]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Added a critical section on Windows to make pcap_compile thread safe.
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22 #ifndef lint
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.309 2008-12-23 20:13:29 guy Exp $ (LBL)";
25 #endif
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #ifdef WIN32
32 #include <pcap-stdinc.h>
33 #else /* WIN32 */
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #endif /* WIN32 */
37
38 /*
39 * XXX - why was this included even on UNIX?
40 */
41 #ifdef __MINGW32__
42 #include "IP6_misc.h"
43 #endif
44
45 #ifndef WIN32
46
47 #ifdef __NetBSD__
48 #include <sys/param.h>
49 #endif
50
51 #include <netinet/in.h>
52 #include <arpa/inet.h>
53
54 #endif /* WIN32 */
55
56 #include <stdlib.h>
57 #include <string.h>
58 #include <memory.h>
59 #include <setjmp.h>
60 #include <stdarg.h>
61
62 #ifdef MSDOS
63 #include "pcap-dos.h"
64 #endif
65
66 #include "pcap-int.h"
67
68 #include "ethertype.h"
69 #include "nlpid.h"
70 #include "llc.h"
71 #include "gencode.h"
72 #include "ieee80211.h"
73 #include "atmuni31.h"
74 #include "sunatmpos.h"
75 #include "ppp.h"
76 #include "pcap/sll.h"
77 #include "arcnet.h"
78 #ifdef HAVE_NET_PFVAR_H
79 #include <sys/socket.h>
80 #include <net/if.h>
81 #include <net/pfvar.h>
82 #include <net/if_pflog.h>
83 #endif
84 #ifndef offsetof
85 #define offsetof(s, e) ((size_t)&((s *)0)->e)
86 #endif
87 #ifdef INET6
88 #ifndef WIN32
89 #include <netdb.h> /* for "struct addrinfo" */
90 #endif /* WIN32 */
91 #endif /*INET6*/
92 #include <pcap/namedb.h>
93
94 #define ETHERMTU 1500
95
96 #ifndef IPPROTO_SCTP
97 #define IPPROTO_SCTP 132
98 #endif
99
100 #ifdef HAVE_OS_PROTO_H
101 #include "os-proto.h"
102 #endif
103
104 #define JMP(c) ((c)|BPF_JMP|BPF_K)
105
106 /* Locals */
107 static jmp_buf top_ctx;
108 static pcap_t *bpf_pcap;
109
110 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
111 #ifdef WIN32
112 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
113 #else
114 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
115 #endif
116
117 /* XXX */
118 #ifdef PCAP_FDDIPAD
119 static int pcap_fddipad;
120 #endif
121
122 /* VARARGS */
123 void
124 bpf_error(const char *fmt, ...)
125 {
126 va_list ap;
127
128 va_start(ap, fmt);
129 if (bpf_pcap != NULL)
130 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
131 fmt, ap);
132 va_end(ap);
133 longjmp(top_ctx, 1);
134 /* NOTREACHED */
135 }
136
137 static void init_linktype(pcap_t *);
138
139 static void init_regs(void);
140 static int alloc_reg(void);
141 static void free_reg(int);
142
143 static struct block *root;
144
145 /*
146 * Value passed to gen_load_a() to indicate what the offset argument
147 * is relative to.
148 */
149 enum e_offrel {
150 OR_PACKET, /* relative to the beginning of the packet */
151 OR_LINK, /* relative to the beginning of the link-layer header */
152 OR_MACPL, /* relative to the end of the MAC-layer header */
153 OR_NET, /* relative to the network-layer header */
154 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
155 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
156 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
157 };
158
159 #ifdef INET6
160 /*
161 * As errors are handled by a longjmp, anything allocated must be freed
162 * in the longjmp handler, so it must be reachable from that handler.
163 * One thing that's allocated is the result of pcap_nametoaddrinfo();
164 * it must be freed with freeaddrinfo(). This variable points to any
165 * addrinfo structure that would need to be freed.
166 */
167 static struct addrinfo *ai;
168 #endif
169
170 /*
171 * We divy out chunks of memory rather than call malloc each time so
172 * we don't have to worry about leaking memory. It's probably
173 * not a big deal if all this memory was wasted but if this ever
174 * goes into a library that would probably not be a good idea.
175 *
176 * XXX - this *is* in a library....
177 */
178 #define NCHUNKS 16
179 #define CHUNK0SIZE 1024
180 struct chunk {
181 u_int n_left;
182 void *m;
183 };
184
185 static struct chunk chunks[NCHUNKS];
186 static int cur_chunk;
187
188 static void *newchunk(u_int);
189 static void freechunks(void);
190 static inline struct block *new_block(int);
191 static inline struct slist *new_stmt(int);
192 static struct block *gen_retblk(int);
193 static inline void syntax(void);
194
195 static void backpatch(struct block *, struct block *);
196 static void merge(struct block *, struct block *);
197 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
198 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
199 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
200 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
201 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
202 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
203 bpf_u_int32);
204 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
205 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
206 bpf_u_int32, bpf_u_int32, int, bpf_int32);
207 static struct slist *gen_load_llrel(u_int, u_int);
208 static struct slist *gen_load_macplrel(u_int, u_int);
209 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
210 static struct slist *gen_loadx_iphdrlen(void);
211 static struct block *gen_uncond(int);
212 static inline struct block *gen_true(void);
213 static inline struct block *gen_false(void);
214 static struct block *gen_ether_linktype(int);
215 static struct block *gen_linux_sll_linktype(int);
216 static struct slist *gen_load_prism_llprefixlen(void);
217 static struct slist *gen_load_avs_llprefixlen(void);
218 static struct slist *gen_load_radiotap_llprefixlen(void);
219 static struct slist *gen_load_ppi_llprefixlen(void);
220 static void insert_compute_vloffsets(struct block *);
221 static struct slist *gen_llprefixlen(void);
222 static struct slist *gen_off_macpl(void);
223 static int ethertype_to_ppptype(int);
224 static struct block *gen_linktype(int);
225 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
226 static struct block *gen_llc_linktype(int);
227 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
228 #ifdef INET6
229 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
230 #endif
231 static struct block *gen_ahostop(const u_char *, int);
232 static struct block *gen_ehostop(const u_char *, int);
233 static struct block *gen_fhostop(const u_char *, int);
234 static struct block *gen_thostop(const u_char *, int);
235 static struct block *gen_wlanhostop(const u_char *, int);
236 static struct block *gen_ipfchostop(const u_char *, int);
237 static struct block *gen_dnhostop(bpf_u_int32, int);
238 static struct block *gen_mpls_linktype(int);
239 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
240 #ifdef INET6
241 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
242 #endif
243 #ifndef INET6
244 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
245 #endif
246 static struct block *gen_ipfrag(void);
247 static struct block *gen_portatom(int, bpf_int32);
248 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
249 #ifdef INET6
250 static struct block *gen_portatom6(int, bpf_int32);
251 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
252 #endif
253 struct block *gen_portop(int, int, int);
254 static struct block *gen_port(int, int, int);
255 struct block *gen_portrangeop(int, int, int, int);
256 static struct block *gen_portrange(int, int, int, int);
257 #ifdef INET6
258 struct block *gen_portop6(int, int, int);
259 static struct block *gen_port6(int, int, int);
260 struct block *gen_portrangeop6(int, int, int, int);
261 static struct block *gen_portrange6(int, int, int, int);
262 #endif
263 static int lookup_proto(const char *, int);
264 static struct block *gen_protochain(int, int, int);
265 static struct block *gen_proto(int, int, int);
266 static struct slist *xfer_to_x(struct arth *);
267 static struct slist *xfer_to_a(struct arth *);
268 static struct block *gen_mac_multicast(int);
269 static struct block *gen_len(int, int);
270 static struct block *gen_check_802_11_data_frame(void);
271
272 static struct block *gen_ppi_dlt_check(void);
273 static struct block *gen_msg_abbrev(int type);
274
275 static void *
276 newchunk(n)
277 u_int n;
278 {
279 struct chunk *cp;
280 int k;
281 size_t size;
282
283 #ifndef __NetBSD__
284 /* XXX Round up to nearest long. */
285 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
286 #else
287 /* XXX Round up to structure boundary. */
288 n = ALIGN(n);
289 #endif
290
291 cp = &chunks[cur_chunk];
292 if (n > cp->n_left) {
293 ++cp, k = ++cur_chunk;
294 if (k >= NCHUNKS)
295 bpf_error("out of memory");
296 size = CHUNK0SIZE << k;
297 cp->m = (void *)malloc(size);
298 if (cp->m == NULL)
299 bpf_error("out of memory");
300 memset((char *)cp->m, 0, size);
301 cp->n_left = size;
302 if (n > size)
303 bpf_error("out of memory");
304 }
305 cp->n_left -= n;
306 return (void *)((char *)cp->m + cp->n_left);
307 }
308
309 static void
310 freechunks()
311 {
312 int i;
313
314 cur_chunk = 0;
315 for (i = 0; i < NCHUNKS; ++i)
316 if (chunks[i].m != NULL) {
317 free(chunks[i].m);
318 chunks[i].m = NULL;
319 }
320 }
321
322 /*
323 * A strdup whose allocations are freed after code generation is over.
324 */
325 char *
326 sdup(s)
327 register const char *s;
328 {
329 int n = strlen(s) + 1;
330 char *cp = newchunk(n);
331
332 strlcpy(cp, s, n);
333 return (cp);
334 }
335
336 static inline struct block *
337 new_block(code)
338 int code;
339 {
340 struct block *p;
341
342 p = (struct block *)newchunk(sizeof(*p));
343 p->s.code = code;
344 p->head = p;
345
346 return p;
347 }
348
349 static inline struct slist *
350 new_stmt(code)
351 int code;
352 {
353 struct slist *p;
354
355 p = (struct slist *)newchunk(sizeof(*p));
356 p->s.code = code;
357
358 return p;
359 }
360
361 static struct block *
362 gen_retblk(v)
363 int v;
364 {
365 struct block *b = new_block(BPF_RET|BPF_K);
366
367 b->s.k = v;
368 return b;
369 }
370
371 static inline void
372 syntax()
373 {
374 bpf_error("syntax error in filter expression");
375 }
376
377 static bpf_u_int32 netmask;
378 static int snaplen;
379 int no_optimize;
380 #ifdef WIN32
381 static int
382 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
383 const char *buf, int optimize, bpf_u_int32 mask);
384
385 int
386 pcap_compile(pcap_t *p, struct bpf_program *program,
387 const char *buf, int optimize, bpf_u_int32 mask)
388 {
389 int result;
390
391 EnterCriticalSection(&g_PcapCompileCriticalSection);
392 OutputDebugString("Hello my dear, I locked myself\n");
393
394 result = pcap_compile_unsafe(p, program, buf, optimize, mask);
395
396 LeaveCriticalSection(&g_PcapCompileCriticalSection);
397
398 return result;
399 }
400
401 static int
402 pcap_compile_unsafe(pcap_t *p, struct bpf_program *program,
403 const char *buf, int optimize, bpf_u_int32 mask)
404 #else /* WIN32 */
405 int
406 pcap_compile(pcap_t *p, struct bpf_program *program,
407 const char *buf, int optimize, bpf_u_int32 mask)
408 #endif /* WIN32 */
409 {
410 extern int n_errors;
411 const char * volatile xbuf = buf;
412 int len;
413
414 no_optimize = 0;
415 n_errors = 0;
416 root = NULL;
417 bpf_pcap = p;
418 init_regs();
419 if (setjmp(top_ctx)) {
420 #ifdef INET6
421 if (ai != NULL) {
422 freeaddrinfo(ai);
423 ai = NULL;
424 }
425 #endif
426 lex_cleanup();
427 freechunks();
428 return (-1);
429 }
430
431 netmask = mask;
432
433 snaplen = pcap_snapshot(p);
434 if (snaplen == 0) {
435 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
436 "snaplen of 0 rejects all packets");
437 return -1;
438 }
439
440 lex_init(xbuf ? xbuf : "");
441 init_linktype(p);
442 (void)pcap_parse();
443
444 if (n_errors)
445 syntax();
446
447 if (root == NULL)
448 root = gen_retblk(snaplen);
449
450 if (optimize && !no_optimize) {
451 bpf_optimize(&root);
452 if (root == NULL ||
453 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
454 bpf_error("expression rejects all packets");
455 }
456 program->bf_insns = icode_to_fcode(root, &len);
457 program->bf_len = len;
458
459 lex_cleanup();
460 freechunks();
461 return (0);
462 }
463
464 /*
465 * entry point for using the compiler with no pcap open
466 * pass in all the stuff that is needed explicitly instead.
467 */
468 int
469 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
470 struct bpf_program *program,
471 const char *buf, int optimize, bpf_u_int32 mask)
472 {
473 pcap_t *p;
474 int ret;
475
476 p = pcap_open_dead(linktype_arg, snaplen_arg);
477 if (p == NULL)
478 return (-1);
479 ret = pcap_compile(p, program, buf, optimize, mask);
480 pcap_close(p);
481 return (ret);
482 }
483
484 /*
485 * Clean up a "struct bpf_program" by freeing all the memory allocated
486 * in it.
487 */
488 void
489 pcap_freecode(struct bpf_program *program)
490 {
491 program->bf_len = 0;
492 if (program->bf_insns != NULL) {
493 free((char *)program->bf_insns);
494 program->bf_insns = NULL;
495 }
496 }
497
498 /*
499 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
500 * which of the jt and jf fields has been resolved and which is a pointer
501 * back to another unresolved block (or nil). At least one of the fields
502 * in each block is already resolved.
503 */
504 static void
505 backpatch(list, target)
506 struct block *list, *target;
507 {
508 struct block *next;
509
510 while (list) {
511 if (!list->sense) {
512 next = JT(list);
513 JT(list) = target;
514 } else {
515 next = JF(list);
516 JF(list) = target;
517 }
518 list = next;
519 }
520 }
521
522 /*
523 * Merge the lists in b0 and b1, using the 'sense' field to indicate
524 * which of jt and jf is the link.
525 */
526 static void
527 merge(b0, b1)
528 struct block *b0, *b1;
529 {
530 register struct block **p = &b0;
531
532 /* Find end of list. */
533 while (*p)
534 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
535
536 /* Concatenate the lists. */
537 *p = b1;
538 }
539
540 void
541 finish_parse(p)
542 struct block *p;
543 {
544 struct block *ppi_dlt_check;
545
546 /*
547 * Insert before the statements of the first (root) block any
548 * statements needed to load the lengths of any variable-length
549 * headers into registers.
550 *
551 * XXX - a fancier strategy would be to insert those before the
552 * statements of all blocks that use those lengths and that
553 * have no predecessors that use them, so that we only compute
554 * the lengths if we need them. There might be even better
555 * approaches than that.
556 *
557 * However, those strategies would be more complicated, and
558 * as we don't generate code to compute a length if the
559 * program has no tests that use the length, and as most
560 * tests will probably use those lengths, we would just
561 * postpone computing the lengths so that it's not done
562 * for tests that fail early, and it's not clear that's
563 * worth the effort.
564 */
565 insert_compute_vloffsets(p->head);
566
567 /*
568 * For DLT_PPI captures, generate a check of the per-packet
569 * DLT value to make sure it's DLT_IEEE802_11.
570 */
571 ppi_dlt_check = gen_ppi_dlt_check();
572 if (ppi_dlt_check != NULL)
573 gen_and(ppi_dlt_check, p);
574
575 backpatch(p, gen_retblk(snaplen));
576 p->sense = !p->sense;
577 backpatch(p, gen_retblk(0));
578 root = p->head;
579 }
580
581 void
582 gen_and(b0, b1)
583 struct block *b0, *b1;
584 {
585 backpatch(b0, b1->head);
586 b0->sense = !b0->sense;
587 b1->sense = !b1->sense;
588 merge(b1, b0);
589 b1->sense = !b1->sense;
590 b1->head = b0->head;
591 }
592
593 void
594 gen_or(b0, b1)
595 struct block *b0, *b1;
596 {
597 b0->sense = !b0->sense;
598 backpatch(b0, b1->head);
599 b0->sense = !b0->sense;
600 merge(b1, b0);
601 b1->head = b0->head;
602 }
603
604 void
605 gen_not(b)
606 struct block *b;
607 {
608 b->sense = !b->sense;
609 }
610
611 static struct block *
612 gen_cmp(offrel, offset, size, v)
613 enum e_offrel offrel;
614 u_int offset, size;
615 bpf_int32 v;
616 {
617 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
618 }
619
620 static struct block *
621 gen_cmp_gt(offrel, offset, size, v)
622 enum e_offrel offrel;
623 u_int offset, size;
624 bpf_int32 v;
625 {
626 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
627 }
628
629 static struct block *
630 gen_cmp_ge(offrel, offset, size, v)
631 enum e_offrel offrel;
632 u_int offset, size;
633 bpf_int32 v;
634 {
635 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
636 }
637
638 static struct block *
639 gen_cmp_lt(offrel, offset, size, v)
640 enum e_offrel offrel;
641 u_int offset, size;
642 bpf_int32 v;
643 {
644 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
645 }
646
647 static struct block *
648 gen_cmp_le(offrel, offset, size, v)
649 enum e_offrel offrel;
650 u_int offset, size;
651 bpf_int32 v;
652 {
653 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
654 }
655
656 static struct block *
657 gen_mcmp(offrel, offset, size, v, mask)
658 enum e_offrel offrel;
659 u_int offset, size;
660 bpf_int32 v;
661 bpf_u_int32 mask;
662 {
663 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
664 }
665
666 static struct block *
667 gen_bcmp(offrel, offset, size, v)
668 enum e_offrel offrel;
669 register u_int offset, size;
670 register const u_char *v;
671 {
672 register struct block *b, *tmp;
673
674 b = NULL;
675 while (size >= 4) {
676 register const u_char *p = &v[size - 4];
677 bpf_int32 w = ((bpf_int32)p[0] << 24) |
678 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
679
680 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
681 if (b != NULL)
682 gen_and(b, tmp);
683 b = tmp;
684 size -= 4;
685 }
686 while (size >= 2) {
687 register const u_char *p = &v[size - 2];
688 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
689
690 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
691 if (b != NULL)
692 gen_and(b, tmp);
693 b = tmp;
694 size -= 2;
695 }
696 if (size > 0) {
697 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
698 if (b != NULL)
699 gen_and(b, tmp);
700 b = tmp;
701 }
702 return b;
703 }
704
705 /*
706 * AND the field of size "size" at offset "offset" relative to the header
707 * specified by "offrel" with "mask", and compare it with the value "v"
708 * with the test specified by "jtype"; if "reverse" is true, the test
709 * should test the opposite of "jtype".
710 */
711 static struct block *
712 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
713 enum e_offrel offrel;
714 bpf_int32 v;
715 bpf_u_int32 offset, size, mask, jtype;
716 int reverse;
717 {
718 struct slist *s, *s2;
719 struct block *b;
720
721 s = gen_load_a(offrel, offset, size);
722
723 if (mask != 0xffffffff) {
724 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
725 s2->s.k = mask;
726 sappend(s, s2);
727 }
728
729 b = new_block(JMP(jtype));
730 b->stmts = s;
731 b->s.k = v;
732 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
733 gen_not(b);
734 return b;
735 }
736
737 /*
738 * Various code constructs need to know the layout of the data link
739 * layer. These variables give the necessary offsets from the beginning
740 * of the packet data.
741 */
742
743 /*
744 * This is the offset of the beginning of the link-layer header from
745 * the beginning of the raw packet data.
746 *
747 * It's usually 0, except for 802.11 with a fixed-length radio header.
748 * (For 802.11 with a variable-length radio header, we have to generate
749 * code to compute that offset; off_ll is 0 in that case.)
750 */
751 static u_int off_ll;
752
753 /*
754 * If there's a variable-length header preceding the link-layer header,
755 * "reg_off_ll" is the register number for a register containing the
756 * length of that header, and therefore the offset of the link-layer
757 * header from the beginning of the raw packet data. Otherwise,
758 * "reg_off_ll" is -1.
759 */
760 static int reg_off_ll;
761
762 /*
763 * This is the offset of the beginning of the MAC-layer header from
764 * the beginning of the link-layer header.
765 * It's usually 0, except for ATM LANE, where it's the offset, relative
766 * to the beginning of the raw packet data, of the Ethernet header.
767 */
768 static u_int off_mac;
769
770 /*
771 * This is the offset of the beginning of the MAC-layer payload,
772 * from the beginning of the raw packet data.
773 *
774 * I.e., it's the sum of the length of the link-layer header (without,
775 * for example, any 802.2 LLC header, so it's the MAC-layer
776 * portion of that header), plus any prefix preceding the
777 * link-layer header.
778 */
779 static u_int off_macpl;
780
781 /*
782 * This is 1 if the offset of the beginning of the MAC-layer payload
783 * from the beginning of the link-layer header is variable-length.
784 */
785 static int off_macpl_is_variable;
786
787 /*
788 * If the link layer has variable_length headers, "reg_off_macpl"
789 * is the register number for a register containing the length of the
790 * link-layer header plus the length of any variable-length header
791 * preceding the link-layer header. Otherwise, "reg_off_macpl"
792 * is -1.
793 */
794 static int reg_off_macpl;
795
796 /*
797 * "off_linktype" is the offset to information in the link-layer header
798 * giving the packet type. This offset is relative to the beginning
799 * of the link-layer header (i.e., it doesn't include off_ll).
800 *
801 * For Ethernet, it's the offset of the Ethernet type field.
802 *
803 * For link-layer types that always use 802.2 headers, it's the
804 * offset of the LLC header.
805 *
806 * For PPP, it's the offset of the PPP type field.
807 *
808 * For Cisco HDLC, it's the offset of the CHDLC type field.
809 *
810 * For BSD loopback, it's the offset of the AF_ value.
811 *
812 * For Linux cooked sockets, it's the offset of the type field.
813 *
814 * It's set to -1 for no encapsulation, in which case, IP is assumed.
815 */
816 static u_int off_linktype;
817
818 /*
819 * TRUE if "pppoes" appeared in the filter; it causes link-layer type
820 * checks to check the PPP header, assumed to follow a LAN-style link-
821 * layer header and a PPPoE session header.
822 */
823 static int is_pppoes = 0;
824
825 /*
826 * TRUE if the link layer includes an ATM pseudo-header.
827 */
828 static int is_atm = 0;
829
830 /*
831 * TRUE if "lane" appeared in the filter; it causes us to generate
832 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
833 */
834 static int is_lane = 0;
835
836 /*
837 * These are offsets for the ATM pseudo-header.
838 */
839 static u_int off_vpi;
840 static u_int off_vci;
841 static u_int off_proto;
842
843 /*
844 * These are offsets for the MTP2 fields.
845 */
846 static u_int off_li;
847
848 /*
849 * These are offsets for the MTP3 fields.
850 */
851 static u_int off_sio;
852 static u_int off_opc;
853 static u_int off_dpc;
854 static u_int off_sls;
855
856 /*
857 * This is the offset of the first byte after the ATM pseudo_header,
858 * or -1 if there is no ATM pseudo-header.
859 */
860 static u_int off_payload;
861
862 /*
863 * These are offsets to the beginning of the network-layer header.
864 * They are relative to the beginning of the MAC-layer payload (i.e.,
865 * they don't include off_ll or off_macpl).
866 *
867 * If the link layer never uses 802.2 LLC:
868 *
869 * "off_nl" and "off_nl_nosnap" are the same.
870 *
871 * If the link layer always uses 802.2 LLC:
872 *
873 * "off_nl" is the offset if there's a SNAP header following
874 * the 802.2 header;
875 *
876 * "off_nl_nosnap" is the offset if there's no SNAP header.
877 *
878 * If the link layer is Ethernet:
879 *
880 * "off_nl" is the offset if the packet is an Ethernet II packet
881 * (we assume no 802.3+802.2+SNAP);
882 *
883 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
884 * with an 802.2 header following it.
885 */
886 static u_int off_nl;
887 static u_int off_nl_nosnap;
888
889 static int linktype;
890
891 static void
892 init_linktype(p)
893 pcap_t *p;
894 {
895 linktype = pcap_datalink(p);
896 #ifdef PCAP_FDDIPAD
897 pcap_fddipad = p->fddipad;
898 #endif
899
900 /*
901 * Assume it's not raw ATM with a pseudo-header, for now.
902 */
903 off_mac = 0;
904 is_atm = 0;
905 is_lane = 0;
906 off_vpi = -1;
907 off_vci = -1;
908 off_proto = -1;
909 off_payload = -1;
910
911 /*
912 * And that we're not doing PPPoE.
913 */
914 is_pppoes = 0;
915
916 /*
917 * And assume we're not doing SS7.
918 */
919 off_li = -1;
920 off_sio = -1;
921 off_opc = -1;
922 off_dpc = -1;
923 off_sls = -1;
924
925 /*
926 * Also assume it's not 802.11.
927 */
928 off_ll = 0;
929 off_macpl = 0;
930 off_macpl_is_variable = 0;
931
932 orig_linktype = -1;
933 orig_nl = -1;
934 label_stack_depth = 0;
935
936 reg_off_ll = -1;
937 reg_off_macpl = -1;
938
939 switch (linktype) {
940
941 case DLT_ARCNET:
942 off_linktype = 2;
943 off_macpl = 6;
944 off_nl = 0; /* XXX in reality, variable! */
945 off_nl_nosnap = 0; /* no 802.2 LLC */
946 return;
947
948 case DLT_ARCNET_LINUX:
949 off_linktype = 4;
950 off_macpl = 8;
951 off_nl = 0; /* XXX in reality, variable! */
952 off_nl_nosnap = 0; /* no 802.2 LLC */
953 return;
954
955 case DLT_EN10MB:
956 off_linktype = 12;
957 off_macpl = 14; /* Ethernet header length */
958 off_nl = 0; /* Ethernet II */
959 off_nl_nosnap = 3; /* 802.3+802.2 */
960 return;
961
962 case DLT_SLIP:
963 /*
964 * SLIP doesn't have a link level type. The 16 byte
965 * header is hacked into our SLIP driver.
966 */
967 off_linktype = -1;
968 off_macpl = 16;
969 off_nl = 0;
970 off_nl_nosnap = 0; /* no 802.2 LLC */
971 return;
972
973 case DLT_SLIP_BSDOS:
974 /* XXX this may be the same as the DLT_PPP_BSDOS case */
975 off_linktype = -1;
976 /* XXX end */
977 off_macpl = 24;
978 off_nl = 0;
979 off_nl_nosnap = 0; /* no 802.2 LLC */
980 return;
981
982 case DLT_NULL:
983 case DLT_LOOP:
984 off_linktype = 0;
985 off_macpl = 4;
986 off_nl = 0;
987 off_nl_nosnap = 0; /* no 802.2 LLC */
988 return;
989
990 case DLT_ENC:
991 off_linktype = 0;
992 off_macpl = 12;
993 off_nl = 0;
994 off_nl_nosnap = 0; /* no 802.2 LLC */
995 return;
996
997 case DLT_PPP:
998 case DLT_PPP_PPPD:
999 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1000 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1001 off_linktype = 2;
1002 off_macpl = 4;
1003 off_nl = 0;
1004 off_nl_nosnap = 0; /* no 802.2 LLC */
1005 return;
1006
1007 case DLT_PPP_ETHER:
1008 /*
1009 * This does no include the Ethernet header, and
1010 * only covers session state.
1011 */
1012 off_linktype = 6;
1013 off_macpl = 8;
1014 off_nl = 0;
1015 off_nl_nosnap = 0; /* no 802.2 LLC */
1016 return;
1017
1018 case DLT_PPP_BSDOS:
1019 off_linktype = 5;
1020 off_macpl = 24;
1021 off_nl = 0;
1022 off_nl_nosnap = 0; /* no 802.2 LLC */
1023 return;
1024
1025 case DLT_FDDI:
1026 /*
1027 * FDDI doesn't really have a link-level type field.
1028 * We set "off_linktype" to the offset of the LLC header.
1029 *
1030 * To check for Ethernet types, we assume that SSAP = SNAP
1031 * is being used and pick out the encapsulated Ethernet type.
1032 * XXX - should we generate code to check for SNAP?
1033 */
1034 off_linktype = 13;
1035 #ifdef PCAP_FDDIPAD
1036 off_linktype += pcap_fddipad;
1037 #endif
1038 off_macpl = 13; /* FDDI MAC header length */
1039 #ifdef PCAP_FDDIPAD
1040 off_macpl += pcap_fddipad;
1041 #endif
1042 off_nl = 8; /* 802.2+SNAP */
1043 off_nl_nosnap = 3; /* 802.2 */
1044 return;
1045
1046 case DLT_IEEE802:
1047 /*
1048 * Token Ring doesn't really have a link-level type field.
1049 * We set "off_linktype" to the offset of the LLC header.
1050 *
1051 * To check for Ethernet types, we assume that SSAP = SNAP
1052 * is being used and pick out the encapsulated Ethernet type.
1053 * XXX - should we generate code to check for SNAP?
1054 *
1055 * XXX - the header is actually variable-length.
1056 * Some various Linux patched versions gave 38
1057 * as "off_linktype" and 40 as "off_nl"; however,
1058 * if a token ring packet has *no* routing
1059 * information, i.e. is not source-routed, the correct
1060 * values are 20 and 22, as they are in the vanilla code.
1061 *
1062 * A packet is source-routed iff the uppermost bit
1063 * of the first byte of the source address, at an
1064 * offset of 8, has the uppermost bit set. If the
1065 * packet is source-routed, the total number of bytes
1066 * of routing information is 2 plus bits 0x1F00 of
1067 * the 16-bit value at an offset of 14 (shifted right
1068 * 8 - figure out which byte that is).
1069 */
1070 off_linktype = 14;
1071 off_macpl = 14; /* Token Ring MAC header length */
1072 off_nl = 8; /* 802.2+SNAP */
1073 off_nl_nosnap = 3; /* 802.2 */
1074 return;
1075
1076 case DLT_IEEE802_11:
1077 case DLT_PRISM_HEADER:
1078 case DLT_IEEE802_11_RADIO_AVS:
1079 case DLT_IEEE802_11_RADIO:
1080 /*
1081 * 802.11 doesn't really have a link-level type field.
1082 * We set "off_linktype" to the offset of the LLC header.
1083 *
1084 * To check for Ethernet types, we assume that SSAP = SNAP
1085 * is being used and pick out the encapsulated Ethernet type.
1086 * XXX - should we generate code to check for SNAP?
1087 *
1088 * We also handle variable-length radio headers here.
1089 * The Prism header is in theory variable-length, but in
1090 * practice it's always 144 bytes long. However, some
1091 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1092 * sometimes or always supply an AVS header, so we
1093 * have to check whether the radio header is a Prism
1094 * header or an AVS header, so, in practice, it's
1095 * variable-length.
