1 /*#define CHASE_CHAIN*/ 2 /* 3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998 4 * The Regents of the University of California. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that: (1) source code distributions 8 * retain the above copyright notice and this paragraph in its entirety, (2) 9 * distributions including binary code include the above copyright notice and 10 * this paragraph in its entirety in the documentation or other materials 11 * provided with the distribution, and (3) all advertising materials mentioning 12 * features or use of this software display the following acknowledgement: 13 * ``This product includes software developed by the University of California, 14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of 15 * the University nor the names of its contributors may be used to endorse 16 * or promote products derived from this software without specific prior 17 * written permission. 18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED 19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF 20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 21 */ 22 23 #ifdef HAVE_CONFIG_H 24 #include "config.h" 25 #endif 26 27 #ifdef WIN32 28 #include <pcap-stdinc.h> 29 #else /* WIN32 */ 30 #if HAVE_INTTYPES_H 31 #include <inttypes.h> 32 #elif HAVE_STDINT_H 33 #include <stdint.h> 34 #endif 35 #ifdef HAVE_SYS_BITYPES_H 36 #include <sys/bitypes.h> 37 #endif 38 #include <sys/types.h> 39 #include <sys/socket.h> 40 #endif /* WIN32 */ 41 42 /* 43 * XXX - why was this included even on UNIX? 44 */ 45 #ifdef __MINGW32__ 46 #include "ip6_misc.h" 47 #endif 48 49 #ifndef WIN32 50 51 #ifdef __NetBSD__ 52 #include <sys/param.h> 53 #endif 54 55 #include <netinet/in.h> 56 #include <arpa/inet.h> 57 58 #endif /* WIN32 */ 59 60 #include <stdlib.h> 61 #include <string.h> 62 #include <memory.h> 63 #include <setjmp.h> 64 #include <stdarg.h> 65 66 #ifdef MSDOS 67 #include "pcap-dos.h" 68 #endif 69 70 #include "pcap-int.h" 71 72 #include "ethertype.h" 73 #include "nlpid.h" 74 #include "llc.h" 75 #include "gencode.h" 76 #include "ieee80211.h" 77 #include "atmuni31.h" 78 #include "sunatmpos.h" 79 #include "ppp.h" 80 #include "pcap/sll.h" 81 #include "pcap/ipnet.h" 82 #include "arcnet.h" 83 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 84 #include <linux/types.h> 85 #include <linux/if_packet.h> 86 #include <linux/filter.h> 87 #endif 88 #ifdef HAVE_NET_PFVAR_H 89 #include <sys/socket.h> 90 #include <net/if.h> 91 #include <net/pfvar.h> 92 #include <net/if_pflog.h> 93 #endif 94 #ifndef offsetof 95 #define offsetof(s, e) ((size_t)&((s *)0)->e) 96 #endif 97 #ifdef INET6 98 #ifndef WIN32 99 #include <netdb.h> /* for "struct addrinfo" */ 100 #endif /* WIN32 */ 101 #endif /*INET6*/ 102 #include <pcap/namedb.h> 103 104 #define ETHERMTU 1500 105 106 #ifndef ETHERTYPE_TEB 107 #define ETHERTYPE_TEB 0x6558 108 #endif 109 110 #ifndef IPPROTO_HOPOPTS 111 #define IPPROTO_HOPOPTS 0 112 #endif 113 #ifndef IPPROTO_ROUTING 114 #define IPPROTO_ROUTING 43 115 #endif 116 #ifndef IPPROTO_FRAGMENT 117 #define IPPROTO_FRAGMENT 44 118 #endif 119 #ifndef IPPROTO_DSTOPTS 120 #define IPPROTO_DSTOPTS 60 121 #endif 122 #ifndef IPPROTO_SCTP 123 #define IPPROTO_SCTP 132 124 #endif 125 126 #define GENEVE_PORT 6081 127 128 #ifdef HAVE_OS_PROTO_H 129 #include "os-proto.h" 130 #endif 131 132 #define JMP(c) ((c)|BPF_JMP|BPF_K) 133 134 /* Locals */ 135 static jmp_buf top_ctx; 136 static pcap_t *bpf_pcap; 137 138 /* Hack for handling VLAN and MPLS stacks. */ 139 #ifdef WIN32 140 static u_int label_stack_depth = (u_int)-1, vlan_stack_depth = (u_int)-1; 141 #else 142 static u_int label_stack_depth = -1U, vlan_stack_depth = -1U; 143 #endif 144 145 /* XXX */ 146 static int pcap_fddipad; 147 148 /* VARARGS */ 149 void 150 bpf_error(const char *fmt, ...) 151 { 152 va_list ap; 153 154 va_start(ap, fmt); 155 if (bpf_pcap != NULL) 156 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE, 157 fmt, ap); 158 va_end(ap); 159 longjmp(top_ctx, 1); 160 /* NOTREACHED */ 161 } 162 163 static void init_linktype(pcap_t *); 164 165 static void init_regs(void); 166 static int alloc_reg(void); 167 static void free_reg(int); 168 169 static struct block *root; 170 171 /* 172 * Absolute offsets, which are offsets from the beginning of the raw 173 * packet data, are, in the general case, the sum of a variable value 174 * and a constant value; the variable value may be absent, in which 175 * case the offset is only the constant value, and the constant value 176 * may be zero, in which case the offset is only the variable value. 177 * 178 * bpf_abs_offset is a structure containing all that information: 179 * 180 * is_variable is 1 if there's a variable part. 181 * 182 * constant_part is the constant part of the value, possibly zero; 183 * 184 * if is_variable is 1, reg is the register number for a register 185 * containing the variable value if the register has been assigned, 186 * and -1 otherwise. 187 */ 188 typedef struct { 189 int is_variable; 190 u_int constant_part; 191 int reg; 192 } bpf_abs_offset; 193 194 /* 195 * Value passed to gen_load_a() to indicate what the offset argument 196 * is relative to the beginning of. 197 */ 198 enum e_offrel { 199 OR_PACKET, /* full packet data */ 200 OR_LINKHDR, /* link-layer header */ 201 OR_PREVLINKHDR, /* previous link-layer header */ 202 OR_LLC, /* 802.2 LLC header */ 203 OR_PREVMPLSHDR, /* previous MPLS header */ 204 OR_LINKTYPE, /* link-layer type */ 205 OR_LINKPL, /* link-layer payload */ 206 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */ 207 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */ 208 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */ 209 }; 210 211 #ifdef INET6 212 /* 213 * As errors are handled by a longjmp, anything allocated must be freed 214 * in the longjmp handler, so it must be reachable from that handler. 215 * One thing that's allocated is the result of pcap_nametoaddrinfo(); 216 * it must be freed with freeaddrinfo(). This variable points to any 217 * addrinfo structure that would need to be freed. 218 */ 219 static struct addrinfo *ai; 220 #endif 221 222 /* 223 * We divy out chunks of memory rather than call malloc each time so 224 * we don't have to worry about leaking memory. It's probably 225 * not a big deal if all this memory was wasted but if this ever 226 * goes into a library that would probably not be a good idea. 227 * 228 * XXX - this *is* in a library.... 229 */ 230 #define NCHUNKS 16 231 #define CHUNK0SIZE 1024 232 struct chunk { 233 u_int n_left; 234 void *m; 235 }; 236 237 static struct chunk chunks[NCHUNKS]; 238 static int cur_chunk; 239 240 static void *newchunk(u_int); 241 static void freechunks(void); 242 static inline struct block *new_block(int); 243 static inline struct slist *new_stmt(int); 244 static struct block *gen_retblk(int); 245 static inline void syntax(void); 246 247 static void backpatch(struct block *, struct block *); 248 static void merge(struct block *, struct block *); 249 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32); 250 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32); 251 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32); 252 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32); 253 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32); 254 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32, 255 bpf_u_int32); 256 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *); 257 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32, 258 bpf_u_int32, bpf_u_int32, int, bpf_int32); 259 static struct slist *gen_load_absoffsetrel(bpf_abs_offset *, u_int, u_int); 260 static struct slist *gen_load_a(enum e_offrel, u_int, u_int); 261 static struct slist *gen_loadx_iphdrlen(void); 262 static struct block *gen_uncond(int); 263 static inline struct block *gen_true(void); 264 static inline struct block *gen_false(void); 265 static struct block *gen_ether_linktype(int); 266 static struct block *gen_ipnet_linktype(int); 267 static struct block *gen_linux_sll_linktype(int); 268 static struct slist *gen_load_prism_llprefixlen(void); 269 static struct slist *gen_load_avs_llprefixlen(void); 270 static struct slist *gen_load_radiotap_llprefixlen(void); 271 static struct slist *gen_load_ppi_llprefixlen(void); 272 static void insert_compute_vloffsets(struct block *); 273 static struct slist *gen_abs_offset_varpart(bpf_abs_offset *); 274 static int ethertype_to_ppptype(int); 275 static struct block *gen_linktype(int); 276 static struct block *gen_snap(bpf_u_int32, bpf_u_int32); 277 static struct block *gen_llc_linktype(int); 278 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int); 279 #ifdef INET6 280 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int); 281 #endif 282 static struct block *gen_ahostop(const u_char *, int); 283 static struct block *gen_ehostop(const u_char *, int); 284 static struct block *gen_fhostop(const u_char *, int); 285 static struct block *gen_thostop(const u_char *, int); 286 static struct block *gen_wlanhostop(const u_char *, int); 287 static struct block *gen_ipfchostop(const u_char *, int); 288 static struct block *gen_dnhostop(bpf_u_int32, int); 289 static struct block *gen_mpls_linktype(int); 290 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int); 291 #ifdef INET6 292 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int); 293 #endif 294 #ifndef INET6 295 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int); 296 #endif 297 static struct block *gen_ipfrag(void); 298 static struct block *gen_portatom(int, bpf_int32); 299 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32); 300 static struct block *gen_portatom6(int, bpf_int32); 301 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32); 302 struct block *gen_portop(int, int, int); 303 static struct block *gen_port(int, int, int); 304 struct block *gen_portrangeop(int, int, int, int); 305 static struct block *gen_portrange(int, int, int, int); 306 struct block *gen_portop6(int, int, int); 307 static struct block *gen_port6(int, int, int); 308 struct block *gen_portrangeop6(int, int, int, int); 309 static struct block *gen_portrange6(int, int, int, int); 310 static int lookup_proto(const char *, int); 311 static struct block *gen_protochain(int, int, int); 312 static struct block *gen_proto(int, int, int); 313 static struct slist *xfer_to_x(struct arth *); 314 static struct slist *xfer_to_a(struct arth *); 315 static struct block *gen_mac_multicast(int); 316 static struct block *gen_len(int, int); 317 static struct block *gen_check_802_11_data_frame(void); 318 static struct block *gen_geneve_ll_check(void); 319 320 static struct block *gen_ppi_dlt_check(void); 321 static struct block *gen_msg_abbrev(int type); 322 323 static void * 324 newchunk(n) 325 u_int n; 326 { 327 struct chunk *cp; 328 int k; 329 size_t size; 330 331 #ifndef __NetBSD__ 332 /* XXX Round up to nearest long. */ 333 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1); 334 #else 335 /* XXX Round up to structure boundary. */ 336 n = ALIGN(n); 337 #endif 338 339 cp = &chunks[cur_chunk]; 340 if (n > cp->n_left) { 341 ++cp, k = ++cur_chunk; 342 if (k >= NCHUNKS) 343 bpf_error("out of memory"); 344 size = CHUNK0SIZE << k; 345 cp->m = (void *)malloc(size); 346 if (cp->m == NULL) 347 bpf_error("out of memory"); 348 memset((char *)cp->m, 0, size); 349 cp->n_left = size; 350 if (n > size) 351 bpf_error("out of memory"); 352 } 353 cp->n_left -= n; 354 return (void *)((char *)cp->m + cp->n_left); 355 } 356 357 static void 358 freechunks() 359 { 360 int i; 361 362 cur_chunk = 0; 363 for (i = 0; i < NCHUNKS; ++i) 364 if (chunks[i].m != NULL) { 365 free(chunks[i].m); 366 chunks[i].m = NULL; 367 } 368 } 369 370 /* 371 * A strdup whose allocations are freed after code generation is over. 372 */ 373 char * 374 sdup(s) 375 register const char *s; 376 { 377 int n = strlen(s) + 1; 378 char *cp = newchunk(n); 379 380 strlcpy(cp, s, n); 381 return (cp); 382 } 383 384 static inline struct block * 385 new_block(code) 386 int code; 387 { 388 struct block *p; 389 390 p = (struct block *)newchunk(sizeof(*p)); 391 p->s.code = code; 392 p->head = p; 393 394 return p; 395 } 396 397 static inline struct slist * 398 new_stmt(code) 399 int code; 400 { 401 struct slist *p; 402 403 p = (struct slist *)newchunk(sizeof(*p)); 404 p->s.code = code; 405 406 return p; 407 } 408 409 static struct block * 410 gen_retblk(v) 411 int v; 412 { 413 struct block *b = new_block(BPF_RET|BPF_K); 414 415 b->s.k = v; 416 return b; 417 } 418 419 static inline void 420 syntax() 421 { 422 bpf_error("syntax error in filter expression"); 423 } 424 425 static bpf_u_int32 netmask; 426 static int snaplen; 427 int no_optimize; 428 429 int 430 pcap_compile(pcap_t *p, struct bpf_program *program, 431 const char *buf, int optimize, bpf_u_int32 mask) 432 { 433 extern int n_errors; 434 const char * volatile xbuf = buf; 435 u_int len; 436 int rc; 437 438 /* 439 * XXX - single-thread this code path with pthread calls on 440 * UN*X, if the platform supports pthreads? If that requires 441 * a separate -lpthread, we might not want to do that. 442 */ 443 #ifdef WIN32 444 extern int wsockinit (void); 445 static int done = 0; 446 447 if (!done) 448 wsockinit(); 449 done = 1; 450 EnterCriticalSection(&g_PcapCompileCriticalSection); 451 #endif 452 453 /* 454 * If this pcap_t hasn't been activated, it doesn't have a 455 * link-layer type, so we can't use it. 456 */ 457 if (!p->activated) { 458 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 459 "not-yet-activated pcap_t passed to pcap_compile"); 460 rc = -1; 461 goto quit; 462 } 463 no_optimize = 0; 464 n_errors = 0; 465 root = NULL; 466 bpf_pcap = p; 467 init_regs(); 468 469 if (setjmp(top_ctx)) { 470 #ifdef INET6 471 if (ai != NULL) { 472 freeaddrinfo(ai); 473 ai = NULL; 474 } 475 #endif 476 lex_cleanup(); 477 freechunks(); 478 rc = -1; 479 goto quit; 480 } 481 482 netmask = mask; 483 484 snaplen = pcap_snapshot(p); 485 if (snaplen == 0) { 486 snprintf(p->errbuf, PCAP_ERRBUF_SIZE, 487 "snaplen of 0 rejects all packets"); 488 rc = -1; 489 goto quit; 490 } 491 492 lex_init(xbuf ? xbuf : ""); 493 init_linktype(p); 494 (void)pcap_parse(); 495 496 if (n_errors) 497 syntax(); 498 499 if (root == NULL) 500 root = gen_retblk(snaplen); 501 502 if (optimize && !no_optimize) { 503 bpf_optimize(&root); 504 if (root == NULL || 505 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0)) 506 bpf_error("expression rejects all packets"); 507 } 508 program->bf_insns = icode_to_fcode(root, &len); 509 program->bf_len = len; 510 511 lex_cleanup(); 512 freechunks(); 513 514 rc = 0; /* We're all okay */ 515 516 quit: 517 518 #ifdef WIN32 519 LeaveCriticalSection(&g_PcapCompileCriticalSection); 520 #endif 521 522 return (rc); 523 } 524 525 /* 526 * entry point for using the compiler with no pcap open 527 * pass in all the stuff that is needed explicitly instead. 528 */ 529 int 530 pcap_compile_nopcap(int snaplen_arg, int linktype_arg, 531 struct bpf_program *program, 532 const char *buf, int optimize, bpf_u_int32 mask) 533 { 534 pcap_t *p; 535 int ret; 536 537 p = pcap_open_dead(linktype_arg, snaplen_arg); 538 if (p == NULL) 539 return (-1); 540 ret = pcap_compile(p, program, buf, optimize, mask); 541 pcap_close(p); 542 return (ret); 543 } 544 545 /* 546 * Clean up a "struct bpf_program" by freeing all the memory allocated 547 * in it. 548 */ 549 void 550 pcap_freecode(struct bpf_program *program) 551 { 552 program->bf_len = 0; 553 if (program->bf_insns != NULL) { 554 free((char *)program->bf_insns); 555 program->bf_insns = NULL; 556 } 557 } 558 559 /* 560 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates 561 * which of the jt and jf fields has been resolved and which is a pointer 562 * back to another unresolved block (or nil). At least one of the fields 563 * in each block is already resolved. 564 */ 565 static void 566 backpatch(list, target) 567 struct block *list, *target; 568 { 569 struct block *next; 570 571 while (list) { 572 if (!list->sense) { 573 next = JT(list); 574 JT(list) = target; 575 } else { 576 next = JF(list); 577 JF(list) = target; 578 } 579 list = next; 580 } 581 } 582 583 /* 584 * Merge the lists in b0 and b1, using the 'sense' field to indicate 585 * which of jt and jf is the link. 586 */ 587 static void 588 merge(b0, b1) 589 struct block *b0, *b1; 590 { 591 register struct block **p = &b0; 592 593 /* Find end of list. */ 594 while (*p) 595 p = !((*p)->sense) ? &JT(*p) : &JF(*p); 596 597 /* Concatenate the lists. */ 598 *p = b1; 599 } 600 601 void 602 finish_parse(p) 603 struct block *p; 604 { 605 struct block *ppi_dlt_check; 606 607 /* 608 * Insert before the statements of the first (root) block any 609 * statements needed to load the lengths of any variable-length 610 * headers into registers. 611 * 612 * XXX - a fancier strategy would be to insert those before the 613 * statements of all blocks that use those lengths and that 614 * have no predecessors that use them, so that we only compute 615 * the lengths if we need them. There might be even better 616 * approaches than that. 617 * 618 * However, those strategies would be more complicated, and 619 * as we don't generate code to compute a length if the 620 * program has no tests that use the length, and as most 621 * tests will probably use those lengths, we would just 622 * postpone computing the lengths so that it's not done 623 * for tests that fail early, and it's not clear that's 624 * worth the effort. 625 */ 626 insert_compute_vloffsets(p->head); 627 628 /* 629 * For DLT_PPI captures, generate a check of the per-packet 630 * DLT value to make sure it's DLT_IEEE802_11. 631 */ 632 ppi_dlt_check = gen_ppi_dlt_check(); 633 if (ppi_dlt_check != NULL) 634 gen_and(ppi_dlt_check, p); 635 636 backpatch(p, gen_retblk(snaplen)); 637 p->sense = !p->sense; 638 backpatch(p, gen_retblk(0)); 639 root = p->head; 640 } 641 642 void 643 gen_and(b0, b1) 644 struct block *b0, *b1; 645 { 646 backpatch(b0, b1->head); 647 b0->sense = !b0->sense; 648 b1->sense = !b1->sense; 649 merge(b1, b0); 650 b1->sense = !b1->sense; 651 b1->head = b0->head; 652 } 653 654 void 655 gen_or(b0, b1) 656 struct block *b0, *b1; 657 { 658 b0->sense = !b0->sense; 659 backpatch(b0, b1->head); 660 b0->sense = !b0->sense; 661 merge(b1, b0); 662 b1->head = b0->head; 663 } 664 665 void 666 gen_not(b) 667 struct block *b; 668 { 669 b->sense = !b->sense; 670 } 671 672 static struct block * 673 gen_cmp(offrel, offset, size, v) 674 enum e_offrel offrel; 675 u_int offset, size; 676 bpf_int32 v; 677 { 678 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v); 679 } 680 681 static struct block * 682 gen_cmp_gt(offrel, offset, size, v) 683 enum e_offrel offrel; 684 u_int offset, size; 685 bpf_int32 v; 686 { 687 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v); 688 } 689 690 static struct block * 691 gen_cmp_ge(offrel, offset, size, v) 692 enum e_offrel offrel; 693 u_int offset, size; 694 bpf_int32 v; 695 { 696 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v); 697 } 698 699 static struct block * 700 gen_cmp_lt(offrel, offset, size, v) 701 enum e_offrel offrel; 702 u_int offset, size; 703 bpf_int32 v; 704 { 705 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v); 706 } 707 708 static struct block * 709 gen_cmp_le(offrel, offset, size, v) 710 enum e_offrel offrel; 711 u_int offset, size; 712 bpf_int32 v; 713 { 714 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v); 715 } 716 717 static struct block * 718 gen_mcmp(offrel, offset, size, v, mask) 719 enum e_offrel offrel; 720 u_int offset, size; 721 bpf_int32 v; 722 bpf_u_int32 mask; 723 { 724 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v); 725 } 726 727 static struct block * 728 gen_bcmp(offrel, offset, size, v) 729 enum e_offrel offrel; 730 register u_int offset, size; 731 register const u_char *v; 732 { 733 register struct block *b, *tmp; 734 735 b = NULL; 736 while (size >= 4) { 737 register const u_char *p = &v[size - 4]; 738 bpf_int32 w = ((bpf_int32)p[0] << 24) | 739 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3]; 740 741 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w); 742 if (b != NULL) 743 gen_and(b, tmp); 744 b = tmp; 745 size -= 4; 746 } 747 while (size >= 2) { 748 register const u_char *p = &v[size - 2]; 749 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1]; 750 751 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w); 752 if (b != NULL) 753 gen_and(b, tmp); 754 b = tmp; 755 size -= 2; 756 } 757 if (size > 0) { 758 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]); 759 if (b != NULL) 760 gen_and(b, tmp); 761 b = tmp; 762 } 763 return b; 764 } 765 766 /* 767 * AND the field of size "size" at offset "offset" relative to the header 768 * specified by "offrel" with "mask", and compare it with the value "v" 769 * with the test specified by "jtype"; if "reverse" is true, the test 770 * should test the opposite of "jtype". 771 */ 772 static struct block * 773 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v) 774 enum e_offrel offrel; 775 bpf_int32 v; 776 bpf_u_int32 offset, size, mask, jtype; 777 int reverse; 778 { 779 struct slist *s, *s2; 780 struct block *b; 781 782 s = gen_load_a(offrel, offset, size); 783 784 if (mask != 0xffffffff) { 785 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 786 s2->s.k = mask; 787 sappend(s, s2); 788 } 789 790 b = new_block(JMP(jtype)); 791 b->stmts = s; 792 b->s.k = v; 793 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE)) 794 gen_not(b); 795 return b; 796 } 797 798 /* 799 * Various code constructs need to know the layout of the packet. 800 * These variables give the necessary offsets from the beginning 801 * of the packet data. 802 */ 803 804 /* 805 * Absolute offset of the beginning of the link-layer header. 806 */ 807 static bpf_abs_offset off_linkhdr; 808 809 /* 810 * If we're checking a link-layer header for a packet encapsulated in 811 * another protocol layer, this is the equivalent information for the 812 * previous layers' link-layer header from the beginning of the raw 813 * packet data. 814 */ 815 static bpf_abs_offset off_prevlinkhdr; 816 817 /* 818 * This is the equivalent information for the outermost layers' link-layer 819 * header. 820 */ 821 static bpf_abs_offset off_outermostlinkhdr; 822 823 /* 824 * "Push" the current value of the link-layer header type and link-layer 825 * header offset onto a "stack", and set a new value. (It's not a 826 * full-blown stack; we keep only the top two items.) 827 */ 828 #define PUSH_LINKHDR(new_linktype, new_is_variable, new_constant_part, new_reg) \ 829 { \ 830 prevlinktype = new_linktype; \ 831 off_prevlinkhdr = off_linkhdr; \ 832 linktype = new_linktype; \ 833 off_linkhdr.is_variable = new_is_variable; \ 834 off_linkhdr.constant_part = new_constant_part; \ 835 off_linkhdr.reg = new_reg; \ 836 is_geneve = 0; \ 837 } 838 839 /* 840 * Absolute offset of the beginning of the link-layer payload. 841 */ 842 static bpf_abs_offset off_linkpl; 843 844 /* 845 * "off_linktype" is the offset to information in the link-layer header 846 * giving the packet type. This is an absolute offset from the beginning 847 * of the packet. 848 * 849 * For Ethernet, it's the offset of the Ethernet type field; this 850 * means that it must have a value that skips VLAN tags. 851 * 852 * For link-layer types that always use 802.2 headers, it's the 853 * offset of the LLC header; this means that it must have a value 854 * that skips VLAN tags. 855 * 856 * For PPP, it's the offset of the PPP type field. 857 * 858 * For Cisco HDLC, it's the offset of the CHDLC type field. 859 * 860 * For BSD loopback, it's the offset of the AF_ value. 861 * 862 * For Linux cooked sockets, it's the offset of the type field. 863 * 864 * off_linktype.constant_part is set to -1 for no encapsulation, 865 * in which case, IP is assumed. 866 */ 867 static bpf_abs_offset off_linktype; 868 869 /* 870 * TRUE if the link layer includes an ATM pseudo-header. 871 */ 872 static int is_atm = 0; 873 874 /* 875 * TRUE if "geneve" appeared in the filter; it causes us to generate 876 * code that checks for a Geneve header and assume that later filters 877 * apply to the encapsulated payload. 878 */ 879 static int is_geneve = 0; 880 881 /* 882 * These are offsets for the ATM pseudo-header. 883 */ 884 static u_int off_vpi; 885 static u_int off_vci; 886 static u_int off_proto; 887 888 /* 889 * These are offsets for the MTP2 fields. 890 */ 891 static u_int off_li; 892 static u_int off_li_hsl; 893 894 /* 895 * These are offsets for the MTP3 fields. 896 */ 897 static u_int off_sio; 898 static u_int off_opc; 899 static u_int off_dpc; 900 static u_int off_sls; 901 902 /* 903 * This is the offset of the first byte after the ATM pseudo_header, 904 * or -1 if there is no ATM pseudo-header. 905 */ 906 static u_int off_payload; 907 908 /* 909 * These are offsets to the beginning of the network-layer header. 910 * They are relative to the beginning of the link-layer payload (i.e., 911 * they don't include off_linkhdr.constant_part or off_linkpl.constant_part). 912 * 913 * If the link layer never uses 802.2 LLC: 914 * 915 * "off_nl" and "off_nl_nosnap" are the same. 916 * 917 * If the link layer always uses 802.2 LLC: 918 * 919 * "off_nl" is the offset if there's a SNAP header following 920 * the 802.2 header; 921 * 922 * "off_nl_nosnap" is the offset if there's no SNAP header. 923 * 924 * If the link layer is Ethernet: 925 * 926 * "off_nl" is the offset if the packet is an Ethernet II packet 927 * (we assume no 802.3+802.2+SNAP); 928 * 929 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet 930 * with an 802.2 header following it. 931 */ 932 static u_int off_nl; 933 static u_int off_nl_nosnap; 934 935 static int linktype; 936 static int prevlinktype; 937 static int outermostlinktype; 938 939 static void 940 init_linktype(p) 941 pcap_t *p; 942 { 943 pcap_fddipad = p->fddipad; 944 945 /* 946 * We start out with only one link-layer header. 947 */ 948 outermostlinktype = pcap_datalink(p); 949 off_outermostlinkhdr.constant_part = 0; 950 off_outermostlinkhdr.is_variable = 0; 951 off_outermostlinkhdr.reg = -1; 952 953 prevlinktype = outermostlinktype; 954 off_prevlinkhdr.constant_part = 0; 955 off_prevlinkhdr.is_variable = 0; 956 off_prevlinkhdr.reg = -1; 957 958 linktype = outermostlinktype; 959 off_linkhdr.constant_part = 0; 960 off_linkhdr.is_variable = 0; 961 off_linkhdr.reg = -1; 962 963 /* 964 * XXX 965 */ 966 off_linkpl.constant_part = 0; 967 off_linkpl.is_variable = 0; 968 off_linkpl.reg = -1; 969 970 off_linktype.constant_part = 0; 971 off_linktype.is_variable = 0; 972 off_linktype.reg = -1; 973 974 /* 975 * Assume it's not raw ATM with a pseudo-header, for now. 976 */ 977 is_atm = 0; 978 off_vpi = -1; 979 off_vci = -1; 980 off_proto = -1; 981 off_payload = -1; 982 983 /* 984 * And not Geneve. 985 */ 986 is_geneve = 0; 987 988 /* 989 * And assume we're not doing SS7. 990 */ 991 off_li = -1; 992 off_li_hsl = -1; 993 off_sio = -1; 994 off_opc = -1; 995 off_dpc = -1; 996 off_sls = -1; 997 998 label_stack_depth = 0; 999 vlan_stack_depth = 0; 1000 1001 switch (linktype) { 1002 1003 case DLT_ARCNET: 1004 off_linktype.constant_part = 2; 1005 off_linkpl.constant_part = 6; 1006 off_nl = 0; /* XXX in reality, variable! */ 1007 off_nl_nosnap = 0; /* no 802.2 LLC */ 1008 break; 1009 1010 case DLT_ARCNET_LINUX: 1011 off_linktype.constant_part = 4; 1012 off_linkpl.constant_part = 8; 1013 off_nl = 0; /* XXX in reality, variable! */ 1014 off_nl_nosnap = 0; /* no 802.2 LLC */ 1015 break; 1016 1017 case DLT_EN10MB: 1018 off_linktype.constant_part = 12; 1019 off_linkpl.constant_part = 14; /* Ethernet header length */ 1020 off_nl = 0; /* Ethernet II */ 1021 off_nl_nosnap = 3; /* 802.3+802.2 */ 1022 break; 1023 1024 case DLT_SLIP: 1025 /* 1026 * SLIP doesn't have a link level type. The 16 byte 1027 * header is hacked into our SLIP driver. 1028 */ 1029 off_linktype.constant_part = -1; 1030 off_linkpl.constant_part = 16; 1031 off_nl = 0; 1032 off_nl_nosnap = 0; /* no 802.2 LLC */ 1033 break; 1034 1035 case DLT_SLIP_BSDOS: 1036 /* XXX this may be the same as the DLT_PPP_BSDOS case */ 1037 off_linktype.constant_part = -1; 1038 /* XXX end */ 1039 off_linkpl.constant_part = 24; 1040 off_nl = 0; 1041 off_nl_nosnap = 0; /* no 802.2 LLC */ 1042 break; 1043 1044 case DLT_NULL: 1045 case DLT_LOOP: 1046 off_linktype.constant_part = 0; 1047 off_linkpl.constant_part = 4; 1048 off_nl = 0; 1049 off_nl_nosnap = 0; /* no 802.2 LLC */ 1050 break; 1051 1052 case DLT_ENC: 1053 off_linktype.constant_part = 0; 1054 off_linkpl.constant_part = 12; 1055 off_nl = 0; 1056 off_nl_nosnap = 0; /* no 802.2 LLC */ 1057 break; 1058 1059 case DLT_PPP: 1060 case DLT_PPP_PPPD: 1061 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */ 1062 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */ 1063 off_linktype.constant_part = 2; /* skip HDLC-like framing */ 1064 off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */ 1065 off_nl = 0; 1066 off_nl_nosnap = 0; /* no 802.2 LLC */ 1067 break; 1068 1069 case DLT_PPP_ETHER: 1070 /* 1071 * This does no include the Ethernet header, and 1072 * only covers session state. 1073 */ 1074 off_linktype.constant_part = 6; 1075 off_linkpl.constant_part = 8; 1076 off_nl = 0; 1077 off_nl_nosnap = 0; /* no 802.2 LLC */ 1078 break; 1079 1080 case DLT_PPP_BSDOS: 1081 off_linktype.constant_part = 5; 1082 off_linkpl.constant_part = 24; 1083 off_nl = 0; 1084 off_nl_nosnap = 0; /* no 802.2 LLC */ 1085 break; 1086 1087 case DLT_FDDI: 1088 /* 1089 * FDDI doesn't really have a link-level type field. 1090 * We set "off_linktype" to the offset of the LLC header. 1091 * 1092 * To check for Ethernet types, we assume that SSAP = SNAP 1093 * is being used and pick out the encapsulated Ethernet type. 1094 * XXX - should we generate code to check for SNAP? 1095 */ 1096 off_linktype.constant_part = 13; 1097 off_linktype.constant_part += pcap_fddipad; 1098 off_linkpl.constant_part = 13; /* FDDI MAC header length */ 1099 off_linkpl.constant_part += pcap_fddipad; 1100 off_nl = 8; /* 802.2+SNAP */ 1101 off_nl_nosnap = 3; /* 802.2 */ 1102 break; 1103 1104 case DLT_IEEE802: 1105 /* 1106 * Token Ring doesn't really have a link-level type field. 1107 * We set "off_linktype" to the offset of the LLC header. 1108 * 1109 * To check for Ethernet types, we assume that SSAP = SNAP 1110 * is being used and pick out the encapsulated Ethernet type. 1111 * XXX - should we generate code to check for SNAP? 1112 * 1113 * XXX - the header is actually variable-length. 1114 * Some various Linux patched versions gave 38 1115 * as "off_linktype" and 40 as "off_nl"; however, 1116 * if a token ring packet has *no* routing 1117 * information, i.e. is not source-routed, the correct 1118 * values are 20 and 22, as they are in the vanilla code. 1119 * 1120 * A packet is source-routed iff the uppermost bit 1121 * of the first byte of the source address, at an 1122 * offset of 8, has the uppermost bit set. If the 1123 * packet is source-routed, the total number of bytes 1124 * of routing information is 2 plus bits 0x1F00 of 1125 * the 16-bit value at an offset of 14 (shifted right 1126 * 8 - figure out which byte that is). 1127 */ 1128 off_linktype.constant_part = 14; 1129 off_linkpl.constant_part = 14; /* Token Ring MAC header length */ 1130 off_nl = 8; /* 802.2+SNAP */ 1131 off_nl_nosnap = 3; /* 802.2 */ 1132 break; 1133 1134 case DLT_PRISM_HEADER: 1135 case DLT_IEEE802_11_RADIO_AVS: 1136 case DLT_IEEE802_11_RADIO: 1137 off_linkhdr.is_variable = 1; 1138 /* Fall through, 802.11 doesn't have a variable link 1139 * prefix but is otherwise the same. */ 1140 1141 case DLT_IEEE802_11: 1142 /* 1143 * 802.11 doesn't really have a link-level type field. 1144 * We set "off_linktype.constant_part" to the offset of 1145 * the LLC header. 1146 * 1147 * To check for Ethernet types, we assume that SSAP = SNAP 1148 * is being used and pick out the encapsulated Ethernet type. 1149 * XXX - should we generate code to check for SNAP? 1150 * 1151 * We also handle variable-length radio headers here. 1152 * The Prism header is in theory variable-length, but in 1153 * practice it's always 144 bytes long. However, some 1154 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but 1155 * sometimes or always supply an AVS header, so we 1156 * have to check whether the radio header is a Prism 1157 * header or an AVS header, so, in practice, it's 1158 * variable-length. 1159 */ 1160 off_linktype.constant_part = 24; 1161 off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1162 off_linkpl.is_variable = 1; 1163 off_nl = 8; /* 802.2+SNAP */ 1164 off_nl_nosnap = 3; /* 802.2 */ 1165 break; 1166 1167 case DLT_PPI: 1168 /* 1169 * At the moment we treat PPI the same way that we treat 1170 * normal Radiotap encoded packets. The difference is in 1171 * the function that generates the code at the beginning 1172 * to compute the header length. Since this code generator 1173 * of PPI supports bare 802.11 encapsulation only (i.e. 1174 * the encapsulated DLT should be DLT_IEEE802_11) we 1175 * generate code to check for this too. 1176 */ 1177 off_linktype.constant_part = 24; 1178 off_linkpl.constant_part = 0; /* link-layer header is variable-length */ 1179 off_linkpl.is_variable = 1; 1180 off_linkhdr.is_variable = 1; 1181 off_nl = 8; /* 802.2+SNAP */ 1182 off_nl_nosnap = 3; /* 802.2 */ 1183 break; 1184 1185 case DLT_ATM_RFC1483: 1186 case DLT_ATM_CLIP: /* Linux ATM defines this */ 1187 /* 1188 * assume routed, non-ISO PDUs 1189 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00) 1190 * 1191 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS, 1192 * or PPP with the PPP NLPID (e.g., PPPoA)? The 1193 * latter would presumably be treated the way PPPoE 1194 * should be, so you can do "pppoe and udp port 2049" 1195 * or "pppoa and tcp port 80" and have it check for 1196 * PPPo{A,E} and a PPP protocol of IP and.... 1197 */ 1198 off_linktype.constant_part = 0; 1199 off_linkpl.constant_part = 0; /* packet begins with LLC header */ 1200 off_nl = 8; /* 802.2+SNAP */ 1201 off_nl_nosnap = 3; /* 802.2 */ 1202 break; 1203 1204 case DLT_SUNATM: 1205 /* 1206 * Full Frontal ATM; you get AALn PDUs with an ATM 1207 * pseudo-header. 1208 */ 1209 is_atm = 1; 1210 off_vpi = SUNATM_VPI_POS; 1211 off_vci = SUNATM_VCI_POS; 1212 off_proto = PROTO_POS; 1213 off_payload = SUNATM_PKT_BEGIN_POS; 1214 off_linktype.constant_part = off_payload; 1215 off_linkpl.constant_part = off_payload; /* if LLC-encapsulated */ 1216 off_nl = 8; /* 802.2+SNAP */ 1217 off_nl_nosnap = 3; /* 802.2 */ 1218 break; 1219 1220 case DLT_RAW: 1221 case DLT_IPV4: 1222 case DLT_IPV6: 1223 off_linktype.constant_part = -1; 1224 off_linkpl.constant_part = 0; 1225 off_nl = 0; 1226 off_nl_nosnap = 0; /* no 802.2 LLC */ 1227 break; 1228 1229 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */ 1230 off_linktype.constant_part = 14; 1231 off_linkpl.constant_part = 16; 1232 off_nl = 0; 1233 off_nl_nosnap = 0; /* no 802.2 LLC */ 1234 break; 1235 1236 case DLT_LTALK: 1237 /* 1238 * LocalTalk does have a 1-byte type field in the LLAP header, 1239 * but really it just indicates whether there is a "short" or 1240 * "long" DDP packet following. 1241 */ 1242 off_linktype.constant_part = -1; 1243 off_linkpl.constant_part = 0; 1244 off_nl = 0; 1245 off_nl_nosnap = 0; /* no 802.2 LLC */ 1246 break; 1247 1248 case DLT_IP_OVER_FC: 1249 /* 1250 * RFC 2625 IP-over-Fibre-Channel doesn't really have a 1251 * link-level type field. We set "off_linktype" to the 1252 * offset of the LLC header. 1253 * 1254 * To check for Ethernet types, we assume that SSAP = SNAP 1255 * is being used and pick out the encapsulated Ethernet type. 1256 * XXX - should we generate code to check for SNAP? RFC 1257 * 2625 says SNAP should be used. 1258 */ 1259 off_linktype.constant_part = 16; 1260 off_linkpl.constant_part = 16; 1261 off_nl = 8; /* 802.2+SNAP */ 1262 off_nl_nosnap = 3; /* 802.2 */ 1263 break; 1264 1265 case DLT_FRELAY: 1266 /* 1267 * XXX - we should set this to handle SNAP-encapsulated 1268 * frames (NLPID of 0x80). 1269 */ 1270 off_linktype.constant_part = -1; 1271 off_linkpl.constant_part = 0; 1272 off_nl = 0; 1273 off_nl_nosnap = 0; /* no 802.2 LLC */ 1274 break; 1275 1276 /* 1277 * the only BPF-interesting FRF.16 frames are non-control frames; 1278 * Frame Relay has a variable length link-layer 1279 * so lets start with offset 4 for now and increments later on (FIXME); 1280 */ 1281 case DLT_MFR: 1282 off_linktype.constant_part = -1; 1283 off_linkpl.constant_part = 0; 1284 off_nl = 4; 1285 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */ 1286 break; 1287 1288 case DLT_APPLE_IP_OVER_IEEE1394: 1289 off_linktype.constant_part = 16; 1290 off_linkpl.constant_part = 18; 1291 off_nl = 0; 1292 off_nl_nosnap = 0; /* no 802.2 LLC */ 1293 break; 1294 1295 case DLT_SYMANTEC_FIREWALL: 1296 off_linktype.constant_part = 6; 1297 off_linkpl.constant_part = 44; 1298 off_nl = 0; /* Ethernet II */ 1299 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */ 1300 break; 1301 1302 #ifdef HAVE_NET_PFVAR_H 1303 case DLT_PFLOG: 1304 off_linktype.constant_part = 0; 1305 off_linkpl.constant_part = PFLOG_HDRLEN; 1306 off_nl = 0; 1307 off_nl_nosnap = 0; /* no 802.2 LLC */ 1308 break; 1309 #endif 1310 1311 case DLT_JUNIPER_MFR: 1312 case DLT_JUNIPER_MLFR: 1313 case DLT_JUNIPER_MLPPP: 1314 case DLT_JUNIPER_PPP: 1315 case DLT_JUNIPER_CHDLC: 1316 case DLT_JUNIPER_FRELAY: 1317 off_linktype.constant_part = 4; 1318 off_linkpl.constant_part = 4; 1319 off_nl = 0; 1320 off_nl_nosnap = -1; /* no 802.2 LLC */ 1321 break; 1322 1323 case DLT_JUNIPER_ATM1: 1324 off_linktype.constant_part = 4; /* in reality variable between 4-8 */ 1325 off_linkpl.constant_part = 4; /* in reality variable between 4-8 */ 1326 off_nl = 0; 1327 off_nl_nosnap = 10; 1328 break; 1329 1330 case DLT_JUNIPER_ATM2: 1331 off_linktype.constant_part = 8; /* in reality variable between 8-12 */ 1332 off_linkpl.constant_part = 8; /* in reality variable between 8-12 */ 1333 off_nl = 0; 1334 off_nl_nosnap = 10; 1335 break; 1336 1337 /* frames captured on a Juniper PPPoE service PIC 1338 * contain raw ethernet frames */ 1339 case DLT_JUNIPER_PPPOE: 1340 case DLT_JUNIPER_ETHER: 1341 off_linkpl.constant_part = 14; 1342 off_linktype.constant_part = 16; 1343 off_nl = 18; /* Ethernet II */ 1344 off_nl_nosnap = 21; /* 802.3+802.2 */ 1345 break; 1346 1347 case DLT_JUNIPER_PPPOE_ATM: 1348 off_linktype.constant_part = 4; 1349 off_linkpl.constant_part = 6; 1350 off_nl = 0; 1351 off_nl_nosnap = -1; /* no 802.2 LLC */ 1352 break; 1353 1354 case DLT_JUNIPER_GGSN: 1355 off_linktype.constant_part = 6; 1356 off_linkpl.constant_part = 12; 1357 off_nl = 0; 1358 off_nl_nosnap = -1; /* no 802.2 LLC */ 1359 break; 1360 1361 case DLT_JUNIPER_ES: 1362 off_linktype.constant_part = 6; 1363 off_linkpl.constant_part = -1; /* not really a network layer but raw IP addresses */ 1364 off_nl = -1; /* not really a network layer but raw IP addresses */ 1365 off_nl_nosnap = -1; /* no 802.2 LLC */ 1366 break; 1367 1368 case DLT_JUNIPER_MONITOR: 1369 off_linktype.constant_part = 12; 1370 off_linkpl.constant_part = 12; 1371 off_nl = 0; /* raw IP/IP6 header */ 1372 off_nl_nosnap = -1; /* no 802.2 LLC */ 1373 break; 1374 1375 case DLT_BACNET_MS_TP: 1376 off_linktype.constant_part = -1; 1377 off_linkpl.constant_part = -1; 1378 off_nl = -1; 1379 off_nl_nosnap = -1; 1380 break; 1381 1382 case DLT_JUNIPER_SERVICES: 1383 off_linktype.constant_part = 12; 1384 off_linkpl.constant_part = -1; /* L3 proto location dep. on cookie type */ 1385 off_nl = -1; /* L3 proto location dep. on cookie type */ 1386 off_nl_nosnap = -1; /* no 802.2 LLC */ 1387 break; 1388 1389 case DLT_JUNIPER_VP: 1390 off_linktype.constant_part = 18; 1391 off_linkpl.constant_part = -1; 1392 off_nl = -1; 1393 off_nl_nosnap = -1; 1394 break; 1395 1396 case DLT_JUNIPER_ST: 1397 off_linktype.constant_part = 18; 1398 off_linkpl.constant_part = -1; 1399 off_nl = -1; 1400 off_nl_nosnap = -1; 1401 break; 1402 1403 case DLT_JUNIPER_ISM: 1404 off_linktype.constant_part = 8; 1405 off_linkpl.constant_part = -1; 1406 off_nl = -1; 1407 off_nl_nosnap = -1; 1408 break; 1409 1410 case DLT_JUNIPER_VS: 1411 case DLT_JUNIPER_SRX_E2E: 1412 case DLT_JUNIPER_FIBRECHANNEL: 1413 case DLT_JUNIPER_ATM_CEMIC: 1414 off_linktype.constant_part = 8; 1415 off_linkpl.constant_part = -1; 1416 off_nl = -1; 1417 off_nl_nosnap = -1; 1418 break; 1419 1420 case DLT_MTP2: 1421 off_li = 2; 1422 off_li_hsl = 4; 1423 off_sio = 3; 1424 off_opc = 4; 1425 off_dpc = 4; 1426 off_sls = 7; 1427 off_linktype.constant_part = -1; 1428 off_linkpl.constant_part = -1; 1429 off_nl = -1; 1430 off_nl_nosnap = -1; 1431 break; 1432 1433 case DLT_MTP2_WITH_PHDR: 1434 off_li = 6; 1435 off_li_hsl = 8; 1436 off_sio = 7; 1437 off_opc = 8; 1438 off_dpc = 8; 1439 off_sls = 11; 1440 off_linktype.constant_part = -1; 1441 off_linkpl.constant_part = -1; 1442 off_nl = -1; 1443 off_nl_nosnap = -1; 1444 break; 1445 1446 case DLT_ERF: 1447 off_li = 22; 1448 off_li_hsl = 24; 1449 off_sio = 23; 1450 off_opc = 24; 1451 off_dpc = 24; 1452 off_sls = 27; 1453 off_linktype.constant_part = -1; 1454 off_linkpl.constant_part = -1; 1455 off_nl = -1; 1456 off_nl_nosnap = -1; 1457 break; 1458 1459 case DLT_PFSYNC: 1460 off_linktype.constant_part = -1; 1461 off_linkpl.constant_part = 4; 1462 off_nl = 0; 1463 off_nl_nosnap = 0; 1464 break; 1465 1466 case DLT_AX25_KISS: 1467 /* 1468 * Currently, only raw "link[N:M]" filtering is supported. 1469 */ 1470 off_linktype.constant_part = -1; /* variable, min 15, max 71 steps of 7 */ 1471 off_linkpl.constant_part = -1; 1472 off_nl = -1; /* variable, min 16, max 71 steps of 7 */ 1473 off_nl_nosnap = -1; /* no 802.2 LLC */ 1474 break; 1475 1476 case DLT_IPNET: 1477 off_linktype.constant_part = 1; 1478 off_linkpl.constant_part = 24; /* ipnet header length */ 1479 off_nl = 0; 1480 off_nl_nosnap = -1; 1481 break; 1482 1483 case DLT_NETANALYZER: 1484 off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */ 1485 off_linktype.constant_part = off_linkhdr.constant_part + 12; 1486 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */ 1487 off_nl = 0; /* Ethernet II */ 1488 off_nl_nosnap = 3; /* 802.3+802.2 */ 1489 break; 1490 1491 case DLT_NETANALYZER_TRANSPARENT: 1492 off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */ 1493 off_linktype.constant_part = off_linkhdr.constant_part + 12; 1494 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */ 1495 off_nl = 0; /* Ethernet II */ 1496 off_nl_nosnap = 3; /* 802.3+802.2 */ 1497 break; 1498 1499 default: 1500 /* 1501 * For values in the range in which we've assigned new 1502 * DLT_ values, only raw "link[N:M]" filtering is supported. 1503 */ 1504 if (linktype >= DLT_MATCHING_MIN && 1505 linktype <= DLT_MATCHING_MAX) { 1506 off_linktype.constant_part = -1; 1507 off_linkpl.constant_part = -1; 1508 off_nl = -1; 1509 off_nl_nosnap = -1; 1510 } else { 1511 bpf_error("unknown data link type %d", linktype); 1512 } 1513 break; 1514 } 1515 1516 off_outermostlinkhdr = off_prevlinkhdr = off_linkhdr; 1517 } 1518 1519 /* 1520 * Load a value relative to the specified absolute offset. 1521 */ 1522 static struct slist * 1523 gen_load_absoffsetrel(bpf_abs_offset *abs_offset, u_int offset, u_int size) 1524 { 1525 struct slist *s, *s2; 1526 1527 s = gen_abs_offset_varpart(abs_offset); 1528 1529 /* 1530 * If "s" is non-null, it has code to arrange that the X register 1531 * contains the variable part of the absolute offset, so we 1532 * generate a load relative to that, with an offset of 1533 * abs_offset->constant_part + offset. 1534 * 1535 * Otherwise, we can do an absolute load with an offset of 1536 * abs_offset->constant_part + offset. 1537 */ 1538 if (s != NULL) { 1539 /* 1540 * "s" points to a list of statements that puts the 1541 * variable part of the absolute offset into the X register. 1542 * Do an indirect load, to use the X register as an offset. 1543 */ 1544 s2 = new_stmt(BPF_LD|BPF_IND|size); 1545 s2->s.k = abs_offset->constant_part + offset; 1546 sappend(s, s2); 1547 } else { 1548 /* 1549 * There is no variable part of the absolute offset, so 1550 * just do an absolute load. 1551 */ 1552 s = new_stmt(BPF_LD|BPF_ABS|size); 1553 s->s.k = abs_offset->constant_part + offset; 1554 } 1555 return s; 1556 } 1557 1558 /* 1559 * Load a value relative to the beginning of the specified header. 1560 */ 1561 static struct slist * 1562 gen_load_a(offrel, offset, size) 1563 enum e_offrel offrel; 1564 u_int offset, size; 1565 { 1566 struct slist *s, *s2; 1567 1568 switch (offrel) { 1569 1570 case OR_PACKET: 1571 s = new_stmt(BPF_LD|BPF_ABS|size); 1572 s->s.k = offset; 1573 break; 1574 1575 case OR_LINKHDR: 1576 s = gen_load_absoffsetrel(&off_linkhdr, offset, size); 1577 break; 1578 1579 case OR_PREVLINKHDR: 1580 s = gen_load_absoffsetrel(&off_prevlinkhdr, offset, size); 1581 break; 1582 1583 case OR_LLC: 1584 s = gen_load_absoffsetrel(&off_linkpl, offset, size); 1585 break; 1586 1587 case OR_PREVMPLSHDR: 1588 s = gen_load_absoffsetrel(&off_linkpl, off_nl - 4 + offset, size); 1589 break; 1590 1591 case OR_LINKPL: 1592 s = gen_load_absoffsetrel(&off_linkpl, off_nl + offset, size); 1593 break; 1594 1595 case OR_LINKPL_NOSNAP: 1596 s = gen_load_absoffsetrel(&off_linkpl, off_nl_nosnap + offset, size); 1597 break; 1598 1599 case OR_LINKTYPE: 1600 s = gen_load_absoffsetrel(&off_linktype, offset, size); 1601 break; 1602 1603 case OR_TRAN_IPV4: 1604 /* 1605 * Load the X register with the length of the IPv4 header 1606 * (plus the offset of the link-layer header, if it's 1607 * preceded by a variable-length header such as a radio 1608 * header), in bytes. 1609 */ 1610 s = gen_loadx_iphdrlen(); 1611 1612 /* 1613 * Load the item at {offset of the link-layer payload} + 1614 * {offset, relative to the start of the link-layer 1615 * paylod, of the IPv4 header} + {length of the IPv4 header} + 1616 * {specified offset}. 1617 * 1618 * If the offset of the link-layer payload is variable, 1619 * the variable part of that offset is included in the 1620 * value in the X register, and we include the constant 1621 * part in the offset of the load. 1622 */ 1623 s2 = new_stmt(BPF_LD|BPF_IND|size); 1624 s2->s.k = off_linkpl.constant_part + off_nl + offset; 1625 sappend(s, s2); 1626 break; 1627 1628 case OR_TRAN_IPV6: 1629 s = gen_load_absoffsetrel(&off_linkpl, off_nl + 40 + offset, size); 1630 break; 1631 1632 default: 1633 abort(); 1634 return NULL; 1635 } 1636 return s; 1637 } 1638 1639 /* 1640 * Generate code to load into the X register the sum of the length of 1641 * the IPv4 header and the variable part of the offset of the link-layer 1642 * payload. 1643 */ 1644 static struct slist * 1645 gen_loadx_iphdrlen() 1646 { 1647 struct slist *s, *s2; 1648 1649 s = gen_abs_offset_varpart(&off_linkpl); 1650 if (s != NULL) { 1651 /* 1652 * The offset of the link-layer payload has a variable 1653 * part. "s" points to a list of statements that put 1654 * the variable part of that offset into the X register. 1655 * 1656 * The 4*([k]&0xf) addressing mode can't be used, as we 1657 * don't have a constant offset, so we have to load the 1658 * value in question into the A register and add to it 1659 * the value from the X register. 1660 */ 1661 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 1662 s2->s.k = off_linkpl.constant_part + off_nl; 1663 sappend(s, s2); 1664 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 1665 s2->s.k = 0xf; 1666 sappend(s, s2); 1667 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 1668 s2->s.k = 2; 1669 sappend(s, s2); 1670 1671 /* 1672 * The A register now contains the length of the IP header. 1673 * We need to add to it the variable part of the offset of 1674 * the link-layer payload, which is still in the X 1675 * register, and move the result into the X register. 1676 */ 1677 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 1678 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 1679 } else { 1680 /* 1681 * The offset of the link-layer payload is a constant, 1682 * so no code was generated to load the (non-existent) 1683 * variable part of that offset. 1684 * 1685 * This means we can use the 4*([k]&0xf) addressing 1686 * mode. Load the length of the IPv4 header, which 1687 * is at an offset of off_nl from the beginning of 1688 * the link-layer payload, and thus at an offset of 1689 * off_linkpl.constant_part + off_nl from the beginning 1690 * of the raw packet data, using that addressing mode. 1691 */ 1692 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 1693 s->s.k = off_linkpl.constant_part + off_nl; 1694 } 1695 return s; 1696 } 1697 1698 static struct block * 1699 gen_uncond(rsense) 1700 int rsense; 1701 { 1702 struct block *b; 1703 struct slist *s; 1704 1705 s = new_stmt(BPF_LD|BPF_IMM); 1706 s->s.k = !rsense; 1707 b = new_block(JMP(BPF_JEQ)); 1708 b->stmts = s; 1709 1710 return b; 1711 } 1712 1713 static inline struct block * 1714 gen_true() 1715 { 1716 return gen_uncond(1); 1717 } 1718 1719 static inline struct block * 1720 gen_false() 1721 { 1722 return gen_uncond(0); 1723 } 1724 1725 /* 1726 * Byte-swap a 32-bit number. 1727 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on 1728 * big-endian platforms.) 1729 */ 1730 #define SWAPLONG(y) \ 1731 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff)) 1732 1733 /* 1734 * Generate code to match a particular packet type. 1735 * 1736 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1737 * value, if <= ETHERMTU. We use that to determine whether to 1738 * match the type/length field or to check the type/length field for 1739 * a value <= ETHERMTU to see whether it's a type field and then do 1740 * the appropriate test. 1741 */ 1742 static struct block * 1743 gen_ether_linktype(proto) 1744 register int proto; 1745 { 1746 struct block *b0, *b1; 1747 1748 switch (proto) { 1749 1750 case LLCSAP_ISONS: 1751 case LLCSAP_IP: 1752 case LLCSAP_NETBEUI: 1753 /* 1754 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1755 * so we check the DSAP and SSAP. 1756 * 1757 * LLCSAP_IP checks for IP-over-802.2, rather 1758 * than IP-over-Ethernet or IP-over-SNAP. 1759 * 1760 * XXX - should we check both the DSAP and the 1761 * SSAP, like this, or should we check just the 1762 * DSAP, as we do for other types <= ETHERMTU 1763 * (i.e., other SAP values)? 1764 */ 1765 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1766 gen_not(b0); 1767 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32) 1768 ((proto << 8) | proto)); 1769 gen_and(b0, b1); 1770 return b1; 1771 1772 case LLCSAP_IPX: 1773 /* 1774 * Check for; 1775 * 1776 * Ethernet_II frames, which are Ethernet 1777 * frames with a frame type of ETHERTYPE_IPX; 1778 * 1779 * Ethernet_802.3 frames, which are 802.3 1780 * frames (i.e., the type/length field is 1781 * a length field, <= ETHERMTU, rather than 1782 * a type field) with the first two bytes 1783 * after the Ethernet/802.3 header being 1784 * 0xFFFF; 1785 * 1786 * Ethernet_802.2 frames, which are 802.3 1787 * frames with an 802.2 LLC header and 1788 * with the IPX LSAP as the DSAP in the LLC 1789 * header; 1790 * 1791 * Ethernet_SNAP frames, which are 802.3 1792 * frames with an LLC header and a SNAP 1793 * header and with an OUI of 0x000000 1794 * (encapsulated Ethernet) and a protocol 1795 * ID of ETHERTYPE_IPX in the SNAP header. 1796 * 1797 * XXX - should we generate the same code both 1798 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX? 1799 */ 1800 1801 /* 1802 * This generates code to check both for the 1803 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3. 1804 */ 1805 b0 = gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 1806 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 1807 gen_or(b0, b1); 1808 1809 /* 1810 * Now we add code to check for SNAP frames with 1811 * ETHERTYPE_IPX, i.e. Ethernet_SNAP. 1812 */ 1813 b0 = gen_snap(0x000000, ETHERTYPE_IPX); 1814 gen_or(b0, b1); 1815 1816 /* 1817 * Now we generate code to check for 802.3 1818 * frames in general. 1819 */ 1820 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1821 gen_not(b0); 1822 1823 /* 1824 * Now add the check for 802.3 frames before the 1825 * check for Ethernet_802.2 and Ethernet_802.3, 1826 * as those checks should only be done on 802.3 1827 * frames, not on Ethernet frames. 1828 */ 1829 gen_and(b0, b1); 1830 1831 /* 1832 * Now add the check for Ethernet_II frames, and 1833 * do that before checking for the other frame 1834 * types. 1835 */ 1836 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 1837 gen_or(b0, b1); 1838 return b1; 1839 1840 case ETHERTYPE_ATALK: 1841 case ETHERTYPE_AARP: 1842 /* 1843 * EtherTalk (AppleTalk protocols on Ethernet link 1844 * layer) may use 802.2 encapsulation. 1845 */ 1846 1847 /* 1848 * Check for 802.2 encapsulation (EtherTalk phase 2?); 1849 * we check for an Ethernet type field less than 1850 * 1500, which means it's an 802.3 length field. 1851 */ 1852 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1853 gen_not(b0); 1854 1855 /* 1856 * 802.2-encapsulated ETHERTYPE_ATALK packets are 1857 * SNAP packets with an organization code of 1858 * 0x080007 (Apple, for Appletalk) and a protocol 1859 * type of ETHERTYPE_ATALK (Appletalk). 1860 * 1861 * 802.2-encapsulated ETHERTYPE_AARP packets are 1862 * SNAP packets with an organization code of 1863 * 0x000000 (encapsulated Ethernet) and a protocol 1864 * type of ETHERTYPE_AARP (Appletalk ARP). 1865 */ 1866 if (proto == ETHERTYPE_ATALK) 1867 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 1868 else /* proto == ETHERTYPE_AARP */ 1869 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 1870 gen_and(b0, b1); 1871 1872 /* 1873 * Check for Ethernet encapsulation (Ethertalk 1874 * phase 1?); we just check for the Ethernet 1875 * protocol type. 1876 */ 1877 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 1878 1879 gen_or(b0, b1); 1880 return b1; 1881 1882 default: 1883 if (proto <= ETHERMTU) { 1884 /* 1885 * This is an LLC SAP value, so the frames 1886 * that match would be 802.2 frames. 1887 * Check that the frame is an 802.2 frame 1888 * (i.e., that the length/type field is 1889 * a length field, <= ETHERMTU) and 1890 * then check the DSAP. 1891 */ 1892 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU); 1893 gen_not(b0); 1894 b1 = gen_cmp(OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto); 1895 gen_and(b0, b1); 1896 return b1; 1897 } else { 1898 /* 1899 * This is an Ethernet type, so compare 1900 * the length/type field with it (if 1901 * the frame is an 802.2 frame, the length 1902 * field will be <= ETHERMTU, and, as 1903 * "proto" is > ETHERMTU, this test 1904 * will fail and the frame won't match, 1905 * which is what we want). 1906 */ 1907 return gen_cmp(OR_LINKTYPE, 0, BPF_H, 1908 (bpf_int32)proto); 1909 } 1910 } 1911 } 1912 1913 /* 1914 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4 1915 * or IPv6 then we have an error. 1916 */ 1917 static struct block * 1918 gen_ipnet_linktype(proto) 1919 register int proto; 1920 { 1921 switch (proto) { 1922 1923 case ETHERTYPE_IP: 1924 return gen_cmp(OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET); 1925 /* NOTREACHED */ 1926 1927 case ETHERTYPE_IPV6: 1928 return gen_cmp(OR_LINKTYPE, 0, BPF_B, 1929 (bpf_int32)IPH_AF_INET6); 1930 /* NOTREACHED */ 1931 1932 default: 1933 break; 1934 } 1935 1936 return gen_false(); 1937 } 1938 1939 /* 1940 * Generate code to match a particular packet type. 1941 * 1942 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 1943 * value, if <= ETHERMTU. We use that to determine whether to 1944 * match the type field or to check the type field for the special 1945 * LINUX_SLL_P_802_2 value and then do the appropriate test. 1946 */ 1947 static struct block * 1948 gen_linux_sll_linktype(proto) 1949 register int proto; 1950 { 1951 struct block *b0, *b1; 1952 1953 switch (proto) { 1954 1955 case LLCSAP_ISONS: 1956 case LLCSAP_IP: 1957 case LLCSAP_NETBEUI: 1958 /* 1959 * OSI protocols and NetBEUI always use 802.2 encapsulation, 1960 * so we check the DSAP and SSAP. 1961 * 1962 * LLCSAP_IP checks for IP-over-802.2, rather 1963 * than IP-over-Ethernet or IP-over-SNAP. 1964 * 1965 * XXX - should we check both the DSAP and the 1966 * SSAP, like this, or should we check just the 1967 * DSAP, as we do for other types <= ETHERMTU 1968 * (i.e., other SAP values)? 1969 */ 1970 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 1971 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32) 1972 ((proto << 8) | proto)); 1973 gen_and(b0, b1); 1974 return b1; 1975 1976 case LLCSAP_IPX: 1977 /* 1978 * Ethernet_II frames, which are Ethernet 1979 * frames with a frame type of ETHERTYPE_IPX; 1980 * 1981 * Ethernet_802.3 frames, which have a frame 1982 * type of LINUX_SLL_P_802_3; 1983 * 1984 * Ethernet_802.2 frames, which are 802.3 1985 * frames with an 802.2 LLC header (i.e, have 1986 * a frame type of LINUX_SLL_P_802_2) and 1987 * with the IPX LSAP as the DSAP in the LLC 1988 * header; 1989 * 1990 * Ethernet_SNAP frames, which are 802.3 1991 * frames with an LLC header and a SNAP 1992 * header and with an OUI of 0x000000 1993 * (encapsulated Ethernet) and a protocol 1994 * ID of ETHERTYPE_IPX in the SNAP header. 1995 * 1996 * First, do the checks on LINUX_SLL_P_802_2 1997 * frames; generate the check for either 1998 * Ethernet_802.2 or Ethernet_SNAP frames, and 1999 * then put a check for LINUX_SLL_P_802_2 frames 2000 * before it. 2001 */ 2002 b0 = gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX); 2003 b1 = gen_snap(0x000000, ETHERTYPE_IPX); 2004 gen_or(b0, b1); 2005 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2006 gen_and(b0, b1); 2007 2008 /* 2009 * Now check for 802.3 frames and OR that with 2010 * the previous test. 2011 */ 2012 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3); 2013 gen_or(b0, b1); 2014 2015 /* 2016 * Now add the check for Ethernet_II frames, and 2017 * do that before checking for the other frame 2018 * types. 2019 */ 2020 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX); 2021 gen_or(b0, b1); 2022 return b1; 2023 2024 case ETHERTYPE_ATALK: 2025 case ETHERTYPE_AARP: 2026 /* 2027 * EtherTalk (AppleTalk protocols on Ethernet link 2028 * layer) may use 802.2 encapsulation. 2029 */ 2030 2031 /* 2032 * Check for 802.2 encapsulation (EtherTalk phase 2?); 2033 * we check for the 802.2 protocol type in the 2034 * "Ethernet type" field. 2035 */ 2036 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2037 2038 /* 2039 * 802.2-encapsulated ETHERTYPE_ATALK packets are 2040 * SNAP packets with an organization code of 2041 * 0x080007 (Apple, for Appletalk) and a protocol 2042 * type of ETHERTYPE_ATALK (Appletalk). 2043 * 2044 * 802.2-encapsulated ETHERTYPE_AARP packets are 2045 * SNAP packets with an organization code of 2046 * 0x000000 (encapsulated Ethernet) and a protocol 2047 * type of ETHERTYPE_AARP (Appletalk ARP). 2048 */ 2049 if (proto == ETHERTYPE_ATALK) 2050 b1 = gen_snap(0x080007, ETHERTYPE_ATALK); 2051 else /* proto == ETHERTYPE_AARP */ 2052 b1 = gen_snap(0x000000, ETHERTYPE_AARP); 2053 gen_and(b0, b1); 2054 2055 /* 2056 * Check for Ethernet encapsulation (Ethertalk 2057 * phase 1?); we just check for the Ethernet 2058 * protocol type. 2059 */ 2060 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2061 2062 gen_or(b0, b1); 2063 return b1; 2064 2065 default: 2066 if (proto <= ETHERMTU) { 2067 /* 2068 * This is an LLC SAP value, so the frames 2069 * that match would be 802.2 frames. 2070 * Check for the 802.2 protocol type 2071 * in the "Ethernet type" field, and 2072 * then check the DSAP. 2073 */ 2074 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2); 2075 b1 = gen_cmp(OR_LINKHDR, off_linkpl.constant_part, BPF_B, 2076 (bpf_int32)proto); 2077 gen_and(b0, b1); 2078 return b1; 2079 } else { 2080 /* 2081 * This is an Ethernet type, so compare 2082 * the length/type field with it (if 2083 * the frame is an 802.2 frame, the length 2084 * field will be <= ETHERMTU, and, as 2085 * "proto" is > ETHERMTU, this test 2086 * will fail and the frame won't match, 2087 * which is what we want). 2088 */ 2089 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2090 } 2091 } 2092 } 2093 2094 static struct slist * 2095 gen_load_prism_llprefixlen() 2096 { 2097 struct slist *s1, *s2; 2098 struct slist *sjeq_avs_cookie; 2099 struct slist *sjcommon; 2100 2101 /* 2102 * This code is not compatible with the optimizer, as 2103 * we are generating jmp instructions within a normal 2104 * slist of instructions 2105 */ 2106 no_optimize = 1; 2107 2108 /* 2109 * Generate code to load the length of the radio header into 2110 * the register assigned to hold that length, if one has been 2111 * assigned. (If one hasn't been assigned, no code we've 2112 * generated uses that prefix, so we don't need to generate any 2113 * code to load it.) 2114 * 2115 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes 2116 * or always use the AVS header rather than the Prism header. 2117 * We load a 4-byte big-endian value at the beginning of the 2118 * raw packet data, and see whether, when masked with 0xFFFFF000, 2119 * it's equal to 0x80211000. If so, that indicates that it's 2120 * an AVS header (the masked-out bits are the version number). 2121 * Otherwise, it's a Prism header. 2122 * 2123 * XXX - the Prism header is also, in theory, variable-length, 2124 * but no known software generates headers that aren't 144 2125 * bytes long. 2126 */ 2127 if (off_linkhdr.reg != -1) { 2128 /* 2129 * Load the cookie. 2130 */ 2131 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2132 s1->s.k = 0; 2133 2134 /* 2135 * AND it with 0xFFFFF000. 2136 */ 2137 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 2138 s2->s.k = 0xFFFFF000; 2139 sappend(s1, s2); 2140 2141 /* 2142 * Compare with 0x80211000. 2143 */ 2144 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ)); 2145 sjeq_avs_cookie->s.k = 0x80211000; 2146 sappend(s1, sjeq_avs_cookie); 2147 2148 /* 2149 * If it's AVS: 2150 * 2151 * The 4 bytes at an offset of 4 from the beginning of 2152 * the AVS header are the length of the AVS header. 2153 * That field is big-endian. 2154 */ 2155 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2156 s2->s.k = 4; 2157 sappend(s1, s2); 2158 sjeq_avs_cookie->s.jt = s2; 2159 2160 /* 2161 * Now jump to the code to allocate a register 2162 * into which to save the header length and 2163 * store the length there. (The "jump always" 2164 * instruction needs to have the k field set; 2165 * it's added to the PC, so, as we're jumping 2166 * over a single instruction, it should be 1.) 2167 */ 2168 sjcommon = new_stmt(JMP(BPF_JA)); 2169 sjcommon->s.k = 1; 2170 sappend(s1, sjcommon); 2171 2172 /* 2173 * Now for the code that handles the Prism header. 2174 * Just load the length of the Prism header (144) 2175 * into the A register. Have the test for an AVS 2176 * header branch here if we don't have an AVS header. 2177 */ 2178 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM); 2179 s2->s.k = 144; 2180 sappend(s1, s2); 2181 sjeq_avs_cookie->s.jf = s2; 2182 2183 /* 2184 * Now allocate a register to hold that value and store 2185 * it. The code for the AVS header will jump here after 2186 * loading the length of the AVS header. 2187 */ 2188 s2 = new_stmt(BPF_ST); 2189 s2->s.k = off_linkhdr.reg; 2190 sappend(s1, s2); 2191 sjcommon->s.jf = s2; 2192 2193 /* 2194 * Now move it into the X register. 2195 */ 2196 s2 = new_stmt(BPF_MISC|BPF_TAX); 2197 sappend(s1, s2); 2198 2199 return (s1); 2200 } else 2201 return (NULL); 2202 } 2203 2204 static struct slist * 2205 gen_load_avs_llprefixlen() 2206 { 2207 struct slist *s1, *s2; 2208 2209 /* 2210 * Generate code to load the length of the AVS header into 2211 * the register assigned to hold that length, if one has been 2212 * assigned. (If one hasn't been assigned, no code we've 2213 * generated uses that prefix, so we don't need to generate any 2214 * code to load it.) 2215 */ 2216 if (off_linkhdr.reg != -1) { 2217 /* 2218 * The 4 bytes at an offset of 4 from the beginning of 2219 * the AVS header are the length of the AVS header. 2220 * That field is big-endian. 2221 */ 2222 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2223 s1->s.k = 4; 2224 2225 /* 2226 * Now allocate a register to hold that value and store 2227 * it. 2228 */ 2229 s2 = new_stmt(BPF_ST); 2230 s2->s.k = off_linkhdr.reg; 2231 sappend(s1, s2); 2232 2233 /* 2234 * Now move it into the X register. 2235 */ 2236 s2 = new_stmt(BPF_MISC|BPF_TAX); 2237 sappend(s1, s2); 2238 2239 return (s1); 2240 } else 2241 return (NULL); 2242 } 2243 2244 static struct slist * 2245 gen_load_radiotap_llprefixlen() 2246 { 2247 struct slist *s1, *s2; 2248 2249 /* 2250 * Generate code to load the length of the radiotap header into 2251 * the register assigned to hold that length, if one has been 2252 * assigned. (If one hasn't been assigned, no code we've 2253 * generated uses that prefix, so we don't need to generate any 2254 * code to load it.) 2255 */ 2256 if (off_linkhdr.reg != -1) { 2257 /* 2258 * The 2 bytes at offsets of 2 and 3 from the beginning 2259 * of the radiotap header are the length of the radiotap 2260 * header; unfortunately, it's little-endian, so we have 2261 * to load it a byte at a time and construct the value. 2262 */ 2263 2264 /* 2265 * Load the high-order byte, at an offset of 3, shift it 2266 * left a byte, and put the result in the X register. 2267 */ 2268 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2269 s1->s.k = 3; 2270 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2271 sappend(s1, s2); 2272 s2->s.k = 8; 2273 s2 = new_stmt(BPF_MISC|BPF_TAX); 2274 sappend(s1, s2); 2275 2276 /* 2277 * Load the next byte, at an offset of 2, and OR the 2278 * value from the X register into it. 2279 */ 2280 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2281 sappend(s1, s2); 2282 s2->s.k = 2; 2283 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2284 sappend(s1, s2); 2285 2286 /* 2287 * Now allocate a register to hold that value and store 2288 * it. 2289 */ 2290 s2 = new_stmt(BPF_ST); 2291 s2->s.k = off_linkhdr.reg; 2292 sappend(s1, s2); 2293 2294 /* 2295 * Now move it into the X register. 2296 */ 2297 s2 = new_stmt(BPF_MISC|BPF_TAX); 2298 sappend(s1, s2); 2299 2300 return (s1); 2301 } else 2302 return (NULL); 2303 } 2304 2305 /* 2306 * At the moment we treat PPI as normal Radiotap encoded 2307 * packets. The difference is in the function that generates 2308 * the code at the beginning to compute the header length. 2309 * Since this code generator of PPI supports bare 802.11 2310 * encapsulation only (i.e. the encapsulated DLT should be 2311 * DLT_IEEE802_11) we generate code to check for this too; 2312 * that's done in finish_parse(). 2313 */ 2314 static struct slist * 2315 gen_load_ppi_llprefixlen() 2316 { 2317 struct slist *s1, *s2; 2318 2319 /* 2320 * Generate code to load the length of the radiotap header 2321 * into the register assigned to hold that length, if one has 2322 * been assigned. 2323 */ 2324 if (off_linkhdr.reg != -1) { 2325 /* 2326 * The 2 bytes at offsets of 2 and 3 from the beginning 2327 * of the radiotap header are the length of the radiotap 2328 * header; unfortunately, it's little-endian, so we have 2329 * to load it a byte at a time and construct the value. 2330 */ 2331 2332 /* 2333 * Load the high-order byte, at an offset of 3, shift it 2334 * left a byte, and put the result in the X register. 2335 */ 2336 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2337 s1->s.k = 3; 2338 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K); 2339 sappend(s1, s2); 2340 s2->s.k = 8; 2341 s2 = new_stmt(BPF_MISC|BPF_TAX); 2342 sappend(s1, s2); 2343 2344 /* 2345 * Load the next byte, at an offset of 2, and OR the 2346 * value from the X register into it. 2347 */ 2348 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS); 2349 sappend(s1, s2); 2350 s2->s.k = 2; 2351 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X); 2352 sappend(s1, s2); 2353 2354 /* 2355 * Now allocate a register to hold that value and store 2356 * it. 2357 */ 2358 s2 = new_stmt(BPF_ST); 2359 s2->s.k = off_linkhdr.reg; 2360 sappend(s1, s2); 2361 2362 /* 2363 * Now move it into the X register. 2364 */ 2365 s2 = new_stmt(BPF_MISC|BPF_TAX); 2366 sappend(s1, s2); 2367 2368 return (s1); 2369 } else 2370 return (NULL); 2371 } 2372 2373 /* 2374 * Load a value relative to the beginning of the link-layer header after the 802.11 2375 * header, i.e. LLC_SNAP. 2376 * The link-layer header doesn't necessarily begin at the beginning 2377 * of the packet data; there might be a variable-length prefix containing 2378 * radio information. 2379 */ 2380 static struct slist * 2381 gen_load_802_11_header_len(struct slist *s, struct slist *snext) 2382 { 2383 struct slist *s2; 2384 struct slist *sjset_data_frame_1; 2385 struct slist *sjset_data_frame_2; 2386 struct slist *sjset_qos; 2387 struct slist *sjset_radiotap_flags; 2388 struct slist *sjset_radiotap_tsft; 2389 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad; 2390 struct slist *s_roundup; 2391 2392 if (off_linkpl.reg == -1) { 2393 /* 2394 * No register has been assigned to the offset of 2395 * the link-layer payload, which means nobody needs 2396 * it; don't bother computing it - just return 2397 * what we already have. 2398 */ 2399 return (s); 2400 } 2401 2402 /* 2403 * This code is not compatible with the optimizer, as 2404 * we are generating jmp instructions within a normal 2405 * slist of instructions 2406 */ 2407 no_optimize = 1; 2408 2409 /* 2410 * If "s" is non-null, it has code to arrange that the X register 2411 * contains the length of the prefix preceding the link-layer 2412 * header. 2413 * 2414 * Otherwise, the length of the prefix preceding the link-layer 2415 * header is "off_outermostlinkhdr.constant_part". 2416 */ 2417 if (s == NULL) { 2418 /* 2419 * There is no variable-length header preceding the 2420 * link-layer header. 2421 * 2422 * Load the length of the fixed-length prefix preceding 2423 * the link-layer header (if any) into the X register, 2424 * and store it in the off_linkpl.reg register. 2425 * That length is off_outermostlinkhdr.constant_part. 2426 */ 2427 s = new_stmt(BPF_LDX|BPF_IMM); 2428 s->s.k = off_outermostlinkhdr.constant_part; 2429 } 2430 2431 /* 2432 * The X register contains the offset of the beginning of the 2433 * link-layer header; add 24, which is the minimum length 2434 * of the MAC header for a data frame, to that, and store it 2435 * in off_linkpl.reg, and then load the Frame Control field, 2436 * which is at the offset in the X register, with an indexed load. 2437 */ 2438 s2 = new_stmt(BPF_MISC|BPF_TXA); 2439 sappend(s, s2); 2440 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 2441 s2->s.k = 24; 2442 sappend(s, s2); 2443 s2 = new_stmt(BPF_ST); 2444 s2->s.k = off_linkpl.reg; 2445 sappend(s, s2); 2446 2447 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B); 2448 s2->s.k = 0; 2449 sappend(s, s2); 2450 2451 /* 2452 * Check the Frame Control field to see if this is a data frame; 2453 * a data frame has the 0x08 bit (b3) in that field set and the 2454 * 0x04 bit (b2) clear. 2455 */ 2456 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET)); 2457 sjset_data_frame_1->s.k = 0x08; 2458 sappend(s, sjset_data_frame_1); 2459 2460 /* 2461 * If b3 is set, test b2, otherwise go to the first statement of 2462 * the rest of the program. 2463 */ 2464 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET)); 2465 sjset_data_frame_2->s.k = 0x04; 2466 sappend(s, sjset_data_frame_2); 2467 sjset_data_frame_1->s.jf = snext; 2468 2469 /* 2470 * If b2 is not set, this is a data frame; test the QoS bit. 2471 * Otherwise, go to the first statement of the rest of the 2472 * program. 2473 */ 2474 sjset_data_frame_2->s.jt = snext; 2475 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET)); 2476 sjset_qos->s.k = 0x80; /* QoS bit */ 2477 sappend(s, sjset_qos); 2478 2479 /* 2480 * If it's set, add 2 to off_linkpl.reg, to skip the QoS 2481 * field. 2482 * Otherwise, go to the first statement of the rest of the 2483 * program. 2484 */ 2485 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM); 2486 s2->s.k = off_linkpl.reg; 2487 sappend(s, s2); 2488 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2489 s2->s.k = 2; 2490 sappend(s, s2); 2491 s2 = new_stmt(BPF_ST); 2492 s2->s.k = off_linkpl.reg; 2493 sappend(s, s2); 2494 2495 /* 2496 * If we have a radiotap header, look at it to see whether 2497 * there's Atheros padding between the MAC-layer header 2498 * and the payload. 2499 * 2500 * Note: all of the fields in the radiotap header are 2501 * little-endian, so we byte-swap all of the values 2502 * we test against, as they will be loaded as big-endian 2503 * values. 2504 */ 2505 if (linktype == DLT_IEEE802_11_RADIO) { 2506 /* 2507 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set 2508 * in the presence flag? 2509 */ 2510 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W); 2511 s2->s.k = 4; 2512 sappend(s, s2); 2513 2514 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET)); 2515 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002); 2516 sappend(s, sjset_radiotap_flags); 2517 2518 /* 2519 * If not, skip all of this. 2520 */ 2521 sjset_radiotap_flags->s.jf = snext; 2522 2523 /* 2524 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set? 2525 */ 2526 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt = 2527 new_stmt(JMP(BPF_JSET)); 2528 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001); 2529 sappend(s, sjset_radiotap_tsft); 2530 2531 /* 2532 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is 2533 * at an offset of 16 from the beginning of the raw packet 2534 * data (8 bytes for the radiotap header and 8 bytes for 2535 * the TSFT field). 2536 * 2537 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2538 * is set. 2539 */ 2540 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2541 s2->s.k = 16; 2542 sappend(s, s2); 2543 2544 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET)); 2545 sjset_tsft_datapad->s.k = 0x20; 2546 sappend(s, sjset_tsft_datapad); 2547 2548 /* 2549 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is 2550 * at an offset of 8 from the beginning of the raw packet 2551 * data (8 bytes for the radiotap header). 2552 * 2553 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20) 2554 * is set. 2555 */ 2556 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B); 2557 s2->s.k = 8; 2558 sappend(s, s2); 2559 2560 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET)); 2561 sjset_notsft_datapad->s.k = 0x20; 2562 sappend(s, sjset_notsft_datapad); 2563 2564 /* 2565 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is 2566 * set, round the length of the 802.11 header to 2567 * a multiple of 4. Do that by adding 3 and then 2568 * dividing by and multiplying by 4, which we do by 2569 * ANDing with ~3. 2570 */ 2571 s_roundup = new_stmt(BPF_LD|BPF_MEM); 2572 s_roundup->s.k = off_linkpl.reg; 2573 sappend(s, s_roundup); 2574 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM); 2575 s2->s.k = 3; 2576 sappend(s, s2); 2577 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM); 2578 s2->s.k = ~3; 2579 sappend(s, s2); 2580 s2 = new_stmt(BPF_ST); 2581 s2->s.k = off_linkpl.reg; 2582 sappend(s, s2); 2583 2584 sjset_tsft_datapad->s.jt = s_roundup; 2585 sjset_tsft_datapad->s.jf = snext; 2586 sjset_notsft_datapad->s.jt = s_roundup; 2587 sjset_notsft_datapad->s.jf = snext; 2588 } else 2589 sjset_qos->s.jf = snext; 2590 2591 return s; 2592 } 2593 2594 static void 2595 insert_compute_vloffsets(b) 2596 struct block *b; 2597 { 2598 struct slist *s; 2599 2600 /* There is an implicit dependency between the link 2601 * payload and link header since the payload computation 2602 * includes the variable part of the header. Therefore, 2603 * if nobody else has allocated a register for the link 2604 * header and we need it, do it now. */ 2605 if (off_linkpl.reg != -1 && off_linkhdr.is_variable && 2606 off_linkhdr.reg == -1) 2607 off_linkhdr.reg = alloc_reg(); 2608 2609 /* 2610 * For link-layer types that have a variable-length header 2611 * preceding the link-layer header, generate code to load 2612 * the offset of the link-layer header into the register 2613 * assigned to that offset, if any. 2614 * 2615 * XXX - this, and the next switch statement, won't handle 2616 * encapsulation of 802.11 or 802.11+radio information in 2617 * some other protocol stack. That's significantly more 2618 * complicated. 2619 */ 2620 switch (outermostlinktype) { 2621 2622 case DLT_PRISM_HEADER: 2623 s = gen_load_prism_llprefixlen(); 2624 break; 2625 2626 case DLT_IEEE802_11_RADIO_AVS: 2627 s = gen_load_avs_llprefixlen(); 2628 break; 2629 2630 case DLT_IEEE802_11_RADIO: 2631 s = gen_load_radiotap_llprefixlen(); 2632 break; 2633 2634 case DLT_PPI: 2635 s = gen_load_ppi_llprefixlen(); 2636 break; 2637 2638 default: 2639 s = NULL; 2640 break; 2641 } 2642 2643 /* 2644 * For link-layer types that have a variable-length link-layer 2645 * header, generate code to load the offset of the link-layer 2646 * payload into the register assigned to that offset, if any. 2647 */ 2648 switch (outermostlinktype) { 2649 2650 case DLT_IEEE802_11: 2651 case DLT_PRISM_HEADER: 2652 case DLT_IEEE802_11_RADIO_AVS: 2653 case DLT_IEEE802_11_RADIO: 2654 case DLT_PPI: 2655 s = gen_load_802_11_header_len(s, b->stmts); 2656 break; 2657 } 2658 2659 /* 2660 * If we have any offset-loading code, append all the 2661 * existing statements in the block to those statements, 2662 * and make the resulting list the list of statements 2663 * for the block. 2664 */ 2665 if (s != NULL) { 2666 sappend(s, b->stmts); 2667 b->stmts = s; 2668 } 2669 } 2670 2671 static struct block * 2672 gen_ppi_dlt_check(void) 2673 { 2674 struct slist *s_load_dlt; 2675 struct block *b; 2676 2677 if (linktype == DLT_PPI) 2678 { 2679 /* Create the statements that check for the DLT 2680 */ 2681 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS); 2682 s_load_dlt->s.k = 4; 2683 2684 b = new_block(JMP(BPF_JEQ)); 2685 2686 b->stmts = s_load_dlt; 2687 b->s.k = SWAPLONG(DLT_IEEE802_11); 2688 } 2689 else 2690 { 2691 b = NULL; 2692 } 2693 2694 return b; 2695 } 2696 2697 /* 2698 * Take an absolute offset, and: 2699 * 2700 * if it has no variable part, return NULL; 2701 * 2702 * if it has a variable part, generate code to load the register 2703 * containing that variable part into the X register, returning 2704 * a pointer to that code - if no register for that offset has 2705 * been allocated, allocate it first. 2706 * 2707 * (The code to set that register will be generated later, but will 2708 * be placed earlier in the code sequence.) 2709 */ 2710 static struct slist * 2711 gen_abs_offset_varpart(bpf_abs_offset *off) 2712 { 2713 struct slist *s; 2714 2715 if (off->is_variable) { 2716 if (off->reg == -1) { 2717 /* 2718 * We haven't yet assigned a register for the 2719 * variable part of the offset of the link-layer 2720 * header; allocate one. 2721 */ 2722 off->reg = alloc_reg(); 2723 } 2724 2725 /* 2726 * Load the register containing the variable part of the 2727 * offset of the link-layer header into the X register. 2728 */ 2729 s = new_stmt(BPF_LDX|BPF_MEM); 2730 s->s.k = off->reg; 2731 return s; 2732 } else { 2733 /* 2734 * That offset isn't variable, there's no variable part, 2735 * so we don't need to generate any code. 2736 */ 2737 return NULL; 2738 } 2739 } 2740 2741 /* 2742 * Map an Ethernet type to the equivalent PPP type. 2743 */ 2744 static int 2745 ethertype_to_ppptype(proto) 2746 int proto; 2747 { 2748 switch (proto) { 2749 2750 case ETHERTYPE_IP: 2751 proto = PPP_IP; 2752 break; 2753 2754 case ETHERTYPE_IPV6: 2755 proto = PPP_IPV6; 2756 break; 2757 2758 case ETHERTYPE_DN: 2759 proto = PPP_DECNET; 2760 break; 2761 2762 case ETHERTYPE_ATALK: 2763 proto = PPP_APPLE; 2764 break; 2765 2766 case ETHERTYPE_NS: 2767 proto = PPP_NS; 2768 break; 2769 2770 case LLCSAP_ISONS: 2771 proto = PPP_OSI; 2772 break; 2773 2774 case LLCSAP_8021D: 2775 /* 2776 * I'm assuming the "Bridging PDU"s that go 2777 * over PPP are Spanning Tree Protocol 2778 * Bridging PDUs. 2779 */ 2780 proto = PPP_BRPDU; 2781 break; 2782 2783 case LLCSAP_IPX: 2784 proto = PPP_IPX; 2785 break; 2786 } 2787 return (proto); 2788 } 2789 2790 /* 2791 * Generate any tests that, for encapsulation of a link-layer packet 2792 * inside another protocol stack, need to be done to check for those 2793 * link-layer packets (and that haven't already been done by a check 2794 * for that encapsulation). 2795 */ 2796 static struct block * 2797 gen_prevlinkhdr_check(void) 2798 { 2799 struct block *b0; 2800 2801 if (is_geneve) 2802 return gen_geneve_ll_check(); 2803 2804 switch (prevlinktype) { 2805 2806 case DLT_SUNATM: 2807 /* 2808 * This is LANE-encapsulated Ethernet; check that the LANE 2809 * packet doesn't begin with an LE Control marker, i.e. 2810 * that it's data, not a control message. 2811 * 2812 * (We've already generated a test for LANE.) 2813 */ 2814 b0 = gen_cmp(OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00); 2815 gen_not(b0); 2816 return b0; 2817 2818 default: 2819 /* 2820 * No such tests are necessary. 2821 */ 2822 return NULL; 2823 } 2824 /*NOTREACHED*/ 2825 } 2826 2827 /* 2828 * Generate code to match a particular packet type by matching the 2829 * link-layer type field or fields in the 802.2 LLC header. 2830 * 2831 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 2832 * value, if <= ETHERMTU. 2833 */ 2834 static struct block * 2835 gen_linktype(proto) 2836 register int proto; 2837 { 2838 struct block *b0, *b1, *b2; 2839 const char *description; 2840 2841 /* are we checking MPLS-encapsulated packets? */ 2842 if (label_stack_depth > 0) { 2843 switch (proto) { 2844 case ETHERTYPE_IP: 2845 case PPP_IP: 2846 /* FIXME add other L3 proto IDs */ 2847 return gen_mpls_linktype(Q_IP); 2848 2849 case ETHERTYPE_IPV6: 2850 case PPP_IPV6: 2851 /* FIXME add other L3 proto IDs */ 2852 return gen_mpls_linktype(Q_IPV6); 2853 2854 default: 2855 bpf_error("unsupported protocol over mpls"); 2856 /* NOTREACHED */ 2857 } 2858 } 2859 2860 switch (linktype) { 2861 2862 case DLT_EN10MB: 2863 case DLT_NETANALYZER: 2864 case DLT_NETANALYZER_TRANSPARENT: 2865 /* Geneve has an EtherType regardless of whether there is an 2866 * L2 header. */ 2867 if (!is_geneve) 2868 b0 = gen_prevlinkhdr_check(); 2869 else 2870 b0 = NULL; 2871 2872 b1 = gen_ether_linktype(proto); 2873 if (b0 != NULL) 2874 gen_and(b0, b1); 2875 return b1; 2876 /*NOTREACHED*/ 2877 break; 2878 2879 case DLT_C_HDLC: 2880 switch (proto) { 2881 2882 case LLCSAP_ISONS: 2883 proto = (proto << 8 | LLCSAP_ISONS); 2884 /* fall through */ 2885 2886 default: 2887 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 2888 /*NOTREACHED*/ 2889 break; 2890 } 2891 break; 2892 2893 case DLT_IEEE802_11: 2894 case DLT_PRISM_HEADER: 2895 case DLT_IEEE802_11_RADIO_AVS: 2896 case DLT_IEEE802_11_RADIO: 2897 case DLT_PPI: 2898 /* 2899 * Check that we have a data frame. 2900 */ 2901 b0 = gen_check_802_11_data_frame(); 2902 2903 /* 2904 * Now check for the specified link-layer type. 2905 */ 2906 b1 = gen_llc_linktype(proto); 2907 gen_and(b0, b1); 2908 return b1; 2909 /*NOTREACHED*/ 2910 break; 2911 2912 case DLT_FDDI: 2913 /* 2914 * XXX - check for LLC frames. 2915 */ 2916 return gen_llc_linktype(proto); 2917 /*NOTREACHED*/ 2918 break; 2919 2920 case DLT_IEEE802: 2921 /* 2922 * XXX - check for LLC PDUs, as per IEEE 802.5. 2923 */ 2924 return gen_llc_linktype(proto); 2925 /*NOTREACHED*/ 2926 break; 2927 2928 case DLT_ATM_RFC1483: 2929 case DLT_ATM_CLIP: 2930 case DLT_IP_OVER_FC: 2931 return gen_llc_linktype(proto); 2932 /*NOTREACHED*/ 2933 break; 2934 2935 case DLT_SUNATM: 2936 /* 2937 * Check for an LLC-encapsulated version of this protocol; 2938 * if we were checking for LANE, linktype would no longer 2939 * be DLT_SUNATM. 2940 * 2941 * Check for LLC encapsulation and then check the protocol. 2942 */ 2943 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 2944 b1 = gen_llc_linktype(proto); 2945 gen_and(b0, b1); 2946 return b1; 2947 /*NOTREACHED*/ 2948 break; 2949 2950 case DLT_LINUX_SLL: 2951 return gen_linux_sll_linktype(proto); 2952 /*NOTREACHED*/ 2953 break; 2954 2955 case DLT_SLIP: 2956 case DLT_SLIP_BSDOS: 2957 case DLT_RAW: 2958 /* 2959 * These types don't provide any type field; packets 2960 * are always IPv4 or IPv6. 2961 * 2962 * XXX - for IPv4, check for a version number of 4, and, 2963 * for IPv6, check for a version number of 6? 2964 */ 2965 switch (proto) { 2966 2967 case ETHERTYPE_IP: 2968 /* Check for a version number of 4. */ 2969 return gen_mcmp(OR_LINKHDR, 0, BPF_B, 0x40, 0xF0); 2970 2971 case ETHERTYPE_IPV6: 2972 /* Check for a version number of 6. */ 2973 return gen_mcmp(OR_LINKHDR, 0, BPF_B, 0x60, 0xF0); 2974 2975 default: 2976 return gen_false(); /* always false */ 2977 } 2978 /*NOTREACHED*/ 2979 break; 2980 2981 case DLT_IPV4: 2982 /* 2983 * Raw IPv4, so no type field. 2984 */ 2985 if (proto == ETHERTYPE_IP) 2986 return gen_true(); /* always true */ 2987 2988 /* Checking for something other than IPv4; always false */ 2989 return gen_false(); 2990 /*NOTREACHED*/ 2991 break; 2992 2993 case DLT_IPV6: 2994 /* 2995 * Raw IPv6, so no type field. 2996 */ 2997 if (proto == ETHERTYPE_IPV6) 2998 return gen_true(); /* always true */ 2999 3000 /* Checking for something other than IPv6; always false */ 3001 return gen_false(); 3002 /*NOTREACHED*/ 3003 break; 3004 3005 case DLT_PPP: 3006 case DLT_PPP_PPPD: 3007 case DLT_PPP_SERIAL: 3008 case DLT_PPP_ETHER: 3009 /* 3010 * We use Ethernet protocol types inside libpcap; 3011 * map them to the corresponding PPP protocol types. 3012 */ 3013 proto = ethertype_to_ppptype(proto); 3014 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3015 /*NOTREACHED*/ 3016 break; 3017 3018 case DLT_PPP_BSDOS: 3019 /* 3020 * We use Ethernet protocol types inside libpcap; 3021 * map them to the corresponding PPP protocol types. 3022 */ 3023 switch (proto) { 3024 3025 case ETHERTYPE_IP: 3026 /* 3027 * Also check for Van Jacobson-compressed IP. 3028 * XXX - do this for other forms of PPP? 3029 */ 3030 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_IP); 3031 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_VJC); 3032 gen_or(b0, b1); 3033 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_VJNC); 3034 gen_or(b1, b0); 3035 return b0; 3036 3037 default: 3038 proto = ethertype_to_ppptype(proto); 3039 return gen_cmp(OR_LINKTYPE, 0, BPF_H, 3040 (bpf_int32)proto); 3041 } 3042 /*NOTREACHED*/ 3043 break; 3044 3045 case DLT_NULL: 3046 case DLT_LOOP: 3047 case DLT_ENC: 3048 /* 3049 * For DLT_NULL, the link-layer header is a 32-bit 3050 * word containing an AF_ value in *host* byte order, 3051 * and for DLT_ENC, the link-layer header begins 3052 * with a 32-bit work containing an AF_ value in 3053 * host byte order. 3054 * 3055 * In addition, if we're reading a saved capture file, 3056 * the host byte order in the capture may not be the 3057 * same as the host byte order on this machine. 3058 * 3059 * For DLT_LOOP, the link-layer header is a 32-bit 3060 * word containing an AF_ value in *network* byte order. 3061 * 3062 * XXX - AF_ values may, unfortunately, be platform- 3063 * dependent; for example, FreeBSD's AF_INET6 is 24 3064 * whilst NetBSD's and OpenBSD's is 26. 3065 * 3066 * This means that, when reading a capture file, just 3067 * checking for our AF_INET6 value won't work if the 3068 * capture file came from another OS. 3069 */ 3070 switch (proto) { 3071 3072 case ETHERTYPE_IP: 3073 proto = AF_INET; 3074 break; 3075 3076 #ifdef INET6 3077 case ETHERTYPE_IPV6: 3078 proto = AF_INET6; 3079 break; 3080 #endif 3081 3082 default: 3083 /* 3084 * Not a type on which we support filtering. 3085 * XXX - support those that have AF_ values 3086 * #defined on this platform, at least? 3087 */ 3088 return gen_false(); 3089 } 3090 3091 if (linktype == DLT_NULL || linktype == DLT_ENC) { 3092 /* 3093 * The AF_ value is in host byte order, but 3094 * the BPF interpreter will convert it to 3095 * network byte order. 3096 * 3097 * If this is a save file, and it's from a 3098 * machine with the opposite byte order to 3099 * ours, we byte-swap the AF_ value. 3100 * 3101 * Then we run it through "htonl()", and 3102 * generate code to compare against the result. 3103 */ 3104 if (bpf_pcap->rfile != NULL && bpf_pcap->swapped) 3105 proto = SWAPLONG(proto); 3106 proto = htonl(proto); 3107 } 3108 return (gen_cmp(OR_LINKHDR, 0, BPF_W, (bpf_int32)proto)); 3109 3110 #ifdef HAVE_NET_PFVAR_H 3111 case DLT_PFLOG: 3112 /* 3113 * af field is host byte order in contrast to the rest of 3114 * the packet. 3115 */ 3116 if (proto == ETHERTYPE_IP) 3117 return (gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, af), 3118 BPF_B, (bpf_int32)AF_INET)); 3119 else if (proto == ETHERTYPE_IPV6) 3120 return (gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, af), 3121 BPF_B, (bpf_int32)AF_INET6)); 3122 else 3123 return gen_false(); 3124 /*NOTREACHED*/ 3125 break; 3126 #endif /* HAVE_NET_PFVAR_H */ 3127 3128 case DLT_ARCNET: 3129 case DLT_ARCNET_LINUX: 3130 /* 3131 * XXX should we check for first fragment if the protocol 3132 * uses PHDS? 3133 */ 3134 switch (proto) { 3135 3136 default: 3137 return gen_false(); 3138 3139 case ETHERTYPE_IPV6: 3140 return (gen_cmp(OR_LINKTYPE, 0, BPF_B, 3141 (bpf_int32)ARCTYPE_INET6)); 3142 3143 case ETHERTYPE_IP: 3144 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_B, 3145 (bpf_int32)ARCTYPE_IP); 3146 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_B, 3147 (bpf_int32)ARCTYPE_IP_OLD); 3148 gen_or(b0, b1); 3149 return (b1); 3150 3151 case ETHERTYPE_ARP: 3152 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_B, 3153 (bpf_int32)ARCTYPE_ARP); 3154 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_B, 3155 (bpf_int32)ARCTYPE_ARP_OLD); 3156 gen_or(b0, b1); 3157 return (b1); 3158 3159 case ETHERTYPE_REVARP: 3160 return (gen_cmp(OR_LINKTYPE, 0, BPF_B, 3161 (bpf_int32)ARCTYPE_REVARP)); 3162 3163 case ETHERTYPE_ATALK: 3164 return (gen_cmp(OR_LINKTYPE, 0, BPF_B, 3165 (bpf_int32)ARCTYPE_ATALK)); 3166 } 3167 /*NOTREACHED*/ 3168 break; 3169 3170 case DLT_LTALK: 3171 switch (proto) { 3172 case ETHERTYPE_ATALK: 3173 return gen_true(); 3174 default: 3175 return gen_false(); 3176 } 3177 /*NOTREACHED*/ 3178 break; 3179 3180 case DLT_FRELAY: 3181 /* 3182 * XXX - assumes a 2-byte Frame Relay header with 3183 * DLCI and flags. What if the address is longer? 3184 */ 3185 switch (proto) { 3186 3187 case ETHERTYPE_IP: 3188 /* 3189 * Check for the special NLPID for IP. 3190 */ 3191 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc); 3192 3193 case ETHERTYPE_IPV6: 3194 /* 3195 * Check for the special NLPID for IPv6. 3196 */ 3197 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e); 3198 3199 case LLCSAP_ISONS: 3200 /* 3201 * Check for several OSI protocols. 3202 * 3203 * Frame Relay packets typically have an OSI 3204 * NLPID at the beginning; we check for each 3205 * of them. 3206 * 3207 * What we check for is the NLPID and a frame 3208 * control field of UI, i.e. 0x03 followed 3209 * by the NLPID. 3210 */ 3211 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP); 3212 b1 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS); 3213 b2 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS); 3214 gen_or(b1, b2); 3215 gen_or(b0, b2); 3216 return b2; 3217 3218 default: 3219 return gen_false(); 3220 } 3221 /*NOTREACHED*/ 3222 break; 3223 3224 case DLT_MFR: 3225 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented"); 3226 3227 case DLT_JUNIPER_MFR: 3228 case DLT_JUNIPER_MLFR: 3229 case DLT_JUNIPER_MLPPP: 3230 case DLT_JUNIPER_ATM1: 3231 case DLT_JUNIPER_ATM2: 3232 case DLT_JUNIPER_PPPOE: 3233 case DLT_JUNIPER_PPPOE_ATM: 3234 case DLT_JUNIPER_GGSN: 3235 case DLT_JUNIPER_ES: 3236 case DLT_JUNIPER_MONITOR: 3237 case DLT_JUNIPER_SERVICES: 3238 case DLT_JUNIPER_ETHER: 3239 case DLT_JUNIPER_PPP: 3240 case DLT_JUNIPER_FRELAY: 3241 case DLT_JUNIPER_CHDLC: 3242 case DLT_JUNIPER_VP: 3243 case DLT_JUNIPER_ST: 3244 case DLT_JUNIPER_ISM: 3245 case DLT_JUNIPER_VS: 3246 case DLT_JUNIPER_SRX_E2E: 3247 case DLT_JUNIPER_FIBRECHANNEL: 3248 case DLT_JUNIPER_ATM_CEMIC: 3249 3250 /* just lets verify the magic number for now - 3251 * on ATM we may have up to 6 different encapsulations on the wire 3252 * and need a lot of heuristics to figure out that the payload 3253 * might be; 3254 * 3255 * FIXME encapsulation specific BPF_ filters 3256 */ 3257 return gen_mcmp(OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */ 3258 3259 case DLT_BACNET_MS_TP: 3260 return gen_mcmp(OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000); 3261 3262 case DLT_IPNET: 3263 return gen_ipnet_linktype(proto); 3264 3265 case DLT_LINUX_IRDA: 3266 bpf_error("IrDA link-layer type filtering not implemented"); 3267 3268 case DLT_DOCSIS: 3269 bpf_error("DOCSIS link-layer type filtering not implemented"); 3270 3271 case DLT_MTP2: 3272 case DLT_MTP2_WITH_PHDR: 3273 bpf_error("MTP2 link-layer type filtering not implemented"); 3274 3275 case DLT_ERF: 3276 bpf_error("ERF link-layer type filtering not implemented"); 3277 3278 case DLT_PFSYNC: 3279 bpf_error("PFSYNC link-layer type filtering not implemented"); 3280 3281 case DLT_LINUX_LAPD: 3282 bpf_error("LAPD link-layer type filtering not implemented"); 3283 3284 case DLT_USB: 3285 case DLT_USB_LINUX: 3286 case DLT_USB_LINUX_MMAPPED: 3287 bpf_error("USB link-layer type filtering not implemented"); 3288 3289 case DLT_BLUETOOTH_HCI_H4: 3290 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR: 3291 bpf_error("Bluetooth link-layer type filtering not implemented"); 3292 3293 case DLT_CAN20B: 3294 case DLT_CAN_SOCKETCAN: 3295 bpf_error("CAN link-layer type filtering not implemented"); 3296 3297 case DLT_IEEE802_15_4: 3298 case DLT_IEEE802_15_4_LINUX: 3299 case DLT_IEEE802_15_4_NONASK_PHY: 3300 case DLT_IEEE802_15_4_NOFCS: 3301 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented"); 3302 3303 case DLT_IEEE802_16_MAC_CPS_RADIO: 3304 bpf_error("IEEE 802.16 link-layer type filtering not implemented"); 3305 3306 case DLT_SITA: 3307 bpf_error("SITA link-layer type filtering not implemented"); 3308 3309 case DLT_RAIF1: 3310 bpf_error("RAIF1 link-layer type filtering not implemented"); 3311 3312 case DLT_IPMB: 3313 bpf_error("IPMB link-layer type filtering not implemented"); 3314 3315 case DLT_AX25_KISS: 3316 bpf_error("AX.25 link-layer type filtering not implemented"); 3317 3318 case DLT_NFLOG: 3319 /* Using the fixed-size NFLOG header it is possible to tell only 3320 * the address family of the packet, other meaningful data is 3321 * either missing or behind TLVs. 3322 */ 3323 bpf_error("NFLOG link-layer type filtering not implemented"); 3324 3325 default: 3326 /* 3327 * Does this link-layer header type have a field 3328 * indicating the type of the next protocol? If 3329 * so, off_linktype.constant_part will be the offset of that 3330 * field in the packet; if not, it will be -1. 3331 */ 3332 if (off_linktype.constant_part != (u_int)-1) { 3333 /* 3334 * Yes; assume it's an Ethernet type. (If 3335 * it's not, it needs to be handled specially 3336 * above.) 3337 */ 3338 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto); 3339 } else { 3340 /* 3341 * No; report an error. 3342 */ 3343 description = pcap_datalink_val_to_description(linktype); 3344 if (description != NULL) { 3345 bpf_error("%s link-layer type filtering not implemented", 3346 description); 3347 } else { 3348 bpf_error("DLT %u link-layer type filtering not implemented", 3349 linktype); 3350 } 3351 } 3352 break; 3353 } 3354 } 3355 3356 /* 3357 * Check for an LLC SNAP packet with a given organization code and 3358 * protocol type; we check the entire contents of the 802.2 LLC and 3359 * snap headers, checking for DSAP and SSAP of SNAP and a control 3360 * field of 0x03 in the LLC header, and for the specified organization 3361 * code and protocol type in the SNAP header. 3362 */ 3363 static struct block * 3364 gen_snap(orgcode, ptype) 3365 bpf_u_int32 orgcode; 3366 bpf_u_int32 ptype; 3367 { 3368 u_char snapblock[8]; 3369 3370 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */ 3371 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */ 3372 snapblock[2] = 0x03; /* control = UI */ 3373 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */ 3374 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */ 3375 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */ 3376 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */ 3377 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */ 3378 return gen_bcmp(OR_LLC, 0, 8, snapblock); 3379 } 3380 3381 /* 3382 * Generate code to match frames with an LLC header. 3383 */ 3384 struct block * 3385 gen_llc(void) 3386 { 3387 struct block *b0, *b1; 3388 3389 switch (linktype) { 3390 3391 case DLT_EN10MB: 3392 /* 3393 * We check for an Ethernet type field less than 3394 * 1500, which means it's an 802.3 length field. 3395 */ 3396 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU); 3397 gen_not(b0); 3398 3399 /* 3400 * Now check for the purported DSAP and SSAP not being 3401 * 0xFF, to rule out NetWare-over-802.3. 3402 */ 3403 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF); 3404 gen_not(b1); 3405 gen_and(b0, b1); 3406 return b1; 3407 3408 case DLT_SUNATM: 3409 /* 3410 * We check for LLC traffic. 3411 */ 3412 b0 = gen_atmtype_abbrev(A_LLC); 3413 return b0; 3414 3415 case DLT_IEEE802: /* Token Ring */ 3416 /* 3417 * XXX - check for LLC frames. 3418 */ 3419 return gen_true(); 3420 3421 case DLT_FDDI: 3422 /* 3423 * XXX - check for LLC frames. 3424 */ 3425 return gen_true(); 3426 3427 case DLT_ATM_RFC1483: 3428 /* 3429 * For LLC encapsulation, these are defined to have an 3430 * 802.2 LLC header. 3431 * 3432 * For VC encapsulation, they don't, but there's no 3433 * way to check for that; the protocol used on the VC 3434 * is negotiated out of band. 3435 */ 3436 return gen_true(); 3437 3438 case DLT_IEEE802_11: 3439 case DLT_PRISM_HEADER: 3440 case DLT_IEEE802_11_RADIO: 3441 case DLT_IEEE802_11_RADIO_AVS: 3442 case DLT_PPI: 3443 /* 3444 * Check that we have a data frame. 3445 */ 3446 b0 = gen_check_802_11_data_frame(); 3447 return b0; 3448 3449 default: 3450 bpf_error("'llc' not supported for linktype %d", linktype); 3451 /* NOTREACHED */ 3452 } 3453 } 3454 3455 struct block * 3456 gen_llc_i(void) 3457 { 3458 struct block *b0, *b1; 3459 struct slist *s; 3460 3461 /* 3462 * Check whether this is an LLC frame. 3463 */ 3464 b0 = gen_llc(); 3465 3466 /* 3467 * Load the control byte and test the low-order bit; it must 3468 * be clear for I frames. 3469 */ 3470 s = gen_load_a(OR_LLC, 2, BPF_B); 3471 b1 = new_block(JMP(BPF_JSET)); 3472 b1->s.k = 0x01; 3473 b1->stmts = s; 3474 gen_not(b1); 3475 gen_and(b0, b1); 3476 return b1; 3477 } 3478 3479 struct block * 3480 gen_llc_s(void) 3481 { 3482 struct block *b0, *b1; 3483 3484 /* 3485 * Check whether this is an LLC frame. 3486 */ 3487 b0 = gen_llc(); 3488 3489 /* 3490 * Now compare the low-order 2 bit of the control byte against 3491 * the appropriate value for S frames. 3492 */ 3493 b1 = gen_mcmp(OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03); 3494 gen_and(b0, b1); 3495 return b1; 3496 } 3497 3498 struct block * 3499 gen_llc_u(void) 3500 { 3501 struct block *b0, *b1; 3502 3503 /* 3504 * Check whether this is an LLC frame. 3505 */ 3506 b0 = gen_llc(); 3507 3508 /* 3509 * Now compare the low-order 2 bit of the control byte against 3510 * the appropriate value for U frames. 3511 */ 3512 b1 = gen_mcmp(OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03); 3513 gen_and(b0, b1); 3514 return b1; 3515 } 3516 3517 struct block * 3518 gen_llc_s_subtype(bpf_u_int32 subtype) 3519 { 3520 struct block *b0, *b1; 3521 3522 /* 3523 * Check whether this is an LLC frame. 3524 */ 3525 b0 = gen_llc(); 3526 3527 /* 3528 * Now check for an S frame with the appropriate type. 3529 */ 3530 b1 = gen_mcmp(OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK); 3531 gen_and(b0, b1); 3532 return b1; 3533 } 3534 3535 struct block * 3536 gen_llc_u_subtype(bpf_u_int32 subtype) 3537 { 3538 struct block *b0, *b1; 3539 3540 /* 3541 * Check whether this is an LLC frame. 3542 */ 3543 b0 = gen_llc(); 3544 3545 /* 3546 * Now check for a U frame with the appropriate type. 3547 */ 3548 b1 = gen_mcmp(OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK); 3549 gen_and(b0, b1); 3550 return b1; 3551 } 3552 3553 /* 3554 * Generate code to match a particular packet type, for link-layer types 3555 * using 802.2 LLC headers. 3556 * 3557 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used 3558 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues. 3559 * 3560 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP 3561 * value, if <= ETHERMTU. We use that to determine whether to 3562 * match the DSAP or both DSAP and LSAP or to check the OUI and 3563 * protocol ID in a SNAP header. 3564 */ 3565 static struct block * 3566 gen_llc_linktype(proto) 3567 int proto; 3568 { 3569 /* 3570 * XXX - handle token-ring variable-length header. 3571 */ 3572 switch (proto) { 3573 3574 case LLCSAP_IP: 3575 case LLCSAP_ISONS: 3576 case LLCSAP_NETBEUI: 3577 /* 3578 * XXX - should we check both the DSAP and the 3579 * SSAP, like this, or should we check just the 3580 * DSAP, as we do for other SAP values? 3581 */ 3582 return gen_cmp(OR_LLC, 0, BPF_H, (bpf_u_int32) 3583 ((proto << 8) | proto)); 3584 3585 case LLCSAP_IPX: 3586 /* 3587 * XXX - are there ever SNAP frames for IPX on 3588 * non-Ethernet 802.x networks? 3589 */ 3590 return gen_cmp(OR_LLC, 0, BPF_B, 3591 (bpf_int32)LLCSAP_IPX); 3592 3593 case ETHERTYPE_ATALK: 3594 /* 3595 * 802.2-encapsulated ETHERTYPE_ATALK packets are 3596 * SNAP packets with an organization code of 3597 * 0x080007 (Apple, for Appletalk) and a protocol 3598 * type of ETHERTYPE_ATALK (Appletalk). 3599 * 3600 * XXX - check for an organization code of 3601 * encapsulated Ethernet as well? 3602 */ 3603 return gen_snap(0x080007, ETHERTYPE_ATALK); 3604 3605 default: 3606 /* 3607 * XXX - we don't have to check for IPX 802.3 3608 * here, but should we check for the IPX Ethertype? 3609 */ 3610 if (proto <= ETHERMTU) { 3611 /* 3612 * This is an LLC SAP value, so check 3613 * the DSAP. 3614 */ 3615 return gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)proto); 3616 } else { 3617 /* 3618 * This is an Ethernet type; we assume that it's 3619 * unlikely that it'll appear in the right place 3620 * at random, and therefore check only the 3621 * location that would hold the Ethernet type 3622 * in a SNAP frame with an organization code of 3623 * 0x000000 (encapsulated Ethernet). 3624 * 3625 * XXX - if we were to check for the SNAP DSAP and 3626 * LSAP, as per XXX, and were also to check for an 3627 * organization code of 0x000000 (encapsulated 3628 * Ethernet), we'd do 3629 * 3630 * return gen_snap(0x000000, proto); 3631 * 3632 * here; for now, we don't, as per the above. 3633 * I don't know whether it's worth the extra CPU 3634 * time to do the right check or not. 3635 */ 3636 return gen_cmp(OR_LLC, 6, BPF_H, (bpf_int32)proto); 3637 } 3638 } 3639 } 3640 3641 static struct block * 3642 gen_hostop(addr, mask, dir, proto, src_off, dst_off) 3643 bpf_u_int32 addr; 3644 bpf_u_int32 mask; 3645 int dir, proto; 3646 u_int src_off, dst_off; 3647 { 3648 struct block *b0, *b1; 3649 u_int offset; 3650 3651 switch (dir) { 3652 3653 case Q_SRC: 3654 offset = src_off; 3655 break; 3656 3657 case Q_DST: 3658 offset = dst_off; 3659 break; 3660 3661 case Q_AND: 3662 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3663 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3664 gen_and(b0, b1); 3665 return b1; 3666 3667 case Q_OR: 3668 case Q_DEFAULT: 3669 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off); 3670 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off); 3671 gen_or(b0, b1); 3672 return b1; 3673 3674 default: 3675 abort(); 3676 } 3677 b0 = gen_linktype(proto); 3678 b1 = gen_mcmp(OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask); 3679 gen_and(b0, b1); 3680 return b1; 3681 } 3682 3683 #ifdef INET6 3684 static struct block * 3685 gen_hostop6(addr, mask, dir, proto, src_off, dst_off) 3686 struct in6_addr *addr; 3687 struct in6_addr *mask; 3688 int dir, proto; 3689 u_int src_off, dst_off; 3690 { 3691 struct block *b0, *b1; 3692 u_int offset; 3693 u_int32_t *a, *m; 3694 3695 switch (dir) { 3696 3697 case Q_SRC: 3698 offset = src_off; 3699 break; 3700 3701 case Q_DST: 3702 offset = dst_off; 3703 break; 3704 3705 case Q_AND: 3706 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3707 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3708 gen_and(b0, b1); 3709 return b1; 3710 3711 case Q_OR: 3712 case Q_DEFAULT: 3713 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off); 3714 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off); 3715 gen_or(b0, b1); 3716 return b1; 3717 3718 default: 3719 abort(); 3720 } 3721 /* this order is important */ 3722 a = (u_int32_t *)addr; 3723 m = (u_int32_t *)mask; 3724 b1 = gen_mcmp(OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3])); 3725 b0 = gen_mcmp(OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2])); 3726 gen_and(b0, b1); 3727 b0 = gen_mcmp(OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1])); 3728 gen_and(b0, b1); 3729 b0 = gen_mcmp(OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0])); 3730 gen_and(b0, b1); 3731 b0 = gen_linktype(proto); 3732 gen_and(b0, b1); 3733 return b1; 3734 } 3735 #endif 3736 3737 static struct block * 3738 gen_ehostop(eaddr, dir) 3739 register const u_char *eaddr; 3740 register int dir; 3741 { 3742 register struct block *b0, *b1; 3743 3744 switch (dir) { 3745 case Q_SRC: 3746 return gen_bcmp(OR_LINKHDR, 6, 6, eaddr); 3747 3748 case Q_DST: 3749 return gen_bcmp(OR_LINKHDR, 0, 6, eaddr); 3750 3751 case Q_AND: 3752 b0 = gen_ehostop(eaddr, Q_SRC); 3753 b1 = gen_ehostop(eaddr, Q_DST); 3754 gen_and(b0, b1); 3755 return b1; 3756 3757 case Q_DEFAULT: 3758 case Q_OR: 3759 b0 = gen_ehostop(eaddr, Q_SRC); 3760 b1 = gen_ehostop(eaddr, Q_DST); 3761 gen_or(b0, b1); 3762 return b1; 3763 3764 case Q_ADDR1: 3765 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers"); 3766 break; 3767 3768 case Q_ADDR2: 3769 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers"); 3770 break; 3771 3772 case Q_ADDR3: 3773 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers"); 3774 break; 3775 3776 case Q_ADDR4: 3777 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers"); 3778 break; 3779 3780 case Q_RA: 3781 bpf_error("'ra' is only supported on 802.11 with 802.11 headers"); 3782 break; 3783 3784 case Q_TA: 3785 bpf_error("'ta' is only supported on 802.11 with 802.11 headers"); 3786 break; 3787 } 3788 abort(); 3789 /* NOTREACHED */ 3790 } 3791 3792 /* 3793 * Like gen_ehostop, but for DLT_FDDI 3794 */ 3795 static struct block * 3796 gen_fhostop(eaddr, dir) 3797 register const u_char *eaddr; 3798 register int dir; 3799 { 3800 struct block *b0, *b1; 3801 3802 switch (dir) { 3803 case Q_SRC: 3804 return gen_bcmp(OR_LINKHDR, 6 + 1 + pcap_fddipad, 6, eaddr); 3805 3806 case Q_DST: 3807 return gen_bcmp(OR_LINKHDR, 0 + 1 + pcap_fddipad, 6, eaddr); 3808 3809 case Q_AND: 3810 b0 = gen_fhostop(eaddr, Q_SRC); 3811 b1 = gen_fhostop(eaddr, Q_DST); 3812 gen_and(b0, b1); 3813 return b1; 3814 3815 case Q_DEFAULT: 3816 case Q_OR: 3817 b0 = gen_fhostop(eaddr, Q_SRC); 3818 b1 = gen_fhostop(eaddr, Q_DST); 3819 gen_or(b0, b1); 3820 return b1; 3821 3822 case Q_ADDR1: 3823 bpf_error("'addr1' is only supported on 802.11"); 3824 break; 3825 3826 case Q_ADDR2: 3827 bpf_error("'addr2' is only supported on 802.11"); 3828 break; 3829 3830 case Q_ADDR3: 3831 bpf_error("'addr3' is only supported on 802.11"); 3832 break; 3833 3834 case Q_ADDR4: 3835 bpf_error("'addr4' is only supported on 802.11"); 3836 break; 3837 3838 case Q_RA: 3839 bpf_error("'ra' is only supported on 802.11"); 3840 break; 3841 3842 case Q_TA: 3843 bpf_error("'ta' is only supported on 802.11"); 3844 break; 3845 } 3846 abort(); 3847 /* NOTREACHED */ 3848 } 3849 3850 /* 3851 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring) 3852 */ 3853 static struct block * 3854 gen_thostop(eaddr, dir) 3855 register const u_char *eaddr; 3856 register int dir; 3857 { 3858 register struct block *b0, *b1; 3859 3860 switch (dir) { 3861 case Q_SRC: 3862 return gen_bcmp(OR_LINKHDR, 8, 6, eaddr); 3863 3864 case Q_DST: 3865 return gen_bcmp(OR_LINKHDR, 2, 6, eaddr); 3866 3867 case Q_AND: 3868 b0 = gen_thostop(eaddr, Q_SRC); 3869 b1 = gen_thostop(eaddr, Q_DST); 3870 gen_and(b0, b1); 3871 return b1; 3872 3873 case Q_DEFAULT: 3874 case Q_OR: 3875 b0 = gen_thostop(eaddr, Q_SRC); 3876 b1 = gen_thostop(eaddr, Q_DST); 3877 gen_or(b0, b1); 3878 return b1; 3879 3880 case Q_ADDR1: 3881 bpf_error("'addr1' is only supported on 802.11"); 3882 break; 3883 3884 case Q_ADDR2: 3885 bpf_error("'addr2' is only supported on 802.11"); 3886 break; 3887 3888 case Q_ADDR3: 3889 bpf_error("'addr3' is only supported on 802.11"); 3890 break; 3891 3892 case Q_ADDR4: 3893 bpf_error("'addr4' is only supported on 802.11"); 3894 break; 3895 3896 case Q_RA: 3897 bpf_error("'ra' is only supported on 802.11"); 3898 break; 3899 3900 case Q_TA: 3901 bpf_error("'ta' is only supported on 802.11"); 3902 break; 3903 } 3904 abort(); 3905 /* NOTREACHED */ 3906 } 3907 3908 /* 3909 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and 3910 * various 802.11 + radio headers. 3911 */ 3912 static struct block * 3913 gen_wlanhostop(eaddr, dir) 3914 register const u_char *eaddr; 3915 register int dir; 3916 { 3917 register struct block *b0, *b1, *b2; 3918 register struct slist *s; 3919 3920 #ifdef ENABLE_WLAN_FILTERING_PATCH 3921 /* 3922 * TODO GV 20070613 3923 * We need to disable the optimizer because the optimizer is buggy 3924 * and wipes out some LD instructions generated by the below 3925 * code to validate the Frame Control bits 3926 */ 3927 no_optimize = 1; 3928 #endif /* ENABLE_WLAN_FILTERING_PATCH */ 3929 3930 switch (dir) { 3931 case Q_SRC: 3932 /* 3933 * Oh, yuk. 3934 * 3935 * For control frames, there is no SA. 3936 * 3937 * For management frames, SA is at an 3938 * offset of 10 from the beginning of 3939 * the packet. 3940 * 3941 * For data frames, SA is at an offset 3942 * of 10 from the beginning of the packet 3943 * if From DS is clear, at an offset of 3944 * 16 from the beginning of the packet 3945 * if From DS is set and To DS is clear, 3946 * and an offset of 24 from the beginning 3947 * of the packet if From DS is set and To DS 3948 * is set. 3949 */ 3950 3951 /* 3952 * Generate the tests to be done for data frames 3953 * with From DS set. 3954 * 3955 * First, check for To DS set, i.e. check "link[1] & 0x01". 3956 */ 3957 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 3958 b1 = new_block(JMP(BPF_JSET)); 3959 b1->s.k = 0x01; /* To DS */ 3960 b1->stmts = s; 3961 3962 /* 3963 * If To DS is set, the SA is at 24. 3964 */ 3965 b0 = gen_bcmp(OR_LINKHDR, 24, 6, eaddr); 3966 gen_and(b1, b0); 3967 3968 /* 3969 * Now, check for To DS not set, i.e. check 3970 * "!(link[1] & 0x01)". 3971 */ 3972 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 3973 b2 = new_block(JMP(BPF_JSET)); 3974 b2->s.k = 0x01; /* To DS */ 3975 b2->stmts = s; 3976 gen_not(b2); 3977 3978 /* 3979 * If To DS is not set, the SA is at 16. 3980 */ 3981 b1 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr); 3982 gen_and(b2, b1); 3983 3984 /* 3985 * Now OR together the last two checks. That gives 3986 * the complete set of checks for data frames with 3987 * From DS set. 3988 */ 3989 gen_or(b1, b0); 3990 3991 /* 3992 * Now check for From DS being set, and AND that with 3993 * the ORed-together checks. 3994 */ 3995 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 3996 b1 = new_block(JMP(BPF_JSET)); 3997 b1->s.k = 0x02; /* From DS */ 3998 b1->stmts = s; 3999 gen_and(b1, b0); 4000 4001 /* 4002 * Now check for data frames with From DS not set. 4003 */ 4004 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 4005 b2 = new_block(JMP(BPF_JSET)); 4006 b2->s.k = 0x02; /* From DS */ 4007 b2->stmts = s; 4008 gen_not(b2); 4009 4010 /* 4011 * If From DS isn't set, the SA is at 10. 4012 */ 4013 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr); 4014 gen_and(b2, b1); 4015 4016 /* 4017 * Now OR together the checks for data frames with 4018 * From DS not set and for data frames with From DS 4019 * set; that gives the checks done for data frames. 4020 */ 4021 gen_or(b1, b0); 4022 4023 /* 4024 * Now check for a data frame. 4025 * I.e, check "link[0] & 0x08". 4026 */ 4027 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4028 b1 = new_block(JMP(BPF_JSET)); 4029 b1->s.k = 0x08; 4030 b1->stmts = s; 4031 4032 /* 4033 * AND that with the checks done for data frames. 4034 */ 4035 gen_and(b1, b0); 4036 4037 /* 4038 * If the high-order bit of the type value is 0, this 4039 * is a management frame. 4040 * I.e, check "!(link[0] & 0x08)". 4041 */ 4042 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4043 b2 = new_block(JMP(BPF_JSET)); 4044 b2->s.k = 0x08; 4045 b2->stmts = s; 4046 gen_not(b2); 4047 4048 /* 4049 * For management frames, the SA is at 10. 4050 */ 4051 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr); 4052 gen_and(b2, b1); 4053 4054 /* 4055 * OR that with the checks done for data frames. 4056 * That gives the checks done for management and 4057 * data frames. 4058 */ 4059 gen_or(b1, b0); 4060 4061 /* 4062 * If the low-order bit of the type value is 1, 4063 * this is either a control frame or a frame 4064 * with a reserved type, and thus not a 4065 * frame with an SA. 4066 * 4067 * I.e., check "!(link[0] & 0x04)". 4068 */ 4069 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4070 b1 = new_block(JMP(BPF_JSET)); 4071 b1->s.k = 0x04; 4072 b1->stmts = s; 4073 gen_not(b1); 4074 4075 /* 4076 * AND that with the checks for data and management 4077 * frames. 4078 */ 4079 gen_and(b1, b0); 4080 return b0; 4081 4082 case Q_DST: 4083 /* 4084 * Oh, yuk. 4085 * 4086 * For control frames, there is no DA. 4087 * 4088 * For management frames, DA is at an 4089 * offset of 4 from the beginning of 4090 * the packet. 4091 * 4092 * For data frames, DA is at an offset 4093 * of 4 from the beginning of the packet 4094 * if To DS is clear and at an offset of 4095 * 16 from the beginning of the packet 4096 * if To DS is set. 4097 */ 4098 4099 /* 4100 * Generate the tests to be done for data frames. 4101 * 4102 * First, check for To DS set, i.e. "link[1] & 0x01". 4103 */ 4104 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 4105 b1 = new_block(JMP(BPF_JSET)); 4106 b1->s.k = 0x01; /* To DS */ 4107 b1->stmts = s; 4108 4109 /* 4110 * If To DS is set, the DA is at 16. 4111 */ 4112 b0 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr); 4113 gen_and(b1, b0); 4114 4115 /* 4116 * Now, check for To DS not set, i.e. check 4117 * "!(link[1] & 0x01)". 4118 */ 4119 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 4120 b2 = new_block(JMP(BPF_JSET)); 4121 b2->s.k = 0x01; /* To DS */ 4122 b2->stmts = s; 4123 gen_not(b2); 4124 4125 /* 4126 * If To DS is not set, the DA is at 4. 4127 */ 4128 b1 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr); 4129 gen_and(b2, b1); 4130 4131 /* 4132 * Now OR together the last two checks. That gives 4133 * the complete set of checks for data frames. 4134 */ 4135 gen_or(b1, b0); 4136 4137 /* 4138 * Now check for a data frame. 4139 * I.e, check "link[0] & 0x08". 4140 */ 4141 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4142 b1 = new_block(JMP(BPF_JSET)); 4143 b1->s.k = 0x08; 4144 b1->stmts = s; 4145 4146 /* 4147 * AND that with the checks done for data frames. 4148 */ 4149 gen_and(b1, b0); 4150 4151 /* 4152 * If the high-order bit of the type value is 0, this 4153 * is a management frame. 4154 * I.e, check "!(link[0] & 0x08)". 4155 */ 4156 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4157 b2 = new_block(JMP(BPF_JSET)); 4158 b2->s.k = 0x08; 4159 b2->stmts = s; 4160 gen_not(b2); 4161 4162 /* 4163 * For management frames, the DA is at 4. 4164 */ 4165 b1 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr); 4166 gen_and(b2, b1); 4167 4168 /* 4169 * OR that with the checks done for data frames. 4170 * That gives the checks done for management and 4171 * data frames. 4172 */ 4173 gen_or(b1, b0); 4174 4175 /* 4176 * If the low-order bit of the type value is 1, 4177 * this is either a control frame or a frame 4178 * with a reserved type, and thus not a 4179 * frame with an SA. 4180 * 4181 * I.e., check "!(link[0] & 0x04)". 4182 */ 4183 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4184 b1 = new_block(JMP(BPF_JSET)); 4185 b1->s.k = 0x04; 4186 b1->stmts = s; 4187 gen_not(b1); 4188 4189 /* 4190 * AND that with the checks for data and management 4191 * frames. 4192 */ 4193 gen_and(b1, b0); 4194 return b0; 4195 4196 case Q_RA: 4197 /* 4198 * Not present in management frames; addr1 in other 4199 * frames. 4200 */ 4201 4202 /* 4203 * If the high-order bit of the type value is 0, this 4204 * is a management frame. 4205 * I.e, check "(link[0] & 0x08)". 4206 */ 4207 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4208 b1 = new_block(JMP(BPF_JSET)); 4209 b1->s.k = 0x08; 4210 b1->stmts = s; 4211 4212 /* 4213 * Check addr1. 4214 */ 4215 b0 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr); 4216 4217 /* 4218 * AND that with the check of addr1. 4219 */ 4220 gen_and(b1, b0); 4221 return (b0); 4222 4223 case Q_TA: 4224 /* 4225 * Not present in management frames; addr2, if present, 4226 * in other frames. 4227 */ 4228 4229 /* 4230 * Not present in CTS or ACK control frames. 4231 */ 4232 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4233 IEEE80211_FC0_TYPE_MASK); 4234 gen_not(b0); 4235 b1 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4236 IEEE80211_FC0_SUBTYPE_MASK); 4237 gen_not(b1); 4238 b2 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4239 IEEE80211_FC0_SUBTYPE_MASK); 4240 gen_not(b2); 4241 gen_and(b1, b2); 4242 gen_or(b0, b2); 4243 4244 /* 4245 * If the high-order bit of the type value is 0, this 4246 * is a management frame. 4247 * I.e, check "(link[0] & 0x08)". 4248 */ 4249 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 4250 b1 = new_block(JMP(BPF_JSET)); 4251 b1->s.k = 0x08; 4252 b1->stmts = s; 4253 4254 /* 4255 * AND that with the check for frames other than 4256 * CTS and ACK frames. 4257 */ 4258 gen_and(b1, b2); 4259 4260 /* 4261 * Check addr2. 4262 */ 4263 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr); 4264 gen_and(b2, b1); 4265 return b1; 4266 4267 /* 4268 * XXX - add BSSID keyword? 4269 */ 4270 case Q_ADDR1: 4271 return (gen_bcmp(OR_LINKHDR, 4, 6, eaddr)); 4272 4273 case Q_ADDR2: 4274 /* 4275 * Not present in CTS or ACK control frames. 4276 */ 4277 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4278 IEEE80211_FC0_TYPE_MASK); 4279 gen_not(b0); 4280 b1 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS, 4281 IEEE80211_FC0_SUBTYPE_MASK); 4282 gen_not(b1); 4283 b2 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK, 4284 IEEE80211_FC0_SUBTYPE_MASK); 4285 gen_not(b2); 4286 gen_and(b1, b2); 4287 gen_or(b0, b2); 4288 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr); 4289 gen_and(b2, b1); 4290 return b1; 4291 4292 case Q_ADDR3: 4293 /* 4294 * Not present in control frames. 4295 */ 4296 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL, 4297 IEEE80211_FC0_TYPE_MASK); 4298 gen_not(b0); 4299 b1 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr); 4300 gen_and(b0, b1); 4301 return b1; 4302 4303 case Q_ADDR4: 4304 /* 4305 * Present only if the direction mask has both "From DS" 4306 * and "To DS" set. Neither control frames nor management 4307 * frames should have both of those set, so we don't 4308 * check the frame type. 4309 */ 4310 b0 = gen_mcmp(OR_LINKHDR, 1, BPF_B, 4311 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK); 4312 b1 = gen_bcmp(OR_LINKHDR, 24, 6, eaddr); 4313 gen_and(b0, b1); 4314 return b1; 4315 4316 case Q_AND: 4317 b0 = gen_wlanhostop(eaddr, Q_SRC); 4318 b1 = gen_wlanhostop(eaddr, Q_DST); 4319 gen_and(b0, b1); 4320 return b1; 4321 4322 case Q_DEFAULT: 4323 case Q_OR: 4324 b0 = gen_wlanhostop(eaddr, Q_SRC); 4325 b1 = gen_wlanhostop(eaddr, Q_DST); 4326 gen_or(b0, b1); 4327 return b1; 4328 } 4329 abort(); 4330 /* NOTREACHED */ 4331 } 4332 4333 /* 4334 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel. 4335 * (We assume that the addresses are IEEE 48-bit MAC addresses, 4336 * as the RFC states.) 4337 */ 4338 static struct block * 4339 gen_ipfchostop(eaddr, dir) 4340 register const u_char *eaddr; 4341 register int dir; 4342 { 4343 register struct block *b0, *b1; 4344 4345 switch (dir) { 4346 case Q_SRC: 4347 return gen_bcmp(OR_LINKHDR, 10, 6, eaddr); 4348 4349 case Q_DST: 4350 return gen_bcmp(OR_LINKHDR, 2, 6, eaddr); 4351 4352 case Q_AND: 4353 b0 = gen_ipfchostop(eaddr, Q_SRC); 4354 b1 = gen_ipfchostop(eaddr, Q_DST); 4355 gen_and(b0, b1); 4356 return b1; 4357 4358 case Q_DEFAULT: 4359 case Q_OR: 4360 b0 = gen_ipfchostop(eaddr, Q_SRC); 4361 b1 = gen_ipfchostop(eaddr, Q_DST); 4362 gen_or(b0, b1); 4363 return b1; 4364 4365 case Q_ADDR1: 4366 bpf_error("'addr1' is only supported on 802.11"); 4367 break; 4368 4369 case Q_ADDR2: 4370 bpf_error("'addr2' is only supported on 802.11"); 4371 break; 4372 4373 case Q_ADDR3: 4374 bpf_error("'addr3' is only supported on 802.11"); 4375 break; 4376 4377 case Q_ADDR4: 4378 bpf_error("'addr4' is only supported on 802.11"); 4379 break; 4380 4381 case Q_RA: 4382 bpf_error("'ra' is only supported on 802.11"); 4383 break; 4384 4385 case Q_TA: 4386 bpf_error("'ta' is only supported on 802.11"); 4387 break; 4388 } 4389 abort(); 4390 /* NOTREACHED */ 4391 } 4392 4393 /* 4394 * This is quite tricky because there may be pad bytes in front of the 4395 * DECNET header, and then there are two possible data packet formats that 4396 * carry both src and dst addresses, plus 5 packet types in a format that 4397 * carries only the src node, plus 2 types that use a different format and 4398 * also carry just the src node. 4399 * 4400 * Yuck. 4401 * 4402 * Instead of doing those all right, we just look for data packets with 4403 * 0 or 1 bytes of padding. If you want to look at other packets, that 4404 * will require a lot more hacking. 4405 * 4406 * To add support for filtering on DECNET "areas" (network numbers) 4407 * one would want to add a "mask" argument to this routine. That would 4408 * make the filter even more inefficient, although one could be clever 4409 * and not generate masking instructions if the mask is 0xFFFF. 4410 */ 4411 static struct block * 4412 gen_dnhostop(addr, dir) 4413 bpf_u_int32 addr; 4414 int dir; 4415 { 4416 struct block *b0, *b1, *b2, *tmp; 4417 u_int offset_lh; /* offset if long header is received */ 4418 u_int offset_sh; /* offset if short header is received */ 4419 4420 switch (dir) { 4421 4422 case Q_DST: 4423 offset_sh = 1; /* follows flags */ 4424 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */ 4425 break; 4426 4427 case Q_SRC: 4428 offset_sh = 3; /* follows flags, dstnode */ 4429 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */ 4430 break; 4431 4432 case Q_AND: 4433 /* Inefficient because we do our Calvinball dance twice */ 4434 b0 = gen_dnhostop(addr, Q_SRC); 4435 b1 = gen_dnhostop(addr, Q_DST); 4436 gen_and(b0, b1); 4437 return b1; 4438 4439 case Q_OR: 4440 case Q_DEFAULT: 4441 /* Inefficient because we do our Calvinball dance twice */ 4442 b0 = gen_dnhostop(addr, Q_SRC); 4443 b1 = gen_dnhostop(addr, Q_DST); 4444 gen_or(b0, b1); 4445 return b1; 4446 4447 case Q_ISO: 4448 bpf_error("ISO host filtering not implemented"); 4449 4450 default: 4451 abort(); 4452 } 4453 b0 = gen_linktype(ETHERTYPE_DN); 4454 /* Check for pad = 1, long header case */ 4455 tmp = gen_mcmp(OR_LINKPL, 2, BPF_H, 4456 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF)); 4457 b1 = gen_cmp(OR_LINKPL, 2 + 1 + offset_lh, 4458 BPF_H, (bpf_int32)ntohs((u_short)addr)); 4459 gen_and(tmp, b1); 4460 /* Check for pad = 0, long header case */ 4461 tmp = gen_mcmp(OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7); 4462 b2 = gen_cmp(OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4463 gen_and(tmp, b2); 4464 gen_or(b2, b1); 4465 /* Check for pad = 1, short header case */ 4466 tmp = gen_mcmp(OR_LINKPL, 2, BPF_H, 4467 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF)); 4468 b2 = gen_cmp(OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4469 gen_and(tmp, b2); 4470 gen_or(b2, b1); 4471 /* Check for pad = 0, short header case */ 4472 tmp = gen_mcmp(OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7); 4473 b2 = gen_cmp(OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr)); 4474 gen_and(tmp, b2); 4475 gen_or(b2, b1); 4476 4477 /* Combine with test for linktype */ 4478 gen_and(b0, b1); 4479 return b1; 4480 } 4481 4482 /* 4483 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets; 4484 * test the bottom-of-stack bit, and then check the version number 4485 * field in the IP header. 4486 */ 4487 static struct block * 4488 gen_mpls_linktype(proto) 4489 int proto; 4490 { 4491 struct block *b0, *b1; 4492 4493 switch (proto) { 4494 4495 case Q_IP: 4496 /* match the bottom-of-stack bit */ 4497 b0 = gen_mcmp(OR_LINKPL, -2, BPF_B, 0x01, 0x01); 4498 /* match the IPv4 version number */ 4499 b1 = gen_mcmp(OR_LINKPL, 0, BPF_B, 0x40, 0xf0); 4500 gen_and(b0, b1); 4501 return b1; 4502 4503 case Q_IPV6: 4504 /* match the bottom-of-stack bit */ 4505 b0 = gen_mcmp(OR_LINKPL, -2, BPF_B, 0x01, 0x01); 4506 /* match the IPv4 version number */ 4507 b1 = gen_mcmp(OR_LINKPL, 0, BPF_B, 0x60, 0xf0); 4508 gen_and(b0, b1); 4509 return b1; 4510 4511 default: 4512 abort(); 4513 } 4514 } 4515 4516 static struct block * 4517 gen_host(addr, mask, proto, dir, type) 4518 bpf_u_int32 addr; 4519 bpf_u_int32 mask; 4520 int proto; 4521 int dir; 4522 int type; 4523 { 4524 struct block *b0, *b1; 4525 const char *typestr; 4526 4527 if (type == Q_NET) 4528 typestr = "net"; 4529 else 4530 typestr = "host"; 4531 4532 switch (proto) { 4533 4534 case Q_DEFAULT: 4535 b0 = gen_host(addr, mask, Q_IP, dir, type); 4536 /* 4537 * Only check for non-IPv4 addresses if we're not 4538 * checking MPLS-encapsulated packets. 4539 */ 4540 if (label_stack_depth == 0) { 4541 b1 = gen_host(addr, mask, Q_ARP, dir, type); 4542 gen_or(b0, b1); 4543 b0 = gen_host(addr, mask, Q_RARP, dir, type); 4544 gen_or(b1, b0); 4545 } 4546 return b0; 4547 4548 case Q_IP: 4549 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16); 4550 4551 case Q_RARP: 4552 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24); 4553 4554 case Q_ARP: 4555 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24); 4556 4557 case Q_TCP: 4558 bpf_error("'tcp' modifier applied to %s", typestr); 4559 4560 case Q_SCTP: 4561 bpf_error("'sctp' modifier applied to %s", typestr); 4562 4563 case Q_UDP: 4564 bpf_error("'udp' modifier applied to %s", typestr); 4565 4566 case Q_ICMP: 4567 bpf_error("'icmp' modifier applied to %s", typestr); 4568 4569 case Q_IGMP: 4570 bpf_error("'igmp' modifier applied to %s", typestr); 4571 4572 case Q_IGRP: 4573 bpf_error("'igrp' modifier applied to %s", typestr); 4574 4575 case Q_PIM: 4576 bpf_error("'pim' modifier applied to %s", typestr); 4577 4578 case Q_VRRP: 4579 bpf_error("'vrrp' modifier applied to %s", typestr); 4580 4581 case Q_CARP: 4582 bpf_error("'carp' modifier applied to %s", typestr); 4583 4584 case Q_ATALK: 4585 bpf_error("ATALK host filtering not implemented"); 4586 4587 case Q_AARP: 4588 bpf_error("AARP host filtering not implemented"); 4589 4590 case Q_DECNET: 4591 return gen_dnhostop(addr, dir); 4592 4593 case Q_SCA: 4594 bpf_error("SCA host filtering not implemented"); 4595 4596 case Q_LAT: 4597 bpf_error("LAT host filtering not implemented"); 4598 4599 case Q_MOPDL: 4600 bpf_error("MOPDL host filtering not implemented"); 4601 4602 case Q_MOPRC: 4603 bpf_error("MOPRC host filtering not implemented"); 4604 4605 case Q_IPV6: 4606 bpf_error("'ip6' modifier applied to ip host"); 4607 4608 case Q_ICMPV6: 4609 bpf_error("'icmp6' modifier applied to %s", typestr); 4610 4611 case Q_AH: 4612 bpf_error("'ah' modifier applied to %s", typestr); 4613 4614 case Q_ESP: 4615 bpf_error("'esp' modifier applied to %s", typestr); 4616 4617 case Q_ISO: 4618 bpf_error("ISO host filtering not implemented"); 4619 4620 case Q_ESIS: 4621 bpf_error("'esis' modifier applied to %s", typestr); 4622 4623 case Q_ISIS: 4624 bpf_error("'isis' modifier applied to %s", typestr); 4625 4626 case Q_CLNP: 4627 bpf_error("'clnp' modifier applied to %s", typestr); 4628 4629 case Q_STP: 4630 bpf_error("'stp' modifier applied to %s", typestr); 4631 4632 case Q_IPX: 4633 bpf_error("IPX host filtering not implemented"); 4634 4635 case Q_NETBEUI: 4636 bpf_error("'netbeui' modifier applied to %s", typestr); 4637 4638 case Q_RADIO: 4639 bpf_error("'radio' modifier applied to %s", typestr); 4640 4641 default: 4642 abort(); 4643 } 4644 /* NOTREACHED */ 4645 } 4646 4647 #ifdef INET6 4648 static struct block * 4649 gen_host6(addr, mask, proto, dir, type) 4650 struct in6_addr *addr; 4651 struct in6_addr *mask; 4652 int proto; 4653 int dir; 4654 int type; 4655 { 4656 const char *typestr; 4657 4658 if (type == Q_NET) 4659 typestr = "net"; 4660 else 4661 typestr = "host"; 4662 4663 switch (proto) { 4664 4665 case Q_DEFAULT: 4666 return gen_host6(addr, mask, Q_IPV6, dir, type); 4667 4668 case Q_LINK: 4669 bpf_error("link-layer modifier applied to ip6 %s", typestr); 4670 4671 case Q_IP: 4672 bpf_error("'ip' modifier applied to ip6 %s", typestr); 4673 4674 case Q_RARP: 4675 bpf_error("'rarp' modifier applied to ip6 %s", typestr); 4676 4677 case Q_ARP: 4678 bpf_error("'arp' modifier applied to ip6 %s", typestr); 4679 4680 case Q_SCTP: 4681 bpf_error("'sctp' modifier applied to %s", typestr); 4682 4683 case Q_TCP: 4684 bpf_error("'tcp' modifier applied to %s", typestr); 4685 4686 case Q_UDP: 4687 bpf_error("'udp' modifier applied to %s", typestr); 4688 4689 case Q_ICMP: 4690 bpf_error("'icmp' modifier applied to %s", typestr); 4691 4692 case Q_IGMP: 4693 bpf_error("'igmp' modifier applied to %s", typestr); 4694 4695 case Q_IGRP: 4696 bpf_error("'igrp' modifier applied to %s", typestr); 4697 4698 case Q_PIM: 4699 bpf_error("'pim' modifier applied to %s", typestr); 4700 4701 case Q_VRRP: 4702 bpf_error("'vrrp' modifier applied to %s", typestr); 4703 4704 case Q_CARP: 4705 bpf_error("'carp' modifier applied to %s", typestr); 4706 4707 case Q_ATALK: 4708 bpf_error("ATALK host filtering not implemented"); 4709 4710 case Q_AARP: 4711 bpf_error("AARP host filtering not implemented"); 4712 4713 case Q_DECNET: 4714 bpf_error("'decnet' modifier applied to ip6 %s", typestr); 4715 4716 case Q_SCA: 4717 bpf_error("SCA host filtering not implemented"); 4718 4719 case Q_LAT: 4720 bpf_error("LAT host filtering not implemented"); 4721 4722 case Q_MOPDL: 4723 bpf_error("MOPDL host filtering not implemented"); 4724 4725 case Q_MOPRC: 4726 bpf_error("MOPRC host filtering not implemented"); 4727 4728 case Q_IPV6: 4729 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24); 4730 4731 case Q_ICMPV6: 4732 bpf_error("'icmp6' modifier applied to %s", typestr); 4733 4734 case Q_AH: 4735 bpf_error("'ah' modifier applied to %s", typestr); 4736 4737 case Q_ESP: 4738 bpf_error("'esp' modifier applied to %s", typestr); 4739 4740 case Q_ISO: 4741 bpf_error("ISO host filtering not implemented"); 4742 4743 case Q_ESIS: 4744 bpf_error("'esis' modifier applied to %s", typestr); 4745 4746 case Q_ISIS: 4747 bpf_error("'isis' modifier applied to %s", typestr); 4748 4749 case Q_CLNP: 4750 bpf_error("'clnp' modifier applied to %s", typestr); 4751 4752 case Q_STP: 4753 bpf_error("'stp' modifier applied to %s", typestr); 4754 4755 case Q_IPX: 4756 bpf_error("IPX host filtering not implemented"); 4757 4758 case Q_NETBEUI: 4759 bpf_error("'netbeui' modifier applied to %s", typestr); 4760 4761 case Q_RADIO: 4762 bpf_error("'radio' modifier applied to %s", typestr); 4763 4764 default: 4765 abort(); 4766 } 4767 /* NOTREACHED */ 4768 } 4769 #endif 4770 4771 #ifndef INET6 4772 static struct block * 4773 gen_gateway(eaddr, alist, proto, dir) 4774 const u_char *eaddr; 4775 bpf_u_int32 **alist; 4776 int proto; 4777 int dir; 4778 { 4779 struct block *b0, *b1, *tmp; 4780 4781 if (dir != 0) 4782 bpf_error("direction applied to 'gateway'"); 4783 4784 switch (proto) { 4785 case Q_DEFAULT: 4786 case Q_IP: 4787 case Q_ARP: 4788 case Q_RARP: 4789 switch (linktype) { 4790 case DLT_EN10MB: 4791 case DLT_NETANALYZER: 4792 case DLT_NETANALYZER_TRANSPARENT: 4793 b1 = gen_prevlinkhdr_check(); 4794 b0 = gen_ehostop(eaddr, Q_OR); 4795 if (b1 != NULL) 4796 gen_and(b1, b0); 4797 break; 4798 case DLT_FDDI: 4799 b0 = gen_fhostop(eaddr, Q_OR); 4800 break; 4801 case DLT_IEEE802: 4802 b0 = gen_thostop(eaddr, Q_OR); 4803 break; 4804 case DLT_IEEE802_11: 4805 case DLT_PRISM_HEADER: 4806 case DLT_IEEE802_11_RADIO_AVS: 4807 case DLT_IEEE802_11_RADIO: 4808 case DLT_PPI: 4809 b0 = gen_wlanhostop(eaddr, Q_OR); 4810 break; 4811 case DLT_SUNATM: 4812 /* 4813 * This is LLC-multiplexed traffic; if it were 4814 * LANE, linktype would have been set to 4815 * DLT_EN10MB. 4816 */ 4817 bpf_error( 4818 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4819 break; 4820 case DLT_IP_OVER_FC: 4821 b0 = gen_ipfchostop(eaddr, Q_OR); 4822 break; 4823 default: 4824 bpf_error( 4825 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 4826 } 4827 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST); 4828 while (*alist) { 4829 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR, 4830 Q_HOST); 4831 gen_or(b1, tmp); 4832 b1 = tmp; 4833 } 4834 gen_not(b1); 4835 gen_and(b0, b1); 4836 return b1; 4837 } 4838 bpf_error("illegal modifier of 'gateway'"); 4839 /* NOTREACHED */ 4840 } 4841 #endif 4842 4843 struct block * 4844 gen_proto_abbrev(proto) 4845 int proto; 4846 { 4847 struct block *b0; 4848 struct block *b1; 4849 4850 switch (proto) { 4851 4852 case Q_SCTP: 4853 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT); 4854 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT); 4855 gen_or(b0, b1); 4856 break; 4857 4858 case Q_TCP: 4859 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT); 4860 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT); 4861 gen_or(b0, b1); 4862 break; 4863 4864 case Q_UDP: 4865 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT); 4866 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT); 4867 gen_or(b0, b1); 4868 break; 4869 4870 case Q_ICMP: 4871 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT); 4872 break; 4873 4874 #ifndef IPPROTO_IGMP 4875 #define IPPROTO_IGMP 2 4876 #endif 4877 4878 case Q_IGMP: 4879 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT); 4880 break; 4881 4882 #ifndef IPPROTO_IGRP 4883 #define IPPROTO_IGRP 9 4884 #endif 4885 case Q_IGRP: 4886 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT); 4887 break; 4888 4889 #ifndef IPPROTO_PIM 4890 #define IPPROTO_PIM 103 4891 #endif 4892 4893 case Q_PIM: 4894 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT); 4895 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT); 4896 gen_or(b0, b1); 4897 break; 4898 4899 #ifndef IPPROTO_VRRP 4900 #define IPPROTO_VRRP 112 4901 #endif 4902 4903 case Q_VRRP: 4904 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT); 4905 break; 4906 4907 #ifndef IPPROTO_CARP 4908 #define IPPROTO_CARP 112 4909 #endif 4910 4911 case Q_CARP: 4912 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT); 4913 break; 4914 4915 case Q_IP: 4916 b1 = gen_linktype(ETHERTYPE_IP); 4917 break; 4918 4919 case Q_ARP: 4920 b1 = gen_linktype(ETHERTYPE_ARP); 4921 break; 4922 4923 case Q_RARP: 4924 b1 = gen_linktype(ETHERTYPE_REVARP); 4925 break; 4926 4927 case Q_LINK: 4928 bpf_error("link layer applied in wrong context"); 4929 4930 case Q_ATALK: 4931 b1 = gen_linktype(ETHERTYPE_ATALK); 4932 break; 4933 4934 case Q_AARP: 4935 b1 = gen_linktype(ETHERTYPE_AARP); 4936 break; 4937 4938 case Q_DECNET: 4939 b1 = gen_linktype(ETHERTYPE_DN); 4940 break; 4941 4942 case Q_SCA: 4943 b1 = gen_linktype(ETHERTYPE_SCA); 4944 break; 4945 4946 case Q_LAT: 4947 b1 = gen_linktype(ETHERTYPE_LAT); 4948 break; 4949 4950 case Q_MOPDL: 4951 b1 = gen_linktype(ETHERTYPE_MOPDL); 4952 break; 4953 4954 case Q_MOPRC: 4955 b1 = gen_linktype(ETHERTYPE_MOPRC); 4956 break; 4957 4958 case Q_IPV6: 4959 b1 = gen_linktype(ETHERTYPE_IPV6); 4960 break; 4961 4962 #ifndef IPPROTO_ICMPV6 4963 #define IPPROTO_ICMPV6 58 4964 #endif 4965 case Q_ICMPV6: 4966 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT); 4967 break; 4968 4969 #ifndef IPPROTO_AH 4970 #define IPPROTO_AH 51 4971 #endif 4972 case Q_AH: 4973 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT); 4974 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT); 4975 gen_or(b0, b1); 4976 break; 4977 4978 #ifndef IPPROTO_ESP 4979 #define IPPROTO_ESP 50 4980 #endif 4981 case Q_ESP: 4982 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT); 4983 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT); 4984 gen_or(b0, b1); 4985 break; 4986 4987 case Q_ISO: 4988 b1 = gen_linktype(LLCSAP_ISONS); 4989 break; 4990 4991 case Q_ESIS: 4992 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT); 4993 break; 4994 4995 case Q_ISIS: 4996 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 4997 break; 4998 4999 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */ 5000 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5001 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5002 gen_or(b0, b1); 5003 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5004 gen_or(b0, b1); 5005 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5006 gen_or(b0, b1); 5007 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5008 gen_or(b0, b1); 5009 break; 5010 5011 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */ 5012 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5013 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */ 5014 gen_or(b0, b1); 5015 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5016 gen_or(b0, b1); 5017 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5018 gen_or(b0, b1); 5019 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5020 gen_or(b0, b1); 5021 break; 5022 5023 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */ 5024 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT); 5025 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT); 5026 gen_or(b0, b1); 5027 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); 5028 gen_or(b0, b1); 5029 break; 5030 5031 case Q_ISIS_LSP: 5032 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT); 5033 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT); 5034 gen_or(b0, b1); 5035 break; 5036 5037 case Q_ISIS_SNP: 5038 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5039 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5040 gen_or(b0, b1); 5041 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5042 gen_or(b0, b1); 5043 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5044 gen_or(b0, b1); 5045 break; 5046 5047 case Q_ISIS_CSNP: 5048 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT); 5049 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT); 5050 gen_or(b0, b1); 5051 break; 5052 5053 case Q_ISIS_PSNP: 5054 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT); 5055 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT); 5056 gen_or(b0, b1); 5057 break; 5058 5059 case Q_CLNP: 5060 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT); 5061 break; 5062 5063 case Q_STP: 5064 b1 = gen_linktype(LLCSAP_8021D); 5065 break; 5066 5067 case Q_IPX: 5068 b1 = gen_linktype(LLCSAP_IPX); 5069 break; 5070 5071 case Q_NETBEUI: 5072 b1 = gen_linktype(LLCSAP_NETBEUI); 5073 break; 5074 5075 case Q_RADIO: 5076 bpf_error("'radio' is not a valid protocol type"); 5077 5078 default: 5079 abort(); 5080 } 5081 return b1; 5082 } 5083 5084 static struct block * 5085 gen_ipfrag() 5086 { 5087 struct slist *s; 5088 struct block *b; 5089 5090 /* not IPv4 frag other than the first frag */ 5091 s = gen_load_a(OR_LINKPL, 6, BPF_H); 5092 b = new_block(JMP(BPF_JSET)); 5093 b->s.k = 0x1fff; 5094 b->stmts = s; 5095 gen_not(b); 5096 5097 return b; 5098 } 5099 5100 /* 5101 * Generate a comparison to a port value in the transport-layer header 5102 * at the specified offset from the beginning of that header. 5103 * 5104 * XXX - this handles a variable-length prefix preceding the link-layer 5105 * header, such as the radiotap or AVS radio prefix, but doesn't handle 5106 * variable-length link-layer headers (such as Token Ring or 802.11 5107 * headers). 5108 */ 5109 static struct block * 5110 gen_portatom(off, v) 5111 int off; 5112 bpf_int32 v; 5113 { 5114 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v); 5115 } 5116 5117 static struct block * 5118 gen_portatom6(off, v) 5119 int off; 5120 bpf_int32 v; 5121 { 5122 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v); 5123 } 5124 5125 struct block * 5126 gen_portop(port, proto, dir) 5127 int port, proto, dir; 5128 { 5129 struct block *b0, *b1, *tmp; 5130 5131 /* ip proto 'proto' and not a fragment other than the first fragment */ 5132 tmp = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5133 b0 = gen_ipfrag(); 5134 gen_and(tmp, b0); 5135 5136 switch (dir) { 5137 case Q_SRC: 5138 b1 = gen_portatom(0, (bpf_int32)port); 5139 break; 5140 5141 case Q_DST: 5142 b1 = gen_portatom(2, (bpf_int32)port); 5143 break; 5144 5145 case Q_OR: 5146 case Q_DEFAULT: 5147 tmp = gen_portatom(0, (bpf_int32)port); 5148 b1 = gen_portatom(2, (bpf_int32)port); 5149 gen_or(tmp, b1); 5150 break; 5151 5152 case Q_AND: 5153 tmp = gen_portatom(0, (bpf_int32)port); 5154 b1 = gen_portatom(2, (bpf_int32)port); 5155 gen_and(tmp, b1); 5156 break; 5157 5158 default: 5159 abort(); 5160 } 5161 gen_and(b0, b1); 5162 5163 return b1; 5164 } 5165 5166 static struct block * 5167 gen_port(port, ip_proto, dir) 5168 int port; 5169 int ip_proto; 5170 int dir; 5171 { 5172 struct block *b0, *b1, *tmp; 5173 5174 /* 5175 * ether proto ip 5176 * 5177 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5178 * not LLC encapsulation with LLCSAP_IP. 5179 * 5180 * For IEEE 802 networks - which includes 802.5 token ring 5181 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5182 * says that SNAP encapsulation is used, not LLC encapsulation 5183 * with LLCSAP_IP. 5184 * 5185 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5186 * RFC 2225 say that SNAP encapsulation is used, not LLC 5187 * encapsulation with LLCSAP_IP. 5188 * 5189 * So we always check for ETHERTYPE_IP. 5190 */ 5191 b0 = gen_linktype(ETHERTYPE_IP); 5192 5193 switch (ip_proto) { 5194 case IPPROTO_UDP: 5195 case IPPROTO_TCP: 5196 case IPPROTO_SCTP: 5197 b1 = gen_portop(port, ip_proto, dir); 5198 break; 5199 5200 case PROTO_UNDEF: 5201 tmp = gen_portop(port, IPPROTO_TCP, dir); 5202 b1 = gen_portop(port, IPPROTO_UDP, dir); 5203 gen_or(tmp, b1); 5204 tmp = gen_portop(port, IPPROTO_SCTP, dir); 5205 gen_or(tmp, b1); 5206 break; 5207 5208 default: 5209 abort(); 5210 } 5211 gen_and(b0, b1); 5212 return b1; 5213 } 5214 5215 struct block * 5216 gen_portop6(port, proto, dir) 5217 int port, proto, dir; 5218 { 5219 struct block *b0, *b1, *tmp; 5220 5221 /* ip6 proto 'proto' */ 5222 /* XXX - catch the first fragment of a fragmented packet? */ 5223 b0 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5224 5225 switch (dir) { 5226 case Q_SRC: 5227 b1 = gen_portatom6(0, (bpf_int32)port); 5228 break; 5229 5230 case Q_DST: 5231 b1 = gen_portatom6(2, (bpf_int32)port); 5232 break; 5233 5234 case Q_OR: 5235 case Q_DEFAULT: 5236 tmp = gen_portatom6(0, (bpf_int32)port); 5237 b1 = gen_portatom6(2, (bpf_int32)port); 5238 gen_or(tmp, b1); 5239 break; 5240 5241 case Q_AND: 5242 tmp = gen_portatom6(0, (bpf_int32)port); 5243 b1 = gen_portatom6(2, (bpf_int32)port); 5244 gen_and(tmp, b1); 5245 break; 5246 5247 default: 5248 abort(); 5249 } 5250 gen_and(b0, b1); 5251 5252 return b1; 5253 } 5254 5255 static struct block * 5256 gen_port6(port, ip_proto, dir) 5257 int port; 5258 int ip_proto; 5259 int dir; 5260 { 5261 struct block *b0, *b1, *tmp; 5262 5263 /* link proto ip6 */ 5264 b0 = gen_linktype(ETHERTYPE_IPV6); 5265 5266 switch (ip_proto) { 5267 case IPPROTO_UDP: 5268 case IPPROTO_TCP: 5269 case IPPROTO_SCTP: 5270 b1 = gen_portop6(port, ip_proto, dir); 5271 break; 5272 5273 case PROTO_UNDEF: 5274 tmp = gen_portop6(port, IPPROTO_TCP, dir); 5275 b1 = gen_portop6(port, IPPROTO_UDP, dir); 5276 gen_or(tmp, b1); 5277 tmp = gen_portop6(port, IPPROTO_SCTP, dir); 5278 gen_or(tmp, b1); 5279 break; 5280 5281 default: 5282 abort(); 5283 } 5284 gen_and(b0, b1); 5285 return b1; 5286 } 5287 5288 /* gen_portrange code */ 5289 static struct block * 5290 gen_portrangeatom(off, v1, v2) 5291 int off; 5292 bpf_int32 v1, v2; 5293 { 5294 struct block *b1, *b2; 5295 5296 if (v1 > v2) { 5297 /* 5298 * Reverse the order of the ports, so v1 is the lower one. 5299 */ 5300 bpf_int32 vtemp; 5301 5302 vtemp = v1; 5303 v1 = v2; 5304 v2 = vtemp; 5305 } 5306 5307 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1); 5308 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2); 5309 5310 gen_and(b1, b2); 5311 5312 return b2; 5313 } 5314 5315 struct block * 5316 gen_portrangeop(port1, port2, proto, dir) 5317 int port1, port2; 5318 int proto; 5319 int dir; 5320 { 5321 struct block *b0, *b1, *tmp; 5322 5323 /* ip proto 'proto' and not a fragment other than the first fragment */ 5324 tmp = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)proto); 5325 b0 = gen_ipfrag(); 5326 gen_and(tmp, b0); 5327 5328 switch (dir) { 5329 case Q_SRC: 5330 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5331 break; 5332 5333 case Q_DST: 5334 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5335 break; 5336 5337 case Q_OR: 5338 case Q_DEFAULT: 5339 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5340 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5341 gen_or(tmp, b1); 5342 break; 5343 5344 case Q_AND: 5345 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2); 5346 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2); 5347 gen_and(tmp, b1); 5348 break; 5349 5350 default: 5351 abort(); 5352 } 5353 gen_and(b0, b1); 5354 5355 return b1; 5356 } 5357 5358 static struct block * 5359 gen_portrange(port1, port2, ip_proto, dir) 5360 int port1, port2; 5361 int ip_proto; 5362 int dir; 5363 { 5364 struct block *b0, *b1, *tmp; 5365 5366 /* link proto ip */ 5367 b0 = gen_linktype(ETHERTYPE_IP); 5368 5369 switch (ip_proto) { 5370 case IPPROTO_UDP: 5371 case IPPROTO_TCP: 5372 case IPPROTO_SCTP: 5373 b1 = gen_portrangeop(port1, port2, ip_proto, dir); 5374 break; 5375 5376 case PROTO_UNDEF: 5377 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir); 5378 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir); 5379 gen_or(tmp, b1); 5380 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir); 5381 gen_or(tmp, b1); 5382 break; 5383 5384 default: 5385 abort(); 5386 } 5387 gen_and(b0, b1); 5388 return b1; 5389 } 5390 5391 static struct block * 5392 gen_portrangeatom6(off, v1, v2) 5393 int off; 5394 bpf_int32 v1, v2; 5395 { 5396 struct block *b1, *b2; 5397 5398 if (v1 > v2) { 5399 /* 5400 * Reverse the order of the ports, so v1 is the lower one. 5401 */ 5402 bpf_int32 vtemp; 5403 5404 vtemp = v1; 5405 v1 = v2; 5406 v2 = vtemp; 5407 } 5408 5409 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1); 5410 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2); 5411 5412 gen_and(b1, b2); 5413 5414 return b2; 5415 } 5416 5417 struct block * 5418 gen_portrangeop6(port1, port2, proto, dir) 5419 int port1, port2; 5420 int proto; 5421 int dir; 5422 { 5423 struct block *b0, *b1, *tmp; 5424 5425 /* ip6 proto 'proto' */ 5426 /* XXX - catch the first fragment of a fragmented packet? */ 5427 b0 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)proto); 5428 5429 switch (dir) { 5430 case Q_SRC: 5431 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5432 break; 5433 5434 case Q_DST: 5435 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5436 break; 5437 5438 case Q_OR: 5439 case Q_DEFAULT: 5440 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5441 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5442 gen_or(tmp, b1); 5443 break; 5444 5445 case Q_AND: 5446 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2); 5447 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2); 5448 gen_and(tmp, b1); 5449 break; 5450 5451 default: 5452 abort(); 5453 } 5454 gen_and(b0, b1); 5455 5456 return b1; 5457 } 5458 5459 static struct block * 5460 gen_portrange6(port1, port2, ip_proto, dir) 5461 int port1, port2; 5462 int ip_proto; 5463 int dir; 5464 { 5465 struct block *b0, *b1, *tmp; 5466 5467 /* link proto ip6 */ 5468 b0 = gen_linktype(ETHERTYPE_IPV6); 5469 5470 switch (ip_proto) { 5471 case IPPROTO_UDP: 5472 case IPPROTO_TCP: 5473 case IPPROTO_SCTP: 5474 b1 = gen_portrangeop6(port1, port2, ip_proto, dir); 5475 break; 5476 5477 case PROTO_UNDEF: 5478 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir); 5479 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir); 5480 gen_or(tmp, b1); 5481 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir); 5482 gen_or(tmp, b1); 5483 break; 5484 5485 default: 5486 abort(); 5487 } 5488 gen_and(b0, b1); 5489 return b1; 5490 } 5491 5492 static int 5493 lookup_proto(name, proto) 5494 register const char *name; 5495 register int proto; 5496 { 5497 register int v; 5498 5499 switch (proto) { 5500 5501 case Q_DEFAULT: 5502 case Q_IP: 5503 case Q_IPV6: 5504 v = pcap_nametoproto(name); 5505 if (v == PROTO_UNDEF) 5506 bpf_error("unknown ip proto '%s'", name); 5507 break; 5508 5509 case Q_LINK: 5510 /* XXX should look up h/w protocol type based on linktype */ 5511 v = pcap_nametoeproto(name); 5512 if (v == PROTO_UNDEF) { 5513 v = pcap_nametollc(name); 5514 if (v == PROTO_UNDEF) 5515 bpf_error("unknown ether proto '%s'", name); 5516 } 5517 break; 5518 5519 case Q_ISO: 5520 if (strcmp(name, "esis") == 0) 5521 v = ISO9542_ESIS; 5522 else if (strcmp(name, "isis") == 0) 5523 v = ISO10589_ISIS; 5524 else if (strcmp(name, "clnp") == 0) 5525 v = ISO8473_CLNP; 5526 else 5527 bpf_error("unknown osi proto '%s'", name); 5528 break; 5529 5530 default: 5531 v = PROTO_UNDEF; 5532 break; 5533 } 5534 return v; 5535 } 5536 5537 #if 0 5538 struct stmt * 5539 gen_joinsp(s, n) 5540 struct stmt **s; 5541 int n; 5542 { 5543 return NULL; 5544 } 5545 #endif 5546 5547 static struct block * 5548 gen_protochain(v, proto, dir) 5549 int v; 5550 int proto; 5551 int dir; 5552 { 5553 #ifdef NO_PROTOCHAIN 5554 return gen_proto(v, proto, dir); 5555 #else 5556 struct block *b0, *b; 5557 struct slist *s[100]; 5558 int fix2, fix3, fix4, fix5; 5559 int ahcheck, again, end; 5560 int i, max; 5561 int reg2 = alloc_reg(); 5562 5563 memset(s, 0, sizeof(s)); 5564 fix2 = fix3 = fix4 = fix5 = 0; 5565 5566 switch (proto) { 5567 case Q_IP: 5568 case Q_IPV6: 5569 break; 5570 case Q_DEFAULT: 5571 b0 = gen_protochain(v, Q_IP, dir); 5572 b = gen_protochain(v, Q_IPV6, dir); 5573 gen_or(b0, b); 5574 return b; 5575 default: 5576 bpf_error("bad protocol applied for 'protochain'"); 5577 /*NOTREACHED*/ 5578 } 5579 5580 /* 5581 * We don't handle variable-length prefixes before the link-layer 5582 * header, or variable-length link-layer headers, here yet. 5583 * We might want to add BPF instructions to do the protochain 5584 * work, to simplify that and, on platforms that have a BPF 5585 * interpreter with the new instructions, let the filtering 5586 * be done in the kernel. (We already require a modified BPF 5587 * engine to do the protochain stuff, to support backward 5588 * branches, and backward branch support is unlikely to appear 5589 * in kernel BPF engines.) 5590 */ 5591 if (off_linkpl.is_variable) 5592 bpf_error("'protochain' not supported with variable length headers"); 5593 5594 no_optimize = 1; /*this code is not compatible with optimzer yet */ 5595 5596 /* 5597 * s[0] is a dummy entry to protect other BPF insn from damage 5598 * by s[fix] = foo with uninitialized variable "fix". It is somewhat 5599 * hard to find interdependency made by jump table fixup. 5600 */ 5601 i = 0; 5602 s[i] = new_stmt(0); /*dummy*/ 5603 i++; 5604 5605 switch (proto) { 5606 case Q_IP: 5607 b0 = gen_linktype(ETHERTYPE_IP); 5608 5609 /* A = ip->ip_p */ 5610 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5611 s[i]->s.k = off_linkpl.constant_part + off_nl + 9; 5612 i++; 5613 /* X = ip->ip_hl << 2 */ 5614 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B); 5615 s[i]->s.k = off_linkpl.constant_part + off_nl; 5616 i++; 5617 break; 5618 5619 case Q_IPV6: 5620 b0 = gen_linktype(ETHERTYPE_IPV6); 5621 5622 /* A = ip6->ip_nxt */ 5623 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B); 5624 s[i]->s.k = off_linkpl.constant_part + off_nl + 6; 5625 i++; 5626 /* X = sizeof(struct ip6_hdr) */ 5627 s[i] = new_stmt(BPF_LDX|BPF_IMM); 5628 s[i]->s.k = 40; 5629 i++; 5630 break; 5631 5632 default: 5633 bpf_error("unsupported proto to gen_protochain"); 5634 /*NOTREACHED*/ 5635 } 5636 5637 /* again: if (A == v) goto end; else fall through; */ 5638 again = i; 5639 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5640 s[i]->s.k = v; 5641 s[i]->s.jt = NULL; /*later*/ 5642 s[i]->s.jf = NULL; /*update in next stmt*/ 5643 fix5 = i; 5644 i++; 5645 5646 #ifndef IPPROTO_NONE 5647 #define IPPROTO_NONE 59 5648 #endif 5649 /* if (A == IPPROTO_NONE) goto end */ 5650 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5651 s[i]->s.jt = NULL; /*later*/ 5652 s[i]->s.jf = NULL; /*update in next stmt*/ 5653 s[i]->s.k = IPPROTO_NONE; 5654 s[fix5]->s.jf = s[i]; 5655 fix2 = i; 5656 i++; 5657 5658 if (proto == Q_IPV6) { 5659 int v6start, v6end, v6advance, j; 5660 5661 v6start = i; 5662 /* if (A == IPPROTO_HOPOPTS) goto v6advance */ 5663 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5664 s[i]->s.jt = NULL; /*later*/ 5665 s[i]->s.jf = NULL; /*update in next stmt*/ 5666 s[i]->s.k = IPPROTO_HOPOPTS; 5667 s[fix2]->s.jf = s[i]; 5668 i++; 5669 /* if (A == IPPROTO_DSTOPTS) goto v6advance */ 5670 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5671 s[i]->s.jt = NULL; /*later*/ 5672 s[i]->s.jf = NULL; /*update in next stmt*/ 5673 s[i]->s.k = IPPROTO_DSTOPTS; 5674 i++; 5675 /* if (A == IPPROTO_ROUTING) goto v6advance */ 5676 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5677 s[i]->s.jt = NULL; /*later*/ 5678 s[i]->s.jf = NULL; /*update in next stmt*/ 5679 s[i]->s.k = IPPROTO_ROUTING; 5680 i++; 5681 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */ 5682 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5683 s[i]->s.jt = NULL; /*later*/ 5684 s[i]->s.jf = NULL; /*later*/ 5685 s[i]->s.k = IPPROTO_FRAGMENT; 5686 fix3 = i; 5687 v6end = i; 5688 i++; 5689 5690 /* v6advance: */ 5691 v6advance = i; 5692 5693 /* 5694 * in short, 5695 * A = P[X + packet head]; 5696 * X = X + (P[X + packet head + 1] + 1) * 8; 5697 */ 5698 /* A = P[X + packet head] */ 5699 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5700 s[i]->s.k = off_linkpl.constant_part + off_nl; 5701 i++; 5702 /* MEM[reg2] = A */ 5703 s[i] = new_stmt(BPF_ST); 5704 s[i]->s.k = reg2; 5705 i++; 5706 /* A = P[X + packet head + 1]; */ 5707 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5708 s[i]->s.k = off_linkpl.constant_part + off_nl + 1; 5709 i++; 5710 /* A += 1 */ 5711 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5712 s[i]->s.k = 1; 5713 i++; 5714 /* A *= 8 */ 5715 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5716 s[i]->s.k = 8; 5717 i++; 5718 /* A += X */ 5719 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 5720 s[i]->s.k = 0; 5721 i++; 5722 /* X = A; */ 5723 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5724 i++; 5725 /* A = MEM[reg2] */ 5726 s[i] = new_stmt(BPF_LD|BPF_MEM); 5727 s[i]->s.k = reg2; 5728 i++; 5729 5730 /* goto again; (must use BPF_JA for backward jump) */ 5731 s[i] = new_stmt(BPF_JMP|BPF_JA); 5732 s[i]->s.k = again - i - 1; 5733 s[i - 1]->s.jf = s[i]; 5734 i++; 5735 5736 /* fixup */ 5737 for (j = v6start; j <= v6end; j++) 5738 s[j]->s.jt = s[v6advance]; 5739 } else { 5740 /* nop */ 5741 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5742 s[i]->s.k = 0; 5743 s[fix2]->s.jf = s[i]; 5744 i++; 5745 } 5746 5747 /* ahcheck: */ 5748 ahcheck = i; 5749 /* if (A == IPPROTO_AH) then fall through; else goto end; */ 5750 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K); 5751 s[i]->s.jt = NULL; /*later*/ 5752 s[i]->s.jf = NULL; /*later*/ 5753 s[i]->s.k = IPPROTO_AH; 5754 if (fix3) 5755 s[fix3]->s.jf = s[ahcheck]; 5756 fix4 = i; 5757 i++; 5758 5759 /* 5760 * in short, 5761 * A = P[X]; 5762 * X = X + (P[X + 1] + 2) * 4; 5763 */ 5764 /* A = X */ 5765 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5766 i++; 5767 /* A = P[X + packet head]; */ 5768 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5769 s[i]->s.k = off_linkpl.constant_part + off_nl; 5770 i++; 5771 /* MEM[reg2] = A */ 5772 s[i] = new_stmt(BPF_ST); 5773 s[i]->s.k = reg2; 5774 i++; 5775 /* A = X */ 5776 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA); 5777 i++; 5778 /* A += 1 */ 5779 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5780 s[i]->s.k = 1; 5781 i++; 5782 /* X = A */ 5783 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5784 i++; 5785 /* A = P[X + packet head] */ 5786 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B); 5787 s[i]->s.k = off_linkpl.constant_part + off_nl; 5788 i++; 5789 /* A += 2 */ 5790 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5791 s[i]->s.k = 2; 5792 i++; 5793 /* A *= 4 */ 5794 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 5795 s[i]->s.k = 4; 5796 i++; 5797 /* X = A; */ 5798 s[i] = new_stmt(BPF_MISC|BPF_TAX); 5799 i++; 5800 /* A = MEM[reg2] */ 5801 s[i] = new_stmt(BPF_LD|BPF_MEM); 5802 s[i]->s.k = reg2; 5803 i++; 5804 5805 /* goto again; (must use BPF_JA for backward jump) */ 5806 s[i] = new_stmt(BPF_JMP|BPF_JA); 5807 s[i]->s.k = again - i - 1; 5808 i++; 5809 5810 /* end: nop */ 5811 end = i; 5812 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 5813 s[i]->s.k = 0; 5814 s[fix2]->s.jt = s[end]; 5815 s[fix4]->s.jf = s[end]; 5816 s[fix5]->s.jt = s[end]; 5817 i++; 5818 5819 /* 5820 * make slist chain 5821 */ 5822 max = i; 5823 for (i = 0; i < max - 1; i++) 5824 s[i]->next = s[i + 1]; 5825 s[max - 1]->next = NULL; 5826 5827 /* 5828 * emit final check 5829 */ 5830 b = new_block(JMP(BPF_JEQ)); 5831 b->stmts = s[1]; /*remember, s[0] is dummy*/ 5832 b->s.k = v; 5833 5834 free_reg(reg2); 5835 5836 gen_and(b0, b); 5837 return b; 5838 #endif 5839 } 5840 5841 static struct block * 5842 gen_check_802_11_data_frame() 5843 { 5844 struct slist *s; 5845 struct block *b0, *b1; 5846 5847 /* 5848 * A data frame has the 0x08 bit (b3) in the frame control field set 5849 * and the 0x04 bit (b2) clear. 5850 */ 5851 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 5852 b0 = new_block(JMP(BPF_JSET)); 5853 b0->s.k = 0x08; 5854 b0->stmts = s; 5855 5856 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 5857 b1 = new_block(JMP(BPF_JSET)); 5858 b1->s.k = 0x04; 5859 b1->stmts = s; 5860 gen_not(b1); 5861 5862 gen_and(b1, b0); 5863 5864 return b0; 5865 } 5866 5867 /* 5868 * Generate code that checks whether the packet is a packet for protocol 5869 * <proto> and whether the type field in that protocol's header has 5870 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an 5871 * IP packet and checks the protocol number in the IP header against <v>. 5872 * 5873 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks 5874 * against Q_IP and Q_IPV6. 5875 */ 5876 static struct block * 5877 gen_proto(v, proto, dir) 5878 int v; 5879 int proto; 5880 int dir; 5881 { 5882 struct block *b0, *b1; 5883 #ifndef CHASE_CHAIN 5884 struct block *b2; 5885 #endif 5886 5887 if (dir != Q_DEFAULT) 5888 bpf_error("direction applied to 'proto'"); 5889 5890 switch (proto) { 5891 case Q_DEFAULT: 5892 b0 = gen_proto(v, Q_IP, dir); 5893 b1 = gen_proto(v, Q_IPV6, dir); 5894 gen_or(b0, b1); 5895 return b1; 5896 5897 case Q_IP: 5898 /* 5899 * For FDDI, RFC 1188 says that SNAP encapsulation is used, 5900 * not LLC encapsulation with LLCSAP_IP. 5901 * 5902 * For IEEE 802 networks - which includes 802.5 token ring 5903 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042 5904 * says that SNAP encapsulation is used, not LLC encapsulation 5905 * with LLCSAP_IP. 5906 * 5907 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and 5908 * RFC 2225 say that SNAP encapsulation is used, not LLC 5909 * encapsulation with LLCSAP_IP. 5910 * 5911 * So we always check for ETHERTYPE_IP. 5912 */ 5913 b0 = gen_linktype(ETHERTYPE_IP); 5914 #ifndef CHASE_CHAIN 5915 b1 = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)v); 5916 #else 5917 b1 = gen_protochain(v, Q_IP); 5918 #endif 5919 gen_and(b0, b1); 5920 return b1; 5921 5922 case Q_ISO: 5923 switch (linktype) { 5924 5925 case DLT_FRELAY: 5926 /* 5927 * Frame Relay packets typically have an OSI 5928 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)" 5929 * generates code to check for all the OSI 5930 * NLPIDs, so calling it and then adding a check 5931 * for the particular NLPID for which we're 5932 * looking is bogus, as we can just check for 5933 * the NLPID. 5934 * 5935 * What we check for is the NLPID and a frame 5936 * control field value of UI, i.e. 0x03 followed 5937 * by the NLPID. 5938 * 5939 * XXX - assumes a 2-byte Frame Relay header with 5940 * DLCI and flags. What if the address is longer? 5941 * 5942 * XXX - what about SNAP-encapsulated frames? 5943 */ 5944 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | v); 5945 /*NOTREACHED*/ 5946 break; 5947 5948 case DLT_C_HDLC: 5949 /* 5950 * Cisco uses an Ethertype lookalike - for OSI, 5951 * it's 0xfefe. 5952 */ 5953 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS); 5954 /* OSI in C-HDLC is stuffed with a fudge byte */ 5955 b1 = gen_cmp(OR_LINKPL_NOSNAP, 1, BPF_B, (long)v); 5956 gen_and(b0, b1); 5957 return b1; 5958 5959 default: 5960 b0 = gen_linktype(LLCSAP_ISONS); 5961 b1 = gen_cmp(OR_LINKPL_NOSNAP, 0, BPF_B, (long)v); 5962 gen_and(b0, b1); 5963 return b1; 5964 } 5965 5966 case Q_ISIS: 5967 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT); 5968 /* 5969 * 4 is the offset of the PDU type relative to the IS-IS 5970 * header. 5971 */ 5972 b1 = gen_cmp(OR_LINKPL_NOSNAP, 4, BPF_B, (long)v); 5973 gen_and(b0, b1); 5974 return b1; 5975 5976 case Q_ARP: 5977 bpf_error("arp does not encapsulate another protocol"); 5978 /* NOTREACHED */ 5979 5980 case Q_RARP: 5981 bpf_error("rarp does not encapsulate another protocol"); 5982 /* NOTREACHED */ 5983 5984 case Q_ATALK: 5985 bpf_error("atalk encapsulation is not specifiable"); 5986 /* NOTREACHED */ 5987 5988 case Q_DECNET: 5989 bpf_error("decnet encapsulation is not specifiable"); 5990 /* NOTREACHED */ 5991 5992 case Q_SCA: 5993 bpf_error("sca does not encapsulate another protocol"); 5994 /* NOTREACHED */ 5995 5996 case Q_LAT: 5997 bpf_error("lat does not encapsulate another protocol"); 5998 /* NOTREACHED */ 5999 6000 case Q_MOPRC: 6001 bpf_error("moprc does not encapsulate another protocol"); 6002 /* NOTREACHED */ 6003 6004 case Q_MOPDL: 6005 bpf_error("mopdl does not encapsulate another protocol"); 6006 /* NOTREACHED */ 6007 6008 case Q_LINK: 6009 return gen_linktype(v); 6010 6011 case Q_UDP: 6012 bpf_error("'udp proto' is bogus"); 6013 /* NOTREACHED */ 6014 6015 case Q_TCP: 6016 bpf_error("'tcp proto' is bogus"); 6017 /* NOTREACHED */ 6018 6019 case Q_SCTP: 6020 bpf_error("'sctp proto' is bogus"); 6021 /* NOTREACHED */ 6022 6023 case Q_ICMP: 6024 bpf_error("'icmp proto' is bogus"); 6025 /* NOTREACHED */ 6026 6027 case Q_IGMP: 6028 bpf_error("'igmp proto' is bogus"); 6029 /* NOTREACHED */ 6030 6031 case Q_IGRP: 6032 bpf_error("'igrp proto' is bogus"); 6033 /* NOTREACHED */ 6034 6035 case Q_PIM: 6036 bpf_error("'pim proto' is bogus"); 6037 /* NOTREACHED */ 6038 6039 case Q_VRRP: 6040 bpf_error("'vrrp proto' is bogus"); 6041 /* NOTREACHED */ 6042 6043 case Q_CARP: 6044 bpf_error("'carp proto' is bogus"); 6045 /* NOTREACHED */ 6046 6047 case Q_IPV6: 6048 b0 = gen_linktype(ETHERTYPE_IPV6); 6049 #ifndef CHASE_CHAIN 6050 /* 6051 * Also check for a fragment header before the final 6052 * header. 6053 */ 6054 b2 = gen_cmp(OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT); 6055 b1 = gen_cmp(OR_LINKPL, 40, BPF_B, (bpf_int32)v); 6056 gen_and(b2, b1); 6057 b2 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)v); 6058 gen_or(b2, b1); 6059 #else 6060 b1 = gen_protochain(v, Q_IPV6); 6061 #endif 6062 gen_and(b0, b1); 6063 return b1; 6064 6065 case Q_ICMPV6: 6066 bpf_error("'icmp6 proto' is bogus"); 6067 6068 case Q_AH: 6069 bpf_error("'ah proto' is bogus"); 6070 6071 case Q_ESP: 6072 bpf_error("'ah proto' is bogus"); 6073 6074 case Q_STP: 6075 bpf_error("'stp proto' is bogus"); 6076 6077 case Q_IPX: 6078 bpf_error("'ipx proto' is bogus"); 6079 6080 case Q_NETBEUI: 6081 bpf_error("'netbeui proto' is bogus"); 6082 6083 case Q_RADIO: 6084 bpf_error("'radio proto' is bogus"); 6085 6086 default: 6087 abort(); 6088 /* NOTREACHED */ 6089 } 6090 /* NOTREACHED */ 6091 } 6092 6093 struct block * 6094 gen_scode(name, q) 6095 register const char *name; 6096 struct qual q; 6097 { 6098 int proto = q.proto; 6099 int dir = q.dir; 6100 int tproto; 6101 u_char *eaddr; 6102 bpf_u_int32 mask, addr; 6103 #ifndef INET6 6104 bpf_u_int32 **alist; 6105 #else 6106 int tproto6; 6107 struct sockaddr_in *sin4; 6108 struct sockaddr_in6 *sin6; 6109 struct addrinfo *res, *res0; 6110 struct in6_addr mask128; 6111 #endif /*INET6*/ 6112 struct block *b, *tmp; 6113 int port, real_proto; 6114 int port1, port2; 6115 6116 switch (q.addr) { 6117 6118 case Q_NET: 6119 addr = pcap_nametonetaddr(name); 6120 if (addr == 0) 6121 bpf_error("unknown network '%s'", name); 6122 /* Left justify network addr and calculate its network mask */ 6123 mask = 0xffffffff; 6124 while (addr && (addr & 0xff000000) == 0) { 6125 addr <<= 8; 6126 mask <<= 8; 6127 } 6128 return gen_host(addr, mask, proto, dir, q.addr); 6129 6130 case Q_DEFAULT: 6131 case Q_HOST: 6132 if (proto == Q_LINK) { 6133 switch (linktype) { 6134 6135 case DLT_EN10MB: 6136 case DLT_NETANALYZER: 6137 case DLT_NETANALYZER_TRANSPARENT: 6138 eaddr = pcap_ether_hostton(name); 6139 if (eaddr == NULL) 6140 bpf_error( 6141 "unknown ether host '%s'", name); 6142 tmp = gen_prevlinkhdr_check(); 6143 b = gen_ehostop(eaddr, dir); 6144 if (tmp != NULL) 6145 gen_and(tmp, b); 6146 free(eaddr); 6147 return b; 6148 6149 case DLT_FDDI: 6150 eaddr = pcap_ether_hostton(name); 6151 if (eaddr == NULL) 6152 bpf_error( 6153 "unknown FDDI host '%s'", name); 6154 b = gen_fhostop(eaddr, dir); 6155 free(eaddr); 6156 return b; 6157 6158 case DLT_IEEE802: 6159 eaddr = pcap_ether_hostton(name); 6160 if (eaddr == NULL) 6161 bpf_error( 6162 "unknown token ring host '%s'", name); 6163 b = gen_thostop(eaddr, dir); 6164 free(eaddr); 6165 return b; 6166 6167 case DLT_IEEE802_11: 6168 case DLT_PRISM_HEADER: 6169 case DLT_IEEE802_11_RADIO_AVS: 6170 case DLT_IEEE802_11_RADIO: 6171 case DLT_PPI: 6172 eaddr = pcap_ether_hostton(name); 6173 if (eaddr == NULL) 6174 bpf_error( 6175 "unknown 802.11 host '%s'", name); 6176 b = gen_wlanhostop(eaddr, dir); 6177 free(eaddr); 6178 return b; 6179 6180 case DLT_IP_OVER_FC: 6181 eaddr = pcap_ether_hostton(name); 6182 if (eaddr == NULL) 6183 bpf_error( 6184 "unknown Fibre Channel host '%s'", name); 6185 b = gen_ipfchostop(eaddr, dir); 6186 free(eaddr); 6187 return b; 6188 } 6189 6190 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name"); 6191 } else if (proto == Q_DECNET) { 6192 unsigned short dn_addr = __pcap_nametodnaddr(name); 6193 /* 6194 * I don't think DECNET hosts can be multihomed, so 6195 * there is no need to build up a list of addresses 6196 */ 6197 return (gen_host(dn_addr, 0, proto, dir, q.addr)); 6198 } else { 6199 #ifndef INET6 6200 alist = pcap_nametoaddr(name); 6201 if (alist == NULL || *alist == NULL) 6202 bpf_error("unknown host '%s'", name); 6203 tproto = proto; 6204 if (off_linktype.constant_part == (u_int)-1 && 6205 tproto == Q_DEFAULT) 6206 tproto = Q_IP; 6207 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr); 6208 while (*alist) { 6209 tmp = gen_host(**alist++, 0xffffffff, 6210 tproto, dir, q.addr); 6211 gen_or(b, tmp); 6212 b = tmp; 6213 } 6214 return b; 6215 #else 6216 memset(&mask128, 0xff, sizeof(mask128)); 6217 res0 = res = pcap_nametoaddrinfo(name); 6218 if (res == NULL) 6219 bpf_error("unknown host '%s'", name); 6220 ai = res; 6221 b = tmp = NULL; 6222 tproto = tproto6 = proto; 6223 if (off_linktype.constant_part == -1 && 6224 tproto == Q_DEFAULT) { 6225 tproto = Q_IP; 6226 tproto6 = Q_IPV6; 6227 } 6228 for (res = res0; res; res = res->ai_next) { 6229 switch (res->ai_family) { 6230 case AF_INET: 6231 if (tproto == Q_IPV6) 6232 continue; 6233 6234 sin4 = (struct sockaddr_in *) 6235 res->ai_addr; 6236 tmp = gen_host(ntohl(sin4->sin_addr.s_addr), 6237 0xffffffff, tproto, dir, q.addr); 6238 break; 6239 case AF_INET6: 6240 if (tproto6 == Q_IP) 6241 continue; 6242 6243 sin6 = (struct sockaddr_in6 *) 6244 res->ai_addr; 6245 tmp = gen_host6(&sin6->sin6_addr, 6246 &mask128, tproto6, dir, q.addr); 6247 break; 6248 default: 6249 continue; 6250 } 6251 if (b) 6252 gen_or(b, tmp); 6253 b = tmp; 6254 } 6255 ai = NULL; 6256 freeaddrinfo(res0); 6257 if (b == NULL) { 6258 bpf_error("unknown host '%s'%s", name, 6259 (proto == Q_DEFAULT) 6260 ? "" 6261 : " for specified address family"); 6262 } 6263 return b; 6264 #endif /*INET6*/ 6265 } 6266 6267 case Q_PORT: 6268 if (proto != Q_DEFAULT && 6269 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6270 bpf_error("illegal qualifier of 'port'"); 6271 if (pcap_nametoport(name, &port, &real_proto) == 0) 6272 bpf_error("unknown port '%s'", name); 6273 if (proto == Q_UDP) { 6274 if (real_proto == IPPROTO_TCP) 6275 bpf_error("port '%s' is tcp", name); 6276 else if (real_proto == IPPROTO_SCTP) 6277 bpf_error("port '%s' is sctp", name); 6278 else 6279 /* override PROTO_UNDEF */ 6280 real_proto = IPPROTO_UDP; 6281 } 6282 if (proto == Q_TCP) { 6283 if (real_proto == IPPROTO_UDP) 6284 bpf_error("port '%s' is udp", name); 6285 6286 else if (real_proto == IPPROTO_SCTP) 6287 bpf_error("port '%s' is sctp", name); 6288 else 6289 /* override PROTO_UNDEF */ 6290 real_proto = IPPROTO_TCP; 6291 } 6292 if (proto == Q_SCTP) { 6293 if (real_proto == IPPROTO_UDP) 6294 bpf_error("port '%s' is udp", name); 6295 6296 else if (real_proto == IPPROTO_TCP) 6297 bpf_error("port '%s' is tcp", name); 6298 else 6299 /* override PROTO_UNDEF */ 6300 real_proto = IPPROTO_SCTP; 6301 } 6302 if (port < 0) 6303 bpf_error("illegal port number %d < 0", port); 6304 if (port > 65535) 6305 bpf_error("illegal port number %d > 65535", port); 6306 b = gen_port(port, real_proto, dir); 6307 gen_or(gen_port6(port, real_proto, dir), b); 6308 return b; 6309 6310 case Q_PORTRANGE: 6311 if (proto != Q_DEFAULT && 6312 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP) 6313 bpf_error("illegal qualifier of 'portrange'"); 6314 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0) 6315 bpf_error("unknown port in range '%s'", name); 6316 if (proto == Q_UDP) { 6317 if (real_proto == IPPROTO_TCP) 6318 bpf_error("port in range '%s' is tcp", name); 6319 else if (real_proto == IPPROTO_SCTP) 6320 bpf_error("port in range '%s' is sctp", name); 6321 else 6322 /* override PROTO_UNDEF */ 6323 real_proto = IPPROTO_UDP; 6324 } 6325 if (proto == Q_TCP) { 6326 if (real_proto == IPPROTO_UDP) 6327 bpf_error("port in range '%s' is udp", name); 6328 else if (real_proto == IPPROTO_SCTP) 6329 bpf_error("port in range '%s' is sctp", name); 6330 else 6331 /* override PROTO_UNDEF */ 6332 real_proto = IPPROTO_TCP; 6333 } 6334 if (proto == Q_SCTP) { 6335 if (real_proto == IPPROTO_UDP) 6336 bpf_error("port in range '%s' is udp", name); 6337 else if (real_proto == IPPROTO_TCP) 6338 bpf_error("port in range '%s' is tcp", name); 6339 else 6340 /* override PROTO_UNDEF */ 6341 real_proto = IPPROTO_SCTP; 6342 } 6343 if (port1 < 0) 6344 bpf_error("illegal port number %d < 0", port1); 6345 if (port1 > 65535) 6346 bpf_error("illegal port number %d > 65535", port1); 6347 if (port2 < 0) 6348 bpf_error("illegal port number %d < 0", port2); 6349 if (port2 > 65535) 6350 bpf_error("illegal port number %d > 65535", port2); 6351 6352 b = gen_portrange(port1, port2, real_proto, dir); 6353 gen_or(gen_portrange6(port1, port2, real_proto, dir), b); 6354 return b; 6355 6356 case Q_GATEWAY: 6357 #ifndef INET6 6358 eaddr = pcap_ether_hostton(name); 6359 if (eaddr == NULL) 6360 bpf_error("unknown ether host: %s", name); 6361 6362 alist = pcap_nametoaddr(name); 6363 if (alist == NULL || *alist == NULL) 6364 bpf_error("unknown host '%s'", name); 6365 b = gen_gateway(eaddr, alist, proto, dir); 6366 free(eaddr); 6367 return b; 6368 #else 6369 bpf_error("'gateway' not supported in this configuration"); 6370 #endif /*INET6*/ 6371 6372 case Q_PROTO: 6373 real_proto = lookup_proto(name, proto); 6374 if (real_proto >= 0) 6375 return gen_proto(real_proto, proto, dir); 6376 else 6377 bpf_error("unknown protocol: %s", name); 6378 6379 case Q_PROTOCHAIN: 6380 real_proto = lookup_proto(name, proto); 6381 if (real_proto >= 0) 6382 return gen_protochain(real_proto, proto, dir); 6383 else 6384 bpf_error("unknown protocol: %s", name); 6385 6386 case Q_UNDEF: 6387 syntax(); 6388 /* NOTREACHED */ 6389 } 6390 abort(); 6391 /* NOTREACHED */ 6392 } 6393 6394 struct block * 6395 gen_mcode(s1, s2, masklen, q) 6396 register const char *s1, *s2; 6397 register unsigned int masklen; 6398 struct qual q; 6399 { 6400 register int nlen, mlen; 6401 bpf_u_int32 n, m; 6402 6403 nlen = __pcap_atoin(s1, &n); 6404 /* Promote short ipaddr */ 6405 n <<= 32 - nlen; 6406 6407 if (s2 != NULL) { 6408 mlen = __pcap_atoin(s2, &m); 6409 /* Promote short ipaddr */ 6410 m <<= 32 - mlen; 6411 if ((n & ~m) != 0) 6412 bpf_error("non-network bits set in \"%s mask %s\"", 6413 s1, s2); 6414 } else { 6415 /* Convert mask len to mask */ 6416 if (masklen > 32) 6417 bpf_error("mask length must be <= 32"); 6418 if (masklen == 0) { 6419 /* 6420 * X << 32 is not guaranteed by C to be 0; it's 6421 * undefined. 6422 */ 6423 m = 0; 6424 } else 6425 m = 0xffffffff << (32 - masklen); 6426 if ((n & ~m) != 0) 6427 bpf_error("non-network bits set in \"%s/%d\"", 6428 s1, masklen); 6429 } 6430 6431 switch (q.addr) { 6432 6433 case Q_NET: 6434 return gen_host(n, m, q.proto, q.dir, q.addr); 6435 6436 default: 6437 bpf_error("Mask syntax for networks only"); 6438 /* NOTREACHED */ 6439 } 6440 /* NOTREACHED */ 6441 return NULL; 6442 } 6443 6444 struct block * 6445 gen_ncode(s, v, q) 6446 register const char *s; 6447 bpf_u_int32 v; 6448 struct qual q; 6449 { 6450 bpf_u_int32 mask; 6451 int proto = q.proto; 6452 int dir = q.dir; 6453 register int vlen; 6454 6455 if (s == NULL) 6456 vlen = 32; 6457 else if (q.proto == Q_DECNET) 6458 vlen = __pcap_atodn(s, &v); 6459 else 6460 vlen = __pcap_atoin(s, &v); 6461 6462 switch (q.addr) { 6463 6464 case Q_DEFAULT: 6465 case Q_HOST: 6466 case Q_NET: 6467 if (proto == Q_DECNET) 6468 return gen_host(v, 0, proto, dir, q.addr); 6469 else if (proto == Q_LINK) { 6470 bpf_error("illegal link layer address"); 6471 } else { 6472 mask = 0xffffffff; 6473 if (s == NULL && q.addr == Q_NET) { 6474 /* Promote short net number */ 6475 while (v && (v & 0xff000000) == 0) { 6476 v <<= 8; 6477 mask <<= 8; 6478 } 6479 } else { 6480 /* Promote short ipaddr */ 6481 v <<= 32 - vlen; 6482 mask <<= 32 - vlen; 6483 } 6484 return gen_host(v, mask, proto, dir, q.addr); 6485 } 6486 6487 case Q_PORT: 6488 if (proto == Q_UDP) 6489 proto = IPPROTO_UDP; 6490 else if (proto == Q_TCP) 6491 proto = IPPROTO_TCP; 6492 else if (proto == Q_SCTP) 6493 proto = IPPROTO_SCTP; 6494 else if (proto == Q_DEFAULT) 6495 proto = PROTO_UNDEF; 6496 else 6497 bpf_error("illegal qualifier of 'port'"); 6498 6499 if (v > 65535) 6500 bpf_error("illegal port number %u > 65535", v); 6501 6502 { 6503 struct block *b; 6504 b = gen_port((int)v, proto, dir); 6505 gen_or(gen_port6((int)v, proto, dir), b); 6506 return b; 6507 } 6508 6509 case Q_PORTRANGE: 6510 if (proto == Q_UDP) 6511 proto = IPPROTO_UDP; 6512 else if (proto == Q_TCP) 6513 proto = IPPROTO_TCP; 6514 else if (proto == Q_SCTP) 6515 proto = IPPROTO_SCTP; 6516 else if (proto == Q_DEFAULT) 6517 proto = PROTO_UNDEF; 6518 else 6519 bpf_error("illegal qualifier of 'portrange'"); 6520 6521 if (v > 65535) 6522 bpf_error("illegal port number %u > 65535", v); 6523 6524 { 6525 struct block *b; 6526 b = gen_portrange((int)v, (int)v, proto, dir); 6527 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b); 6528 return b; 6529 } 6530 6531 case Q_GATEWAY: 6532 bpf_error("'gateway' requires a name"); 6533 /* NOTREACHED */ 6534 6535 case Q_PROTO: 6536 return gen_proto((int)v, proto, dir); 6537 6538 case Q_PROTOCHAIN: 6539 return gen_protochain((int)v, proto, dir); 6540 6541 case Q_UNDEF: 6542 syntax(); 6543 /* NOTREACHED */ 6544 6545 default: 6546 abort(); 6547 /* NOTREACHED */ 6548 } 6549 /* NOTREACHED */ 6550 } 6551 6552 #ifdef INET6 6553 struct block * 6554 gen_mcode6(s1, s2, masklen, q) 6555 register const char *s1, *s2; 6556 register unsigned int masklen; 6557 struct qual q; 6558 { 6559 struct addrinfo *res; 6560 struct in6_addr *addr; 6561 struct in6_addr mask; 6562 struct block *b; 6563 u_int32_t *a, *m; 6564 6565 if (s2) 6566 bpf_error("no mask %s supported", s2); 6567 6568 res = pcap_nametoaddrinfo(s1); 6569 if (!res) 6570 bpf_error("invalid ip6 address %s", s1); 6571 ai = res; 6572 if (res->ai_next) 6573 bpf_error("%s resolved to multiple address", s1); 6574 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr; 6575 6576 if (sizeof(mask) * 8 < masklen) 6577 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8)); 6578 memset(&mask, 0, sizeof(mask)); 6579 memset(&mask, 0xff, masklen / 8); 6580 if (masklen % 8) { 6581 mask.s6_addr[masklen / 8] = 6582 (0xff << (8 - masklen % 8)) & 0xff; 6583 } 6584 6585 a = (u_int32_t *)addr; 6586 m = (u_int32_t *)&mask; 6587 if ((a[0] & ~m[0]) || (a[1] & ~m[1]) 6588 || (a[2] & ~m[2]) || (a[3] & ~m[3])) { 6589 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen); 6590 } 6591 6592 switch (q.addr) { 6593 6594 case Q_DEFAULT: 6595 case Q_HOST: 6596 if (masklen != 128) 6597 bpf_error("Mask syntax for networks only"); 6598 /* FALLTHROUGH */ 6599 6600 case Q_NET: 6601 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr); 6602 ai = NULL; 6603 freeaddrinfo(res); 6604 return b; 6605 6606 default: 6607 bpf_error("invalid qualifier against IPv6 address"); 6608 /* NOTREACHED */ 6609 } 6610 return NULL; 6611 } 6612 #endif /*INET6*/ 6613 6614 struct block * 6615 gen_ecode(eaddr, q) 6616 register const u_char *eaddr; 6617 struct qual q; 6618 { 6619 struct block *b, *tmp; 6620 6621 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) { 6622 switch (linktype) { 6623 case DLT_EN10MB: 6624 case DLT_NETANALYZER: 6625 case DLT_NETANALYZER_TRANSPARENT: 6626 tmp = gen_prevlinkhdr_check(); 6627 b = gen_ehostop(eaddr, (int)q.dir); 6628 if (tmp != NULL) 6629 gen_and(tmp, b); 6630 return b; 6631 case DLT_FDDI: 6632 return gen_fhostop(eaddr, (int)q.dir); 6633 case DLT_IEEE802: 6634 return gen_thostop(eaddr, (int)q.dir); 6635 case DLT_IEEE802_11: 6636 case DLT_PRISM_HEADER: 6637 case DLT_IEEE802_11_RADIO_AVS: 6638 case DLT_IEEE802_11_RADIO: 6639 case DLT_PPI: 6640 return gen_wlanhostop(eaddr, (int)q.dir); 6641 case DLT_IP_OVER_FC: 6642 return gen_ipfchostop(eaddr, (int)q.dir); 6643 default: 6644 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel"); 6645 break; 6646 } 6647 } 6648 bpf_error("ethernet address used in non-ether expression"); 6649 /* NOTREACHED */ 6650 return NULL; 6651 } 6652 6653 void 6654 sappend(s0, s1) 6655 struct slist *s0, *s1; 6656 { 6657 /* 6658 * This is definitely not the best way to do this, but the 6659 * lists will rarely get long. 6660 */ 6661 while (s0->next) 6662 s0 = s0->next; 6663 s0->next = s1; 6664 } 6665 6666 static struct slist * 6667 xfer_to_x(a) 6668 struct arth *a; 6669 { 6670 struct slist *s; 6671 6672 s = new_stmt(BPF_LDX|BPF_MEM); 6673 s->s.k = a->regno; 6674 return s; 6675 } 6676 6677 static struct slist * 6678 xfer_to_a(a) 6679 struct arth *a; 6680 { 6681 struct slist *s; 6682 6683 s = new_stmt(BPF_LD|BPF_MEM); 6684 s->s.k = a->regno; 6685 return s; 6686 } 6687 6688 /* 6689 * Modify "index" to use the value stored into its register as an 6690 * offset relative to the beginning of the header for the protocol 6691 * "proto", and allocate a register and put an item "size" bytes long 6692 * (1, 2, or 4) at that offset into that register, making it the register 6693 * for "index". 6694 */ 6695 struct arth * 6696 gen_load(proto, inst, size) 6697 int proto; 6698 struct arth *inst; 6699 int size; 6700 { 6701 struct slist *s, *tmp; 6702 struct block *b; 6703 int regno = alloc_reg(); 6704 6705 free_reg(inst->regno); 6706 switch (size) { 6707 6708 default: 6709 bpf_error("data size must be 1, 2, or 4"); 6710 6711 case 1: 6712 size = BPF_B; 6713 break; 6714 6715 case 2: 6716 size = BPF_H; 6717 break; 6718 6719 case 4: 6720 size = BPF_W; 6721 break; 6722 } 6723 switch (proto) { 6724 default: 6725 bpf_error("unsupported index operation"); 6726 6727 case Q_RADIO: 6728 /* 6729 * The offset is relative to the beginning of the packet 6730 * data, if we have a radio header. (If we don't, this 6731 * is an error.) 6732 */ 6733 if (linktype != DLT_IEEE802_11_RADIO_AVS && 6734 linktype != DLT_IEEE802_11_RADIO && 6735 linktype != DLT_PRISM_HEADER) 6736 bpf_error("radio information not present in capture"); 6737 6738 /* 6739 * Load into the X register the offset computed into the 6740 * register specified by "index". 6741 */ 6742 s = xfer_to_x(inst); 6743 6744 /* 6745 * Load the item at that offset. 6746 */ 6747 tmp = new_stmt(BPF_LD|BPF_IND|size); 6748 sappend(s, tmp); 6749 sappend(inst->s, s); 6750 break; 6751 6752 case Q_LINK: 6753 /* 6754 * The offset is relative to the beginning of 6755 * the link-layer header. 6756 * 6757 * XXX - what about ATM LANE? Should the index be 6758 * relative to the beginning of the AAL5 frame, so 6759 * that 0 refers to the beginning of the LE Control 6760 * field, or relative to the beginning of the LAN 6761 * frame, so that 0 refers, for Ethernet LANE, to 6762 * the beginning of the destination address? 6763 */ 6764 s = gen_abs_offset_varpart(&off_linkhdr); 6765 6766 /* 6767 * If "s" is non-null, it has code to arrange that the 6768 * X register contains the length of the prefix preceding 6769 * the link-layer header. Add to it the offset computed 6770 * into the register specified by "index", and move that 6771 * into the X register. Otherwise, just load into the X 6772 * register the offset computed into the register specified 6773 * by "index". 6774 */ 6775 if (s != NULL) { 6776 sappend(s, xfer_to_a(inst)); 6777 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6778 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6779 } else 6780 s = xfer_to_x(inst); 6781 6782 /* 6783 * Load the item at the sum of the offset we've put in the 6784 * X register and the offset of the start of the link 6785 * layer header (which is 0 if the radio header is 6786 * variable-length; that header length is what we put 6787 * into the X register and then added to the index). 6788 */ 6789 tmp = new_stmt(BPF_LD|BPF_IND|size); 6790 tmp->s.k = off_linkhdr.constant_part; 6791 sappend(s, tmp); 6792 sappend(inst->s, s); 6793 break; 6794 6795 case Q_IP: 6796 case Q_ARP: 6797 case Q_RARP: 6798 case Q_ATALK: 6799 case Q_DECNET: 6800 case Q_SCA: 6801 case Q_LAT: 6802 case Q_MOPRC: 6803 case Q_MOPDL: 6804 case Q_IPV6: 6805 /* 6806 * The offset is relative to the beginning of 6807 * the network-layer header. 6808 * XXX - are there any cases where we want 6809 * off_nl_nosnap? 6810 */ 6811 s = gen_abs_offset_varpart(&off_linkpl); 6812 6813 /* 6814 * If "s" is non-null, it has code to arrange that the 6815 * X register contains the variable part of the offset 6816 * of the link-layer payload. Add to it the offset 6817 * computed into the register specified by "index", 6818 * and move that into the X register. Otherwise, just 6819 * load into the X register the offset computed into 6820 * the register specified by "index". 6821 */ 6822 if (s != NULL) { 6823 sappend(s, xfer_to_a(inst)); 6824 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6825 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6826 } else 6827 s = xfer_to_x(inst); 6828 6829 /* 6830 * Load the item at the sum of the offset we've put in the 6831 * X register, the offset of the start of the network 6832 * layer header from the beginning of the link-layer 6833 * payload, and the constant part of the offset of the 6834 * start of the link-layer payload. 6835 */ 6836 tmp = new_stmt(BPF_LD|BPF_IND|size); 6837 tmp->s.k = off_linkpl.constant_part + off_nl; 6838 sappend(s, tmp); 6839 sappend(inst->s, s); 6840 6841 /* 6842 * Do the computation only if the packet contains 6843 * the protocol in question. 6844 */ 6845 b = gen_proto_abbrev(proto); 6846 if (inst->b) 6847 gen_and(inst->b, b); 6848 inst->b = b; 6849 break; 6850 6851 case Q_SCTP: 6852 case Q_TCP: 6853 case Q_UDP: 6854 case Q_ICMP: 6855 case Q_IGMP: 6856 case Q_IGRP: 6857 case Q_PIM: 6858 case Q_VRRP: 6859 case Q_CARP: 6860 /* 6861 * The offset is relative to the beginning of 6862 * the transport-layer header. 6863 * 6864 * Load the X register with the length of the IPv4 header 6865 * (plus the offset of the link-layer header, if it's 6866 * a variable-length header), in bytes. 6867 * 6868 * XXX - are there any cases where we want 6869 * off_nl_nosnap? 6870 * XXX - we should, if we're built with 6871 * IPv6 support, generate code to load either 6872 * IPv4, IPv6, or both, as appropriate. 6873 */ 6874 s = gen_loadx_iphdrlen(); 6875 6876 /* 6877 * The X register now contains the sum of the variable 6878 * part of the offset of the link-layer payload and the 6879 * length of the network-layer header. 6880 * 6881 * Load into the A register the offset relative to 6882 * the beginning of the transport layer header, 6883 * add the X register to that, move that to the 6884 * X register, and load with an offset from the 6885 * X register equal to the sum of the constant part of 6886 * the offset of the link-layer payload and the offset, 6887 * relative to the beginning of the link-layer payload, 6888 * of the network-layer header. 6889 */ 6890 sappend(s, xfer_to_a(inst)); 6891 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X)); 6892 sappend(s, new_stmt(BPF_MISC|BPF_TAX)); 6893 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size)); 6894 tmp->s.k = off_linkpl.constant_part + off_nl; 6895 sappend(inst->s, s); 6896 6897 /* 6898 * Do the computation only if the packet contains 6899 * the protocol in question - which is true only 6900 * if this is an IP datagram and is the first or 6901 * only fragment of that datagram. 6902 */ 6903 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag()); 6904 if (inst->b) 6905 gen_and(inst->b, b); 6906 gen_and(gen_proto_abbrev(Q_IP), b); 6907 inst->b = b; 6908 break; 6909 case Q_ICMPV6: 6910 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]"); 6911 /*NOTREACHED*/ 6912 } 6913 inst->regno = regno; 6914 s = new_stmt(BPF_ST); 6915 s->s.k = regno; 6916 sappend(inst->s, s); 6917 6918 return inst; 6919 } 6920 6921 struct block * 6922 gen_relation(code, a0, a1, reversed) 6923 int code; 6924 struct arth *a0, *a1; 6925 int reversed; 6926 { 6927 struct slist *s0, *s1, *s2; 6928 struct block *b, *tmp; 6929 6930 s0 = xfer_to_x(a1); 6931 s1 = xfer_to_a(a0); 6932 if (code == BPF_JEQ) { 6933 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X); 6934 b = new_block(JMP(code)); 6935 sappend(s1, s2); 6936 } 6937 else 6938 b = new_block(BPF_JMP|code|BPF_X); 6939 if (reversed) 6940 gen_not(b); 6941 6942 sappend(s0, s1); 6943 sappend(a1->s, s0); 6944 sappend(a0->s, a1->s); 6945 6946 b->stmts = a0->s; 6947 6948 free_reg(a0->regno); 6949 free_reg(a1->regno); 6950 6951 /* 'and' together protocol checks */ 6952 if (a0->b) { 6953 if (a1->b) { 6954 gen_and(a0->b, tmp = a1->b); 6955 } 6956 else 6957 tmp = a0->b; 6958 } else 6959 tmp = a1->b; 6960 6961 if (tmp) 6962 gen_and(tmp, b); 6963 6964 return b; 6965 } 6966 6967 struct arth * 6968 gen_loadlen() 6969 { 6970 int regno = alloc_reg(); 6971 struct arth *a = (struct arth *)newchunk(sizeof(*a)); 6972 struct slist *s; 6973 6974 s = new_stmt(BPF_LD|BPF_LEN); 6975 s->next = new_stmt(BPF_ST); 6976 s->next->s.k = regno; 6977 a->s = s; 6978 a->regno = regno; 6979 6980 return a; 6981 } 6982 6983 struct arth * 6984 gen_loadi(val) 6985 int val; 6986 { 6987 struct arth *a; 6988 struct slist *s; 6989 int reg; 6990 6991 a = (struct arth *)newchunk(sizeof(*a)); 6992 6993 reg = alloc_reg(); 6994 6995 s = new_stmt(BPF_LD|BPF_IMM); 6996 s->s.k = val; 6997 s->next = new_stmt(BPF_ST); 6998 s->next->s.k = reg; 6999 a->s = s; 7000 a->regno = reg; 7001 7002 return a; 7003 } 7004 7005 struct arth * 7006 gen_neg(a) 7007 struct arth *a; 7008 { 7009 struct slist *s; 7010 7011 s = xfer_to_a(a); 7012 sappend(a->s, s); 7013 s = new_stmt(BPF_ALU|BPF_NEG); 7014 s->s.k = 0; 7015 sappend(a->s, s); 7016 s = new_stmt(BPF_ST); 7017 s->s.k = a->regno; 7018 sappend(a->s, s); 7019 7020 return a; 7021 } 7022 7023 struct arth * 7024 gen_arth(code, a0, a1) 7025 int code; 7026 struct arth *a0, *a1; 7027 { 7028 struct slist *s0, *s1, *s2; 7029 7030 s0 = xfer_to_x(a1); 7031 s1 = xfer_to_a(a0); 7032 s2 = new_stmt(BPF_ALU|BPF_X|code); 7033 7034 sappend(s1, s2); 7035 sappend(s0, s1); 7036 sappend(a1->s, s0); 7037 sappend(a0->s, a1->s); 7038 7039 free_reg(a0->regno); 7040 free_reg(a1->regno); 7041 7042 s0 = new_stmt(BPF_ST); 7043 a0->regno = s0->s.k = alloc_reg(); 7044 sappend(a0->s, s0); 7045 7046 return a0; 7047 } 7048 7049 /* 7050 * Here we handle simple allocation of the scratch registers. 7051 * If too many registers are alloc'd, the allocator punts. 7052 */ 7053 static int regused[BPF_MEMWORDS]; 7054 static int curreg; 7055 7056 /* 7057 * Initialize the table of used registers and the current register. 7058 */ 7059 static void 7060 init_regs() 7061 { 7062 curreg = 0; 7063 memset(regused, 0, sizeof regused); 7064 } 7065 7066 /* 7067 * Return the next free register. 7068 */ 7069 static int 7070 alloc_reg() 7071 { 7072 int n = BPF_MEMWORDS; 7073 7074 while (--n >= 0) { 7075 if (regused[curreg]) 7076 curreg = (curreg + 1) % BPF_MEMWORDS; 7077 else { 7078 regused[curreg] = 1; 7079 return curreg; 7080 } 7081 } 7082 bpf_error("too many registers needed to evaluate expression"); 7083 /* NOTREACHED */ 7084 return 0; 7085 } 7086 7087 /* 7088 * Return a register to the table so it can 7089 * be used later. 7090 */ 7091 static void 7092 free_reg(n) 7093 int n; 7094 { 7095 regused[n] = 0; 7096 } 7097 7098 static struct block * 7099 gen_len(jmp, n) 7100 int jmp, n; 7101 { 7102 struct slist *s; 7103 struct block *b; 7104 7105 s = new_stmt(BPF_LD|BPF_LEN); 7106 b = new_block(JMP(jmp)); 7107 b->stmts = s; 7108 b->s.k = n; 7109 7110 return b; 7111 } 7112 7113 struct block * 7114 gen_greater(n) 7115 int n; 7116 { 7117 return gen_len(BPF_JGE, n); 7118 } 7119 7120 /* 7121 * Actually, this is less than or equal. 7122 */ 7123 struct block * 7124 gen_less(n) 7125 int n; 7126 { 7127 struct block *b; 7128 7129 b = gen_len(BPF_JGT, n); 7130 gen_not(b); 7131 7132 return b; 7133 } 7134 7135 /* 7136 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to 7137 * the beginning of the link-layer header. 7138 * XXX - that means you can't test values in the radiotap header, but 7139 * as that header is difficult if not impossible to parse generally 7140 * without a loop, that might not be a severe problem. A new keyword 7141 * "radio" could be added for that, although what you'd really want 7142 * would be a way of testing particular radio header values, which 7143 * would generate code appropriate to the radio header in question. 7144 */ 7145 struct block * 7146 gen_byteop(op, idx, val) 7147 int op, idx, val; 7148 { 7149 struct block *b; 7150 struct slist *s; 7151 7152 switch (op) { 7153 default: 7154 abort(); 7155 7156 case '=': 7157 return gen_cmp(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7158 7159 case '<': 7160 b = gen_cmp_lt(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7161 return b; 7162 7163 case '>': 7164 b = gen_cmp_gt(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val); 7165 return b; 7166 7167 case '|': 7168 s = new_stmt(BPF_ALU|BPF_OR|BPF_K); 7169 break; 7170 7171 case '&': 7172 s = new_stmt(BPF_ALU|BPF_AND|BPF_K); 7173 break; 7174 } 7175 s->s.k = val; 7176 b = new_block(JMP(BPF_JEQ)); 7177 b->stmts = s; 7178 gen_not(b); 7179 7180 return b; 7181 } 7182 7183 static u_char abroadcast[] = { 0x0 }; 7184 7185 struct block * 7186 gen_broadcast(proto) 7187 int proto; 7188 { 7189 bpf_u_int32 hostmask; 7190 struct block *b0, *b1, *b2; 7191 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; 7192 7193 switch (proto) { 7194 7195 case Q_DEFAULT: 7196 case Q_LINK: 7197 switch (linktype) { 7198 case DLT_ARCNET: 7199 case DLT_ARCNET_LINUX: 7200 return gen_ahostop(abroadcast, Q_DST); 7201 case DLT_EN10MB: 7202 case DLT_NETANALYZER: 7203 case DLT_NETANALYZER_TRANSPARENT: 7204 b1 = gen_prevlinkhdr_check(); 7205 b0 = gen_ehostop(ebroadcast, Q_DST); 7206 if (b1 != NULL) 7207 gen_and(b1, b0); 7208 return b0; 7209 case DLT_FDDI: 7210 return gen_fhostop(ebroadcast, Q_DST); 7211 case DLT_IEEE802: 7212 return gen_thostop(ebroadcast, Q_DST); 7213 case DLT_IEEE802_11: 7214 case DLT_PRISM_HEADER: 7215 case DLT_IEEE802_11_RADIO_AVS: 7216 case DLT_IEEE802_11_RADIO: 7217 case DLT_PPI: 7218 return gen_wlanhostop(ebroadcast, Q_DST); 7219 case DLT_IP_OVER_FC: 7220 return gen_ipfchostop(ebroadcast, Q_DST); 7221 default: 7222 bpf_error("not a broadcast link"); 7223 } 7224 break; 7225 7226 case Q_IP: 7227 /* 7228 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff) 7229 * as an indication that we don't know the netmask, and fail 7230 * in that case. 7231 */ 7232 if (netmask == PCAP_NETMASK_UNKNOWN) 7233 bpf_error("netmask not known, so 'ip broadcast' not supported"); 7234 b0 = gen_linktype(ETHERTYPE_IP); 7235 hostmask = ~netmask; 7236 b1 = gen_mcmp(OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask); 7237 b2 = gen_mcmp(OR_LINKPL, 16, BPF_W, 7238 (bpf_int32)(~0 & hostmask), hostmask); 7239 gen_or(b1, b2); 7240 gen_and(b0, b2); 7241 return b2; 7242 } 7243 bpf_error("only link-layer/IP broadcast filters supported"); 7244 /* NOTREACHED */ 7245 return NULL; 7246 } 7247 7248 /* 7249 * Generate code to test the low-order bit of a MAC address (that's 7250 * the bottom bit of the *first* byte). 7251 */ 7252 static struct block * 7253 gen_mac_multicast(offset) 7254 int offset; 7255 { 7256 register struct block *b0; 7257 register struct slist *s; 7258 7259 /* link[offset] & 1 != 0 */ 7260 s = gen_load_a(OR_LINKHDR, offset, BPF_B); 7261 b0 = new_block(JMP(BPF_JSET)); 7262 b0->s.k = 1; 7263 b0->stmts = s; 7264 return b0; 7265 } 7266 7267 struct block * 7268 gen_multicast(proto) 7269 int proto; 7270 { 7271 register struct block *b0, *b1, *b2; 7272 register struct slist *s; 7273 7274 switch (proto) { 7275 7276 case Q_DEFAULT: 7277 case Q_LINK: 7278 switch (linktype) { 7279 case DLT_ARCNET: 7280 case DLT_ARCNET_LINUX: 7281 /* all ARCnet multicasts use the same address */ 7282 return gen_ahostop(abroadcast, Q_DST); 7283 case DLT_EN10MB: 7284 case DLT_NETANALYZER: 7285 case DLT_NETANALYZER_TRANSPARENT: 7286 b1 = gen_prevlinkhdr_check(); 7287 /* ether[0] & 1 != 0 */ 7288 b0 = gen_mac_multicast(0); 7289 if (b1 != NULL) 7290 gen_and(b1, b0); 7291 return b0; 7292 case DLT_FDDI: 7293 /* 7294 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX 7295 * 7296 * XXX - was that referring to bit-order issues? 7297 */ 7298 /* fddi[1] & 1 != 0 */ 7299 return gen_mac_multicast(1); 7300 case DLT_IEEE802: 7301 /* tr[2] & 1 != 0 */ 7302 return gen_mac_multicast(2); 7303 case DLT_IEEE802_11: 7304 case DLT_PRISM_HEADER: 7305 case DLT_IEEE802_11_RADIO_AVS: 7306 case DLT_IEEE802_11_RADIO: 7307 case DLT_PPI: 7308 /* 7309 * Oh, yuk. 7310 * 7311 * For control frames, there is no DA. 7312 * 7313 * For management frames, DA is at an 7314 * offset of 4 from the beginning of 7315 * the packet. 7316 * 7317 * For data frames, DA is at an offset 7318 * of 4 from the beginning of the packet 7319 * if To DS is clear and at an offset of 7320 * 16 from the beginning of the packet 7321 * if To DS is set. 7322 */ 7323 7324 /* 7325 * Generate the tests to be done for data frames. 7326 * 7327 * First, check for To DS set, i.e. "link[1] & 0x01". 7328 */ 7329 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 7330 b1 = new_block(JMP(BPF_JSET)); 7331 b1->s.k = 0x01; /* To DS */ 7332 b1->stmts = s; 7333 7334 /* 7335 * If To DS is set, the DA is at 16. 7336 */ 7337 b0 = gen_mac_multicast(16); 7338 gen_and(b1, b0); 7339 7340 /* 7341 * Now, check for To DS not set, i.e. check 7342 * "!(link[1] & 0x01)". 7343 */ 7344 s = gen_load_a(OR_LINKHDR, 1, BPF_B); 7345 b2 = new_block(JMP(BPF_JSET)); 7346 b2->s.k = 0x01; /* To DS */ 7347 b2->stmts = s; 7348 gen_not(b2); 7349 7350 /* 7351 * If To DS is not set, the DA is at 4. 7352 */ 7353 b1 = gen_mac_multicast(4); 7354 gen_and(b2, b1); 7355 7356 /* 7357 * Now OR together the last two checks. That gives 7358 * the complete set of checks for data frames. 7359 */ 7360 gen_or(b1, b0); 7361 7362 /* 7363 * Now check for a data frame. 7364 * I.e, check "link[0] & 0x08". 7365 */ 7366 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 7367 b1 = new_block(JMP(BPF_JSET)); 7368 b1->s.k = 0x08; 7369 b1->stmts = s; 7370 7371 /* 7372 * AND that with the checks done for data frames. 7373 */ 7374 gen_and(b1, b0); 7375 7376 /* 7377 * If the high-order bit of the type value is 0, this 7378 * is a management frame. 7379 * I.e, check "!(link[0] & 0x08)". 7380 */ 7381 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 7382 b2 = new_block(JMP(BPF_JSET)); 7383 b2->s.k = 0x08; 7384 b2->stmts = s; 7385 gen_not(b2); 7386 7387 /* 7388 * For management frames, the DA is at 4. 7389 */ 7390 b1 = gen_mac_multicast(4); 7391 gen_and(b2, b1); 7392 7393 /* 7394 * OR that with the checks done for data frames. 7395 * That gives the checks done for management and 7396 * data frames. 7397 */ 7398 gen_or(b1, b0); 7399 7400 /* 7401 * If the low-order bit of the type value is 1, 7402 * this is either a control frame or a frame 7403 * with a reserved type, and thus not a 7404 * frame with an SA. 7405 * 7406 * I.e., check "!(link[0] & 0x04)". 7407 */ 7408 s = gen_load_a(OR_LINKHDR, 0, BPF_B); 7409 b1 = new_block(JMP(BPF_JSET)); 7410 b1->s.k = 0x04; 7411 b1->stmts = s; 7412 gen_not(b1); 7413 7414 /* 7415 * AND that with the checks for data and management 7416 * frames. 7417 */ 7418 gen_and(b1, b0); 7419 return b0; 7420 case DLT_IP_OVER_FC: 7421 b0 = gen_mac_multicast(2); 7422 return b0; 7423 default: 7424 break; 7425 } 7426 /* Link not known to support multicasts */ 7427 break; 7428 7429 case Q_IP: 7430 b0 = gen_linktype(ETHERTYPE_IP); 7431 b1 = gen_cmp_ge(OR_LINKPL, 16, BPF_B, (bpf_int32)224); 7432 gen_and(b0, b1); 7433 return b1; 7434 7435 case Q_IPV6: 7436 b0 = gen_linktype(ETHERTYPE_IPV6); 7437 b1 = gen_cmp(OR_LINKPL, 24, BPF_B, (bpf_int32)255); 7438 gen_and(b0, b1); 7439 return b1; 7440 } 7441 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel"); 7442 /* NOTREACHED */ 7443 return NULL; 7444 } 7445 7446 /* 7447 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic. 7448 * Outbound traffic is sent by this machine, while inbound traffic is 7449 * sent by a remote machine (and may include packets destined for a 7450 * unicast or multicast link-layer address we are not subscribing to). 7451 * These are the same definitions implemented by pcap_setdirection(). 7452 * Capturing only unicast traffic destined for this host is probably 7453 * better accomplished using a higher-layer filter. 7454 */ 7455 struct block * 7456 gen_inbound(dir) 7457 int dir; 7458 { 7459 register struct block *b0; 7460 7461 /* 7462 * Only some data link types support inbound/outbound qualifiers. 7463 */ 7464 switch (linktype) { 7465 case DLT_SLIP: 7466 b0 = gen_relation(BPF_JEQ, 7467 gen_load(Q_LINK, gen_loadi(0), 1), 7468 gen_loadi(0), 7469 dir); 7470 break; 7471 7472 case DLT_IPNET: 7473 if (dir) { 7474 /* match outgoing packets */ 7475 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND); 7476 } else { 7477 /* match incoming packets */ 7478 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, IPNET_INBOUND); 7479 } 7480 break; 7481 7482 case DLT_LINUX_SLL: 7483 /* match outgoing packets */ 7484 b0 = gen_cmp(OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING); 7485 if (!dir) { 7486 /* to filter on inbound traffic, invert the match */ 7487 gen_not(b0); 7488 } 7489 break; 7490 7491 #ifdef HAVE_NET_PFVAR_H 7492 case DLT_PFLOG: 7493 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B, 7494 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT)); 7495 break; 7496 #endif 7497 7498 case DLT_PPP_PPPD: 7499 if (dir) { 7500 /* match outgoing packets */ 7501 b0 = gen_cmp(OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT); 7502 } else { 7503 /* match incoming packets */ 7504 b0 = gen_cmp(OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN); 7505 } 7506 break; 7507 7508 case DLT_JUNIPER_MFR: 7509 case DLT_JUNIPER_MLFR: 7510 case DLT_JUNIPER_MLPPP: 7511 case DLT_JUNIPER_ATM1: 7512 case DLT_JUNIPER_ATM2: 7513 case DLT_JUNIPER_PPPOE: 7514 case DLT_JUNIPER_PPPOE_ATM: 7515 case DLT_JUNIPER_GGSN: 7516 case DLT_JUNIPER_ES: 7517 case DLT_JUNIPER_MONITOR: 7518 case DLT_JUNIPER_SERVICES: 7519 case DLT_JUNIPER_ETHER: 7520 case DLT_JUNIPER_PPP: 7521 case DLT_JUNIPER_FRELAY: 7522 case DLT_JUNIPER_CHDLC: 7523 case DLT_JUNIPER_VP: 7524 case DLT_JUNIPER_ST: 7525 case DLT_JUNIPER_ISM: 7526 case DLT_JUNIPER_VS: 7527 case DLT_JUNIPER_SRX_E2E: 7528 case DLT_JUNIPER_FIBRECHANNEL: 7529 case DLT_JUNIPER_ATM_CEMIC: 7530 7531 /* juniper flags (including direction) are stored 7532 * the byte after the 3-byte magic number */ 7533 if (dir) { 7534 /* match outgoing packets */ 7535 b0 = gen_mcmp(OR_LINKHDR, 3, BPF_B, 0, 0x01); 7536 } else { 7537 /* match incoming packets */ 7538 b0 = gen_mcmp(OR_LINKHDR, 3, BPF_B, 1, 0x01); 7539 } 7540 break; 7541 7542 default: 7543 /* 7544 * If we have packet meta-data indicating a direction, 7545 * check it, otherwise give up as this link-layer type 7546 * has nothing in the packet data. 7547 */ 7548 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) 7549 /* 7550 * This is Linux with PF_PACKET support. 7551 * If this is a *live* capture, we can look at 7552 * special meta-data in the filter expression; 7553 * if it's a savefile, we can't. 7554 */ 7555 if (bpf_pcap->rfile != NULL) { 7556 /* We have a FILE *, so this is a savefile */ 7557 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles", 7558 linktype); 7559 b0 = NULL; 7560 /* NOTREACHED */ 7561 } 7562 /* match outgoing packets */ 7563 b0 = gen_cmp(OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H, 7564 PACKET_OUTGOING); 7565 if (!dir) { 7566 /* to filter on inbound traffic, invert the match */ 7567 gen_not(b0); 7568 } 7569 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7570 bpf_error("inbound/outbound not supported on linktype %d", 7571 linktype); 7572 b0 = NULL; 7573 /* NOTREACHED */ 7574 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */ 7575 } 7576 return (b0); 7577 } 7578 7579 #ifdef HAVE_NET_PFVAR_H 7580 /* PF firewall log matched interface */ 7581 struct block * 7582 gen_pf_ifname(const char *ifname) 7583 { 7584 struct block *b0; 7585 u_int len, off; 7586 7587 if (linktype != DLT_PFLOG) { 7588 bpf_error("ifname supported only on PF linktype"); 7589 /* NOTREACHED */ 7590 } 7591 len = sizeof(((struct pfloghdr *)0)->ifname); 7592 off = offsetof(struct pfloghdr, ifname); 7593 if (strlen(ifname) >= len) { 7594 bpf_error("ifname interface names can only be %d characters", 7595 len-1); 7596 /* NOTREACHED */ 7597 } 7598 b0 = gen_bcmp(OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname); 7599 return (b0); 7600 } 7601 7602 /* PF firewall log ruleset name */ 7603 struct block * 7604 gen_pf_ruleset(char *ruleset) 7605 { 7606 struct block *b0; 7607 7608 if (linktype != DLT_PFLOG) { 7609 bpf_error("ruleset supported only on PF linktype"); 7610 /* NOTREACHED */ 7611 } 7612 7613 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) { 7614 bpf_error("ruleset names can only be %ld characters", 7615 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1)); 7616 /* NOTREACHED */ 7617 } 7618 7619 b0 = gen_bcmp(OR_LINKHDR, offsetof(struct pfloghdr, ruleset), 7620 strlen(ruleset), (const u_char *)ruleset); 7621 return (b0); 7622 } 7623 7624 /* PF firewall log rule number */ 7625 struct block * 7626 gen_pf_rnr(int rnr) 7627 { 7628 struct block *b0; 7629 7630 if (linktype != DLT_PFLOG) { 7631 bpf_error("rnr supported only on PF linktype"); 7632 /* NOTREACHED */ 7633 } 7634 7635 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W, 7636 (bpf_int32)rnr); 7637 return (b0); 7638 } 7639 7640 /* PF firewall log sub-rule number */ 7641 struct block * 7642 gen_pf_srnr(int srnr) 7643 { 7644 struct block *b0; 7645 7646 if (linktype != DLT_PFLOG) { 7647 bpf_error("srnr supported only on PF linktype"); 7648 /* NOTREACHED */ 7649 } 7650 7651 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W, 7652 (bpf_int32)srnr); 7653 return (b0); 7654 } 7655 7656 /* PF firewall log reason code */ 7657 struct block * 7658 gen_pf_reason(int reason) 7659 { 7660 struct block *b0; 7661 7662 if (linktype != DLT_PFLOG) { 7663 bpf_error("reason supported only on PF linktype"); 7664 /* NOTREACHED */ 7665 } 7666 7667 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B, 7668 (bpf_int32)reason); 7669 return (b0); 7670 } 7671 7672 /* PF firewall log action */ 7673 struct block * 7674 gen_pf_action(int action) 7675 { 7676 struct block *b0; 7677 7678 if (linktype != DLT_PFLOG) { 7679 bpf_error("action supported only on PF linktype"); 7680 /* NOTREACHED */ 7681 } 7682 7683 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B, 7684 (bpf_int32)action); 7685 return (b0); 7686 } 7687 #else /* !HAVE_NET_PFVAR_H */ 7688 struct block * 7689 gen_pf_ifname(const char *ifname) 7690 { 7691 bpf_error("libpcap was compiled without pf support"); 7692 /* NOTREACHED */ 7693 return (NULL); 7694 } 7695 7696 struct block * 7697 gen_pf_ruleset(char *ruleset) 7698 { 7699 bpf_error("libpcap was compiled on a machine without pf support"); 7700 /* NOTREACHED */ 7701 return (NULL); 7702 } 7703 7704 struct block * 7705 gen_pf_rnr(int rnr) 7706 { 7707 bpf_error("libpcap was compiled on a machine without pf support"); 7708 /* NOTREACHED */ 7709 return (NULL); 7710 } 7711 7712 struct block * 7713 gen_pf_srnr(int srnr) 7714 { 7715 bpf_error("libpcap was compiled on a machine without pf support"); 7716 /* NOTREACHED */ 7717 return (NULL); 7718 } 7719 7720 struct block * 7721 gen_pf_reason(int reason) 7722 { 7723 bpf_error("libpcap was compiled on a machine without pf support"); 7724 /* NOTREACHED */ 7725 return (NULL); 7726 } 7727 7728 struct block * 7729 gen_pf_action(int action) 7730 { 7731 bpf_error("libpcap was compiled on a machine without pf support"); 7732 /* NOTREACHED */ 7733 return (NULL); 7734 } 7735 #endif /* HAVE_NET_PFVAR_H */ 7736 7737 /* IEEE 802.11 wireless header */ 7738 struct block * 7739 gen_p80211_type(int type, int mask) 7740 { 7741 struct block *b0; 7742 7743 switch (linktype) { 7744 7745 case DLT_IEEE802_11: 7746 case DLT_PRISM_HEADER: 7747 case DLT_IEEE802_11_RADIO_AVS: 7748 case DLT_IEEE802_11_RADIO: 7749 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, (bpf_int32)type, 7750 (bpf_int32)mask); 7751 break; 7752 7753 default: 7754 bpf_error("802.11 link-layer types supported only on 802.11"); 7755 /* NOTREACHED */ 7756 } 7757 7758 return (b0); 7759 } 7760 7761 struct block * 7762 gen_p80211_fcdir(int fcdir) 7763 { 7764 struct block *b0; 7765 7766 switch (linktype) { 7767 7768 case DLT_IEEE802_11: 7769 case DLT_PRISM_HEADER: 7770 case DLT_IEEE802_11_RADIO_AVS: 7771 case DLT_IEEE802_11_RADIO: 7772 break; 7773 7774 default: 7775 bpf_error("frame direction supported only with 802.11 headers"); 7776 /* NOTREACHED */ 7777 } 7778 7779 b0 = gen_mcmp(OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir, 7780 (bpf_u_int32)IEEE80211_FC1_DIR_MASK); 7781 7782 return (b0); 7783 } 7784 7785 struct block * 7786 gen_acode(eaddr, q) 7787 register const u_char *eaddr; 7788 struct qual q; 7789 { 7790 switch (linktype) { 7791 7792 case DLT_ARCNET: 7793 case DLT_ARCNET_LINUX: 7794 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && 7795 q.proto == Q_LINK) 7796 return (gen_ahostop(eaddr, (int)q.dir)); 7797 else { 7798 bpf_error("ARCnet address used in non-arc expression"); 7799 /* NOTREACHED */ 7800 } 7801 break; 7802 7803 default: 7804 bpf_error("aid supported only on ARCnet"); 7805 /* NOTREACHED */ 7806 } 7807 bpf_error("ARCnet address used in non-arc expression"); 7808 /* NOTREACHED */ 7809 return NULL; 7810 } 7811 7812 static struct block * 7813 gen_ahostop(eaddr, dir) 7814 register const u_char *eaddr; 7815 register int dir; 7816 { 7817 register struct block *b0, *b1; 7818 7819 switch (dir) { 7820 /* src comes first, different from Ethernet */ 7821 case Q_SRC: 7822 return gen_bcmp(OR_LINKHDR, 0, 1, eaddr); 7823 7824 case Q_DST: 7825 return gen_bcmp(OR_LINKHDR, 1, 1, eaddr); 7826 7827 case Q_AND: 7828 b0 = gen_ahostop(eaddr, Q_SRC); 7829 b1 = gen_ahostop(eaddr, Q_DST); 7830 gen_and(b0, b1); 7831 return b1; 7832 7833 case Q_DEFAULT: 7834 case Q_OR: 7835 b0 = gen_ahostop(eaddr, Q_SRC); 7836 b1 = gen_ahostop(eaddr, Q_DST); 7837 gen_or(b0, b1); 7838 return b1; 7839 7840 case Q_ADDR1: 7841 bpf_error("'addr1' is only supported on 802.11"); 7842 break; 7843 7844 case Q_ADDR2: 7845 bpf_error("'addr2' is only supported on 802.11"); 7846 break; 7847 7848 case Q_ADDR3: 7849 bpf_error("'addr3' is only supported on 802.11"); 7850 break; 7851 7852 case Q_ADDR4: 7853 bpf_error("'addr4' is only supported on 802.11"); 7854 break; 7855 7856 case Q_RA: 7857 bpf_error("'ra' is only supported on 802.11"); 7858 break; 7859 7860 case Q_TA: 7861 bpf_error("'ta' is only supported on 802.11"); 7862 break; 7863 } 7864 abort(); 7865 /* NOTREACHED */ 7866 } 7867 7868 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT) 7869 static struct block * 7870 gen_vlan_bpf_extensions(int vlan_num) 7871 { 7872 struct block *b0, *b1; 7873 struct slist *s; 7874 7875 /* generate new filter code based on extracting packet 7876 * metadata */ 7877 s = new_stmt(BPF_LD|BPF_B|BPF_ABS); 7878 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT; 7879 7880 b0 = new_block(JMP(BPF_JEQ)); 7881 b0->stmts = s; 7882 b0->s.k = 1; 7883 7884 if (vlan_num >= 0) { 7885 s = new_stmt(BPF_LD|BPF_B|BPF_ABS); 7886 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG; 7887 7888 b1 = new_block(JMP(BPF_JEQ)); 7889 b1->stmts = s; 7890 b1->s.k = (bpf_int32) vlan_num; 7891 7892 gen_and(b0,b1); 7893 b0 = b1; 7894 } 7895 7896 return b0; 7897 } 7898 #endif 7899 7900 static struct block * 7901 gen_vlan_no_bpf_extensions(int vlan_num) 7902 { 7903 struct block *b0, *b1; 7904 7905 /* check for VLAN, including QinQ */ 7906 b0 = gen_linktype(ETHERTYPE_8021Q); 7907 b1 = gen_linktype(ETHERTYPE_8021QINQ); 7908 gen_or(b0,b1); 7909 b0 = b1; 7910 7911 /* If a specific VLAN is requested, check VLAN id */ 7912 if (vlan_num >= 0) { 7913 b1 = gen_mcmp(OR_LINKPL, 0, BPF_H, 7914 (bpf_int32)vlan_num, 0x0fff); 7915 gen_and(b0, b1); 7916 b0 = b1; 7917 } 7918 7919 /* 7920 * The payload follows the full header, including the 7921 * VLAN tags, so skip past this VLAN tag. 7922 */ 7923 off_linkpl.constant_part += 4; 7924 7925 /* 7926 * The link-layer type information follows the VLAN tags, so 7927 * skip past this VLAN tag. 7928 */ 7929 off_linktype.constant_part += 4; 7930 7931 return b0; 7932 } 7933 7934 /* 7935 * support IEEE 802.1Q VLAN trunk over ethernet 7936 */ 7937 struct block * 7938 gen_vlan(vlan_num) 7939 int vlan_num; 7940 { 7941 struct block *b0; 7942 7943 /* can't check for VLAN-encapsulated packets inside MPLS */ 7944 if (label_stack_depth > 0) 7945 bpf_error("no VLAN match after MPLS"); 7946 7947 /* 7948 * Check for a VLAN packet, and then change the offsets to point 7949 * to the type and data fields within the VLAN packet. Just 7950 * increment the offsets, so that we can support a hierarchy, e.g. 7951 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within 7952 * VLAN 100. 7953 * 7954 * XXX - this is a bit of a kludge. If we were to split the 7955 * compiler into a parser that parses an expression and 7956 * generates an expression tree, and a code generator that 7957 * takes an expression tree (which could come from our 7958 * parser or from some other parser) and generates BPF code, 7959 * we could perhaps make the offsets parameters of routines 7960 * and, in the handler for an "AND" node, pass to subnodes 7961 * other than the VLAN node the adjusted offsets. 7962 * 7963 * This would mean that "vlan" would, instead of changing the 7964 * behavior of *all* tests after it, change only the behavior 7965 * of tests ANDed with it. That would change the documented 7966 * semantics of "vlan", which might break some expressions. 7967 * However, it would mean that "(vlan and ip) or ip" would check 7968 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 7969 * checking only for VLAN-encapsulated IP, so that could still 7970 * be considered worth doing; it wouldn't break expressions 7971 * that are of the form "vlan and ..." or "vlan N and ...", 7972 * which I suspect are the most common expressions involving 7973 * "vlan". "vlan or ..." doesn't necessarily do what the user 7974 * would really want, now, as all the "or ..." tests would 7975 * be done assuming a VLAN, even though the "or" could be viewed 7976 * as meaning "or, if this isn't a VLAN packet...". 7977 */ 7978 switch (linktype) { 7979 7980 case DLT_EN10MB: 7981 case DLT_NETANALYZER: 7982 case DLT_NETANALYZER_TRANSPARENT: 7983 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT) 7984 /* Verify that this is the outer part of the packet and 7985 * not encapsulated somehow. */ 7986 if (vlan_stack_depth == 0 && !off_linkhdr.is_variable && 7987 off_linkhdr.constant_part == 7988 off_outermostlinkhdr.constant_part) { 7989 /* 7990 * Do we need special VLAN handling? 7991 */ 7992 if (bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING) 7993 b0 = gen_vlan_bpf_extensions(vlan_num); 7994 else 7995 b0 = gen_vlan_no_bpf_extensions(vlan_num); 7996 } else 7997 #endif 7998 b0 = gen_vlan_no_bpf_extensions(vlan_num); 7999 break; 8000 8001 case DLT_IEEE802_11: 8002 case DLT_PRISM_HEADER: 8003 case DLT_IEEE802_11_RADIO_AVS: 8004 case DLT_IEEE802_11_RADIO: 8005 b0 = gen_vlan_no_bpf_extensions(vlan_num); 8006 break; 8007 8008 default: 8009 bpf_error("no VLAN support for data link type %d", 8010 linktype); 8011 /*NOTREACHED*/ 8012 } 8013 8014 vlan_stack_depth++; 8015 8016 return (b0); 8017 } 8018 8019 /* 8020 * support for MPLS 8021 */ 8022 struct block * 8023 gen_mpls(label_num) 8024 int label_num; 8025 { 8026 struct block *b0, *b1; 8027 8028 if (label_stack_depth > 0) { 8029 /* just match the bottom-of-stack bit clear */ 8030 b0 = gen_mcmp(OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01); 8031 } else { 8032 /* 8033 * We're not in an MPLS stack yet, so check the link-layer 8034 * type against MPLS. 8035 */ 8036 switch (linktype) { 8037 8038 case DLT_C_HDLC: /* fall through */ 8039 case DLT_EN10MB: 8040 case DLT_NETANALYZER: 8041 case DLT_NETANALYZER_TRANSPARENT: 8042 b0 = gen_linktype(ETHERTYPE_MPLS); 8043 break; 8044 8045 case DLT_PPP: 8046 b0 = gen_linktype(PPP_MPLS_UCAST); 8047 break; 8048 8049 /* FIXME add other DLT_s ... 8050 * for Frame-Relay/and ATM this may get messy due to SNAP headers 8051 * leave it for now */ 8052 8053 default: 8054 bpf_error("no MPLS support for data link type %d", 8055 linktype); 8056 b0 = NULL; 8057 /*NOTREACHED*/ 8058 break; 8059 } 8060 } 8061 8062 /* If a specific MPLS label is requested, check it */ 8063 if (label_num >= 0) { 8064 label_num = label_num << 12; /* label is shifted 12 bits on the wire */ 8065 b1 = gen_mcmp(OR_LINKPL, 0, BPF_W, (bpf_int32)label_num, 8066 0xfffff000); /* only compare the first 20 bits */ 8067 gen_and(b0, b1); 8068 b0 = b1; 8069 } 8070 8071 /* 8072 * Change the offsets to point to the type and data fields within 8073 * the MPLS packet. Just increment the offsets, so that we 8074 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to 8075 * capture packets with an outer label of 100000 and an inner 8076 * label of 1024. 8077 * 8078 * Increment the MPLS stack depth as well; this indicates that 8079 * we're checking MPLS-encapsulated headers, to make sure higher 8080 * level code generators don't try to match against IP-related 8081 * protocols such as Q_ARP, Q_RARP etc. 8082 * 8083 * XXX - this is a bit of a kludge. See comments in gen_vlan(). 8084 */ 8085 off_nl_nosnap += 4; 8086 off_nl += 4; 8087 label_stack_depth++; 8088 return (b0); 8089 } 8090 8091 /* 8092 * Support PPPOE discovery and session. 8093 */ 8094 struct block * 8095 gen_pppoed() 8096 { 8097 /* check for PPPoE discovery */ 8098 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED); 8099 } 8100 8101 struct block * 8102 gen_pppoes(sess_num) 8103 int sess_num; 8104 { 8105 struct block *b0, *b1; 8106 8107 /* 8108 * Test against the PPPoE session link-layer type. 8109 */ 8110 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES); 8111 8112 /* If a specific session is requested, check PPPoE session id */ 8113 if (sess_num >= 0) { 8114 b1 = gen_mcmp(OR_LINKPL, 0, BPF_W, 8115 (bpf_int32)sess_num, 0x0000ffff); 8116 gen_and(b0, b1); 8117 b0 = b1; 8118 } 8119 8120 /* 8121 * Change the offsets to point to the type and data fields within 8122 * the PPP packet, and note that this is PPPoE rather than 8123 * raw PPP. 8124 * 8125 * XXX - this is a bit of a kludge. If we were to split the 8126 * compiler into a parser that parses an expression and 8127 * generates an expression tree, and a code generator that 8128 * takes an expression tree (which could come from our 8129 * parser or from some other parser) and generates BPF code, 8130 * we could perhaps make the offsets parameters of routines 8131 * and, in the handler for an "AND" node, pass to subnodes 8132 * other than the PPPoE node the adjusted offsets. 8133 * 8134 * This would mean that "pppoes" would, instead of changing the 8135 * behavior of *all* tests after it, change only the behavior 8136 * of tests ANDed with it. That would change the documented 8137 * semantics of "pppoes", which might break some expressions. 8138 * However, it would mean that "(pppoes and ip) or ip" would check 8139 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than 8140 * checking only for VLAN-encapsulated IP, so that could still 8141 * be considered worth doing; it wouldn't break expressions 8142 * that are of the form "pppoes and ..." which I suspect are the 8143 * most common expressions involving "pppoes". "pppoes or ..." 8144 * doesn't necessarily do what the user would really want, now, 8145 * as all the "or ..." tests would be done assuming PPPoE, even 8146 * though the "or" could be viewed as meaning "or, if this isn't 8147 * a PPPoE packet...". 8148 * 8149 * The "network-layer" protocol is PPPoE, which has a 6-byte 8150 * PPPoE header, followed by a PPP packet. 8151 * 8152 * There is no HDLC encapsulation for the PPP packet (it's 8153 * encapsulated in PPPoES instead), so the link-layer type 8154 * starts at the first byte of the PPP packet. For PPPoE, 8155 * that offset is relative to the beginning of the total 8156 * link-layer payload, including any 802.2 LLC header, so 8157 * it's 6 bytes past off_nl. 8158 */ 8159 PUSH_LINKHDR(DLT_PPP, off_linkpl.is_variable, 8160 off_linkpl.constant_part + off_nl + 6, /* 6 bytes past the PPPoE header */ 8161 off_linkpl.reg); 8162 8163 off_linktype = off_linkhdr; 8164 off_linkpl.constant_part = off_linkhdr.constant_part + 2; 8165 8166 off_nl = 0; 8167 off_nl_nosnap = 0; /* no 802.2 LLC */ 8168 8169 return b0; 8170 } 8171 8172 /* Check that this is Geneve and the VNI is correct if 8173 * specified. Parameterized to handle both IPv4 and IPv6. */ 8174 static struct block * 8175 gen_geneve_check(struct block *(*gen_portfn)(int, int, int), 8176 enum e_offrel offrel, int vni) 8177 { 8178 struct block *b0, *b1; 8179 8180 b0 = gen_portfn(GENEVE_PORT, IPPROTO_UDP, Q_DST); 8181 8182 /* Check that we are operating on version 0. Otherwise, we 8183 * can't decode the rest of the fields. The version is 2 bits 8184 * in the first byte of the Geneve header. */ 8185 b1 = gen_mcmp(offrel, 8, BPF_B, (bpf_int32)0, 0xc0); 8186 gen_and(b0, b1); 8187 b0 = b1; 8188 8189 if (vni >= 0) { 8190 vni <<= 8; /* VNI is in the upper 3 bytes */ 8191 b1 = gen_mcmp(offrel, 12, BPF_W, (bpf_int32)vni, 8192 0xffffff00); 8193 gen_and(b0, b1); 8194 b0 = b1; 8195 } 8196 8197 return b0; 8198 } 8199 8200 /* The IPv4 and IPv6 Geneve checks need to do two things: 8201 * - Verify that this actually is Geneve with the right VNI. 8202 * - Place the IP header length (plus variable link prefix if 8203 * needed) into register A to be used later to compute 8204 * the inner packet offsets. */ 8205 static struct block * 8206 gen_geneve4(int vni) 8207 { 8208 struct block *b0, *b1; 8209 struct slist *s, *s1; 8210 8211 b0 = gen_geneve_check(gen_port, OR_TRAN_IPV4, vni); 8212 8213 /* Load the IP header length into A. */ 8214 s = gen_loadx_iphdrlen(); 8215 8216 s1 = new_stmt(BPF_MISC|BPF_TXA); 8217 sappend(s, s1); 8218 8219 /* Forcibly append these statements to the true condition 8220 * of the protocol check by creating a new block that is 8221 * always true and ANDing them. */ 8222 b1 = new_block(BPF_JMP|BPF_JEQ|BPF_X); 8223 b1->stmts = s; 8224 b1->s.k = 0; 8225 8226 gen_and(b0, b1); 8227 8228 return b1; 8229 } 8230 8231 static struct block * 8232 gen_geneve6(int vni) 8233 { 8234 struct block *b0, *b1; 8235 struct slist *s, *s1; 8236 8237 b0 = gen_geneve_check(gen_port6, OR_TRAN_IPV6, vni); 8238 8239 /* Load the IP header length. We need to account for a 8240 * variable length link prefix if there is one. */ 8241 s = gen_abs_offset_varpart(&off_linkpl); 8242 if (s) { 8243 s1 = new_stmt(BPF_LD|BPF_IMM); 8244 s1->s.k = 40; 8245 sappend(s, s1); 8246 8247 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 8248 s1->s.k = 0; 8249 sappend(s, s1); 8250 } else { 8251 s = new_stmt(BPF_LD|BPF_IMM); 8252 s->s.k = 40;; 8253 } 8254 8255 /* Forcibly append these statements to the true condition 8256 * of the protocol check by creating a new block that is 8257 * always true and ANDing them. */ 8258 s1 = new_stmt(BPF_MISC|BPF_TAX); 8259 sappend(s, s1); 8260 8261 b1 = new_block(BPF_JMP|BPF_JEQ|BPF_X); 8262 b1->stmts = s; 8263 b1->s.k = 0; 8264 8265 gen_and(b0, b1); 8266 8267 return b1; 8268 } 8269 8270 /* We need to store three values based on the Geneve header:: 8271 * - The offset of the linktype. 8272 * - The offset of the end of the Geneve header. 8273 * - The offset of the end of the encapsulated MAC header. */ 8274 static struct slist * 8275 gen_geneve_offsets(void) 8276 { 8277 struct slist *s, *s1, *s_proto; 8278 8279 /* First we need to calculate the offset of the Geneve header 8280 * itself. This is composed of the IP header previously calculated 8281 * (include any variable link prefix) and stored in A plus the 8282 * fixed sized headers (fixed link prefix, MAC length, and UDP 8283 * header). */ 8284 s = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 8285 s->s.k = off_linkpl.constant_part + off_nl + 8; 8286 8287 /* Stash this in X since we'll need it later. */ 8288 s1 = new_stmt(BPF_MISC|BPF_TAX); 8289 sappend(s, s1); 8290 8291 /* The EtherType in Geneve is 2 bytes in. Calculate this and 8292 * store it. */ 8293 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 8294 s1->s.k = 2; 8295 sappend(s, s1); 8296 8297 off_linktype.reg = alloc_reg(); 8298 off_linktype.is_variable = 1; 8299 off_linktype.constant_part = 0; 8300 8301 s1 = new_stmt(BPF_ST); 8302 s1->s.k = off_linktype.reg; 8303 sappend(s, s1); 8304 8305 /* Load the Geneve option length and mask and shift to get the 8306 * number of bytes. It is stored in the first byte of the Geneve 8307 * header. */ 8308 s1 = new_stmt(BPF_LD|BPF_IND|BPF_B); 8309 s1->s.k = 0; 8310 sappend(s, s1); 8311 8312 s1 = new_stmt(BPF_ALU|BPF_AND|BPF_K); 8313 s1->s.k = 0x3f; 8314 sappend(s, s1); 8315 8316 s1 = new_stmt(BPF_ALU|BPF_MUL|BPF_K); 8317 s1->s.k = 4; 8318 sappend(s, s1); 8319 8320 /* Add in the rest of the Geneve base header. */ 8321 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 8322 s1->s.k = 8; 8323 sappend(s, s1); 8324 8325 /* Add the Geneve header length to its offset and store. */ 8326 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_X); 8327 s1->s.k = 0; 8328 sappend(s, s1); 8329 8330 /* Set the encapsulated type as Ethernet. Even though we may 8331 * not actually have Ethernet inside there are two reasons this 8332 * is useful: 8333 * - The linktype field is always in EtherType format regardless 8334 * of whether it is in Geneve or an inner Ethernet frame. 8335 * - The only link layer that we have specific support for is 8336 * Ethernet. We will confirm that the packet actually is 8337 * Ethernet at runtime before executing these checks. */ 8338 PUSH_LINKHDR(DLT_EN10MB, 1, 0, alloc_reg()); 8339 8340 s1 = new_stmt(BPF_ST); 8341 s1->s.k = off_linkhdr.reg; 8342 sappend(s, s1); 8343 8344 /* Calculate whether we have an Ethernet header or just raw IP/ 8345 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset 8346 * and linktype by 14 bytes so that the network header can be found 8347 * seamlessly. Otherwise, keep what we've calculated already. */ 8348 8349 /* We have a bare jmp so we can't use the optimizer. */ 8350 no_optimize = 1; 8351 8352 /* Load the EtherType in the Geneve header, 2 bytes in. */ 8353 s1 = new_stmt(BPF_LD|BPF_IND|BPF_H); 8354 s1->s.k = 2; 8355 sappend(s, s1); 8356 8357 /* Load X with the end of the Geneve header. */ 8358 s1 = new_stmt(BPF_LDX|BPF_MEM); 8359 s1->s.k = off_linkhdr.reg; 8360 sappend(s, s1); 8361 8362 /* Check if the EtherType is Transparent Ethernet Bridging. At the 8363 * end of this check, we should have the total length in X. In 8364 * the non-Ethernet case, it's already there. */ 8365 s_proto = new_stmt(JMP(BPF_JEQ)); 8366 s_proto->s.k = ETHERTYPE_TEB; 8367 sappend(s, s_proto); 8368 8369 s1 = new_stmt(BPF_MISC|BPF_TXA); 8370 sappend(s, s1); 8371 s_proto->s.jt = s1; 8372 8373 /* Since this is Ethernet, use the EtherType of the payload 8374 * directly as the linktype. Overwrite what we already have. */ 8375 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 8376 s1->s.k = 12; 8377 sappend(s, s1); 8378 8379 s1 = new_stmt(BPF_ST); 8380 s1->s.k = off_linktype.reg; 8381 sappend(s, s1); 8382 8383 /* Advance two bytes further to get the end of the Ethernet 8384 * header. */ 8385 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K); 8386 s1->s.k = 2; 8387 sappend(s, s1); 8388 8389 /* Move the result to X. */ 8390 s1 = new_stmt(BPF_MISC|BPF_TAX); 8391 sappend(s, s1); 8392 8393 /* Store the final result of our linkpl calculation. */ 8394 off_linkpl.reg = alloc_reg(); 8395 off_linkpl.is_variable = 1; 8396 off_linkpl.constant_part = 0; 8397 8398 s1 = new_stmt(BPF_STX); 8399 s1->s.k = off_linkpl.reg; 8400 sappend(s, s1); 8401 s_proto->s.jf = s1; 8402 8403 off_nl = 0; 8404 8405 return s; 8406 } 8407 8408 /* Check to see if this is a Geneve packet. */ 8409 struct block * 8410 gen_geneve(int vni) 8411 { 8412 struct block *b0, *b1; 8413 struct slist *s; 8414 8415 b0 = gen_geneve4(vni); 8416 b1 = gen_geneve6(vni); 8417 8418 gen_or(b0, b1); 8419 b0 = b1; 8420 8421 /* Later filters should act on the payload of the Geneve frame, 8422 * update all of the header pointers. Attach this code so that 8423 * it gets executed in the event that the Geneve filter matches. */ 8424 s = gen_geneve_offsets(); 8425 8426 b1 = gen_true(); 8427 sappend(s, b1->stmts); 8428 b1->stmts = s; 8429 8430 gen_and(b0, b1); 8431 8432 is_geneve = 1; 8433 8434 return b1; 8435 } 8436 8437 /* Check that the encapsulated frame has a link layer header 8438 * for Ethernet filters. */ 8439 static struct block * 8440 gen_geneve_ll_check() 8441 { 8442 struct block *b0; 8443 struct slist *s, *s1; 8444 8445 /* The easiest way to see if there is a link layer present 8446 * is to check if the link layer header and payload are not 8447 * the same. */ 8448 8449 /* Geneve always generates pure variable offsets so we can 8450 * compare only the registers. */ 8451 s = new_stmt(BPF_LD|BPF_MEM); 8452 s->s.k = off_linkhdr.reg; 8453 8454 s1 = new_stmt(BPF_LDX|BPF_MEM); 8455 s1->s.k = off_linkpl.reg; 8456 sappend(s, s1); 8457 8458 b0 = new_block(BPF_JMP|BPF_JEQ|BPF_X); 8459 b0->stmts = s; 8460 b0->s.k = 0; 8461 gen_not(b0); 8462 8463 return b0; 8464 } 8465 8466 struct block * 8467 gen_atmfield_code(atmfield, jvalue, jtype, reverse) 8468 int atmfield; 8469 bpf_int32 jvalue; 8470 bpf_u_int32 jtype; 8471 int reverse; 8472 { 8473 struct block *b0; 8474 8475 switch (atmfield) { 8476 8477 case A_VPI: 8478 if (!is_atm) 8479 bpf_error("'vpi' supported only on raw ATM"); 8480 if (off_vpi == (u_int)-1) 8481 abort(); 8482 b0 = gen_ncmp(OR_LINKHDR, off_vpi, BPF_B, 0xffffffff, jtype, 8483 reverse, jvalue); 8484 break; 8485 8486 case A_VCI: 8487 if (!is_atm) 8488 bpf_error("'vci' supported only on raw ATM"); 8489 if (off_vci == (u_int)-1) 8490 abort(); 8491 b0 = gen_ncmp(OR_LINKHDR, off_vci, BPF_H, 0xffffffff, jtype, 8492 reverse, jvalue); 8493 break; 8494 8495 case A_PROTOTYPE: 8496 if (off_proto == (u_int)-1) 8497 abort(); /* XXX - this isn't on FreeBSD */ 8498 b0 = gen_ncmp(OR_LINKHDR, off_proto, BPF_B, 0x0f, jtype, 8499 reverse, jvalue); 8500 break; 8501 8502 case A_MSGTYPE: 8503 if (off_payload == (u_int)-1) 8504 abort(); 8505 b0 = gen_ncmp(OR_LINKHDR, off_payload + MSG_TYPE_POS, BPF_B, 8506 0xffffffff, jtype, reverse, jvalue); 8507 break; 8508 8509 case A_CALLREFTYPE: 8510 if (!is_atm) 8511 bpf_error("'callref' supported only on raw ATM"); 8512 if (off_proto == (u_int)-1) 8513 abort(); 8514 b0 = gen_ncmp(OR_LINKHDR, off_proto, BPF_B, 0xffffffff, 8515 jtype, reverse, jvalue); 8516 break; 8517 8518 default: 8519 abort(); 8520 } 8521 return b0; 8522 } 8523 8524 struct block * 8525 gen_atmtype_abbrev(type) 8526 int type; 8527 { 8528 struct block *b0, *b1; 8529 8530 switch (type) { 8531 8532 case A_METAC: 8533 /* Get all packets in Meta signalling Circuit */ 8534 if (!is_atm) 8535 bpf_error("'metac' supported only on raw ATM"); 8536 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8537 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0); 8538 gen_and(b0, b1); 8539 break; 8540 8541 case A_BCC: 8542 /* Get all packets in Broadcast Circuit*/ 8543 if (!is_atm) 8544 bpf_error("'bcc' supported only on raw ATM"); 8545 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8546 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0); 8547 gen_and(b0, b1); 8548 break; 8549 8550 case A_OAMF4SC: 8551 /* Get all cells in Segment OAM F4 circuit*/ 8552 if (!is_atm) 8553 bpf_error("'oam4sc' supported only on raw ATM"); 8554 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8555 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8556 gen_and(b0, b1); 8557 break; 8558 8559 case A_OAMF4EC: 8560 /* Get all cells in End-to-End OAM F4 Circuit*/ 8561 if (!is_atm) 8562 bpf_error("'oam4ec' supported only on raw ATM"); 8563 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8564 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8565 gen_and(b0, b1); 8566 break; 8567 8568 case A_SC: 8569 /* Get all packets in connection Signalling Circuit */ 8570 if (!is_atm) 8571 bpf_error("'sc' supported only on raw ATM"); 8572 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8573 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0); 8574 gen_and(b0, b1); 8575 break; 8576 8577 case A_ILMIC: 8578 /* Get all packets in ILMI Circuit */ 8579 if (!is_atm) 8580 bpf_error("'ilmic' supported only on raw ATM"); 8581 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8582 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0); 8583 gen_and(b0, b1); 8584 break; 8585 8586 case A_LANE: 8587 /* Get all LANE packets */ 8588 if (!is_atm) 8589 bpf_error("'lane' supported only on raw ATM"); 8590 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0); 8591 8592 /* 8593 * Arrange that all subsequent tests assume LANE 8594 * rather than LLC-encapsulated packets, and set 8595 * the offsets appropriately for LANE-encapsulated 8596 * Ethernet. 8597 * 8598 * We assume LANE means Ethernet, not Token Ring. 8599 */ 8600 PUSH_LINKHDR(DLT_EN10MB, 0, 8601 off_payload + 2, /* Ethernet header */ 8602 -1); 8603 off_linktype.constant_part = off_linkhdr.constant_part + 12; 8604 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* Ethernet */ 8605 off_nl = 0; /* Ethernet II */ 8606 off_nl_nosnap = 3; /* 802.3+802.2 */ 8607 break; 8608 8609 case A_LLC: 8610 /* Get all LLC-encapsulated packets */ 8611 if (!is_atm) 8612 bpf_error("'llc' supported only on raw ATM"); 8613 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0); 8614 linktype = prevlinktype; 8615 break; 8616 8617 default: 8618 abort(); 8619 } 8620 return b1; 8621 } 8622 8623 /* 8624 * Filtering for MTP2 messages based on li value 8625 * FISU, length is null 8626 * LSSU, length is 1 or 2 8627 * MSU, length is 3 or more 8628 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits 8629 */ 8630 struct block * 8631 gen_mtp2type_abbrev(type) 8632 int type; 8633 { 8634 struct block *b0, *b1; 8635 8636 switch (type) { 8637 8638 case M_FISU: 8639 if ( (linktype != DLT_MTP2) && 8640 (linktype != DLT_ERF) && 8641 (linktype != DLT_MTP2_WITH_PHDR) ) 8642 bpf_error("'fisu' supported only on MTP2"); 8643 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8644 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0); 8645 break; 8646 8647 case M_LSSU: 8648 if ( (linktype != DLT_MTP2) && 8649 (linktype != DLT_ERF) && 8650 (linktype != DLT_MTP2_WITH_PHDR) ) 8651 bpf_error("'lssu' supported only on MTP2"); 8652 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2); 8653 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0); 8654 gen_and(b1, b0); 8655 break; 8656 8657 case M_MSU: 8658 if ( (linktype != DLT_MTP2) && 8659 (linktype != DLT_ERF) && 8660 (linktype != DLT_MTP2_WITH_PHDR) ) 8661 bpf_error("'msu' supported only on MTP2"); 8662 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2); 8663 break; 8664 8665 case MH_FISU: 8666 if ( (linktype != DLT_MTP2) && 8667 (linktype != DLT_ERF) && 8668 (linktype != DLT_MTP2_WITH_PHDR) ) 8669 bpf_error("'hfisu' supported only on MTP2_HSL"); 8670 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */ 8671 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0); 8672 break; 8673 8674 case MH_LSSU: 8675 if ( (linktype != DLT_MTP2) && 8676 (linktype != DLT_ERF) && 8677 (linktype != DLT_MTP2_WITH_PHDR) ) 8678 bpf_error("'hlssu' supported only on MTP2_HSL"); 8679 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100); 8680 b1 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0); 8681 gen_and(b1, b0); 8682 break; 8683 8684 case MH_MSU: 8685 if ( (linktype != DLT_MTP2) && 8686 (linktype != DLT_ERF) && 8687 (linktype != DLT_MTP2_WITH_PHDR) ) 8688 bpf_error("'hmsu' supported only on MTP2_HSL"); 8689 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100); 8690 break; 8691 8692 default: 8693 abort(); 8694 } 8695 return b0; 8696 } 8697 8698 struct block * 8699 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse) 8700 int mtp3field; 8701 bpf_u_int32 jvalue; 8702 bpf_u_int32 jtype; 8703 int reverse; 8704 { 8705 struct block *b0; 8706 bpf_u_int32 val1 , val2 , val3; 8707 u_int newoff_sio=off_sio; 8708 u_int newoff_opc=off_opc; 8709 u_int newoff_dpc=off_dpc; 8710 u_int newoff_sls=off_sls; 8711 8712 switch (mtp3field) { 8713 8714 case MH_SIO: 8715 newoff_sio += 3; /* offset for MTP2_HSL */ 8716 /* FALLTHROUGH */ 8717 8718 case M_SIO: 8719 if (off_sio == (u_int)-1) 8720 bpf_error("'sio' supported only on SS7"); 8721 /* sio coded on 1 byte so max value 255 */ 8722 if(jvalue > 255) 8723 bpf_error("sio value %u too big; max value = 255", 8724 jvalue); 8725 b0 = gen_ncmp(OR_PACKET, newoff_sio, BPF_B, 0xffffffff, 8726 (u_int)jtype, reverse, (u_int)jvalue); 8727 break; 8728 8729 case MH_OPC: 8730 newoff_opc+=3; 8731 case M_OPC: 8732 if (off_opc == (u_int)-1) 8733 bpf_error("'opc' supported only on SS7"); 8734 /* opc coded on 14 bits so max value 16383 */ 8735 if (jvalue > 16383) 8736 bpf_error("opc value %u too big; max value = 16383", 8737 jvalue); 8738 /* the following instructions are made to convert jvalue 8739 * to the form used to write opc in an ss7 message*/ 8740 val1 = jvalue & 0x00003c00; 8741 val1 = val1 >>10; 8742 val2 = jvalue & 0x000003fc; 8743 val2 = val2 <<6; 8744 val3 = jvalue & 0x00000003; 8745 val3 = val3 <<22; 8746 jvalue = val1 + val2 + val3; 8747 b0 = gen_ncmp(OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f, 8748 (u_int)jtype, reverse, (u_int)jvalue); 8749 break; 8750 8751 case MH_DPC: 8752 newoff_dpc += 3; 8753 /* FALLTHROUGH */ 8754 8755 case M_DPC: 8756 if (off_dpc == (u_int)-1) 8757 bpf_error("'dpc' supported only on SS7"); 8758 /* dpc coded on 14 bits so max value 16383 */ 8759 if (jvalue > 16383) 8760 bpf_error("dpc value %u too big; max value = 16383", 8761 jvalue); 8762 /* the following instructions are made to convert jvalue 8763 * to the forme used to write dpc in an ss7 message*/ 8764 val1 = jvalue & 0x000000ff; 8765 val1 = val1 << 24; 8766 val2 = jvalue & 0x00003f00; 8767 val2 = val2 << 8; 8768 jvalue = val1 + val2; 8769 b0 = gen_ncmp(OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000, 8770 (u_int)jtype, reverse, (u_int)jvalue); 8771 break; 8772 8773 case MH_SLS: 8774 newoff_sls+=3; 8775 case M_SLS: 8776 if (off_sls == (u_int)-1) 8777 bpf_error("'sls' supported only on SS7"); 8778 /* sls coded on 4 bits so max value 15 */ 8779 if (jvalue > 15) 8780 bpf_error("sls value %u too big; max value = 15", 8781 jvalue); 8782 /* the following instruction is made to convert jvalue 8783 * to the forme used to write sls in an ss7 message*/ 8784 jvalue = jvalue << 4; 8785 b0 = gen_ncmp(OR_PACKET, newoff_sls, BPF_B, 0xf0, 8786 (u_int)jtype,reverse, (u_int)jvalue); 8787 break; 8788 8789 default: 8790 abort(); 8791 } 8792 return b0; 8793 } 8794 8795 static struct block * 8796 gen_msg_abbrev(type) 8797 int type; 8798 { 8799 struct block *b1; 8800 8801 /* 8802 * Q.2931 signalling protocol messages for handling virtual circuits 8803 * establishment and teardown 8804 */ 8805 switch (type) { 8806 8807 case A_SETUP: 8808 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0); 8809 break; 8810 8811 case A_CALLPROCEED: 8812 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0); 8813 break; 8814 8815 case A_CONNECT: 8816 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0); 8817 break; 8818 8819 case A_CONNECTACK: 8820 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0); 8821 break; 8822 8823 case A_RELEASE: 8824 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0); 8825 break; 8826 8827 case A_RELEASE_DONE: 8828 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0); 8829 break; 8830 8831 default: 8832 abort(); 8833 } 8834 return b1; 8835 } 8836 8837 struct block * 8838 gen_atmmulti_abbrev(type) 8839 int type; 8840 { 8841 struct block *b0, *b1; 8842 8843 switch (type) { 8844 8845 case A_OAM: 8846 if (!is_atm) 8847 bpf_error("'oam' supported only on raw ATM"); 8848 b1 = gen_atmmulti_abbrev(A_OAMF4); 8849 break; 8850 8851 case A_OAMF4: 8852 if (!is_atm) 8853 bpf_error("'oamf4' supported only on raw ATM"); 8854 /* OAM F4 type */ 8855 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0); 8856 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0); 8857 gen_or(b0, b1); 8858 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0); 8859 gen_and(b0, b1); 8860 break; 8861 8862 case A_CONNECTMSG: 8863 /* 8864 * Get Q.2931 signalling messages for switched 8865 * virtual connection 8866 */ 8867 if (!is_atm) 8868 bpf_error("'connectmsg' supported only on raw ATM"); 8869 b0 = gen_msg_abbrev(A_SETUP); 8870 b1 = gen_msg_abbrev(A_CALLPROCEED); 8871 gen_or(b0, b1); 8872 b0 = gen_msg_abbrev(A_CONNECT); 8873 gen_or(b0, b1); 8874 b0 = gen_msg_abbrev(A_CONNECTACK); 8875 gen_or(b0, b1); 8876 b0 = gen_msg_abbrev(A_RELEASE); 8877 gen_or(b0, b1); 8878 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8879 gen_or(b0, b1); 8880 b0 = gen_atmtype_abbrev(A_SC); 8881 gen_and(b0, b1); 8882 break; 8883 8884 case A_METACONNECT: 8885 if (!is_atm) 8886 bpf_error("'metaconnect' supported only on raw ATM"); 8887 b0 = gen_msg_abbrev(A_SETUP); 8888 b1 = gen_msg_abbrev(A_CALLPROCEED); 8889 gen_or(b0, b1); 8890 b0 = gen_msg_abbrev(A_CONNECT); 8891 gen_or(b0, b1); 8892 b0 = gen_msg_abbrev(A_RELEASE); 8893 gen_or(b0, b1); 8894 b0 = gen_msg_abbrev(A_RELEASE_DONE); 8895 gen_or(b0, b1); 8896 b0 = gen_atmtype_abbrev(A_METAC); 8897 gen_and(b0, b1); 8898 break; 8899 8900 default: 8901 abort(); 8902 } 8903 return b1; 8904 } 8905