1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 #ifndef lint 23 static const char rcsid[] _U_ = 24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)"; 25 #endif 26 27 #ifdef HAVE_CONFIG_H 28 #include "config.h" 29 #endif 30 31 #ifdef WIN32 32 #include <pcap-stdinc.h> 33 #else /* WIN32 */ 34 #if HAVE_INTTYPES_H 35 #include <inttypes.h> 36 #elif HAVE_STDINT_H 37 #include <stdint.h> 38 #endif 39 #ifdef HAVE_SYS_BITYPES_H 40 #include <sys/bitypes.h> 41 #endif 42 #include <sys/types.h> 43 #include <sys/socket.h> 44 #endif /* WIN32 */ 45 46 /* 47 * XXX - why was this included even on UNIX? 48 */ 49 #ifdef __MINGW32__ 50 #include "ip6_misc.h" 51 #endif 52 53 #ifndef WIN32 54 55 #ifdef __NetBSD__ 56 #include <sys/param.h> 57 #endif 58 59 #include <netinet/in.h> 60 #include <arpa/inet.h> 61 62 #endif /* WIN32 */ 63 64 #include <stdlib.h> 65 #include <string.h> 66 #include <memory.h> 67 #include <setjmp.h> 68 #include <stdarg.h> 69 70 #ifdef MSDOS 71 #include "pcap-dos.h" 72 #endif 73 74 #include "pcap-int.h" 75 76 #include "ethertype.h" 77 #include "nlpid.h" 78 #include "llc.h" 79 #include "gencode.h" 80 #include "ieee80211.h" 81 #include "atmuni31.h" 82 #include "sunatmpos.h" 83 #include "ppp.h" 84 #include "pcap/sll.h" 85 #include "pcap/ipnet.h" 86 #include "arcnet.h" 87 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 88 #include <linux/types.h> 89 #include <linux/if_packet.h> 90 #include <linux/filter.h> 91 #endif 92 #ifdef HAVE_NET_PFVAR_H 93 #include <sys/socket.h> 94 #include <net/if.h> 95 #include <net/pfvar.h> 96 #include <net/if_pflog.h> 97 #endif 98 #ifndef offsetof 99 #define offsetof(s, e) ((size_t)&((s *)0)->e) 100 #endif 101 #ifdef INET6 102 #ifndef WIN32 103 #include <netdb.h> /* for "struct addrinfo" */ 104 #endif /* WIN32 */ 105 #endif /*INET6*/ 106 #include <pcap/namedb.h> 107 108 #define ETHERMTU 1500 109 110 #ifndef IPPROTO_HOPOPTS 111 #define IPPROTO_HOPOPTS 0 112 #endif 113 #ifndef IPPROTO_ROUTING 114 #define IPPROTO_ROUTING 43 115 #endif 116 #ifndef IPPROTO_FRAGMENT 117 #define IPPROTO_FRAGMENT 44 118 #endif 119 #ifndef IPPROTO_DSTOPTS 120 #define IPPROTO_DSTOPTS 60 121 #endif 122 #ifndef IPPROTO_SCTP 123 #define IPPROTO_SCTP 132 124 #endif 125 126 #ifdef HAVE_OS_PROTO_H 127 #include "os-proto.h" 128 #endif 129 130 #define JMP(c) ((c)|BPF_JMP|BPF_K) 131 132 /* Locals */ 133 static jmp_buf top_ctx; 134 static pcap_t *bpf_pcap; 135 136 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */ 137 #ifdef WIN32 138 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1; 139 #else 140 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U; 141 #endif 142 143 /* XXX */ 144 static int pcap_fddipad; 145 146 /* VARARGS */ 147 void 148 bpf_error(const char *fmt, ...) 149 { 150 va_list ap; 151 152 va_start(ap, fmt); 153 if (bpf_pcap != NULL) 154 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 155 fmt, ap); 156 va_end(ap); 157 longjmp(top_ctx, 1); 158 /* NOTREACHED */ 159 } 160 161 static void init_linktype(pcap_t *); 162 163 static void init_regs(void); 164 static int alloc_reg(void); 165 static void free_reg(int); 166 167 static struct block *root; 168 169 /* 170 * Value passed to gen_load_a() to indicate what the offset argument 171 * is relative to. 172 */ 173 enum e_offrel { 174 OR_PACKET, /* relative to the beginning of the packet */ 175 OR_LINK, /* relative to the beginning of the link-layer header */ 176 OR_MACPL, /* relative to the end of the MAC-layer header */ 177 OR_NET, /* relative to the network-layer header */ 178 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */ 179 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */ 180 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */ 181 }; 182 183 #ifdef INET6 184 /* 185 * As errors are handled by a longjmp, anything allocated must be freed 186 * in the longjmp handler, so it must be reachable from that handler. 187 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 188 * it must be freed with freeaddrinfo(). This variable points to any 189 * addrinfo structure that would need to be freed. 190 */ 191 static struct addrinfo *ai; 192 #endif 193 194 /* 195 * We divy out chunks of memory rather than call malloc each time so 196 * we don't have to worry about leaking memory. It's probably 197 * not a big deal if all this memory was wasted but if this ever 198 * goes into a library that would probably not be a good idea. 199 * 200 * XXX - this *is* in a library.... 201 */ 202 #define NCHUNKS 16 203 #define CHUNK0SIZE 1024 204 struct chunk { 205 u_int n_left; 206 void *m; 207 }; 208 209 static struct chunk chunks[NCHUNKS]; 210 static int cur_chunk; 211 212 static void *newchunk(u_int); 213 static void freechunks(void); 214 static inline struct block *new_block(int); 215 static inline struct slist *new_stmt(int); 216 static struct block *gen_retblk(int); 217 static inline void syntax(void); 218 219 static void backpatch(struct block *, struct block *); 220 static void merge(struct block *, struct block *); 221 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 222 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 223 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 224 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 225 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 226 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 227 bpf_u_int32); 228 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 229 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 230 bpf_u_int32, bpf_u_int32, int, bpf_int32); 231 static struct slist *gen_load_llrel(u_int, u_int); 232 static struct slist *gen_load_macplrel(u_int, u_int); 233 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 234 static struct slist *gen_loadx_iphdrlen(void); 235 static struct block *gen_uncond(int); 236 static inline struct block *gen_true(void); 237 static inline struct block *gen_false(void); 238 static struct block *gen_ether_linktype(int); 239 static struct block *gen_ipnet_linktype(int); 240 static struct block *gen_linux_sll_linktype(int); 241 static struct slist *gen_load_prism_llprefixlen(void); 242 static struct slist *gen_load_avs_llprefixlen(void); 243 static struct slist *gen_load_radiotap_llprefixlen(void); 244 static struct slist *gen_load_ppi_llprefixlen(void); 245 static void insert_compute_vloffsets(struct block *); 246 static struct slist *gen_llprefixlen(void); 247 static struct slist *gen_off_macpl(void); 248 static int ethertype_to_ppptype(int); 249 static struct block *gen_linktype(int); 250 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 251 static struct block *gen_llc_linktype(int); 252 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 253 #ifdef INET6 254 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 255 #endif 256 static struct block *gen_ahostop(const u_char *, int); 257 static struct block *gen_ehostop(const u_char *, int); 258 static struct block *gen_fhostop(const u_char *, int); 259 static struct block *gen_thostop(const u_char *, int); 260 static struct block *gen_wlanhostop(const u_char *, int); 261 static struct block *gen_ipfchostop(const u_char *, int); 262 static struct block *gen_dnhostop(bpf_u_int32, int); 263 static struct block *gen_mpls_linktype(int); 264 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 265 #ifdef INET6 266 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 267 #endif 268 #ifndef INET6 269 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 270 #endif 271 static struct block *gen_ipfrag(void); 272 static struct block *gen_portatom(int, bpf_int32); 273 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 274 static struct block *gen_portatom6(int, bpf_int32); 275 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 276 struct block *gen_portop(int, int, int); 277 static struct block *gen_port(int, int, int); 278 struct block *gen_portrangeop(int, int, int, int); 279 static struct block *gen_portrange(int, int, int, int); 280 struct block *gen_portop6(int, int, int); 281 static struct block *gen_port6(int, int, int); 282 struct block *gen_portrangeop6(int, int, int, int); 283 static struct block *gen_portrange6(int, int, int, int); 284 static int lookup_proto(const char *, int); 285 static struct block *gen_protochain(int, int, int); 286 static struct block *gen_proto(int, int, int); 287 static struct slist *xfer_to_x(struct arth *); 288 static struct slist *xfer_to_a(struct arth *); 289 static struct block *gen_mac_multicast(int); 290 static struct block *gen_len(int, int); 291 static struct block *gen_check_802_11_data_frame(void); 292 293 static struct block *gen_ppi_dlt_check(void); 294 static struct block *gen_msg_abbrev(int type); 295 296 static void * 297 newchunk(n) 298 u_int n; 299 { 300 struct chunk *cp; 301 int k; 302 size_t size; 303 304 #ifndef __NetBSD__ 305 /* XXX Round up to nearest long. */ 306 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 307 #else 308 /* XXX Round up to structure boundary. */ 309 n = ALIGN(n); 310 #endif 311 312 cp = &chunks[cur_chunk]; 313 if (n > cp->n_left) { 314 ++cp, k = ++cur_chunk; 315 if (k >= NCHUNKS) 316 bpf_error("out of memory"); 317 size = CHUNK0SIZE << k; 318 cp->m = (void *)malloc(size); 319 if (cp->m == NULL) 320 bpf_error("out of memory"); 321 memset((char *)cp->m, 0, size); 322 cp->n_left = size; 323 if (n > size) 324 bpf_error("out of memory"); 325 } 326 cp->n_left -= n; 327 return (void *)((char *)cp->m + cp->n_left); 328 } 329 330 static void 331 freechunks() 332 { 333 int i; 334 335 cur_chunk = 0; 336 for (i = 0; i < NCHUNKS; ++i) 337 if (chunks[i].m != NULL) { 338 free(chunks[i].m); 339 chunks[i].m = NULL; 340 } 341 } 342 343 /* 344 * A strdup whose allocations are freed after code generation is over. 345 */ 346 char * 347 sdup(s) 348 register const char *s; 349 { 350 int n = strlen(s) + 1; 351 char *cp = newchunk(n); 352 353 strlcpy(cp, s, n); 354 return (cp); 355 } 356 357 static inline struct block * 358 new_block(code) 359 int code; 360 { 361 struct block *p; 362 363 p = (struct block *)newchunk(sizeof(*p)); 364 p->s.code = code; 365 p->head = p; 366 367 return p; 368 } 369 370 static inline struct slist * 371 new_stmt(code) 372 int code; 373 { 374 struct slist *p; 375 376 p = (struct slist *)newchunk(sizeof(*p)); 377 p->s.code = code; 378 379 return p; 380 } 381 382 static struct block * 383 gen_retblk(v) 384 int v; 385 { 386 struct block *b = new_block(BPF_RET|BPF_K); 387 388 b->s.k = v; 389 return b; 390 } 391 392 static inline void 393 syntax() 394 { 395 bpf_error("syntax error in filter expression"); 396 } 397 398 static bpf_u_int32 netmask; 399 static int snaplen; 400 int no_optimize; 401 #ifdef WIN32 402 static int 403 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 404 const char *buf, int optimize, bpf_u_int32 mask); 405 406 int 407 pcap_compile(pcap_t *p, struct bpf_program *program, 408 const char *buf, int optimize, bpf_u_int32 mask) 409 { 410 int result; 411 412 EnterCriticalSection(&g_PcapCompileCriticalSection); 413 414 result = pcap_compile_unsafe(p, program, buf, optimize, mask); 415 416 LeaveCriticalSection(&g_PcapCompileCriticalSection); 417 418 return result; 419 } 420 421 static int 422 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program, 423 const char *buf, int optimize, bpf_u_int32 mask) 424 #else /* WIN32 */ 425 int 426 pcap_compile(pcap_t *p, struct bpf_program *program, 427 const char *buf, int optimize, bpf_u_int32 mask) 428 #endif /* WIN32 */ 429 { 430 extern int n_errors; 431 const char * volatile xbuf = buf; 432 u_int len; 433 434 /* 435 * If this pcap_t hasn't been activated, it doesn't have a 436 * link-layer type, so we can't use it. 437 */ 438 if (!p->activated) { 439 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 440 "not-yet-activated pcap_t passed to pcap_compile"); 441 return (-1); 442 } 443 no_optimize = 0; 444 n_errors = 0; 445 root = NULL; 446 bpf_pcap = p; 447 init_regs(); 448 if (setjmp(top_ctx)) { 449 #ifdef INET6 450 if (ai != NULL) { 451 freeaddrinfo(ai); 452 ai = NULL; 453 } 454 #endif 455 lex_cleanup(); 456 freechunks(); 457 return (-1); 458 } 459 460 netmask = mask; 461 462 snaplen = pcap_snapshot(p); 463 if (snaplen == 0) { 464 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 465 "snaplen of 0 rejects all packets"); 466 return -1; 467 } 468 469 lex_init(xbuf ? xbuf : ""); 470 init_linktype(p); 471 (void)pcap_parse(); 472 473 if (n_errors) 474 syntax(); 475 476 if (root == NULL) 477 root = gen_retblk(snaplen); 478 479 if (optimize && !no_optimize) { 480 bpf_optimize(&root); 481 if (root == NULL || 482 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 483 bpf_error("expression rejects all packets"); 484 } 485 program->bf_insns = icode_to_fcode(root, &len); 486 program->bf_len = len; 487 488 lex_cleanup(); 489 freechunks(); 490 return (0); 491 } 492 493 /* 494 * entry point for using the compiler with no pcap open 495 * pass in all the stuff that is needed explicitly instead. 496 */ 497 int 498 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 499 struct bpf_program *program, 500 const char *buf, int optimize, bpf_u_int32 mask) 501 { 502 pcap_t *p; 503 int ret; 504 505 p = pcap_open_dead(linktype_arg, snaplen_arg); 506 if (p == NULL) 507 return (-1); 508 ret = pcap_compile(p, program, buf, optimize, mask); 509 pcap_close(p); 510 return (ret); 511 } 512 513 /* 514 * Clean up a "struct bpf_program" by freeing all the memory allocated 515 * in it. 516 */ 517 void 518 pcap_freecode(struct bpf_program *program) 519 { 520 program->bf_len = 0; 521 if (program->bf_insns != NULL) { 522 free((char *)program->bf_insns); 523 program->bf_insns = NULL; 524 } 525 } 526 527 /* 528 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 529 * which of the jt and jf fields has been resolved and which is a pointer 530 * back to another unresolved block (or nil). At least one of the fields 531 * in each block is already resolved. 532 */ 533 static void 534 backpatch(list, target) 535 struct block *list, *target; 536 { 537 struct block *next; 538 539 while (list) { 540 if (!list->sense) { 541 next = JT(list); 542 JT(list) = target; 543 } else { 544 next = JF(list); 545 JF(list) = target; 546 } 547 list = next; 548 } 549 } 550 551 /* 552 * Merge the lists in b0 and b1, using the 'sense' field to indicate 553 * which of jt and jf is the link. 554 */ 555 static void 556 merge(b0, b1) 557 struct block *b0, *b1; 558 { 559 register struct block **p = &b0; 560 561 /* Find end of list. */ 562 while (*p) 563 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 564 565 /* Concatenate the lists. */ 566 *p = b1; 567 } 568 569 void 570 finish_parse(p) 571 struct block *p; 572 { 573 struct block *ppi_dlt_check; 574 575 /* 576 * Insert before the statements of the first (root) block any 577 * statements needed to load the lengths of any variable-length 578 * headers into registers. 579 * 580 * XXX - a fancier strategy would be to insert those before the 581 * statements of all blocks that use those lengths and that 582 * have no predecessors that use them, so that we only compute 583 * the lengths if we need them. There might be even better 584 * approaches than that. 585 * 586 * However, those strategies would be more complicated, and 587 * as we don't generate code to compute a length if the 588 * program has no tests that use the length, and as most 589 * tests will probably use those lengths, we would just 590 * postpone computing the lengths so that it's not done 591 * for tests that fail early, and it's not clear that's 592 * worth the effort. 593 */ 594 insert_compute_vloffsets(p->head); 595 596 /* 597 * For DLT_PPI captures, generate a check of the per-packet 598 * DLT value to make sure it's DLT_IEEE802_11. 599 */ 600 ppi_dlt_check = gen_ppi_dlt_check(); 601 if (ppi_dlt_check != NULL) 602 gen_and(ppi_dlt_check, p); 603 604 backpatch(p, gen_retblk(snaplen)); 605 p->sense = !p->sense; 606 backpatch(p, gen_retblk(0)); 607 root = p->head; 608 } 609 610 void 611 gen_and(b0, b1) 612 struct block *b0, *b1; 613 { 614 backpatch(b0, b1->head); 615 b0->sense = !b0->sense; 616 b1->sense = !b1->sense; 617 merge(b1, b0); 618 b1->sense = !b1->sense; 619 b1->head = b0->head; 620 } 621 622 void 623 gen_or(b0, b1) 624 struct block *b0, *b1; 625 { 626 b0->sense = !b0->sense; 627 backpatch(b0, b1->head); 628 b0->sense = !b0->sense; 629 merge(b1, b0); 630 b1->head = b0->head; 631 } 632 633 void 634 gen_not(b) 635 struct block *b; 636 { 637 b->sense = !b->sense; 638 } 639 640 static struct block * 641 gen_cmp(offrel, offset, size, v) 642 enum e_offrel offrel; 643 u_int offset, size; 644 bpf_int32 v; 645 { 646 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 647 } 648 649 static struct block * 650 gen_cmp_gt(offrel, offset, size, v) 651 enum e_offrel offrel; 652 u_int offset, size; 653 bpf_int32 v; 654 { 655 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 656 } 657 658 static struct block * 659 gen_cmp_ge(offrel, offset, size, v) 660 enum e_offrel offrel; 661 u_int offset, size; 662 bpf_int32 v; 663 { 664 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 665 } 666 667 static struct block * 668 gen_cmp_lt(offrel, offset, size, v) 669 enum e_offrel offrel; 670 u_int offset, size; 671 bpf_int32 v; 672 { 673 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 674 } 675 676 static struct block * 677 gen_cmp_le(offrel, offset, size, v) 678 enum e_offrel offrel; 679 u_int offset, size; 680 bpf_int32 v; 681 { 682 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 683 } 684 685 static struct block * 686 gen_mcmp(offrel, offset, size, v, mask) 687 enum e_offrel offrel; 688 u_int offset, size; 689 bpf_int32 v; 690 bpf_u_int32 mask; 691 { 692 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 693 } 694 695 static struct block * 696 gen_bcmp(offrel, offset, size, v) 697 enum e_offrel offrel; 698 register u_int offset, size; 699 register const u_char *v; 700 { 701 register struct block *b, *tmp; 702 703 b = NULL; 704 while (size >= 4) { 705 register const u_char *p = &v[size - 4]; 706 bpf_int32 w = ((bpf_int32)p[0] << 24) | 707 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 708 709 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 710 if (b != NULL) 711 gen_and(b, tmp); 712 b = tmp; 713 size -= 4; 714 } 715 while (size >= 2) { 716 register const u_char *p = &v[size - 2]; 717 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 718 719 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 720 if (b != NULL) 721 gen_and(b, tmp); 722 b = tmp; 723 size -= 2; 724 } 725 if (size > 0) { 726 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 727 if (b != NULL) 728 gen_and(b, tmp); 729 b = tmp; 730 } 731 return b; 732 } 733 734 /* 735 * AND the field of size "size" at offset "offset" relative to the header 736 * specified by "offrel" with "mask", and compare it with the value "v" 737 * with the test specified by "jtype"; if "reverse" is true, the test 738 * should test the opposite of "jtype". 739 */ 740 static struct block * 741 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 742 enum e_offrel offrel; 743 bpf_int32 v; 744 bpf_u_int32 offset, size, mask, jtype; 745 int reverse; 746 { 747 struct slist *s, *s2; 748 struct block *b; 749 750 s = gen_load_a(offrel, offset, size); 751 752 if (mask != 0xffffffff) { 753 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 754 s2->s.k = mask; 755 sappend(s, s2); 756 } 757 758 b = new_block(JMP(jtype)); 759 b->stmts = s; 760 b->s.k = v; 761 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 762 gen_not(b); 763 return b; 764 } 765 766 /* 767 * Various code constructs need to know the layout of the data link 768 * layer. These variables give the necessary offsets from the beginning 769 * of the packet data. 770 */ 771 772 /* 773 * This is the offset of the beginning of the link-layer header from 774 * the beginning of the raw packet data. 775 * 776 * It's usually 0, except for 802.11 with a fixed-length radio header. 777 * (For 802.11 with a variable-length radio header, we have to generate 778 * code to compute that offset; off_ll is 0 in that case.) 779 */ 780 static u_int off_ll; 781 782 /* 783 * If there's a variable-length header preceding the link-layer header, 784 * "reg_off_ll" is the register number for a register containing the 785 * length of that header, and therefore the offset of the link-layer 786 * header from the beginning of the raw packet data. Otherwise, 787 * "reg_off_ll" is -1. 788 */ 789 static int reg_off_ll; 790 791 /* 792 * This is the offset of the beginning of the MAC-layer header from 793 * the beginning of the link-layer header. 794 * It's usually 0, except for ATM LANE, where it's the offset, relative 795 * to the beginning of the raw packet data, of the Ethernet header, and 796 * for Ethernet with various additional information. 797 */ 798 static u_int off_mac; 799 800 /* 801 * This is the offset of the beginning of the MAC-layer payload, 802 * from the beginning of the raw packet data. 803 * 804 * I.e., it's the sum of the length of the link-layer header (without, 805 * for example, any 802.2 LLC header, so it's the MAC-layer 806 * portion of that header), plus any prefix preceding the 807 * link-layer header. 808 */ 809 static u_int off_macpl; 810 811 /* 812 * This is 1 if the offset of the beginning of the MAC-layer payload 813 * from the beginning of the link-layer header is variable-length. 814 */ 815 static int off_macpl_is_variable; 816 817 /* 818 * If the link layer has variable_length headers, "reg_off_macpl" 819 * is the register number for a register containing the length of the 820 * link-layer header plus the length of any variable-length header 821 * preceding the link-layer header. Otherwise, "reg_off_macpl" 822 * is -1. 823 */ 824 static int reg_off_macpl; 825 826 /* 827 * "off_linktype" is the offset to information in the link-layer header 828 * giving the packet type. This offset is relative to the beginning 829 * of the link-layer header (i.e., it doesn't include off_ll). 830 * 831 * For Ethernet, it's the offset of the Ethernet type field. 832 * 833 * For link-layer types that always use 802.2 headers, it's the 834 * offset of the LLC header. 835 * 836 * For PPP, it's the offset of the PPP type field. 837 * 838 * For Cisco HDLC, it's the offset of the CHDLC type field. 839 * 840 * For BSD loopback, it's the offset of the AF_ value. 841 * 842 * For Linux cooked sockets, it's the offset of the type field. 843 * 844 * It's set to -1 for no encapsulation, in which case, IP is assumed. 845 */ 846 static u_int off_linktype; 847 848 /* 849 * TRUE if "pppoes" appeared in the filter; it causes link-layer type 850 * checks to check the PPP header, assumed to follow a LAN-style link- 851 * layer header and a PPPoE session header. 852 */ 853 static int is_pppoes = 0; 854 855 /* 856 * TRUE if the link layer includes an ATM pseudo-header. 857 */ 858 static int is_atm = 0; 859 860 /* 861 * TRUE if "lane" appeared in the filter; it causes us to generate 862 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM. 863 */ 864 static int is_lane = 0; 865 866 /* 867 * These are offsets for the ATM pseudo-header. 868 */ 869 static u_int off_vpi; 870 static u_int off_vci; 871 static u_int off_proto; 872 873 /* 874 * These are offsets for the MTP2 fields. 875 */ 876 static u_int off_li; 877 static u_int off_li_hsl; 878 879 /* 880 * These are offsets for the MTP3 fields. 881 */ 882 static u_int off_sio; 883 static u_int off_opc; 884 static u_int off_dpc; 885 static u_int off_sls; 886 887 /* 888 * This is the offset of the first byte after the ATM pseudo_header, 889 * or -1 if there is no ATM pseudo-header. 890 */ 891 static u_int off_payload; 892 893 /* 894 * These are offsets to the beginning of the network-layer header. 895 * They are relative to the beginning of the MAC-layer payload (i.e., 896 * they don't include off_ll or off_macpl). 897 * 898 * If the link layer never uses 802.2 LLC: 899 * 900 * "off_nl" and "off_nl_nosnap" are the same. 901 * 902 * If the link layer always uses 802.2 LLC: 903 * 904 * "off_nl" is the offset if there's a SNAP header following 905 * the 802.2 header; 906 * 907 * "off_nl_nosnap" is the offset if there's no SNAP header. 908 * 909 * If the link layer is Ethernet: 910 * 911 * "off_nl" is the offset if the packet is an Ethernet II packet 912 * (we assume no 802.3+802.2+SNAP); 913 * 914 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 915 * with an 802.2 header following it. 916 */ 917 static u_int off_nl; 918 static u_int off_nl_nosnap; 919 920 static int linktype; 921 922 static void 923 init_linktype(p) 924 pcap_t *p; 925 { 926 linktype = pcap_datalink(p); 927 pcap_fddipad = p->fddipad; 928 929 /* 930 * Assume it's not raw ATM with a pseudo-header, for now. 931 */ 932 off_mac = 0; 933 is_atm = 0; 934 is_lane = 0; 935 off_vpi = -1; 936 off_vci = -1; 937 off_proto = -1; 938 off_payload = -1; 939 940 /* 941 * And that we're not doing PPPoE. 942 */ 943 is_pppoes = 0; 944 945 /* 946 * And assume we're not doing SS7. 947 */ 948 off_li = -1; 949 off_li_hsl = -1; 950 off_sio = -1; 951 off_opc = -1; 952 off_dpc = -1; 953 off_sls = -1; 954 955 /* 956 * Also assume it's not 802.11. 957 */ 958 off_ll = 0; 959 off_macpl = 0; 960 off_macpl_is_variable = 0; 961 962 orig_linktype = -1; 963 orig_nl = -1; 964 label_stack_depth = 0; 965 966 reg_off_ll = -1; 967 reg_off_macpl = -1; 968 969 switch (linktype) { 970 971 case DLT_ARCNET: 972 off_linktype = 2; 973 off_macpl = 6; 974 off_nl = 0; /* XXX in reality, variable! */ 975 off_nl_nosnap = 0; /* no 802.2 LLC */ 976 return; 977 978 case DLT_ARCNET_LINUX: 979 off_linktype = 4; 980 off_macpl = 8; 981 off_nl = 0; /* XXX in reality, variable! */ 982 off_nl_nosnap = 0; /* no 802.2 LLC */ 983 return; 984 985 case DLT_EN10MB: 986 off_linktype = 12; 987 off_macpl = 14; /* Ethernet header length */ 988 off_nl = 0; /* Ethernet II */ 989 off_nl_nosnap = 3; /* 802.3+802.2 */ 990 return; 991 992 case DLT_SLIP: 993 /* 994 * SLIP doesn't have a link level type. The 16 byte 995 * header is hacked into our SLIP driver. 996 */ 997 off_linktype = -1; 998 off_macpl = 16; 999 off_nl = 0; 1000 off_nl_nosnap = 0; /* no 802.2 LLC */ 1001 return; 1002 1003 case DLT_SLIP_BSDOS: 1004 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1005 off_linktype = -1; 1006 /* XXX end */ 1007 off_macpl = 24; 1008 off_nl = 0; 1009 off_nl_nosnap = 0; /* no 802.2 LLC */ 1010 return; 1011 1012 case DLT_NULL: 1013 case DLT_LOOP: 1014 off_linktype = 0; 1015 off_macpl = 4; 1016 off_nl = 0; 1017 off_nl_nosnap = 0; /* no 802.2 LLC */ 1018 return; 1019 1020 case DLT_ENC: 1021 off_linktype = 0; 1022 off_macpl = 12; 1023 off_nl = 0; 1024 off_nl_nosnap = 0; /* no 802.2 LLC */ 1025 return; 1026 1027 case DLT_PPP: 1028 case DLT_PPP_PPPD: 1029 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1030 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1031 off_linktype = 2; 1032 off_macpl = 4; 1033 off_nl = 0; 1034 off_nl_nosnap = 0; /* no 802.2 LLC */ 1035 return; 1036 1037 case DLT_PPP_ETHER: 1038 /* 1039 * This does no include the Ethernet header, and 1040 * only covers session state. 1041 */ 1042 off_linktype = 6; 1043 off_macpl = 8; 1044 off_nl = 0; 1045 off_nl_nosnap = 0; /* no 802.2 LLC */ 1046 return; 1047 1048 case DLT_PPP_BSDOS: 1049 off_linktype = 5; 1050 off_macpl = 24; 1051 off_nl = 0; 1052 off_nl_nosnap = 0; /* no 802.2 LLC */ 1053 return; 1054 1055 case DLT_FDDI: 1056 /* 1057 * FDDI doesn't really have a link-level type field. 1058 * We set "off_linktype" to the offset of the LLC header. 1059 * 1060 * To check for Ethernet types, we assume that SSAP = SNAP 1061 * is being used and pick out the encapsulated Ethernet type. 1062 * XXX - should we generate code to check for SNAP? 1063 */ 1064 off_linktype = 13; 1065 off_linktype += pcap_fddipad; 1066 off_macpl = 13; /* FDDI MAC header length */ 1067 off_macpl += pcap_fddipad; 1068 off_nl = 8; /* 802.2+SNAP */ 1069 off_nl_nosnap = 3; /* 802.2 */ 1070 return; 1071 1072 case DLT_IEEE802: 1073 /* 1074 * Token Ring doesn't really have a link-level type field. 1075 * We set "off_linktype" to the offset of the LLC header. 1076 * 1077 * To check for Ethernet types, we assume that SSAP = SNAP 1078 * is being used and pick out the encapsulated Ethernet type. 1079 * XXX - should we generate code to check for SNAP? 1080 * 1081 * XXX - the header is actually variable-length. 1082 * Some various Linux patched versions gave 38 1083 * as "off_linktype" and 40 as "off_nl"; however, 1084 * if a token ring packet has *no* routing 1085 * information, i.e. is not source-routed, the correct 1086 * values are 20 and 22, as they are in the vanilla code. 1087 * 1088 * A packet is source-routed iff the uppermost bit 1089 * of the first byte of the source address, at an 1090 * offset of 8, has the uppermost bit set. If the 1091 * packet is source-routed, the total number of bytes 1092 * of routing information is 2 plus bits 0x1F00 of 1093 * the 16-bit value at an offset of 14 (shifted right 1094 * 8 - figure out which byte that is). 1095 */ 1096 off_linktype = 14; 1097 off_macpl = 14; /* Token Ring MAC header length */ 1098 off_nl = 8; /* 802.2+SNAP */ 1099 off_nl_nosnap = 3; /* 802.2 */ 1100 return; 1101 1102 case DLT_IEEE802_11: 1103 case DLT_PRISM_HEADER: 1104 case DLT_IEEE802_11_RADIO_AVS: 1105 case DLT_IEEE802_11_RADIO: 1106 /* 1107 * 802.11 doesn't really have a link-level type field. 1108 * We set "off_linktype" to the offset of the LLC header. 1109 * 1110 * To check for Ethernet types, we assume that SSAP = SNAP 1111 * is being used and pick out the encapsulated Ethernet type. 1112 * XXX - should we generate code to check for SNAP? 1113 * 1114 * We also handle variable-length radio headers here. 1115 * The Prism header is in theory variable-length, but in 1116 * practice it's always 144 bytes long. However, some 1117 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1118 * sometimes or always supply an AVS header, so we 1119 * have to check whether the radio header is a Prism 1120 * header or an AVS header, so, in practice, it's 1121 * variable-length. 1122 */ 1123 off_linktype = 24; 1124 off_macpl = 0; /* link-layer header is variable-length */ 1125 off_macpl_is_variable = 1; 1126 off_nl = 8; /* 802.2+SNAP */ 1127 off_nl_nosnap = 3; /* 802.2 */ 1128 return; 1129 1130 case DLT_PPI: 1131 /* 1132 * At the moment we treat PPI the same way that we treat 1133 * normal Radiotap encoded packets. The difference is in 1134 * the function that generates the code at the beginning 1135 * to compute the header length. Since this code generator 1136 * of PPI supports bare 802.11 encapsulation only (i.e. 1137 * the encapsulated DLT should be DLT_IEEE802_11) we 1138 * generate code to check for this too. 1139 */ 1140 off_linktype = 24; 1141 off_macpl = 0; /* link-layer header is variable-length */ 1142 off_macpl_is_variable = 1; 1143 off_nl = 8; /* 802.2+SNAP */ 1144 off_nl_nosnap = 3; /* 802.2 */ 1145 return; 1146 1147 case DLT_ATM_RFC1483: 1148 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1149 /* 1150 * assume routed, non-ISO PDUs 1151 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1152 * 1153 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1154 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1155 * latter would presumably be treated the way PPPoE 1156 * should be, so you can do "pppoe and udp port 2049" 1157 * or "pppoa and tcp port 80" and have it check for 1158 * PPPo{A,E} and a PPP protocol of IP and.... 1159 */ 1160 off_linktype = 0; 1161 off_macpl = 0; /* packet begins with LLC header */ 1162 off_nl = 8; /* 802.2+SNAP */ 1163 off_nl_nosnap = 3; /* 802.2 */ 1164 return; 1165 1166 case DLT_SUNATM: 1167 /* 1168 * Full Frontal ATM; you get AALn PDUs with an ATM 1169 * pseudo-header. 1170 */ 1171 is_atm = 1; 1172 off_vpi = SUNATM_VPI_POS; 1173 off_vci = SUNATM_VCI_POS; 1174 off_proto = PROTO_POS; 1175 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */ 1176 off_payload = SUNATM_PKT_BEGIN_POS; 1177 off_linktype = off_payload; 1178 off_macpl = off_payload; /* if LLC-encapsulated */ 1179 off_nl = 8; /* 802.2+SNAP */ 1180 off_nl_nosnap = 3; /* 802.2 */ 1181 return; 1182 1183 case DLT_RAW: 1184 case DLT_IPV4: 1185 case DLT_IPV6: 1186 off_linktype = -1; 1187 off_macpl = 0; 1188 off_nl = 0; 1189 off_nl_nosnap = 0; /* no 802.2 LLC */ 1190 return; 1191 1192 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1193 off_linktype = 14; 1194 off_macpl = 16; 1195 off_nl = 0; 1196 off_nl_nosnap = 0; /* no 802.2 LLC */ 1197 return; 1198 1199 case DLT_LTALK: 1200 /* 1201 * LocalTalk does have a 1-byte type field in the LLAP header, 1202 * but really it just indicates whether there is a "short" or 1203 * "long" DDP packet following. 1204 */ 1205 off_linktype = -1; 1206 off_macpl = 0; 1207 off_nl = 0; 1208 off_nl_nosnap = 0; /* no 802.2 LLC */ 1209 return; 1210 1211 case DLT_IP_OVER_FC: 1212 /* 1213 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1214 * link-level type field. We set "off_linktype" to the 1215 * offset of the LLC header. 1216 * 1217 * To check for Ethernet types, we assume that SSAP = SNAP 1218 * is being used and pick out the encapsulated Ethernet type. 1219 * XXX - should we generate code to check for SNAP? RFC 1220 * 2625 says SNAP should be used. 1221 */ 1222 off_linktype = 16; 1223 off_macpl = 16; 1224 off_nl = 8; /* 802.2+SNAP */ 1225 off_nl_nosnap = 3; /* 802.2 */ 1226 return; 1227 1228 case DLT_FRELAY: 1229 /* 1230 * XXX - we should set this to handle SNAP-encapsulated 1231 * frames (NLPID of 0x80). 1232 */ 1233 off_linktype = -1; 1234 off_macpl = 0; 1235 off_nl = 0; 1236 off_nl_nosnap = 0; /* no 802.2 LLC */ 1237 return; 1238 1239 /* 1240 * the only BPF-interesting FRF.16 frames are non-control frames; 1241 * Frame Relay has a variable length link-layer 1242 * so lets start with offset 4 for now and increments later on (FIXME); 1243 */ 1244 case DLT_MFR: 1245 off_linktype = -1; 1246 off_macpl = 0; 1247 off_nl = 4; 1248 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1249 return; 1250 1251 case DLT_APPLE_IP_OVER_IEEE1394: 1252 off_linktype = 16; 1253 off_macpl = 18; 1254 off_nl = 0; 1255 off_nl_nosnap = 0; /* no 802.2 LLC */ 1256 return; 1257 1258 case DLT_SYMANTEC_FIREWALL: 1259 off_linktype = 6; 1260 off_macpl = 44; 1261 off_nl = 0; /* Ethernet II */ 1262 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1263 return; 1264 1265 #ifdef HAVE_NET_PFVAR_H 1266 case DLT_PFLOG: 1267 off_linktype = 0; 1268 off_macpl = PFLOG_HDRLEN; 1269 off_nl = 0; 1270 off_nl_nosnap = 0; /* no 802.2 LLC */ 1271 return; 1272 #endif 1273 1274 case DLT_JUNIPER_MFR: 1275 case DLT_JUNIPER_MLFR: 1276 case DLT_JUNIPER_MLPPP: 1277 case DLT_JUNIPER_PPP: 1278 case DLT_JUNIPER_CHDLC: 1279 case DLT_JUNIPER_FRELAY: 1280 off_linktype = 4; 1281 off_macpl = 4; 1282 off_nl = 0; 1283 off_nl_nosnap = -1; /* no 802.2 LLC */ 1284 return; 1285 1286 case DLT_JUNIPER_ATM1: 1287 off_linktype = 4; /* in reality variable between 4-8 */ 1288 off_macpl = 4; /* in reality variable between 4-8 */ 1289 off_nl = 0; 1290 off_nl_nosnap = 10; 1291 return; 1292 1293 case DLT_JUNIPER_ATM2: 1294 off_linktype = 8; /* in reality variable between 8-12 */ 1295 off_macpl = 8; /* in reality variable between 8-12 */ 1296 off_nl = 0; 1297 off_nl_nosnap = 10; 1298 return; 1299 1300 /* frames captured on a Juniper PPPoE service PIC 1301 * contain raw ethernet frames */ 1302 case DLT_JUNIPER_PPPOE: 1303 case DLT_JUNIPER_ETHER: 1304 off_macpl = 14; 1305 off_linktype = 16; 1306 off_nl = 18; /* Ethernet II */ 1307 off_nl_nosnap = 21; /* 802.3+802.2 */ 1308 return; 1309 1310 case DLT_JUNIPER_PPPOE_ATM: 1311 off_linktype = 4; 1312 off_macpl = 6; 1313 off_nl = 0; 1314 off_nl_nosnap = -1; /* no 802.2 LLC */ 1315 return; 1316 1317 case DLT_JUNIPER_GGSN: 1318 off_linktype = 6; 1319 off_macpl = 12; 1320 off_nl = 0; 1321 off_nl_nosnap = -1; /* no 802.2 LLC */ 1322 return; 1323 1324 case DLT_JUNIPER_ES: 1325 off_linktype = 6; 1326 off_macpl = -1; /* not really a network layer but raw IP addresses */ 1327 off_nl = -1; /* not really a network layer but raw IP addresses */ 1328 off_nl_nosnap = -1; /* no 802.2 LLC */ 1329 return; 1330 1331 case DLT_JUNIPER_MONITOR: 1332 off_linktype = 12; 1333 off_macpl = 12; 1334 off_nl = 0; /* raw IP/IP6 header */ 1335 off_nl_nosnap = -1; /* no 802.2 LLC */ 1336 return; 1337 1338 case DLT_BACNET_MS_TP: 1339 off_linktype = -1; 1340 off_macpl = -1; 1341 off_nl = -1; 1342 off_nl_nosnap = -1; 1343 return; 1344 1345 case DLT_JUNIPER_SERVICES: 1346 off_linktype = 12; 1347 off_macpl = -1; /* L3 proto location dep. on cookie type */ 1348 off_nl = -1; /* L3 proto location dep. on cookie type */ 1349 off_nl_nosnap = -1; /* no 802.2 LLC */ 1350 return; 1351 1352 case DLT_JUNIPER_VP: 1353 off_linktype = 18; 1354 off_macpl = -1; 1355 off_nl = -1; 1356 off_nl_nosnap = -1; 1357 return; 1358 1359 case DLT_JUNIPER_ST: 1360 off_linktype = 18; 1361 off_macpl = -1; 1362 off_nl = -1; 1363 off_nl_nosnap = -1; 1364 return; 1365 1366 case DLT_JUNIPER_ISM: 1367 off_linktype = 8; 1368 off_macpl = -1; 1369 off_nl = -1; 1370 off_nl_nosnap = -1; 1371 return; 1372 1373 case DLT_JUNIPER_VS: 1374 case DLT_JUNIPER_SRX_E2E: 1375 case DLT_JUNIPER_FIBRECHANNEL: 1376 case DLT_JUNIPER_ATM_CEMIC: 1377 off_linktype = 8; 1378 off_macpl = -1; 1379 off_nl = -1; 1380 off_nl_nosnap = -1; 1381 return; 1382 1383 case DLT_MTP2: 1384 off_li = 2; 1385 off_li_hsl = 4; 1386 off_sio = 3; 1387 off_opc = 4; 1388 off_dpc = 4; 1389 off_sls = 7; 1390 off_linktype = -1; 1391 off_macpl = -1; 1392 off_nl = -1; 1393 off_nl_nosnap = -1; 1394 return; 1395 1396 case DLT_MTP2_WITH_PHDR: 1397 off_li = 6; 1398 off_li_hsl = 8; 1399 off_sio = 7; 1400 off_opc = 8; 1401 off_dpc = 8; 1402 off_sls = 11; 1403 off_linktype = -1; 1404 off_macpl = -1; 1405 off_nl = -1; 1406 off_nl_nosnap = -1; 1407 return; 1408 1409 case DLT_ERF: 1410 off_li = 22; 1411 off_li_hsl = 24; 1412 off_sio = 23; 1413 off_opc = 24; 1414 off_dpc = 24; 1415 off_sls = 27; 1416 off_linktype = -1; 1417 off_macpl = -1; 1418 off_nl = -1; 1419 off_nl_nosnap = -1; 1420 return; 1421 1422 case DLT_PFSYNC: 1423 off_linktype = -1; 1424 off_macpl = 4; 1425 off_nl = 0; 1426 off_nl_nosnap = 0; 1427 return; 1428 1429 case DLT_AX25_KISS: 1430 /* 1431 * Currently, only raw "link[N:M]" filtering is supported. 1432 */ 1433 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */ 1434 off_macpl = -1; 1435 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1436 off_nl_nosnap = -1; /* no 802.2 LLC */ 1437 off_mac = 1; /* step over the kiss length byte */ 1438 return; 1439 1440 case DLT_IPNET: 1441 off_linktype = 1; 1442 off_macpl = 24; /* ipnet header length */ 1443 off_nl = 0; 1444 off_nl_nosnap = -1; 1445 return; 1446 1447 case DLT_NETANALYZER: 1448 off_mac = 4; /* MAC header is past 4-byte pseudo-header */ 1449 off_linktype = 16; /* includes 4-byte pseudo-header */ 1450 off_macpl = 18; /* pseudo-header+Ethernet header length */ 1451 off_nl = 0; /* Ethernet II */ 1452 off_nl_nosnap = 3; /* 802.3+802.2 */ 1453 return; 1454 1455 case DLT_NETANALYZER_TRANSPARENT: 1456 off_mac = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1457 off_linktype = 24; /* includes 4-byte pseudo-header+preamble+SFD */ 1458 off_macpl = 26; /* pseudo-header+preamble+SFD+Ethernet header length */ 1459 off_nl = 0; /* Ethernet II */ 1460 off_nl_nosnap = 3; /* 802.3+802.2 */ 1461 return; 1462 1463 default: 1464 /* 1465 * For values in the range in which we've assigned new 1466 * DLT_ values, only raw "link[N:M]" filtering is supported. 1467 */ 1468 if (linktype >= DLT_MATCHING_MIN && 1469 linktype <= DLT_MATCHING_MAX) { 1470 off_linktype = -1; 1471 off_macpl = -1; 1472 off_nl = -1; 1473 off_nl_nosnap = -1; 1474 return; 1475 } 1476 1477 } 1478 bpf_error("unknown data link type %d", linktype); 1479 /* NOTREACHED */ 1480 } 1481 1482 /* 1483 * Load a value relative to the beginning of the link-layer header. 1484 * The link-layer header doesn't necessarily begin at the beginning 1485 * of the packet data; there might be a variable-length prefix containing 1486 * radio information. 1487 */ 1488 static struct slist * 1489 gen_load_llrel(offset, size) 1490 u_int offset, size; 1491 { 1492 struct slist *s, *s2; 1493 1494 s = gen_llprefixlen(); 1495 1496 /* 1497 * If "s" is non-null, it has code to arrange that the X register 1498 * contains the length of the prefix preceding the link-layer 1499 * header. 1500 * 1501 * Otherwise, the length of the prefix preceding the link-layer 1502 * header is "off_ll". 1503 */ 1504 if (s != NULL) { 1505 /* 1506 * There's a variable-length prefix preceding the 1507 * link-layer header. "s" points to a list of statements 1508 * that put the length of that prefix into the X register. 1509 * do an indirect load, to use the X register as an offset. 1510 */ 1511 s2 = new_stmt(BPF_LD|BPF_IND|size); 1512 s2->s.k = offset; 1513 sappend(s, s2); 1514 } else { 1515 /* 1516 * There is no variable-length header preceding the 1517 * link-layer header; add in off_ll, which, if there's 1518 * a fixed-length header preceding the link-layer header, 1519 * is the length of that header. 1520 */ 1521 s = new_stmt(BPF_LD|BPF_ABS|size); 1522 s->s.k = offset + off_ll; 1523 } 1524 return s; 1525 } 1526 1527 /* 1528 * Load a value relative to the beginning of the MAC-layer payload. 1529 */ 1530 static struct slist * 1531 gen_load_macplrel(offset, size) 1532 u_int offset, size; 1533 { 1534 struct slist *s, *s2; 1535 1536 s = gen_off_macpl(); 1537 1538 /* 1539 * If s is non-null, the offset of the MAC-layer payload is 1540 * variable, and s points to a list of instructions that 1541 * arrange that the X register contains that offset. 1542 * 1543 * Otherwise, the offset of the MAC-layer payload is constant, 1544 * and is in off_macpl. 1545 */ 1546 if (s != NULL) { 1547 /* 1548 * The offset of the MAC-layer payload is in the X 1549 * register. Do an indirect load, to use the X register 1550 * as an offset. 1551 */ 1552 s2 = new_stmt(BPF_LD|BPF_IND|size); 1553 s2->s.k = offset; 1554 sappend(s, s2); 1555 } else { 1556 /* 1557 * The offset of the MAC-layer payload is constant, 1558 * and is in off_macpl; load the value at that offset 1559 * plus the specified offset. 1560 */ 1561 s = new_stmt(BPF_LD|BPF_ABS|size); 1562 s->s.k = off_macpl + offset; 1563 } 1564 return s; 1565 } 1566 1567 /* 1568 * Load a value relative to the beginning of the specified header. 1569 */ 1570 static struct slist * 1571 gen_load_a(offrel, offset, size) 1572 enum e_offrel offrel; 1573 u_int offset, size; 1574 { 1575 struct slist *s, *s2; 1576 1577 switch (offrel) { 1578 1579 case OR_PACKET: 1580 s = new_stmt(BPF_LD|BPF_ABS|size); 1581 s->s.k = offset; 1582 break; 1583 1584 case OR_LINK: 1585 s = gen_load_llrel(offset, size); 1586 break; 1587 1588 case OR_MACPL: 1589 s = gen_load_macplrel(offset, size); 1590 break; 1591 1592 case OR_NET: 1593 s = gen_load_macplrel(off_nl + offset, size); 1594 break; 1595 1596 case OR_NET_NOSNAP: 1597 s = gen_load_macplrel(off_nl_nosnap + offset, size); 1598 break; 1599 1600 case OR_TRAN_IPV4: 1601 /* 1602 * Load the X register with the length of the IPv4 header 1603 * (plus the offset of the link-layer header, if it's 1604 * preceded by a variable-length header such as a radio 1605 * header), in bytes. 1606 */ 1607 s = gen_loadx_iphdrlen(); 1608 1609 /* 1610 * Load the item at {offset of the MAC-layer payload} + 1611 * {offset, relative to the start of the MAC-layer 1612 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1613 * {specified offset}. 1614 * 1615 * (If the offset of the MAC-layer payload is variable, 1616 * it's included in the value in the X register, and 1617 * off_macpl is 0.) 1618 */ 1619 s2 = new_stmt(BPF_LD|BPF_IND|size); 1620 s2->s.k = off_macpl + off_nl + offset; 1621 sappend(s, s2); 1622 break; 1623 1624 case OR_TRAN_IPV6: 1625 s = gen_load_macplrel(off_nl + 40 + offset, size); 1626 break; 1627 1628 default: 1629 abort(); 1630 return NULL; 1631 } 1632 return s; 1633 } 1634 1635 /* 1636 * Generate code to load into the X register the sum of the length of 1637 * the IPv4 header and any variable-length header preceding the link-layer 1638 * header. 1639 */ 1640 static struct slist * 1641 gen_loadx_iphdrlen() 1642 { 1643 struct slist *s, *s2; 1644 1645 s = gen_off_macpl(); 1646 if (s != NULL) { 1647 /* 1648 * There's a variable-length prefix preceding the 1649 * link-layer header, or the link-layer header is itself 1650 * variable-length. "s" points to a list of statements 1651 * that put the offset of the MAC-layer payload into 1652 * the X register. 1653 * 1654 * The 4*([k]&0xf) addressing mode can't be used, as we 1655 * don't have a constant offset, so we have to load the 1656 * value in question into the A register and add to it 1657 * the value from the X register. 1658 */ 1659 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1660 s2->s.k = off_nl; 1661 sappend(s, s2); 1662 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1663 s2->s.k = 0xf; 1664 sappend(s, s2); 1665 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1666 s2->s.k = 2; 1667 sappend(s, s2); 1668 1669 /* 1670 * The A register now contains the length of the 1671 * IP header. We need to add to it the offset of 1672 * the MAC-layer payload, which is still in the X 1673 * register, and move the result into the X register. 1674 */ 1675 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1676 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1677 } else { 1678 /* 1679 * There is no variable-length header preceding the 1680 * link-layer header, and the link-layer header is 1681 * fixed-length; load the length of the IPv4 header, 1682 * which is at an offset of off_nl from the beginning 1683 * of the MAC-layer payload, and thus at an offset 1684 * of off_mac_pl + off_nl from the beginning of the 1685 * raw packet data. 1686 */ 1687 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1688 s->s.k = off_macpl + off_nl; 1689 } 1690 return s; 1691 } 1692 1693 static struct block * 1694 gen_uncond(rsense) 1695 int rsense; 1696 { 1697 struct block *b; 1698 struct slist *s; 1699 1700 s = new_stmt(BPF_LD|BPF_IMM); 1701 s->s.k = !rsense; 1702 b = new_block(JMP(BPF_JEQ)); 1703 b->stmts = s; 1704 1705 return b; 1706 } 1707 1708 static inline struct block * 1709 gen_true() 1710 { 1711 return gen_uncond(1); 1712 } 1713 1714 static inline struct block * 1715 gen_false() 1716 { 1717 return gen_uncond(0); 1718 } 1719 1720 /* 1721 * Byte-swap a 32-bit number. 1722 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1723 * big-endian platforms.) 1724 */ 1725 #define SWAPLONG(y) \ 1726 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1727 1728 /* 1729 * Generate code to match a particular packet type. 1730 * 1731 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1732 * value, if <= ETHERMTU. We use that to determine whether to 1733 * match the type/length field or to check the type/length field for 1734 * a value <= ETHERMTU to see whether it's a type field and then do 1735 * the appropriate test. 1736 */ 1737 static struct block * 1738 gen_ether_linktype(proto) 1739 register int proto; 1740 { 1741 struct block *b0, *b1; 1742 1743 switch (proto) { 1744 1745 case LLCSAP_ISONS: 1746 case LLCSAP_IP: 1747 case LLCSAP_NETBEUI: 1748 /* 1749 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1750 * so we check the DSAP and SSAP. 1751 * 1752 * LLCSAP_IP checks for IP-over-802.2, rather 1753 * than IP-over-Ethernet or IP-over-SNAP. 1754 * 1755 * XXX - should we check both the DSAP and the 1756 * SSAP, like this, or should we check just the 1757 * DSAP, as we do for other types <= ETHERMTU 1758 * (i.e., other SAP values)? 1759 */ 1760 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1761 gen_not(b0); 1762 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1763 ((proto << 8) | proto)); 1764 gen_and(b0, b1); 1765 return b1; 1766 1767 case LLCSAP_IPX: 1768 /* 1769 * Check for; 1770 * 1771 * Ethernet_II frames, which are Ethernet 1772 * frames with a frame type of ETHERTYPE_IPX; 1773 * 1774 * Ethernet_802.3 frames, which are 802.3 1775 * frames (i.e., the type/length field is 1776 * a length field, <= ETHERMTU, rather than 1777 * a type field) with the first two bytes 1778 * after the Ethernet/802.3 header being 1779 * 0xFFFF; 1780 * 1781 * Ethernet_802.2 frames, which are 802.3 1782 * frames with an 802.2 LLC header and 1783 * with the IPX LSAP as the DSAP in the LLC 1784 * header; 1785 * 1786 * Ethernet_SNAP frames, which are 802.3 1787 * frames with an LLC header and a SNAP 1788 * header and with an OUI of 0x000000 1789 * (encapsulated Ethernet) and a protocol 1790 * ID of ETHERTYPE_IPX in the SNAP header. 1791 * 1792 * XXX - should we generate the same code both 1793 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1794 */ 1795 1796 /* 1797 * This generates code to check both for the 1798 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1799 */ 1800 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1801 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF); 1802 gen_or(b0, b1); 1803 1804 /* 1805 * Now we add code to check for SNAP frames with 1806 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1807 */ 1808 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1809 gen_or(b0, b1); 1810 1811 /* 1812 * Now we generate code to check for 802.3 1813 * frames in general. 1814 */ 1815 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1816 gen_not(b0); 1817 1818 /* 1819 * Now add the check for 802.3 frames before the 1820 * check for Ethernet_802.2 and Ethernet_802.3, 1821 * as those checks should only be done on 802.3 1822 * frames, not on Ethernet frames. 1823 */ 1824 gen_and(b0, b1); 1825 1826 /* 1827 * Now add the check for Ethernet_II frames, and 1828 * do that before checking for the other frame 1829 * types. 1830 */ 1831 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 1832 (bpf_int32)ETHERTYPE_IPX); 1833 gen_or(b0, b1); 1834 return b1; 1835 1836 case ETHERTYPE_ATALK: 1837 case ETHERTYPE_AARP: 1838 /* 1839 * EtherTalk (AppleTalk protocols on Ethernet link 1840 * layer) may use 802.2 encapsulation. 1841 */ 1842 1843 /* 1844 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1845 * we check for an Ethernet type field less than 1846 * 1500, which means it's an 802.3 length field. 1847 */ 1848 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1849 gen_not(b0); 1850 1851 /* 1852 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1853 * SNAP packets with an organization code of 1854 * 0x080007 (Apple, for Appletalk) and a protocol 1855 * type of ETHERTYPE_ATALK (Appletalk). 1856 * 1857 * 802.2-encapsulated ETHERTYPE_AARP packets are 1858 * SNAP packets with an organization code of 1859 * 0x000000 (encapsulated Ethernet) and a protocol 1860 * type of ETHERTYPE_AARP (Appletalk ARP). 1861 */ 1862 if (proto == ETHERTYPE_ATALK) 1863 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1864 else /* proto == ETHERTYPE_AARP */ 1865 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1866 gen_and(b0, b1); 1867 1868 /* 1869 * Check for Ethernet encapsulation (Ethertalk 1870 * phase 1?); we just check for the Ethernet 1871 * protocol type. 1872 */ 1873 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 1874 1875 gen_or(b0, b1); 1876 return b1; 1877 1878 default: 1879 if (proto <= ETHERMTU) { 1880 /* 1881 * This is an LLC SAP value, so the frames 1882 * that match would be 802.2 frames. 1883 * Check that the frame is an 802.2 frame 1884 * (i.e., that the length/type field is 1885 * a length field, <= ETHERMTU) and 1886 * then check the DSAP. 1887 */ 1888 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU); 1889 gen_not(b0); 1890 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B, 1891 (bpf_int32)proto); 1892 gen_and(b0, b1); 1893 return b1; 1894 } else { 1895 /* 1896 * This is an Ethernet type, so compare 1897 * the length/type field with it (if 1898 * the frame is an 802.2 frame, the length 1899 * field will be <= ETHERMTU, and, as 1900 * "proto" is > ETHERMTU, this test 1901 * will fail and the frame won't match, 1902 * which is what we want). 1903 */ 1904 return gen_cmp(OR_LINK, off_linktype, BPF_H, 1905 (bpf_int32)proto); 1906 } 1907 } 1908 } 1909 1910 /* 1911 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1912 * or IPv6 then we have an error. 1913 */ 1914 static struct block * 1915 gen_ipnet_linktype(proto) 1916 register int proto; 1917 { 1918 switch (proto) { 1919 1920 case ETHERTYPE_IP: 1921 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1922 (bpf_int32)IPH_AF_INET); 1923 /* NOTREACHED */ 1924 1925 case ETHERTYPE_IPV6: 1926 return gen_cmp(OR_LINK, off_linktype, BPF_B, 1927 (bpf_int32)IPH_AF_INET6); 1928 /* NOTREACHED */ 1929 1930 default: 1931 break; 1932 } 1933 1934 return gen_false(); 1935 } 1936 1937 /* 1938 * Generate code to match a particular packet type. 1939 * 1940 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1941 * value, if <= ETHERMTU. We use that to determine whether to 1942 * match the type field or to check the type field for the special 1943 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1944 */ 1945 static struct block * 1946 gen_linux_sll_linktype(proto) 1947 register int proto; 1948 { 1949 struct block *b0, *b1; 1950 1951 switch (proto) { 1952 1953 case LLCSAP_ISONS: 1954 case LLCSAP_IP: 1955 case LLCSAP_NETBEUI: 1956 /* 1957 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1958 * so we check the DSAP and SSAP. 1959 * 1960 * LLCSAP_IP checks for IP-over-802.2, rather 1961 * than IP-over-Ethernet or IP-over-SNAP. 1962 * 1963 * XXX - should we check both the DSAP and the 1964 * SSAP, like this, or should we check just the 1965 * DSAP, as we do for other types <= ETHERMTU 1966 * (i.e., other SAP values)? 1967 */ 1968 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 1969 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32) 1970 ((proto << 8) | proto)); 1971 gen_and(b0, b1); 1972 return b1; 1973 1974 case LLCSAP_IPX: 1975 /* 1976 * Ethernet_II frames, which are Ethernet 1977 * frames with a frame type of ETHERTYPE_IPX; 1978 * 1979 * Ethernet_802.3 frames, which have a frame 1980 * type of LINUX_SLL_P_802_3; 1981 * 1982 * Ethernet_802.2 frames, which are 802.3 1983 * frames with an 802.2 LLC header (i.e, have 1984 * a frame type of LINUX_SLL_P_802_2) and 1985 * with the IPX LSAP as the DSAP in the LLC 1986 * header; 1987 * 1988 * Ethernet_SNAP frames, which are 802.3 1989 * frames with an LLC header and a SNAP 1990 * header and with an OUI of 0x000000 1991 * (encapsulated Ethernet) and a protocol 1992 * ID of ETHERTYPE_IPX in the SNAP header. 1993 * 1994 * First, do the checks on LINUX_SLL_P_802_2 1995 * frames; generate the check for either 1996 * Ethernet_802.2 or Ethernet_SNAP frames, and 1997 * then put a check for LINUX_SLL_P_802_2 frames 1998 * before it. 1999 */ 2000 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2001 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2002 gen_or(b0, b1); 2003 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2004 gen_and(b0, b1); 2005 2006 /* 2007 * Now check for 802.3 frames and OR that with 2008 * the previous test. 2009 */ 2010 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3); 2011 gen_or(b0, b1); 2012 2013 /* 2014 * Now add the check for Ethernet_II frames, and 2015 * do that before checking for the other frame 2016 * types. 2017 */ 2018 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2019 (bpf_int32)ETHERTYPE_IPX); 2020 gen_or(b0, b1); 2021 return b1; 2022 2023 case ETHERTYPE_ATALK: 2024 case ETHERTYPE_AARP: 2025 /* 2026 * EtherTalk (AppleTalk protocols on Ethernet link 2027 * layer) may use 802.2 encapsulation. 2028 */ 2029 2030 /* 2031 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2032 * we check for the 802.2 protocol type in the 2033 * "Ethernet type" field. 2034 */ 2035 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2); 2036 2037 /* 2038 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2039 * SNAP packets with an organization code of 2040 * 0x080007 (Apple, for Appletalk) and a protocol 2041 * type of ETHERTYPE_ATALK (Appletalk). 2042 * 2043 * 802.2-encapsulated ETHERTYPE_AARP packets are 2044 * SNAP packets with an organization code of 2045 * 0x000000 (encapsulated Ethernet) and a protocol 2046 * type of ETHERTYPE_AARP (Appletalk ARP). 2047 */ 2048 if (proto == ETHERTYPE_ATALK) 2049 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2050 else /* proto == ETHERTYPE_AARP */ 2051 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2052 gen_and(b0, b1); 2053 2054 /* 2055 * Check for Ethernet encapsulation (Ethertalk 2056 * phase 1?); we just check for the Ethernet 2057 * protocol type. 2058 */ 2059 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 2060 2061 gen_or(b0, b1); 2062 return b1; 2063 2064 default: 2065 if (proto <= ETHERMTU) { 2066 /* 2067 * This is an LLC SAP value, so the frames 2068 * that match would be 802.2 frames. 2069 * Check for the 802.2 protocol type 2070 * in the "Ethernet type" field, and 2071 * then check the DSAP. 2072 */ 2073 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 2074 LINUX_SLL_P_802_2); 2075 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B, 2076 (bpf_int32)proto); 2077 gen_and(b0, b1); 2078 return b1; 2079 } else { 2080 /* 2081 * This is an Ethernet type, so compare 2082 * the length/type field with it (if 2083 * the frame is an 802.2 frame, the length 2084 * field will be <= ETHERMTU, and, as 2085 * "proto" is > ETHERMTU, this test 2086 * will fail and the frame won't match, 2087 * which is what we want). 2088 */ 2089 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2090 (bpf_int32)proto); 2091 } 2092 } 2093 } 2094 2095 static struct slist * 2096 gen_load_prism_llprefixlen() 2097 { 2098 struct slist *s1, *s2; 2099 struct slist *sjeq_avs_cookie; 2100 struct slist *sjcommon; 2101 2102 /* 2103 * This code is not compatible with the optimizer, as 2104 * we are generating jmp instructions within a normal 2105 * slist of instructions 2106 */ 2107 no_optimize = 1; 2108 2109 /* 2110 * Generate code to load the length of the radio header into 2111 * the register assigned to hold that length, if one has been 2112 * assigned. (If one hasn't been assigned, no code we've 2113 * generated uses that prefix, so we don't need to generate any 2114 * code to load it.) 2115 * 2116 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2117 * or always use the AVS header rather than the Prism header. 2118 * We load a 4-byte big-endian value at the beginning of the 2119 * raw packet data, and see whether, when masked with 0xFFFFF000, 2120 * it's equal to 0x80211000. If so, that indicates that it's 2121 * an AVS header (the masked-out bits are the version number). 2122 * Otherwise, it's a Prism header. 2123 * 2124 * XXX - the Prism header is also, in theory, variable-length, 2125 * but no known software generates headers that aren't 144 2126 * bytes long. 2127 */ 2128 if (reg_off_ll != -1) { 2129 /* 2130 * Load the cookie. 2131 */ 2132 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2133 s1->s.k = 0; 2134 2135 /* 2136 * AND it with 0xFFFFF000. 2137 */ 2138 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2139 s2->s.k = 0xFFFFF000; 2140 sappend(s1, s2); 2141 2142 /* 2143 * Compare with 0x80211000. 2144 */ 2145 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2146 sjeq_avs_cookie->s.k = 0x80211000; 2147 sappend(s1, sjeq_avs_cookie); 2148 2149 /* 2150 * If it's AVS: 2151 * 2152 * The 4 bytes at an offset of 4 from the beginning of 2153 * the AVS header are the length of the AVS header. 2154 * That field is big-endian. 2155 */ 2156 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2157 s2->s.k = 4; 2158 sappend(s1, s2); 2159 sjeq_avs_cookie->s.jt = s2; 2160 2161 /* 2162 * Now jump to the code to allocate a register 2163 * into which to save the header length and 2164 * store the length there. (The "jump always" 2165 * instruction needs to have the k field set; 2166 * it's added to the PC, so, as we're jumping 2167 * over a single instruction, it should be 1.) 2168 */ 2169 sjcommon = new_stmt(JMP(BPF_JA)); 2170 sjcommon->s.k = 1; 2171 sappend(s1, sjcommon); 2172 2173 /* 2174 * Now for the code that handles the Prism header. 2175 * Just load the length of the Prism header (144) 2176 * into the A register. Have the test for an AVS 2177 * header branch here if we don't have an AVS header. 2178 */ 2179 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2180 s2->s.k = 144; 2181 sappend(s1, s2); 2182 sjeq_avs_cookie->s.jf = s2; 2183 2184 /* 2185 * Now allocate a register to hold that value and store 2186 * it. The code for the AVS header will jump here after 2187 * loading the length of the AVS header. 2188 */ 2189 s2 = new_stmt(BPF_ST); 2190 s2->s.k = reg_off_ll; 2191 sappend(s1, s2); 2192 sjcommon->s.jf = s2; 2193 2194 /* 2195 * Now move it into the X register. 2196 */ 2197 s2 = new_stmt(BPF_MISC|BPF_TAX); 2198 sappend(s1, s2); 2199 2200 return (s1); 2201 } else 2202 return (NULL); 2203 } 2204 2205 static struct slist * 2206 gen_load_avs_llprefixlen() 2207 { 2208 struct slist *s1, *s2; 2209 2210 /* 2211 * Generate code to load the length of the AVS header into 2212 * the register assigned to hold that length, if one has been 2213 * assigned. (If one hasn't been assigned, no code we've 2214 * generated uses that prefix, so we don't need to generate any 2215 * code to load it.) 2216 */ 2217 if (reg_off_ll != -1) { 2218 /* 2219 * The 4 bytes at an offset of 4 from the beginning of 2220 * the AVS header are the length of the AVS header. 2221 * That field is big-endian. 2222 */ 2223 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2224 s1->s.k = 4; 2225 2226 /* 2227 * Now allocate a register to hold that value and store 2228 * it. 2229 */ 2230 s2 = new_stmt(BPF_ST); 2231 s2->s.k = reg_off_ll; 2232 sappend(s1, s2); 2233 2234 /* 2235 * Now move it into the X register. 2236 */ 2237 s2 = new_stmt(BPF_MISC|BPF_TAX); 2238 sappend(s1, s2); 2239 2240 return (s1); 2241 } else 2242 return (NULL); 2243 } 2244 2245 static struct slist * 2246 gen_load_radiotap_llprefixlen() 2247 { 2248 struct slist *s1, *s2; 2249 2250 /* 2251 * Generate code to load the length of the radiotap header into 2252 * the register assigned to hold that length, if one has been 2253 * assigned. (If one hasn't been assigned, no code we've 2254 * generated uses that prefix, so we don't need to generate any 2255 * code to load it.) 2256 */ 2257 if (reg_off_ll != -1) { 2258 /* 2259 * The 2 bytes at offsets of 2 and 3 from the beginning 2260 * of the radiotap header are the length of the radiotap 2261 * header; unfortunately, it's little-endian, so we have 2262 * to load it a byte at a time and construct the value. 2263 */ 2264 2265 /* 2266 * Load the high-order byte, at an offset of 3, shift it 2267 * left a byte, and put the result in the X register. 2268 */ 2269 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2270 s1->s.k = 3; 2271 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2272 sappend(s1, s2); 2273 s2->s.k = 8; 2274 s2 = new_stmt(BPF_MISC|BPF_TAX); 2275 sappend(s1, s2); 2276 2277 /* 2278 * Load the next byte, at an offset of 2, and OR the 2279 * value from the X register into it. 2280 */ 2281 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2282 sappend(s1, s2); 2283 s2->s.k = 2; 2284 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2285 sappend(s1, s2); 2286 2287 /* 2288 * Now allocate a register to hold that value and store 2289 * it. 2290 */ 2291 s2 = new_stmt(BPF_ST); 2292 s2->s.k = reg_off_ll; 2293 sappend(s1, s2); 2294 2295 /* 2296 * Now move it into the X register. 2297 */ 2298 s2 = new_stmt(BPF_MISC|BPF_TAX); 2299 sappend(s1, s2); 2300 2301 return (s1); 2302 } else 2303 return (NULL); 2304 } 2305 2306 /* 2307 * At the moment we treat PPI as normal Radiotap encoded 2308 * packets. The difference is in the function that generates 2309 * the code at the beginning to compute the header length. 2310 * Since this code generator of PPI supports bare 802.11 2311 * encapsulation only (i.e. the encapsulated DLT should be 2312 * DLT_IEEE802_11) we generate code to check for this too; 2313 * that's done in finish_parse(). 2314 */ 2315 static struct slist * 2316 gen_load_ppi_llprefixlen() 2317 { 2318 struct slist *s1, *s2; 2319 2320 /* 2321 * Generate code to load the length of the radiotap header 2322 * into the register assigned to hold that length, if one has 2323 * been assigned. 2324 */ 2325 if (reg_off_ll != -1) { 2326 /* 2327 * The 2 bytes at offsets of 2 and 3 from the beginning 2328 * of the radiotap header are the length of the radiotap 2329 * header; unfortunately, it's little-endian, so we have 2330 * to load it a byte at a time and construct the value. 2331 */ 2332 2333 /* 2334 * Load the high-order byte, at an offset of 3, shift it 2335 * left a byte, and put the result in the X register. 2336 */ 2337 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2338 s1->s.k = 3; 2339 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2340 sappend(s1, s2); 2341 s2->s.k = 8; 2342 s2 = new_stmt(BPF_MISC|BPF_TAX); 2343 sappend(s1, s2); 2344 2345 /* 2346 * Load the next byte, at an offset of 2, and OR the 2347 * value from the X register into it. 2348 */ 2349 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2350 sappend(s1, s2); 2351 s2->s.k = 2; 2352 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2353 sappend(s1, s2); 2354 2355 /* 2356 * Now allocate a register to hold that value and store 2357 * it. 2358 */ 2359 s2 = new_stmt(BPF_ST); 2360 s2->s.k = reg_off_ll; 2361 sappend(s1, s2); 2362 2363 /* 2364 * Now move it into the X register. 2365 */ 2366 s2 = new_stmt(BPF_MISC|BPF_TAX); 2367 sappend(s1, s2); 2368 2369 return (s1); 2370 } else 2371 return (NULL); 2372 } 2373 2374 /* 2375 * Load a value relative to the beginning of the link-layer header after the 802.11 2376 * header, i.e. LLC_SNAP. 2377 * The link-layer header doesn't necessarily begin at the beginning 2378 * of the packet data; there might be a variable-length prefix containing 2379 * radio information. 2380 */ 2381 static struct slist * 2382 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2383 { 2384 struct slist *s2; 2385 struct slist *sjset_data_frame_1; 2386 struct slist *sjset_data_frame_2; 2387 struct slist *sjset_qos; 2388 struct slist *sjset_radiotap_flags; 2389 struct slist *sjset_radiotap_tsft; 2390 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2391 struct slist *s_roundup; 2392 2393 if (reg_off_macpl == -1) { 2394 /* 2395 * No register has been assigned to the offset of 2396 * the MAC-layer payload, which means nobody needs 2397 * it; don't bother computing it - just return 2398 * what we already have. 2399 */ 2400 return (s); 2401 } 2402 2403 /* 2404 * This code is not compatible with the optimizer, as 2405 * we are generating jmp instructions within a normal 2406 * slist of instructions 2407 */ 2408 no_optimize = 1; 2409 2410 /* 2411 * If "s" is non-null, it has code to arrange that the X register 2412 * contains the length of the prefix preceding the link-layer 2413 * header. 2414 * 2415 * Otherwise, the length of the prefix preceding the link-layer 2416 * header is "off_ll". 2417 */ 2418 if (s == NULL) { 2419 /* 2420 * There is no variable-length header preceding the 2421 * link-layer header. 2422 * 2423 * Load the length of the fixed-length prefix preceding 2424 * the link-layer header (if any) into the X register, 2425 * and store it in the reg_off_macpl register. 2426 * That length is off_ll. 2427 */ 2428 s = new_stmt(BPF_LDX|BPF_IMM); 2429 s->s.k = off_ll; 2430 } 2431 2432 /* 2433 * The X register contains the offset of the beginning of the 2434 * link-layer header; add 24, which is the minimum length 2435 * of the MAC header for a data frame, to that, and store it 2436 * in reg_off_macpl, and then load the Frame Control field, 2437 * which is at the offset in the X register, with an indexed load. 2438 */ 2439 s2 = new_stmt(BPF_MISC|BPF_TXA); 2440 sappend(s, s2); 2441 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2442 s2->s.k = 24; 2443 sappend(s, s2); 2444 s2 = new_stmt(BPF_ST); 2445 s2->s.k = reg_off_macpl; 2446 sappend(s, s2); 2447 2448 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2449 s2->s.k = 0; 2450 sappend(s, s2); 2451 2452 /* 2453 * Check the Frame Control field to see if this is a data frame; 2454 * a data frame has the 0x08 bit (b3) in that field set and the 2455 * 0x04 bit (b2) clear. 2456 */ 2457 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2458 sjset_data_frame_1->s.k = 0x08; 2459 sappend(s, sjset_data_frame_1); 2460 2461 /* 2462 * If b3 is set, test b2, otherwise go to the first statement of 2463 * the rest of the program. 2464 */ 2465 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2466 sjset_data_frame_2->s.k = 0x04; 2467 sappend(s, sjset_data_frame_2); 2468 sjset_data_frame_1->s.jf = snext; 2469 2470 /* 2471 * If b2 is not set, this is a data frame; test the QoS bit. 2472 * Otherwise, go to the first statement of the rest of the 2473 * program. 2474 */ 2475 sjset_data_frame_2->s.jt = snext; 2476 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2477 sjset_qos->s.k = 0x80; /* QoS bit */ 2478 sappend(s, sjset_qos); 2479 2480 /* 2481 * If it's set, add 2 to reg_off_macpl, to skip the QoS 2482 * field. 2483 * Otherwise, go to the first statement of the rest of the 2484 * program. 2485 */ 2486 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2487 s2->s.k = reg_off_macpl; 2488 sappend(s, s2); 2489 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2490 s2->s.k = 2; 2491 sappend(s, s2); 2492 s2 = new_stmt(BPF_ST); 2493 s2->s.k = reg_off_macpl; 2494 sappend(s, s2); 2495 2496 /* 2497 * If we have a radiotap header, look at it to see whether 2498 * there's Atheros padding between the MAC-layer header 2499 * and the payload. 2500 * 2501 * Note: all of the fields in the radiotap header are 2502 * little-endian, so we byte-swap all of the values 2503 * we test against, as they will be loaded as big-endian 2504 * values. 2505 */ 2506 if (linktype == DLT_IEEE802_11_RADIO) { 2507 /* 2508 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2509 * in the presence flag? 2510 */ 2511 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2512 s2->s.k = 4; 2513 sappend(s, s2); 2514 2515 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2516 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2517 sappend(s, sjset_radiotap_flags); 2518 2519 /* 2520 * If not, skip all of this. 2521 */ 2522 sjset_radiotap_flags->s.jf = snext; 2523 2524 /* 2525 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2526 */ 2527 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2528 new_stmt(JMP(BPF_JSET)); 2529 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2530 sappend(s, sjset_radiotap_tsft); 2531 2532 /* 2533 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2534 * at an offset of 16 from the beginning of the raw packet 2535 * data (8 bytes for the radiotap header and 8 bytes for 2536 * the TSFT field). 2537 * 2538 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2539 * is set. 2540 */ 2541 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2542 s2->s.k = 16; 2543 sappend(s, s2); 2544 2545 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2546 sjset_tsft_datapad->s.k = 0x20; 2547 sappend(s, sjset_tsft_datapad); 2548 2549 /* 2550 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2551 * at an offset of 8 from the beginning of the raw packet 2552 * data (8 bytes for the radiotap header). 2553 * 2554 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2555 * is set. 2556 */ 2557 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2558 s2->s.k = 8; 2559 sappend(s, s2); 2560 2561 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2562 sjset_notsft_datapad->s.k = 0x20; 2563 sappend(s, sjset_notsft_datapad); 2564 2565 /* 2566 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2567 * set, round the length of the 802.11 header to 2568 * a multiple of 4. Do that by adding 3 and then 2569 * dividing by and multiplying by 4, which we do by 2570 * ANDing with ~3. 2571 */ 2572 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2573 s_roundup->s.k = reg_off_macpl; 2574 sappend(s, s_roundup); 2575 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2576 s2->s.k = 3; 2577 sappend(s, s2); 2578 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2579 s2->s.k = ~3; 2580 sappend(s, s2); 2581 s2 = new_stmt(BPF_ST); 2582 s2->s.k = reg_off_macpl; 2583 sappend(s, s2); 2584 2585 sjset_tsft_datapad->s.jt = s_roundup; 2586 sjset_tsft_datapad->s.jf = snext; 2587 sjset_notsft_datapad->s.jt = s_roundup; 2588 sjset_notsft_datapad->s.jf = snext; 2589 } else 2590 sjset_qos->s.jf = snext; 2591 2592 return s; 2593 } 2594 2595 static void 2596 insert_compute_vloffsets(b) 2597 struct block *b; 2598 { 2599 struct slist *s; 2600 2601 /* 2602 * For link-layer types that have a variable-length header 2603 * preceding the link-layer header, generate code to load 2604 * the offset of the link-layer header into the register 2605 * assigned to that offset, if any. 2606 */ 2607 switch (linktype) { 2608 2609 case DLT_PRISM_HEADER: 2610 s = gen_load_prism_llprefixlen(); 2611 break; 2612 2613 case DLT_IEEE802_11_RADIO_AVS: 2614 s = gen_load_avs_llprefixlen(); 2615 break; 2616 2617 case DLT_IEEE802_11_RADIO: 2618 s = gen_load_radiotap_llprefixlen(); 2619 break; 2620 2621 case DLT_PPI: 2622 s = gen_load_ppi_llprefixlen(); 2623 break; 2624 2625 default: 2626 s = NULL; 2627 break; 2628 } 2629 2630 /* 2631 * For link-layer types that have a variable-length link-layer 2632 * header, generate code to load the offset of the MAC-layer 2633 * payload into the register assigned to that offset, if any. 2634 */ 2635 switch (linktype) { 2636 2637 case DLT_IEEE802_11: 2638 case DLT_PRISM_HEADER: 2639 case DLT_IEEE802_11_RADIO_AVS: 2640 case DLT_IEEE802_11_RADIO: 2641 case DLT_PPI: 2642 s = gen_load_802_11_header_len(s, b->stmts); 2643 break; 2644 } 2645 2646 /* 2647 * If we have any offset-loading code, append all the 2648 * existing statements in the block to those statements, 2649 * and make the resulting list the list of statements 2650 * for the block. 2651 */ 2652 if (s != NULL) { 2653 sappend(s, b->stmts); 2654 b->stmts = s; 2655 } 2656 } 2657 2658 static struct block * 2659 gen_ppi_dlt_check(void) 2660 { 2661 struct slist *s_load_dlt; 2662 struct block *b; 2663 2664 if (linktype == DLT_PPI) 2665 { 2666 /* Create the statements that check for the DLT 2667 */ 2668 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2669 s_load_dlt->s.k = 4; 2670 2671 b = new_block(JMP(BPF_JEQ)); 2672 2673 b->stmts = s_load_dlt; 2674 b->s.k = SWAPLONG(DLT_IEEE802_11); 2675 } 2676 else 2677 { 2678 b = NULL; 2679 } 2680 2681 return b; 2682 } 2683 2684 static struct slist * 2685 gen_prism_llprefixlen(void) 2686 { 2687 struct slist *s; 2688 2689 if (reg_off_ll == -1) { 2690 /* 2691 * We haven't yet assigned a register for the length 2692 * of the radio header; allocate one. 2693 */ 2694 reg_off_ll = alloc_reg(); 2695 } 2696 2697 /* 2698 * Load the register containing the radio length 2699 * into the X register. 2700 */ 2701 s = new_stmt(BPF_LDX|BPF_MEM); 2702 s->s.k = reg_off_ll; 2703 return s; 2704 } 2705 2706 static struct slist * 2707 gen_avs_llprefixlen(void) 2708 { 2709 struct slist *s; 2710 2711 if (reg_off_ll == -1) { 2712 /* 2713 * We haven't yet assigned a register for the length 2714 * of the AVS header; allocate one. 2715 */ 2716 reg_off_ll = alloc_reg(); 2717 } 2718 2719 /* 2720 * Load the register containing the AVS length 2721 * into the X register. 2722 */ 2723 s = new_stmt(BPF_LDX|BPF_MEM); 2724 s->s.k = reg_off_ll; 2725 return s; 2726 } 2727 2728 static struct slist * 2729 gen_radiotap_llprefixlen(void) 2730 { 2731 struct slist *s; 2732 2733 if (reg_off_ll == -1) { 2734 /* 2735 * We haven't yet assigned a register for the length 2736 * of the radiotap header; allocate one. 2737 */ 2738 reg_off_ll = alloc_reg(); 2739 } 2740 2741 /* 2742 * Load the register containing the radiotap length 2743 * into the X register. 2744 */ 2745 s = new_stmt(BPF_LDX|BPF_MEM); 2746 s->s.k = reg_off_ll; 2747 return s; 2748 } 2749 2750 /* 2751 * At the moment we treat PPI as normal Radiotap encoded 2752 * packets. The difference is in the function that generates 2753 * the code at the beginning to compute the header length. 2754 * Since this code generator of PPI supports bare 802.11 2755 * encapsulation only (i.e. the encapsulated DLT should be 2756 * DLT_IEEE802_11) we generate code to check for this too. 2757 */ 2758 static struct slist * 2759 gen_ppi_llprefixlen(void) 2760 { 2761 struct slist *s; 2762 2763 if (reg_off_ll == -1) { 2764 /* 2765 * We haven't yet assigned a register for the length 2766 * of the radiotap header; allocate one. 2767 */ 2768 reg_off_ll = alloc_reg(); 2769 } 2770 2771 /* 2772 * Load the register containing the PPI length 2773 * into the X register. 2774 */ 2775 s = new_stmt(BPF_LDX|BPF_MEM); 2776 s->s.k = reg_off_ll; 2777 return s; 2778 } 2779 2780 /* 2781 * Generate code to compute the link-layer header length, if necessary, 2782 * putting it into the X register, and to return either a pointer to a 2783 * "struct slist" for the list of statements in that code, or NULL if 2784 * no code is necessary. 2785 */ 2786 static struct slist * 2787 gen_llprefixlen(void) 2788 { 2789 switch (linktype) { 2790 2791 case DLT_PRISM_HEADER: 2792 return gen_prism_llprefixlen(); 2793 2794 case DLT_IEEE802_11_RADIO_AVS: 2795 return gen_avs_llprefixlen(); 2796 2797 case DLT_IEEE802_11_RADIO: 2798 return gen_radiotap_llprefixlen(); 2799 2800 case DLT_PPI: 2801 return gen_ppi_llprefixlen(); 2802 2803 default: 2804 return NULL; 2805 } 2806 } 2807 2808 /* 2809 * Generate code to load the register containing the offset of the 2810 * MAC-layer payload into the X register; if no register for that offset 2811 * has been allocated, allocate it first. 2812 */ 2813 static struct slist * 2814 gen_off_macpl(void) 2815 { 2816 struct slist *s; 2817 2818 if (off_macpl_is_variable) { 2819 if (reg_off_macpl == -1) { 2820 /* 2821 * We haven't yet assigned a register for the offset 2822 * of the MAC-layer payload; allocate one. 2823 */ 2824 reg_off_macpl = alloc_reg(); 2825 } 2826 2827 /* 2828 * Load the register containing the offset of the MAC-layer 2829 * payload into the X register. 2830 */ 2831 s = new_stmt(BPF_LDX|BPF_MEM); 2832 s->s.k = reg_off_macpl; 2833 return s; 2834 } else { 2835 /* 2836 * That offset isn't variable, so we don't need to 2837 * generate any code. 2838 */ 2839 return NULL; 2840 } 2841 } 2842 2843 /* 2844 * Map an Ethernet type to the equivalent PPP type. 2845 */ 2846 static int 2847 ethertype_to_ppptype(proto) 2848 int proto; 2849 { 2850 switch (proto) { 2851 2852 case ETHERTYPE_IP: 2853 proto = PPP_IP; 2854 break; 2855 2856 case ETHERTYPE_IPV6: 2857 proto = PPP_IPV6; 2858 break; 2859 2860 case ETHERTYPE_DN: 2861 proto = PPP_DECNET; 2862 break; 2863 2864 case ETHERTYPE_ATALK: 2865 proto = PPP_APPLE; 2866 break; 2867 2868 case ETHERTYPE_NS: 2869 proto = PPP_NS; 2870 break; 2871 2872 case LLCSAP_ISONS: 2873 proto = PPP_OSI; 2874 break; 2875 2876 case LLCSAP_8021D: 2877 /* 2878 * I'm assuming the "Bridging PDU"s that go 2879 * over PPP are Spanning Tree Protocol 2880 * Bridging PDUs. 2881 */ 2882 proto = PPP_BRPDU; 2883 break; 2884 2885 case LLCSAP_IPX: 2886 proto = PPP_IPX; 2887 break; 2888 } 2889 return (proto); 2890 } 2891 2892 /* 2893 * Generate code to match a particular packet type by matching the 2894 * link-layer type field or fields in the 802.2 LLC header. 2895 * 2896 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2897 * value, if <= ETHERMTU. 2898 */ 2899 static struct block * 2900 gen_linktype(proto) 2901 register int proto; 2902 { 2903 struct block *b0, *b1, *b2; 2904 2905 /* are we checking MPLS-encapsulated packets? */ 2906 if (label_stack_depth > 0) { 2907 switch (proto) { 2908 case ETHERTYPE_IP: 2909 case PPP_IP: 2910 /* FIXME add other L3 proto IDs */ 2911 return gen_mpls_linktype(Q_IP); 2912 2913 case ETHERTYPE_IPV6: 2914 case PPP_IPV6: 2915 /* FIXME add other L3 proto IDs */ 2916 return gen_mpls_linktype(Q_IPV6); 2917 2918 default: 2919 bpf_error("unsupported protocol over mpls"); 2920 /* NOTREACHED */ 2921 } 2922 } 2923 2924 /* 2925 * Are we testing PPPoE packets? 2926 */ 2927 if (is_pppoes) { 2928 /* 2929 * The PPPoE session header is part of the 2930 * MAC-layer payload, so all references 2931 * should be relative to the beginning of 2932 * that payload. 2933 */ 2934 2935 /* 2936 * We use Ethernet protocol types inside libpcap; 2937 * map them to the corresponding PPP protocol types. 2938 */ 2939 proto = ethertype_to_ppptype(proto); 2940 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto); 2941 } 2942 2943 switch (linktype) { 2944 2945 case DLT_EN10MB: 2946 case DLT_NETANALYZER: 2947 case DLT_NETANALYZER_TRANSPARENT: 2948 return gen_ether_linktype(proto); 2949 /*NOTREACHED*/ 2950 break; 2951 2952 case DLT_C_HDLC: 2953 switch (proto) { 2954 2955 case LLCSAP_ISONS: 2956 proto = (proto << 8 | LLCSAP_ISONS); 2957 /* fall through */ 2958 2959 default: 2960 return gen_cmp(OR_LINK, off_linktype, BPF_H, 2961 (bpf_int32)proto); 2962 /*NOTREACHED*/ 2963 break; 2964 } 2965 break; 2966 2967 case DLT_IEEE802_11: 2968 case DLT_PRISM_HEADER: 2969 case DLT_IEEE802_11_RADIO_AVS: 2970 case DLT_IEEE802_11_RADIO: 2971 case DLT_PPI: 2972 /* 2973 * Check that we have a data frame. 2974 */ 2975 b0 = gen_check_802_11_data_frame(); 2976 2977 /* 2978 * Now check for the specified link-layer type. 2979 */ 2980 b1 = gen_llc_linktype(proto); 2981 gen_and(b0, b1); 2982 return b1; 2983 /*NOTREACHED*/ 2984 break; 2985 2986 case DLT_FDDI: 2987 /* 2988 * XXX - check for asynchronous frames, as per RFC 1103. 2989 */ 2990 return gen_llc_linktype(proto); 2991 /*NOTREACHED*/ 2992 break; 2993 2994 case DLT_IEEE802: 2995 /* 2996 * XXX - check for LLC PDUs, as per IEEE 802.5. 2997 */ 2998 return gen_llc_linktype(proto); 2999 /*NOTREACHED*/ 3000 break; 3001 3002 case DLT_ATM_RFC1483: 3003 case DLT_ATM_CLIP: 3004 case DLT_IP_OVER_FC: 3005 return gen_llc_linktype(proto); 3006 /*NOTREACHED*/ 3007 break; 3008 3009 case DLT_SUNATM: 3010 /* 3011 * If "is_lane" is set, check for a LANE-encapsulated 3012 * version of this protocol, otherwise check for an 3013 * LLC-encapsulated version of this protocol. 3014 * 3015 * We assume LANE means Ethernet, not Token Ring. 3016 */ 3017 if (is_lane) { 3018 /* 3019 * Check that the packet doesn't begin with an 3020 * LE Control marker. (We've already generated 3021 * a test for LANE.) 3022 */ 3023 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 3024 0xFF00); 3025 gen_not(b0); 3026 3027 /* 3028 * Now generate an Ethernet test. 3029 */ 3030 b1 = gen_ether_linktype(proto); 3031 gen_and(b0, b1); 3032 return b1; 3033 } else { 3034 /* 3035 * Check for LLC encapsulation and then check the 3036 * protocol. 3037 */ 3038 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 3039 b1 = gen_llc_linktype(proto); 3040 gen_and(b0, b1); 3041 return b1; 3042 } 3043 /*NOTREACHED*/ 3044 break; 3045 3046 case DLT_LINUX_SLL: 3047 return gen_linux_sll_linktype(proto); 3048 /*NOTREACHED*/ 3049 break; 3050 3051 case DLT_SLIP: 3052 case DLT_SLIP_BSDOS: 3053 case DLT_RAW: 3054 /* 3055 * These types don't provide any type field; packets 3056 * are always IPv4 or IPv6. 3057 * 3058 * XXX - for IPv4, check for a version number of 4, and, 3059 * for IPv6, check for a version number of 6? 3060 */ 3061 switch (proto) { 3062 3063 case ETHERTYPE_IP: 3064 /* Check for a version number of 4. */ 3065 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0); 3066 3067 case ETHERTYPE_IPV6: 3068 /* Check for a version number of 6. */ 3069 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0); 3070 3071 default: 3072 return gen_false(); /* always false */ 3073 } 3074 /*NOTREACHED*/ 3075 break; 3076 3077 case DLT_IPV4: 3078 /* 3079 * Raw IPv4, so no type field. 3080 */ 3081 if (proto == ETHERTYPE_IP) 3082 return gen_true(); /* always true */ 3083 3084 /* Checking for something other than IPv4; always false */ 3085 return gen_false(); 3086 /*NOTREACHED*/ 3087 break; 3088 3089 case DLT_IPV6: 3090 /* 3091 * Raw IPv6, so no type field. 3092 */ 3093 if (proto == ETHERTYPE_IPV6) 3094 return gen_true(); /* always true */ 3095 3096 /* Checking for something other than IPv6; always false */ 3097 return gen_false(); 3098 /*NOTREACHED*/ 3099 break; 3100 3101 case DLT_PPP: 3102 case DLT_PPP_PPPD: 3103 case DLT_PPP_SERIAL: 3104 case DLT_PPP_ETHER: 3105 /* 3106 * We use Ethernet protocol types inside libpcap; 3107 * map them to the corresponding PPP protocol types. 3108 */ 3109 proto = ethertype_to_ppptype(proto); 3110 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3111 /*NOTREACHED*/ 3112 break; 3113 3114 case DLT_PPP_BSDOS: 3115 /* 3116 * We use Ethernet protocol types inside libpcap; 3117 * map them to the corresponding PPP protocol types. 3118 */ 3119 switch (proto) { 3120 3121 case ETHERTYPE_IP: 3122 /* 3123 * Also check for Van Jacobson-compressed IP. 3124 * XXX - do this for other forms of PPP? 3125 */ 3126 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP); 3127 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC); 3128 gen_or(b0, b1); 3129 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC); 3130 gen_or(b1, b0); 3131 return b0; 3132 3133 default: 3134 proto = ethertype_to_ppptype(proto); 3135 return gen_cmp(OR_LINK, off_linktype, BPF_H, 3136 (bpf_int32)proto); 3137 } 3138 /*NOTREACHED*/ 3139 break; 3140 3141 case DLT_NULL: 3142 case DLT_LOOP: 3143 case DLT_ENC: 3144 /* 3145 * For DLT_NULL, the link-layer header is a 32-bit 3146 * word containing an AF_ value in *host* byte order, 3147 * and for DLT_ENC, the link-layer header begins 3148 * with a 32-bit work containing an AF_ value in 3149 * host byte order. 3150 * 3151 * In addition, if we're reading a saved capture file, 3152 * the host byte order in the capture may not be the 3153 * same as the host byte order on this machine. 3154 * 3155 * For DLT_LOOP, the link-layer header is a 32-bit 3156 * word containing an AF_ value in *network* byte order. 3157 * 3158 * XXX - AF_ values may, unfortunately, be platform- 3159 * dependent; for example, FreeBSD's AF_INET6 is 24 3160 * whilst NetBSD's and OpenBSD's is 26. 3161 * 3162 * This means that, when reading a capture file, just 3163 * checking for our AF_INET6 value won't work if the 3164 * capture file came from another OS. 3165 */ 3166 switch (proto) { 3167 3168 case ETHERTYPE_IP: 3169 proto = AF_INET; 3170 break; 3171 3172 #ifdef INET6 3173 case ETHERTYPE_IPV6: 3174 proto = AF_INET6; 3175 break; 3176 #endif 3177 3178 default: 3179 /* 3180 * Not a type on which we support filtering. 3181 * XXX - support those that have AF_ values 3182 * #defined on this platform, at least? 3183 */ 3184 return gen_false(); 3185 } 3186 3187 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3188 /* 3189 * The AF_ value is in host byte order, but 3190 * the BPF interpreter will convert it to 3191 * network byte order. 3192 * 3193 * If this is a save file, and it's from a 3194 * machine with the opposite byte order to 3195 * ours, we byte-swap the AF_ value. 3196 * 3197 * Then we run it through "htonl()", and 3198 * generate code to compare against the result. 3199 */ 3200 if (bpf_pcap->rfile != NULL && bpf_pcap->swapped) 3201 proto = SWAPLONG(proto); 3202 proto = htonl(proto); 3203 } 3204 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto)); 3205 3206 #ifdef HAVE_NET_PFVAR_H 3207 case DLT_PFLOG: 3208 /* 3209 * af field is host byte order in contrast to the rest of 3210 * the packet. 3211 */ 3212 if (proto == ETHERTYPE_IP) 3213 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3214 BPF_B, (bpf_int32)AF_INET)); 3215 else if (proto == ETHERTYPE_IPV6) 3216 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af), 3217 BPF_B, (bpf_int32)AF_INET6)); 3218 else 3219 return gen_false(); 3220 /*NOTREACHED*/ 3221 break; 3222 #endif /* HAVE_NET_PFVAR_H */ 3223 3224 case DLT_ARCNET: 3225 case DLT_ARCNET_LINUX: 3226 /* 3227 * XXX should we check for first fragment if the protocol 3228 * uses PHDS? 3229 */ 3230 switch (proto) { 3231 3232 default: 3233 return gen_false(); 3234 3235 case ETHERTYPE_IPV6: 3236 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3237 (bpf_int32)ARCTYPE_INET6)); 3238 3239 case ETHERTYPE_IP: 3240 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3241 (bpf_int32)ARCTYPE_IP); 3242 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3243 (bpf_int32)ARCTYPE_IP_OLD); 3244 gen_or(b0, b1); 3245 return (b1); 3246 3247 case ETHERTYPE_ARP: 3248 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3249 (bpf_int32)ARCTYPE_ARP); 3250 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B, 3251 (bpf_int32)ARCTYPE_ARP_OLD); 3252 gen_or(b0, b1); 3253 return (b1); 3254 3255 case ETHERTYPE_REVARP: 3256 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3257 (bpf_int32)ARCTYPE_REVARP)); 3258 3259 case ETHERTYPE_ATALK: 3260 return (gen_cmp(OR_LINK, off_linktype, BPF_B, 3261 (bpf_int32)ARCTYPE_ATALK)); 3262 } 3263 /*NOTREACHED*/ 3264 break; 3265 3266 case DLT_LTALK: 3267 switch (proto) { 3268 case ETHERTYPE_ATALK: 3269 return gen_true(); 3270 default: 3271 return gen_false(); 3272 } 3273 /*NOTREACHED*/ 3274 break; 3275 3276 case DLT_FRELAY: 3277 /* 3278 * XXX - assumes a 2-byte Frame Relay header with 3279 * DLCI and flags. What if the address is longer? 3280 */ 3281 switch (proto) { 3282 3283 case ETHERTYPE_IP: 3284 /* 3285 * Check for the special NLPID for IP. 3286 */ 3287 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc); 3288 3289 case ETHERTYPE_IPV6: 3290 /* 3291 * Check for the special NLPID for IPv6. 3292 */ 3293 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e); 3294 3295 case LLCSAP_ISONS: 3296 /* 3297 * Check for several OSI protocols. 3298 * 3299 * Frame Relay packets typically have an OSI 3300 * NLPID at the beginning; we check for each 3301 * of them. 3302 * 3303 * What we check for is the NLPID and a frame 3304 * control field of UI, i.e. 0x03 followed 3305 * by the NLPID. 3306 */ 3307 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3308 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3309 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3310 gen_or(b1, b2); 3311 gen_or(b0, b2); 3312 return b2; 3313 3314 default: 3315 return gen_false(); 3316 } 3317 /*NOTREACHED*/ 3318 break; 3319 3320 case DLT_MFR: 3321 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3322 3323 case DLT_JUNIPER_MFR: 3324 case DLT_JUNIPER_MLFR: 3325 case DLT_JUNIPER_MLPPP: 3326 case DLT_JUNIPER_ATM1: 3327 case DLT_JUNIPER_ATM2: 3328 case DLT_JUNIPER_PPPOE: 3329 case DLT_JUNIPER_PPPOE_ATM: 3330 case DLT_JUNIPER_GGSN: 3331 case DLT_JUNIPER_ES: 3332 case DLT_JUNIPER_MONITOR: 3333 case DLT_JUNIPER_SERVICES: 3334 case DLT_JUNIPER_ETHER: 3335 case DLT_JUNIPER_PPP: 3336 case DLT_JUNIPER_FRELAY: 3337 case DLT_JUNIPER_CHDLC: 3338 case DLT_JUNIPER_VP: 3339 case DLT_JUNIPER_ST: 3340 case DLT_JUNIPER_ISM: 3341 case DLT_JUNIPER_VS: 3342 case DLT_JUNIPER_SRX_E2E: 3343 case DLT_JUNIPER_FIBRECHANNEL: 3344 case DLT_JUNIPER_ATM_CEMIC: 3345 3346 /* just lets verify the magic number for now - 3347 * on ATM we may have up to 6 different encapsulations on the wire 3348 * and need a lot of heuristics to figure out that the payload 3349 * might be; 3350 * 3351 * FIXME encapsulation specific BPF_ filters 3352 */ 3353 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3354 3355 case DLT_BACNET_MS_TP: 3356 return gen_mcmp(OR_LINK, 0, BPF_W, 0x55FF0000, 0xffff0000); 3357 3358 case DLT_IPNET: 3359 return gen_ipnet_linktype(proto); 3360 3361 case DLT_LINUX_IRDA: 3362 bpf_error("IrDA link-layer type filtering not implemented"); 3363 3364 case DLT_DOCSIS: 3365 bpf_error("DOCSIS link-layer type filtering not implemented"); 3366 3367 case DLT_MTP2: 3368 case DLT_MTP2_WITH_PHDR: 3369 bpf_error("MTP2 link-layer type filtering not implemented"); 3370 3371 case DLT_ERF: 3372 bpf_error("ERF link-layer type filtering not implemented"); 3373 3374 case DLT_PFSYNC: 3375 bpf_error("PFSYNC link-layer type filtering not implemented"); 3376 3377 case DLT_LINUX_LAPD: 3378 bpf_error("LAPD link-layer type filtering not implemented"); 3379 3380 case DLT_USB: 3381 case DLT_USB_LINUX: 3382 case DLT_USB_LINUX_MMAPPED: 3383 bpf_error("USB link-layer type filtering not implemented"); 3384 3385 case DLT_BLUETOOTH_HCI_H4: 3386 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3387 bpf_error("Bluetooth link-layer type filtering not implemented"); 3388 3389 case DLT_CAN20B: 3390 case DLT_CAN_SOCKETCAN: 3391 bpf_error("CAN link-layer type filtering not implemented"); 3392 3393 case DLT_IEEE802_15_4: 3394 case DLT_IEEE802_15_4_LINUX: 3395 case DLT_IEEE802_15_4_NONASK_PHY: 3396 case DLT_IEEE802_15_4_NOFCS: 3397 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3398 3399 case DLT_IEEE802_16_MAC_CPS_RADIO: 3400 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3401 3402 case DLT_SITA: 3403 bpf_error("SITA link-layer type filtering not implemented"); 3404 3405 case DLT_RAIF1: 3406 bpf_error("RAIF1 link-layer type filtering not implemented"); 3407 3408 case DLT_IPMB: 3409 bpf_error("IPMB link-layer type filtering not implemented"); 3410 3411 case DLT_AX25_KISS: 3412 bpf_error("AX.25 link-layer type filtering not implemented"); 3413 } 3414 3415 /* 3416 * All the types that have no encapsulation should either be 3417 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if 3418 * all packets are IP packets, or should be handled in some 3419 * special case, if none of them are (if some are and some 3420 * aren't, the lack of encapsulation is a problem, as we'd 3421 * have to find some other way of determining the packet type). 3422 * 3423 * Therefore, if "off_linktype" is -1, there's an error. 3424 */ 3425 if (off_linktype == (u_int)-1) 3426 abort(); 3427 3428 /* 3429 * Any type not handled above should always have an Ethernet 3430 * type at an offset of "off_linktype". 3431 */ 3432 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto); 3433 } 3434 3435 /* 3436 * Check for an LLC SNAP packet with a given organization code and 3437 * protocol type; we check the entire contents of the 802.2 LLC and 3438 * snap headers, checking for DSAP and SSAP of SNAP and a control 3439 * field of 0x03 in the LLC header, and for the specified organization 3440 * code and protocol type in the SNAP header. 3441 */ 3442 static struct block * 3443 gen_snap(orgcode, ptype) 3444 bpf_u_int32 orgcode; 3445 bpf_u_int32 ptype; 3446 { 3447 u_char snapblock[8]; 3448 3449 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3450 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3451 snapblock[2] = 0x03; /* control = UI */ 3452 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3453 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3454 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3455 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3456 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3457 return gen_bcmp(OR_MACPL, 0, 8, snapblock); 3458 } 3459 3460 /* 3461 * Generate code to match a particular packet type, for link-layer types 3462 * using 802.2 LLC headers. 3463 * 3464 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3465 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3466 * 3467 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3468 * value, if <= ETHERMTU. We use that to determine whether to 3469 * match the DSAP or both DSAP and LSAP or to check the OUI and 3470 * protocol ID in a SNAP header. 3471 */ 3472 static struct block * 3473 gen_llc_linktype(proto) 3474 int proto; 3475 { 3476 /* 3477 * XXX - handle token-ring variable-length header. 3478 */ 3479 switch (proto) { 3480 3481 case LLCSAP_IP: 3482 case LLCSAP_ISONS: 3483 case LLCSAP_NETBEUI: 3484 /* 3485 * XXX - should we check both the DSAP and the 3486 * SSAP, like this, or should we check just the 3487 * DSAP, as we do for other types <= ETHERMTU 3488 * (i.e., other SAP values)? 3489 */ 3490 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32) 3491 ((proto << 8) | proto)); 3492 3493 case LLCSAP_IPX: 3494 /* 3495 * XXX - are there ever SNAP frames for IPX on 3496 * non-Ethernet 802.x networks? 3497 */ 3498 return gen_cmp(OR_MACPL, 0, BPF_B, 3499 (bpf_int32)LLCSAP_IPX); 3500 3501 case ETHERTYPE_ATALK: 3502 /* 3503 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3504 * SNAP packets with an organization code of 3505 * 0x080007 (Apple, for Appletalk) and a protocol 3506 * type of ETHERTYPE_ATALK (Appletalk). 3507 * 3508 * XXX - check for an organization code of 3509 * encapsulated Ethernet as well? 3510 */ 3511 return gen_snap(0x080007, ETHERTYPE_ATALK); 3512 3513 default: 3514 /* 3515 * XXX - we don't have to check for IPX 802.3 3516 * here, but should we check for the IPX Ethertype? 3517 */ 3518 if (proto <= ETHERMTU) { 3519 /* 3520 * This is an LLC SAP value, so check 3521 * the DSAP. 3522 */ 3523 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto); 3524 } else { 3525 /* 3526 * This is an Ethernet type; we assume that it's 3527 * unlikely that it'll appear in the right place 3528 * at random, and therefore check only the 3529 * location that would hold the Ethernet type 3530 * in a SNAP frame with an organization code of 3531 * 0x000000 (encapsulated Ethernet). 3532 * 3533 * XXX - if we were to check for the SNAP DSAP and 3534 * LSAP, as per XXX, and were also to check for an 3535 * organization code of 0x000000 (encapsulated 3536 * Ethernet), we'd do 3537 * 3538 * return gen_snap(0x000000, proto); 3539 * 3540 * here; for now, we don't, as per the above. 3541 * I don't know whether it's worth the extra CPU 3542 * time to do the right check or not. 3543 */ 3544 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto); 3545 } 3546 } 3547 } 3548 3549 static struct block * 3550 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3551 bpf_u_int32 addr; 3552 bpf_u_int32 mask; 3553 int dir, proto; 3554 u_int src_off, dst_off; 3555 { 3556 struct block *b0, *b1; 3557 u_int offset; 3558 3559 switch (dir) { 3560 3561 case Q_SRC: 3562 offset = src_off; 3563 break; 3564 3565 case Q_DST: 3566 offset = dst_off; 3567 break; 3568 3569 case Q_AND: 3570 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3571 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3572 gen_and(b0, b1); 3573 return b1; 3574 3575 case Q_OR: 3576 case Q_DEFAULT: 3577 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3578 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3579 gen_or(b0, b1); 3580 return b1; 3581 3582 default: 3583 abort(); 3584 } 3585 b0 = gen_linktype(proto); 3586 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask); 3587 gen_and(b0, b1); 3588 return b1; 3589 } 3590 3591 #ifdef INET6 3592 static struct block * 3593 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3594 struct in6_addr *addr; 3595 struct in6_addr *mask; 3596 int dir, proto; 3597 u_int src_off, dst_off; 3598 { 3599 struct block *b0, *b1; 3600 u_int offset; 3601 u_int32_t *a, *m; 3602 3603 switch (dir) { 3604 3605 case Q_SRC: 3606 offset = src_off; 3607 break; 3608 3609 case Q_DST: 3610 offset = dst_off; 3611 break; 3612 3613 case Q_AND: 3614 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3615 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3616 gen_and(b0, b1); 3617 return b1; 3618 3619 case Q_OR: 3620 case Q_DEFAULT: 3621 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3622 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3623 gen_or(b0, b1); 3624 return b1; 3625 3626 default: 3627 abort(); 3628 } 3629 /* this order is important */ 3630 a = (u_int32_t *)addr; 3631 m = (u_int32_t *)mask; 3632 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3633 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3634 gen_and(b0, b1); 3635 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3636 gen_and(b0, b1); 3637 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3638 gen_and(b0, b1); 3639 b0 = gen_linktype(proto); 3640 gen_and(b0, b1); 3641 return b1; 3642 } 3643 #endif 3644 3645 static struct block * 3646 gen_ehostop(eaddr, dir) 3647 register const u_char *eaddr; 3648 register int dir; 3649 { 3650 register struct block *b0, *b1; 3651 3652 switch (dir) { 3653 case Q_SRC: 3654 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr); 3655 3656 case Q_DST: 3657 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr); 3658 3659 case Q_AND: 3660 b0 = gen_ehostop(eaddr, Q_SRC); 3661 b1 = gen_ehostop(eaddr, Q_DST); 3662 gen_and(b0, b1); 3663 return b1; 3664 3665 case Q_DEFAULT: 3666 case Q_OR: 3667 b0 = gen_ehostop(eaddr, Q_SRC); 3668 b1 = gen_ehostop(eaddr, Q_DST); 3669 gen_or(b0, b1); 3670 return b1; 3671 3672 case Q_ADDR1: 3673 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3674 break; 3675 3676 case Q_ADDR2: 3677 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3678 break; 3679 3680 case Q_ADDR3: 3681 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3682 break; 3683 3684 case Q_ADDR4: 3685 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3686 break; 3687 3688 case Q_RA: 3689 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3690 break; 3691 3692 case Q_TA: 3693 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3694 break; 3695 } 3696 abort(); 3697 /* NOTREACHED */ 3698 } 3699 3700 /* 3701 * Like gen_ehostop, but for DLT_FDDI 3702 */ 3703 static struct block * 3704 gen_fhostop(eaddr, dir) 3705 register const u_char *eaddr; 3706 register int dir; 3707 { 3708 struct block *b0, *b1; 3709 3710 switch (dir) { 3711 case Q_SRC: 3712 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr); 3713 3714 case Q_DST: 3715 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr); 3716 3717 case Q_AND: 3718 b0 = gen_fhostop(eaddr, Q_SRC); 3719 b1 = gen_fhostop(eaddr, Q_DST); 3720 gen_and(b0, b1); 3721 return b1; 3722 3723 case Q_DEFAULT: 3724 case Q_OR: 3725 b0 = gen_fhostop(eaddr, Q_SRC); 3726 b1 = gen_fhostop(eaddr, Q_DST); 3727 gen_or(b0, b1); 3728 return b1; 3729 3730 case Q_ADDR1: 3731 bpf_error("'addr1' is only supported on 802.11"); 3732 break; 3733 3734 case Q_ADDR2: 3735 bpf_error("'addr2' is only supported on 802.11"); 3736 break; 3737 3738 case Q_ADDR3: 3739 bpf_error("'addr3' is only supported on 802.11"); 3740 break; 3741 3742 case Q_ADDR4: 3743 bpf_error("'addr4' is only supported on 802.11"); 3744 break; 3745 3746 case Q_RA: 3747 bpf_error("'ra' is only supported on 802.11"); 3748 break; 3749 3750 case Q_TA: 3751 bpf_error("'ta' is only supported on 802.11"); 3752 break; 3753 } 3754 abort(); 3755 /* NOTREACHED */ 3756 } 3757 3758 /* 3759 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3760 */ 3761 static struct block * 3762 gen_thostop(eaddr, dir) 3763 register const u_char *eaddr; 3764 register int dir; 3765 { 3766 register struct block *b0, *b1; 3767 3768 switch (dir) { 3769 case Q_SRC: 3770 return gen_bcmp(OR_LINK, 8, 6, eaddr); 3771 3772 case Q_DST: 3773 return gen_bcmp(OR_LINK, 2, 6, eaddr); 3774 3775 case Q_AND: 3776 b0 = gen_thostop(eaddr, Q_SRC); 3777 b1 = gen_thostop(eaddr, Q_DST); 3778 gen_and(b0, b1); 3779 return b1; 3780 3781 case Q_DEFAULT: 3782 case Q_OR: 3783 b0 = gen_thostop(eaddr, Q_SRC); 3784 b1 = gen_thostop(eaddr, Q_DST); 3785 gen_or(b0, b1); 3786 return b1; 3787 3788 case Q_ADDR1: 3789 bpf_error("'addr1' is only supported on 802.11"); 3790 break; 3791 3792 case Q_ADDR2: 3793 bpf_error("'addr2' is only supported on 802.11"); 3794 break; 3795 3796 case Q_ADDR3: 3797 bpf_error("'addr3' is only supported on 802.11"); 3798 break; 3799 3800 case Q_ADDR4: 3801 bpf_error("'addr4' is only supported on 802.11"); 3802 break; 3803 3804 case Q_RA: 3805 bpf_error("'ra' is only supported on 802.11"); 3806 break; 3807 3808 case Q_TA: 3809 bpf_error("'ta' is only supported on 802.11"); 3810 break; 3811 } 3812 abort(); 3813 /* NOTREACHED */ 3814 } 3815 3816 /* 3817 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3818 * various 802.11 + radio headers. 3819 */ 3820 static struct block * 3821 gen_wlanhostop(eaddr, dir) 3822 register const u_char *eaddr; 3823 register int dir; 3824 { 3825 register struct block *b0, *b1, *b2; 3826 register struct slist *s; 3827 3828 #ifdef ENABLE_WLAN_FILTERING_PATCH 3829 /* 3830 * TODO GV 20070613 3831 * We need to disable the optimizer because the optimizer is buggy 3832 * and wipes out some LD instructions generated by the below 3833 * code to validate the Frame Control bits 3834 */ 3835 no_optimize = 1; 3836 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3837 3838 switch (dir) { 3839 case Q_SRC: 3840 /* 3841 * Oh, yuk. 3842 * 3843 * For control frames, there is no SA. 3844 * 3845 * For management frames, SA is at an 3846 * offset of 10 from the beginning of 3847 * the packet. 3848 * 3849 * For data frames, SA is at an offset 3850 * of 10 from the beginning of the packet 3851 * if From DS is clear, at an offset of 3852 * 16 from the beginning of the packet 3853 * if From DS is set and To DS is clear, 3854 * and an offset of 24 from the beginning 3855 * of the packet if From DS is set and To DS 3856 * is set. 3857 */ 3858 3859 /* 3860 * Generate the tests to be done for data frames 3861 * with From DS set. 3862 * 3863 * First, check for To DS set, i.e. check "link[1] & 0x01". 3864 */ 3865 s = gen_load_a(OR_LINK, 1, BPF_B); 3866 b1 = new_block(JMP(BPF_JSET)); 3867 b1->s.k = 0x01; /* To DS */ 3868 b1->stmts = s; 3869 3870 /* 3871 * If To DS is set, the SA is at 24. 3872 */ 3873 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr); 3874 gen_and(b1, b0); 3875 3876 /* 3877 * Now, check for To DS not set, i.e. check 3878 * "!(link[1] & 0x01)". 3879 */ 3880 s = gen_load_a(OR_LINK, 1, BPF_B); 3881 b2 = new_block(JMP(BPF_JSET)); 3882 b2->s.k = 0x01; /* To DS */ 3883 b2->stmts = s; 3884 gen_not(b2); 3885 3886 /* 3887 * If To DS is not set, the SA is at 16. 3888 */ 3889 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 3890 gen_and(b2, b1); 3891 3892 /* 3893 * Now OR together the last two checks. That gives 3894 * the complete set of checks for data frames with 3895 * From DS set. 3896 */ 3897 gen_or(b1, b0); 3898 3899 /* 3900 * Now check for From DS being set, and AND that with 3901 * the ORed-together checks. 3902 */ 3903 s = gen_load_a(OR_LINK, 1, BPF_B); 3904 b1 = new_block(JMP(BPF_JSET)); 3905 b1->s.k = 0x02; /* From DS */ 3906 b1->stmts = s; 3907 gen_and(b1, b0); 3908 3909 /* 3910 * Now check for data frames with From DS not set. 3911 */ 3912 s = gen_load_a(OR_LINK, 1, BPF_B); 3913 b2 = new_block(JMP(BPF_JSET)); 3914 b2->s.k = 0x02; /* From DS */ 3915 b2->stmts = s; 3916 gen_not(b2); 3917 3918 /* 3919 * If From DS isn't set, the SA is at 10. 3920 */ 3921 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3922 gen_and(b2, b1); 3923 3924 /* 3925 * Now OR together the checks for data frames with 3926 * From DS not set and for data frames with From DS 3927 * set; that gives the checks done for data frames. 3928 */ 3929 gen_or(b1, b0); 3930 3931 /* 3932 * Now check for a data frame. 3933 * I.e, check "link[0] & 0x08". 3934 */ 3935 s = gen_load_a(OR_LINK, 0, BPF_B); 3936 b1 = new_block(JMP(BPF_JSET)); 3937 b1->s.k = 0x08; 3938 b1->stmts = s; 3939 3940 /* 3941 * AND that with the checks done for data frames. 3942 */ 3943 gen_and(b1, b0); 3944 3945 /* 3946 * If the high-order bit of the type value is 0, this 3947 * is a management frame. 3948 * I.e, check "!(link[0] & 0x08)". 3949 */ 3950 s = gen_load_a(OR_LINK, 0, BPF_B); 3951 b2 = new_block(JMP(BPF_JSET)); 3952 b2->s.k = 0x08; 3953 b2->stmts = s; 3954 gen_not(b2); 3955 3956 /* 3957 * For management frames, the SA is at 10. 3958 */ 3959 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 3960 gen_and(b2, b1); 3961 3962 /* 3963 * OR that with the checks done for data frames. 3964 * That gives the checks done for management and 3965 * data frames. 3966 */ 3967 gen_or(b1, b0); 3968 3969 /* 3970 * If the low-order bit of the type value is 1, 3971 * this is either a control frame or a frame 3972 * with a reserved type, and thus not a 3973 * frame with an SA. 3974 * 3975 * I.e., check "!(link[0] & 0x04)". 3976 */ 3977 s = gen_load_a(OR_LINK, 0, BPF_B); 3978 b1 = new_block(JMP(BPF_JSET)); 3979 b1->s.k = 0x04; 3980 b1->stmts = s; 3981 gen_not(b1); 3982 3983 /* 3984 * AND that with the checks for data and management 3985 * frames. 3986 */ 3987 gen_and(b1, b0); 3988 return b0; 3989 3990 case Q_DST: 3991 /* 3992 * Oh, yuk. 3993 * 3994 * For control frames, there is no DA. 3995 * 3996 * For management frames, DA is at an 3997 * offset of 4 from the beginning of 3998 * the packet. 3999 * 4000 * For data frames, DA is at an offset 4001 * of 4 from the beginning of the packet 4002 * if To DS is clear and at an offset of 4003 * 16 from the beginning of the packet 4004 * if To DS is set. 4005 */ 4006 4007 /* 4008 * Generate the tests to be done for data frames. 4009 * 4010 * First, check for To DS set, i.e. "link[1] & 0x01". 4011 */ 4012 s = gen_load_a(OR_LINK, 1, BPF_B); 4013 b1 = new_block(JMP(BPF_JSET)); 4014 b1->s.k = 0x01; /* To DS */ 4015 b1->stmts = s; 4016 4017 /* 4018 * If To DS is set, the DA is at 16. 4019 */ 4020 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4021 gen_and(b1, b0); 4022 4023 /* 4024 * Now, check for To DS not set, i.e. check 4025 * "!(link[1] & 0x01)". 4026 */ 4027 s = gen_load_a(OR_LINK, 1, BPF_B); 4028 b2 = new_block(JMP(BPF_JSET)); 4029 b2->s.k = 0x01; /* To DS */ 4030 b2->stmts = s; 4031 gen_not(b2); 4032 4033 /* 4034 * If To DS is not set, the DA is at 4. 4035 */ 4036 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4037 gen_and(b2, b1); 4038 4039 /* 4040 * Now OR together the last two checks. That gives 4041 * the complete set of checks for data frames. 4042 */ 4043 gen_or(b1, b0); 4044 4045 /* 4046 * Now check for a data frame. 4047 * I.e, check "link[0] & 0x08". 4048 */ 4049 s = gen_load_a(OR_LINK, 0, BPF_B); 4050 b1 = new_block(JMP(BPF_JSET)); 4051 b1->s.k = 0x08; 4052 b1->stmts = s; 4053 4054 /* 4055 * AND that with the checks done for data frames. 4056 */ 4057 gen_and(b1, b0); 4058 4059 /* 4060 * If the high-order bit of the type value is 0, this 4061 * is a management frame. 4062 * I.e, check "!(link[0] & 0x08)". 4063 */ 4064 s = gen_load_a(OR_LINK, 0, BPF_B); 4065 b2 = new_block(JMP(BPF_JSET)); 4066 b2->s.k = 0x08; 4067 b2->stmts = s; 4068 gen_not(b2); 4069 4070 /* 4071 * For management frames, the DA is at 4. 4072 */ 4073 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4074 gen_and(b2, b1); 4075 4076 /* 4077 * OR that with the checks done for data frames. 4078 * That gives the checks done for management and 4079 * data frames. 4080 */ 4081 gen_or(b1, b0); 4082 4083 /* 4084 * If the low-order bit of the type value is 1, 4085 * this is either a control frame or a frame 4086 * with a reserved type, and thus not a 4087 * frame with an SA. 4088 * 4089 * I.e., check "!(link[0] & 0x04)". 4090 */ 4091 s = gen_load_a(OR_LINK, 0, BPF_B); 4092 b1 = new_block(JMP(BPF_JSET)); 4093 b1->s.k = 0x04; 4094 b1->stmts = s; 4095 gen_not(b1); 4096 4097 /* 4098 * AND that with the checks for data and management 4099 * frames. 4100 */ 4101 gen_and(b1, b0); 4102 return b0; 4103 4104 case Q_RA: 4105 /* 4106 * Not present in management frames; addr1 in other 4107 * frames. 4108 */ 4109 4110 /* 4111 * If the high-order bit of the type value is 0, this 4112 * is a management frame. 4113 * I.e, check "(link[0] & 0x08)". 4114 */ 4115 s = gen_load_a(OR_LINK, 0, BPF_B); 4116 b1 = new_block(JMP(BPF_JSET)); 4117 b1->s.k = 0x08; 4118 b1->stmts = s; 4119 4120 /* 4121 * Check addr1. 4122 */ 4123 b0 = gen_bcmp(OR_LINK, 4, 6, eaddr); 4124 4125 /* 4126 * AND that with the check of addr1. 4127 */ 4128 gen_and(b1, b0); 4129 return (b0); 4130 4131 case Q_TA: 4132 /* 4133 * Not present in management frames; addr2, if present, 4134 * in other frames. 4135 */ 4136 4137 /* 4138 * Not present in CTS or ACK control frames. 4139 */ 4140 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4141 IEEE80211_FC0_TYPE_MASK); 4142 gen_not(b0); 4143 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4144 IEEE80211_FC0_SUBTYPE_MASK); 4145 gen_not(b1); 4146 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4147 IEEE80211_FC0_SUBTYPE_MASK); 4148 gen_not(b2); 4149 gen_and(b1, b2); 4150 gen_or(b0, b2); 4151 4152 /* 4153 * If the high-order bit of the type value is 0, this 4154 * is a management frame. 4155 * I.e, check "(link[0] & 0x08)". 4156 */ 4157 s = gen_load_a(OR_LINK, 0, BPF_B); 4158 b1 = new_block(JMP(BPF_JSET)); 4159 b1->s.k = 0x08; 4160 b1->stmts = s; 4161 4162 /* 4163 * AND that with the check for frames other than 4164 * CTS and ACK frames. 4165 */ 4166 gen_and(b1, b2); 4167 4168 /* 4169 * Check addr2. 4170 */ 4171 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4172 gen_and(b2, b1); 4173 return b1; 4174 4175 /* 4176 * XXX - add BSSID keyword? 4177 */ 4178 case Q_ADDR1: 4179 return (gen_bcmp(OR_LINK, 4, 6, eaddr)); 4180 4181 case Q_ADDR2: 4182 /* 4183 * Not present in CTS or ACK control frames. 4184 */ 4185 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4186 IEEE80211_FC0_TYPE_MASK); 4187 gen_not(b0); 4188 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4189 IEEE80211_FC0_SUBTYPE_MASK); 4190 gen_not(b1); 4191 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4192 IEEE80211_FC0_SUBTYPE_MASK); 4193 gen_not(b2); 4194 gen_and(b1, b2); 4195 gen_or(b0, b2); 4196 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr); 4197 gen_and(b2, b1); 4198 return b1; 4199 4200 case Q_ADDR3: 4201 /* 4202 * Not present in control frames. 4203 */ 4204 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4205 IEEE80211_FC0_TYPE_MASK); 4206 gen_not(b0); 4207 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr); 4208 gen_and(b0, b1); 4209 return b1; 4210 4211 case Q_ADDR4: 4212 /* 4213 * Present only if the direction mask has both "From DS" 4214 * and "To DS" set. Neither control frames nor management 4215 * frames should have both of those set, so we don't 4216 * check the frame type. 4217 */ 4218 b0 = gen_mcmp(OR_LINK, 1, BPF_B, 4219 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4220 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr); 4221 gen_and(b0, b1); 4222 return b1; 4223 4224 case Q_AND: 4225 b0 = gen_wlanhostop(eaddr, Q_SRC); 4226 b1 = gen_wlanhostop(eaddr, Q_DST); 4227 gen_and(b0, b1); 4228 return b1; 4229 4230 case Q_DEFAULT: 4231 case Q_OR: 4232 b0 = gen_wlanhostop(eaddr, Q_SRC); 4233 b1 = gen_wlanhostop(eaddr, Q_DST); 4234 gen_or(b0, b1); 4235 return b1; 4236 } 4237 abort(); 4238 /* NOTREACHED */ 4239 } 4240 4241 /* 4242 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4243 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4244 * as the RFC states.) 4245 */ 4246 static struct block * 4247 gen_ipfchostop(eaddr, dir) 4248 register const u_char *eaddr; 4249 register int dir; 4250 { 4251 register struct block *b0, *b1; 4252 4253 switch (dir) { 4254 case Q_SRC: 4255 return gen_bcmp(OR_LINK, 10, 6, eaddr); 4256 4257 case Q_DST: 4258 return gen_bcmp(OR_LINK, 2, 6, eaddr); 4259 4260 case Q_AND: 4261 b0 = gen_ipfchostop(eaddr, Q_SRC); 4262 b1 = gen_ipfchostop(eaddr, Q_DST); 4263 gen_and(b0, b1); 4264 return b1; 4265 4266 case Q_DEFAULT: 4267 case Q_OR: 4268 b0 = gen_ipfchostop(eaddr, Q_SRC); 4269 b1 = gen_ipfchostop(eaddr, Q_DST); 4270 gen_or(b0, b1); 4271 return b1; 4272 4273 case Q_ADDR1: 4274 bpf_error("'addr1' is only supported on 802.11"); 4275 break; 4276 4277 case Q_ADDR2: 4278 bpf_error("'addr2' is only supported on 802.11"); 4279 break; 4280 4281 case Q_ADDR3: 4282 bpf_error("'addr3' is only supported on 802.11"); 4283 break; 4284 4285 case Q_ADDR4: 4286 bpf_error("'addr4' is only supported on 802.11"); 4287 break; 4288 4289 case Q_RA: 4290 bpf_error("'ra' is only supported on 802.11"); 4291 break; 4292 4293 case Q_TA: 4294 bpf_error("'ta' is only supported on 802.11"); 4295 break; 4296 } 4297 abort(); 4298 /* NOTREACHED */ 4299 } 4300 4301 /* 4302 * This is quite tricky because there may be pad bytes in front of the 4303 * DECNET header, and then there are two possible data packet formats that 4304 * carry both src and dst addresses, plus 5 packet types in a format that 4305 * carries only the src node, plus 2 types that use a different format and 4306 * also carry just the src node. 4307 * 4308 * Yuck. 4309 * 4310 * Instead of doing those all right, we just look for data packets with 4311 * 0 or 1 bytes of padding. If you want to look at other packets, that 4312 * will require a lot more hacking. 4313 * 4314 * To add support for filtering on DECNET "areas" (network numbers) 4315 * one would want to add a "mask" argument to this routine. That would 4316 * make the filter even more inefficient, although one could be clever 4317 * and not generate masking instructions if the mask is 0xFFFF. 4318 */ 4319 static struct block * 4320 gen_dnhostop(addr, dir) 4321 bpf_u_int32 addr; 4322 int dir; 4323 { 4324 struct block *b0, *b1, *b2, *tmp; 4325 u_int offset_lh; /* offset if long header is received */ 4326 u_int offset_sh; /* offset if short header is received */ 4327 4328 switch (dir) { 4329 4330 case Q_DST: 4331 offset_sh = 1; /* follows flags */ 4332 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4333 break; 4334 4335 case Q_SRC: 4336 offset_sh = 3; /* follows flags, dstnode */ 4337 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4338 break; 4339 4340 case Q_AND: 4341 /* Inefficient because we do our Calvinball dance twice */ 4342 b0 = gen_dnhostop(addr, Q_SRC); 4343 b1 = gen_dnhostop(addr, Q_DST); 4344 gen_and(b0, b1); 4345 return b1; 4346 4347 case Q_OR: 4348 case Q_DEFAULT: 4349 /* Inefficient because we do our Calvinball dance twice */ 4350 b0 = gen_dnhostop(addr, Q_SRC); 4351 b1 = gen_dnhostop(addr, Q_DST); 4352 gen_or(b0, b1); 4353 return b1; 4354 4355 case Q_ISO: 4356 bpf_error("ISO host filtering not implemented"); 4357 4358 default: 4359 abort(); 4360 } 4361 b0 = gen_linktype(ETHERTYPE_DN); 4362 /* Check for pad = 1, long header case */ 4363 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4364 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4365 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh, 4366 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4367 gen_and(tmp, b1); 4368 /* Check for pad = 0, long header case */ 4369 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4370 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4371 gen_and(tmp, b2); 4372 gen_or(b2, b1); 4373 /* Check for pad = 1, short header case */ 4374 tmp = gen_mcmp(OR_NET, 2, BPF_H, 4375 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4376 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4377 gen_and(tmp, b2); 4378 gen_or(b2, b1); 4379 /* Check for pad = 0, short header case */ 4380 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4381 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4382 gen_and(tmp, b2); 4383 gen_or(b2, b1); 4384 4385 /* Combine with test for linktype */ 4386 gen_and(b0, b1); 4387 return b1; 4388 } 4389 4390 /* 4391 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4392 * test the bottom-of-stack bit, and then check the version number 4393 * field in the IP header. 4394 */ 4395 static struct block * 4396 gen_mpls_linktype(proto) 4397 int proto; 4398 { 4399 struct block *b0, *b1; 4400 4401 switch (proto) { 4402 4403 case Q_IP: 4404 /* match the bottom-of-stack bit */ 4405 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4406 /* match the IPv4 version number */ 4407 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0); 4408 gen_and(b0, b1); 4409 return b1; 4410 4411 case Q_IPV6: 4412 /* match the bottom-of-stack bit */ 4413 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01); 4414 /* match the IPv4 version number */ 4415 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0); 4416 gen_and(b0, b1); 4417 return b1; 4418 4419 default: 4420 abort(); 4421 } 4422 } 4423 4424 static struct block * 4425 gen_host(addr, mask, proto, dir, type) 4426 bpf_u_int32 addr; 4427 bpf_u_int32 mask; 4428 int proto; 4429 int dir; 4430 int type; 4431 { 4432 struct block *b0, *b1; 4433 const char *typestr; 4434 4435 if (type == Q_NET) 4436 typestr = "net"; 4437 else 4438 typestr = "host"; 4439 4440 switch (proto) { 4441 4442 case Q_DEFAULT: 4443 b0 = gen_host(addr, mask, Q_IP, dir, type); 4444 /* 4445 * Only check for non-IPv4 addresses if we're not 4446 * checking MPLS-encapsulated packets. 4447 */ 4448 if (label_stack_depth == 0) { 4449 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4450 gen_or(b0, b1); 4451 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4452 gen_or(b1, b0); 4453 } 4454 return b0; 4455 4456 case Q_IP: 4457 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4458 4459 case Q_RARP: 4460 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4461 4462 case Q_ARP: 4463 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4464 4465 case Q_TCP: 4466 bpf_error("'tcp' modifier applied to %s", typestr); 4467 4468 case Q_SCTP: 4469 bpf_error("'sctp' modifier applied to %s", typestr); 4470 4471 case Q_UDP: 4472 bpf_error("'udp' modifier applied to %s", typestr); 4473 4474 case Q_ICMP: 4475 bpf_error("'icmp' modifier applied to %s", typestr); 4476 4477 case Q_IGMP: 4478 bpf_error("'igmp' modifier applied to %s", typestr); 4479 4480 case Q_IGRP: 4481 bpf_error("'igrp' modifier applied to %s", typestr); 4482 4483 case Q_PIM: 4484 bpf_error("'pim' modifier applied to %s", typestr); 4485 4486 case Q_VRRP: 4487 bpf_error("'vrrp' modifier applied to %s", typestr); 4488 4489 case Q_CARP: 4490 bpf_error("'carp' modifier applied to %s", typestr); 4491 4492 case Q_ATALK: 4493 bpf_error("ATALK host filtering not implemented"); 4494 4495 case Q_AARP: 4496 bpf_error("AARP host filtering not implemented"); 4497 4498 case Q_DECNET: 4499 return gen_dnhostop(addr, dir); 4500 4501 case Q_SCA: 4502 bpf_error("SCA host filtering not implemented"); 4503 4504 case Q_LAT: 4505 bpf_error("LAT host filtering not implemented"); 4506 4507 case Q_MOPDL: 4508 bpf_error("MOPDL host filtering not implemented"); 4509 4510 case Q_MOPRC: 4511 bpf_error("MOPRC host filtering not implemented"); 4512 4513 case Q_IPV6: 4514 bpf_error("'ip6' modifier applied to ip host"); 4515 4516 case Q_ICMPV6: 4517 bpf_error("'icmp6' modifier applied to %s", typestr); 4518 4519 case Q_AH: 4520 bpf_error("'ah' modifier applied to %s", typestr); 4521 4522 case Q_ESP: 4523 bpf_error("'esp' modifier applied to %s", typestr); 4524 4525 case Q_ISO: 4526 bpf_error("ISO host filtering not implemented"); 4527 4528 case Q_ESIS: 4529 bpf_error("'esis' modifier applied to %s", typestr); 4530 4531 case Q_ISIS: 4532 bpf_error("'isis' modifier applied to %s", typestr); 4533 4534 case Q_CLNP: 4535 bpf_error("'clnp' modifier applied to %s", typestr); 4536 4537 case Q_STP: 4538 bpf_error("'stp' modifier applied to %s", typestr); 4539 4540 case Q_IPX: 4541 bpf_error("IPX host filtering not implemented"); 4542 4543 case Q_NETBEUI: 4544 bpf_error("'netbeui' modifier applied to %s", typestr); 4545 4546 case Q_RADIO: 4547 bpf_error("'radio' modifier applied to %s", typestr); 4548 4549 default: 4550 abort(); 4551 } 4552 /* NOTREACHED */ 4553 } 4554 4555 #ifdef INET6 4556 static struct block * 4557 gen_host6(addr, mask, proto, dir, type) 4558 struct in6_addr *addr; 4559 struct in6_addr *mask; 4560 int proto; 4561 int dir; 4562 int type; 4563 { 4564 const char *typestr; 4565 4566 if (type == Q_NET) 4567 typestr = "net"; 4568 else 4569 typestr = "host"; 4570 4571 switch (proto) { 4572 4573 case Q_DEFAULT: 4574 return gen_host6(addr, mask, Q_IPV6, dir, type); 4575 4576 case Q_LINK: 4577 bpf_error("link-layer modifier applied to ip6 %s", typestr); 4578 4579 case Q_IP: 4580 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4581 4582 case Q_RARP: 4583 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4584 4585 case Q_ARP: 4586 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4587 4588 case Q_SCTP: 4589 bpf_error("'sctp' modifier applied to %s", typestr); 4590 4591 case Q_TCP: 4592 bpf_error("'tcp' modifier applied to %s", typestr); 4593 4594 case Q_UDP: 4595 bpf_error("'udp' modifier applied to %s", typestr); 4596 4597 case Q_ICMP: 4598 bpf_error("'icmp' modifier applied to %s", typestr); 4599 4600 case Q_IGMP: 4601 bpf_error("'igmp' modifier applied to %s", typestr); 4602 4603 case Q_IGRP: 4604 bpf_error("'igrp' modifier applied to %s", typestr); 4605 4606 case Q_PIM: 4607 bpf_error("'pim' modifier applied to %s", typestr); 4608 4609 case Q_VRRP: 4610 bpf_error("'vrrp' modifier applied to %s", typestr); 4611 4612 case Q_CARP: 4613 bpf_error("'carp' modifier applied to %s", typestr); 4614 4615 case Q_ATALK: 4616 bpf_error("ATALK host filtering not implemented"); 4617 4618 case Q_AARP: 4619 bpf_error("AARP host filtering not implemented"); 4620 4621 case Q_DECNET: 4622 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4623 4624 case Q_SCA: 4625 bpf_error("SCA host filtering not implemented"); 4626 4627 case Q_LAT: 4628 bpf_error("LAT host filtering not implemented"); 4629 4630 case Q_MOPDL: 4631 bpf_error("MOPDL host filtering not implemented"); 4632 4633 case Q_MOPRC: 4634 bpf_error("MOPRC host filtering not implemented"); 4635 4636 case Q_IPV6: 4637 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4638 4639 case Q_ICMPV6: 4640 bpf_error("'icmp6' modifier applied to %s", typestr); 4641 4642 case Q_AH: 4643 bpf_error("'ah' modifier applied to %s", typestr); 4644 4645 case Q_ESP: 4646 bpf_error("'esp' modifier applied to %s", typestr); 4647 4648 case Q_ISO: 4649 bpf_error("ISO host filtering not implemented"); 4650 4651 case Q_ESIS: 4652 bpf_error("'esis' modifier applied to %s", typestr); 4653 4654 case Q_ISIS: 4655 bpf_error("'isis' modifier applied to %s", typestr); 4656 4657 case Q_CLNP: 4658 bpf_error("'clnp' modifier applied to %s", typestr); 4659 4660 case Q_STP: 4661 bpf_error("'stp' modifier applied to %s", typestr); 4662 4663 case Q_IPX: 4664 bpf_error("IPX host filtering not implemented"); 4665 4666 case Q_NETBEUI: 4667 bpf_error("'netbeui' modifier applied to %s", typestr); 4668 4669 case Q_RADIO: 4670 bpf_error("'radio' modifier applied to %s", typestr); 4671 4672 default: 4673 abort(); 4674 } 4675 /* NOTREACHED */ 4676 } 4677 #endif 4678 4679 #ifndef INET6 4680 static struct block * 4681 gen_gateway(eaddr, alist, proto, dir) 4682 const u_char *eaddr; 4683 bpf_u_int32 **alist; 4684 int proto; 4685 int dir; 4686 { 4687 struct block *b0, *b1, *tmp; 4688 4689 if (dir != 0) 4690 bpf_error("direction applied to 'gateway'"); 4691 4692 switch (proto) { 4693 case Q_DEFAULT: 4694 case Q_IP: 4695 case Q_ARP: 4696 case Q_RARP: 4697 switch (linktype) { 4698 case DLT_EN10MB: 4699 case DLT_NETANALYZER: 4700 case DLT_NETANALYZER_TRANSPARENT: 4701 b0 = gen_ehostop(eaddr, Q_OR); 4702 break; 4703 case DLT_FDDI: 4704 b0 = gen_fhostop(eaddr, Q_OR); 4705 break; 4706 case DLT_IEEE802: 4707 b0 = gen_thostop(eaddr, Q_OR); 4708 break; 4709 case DLT_IEEE802_11: 4710 case DLT_PRISM_HEADER: 4711 case DLT_IEEE802_11_RADIO_AVS: 4712 case DLT_IEEE802_11_RADIO: 4713 case DLT_PPI: 4714 b0 = gen_wlanhostop(eaddr, Q_OR); 4715 break; 4716 case DLT_SUNATM: 4717 if (!is_lane) 4718 bpf_error( 4719 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4720 /* 4721 * Check that the packet doesn't begin with an 4722 * LE Control marker. (We've already generated 4723 * a test for LANE.) 4724 */ 4725 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 4726 BPF_H, 0xFF00); 4727 gen_not(b1); 4728 4729 /* 4730 * Now check the MAC address. 4731 */ 4732 b0 = gen_ehostop(eaddr, Q_OR); 4733 gen_and(b1, b0); 4734 break; 4735 case DLT_IP_OVER_FC: 4736 b0 = gen_ipfchostop(eaddr, Q_OR); 4737 break; 4738 default: 4739 bpf_error( 4740 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4741 } 4742 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4743 while (*alist) { 4744 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4745 Q_HOST); 4746 gen_or(b1, tmp); 4747 b1 = tmp; 4748 } 4749 gen_not(b1); 4750 gen_and(b0, b1); 4751 return b1; 4752 } 4753 bpf_error("illegal modifier of 'gateway'"); 4754 /* NOTREACHED */ 4755 } 4756 #endif 4757 4758 struct block * 4759 gen_proto_abbrev(proto) 4760 int proto; 4761 { 4762 struct block *b0; 4763 struct block *b1; 4764 4765 switch (proto) { 4766 4767 case Q_SCTP: 4768 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4769 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4770 gen_or(b0, b1); 4771 break; 4772 4773 case Q_TCP: 4774 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4775 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4776 gen_or(b0, b1); 4777 break; 4778 4779 case Q_UDP: 4780 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4781 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4782 gen_or(b0, b1); 4783 break; 4784 4785 case Q_ICMP: 4786 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4787 break; 4788 4789 #ifndef IPPROTO_IGMP 4790 #define IPPROTO_IGMP 2 4791 #endif 4792 4793 case Q_IGMP: 4794 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4795 break; 4796 4797 #ifndef IPPROTO_IGRP 4798 #define IPPROTO_IGRP 9 4799 #endif 4800 case Q_IGRP: 4801 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4802 break; 4803 4804 #ifndef IPPROTO_PIM 4805 #define IPPROTO_PIM 103 4806 #endif 4807 4808 case Q_PIM: 4809 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4810 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4811 gen_or(b0, b1); 4812 break; 4813 4814 #ifndef IPPROTO_VRRP 4815 #define IPPROTO_VRRP 112 4816 #endif 4817 4818 case Q_VRRP: 4819 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4820 break; 4821 4822 #ifndef IPPROTO_CARP 4823 #define IPPROTO_CARP 112 4824 #endif 4825 4826 case Q_CARP: 4827 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 4828 break; 4829 4830 case Q_IP: 4831 b1 = gen_linktype(ETHERTYPE_IP); 4832 break; 4833 4834 case Q_ARP: 4835 b1 = gen_linktype(ETHERTYPE_ARP); 4836 break; 4837 4838 case Q_RARP: 4839 b1 = gen_linktype(ETHERTYPE_REVARP); 4840 break; 4841 4842 case Q_LINK: 4843 bpf_error("link layer applied in wrong context"); 4844 4845 case Q_ATALK: 4846 b1 = gen_linktype(ETHERTYPE_ATALK); 4847 break; 4848 4849 case Q_AARP: 4850 b1 = gen_linktype(ETHERTYPE_AARP); 4851 break; 4852 4853 case Q_DECNET: 4854 b1 = gen_linktype(ETHERTYPE_DN); 4855 break; 4856 4857 case Q_SCA: 4858 b1 = gen_linktype(ETHERTYPE_SCA); 4859 break; 4860 4861 case Q_LAT: 4862 b1 = gen_linktype(ETHERTYPE_LAT); 4863 break; 4864 4865 case Q_MOPDL: 4866 b1 = gen_linktype(ETHERTYPE_MOPDL); 4867 break; 4868 4869 case Q_MOPRC: 4870 b1 = gen_linktype(ETHERTYPE_MOPRC); 4871 break; 4872 4873 case Q_IPV6: 4874 b1 = gen_linktype(ETHERTYPE_IPV6); 4875 break; 4876 4877 #ifndef IPPROTO_ICMPV6 4878 #define IPPROTO_ICMPV6 58 4879 #endif 4880 case Q_ICMPV6: 4881 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4882 break; 4883 4884 #ifndef IPPROTO_AH 4885 #define IPPROTO_AH 51 4886 #endif 4887 case Q_AH: 4888 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4889 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4890 gen_or(b0, b1); 4891 break; 4892 4893 #ifndef IPPROTO_ESP 4894 #define IPPROTO_ESP 50 4895 #endif 4896 case Q_ESP: 4897 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4898 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4899 gen_or(b0, b1); 4900 break; 4901 4902 case Q_ISO: 4903 b1 = gen_linktype(LLCSAP_ISONS); 4904 break; 4905 4906 case Q_ESIS: 4907 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4908 break; 4909 4910 case Q_ISIS: 4911 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4912 break; 4913 4914 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 4915 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4916 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4917 gen_or(b0, b1); 4918 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4919 gen_or(b0, b1); 4920 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4921 gen_or(b0, b1); 4922 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4923 gen_or(b0, b1); 4924 break; 4925 4926 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 4927 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4928 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 4929 gen_or(b0, b1); 4930 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4931 gen_or(b0, b1); 4932 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4933 gen_or(b0, b1); 4934 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4935 gen_or(b0, b1); 4936 break; 4937 4938 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 4939 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 4940 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 4941 gen_or(b0, b1); 4942 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 4943 gen_or(b0, b1); 4944 break; 4945 4946 case Q_ISIS_LSP: 4947 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 4948 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 4949 gen_or(b0, b1); 4950 break; 4951 4952 case Q_ISIS_SNP: 4953 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4954 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4955 gen_or(b0, b1); 4956 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4957 gen_or(b0, b1); 4958 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4959 gen_or(b0, b1); 4960 break; 4961 4962 case Q_ISIS_CSNP: 4963 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 4964 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 4965 gen_or(b0, b1); 4966 break; 4967 4968 case Q_ISIS_PSNP: 4969 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 4970 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 4971 gen_or(b0, b1); 4972 break; 4973 4974 case Q_CLNP: 4975 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 4976 break; 4977 4978 case Q_STP: 4979 b1 = gen_linktype(LLCSAP_8021D); 4980 break; 4981 4982 case Q_IPX: 4983 b1 = gen_linktype(LLCSAP_IPX); 4984 break; 4985 4986 case Q_NETBEUI: 4987 b1 = gen_linktype(LLCSAP_NETBEUI); 4988 break; 4989 4990 case Q_RADIO: 4991 bpf_error("'radio' is not a valid protocol type"); 4992 4993 default: 4994 abort(); 4995 } 4996 return b1; 4997 } 4998 4999 static struct block * 5000 gen_ipfrag() 5001 { 5002 struct slist *s; 5003 struct block *b; 5004 5005 /* not IPv4 frag other than the first frag */ 5006 s = gen_load_a(OR_NET, 6, BPF_H); 5007 b = new_block(JMP(BPF_JSET)); 5008 b->s.k = 0x1fff; 5009 b->stmts = s; 5010 gen_not(b); 5011 5012 return b; 5013 } 5014 5015 /* 5016 * Generate a comparison to a port value in the transport-layer header 5017 * at the specified offset from the beginning of that header. 5018 * 5019 * XXX - this handles a variable-length prefix preceding the link-layer 5020 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5021 * variable-length link-layer headers (such as Token Ring or 802.11 5022 * headers). 5023 */ 5024 static struct block * 5025 gen_portatom(off, v) 5026 int off; 5027 bpf_int32 v; 5028 { 5029 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5030 } 5031 5032 static struct block * 5033 gen_portatom6(off, v) 5034 int off; 5035 bpf_int32 v; 5036 { 5037 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5038 } 5039 5040 struct block * 5041 gen_portop(port, proto, dir) 5042 int port, proto, dir; 5043 { 5044 struct block *b0, *b1, *tmp; 5045 5046 /* ip proto 'proto' and not a fragment other than the first fragment */ 5047 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5048 b0 = gen_ipfrag(); 5049 gen_and(tmp, b0); 5050 5051 switch (dir) { 5052 case Q_SRC: 5053 b1 = gen_portatom(0, (bpf_int32)port); 5054 break; 5055 5056 case Q_DST: 5057 b1 = gen_portatom(2, (bpf_int32)port); 5058 break; 5059 5060 case Q_OR: 5061 case Q_DEFAULT: 5062 tmp = gen_portatom(0, (bpf_int32)port); 5063 b1 = gen_portatom(2, (bpf_int32)port); 5064 gen_or(tmp, b1); 5065 break; 5066 5067 case Q_AND: 5068 tmp = gen_portatom(0, (bpf_int32)port); 5069 b1 = gen_portatom(2, (bpf_int32)port); 5070 gen_and(tmp, b1); 5071 break; 5072 5073 default: 5074 abort(); 5075 } 5076 gen_and(b0, b1); 5077 5078 return b1; 5079 } 5080 5081 static struct block * 5082 gen_port(port, ip_proto, dir) 5083 int port; 5084 int ip_proto; 5085 int dir; 5086 { 5087 struct block *b0, *b1, *tmp; 5088 5089 /* 5090 * ether proto ip 5091 * 5092 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5093 * not LLC encapsulation with LLCSAP_IP. 5094 * 5095 * For IEEE 802 networks - which includes 802.5 token ring 5096 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5097 * says that SNAP encapsulation is used, not LLC encapsulation 5098 * with LLCSAP_IP. 5099 * 5100 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5101 * RFC 2225 say that SNAP encapsulation is used, not LLC 5102 * encapsulation with LLCSAP_IP. 5103 * 5104 * So we always check for ETHERTYPE_IP. 5105 */ 5106 b0 = gen_linktype(ETHERTYPE_IP); 5107 5108 switch (ip_proto) { 5109 case IPPROTO_UDP: 5110 case IPPROTO_TCP: 5111 case IPPROTO_SCTP: 5112 b1 = gen_portop(port, ip_proto, dir); 5113 break; 5114 5115 case PROTO_UNDEF: 5116 tmp = gen_portop(port, IPPROTO_TCP, dir); 5117 b1 = gen_portop(port, IPPROTO_UDP, dir); 5118 gen_or(tmp, b1); 5119 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5120 gen_or(tmp, b1); 5121 break; 5122 5123 default: 5124 abort(); 5125 } 5126 gen_and(b0, b1); 5127 return b1; 5128 } 5129 5130 struct block * 5131 gen_portop6(port, proto, dir) 5132 int port, proto, dir; 5133 { 5134 struct block *b0, *b1, *tmp; 5135 5136 /* ip6 proto 'proto' */ 5137 /* XXX - catch the first fragment of a fragmented packet? */ 5138 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5139 5140 switch (dir) { 5141 case Q_SRC: 5142 b1 = gen_portatom6(0, (bpf_int32)port); 5143 break; 5144 5145 case Q_DST: 5146 b1 = gen_portatom6(2, (bpf_int32)port); 5147 break; 5148 5149 case Q_OR: 5150 case Q_DEFAULT: 5151 tmp = gen_portatom6(0, (bpf_int32)port); 5152 b1 = gen_portatom6(2, (bpf_int32)port); 5153 gen_or(tmp, b1); 5154 break; 5155 5156 case Q_AND: 5157 tmp = gen_portatom6(0, (bpf_int32)port); 5158 b1 = gen_portatom6(2, (bpf_int32)port); 5159 gen_and(tmp, b1); 5160 break; 5161 5162 default: 5163 abort(); 5164 } 5165 gen_and(b0, b1); 5166 5167 return b1; 5168 } 5169 5170 static struct block * 5171 gen_port6(port, ip_proto, dir) 5172 int port; 5173 int ip_proto; 5174 int dir; 5175 { 5176 struct block *b0, *b1, *tmp; 5177 5178 /* link proto ip6 */ 5179 b0 = gen_linktype(ETHERTYPE_IPV6); 5180 5181 switch (ip_proto) { 5182 case IPPROTO_UDP: 5183 case IPPROTO_TCP: 5184 case IPPROTO_SCTP: 5185 b1 = gen_portop6(port, ip_proto, dir); 5186 break; 5187 5188 case PROTO_UNDEF: 5189 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5190 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5191 gen_or(tmp, b1); 5192 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5193 gen_or(tmp, b1); 5194 break; 5195 5196 default: 5197 abort(); 5198 } 5199 gen_and(b0, b1); 5200 return b1; 5201 } 5202 5203 /* gen_portrange code */ 5204 static struct block * 5205 gen_portrangeatom(off, v1, v2) 5206 int off; 5207 bpf_int32 v1, v2; 5208 { 5209 struct block *b1, *b2; 5210 5211 if (v1 > v2) { 5212 /* 5213 * Reverse the order of the ports, so v1 is the lower one. 5214 */ 5215 bpf_int32 vtemp; 5216 5217 vtemp = v1; 5218 v1 = v2; 5219 v2 = vtemp; 5220 } 5221 5222 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5223 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5224 5225 gen_and(b1, b2); 5226 5227 return b2; 5228 } 5229 5230 struct block * 5231 gen_portrangeop(port1, port2, proto, dir) 5232 int port1, port2; 5233 int proto; 5234 int dir; 5235 { 5236 struct block *b0, *b1, *tmp; 5237 5238 /* ip proto 'proto' and not a fragment other than the first fragment */ 5239 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto); 5240 b0 = gen_ipfrag(); 5241 gen_and(tmp, b0); 5242 5243 switch (dir) { 5244 case Q_SRC: 5245 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5246 break; 5247 5248 case Q_DST: 5249 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5250 break; 5251 5252 case Q_OR: 5253 case Q_DEFAULT: 5254 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5255 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5256 gen_or(tmp, b1); 5257 break; 5258 5259 case Q_AND: 5260 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5261 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5262 gen_and(tmp, b1); 5263 break; 5264 5265 default: 5266 abort(); 5267 } 5268 gen_and(b0, b1); 5269 5270 return b1; 5271 } 5272 5273 static struct block * 5274 gen_portrange(port1, port2, ip_proto, dir) 5275 int port1, port2; 5276 int ip_proto; 5277 int dir; 5278 { 5279 struct block *b0, *b1, *tmp; 5280 5281 /* link proto ip */ 5282 b0 = gen_linktype(ETHERTYPE_IP); 5283 5284 switch (ip_proto) { 5285 case IPPROTO_UDP: 5286 case IPPROTO_TCP: 5287 case IPPROTO_SCTP: 5288 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5289 break; 5290 5291 case PROTO_UNDEF: 5292 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5293 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5294 gen_or(tmp, b1); 5295 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5296 gen_or(tmp, b1); 5297 break; 5298 5299 default: 5300 abort(); 5301 } 5302 gen_and(b0, b1); 5303 return b1; 5304 } 5305 5306 static struct block * 5307 gen_portrangeatom6(off, v1, v2) 5308 int off; 5309 bpf_int32 v1, v2; 5310 { 5311 struct block *b1, *b2; 5312 5313 if (v1 > v2) { 5314 /* 5315 * Reverse the order of the ports, so v1 is the lower one. 5316 */ 5317 bpf_int32 vtemp; 5318 5319 vtemp = v1; 5320 v1 = v2; 5321 v2 = vtemp; 5322 } 5323 5324 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5325 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5326 5327 gen_and(b1, b2); 5328 5329 return b2; 5330 } 5331 5332 struct block * 5333 gen_portrangeop6(port1, port2, proto, dir) 5334 int port1, port2; 5335 int proto; 5336 int dir; 5337 { 5338 struct block *b0, *b1, *tmp; 5339 5340 /* ip6 proto 'proto' */ 5341 /* XXX - catch the first fragment of a fragmented packet? */ 5342 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto); 5343 5344 switch (dir) { 5345 case Q_SRC: 5346 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5347 break; 5348 5349 case Q_DST: 5350 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5351 break; 5352 5353 case Q_OR: 5354 case Q_DEFAULT: 5355 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5356 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5357 gen_or(tmp, b1); 5358 break; 5359 5360 case Q_AND: 5361 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5362 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5363 gen_and(tmp, b1); 5364 break; 5365 5366 default: 5367 abort(); 5368 } 5369 gen_and(b0, b1); 5370 5371 return b1; 5372 } 5373 5374 static struct block * 5375 gen_portrange6(port1, port2, ip_proto, dir) 5376 int port1, port2; 5377 int ip_proto; 5378 int dir; 5379 { 5380 struct block *b0, *b1, *tmp; 5381 5382 /* link proto ip6 */ 5383 b0 = gen_linktype(ETHERTYPE_IPV6); 5384 5385 switch (ip_proto) { 5386 case IPPROTO_UDP: 5387 case IPPROTO_TCP: 5388 case IPPROTO_SCTP: 5389 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5390 break; 5391 5392 case PROTO_UNDEF: 5393 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5394 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5395 gen_or(tmp, b1); 5396 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5397 gen_or(tmp, b1); 5398 break; 5399 5400 default: 5401 abort(); 5402 } 5403 gen_and(b0, b1); 5404 return b1; 5405 } 5406 5407 static int 5408 lookup_proto(name, proto) 5409 register const char *name; 5410 register int proto; 5411 { 5412 register int v; 5413 5414 switch (proto) { 5415 5416 case Q_DEFAULT: 5417 case Q_IP: 5418 case Q_IPV6: 5419 v = pcap_nametoproto(name); 5420 if (v == PROTO_UNDEF) 5421 bpf_error("unknown ip proto '%s'", name); 5422 break; 5423 5424 case Q_LINK: 5425 /* XXX should look up h/w protocol type based on linktype */ 5426 v = pcap_nametoeproto(name); 5427 if (v == PROTO_UNDEF) { 5428 v = pcap_nametollc(name); 5429 if (v == PROTO_UNDEF) 5430 bpf_error("unknown ether proto '%s'", name); 5431 } 5432 break; 5433 5434 case Q_ISO: 5435 if (strcmp(name, "esis") == 0) 5436 v = ISO9542_ESIS; 5437 else if (strcmp(name, "isis") == 0) 5438 v = ISO10589_ISIS; 5439 else if (strcmp(name, "clnp") == 0) 5440 v = ISO8473_CLNP; 5441 else 5442 bpf_error("unknown osi proto '%s'", name); 5443 break; 5444 5445 default: 5446 v = PROTO_UNDEF; 5447 break; 5448 } 5449 return v; 5450 } 5451 5452 #if 0 5453 struct stmt * 5454 gen_joinsp(s, n) 5455 struct stmt **s; 5456 int n; 5457 { 5458 return NULL; 5459 } 5460 #endif 5461 5462 static struct block * 5463 gen_protochain(v, proto, dir) 5464 int v; 5465 int proto; 5466 int dir; 5467 { 5468 #ifdef NO_PROTOCHAIN 5469 return gen_proto(v, proto, dir); 5470 #else 5471 struct block *b0, *b; 5472 struct slist *s[100]; 5473 int fix2, fix3, fix4, fix5; 5474 int ahcheck, again, end; 5475 int i, max; 5476 int reg2 = alloc_reg(); 5477 5478 memset(s, 0, sizeof(s)); 5479 fix2 = fix3 = fix4 = fix5 = 0; 5480 5481 switch (proto) { 5482 case Q_IP: 5483 case Q_IPV6: 5484 break; 5485 case Q_DEFAULT: 5486 b0 = gen_protochain(v, Q_IP, dir); 5487 b = gen_protochain(v, Q_IPV6, dir); 5488 gen_or(b0, b); 5489 return b; 5490 default: 5491 bpf_error("bad protocol applied for 'protochain'"); 5492 /*NOTREACHED*/ 5493 } 5494 5495 /* 5496 * We don't handle variable-length prefixes before the link-layer 5497 * header, or variable-length link-layer headers, here yet. 5498 * We might want to add BPF instructions to do the protochain 5499 * work, to simplify that and, on platforms that have a BPF 5500 * interpreter with the new instructions, let the filtering 5501 * be done in the kernel. (We already require a modified BPF 5502 * engine to do the protochain stuff, to support backward 5503 * branches, and backward branch support is unlikely to appear 5504 * in kernel BPF engines.) 5505 */ 5506 switch (linktype) { 5507 5508 case DLT_IEEE802_11: 5509 case DLT_PRISM_HEADER: 5510 case DLT_IEEE802_11_RADIO_AVS: 5511 case DLT_IEEE802_11_RADIO: 5512 case DLT_PPI: 5513 bpf_error("'protochain' not supported with 802.11"); 5514 } 5515 5516 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5517 5518 /* 5519 * s[0] is a dummy entry to protect other BPF insn from damage 5520 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5521 * hard to find interdependency made by jump table fixup. 5522 */ 5523 i = 0; 5524 s[i] = new_stmt(0); /*dummy*/ 5525 i++; 5526 5527 switch (proto) { 5528 case Q_IP: 5529 b0 = gen_linktype(ETHERTYPE_IP); 5530 5531 /* A = ip->ip_p */ 5532 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5533 s[i]->s.k = off_macpl + off_nl + 9; 5534 i++; 5535 /* X = ip->ip_hl << 2 */ 5536 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5537 s[i]->s.k = off_macpl + off_nl; 5538 i++; 5539 break; 5540 5541 case Q_IPV6: 5542 b0 = gen_linktype(ETHERTYPE_IPV6); 5543 5544 /* A = ip6->ip_nxt */ 5545 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5546 s[i]->s.k = off_macpl + off_nl + 6; 5547 i++; 5548 /* X = sizeof(struct ip6_hdr) */ 5549 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5550 s[i]->s.k = 40; 5551 i++; 5552 break; 5553 5554 default: 5555 bpf_error("unsupported proto to gen_protochain"); 5556 /*NOTREACHED*/ 5557 } 5558 5559 /* again: if (A == v) goto end; else fall through; */ 5560 again = i; 5561 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5562 s[i]->s.k = v; 5563 s[i]->s.jt = NULL; /*later*/ 5564 s[i]->s.jf = NULL; /*update in next stmt*/ 5565 fix5 = i; 5566 i++; 5567 5568 #ifndef IPPROTO_NONE 5569 #define IPPROTO_NONE 59 5570 #endif 5571 /* if (A == IPPROTO_NONE) goto end */ 5572 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5573 s[i]->s.jt = NULL; /*later*/ 5574 s[i]->s.jf = NULL; /*update in next stmt*/ 5575 s[i]->s.k = IPPROTO_NONE; 5576 s[fix5]->s.jf = s[i]; 5577 fix2 = i; 5578 i++; 5579 5580 if (proto == Q_IPV6) { 5581 int v6start, v6end, v6advance, j; 5582 5583 v6start = i; 5584 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5585 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5586 s[i]->s.jt = NULL; /*later*/ 5587 s[i]->s.jf = NULL; /*update in next stmt*/ 5588 s[i]->s.k = IPPROTO_HOPOPTS; 5589 s[fix2]->s.jf = s[i]; 5590 i++; 5591 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5592 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5593 s[i]->s.jt = NULL; /*later*/ 5594 s[i]->s.jf = NULL; /*update in next stmt*/ 5595 s[i]->s.k = IPPROTO_DSTOPTS; 5596 i++; 5597 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5598 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5599 s[i]->s.jt = NULL; /*later*/ 5600 s[i]->s.jf = NULL; /*update in next stmt*/ 5601 s[i]->s.k = IPPROTO_ROUTING; 5602 i++; 5603 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5604 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5605 s[i]->s.jt = NULL; /*later*/ 5606 s[i]->s.jf = NULL; /*later*/ 5607 s[i]->s.k = IPPROTO_FRAGMENT; 5608 fix3 = i; 5609 v6end = i; 5610 i++; 5611 5612 /* v6advance: */ 5613 v6advance = i; 5614 5615 /* 5616 * in short, 5617 * A = P[X + packet head]; 5618 * X = X + (P[X + packet head + 1] + 1) * 8; 5619 */ 5620 /* A = P[X + packet head] */ 5621 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5622 s[i]->s.k = off_macpl + off_nl; 5623 i++; 5624 /* MEM[reg2] = A */ 5625 s[i] = new_stmt(BPF_ST); 5626 s[i]->s.k = reg2; 5627 i++; 5628 /* A = P[X + packet head + 1]; */ 5629 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5630 s[i]->s.k = off_macpl + off_nl + 1; 5631 i++; 5632 /* A += 1 */ 5633 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5634 s[i]->s.k = 1; 5635 i++; 5636 /* A *= 8 */ 5637 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5638 s[i]->s.k = 8; 5639 i++; 5640 /* A += X */ 5641 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5642 s[i]->s.k = 0; 5643 i++; 5644 /* X = A; */ 5645 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5646 i++; 5647 /* A = MEM[reg2] */ 5648 s[i] = new_stmt(BPF_LD|BPF_MEM); 5649 s[i]->s.k = reg2; 5650 i++; 5651 5652 /* goto again; (must use BPF_JA for backward jump) */ 5653 s[i] = new_stmt(BPF_JMP|BPF_JA); 5654 s[i]->s.k = again - i - 1; 5655 s[i - 1]->s.jf = s[i]; 5656 i++; 5657 5658 /* fixup */ 5659 for (j = v6start; j <= v6end; j++) 5660 s[j]->s.jt = s[v6advance]; 5661 } else { 5662 /* nop */ 5663 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5664 s[i]->s.k = 0; 5665 s[fix2]->s.jf = s[i]; 5666 i++; 5667 } 5668 5669 /* ahcheck: */ 5670 ahcheck = i; 5671 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5672 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5673 s[i]->s.jt = NULL; /*later*/ 5674 s[i]->s.jf = NULL; /*later*/ 5675 s[i]->s.k = IPPROTO_AH; 5676 if (fix3) 5677 s[fix3]->s.jf = s[ahcheck]; 5678 fix4 = i; 5679 i++; 5680 5681 /* 5682 * in short, 5683 * A = P[X]; 5684 * X = X + (P[X + 1] + 2) * 4; 5685 */ 5686 /* A = X */ 5687 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5688 i++; 5689 /* A = P[X + packet head]; */ 5690 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5691 s[i]->s.k = off_macpl + off_nl; 5692 i++; 5693 /* MEM[reg2] = A */ 5694 s[i] = new_stmt(BPF_ST); 5695 s[i]->s.k = reg2; 5696 i++; 5697 /* A = X */ 5698 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5699 i++; 5700 /* A += 1 */ 5701 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5702 s[i]->s.k = 1; 5703 i++; 5704 /* X = A */ 5705 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5706 i++; 5707 /* A = P[X + packet head] */ 5708 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5709 s[i]->s.k = off_macpl + off_nl; 5710 i++; 5711 /* A += 2 */ 5712 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5713 s[i]->s.k = 2; 5714 i++; 5715 /* A *= 4 */ 5716 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5717 s[i]->s.k = 4; 5718 i++; 5719 /* X = A; */ 5720 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5721 i++; 5722 /* A = MEM[reg2] */ 5723 s[i] = new_stmt(BPF_LD|BPF_MEM); 5724 s[i]->s.k = reg2; 5725 i++; 5726 5727 /* goto again; (must use BPF_JA for backward jump) */ 5728 s[i] = new_stmt(BPF_JMP|BPF_JA); 5729 s[i]->s.k = again - i - 1; 5730 i++; 5731 5732 /* end: nop */ 5733 end = i; 5734 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5735 s[i]->s.k = 0; 5736 s[fix2]->s.jt = s[end]; 5737 s[fix4]->s.jf = s[end]; 5738 s[fix5]->s.jt = s[end]; 5739 i++; 5740 5741 /* 5742 * make slist chain 5743 */ 5744 max = i; 5745 for (i = 0; i < max - 1; i++) 5746 s[i]->next = s[i + 1]; 5747 s[max - 1]->next = NULL; 5748 5749 /* 5750 * emit final check 5751 */ 5752 b = new_block(JMP(BPF_JEQ)); 5753 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5754 b->s.k = v; 5755 5756 free_reg(reg2); 5757 5758 gen_and(b0, b); 5759 return b; 5760 #endif 5761 } 5762 5763 static struct block * 5764 gen_check_802_11_data_frame() 5765 { 5766 struct slist *s; 5767 struct block *b0, *b1; 5768 5769 /* 5770 * A data frame has the 0x08 bit (b3) in the frame control field set 5771 * and the 0x04 bit (b2) clear. 5772 */ 5773 s = gen_load_a(OR_LINK, 0, BPF_B); 5774 b0 = new_block(JMP(BPF_JSET)); 5775 b0->s.k = 0x08; 5776 b0->stmts = s; 5777 5778 s = gen_load_a(OR_LINK, 0, BPF_B); 5779 b1 = new_block(JMP(BPF_JSET)); 5780 b1->s.k = 0x04; 5781 b1->stmts = s; 5782 gen_not(b1); 5783 5784 gen_and(b1, b0); 5785 5786 return b0; 5787 } 5788 5789 /* 5790 * Generate code that checks whether the packet is a packet for protocol 5791 * <proto> and whether the type field in that protocol's header has 5792 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5793 * IP packet and checks the protocol number in the IP header against <v>. 5794 * 5795 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5796 * against Q_IP and Q_IPV6. 5797 */ 5798 static struct block * 5799 gen_proto(v, proto, dir) 5800 int v; 5801 int proto; 5802 int dir; 5803 { 5804 struct block *b0, *b1; 5805 #ifndef CHASE_CHAIN 5806 struct block *b2; 5807 #endif 5808 5809 if (dir != Q_DEFAULT) 5810 bpf_error("direction applied to 'proto'"); 5811 5812 switch (proto) { 5813 case Q_DEFAULT: 5814 b0 = gen_proto(v, Q_IP, dir); 5815 b1 = gen_proto(v, Q_IPV6, dir); 5816 gen_or(b0, b1); 5817 return b1; 5818 5819 case Q_IP: 5820 /* 5821 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5822 * not LLC encapsulation with LLCSAP_IP. 5823 * 5824 * For IEEE 802 networks - which includes 802.5 token ring 5825 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5826 * says that SNAP encapsulation is used, not LLC encapsulation 5827 * with LLCSAP_IP. 5828 * 5829 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5830 * RFC 2225 say that SNAP encapsulation is used, not LLC 5831 * encapsulation with LLCSAP_IP. 5832 * 5833 * So we always check for ETHERTYPE_IP. 5834 */ 5835 b0 = gen_linktype(ETHERTYPE_IP); 5836 #ifndef CHASE_CHAIN 5837 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v); 5838 #else 5839 b1 = gen_protochain(v, Q_IP); 5840 #endif 5841 gen_and(b0, b1); 5842 return b1; 5843 5844 case Q_ISO: 5845 switch (linktype) { 5846 5847 case DLT_FRELAY: 5848 /* 5849 * Frame Relay packets typically have an OSI 5850 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5851 * generates code to check for all the OSI 5852 * NLPIDs, so calling it and then adding a check 5853 * for the particular NLPID for which we're 5854 * looking is bogus, as we can just check for 5855 * the NLPID. 5856 * 5857 * What we check for is the NLPID and a frame 5858 * control field value of UI, i.e. 0x03 followed 5859 * by the NLPID. 5860 * 5861 * XXX - assumes a 2-byte Frame Relay header with 5862 * DLCI and flags. What if the address is longer? 5863 * 5864 * XXX - what about SNAP-encapsulated frames? 5865 */ 5866 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v); 5867 /*NOTREACHED*/ 5868 break; 5869 5870 case DLT_C_HDLC: 5871 /* 5872 * Cisco uses an Ethertype lookalike - for OSI, 5873 * it's 0xfefe. 5874 */ 5875 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5876 /* OSI in C-HDLC is stuffed with a fudge byte */ 5877 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v); 5878 gen_and(b0, b1); 5879 return b1; 5880 5881 default: 5882 b0 = gen_linktype(LLCSAP_ISONS); 5883 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v); 5884 gen_and(b0, b1); 5885 return b1; 5886 } 5887 5888 case Q_ISIS: 5889 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5890 /* 5891 * 4 is the offset of the PDU type relative to the IS-IS 5892 * header. 5893 */ 5894 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v); 5895 gen_and(b0, b1); 5896 return b1; 5897 5898 case Q_ARP: 5899 bpf_error("arp does not encapsulate another protocol"); 5900 /* NOTREACHED */ 5901 5902 case Q_RARP: 5903 bpf_error("rarp does not encapsulate another protocol"); 5904 /* NOTREACHED */ 5905 5906 case Q_ATALK: 5907 bpf_error("atalk encapsulation is not specifiable"); 5908 /* NOTREACHED */ 5909 5910 case Q_DECNET: 5911 bpf_error("decnet encapsulation is not specifiable"); 5912 /* NOTREACHED */ 5913 5914 case Q_SCA: 5915 bpf_error("sca does not encapsulate another protocol"); 5916 /* NOTREACHED */ 5917 5918 case Q_LAT: 5919 bpf_error("lat does not encapsulate another protocol"); 5920 /* NOTREACHED */ 5921 5922 case Q_MOPRC: 5923 bpf_error("moprc does not encapsulate another protocol"); 5924 /* NOTREACHED */ 5925 5926 case Q_MOPDL: 5927 bpf_error("mopdl does not encapsulate another protocol"); 5928 /* NOTREACHED */ 5929 5930 case Q_LINK: 5931 return gen_linktype(v); 5932 5933 case Q_UDP: 5934 bpf_error("'udp proto' is bogus"); 5935 /* NOTREACHED */ 5936 5937 case Q_TCP: 5938 bpf_error("'tcp proto' is bogus"); 5939 /* NOTREACHED */ 5940 5941 case Q_SCTP: 5942 bpf_error("'sctp proto' is bogus"); 5943 /* NOTREACHED */ 5944 5945 case Q_ICMP: 5946 bpf_error("'icmp proto' is bogus"); 5947 /* NOTREACHED */ 5948 5949 case Q_IGMP: 5950 bpf_error("'igmp proto' is bogus"); 5951 /* NOTREACHED */ 5952 5953 case Q_IGRP: 5954 bpf_error("'igrp proto' is bogus"); 5955 /* NOTREACHED */ 5956 5957 case Q_PIM: 5958 bpf_error("'pim proto' is bogus"); 5959 /* NOTREACHED */ 5960 5961 case Q_VRRP: 5962 bpf_error("'vrrp proto' is bogus"); 5963 /* NOTREACHED */ 5964 5965 case Q_CARP: 5966 bpf_error("'carp proto' is bogus"); 5967 /* NOTREACHED */ 5968 5969 case Q_IPV6: 5970 b0 = gen_linktype(ETHERTYPE_IPV6); 5971 #ifndef CHASE_CHAIN 5972 /* 5973 * Also check for a fragment header before the final 5974 * header. 5975 */ 5976 b2 = gen_cmp(OR_NET, 6, BPF_B, IPPROTO_FRAGMENT); 5977 b1 = gen_cmp(OR_NET, 40, BPF_B, (bpf_int32)v); 5978 gen_and(b2, b1); 5979 b2 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v); 5980 gen_or(b2, b1); 5981 #else 5982 b1 = gen_protochain(v, Q_IPV6); 5983 #endif 5984 gen_and(b0, b1); 5985 return b1; 5986 5987 case Q_ICMPV6: 5988 bpf_error("'icmp6 proto' is bogus"); 5989 5990 case Q_AH: 5991 bpf_error("'ah proto' is bogus"); 5992 5993 case Q_ESP: 5994 bpf_error("'ah proto' is bogus"); 5995 5996 case Q_STP: 5997 bpf_error("'stp proto' is bogus"); 5998 5999 case Q_IPX: 6000 bpf_error("'ipx proto' is bogus"); 6001 6002 case Q_NETBEUI: 6003 bpf_error("'netbeui proto' is bogus"); 6004 6005 case Q_RADIO: 6006 bpf_error("'radio proto' is bogus"); 6007 6008 default: 6009 abort(); 6010 /* NOTREACHED */ 6011 } 6012 /* NOTREACHED */ 6013 } 6014 6015 struct block * 6016 gen_scode(name, q) 6017 register const char *name; 6018 struct qual q; 6019 { 6020 int proto = q.proto; 6021 int dir = q.dir; 6022 int tproto; 6023 u_char *eaddr; 6024 bpf_u_int32 mask, addr; 6025 #ifndef INET6 6026 bpf_u_int32 **alist; 6027 #else 6028 int tproto6; 6029 struct sockaddr_in *sin4; 6030 struct sockaddr_in6 *sin6; 6031 struct addrinfo *res, *res0; 6032 struct in6_addr mask128; 6033 #endif /*INET6*/ 6034 struct block *b, *tmp; 6035 int port, real_proto; 6036 int port1, port2; 6037 6038 switch (q.addr) { 6039 6040 case Q_NET: 6041 addr = pcap_nametonetaddr(name); 6042 if (addr == 0) 6043 bpf_error("unknown network '%s'", name); 6044 /* Left justify network addr and calculate its network mask */ 6045 mask = 0xffffffff; 6046 while (addr && (addr & 0xff000000) == 0) { 6047 addr <<= 8; 6048 mask <<= 8; 6049 } 6050 return gen_host(addr, mask, proto, dir, q.addr); 6051 6052 case Q_DEFAULT: 6053 case Q_HOST: 6054 if (proto == Q_LINK) { 6055 switch (linktype) { 6056 6057 case DLT_EN10MB: 6058 case DLT_NETANALYZER: 6059 case DLT_NETANALYZER_TRANSPARENT: 6060 eaddr = pcap_ether_hostton(name); 6061 if (eaddr == NULL) 6062 bpf_error( 6063 "unknown ether host '%s'", name); 6064 b = gen_ehostop(eaddr, dir); 6065 free(eaddr); 6066 return b; 6067 6068 case DLT_FDDI: 6069 eaddr = pcap_ether_hostton(name); 6070 if (eaddr == NULL) 6071 bpf_error( 6072 "unknown FDDI host '%s'", name); 6073 b = gen_fhostop(eaddr, dir); 6074 free(eaddr); 6075 return b; 6076 6077 case DLT_IEEE802: 6078 eaddr = pcap_ether_hostton(name); 6079 if (eaddr == NULL) 6080 bpf_error( 6081 "unknown token ring host '%s'", name); 6082 b = gen_thostop(eaddr, dir); 6083 free(eaddr); 6084 return b; 6085 6086 case DLT_IEEE802_11: 6087 case DLT_PRISM_HEADER: 6088 case DLT_IEEE802_11_RADIO_AVS: 6089 case DLT_IEEE802_11_RADIO: 6090 case DLT_PPI: 6091 eaddr = pcap_ether_hostton(name); 6092 if (eaddr == NULL) 6093 bpf_error( 6094 "unknown 802.11 host '%s'", name); 6095 b = gen_wlanhostop(eaddr, dir); 6096 free(eaddr); 6097 return b; 6098 6099 case DLT_IP_OVER_FC: 6100 eaddr = pcap_ether_hostton(name); 6101 if (eaddr == NULL) 6102 bpf_error( 6103 "unknown Fibre Channel host '%s'", name); 6104 b = gen_ipfchostop(eaddr, dir); 6105 free(eaddr); 6106 return b; 6107 6108 case DLT_SUNATM: 6109 if (!is_lane) 6110 break; 6111 6112 /* 6113 * Check that the packet doesn't begin 6114 * with an LE Control marker. (We've 6115 * already generated a test for LANE.) 6116 */ 6117 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 6118 BPF_H, 0xFF00); 6119 gen_not(tmp); 6120 6121 eaddr = pcap_ether_hostton(name); 6122 if (eaddr == NULL) 6123 bpf_error( 6124 "unknown ether host '%s'", name); 6125 b = gen_ehostop(eaddr, dir); 6126 gen_and(tmp, b); 6127 free(eaddr); 6128 return b; 6129 } 6130 6131 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6132 } else if (proto == Q_DECNET) { 6133 unsigned short dn_addr = __pcap_nametodnaddr(name); 6134 /* 6135 * I don't think DECNET hosts can be multihomed, so 6136 * there is no need to build up a list of addresses 6137 */ 6138 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6139 } else { 6140 #ifndef INET6 6141 alist = pcap_nametoaddr(name); 6142 if (alist == NULL || *alist == NULL) 6143 bpf_error("unknown host '%s'", name); 6144 tproto = proto; 6145 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT) 6146 tproto = Q_IP; 6147 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6148 while (*alist) { 6149 tmp = gen_host(**alist++, 0xffffffff, 6150 tproto, dir, q.addr); 6151 gen_or(b, tmp); 6152 b = tmp; 6153 } 6154 return b; 6155 #else 6156 memset(&mask128, 0xff, sizeof(mask128)); 6157 res0 = res = pcap_nametoaddrinfo(name); 6158 if (res == NULL) 6159 bpf_error("unknown host '%s'", name); 6160 ai = res; 6161 b = tmp = NULL; 6162 tproto = tproto6 = proto; 6163 if (off_linktype == -1 && tproto == Q_DEFAULT) { 6164 tproto = Q_IP; 6165 tproto6 = Q_IPV6; 6166 } 6167 for (res = res0; res; res = res->ai_next) { 6168 switch (res->ai_family) { 6169 case AF_INET: 6170 if (tproto == Q_IPV6) 6171 continue; 6172 6173 sin4 = (struct sockaddr_in *) 6174 res->ai_addr; 6175 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6176 0xffffffff, tproto, dir, q.addr); 6177 break; 6178 case AF_INET6: 6179 if (tproto6 == Q_IP) 6180 continue; 6181 6182 sin6 = (struct sockaddr_in6 *) 6183 res->ai_addr; 6184 tmp = gen_host6(&sin6->sin6_addr, 6185 &mask128, tproto6, dir, q.addr); 6186 break; 6187 default: 6188 continue; 6189 } 6190 if (b) 6191 gen_or(b, tmp); 6192 b = tmp; 6193 } 6194 ai = NULL; 6195 freeaddrinfo(res0); 6196 if (b == NULL) { 6197 bpf_error("unknown host '%s'%s", name, 6198 (proto == Q_DEFAULT) 6199 ? "" 6200 : " for specified address family"); 6201 } 6202 return b; 6203 #endif /*INET6*/ 6204 } 6205 6206 case Q_PORT: 6207 if (proto != Q_DEFAULT && 6208 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6209 bpf_error("illegal qualifier of 'port'"); 6210 if (pcap_nametoport(name, &port, &real_proto) == 0) 6211 bpf_error("unknown port '%s'", name); 6212 if (proto == Q_UDP) { 6213 if (real_proto == IPPROTO_TCP) 6214 bpf_error("port '%s' is tcp", name); 6215 else if (real_proto == IPPROTO_SCTP) 6216 bpf_error("port '%s' is sctp", name); 6217 else 6218 /* override PROTO_UNDEF */ 6219 real_proto = IPPROTO_UDP; 6220 } 6221 if (proto == Q_TCP) { 6222 if (real_proto == IPPROTO_UDP) 6223 bpf_error("port '%s' is udp", name); 6224 6225 else if (real_proto == IPPROTO_SCTP) 6226 bpf_error("port '%s' is sctp", name); 6227 else 6228 /* override PROTO_UNDEF */ 6229 real_proto = IPPROTO_TCP; 6230 } 6231 if (proto == Q_SCTP) { 6232 if (real_proto == IPPROTO_UDP) 6233 bpf_error("port '%s' is udp", name); 6234 6235 else if (real_proto == IPPROTO_TCP) 6236 bpf_error("port '%s' is tcp", name); 6237 else 6238 /* override PROTO_UNDEF */ 6239 real_proto = IPPROTO_SCTP; 6240 } 6241 if (port < 0) 6242 bpf_error("illegal port number %d < 0", port); 6243 if (port > 65535) 6244 bpf_error("illegal port number %d > 65535", port); 6245 b = gen_port(port, real_proto, dir); 6246 gen_or(gen_port6(port, real_proto, dir), b); 6247 return b; 6248 6249 case Q_PORTRANGE: 6250 if (proto != Q_DEFAULT && 6251 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6252 bpf_error("illegal qualifier of 'portrange'"); 6253 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6254 bpf_error("unknown port in range '%s'", name); 6255 if (proto == Q_UDP) { 6256 if (real_proto == IPPROTO_TCP) 6257 bpf_error("port in range '%s' is tcp", name); 6258 else if (real_proto == IPPROTO_SCTP) 6259 bpf_error("port in range '%s' is sctp", name); 6260 else 6261 /* override PROTO_UNDEF */ 6262 real_proto = IPPROTO_UDP; 6263 } 6264 if (proto == Q_TCP) { 6265 if (real_proto == IPPROTO_UDP) 6266 bpf_error("port in range '%s' is udp", name); 6267 else if (real_proto == IPPROTO_SCTP) 6268 bpf_error("port in range '%s' is sctp", name); 6269 else 6270 /* override PROTO_UNDEF */ 6271 real_proto = IPPROTO_TCP; 6272 } 6273 if (proto == Q_SCTP) { 6274 if (real_proto == IPPROTO_UDP) 6275 bpf_error("port in range '%s' is udp", name); 6276 else if (real_proto == IPPROTO_TCP) 6277 bpf_error("port in range '%s' is tcp", name); 6278 else 6279 /* override PROTO_UNDEF */ 6280 real_proto = IPPROTO_SCTP; 6281 } 6282 if (port1 < 0) 6283 bpf_error("illegal port number %d < 0", port1); 6284 if (port1 > 65535) 6285 bpf_error("illegal port number %d > 65535", port1); 6286 if (port2 < 0) 6287 bpf_error("illegal port number %d < 0", port2); 6288 if (port2 > 65535) 6289 bpf_error("illegal port number %d > 65535", port2); 6290 6291 b = gen_portrange(port1, port2, real_proto, dir); 6292 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6293 return b; 6294 6295 case Q_GATEWAY: 6296 #ifndef INET6 6297 eaddr = pcap_ether_hostton(name); 6298 if (eaddr == NULL) 6299 bpf_error("unknown ether host: %s", name); 6300 6301 alist = pcap_nametoaddr(name); 6302 if (alist == NULL || *alist == NULL) 6303 bpf_error("unknown host '%s'", name); 6304 b = gen_gateway(eaddr, alist, proto, dir); 6305 free(eaddr); 6306 return b; 6307 #else 6308 bpf_error("'gateway' not supported in this configuration"); 6309 #endif /*INET6*/ 6310 6311 case Q_PROTO: 6312 real_proto = lookup_proto(name, proto); 6313 if (real_proto >= 0) 6314 return gen_proto(real_proto, proto, dir); 6315 else 6316 bpf_error("unknown protocol: %s", name); 6317 6318 case Q_PROTOCHAIN: 6319 real_proto = lookup_proto(name, proto); 6320 if (real_proto >= 0) 6321 return gen_protochain(real_proto, proto, dir); 6322 else 6323 bpf_error("unknown protocol: %s", name); 6324 6325 case Q_UNDEF: 6326 syntax(); 6327 /* NOTREACHED */ 6328 } 6329 abort(); 6330 /* NOTREACHED */ 6331 } 6332 6333 struct block * 6334 gen_mcode(s1, s2, masklen, q) 6335 register const char *s1, *s2; 6336 register int masklen; 6337 struct qual q; 6338 { 6339 register int nlen, mlen; 6340 bpf_u_int32 n, m; 6341 6342 nlen = __pcap_atoin(s1, &n); 6343 /* Promote short ipaddr */ 6344 n <<= 32 - nlen; 6345 6346 if (s2 != NULL) { 6347 mlen = __pcap_atoin(s2, &m); 6348 /* Promote short ipaddr */ 6349 m <<= 32 - mlen; 6350 if ((n & ~m) != 0) 6351 bpf_error("non-network bits set in \"%s mask %s\"", 6352 s1, s2); 6353 } else { 6354 /* Convert mask len to mask */ 6355 if (masklen > 32) 6356 bpf_error("mask length must be <= 32"); 6357 if (masklen == 0) { 6358 /* 6359 * X << 32 is not guaranteed by C to be 0; it's 6360 * undefined. 6361 */ 6362 m = 0; 6363 } else 6364 m = 0xffffffff << (32 - masklen); 6365 if ((n & ~m) != 0) 6366 bpf_error("non-network bits set in \"%s/%d\"", 6367 s1, masklen); 6368 } 6369 6370 switch (q.addr) { 6371 6372 case Q_NET: 6373 return gen_host(n, m, q.proto, q.dir, q.addr); 6374 6375 default: 6376 bpf_error("Mask syntax for networks only"); 6377 /* NOTREACHED */ 6378 } 6379 /* NOTREACHED */ 6380 return NULL; 6381 } 6382 6383 struct block * 6384 gen_ncode(s, v, q) 6385 register const char *s; 6386 bpf_u_int32 v; 6387 struct qual q; 6388 { 6389 bpf_u_int32 mask; 6390 int proto = q.proto; 6391 int dir = q.dir; 6392 register int vlen; 6393 6394 if (s == NULL) 6395 vlen = 32; 6396 else if (q.proto == Q_DECNET) 6397 vlen = __pcap_atodn(s, &v); 6398 else 6399 vlen = __pcap_atoin(s, &v); 6400 6401 switch (q.addr) { 6402 6403 case Q_DEFAULT: 6404 case Q_HOST: 6405 case Q_NET: 6406 if (proto == Q_DECNET) 6407 return gen_host(v, 0, proto, dir, q.addr); 6408 else if (proto == Q_LINK) { 6409 bpf_error("illegal link layer address"); 6410 } else { 6411 mask = 0xffffffff; 6412 if (s == NULL && q.addr == Q_NET) { 6413 /* Promote short net number */ 6414 while (v && (v & 0xff000000) == 0) { 6415 v <<= 8; 6416 mask <<= 8; 6417 } 6418 } else { 6419 /* Promote short ipaddr */ 6420 v <<= 32 - vlen; 6421 mask <<= 32 - vlen; 6422 } 6423 return gen_host(v, mask, proto, dir, q.addr); 6424 } 6425 6426 case Q_PORT: 6427 if (proto == Q_UDP) 6428 proto = IPPROTO_UDP; 6429 else if (proto == Q_TCP) 6430 proto = IPPROTO_TCP; 6431 else if (proto == Q_SCTP) 6432 proto = IPPROTO_SCTP; 6433 else if (proto == Q_DEFAULT) 6434 proto = PROTO_UNDEF; 6435 else 6436 bpf_error("illegal qualifier of 'port'"); 6437 6438 if (v > 65535) 6439 bpf_error("illegal port number %u > 65535", v); 6440 6441 { 6442 struct block *b; 6443 b = gen_port((int)v, proto, dir); 6444 gen_or(gen_port6((int)v, proto, dir), b); 6445 return b; 6446 } 6447 6448 case Q_PORTRANGE: 6449 if (proto == Q_UDP) 6450 proto = IPPROTO_UDP; 6451 else if (proto == Q_TCP) 6452 proto = IPPROTO_TCP; 6453 else if (proto == Q_SCTP) 6454 proto = IPPROTO_SCTP; 6455 else if (proto == Q_DEFAULT) 6456 proto = PROTO_UNDEF; 6457 else 6458 bpf_error("illegal qualifier of 'portrange'"); 6459 6460 if (v > 65535) 6461 bpf_error("illegal port number %u > 65535", v); 6462 6463 { 6464 struct block *b; 6465 b = gen_portrange((int)v, (int)v, proto, dir); 6466 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6467 return b; 6468 } 6469 6470 case Q_GATEWAY: 6471 bpf_error("'gateway' requires a name"); 6472 /* NOTREACHED */ 6473 6474 case Q_PROTO: 6475 return gen_proto((int)v, proto, dir); 6476 6477 case Q_PROTOCHAIN: 6478 return gen_protochain((int)v, proto, dir); 6479 6480 case Q_UNDEF: 6481 syntax(); 6482 /* NOTREACHED */ 6483 6484 default: 6485 abort(); 6486 /* NOTREACHED */ 6487 } 6488 /* NOTREACHED */ 6489 } 6490 6491 #ifdef INET6 6492 struct block * 6493 gen_mcode6(s1, s2, masklen, q) 6494 register const char *s1, *s2; 6495 register int masklen; 6496 struct qual q; 6497 { 6498 struct addrinfo *res; 6499 struct in6_addr *addr; 6500 struct in6_addr mask; 6501 struct block *b; 6502 u_int32_t *a, *m; 6503 6504 if (s2) 6505 bpf_error("no mask %s supported", s2); 6506 6507 res = pcap_nametoaddrinfo(s1); 6508 if (!res) 6509 bpf_error("invalid ip6 address %s", s1); 6510 ai = res; 6511 if (res->ai_next) 6512 bpf_error("%s resolved to multiple address", s1); 6513 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6514 6515 if (sizeof(mask) * 8 < masklen) 6516 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6517 memset(&mask, 0, sizeof(mask)); 6518 memset(&mask, 0xff, masklen / 8); 6519 if (masklen % 8) { 6520 mask.s6_addr[masklen / 8] = 6521 (0xff << (8 - masklen % 8)) & 0xff; 6522 } 6523 6524 a = (u_int32_t *)addr; 6525 m = (u_int32_t *)&mask; 6526 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6527 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6528 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6529 } 6530 6531 switch (q.addr) { 6532 6533 case Q_DEFAULT: 6534 case Q_HOST: 6535 if (masklen != 128) 6536 bpf_error("Mask syntax for networks only"); 6537 /* FALLTHROUGH */ 6538 6539 case Q_NET: 6540 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6541 ai = NULL; 6542 freeaddrinfo(res); 6543 return b; 6544 6545 default: 6546 bpf_error("invalid qualifier against IPv6 address"); 6547 /* NOTREACHED */ 6548 } 6549 return NULL; 6550 } 6551 #endif /*INET6*/ 6552 6553 struct block * 6554 gen_ecode(eaddr, q) 6555 register const u_char *eaddr; 6556 struct qual q; 6557 { 6558 struct block *b, *tmp; 6559 6560 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6561 switch (linktype) { 6562 case DLT_EN10MB: 6563 case DLT_NETANALYZER: 6564 case DLT_NETANALYZER_TRANSPARENT: 6565 return gen_ehostop(eaddr, (int)q.dir); 6566 case DLT_FDDI: 6567 return gen_fhostop(eaddr, (int)q.dir); 6568 case DLT_IEEE802: 6569 return gen_thostop(eaddr, (int)q.dir); 6570 case DLT_IEEE802_11: 6571 case DLT_PRISM_HEADER: 6572 case DLT_IEEE802_11_RADIO_AVS: 6573 case DLT_IEEE802_11_RADIO: 6574 case DLT_PPI: 6575 return gen_wlanhostop(eaddr, (int)q.dir); 6576 case DLT_SUNATM: 6577 if (is_lane) { 6578 /* 6579 * Check that the packet doesn't begin with an 6580 * LE Control marker. (We've already generated 6581 * a test for LANE.) 6582 */ 6583 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H, 6584 0xFF00); 6585 gen_not(tmp); 6586 6587 /* 6588 * Now check the MAC address. 6589 */ 6590 b = gen_ehostop(eaddr, (int)q.dir); 6591 gen_and(tmp, b); 6592 return b; 6593 } 6594 break; 6595 case DLT_IP_OVER_FC: 6596 return gen_ipfchostop(eaddr, (int)q.dir); 6597 default: 6598 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6599 break; 6600 } 6601 } 6602 bpf_error("ethernet address used in non-ether expression"); 6603 /* NOTREACHED */ 6604 return NULL; 6605 } 6606 6607 void 6608 sappend(s0, s1) 6609 struct slist *s0, *s1; 6610 { 6611 /* 6612 * This is definitely not the best way to do this, but the 6613 * lists will rarely get long. 6614 */ 6615 while (s0->next) 6616 s0 = s0->next; 6617 s0->next = s1; 6618 } 6619 6620 static struct slist * 6621 xfer_to_x(a) 6622 struct arth *a; 6623 { 6624 struct slist *s; 6625 6626 s = new_stmt(BPF_LDX|BPF_MEM); 6627 s->s.k = a->regno; 6628 return s; 6629 } 6630 6631 static struct slist * 6632 xfer_to_a(a) 6633 struct arth *a; 6634 { 6635 struct slist *s; 6636 6637 s = new_stmt(BPF_LD|BPF_MEM); 6638 s->s.k = a->regno; 6639 return s; 6640 } 6641 6642 /* 6643 * Modify "index" to use the value stored into its register as an 6644 * offset relative to the beginning of the header for the protocol 6645 * "proto", and allocate a register and put an item "size" bytes long 6646 * (1, 2, or 4) at that offset into that register, making it the register 6647 * for "index". 6648 */ 6649 struct arth * 6650 gen_load(proto, inst, size) 6651 int proto; 6652 struct arth *inst; 6653 int size; 6654 { 6655 struct slist *s, *tmp; 6656 struct block *b; 6657 int regno = alloc_reg(); 6658 6659 free_reg(inst->regno); 6660 switch (size) { 6661 6662 default: 6663 bpf_error("data size must be 1, 2, or 4"); 6664 6665 case 1: 6666 size = BPF_B; 6667 break; 6668 6669 case 2: 6670 size = BPF_H; 6671 break; 6672 6673 case 4: 6674 size = BPF_W; 6675 break; 6676 } 6677 switch (proto) { 6678 default: 6679 bpf_error("unsupported index operation"); 6680 6681 case Q_RADIO: 6682 /* 6683 * The offset is relative to the beginning of the packet 6684 * data, if we have a radio header. (If we don't, this 6685 * is an error.) 6686 */ 6687 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6688 linktype != DLT_IEEE802_11_RADIO && 6689 linktype != DLT_PRISM_HEADER) 6690 bpf_error("radio information not present in capture"); 6691 6692 /* 6693 * Load into the X register the offset computed into the 6694 * register specified by "index". 6695 */ 6696 s = xfer_to_x(inst); 6697 6698 /* 6699 * Load the item at that offset. 6700 */ 6701 tmp = new_stmt(BPF_LD|BPF_IND|size); 6702 sappend(s, tmp); 6703 sappend(inst->s, s); 6704 break; 6705 6706 case Q_LINK: 6707 /* 6708 * The offset is relative to the beginning of 6709 * the link-layer header. 6710 * 6711 * XXX - what about ATM LANE? Should the index be 6712 * relative to the beginning of the AAL5 frame, so 6713 * that 0 refers to the beginning of the LE Control 6714 * field, or relative to the beginning of the LAN 6715 * frame, so that 0 refers, for Ethernet LANE, to 6716 * the beginning of the destination address? 6717 */ 6718 s = gen_llprefixlen(); 6719 6720 /* 6721 * If "s" is non-null, it has code to arrange that the 6722 * X register contains the length of the prefix preceding 6723 * the link-layer header. Add to it the offset computed 6724 * into the register specified by "index", and move that 6725 * into the X register. Otherwise, just load into the X 6726 * register the offset computed into the register specified 6727 * by "index". 6728 */ 6729 if (s != NULL) { 6730 sappend(s, xfer_to_a(inst)); 6731 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6732 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6733 } else 6734 s = xfer_to_x(inst); 6735 6736 /* 6737 * Load the item at the sum of the offset we've put in the 6738 * X register and the offset of the start of the link 6739 * layer header (which is 0 if the radio header is 6740 * variable-length; that header length is what we put 6741 * into the X register and then added to the index). 6742 */ 6743 tmp = new_stmt(BPF_LD|BPF_IND|size); 6744 tmp->s.k = off_ll; 6745 sappend(s, tmp); 6746 sappend(inst->s, s); 6747 break; 6748 6749 case Q_IP: 6750 case Q_ARP: 6751 case Q_RARP: 6752 case Q_ATALK: 6753 case Q_DECNET: 6754 case Q_SCA: 6755 case Q_LAT: 6756 case Q_MOPRC: 6757 case Q_MOPDL: 6758 case Q_IPV6: 6759 /* 6760 * The offset is relative to the beginning of 6761 * the network-layer header. 6762 * XXX - are there any cases where we want 6763 * off_nl_nosnap? 6764 */ 6765 s = gen_off_macpl(); 6766 6767 /* 6768 * If "s" is non-null, it has code to arrange that the 6769 * X register contains the offset of the MAC-layer 6770 * payload. Add to it the offset computed into the 6771 * register specified by "index", and move that into 6772 * the X register. Otherwise, just load into the X 6773 * register the offset computed into the register specified 6774 * by "index". 6775 */ 6776 if (s != NULL) { 6777 sappend(s, xfer_to_a(inst)); 6778 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6779 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6780 } else 6781 s = xfer_to_x(inst); 6782 6783 /* 6784 * Load the item at the sum of the offset we've put in the 6785 * X register, the offset of the start of the network 6786 * layer header from the beginning of the MAC-layer 6787 * payload, and the purported offset of the start of the 6788 * MAC-layer payload (which might be 0 if there's a 6789 * variable-length prefix before the link-layer header 6790 * or the link-layer header itself is variable-length; 6791 * the variable-length offset of the start of the 6792 * MAC-layer payload is what we put into the X register 6793 * and then added to the index). 6794 */ 6795 tmp = new_stmt(BPF_LD|BPF_IND|size); 6796 tmp->s.k = off_macpl + off_nl; 6797 sappend(s, tmp); 6798 sappend(inst->s, s); 6799 6800 /* 6801 * Do the computation only if the packet contains 6802 * the protocol in question. 6803 */ 6804 b = gen_proto_abbrev(proto); 6805 if (inst->b) 6806 gen_and(inst->b, b); 6807 inst->b = b; 6808 break; 6809 6810 case Q_SCTP: 6811 case Q_TCP: 6812 case Q_UDP: 6813 case Q_ICMP: 6814 case Q_IGMP: 6815 case Q_IGRP: 6816 case Q_PIM: 6817 case Q_VRRP: 6818 case Q_CARP: 6819 /* 6820 * The offset is relative to the beginning of 6821 * the transport-layer header. 6822 * 6823 * Load the X register with the length of the IPv4 header 6824 * (plus the offset of the link-layer header, if it's 6825 * a variable-length header), in bytes. 6826 * 6827 * XXX - are there any cases where we want 6828 * off_nl_nosnap? 6829 * XXX - we should, if we're built with 6830 * IPv6 support, generate code to load either 6831 * IPv4, IPv6, or both, as appropriate. 6832 */ 6833 s = gen_loadx_iphdrlen(); 6834 6835 /* 6836 * The X register now contains the sum of the length 6837 * of any variable-length header preceding the link-layer 6838 * header, any variable-length link-layer header, and the 6839 * length of the network-layer header. 6840 * 6841 * Load into the A register the offset relative to 6842 * the beginning of the transport layer header, 6843 * add the X register to that, move that to the 6844 * X register, and load with an offset from the 6845 * X register equal to the offset of the network 6846 * layer header relative to the beginning of 6847 * the MAC-layer payload plus the fixed-length 6848 * portion of the offset of the MAC-layer payload 6849 * from the beginning of the raw packet data. 6850 */ 6851 sappend(s, xfer_to_a(inst)); 6852 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6853 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6854 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6855 tmp->s.k = off_macpl + off_nl; 6856 sappend(inst->s, s); 6857 6858 /* 6859 * Do the computation only if the packet contains 6860 * the protocol in question - which is true only 6861 * if this is an IP datagram and is the first or 6862 * only fragment of that datagram. 6863 */ 6864 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6865 if (inst->b) 6866 gen_and(inst->b, b); 6867 gen_and(gen_proto_abbrev(Q_IP), b); 6868 inst->b = b; 6869 break; 6870 case Q_ICMPV6: 6871 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6872 /*NOTREACHED*/ 6873 } 6874 inst->regno = regno; 6875 s = new_stmt(BPF_ST); 6876 s->s.k = regno; 6877 sappend(inst->s, s); 6878 6879 return inst; 6880 } 6881 6882 struct block * 6883 gen_relation(code, a0, a1, reversed) 6884 int code; 6885 struct arth *a0, *a1; 6886 int reversed; 6887 { 6888 struct slist *s0, *s1, *s2; 6889 struct block *b, *tmp; 6890 6891 s0 = xfer_to_x(a1); 6892 s1 = xfer_to_a(a0); 6893 if (code == BPF_JEQ) { 6894 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6895 b = new_block(JMP(code)); 6896 sappend(s1, s2); 6897 } 6898 else 6899 b = new_block(BPF_JMP|code|BPF_X); 6900 if (reversed) 6901 gen_not(b); 6902 6903 sappend(s0, s1); 6904 sappend(a1->s, s0); 6905 sappend(a0->s, a1->s); 6906 6907 b->stmts = a0->s; 6908 6909 free_reg(a0->regno); 6910 free_reg(a1->regno); 6911 6912 /* 'and' together protocol checks */ 6913 if (a0->b) { 6914 if (a1->b) { 6915 gen_and(a0->b, tmp = a1->b); 6916 } 6917 else 6918 tmp = a0->b; 6919 } else 6920 tmp = a1->b; 6921 6922 if (tmp) 6923 gen_and(tmp, b); 6924 6925 return b; 6926 } 6927 6928 struct arth * 6929 gen_loadlen() 6930 { 6931 int regno = alloc_reg(); 6932 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6933 struct slist *s; 6934 6935 s = new_stmt(BPF_LD|BPF_LEN); 6936 s->next = new_stmt(BPF_ST); 6937 s->next->s.k = regno; 6938 a->s = s; 6939 a->regno = regno; 6940 6941 return a; 6942 } 6943 6944 struct arth * 6945 gen_loadi(val) 6946 int val; 6947 { 6948 struct arth *a; 6949 struct slist *s; 6950 int reg; 6951 6952 a = (struct arth *)newchunk(sizeof(*a)); 6953 6954 reg = alloc_reg(); 6955 6956 s = new_stmt(BPF_LD|BPF_IMM); 6957 s->s.k = val; 6958 s->next = new_stmt(BPF_ST); 6959 s->next->s.k = reg; 6960 a->s = s; 6961 a->regno = reg; 6962 6963 return a; 6964 } 6965 6966 struct arth * 6967 gen_neg(a) 6968 struct arth *a; 6969 { 6970 struct slist *s; 6971 6972 s = xfer_to_a(a); 6973 sappend(a->s, s); 6974 s = new_stmt(BPF_ALU|BPF_NEG); 6975 s->s.k = 0; 6976 sappend(a->s, s); 6977 s = new_stmt(BPF_ST); 6978 s->s.k = a->regno; 6979 sappend(a->s, s); 6980 6981 return a; 6982 } 6983 6984 struct arth * 6985 gen_arth(code, a0, a1) 6986 int code; 6987 struct arth *a0, *a1; 6988 { 6989 struct slist *s0, *s1, *s2; 6990 6991 s0 = xfer_to_x(a1); 6992 s1 = xfer_to_a(a0); 6993 s2 = new_stmt(BPF_ALU|BPF_X|code); 6994 6995 sappend(s1, s2); 6996 sappend(s0, s1); 6997 sappend(a1->s, s0); 6998 sappend(a0->s, a1->s); 6999 7000 free_reg(a0->regno); 7001 free_reg(a1->regno); 7002 7003 s0 = new_stmt(BPF_ST); 7004 a0->regno = s0->s.k = alloc_reg(); 7005 sappend(a0->s, s0); 7006 7007 return a0; 7008 } 7009 7010 /* 7011 * Here we handle simple allocation of the scratch registers. 7012 * If too many registers are alloc'd, the allocator punts. 7013 */ 7014 static int regused[BPF_MEMWORDS]; 7015 static int curreg; 7016 7017 /* 7018 * Initialize the table of used registers and the current register. 7019 */ 7020 static void 7021 init_regs() 7022 { 7023 curreg = 0; 7024 memset(regused, 0, sizeof regused); 7025 } 7026 7027 /* 7028 * Return the next free register. 7029 */ 7030 static int 7031 alloc_reg() 7032 { 7033 int n = BPF_MEMWORDS; 7034 7035 while (--n >= 0) { 7036 if (regused[curreg]) 7037 curreg = (curreg + 1) % BPF_MEMWORDS; 7038 else { 7039 regused[curreg] = 1; 7040 return curreg; 7041 } 7042 } 7043 bpf_error("too many registers needed to evaluate expression"); 7044 /* NOTREACHED */ 7045 return 0; 7046 } 7047 7048 /* 7049 * Return a register to the table so it can 7050 * be used later. 7051 */ 7052 static void 7053 free_reg(n) 7054 int n; 7055 { 7056 regused[n] = 0; 7057 } 7058 7059 static struct block * 7060 gen_len(jmp, n) 7061 int jmp, n; 7062 { 7063 struct slist *s; 7064 struct block *b; 7065 7066 s = new_stmt(BPF_LD|BPF_LEN); 7067 b = new_block(JMP(jmp)); 7068 b->stmts = s; 7069 b->s.k = n; 7070 7071 return b; 7072 } 7073 7074 struct block * 7075 gen_greater(n) 7076 int n; 7077 { 7078 return gen_len(BPF_JGE, n); 7079 } 7080 7081 /* 7082 * Actually, this is less than or equal. 7083 */ 7084 struct block * 7085 gen_less(n) 7086 int n; 7087 { 7088 struct block *b; 7089 7090 b = gen_len(BPF_JGT, n); 7091 gen_not(b); 7092 7093 return b; 7094 } 7095 7096 /* 7097 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7098 * the beginning of the link-layer header. 7099 * XXX - that means you can't test values in the radiotap header, but 7100 * as that header is difficult if not impossible to parse generally 7101 * without a loop, that might not be a severe problem. A new keyword 7102 * "radio" could be added for that, although what you'd really want 7103 * would be a way of testing particular radio header values, which 7104 * would generate code appropriate to the radio header in question. 7105 */ 7106 struct block * 7107 gen_byteop(op, idx, val) 7108 int op, idx, val; 7109 { 7110 struct block *b; 7111 struct slist *s; 7112 7113 switch (op) { 7114 default: 7115 abort(); 7116 7117 case '=': 7118 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7119 7120 case '<': 7121 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7122 return b; 7123 7124 case '>': 7125 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val); 7126 return b; 7127 7128 case '|': 7129 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7130 break; 7131 7132 case '&': 7133 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7134 break; 7135 } 7136 s->s.k = val; 7137 b = new_block(JMP(BPF_JEQ)); 7138 b->stmts = s; 7139 gen_not(b); 7140 7141 return b; 7142 } 7143 7144 static u_char abroadcast[] = { 0x0 }; 7145 7146 struct block * 7147 gen_broadcast(proto) 7148 int proto; 7149 { 7150 bpf_u_int32 hostmask; 7151 struct block *b0, *b1, *b2; 7152 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7153 7154 switch (proto) { 7155 7156 case Q_DEFAULT: 7157 case Q_LINK: 7158 switch (linktype) { 7159 case DLT_ARCNET: 7160 case DLT_ARCNET_LINUX: 7161 return gen_ahostop(abroadcast, Q_DST); 7162 case DLT_EN10MB: 7163 case DLT_NETANALYZER: 7164 case DLT_NETANALYZER_TRANSPARENT: 7165 return gen_ehostop(ebroadcast, Q_DST); 7166 case DLT_FDDI: 7167 return gen_fhostop(ebroadcast, Q_DST); 7168 case DLT_IEEE802: 7169 return gen_thostop(ebroadcast, Q_DST); 7170 case DLT_IEEE802_11: 7171 case DLT_PRISM_HEADER: 7172 case DLT_IEEE802_11_RADIO_AVS: 7173 case DLT_IEEE802_11_RADIO: 7174 case DLT_PPI: 7175 return gen_wlanhostop(ebroadcast, Q_DST); 7176 case DLT_IP_OVER_FC: 7177 return gen_ipfchostop(ebroadcast, Q_DST); 7178 case DLT_SUNATM: 7179 if (is_lane) { 7180 /* 7181 * Check that the packet doesn't begin with an 7182 * LE Control marker. (We've already generated 7183 * a test for LANE.) 7184 */ 7185 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7186 BPF_H, 0xFF00); 7187 gen_not(b1); 7188 7189 /* 7190 * Now check the MAC address. 7191 */ 7192 b0 = gen_ehostop(ebroadcast, Q_DST); 7193 gen_and(b1, b0); 7194 return b0; 7195 } 7196 break; 7197 default: 7198 bpf_error("not a broadcast link"); 7199 } 7200 break; 7201 7202 case Q_IP: 7203 /* 7204 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7205 * as an indication that we don't know the netmask, and fail 7206 * in that case. 7207 */ 7208 if (netmask == PCAP_NETMASK_UNKNOWN) 7209 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7210 b0 = gen_linktype(ETHERTYPE_IP); 7211 hostmask = ~netmask; 7212 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask); 7213 b2 = gen_mcmp(OR_NET, 16, BPF_W, 7214 (bpf_int32)(~0 & hostmask), hostmask); 7215 gen_or(b1, b2); 7216 gen_and(b0, b2); 7217 return b2; 7218 } 7219 bpf_error("only link-layer/IP broadcast filters supported"); 7220 /* NOTREACHED */ 7221 return NULL; 7222 } 7223 7224 /* 7225 * Generate code to test the low-order bit of a MAC address (that's 7226 * the bottom bit of the *first* byte). 7227 */ 7228 static struct block * 7229 gen_mac_multicast(offset) 7230 int offset; 7231 { 7232 register struct block *b0; 7233 register struct slist *s; 7234 7235 /* link[offset] & 1 != 0 */ 7236 s = gen_load_a(OR_LINK, offset, BPF_B); 7237 b0 = new_block(JMP(BPF_JSET)); 7238 b0->s.k = 1; 7239 b0->stmts = s; 7240 return b0; 7241 } 7242 7243 struct block * 7244 gen_multicast(proto) 7245 int proto; 7246 { 7247 register struct block *b0, *b1, *b2; 7248 register struct slist *s; 7249 7250 switch (proto) { 7251 7252 case Q_DEFAULT: 7253 case Q_LINK: 7254 switch (linktype) { 7255 case DLT_ARCNET: 7256 case DLT_ARCNET_LINUX: 7257 /* all ARCnet multicasts use the same address */ 7258 return gen_ahostop(abroadcast, Q_DST); 7259 case DLT_EN10MB: 7260 case DLT_NETANALYZER: 7261 case DLT_NETANALYZER_TRANSPARENT: 7262 /* ether[0] & 1 != 0 */ 7263 return gen_mac_multicast(0); 7264 case DLT_FDDI: 7265 /* 7266 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7267 * 7268 * XXX - was that referring to bit-order issues? 7269 */ 7270 /* fddi[1] & 1 != 0 */ 7271 return gen_mac_multicast(1); 7272 case DLT_IEEE802: 7273 /* tr[2] & 1 != 0 */ 7274 return gen_mac_multicast(2); 7275 case DLT_IEEE802_11: 7276 case DLT_PRISM_HEADER: 7277 case DLT_IEEE802_11_RADIO_AVS: 7278 case DLT_IEEE802_11_RADIO: 7279 case DLT_PPI: 7280 /* 7281 * Oh, yuk. 7282 * 7283 * For control frames, there is no DA. 7284 * 7285 * For management frames, DA is at an 7286 * offset of 4 from the beginning of 7287 * the packet. 7288 * 7289 * For data frames, DA is at an offset 7290 * of 4 from the beginning of the packet 7291 * if To DS is clear and at an offset of 7292 * 16 from the beginning of the packet 7293 * if To DS is set. 7294 */ 7295 7296 /* 7297 * Generate the tests to be done for data frames. 7298 * 7299 * First, check for To DS set, i.e. "link[1] & 0x01". 7300 */ 7301 s = gen_load_a(OR_LINK, 1, BPF_B); 7302 b1 = new_block(JMP(BPF_JSET)); 7303 b1->s.k = 0x01; /* To DS */ 7304 b1->stmts = s; 7305 7306 /* 7307 * If To DS is set, the DA is at 16. 7308 */ 7309 b0 = gen_mac_multicast(16); 7310 gen_and(b1, b0); 7311 7312 /* 7313 * Now, check for To DS not set, i.e. check 7314 * "!(link[1] & 0x01)". 7315 */ 7316 s = gen_load_a(OR_LINK, 1, BPF_B); 7317 b2 = new_block(JMP(BPF_JSET)); 7318 b2->s.k = 0x01; /* To DS */ 7319 b2->stmts = s; 7320 gen_not(b2); 7321 7322 /* 7323 * If To DS is not set, the DA is at 4. 7324 */ 7325 b1 = gen_mac_multicast(4); 7326 gen_and(b2, b1); 7327 7328 /* 7329 * Now OR together the last two checks. That gives 7330 * the complete set of checks for data frames. 7331 */ 7332 gen_or(b1, b0); 7333 7334 /* 7335 * Now check for a data frame. 7336 * I.e, check "link[0] & 0x08". 7337 */ 7338 s = gen_load_a(OR_LINK, 0, BPF_B); 7339 b1 = new_block(JMP(BPF_JSET)); 7340 b1->s.k = 0x08; 7341 b1->stmts = s; 7342 7343 /* 7344 * AND that with the checks done for data frames. 7345 */ 7346 gen_and(b1, b0); 7347 7348 /* 7349 * If the high-order bit of the type value is 0, this 7350 * is a management frame. 7351 * I.e, check "!(link[0] & 0x08)". 7352 */ 7353 s = gen_load_a(OR_LINK, 0, BPF_B); 7354 b2 = new_block(JMP(BPF_JSET)); 7355 b2->s.k = 0x08; 7356 b2->stmts = s; 7357 gen_not(b2); 7358 7359 /* 7360 * For management frames, the DA is at 4. 7361 */ 7362 b1 = gen_mac_multicast(4); 7363 gen_and(b2, b1); 7364 7365 /* 7366 * OR that with the checks done for data frames. 7367 * That gives the checks done for management and 7368 * data frames. 7369 */ 7370 gen_or(b1, b0); 7371 7372 /* 7373 * If the low-order bit of the type value is 1, 7374 * this is either a control frame or a frame 7375 * with a reserved type, and thus not a 7376 * frame with an SA. 7377 * 7378 * I.e., check "!(link[0] & 0x04)". 7379 */ 7380 s = gen_load_a(OR_LINK, 0, BPF_B); 7381 b1 = new_block(JMP(BPF_JSET)); 7382 b1->s.k = 0x04; 7383 b1->stmts = s; 7384 gen_not(b1); 7385 7386 /* 7387 * AND that with the checks for data and management 7388 * frames. 7389 */ 7390 gen_and(b1, b0); 7391 return b0; 7392 case DLT_IP_OVER_FC: 7393 b0 = gen_mac_multicast(2); 7394 return b0; 7395 case DLT_SUNATM: 7396 if (is_lane) { 7397 /* 7398 * Check that the packet doesn't begin with an 7399 * LE Control marker. (We've already generated 7400 * a test for LANE.) 7401 */ 7402 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, 7403 BPF_H, 0xFF00); 7404 gen_not(b1); 7405 7406 /* ether[off_mac] & 1 != 0 */ 7407 b0 = gen_mac_multicast(off_mac); 7408 gen_and(b1, b0); 7409 return b0; 7410 } 7411 break; 7412 default: 7413 break; 7414 } 7415 /* Link not known to support multicasts */ 7416 break; 7417 7418 case Q_IP: 7419 b0 = gen_linktype(ETHERTYPE_IP); 7420 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224); 7421 gen_and(b0, b1); 7422 return b1; 7423 7424 case Q_IPV6: 7425 b0 = gen_linktype(ETHERTYPE_IPV6); 7426 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255); 7427 gen_and(b0, b1); 7428 return b1; 7429 } 7430 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7431 /* NOTREACHED */ 7432 return NULL; 7433 } 7434 7435 /* 7436 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7437 * Outbound traffic is sent by this machine, while inbound traffic is 7438 * sent by a remote machine (and may include packets destined for a 7439 * unicast or multicast link-layer address we are not subscribing to). 7440 * These are the same definitions implemented by pcap_setdirection(). 7441 * Capturing only unicast traffic destined for this host is probably 7442 * better accomplished using a higher-layer filter. 7443 */ 7444 struct block * 7445 gen_inbound(dir) 7446 int dir; 7447 { 7448 register struct block *b0; 7449 7450 /* 7451 * Only some data link types support inbound/outbound qualifiers. 7452 */ 7453 switch (linktype) { 7454 case DLT_SLIP: 7455 b0 = gen_relation(BPF_JEQ, 7456 gen_load(Q_LINK, gen_loadi(0), 1), 7457 gen_loadi(0), 7458 dir); 7459 break; 7460 7461 case DLT_IPNET: 7462 if (dir) { 7463 /* match outgoing packets */ 7464 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_OUTBOUND); 7465 } else { 7466 /* match incoming packets */ 7467 b0 = gen_cmp(OR_LINK, 2, BPF_H, IPNET_INBOUND); 7468 } 7469 break; 7470 7471 case DLT_LINUX_SLL: 7472 /* match outgoing packets */ 7473 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING); 7474 if (!dir) { 7475 /* to filter on inbound traffic, invert the match */ 7476 gen_not(b0); 7477 } 7478 break; 7479 7480 #ifdef HAVE_NET_PFVAR_H 7481 case DLT_PFLOG: 7482 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B, 7483 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7484 break; 7485 #endif 7486 7487 case DLT_PPP_PPPD: 7488 if (dir) { 7489 /* match outgoing packets */ 7490 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT); 7491 } else { 7492 /* match incoming packets */ 7493 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN); 7494 } 7495 break; 7496 7497 case DLT_JUNIPER_MFR: 7498 case DLT_JUNIPER_MLFR: 7499 case DLT_JUNIPER_MLPPP: 7500 case DLT_JUNIPER_ATM1: 7501 case DLT_JUNIPER_ATM2: 7502 case DLT_JUNIPER_PPPOE: 7503 case DLT_JUNIPER_PPPOE_ATM: 7504 case DLT_JUNIPER_GGSN: 7505 case DLT_JUNIPER_ES: 7506 case DLT_JUNIPER_MONITOR: 7507 case DLT_JUNIPER_SERVICES: 7508 case DLT_JUNIPER_ETHER: 7509 case DLT_JUNIPER_PPP: 7510 case DLT_JUNIPER_FRELAY: 7511 case DLT_JUNIPER_CHDLC: 7512 case DLT_JUNIPER_VP: 7513 case DLT_JUNIPER_ST: 7514 case DLT_JUNIPER_ISM: 7515 case DLT_JUNIPER_VS: 7516 case DLT_JUNIPER_SRX_E2E: 7517 case DLT_JUNIPER_FIBRECHANNEL: 7518 case DLT_JUNIPER_ATM_CEMIC: 7519 7520 /* juniper flags (including direction) are stored 7521 * the byte after the 3-byte magic number */ 7522 if (dir) { 7523 /* match outgoing packets */ 7524 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01); 7525 } else { 7526 /* match incoming packets */ 7527 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01); 7528 } 7529 break; 7530 7531 default: 7532 /* 7533 * If we have packet meta-data indicating a direction, 7534 * check it, otherwise give up as this link-layer type 7535 * has nothing in the packet data. 7536 */ 7537 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7538 /* 7539 * This is Linux with PF_PACKET support. 7540 * If this is a *live* capture, we can look at 7541 * special meta-data in the filter expression; 7542 * if it's a savefile, we can't. 7543 */ 7544 if (bpf_pcap->rfile != NULL) { 7545 /* We have a FILE *, so this is a savefile */ 7546 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles", 7547 linktype); 7548 b0 = NULL; 7549 /* NOTREACHED */ 7550 } 7551 /* match outgoing packets */ 7552 b0 = gen_cmp(OR_LINK, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7553 PACKET_OUTGOING); 7554 if (!dir) { 7555 /* to filter on inbound traffic, invert the match */ 7556 gen_not(b0); 7557 } 7558 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7559 bpf_error("inbound/outbound not supported on linktype %d", 7560 linktype); 7561 b0 = NULL; 7562 /* NOTREACHED */ 7563 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7564 } 7565 return (b0); 7566 } 7567 7568 #ifdef HAVE_NET_PFVAR_H 7569 /* PF firewall log matched interface */ 7570 struct block * 7571 gen_pf_ifname(const char *ifname) 7572 { 7573 struct block *b0; 7574 u_int len, off; 7575 7576 if (linktype != DLT_PFLOG) { 7577 bpf_error("ifname supported only on PF linktype"); 7578 /* NOTREACHED */ 7579 } 7580 len = sizeof(((struct pfloghdr *)0)->ifname); 7581 off = offsetof(struct pfloghdr, ifname); 7582 if (strlen(ifname) >= len) { 7583 bpf_error("ifname interface names can only be %d characters", 7584 len-1); 7585 /* NOTREACHED */ 7586 } 7587 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname); 7588 return (b0); 7589 } 7590 7591 /* PF firewall log ruleset name */ 7592 struct block * 7593 gen_pf_ruleset(char *ruleset) 7594 { 7595 struct block *b0; 7596 7597 if (linktype != DLT_PFLOG) { 7598 bpf_error("ruleset supported only on PF linktype"); 7599 /* NOTREACHED */ 7600 } 7601 7602 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7603 bpf_error("ruleset names can only be %ld characters", 7604 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7605 /* NOTREACHED */ 7606 } 7607 7608 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset), 7609 strlen(ruleset), (const u_char *)ruleset); 7610 return (b0); 7611 } 7612 7613 /* PF firewall log rule number */ 7614 struct block * 7615 gen_pf_rnr(int rnr) 7616 { 7617 struct block *b0; 7618 7619 if (linktype != DLT_PFLOG) { 7620 bpf_error("rnr supported only on PF linktype"); 7621 /* NOTREACHED */ 7622 } 7623 7624 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W, 7625 (bpf_int32)rnr); 7626 return (b0); 7627 } 7628 7629 /* PF firewall log sub-rule number */ 7630 struct block * 7631 gen_pf_srnr(int srnr) 7632 { 7633 struct block *b0; 7634 7635 if (linktype != DLT_PFLOG) { 7636 bpf_error("srnr supported only on PF linktype"); 7637 /* NOTREACHED */ 7638 } 7639 7640 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W, 7641 (bpf_int32)srnr); 7642 return (b0); 7643 } 7644 7645 /* PF firewall log reason code */ 7646 struct block * 7647 gen_pf_reason(int reason) 7648 { 7649 struct block *b0; 7650 7651 if (linktype != DLT_PFLOG) { 7652 bpf_error("reason supported only on PF linktype"); 7653 /* NOTREACHED */ 7654 } 7655 7656 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B, 7657 (bpf_int32)reason); 7658 return (b0); 7659 } 7660 7661 /* PF firewall log action */ 7662 struct block * 7663 gen_pf_action(int action) 7664 { 7665 struct block *b0; 7666 7667 if (linktype != DLT_PFLOG) { 7668 bpf_error("action supported only on PF linktype"); 7669 /* NOTREACHED */ 7670 } 7671 7672 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B, 7673 (bpf_int32)action); 7674 return (b0); 7675 } 7676 #else /* !HAVE_NET_PFVAR_H */ 7677 struct block * 7678 gen_pf_ifname(const char *ifname) 7679 { 7680 bpf_error("libpcap was compiled without pf support"); 7681 /* NOTREACHED */ 7682 return (NULL); 7683 } 7684 7685 struct block * 7686 gen_pf_ruleset(char *ruleset) 7687 { 7688 bpf_error("libpcap was compiled on a machine without pf support"); 7689 /* NOTREACHED */ 7690 return (NULL); 7691 } 7692 7693 struct block * 7694 gen_pf_rnr(int rnr) 7695 { 7696 bpf_error("libpcap was compiled on a machine without pf support"); 7697 /* NOTREACHED */ 7698 return (NULL); 7699 } 7700 7701 struct block * 7702 gen_pf_srnr(int srnr) 7703 { 7704 bpf_error("libpcap was compiled on a machine without pf support"); 7705 /* NOTREACHED */ 7706 return (NULL); 7707 } 7708 7709 struct block * 7710 gen_pf_reason(int reason) 7711 { 7712 bpf_error("libpcap was compiled on a machine without pf support"); 7713 /* NOTREACHED */ 7714 return (NULL); 7715 } 7716 7717 struct block * 7718 gen_pf_action(int action) 7719 { 7720 bpf_error("libpcap was compiled on a machine without pf support"); 7721 /* NOTREACHED */ 7722 return (NULL); 7723 } 7724 #endif /* HAVE_NET_PFVAR_H */ 7725 7726 /* IEEE 802.11 wireless header */ 7727 struct block * 7728 gen_p80211_type(int type, int mask) 7729 { 7730 struct block *b0; 7731 7732 switch (linktype) { 7733 7734 case DLT_IEEE802_11: 7735 case DLT_PRISM_HEADER: 7736 case DLT_IEEE802_11_RADIO_AVS: 7737 case DLT_IEEE802_11_RADIO: 7738 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type, 7739 (bpf_int32)mask); 7740 break; 7741 7742 default: 7743 bpf_error("802.11 link-layer types supported only on 802.11"); 7744 /* NOTREACHED */ 7745 } 7746 7747 return (b0); 7748 } 7749 7750 struct block * 7751 gen_p80211_fcdir(int fcdir) 7752 { 7753 struct block *b0; 7754 7755 switch (linktype) { 7756 7757 case DLT_IEEE802_11: 7758 case DLT_PRISM_HEADER: 7759 case DLT_IEEE802_11_RADIO_AVS: 7760 case DLT_IEEE802_11_RADIO: 7761 break; 7762 7763 default: 7764 bpf_error("frame direction supported only with 802.11 headers"); 7765 /* NOTREACHED */ 7766 } 7767 7768 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir, 7769 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7770 7771 return (b0); 7772 } 7773 7774 struct block * 7775 gen_acode(eaddr, q) 7776 register const u_char *eaddr; 7777 struct qual q; 7778 { 7779 switch (linktype) { 7780 7781 case DLT_ARCNET: 7782 case DLT_ARCNET_LINUX: 7783 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7784 q.proto == Q_LINK) 7785 return (gen_ahostop(eaddr, (int)q.dir)); 7786 else { 7787 bpf_error("ARCnet address used in non-arc expression"); 7788 /* NOTREACHED */ 7789 } 7790 break; 7791 7792 default: 7793 bpf_error("aid supported only on ARCnet"); 7794 /* NOTREACHED */ 7795 } 7796 bpf_error("ARCnet address used in non-arc expression"); 7797 /* NOTREACHED */ 7798 return NULL; 7799 } 7800 7801 static struct block * 7802 gen_ahostop(eaddr, dir) 7803 register const u_char *eaddr; 7804 register int dir; 7805 { 7806 register struct block *b0, *b1; 7807 7808 switch (dir) { 7809 /* src comes first, different from Ethernet */ 7810 case Q_SRC: 7811 return gen_bcmp(OR_LINK, 0, 1, eaddr); 7812 7813 case Q_DST: 7814 return gen_bcmp(OR_LINK, 1, 1, eaddr); 7815 7816 case Q_AND: 7817 b0 = gen_ahostop(eaddr, Q_SRC); 7818 b1 = gen_ahostop(eaddr, Q_DST); 7819 gen_and(b0, b1); 7820 return b1; 7821 7822 case Q_DEFAULT: 7823 case Q_OR: 7824 b0 = gen_ahostop(eaddr, Q_SRC); 7825 b1 = gen_ahostop(eaddr, Q_DST); 7826 gen_or(b0, b1); 7827 return b1; 7828 7829 case Q_ADDR1: 7830 bpf_error("'addr1' is only supported on 802.11"); 7831 break; 7832 7833 case Q_ADDR2: 7834 bpf_error("'addr2' is only supported on 802.11"); 7835 break; 7836 7837 case Q_ADDR3: 7838 bpf_error("'addr3' is only supported on 802.11"); 7839 break; 7840 7841 case Q_ADDR4: 7842 bpf_error("'addr4' is only supported on 802.11"); 7843 break; 7844 7845 case Q_RA: 7846 bpf_error("'ra' is only supported on 802.11"); 7847 break; 7848 7849 case Q_TA: 7850 bpf_error("'ta' is only supported on 802.11"); 7851 break; 7852 } 7853 abort(); 7854 /* NOTREACHED */ 7855 } 7856 7857 /* 7858 * support IEEE 802.1Q VLAN trunk over ethernet 7859 */ 7860 struct block * 7861 gen_vlan(vlan_num) 7862 int vlan_num; 7863 { 7864 struct block *b0, *b1; 7865 7866 /* can't check for VLAN-encapsulated packets inside MPLS */ 7867 if (label_stack_depth > 0) 7868 bpf_error("no VLAN match after MPLS"); 7869 7870 /* 7871 * Check for a VLAN packet, and then change the offsets to point 7872 * to the type and data fields within the VLAN packet. Just 7873 * increment the offsets, so that we can support a hierarchy, e.g. 7874 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7875 * VLAN 100. 7876 * 7877 * XXX - this is a bit of a kludge. If we were to split the 7878 * compiler into a parser that parses an expression and 7879 * generates an expression tree, and a code generator that 7880 * takes an expression tree (which could come from our 7881 * parser or from some other parser) and generates BPF code, 7882 * we could perhaps make the offsets parameters of routines 7883 * and, in the handler for an "AND" node, pass to subnodes 7884 * other than the VLAN node the adjusted offsets. 7885 * 7886 * This would mean that "vlan" would, instead of changing the 7887 * behavior of *all* tests after it, change only the behavior 7888 * of tests ANDed with it. That would change the documented 7889 * semantics of "vlan", which might break some expressions. 7890 * However, it would mean that "(vlan and ip) or ip" would check 7891 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7892 * checking only for VLAN-encapsulated IP, so that could still 7893 * be considered worth doing; it wouldn't break expressions 7894 * that are of the form "vlan and ..." or "vlan N and ...", 7895 * which I suspect are the most common expressions involving 7896 * "vlan". "vlan or ..." doesn't necessarily do what the user 7897 * would really want, now, as all the "or ..." tests would 7898 * be done assuming a VLAN, even though the "or" could be viewed 7899 * as meaning "or, if this isn't a VLAN packet...". 7900 */ 7901 orig_nl = off_nl; 7902 7903 switch (linktype) { 7904 7905 case DLT_EN10MB: 7906 case DLT_NETANALYZER: 7907 case DLT_NETANALYZER_TRANSPARENT: 7908 /* check for VLAN, including QinQ */ 7909 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7910 (bpf_int32)ETHERTYPE_8021Q); 7911 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, 7912 (bpf_int32)ETHERTYPE_8021QINQ); 7913 gen_or(b0,b1); 7914 b0 = b1; 7915 7916 /* If a specific VLAN is requested, check VLAN id */ 7917 if (vlan_num >= 0) { 7918 b1 = gen_mcmp(OR_MACPL, 0, BPF_H, 7919 (bpf_int32)vlan_num, 0x0fff); 7920 gen_and(b0, b1); 7921 b0 = b1; 7922 } 7923 7924 off_macpl += 4; 7925 off_linktype += 4; 7926 #if 0 7927 off_nl_nosnap += 4; 7928 off_nl += 4; 7929 #endif 7930 break; 7931 7932 default: 7933 bpf_error("no VLAN support for data link type %d", 7934 linktype); 7935 /*NOTREACHED*/ 7936 } 7937 7938 return (b0); 7939 } 7940 7941 /* 7942 * support for MPLS 7943 */ 7944 struct block * 7945 gen_mpls(label_num) 7946 int label_num; 7947 { 7948 struct block *b0,*b1; 7949 7950 /* 7951 * Change the offsets to point to the type and data fields within 7952 * the MPLS packet. Just increment the offsets, so that we 7953 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 7954 * capture packets with an outer label of 100000 and an inner 7955 * label of 1024. 7956 * 7957 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 7958 */ 7959 orig_nl = off_nl; 7960 7961 if (label_stack_depth > 0) { 7962 /* just match the bottom-of-stack bit clear */ 7963 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01); 7964 } else { 7965 /* 7966 * Indicate that we're checking MPLS-encapsulated headers, 7967 * to make sure higher level code generators don't try to 7968 * match against IP-related protocols such as Q_ARP, Q_RARP 7969 * etc. 7970 */ 7971 switch (linktype) { 7972 7973 case DLT_C_HDLC: /* fall through */ 7974 case DLT_EN10MB: 7975 case DLT_NETANALYZER: 7976 case DLT_NETANALYZER_TRANSPARENT: 7977 b0 = gen_linktype(ETHERTYPE_MPLS); 7978 break; 7979 7980 case DLT_PPP: 7981 b0 = gen_linktype(PPP_MPLS_UCAST); 7982 break; 7983 7984 /* FIXME add other DLT_s ... 7985 * for Frame-Relay/and ATM this may get messy due to SNAP headers 7986 * leave it for now */ 7987 7988 default: 7989 bpf_error("no MPLS support for data link type %d", 7990 linktype); 7991 b0 = NULL; 7992 /*NOTREACHED*/ 7993 break; 7994 } 7995 } 7996 7997 /* If a specific MPLS label is requested, check it */ 7998 if (label_num >= 0) { 7999 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8000 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num, 8001 0xfffff000); /* only compare the first 20 bits */ 8002 gen_and(b0, b1); 8003 b0 = b1; 8004 } 8005 8006 off_nl_nosnap += 4; 8007 off_nl += 4; 8008 label_stack_depth++; 8009 return (b0); 8010 } 8011 8012 /* 8013 * Support PPPOE discovery and session. 8014 */ 8015 struct block * 8016 gen_pppoed() 8017 { 8018 /* check for PPPoE discovery */ 8019 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8020 } 8021 8022 struct block * 8023 gen_pppoes(sess_num) 8024 int sess_num; 8025 { 8026 struct block *b0, *b1; 8027 8028 /* 8029 * Test against the PPPoE session link-layer type. 8030 */ 8031 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8032 8033 /* 8034 * Change the offsets to point to the type and data fields within 8035 * the PPP packet, and note that this is PPPoE rather than 8036 * raw PPP. 8037 * 8038 * XXX - this is a bit of a kludge. If we were to split the 8039 * compiler into a parser that parses an expression and 8040 * generates an expression tree, and a code generator that 8041 * takes an expression tree (which could come from our 8042 * parser or from some other parser) and generates BPF code, 8043 * we could perhaps make the offsets parameters of routines 8044 * and, in the handler for an "AND" node, pass to subnodes 8045 * other than the PPPoE node the adjusted offsets. 8046 * 8047 * This would mean that "pppoes" would, instead of changing the 8048 * behavior of *all* tests after it, change only the behavior 8049 * of tests ANDed with it. That would change the documented 8050 * semantics of "pppoes", which might break some expressions. 8051 * However, it would mean that "(pppoes and ip) or ip" would check 8052 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8053 * checking only for VLAN-encapsulated IP, so that could still 8054 * be considered worth doing; it wouldn't break expressions 8055 * that are of the form "pppoes and ..." which I suspect are the 8056 * most common expressions involving "pppoes". "pppoes or ..." 8057 * doesn't necessarily do what the user would really want, now, 8058 * as all the "or ..." tests would be done assuming PPPoE, even 8059 * though the "or" could be viewed as meaning "or, if this isn't 8060 * a PPPoE packet...". 8061 */ 8062 orig_linktype = off_linktype; /* save original values */ 8063 orig_nl = off_nl; 8064 is_pppoes = 1; 8065 8066 /* If a specific session is requested, check PPPoE session id */ 8067 if (sess_num >= 0) { 8068 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, 8069 (bpf_int32)sess_num, 0x0000ffff); 8070 gen_and(b0, b1); 8071 b0 = b1; 8072 } 8073 8074 /* 8075 * The "network-layer" protocol is PPPoE, which has a 6-byte 8076 * PPPoE header, followed by a PPP packet. 8077 * 8078 * There is no HDLC encapsulation for the PPP packet (it's 8079 * encapsulated in PPPoES instead), so the link-layer type 8080 * starts at the first byte of the PPP packet. For PPPoE, 8081 * that offset is relative to the beginning of the total 8082 * link-layer payload, including any 802.2 LLC header, so 8083 * it's 6 bytes past off_nl. 8084 */ 8085 off_linktype = off_nl + 6; 8086 8087 /* 8088 * The network-layer offsets are relative to the beginning 8089 * of the MAC-layer payload; that's past the 6-byte 8090 * PPPoE header and the 2-byte PPP header. 8091 */ 8092 off_nl = 6+2; 8093 off_nl_nosnap = 6+2; 8094 8095 return b0; 8096 } 8097 8098 struct block * 8099 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8100 int atmfield; 8101 bpf_int32 jvalue; 8102 bpf_u_int32 jtype; 8103 int reverse; 8104 { 8105 struct block *b0; 8106 8107 switch (atmfield) { 8108 8109 case A_VPI: 8110 if (!is_atm) 8111 bpf_error("'vpi' supported only on raw ATM"); 8112 if (off_vpi == (u_int)-1) 8113 abort(); 8114 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype, 8115 reverse, jvalue); 8116 break; 8117 8118 case A_VCI: 8119 if (!is_atm) 8120 bpf_error("'vci' supported only on raw ATM"); 8121 if (off_vci == (u_int)-1) 8122 abort(); 8123 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype, 8124 reverse, jvalue); 8125 break; 8126 8127 case A_PROTOTYPE: 8128 if (off_proto == (u_int)-1) 8129 abort(); /* XXX - this isn't on FreeBSD */ 8130 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype, 8131 reverse, jvalue); 8132 break; 8133 8134 case A_MSGTYPE: 8135 if (off_payload == (u_int)-1) 8136 abort(); 8137 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B, 8138 0xffffffff, jtype, reverse, jvalue); 8139 break; 8140 8141 case A_CALLREFTYPE: 8142 if (!is_atm) 8143 bpf_error("'callref' supported only on raw ATM"); 8144 if (off_proto == (u_int)-1) 8145 abort(); 8146 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff, 8147 jtype, reverse, jvalue); 8148 break; 8149 8150 default: 8151 abort(); 8152 } 8153 return b0; 8154 } 8155 8156 struct block * 8157 gen_atmtype_abbrev(type) 8158 int type; 8159 { 8160 struct block *b0, *b1; 8161 8162 switch (type) { 8163 8164 case A_METAC: 8165 /* Get all packets in Meta signalling Circuit */ 8166 if (!is_atm) 8167 bpf_error("'metac' supported only on raw ATM"); 8168 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8169 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8170 gen_and(b0, b1); 8171 break; 8172 8173 case A_BCC: 8174 /* Get all packets in Broadcast Circuit*/ 8175 if (!is_atm) 8176 bpf_error("'bcc' supported only on raw ATM"); 8177 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8178 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8179 gen_and(b0, b1); 8180 break; 8181 8182 case A_OAMF4SC: 8183 /* Get all cells in Segment OAM F4 circuit*/ 8184 if (!is_atm) 8185 bpf_error("'oam4sc' supported only on raw ATM"); 8186 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8187 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8188 gen_and(b0, b1); 8189 break; 8190 8191 case A_OAMF4EC: 8192 /* Get all cells in End-to-End OAM F4 Circuit*/ 8193 if (!is_atm) 8194 bpf_error("'oam4ec' supported only on raw ATM"); 8195 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8196 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8197 gen_and(b0, b1); 8198 break; 8199 8200 case A_SC: 8201 /* Get all packets in connection Signalling Circuit */ 8202 if (!is_atm) 8203 bpf_error("'sc' supported only on raw ATM"); 8204 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8205 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8206 gen_and(b0, b1); 8207 break; 8208 8209 case A_ILMIC: 8210 /* Get all packets in ILMI Circuit */ 8211 if (!is_atm) 8212 bpf_error("'ilmic' supported only on raw ATM"); 8213 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8214 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8215 gen_and(b0, b1); 8216 break; 8217 8218 case A_LANE: 8219 /* Get all LANE packets */ 8220 if (!is_atm) 8221 bpf_error("'lane' supported only on raw ATM"); 8222 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8223 8224 /* 8225 * Arrange that all subsequent tests assume LANE 8226 * rather than LLC-encapsulated packets, and set 8227 * the offsets appropriately for LANE-encapsulated 8228 * Ethernet. 8229 * 8230 * "off_mac" is the offset of the Ethernet header, 8231 * which is 2 bytes past the ATM pseudo-header 8232 * (skipping the pseudo-header and 2-byte LE Client 8233 * field). The other offsets are Ethernet offsets 8234 * relative to "off_mac". 8235 */ 8236 is_lane = 1; 8237 off_mac = off_payload + 2; /* MAC header */ 8238 off_linktype = off_mac + 12; 8239 off_macpl = off_mac + 14; /* Ethernet */ 8240 off_nl = 0; /* Ethernet II */ 8241 off_nl_nosnap = 3; /* 802.3+802.2 */ 8242 break; 8243 8244 case A_LLC: 8245 /* Get all LLC-encapsulated packets */ 8246 if (!is_atm) 8247 bpf_error("'llc' supported only on raw ATM"); 8248 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8249 is_lane = 0; 8250 break; 8251 8252 default: 8253 abort(); 8254 } 8255 return b1; 8256 } 8257 8258 /* 8259 * Filtering for MTP2 messages based on li value 8260 * FISU, length is null 8261 * LSSU, length is 1 or 2 8262 * MSU, length is 3 or more 8263 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 8264 */ 8265 struct block * 8266 gen_mtp2type_abbrev(type) 8267 int type; 8268 { 8269 struct block *b0, *b1; 8270 8271 switch (type) { 8272 8273 case M_FISU: 8274 if ( (linktype != DLT_MTP2) && 8275 (linktype != DLT_ERF) && 8276 (linktype != DLT_MTP2_WITH_PHDR) ) 8277 bpf_error("'fisu' supported only on MTP2"); 8278 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8279 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8280 break; 8281 8282 case M_LSSU: 8283 if ( (linktype != DLT_MTP2) && 8284 (linktype != DLT_ERF) && 8285 (linktype != DLT_MTP2_WITH_PHDR) ) 8286 bpf_error("'lssu' supported only on MTP2"); 8287 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8288 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8289 gen_and(b1, b0); 8290 break; 8291 8292 case M_MSU: 8293 if ( (linktype != DLT_MTP2) && 8294 (linktype != DLT_ERF) && 8295 (linktype != DLT_MTP2_WITH_PHDR) ) 8296 bpf_error("'msu' supported only on MTP2"); 8297 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8298 break; 8299 8300 case MH_FISU: 8301 if ( (linktype != DLT_MTP2) && 8302 (linktype != DLT_ERF) && 8303 (linktype != DLT_MTP2_WITH_PHDR) ) 8304 bpf_error("'hfisu' supported only on MTP2_HSL"); 8305 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8306 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 8307 break; 8308 8309 case MH_LSSU: 8310 if ( (linktype != DLT_MTP2) && 8311 (linktype != DLT_ERF) && 8312 (linktype != DLT_MTP2_WITH_PHDR) ) 8313 bpf_error("'hlssu' supported only on MTP2_HSL"); 8314 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 8315 b1 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 8316 gen_and(b1, b0); 8317 break; 8318 8319 case MH_MSU: 8320 if ( (linktype != DLT_MTP2) && 8321 (linktype != DLT_ERF) && 8322 (linktype != DLT_MTP2_WITH_PHDR) ) 8323 bpf_error("'hmsu' supported only on MTP2_HSL"); 8324 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 8325 break; 8326 8327 default: 8328 abort(); 8329 } 8330 return b0; 8331 } 8332 8333 struct block * 8334 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8335 int mtp3field; 8336 bpf_u_int32 jvalue; 8337 bpf_u_int32 jtype; 8338 int reverse; 8339 { 8340 struct block *b0; 8341 bpf_u_int32 val1 , val2 , val3; 8342 u_int newoff_sio=off_sio; 8343 u_int newoff_opc=off_opc; 8344 u_int newoff_dpc=off_dpc; 8345 u_int newoff_sls=off_sls; 8346 8347 switch (mtp3field) { 8348 8349 case MH_SIO: 8350 newoff_sio += 3; /* offset for MTP2_HSL */ 8351 /* FALLTHROUGH */ 8352 8353 case M_SIO: 8354 if (off_sio == (u_int)-1) 8355 bpf_error("'sio' supported only on SS7"); 8356 /* sio coded on 1 byte so max value 255 */ 8357 if(jvalue > 255) 8358 bpf_error("sio value %u too big; max value = 255", 8359 jvalue); 8360 b0 = gen_ncmp(OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 8361 (u_int)jtype, reverse, (u_int)jvalue); 8362 break; 8363 8364 case MH_OPC: 8365 newoff_opc+=3; 8366 case M_OPC: 8367 if (off_opc == (u_int)-1) 8368 bpf_error("'opc' supported only on SS7"); 8369 /* opc coded on 14 bits so max value 16383 */ 8370 if (jvalue > 16383) 8371 bpf_error("opc value %u too big; max value = 16383", 8372 jvalue); 8373 /* the following instructions are made to convert jvalue 8374 * to the form used to write opc in an ss7 message*/ 8375 val1 = jvalue & 0x00003c00; 8376 val1 = val1 >>10; 8377 val2 = jvalue & 0x000003fc; 8378 val2 = val2 <<6; 8379 val3 = jvalue & 0x00000003; 8380 val3 = val3 <<22; 8381 jvalue = val1 + val2 + val3; 8382 b0 = gen_ncmp(OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 8383 (u_int)jtype, reverse, (u_int)jvalue); 8384 break; 8385 8386 case MH_DPC: 8387 newoff_dpc += 3; 8388 /* FALLTHROUGH */ 8389 8390 case M_DPC: 8391 if (off_dpc == (u_int)-1) 8392 bpf_error("'dpc' supported only on SS7"); 8393 /* dpc coded on 14 bits so max value 16383 */ 8394 if (jvalue > 16383) 8395 bpf_error("dpc value %u too big; max value = 16383", 8396 jvalue); 8397 /* the following instructions are made to convert jvalue 8398 * to the forme used to write dpc in an ss7 message*/ 8399 val1 = jvalue & 0x000000ff; 8400 val1 = val1 << 24; 8401 val2 = jvalue & 0x00003f00; 8402 val2 = val2 << 8; 8403 jvalue = val1 + val2; 8404 b0 = gen_ncmp(OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 8405 (u_int)jtype, reverse, (u_int)jvalue); 8406 break; 8407 8408 case MH_SLS: 8409 newoff_sls+=3; 8410 case M_SLS: 8411 if (off_sls == (u_int)-1) 8412 bpf_error("'sls' supported only on SS7"); 8413 /* sls coded on 4 bits so max value 15 */ 8414 if (jvalue > 15) 8415 bpf_error("sls value %u too big; max value = 15", 8416 jvalue); 8417 /* the following instruction is made to convert jvalue 8418 * to the forme used to write sls in an ss7 message*/ 8419 jvalue = jvalue << 4; 8420 b0 = gen_ncmp(OR_PACKET, newoff_sls, BPF_B, 0xf0, 8421 (u_int)jtype,reverse, (u_int)jvalue); 8422 break; 8423 8424 default: 8425 abort(); 8426 } 8427 return b0; 8428 } 8429 8430 static struct block * 8431 gen_msg_abbrev(type) 8432 int type; 8433 { 8434 struct block *b1; 8435 8436 /* 8437 * Q.2931 signalling protocol messages for handling virtual circuits 8438 * establishment and teardown 8439 */ 8440 switch (type) { 8441 8442 case A_SETUP: 8443 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8444 break; 8445 8446 case A_CALLPROCEED: 8447 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8448 break; 8449 8450 case A_CONNECT: 8451 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8452 break; 8453 8454 case A_CONNECTACK: 8455 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8456 break; 8457 8458 case A_RELEASE: 8459 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8460 break; 8461 8462 case A_RELEASE_DONE: 8463 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8464 break; 8465 8466 default: 8467 abort(); 8468 } 8469 return b1; 8470 } 8471 8472 struct block * 8473 gen_atmmulti_abbrev(type) 8474 int type; 8475 { 8476 struct block *b0, *b1; 8477 8478 switch (type) { 8479 8480 case A_OAM: 8481 if (!is_atm) 8482 bpf_error("'oam' supported only on raw ATM"); 8483 b1 = gen_atmmulti_abbrev(A_OAMF4); 8484 break; 8485 8486 case A_OAMF4: 8487 if (!is_atm) 8488 bpf_error("'oamf4' supported only on raw ATM"); 8489 /* OAM F4 type */ 8490 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8491 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8492 gen_or(b0, b1); 8493 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8494 gen_and(b0, b1); 8495 break; 8496 8497 case A_CONNECTMSG: 8498 /* 8499 * Get Q.2931 signalling messages for switched 8500 * virtual connection 8501 */ 8502 if (!is_atm) 8503 bpf_error("'connectmsg' supported only on raw ATM"); 8504 b0 = gen_msg_abbrev(A_SETUP); 8505 b1 = gen_msg_abbrev(A_CALLPROCEED); 8506 gen_or(b0, b1); 8507 b0 = gen_msg_abbrev(A_CONNECT); 8508 gen_or(b0, b1); 8509 b0 = gen_msg_abbrev(A_CONNECTACK); 8510 gen_or(b0, b1); 8511 b0 = gen_msg_abbrev(A_RELEASE); 8512 gen_or(b0, b1); 8513 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8514 gen_or(b0, b1); 8515 b0 = gen_atmtype_abbrev(A_SC); 8516 gen_and(b0, b1); 8517 break; 8518 8519 case A_METACONNECT: 8520 if (!is_atm) 8521 bpf_error("'metaconnect' supported only on raw ATM"); 8522 b0 = gen_msg_abbrev(A_SETUP); 8523 b1 = gen_msg_abbrev(A_CALLPROCEED); 8524 gen_or(b0, b1); 8525 b0 = gen_msg_abbrev(A_CONNECT); 8526 gen_or(b0, b1); 8527 b0 = gen_msg_abbrev(A_RELEASE); 8528 gen_or(b0, b1); 8529 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8530 gen_or(b0, b1); 8531 b0 = gen_atmtype_abbrev(A_METAC); 8532 gen_and(b0, b1); 8533 break; 8534 8535 default: 8536 abort(); 8537 } 8538 return b1; 8539 } 8540
