_pf_reason(int reason) 6518 { 6519 struct block *b0; 6520 6521 if (linktype == DLT_PFLOG) { 6522 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 6523 (bpf_int32)reason); 6524 } else { 6525 bpf_error("reason not supported on linktype 0x%x", linktype); 6526 /* NOTREACHED */ 6527 } 6528 6529 return (b0); 6530 } 6531 6532 /* PF firewall log action */ 6533 struct block * 6534 gen_pf_action(int action) 6535 { 6536 struct block *b0; 6537 6538 if (linktype == DLT_PFLOG) { 6539 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 6540 (bpf_int32)action); 6541 } else { 6542 bpf_error("action not supported on linktype 0x%x", linktype); 6543 /* NOTREACHED */ 6544 } 6545 6546 return (b0); 6547 } 6548 #else /* !HAVE_NET_PFVAR_H */ 6549 struct block * 6550 gen_pf_ifname(const char *ifname) 6551 { 6552 bpf_error("libpcap was compiled without pf support"); 6553 /* NOTREACHED */ 6554 return (NULL); 6555 } 6556 6557 struct block * 6558 gen_pf_ruleset(char *ruleset) 6559 { 6560 bpf_error("libpcap was compiled on a machine without pf support"); 6561 /* NOTREACHED */ 6562 return (NULL); 6563 } 6564 6565 struct block * 6566 gen_pf_rnr(int rnr) 6567 { 6568 bpf_error("libpcap was compiled on a machine without pf support"); 6569 /* NOTREACHED */ 6570 return (NULL); 6571 } 6572 6573 struct block * 6574 gen_pf_srnr(int srnr) 6575 { 6576 bpf_error("libpcap was compiled on a machine without pf support"); 6577 /* NOTREACHED */ 6578 return (NULL); 6579 } 6580 6581 struct block * 6582 gen_pf_reason(int reason) 6583 { 6584 bpf_error("libpcap was compiled on a machine without pf support"); 6585 /* NOTREACHED */ 6586 return (NULL); 6587 } 6588 6589 struct block * 6590 gen_pf_action(int action) 6591 { 6592 bpf_error("libpcap was compiled on a machine without pf support"); 6593 /* NOTREACHED */ 6594 return (NULL); 6595 } 6596 #endif /* HAVE_NET_PFVAR_H */ 6597 6598 struct block * 6599 gen_acode(eaddr, q) 6600 register const u_char *eaddr; 6601 struct qual q; 6602 { 6603 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6604 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX) 6605 return gen_ahostop(eaddr, (int)q.dir); 6606 } 6607 bpf_error("ARCnet address used in non-arc expression"); 6608 /* NOTREACHED */ 6609 return NULL; 6610 } 6611 6612 static struct block * 6613 gen_ahostop(eaddr, dir) 6614 register const u_char *eaddr; 6615 register int dir; 6616 { 6617 register struct block *b0, *b1; 6618 6619 switch (dir) { 6620 /* src comes first, different from Ethernet */ 6621 case Q_SRC: 6622 return gen_bcmp(OR_LINK, 0, 1, eaddr); 6623 6624 case Q_DST: 6625 return gen_bcmp(OR_LINK, 1, 1, eaddr); 6626 6627 case Q_AND: 6628 b0 = gen_ahostop(eaddr, Q_SRC); 6629 b1 = gen_ahostop(eaddr, Q_DST); 6630 gen_and(b0, b1); 6631 return b1; 6632 6633 case Q_DEFAULT: 6634 case Q_OR: 6635 b0 = gen_ahostop(eaddr, Q_SRC); 6636 b1 = gen_ahostop(eaddr, Q_DST); 6637 gen_or(b0, b1); 6638 return b1; 6639 } 6640 abort(); 6641 /* NOTREACHED */ 6642 } 6643 6644 /* 6645 * support IEEE 802.1Q VLAN trunk over ethernet 6646 */ 6647 struct block * 6648 gen_vlan(vlan_num) 6649 int vlan_num; 6650 { 6651 struct block *b0, *b1; 6652 6653 /* can't check for VLAN-encapsulated packets inside MPLS */ 6654 if (label_stack_depth > 0) 6655 bpf_error("no VLAN match after MPLS"); 6656 6657 /* 6658 * Change the offsets to point to the type and data fields within 6659 * the VLAN packet. Just increment the offsets, so that we 6660 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to 6661 * capture VLAN 200 encapsulated within VLAN 100. 6662 * 6663 * XXX - this is a bit of a kludge. If we were to split the 6664 * compiler into a parser that parses an expression and 6665 * generates an expression tree, and a code generator that 6666 * takes an expression tree (which could come from our 6667 * parser or from some other parser) and generates BPF code, 6668 * we could perhaps make the offsets parameters of routines 6669 * and, in the handler for an "AND" node, pass to subnodes 6670 * other than the VLAN node the adjusted offsets. 6671 * 6672 * This would mean that "vlan" would, instead of changing the 6673 * behavior of *all* tests after it, change only the behavior 6674 * of tests ANDed with it. That would change the documented 6675 * semantics of "vlan", which might break some expressions. 6676 * However, it would mean that "(vlan and ip) or ip" would check 6677 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 6678 * checking only for VLAN-encapsulated IP, so that could still 6679 * be considered worth doing; it wouldn't break expressions 6680 * that are of the form "vlan and ..." or "vlan N and ...", 6681 * which I suspect are the most common expressions involving 6682 * "vlan". "vlan or ..." doesn't necessarily do what the user 6683 * would really want, now, as all the "or ..." tests would 6684 * be done assuming a VLAN, even though the "or" could be viewed 6685 * as meaning "or, if this isn't a VLAN packet...". 6686 */ 6687 orig_linktype = off_linktype; /* save original values */ 6688 orig_nl = off_nl; 6689 6690 switch (linktype) { 6691 6692 case DLT_EN10MB: 6693 off_linktype += 4; 6694 off_nl_nosnap += 4; 6695 off_nl += 4; 6696 break; 6697 6698 default: 6699 bpf_error("no VLAN support for data link type %d", 6700 linktype); 6701 /*NOTREACHED*/ 6702 } 6703 6704 /* check for VLAN */ 6705 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q); 6706 6707 /* If a specific VLAN is requested, check VLAN id */ 6708 if (vlan_num >= 0) { 6709 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num, 6710 0x0fff); 6711 gen_and(b0, b1); 6712 b0 = b1; 6713 } 6714 6715 return (b0); 6716 } 6717 6718 /* 6719 * support for MPLS 6720 */ 6721 struct block * 6722 gen_mpls(label_num) 6723 int label_num; 6724 { 6725 struct block *b0,*b1; 6726 6727 /* 6728 * Change the offsets to point to the type and data fields within 6729 * the MPLS packet. Just increment the offsets, so that we 6730 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 6731 * capture packets with an outer label of 100000 and an inner 6732 * label of 1024. 6733 * 6734 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 6735 */ 6736 orig_nl = off_nl; 6737 6738 if (label_stack_depth > 0) { 6739 /* just match the bottom-of-stack bit clear */ 6740 b0 = gen_mcmp(OR_LINK, orig_nl-2, BPF_B, 0, 0x01); 6741 } else { 6742 /* 6743 * Indicate that we're checking MPLS-encapsulated headers, 6744 * to make sure higher level code generators don't try to 6745 * match against IP-related protocols such as Q_ARP, Q_RARP 6746 * etc. 6747 */ 6748 switch (linktype) { 6749 6750 case DLT_C_HDLC: /* fall through */ 6751 case DLT_EN10MB: 6752 b0 = gen_linktype(ETHERTYPE_MPLS); 6753 break; 6754 6755 case DLT_PPP: 6756 b0 = gen_linktype(PPP_MPLS_UCAST); 6757 break; 6758 6759 /* FIXME add other DLT_s ... 6760 * for Frame-Relay/and ATM this may get messy due to SNAP headers 6761 * leave it for now */ 6762 6763 default: 6764 bpf_error("no MPLS support for data link type %d", 6765 linktype); 6766 b0 = NULL; 6767 /*NOTREACHED*/ 6768 break; 6769 } 6770 } 6771 6772 /* If a specific MPLS label is requested, check it */ 6773 if (label_num >= 0) { 6774 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 6775 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num, 6776 0xfffff000); /* only compare the first 20 bits */ 6777 gen_and(b0, b1); 6778 b0 = b1; 6779 } 6780 6781 off_nl_nosnap += 4; 6782 off_nl += 4; 6783 label_stack_depth++; 6784 return (b0); 6785 } 6786 6787 /* 6788 * Support PPPOE discovery and session. 6789 */ 6790 struct block * 6791 gen_pppoed() 6792 { 6793 /* check for PPPoE discovery */ 6794 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 6795 } 6796 6797 struct block * 6798 gen_pppoes() 6799 { 6800 struct block *b0; 6801 6802 /* 6803 * Test against the PPPoE session link-layer type. 6804 */ 6805 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 6806 6807 /* 6808 * Change the offsets to point to the type and data fields within 6809 * the PPP packet. 6810 * 6811 * XXX - this is a bit of a kludge. If we were to split the 6812 * compiler into a parser that parses an expression and 6813 * generates an expression tree, and a code generator that 6814 * takes an expression tree (which could come from our 6815 * parser or from some other parser) and generates BPF code, 6816 * we could perhaps make the offsets parameters of routines 6817 * and, in the handler for an "AND" node, pass to subnodes 6818 * other than the PPPoE node the adjusted offsets. 6819 * 6820 * This would mean that "pppoes" would, instead of changing the 6821 * behavior of *all* tests after it, change only the behavior 6822 * of tests ANDed with it. That would change the documented 6823 * semantics of "pppoes", which might break some expressions. 6824 * However, it would mean that "(pppoes and ip) or ip" would check 6825 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 6826 * checking only for VLAN-encapsulated IP, so that could still 6827 * be considered worth doing; it wouldn't break expressions 6828 * that are of the form "pppoes and ..." which I suspect are the 6829 * most common expressions involving "pppoes". "pppoes or ..." 6830 * doesn't necessarily do what the user would really want, now, 6831 * as all the "or ..." tests would be done assuming PPPoE, even 6832 * though the "or" could be viewed as meaning "or, if this isn't 6833 * a PPPoE packet...". 6834 */ 6835 orig_linktype = off_linktype; /* save original values */ 6836 orig_nl = off_nl; 6837 6838 /* 6839 * The "network-layer" protocol is PPPoE, which has a 6-byte 6840 * PPPoE header, followed by PPP payload, so we set the 6841 * offsets to the network layer offset plus 6 bytes for 6842 * the PPPoE header plus the values appropriate for PPP when 6843 * encapsulated in Ethernet (which means there's no HDLC 6844 * encapsulation). 6845 */ 6846 off_linktype = orig_nl + 6; 6847 off_nl = orig_nl + 6 + 2; 6848 off_nl_nosnap = orig_nl + 6 + 2; 6849 6850 /* 6851 * Set the link-layer type to PPP, as all subsequent tests will 6852 * be on the encapsulated PPP header. 6853 */ 6854 linktype = DLT_PPP; 6855 6856 return b0; 6857 } 6858 6859 struct block * 6860 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 6861 int atmfield; 6862 bpf_int32 jvalue; 6863 bpf_u_int32 jtype; 6864 int reverse; 6865 { 6866 struct block *b0; 6867 6868 switch (atmfield) { 6869 6870 case A_VPI: 6871 if (!is_atm) 6872 bpf_error("'vpi' supported only on raw ATM"); 6873 if (off_vpi == (u_int)-1) 6874 abort(); 6875 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 6876 reverse, jvalue); 6877 break; 6878 6879 case A_VCI: 6880 if (!is_atm) 6881 bpf_error("'vci' supported only on raw ATM"); 6882 if (off_vci == (u_int)-1) 6883 abort(); 6884 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 6885 reverse, jvalue); 6886 break; 6887 6888 case A_PROTOTYPE: 6889 if (off_proto == (u_int)-1) 6890 abort(); /* XXX - this isn't on FreeBSD */ 6891 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 6892 reverse, jvalue); 6893 break; 6894 6895 case A_MSGTYPE: 6896 if (off_payload == (u_int)-1) 6897 abort(); 6898 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 6899 0xffffffff, jtype, reverse, jvalue); 6900 break; 6901 6902 case A_CALLREFTYPE: 6903 if (!is_atm) 6904 bpf_error("'callref' supported only on raw ATM"); 6905 if (off_proto == (u_int)-1) 6906 abort(); 6907 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 6908 jtype, reverse, jvalue); 6909 break; 6910 6911 default: 6912 abort(); 6913 } 6914 return b0; 6915 } 6916 6917 struct block * 6918 gen_atmtype_abbrev(type) 6919 int type; 6920 { 6921 struct block *b0, *b1; 6922 6923 switch (type) { 6924 6925 case A_METAC: 6926 /* Get all packets in Meta signalling Circuit */ 6927 if (!is_atm) 6928 bpf_error("'metac' supported only on raw ATM"); 6929 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6930 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 6931 gen_and(b0, b1); 6932 break; 6933 6934 case A_BCC: 6935 /* Get all packets in Broadcast Circuit*/ 6936 if (!is_atm) 6937 bpf_error("'bcc' supported only on raw ATM"); 6938 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6939 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 6940 gen_and(b0, b1); 6941 break; 6942 6943 case A_OAMF4SC: 6944 /* Get all cells in Segment OAM F4 circuit*/ 6945 if (!is_atm) 6946 bpf_error("'oam4sc' supported only on raw ATM"); 6947 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6948 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 6949 gen_and(b0, b1); 6950 break; 6951 6952 case A_OAMF4EC: 6953 /* Get all cells in End-to-End OAM F4 Circuit*/ 6954 if (!is_atm) 6955 bpf_error("'oam4ec' supported only on raw ATM"); 6956 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6957 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 6958 gen_and(b0, b1); 6959 break; 6960 6961 case A_SC: 6962 /* Get all packets in connection Signalling Circuit */ 6963 if (!is_atm) 6964 bpf_error("'sc' supported only on raw ATM"); 6965 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6966 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 6967 gen_and(b0, b1); 6968 break; 6969 6970 case A_ILMIC: 6971 /* Get all packets in ILMI Circuit */ 6972 if (!is_atm) 6973 bpf_error("'ilmic' supported only on raw ATM"); 6974 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 6975 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 6976 gen_and(b0, b1); 6977 break; 6978 6979 case A_LANE: 6980 /* Get all LANE packets */ 6981 if (!is_atm) 6982 bpf_error("'lane' supported only on raw ATM"); 6983 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 6984 6985 /* 6986 * Arrange that all subsequent tests assume LANE 6987 * rather than LLC-encapsulated packets, and set 6988 * the offsets appropriately for LANE-encapsulated 6989 * Ethernet. 6990 * 6991 * "off_mac" is the offset of the Ethernet header, 6992 * which is 2 bytes past the ATM pseudo-header 6993 * (skipping the pseudo-header and 2-byte LE Client 6994 * field). The other offsets are Ethernet offsets 6995 * relative to "off_mac". 6996 */ 6997 is_lane = 1; 6998 off_mac = off_payload + 2; /* MAC header */ 6999 off_linktype = off_mac + 12; 7000 off_nl = off_mac + 14; /* Ethernet II */ 7001 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */ 7002 break; 7003 7004 case A_LLC: 7005 /* Get all LLC-encapsulated packets */ 7006 if (!is_atm) 7007 bpf_error("'llc' supported only on raw ATM"); 7008 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 7009 is_lane = 0; 7010 break; 7011 7012 default: 7013 abort(); 7014 } 7015 return b1; 7016 } 7017 7018 /* 7019 * Filtering for MTP2 messages based on li value 7020 * FISU, length is null 7021 * LSSU, length is 1 or 2 7022 * MSU, length is 3 or more 7023 */ 7024 struct block * 7025 gen_mtp2type_abbrev(type) 7026 int type; 7027 { 7028 struct block *b0, *b1; 7029 7030 switch (type) { 7031 7032 case M_FISU: 7033 if ( (linktype != DLT_MTP2) && 7034 (linktype != DLT_MTP2_WITH_PHDR) ) 7035 bpf_error("'fisu' supported only on MTP2"); 7036 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 7037 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 7038 break; 7039 7040 case M_LSSU: 7041 if ( (linktype != DLT_MTP2) && 7042 (linktype != DLT_MTP2_WITH_PHDR) ) 7043 bpf_error("'lssu' supported only on MTP2"); 7044 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 7045 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 7046 gen_and(b1, b0); 7047 break; 7048 7049 case M_MSU: 7050 if ( (linktype != DLT_MTP2) && 7051 (linktype != DLT_MTP2_WITH_PHDR) ) 7052 bpf_error("'msu' supported only on MTP2"); 7053 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 7054 break; 7055 7056 default: 7057 abort(); 7058 } 7059 return b0; 7060 } 7061 7062 struct block * 7063 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 7064 int mtp3field; 7065 bpf_u_int32 jvalue; 7066 bpf_u_int32 jtype; 7067 int reverse; 7068 { 7069 struct block *b0; 7070 bpf_u_int32 val1 , val2 , val3; 7071 7072 switch (mtp3field) { 7073 7074 case M_SIO: 7075 if (off_sio == (u_int)-1) 7076 bpf_error("'sio' supported only on SS7"); 7077 /* sio coded on 1 byte so max value 255 */ 7078 if(jvalue > 255) 7079 bpf_error("sio value %u too big; max value = 255", 7080 jvalue); 7081 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff, 7082 (u_int)jtype, reverse, (u_int)jvalue); 7083 break; 7084 7085 case M_OPC: 7086 if (off_opc == (u_int)-1) 7087 bpf_error("'opc' supported only on SS7"); 7088 /* opc coded on 14 bits so max value 16383 */ 7089 if (jvalue > 16383) 7090 bpf_error("opc value %u too big; max value = 16383", 7091 jvalue); 7092 /* the following instructions are made to convert jvalue 7093 * to the form used to write opc in an ss7 message*/ 7094 val1 = jvalue & 0x00003c00; 7095 val1 = val1 >>10; 7096 val2 = jvalue & 0x000003fc; 7097 val2 = val2 <<6; 7098 val3 = jvalue & 0x00000003; 7099 val3 = val3 <<22; 7100 jvalue = val1 + val2 + val3; 7101 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f, 7102 (u_int)jtype, reverse, (u_int)jvalue); 7103 break; 7104 7105 case M_DPC: 7106 if (off_dpc == (u_int)-1) 7107 bpf_error("'dpc' supported only on SS7"); 7108 /* dpc coded on 14 bits so max value 16383 */ 7109 if (jvalue > 16383) 7110 bpf_error("dpc value %u too big; max value = 16383", 7111 jvalue); 7112 /* the following instructions are made to convert jvalue 7113 * to the forme used to write dpc in an ss7 message*/ 7114 val1 = jvalue & 0x000000ff; 7115 val1 = val1 << 24; 7116 val2 = jvalue & 0x00003f00; 7117 val2 = val2 << 8; 7118 jvalue = val1 + val2; 7119 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000, 7120 (u_int)jtype, reverse, (u_int)jvalue); 7121 break; 7122 7123 case M_SLS: 7124 if (off_sls == (u_int)-1) 7125 bpf_error("'sls' supported only on SS7"); 7126 /* sls coded on 4 bits so max value 15 */ 7127 if (jvalue > 15) 7128 bpf_error("sls value %u too big; max value = 15", 7129 jvalue); 7130 /* the following instruction is made to convert jvalue 7131 * to the forme used to write sls in an ss7 message*/ 7132 jvalue = jvalue << 4; 7133 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0, 7134 (u_int)jtype,reverse, (u_int)jvalue); 7135 break; 7136 7137 default: 7138 abort(); 7139 } 7140 return b0; 7141 } 7142 7143 static struct block * 7144 gen_msg_abbrev(type) 7145 int type; 7146 { 7147 struct block *b1; 7148 7149 /* 7150 * Q.2931 signalling protocol messages for handling virtual circuits 7151 * establishment and teardown 7152 */ 7153 switch (type) { 7154 7155 case A_SETUP: 7156 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 7157 break; 7158 7159 case A_CALLPROCEED: 7160 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 7161 break; 7162 7163 case A_CONNECT: 7164 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 7165 break; 7166 7167 case A_CONNECTACK: 7168 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 7169 break; 7170 7171 case A_RELEASE: 7172 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 7173 break; 7174 7175 case A_RELEASE_DONE: 7176 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 7177 break; 7178 7179 default: 7180 abort(); 7181 } 7182 return b1; 7183 } 7184 7185 struct block * 7186 gen_atmmulti_abbrev(type) 7187 int type; 7188 { 7189 struct block *b0, *b1; 7190 7191 switch (type) { 7192 7193 case A_OAM: 7194 if (!is_atm) 7195 bpf_error("'oam' supported only on raw ATM"); 7196 b1 = gen_atmmulti_abbrev(A_OAMF4); 7197 break; 7198 7199 case A_OAMF4: 7200 if (!is_atm) 7201 bpf_error("'oamf4' supported only on raw ATM"); 7202 /* OAM F4 type */ 7203 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 7204 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 7205 gen_or(b0, b1); 7206 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 7207 gen_and(b0, b1); 7208 break; 7209 7210 case A_CONNECTMSG: 7211 /* 7212 * Get Q.2931 signalling messages for switched 7213 * virtual connection 7214 */ 7215 if (!is_atm) 7216 bpf_error("'connectmsg' supported only on raw ATM"); 7217 b0 = gen_msg_abbrev(A_SETUP); 7218 b1 = gen_msg_abbrev(A_CALLPROCEED); 7219 gen_or(b0, b1); 7220 b0 = gen_msg_abbrev(A_CONNECT); 7221 gen_or(b0, b1); 7222 b0 = gen_msg_abbrev(A_CONNECTACK); 7223 gen_or(b0, b1); 7224 b0 = gen_msg_abbrev(A_RELEASE); 7225 gen_or(b0, b1); 7226 b0 = gen_msg_abbrev(A_RELEASE_DONE); 7227 gen_or(b0, b1); 7228 b0 = gen_atmtype_abbrev(A_SC); 7229 gen_and(b0, b1); 7230 break; 7231 7232 case A_METACONNECT: 7233 if (!is_atm) 7234 bpf_error("'metaconnect' supported only on raw ATM"); 7235 b0 = gen_msg_abbrev(A_SETUP); 7236 b1 = gen_msg_abbrev(A_CALLPROCEED); 7237 gen_or(b0, b1); 7238 b0 = gen_msg_abbrev(A_CONNECT); 7239 gen_or(b0, b1); 7240 b0 = gen_msg_abbrev(A_RELEASE); 7241 gen_or(b0, b1); 7242 b0 = gen_msg_abbrev(A_RELEASE_DONE); 7243 gen_or(b0, b1); 7244 b0 = gen_atmtype_abbrev(A_METAC); 7245 gen_and(b0, b1); 7246 break; 7247 7248 default: 7249 abort(); 7250 } 7251 return b1; 7252 } 7253