1096 */
1097 off_linktype = 24;
1098 off_macpl = 0; /* link-layer header is variable-length */
1099 off_macpl_is_variable = 1;
1100 off_nl = 8; /* 802.2+SNAP */
1101 off_nl_nosnap = 3; /* 802.2 */
1102 return;
1103
1104 case DLT_PPI:
1105 /*
1106 * At the moment we treat PPI the same way that we treat
1107 * normal Radiotap encoded packets. The difference is in
1108 * the function that generates the code at the beginning
1109 * to compute the header length. Since this code generator
1110 * of PPI supports bare 802.11 encapsulation only (i.e.
1111 * the encapsulated DLT should be DLT_IEEE802_11) we
1112 * generate code to check for this too.
1113 */
1114 off_linktype = 24;
1115 off_macpl = 0; /* link-layer header is variable-length */
1116 off_macpl_is_variable = 1;
1117 off_nl = 8; /* 802.2+SNAP */
1118 off_nl_nosnap = 3; /* 802.2 */
1119 return;
1120
1121 case DLT_ATM_RFC1483:
1122 case DLT_ATM_CLIP: /* Linux ATM defines this */
1123 /*
1124 * assume routed, non-ISO PDUs
1125 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1126 *
1127 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1128 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1129 * latter would presumably be treated the way PPPoE
1130 * should be, so you can do "pppoe and udp port 2049"
1131 * or "pppoa and tcp port 80" and have it check for
1132 * PPPo{A,E} and a PPP protocol of IP and....
1133 */
1134 off_linktype = 0;
1135 off_macpl = 0; /* packet begins with LLC header */
1136 off_nl = 8; /* 802.2+SNAP */
1137 off_nl_nosnap = 3; /* 802.2 */
1138 return;
1139
1140 case DLT_SUNATM:
1141 /*
1142 * Full Frontal ATM; you get AALn PDUs with an ATM
1143 * pseudo-header.
1144 */
1145 is_atm = 1;
1146 off_vpi = SUNATM_VPI_POS;
1147 off_vci = SUNATM_VCI_POS;
1148 off_proto = PROTO_POS;
1149 off_mac = -1; /* assume LLC-encapsulated, so no MAC-layer header */
1150 off_payload = SUNATM_PKT_BEGIN_POS;
1151 off_linktype = off_payload;
1152 off_macpl = off_payload; /* if LLC-encapsulated */
1153 off_nl = 8; /* 802.2+SNAP */
1154 off_nl_nosnap = 3; /* 802.2 */
1155 return;
1156
1157 case DLT_RAW:
1158 off_linktype = -1;
1159 off_macpl = 0;
1160 off_nl = 0;
1161 off_nl_nosnap = 0; /* no 802.2 LLC */
1162 return;
1163
1164 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1165 off_linktype = 14;
1166 off_macpl = 16;
1167 off_nl = 0;
1168 off_nl_nosnap = 0; /* no 802.2 LLC */
1169 return;
1170
1171 case DLT_LTALK:
1172 /*
1173 * LocalTalk does have a 1-byte type field in the LLAP header,
1174 * but really it just indicates whether there is a "short" or
1175 * "long" DDP packet following.
1176 */
1177 off_linktype = -1;
1178 off_macpl = 0;
1179 off_nl = 0;
1180 off_nl_nosnap = 0; /* no 802.2 LLC */
1181 return;
1182
1183 case DLT_IP_OVER_FC:
1184 /*
1185 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1186 * link-level type field. We set "off_linktype" to the
1187 * offset of the LLC header.
1188 *
1189 * To check for Ethernet types, we assume that SSAP = SNAP
1190 * is being used and pick out the encapsulated Ethernet type.
1191 * XXX - should we generate code to check for SNAP? RFC
1192 * 2625 says SNAP should be used.
1193 */
1194 off_linktype = 16;
1195 off_macpl = 16;
1196 off_nl = 8; /* 802.2+SNAP */
1197 off_nl_nosnap = 3; /* 802.2 */
1198 return;
1199
1200 case DLT_FRELAY:
1201 /*
1202 * XXX - we should set this to handle SNAP-encapsulated
1203 * frames (NLPID of 0x80).
1204 */
1205 off_linktype = -1;
1206 off_macpl = 0;
1207 off_nl = 0;
1208 off_nl_nosnap = 0; /* no 802.2 LLC */
1209 return;
1210
1211 /*
1212 * the only BPF-interesting FRF.16 frames are non-control frames;
1213 * Frame Relay has a variable length link-layer
1214 * so lets start with offset 4 for now and increments later on (FIXME);
1215 */
1216 case DLT_MFR:
1217 off_linktype = -1;
1218 off_macpl = 0;
1219 off_nl = 4;
1220 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1221 return;
1222
1223 case DLT_APPLE_IP_OVER_IEEE1394:
1224 off_linktype = 16;
1225 off_macpl = 18;
1226 off_nl = 0;
1227 off_nl_nosnap = 0; /* no 802.2 LLC */
1228 return;
1229
1230 case DLT_LINUX_IRDA:
1231 /*
1232 * Currently, only raw "link[N:M]" filtering is supported.
1233 */
1234 off_linktype = -1;
1235 off_macpl = -1;
1236 off_nl = -1;
1237 off_nl_nosnap = -1;
1238 return;
1239
1240 case DLT_DOCSIS:
1241 /*
1242 * Currently, only raw "link[N:M]" filtering is supported.
1243 */
1244 off_linktype = -1;
1245 off_macpl = -1;
1246 off_nl = -1;
1247 off_nl_nosnap = -1;
1248 return;
1249
1250 case DLT_SYMANTEC_FIREWALL:
1251 off_linktype = 6;
1252 off_macpl = 44;
1253 off_nl = 0; /* Ethernet II */
1254 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1255 return;
1256
1257 #ifdef HAVE_NET_PFVAR_H
1258 case DLT_PFLOG:
1259 off_linktype = 0;
1260 off_macpl = PFLOG_HDRLEN;
1261 off_nl = 0;
1262 off_nl_nosnap = 0; /* no 802.2 LLC */
1263 return;
1264 #endif
1265
1266 case DLT_JUNIPER_MFR:
1267 case DLT_JUNIPER_MLFR:
1268 case DLT_JUNIPER_MLPPP:
1269 case DLT_JUNIPER_PPP:
1270 case DLT_JUNIPER_CHDLC:
1271 case DLT_JUNIPER_FRELAY:
1272 off_linktype = 4;
1273 off_macpl = 4;
1274 off_nl = 0;
1275 off_nl_nosnap = -1; /* no 802.2 LLC */
1276 return;
1277
1278 case DLT_JUNIPER_ATM1:
1279 off_linktype = 4; /* in reality variable between 4-8 */
1280 off_macpl = 4; /* in reality variable between 4-8 */
1281 off_nl = 0;
1282 off_nl_nosnap = 10;
1283 return;
1284
1285 case DLT_JUNIPER_ATM2:
1286 off_linktype = 8; /* in reality variable between 8-12 */
1287 off_macpl = 8; /* in reality variable between 8-12 */
1288 off_nl = 0;
1289 off_nl_nosnap = 10;
1290 return;
1291
1292 /* frames captured on a Juniper PPPoE service PIC
1293 * contain raw ethernet frames */
1294 case DLT_JUNIPER_PPPOE:
1295 case DLT_JUNIPER_ETHER:
1296 off_macpl = 14;
1297 off_linktype = 16;
1298 off_nl = 18; /* Ethernet II */
1299 off_nl_nosnap = 21; /* 802.3+802.2 */
1300 return;
1301
1302 case DLT_JUNIPER_PPPOE_ATM:
1303 off_linktype = 4;
1304 off_macpl = 6;
1305 off_nl = 0;
1306 off_nl_nosnap = -1; /* no 802.2 LLC */
1307 return;
1308
1309 case DLT_JUNIPER_GGSN:
1310 off_linktype = 6;
1311 off_macpl = 12;
1312 off_nl = 0;
1313 off_nl_nosnap = -1; /* no 802.2 LLC */
1314 return;
1315
1316 case DLT_JUNIPER_ES:
1317 off_linktype = 6;
1318 off_macpl = -1; /* not really a network layer but raw IP addresses */
1319 off_nl = -1; /* not really a network layer but raw IP addresses */
1320 off_nl_nosnap = -1; /* no 802.2 LLC */
1321 return;
1322
1323 case DLT_JUNIPER_MONITOR:
1324 off_linktype = 12;
1325 off_macpl = 12;
1326 off_nl = 0; /* raw IP/IP6 header */
1327 off_nl_nosnap = -1; /* no 802.2 LLC */
1328 return;
1329
1330 case DLT_JUNIPER_SERVICES:
1331 off_linktype = 12;
1332 off_macpl = -1; /* L3 proto location dep. on cookie type */
1333 off_nl = -1; /* L3 proto location dep. on cookie type */
1334 off_nl_nosnap = -1; /* no 802.2 LLC */
1335 return;
1336
1337 case DLT_JUNIPER_VP:
1338 off_linktype = 18;
1339 off_macpl = -1;
1340 off_nl = -1;
1341 off_nl_nosnap = -1;
1342 return;
1343
1344 case DLT_JUNIPER_ST:
1345 off_linktype = 18;
1346 off_macpl = -1;
1347 off_nl = -1;
1348 off_nl_nosnap = -1;
1349 return;
1350
1351 case DLT_JUNIPER_ISM:
1352 off_linktype = 8;
1353 off_macpl = -1;
1354 off_nl = -1;
1355 off_nl_nosnap = -1;
1356 return;
1357
1358 case DLT_MTP2:
1359 off_li = 2;
1360 off_sio = 3;
1361 off_opc = 4;
1362 off_dpc = 4;
1363 off_sls = 7;
1364 off_linktype = -1;
1365 off_macpl = -1;
1366 off_nl = -1;
1367 off_nl_nosnap = -1;
1368 return;
1369
1370 case DLT_MTP2_WITH_PHDR:
1371 off_li = 6;
1372 off_sio = 7;
1373 off_opc = 8;
1374 off_dpc = 8;
1375 off_sls = 11;
1376 off_linktype = -1;
1377 off_macpl = -1;
1378 off_nl = -1;
1379 off_nl_nosnap = -1;
1380 return;
1381
1382 case DLT_ERF:
1383 off_li = 22;
1384 off_sio = 23;
1385 off_opc = 24;
1386 off_dpc = 24;
1387 off_sls = 27;
1388 off_linktype = -1;
1389 off_macpl = -1;
1390 off_nl = -1;
1391 off_nl_nosnap = -1;
1392 return;
1393
1394 #ifdef DLT_PFSYNC
1395 case DLT_PFSYNC:
1396 off_linktype = -1;
1397 off_macpl = 4;
1398 off_nl = 0;
1399 off_nl_nosnap = 0;
1400 return;
1401 #endif
1402
1403 case DLT_LINUX_LAPD:
1404 /*
1405 * Currently, only raw "link[N:M]" filtering is supported.
1406 */
1407 off_linktype = -1;
1408 off_macpl = -1;
1409 off_nl = -1;
1410 off_nl_nosnap = -1;
1411 return;
1412
1413 case DLT_USB:
1414 /*
1415 * Currently, only raw "link[N:M]" filtering is supported.
1416 */
1417 off_linktype = -1;
1418 off_macpl = -1;
1419 off_nl = -1;
1420 off_nl_nosnap = -1;
1421 return;
1422
1423 case DLT_BLUETOOTH_HCI_H4:
1424 /*
1425 * Currently, only raw "link[N:M]" filtering is supported.
1426 */
1427 off_linktype = -1;
1428 off_macpl = -1;
1429 off_nl = -1;
1430 off_nl_nosnap = -1;
1431 return;
1432
1433 case DLT_USB_LINUX:
1434 /*
1435 * Currently, only raw "link[N:M]" filtering is supported.
1436 */
1437 off_linktype = -1;
1438 off_macpl = -1;
1439 off_nl = -1;
1440 off_nl_nosnap = -1;
1441 return;
1442
1443 case DLT_CAN20B:
1444 /*
1445 * Currently, only raw "link[N:M]" filtering is supported.
1446 */
1447 off_linktype = -1;
1448 off_macpl = -1;
1449 off_nl = -1;
1450 off_nl_nosnap = -1;
1451 return;
1452
1453 case DLT_IEEE802_15_4_LINUX:
1454 /*
1455 * Currently, only raw "link[N:M]" filtering is supported.
1456 */
1457 off_linktype = -1;
1458 off_macpl = -1;
1459 off_nl = -1;
1460 off_nl_nosnap = -1;
1461 return;
1462
1463 case DLT_IEEE802_16_MAC_CPS_RADIO:
1464 /*
1465 * Currently, only raw "link[N:M]" filtering is supported.
1466 */
1467 off_linktype = -1;
1468 off_macpl = -1;
1469 off_nl = -1;
1470 off_nl_nosnap = -1;
1471 return;
1472
1473 case DLT_IEEE802_15_4:
1474 /*
1475 * Currently, only raw "link[N:M]" filtering is supported.
1476 */
1477 off_linktype = -1;
1478 off_macpl = -1;
1479 off_nl = -1;
1480 off_nl_nosnap = -1;
1481 return;
1482
1483 case DLT_SITA:
1484 /*
1485 * Currently, only raw "link[N:M]" filtering is supported.
1486 */
1487 off_linktype = -1;
1488 off_macpl = -1;
1489 off_nl = -1;
1490 off_nl_nosnap = -1;
1491 return;
1492
1493 case DLT_RAIF1:
1494 /*
1495 * Currently, only raw "link[N:M]" filtering is supported.
1496 */
1497 off_linktype = -1;
1498 off_macpl = -1;
1499 off_nl = -1;
1500 off_nl_nosnap = -1;
1501 return;
1502
1503 case DLT_IPMB:
1504 /*
1505 * Currently, only raw "link[N:M]" filtering is supported.
1506 */
1507 off_linktype = -1;
1508 off_macpl = -1;
1509 off_nl = -1;
1510 off_nl_nosnap = -1;
1511 return;
1512
1513 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
1514 /*
1515 * Currently, only raw "link[N:M]" filtering is supported.
1516 */
1517 off_linktype = -1;
1518 off_macpl = -1;
1519 off_nl = -1;
1520 off_nl_nosnap = -1;
1521 return;
1522
1523 case DLT_AX25_KISS:
1524 /*
1525 * Currently, only raw "link[N:M]" filtering is supported.
1526 */
1527 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1528 off_macpl = -1;
1529 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1530 off_nl_nosnap = -1; /* no 802.2 LLC */
1531 off_mac = 1; /* step over the kiss length byte */
1532 return;
1533
1534 case DLT_IEEE802_15_4_NONASK_PHY:
1535 /*
1536 * Currently, only raw "link[N:M]" filtering is supported.
1537 */
1538 off_linktype = -1;
1539 off_macpl = -1;
1540 off_nl = -1;
1541 off_nl_nosnap = -1;
1542 return;
1543
1544 case DLT_MPLS:
1545 /*
1546 * Currently, only raw "link[N:M]" filtering is supported.
1547 */
1548 off_linktype = -1;
1549 off_macpl = -1;
1550 off_nl = -1;
1551 off_nl_nosnap = -1;
1552 return;
1553
1554 case DLT_USB_LINUX_MMAPPED:
1555 /*
1556 * Currently, only raw "link[N:M]" filtering is supported.
1557 */
1558 off_linktype = -1;
1559 off_macpl = -1;
1560 off_nl = -1;
1561 off_nl_nosnap = -1;
1562 return;
1563 }
1564 bpf_error("unknown data link type %d", linktype);
1565 /* NOTREACHED */
1566 }
1567
1568 /*
1569 * Load a value relative to the beginning of the link-layer header.
1570 * The link-layer header doesn't necessarily begin at the beginning
1571 * of the packet data; there might be a variable-length prefix containing
1572 * radio information.
1573 */
1574 static struct slist *
1575 gen_load_llrel(offset, size)
1576 u_int offset, size;
1577 {
1578 struct slist *s, *s2;
1579
1580 s = gen_llprefixlen();
1581
1582 /*
1583 * If "s" is non-null, it has code to arrange that the X register
1584 * contains the length of the prefix preceding the link-layer
1585 * header.
1586 *
1587 * Otherwise, the length of the prefix preceding the link-layer
1588 * header is "off_ll".
1589 */
1590 if (s != NULL) {
1591 /*
1592 * There's a variable-length prefix preceding the
1593 * link-layer header. "s" points to a list of statements
1594 * that put the length of that prefix into the X register.
1595 * do an indirect load, to use the X register as an offset.
1596 */
1597 s2 = new_stmt(BPF_LD|BPF_IND|size);
1598 s2->s.k = offset;
1599 sappend(s, s2);
1600 } else {
1601 /*
1602 * There is no variable-length header preceding the
1603 * link-layer header; add in off_ll, which, if there's
1604 * a fixed-length header preceding the link-layer header,
1605 * is the length of that header.
1606 */
1607 s = new_stmt(BPF_LD|BPF_ABS|size);
1608 s->s.k = offset + off_ll;
1609 }
1610 return s;
1611 }
1612
1613 /*
1614 * Load a value relative to the beginning of the MAC-layer payload.
1615 */
1616 static struct slist *
1617 gen_load_macplrel(offset, size)
1618 u_int offset, size;
1619 {
1620 struct slist *s, *s2;
1621
1622 s = gen_off_macpl();
1623
1624 /*
1625 * If s is non-null, the offset of the MAC-layer payload is
1626 * variable, and s points to a list of instructions that
1627 * arrange that the X register contains that offset.
1628 *
1629 * Otherwise, the offset of the MAC-layer payload is constant,
1630 * and is in off_macpl.
1631 */
1632 if (s != NULL) {
1633 /*
1634 * The offset of the MAC-layer payload is in the X
1635 * register. Do an indirect load, to use the X register
1636 * as an offset.
1637 */
1638 s2 = new_stmt(BPF_LD|BPF_IND|size);
1639 s2->s.k = offset;
1640 sappend(s, s2);
1641 } else {
1642 /*
1643 * The offset of the MAC-layer payload is constant,
1644 * and is in off_macpl; load the value at that offset
1645 * plus the specified offset.
1646 */
1647 s = new_stmt(BPF_LD|BPF_ABS|size);
1648 s->s.k = off_macpl + offset;
1649 }
1650 return s;
1651 }
1652
1653 /*
1654 * Load a value relative to the beginning of the specified header.
1655 */
1656 static struct slist *
1657 gen_load_a(offrel, offset, size)
1658 enum e_offrel offrel;
1659 u_int offset, size;
1660 {
1661 struct slist *s, *s2;
1662
1663 switch (offrel) {
1664
1665 case OR_PACKET:
1666 s = new_stmt(BPF_LD|BPF_ABS|size);
1667 s->s.k = offset;
1668 break;
1669
1670 case OR_LINK:
1671 s = gen_load_llrel(offset, size);
1672 break;
1673
1674 case OR_MACPL:
1675 s = gen_load_macplrel(offset, size);
1676 break;
1677
1678 case OR_NET:
1679 s = gen_load_macplrel(off_nl + offset, size);
1680 break;
1681
1682 case OR_NET_NOSNAP:
1683 s = gen_load_macplrel(off_nl_nosnap + offset, size);
1684 break;
1685
1686 case OR_TRAN_IPV4:
1687 /*
1688 * Load the X register with the length of the IPv4 header
1689 * (plus the offset of the link-layer header, if it's
1690 * preceded by a variable-length header such as a radio
1691 * header), in bytes.
1692 */
1693 s = gen_loadx_iphdrlen();
1694
1695 /*
1696 * Load the item at {offset of the MAC-layer payload} +
1697 * {offset, relative to the start of the MAC-layer
1698 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1699 * {specified offset}.
1700 *
1701 * (If the offset of the MAC-layer payload is variable,
1702 * it's included in the value in the X register, and
1703 * off_macpl is 0.)
1704 */
1705 s2 = new_stmt(BPF_LD|BPF_IND|size);
1706 s2->s.k = off_macpl + off_nl + offset;
1707 sappend(s, s2);
1708 break;
1709
1710 case OR_TRAN_IPV6:
1711 s = gen_load_macplrel(off_nl + 40 + offset, size);
1712 break;
1713
1714 default:
1715 abort();
1716 return NULL;
1717 }
1718 return s;
1719 }
1720
1721 /*
1722 * Generate code to load into the X register the sum of the length of
1723 * the IPv4 header and any variable-length header preceding the link-layer
1724 * header.
1725 */
1726 static struct slist *
1727 gen_loadx_iphdrlen()
1728 {
1729 struct slist *s, *s2;
1730
1731 s = gen_off_macpl();
1732 if (s != NULL) {
1733 /*
1734 * There's a variable-length prefix preceding the
1735 * link-layer header, or the link-layer header is itself
1736 * variable-length. "s" points to a list of statements
1737 * that put the offset of the MAC-layer payload into
1738 * the X register.
1739 *
1740 * The 4*([k]&0xf) addressing mode can't be used, as we
1741 * don't have a constant offset, so we have to load the
1742 * value in question into the A register and add to it
1743 * the value from the X register.
1744 */
1745 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1746 s2->s.k = off_nl;
1747 sappend(s, s2);
1748 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1749 s2->s.k = 0xf;
1750 sappend(s, s2);
1751 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1752 s2->s.k = 2;
1753 sappend(s, s2);
1754
1755 /*
1756 * The A register now contains the length of the
1757 * IP header. We need to add to it the offset of
1758 * the MAC-layer payload, which is still in the X
1759 * register, and move the result into the X register.
1760 */
1761 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1762 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1763 } else {
1764 /*
1765 * There is no variable-length header preceding the
1766 * link-layer header, and the link-layer header is
1767 * fixed-length; load the length of the IPv4 header,
1768 * which is at an offset of off_nl from the beginning
1769 * of the MAC-layer payload, and thus at an offset
1770 * of off_mac_pl + off_nl from the beginning of the
1771 * raw packet data.
1772 */
1773 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1774 s->s.k = off_macpl + off_nl;
1775 }
1776 return s;
1777 }
1778
1779 static struct block *
1780 gen_uncond(rsense)
1781 int rsense;
1782 {
1783 struct block *b;
1784 struct slist *s;
1785
1786 s = new_stmt(BPF_LD|BPF_IMM);
1787 s->s.k = !rsense;
1788 b = new_block(JMP(BPF_JEQ));
1789 b->stmts = s;
1790
1791 return b;
1792 }
1793
1794 static inline struct block *
1795 gen_true()
1796 {
1797 return gen_uncond(1);
1798 }
1799
1800 static inline struct block *
1801 gen_false()
1802 {
1803 return gen_uncond(0);
1804 }
1805
1806 /*
1807 * Byte-swap a 32-bit number.
1808 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1809 * big-endian platforms.)
1810 */
1811 #define SWAPLONG(y) \
1812 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1813
1814 /*
1815 * Generate code to match a particular packet type.
1816 *
1817 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1818 * value, if <= ETHERMTU. We use that to determine whether to
1819 * match the type/length field or to check the type/length field for
1820 * a value <= ETHERMTU to see whether it's a type field and then do
1821 * the appropriate test.
1822 */
1823 static struct block *
1824 gen_ether_linktype(proto)
1825 register int proto;
1826 {
1827 struct block *b0, *b1;
1828
1829 switch (proto) {
1830
1831 case LLCSAP_ISONS:
1832 case LLCSAP_IP:
1833 case LLCSAP_NETBEUI:
1834 /*
1835 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1836 * so we check the DSAP and SSAP.
1837 *
1838 * LLCSAP_IP checks for IP-over-802.2, rather
1839 * than IP-over-Ethernet or IP-over-SNAP.
1840 *
1841 * XXX - should we check both the DSAP and the
1842 * SSAP, like this, or should we check just the
1843 * DSAP, as we do for other types <= ETHERMTU
1844 * (i.e., other SAP values)?
1845 */
1846 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1847 gen_not(b0);
1848 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
1849 ((proto << 8) | proto));
1850 gen_and(b0, b1);
1851 return b1;
1852
1853 case LLCSAP_IPX:
1854 /*
1855 * Check for;
1856 *
1857 * Ethernet_II frames, which are Ethernet
1858 * frames with a frame type of ETHERTYPE_IPX;
1859 *
1860 * Ethernet_802.3 frames, which are 802.3
1861 * frames (i.e., the type/length field is
1862 * a length field, <= ETHERMTU, rather than
1863 * a type field) with the first two bytes
1864 * after the Ethernet/802.3 header being
1865 * 0xFFFF;
1866 *
1867 * Ethernet_802.2 frames, which are 802.3
1868 * frames with an 802.2 LLC header and
1869 * with the IPX LSAP as the DSAP in the LLC
1870 * header;
1871 *
1872 * Ethernet_SNAP frames, which are 802.3
1873 * frames with an LLC header and a SNAP
1874 * header and with an OUI of 0x000000
1875 * (encapsulated Ethernet) and a protocol
1876 * ID of ETHERTYPE_IPX in the SNAP header.
1877 *
1878 * XXX - should we generate the same code both
1879 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1880 */
1881
1882 /*
1883 * This generates code to check both for the
1884 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1885 */
1886 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1887 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)0xFFFF);
1888 gen_or(b0, b1);
1889
1890 /*
1891 * Now we add code to check for SNAP frames with
1892 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1893 */
1894 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1895 gen_or(b0, b1);
1896
1897 /*
1898 * Now we generate code to check for 802.3
1899 * frames in general.
1900 */
1901 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1902 gen_not(b0);
1903
1904 /*
1905 * Now add the check for 802.3 frames before the
1906 * check for Ethernet_802.2 and Ethernet_802.3,
1907 * as those checks should only be done on 802.3
1908 * frames, not on Ethernet frames.
1909 */
1910 gen_and(b0, b1);
1911
1912 /*
1913 * Now add the check for Ethernet_II frames, and
1914 * do that before checking for the other frame
1915 * types.
1916 */
1917 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1918 (bpf_int32)ETHERTYPE_IPX);
1919 gen_or(b0, b1);
1920 return b1;
1921
1922 case ETHERTYPE_ATALK:
1923 case ETHERTYPE_AARP:
1924 /*
1925 * EtherTalk (AppleTalk protocols on Ethernet link
1926 * layer) may use 802.2 encapsulation.
1927 */
1928
1929 /*
1930 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1931 * we check for an Ethernet type field less than
1932 * 1500, which means it's an 802.3 length field.
1933 */
1934 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1935 gen_not(b0);
1936
1937 /*
1938 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1939 * SNAP packets with an organization code of
1940 * 0x080007 (Apple, for Appletalk) and a protocol
1941 * type of ETHERTYPE_ATALK (Appletalk).
1942 *
1943 * 802.2-encapsulated ETHERTYPE_AARP packets are
1944 * SNAP packets with an organization code of
1945 * 0x000000 (encapsulated Ethernet) and a protocol
1946 * type of ETHERTYPE_AARP (Appletalk ARP).
1947 */
1948 if (proto == ETHERTYPE_ATALK)
1949 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1950 else /* proto == ETHERTYPE_AARP */
1951 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1952 gen_and(b0, b1);
1953
1954 /*
1955 * Check for Ethernet encapsulation (Ethertalk
1956 * phase 1?); we just check for the Ethernet
1957 * protocol type.
1958 */
1959 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1960
1961 gen_or(b0, b1);
1962 return b1;
1963
1964 default:
1965 if (proto <= ETHERMTU) {
1966 /*
1967 * This is an LLC SAP value, so the frames
1968 * that match would be 802.2 frames.
1969 * Check that the frame is an 802.2 frame
1970 * (i.e., that the length/type field is
1971 * a length field, <= ETHERMTU) and
1972 * then check the DSAP.
1973 */
1974 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1975 gen_not(b0);
1976 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1977 (bpf_int32)proto);
1978 gen_and(b0, b1);
1979 return b1;
1980 } else {
1981 /*
1982 * This is an Ethernet type, so compare
1983 * the length/type field with it (if
1984 * the frame is an 802.2 frame, the length
1985 * field will be <= ETHERMTU, and, as
1986 * "proto" is > ETHERMTU, this test
1987 * will fail and the frame won't match,
1988 * which is what we want).
1989 */
1990 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1991 (bpf_int32)proto);
1992 }
1993 }
1994 }
1995
1996 /*
1997 * Generate code to match a particular packet type.
1998 *
1999 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2000 * value, if <= ETHERMTU. We use that to determine whether to
2001 * match the type field or to check the type field for the special
2002 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2003 */
2004 static struct block *
2005 gen_linux_sll_linktype(proto)
2006 register int proto;
2007 {
2008 struct block *b0, *b1;
2009
2010 switch (proto) {
2011
2012 case LLCSAP_ISONS:
2013 case LLCSAP_IP:
2014 case LLCSAP_NETBEUI:
2015 /*
2016 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2017 * so we check the DSAP and SSAP.
2018 *
2019 * LLCSAP_IP checks for IP-over-802.2, rather
2020 * than IP-over-Ethernet or IP-over-SNAP.
2021 *
2022 * XXX - should we check both the DSAP and the
2023 * SSAP, like this, or should we check just the
2024 * DSAP, as we do for other types <= ETHERMTU
2025 * (i.e., other SAP values)?
2026 */
2027 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2028 b1 = gen_cmp(OR_MACPL, 0, BPF_H, (bpf_int32)
2029 ((proto << 8) | proto));
2030 gen_and(b0, b1);
2031 return b1;
2032
2033 case LLCSAP_IPX:
2034 /*
2035 * Ethernet_II frames, which are Ethernet
2036 * frames with a frame type of ETHERTYPE_IPX;
2037 *
2038 * Ethernet_802.3 frames, which have a frame
2039 * type of LINUX_SLL_P_802_3;
2040 *
2041 * Ethernet_802.2 frames, which are 802.3
2042 * frames with an 802.2 LLC header (i.e, have
2043 * a frame type of LINUX_SLL_P_802_2) and
2044 * with the IPX LSAP as the DSAP in the LLC
2045 * header;
2046 *
2047 * Ethernet_SNAP frames, which are 802.3
2048 * frames with an LLC header and a SNAP
2049 * header and with an OUI of 0x000000
2050 * (encapsulated Ethernet) and a protocol
2051 * ID of ETHERTYPE_IPX in the SNAP header.
2052 *
2053 * First, do the checks on LINUX_SLL_P_802_2
2054 * frames; generate the check for either
2055 * Ethernet_802.2 or Ethernet_SNAP frames, and
2056 * then put a check for LINUX_SLL_P_802_2 frames
2057 * before it.
2058 */
2059 b0 = gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2060 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
2061 gen_or(b0, b1);
2062 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2063 gen_and(b0, b1);
2064
2065 /*
2066 * Now check for 802.3 frames and OR that with
2067 * the previous test.
2068 */
2069 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
2070 gen_or(b0, b1);
2071
2072 /*
2073 * Now add the check for Ethernet_II frames, and
2074 * do that before checking for the other frame
2075 * types.
2076 */
2077 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2078 (bpf_int32)ETHERTYPE_IPX);
2079 gen_or(b0, b1);
2080 return b1;
2081
2082 case ETHERTYPE_ATALK:
2083 case ETHERTYPE_AARP:
2084 /*
2085 * EtherTalk (AppleTalk protocols on Ethernet link
2086 * layer) may use 802.2 encapsulation.
2087 */
2088
2089 /*
2090 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2091 * we check for the 802.2 protocol type in the
2092 * "Ethernet type" field.
2093 */
2094 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
2095
2096 /*
2097 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2098 * SNAP packets with an organization code of
2099 * 0x080007 (Apple, for Appletalk) and a protocol
2100 * type of ETHERTYPE_ATALK (Appletalk).
2101 *
2102 * 802.2-encapsulated ETHERTYPE_AARP packets are
2103 * SNAP packets with an organization code of
2104 * 0x000000 (encapsulated Ethernet) and a protocol
2105 * type of ETHERTYPE_AARP (Appletalk ARP).
2106 */
2107 if (proto == ETHERTYPE_ATALK)
2108 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2109 else /* proto == ETHERTYPE_AARP */
2110 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2111 gen_and(b0, b1);
2112
2113 /*
2114 * Check for Ethernet encapsulation (Ethertalk
2115 * phase 1?); we just check for the Ethernet
2116 * protocol type.
2117 */
2118 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2119
2120 gen_or(b0, b1);
2121 return b1;
2122
2123 default:
2124 if (proto <= ETHERMTU) {
2125 /*
2126 * This is an LLC SAP value, so the frames
2127 * that match would be 802.2 frames.
2128 * Check for the 802.2 protocol type
2129 * in the "Ethernet type" field, and
2130 * then check the DSAP.
2131 */
2132 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
2133 LINUX_SLL_P_802_2);
2134 b1 = gen_cmp(OR_LINK, off_macpl, BPF_B,
2135 (bpf_int32)proto);
2136 gen_and(b0, b1);
2137 return b1;
2138 } else {
2139 /*
2140 * This is an Ethernet type, so compare
2141 * the length/type field with it (if
2142 * the frame is an 802.2 frame, the length
2143 * field will be <= ETHERMTU, and, as
2144 * "proto" is > ETHERMTU, this test
2145 * will fail and the frame won't match,
2146 * which is what we want).
2147 */
2148 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2149 (bpf_int32)proto);
2150 }
2151 }
2152 }
2153
2154 static struct slist *
2155 gen_load_prism_llprefixlen()
2156 {
2157 struct slist *s1, *s2;
2158 struct slist *sjeq_avs_cookie;
2159 struct slist *sjcommon;
2160
2161 /*
2162 * This code is not compatible with the optimizer, as
2163 * we are generating jmp instructions within a normal
2164 * slist of instructions
2165 */
2166 no_optimize = 1;
2167
2168 /*
2169 * Generate code to load the length of the radio header into
2170 * the register assigned to hold that length, if one has been
2171 * assigned. (If one hasn't been assigned, no code we've
2172 * generated uses that prefix, so we don't need to generate any
2173 * code to load it.)
2174 *
2175 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2176 * or always use the AVS header rather than the Prism header.
2177 * We load a 4-byte big-endian value at the beginning of the
2178 * raw packet data, and see whether, when masked with 0xFFFFF000,
2179 * it's equal to 0x80211000. If so, that indicates that it's
2180 * an AVS header (the masked-out bits are the version number).
2181 * Otherwise, it's a Prism header.
2182 *
2183 * XXX - the Prism header is also, in theory, variable-length,
2184 * but no known software generates headers that aren't 144
2185 * bytes long.
2186 */
2187 if (reg_off_ll != -1) {
2188 /*
2189 * Load the cookie.
2190 */
2191 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2192 s1->s.k = 0;
2193
2194 /*
2195 * AND it with 0xFFFFF000.
2196 */
2197 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2198 s2->s.k = 0xFFFFF000;
2199 sappend(s1, s2);
2200
2201 /*
2202 * Compare with 0x80211000.
2203 */
2204 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2205 sjeq_avs_cookie->s.k = 0x80211000;
2206 sappend(s1, sjeq_avs_cookie);
2207
2208 /*
2209 * If it's AVS:
2210 *
2211 * The 4 bytes at an offset of 4 from the beginning of
2212 * the AVS header are the length of the AVS header.
2213 * That field is big-endian.
2214 */
2215 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2216 s2->s.k = 4;
2217 sappend(s1, s2);
2218 sjeq_avs_cookie->s.jt = s2;
2219
2220 /*
2221 * Now jump to the code to allocate a register
2222 * into which to save the header length and
2223 * store the length there. (The "jump always"
2224 * instruction needs to have the k field set;
2225 * it's added to the PC, so, as we're jumping
2226 * over a single instruction, it should be 1.)
2227 */
2228 sjcommon = new_stmt(JMP(BPF_JA));
2229 sjcommon->s.k = 1;
2230 sappend(s1, sjcommon);
2231
2232 /*
2233 * Now for the code that handles the Prism header.
2234 * Just load the length of the Prism header (144)
2235 * into the A register. Have the test for an AVS
2236 * header branch here if we don't have an AVS header.
2237 */
2238 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2239 s2->s.k = 144;
2240 sappend(s1, s2);
2241 sjeq_avs_cookie->s.jf = s2;
2242
2243 /*
2244 * Now allocate a register to hold that value and store
2245 * it. The code for the AVS header will jump here after
2246 * loading the length of the AVS header.
2247 */
2248 s2 = new_stmt(BPF_ST);
2249 s2->s.k = reg_off_ll;
2250 sappend(s1, s2);
2251 sjcommon->s.jf = s2;
2252
2253 /*
2254 * Now move it into the X register.
2255 */
2256 s2 = new_stmt(BPF_MISC|BPF_TAX);
2257 sappend(s1, s2);
2258
2259 return (s1);
2260 } else
2261 return (NULL);
2262 }
2263
2264 static struct slist *
2265 gen_load_avs_llprefixlen()
2266 {
2267 struct slist *s1, *s2;
2268
2269 /*
2270 * Generate code to load the length of the AVS header into
2271 * the register assigned to hold that length, if one has been
2272 * assigned. (If one hasn't been assigned, no code we've
2273 * generated uses that prefix, so we don't need to generate any
2274 * code to load it.)
2275 */
2276 if (reg_off_ll != -1) {
2277 /*
2278 * The 4 bytes at an offset of 4 from the beginning of
2279 * the AVS header are the length of the AVS header.
2280 * That field is big-endian.
2281 */
2282 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2283 s1->s.k = 4;
2284
2285 /*
2286 * Now allocate a register to hold that value and store
2287 * it.
2288 */
2289 s2 = new_stmt(BPF_ST);
2290 s2->s.k = reg_off_ll;
2291 sappend(s1, s2);
2292
2293 /*
2294 * Now move it into the X register.
2295 */
2296 s2 = new_stmt(BPF_MISC|BPF_TAX);
2297 sappend(s1, s2);
2298
2299 return (s1);
2300 } else
2301 return (NULL);
2302 }
2303
2304 static struct slist *
2305 gen_load_radiotap_llprefixlen()
2306 {
2307 struct slist *s1, *s2;
2308
2309 /*
2310 * Generate code to load the length of the radiotap header into
2311 * the register assigned to hold that length, if one has been
2312 * assigned. (If one hasn't been assigned, no code we've
2313 * generated uses that prefix, so we don't need to generate any
2314 * code to load it.)
2315 */
2316 if (reg_off_ll != -1) {
2317 /*
2318 * The 2 bytes at offsets of 2 and 3 from the beginning
2319 * of the radiotap header are the length of the radiotap
2320 * header; unfortunately, it's little-endian, so we have
2321 * to load it a byte at a time and construct the value.
2322 */
2323
2324 /*
2325 * Load the high-order byte, at an offset of 3, shift it
2326 * left a byte, and put the result in the X register.
2327 */
2328 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2329 s1->s.k = 3;
2330 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2331 sappend(s1, s2);
2332 s2->s.k = 8;
2333 s2 = new_stmt(BPF_MISC|BPF_TAX);
2334 sappend(s1, s2);
2335
2336 /*
2337 * Load the next byte, at an offset of 2, and OR the
2338 * value from the X register into it.
2339 */
2340 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2341 sappend(s1, s2);
2342 s2->s.k = 2;
2343 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2344 sappend(s1, s2);
2345
2346 /*
2347 * Now allocate a register to hold that value and store
2348 * it.
2349 */
2350 s2 = new_stmt(BPF_ST);
2351 s2->s.k = reg_off_ll;
2352 sappend(s1, s2);
2353
2354 /*
2355 * Now move it into the X register.
2356 */
2357 s2 = new_stmt(BPF_MISC|BPF_TAX);
2358 sappend(s1, s2);
2359
2360 return (s1);
2361 } else
2362 return (NULL);
2363 }
2364
2365 /*
2366 * At the moment we treat PPI as normal Radiotap encoded
2367 * packets. The difference is in the function that generates
2368 * the code at the beginning to compute the header length.
2369 * Since this code generator of PPI supports bare 802.11
2370 * encapsulation only (i.e. the encapsulated DLT should be
2371 * DLT_IEEE802_11) we generate code to check for this too;
2372 * that's done in finish_parse().
2373 */
2374 static struct slist *
2375 gen_load_ppi_llprefixlen()
2376 {
2377 struct slist *s1, *s2;
2378
2379 /*
2380 * Generate code to load the length of the radiotap header
2381 * into the register assigned to hold that length, if one has
2382 * been assigned.
2383 */
2384 if (reg_off_ll != -1) {
2385 /*
2386 * The 2 bytes at offsets of 2 and 3 from the beginning
2387 * of the radiotap header are the length of the radiotap
2388 * header; unfortunately, it's little-endian, so we have
2389 * to load it a byte at a time and construct the value.
2390 */
2391
2392 /*
2393 * Load the high-order byte, at an offset of 3, shift it
2394 * left a byte, and put the result in the X register.
2395 */
2396 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2397 s1->s.k = 3;
2398 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2399 sappend(s1, s2);
2400 s2->s.k = 8;
2401 s2 = new_stmt(BPF_MISC|BPF_TAX);
2402 sappend(s1, s2);
2403
2404 /*
2405 * Load the next byte, at an offset of 2, and OR the
2406 * value from the X register into it.
2407 */
2408 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2409 sappend(s1, s2);
2410 s2->s.k = 2;
2411 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2412 sappend(s1, s2);
2413
2414 /*
2415 * Now allocate a register to hold that value and store
2416 * it.
2417 */
2418 s2 = new_stmt(BPF_ST);
2419 s2->s.k = reg_off_ll;
2420 sappend(s1, s2);
2421
2422 /*
2423 * Now move it into the X register.
2424 */
2425 s2 = new_stmt(BPF_MISC|BPF_TAX);
2426 sappend(s1, s2);
2427
2428 return (s1);
2429 } else
2430 return (NULL);
2431 }
2432
2433 /*
2434 * Load a value relative to the beginning of the link-layer header after the 802.11
2435 * header, i.e. LLC_SNAP.
2436 * The link-layer header doesn't necessarily begin at the beginning
2437 * of the packet data; there might be a variable-length prefix containing
2438 * radio information.
2439 */
2440 static struct slist *
2441 gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2442 {
2443 struct slist *s2;
2444 struct slist *sjset_data_frame_1;
2445 struct slist *sjset_data_frame_2;
2446 struct slist *sjset_qos;
2447 struct slist *sjset_radiotap_flags;
2448 struct slist *sjset_radiotap_tsft;
2449 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2450 struct slist *s_roundup;
2451
2452 if (reg_off_macpl == -1) {
2453 /*
2454 * No register has been assigned to the offset of
2455 * the MAC-layer payload, which means nobody needs
2456 * it; don't bother computing it - just return
2457 * what we already have.
2458 */
2459 return (s);
2460 }
2461
2462 /*
2463 * This code is not compatible with the optimizer, as
2464 * we are generating jmp instructions within a normal
2465 * slist of instructions
2466 */
2467 no_optimize = 1;
2468
2469 /*
2470 * If "s" is non-null, it has code to arrange that the X register
2471 * contains the length of the prefix preceding the link-layer
2472 * header.
2473 *
2474 * Otherwise, the length of the prefix preceding the link-layer
2475 * header is "off_ll".
2476 */
2477 if (s == NULL) {
2478 /*
2479 * There is no variable-length header preceding the
2480 * link-layer header.
2481 *
2482 * Load the length of the fixed-length prefix preceding
2483 * the link-layer header (if any) into the X register,
2484 * and store it in the reg_off_macpl register.
2485 * That length is off_ll.
2486 */
2487 s = new_stmt(BPF_LDX|BPF_IMM);
2488 s->s.k = off_ll;
2489 }
2490
2491 /*
2492 * The X register contains the offset of the beginning of the
2493 * link-layer header; add 24, which is the minimum length
2494 * of the MAC header for a data frame, to that, and store it
2495 * in reg_off_macpl, and then load the Frame Control field,
2496 * which is at the offset in the X register, with an indexed load.
2497 */
2498 s2 = new_stmt(BPF_MISC|BPF_TXA);
2499 sappend(s, s2);
2500 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2501 s2->s.k = 24;
2502 sappend(s, s2);
2503 s2 = new_stmt(BPF_ST);
2504 s2->s.k = reg_off_macpl;
2505 sappend(s, s2);
2506
2507 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2508 s2->s.k = 0;
2509 sappend(s, s2);
2510
2511 /*
2512 * Check the Frame Control field to see if this is a data frame;
2513 * a data frame has the 0x08 bit (b3) in that field set and the
2514 * 0x04 bit (b2) clear.
2515 */
2516 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2517 sjset_data_frame_1->s.k = 0x08;
2518 sappend(s, sjset_data_frame_1);
2519
2520 /*
2521 * If b3 is set, test b2, otherwise go to the first statement of
2522 * the rest of the program.
2523 */
2524 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2525 sjset_data_frame_2->s.k = 0x04;
2526 sappend(s, sjset_data_frame_2);
2527 sjset_data_frame_1->s.jf = snext;
2528
2529 /*
2530 * If b2 is not set, this is a data frame; test the QoS bit.
2531 * Otherwise, go to the first statement of the rest of the
2532 * program.
2533 */
2534 sjset_data_frame_2->s.jt = snext;
2535 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2536 sjset_qos->s.k = 0x80; /* QoS bit */
2537 sappend(s, sjset_qos);
2538
2539 /*
2540 * If it's set, add 2 to reg_off_macpl, to skip the QoS
2541 * field.
2542 * Otherwise, go to the first statement of the rest of the
2543 * program.
2544 */
2545 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2546 s2->s.k = reg_off_macpl;
2547 sappend(s, s2);
2548 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2549 s2->s.k = 2;
2550 sappend(s, s2);
2551 s2 = new_stmt(BPF_ST);
2552 s2->s.k = reg_off_macpl;
2553 sappend(s, s2);
2554
2555 /*
2556 * If we have a radiotap header, look at it to see whether
2557 * there's Atheros padding between the MAC-layer header
2558 * and the payload.
2559 *
2560 * Note: all of the fields in the radiotap header are
2561 * little-endian, so we byte-swap all of the values
2562 * we test against, as they will be loaded as big-endian
2563 * values.
2564 */
2565 if (linktype == DLT_IEEE802_11_RADIO) {
2566 /*
2567 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2568 * in the presence flag?
2569 */
2570 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2571 s2->s.k = 4;
2572 sappend(s, s2);
2573
2574 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2575 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2576 sappend(s, sjset_radiotap_flags);
2577
2578 /*
2579 * If not, skip all of this.
2580 */
2581 sjset_radiotap_flags->s.jf = snext;
2582
2583 /*
2584 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2585 */
2586 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2587 new_stmt(JMP(BPF_JSET));
2588 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2589 sappend(s, sjset_radiotap_tsft);
2590
2591 /*
2592 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2593 * at an offset of 16 from the beginning of the raw packet
2594 * data (8 bytes for the radiotap header and 8 bytes for
2595 * the TSFT field).
2596 *
2597 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2598 * is set.
2599 */
2600 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2601 s2->s.k = 16;
2602 sappend(s, s2);
2603
2604 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2605 sjset_tsft_datapad->s.k = 0x20;
2606 sappend(s, sjset_tsft_datapad);
2607
2608 /*
2609 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2610 * at an offset of 8 from the beginning of the raw packet
2611 * data (8 bytes for the radiotap header).
2612 *
2613 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2614 * is set.
2615 */
2616 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2617 s2->s.k = 8;
2618 sappend(s, s2);
2619
2620 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2621 sjset_notsft_datapad->s.k = 0x20;
2622 sappend(s, sjset_notsft_datapad);
2623
2624 /*
2625 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2626 * set, round the length of the 802.11 header to
2627 * a multiple of 4. Do that by adding 3 and then
2628 * dividing by and multiplying by 4, which we do by
2629 * ANDing with ~3.
2630 */
2631 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2632 s_roundup->s.k = reg_off_macpl;
2633 sappend(s, s_roundup);
2634 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2635 s2->s.k = 3;
2636 sappend(s, s2);
2637 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2638 s2->s.k = ~3;
2639 sappend(s, s2);
2640 s2 = new_stmt(BPF_ST);
2641 s2->s.k = reg_off_macpl;
2642 sappend(s, s2);
2643
2644 sjset_tsft_datapad->s.jt = s_roundup;
2645 sjset_tsft_datapad->s.jf = snext;
2646 sjset_notsft_datapad->s.jt = s_roundup;
2647 sjset_notsft_datapad->s.jf = snext;
2648 } else
2649 sjset_qos->s.jf = snext;
2650
2651 return s;
2652 }
2653
2654 static void
2655 insert_compute_vloffsets(b)
2656 struct block *b;
2657 {
2658 struct slist *s;
2659
2660 /*
2661 * For link-layer types that have a variable-length header
2662 * preceding the link-layer header, generate code to load
2663 * the offset of the link-layer header into the register
2664 * assigned to that offset, if any.
2665 */
2666 switch (linktype) {
2667
2668 case DLT_PRISM_HEADER:
2669 s = gen_load_prism_llprefixlen();
2670 break;
2671
2672 case DLT_IEEE802_11_RADIO_AVS:
2673 s = gen_load_avs_llprefixlen();
2674 break;
2675
2676 case DLT_IEEE802_11_RADIO:
2677 s = gen_load_radiotap_llprefixlen();
2678 break;
2679
2680 case DLT_PPI:
2681 s = gen_load_ppi_llprefixlen();
2682 break;
2683
2684 default:
2685 s = NULL;
2686 break;
2687 }
2688
2689 /*
2690 * For link-layer types that have a variable-length link-layer
2691 * header, generate code to load the offset of the MAC-layer
2692 * payload into the register assigned to that offset, if any.
2693 */
2694 switch (linktype) {
2695
2696 case DLT_IEEE802_11:
2697 case DLT_PRISM_HEADER:
2698 case DLT_IEEE802_11_RADIO_AVS:
2699 case DLT_IEEE802_11_RADIO:
2700 case DLT_PPI:
2701 s = gen_load_802_11_header_len(s, b->stmts);
2702 break;
2703 }
2704
2705 /*
2706 * If we have any offset-loading code, append all the
2707 * existing statements in the block to those statements,
2708 * and make the resulting list the list of statements
2709 * for the block.
2710 */
2711 if (s != NULL) {
2712 sappend(s, b->stmts);
2713 b->stmts = s;
2714 }
2715 }
2716
2717 static struct block *
2718 gen_ppi_dlt_check(void)
2719 {
2720 struct slist *s_load_dlt;
2721 struct block *b;
2722
2723 if (linktype == DLT_PPI)
2724 {
2725 /* Create the statements that check for the DLT
2726 */
2727 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2728 s_load_dlt->s.k = 4;
2729
2730 b = new_block(JMP(BPF_JEQ));
2731
2732 b->stmts = s_load_dlt;
2733 b->s.k = SWAPLONG(DLT_IEEE802_11);
2734 }
2735 else
2736 {
2737 b = NULL;
2738 }
2739
2740 return b;
2741 }
2742
2743 static struct slist *
2744 gen_prism_llprefixlen(void)
2745 {
2746 struct slist *s;
2747
2748 if (reg_off_ll == -1) {
2749 /*
2750 * We haven't yet assigned a register for the length
2751 * of the radio header; allocate one.
2752 */
2753 reg_off_ll = alloc_reg();
2754 }
2755
2756 /*
2757 * Load the register containing the radio length
2758 * into the X register.
2759 */
2760 s = new_stmt(BPF_LDX|BPF_MEM);
2761 s->s.k = reg_off_ll;
2762 return s;
2763 }
2764
2765 static struct slist *
2766 gen_avs_llprefixlen(void)
2767 {
2768 struct slist *s;
2769
2770 if (reg_off_ll == -1) {
2771 /*
2772 * We haven't yet assigned a register for the length
2773 * of the AVS header; allocate one.
2774 */
2775 reg_off_ll = alloc_reg();
2776 }
2777
2778 /*
2779 * Load the register containing the AVS length
2780 * into the X register.
2781 */
2782 s = new_stmt(BPF_LDX|BPF_MEM);
2783 s->s.k = reg_off_ll;
2784 return s;
2785 }
2786
2787 static struct slist *
2788 gen_radiotap_llprefixlen(void)
2789 {
2790 struct slist *s;
2791
2792 if (reg_off_ll == -1) {
2793 /*
2794 * We haven't yet assigned a register for the length
2795 * of the radiotap header; allocate one.
2796 */
2797 reg_off_ll = alloc_reg();
2798 }
2799
2800 /*
2801 * Load the register containing the radiotap length
2802 * into the X register.
2803 */
2804 s = new_stmt(BPF_LDX|BPF_MEM);
2805 s->s.k = reg_off_ll;
2806 return s;
2807 }
2808
2809 /*
2810 * At the moment we treat PPI as normal Radiotap encoded
2811 * packets. The difference is in the function that generates
2812 * the code at the beginning to compute the header length.
2813 * Since this code generator of PPI supports bare 802.11
2814 * encapsulation only (i.e. the encapsulated DLT should be
2815 * DLT_IEEE802_11) we generate code to check for this too.
2816 */
2817 static struct slist *
2818 gen_ppi_llprefixlen(void)
2819 {
2820 struct slist *s;
2821
2822 if (reg_off_ll == -1) {
2823 /*
2824 * We haven't yet assigned a register for the length
2825 * of the radiotap header; allocate one.
2826 */
2827 reg_off_ll = alloc_reg();
2828 }
2829
2830 /*
2831 * Load the register containing the PPI length
2832 * into the X register.
2833 */
2834 s = new_stmt(BPF_LDX|BPF_MEM);
2835 s->s.k = reg_off_ll;
2836 return s;
2837 }
2838
2839 /*
2840 * Generate code to compute the link-layer header length, if necessary,
2841 * putting it into the X register, and to return either a pointer to a
2842 * "struct slist" for the list of statements in that code, or NULL if
2843 * no code is necessary.
2844 */
2845 static struct slist *
2846 gen_llprefixlen(void)
2847 {
2848 switch (linktype) {
2849
2850 case DLT_PRISM_HEADER:
2851 return gen_prism_llprefixlen();
2852
2853 case DLT_IEEE802_11_RADIO_AVS:
2854 return gen_avs_llprefixlen();
2855
2856 case DLT_IEEE802_11_RADIO:
2857 return gen_radiotap_llprefixlen();
2858
2859 case DLT_PPI:
2860 return gen_ppi_llprefixlen();
2861
2862 default:
2863 return NULL;
2864 }
2865 }
2866
2867 /*
2868 * Generate code to load the register containing the offset of the
2869 * MAC-layer payload into the X register; if no register for that offset
2870 * has been allocated, allocate it first.
2871 */
2872 static struct slist *
2873 gen_off_macpl(void)
2874 {
2875 struct slist *s;
2876
2877 if (off_macpl_is_variable) {
2878 if (reg_off_macpl == -1) {
2879 /*
2880 * We haven't yet assigned a register for the offset
2881 * of the MAC-layer payload; allocate one.
2882 */
2883 reg_off_macpl = alloc_reg();
2884 }
2885
2886 /*
2887 * Load the register containing the offset of the MAC-layer
2888 * payload into the X register.
2889 */
2890 s = new_stmt(BPF_LDX|BPF_MEM);
2891 s->s.k = reg_off_macpl;
2892 return s;
2893 } else {
2894 /*
2895 * That offset isn't variable, so we don't need to
2896 * generate any code.
2897 */
2898 return NULL;
2899 }
2900 }
2901
2902 /*
2903 * Map an Ethernet type to the equivalent PPP type.
2904 */
2905 static int
2906 ethertype_to_ppptype(proto)
2907 int proto;
2908 {
2909 switch (proto) {
2910
2911 case ETHERTYPE_IP:
2912 proto = PPP_IP;
2913 break;
2914
2915 #ifdef INET6
2916 case ETHERTYPE_IPV6:
2917 proto = PPP_IPV6;
2918 break;
2919 #endif
2920
2921 case ETHERTYPE_DN:
2922 proto = PPP_DECNET;
2923 break;
2924
2925 case ETHERTYPE_ATALK:
2926 proto = PPP_APPLE;
2927 break;
2928
2929 case ETHERTYPE_NS:
2930 proto = PPP_NS;
2931 break;
2932
2933 case LLCSAP_ISONS:
2934 proto = PPP_OSI;
2935 break;
2936
2937 case LLCSAP_8021D:
2938 /*
2939 * I'm assuming the "Bridging PDU"s that go
2940 * over PPP are Spanning Tree Protocol
2941 * Bridging PDUs.
2942 */
2943 proto = PPP_BRPDU;
2944 break;
2945
2946 case LLCSAP_IPX:
2947 proto = PPP_IPX;
2948 break;
2949 }
2950 return (proto);
2951 }
2952
2953 /*
2954 * Generate code to match a particular packet type by matching the
2955 * link-layer type field or fields in the 802.2 LLC header.
2956 *
2957 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2958 * value, if <= ETHERMTU.
2959 */
2960 static struct block *
2961 gen_linktype(proto)
2962 register int proto;
2963 {
2964 struct block *b0, *b1, *b2;
2965
2966 /* are we checking MPLS-encapsulated packets? */
2967 if (label_stack_depth > 0) {
2968 switch (proto) {
2969 case ETHERTYPE_IP:
2970 case PPP_IP:
2971 /* FIXME add other L3 proto IDs */
2972 return gen_mpls_linktype(Q_IP);
2973
2974 case ETHERTYPE_IPV6:
2975 case PPP_IPV6:
2976 /* FIXME add other L3 proto IDs */
2977 return gen_mpls_linktype(Q_IPV6);
2978
2979 default:
2980 bpf_error("unsupported protocol over mpls");
2981 /* NOTREACHED */
2982 }
2983 }
2984
2985 /*
2986 * Are we testing PPPoE packets?
2987 */
2988 if (is_pppoes) {
2989 /*
2990 * The PPPoE session header is part of the
2991 * MAC-layer payload, so all references
2992 * should be relative to the beginning of
2993 * that payload.
2994 */
2995
2996 /*
2997 * We use Ethernet protocol types inside libpcap;
2998 * map them to the corresponding PPP protocol types.
2999 */
3000 proto = ethertype_to_ppptype(proto);
3001 return gen_cmp(OR_MACPL, off_linktype, BPF_H, (bpf_int32)proto);
3002 }
3003
3004 switch (linktype) {
3005
3006 case DLT_EN10MB:
3007 return gen_ether_linktype(proto);
3008 /*NOTREACHED*/
3009 break;
3010
3011 case DLT_C_HDLC:
3012 switch (proto) {
3013
3014 case LLCSAP_ISONS:
3015 proto = (proto << 8 | LLCSAP_ISONS);
3016 /* fall through */
3017
3018 default:
3019 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3020 (bpf_int32)proto);
3021 /*NOTREACHED*/
3022 break;
3023 }
3024 break;
3025
3026 case DLT_IEEE802_11:
3027 case DLT_PRISM_HEADER:
3028 case DLT_IEEE802_11_RADIO_AVS:
3029 case DLT_IEEE802_11_RADIO:
3030 case DLT_PPI:
3031 /*
3032 * Check that we have a data frame.
3033 */
3034 b0 = gen_check_802_11_data_frame();
3035
3036 /*
3037 * Now check for the specified link-layer type.
3038 */
3039 b1 = gen_llc_linktype(proto);
3040 gen_and(b0, b1);
3041 return b1;
3042 /*NOTREACHED*/
3043 break;
3044
3045 case DLT_FDDI:
3046 /*
3047 * XXX - check for asynchronous frames, as per RFC 1103.
3048 */
3049 return gen_llc_linktype(proto);
3050 /*NOTREACHED*/
3051 break;
3052
3053 case DLT_IEEE802:
3054 /*
3055 * XXX - check for LLC PDUs, as per IEEE 802.5.
3056 */
3057 return gen_llc_linktype(proto);
3058 /*NOTREACHED*/
3059 break;
3060
3061 case DLT_ATM_RFC1483:
3062 case DLT_ATM_CLIP:
3063 case DLT_IP_OVER_FC:
3064 return gen_llc_linktype(proto);
3065 /*NOTREACHED*/
3066 break;
3067
3068 case DLT_SUNATM:
3069 /*
3070 * If "is_lane" is set, check for a LANE-encapsulated
3071 * version of this protocol, otherwise check for an
3072 * LLC-encapsulated version of this protocol.
3073 *
3074 * We assume LANE means Ethernet, not Token Ring.
3075 */
3076 if (is_lane) {
3077 /*
3078 * Check that the packet doesn't begin with an
3079 * LE Control marker. (We've already generated
3080 * a test for LANE.)
3081 */
3082 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3083 0xFF00);
3084 gen_not(b0);
3085
3086 /*
3087 * Now generate an Ethernet test.
3088 */
3089 b1 = gen_ether_linktype(proto);
3090 gen_and(b0, b1);
3091 return b1;
3092 } else {
3093 /*
3094 * Check for LLC encapsulation and then check the
3095 * protocol.
3096 */
3097 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3098 b1 = gen_llc_linktype(proto);
3099 gen_and(b0, b1);
3100 return b1;
3101 }
3102 /*NOTREACHED*/
3103 break;
3104
3105 case DLT_LINUX_SLL:
3106 return gen_linux_sll_linktype(proto);
3107 /*NOTREACHED*/
3108 break;
3109
3110 case DLT_SLIP:
3111 case DLT_SLIP_BSDOS:
3112 case DLT_RAW:
3113 /*
3114 * These types don't provide any type field; packets
3115 * are always IPv4 or IPv6.
3116 *
3117 * XXX - for IPv4, check for a version number of 4, and,
3118 * for IPv6, check for a version number of 6?
3119 */
3120 switch (proto) {
3121
3122 case ETHERTYPE_IP:
3123 /* Check for a version number of 4. */
3124 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
3125 #ifdef INET6
3126 case ETHERTYPE_IPV6:
3127 /* Check for a version number of 6. */
3128 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
3129 #endif
3130
3131 default:
3132 return gen_false(); /* always false */
3133 }
3134 /*NOTREACHED*/
3135 break;
3136
3137 case DLT_PPP:
3138 case DLT_PPP_PPPD:
3139 case DLT_PPP_SERIAL:
3140 case DLT_PPP_ETHER:
3141 /*
3142 * We use Ethernet protocol types inside libpcap;
3143 * map them to the corresponding PPP protocol types.
3144 */
3145 proto = ethertype_to_ppptype(proto);
3146 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3147 /*NOTREACHED*/
3148 break;
3149
3150 case DLT_PPP_BSDOS:
3151 /*
3152 * We use Ethernet protocol types inside libpcap;
3153 * map them to the corresponding PPP protocol types.
3154 */
3155 switch (proto) {
3156
3157 case ETHERTYPE_IP:
3158 /*
3159 * Also check for Van Jacobson-compressed IP.
3160 * XXX - do this for other forms of PPP?
3161 */
3162 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
3163 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
3164 gen_or(b0, b1);
3165 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
3166 gen_or(b1, b0);
3167 return b0;
3168
3169 default:
3170 proto = ethertype_to_ppptype(proto);
3171 return gen_cmp(OR_LINK, off_linktype, BPF_H,
3172 (bpf_int32)proto);
3173 }
3174 /*NOTREACHED*/
3175 break;
3176
3177 case DLT_NULL:
3178 case DLT_LOOP:
3179 case DLT_ENC:
3180 /*
3181 * For DLT_NULL, the link-layer header is a 32-bit
3182 * word containing an AF_ value in *host* byte order,
3183 * and for DLT_ENC, the link-layer header begins
3184 * with a 32-bit work containing an AF_ value in
3185 * host byte order.
3186 *
3187 * In addition, if we're reading a saved capture file,
3188 * the host byte order in the capture may not be the
3189 * same as the host byte order on this machine.
3190 *
3191 * For DLT_LOOP, the link-layer header is a 32-bit
3192 * word containing an AF_ value in *network* byte order.
3193 *
3194 * XXX - AF_ values may, unfortunately, be platform-
3195 * dependent; for example, FreeBSD's AF_INET6 is 24
3196 * whilst NetBSD's and OpenBSD's is 26.
3197 *
3198 * This means that, when reading a capture file, just
3199 * checking for our AF_INET6 value won't work if the
3200 * capture file came from another OS.
3201 */
3202 switch (proto) {
3203
3204 case ETHERTYPE_IP:
3205 proto = AF_INET;
3206 break;
3207
3208 #ifdef INET6
3209 case ETHERTYPE_IPV6:
3210 proto = AF_INET6;
3211 break;
3212 #endif
3213
3214 default:
3215 /*
3216 * Not a type on which we support filtering.
3217 * XXX - support those that have AF_ values
3218 * #defined on this platform, at least?
3219 */
3220 return gen_false();
3221 }
3222
3223 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3224 /*
3225 * The AF_ value is in host byte order, but
3226 * the BPF interpreter will convert it to
3227 * network byte order.
3228 *
3229 * If this is a save file, and it's from a
3230 * machine with the opposite byte order to
3231 * ours, we byte-swap the AF_ value.
3232 *
3233 * Then we run it through "htonl()", and
3234 * generate code to compare against the result.
3235 */
3236 if (bpf_pcap->sf.rfile != NULL &&
3237 bpf_pcap->sf.swapped)
3238 proto = SWAPLONG(proto);
3239 proto = htonl(proto);
3240 }
3241 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
3242
3243 #ifdef HAVE_NET_PFVAR_H
3244 case DLT_PFLOG:
3245 /*
3246 * af field is host byte order in contrast to the rest of
3247 * the packet.
3248 */
3249 if (proto == ETHERTYPE_IP)
3250 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3251 BPF_B, (bpf_int32)AF_INET));
3252 #ifdef INET6
3253 else if (proto == ETHERTYPE_IPV6)
3254 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
3255 BPF_B, (bpf_int32)AF_INET6));
3256 #endif /* INET6 */
3257 else
3258 return gen_false();
3259 /*NOTREACHED*/
3260 break;
3261 #endif /* HAVE_NET_PFVAR_H */
3262
3263 case DLT_ARCNET:
3264 case DLT_ARCNET_LINUX:
3265 /*
3266 * XXX should we check for first fragment if the protocol
3267 * uses PHDS?
3268 */
3269 switch (proto) {
3270
3271 default:
3272 return gen_false();
3273
3274 #ifdef INET6
3275 case ETHERTYPE_IPV6:
3276 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3277 (bpf_int32)ARCTYPE_INET6));
3278 #endif /* INET6 */
3279
3280 case ETHERTYPE_IP:
3281 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3282 (bpf_int32)ARCTYPE_IP);
3283 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3284 (bpf_int32)ARCTYPE_IP_OLD);
3285 gen_or(b0, b1);
3286 return (b1);
3287
3288 case ETHERTYPE_ARP:
3289 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3290 (bpf_int32)ARCTYPE_ARP);
3291 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
3292 (bpf_int32)ARCTYPE_ARP_OLD);
3293 gen_or(b0, b1);
3294 return (b1);
3295
3296 case ETHERTYPE_REVARP:
3297 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3298 (bpf_int32)ARCTYPE_REVARP));
3299
3300 case ETHERTYPE_ATALK:
3301 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
3302 (bpf_int32)ARCTYPE_ATALK));
3303 }
3304 /*NOTREACHED*/
3305 break;
3306
3307 case DLT_LTALK:
3308 switch (proto) {
3309 case ETHERTYPE_ATALK:
3310 return gen_true();
3311 default:
3312 return gen_false();
3313 }
3314 /*NOTREACHED*/
3315 break;
3316
3317 case DLT_FRELAY:
3318 /*
3319 * XXX - assumes a 2-byte Frame Relay header with
3320 * DLCI and flags. What if the address is longer?
3321 */
3322 switch (proto) {
3323
3324 case ETHERTYPE_IP:
3325 /*
3326 * Check for the special NLPID for IP.
3327 */
3328 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
3329
3330 #ifdef INET6
3331 case ETHERTYPE_IPV6:
3332 /*
3333 * Check for the special NLPID for IPv6.
3334 */
3335 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
3336 #endif
3337
3338 case LLCSAP_ISONS:
3339 /*
3340 * Check for several OSI protocols.
3341 *
3342 * Frame Relay packets typically have an OSI
3343 * NLPID at the beginning; we check for each
3344 * of them.
3345 *
3346 * What we check for is the NLPID and a frame
3347 * control field of UI, i.e. 0x03 followed
3348 * by the NLPID.
3349 */
3350 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3351 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3352 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3353 gen_or(b1, b2);
3354 gen_or(b0, b2);
3355 return b2;
3356
3357 default:
3358 return gen_false();
3359 }
3360 /*NOTREACHED*/
3361 break;
3362
3363 case DLT_MFR:
3364 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3365
3366 case DLT_JUNIPER_MFR:
3367 case DLT_JUNIPER_MLFR:
3368 case DLT_JUNIPER_MLPPP:
3369 case DLT_JUNIPER_ATM1:
3370 case DLT_JUNIPER_ATM2:
3371 case DLT_JUNIPER_PPPOE:
3372 case DLT_JUNIPER_PPPOE_ATM:
3373 case DLT_JUNIPER_GGSN:
3374 case DLT_JUNIPER_ES:
3375 case DLT_JUNIPER_MONITOR:
3376 case DLT_JUNIPER_SERVICES:
3377 case DLT_JUNIPER_ETHER:
3378 case DLT_JUNIPER_PPP:
3379 case DLT_JUNIPER_FRELAY:
3380 case DLT_JUNIPER_CHDLC:
3381 case DLT_JUNIPER_VP:
3382 case DLT_JUNIPER_ST:
3383 case DLT_JUNIPER_ISM:
3384 /* just lets verify the magic number for now -
3385 * on ATM we may have up to 6 different encapsulations on the wire
3386 * and need a lot of heuristics to figure out that the payload
3387 * might be;
3388 *
3389 * FIXME encapsulation specific BPF_ filters
3390 */
3391 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3392
3393 case DLT_LINUX_IRDA:
3394 bpf_error("IrDA link-layer type filtering not implemented");
3395
3396 case DLT_DOCSIS:
3397 bpf_error("DOCSIS link-layer type filtering not implemented");
3398
3399 case DLT_MTP2:
3400 case DLT_MTP2_WITH_PHDR:
3401 bpf_error("MTP2 link-layer type filtering not implemented");
3402
3403 case DLT_ERF:
3404 bpf_error("ERF link-layer type filtering not implemented");
3405
3406 #ifdef DLT_PFSYNC
3407 case DLT_PFSYNC:
3408 bpf_error("PFSYNC link-layer type filtering not implemented");
3409 #endif
3410
3411 case DLT_LINUX_LAPD:
3412 bpf_error("LAPD link-layer type filtering not implemented");
3413
3414 case DLT_USB:
3415 case DLT_USB_LINUX:
3416 case DLT_USB_LINUX_MMAPPED:
3417 bpf_error("USB link-layer type filtering not implemented");
3418
3419 case DLT_BLUETOOTH_HCI_H4:
3420 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3421 bpf_error("Bluetooth link-layer type filtering not implemented");
3422
3423 case DLT_CAN20B:
3424 bpf_error("CAN20B link-layer type filtering not implemented");
3425
3426 case DLT_IEEE802_15_4:
3427 case DLT_IEEE802_15_4_LINUX:
3428 case DLT_IEEE802_15_4_NONASK_PHY:
3429 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3430
3431 case DLT_IEEE802_16_MAC_CPS_RADIO:
3432 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3433
3434 case DLT_SITA:
3435 bpf_error("SITA link-layer type filtering not implemented");
3436
3437 case DLT_RAIF1:
3438 bpf_error("RAIF1 link-layer type filtering not implemented");
3439
3440 case DLT_IPMB:
3441 bpf_error("IPMB link-layer type filtering not implemented");
3442
3443 case DLT_AX25_KISS:
3444 bpf_error("AX.25 link-layer type filtering not implemented");
3445 }
3446
3447 /*
3448 * All the types that have no encapsulation should either be
3449 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
3450 * all packets are IP packets, or should be handled in some
3451 * special case, if none of them are (if some are and some
3452 * aren't, the lack of encapsulation is a problem, as we'd
3453 * have to find some other way of determining the packet type).
3454 *
3455 * Therefore, if "off_linktype" is -1, there's an error.
3456 */
3457 if (off_linktype == (u_int)-1)
3458 abort();
3459
3460 /*
3461 * Any type not handled above should always have an Ethernet
3462 * type at an offset of "off_linktype".
3463 */
3464 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
3465 }
3466
3467 /*
3468 * Check for an LLC SNAP packet with a given organization code and
3469 * protocol type; we check the entire contents of the 802.2 LLC and
3470 * snap headers, checking for DSAP and SSAP of SNAP and a control
3471 * field of 0x03 in the LLC header, and for the specified organization
3472 * code and protocol type in the SNAP header.
3473 */
3474 static struct block *
3475 gen_snap(orgcode, ptype)
3476 bpf_u_int32 orgcode;
3477 bpf_u_int32 ptype;
3478 {
3479 u_char snapblock[8];
3480
3481 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3482 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3483 snapblock[2] = 0x03; /* control = UI */
3484 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3485 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3486 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3487 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3488 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3489 return gen_bcmp(OR_MACPL, 0, 8, snapblock);
3490 }
3491
3492 /*
3493 * Generate code to match a particular packet type, for link-layer types
3494 * using 802.2 LLC headers.
3495 *
3496 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3497 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3498 *
3499 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3500 * value, if <= ETHERMTU. We use that to determine whether to
3501 * match the DSAP or both DSAP and LSAP or to check the OUI and
3502 * protocol ID in a SNAP header.
3503 */
3504 static struct block *
3505 gen_llc_linktype(proto)
3506 int proto;
3507 {
3508 /*
3509 * XXX - handle token-ring variable-length header.
3510 */
3511 switch (proto) {
3512
3513 case LLCSAP_IP:
3514 case LLCSAP_ISONS:
3515 case LLCSAP_NETBEUI:
3516 /*
3517 * XXX - should we check both the DSAP and the
3518 * SSAP, like this, or should we check just the
3519 * DSAP, as we do for other types <= ETHERMTU
3520 * (i.e., other SAP values)?
3521 */
3522 return gen_cmp(OR_MACPL, 0, BPF_H, (bpf_u_int32)
3523 ((proto << 8) | proto));
3524
3525 case LLCSAP_IPX:
3526 /*
3527 * XXX - are there ever SNAP frames for IPX on
3528 * non-Ethernet 802.x networks?
3529 */
3530 return gen_cmp(OR_MACPL, 0, BPF_B,
3531 (bpf_int32)LLCSAP_IPX);
3532
3533 case ETHERTYPE_ATALK:
3534 /*
3535 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3536 * SNAP packets with an organization code of
3537 * 0x080007 (Apple, for Appletalk) and a protocol
3538 * type of ETHERTYPE_ATALK (Appletalk).
3539 *
3540 * XXX - check for an organization code of
3541 * encapsulated Ethernet as well?
3542 */
3543 return gen_snap(0x080007, ETHERTYPE_ATALK);
3544
3545 default:
3546 /*
3547 * XXX - we don't have to check for IPX 802.3
3548 * here, but should we check for the IPX Ethertype?
3549 */
3550 if (proto <= ETHERMTU) {
3551 /*
3552 * This is an LLC SAP value, so check
3553 * the DSAP.
3554 */
3555 return gen_cmp(OR_MACPL, 0, BPF_B, (bpf_int32)proto);
3556 } else {
3557 /*
3558 * This is an Ethernet type; we assume that it's
3559 * unlikely that it'll appear in the right place
3560 * at random, and therefore check only the
3561 * location that would hold the Ethernet type
3562 * in a SNAP frame with an organization code of
3563 * 0x000000 (encapsulated Ethernet).
3564 *
3565 * XXX - if we were to check for the SNAP DSAP and
3566 * LSAP, as per XXX, and were also to check for an
3567 * organization code of 0x000000 (encapsulated
3568 * Ethernet), we'd do
3569 *
3570 * return gen_snap(0x000000, proto);
3571 *
3572 * here; for now, we don't, as per the above.
3573 * I don't know whether it's worth the extra CPU
3574 * time to do the right check or not.
3575 */
3576 return gen_cmp(OR_MACPL, 6, BPF_H, (bpf_int32)proto);
3577 }
3578 }
3579 }
3580
3581 static struct block *
3582 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3583 bpf_u_int32 addr;
3584 bpf_u_int32 mask;
3585 int dir, proto;
3586 u_int src_off, dst_off;
3587 {
3588 struct block *b0, *b1;
3589 u_int offset;
3590
3591 switch (dir) {
3592
3593 case Q_SRC:
3594 offset = src_off;
3595 break;
3596
3597 case Q_DST:
3598 offset = dst_off;
3599 break;
3600
3601 case Q_AND:
3602 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3603 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3604 gen_and(b0, b1);
3605 return b1;
3606
3607 case Q_OR:
3608 case Q_DEFAULT:
3609 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3610 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3611 gen_or(b0, b1);
3612 return b1;
3613
3614 default:
3615 abort();
3616 }
3617 b0 = gen_linktype(proto);
3618 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
3619 gen_and(b0, b1);
3620 return b1;
3621 }
3622
3623 #ifdef INET6
3624 static struct block *
3625 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3626 struct in6_addr *addr;
3627 struct in6_addr *mask;
3628 int dir, proto;
3629 u_int src_off, dst_off;
3630 {
3631 struct block *b0, *b1;
3632 u_int offset;
3633 u_int32_t *a, *m;
3634
3635 switch (dir) {
3636
3637 case Q_SRC:
3638 offset = src_off;
3639 break;
3640
3641 case Q_DST:
3642 offset = dst_off;
3643 break;
3644
3645 case Q_AND:
3646 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3647 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3648 gen_and(b0, b1);
3649 return b1;
3650
3651 case Q_OR:
3652 case Q_DEFAULT:
3653 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3654 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3655 gen_or(b0, b1);
3656 return b1;
3657
3658 default:
3659 abort();
3660 }
3661 /* this order is important */
3662 a = (u_int32_t *)addr;
3663 m = (u_int32_t *)mask;
3664 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3665 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3666 gen_and(b0, b1);
3667 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3668 gen_and(b0, b1);
3669 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3670 gen_and(b0, b1);
3671 b0 = gen_linktype(proto);
3672 gen_and(b0, b1);
3673 return b1;
3674 }
3675 #endif /*INET6*/
3676
3677 static struct block *
3678 gen_ehostop(eaddr, dir)
3679 register const u_char *eaddr;
3680 register int dir;
3681 {
3682 register struct block *b0, *b1;
3683
3684 switch (dir) {
3685 case Q_SRC:
3686 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
3687
3688 case Q_DST:
3689 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
3690
3691 case Q_AND:
3692 b0 = gen_ehostop(eaddr, Q_SRC);
3693 b1 = gen_ehostop(eaddr, Q_DST);
3694 gen_and(b0, b1);
3695 return b1;
3696
3697 case Q_DEFAULT:
3698 case Q_OR:
3699 b0 = gen_ehostop(eaddr, Q_SRC);
3700 b1 = gen_ehostop(eaddr, Q_DST);
3701 gen_or(b0, b1);
3702 return b1;
3703 }
3704 abort();
3705 /* NOTREACHED */
3706 }
3707
3708 /*
3709 * Like gen_ehostop, but for DLT_FDDI
3710 */
3711 static struct block *
3712 gen_fhostop(eaddr, dir)
3713 register const u_char *eaddr;
3714 register int dir;
3715 {
3716 struct block *b0, *b1;
3717
3718 switch (dir) {
3719 case Q_SRC:
3720 #ifdef PCAP_FDDIPAD
3721 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
3722 #else
3723 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
3724 #endif
3725
3726 case Q_DST:
3727 #ifdef PCAP_FDDIPAD
3728 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
3729 #else
3730 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
3731 #endif
3732
3733 case Q_AND:
3734 b0 = gen_fhostop(eaddr, Q_SRC);
3735 b1 = gen_fhostop(eaddr, Q_DST);
3736 gen_and(b0, b1);
3737 return b1;
3738
3739 case Q_DEFAULT:
3740 case Q_OR:
3741 b0 = gen_fhostop(eaddr, Q_SRC);
3742 b1 = gen_fhostop(eaddr, Q_DST);
3743 gen_or(b0, b1);
3744 return b1;
3745 }
3746 abort();
3747 /* NOTREACHED */
3748 }
3749
3750 /*
3751 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3752 */
3753 static struct block *
3754 gen_thostop(eaddr, dir)
3755 register const u_char *eaddr;
3756 register int dir;
3757 {
3758 register struct block *b0, *b1;
3759
3760 switch (dir) {
3761 case Q_SRC:
3762 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3763
3764 case Q_DST:
3765 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3766
3767 case Q_AND:
3768 b0 = gen_thostop(eaddr, Q_SRC);
3769 b1 = gen_thostop(eaddr, Q_DST);
3770 gen_and(b0, b1);
3771 return b1;
3772
3773 case Q_DEFAULT:
3774 case Q_OR:
3775 b0 = gen_thostop(eaddr, Q_SRC);
3776 b1 = gen_thostop(eaddr, Q_DST);
3777 gen_or(b0, b1);
3778 return b1;
3779 }
3780 abort();
3781 /* NOTREACHED */
3782 }
3783
3784 /*
3785 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3786 * various 802.11 + radio headers.
3787 */
3788 static struct block *
3789 gen_wlanhostop(eaddr, dir)
3790 register const u_char *eaddr;
3791 register int dir;
3792 {
3793 register struct block *b0, *b1, *b2;
3794 register struct slist *s;
3795
3796 #ifdef ENABLE_WLAN_FILTERING_PATCH
3797 /*
3798 * TODO GV 20070613
3799 * We need to disable the optimizer because the optimizer is buggy
3800 * and wipes out some LD instructions generated by the below
3801 * code to validate the Frame Control bits
3802 */
3803 no_optimize = 1;
3804 #endif /* ENABLE_WLAN_FILTERING_PATCH */
3805
3806 switch (dir) {
3807 case Q_SRC:
3808 /*
3809 * Oh, yuk.
3810 *
3811 * For control frames, there is no SA.
3812 *
3813 * For management frames, SA is at an
3814 * offset of 10 from the beginning of
3815 * the packet.
3816 *
3817 * For data frames, SA is at an offset
3818 * of 10 from the beginning of the packet
3819 * if From DS is clear, at an offset of
3820 * 16 from the beginning of the packet
3821 * if From DS is set and To DS is clear,
3822 * and an offset of 24 from the beginning
3823 * of the packet if From DS is set and To DS
3824 * is set.
3825 */
3826
3827 /*
3828 * Generate the tests to be done for data frames
3829 * with From DS set.
3830 *
3831 * First, check for To DS set, i.e. check "link[1] & 0x01".
3832 */
3833 s = gen_load_a(OR_LINK, 1, BPF_B);
3834 b1 = new_block(JMP(BPF_JSET));
3835 b1->s.k = 0x01; /* To DS */
3836 b1->stmts = s;
3837
3838 /*
3839 * If To DS is set, the SA is at 24.
3840 */
3841 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3842 gen_and(b1, b0);
3843
3844 /*
3845 * Now, check for To DS not set, i.e. check
3846 * "!(link[1] & 0x01)".
3847 */
3848 s = gen_load_a(OR_LINK, 1, BPF_B);
3849 b2 = new_block(JMP(BPF_JSET));
3850 b2->s.k = 0x01; /* To DS */
3851 b2->stmts = s;
3852 gen_not(b2);
3853
3854 /*
3855 * If To DS is not set, the SA is at 16.
3856 */
3857 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3858 gen_and(b2, b1);
3859
3860 /*
3861 * Now OR together the last two checks. That gives
3862 * the complete set of checks for data frames with
3863 * From DS set.
3864 */
3865 gen_or(b1, b0);
3866
3867 /*
3868 * Now check for From DS being set, and AND that with
3869 * the ORed-together checks.
3870 */
3871 s = gen_load_a(OR_LINK, 1, BPF_B);
3872 b1 = new_block(JMP(BPF_JSET));
3873 b1->s.k = 0x02; /* From DS */
3874 b1->stmts = s;
3875 gen_and(b1, b0);
3876
3877 /*
3878 * Now check for data frames with From DS not set.
3879 */
3880 s = gen_load_a(OR_LINK, 1, BPF_B);
3881 b2 = new_block(JMP(BPF_JSET));
3882 b2->s.k = 0x02; /* From DS */
3883 b2->stmts = s;
3884 gen_not(b2);
3885
3886 /*
3887 * If From DS isn't set, the SA is at 10.
3888 */
3889 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3890 gen_and(b2, b1);
3891
3892 /*
3893 * Now OR together the checks for data frames with
3894 * From DS not set and for data frames with From DS
3895 * set; that gives the checks done for data frames.
3896 */
3897 gen_or(b1, b0);
3898
3899 /*
3900 * Now check for a data frame.
3901 * I.e, check "link[0] & 0x08".
3902 */
3903 s = gen_load_a(OR_LINK, 0, BPF_B);
3904 b1 = new_block(JMP(BPF_JSET));
3905 b1->s.k = 0x08;
3906 b1->stmts = s;
3907
3908 /*
3909 * AND that with the checks done for data frames.
3910 */
3911 gen_and(b1, b0);
3912
3913 /*
3914 * If the high-order bit of the type value is 0, this
3915 * is a management frame.
3916 * I.e, check "!(link[0] & 0x08)".
3917 */
3918 s = gen_load_a(OR_LINK, 0, BPF_B);
3919 b2 = new_block(JMP(BPF_JSET));
3920 b2->s.k = 0x08;
3921 b2->stmts = s;
3922 gen_not(b2);
3923
3924 /*
3925 * For management frames, the SA is at 10.
3926 */
3927 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3928 gen_and(b2, b1);
3929
3930 /*
3931 * OR that with the checks done for data frames.
3932 * That gives the checks done for management and
3933 * data frames.
3934 */
3935 gen_or(b1, b0);
3936
3937 /*
3938 * If the low-order bit of the type value is 1,
3939 * this is either a control frame or a frame
3940 * with a reserved type, and thus not a
3941 * frame with an SA.
3942 *
3943 * I.e., check "!(link[0] & 0x04)".
3944 */
3945 s = gen_load_a(OR_LINK, 0, BPF_B);
3946 b1 = new_block(JMP(BPF_JSET));
3947 b1->s.k = 0x04;
3948 b1->stmts = s;
3949 gen_not(b1);
3950
3951 /*
3952 * AND that with the checks for data and management
3953 * frames.
3954 */
3955 gen_and(b1, b0);
3956 return b0;
3957
3958 case Q_DST:
3959 /*
3960 * Oh, yuk.
3961 *
3962 * For control frames, there is no DA.
3963 *
3964 * For management frames, DA is at an
3965 * offset of 4 from the beginning of
3966 * the packet.
3967 *
3968 * For data frames, DA is at an offset
3969 * of 4 from the beginning of the packet
3970 * if To DS is clear and at an offset of
3971 * 16 from the beginning of the packet
3972 * if To DS is set.
3973 */
3974
3975 /*
3976 * Generate the tests to be done for data frames.
3977 *
3978 * First, check for To DS set, i.e. "link[1] & 0x01".
3979 */
3980 s = gen_load_a(OR_LINK, 1, BPF_B);
3981 b1 = new_block(JMP(BPF_JSET));
3982 b1->s.k = 0x01; /* To DS */
3983 b1->stmts = s;
3984
3985 /*
3986 * If To DS is set, the DA is at 16.
3987 */
3988 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3989 gen_and(b1, b0);
3990
3991 /*
3992 * Now, check for To DS not set, i.e. check
3993 * "!(link[1] & 0x01)".
3994 */
3995 s = gen_load_a(OR_LINK, 1, BPF_B);
3996 b2 = new_block(JMP(BPF_JSET));
3997 b2->s.k = 0x01; /* To DS */
3998 b2->stmts = s;
3999 gen_not(b2);
4000
4001 /*
4002 * If To DS is not set, the DA is at 4.
4003 */
4004 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4005 gen_and(b2, b1);
4006
4007 /*
4008 * Now OR together the last two checks. That gives
4009 * the complete set of checks for data frames.
4010 */
4011 gen_or(b1, b0);
4012
4013 /*
4014 * Now check for a data frame.
4015 * I.e, check "link[0] & 0x08".
4016 */
4017 s = gen_load_a(OR_LINK, 0, BPF_B);
4018 b1 = new_block(JMP(BPF_JSET));
4019 b1->s.k = 0x08;
4020 b1->stmts = s;
4021
4022 /*
4023 * AND that with the checks done for data frames.
4024 */
4025 gen_and(b1, b0);
4026
4027 /*
4028 * If the high-order bit of the type value is 0, this
4029 * is a management frame.
4030 * I.e, check "!(link[0] & 0x08)".
4031 */
4032 s = gen_load_a(OR_LINK, 0, BPF_B);
4033 b2 = new_block(JMP(BPF_JSET));
4034 b2->s.k = 0x08;
4035 b2->stmts = s;
4036 gen_not(b2);
4037
4038 /*
4039 * For management frames, the DA is at 4.
4040 */
4041 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
4042 gen_and(b2, b1);
4043
4044 /*
4045 * OR that with the checks done for data frames.
4046 * That gives the checks done for management and
4047 * data frames.
4048 */
4049 gen_or(b1, b0);
4050
4051 /*
4052 * If the low-order bit of the type value is 1,
4053 * this is either a control frame or a frame
4054 * with a reserved type, and thus not a
4055 * frame with an SA.
4056 *
4057 * I.e., check "!(link[0] & 0x04)".
4058 */
4059 s = gen_load_a(OR_LINK, 0, BPF_B);
4060 b1 = new_block(JMP(BPF_JSET));
4061 b1->s.k = 0x04;
4062 b1->stmts = s;
4063 gen_not(b1);
4064
4065 /*
4066 * AND that with the checks for data and management
4067 * frames.
4068 */
4069 gen_and(b1, b0);
4070 return b0;
4071
4072 /*
4073 * XXX - add RA, TA, and BSSID keywords?
4074 */
4075 case Q_ADDR1:
4076 return (gen_bcmp(OR_LINK, 4, 6, eaddr));
4077
4078 case Q_ADDR2:
4079 /*
4080 * Not present in CTS or ACK control frames.
4081 */
4082 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4083 IEEE80211_FC0_TYPE_MASK);
4084 gen_not(b0);
4085 b1 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4086 IEEE80211_FC0_SUBTYPE_MASK);
4087 gen_not(b1);
4088 b2 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4089 IEEE80211_FC0_SUBTYPE_MASK);
4090 gen_not(b2);
4091 gen_and(b1, b2);
4092 gen_or(b0, b2);
4093 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
4094 gen_and(b2, b1);
4095 return b1;
4096
4097 case Q_ADDR3:
4098 /*
4099 * Not present in control frames.
4100 */
4101 b0 = gen_mcmp(OR_LINK, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4102 IEEE80211_FC0_TYPE_MASK);
4103 gen_not(b0);
4104 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
4105 gen_and(b0, b1);
4106 return b1;
4107
4108 case Q_ADDR4:
4109 /*
4110 * Present only if the direction mask has both "From DS"
4111 * and "To DS" set. Neither control frames nor management
4112 * frames should have both of those set, so we don't
4113 * check the frame type.
4114 */
4115 b0 = gen_mcmp(OR_LINK, 1, BPF_B,
4116 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4117 b1 = gen_bcmp(OR_LINK, 24, 6, eaddr);
4118 gen_and(b0, b1);
4119 return b1;
4120
4121 case Q_AND:
4122 b0 = gen_wlanhostop(eaddr, Q_SRC);
4123 b1 = gen_wlanhostop(eaddr, Q_DST);
4124 gen_and(b0, b1);
4125 return b1;
4126
4127 case Q_DEFAULT:
4128 case Q_OR:
4129 b0 = gen_wlanhostop(eaddr, Q_SRC);
4130 b1 = gen_wlanhostop(eaddr, Q_DST);
4131 gen_or(b0, b1);
4132 return b1;
4133 }
4134 abort();
4135 /* NOTREACHED */
4136 }
4137
4138 /*
4139 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4140 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4141 * as the RFC states.)
4142 */
4143 static struct block *
4144 gen_ipfchostop(eaddr, dir)
4145 register const u_char *eaddr;
4146 register int dir;
4147 {
4148 register struct block *b0, *b1;
4149
4150 switch (dir) {
4151 case Q_SRC:
4152 return gen_bcmp(OR_LINK, 10, 6, eaddr);
4153
4154 case Q_DST:
4155 return gen_bcmp(OR_LINK, 2, 6, eaddr);
4156
4157 case Q_AND:
4158 b0 = gen_ipfchostop(eaddr, Q_SRC);
4159 b1 = gen_ipfchostop(eaddr, Q_DST);
4160 gen_and(b0, b1);
4161 return b1;
4162
4163 case Q_DEFAULT:
4164 case Q_OR:
4165 b0 = gen_ipfchostop(eaddr, Q_SRC);
4166 b1 = gen_ipfchostop(eaddr, Q_DST);
4167 gen_or(b0, b1);
4168 return b1;
4169 }
4170 abort();
4171 /* NOTREACHED */
4172 }
4173
4174 /*
4175 * This is quite tricky because there may be pad bytes in front of the
4176 * DECNET header, and then there are two possible data packet formats that
4177 * carry both src and dst addresses, plus 5 packet types in a format that
4178 * carries only the src node, plus 2 types that use a different format and
4179 * also carry just the src node.
4180 *
4181 * Yuck.
4182 *
4183 * Instead of doing those all right, we just look for data packets with
4184 * 0 or 1 bytes of padding. If you want to look at other packets, that
4185 * will require a lot more hacking.
4186 *
4187 * To add support for filtering on DECNET "areas" (network numbers)
4188 * one would want to add a "mask" argument to this routine. That would
4189 * make the filter even more inefficient, although one could be clever
4190 * and not generate masking instructions if the mask is 0xFFFF.
4191 */
4192 static struct block *
4193 gen_dnhostop(addr, dir)
4194 bpf_u_int32 addr;
4195 int dir;
4196 {
4197 struct block *b0, *b1, *b2, *tmp;
4198 u_int offset_lh; /* offset if long header is received */
4199 u_int offset_sh; /* offset if short header is received */
4200
4201 switch (dir) {
4202
4203 case Q_DST:
4204 offset_sh = 1; /* follows flags */
4205 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4206 break;
4207
4208 case Q_SRC:
4209 offset_sh = 3; /* follows flags, dstnode */
4210 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4211 break;
4212
4213 case Q_AND:
4214 /* Inefficient because we do our Calvinball dance twice */
4215 b0 = gen_dnhostop(addr, Q_SRC);
4216 b1 = gen_dnhostop(addr, Q_DST);
4217 gen_and(b0, b1);
4218 return b1;
4219
4220 case Q_OR:
4221 case Q_DEFAULT:
4222 /* Inefficient because we do our Calvinball dance twice */
4223 b0 = gen_dnhostop(addr, Q_SRC);
4224 b1 = gen_dnhostop(addr, Q_DST);
4225 gen_or(b0, b1);
4226 return b1;
4227
4228 case Q_ISO:
4229 bpf_error("ISO host filtering not implemented");
4230
4231 default:
4232 abort();
4233 }
4234 b0 = gen_linktype(ETHERTYPE_DN);
4235 /* Check for pad = 1, long header case */
4236 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4237 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4238 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
4239 BPF_H, (bpf_int32)ntohs((u_short)addr));
4240 gen_and(tmp, b1);
4241 /* Check for pad = 0, long header case */
4242 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4243 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4244 gen_and(tmp, b2);
4245 gen_or(b2, b1);
4246 /* Check for pad = 1, short header case */
4247 tmp = gen_mcmp(OR_NET, 2, BPF_H,
4248 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4249 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4250 gen_and(tmp, b2);
4251 gen_or(b2, b1);
4252 /* Check for pad = 0, short header case */
4253 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4254 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4255 gen_and(tmp, b2);
4256 gen_or(b2, b1);
4257
4258 /* Combine with test for linktype */
4259 gen_and(b0, b1);
4260 return b1;
4261 }
4262
4263 /*
4264 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4265 * test the bottom-of-stack bit, and then check the version number
4266 * field in the IP header.
4267 */
4268 static struct block *
4269 gen_mpls_linktype(proto)
4270 int proto;
4271 {
4272 struct block *b0, *b1;
4273
4274 switch (proto) {
4275
4276 case Q_IP:
4277 /* match the bottom-of-stack bit */
4278 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4279 /* match the IPv4 version number */
4280 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
4281 gen_and(b0, b1);
4282 return b1;
4283
4284 case Q_IPV6:
4285 /* match the bottom-of-stack bit */
4286 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
4287 /* match the IPv4 version number */
4288 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
4289 gen_and(b0, b1);
4290 return b1;
4291
4292 default:
4293 abort();
4294 }
4295 }
4296
4297 static struct block *
4298 gen_host(addr, mask, proto, dir, type)
4299 bpf_u_int32 addr;
4300 bpf_u_int32 mask;
4301 int proto;
4302 int dir;
4303 int type;
4304 {
4305 struct block *b0, *b1;
4306 const char *typestr;
4307
4308 if (type == Q_NET)
4309 typestr = "net";
4310 else
4311 typestr = "host";
4312
4313 switch (proto) {
4314
4315 case Q_DEFAULT:
4316 b0 = gen_host(addr, mask, Q_IP, dir, type);
4317 /*
4318 * Only check for non-IPv4 addresses if we're not
4319 * checking MPLS-encapsulated packets.
4320 */
4321 if (label_stack_depth == 0) {
4322 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4323 gen_or(b0, b1);
4324 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4325 gen_or(b1, b0);
4326 }
4327 return b0;
4328
4329 case Q_IP:
4330 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4331
4332 case Q_RARP:
4333 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4334
4335 case Q_ARP:
4336 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4337
4338 case Q_TCP:
4339 bpf_error("'tcp' modifier applied to %s", typestr);
4340
4341 case Q_SCTP:
4342 bpf_error("'sctp' modifier applied to %s", typestr);
4343
4344 case Q_UDP:
4345 bpf_error("'udp' modifier applied to %s", typestr);
4346
4347 case Q_ICMP:
4348 bpf_error("'icmp' modifier applied to %s", typestr);
4349
4350 case Q_IGMP:
4351 bpf_error("'igmp' modifier applied to %s", typestr);
4352
4353 case Q_IGRP:
4354 bpf_error("'igrp' modifier applied to %s", typestr);
4355
4356 case Q_PIM:
4357 bpf_error("'pim' modifier applied to %s", typestr);
4358
4359 case Q_VRRP:
4360 bpf_error("'vrrp' modifier applied to %s", typestr);
4361
4362 case Q_ATALK:
4363 bpf_error("ATALK host filtering not implemented");
4364
4365 case Q_AARP:
4366 bpf_error("AARP host filtering not implemented");
4367
4368 case Q_DECNET:
4369 return gen_dnhostop(addr, dir);
4370
4371 case Q_SCA:
4372 bpf_error("SCA host filtering not implemented");
4373
4374 case Q_LAT:
4375 bpf_error("LAT host filtering not implemented");
4376
4377 case Q_MOPDL:
4378 bpf_error("MOPDL host filtering not implemented");
4379
4380 case Q_MOPRC:
4381 bpf_error("MOPRC host filtering not implemented");
4382
4383 #ifdef INET6
4384 case Q_IPV6:
4385 bpf_error("'ip6' modifier applied to ip host");
4386
4387 case Q_ICMPV6:
4388 bpf_error("'icmp6' modifier applied to %s", typestr);
4389 #endif /* INET6 */
4390
4391 case Q_AH:
4392 bpf_error("'ah' modifier applied to %s", typestr);
4393
4394 case Q_ESP:
4395 bpf_error("'esp' modifier applied to %s", typestr);
4396
4397 case Q_ISO:
4398 bpf_error("ISO host filtering not implemented");
4399
4400 case Q_ESIS:
4401 bpf_error("'esis' modifier applied to %s", typestr);
4402
4403 case Q_ISIS:
4404 bpf_error("'isis' modifier applied to %s", typestr);
4405
4406 case Q_CLNP:
4407 bpf_error("'clnp' modifier applied to %s", typestr);
4408
4409 case Q_STP:
4410 bpf_error("'stp' modifier applied to %s", typestr);
4411
4412 case Q_IPX:
4413 bpf_error("IPX host filtering not implemented");
4414
4415 case Q_NETBEUI:
4416 bpf_error("'netbeui' modifier applied to %s", typestr);
4417
4418 case Q_RADIO:
4419 bpf_error("'radio' modifier applied to %s", typestr);
4420
4421 default:
4422 abort();
4423 }
4424 /* NOTREACHED */
4425 }
4426
4427 #ifdef INET6
4428 static struct block *
4429 gen_host6(addr, mask, proto, dir, type)
4430 struct in6_addr *addr;
4431 struct in6_addr *mask;
4432 int proto;
4433 int dir;
4434 int type;
4435 {
4436 const char *typestr;
4437
4438 if (type == Q_NET)
4439 typestr = "net";
4440 else
4441 typestr = "host";
4442
4443 switch (proto) {
4444
4445 case Q_DEFAULT:
4446 return gen_host6(addr, mask, Q_IPV6, dir, type);
4447
4448 case Q_IP:
4449 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4450
4451 case Q_RARP:
4452 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4453
4454 case Q_ARP:
4455 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4456
4457 case Q_SCTP:
4458 bpf_error("'sctp' modifier applied to %s", typestr);
4459
4460 case Q_TCP:
4461 bpf_error("'tcp' modifier applied to %s", typestr);
4462
4463 case Q_UDP:
4464 bpf_error("'udp' modifier applied to %s", typestr);
4465
4466 case Q_ICMP:
4467 bpf_error("'icmp' modifier applied to %s", typestr);
4468
4469 case Q_IGMP:
4470 bpf_error("'igmp' modifier applied to %s", typestr);
4471
4472 case Q_IGRP:
4473 bpf_error("'igrp' modifier applied to %s", typestr);
4474
4475 case Q_PIM:
4476 bpf_error("'pim' modifier applied to %s", typestr);
4477
4478 case Q_VRRP:
4479 bpf_error("'vrrp' modifier applied to %s", typestr);
4480
4481 case Q_ATALK:
4482 bpf_error("ATALK host filtering not implemented");
4483
4484 case Q_AARP:
4485 bpf_error("AARP host filtering not implemented");
4486
4487 case Q_DECNET:
4488 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4489
4490 case Q_SCA:
4491 bpf_error("SCA host filtering not implemented");
4492
4493 case Q_LAT:
4494 bpf_error("LAT host filtering not implemented");
4495
4496 case Q_MOPDL:
4497 bpf_error("MOPDL host filtering not implemented");
4498
4499 case Q_MOPRC:
4500 bpf_error("MOPRC host filtering not implemented");
4501
4502 case Q_IPV6:
4503 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4504
4505 case Q_ICMPV6:
4506 bpf_error("'icmp6' modifier applied to %s", typestr);
4507
4508 case Q_AH:
4509 bpf_error("'ah' modifier applied to %s", typestr);
4510
4511 case Q_ESP:
4512 bpf_error("'esp' modifier applied to %s", typestr);
4513
4514 case Q_ISO:
4515 bpf_error("ISO host filtering not implemented");
4516
4517 case Q_ESIS:
4518 bpf_error("'esis' modifier applied to %s", typestr);
4519
4520 case Q_ISIS:
4521 bpf_error("'isis' modifier applied to %s", typestr);
4522
4523 case Q_CLNP:
4524 bpf_error("'clnp' modifier applied to %s", typestr);
4525
4526 case Q_STP:
4527 bpf_error("'stp' modifier applied to %s", typestr);
4528
4529 case Q_IPX:
4530 bpf_error("IPX host filtering not implemented");
4531
4532 case Q_NETBEUI:
4533 bpf_error("'netbeui' modifier applied to %s", typestr);
4534
4535 case Q_RADIO:
4536 bpf_error("'radio' modifier applied to %s", typestr);
4537
4538 default:
4539 abort();
4540 }
4541 /* NOTREACHED */
4542 }
4543 #endif /*INET6*/
4544
4545 #ifndef INET6
4546 static struct block *
4547 gen_gateway(eaddr, alist, proto, dir)
4548 const u_char *eaddr;
4549 bpf_u_int32 **alist;
4550 int proto;
4551 int dir;
4552 {
4553 struct block *b0, *b1, *tmp;
4554
4555 if (dir != 0)
4556 bpf_error("direction applied to 'gateway'");
4557
4558 switch (proto) {
4559 case Q_DEFAULT:
4560 case Q_IP:
4561 case Q_ARP:
4562 case Q_RARP:
4563 switch (linktype) {
4564 case DLT_EN10MB:
4565 b0 = gen_ehostop(eaddr, Q_OR);
4566 break;
4567 case DLT_FDDI:
4568 b0 = gen_fhostop(eaddr, Q_OR);
4569 break;
4570 case DLT_IEEE802:
4571 b0 = gen_thostop(eaddr, Q_OR);
4572 break;
4573 case DLT_IEEE802_11:
4574 case DLT_PRISM_HEADER:
4575 case DLT_IEEE802_11_RADIO_AVS:
4576 case DLT_IEEE802_11_RADIO:
4577 case DLT_PPI:
4578 b0 = gen_wlanhostop(eaddr, Q_OR);
4579 break;
4580 case DLT_SUNATM:
4581 if (!is_lane)
4582 bpf_error(
4583 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4584 /*
4585 * Check that the packet doesn't begin with an
4586 * LE Control marker. (We've already generated
4587 * a test for LANE.)
4588 */
4589 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4590 BPF_H, 0xFF00);
4591 gen_not(b1);
4592
4593 /*
4594 * Now check the MAC address.
4595 */
4596 b0 = gen_ehostop(eaddr, Q_OR);
4597 gen_and(b1, b0);
4598 break;
4599 case DLT_IP_OVER_FC:
4600 b0 = gen_ipfchostop(eaddr, Q_OR);
4601 break;
4602 default:
4603 bpf_error(
4604 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4605 }
4606 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4607 while (*alist) {
4608 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4609 Q_HOST);
4610 gen_or(b1, tmp);
4611 b1 = tmp;
4612 }
4613 gen_not(b1);
4614 gen_and(b0, b1);
4615 return b1;
4616 }
4617 bpf_error("illegal modifier of 'gateway'");
4618 /* NOTREACHED */
4619 }
4620 #endif
4621
4622 struct block *
4623 gen_proto_abbrev(proto)
4624 int proto;
4625 {
4626 struct block *b0;
4627 struct block *b1;
4628
4629 switch (proto) {
4630
4631 case Q_SCTP:
4632 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4633 #ifdef INET6
4634 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4635 gen_or(b0, b1);
4636 #endif
4637 break;
4638
4639 case Q_TCP:
4640 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4641 #ifdef INET6
4642 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4643 gen_or(b0, b1);
4644 #endif
4645 break;
4646
4647 case Q_UDP:
4648 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4649 #ifdef INET6
4650 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4651 gen_or(b0, b1);
4652 #endif
4653 break;
4654
4655 case Q_ICMP:
4656 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4657 break;
4658
4659 #ifndef IPPROTO_IGMP
4660 #define IPPROTO_IGMP 2
4661 #endif
4662
4663 case Q_IGMP:
4664 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4665 break;
4666
4667 #ifndef IPPROTO_IGRP
4668 #define IPPROTO_IGRP 9
4669 #endif
4670 case Q_IGRP:
4671 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4672 break;
4673
4674 #ifndef IPPROTO_PIM
4675 #define IPPROTO_PIM 103
4676 #endif
4677
4678 case Q_PIM:
4679 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4680 #ifdef INET6
4681 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4682 gen_or(b0, b1);
4683 #endif
4684 break;
4685
4686 #ifndef IPPROTO_VRRP
4687 #define IPPROTO_VRRP 112
4688 #endif
4689
4690 case Q_VRRP:
4691 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4692 break;
4693
4694 case Q_IP:
4695 b1 = gen_linktype(ETHERTYPE_IP);
4696 break;
4697
4698 case Q_ARP:
4699 b1 = gen_linktype(ETHERTYPE_ARP);
4700 break;
4701
4702 case Q_RARP:
4703 b1 = gen_linktype(ETHERTYPE_REVARP);
4704 break;
4705
4706 case Q_LINK:
4707 bpf_error("link layer applied in wrong context");
4708
4709 case Q_ATALK:
4710 b1 = gen_linktype(ETHERTYPE_ATALK);
4711 break;
4712
4713 case Q_AARP:
4714 b1 = gen_linktype(ETHERTYPE_AARP);
4715 break;
4716
4717 case Q_DECNET:
4718 b1 = gen_linktype(ETHERTYPE_DN);
4719 break;
4720
4721 case Q_SCA:
4722 b1 = gen_linktype(ETHERTYPE_SCA);
4723 break;
4724
4725 case Q_LAT:
4726 b1 = gen_linktype(ETHERTYPE_LAT);
4727 break;
4728
4729 case Q_MOPDL:
4730 b1 = gen_linktype(ETHERTYPE_MOPDL);
4731 break;
4732
4733 case Q_MOPRC:
4734 b1 = gen_linktype(ETHERTYPE_MOPRC);
4735 break;
4736
4737 #ifdef INET6
4738 case Q_IPV6:
4739 b1 = gen_linktype(ETHERTYPE_IPV6);
4740 break;
4741
4742 #ifndef IPPROTO_ICMPV6
4743 #define IPPROTO_ICMPV6 58
4744 #endif
4745 case Q_ICMPV6:
4746 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
4747 break;
4748 #endif /* INET6 */
4749
4750 #ifndef IPPROTO_AH
4751 #define IPPROTO_AH 51
4752 #endif
4753 case Q_AH:
4754 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
4755 #ifdef INET6
4756 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
4757 gen_or(b0, b1);
4758 #endif
4759 break;
4760
4761 #ifndef IPPROTO_ESP
4762 #define IPPROTO_ESP 50
4763 #endif
4764 case Q_ESP:
4765 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
4766 #ifdef INET6
4767 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
4768 gen_or(b0, b1);
4769 #endif
4770 break;
4771
4772 case Q_ISO:
4773 b1 = gen_linktype(LLCSAP_ISONS);
4774 break;
4775
4776 case Q_ESIS:
4777 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
4778 break;
4779
4780 case Q_ISIS:
4781 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4782 break;
4783
4784 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
4785 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4786 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4787 gen_or(b0, b1);
4788 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4789 gen_or(b0, b1);
4790 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4791 gen_or(b0, b1);
4792 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4793 gen_or(b0, b1);
4794 break;
4795
4796 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
4797 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4798 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
4799 gen_or(b0, b1);
4800 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4801 gen_or(b0, b1);
4802 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4803 gen_or(b0, b1);
4804 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4805 gen_or(b0, b1);
4806 break;
4807
4808 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4809 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4810 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4811 gen_or(b0, b1);
4812 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4813 gen_or(b0, b1);
4814 break;
4815
4816 case Q_ISIS_LSP:
4817 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4818 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4819 gen_or(b0, b1);
4820 break;
4821
4822 case Q_ISIS_SNP:
4823 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4824 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4825 gen_or(b0, b1);
4826 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4827 gen_or(b0, b1);
4828 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4829 gen_or(b0, b1);
4830 break;
4831
4832 case Q_ISIS_CSNP:
4833 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4834 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4835 gen_or(b0, b1);
4836 break;
4837
4838 case Q_ISIS_PSNP:
4839 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4840 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4841 gen_or(b0, b1);
4842 break;
4843
4844 case Q_CLNP:
4845 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4846 break;
4847
4848 case Q_STP:
4849 b1 = gen_linktype(LLCSAP_8021D);
4850 break;
4851
4852 case Q_IPX:
4853 b1 = gen_linktype(LLCSAP_IPX);
4854 break;
4855
4856 case Q_NETBEUI:
4857 b1 = gen_linktype(LLCSAP_NETBEUI);
4858 break;
4859
4860 case Q_RADIO:
4861 bpf_error("'radio' is not a valid protocol type");
4862
4863 default:
4864 abort();
4865 }
4866 return b1;
4867 }
4868
4869 static struct block *
4870 gen_ipfrag()
4871 {
4872 struct slist *s;
4873 struct block *b;
4874
4875 /* not ip frag */
4876 s = gen_load_a(OR_NET, 6, BPF_H);
4877 b = new_block(JMP(BPF_JSET));
4878 b->s.k = 0x1fff;
4879 b->stmts = s;
4880 gen_not(b);
4881
4882 return b;
4883 }
4884
4885 /*
4886 * Generate a comparison to a port value in the transport-layer header
4887 * at the specified offset from the beginning of that header.
4888 *
4889 * XXX - this handles a variable-length prefix preceding the link-layer
4890 * header, such as the radiotap or AVS radio prefix, but doesn't handle
4891 * variable-length link-layer headers (such as Token Ring or 802.11
4892 * headers).
4893 */
4894 static struct block *
4895 gen_portatom(off, v)
4896 int off;
4897 bpf_int32 v;
4898 {
4899 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
4900 }
4901
4902 #ifdef INET6
4903 static struct block *
4904 gen_portatom6(off, v)
4905 int off;
4906 bpf_int32 v;
4907 {
4908 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
4909 }
4910 #endif/*INET6*/
4911
4912 struct block *
4913 gen_portop(port, proto, dir)
4914 int port, proto, dir;
4915 {
4916 struct block *b0, *b1, *tmp;
4917
4918 /* ip proto 'proto' */
4919 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
4920 b0 = gen_ipfrag();
4921 gen_and(tmp, b0);
4922
4923 switch (dir) {
4924 case Q_SRC:
4925 b1 = gen_portatom(0, (bpf_int32)port);
4926 break;
4927
4928 case Q_DST:
4929 b1 = gen_portatom(2, (bpf_int32)port);
4930 break;
4931
4932 case Q_OR:
4933 case Q_DEFAULT:
4934 tmp = gen_portatom(0, (bpf_int32)port);
4935 b1 = gen_portatom(2, (bpf_int32)port);
4936 gen_or(tmp, b1);
4937 break;
4938
4939 case Q_AND:
4940 tmp = gen_portatom(0, (bpf_int32)port);
4941 b1 = gen_portatom(2, (bpf_int32)port);
4942 gen_and(tmp, b1);
4943 break;
4944
4945 default:
4946 abort();
4947 }
4948 gen_and(b0, b1);
4949
4950 return b1;
4951 }
4952
4953 static struct block *
4954 gen_port(port, ip_proto, dir)
4955 int port;
4956 int ip_proto;
4957 int dir;
4958 {
4959 struct block *b0, *b1, *tmp;
4960
4961 /*
4962 * ether proto ip
4963 *
4964 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4965 * not LLC encapsulation with LLCSAP_IP.
4966 *
4967 * For IEEE 802 networks - which includes 802.5 token ring
4968 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4969 * says that SNAP encapsulation is used, not LLC encapsulation
4970 * with LLCSAP_IP.
4971 *
4972 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4973 * RFC 2225 say that SNAP encapsulation is used, not LLC
4974 * encapsulation with LLCSAP_IP.
4975 *
4976 * So we always check for ETHERTYPE_IP.
4977 */
4978 b0 = gen_linktype(ETHERTYPE_IP);
4979
4980 switch (ip_proto) {
4981 case IPPROTO_UDP:
4982 case IPPROTO_TCP:
4983 case IPPROTO_SCTP:
4984 b1 = gen_portop(port, ip_proto, dir);
4985 break;
4986
4987 case PROTO_UNDEF:
4988 tmp = gen_portop(port, IPPROTO_TCP, dir);
4989 b1 = gen_portop(port, IPPROTO_UDP, dir);
4990 gen_or(tmp, b1);
4991 tmp = gen_portop(port, IPPROTO_SCTP, dir);
4992 gen_or(tmp, b1);
4993 break;
4994
4995 default:
4996 abort();
4997 }
4998 gen_and(b0, b1);
4999 return b1;
5000 }
5001
5002 #ifdef INET6
5003 struct block *
5004 gen_portop6(port, proto, dir)
5005 int port, proto, dir;
5006 {
5007 struct block *b0, *b1, *tmp;
5008
5009 /* ip6 proto 'proto' */
5010 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5011
5012 switch (dir) {
5013 case Q_SRC:
5014 b1 = gen_portatom6(0, (bpf_int32)port);
5015 break;
5016
5017 case Q_DST:
5018 b1 = gen_portatom6(2, (bpf_int32)port);
5019 break;
5020
5021 case Q_OR:
5022 case Q_DEFAULT:
5023 tmp = gen_portatom6(0, (bpf_int32)port);
5024 b1 = gen_portatom6(2, (bpf_int32)port);
5025 gen_or(tmp, b1);
5026 break;
5027
5028 case Q_AND:
5029 tmp = gen_portatom6(0, (bpf_int32)port);
5030 b1 = gen_portatom6(2, (bpf_int32)port);
5031 gen_and(tmp, b1);
5032 break;
5033
5034 default:
5035 abort();
5036 }
5037 gen_and(b0, b1);
5038
5039 return b1;
5040 }
5041
5042 static struct block *
5043 gen_port6(port, ip_proto, dir)
5044 int port;
5045 int ip_proto;
5046 int dir;
5047 {
5048 struct block *b0, *b1, *tmp;
5049
5050 /* link proto ip6 */
5051 b0 = gen_linktype(ETHERTYPE_IPV6);
5052
5053 switch (ip_proto) {
5054 case IPPROTO_UDP:
5055 case IPPROTO_TCP:
5056 case IPPROTO_SCTP:
5057 b1 = gen_portop6(port, ip_proto, dir);
5058 break;
5059
5060 case PROTO_UNDEF:
5061 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5062 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5063 gen_or(tmp, b1);
5064 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5065 gen_or(tmp, b1);
5066 break;
5067
5068 default:
5069 abort();
5070 }
5071 gen_and(b0, b1);
5072 return b1;
5073 }
5074 #endif /* INET6 */
5075
5076 /* gen_portrange code */
5077 static struct block *
5078 gen_portrangeatom(off, v1, v2)
5079 int off;
5080 bpf_int32 v1, v2;
5081 {
5082 struct block *b1, *b2;
5083
5084 if (v1 > v2) {
5085 /*
5086 * Reverse the order of the ports, so v1 is the lower one.
5087 */
5088 bpf_int32 vtemp;
5089
5090 vtemp = v1;
5091 v1 = v2;
5092 v2 = vtemp;
5093 }
5094
5095 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5096 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5097
5098 gen_and(b1, b2);
5099
5100 return b2;
5101 }
5102
5103 struct block *
5104 gen_portrangeop(port1, port2, proto, dir)
5105 int port1, port2;
5106 int proto;
5107 int dir;
5108 {
5109 struct block *b0, *b1, *tmp;
5110
5111 /* ip proto 'proto' */
5112 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
5113 b0 = gen_ipfrag();
5114 gen_and(tmp, b0);
5115
5116 switch (dir) {
5117 case Q_SRC:
5118 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5119 break;
5120
5121 case Q_DST:
5122 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5123 break;
5124
5125 case Q_OR:
5126 case Q_DEFAULT:
5127 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5128 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5129 gen_or(tmp, b1);
5130 break;
5131
5132 case Q_AND:
5133 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5134 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5135 gen_and(tmp, b1);
5136 break;
5137
5138 default:
5139 abort();
5140 }
5141 gen_and(b0, b1);
5142
5143 return b1;
5144 }
5145
5146 static struct block *
5147 gen_portrange(port1, port2, ip_proto, dir)
5148 int port1, port2;
5149 int ip_proto;
5150 int dir;
5151 {
5152 struct block *b0, *b1, *tmp;
5153
5154 /* link proto ip */
5155 b0 = gen_linktype(ETHERTYPE_IP);
5156
5157 switch (ip_proto) {
5158 case IPPROTO_UDP:
5159 case IPPROTO_TCP:
5160 case IPPROTO_SCTP:
5161 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5162 break;
5163
5164 case PROTO_UNDEF:
5165 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5166 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5167 gen_or(tmp, b1);
5168 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5169 gen_or(tmp, b1);
5170 break;
5171
5172 default:
5173 abort();
5174 }
5175 gen_and(b0, b1);
5176 return b1;
5177 }
5178
5179 #ifdef INET6
5180 static struct block *
5181 gen_portrangeatom6(off, v1, v2)
5182 int off;
5183 bpf_int32 v1, v2;
5184 {
5185 struct block *b1, *b2;
5186
5187 if (v1 > v2) {
5188 /*
5189 * Reverse the order of the ports, so v1 is the lower one.
5190 */
5191 bpf_int32 vtemp;
5192
5193 vtemp = v1;
5194 v1 = v2;
5195 v2 = vtemp;
5196 }
5197
5198 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5199 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5200
5201 gen_and(b1, b2);
5202
5203 return b2;
5204 }
5205
5206 struct block *
5207 gen_portrangeop6(port1, port2, proto, dir)
5208 int port1, port2;
5209 int proto;
5210 int dir;
5211 {
5212 struct block *b0, *b1, *tmp;
5213
5214 /* ip6 proto 'proto' */
5215 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
5216
5217 switch (dir) {
5218 case Q_SRC:
5219 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5220 break;
5221
5222 case Q_DST:
5223 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5224 break;
5225
5226 case Q_OR:
5227 case Q_DEFAULT:
5228 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5229 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5230 gen_or(tmp, b1);
5231 break;
5232
5233 case Q_AND:
5234 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5235 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5236 gen_and(tmp, b1);
5237 break;
5238
5239 default:
5240 abort();
5241 }
5242 gen_and(b0, b1);
5243
5244 return b1;
5245 }
5246
5247 static struct block *
5248 gen_portrange6(port1, port2, ip_proto, dir)
5249 int port1, port2;
5250 int ip_proto;
5251 int dir;
5252 {
5253 struct block *b0, *b1, *tmp;
5254
5255 /* link proto ip6 */
5256 b0 = gen_linktype(ETHERTYPE_IPV6);
5257
5258 switch (ip_proto) {
5259 case IPPROTO_UDP:
5260 case IPPROTO_TCP:
5261 case IPPROTO_SCTP:
5262 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5263 break;
5264
5265 case PROTO_UNDEF:
5266 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5267 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5268 gen_or(tmp, b1);
5269 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5270 gen_or(tmp, b1);
5271 break;
5272
5273 default:
5274 abort();
5275 }
5276 gen_and(b0, b1);
5277 return b1;
5278 }
5279 #endif /* INET6 */
5280
5281 static int
5282 lookup_proto(name, proto)
5283 register const char *name;
5284 register int proto;
5285 {
5286 register int v;
5287
5288 switch (proto) {
5289
5290 case Q_DEFAULT:
5291 case Q_IP:
5292 case Q_IPV6:
5293 v = pcap_nametoproto(name);
5294 if (v == PROTO_UNDEF)
5295 bpf_error("unknown ip proto '%s'", name);
5296 break;
5297
5298 case Q_LINK:
5299 /* XXX should look up h/w protocol type based on linktype */
5300 v = pcap_nametoeproto(name);
5301 if (v == PROTO_UNDEF) {
5302 v = pcap_nametollc(name);
5303 if (v == PROTO_UNDEF)
5304 bpf_error("unknown ether proto '%s'", name);
5305 }
5306 break;
5307
5308 case Q_ISO:
5309 if (strcmp(name, "esis") == 0)
5310 v = ISO9542_ESIS;
5311 else if (strcmp(name, "isis") == 0)
5312 v = ISO10589_ISIS;
5313 else if (strcmp(name, "clnp") == 0)
5314 v = ISO8473_CLNP;
5315 else
5316 bpf_error("unknown osi proto '%s'", name);
5317 break;
5318
5319 default:
5320 v = PROTO_UNDEF;
5321 break;
5322 }
5323 return v;
5324 }
5325
5326 #if 0
5327 struct stmt *
5328 gen_joinsp(s, n)
5329 struct stmt **s;
5330 int n;
5331 {
5332 return NULL;
5333 }
5334 #endif
5335
5336 static struct block *
5337 gen_protochain(v, proto, dir)
5338 int v;
5339 int proto;
5340 int dir;
5341 {
5342 #ifdef NO_PROTOCHAIN
5343 return gen_proto(v, proto, dir);
5344 #else
5345 struct block *b0, *b;
5346 struct slist *s[100];
5347 int fix2, fix3, fix4, fix5;
5348 int ahcheck, again, end;
5349 int i, max;
5350 int reg2 = alloc_reg();
5351
5352 memset(s, 0, sizeof(s));
5353 fix2 = fix3 = fix4 = fix5 = 0;
5354
5355 switch (proto) {
5356 case Q_IP:
5357 case Q_IPV6:
5358 break;
5359 case Q_DEFAULT:
5360 b0 = gen_protochain(v, Q_IP, dir);
5361 b = gen_protochain(v, Q_IPV6, dir);
5362 gen_or(b0, b);
5363 return b;
5364 default:
5365 bpf_error("bad protocol applied for 'protochain'");
5366 /*NOTREACHED*/
5367 }
5368
5369 /*
5370 * We don't handle variable-length prefixes before the link-layer
5371 * header, or variable-length link-layer headers, here yet.
5372 * We might want to add BPF instructions to do the protochain
5373 * work, to simplify that and, on platforms that have a BPF
5374 * interpreter with the new instructions, let the filtering
5375 * be done in the kernel. (We already require a modified BPF
5376 * engine to do the protochain stuff, to support backward
5377 * branches, and backward branch support is unlikely to appear
5378 * in kernel BPF engines.)
5379 */
5380 switch (linktype) {
5381
5382 case DLT_IEEE802_11:
5383 case DLT_PRISM_HEADER:
5384 case DLT_IEEE802_11_RADIO_AVS:
5385 case DLT_IEEE802_11_RADIO:
5386 case DLT_PPI:
5387 bpf_error("'protochain' not supported with 802.11");
5388 }
5389
5390 no_optimize = 1; /*this code is not compatible with optimzer yet */
5391
5392 /*
5393 * s[0] is a dummy entry to protect other BPF insn from damage
5394 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5395 * hard to find interdependency made by jump table fixup.
5396 */
5397 i = 0;
5398 s[i] = new_stmt(0); /*dummy*/
5399 i++;
5400
5401 switch (proto) {
5402 case Q_IP:
5403 b0 = gen_linktype(ETHERTYPE_IP);
5404
5405 /* A = ip->ip_p */
5406 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5407 s[i]->s.k = off_macpl + off_nl + 9;
5408 i++;
5409 /* X = ip->ip_hl << 2 */
5410 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5411 s[i]->s.k = off_macpl + off_nl;
5412 i++;
5413 break;
5414 #ifdef INET6
5415 case Q_IPV6:
5416 b0 = gen_linktype(ETHERTYPE_IPV6);
5417
5418 /* A = ip6->ip_nxt */
5419 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5420 s[i]->s.k = off_macpl + off_nl + 6;
5421 i++;
5422 /* X = sizeof(struct ip6_hdr) */
5423 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5424 s[i]->s.k = 40;
5425 i++;
5426 break;
5427 #endif
5428 default:
5429 bpf_error("unsupported proto to gen_protochain");
5430 /*NOTREACHED*/
5431 }
5432
5433 /* again: if (A == v) goto end; else fall through; */
5434 again = i;
5435 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5436 s[i]->s.k = v;
5437 s[i]->s.jt = NULL; /*later*/
5438 s[i]->s.jf = NULL; /*update in next stmt*/
5439 fix5 = i;
5440 i++;
5441
5442 #ifndef IPPROTO_NONE
5443 #define IPPROTO_NONE 59
5444 #endif
5445 /* if (A == IPPROTO_NONE) goto end */
5446 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5447 s[i]->s.jt = NULL; /*later*/
5448 s[i]->s.jf = NULL; /*update in next stmt*/
5449 s[i]->s.k = IPPROTO_NONE;
5450 s[fix5]->s.jf = s[i];
5451 fix2 = i;
5452 i++;
5453
5454 #ifdef INET6
5455 if (proto == Q_IPV6) {
5456 int v6start, v6end, v6advance, j;
5457
5458 v6start = i;
5459 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5460 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5461 s[i]->s.jt = NULL; /*later*/
5462 s[i]->s.jf = NULL; /*update in next stmt*/
5463 s[i]->s.k = IPPROTO_HOPOPTS;
5464 s[fix2]->s.jf = s[i];
5465 i++;
5466 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5467 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5468 s[i]->s.jt = NULL; /*later*/
5469 s[i]->s.jf = NULL; /*update in next stmt*/
5470 s[i]->s.k = IPPROTO_DSTOPTS;
5471 i++;
5472 /* if (A == IPPROTO_ROUTING) goto v6advance */
5473 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5474 s[i]->s.jt = NULL; /*later*/
5475 s[i]->s.jf = NULL; /*update in next stmt*/
5476 s[i]->s.k = IPPROTO_ROUTING;
5477 i++;
5478 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5479 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5480 s[i]->s.jt = NULL; /*later*/
5481 s[i]->s.jf = NULL; /*later*/
5482 s[i]->s.k = IPPROTO_FRAGMENT;
5483 fix3 = i;
5484 v6end = i;
5485 i++;
5486
5487 /* v6advance: */
5488 v6advance = i;
5489
5490 /*
5491 * in short,
5492 * A = P[X];
5493 * X = X + (P[X + 1] + 1) * 8;
5494 */
5495 /* A = X */
5496 s[i] = new_stmt(BPF_MISC|BPF_TXA);
5497 i++;
5498 /* A = P[X + packet head] */
5499 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5500 s[i]->s.k = off_macpl + off_nl;
5501 i++;
5502 /* MEM[reg2] = A */
5503 s[i] = new_stmt(BPF_ST);
5504 s[i]->s.k = reg2;
5505 i++;
5506 /* A = X */
5507 s[i] = new_stmt(BPF_MISC|BPF_TXA);
5508 i++;
5509 /* A += 1 */
5510 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5511 s[i]->s.k = 1;
5512 i++;
5513 /* X = A */
5514 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5515 i++;
5516 /* A = P[X + packet head]; */
5517 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5518 s[i]->s.k = off_macpl + off_nl;
5519 i++;
5520 /* A += 1 */
5521 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5522 s[i]->s.k = 1;
5523 i++;
5524 /* A *= 8 */
5525 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5526 s[i]->s.k = 8;
5527 i++;
5528 /* X = A; */
5529 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5530 i++;
5531 /* A = MEM[reg2] */
5532 s[i] = new_stmt(BPF_LD|BPF_MEM);
5533 s[i]->s.k = reg2;
5534 i++;
5535
5536 /* goto again; (must use BPF_JA for backward jump) */
5537 s[i] = new_stmt(BPF_JMP|BPF_JA);
5538 s[i]->s.k = again - i - 1;
5539 s[i - 1]->s.jf = s[i];
5540 i++;
5541
5542 /* fixup */
5543 for (j = v6start; j <= v6end; j++)
5544 s[j]->s.jt = s[v6advance];
5545 } else
5546 #endif
5547 {
5548 /* nop */
5549 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5550 s[i]->s.k = 0;
5551 s[fix2]->s.jf = s[i];
5552 i++;
5553 }
5554
5555 /* ahcheck: */
5556 ahcheck = i;
5557 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5558 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5559 s[i]->s.jt = NULL; /*later*/
5560 s[i]->s.jf = NULL; /*later*/
5561 s[i]->s.k = IPPROTO_AH;
5562 if (fix3)
5563 s[fix3]->s.jf = s[ahcheck];
5564 fix4 = i;
5565 i++;
5566
5567 /*
5568 * in short,
5569 * A = P[X];
5570 * X = X + (P[X + 1] + 2) * 4;
5571 */
5572 /* A = X */
5573 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5574 i++;
5575 /* A = P[X + packet head]; */
5576 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5577 s[i]->s.k = off_macpl + off_nl;
5578 i++;
5579 /* MEM[reg2] = A */
5580 s[i] = new_stmt(BPF_ST);
5581 s[i]->s.k = reg2;
5582 i++;
5583 /* A = X */
5584 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5585 i++;
5586 /* A += 1 */
5587 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5588 s[i]->s.k = 1;
5589 i++;
5590 /* X = A */
5591 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5592 i++;
5593 /* A = P[X + packet head] */
5594 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5595 s[i]->s.k = off_macpl + off_nl;
5596 i++;
5597 /* A += 2 */
5598 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5599 s[i]->s.k = 2;
5600 i++;
5601 /* A *= 4 */
5602 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5603 s[i]->s.k = 4;
5604 i++;
5605 /* X = A; */
5606 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5607 i++;
5608 /* A = MEM[reg2] */
5609 s[i] = new_stmt(BPF_LD|BPF_MEM);
5610 s[i]->s.k = reg2;
5611 i++;
5612
5613 /* goto again; (must use BPF_JA for backward jump) */
5614 s[i] = new_stmt(BPF_JMP|BPF_JA);
5615 s[i]->s.k = again - i - 1;
5616 i++;
5617
5618 /* end: nop */
5619 end = i;
5620 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5621 s[i]->s.k = 0;
5622 s[fix2]->s.jt = s[end];
5623 s[fix4]->s.jf = s[end];
5624 s[fix5]->s.jt = s[end];
5625 i++;
5626
5627 /*
5628 * make slist chain
5629 */
5630 max = i;
5631 for (i = 0; i < max - 1; i++)
5632 s[i]->next = s[i + 1];
5633 s[max - 1]->next = NULL;
5634
5635 /*
5636 * emit final check
5637 */
5638 b = new_block(JMP(BPF_JEQ));
5639 b->stmts = s[1]; /*remember, s[0] is dummy*/
5640 b->s.k = v;
5641
5642 free_reg(reg2);
5643
5644 gen_and(b0, b);
5645 return b;
5646 #endif
5647 }
5648
5649 static struct block *
5650 gen_check_802_11_data_frame()
5651 {
5652 struct slist *s;
5653 struct block *b0, *b1;
5654
5655 /*
5656 * A data frame has the 0x08 bit (b3) in the frame control field set
5657 * and the 0x04 bit (b2) clear.
5658 */
5659 s = gen_load_a(OR_LINK, 0, BPF_B);
5660 b0 = new_block(JMP(BPF_JSET));
5661 b0->s.k = 0x08;
5662 b0->stmts = s;
5663
5664 s = gen_load_a(OR_LINK, 0, BPF_B);
5665 b1 = new_block(JMP(BPF_JSET));
5666 b1->s.k = 0x04;
5667 b1->stmts = s;
5668 gen_not(b1);
5669
5670 gen_and(b1, b0);
5671
5672 return b0;
5673 }
5674
5675 /*
5676 * Generate code that checks whether the packet is a packet for protocol
5677 * <proto> and whether the type field in that protocol's header has
5678 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5679 * IP packet and checks the protocol number in the IP header against <v>.
5680 *
5681 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5682 * against Q_IP and Q_IPV6.
5683 */
5684 static struct block *
5685 gen_proto(v, proto, dir)
5686 int v;
5687 int proto;
5688 int dir;
5689 {
5690 struct block *b0, *b1;
5691
5692 if (dir != Q_DEFAULT)
5693 bpf_error("direction applied to 'proto'");
5694
5695 switch (proto) {
5696 case Q_DEFAULT:
5697 #ifdef INET6
5698 b0 = gen_proto(v, Q_IP, dir);
5699 b1 = gen_proto(v, Q_IPV6, dir);
5700 gen_or(b0, b1);
5701 return b1;
5702 #else
5703 /*FALLTHROUGH*/
5704 #endif
5705 case Q_IP:
5706 /*
5707 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5708 * not LLC encapsulation with LLCSAP_IP.
5709 *
5710 * For IEEE 802 networks - which includes 802.5 token ring
5711 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5712 * says that SNAP encapsulation is used, not LLC encapsulation
5713 * with LLCSAP_IP.
5714 *
5715 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5716 * RFC 2225 say that SNAP encapsulation is used, not LLC
5717 * encapsulation with LLCSAP_IP.
5718 *
5719 * So we always check for ETHERTYPE_IP.
5720 */
5721 b0 = gen_linktype(ETHERTYPE_IP);
5722 #ifndef CHASE_CHAIN
5723 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
5724 #else
5725 b1 = gen_protochain(v, Q_IP);
5726 #endif
5727 gen_and(b0, b1);
5728 return b1;
5729
5730 case Q_ISO:
5731 switch (linktype) {
5732
5733 case DLT_FRELAY:
5734 /*
5735 * Frame Relay packets typically have an OSI
5736 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5737 * generates code to check for all the OSI
5738 * NLPIDs, so calling it and then adding a check
5739 * for the particular NLPID for which we're
5740 * looking is bogus, as we can just check for
5741 * the NLPID.
5742 *
5743 * What we check for is the NLPID and a frame
5744 * control field value of UI, i.e. 0x03 followed
5745 * by the NLPID.
5746 *
5747 * XXX - assumes a 2-byte Frame Relay header with
5748 * DLCI and flags. What if the address is longer?
5749 *
5750 * XXX - what about SNAP-encapsulated frames?
5751 */
5752 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
5753 /*NOTREACHED*/
5754 break;
5755
5756 case DLT_C_HDLC:
5757 /*
5758 * Cisco uses an Ethertype lookalike - for OSI,
5759 * it's 0xfefe.
5760 */
5761 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
5762 /* OSI in C-HDLC is stuffed with a fudge byte */
5763 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
5764 gen_and(b0, b1);
5765 return b1;
5766
5767 default:
5768 b0 = gen_linktype(LLCSAP_ISONS);
5769 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
5770 gen_and(b0, b1);
5771 return b1;
5772 }
5773
5774 case Q_ISIS:
5775 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5776 /*
5777 * 4 is the offset of the PDU type relative to the IS-IS
5778 * header.
5779 */
5780 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
5781 gen_and(b0, b1);
5782 return b1;
5783
5784 case Q_ARP:
5785 bpf_error("arp does not encapsulate another protocol");
5786 /* NOTREACHED */
5787
5788 case Q_RARP:
5789 bpf_error("rarp does not encapsulate another protocol");
5790 /* NOTREACHED */
5791
5792 case Q_ATALK:
5793 bpf_error("atalk encapsulation is not specifiable");
5794 /* NOTREACHED */
5795
5796 case Q_DECNET:
5797 bpf_error("decnet encapsulation is not specifiable");
5798 /* NOTREACHED */
5799
5800 case Q_SCA:
5801 bpf_error("sca does not encapsulate another protocol");
5802 /* NOTREACHED */
5803
5804 case Q_LAT:
5805 bpf_error("lat does not encapsulate another protocol");
5806 /* NOTREACHED */
5807
5808 case Q_MOPRC:
5809 bpf_error("moprc does not encapsulate another protocol");
5810 /* NOTREACHED */
5811
5812 case Q_MOPDL:
5813 bpf_error("mopdl does not encapsulate another protocol");
5814 /* NOTREACHED */
5815
5816 case Q_LINK:
5817 return gen_linktype(v);
5818
5819 case Q_UDP:
5820 bpf_error("'udp proto' is bogus");
5821 /* NOTREACHED */
5822
5823 case Q_TCP:
5824 bpf_error("'tcp proto' is bogus");
5825 /* NOTREACHED */
5826
5827 case Q_SCTP:
5828 bpf_error("'sctp proto' is bogus");
5829 /* NOTREACHED */
5830
5831 case Q_ICMP:
5832 bpf_error("'icmp proto' is bogus");
5833 /* NOTREACHED */
5834
5835 case Q_IGMP:
5836 bpf_error("'igmp proto' is bogus");
5837 /* NOTREACHED */
5838
5839 case Q_IGRP:
5840 bpf_error("'igrp proto' is bogus");
5841 /* NOTREACHED */
5842
5843 case Q_PIM:
5844 bpf_error("'pim proto' is bogus");
5845 /* NOTREACHED */
5846
5847 case Q_VRRP:
5848 bpf_error("'vrrp proto' is bogus");
5849 /* NOTREACHED */
5850
5851 #ifdef INET6
5852 case Q_IPV6:
5853 b0 = gen_linktype(ETHERTYPE_IPV6);
5854 #ifndef CHASE_CHAIN
5855 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
5856 #else
5857 b1 = gen_protochain(v, Q_IPV6);
5858 #endif
5859 gen_and(b0, b1);
5860 return b1;
5861
5862 case Q_ICMPV6:
5863 bpf_error("'icmp6 proto' is bogus");
5864 #endif /* INET6 */
5865
5866 case Q_AH:
5867 bpf_error("'ah proto' is bogus");
5868
5869 case Q_ESP:
5870 bpf_error("'ah proto' is bogus");
5871
5872 case Q_STP:
5873 bpf_error("'stp proto' is bogus");
5874
5875 case Q_IPX:
5876 bpf_error("'ipx proto' is bogus");
5877
5878 case Q_NETBEUI:
5879 bpf_error("'netbeui proto' is bogus");
5880
5881 case Q_RADIO:
5882 bpf_error("'radio proto' is bogus");
5883
5884 default:
5885 abort();
5886 /* NOTREACHED */
5887 }
5888 /* NOTREACHED */
5889 }
5890
5891 struct block *
5892 gen_scode(name, q)
5893 register const char *name;
5894 struct qual q;
5895 {
5896 int proto = q.proto;
5897 int dir = q.dir;
5898 int tproto;
5899 u_char *eaddr;
5900 bpf_u_int32 mask, addr;
5901 #ifndef INET6
5902 bpf_u_int32 **alist;
5903 #else
5904 int tproto6;
5905 struct sockaddr_in *sin4;
5906 struct sockaddr_in6 *sin6;
5907 struct addrinfo *res, *res0;
5908 struct in6_addr mask128;
5909 #endif /*INET6*/
5910 struct block *b, *tmp;
5911 int port, real_proto;
5912 int port1, port2;
5913
5914 switch (q.addr) {
5915
5916 case Q_NET:
5917 addr = pcap_nametonetaddr(name);
5918 if (addr == 0)
5919 bpf_error("unknown network '%s'", name);
5920 /* Left justify network addr and calculate its network mask */
5921 mask = 0xffffffff;
5922 while (addr && (addr & 0xff000000) == 0) {
5923 addr <<= 8;
5924 mask <<= 8;
5925 }
5926 return gen_host(addr, mask, proto, dir, q.addr);
5927
5928 case Q_DEFAULT:
5929 case Q_HOST:
5930 if (proto == Q_LINK) {
5931 switch (linktype) {
5932
5933 case DLT_EN10MB:
5934 eaddr = pcap_ether_hostton(name);
5935 if (eaddr == NULL)
5936 bpf_error(
5937 "unknown ether host '%s'", name);
5938 b = gen_ehostop(eaddr, dir);
5939 free(eaddr);
5940 return b;
5941
5942 case DLT_FDDI:
5943 eaddr = pcap_ether_hostton(name);
5944 if (eaddr == NULL)
5945 bpf_error(
5946 "unknown FDDI host '%s'", name);
5947 b = gen_fhostop(eaddr, dir);
5948 free(eaddr);
5949 return b;
5950
5951 case DLT_IEEE802:
5952 eaddr = pcap_ether_hostton(name);
5953 if (eaddr == NULL)
5954 bpf_error(
5955 "unknown token ring host '%s'", name);
5956 b = gen_thostop(eaddr, dir);
5957 free(eaddr);
5958 return b;
5959
5960 case DLT_IEEE802_11:
5961 case DLT_PRISM_HEADER:
5962 case DLT_IEEE802_11_RADIO_AVS:
5963 case DLT_IEEE802_11_RADIO:
5964 case DLT_PPI:
5965 eaddr = pcap_ether_hostton(name);
5966 if (eaddr == NULL)
5967 bpf_error(
5968 "unknown 802.11 host '%s'", name);
5969 b = gen_wlanhostop(eaddr, dir);
5970 free(eaddr);
5971 return b;
5972
5973 case DLT_IP_OVER_FC:
5974 eaddr = pcap_ether_hostton(name);
5975 if (eaddr == NULL)
5976 bpf_error(
5977 "unknown Fibre Channel host '%s'", name);
5978 b = gen_ipfchostop(eaddr, dir);
5979 free(eaddr);
5980 return b;
5981
5982 case DLT_SUNATM:
5983 if (!is_lane)
5984 break;
5985
5986 /*
5987 * Check that the packet doesn't begin
5988 * with an LE Control marker. (We've
5989 * already generated a test for LANE.)
5990 */
5991 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
5992 BPF_H, 0xFF00);
5993 gen_not(tmp);
5994
5995 eaddr = pcap_ether_hostton(name);
5996 if (eaddr == NULL)
5997 bpf_error(
5998 "unknown ether host '%s'", name);
5999 b = gen_ehostop(eaddr, dir);
6000 gen_and(tmp, b);
6001 free(eaddr);
6002 return b;
6003 }
6004
6005 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6006 } else if (proto == Q_DECNET) {
6007 unsigned short dn_addr = __pcap_nametodnaddr(name);
6008 /*
6009 * I don't think DECNET hosts can be multihomed, so
6010 * there is no need to build up a list of addresses
6011 */
6012 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6013 } else {
6014 #ifndef INET6
6015 alist = pcap_nametoaddr(name);
6016 if (alist == NULL || *alist == NULL)
6017 bpf_error("unknown host '%s'", name);
6018 tproto = proto;
6019 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
6020 tproto = Q_IP;
6021 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6022 while (*alist) {
6023 tmp = gen_host(**alist++, 0xffffffff,
6024 tproto, dir, q.addr);
6025 gen_or(b, tmp);
6026 b = tmp;
6027 }
6028 return b;
6029 #else
6030 memset(&mask128, 0xff, sizeof(mask128));
6031 res0 = res = pcap_nametoaddrinfo(name);
6032 if (res == NULL)
6033 bpf_error("unknown host '%s'", name);
6034 ai = res;
6035 b = tmp = NULL;
6036 tproto = tproto6 = proto;
6037 if (off_linktype == -1 && tproto == Q_DEFAULT) {
6038 tproto = Q_IP;
6039 tproto6 = Q_IPV6;
6040 }
6041 for (res = res0; res; res = res->ai_next) {
6042 switch (res->ai_family) {
6043 case AF_INET:
6044 if (tproto == Q_IPV6)
6045 continue;
6046
6047 sin4 = (struct sockaddr_in *)
6048 res->ai_addr;
6049 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6050 0xffffffff, tproto, dir, q.addr);
6051 break;
6052 case AF_INET6:
6053 if (tproto6 == Q_IP)
6054 continue;
6055
6056 sin6 = (struct sockaddr_in6 *)
6057 res->ai_addr;
6058 tmp = gen_host6(&sin6->sin6_addr,
6059 &mask128, tproto6, dir, q.addr);
6060 break;
6061 default:
6062 continue;
6063 }
6064 if (b)
6065 gen_or(b, tmp);
6066 b = tmp;
6067 }
6068 ai = NULL;
6069 freeaddrinfo(res0);
6070 if (b == NULL) {
6071 bpf_error("unknown host '%s'%s", name,
6072 (proto == Q_DEFAULT)
6073 ? ""
6074 : " for specified address family");
6075 }
6076 return b;
6077 #endif /*INET6*/
6078 }
6079
6080 case Q_PORT:
6081 if (proto != Q_DEFAULT &&
6082 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6083 bpf_error("illegal qualifier of 'port'");
6084 if (pcap_nametoport(name, &port, &real_proto) == 0)
6085 bpf_error("unknown port '%s'", name);
6086 if (proto == Q_UDP) {
6087 if (real_proto == IPPROTO_TCP)
6088 bpf_error("port '%s' is tcp", name);
6089 else if (real_proto == IPPROTO_SCTP)
6090 bpf_error("port '%s' is sctp", name);
6091 else
6092 /* override PROTO_UNDEF */
6093 real_proto = IPPROTO_UDP;
6094 }
6095 if (proto == Q_TCP) {
6096 if (real_proto == IPPROTO_UDP)
6097 bpf_error("port '%s' is udp", name);
6098
6099 else if (real_proto == IPPROTO_SCTP)
6100 bpf_error("port '%s' is sctp", name);
6101 else
6102 /* override PROTO_UNDEF */
6103 real_proto = IPPROTO_TCP;
6104 }
6105 if (proto == Q_SCTP) {
6106 if (real_proto == IPPROTO_UDP)
6107 bpf_error("port '%s' is udp", name);
6108
6109 else if (real_proto == IPPROTO_TCP)
6110 bpf_error("port '%s' is tcp", name);
6111 else
6112 /* override PROTO_UNDEF */
6113 real_proto = IPPROTO_SCTP;
6114 }
6115 #ifndef INET6
6116 return gen_port(port, real_proto, dir);
6117 #else
6118 b = gen_port(port, real_proto, dir);
6119 gen_or(gen_port6(port, real_proto, dir), b);
6120 return b;
6121 #endif /* INET6 */
6122
6123 case Q_PORTRANGE:
6124 if (proto != Q_DEFAULT &&
6125 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6126 bpf_error("illegal qualifier of 'portrange'");
6127 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6128 bpf_error("unknown port in range '%s'", name);
6129 if (proto == Q_UDP) {
6130 if (real_proto == IPPROTO_TCP)
6131 bpf_error("port in range '%s' is tcp", name);
6132 else if (real_proto == IPPROTO_SCTP)
6133 bpf_error("port in range '%s' is sctp", name);
6134 else
6135 /* override PROTO_UNDEF */
6136 real_proto = IPPROTO_UDP;
6137 }
6138 if (proto == Q_TCP) {
6139 if (real_proto == IPPROTO_UDP)
6140 bpf_error("port in range '%s' is udp", name);
6141 else if (real_proto == IPPROTO_SCTP)
6142 bpf_error("port in range '%s' is sctp", name);
6143 else
6144 /* override PROTO_UNDEF */
6145 real_proto = IPPROTO_TCP;
6146 }
6147 if (proto == Q_SCTP) {
6148 if (real_proto == IPPROTO_UDP)
6149 bpf_error("port in range '%s' is udp", name);
6150 else if (real_proto == IPPROTO_TCP)
6151 bpf_error("port in range '%s' is tcp", name);
6152 else
6153 /* override PROTO_UNDEF */
6154 real_proto = IPPROTO_SCTP;
6155 }
6156 #ifndef INET6
6157 return gen_portrange(port1, port2, real_proto, dir);
6158 #else
6159 b = gen_portrange(port1, port2, real_proto, dir);
6160 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6161 return b;
6162 #endif /* INET6 */
6163
6164 case Q_GATEWAY:
6165 #ifndef INET6
6166 eaddr = pcap_ether_hostton(name);
6167 if (eaddr == NULL)
6168 bpf_error("unknown ether host: %s", name);
6169
6170 alist = pcap_nametoaddr(name);
6171 if (alist == NULL || *alist == NULL)
6172 bpf_error("unknown host '%s'", name);
6173 b = gen_gateway(eaddr, alist, proto, dir);
6174 free(eaddr);
6175 return b;
6176 #else
6177 bpf_error("'gateway' not supported in this configuration");
6178 #endif /*INET6*/
6179
6180 case Q_PROTO:
6181 real_proto = lookup_proto(name, proto);
6182 if (real_proto >= 0)
6183 return gen_proto(real_proto, proto, dir);
6184 else
6185 bpf_error("unknown protocol: %s", name);
6186
6187 case Q_PROTOCHAIN:
6188 real_proto = lookup_proto(name, proto);
6189 if (real_proto >= 0)
6190 return gen_protochain(real_proto, proto, dir);
6191 else
6192 bpf_error("unknown protocol: %s", name);
6193
6194 case Q_UNDEF:
6195 syntax();
6196 /* NOTREACHED */
6197 }
6198 abort();
6199 /* NOTREACHED */
6200 }
6201
6202 struct block *
6203 gen_mcode(s1, s2, masklen, q)
6204 register const char *s1, *s2;
6205 register int masklen;
6206 struct qual q;
6207 {
6208 register int nlen, mlen;
6209 bpf_u_int32 n, m;
6210
6211 nlen = __pcap_atoin(s1, &n);
6212 /* Promote short ipaddr */
6213 n <<= 32 - nlen;
6214
6215 if (s2 != NULL) {
6216 mlen = __pcap_atoin(s2, &m);
6217 /* Promote short ipaddr */
6218 m <<= 32 - mlen;
6219 if ((n & ~m) != 0)
6220 bpf_error("non-network bits set in \"%s mask %s\"",
6221 s1, s2);
6222 } else {
6223 /* Convert mask len to mask */
6224 if (masklen > 32)
6225 bpf_error("mask length must be <= 32");
6226 if (masklen == 0) {
6227 /*
6228 * X << 32 is not guaranteed by C to be 0; it's
6229 * undefined.
6230 */
6231 m = 0;
6232 } else
6233 m = 0xffffffff << (32 - masklen);
6234 if ((n & ~m) != 0)
6235 bpf_error("non-network bits set in \"%s/%d\"",
6236 s1, masklen);
6237 }
6238
6239 switch (q.addr) {
6240
6241 case Q_NET:
6242 return gen_host(n, m, q.proto, q.dir, q.addr);
6243
6244 default:
6245 bpf_error("Mask syntax for networks only");
6246 /* NOTREACHED */
6247 }
6248 /* NOTREACHED */
6249 return NULL;
6250 }
6251
6252 struct block *
6253 gen_ncode(s, v, q)
6254 register const char *s;
6255 bpf_u_int32 v;
6256 struct qual q;
6257 {
6258 bpf_u_int32 mask;
6259 int proto = q.proto;
6260 int dir = q.dir;
6261 register int vlen;
6262
6263 if (s == NULL)
6264 vlen = 32;
6265 else if (q.proto == Q_DECNET)
6266 vlen = __pcap_atodn(s, &v);
6267 else
6268 vlen = __pcap_atoin(s, &v);
6269
6270 switch (q.addr) {
6271
6272 case Q_DEFAULT:
6273 case Q_HOST:
6274 case Q_NET:
6275 if (proto == Q_DECNET)
6276 return gen_host(v, 0, proto, dir, q.addr);
6277 else if (proto == Q_LINK) {
6278 bpf_error("illegal link layer address");
6279 } else {
6280 mask = 0xffffffff;
6281 if (s == NULL && q.addr == Q_NET) {
6282 /* Promote short net number */
6283 while (v && (v & 0xff000000) == 0) {
6284 v <<= 8;
6285 mask <<= 8;
6286 }
6287 } else {
6288 /* Promote short ipaddr */
6289 v <<= 32 - vlen;
6290 mask <<= 32 - vlen;
6291 }
6292 return gen_host(v, mask, proto, dir, q.addr);
6293 }
6294
6295 case Q_PORT:
6296 if (proto == Q_UDP)
6297 proto = IPPROTO_UDP;
6298 else if (proto == Q_TCP)
6299 proto = IPPROTO_TCP;
6300 else if (proto == Q_SCTP)
6301 proto = IPPROTO_SCTP;
6302 else if (proto == Q_DEFAULT)
6303 proto = PROTO_UNDEF;
6304 else
6305 bpf_error("illegal qualifier of 'port'");
6306
6307 #ifndef INET6
6308 return gen_port((int)v, proto, dir);
6309 #else
6310 {
6311 struct block *b;
6312 b = gen_port((int)v, proto, dir);
6313 gen_or(gen_port6((int)v, proto, dir), b);
6314 return b;
6315 }
6316 #endif /* INET6 */
6317
6318 case Q_PORTRANGE:
6319 if (proto == Q_UDP)
6320 proto = IPPROTO_UDP;
6321 else if (proto == Q_TCP)
6322 proto = IPPROTO_TCP;
6323 else if (proto == Q_SCTP)
6324 proto = IPPROTO_SCTP;
6325 else if (proto == Q_DEFAULT)
6326 proto = PROTO_UNDEF;
6327 else
6328 bpf_error("illegal qualifier of 'portrange'");
6329
6330 #ifndef INET6
6331 return gen_portrange((int)v, (int)v, proto, dir);
6332 #else
6333 {
6334 struct block *b;
6335 b = gen_portrange((int)v, (int)v, proto, dir);
6336 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6337 return b;
6338 }
6339 #endif /* INET6 */
6340
6341 case Q_GATEWAY:
6342 bpf_error("'gateway' requires a name");
6343 /* NOTREACHED */
6344
6345 case Q_PROTO:
6346 return gen_proto((int)v, proto, dir);
6347
6348 case Q_PROTOCHAIN:
6349 return gen_protochain((int)v, proto, dir);
6350
6351 case Q_UNDEF:
6352 syntax();
6353 /* NOTREACHED */
6354
6355 default:
6356 abort();
6357 /* NOTREACHED */
6358 }
6359 /* NOTREACHED */
6360 }
6361
6362 #ifdef INET6
6363 struct block *
6364 gen_mcode6(s1, s2, masklen, q)
6365 register const char *s1, *s2;
6366 register int masklen;
6367 struct qual q;
6368 {
6369 struct addrinfo *res;
6370 struct in6_addr *addr;
6371 struct in6_addr mask;
6372 struct block *b;
6373 u_int32_t *a, *m;
6374
6375 if (s2)
6376 bpf_error("no mask %s supported", s2);
6377
6378 res = pcap_nametoaddrinfo(s1);
6379 if (!res)
6380 bpf_error("invalid ip6 address %s", s1);
6381 ai = res;
6382 if (res->ai_next)
6383 bpf_error("%s resolved to multiple address", s1);
6384 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6385
6386 if (sizeof(mask) * 8 < masklen)
6387 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6388 memset(&mask, 0, sizeof(mask));
6389 memset(&mask, 0xff, masklen / 8);
6390 if (masklen % 8) {
6391 mask.s6_addr[masklen / 8] =
6392 (0xff << (8 - masklen % 8)) & 0xff;
6393 }
6394
6395 a = (u_int32_t *)addr;
6396 m = (u_int32_t *)&mask;
6397 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6398 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6399 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6400 }
6401
6402 switch (q.addr) {
6403
6404 case Q_DEFAULT:
6405 case Q_HOST:
6406 if (masklen != 128)
6407 bpf_error("Mask syntax for networks only");
6408 /* FALLTHROUGH */
6409
6410 case Q_NET:
6411 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6412 ai = NULL;
6413 freeaddrinfo(res);
6414 return b;
6415
6416 default:
6417 bpf_error("invalid qualifier against IPv6 address");
6418 /* NOTREACHED */
6419 }
6420 return NULL;
6421 }
6422 #endif /*INET6*/
6423
6424 struct block *
6425 gen_ecode(eaddr, q)
6426 register const u_char *eaddr;
6427 struct qual q;
6428 {
6429 struct block *b, *tmp;
6430
6431 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6432 switch (linktype) {
6433 case DLT_EN10MB:
6434 return gen_ehostop(eaddr, (int)q.dir);
6435 case DLT_FDDI:
6436 return gen_fhostop(eaddr, (int)q.dir);
6437 case DLT_IEEE802:
6438 return gen_thostop(eaddr, (int)q.dir);
6439 case DLT_IEEE802_11:
6440 case DLT_PRISM_HEADER:
6441 case DLT_IEEE802_11_RADIO_AVS:
6442 case DLT_IEEE802_11_RADIO:
6443 case DLT_PPI:
6444 return gen_wlanhostop(eaddr, (int)q.dir);
6445 case DLT_SUNATM:
6446 if (is_lane) {
6447 /*
6448 * Check that the packet doesn't begin with an
6449 * LE Control marker. (We've already generated
6450 * a test for LANE.)
6451 */
6452 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
6453 0xFF00);
6454 gen_not(tmp);
6455
6456 /*
6457 * Now check the MAC address.
6458 */
6459 b = gen_ehostop(eaddr, (int)q.dir);
6460 gen_and(tmp, b);
6461 return b;
6462 }
6463 break;
6464 case DLT_IP_OVER_FC:
6465 return gen_ipfchostop(eaddr, (int)q.dir);
6466 default:
6467 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6468 break;
6469 }
6470 }
6471 bpf_error("ethernet address used in non-ether expression");
6472 /* NOTREACHED */
6473 return NULL;
6474 }
6475
6476 void
6477 sappend(s0, s1)
6478 struct slist *s0, *s1;
6479 {
6480 /*
6481 * This is definitely not the best way to do this, but the
6482 * lists will rarely get long.
6483 */
6484 while (s0->next)
6485 s0 = s0->next;
6486 s0->next = s1;
6487 }
6488
6489 static struct slist *
6490 xfer_to_x(a)
6491 struct arth *a;
6492 {
6493 struct slist *s;
6494
6495 s = new_stmt(BPF_LDX|BPF_MEM);
6496 s->s.k = a->regno;
6497 return s;
6498 }
6499
6500 static struct slist *
6501 xfer_to_a(a)
6502 struct arth *a;
6503 {
6504 struct slist *s;
6505
6506 s = new_stmt(BPF_LD|BPF_MEM);
6507 s->s.k = a->regno;
6508 return s;
6509 }
6510
6511 /*
6512 * Modify "index" to use the value stored into its register as an
6513 * offset relative to the beginning of the header for the protocol
6514 * "proto", and allocate a register and put an item "size" bytes long
6515 * (1, 2, or 4) at that offset into that register, making it the register
6516 * for "index".
6517 */
6518 struct arth *
6519 gen_load(proto, inst, size)
6520 int proto;
6521 struct arth *inst;
6522 int size;
6523 {
6524 struct slist *s, *tmp;
6525 struct block *b;
6526 int regno = alloc_reg();
6527
6528 free_reg(inst->regno);
6529 switch (size) {
6530
6531 default:
6532 bpf_error("data size must be 1, 2, or 4");
6533
6534 case 1:
6535 size = BPF_B;
6536 break;
6537
6538 case 2:
6539 size = BPF_H;
6540 break;
6541
6542 case 4:
6543 size = BPF_W;
6544 break;
6545 }
6546 switch (proto) {
6547 default:
6548 bpf_error("unsupported index operation");
6549
6550 case Q_RADIO:
6551 /*
6552 * The offset is relative to the beginning of the packet
6553 * data, if we have a radio header. (If we don't, this
6554 * is an error.)
6555 */
6556 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6557 linktype != DLT_IEEE802_11_RADIO &&
6558 linktype != DLT_PRISM_HEADER)
6559 bpf_error("radio information not present in capture");
6560
6561 /*
6562 * Load into the X register the offset computed into the
6563 * register specifed by "index".
6564 */
6565 s = xfer_to_x(inst);
6566
6567 /*
6568 * Load the item at that offset.
6569 */
6570 tmp = new_stmt(BPF_LD|BPF_IND|size);
6571 sappend(s, tmp);
6572 sappend(inst->s, s);
6573 break;
6574
6575 case Q_LINK:
6576 /*
6577 * The offset is relative to the beginning of
6578 * the link-layer header.
6579 *
6580 * XXX - what about ATM LANE? Should the index be
6581 * relative to the beginning of the AAL5 frame, so
6582 * that 0 refers to the beginning of the LE Control
6583 * field, or relative to the beginning of the LAN
6584 * frame, so that 0 refers, for Ethernet LANE, to
6585 * the beginning of the destination address?
6586 */
6587 s = gen_llprefixlen();
6588
6589 /*
6590 * If "s" is non-null, it has code to arrange that the
6591 * X register contains the length of the prefix preceding
6592 * the link-layer header. Add to it the offset computed
6593 * into the register specified by "index", and move that
6594 * into the X register. Otherwise, just load into the X
6595 * register the offset computed into the register specifed
6596 * by "index".
6597 */
6598 if (s != NULL) {
6599 sappend(s, xfer_to_a(inst));
6600 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6601 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6602 } else
6603 s = xfer_to_x(inst);
6604
6605 /*
6606 * Load the item at the sum of the offset we've put in the
6607 * X register and the offset of the start of the link
6608 * layer header (which is 0 if the radio header is
6609 * variable-length; that header length is what we put
6610 * into the X register and then added to the index).
6611 */
6612 tmp = new_stmt(BPF_LD|BPF_IND|size);
6613 tmp->s.k = off_ll;
6614 sappend(s, tmp);
6615 sappend(inst->s, s);
6616 break;
6617
6618 case Q_IP:
6619 case Q_ARP:
6620 case Q_RARP:
6621 case Q_ATALK:
6622 case Q_DECNET:
6623 case Q_SCA:
6624 case Q_LAT:
6625 case Q_MOPRC:
6626 case Q_MOPDL:
6627 #ifdef INET6
6628 case Q_IPV6:
6629 #endif
6630 /*
6631 * The offset is relative to the beginning of
6632 * the network-layer header.
6633 * XXX - are there any cases where we want
6634 * off_nl_nosnap?
6635 */
6636 s = gen_off_macpl();
6637
6638 /*
6639 * If "s" is non-null, it has code to arrange that the
6640 * X register contains the offset of the MAC-layer
6641 * payload. Add to it the offset computed into the
6642 * register specified by "index", and move that into
6643 * the X register. Otherwise, just load into the X
6644 * register the offset computed into the register specifed
6645 * by "index".
6646 */
6647 if (s != NULL) {
6648 sappend(s, xfer_to_a(inst));
6649 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6650 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6651 } else
6652 s = xfer_to_x(inst);
6653
6654 /*
6655 * Load the item at the sum of the offset we've put in the
6656 * X register, the offset of the start of the network
6657 * layer header from the beginning of the MAC-layer
6658 * payload, and the purported offset of the start of the
6659 * MAC-layer payload (which might be 0 if there's a
6660 * variable-length prefix before the link-layer header
6661 * or the link-layer header itself is variable-length;
6662 * the variable-length offset of the start of the
6663 * MAC-layer payload is what we put into the X register
6664 * and then added to the index).
6665 */
6666 tmp = new_stmt(BPF_LD|BPF_IND|size);
6667 tmp->s.k = off_macpl + off_nl;
6668 sappend(s, tmp);
6669 sappend(inst->s, s);
6670
6671 /*
6672 * Do the computation only if the packet contains
6673 * the protocol in question.
6674 */
6675 b = gen_proto_abbrev(proto);
6676 if (inst->b)
6677 gen_and(inst->b, b);
6678 inst->b = b;
6679 break;
6680
6681 case Q_SCTP:
6682 case Q_TCP:
6683 case Q_UDP:
6684 case Q_ICMP:
6685 case Q_IGMP:
6686 case Q_IGRP:
6687 case Q_PIM:
6688 case Q_VRRP:
6689 /*
6690 * The offset is relative to the beginning of
6691 * the transport-layer header.
6692 *
6693 * Load the X register with the length of the IPv4 header
6694 * (plus the offset of the link-layer header, if it's
6695 * a variable-length header), in bytes.
6696 *
6697 * XXX - are there any cases where we want
6698 * off_nl_nosnap?
6699 * XXX - we should, if we're built with
6700 * IPv6 support, generate code to load either
6701 * IPv4, IPv6, or both, as appropriate.
6702 */
6703 s = gen_loadx_iphdrlen();
6704
6705 /*
6706 * The X register now contains the sum of the length
6707 * of any variable-length header preceding the link-layer
6708 * header, any variable-length link-layer header, and the
6709 * length of the network-layer header.
6710 *
6711 * Load into the A register the offset relative to
6712 * the beginning of the transport layer header,
6713 * add the X register to that, move that to the
6714 * X register, and load with an offset from the
6715 * X register equal to the offset of the network
6716 * layer header relative to the beginning of
6717 * the MAC-layer payload plus the fixed-length
6718 * portion of the offset of the MAC-layer payload
6719 * from the beginning of the raw packet data.
6720 */
6721 sappend(s, xfer_to_a(inst));
6722 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6723 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6724 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6725 tmp->s.k = off_macpl + off_nl;
6726 sappend(inst->s, s);
6727
6728 /*
6729 * Do the computation only if the packet contains
6730 * the protocol in question - which is true only
6731 * if this is an IP datagram and is the first or
6732 * only fragment of that datagram.
6733 */
6734 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6735 if (inst->b)
6736 gen_and(inst->b, b);
6737 #ifdef INET6
6738 gen_and(gen_proto_abbrev(Q_IP), b);
6739 #endif
6740 inst->b = b;
6741 break;
6742 #ifdef INET6
6743 case Q_ICMPV6:
6744 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6745 /*NOTREACHED*/
6746 #endif
6747 }
6748 inst->regno = regno;
6749 s = new_stmt(BPF_ST);
6750 s->s.k = regno;
6751 sappend(inst->s, s);
6752
6753 return inst;
6754 }
6755
6756 struct block *
6757 gen_relation(code, a0, a1, reversed)
6758 int code;
6759 struct arth *a0, *a1;
6760 int reversed;
6761 {
6762 struct slist *s0, *s1, *s2;
6763 struct block *b, *tmp;
6764
6765 s0 = xfer_to_x(a1);
6766 s1 = xfer_to_a(a0);
6767 if (code == BPF_JEQ) {
6768 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6769 b = new_block(JMP(code));
6770 sappend(s1, s2);
6771 }
6772 else
6773 b = new_block(BPF_JMP|code|BPF_X);
6774 if (reversed)
6775 gen_not(b);
6776
6777 sappend(s0, s1);
6778 sappend(a1->s, s0);
6779 sappend(a0->s, a1->s);
6780
6781 b->stmts = a0->s;
6782
6783 free_reg(a0->regno);
6784 free_reg(a1->regno);
6785
6786 /* 'and' together protocol checks */
6787 if (a0->b) {
6788 if (a1->b) {
6789 gen_and(a0->b, tmp = a1->b);
6790 }
6791 else
6792 tmp = a0->b;
6793 } else
6794 tmp = a1->b;
6795
6796 if (tmp)
6797 gen_and(tmp, b);
6798
6799 return b;
6800 }
6801
6802 struct arth *
6803 gen_loadlen()
6804 {
6805 int regno = alloc_reg();
6806 struct arth *a = (struct arth *)newchunk(sizeof(*a));
6807 struct slist *s;
6808
6809 s = new_stmt(BPF_LD|BPF_LEN);
6810 s->next = new_stmt(BPF_ST);
6811 s->next->s.k = regno;
6812 a->s = s;
6813 a->regno = regno;
6814
6815 return a;
6816 }
6817
6818 struct arth *
6819 gen_loadi(val)
6820 int val;
6821 {
6822 struct arth *a;
6823 struct slist *s;
6824 int reg;
6825
6826 a = (struct arth *)newchunk(sizeof(*a));
6827
6828 reg = alloc_reg();
6829
6830 s = new_stmt(BPF_LD|BPF_IMM);
6831 s->s.k = val;
6832 s->next = new_stmt(BPF_ST);
6833 s->next->s.k = reg;
6834 a->s = s;
6835 a->regno = reg;
6836
6837 return a;
6838 }
6839
6840 struct arth *
6841 gen_neg(a)
6842 struct arth *a;
6843 {
6844 struct slist *s;
6845
6846 s = xfer_to_a(a);
6847 sappend(a->s, s);
6848 s = new_stmt(BPF_ALU|BPF_NEG);
6849 s->s.k = 0;
6850 sappend(a->s, s);
6851 s = new_stmt(BPF_ST);
6852 s->s.k = a->regno;
6853 sappend(a->s, s);
6854
6855 return a;
6856 }
6857
6858 struct arth *
6859 gen_arth(code, a0, a1)
6860 int code;
6861 struct arth *a0, *a1;
6862 {
6863 struct slist *s0, *s1, *s2;
6864
6865 s0 = xfer_to_x(a1);
6866 s1 = xfer_to_a(a0);
6867 s2 = new_stmt(BPF_ALU|BPF_X|code);
6868
6869 sappend(s1, s2);
6870 sappend(s0, s1);
6871 sappend(a1->s, s0);
6872 sappend(a0->s, a1->s);
6873
6874 free_reg(a0->regno);
6875 free_reg(a1->regno);
6876
6877 s0 = new_stmt(BPF_ST);
6878 a0->regno = s0->s.k = alloc_reg();
6879 sappend(a0->s, s0);
6880
6881 return a0;
6882 }
6883
6884 /*
6885 * Here we handle simple allocation of the scratch registers.
6886 * If too many registers are alloc'd, the allocator punts.
6887 */
6888 static int regused[BPF_MEMWORDS];
6889 static int curreg;
6890
6891 /*
6892 * Initialize the table of used registers and the current register.
6893 */
6894 static void
6895 init_regs()
6896 {
6897 curreg = 0;
6898 memset(regused, 0, sizeof regused);
6899 }
6900
6901 /*
6902 * Return the next free register.
6903 */
6904 static int
6905 alloc_reg()
6906 {
6907 int n = BPF_MEMWORDS;
6908
6909 while (--n >= 0) {
6910 if (regused[curreg])
6911 curreg = (curreg + 1) % BPF_MEMWORDS;
6912 else {
6913 regused[curreg] = 1;
6914 return curreg;
6915 }
6916 }
6917 bpf_error("too many registers needed to evaluate expression");
6918 /* NOTREACHED */
6919 return 0;
6920 }
6921
6922 /*
6923 * Return a register to the table so it can
6924 * be used later.
6925 */
6926 static void
6927 free_reg(n)
6928 int n;
6929 {
6930 regused[n] = 0;
6931 }
6932
6933 static struct block *
6934 gen_len(jmp, n)
6935 int jmp, n;
6936 {
6937 struct slist *s;
6938 struct block *b;
6939
6940 s = new_stmt(BPF_LD|BPF_LEN);
6941 b = new_block(JMP(jmp));
6942 b->stmts = s;
6943 b->s.k = n;
6944
6945 return b;
6946 }
6947
6948 struct block *
6949 gen_greater(n)
6950 int n;
6951 {
6952 return gen_len(BPF_JGE, n);
6953 }
6954
6955 /*
6956 * Actually, this is less than or equal.
6957 */
6958 struct block *
6959 gen_less(n)
6960 int n;
6961 {
6962 struct block *b;
6963
6964 b = gen_len(BPF_JGT, n);
6965 gen_not(b);
6966
6967 return b;
6968 }
6969
6970 /*
6971 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
6972 * the beginning of the link-layer header.
6973 * XXX - that means you can't test values in the radiotap header, but
6974 * as that header is difficult if not impossible to parse generally
6975 * without a loop, that might not be a severe problem. A new keyword
6976 * "radio" could be added for that, although what you'd really want
6977 * would be a way of testing particular radio header values, which
6978 * would generate code appropriate to the radio header in question.
6979 */
6980 struct block *
6981 gen_byteop(op, idx, val)
6982 int op, idx, val;
6983 {
6984 struct block *b;
6985 struct slist *s;
6986
6987 switch (op) {
6988 default:
6989 abort();
6990
6991 case '=':
6992 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6993
6994 case '<':
6995 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6996 return b;
6997
6998 case '>':
6999 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
7000 return b;
7001
7002 case '|':
7003 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7004 break;
7005
7006 case '&':
7007 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7008 break;
7009 }
7010 s->s.k = val;
7011 b = new_block(JMP(BPF_JEQ));
7012 b->stmts = s;
7013 gen_not(b);
7014
7015 return b;
7016 }
7017
7018 static u_char abroadcast[] = { 0x0 };
7019
7020 struct block *
7021 gen_broadcast(proto)
7022 int proto;
7023 {
7024 bpf_u_int32 hostmask;
7025 struct block *b0, *b1, *b2;
7026 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7027
7028 switch (proto) {
7029
7030 case Q_DEFAULT:
7031 case Q_LINK:
7032 switch (linktype) {
7033 case DLT_ARCNET:
7034 case DLT_ARCNET_LINUX:
7035 return gen_ahostop(abroadcast, Q_DST);
7036 case DLT_EN10MB:
7037 return gen_ehostop(ebroadcast, Q_DST);
7038 case DLT_FDDI:
7039 return gen_fhostop(ebroadcast, Q_DST);
7040 case DLT_IEEE802:
7041 return gen_thostop(ebroadcast, Q_DST);
7042 case DLT_IEEE802_11:
7043 case DLT_PRISM_HEADER:
7044 case DLT_IEEE802_11_RADIO_AVS:
7045 case DLT_IEEE802_11_RADIO:
7046 case DLT_PPI:
7047 return gen_wlanhostop(ebroadcast, Q_DST);
7048 case DLT_IP_OVER_FC:
7049 return gen_ipfchostop(ebroadcast, Q_DST);
7050 case DLT_SUNATM:
7051 if (is_lane) {
7052 /*
7053 * Check that the packet doesn't begin with an
7054 * LE Control marker. (We've already generated
7055 * a test for LANE.)
7056 */
7057 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7058 BPF_H, 0xFF00);
7059 gen_not(b1);
7060
7061 /*
7062 * Now check the MAC address.
7063 */
7064 b0 = gen_ehostop(ebroadcast, Q_DST);
7065 gen_and(b1, b0);
7066 return b0;
7067 }
7068 break;
7069 default:
7070 bpf_error("not a broadcast link");
7071 }
7072 break;
7073
7074 case Q_IP:
7075 b0 = gen_linktype(ETHERTYPE_IP);
7076 hostmask = ~netmask;
7077 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
7078 b2 = gen_mcmp(OR_NET, 16, BPF_W,
7079 (bpf_int32)(~0 & hostmask), hostmask);
7080 gen_or(b1, b2);
7081 gen_and(b0, b2);
7082 return b2;
7083 }
7084 bpf_error("only link-layer/IP broadcast filters supported");
7085 /* NOTREACHED */
7086 return NULL;
7087 }
7088
7089 /*
7090 * Generate code to test the low-order bit of a MAC address (that's
7091 * the bottom bit of the *first* byte).
7092 */
7093 static struct block *
7094 gen_mac_multicast(offset)
7095 int offset;
7096 {
7097 register struct block *b0;
7098 register struct slist *s;
7099
7100 /* link[offset] & 1 != 0 */
7101 s = gen_load_a(OR_LINK, offset, BPF_B);
7102 b0 = new_block(JMP(BPF_JSET));
7103 b0->s.k = 1;
7104 b0->stmts = s;
7105 return b0;
7106 }
7107
7108 struct block *
7109 gen_multicast(proto)
7110 int proto;
7111 {
7112 register struct block *b0, *b1, *b2;
7113 register struct slist *s;
7114
7115 switch (proto) {
7116
7117 case Q_DEFAULT:
7118 case Q_LINK:
7119 switch (linktype) {
7120 case DLT_ARCNET:
7121 case DLT_ARCNET_LINUX:
7122 /* all ARCnet multicasts use the same address */
7123 return gen_ahostop(abroadcast, Q_DST);
7124 case DLT_EN10MB:
7125 /* ether[0] & 1 != 0 */
7126 return gen_mac_multicast(0);
7127 case DLT_FDDI:
7128 /*
7129 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7130 *
7131 * XXX - was that referring to bit-order issues?
7132 */
7133 /* fddi[1] & 1 != 0 */
7134 return gen_mac_multicast(1);
7135 case DLT_IEEE802:
7136 /* tr[2] & 1 != 0 */
7137 return gen_mac_multicast(2);
7138 case DLT_IEEE802_11:
7139 case DLT_PRISM_HEADER:
7140 case DLT_IEEE802_11_RADIO_AVS:
7141 case DLT_IEEE802_11_RADIO:
7142 case DLT_PPI:
7143 /*
7144 * Oh, yuk.
7145 *
7146 * For control frames, there is no DA.
7147 *
7148 * For management frames, DA is at an
7149 * offset of 4 from the beginning of
7150 * the packet.
7151 *
7152 * For data frames, DA is at an offset
7153 * of 4 from the beginning of the packet
7154 * if To DS is clear and at an offset of
7155 * 16 from the beginning of the packet
7156 * if To DS is set.
7157 */
7158
7159 /*
7160 * Generate the tests to be done for data frames.
7161 *
7162 * First, check for To DS set, i.e. "link[1] & 0x01".
7163 */
7164 s = gen_load_a(OR_LINK, 1, BPF_B);
7165 b1 = new_block(JMP(BPF_JSET));
7166 b1->s.k = 0x01; /* To DS */
7167 b1->stmts = s;
7168
7169 /*
7170 * If To DS is set, the DA is at 16.
7171 */
7172 b0 = gen_mac_multicast(16);
7173 gen_and(b1, b0);
7174
7175 /*
7176 * Now, check for To DS not set, i.e. check
7177 * "!(link[1] & 0x01)".
7178 */
7179 s = gen_load_a(OR_LINK, 1, BPF_B);
7180 b2 = new_block(JMP(BPF_JSET));
7181 b2->s.k = 0x01; /* To DS */
7182 b2->stmts = s;
7183 gen_not(b2);
7184
7185 /*
7186 * If To DS is not set, the DA is at 4.
7187 */
7188 b1 = gen_mac_multicast(4);
7189 gen_and(b2, b1);
7190
7191 /*
7192 * Now OR together the last two checks. That gives
7193 * the complete set of checks for data frames.
7194 */
7195 gen_or(b1, b0);
7196
7197 /*
7198 * Now check for a data frame.
7199 * I.e, check "link[0] & 0x08".
7200 */
7201 s = gen_load_a(OR_LINK, 0, BPF_B);
7202 b1 = new_block(JMP(BPF_JSET));
7203 b1->s.k = 0x08;
7204 b1->stmts = s;
7205
7206 /*
7207 * AND that with the checks done for data frames.
7208 */
7209 gen_and(b1, b0);
7210
7211 /*
7212 * If the high-order bit of the type value is 0, this
7213 * is a management frame.
7214 * I.e, check "!(link[0] & 0x08)".
7215 */
7216 s = gen_load_a(OR_LINK, 0, BPF_B);
7217 b2 = new_block(JMP(BPF_JSET));
7218 b2->s.k = 0x08;
7219 b2->stmts = s;
7220 gen_not(b2);
7221
7222 /*
7223 * For management frames, the DA is at 4.
7224 */
7225 b1 = gen_mac_multicast(4);
7226 gen_and(b2, b1);
7227
7228 /*
7229 * OR that with the checks done for data frames.
7230 * That gives the checks done for management and
7231 * data frames.
7232 */
7233 gen_or(b1, b0);
7234
7235 /*
7236 * If the low-order bit of the type value is 1,
7237 * this is either a control frame or a frame
7238 * with a reserved type, and thus not a
7239 * frame with an SA.
7240 *
7241 * I.e., check "!(link[0] & 0x04)".
7242 */
7243 s = gen_load_a(OR_LINK, 0, BPF_B);
7244 b1 = new_block(JMP(BPF_JSET));
7245 b1->s.k = 0x04;
7246 b1->stmts = s;
7247 gen_not(b1);
7248
7249 /*
7250 * AND that with the checks for data and management
7251 * frames.
7252 */
7253 gen_and(b1, b0);
7254 return b0;
7255 case DLT_IP_OVER_FC:
7256 b0 = gen_mac_multicast(2);
7257 return b0;
7258 case DLT_SUNATM:
7259 if (is_lane) {
7260 /*
7261 * Check that the packet doesn't begin with an
7262 * LE Control marker. (We've already generated
7263 * a test for LANE.)
7264 */
7265 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
7266 BPF_H, 0xFF00);
7267 gen_not(b1);
7268
7269 /* ether[off_mac] & 1 != 0 */
7270 b0 = gen_mac_multicast(off_mac);
7271 gen_and(b1, b0);
7272 return b0;
7273 }
7274 break;
7275 default:
7276 break;
7277 }
7278 /* Link not known to support multicasts */
7279 break;
7280
7281 case Q_IP:
7282 b0 = gen_linktype(ETHERTYPE_IP);
7283 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
7284 gen_and(b0, b1);
7285 return b1;
7286
7287 #ifdef INET6
7288 case Q_IPV6:
7289 b0 = gen_linktype(ETHERTYPE_IPV6);
7290 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
7291 gen_and(b0, b1);
7292 return b1;
7293 #endif /* INET6 */
7294 }
7295 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7296 /* NOTREACHED */
7297 return NULL;
7298 }
7299
7300 /*
7301 * generate command for inbound/outbound. It's here so we can
7302 * make it link-type specific. 'dir' = 0 implies "inbound",
7303 * = 1 implies "outbound".
7304 */
7305 struct block *
7306 gen_inbound(dir)
7307 int dir;
7308 {
7309 register struct block *b0;
7310
7311 /*
7312 * Only some data link types support inbound/outbound qualifiers.
7313 */
7314 switch (linktype) {
7315 case DLT_SLIP:
7316 b0 = gen_relation(BPF_JEQ,
7317 gen_load(Q_LINK, gen_loadi(0), 1),
7318 gen_loadi(0),
7319 dir);
7320 break;
7321
7322 case DLT_LINUX_SLL:
7323 if (dir) {
7324 /*
7325 * Match packets sent by this machine.
7326 */
7327 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
7328 } else {
7329 /*
7330 * Match packets sent to this machine.
7331 * (No broadcast or multicast packets, or
7332 * packets sent to some other machine and
7333 * received promiscuously.)
7334 *
7335 * XXX - packets sent to other machines probably
7336 * shouldn't be matched, but what about broadcast
7337 * or multicast packets we received?
7338 */
7339 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
7340 }
7341 break;
7342
7343 #ifdef HAVE_NET_PFVAR_H
7344 case DLT_PFLOG:
7345 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
7346 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7347 break;
7348 #endif
7349
7350 case DLT_PPP_PPPD:
7351 if (dir) {
7352 /* match outgoing packets */
7353 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
7354 } else {
7355 /* match incoming packets */
7356 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
7357 }
7358 break;
7359
7360 case DLT_JUNIPER_MFR:
7361 case DLT_JUNIPER_MLFR:
7362 case DLT_JUNIPER_MLPPP:
7363 case DLT_JUNIPER_ATM1:
7364 case DLT_JUNIPER_ATM2:
7365 case DLT_JUNIPER_PPPOE:
7366 case DLT_JUNIPER_PPPOE_ATM:
7367 case DLT_JUNIPER_GGSN:
7368 case DLT_JUNIPER_ES:
7369 case DLT_JUNIPER_MONITOR:
7370 case DLT_JUNIPER_SERVICES:
7371 case DLT_JUNIPER_ETHER:
7372 case DLT_JUNIPER_PPP:
7373 case DLT_JUNIPER_FRELAY:
7374 case DLT_JUNIPER_CHDLC:
7375 case DLT_JUNIPER_VP:
7376 case DLT_JUNIPER_ST:
7377 case DLT_JUNIPER_ISM:
7378 /* juniper flags (including direction) are stored
7379 * the byte after the 3-byte magic number */
7380 if (dir) {
7381 /* match outgoing packets */
7382 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
7383 } else {
7384 /* match incoming packets */
7385 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
7386 }
7387 break;
7388
7389 default:
7390 bpf_error("inbound/outbound not supported on linktype %d",
7391 linktype);
7392 b0 = NULL;
7393 /* NOTREACHED */
7394 }
7395 return (b0);
7396 }
7397
7398 #ifdef HAVE_NET_PFVAR_H
7399 /* PF firewall log matched interface */
7400 struct block *
7401 gen_pf_ifname(const char *ifname)
7402 {
7403 struct block *b0;
7404 u_int len, off;
7405
7406 if (linktype != DLT_PFLOG) {
7407 bpf_error("ifname supported only on PF linktype");
7408 /* NOTREACHED */
7409 }
7410 len = sizeof(((struct pfloghdr *)0)->ifname);
7411 off = offsetof(struct pfloghdr, ifname);
7412 if (strlen(ifname) >= len) {
7413 bpf_error("ifname interface names can only be %d characters",
7414 len-1);
7415 /* NOTREACHED */
7416 }
7417 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
7418 return (b0);
7419 }
7420
7421 /* PF firewall log ruleset name */
7422 struct block *
7423 gen_pf_ruleset(char *ruleset)
7424 {
7425 struct block *b0;
7426
7427 if (linktype != DLT_PFLOG) {
7428 bpf_error("ruleset supported only on PF linktype");
7429 /* NOTREACHED */
7430 }
7431
7432 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7433 bpf_error("ruleset names can only be %ld characters",
7434 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7435 /* NOTREACHED */
7436 }
7437
7438 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
7439 strlen(ruleset), (const u_char *)ruleset);
7440 return (b0);
7441 }
7442
7443 /* PF firewall log rule number */
7444 struct block *
7445 gen_pf_rnr(int rnr)
7446 {
7447 struct block *b0;
7448
7449 if (linktype != DLT_PFLOG) {
7450 bpf_error("rnr supported only on PF linktype");
7451 /* NOTREACHED */
7452 }
7453
7454 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
7455 (bpf_int32)rnr);
7456 return (b0);
7457 }
7458
7459 /* PF firewall log sub-rule number */
7460 struct block *
7461 gen_pf_srnr(int srnr)
7462 {
7463 struct block *b0;
7464
7465 if (linktype != DLT_PFLOG) {
7466 bpf_error("srnr supported only on PF linktype");
7467 /* NOTREACHED */
7468 }
7469
7470 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
7471 (bpf_int32)srnr);
7472 return (b0);
7473 }
7474
7475 /* PF firewall log reason code */
7476 struct block *
7477 gen_pf_reason(int reason)
7478 {
7479 struct block *b0;
7480
7481 if (linktype != DLT_PFLOG) {
7482 bpf_error("reason supported only on PF linktype");
7483 /* NOTREACHED */
7484 }
7485
7486 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
7487 (bpf_int32)reason);
7488 return (b0);
7489 }
7490
7491 /* PF firewall log action */
7492 struct block *
7493 gen_pf_action(int action)
7494 {
7495 struct block *b0;
7496
7497 if (linktype != DLT_PFLOG) {
7498 bpf_error("action supported only on PF linktype");
7499 /* NOTREACHED */
7500 }
7501
7502 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
7503 (bpf_int32)action);
7504 return (b0);
7505 }
7506 #else /* !HAVE_NET_PFVAR_H */
7507 struct block *
7508 gen_pf_ifname(const char *ifname)
7509 {
7510 bpf_error("libpcap was compiled without pf support");
7511 /* NOTREACHED */
7512 return (NULL);
7513 }
7514
7515 struct block *
7516 gen_pf_ruleset(char *ruleset)
7517 {
7518 bpf_error("libpcap was compiled on a machine without pf support");
7519 /* NOTREACHED */
7520 return (NULL);
7521 }
7522
7523 struct block *
7524 gen_pf_rnr(int rnr)
7525 {
7526 bpf_error("libpcap was compiled on a machine without pf support");
7527 /* NOTREACHED */
7528 return (NULL);
7529 }
7530
7531 struct block *
7532 gen_pf_srnr(int srnr)
7533 {
7534 bpf_error("libpcap was compiled on a machine without pf support");
7535 /* NOTREACHED */
7536 return (NULL);
7537 }
7538
7539 struct block *
7540 gen_pf_reason(int reason)
7541 {
7542 bpf_error("libpcap was compiled on a machine without pf support");
7543 /* NOTREACHED */
7544 return (NULL);
7545 }
7546
7547 struct block *
7548 gen_pf_action(int action)
7549 {
7550 bpf_error("libpcap was compiled on a machine without pf support");
7551 /* NOTREACHED */
7552 return (NULL);
7553 }
7554 #endif /* HAVE_NET_PFVAR_H */
7555
7556 /* IEEE 802.11 wireless header */
7557 struct block *
7558 gen_p80211_type(int type, int mask)
7559 {
7560 struct block *b0;
7561
7562 switch (linktype) {
7563
7564 case DLT_IEEE802_11:
7565 case DLT_PRISM_HEADER:
7566 case DLT_IEEE802_11_RADIO_AVS:
7567 case DLT_IEEE802_11_RADIO:
7568 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
7569 (bpf_int32)mask);
7570 break;
7571
7572 default:
7573 bpf_error("802.11 link-layer types supported only on 802.11");
7574 /* NOTREACHED */
7575 }
7576
7577 return (b0);
7578 }
7579
7580 struct block *
7581 gen_p80211_fcdir(int fcdir)
7582 {
7583 struct block *b0;
7584
7585 switch (linktype) {
7586
7587 case DLT_IEEE802_11:
7588 case DLT_PRISM_HEADER:
7589 case DLT_IEEE802_11_RADIO_AVS:
7590 case DLT_IEEE802_11_RADIO:
7591 break;
7592
7593 default:
7594 bpf_error("frame direction supported only with 802.11 headers");
7595 /* NOTREACHED */
7596 }
7597
7598 b0 = gen_mcmp(OR_LINK, 1, BPF_B, (bpf_int32)fcdir,
7599 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7600
7601 return (b0);
7602 }
7603
7604 struct block *
7605 gen_acode(eaddr, q)
7606 register const u_char *eaddr;
7607 struct qual q;
7608 {
7609 switch (linktype) {
7610
7611 case DLT_ARCNET:
7612 case DLT_ARCNET_LINUX:
7613 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7614 q.proto == Q_LINK)
7615 return (gen_ahostop(eaddr, (int)q.dir));
7616 else {
7617 bpf_error("ARCnet address used in non-arc expression");
7618 /* NOTREACHED */
7619 }
7620 break;
7621
7622 default:
7623 bpf_error("aid supported only on ARCnet");
7624 /* NOTREACHED */
7625 }
7626 bpf_error("ARCnet address used in non-arc expression");
7627 /* NOTREACHED */
7628 return NULL;
7629 }
7630
7631 static struct block *
7632 gen_ahostop(eaddr, dir)
7633 register const u_char *eaddr;
7634 register int dir;
7635 {
7636 register struct block *b0, *b1;
7637
7638 switch (dir) {
7639 /* src comes first, different from Ethernet */
7640 case Q_SRC:
7641 return gen_bcmp(OR_LINK, 0, 1, eaddr);
7642
7643 case Q_DST:
7644 return gen_bcmp(OR_LINK, 1, 1, eaddr);
7645
7646 case Q_AND:
7647 b0 = gen_ahostop(eaddr, Q_SRC);
7648 b1 = gen_ahostop(eaddr, Q_DST);
7649 gen_and(b0, b1);
7650 return b1;
7651
7652 case Q_DEFAULT:
7653 case Q_OR:
7654 b0 = gen_ahostop(eaddr, Q_SRC);
7655 b1 = gen_ahostop(eaddr, Q_DST);
7656 gen_or(b0, b1);
7657 return b1;
7658 }
7659 abort();
7660 /* NOTREACHED */
7661 }
7662
7663 /*
7664 * support IEEE 802.1Q VLAN trunk over ethernet
7665 */
7666 struct block *
7667 gen_vlan(vlan_num)
7668 int vlan_num;
7669 {
7670 struct block *b0, *b1;
7671
7672 /* can't check for VLAN-encapsulated packets inside MPLS */
7673 if (label_stack_depth > 0)
7674 bpf_error("no VLAN match after MPLS");
7675
7676 /*
7677 * Check for a VLAN packet, and then change the offsets to point
7678 * to the type and data fields within the VLAN packet. Just
7679 * increment the offsets, so that we can support a hierarchy, e.g.
7680 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
7681 * VLAN 100.
7682 *
7683 * XXX - this is a bit of a kludge. If we were to split the
7684 * compiler into a parser that parses an expression and
7685 * generates an expression tree, and a code generator that
7686 * takes an expression tree (which could come from our
7687 * parser or from some other parser) and generates BPF code,
7688 * we could perhaps make the offsets parameters of routines
7689 * and, in the handler for an "AND" node, pass to subnodes
7690 * other than the VLAN node the adjusted offsets.
7691 *
7692 * This would mean that "vlan" would, instead of changing the
7693 * behavior of *all* tests after it, change only the behavior
7694 * of tests ANDed with it. That would change the documented
7695 * semantics of "vlan", which might break some expressions.
7696 * However, it would mean that "(vlan and ip) or ip" would check
7697 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7698 * checking only for VLAN-encapsulated IP, so that could still
7699 * be considered worth doing; it wouldn't break expressions
7700 * that are of the form "vlan and ..." or "vlan N and ...",
7701 * which I suspect are the most common expressions involving
7702 * "vlan". "vlan or ..." doesn't necessarily do what the user
7703 * would really want, now, as all the "or ..." tests would
7704 * be done assuming a VLAN, even though the "or" could be viewed
7705 * as meaning "or, if this isn't a VLAN packet...".
7706 */
7707 orig_nl = off_nl;
7708
7709 switch (linktype) {
7710
7711 case DLT_EN10MB:
7712 /* check for VLAN */
7713 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
7714 (bpf_int32)ETHERTYPE_8021Q);
7715
7716 /* If a specific VLAN is requested, check VLAN id */
7717 if (vlan_num >= 0) {
7718 b1 = gen_mcmp(OR_MACPL, 0, BPF_H,
7719 (bpf_int32)vlan_num, 0x0fff);
7720 gen_and(b0, b1);
7721 b0 = b1;
7722 }
7723
7724 off_macpl += 4;
7725 off_linktype += 4;
7726 #if 0
7727 off_nl_nosnap += 4;
7728 off_nl += 4;
7729 #endif
7730 break;
7731
7732 default:
7733 bpf_error("no VLAN support for data link type %d",
7734 linktype);
7735 /*NOTREACHED*/
7736 }
7737
7738 return (b0);
7739 }
7740
7741 /*
7742 * support for MPLS
7743 */
7744 struct block *
7745 gen_mpls(label_num)
7746 int label_num;
7747 {
7748 struct block *b0,*b1;
7749
7750 /*
7751 * Change the offsets to point to the type and data fields within
7752 * the MPLS packet. Just increment the offsets, so that we
7753 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
7754 * capture packets with an outer label of 100000 and an inner
7755 * label of 1024.
7756 *
7757 * XXX - this is a bit of a kludge. See comments in gen_vlan().
7758 */
7759 orig_nl = off_nl;
7760
7761 if (label_stack_depth > 0) {
7762 /* just match the bottom-of-stack bit clear */
7763 b0 = gen_mcmp(OR_MACPL, orig_nl-2, BPF_B, 0, 0x01);
7764 } else {
7765 /*
7766 * Indicate that we're checking MPLS-encapsulated headers,
7767 * to make sure higher level code generators don't try to
7768 * match against IP-related protocols such as Q_ARP, Q_RARP
7769 * etc.
7770 */
7771 switch (linktype) {
7772
7773 case DLT_C_HDLC: /* fall through */
7774 case DLT_EN10MB:
7775 b0 = gen_linktype(ETHERTYPE_MPLS);
7776 break;
7777
7778 case DLT_PPP:
7779 b0 = gen_linktype(PPP_MPLS_UCAST);
7780 break;
7781
7782 /* FIXME add other DLT_s ...
7783 * for Frame-Relay/and ATM this may get messy due to SNAP headers
7784 * leave it for now */
7785
7786 default:
7787 bpf_error("no MPLS support for data link type %d",
7788 linktype);
7789 b0 = NULL;
7790 /*NOTREACHED*/
7791 break;
7792 }
7793 }
7794
7795 /* If a specific MPLS label is requested, check it */
7796 if (label_num >= 0) {
7797 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
7798 b1 = gen_mcmp(OR_MACPL, orig_nl, BPF_W, (bpf_int32)label_num,
7799 0xfffff000); /* only compare the first 20 bits */
7800 gen_and(b0, b1);
7801 b0 = b1;
7802 }
7803
7804 off_nl_nosnap += 4;
7805 off_nl += 4;
7806 label_stack_depth++;
7807 return (b0);
7808 }
7809
7810 /*
7811 * Support PPPOE discovery and session.
7812 */
7813 struct block *
7814 gen_pppoed()
7815 {
7816 /* check for PPPoE discovery */
7817 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
7818 }
7819
7820 struct block *
7821 gen_pppoes()
7822 {
7823 struct block *b0;
7824
7825 /*
7826 * Test against the PPPoE session link-layer type.
7827 */
7828 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
7829
7830 /*
7831 * Change the offsets to point to the type and data fields within
7832 * the PPP packet, and note that this is PPPoE rather than
7833 * raw PPP.
7834 *
7835 * XXX - this is a bit of a kludge. If we were to split the
7836 * compiler into a parser that parses an expression and
7837 * generates an expression tree, and a code generator that
7838 * takes an expression tree (which could come from our
7839 * parser or from some other parser) and generates BPF code,
7840 * we could perhaps make the offsets parameters of routines
7841 * and, in the handler for an "AND" node, pass to subnodes
7842 * other than the PPPoE node the adjusted offsets.
7843 *
7844 * This would mean that "pppoes" would, instead of changing the
7845 * behavior of *all* tests after it, change only the behavior
7846 * of tests ANDed with it. That would change the documented
7847 * semantics of "pppoes", which might break some expressions.
7848 * However, it would mean that "(pppoes and ip) or ip" would check
7849 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
7850 * checking only for VLAN-encapsulated IP, so that could still
7851 * be considered worth doing; it wouldn't break expressions
7852 * that are of the form "pppoes and ..." which I suspect are the
7853 * most common expressions involving "pppoes". "pppoes or ..."
7854 * doesn't necessarily do what the user would really want, now,
7855 * as all the "or ..." tests would be done assuming PPPoE, even
7856 * though the "or" could be viewed as meaning "or, if this isn't
7857 * a PPPoE packet...".
7858 */
7859 orig_linktype = off_linktype; /* save original values */
7860 orig_nl = off_nl;
7861 is_pppoes = 1;
7862
7863 /*
7864 * The "network-layer" protocol is PPPoE, which has a 6-byte
7865 * PPPoE header, followed by a PPP packet.
7866 *
7867 * There is no HDLC encapsulation for the PPP packet (it's
7868 * encapsulated in PPPoES instead), so the link-layer type
7869 * starts at the first byte of the PPP packet. For PPPoE,
7870 * that offset is relative to the beginning of the total
7871 * link-layer payload, including any 802.2 LLC header, so
7872 * it's 6 bytes past off_nl.
7873 */
7874 off_linktype = off_nl + 6;
7875
7876 /*
7877 * The network-layer offsets are relative to the beginning
7878 * of the MAC-layer payload; that's past the 6-byte
7879 * PPPoE header and the 2-byte PPP header.
7880 */
7881 off_nl = 6+2;
7882 off_nl_nosnap = 6+2;
7883
7884 return b0;
7885 }
7886
7887 struct block *
7888 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
7889 int atmfield;
7890 bpf_int32 jvalue;
7891 bpf_u_int32 jtype;
7892 int reverse;
7893 {
7894 struct block *b0;
7895
7896 switch (atmfield) {
7897
7898 case A_VPI:
7899 if (!is_atm)
7900 bpf_error("'vpi' supported only on raw ATM");
7901 if (off_vpi == (u_int)-1)
7902 abort();
7903 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
7904 reverse, jvalue);
7905 break;
7906
7907 case A_VCI:
7908 if (!is_atm)
7909 bpf_error("'vci' supported only on raw ATM");
7910 if (off_vci == (u_int)-1)
7911 abort();
7912 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
7913 reverse, jvalue);
7914 break;
7915
7916 case A_PROTOTYPE:
7917 if (off_proto == (u_int)-1)
7918 abort(); /* XXX - this isn't on FreeBSD */
7919 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
7920 reverse, jvalue);
7921 break;
7922
7923 case A_MSGTYPE:
7924 if (off_payload == (u_int)-1)
7925 abort();
7926 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
7927 0xffffffff, jtype, reverse, jvalue);
7928 break;
7929
7930 case A_CALLREFTYPE:
7931 if (!is_atm)
7932 bpf_error("'callref' supported only on raw ATM");
7933 if (off_proto == (u_int)-1)
7934 abort();
7935 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
7936 jtype, reverse, jvalue);
7937 break;
7938
7939 default:
7940 abort();
7941 }
7942 return b0;
7943 }
7944
7945 struct block *
7946 gen_atmtype_abbrev(type)
7947 int type;
7948 {
7949 struct block *b0, *b1;
7950
7951 switch (type) {
7952
7953 case A_METAC:
7954 /* Get all packets in Meta signalling Circuit */
7955 if (!is_atm)
7956 bpf_error("'metac' supported only on raw ATM");
7957 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7958 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
7959 gen_and(b0, b1);
7960 break;
7961
7962 case A_BCC:
7963 /* Get all packets in Broadcast Circuit*/
7964 if (!is_atm)
7965 bpf_error("'bcc' supported only on raw ATM");
7966 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7967 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
7968 gen_and(b0, b1);
7969 break;
7970
7971 case A_OAMF4SC:
7972 /* Get all cells in Segment OAM F4 circuit*/
7973 if (!is_atm)
7974 bpf_error("'oam4sc' supported only on raw ATM");
7975 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7976 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
7977 gen_and(b0, b1);
7978 break;
7979
7980 case A_OAMF4EC:
7981 /* Get all cells in End-to-End OAM F4 Circuit*/
7982 if (!is_atm)
7983 bpf_error("'oam4ec' supported only on raw ATM");
7984 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7985 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
7986 gen_and(b0, b1);
7987 break;
7988
7989 case A_SC:
7990 /* Get all packets in connection Signalling Circuit */
7991 if (!is_atm)
7992 bpf_error("'sc' supported only on raw ATM");
7993 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7994 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
7995 gen_and(b0, b1);
7996 break;
7997
7998 case A_ILMIC:
7999 /* Get all packets in ILMI Circuit */
8000 if (!is_atm)
8001 bpf_error("'ilmic' supported only on raw ATM");
8002 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8003 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8004 gen_and(b0, b1);
8005 break;
8006
8007 case A_LANE:
8008 /* Get all LANE packets */
8009 if (!is_atm)
8010 bpf_error("'lane' supported only on raw ATM");
8011 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8012
8013 /*
8014 * Arrange that all subsequent tests assume LANE
8015 * rather than LLC-encapsulated packets, and set
8016 * the offsets appropriately for LANE-encapsulated
8017 * Ethernet.
8018 *
8019 * "off_mac" is the offset of the Ethernet header,
8020 * which is 2 bytes past the ATM pseudo-header
8021 * (skipping the pseudo-header and 2-byte LE Client
8022 * field). The other offsets are Ethernet offsets
8023 * relative to "off_mac".
8024 */
8025 is_lane = 1;
8026 off_mac = off_payload + 2; /* MAC header */
8027 off_linktype = off_mac + 12;
8028 off_macpl = off_mac + 14; /* Ethernet */
8029 off_nl = 0; /* Ethernet II */
8030 off_nl_nosnap = 3; /* 802.3+802.2 */
8031 break;
8032
8033 case A_LLC:
8034 /* Get all LLC-encapsulated packets */
8035 if (!is_atm)
8036 bpf_error("'llc' supported only on raw ATM");
8037 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8038 is_lane = 0;
8039 break;
8040
8041 default:
8042 abort();
8043 }
8044 return b1;
8045 }
8046
8047 /*
8048 * Filtering for MTP2 messages based on li value
8049 * FISU, length is null
8050 * LSSU, length is 1 or 2
8051 * MSU, length is 3 or more
8052 */
8053 struct block *
8054 gen_mtp2type_abbrev(type)
8055 int type;
8056 {
8057 struct block *b0, *b1;
8058
8059 switch (type) {
8060
8061 case M_FISU:
8062 if ( (linktype != DLT_MTP2) &&
8063 (linktype != DLT_ERF) &&
8064 (linktype != DLT_MTP2_WITH_PHDR) )
8065 bpf_error("'fisu' supported only on MTP2");
8066 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8067 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8068 break;
8069
8070 case M_LSSU:
8071 if ( (linktype != DLT_MTP2) &&
8072 (linktype != DLT_ERF) &&
8073 (linktype != DLT_MTP2_WITH_PHDR) )
8074 bpf_error("'lssu' supported only on MTP2");
8075 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8076 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8077 gen_and(b1, b0);
8078 break;
8079
8080 case M_MSU:
8081 if ( (linktype != DLT_MTP2) &&
8082 (linktype != DLT_ERF) &&
8083 (linktype != DLT_MTP2_WITH_PHDR) )
8084 bpf_error("'msu' supported only on MTP2");
8085 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8086 break;
8087
8088 default:
8089 abort();
8090 }
8091 return b0;
8092 }
8093
8094 struct block *
8095 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8096 int mtp3field;
8097 bpf_u_int32 jvalue;
8098 bpf_u_int32 jtype;
8099 int reverse;
8100 {
8101 struct block *b0;
8102 bpf_u_int32 val1 , val2 , val3;
8103
8104 switch (mtp3field) {
8105
8106 case M_SIO:
8107 if (off_sio == (u_int)-1)
8108 bpf_error("'sio' supported only on SS7");
8109 /* sio coded on 1 byte so max value 255 */
8110 if(jvalue > 255)
8111 bpf_error("sio value %u too big; max value = 255",
8112 jvalue);
8113 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
8114 (u_int)jtype, reverse, (u_int)jvalue);
8115 break;
8116
8117 case M_OPC:
8118 if (off_opc == (u_int)-1)
8119 bpf_error("'opc' supported only on SS7");
8120 /* opc coded on 14 bits so max value 16383 */
8121 if (jvalue > 16383)
8122 bpf_error("opc value %u too big; max value = 16383",
8123 jvalue);
8124 /* the following instructions are made to convert jvalue
8125 * to the form used to write opc in an ss7 message*/
8126 val1 = jvalue & 0x00003c00;
8127 val1 = val1 >>10;
8128 val2 = jvalue & 0x000003fc;
8129 val2 = val2 <<6;
8130 val3 = jvalue & 0x00000003;
8131 val3 = val3 <<22;
8132 jvalue = val1 + val2 + val3;
8133 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
8134 (u_int)jtype, reverse, (u_int)jvalue);
8135 break;
8136
8137 case M_DPC:
8138 if (off_dpc == (u_int)-1)
8139 bpf_error("'dpc' supported only on SS7");
8140 /* dpc coded on 14 bits so max value 16383 */
8141 if (jvalue > 16383)
8142 bpf_error("dpc value %u too big; max value = 16383",
8143 jvalue);
8144 /* the following instructions are made to convert jvalue
8145 * to the forme used to write dpc in an ss7 message*/
8146 val1 = jvalue & 0x000000ff;
8147 val1 = val1 << 24;
8148 val2 = jvalue & 0x00003f00;
8149 val2 = val2 << 8;
8150 jvalue = val1 + val2;
8151 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
8152 (u_int)jtype, reverse, (u_int)jvalue);
8153 break;
8154
8155 case M_SLS:
8156 if (off_sls == (u_int)-1)
8157 bpf_error("'sls' supported only on SS7");
8158 /* sls coded on 4 bits so max value 15 */
8159 if (jvalue > 15)
8160 bpf_error("sls value %u too big; max value = 15",
8161 jvalue);
8162 /* the following instruction is made to convert jvalue
8163 * to the forme used to write sls in an ss7 message*/
8164 jvalue = jvalue << 4;
8165 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
8166 (u_int)jtype,reverse, (u_int)jvalue);
8167 break;
8168
8169 default:
8170 abort();
8171 }
8172 return b0;
8173 }
8174
8175 static struct block *
8176 gen_msg_abbrev(type)
8177 int type;
8178 {
8179 struct block *b1;
8180
8181 /*
8182 * Q.2931 signalling protocol messages for handling virtual circuits
8183 * establishment and teardown
8184 */
8185 switch (type) {
8186
8187 case A_SETUP:
8188 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8189 break;
8190
8191 case A_CALLPROCEED:
8192 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8193 break;
8194
8195 case A_CONNECT:
8196 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8197 break;
8198
8199 case A_CONNECTACK:
8200 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8201 break;
8202
8203 case A_RELEASE:
8204 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8205 break;
8206
8207 case A_RELEASE_DONE:
8208 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8209 break;
8210
8211 default:
8212 abort();
8213 }
8214 return b1;
8215 }
8216
8217 struct block *
8218 gen_atmmulti_abbrev(type)
8219 int type;
8220 {
8221 struct block *b0, *b1;
8222
8223 switch (type) {
8224
8225 case A_OAM:
8226 if (!is_atm)
8227 bpf_error("'oam' supported only on raw ATM");
8228 b1 = gen_atmmulti_abbrev(A_OAMF4);
8229 break;
8230
8231 case A_OAMF4:
8232 if (!is_atm)
8233 bpf_error("'oamf4' supported only on raw ATM");
8234 /* OAM F4 type */
8235 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8236 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8237 gen_or(b0, b1);
8238 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8239 gen_and(b0, b1);
8240 break;
8241
8242 case A_CONNECTMSG:
8243 /*
8244 * Get Q.2931 signalling messages for switched
8245 * virtual connection
8246 */
8247 if (!is_atm)
8248 bpf_error("'connectmsg' supported only on raw ATM");
8249 b0 = gen_msg_abbrev(A_SETUP);
8250 b1 = gen_msg_abbrev(A_CALLPROCEED);
8251 gen_or(b0, b1);
8252 b0 = gen_msg_abbrev(A_CONNECT);
8253 gen_or(b0, b1);
8254 b0 = gen_msg_abbrev(A_CONNECTACK);
8255 gen_or(b0, b1);
8256 b0 = gen_msg_abbrev(A_RELEASE);
8257 gen_or(b0, b1);
8258 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8259 gen_or(b0, b1);
8260 b0 = gen_atmtype_abbrev(A_SC);
8261 gen_and(b0, b1);
8262 break;
8263
8264 case A_METACONNECT:
8265 if (!is_atm)
8266 bpf_error("'metaconnect' supported only on raw ATM");
8267 b0 = gen_msg_abbrev(A_SETUP);
8268 b1 = gen_msg_abbrev(A_CALLPROCEED);
8269 gen_or(b0, b1);
8270 b0 = gen_msg_abbrev(A_CONNECT);
8271 gen_or(b0, b1);
8272 b0 = gen_msg_abbrev(A_RELEASE);
8273 gen_or(b0, b1);
8274 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8275 gen_or(b0, b1);
8276 b0 = gen_atmtype_abbrev(A_METAC);
8277 gen_and(b0, b1);
8278 break;
8279
8280 default:
8281 abort();
8282 }
8283 return b1;
8284 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism