]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
From Nicolas Dade <[email protected]>: the VLAN tag is in the lower
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22 #ifndef lint
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.209 2004-08-27 07:37:10 guy Exp $ (LBL)";
25 #endif
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #ifdef WIN32
32 #include <pcap-stdinc.h>
33 #else /* WIN32 */
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #include <sys/time.h>
37 #endif /* WIN32 */
38
39 /*
40 * XXX - why was this included even on UNIX?
41 */
42 #ifdef __MINGW32__
43 #include "IP6_misc.h"
44 #endif
45
46 #ifndef WIN32
47
48 #ifdef __NetBSD__
49 #include <sys/param.h>
50 #endif
51
52 #include <netinet/in.h>
53
54 #endif /* WIN32 */
55
56 #include <stdlib.h>
57 #include <string.h>
58 #include <memory.h>
59 #include <setjmp.h>
60 #include <stdarg.h>
61
62 #include "pcap-int.h"
63
64 #include "ethertype.h"
65 #include "nlpid.h"
66 #include "llc.h"
67 #include "gencode.h"
68 #include "atmuni31.h"
69 #include "sunatmpos.h"
70 #include "ppp.h"
71 #include "sll.h"
72 #include "arcnet.h"
73 #include "pf.h"
74 #ifndef offsetof
75 #define offsetof(s, e) ((size_t)&((s *)0)->e)
76 #endif
77 #ifdef INET6
78 #ifndef WIN32
79 #include <netdb.h> /* for "struct addrinfo" */
80 #endif /* WIN32 */
81 #endif /*INET6*/
82 #include <pcap-namedb.h>
83
84 #define ETHERMTU 1500
85
86 #ifndef IPPROTO_SCTP
87 #define IPPROTO_SCTP 132
88 #endif
89
90 #ifdef HAVE_OS_PROTO_H
91 #include "os-proto.h"
92 #endif
93
94 #define JMP(c) ((c)|BPF_JMP|BPF_K)
95
96 /* Locals */
97 static jmp_buf top_ctx;
98 static pcap_t *bpf_pcap;
99
100 /* Hack for updating VLAN, MPLS offsets. */
101 static u_int orig_linktype = -1U, orig_nl = -1U, orig_nl_nosnap = -1U;
102
103 /* XXX */
104 #ifdef PCAP_FDDIPAD
105 int pcap_fddipad = PCAP_FDDIPAD;
106 #else
107 int pcap_fddipad;
108 #endif
109
110 /* VARARGS */
111 void
112 bpf_error(const char *fmt, ...)
113
114 {
115 va_list ap;
116
117 va_start(ap, fmt);
118 if (bpf_pcap != NULL)
119 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
120 fmt, ap);
121 va_end(ap);
122 longjmp(top_ctx, 1);
123 /* NOTREACHED */
124 }
125
126 static void init_linktype(int);
127
128 static int alloc_reg(void);
129 static void free_reg(int);
130
131 static struct block *root;
132
133 /*
134 * We divy out chunks of memory rather than call malloc each time so
135 * we don't have to worry about leaking memory. It's probably
136 * not a big deal if all this memory was wasted but it this ever
137 * goes into a library that would probably not be a good idea.
138 */
139 #define NCHUNKS 16
140 #define CHUNK0SIZE 1024
141 struct chunk {
142 u_int n_left;
143 void *m;
144 };
145
146 static struct chunk chunks[NCHUNKS];
147 static int cur_chunk;
148
149 static void *newchunk(u_int);
150 static void freechunks(void);
151 static inline struct block *new_block(int);
152 static inline struct slist *new_stmt(int);
153 static struct block *gen_retblk(int);
154 static inline void syntax(void);
155
156 static void backpatch(struct block *, struct block *);
157 static void merge(struct block *, struct block *);
158 static struct block *gen_cmp(u_int, u_int, bpf_int32);
159 static struct block *gen_cmp_gt(u_int, u_int, bpf_int32);
160 static struct block *gen_mcmp(u_int, u_int, bpf_int32, bpf_u_int32);
161 static struct block *gen_bcmp(u_int, u_int, const u_char *);
162 static struct block *gen_ncmp(bpf_u_int32, bpf_u_int32, bpf_u_int32,
163 bpf_u_int32, bpf_u_int32, int);
164 static struct block *gen_uncond(int);
165 static inline struct block *gen_true(void);
166 static inline struct block *gen_false(void);
167 static struct block *gen_ether_linktype(int);
168 static struct block *gen_linktype(int);
169 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
170 static struct block *gen_llc(int);
171 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
172 #ifdef INET6
173 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
174 #endif
175 static struct block *gen_ahostop(const u_char *, int);
176 static struct block *gen_ehostop(const u_char *, int);
177 static struct block *gen_fhostop(const u_char *, int);
178 static struct block *gen_thostop(const u_char *, int);
179 static struct block *gen_wlanhostop(const u_char *, int);
180 static struct block *gen_ipfchostop(const u_char *, int);
181 static struct block *gen_dnhostop(bpf_u_int32, int, u_int);
182 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
183 #ifdef INET6
184 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
185 #endif
186 #ifndef INET6
187 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
188 #endif
189 static struct block *gen_ipfrag(void);
190 static struct block *gen_portatom(int, bpf_int32);
191 #ifdef INET6
192 static struct block *gen_portatom6(int, bpf_int32);
193 #endif
194 struct block *gen_portop(int, int, int);
195 static struct block *gen_port(int, int, int);
196 #ifdef INET6
197 struct block *gen_portop6(int, int, int);
198 static struct block *gen_port6(int, int, int);
199 #endif
200 static int lookup_proto(const char *, int);
201 static struct block *gen_protochain(int, int, int);
202 static struct block *gen_proto(int, int, int);
203 static struct slist *xfer_to_x(struct arth *);
204 static struct slist *xfer_to_a(struct arth *);
205 static struct block *gen_mac_multicast(int);
206 static struct block *gen_len(int, int);
207
208 static struct block *gen_msg_abbrev(int type);
209
210 static void *
211 newchunk(n)
212 u_int n;
213 {
214 struct chunk *cp;
215 int k;
216 size_t size;
217
218 #ifndef __NetBSD__
219 /* XXX Round up to nearest long. */
220 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
221 #else
222 /* XXX Round up to structure boundary. */
223 n = ALIGN(n);
224 #endif
225
226 cp = &chunks[cur_chunk];
227 if (n > cp->n_left) {
228 ++cp, k = ++cur_chunk;
229 if (k >= NCHUNKS)
230 bpf_error("out of memory");
231 size = CHUNK0SIZE << k;
232 cp->m = (void *)malloc(size);
233 if (cp->m == NULL)
234 bpf_error("out of memory");
235 memset((char *)cp->m, 0, size);
236 cp->n_left = size;
237 if (n > size)
238 bpf_error("out of memory");
239 }
240 cp->n_left -= n;
241 return (void *)((char *)cp->m + cp->n_left);
242 }
243
244 static void
245 freechunks()
246 {
247 int i;
248
249 cur_chunk = 0;
250 for (i = 0; i < NCHUNKS; ++i)
251 if (chunks[i].m != NULL) {
252 free(chunks[i].m);
253 chunks[i].m = NULL;
254 }
255 }
256
257 /*
258 * A strdup whose allocations are freed after code generation is over.
259 */
260 char *
261 sdup(s)
262 register const char *s;
263 {
264 int n = strlen(s) + 1;
265 char *cp = newchunk(n);
266
267 strlcpy(cp, s, n);
268 return (cp);
269 }
270
271 static inline struct block *
272 new_block(code)
273 int code;
274 {
275 struct block *p;
276
277 p = (struct block *)newchunk(sizeof(*p));
278 p->s.code = code;
279 p->head = p;
280
281 return p;
282 }
283
284 static inline struct slist *
285 new_stmt(code)
286 int code;
287 {
288 struct slist *p;
289
290 p = (struct slist *)newchunk(sizeof(*p));
291 p->s.code = code;
292
293 return p;
294 }
295
296 static struct block *
297 gen_retblk(v)
298 int v;
299 {
300 struct block *b = new_block(BPF_RET|BPF_K);
301
302 b->s.k = v;
303 return b;
304 }
305
306 static inline void
307 syntax()
308 {
309 bpf_error("syntax error in filter expression");
310 }
311
312 static bpf_u_int32 netmask;
313 static int snaplen;
314 int no_optimize;
315
316 int
317 pcap_compile(pcap_t *p, struct bpf_program *program,
318 char *buf, int optimize, bpf_u_int32 mask)
319 {
320 extern int n_errors;
321 int len;
322
323 no_optimize = 0;
324 n_errors = 0;
325 root = NULL;
326 bpf_pcap = p;
327 if (setjmp(top_ctx)) {
328 lex_cleanup();
329 freechunks();
330 return (-1);
331 }
332
333 netmask = mask;
334
335 snaplen = pcap_snapshot(p);
336 if (snaplen == 0) {
337 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
338 "snaplen of 0 rejects all packets");
339 return -1;
340 }
341
342 lex_init(buf ? buf : "");
343 init_linktype(pcap_datalink(p));
344 (void)pcap_parse();
345
346 if (n_errors)
347 syntax();
348
349 if (root == NULL)
350 root = gen_retblk(snaplen);
351
352 if (optimize && !no_optimize) {
353 bpf_optimize(&root);
354 if (root == NULL ||
355 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
356 bpf_error("expression rejects all packets");
357 }
358 program->bf_insns = icode_to_fcode(root, &len);
359 program->bf_len = len;
360
361 lex_cleanup();
362 freechunks();
363 return (0);
364 }
365
366 /*
367 * entry point for using the compiler with no pcap open
368 * pass in all the stuff that is needed explicitly instead.
369 */
370 int
371 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
372 struct bpf_program *program,
373 char *buf, int optimize, bpf_u_int32 mask)
374 {
375 pcap_t *p;
376 int ret;
377
378 p = pcap_open_dead(linktype_arg, snaplen_arg);
379 if (p == NULL)
380 return (-1);
381 ret = pcap_compile(p, program, buf, optimize, mask);
382 pcap_close(p);
383 return (ret);
384 }
385
386 /*
387 * Clean up a "struct bpf_program" by freeing all the memory allocated
388 * in it.
389 */
390 void
391 pcap_freecode(struct bpf_program *program)
392 {
393 program->bf_len = 0;
394 if (program->bf_insns != NULL) {
395 free((char *)program->bf_insns);
396 program->bf_insns = NULL;
397 }
398 }
399
400 /*
401 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
402 * which of the jt and jf fields has been resolved and which is a pointer
403 * back to another unresolved block (or nil). At least one of the fields
404 * in each block is already resolved.
405 */
406 static void
407 backpatch(list, target)
408 struct block *list, *target;
409 {
410 struct block *next;
411
412 while (list) {
413 if (!list->sense) {
414 next = JT(list);
415 JT(list) = target;
416 } else {
417 next = JF(list);
418 JF(list) = target;
419 }
420 list = next;
421 }
422 }
423
424 /*
425 * Merge the lists in b0 and b1, using the 'sense' field to indicate
426 * which of jt and jf is the link.
427 */
428 static void
429 merge(b0, b1)
430 struct block *b0, *b1;
431 {
432 register struct block **p = &b0;
433
434 /* Find end of list. */
435 while (*p)
436 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
437
438 /* Concatenate the lists. */
439 *p = b1;
440 }
441
442 void
443 finish_parse(p)
444 struct block *p;
445 {
446 backpatch(p, gen_retblk(snaplen));
447 p->sense = !p->sense;
448 backpatch(p, gen_retblk(0));
449 root = p->head;
450 }
451
452 void
453 gen_and(b0, b1)
454 struct block *b0, *b1;
455 {
456 backpatch(b0, b1->head);
457 b0->sense = !b0->sense;
458 b1->sense = !b1->sense;
459 merge(b1, b0);
460 b1->sense = !b1->sense;
461 b1->head = b0->head;
462 }
463
464 void
465 gen_or(b0, b1)
466 struct block *b0, *b1;
467 {
468 b0->sense = !b0->sense;
469 backpatch(b0, b1->head);
470 b0->sense = !b0->sense;
471 merge(b1, b0);
472 b1->head = b0->head;
473 }
474
475 void
476 gen_not(b)
477 struct block *b;
478 {
479 b->sense = !b->sense;
480 }
481
482 static struct block *
483 gen_cmp(offset, size, v)
484 u_int offset, size;
485 bpf_int32 v;
486 {
487 struct slist *s;
488 struct block *b;
489
490 s = new_stmt(BPF_LD|BPF_ABS|size);
491 s->s.k = offset;
492
493 b = new_block(JMP(BPF_JEQ));
494 b->stmts = s;
495 b->s.k = v;
496
497 return b;
498 }
499
500 static struct block *
501 gen_cmp_gt(offset, size, v)
502 u_int offset, size;
503 bpf_int32 v;
504 {
505 struct slist *s;
506 struct block *b;
507
508 s = new_stmt(BPF_LD|BPF_ABS|size);
509 s->s.k = offset;
510
511 b = new_block(JMP(BPF_JGT));
512 b->stmts = s;
513 b->s.k = v;
514
515 return b;
516 }
517
518 static struct block *
519 gen_mcmp(offset, size, v, mask)
520 u_int offset, size;
521 bpf_int32 v;
522 bpf_u_int32 mask;
523 {
524 struct block *b = gen_cmp(offset, size, v);
525 struct slist *s;
526
527 if (mask != 0xffffffff) {
528 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
529 s->s.k = mask;
530 b->stmts->next = s;
531 }
532 return b;
533 }
534
535 static struct block *
536 gen_bcmp(offset, size, v)
537 register u_int offset, size;
538 register const u_char *v;
539 {
540 register struct block *b, *tmp;
541
542 b = NULL;
543 while (size >= 4) {
544 register const u_char *p = &v[size - 4];
545 bpf_int32 w = ((bpf_int32)p[0] << 24) |
546 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
547
548 tmp = gen_cmp(offset + size - 4, BPF_W, w);
549 if (b != NULL)
550 gen_and(b, tmp);
551 b = tmp;
552 size -= 4;
553 }
554 while (size >= 2) {
555 register const u_char *p = &v[size - 2];
556 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
557
558 tmp = gen_cmp(offset + size - 2, BPF_H, w);
559 if (b != NULL)
560 gen_and(b, tmp);
561 b = tmp;
562 size -= 2;
563 }
564 if (size > 0) {
565 tmp = gen_cmp(offset, BPF_B, (bpf_int32)v[0]);
566 if (b != NULL)
567 gen_and(b, tmp);
568 b = tmp;
569 }
570 return b;
571 }
572
573 static struct block *
574 gen_ncmp(datasize, offset, mask, jtype, jvalue, reverse)
575 bpf_u_int32 datasize, offset, mask, jtype, jvalue;
576 int reverse;
577 {
578 struct slist *s;
579 struct block *b;
580
581 s = new_stmt(BPF_LD|datasize|BPF_ABS);
582 s->s.k = offset;
583
584 if (mask != 0xffffffff) {
585 s->next = new_stmt(BPF_ALU|BPF_AND|BPF_K);
586 s->next->s.k = mask;
587 }
588
589 b = new_block(JMP(jtype));
590 b->stmts = s;
591 b->s.k = jvalue;
592 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
593 gen_not(b);
594 return b;
595 }
596
597 /*
598 * Various code constructs need to know the layout of the data link
599 * layer. These variables give the necessary offsets.
600 */
601
602 /*
603 * This is the offset of the beginning of the MAC-layer header.
604 * It's usually 0, except for ATM LANE.
605 */
606 static u_int off_mac;
607
608 /*
609 * "off_linktype" is the offset to information in the link-layer header
610 * giving the packet type.
611 *
612 * For Ethernet, it's the offset of the Ethernet type field.
613 *
614 * For link-layer types that always use 802.2 headers, it's the
615 * offset of the LLC header.
616 *
617 * For PPP, it's the offset of the PPP type field.
618 *
619 * For Cisco HDLC, it's the offset of the CHDLC type field.
620 *
621 * For BSD loopback, it's the offset of the AF_ value.
622 *
623 * For Linux cooked sockets, it's the offset of the type field.
624 *
625 * It's set to -1 for no encapsulation, in which case, IP is assumed.
626 */
627 static u_int off_linktype;
628
629 /*
630 * TRUE if the link layer includes an ATM pseudo-header.
631 */
632 static int is_atm = 0;
633
634 /*
635 * TRUE if "lane" appeared in the filter; it causes us to generate
636 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
637 */
638 static int is_lane = 0;
639
640 /*
641 * These are offsets for the ATM pseudo-header.
642 */
643 static u_int off_vpi;
644 static u_int off_vci;
645 static u_int off_proto;
646
647 /*
648 * This is the offset of the first byte after the ATM pseudo_header,
649 * or -1 if there is no ATM pseudo-header.
650 */
651 static u_int off_payload;
652
653 /*
654 * These are offsets to the beginning of the network-layer header.
655 *
656 * If the link layer never uses 802.2 LLC:
657 *
658 * "off_nl" and "off_nl_nosnap" are the same.
659 *
660 * If the link layer always uses 802.2 LLC:
661 *
662 * "off_nl" is the offset if there's a SNAP header following
663 * the 802.2 header;
664 *
665 * "off_nl_nosnap" is the offset if there's no SNAP header.
666 *
667 * If the link layer is Ethernet:
668 *
669 * "off_nl" is the offset if the packet is an Ethernet II packet
670 * (we assume no 802.3+802.2+SNAP);
671 *
672 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
673 * with an 802.2 header following it.
674 */
675 static u_int off_nl;
676 static u_int off_nl_nosnap;
677
678 static int linktype;
679
680 static void
681 init_linktype(type)
682 int type;
683 {
684 linktype = type;
685
686 /*
687 * Assume it's not raw ATM with a pseudo-header, for now.
688 */
689 off_mac = 0;
690 is_atm = 0;
691 is_lane = 0;
692 off_vpi = -1;
693 off_vci = -1;
694 off_proto = -1;
695 off_payload = -1;
696
697 orig_linktype = -1;
698 orig_nl = -1;
699 orig_nl_nosnap = -1;
700
701 switch (type) {
702
703 case DLT_ARCNET:
704 off_linktype = 2;
705 off_nl = 6; /* XXX in reality, variable! */
706 off_nl_nosnap = 6; /* no 802.2 LLC */
707 return;
708
709 case DLT_ARCNET_LINUX:
710 off_linktype = 4;
711 off_nl = 8; /* XXX in reality, variable! */
712 off_nl_nosnap = 8; /* no 802.2 LLC */
713 return;
714
715 case DLT_EN10MB:
716 off_linktype = 12;
717 off_nl = 14; /* Ethernet II */
718 off_nl_nosnap = 17; /* 802.3+802.2 */
719 return;
720
721 case DLT_SLIP:
722 /*
723 * SLIP doesn't have a link level type. The 16 byte
724 * header is hacked into our SLIP driver.
725 */
726 off_linktype = -1;
727 off_nl = 16;
728 off_nl_nosnap = 16; /* no 802.2 LLC */
729 return;
730
731 case DLT_SLIP_BSDOS:
732 /* XXX this may be the same as the DLT_PPP_BSDOS case */
733 off_linktype = -1;
734 /* XXX end */
735 off_nl = 24;
736 off_nl_nosnap = 24; /* no 802.2 LLC */
737 return;
738
739 case DLT_NULL:
740 case DLT_LOOP:
741 off_linktype = 0;
742 off_nl = 4;
743 off_nl_nosnap = 4; /* no 802.2 LLC */
744 return;
745
746 case DLT_ENC:
747 off_linktype = 0;
748 off_nl = 12;
749 off_nl_nosnap = 12; /* no 802.2 LLC */
750 return;
751
752 case DLT_PPP:
753 case DLT_PPP_WITHDIRECTION:
754 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
755 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
756 off_linktype = 2;
757 off_nl = 4;
758 off_nl_nosnap = 4; /* no 802.2 LLC */
759 return;
760
761 case DLT_PPP_ETHER:
762 /*
763 * This does no include the Ethernet header, and
764 * only covers session state.
765 */
766 off_linktype = 6;
767 off_nl = 8;
768 off_nl_nosnap = 8; /* no 802.2 LLC */
769 return;
770
771 case DLT_PPP_BSDOS:
772 off_linktype = 5;
773 off_nl = 24;
774 off_nl_nosnap = 24; /* no 802.2 LLC */
775 return;
776
777 case DLT_FDDI:
778 /*
779 * FDDI doesn't really have a link-level type field.
780 * We set "off_linktype" to the offset of the LLC header.
781 *
782 * To check for Ethernet types, we assume that SSAP = SNAP
783 * is being used and pick out the encapsulated Ethernet type.
784 * XXX - should we generate code to check for SNAP?
785 */
786 off_linktype = 13;
787 #ifdef PCAP_FDDIPAD
788 off_linktype += pcap_fddipad;
789 #endif
790 off_nl = 21; /* FDDI+802.2+SNAP */
791 off_nl_nosnap = 16; /* FDDI+802.2 */
792 #ifdef PCAP_FDDIPAD
793 off_nl += pcap_fddipad;
794 off_nl_nosnap += pcap_fddipad;
795 #endif
796 return;
797
798 case DLT_IEEE802:
799 /*
800 * Token Ring doesn't really have a link-level type field.
801 * We set "off_linktype" to the offset of the LLC header.
802 *
803 * To check for Ethernet types, we assume that SSAP = SNAP
804 * is being used and pick out the encapsulated Ethernet type.
805 * XXX - should we generate code to check for SNAP?
806 *
807 * XXX - the header is actually variable-length.
808 * Some various Linux patched versions gave 38
809 * as "off_linktype" and 40 as "off_nl"; however,
810 * if a token ring packet has *no* routing
811 * information, i.e. is not source-routed, the correct
812 * values are 20 and 22, as they are in the vanilla code.
813 *
814 * A packet is source-routed iff the uppermost bit
815 * of the first byte of the source address, at an
816 * offset of 8, has the uppermost bit set. If the
817 * packet is source-routed, the total number of bytes
818 * of routing information is 2 plus bits 0x1F00 of
819 * the 16-bit value at an offset of 14 (shifted right
820 * 8 - figure out which byte that is).
821 */
822 off_linktype = 14;
823 off_nl = 22; /* Token Ring+802.2+SNAP */
824 off_nl_nosnap = 17; /* Token Ring+802.2 */
825 return;
826
827 case DLT_IEEE802_11:
828 /*
829 * 802.11 doesn't really have a link-level type field.
830 * We set "off_linktype" to the offset of the LLC header.
831 *
832 * To check for Ethernet types, we assume that SSAP = SNAP
833 * is being used and pick out the encapsulated Ethernet type.
834 * XXX - should we generate code to check for SNAP?
835 *
836 * XXX - the header is actually variable-length. We
837 * assume a 24-byte link-layer header, as appears in
838 * data frames in networks with no bridges. If the
839 * fromds and tods 802.11 header bits are both set,
840 * it's actually supposed to be 30 bytes.
841 */
842 off_linktype = 24;
843 off_nl = 32; /* 802.11+802.2+SNAP */
844 off_nl_nosnap = 27; /* 802.11+802.2 */
845 return;
846
847 case DLT_PRISM_HEADER:
848 /*
849 * Same as 802.11, but with an additional header before
850 * the 802.11 header, containing a bunch of additional
851 * information including radio-level information.
852 *
853 * The header is 144 bytes long.
854 *
855 * XXX - same variable-length header problem; at least
856 * the Prism header is fixed-length.
857 */
858 off_linktype = 144+24;
859 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */
860 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
861 return;
862
863 case DLT_IEEE802_11_RADIO_AVS:
864 /*
865 * Same as 802.11, but with an additional header before
866 * the 802.11 header, containing a bunch of additional
867 * information including radio-level information.
868 *
869 * The header is 64 bytes long, at least in its
870 * current incarnation.
871 *
872 * XXX - same variable-length header problem, only
873 * more so; this header is also variable-length,
874 * with the length being the 32-bit big-endian
875 * number at an offset of 4 from the beginning
876 * of the radio header.
877 */
878 off_linktype = 64+24;
879 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */
880 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */
881 return;
882
883 case DLT_IEEE802_11_RADIO:
884 /*
885 * Same as 802.11, but with an additional header before
886 * the 802.11 header, containing a bunch of additional
887 * information including radio-level information.
888 *
889 * XXX - same variable-length header problem, only
890 * even *more* so; this header is also variable-length,
891 * with the length being the 16-bit number at an offset
892 * of 2 from the beginning of the radio header, and it's
893 * device-dependent (different devices might supply
894 * different amounts of information), so we can't even
895 * assume a fixed length for the current version of the
896 * header.
897 *
898 * Therefore, currently, only raw "link[N:M]" filtering is
899 * supported.
900 */
901 off_linktype = -1;
902 off_nl = -1;
903 off_nl_nosnap = -1;
904 return;
905
906 case DLT_ATM_RFC1483:
907 case DLT_ATM_CLIP: /* Linux ATM defines this */
908 /*
909 * assume routed, non-ISO PDUs
910 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
911 */
912 off_linktype = 0;
913 off_nl = 8; /* 802.2+SNAP */
914 off_nl_nosnap = 3; /* 802.2 */
915 return;
916
917 case DLT_SUNATM:
918 /*
919 * Full Frontal ATM; you get AALn PDUs with an ATM
920 * pseudo-header.
921 */
922 is_atm = 1;
923 off_vpi = SUNATM_VPI_POS;
924 off_vci = SUNATM_VCI_POS;
925 off_proto = PROTO_POS;
926 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
927 off_payload = SUNATM_PKT_BEGIN_POS;
928 off_linktype = off_payload;
929 off_nl = off_payload+8; /* 802.2+SNAP */
930 off_nl_nosnap = off_payload+3; /* 802.2 */
931 return;
932
933 case DLT_RAW:
934 off_linktype = -1;
935 off_nl = 0;
936 off_nl_nosnap = 0; /* no 802.2 LLC */
937 return;
938
939 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
940 off_linktype = 14;
941 off_nl = 16;
942 off_nl_nosnap = 16; /* no 802.2 LLC */
943 return;
944
945 case DLT_LTALK:
946 /*
947 * LocalTalk does have a 1-byte type field in the LLAP header,
948 * but really it just indicates whether there is a "short" or
949 * "long" DDP packet following.
950 */
951 off_linktype = -1;
952 off_nl = 0;
953 off_nl_nosnap = 0; /* no 802.2 LLC */
954 return;
955
956 case DLT_IP_OVER_FC:
957 /*
958 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
959 * link-level type field. We set "off_linktype" to the
960 * offset of the LLC header.
961 *
962 * To check for Ethernet types, we assume that SSAP = SNAP
963 * is being used and pick out the encapsulated Ethernet type.
964 * XXX - should we generate code to check for SNAP? RFC
965 * 2625 says SNAP should be used.
966 */
967 off_linktype = 16;
968 off_nl = 24; /* IPFC+802.2+SNAP */
969 off_nl_nosnap = 19; /* IPFC+802.2 */
970 return;
971
972 case DLT_FRELAY:
973 /*
974 * XXX - we should set this to handle SNAP-encapsulated
975 * frames (NLPID of 0x80).
976 */
977 off_linktype = -1;
978 off_nl = 0;
979 off_nl_nosnap = 0; /* no 802.2 LLC */
980 return;
981
982 case DLT_APPLE_IP_OVER_IEEE1394:
983 off_linktype = 16;
984 off_nl = 18;
985 off_nl_nosnap = 0; /* no 802.2 LLC */
986 return;
987
988 case DLT_LINUX_IRDA:
989 /*
990 * Currently, only raw "link[N:M]" filtering is supported.
991 */
992 off_linktype = -1;
993 off_nl = -1;
994 off_nl_nosnap = -1;
995 return;
996
997 case DLT_DOCSIS:
998 /*
999 * Currently, only raw "link[N:M]" filtering is supported.
1000 */
1001 off_linktype = -1;
1002 off_nl = -1;
1003 off_nl_nosnap = -1;
1004 return;
1005
1006 case DLT_SYMANTEC_FIREWALL:
1007 off_linktype = 6;
1008 off_nl = 44; /* Ethernet II */
1009 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
1010 return;
1011
1012 case DLT_PFLOG:
1013 off_linktype = 0;
1014 /* XXX read from header? */
1015 off_nl = PFLOG_HDRLEN;
1016 off_nl_nosnap = PFLOG_HDRLEN;
1017 return;
1018
1019 #ifdef DLT_PFSYNC
1020 case DLT_PFSYNC:
1021 off_linktype = -1;
1022 off_nl = 4;
1023 off_nl_nosnap = 4;
1024 return;
1025 #endif
1026 }
1027 bpf_error("unknown data link type %d", linktype);
1028 /* NOTREACHED */
1029 }
1030
1031 static struct block *
1032 gen_uncond(rsense)
1033 int rsense;
1034 {
1035 struct block *b;
1036 struct slist *s;
1037
1038 s = new_stmt(BPF_LD|BPF_IMM);
1039 s->s.k = !rsense;
1040 b = new_block(JMP(BPF_JEQ));
1041 b->stmts = s;
1042
1043 return b;
1044 }
1045
1046 static inline struct block *
1047 gen_true()
1048 {
1049 return gen_uncond(1);
1050 }
1051
1052 static inline struct block *
1053 gen_false()
1054 {
1055 return gen_uncond(0);
1056 }
1057
1058 /*
1059 * Byte-swap a 32-bit number.
1060 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1061 * big-endian platforms.)
1062 */
1063 #define SWAPLONG(y) \
1064 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1065
1066 static struct block *
1067 gen_ether_linktype(proto)
1068 register int proto;
1069 {
1070 struct block *b0, *b1;
1071
1072 switch (proto) {
1073
1074 case LLCSAP_ISONS:
1075 /*
1076 * OSI protocols always use 802.2 encapsulation.
1077 * XXX - should we check both the DSAP and the
1078 * SSAP, like this, or should we check just the
1079 * DSAP?
1080 */
1081 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1082 gen_not(b0);
1083 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1084 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1085 gen_and(b0, b1);
1086 return b1;
1087
1088 case LLCSAP_IP:
1089 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1090 gen_not(b0);
1091 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1092 ((LLCSAP_IP << 8) | LLCSAP_IP));
1093 gen_and(b0, b1);
1094 return b1;
1095
1096 case LLCSAP_NETBEUI:
1097 /*
1098 * NetBEUI always uses 802.2 encapsulation.
1099 * XXX - should we check both the DSAP and the
1100 * SSAP, like this, or should we check just the
1101 * DSAP?
1102 */
1103 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1104 gen_not(b0);
1105 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1106 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1107 gen_and(b0, b1);
1108 return b1;
1109
1110 case LLCSAP_IPX:
1111 /*
1112 * Check for;
1113 *
1114 * Ethernet_II frames, which are Ethernet
1115 * frames with a frame type of ETHERTYPE_IPX;
1116 *
1117 * Ethernet_802.3 frames, which are 802.3
1118 * frames (i.e., the type/length field is
1119 * a length field, <= ETHERMTU, rather than
1120 * a type field) with the first two bytes
1121 * after the Ethernet/802.3 header being
1122 * 0xFFFF;
1123 *
1124 * Ethernet_802.2 frames, which are 802.3
1125 * frames with an 802.2 LLC header and
1126 * with the IPX LSAP as the DSAP in the LLC
1127 * header;
1128 *
1129 * Ethernet_SNAP frames, which are 802.3
1130 * frames with an LLC header and a SNAP
1131 * header and with an OUI of 0x000000
1132 * (encapsulated Ethernet) and a protocol
1133 * ID of ETHERTYPE_IPX in the SNAP header.
1134 *
1135 * XXX - should we generate the same code both
1136 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1137 */
1138
1139 /*
1140 * This generates code to check both for the
1141 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1142 */
1143 b0 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)LLCSAP_IPX);
1144 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)0xFFFF);
1145 gen_or(b0, b1);
1146
1147 /*
1148 * Now we add code to check for SNAP frames with
1149 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1150 */
1151 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1152 gen_or(b0, b1);
1153
1154 /*
1155 * Now we generate code to check for 802.3
1156 * frames in general.
1157 */
1158 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1159 gen_not(b0);
1160
1161 /*
1162 * Now add the check for 802.3 frames before the
1163 * check for Ethernet_802.2 and Ethernet_802.3,
1164 * as those checks should only be done on 802.3
1165 * frames, not on Ethernet frames.
1166 */
1167 gen_and(b0, b1);
1168
1169 /*
1170 * Now add the check for Ethernet_II frames, and
1171 * do that before checking for the other frame
1172 * types.
1173 */
1174 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1175 gen_or(b0, b1);
1176 return b1;
1177
1178 case ETHERTYPE_ATALK:
1179 case ETHERTYPE_AARP:
1180 /*
1181 * EtherTalk (AppleTalk protocols on Ethernet link
1182 * layer) may use 802.2 encapsulation.
1183 */
1184
1185 /*
1186 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1187 * we check for an Ethernet type field less than
1188 * 1500, which means it's an 802.3 length field.
1189 */
1190 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1191 gen_not(b0);
1192
1193 /*
1194 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1195 * SNAP packets with an organization code of
1196 * 0x080007 (Apple, for Appletalk) and a protocol
1197 * type of ETHERTYPE_ATALK (Appletalk).
1198 *
1199 * 802.2-encapsulated ETHERTYPE_AARP packets are
1200 * SNAP packets with an organization code of
1201 * 0x000000 (encapsulated Ethernet) and a protocol
1202 * type of ETHERTYPE_AARP (Appletalk ARP).
1203 */
1204 if (proto == ETHERTYPE_ATALK)
1205 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1206 else /* proto == ETHERTYPE_AARP */
1207 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1208 gen_and(b0, b1);
1209
1210 /*
1211 * Check for Ethernet encapsulation (Ethertalk
1212 * phase 1?); we just check for the Ethernet
1213 * protocol type.
1214 */
1215 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1216
1217 gen_or(b0, b1);
1218 return b1;
1219
1220 default:
1221 if (proto <= ETHERMTU) {
1222 /*
1223 * This is an LLC SAP value, so the frames
1224 * that match would be 802.2 frames.
1225 * Check that the frame is an 802.2 frame
1226 * (i.e., that the length/type field is
1227 * a length field, <= ETHERMTU) and
1228 * then check the DSAP.
1229 */
1230 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1231 gen_not(b0);
1232 b1 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)proto);
1233 gen_and(b0, b1);
1234 return b1;
1235 } else {
1236 /*
1237 * This is an Ethernet type, so compare
1238 * the length/type field with it (if
1239 * the frame is an 802.2 frame, the length
1240 * field will be <= ETHERMTU, and, as
1241 * "proto" is > ETHERMTU, this test
1242 * will fail and the frame won't match,
1243 * which is what we want).
1244 */
1245 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1246 }
1247 }
1248 }
1249
1250 static struct block *
1251 gen_linktype(proto)
1252 register int proto;
1253 {
1254 struct block *b0, *b1, *b2;
1255
1256 switch (linktype) {
1257
1258 case DLT_EN10MB:
1259 return gen_ether_linktype(proto);
1260 /*NOTREACHED*/
1261 break;
1262
1263 case DLT_C_HDLC:
1264 switch (proto) {
1265
1266 case LLCSAP_ISONS:
1267 proto = (proto << 8 | LLCSAP_ISONS);
1268 /* fall through */
1269
1270 default:
1271 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1272 /*NOTREACHED*/
1273 break;
1274 }
1275 break;
1276
1277 case DLT_IEEE802_11:
1278 case DLT_PRISM_HEADER:
1279 case DLT_IEEE802_11_RADIO:
1280 case DLT_FDDI:
1281 case DLT_IEEE802:
1282 case DLT_ATM_RFC1483:
1283 case DLT_ATM_CLIP:
1284 case DLT_IP_OVER_FC:
1285 return gen_llc(proto);
1286 /*NOTREACHED*/
1287 break;
1288
1289 case DLT_SUNATM:
1290 /*
1291 * If "is_lane" is set, check for a LANE-encapsulated
1292 * version of this protocol, otherwise check for an
1293 * LLC-encapsulated version of this protocol.
1294 *
1295 * We assume LANE means Ethernet, not Token Ring.
1296 */
1297 if (is_lane) {
1298 /*
1299 * Check that the packet doesn't begin with an
1300 * LE Control marker. (We've already generated
1301 * a test for LANE.)
1302 */
1303 b0 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
1304 gen_not(b0);
1305
1306 /*
1307 * Now generate an Ethernet test.
1308 */
1309 b1 = gen_ether_linktype(proto);
1310 gen_and(b0, b1);
1311 return b1;
1312 } else {
1313 /*
1314 * Check for LLC encapsulation and then check the
1315 * protocol.
1316 */
1317 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
1318 b1 = gen_llc(proto);
1319 gen_and(b0, b1);
1320 return b1;
1321 }
1322
1323 case DLT_LINUX_SLL:
1324 switch (proto) {
1325
1326 case LLCSAP_IP:
1327 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1328 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1329 ((LLCSAP_IP << 8) | LLCSAP_IP));
1330 gen_and(b0, b1);
1331 return b1;
1332
1333 case LLCSAP_ISONS:
1334 /*
1335 * OSI protocols always use 802.2 encapsulation.
1336 * XXX - should we check both the DSAP and the
1337 * LSAP, like this, or should we check just the
1338 * DSAP?
1339 */
1340 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1341 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1342 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1343 gen_and(b0, b1);
1344 return b1;
1345
1346 case LLCSAP_NETBEUI:
1347 /*
1348 * NetBEUI always uses 802.2 encapsulation.
1349 * XXX - should we check both the DSAP and the
1350 * LSAP, like this, or should we check just the
1351 * DSAP?
1352 */
1353 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1354 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1355 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1356 gen_and(b0, b1);
1357 return b1;
1358
1359 case LLCSAP_IPX:
1360 /*
1361 * Ethernet_II frames, which are Ethernet
1362 * frames with a frame type of ETHERTYPE_IPX;
1363 *
1364 * Ethernet_802.3 frames, which have a frame
1365 * type of LINUX_SLL_P_802_3;
1366 *
1367 * Ethernet_802.2 frames, which are 802.3
1368 * frames with an 802.2 LLC header (i.e, have
1369 * a frame type of LINUX_SLL_P_802_2) and
1370 * with the IPX LSAP as the DSAP in the LLC
1371 * header;
1372 *
1373 * Ethernet_SNAP frames, which are 802.3
1374 * frames with an LLC header and a SNAP
1375 * header and with an OUI of 0x000000
1376 * (encapsulated Ethernet) and a protocol
1377 * ID of ETHERTYPE_IPX in the SNAP header.
1378 *
1379 * First, do the checks on LINUX_SLL_P_802_2
1380 * frames; generate the check for either
1381 * Ethernet_802.2 or Ethernet_SNAP frames, and
1382 * then put a check for LINUX_SLL_P_802_2 frames
1383 * before it.
1384 */
1385 b0 = gen_cmp(off_linktype + 2, BPF_B,
1386 (bpf_int32)LLCSAP_IPX);
1387 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1388 off_linktype + 2);
1389 gen_or(b0, b1);
1390 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1391 gen_and(b0, b1);
1392
1393 /*
1394 * Now check for 802.3 frames and OR that with
1395 * the previous test.
1396 */
1397 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_3);
1398 gen_or(b0, b1);
1399
1400 /*
1401 * Now add the check for Ethernet_II frames, and
1402 * do that before checking for the other frame
1403 * types.
1404 */
1405 b0 = gen_cmp(off_linktype, BPF_H,
1406 (bpf_int32)ETHERTYPE_IPX);
1407 gen_or(b0, b1);
1408 return b1;
1409
1410 case ETHERTYPE_ATALK:
1411 case ETHERTYPE_AARP:
1412 /*
1413 * EtherTalk (AppleTalk protocols on Ethernet link
1414 * layer) may use 802.2 encapsulation.
1415 */
1416
1417 /*
1418 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1419 * we check for the 802.2 protocol type in the
1420 * "Ethernet type" field.
1421 */
1422 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1423
1424 /*
1425 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1426 * SNAP packets with an organization code of
1427 * 0x080007 (Apple, for Appletalk) and a protocol
1428 * type of ETHERTYPE_ATALK (Appletalk).
1429 *
1430 * 802.2-encapsulated ETHERTYPE_AARP packets are
1431 * SNAP packets with an organization code of
1432 * 0x000000 (encapsulated Ethernet) and a protocol
1433 * type of ETHERTYPE_AARP (Appletalk ARP).
1434 */
1435 if (proto == ETHERTYPE_ATALK)
1436 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1437 off_linktype + 2);
1438 else /* proto == ETHERTYPE_AARP */
1439 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1440 off_linktype + 2);
1441 gen_and(b0, b1);
1442
1443 /*
1444 * Check for Ethernet encapsulation (Ethertalk
1445 * phase 1?); we just check for the Ethernet
1446 * protocol type.
1447 */
1448 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1449
1450 gen_or(b0, b1);
1451 return b1;
1452
1453 default:
1454 if (proto <= ETHERMTU) {
1455 /*
1456 * This is an LLC SAP value, so the frames
1457 * that match would be 802.2 frames.
1458 * Check for the 802.2 protocol type
1459 * in the "Ethernet type" field, and
1460 * then check the DSAP.
1461 */
1462 b0 = gen_cmp(off_linktype, BPF_H,
1463 LINUX_SLL_P_802_2);
1464 b1 = gen_cmp(off_linktype + 2, BPF_B,
1465 (bpf_int32)proto);
1466 gen_and(b0, b1);
1467 return b1;
1468 } else {
1469 /*
1470 * This is an Ethernet type, so compare
1471 * the length/type field with it (if
1472 * the frame is an 802.2 frame, the length
1473 * field will be <= ETHERMTU, and, as
1474 * "proto" is > ETHERMTU, this test
1475 * will fail and the frame won't match,
1476 * which is what we want).
1477 */
1478 return gen_cmp(off_linktype, BPF_H,
1479 (bpf_int32)proto);
1480 }
1481 }
1482 /*NOTREACHED*/
1483 break;
1484
1485 case DLT_SLIP:
1486 case DLT_SLIP_BSDOS:
1487 case DLT_RAW:
1488 /*
1489 * These types don't provide any type field; packets
1490 * are always IP.
1491 *
1492 * XXX - for IPv4, check for a version number of 4, and,
1493 * for IPv6, check for a version number of 6?
1494 */
1495 switch (proto) {
1496
1497 case ETHERTYPE_IP:
1498 #ifdef INET6
1499 case ETHERTYPE_IPV6:
1500 #endif
1501 return gen_true(); /* always true */
1502
1503 default:
1504 return gen_false(); /* always false */
1505 }
1506 /*NOTREACHED*/
1507 break;
1508
1509 case DLT_PPP:
1510 case DLT_PPP_WITHDIRECTION:
1511 case DLT_PPP_SERIAL:
1512 case DLT_PPP_ETHER:
1513 /*
1514 * We use Ethernet protocol types inside libpcap;
1515 * map them to the corresponding PPP protocol types.
1516 */
1517 switch (proto) {
1518
1519 case ETHERTYPE_IP:
1520 proto = PPP_IP;
1521 break;
1522
1523 #ifdef INET6
1524 case ETHERTYPE_IPV6:
1525 proto = PPP_IPV6;
1526 break;
1527 #endif
1528
1529 case ETHERTYPE_DN:
1530 proto = PPP_DECNET;
1531 break;
1532
1533 case ETHERTYPE_ATALK:
1534 proto = PPP_APPLE;
1535 break;
1536
1537 case ETHERTYPE_NS:
1538 proto = PPP_NS;
1539 break;
1540
1541 case LLCSAP_ISONS:
1542 proto = PPP_OSI;
1543 break;
1544
1545 case LLCSAP_8021D:
1546 /*
1547 * I'm assuming the "Bridging PDU"s that go
1548 * over PPP are Spanning Tree Protocol
1549 * Bridging PDUs.
1550 */
1551 proto = PPP_BRPDU;
1552 break;
1553
1554 case LLCSAP_IPX:
1555 proto = PPP_IPX;
1556 break;
1557 }
1558 break;
1559
1560 case DLT_PPP_BSDOS:
1561 /*
1562 * We use Ethernet protocol types inside libpcap;
1563 * map them to the corresponding PPP protocol types.
1564 */
1565 switch (proto) {
1566
1567 case ETHERTYPE_IP:
1568 b0 = gen_cmp(off_linktype, BPF_H, PPP_IP);
1569 b1 = gen_cmp(off_linktype, BPF_H, PPP_VJC);
1570 gen_or(b0, b1);
1571 b0 = gen_cmp(off_linktype, BPF_H, PPP_VJNC);
1572 gen_or(b1, b0);
1573 return b0;
1574
1575 #ifdef INET6
1576 case ETHERTYPE_IPV6:
1577 proto = PPP_IPV6;
1578 /* more to go? */
1579 break;
1580 #endif
1581
1582 case ETHERTYPE_DN:
1583 proto = PPP_DECNET;
1584 break;
1585
1586 case ETHERTYPE_ATALK:
1587 proto = PPP_APPLE;
1588 break;
1589
1590 case ETHERTYPE_NS:
1591 proto = PPP_NS;
1592 break;
1593
1594 case LLCSAP_ISONS:
1595 proto = PPP_OSI;
1596 break;
1597
1598 case LLCSAP_8021D:
1599 /*
1600 * I'm assuming the "Bridging PDU"s that go
1601 * over PPP are Spanning Tree Protocol
1602 * Bridging PDUs.
1603 */
1604 proto = PPP_BRPDU;
1605 break;
1606
1607 case LLCSAP_IPX:
1608 proto = PPP_IPX;
1609 break;
1610 }
1611 break;
1612
1613 case DLT_NULL:
1614 case DLT_LOOP:
1615 case DLT_ENC:
1616 /*
1617 * For DLT_NULL, the link-layer header is a 32-bit
1618 * word containing an AF_ value in *host* byte order,
1619 * and for DLT_ENC, the link-layer header begins
1620 * with a 32-bit work containing an AF_ value in
1621 * host byte order.
1622 *
1623 * In addition, if we're reading a saved capture file,
1624 * the host byte order in the capture may not be the
1625 * same as the host byte order on this machine.
1626 *
1627 * For DLT_LOOP, the link-layer header is a 32-bit
1628 * word containing an AF_ value in *network* byte order.
1629 *
1630 * XXX - AF_ values may, unfortunately, be platform-
1631 * dependent; for example, FreeBSD's AF_INET6 is 24
1632 * whilst NetBSD's and OpenBSD's is 26.
1633 *
1634 * This means that, when reading a capture file, just
1635 * checking for our AF_INET6 value won't work if the
1636 * capture file came from another OS.
1637 */
1638 switch (proto) {
1639
1640 case ETHERTYPE_IP:
1641 proto = AF_INET;
1642 break;
1643
1644 #ifdef INET6
1645 case ETHERTYPE_IPV6:
1646 proto = AF_INET6;
1647 break;
1648 #endif
1649
1650 default:
1651 /*
1652 * Not a type on which we support filtering.
1653 * XXX - support those that have AF_ values
1654 * #defined on this platform, at least?
1655 */
1656 return gen_false();
1657 }
1658
1659 if (linktype == DLT_NULL || linktype == DLT_ENC) {
1660 /*
1661 * The AF_ value is in host byte order, but
1662 * the BPF interpreter will convert it to
1663 * network byte order.
1664 *
1665 * If this is a save file, and it's from a
1666 * machine with the opposite byte order to
1667 * ours, we byte-swap the AF_ value.
1668 *
1669 * Then we run it through "htonl()", and
1670 * generate code to compare against the result.
1671 */
1672 if (bpf_pcap->sf.rfile != NULL &&
1673 bpf_pcap->sf.swapped)
1674 proto = SWAPLONG(proto);
1675 proto = htonl(proto);
1676 }
1677 return (gen_cmp(0, BPF_W, (bpf_int32)proto));
1678
1679 case DLT_PFLOG:
1680 /*
1681 * af field is host byte order in contrast to the rest of
1682 * the packet.
1683 */
1684 if (proto == ETHERTYPE_IP)
1685 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1686 (bpf_int32)AF_INET));
1687 #ifdef INET6
1688 else if (proto == ETHERTYPE_IPV6)
1689 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1690 (bpf_int32)AF_INET6));
1691 #endif /* INET6 */
1692 else
1693 return gen_false();
1694 /*NOTREACHED*/
1695 break;
1696
1697 case DLT_ARCNET:
1698 case DLT_ARCNET_LINUX:
1699 /*
1700 * XXX should we check for first fragment if the protocol
1701 * uses PHDS?
1702 */
1703 switch (proto) {
1704
1705 default:
1706 return gen_false();
1707
1708 #ifdef INET6
1709 case ETHERTYPE_IPV6:
1710 return (gen_cmp(off_linktype, BPF_B,
1711 (bpf_int32)ARCTYPE_INET6));
1712 #endif /* INET6 */
1713
1714 case ETHERTYPE_IP:
1715 b0 = gen_cmp(off_linktype, BPF_B,
1716 (bpf_int32)ARCTYPE_IP);
1717 b1 = gen_cmp(off_linktype, BPF_B,
1718 (bpf_int32)ARCTYPE_IP_OLD);
1719 gen_or(b0, b1);
1720 return (b1);
1721
1722 case ETHERTYPE_ARP:
1723 b0 = gen_cmp(off_linktype, BPF_B,
1724 (bpf_int32)ARCTYPE_ARP);
1725 b1 = gen_cmp(off_linktype, BPF_B,
1726 (bpf_int32)ARCTYPE_ARP_OLD);
1727 gen_or(b0, b1);
1728 return (b1);
1729
1730 case ETHERTYPE_REVARP:
1731 return (gen_cmp(off_linktype, BPF_B,
1732 (bpf_int32)ARCTYPE_REVARP));
1733
1734 case ETHERTYPE_ATALK:
1735 return (gen_cmp(off_linktype, BPF_B,
1736 (bpf_int32)ARCTYPE_ATALK));
1737 }
1738 /*NOTREACHED*/
1739 break;
1740
1741 case DLT_LTALK:
1742 switch (proto) {
1743 case ETHERTYPE_ATALK:
1744 return gen_true();
1745 default:
1746 return gen_false();
1747 }
1748 /*NOTREACHED*/
1749 break;
1750
1751 case DLT_FRELAY:
1752 /*
1753 * XXX - assumes a 2-byte Frame Relay header with
1754 * DLCI and flags. What if the address is longer?
1755 */
1756 switch (proto) {
1757
1758 case ETHERTYPE_IP:
1759 /*
1760 * Check for the special NLPID for IP.
1761 */
1762 return gen_cmp(2, BPF_H, (0x03<<8) | 0xcc);
1763
1764 #ifdef INET6
1765 case ETHERTYPE_IPV6:
1766 /*
1767 * Check for the special NLPID for IPv6.
1768 */
1769 return gen_cmp(2, BPF_H, (0x03<<8) | 0x8e);
1770 #endif
1771
1772 case LLCSAP_ISONS:
1773 /*
1774 * Check for several OSI protocols.
1775 *
1776 * Frame Relay packets typically have an OSI
1777 * NLPID at the beginning; we check for each
1778 * of them.
1779 *
1780 * What we check for is the NLPID and a frame
1781 * control field of UI, i.e. 0x03 followed
1782 * by the NLPID.
1783 */
1784 b0 = gen_cmp(2, BPF_H, (0x03<<8) | ISO8473_CLNP);
1785 b1 = gen_cmp(2, BPF_H, (0x03<<8) | ISO9542_ESIS);
1786 b2 = gen_cmp(2, BPF_H, (0x03<<8) | ISO10589_ISIS);
1787 gen_or(b1, b2);
1788 gen_or(b0, b2);
1789 return b2;
1790
1791 default:
1792 return gen_false();
1793 }
1794 /*NOTREACHED*/
1795 break;
1796
1797 case DLT_LINUX_IRDA:
1798 bpf_error("IrDA link-layer type filtering not implemented");
1799
1800 case DLT_DOCSIS:
1801 bpf_error("DOCSIS link-layer type filtering not implemented");
1802 }
1803
1804 /*
1805 * All the types that have no encapsulation should either be
1806 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
1807 * all packets are IP packets, or should be handled in some
1808 * special case, if none of them are (if some are and some
1809 * aren't, the lack of encapsulation is a problem, as we'd
1810 * have to find some other way of determining the packet type).
1811 *
1812 * Therefore, if "off_linktype" is -1, there's an error.
1813 */
1814 if (off_linktype == (u_int)-1)
1815 abort();
1816
1817 /*
1818 * Any type not handled above should always have an Ethernet
1819 * type at an offset of "off_linktype". (PPP is partially
1820 * handled above - the protocol type is mapped from the
1821 * Ethernet and LLC types we use internally to the corresponding
1822 * PPP type - but the PPP type is always specified by a value
1823 * at "off_linktype", so we don't have to do the code generation
1824 * above.)
1825 */
1826 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1827 }
1828
1829 /*
1830 * Check for an LLC SNAP packet with a given organization code and
1831 * protocol type; we check the entire contents of the 802.2 LLC and
1832 * snap headers, checking for DSAP and SSAP of SNAP and a control
1833 * field of 0x03 in the LLC header, and for the specified organization
1834 * code and protocol type in the SNAP header.
1835 */
1836 static struct block *
1837 gen_snap(orgcode, ptype, offset)
1838 bpf_u_int32 orgcode;
1839 bpf_u_int32 ptype;
1840 u_int offset;
1841 {
1842 u_char snapblock[8];
1843
1844 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
1845 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
1846 snapblock[2] = 0x03; /* control = UI */
1847 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
1848 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
1849 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
1850 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
1851 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
1852 return gen_bcmp(offset, 8, snapblock);
1853 }
1854
1855 /*
1856 * Check for a given protocol value assuming an 802.2 LLC header.
1857 */
1858 static struct block *
1859 gen_llc(proto)
1860 int proto;
1861 {
1862 /*
1863 * XXX - handle token-ring variable-length header.
1864 */
1865 switch (proto) {
1866
1867 case LLCSAP_IP:
1868 return gen_cmp(off_linktype, BPF_H, (long)
1869 ((LLCSAP_IP << 8) | LLCSAP_IP));
1870
1871 case LLCSAP_ISONS:
1872 return gen_cmp(off_linktype, BPF_H, (long)
1873 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1874
1875 case LLCSAP_NETBEUI:
1876 return gen_cmp(off_linktype, BPF_H, (long)
1877 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1878
1879 case LLCSAP_IPX:
1880 /*
1881 * XXX - are there ever SNAP frames for IPX on
1882 * non-Ethernet 802.x networks?
1883 */
1884 return gen_cmp(off_linktype, BPF_B, (bpf_int32)LLCSAP_IPX);
1885
1886 case ETHERTYPE_ATALK:
1887 /*
1888 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1889 * SNAP packets with an organization code of
1890 * 0x080007 (Apple, for Appletalk) and a protocol
1891 * type of ETHERTYPE_ATALK (Appletalk).
1892 *
1893 * XXX - check for an organization code of
1894 * encapsulated Ethernet as well?
1895 */
1896 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
1897
1898 default:
1899 /*
1900 * XXX - we don't have to check for IPX 802.3
1901 * here, but should we check for the IPX Ethertype?
1902 */
1903 if (proto <= ETHERMTU) {
1904 /*
1905 * This is an LLC SAP value, so check
1906 * the DSAP.
1907 */
1908 return gen_cmp(off_linktype, BPF_B, (bpf_int32)proto);
1909 } else {
1910 /*
1911 * This is an Ethernet type; we assume that it's
1912 * unlikely that it'll appear in the right place
1913 * at random, and therefore check only the
1914 * location that would hold the Ethernet type
1915 * in a SNAP frame with an organization code of
1916 * 0x000000 (encapsulated Ethernet).
1917 *
1918 * XXX - if we were to check for the SNAP DSAP and
1919 * LSAP, as per XXX, and were also to check for an
1920 * organization code of 0x000000 (encapsulated
1921 * Ethernet), we'd do
1922 *
1923 * return gen_snap(0x000000, proto,
1924 * off_linktype);
1925 *
1926 * here; for now, we don't, as per the above.
1927 * I don't know whether it's worth the extra CPU
1928 * time to do the right check or not.
1929 */
1930 return gen_cmp(off_linktype+6, BPF_H, (bpf_int32)proto);
1931 }
1932 }
1933 }
1934
1935 static struct block *
1936 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
1937 bpf_u_int32 addr;
1938 bpf_u_int32 mask;
1939 int dir, proto;
1940 u_int src_off, dst_off;
1941 {
1942 struct block *b0, *b1;
1943 u_int offset;
1944
1945 switch (dir) {
1946
1947 case Q_SRC:
1948 offset = src_off;
1949 break;
1950
1951 case Q_DST:
1952 offset = dst_off;
1953 break;
1954
1955 case Q_AND:
1956 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
1957 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
1958 gen_and(b0, b1);
1959 return b1;
1960
1961 case Q_OR:
1962 case Q_DEFAULT:
1963 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
1964 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
1965 gen_or(b0, b1);
1966 return b1;
1967
1968 default:
1969 abort();
1970 }
1971 b0 = gen_linktype(proto);
1972 b1 = gen_mcmp(offset, BPF_W, (bpf_int32)addr, mask);
1973 gen_and(b0, b1);
1974 return b1;
1975 }
1976
1977 #ifdef INET6
1978 static struct block *
1979 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
1980 struct in6_addr *addr;
1981 struct in6_addr *mask;
1982 int dir, proto;
1983 u_int src_off, dst_off;
1984 {
1985 struct block *b0, *b1;
1986 u_int offset;
1987 u_int32_t *a, *m;
1988
1989 switch (dir) {
1990
1991 case Q_SRC:
1992 offset = src_off;
1993 break;
1994
1995 case Q_DST:
1996 offset = dst_off;
1997 break;
1998
1999 case Q_AND:
2000 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2001 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2002 gen_and(b0, b1);
2003 return b1;
2004
2005 case Q_OR:
2006 case Q_DEFAULT:
2007 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2008 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2009 gen_or(b0, b1);
2010 return b1;
2011
2012 default:
2013 abort();
2014 }
2015 /* this order is important */
2016 a = (u_int32_t *)addr;
2017 m = (u_int32_t *)mask;
2018 b1 = gen_mcmp(offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2019 b0 = gen_mcmp(offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2020 gen_and(b0, b1);
2021 b0 = gen_mcmp(offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2022 gen_and(b0, b1);
2023 b0 = gen_mcmp(offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2024 gen_and(b0, b1);
2025 b0 = gen_linktype(proto);
2026 gen_and(b0, b1);
2027 return b1;
2028 }
2029 #endif /*INET6*/
2030
2031 static struct block *
2032 gen_ehostop(eaddr, dir)
2033 register const u_char *eaddr;
2034 register int dir;
2035 {
2036 register struct block *b0, *b1;
2037
2038 switch (dir) {
2039 case Q_SRC:
2040 return gen_bcmp(off_mac + 6, 6, eaddr);
2041
2042 case Q_DST:
2043 return gen_bcmp(off_mac + 0, 6, eaddr);
2044
2045 case Q_AND:
2046 b0 = gen_ehostop(eaddr, Q_SRC);
2047 b1 = gen_ehostop(eaddr, Q_DST);
2048 gen_and(b0, b1);
2049 return b1;
2050
2051 case Q_DEFAULT:
2052 case Q_OR:
2053 b0 = gen_ehostop(eaddr, Q_SRC);
2054 b1 = gen_ehostop(eaddr, Q_DST);
2055 gen_or(b0, b1);
2056 return b1;
2057 }
2058 abort();
2059 /* NOTREACHED */
2060 }
2061
2062 /*
2063 * Like gen_ehostop, but for DLT_FDDI
2064 */
2065 static struct block *
2066 gen_fhostop(eaddr, dir)
2067 register const u_char *eaddr;
2068 register int dir;
2069 {
2070 struct block *b0, *b1;
2071
2072 switch (dir) {
2073 case Q_SRC:
2074 #ifdef PCAP_FDDIPAD
2075 return gen_bcmp(6 + 1 + pcap_fddipad, 6, eaddr);
2076 #else
2077 return gen_bcmp(6 + 1, 6, eaddr);
2078 #endif
2079
2080 case Q_DST:
2081 #ifdef PCAP_FDDIPAD
2082 return gen_bcmp(0 + 1 + pcap_fddipad, 6, eaddr);
2083 #else
2084 return gen_bcmp(0 + 1, 6, eaddr);
2085 #endif
2086
2087 case Q_AND:
2088 b0 = gen_fhostop(eaddr, Q_SRC);
2089 b1 = gen_fhostop(eaddr, Q_DST);
2090 gen_and(b0, b1);
2091 return b1;
2092
2093 case Q_DEFAULT:
2094 case Q_OR:
2095 b0 = gen_fhostop(eaddr, Q_SRC);
2096 b1 = gen_fhostop(eaddr, Q_DST);
2097 gen_or(b0, b1);
2098 return b1;
2099 }
2100 abort();
2101 /* NOTREACHED */
2102 }
2103
2104 /*
2105 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2106 */
2107 static struct block *
2108 gen_thostop(eaddr, dir)
2109 register const u_char *eaddr;
2110 register int dir;
2111 {
2112 register struct block *b0, *b1;
2113
2114 switch (dir) {
2115 case Q_SRC:
2116 return gen_bcmp(8, 6, eaddr);
2117
2118 case Q_DST:
2119 return gen_bcmp(2, 6, eaddr);
2120
2121 case Q_AND:
2122 b0 = gen_thostop(eaddr, Q_SRC);
2123 b1 = gen_thostop(eaddr, Q_DST);
2124 gen_and(b0, b1);
2125 return b1;
2126
2127 case Q_DEFAULT:
2128 case Q_OR:
2129 b0 = gen_thostop(eaddr, Q_SRC);
2130 b1 = gen_thostop(eaddr, Q_DST);
2131 gen_or(b0, b1);
2132 return b1;
2133 }
2134 abort();
2135 /* NOTREACHED */
2136 }
2137
2138 /*
2139 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2140 */
2141 static struct block *
2142 gen_wlanhostop(eaddr, dir)
2143 register const u_char *eaddr;
2144 register int dir;
2145 {
2146 register struct block *b0, *b1, *b2;
2147 register struct slist *s;
2148
2149 switch (dir) {
2150 case Q_SRC:
2151 /*
2152 * Oh, yuk.
2153 *
2154 * For control frames, there is no SA.
2155 *
2156 * For management frames, SA is at an
2157 * offset of 10 from the beginning of
2158 * the packet.
2159 *
2160 * For data frames, SA is at an offset
2161 * of 10 from the beginning of the packet
2162 * if From DS is clear, at an offset of
2163 * 16 from the beginning of the packet
2164 * if From DS is set and To DS is clear,
2165 * and an offset of 24 from the beginning
2166 * of the packet if From DS is set and To DS
2167 * is set.
2168 */
2169
2170 /*
2171 * Generate the tests to be done for data frames
2172 * with From DS set.
2173 *
2174 * First, check for To DS set, i.e. check "link[1] & 0x01".
2175 */
2176 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2177 s->s.k = 1;
2178 b1 = new_block(JMP(BPF_JSET));
2179 b1->s.k = 0x01; /* To DS */
2180 b1->stmts = s;
2181
2182 /*
2183 * If To DS is set, the SA is at 24.
2184 */
2185 b0 = gen_bcmp(24, 6, eaddr);
2186 gen_and(b1, b0);
2187
2188 /*
2189 * Now, check for To DS not set, i.e. check
2190 * "!(link[1] & 0x01)".
2191 */
2192 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2193 s->s.k = 1;
2194 b2 = new_block(JMP(BPF_JSET));
2195 b2->s.k = 0x01; /* To DS */
2196 b2->stmts = s;
2197 gen_not(b2);
2198
2199 /*
2200 * If To DS is not set, the SA is at 16.
2201 */
2202 b1 = gen_bcmp(16, 6, eaddr);
2203 gen_and(b2, b1);
2204
2205 /*
2206 * Now OR together the last two checks. That gives
2207 * the complete set of checks for data frames with
2208 * From DS set.
2209 */
2210 gen_or(b1, b0);
2211
2212 /*
2213 * Now check for From DS being set, and AND that with
2214 * the ORed-together checks.
2215 */
2216 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2217 s->s.k = 1;
2218 b1 = new_block(JMP(BPF_JSET));
2219 b1->s.k = 0x02; /* From DS */
2220 b1->stmts = s;
2221 gen_and(b1, b0);
2222
2223 /*
2224 * Now check for data frames with From DS not set.
2225 */
2226 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2227 s->s.k = 1;
2228 b2 = new_block(JMP(BPF_JSET));
2229 b2->s.k = 0x02; /* From DS */
2230 b2->stmts = s;
2231 gen_not(b2);
2232
2233 /*
2234 * If From DS isn't set, the SA is at 10.
2235 */
2236 b1 = gen_bcmp(10, 6, eaddr);
2237 gen_and(b2, b1);
2238
2239 /*
2240 * Now OR together the checks for data frames with
2241 * From DS not set and for data frames with From DS
2242 * set; that gives the checks done for data frames.
2243 */
2244 gen_or(b1, b0);
2245
2246 /*
2247 * Now check for a data frame.
2248 * I.e, check "link[0] & 0x08".
2249 */
2250 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2251 s->s.k = 0;
2252 b1 = new_block(JMP(BPF_JSET));
2253 b1->s.k = 0x08;
2254 b1->stmts = s;
2255
2256 /*
2257 * AND that with the checks done for data frames.
2258 */
2259 gen_and(b1, b0);
2260
2261 /*
2262 * If the high-order bit of the type value is 0, this
2263 * is a management frame.
2264 * I.e, check "!(link[0] & 0x08)".
2265 */
2266 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2267 s->s.k = 0;
2268 b2 = new_block(JMP(BPF_JSET));
2269 b2->s.k = 0x08;
2270 b2->stmts = s;
2271 gen_not(b2);
2272
2273 /*
2274 * For management frames, the SA is at 10.
2275 */
2276 b1 = gen_bcmp(10, 6, eaddr);
2277 gen_and(b2, b1);
2278
2279 /*
2280 * OR that with the checks done for data frames.
2281 * That gives the checks done for management and
2282 * data frames.
2283 */
2284 gen_or(b1, b0);
2285
2286 /*
2287 * If the low-order bit of the type value is 1,
2288 * this is either a control frame or a frame
2289 * with a reserved type, and thus not a
2290 * frame with an SA.
2291 *
2292 * I.e., check "!(link[0] & 0x04)".
2293 */
2294 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2295 s->s.k = 0;
2296 b1 = new_block(JMP(BPF_JSET));
2297 b1->s.k = 0x04;
2298 b1->stmts = s;
2299 gen_not(b1);
2300
2301 /*
2302 * AND that with the checks for data and management
2303 * frames.
2304 */
2305 gen_and(b1, b0);
2306 return b0;
2307
2308 case Q_DST:
2309 /*
2310 * Oh, yuk.
2311 *
2312 * For control frames, there is no DA.
2313 *
2314 * For management frames, DA is at an
2315 * offset of 4 from the beginning of
2316 * the packet.
2317 *
2318 * For data frames, DA is at an offset
2319 * of 4 from the beginning of the packet
2320 * if To DS is clear and at an offset of
2321 * 16 from the beginning of the packet
2322 * if To DS is set.
2323 */
2324
2325 /*
2326 * Generate the tests to be done for data frames.
2327 *
2328 * First, check for To DS set, i.e. "link[1] & 0x01".
2329 */
2330 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2331 s->s.k = 1;
2332 b1 = new_block(JMP(BPF_JSET));
2333 b1->s.k = 0x01; /* To DS */
2334 b1->stmts = s;
2335
2336 /*
2337 * If To DS is set, the DA is at 16.
2338 */
2339 b0 = gen_bcmp(16, 6, eaddr);
2340 gen_and(b1, b0);
2341
2342 /*
2343 * Now, check for To DS not set, i.e. check
2344 * "!(link[1] & 0x01)".
2345 */
2346 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2347 s->s.k = 1;
2348 b2 = new_block(JMP(BPF_JSET));
2349 b2->s.k = 0x01; /* To DS */
2350 b2->stmts = s;
2351 gen_not(b2);
2352
2353 /*
2354 * If To DS is not set, the DA is at 4.
2355 */
2356 b1 = gen_bcmp(4, 6, eaddr);
2357 gen_and(b2, b1);
2358
2359 /*
2360 * Now OR together the last two checks. That gives
2361 * the complete set of checks for data frames.
2362 */
2363 gen_or(b1, b0);
2364
2365 /*
2366 * Now check for a data frame.
2367 * I.e, check "link[0] & 0x08".
2368 */
2369 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2370 s->s.k = 0;
2371 b1 = new_block(JMP(BPF_JSET));
2372 b1->s.k = 0x08;
2373 b1->stmts = s;
2374
2375 /*
2376 * AND that with the checks done for data frames.
2377 */
2378 gen_and(b1, b0);
2379
2380 /*
2381 * If the high-order bit of the type value is 0, this
2382 * is a management frame.
2383 * I.e, check "!(link[0] & 0x08)".
2384 */
2385 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2386 s->s.k = 0;
2387 b2 = new_block(JMP(BPF_JSET));
2388 b2->s.k = 0x08;
2389 b2->stmts = s;
2390 gen_not(b2);
2391
2392 /*
2393 * For management frames, the DA is at 4.
2394 */
2395 b1 = gen_bcmp(4, 6, eaddr);
2396 gen_and(b2, b1);
2397
2398 /*
2399 * OR that with the checks done for data frames.
2400 * That gives the checks done for management and
2401 * data frames.
2402 */
2403 gen_or(b1, b0);
2404
2405 /*
2406 * If the low-order bit of the type value is 1,
2407 * this is either a control frame or a frame
2408 * with a reserved type, and thus not a
2409 * frame with an SA.
2410 *
2411 * I.e., check "!(link[0] & 0x04)".
2412 */
2413 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2414 s->s.k = 0;
2415 b1 = new_block(JMP(BPF_JSET));
2416 b1->s.k = 0x04;
2417 b1->stmts = s;
2418 gen_not(b1);
2419
2420 /*
2421 * AND that with the checks for data and management
2422 * frames.
2423 */
2424 gen_and(b1, b0);
2425 return b0;
2426
2427 case Q_AND:
2428 b0 = gen_wlanhostop(eaddr, Q_SRC);
2429 b1 = gen_wlanhostop(eaddr, Q_DST);
2430 gen_and(b0, b1);
2431 return b1;
2432
2433 case Q_DEFAULT:
2434 case Q_OR:
2435 b0 = gen_wlanhostop(eaddr, Q_SRC);
2436 b1 = gen_wlanhostop(eaddr, Q_DST);
2437 gen_or(b0, b1);
2438 return b1;
2439 }
2440 abort();
2441 /* NOTREACHED */
2442 }
2443
2444 /*
2445 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
2446 * (We assume that the addresses are IEEE 48-bit MAC addresses,
2447 * as the RFC states.)
2448 */
2449 static struct block *
2450 gen_ipfchostop(eaddr, dir)
2451 register const u_char *eaddr;
2452 register int dir;
2453 {
2454 register struct block *b0, *b1;
2455
2456 switch (dir) {
2457 case Q_SRC:
2458 return gen_bcmp(10, 6, eaddr);
2459
2460 case Q_DST:
2461 return gen_bcmp(2, 6, eaddr);
2462
2463 case Q_AND:
2464 b0 = gen_ipfchostop(eaddr, Q_SRC);
2465 b1 = gen_ipfchostop(eaddr, Q_DST);
2466 gen_and(b0, b1);
2467 return b1;
2468
2469 case Q_DEFAULT:
2470 case Q_OR:
2471 b0 = gen_ipfchostop(eaddr, Q_SRC);
2472 b1 = gen_ipfchostop(eaddr, Q_DST);
2473 gen_or(b0, b1);
2474 return b1;
2475 }
2476 abort();
2477 /* NOTREACHED */
2478 }
2479
2480 /*
2481 * This is quite tricky because there may be pad bytes in front of the
2482 * DECNET header, and then there are two possible data packet formats that
2483 * carry both src and dst addresses, plus 5 packet types in a format that
2484 * carries only the src node, plus 2 types that use a different format and
2485 * also carry just the src node.
2486 *
2487 * Yuck.
2488 *
2489 * Instead of doing those all right, we just look for data packets with
2490 * 0 or 1 bytes of padding. If you want to look at other packets, that
2491 * will require a lot more hacking.
2492 *
2493 * To add support for filtering on DECNET "areas" (network numbers)
2494 * one would want to add a "mask" argument to this routine. That would
2495 * make the filter even more inefficient, although one could be clever
2496 * and not generate masking instructions if the mask is 0xFFFF.
2497 */
2498 static struct block *
2499 gen_dnhostop(addr, dir, base_off)
2500 bpf_u_int32 addr;
2501 int dir;
2502 u_int base_off;
2503 {
2504 struct block *b0, *b1, *b2, *tmp;
2505 u_int offset_lh; /* offset if long header is received */
2506 u_int offset_sh; /* offset if short header is received */
2507
2508 switch (dir) {
2509
2510 case Q_DST:
2511 offset_sh = 1; /* follows flags */
2512 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
2513 break;
2514
2515 case Q_SRC:
2516 offset_sh = 3; /* follows flags, dstnode */
2517 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
2518 break;
2519
2520 case Q_AND:
2521 /* Inefficient because we do our Calvinball dance twice */
2522 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2523 b1 = gen_dnhostop(addr, Q_DST, base_off);
2524 gen_and(b0, b1);
2525 return b1;
2526
2527 case Q_OR:
2528 case Q_DEFAULT:
2529 /* Inefficient because we do our Calvinball dance twice */
2530 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2531 b1 = gen_dnhostop(addr, Q_DST, base_off);
2532 gen_or(b0, b1);
2533 return b1;
2534
2535 case Q_ISO:
2536 bpf_error("ISO host filtering not implemented");
2537
2538 default:
2539 abort();
2540 }
2541 b0 = gen_linktype(ETHERTYPE_DN);
2542 /* Check for pad = 1, long header case */
2543 tmp = gen_mcmp(base_off + 2, BPF_H,
2544 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
2545 b1 = gen_cmp(base_off + 2 + 1 + offset_lh,
2546 BPF_H, (bpf_int32)ntohs(addr));
2547 gen_and(tmp, b1);
2548 /* Check for pad = 0, long header case */
2549 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
2550 b2 = gen_cmp(base_off + 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
2551 gen_and(tmp, b2);
2552 gen_or(b2, b1);
2553 /* Check for pad = 1, short header case */
2554 tmp = gen_mcmp(base_off + 2, BPF_H,
2555 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
2556 b2 = gen_cmp(base_off + 2 + 1 + offset_sh,
2557 BPF_H, (bpf_int32)ntohs(addr));
2558 gen_and(tmp, b2);
2559 gen_or(b2, b1);
2560 /* Check for pad = 0, short header case */
2561 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
2562 b2 = gen_cmp(base_off + 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
2563 gen_and(tmp, b2);
2564 gen_or(b2, b1);
2565
2566 /* Combine with test for linktype */
2567 gen_and(b0, b1);
2568 return b1;
2569 }
2570
2571 static struct block *
2572 gen_host(addr, mask, proto, dir)
2573 bpf_u_int32 addr;
2574 bpf_u_int32 mask;
2575 int proto;
2576 int dir;
2577 {
2578 struct block *b0, *b1;
2579
2580 switch (proto) {
2581
2582 case Q_DEFAULT:
2583 b0 = gen_host(addr, mask, Q_IP, dir);
2584 if (off_linktype != (u_int)-1) {
2585 b1 = gen_host(addr, mask, Q_ARP, dir);
2586 gen_or(b0, b1);
2587 b0 = gen_host(addr, mask, Q_RARP, dir);
2588 gen_or(b1, b0);
2589 }
2590 return b0;
2591
2592 case Q_IP:
2593 return gen_hostop(addr, mask, dir, ETHERTYPE_IP,
2594 off_nl + 12, off_nl + 16);
2595
2596 case Q_RARP:
2597 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP,
2598 off_nl + 14, off_nl + 24);
2599
2600 case Q_ARP:
2601 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP,
2602 off_nl + 14, off_nl + 24);
2603
2604 case Q_TCP:
2605 bpf_error("'tcp' modifier applied to host");
2606
2607 case Q_SCTP:
2608 bpf_error("'sctp' modifier applied to host");
2609
2610 case Q_UDP:
2611 bpf_error("'udp' modifier applied to host");
2612
2613 case Q_ICMP:
2614 bpf_error("'icmp' modifier applied to host");
2615
2616 case Q_IGMP:
2617 bpf_error("'igmp' modifier applied to host");
2618
2619 case Q_IGRP:
2620 bpf_error("'igrp' modifier applied to host");
2621
2622 case Q_PIM:
2623 bpf_error("'pim' modifier applied to host");
2624
2625 case Q_VRRP:
2626 bpf_error("'vrrp' modifier applied to host");
2627
2628 case Q_ATALK:
2629 bpf_error("ATALK host filtering not implemented");
2630
2631 case Q_AARP:
2632 bpf_error("AARP host filtering not implemented");
2633
2634 case Q_DECNET:
2635 return gen_dnhostop(addr, dir, off_nl);
2636
2637 case Q_SCA:
2638 bpf_error("SCA host filtering not implemented");
2639
2640 case Q_LAT:
2641 bpf_error("LAT host filtering not implemented");
2642
2643 case Q_MOPDL:
2644 bpf_error("MOPDL host filtering not implemented");
2645
2646 case Q_MOPRC:
2647 bpf_error("MOPRC host filtering not implemented");
2648
2649 #ifdef INET6
2650 case Q_IPV6:
2651 bpf_error("'ip6' modifier applied to ip host");
2652
2653 case Q_ICMPV6:
2654 bpf_error("'icmp6' modifier applied to host");
2655 #endif /* INET6 */
2656
2657 case Q_AH:
2658 bpf_error("'ah' modifier applied to host");
2659
2660 case Q_ESP:
2661 bpf_error("'esp' modifier applied to host");
2662
2663 case Q_ISO:
2664 bpf_error("ISO host filtering not implemented");
2665
2666 case Q_ESIS:
2667 bpf_error("'esis' modifier applied to host");
2668
2669 case Q_ISIS:
2670 bpf_error("'isis' modifier applied to host");
2671
2672 case Q_CLNP:
2673 bpf_error("'clnp' modifier applied to host");
2674
2675 case Q_STP:
2676 bpf_error("'stp' modifier applied to host");
2677
2678 case Q_IPX:
2679 bpf_error("IPX host filtering not implemented");
2680
2681 case Q_NETBEUI:
2682 bpf_error("'netbeui' modifier applied to host");
2683
2684 default:
2685 abort();
2686 }
2687 /* NOTREACHED */
2688 }
2689
2690 #ifdef INET6
2691 static struct block *
2692 gen_host6(addr, mask, proto, dir)
2693 struct in6_addr *addr;
2694 struct in6_addr *mask;
2695 int proto;
2696 int dir;
2697 {
2698 switch (proto) {
2699
2700 case Q_DEFAULT:
2701 return gen_host6(addr, mask, Q_IPV6, dir);
2702
2703 case Q_IP:
2704 bpf_error("'ip' modifier applied to ip6 host");
2705
2706 case Q_RARP:
2707 bpf_error("'rarp' modifier applied to ip6 host");
2708
2709 case Q_ARP:
2710 bpf_error("'arp' modifier applied to ip6 host");
2711
2712 case Q_SCTP:
2713 bpf_error("'sctp' modifier applied to host");
2714
2715 case Q_TCP:
2716 bpf_error("'tcp' modifier applied to host");
2717
2718 case Q_UDP:
2719 bpf_error("'udp' modifier applied to host");
2720
2721 case Q_ICMP:
2722 bpf_error("'icmp' modifier applied to host");
2723
2724 case Q_IGMP:
2725 bpf_error("'igmp' modifier applied to host");
2726
2727 case Q_IGRP:
2728 bpf_error("'igrp' modifier applied to host");
2729
2730 case Q_PIM:
2731 bpf_error("'pim' modifier applied to host");
2732
2733 case Q_VRRP:
2734 bpf_error("'vrrp' modifier applied to host");
2735
2736 case Q_ATALK:
2737 bpf_error("ATALK host filtering not implemented");
2738
2739 case Q_AARP:
2740 bpf_error("AARP host filtering not implemented");
2741
2742 case Q_DECNET:
2743 bpf_error("'decnet' modifier applied to ip6 host");
2744
2745 case Q_SCA:
2746 bpf_error("SCA host filtering not implemented");
2747
2748 case Q_LAT:
2749 bpf_error("LAT host filtering not implemented");
2750
2751 case Q_MOPDL:
2752 bpf_error("MOPDL host filtering not implemented");
2753
2754 case Q_MOPRC:
2755 bpf_error("MOPRC host filtering not implemented");
2756
2757 case Q_IPV6:
2758 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6,
2759 off_nl + 8, off_nl + 24);
2760
2761 case Q_ICMPV6:
2762 bpf_error("'icmp6' modifier applied to host");
2763
2764 case Q_AH:
2765 bpf_error("'ah' modifier applied to host");
2766
2767 case Q_ESP:
2768 bpf_error("'esp' modifier applied to host");
2769
2770 case Q_ISO:
2771 bpf_error("ISO host filtering not implemented");
2772
2773 case Q_ESIS:
2774 bpf_error("'esis' modifier applied to host");
2775
2776 case Q_ISIS:
2777 bpf_error("'isis' modifier applied to host");
2778
2779 case Q_CLNP:
2780 bpf_error("'clnp' modifier applied to host");
2781
2782 case Q_STP:
2783 bpf_error("'stp' modifier applied to host");
2784
2785 case Q_IPX:
2786 bpf_error("IPX host filtering not implemented");
2787
2788 case Q_NETBEUI:
2789 bpf_error("'netbeui' modifier applied to host");
2790
2791 default:
2792 abort();
2793 }
2794 /* NOTREACHED */
2795 }
2796 #endif /*INET6*/
2797
2798 #ifndef INET6
2799 static struct block *
2800 gen_gateway(eaddr, alist, proto, dir)
2801 const u_char *eaddr;
2802 bpf_u_int32 **alist;
2803 int proto;
2804 int dir;
2805 {
2806 struct block *b0, *b1, *tmp;
2807
2808 if (dir != 0)
2809 bpf_error("direction applied to 'gateway'");
2810
2811 switch (proto) {
2812 case Q_DEFAULT:
2813 case Q_IP:
2814 case Q_ARP:
2815 case Q_RARP:
2816 if (linktype == DLT_EN10MB)
2817 b0 = gen_ehostop(eaddr, Q_OR);
2818 else if (linktype == DLT_FDDI)
2819 b0 = gen_fhostop(eaddr, Q_OR);
2820 else if (linktype == DLT_IEEE802)
2821 b0 = gen_thostop(eaddr, Q_OR);
2822 else if (linktype == DLT_IEEE802_11)
2823 b0 = gen_wlanhostop(eaddr, Q_OR);
2824 else if (linktype == DLT_SUNATM && is_lane) {
2825 /*
2826 * Check that the packet doesn't begin with an
2827 * LE Control marker. (We've already generated
2828 * a test for LANE.)
2829 */
2830 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
2831 gen_not(b1);
2832
2833 /*
2834 * Now check the MAC address.
2835 */
2836 b0 = gen_ehostop(eaddr, Q_OR);
2837 gen_and(b1, b0);
2838 } else if (linktype == DLT_IP_OVER_FC)
2839 b0 = gen_ipfchostop(eaddr, Q_OR);
2840 else
2841 bpf_error(
2842 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
2843
2844 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2845 while (*alist) {
2846 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2847 gen_or(b1, tmp);
2848 b1 = tmp;
2849 }
2850 gen_not(b1);
2851 gen_and(b0, b1);
2852 return b1;
2853 }
2854 bpf_error("illegal modifier of 'gateway'");
2855 /* NOTREACHED */
2856 }
2857 #endif
2858
2859 struct block *
2860 gen_proto_abbrev(proto)
2861 int proto;
2862 {
2863 struct block *b0;
2864 struct block *b1;
2865
2866 switch (proto) {
2867
2868 case Q_SCTP:
2869 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
2870 #ifdef INET6
2871 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
2872 gen_or(b0, b1);
2873 #endif
2874 break;
2875
2876 case Q_TCP:
2877 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
2878 #ifdef INET6
2879 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
2880 gen_or(b0, b1);
2881 #endif
2882 break;
2883
2884 case Q_UDP:
2885 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
2886 #ifdef INET6
2887 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
2888 gen_or(b0, b1);
2889 #endif
2890 break;
2891
2892 case Q_ICMP:
2893 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
2894 break;
2895
2896 #ifndef IPPROTO_IGMP
2897 #define IPPROTO_IGMP 2
2898 #endif
2899
2900 case Q_IGMP:
2901 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
2902 break;
2903
2904 #ifndef IPPROTO_IGRP
2905 #define IPPROTO_IGRP 9
2906 #endif
2907 case Q_IGRP:
2908 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
2909 break;
2910
2911 #ifndef IPPROTO_PIM
2912 #define IPPROTO_PIM 103
2913 #endif
2914
2915 case Q_PIM:
2916 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
2917 #ifdef INET6
2918 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
2919 gen_or(b0, b1);
2920 #endif
2921 break;
2922
2923 #ifndef IPPROTO_VRRP
2924 #define IPPROTO_VRRP 112
2925 #endif
2926
2927 case Q_VRRP:
2928 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
2929 break;
2930
2931 case Q_IP:
2932 b1 = gen_linktype(ETHERTYPE_IP);
2933 break;
2934
2935 case Q_ARP:
2936 b1 = gen_linktype(ETHERTYPE_ARP);
2937 break;
2938
2939 case Q_RARP:
2940 b1 = gen_linktype(ETHERTYPE_REVARP);
2941 break;
2942
2943 case Q_LINK:
2944 bpf_error("link layer applied in wrong context");
2945
2946 case Q_ATALK:
2947 b1 = gen_linktype(ETHERTYPE_ATALK);
2948 break;
2949
2950 case Q_AARP:
2951 b1 = gen_linktype(ETHERTYPE_AARP);
2952 break;
2953
2954 case Q_DECNET:
2955 b1 = gen_linktype(ETHERTYPE_DN);
2956 break;
2957
2958 case Q_SCA:
2959 b1 = gen_linktype(ETHERTYPE_SCA);
2960 break;
2961
2962 case Q_LAT:
2963 b1 = gen_linktype(ETHERTYPE_LAT);
2964 break;
2965
2966 case Q_MOPDL:
2967 b1 = gen_linktype(ETHERTYPE_MOPDL);
2968 break;
2969
2970 case Q_MOPRC:
2971 b1 = gen_linktype(ETHERTYPE_MOPRC);
2972 break;
2973
2974 #ifdef INET6
2975 case Q_IPV6:
2976 b1 = gen_linktype(ETHERTYPE_IPV6);
2977 break;
2978
2979 #ifndef IPPROTO_ICMPV6
2980 #define IPPROTO_ICMPV6 58
2981 #endif
2982 case Q_ICMPV6:
2983 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
2984 break;
2985 #endif /* INET6 */
2986
2987 #ifndef IPPROTO_AH
2988 #define IPPROTO_AH 51
2989 #endif
2990 case Q_AH:
2991 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
2992 #ifdef INET6
2993 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
2994 gen_or(b0, b1);
2995 #endif
2996 break;
2997
2998 #ifndef IPPROTO_ESP
2999 #define IPPROTO_ESP 50
3000 #endif
3001 case Q_ESP:
3002 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3003 #ifdef INET6
3004 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3005 gen_or(b0, b1);
3006 #endif
3007 break;
3008
3009 case Q_ISO:
3010 b1 = gen_linktype(LLCSAP_ISONS);
3011 break;
3012
3013 case Q_ESIS:
3014 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3015 break;
3016
3017 case Q_ISIS:
3018 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3019 break;
3020
3021 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3022 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3023 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3024 gen_or(b0, b1);
3025 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3026 gen_or(b0, b1);
3027 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3028 gen_or(b0, b1);
3029 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3030 gen_or(b0, b1);
3031 break;
3032
3033 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3034 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3035 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3036 gen_or(b0, b1);
3037 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3038 gen_or(b0, b1);
3039 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3040 gen_or(b0, b1);
3041 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3042 gen_or(b0, b1);
3043 break;
3044
3045 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3046 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3047 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3048 gen_or(b0, b1);
3049 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3050 gen_or(b0, b1);
3051 break;
3052
3053 case Q_ISIS_LSP:
3054 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3055 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3056 gen_or(b0, b1);
3057 break;
3058
3059 case Q_ISIS_SNP:
3060 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3061 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3062 gen_or(b0, b1);
3063 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3064 gen_or(b0, b1);
3065 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3066 gen_or(b0, b1);
3067 break;
3068
3069 case Q_ISIS_CSNP:
3070 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3071 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3072 gen_or(b0, b1);
3073 break;
3074
3075 case Q_ISIS_PSNP:
3076 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3077 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3078 gen_or(b0, b1);
3079 break;
3080
3081 case Q_CLNP:
3082 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3083 break;
3084
3085 case Q_STP:
3086 b1 = gen_linktype(LLCSAP_8021D);
3087 break;
3088
3089 case Q_IPX:
3090 b1 = gen_linktype(LLCSAP_IPX);
3091 break;
3092
3093 case Q_NETBEUI:
3094 b1 = gen_linktype(LLCSAP_NETBEUI);
3095 break;
3096
3097 default:
3098 abort();
3099 }
3100 return b1;
3101 }
3102
3103 static struct block *
3104 gen_ipfrag()
3105 {
3106 struct slist *s;
3107 struct block *b;
3108
3109 /* not ip frag */
3110 s = new_stmt(BPF_LD|BPF_H|BPF_ABS);
3111 s->s.k = off_nl + 6;
3112 b = new_block(JMP(BPF_JSET));
3113 b->s.k = 0x1fff;
3114 b->stmts = s;
3115 gen_not(b);
3116
3117 return b;
3118 }
3119
3120 static struct block *
3121 gen_portatom(off, v)
3122 int off;
3123 bpf_int32 v;
3124 {
3125 struct slist *s;
3126 struct block *b;
3127
3128 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3129 s->s.k = off_nl;
3130
3131 s->next = new_stmt(BPF_LD|BPF_IND|BPF_H);
3132 s->next->s.k = off_nl + off;
3133
3134 b = new_block(JMP(BPF_JEQ));
3135 b->stmts = s;
3136 b->s.k = v;
3137
3138 return b;
3139 }
3140
3141 #ifdef INET6
3142 static struct block *
3143 gen_portatom6(off, v)
3144 int off;
3145 bpf_int32 v;
3146 {
3147 return gen_cmp(off_nl + 40 + off, BPF_H, v);
3148 }
3149 #endif/*INET6*/
3150
3151 struct block *
3152 gen_portop(port, proto, dir)
3153 int port, proto, dir;
3154 {
3155 struct block *b0, *b1, *tmp;
3156
3157 /* ip proto 'proto' */
3158 tmp = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)proto);
3159 b0 = gen_ipfrag();
3160 gen_and(tmp, b0);
3161
3162 switch (dir) {
3163 case Q_SRC:
3164 b1 = gen_portatom(0, (bpf_int32)port);
3165 break;
3166
3167 case Q_DST:
3168 b1 = gen_portatom(2, (bpf_int32)port);
3169 break;
3170
3171 case Q_OR:
3172 case Q_DEFAULT:
3173 tmp = gen_portatom(0, (bpf_int32)port);
3174 b1 = gen_portatom(2, (bpf_int32)port);
3175 gen_or(tmp, b1);
3176 break;
3177
3178 case Q_AND:
3179 tmp = gen_portatom(0, (bpf_int32)port);
3180 b1 = gen_portatom(2, (bpf_int32)port);
3181 gen_and(tmp, b1);
3182 break;
3183
3184 default:
3185 abort();
3186 }
3187 gen_and(b0, b1);
3188
3189 return b1;
3190 }
3191
3192 static struct block *
3193 gen_port(port, ip_proto, dir)
3194 int port;
3195 int ip_proto;
3196 int dir;
3197 {
3198 struct block *b0, *b1, *tmp;
3199
3200 /*
3201 * ether proto ip
3202 *
3203 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3204 * not LLC encapsulation with LLCSAP_IP.
3205 *
3206 * For IEEE 802 networks - which includes 802.5 token ring
3207 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3208 * says that SNAP encapsulation is used, not LLC encapsulation
3209 * with LLCSAP_IP.
3210 *
3211 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3212 * RFC 2225 say that SNAP encapsulation is used, not LLC
3213 * encapsulation with LLCSAP_IP.
3214 *
3215 * So we always check for ETHERTYPE_IP.
3216 */
3217 b0 = gen_linktype(ETHERTYPE_IP);
3218
3219 switch (ip_proto) {
3220 case IPPROTO_UDP:
3221 case IPPROTO_TCP:
3222 case IPPROTO_SCTP:
3223 b1 = gen_portop(port, ip_proto, dir);
3224 break;
3225
3226 case PROTO_UNDEF:
3227 tmp = gen_portop(port, IPPROTO_TCP, dir);
3228 b1 = gen_portop(port, IPPROTO_UDP, dir);
3229 gen_or(tmp, b1);
3230 tmp = gen_portop(port, IPPROTO_SCTP, dir);
3231 gen_or(tmp, b1);
3232 break;
3233
3234 default:
3235 abort();
3236 }
3237 gen_and(b0, b1);
3238 return b1;
3239 }
3240
3241 #ifdef INET6
3242 struct block *
3243 gen_portop6(port, proto, dir)
3244 int port, proto, dir;
3245 {
3246 struct block *b0, *b1, *tmp;
3247
3248 /* ip proto 'proto' */
3249 b0 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)proto);
3250
3251 switch (dir) {
3252 case Q_SRC:
3253 b1 = gen_portatom6(0, (bpf_int32)port);
3254 break;
3255
3256 case Q_DST:
3257 b1 = gen_portatom6(2, (bpf_int32)port);
3258 break;
3259
3260 case Q_OR:
3261 case Q_DEFAULT:
3262 tmp = gen_portatom6(0, (bpf_int32)port);
3263 b1 = gen_portatom6(2, (bpf_int32)port);
3264 gen_or(tmp, b1);
3265 break;
3266
3267 case Q_AND:
3268 tmp = gen_portatom6(0, (bpf_int32)port);
3269 b1 = gen_portatom6(2, (bpf_int32)port);
3270 gen_and(tmp, b1);
3271 break;
3272
3273 default:
3274 abort();
3275 }
3276 gen_and(b0, b1);
3277
3278 return b1;
3279 }
3280
3281 static struct block *
3282 gen_port6(port, ip_proto, dir)
3283 int port;
3284 int ip_proto;
3285 int dir;
3286 {
3287 struct block *b0, *b1, *tmp;
3288
3289 /* ether proto ip */
3290 b0 = gen_linktype(ETHERTYPE_IPV6);
3291
3292 switch (ip_proto) {
3293 case IPPROTO_UDP:
3294 case IPPROTO_TCP:
3295 case IPPROTO_SCTP:
3296 b1 = gen_portop6(port, ip_proto, dir);
3297 break;
3298
3299 case PROTO_UNDEF:
3300 tmp = gen_portop6(port, IPPROTO_TCP, dir);
3301 b1 = gen_portop6(port, IPPROTO_UDP, dir);
3302 gen_or(tmp, b1);
3303 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
3304 gen_or(tmp, b1);
3305 break;
3306
3307 default:
3308 abort();
3309 }
3310 gen_and(b0, b1);
3311 return b1;
3312 }
3313 #endif /* INET6 */
3314
3315 static int
3316 lookup_proto(name, proto)
3317 register const char *name;
3318 register int proto;
3319 {
3320 register int v;
3321
3322 switch (proto) {
3323
3324 case Q_DEFAULT:
3325 case Q_IP:
3326 case Q_IPV6:
3327 v = pcap_nametoproto(name);
3328 if (v == PROTO_UNDEF)
3329 bpf_error("unknown ip proto '%s'", name);
3330 break;
3331
3332 case Q_LINK:
3333 /* XXX should look up h/w protocol type based on linktype */
3334 v = pcap_nametoeproto(name);
3335 if (v == PROTO_UNDEF)
3336 bpf_error("unknown ether proto '%s'", name);
3337 break;
3338
3339 case Q_ISO:
3340 if (strcmp(name, "esis") == 0)
3341 v = ISO9542_ESIS;
3342 else if (strcmp(name, "isis") == 0)
3343 v = ISO10589_ISIS;
3344 else if (strcmp(name, "clnp") == 0)
3345 v = ISO8473_CLNP;
3346 else
3347 bpf_error("unknown osi proto '%s'", name);
3348 break;
3349
3350 default:
3351 v = PROTO_UNDEF;
3352 break;
3353 }
3354 return v;
3355 }
3356
3357 #if 0
3358 struct stmt *
3359 gen_joinsp(s, n)
3360 struct stmt **s;
3361 int n;
3362 {
3363 return NULL;
3364 }
3365 #endif
3366
3367 static struct block *
3368 gen_protochain(v, proto, dir)
3369 int v;
3370 int proto;
3371 int dir;
3372 {
3373 #ifdef NO_PROTOCHAIN
3374 return gen_proto(v, proto, dir);
3375 #else
3376 struct block *b0, *b;
3377 struct slist *s[100];
3378 int fix2, fix3, fix4, fix5;
3379 int ahcheck, again, end;
3380 int i, max;
3381 int reg2 = alloc_reg();
3382
3383 memset(s, 0, sizeof(s));
3384 fix2 = fix3 = fix4 = fix5 = 0;
3385
3386 switch (proto) {
3387 case Q_IP:
3388 case Q_IPV6:
3389 break;
3390 case Q_DEFAULT:
3391 b0 = gen_protochain(v, Q_IP, dir);
3392 b = gen_protochain(v, Q_IPV6, dir);
3393 gen_or(b0, b);
3394 return b;
3395 default:
3396 bpf_error("bad protocol applied for 'protochain'");
3397 /*NOTREACHED*/
3398 }
3399
3400 no_optimize = 1; /*this code is not compatible with optimzer yet */
3401
3402 /*
3403 * s[0] is a dummy entry to protect other BPF insn from damaged
3404 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
3405 * hard to find interdependency made by jump table fixup.
3406 */
3407 i = 0;
3408 s[i] = new_stmt(0); /*dummy*/
3409 i++;
3410
3411 switch (proto) {
3412 case Q_IP:
3413 b0 = gen_linktype(ETHERTYPE_IP);
3414
3415 /* A = ip->ip_p */
3416 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3417 s[i]->s.k = off_nl + 9;
3418 i++;
3419 /* X = ip->ip_hl << 2 */
3420 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3421 s[i]->s.k = off_nl;
3422 i++;
3423 break;
3424 #ifdef INET6
3425 case Q_IPV6:
3426 b0 = gen_linktype(ETHERTYPE_IPV6);
3427
3428 /* A = ip6->ip_nxt */
3429 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3430 s[i]->s.k = off_nl + 6;
3431 i++;
3432 /* X = sizeof(struct ip6_hdr) */
3433 s[i] = new_stmt(BPF_LDX|BPF_IMM);
3434 s[i]->s.k = 40;
3435 i++;
3436 break;
3437 #endif
3438 default:
3439 bpf_error("unsupported proto to gen_protochain");
3440 /*NOTREACHED*/
3441 }
3442
3443 /* again: if (A == v) goto end; else fall through; */
3444 again = i;
3445 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3446 s[i]->s.k = v;
3447 s[i]->s.jt = NULL; /*later*/
3448 s[i]->s.jf = NULL; /*update in next stmt*/
3449 fix5 = i;
3450 i++;
3451
3452 #ifndef IPPROTO_NONE
3453 #define IPPROTO_NONE 59
3454 #endif
3455 /* if (A == IPPROTO_NONE) goto end */
3456 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3457 s[i]->s.jt = NULL; /*later*/
3458 s[i]->s.jf = NULL; /*update in next stmt*/
3459 s[i]->s.k = IPPROTO_NONE;
3460 s[fix5]->s.jf = s[i];
3461 fix2 = i;
3462 i++;
3463
3464 #ifdef INET6
3465 if (proto == Q_IPV6) {
3466 int v6start, v6end, v6advance, j;
3467
3468 v6start = i;
3469 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
3470 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3471 s[i]->s.jt = NULL; /*later*/
3472 s[i]->s.jf = NULL; /*update in next stmt*/
3473 s[i]->s.k = IPPROTO_HOPOPTS;
3474 s[fix2]->s.jf = s[i];
3475 i++;
3476 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
3477 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3478 s[i]->s.jt = NULL; /*later*/
3479 s[i]->s.jf = NULL; /*update in next stmt*/
3480 s[i]->s.k = IPPROTO_DSTOPTS;
3481 i++;
3482 /* if (A == IPPROTO_ROUTING) goto v6advance */
3483 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3484 s[i]->s.jt = NULL; /*later*/
3485 s[i]->s.jf = NULL; /*update in next stmt*/
3486 s[i]->s.k = IPPROTO_ROUTING;
3487 i++;
3488 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
3489 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3490 s[i]->s.jt = NULL; /*later*/
3491 s[i]->s.jf = NULL; /*later*/
3492 s[i]->s.k = IPPROTO_FRAGMENT;
3493 fix3 = i;
3494 v6end = i;
3495 i++;
3496
3497 /* v6advance: */
3498 v6advance = i;
3499
3500 /*
3501 * in short,
3502 * A = P[X];
3503 * X = X + (P[X + 1] + 1) * 8;
3504 */
3505 /* A = X */
3506 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3507 i++;
3508 /* A = P[X + packet head] */
3509 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3510 s[i]->s.k = off_nl;
3511 i++;
3512 /* MEM[reg2] = A */
3513 s[i] = new_stmt(BPF_ST);
3514 s[i]->s.k = reg2;
3515 i++;
3516 /* A = X */
3517 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3518 i++;
3519 /* A += 1 */
3520 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3521 s[i]->s.k = 1;
3522 i++;
3523 /* X = A */
3524 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3525 i++;
3526 /* A = P[X + packet head]; */
3527 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3528 s[i]->s.k = off_nl;
3529 i++;
3530 /* A += 1 */
3531 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3532 s[i]->s.k = 1;
3533 i++;
3534 /* A *= 8 */
3535 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3536 s[i]->s.k = 8;
3537 i++;
3538 /* X = A; */
3539 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3540 i++;
3541 /* A = MEM[reg2] */
3542 s[i] = new_stmt(BPF_LD|BPF_MEM);
3543 s[i]->s.k = reg2;
3544 i++;
3545
3546 /* goto again; (must use BPF_JA for backward jump) */
3547 s[i] = new_stmt(BPF_JMP|BPF_JA);
3548 s[i]->s.k = again - i - 1;
3549 s[i - 1]->s.jf = s[i];
3550 i++;
3551
3552 /* fixup */
3553 for (j = v6start; j <= v6end; j++)
3554 s[j]->s.jt = s[v6advance];
3555 } else
3556 #endif
3557 {
3558 /* nop */
3559 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3560 s[i]->s.k = 0;
3561 s[fix2]->s.jf = s[i];
3562 i++;
3563 }
3564
3565 /* ahcheck: */
3566 ahcheck = i;
3567 /* if (A == IPPROTO_AH) then fall through; else goto end; */
3568 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3569 s[i]->s.jt = NULL; /*later*/
3570 s[i]->s.jf = NULL; /*later*/
3571 s[i]->s.k = IPPROTO_AH;
3572 if (fix3)
3573 s[fix3]->s.jf = s[ahcheck];
3574 fix4 = i;
3575 i++;
3576
3577 /*
3578 * in short,
3579 * A = P[X];
3580 * X = X + (P[X + 1] + 2) * 4;
3581 */
3582 /* A = X */
3583 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3584 i++;
3585 /* A = P[X + packet head]; */
3586 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3587 s[i]->s.k = off_nl;
3588 i++;
3589 /* MEM[reg2] = A */
3590 s[i] = new_stmt(BPF_ST);
3591 s[i]->s.k = reg2;
3592 i++;
3593 /* A = X */
3594 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3595 i++;
3596 /* A += 1 */
3597 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3598 s[i]->s.k = 1;
3599 i++;
3600 /* X = A */
3601 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3602 i++;
3603 /* A = P[X + packet head] */
3604 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3605 s[i]->s.k = off_nl;
3606 i++;
3607 /* A += 2 */
3608 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3609 s[i]->s.k = 2;
3610 i++;
3611 /* A *= 4 */
3612 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3613 s[i]->s.k = 4;
3614 i++;
3615 /* X = A; */
3616 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3617 i++;
3618 /* A = MEM[reg2] */
3619 s[i] = new_stmt(BPF_LD|BPF_MEM);
3620 s[i]->s.k = reg2;
3621 i++;
3622
3623 /* goto again; (must use BPF_JA for backward jump) */
3624 s[i] = new_stmt(BPF_JMP|BPF_JA);
3625 s[i]->s.k = again - i - 1;
3626 i++;
3627
3628 /* end: nop */
3629 end = i;
3630 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3631 s[i]->s.k = 0;
3632 s[fix2]->s.jt = s[end];
3633 s[fix4]->s.jf = s[end];
3634 s[fix5]->s.jt = s[end];
3635 i++;
3636
3637 /*
3638 * make slist chain
3639 */
3640 max = i;
3641 for (i = 0; i < max - 1; i++)
3642 s[i]->next = s[i + 1];
3643 s[max - 1]->next = NULL;
3644
3645 /*
3646 * emit final check
3647 */
3648 b = new_block(JMP(BPF_JEQ));
3649 b->stmts = s[1]; /*remember, s[0] is dummy*/
3650 b->s.k = v;
3651
3652 free_reg(reg2);
3653
3654 gen_and(b0, b);
3655 return b;
3656 #endif
3657 }
3658
3659 static struct block *
3660 gen_proto(v, proto, dir)
3661 int v;
3662 int proto;
3663 int dir;
3664 {
3665 struct block *b0, *b1;
3666
3667 if (dir != Q_DEFAULT)
3668 bpf_error("direction applied to 'proto'");
3669
3670 switch (proto) {
3671 case Q_DEFAULT:
3672 #ifdef INET6
3673 b0 = gen_proto(v, Q_IP, dir);
3674 b1 = gen_proto(v, Q_IPV6, dir);
3675 gen_or(b0, b1);
3676 return b1;
3677 #else
3678 /*FALLTHROUGH*/
3679 #endif
3680 case Q_IP:
3681 /*
3682 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3683 * not LLC encapsulation with LLCSAP_IP.
3684 *
3685 * For IEEE 802 networks - which includes 802.5 token ring
3686 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3687 * says that SNAP encapsulation is used, not LLC encapsulation
3688 * with LLCSAP_IP.
3689 *
3690 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3691 * RFC 2225 say that SNAP encapsulation is used, not LLC
3692 * encapsulation with LLCSAP_IP.
3693 *
3694 * So we always check for ETHERTYPE_IP.
3695 */
3696 b0 = gen_linktype(ETHERTYPE_IP);
3697 #ifndef CHASE_CHAIN
3698 b1 = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)v);
3699 #else
3700 b1 = gen_protochain(v, Q_IP);
3701 #endif
3702 gen_and(b0, b1);
3703 return b1;
3704
3705 case Q_ISO:
3706 switch (linktype) {
3707
3708 case DLT_FRELAY:
3709 /*
3710 * Frame Relay packets typically have an OSI
3711 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
3712 * generates code to check for all the OSI
3713 * NLPIDs, so calling it and then adding a check
3714 * for the particular NLPID for which we're
3715 * looking is bogus, as we can just check for
3716 * the NLPID.
3717 *
3718 * What we check for is the NLPID and a frame
3719 * control field value of UI, i.e. 0x03 followed
3720 * by the NLPID.
3721 *
3722 * XXX - assumes a 2-byte Frame Relay header with
3723 * DLCI and flags. What if the address is longer?
3724 *
3725 * XXX - what about SNAP-encapsulated frames?
3726 */
3727 return gen_cmp(2, BPF_H, (0x03<<8) | v);
3728 /*NOTREACHED*/
3729 break;
3730
3731 case DLT_C_HDLC:
3732 /*
3733 * Cisco uses an Ethertype lookalike - for OSI,
3734 * it's 0xfefe.
3735 */
3736 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
3737 /* OSI in C-HDLC is stuffed with a fudge byte */
3738 b1 = gen_cmp(off_nl_nosnap+1, BPF_B, (long)v);
3739 gen_and(b0, b1);
3740 return b1;
3741
3742 default:
3743 b0 = gen_linktype(LLCSAP_ISONS);
3744 b1 = gen_cmp(off_nl_nosnap, BPF_B, (long)v);
3745 gen_and(b0, b1);
3746 return b1;
3747 }
3748
3749 case Q_ISIS:
3750 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3751 /*
3752 * 4 is the offset of the PDU type relative to the IS-IS
3753 * header.
3754 */
3755 b1 = gen_cmp(off_nl_nosnap+4, BPF_B, (long)v);
3756 gen_and(b0, b1);
3757 return b1;
3758
3759 case Q_ARP:
3760 bpf_error("arp does not encapsulate another protocol");
3761 /* NOTREACHED */
3762
3763 case Q_RARP:
3764 bpf_error("rarp does not encapsulate another protocol");
3765 /* NOTREACHED */
3766
3767 case Q_ATALK:
3768 bpf_error("atalk encapsulation is not specifiable");
3769 /* NOTREACHED */
3770
3771 case Q_DECNET:
3772 bpf_error("decnet encapsulation is not specifiable");
3773 /* NOTREACHED */
3774
3775 case Q_SCA:
3776 bpf_error("sca does not encapsulate another protocol");
3777 /* NOTREACHED */
3778
3779 case Q_LAT:
3780 bpf_error("lat does not encapsulate another protocol");
3781 /* NOTREACHED */
3782
3783 case Q_MOPRC:
3784 bpf_error("moprc does not encapsulate another protocol");
3785 /* NOTREACHED */
3786
3787 case Q_MOPDL:
3788 bpf_error("mopdl does not encapsulate another protocol");
3789 /* NOTREACHED */
3790
3791 case Q_LINK:
3792 return gen_linktype(v);
3793
3794 case Q_UDP:
3795 bpf_error("'udp proto' is bogus");
3796 /* NOTREACHED */
3797
3798 case Q_TCP:
3799 bpf_error("'tcp proto' is bogus");
3800 /* NOTREACHED */
3801
3802 case Q_SCTP:
3803 bpf_error("'sctp proto' is bogus");
3804 /* NOTREACHED */
3805
3806 case Q_ICMP:
3807 bpf_error("'icmp proto' is bogus");
3808 /* NOTREACHED */
3809
3810 case Q_IGMP:
3811 bpf_error("'igmp proto' is bogus");
3812 /* NOTREACHED */
3813
3814 case Q_IGRP:
3815 bpf_error("'igrp proto' is bogus");
3816 /* NOTREACHED */
3817
3818 case Q_PIM:
3819 bpf_error("'pim proto' is bogus");
3820 /* NOTREACHED */
3821
3822 case Q_VRRP:
3823 bpf_error("'vrrp proto' is bogus");
3824 /* NOTREACHED */
3825
3826 #ifdef INET6
3827 case Q_IPV6:
3828 b0 = gen_linktype(ETHERTYPE_IPV6);
3829 #ifndef CHASE_CHAIN
3830 b1 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)v);
3831 #else
3832 b1 = gen_protochain(v, Q_IPV6);
3833 #endif
3834 gen_and(b0, b1);
3835 return b1;
3836
3837 case Q_ICMPV6:
3838 bpf_error("'icmp6 proto' is bogus");
3839 #endif /* INET6 */
3840
3841 case Q_AH:
3842 bpf_error("'ah proto' is bogus");
3843
3844 case Q_ESP:
3845 bpf_error("'ah proto' is bogus");
3846
3847 case Q_STP:
3848 bpf_error("'stp proto' is bogus");
3849
3850 case Q_IPX:
3851 bpf_error("'ipx proto' is bogus");
3852
3853 case Q_NETBEUI:
3854 bpf_error("'netbeui proto' is bogus");
3855
3856 default:
3857 abort();
3858 /* NOTREACHED */
3859 }
3860 /* NOTREACHED */
3861 }
3862
3863 struct block *
3864 gen_scode(name, q)
3865 register const char *name;
3866 struct qual q;
3867 {
3868 int proto = q.proto;
3869 int dir = q.dir;
3870 int tproto;
3871 u_char *eaddr;
3872 bpf_u_int32 mask, addr;
3873 #ifndef INET6
3874 bpf_u_int32 **alist;
3875 #else
3876 int tproto6;
3877 struct sockaddr_in *sin;
3878 struct sockaddr_in6 *sin6;
3879 struct addrinfo *res, *res0;
3880 struct in6_addr mask128;
3881 #endif /*INET6*/
3882 struct block *b, *tmp;
3883 int port, real_proto;
3884
3885 switch (q.addr) {
3886
3887 case Q_NET:
3888 addr = pcap_nametonetaddr(name);
3889 if (addr == 0)
3890 bpf_error("unknown network '%s'", name);
3891 /* Left justify network addr and calculate its network mask */
3892 mask = 0xffffffff;
3893 while (addr && (addr & 0xff000000) == 0) {
3894 addr <<= 8;
3895 mask <<= 8;
3896 }
3897 return gen_host(addr, mask, proto, dir);
3898
3899 case Q_DEFAULT:
3900 case Q_HOST:
3901 if (proto == Q_LINK) {
3902 switch (linktype) {
3903
3904 case DLT_EN10MB:
3905 eaddr = pcap_ether_hostton(name);
3906 if (eaddr == NULL)
3907 bpf_error(
3908 "unknown ether host '%s'", name);
3909 b = gen_ehostop(eaddr, dir);
3910 free(eaddr);
3911 return b;
3912
3913 case DLT_FDDI:
3914 eaddr = pcap_ether_hostton(name);
3915 if (eaddr == NULL)
3916 bpf_error(
3917 "unknown FDDI host '%s'", name);
3918 b = gen_fhostop(eaddr, dir);
3919 free(eaddr);
3920 return b;
3921
3922 case DLT_IEEE802:
3923 eaddr = pcap_ether_hostton(name);
3924 if (eaddr == NULL)
3925 bpf_error(
3926 "unknown token ring host '%s'", name);
3927 b = gen_thostop(eaddr, dir);
3928 free(eaddr);
3929 return b;
3930
3931 case DLT_IEEE802_11:
3932 eaddr = pcap_ether_hostton(name);
3933 if (eaddr == NULL)
3934 bpf_error(
3935 "unknown 802.11 host '%s'", name);
3936 b = gen_wlanhostop(eaddr, dir);
3937 free(eaddr);
3938 return b;
3939
3940 case DLT_IP_OVER_FC:
3941 eaddr = pcap_ether_hostton(name);
3942 if (eaddr == NULL)
3943 bpf_error(
3944 "unknown Fibre Channel host '%s'", name);
3945 b = gen_ipfchostop(eaddr, dir);
3946 free(eaddr);
3947 return b;
3948
3949 case DLT_SUNATM:
3950 if (!is_lane)
3951 break;
3952
3953 /*
3954 * Check that the packet doesn't begin
3955 * with an LE Control marker. (We've
3956 * already generated a test for LANE.)
3957 */
3958 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H,
3959 0xFF00);
3960 gen_not(tmp);
3961
3962 eaddr = pcap_ether_hostton(name);
3963 if (eaddr == NULL)
3964 bpf_error(
3965 "unknown ether host '%s'", name);
3966 b = gen_ehostop(eaddr, dir);
3967 gen_and(tmp, b);
3968 free(eaddr);
3969 return b;
3970 }
3971
3972 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
3973 } else if (proto == Q_DECNET) {
3974 unsigned short dn_addr = __pcap_nametodnaddr(name);
3975 /*
3976 * I don't think DECNET hosts can be multihomed, so
3977 * there is no need to build up a list of addresses
3978 */
3979 return (gen_host(dn_addr, 0, proto, dir));
3980 } else {
3981 #ifndef INET6
3982 alist = pcap_nametoaddr(name);
3983 if (alist == NULL || *alist == NULL)
3984 bpf_error("unknown host '%s'", name);
3985 tproto = proto;
3986 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
3987 tproto = Q_IP;
3988 b = gen_host(**alist++, 0xffffffff, tproto, dir);
3989 while (*alist) {
3990 tmp = gen_host(**alist++, 0xffffffff,
3991 tproto, dir);
3992 gen_or(b, tmp);
3993 b = tmp;
3994 }
3995 return b;
3996 #else
3997 memset(&mask128, 0xff, sizeof(mask128));
3998 res0 = res = pcap_nametoaddrinfo(name);
3999 if (res == NULL)
4000 bpf_error("unknown host '%s'", name);
4001 b = tmp = NULL;
4002 tproto = tproto6 = proto;
4003 if (off_linktype == -1 && tproto == Q_DEFAULT) {
4004 tproto = Q_IP;
4005 tproto6 = Q_IPV6;
4006 }
4007 for (res = res0; res; res = res->ai_next) {
4008 switch (res->ai_family) {
4009 case AF_INET:
4010 if (tproto == Q_IPV6)
4011 continue;
4012
4013 sin = (struct sockaddr_in *)
4014 res->ai_addr;
4015 tmp = gen_host(ntohl(sin->sin_addr.s_addr),
4016 0xffffffff, tproto, dir);
4017 break;
4018 case AF_INET6:
4019 if (tproto6 == Q_IP)
4020 continue;
4021
4022 sin6 = (struct sockaddr_in6 *)
4023 res->ai_addr;
4024 tmp = gen_host6(&sin6->sin6_addr,
4025 &mask128, tproto6, dir);
4026 break;
4027 default:
4028 continue;
4029 }
4030 if (b)
4031 gen_or(b, tmp);
4032 b = tmp;
4033 }
4034 freeaddrinfo(res0);
4035 if (b == NULL) {
4036 bpf_error("unknown host '%s'%s", name,
4037 (proto == Q_DEFAULT)
4038 ? ""
4039 : " for specified address family");
4040 }
4041 return b;
4042 #endif /*INET6*/
4043 }
4044
4045 case Q_PORT:
4046 if (proto != Q_DEFAULT &&
4047 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4048 bpf_error("illegal qualifier of 'port'");
4049 if (pcap_nametoport(name, &port, &real_proto) == 0)
4050 bpf_error("unknown port '%s'", name);
4051 if (proto == Q_UDP) {
4052 if (real_proto == IPPROTO_TCP)
4053 bpf_error("port '%s' is tcp", name);
4054 else if (real_proto == IPPROTO_SCTP)
4055 bpf_error("port '%s' is sctp", name);
4056 else
4057 /* override PROTO_UNDEF */
4058 real_proto = IPPROTO_UDP;
4059 }
4060 if (proto == Q_TCP) {
4061 if (real_proto == IPPROTO_UDP)
4062 bpf_error("port '%s' is udp", name);
4063
4064 else if (real_proto == IPPROTO_SCTP)
4065 bpf_error("port '%s' is sctp", name);
4066 else
4067 /* override PROTO_UNDEF */
4068 real_proto = IPPROTO_TCP;
4069 }
4070 if (proto == Q_SCTP) {
4071 if (real_proto == IPPROTO_UDP)
4072 bpf_error("port '%s' is udp", name);
4073
4074 else if (real_proto == IPPROTO_TCP)
4075 bpf_error("port '%s' is tcp", name);
4076 else
4077 /* override PROTO_UNDEF */
4078 real_proto = IPPROTO_SCTP;
4079 }
4080 #ifndef INET6
4081 return gen_port(port, real_proto, dir);
4082 #else
4083 {
4084 struct block *b;
4085 b = gen_port(port, real_proto, dir);
4086 gen_or(gen_port6(port, real_proto, dir), b);
4087 return b;
4088 }
4089 #endif /* INET6 */
4090
4091 case Q_GATEWAY:
4092 #ifndef INET6
4093 eaddr = pcap_ether_hostton(name);
4094 if (eaddr == NULL)
4095 bpf_error("unknown ether host: %s", name);
4096
4097 alist = pcap_nametoaddr(name);
4098 if (alist == NULL || *alist == NULL)
4099 bpf_error("unknown host '%s'", name);
4100 b = gen_gateway(eaddr, alist, proto, dir);
4101 free(eaddr);
4102 return b;
4103 #else
4104 bpf_error("'gateway' not supported in this configuration");
4105 #endif /*INET6*/
4106
4107 case Q_PROTO:
4108 real_proto = lookup_proto(name, proto);
4109 if (real_proto >= 0)
4110 return gen_proto(real_proto, proto, dir);
4111 else
4112 bpf_error("unknown protocol: %s", name);
4113
4114 case Q_PROTOCHAIN:
4115 real_proto = lookup_proto(name, proto);
4116 if (real_proto >= 0)
4117 return gen_protochain(real_proto, proto, dir);
4118 else
4119 bpf_error("unknown protocol: %s", name);
4120
4121
4122 case Q_UNDEF:
4123 syntax();
4124 /* NOTREACHED */
4125 }
4126 abort();
4127 /* NOTREACHED */
4128 }
4129
4130 struct block *
4131 gen_mcode(s1, s2, masklen, q)
4132 register const char *s1, *s2;
4133 register int masklen;
4134 struct qual q;
4135 {
4136 register int nlen, mlen;
4137 bpf_u_int32 n, m;
4138
4139 nlen = __pcap_atoin(s1, &n);
4140 /* Promote short ipaddr */
4141 n <<= 32 - nlen;
4142
4143 if (s2 != NULL) {
4144 mlen = __pcap_atoin(s2, &m);
4145 /* Promote short ipaddr */
4146 m <<= 32 - mlen;
4147 if ((n & ~m) != 0)
4148 bpf_error("non-network bits set in \"%s mask %s\"",
4149 s1, s2);
4150 } else {
4151 /* Convert mask len to mask */
4152 if (masklen > 32)
4153 bpf_error("mask length must be <= 32");
4154 m = 0xffffffff << (32 - masklen);
4155 if ((n & ~m) != 0)
4156 bpf_error("non-network bits set in \"%s/%d\"",
4157 s1, masklen);
4158 }
4159
4160 switch (q.addr) {
4161
4162 case Q_NET:
4163 return gen_host(n, m, q.proto, q.dir);
4164
4165 default:
4166 bpf_error("Mask syntax for networks only");
4167 /* NOTREACHED */
4168 }
4169 /* NOTREACHED */
4170 }
4171
4172 struct block *
4173 gen_ncode(s, v, q)
4174 register const char *s;
4175 bpf_u_int32 v;
4176 struct qual q;
4177 {
4178 bpf_u_int32 mask;
4179 int proto = q.proto;
4180 int dir = q.dir;
4181 register int vlen;
4182
4183 if (s == NULL)
4184 vlen = 32;
4185 else if (q.proto == Q_DECNET)
4186 vlen = __pcap_atodn(s, &v);
4187 else
4188 vlen = __pcap_atoin(s, &v);
4189
4190 switch (q.addr) {
4191
4192 case Q_DEFAULT:
4193 case Q_HOST:
4194 case Q_NET:
4195 if (proto == Q_DECNET)
4196 return gen_host(v, 0, proto, dir);
4197 else if (proto == Q_LINK) {
4198 bpf_error("illegal link layer address");
4199 } else {
4200 mask = 0xffffffff;
4201 if (s == NULL && q.addr == Q_NET) {
4202 /* Promote short net number */
4203 while (v && (v & 0xff000000) == 0) {
4204 v <<= 8;
4205 mask <<= 8;
4206 }
4207 } else {
4208 /* Promote short ipaddr */
4209 v <<= 32 - vlen;
4210 mask <<= 32 - vlen;
4211 }
4212 return gen_host(v, mask, proto, dir);
4213 }
4214
4215 case Q_PORT:
4216 if (proto == Q_UDP)
4217 proto = IPPROTO_UDP;
4218 else if (proto == Q_TCP)
4219 proto = IPPROTO_TCP;
4220 else if (proto == Q_SCTP)
4221 proto = IPPROTO_SCTP;
4222 else if (proto == Q_DEFAULT)
4223 proto = PROTO_UNDEF;
4224 else
4225 bpf_error("illegal qualifier of 'port'");
4226
4227 #ifndef INET6
4228 return gen_port((int)v, proto, dir);
4229 #else
4230 {
4231 struct block *b;
4232 b = gen_port((int)v, proto, dir);
4233 gen_or(gen_port6((int)v, proto, dir), b);
4234 return b;
4235 }
4236 #endif /* INET6 */
4237
4238 case Q_GATEWAY:
4239 bpf_error("'gateway' requires a name");
4240 /* NOTREACHED */
4241
4242 case Q_PROTO:
4243 return gen_proto((int)v, proto, dir);
4244
4245 case Q_PROTOCHAIN:
4246 return gen_protochain((int)v, proto, dir);
4247
4248 case Q_UNDEF:
4249 syntax();
4250 /* NOTREACHED */
4251
4252 default:
4253 abort();
4254 /* NOTREACHED */
4255 }
4256 /* NOTREACHED */
4257 }
4258
4259 #ifdef INET6
4260 struct block *
4261 gen_mcode6(s1, s2, masklen, q)
4262 register const char *s1, *s2;
4263 register int masklen;
4264 struct qual q;
4265 {
4266 struct addrinfo *res;
4267 struct in6_addr *addr;
4268 struct in6_addr mask;
4269 struct block *b;
4270 u_int32_t *a, *m;
4271
4272 if (s2)
4273 bpf_error("no mask %s supported", s2);
4274
4275 res = pcap_nametoaddrinfo(s1);
4276 if (!res)
4277 bpf_error("invalid ip6 address %s", s1);
4278 if (res->ai_next)
4279 bpf_error("%s resolved to multiple address", s1);
4280 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
4281
4282 if (sizeof(mask) * 8 < masklen)
4283 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
4284 memset(&mask, 0, sizeof(mask));
4285 memset(&mask, 0xff, masklen / 8);
4286 if (masklen % 8) {
4287 mask.s6_addr[masklen / 8] =
4288 (0xff << (8 - masklen % 8)) & 0xff;
4289 }
4290
4291 a = (u_int32_t *)addr;
4292 m = (u_int32_t *)&mask;
4293 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
4294 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
4295 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
4296 }
4297
4298 switch (q.addr) {
4299
4300 case Q_DEFAULT:
4301 case Q_HOST:
4302 if (masklen != 128)
4303 bpf_error("Mask syntax for networks only");
4304 /* FALLTHROUGH */
4305
4306 case Q_NET:
4307 b = gen_host6(addr, &mask, q.proto, q.dir);
4308 freeaddrinfo(res);
4309 return b;
4310
4311 default:
4312 bpf_error("invalid qualifier against IPv6 address");
4313 /* NOTREACHED */
4314 }
4315 }
4316 #endif /*INET6*/
4317
4318 struct block *
4319 gen_ecode(eaddr, q)
4320 register const u_char *eaddr;
4321 struct qual q;
4322 {
4323 struct block *b, *tmp;
4324
4325 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
4326 if (linktype == DLT_EN10MB)
4327 return gen_ehostop(eaddr, (int)q.dir);
4328 if (linktype == DLT_FDDI)
4329 return gen_fhostop(eaddr, (int)q.dir);
4330 if (linktype == DLT_IEEE802)
4331 return gen_thostop(eaddr, (int)q.dir);
4332 if (linktype == DLT_IEEE802_11)
4333 return gen_wlanhostop(eaddr, (int)q.dir);
4334 if (linktype == DLT_SUNATM && is_lane) {
4335 /*
4336 * Check that the packet doesn't begin with an
4337 * LE Control marker. (We've already generated
4338 * a test for LANE.)
4339 */
4340 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4341 gen_not(tmp);
4342
4343 /*
4344 * Now check the MAC address.
4345 */
4346 b = gen_ehostop(eaddr, (int)q.dir);
4347 gen_and(tmp, b);
4348 return b;
4349 }
4350 if (linktype == DLT_IP_OVER_FC)
4351 return gen_ipfchostop(eaddr, (int)q.dir);
4352 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4353 }
4354 bpf_error("ethernet address used in non-ether expression");
4355 /* NOTREACHED */
4356 }
4357
4358 void
4359 sappend(s0, s1)
4360 struct slist *s0, *s1;
4361 {
4362 /*
4363 * This is definitely not the best way to do this, but the
4364 * lists will rarely get long.
4365 */
4366 while (s0->next)
4367 s0 = s0->next;
4368 s0->next = s1;
4369 }
4370
4371 static struct slist *
4372 xfer_to_x(a)
4373 struct arth *a;
4374 {
4375 struct slist *s;
4376
4377 s = new_stmt(BPF_LDX|BPF_MEM);
4378 s->s.k = a->regno;
4379 return s;
4380 }
4381
4382 static struct slist *
4383 xfer_to_a(a)
4384 struct arth *a;
4385 {
4386 struct slist *s;
4387
4388 s = new_stmt(BPF_LD|BPF_MEM);
4389 s->s.k = a->regno;
4390 return s;
4391 }
4392
4393 struct arth *
4394 gen_load(proto, index, size)
4395 int proto;
4396 struct arth *index;
4397 int size;
4398 {
4399 struct slist *s, *tmp;
4400 struct block *b;
4401 int regno = alloc_reg();
4402
4403 free_reg(index->regno);
4404 switch (size) {
4405
4406 default:
4407 bpf_error("data size must be 1, 2, or 4");
4408
4409 case 1:
4410 size = BPF_B;
4411 break;
4412
4413 case 2:
4414 size = BPF_H;
4415 break;
4416
4417 case 4:
4418 size = BPF_W;
4419 break;
4420 }
4421 switch (proto) {
4422 default:
4423 bpf_error("unsupported index operation");
4424
4425 case Q_LINK:
4426 /*
4427 * XXX - what about ATM LANE? Should the index be
4428 * relative to the beginning of the AAL5 frame, so
4429 * that 0 refers to the beginning of the LE Control
4430 * field, or relative to the beginning of the LAN
4431 * frame, so that 0 refers, for Ethernet LANE, to
4432 * the beginning of the destination address?
4433 */
4434 s = xfer_to_x(index);
4435 tmp = new_stmt(BPF_LD|BPF_IND|size);
4436 sappend(s, tmp);
4437 sappend(index->s, s);
4438 break;
4439
4440 case Q_IP:
4441 case Q_ARP:
4442 case Q_RARP:
4443 case Q_ATALK:
4444 case Q_DECNET:
4445 case Q_SCA:
4446 case Q_LAT:
4447 case Q_MOPRC:
4448 case Q_MOPDL:
4449 #ifdef INET6
4450 case Q_IPV6:
4451 #endif
4452 /* XXX Note that we assume a fixed link header here. */
4453 s = xfer_to_x(index);
4454 tmp = new_stmt(BPF_LD|BPF_IND|size);
4455 tmp->s.k = off_nl;
4456 sappend(s, tmp);
4457 sappend(index->s, s);
4458
4459 b = gen_proto_abbrev(proto);
4460 if (index->b)
4461 gen_and(index->b, b);
4462 index->b = b;
4463 break;
4464
4465 case Q_SCTP:
4466 case Q_TCP:
4467 case Q_UDP:
4468 case Q_ICMP:
4469 case Q_IGMP:
4470 case Q_IGRP:
4471 case Q_PIM:
4472 case Q_VRRP:
4473 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4474 s->s.k = off_nl;
4475 sappend(s, xfer_to_a(index));
4476 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
4477 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
4478 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
4479 tmp->s.k = off_nl;
4480 sappend(index->s, s);
4481
4482 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
4483 if (index->b)
4484 gen_and(index->b, b);
4485 #ifdef INET6
4486 gen_and(gen_proto_abbrev(Q_IP), b);
4487 #endif
4488 index->b = b;
4489 break;
4490 #ifdef INET6
4491 case Q_ICMPV6:
4492 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
4493 /*NOTREACHED*/
4494 #endif
4495 }
4496 index->regno = regno;
4497 s = new_stmt(BPF_ST);
4498 s->s.k = regno;
4499 sappend(index->s, s);
4500
4501 return index;
4502 }
4503
4504 struct block *
4505 gen_relation(code, a0, a1, reversed)
4506 int code;
4507 struct arth *a0, *a1;
4508 int reversed;
4509 {
4510 struct slist *s0, *s1, *s2;
4511 struct block *b, *tmp;
4512
4513 s0 = xfer_to_x(a1);
4514 s1 = xfer_to_a(a0);
4515 if (code == BPF_JEQ) {
4516 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
4517 b = new_block(JMP(code));
4518 sappend(s1, s2);
4519 }
4520 else
4521 b = new_block(BPF_JMP|code|BPF_X);
4522 if (reversed)
4523 gen_not(b);
4524
4525 sappend(s0, s1);
4526 sappend(a1->s, s0);
4527 sappend(a0->s, a1->s);
4528
4529 b->stmts = a0->s;
4530
4531 free_reg(a0->regno);
4532 free_reg(a1->regno);
4533
4534 /* 'and' together protocol checks */
4535 if (a0->b) {
4536 if (a1->b) {
4537 gen_and(a0->b, tmp = a1->b);
4538 }
4539 else
4540 tmp = a0->b;
4541 } else
4542 tmp = a1->b;
4543
4544 if (tmp)
4545 gen_and(tmp, b);
4546
4547 return b;
4548 }
4549
4550 struct arth *
4551 gen_loadlen()
4552 {
4553 int regno = alloc_reg();
4554 struct arth *a = (struct arth *)newchunk(sizeof(*a));
4555 struct slist *s;
4556
4557 s = new_stmt(BPF_LD|BPF_LEN);
4558 s->next = new_stmt(BPF_ST);
4559 s->next->s.k = regno;
4560 a->s = s;
4561 a->regno = regno;
4562
4563 return a;
4564 }
4565
4566 struct arth *
4567 gen_loadi(val)
4568 int val;
4569 {
4570 struct arth *a;
4571 struct slist *s;
4572 int reg;
4573
4574 a = (struct arth *)newchunk(sizeof(*a));
4575
4576 reg = alloc_reg();
4577
4578 s = new_stmt(BPF_LD|BPF_IMM);
4579 s->s.k = val;
4580 s->next = new_stmt(BPF_ST);
4581 s->next->s.k = reg;
4582 a->s = s;
4583 a->regno = reg;
4584
4585 return a;
4586 }
4587
4588 struct arth *
4589 gen_neg(a)
4590 struct arth *a;
4591 {
4592 struct slist *s;
4593
4594 s = xfer_to_a(a);
4595 sappend(a->s, s);
4596 s = new_stmt(BPF_ALU|BPF_NEG);
4597 s->s.k = 0;
4598 sappend(a->s, s);
4599 s = new_stmt(BPF_ST);
4600 s->s.k = a->regno;
4601 sappend(a->s, s);
4602
4603 return a;
4604 }
4605
4606 struct arth *
4607 gen_arth(code, a0, a1)
4608 int code;
4609 struct arth *a0, *a1;
4610 {
4611 struct slist *s0, *s1, *s2;
4612
4613 s0 = xfer_to_x(a1);
4614 s1 = xfer_to_a(a0);
4615 s2 = new_stmt(BPF_ALU|BPF_X|code);
4616
4617 sappend(s1, s2);
4618 sappend(s0, s1);
4619 sappend(a1->s, s0);
4620 sappend(a0->s, a1->s);
4621
4622 free_reg(a0->regno);
4623 free_reg(a1->regno);
4624
4625 s0 = new_stmt(BPF_ST);
4626 a0->regno = s0->s.k = alloc_reg();
4627 sappend(a0->s, s0);
4628
4629 return a0;
4630 }
4631
4632 /*
4633 * Here we handle simple allocation of the scratch registers.
4634 * If too many registers are alloc'd, the allocator punts.
4635 */
4636 static int regused[BPF_MEMWORDS];
4637 static int curreg;
4638
4639 /*
4640 * Return the next free register.
4641 */
4642 static int
4643 alloc_reg()
4644 {
4645 int n = BPF_MEMWORDS;
4646
4647 while (--n >= 0) {
4648 if (regused[curreg])
4649 curreg = (curreg + 1) % BPF_MEMWORDS;
4650 else {
4651 regused[curreg] = 1;
4652 return curreg;
4653 }
4654 }
4655 bpf_error("too many registers needed to evaluate expression");
4656 /* NOTREACHED */
4657 }
4658
4659 /*
4660 * Return a register to the table so it can
4661 * be used later.
4662 */
4663 static void
4664 free_reg(n)
4665 int n;
4666 {
4667 regused[n] = 0;
4668 }
4669
4670 static struct block *
4671 gen_len(jmp, n)
4672 int jmp, n;
4673 {
4674 struct slist *s;
4675 struct block *b;
4676
4677 s = new_stmt(BPF_LD|BPF_LEN);
4678 b = new_block(JMP(jmp));
4679 b->stmts = s;
4680 b->s.k = n;
4681
4682 return b;
4683 }
4684
4685 struct block *
4686 gen_greater(n)
4687 int n;
4688 {
4689 return gen_len(BPF_JGE, n);
4690 }
4691
4692 /*
4693 * Actually, this is less than or equal.
4694 */
4695 struct block *
4696 gen_less(n)
4697 int n;
4698 {
4699 struct block *b;
4700
4701 b = gen_len(BPF_JGT, n);
4702 gen_not(b);
4703
4704 return b;
4705 }
4706
4707 struct block *
4708 gen_byteop(op, idx, val)
4709 int op, idx, val;
4710 {
4711 struct block *b;
4712 struct slist *s;
4713
4714 switch (op) {
4715 default:
4716 abort();
4717
4718 case '=':
4719 return gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4720
4721 case '<':
4722 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4723 b->s.code = JMP(BPF_JGE);
4724 gen_not(b);
4725 return b;
4726
4727 case '>':
4728 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4729 b->s.code = JMP(BPF_JGT);
4730 return b;
4731
4732 case '|':
4733 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
4734 break;
4735
4736 case '&':
4737 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
4738 break;
4739 }
4740 s->s.k = val;
4741 b = new_block(JMP(BPF_JEQ));
4742 b->stmts = s;
4743 gen_not(b);
4744
4745 return b;
4746 }
4747
4748 static u_char abroadcast[] = { 0x0 };
4749
4750 struct block *
4751 gen_broadcast(proto)
4752 int proto;
4753 {
4754 bpf_u_int32 hostmask;
4755 struct block *b0, *b1, *b2;
4756 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
4757
4758 switch (proto) {
4759
4760 case Q_DEFAULT:
4761 case Q_LINK:
4762 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4763 return gen_ahostop(abroadcast, Q_DST);
4764 if (linktype == DLT_EN10MB)
4765 return gen_ehostop(ebroadcast, Q_DST);
4766 if (linktype == DLT_FDDI)
4767 return gen_fhostop(ebroadcast, Q_DST);
4768 if (linktype == DLT_IEEE802)
4769 return gen_thostop(ebroadcast, Q_DST);
4770 if (linktype == DLT_IEEE802_11)
4771 return gen_wlanhostop(ebroadcast, Q_DST);
4772 if (linktype == DLT_IP_OVER_FC)
4773 return gen_ipfchostop(ebroadcast, Q_DST);
4774 if (linktype == DLT_SUNATM && is_lane) {
4775 /*
4776 * Check that the packet doesn't begin with an
4777 * LE Control marker. (We've already generated
4778 * a test for LANE.)
4779 */
4780 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4781 gen_not(b1);
4782
4783 /*
4784 * Now check the MAC address.
4785 */
4786 b0 = gen_ehostop(ebroadcast, Q_DST);
4787 gen_and(b1, b0);
4788 return b0;
4789 }
4790 bpf_error("not a broadcast link");
4791 break;
4792
4793 case Q_IP:
4794 b0 = gen_linktype(ETHERTYPE_IP);
4795 hostmask = ~netmask;
4796 b1 = gen_mcmp(off_nl + 16, BPF_W, (bpf_int32)0, hostmask);
4797 b2 = gen_mcmp(off_nl + 16, BPF_W,
4798 (bpf_int32)(~0 & hostmask), hostmask);
4799 gen_or(b1, b2);
4800 gen_and(b0, b2);
4801 return b2;
4802 }
4803 bpf_error("only link-layer/IP broadcast filters supported");
4804 /* NOTREACHED */
4805 }
4806
4807 /*
4808 * Generate code to test the low-order bit of a MAC address (that's
4809 * the bottom bit of the *first* byte).
4810 */
4811 static struct block *
4812 gen_mac_multicast(offset)
4813 int offset;
4814 {
4815 register struct block *b0;
4816 register struct slist *s;
4817
4818 /* link[offset] & 1 != 0 */
4819 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4820 s->s.k = offset;
4821 b0 = new_block(JMP(BPF_JSET));
4822 b0->s.k = 1;
4823 b0->stmts = s;
4824 return b0;
4825 }
4826
4827 struct block *
4828 gen_multicast(proto)
4829 int proto;
4830 {
4831 register struct block *b0, *b1, *b2;
4832 register struct slist *s;
4833
4834 switch (proto) {
4835
4836 case Q_DEFAULT:
4837 case Q_LINK:
4838 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4839 /* all ARCnet multicasts use the same address */
4840 return gen_ahostop(abroadcast, Q_DST);
4841
4842 if (linktype == DLT_EN10MB) {
4843 /* ether[0] & 1 != 0 */
4844 return gen_mac_multicast(0);
4845 }
4846
4847 if (linktype == DLT_FDDI) {
4848 /*
4849 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
4850 *
4851 * XXX - was that referring to bit-order issues?
4852 */
4853 /* fddi[1] & 1 != 0 */
4854 return gen_mac_multicast(1);
4855 }
4856
4857 if (linktype == DLT_IEEE802) {
4858 /* tr[2] & 1 != 0 */
4859 return gen_mac_multicast(2);
4860 }
4861
4862 if (linktype == DLT_IEEE802_11) {
4863 /*
4864 * Oh, yuk.
4865 *
4866 * For control frames, there is no DA.
4867 *
4868 * For management frames, DA is at an
4869 * offset of 4 from the beginning of
4870 * the packet.
4871 *
4872 * For data frames, DA is at an offset
4873 * of 4 from the beginning of the packet
4874 * if To DS is clear and at an offset of
4875 * 16 from the beginning of the packet
4876 * if To DS is set.
4877 */
4878
4879 /*
4880 * Generate the tests to be done for data frames.
4881 *
4882 * First, check for To DS set, i.e. "link[1] & 0x01".
4883 */
4884 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4885 s->s.k = 1;
4886 b1 = new_block(JMP(BPF_JSET));
4887 b1->s.k = 0x01; /* To DS */
4888 b1->stmts = s;
4889
4890 /*
4891 * If To DS is set, the DA is at 16.
4892 */
4893 b0 = gen_mac_multicast(16);
4894 gen_and(b1, b0);
4895
4896 /*
4897 * Now, check for To DS not set, i.e. check
4898 * "!(link[1] & 0x01)".
4899 */
4900 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4901 s->s.k = 1;
4902 b2 = new_block(JMP(BPF_JSET));
4903 b2->s.k = 0x01; /* To DS */
4904 b2->stmts = s;
4905 gen_not(b2);
4906
4907 /*
4908 * If To DS is not set, the DA is at 4.
4909 */
4910 b1 = gen_mac_multicast(4);
4911 gen_and(b2, b1);
4912
4913 /*
4914 * Now OR together the last two checks. That gives
4915 * the complete set of checks for data frames.
4916 */
4917 gen_or(b1, b0);
4918
4919 /*
4920 * Now check for a data frame.
4921 * I.e, check "link[0] & 0x08".
4922 */
4923 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4924 s->s.k = 0;
4925 b1 = new_block(JMP(BPF_JSET));
4926 b1->s.k = 0x08;
4927 b1->stmts = s;
4928
4929 /*
4930 * AND that with the checks done for data frames.
4931 */
4932 gen_and(b1, b0);
4933
4934 /*
4935 * If the high-order bit of the type value is 0, this
4936 * is a management frame.
4937 * I.e, check "!(link[0] & 0x08)".
4938 */
4939 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4940 s->s.k = 0;
4941 b2 = new_block(JMP(BPF_JSET));
4942 b2->s.k = 0x08;
4943 b2->stmts = s;
4944 gen_not(b2);
4945
4946 /*
4947 * For management frames, the DA is at 4.
4948 */
4949 b1 = gen_mac_multicast(4);
4950 gen_and(b2, b1);
4951
4952 /*
4953 * OR that with the checks done for data frames.
4954 * That gives the checks done for management and
4955 * data frames.
4956 */
4957 gen_or(b1, b0);
4958
4959 /*
4960 * If the low-order bit of the type value is 1,
4961 * this is either a control frame or a frame
4962 * with a reserved type, and thus not a
4963 * frame with an SA.
4964 *
4965 * I.e., check "!(link[0] & 0x04)".
4966 */
4967 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4968 s->s.k = 0;
4969 b1 = new_block(JMP(BPF_JSET));
4970 b1->s.k = 0x04;
4971 b1->stmts = s;
4972 gen_not(b1);
4973
4974 /*
4975 * AND that with the checks for data and management
4976 * frames.
4977 */
4978 gen_and(b1, b0);
4979 return b0;
4980 }
4981
4982 if (linktype == DLT_IP_OVER_FC) {
4983 b0 = gen_mac_multicast(2);
4984 return b0;
4985 }
4986
4987 if (linktype == DLT_SUNATM && is_lane) {
4988 /*
4989 * Check that the packet doesn't begin with an
4990 * LE Control marker. (We've already generated
4991 * a test for LANE.)
4992 */
4993 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4994 gen_not(b1);
4995
4996 /* ether[off_mac] & 1 != 0 */
4997 b0 = gen_mac_multicast(off_mac);
4998 gen_and(b1, b0);
4999 return b0;
5000 }
5001
5002 /* Link not known to support multicasts */
5003 break;
5004
5005 case Q_IP:
5006 b0 = gen_linktype(ETHERTYPE_IP);
5007 b1 = gen_cmp(off_nl + 16, BPF_B, (bpf_int32)224);
5008 b1->s.code = JMP(BPF_JGE);
5009 gen_and(b0, b1);
5010 return b1;
5011
5012 #ifdef INET6
5013 case Q_IPV6:
5014 b0 = gen_linktype(ETHERTYPE_IPV6);
5015 b1 = gen_cmp(off_nl + 24, BPF_B, (bpf_int32)255);
5016 gen_and(b0, b1);
5017 return b1;
5018 #endif /* INET6 */
5019 }
5020 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
5021 /* NOTREACHED */
5022 }
5023
5024 /*
5025 * generate command for inbound/outbound. It's here so we can
5026 * make it link-type specific. 'dir' = 0 implies "inbound",
5027 * = 1 implies "outbound".
5028 */
5029 struct block *
5030 gen_inbound(dir)
5031 int dir;
5032 {
5033 register struct block *b0;
5034
5035 /*
5036 * Only some data link types support inbound/outbound qualifiers.
5037 */
5038 switch (linktype) {
5039 case DLT_SLIP:
5040 b0 = gen_relation(BPF_JEQ,
5041 gen_load(Q_LINK, gen_loadi(0), 1),
5042 gen_loadi(0),
5043 dir);
5044 break;
5045
5046 case DLT_LINUX_SLL:
5047 if (dir) {
5048 /*
5049 * Match packets sent by this machine.
5050 */
5051 b0 = gen_cmp(0, BPF_H, LINUX_SLL_OUTGOING);
5052 } else {
5053 /*
5054 * Match packets sent to this machine.
5055 * (No broadcast or multicast packets, or
5056 * packets sent to some other machine and
5057 * received promiscuously.)
5058 *
5059 * XXX - packets sent to other machines probably
5060 * shouldn't be matched, but what about broadcast
5061 * or multicast packets we received?
5062 */
5063 b0 = gen_cmp(0, BPF_H, LINUX_SLL_HOST);
5064 }
5065 break;
5066
5067 case DLT_PFLOG:
5068 b0 = gen_cmp(offsetof(struct pfloghdr, dir), BPF_B,
5069 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
5070 break;
5071
5072 case DLT_PPP_WITHDIRECTION:
5073 if (dir) {
5074 /* match outgoing packets */
5075 b0 = gen_cmp(0, BPF_B, PPP_WITHDIRECTION_OUT);
5076 } else {
5077 /* match incoming packets */
5078 b0 = gen_cmp(0, BPF_B, PPP_WITHDIRECTION_IN);
5079 }
5080 break;
5081
5082 default:
5083 bpf_error("inbound/outbound not supported on linktype %d",
5084 linktype);
5085 b0 = NULL;
5086 /* NOTREACHED */
5087 }
5088 return (b0);
5089 }
5090
5091 /* PF firewall log matched interface */
5092 struct block *
5093 gen_pf_ifname(const char *ifname)
5094 {
5095 struct block *b0;
5096 u_int len, off;
5097
5098 if (linktype == DLT_PFLOG) {
5099 len = sizeof(((struct pfloghdr *)0)->ifname);
5100 off = offsetof(struct pfloghdr, ifname);
5101 } else {
5102 bpf_error("ifname not supported on linktype 0x%x", linktype);
5103 /* NOTREACHED */
5104 }
5105 if (strlen(ifname) >= len) {
5106 bpf_error("ifname interface names can only be %d characters",
5107 len-1);
5108 /* NOTREACHED */
5109 }
5110 b0 = gen_bcmp(off, strlen(ifname), (const u_char *)ifname);
5111 return (b0);
5112 }
5113
5114 /* PF firewall log matched interface */
5115 struct block *
5116 gen_pf_ruleset(char *ruleset)
5117 {
5118 struct block *b0;
5119
5120 if (linktype != DLT_PFLOG) {
5121 bpf_error("ruleset not supported on linktype 0x%x", linktype);
5122 /* NOTREACHED */
5123 }
5124 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
5125 bpf_error("ruleset names can only be %ld characters",
5126 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
5127 /* NOTREACHED */
5128 }
5129 b0 = gen_bcmp(offsetof(struct pfloghdr, ruleset),
5130 strlen(ruleset), (const u_char *)ruleset);
5131 return (b0);
5132 }
5133
5134 /* PF firewall log rule number */
5135 struct block *
5136 gen_pf_rnr(int rnr)
5137 {
5138 struct block *b0;
5139
5140 if (linktype == DLT_PFLOG) {
5141 b0 = gen_cmp(offsetof(struct pfloghdr, rulenr), BPF_W,
5142 (bpf_int32)rnr);
5143 } else {
5144 bpf_error("rnr not supported on linktype 0x%x", linktype);
5145 /* NOTREACHED */
5146 }
5147
5148 return (b0);
5149 }
5150
5151 /* PF firewall log sub-rule number */
5152 struct block *
5153 gen_pf_srnr(int srnr)
5154 {
5155 struct block *b0;
5156
5157 if (linktype != DLT_PFLOG) {
5158 bpf_error("srnr not supported on linktype 0x%x", linktype);
5159 /* NOTREACHED */
5160 }
5161
5162 b0 = gen_cmp(offsetof(struct pfloghdr, subrulenr), BPF_W,
5163 (bpf_int32)srnr);
5164 return (b0);
5165 }
5166
5167 /* PF firewall log reason code */
5168 struct block *
5169 gen_pf_reason(int reason)
5170 {
5171 struct block *b0;
5172
5173 if (linktype == DLT_PFLOG) {
5174 b0 = gen_cmp(offsetof(struct pfloghdr, reason), BPF_B,
5175 (bpf_int32)reason);
5176 } else {
5177 bpf_error("reason not supported on linktype 0x%x", linktype);
5178 /* NOTREACHED */
5179 }
5180
5181 return (b0);
5182 }
5183
5184 /* PF firewall log action */
5185 struct block *
5186 gen_pf_action(int action)
5187 {
5188 struct block *b0;
5189
5190 if (linktype == DLT_PFLOG) {
5191 b0 = gen_cmp(offsetof(struct pfloghdr, action), BPF_B,
5192 (bpf_int32)action);
5193 } else {
5194 bpf_error("action not supported on linktype 0x%x", linktype);
5195 /* NOTREACHED */
5196 }
5197
5198 return (b0);
5199 }
5200
5201 struct block *
5202 gen_acode(eaddr, q)
5203 register const u_char *eaddr;
5204 struct qual q;
5205 {
5206 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5207 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5208 return gen_ahostop(eaddr, (int)q.dir);
5209 }
5210 bpf_error("ARCnet address used in non-arc expression");
5211 /* NOTREACHED */
5212 }
5213
5214 static struct block *
5215 gen_ahostop(eaddr, dir)
5216 register const u_char *eaddr;
5217 register int dir;
5218 {
5219 register struct block *b0, *b1;
5220
5221 switch (dir) {
5222 /* src comes first, different from Ethernet */
5223 case Q_SRC:
5224 return gen_bcmp(0, 1, eaddr);
5225
5226 case Q_DST:
5227 return gen_bcmp(1, 1, eaddr);
5228
5229 case Q_AND:
5230 b0 = gen_ahostop(eaddr, Q_SRC);
5231 b1 = gen_ahostop(eaddr, Q_DST);
5232 gen_and(b0, b1);
5233 return b1;
5234
5235 case Q_DEFAULT:
5236 case Q_OR:
5237 b0 = gen_ahostop(eaddr, Q_SRC);
5238 b1 = gen_ahostop(eaddr, Q_DST);
5239 gen_or(b0, b1);
5240 return b1;
5241 }
5242 abort();
5243 /* NOTREACHED */
5244 }
5245
5246 /*
5247 * support IEEE 802.1Q VLAN trunk over ethernet
5248 */
5249 struct block *
5250 gen_vlan(vlan_num)
5251 int vlan_num;
5252 {
5253 struct block *b0;
5254
5255 /*
5256 * Change the offsets to point to the type and data fields within
5257 * the VLAN packet. This is somewhat of a kludge.
5258 */
5259 if (orig_nl == (u_int)-1) {
5260 orig_linktype = off_linktype; /* save original values */
5261 orig_nl = off_nl;
5262 orig_nl_nosnap = off_nl_nosnap;
5263
5264 switch (linktype) {
5265
5266 case DLT_EN10MB:
5267 off_linktype = 16;
5268 off_nl_nosnap = 18;
5269 off_nl = 18;
5270 break;
5271
5272 default:
5273 bpf_error("no VLAN support for data link type %d",
5274 linktype);
5275 /*NOTREACHED*/
5276 }
5277 }
5278
5279 /* check for VLAN */
5280 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
5281
5282 /* If a specific VLAN is requested, check VLAN id */
5283 if (vlan_num >= 0) {
5284 struct block *b1;
5285
5286 b1 = gen_mcmp(orig_nl, BPF_H, (bpf_int32)vlan_num, 0x0fff);
5287 gen_and(b0, b1);
5288 b0 = b1;
5289 }
5290
5291 return (b0);
5292 }
5293
5294 /*
5295 * support for MPLS
5296 */
5297 struct block *
5298 gen_mpls(label_num)
5299 int label_num;
5300 {
5301 struct block *b0;
5302
5303 /*
5304 * Change the offsets to point to the type and data fields within
5305 * the MPLS packet. This is somewhat of a kludge.
5306 */
5307 if (orig_nl == (u_int)-1) {
5308 orig_linktype = off_linktype; /* save original values */
5309 orig_nl = off_nl;
5310 orig_nl_nosnap = off_nl_nosnap;
5311
5312 switch (linktype) {
5313
5314 case DLT_EN10MB:
5315 off_linktype = 16;
5316 off_nl_nosnap = 18;
5317 off_nl = 18;
5318
5319 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_MPLS);
5320 break;
5321
5322 case DLT_PPP:
5323 off_linktype = 6;
5324 off_nl_nosnap = 8;
5325 off_nl = 8;
5326
5327 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)PPP_MPLS_UCAST);
5328 break;
5329
5330 case DLT_C_HDLC:
5331 off_linktype = 6;
5332 off_nl_nosnap = 8;
5333 off_nl = 8;
5334
5335 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_MPLS);
5336 break;
5337
5338 /* FIXME add other DLT_s ...
5339 * for Frame-Relay/and ATM this may get messy due to SNAP headers
5340 * leave it for now */
5341
5342 default:
5343 bpf_error("no MPLS support for data link type %d",
5344 linktype);
5345 /*NOTREACHED*/
5346 }
5347 } else {
5348 bpf_error("'mpls' can't be combined with 'vlan' or another 'mpls'");
5349 /*NOTREACHED*/
5350 }
5351
5352 /* If a specific MPLS label is requested, check it */
5353 if (label_num >= 0) {
5354 struct block *b1;
5355
5356 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
5357 b1 = gen_mcmp(orig_nl, BPF_W, (bpf_int32)label_num, 0xfffff000); /* only compare the first 20 bits */
5358 gen_and(b0, b1);
5359 b0 = b1;
5360 }
5361
5362 return (b0);
5363 }
5364
5365 struct block *
5366 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
5367 int atmfield;
5368 bpf_u_int32 jvalue;
5369 bpf_u_int32 jtype;
5370 int reverse;
5371 {
5372 struct block *b0;
5373
5374 switch (atmfield) {
5375
5376 case A_VPI:
5377 if (!is_atm)
5378 bpf_error("'vpi' supported only on raw ATM");
5379 if (off_vpi == (u_int)-1)
5380 abort();
5381 b0 = gen_ncmp(BPF_B, off_vpi, 0xffffffff, (u_int)jtype,
5382 (u_int)jvalue, reverse);
5383 break;
5384
5385 case A_VCI:
5386 if (!is_atm)
5387 bpf_error("'vci' supported only on raw ATM");
5388 if (off_vci == (u_int)-1)
5389 abort();
5390 b0 = gen_ncmp(BPF_H, off_vci, 0xffffffff, (u_int)jtype,
5391 (u_int)jvalue, reverse);
5392 break;
5393
5394 case A_PROTOTYPE:
5395 if (off_proto == (u_int)-1)
5396 abort(); /* XXX - this isn't on FreeBSD */
5397 b0 = gen_ncmp(BPF_B, off_proto, 0x0f, (u_int)jtype,
5398 (u_int)jvalue, reverse);
5399 break;
5400
5401 case A_MSGTYPE:
5402 if (off_payload == (u_int)-1)
5403 abort();
5404 b0 = gen_ncmp(BPF_B, off_payload + MSG_TYPE_POS, 0xffffffff,
5405 (u_int)jtype, (u_int)jvalue, reverse);
5406 break;
5407
5408 case A_CALLREFTYPE:
5409 if (!is_atm)
5410 bpf_error("'callref' supported only on raw ATM");
5411 if (off_proto == (u_int)-1)
5412 abort();
5413 b0 = gen_ncmp(BPF_B, off_proto, 0xffffffff, (u_int)jtype,
5414 (u_int)jvalue, reverse);
5415 break;
5416
5417 default:
5418 abort();
5419 }
5420 return b0;
5421 }
5422
5423 struct block *
5424 gen_atmtype_abbrev(type)
5425 int type;
5426 {
5427 struct block *b0, *b1;
5428
5429 switch (type) {
5430
5431 case A_METAC:
5432 /* Get all packets in Meta signalling Circuit */
5433 if (!is_atm)
5434 bpf_error("'metac' supported only on raw ATM");
5435 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5436 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
5437 gen_and(b0, b1);
5438 break;
5439
5440 case A_BCC:
5441 /* Get all packets in Broadcast Circuit*/
5442 if (!is_atm)
5443 bpf_error("'bcc' supported only on raw ATM");
5444 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5445 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
5446 gen_and(b0, b1);
5447 break;
5448
5449 case A_OAMF4SC:
5450 /* Get all cells in Segment OAM F4 circuit*/
5451 if (!is_atm)
5452 bpf_error("'oam4sc' supported only on raw ATM");
5453 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5454 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5455 gen_and(b0, b1);
5456 break;
5457
5458 case A_OAMF4EC:
5459 /* Get all cells in End-to-End OAM F4 Circuit*/
5460 if (!is_atm)
5461 bpf_error("'oam4ec' supported only on raw ATM");
5462 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5463 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5464 gen_and(b0, b1);
5465 break;
5466
5467 case A_SC:
5468 /* Get all packets in connection Signalling Circuit */
5469 if (!is_atm)
5470 bpf_error("'sc' supported only on raw ATM");
5471 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5472 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
5473 gen_and(b0, b1);
5474 break;
5475
5476 case A_ILMIC:
5477 /* Get all packets in ILMI Circuit */
5478 if (!is_atm)
5479 bpf_error("'ilmic' supported only on raw ATM");
5480 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5481 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
5482 gen_and(b0, b1);
5483 break;
5484
5485 case A_LANE:
5486 /* Get all LANE packets */
5487 if (!is_atm)
5488 bpf_error("'lane' supported only on raw ATM");
5489 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
5490
5491 /*
5492 * Arrange that all subsequent tests assume LANE
5493 * rather than LLC-encapsulated packets, and set
5494 * the offsets appropriately for LANE-encapsulated
5495 * Ethernet.
5496 *
5497 * "off_mac" is the offset of the Ethernet header,
5498 * which is 2 bytes past the ATM pseudo-header
5499 * (skipping the pseudo-header and 2-byte LE Client
5500 * field). The other offsets are Ethernet offsets
5501 * relative to "off_mac".
5502 */
5503 is_lane = 1;
5504 off_mac = off_payload + 2; /* MAC header */
5505 off_linktype = off_mac + 12;
5506 off_nl = off_mac + 14; /* Ethernet II */
5507 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
5508 break;
5509
5510 case A_LLC:
5511 /* Get all LLC-encapsulated packets */
5512 if (!is_atm)
5513 bpf_error("'llc' supported only on raw ATM");
5514 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
5515 is_lane = 0;
5516 break;
5517
5518 default:
5519 abort();
5520 }
5521 return b1;
5522 }
5523
5524
5525 static struct block *
5526 gen_msg_abbrev(type)
5527 int type;
5528 {
5529 struct block *b1;
5530
5531 /*
5532 * Q.2931 signalling protocol messages for handling virtual circuits
5533 * establishment and teardown
5534 */
5535 switch (type) {
5536
5537 case A_SETUP:
5538 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
5539 break;
5540
5541 case A_CALLPROCEED:
5542 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
5543 break;
5544
5545 case A_CONNECT:
5546 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
5547 break;
5548
5549 case A_CONNECTACK:
5550 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
5551 break;
5552
5553 case A_RELEASE:
5554 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
5555 break;
5556
5557 case A_RELEASE_DONE:
5558 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
5559 break;
5560
5561 default:
5562 abort();
5563 }
5564 return b1;
5565 }
5566
5567 struct block *
5568 gen_atmmulti_abbrev(type)
5569 int type;
5570 {
5571 struct block *b0, *b1;
5572
5573 switch (type) {
5574
5575 case A_OAM:
5576 if (!is_atm)
5577 bpf_error("'oam' supported only on raw ATM");
5578 b1 = gen_atmmulti_abbrev(A_OAMF4);
5579 break;
5580
5581 case A_OAMF4:
5582 if (!is_atm)
5583 bpf_error("'oamf4' supported only on raw ATM");
5584 /* OAM F4 type */
5585 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5586 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5587 gen_or(b0, b1);
5588 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5589 gen_and(b0, b1);
5590 break;
5591
5592 case A_CONNECTMSG:
5593 /*
5594 * Get Q.2931 signalling messages for switched
5595 * virtual connection
5596 */
5597 if (!is_atm)
5598 bpf_error("'connectmsg' supported only on raw ATM");
5599 b0 = gen_msg_abbrev(A_SETUP);
5600 b1 = gen_msg_abbrev(A_CALLPROCEED);
5601 gen_or(b0, b1);
5602 b0 = gen_msg_abbrev(A_CONNECT);
5603 gen_or(b0, b1);
5604 b0 = gen_msg_abbrev(A_CONNECTACK);
5605 gen_or(b0, b1);
5606 b0 = gen_msg_abbrev(A_RELEASE);
5607 gen_or(b0, b1);
5608 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5609 gen_or(b0, b1);
5610 b0 = gen_atmtype_abbrev(A_SC);
5611 gen_and(b0, b1);
5612 break;
5613
5614 case A_METACONNECT:
5615 if (!is_atm)
5616 bpf_error("'metaconnect' supported only on raw ATM");
5617 b0 = gen_msg_abbrev(A_SETUP);
5618 b1 = gen_msg_abbrev(A_CALLPROCEED);
5619 gen_or(b0, b1);
5620 b0 = gen_msg_abbrev(A_CONNECT);
5621 gen_or(b0, b1);
5622 b0 = gen_msg_abbrev(A_RELEASE);
5623 gen_or(b0, b1);
5624 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5625 gen_or(b0, b1);
5626 b0 = gen_atmtype_abbrev(A_METAC);
5627 gen_and(b0, b1);
5628 break;
5629
5630 default:
5631 abort();
5632 }
5633 return b1;
5634 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism