]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
ATM: Simplify protocol and message type handling.
[libpcap] / gencode.c
1 /*
2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21
22 #include <config.h>
23
24 #ifdef _WIN32
25 #include <ws2tcpip.h>
26 #else
27 #include <netinet/in.h>
28 #endif /* _WIN32 */
29
30 #include <stdlib.h>
31 #include <string.h>
32 #include <memory.h>
33 #include <setjmp.h>
34 #include <stdarg.h>
35 #include <stdio.h>
36 #include <stdint.h>
37 #include <stddef.h>
38
39 #include "pcap-int.h"
40
41 #include "extract.h"
42
43 #include "ethertype.h"
44 #include "llc.h"
45 #include "gencode.h"
46 #include "ieee80211.h"
47 #include "pflog.h"
48 #include "ppp.h"
49 #include "pcap/sll.h"
50 #include "pcap/ipnet.h"
51 #include "diag-control.h"
52 #include "pcap-util.h"
53
54 #include "scanner.h"
55
56 #if defined(__linux__)
57 #include <linux/types.h>
58 #include <linux/if_packet.h>
59 #include <linux/filter.h>
60 #endif
61
62 #ifdef _WIN32
63 #ifdef HAVE_NPCAP_BPF_H
64 /* Defines BPF extensions for Npcap */
65 #include <npcap-bpf.h>
66 #endif
67 #ifdef INET6
68 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
69 /* IPv6 address */
70 struct in6_addr
71 {
72 union
73 {
74 uint8_t u6_addr8[16];
75 uint16_t u6_addr16[8];
76 uint32_t u6_addr32[4];
77 } in6_u;
78 #define s6_addr in6_u.u6_addr8
79 #define s6_addr16 in6_u.u6_addr16
80 #define s6_addr32 in6_u.u6_addr32
81 #define s6_addr64 in6_u.u6_addr64
82 };
83
84 typedef unsigned short sa_family_t;
85
86 #define __SOCKADDR_COMMON(sa_prefix) \
87 sa_family_t sa_prefix##family
88
89 /* Ditto, for IPv6. */
90 struct sockaddr_in6
91 {
92 __SOCKADDR_COMMON (sin6_);
93 uint16_t sin6_port; /* Transport layer port # */
94 uint32_t sin6_flowinfo; /* IPv6 flow information */
95 struct in6_addr sin6_addr; /* IPv6 address */
96 };
97
98 #ifndef EAI_ADDRFAMILY
99 struct addrinfo {
100 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
101 int ai_family; /* PF_xxx */
102 int ai_socktype; /* SOCK_xxx */
103 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
104 size_t ai_addrlen; /* length of ai_addr */
105 char *ai_canonname; /* canonical name for hostname */
106 struct sockaddr *ai_addr; /* binary address */
107 struct addrinfo *ai_next; /* next structure in linked list */
108 };
109 #endif /* EAI_ADDRFAMILY */
110 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
111 #endif /* INET6 */
112 #else /* _WIN32 */
113 #include <netdb.h> /* for "struct addrinfo" */
114 #endif /* _WIN32 */
115 #include <pcap/namedb.h>
116
117 #include "nametoaddr.h"
118
119 #define ETHERMTU 1500
120
121 #ifndef IPPROTO_HOPOPTS
122 #define IPPROTO_HOPOPTS 0
123 #endif
124 #ifndef IPPROTO_ROUTING
125 #define IPPROTO_ROUTING 43
126 #endif
127 #ifndef IPPROTO_FRAGMENT
128 #define IPPROTO_FRAGMENT 44
129 #endif
130 #ifndef IPPROTO_DSTOPTS
131 #define IPPROTO_DSTOPTS 60
132 #endif
133 #ifndef IPPROTO_SCTP
134 #define IPPROTO_SCTP 132
135 #endif
136
137 #define GENEVE_PORT 6081
138 #define VXLAN_PORT 4789
139
140
141 /*
142 * from: NetBSD: if_arc.h,v 1.13 1999/11/19 20:41:19 thorpej Exp
143 */
144
145 /* RFC 1051 */
146 #define ARCTYPE_IP_OLD 240 /* IP protocol */
147 #define ARCTYPE_ARP_OLD 241 /* address resolution protocol */
148
149 /* RFC 1201 */
150 #define ARCTYPE_IP 212 /* IP protocol */
151 #define ARCTYPE_ARP 213 /* address resolution protocol */
152 #define ARCTYPE_REVARP 214 /* reverse addr resolution protocol */
153
154 #define ARCTYPE_ATALK 221 /* Appletalk */
155 #define ARCTYPE_BANIAN 247 /* Banyan Vines */
156 #define ARCTYPE_IPX 250 /* Novell IPX */
157
158 #define ARCTYPE_INET6 0xc4 /* IPng */
159 #define ARCTYPE_DIAGNOSE 0x80 /* as per ANSI/ATA 878.1 */
160
161
162 /* Based on UNI3.1 standard by ATM Forum */
163
164 /* ATM traffic types based on VPI=0 and (the following VCI */
165 #define VCI_PPC 0x05 /* Point-to-point signal msg */
166 #define VCI_BCC 0x02 /* Broadcast signal msg */
167 #define VCI_OAMF4SC 0x03 /* Segment OAM F4 flow cell */
168 #define VCI_OAMF4EC 0x04 /* End-to-end OAM F4 flow cell */
169 #define VCI_METAC 0x01 /* Meta signal msg */
170 #define VCI_ILMIC 0x10 /* ILMI msg */
171
172 /* Q.2931 signalling messages */
173 #define CALL_PROCEED 0x02 /* call proceeding */
174 #define CONNECT 0x07 /* connect */
175 #define CONNECT_ACK 0x0f /* connect_ack */
176 #define SETUP 0x05 /* setup */
177 #define RELEASE 0x4d /* release */
178 #define RELEASE_DONE 0x5a /* release_done */
179 #define RESTART 0x46 /* restart */
180 #define RESTART_ACK 0x4e /* restart ack */
181 #define STATUS 0x7d /* status */
182 #define STATUS_ENQ 0x75 /* status ack */
183 #define ADD_PARTY 0x80 /* add party */
184 #define ADD_PARTY_ACK 0x81 /* add party ack */
185 #define ADD_PARTY_REJ 0x82 /* add party rej */
186 #define DROP_PARTY 0x83 /* drop party */
187 #define DROP_PARTY_ACK 0x84 /* drop party ack */
188
189 /* Information Element Parameters in the signalling messages */
190 #define CAUSE 0x08 /* cause */
191 #define ENDPT_REF 0x54 /* endpoint reference */
192 #define AAL_PARA 0x58 /* ATM adaptation layer parameters */
193 #define TRAFF_DESCRIP 0x59 /* atm traffic descriptors */
194 #define CONNECT_ID 0x5a /* connection identifier */
195 #define QOS_PARA 0x5c /* quality of service parameters */
196 #define B_HIGHER 0x5d /* broadband higher layer information */
197 #define B_BEARER 0x5e /* broadband bearer capability */
198 #define B_LOWER 0x5f /* broadband lower information */
199 #define CALLING_PARTY 0x6c /* calling party number */
200 #define CALLED_PARTY 0x70 /* called party number */
201
202 #define Q2931 0x09
203
204 /* Q.2931 signalling general messages format */
205 #define PROTO_POS 0 /* offset of protocol discriminator */
206 #define CALL_REF_POS 2 /* offset of call reference value */
207 #define MSG_TYPE_POS 5 /* offset of message type */
208 #define MSG_LEN_POS 7 /* offset of message length */
209 #define IE_BEGIN_POS 9 /* offset of first information element */
210
211 /* format of signalling messages */
212 #define TYPE_POS 0
213 #define LEN_POS 2
214 #define FIELD_BEGIN_POS 4
215
216
217 /* SunATM header for ATM packet */
218 #define SUNATM_DIR_POS 0
219 #define SUNATM_VPI_POS 1
220 #define SUNATM_VCI_POS 2
221 #define SUNATM_PKT_BEGIN_POS 4 /* Start of ATM packet */
222
223 /* Protocol type values in the bottom for bits of the byte at SUNATM_DIR_POS. */
224 #define PT_LANE 0x01 /* LANE */
225 #define PT_LLC 0x02 /* LLC encapsulation */
226 #define PT_ILMI 0x05 /* ILMI */
227 #define PT_QSAAL 0x06 /* Q.SAAL */
228
229
230 /* Types missing from some systems */
231
232 /*
233 * Network layer protocol identifiers
234 */
235 #ifndef ISO8473_CLNP
236 #define ISO8473_CLNP 0x81
237 #endif
238 #ifndef ISO9542_ESIS
239 #define ISO9542_ESIS 0x82
240 #endif
241 #ifndef ISO9542X25_ESIS
242 #define ISO9542X25_ESIS 0x8a
243 #endif
244 #ifndef ISO10589_ISIS
245 #define ISO10589_ISIS 0x83
246 #endif
247
248 #define ISIS_L1_LAN_IIH 15
249 #define ISIS_L2_LAN_IIH 16
250 #define ISIS_PTP_IIH 17
251 #define ISIS_L1_LSP 18
252 #define ISIS_L2_LSP 20
253 #define ISIS_L1_CSNP 24
254 #define ISIS_L2_CSNP 25
255 #define ISIS_L1_PSNP 26
256 #define ISIS_L2_PSNP 27
257 /*
258 * The maximum possible value can also be used as a bit mask because the
259 * "PDU Type" field comprises the least significant 5 bits of a particular
260 * octet, see sections 9.5~9.13 of ISO/IEC 10589:2002(E).
261 */
262 #define ISIS_PDU_TYPE_MAX 0x1FU
263
264 #ifndef ISO8878A_CONS
265 #define ISO8878A_CONS 0x84
266 #endif
267 #ifndef ISO10747_IDRP
268 #define ISO10747_IDRP 0x85
269 #endif
270
271 // Same as in tcpdump/print-sl.c.
272 #define SLIPDIR_IN 0
273 #define SLIPDIR_OUT 1
274
275 #ifdef HAVE_OS_PROTO_H
276 #include "os-proto.h"
277 #endif
278
279 #define JMP(c) ((c)|BPF_JMP|BPF_K)
280
281 /*
282 * "Push" the current value of the link-layer header type and link-layer
283 * header offset onto a "stack", and set a new value. (It's not a
284 * full-blown stack; we keep only the top two items.)
285 */
286 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
287 { \
288 (cs)->prevlinktype = (cs)->linktype; \
289 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
290 (cs)->linktype = (new_linktype); \
291 (cs)->off_linkhdr.is_variable = (new_is_variable); \
292 (cs)->off_linkhdr.constant_part = (new_constant_part); \
293 (cs)->off_linkhdr.reg = (new_reg); \
294 (cs)->is_encap = 0; \
295 }
296
297 /*
298 * Offset "not set" value.
299 */
300 #define OFFSET_NOT_SET 0xffffffffU
301
302 /*
303 * Absolute offsets, which are offsets from the beginning of the raw
304 * packet data, are, in the general case, the sum of a variable value
305 * and a constant value; the variable value may be absent, in which
306 * case the offset is only the constant value, and the constant value
307 * may be zero, in which case the offset is only the variable value.
308 *
309 * bpf_abs_offset is a structure containing all that information:
310 *
311 * is_variable is 1 if there's a variable part.
312 *
313 * constant_part is the constant part of the value, possibly zero;
314 *
315 * if is_variable is 1, reg is the register number for a register
316 * containing the variable value if the register has been assigned,
317 * and -1 otherwise.
318 */
319 typedef struct {
320 int is_variable;
321 u_int constant_part;
322 int reg;
323 } bpf_abs_offset;
324
325 /*
326 * Value passed to gen_load_a() to indicate what the offset argument
327 * is relative to the beginning of.
328 */
329 enum e_offrel {
330 OR_PACKET, /* full packet data */
331 OR_LINKHDR, /* link-layer header */
332 OR_PREVLINKHDR, /* previous link-layer header */
333 OR_LLC, /* 802.2 LLC header */
334 OR_PREVMPLSHDR, /* previous MPLS header */
335 OR_LINKTYPE, /* link-layer type */
336 OR_LINKPL, /* link-layer payload */
337 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
338 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
339 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
340 };
341
342 /*
343 * We divvy out chunks of memory rather than call malloc each time so
344 * we don't have to worry about leaking memory. It's probably
345 * not a big deal if all this memory was wasted but if this ever
346 * goes into a library that would probably not be a good idea.
347 *
348 * XXX - this *is* in a library....
349 */
350 #define NCHUNKS 16
351 #define CHUNK0SIZE 1024
352 struct chunk {
353 size_t n_left;
354 void *m;
355 };
356
357 /*
358 * A chunk can store any of:
359 * - a string (guaranteed alignment 1 but present for completeness)
360 * - a block
361 * - an slist
362 * - an arth
363 * For this simple allocator every allocated chunk gets rounded up to the
364 * alignment needed for any chunk.
365 */
366 struct chunk_align {
367 char dummy;
368 union {
369 char c;
370 struct block b;
371 struct slist s;
372 struct arth a;
373 } u;
374 };
375 #define CHUNK_ALIGN (offsetof(struct chunk_align, u))
376
377 /* Code generator state */
378
379 struct _compiler_state {
380 jmp_buf top_ctx;
381 pcap_t *bpf_pcap;
382 int error_set;
383
384 struct icode ic;
385
386 int snaplen;
387
388 int linktype;
389 int prevlinktype;
390 int outermostlinktype;
391
392 bpf_u_int32 netmask;
393 int no_optimize;
394
395 /* Hack for handling VLAN and MPLS stacks. */
396 u_int label_stack_depth;
397 u_int vlan_stack_depth;
398
399 /* XXX */
400 u_int pcap_fddipad;
401
402 /*
403 * As errors are handled by a longjmp, anything allocated must
404 * be freed in the longjmp handler, so it must be reachable
405 * from that handler.
406 *
407 * One thing that's allocated is the result of pcap_nametoaddrinfo();
408 * it must be freed with freeaddrinfo(). This variable points to
409 * any addrinfo structure that would need to be freed.
410 */
411 struct addrinfo *ai;
412
413 /*
414 * Another thing that's allocated is the result of pcap_ether_aton();
415 * it must be freed with free(). This variable points to any
416 * address that would need to be freed.
417 */
418 u_char *e;
419
420 /*
421 * Various code constructs need to know the layout of the packet.
422 * These values give the necessary offsets from the beginning
423 * of the packet data.
424 */
425
426 /*
427 * Absolute offset of the beginning of the link-layer header.
428 */
429 bpf_abs_offset off_linkhdr;
430
431 /*
432 * If we're checking a link-layer header for a packet encapsulated
433 * in another protocol layer, this is the equivalent information
434 * for the previous layers' link-layer header from the beginning
435 * of the raw packet data.
436 */
437 bpf_abs_offset off_prevlinkhdr;
438
439 /*
440 * This is the equivalent information for the outermost layers'
441 * link-layer header.
442 */
443 bpf_abs_offset off_outermostlinkhdr;
444
445 /*
446 * Absolute offset of the beginning of the link-layer payload.
447 */
448 bpf_abs_offset off_linkpl;
449
450 /*
451 * "off_linktype" is the offset to information in the link-layer
452 * header giving the packet type. This is an absolute offset
453 * from the beginning of the packet.
454 *
455 * For Ethernet, it's the offset of the Ethernet type field; this
456 * means that it must have a value that skips VLAN tags.
457 *
458 * For link-layer types that always use 802.2 headers, it's the
459 * offset of the LLC header; this means that it must have a value
460 * that skips VLAN tags.
461 *
462 * For PPP, it's the offset of the PPP type field.
463 *
464 * For Cisco HDLC, it's the offset of the CHDLC type field.
465 *
466 * For BSD loopback, it's the offset of the AF_ value.
467 *
468 * For Linux cooked sockets, it's the offset of the type field.
469 *
470 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
471 * encapsulation, in which case, IP is assumed.
472 */
473 bpf_abs_offset off_linktype;
474
475 /*
476 * TRUE if the link layer includes an ATM pseudo-header.
477 */
478 int is_atm;
479
480 /* TRUE if "geneve" or "vxlan" appeared in the filter; it
481 * causes us to generate code that checks for a Geneve or
482 * VXLAN header respectively and assume that later filters
483 * apply to the encapsulated payload.
484 */
485 int is_encap;
486
487 /*
488 * TRUE if we need variable length part of VLAN offset
489 */
490 int is_vlan_vloffset;
491
492 /*
493 * These are offsets for the ATM pseudo-header.
494 */
495 u_int off_vpi;
496 u_int off_vci;
497 u_int off_proto;
498
499 /*
500 * These are offsets for the MTP2 fields.
501 */
502 u_int off_li;
503 u_int off_li_hsl;
504
505 /*
506 * These are offsets for the MTP3 fields.
507 */
508 u_int off_sio;
509 u_int off_opc;
510 u_int off_dpc;
511 u_int off_sls;
512
513 /*
514 * This is the offset of the first byte after the ATM pseudo_header,
515 * or -1 if there is no ATM pseudo-header.
516 */
517 u_int off_payload;
518
519 /*
520 * These are offsets to the beginning of the network-layer header.
521 * They are relative to the beginning of the link-layer payload
522 * (i.e., they don't include off_linkhdr.constant_part or
523 * off_linkpl.constant_part).
524 *
525 * If the link layer never uses 802.2 LLC:
526 *
527 * "off_nl" and "off_nl_nosnap" are the same.
528 *
529 * If the link layer always uses 802.2 LLC:
530 *
531 * "off_nl" is the offset if there's a SNAP header following
532 * the 802.2 header;
533 *
534 * "off_nl_nosnap" is the offset if there's no SNAP header.
535 *
536 * If the link layer is Ethernet:
537 *
538 * "off_nl" is the offset if the packet is an Ethernet II packet
539 * (we assume no 802.3+802.2+SNAP);
540 *
541 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
542 * with an 802.2 header following it.
543 */
544 u_int off_nl;
545 u_int off_nl_nosnap;
546
547 /*
548 * Here we handle simple allocation of the scratch registers.
549 * If too many registers are alloc'd, the allocator punts.
550 */
551 int regused[BPF_MEMWORDS];
552 int curreg;
553
554 /*
555 * Memory chunks.
556 */
557 struct chunk chunks[NCHUNKS];
558 int cur_chunk;
559 };
560
561 /*
562 * For use by routines outside this file.
563 */
564 /* VARARGS */
565 void
566 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...)
567 {
568 va_list ap;
569
570 /*
571 * If we've already set an error, don't override it.
572 * The lexical analyzer reports some errors by setting
573 * the error and then returning a LEX_ERROR token, which
574 * is not recognized by any grammar rule, and thus forces
575 * the parse to stop. We don't want the error reported
576 * by the lexical analyzer to be overwritten by the syntax
577 * error.
578 */
579 if (!cstate->error_set) {
580 va_start(ap, fmt);
581 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
582 fmt, ap);
583 va_end(ap);
584 cstate->error_set = 1;
585 }
586 }
587
588 /*
589 * For use *ONLY* in routines in this file.
590 */
591 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...)
592 PCAP_PRINTFLIKE(2, 3);
593
594 /* VARARGS */
595 static void PCAP_NORETURN
596 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
597 {
598 va_list ap;
599
600 va_start(ap, fmt);
601 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
602 fmt, ap);
603 va_end(ap);
604 longjmp(cstate->top_ctx, 1);
605 /*NOTREACHED*/
606 #ifdef _AIX
607 PCAP_UNREACHABLE
608 #endif /* _AIX */
609 }
610
611 static int init_linktype(compiler_state_t *, pcap_t *);
612
613 static void init_regs(compiler_state_t *);
614 static int alloc_reg(compiler_state_t *);
615 static void free_reg(compiler_state_t *, int);
616
617 static void initchunks(compiler_state_t *cstate);
618 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t);
619 static void *newchunk(compiler_state_t *cstate, size_t);
620 static void freechunks(compiler_state_t *cstate);
621 static inline struct block *new_block(compiler_state_t *cstate, int);
622 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
623 static struct block *gen_retblk(compiler_state_t *cstate, int);
624 static inline void syntax(compiler_state_t *cstate);
625
626 static void backpatch(struct block *, struct block *);
627 static void merge(struct block *, struct block *);
628 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
629 u_int, bpf_u_int32);
630 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
631 u_int, bpf_u_int32);
632 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
633 u_int, bpf_u_int32);
634 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
635 u_int, bpf_u_int32);
636 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
637 u_int, bpf_u_int32);
638 static struct block *gen_cmp_ne(compiler_state_t *, enum e_offrel, u_int,
639 u_int size, bpf_u_int32);
640 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
641 u_int, bpf_u_int32, bpf_u_int32);
642 static struct block *gen_mcmp_ne(compiler_state_t *, enum e_offrel, u_int,
643 u_int, bpf_u_int32, bpf_u_int32);
644 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
645 u_int, const u_char *);
646 static struct block *gen_jmp(compiler_state_t *, int, bpf_u_int32,
647 struct slist *);
648 static struct block *gen_set(compiler_state_t *, bpf_u_int32, struct slist *);
649 static struct block *gen_unset(compiler_state_t *, bpf_u_int32, struct slist *);
650 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, u_int,
651 u_int, bpf_u_int32, int, int, bpf_u_int32);
652 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
653 u_int, u_int);
654 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
655 u_int);
656 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
657 static struct block *gen_uncond(compiler_state_t *, int);
658 static inline struct block *gen_true(compiler_state_t *);
659 static inline struct block *gen_false(compiler_state_t *);
660 static struct block *gen_ether_linktype(compiler_state_t *, bpf_u_int32);
661 static struct block *gen_ipnet_linktype(compiler_state_t *, bpf_u_int32);
662 static struct block *gen_linux_sll_linktype(compiler_state_t *, bpf_u_int32);
663 static struct slist *gen_load_pflog_llprefixlen(compiler_state_t *);
664 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
665 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
666 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
667 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
668 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
669 static struct slist *gen_abs_offset_varpart(compiler_state_t *,
670 bpf_abs_offset *);
671 static uint16_t ethertype_to_ppptype(compiler_state_t *, bpf_u_int32);
672 static struct block *gen_linktype(compiler_state_t *, bpf_u_int32);
673 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
674 static struct block *gen_llc_linktype(compiler_state_t *, bpf_u_int32);
675 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
676 int, u_int, u_int);
677 #ifdef INET6
678 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
679 struct in6_addr *, int, u_int, u_int);
680 #endif
681 static struct block *gen_ahostop(compiler_state_t *, const uint8_t, int);
682 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
683 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
684 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
685 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
686 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
687 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
688 static struct block *gen_mpls_linktype(compiler_state_t *, bpf_u_int32);
689 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
690 int, int, int);
691 #ifdef INET6
692 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
693 struct in6_addr *, int, int, int);
694 #endif
695 #ifndef INET6
696 static struct block *gen_gateway(compiler_state_t *, const u_char *,
697 struct addrinfo *, int);
698 #endif
699 static struct block *gen_ip_proto(compiler_state_t *, const uint8_t);
700 static struct block *gen_ip6_proto(compiler_state_t *, const uint8_t);
701 static struct block *gen_ipfrag(compiler_state_t *);
702 static struct block *gen_portatom(compiler_state_t *, int, uint16_t);
703 static struct block *gen_portrangeatom(compiler_state_t *, u_int, uint16_t,
704 uint16_t);
705 static struct block *gen_portatom6(compiler_state_t *, int, uint16_t);
706 static struct block *gen_portrangeatom6(compiler_state_t *, u_int, uint16_t,
707 uint16_t);
708 static struct block *gen_port(compiler_state_t *, uint16_t, int, int);
709 static struct block *gen_port_common(compiler_state_t *, int, struct block *);
710 static struct block *gen_portrange(compiler_state_t *, uint16_t, uint16_t,
711 int, int);
712 static struct block *gen_port6(compiler_state_t *, uint16_t, int, int);
713 static struct block *gen_port6_common(compiler_state_t *, int, struct block *);
714 static struct block *gen_portrange6(compiler_state_t *, uint16_t, uint16_t,
715 int, int);
716 static int lookup_proto(compiler_state_t *, const char *, int);
717 #if !defined(NO_PROTOCHAIN)
718 static struct block *gen_protochain(compiler_state_t *, bpf_u_int32, int);
719 #endif /* !defined(NO_PROTOCHAIN) */
720 static struct block *gen_proto(compiler_state_t *, bpf_u_int32, int);
721 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
722 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
723 static struct block *gen_mac_multicast(compiler_state_t *, int);
724 static struct block *gen_len(compiler_state_t *, int, int);
725 static struct block *gen_encap_ll_check(compiler_state_t *cstate);
726
727 static struct block *gen_atmfield_code_internal(compiler_state_t *, int,
728 bpf_u_int32, int, int);
729 static struct block *gen_atmtype_llc(compiler_state_t *);
730 static struct block *gen_msg_abbrev(compiler_state_t *, const uint8_t);
731 static struct block *gen_atm_prototype(compiler_state_t *, const uint8_t);
732
733 static void
734 initchunks(compiler_state_t *cstate)
735 {
736 int i;
737
738 for (i = 0; i < NCHUNKS; i++) {
739 cstate->chunks[i].n_left = 0;
740 cstate->chunks[i].m = NULL;
741 }
742 cstate->cur_chunk = 0;
743 }
744
745 static void *
746 newchunk_nolongjmp(compiler_state_t *cstate, size_t n)
747 {
748 struct chunk *cp;
749 int k;
750 size_t size;
751
752 /* Round up to chunk alignment. */
753 n = (n + CHUNK_ALIGN - 1) & ~(CHUNK_ALIGN - 1);
754
755 cp = &cstate->chunks[cstate->cur_chunk];
756 if (n > cp->n_left) {
757 ++cp;
758 k = ++cstate->cur_chunk;
759 if (k >= NCHUNKS) {
760 bpf_set_error(cstate, "out of memory");
761 return (NULL);
762 }
763 size = CHUNK0SIZE << k;
764 cp->m = (void *)malloc(size);
765 if (cp->m == NULL) {
766 bpf_set_error(cstate, "out of memory");
767 return (NULL);
768 }
769 memset((char *)cp->m, 0, size);
770 cp->n_left = size;
771 if (n > size) {
772 bpf_set_error(cstate, "out of memory");
773 return (NULL);
774 }
775 }
776 cp->n_left -= n;
777 return (void *)((char *)cp->m + cp->n_left);
778 }
779
780 static void *
781 newchunk(compiler_state_t *cstate, size_t n)
782 {
783 void *p;
784
785 p = newchunk_nolongjmp(cstate, n);
786 if (p == NULL) {
787 longjmp(cstate->top_ctx, 1);
788 /*NOTREACHED*/
789 }
790 return (p);
791 }
792
793 static void
794 freechunks(compiler_state_t *cstate)
795 {
796 int i;
797
798 for (i = 0; i < NCHUNKS; ++i)
799 if (cstate->chunks[i].m != NULL)
800 free(cstate->chunks[i].m);
801 }
802
803 /*
804 * A strdup whose allocations are freed after code generation is over.
805 * This is used by the lexical analyzer, so it can't longjmp; it just
806 * returns NULL on an allocation error, and the callers must check
807 * for it.
808 */
809 char *
810 sdup(compiler_state_t *cstate, const char *s)
811 {
812 size_t n = strlen(s) + 1;
813 char *cp = newchunk_nolongjmp(cstate, n);
814
815 if (cp == NULL)
816 return (NULL);
817 pcapint_strlcpy(cp, s, n);
818 return (cp);
819 }
820
821 static inline struct block *
822 new_block(compiler_state_t *cstate, int code)
823 {
824 struct block *p;
825
826 p = (struct block *)newchunk(cstate, sizeof(*p));
827 p->s.code = code;
828 p->head = p;
829
830 return p;
831 }
832
833 static inline struct slist *
834 new_stmt(compiler_state_t *cstate, int code)
835 {
836 struct slist *p;
837
838 p = (struct slist *)newchunk(cstate, sizeof(*p));
839 p->s.code = code;
840
841 return p;
842 }
843
844 static struct block *
845 gen_retblk_internal(compiler_state_t *cstate, int v)
846 {
847 struct block *b = new_block(cstate, BPF_RET|BPF_K);
848
849 b->s.k = v;
850 return b;
851 }
852
853 static struct block *
854 gen_retblk(compiler_state_t *cstate, int v)
855 {
856 if (setjmp(cstate->top_ctx)) {
857 /*
858 * gen_retblk() only fails because a memory
859 * allocation failed in newchunk(), meaning
860 * that it can't return a pointer.
861 *
862 * Return NULL.
863 */
864 return NULL;
865 }
866 return gen_retblk_internal(cstate, v);
867 }
868
869 static inline PCAP_NORETURN_DEF void
870 syntax(compiler_state_t *cstate)
871 {
872 bpf_error(cstate, "syntax error in filter expression");
873 }
874
875 /*
876 * For the given integer return a string with the keyword (or the nominal
877 * keyword if there is more than one). This is a simpler version of tok2str()
878 * in tcpdump because in this problem space a valid integer value is not
879 * greater than 71.
880 */
881 static const char *
882 qual2kw(const char *kind, const unsigned id, const char *tokens[],
883 const size_t size)
884 {
885 static char buf[4][64];
886 static int idx = 0;
887
888 if (id < size && tokens[id])
889 return tokens[id];
890
891 char *ret = buf[idx];
892 idx = (idx + 1) % (sizeof(buf) / sizeof(buf[0]));
893 ret[0] = '\0'; // just in case
894 snprintf(ret, sizeof(buf[0]), "<invalid %s %u>", kind, id);
895 return ret;
896 }
897
898 // protocol qualifier keywords
899 static const char *
900 pqkw(const unsigned id)
901 {
902 const char * tokens[] = {
903 [Q_LINK] = "link",
904 [Q_IP] = "ip",
905 [Q_ARP] = "arp",
906 [Q_RARP] = "rarp",
907 [Q_SCTP] = "sctp",
908 [Q_TCP] = "tcp",
909 [Q_UDP] = "udp",
910 [Q_ICMP] = "icmp",
911 [Q_IGMP] = "igmp",
912 [Q_IGRP] = "igrp",
913 [Q_ATALK] = "atalk",
914 [Q_DECNET] = "decnet",
915 [Q_LAT] = "lat",
916 [Q_SCA] = "sca",
917 [Q_MOPRC] = "moprc",
918 [Q_MOPDL] = "mopdl",
919 [Q_IPV6] = "ip6",
920 [Q_ICMPV6] = "icmp6",
921 [Q_AH] = "ah",
922 [Q_ESP] = "esp",
923 [Q_PIM] = "pim",
924 [Q_VRRP] = "vrrp",
925 [Q_AARP] = "aarp",
926 [Q_ISO] = "iso",
927 [Q_ESIS] = "esis",
928 [Q_ISIS] = "isis",
929 [Q_CLNP] = "clnp",
930 [Q_STP] = "stp",
931 [Q_IPX] = "ipx",
932 [Q_NETBEUI] = "netbeui",
933 [Q_ISIS_L1] = "l1",
934 [Q_ISIS_L2] = "l2",
935 [Q_ISIS_IIH] = "iih",
936 [Q_ISIS_SNP] = "snp",
937 [Q_ISIS_CSNP] = "csnp",
938 [Q_ISIS_PSNP] = "psnp",
939 [Q_ISIS_LSP] = "lsp",
940 [Q_RADIO] = "radio",
941 [Q_CARP] = "carp",
942 };
943 return qual2kw("proto", id, tokens, sizeof(tokens) / sizeof(tokens[0]));
944 }
945
946 // direction qualifier keywords
947 static const char *
948 dqkw(const unsigned id)
949 {
950 const char * map[] = {
951 [Q_SRC] = "src",
952 [Q_DST] = "dst",
953 [Q_OR] = "src or dst",
954 [Q_AND] = "src and dst",
955 [Q_ADDR1] = "addr1",
956 [Q_ADDR2] = "addr2",
957 [Q_ADDR3] = "addr3",
958 [Q_ADDR4] = "addr4",
959 [Q_RA] = "ra",
960 [Q_TA] = "ta",
961 };
962 return qual2kw("dir", id, map, sizeof(map) / sizeof(map[0]));
963 }
964
965 // ATM keywords
966 static const char *
967 atmkw(const unsigned id)
968 {
969 const char * tokens[] = {
970 [A_METAC] = "metac",
971 [A_BCC] = "bcc",
972 [A_OAMF4SC] = "oamf4sc",
973 [A_OAMF4EC] = "oamf4ec",
974 [A_SC] = "sc",
975 [A_ILMIC] = "ilmic",
976 [A_OAM] = "oam",
977 [A_OAMF4] = "oamf4",
978 [A_LANE] = "lane",
979 [A_VPI] = "vpi",
980 [A_VCI] = "vci",
981 [A_CONNECTMSG] = "connectmsg",
982 [A_METACONNECT] = "metaconnect",
983 };
984 return qual2kw("ATM keyword", id, tokens, sizeof(tokens) / sizeof(tokens[0]));
985 }
986
987 // SS7 keywords
988 static const char *
989 ss7kw(const unsigned id)
990 {
991 const char * tokens[] = {
992 [M_FISU] = "fisu",
993 [M_LSSU] = "lssu",
994 [M_MSU] = "msu",
995 [MH_FISU] = "hfisu",
996 [MH_LSSU] = "hlssu",
997 [MH_MSU] = "hmsu",
998 [M_SIO] = "sio",
999 [M_OPC] = "opc",
1000 [M_DPC] = "dpc",
1001 [M_SLS] = "sls",
1002 [MH_SIO] = "hsio",
1003 [MH_OPC] = "hopc",
1004 [MH_DPC] = "hdpc",
1005 [MH_SLS] = "hsls",
1006 };
1007 return qual2kw("MTP keyword", id, tokens, sizeof(tokens) / sizeof(tokens[0]));
1008 }
1009
1010 static PCAP_NORETURN_DEF void
1011 fail_kw_on_dlt(compiler_state_t *cstate, const char *keyword)
1012 {
1013 bpf_error(cstate, "'%s' not supported on %s", keyword,
1014 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
1015 }
1016
1017 static void
1018 assert_pflog(compiler_state_t *cstate, const char *kw)
1019 {
1020 if (cstate->linktype != DLT_PFLOG)
1021 bpf_error(cstate, "'%s' supported only on PFLOG linktype", kw);
1022 }
1023
1024 static void
1025 assert_atm(compiler_state_t *cstate, const char *kw)
1026 {
1027 /*
1028 * Belt and braces: init_linktype() sets either all of these struct
1029 * members (for DLT_SUNATM) or none (otherwise).
1030 */
1031 if (cstate->linktype != DLT_SUNATM ||
1032 ! cstate->is_atm ||
1033 cstate->off_vpi == OFFSET_NOT_SET ||
1034 cstate->off_vci == OFFSET_NOT_SET ||
1035 cstate->off_proto == OFFSET_NOT_SET ||
1036 cstate->off_payload == OFFSET_NOT_SET)
1037 bpf_error(cstate, "'%s' supported only on SUNATM", kw);
1038 }
1039
1040 static void
1041 assert_ss7(compiler_state_t *cstate, const char *kw)
1042 {
1043 switch (cstate->linktype) {
1044 case DLT_MTP2:
1045 case DLT_ERF:
1046 case DLT_MTP2_WITH_PHDR:
1047 // Belt and braces, same as in assert_atm().
1048 if (cstate->off_sio != OFFSET_NOT_SET &&
1049 cstate->off_opc != OFFSET_NOT_SET &&
1050 cstate->off_dpc != OFFSET_NOT_SET &&
1051 cstate->off_sls != OFFSET_NOT_SET)
1052 return;
1053 }
1054 bpf_error(cstate, "'%s' supported only on SS7", kw);
1055 }
1056
1057 static void
1058 assert_maxval(compiler_state_t *cstate, const char *name,
1059 const bpf_u_int32 val, const bpf_u_int32 maxval)
1060 {
1061 if (val > maxval)
1062 bpf_error(cstate, "%s %u greater than maximum %u",
1063 name, val, maxval);
1064 }
1065
1066 #define ERRSTR_802_11_ONLY_KW "'%s' is valid for 802.11 syntax only"
1067 #define ERRSTR_INVALID_QUAL "'%s' is not a valid qualifier for '%s'"
1068
1069 // Validate a port/portrange proto qualifier and map to an IP protocol number.
1070 static int
1071 port_pq_to_ipproto(compiler_state_t *cstate, const int proto, const char *kw)
1072 {
1073 switch (proto) {
1074 case Q_UDP:
1075 return IPPROTO_UDP;
1076 case Q_TCP:
1077 return IPPROTO_TCP;
1078 case Q_SCTP:
1079 return IPPROTO_SCTP;
1080 case Q_DEFAULT:
1081 return PROTO_UNDEF;
1082 }
1083 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), kw);
1084 }
1085
1086 int
1087 pcap_compile(pcap_t *p, struct bpf_program *program,
1088 const char *buf, int optimize, bpf_u_int32 mask)
1089 {
1090 #ifdef _WIN32
1091 int err;
1092 WSADATA wsaData;
1093 #endif
1094 compiler_state_t cstate;
1095 yyscan_t scanner = NULL;
1096 YY_BUFFER_STATE in_buffer = NULL;
1097 u_int len;
1098 int rc;
1099
1100 /*
1101 * If this pcap_t hasn't been activated, it doesn't have a
1102 * link-layer type, so we can't use it.
1103 */
1104 if (!p->activated) {
1105 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1106 "not-yet-activated pcap_t passed to pcap_compile");
1107 return (PCAP_ERROR);
1108 }
1109
1110 #ifdef _WIN32
1111 /*
1112 * Initialize Winsock, asking for the latest version (2.2),
1113 * as we may be calling Winsock routines to translate
1114 * host names to addresses.
1115 */
1116 err = WSAStartup(MAKEWORD(2, 2), &wsaData);
1117 if (err != 0) {
1118 pcapint_fmt_errmsg_for_win32_err(p->errbuf, PCAP_ERRBUF_SIZE,
1119 err, "Error calling WSAStartup()");
1120 return (PCAP_ERROR);
1121 }
1122 #endif
1123
1124 #ifdef ENABLE_REMOTE
1125 /*
1126 * If the device on which we're capturing need to be notified
1127 * that a new filter is being compiled, do so.
1128 *
1129 * This allows them to save a copy of it, in case, for example,
1130 * they're implementing a form of remote packet capture, and
1131 * want the remote machine to filter out the packets in which
1132 * it's sending the packets it's captured.
1133 *
1134 * XXX - the fact that we happen to be compiling a filter
1135 * doesn't necessarily mean we'll be installing it as the
1136 * filter for this pcap_t; we might be running it from userland
1137 * on captured packets to do packet classification. We really
1138 * need a better way of handling this, but this is all that
1139 * the WinPcap remote capture code did.
1140 */
1141 if (p->save_current_filter_op != NULL)
1142 (p->save_current_filter_op)(p, buf);
1143 #endif
1144
1145 initchunks(&cstate);
1146 cstate.no_optimize = 0;
1147 #ifdef INET6
1148 cstate.ai = NULL;
1149 #endif
1150 cstate.e = NULL;
1151 cstate.ic.root = NULL;
1152 cstate.ic.cur_mark = 0;
1153 cstate.bpf_pcap = p;
1154 cstate.error_set = 0;
1155 init_regs(&cstate);
1156
1157 cstate.netmask = mask;
1158
1159 cstate.snaplen = pcap_snapshot(p);
1160 if (cstate.snaplen == 0) {
1161 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1162 "snaplen of 0 rejects all packets");
1163 rc = PCAP_ERROR;
1164 goto quit;
1165 }
1166
1167 if (pcap_lex_init(&scanner) != 0) {
1168 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
1169 errno, "can't initialize scanner");
1170 rc = PCAP_ERROR;
1171 goto quit;
1172 }
1173 in_buffer = pcap__scan_string(buf ? buf : "", scanner);
1174
1175 /*
1176 * Associate the compiler state with the lexical analyzer
1177 * state.
1178 */
1179 pcap_set_extra(&cstate, scanner);
1180
1181 if (init_linktype(&cstate, p) == -1) {
1182 rc = PCAP_ERROR;
1183 goto quit;
1184 }
1185 if (pcap_parse(scanner, &cstate) != 0) {
1186 #ifdef INET6
1187 if (cstate.ai != NULL)
1188 freeaddrinfo(cstate.ai);
1189 #endif
1190 if (cstate.e != NULL)
1191 free(cstate.e);
1192 rc = PCAP_ERROR;
1193 goto quit;
1194 }
1195
1196 if (cstate.ic.root == NULL) {
1197 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
1198
1199 /*
1200 * Catch errors reported by gen_retblk().
1201 */
1202 if (cstate.ic.root== NULL) {
1203 rc = PCAP_ERROR;
1204 goto quit;
1205 }
1206 }
1207
1208 if (optimize && !cstate.no_optimize) {
1209 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) {
1210 /* Failure */
1211 rc = PCAP_ERROR;
1212 goto quit;
1213 }
1214 if (cstate.ic.root == NULL ||
1215 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) {
1216 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1217 "expression rejects all packets");
1218 rc = PCAP_ERROR;
1219 goto quit;
1220 }
1221 }
1222 program->bf_insns = icode_to_fcode(&cstate.ic,
1223 cstate.ic.root, &len, p->errbuf);
1224 if (program->bf_insns == NULL) {
1225 /* Failure */
1226 rc = PCAP_ERROR;
1227 goto quit;
1228 }
1229 program->bf_len = len;
1230
1231 rc = 0; /* We're all okay */
1232
1233 quit:
1234 /*
1235 * Clean up everything for the lexical analyzer.
1236 */
1237 if (in_buffer != NULL)
1238 pcap__delete_buffer(in_buffer, scanner);
1239 if (scanner != NULL)
1240 pcap_lex_destroy(scanner);
1241
1242 /*
1243 * Clean up our own allocated memory.
1244 */
1245 freechunks(&cstate);
1246
1247 #ifdef _WIN32
1248 WSACleanup();
1249 #endif
1250
1251 return (rc);
1252 }
1253
1254 /*
1255 * entry point for using the compiler with no pcap open
1256 * pass in all the stuff that is needed explicitly instead.
1257 */
1258 int
1259 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
1260 struct bpf_program *program,
1261 const char *buf, int optimize, bpf_u_int32 mask)
1262 {
1263 pcap_t *p;
1264 int ret;
1265
1266 p = pcap_open_dead(linktype_arg, snaplen_arg);
1267 if (p == NULL)
1268 return (PCAP_ERROR);
1269 ret = pcap_compile(p, program, buf, optimize, mask);
1270 pcap_close(p);
1271 return (ret);
1272 }
1273
1274 /*
1275 * Clean up a "struct bpf_program" by freeing all the memory allocated
1276 * in it.
1277 */
1278 void
1279 pcap_freecode(struct bpf_program *program)
1280 {
1281 program->bf_len = 0;
1282 if (program->bf_insns != NULL) {
1283 free((char *)program->bf_insns);
1284 program->bf_insns = NULL;
1285 }
1286 }
1287
1288 /*
1289 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
1290 * which of the jt and jf fields has been resolved and which is a pointer
1291 * back to another unresolved block (or nil). At least one of the fields
1292 * in each block is already resolved.
1293 */
1294 static void
1295 backpatch(struct block *list, struct block *target)
1296 {
1297 struct block *next;
1298
1299 while (list) {
1300 if (!list->sense) {
1301 next = JT(list);
1302 JT(list) = target;
1303 } else {
1304 next = JF(list);
1305 JF(list) = target;
1306 }
1307 list = next;
1308 }
1309 }
1310
1311 /*
1312 * Merge the lists in b0 and b1, using the 'sense' field to indicate
1313 * which of jt and jf is the link.
1314 */
1315 static void
1316 merge(struct block *b0, struct block *b1)
1317 {
1318 register struct block **p = &b0;
1319
1320 /* Find end of list. */
1321 while (*p)
1322 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
1323
1324 /* Concatenate the lists. */
1325 *p = b1;
1326 }
1327
1328 int
1329 finish_parse(compiler_state_t *cstate, struct block *p)
1330 {
1331 /*
1332 * Catch errors reported by us and routines below us, and return -1
1333 * on an error.
1334 */
1335 if (setjmp(cstate->top_ctx))
1336 return (-1);
1337
1338 /*
1339 * Insert before the statements of the first (root) block any
1340 * statements needed to load the lengths of any variable-length
1341 * headers into registers.
1342 *
1343 * XXX - a fancier strategy would be to insert those before the
1344 * statements of all blocks that use those lengths and that
1345 * have no predecessors that use them, so that we only compute
1346 * the lengths if we need them. There might be even better
1347 * approaches than that.
1348 *
1349 * However, those strategies would be more complicated, and
1350 * as we don't generate code to compute a length if the
1351 * program has no tests that use the length, and as most
1352 * tests will probably use those lengths, we would just
1353 * postpone computing the lengths so that it's not done
1354 * for tests that fail early, and it's not clear that's
1355 * worth the effort.
1356 */
1357 insert_compute_vloffsets(cstate, p->head);
1358
1359 /*
1360 * For DLT_PPI captures, generate a check of the per-packet
1361 * DLT value to make sure it's DLT_IEEE802_11.
1362 *
1363 * XXX - TurboCap cards use DLT_PPI for Ethernet.
1364 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
1365 * with appropriate Ethernet information and use that rather
1366 * than using something such as DLT_PPI where you don't know
1367 * the link-layer header type until runtime, which, in the
1368 * general case, would force us to generate both Ethernet *and*
1369 * 802.11 code (*and* anything else for which PPI is used)
1370 * and choose between them early in the BPF program?
1371 */
1372 if (cstate->linktype == DLT_PPI) {
1373 struct block *ppi_dlt_check = gen_cmp(cstate, OR_PACKET,
1374 4, BPF_W, SWAPLONG(DLT_IEEE802_11));
1375 gen_and(ppi_dlt_check, p);
1376 }
1377
1378 backpatch(p, gen_retblk_internal(cstate, cstate->snaplen));
1379 p->sense = !p->sense;
1380 backpatch(p, gen_retblk_internal(cstate, 0));
1381 cstate->ic.root = p->head;
1382 return (0);
1383 }
1384
1385 void
1386 gen_and(struct block *b0, struct block *b1)
1387 {
1388 backpatch(b0, b1->head);
1389 b0->sense = !b0->sense;
1390 b1->sense = !b1->sense;
1391 merge(b1, b0);
1392 b1->sense = !b1->sense;
1393 b1->head = b0->head;
1394 }
1395
1396 void
1397 gen_or(struct block *b0, struct block *b1)
1398 {
1399 b0->sense = !b0->sense;
1400 backpatch(b0, b1->head);
1401 b0->sense = !b0->sense;
1402 merge(b1, b0);
1403 b1->head = b0->head;
1404 }
1405
1406 void
1407 gen_not(struct block *b)
1408 {
1409 b->sense = !b->sense;
1410 }
1411
1412 static struct block *
1413 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1414 u_int size, bpf_u_int32 v)
1415 {
1416 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
1417 }
1418
1419 static struct block *
1420 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1421 u_int size, bpf_u_int32 v)
1422 {
1423 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
1424 }
1425
1426 static struct block *
1427 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1428 u_int size, bpf_u_int32 v)
1429 {
1430 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
1431 }
1432
1433 static struct block *
1434 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1435 u_int size, bpf_u_int32 v)
1436 {
1437 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
1438 }
1439
1440 static struct block *
1441 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1442 u_int size, bpf_u_int32 v)
1443 {
1444 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
1445 }
1446
1447 static struct block *
1448 gen_cmp_ne(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1449 u_int size, bpf_u_int32 v)
1450 {
1451 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 1, v);
1452 }
1453
1454 static struct block *
1455 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1456 u_int size, bpf_u_int32 v, bpf_u_int32 mask)
1457 {
1458 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
1459 }
1460
1461 static struct block *
1462 gen_mcmp_ne(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1463 u_int size, bpf_u_int32 v, bpf_u_int32 mask)
1464 {
1465 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 1, v);
1466 }
1467
1468 static struct block *
1469 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1470 u_int size, const u_char *v)
1471 {
1472 register struct block *b, *tmp;
1473
1474 b = NULL;
1475 while (size >= 4) {
1476 register const u_char *p = &v[size - 4];
1477
1478 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W,
1479 EXTRACT_BE_U_4(p));
1480 if (b != NULL)
1481 gen_and(b, tmp);
1482 b = tmp;
1483 size -= 4;
1484 }
1485 while (size >= 2) {
1486 register const u_char *p = &v[size - 2];
1487
1488 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H,
1489 EXTRACT_BE_U_2(p));
1490 if (b != NULL)
1491 gen_and(b, tmp);
1492 b = tmp;
1493 size -= 2;
1494 }
1495 if (size > 0) {
1496 tmp = gen_cmp(cstate, offrel, offset, BPF_B, v[0]);
1497 if (b != NULL)
1498 gen_and(b, tmp);
1499 b = tmp;
1500 }
1501 return b;
1502 }
1503
1504 static struct block *
1505 gen_jmp(compiler_state_t *cstate, int jtype, bpf_u_int32 v, struct slist *stmts)
1506 {
1507 struct block *b = new_block(cstate, JMP(jtype));
1508 b->s.k = v;
1509 b->stmts = stmts;
1510 return b;
1511 }
1512
1513 static struct block *
1514 gen_set(compiler_state_t *cstate, bpf_u_int32 v, struct slist *stmts)
1515 {
1516 return gen_jmp(cstate, BPF_JSET, v, stmts);
1517 }
1518
1519 static struct block *
1520 gen_unset(compiler_state_t *cstate, bpf_u_int32 v, struct slist *stmts)
1521 {
1522 struct block *b = gen_set(cstate, v, stmts);
1523 gen_not(b);
1524 return b;
1525 }
1526
1527 /*
1528 * AND the field of size "size" at offset "offset" relative to the header
1529 * specified by "offrel" with "mask", and compare it with the value "v"
1530 * with the test specified by "jtype"; if "reverse" is true, the test
1531 * should test the opposite of "jtype".
1532 */
1533 static struct block *
1534 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1535 u_int size, bpf_u_int32 mask, int jtype, int reverse,
1536 bpf_u_int32 v)
1537 {
1538 struct slist *s, *s2;
1539 struct block *b;
1540
1541 s = gen_load_a(cstate, offrel, offset, size);
1542
1543 if (mask != 0xffffffff) {
1544 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1545 s2->s.k = mask;
1546 sappend(s, s2);
1547 }
1548
1549 b = gen_jmp(cstate, jtype, v, s);
1550 if (reverse)
1551 gen_not(b);
1552 return b;
1553 }
1554
1555 static int
1556 init_linktype(compiler_state_t *cstate, pcap_t *p)
1557 {
1558 cstate->pcap_fddipad = p->fddipad;
1559
1560 /*
1561 * We start out with only one link-layer header.
1562 */
1563 cstate->outermostlinktype = pcap_datalink(p);
1564 cstate->off_outermostlinkhdr.constant_part = 0;
1565 cstate->off_outermostlinkhdr.is_variable = 0;
1566 cstate->off_outermostlinkhdr.reg = -1;
1567
1568 cstate->prevlinktype = cstate->outermostlinktype;
1569 cstate->off_prevlinkhdr.constant_part = 0;
1570 cstate->off_prevlinkhdr.is_variable = 0;
1571 cstate->off_prevlinkhdr.reg = -1;
1572
1573 cstate->linktype = cstate->outermostlinktype;
1574 cstate->off_linkhdr.constant_part = 0;
1575 cstate->off_linkhdr.is_variable = 0;
1576 cstate->off_linkhdr.reg = -1;
1577
1578 /*
1579 * XXX
1580 */
1581 cstate->off_linkpl.constant_part = 0;
1582 cstate->off_linkpl.is_variable = 0;
1583 cstate->off_linkpl.reg = -1;
1584
1585 cstate->off_linktype.constant_part = 0;
1586 cstate->off_linktype.is_variable = 0;
1587 cstate->off_linktype.reg = -1;
1588
1589 /*
1590 * Assume it's not raw ATM with a pseudo-header, for now.
1591 */
1592 cstate->is_atm = 0;
1593 cstate->off_vpi = OFFSET_NOT_SET;
1594 cstate->off_vci = OFFSET_NOT_SET;
1595 cstate->off_proto = OFFSET_NOT_SET;
1596 cstate->off_payload = OFFSET_NOT_SET;
1597
1598 /*
1599 * And not encapsulated with either Geneve or VXLAN.
1600 */
1601 cstate->is_encap = 0;
1602
1603 /*
1604 * No variable length VLAN offset by default
1605 */
1606 cstate->is_vlan_vloffset = 0;
1607
1608 /*
1609 * And assume we're not doing SS7.
1610 */
1611 cstate->off_li = OFFSET_NOT_SET;
1612 cstate->off_li_hsl = OFFSET_NOT_SET;
1613 cstate->off_sio = OFFSET_NOT_SET;
1614 cstate->off_opc = OFFSET_NOT_SET;
1615 cstate->off_dpc = OFFSET_NOT_SET;
1616 cstate->off_sls = OFFSET_NOT_SET;
1617
1618 cstate->label_stack_depth = 0;
1619 cstate->vlan_stack_depth = 0;
1620
1621 switch (cstate->linktype) {
1622
1623 case DLT_ARCNET:
1624 cstate->off_linktype.constant_part = 2;
1625 cstate->off_linkpl.constant_part = 6;
1626 cstate->off_nl = 0; /* XXX in reality, variable! */
1627 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1628 break;
1629
1630 case DLT_ARCNET_LINUX:
1631 cstate->off_linktype.constant_part = 4;
1632 cstate->off_linkpl.constant_part = 8;
1633 cstate->off_nl = 0; /* XXX in reality, variable! */
1634 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1635 break;
1636
1637 case DLT_EN10MB:
1638 cstate->off_linktype.constant_part = 12;
1639 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1640 cstate->off_nl = 0; /* Ethernet II */
1641 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1642 break;
1643
1644 case DLT_SLIP:
1645 /*
1646 * SLIP doesn't have a link level type. The 16 byte
1647 * header is hacked into our SLIP driver.
1648 */
1649 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1650 cstate->off_linkpl.constant_part = 16;
1651 cstate->off_nl = 0;
1652 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1653 break;
1654
1655 case DLT_SLIP_BSDOS:
1656 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1657 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1658 /* XXX end */
1659 cstate->off_linkpl.constant_part = 24;
1660 cstate->off_nl = 0;
1661 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1662 break;
1663
1664 case DLT_NULL:
1665 case DLT_LOOP:
1666 cstate->off_linktype.constant_part = 0;
1667 cstate->off_linkpl.constant_part = 4;
1668 cstate->off_nl = 0;
1669 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1670 break;
1671
1672 case DLT_ENC:
1673 cstate->off_linktype.constant_part = 0;
1674 cstate->off_linkpl.constant_part = 12;
1675 cstate->off_nl = 0;
1676 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1677 break;
1678
1679 case DLT_PPP:
1680 case DLT_PPP_PPPD:
1681 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1682 case DLT_HDLC: /* NetBSD (Cisco) HDLC */
1683 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1684 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1685 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1686 cstate->off_nl = 0;
1687 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1688 break;
1689
1690 case DLT_PPP_ETHER:
1691 /*
1692 * This does not include the Ethernet header, and
1693 * only covers session state.
1694 */
1695 cstate->off_linktype.constant_part = 6;
1696 cstate->off_linkpl.constant_part = 8;
1697 cstate->off_nl = 0;
1698 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1699 break;
1700
1701 case DLT_PPP_BSDOS:
1702 cstate->off_linktype.constant_part = 5;
1703 cstate->off_linkpl.constant_part = 24;
1704 cstate->off_nl = 0;
1705 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1706 break;
1707
1708 case DLT_FDDI:
1709 /*
1710 * FDDI doesn't really have a link-level type field.
1711 * We set "off_linktype" to the offset of the LLC header.
1712 *
1713 * To check for Ethernet types, we assume that SSAP = SNAP
1714 * is being used and pick out the encapsulated Ethernet type.
1715 * XXX - should we generate code to check for SNAP?
1716 */
1717 cstate->off_linktype.constant_part = 13;
1718 cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1719 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1720 cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1721 cstate->off_nl = 8; /* 802.2+SNAP */
1722 cstate->off_nl_nosnap = 3; /* 802.2 */
1723 break;
1724
1725 case DLT_IEEE802:
1726 /*
1727 * Token Ring doesn't really have a link-level type field.
1728 * We set "off_linktype" to the offset of the LLC header.
1729 *
1730 * To check for Ethernet types, we assume that SSAP = SNAP
1731 * is being used and pick out the encapsulated Ethernet type.
1732 * XXX - should we generate code to check for SNAP?
1733 *
1734 * XXX - the header is actually variable-length.
1735 * Some various Linux patched versions gave 38
1736 * as "off_linktype" and 40 as "off_nl"; however,
1737 * if a token ring packet has *no* routing
1738 * information, i.e. is not source-routed, the correct
1739 * values are 20 and 22, as they are in the vanilla code.
1740 *
1741 * A packet is source-routed iff the uppermost bit
1742 * of the first byte of the source address, at an
1743 * offset of 8, has the uppermost bit set. If the
1744 * packet is source-routed, the total number of bytes
1745 * of routing information is 2 plus bits 0x1F00 of
1746 * the 16-bit value at an offset of 14 (shifted right
1747 * 8 - figure out which byte that is).
1748 */
1749 cstate->off_linktype.constant_part = 14;
1750 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1751 cstate->off_nl = 8; /* 802.2+SNAP */
1752 cstate->off_nl_nosnap = 3; /* 802.2 */
1753 break;
1754
1755 case DLT_PRISM_HEADER:
1756 case DLT_IEEE802_11_RADIO_AVS:
1757 case DLT_IEEE802_11_RADIO:
1758 cstate->off_linkhdr.is_variable = 1;
1759 /* Fall through, 802.11 doesn't have a variable link
1760 * prefix but is otherwise the same. */
1761 /* FALLTHROUGH */
1762
1763 case DLT_IEEE802_11:
1764 /*
1765 * 802.11 doesn't really have a link-level type field.
1766 * We set "off_linktype.constant_part" to the offset of
1767 * the LLC header.
1768 *
1769 * To check for Ethernet types, we assume that SSAP = SNAP
1770 * is being used and pick out the encapsulated Ethernet type.
1771 * XXX - should we generate code to check for SNAP?
1772 *
1773 * We also handle variable-length radio headers here.
1774 * The Prism header is in theory variable-length, but in
1775 * practice it's always 144 bytes long. However, some
1776 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1777 * sometimes or always supply an AVS header, so we
1778 * have to check whether the radio header is a Prism
1779 * header or an AVS header, so, in practice, it's
1780 * variable-length.
1781 */
1782 cstate->off_linktype.constant_part = 24;
1783 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1784 cstate->off_linkpl.is_variable = 1;
1785 cstate->off_nl = 8; /* 802.2+SNAP */
1786 cstate->off_nl_nosnap = 3; /* 802.2 */
1787 break;
1788
1789 case DLT_PPI:
1790 /*
1791 * At the moment we treat PPI the same way that we treat
1792 * normal Radiotap encoded packets. The difference is in
1793 * the function that generates the code at the beginning
1794 * to compute the header length. Since this code generator
1795 * of PPI supports bare 802.11 encapsulation only (i.e.
1796 * the encapsulated DLT should be DLT_IEEE802_11) we
1797 * generate code to check for this too.
1798 */
1799 cstate->off_linktype.constant_part = 24;
1800 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1801 cstate->off_linkpl.is_variable = 1;
1802 cstate->off_linkhdr.is_variable = 1;
1803 cstate->off_nl = 8; /* 802.2+SNAP */
1804 cstate->off_nl_nosnap = 3; /* 802.2 */
1805 break;
1806
1807 case DLT_ATM_RFC1483:
1808 case DLT_ATM_CLIP: /* Linux ATM defines this */
1809 /*
1810 * assume routed, non-ISO PDUs
1811 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1812 *
1813 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1814 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1815 * latter would presumably be treated the way PPPoE
1816 * should be, so you can do "pppoe and udp port 2049"
1817 * or "pppoa and tcp port 80" and have it check for
1818 * PPPo{A,E} and a PPP protocol of IP and....
1819 */
1820 cstate->off_linktype.constant_part = 0;
1821 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1822 cstate->off_nl = 8; /* 802.2+SNAP */
1823 cstate->off_nl_nosnap = 3; /* 802.2 */
1824 break;
1825
1826 case DLT_SUNATM:
1827 /*
1828 * Full Frontal ATM; you get AALn PDUs with an ATM
1829 * pseudo-header.
1830 */
1831 cstate->is_atm = 1;
1832 cstate->off_vpi = SUNATM_VPI_POS;
1833 cstate->off_vci = SUNATM_VCI_POS;
1834 cstate->off_proto = PROTO_POS;
1835 cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1836 cstate->off_linktype.constant_part = cstate->off_payload;
1837 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1838 cstate->off_nl = 8; /* 802.2+SNAP */
1839 cstate->off_nl_nosnap = 3; /* 802.2 */
1840 break;
1841
1842 case DLT_RAW:
1843 case DLT_IPV4:
1844 case DLT_IPV6:
1845 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1846 cstate->off_linkpl.constant_part = 0;
1847 cstate->off_nl = 0;
1848 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1849 break;
1850
1851 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */
1852 cstate->off_linktype.constant_part = 14;
1853 cstate->off_linkpl.constant_part = 16;
1854 cstate->off_nl = 0;
1855 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1856 break;
1857
1858 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */
1859 cstate->off_linktype.constant_part = 0;
1860 cstate->off_linkpl.constant_part = 20;
1861 cstate->off_nl = 0;
1862 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1863 break;
1864
1865 case DLT_LTALK:
1866 /*
1867 * LocalTalk does have a 1-byte type field in the LLAP header,
1868 * but really it just indicates whether there is a "short" or
1869 * "long" DDP packet following.
1870 */
1871 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1872 cstate->off_linkpl.constant_part = 0;
1873 cstate->off_nl = 0;
1874 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1875 break;
1876
1877 case DLT_IP_OVER_FC:
1878 /*
1879 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1880 * link-level type field. We set "off_linktype" to the
1881 * offset of the LLC header.
1882 *
1883 * To check for Ethernet types, we assume that SSAP = SNAP
1884 * is being used and pick out the encapsulated Ethernet type.
1885 * XXX - should we generate code to check for SNAP? RFC
1886 * 2625 says SNAP should be used.
1887 */
1888 cstate->off_linktype.constant_part = 16;
1889 cstate->off_linkpl.constant_part = 16;
1890 cstate->off_nl = 8; /* 802.2+SNAP */
1891 cstate->off_nl_nosnap = 3; /* 802.2 */
1892 break;
1893
1894 case DLT_FRELAY:
1895 /*
1896 * XXX - we should set this to handle SNAP-encapsulated
1897 * frames (NLPID of 0x80).
1898 */
1899 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1900 cstate->off_linkpl.constant_part = 0;
1901 cstate->off_nl = 0;
1902 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1903 break;
1904
1905 /*
1906 * the only BPF-interesting FRF.16 frames are non-control frames;
1907 * Frame Relay has a variable length link-layer
1908 * so lets start with offset 4 for now and increments later on (FIXME);
1909 */
1910 case DLT_MFR:
1911 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1912 cstate->off_linkpl.constant_part = 0;
1913 cstate->off_nl = 4;
1914 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1915 break;
1916
1917 case DLT_APPLE_IP_OVER_IEEE1394:
1918 cstate->off_linktype.constant_part = 16;
1919 cstate->off_linkpl.constant_part = 18;
1920 cstate->off_nl = 0;
1921 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1922 break;
1923
1924 case DLT_SYMANTEC_FIREWALL:
1925 cstate->off_linktype.constant_part = 6;
1926 cstate->off_linkpl.constant_part = 44;
1927 cstate->off_nl = 0; /* Ethernet II */
1928 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1929 break;
1930
1931 case DLT_PFLOG:
1932 cstate->off_linktype.constant_part = 0;
1933 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1934 cstate->off_linkpl.is_variable = 1;
1935 cstate->off_nl = 0;
1936 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1937 break;
1938
1939 case DLT_JUNIPER_MFR:
1940 case DLT_JUNIPER_MLFR:
1941 case DLT_JUNIPER_MLPPP:
1942 case DLT_JUNIPER_PPP:
1943 case DLT_JUNIPER_CHDLC:
1944 case DLT_JUNIPER_FRELAY:
1945 cstate->off_linktype.constant_part = 4;
1946 cstate->off_linkpl.constant_part = 4;
1947 cstate->off_nl = 0;
1948 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1949 break;
1950
1951 case DLT_JUNIPER_ATM1:
1952 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1953 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1954 cstate->off_nl = 0;
1955 cstate->off_nl_nosnap = 10;
1956 break;
1957
1958 case DLT_JUNIPER_ATM2:
1959 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1960 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1961 cstate->off_nl = 0;
1962 cstate->off_nl_nosnap = 10;
1963 break;
1964
1965 /* frames captured on a Juniper PPPoE service PIC
1966 * contain raw ethernet frames */
1967 case DLT_JUNIPER_PPPOE:
1968 case DLT_JUNIPER_ETHER:
1969 cstate->off_linkpl.constant_part = 14;
1970 cstate->off_linktype.constant_part = 16;
1971 cstate->off_nl = 18; /* Ethernet II */
1972 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1973 break;
1974
1975 case DLT_JUNIPER_PPPOE_ATM:
1976 cstate->off_linktype.constant_part = 4;
1977 cstate->off_linkpl.constant_part = 6;
1978 cstate->off_nl = 0;
1979 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1980 break;
1981
1982 case DLT_JUNIPER_GGSN:
1983 cstate->off_linktype.constant_part = 6;
1984 cstate->off_linkpl.constant_part = 12;
1985 cstate->off_nl = 0;
1986 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1987 break;
1988
1989 case DLT_JUNIPER_ES:
1990 cstate->off_linktype.constant_part = 6;
1991 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1992 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1993 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1994 break;
1995
1996 case DLT_JUNIPER_MONITOR:
1997 cstate->off_linktype.constant_part = 12;
1998 cstate->off_linkpl.constant_part = 12;
1999 cstate->off_nl = 0; /* raw IP/IP6 header */
2000 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
2001 break;
2002
2003 case DLT_BACNET_MS_TP:
2004 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2005 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2006 cstate->off_nl = OFFSET_NOT_SET;
2007 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2008 break;
2009
2010 case DLT_JUNIPER_SERVICES:
2011 cstate->off_linktype.constant_part = 12;
2012 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
2013 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
2014 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
2015 break;
2016
2017 case DLT_JUNIPER_VP:
2018 cstate->off_linktype.constant_part = 18;
2019 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2020 cstate->off_nl = OFFSET_NOT_SET;
2021 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2022 break;
2023
2024 case DLT_JUNIPER_ST:
2025 cstate->off_linktype.constant_part = 18;
2026 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2027 cstate->off_nl = OFFSET_NOT_SET;
2028 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2029 break;
2030
2031 case DLT_JUNIPER_ISM:
2032 cstate->off_linktype.constant_part = 8;
2033 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2034 cstate->off_nl = OFFSET_NOT_SET;
2035 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2036 break;
2037
2038 case DLT_JUNIPER_VS:
2039 case DLT_JUNIPER_SRX_E2E:
2040 case DLT_JUNIPER_FIBRECHANNEL:
2041 case DLT_JUNIPER_ATM_CEMIC:
2042 cstate->off_linktype.constant_part = 8;
2043 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2044 cstate->off_nl = OFFSET_NOT_SET;
2045 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2046 break;
2047
2048 case DLT_MTP2:
2049 cstate->off_li = 2;
2050 cstate->off_li_hsl = 4;
2051 cstate->off_sio = 3;
2052 cstate->off_opc = 4;
2053 cstate->off_dpc = 4;
2054 cstate->off_sls = 7;
2055 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2056 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2057 cstate->off_nl = OFFSET_NOT_SET;
2058 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2059 break;
2060
2061 case DLT_MTP2_WITH_PHDR:
2062 cstate->off_li = 6;
2063 cstate->off_li_hsl = 8;
2064 cstate->off_sio = 7;
2065 cstate->off_opc = 8;
2066 cstate->off_dpc = 8;
2067 cstate->off_sls = 11;
2068 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2069 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2070 cstate->off_nl = OFFSET_NOT_SET;
2071 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2072 break;
2073
2074 case DLT_ERF:
2075 cstate->off_li = 22;
2076 cstate->off_li_hsl = 24;
2077 cstate->off_sio = 23;
2078 cstate->off_opc = 24;
2079 cstate->off_dpc = 24;
2080 cstate->off_sls = 27;
2081 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2082 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2083 cstate->off_nl = OFFSET_NOT_SET;
2084 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2085 break;
2086
2087 case DLT_PFSYNC:
2088 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2089 cstate->off_linkpl.constant_part = 4;
2090 cstate->off_nl = 0;
2091 cstate->off_nl_nosnap = 0;
2092 break;
2093
2094 case DLT_AX25_KISS:
2095 /*
2096 * Currently, only raw "link[N:M]" filtering is supported.
2097 */
2098 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
2099 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2100 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
2101 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
2102 break;
2103
2104 case DLT_IPNET:
2105 cstate->off_linktype.constant_part = 1;
2106 cstate->off_linkpl.constant_part = 24; /* ipnet header length */
2107 cstate->off_nl = 0;
2108 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2109 break;
2110
2111 case DLT_NETANALYZER:
2112 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
2113 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
2114 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
2115 cstate->off_nl = 0; /* Ethernet II */
2116 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
2117 break;
2118
2119 case DLT_NETANALYZER_TRANSPARENT:
2120 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
2121 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
2122 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
2123 cstate->off_nl = 0; /* Ethernet II */
2124 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
2125 break;
2126
2127 default:
2128 /*
2129 * For values in the range in which we've assigned new
2130 * DLT_ values, only raw "link[N:M]" filtering is supported.
2131 */
2132 if (cstate->linktype >= DLT_HIGH_MATCHING_MIN &&
2133 cstate->linktype <= DLT_HIGH_MATCHING_MAX) {
2134 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2135 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2136 cstate->off_nl = OFFSET_NOT_SET;
2137 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2138 } else {
2139 bpf_set_error(cstate, "unknown data link type %d (min %d, max %d)",
2140 cstate->linktype, DLT_HIGH_MATCHING_MIN, DLT_HIGH_MATCHING_MAX);
2141 return (-1);
2142 }
2143 break;
2144 }
2145
2146 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
2147 return (0);
2148 }
2149
2150 /*
2151 * Load a value relative to the specified absolute offset.
2152 */
2153 static struct slist *
2154 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
2155 u_int offset, u_int size)
2156 {
2157 struct slist *s, *s2;
2158
2159 s = gen_abs_offset_varpart(cstate, abs_offset);
2160
2161 /*
2162 * If "s" is non-null, it has code to arrange that the X register
2163 * contains the variable part of the absolute offset, so we
2164 * generate a load relative to that, with an offset of
2165 * abs_offset->constant_part + offset.
2166 *
2167 * Otherwise, we can do an absolute load with an offset of
2168 * abs_offset->constant_part + offset.
2169 */
2170 if (s != NULL) {
2171 /*
2172 * "s" points to a list of statements that puts the
2173 * variable part of the absolute offset into the X register.
2174 * Do an indirect load, to use the X register as an offset.
2175 */
2176 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
2177 s2->s.k = abs_offset->constant_part + offset;
2178 sappend(s, s2);
2179 } else {
2180 /*
2181 * There is no variable part of the absolute offset, so
2182 * just do an absolute load.
2183 */
2184 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
2185 s->s.k = abs_offset->constant_part + offset;
2186 }
2187 return s;
2188 }
2189
2190 /*
2191 * Load a value relative to the beginning of the specified header.
2192 */
2193 static struct slist *
2194 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
2195 u_int size)
2196 {
2197 struct slist *s, *s2;
2198
2199 /*
2200 * Squelch warnings from compilers that *don't* assume that
2201 * offrel always has a valid enum value and therefore don't
2202 * assume that we'll always go through one of the case arms.
2203 *
2204 * If we have a default case, compilers that *do* assume that
2205 * will then complain about the default case code being
2206 * unreachable.
2207 *
2208 * Damned if you do, damned if you don't.
2209 */
2210 s = NULL;
2211
2212 switch (offrel) {
2213
2214 case OR_PACKET:
2215 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
2216 s->s.k = offset;
2217 break;
2218
2219 case OR_LINKHDR:
2220 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
2221 break;
2222
2223 case OR_PREVLINKHDR:
2224 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
2225 break;
2226
2227 case OR_LLC:
2228 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
2229 break;
2230
2231 case OR_PREVMPLSHDR:
2232 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
2233 break;
2234
2235 case OR_LINKPL:
2236 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
2237 break;
2238
2239 case OR_LINKPL_NOSNAP:
2240 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
2241 break;
2242
2243 case OR_LINKTYPE:
2244 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
2245 break;
2246
2247 case OR_TRAN_IPV4:
2248 /*
2249 * Load the X register with the length of the IPv4 header
2250 * (plus the offset of the link-layer header, if it's
2251 * preceded by a variable-length header such as a radio
2252 * header), in bytes.
2253 */
2254 s = gen_loadx_iphdrlen(cstate);
2255
2256 /*
2257 * Load the item at {offset of the link-layer payload} +
2258 * {offset, relative to the start of the link-layer
2259 * payload, of the IPv4 header} + {length of the IPv4 header} +
2260 * {specified offset}.
2261 *
2262 * If the offset of the link-layer payload is variable,
2263 * the variable part of that offset is included in the
2264 * value in the X register, and we include the constant
2265 * part in the offset of the load.
2266 */
2267 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
2268 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
2269 sappend(s, s2);
2270 break;
2271
2272 case OR_TRAN_IPV6:
2273 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
2274 break;
2275 }
2276 return s;
2277 }
2278
2279 /*
2280 * Generate code to load into the X register the sum of the length of
2281 * the IPv4 header and the variable part of the offset of the link-layer
2282 * payload.
2283 */
2284 static struct slist *
2285 gen_loadx_iphdrlen(compiler_state_t *cstate)
2286 {
2287 struct slist *s, *s2;
2288
2289 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
2290 if (s != NULL) {
2291 /*
2292 * The offset of the link-layer payload has a variable
2293 * part. "s" points to a list of statements that put
2294 * the variable part of that offset into the X register.
2295 *
2296 * The 4*([k]&0xf) addressing mode can't be used, as we
2297 * don't have a constant offset, so we have to load the
2298 * value in question into the A register and add to it
2299 * the value from the X register.
2300 */
2301 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2302 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
2303 sappend(s, s2);
2304 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2305 s2->s.k = 0xf;
2306 sappend(s, s2);
2307 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2308 s2->s.k = 2;
2309 sappend(s, s2);
2310
2311 /*
2312 * The A register now contains the length of the IP header.
2313 * We need to add to it the variable part of the offset of
2314 * the link-layer payload, which is still in the X
2315 * register, and move the result into the X register.
2316 */
2317 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
2318 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
2319 } else {
2320 /*
2321 * The offset of the link-layer payload is a constant,
2322 * so no code was generated to load the (nonexistent)
2323 * variable part of that offset.
2324 *
2325 * This means we can use the 4*([k]&0xf) addressing
2326 * mode. Load the length of the IPv4 header, which
2327 * is at an offset of cstate->off_nl from the beginning of
2328 * the link-layer payload, and thus at an offset of
2329 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
2330 * of the raw packet data, using that addressing mode.
2331 */
2332 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
2333 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
2334 }
2335 return s;
2336 }
2337
2338
2339 static struct block *
2340 gen_uncond(compiler_state_t *cstate, int rsense)
2341 {
2342 struct slist *s;
2343
2344 s = new_stmt(cstate, BPF_LD|BPF_IMM);
2345 s->s.k = !rsense;
2346 return gen_jmp(cstate, BPF_JEQ, 0, s);
2347 }
2348
2349 static inline struct block *
2350 gen_true(compiler_state_t *cstate)
2351 {
2352 return gen_uncond(cstate, 1);
2353 }
2354
2355 static inline struct block *
2356 gen_false(compiler_state_t *cstate)
2357 {
2358 return gen_uncond(cstate, 0);
2359 }
2360
2361 /*
2362 * Generate code to match a particular packet type.
2363 *
2364 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2365 * value, if <= ETHERMTU. We use that to determine whether to
2366 * match the type/length field or to check the type/length field for
2367 * a value <= ETHERMTU to see whether it's a type field and then do
2368 * the appropriate test.
2369 */
2370 static struct block *
2371 gen_ether_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2372 {
2373 struct block *b0, *b1;
2374
2375 switch (ll_proto) {
2376
2377 case LLCSAP_ISONS:
2378 case LLCSAP_IP:
2379 case LLCSAP_NETBEUI:
2380 /*
2381 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2382 * so we check the DSAP and SSAP.
2383 *
2384 * LLCSAP_IP checks for IP-over-802.2, rather
2385 * than IP-over-Ethernet or IP-over-SNAP.
2386 *
2387 * XXX - should we check both the DSAP and the
2388 * SSAP, like this, or should we check just the
2389 * DSAP, as we do for other types <= ETHERMTU
2390 * (i.e., other SAP values)?
2391 */
2392 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2393 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2394 gen_and(b0, b1);
2395 return b1;
2396
2397 case LLCSAP_IPX:
2398 /*
2399 * Check for;
2400 *
2401 * Ethernet_II frames, which are Ethernet
2402 * frames with a frame type of ETHERTYPE_IPX;
2403 *
2404 * Ethernet_802.3 frames, which are 802.3
2405 * frames (i.e., the type/length field is
2406 * a length field, <= ETHERMTU, rather than
2407 * a type field) with the first two bytes
2408 * after the Ethernet/802.3 header being
2409 * 0xFFFF;
2410 *
2411 * Ethernet_802.2 frames, which are 802.3
2412 * frames with an 802.2 LLC header and
2413 * with the IPX LSAP as the DSAP in the LLC
2414 * header;
2415 *
2416 * Ethernet_SNAP frames, which are 802.3
2417 * frames with an LLC header and a SNAP
2418 * header and with an OUI of 0x000000
2419 * (encapsulated Ethernet) and a protocol
2420 * ID of ETHERTYPE_IPX in the SNAP header.
2421 *
2422 * XXX - should we generate the same code both
2423 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
2424 */
2425
2426 /*
2427 * This generates code to check both for the
2428 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
2429 */
2430 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2431 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
2432 gen_or(b0, b1);
2433
2434 /*
2435 * Now we add code to check for SNAP frames with
2436 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
2437 */
2438 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2439 gen_or(b0, b1);
2440
2441 /*
2442 * Now we generate code to check for 802.3
2443 * frames in general.
2444 */
2445 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2446
2447 /*
2448 * Now add the check for 802.3 frames before the
2449 * check for Ethernet_802.2 and Ethernet_802.3,
2450 * as those checks should only be done on 802.3
2451 * frames, not on Ethernet frames.
2452 */
2453 gen_and(b0, b1);
2454
2455 /*
2456 * Now add the check for Ethernet_II frames, and
2457 * do that before checking for the other frame
2458 * types.
2459 */
2460 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2461 gen_or(b0, b1);
2462 return b1;
2463
2464 case ETHERTYPE_ATALK:
2465 case ETHERTYPE_AARP:
2466 /*
2467 * EtherTalk (AppleTalk protocols on Ethernet link
2468 * layer) may use 802.2 encapsulation.
2469 */
2470
2471 /*
2472 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2473 * we check for an Ethernet type field less or equal than
2474 * 1500, which means it's an 802.3 length field.
2475 */
2476 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2477
2478 /*
2479 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2480 * SNAP packets with an organization code of
2481 * 0x080007 (Apple, for Appletalk) and a protocol
2482 * type of ETHERTYPE_ATALK (Appletalk).
2483 *
2484 * 802.2-encapsulated ETHERTYPE_AARP packets are
2485 * SNAP packets with an organization code of
2486 * 0x000000 (encapsulated Ethernet) and a protocol
2487 * type of ETHERTYPE_AARP (Appletalk ARP).
2488 */
2489 if (ll_proto == ETHERTYPE_ATALK)
2490 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2491 else /* ll_proto == ETHERTYPE_AARP */
2492 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2493 gen_and(b0, b1);
2494
2495 /*
2496 * Check for Ethernet encapsulation (Ethertalk
2497 * phase 1?); we just check for the Ethernet
2498 * protocol type.
2499 */
2500 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2501
2502 gen_or(b0, b1);
2503 return b1;
2504
2505 default:
2506 if (ll_proto <= ETHERMTU) {
2507 assert_maxval(cstate, "LLC DSAP", ll_proto, UINT8_MAX);
2508 /*
2509 * This is an LLC SAP value, so the frames
2510 * that match would be 802.2 frames.
2511 * Check that the frame is an 802.2 frame
2512 * (i.e., that the length/type field is
2513 * a length field, <= ETHERMTU) and
2514 * then check the DSAP.
2515 */
2516 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2517 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, ll_proto);
2518 gen_and(b0, b1);
2519 return b1;
2520 } else {
2521 assert_maxval(cstate, "EtherType", ll_proto, UINT16_MAX);
2522 /*
2523 * This is an Ethernet type, so compare
2524 * the length/type field with it (if
2525 * the frame is an 802.2 frame, the length
2526 * field will be <= ETHERMTU, and, as
2527 * "ll_proto" is > ETHERMTU, this test
2528 * will fail and the frame won't match,
2529 * which is what we want).
2530 */
2531 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2532 }
2533 }
2534 }
2535
2536 static struct block *
2537 gen_loopback_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2538 {
2539 /*
2540 * For DLT_NULL, the link-layer header is a 32-bit word
2541 * containing an AF_ value in *host* byte order, and for
2542 * DLT_ENC, the link-layer header begins with a 32-bit
2543 * word containing an AF_ value in host byte order.
2544 *
2545 * In addition, if we're reading a saved capture file,
2546 * the host byte order in the capture may not be the
2547 * same as the host byte order on this machine.
2548 *
2549 * For DLT_LOOP, the link-layer header is a 32-bit
2550 * word containing an AF_ value in *network* byte order.
2551 */
2552 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2553 /*
2554 * The AF_ value is in host byte order, but the BPF
2555 * interpreter will convert it to network byte order.
2556 *
2557 * If this is a save file, and it's from a machine
2558 * with the opposite byte order to ours, we byte-swap
2559 * the AF_ value.
2560 *
2561 * Then we run it through "htonl()", and generate
2562 * code to compare against the result.
2563 */
2564 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2565 ll_proto = SWAPLONG(ll_proto);
2566 ll_proto = htonl(ll_proto);
2567 }
2568 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, ll_proto));
2569 }
2570
2571 /*
2572 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2573 * or IPv6 then we have an error.
2574 */
2575 static struct block *
2576 gen_ipnet_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2577 {
2578 switch (ll_proto) {
2579
2580 case ETHERTYPE_IP:
2581 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET);
2582 /*NOTREACHED*/
2583
2584 case ETHERTYPE_IPV6:
2585 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET6);
2586 /*NOTREACHED*/
2587
2588 default:
2589 break;
2590 }
2591
2592 return gen_false(cstate);
2593 }
2594
2595 /*
2596 * Generate code to match a particular packet type.
2597 *
2598 * "ll_proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2599 * value, if <= ETHERMTU. We use that to determine whether to
2600 * match the type field or to check the type field for the special
2601 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2602 */
2603 static struct block *
2604 gen_linux_sll_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2605 {
2606 struct block *b0, *b1;
2607
2608 switch (ll_proto) {
2609
2610 case LLCSAP_ISONS:
2611 case LLCSAP_IP:
2612 case LLCSAP_NETBEUI:
2613 /*
2614 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2615 * so we check the DSAP and SSAP.
2616 *
2617 * LLCSAP_IP checks for IP-over-802.2, rather
2618 * than IP-over-Ethernet or IP-over-SNAP.
2619 *
2620 * XXX - should we check both the DSAP and the
2621 * SSAP, like this, or should we check just the
2622 * DSAP, as we do for other types <= ETHERMTU
2623 * (i.e., other SAP values)?
2624 */
2625 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2626 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2627 gen_and(b0, b1);
2628 return b1;
2629
2630 case LLCSAP_IPX:
2631 /*
2632 * Ethernet_II frames, which are Ethernet
2633 * frames with a frame type of ETHERTYPE_IPX;
2634 *
2635 * Ethernet_802.3 frames, which have a frame
2636 * type of LINUX_SLL_P_802_3;
2637 *
2638 * Ethernet_802.2 frames, which are 802.3
2639 * frames with an 802.2 LLC header (i.e, have
2640 * a frame type of LINUX_SLL_P_802_2) and
2641 * with the IPX LSAP as the DSAP in the LLC
2642 * header;
2643 *
2644 * Ethernet_SNAP frames, which are 802.3
2645 * frames with an LLC header and a SNAP
2646 * header and with an OUI of 0x000000
2647 * (encapsulated Ethernet) and a protocol
2648 * ID of ETHERTYPE_IPX in the SNAP header.
2649 *
2650 * First, do the checks on LINUX_SLL_P_802_2
2651 * frames; generate the check for either
2652 * Ethernet_802.2 or Ethernet_SNAP frames, and
2653 * then put a check for LINUX_SLL_P_802_2 frames
2654 * before it.
2655 */
2656 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2657 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2658 gen_or(b0, b1);
2659 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2660 gen_and(b0, b1);
2661
2662 /*
2663 * Now check for 802.3 frames and OR that with
2664 * the previous test.
2665 */
2666 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2667 gen_or(b0, b1);
2668
2669 /*
2670 * Now add the check for Ethernet_II frames, and
2671 * do that before checking for the other frame
2672 * types.
2673 */
2674 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2675 gen_or(b0, b1);
2676 return b1;
2677
2678 case ETHERTYPE_ATALK:
2679 case ETHERTYPE_AARP:
2680 /*
2681 * EtherTalk (AppleTalk protocols on Ethernet link
2682 * layer) may use 802.2 encapsulation.
2683 */
2684
2685 /*
2686 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2687 * we check for the 802.2 protocol type in the
2688 * "Ethernet type" field.
2689 */
2690 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2691
2692 /*
2693 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2694 * SNAP packets with an organization code of
2695 * 0x080007 (Apple, for Appletalk) and a protocol
2696 * type of ETHERTYPE_ATALK (Appletalk).
2697 *
2698 * 802.2-encapsulated ETHERTYPE_AARP packets are
2699 * SNAP packets with an organization code of
2700 * 0x000000 (encapsulated Ethernet) and a protocol
2701 * type of ETHERTYPE_AARP (Appletalk ARP).
2702 */
2703 if (ll_proto == ETHERTYPE_ATALK)
2704 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2705 else /* ll_proto == ETHERTYPE_AARP */
2706 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2707 gen_and(b0, b1);
2708
2709 /*
2710 * Check for Ethernet encapsulation (Ethertalk
2711 * phase 1?); we just check for the Ethernet
2712 * protocol type.
2713 */
2714 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2715
2716 gen_or(b0, b1);
2717 return b1;
2718
2719 default:
2720 if (ll_proto <= ETHERMTU) {
2721 assert_maxval(cstate, "LLC DSAP", ll_proto, UINT8_MAX);
2722 /*
2723 * This is an LLC SAP value, so the frames
2724 * that match would be 802.2 frames.
2725 * Check for the 802.2 protocol type
2726 * in the "Ethernet type" field, and
2727 * then check the DSAP.
2728 */
2729 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2730 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2731 ll_proto);
2732 gen_and(b0, b1);
2733 return b1;
2734 } else {
2735 assert_maxval(cstate, "EtherType", ll_proto, UINT16_MAX);
2736 /*
2737 * This is an Ethernet type, so compare
2738 * the length/type field with it (if
2739 * the frame is an 802.2 frame, the length
2740 * field will be <= ETHERMTU, and, as
2741 * "ll_proto" is > ETHERMTU, this test
2742 * will fail and the frame won't match,
2743 * which is what we want).
2744 */
2745 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2746 }
2747 }
2748 }
2749
2750 /*
2751 * Load a value relative to the beginning of the link-layer header after the
2752 * pflog header.
2753 */
2754 static struct slist *
2755 gen_load_pflog_llprefixlen(compiler_state_t *cstate)
2756 {
2757 struct slist *s1, *s2;
2758
2759 /*
2760 * Generate code to load the length of the pflog header into
2761 * the register assigned to hold that length, if one has been
2762 * assigned. (If one hasn't been assigned, no code we've
2763 * generated uses that prefix, so we don't need to generate any
2764 * code to load it.)
2765 */
2766 if (cstate->off_linkpl.reg != -1) {
2767 /*
2768 * The length is in the first byte of the header.
2769 */
2770 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2771 s1->s.k = 0;
2772
2773 /*
2774 * Round it up to a multiple of 4.
2775 * Add 3, and clear the lower 2 bits.
2776 */
2777 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2778 s2->s.k = 3;
2779 sappend(s1, s2);
2780 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2781 s2->s.k = 0xfffffffc;
2782 sappend(s1, s2);
2783
2784 /*
2785 * Now allocate a register to hold that value and store
2786 * it.
2787 */
2788 s2 = new_stmt(cstate, BPF_ST);
2789 s2->s.k = cstate->off_linkpl.reg;
2790 sappend(s1, s2);
2791
2792 /*
2793 * Now move it into the X register.
2794 */
2795 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2796 sappend(s1, s2);
2797
2798 return (s1);
2799 } else
2800 return (NULL);
2801 }
2802
2803 static struct slist *
2804 gen_load_prism_llprefixlen(compiler_state_t *cstate)
2805 {
2806 struct slist *s1, *s2;
2807 struct slist *sjeq_avs_cookie;
2808 struct slist *sjcommon;
2809
2810 /*
2811 * This code is not compatible with the optimizer, as
2812 * we are generating jmp instructions within a normal
2813 * slist of instructions
2814 */
2815 cstate->no_optimize = 1;
2816
2817 /*
2818 * Generate code to load the length of the radio header into
2819 * the register assigned to hold that length, if one has been
2820 * assigned. (If one hasn't been assigned, no code we've
2821 * generated uses that prefix, so we don't need to generate any
2822 * code to load it.)
2823 *
2824 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2825 * or always use the AVS header rather than the Prism header.
2826 * We load a 4-byte big-endian value at the beginning of the
2827 * raw packet data, and see whether, when masked with 0xFFFFF000,
2828 * it's equal to 0x80211000. If so, that indicates that it's
2829 * an AVS header (the masked-out bits are the version number).
2830 * Otherwise, it's a Prism header.
2831 *
2832 * XXX - the Prism header is also, in theory, variable-length,
2833 * but no known software generates headers that aren't 144
2834 * bytes long.
2835 */
2836 if (cstate->off_linkhdr.reg != -1) {
2837 /*
2838 * Load the cookie.
2839 */
2840 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2841 s1->s.k = 0;
2842
2843 /*
2844 * AND it with 0xFFFFF000.
2845 */
2846 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2847 s2->s.k = 0xFFFFF000;
2848 sappend(s1, s2);
2849
2850 /*
2851 * Compare with 0x80211000.
2852 */
2853 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2854 sjeq_avs_cookie->s.k = 0x80211000;
2855 sappend(s1, sjeq_avs_cookie);
2856
2857 /*
2858 * If it's AVS:
2859 *
2860 * The 4 bytes at an offset of 4 from the beginning of
2861 * the AVS header are the length of the AVS header.
2862 * That field is big-endian.
2863 */
2864 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2865 s2->s.k = 4;
2866 sappend(s1, s2);
2867 sjeq_avs_cookie->s.jt = s2;
2868
2869 /*
2870 * Now jump to the code to allocate a register
2871 * into which to save the header length and
2872 * store the length there. (The "jump always"
2873 * instruction needs to have the k field set;
2874 * it's added to the PC, so, as we're jumping
2875 * over a single instruction, it should be 1.)
2876 */
2877 sjcommon = new_stmt(cstate, JMP(BPF_JA));
2878 sjcommon->s.k = 1;
2879 sappend(s1, sjcommon);
2880
2881 /*
2882 * Now for the code that handles the Prism header.
2883 * Just load the length of the Prism header (144)
2884 * into the A register. Have the test for an AVS
2885 * header branch here if we don't have an AVS header.
2886 */
2887 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2888 s2->s.k = 144;
2889 sappend(s1, s2);
2890 sjeq_avs_cookie->s.jf = s2;
2891
2892 /*
2893 * Now allocate a register to hold that value and store
2894 * it. The code for the AVS header will jump here after
2895 * loading the length of the AVS header.
2896 */
2897 s2 = new_stmt(cstate, BPF_ST);
2898 s2->s.k = cstate->off_linkhdr.reg;
2899 sappend(s1, s2);
2900 sjcommon->s.jf = s2;
2901
2902 /*
2903 * Now move it into the X register.
2904 */
2905 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2906 sappend(s1, s2);
2907
2908 return (s1);
2909 } else
2910 return (NULL);
2911 }
2912
2913 static struct slist *
2914 gen_load_avs_llprefixlen(compiler_state_t *cstate)
2915 {
2916 struct slist *s1, *s2;
2917
2918 /*
2919 * Generate code to load the length of the AVS header into
2920 * the register assigned to hold that length, if one has been
2921 * assigned. (If one hasn't been assigned, no code we've
2922 * generated uses that prefix, so we don't need to generate any
2923 * code to load it.)
2924 */
2925 if (cstate->off_linkhdr.reg != -1) {
2926 /*
2927 * The 4 bytes at an offset of 4 from the beginning of
2928 * the AVS header are the length of the AVS header.
2929 * That field is big-endian.
2930 */
2931 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2932 s1->s.k = 4;
2933
2934 /*
2935 * Now allocate a register to hold that value and store
2936 * it.
2937 */
2938 s2 = new_stmt(cstate, BPF_ST);
2939 s2->s.k = cstate->off_linkhdr.reg;
2940 sappend(s1, s2);
2941
2942 /*
2943 * Now move it into the X register.
2944 */
2945 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2946 sappend(s1, s2);
2947
2948 return (s1);
2949 } else
2950 return (NULL);
2951 }
2952
2953 static struct slist *
2954 gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2955 {
2956 struct slist *s1, *s2;
2957
2958 /*
2959 * Generate code to load the length of the radiotap header into
2960 * the register assigned to hold that length, if one has been
2961 * assigned. (If one hasn't been assigned, no code we've
2962 * generated uses that prefix, so we don't need to generate any
2963 * code to load it.)
2964 */
2965 if (cstate->off_linkhdr.reg != -1) {
2966 /*
2967 * The 2 bytes at offsets of 2 and 3 from the beginning
2968 * of the radiotap header are the length of the radiotap
2969 * header; unfortunately, it's little-endian, so we have
2970 * to load it a byte at a time and construct the value.
2971 */
2972
2973 /*
2974 * Load the high-order byte, at an offset of 3, shift it
2975 * left a byte, and put the result in the X register.
2976 */
2977 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2978 s1->s.k = 3;
2979 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2980 sappend(s1, s2);
2981 s2->s.k = 8;
2982 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2983 sappend(s1, s2);
2984
2985 /*
2986 * Load the next byte, at an offset of 2, and OR the
2987 * value from the X register into it.
2988 */
2989 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2990 sappend(s1, s2);
2991 s2->s.k = 2;
2992 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2993 sappend(s1, s2);
2994
2995 /*
2996 * Now allocate a register to hold that value and store
2997 * it.
2998 */
2999 s2 = new_stmt(cstate, BPF_ST);
3000 s2->s.k = cstate->off_linkhdr.reg;
3001 sappend(s1, s2);
3002
3003 /*
3004 * Now move it into the X register.
3005 */
3006 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
3007 sappend(s1, s2);
3008
3009 return (s1);
3010 } else
3011 return (NULL);
3012 }
3013
3014 /*
3015 * At the moment we treat PPI as normal Radiotap encoded
3016 * packets. The difference is in the function that generates
3017 * the code at the beginning to compute the header length.
3018 * Since this code generator of PPI supports bare 802.11
3019 * encapsulation only (i.e. the encapsulated DLT should be
3020 * DLT_IEEE802_11) we generate code to check for this too;
3021 * that's done in finish_parse().
3022 */
3023 static struct slist *
3024 gen_load_ppi_llprefixlen(compiler_state_t *cstate)
3025 {
3026 struct slist *s1, *s2;
3027
3028 /*
3029 * Generate code to load the length of the radiotap header
3030 * into the register assigned to hold that length, if one has
3031 * been assigned.
3032 */
3033 if (cstate->off_linkhdr.reg != -1) {
3034 /*
3035 * The 2 bytes at offsets of 2 and 3 from the beginning
3036 * of the radiotap header are the length of the radiotap
3037 * header; unfortunately, it's little-endian, so we have
3038 * to load it a byte at a time and construct the value.
3039 */
3040
3041 /*
3042 * Load the high-order byte, at an offset of 3, shift it
3043 * left a byte, and put the result in the X register.
3044 */
3045 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
3046 s1->s.k = 3;
3047 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
3048 sappend(s1, s2);
3049 s2->s.k = 8;
3050 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
3051 sappend(s1, s2);
3052
3053 /*
3054 * Load the next byte, at an offset of 2, and OR the
3055 * value from the X register into it.
3056 */
3057 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
3058 sappend(s1, s2);
3059 s2->s.k = 2;
3060 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
3061 sappend(s1, s2);
3062
3063 /*
3064 * Now allocate a register to hold that value and store
3065 * it.
3066 */
3067 s2 = new_stmt(cstate, BPF_ST);
3068 s2->s.k = cstate->off_linkhdr.reg;
3069 sappend(s1, s2);
3070
3071 /*
3072 * Now move it into the X register.
3073 */
3074 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
3075 sappend(s1, s2);
3076
3077 return (s1);
3078 } else
3079 return (NULL);
3080 }
3081
3082 /*
3083 * Load a value relative to the beginning of the link-layer header after the 802.11
3084 * header, i.e. LLC_SNAP.
3085 * The link-layer header doesn't necessarily begin at the beginning
3086 * of the packet data; there might be a variable-length prefix containing
3087 * radio information.
3088 */
3089 static struct slist *
3090 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
3091 {
3092 struct slist *s2;
3093 struct slist *sjset_data_frame_1;
3094 struct slist *sjset_data_frame_2;
3095 struct slist *sjset_qos;
3096 struct slist *sjset_radiotap_flags_present;
3097 struct slist *sjset_radiotap_ext_present;
3098 struct slist *sjset_radiotap_tsft_present;
3099 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
3100 struct slist *s_roundup;
3101
3102 if (cstate->off_linkpl.reg == -1) {
3103 /*
3104 * No register has been assigned to the offset of
3105 * the link-layer payload, which means nobody needs
3106 * it; don't bother computing it - just return
3107 * what we already have.
3108 */
3109 return (s);
3110 }
3111
3112 /*
3113 * This code is not compatible with the optimizer, as
3114 * we are generating jmp instructions within a normal
3115 * slist of instructions
3116 */
3117 cstate->no_optimize = 1;
3118
3119 /*
3120 * If "s" is non-null, it has code to arrange that the X register
3121 * contains the length of the prefix preceding the link-layer
3122 * header.
3123 *
3124 * Otherwise, the length of the prefix preceding the link-layer
3125 * header is "off_outermostlinkhdr.constant_part".
3126 */
3127 if (s == NULL) {
3128 /*
3129 * There is no variable-length header preceding the
3130 * link-layer header.
3131 *
3132 * Load the length of the fixed-length prefix preceding
3133 * the link-layer header (if any) into the X register,
3134 * and store it in the cstate->off_linkpl.reg register.
3135 * That length is off_outermostlinkhdr.constant_part.
3136 */
3137 s = new_stmt(cstate, BPF_LDX|BPF_IMM);
3138 s->s.k = cstate->off_outermostlinkhdr.constant_part;
3139 }
3140
3141 /*
3142 * The X register contains the offset of the beginning of the
3143 * link-layer header; add 24, which is the minimum length
3144 * of the MAC header for a data frame, to that, and store it
3145 * in cstate->off_linkpl.reg, and then load the Frame Control field,
3146 * which is at the offset in the X register, with an indexed load.
3147 */
3148 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
3149 sappend(s, s2);
3150 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
3151 s2->s.k = 24;
3152 sappend(s, s2);
3153 s2 = new_stmt(cstate, BPF_ST);
3154 s2->s.k = cstate->off_linkpl.reg;
3155 sappend(s, s2);
3156
3157 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
3158 s2->s.k = 0;
3159 sappend(s, s2);
3160
3161 /*
3162 * Check the Frame Control field to see if this is a data frame;
3163 * a data frame has the 0x08 bit (b3) in that field set and the
3164 * 0x04 bit (b2) clear.
3165 */
3166 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
3167 sjset_data_frame_1->s.k = IEEE80211_FC0_TYPE_DATA;
3168 sappend(s, sjset_data_frame_1);
3169
3170 /*
3171 * If b3 is set, test b2, otherwise go to the first statement of
3172 * the rest of the program.
3173 */
3174 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
3175 sjset_data_frame_2->s.k = IEEE80211_FC0_TYPE_CTL;
3176 sappend(s, sjset_data_frame_2);
3177 sjset_data_frame_1->s.jf = snext;
3178
3179 /*
3180 * If b2 is not set, this is a data frame; test the QoS bit.
3181 * Otherwise, go to the first statement of the rest of the
3182 * program.
3183 */
3184 sjset_data_frame_2->s.jt = snext;
3185 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
3186 sjset_qos->s.k = IEEE80211_FC0_SUBTYPE_QOS;
3187 sappend(s, sjset_qos);
3188
3189 /*
3190 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
3191 * field.
3192 * Otherwise, go to the first statement of the rest of the
3193 * program.
3194 */
3195 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
3196 s2->s.k = cstate->off_linkpl.reg;
3197 sappend(s, s2);
3198 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
3199 s2->s.k = 2;
3200 sappend(s, s2);
3201 s2 = new_stmt(cstate, BPF_ST);
3202 s2->s.k = cstate->off_linkpl.reg;
3203 sappend(s, s2);
3204
3205 /*
3206 * If we have a radiotap header, look at it to see whether
3207 * there's Atheros padding between the MAC-layer header
3208 * and the payload.
3209 *
3210 * Note: all of the fields in the radiotap header are
3211 * little-endian, so we byte-swap all of the values
3212 * we test against, as they will be loaded as big-endian
3213 * values.
3214 *
3215 * XXX - in the general case, we would have to scan through
3216 * *all* the presence bits, if there's more than one word of
3217 * presence bits. That would require a loop, meaning that
3218 * we wouldn't be able to run the filter in the kernel.
3219 *
3220 * We assume here that the Atheros adapters that insert the
3221 * annoying padding don't have multiple antennae and therefore
3222 * do not generate radiotap headers with multiple presence words.
3223 */
3224 if (cstate->linktype == DLT_IEEE802_11_RADIO) {
3225 /*
3226 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
3227 * in the first presence flag word?
3228 */
3229 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
3230 s2->s.k = 4;
3231 sappend(s, s2);
3232
3233 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
3234 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
3235 sappend(s, sjset_radiotap_flags_present);
3236
3237 /*
3238 * If not, skip all of this.
3239 */
3240 sjset_radiotap_flags_present->s.jf = snext;
3241
3242 /*
3243 * Otherwise, is the "extension" bit set in that word?
3244 */
3245 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
3246 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
3247 sappend(s, sjset_radiotap_ext_present);
3248 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
3249
3250 /*
3251 * If so, skip all of this.
3252 */
3253 sjset_radiotap_ext_present->s.jt = snext;
3254
3255 /*
3256 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
3257 */
3258 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
3259 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
3260 sappend(s, sjset_radiotap_tsft_present);
3261 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
3262
3263 /*
3264 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
3265 * at an offset of 16 from the beginning of the raw packet
3266 * data (8 bytes for the radiotap header and 8 bytes for
3267 * the TSFT field).
3268 *
3269 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
3270 * is set.
3271 */
3272 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
3273 s2->s.k = 16;
3274 sappend(s, s2);
3275 sjset_radiotap_tsft_present->s.jt = s2;
3276
3277 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
3278 sjset_tsft_datapad->s.k = 0x20;
3279 sappend(s, sjset_tsft_datapad);
3280
3281 /*
3282 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
3283 * at an offset of 8 from the beginning of the raw packet
3284 * data (8 bytes for the radiotap header).
3285 *
3286 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
3287 * is set.
3288 */
3289 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
3290 s2->s.k = 8;
3291 sappend(s, s2);
3292 sjset_radiotap_tsft_present->s.jf = s2;
3293
3294 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
3295 sjset_notsft_datapad->s.k = 0x20;
3296 sappend(s, sjset_notsft_datapad);
3297
3298 /*
3299 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
3300 * set, round the length of the 802.11 header to
3301 * a multiple of 4. Do that by adding 3 and then
3302 * dividing by and multiplying by 4, which we do by
3303 * ANDing with ~3.
3304 */
3305 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
3306 s_roundup->s.k = cstate->off_linkpl.reg;
3307 sappend(s, s_roundup);
3308 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
3309 s2->s.k = 3;
3310 sappend(s, s2);
3311 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
3312 s2->s.k = (bpf_u_int32)~3;
3313 sappend(s, s2);
3314 s2 = new_stmt(cstate, BPF_ST);
3315 s2->s.k = cstate->off_linkpl.reg;
3316 sappend(s, s2);
3317
3318 sjset_tsft_datapad->s.jt = s_roundup;
3319 sjset_tsft_datapad->s.jf = snext;
3320 sjset_notsft_datapad->s.jt = s_roundup;
3321 sjset_notsft_datapad->s.jf = snext;
3322 } else
3323 sjset_qos->s.jf = snext;
3324
3325 return s;
3326 }
3327
3328 static void
3329 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
3330 {
3331 struct slist *s;
3332
3333 /* There is an implicit dependency between the link
3334 * payload and link header since the payload computation
3335 * includes the variable part of the header. Therefore,
3336 * if nobody else has allocated a register for the link
3337 * header and we need it, do it now. */
3338 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
3339 cstate->off_linkhdr.reg == -1)
3340 cstate->off_linkhdr.reg = alloc_reg(cstate);
3341
3342 /*
3343 * For link-layer types that have a variable-length header
3344 * preceding the link-layer header, generate code to load
3345 * the offset of the link-layer header into the register
3346 * assigned to that offset, if any.
3347 *
3348 * XXX - this, and the next switch statement, won't handle
3349 * encapsulation of 802.11 or 802.11+radio information in
3350 * some other protocol stack. That's significantly more
3351 * complicated.
3352 */
3353 switch (cstate->outermostlinktype) {
3354
3355 case DLT_PRISM_HEADER:
3356 s = gen_load_prism_llprefixlen(cstate);
3357 break;
3358
3359 case DLT_IEEE802_11_RADIO_AVS:
3360 s = gen_load_avs_llprefixlen(cstate);
3361 break;
3362
3363 case DLT_IEEE802_11_RADIO:
3364 s = gen_load_radiotap_llprefixlen(cstate);
3365 break;
3366
3367 case DLT_PPI:
3368 s = gen_load_ppi_llprefixlen(cstate);
3369 break;
3370
3371 default:
3372 s = NULL;
3373 break;
3374 }
3375
3376 /*
3377 * For link-layer types that have a variable-length link-layer
3378 * header, generate code to load the offset of the link-layer
3379 * payload into the register assigned to that offset, if any.
3380 */
3381 switch (cstate->outermostlinktype) {
3382
3383 case DLT_IEEE802_11:
3384 case DLT_PRISM_HEADER:
3385 case DLT_IEEE802_11_RADIO_AVS:
3386 case DLT_IEEE802_11_RADIO:
3387 case DLT_PPI:
3388 s = gen_load_802_11_header_len(cstate, s, b->stmts);
3389 break;
3390
3391 case DLT_PFLOG:
3392 s = gen_load_pflog_llprefixlen(cstate);
3393 break;
3394 }
3395
3396 /*
3397 * If there is no initialization yet and we need variable
3398 * length offsets for VLAN, initialize them to zero
3399 */
3400 if (s == NULL && cstate->is_vlan_vloffset) {
3401 struct slist *s2;
3402
3403 if (cstate->off_linkpl.reg == -1)
3404 cstate->off_linkpl.reg = alloc_reg(cstate);
3405 if (cstate->off_linktype.reg == -1)
3406 cstate->off_linktype.reg = alloc_reg(cstate);
3407
3408 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
3409 s->s.k = 0;
3410 s2 = new_stmt(cstate, BPF_ST);
3411 s2->s.k = cstate->off_linkpl.reg;
3412 sappend(s, s2);
3413 s2 = new_stmt(cstate, BPF_ST);
3414 s2->s.k = cstate->off_linktype.reg;
3415 sappend(s, s2);
3416 }
3417
3418 /*
3419 * If we have any offset-loading code, append all the
3420 * existing statements in the block to those statements,
3421 * and make the resulting list the list of statements
3422 * for the block.
3423 */
3424 if (s != NULL) {
3425 sappend(s, b->stmts);
3426 b->stmts = s;
3427 }
3428 }
3429
3430 /*
3431 * Take an absolute offset, and:
3432 *
3433 * if it has no variable part, return NULL;
3434 *
3435 * if it has a variable part, generate code to load the register
3436 * containing that variable part into the X register, returning
3437 * a pointer to that code - if no register for that offset has
3438 * been allocated, allocate it first.
3439 *
3440 * (The code to set that register will be generated later, but will
3441 * be placed earlier in the code sequence.)
3442 */
3443 static struct slist *
3444 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
3445 {
3446 struct slist *s;
3447
3448 if (off->is_variable) {
3449 if (off->reg == -1) {
3450 /*
3451 * We haven't yet assigned a register for the
3452 * variable part of the offset of the link-layer
3453 * header; allocate one.
3454 */
3455 off->reg = alloc_reg(cstate);
3456 }
3457
3458 /*
3459 * Load the register containing the variable part of the
3460 * offset of the link-layer header into the X register.
3461 */
3462 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
3463 s->s.k = off->reg;
3464 return s;
3465 } else {
3466 /*
3467 * That offset isn't variable, there's no variable part,
3468 * so we don't need to generate any code.
3469 */
3470 return NULL;
3471 }
3472 }
3473
3474 /*
3475 * Map an Ethernet type to the equivalent PPP type.
3476 */
3477 static uint16_t
3478 ethertype_to_ppptype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
3479 {
3480 switch (ll_proto) {
3481
3482 case ETHERTYPE_IP:
3483 return PPP_IP;
3484
3485 case ETHERTYPE_IPV6:
3486 return PPP_IPV6;
3487
3488 case ETHERTYPE_DN:
3489 return PPP_DECNET;
3490
3491 case ETHERTYPE_ATALK:
3492 return PPP_APPLE;
3493
3494 case ETHERTYPE_NS:
3495 return PPP_NS;
3496
3497 case LLCSAP_ISONS:
3498 return PPP_OSI;
3499
3500 case LLCSAP_8021D:
3501 /*
3502 * I'm assuming the "Bridging PDU"s that go
3503 * over PPP are Spanning Tree Protocol
3504 * Bridging PDUs.
3505 */
3506 return PPP_BRPDU;
3507
3508 case LLCSAP_IPX:
3509 return PPP_IPX;
3510 }
3511 assert_maxval(cstate, "PPP protocol", ll_proto, UINT16_MAX);
3512 return (uint16_t)ll_proto;
3513 }
3514
3515 /*
3516 * Generate any tests that, for encapsulation of a link-layer packet
3517 * inside another protocol stack, need to be done to check for those
3518 * link-layer packets (and that haven't already been done by a check
3519 * for that encapsulation).
3520 */
3521 static struct block *
3522 gen_prevlinkhdr_check(compiler_state_t *cstate)
3523 {
3524 if (cstate->is_encap)
3525 return gen_encap_ll_check(cstate);
3526
3527 switch (cstate->prevlinktype) {
3528
3529 case DLT_SUNATM:
3530 /*
3531 * This is LANE-encapsulated Ethernet; check that the LANE
3532 * packet doesn't begin with an LE Control marker, i.e.
3533 * that it's data, not a control message.
3534 *
3535 * (We've already generated a test for LANE.)
3536 */
3537 return gen_cmp_ne(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3538
3539 default:
3540 /*
3541 * No such tests are necessary.
3542 */
3543 return NULL;
3544 }
3545 /*NOTREACHED*/
3546 }
3547
3548 /*
3549 * The three different values we should check for when checking for an
3550 * IPv6 packet with DLT_NULL.
3551 */
3552 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
3553 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
3554 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */
3555
3556 /*
3557 * Generate code to match a particular packet type by matching the
3558 * link-layer type field or fields in the 802.2 LLC header.
3559 *
3560 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3561 * value, if <= ETHERMTU.
3562 */
3563 static struct block *
3564 gen_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
3565 {
3566 struct block *b0, *b1, *b2;
3567
3568 /* are we checking MPLS-encapsulated packets? */
3569 if (cstate->label_stack_depth > 0)
3570 return gen_mpls_linktype(cstate, ll_proto);
3571
3572 switch (cstate->linktype) {
3573
3574 case DLT_EN10MB:
3575 case DLT_NETANALYZER:
3576 case DLT_NETANALYZER_TRANSPARENT:
3577 /* Geneve has an EtherType regardless of whether there is an
3578 * L2 header. VXLAN always has an EtherType. */
3579 if (!cstate->is_encap)
3580 b0 = gen_prevlinkhdr_check(cstate);
3581 else
3582 b0 = NULL;
3583
3584 b1 = gen_ether_linktype(cstate, ll_proto);
3585 if (b0 != NULL)
3586 gen_and(b0, b1);
3587 return b1;
3588 /*NOTREACHED*/
3589
3590 case DLT_C_HDLC:
3591 case DLT_HDLC:
3592 assert_maxval(cstate, "HDLC protocol", ll_proto, UINT16_MAX);
3593 switch (ll_proto) {
3594
3595 case LLCSAP_ISONS:
3596 ll_proto = (ll_proto << 8 | LLCSAP_ISONS);
3597 /* fall through */
3598
3599 default:
3600 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3601 /*NOTREACHED*/
3602 }
3603
3604 case DLT_IEEE802_11:
3605 case DLT_PRISM_HEADER:
3606 case DLT_IEEE802_11_RADIO_AVS:
3607 case DLT_IEEE802_11_RADIO:
3608 case DLT_PPI:
3609 /*
3610 * Check that we have a data frame.
3611 */
3612 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B,
3613 IEEE80211_FC0_TYPE_DATA,
3614 IEEE80211_FC0_TYPE_MASK);
3615
3616 /*
3617 * Now check for the specified link-layer type.
3618 */
3619 b1 = gen_llc_linktype(cstate, ll_proto);
3620 gen_and(b0, b1);
3621 return b1;
3622 /*NOTREACHED*/
3623
3624 case DLT_FDDI:
3625 /*
3626 * XXX - check for LLC frames.
3627 */
3628 return gen_llc_linktype(cstate, ll_proto);
3629 /*NOTREACHED*/
3630
3631 case DLT_IEEE802:
3632 /*
3633 * XXX - check for LLC PDUs, as per IEEE 802.5.
3634 */
3635 return gen_llc_linktype(cstate, ll_proto);
3636 /*NOTREACHED*/
3637
3638 case DLT_ATM_RFC1483:
3639 case DLT_ATM_CLIP:
3640 case DLT_IP_OVER_FC:
3641 return gen_llc_linktype(cstate, ll_proto);
3642 /*NOTREACHED*/
3643
3644 case DLT_SUNATM:
3645 /*
3646 * Check for an LLC-encapsulated version of this protocol;
3647 * if we were checking for LANE, linktype would no longer
3648 * be DLT_SUNATM.
3649 *
3650 * Check for LLC encapsulation and then check the protocol.
3651 */
3652 b0 = gen_atm_prototype(cstate, PT_LLC);
3653 b1 = gen_llc_linktype(cstate, ll_proto);
3654 gen_and(b0, b1);
3655 return b1;
3656 /*NOTREACHED*/
3657
3658 case DLT_LINUX_SLL:
3659 return gen_linux_sll_linktype(cstate, ll_proto);
3660 /*NOTREACHED*/
3661
3662 case DLT_SLIP:
3663 case DLT_SLIP_BSDOS:
3664 case DLT_RAW:
3665 /*
3666 * These types don't provide any type field; packets
3667 * are always IPv4 or IPv6.
3668 *
3669 * XXX - for IPv4, check for a version number of 4, and,
3670 * for IPv6, check for a version number of 6?
3671 */
3672 switch (ll_proto) {
3673
3674 case ETHERTYPE_IP:
3675 /* Check for a version number of 4. */
3676 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3677
3678 case ETHERTYPE_IPV6:
3679 /* Check for a version number of 6. */
3680 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3681
3682 default:
3683 return gen_false(cstate); /* always false */
3684 }
3685 /*NOTREACHED*/
3686
3687 case DLT_IPV4:
3688 /*
3689 * Raw IPv4, so no type field.
3690 */
3691 if (ll_proto == ETHERTYPE_IP)
3692 return gen_true(cstate); /* always true */
3693
3694 /* Checking for something other than IPv4; always false */
3695 return gen_false(cstate);
3696 /*NOTREACHED*/
3697
3698 case DLT_IPV6:
3699 /*
3700 * Raw IPv6, so no type field.
3701 */
3702 if (ll_proto == ETHERTYPE_IPV6)
3703 return gen_true(cstate); /* always true */
3704
3705 /* Checking for something other than IPv6; always false */
3706 return gen_false(cstate);
3707 /*NOTREACHED*/
3708
3709 case DLT_PPP:
3710 case DLT_PPP_PPPD:
3711 case DLT_PPP_SERIAL:
3712 case DLT_PPP_ETHER:
3713 /*
3714 * We use Ethernet protocol types inside libpcap;
3715 * map them to the corresponding PPP protocol types.
3716 */
3717 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3718 ethertype_to_ppptype(cstate, ll_proto));
3719 /*NOTREACHED*/
3720
3721 case DLT_PPP_BSDOS:
3722 /*
3723 * We use Ethernet protocol types inside libpcap;
3724 * map them to the corresponding PPP protocol types.
3725 */
3726 switch (ll_proto) {
3727
3728 case ETHERTYPE_IP:
3729 /*
3730 * Also check for Van Jacobson-compressed IP.
3731 * XXX - do this for other forms of PPP?
3732 */
3733 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3734 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3735 gen_or(b0, b1);
3736 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3737 gen_or(b1, b0);
3738 return b0;
3739
3740 default:
3741 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3742 ethertype_to_ppptype(cstate, ll_proto));
3743 }
3744 /*NOTREACHED*/
3745
3746 case DLT_NULL:
3747 case DLT_LOOP:
3748 case DLT_ENC:
3749 switch (ll_proto) {
3750
3751 case ETHERTYPE_IP:
3752 return (gen_loopback_linktype(cstate, AF_INET));
3753
3754 case ETHERTYPE_IPV6:
3755 /*
3756 * AF_ values may, unfortunately, be platform-
3757 * dependent; AF_INET isn't, because everybody
3758 * used 4.2BSD's value, but AF_INET6 is, because
3759 * 4.2BSD didn't have a value for it (given that
3760 * IPv6 didn't exist back in the early 1980's),
3761 * and they all picked their own values.
3762 *
3763 * This means that, if we're reading from a
3764 * savefile, we need to check for all the
3765 * possible values.
3766 *
3767 * If we're doing a live capture, we only need
3768 * to check for this platform's value; however,
3769 * Npcap uses 24, which isn't Windows's AF_INET6
3770 * value. (Given the multiple different values,
3771 * programs that read pcap files shouldn't be
3772 * checking for their platform's AF_INET6 value
3773 * anyway, they should check for all of the
3774 * possible values. and they might as well do
3775 * that even for live captures.)
3776 */
3777 if (cstate->bpf_pcap->rfile != NULL) {
3778 /*
3779 * Savefile - check for all three
3780 * possible IPv6 values.
3781 */
3782 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3783 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3784 gen_or(b0, b1);
3785 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3786 gen_or(b0, b1);
3787 return (b1);
3788 } else {
3789 /*
3790 * Live capture, so we only need to
3791 * check for the value used on this
3792 * platform.
3793 */
3794 #ifdef _WIN32
3795 /*
3796 * Npcap doesn't use Windows's AF_INET6,
3797 * as that collides with AF_IPX on
3798 * some BSDs (both have the value 23).
3799 * Instead, it uses 24.
3800 */
3801 return (gen_loopback_linktype(cstate, 24));
3802 #else /* _WIN32 */
3803 #ifdef AF_INET6
3804 return (gen_loopback_linktype(cstate, AF_INET6));
3805 #else /* AF_INET6 */
3806 /*
3807 * I guess this platform doesn't support
3808 * IPv6, so we just reject all packets.
3809 */
3810 return gen_false(cstate);
3811 #endif /* AF_INET6 */
3812 #endif /* _WIN32 */
3813 }
3814
3815 default:
3816 /*
3817 * Not a type on which we support filtering.
3818 * XXX - support those that have AF_ values
3819 * #defined on this platform, at least?
3820 */
3821 return gen_false(cstate);
3822 }
3823
3824 case DLT_PFLOG:
3825 /*
3826 * af field is host byte order in contrast to the rest of
3827 * the packet.
3828 */
3829 if (ll_proto == ETHERTYPE_IP)
3830 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3831 BPF_B, AF_INET));
3832 else if (ll_proto == ETHERTYPE_IPV6)
3833 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3834 BPF_B, AF_INET6));
3835 else
3836 return gen_false(cstate);
3837 /*NOTREACHED*/
3838
3839 case DLT_ARCNET:
3840 case DLT_ARCNET_LINUX:
3841 /*
3842 * XXX should we check for first fragment if the protocol
3843 * uses PHDS?
3844 */
3845 switch (ll_proto) {
3846
3847 default:
3848 return gen_false(cstate);
3849
3850 case ETHERTYPE_IPV6:
3851 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3852 ARCTYPE_INET6));
3853
3854 case ETHERTYPE_IP:
3855 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3856 ARCTYPE_IP);
3857 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3858 ARCTYPE_IP_OLD);
3859 gen_or(b0, b1);
3860 return (b1);
3861
3862 case ETHERTYPE_ARP:
3863 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3864 ARCTYPE_ARP);
3865 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3866 ARCTYPE_ARP_OLD);
3867 gen_or(b0, b1);
3868 return (b1);
3869
3870 case ETHERTYPE_REVARP:
3871 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3872 ARCTYPE_REVARP));
3873
3874 case ETHERTYPE_ATALK:
3875 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3876 ARCTYPE_ATALK));
3877 }
3878 /*NOTREACHED*/
3879
3880 case DLT_LTALK:
3881 switch (ll_proto) {
3882 case ETHERTYPE_ATALK:
3883 return gen_true(cstate);
3884 default:
3885 return gen_false(cstate);
3886 }
3887 /*NOTREACHED*/
3888
3889 case DLT_FRELAY:
3890 /*
3891 * XXX - assumes a 2-byte Frame Relay header with
3892 * DLCI and flags. What if the address is longer?
3893 */
3894 switch (ll_proto) {
3895
3896 case ETHERTYPE_IP:
3897 /*
3898 * Check for the special NLPID for IP.
3899 */
3900 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3901
3902 case ETHERTYPE_IPV6:
3903 /*
3904 * Check for the special NLPID for IPv6.
3905 */
3906 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3907
3908 case LLCSAP_ISONS:
3909 /*
3910 * Check for several OSI protocols.
3911 *
3912 * Frame Relay packets typically have an OSI
3913 * NLPID at the beginning; we check for each
3914 * of them.
3915 *
3916 * What we check for is the NLPID and a frame
3917 * control field of UI, i.e. 0x03 followed
3918 * by the NLPID.
3919 */
3920 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3921 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3922 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3923 gen_or(b1, b2);
3924 gen_or(b0, b2);
3925 return b2;
3926
3927 default:
3928 return gen_false(cstate);
3929 }
3930 /*NOTREACHED*/
3931
3932 case DLT_MFR:
3933 break; // not implemented
3934
3935 case DLT_JUNIPER_MFR:
3936 case DLT_JUNIPER_MLFR:
3937 case DLT_JUNIPER_MLPPP:
3938 case DLT_JUNIPER_ATM1:
3939 case DLT_JUNIPER_ATM2:
3940 case DLT_JUNIPER_PPPOE:
3941 case DLT_JUNIPER_PPPOE_ATM:
3942 case DLT_JUNIPER_GGSN:
3943 case DLT_JUNIPER_ES:
3944 case DLT_JUNIPER_MONITOR:
3945 case DLT_JUNIPER_SERVICES:
3946 case DLT_JUNIPER_ETHER:
3947 case DLT_JUNIPER_PPP:
3948 case DLT_JUNIPER_FRELAY:
3949 case DLT_JUNIPER_CHDLC:
3950 case DLT_JUNIPER_VP:
3951 case DLT_JUNIPER_ST:
3952 case DLT_JUNIPER_ISM:
3953 case DLT_JUNIPER_VS:
3954 case DLT_JUNIPER_SRX_E2E:
3955 case DLT_JUNIPER_FIBRECHANNEL:
3956 case DLT_JUNIPER_ATM_CEMIC:
3957
3958 /* just lets verify the magic number for now -
3959 * on ATM we may have up to 6 different encapsulations on the wire
3960 * and need a lot of heuristics to figure out that the payload
3961 * might be;
3962 *
3963 * FIXME encapsulation specific BPF_ filters
3964 */
3965 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3966
3967 case DLT_BACNET_MS_TP:
3968 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3969
3970 case DLT_IPNET:
3971 return gen_ipnet_linktype(cstate, ll_proto);
3972
3973 case DLT_LINUX_IRDA:
3974 case DLT_DOCSIS:
3975 case DLT_MTP2:
3976 case DLT_MTP2_WITH_PHDR:
3977 case DLT_ERF:
3978 case DLT_PFSYNC:
3979 case DLT_LINUX_LAPD:
3980 case DLT_USB_FREEBSD:
3981 case DLT_USB_LINUX:
3982 case DLT_USB_LINUX_MMAPPED:
3983 case DLT_USBPCAP:
3984 case DLT_BLUETOOTH_HCI_H4:
3985 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3986 case DLT_CAN20B:
3987 case DLT_CAN_SOCKETCAN:
3988 case DLT_IEEE802_15_4:
3989 case DLT_IEEE802_15_4_LINUX:
3990 case DLT_IEEE802_15_4_NONASK_PHY:
3991 case DLT_IEEE802_15_4_NOFCS:
3992 case DLT_IEEE802_15_4_TAP:
3993 case DLT_IEEE802_16_MAC_CPS_RADIO:
3994 case DLT_SITA:
3995 case DLT_RAIF1:
3996 case DLT_IPMB_KONTRON:
3997 case DLT_I2C_LINUX:
3998 case DLT_AX25_KISS:
3999 case DLT_NFLOG:
4000 /* Using the fixed-size NFLOG header it is possible to tell only
4001 * the address family of the packet, other meaningful data is
4002 * either missing or behind TLVs.
4003 */
4004 break; // not implemented
4005
4006 default:
4007 /*
4008 * Does this link-layer header type have a field
4009 * indicating the type of the next protocol? If
4010 * so, off_linktype.constant_part will be the offset of that
4011 * field in the packet; if not, it will be OFFSET_NOT_SET.
4012 */
4013 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
4014 /*
4015 * Yes; assume it's an Ethernet type. (If
4016 * it's not, it needs to be handled specially
4017 * above.)
4018 */
4019 assert_maxval(cstate, "EtherType", ll_proto, UINT16_MAX);
4020 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
4021 /*NOTREACHED */
4022 }
4023 }
4024 bpf_error(cstate, "link-layer type filtering not implemented for %s",
4025 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
4026 }
4027
4028 /*
4029 * Check for an LLC SNAP packet with a given organization code and
4030 * protocol type; we check the entire contents of the 802.2 LLC and
4031 * snap headers, checking for DSAP and SSAP of SNAP and a control
4032 * field of 0x03 in the LLC header, and for the specified organization
4033 * code and protocol type in the SNAP header.
4034 */
4035 static struct block *
4036 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
4037 {
4038 u_char snapblock[8];
4039
4040 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
4041 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
4042 snapblock[2] = 0x03; /* control = UI */
4043 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */
4044 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */
4045 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */
4046 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */
4047 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */
4048 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
4049 }
4050
4051 /*
4052 * Generate code to match frames with an LLC header.
4053 */
4054 static struct block *
4055 gen_llc_internal(compiler_state_t *cstate)
4056 {
4057 struct block *b0, *b1;
4058
4059 switch (cstate->linktype) {
4060
4061 case DLT_EN10MB:
4062 /*
4063 * We check for an Ethernet type field less or equal than
4064 * 1500, which means it's an 802.3 length field.
4065 */
4066 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
4067
4068 /*
4069 * Now check for the purported DSAP and SSAP not being
4070 * 0xFF, to rule out NetWare-over-802.3.
4071 */
4072 b1 = gen_cmp_ne(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
4073 gen_and(b0, b1);
4074 return b1;
4075
4076 case DLT_SUNATM:
4077 /*
4078 * We check for LLC traffic.
4079 */
4080 return gen_atmtype_llc(cstate);
4081
4082 case DLT_IEEE802: /* Token Ring */
4083 /*
4084 * XXX - check for LLC frames.
4085 */
4086 return gen_true(cstate);
4087
4088 case DLT_FDDI:
4089 /*
4090 * XXX - check for LLC frames.
4091 */
4092 return gen_true(cstate);
4093
4094 case DLT_ATM_RFC1483:
4095 /*
4096 * For LLC encapsulation, these are defined to have an
4097 * 802.2 LLC header.
4098 *
4099 * For VC encapsulation, they don't, but there's no
4100 * way to check for that; the protocol used on the VC
4101 * is negotiated out of band.
4102 */
4103 return gen_true(cstate);
4104
4105 case DLT_IEEE802_11:
4106 case DLT_PRISM_HEADER:
4107 case DLT_IEEE802_11_RADIO:
4108 case DLT_IEEE802_11_RADIO_AVS:
4109 case DLT_PPI:
4110 /*
4111 * Check that we have a data frame.
4112 */
4113 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B,
4114 IEEE80211_FC0_TYPE_DATA,
4115 IEEE80211_FC0_TYPE_MASK);
4116
4117 default:
4118 fail_kw_on_dlt(cstate, "llc");
4119 /*NOTREACHED*/
4120 }
4121 }
4122
4123 struct block *
4124 gen_llc(compiler_state_t *cstate)
4125 {
4126 /*
4127 * Catch errors reported by us and routines below us, and return NULL
4128 * on an error.
4129 */
4130 if (setjmp(cstate->top_ctx))
4131 return (NULL);
4132
4133 return gen_llc_internal(cstate);
4134 }
4135
4136 struct block *
4137 gen_llc_i(compiler_state_t *cstate)
4138 {
4139 struct block *b0, *b1;
4140 struct slist *s;
4141
4142 /*
4143 * Catch errors reported by us and routines below us, and return NULL
4144 * on an error.
4145 */
4146 if (setjmp(cstate->top_ctx))
4147 return (NULL);
4148
4149 /*
4150 * Check whether this is an LLC frame.
4151 */
4152 b0 = gen_llc_internal(cstate);
4153
4154 /*
4155 * Load the control byte and test the low-order bit; it must
4156 * be clear for I frames.
4157 */
4158 s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
4159 b1 = gen_unset(cstate, 0x01, s);
4160
4161 gen_and(b0, b1);
4162 return b1;
4163 }
4164
4165 struct block *
4166 gen_llc_s(compiler_state_t *cstate)
4167 {
4168 struct block *b0, *b1;
4169
4170 /*
4171 * Catch errors reported by us and routines below us, and return NULL
4172 * on an error.
4173 */
4174 if (setjmp(cstate->top_ctx))
4175 return (NULL);
4176
4177 /*
4178 * Check whether this is an LLC frame.
4179 */
4180 b0 = gen_llc_internal(cstate);
4181
4182 /*
4183 * Now compare the low-order 2 bit of the control byte against
4184 * the appropriate value for S frames.
4185 */
4186 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
4187 gen_and(b0, b1);
4188 return b1;
4189 }
4190
4191 struct block *
4192 gen_llc_u(compiler_state_t *cstate)
4193 {
4194 struct block *b0, *b1;
4195
4196 /*
4197 * Catch errors reported by us and routines below us, and return NULL
4198 * on an error.
4199 */
4200 if (setjmp(cstate->top_ctx))
4201 return (NULL);
4202
4203 /*
4204 * Check whether this is an LLC frame.
4205 */
4206 b0 = gen_llc_internal(cstate);
4207
4208 /*
4209 * Now compare the low-order 2 bit of the control byte against
4210 * the appropriate value for U frames.
4211 */
4212 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
4213 gen_and(b0, b1);
4214 return b1;
4215 }
4216
4217 struct block *
4218 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
4219 {
4220 struct block *b0, *b1;
4221
4222 /*
4223 * Catch errors reported by us and routines below us, and return NULL
4224 * on an error.
4225 */
4226 if (setjmp(cstate->top_ctx))
4227 return (NULL);
4228
4229 /*
4230 * Check whether this is an LLC frame.
4231 */
4232 b0 = gen_llc_internal(cstate);
4233
4234 /*
4235 * Now check for an S frame with the appropriate type.
4236 */
4237 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
4238 gen_and(b0, b1);
4239 return b1;
4240 }
4241
4242 struct block *
4243 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
4244 {
4245 struct block *b0, *b1;
4246
4247 /*
4248 * Catch errors reported by us and routines below us, and return NULL
4249 * on an error.
4250 */
4251 if (setjmp(cstate->top_ctx))
4252 return (NULL);
4253
4254 /*
4255 * Check whether this is an LLC frame.
4256 */
4257 b0 = gen_llc_internal(cstate);
4258
4259 /*
4260 * Now check for a U frame with the appropriate type.
4261 */
4262 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
4263 gen_and(b0, b1);
4264 return b1;
4265 }
4266
4267 /*
4268 * Generate code to match a particular packet type, for link-layer types
4269 * using 802.2 LLC headers.
4270 *
4271 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
4272 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
4273 *
4274 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
4275 * value, if <= ETHERMTU. We use that to determine whether to
4276 * match the DSAP or both DSAP and LSAP or to check the OUI and
4277 * protocol ID in a SNAP header.
4278 */
4279 static struct block *
4280 gen_llc_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
4281 {
4282 /*
4283 * XXX - handle token-ring variable-length header.
4284 */
4285 switch (ll_proto) {
4286
4287 case LLCSAP_IP:
4288 case LLCSAP_ISONS:
4289 case LLCSAP_NETBEUI:
4290 /*
4291 * XXX - should we check both the DSAP and the
4292 * SSAP, like this, or should we check just the
4293 * DSAP, as we do for other SAP values?
4294 */
4295 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
4296 ((ll_proto << 8) | ll_proto));
4297
4298 case LLCSAP_IPX:
4299 /*
4300 * XXX - are there ever SNAP frames for IPX on
4301 * non-Ethernet 802.x networks?
4302 */
4303 return gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
4304
4305 case ETHERTYPE_ATALK:
4306 /*
4307 * 802.2-encapsulated ETHERTYPE_ATALK packets are
4308 * SNAP packets with an organization code of
4309 * 0x080007 (Apple, for Appletalk) and a protocol
4310 * type of ETHERTYPE_ATALK (Appletalk).
4311 *
4312 * XXX - check for an organization code of
4313 * encapsulated Ethernet as well?
4314 */
4315 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
4316
4317 default:
4318 /*
4319 * XXX - we don't have to check for IPX 802.3
4320 * here, but should we check for the IPX Ethertype?
4321 */
4322 if (ll_proto <= ETHERMTU) {
4323 assert_maxval(cstate, "LLC DSAP", ll_proto, UINT8_MAX);
4324 /*
4325 * This is an LLC SAP value, so check
4326 * the DSAP.
4327 */
4328 return gen_cmp(cstate, OR_LLC, 0, BPF_B, ll_proto);
4329 } else {
4330 assert_maxval(cstate, "EtherType", ll_proto, UINT16_MAX);
4331 /*
4332 * This is an Ethernet type; we assume that it's
4333 * unlikely that it'll appear in the right place
4334 * at random, and therefore check only the
4335 * location that would hold the Ethernet type
4336 * in a SNAP frame with an organization code of
4337 * 0x000000 (encapsulated Ethernet).
4338 *
4339 * XXX - if we were to check for the SNAP DSAP and
4340 * LSAP, as per XXX, and were also to check for an
4341 * organization code of 0x000000 (encapsulated
4342 * Ethernet), we'd do
4343 *
4344 * return gen_snap(cstate, 0x000000, ll_proto);
4345 *
4346 * here; for now, we don't, as per the above.
4347 * I don't know whether it's worth the extra CPU
4348 * time to do the right check or not.
4349 */
4350 return gen_cmp(cstate, OR_LLC, 6, BPF_H, ll_proto);
4351 }
4352 }
4353 }
4354
4355 static struct block *
4356 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4357 int dir, u_int src_off, u_int dst_off)
4358 {
4359 struct block *b0, *b1;
4360 u_int offset;
4361
4362 switch (dir) {
4363
4364 case Q_SRC:
4365 offset = src_off;
4366 break;
4367
4368 case Q_DST:
4369 offset = dst_off;
4370 break;
4371
4372 case Q_AND:
4373 b0 = gen_hostop(cstate, addr, mask, Q_SRC, src_off, dst_off);
4374 b1 = gen_hostop(cstate, addr, mask, Q_DST, src_off, dst_off);
4375 gen_and(b0, b1);
4376 return b1;
4377
4378 case Q_DEFAULT:
4379 case Q_OR:
4380 b0 = gen_hostop(cstate, addr, mask, Q_SRC, src_off, dst_off);
4381 b1 = gen_hostop(cstate, addr, mask, Q_DST, src_off, dst_off);
4382 gen_or(b0, b1);
4383 return b1;
4384
4385 case Q_ADDR1:
4386 case Q_ADDR2:
4387 case Q_ADDR3:
4388 case Q_ADDR4:
4389 case Q_RA:
4390 case Q_TA:
4391 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
4392 /*NOTREACHED*/
4393
4394 default:
4395 abort();
4396 /*NOTREACHED*/
4397 }
4398 return gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, addr, mask);
4399 }
4400
4401 #ifdef INET6
4402 static struct block *
4403 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
4404 struct in6_addr *mask, int dir, u_int src_off, u_int dst_off)
4405 {
4406 struct block *b0, *b1;
4407 u_int offset;
4408 /*
4409 * Code below needs to access four separate 32-bit parts of the 128-bit
4410 * IPv6 address and mask. In some OSes this is as simple as using the
4411 * s6_addr32 pseudo-member of struct in6_addr, which contains a union of
4412 * 8-, 16- and 32-bit arrays. In other OSes this is not the case, as
4413 * far as libpcap sees it. Hence copy the data before use to avoid
4414 * potential unaligned memory access and the associated compiler
4415 * warnings (whether genuine or not).
4416 */
4417 bpf_u_int32 a[4], m[4];
4418
4419 switch (dir) {
4420
4421 case Q_SRC:
4422 offset = src_off;
4423 break;
4424
4425 case Q_DST:
4426 offset = dst_off;
4427 break;
4428
4429 case Q_AND:
4430 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, src_off, dst_off);
4431 b1 = gen_hostop6(cstate, addr, mask, Q_DST, src_off, dst_off);
4432 gen_and(b0, b1);
4433 return b1;
4434
4435 case Q_DEFAULT:
4436 case Q_OR:
4437 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, src_off, dst_off);
4438 b1 = gen_hostop6(cstate, addr, mask, Q_DST, src_off, dst_off);
4439 gen_or(b0, b1);
4440 return b1;
4441
4442 case Q_ADDR1:
4443 case Q_ADDR2:
4444 case Q_ADDR3:
4445 case Q_ADDR4:
4446 case Q_RA:
4447 case Q_TA:
4448 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
4449 /*NOTREACHED*/
4450
4451 default:
4452 abort();
4453 /*NOTREACHED*/
4454 }
4455 /* this order is important */
4456 memcpy(a, addr, sizeof(a));
4457 memcpy(m, mask, sizeof(m));
4458 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
4459 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
4460 gen_and(b0, b1);
4461 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
4462 gen_and(b0, b1);
4463 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
4464 gen_and(b0, b1);
4465 return b1;
4466 }
4467 #endif
4468
4469 static struct block *
4470 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4471 {
4472 register struct block *b0, *b1;
4473
4474 switch (dir) {
4475 case Q_SRC:
4476 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
4477
4478 case Q_DST:
4479 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
4480
4481 case Q_AND:
4482 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4483 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4484 gen_and(b0, b1);
4485 return b1;
4486
4487 case Q_DEFAULT:
4488 case Q_OR:
4489 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4490 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4491 gen_or(b0, b1);
4492 return b1;
4493
4494 case Q_ADDR1:
4495 case Q_ADDR2:
4496 case Q_ADDR3:
4497 case Q_ADDR4:
4498 case Q_RA:
4499 case Q_TA:
4500 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
4501 /*NOTREACHED*/
4502 }
4503 abort();
4504 /*NOTREACHED*/
4505 }
4506
4507 /*
4508 * Like gen_ehostop, but for DLT_FDDI
4509 */
4510 static struct block *
4511 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4512 {
4513 struct block *b0, *b1;
4514
4515 switch (dir) {
4516 case Q_SRC:
4517 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
4518
4519 case Q_DST:
4520 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4521
4522 case Q_AND:
4523 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4524 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4525 gen_and(b0, b1);
4526 return b1;
4527
4528 case Q_DEFAULT:
4529 case Q_OR:
4530 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4531 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4532 gen_or(b0, b1);
4533 return b1;
4534
4535 case Q_ADDR1:
4536 case Q_ADDR2:
4537 case Q_ADDR3:
4538 case Q_ADDR4:
4539 case Q_RA:
4540 case Q_TA:
4541 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
4542 /*NOTREACHED*/
4543 }
4544 abort();
4545 /*NOTREACHED*/
4546 }
4547
4548 /*
4549 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4550 */
4551 static struct block *
4552 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4553 {
4554 register struct block *b0, *b1;
4555
4556 switch (dir) {
4557 case Q_SRC:
4558 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4559
4560 case Q_DST:
4561 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4562
4563 case Q_AND:
4564 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4565 b1 = gen_thostop(cstate, eaddr, Q_DST);
4566 gen_and(b0, b1);
4567 return b1;
4568
4569 case Q_DEFAULT:
4570 case Q_OR:
4571 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4572 b1 = gen_thostop(cstate, eaddr, Q_DST);
4573 gen_or(b0, b1);
4574 return b1;
4575
4576 case Q_ADDR1:
4577 case Q_ADDR2:
4578 case Q_ADDR3:
4579 case Q_ADDR4:
4580 case Q_RA:
4581 case Q_TA:
4582 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
4583 /*NOTREACHED*/
4584 }
4585 abort();
4586 /*NOTREACHED*/
4587 }
4588
4589 /*
4590 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4591 * various 802.11 + radio headers.
4592 */
4593 static struct block *
4594 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4595 {
4596 register struct block *b0, *b1, *b2;
4597 register struct slist *s;
4598
4599 #ifdef ENABLE_WLAN_FILTERING_PATCH
4600 /*
4601 * TODO GV 20070613
4602 * We need to disable the optimizer because the optimizer is buggy
4603 * and wipes out some LD instructions generated by the below
4604 * code to validate the Frame Control bits
4605 */
4606 cstate->no_optimize = 1;
4607 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4608
4609 switch (dir) {
4610 case Q_SRC:
4611 /*
4612 * Oh, yuk.
4613 *
4614 * For control frames, there is no SA.
4615 *
4616 * For management frames, SA is at an
4617 * offset of 10 from the beginning of
4618 * the packet.
4619 *
4620 * For data frames, SA is at an offset
4621 * of 10 from the beginning of the packet
4622 * if From DS is clear, at an offset of
4623 * 16 from the beginning of the packet
4624 * if From DS is set and To DS is clear,
4625 * and an offset of 24 from the beginning
4626 * of the packet if From DS is set and To DS
4627 * is set.
4628 */
4629
4630 /*
4631 * Generate the tests to be done for data frames
4632 * with From DS set.
4633 *
4634 * First, check for To DS set, i.e. check "link[1] & 0x01".
4635 */
4636 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4637 b1 = gen_set(cstate, IEEE80211_FC1_DIR_TODS, s);
4638
4639 /*
4640 * If To DS is set, the SA is at 24.
4641 */
4642 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4643 gen_and(b1, b0);
4644
4645 /*
4646 * Now, check for To DS not set, i.e. check
4647 * "!(link[1] & 0x01)".
4648 */
4649 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4650 b2 = gen_unset(cstate, IEEE80211_FC1_DIR_TODS, s);
4651
4652 /*
4653 * If To DS is not set, the SA is at 16.
4654 */
4655 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4656 gen_and(b2, b1);
4657
4658 /*
4659 * Now OR together the last two checks. That gives
4660 * the complete set of checks for data frames with
4661 * From DS set.
4662 */
4663 gen_or(b1, b0);
4664
4665 /*
4666 * Now check for From DS being set, and AND that with
4667 * the ORed-together checks.
4668 */
4669 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4670 b1 = gen_set(cstate, IEEE80211_FC1_DIR_FROMDS, s);
4671 gen_and(b1, b0);
4672
4673 /*
4674 * Now check for data frames with From DS not set.
4675 */
4676 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4677 b2 = gen_unset(cstate, IEEE80211_FC1_DIR_FROMDS, s);
4678
4679 /*
4680 * If From DS isn't set, the SA is at 10.
4681 */
4682 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4683 gen_and(b2, b1);
4684
4685 /*
4686 * Now OR together the checks for data frames with
4687 * From DS not set and for data frames with From DS
4688 * set; that gives the checks done for data frames.
4689 */
4690 gen_or(b1, b0);
4691
4692 /*
4693 * Now check for a data frame.
4694 * I.e, check "link[0] & 0x08".
4695 */
4696 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4697 b1 = gen_set(cstate, IEEE80211_FC0_TYPE_DATA, s);
4698
4699 /*
4700 * AND that with the checks done for data frames.
4701 */
4702 gen_and(b1, b0);
4703
4704 /*
4705 * If the high-order bit of the type value is 0, this
4706 * is a management frame.
4707 * I.e, check "!(link[0] & 0x08)".
4708 */
4709 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4710 b2 = gen_unset(cstate, IEEE80211_FC0_TYPE_DATA, s);
4711
4712 /*
4713 * For management frames, the SA is at 10.
4714 */
4715 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4716 gen_and(b2, b1);
4717
4718 /*
4719 * OR that with the checks done for data frames.
4720 * That gives the checks done for management and
4721 * data frames.
4722 */
4723 gen_or(b1, b0);
4724
4725 /*
4726 * If the low-order bit of the type value is 1,
4727 * this is either a control frame or a frame
4728 * with a reserved type, and thus not a
4729 * frame with an SA.
4730 *
4731 * I.e., check "!(link[0] & 0x04)".
4732 */
4733 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4734 b1 = gen_unset(cstate, IEEE80211_FC0_TYPE_CTL, s);
4735
4736 /*
4737 * AND that with the checks for data and management
4738 * frames.
4739 */
4740 gen_and(b1, b0);
4741 return b0;
4742
4743 case Q_DST:
4744 /*
4745 * Oh, yuk.
4746 *
4747 * For control frames, there is no DA.
4748 *
4749 * For management frames, DA is at an
4750 * offset of 4 from the beginning of
4751 * the packet.
4752 *
4753 * For data frames, DA is at an offset
4754 * of 4 from the beginning of the packet
4755 * if To DS is clear and at an offset of
4756 * 16 from the beginning of the packet
4757 * if To DS is set.
4758 */
4759
4760 /*
4761 * Generate the tests to be done for data frames.
4762 *
4763 * First, check for To DS set, i.e. "link[1] & 0x01".
4764 */
4765 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4766 b1 = gen_set(cstate, IEEE80211_FC1_DIR_TODS, s);
4767
4768 /*
4769 * If To DS is set, the DA is at 16.
4770 */
4771 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4772 gen_and(b1, b0);
4773
4774 /*
4775 * Now, check for To DS not set, i.e. check
4776 * "!(link[1] & 0x01)".
4777 */
4778 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4779 b2 = gen_unset(cstate, IEEE80211_FC1_DIR_TODS, s);
4780
4781 /*
4782 * If To DS is not set, the DA is at 4.
4783 */
4784 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4785 gen_and(b2, b1);
4786
4787 /*
4788 * Now OR together the last two checks. That gives
4789 * the complete set of checks for data frames.
4790 */
4791 gen_or(b1, b0);
4792
4793 /*
4794 * Now check for a data frame.
4795 * I.e, check "link[0] & 0x08".
4796 */
4797 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4798 b1 = gen_set(cstate, IEEE80211_FC0_TYPE_DATA, s);
4799
4800 /*
4801 * AND that with the checks done for data frames.
4802 */
4803 gen_and(b1, b0);
4804
4805 /*
4806 * If the high-order bit of the type value is 0, this
4807 * is a management frame.
4808 * I.e, check "!(link[0] & 0x08)".
4809 */
4810 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4811 b2 = gen_unset(cstate, IEEE80211_FC0_TYPE_DATA, s);
4812
4813 /*
4814 * For management frames, the DA is at 4.
4815 */
4816 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4817 gen_and(b2, b1);
4818
4819 /*
4820 * OR that with the checks done for data frames.
4821 * That gives the checks done for management and
4822 * data frames.
4823 */
4824 gen_or(b1, b0);
4825
4826 /*
4827 * If the low-order bit of the type value is 1,
4828 * this is either a control frame or a frame
4829 * with a reserved type, and thus not a
4830 * frame with an SA.
4831 *
4832 * I.e., check "!(link[0] & 0x04)".
4833 */
4834 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4835 b1 = gen_unset(cstate, IEEE80211_FC0_TYPE_CTL, s);
4836
4837 /*
4838 * AND that with the checks for data and management
4839 * frames.
4840 */
4841 gen_and(b1, b0);
4842 return b0;
4843
4844 case Q_AND:
4845 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4846 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4847 gen_and(b0, b1);
4848 return b1;
4849
4850 case Q_DEFAULT:
4851 case Q_OR:
4852 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4853 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4854 gen_or(b0, b1);
4855 return b1;
4856
4857 /*
4858 * XXX - add BSSID keyword?
4859 */
4860 case Q_ADDR1:
4861 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4862
4863 case Q_ADDR2:
4864 /*
4865 * Not present in CTS or ACK control frames.
4866 */
4867 b0 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4868 IEEE80211_FC0_TYPE_MASK);
4869 b1 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4870 IEEE80211_FC0_SUBTYPE_MASK);
4871 b2 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4872 IEEE80211_FC0_SUBTYPE_MASK);
4873 gen_and(b1, b2);
4874 gen_or(b0, b2);
4875 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4876 gen_and(b2, b1);
4877 return b1;
4878
4879 case Q_ADDR3:
4880 /*
4881 * Not present in control frames.
4882 */
4883 b0 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4884 IEEE80211_FC0_TYPE_MASK);
4885 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4886 gen_and(b0, b1);
4887 return b1;
4888
4889 case Q_ADDR4:
4890 /*
4891 * Present only if the direction mask has both "From DS"
4892 * and "To DS" set. Neither control frames nor management
4893 * frames should have both of those set, so we don't
4894 * check the frame type.
4895 */
4896 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4897 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4898 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4899 gen_and(b0, b1);
4900 return b1;
4901
4902 case Q_RA:
4903 /*
4904 * Not present in management frames; addr1 in other
4905 * frames.
4906 */
4907
4908 /*
4909 * If the high-order bit of the type value is 0, this
4910 * is a management frame.
4911 * I.e, check "(link[0] & 0x08)".
4912 */
4913 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4914 b1 = gen_set(cstate, IEEE80211_FC0_TYPE_DATA, s);
4915
4916 /*
4917 * Check addr1.
4918 */
4919 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4920
4921 /*
4922 * AND that with the check of addr1.
4923 */
4924 gen_and(b1, b0);
4925 return (b0);
4926
4927 case Q_TA:
4928 /*
4929 * Not present in management frames; addr2, if present,
4930 * in other frames.
4931 */
4932
4933 /*
4934 * Not present in CTS or ACK control frames.
4935 */
4936 b0 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4937 IEEE80211_FC0_TYPE_MASK);
4938 b1 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4939 IEEE80211_FC0_SUBTYPE_MASK);
4940 b2 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4941 IEEE80211_FC0_SUBTYPE_MASK);
4942 gen_and(b1, b2);
4943 gen_or(b0, b2);
4944
4945 /*
4946 * If the high-order bit of the type value is 0, this
4947 * is a management frame.
4948 * I.e, check "(link[0] & 0x08)".
4949 */
4950 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4951 b1 = gen_set(cstate, IEEE80211_FC0_TYPE_DATA, s);
4952
4953 /*
4954 * AND that with the check for frames other than
4955 * CTS and ACK frames.
4956 */
4957 gen_and(b1, b2);
4958
4959 /*
4960 * Check addr2.
4961 */
4962 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4963 gen_and(b2, b1);
4964 return b1;
4965 }
4966 abort();
4967 /*NOTREACHED*/
4968 }
4969
4970 /*
4971 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4972 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4973 * as the RFC states.)
4974 */
4975 static struct block *
4976 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4977 {
4978 register struct block *b0, *b1;
4979
4980 switch (dir) {
4981 case Q_SRC:
4982 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4983
4984 case Q_DST:
4985 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4986
4987 case Q_AND:
4988 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4989 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4990 gen_and(b0, b1);
4991 return b1;
4992
4993 case Q_DEFAULT:
4994 case Q_OR:
4995 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4996 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4997 gen_or(b0, b1);
4998 return b1;
4999
5000 case Q_ADDR1:
5001 case Q_ADDR2:
5002 case Q_ADDR3:
5003 case Q_ADDR4:
5004 case Q_RA:
5005 case Q_TA:
5006 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
5007 /*NOTREACHED*/
5008 }
5009 abort();
5010 /*NOTREACHED*/
5011 }
5012
5013 /*
5014 * This is quite tricky because there may be pad bytes in front of the
5015 * DECNET header, and then there are two possible data packet formats that
5016 * carry both src and dst addresses, plus 5 packet types in a format that
5017 * carries only the src node, plus 2 types that use a different format and
5018 * also carry just the src node.
5019 *
5020 * Yuck.
5021 *
5022 * Instead of doing those all right, we just look for data packets with
5023 * 0 or 1 bytes of padding. If you want to look at other packets, that
5024 * will require a lot more hacking.
5025 *
5026 * To add support for filtering on DECNET "areas" (network numbers)
5027 * one would want to add a "mask" argument to this routine. That would
5028 * make the filter even more inefficient, although one could be clever
5029 * and not generate masking instructions if the mask is 0xFFFF.
5030 */
5031 static struct block *
5032 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
5033 {
5034 struct block *b0, *b1, *b2, *tmp;
5035 u_int offset_lh; /* offset if long header is received */
5036 u_int offset_sh; /* offset if short header is received */
5037
5038 switch (dir) {
5039
5040 case Q_DST:
5041 offset_sh = 1; /* follows flags */
5042 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
5043 break;
5044
5045 case Q_SRC:
5046 offset_sh = 3; /* follows flags, dstnode */
5047 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
5048 break;
5049
5050 case Q_AND:
5051 /* Inefficient because we do our Calvinball dance twice */
5052 b0 = gen_dnhostop(cstate, addr, Q_SRC);
5053 b1 = gen_dnhostop(cstate, addr, Q_DST);
5054 gen_and(b0, b1);
5055 return b1;
5056
5057 case Q_DEFAULT:
5058 case Q_OR:
5059 /* Inefficient because we do our Calvinball dance twice */
5060 b0 = gen_dnhostop(cstate, addr, Q_SRC);
5061 b1 = gen_dnhostop(cstate, addr, Q_DST);
5062 gen_or(b0, b1);
5063 return b1;
5064
5065 case Q_ADDR1:
5066 case Q_ADDR2:
5067 case Q_ADDR3:
5068 case Q_ADDR4:
5069 case Q_RA:
5070 case Q_TA:
5071 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
5072 /*NOTREACHED*/
5073
5074 default:
5075 abort();
5076 /*NOTREACHED*/
5077 }
5078 /*
5079 * In a DECnet message inside an Ethernet frame the first two bytes
5080 * immediately after EtherType are the [litle-endian] DECnet message
5081 * length, which is irrelevant in this context.
5082 *
5083 * "pad = 1" means the third byte equals 0x81, thus it is the PLENGTH
5084 * 8-bit bitmap of the optional padding before the packet route header.
5085 * The bitmap always has bit 7 set to 1 and in this case has bits 0-6
5086 * (TOTAL-PAD-SEQUENCE-LENGTH) set to integer value 1. The latter
5087 * means there aren't any PAD bytes after the bitmap, so the header
5088 * begins at the fourth byte. "pad = 0" means bit 7 of the third byte
5089 * is set to 0, thus the header begins at the third byte.
5090 *
5091 * The header can be in several (as mentioned above) formats, all of
5092 * which begin with the FLAGS 8-bit bitmap, which always has bit 7
5093 * (PF, "pad field") set to 0 regardless of any padding present before
5094 * the header. "Short header" means bits 0-2 of the bitmap encode the
5095 * integer value 2 (SFDP), and "long header" means value 6 (LFDP).
5096 *
5097 * To test PLENGTH and FLAGS, use multiple-byte constants with the
5098 * values and the masks, this maps to the required single bytes of
5099 * the message correctly on both big-endian and little-endian hosts.
5100 * For the DECnet address use SWAPSHORT(), which always swaps bytes,
5101 * because the wire encoding is little-endian and BPF multiple-byte
5102 * loads are big-endian. When the destination address is near enough
5103 * to PLENGTH and FLAGS, generate one 32-bit comparison instead of two
5104 * smaller ones.
5105 */
5106 /* Check for pad = 1, long header case */
5107 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 0x8106U, 0xFF07U);
5108 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
5109 BPF_H, SWAPSHORT(addr));
5110 gen_and(tmp, b1);
5111 /* Check for pad = 0, long header case */
5112 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, 0x06U, 0x07U);
5113 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H,
5114 SWAPSHORT(addr));
5115 gen_and(tmp, b2);
5116 gen_or(b2, b1);
5117 /* Check for pad = 1, short header case */
5118 if (dir == Q_DST) {
5119 b2 = gen_mcmp(cstate, OR_LINKPL, 2, BPF_W,
5120 0x81020000U | SWAPSHORT(addr),
5121 0xFF07FFFFU);
5122 } else {
5123 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 0x8102U, 0xFF07U);
5124 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H,
5125 SWAPSHORT(addr));
5126 gen_and(tmp, b2);
5127 }
5128 gen_or(b2, b1);
5129 /* Check for pad = 0, short header case */
5130 if (dir == Q_DST) {
5131 b2 = gen_mcmp(cstate, OR_LINKPL, 2, BPF_W,
5132 0x02000000U | SWAPSHORT(addr) << 8,
5133 0x07FFFF00U);
5134 } else {
5135 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, 0x02U, 0x07U);
5136 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H,
5137 SWAPSHORT(addr));
5138 gen_and(tmp, b2);
5139 }
5140 gen_or(b2, b1);
5141
5142 return b1;
5143 }
5144
5145 /*
5146 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
5147 * test the bottom-of-stack bit, and then check the version number
5148 * field in the IP header.
5149 */
5150 static struct block *
5151 gen_mpls_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
5152 {
5153 struct block *b0, *b1;
5154
5155 switch (ll_proto) {
5156
5157 case ETHERTYPE_IP:
5158 /* match the bottom-of-stack bit */
5159 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
5160 /* match the IPv4 version number */
5161 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
5162 gen_and(b0, b1);
5163 return b1;
5164
5165 case ETHERTYPE_IPV6:
5166 /* match the bottom-of-stack bit */
5167 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
5168 /* match the IPv6 version number */
5169 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
5170 gen_and(b0, b1);
5171 return b1;
5172
5173 default:
5174 /* FIXME add other L3 proto IDs */
5175 bpf_error(cstate, "unsupported protocol over mpls");
5176 /*NOTREACHED*/
5177 }
5178 }
5179
5180 static struct block *
5181 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
5182 int proto, int dir, int type)
5183 {
5184 struct block *b0, *b1;
5185
5186 switch (proto) {
5187
5188 case Q_DEFAULT:
5189 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
5190 /*
5191 * Only check for non-IPv4 addresses if we're not
5192 * checking MPLS-encapsulated packets.
5193 */
5194 if (cstate->label_stack_depth == 0) {
5195 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
5196 gen_or(b0, b1);
5197 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
5198 gen_or(b1, b0);
5199 }
5200 return b0;
5201
5202 case Q_LINK:
5203 // "link net NETNAME" and variations thereof
5204 break; // invalid qualifier
5205
5206 case Q_IP:
5207 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5208 b1 = gen_hostop(cstate, addr, mask, dir, 12, 16);
5209 gen_and(b0, b1);
5210 return b1;
5211
5212 case Q_RARP:
5213 b0 = gen_linktype(cstate, ETHERTYPE_REVARP);
5214 b1 = gen_hostop(cstate, addr, mask, dir, 14, 24);
5215 gen_and(b0, b1);
5216 return b1;
5217
5218 case Q_ARP:
5219 b0 = gen_linktype(cstate, ETHERTYPE_ARP);
5220 b1 = gen_hostop(cstate, addr, mask, dir, 14, 24);
5221 gen_and(b0, b1);
5222 return b1;
5223
5224 case Q_SCTP:
5225 case Q_TCP:
5226 case Q_UDP:
5227 case Q_ICMP:
5228 case Q_IGMP:
5229 case Q_IGRP:
5230 case Q_ATALK:
5231 break; // invalid qualifier
5232
5233 case Q_DECNET:
5234 b0 = gen_linktype(cstate, ETHERTYPE_DN);
5235 b1 = gen_dnhostop(cstate, addr, dir);
5236 gen_and(b0, b1);
5237 return b1;
5238
5239 case Q_LAT:
5240 case Q_SCA:
5241 case Q_MOPRC:
5242 case Q_MOPDL:
5243 case Q_IPV6:
5244 case Q_ICMPV6:
5245 case Q_AH:
5246 case Q_ESP:
5247 case Q_PIM:
5248 case Q_VRRP:
5249 case Q_AARP:
5250 case Q_ISO:
5251 case Q_ESIS:
5252 case Q_ISIS:
5253 case Q_CLNP:
5254 case Q_STP:
5255 case Q_IPX:
5256 case Q_NETBEUI:
5257 case Q_ISIS_L1:
5258 case Q_ISIS_L2:
5259 case Q_ISIS_IIH:
5260 case Q_ISIS_SNP:
5261 case Q_ISIS_CSNP:
5262 case Q_ISIS_PSNP:
5263 case Q_ISIS_LSP:
5264 case Q_RADIO:
5265 case Q_CARP:
5266 break; // invalid qualifier
5267
5268 default:
5269 abort();
5270 }
5271 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto),
5272 type == Q_NET ? "ip net" : "ip host");
5273 /*NOTREACHED*/
5274 }
5275
5276 #ifdef INET6
5277 static struct block *
5278 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
5279 struct in6_addr *mask, int proto, int dir, int type)
5280 {
5281 struct block *b0, *b1;
5282
5283 switch (proto) {
5284
5285 case Q_DEFAULT:
5286 case Q_IPV6:
5287 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5288 b1 = gen_hostop6(cstate, addr, mask, dir, 8, 24);
5289 gen_and(b0, b1);
5290 return b1;
5291
5292 case Q_LINK:
5293 case Q_IP:
5294 case Q_RARP:
5295 case Q_ARP:
5296 case Q_SCTP:
5297 case Q_TCP:
5298 case Q_UDP:
5299 case Q_ICMP:
5300 case Q_IGMP:
5301 case Q_IGRP:
5302 case Q_ATALK:
5303 case Q_DECNET:
5304 case Q_LAT:
5305 case Q_SCA:
5306 case Q_MOPRC:
5307 case Q_MOPDL:
5308 case Q_ICMPV6:
5309 case Q_AH:
5310 case Q_ESP:
5311 case Q_PIM:
5312 case Q_VRRP:
5313 case Q_AARP:
5314 case Q_ISO:
5315 case Q_ESIS:
5316 case Q_ISIS:
5317 case Q_CLNP:
5318 case Q_STP:
5319 case Q_IPX:
5320 case Q_NETBEUI:
5321 case Q_ISIS_L1:
5322 case Q_ISIS_L2:
5323 case Q_ISIS_IIH:
5324 case Q_ISIS_SNP:
5325 case Q_ISIS_CSNP:
5326 case Q_ISIS_PSNP:
5327 case Q_ISIS_LSP:
5328 case Q_RADIO:
5329 case Q_CARP:
5330 break; // invalid qualifier
5331
5332 default:
5333 abort();
5334 }
5335 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto),
5336 type == Q_NET ? "ip6 net" : "ip6 host");
5337 /*NOTREACHED*/
5338 }
5339 #endif
5340
5341 #ifndef INET6
5342 /*
5343 * This primitive is non-directional by design, so the grammar does not allow
5344 * to qualify it with a direction.
5345 */
5346 static struct block *
5347 gen_gateway(compiler_state_t *cstate, const u_char *eaddr,
5348 struct addrinfo *alist, int proto)
5349 {
5350 struct block *b0, *b1, *tmp;
5351 struct addrinfo *ai;
5352 struct sockaddr_in *sin;
5353
5354 switch (proto) {
5355 case Q_DEFAULT:
5356 case Q_IP:
5357 case Q_ARP:
5358 case Q_RARP:
5359 switch (cstate->linktype) {
5360 case DLT_EN10MB:
5361 case DLT_NETANALYZER:
5362 case DLT_NETANALYZER_TRANSPARENT:
5363 b1 = gen_prevlinkhdr_check(cstate);
5364 b0 = gen_ehostop(cstate, eaddr, Q_OR);
5365 if (b1 != NULL)
5366 gen_and(b1, b0);
5367 break;
5368 case DLT_FDDI:
5369 b0 = gen_fhostop(cstate, eaddr, Q_OR);
5370 break;
5371 case DLT_IEEE802:
5372 b0 = gen_thostop(cstate, eaddr, Q_OR);
5373 break;
5374 case DLT_IEEE802_11:
5375 case DLT_PRISM_HEADER:
5376 case DLT_IEEE802_11_RADIO_AVS:
5377 case DLT_IEEE802_11_RADIO:
5378 case DLT_PPI:
5379 b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
5380 break;
5381 case DLT_IP_OVER_FC:
5382 b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
5383 break;
5384 case DLT_SUNATM:
5385 /*
5386 * This is LLC-multiplexed traffic; if it were
5387 * LANE, cstate->linktype would have been set to
5388 * DLT_EN10MB.
5389 */
5390 /* FALLTHROUGH */
5391 default:
5392 bpf_error(cstate,
5393 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5394 }
5395 b1 = NULL;
5396 for (ai = alist; ai != NULL; ai = ai->ai_next) {
5397 /*
5398 * Does it have an address?
5399 */
5400 if (ai->ai_addr != NULL) {
5401 /*
5402 * Yes. Is it an IPv4 address?
5403 */
5404 if (ai->ai_addr->sa_family == AF_INET) {
5405 /*
5406 * Generate an entry for it.
5407 */
5408 sin = (struct sockaddr_in *)ai->ai_addr;
5409 tmp = gen_host(cstate,
5410 ntohl(sin->sin_addr.s_addr),
5411 0xffffffff, proto, Q_OR, Q_HOST);
5412 /*
5413 * Is it the *first* IPv4 address?
5414 */
5415 if (b1 == NULL) {
5416 /*
5417 * Yes, so start with it.
5418 */
5419 b1 = tmp;
5420 } else {
5421 /*
5422 * No, so OR it into the
5423 * existing set of
5424 * addresses.
5425 */
5426 gen_or(b1, tmp);
5427 b1 = tmp;
5428 }
5429 }
5430 }
5431 }
5432 if (b1 == NULL) {
5433 /*
5434 * No IPv4 addresses found.
5435 */
5436 return (NULL);
5437 }
5438 gen_not(b1);
5439 gen_and(b0, b1);
5440 return b1;
5441 }
5442 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), "gateway");
5443 /*NOTREACHED*/
5444 }
5445 #endif
5446
5447 static struct block *
5448 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto)
5449 {
5450 struct block *b0;
5451 struct block *b1;
5452
5453 switch (proto) {
5454
5455 case Q_SCTP:
5456 return gen_proto(cstate, IPPROTO_SCTP, Q_DEFAULT);
5457
5458 case Q_TCP:
5459 return gen_proto(cstate, IPPROTO_TCP, Q_DEFAULT);
5460
5461 case Q_UDP:
5462 return gen_proto(cstate, IPPROTO_UDP, Q_DEFAULT);
5463
5464 case Q_ICMP:
5465 return gen_proto(cstate, IPPROTO_ICMP, Q_IP);
5466
5467 #ifndef IPPROTO_IGMP
5468 #define IPPROTO_IGMP 2
5469 #endif
5470
5471 case Q_IGMP:
5472 return gen_proto(cstate, IPPROTO_IGMP, Q_IP);
5473
5474 #ifndef IPPROTO_IGRP
5475 #define IPPROTO_IGRP 9
5476 #endif
5477 case Q_IGRP:
5478 return gen_proto(cstate, IPPROTO_IGRP, Q_IP);
5479
5480 #ifndef IPPROTO_PIM
5481 #define IPPROTO_PIM 103
5482 #endif
5483
5484 case Q_PIM:
5485 return gen_proto(cstate, IPPROTO_PIM, Q_DEFAULT);
5486
5487 #ifndef IPPROTO_VRRP
5488 #define IPPROTO_VRRP 112
5489 #endif
5490
5491 case Q_VRRP:
5492 return gen_proto(cstate, IPPROTO_VRRP, Q_IP);
5493
5494 #ifndef IPPROTO_CARP
5495 #define IPPROTO_CARP 112
5496 #endif
5497
5498 case Q_CARP:
5499 return gen_proto(cstate, IPPROTO_CARP, Q_IP);
5500
5501 case Q_IP:
5502 return gen_linktype(cstate, ETHERTYPE_IP);
5503
5504 case Q_ARP:
5505 return gen_linktype(cstate, ETHERTYPE_ARP);
5506
5507 case Q_RARP:
5508 return gen_linktype(cstate, ETHERTYPE_REVARP);
5509
5510 case Q_LINK:
5511 break; // invalid syntax
5512
5513 case Q_ATALK:
5514 return gen_linktype(cstate, ETHERTYPE_ATALK);
5515
5516 case Q_AARP:
5517 return gen_linktype(cstate, ETHERTYPE_AARP);
5518
5519 case Q_DECNET:
5520 return gen_linktype(cstate, ETHERTYPE_DN);
5521
5522 case Q_SCA:
5523 return gen_linktype(cstate, ETHERTYPE_SCA);
5524
5525 case Q_LAT:
5526 return gen_linktype(cstate, ETHERTYPE_LAT);
5527
5528 case Q_MOPDL:
5529 return gen_linktype(cstate, ETHERTYPE_MOPDL);
5530
5531 case Q_MOPRC:
5532 return gen_linktype(cstate, ETHERTYPE_MOPRC);
5533
5534 case Q_IPV6:
5535 return gen_linktype(cstate, ETHERTYPE_IPV6);
5536
5537 #ifndef IPPROTO_ICMPV6
5538 #define IPPROTO_ICMPV6 58
5539 #endif
5540 case Q_ICMPV6:
5541 return gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6);
5542
5543 #ifndef IPPROTO_AH
5544 #define IPPROTO_AH 51
5545 #endif
5546 case Q_AH:
5547 return gen_proto(cstate, IPPROTO_AH, Q_DEFAULT);
5548
5549 #ifndef IPPROTO_ESP
5550 #define IPPROTO_ESP 50
5551 #endif
5552 case Q_ESP:
5553 return gen_proto(cstate, IPPROTO_ESP, Q_DEFAULT);
5554
5555 case Q_ISO:
5556 return gen_linktype(cstate, LLCSAP_ISONS);
5557
5558 case Q_ESIS:
5559 return gen_proto(cstate, ISO9542_ESIS, Q_ISO);
5560
5561 case Q_ISIS:
5562 return gen_proto(cstate, ISO10589_ISIS, Q_ISO);
5563
5564 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5565 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS);
5566 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS); /* FIXME extract the circuit-type bits */
5567 gen_or(b0, b1);
5568 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS);
5569 gen_or(b0, b1);
5570 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS);
5571 gen_or(b0, b1);
5572 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS);
5573 gen_or(b0, b1);
5574 return b1;
5575
5576 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5577 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS);
5578 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS); /* FIXME extract the circuit-type bits */
5579 gen_or(b0, b1);
5580 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS);
5581 gen_or(b0, b1);
5582 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS);
5583 gen_or(b0, b1);
5584 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS);
5585 gen_or(b0, b1);
5586 return b1;
5587
5588 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5589 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS);
5590 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS);
5591 gen_or(b0, b1);
5592 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS);
5593 gen_or(b0, b1);
5594 return b1;
5595
5596 case Q_ISIS_LSP:
5597 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS);
5598 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS);
5599 gen_or(b0, b1);
5600 return b1;
5601
5602 case Q_ISIS_SNP:
5603 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS);
5604 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS);
5605 gen_or(b0, b1);
5606 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS);
5607 gen_or(b0, b1);
5608 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS);
5609 gen_or(b0, b1);
5610 return b1;
5611
5612 case Q_ISIS_CSNP:
5613 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS);
5614 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS);
5615 gen_or(b0, b1);
5616 return b1;
5617
5618 case Q_ISIS_PSNP:
5619 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS);
5620 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS);
5621 gen_or(b0, b1);
5622 return b1;
5623
5624 case Q_CLNP:
5625 return gen_proto(cstate, ISO8473_CLNP, Q_ISO);
5626
5627 case Q_STP:
5628 return gen_linktype(cstate, LLCSAP_8021D);
5629
5630 case Q_IPX:
5631 return gen_linktype(cstate, LLCSAP_IPX);
5632
5633 case Q_NETBEUI:
5634 return gen_linktype(cstate, LLCSAP_NETBEUI);
5635
5636 case Q_RADIO:
5637 break; // invalid syntax
5638
5639 default:
5640 abort();
5641 }
5642 bpf_error(cstate, "'%s' cannot be used as an abbreviation", pqkw(proto));
5643 }
5644
5645 struct block *
5646 gen_proto_abbrev(compiler_state_t *cstate, int proto)
5647 {
5648 /*
5649 * Catch errors reported by us and routines below us, and return NULL
5650 * on an error.
5651 */
5652 if (setjmp(cstate->top_ctx))
5653 return (NULL);
5654
5655 return gen_proto_abbrev_internal(cstate, proto);
5656 }
5657
5658 static struct block *
5659 gen_ip_proto(compiler_state_t *cstate, const uint8_t proto)
5660 {
5661 return gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5662 }
5663
5664 static struct block *
5665 gen_ip6_proto(compiler_state_t *cstate, const uint8_t proto)
5666 {
5667 return gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
5668 }
5669
5670 static struct block *
5671 gen_ipfrag(compiler_state_t *cstate)
5672 {
5673 struct slist *s;
5674
5675 /* not IPv4 frag other than the first frag */
5676 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5677 return gen_unset(cstate, 0x1fff, s);
5678 }
5679
5680 /*
5681 * Generate a comparison to a port value in the transport-layer header
5682 * at the specified offset from the beginning of that header.
5683 *
5684 * XXX - this handles a variable-length prefix preceding the link-layer
5685 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5686 * variable-length link-layer headers (such as Token Ring or 802.11
5687 * headers).
5688 */
5689 static struct block *
5690 gen_portatom(compiler_state_t *cstate, int off, uint16_t v)
5691 {
5692 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5693 }
5694
5695 static struct block *
5696 gen_portatom6(compiler_state_t *cstate, int off, uint16_t v)
5697 {
5698 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5699 }
5700
5701 static struct block *
5702 gen_port(compiler_state_t *cstate, uint16_t port, int proto, int dir)
5703 {
5704 struct block *b1, *tmp;
5705
5706 switch (dir) {
5707 case Q_SRC:
5708 b1 = gen_portatom(cstate, 0, port);
5709 break;
5710
5711 case Q_DST:
5712 b1 = gen_portatom(cstate, 2, port);
5713 break;
5714
5715 case Q_AND:
5716 tmp = gen_portatom(cstate, 0, port);
5717 b1 = gen_portatom(cstate, 2, port);
5718 gen_and(tmp, b1);
5719 break;
5720
5721 case Q_DEFAULT:
5722 case Q_OR:
5723 tmp = gen_portatom(cstate, 0, port);
5724 b1 = gen_portatom(cstate, 2, port);
5725 gen_or(tmp, b1);
5726 break;
5727
5728 case Q_ADDR1:
5729 case Q_ADDR2:
5730 case Q_ADDR3:
5731 case Q_ADDR4:
5732 case Q_RA:
5733 case Q_TA:
5734 bpf_error(cstate, ERRSTR_INVALID_QUAL, dqkw(dir), "port");
5735 /*NOTREACHED*/
5736
5737 default:
5738 abort();
5739 /*NOTREACHED*/
5740 }
5741
5742 return gen_port_common(cstate, proto, b1);
5743 }
5744
5745 static struct block *
5746 gen_port_common(compiler_state_t *cstate, int proto, struct block *b1)
5747 {
5748 struct block *b0, *tmp;
5749
5750 /*
5751 * ether proto ip
5752 *
5753 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5754 * not LLC encapsulation with LLCSAP_IP.
5755 *
5756 * For IEEE 802 networks - which includes 802.5 token ring
5757 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5758 * says that SNAP encapsulation is used, not LLC encapsulation
5759 * with LLCSAP_IP.
5760 *
5761 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5762 * RFC 2225 say that SNAP encapsulation is used, not LLC
5763 * encapsulation with LLCSAP_IP.
5764 *
5765 * So we always check for ETHERTYPE_IP.
5766 *
5767 * At the time of this writing all three L4 protocols the "port" and
5768 * "portrange" primitives support (TCP, UDP and SCTP) have the source
5769 * and the destination ports identically encoded in the transport
5770 * protocol header. So without a proto qualifier the only difference
5771 * between the implemented cases is the protocol number and all other
5772 * checks need to be made exactly once.
5773 *
5774 * If the expression syntax in future starts to support ports for
5775 * another L4 protocol that has unsigned integer ports encoded using a
5776 * different size and/or offset, this will require a different code.
5777 */
5778 switch (proto) {
5779 case IPPROTO_UDP:
5780 case IPPROTO_TCP:
5781 case IPPROTO_SCTP:
5782 tmp = gen_ip_proto(cstate, (uint8_t)proto);
5783 break;
5784
5785 case PROTO_UNDEF:
5786 tmp = gen_ip_proto(cstate, IPPROTO_UDP);
5787 gen_or(gen_ip_proto(cstate, IPPROTO_TCP), tmp);
5788 gen_or(gen_ip_proto(cstate, IPPROTO_SCTP), tmp);
5789 break;
5790
5791 default:
5792 abort();
5793 }
5794 // Not a fragment other than the first fragment.
5795 b0 = gen_ipfrag(cstate);
5796 gen_and(tmp, b0);
5797 gen_and(b0, b1);
5798 // "link proto \ip"
5799 gen_and(gen_linktype(cstate, ETHERTYPE_IP), b1);
5800 return b1;
5801 }
5802
5803 static struct block *
5804 gen_port6(compiler_state_t *cstate, uint16_t port, int proto, int dir)
5805 {
5806 struct block *b1, *tmp;
5807
5808 switch (dir) {
5809 case Q_SRC:
5810 b1 = gen_portatom6(cstate, 0, port);
5811 break;
5812
5813 case Q_DST:
5814 b1 = gen_portatom6(cstate, 2, port);
5815 break;
5816
5817 case Q_AND:
5818 tmp = gen_portatom6(cstate, 0, port);
5819 b1 = gen_portatom6(cstate, 2, port);
5820 gen_and(tmp, b1);
5821 break;
5822
5823 case Q_DEFAULT:
5824 case Q_OR:
5825 tmp = gen_portatom6(cstate, 0, port);
5826 b1 = gen_portatom6(cstate, 2, port);
5827 gen_or(tmp, b1);
5828 break;
5829
5830 default:
5831 abort();
5832 }
5833
5834 return gen_port6_common(cstate, proto, b1);
5835 }
5836
5837 static struct block *
5838 gen_port6_common(compiler_state_t *cstate, int proto, struct block *b1)
5839 {
5840 struct block *tmp;
5841
5842 // "ip6 proto 'ip_proto'"
5843 switch (proto) {
5844 case IPPROTO_UDP:
5845 case IPPROTO_TCP:
5846 case IPPROTO_SCTP:
5847 tmp = gen_ip6_proto(cstate, (uint8_t)proto);
5848 break;
5849
5850 case PROTO_UNDEF:
5851 // Same as in gen_port_common().
5852 tmp = gen_ip6_proto(cstate, IPPROTO_UDP);
5853 gen_or(gen_ip6_proto(cstate, IPPROTO_TCP), tmp);
5854 gen_or(gen_ip6_proto(cstate, IPPROTO_SCTP), tmp);
5855 break;
5856
5857 default:
5858 abort();
5859 }
5860 // XXX - catch the first fragment of a fragmented packet?
5861 gen_and(tmp, b1);
5862 // "link proto \ip6"
5863 gen_and(gen_linktype(cstate, ETHERTYPE_IPV6), b1);
5864 return b1;
5865 }
5866
5867 /* gen_portrange code */
5868 static struct block *
5869 gen_portrangeatom(compiler_state_t *cstate, u_int off, uint16_t v1,
5870 uint16_t v2)
5871 {
5872 if (v1 == v2)
5873 return gen_portatom(cstate, off, v1);
5874
5875 struct block *b1, *b2;
5876
5877 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, min(v1, v2));
5878 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, max(v1, v2));
5879
5880 gen_and(b1, b2);
5881
5882 return b2;
5883 }
5884
5885 static struct block *
5886 gen_portrange(compiler_state_t *cstate, uint16_t port1, uint16_t port2,
5887 int proto, int dir)
5888 {
5889 struct block *b1, *tmp;
5890
5891 switch (dir) {
5892 case Q_SRC:
5893 b1 = gen_portrangeatom(cstate, 0, port1, port2);
5894 break;
5895
5896 case Q_DST:
5897 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5898 break;
5899
5900 case Q_AND:
5901 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5902 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5903 gen_and(tmp, b1);
5904 break;
5905
5906 case Q_DEFAULT:
5907 case Q_OR:
5908 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5909 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5910 gen_or(tmp, b1);
5911 break;
5912
5913 case Q_ADDR1:
5914 case Q_ADDR2:
5915 case Q_ADDR3:
5916 case Q_ADDR4:
5917 case Q_RA:
5918 case Q_TA:
5919 bpf_error(cstate, ERRSTR_INVALID_QUAL, dqkw(dir), "portrange");
5920 /*NOTREACHED*/
5921
5922 default:
5923 abort();
5924 /*NOTREACHED*/
5925 }
5926
5927 return gen_port_common(cstate, proto, b1);
5928 }
5929
5930 static struct block *
5931 gen_portrangeatom6(compiler_state_t *cstate, u_int off, uint16_t v1,
5932 uint16_t v2)
5933 {
5934 if (v1 == v2)
5935 return gen_portatom6(cstate, off, v1);
5936
5937 struct block *b1, *b2;
5938
5939 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, min(v1, v2));
5940 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, max(v1, v2));
5941
5942 gen_and(b1, b2);
5943
5944 return b2;
5945 }
5946
5947 static struct block *
5948 gen_portrange6(compiler_state_t *cstate, uint16_t port1, uint16_t port2,
5949 int proto, int dir)
5950 {
5951 struct block *b1, *tmp;
5952
5953 switch (dir) {
5954 case Q_SRC:
5955 b1 = gen_portrangeatom6(cstate, 0, port1, port2);
5956 break;
5957
5958 case Q_DST:
5959 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
5960 break;
5961
5962 case Q_AND:
5963 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
5964 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
5965 gen_and(tmp, b1);
5966 break;
5967
5968 case Q_DEFAULT:
5969 case Q_OR:
5970 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
5971 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
5972 gen_or(tmp, b1);
5973 break;
5974
5975 default:
5976 abort();
5977 }
5978
5979 return gen_port6_common(cstate, proto, b1);
5980 }
5981
5982 static int
5983 lookup_proto(compiler_state_t *cstate, const char *name, int proto)
5984 {
5985 register int v;
5986
5987 switch (proto) {
5988
5989 case Q_DEFAULT:
5990 case Q_IP:
5991 case Q_IPV6:
5992 v = pcap_nametoproto(name);
5993 if (v == PROTO_UNDEF)
5994 bpf_error(cstate, "unknown ip proto '%s'", name);
5995 break;
5996
5997 case Q_LINK:
5998 /* XXX should look up h/w protocol type based on cstate->linktype */
5999 v = pcap_nametoeproto(name);
6000 if (v == PROTO_UNDEF) {
6001 v = pcap_nametollc(name);
6002 if (v == PROTO_UNDEF)
6003 bpf_error(cstate, "unknown ether proto '%s'", name);
6004 }
6005 break;
6006
6007 case Q_ISO:
6008 if (strcmp(name, "esis") == 0)
6009 v = ISO9542_ESIS;
6010 else if (strcmp(name, "isis") == 0)
6011 v = ISO10589_ISIS;
6012 else if (strcmp(name, "clnp") == 0)
6013 v = ISO8473_CLNP;
6014 else
6015 bpf_error(cstate, "unknown osi proto '%s'", name);
6016 break;
6017
6018 default:
6019 v = PROTO_UNDEF;
6020 break;
6021 }
6022 return v;
6023 }
6024
6025 #if !defined(NO_PROTOCHAIN)
6026 /*
6027 * This primitive is non-directional by design, so the grammar does not allow
6028 * to qualify it with a direction.
6029 */
6030 static struct block *
6031 gen_protochain(compiler_state_t *cstate, bpf_u_int32 v, int proto)
6032 {
6033 struct block *b0, *b;
6034 struct slist *s[100];
6035 int fix2, fix3, fix4, fix5;
6036 int ahcheck, again, end;
6037 int i, max;
6038 int reg2 = alloc_reg(cstate);
6039
6040 memset(s, 0, sizeof(s));
6041 fix3 = fix4 = fix5 = 0;
6042
6043 switch (proto) {
6044 case Q_IP:
6045 case Q_IPV6:
6046 break;
6047 case Q_DEFAULT:
6048 b0 = gen_protochain(cstate, v, Q_IP);
6049 b = gen_protochain(cstate, v, Q_IPV6);
6050 gen_or(b0, b);
6051 return b;
6052 default:
6053 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), "protochain");
6054 /*NOTREACHED*/
6055 }
6056
6057 /*
6058 * We don't handle variable-length prefixes before the link-layer
6059 * header, or variable-length link-layer headers, here yet.
6060 * We might want to add BPF instructions to do the protochain
6061 * work, to simplify that and, on platforms that have a BPF
6062 * interpreter with the new instructions, let the filtering
6063 * be done in the kernel. (We already require a modified BPF
6064 * engine to do the protochain stuff, to support backward
6065 * branches, and backward branch support is unlikely to appear
6066 * in kernel BPF engines.)
6067 */
6068 if (cstate->off_linkpl.is_variable)
6069 bpf_error(cstate, "'protochain' not supported with variable length headers");
6070
6071 /*
6072 * To quote a comment in optimize.c:
6073 *
6074 * "These data structures are used in a Cocke and Schwartz style
6075 * value numbering scheme. Since the flowgraph is acyclic,
6076 * exit values can be propagated from a node's predecessors
6077 * provided it is uniquely defined."
6078 *
6079 * "Acyclic" means "no backward branches", which means "no
6080 * loops", so we have to turn the optimizer off.
6081 */
6082 cstate->no_optimize = 1;
6083
6084 /*
6085 * s[0] is a dummy entry to protect other BPF insn from damage
6086 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
6087 * hard to find interdependency made by jump table fixup.
6088 */
6089 i = 0;
6090 s[i] = new_stmt(cstate, 0); /*dummy*/
6091 i++;
6092
6093 switch (proto) {
6094 case Q_IP:
6095 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6096
6097 /* A = ip->ip_p */
6098 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6099 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
6100 i++;
6101 /* X = ip->ip_hl << 2 */
6102 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
6103 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6104 i++;
6105 break;
6106
6107 case Q_IPV6:
6108 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6109
6110 /* A = ip6->ip_nxt */
6111 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6112 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
6113 i++;
6114 /* X = sizeof(struct ip6_hdr) */
6115 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
6116 s[i]->s.k = 40;
6117 i++;
6118 break;
6119
6120 default:
6121 bpf_error(cstate, "unsupported proto to gen_protochain");
6122 /*NOTREACHED*/
6123 }
6124
6125 /* again: if (A == v) goto end; else fall through; */
6126 again = i;
6127 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6128 s[i]->s.k = v;
6129 s[i]->s.jt = NULL; /*later*/
6130 s[i]->s.jf = NULL; /*update in next stmt*/
6131 fix5 = i;
6132 i++;
6133
6134 #ifndef IPPROTO_NONE
6135 #define IPPROTO_NONE 59
6136 #endif
6137 /* if (A == IPPROTO_NONE) goto end */
6138 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6139 s[i]->s.jt = NULL; /*later*/
6140 s[i]->s.jf = NULL; /*update in next stmt*/
6141 s[i]->s.k = IPPROTO_NONE;
6142 s[fix5]->s.jf = s[i];
6143 fix2 = i;
6144 i++;
6145
6146 if (proto == Q_IPV6) {
6147 int v6start, v6end, v6advance, j;
6148
6149 v6start = i;
6150 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
6151 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6152 s[i]->s.jt = NULL; /*later*/
6153 s[i]->s.jf = NULL; /*update in next stmt*/
6154 s[i]->s.k = IPPROTO_HOPOPTS;
6155 s[fix2]->s.jf = s[i];
6156 i++;
6157 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
6158 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6159 s[i]->s.jt = NULL; /*later*/
6160 s[i]->s.jf = NULL; /*update in next stmt*/
6161 s[i]->s.k = IPPROTO_DSTOPTS;
6162 i++;
6163 /* if (A == IPPROTO_ROUTING) goto v6advance */
6164 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6165 s[i]->s.jt = NULL; /*later*/
6166 s[i]->s.jf = NULL; /*update in next stmt*/
6167 s[i]->s.k = IPPROTO_ROUTING;
6168 i++;
6169 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
6170 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6171 s[i]->s.jt = NULL; /*later*/
6172 s[i]->s.jf = NULL; /*later*/
6173 s[i]->s.k = IPPROTO_FRAGMENT;
6174 fix3 = i;
6175 v6end = i;
6176 i++;
6177
6178 /* v6advance: */
6179 v6advance = i;
6180
6181 /*
6182 * in short,
6183 * A = P[X + packet head];
6184 * X = X + (P[X + packet head + 1] + 1) * 8;
6185 */
6186 /* A = P[X + packet head] */
6187 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6188 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6189 i++;
6190 /* MEM[reg2] = A */
6191 s[i] = new_stmt(cstate, BPF_ST);
6192 s[i]->s.k = reg2;
6193 i++;
6194 /* A = P[X + packet head + 1]; */
6195 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6196 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
6197 i++;
6198 /* A += 1 */
6199 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6200 s[i]->s.k = 1;
6201 i++;
6202 /* A *= 8 */
6203 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6204 s[i]->s.k = 8;
6205 i++;
6206 /* A += X */
6207 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
6208 s[i]->s.k = 0;
6209 i++;
6210 /* X = A; */
6211 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6212 i++;
6213 /* A = MEM[reg2] */
6214 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6215 s[i]->s.k = reg2;
6216 i++;
6217
6218 /* goto again; (must use BPF_JA for backward jump) */
6219 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6220 s[i]->s.k = again - i - 1;
6221 s[i - 1]->s.jf = s[i];
6222 i++;
6223
6224 /* fixup */
6225 for (j = v6start; j <= v6end; j++)
6226 s[j]->s.jt = s[v6advance];
6227 } else {
6228 /* nop */
6229 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6230 s[i]->s.k = 0;
6231 s[fix2]->s.jf = s[i];
6232 i++;
6233 }
6234
6235 /* ahcheck: */
6236 ahcheck = i;
6237 /* if (A == IPPROTO_AH) then fall through; else goto end; */
6238 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6239 s[i]->s.jt = NULL; /*later*/
6240 s[i]->s.jf = NULL; /*later*/
6241 s[i]->s.k = IPPROTO_AH;
6242 if (fix3)
6243 s[fix3]->s.jf = s[ahcheck];
6244 fix4 = i;
6245 i++;
6246
6247 /*
6248 * in short,
6249 * A = P[X];
6250 * X = X + (P[X + 1] + 2) * 4;
6251 */
6252 /* A = X */
6253 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6254 i++;
6255 /* A = P[X + packet head]; */
6256 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6257 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6258 i++;
6259 /* MEM[reg2] = A */
6260 s[i] = new_stmt(cstate, BPF_ST);
6261 s[i]->s.k = reg2;
6262 i++;
6263 /* A = X */
6264 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6265 i++;
6266 /* A += 1 */
6267 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6268 s[i]->s.k = 1;
6269 i++;
6270 /* X = A */
6271 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6272 i++;
6273 /* A = P[X + packet head] */
6274 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6275 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6276 i++;
6277 /* A += 2 */
6278 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6279 s[i]->s.k = 2;
6280 i++;
6281 /* A *= 4 */
6282 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6283 s[i]->s.k = 4;
6284 i++;
6285 /* X = A; */
6286 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6287 i++;
6288 /* A = MEM[reg2] */
6289 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6290 s[i]->s.k = reg2;
6291 i++;
6292
6293 /* goto again; (must use BPF_JA for backward jump) */
6294 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6295 s[i]->s.k = again - i - 1;
6296 i++;
6297
6298 /* end: nop */
6299 end = i;
6300 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6301 s[i]->s.k = 0;
6302 s[fix2]->s.jt = s[end];
6303 s[fix4]->s.jf = s[end];
6304 s[fix5]->s.jt = s[end];
6305 i++;
6306
6307 /*
6308 * make slist chain
6309 */
6310 max = i;
6311 for (i = 0; i < max - 1; i++)
6312 s[i]->next = s[i + 1];
6313 s[max - 1]->next = NULL;
6314
6315 /*
6316 * emit final check
6317 * Remember, s[0] is dummy.
6318 */
6319 b = gen_jmp(cstate, BPF_JEQ, v, s[1]);
6320
6321 free_reg(cstate, reg2);
6322
6323 gen_and(b0, b);
6324 return b;
6325 }
6326 #endif /* !defined(NO_PROTOCHAIN) */
6327
6328 /*
6329 * Generate code that checks whether the packet is a packet for protocol
6330 * <proto> and whether the type field in that protocol's header has
6331 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
6332 * IP packet and checks the protocol number in the IP header against <v>.
6333 *
6334 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
6335 * against Q_IP and Q_IPV6.
6336 *
6337 * This primitive is non-directional by design, so the grammar does not allow
6338 * to qualify it with a direction.
6339 */
6340 static struct block *
6341 gen_proto(compiler_state_t *cstate, bpf_u_int32 v, int proto)
6342 {
6343 struct block *b0, *b1;
6344 struct block *b2;
6345
6346 switch (proto) {
6347 case Q_DEFAULT:
6348 b0 = gen_proto(cstate, v, Q_IP);
6349 b1 = gen_proto(cstate, v, Q_IPV6);
6350 gen_or(b0, b1);
6351 return b1;
6352
6353 case Q_LINK:
6354 return gen_linktype(cstate, v);
6355
6356 case Q_IP:
6357 assert_maxval(cstate, "protocol number", v, UINT8_MAX);
6358 /*
6359 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6360 * not LLC encapsulation with LLCSAP_IP.
6361 *
6362 * For IEEE 802 networks - which includes 802.5 token ring
6363 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6364 * says that SNAP encapsulation is used, not LLC encapsulation
6365 * with LLCSAP_IP.
6366 *
6367 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6368 * RFC 2225 say that SNAP encapsulation is used, not LLC
6369 * encapsulation with LLCSAP_IP.
6370 *
6371 * So we always check for ETHERTYPE_IP.
6372 */
6373 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6374 // 0 <= v <= UINT8_MAX
6375 b1 = gen_ip_proto(cstate, (uint8_t)v);
6376 gen_and(b0, b1);
6377 return b1;
6378
6379 case Q_ARP:
6380 case Q_RARP:
6381 case Q_SCTP:
6382 case Q_TCP:
6383 case Q_UDP:
6384 case Q_ICMP:
6385 case Q_IGMP:
6386 case Q_IGRP:
6387 case Q_ATALK:
6388 case Q_DECNET:
6389 case Q_LAT:
6390 case Q_SCA:
6391 case Q_MOPRC:
6392 case Q_MOPDL:
6393 break; // invalid qualifier
6394
6395 case Q_IPV6:
6396 assert_maxval(cstate, "protocol number", v, UINT8_MAX);
6397 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6398 /*
6399 * Also check for a fragment header before the final
6400 * header.
6401 */
6402 b2 = gen_ip6_proto(cstate, IPPROTO_FRAGMENT);
6403 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, v);
6404 gen_and(b2, b1);
6405 // 0 <= v <= UINT8_MAX
6406 b2 = gen_ip6_proto(cstate, (uint8_t)v);
6407 gen_or(b2, b1);
6408 gen_and(b0, b1);
6409 return b1;
6410
6411 case Q_ICMPV6:
6412 case Q_AH:
6413 case Q_ESP:
6414 case Q_PIM:
6415 case Q_VRRP:
6416 case Q_AARP:
6417 break; // invalid qualifier
6418
6419 case Q_ISO:
6420 assert_maxval(cstate, "ISO protocol", v, UINT8_MAX);
6421 switch (cstate->linktype) {
6422
6423 case DLT_FRELAY:
6424 /*
6425 * Frame Relay packets typically have an OSI
6426 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6427 * generates code to check for all the OSI
6428 * NLPIDs, so calling it and then adding a check
6429 * for the particular NLPID for which we're
6430 * looking is bogus, as we can just check for
6431 * the NLPID.
6432 *
6433 * What we check for is the NLPID and a frame
6434 * control field value of UI, i.e. 0x03 followed
6435 * by the NLPID.
6436 *
6437 * XXX - assumes a 2-byte Frame Relay header with
6438 * DLCI and flags. What if the address is longer?
6439 *
6440 * XXX - what about SNAP-encapsulated frames?
6441 */
6442 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6443 /*NOTREACHED*/
6444
6445 case DLT_C_HDLC:
6446 case DLT_HDLC:
6447 /*
6448 * Cisco uses an Ethertype lookalike - for OSI,
6449 * it's 0xfefe.
6450 */
6451 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6452 /* OSI in C-HDLC is stuffed with a fudge byte */
6453 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, v);
6454 gen_and(b0, b1);
6455 return b1;
6456
6457 default:
6458 b0 = gen_linktype(cstate, LLCSAP_ISONS);
6459 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, v);
6460 gen_and(b0, b1);
6461 return b1;
6462 }
6463
6464 case Q_ESIS:
6465 break; // invalid qualifier
6466
6467 case Q_ISIS:
6468 assert_maxval(cstate, "IS-IS PDU type", v, ISIS_PDU_TYPE_MAX);
6469 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO);
6470 /*
6471 * 4 is the offset of the PDU type relative to the IS-IS
6472 * header.
6473 * Except when it is not, see above.
6474 */
6475 unsigned pdu_type_offset;
6476 switch (cstate->linktype) {
6477 case DLT_C_HDLC:
6478 case DLT_HDLC:
6479 pdu_type_offset = 5;
6480 break;
6481 default:
6482 pdu_type_offset = 4;
6483 }
6484 b1 = gen_mcmp(cstate, OR_LINKPL_NOSNAP, pdu_type_offset, BPF_B,
6485 v, ISIS_PDU_TYPE_MAX);
6486 gen_and(b0, b1);
6487 return b1;
6488
6489 case Q_CLNP:
6490 case Q_STP:
6491 case Q_IPX:
6492 case Q_NETBEUI:
6493 case Q_ISIS_L1:
6494 case Q_ISIS_L2:
6495 case Q_ISIS_IIH:
6496 case Q_ISIS_SNP:
6497 case Q_ISIS_CSNP:
6498 case Q_ISIS_PSNP:
6499 case Q_ISIS_LSP:
6500 case Q_RADIO:
6501 case Q_CARP:
6502 break; // invalid qualifier
6503
6504 default:
6505 abort();
6506 /*NOTREACHED*/
6507 }
6508 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), "proto");
6509 /*NOTREACHED*/
6510 }
6511
6512 /*
6513 * Convert a non-numeric name to a port number.
6514 */
6515 static int
6516 nametoport(compiler_state_t *cstate, const char *name, int ipproto)
6517 {
6518 struct addrinfo hints, *res, *ai;
6519 int error;
6520 struct sockaddr_in *in4;
6521 #ifdef INET6
6522 struct sockaddr_in6 *in6;
6523 #endif
6524 int port = -1;
6525
6526 /*
6527 * We check for both TCP and UDP in case there are
6528 * ambiguous entries.
6529 */
6530 memset(&hints, 0, sizeof(hints));
6531 hints.ai_family = PF_UNSPEC;
6532 hints.ai_socktype = (ipproto == IPPROTO_TCP) ? SOCK_STREAM : SOCK_DGRAM;
6533 hints.ai_protocol = ipproto;
6534 error = getaddrinfo(NULL, name, &hints, &res);
6535 if (error != 0) {
6536 switch (error) {
6537
6538 case EAI_NONAME:
6539 case EAI_SERVICE:
6540 /*
6541 * No such port. Just return -1.
6542 */
6543 break;
6544
6545 #ifdef EAI_SYSTEM
6546 case EAI_SYSTEM:
6547 /*
6548 * We don't use strerror() because it's not
6549 * guaranteed to be thread-safe on all platforms
6550 * (probably because it might use a non-thread-local
6551 * buffer into which to format an error message
6552 * if the error code isn't one for which it has
6553 * a canned string; three cheers for C string
6554 * handling).
6555 */
6556 bpf_set_error(cstate, "getaddrinfo(\"%s\" fails with system error: %d",
6557 name, errno);
6558 port = -2; /* a real error */
6559 break;
6560 #endif
6561
6562 default:
6563 /*
6564 * This is a real error, not just "there's
6565 * no such service name".
6566 *
6567 * We don't use gai_strerror() because it's not
6568 * guaranteed to be thread-safe on all platforms
6569 * (probably because it might use a non-thread-local
6570 * buffer into which to format an error message
6571 * if the error code isn't one for which it has
6572 * a canned string; three cheers for C string
6573 * handling).
6574 */
6575 bpf_set_error(cstate, "getaddrinfo(\"%s\") fails with error: %d",
6576 name, error);
6577 port = -2; /* a real error */
6578 break;
6579 }
6580 } else {
6581 /*
6582 * OK, we found it. Did it find anything?
6583 */
6584 for (ai = res; ai != NULL; ai = ai->ai_next) {
6585 /*
6586 * Does it have an address?
6587 */
6588 if (ai->ai_addr != NULL) {
6589 /*
6590 * Yes. Get a port number; we're done.
6591 */
6592 if (ai->ai_addr->sa_family == AF_INET) {
6593 in4 = (struct sockaddr_in *)ai->ai_addr;
6594 port = ntohs(in4->sin_port);
6595 break;
6596 }
6597 #ifdef INET6
6598 if (ai->ai_addr->sa_family == AF_INET6) {
6599 in6 = (struct sockaddr_in6 *)ai->ai_addr;
6600 port = ntohs(in6->sin6_port);
6601 break;
6602 }
6603 #endif
6604 }
6605 }
6606 freeaddrinfo(res);
6607 }
6608 return port;
6609 }
6610
6611 /*
6612 * Convert a string to a port number.
6613 */
6614 static bpf_u_int32
6615 stringtoport(compiler_state_t *cstate, const char *string, size_t string_size,
6616 int *proto)
6617 {
6618 stoulen_ret ret;
6619 char *cpy;
6620 bpf_u_int32 val;
6621 int tcp_port = -1;
6622 int udp_port = -1;
6623
6624 /*
6625 * See if it's a number.
6626 */
6627 ret = stoulen(string, string_size, &val, cstate);
6628 switch (ret) {
6629
6630 case STOULEN_OK:
6631 /* Unknown port type - it's just a number. */
6632 *proto = PROTO_UNDEF;
6633 break;
6634
6635 case STOULEN_NOT_OCTAL_NUMBER:
6636 case STOULEN_NOT_HEX_NUMBER:
6637 case STOULEN_NOT_DECIMAL_NUMBER:
6638 /*
6639 * Not a valid number; try looking it up as a port.
6640 */
6641 cpy = malloc(string_size + 1); /* +1 for terminating '\0' */
6642 memcpy(cpy, string, string_size);
6643 cpy[string_size] = '\0';
6644 tcp_port = nametoport(cstate, cpy, IPPROTO_TCP);
6645 if (tcp_port == -2) {
6646 /*
6647 * We got a hard error; the error string has
6648 * already been set.
6649 */
6650 free(cpy);
6651 longjmp(cstate->top_ctx, 1);
6652 /*NOTREACHED*/
6653 }
6654 udp_port = nametoport(cstate, cpy, IPPROTO_UDP);
6655 if (udp_port == -2) {
6656 /*
6657 * We got a hard error; the error string has
6658 * already been set.
6659 */
6660 free(cpy);
6661 longjmp(cstate->top_ctx, 1);
6662 /*NOTREACHED*/
6663 }
6664
6665 /*
6666 * We need to check /etc/services for ambiguous entries.
6667 * If we find an ambiguous entry, and it has the
6668 * same port number, change the proto to PROTO_UNDEF
6669 * so both TCP and UDP will be checked.
6670 */
6671 if (tcp_port >= 0) {
6672 val = (bpf_u_int32)tcp_port;
6673 *proto = IPPROTO_TCP;
6674 if (udp_port >= 0) {
6675 if (udp_port == tcp_port)
6676 *proto = PROTO_UNDEF;
6677 #ifdef notdef
6678 else
6679 /* Can't handle ambiguous names that refer
6680 to different port numbers. */
6681 warning("ambiguous port %s in /etc/services",
6682 cpy);
6683 #endif
6684 }
6685 free(cpy);
6686 break;
6687 }
6688 if (udp_port >= 0) {
6689 val = (bpf_u_int32)udp_port;
6690 *proto = IPPROTO_UDP;
6691 free(cpy);
6692 break;
6693 }
6694 bpf_set_error(cstate, "'%s' is not a valid port", cpy);
6695 free(cpy);
6696 longjmp(cstate->top_ctx, 1);
6697 /*NOTREACHED*/
6698 #ifdef _AIX
6699 PCAP_UNREACHABLE
6700 #endif /* _AIX */
6701
6702 case STOULEN_ERROR:
6703 /* Error already set. */
6704 longjmp(cstate->top_ctx, 1);
6705 /*NOTREACHED*/
6706 #ifdef _AIX
6707 PCAP_UNREACHABLE
6708 #endif /* _AIX */
6709
6710 default:
6711 /* Should not happen */
6712 bpf_set_error(cstate, "stoulen returned %d - this should not happen", ret);
6713 longjmp(cstate->top_ctx, 1);
6714 /*NOTREACHED*/
6715 }
6716 return (val);
6717 }
6718
6719 /*
6720 * Convert a string in the form PPP-PPP, which correspond to ports, to
6721 * a starting and ending port in a port range.
6722 */
6723 static void
6724 stringtoportrange(compiler_state_t *cstate, const char *string,
6725 bpf_u_int32 *port1, bpf_u_int32 *port2, int *proto)
6726 {
6727 char *hyphen_off;
6728 const char *first, *second;
6729 size_t first_size, second_size;
6730 int save_proto;
6731
6732 if ((hyphen_off = strchr(string, '-')) == NULL)
6733 bpf_error(cstate, "port range '%s' contains no hyphen", string);
6734
6735 /*
6736 * Make sure there are no other hyphens.
6737 *
6738 * XXX - we support named ports, but there are some port names
6739 * in /etc/services that include hyphens, so this would rule
6740 * that out.
6741 */
6742 if (strchr(hyphen_off + 1, '-') != NULL)
6743 bpf_error(cstate, "port range '%s' contains more than one hyphen",
6744 string);
6745
6746 /*
6747 * Get the length of the first port.
6748 */
6749 first = string;
6750 first_size = hyphen_off - string;
6751 if (first_size == 0) {
6752 /* Range of "-port", which we don't support. */
6753 bpf_error(cstate, "port range '%s' has no starting port", string);
6754 }
6755
6756 /*
6757 * Try to convert it to a port.
6758 */
6759 *port1 = stringtoport(cstate, first, first_size, proto);
6760 save_proto = *proto;
6761
6762 /*
6763 * Get the length of the second port.
6764 */
6765 second = hyphen_off + 1;
6766 second_size = strlen(second);
6767 if (second_size == 0) {
6768 /* Range of "port-", which we don't support. */
6769 bpf_error(cstate, "port range '%s' has no ending port", string);
6770 }
6771
6772 /*
6773 * Try to convert it to a port.
6774 */
6775 *port2 = stringtoport(cstate, second, second_size, proto);
6776 if (*proto != save_proto)
6777 *proto = PROTO_UNDEF;
6778 }
6779
6780 struct block *
6781 gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
6782 {
6783 int proto = q.proto;
6784 int dir = q.dir;
6785 int tproto;
6786 u_char *eaddr;
6787 bpf_u_int32 mask, addr;
6788 struct addrinfo *res, *res0;
6789 struct sockaddr_in *sin4;
6790 #ifdef INET6
6791 int tproto6;
6792 struct sockaddr_in6 *sin6;
6793 struct in6_addr mask128;
6794 #endif /*INET6*/
6795 struct block *b, *tmp;
6796 int port, real_proto;
6797 bpf_u_int32 port1, port2;
6798
6799 /*
6800 * Catch errors reported by us and routines below us, and return NULL
6801 * on an error.
6802 */
6803 if (setjmp(cstate->top_ctx))
6804 return (NULL);
6805
6806 switch (q.addr) {
6807
6808 case Q_NET:
6809 addr = pcap_nametonetaddr(name);
6810 if (addr == 0)
6811 bpf_error(cstate, "unknown network '%s'", name);
6812 /* Left justify network addr and calculate its network mask */
6813 mask = 0xffffffff;
6814 while (addr && (addr & 0xff000000) == 0) {
6815 addr <<= 8;
6816 mask <<= 8;
6817 }
6818 return gen_host(cstate, addr, mask, proto, dir, q.addr);
6819
6820 case Q_DEFAULT:
6821 case Q_HOST:
6822 if (proto == Q_LINK) {
6823 switch (cstate->linktype) {
6824
6825 case DLT_EN10MB:
6826 case DLT_NETANALYZER:
6827 case DLT_NETANALYZER_TRANSPARENT:
6828 eaddr = pcap_ether_hostton(name);
6829 if (eaddr == NULL)
6830 bpf_error(cstate,
6831 "unknown ether host '%s'", name);
6832 tmp = gen_prevlinkhdr_check(cstate);
6833 b = gen_ehostop(cstate, eaddr, dir);
6834 if (tmp != NULL)
6835 gen_and(tmp, b);
6836 free(eaddr);
6837 return b;
6838
6839 case DLT_FDDI:
6840 eaddr = pcap_ether_hostton(name);
6841 if (eaddr == NULL)
6842 bpf_error(cstate,
6843 "unknown FDDI host '%s'", name);
6844 b = gen_fhostop(cstate, eaddr, dir);
6845 free(eaddr);
6846 return b;
6847
6848 case DLT_IEEE802:
6849 eaddr = pcap_ether_hostton(name);
6850 if (eaddr == NULL)
6851 bpf_error(cstate,
6852 "unknown token ring host '%s'", name);
6853 b = gen_thostop(cstate, eaddr, dir);
6854 free(eaddr);
6855 return b;
6856
6857 case DLT_IEEE802_11:
6858 case DLT_PRISM_HEADER:
6859 case DLT_IEEE802_11_RADIO_AVS:
6860 case DLT_IEEE802_11_RADIO:
6861 case DLT_PPI:
6862 eaddr = pcap_ether_hostton(name);
6863 if (eaddr == NULL)
6864 bpf_error(cstate,
6865 "unknown 802.11 host '%s'", name);
6866 b = gen_wlanhostop(cstate, eaddr, dir);
6867 free(eaddr);
6868 return b;
6869
6870 case DLT_IP_OVER_FC:
6871 eaddr = pcap_ether_hostton(name);
6872 if (eaddr == NULL)
6873 bpf_error(cstate,
6874 "unknown Fibre Channel host '%s'", name);
6875 b = gen_ipfchostop(cstate, eaddr, dir);
6876 free(eaddr);
6877 return b;
6878 }
6879
6880 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6881 } else if (proto == Q_DECNET) {
6882 /*
6883 * A long time ago on Ultrix libpcap supported
6884 * translation of DECnet host names into DECnet
6885 * addresses, but this feature is history now.
6886 */
6887 bpf_error(cstate, "invalid DECnet address '%s'", name);
6888 } else {
6889 #ifdef INET6
6890 memset(&mask128, 0xff, sizeof(mask128));
6891 #endif
6892 res0 = res = pcap_nametoaddrinfo(name);
6893 if (res == NULL)
6894 bpf_error(cstate, "unknown host '%s'", name);
6895 cstate->ai = res;
6896 b = tmp = NULL;
6897 tproto = proto;
6898 #ifdef INET6
6899 tproto6 = proto;
6900 #endif
6901 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
6902 tproto == Q_DEFAULT) {
6903 tproto = Q_IP;
6904 #ifdef INET6
6905 tproto6 = Q_IPV6;
6906 #endif
6907 }
6908 for (res = res0; res; res = res->ai_next) {
6909 switch (res->ai_family) {
6910 case AF_INET:
6911 #ifdef INET6
6912 if (tproto == Q_IPV6)
6913 continue;
6914 #endif
6915
6916 sin4 = (struct sockaddr_in *)
6917 res->ai_addr;
6918 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
6919 0xffffffff, tproto, dir, q.addr);
6920 break;
6921 #ifdef INET6
6922 case AF_INET6:
6923 if (tproto6 == Q_IP)
6924 continue;
6925
6926 sin6 = (struct sockaddr_in6 *)
6927 res->ai_addr;
6928 tmp = gen_host6(cstate, &sin6->sin6_addr,
6929 &mask128, tproto6, dir, q.addr);
6930 break;
6931 #endif
6932 default:
6933 continue;
6934 }
6935 if (b)
6936 gen_or(b, tmp);
6937 b = tmp;
6938 }
6939 cstate->ai = NULL;
6940 freeaddrinfo(res0);
6941 if (b == NULL) {
6942 bpf_error(cstate, "unknown host '%s'%s", name,
6943 (proto == Q_DEFAULT)
6944 ? ""
6945 : " for specified address family");
6946 }
6947 return b;
6948 }
6949
6950 case Q_PORT:
6951 (void)port_pq_to_ipproto(cstate, proto, "port"); // validate only
6952 if (pcap_nametoport(name, &port, &real_proto) == 0)
6953 bpf_error(cstate, "unknown port '%s'", name);
6954 if (proto == Q_UDP) {
6955 if (real_proto == IPPROTO_TCP)
6956 bpf_error(cstate, "port '%s' is tcp", name);
6957 else if (real_proto == IPPROTO_SCTP)
6958 bpf_error(cstate, "port '%s' is sctp", name);
6959 else
6960 /* override PROTO_UNDEF */
6961 real_proto = IPPROTO_UDP;
6962 }
6963 if (proto == Q_TCP) {
6964 if (real_proto == IPPROTO_UDP)
6965 bpf_error(cstate, "port '%s' is udp", name);
6966
6967 else if (real_proto == IPPROTO_SCTP)
6968 bpf_error(cstate, "port '%s' is sctp", name);
6969 else
6970 /* override PROTO_UNDEF */
6971 real_proto = IPPROTO_TCP;
6972 }
6973 if (proto == Q_SCTP) {
6974 if (real_proto == IPPROTO_UDP)
6975 bpf_error(cstate, "port '%s' is udp", name);
6976
6977 else if (real_proto == IPPROTO_TCP)
6978 bpf_error(cstate, "port '%s' is tcp", name);
6979 else
6980 /* override PROTO_UNDEF */
6981 real_proto = IPPROTO_SCTP;
6982 }
6983 if (port < 0)
6984 bpf_error(cstate, "illegal port number %d < 0", port);
6985 if (port > 65535)
6986 bpf_error(cstate, "illegal port number %d > 65535", port);
6987 // real_proto can be PROTO_UNDEF
6988 b = gen_port(cstate, (uint16_t)port, real_proto, dir);
6989 gen_or(gen_port6(cstate, (uint16_t)port, real_proto, dir), b);
6990 return b;
6991
6992 case Q_PORTRANGE:
6993 (void)port_pq_to_ipproto(cstate, proto, "portrange"); // validate only
6994 stringtoportrange(cstate, name, &port1, &port2, &real_proto);
6995 if (proto == Q_UDP) {
6996 if (real_proto == IPPROTO_TCP)
6997 bpf_error(cstate, "port in range '%s' is tcp", name);
6998 else if (real_proto == IPPROTO_SCTP)
6999 bpf_error(cstate, "port in range '%s' is sctp", name);
7000 else
7001 /* override PROTO_UNDEF */
7002 real_proto = IPPROTO_UDP;
7003 }
7004 if (proto == Q_TCP) {
7005 if (real_proto == IPPROTO_UDP)
7006 bpf_error(cstate, "port in range '%s' is udp", name);
7007 else if (real_proto == IPPROTO_SCTP)
7008 bpf_error(cstate, "port in range '%s' is sctp", name);
7009 else
7010 /* override PROTO_UNDEF */
7011 real_proto = IPPROTO_TCP;
7012 }
7013 if (proto == Q_SCTP) {
7014 if (real_proto == IPPROTO_UDP)
7015 bpf_error(cstate, "port in range '%s' is udp", name);
7016 else if (real_proto == IPPROTO_TCP)
7017 bpf_error(cstate, "port in range '%s' is tcp", name);
7018 else
7019 /* override PROTO_UNDEF */
7020 real_proto = IPPROTO_SCTP;
7021 }
7022 if (port1 > 65535)
7023 bpf_error(cstate, "illegal port number %d > 65535", port1);
7024 if (port2 > 65535)
7025 bpf_error(cstate, "illegal port number %d > 65535", port2);
7026
7027 // real_proto can be PROTO_UNDEF
7028 b = gen_portrange(cstate, (uint16_t)port1, (uint16_t)port2,
7029 real_proto, dir);
7030 gen_or(gen_portrange6(cstate, (uint16_t)port1, (uint16_t)port2,
7031 real_proto, dir), b);
7032 return b;
7033
7034 case Q_GATEWAY:
7035 #ifndef INET6
7036 eaddr = pcap_ether_hostton(name);
7037 if (eaddr == NULL)
7038 bpf_error(cstate, "unknown ether host: %s", name);
7039
7040 res = pcap_nametoaddrinfo(name);
7041 cstate->ai = res;
7042 if (res == NULL)
7043 bpf_error(cstate, "unknown host '%s'", name);
7044 b = gen_gateway(cstate, eaddr, res, proto);
7045 cstate->ai = NULL;
7046 freeaddrinfo(res);
7047 free(eaddr);
7048 if (b == NULL)
7049 bpf_error(cstate, "unknown host '%s'", name);
7050 return b;
7051 #else
7052 bpf_error(cstate, "'gateway' not supported in this configuration");
7053 #endif /*INET6*/
7054
7055 case Q_PROTO:
7056 real_proto = lookup_proto(cstate, name, proto);
7057 if (real_proto >= 0)
7058 return gen_proto(cstate, real_proto, proto);
7059 else
7060 bpf_error(cstate, "unknown protocol: %s", name);
7061
7062 #if !defined(NO_PROTOCHAIN)
7063 case Q_PROTOCHAIN:
7064 real_proto = lookup_proto(cstate, name, proto);
7065 if (real_proto >= 0)
7066 return gen_protochain(cstate, real_proto, proto);
7067 else
7068 bpf_error(cstate, "unknown protocol: %s", name);
7069 #endif /* !defined(NO_PROTOCHAIN) */
7070
7071 case Q_UNDEF:
7072 syntax(cstate);
7073 /*NOTREACHED*/
7074 }
7075 abort();
7076 /*NOTREACHED*/
7077 }
7078
7079 struct block *
7080 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
7081 bpf_u_int32 masklen, struct qual q)
7082 {
7083 register int nlen, mlen;
7084 bpf_u_int32 n, m;
7085 uint64_t m64;
7086
7087 /*
7088 * Catch errors reported by us and routines below us, and return NULL
7089 * on an error.
7090 */
7091 if (setjmp(cstate->top_ctx))
7092 return (NULL);
7093
7094 nlen = pcapint_atoin(s1, &n);
7095 if (nlen < 0)
7096 bpf_error(cstate, "invalid IPv4 address '%s'", s1);
7097 /* Promote short ipaddr */
7098 n <<= 32 - nlen;
7099
7100 if (s2 != NULL) {
7101 mlen = pcapint_atoin(s2, &m);
7102 if (mlen < 0)
7103 bpf_error(cstate, "invalid IPv4 address '%s'", s2);
7104 /* Promote short ipaddr */
7105 m <<= 32 - mlen;
7106 if ((n & ~m) != 0)
7107 bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
7108 s1, s2);
7109 } else {
7110 /* Convert mask len to mask */
7111 if (masklen > 32)
7112 bpf_error(cstate, "mask length must be <= 32");
7113 m64 = UINT64_C(0xffffffff) << (32 - masklen);
7114 m = (bpf_u_int32)m64;
7115 if ((n & ~m) != 0)
7116 bpf_error(cstate, "non-network bits set in \"%s/%d\"",
7117 s1, masklen);
7118 }
7119
7120 switch (q.addr) {
7121
7122 case Q_NET:
7123 return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
7124
7125 default:
7126 // Q_HOST and Q_GATEWAY only (see the grammar)
7127 bpf_error(cstate, "Mask syntax for networks only");
7128 /*NOTREACHED*/
7129 }
7130 /*NOTREACHED*/
7131 }
7132
7133 struct block *
7134 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
7135 {
7136 bpf_u_int32 mask;
7137 int proto;
7138 int dir;
7139 register int vlen;
7140
7141 /*
7142 * Catch errors reported by us and routines below us, and return NULL
7143 * on an error.
7144 */
7145 if (setjmp(cstate->top_ctx))
7146 return (NULL);
7147
7148 proto = q.proto;
7149 dir = q.dir;
7150 if (s == NULL) {
7151 /*
7152 * v contains a 32-bit unsigned parsed from a string of the
7153 * form {N}, which could be decimal, hexadecimal or octal.
7154 * Although it would be possible to use the value as a raw
7155 * 16-bit DECnet address when the value fits into 16 bits, this
7156 * would be a questionable feature: DECnet address wire
7157 * encoding is little-endian, so this would not work as
7158 * intuitively as the same works for [big-endian] IPv4
7159 * addresses (0x01020304 means 1.2.3.4).
7160 */
7161 if (proto == Q_DECNET)
7162 bpf_error(cstate, "invalid DECnet address '%u'", v);
7163 vlen = 32;
7164 } else if (proto == Q_DECNET) {
7165 /*
7166 * s points to a string of the form {N}.{N}, {N}.{N}.{N} or
7167 * {N}.{N}.{N}.{N}, of which only the first potentially stands
7168 * for a valid DECnet address.
7169 */
7170 vlen = pcapint_atodn(s, &v);
7171 if (vlen == 0)
7172 bpf_error(cstate, "invalid DECnet address '%s'", s);
7173 } else {
7174 /*
7175 * s points to a string of the form {N}.{N}, {N}.{N}.{N} or
7176 * {N}.{N}.{N}.{N}, all of which potentially stand for a valid
7177 * IPv4 address.
7178 */
7179 vlen = pcapint_atoin(s, &v);
7180 if (vlen < 0)
7181 bpf_error(cstate, "invalid IPv4 address '%s'", s);
7182 }
7183
7184 switch (q.addr) {
7185
7186 case Q_DEFAULT:
7187 case Q_HOST:
7188 case Q_NET:
7189 if (proto == Q_DECNET)
7190 return gen_host(cstate, v, 0, proto, dir, q.addr);
7191 else if (proto == Q_LINK) {
7192 // "link (host|net) IPV4ADDR" and variations thereof
7193 bpf_error(cstate, "illegal link layer address");
7194 } else {
7195 mask = 0xffffffff;
7196 if (s == NULL && q.addr == Q_NET) {
7197 /* Promote short net number */
7198 while (v && (v & 0xff000000) == 0) {
7199 v <<= 8;
7200 mask <<= 8;
7201 }
7202 } else {
7203 /* Promote short ipaddr */
7204 v <<= 32 - vlen;
7205 mask <<= 32 - vlen ;
7206 }
7207 return gen_host(cstate, v, mask, proto, dir, q.addr);
7208 }
7209
7210 case Q_PORT:
7211 proto = port_pq_to_ipproto(cstate, proto, "port");
7212
7213 if (v > 65535)
7214 bpf_error(cstate, "illegal port number %u > 65535", v);
7215
7216 // proto can be PROTO_UNDEF
7217 {
7218 struct block *b;
7219 b = gen_port(cstate, (uint16_t)v, proto, dir);
7220 gen_or(gen_port6(cstate, (uint16_t)v, proto, dir), b);
7221 return b;
7222 }
7223
7224 case Q_PORTRANGE:
7225 proto = port_pq_to_ipproto(cstate, proto, "portrange");
7226
7227 if (v > 65535)
7228 bpf_error(cstate, "illegal port number %u > 65535", v);
7229
7230 // proto can be PROTO_UNDEF
7231 {
7232 struct block *b;
7233 b = gen_portrange(cstate, (uint16_t)v, (uint16_t)v,
7234 proto, dir);
7235 gen_or(gen_portrange6(cstate, (uint16_t)v, (uint16_t)v,
7236 proto, dir), b);
7237 return b;
7238 }
7239
7240 case Q_GATEWAY:
7241 bpf_error(cstate, "'gateway' requires a name");
7242 /*NOTREACHED*/
7243
7244 case Q_PROTO:
7245 return gen_proto(cstate, v, proto);
7246
7247 #if !defined(NO_PROTOCHAIN)
7248 case Q_PROTOCHAIN:
7249 return gen_protochain(cstate, v, proto);
7250 #endif
7251
7252 case Q_UNDEF:
7253 syntax(cstate);
7254 /*NOTREACHED*/
7255
7256 default:
7257 abort();
7258 /*NOTREACHED*/
7259 }
7260 /*NOTREACHED*/
7261 }
7262
7263 #ifdef INET6
7264 struct block *
7265 gen_mcode6(compiler_state_t *cstate, const char *s, bpf_u_int32 masklen,
7266 struct qual q)
7267 {
7268 struct addrinfo *res;
7269 struct in6_addr *addr;
7270 struct in6_addr mask;
7271 struct block *b;
7272 bpf_u_int32 a[4], m[4]; /* Same as in gen_hostop6(). */
7273
7274 /*
7275 * Catch errors reported by us and routines below us, and return NULL
7276 * on an error.
7277 */
7278 if (setjmp(cstate->top_ctx))
7279 return (NULL);
7280
7281 res = pcap_nametoaddrinfo(s);
7282 if (!res)
7283 bpf_error(cstate, "invalid ip6 address %s", s);
7284 cstate->ai = res;
7285 if (res->ai_next)
7286 bpf_error(cstate, "%s resolved to multiple address", s);
7287 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
7288
7289 if (masklen > sizeof(mask.s6_addr) * 8)
7290 bpf_error(cstate, "mask length must be <= %zu", sizeof(mask.s6_addr) * 8);
7291 memset(&mask, 0, sizeof(mask));
7292 memset(&mask.s6_addr, 0xff, masklen / 8);
7293 if (masklen % 8) {
7294 mask.s6_addr[masklen / 8] =
7295 (0xff << (8 - masklen % 8)) & 0xff;
7296 }
7297
7298 memcpy(a, addr, sizeof(a));
7299 memcpy(m, &mask, sizeof(m));
7300 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
7301 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
7302 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s, masklen);
7303 }
7304
7305 switch (q.addr) {
7306
7307 case Q_DEFAULT:
7308 case Q_HOST:
7309 if (masklen != 128)
7310 bpf_error(cstate, "Mask syntax for networks only");
7311 /* FALLTHROUGH */
7312
7313 case Q_NET:
7314 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr);
7315 cstate->ai = NULL;
7316 freeaddrinfo(res);
7317 return b;
7318
7319 default:
7320 // Q_GATEWAY only (see the grammar)
7321 bpf_error(cstate, "invalid qualifier against IPv6 address");
7322 /*NOTREACHED*/
7323 }
7324 }
7325 #endif /*INET6*/
7326
7327 struct block *
7328 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q)
7329 {
7330 struct block *b, *tmp;
7331
7332 /*
7333 * Catch errors reported by us and routines below us, and return NULL
7334 * on an error.
7335 */
7336 if (setjmp(cstate->top_ctx))
7337 return (NULL);
7338
7339 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
7340 cstate->e = pcap_ether_aton(s);
7341 if (cstate->e == NULL)
7342 bpf_error(cstate, "malloc");
7343 switch (cstate->linktype) {
7344 case DLT_EN10MB:
7345 case DLT_NETANALYZER:
7346 case DLT_NETANALYZER_TRANSPARENT:
7347 tmp = gen_prevlinkhdr_check(cstate);
7348 b = gen_ehostop(cstate, cstate->e, (int)q.dir);
7349 if (tmp != NULL)
7350 gen_and(tmp, b);
7351 break;
7352 case DLT_FDDI:
7353 b = gen_fhostop(cstate, cstate->e, (int)q.dir);
7354 break;
7355 case DLT_IEEE802:
7356 b = gen_thostop(cstate, cstate->e, (int)q.dir);
7357 break;
7358 case DLT_IEEE802_11:
7359 case DLT_PRISM_HEADER:
7360 case DLT_IEEE802_11_RADIO_AVS:
7361 case DLT_IEEE802_11_RADIO:
7362 case DLT_PPI:
7363 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir);
7364 break;
7365 case DLT_IP_OVER_FC:
7366 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir);
7367 break;
7368 default:
7369 free(cstate->e);
7370 cstate->e = NULL;
7371 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
7372 /*NOTREACHED*/
7373 }
7374 free(cstate->e);
7375 cstate->e = NULL;
7376 return (b);
7377 }
7378 bpf_error(cstate, "ethernet address used in non-ether expression");
7379 /*NOTREACHED*/
7380 }
7381
7382 void
7383 sappend(struct slist *s0, struct slist *s1)
7384 {
7385 /*
7386 * This is definitely not the best way to do this, but the
7387 * lists will rarely get long.
7388 */
7389 while (s0->next)
7390 s0 = s0->next;
7391 s0->next = s1;
7392 }
7393
7394 static struct slist *
7395 xfer_to_x(compiler_state_t *cstate, struct arth *a)
7396 {
7397 struct slist *s;
7398
7399 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
7400 s->s.k = a->regno;
7401 return s;
7402 }
7403
7404 static struct slist *
7405 xfer_to_a(compiler_state_t *cstate, struct arth *a)
7406 {
7407 struct slist *s;
7408
7409 s = new_stmt(cstate, BPF_LD|BPF_MEM);
7410 s->s.k = a->regno;
7411 return s;
7412 }
7413
7414 /*
7415 * Modify "index" to use the value stored into its register as an
7416 * offset relative to the beginning of the header for the protocol
7417 * "proto", and allocate a register and put an item "size" bytes long
7418 * (1, 2, or 4) at that offset into that register, making it the register
7419 * for "index".
7420 */
7421 static struct arth *
7422 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst,
7423 bpf_u_int32 size)
7424 {
7425 int size_code;
7426 struct slist *s, *tmp;
7427 struct block *b;
7428 int regno = alloc_reg(cstate);
7429
7430 free_reg(cstate, inst->regno);
7431 switch (size) {
7432
7433 default:
7434 bpf_error(cstate, "data size must be 1, 2, or 4");
7435 /*NOTREACHED*/
7436
7437 case 1:
7438 size_code = BPF_B;
7439 break;
7440
7441 case 2:
7442 size_code = BPF_H;
7443 break;
7444
7445 case 4:
7446 size_code = BPF_W;
7447 break;
7448 }
7449 switch (proto) {
7450 default:
7451 bpf_error(cstate, "'%s' does not support the index operation", pqkw(proto));
7452
7453 case Q_RADIO:
7454 /*
7455 * The offset is relative to the beginning of the packet
7456 * data, if we have a radio header. (If we don't, this
7457 * is an error.)
7458 */
7459 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS &&
7460 cstate->linktype != DLT_IEEE802_11_RADIO &&
7461 cstate->linktype != DLT_PRISM_HEADER)
7462 bpf_error(cstate, "radio information not present in capture");
7463
7464 /*
7465 * Load into the X register the offset computed into the
7466 * register specified by "index".
7467 */
7468 s = xfer_to_x(cstate, inst);
7469
7470 /*
7471 * Load the item at that offset.
7472 */
7473 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7474 sappend(s, tmp);
7475 sappend(inst->s, s);
7476 break;
7477
7478 case Q_LINK:
7479 /*
7480 * The offset is relative to the beginning of
7481 * the link-layer header.
7482 *
7483 * XXX - what about ATM LANE? Should the index be
7484 * relative to the beginning of the AAL5 frame, so
7485 * that 0 refers to the beginning of the LE Control
7486 * field, or relative to the beginning of the LAN
7487 * frame, so that 0 refers, for Ethernet LANE, to
7488 * the beginning of the destination address?
7489 */
7490 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr);
7491
7492 /*
7493 * If "s" is non-null, it has code to arrange that the
7494 * X register contains the length of the prefix preceding
7495 * the link-layer header. Add to it the offset computed
7496 * into the register specified by "index", and move that
7497 * into the X register. Otherwise, just load into the X
7498 * register the offset computed into the register specified
7499 * by "index".
7500 */
7501 if (s != NULL) {
7502 sappend(s, xfer_to_a(cstate, inst));
7503 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7504 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7505 } else
7506 s = xfer_to_x(cstate, inst);
7507
7508 /*
7509 * Load the item at the sum of the offset we've put in the
7510 * X register and the offset of the start of the link
7511 * layer header (which is 0 if the radio header is
7512 * variable-length; that header length is what we put
7513 * into the X register and then added to the index).
7514 */
7515 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7516 tmp->s.k = cstate->off_linkhdr.constant_part;
7517 sappend(s, tmp);
7518 sappend(inst->s, s);
7519 break;
7520
7521 case Q_IP:
7522 case Q_ARP:
7523 case Q_RARP:
7524 case Q_ATALK:
7525 case Q_DECNET:
7526 case Q_SCA:
7527 case Q_LAT:
7528 case Q_MOPRC:
7529 case Q_MOPDL:
7530 case Q_IPV6:
7531 /*
7532 * The offset is relative to the beginning of
7533 * the network-layer header.
7534 * XXX - are there any cases where we want
7535 * cstate->off_nl_nosnap?
7536 */
7537 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7538
7539 /*
7540 * If "s" is non-null, it has code to arrange that the
7541 * X register contains the variable part of the offset
7542 * of the link-layer payload. Add to it the offset
7543 * computed into the register specified by "index",
7544 * and move that into the X register. Otherwise, just
7545 * load into the X register the offset computed into
7546 * the register specified by "index".
7547 */
7548 if (s != NULL) {
7549 sappend(s, xfer_to_a(cstate, inst));
7550 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7551 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7552 } else
7553 s = xfer_to_x(cstate, inst);
7554
7555 /*
7556 * Load the item at the sum of the offset we've put in the
7557 * X register, the offset of the start of the network
7558 * layer header from the beginning of the link-layer
7559 * payload, and the constant part of the offset of the
7560 * start of the link-layer payload.
7561 */
7562 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7563 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7564 sappend(s, tmp);
7565 sappend(inst->s, s);
7566
7567 /*
7568 * Do the computation only if the packet contains
7569 * the protocol in question.
7570 */
7571 b = gen_proto_abbrev_internal(cstate, proto);
7572 if (inst->b)
7573 gen_and(inst->b, b);
7574 inst->b = b;
7575 break;
7576
7577 case Q_SCTP:
7578 case Q_TCP:
7579 case Q_UDP:
7580 case Q_ICMP:
7581 case Q_IGMP:
7582 case Q_IGRP:
7583 case Q_PIM:
7584 case Q_VRRP:
7585 case Q_CARP:
7586 /*
7587 * The offset is relative to the beginning of
7588 * the transport-layer header.
7589 *
7590 * Load the X register with the length of the IPv4 header
7591 * (plus the offset of the link-layer header, if it's
7592 * a variable-length header), in bytes.
7593 *
7594 * XXX - are there any cases where we want
7595 * cstate->off_nl_nosnap?
7596 * XXX - we should, if we're built with
7597 * IPv6 support, generate code to load either
7598 * IPv4, IPv6, or both, as appropriate.
7599 */
7600 s = gen_loadx_iphdrlen(cstate);
7601
7602 /*
7603 * The X register now contains the sum of the variable
7604 * part of the offset of the link-layer payload and the
7605 * length of the network-layer header.
7606 *
7607 * Load into the A register the offset relative to
7608 * the beginning of the transport layer header,
7609 * add the X register to that, move that to the
7610 * X register, and load with an offset from the
7611 * X register equal to the sum of the constant part of
7612 * the offset of the link-layer payload and the offset,
7613 * relative to the beginning of the link-layer payload,
7614 * of the network-layer header.
7615 */
7616 sappend(s, xfer_to_a(cstate, inst));
7617 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7618 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7619 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code));
7620 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7621 sappend(inst->s, s);
7622
7623 /*
7624 * Do the computation only if the packet contains
7625 * the protocol in question - which is true only
7626 * if this is an IP datagram and is the first or
7627 * only fragment of that datagram.
7628 */
7629 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate));
7630 if (inst->b)
7631 gen_and(inst->b, b);
7632 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b);
7633 inst->b = b;
7634 break;
7635 case Q_ICMPV6:
7636 /*
7637 * Do the computation only if the packet contains
7638 * the protocol in question.
7639 */
7640 b = gen_proto_abbrev_internal(cstate, Q_IPV6);
7641 if (inst->b)
7642 gen_and(inst->b, b);
7643 inst->b = b;
7644
7645 /*
7646 * Check if we have an icmp6 next header
7647 */
7648 b = gen_ip6_proto(cstate, 58);
7649 if (inst->b)
7650 gen_and(inst->b, b);
7651 inst->b = b;
7652
7653 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7654 /*
7655 * If "s" is non-null, it has code to arrange that the
7656 * X register contains the variable part of the offset
7657 * of the link-layer payload. Add to it the offset
7658 * computed into the register specified by "index",
7659 * and move that into the X register. Otherwise, just
7660 * load into the X register the offset computed into
7661 * the register specified by "index".
7662 */
7663 if (s != NULL) {
7664 sappend(s, xfer_to_a(cstate, inst));
7665 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7666 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7667 } else
7668 s = xfer_to_x(cstate, inst);
7669
7670 /*
7671 * Load the item at the sum of the offset we've put in the
7672 * X register, the offset of the start of the network
7673 * layer header from the beginning of the link-layer
7674 * payload, and the constant part of the offset of the
7675 * start of the link-layer payload.
7676 */
7677 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7678 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40;
7679
7680 sappend(s, tmp);
7681 sappend(inst->s, s);
7682
7683 break;
7684 }
7685 inst->regno = regno;
7686 s = new_stmt(cstate, BPF_ST);
7687 s->s.k = regno;
7688 sappend(inst->s, s);
7689
7690 return inst;
7691 }
7692
7693 struct arth *
7694 gen_load(compiler_state_t *cstate, int proto, struct arth *inst,
7695 bpf_u_int32 size)
7696 {
7697 /*
7698 * Catch errors reported by us and routines below us, and return NULL
7699 * on an error.
7700 */
7701 if (setjmp(cstate->top_ctx))
7702 return (NULL);
7703
7704 return gen_load_internal(cstate, proto, inst, size);
7705 }
7706
7707 static struct block *
7708 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0,
7709 struct arth *a1, int reversed)
7710 {
7711 struct slist *s0, *s1, *s2;
7712 struct block *b, *tmp;
7713
7714 s0 = xfer_to_x(cstate, a1);
7715 s1 = xfer_to_a(cstate, a0);
7716 if (code == BPF_JEQ) {
7717 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X);
7718 b = new_block(cstate, JMP(code));
7719 sappend(s1, s2);
7720 }
7721 else
7722 b = new_block(cstate, BPF_JMP|code|BPF_X);
7723 if (reversed)
7724 gen_not(b);
7725
7726 sappend(s0, s1);
7727 sappend(a1->s, s0);
7728 sappend(a0->s, a1->s);
7729
7730 b->stmts = a0->s;
7731
7732 free_reg(cstate, a0->regno);
7733 free_reg(cstate, a1->regno);
7734
7735 /* 'and' together protocol checks */
7736 if (a0->b) {
7737 if (a1->b) {
7738 gen_and(a0->b, tmp = a1->b);
7739 }
7740 else
7741 tmp = a0->b;
7742 } else
7743 tmp = a1->b;
7744
7745 if (tmp)
7746 gen_and(tmp, b);
7747
7748 return b;
7749 }
7750
7751 struct block *
7752 gen_relation(compiler_state_t *cstate, int code, struct arth *a0,
7753 struct arth *a1, int reversed)
7754 {
7755 /*
7756 * Catch errors reported by us and routines below us, and return NULL
7757 * on an error.
7758 */
7759 if (setjmp(cstate->top_ctx))
7760 return (NULL);
7761
7762 return gen_relation_internal(cstate, code, a0, a1, reversed);
7763 }
7764
7765 struct arth *
7766 gen_loadlen(compiler_state_t *cstate)
7767 {
7768 int regno;
7769 struct arth *a;
7770 struct slist *s;
7771
7772 /*
7773 * Catch errors reported by us and routines below us, and return NULL
7774 * on an error.
7775 */
7776 if (setjmp(cstate->top_ctx))
7777 return (NULL);
7778
7779 regno = alloc_reg(cstate);
7780 a = (struct arth *)newchunk(cstate, sizeof(*a));
7781 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7782 s->next = new_stmt(cstate, BPF_ST);
7783 s->next->s.k = regno;
7784 a->s = s;
7785 a->regno = regno;
7786
7787 return a;
7788 }
7789
7790 static struct arth *
7791 gen_loadi_internal(compiler_state_t *cstate, bpf_u_int32 val)
7792 {
7793 struct arth *a;
7794 struct slist *s;
7795 int reg;
7796
7797 a = (struct arth *)newchunk(cstate, sizeof(*a));
7798
7799 reg = alloc_reg(cstate);
7800
7801 s = new_stmt(cstate, BPF_LD|BPF_IMM);
7802 s->s.k = val;
7803 s->next = new_stmt(cstate, BPF_ST);
7804 s->next->s.k = reg;
7805 a->s = s;
7806 a->regno = reg;
7807
7808 return a;
7809 }
7810
7811 struct arth *
7812 gen_loadi(compiler_state_t *cstate, bpf_u_int32 val)
7813 {
7814 /*
7815 * Catch errors reported by us and routines below us, and return NULL
7816 * on an error.
7817 */
7818 if (setjmp(cstate->top_ctx))
7819 return (NULL);
7820
7821 return gen_loadi_internal(cstate, val);
7822 }
7823
7824 /*
7825 * The a_arg dance is to avoid annoying whining by compilers that
7826 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7827 * It's not *used* after setjmp returns.
7828 */
7829 struct arth *
7830 gen_neg(compiler_state_t *cstate, struct arth *a_arg)
7831 {
7832 struct arth *a = a_arg;
7833 struct slist *s;
7834
7835 /*
7836 * Catch errors reported by us and routines below us, and return NULL
7837 * on an error.
7838 */
7839 if (setjmp(cstate->top_ctx))
7840 return (NULL);
7841
7842 s = xfer_to_a(cstate, a);
7843 sappend(a->s, s);
7844 s = new_stmt(cstate, BPF_ALU|BPF_NEG);
7845 s->s.k = 0;
7846 sappend(a->s, s);
7847 s = new_stmt(cstate, BPF_ST);
7848 s->s.k = a->regno;
7849 sappend(a->s, s);
7850
7851 return a;
7852 }
7853
7854 /*
7855 * The a0_arg dance is to avoid annoying whining by compilers that
7856 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7857 * It's not *used* after setjmp returns.
7858 */
7859 struct arth *
7860 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg,
7861 struct arth *a1)
7862 {
7863 struct arth *a0 = a0_arg;
7864 struct slist *s0, *s1, *s2;
7865
7866 /*
7867 * Catch errors reported by us and routines below us, and return NULL
7868 * on an error.
7869 */
7870 if (setjmp(cstate->top_ctx))
7871 return (NULL);
7872
7873 /*
7874 * Disallow division by, or modulus by, zero; we do this here
7875 * so that it gets done even if the optimizer is disabled.
7876 *
7877 * Also disallow shifts by a value greater than 31; we do this
7878 * here, for the same reason.
7879 */
7880 if (code == BPF_DIV) {
7881 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7882 bpf_error(cstate, "division by zero");
7883 } else if (code == BPF_MOD) {
7884 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7885 bpf_error(cstate, "modulus by zero");
7886 } else if (code == BPF_LSH || code == BPF_RSH) {
7887 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k > 31)
7888 bpf_error(cstate, "shift by more than 31 bits");
7889 }
7890 s0 = xfer_to_x(cstate, a1);
7891 s1 = xfer_to_a(cstate, a0);
7892 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code);
7893
7894 sappend(s1, s2);
7895 sappend(s0, s1);
7896 sappend(a1->s, s0);
7897 sappend(a0->s, a1->s);
7898
7899 free_reg(cstate, a0->regno);
7900 free_reg(cstate, a1->regno);
7901
7902 s0 = new_stmt(cstate, BPF_ST);
7903 a0->regno = s0->s.k = alloc_reg(cstate);
7904 sappend(a0->s, s0);
7905
7906 return a0;
7907 }
7908
7909 /*
7910 * Initialize the table of used registers and the current register.
7911 */
7912 static void
7913 init_regs(compiler_state_t *cstate)
7914 {
7915 cstate->curreg = 0;
7916 memset(cstate->regused, 0, sizeof cstate->regused);
7917 }
7918
7919 /*
7920 * Return the next free register.
7921 */
7922 static int
7923 alloc_reg(compiler_state_t *cstate)
7924 {
7925 int n = BPF_MEMWORDS;
7926
7927 while (--n >= 0) {
7928 if (cstate->regused[cstate->curreg])
7929 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS;
7930 else {
7931 cstate->regused[cstate->curreg] = 1;
7932 return cstate->curreg;
7933 }
7934 }
7935 bpf_error(cstate, "too many registers needed to evaluate expression");
7936 /*NOTREACHED*/
7937 }
7938
7939 /*
7940 * Return a register to the table so it can
7941 * be used later.
7942 */
7943 static void
7944 free_reg(compiler_state_t *cstate, int n)
7945 {
7946 cstate->regused[n] = 0;
7947 }
7948
7949 static struct block *
7950 gen_len(compiler_state_t *cstate, int jmp, int n)
7951 {
7952 struct slist *s;
7953
7954 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7955 return gen_jmp(cstate, jmp, n, s);
7956 }
7957
7958 struct block *
7959 gen_greater(compiler_state_t *cstate, int n)
7960 {
7961 /*
7962 * Catch errors reported by us and routines below us, and return NULL
7963 * on an error.
7964 */
7965 if (setjmp(cstate->top_ctx))
7966 return (NULL);
7967
7968 return gen_len(cstate, BPF_JGE, n);
7969 }
7970
7971 /*
7972 * Actually, this is less than or equal.
7973 */
7974 struct block *
7975 gen_less(compiler_state_t *cstate, int n)
7976 {
7977 struct block *b;
7978
7979 /*
7980 * Catch errors reported by us and routines below us, and return NULL
7981 * on an error.
7982 */
7983 if (setjmp(cstate->top_ctx))
7984 return (NULL);
7985
7986 b = gen_len(cstate, BPF_JGT, n);
7987 gen_not(b);
7988
7989 return b;
7990 }
7991
7992 /*
7993 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7994 * the beginning of the link-layer header.
7995 * XXX - that means you can't test values in the radiotap header, but
7996 * as that header is difficult if not impossible to parse generally
7997 * without a loop, that might not be a severe problem. A new keyword
7998 * "radio" could be added for that, although what you'd really want
7999 * would be a way of testing particular radio header values, which
8000 * would generate code appropriate to the radio header in question.
8001 */
8002 struct block *
8003 gen_byteop(compiler_state_t *cstate, int op, int idx, bpf_u_int32 val)
8004 {
8005 struct block *b;
8006 struct slist *s;
8007
8008 /*
8009 * Catch errors reported by us and routines below us, and return NULL
8010 * on an error.
8011 */
8012 if (setjmp(cstate->top_ctx))
8013 return (NULL);
8014
8015 assert_maxval(cstate, "byte argument", val, UINT8_MAX);
8016
8017 switch (op) {
8018 default:
8019 abort();
8020
8021 case '=':
8022 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8023
8024 case '<':
8025 return gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8026
8027 case '>':
8028 return gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8029
8030 case '|':
8031 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K);
8032 break;
8033
8034 case '&':
8035 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
8036 break;
8037 }
8038 s->s.k = val;
8039 // Load the required byte first.
8040 struct slist *s0 = gen_load_a(cstate, OR_LINKHDR, idx, BPF_B);
8041 sappend(s0, s);
8042 b = gen_jmp(cstate, BPF_JEQ, 0, s0);
8043 gen_not(b);
8044
8045 return b;
8046 }
8047
8048 struct block *
8049 gen_broadcast(compiler_state_t *cstate, int proto)
8050 {
8051 bpf_u_int32 hostmask;
8052 struct block *b0, *b1, *b2;
8053 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
8054
8055 /*
8056 * Catch errors reported by us and routines below us, and return NULL
8057 * on an error.
8058 */
8059 if (setjmp(cstate->top_ctx))
8060 return (NULL);
8061
8062 switch (proto) {
8063
8064 case Q_DEFAULT:
8065 case Q_LINK:
8066 switch (cstate->linktype) {
8067 case DLT_ARCNET:
8068 case DLT_ARCNET_LINUX:
8069 // ARCnet broadcast is [8-bit] destination address 0.
8070 return gen_ahostop(cstate, 0, Q_DST);
8071 case DLT_EN10MB:
8072 case DLT_NETANALYZER:
8073 case DLT_NETANALYZER_TRANSPARENT:
8074 b1 = gen_prevlinkhdr_check(cstate);
8075 b0 = gen_ehostop(cstate, ebroadcast, Q_DST);
8076 if (b1 != NULL)
8077 gen_and(b1, b0);
8078 return b0;
8079 case DLT_FDDI:
8080 return gen_fhostop(cstate, ebroadcast, Q_DST);
8081 case DLT_IEEE802:
8082 return gen_thostop(cstate, ebroadcast, Q_DST);
8083 case DLT_IEEE802_11:
8084 case DLT_PRISM_HEADER:
8085 case DLT_IEEE802_11_RADIO_AVS:
8086 case DLT_IEEE802_11_RADIO:
8087 case DLT_PPI:
8088 return gen_wlanhostop(cstate, ebroadcast, Q_DST);
8089 case DLT_IP_OVER_FC:
8090 return gen_ipfchostop(cstate, ebroadcast, Q_DST);
8091 }
8092 fail_kw_on_dlt(cstate, "broadcast");
8093 /*NOTREACHED*/
8094
8095 case Q_IP:
8096 /*
8097 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
8098 * as an indication that we don't know the netmask, and fail
8099 * in that case.
8100 */
8101 if (cstate->netmask == PCAP_NETMASK_UNKNOWN)
8102 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported");
8103 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8104 hostmask = ~cstate->netmask;
8105 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 0, hostmask);
8106 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, hostmask, hostmask);
8107 gen_or(b1, b2);
8108 gen_and(b0, b2);
8109 return b2;
8110 }
8111 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), "broadcast");
8112 /*NOTREACHED*/
8113 }
8114
8115 /*
8116 * Generate code to test the low-order bit of a MAC address (that's
8117 * the bottom bit of the *first* byte).
8118 */
8119 static struct block *
8120 gen_mac_multicast(compiler_state_t *cstate, int offset)
8121 {
8122 register struct slist *s;
8123
8124 /* link[offset] & 1 != 0 */
8125 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B);
8126 return gen_set(cstate, 1, s);
8127 }
8128
8129 struct block *
8130 gen_multicast(compiler_state_t *cstate, int proto)
8131 {
8132 register struct block *b0, *b1, *b2;
8133 register struct slist *s;
8134
8135 /*
8136 * Catch errors reported by us and routines below us, and return NULL
8137 * on an error.
8138 */
8139 if (setjmp(cstate->top_ctx))
8140 return (NULL);
8141
8142 switch (proto) {
8143
8144 case Q_DEFAULT:
8145 case Q_LINK:
8146 switch (cstate->linktype) {
8147 case DLT_ARCNET:
8148 case DLT_ARCNET_LINUX:
8149 // ARCnet multicast is the same as broadcast.
8150 return gen_ahostop(cstate, 0, Q_DST);
8151 case DLT_EN10MB:
8152 case DLT_NETANALYZER:
8153 case DLT_NETANALYZER_TRANSPARENT:
8154 b1 = gen_prevlinkhdr_check(cstate);
8155 /* ether[0] & 1 != 0 */
8156 b0 = gen_mac_multicast(cstate, 0);
8157 if (b1 != NULL)
8158 gen_and(b1, b0);
8159 return b0;
8160 case DLT_FDDI:
8161 /*
8162 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
8163 *
8164 * XXX - was that referring to bit-order issues?
8165 */
8166 /* fddi[1] & 1 != 0 */
8167 return gen_mac_multicast(cstate, 1);
8168 case DLT_IEEE802:
8169 /* tr[2] & 1 != 0 */
8170 return gen_mac_multicast(cstate, 2);
8171 case DLT_IEEE802_11:
8172 case DLT_PRISM_HEADER:
8173 case DLT_IEEE802_11_RADIO_AVS:
8174 case DLT_IEEE802_11_RADIO:
8175 case DLT_PPI:
8176 /*
8177 * Oh, yuk.
8178 *
8179 * For control frames, there is no DA.
8180 *
8181 * For management frames, DA is at an
8182 * offset of 4 from the beginning of
8183 * the packet.
8184 *
8185 * For data frames, DA is at an offset
8186 * of 4 from the beginning of the packet
8187 * if To DS is clear and at an offset of
8188 * 16 from the beginning of the packet
8189 * if To DS is set.
8190 */
8191
8192 /*
8193 * Generate the tests to be done for data frames.
8194 *
8195 * First, check for To DS set, i.e. "link[1] & 0x01".
8196 */
8197 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8198 b1 = gen_set(cstate, IEEE80211_FC1_DIR_TODS, s);
8199
8200 /*
8201 * If To DS is set, the DA is at 16.
8202 */
8203 b0 = gen_mac_multicast(cstate, 16);
8204 gen_and(b1, b0);
8205
8206 /*
8207 * Now, check for To DS not set, i.e. check
8208 * "!(link[1] & 0x01)".
8209 */
8210 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8211 b2 = gen_unset(cstate, IEEE80211_FC1_DIR_TODS, s);
8212
8213 /*
8214 * If To DS is not set, the DA is at 4.
8215 */
8216 b1 = gen_mac_multicast(cstate, 4);
8217 gen_and(b2, b1);
8218
8219 /*
8220 * Now OR together the last two checks. That gives
8221 * the complete set of checks for data frames.
8222 */
8223 gen_or(b1, b0);
8224
8225 /*
8226 * Now check for a data frame.
8227 * I.e, check "link[0] & 0x08".
8228 */
8229 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8230 b1 = gen_set(cstate, IEEE80211_FC0_TYPE_DATA, s);
8231
8232 /*
8233 * AND that with the checks done for data frames.
8234 */
8235 gen_and(b1, b0);
8236
8237 /*
8238 * If the high-order bit of the type value is 0, this
8239 * is a management frame.
8240 * I.e, check "!(link[0] & 0x08)".
8241 */
8242 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8243 b2 = gen_unset(cstate, IEEE80211_FC0_TYPE_DATA, s);
8244
8245 /*
8246 * For management frames, the DA is at 4.
8247 */
8248 b1 = gen_mac_multicast(cstate, 4);
8249 gen_and(b2, b1);
8250
8251 /*
8252 * OR that with the checks done for data frames.
8253 * That gives the checks done for management and
8254 * data frames.
8255 */
8256 gen_or(b1, b0);
8257
8258 /*
8259 * If the low-order bit of the type value is 1,
8260 * this is either a control frame or a frame
8261 * with a reserved type, and thus not a
8262 * frame with an SA.
8263 *
8264 * I.e., check "!(link[0] & 0x04)".
8265 */
8266 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8267 b1 = gen_unset(cstate, IEEE80211_FC0_TYPE_CTL, s);
8268
8269 /*
8270 * AND that with the checks for data and management
8271 * frames.
8272 */
8273 gen_and(b1, b0);
8274 return b0;
8275 case DLT_IP_OVER_FC:
8276 return gen_mac_multicast(cstate, 2);
8277 default:
8278 break;
8279 }
8280 fail_kw_on_dlt(cstate, "multicast");
8281 /*NOTREACHED*/
8282
8283 case Q_IP:
8284 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8285 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, 224);
8286 gen_and(b0, b1);
8287 return b1;
8288
8289 case Q_IPV6:
8290 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
8291 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, 255);
8292 gen_and(b0, b1);
8293 return b1;
8294 }
8295 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), "multicast");
8296 /*NOTREACHED*/
8297 }
8298
8299 #ifdef __linux__
8300 /*
8301 * This is Linux; we require PF_PACKET support. If this is a *live* capture,
8302 * we can look at special meta-data in the filter expression; otherwise we
8303 * can't because it is either a savefile (rfile != NULL) or a pcap_t created
8304 * using pcap_open_dead() (rfile == NULL). Thus check for a flag that
8305 * pcap_activate() conditionally sets.
8306 */
8307 static void
8308 require_basic_bpf_extensions(compiler_state_t *cstate, const char *keyword)
8309 {
8310 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_BASIC_HANDLING)
8311 return;
8312 bpf_error(cstate, "%s not supported on %s (not a live capture)",
8313 keyword,
8314 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8315 }
8316 #endif // __linux__
8317
8318 struct block *
8319 gen_ifindex(compiler_state_t *cstate, int ifindex)
8320 {
8321 register struct block *b0;
8322
8323 /*
8324 * Catch errors reported by us and routines below us, and return NULL
8325 * on an error.
8326 */
8327 if (setjmp(cstate->top_ctx))
8328 return (NULL);
8329
8330 /*
8331 * Only some data link types support ifindex qualifiers.
8332 */
8333 switch (cstate->linktype) {
8334 case DLT_LINUX_SLL2:
8335 /* match packets on this interface */
8336 b0 = gen_cmp(cstate, OR_LINKHDR, 4, BPF_W, ifindex);
8337 break;
8338 default:
8339 #if defined(__linux__)
8340 require_basic_bpf_extensions(cstate, "ifindex");
8341 /* match ifindex */
8342 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_IFINDEX, BPF_W,
8343 ifindex);
8344 #else /* defined(__linux__) */
8345 fail_kw_on_dlt(cstate, "ifindex");
8346 /*NOTREACHED*/
8347 #endif /* defined(__linux__) */
8348 }
8349 return (b0);
8350 }
8351
8352 /*
8353 * Filter on inbound (outbound == 0) or outbound (outbound == 1) traffic.
8354 * Outbound traffic is sent by this machine, while inbound traffic is
8355 * sent by a remote machine (and may include packets destined for a
8356 * unicast or multicast link-layer address we are not subscribing to).
8357 * These are the same definitions implemented by pcap_setdirection().
8358 * Capturing only unicast traffic destined for this host is probably
8359 * better accomplished using a higher-layer filter.
8360 */
8361 struct block *
8362 gen_inbound_outbound(compiler_state_t *cstate, const int outbound)
8363 {
8364 register struct block *b0;
8365
8366 /*
8367 * Catch errors reported by us and routines below us, and return NULL
8368 * on an error.
8369 */
8370 if (setjmp(cstate->top_ctx))
8371 return (NULL);
8372
8373 /*
8374 * Only some data link types support inbound/outbound qualifiers.
8375 */
8376 switch (cstate->linktype) {
8377 case DLT_SLIP:
8378 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B,
8379 outbound ? SLIPDIR_OUT : SLIPDIR_IN);
8380 break;
8381
8382 case DLT_IPNET:
8383 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H,
8384 outbound ? IPNET_OUTBOUND : IPNET_INBOUND);
8385 break;
8386
8387 case DLT_LINUX_SLL:
8388 /* match outgoing packets */
8389 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
8390 if (! outbound) {
8391 /* to filter on inbound traffic, invert the match */
8392 gen_not(b0);
8393 }
8394 break;
8395
8396 case DLT_LINUX_SLL2:
8397 /* match outgoing packets */
8398 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING);
8399 if (! outbound) {
8400 /* to filter on inbound traffic, invert the match */
8401 gen_not(b0);
8402 }
8403 break;
8404
8405 case DLT_PFLOG:
8406 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
8407 outbound ? PF_OUT : PF_IN);
8408 break;
8409
8410 case DLT_PPP_PPPD:
8411 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, outbound ? PPP_PPPD_OUT : PPP_PPPD_IN);
8412 break;
8413
8414 case DLT_JUNIPER_MFR:
8415 case DLT_JUNIPER_MLFR:
8416 case DLT_JUNIPER_MLPPP:
8417 case DLT_JUNIPER_ATM1:
8418 case DLT_JUNIPER_ATM2:
8419 case DLT_JUNIPER_PPPOE:
8420 case DLT_JUNIPER_PPPOE_ATM:
8421 case DLT_JUNIPER_GGSN:
8422 case DLT_JUNIPER_ES:
8423 case DLT_JUNIPER_MONITOR:
8424 case DLT_JUNIPER_SERVICES:
8425 case DLT_JUNIPER_ETHER:
8426 case DLT_JUNIPER_PPP:
8427 case DLT_JUNIPER_FRELAY:
8428 case DLT_JUNIPER_CHDLC:
8429 case DLT_JUNIPER_VP:
8430 case DLT_JUNIPER_ST:
8431 case DLT_JUNIPER_ISM:
8432 case DLT_JUNIPER_VS:
8433 case DLT_JUNIPER_SRX_E2E:
8434 case DLT_JUNIPER_FIBRECHANNEL:
8435 case DLT_JUNIPER_ATM_CEMIC:
8436 /* juniper flags (including direction) are stored
8437 * the byte after the 3-byte magic number */
8438 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, outbound ? 0 : 1, 0x01);
8439 break;
8440
8441 default:
8442 /*
8443 * If we have packet meta-data indicating a direction,
8444 * and that metadata can be checked by BPF code, check
8445 * it. Otherwise, give up, as this link-layer type has
8446 * nothing in the packet data.
8447 *
8448 * Currently, the only platform where a BPF filter can
8449 * check that metadata is Linux with the in-kernel
8450 * BPF interpreter. If other packet capture mechanisms
8451 * and BPF filters also supported this, it would be
8452 * nice. It would be even better if they made that
8453 * metadata available so that we could provide it
8454 * with newer capture APIs, allowing it to be saved
8455 * in pcapng files.
8456 */
8457 #if defined(__linux__)
8458 require_basic_bpf_extensions(cstate, outbound ? "outbound" : "inbound");
8459 /* match outgoing packets */
8460 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
8461 PACKET_OUTGOING);
8462 if (! outbound) {
8463 /* to filter on inbound traffic, invert the match */
8464 gen_not(b0);
8465 }
8466 #else /* defined(__linux__) */
8467 fail_kw_on_dlt(cstate, outbound ? "outbound" : "inbound");
8468 /*NOTREACHED*/
8469 #endif /* defined(__linux__) */
8470 }
8471 return (b0);
8472 }
8473
8474 /* PF firewall log matched interface */
8475 struct block *
8476 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
8477 {
8478 struct block *b0;
8479 u_int len, off;
8480
8481 /*
8482 * Catch errors reported by us and routines below us, and return NULL
8483 * on an error.
8484 */
8485 if (setjmp(cstate->top_ctx))
8486 return (NULL);
8487
8488 assert_pflog(cstate, "ifname");
8489
8490 len = sizeof(((struct pfloghdr *)0)->ifname);
8491 off = offsetof(struct pfloghdr, ifname);
8492 if (strlen(ifname) >= len) {
8493 bpf_error(cstate, "ifname interface names can only be %d characters",
8494 len-1);
8495 /*NOTREACHED*/
8496 }
8497 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname),
8498 (const u_char *)ifname);
8499 return (b0);
8500 }
8501
8502 /* PF firewall log ruleset name */
8503 struct block *
8504 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
8505 {
8506 struct block *b0;
8507
8508 /*
8509 * Catch errors reported by us and routines below us, and return NULL
8510 * on an error.
8511 */
8512 if (setjmp(cstate->top_ctx))
8513 return (NULL);
8514
8515 assert_pflog(cstate, "ruleset");
8516
8517 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
8518 bpf_error(cstate, "ruleset names can only be %ld characters",
8519 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
8520 /*NOTREACHED*/
8521 }
8522
8523 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
8524 (u_int)strlen(ruleset), (const u_char *)ruleset);
8525 return (b0);
8526 }
8527
8528 /* PF firewall log rule number */
8529 struct block *
8530 gen_pf_rnr(compiler_state_t *cstate, int rnr)
8531 {
8532 struct block *b0;
8533
8534 /*
8535 * Catch errors reported by us and routines below us, and return NULL
8536 * on an error.
8537 */
8538 if (setjmp(cstate->top_ctx))
8539 return (NULL);
8540
8541 assert_pflog(cstate, "rnr");
8542
8543 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
8544 (bpf_u_int32)rnr);
8545 return (b0);
8546 }
8547
8548 /* PF firewall log sub-rule number */
8549 struct block *
8550 gen_pf_srnr(compiler_state_t *cstate, int srnr)
8551 {
8552 struct block *b0;
8553
8554 /*
8555 * Catch errors reported by us and routines below us, and return NULL
8556 * on an error.
8557 */
8558 if (setjmp(cstate->top_ctx))
8559 return (NULL);
8560
8561 assert_pflog(cstate, "srnr");
8562
8563 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
8564 (bpf_u_int32)srnr);
8565 return (b0);
8566 }
8567
8568 /* PF firewall log reason code */
8569 struct block *
8570 gen_pf_reason(compiler_state_t *cstate, int reason)
8571 {
8572 struct block *b0;
8573
8574 /*
8575 * Catch errors reported by us and routines below us, and return NULL
8576 * on an error.
8577 */
8578 if (setjmp(cstate->top_ctx))
8579 return (NULL);
8580
8581 assert_pflog(cstate, "reason");
8582
8583 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
8584 (bpf_u_int32)reason);
8585 return (b0);
8586 }
8587
8588 /* PF firewall log action */
8589 struct block *
8590 gen_pf_action(compiler_state_t *cstate, int action)
8591 {
8592 struct block *b0;
8593
8594 /*
8595 * Catch errors reported by us and routines below us, and return NULL
8596 * on an error.
8597 */
8598 if (setjmp(cstate->top_ctx))
8599 return (NULL);
8600
8601 assert_pflog(cstate, "action");
8602
8603 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
8604 (bpf_u_int32)action);
8605 return (b0);
8606 }
8607
8608 /* IEEE 802.11 wireless header */
8609 struct block *
8610 gen_p80211_type(compiler_state_t *cstate, bpf_u_int32 type, bpf_u_int32 mask)
8611 {
8612 struct block *b0;
8613
8614 /*
8615 * Catch errors reported by us and routines below us, and return NULL
8616 * on an error.
8617 */
8618 if (setjmp(cstate->top_ctx))
8619 return (NULL);
8620
8621 switch (cstate->linktype) {
8622
8623 case DLT_IEEE802_11:
8624 case DLT_PRISM_HEADER:
8625 case DLT_IEEE802_11_RADIO_AVS:
8626 case DLT_IEEE802_11_RADIO:
8627 case DLT_PPI:
8628 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, type, mask);
8629 break;
8630
8631 default:
8632 fail_kw_on_dlt(cstate, "type/subtype");
8633 /*NOTREACHED*/
8634 }
8635
8636 return (b0);
8637 }
8638
8639 struct block *
8640 gen_p80211_fcdir(compiler_state_t *cstate, bpf_u_int32 fcdir)
8641 {
8642 struct block *b0;
8643
8644 /*
8645 * Catch errors reported by us and routines below us, and return NULL
8646 * on an error.
8647 */
8648 if (setjmp(cstate->top_ctx))
8649 return (NULL);
8650
8651 switch (cstate->linktype) {
8652
8653 case DLT_IEEE802_11:
8654 case DLT_PRISM_HEADER:
8655 case DLT_IEEE802_11_RADIO_AVS:
8656 case DLT_IEEE802_11_RADIO:
8657 case DLT_PPI:
8658 break;
8659
8660 default:
8661 fail_kw_on_dlt(cstate, "dir");
8662 /*NOTREACHED*/
8663 }
8664
8665 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, fcdir,
8666 IEEE80211_FC1_DIR_MASK);
8667
8668 return (b0);
8669 }
8670
8671 // Process an ARCnet host address string.
8672 struct block *
8673 gen_acode(compiler_state_t *cstate, const char *s, struct qual q)
8674 {
8675 /*
8676 * Catch errors reported by us and routines below us, and return NULL
8677 * on an error.
8678 */
8679 if (setjmp(cstate->top_ctx))
8680 return (NULL);
8681
8682 switch (cstate->linktype) {
8683
8684 case DLT_ARCNET:
8685 case DLT_ARCNET_LINUX:
8686 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
8687 q.proto == Q_LINK) {
8688 uint8_t addr;
8689 /*
8690 * The lexer currently defines the address format in a
8691 * way that makes this error condition never true.
8692 * Let's check it anyway in case this part of the lexer
8693 * changes in future.
8694 */
8695 if (! pcapint_atoan(s, &addr))
8696 bpf_error(cstate, "invalid ARCnet address '%s'", s);
8697 return gen_ahostop(cstate, addr, (int)q.dir);
8698 } else
8699 bpf_error(cstate, "ARCnet address used in non-arc expression");
8700 /*NOTREACHED*/
8701
8702 default:
8703 bpf_error(cstate, "aid supported only on ARCnet");
8704 /*NOTREACHED*/
8705 }
8706 }
8707
8708 // Compare an ARCnet host address with the given value.
8709 static struct block *
8710 gen_ahostop(compiler_state_t *cstate, const uint8_t eaddr, int dir)
8711 {
8712 register struct block *b0, *b1;
8713
8714 switch (dir) {
8715 /*
8716 * ARCnet is different from Ethernet: the source address comes before
8717 * the destination address, each is one byte long. This holds for all
8718 * three "buffer formats" in RFC 1201 Section 2.1, see also page 4-10
8719 * in the 1983 edition of the "ARCNET Designer's Handbook" published
8720 * by Datapoint (document number 61610-01).
8721 */
8722 case Q_SRC:
8723 return gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, eaddr);
8724
8725 case Q_DST:
8726 return gen_cmp(cstate, OR_LINKHDR, 1, BPF_B, eaddr);
8727
8728 case Q_AND:
8729 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8730 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8731 gen_and(b0, b1);
8732 return b1;
8733
8734 case Q_DEFAULT:
8735 case Q_OR:
8736 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8737 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8738 gen_or(b0, b1);
8739 return b1;
8740
8741 case Q_ADDR1:
8742 case Q_ADDR2:
8743 case Q_ADDR3:
8744 case Q_ADDR4:
8745 case Q_RA:
8746 case Q_TA:
8747 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
8748 /*NOTREACHED*/
8749 }
8750 abort();
8751 /*NOTREACHED*/
8752 }
8753
8754 static struct block *
8755 gen_vlan_tpid_test(compiler_state_t *cstate)
8756 {
8757 struct block *b0, *b1;
8758
8759 /* check for VLAN, including 802.1ad and QinQ */
8760 b0 = gen_linktype(cstate, ETHERTYPE_8021Q);
8761 b1 = gen_linktype(cstate, ETHERTYPE_8021AD);
8762 gen_or(b0,b1);
8763 b0 = b1;
8764 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ);
8765 gen_or(b0,b1);
8766
8767 return b1;
8768 }
8769
8770 static struct block *
8771 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num)
8772 {
8773 assert_maxval(cstate, "VLAN tag", vlan_num, 0x0fff);
8774 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, vlan_num, 0x0fff);
8775 }
8776
8777 static struct block *
8778 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
8779 int has_vlan_tag)
8780 {
8781 struct block *b0, *b1;
8782
8783 b0 = gen_vlan_tpid_test(cstate);
8784
8785 if (has_vlan_tag) {
8786 b1 = gen_vlan_vid_test(cstate, vlan_num);
8787 gen_and(b0, b1);
8788 b0 = b1;
8789 }
8790
8791 /*
8792 * Both payload and link header type follow the VLAN tags so that
8793 * both need to be updated.
8794 */
8795 cstate->off_linkpl.constant_part += 4;
8796 cstate->off_linktype.constant_part += 4;
8797
8798 return b0;
8799 }
8800
8801 #if defined(SKF_AD_VLAN_TAG_PRESENT)
8802 /* add v to variable part of off */
8803 static void
8804 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off,
8805 bpf_u_int32 v, struct slist *s)
8806 {
8807 struct slist *s2;
8808
8809 if (!off->is_variable)
8810 off->is_variable = 1;
8811 if (off->reg == -1)
8812 off->reg = alloc_reg(cstate);
8813
8814 s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
8815 s2->s.k = off->reg;
8816 sappend(s, s2);
8817 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
8818 s2->s.k = v;
8819 sappend(s, s2);
8820 s2 = new_stmt(cstate, BPF_ST);
8821 s2->s.k = off->reg;
8822 sappend(s, s2);
8823 }
8824
8825 /*
8826 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload
8827 * and link type offsets first
8828 */
8829 static void
8830 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid)
8831 {
8832 struct slist s;
8833
8834 /* offset determined at run time, shift variable part */
8835 s.next = NULL;
8836 cstate->is_vlan_vloffset = 1;
8837 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s);
8838 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s);
8839
8840 /* we get a pointer to a chain of or-ed blocks, patch first of them */
8841 sappend(s.next, b_tpid->head->stmts);
8842 b_tpid->head->stmts = s.next;
8843 }
8844
8845 /*
8846 * patch block b_vid (VLAN id test) to load VID value either from packet
8847 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true
8848 */
8849 static void
8850 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid)
8851 {
8852 struct slist *s, *s2, *sjeq;
8853 unsigned cnt;
8854
8855 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8856 s->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT);
8857
8858 /* true -> next instructions, false -> beginning of b_vid */
8859 sjeq = new_stmt(cstate, JMP(BPF_JEQ));
8860 sjeq->s.k = 1;
8861 sjeq->s.jf = b_vid->stmts;
8862 sappend(s, sjeq);
8863
8864 s2 = new_stmt(cstate, BPF_LD|BPF_H|BPF_ABS);
8865 s2->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG);
8866 sappend(s, s2);
8867 sjeq->s.jt = s2;
8868
8869 /* Jump to the test in b_vid. We need to jump one instruction before
8870 * the end of the b_vid block so that we only skip loading the TCI
8871 * from packet data and not the 'and' instruction extracting VID.
8872 */
8873 cnt = 0;
8874 for (s2 = b_vid->stmts; s2; s2 = s2->next)
8875 cnt++;
8876 s2 = new_stmt(cstate, JMP(BPF_JA));
8877 s2->s.k = cnt - 1;
8878 sappend(s, s2);
8879
8880 /* insert our statements at the beginning of b_vid */
8881 sappend(s, b_vid->stmts);
8882 b_vid->stmts = s;
8883 }
8884
8885 /*
8886 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF
8887 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN
8888 * tag can be either in metadata or in packet data; therefore if the
8889 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link
8890 * header for VLAN tag. As the decision is done at run time, we need
8891 * update variable part of the offsets
8892 */
8893 static struct block *
8894 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
8895 int has_vlan_tag)
8896 {
8897 struct block *b0, *b_tpid, *b_vid = NULL;
8898 struct slist *s;
8899
8900 /* generate new filter code based on extracting packet
8901 * metadata */
8902 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8903 s->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT);
8904
8905 b0 = gen_jmp(cstate, BPF_JEQ, 1, s);
8906
8907 /*
8908 * This is tricky. We need to insert the statements updating variable
8909 * parts of offsets before the traditional TPID and VID tests so
8910 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but
8911 * we do not want this update to affect those checks. That's why we
8912 * generate both test blocks first and insert the statements updating
8913 * variable parts of both offsets after that. This wouldn't work if
8914 * there already were variable length link header when entering this
8915 * function but gen_vlan_bpf_extensions() isn't called in that case.
8916 */
8917 b_tpid = gen_vlan_tpid_test(cstate);
8918 if (has_vlan_tag)
8919 b_vid = gen_vlan_vid_test(cstate, vlan_num);
8920
8921 gen_vlan_patch_tpid_test(cstate, b_tpid);
8922 gen_or(b0, b_tpid);
8923 b0 = b_tpid;
8924
8925 if (has_vlan_tag) {
8926 gen_vlan_patch_vid_test(cstate, b_vid);
8927 gen_and(b0, b_vid);
8928 b0 = b_vid;
8929 }
8930
8931 return b0;
8932 }
8933 #endif
8934
8935 /*
8936 * support IEEE 802.1Q VLAN trunk over ethernet
8937 */
8938 struct block *
8939 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag)
8940 {
8941 struct block *b0;
8942
8943 /*
8944 * Catch errors reported by us and routines below us, and return NULL
8945 * on an error.
8946 */
8947 if (setjmp(cstate->top_ctx))
8948 return (NULL);
8949
8950 /* can't check for VLAN-encapsulated packets inside MPLS */
8951 if (cstate->label_stack_depth > 0)
8952 bpf_error(cstate, "no VLAN match after MPLS");
8953
8954 /*
8955 * Check for a VLAN packet, and then change the offsets to point
8956 * to the type and data fields within the VLAN packet. Just
8957 * increment the offsets, so that we can support a hierarchy, e.g.
8958 * "vlan 100 && vlan 200" to capture VLAN 200 encapsulated within
8959 * VLAN 100.
8960 *
8961 * XXX - this is a bit of a kludge. If we were to split the
8962 * compiler into a parser that parses an expression and
8963 * generates an expression tree, and a code generator that
8964 * takes an expression tree (which could come from our
8965 * parser or from some other parser) and generates BPF code,
8966 * we could perhaps make the offsets parameters of routines
8967 * and, in the handler for an "AND" node, pass to subnodes
8968 * other than the VLAN node the adjusted offsets.
8969 *
8970 * This would mean that "vlan" would, instead of changing the
8971 * behavior of *all* tests after it, change only the behavior
8972 * of tests ANDed with it. That would change the documented
8973 * semantics of "vlan", which might break some expressions.
8974 * However, it would mean that "(vlan and ip) or ip" would check
8975 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8976 * checking only for VLAN-encapsulated IP, so that could still
8977 * be considered worth doing; it wouldn't break expressions
8978 * that are of the form "vlan and ..." or "vlan N and ...",
8979 * which I suspect are the most common expressions involving
8980 * "vlan". "vlan or ..." doesn't necessarily do what the user
8981 * would really want, now, as all the "or ..." tests would
8982 * be done assuming a VLAN, even though the "or" could be viewed
8983 * as meaning "or, if this isn't a VLAN packet...".
8984 */
8985 switch (cstate->linktype) {
8986
8987 case DLT_EN10MB:
8988 /*
8989 * Newer version of the Linux kernel pass around
8990 * packets in which the VLAN tag has been removed
8991 * from the packet data and put into metadata.
8992 *
8993 * This requires special treatment.
8994 */
8995 #if defined(SKF_AD_VLAN_TAG_PRESENT)
8996 /* Verify that this is the outer part of the packet and
8997 * not encapsulated somehow. */
8998 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable &&
8999 cstate->off_linkhdr.constant_part ==
9000 cstate->off_outermostlinkhdr.constant_part) {
9001 /*
9002 * Do we need special VLAN handling?
9003 */
9004 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
9005 b0 = gen_vlan_bpf_extensions(cstate, vlan_num,
9006 has_vlan_tag);
9007 else
9008 b0 = gen_vlan_no_bpf_extensions(cstate,
9009 vlan_num, has_vlan_tag);
9010 } else
9011 #endif
9012 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num,
9013 has_vlan_tag);
9014 break;
9015
9016 case DLT_NETANALYZER:
9017 case DLT_NETANALYZER_TRANSPARENT:
9018 case DLT_IEEE802_11:
9019 case DLT_PRISM_HEADER:
9020 case DLT_IEEE802_11_RADIO_AVS:
9021 case DLT_IEEE802_11_RADIO:
9022 /*
9023 * These are either Ethernet packets with an additional
9024 * metadata header (the NetAnalyzer types), or 802.11
9025 * packets, possibly with an additional metadata header.
9026 *
9027 * For the first of those, the VLAN tag is in the normal
9028 * place, so the special-case handling above isn't
9029 * necessary.
9030 *
9031 * For the second of those, we don't do the special-case
9032 * handling for now.
9033 */
9034 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag);
9035 break;
9036
9037 default:
9038 bpf_error(cstate, "no VLAN support for %s",
9039 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9040 /*NOTREACHED*/
9041 }
9042
9043 cstate->vlan_stack_depth++;
9044
9045 return (b0);
9046 }
9047
9048 /*
9049 * support for MPLS
9050 *
9051 * The label_num_arg dance is to avoid annoying whining by compilers that
9052 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9053 * It's not *used* after setjmp returns.
9054 */
9055 static struct block *
9056 gen_mpls_internal(compiler_state_t *cstate, bpf_u_int32 label_num,
9057 int has_label_num)
9058 {
9059 struct block *b0, *b1;
9060
9061 if (cstate->label_stack_depth > 0) {
9062 /* just match the bottom-of-stack bit clear */
9063 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
9064 } else {
9065 /*
9066 * We're not in an MPLS stack yet, so check the link-layer
9067 * type against MPLS.
9068 */
9069 switch (cstate->linktype) {
9070
9071 case DLT_C_HDLC: /* fall through */
9072 case DLT_HDLC:
9073 case DLT_EN10MB:
9074 case DLT_NETANALYZER:
9075 case DLT_NETANALYZER_TRANSPARENT:
9076 b0 = gen_linktype(cstate, ETHERTYPE_MPLS);
9077 break;
9078
9079 case DLT_PPP:
9080 b0 = gen_linktype(cstate, PPP_MPLS_UCAST);
9081 break;
9082
9083 /* FIXME add other DLT_s ...
9084 * for Frame-Relay/and ATM this may get messy due to SNAP headers
9085 * leave it for now */
9086
9087 default:
9088 bpf_error(cstate, "no MPLS support for %s",
9089 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9090 /*NOTREACHED*/
9091 }
9092 }
9093
9094 /* If a specific MPLS label is requested, check it */
9095 if (has_label_num) {
9096 assert_maxval(cstate, "MPLS label", label_num, 0xFFFFF);
9097 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
9098 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, label_num,
9099 0xfffff000); /* only compare the first 20 bits */
9100 gen_and(b0, b1);
9101 b0 = b1;
9102 }
9103
9104 /*
9105 * Change the offsets to point to the type and data fields within
9106 * the MPLS packet. Just increment the offsets, so that we
9107 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
9108 * capture packets with an outer label of 100000 and an inner
9109 * label of 1024.
9110 *
9111 * Increment the MPLS stack depth as well; this indicates that
9112 * we're checking MPLS-encapsulated headers, to make sure higher
9113 * level code generators don't try to match against IP-related
9114 * protocols such as Q_ARP, Q_RARP etc.
9115 *
9116 * XXX - this is a bit of a kludge. See comments in gen_vlan().
9117 */
9118 cstate->off_nl_nosnap += 4;
9119 cstate->off_nl += 4;
9120 cstate->label_stack_depth++;
9121 return (b0);
9122 }
9123
9124 struct block *
9125 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num, int has_label_num)
9126 {
9127 /*
9128 * Catch errors reported by us and routines below us, and return NULL
9129 * on an error.
9130 */
9131 if (setjmp(cstate->top_ctx))
9132 return (NULL);
9133
9134 return gen_mpls_internal(cstate, label_num, has_label_num);
9135 }
9136
9137 /*
9138 * Support PPPOE discovery and session.
9139 */
9140 struct block *
9141 gen_pppoed(compiler_state_t *cstate)
9142 {
9143 /*
9144 * Catch errors reported by us and routines below us, and return NULL
9145 * on an error.
9146 */
9147 if (setjmp(cstate->top_ctx))
9148 return (NULL);
9149
9150 /* check for PPPoE discovery */
9151 return gen_linktype(cstate, ETHERTYPE_PPPOED);
9152 }
9153
9154 /*
9155 * RFC 2516 Section 4:
9156 *
9157 * The Ethernet payload for PPPoE is as follows:
9158 *
9159 * 1 2 3
9160 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
9161 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
9162 * | VER | TYPE | CODE | SESSION_ID |
9163 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
9164 * | LENGTH | payload ~
9165 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
9166 */
9167 struct block *
9168 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num)
9169 {
9170 struct block *b0, *b1;
9171
9172 /*
9173 * Catch errors reported by us and routines below us, and return NULL
9174 * on an error.
9175 */
9176 if (setjmp(cstate->top_ctx))
9177 return (NULL);
9178
9179 /*
9180 * Test against the PPPoE session link-layer type.
9181 */
9182 b0 = gen_linktype(cstate, ETHERTYPE_PPPOES);
9183
9184 /* If a specific session is requested, check PPPoE session id */
9185 if (has_sess_num) {
9186 assert_maxval(cstate, "PPPoE session number", sess_num, UINT16_MAX);
9187 b1 = gen_cmp(cstate, OR_LINKPL, 2, BPF_H, sess_num);
9188 gen_and(b0, b1);
9189 b0 = b1;
9190 }
9191
9192 /*
9193 * Change the offsets to point to the type and data fields within
9194 * the PPP packet, and note that this is PPPoE rather than
9195 * raw PPP.
9196 *
9197 * XXX - this is a bit of a kludge. See the comments in
9198 * gen_vlan().
9199 *
9200 * The "network-layer" protocol is PPPoE, which has a 6-byte
9201 * PPPoE header, followed by a PPP packet.
9202 *
9203 * There is no HDLC encapsulation for the PPP packet (it's
9204 * encapsulated in PPPoES instead), so the link-layer type
9205 * starts at the first byte of the PPP packet. For PPPoE,
9206 * that offset is relative to the beginning of the total
9207 * link-layer payload, including any 802.2 LLC header, so
9208 * it's 6 bytes past cstate->off_nl.
9209 */
9210 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable,
9211 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */
9212 cstate->off_linkpl.reg);
9213
9214 cstate->off_linktype = cstate->off_linkhdr;
9215 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2;
9216
9217 cstate->off_nl = 0;
9218 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
9219
9220 return b0;
9221 }
9222
9223 /* Check that this is Geneve and the VNI is correct if
9224 * specified. Parameterized to handle both IPv4 and IPv6. */
9225 static struct block *
9226 gen_geneve_check(compiler_state_t *cstate,
9227 struct block *(*gen_portfn)(compiler_state_t *, uint16_t, int, int),
9228 enum e_offrel offrel, bpf_u_int32 vni, int has_vni)
9229 {
9230 struct block *b0, *b1;
9231
9232 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST);
9233
9234 /* Check that we are operating on version 0. Otherwise, we
9235 * can't decode the rest of the fields. The version is 2 bits
9236 * in the first byte of the Geneve header. */
9237 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, 0, 0xc0);
9238 gen_and(b0, b1);
9239 b0 = b1;
9240
9241 if (has_vni) {
9242 assert_maxval(cstate, "Geneve VNI", vni, 0xffffff);
9243 vni <<= 8; /* VNI is in the upper 3 bytes */
9244 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00);
9245 gen_and(b0, b1);
9246 b0 = b1;
9247 }
9248
9249 return b0;
9250 }
9251
9252 /* The IPv4 and IPv6 Geneve checks need to do two things:
9253 * - Verify that this actually is Geneve with the right VNI.
9254 * - Place the IP header length (plus variable link prefix if
9255 * needed) into register A to be used later to compute
9256 * the inner packet offsets. */
9257 static struct block *
9258 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9259 {
9260 struct block *b0, *b1;
9261 struct slist *s, *s1;
9262
9263 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni);
9264
9265 /* Load the IP header length into A. */
9266 s = gen_loadx_iphdrlen(cstate);
9267
9268 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9269 sappend(s, s1);
9270
9271 /* Forcibly append these statements to the true condition
9272 * of the protocol check by creating a new block that is
9273 * always true and ANDing them. */
9274 b1 = gen_jmp(cstate, BPF_JMP|BPF_JEQ|BPF_X, 0, s);
9275
9276 gen_and(b0, b1);
9277
9278 return b1;
9279 }
9280
9281 static struct block *
9282 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9283 {
9284 struct block *b0, *b1;
9285 struct slist *s, *s1;
9286
9287 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni);
9288
9289 /* Load the IP header length. We need to account for a
9290 * variable length link prefix if there is one. */
9291 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
9292 if (s) {
9293 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
9294 s1->s.k = 40;
9295 sappend(s, s1);
9296
9297 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9298 s1->s.k = 0;
9299 sappend(s, s1);
9300 } else {
9301 s = new_stmt(cstate, BPF_LD|BPF_IMM);
9302 s->s.k = 40;
9303 }
9304
9305 /* Forcibly append these statements to the true condition
9306 * of the protocol check by creating a new block that is
9307 * always true and ANDing them. */
9308 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9309 sappend(s, s1);
9310
9311 b1 = gen_jmp(cstate, BPF_JMP|BPF_JEQ|BPF_X, 0, s);
9312
9313 gen_and(b0, b1);
9314
9315 return b1;
9316 }
9317
9318 /* We need to store three values based on the Geneve header::
9319 * - The offset of the linktype.
9320 * - The offset of the end of the Geneve header.
9321 * - The offset of the end of the encapsulated MAC header. */
9322 static struct slist *
9323 gen_geneve_offsets(compiler_state_t *cstate)
9324 {
9325 struct slist *s, *s1, *s_proto;
9326
9327 /* First we need to calculate the offset of the Geneve header
9328 * itself. This is composed of the IP header previously calculated
9329 * (include any variable link prefix) and stored in A plus the
9330 * fixed sized headers (fixed link prefix, MAC length, and UDP
9331 * header). */
9332 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9333 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
9334
9335 /* Stash this in X since we'll need it later. */
9336 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9337 sappend(s, s1);
9338
9339 /* The EtherType in Geneve is 2 bytes in. Calculate this and
9340 * store it. */
9341 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9342 s1->s.k = 2;
9343 sappend(s, s1);
9344
9345 cstate->off_linktype.reg = alloc_reg(cstate);
9346 cstate->off_linktype.is_variable = 1;
9347 cstate->off_linktype.constant_part = 0;
9348
9349 s1 = new_stmt(cstate, BPF_ST);
9350 s1->s.k = cstate->off_linktype.reg;
9351 sappend(s, s1);
9352
9353 /* Load the Geneve option length and mask and shift to get the
9354 * number of bytes. It is stored in the first byte of the Geneve
9355 * header. */
9356 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
9357 s1->s.k = 0;
9358 sappend(s, s1);
9359
9360 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
9361 s1->s.k = 0x3f;
9362 sappend(s, s1);
9363
9364 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
9365 s1->s.k = 4;
9366 sappend(s, s1);
9367
9368 /* Add in the rest of the Geneve base header. */
9369 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9370 s1->s.k = 8;
9371 sappend(s, s1);
9372
9373 /* Add the Geneve header length to its offset and store. */
9374 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9375 s1->s.k = 0;
9376 sappend(s, s1);
9377
9378 /* Set the encapsulated type as Ethernet. Even though we may
9379 * not actually have Ethernet inside there are two reasons this
9380 * is useful:
9381 * - The linktype field is always in EtherType format regardless
9382 * of whether it is in Geneve or an inner Ethernet frame.
9383 * - The only link layer that we have specific support for is
9384 * Ethernet. We will confirm that the packet actually is
9385 * Ethernet at runtime before executing these checks. */
9386 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
9387
9388 s1 = new_stmt(cstate, BPF_ST);
9389 s1->s.k = cstate->off_linkhdr.reg;
9390 sappend(s, s1);
9391
9392 /* Calculate whether we have an Ethernet header or just raw IP/
9393 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
9394 * and linktype by 14 bytes so that the network header can be found
9395 * seamlessly. Otherwise, keep what we've calculated already. */
9396
9397 /* We have a bare jmp so we can't use the optimizer. */
9398 cstate->no_optimize = 1;
9399
9400 /* Load the EtherType in the Geneve header, 2 bytes in. */
9401 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H);
9402 s1->s.k = 2;
9403 sappend(s, s1);
9404
9405 /* Load X with the end of the Geneve header. */
9406 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9407 s1->s.k = cstate->off_linkhdr.reg;
9408 sappend(s, s1);
9409
9410 /* Check if the EtherType is Transparent Ethernet Bridging. At the
9411 * end of this check, we should have the total length in X. In
9412 * the non-Ethernet case, it's already there. */
9413 s_proto = new_stmt(cstate, JMP(BPF_JEQ));
9414 s_proto->s.k = ETHERTYPE_TEB;
9415 sappend(s, s_proto);
9416
9417 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9418 sappend(s, s1);
9419 s_proto->s.jt = s1;
9420
9421 /* Since this is Ethernet, use the EtherType of the payload
9422 * directly as the linktype. Overwrite what we already have. */
9423 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9424 s1->s.k = 12;
9425 sappend(s, s1);
9426
9427 s1 = new_stmt(cstate, BPF_ST);
9428 s1->s.k = cstate->off_linktype.reg;
9429 sappend(s, s1);
9430
9431 /* Advance two bytes further to get the end of the Ethernet
9432 * header. */
9433 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9434 s1->s.k = 2;
9435 sappend(s, s1);
9436
9437 /* Move the result to X. */
9438 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9439 sappend(s, s1);
9440
9441 /* Store the final result of our linkpl calculation. */
9442 cstate->off_linkpl.reg = alloc_reg(cstate);
9443 cstate->off_linkpl.is_variable = 1;
9444 cstate->off_linkpl.constant_part = 0;
9445
9446 s1 = new_stmt(cstate, BPF_STX);
9447 s1->s.k = cstate->off_linkpl.reg;
9448 sappend(s, s1);
9449 s_proto->s.jf = s1;
9450
9451 cstate->off_nl = 0;
9452
9453 return s;
9454 }
9455
9456 /* Check to see if this is a Geneve packet. */
9457 struct block *
9458 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9459 {
9460 struct block *b0, *b1;
9461 struct slist *s;
9462
9463 /*
9464 * Catch errors reported by us and routines below us, and return NULL
9465 * on an error.
9466 */
9467 if (setjmp(cstate->top_ctx))
9468 return (NULL);
9469
9470 b0 = gen_geneve4(cstate, vni, has_vni);
9471 b1 = gen_geneve6(cstate, vni, has_vni);
9472
9473 gen_or(b0, b1);
9474 b0 = b1;
9475
9476 /* Later filters should act on the payload of the Geneve frame,
9477 * update all of the header pointers. Attach this code so that
9478 * it gets executed in the event that the Geneve filter matches. */
9479 s = gen_geneve_offsets(cstate);
9480
9481 b1 = gen_true(cstate);
9482 sappend(s, b1->stmts);
9483 b1->stmts = s;
9484
9485 gen_and(b0, b1);
9486
9487 cstate->is_encap = 1;
9488
9489 return b1;
9490 }
9491
9492 /* Check that this is VXLAN and the VNI is correct if
9493 * specified. Parameterized to handle both IPv4 and IPv6. */
9494 static struct block *
9495 gen_vxlan_check(compiler_state_t *cstate,
9496 struct block *(*gen_portfn)(compiler_state_t *, uint16_t, int, int),
9497 enum e_offrel offrel, bpf_u_int32 vni, int has_vni)
9498 {
9499 struct block *b0, *b1;
9500
9501 b0 = gen_portfn(cstate, VXLAN_PORT, IPPROTO_UDP, Q_DST);
9502
9503 /* Check that the VXLAN header has the flag bits set
9504 * correctly. */
9505 b1 = gen_cmp(cstate, offrel, 8, BPF_B, 0x08);
9506 gen_and(b0, b1);
9507 b0 = b1;
9508
9509 if (has_vni) {
9510 assert_maxval(cstate, "VXLAN VNI", vni, 0xffffff);
9511 vni <<= 8; /* VNI is in the upper 3 bytes */
9512 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00);
9513 gen_and(b0, b1);
9514 b0 = b1;
9515 }
9516
9517 return b0;
9518 }
9519
9520 /* The IPv4 and IPv6 VXLAN checks need to do two things:
9521 * - Verify that this actually is VXLAN with the right VNI.
9522 * - Place the IP header length (plus variable link prefix if
9523 * needed) into register A to be used later to compute
9524 * the inner packet offsets. */
9525 static struct block *
9526 gen_vxlan4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9527 {
9528 struct block *b0, *b1;
9529 struct slist *s, *s1;
9530
9531 b0 = gen_vxlan_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni);
9532
9533 /* Load the IP header length into A. */
9534 s = gen_loadx_iphdrlen(cstate);
9535
9536 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9537 sappend(s, s1);
9538
9539 /* Forcibly append these statements to the true condition
9540 * of the protocol check by creating a new block that is
9541 * always true and ANDing them. */
9542 b1 = gen_jmp(cstate, BPF_JMP|BPF_JEQ|BPF_X, 0, s);
9543
9544 gen_and(b0, b1);
9545
9546 return b1;
9547 }
9548
9549 static struct block *
9550 gen_vxlan6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9551 {
9552 struct block *b0, *b1;
9553 struct slist *s, *s1;
9554
9555 b0 = gen_vxlan_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni);
9556
9557 /* Load the IP header length. We need to account for a
9558 * variable length link prefix if there is one. */
9559 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
9560 if (s) {
9561 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
9562 s1->s.k = 40;
9563 sappend(s, s1);
9564
9565 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9566 s1->s.k = 0;
9567 sappend(s, s1);
9568 } else {
9569 s = new_stmt(cstate, BPF_LD|BPF_IMM);
9570 s->s.k = 40;
9571 }
9572
9573 /* Forcibly append these statements to the true condition
9574 * of the protocol check by creating a new block that is
9575 * always true and ANDing them. */
9576 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9577 sappend(s, s1);
9578
9579 b1 = gen_jmp(cstate, BPF_JMP|BPF_JEQ|BPF_X, 0, s);
9580
9581 gen_and(b0, b1);
9582
9583 return b1;
9584 }
9585
9586 /* We need to store three values based on the VXLAN header:
9587 * - The offset of the linktype.
9588 * - The offset of the end of the VXLAN header.
9589 * - The offset of the end of the encapsulated MAC header. */
9590 static struct slist *
9591 gen_vxlan_offsets(compiler_state_t *cstate)
9592 {
9593 struct slist *s, *s1;
9594
9595 /* Calculate the offset of the VXLAN header itself. This
9596 * includes the IP header computed previously (including any
9597 * variable link prefix) and stored in A plus the fixed size
9598 * headers (fixed link prefix, MAC length, UDP header). */
9599 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9600 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
9601
9602 /* Add the VXLAN header length to its offset and store */
9603 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9604 s1->s.k = 8;
9605 sappend(s, s1);
9606
9607 /* Push the link header. VXLAN packets always contain Ethernet
9608 * frames. */
9609 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
9610
9611 s1 = new_stmt(cstate, BPF_ST);
9612 s1->s.k = cstate->off_linkhdr.reg;
9613 sappend(s, s1);
9614
9615 /* As the payload is an Ethernet packet, we can use the
9616 * EtherType of the payload directly as the linktype. */
9617 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9618 s1->s.k = 12;
9619 sappend(s, s1);
9620
9621 cstate->off_linktype.reg = alloc_reg(cstate);
9622 cstate->off_linktype.is_variable = 1;
9623 cstate->off_linktype.constant_part = 0;
9624
9625 s1 = new_stmt(cstate, BPF_ST);
9626 s1->s.k = cstate->off_linktype.reg;
9627 sappend(s, s1);
9628
9629 /* Two bytes further is the end of the Ethernet header and the
9630 * start of the payload. */
9631 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9632 s1->s.k = 2;
9633 sappend(s, s1);
9634
9635 /* Move the result to X. */
9636 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9637 sappend(s, s1);
9638
9639 /* Store the final result of our linkpl calculation. */
9640 cstate->off_linkpl.reg = alloc_reg(cstate);
9641 cstate->off_linkpl.is_variable = 1;
9642 cstate->off_linkpl.constant_part = 0;
9643
9644 s1 = new_stmt(cstate, BPF_STX);
9645 s1->s.k = cstate->off_linkpl.reg;
9646 sappend(s, s1);
9647
9648 cstate->off_nl = 0;
9649
9650 return s;
9651 }
9652
9653 /* Check to see if this is a VXLAN packet. */
9654 struct block *
9655 gen_vxlan(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9656 {
9657 struct block *b0, *b1;
9658 struct slist *s;
9659
9660 /*
9661 * Catch errors reported by us and routines below us, and return NULL
9662 * on an error.
9663 */
9664 if (setjmp(cstate->top_ctx))
9665 return (NULL);
9666
9667 b0 = gen_vxlan4(cstate, vni, has_vni);
9668 b1 = gen_vxlan6(cstate, vni, has_vni);
9669
9670 gen_or(b0, b1);
9671 b0 = b1;
9672
9673 /* Later filters should act on the payload of the VXLAN frame,
9674 * update all of the header pointers. Attach this code so that
9675 * it gets executed in the event that the VXLAN filter matches. */
9676 s = gen_vxlan_offsets(cstate);
9677
9678 b1 = gen_true(cstate);
9679 sappend(s, b1->stmts);
9680 b1->stmts = s;
9681
9682 gen_and(b0, b1);
9683
9684 cstate->is_encap = 1;
9685
9686 return b1;
9687 }
9688
9689 /* Check that the encapsulated frame has a link layer header
9690 * for Ethernet filters. */
9691 static struct block *
9692 gen_encap_ll_check(compiler_state_t *cstate)
9693 {
9694 struct block *b0;
9695 struct slist *s, *s1;
9696
9697 /* The easiest way to see if there is a link layer present
9698 * is to check if the link layer header and payload are not
9699 * the same. */
9700
9701 /* Geneve always generates pure variable offsets so we can
9702 * compare only the registers. */
9703 s = new_stmt(cstate, BPF_LD|BPF_MEM);
9704 s->s.k = cstate->off_linkhdr.reg;
9705
9706 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9707 s1->s.k = cstate->off_linkpl.reg;
9708 sappend(s, s1);
9709
9710 b0 = gen_jmp(cstate, BPF_JMP|BPF_JEQ|BPF_X, 0, s);
9711 gen_not(b0);
9712
9713 return b0;
9714 }
9715
9716 static struct block *
9717 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield,
9718 bpf_u_int32 jvalue, int jtype, int reverse)
9719 {
9720 struct block *b0;
9721
9722 assert_atm(cstate, atmkw(atmfield));
9723
9724 switch (atmfield) {
9725
9726 case A_VPI:
9727 assert_maxval(cstate, "VPI", jvalue, UINT8_MAX);
9728 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B,
9729 0xffffffffU, jtype, reverse, jvalue);
9730 break;
9731
9732 case A_VCI:
9733 assert_maxval(cstate, "VCI", jvalue, UINT16_MAX);
9734 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H,
9735 0xffffffffU, jtype, reverse, jvalue);
9736 break;
9737
9738 default:
9739 abort();
9740 }
9741 return b0;
9742 }
9743
9744 static struct block *
9745 gen_atmtype_metac(compiler_state_t *cstate)
9746 {
9747 struct block *b0, *b1;
9748
9749 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9750 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0);
9751 gen_and(b0, b1);
9752 return b1;
9753 }
9754
9755 static struct block *
9756 gen_atmtype_sc(compiler_state_t *cstate)
9757 {
9758 struct block *b0, *b1;
9759
9760 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9761 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0);
9762 gen_and(b0, b1);
9763 return b1;
9764 }
9765
9766 static struct block *
9767 gen_atm_prototype(compiler_state_t *cstate, const uint8_t v)
9768 {
9769 return gen_mcmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, v, 0x0fU);
9770 }
9771
9772 static struct block *
9773 gen_atmtype_llc(compiler_state_t *cstate)
9774 {
9775 struct block *b0;
9776
9777 b0 = gen_atm_prototype(cstate, PT_LLC);
9778 cstate->linktype = cstate->prevlinktype;
9779 return b0;
9780 }
9781
9782 struct block *
9783 gen_atmfield_code(compiler_state_t *cstate, int atmfield,
9784 bpf_u_int32 jvalue, int jtype, int reverse)
9785 {
9786 /*
9787 * Catch errors reported by us and routines below us, and return NULL
9788 * on an error.
9789 */
9790 if (setjmp(cstate->top_ctx))
9791 return (NULL);
9792
9793 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype,
9794 reverse);
9795 }
9796
9797 struct block *
9798 gen_atmtype_abbrev(compiler_state_t *cstate, int type)
9799 {
9800 struct block *b0, *b1;
9801
9802 /*
9803 * Catch errors reported by us and routines below us, and return NULL
9804 * on an error.
9805 */
9806 if (setjmp(cstate->top_ctx))
9807 return (NULL);
9808
9809 assert_atm(cstate, atmkw(type));
9810
9811 switch (type) {
9812
9813 case A_METAC:
9814 /* Get all packets in Meta signalling Circuit */
9815 b1 = gen_atmtype_metac(cstate);
9816 break;
9817
9818 case A_BCC:
9819 /* Get all packets in Broadcast Circuit*/
9820 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9821 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0);
9822 gen_and(b0, b1);
9823 break;
9824
9825 case A_OAMF4SC:
9826 /* Get all cells in Segment OAM F4 circuit*/
9827 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9828 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9829 gen_and(b0, b1);
9830 break;
9831
9832 case A_OAMF4EC:
9833 /* Get all cells in End-to-End OAM F4 Circuit*/
9834 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9835 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9836 gen_and(b0, b1);
9837 break;
9838
9839 case A_SC:
9840 /* Get all packets in connection Signalling Circuit */
9841 b1 = gen_atmtype_sc(cstate);
9842 break;
9843
9844 case A_ILMIC:
9845 /* Get all packets in ILMI Circuit */
9846 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9847 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0);
9848 gen_and(b0, b1);
9849 break;
9850
9851 case A_LANE:
9852 /* Get all LANE packets */
9853 b1 = gen_atm_prototype(cstate, PT_LANE);
9854
9855 /*
9856 * Arrange that all subsequent tests assume LANE
9857 * rather than LLC-encapsulated packets, and set
9858 * the offsets appropriately for LANE-encapsulated
9859 * Ethernet.
9860 *
9861 * We assume LANE means Ethernet, not Token Ring.
9862 */
9863 PUSH_LINKHDR(cstate, DLT_EN10MB, 0,
9864 cstate->off_payload + 2, /* Ethernet header */
9865 -1);
9866 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
9867 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */
9868 cstate->off_nl = 0; /* Ethernet II */
9869 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
9870 break;
9871
9872 default:
9873 abort();
9874 }
9875 return b1;
9876 }
9877
9878 /*
9879 * Filtering for MTP2 messages based on li value
9880 * FISU, length is null
9881 * LSSU, length is 1 or 2
9882 * MSU, length is 3 or more
9883 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
9884 */
9885 struct block *
9886 gen_mtp2type_abbrev(compiler_state_t *cstate, int type)
9887 {
9888 struct block *b0, *b1;
9889
9890 /*
9891 * Catch errors reported by us and routines below us, and return NULL
9892 * on an error.
9893 */
9894 if (setjmp(cstate->top_ctx))
9895 return (NULL);
9896
9897 assert_ss7(cstate, ss7kw(type));
9898
9899 switch (type) {
9900
9901 case M_FISU:
9902 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9903 0x3fU, BPF_JEQ, 0, 0U);
9904 break;
9905
9906 case M_LSSU:
9907 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9908 0x3fU, BPF_JGT, 1, 2U);
9909 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9910 0x3fU, BPF_JGT, 0, 0U);
9911 gen_and(b1, b0);
9912 break;
9913
9914 case M_MSU:
9915 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9916 0x3fU, BPF_JGT, 0, 2U);
9917 break;
9918
9919 case MH_FISU:
9920 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9921 0xff80U, BPF_JEQ, 0, 0U);
9922 break;
9923
9924 case MH_LSSU:
9925 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9926 0xff80U, BPF_JGT, 1, 0x0100U);
9927 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9928 0xff80U, BPF_JGT, 0, 0U);
9929 gen_and(b1, b0);
9930 break;
9931
9932 case MH_MSU:
9933 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9934 0xff80U, BPF_JGT, 0, 0x0100U);
9935 break;
9936
9937 default:
9938 abort();
9939 }
9940 return b0;
9941 }
9942
9943 /*
9944 * These maximum valid values are all-ones, so they double as the bitmasks
9945 * before any bitwise shifting.
9946 */
9947 #define MTP2_SIO_MAXVAL UINT8_MAX
9948 #define MTP3_PC_MAXVAL 0x3fffU
9949 #define MTP3_SLS_MAXVAL 0xfU
9950
9951 static struct block *
9952 gen_mtp3field_code_internal(compiler_state_t *cstate, int mtp3field,
9953 bpf_u_int32 jvalue, int jtype, int reverse)
9954 {
9955 struct block *b0;
9956 u_int newoff_sio;
9957 u_int newoff_opc;
9958 u_int newoff_dpc;
9959 u_int newoff_sls;
9960
9961 newoff_sio = cstate->off_sio;
9962 newoff_opc = cstate->off_opc;
9963 newoff_dpc = cstate->off_dpc;
9964 newoff_sls = cstate->off_sls;
9965
9966 assert_ss7(cstate, ss7kw(mtp3field));
9967
9968 switch (mtp3field) {
9969
9970 /*
9971 * See UTU-T Rec. Q.703, Section 2.2, Figure 3/Q.703.
9972 *
9973 * SIO is the simplest field: the size is one byte and the offset is a
9974 * multiple of bytes, so the only detail to get right is the value of
9975 * the [right-to-left] field offset.
9976 */
9977 case MH_SIO:
9978 newoff_sio += 3; /* offset for MTP2_HSL */
9979 /* FALLTHROUGH */
9980
9981 case M_SIO:
9982 assert_maxval(cstate, ss7kw(mtp3field), jvalue, MTP2_SIO_MAXVAL);
9983 // Here the bitmask means "do not apply a bitmask".
9984 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, UINT32_MAX,
9985 jtype, reverse, jvalue);
9986 break;
9987
9988 /*
9989 * See UTU-T Rec. Q.704, Section 2.2, Figure 3/Q.704.
9990 *
9991 * SLS, OPC and DPC are more complicated: none of these is sized in a
9992 * multiple of 8 bits, MTP3 encoding is little-endian and MTP packet
9993 * diagrams are meant to be read right-to-left. This means in the
9994 * diagrams within individual fields and concatenations thereof
9995 * bitwise shifts and masks can be noted in the common left-to-right
9996 * manner until each final value is ready to be byte-swapped and
9997 * handed to gen_ncmp(). See also gen_dnhostop(), which solves a
9998 * similar problem in a similar way.
9999 *
10000 * Offsets of fields within the packet header always have the
10001 * right-to-left meaning. Note that in DLT_MTP2 and possibly other
10002 * DLTs the offset does not include the F (Flag) field at the
10003 * beginning of each message.
10004 *
10005 * For example, if the 8-bit SIO field has a 3 byte [RTL] offset, the
10006 * 32-bit standard routing header has a 4 byte [RTL] offset and could
10007 * be tested entirely using a single BPF_W comparison. In this case
10008 * the 14-bit DPC field [LTR] bitmask would be 0x3FFF, the 14-bit OPC
10009 * field [LTR] bitmask would be (0x3FFF << 14) and the 4-bit SLS field
10010 * [LTR] bitmask would be (0xF << 28), all of which conveniently
10011 * correlates with the [RTL] packet diagram until the byte-swapping is
10012 * done before use.
10013 *
10014 * The code below uses this approach for OPC, which spans 3 bytes.
10015 * DPC and SLS use shorter loads, SLS also uses a different offset.
10016 */
10017 case MH_OPC:
10018 newoff_opc += 3;
10019
10020 /* FALLTHROUGH */
10021 case M_OPC:
10022 assert_maxval(cstate, ss7kw(mtp3field), jvalue, MTP3_PC_MAXVAL);
10023 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W,
10024 SWAPLONG(MTP3_PC_MAXVAL << 14), jtype, reverse,
10025 SWAPLONG(jvalue << 14));
10026 break;
10027
10028 case MH_DPC:
10029 newoff_dpc += 3;
10030 /* FALLTHROUGH */
10031
10032 case M_DPC:
10033 assert_maxval(cstate, ss7kw(mtp3field), jvalue, MTP3_PC_MAXVAL);
10034 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_H,
10035 SWAPSHORT(MTP3_PC_MAXVAL), jtype, reverse,
10036 SWAPSHORT(jvalue));
10037 break;
10038
10039 case MH_SLS:
10040 newoff_sls += 3;
10041 /* FALLTHROUGH */
10042
10043 case M_SLS:
10044 assert_maxval(cstate, ss7kw(mtp3field), jvalue, MTP3_SLS_MAXVAL);
10045 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B,
10046 MTP3_SLS_MAXVAL << 4, jtype, reverse,
10047 jvalue << 4);
10048 break;
10049
10050 default:
10051 abort();
10052 }
10053 return b0;
10054 }
10055
10056 struct block *
10057 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field,
10058 bpf_u_int32 jvalue, int jtype, int reverse)
10059 {
10060 /*
10061 * Catch errors reported by us and routines below us, and return NULL
10062 * on an error.
10063 */
10064 if (setjmp(cstate->top_ctx))
10065 return (NULL);
10066
10067 return gen_mtp3field_code_internal(cstate, mtp3field, jvalue, jtype,
10068 reverse);
10069 }
10070
10071 static struct block *
10072 gen_msg_abbrev(compiler_state_t *cstate, const uint8_t type)
10073 {
10074 /*
10075 * Q.2931 signalling protocol messages for handling virtual circuits
10076 * establishment and teardown
10077 */
10078 return gen_cmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS,
10079 BPF_B, type);
10080 }
10081
10082 struct block *
10083 gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
10084 {
10085 struct block *b0, *b1;
10086
10087 /*
10088 * Catch errors reported by us and routines below us, and return NULL
10089 * on an error.
10090 */
10091 if (setjmp(cstate->top_ctx))
10092 return (NULL);
10093
10094 assert_atm(cstate, atmkw(type));
10095
10096 switch (type) {
10097
10098 case A_OAM:
10099 /* OAM F4 type */
10100 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
10101 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10102 gen_or(b0, b1);
10103 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10104 gen_and(b0, b1);
10105 break;
10106
10107 case A_OAMF4:
10108 /* OAM F4 type */
10109 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
10110 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10111 gen_or(b0, b1);
10112 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10113 gen_and(b0, b1);
10114 break;
10115
10116 case A_CONNECTMSG:
10117 /*
10118 * Get Q.2931 signalling messages for switched
10119 * virtual connection
10120 */
10121 b0 = gen_msg_abbrev(cstate, SETUP);
10122 b1 = gen_msg_abbrev(cstate, CALL_PROCEED);
10123 gen_or(b0, b1);
10124 b0 = gen_msg_abbrev(cstate, CONNECT);
10125 gen_or(b0, b1);
10126 b0 = gen_msg_abbrev(cstate, CONNECT_ACK);
10127 gen_or(b0, b1);
10128 b0 = gen_msg_abbrev(cstate, RELEASE);
10129 gen_or(b0, b1);
10130 b0 = gen_msg_abbrev(cstate, RELEASE_DONE);
10131 gen_or(b0, b1);
10132 b0 = gen_atmtype_sc(cstate);
10133 gen_and(b0, b1);
10134 break;
10135
10136 case A_METACONNECT:
10137 b0 = gen_msg_abbrev(cstate, SETUP);
10138 b1 = gen_msg_abbrev(cstate, CALL_PROCEED);
10139 gen_or(b0, b1);
10140 b0 = gen_msg_abbrev(cstate, CONNECT);
10141 gen_or(b0, b1);
10142 b0 = gen_msg_abbrev(cstate, RELEASE);
10143 gen_or(b0, b1);
10144 b0 = gen_msg_abbrev(cstate, RELEASE_DONE);
10145 gen_or(b0, b1);
10146 b0 = gen_atmtype_metac(cstate);
10147 gen_and(b0, b1);
10148 break;
10149
10150 default:
10151 abort();
10152 }
10153 return b1;
10154 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism