]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob


37246e46e46611b50f0f74cc3030681bbf348ee9
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22 #ifndef lint
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.21 2005-05-28 00:30:21 guy Exp $ (LBL)";
25 #endif
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #ifdef WIN32
32 #include <pcap-stdinc.h>
33 #else /* WIN32 */
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #endif /* WIN32 */
37
38 /*
39 * XXX - why was this included even on UNIX?
40 */
41 #ifdef __MINGW32__
42 #include "IP6_misc.h"
43 #endif
44
45 #ifndef WIN32
46
47 #ifdef __NetBSD__
48 #include <sys/param.h>
49 #endif
50
51 #include <netinet/in.h>
52
53 #endif /* WIN32 */
54
55 #include <stdlib.h>
56 #include <string.h>
57 #include <memory.h>
58 #include <setjmp.h>
59 #include <stdarg.h>
60
61 #ifdef MSDOS
62 #include "pcap-dos.h"
63 #endif
64
65 #include "pcap-int.h"
66
67 #include "ethertype.h"
68 #include "nlpid.h"
69 #include "llc.h"
70 #include "gencode.h"
71 #include "atmuni31.h"
72 #include "sunatmpos.h"
73 #include "ppp.h"
74 #include "sll.h"
75 #include "arcnet.h"
76 #include "pf.h"
77 #ifndef offsetof
78 #define offsetof(s, e) ((size_t)&((s *)0)->e)
79 #endif
80 #ifdef INET6
81 #ifndef WIN32
82 #include <netdb.h> /* for "struct addrinfo" */
83 #endif /* WIN32 */
84 #endif /*INET6*/
85 #include <pcap-namedb.h>
86
87 #define ETHERMTU 1500
88
89 #ifndef IPPROTO_SCTP
90 #define IPPROTO_SCTP 132
91 #endif
92
93 #ifdef HAVE_OS_PROTO_H
94 #include "os-proto.h"
95 #endif
96
97 #define JMP(c) ((c)|BPF_JMP|BPF_K)
98
99 /* Locals */
100 static jmp_buf top_ctx;
101 static pcap_t *bpf_pcap;
102
103 /* Hack for updating VLAN, MPLS offsets. */
104 static u_int orig_linktype = -1U, orig_nl = -1U;
105
106 /* XXX */
107 #ifdef PCAP_FDDIPAD
108 static int pcap_fddipad;
109 #endif
110
111 /* VARARGS */
112 void
113 bpf_error(const char *fmt, ...)
114 {
115 va_list ap;
116
117 va_start(ap, fmt);
118 if (bpf_pcap != NULL)
119 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
120 fmt, ap);
121 va_end(ap);
122 longjmp(top_ctx, 1);
123 /* NOTREACHED */
124 }
125
126 static void init_linktype(pcap_t *);
127
128 static int alloc_reg(void);
129 static void free_reg(int);
130
131 static struct block *root;
132
133 /*
134 * Value passed to gen_load_a() to indicate what the offset argument
135 * is relative to.
136 */
137 enum e_offrel {
138 OR_PACKET, /* relative to the beginning of the packet */
139 OR_LINK, /* relative to the link-layer header */
140 OR_NET, /* relative to the network-layer header */
141 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
142 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
143 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
144 };
145
146 /*
147 * We divy out chunks of memory rather than call malloc each time so
148 * we don't have to worry about leaking memory. It's probably
149 * not a big deal if all this memory was wasted but if this ever
150 * goes into a library that would probably not be a good idea.
151 *
152 * XXX - this *is* in a library....
153 */
154 #define NCHUNKS 16
155 #define CHUNK0SIZE 1024
156 struct chunk {
157 u_int n_left;
158 void *m;
159 };
160
161 static struct chunk chunks[NCHUNKS];
162 static int cur_chunk;
163
164 static void *newchunk(u_int);
165 static void freechunks(void);
166 static inline struct block *new_block(int);
167 static inline struct slist *new_stmt(int);
168 static struct block *gen_retblk(int);
169 static inline void syntax(void);
170
171 static void backpatch(struct block *, struct block *);
172 static void merge(struct block *, struct block *);
173 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
174 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
175 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
176 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
177 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
178 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
179 bpf_u_int32);
180 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
181 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
182 bpf_u_int32, bpf_u_int32, int, bpf_int32);
183 static struct slist *gen_load_llrel(u_int, u_int);
184 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
185 static struct slist *gen_loadx_iphdrlen(void);
186 static struct block *gen_uncond(int);
187 static inline struct block *gen_true(void);
188 static inline struct block *gen_false(void);
189 static struct block *gen_ether_linktype(int);
190 static struct block *gen_linux_sll_linktype(int);
191 static void insert_radiotap_load_llprefixlen(struct block *);
192 static void insert_load_llprefixlen(struct block *);
193 static struct slist *gen_llprefixlen(void);
194 static struct block *gen_linktype(int);
195 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
196 static struct block *gen_llc_linktype(int);
197 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
198 #ifdef INET6
199 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
200 #endif
201 static struct block *gen_ahostop(const u_char *, int);
202 static struct block *gen_ehostop(const u_char *, int);
203 static struct block *gen_fhostop(const u_char *, int);
204 static struct block *gen_thostop(const u_char *, int);
205 static struct block *gen_wlanhostop(const u_char *, int);
206 static struct block *gen_ipfchostop(const u_char *, int);
207 static struct block *gen_dnhostop(bpf_u_int32, int);
208 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
209 #ifdef INET6
210 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
211 #endif
212 #ifndef INET6
213 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
214 #endif
215 static struct block *gen_ipfrag(void);
216 static struct block *gen_portatom(int, bpf_int32);
217 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
218 #ifdef INET6
219 static struct block *gen_portatom6(int, bpf_int32);
220 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
221 #endif
222 struct block *gen_portop(int, int, int);
223 static struct block *gen_port(int, int, int);
224 struct block *gen_portrangeop(int, int, int, int);
225 static struct block *gen_portrange(int, int, int, int);
226 #ifdef INET6
227 struct block *gen_portop6(int, int, int);
228 static struct block *gen_port6(int, int, int);
229 struct block *gen_portrangeop6(int, int, int, int);
230 static struct block *gen_portrange6(int, int, int, int);
231 #endif
232 static int lookup_proto(const char *, int);
233 static struct block *gen_protochain(int, int, int);
234 static struct block *gen_proto(int, int, int);
235 static struct slist *xfer_to_x(struct arth *);
236 static struct slist *xfer_to_a(struct arth *);
237 static struct block *gen_mac_multicast(int);
238 static struct block *gen_len(int, int);
239
240 static struct block *gen_msg_abbrev(int type);
241
242 static void *
243 newchunk(n)
244 u_int n;
245 {
246 struct chunk *cp;
247 int k;
248 size_t size;
249
250 #ifndef __NetBSD__
251 /* XXX Round up to nearest long. */
252 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
253 #else
254 /* XXX Round up to structure boundary. */
255 n = ALIGN(n);
256 #endif
257
258 cp = &chunks[cur_chunk];
259 if (n > cp->n_left) {
260 ++cp, k = ++cur_chunk;
261 if (k >= NCHUNKS)
262 bpf_error("out of memory");
263 size = CHUNK0SIZE << k;
264 cp->m = (void *)malloc(size);
265 if (cp->m == NULL)
266 bpf_error("out of memory");
267 memset((char *)cp->m, 0, size);
268 cp->n_left = size;
269 if (n > size)
270 bpf_error("out of memory");
271 }
272 cp->n_left -= n;
273 return (void *)((char *)cp->m + cp->n_left);
274 }
275
276 static void
277 freechunks()
278 {
279 int i;
280
281 cur_chunk = 0;
282 for (i = 0; i < NCHUNKS; ++i)
283 if (chunks[i].m != NULL) {
284 free(chunks[i].m);
285 chunks[i].m = NULL;
286 }
287 }
288
289 /*
290 * A strdup whose allocations are freed after code generation is over.
291 */
292 char *
293 sdup(s)
294 register const char *s;
295 {
296 int n = strlen(s) + 1;
297 char *cp = newchunk(n);
298
299 strlcpy(cp, s, n);
300 return (cp);
301 }
302
303 static inline struct block *
304 new_block(code)
305 int code;
306 {
307 struct block *p;
308
309 p = (struct block *)newchunk(sizeof(*p));
310 p->s.code = code;
311 p->head = p;
312
313 return p;
314 }
315
316 static inline struct slist *
317 new_stmt(code)
318 int code;
319 {
320 struct slist *p;
321
322 p = (struct slist *)newchunk(sizeof(*p));
323 p->s.code = code;
324
325 return p;
326 }
327
328 static struct block *
329 gen_retblk(v)
330 int v;
331 {
332 struct block *b = new_block(BPF_RET|BPF_K);
333
334 b->s.k = v;
335 return b;
336 }
337
338 static inline void
339 syntax()
340 {
341 bpf_error("syntax error in filter expression");
342 }
343
344 static bpf_u_int32 netmask;
345 static int snaplen;
346 int no_optimize;
347
348 int
349 pcap_compile(pcap_t *p, struct bpf_program *program,
350 char *buf, int optimize, bpf_u_int32 mask)
351 {
352 extern int n_errors;
353 int len;
354
355 no_optimize = 0;
356 n_errors = 0;
357 root = NULL;
358 bpf_pcap = p;
359 if (setjmp(top_ctx)) {
360 lex_cleanup();
361 freechunks();
362 return (-1);
363 }
364
365 netmask = mask;
366
367 snaplen = pcap_snapshot(p);
368 if (snaplen == 0) {
369 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
370 "snaplen of 0 rejects all packets");
371 return -1;
372 }
373
374 lex_init(buf ? buf : "");
375 init_linktype(p);
376 (void)pcap_parse();
377
378 if (n_errors)
379 syntax();
380
381 if (root == NULL)
382 root = gen_retblk(snaplen);
383
384 if (optimize && !no_optimize) {
385 bpf_optimize(&root);
386 if (root == NULL ||
387 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
388 bpf_error("expression rejects all packets");
389 }
390 program->bf_insns = icode_to_fcode(root, &len);
391 program->bf_len = len;
392
393 lex_cleanup();
394 freechunks();
395 return (0);
396 }
397
398 /*
399 * entry point for using the compiler with no pcap open
400 * pass in all the stuff that is needed explicitly instead.
401 */
402 int
403 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
404 struct bpf_program *program,
405 char *buf, int optimize, bpf_u_int32 mask)
406 {
407 pcap_t *p;
408 int ret;
409
410 p = pcap_open_dead(linktype_arg, snaplen_arg);
411 if (p == NULL)
412 return (-1);
413 ret = pcap_compile(p, program, buf, optimize, mask);
414 pcap_close(p);
415 return (ret);
416 }
417
418 /*
419 * Clean up a "struct bpf_program" by freeing all the memory allocated
420 * in it.
421 */
422 void
423 pcap_freecode(struct bpf_program *program)
424 {
425 program->bf_len = 0;
426 if (program->bf_insns != NULL) {
427 free((char *)program->bf_insns);
428 program->bf_insns = NULL;
429 }
430 }
431
432 /*
433 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
434 * which of the jt and jf fields has been resolved and which is a pointer
435 * back to another unresolved block (or nil). At least one of the fields
436 * in each block is already resolved.
437 */
438 static void
439 backpatch(list, target)
440 struct block *list, *target;
441 {
442 struct block *next;
443
444 while (list) {
445 if (!list->sense) {
446 next = JT(list);
447 JT(list) = target;
448 } else {
449 next = JF(list);
450 JF(list) = target;
451 }
452 list = next;
453 }
454 }
455
456 /*
457 * Merge the lists in b0 and b1, using the 'sense' field to indicate
458 * which of jt and jf is the link.
459 */
460 static void
461 merge(b0, b1)
462 struct block *b0, *b1;
463 {
464 register struct block **p = &b0;
465
466 /* Find end of list. */
467 while (*p)
468 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
469
470 /* Concatenate the lists. */
471 *p = b1;
472 }
473
474 void
475 finish_parse(p)
476 struct block *p;
477 {
478 backpatch(p, gen_retblk(snaplen));
479 p->sense = !p->sense;
480 backpatch(p, gen_retblk(0));
481 root = p->head;
482
483 /*
484 * Insert before the statements of the first (root) block any
485 * statements needed to load the lengths of any variable-length
486 * headers into registers.
487 *
488 * XXX - a fancier strategy would be to insert those before the
489 * statements of all blocks that use those lengths and that
490 * have no predecessors that use them, so that we only compute
491 * the lengths if we need them. There might be even better
492 * approaches than that. However, as we're currently only
493 * handling variable-length radiotap headers, and as all
494 * filtering expressions other than raw link[M:N] tests
495 * require the length of that header, doing more for that
496 * header length isn't really worth the effort.
497 */
498 insert_load_llprefixlen(root);
499 }
500
501 void
502 gen_and(b0, b1)
503 struct block *b0, *b1;
504 {
505 backpatch(b0, b1->head);
506 b0->sense = !b0->sense;
507 b1->sense = !b1->sense;
508 merge(b1, b0);
509 b1->sense = !b1->sense;
510 b1->head = b0->head;
511 }
512
513 void
514 gen_or(b0, b1)
515 struct block *b0, *b1;
516 {
517 b0->sense = !b0->sense;
518 backpatch(b0, b1->head);
519 b0->sense = !b0->sense;
520 merge(b1, b0);
521 b1->head = b0->head;
522 }
523
524 void
525 gen_not(b)
526 struct block *b;
527 {
528 b->sense = !b->sense;
529 }
530
531 static struct block *
532 gen_cmp(offrel, offset, size, v)
533 enum e_offrel offrel;
534 u_int offset, size;
535 bpf_int32 v;
536 {
537 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
538 }
539
540 static struct block *
541 gen_cmp_gt(offrel, offset, size, v)
542 enum e_offrel offrel;
543 u_int offset, size;
544 bpf_int32 v;
545 {
546 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
547 }
548
549 static struct block *
550 gen_cmp_ge(offrel, offset, size, v)
551 enum e_offrel offrel;
552 u_int offset, size;
553 bpf_int32 v;
554 {
555 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
556 }
557
558 static struct block *
559 gen_cmp_lt(offrel, offset, size, v)
560 enum e_offrel offrel;
561 u_int offset, size;
562 bpf_int32 v;
563 {
564 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
565 }
566
567 static struct block *
568 gen_cmp_le(offrel, offset, size, v)
569 enum e_offrel offrel;
570 u_int offset, size;
571 bpf_int32 v;
572 {
573 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
574 }
575
576 static struct block *
577 gen_mcmp(offrel, offset, size, v, mask)
578 enum e_offrel offrel;
579 u_int offset, size;
580 bpf_int32 v;
581 bpf_u_int32 mask;
582 {
583 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
584 }
585
586 static struct block *
587 gen_bcmp(offrel, offset, size, v)
588 enum e_offrel offrel;
589 register u_int offset, size;
590 register const u_char *v;
591 {
592 register struct block *b, *tmp;
593
594 b = NULL;
595 while (size >= 4) {
596 register const u_char *p = &v[size - 4];
597 bpf_int32 w = ((bpf_int32)p[0] << 24) |
598 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
599
600 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
601 if (b != NULL)
602 gen_and(b, tmp);
603 b = tmp;
604 size -= 4;
605 }
606 while (size >= 2) {
607 register const u_char *p = &v[size - 2];
608 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
609
610 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
611 if (b != NULL)
612 gen_and(b, tmp);
613 b = tmp;
614 size -= 2;
615 }
616 if (size > 0) {
617 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
618 if (b != NULL)
619 gen_and(b, tmp);
620 b = tmp;
621 }
622 return b;
623 }
624
625 /*
626 * AND the field of size "size" at offset "offset" relative to the header
627 * specified by "offrel" with "mask", and compare it with the value "v"
628 * with the test specified by "jtype"; if "reverse" is true, the test
629 * should test the opposite of "jtype".
630 */
631 static struct block *
632 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
633 enum e_offrel offrel;
634 bpf_int32 v;
635 bpf_u_int32 offset, size, mask, jtype;
636 int reverse;
637 {
638 struct slist *s, *s2;
639 struct block *b;
640
641 s = gen_load_a(offrel, offset, size);
642
643 if (mask != 0xffffffff) {
644 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
645 s2->s.k = mask;
646 sappend(s, s2);
647 }
648
649 b = new_block(JMP(jtype));
650 b->stmts = s;
651 b->s.k = v;
652 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
653 gen_not(b);
654 return b;
655 }
656
657 /*
658 * Various code constructs need to know the layout of the data link
659 * layer. These variables give the necessary offsets from the beginning
660 * of the packet data.
661 *
662 * If the link layer has variable_length headers, the offsets are offsets
663 * from the end of the link-link-layer header, and "reg_ll_size" is
664 * the register number for a register containing the length of the
665 * link-layer header. Otherwise, "reg_ll_size" is -1.
666 */
667 static int reg_ll_size;
668
669 /*
670 * This is the offset of the beginning of the link-layer header.
671 * It's usually 0, except for 802.11 with a fixed-length radio header.
672 */
673 static u_int off_ll;
674
675 /*
676 * This is the offset of the beginning of the MAC-layer header.
677 * It's usually 0, except for ATM LANE.
678 */
679 static u_int off_mac;
680
681 /*
682 * "off_linktype" is the offset to information in the link-layer header
683 * giving the packet type.
684 *
685 * For Ethernet, it's the offset of the Ethernet type field.
686 *
687 * For link-layer types that always use 802.2 headers, it's the
688 * offset of the LLC header.
689 *
690 * For PPP, it's the offset of the PPP type field.
691 *
692 * For Cisco HDLC, it's the offset of the CHDLC type field.
693 *
694 * For BSD loopback, it's the offset of the AF_ value.
695 *
696 * For Linux cooked sockets, it's the offset of the type field.
697 *
698 * It's set to -1 for no encapsulation, in which case, IP is assumed.
699 */
700 static u_int off_linktype;
701
702 /*
703 * TRUE if the link layer includes an ATM pseudo-header.
704 */
705 static int is_atm = 0;
706
707 /*
708 * TRUE if "lane" appeared in the filter; it causes us to generate
709 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
710 */
711 static int is_lane = 0;
712
713 /*
714 * These are offsets for the ATM pseudo-header.
715 */
716 static u_int off_vpi;
717 static u_int off_vci;
718 static u_int off_proto;
719
720 /*
721 * This is the offset of the first byte after the ATM pseudo_header,
722 * or -1 if there is no ATM pseudo-header.
723 */
724 static u_int off_payload;
725
726 /*
727 * These are offsets to the beginning of the network-layer header.
728 *
729 * If the link layer never uses 802.2 LLC:
730 *
731 * "off_nl" and "off_nl_nosnap" are the same.
732 *
733 * If the link layer always uses 802.2 LLC:
734 *
735 * "off_nl" is the offset if there's a SNAP header following
736 * the 802.2 header;
737 *
738 * "off_nl_nosnap" is the offset if there's no SNAP header.
739 *
740 * If the link layer is Ethernet:
741 *
742 * "off_nl" is the offset if the packet is an Ethernet II packet
743 * (we assume no 802.3+802.2+SNAP);
744 *
745 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
746 * with an 802.2 header following it.
747 */
748 static u_int off_nl;
749 static u_int off_nl_nosnap;
750
751 static int linktype;
752
753 static void
754 init_linktype(p)
755 pcap_t *p;
756 {
757 linktype = pcap_datalink(p);
758 #ifdef PCAP_FDDIPAD
759 pcap_fddipad = p->fddipad;
760 #endif
761
762 /*
763 * Assume it's not raw ATM with a pseudo-header, for now.
764 */
765 off_mac = 0;
766 is_atm = 0;
767 is_lane = 0;
768 off_vpi = -1;
769 off_vci = -1;
770 off_proto = -1;
771 off_payload = -1;
772
773 /*
774 * Also assume it's not 802.11 with a fixed-length radio header.
775 */
776 off_ll = 0;
777
778 orig_linktype = -1;
779 orig_nl = -1;
780
781 reg_ll_size = -1;
782
783 switch (linktype) {
784
785 case DLT_ARCNET:
786 off_linktype = 2;
787 off_nl = 6; /* XXX in reality, variable! */
788 off_nl_nosnap = 6; /* no 802.2 LLC */
789 return;
790
791 case DLT_ARCNET_LINUX:
792 off_linktype = 4;
793 off_nl = 8; /* XXX in reality, variable! */
794 off_nl_nosnap = 8; /* no 802.2 LLC */
795 return;
796
797 case DLT_EN10MB:
798 off_linktype = 12;
799 off_nl = 14; /* Ethernet II */
800 off_nl_nosnap = 17; /* 802.3+802.2 */
801 return;
802
803 case DLT_SLIP:
804 /*
805 * SLIP doesn't have a link level type. The 16 byte
806 * header is hacked into our SLIP driver.
807 */
808 off_linktype = -1;
809 off_nl = 16;
810 off_nl_nosnap = 16; /* no 802.2 LLC */
811 return;
812
813 case DLT_SLIP_BSDOS:
814 /* XXX this may be the same as the DLT_PPP_BSDOS case */
815 off_linktype = -1;
816 /* XXX end */
817 off_nl = 24;
818 off_nl_nosnap = 24; /* no 802.2 LLC */
819 return;
820
821 case DLT_NULL:
822 case DLT_LOOP:
823 off_linktype = 0;
824 off_nl = 4;
825 off_nl_nosnap = 4; /* no 802.2 LLC */
826 return;
827
828 case DLT_ENC:
829 off_linktype = 0;
830 off_nl = 12;
831 off_nl_nosnap = 12; /* no 802.2 LLC */
832 return;
833
834 case DLT_PPP:
835 case DLT_PPP_PPPD:
836 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
837 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
838 off_linktype = 2;
839 off_nl = 4;
840 off_nl_nosnap = 4; /* no 802.2 LLC */
841 return;
842
843 case DLT_PPP_ETHER:
844 /*
845 * This does no include the Ethernet header, and
846 * only covers session state.
847 */
848 off_linktype = 6;
849 off_nl = 8;
850 off_nl_nosnap = 8; /* no 802.2 LLC */
851 return;
852
853 case DLT_PPP_BSDOS:
854 off_linktype = 5;
855 off_nl = 24;
856 off_nl_nosnap = 24; /* no 802.2 LLC */
857 return;
858
859 case DLT_FDDI:
860 /*
861 * FDDI doesn't really have a link-level type field.
862 * We set "off_linktype" to the offset of the LLC header.
863 *
864 * To check for Ethernet types, we assume that SSAP = SNAP
865 * is being used and pick out the encapsulated Ethernet type.
866 * XXX - should we generate code to check for SNAP?
867 */
868 off_linktype = 13;
869 #ifdef PCAP_FDDIPAD
870 off_linktype += pcap_fddipad;
871 #endif
872 off_nl = 21; /* FDDI+802.2+SNAP */
873 off_nl_nosnap = 16; /* FDDI+802.2 */
874 #ifdef PCAP_FDDIPAD
875 off_nl += pcap_fddipad;
876 off_nl_nosnap += pcap_fddipad;
877 #endif
878 return;
879
880 case DLT_IEEE802:
881 /*
882 * Token Ring doesn't really have a link-level type field.
883 * We set "off_linktype" to the offset of the LLC header.
884 *
885 * To check for Ethernet types, we assume that SSAP = SNAP
886 * is being used and pick out the encapsulated Ethernet type.
887 * XXX - should we generate code to check for SNAP?
888 *
889 * XXX - the header is actually variable-length.
890 * Some various Linux patched versions gave 38
891 * as "off_linktype" and 40 as "off_nl"; however,
892 * if a token ring packet has *no* routing
893 * information, i.e. is not source-routed, the correct
894 * values are 20 and 22, as they are in the vanilla code.
895 *
896 * A packet is source-routed iff the uppermost bit
897 * of the first byte of the source address, at an
898 * offset of 8, has the uppermost bit set. If the
899 * packet is source-routed, the total number of bytes
900 * of routing information is 2 plus bits 0x1F00 of
901 * the 16-bit value at an offset of 14 (shifted right
902 * 8 - figure out which byte that is).
903 */
904 off_linktype = 14;
905 off_nl = 22; /* Token Ring+802.2+SNAP */
906 off_nl_nosnap = 17; /* Token Ring+802.2 */
907 return;
908
909 case DLT_IEEE802_11:
910 /*
911 * 802.11 doesn't really have a link-level type field.
912 * We set "off_linktype" to the offset of the LLC header.
913 *
914 * To check for Ethernet types, we assume that SSAP = SNAP
915 * is being used and pick out the encapsulated Ethernet type.
916 * XXX - should we generate code to check for SNAP?
917 *
918 * XXX - the header is actually variable-length. We
919 * assume a 24-byte link-layer header, as appears in
920 * data frames in networks with no bridges. If the
921 * fromds and tods 802.11 header bits are both set,
922 * it's actually supposed to be 30 bytes.
923 */
924 off_linktype = 24;
925 off_nl = 32; /* 802.11+802.2+SNAP */
926 off_nl_nosnap = 27; /* 802.11+802.2 */
927 return;
928
929 case DLT_PRISM_HEADER:
930 /*
931 * Same as 802.11, but with an additional header before
932 * the 802.11 header, containing a bunch of additional
933 * information including radio-level information.
934 *
935 * The header is 144 bytes long.
936 *
937 * XXX - same variable-length header problem; at least
938 * the Prism header is fixed-length.
939 */
940 off_ll = 144;
941 off_linktype = 144+24;
942 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */
943 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
944 return;
945
946 case DLT_IEEE802_11_RADIO_AVS:
947 /*
948 * Same as 802.11, but with an additional header before
949 * the 802.11 header, containing a bunch of additional
950 * information including radio-level information.
951 *
952 * The header is 64 bytes long, at least in its
953 * current incarnation.
954 *
955 * XXX - same variable-length header problem, only
956 * more so; this header is also variable-length,
957 * with the length being the 32-bit big-endian
958 * number at an offset of 4 from the beginning
959 * of the radio header.
960 */
961 off_ll = 64;
962 off_linktype = 64+24;
963 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */
964 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */
965 return;
966
967 case DLT_IEEE802_11_RADIO:
968 /*
969 * Same as 802.11, but with an additional header before
970 * the 802.11 header, containing a bunch of additional
971 * information including radio-level information.
972 *
973 * The radiotap header is variable length, and we
974 * generate code to compute its length and store it
975 * in a register. These offsets are relative to the
976 * beginning of the 802.11 header.
977 */
978 off_linktype = 24;
979 off_nl = 32; /* 802.11+802.2+SNAP */
980 off_nl_nosnap = 27; /* 802.11+802.2 */
981 return;
982
983 case DLT_ATM_RFC1483:
984 case DLT_ATM_CLIP: /* Linux ATM defines this */
985 /*
986 * assume routed, non-ISO PDUs
987 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
988 *
989 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
990 * or PPP with the PPP NLPID (e.g., PPPoA)? The
991 * latter would presumably be treated the way PPPoE
992 * should be, so you can do "pppoe and udp port 2049"
993 * or "pppoa and tcp port 80" and have it check for
994 * PPPo{A,E} and a PPP protocol of IP and....
995 */
996 off_linktype = 0;
997 off_nl = 8; /* 802.2+SNAP */
998 off_nl_nosnap = 3; /* 802.2 */
999 return;
1000
1001 case DLT_SUNATM:
1002 /*
1003 * Full Frontal ATM; you get AALn PDUs with an ATM
1004 * pseudo-header.
1005 */
1006 is_atm = 1;
1007 off_vpi = SUNATM_VPI_POS;
1008 off_vci = SUNATM_VCI_POS;
1009 off_proto = PROTO_POS;
1010 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
1011 off_payload = SUNATM_PKT_BEGIN_POS;
1012 off_linktype = off_payload;
1013 off_nl = off_payload+8; /* 802.2+SNAP */
1014 off_nl_nosnap = off_payload+3; /* 802.2 */
1015 return;
1016
1017 case DLT_RAW:
1018 off_linktype = -1;
1019 off_nl = 0;
1020 off_nl_nosnap = 0; /* no 802.2 LLC */
1021 return;
1022
1023 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1024 off_linktype = 14;
1025 off_nl = 16;
1026 off_nl_nosnap = 16; /* no 802.2 LLC */
1027 return;
1028
1029 case DLT_LTALK:
1030 /*
1031 * LocalTalk does have a 1-byte type field in the LLAP header,
1032 * but really it just indicates whether there is a "short" or
1033 * "long" DDP packet following.
1034 */
1035 off_linktype = -1;
1036 off_nl = 0;
1037 off_nl_nosnap = 0; /* no 802.2 LLC */
1038 return;
1039
1040 case DLT_IP_OVER_FC:
1041 /*
1042 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1043 * link-level type field. We set "off_linktype" to the
1044 * offset of the LLC header.
1045 *
1046 * To check for Ethernet types, we assume that SSAP = SNAP
1047 * is being used and pick out the encapsulated Ethernet type.
1048 * XXX - should we generate code to check for SNAP? RFC
1049 * 2625 says SNAP should be used.
1050 */
1051 off_linktype = 16;
1052 off_nl = 24; /* IPFC+802.2+SNAP */
1053 off_nl_nosnap = 19; /* IPFC+802.2 */
1054 return;
1055
1056 case DLT_FRELAY:
1057 /*
1058 * XXX - we should set this to handle SNAP-encapsulated
1059 * frames (NLPID of 0x80).
1060 */
1061 off_linktype = -1;
1062 off_nl = 0;
1063 off_nl_nosnap = 0; /* no 802.2 LLC */
1064 return;
1065
1066 case DLT_APPLE_IP_OVER_IEEE1394:
1067 off_linktype = 16;
1068 off_nl = 18;
1069 off_nl_nosnap = 18; /* no 802.2 LLC */
1070 return;
1071
1072 case DLT_LINUX_IRDA:
1073 /*
1074 * Currently, only raw "link[N:M]" filtering is supported.
1075 */
1076 off_linktype = -1;
1077 off_nl = -1;
1078 off_nl_nosnap = -1;
1079 return;
1080
1081 case DLT_DOCSIS:
1082 /*
1083 * Currently, only raw "link[N:M]" filtering is supported.
1084 */
1085 off_linktype = -1;
1086 off_nl = -1;
1087 off_nl_nosnap = -1;
1088 return;
1089
1090 case DLT_SYMANTEC_FIREWALL:
1091 off_linktype = 6;
1092 off_nl = 44; /* Ethernet II */
1093 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
1094 return;
1095
1096 case DLT_PFLOG:
1097 off_linktype = 0;
1098 /* XXX read this from pf.h? */
1099 off_nl = PFLOG_HDRLEN;
1100 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */
1101 return;
1102
1103 case DLT_JUNIPER_MLFR:
1104 case DLT_JUNIPER_MLPPP:
1105 off_linktype = 4;
1106 off_nl = 4;
1107 off_nl_nosnap = -1; /* no 802.2 LLC */
1108 return;
1109
1110 case DLT_JUNIPER_ATM1:
1111 off_linktype = 4; /* in reality variable between 4-8 */
1112 off_nl = 4;
1113 off_nl_nosnap = 14;
1114 return;
1115
1116 case DLT_JUNIPER_ATM2:
1117 off_linktype = 8; /* in reality variable between 8-12 */
1118 off_nl = 8;
1119 off_nl_nosnap = 18;
1120 return;
1121
1122 /* frames captured on a Juniper PPPoE service PIC
1123 * contain raw ethernet frames */
1124 case DLT_JUNIPER_PPPOE:
1125 off_linktype = 16;
1126 off_nl = 18; /* Ethernet II */
1127 off_nl_nosnap = 21; /* 802.3+802.2 */
1128 return;
1129
1130 case DLT_JUNIPER_PPPOE_ATM:
1131 off_linktype = 4;
1132 off_nl = 6;
1133 off_nl_nosnap = -1; /* no 802.2 LLC */
1134 return;
1135
1136 case DLT_JUNIPER_GGSN:
1137 off_linktype = 6;
1138 off_nl = 12;
1139 off_nl_nosnap = -1; /* no 802.2 LLC */
1140 return;
1141
1142 case DLT_JUNIPER_ES:
1143 off_linktype = 6;
1144 off_nl = -1; /* not really a network layer but raw IP adresses */
1145 off_nl_nosnap = -1; /* no 802.2 LLC */
1146 return;
1147
1148 case DLT_JUNIPER_MONITOR:
1149 off_linktype = 12;
1150 off_nl = 12; /* raw IP/IP6 header */
1151 off_nl_nosnap = -1; /* no 802.2 LLC */
1152 return;
1153
1154 case DLT_JUNIPER_SERVICES:
1155 off_linktype = 12;
1156 off_nl = -1; /* L3 proto location dep. on cookie type */
1157 off_nl_nosnap = -1; /* no 802.2 LLC */
1158 return;
1159
1160 #ifdef DLT_PFSYNC
1161 case DLT_PFSYNC:
1162 off_linktype = -1;
1163 off_nl = 4;
1164 off_nl_nosnap = 4;
1165 return;
1166 #endif
1167
1168 case DLT_LINUX_LAPD:
1169 /*
1170 * Currently, only raw "link[N:M]" filtering is supported.
1171 */
1172 off_linktype = -1;
1173 off_nl = -1;
1174 off_nl_nosnap = -1;
1175 return;
1176 }
1177 bpf_error("unknown data link type %d", linktype);
1178 /* NOTREACHED */
1179 }
1180
1181 /*
1182 * Load a value relative to the beginning of the link-layer header.
1183 * The link-layer header doesn't necessarily begin at the beginning
1184 * of the packet data; there might be a variable-length prefix containing
1185 * radio information.
1186 */
1187 static struct slist *
1188 gen_load_llrel(offset, size)
1189 u_int offset, size;
1190 {
1191 struct slist *s, *s2;
1192
1193 s = gen_llprefixlen();
1194
1195 /*
1196 * If "s" is non-null, it has code to arrange that the X register
1197 * contains the length of the prefix preceding the link-layer
1198 * header.
1199 */
1200 if (s != NULL) {
1201 s2 = new_stmt(BPF_LD|BPF_IND|size);
1202 s2->s.k = offset;
1203 sappend(s, s2);
1204 } else {
1205 s = new_stmt(BPF_LD|BPF_ABS|size);
1206 s->s.k = offset;
1207 }
1208 return s;
1209 }
1210
1211 /*
1212 * Load a value relative to the beginning of the specified header.
1213 */
1214 static struct slist *
1215 gen_load_a(offrel, offset, size)
1216 enum e_offrel offrel;
1217 u_int offset, size;
1218 {
1219 struct slist *s, *s2;
1220
1221 switch (offrel) {
1222
1223 case OR_PACKET:
1224 s = gen_load_llrel(offset, size);
1225 break;
1226
1227 case OR_LINK:
1228 s = gen_load_llrel(off_ll + offset, size);
1229 break;
1230
1231 case OR_NET:
1232 s = gen_load_llrel(off_nl + offset, size);
1233 break;
1234
1235 case OR_NET_NOSNAP:
1236 s = gen_load_llrel(off_nl_nosnap + offset, size);
1237 break;
1238
1239 case OR_TRAN_IPV4:
1240 /*
1241 * Load the X register with the length of the IPv4 header,
1242 * in bytes.
1243 */
1244 s = gen_loadx_iphdrlen();
1245
1246 /*
1247 * Load the item at {length of the link-layer header} +
1248 * {length of the IPv4 header} + {specified offset}.
1249 */
1250 s2 = new_stmt(BPF_LD|BPF_IND|size);
1251 s2->s.k = off_nl + offset;
1252 sappend(s, s2);
1253 break;
1254
1255 case OR_TRAN_IPV6:
1256 s = gen_load_llrel(off_nl + 40 + offset, size);
1257 break;
1258
1259 default:
1260 abort();
1261 return NULL;
1262 }
1263 return s;
1264 }
1265
1266 /*
1267 * Generate code to load into the X register the sum of the length of
1268 * the IPv4 header and any variable-length header preceding the link-layer
1269 * header.
1270 */
1271 static struct slist *
1272 gen_loadx_iphdrlen()
1273 {
1274 struct slist *s, *s2;
1275
1276 s = gen_llprefixlen();
1277 if (s != NULL) {
1278 /*
1279 * There's a variable-length prefix preceding the
1280 * link-layer header. "s" points to a list of statements
1281 * that put the length of that prefix into the X register.
1282 * The 4*([k]&0xf) addressing mode can't be used, as we
1283 * don't have a constant offset, so we have to load the
1284 * value in question into the A register and add to it
1285 * the value from the X register.
1286 */
1287 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1288 s2->s.k = off_nl;
1289 sappend(s, s2);
1290 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1291 s2->s.k = 0xf;
1292 sappend(s, s2);
1293 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1294 s2->s.k = 2;
1295 sappend(s, s2);
1296
1297 /*
1298 * The A register now contains the length of the
1299 * IP header. We need to add to it the length
1300 * of the prefix preceding the link-layer
1301 * header, which is still in the X register, and
1302 * move the result into the X register.
1303 */
1304 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1305 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1306 } else {
1307 /*
1308 * There is no variable-length header preceding the
1309 * link-layer header; if there's a fixed-length
1310 * header preceding it, its length is included in
1311 * the off_ variables, so it doesn't need to be added.
1312 */
1313 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1314 s->s.k = off_nl;
1315 }
1316 return s;
1317 }
1318
1319 static struct block *
1320 gen_uncond(rsense)
1321 int rsense;
1322 {
1323 struct block *b;
1324 struct slist *s;
1325
1326 s = new_stmt(BPF_LD|BPF_IMM);
1327 s->s.k = !rsense;
1328 b = new_block(JMP(BPF_JEQ));
1329 b->stmts = s;
1330
1331 return b;
1332 }
1333
1334 static inline struct block *
1335 gen_true()
1336 {
1337 return gen_uncond(1);
1338 }
1339
1340 static inline struct block *
1341 gen_false()
1342 {
1343 return gen_uncond(0);
1344 }
1345
1346 /*
1347 * Byte-swap a 32-bit number.
1348 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1349 * big-endian platforms.)
1350 */
1351 #define SWAPLONG(y) \
1352 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1353
1354 /*
1355 * Generate code to match a particular packet type.
1356 *
1357 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1358 * value, if <= ETHERMTU. We use that to determine whether to
1359 * match the type/length field or to check the type/length field for
1360 * a value <= ETHERMTU to see whether it's a type field and then do
1361 * the appropriate test.
1362 */
1363 static struct block *
1364 gen_ether_linktype(proto)
1365 register int proto;
1366 {
1367 struct block *b0, *b1;
1368
1369 switch (proto) {
1370
1371 case LLCSAP_ISONS:
1372 case LLCSAP_IP:
1373 case LLCSAP_NETBEUI:
1374 /*
1375 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1376 * so we check the DSAP and SSAP.
1377 *
1378 * LLCSAP_IP checks for IP-over-802.2, rather
1379 * than IP-over-Ethernet or IP-over-SNAP.
1380 *
1381 * XXX - should we check both the DSAP and the
1382 * SSAP, like this, or should we check just the
1383 * DSAP, as we do for other types <= ETHERMTU
1384 * (i.e., other SAP values)?
1385 */
1386 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1387 gen_not(b0);
1388 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1389 ((proto << 8) | proto));
1390 gen_and(b0, b1);
1391 return b1;
1392
1393 case LLCSAP_IPX:
1394 /*
1395 * Check for;
1396 *
1397 * Ethernet_II frames, which are Ethernet
1398 * frames with a frame type of ETHERTYPE_IPX;
1399 *
1400 * Ethernet_802.3 frames, which are 802.3
1401 * frames (i.e., the type/length field is
1402 * a length field, <= ETHERMTU, rather than
1403 * a type field) with the first two bytes
1404 * after the Ethernet/802.3 header being
1405 * 0xFFFF;
1406 *
1407 * Ethernet_802.2 frames, which are 802.3
1408 * frames with an 802.2 LLC header and
1409 * with the IPX LSAP as the DSAP in the LLC
1410 * header;
1411 *
1412 * Ethernet_SNAP frames, which are 802.3
1413 * frames with an LLC header and a SNAP
1414 * header and with an OUI of 0x000000
1415 * (encapsulated Ethernet) and a protocol
1416 * ID of ETHERTYPE_IPX in the SNAP header.
1417 *
1418 * XXX - should we generate the same code both
1419 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1420 */
1421
1422 /*
1423 * This generates code to check both for the
1424 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1425 */
1426 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1427 (bpf_int32)LLCSAP_IPX);
1428 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H,
1429 (bpf_int32)0xFFFF);
1430 gen_or(b0, b1);
1431
1432 /*
1433 * Now we add code to check for SNAP frames with
1434 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1435 */
1436 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1437 gen_or(b0, b1);
1438
1439 /*
1440 * Now we generate code to check for 802.3
1441 * frames in general.
1442 */
1443 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1444 gen_not(b0);
1445
1446 /*
1447 * Now add the check for 802.3 frames before the
1448 * check for Ethernet_802.2 and Ethernet_802.3,
1449 * as those checks should only be done on 802.3
1450 * frames, not on Ethernet frames.
1451 */
1452 gen_and(b0, b1);
1453
1454 /*
1455 * Now add the check for Ethernet_II frames, and
1456 * do that before checking for the other frame
1457 * types.
1458 */
1459 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1460 (bpf_int32)ETHERTYPE_IPX);
1461 gen_or(b0, b1);
1462 return b1;
1463
1464 case ETHERTYPE_ATALK:
1465 case ETHERTYPE_AARP:
1466 /*
1467 * EtherTalk (AppleTalk protocols on Ethernet link
1468 * layer) may use 802.2 encapsulation.
1469 */
1470
1471 /*
1472 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1473 * we check for an Ethernet type field less than
1474 * 1500, which means it's an 802.3 length field.
1475 */
1476 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1477 gen_not(b0);
1478
1479 /*
1480 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1481 * SNAP packets with an organization code of
1482 * 0x080007 (Apple, for Appletalk) and a protocol
1483 * type of ETHERTYPE_ATALK (Appletalk).
1484 *
1485 * 802.2-encapsulated ETHERTYPE_AARP packets are
1486 * SNAP packets with an organization code of
1487 * 0x000000 (encapsulated Ethernet) and a protocol
1488 * type of ETHERTYPE_AARP (Appletalk ARP).
1489 */
1490 if (proto == ETHERTYPE_ATALK)
1491 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1492 else /* proto == ETHERTYPE_AARP */
1493 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1494 gen_and(b0, b1);
1495
1496 /*
1497 * Check for Ethernet encapsulation (Ethertalk
1498 * phase 1?); we just check for the Ethernet
1499 * protocol type.
1500 */
1501 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1502
1503 gen_or(b0, b1);
1504 return b1;
1505
1506 default:
1507 if (proto <= ETHERMTU) {
1508 /*
1509 * This is an LLC SAP value, so the frames
1510 * that match would be 802.2 frames.
1511 * Check that the frame is an 802.2 frame
1512 * (i.e., that the length/type field is
1513 * a length field, <= ETHERMTU) and
1514 * then check the DSAP.
1515 */
1516 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1517 gen_not(b0);
1518 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1519 (bpf_int32)proto);
1520 gen_and(b0, b1);
1521 return b1;
1522 } else {
1523 /*
1524 * This is an Ethernet type, so compare
1525 * the length/type field with it (if
1526 * the frame is an 802.2 frame, the length
1527 * field will be <= ETHERMTU, and, as
1528 * "proto" is > ETHERMTU, this test
1529 * will fail and the frame won't match,
1530 * which is what we want).
1531 */
1532 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1533 (bpf_int32)proto);
1534 }
1535 }
1536 }
1537
1538 /*
1539 * Generate code to match a particular packet type.
1540 *
1541 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1542 * value, if <= ETHERMTU. We use that to determine whether to
1543 * match the type field or to check the type field for the special
1544 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1545 */
1546 static struct block *
1547 gen_linux_sll_linktype(proto)
1548 register int proto;
1549 {
1550 struct block *b0, *b1;
1551
1552 switch (proto) {
1553
1554 case LLCSAP_ISONS:
1555 case LLCSAP_IP:
1556 case LLCSAP_NETBEUI:
1557 /*
1558 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1559 * so we check the DSAP and SSAP.
1560 *
1561 * LLCSAP_IP checks for IP-over-802.2, rather
1562 * than IP-over-Ethernet or IP-over-SNAP.
1563 *
1564 * XXX - should we check both the DSAP and the
1565 * SSAP, like this, or should we check just the
1566 * DSAP, as we do for other types <= ETHERMTU
1567 * (i.e., other SAP values)?
1568 */
1569 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1570 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1571 ((proto << 8) | proto));
1572 gen_and(b0, b1);
1573 return b1;
1574
1575 case LLCSAP_IPX:
1576 /*
1577 * Ethernet_II frames, which are Ethernet
1578 * frames with a frame type of ETHERTYPE_IPX;
1579 *
1580 * Ethernet_802.3 frames, which have a frame
1581 * type of LINUX_SLL_P_802_3;
1582 *
1583 * Ethernet_802.2 frames, which are 802.3
1584 * frames with an 802.2 LLC header (i.e, have
1585 * a frame type of LINUX_SLL_P_802_2) and
1586 * with the IPX LSAP as the DSAP in the LLC
1587 * header;
1588 *
1589 * Ethernet_SNAP frames, which are 802.3
1590 * frames with an LLC header and a SNAP
1591 * header and with an OUI of 0x000000
1592 * (encapsulated Ethernet) and a protocol
1593 * ID of ETHERTYPE_IPX in the SNAP header.
1594 *
1595 * First, do the checks on LINUX_SLL_P_802_2
1596 * frames; generate the check for either
1597 * Ethernet_802.2 or Ethernet_SNAP frames, and
1598 * then put a check for LINUX_SLL_P_802_2 frames
1599 * before it.
1600 */
1601 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1602 (bpf_int32)LLCSAP_IPX);
1603 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1604 off_linktype + 2);
1605 gen_or(b0, b1);
1606 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1607 gen_and(b0, b1);
1608
1609 /*
1610 * Now check for 802.3 frames and OR that with
1611 * the previous test.
1612 */
1613 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
1614 gen_or(b0, b1);
1615
1616 /*
1617 * Now add the check for Ethernet_II frames, and
1618 * do that before checking for the other frame
1619 * types.
1620 */
1621 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1622 (bpf_int32)ETHERTYPE_IPX);
1623 gen_or(b0, b1);
1624 return b1;
1625
1626 case ETHERTYPE_ATALK:
1627 case ETHERTYPE_AARP:
1628 /*
1629 * EtherTalk (AppleTalk protocols on Ethernet link
1630 * layer) may use 802.2 encapsulation.
1631 */
1632
1633 /*
1634 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1635 * we check for the 802.2 protocol type in the
1636 * "Ethernet type" field.
1637 */
1638 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1639
1640 /*
1641 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1642 * SNAP packets with an organization code of
1643 * 0x080007 (Apple, for Appletalk) and a protocol
1644 * type of ETHERTYPE_ATALK (Appletalk).
1645 *
1646 * 802.2-encapsulated ETHERTYPE_AARP packets are
1647 * SNAP packets with an organization code of
1648 * 0x000000 (encapsulated Ethernet) and a protocol
1649 * type of ETHERTYPE_AARP (Appletalk ARP).
1650 */
1651 if (proto == ETHERTYPE_ATALK)
1652 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1653 off_linktype + 2);
1654 else /* proto == ETHERTYPE_AARP */
1655 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1656 off_linktype + 2);
1657 gen_and(b0, b1);
1658
1659 /*
1660 * Check for Ethernet encapsulation (Ethertalk
1661 * phase 1?); we just check for the Ethernet
1662 * protocol type.
1663 */
1664 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1665
1666 gen_or(b0, b1);
1667 return b1;
1668
1669 default:
1670 if (proto <= ETHERMTU) {
1671 /*
1672 * This is an LLC SAP value, so the frames
1673 * that match would be 802.2 frames.
1674 * Check for the 802.2 protocol type
1675 * in the "Ethernet type" field, and
1676 * then check the DSAP.
1677 */
1678 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1679 LINUX_SLL_P_802_2);
1680 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1681 (bpf_int32)proto);
1682 gen_and(b0, b1);
1683 return b1;
1684 } else {
1685 /*
1686 * This is an Ethernet type, so compare
1687 * the length/type field with it (if
1688 * the frame is an 802.2 frame, the length
1689 * field will be <= ETHERMTU, and, as
1690 * "proto" is > ETHERMTU, this test
1691 * will fail and the frame won't match,
1692 * which is what we want).
1693 */
1694 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1695 (bpf_int32)proto);
1696 }
1697 }
1698 }
1699
1700 static void
1701 insert_radiotap_load_llprefixlen(b)
1702 struct block *b;
1703 {
1704 struct slist *s1, *s2;
1705
1706 /*
1707 * Prepend to the statements in this block code to load the
1708 * length of the radiotap header into the register assigned
1709 * to hold that length, if one has been assigned.
1710 */
1711 if (reg_ll_size != -1) {
1712 /*
1713 * The 2 bytes at offsets of 2 and 3 from the beginning
1714 * of the radiotap header are the length of the radiotap
1715 * header; unfortunately, it's little-endian, so we have
1716 * to load it a byte at a time and construct the value.
1717 */
1718
1719 /*
1720 * Load the high-order byte, at an offset of 3, shift it
1721 * left a byte, and put the result in the X register.
1722 */
1723 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1724 s1->s.k = 3;
1725 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1726 sappend(s1, s2);
1727 s2->s.k = 8;
1728 s2 = new_stmt(BPF_MISC|BPF_TAX);
1729 sappend(s1, s2);
1730
1731 /*
1732 * Load the next byte, at an offset of 2, and OR the
1733 * value from the X register into it.
1734 */
1735 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1736 sappend(s1, s2);
1737 s2->s.k = 2;
1738 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
1739 sappend(s1, s2);
1740
1741 /*
1742 * Now allocate a register to hold that value and store
1743 * it.
1744 */
1745 s2 = new_stmt(BPF_ST);
1746 s2->s.k = reg_ll_size;
1747 sappend(s1, s2);
1748
1749 /*
1750 * Now move it into the X register.
1751 */
1752 s2 = new_stmt(BPF_MISC|BPF_TAX);
1753 sappend(s1, s2);
1754
1755 /*
1756 * Now append all the existing statements in this
1757 * block to these statements.
1758 */
1759 sappend(s1, b->stmts);
1760 b->stmts = s1;
1761 }
1762 }
1763
1764
1765 static void
1766 insert_load_llprefixlen(b)
1767 struct block *b;
1768 {
1769 switch (linktype) {
1770
1771 case DLT_IEEE802_11_RADIO:
1772 insert_radiotap_load_llprefixlen(b);
1773 }
1774 }
1775
1776
1777 static struct slist *
1778 gen_radiotap_llprefixlen(void)
1779 {
1780 struct slist *s;
1781
1782 if (reg_ll_size == -1) {
1783 /*
1784 * We haven't yet assigned a register for the length
1785 * of the radiotap header; allocate one.
1786 */
1787 reg_ll_size = alloc_reg();
1788 }
1789
1790 /*
1791 * Load the register containing the radiotap length
1792 * into the X register.
1793 */
1794 s = new_stmt(BPF_LDX|BPF_MEM);
1795 s->s.k = reg_ll_size;
1796 return s;
1797 }
1798
1799 /*
1800 * Generate code to compute the link-layer header length, if necessary,
1801 * putting it into the X register, and to return either a pointer to a
1802 * "struct slist" for the list of statements in that code, or NULL if
1803 * no code is necessary.
1804 */
1805 static struct slist *
1806 gen_llprefixlen(void)
1807 {
1808 switch (linktype) {
1809
1810 case DLT_IEEE802_11_RADIO:
1811 return gen_radiotap_llprefixlen();
1812
1813 default:
1814 return NULL;
1815 }
1816 }
1817
1818 /*
1819 * Generate code to match a particular packet type by matching the
1820 * link-layer type field or fields in the 802.2 LLC header.
1821 *
1822 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1823 * value, if <= ETHERMTU.
1824 */
1825 static struct block *
1826 gen_linktype(proto)
1827 register int proto;
1828 {
1829 struct block *b0, *b1, *b2;
1830
1831 switch (linktype) {
1832
1833 case DLT_EN10MB:
1834 return gen_ether_linktype(proto);
1835 /*NOTREACHED*/
1836 break;
1837
1838 case DLT_C_HDLC:
1839 switch (proto) {
1840
1841 case LLCSAP_ISONS:
1842 proto = (proto << 8 | LLCSAP_ISONS);
1843 /* fall through */
1844
1845 default:
1846 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1847 (bpf_int32)proto);
1848 /*NOTREACHED*/
1849 break;
1850 }
1851 break;
1852
1853 case DLT_FDDI:
1854 case DLT_IEEE802:
1855 case DLT_IEEE802_11:
1856 case DLT_IEEE802_11_RADIO_AVS:
1857 case DLT_IEEE802_11_RADIO:
1858 case DLT_PRISM_HEADER:
1859 case DLT_ATM_RFC1483:
1860 case DLT_ATM_CLIP:
1861 case DLT_IP_OVER_FC:
1862 return gen_llc_linktype(proto);
1863 /*NOTREACHED*/
1864 break;
1865
1866 case DLT_SUNATM:
1867 /*
1868 * If "is_lane" is set, check for a LANE-encapsulated
1869 * version of this protocol, otherwise check for an
1870 * LLC-encapsulated version of this protocol.
1871 *
1872 * We assume LANE means Ethernet, not Token Ring.
1873 */
1874 if (is_lane) {
1875 /*
1876 * Check that the packet doesn't begin with an
1877 * LE Control marker. (We've already generated
1878 * a test for LANE.)
1879 */
1880 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
1881 0xFF00);
1882 gen_not(b0);
1883
1884 /*
1885 * Now generate an Ethernet test.
1886 */
1887 b1 = gen_ether_linktype(proto);
1888 gen_and(b0, b1);
1889 return b1;
1890 } else {
1891 /*
1892 * Check for LLC encapsulation and then check the
1893 * protocol.
1894 */
1895 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
1896 b1 = gen_llc_linktype(proto);
1897 gen_and(b0, b1);
1898 return b1;
1899 }
1900 /*NOTREACHED*/
1901 break;
1902
1903 case DLT_LINUX_SLL:
1904 return gen_linux_sll_linktype(proto);
1905 /*NOTREACHED*/
1906 break;
1907
1908 case DLT_SLIP:
1909 case DLT_SLIP_BSDOS:
1910 case DLT_RAW:
1911 /*
1912 * These types don't provide any type field; packets
1913 * are always IP.
1914 *
1915 * XXX - for IPv4, check for a version number of 4, and,
1916 * for IPv6, check for a version number of 6?
1917 */
1918 switch (proto) {
1919
1920 case ETHERTYPE_IP:
1921 #ifdef INET6
1922 case ETHERTYPE_IPV6:
1923 #endif
1924 return gen_true(); /* always true */
1925
1926 default:
1927 return gen_false(); /* always false */
1928 }
1929 /*NOTREACHED*/
1930 break;
1931
1932 case DLT_PPP:
1933 case DLT_PPP_PPPD:
1934 case DLT_PPP_SERIAL:
1935 case DLT_PPP_ETHER:
1936 /*
1937 * We use Ethernet protocol types inside libpcap;
1938 * map them to the corresponding PPP protocol types.
1939 */
1940 switch (proto) {
1941
1942 case ETHERTYPE_IP:
1943 proto = PPP_IP;
1944 break;
1945
1946 #ifdef INET6
1947 case ETHERTYPE_IPV6:
1948 proto = PPP_IPV6;
1949 break;
1950 #endif
1951
1952 case ETHERTYPE_DN:
1953 proto = PPP_DECNET;
1954 break;
1955
1956 case ETHERTYPE_ATALK:
1957 proto = PPP_APPLE;
1958 break;
1959
1960 case ETHERTYPE_NS:
1961 proto = PPP_NS;
1962 break;
1963
1964 case LLCSAP_ISONS:
1965 proto = PPP_OSI;
1966 break;
1967
1968 case LLCSAP_8021D:
1969 /*
1970 * I'm assuming the "Bridging PDU"s that go
1971 * over PPP are Spanning Tree Protocol
1972 * Bridging PDUs.
1973 */
1974 proto = PPP_BRPDU;
1975 break;
1976
1977 case LLCSAP_IPX:
1978 proto = PPP_IPX;
1979 break;
1980 }
1981 break;
1982
1983 case DLT_PPP_BSDOS:
1984 /*
1985 * We use Ethernet protocol types inside libpcap;
1986 * map them to the corresponding PPP protocol types.
1987 */
1988 switch (proto) {
1989
1990 case ETHERTYPE_IP:
1991 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
1992 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
1993 gen_or(b0, b1);
1994 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
1995 gen_or(b1, b0);
1996 return b0;
1997
1998 #ifdef INET6
1999 case ETHERTYPE_IPV6:
2000 proto = PPP_IPV6;
2001 /* more to go? */
2002 break;
2003 #endif
2004
2005 case ETHERTYPE_DN:
2006 proto = PPP_DECNET;
2007 break;
2008
2009 case ETHERTYPE_ATALK:
2010 proto = PPP_APPLE;
2011 break;
2012
2013 case ETHERTYPE_NS:
2014 proto = PPP_NS;
2015 break;
2016
2017 case LLCSAP_ISONS:
2018 proto = PPP_OSI;
2019 break;
2020
2021 case LLCSAP_8021D:
2022 /*
2023 * I'm assuming the "Bridging PDU"s that go
2024 * over PPP are Spanning Tree Protocol
2025 * Bridging PDUs.
2026 */
2027 proto = PPP_BRPDU;
2028 break;
2029
2030 case LLCSAP_IPX:
2031 proto = PPP_IPX;
2032 break;
2033 }
2034 break;
2035
2036 case DLT_NULL:
2037 case DLT_LOOP:
2038 case DLT_ENC:
2039 /*
2040 * For DLT_NULL, the link-layer header is a 32-bit
2041 * word containing an AF_ value in *host* byte order,
2042 * and for DLT_ENC, the link-layer header begins
2043 * with a 32-bit work containing an AF_ value in
2044 * host byte order.
2045 *
2046 * In addition, if we're reading a saved capture file,
2047 * the host byte order in the capture may not be the
2048 * same as the host byte order on this machine.
2049 *
2050 * For DLT_LOOP, the link-layer header is a 32-bit
2051 * word containing an AF_ value in *network* byte order.
2052 *
2053 * XXX - AF_ values may, unfortunately, be platform-
2054 * dependent; for example, FreeBSD's AF_INET6 is 24
2055 * whilst NetBSD's and OpenBSD's is 26.
2056 *
2057 * This means that, when reading a capture file, just
2058 * checking for our AF_INET6 value won't work if the
2059 * capture file came from another OS.
2060 */
2061 switch (proto) {
2062
2063 case ETHERTYPE_IP:
2064 proto = AF_INET;
2065 break;
2066
2067 #ifdef INET6
2068 case ETHERTYPE_IPV6:
2069 proto = AF_INET6;
2070 break;
2071 #endif
2072
2073 default:
2074 /*
2075 * Not a type on which we support filtering.
2076 * XXX - support those that have AF_ values
2077 * #defined on this platform, at least?
2078 */
2079 return gen_false();
2080 }
2081
2082 if (linktype == DLT_NULL || linktype == DLT_ENC) {
2083 /*
2084 * The AF_ value is in host byte order, but
2085 * the BPF interpreter will convert it to
2086 * network byte order.
2087 *
2088 * If this is a save file, and it's from a
2089 * machine with the opposite byte order to
2090 * ours, we byte-swap the AF_ value.
2091 *
2092 * Then we run it through "htonl()", and
2093 * generate code to compare against the result.
2094 */
2095 if (bpf_pcap->sf.rfile != NULL &&
2096 bpf_pcap->sf.swapped)
2097 proto = SWAPLONG(proto);
2098 proto = htonl(proto);
2099 }
2100 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
2101
2102 case DLT_PFLOG:
2103 /*
2104 * af field is host byte order in contrast to the rest of
2105 * the packet.
2106 */
2107 if (proto == ETHERTYPE_IP)
2108 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2109 BPF_B, (bpf_int32)AF_INET));
2110 #ifdef INET6
2111 else if (proto == ETHERTYPE_IPV6)
2112 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2113 BPF_B, (bpf_int32)AF_INET6));
2114 #endif /* INET6 */
2115 else
2116 return gen_false();
2117 /*NOTREACHED*/
2118 break;
2119
2120 case DLT_ARCNET:
2121 case DLT_ARCNET_LINUX:
2122 /*
2123 * XXX should we check for first fragment if the protocol
2124 * uses PHDS?
2125 */
2126 switch (proto) {
2127
2128 default:
2129 return gen_false();
2130
2131 #ifdef INET6
2132 case ETHERTYPE_IPV6:
2133 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2134 (bpf_int32)ARCTYPE_INET6));
2135 #endif /* INET6 */
2136
2137 case ETHERTYPE_IP:
2138 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2139 (bpf_int32)ARCTYPE_IP);
2140 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2141 (bpf_int32)ARCTYPE_IP_OLD);
2142 gen_or(b0, b1);
2143 return (b1);
2144
2145 case ETHERTYPE_ARP:
2146 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2147 (bpf_int32)ARCTYPE_ARP);
2148 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2149 (bpf_int32)ARCTYPE_ARP_OLD);
2150 gen_or(b0, b1);
2151 return (b1);
2152
2153 case ETHERTYPE_REVARP:
2154 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2155 (bpf_int32)ARCTYPE_REVARP));
2156
2157 case ETHERTYPE_ATALK:
2158 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2159 (bpf_int32)ARCTYPE_ATALK));
2160 }
2161 /*NOTREACHED*/
2162 break;
2163
2164 case DLT_LTALK:
2165 switch (proto) {
2166 case ETHERTYPE_ATALK:
2167 return gen_true();
2168 default:
2169 return gen_false();
2170 }
2171 /*NOTREACHED*/
2172 break;
2173
2174 case DLT_FRELAY:
2175 /*
2176 * XXX - assumes a 2-byte Frame Relay header with
2177 * DLCI and flags. What if the address is longer?
2178 */
2179 switch (proto) {
2180
2181 case ETHERTYPE_IP:
2182 /*
2183 * Check for the special NLPID for IP.
2184 */
2185 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
2186
2187 #ifdef INET6
2188 case ETHERTYPE_IPV6:
2189 /*
2190 * Check for the special NLPID for IPv6.
2191 */
2192 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
2193 #endif
2194
2195 case LLCSAP_ISONS:
2196 /*
2197 * Check for several OSI protocols.
2198 *
2199 * Frame Relay packets typically have an OSI
2200 * NLPID at the beginning; we check for each
2201 * of them.
2202 *
2203 * What we check for is the NLPID and a frame
2204 * control field of UI, i.e. 0x03 followed
2205 * by the NLPID.
2206 */
2207 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
2208 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
2209 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
2210 gen_or(b1, b2);
2211 gen_or(b0, b2);
2212 return b2;
2213
2214 default:
2215 return gen_false();
2216 }
2217 /*NOTREACHED*/
2218 break;
2219
2220 case DLT_JUNIPER_MLFR:
2221 case DLT_JUNIPER_MLPPP:
2222 case DLT_JUNIPER_ATM1:
2223 case DLT_JUNIPER_ATM2:
2224 case DLT_JUNIPER_PPPOE:
2225 case DLT_JUNIPER_PPPOE_ATM:
2226 case DLT_JUNIPER_GGSN:
2227 case DLT_JUNIPER_ES:
2228 case DLT_JUNIPER_MONITOR:
2229 case DLT_JUNIPER_SERVICES:
2230 /* just lets verify the magic number for now -
2231 * on ATM we may have up to 6 different encapsulations on the wire
2232 * and need a lot of heuristics to figure out that the payload
2233 * might be;
2234 *
2235 * FIXME encapsulation specific BPF_ filters
2236 */
2237 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
2238
2239 case DLT_LINUX_IRDA:
2240 bpf_error("IrDA link-layer type filtering not implemented");
2241
2242 case DLT_DOCSIS:
2243 bpf_error("DOCSIS link-layer type filtering not implemented");
2244
2245 case DLT_LINUX_LAPD:
2246 bpf_error("LAPD link-layer type filtering not implemented");
2247 }
2248
2249 /*
2250 * All the types that have no encapsulation should either be
2251 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
2252 * all packets are IP packets, or should be handled in some
2253 * special case, if none of them are (if some are and some
2254 * aren't, the lack of encapsulation is a problem, as we'd
2255 * have to find some other way of determining the packet type).
2256 *
2257 * Therefore, if "off_linktype" is -1, there's an error.
2258 */
2259 if (off_linktype == (u_int)-1)
2260 abort();
2261
2262 /*
2263 * Any type not handled above should always have an Ethernet
2264 * type at an offset of "off_linktype". (PPP is partially
2265 * handled above - the protocol type is mapped from the
2266 * Ethernet and LLC types we use internally to the corresponding
2267 * PPP type - but the PPP type is always specified by a value
2268 * at "off_linktype", so we don't have to do the code generation
2269 * above.)
2270 */
2271 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2272 }
2273
2274 /*
2275 * Check for an LLC SNAP packet with a given organization code and
2276 * protocol type; we check the entire contents of the 802.2 LLC and
2277 * snap headers, checking for DSAP and SSAP of SNAP and a control
2278 * field of 0x03 in the LLC header, and for the specified organization
2279 * code and protocol type in the SNAP header.
2280 */
2281 static struct block *
2282 gen_snap(orgcode, ptype, offset)
2283 bpf_u_int32 orgcode;
2284 bpf_u_int32 ptype;
2285 u_int offset;
2286 {
2287 u_char snapblock[8];
2288
2289 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
2290 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
2291 snapblock[2] = 0x03; /* control = UI */
2292 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
2293 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
2294 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
2295 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
2296 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
2297 return gen_bcmp(OR_LINK, offset, 8, snapblock);
2298 }
2299
2300 /*
2301 * Generate code to match a particular packet type, for link-layer types
2302 * using 802.2 LLC headers.
2303 *
2304 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
2305 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
2306 *
2307 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2308 * value, if <= ETHERMTU. We use that to determine whether to
2309 * match the DSAP or both DSAP and LSAP or to check the OUI and
2310 * protocol ID in a SNAP header.
2311 */
2312 static struct block *
2313 gen_llc_linktype(proto)
2314 int proto;
2315 {
2316 /*
2317 * XXX - handle token-ring variable-length header.
2318 */
2319 switch (proto) {
2320
2321 case LLCSAP_IP:
2322 case LLCSAP_ISONS:
2323 case LLCSAP_NETBEUI:
2324 /*
2325 * XXX - should we check both the DSAP and the
2326 * SSAP, like this, or should we check just the
2327 * DSAP, as we do for other types <= ETHERMTU
2328 * (i.e., other SAP values)?
2329 */
2330 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32)
2331 ((proto << 8) | proto));
2332
2333 case LLCSAP_IPX:
2334 /*
2335 * XXX - are there ever SNAP frames for IPX on
2336 * non-Ethernet 802.x networks?
2337 */
2338 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2339 (bpf_int32)LLCSAP_IPX);
2340
2341 case ETHERTYPE_ATALK:
2342 /*
2343 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2344 * SNAP packets with an organization code of
2345 * 0x080007 (Apple, for Appletalk) and a protocol
2346 * type of ETHERTYPE_ATALK (Appletalk).
2347 *
2348 * XXX - check for an organization code of
2349 * encapsulated Ethernet as well?
2350 */
2351 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
2352
2353 default:
2354 /*
2355 * XXX - we don't have to check for IPX 802.3
2356 * here, but should we check for the IPX Ethertype?
2357 */
2358 if (proto <= ETHERMTU) {
2359 /*
2360 * This is an LLC SAP value, so check
2361 * the DSAP.
2362 */
2363 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2364 (bpf_int32)proto);
2365 } else {
2366 /*
2367 * This is an Ethernet type; we assume that it's
2368 * unlikely that it'll appear in the right place
2369 * at random, and therefore check only the
2370 * location that would hold the Ethernet type
2371 * in a SNAP frame with an organization code of
2372 * 0x000000 (encapsulated Ethernet).
2373 *
2374 * XXX - if we were to check for the SNAP DSAP and
2375 * LSAP, as per XXX, and were also to check for an
2376 * organization code of 0x000000 (encapsulated
2377 * Ethernet), we'd do
2378 *
2379 * return gen_snap(0x000000, proto,
2380 * off_linktype);
2381 *
2382 * here; for now, we don't, as per the above.
2383 * I don't know whether it's worth the extra CPU
2384 * time to do the right check or not.
2385 */
2386 return gen_cmp(OR_LINK, off_linktype+6, BPF_H,
2387 (bpf_int32)proto);
2388 }
2389 }
2390 }
2391
2392 static struct block *
2393 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
2394 bpf_u_int32 addr;
2395 bpf_u_int32 mask;
2396 int dir, proto;
2397 u_int src_off, dst_off;
2398 {
2399 struct block *b0, *b1;
2400 u_int offset;
2401
2402 switch (dir) {
2403
2404 case Q_SRC:
2405 offset = src_off;
2406 break;
2407
2408 case Q_DST:
2409 offset = dst_off;
2410 break;
2411
2412 case Q_AND:
2413 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2414 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2415 gen_and(b0, b1);
2416 return b1;
2417
2418 case Q_OR:
2419 case Q_DEFAULT:
2420 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2421 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2422 gen_or(b0, b1);
2423 return b1;
2424
2425 default:
2426 abort();
2427 }
2428 b0 = gen_linktype(proto);
2429 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
2430 gen_and(b0, b1);
2431 return b1;
2432 }
2433
2434 #ifdef INET6
2435 static struct block *
2436 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
2437 struct in6_addr *addr;
2438 struct in6_addr *mask;
2439 int dir, proto;
2440 u_int src_off, dst_off;
2441 {
2442 struct block *b0, *b1;
2443 u_int offset;
2444 u_int32_t *a, *m;
2445
2446 switch (dir) {
2447
2448 case Q_SRC:
2449 offset = src_off;
2450 break;
2451
2452 case Q_DST:
2453 offset = dst_off;
2454 break;
2455
2456 case Q_AND:
2457 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2458 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2459 gen_and(b0, b1);
2460 return b1;
2461
2462 case Q_OR:
2463 case Q_DEFAULT:
2464 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2465 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2466 gen_or(b0, b1);
2467 return b1;
2468
2469 default:
2470 abort();
2471 }
2472 /* this order is important */
2473 a = (u_int32_t *)addr;
2474 m = (u_int32_t *)mask;
2475 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2476 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2477 gen_and(b0, b1);
2478 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2479 gen_and(b0, b1);
2480 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2481 gen_and(b0, b1);
2482 b0 = gen_linktype(proto);
2483 gen_and(b0, b1);
2484 return b1;
2485 }
2486 #endif /*INET6*/
2487
2488 static struct block *
2489 gen_ehostop(eaddr, dir)
2490 register const u_char *eaddr;
2491 register int dir;
2492 {
2493 register struct block *b0, *b1;
2494
2495 switch (dir) {
2496 case Q_SRC:
2497 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
2498
2499 case Q_DST:
2500 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
2501
2502 case Q_AND:
2503 b0 = gen_ehostop(eaddr, Q_SRC);
2504 b1 = gen_ehostop(eaddr, Q_DST);
2505 gen_and(b0, b1);
2506 return b1;
2507
2508 case Q_DEFAULT:
2509 case Q_OR:
2510 b0 = gen_ehostop(eaddr, Q_SRC);
2511 b1 = gen_ehostop(eaddr, Q_DST);
2512 gen_or(b0, b1);
2513 return b1;
2514 }
2515 abort();
2516 /* NOTREACHED */
2517 }
2518
2519 /*
2520 * Like gen_ehostop, but for DLT_FDDI
2521 */
2522 static struct block *
2523 gen_fhostop(eaddr, dir)
2524 register const u_char *eaddr;
2525 register int dir;
2526 {
2527 struct block *b0, *b1;
2528
2529 switch (dir) {
2530 case Q_SRC:
2531 #ifdef PCAP_FDDIPAD
2532 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
2533 #else
2534 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
2535 #endif
2536
2537 case Q_DST:
2538 #ifdef PCAP_FDDIPAD
2539 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
2540 #else
2541 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
2542 #endif
2543
2544 case Q_AND:
2545 b0 = gen_fhostop(eaddr, Q_SRC);
2546 b1 = gen_fhostop(eaddr, Q_DST);
2547 gen_and(b0, b1);
2548 return b1;
2549
2550 case Q_DEFAULT:
2551 case Q_OR:
2552 b0 = gen_fhostop(eaddr, Q_SRC);
2553 b1 = gen_fhostop(eaddr, Q_DST);
2554 gen_or(b0, b1);
2555 return b1;
2556 }
2557 abort();
2558 /* NOTREACHED */
2559 }
2560
2561 /*
2562 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2563 */
2564 static struct block *
2565 gen_thostop(eaddr, dir)
2566 register const u_char *eaddr;
2567 register int dir;
2568 {
2569 register struct block *b0, *b1;
2570
2571 switch (dir) {
2572 case Q_SRC:
2573 return gen_bcmp(OR_LINK, 8, 6, eaddr);
2574
2575 case Q_DST:
2576 return gen_bcmp(OR_LINK, 2, 6, eaddr);
2577
2578 case Q_AND:
2579 b0 = gen_thostop(eaddr, Q_SRC);
2580 b1 = gen_thostop(eaddr, Q_DST);
2581 gen_and(b0, b1);
2582 return b1;
2583
2584 case Q_DEFAULT:
2585 case Q_OR:
2586 b0 = gen_thostop(eaddr, Q_SRC);
2587 b1 = gen_thostop(eaddr, Q_DST);
2588 gen_or(b0, b1);
2589 return b1;
2590 }
2591 abort();
2592 /* NOTREACHED */
2593 }
2594
2595 /*
2596 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2597 */
2598 static struct block *
2599 gen_wlanhostop(eaddr, dir)
2600 register const u_char *eaddr;
2601 register int dir;
2602 {
2603 register struct block *b0, *b1, *b2;
2604 register struct slist *s;
2605
2606 switch (dir) {
2607 case Q_SRC:
2608 /*
2609 * Oh, yuk.
2610 *
2611 * For control frames, there is no SA.
2612 *
2613 * For management frames, SA is at an
2614 * offset of 10 from the beginning of
2615 * the packet.
2616 *
2617 * For data frames, SA is at an offset
2618 * of 10 from the beginning of the packet
2619 * if From DS is clear, at an offset of
2620 * 16 from the beginning of the packet
2621 * if From DS is set and To DS is clear,
2622 * and an offset of 24 from the beginning
2623 * of the packet if From DS is set and To DS
2624 * is set.
2625 */
2626
2627 /*
2628 * Generate the tests to be done for data frames
2629 * with From DS set.
2630 *
2631 * First, check for To DS set, i.e. check "link[1] & 0x01".
2632 */
2633 s = gen_load_a(OR_LINK, 1, BPF_B);
2634 b1 = new_block(JMP(BPF_JSET));
2635 b1->s.k = 0x01; /* To DS */
2636 b1->stmts = s;
2637
2638 /*
2639 * If To DS is set, the SA is at 24.
2640 */
2641 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
2642 gen_and(b1, b0);
2643
2644 /*
2645 * Now, check for To DS not set, i.e. check
2646 * "!(link[1] & 0x01)".
2647 */
2648 s = gen_load_a(OR_LINK, 1, BPF_B);
2649 b2 = new_block(JMP(BPF_JSET));
2650 b2->s.k = 0x01; /* To DS */
2651 b2->stmts = s;
2652 gen_not(b2);
2653
2654 /*
2655 * If To DS is not set, the SA is at 16.
2656 */
2657 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
2658 gen_and(b2, b1);
2659
2660 /*
2661 * Now OR together the last two checks. That gives
2662 * the complete set of checks for data frames with
2663 * From DS set.
2664 */
2665 gen_or(b1, b0);
2666
2667 /*
2668 * Now check for From DS being set, and AND that with
2669 * the ORed-together checks.
2670 */
2671 s = gen_load_a(OR_LINK, 1, BPF_B);
2672 b1 = new_block(JMP(BPF_JSET));
2673 b1->s.k = 0x02; /* From DS */
2674 b1->stmts = s;
2675 gen_and(b1, b0);
2676
2677 /*
2678 * Now check for data frames with From DS not set.
2679 */
2680 s = gen_load_a(OR_LINK, 1, BPF_B);
2681 b2 = new_block(JMP(BPF_JSET));
2682 b2->s.k = 0x02; /* From DS */
2683 b2->stmts = s;
2684 gen_not(b2);
2685
2686 /*
2687 * If From DS isn't set, the SA is at 10.
2688 */
2689 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
2690 gen_and(b2, b1);
2691
2692 /*
2693 * Now OR together the checks for data frames with
2694 * From DS not set and for data frames with From DS
2695 * set; that gives the checks done for data frames.
2696 */
2697 gen_or(b1, b0);
2698
2699 /*
2700 * Now check for a data frame.
2701 * I.e, check "link[0] & 0x08".
2702 */
2703 gen_load_a(OR_LINK, 0, BPF_B);
2704 b1 = new_block(JMP(BPF_JSET));
2705 b1->s.k = 0x08;
2706 b1->stmts = s;
2707
2708 /*
2709 * AND that with the checks done for data frames.
2710 */
2711 gen_and(b1, b0);
2712
2713 /*
2714 * If the high-order bit of the type value is 0, this
2715 * is a management frame.
2716 * I.e, check "!(link[0] & 0x08)".
2717 */
2718 s = gen_load_a(OR_LINK, 0, BPF_B);
2719 b2 = new_block(JMP(BPF_JSET));
2720 b2->s.k = 0x08;
2721 b2->stmts = s;
2722 gen_not(b2);
2723
2724 /*
2725 * For management frames, the SA is at 10.
2726 */
2727 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
2728 gen_and(b2, b1);
2729
2730 /*
2731 * OR that with the checks done for data frames.
2732 * That gives the checks done for management and
2733 * data frames.
2734 */
2735 gen_or(b1, b0);
2736
2737 /*
2738 * If the low-order bit of the type value is 1,
2739 * this is either a control frame or a frame
2740 * with a reserved type, and thus not a
2741 * frame with an SA.
2742 *
2743 * I.e., check "!(link[0] & 0x04)".
2744 */
2745 s = gen_load_a(OR_LINK, 0, BPF_B);
2746 b1 = new_block(JMP(BPF_JSET));
2747 b1->s.k = 0x04;
2748 b1->stmts = s;
2749 gen_not(b1);
2750
2751 /*
2752 * AND that with the checks for data and management
2753 * frames.
2754 */
2755 gen_and(b1, b0);
2756 return b0;
2757
2758 case Q_DST:
2759 /*
2760 * Oh, yuk.
2761 *
2762 * For control frames, there is no DA.
2763 *
2764 * For management frames, DA is at an
2765 * offset of 4 from the beginning of
2766 * the packet.
2767 *
2768 * For data frames, DA is at an offset
2769 * of 4 from the beginning of the packet
2770 * if To DS is clear and at an offset of
2771 * 16 from the beginning of the packet
2772 * if To DS is set.
2773 */
2774
2775 /*
2776 * Generate the tests to be done for data frames.
2777 *
2778 * First, check for To DS set, i.e. "link[1] & 0x01".
2779 */
2780 s = gen_load_a(OR_LINK, 1, BPF_B);
2781 b1 = new_block(JMP(BPF_JSET));
2782 b1->s.k = 0x01; /* To DS */
2783 b1->stmts = s;
2784
2785 /*
2786 * If To DS is set, the DA is at 16.
2787 */
2788 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
2789 gen_and(b1, b0);
2790
2791 /*
2792 * Now, check for To DS not set, i.e. check
2793 * "!(link[1] & 0x01)".
2794 */
2795 s = gen_load_a(OR_LINK, 1, BPF_B);
2796 b2 = new_block(JMP(BPF_JSET));
2797 b2->s.k = 0x01; /* To DS */
2798 b2->stmts = s;
2799 gen_not(b2);
2800
2801 /*
2802 * If To DS is not set, the DA is at 4.
2803 */
2804 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
2805 gen_and(b2, b1);
2806
2807 /*
2808 * Now OR together the last two checks. That gives
2809 * the complete set of checks for data frames.
2810 */
2811 gen_or(b1, b0);
2812
2813 /*
2814 * Now check for a data frame.
2815 * I.e, check "link[0] & 0x08".
2816 */
2817 s = gen_load_a(OR_LINK, 0, BPF_B);
2818 b1 = new_block(JMP(BPF_JSET));
2819 b1->s.k = 0x08;
2820 b1->stmts = s;
2821
2822 /*
2823 * AND that with the checks done for data frames.
2824 */
2825 gen_and(b1, b0);
2826
2827 /*
2828 * If the high-order bit of the type value is 0, this
2829 * is a management frame.
2830 * I.e, check "!(link[0] & 0x08)".
2831 */
2832 s = gen_load_a(OR_LINK, 0, BPF_B);
2833 b2 = new_block(JMP(BPF_JSET));
2834 b2->s.k = 0x08;
2835 b2->stmts = s;
2836 gen_not(b2);
2837
2838 /*
2839 * For management frames, the DA is at 4.
2840 */
2841 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
2842 gen_and(b2, b1);
2843
2844 /*
2845 * OR that with the checks done for data frames.
2846 * That gives the checks done for management and
2847 * data frames.
2848 */
2849 gen_or(b1, b0);
2850
2851 /*
2852 * If the low-order bit of the type value is 1,
2853 * this is either a control frame or a frame
2854 * with a reserved type, and thus not a
2855 * frame with an SA.
2856 *
2857 * I.e., check "!(link[0] & 0x04)".
2858 */
2859 s = gen_load_a(OR_LINK, 0, BPF_B);
2860 b1 = new_block(JMP(BPF_JSET));
2861 b1->s.k = 0x04;
2862 b1->stmts = s;
2863 gen_not(b1);
2864
2865 /*
2866 * AND that with the checks for data and management
2867 * frames.
2868 */
2869 gen_and(b1, b0);
2870 return b0;
2871
2872 case Q_AND:
2873 b0 = gen_wlanhostop(eaddr, Q_SRC);
2874 b1 = gen_wlanhostop(eaddr, Q_DST);
2875 gen_and(b0, b1);
2876 return b1;
2877
2878 case Q_DEFAULT:
2879 case Q_OR:
2880 b0 = gen_wlanhostop(eaddr, Q_SRC);
2881 b1 = gen_wlanhostop(eaddr, Q_DST);
2882 gen_or(b0, b1);
2883 return b1;
2884 }
2885 abort();
2886 /* NOTREACHED */
2887 }
2888
2889 /*
2890 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
2891 * (We assume that the addresses are IEEE 48-bit MAC addresses,
2892 * as the RFC states.)
2893 */
2894 static struct block *
2895 gen_ipfchostop(eaddr, dir)
2896 register const u_char *eaddr;
2897 register int dir;
2898 {
2899 register struct block *b0, *b1;
2900
2901 switch (dir) {
2902 case Q_SRC:
2903 return gen_bcmp(OR_LINK, 10, 6, eaddr);
2904
2905 case Q_DST:
2906 return gen_bcmp(OR_LINK, 2, 6, eaddr);
2907
2908 case Q_AND:
2909 b0 = gen_ipfchostop(eaddr, Q_SRC);
2910 b1 = gen_ipfchostop(eaddr, Q_DST);
2911 gen_and(b0, b1);
2912 return b1;
2913
2914 case Q_DEFAULT:
2915 case Q_OR:
2916 b0 = gen_ipfchostop(eaddr, Q_SRC);
2917 b1 = gen_ipfchostop(eaddr, Q_DST);
2918 gen_or(b0, b1);
2919 return b1;
2920 }
2921 abort();
2922 /* NOTREACHED */
2923 }
2924
2925 /*
2926 * This is quite tricky because there may be pad bytes in front of the
2927 * DECNET header, and then there are two possible data packet formats that
2928 * carry both src and dst addresses, plus 5 packet types in a format that
2929 * carries only the src node, plus 2 types that use a different format and
2930 * also carry just the src node.
2931 *
2932 * Yuck.
2933 *
2934 * Instead of doing those all right, we just look for data packets with
2935 * 0 or 1 bytes of padding. If you want to look at other packets, that
2936 * will require a lot more hacking.
2937 *
2938 * To add support for filtering on DECNET "areas" (network numbers)
2939 * one would want to add a "mask" argument to this routine. That would
2940 * make the filter even more inefficient, although one could be clever
2941 * and not generate masking instructions if the mask is 0xFFFF.
2942 */
2943 static struct block *
2944 gen_dnhostop(addr, dir)
2945 bpf_u_int32 addr;
2946 int dir;
2947 {
2948 struct block *b0, *b1, *b2, *tmp;
2949 u_int offset_lh; /* offset if long header is received */
2950 u_int offset_sh; /* offset if short header is received */
2951
2952 switch (dir) {
2953
2954 case Q_DST:
2955 offset_sh = 1; /* follows flags */
2956 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
2957 break;
2958
2959 case Q_SRC:
2960 offset_sh = 3; /* follows flags, dstnode */
2961 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
2962 break;
2963
2964 case Q_AND:
2965 /* Inefficient because we do our Calvinball dance twice */
2966 b0 = gen_dnhostop(addr, Q_SRC);
2967 b1 = gen_dnhostop(addr, Q_DST);
2968 gen_and(b0, b1);
2969 return b1;
2970
2971 case Q_OR:
2972 case Q_DEFAULT:
2973 /* Inefficient because we do our Calvinball dance twice */
2974 b0 = gen_dnhostop(addr, Q_SRC);
2975 b1 = gen_dnhostop(addr, Q_DST);
2976 gen_or(b0, b1);
2977 return b1;
2978
2979 case Q_ISO:
2980 bpf_error("ISO host filtering not implemented");
2981
2982 default:
2983 abort();
2984 }
2985 b0 = gen_linktype(ETHERTYPE_DN);
2986 /* Check for pad = 1, long header case */
2987 tmp = gen_mcmp(OR_NET, 2, BPF_H,
2988 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
2989 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
2990 BPF_H, (bpf_int32)ntohs(addr));
2991 gen_and(tmp, b1);
2992 /* Check for pad = 0, long header case */
2993 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
2994 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
2995 gen_and(tmp, b2);
2996 gen_or(b2, b1);
2997 /* Check for pad = 1, short header case */
2998 tmp = gen_mcmp(OR_NET, 2, BPF_H,
2999 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
3000 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
3001 gen_and(tmp, b2);
3002 gen_or(b2, b1);
3003 /* Check for pad = 0, short header case */
3004 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
3005 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
3006 gen_and(tmp, b2);
3007 gen_or(b2, b1);
3008
3009 /* Combine with test for linktype */
3010 gen_and(b0, b1);
3011 return b1;
3012 }
3013
3014 static struct block *
3015 gen_host(addr, mask, proto, dir)
3016 bpf_u_int32 addr;
3017 bpf_u_int32 mask;
3018 int proto;
3019 int dir;
3020 {
3021 struct block *b0, *b1;
3022
3023 switch (proto) {
3024
3025 case Q_DEFAULT:
3026 b0 = gen_host(addr, mask, Q_IP, dir);
3027 if (off_linktype != (u_int)-1) {
3028 b1 = gen_host(addr, mask, Q_ARP, dir);
3029 gen_or(b0, b1);
3030 b0 = gen_host(addr, mask, Q_RARP, dir);
3031 gen_or(b1, b0);
3032 }
3033 return b0;
3034
3035 case Q_IP:
3036 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
3037
3038 case Q_RARP:
3039 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
3040
3041 case Q_ARP:
3042 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
3043
3044 case Q_TCP:
3045 bpf_error("'tcp' modifier applied to host");
3046
3047 case Q_SCTP:
3048 bpf_error("'sctp' modifier applied to host");
3049
3050 case Q_UDP:
3051 bpf_error("'udp' modifier applied to host");
3052
3053 case Q_ICMP:
3054 bpf_error("'icmp' modifier applied to host");
3055
3056 case Q_IGMP:
3057 bpf_error("'igmp' modifier applied to host");
3058
3059 case Q_IGRP:
3060 bpf_error("'igrp' modifier applied to host");
3061
3062 case Q_PIM:
3063 bpf_error("'pim' modifier applied to host");
3064
3065 case Q_VRRP:
3066 bpf_error("'vrrp' modifier applied to host");
3067
3068 case Q_ATALK:
3069 bpf_error("ATALK host filtering not implemented");
3070
3071 case Q_AARP:
3072 bpf_error("AARP host filtering not implemented");
3073
3074 case Q_DECNET:
3075 return gen_dnhostop(addr, dir);
3076
3077 case Q_SCA:
3078 bpf_error("SCA host filtering not implemented");
3079
3080 case Q_LAT:
3081 bpf_error("LAT host filtering not implemented");
3082
3083 case Q_MOPDL:
3084 bpf_error("MOPDL host filtering not implemented");
3085
3086 case Q_MOPRC:
3087 bpf_error("MOPRC host filtering not implemented");
3088
3089 #ifdef INET6
3090 case Q_IPV6:
3091 bpf_error("'ip6' modifier applied to ip host");
3092
3093 case Q_ICMPV6:
3094 bpf_error("'icmp6' modifier applied to host");
3095 #endif /* INET6 */
3096
3097 case Q_AH:
3098 bpf_error("'ah' modifier applied to host");
3099
3100 case Q_ESP:
3101 bpf_error("'esp' modifier applied to host");
3102
3103 case Q_ISO:
3104 bpf_error("ISO host filtering not implemented");
3105
3106 case Q_ESIS:
3107 bpf_error("'esis' modifier applied to host");
3108
3109 case Q_ISIS:
3110 bpf_error("'isis' modifier applied to host");
3111
3112 case Q_CLNP:
3113 bpf_error("'clnp' modifier applied to host");
3114
3115 case Q_STP:
3116 bpf_error("'stp' modifier applied to host");
3117
3118 case Q_IPX:
3119 bpf_error("IPX host filtering not implemented");
3120
3121 case Q_NETBEUI:
3122 bpf_error("'netbeui' modifier applied to host");
3123
3124 case Q_RADIO:
3125 bpf_error("'radio' modifier applied to host");
3126
3127 default:
3128 abort();
3129 }
3130 /* NOTREACHED */
3131 }
3132
3133 #ifdef INET6
3134 static struct block *
3135 gen_host6(addr, mask, proto, dir)
3136 struct in6_addr *addr;
3137 struct in6_addr *mask;
3138 int proto;
3139 int dir;
3140 {
3141 switch (proto) {
3142
3143 case Q_DEFAULT:
3144 return gen_host6(addr, mask, Q_IPV6, dir);
3145
3146 case Q_IP:
3147 bpf_error("'ip' modifier applied to ip6 host");
3148
3149 case Q_RARP:
3150 bpf_error("'rarp' modifier applied to ip6 host");
3151
3152 case Q_ARP:
3153 bpf_error("'arp' modifier applied to ip6 host");
3154
3155 case Q_SCTP:
3156 bpf_error("'sctp' modifier applied to host");
3157
3158 case Q_TCP:
3159 bpf_error("'tcp' modifier applied to host");
3160
3161 case Q_UDP:
3162 bpf_error("'udp' modifier applied to host");
3163
3164 case Q_ICMP:
3165 bpf_error("'icmp' modifier applied to host");
3166
3167 case Q_IGMP:
3168 bpf_error("'igmp' modifier applied to host");
3169
3170 case Q_IGRP:
3171 bpf_error("'igrp' modifier applied to host");
3172
3173 case Q_PIM:
3174 bpf_error("'pim' modifier applied to host");
3175
3176 case Q_VRRP:
3177 bpf_error("'vrrp' modifier applied to host");
3178
3179 case Q_ATALK:
3180 bpf_error("ATALK host filtering not implemented");
3181
3182 case Q_AARP:
3183 bpf_error("AARP host filtering not implemented");
3184
3185 case Q_DECNET:
3186 bpf_error("'decnet' modifier applied to ip6 host");
3187
3188 case Q_SCA:
3189 bpf_error("SCA host filtering not implemented");
3190
3191 case Q_LAT:
3192 bpf_error("LAT host filtering not implemented");
3193
3194 case Q_MOPDL:
3195 bpf_error("MOPDL host filtering not implemented");
3196
3197 case Q_MOPRC:
3198 bpf_error("MOPRC host filtering not implemented");
3199
3200 case Q_IPV6:
3201 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
3202
3203 case Q_ICMPV6:
3204 bpf_error("'icmp6' modifier applied to host");
3205
3206 case Q_AH:
3207 bpf_error("'ah' modifier applied to host");
3208
3209 case Q_ESP:
3210 bpf_error("'esp' modifier applied to host");
3211
3212 case Q_ISO:
3213 bpf_error("ISO host filtering not implemented");
3214
3215 case Q_ESIS:
3216 bpf_error("'esis' modifier applied to host");
3217
3218 case Q_ISIS:
3219 bpf_error("'isis' modifier applied to host");
3220
3221 case Q_CLNP:
3222 bpf_error("'clnp' modifier applied to host");
3223
3224 case Q_STP:
3225 bpf_error("'stp' modifier applied to host");
3226
3227 case Q_IPX:
3228 bpf_error("IPX host filtering not implemented");
3229
3230 case Q_NETBEUI:
3231 bpf_error("'netbeui' modifier applied to host");
3232
3233 case Q_RADIO:
3234 bpf_error("'radio' modifier applied to host");
3235
3236 default:
3237 abort();
3238 }
3239 /* NOTREACHED */
3240 }
3241 #endif /*INET6*/
3242
3243 #ifndef INET6
3244 static struct block *
3245 gen_gateway(eaddr, alist, proto, dir)
3246 const u_char *eaddr;
3247 bpf_u_int32 **alist;
3248 int proto;
3249 int dir;
3250 {
3251 struct block *b0, *b1, *tmp;
3252
3253 if (dir != 0)
3254 bpf_error("direction applied to 'gateway'");
3255
3256 switch (proto) {
3257 case Q_DEFAULT:
3258 case Q_IP:
3259 case Q_ARP:
3260 case Q_RARP:
3261 if (linktype == DLT_EN10MB)
3262 b0 = gen_ehostop(eaddr, Q_OR);
3263 else if (linktype == DLT_FDDI)
3264 b0 = gen_fhostop(eaddr, Q_OR);
3265 else if (linktype == DLT_IEEE802)
3266 b0 = gen_thostop(eaddr, Q_OR);
3267 else if (linktype == DLT_IEEE802_11 ||
3268 linktype == DLT_IEEE802_11_RADIO_AVS ||
3269 linktype == DLT_IEEE802_11_RADIO ||
3270 linktype == DLT_PRISM_HEADER)
3271 b0 = gen_wlanhostop(eaddr, Q_OR);
3272 else if (linktype == DLT_SUNATM && is_lane) {
3273 /*
3274 * Check that the packet doesn't begin with an
3275 * LE Control marker. (We've already generated
3276 * a test for LANE.)
3277 */
3278 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3279 0xFF00);
3280 gen_not(b1);
3281
3282 /*
3283 * Now check the MAC address.
3284 */
3285 b0 = gen_ehostop(eaddr, Q_OR);
3286 gen_and(b1, b0);
3287 } else if (linktype == DLT_IP_OVER_FC)
3288 b0 = gen_ipfchostop(eaddr, Q_OR);
3289 else
3290 bpf_error(
3291 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
3292
3293 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
3294 while (*alist) {
3295 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
3296 gen_or(b1, tmp);
3297 b1 = tmp;
3298 }
3299 gen_not(b1);
3300 gen_and(b0, b1);
3301 return b1;
3302 }
3303 bpf_error("illegal modifier of 'gateway'");
3304 /* NOTREACHED */
3305 }
3306 #endif
3307
3308 struct block *
3309 gen_proto_abbrev(proto)
3310 int proto;
3311 {
3312 struct block *b0;
3313 struct block *b1;
3314
3315 switch (proto) {
3316
3317 case Q_SCTP:
3318 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
3319 #ifdef INET6
3320 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
3321 gen_or(b0, b1);
3322 #endif
3323 break;
3324
3325 case Q_TCP:
3326 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
3327 #ifdef INET6
3328 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
3329 gen_or(b0, b1);
3330 #endif
3331 break;
3332
3333 case Q_UDP:
3334 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
3335 #ifdef INET6
3336 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
3337 gen_or(b0, b1);
3338 #endif
3339 break;
3340
3341 case Q_ICMP:
3342 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
3343 break;
3344
3345 #ifndef IPPROTO_IGMP
3346 #define IPPROTO_IGMP 2
3347 #endif
3348
3349 case Q_IGMP:
3350 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
3351 break;
3352
3353 #ifndef IPPROTO_IGRP
3354 #define IPPROTO_IGRP 9
3355 #endif
3356 case Q_IGRP:
3357 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
3358 break;
3359
3360 #ifndef IPPROTO_PIM
3361 #define IPPROTO_PIM 103
3362 #endif
3363
3364 case Q_PIM:
3365 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
3366 #ifdef INET6
3367 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
3368 gen_or(b0, b1);
3369 #endif
3370 break;
3371
3372 #ifndef IPPROTO_VRRP
3373 #define IPPROTO_VRRP 112
3374 #endif
3375
3376 case Q_VRRP:
3377 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
3378 break;
3379
3380 case Q_IP:
3381 b1 = gen_linktype(ETHERTYPE_IP);
3382 break;
3383
3384 case Q_ARP:
3385 b1 = gen_linktype(ETHERTYPE_ARP);
3386 break;
3387
3388 case Q_RARP:
3389 b1 = gen_linktype(ETHERTYPE_REVARP);
3390 break;
3391
3392 case Q_LINK:
3393 bpf_error("link layer applied in wrong context");
3394
3395 case Q_ATALK:
3396 b1 = gen_linktype(ETHERTYPE_ATALK);
3397 break;
3398
3399 case Q_AARP:
3400 b1 = gen_linktype(ETHERTYPE_AARP);
3401 break;
3402
3403 case Q_DECNET:
3404 b1 = gen_linktype(ETHERTYPE_DN);
3405 break;
3406
3407 case Q_SCA:
3408 b1 = gen_linktype(ETHERTYPE_SCA);
3409 break;
3410
3411 case Q_LAT:
3412 b1 = gen_linktype(ETHERTYPE_LAT);
3413 break;
3414
3415 case Q_MOPDL:
3416 b1 = gen_linktype(ETHERTYPE_MOPDL);
3417 break;
3418
3419 case Q_MOPRC:
3420 b1 = gen_linktype(ETHERTYPE_MOPRC);
3421 break;
3422
3423 #ifdef INET6
3424 case Q_IPV6:
3425 b1 = gen_linktype(ETHERTYPE_IPV6);
3426 break;
3427
3428 #ifndef IPPROTO_ICMPV6
3429 #define IPPROTO_ICMPV6 58
3430 #endif
3431 case Q_ICMPV6:
3432 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
3433 break;
3434 #endif /* INET6 */
3435
3436 #ifndef IPPROTO_AH
3437 #define IPPROTO_AH 51
3438 #endif
3439 case Q_AH:
3440 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
3441 #ifdef INET6
3442 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
3443 gen_or(b0, b1);
3444 #endif
3445 break;
3446
3447 #ifndef IPPROTO_ESP
3448 #define IPPROTO_ESP 50
3449 #endif
3450 case Q_ESP:
3451 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3452 #ifdef INET6
3453 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3454 gen_or(b0, b1);
3455 #endif
3456 break;
3457
3458 case Q_ISO:
3459 b1 = gen_linktype(LLCSAP_ISONS);
3460 break;
3461
3462 case Q_ESIS:
3463 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3464 break;
3465
3466 case Q_ISIS:
3467 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3468 break;
3469
3470 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3471 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3472 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3473 gen_or(b0, b1);
3474 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3475 gen_or(b0, b1);
3476 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3477 gen_or(b0, b1);
3478 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3479 gen_or(b0, b1);
3480 break;
3481
3482 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3483 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3484 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3485 gen_or(b0, b1);
3486 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3487 gen_or(b0, b1);
3488 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3489 gen_or(b0, b1);
3490 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3491 gen_or(b0, b1);
3492 break;
3493
3494 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3495 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3496 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3497 gen_or(b0, b1);
3498 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3499 gen_or(b0, b1);
3500 break;
3501
3502 case Q_ISIS_LSP:
3503 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3504 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3505 gen_or(b0, b1);
3506 break;
3507
3508 case Q_ISIS_SNP:
3509 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3510 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3511 gen_or(b0, b1);
3512 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3513 gen_or(b0, b1);
3514 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3515 gen_or(b0, b1);
3516 break;
3517
3518 case Q_ISIS_CSNP:
3519 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3520 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3521 gen_or(b0, b1);
3522 break;
3523
3524 case Q_ISIS_PSNP:
3525 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3526 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3527 gen_or(b0, b1);
3528 break;
3529
3530 case Q_CLNP:
3531 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3532 break;
3533
3534 case Q_STP:
3535 b1 = gen_linktype(LLCSAP_8021D);
3536 break;
3537
3538 case Q_IPX:
3539 b1 = gen_linktype(LLCSAP_IPX);
3540 break;
3541
3542 case Q_NETBEUI:
3543 b1 = gen_linktype(LLCSAP_NETBEUI);
3544 break;
3545
3546 case Q_RADIO:
3547 bpf_error("'radio' is not a valid protocol type");
3548
3549 default:
3550 abort();
3551 }
3552 return b1;
3553 }
3554
3555 static struct block *
3556 gen_ipfrag()
3557 {
3558 struct slist *s;
3559 struct block *b;
3560
3561 /* not ip frag */
3562 s = gen_load_a(OR_NET, 6, BPF_H);
3563 b = new_block(JMP(BPF_JSET));
3564 b->s.k = 0x1fff;
3565 b->stmts = s;
3566 gen_not(b);
3567
3568 return b;
3569 }
3570
3571 /*
3572 * Generate a comparison to a port value in the transport-layer header
3573 * at the specified offset from the beginning of that header.
3574 *
3575 * XXX - this handles a variable-length prefix preceding the link-layer
3576 * header, such as the radiotap or AVS radio prefix, but doesn't handle
3577 * variable-length link-layer headers (such as Token Ring or 802.11
3578 * headers).
3579 */
3580 static struct block *
3581 gen_portatom(off, v)
3582 int off;
3583 bpf_int32 v;
3584 {
3585 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
3586 }
3587
3588 #ifdef INET6
3589 static struct block *
3590 gen_portatom6(off, v)
3591 int off;
3592 bpf_int32 v;
3593 {
3594 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
3595 }
3596 #endif/*INET6*/
3597
3598 struct block *
3599 gen_portop(port, proto, dir)
3600 int port, proto, dir;
3601 {
3602 struct block *b0, *b1, *tmp;
3603
3604 /* ip proto 'proto' */
3605 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
3606 b0 = gen_ipfrag();
3607 gen_and(tmp, b0);
3608
3609 switch (dir) {
3610 case Q_SRC:
3611 b1 = gen_portatom(0, (bpf_int32)port);
3612 break;
3613
3614 case Q_DST:
3615 b1 = gen_portatom(2, (bpf_int32)port);
3616 break;
3617
3618 case Q_OR:
3619 case Q_DEFAULT:
3620 tmp = gen_portatom(0, (bpf_int32)port);
3621 b1 = gen_portatom(2, (bpf_int32)port);
3622 gen_or(tmp, b1);
3623 break;
3624
3625 case Q_AND:
3626 tmp = gen_portatom(0, (bpf_int32)port);
3627 b1 = gen_portatom(2, (bpf_int32)port);
3628 gen_and(tmp, b1);
3629 break;
3630
3631 default:
3632 abort();
3633 }
3634 gen_and(b0, b1);
3635
3636 return b1;
3637 }
3638
3639 static struct block *
3640 gen_port(port, ip_proto, dir)
3641 int port;
3642 int ip_proto;
3643 int dir;
3644 {
3645 struct block *b0, *b1, *tmp;
3646
3647 /*
3648 * ether proto ip
3649 *
3650 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3651 * not LLC encapsulation with LLCSAP_IP.
3652 *
3653 * For IEEE 802 networks - which includes 802.5 token ring
3654 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3655 * says that SNAP encapsulation is used, not LLC encapsulation
3656 * with LLCSAP_IP.
3657 *
3658 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3659 * RFC 2225 say that SNAP encapsulation is used, not LLC
3660 * encapsulation with LLCSAP_IP.
3661 *
3662 * So we always check for ETHERTYPE_IP.
3663 */
3664 b0 = gen_linktype(ETHERTYPE_IP);
3665
3666 switch (ip_proto) {
3667 case IPPROTO_UDP:
3668 case IPPROTO_TCP:
3669 case IPPROTO_SCTP:
3670 b1 = gen_portop(port, ip_proto, dir);
3671 break;
3672
3673 case PROTO_UNDEF:
3674 tmp = gen_portop(port, IPPROTO_TCP, dir);
3675 b1 = gen_portop(port, IPPROTO_UDP, dir);
3676 gen_or(tmp, b1);
3677 tmp = gen_portop(port, IPPROTO_SCTP, dir);
3678 gen_or(tmp, b1);
3679 break;
3680
3681 default:
3682 abort();
3683 }
3684 gen_and(b0, b1);
3685 return b1;
3686 }
3687
3688 #ifdef INET6
3689 struct block *
3690 gen_portop6(port, proto, dir)
3691 int port, proto, dir;
3692 {
3693 struct block *b0, *b1, *tmp;
3694
3695 /* ip6 proto 'proto' */
3696 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
3697
3698 switch (dir) {
3699 case Q_SRC:
3700 b1 = gen_portatom6(0, (bpf_int32)port);
3701 break;
3702
3703 case Q_DST:
3704 b1 = gen_portatom6(2, (bpf_int32)port);
3705 break;
3706
3707 case Q_OR:
3708 case Q_DEFAULT:
3709 tmp = gen_portatom6(0, (bpf_int32)port);
3710 b1 = gen_portatom6(2, (bpf_int32)port);
3711 gen_or(tmp, b1);
3712 break;
3713
3714 case Q_AND:
3715 tmp = gen_portatom6(0, (bpf_int32)port);
3716 b1 = gen_portatom6(2, (bpf_int32)port);
3717 gen_and(tmp, b1);
3718 break;
3719
3720 default:
3721 abort();
3722 }
3723 gen_and(b0, b1);
3724
3725 return b1;
3726 }
3727
3728 static struct block *
3729 gen_port6(port, ip_proto, dir)
3730 int port;
3731 int ip_proto;
3732 int dir;
3733 {
3734 struct block *b0, *b1, *tmp;
3735
3736 /* link proto ip6 */
3737 b0 = gen_linktype(ETHERTYPE_IPV6);
3738
3739 switch (ip_proto) {
3740 case IPPROTO_UDP:
3741 case IPPROTO_TCP:
3742 case IPPROTO_SCTP:
3743 b1 = gen_portop6(port, ip_proto, dir);
3744 break;
3745
3746 case PROTO_UNDEF:
3747 tmp = gen_portop6(port, IPPROTO_TCP, dir);
3748 b1 = gen_portop6(port, IPPROTO_UDP, dir);
3749 gen_or(tmp, b1);
3750 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
3751 gen_or(tmp, b1);
3752 break;
3753
3754 default:
3755 abort();
3756 }
3757 gen_and(b0, b1);
3758 return b1;
3759 }
3760 #endif /* INET6 */
3761
3762 /* gen_portrange code */
3763 static struct block *
3764 gen_portrangeatom(off, v1, v2)
3765 int off;
3766 bpf_int32 v1, v2;
3767 {
3768 struct block *b1, *b2;
3769
3770 if (v1 > v2) {
3771 /*
3772 * Reverse the order of the ports, so v1 is the lower one.
3773 */
3774 bpf_int32 vtemp;
3775
3776 vtemp = v1;
3777 v1 = v2;
3778 v2 = vtemp;
3779 }
3780
3781 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
3782 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
3783
3784 gen_and(b1, b2);
3785
3786 return b2;
3787 }
3788
3789 struct block *
3790 gen_portrangeop(port1, port2, proto, dir)
3791 int port1, port2;
3792 int proto;
3793 int dir;
3794 {
3795 struct block *b0, *b1, *tmp;
3796
3797 /* ip proto 'proto' */
3798 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
3799 b0 = gen_ipfrag();
3800 gen_and(tmp, b0);
3801
3802 switch (dir) {
3803 case Q_SRC:
3804 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3805 break;
3806
3807 case Q_DST:
3808 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3809 break;
3810
3811 case Q_OR:
3812 case Q_DEFAULT:
3813 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3814 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3815 gen_or(tmp, b1);
3816 break;
3817
3818 case Q_AND:
3819 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3820 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3821 gen_and(tmp, b1);
3822 break;
3823
3824 default:
3825 abort();
3826 }
3827 gen_and(b0, b1);
3828
3829 return b1;
3830 }
3831
3832 static struct block *
3833 gen_portrange(port1, port2, ip_proto, dir)
3834 int port1, port2;
3835 int ip_proto;
3836 int dir;
3837 {
3838 struct block *b0, *b1, *tmp;
3839
3840 /* link proto ip */
3841 b0 = gen_linktype(ETHERTYPE_IP);
3842
3843 switch (ip_proto) {
3844 case IPPROTO_UDP:
3845 case IPPROTO_TCP:
3846 case IPPROTO_SCTP:
3847 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
3848 break;
3849
3850 case PROTO_UNDEF:
3851 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
3852 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
3853 gen_or(tmp, b1);
3854 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
3855 gen_or(tmp, b1);
3856 break;
3857
3858 default:
3859 abort();
3860 }
3861 gen_and(b0, b1);
3862 return b1;
3863 }
3864
3865 #ifdef INET6
3866 static struct block *
3867 gen_portrangeatom6(off, v1, v2)
3868 int off;
3869 bpf_int32 v1, v2;
3870 {
3871 struct block *b1, *b2;
3872
3873 if (v1 > v2) {
3874 /*
3875 * Reverse the order of the ports, so v1 is the lower one.
3876 */
3877 bpf_int32 vtemp;
3878
3879 vtemp = v1;
3880 v1 = v2;
3881 v2 = vtemp;
3882 }
3883
3884 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
3885 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
3886
3887 gen_and(b1, b2);
3888
3889 return b2;
3890 }
3891
3892 struct block *
3893 gen_portrangeop6(port1, port2, proto, dir)
3894 int port1, port2;
3895 int proto;
3896 int dir;
3897 {
3898 struct block *b0, *b1, *tmp;
3899
3900 /* ip6 proto 'proto' */
3901 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
3902
3903 switch (dir) {
3904 case Q_SRC:
3905 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
3906 break;
3907
3908 case Q_DST:
3909 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
3910 break;
3911
3912 case Q_OR:
3913 case Q_DEFAULT:
3914 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
3915 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
3916 gen_or(tmp, b1);
3917 break;
3918
3919 case Q_AND:
3920 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
3921 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
3922 gen_and(tmp, b1);
3923 break;
3924
3925 default:
3926 abort();
3927 }
3928 gen_and(b0, b1);
3929
3930 return b1;
3931 }
3932
3933 static struct block *
3934 gen_portrange6(port1, port2, ip_proto, dir)
3935 int port1, port2;
3936 int ip_proto;
3937 int dir;
3938 {
3939 struct block *b0, *b1, *tmp;
3940
3941 /* link proto ip6 */
3942 b0 = gen_linktype(ETHERTYPE_IPV6);
3943
3944 switch (ip_proto) {
3945 case IPPROTO_UDP:
3946 case IPPROTO_TCP:
3947 case IPPROTO_SCTP:
3948 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
3949 break;
3950
3951 case PROTO_UNDEF:
3952 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
3953 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
3954 gen_or(tmp, b1);
3955 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
3956 gen_or(tmp, b1);
3957 break;
3958
3959 default:
3960 abort();
3961 }
3962 gen_and(b0, b1);
3963 return b1;
3964 }
3965 #endif /* INET6 */
3966
3967 static int
3968 lookup_proto(name, proto)
3969 register const char *name;
3970 register int proto;
3971 {
3972 register int v;
3973
3974 switch (proto) {
3975
3976 case Q_DEFAULT:
3977 case Q_IP:
3978 case Q_IPV6:
3979 v = pcap_nametoproto(name);
3980 if (v == PROTO_UNDEF)
3981 bpf_error("unknown ip proto '%s'", name);
3982 break;
3983
3984 case Q_LINK:
3985 /* XXX should look up h/w protocol type based on linktype */
3986 v = pcap_nametoeproto(name);
3987 if (v == PROTO_UNDEF) {
3988 v = pcap_nametollc(name);
3989 if (v == PROTO_UNDEF)
3990 bpf_error("unknown ether proto '%s'", name);
3991 }
3992 break;
3993
3994 case Q_ISO:
3995 if (strcmp(name, "esis") == 0)
3996 v = ISO9542_ESIS;
3997 else if (strcmp(name, "isis") == 0)
3998 v = ISO10589_ISIS;
3999 else if (strcmp(name, "clnp") == 0)
4000 v = ISO8473_CLNP;
4001 else
4002 bpf_error("unknown osi proto '%s'", name);
4003 break;
4004
4005 default:
4006 v = PROTO_UNDEF;
4007 break;
4008 }
4009 return v;
4010 }
4011
4012 #if 0
4013 struct stmt *
4014 gen_joinsp(s, n)
4015 struct stmt **s;
4016 int n;
4017 {
4018 return NULL;
4019 }
4020 #endif
4021
4022 static struct block *
4023 gen_protochain(v, proto, dir)
4024 int v;
4025 int proto;
4026 int dir;
4027 {
4028 #ifdef NO_PROTOCHAIN
4029 return gen_proto(v, proto, dir);
4030 #else
4031 struct block *b0, *b;
4032 struct slist *s[100];
4033 int fix2, fix3, fix4, fix5;
4034 int ahcheck, again, end;
4035 int i, max;
4036 int reg2 = alloc_reg();
4037
4038 memset(s, 0, sizeof(s));
4039 fix2 = fix3 = fix4 = fix5 = 0;
4040
4041 switch (proto) {
4042 case Q_IP:
4043 case Q_IPV6:
4044 break;
4045 case Q_DEFAULT:
4046 b0 = gen_protochain(v, Q_IP, dir);
4047 b = gen_protochain(v, Q_IPV6, dir);
4048 gen_or(b0, b);
4049 return b;
4050 default:
4051 bpf_error("bad protocol applied for 'protochain'");
4052 /*NOTREACHED*/
4053 }
4054
4055 /*
4056 * We don't handle variable-length radiotap here headers yet.
4057 * We might want to add BPF instructions to do the protochain
4058 * work, to simplify that and, on platforms that have a BPF
4059 * interpreter with the new instructions, let the filtering
4060 * be done in the kernel. (We already require a modified BPF
4061 * engine to do the protochain stuff, to support backward
4062 * branches, and backward branch support is unlikely to appear
4063 * in kernel BPF engines.)
4064 */
4065 if (linktype == DLT_IEEE802_11_RADIO)
4066 bpf_error("'protochain' not supported with radiotap headers");
4067
4068 no_optimize = 1; /*this code is not compatible with optimzer yet */
4069
4070 /*
4071 * s[0] is a dummy entry to protect other BPF insn from damage
4072 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
4073 * hard to find interdependency made by jump table fixup.
4074 */
4075 i = 0;
4076 s[i] = new_stmt(0); /*dummy*/
4077 i++;
4078
4079 switch (proto) {
4080 case Q_IP:
4081 b0 = gen_linktype(ETHERTYPE_IP);
4082
4083 /* A = ip->ip_p */
4084 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4085 s[i]->s.k = off_nl + 9;
4086 i++;
4087 /* X = ip->ip_hl << 2 */
4088 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4089 s[i]->s.k = off_nl;
4090 i++;
4091 break;
4092 #ifdef INET6
4093 case Q_IPV6:
4094 b0 = gen_linktype(ETHERTYPE_IPV6);
4095
4096 /* A = ip6->ip_nxt */
4097 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4098 s[i]->s.k = off_nl + 6;
4099 i++;
4100 /* X = sizeof(struct ip6_hdr) */
4101 s[i] = new_stmt(BPF_LDX|BPF_IMM);
4102 s[i]->s.k = 40;
4103 i++;
4104 break;
4105 #endif
4106 default:
4107 bpf_error("unsupported proto to gen_protochain");
4108 /*NOTREACHED*/
4109 }
4110
4111 /* again: if (A == v) goto end; else fall through; */
4112 again = i;
4113 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4114 s[i]->s.k = v;
4115 s[i]->s.jt = NULL; /*later*/
4116 s[i]->s.jf = NULL; /*update in next stmt*/
4117 fix5 = i;
4118 i++;
4119
4120 #ifndef IPPROTO_NONE
4121 #define IPPROTO_NONE 59
4122 #endif
4123 /* if (A == IPPROTO_NONE) goto end */
4124 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4125 s[i]->s.jt = NULL; /*later*/
4126 s[i]->s.jf = NULL; /*update in next stmt*/
4127 s[i]->s.k = IPPROTO_NONE;
4128 s[fix5]->s.jf = s[i];
4129 fix2 = i;
4130 i++;
4131
4132 #ifdef INET6
4133 if (proto == Q_IPV6) {
4134 int v6start, v6end, v6advance, j;
4135
4136 v6start = i;
4137 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
4138 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4139 s[i]->s.jt = NULL; /*later*/
4140 s[i]->s.jf = NULL; /*update in next stmt*/
4141 s[i]->s.k = IPPROTO_HOPOPTS;
4142 s[fix2]->s.jf = s[i];
4143 i++;
4144 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
4145 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4146 s[i]->s.jt = NULL; /*later*/
4147 s[i]->s.jf = NULL; /*update in next stmt*/
4148 s[i]->s.k = IPPROTO_DSTOPTS;
4149 i++;
4150 /* if (A == IPPROTO_ROUTING) goto v6advance */
4151 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4152 s[i]->s.jt = NULL; /*later*/
4153 s[i]->s.jf = NULL; /*update in next stmt*/
4154 s[i]->s.k = IPPROTO_ROUTING;
4155 i++;
4156 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
4157 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4158 s[i]->s.jt = NULL; /*later*/
4159 s[i]->s.jf = NULL; /*later*/
4160 s[i]->s.k = IPPROTO_FRAGMENT;
4161 fix3 = i;
4162 v6end = i;
4163 i++;
4164
4165 /* v6advance: */
4166 v6advance = i;
4167
4168 /*
4169 * in short,
4170 * A = P[X];
4171 * X = X + (P[X + 1] + 1) * 8;
4172 */
4173 /* A = X */
4174 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4175 i++;
4176 /* A = P[X + packet head] */
4177 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4178 s[i]->s.k = off_nl;
4179 i++;
4180 /* MEM[reg2] = A */
4181 s[i] = new_stmt(BPF_ST);
4182 s[i]->s.k = reg2;
4183 i++;
4184 /* A = X */
4185 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4186 i++;
4187 /* A += 1 */
4188 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4189 s[i]->s.k = 1;
4190 i++;
4191 /* X = A */
4192 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4193 i++;
4194 /* A = P[X + packet head]; */
4195 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4196 s[i]->s.k = off_nl;
4197 i++;
4198 /* A += 1 */
4199 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4200 s[i]->s.k = 1;
4201 i++;
4202 /* A *= 8 */
4203 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4204 s[i]->s.k = 8;
4205 i++;
4206 /* X = A; */
4207 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4208 i++;
4209 /* A = MEM[reg2] */
4210 s[i] = new_stmt(BPF_LD|BPF_MEM);
4211 s[i]->s.k = reg2;
4212 i++;
4213
4214 /* goto again; (must use BPF_JA for backward jump) */
4215 s[i] = new_stmt(BPF_JMP|BPF_JA);
4216 s[i]->s.k = again - i - 1;
4217 s[i - 1]->s.jf = s[i];
4218 i++;
4219
4220 /* fixup */
4221 for (j = v6start; j <= v6end; j++)
4222 s[j]->s.jt = s[v6advance];
4223 } else
4224 #endif
4225 {
4226 /* nop */
4227 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4228 s[i]->s.k = 0;
4229 s[fix2]->s.jf = s[i];
4230 i++;
4231 }
4232
4233 /* ahcheck: */
4234 ahcheck = i;
4235 /* if (A == IPPROTO_AH) then fall through; else goto end; */
4236 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4237 s[i]->s.jt = NULL; /*later*/
4238 s[i]->s.jf = NULL; /*later*/
4239 s[i]->s.k = IPPROTO_AH;
4240 if (fix3)
4241 s[fix3]->s.jf = s[ahcheck];
4242 fix4 = i;
4243 i++;
4244
4245 /*
4246 * in short,
4247 * A = P[X];
4248 * X = X + (P[X + 1] + 2) * 4;
4249 */
4250 /* A = X */
4251 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4252 i++;
4253 /* A = P[X + packet head]; */
4254 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4255 s[i]->s.k = off_nl;
4256 i++;
4257 /* MEM[reg2] = A */
4258 s[i] = new_stmt(BPF_ST);
4259 s[i]->s.k = reg2;
4260 i++;
4261 /* A = X */
4262 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4263 i++;
4264 /* A += 1 */
4265 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4266 s[i]->s.k = 1;
4267 i++;
4268 /* X = A */
4269 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4270 i++;
4271 /* A = P[X + packet head] */
4272 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4273 s[i]->s.k = off_nl;
4274 i++;
4275 /* A += 2 */
4276 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4277 s[i]->s.k = 2;
4278 i++;
4279 /* A *= 4 */
4280 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4281 s[i]->s.k = 4;
4282 i++;
4283 /* X = A; */
4284 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4285 i++;
4286 /* A = MEM[reg2] */
4287 s[i] = new_stmt(BPF_LD|BPF_MEM);
4288 s[i]->s.k = reg2;
4289 i++;
4290
4291 /* goto again; (must use BPF_JA for backward jump) */
4292 s[i] = new_stmt(BPF_JMP|BPF_JA);
4293 s[i]->s.k = again - i - 1;
4294 i++;
4295
4296 /* end: nop */
4297 end = i;
4298 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4299 s[i]->s.k = 0;
4300 s[fix2]->s.jt = s[end];
4301 s[fix4]->s.jf = s[end];
4302 s[fix5]->s.jt = s[end];
4303 i++;
4304
4305 /*
4306 * make slist chain
4307 */
4308 max = i;
4309 for (i = 0; i < max - 1; i++)
4310 s[i]->next = s[i + 1];
4311 s[max - 1]->next = NULL;
4312
4313 /*
4314 * emit final check
4315 */
4316 b = new_block(JMP(BPF_JEQ));
4317 b->stmts = s[1]; /*remember, s[0] is dummy*/
4318 b->s.k = v;
4319
4320 free_reg(reg2);
4321
4322 gen_and(b0, b);
4323 return b;
4324 #endif
4325 }
4326
4327 /*
4328 * Generate code that checks whether the packet is a packet for protocol
4329 * <proto> and whether the type field in that protocol's header has
4330 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
4331 * IP packet and checks the protocol number in the IP header against <v>.
4332 *
4333 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
4334 * against Q_IP and Q_IPV6.
4335 */
4336 static struct block *
4337 gen_proto(v, proto, dir)
4338 int v;
4339 int proto;
4340 int dir;
4341 {
4342 struct block *b0, *b1;
4343
4344 if (dir != Q_DEFAULT)
4345 bpf_error("direction applied to 'proto'");
4346
4347 switch (proto) {
4348 case Q_DEFAULT:
4349 #ifdef INET6
4350 b0 = gen_proto(v, Q_IP, dir);
4351 b1 = gen_proto(v, Q_IPV6, dir);
4352 gen_or(b0, b1);
4353 return b1;
4354 #else
4355 /*FALLTHROUGH*/
4356 #endif
4357 case Q_IP:
4358 /*
4359 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4360 * not LLC encapsulation with LLCSAP_IP.
4361 *
4362 * For IEEE 802 networks - which includes 802.5 token ring
4363 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4364 * says that SNAP encapsulation is used, not LLC encapsulation
4365 * with LLCSAP_IP.
4366 *
4367 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4368 * RFC 2225 say that SNAP encapsulation is used, not LLC
4369 * encapsulation with LLCSAP_IP.
4370 *
4371 * So we always check for ETHERTYPE_IP.
4372 */
4373 b0 = gen_linktype(ETHERTYPE_IP);
4374 #ifndef CHASE_CHAIN
4375 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
4376 #else
4377 b1 = gen_protochain(v, Q_IP);
4378 #endif
4379 gen_and(b0, b1);
4380 return b1;
4381
4382 case Q_ISO:
4383 switch (linktype) {
4384
4385 case DLT_FRELAY:
4386 /*
4387 * Frame Relay packets typically have an OSI
4388 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
4389 * generates code to check for all the OSI
4390 * NLPIDs, so calling it and then adding a check
4391 * for the particular NLPID for which we're
4392 * looking is bogus, as we can just check for
4393 * the NLPID.
4394 *
4395 * What we check for is the NLPID and a frame
4396 * control field value of UI, i.e. 0x03 followed
4397 * by the NLPID.
4398 *
4399 * XXX - assumes a 2-byte Frame Relay header with
4400 * DLCI and flags. What if the address is longer?
4401 *
4402 * XXX - what about SNAP-encapsulated frames?
4403 */
4404 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
4405 /*NOTREACHED*/
4406 break;
4407
4408 case DLT_C_HDLC:
4409 /*
4410 * Cisco uses an Ethertype lookalike - for OSI,
4411 * it's 0xfefe.
4412 */
4413 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
4414 /* OSI in C-HDLC is stuffed with a fudge byte */
4415 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
4416 gen_and(b0, b1);
4417 return b1;
4418
4419 default:
4420 b0 = gen_linktype(LLCSAP_ISONS);
4421 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
4422 gen_and(b0, b1);
4423 return b1;
4424 }
4425
4426 case Q_ISIS:
4427 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4428 /*
4429 * 4 is the offset of the PDU type relative to the IS-IS
4430 * header.
4431 */
4432 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
4433 gen_and(b0, b1);
4434 return b1;
4435
4436 case Q_ARP:
4437 bpf_error("arp does not encapsulate another protocol");
4438 /* NOTREACHED */
4439
4440 case Q_RARP:
4441 bpf_error("rarp does not encapsulate another protocol");
4442 /* NOTREACHED */
4443
4444 case Q_ATALK:
4445 bpf_error("atalk encapsulation is not specifiable");
4446 /* NOTREACHED */
4447
4448 case Q_DECNET:
4449 bpf_error("decnet encapsulation is not specifiable");
4450 /* NOTREACHED */
4451
4452 case Q_SCA:
4453 bpf_error("sca does not encapsulate another protocol");
4454 /* NOTREACHED */
4455
4456 case Q_LAT:
4457 bpf_error("lat does not encapsulate another protocol");
4458 /* NOTREACHED */
4459
4460 case Q_MOPRC:
4461 bpf_error("moprc does not encapsulate another protocol");
4462 /* NOTREACHED */
4463
4464 case Q_MOPDL:
4465 bpf_error("mopdl does not encapsulate another protocol");
4466 /* NOTREACHED */
4467
4468 case Q_LINK:
4469 return gen_linktype(v);
4470
4471 case Q_UDP:
4472 bpf_error("'udp proto' is bogus");
4473 /* NOTREACHED */
4474
4475 case Q_TCP:
4476 bpf_error("'tcp proto' is bogus");
4477 /* NOTREACHED */
4478
4479 case Q_SCTP:
4480 bpf_error("'sctp proto' is bogus");
4481 /* NOTREACHED */
4482
4483 case Q_ICMP:
4484 bpf_error("'icmp proto' is bogus");
4485 /* NOTREACHED */
4486
4487 case Q_IGMP:
4488 bpf_error("'igmp proto' is bogus");
4489 /* NOTREACHED */
4490
4491 case Q_IGRP:
4492 bpf_error("'igrp proto' is bogus");
4493 /* NOTREACHED */
4494
4495 case Q_PIM:
4496 bpf_error("'pim proto' is bogus");
4497 /* NOTREACHED */
4498
4499 case Q_VRRP:
4500 bpf_error("'vrrp proto' is bogus");
4501 /* NOTREACHED */
4502
4503 #ifdef INET6
4504 case Q_IPV6:
4505 b0 = gen_linktype(ETHERTYPE_IPV6);
4506 #ifndef CHASE_CHAIN
4507 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
4508 #else
4509 b1 = gen_protochain(v, Q_IPV6);
4510 #endif
4511 gen_and(b0, b1);
4512 return b1;
4513
4514 case Q_ICMPV6:
4515 bpf_error("'icmp6 proto' is bogus");
4516 #endif /* INET6 */
4517
4518 case Q_AH:
4519 bpf_error("'ah proto' is bogus");
4520
4521 case Q_ESP:
4522 bpf_error("'ah proto' is bogus");
4523
4524 case Q_STP:
4525 bpf_error("'stp proto' is bogus");
4526
4527 case Q_IPX:
4528 bpf_error("'ipx proto' is bogus");
4529
4530 case Q_NETBEUI:
4531 bpf_error("'netbeui proto' is bogus");
4532
4533 case Q_RADIO:
4534 bpf_error("'radio proto' is bogus");
4535
4536 default:
4537 abort();
4538 /* NOTREACHED */
4539 }
4540 /* NOTREACHED */
4541 }
4542
4543 struct block *
4544 gen_scode(name, q)
4545 register const char *name;
4546 struct qual q;
4547 {
4548 int proto = q.proto;
4549 int dir = q.dir;
4550 int tproto;
4551 u_char *eaddr;
4552 bpf_u_int32 mask, addr;
4553 #ifndef INET6
4554 bpf_u_int32 **alist;
4555 #else
4556 int tproto6;
4557 struct sockaddr_in *sin;
4558 struct sockaddr_in6 *sin6;
4559 struct addrinfo *res, *res0;
4560 struct in6_addr mask128;
4561 #endif /*INET6*/
4562 struct block *b, *tmp;
4563 int port, real_proto;
4564 int port1, port2;
4565
4566 switch (q.addr) {
4567
4568 case Q_NET:
4569 addr = pcap_nametonetaddr(name);
4570 if (addr == 0)
4571 bpf_error("unknown network '%s'", name);
4572 /* Left justify network addr and calculate its network mask */
4573 mask = 0xffffffff;
4574 while (addr && (addr & 0xff000000) == 0) {
4575 addr <<= 8;
4576 mask <<= 8;
4577 }
4578 return gen_host(addr, mask, proto, dir);
4579
4580 case Q_DEFAULT:
4581 case Q_HOST:
4582 if (proto == Q_LINK) {
4583 switch (linktype) {
4584
4585 case DLT_EN10MB:
4586 eaddr = pcap_ether_hostton(name);
4587 if (eaddr == NULL)
4588 bpf_error(
4589 "unknown ether host '%s'", name);
4590 b = gen_ehostop(eaddr, dir);
4591 free(eaddr);
4592 return b;
4593
4594 case DLT_FDDI:
4595 eaddr = pcap_ether_hostton(name);
4596 if (eaddr == NULL)
4597 bpf_error(
4598 "unknown FDDI host '%s'", name);
4599 b = gen_fhostop(eaddr, dir);
4600 free(eaddr);
4601 return b;
4602
4603 case DLT_IEEE802:
4604 eaddr = pcap_ether_hostton(name);
4605 if (eaddr == NULL)
4606 bpf_error(
4607 "unknown token ring host '%s'", name);
4608 b = gen_thostop(eaddr, dir);
4609 free(eaddr);
4610 return b;
4611
4612 case DLT_IEEE802_11:
4613 case DLT_IEEE802_11_RADIO_AVS:
4614 case DLT_IEEE802_11_RADIO:
4615 case DLT_PRISM_HEADER:
4616 eaddr = pcap_ether_hostton(name);
4617 if (eaddr == NULL)
4618 bpf_error(
4619 "unknown 802.11 host '%s'", name);
4620 b = gen_wlanhostop(eaddr, dir);
4621 free(eaddr);
4622 return b;
4623
4624 case DLT_IP_OVER_FC:
4625 eaddr = pcap_ether_hostton(name);
4626 if (eaddr == NULL)
4627 bpf_error(
4628 "unknown Fibre Channel host '%s'", name);
4629 b = gen_ipfchostop(eaddr, dir);
4630 free(eaddr);
4631 return b;
4632
4633 case DLT_SUNATM:
4634 if (!is_lane)
4635 break;
4636
4637 /*
4638 * Check that the packet doesn't begin
4639 * with an LE Control marker. (We've
4640 * already generated a test for LANE.)
4641 */
4642 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4643 BPF_H, 0xFF00);
4644 gen_not(tmp);
4645
4646 eaddr = pcap_ether_hostton(name);
4647 if (eaddr == NULL)
4648 bpf_error(
4649 "unknown ether host '%s'", name);
4650 b = gen_ehostop(eaddr, dir);
4651 gen_and(tmp, b);
4652 free(eaddr);
4653 return b;
4654 }
4655
4656 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
4657 } else if (proto == Q_DECNET) {
4658 unsigned short dn_addr = __pcap_nametodnaddr(name);
4659 /*
4660 * I don't think DECNET hosts can be multihomed, so
4661 * there is no need to build up a list of addresses
4662 */
4663 return (gen_host(dn_addr, 0, proto, dir));
4664 } else {
4665 #ifndef INET6
4666 alist = pcap_nametoaddr(name);
4667 if (alist == NULL || *alist == NULL)
4668 bpf_error("unknown host '%s'", name);
4669 tproto = proto;
4670 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
4671 tproto = Q_IP;
4672 b = gen_host(**alist++, 0xffffffff, tproto, dir);
4673 while (*alist) {
4674 tmp = gen_host(**alist++, 0xffffffff,
4675 tproto, dir);
4676 gen_or(b, tmp);
4677 b = tmp;
4678 }
4679 return b;
4680 #else
4681 memset(&mask128, 0xff, sizeof(mask128));
4682 res0 = res = pcap_nametoaddrinfo(name);
4683 if (res == NULL)
4684 bpf_error("unknown host '%s'", name);
4685 b = tmp = NULL;
4686 tproto = tproto6 = proto;
4687 if (off_linktype == -1 && tproto == Q_DEFAULT) {
4688 tproto = Q_IP;
4689 tproto6 = Q_IPV6;
4690 }
4691 for (res = res0; res; res = res->ai_next) {
4692 switch (res->ai_family) {
4693 case AF_INET:
4694 if (tproto == Q_IPV6)
4695 continue;
4696
4697 sin = (struct sockaddr_in *)
4698 res->ai_addr;
4699 tmp = gen_host(ntohl(sin->sin_addr.s_addr),
4700 0xffffffff, tproto, dir);
4701 break;
4702 case AF_INET6:
4703 if (tproto6 == Q_IP)
4704 continue;
4705
4706 sin6 = (struct sockaddr_in6 *)
4707 res->ai_addr;
4708 tmp = gen_host6(&sin6->sin6_addr,
4709 &mask128, tproto6, dir);
4710 break;
4711 default:
4712 continue;
4713 }
4714 if (b)
4715 gen_or(b, tmp);
4716 b = tmp;
4717 }
4718 freeaddrinfo(res0);
4719 if (b == NULL) {
4720 bpf_error("unknown host '%s'%s", name,
4721 (proto == Q_DEFAULT)
4722 ? ""
4723 : " for specified address family");
4724 }
4725 return b;
4726 #endif /*INET6*/
4727 }
4728
4729 case Q_PORT:
4730 if (proto != Q_DEFAULT &&
4731 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4732 bpf_error("illegal qualifier of 'port'");
4733 if (pcap_nametoport(name, &port, &real_proto) == 0)
4734 bpf_error("unknown port '%s'", name);
4735 if (proto == Q_UDP) {
4736 if (real_proto == IPPROTO_TCP)
4737 bpf_error("port '%s' is tcp", name);
4738 else if (real_proto == IPPROTO_SCTP)
4739 bpf_error("port '%s' is sctp", name);
4740 else
4741 /* override PROTO_UNDEF */
4742 real_proto = IPPROTO_UDP;
4743 }
4744 if (proto == Q_TCP) {
4745 if (real_proto == IPPROTO_UDP)
4746 bpf_error("port '%s' is udp", name);
4747
4748 else if (real_proto == IPPROTO_SCTP)
4749 bpf_error("port '%s' is sctp", name);
4750 else
4751 /* override PROTO_UNDEF */
4752 real_proto = IPPROTO_TCP;
4753 }
4754 if (proto == Q_SCTP) {
4755 if (real_proto == IPPROTO_UDP)
4756 bpf_error("port '%s' is udp", name);
4757
4758 else if (real_proto == IPPROTO_TCP)
4759 bpf_error("port '%s' is tcp", name);
4760 else
4761 /* override PROTO_UNDEF */
4762 real_proto = IPPROTO_SCTP;
4763 }
4764 #ifndef INET6
4765 return gen_port(port, real_proto, dir);
4766 #else
4767 {
4768 struct block *b;
4769 b = gen_port(port, real_proto, dir);
4770 gen_or(gen_port6(port, real_proto, dir), b);
4771 return b;
4772 }
4773 #endif /* INET6 */
4774
4775 case Q_PORTRANGE:
4776 if (proto != Q_DEFAULT &&
4777 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4778 bpf_error("illegal qualifier of 'portrange'");
4779 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
4780 bpf_error("unknown port in range '%s'", name);
4781 if (proto == Q_UDP) {
4782 if (real_proto == IPPROTO_TCP)
4783 bpf_error("port in range '%s' is tcp", name);
4784 else if (real_proto == IPPROTO_SCTP)
4785 bpf_error("port in range '%s' is sctp", name);
4786 else
4787 /* override PROTO_UNDEF */
4788 real_proto = IPPROTO_UDP;
4789 }
4790 if (proto == Q_TCP) {
4791 if (real_proto == IPPROTO_UDP)
4792 bpf_error("port in range '%s' is udp", name);
4793 else if (real_proto == IPPROTO_SCTP)
4794 bpf_error("port in range '%s' is sctp", name);
4795 else
4796 /* override PROTO_UNDEF */
4797 real_proto = IPPROTO_TCP;
4798 }
4799 if (proto == Q_SCTP) {
4800 if (real_proto == IPPROTO_UDP)
4801 bpf_error("port in range '%s' is udp", name);
4802 else if (real_proto == IPPROTO_TCP)
4803 bpf_error("port in range '%s' is tcp", name);
4804 else
4805 /* override PROTO_UNDEF */
4806 real_proto = IPPROTO_SCTP;
4807 }
4808 #ifndef INET6
4809 return gen_portrange(port1, port2, real_proto, dir);
4810 #else
4811 {
4812 struct block *b;
4813 b = gen_portrange(port1, port2, real_proto, dir);
4814 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
4815 return b;
4816 }
4817 #endif /* INET6 */
4818
4819 case Q_GATEWAY:
4820 #ifndef INET6
4821 eaddr = pcap_ether_hostton(name);
4822 if (eaddr == NULL)
4823 bpf_error("unknown ether host: %s", name);
4824
4825 alist = pcap_nametoaddr(name);
4826 if (alist == NULL || *alist == NULL)
4827 bpf_error("unknown host '%s'", name);
4828 b = gen_gateway(eaddr, alist, proto, dir);
4829 free(eaddr);
4830 return b;
4831 #else
4832 bpf_error("'gateway' not supported in this configuration");
4833 #endif /*INET6*/
4834
4835 case Q_PROTO:
4836 real_proto = lookup_proto(name, proto);
4837 if (real_proto >= 0)
4838 return gen_proto(real_proto, proto, dir);
4839 else
4840 bpf_error("unknown protocol: %s", name);
4841
4842 case Q_PROTOCHAIN:
4843 real_proto = lookup_proto(name, proto);
4844 if (real_proto >= 0)
4845 return gen_protochain(real_proto, proto, dir);
4846 else
4847 bpf_error("unknown protocol: %s", name);
4848
4849
4850 case Q_UNDEF:
4851 syntax();
4852 /* NOTREACHED */
4853 }
4854 abort();
4855 /* NOTREACHED */
4856 }
4857
4858 struct block *
4859 gen_mcode(s1, s2, masklen, q)
4860 register const char *s1, *s2;
4861 register int masklen;
4862 struct qual q;
4863 {
4864 register int nlen, mlen;
4865 bpf_u_int32 n, m;
4866
4867 nlen = __pcap_atoin(s1, &n);
4868 /* Promote short ipaddr */
4869 n <<= 32 - nlen;
4870
4871 if (s2 != NULL) {
4872 mlen = __pcap_atoin(s2, &m);
4873 /* Promote short ipaddr */
4874 m <<= 32 - mlen;
4875 if ((n & ~m) != 0)
4876 bpf_error("non-network bits set in \"%s mask %s\"",
4877 s1, s2);
4878 } else {
4879 /* Convert mask len to mask */
4880 if (masklen > 32)
4881 bpf_error("mask length must be <= 32");
4882 m = 0xffffffff << (32 - masklen);
4883 if ((n & ~m) != 0)
4884 bpf_error("non-network bits set in \"%s/%d\"",
4885 s1, masklen);
4886 }
4887
4888 switch (q.addr) {
4889
4890 case Q_NET:
4891 return gen_host(n, m, q.proto, q.dir);
4892
4893 default:
4894 bpf_error("Mask syntax for networks only");
4895 /* NOTREACHED */
4896 }
4897 /* NOTREACHED */
4898 }
4899
4900 struct block *
4901 gen_ncode(s, v, q)
4902 register const char *s;
4903 bpf_u_int32 v;
4904 struct qual q;
4905 {
4906 bpf_u_int32 mask;
4907 int proto = q.proto;
4908 int dir = q.dir;
4909 register int vlen;
4910
4911 if (s == NULL)
4912 vlen = 32;
4913 else if (q.proto == Q_DECNET)
4914 vlen = __pcap_atodn(s, &v);
4915 else
4916 vlen = __pcap_atoin(s, &v);
4917
4918 switch (q.addr) {
4919
4920 case Q_DEFAULT:
4921 case Q_HOST:
4922 case Q_NET:
4923 if (proto == Q_DECNET)
4924 return gen_host(v, 0, proto, dir);
4925 else if (proto == Q_LINK) {
4926 bpf_error("illegal link layer address");
4927 } else {
4928 mask = 0xffffffff;
4929 if (s == NULL && q.addr == Q_NET) {
4930 /* Promote short net number */
4931 while (v && (v & 0xff000000) == 0) {
4932 v <<= 8;
4933 mask <<= 8;
4934 }
4935 } else {
4936 /* Promote short ipaddr */
4937 v <<= 32 - vlen;
4938 mask <<= 32 - vlen;
4939 }
4940 return gen_host(v, mask, proto, dir);
4941 }
4942
4943 case Q_PORT:
4944 if (proto == Q_UDP)
4945 proto = IPPROTO_UDP;
4946 else if (proto == Q_TCP)
4947 proto = IPPROTO_TCP;
4948 else if (proto == Q_SCTP)
4949 proto = IPPROTO_SCTP;
4950 else if (proto == Q_DEFAULT)
4951 proto = PROTO_UNDEF;
4952 else
4953 bpf_error("illegal qualifier of 'port'");
4954
4955 #ifndef INET6
4956 return gen_port((int)v, proto, dir);
4957 #else
4958 {
4959 struct block *b;
4960 b = gen_port((int)v, proto, dir);
4961 gen_or(gen_port6((int)v, proto, dir), b);
4962 return b;
4963 }
4964 #endif /* INET6 */
4965
4966 case Q_PORTRANGE:
4967 if (proto == Q_UDP)
4968 proto = IPPROTO_UDP;
4969 else if (proto == Q_TCP)
4970 proto = IPPROTO_TCP;
4971 else if (proto == Q_SCTP)
4972 proto = IPPROTO_SCTP;
4973 else if (proto == Q_DEFAULT)
4974 proto = PROTO_UNDEF;
4975 else
4976 bpf_error("illegal qualifier of 'portrange'");
4977
4978 #ifndef INET6
4979 return gen_portrange((int)v, (int)v, proto, dir);
4980 #else
4981 {
4982 struct block *b;
4983 b = gen_portrange((int)v, (int)v, proto, dir);
4984 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
4985 return b;
4986 }
4987 #endif /* INET6 */
4988
4989 case Q_GATEWAY:
4990 bpf_error("'gateway' requires a name");
4991 /* NOTREACHED */
4992
4993 case Q_PROTO:
4994 return gen_proto((int)v, proto, dir);
4995
4996 case Q_PROTOCHAIN:
4997 return gen_protochain((int)v, proto, dir);
4998
4999 case Q_UNDEF:
5000 syntax();
5001 /* NOTREACHED */
5002
5003 default:
5004 abort();
5005 /* NOTREACHED */
5006 }
5007 /* NOTREACHED */
5008 }
5009
5010 #ifdef INET6
5011 struct block *
5012 gen_mcode6(s1, s2, masklen, q)
5013 register const char *s1, *s2;
5014 register int masklen;
5015 struct qual q;
5016 {
5017 struct addrinfo *res;
5018 struct in6_addr *addr;
5019 struct in6_addr mask;
5020 struct block *b;
5021 u_int32_t *a, *m;
5022
5023 if (s2)
5024 bpf_error("no mask %s supported", s2);
5025
5026 res = pcap_nametoaddrinfo(s1);
5027 if (!res)
5028 bpf_error("invalid ip6 address %s", s1);
5029 if (res->ai_next)
5030 bpf_error("%s resolved to multiple address", s1);
5031 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
5032
5033 if (sizeof(mask) * 8 < masklen)
5034 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
5035 memset(&mask, 0, sizeof(mask));
5036 memset(&mask, 0xff, masklen / 8);
5037 if (masklen % 8) {
5038 mask.s6_addr[masklen / 8] =
5039 (0xff << (8 - masklen % 8)) & 0xff;
5040 }
5041
5042 a = (u_int32_t *)addr;
5043 m = (u_int32_t *)&mask;
5044 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
5045 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
5046 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
5047 }
5048
5049 switch (q.addr) {
5050
5051 case Q_DEFAULT:
5052 case Q_HOST:
5053 if (masklen != 128)
5054 bpf_error("Mask syntax for networks only");
5055 /* FALLTHROUGH */
5056
5057 case Q_NET:
5058 b = gen_host6(addr, &mask, q.proto, q.dir);
5059 freeaddrinfo(res);
5060 return b;
5061
5062 default:
5063 bpf_error("invalid qualifier against IPv6 address");
5064 /* NOTREACHED */
5065 }
5066 }
5067 #endif /*INET6*/
5068
5069 struct block *
5070 gen_ecode(eaddr, q)
5071 register const u_char *eaddr;
5072 struct qual q;
5073 {
5074 struct block *b, *tmp;
5075
5076 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5077 if (linktype == DLT_EN10MB)
5078 return gen_ehostop(eaddr, (int)q.dir);
5079 if (linktype == DLT_FDDI)
5080 return gen_fhostop(eaddr, (int)q.dir);
5081 if (linktype == DLT_IEEE802)
5082 return gen_thostop(eaddr, (int)q.dir);
5083 if (linktype == DLT_IEEE802_11 ||
5084 linktype == DLT_IEEE802_11_RADIO_AVS ||
5085 linktype == DLT_IEEE802_11_RADIO ||
5086 linktype == DLT_PRISM_HEADER)
5087 return gen_wlanhostop(eaddr, (int)q.dir);
5088 if (linktype == DLT_SUNATM && is_lane) {
5089 /*
5090 * Check that the packet doesn't begin with an
5091 * LE Control marker. (We've already generated
5092 * a test for LANE.)
5093 */
5094 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5095 0xFF00);
5096 gen_not(tmp);
5097
5098 /*
5099 * Now check the MAC address.
5100 */
5101 b = gen_ehostop(eaddr, (int)q.dir);
5102 gen_and(tmp, b);
5103 return b;
5104 }
5105 if (linktype == DLT_IP_OVER_FC)
5106 return gen_ipfchostop(eaddr, (int)q.dir);
5107 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5108 }
5109 bpf_error("ethernet address used in non-ether expression");
5110 /* NOTREACHED */
5111 }
5112
5113 void
5114 sappend(s0, s1)
5115 struct slist *s0, *s1;
5116 {
5117 /*
5118 * This is definitely not the best way to do this, but the
5119 * lists will rarely get long.
5120 */
5121 while (s0->next)
5122 s0 = s0->next;
5123 s0->next = s1;
5124 }
5125
5126 static struct slist *
5127 xfer_to_x(a)
5128 struct arth *a;
5129 {
5130 struct slist *s;
5131
5132 s = new_stmt(BPF_LDX|BPF_MEM);
5133 s->s.k = a->regno;
5134 return s;
5135 }
5136
5137 static struct slist *
5138 xfer_to_a(a)
5139 struct arth *a;
5140 {
5141 struct slist *s;
5142
5143 s = new_stmt(BPF_LD|BPF_MEM);
5144 s->s.k = a->regno;
5145 return s;
5146 }
5147
5148 /*
5149 * Modify "index" to use the value stored into its register as an
5150 * offset relative to the beginning of the header for the protocol
5151 * "proto", and allocate a register and put an item "size" bytes long
5152 * (1, 2, or 4) at that offset into that register, making it the register
5153 * for "index".
5154 */
5155 struct arth *
5156 gen_load(proto, index, size)
5157 int proto;
5158 struct arth *index;
5159 int size;
5160 {
5161 struct slist *s, *tmp;
5162 struct block *b;
5163 int regno = alloc_reg();
5164
5165 free_reg(index->regno);
5166 switch (size) {
5167
5168 default:
5169 bpf_error("data size must be 1, 2, or 4");
5170
5171 case 1:
5172 size = BPF_B;
5173 break;
5174
5175 case 2:
5176 size = BPF_H;
5177 break;
5178
5179 case 4:
5180 size = BPF_W;
5181 break;
5182 }
5183 switch (proto) {
5184 default:
5185 bpf_error("unsupported index operation");
5186
5187 case Q_RADIO:
5188 /*
5189 * The offset is relative to the beginning of the packet
5190 * data, if we have a radio header. (If we don't, this
5191 * is an error.)
5192 */
5193 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
5194 linktype != DLT_IEEE802_11_RADIO &&
5195 linktype != DLT_PRISM_HEADER)
5196 bpf_error("radio information not present in capture");
5197
5198 /*
5199 * Load into the X register the offset computed into the
5200 * register specifed by "index".
5201 */
5202 s = xfer_to_x(index);
5203
5204 /*
5205 * Load the item at that offset.
5206 */
5207 tmp = new_stmt(BPF_LD|BPF_IND|size);
5208 sappend(s, tmp);
5209 sappend(index->s, s);
5210 break;
5211
5212 case Q_LINK:
5213 /*
5214 * The offset is relative to the beginning of
5215 * the link-layer header.
5216 *
5217 * XXX - what about ATM LANE? Should the index be
5218 * relative to the beginning of the AAL5 frame, so
5219 * that 0 refers to the beginning of the LE Control
5220 * field, or relative to the beginning of the LAN
5221 * frame, so that 0 refers, for Ethernet LANE, to
5222 * the beginning of the destination address?
5223 */
5224 s = gen_llprefixlen();
5225
5226 /*
5227 * If "s" is non-null, it has code to arrange that the
5228 * X register contains the length of the prefix preceding
5229 * the link-layer header. Add to it the offset computed
5230 * into the register specified by "index", and move that
5231 * into the X register. Otherwise, just load into the X
5232 * register the offset computed into the register specifed
5233 * by "index".
5234 */
5235 if (s != NULL) {
5236 sappend(s, xfer_to_a(index));
5237 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5238 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5239 } else
5240 s = xfer_to_x(index);
5241
5242 /*
5243 * Load the item at the sum of the offset we've put in the
5244 * X register and the offset of the start of the link
5245 * layer header (which is 0 if the radio header is
5246 * variable-length; that header length is what we put
5247 * into the X register and then added to the index).
5248 */
5249 tmp = new_stmt(BPF_LD|BPF_IND|size);
5250 tmp->s.k = off_ll;
5251 sappend(s, tmp);
5252 sappend(index->s, s);
5253 break;
5254
5255 case Q_IP:
5256 case Q_ARP:
5257 case Q_RARP:
5258 case Q_ATALK:
5259 case Q_DECNET:
5260 case Q_SCA:
5261 case Q_LAT:
5262 case Q_MOPRC:
5263 case Q_MOPDL:
5264 #ifdef INET6
5265 case Q_IPV6:
5266 #endif
5267 /*
5268 * The offset is relative to the beginning of
5269 * the network-layer header.
5270 * XXX - are there any cases where we want
5271 * off_nl_nosnap?
5272 */
5273 s = gen_llprefixlen();
5274
5275 /*
5276 * If "s" is non-null, it has code to arrange that the
5277 * X register contains the length of the prefix preceding
5278 * the link-layer header. Add to it the offset computed
5279 * into the register specified by "index", and move that
5280 * into the X register. Otherwise, just load into the X
5281 * register the offset computed into the register specifed
5282 * by "index".
5283 */
5284 if (s != NULL) {
5285 sappend(s, xfer_to_a(index));
5286 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5287 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5288 } else
5289 s = xfer_to_x(index);
5290
5291 /*
5292 * Load the item at the sum of the offset we've put in the
5293 * X register and the offset of the start of the network
5294 * layer header.
5295 */
5296 tmp = new_stmt(BPF_LD|BPF_IND|size);
5297 tmp->s.k = off_nl;
5298 sappend(s, tmp);
5299 sappend(index->s, s);
5300
5301 /*
5302 * Do the computation only if the packet contains
5303 * the protocol in question.
5304 */
5305 b = gen_proto_abbrev(proto);
5306 if (index->b)
5307 gen_and(index->b, b);
5308 index->b = b;
5309 break;
5310
5311 case Q_SCTP:
5312 case Q_TCP:
5313 case Q_UDP:
5314 case Q_ICMP:
5315 case Q_IGMP:
5316 case Q_IGRP:
5317 case Q_PIM:
5318 case Q_VRRP:
5319 /*
5320 * The offset is relative to the beginning of
5321 * the transport-layer header.
5322 * XXX - are there any cases where we want
5323 * off_nl_nosnap?
5324 * XXX - we should, if we're built with
5325 * IPv6 support, generate code to load either
5326 * IPv4, IPv6, or both, as appropriate.
5327 */
5328 s = gen_loadx_iphdrlen();
5329
5330 /*
5331 * The X register now contains the sum of the offset
5332 * of the beginning of the link-layer header and
5333 * the length of the network-layer header. Load
5334 * into the A register the offset relative to
5335 * the beginning of the transport layer header,
5336 * add the X register to that, move that to the
5337 * X register, and load with an offset from the
5338 * X register equal to the offset of the network
5339 * layer header relative to the beginning of
5340 * the link-layer header.
5341 */
5342 sappend(s, xfer_to_a(index));
5343 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5344 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5345 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
5346 tmp->s.k = off_nl;
5347 sappend(index->s, s);
5348
5349 /*
5350 * Do the computation only if the packet contains
5351 * the protocol in question - which is true only
5352 * if this is an IP datagram and is the first or
5353 * only fragment of that datagram.
5354 */
5355 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
5356 if (index->b)
5357 gen_and(index->b, b);
5358 #ifdef INET6
5359 gen_and(gen_proto_abbrev(Q_IP), b);
5360 #endif
5361 index->b = b;
5362 break;
5363 #ifdef INET6
5364 case Q_ICMPV6:
5365 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
5366 /*NOTREACHED*/
5367 #endif
5368 }
5369 index->regno = regno;
5370 s = new_stmt(BPF_ST);
5371 s->s.k = regno;
5372 sappend(index->s, s);
5373
5374 return index;
5375 }
5376
5377 struct block *
5378 gen_relation(code, a0, a1, reversed)
5379 int code;
5380 struct arth *a0, *a1;
5381 int reversed;
5382 {
5383 struct slist *s0, *s1, *s2;
5384 struct block *b, *tmp;
5385
5386 s0 = xfer_to_x(a1);
5387 s1 = xfer_to_a(a0);
5388 if (code == BPF_JEQ) {
5389 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
5390 b = new_block(JMP(code));
5391 sappend(s1, s2);
5392 }
5393 else
5394 b = new_block(BPF_JMP|code|BPF_X);
5395 if (reversed)
5396 gen_not(b);
5397
5398 sappend(s0, s1);
5399 sappend(a1->s, s0);
5400 sappend(a0->s, a1->s);
5401
5402 b->stmts = a0->s;
5403
5404 free_reg(a0->regno);
5405 free_reg(a1->regno);
5406
5407 /* 'and' together protocol checks */
5408 if (a0->b) {
5409 if (a1->b) {
5410 gen_and(a0->b, tmp = a1->b);
5411 }
5412 else
5413 tmp = a0->b;
5414 } else
5415 tmp = a1->b;
5416
5417 if (tmp)
5418 gen_and(tmp, b);
5419
5420 return b;
5421 }
5422
5423 struct arth *
5424 gen_loadlen()
5425 {
5426 int regno = alloc_reg();
5427 struct arth *a = (struct arth *)newchunk(sizeof(*a));
5428 struct slist *s;
5429
5430 s = new_stmt(BPF_LD|BPF_LEN);
5431 s->next = new_stmt(BPF_ST);
5432 s->next->s.k = regno;
5433 a->s = s;
5434 a->regno = regno;
5435
5436 return a;
5437 }
5438
5439 struct arth *
5440 gen_loadi(val)
5441 int val;
5442 {
5443 struct arth *a;
5444 struct slist *s;
5445 int reg;
5446
5447 a = (struct arth *)newchunk(sizeof(*a));
5448
5449 reg = alloc_reg();
5450
5451 s = new_stmt(BPF_LD|BPF_IMM);
5452 s->s.k = val;
5453 s->next = new_stmt(BPF_ST);
5454 s->next->s.k = reg;
5455 a->s = s;
5456 a->regno = reg;
5457
5458 return a;
5459 }
5460
5461 struct arth *
5462 gen_neg(a)
5463 struct arth *a;
5464 {
5465 struct slist *s;
5466
5467 s = xfer_to_a(a);
5468 sappend(a->s, s);
5469 s = new_stmt(BPF_ALU|BPF_NEG);
5470 s->s.k = 0;
5471 sappend(a->s, s);
5472 s = new_stmt(BPF_ST);
5473 s->s.k = a->regno;
5474 sappend(a->s, s);
5475
5476 return a;
5477 }
5478
5479 struct arth *
5480 gen_arth(code, a0, a1)
5481 int code;
5482 struct arth *a0, *a1;
5483 {
5484 struct slist *s0, *s1, *s2;
5485
5486 s0 = xfer_to_x(a1);
5487 s1 = xfer_to_a(a0);
5488 s2 = new_stmt(BPF_ALU|BPF_X|code);
5489
5490 sappend(s1, s2);
5491 sappend(s0, s1);
5492 sappend(a1->s, s0);
5493 sappend(a0->s, a1->s);
5494
5495 free_reg(a0->regno);
5496 free_reg(a1->regno);
5497
5498 s0 = new_stmt(BPF_ST);
5499 a0->regno = s0->s.k = alloc_reg();
5500 sappend(a0->s, s0);
5501
5502 return a0;
5503 }
5504
5505 /*
5506 * Here we handle simple allocation of the scratch registers.
5507 * If too many registers are alloc'd, the allocator punts.
5508 */
5509 static int regused[BPF_MEMWORDS];
5510 static int curreg;
5511
5512 /*
5513 * Return the next free register.
5514 */
5515 static int
5516 alloc_reg()
5517 {
5518 int n = BPF_MEMWORDS;
5519
5520 while (--n >= 0) {
5521 if (regused[curreg])
5522 curreg = (curreg + 1) % BPF_MEMWORDS;
5523 else {
5524 regused[curreg] = 1;
5525 return curreg;
5526 }
5527 }
5528 bpf_error("too many registers needed to evaluate expression");
5529 /* NOTREACHED */
5530 }
5531
5532 /*
5533 * Return a register to the table so it can
5534 * be used later.
5535 */
5536 static void
5537 free_reg(n)
5538 int n;
5539 {
5540 regused[n] = 0;
5541 }
5542
5543 static struct block *
5544 gen_len(jmp, n)
5545 int jmp, n;
5546 {
5547 struct slist *s;
5548 struct block *b;
5549
5550 s = new_stmt(BPF_LD|BPF_LEN);
5551 b = new_block(JMP(jmp));
5552 b->stmts = s;
5553 b->s.k = n;
5554
5555 return b;
5556 }
5557
5558 struct block *
5559 gen_greater(n)
5560 int n;
5561 {
5562 return gen_len(BPF_JGE, n);
5563 }
5564
5565 /*
5566 * Actually, this is less than or equal.
5567 */
5568 struct block *
5569 gen_less(n)
5570 int n;
5571 {
5572 struct block *b;
5573
5574 b = gen_len(BPF_JGT, n);
5575 gen_not(b);
5576
5577 return b;
5578 }
5579
5580 /*
5581 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
5582 * the beginning of the link-layer header.
5583 * XXX - that means you can't test values in the radiotap header, but
5584 * as that header is difficult if not impossible to parse generally
5585 * without a loop, that might not be a severe problem. A new keyword
5586 * "radio" could be added for that, although what you'd really want
5587 * would be a way of testing particular radio header values, which
5588 * would generate code appropriate to the radio header in question.
5589 */
5590 struct block *
5591 gen_byteop(op, idx, val)
5592 int op, idx, val;
5593 {
5594 struct block *b;
5595 struct slist *s;
5596
5597 switch (op) {
5598 default:
5599 abort();
5600
5601 case '=':
5602 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5603
5604 case '<':
5605 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5606 return b;
5607
5608 case '>':
5609 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5610 return b;
5611
5612 case '|':
5613 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
5614 break;
5615
5616 case '&':
5617 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
5618 break;
5619 }
5620 s->s.k = val;
5621 b = new_block(JMP(BPF_JEQ));
5622 b->stmts = s;
5623 gen_not(b);
5624
5625 return b;
5626 }
5627
5628 static u_char abroadcast[] = { 0x0 };
5629
5630 struct block *
5631 gen_broadcast(proto)
5632 int proto;
5633 {
5634 bpf_u_int32 hostmask;
5635 struct block *b0, *b1, *b2;
5636 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
5637
5638 switch (proto) {
5639
5640 case Q_DEFAULT:
5641 case Q_LINK:
5642 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5643 return gen_ahostop(abroadcast, Q_DST);
5644 if (linktype == DLT_EN10MB)
5645 return gen_ehostop(ebroadcast, Q_DST);
5646 if (linktype == DLT_FDDI)
5647 return gen_fhostop(ebroadcast, Q_DST);
5648 if (linktype == DLT_IEEE802)
5649 return gen_thostop(ebroadcast, Q_DST);
5650 if (linktype == DLT_IEEE802_11 ||
5651 linktype == DLT_IEEE802_11_RADIO_AVS ||
5652 linktype == DLT_IEEE802_11_RADIO ||
5653 linktype == DLT_PRISM_HEADER)
5654 return gen_wlanhostop(ebroadcast, Q_DST);
5655 if (linktype == DLT_IP_OVER_FC)
5656 return gen_ipfchostop(ebroadcast, Q_DST);
5657 if (linktype == DLT_SUNATM && is_lane) {
5658 /*
5659 * Check that the packet doesn't begin with an
5660 * LE Control marker. (We've already generated
5661 * a test for LANE.)
5662 */
5663 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5664 0xFF00);
5665 gen_not(b1);
5666
5667 /*
5668 * Now check the MAC address.
5669 */
5670 b0 = gen_ehostop(ebroadcast, Q_DST);
5671 gen_and(b1, b0);
5672 return b0;
5673 }
5674 bpf_error("not a broadcast link");
5675 break;
5676
5677 case Q_IP:
5678 b0 = gen_linktype(ETHERTYPE_IP);
5679 hostmask = ~netmask;
5680 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
5681 b2 = gen_mcmp(OR_NET, 16, BPF_W,
5682 (bpf_int32)(~0 & hostmask), hostmask);
5683 gen_or(b1, b2);
5684 gen_and(b0, b2);
5685 return b2;
5686 }
5687 bpf_error("only link-layer/IP broadcast filters supported");
5688 /* NOTREACHED */
5689 }
5690
5691 /*
5692 * Generate code to test the low-order bit of a MAC address (that's
5693 * the bottom bit of the *first* byte).
5694 */
5695 static struct block *
5696 gen_mac_multicast(offset)
5697 int offset;
5698 {
5699 register struct block *b0;
5700 register struct slist *s;
5701
5702 /* link[offset] & 1 != 0 */
5703 s = gen_load_a(OR_LINK, offset, BPF_B);
5704 b0 = new_block(JMP(BPF_JSET));
5705 b0->s.k = 1;
5706 b0->stmts = s;
5707 return b0;
5708 }
5709
5710 struct block *
5711 gen_multicast(proto)
5712 int proto;
5713 {
5714 register struct block *b0, *b1, *b2;
5715 register struct slist *s;
5716
5717 switch (proto) {
5718
5719 case Q_DEFAULT:
5720 case Q_LINK:
5721 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5722 /* all ARCnet multicasts use the same address */
5723 return gen_ahostop(abroadcast, Q_DST);
5724
5725 if (linktype == DLT_EN10MB) {
5726 /* ether[0] & 1 != 0 */
5727 return gen_mac_multicast(0);
5728 }
5729
5730 if (linktype == DLT_FDDI) {
5731 /*
5732 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
5733 *
5734 * XXX - was that referring to bit-order issues?
5735 */
5736 /* fddi[1] & 1 != 0 */
5737 return gen_mac_multicast(1);
5738 }
5739
5740 if (linktype == DLT_IEEE802) {
5741 /* tr[2] & 1 != 0 */
5742 return gen_mac_multicast(2);
5743 }
5744
5745 if (linktype == DLT_IEEE802_11 ||
5746 linktype == DLT_IEEE802_11_RADIO_AVS ||
5747 linktype == DLT_IEEE802_11_RADIO ||
5748 linktype == DLT_PRISM_HEADER) {
5749 /*
5750 * Oh, yuk.
5751 *
5752 * For control frames, there is no DA.
5753 *
5754 * For management frames, DA is at an
5755 * offset of 4 from the beginning of
5756 * the packet.
5757 *
5758 * For data frames, DA is at an offset
5759 * of 4 from the beginning of the packet
5760 * if To DS is clear and at an offset of
5761 * 16 from the beginning of the packet
5762 * if To DS is set.
5763 */
5764
5765 /*
5766 * Generate the tests to be done for data frames.
5767 *
5768 * First, check for To DS set, i.e. "link[1] & 0x01".
5769 */
5770 s = gen_load_a(OR_LINK, 1, BPF_B);
5771 b1 = new_block(JMP(BPF_JSET));
5772 b1->s.k = 0x01; /* To DS */
5773 b1->stmts = s;
5774
5775 /*
5776 * If To DS is set, the DA is at 16.
5777 */
5778 b0 = gen_mac_multicast(16);
5779 gen_and(b1, b0);
5780
5781 /*
5782 * Now, check for To DS not set, i.e. check
5783 * "!(link[1] & 0x01)".
5784 */
5785 s = gen_load_a(OR_LINK, 1, BPF_B);
5786 b2 = new_block(JMP(BPF_JSET));
5787 b2->s.k = 0x01; /* To DS */
5788 b2->stmts = s;
5789 gen_not(b2);
5790
5791 /*
5792 * If To DS is not set, the DA is at 4.
5793 */
5794 b1 = gen_mac_multicast(4);
5795 gen_and(b2, b1);
5796
5797 /*
5798 * Now OR together the last two checks. That gives
5799 * the complete set of checks for data frames.
5800 */
5801 gen_or(b1, b0);
5802
5803 /*
5804 * Now check for a data frame.
5805 * I.e, check "link[0] & 0x08".
5806 */
5807 s = gen_load_a(OR_LINK, 0, BPF_B);
5808 b1 = new_block(JMP(BPF_JSET));
5809 b1->s.k = 0x08;
5810 b1->stmts = s;
5811
5812 /*
5813 * AND that with the checks done for data frames.
5814 */
5815 gen_and(b1, b0);
5816
5817 /*
5818 * If the high-order bit of the type value is 0, this
5819 * is a management frame.
5820 * I.e, check "!(link[0] & 0x08)".
5821 */
5822 s = gen_load_a(OR_LINK, 0, BPF_B);
5823 b2 = new_block(JMP(BPF_JSET));
5824 b2->s.k = 0x08;
5825 b2->stmts = s;
5826 gen_not(b2);
5827
5828 /*
5829 * For management frames, the DA is at 4.
5830 */
5831 b1 = gen_mac_multicast(4);
5832 gen_and(b2, b1);
5833
5834 /*
5835 * OR that with the checks done for data frames.
5836 * That gives the checks done for management and
5837 * data frames.
5838 */
5839 gen_or(b1, b0);
5840
5841 /*
5842 * If the low-order bit of the type value is 1,
5843 * this is either a control frame or a frame
5844 * with a reserved type, and thus not a
5845 * frame with an SA.
5846 *
5847 * I.e., check "!(link[0] & 0x04)".
5848 */
5849 s = gen_load_a(OR_LINK, 0, BPF_B);
5850 b1 = new_block(JMP(BPF_JSET));
5851 b1->s.k = 0x04;
5852 b1->stmts = s;
5853 gen_not(b1);
5854
5855 /*
5856 * AND that with the checks for data and management
5857 * frames.
5858 */
5859 gen_and(b1, b0);
5860 return b0;
5861 }
5862
5863 if (linktype == DLT_IP_OVER_FC) {
5864 b0 = gen_mac_multicast(2);
5865 return b0;
5866 }
5867
5868 if (linktype == DLT_SUNATM && is_lane) {
5869 /*
5870 * Check that the packet doesn't begin with an
5871 * LE Control marker. (We've already generated
5872 * a test for LANE.)
5873 */
5874 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5875 0xFF00);
5876 gen_not(b1);
5877
5878 /* ether[off_mac] & 1 != 0 */
5879 b0 = gen_mac_multicast(off_mac);
5880 gen_and(b1, b0);
5881 return b0;
5882 }
5883
5884 /* Link not known to support multicasts */
5885 break;
5886
5887 case Q_IP:
5888 b0 = gen_linktype(ETHERTYPE_IP);
5889 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
5890 gen_and(b0, b1);
5891 return b1;
5892
5893 #ifdef INET6
5894 case Q_IPV6:
5895 b0 = gen_linktype(ETHERTYPE_IPV6);
5896 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
5897 gen_and(b0, b1);
5898 return b1;
5899 #endif /* INET6 */
5900 }
5901 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
5902 /* NOTREACHED */
5903 }
5904
5905 /*
5906 * generate command for inbound/outbound. It's here so we can
5907 * make it link-type specific. 'dir' = 0 implies "inbound",
5908 * = 1 implies "outbound".
5909 */
5910 struct block *
5911 gen_inbound(dir)
5912 int dir;
5913 {
5914 register struct block *b0;
5915
5916 /*
5917 * Only some data link types support inbound/outbound qualifiers.
5918 */
5919 switch (linktype) {
5920 case DLT_SLIP:
5921 b0 = gen_relation(BPF_JEQ,
5922 gen_load(Q_LINK, gen_loadi(0), 1),
5923 gen_loadi(0),
5924 dir);
5925 break;
5926
5927 case DLT_LINUX_SLL:
5928 if (dir) {
5929 /*
5930 * Match packets sent by this machine.
5931 */
5932 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
5933 } else {
5934 /*
5935 * Match packets sent to this machine.
5936 * (No broadcast or multicast packets, or
5937 * packets sent to some other machine and
5938 * received promiscuously.)
5939 *
5940 * XXX - packets sent to other machines probably
5941 * shouldn't be matched, but what about broadcast
5942 * or multicast packets we received?
5943 */
5944 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
5945 }
5946 break;
5947
5948 case DLT_PFLOG:
5949 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
5950 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
5951 break;
5952
5953 case DLT_PPP_PPPD:
5954 if (dir) {
5955 /* match outgoing packets */
5956 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
5957 } else {
5958 /* match incoming packets */
5959 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
5960 }
5961 break;
5962
5963 case DLT_JUNIPER_MLFR:
5964 case DLT_JUNIPER_MLPPP:
5965 case DLT_JUNIPER_ATM1:
5966 case DLT_JUNIPER_ATM2:
5967 case DLT_JUNIPER_PPPOE:
5968 case DLT_JUNIPER_PPPOE_ATM:
5969 case DLT_JUNIPER_GGSN:
5970 case DLT_JUNIPER_ES:
5971 case DLT_JUNIPER_MONITOR:
5972 case DLT_JUNIPER_SERVICES:
5973 /* juniper flags (including direction) are stored
5974 * the byte after the 3-byte magic number */
5975 if (dir) {
5976 /* match outgoing packets */
5977 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
5978 } else {
5979 /* match incoming packets */
5980 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
5981 }
5982 break;
5983
5984 default:
5985 bpf_error("inbound/outbound not supported on linktype %d",
5986 linktype);
5987 b0 = NULL;
5988 /* NOTREACHED */
5989 }
5990 return (b0);
5991 }
5992
5993 /* PF firewall log matched interface */
5994 struct block *
5995 gen_pf_ifname(const char *ifname)
5996 {
5997 struct block *b0;
5998 u_int len, off;
5999
6000 if (linktype == DLT_PFLOG) {
6001 len = sizeof(((struct pfloghdr *)0)->ifname);
6002 off = offsetof(struct pfloghdr, ifname);
6003 } else {
6004 bpf_error("ifname not supported on linktype 0x%x", linktype);
6005 /* NOTREACHED */
6006 }
6007 if (strlen(ifname) >= len) {
6008 bpf_error("ifname interface names can only be %d characters",
6009 len-1);
6010 /* NOTREACHED */
6011 }
6012 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
6013 return (b0);
6014 }
6015
6016 /* PF firewall log matched interface */
6017 struct block *
6018 gen_pf_ruleset(char *ruleset)
6019 {
6020 struct block *b0;
6021
6022 if (linktype != DLT_PFLOG) {
6023 bpf_error("ruleset not supported on linktype 0x%x", linktype);
6024 /* NOTREACHED */
6025 }
6026 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
6027 bpf_error("ruleset names can only be %ld characters",
6028 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
6029 /* NOTREACHED */
6030 }
6031 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
6032 strlen(ruleset), (const u_char *)ruleset);
6033 return (b0);
6034 }
6035
6036 /* PF firewall log rule number */
6037 struct block *
6038 gen_pf_rnr(int rnr)
6039 {
6040 struct block *b0;
6041
6042 if (linktype == DLT_PFLOG) {
6043 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
6044 (bpf_int32)rnr);
6045 } else {
6046 bpf_error("rnr not supported on linktype 0x%x", linktype);
6047 /* NOTREACHED */
6048 }
6049
6050 return (b0);
6051 }
6052
6053 /* PF firewall log sub-rule number */
6054 struct block *
6055 gen_pf_srnr(int srnr)
6056 {
6057 struct block *b0;
6058
6059 if (linktype != DLT_PFLOG) {
6060 bpf_error("srnr not supported on linktype 0x%x", linktype);
6061 /* NOTREACHED */
6062 }
6063
6064 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
6065 (bpf_int32)srnr);
6066 return (b0);
6067 }
6068
6069 /* PF firewall log reason code */
6070 struct block *
6071 gen_pf_reason(int reason)
6072 {
6073 struct block *b0;
6074
6075 if (linktype == DLT_PFLOG) {
6076 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
6077 (bpf_int32)reason);
6078 } else {
6079 bpf_error("reason not supported on linktype 0x%x", linktype);
6080 /* NOTREACHED */
6081 }
6082
6083 return (b0);
6084 }
6085
6086 /* PF firewall log action */
6087 struct block *
6088 gen_pf_action(int action)
6089 {
6090 struct block *b0;
6091
6092 if (linktype == DLT_PFLOG) {
6093 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
6094 (bpf_int32)action);
6095 } else {
6096 bpf_error("action not supported on linktype 0x%x", linktype);
6097 /* NOTREACHED */
6098 }
6099
6100 return (b0);
6101 }
6102
6103 struct block *
6104 gen_acode(eaddr, q)
6105 register const u_char *eaddr;
6106 struct qual q;
6107 {
6108 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6109 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
6110 return gen_ahostop(eaddr, (int)q.dir);
6111 }
6112 bpf_error("ARCnet address used in non-arc expression");
6113 /* NOTREACHED */
6114 }
6115
6116 static struct block *
6117 gen_ahostop(eaddr, dir)
6118 register const u_char *eaddr;
6119 register int dir;
6120 {
6121 register struct block *b0, *b1;
6122
6123 switch (dir) {
6124 /* src comes first, different from Ethernet */
6125 case Q_SRC:
6126 return gen_bcmp(OR_LINK, 0, 1, eaddr);
6127
6128 case Q_DST:
6129 return gen_bcmp(OR_LINK, 1, 1, eaddr);
6130
6131 case Q_AND:
6132 b0 = gen_ahostop(eaddr, Q_SRC);
6133 b1 = gen_ahostop(eaddr, Q_DST);
6134 gen_and(b0, b1);
6135 return b1;
6136
6137 case Q_DEFAULT:
6138 case Q_OR:
6139 b0 = gen_ahostop(eaddr, Q_SRC);
6140 b1 = gen_ahostop(eaddr, Q_DST);
6141 gen_or(b0, b1);
6142 return b1;
6143 }
6144 abort();
6145 /* NOTREACHED */
6146 }
6147
6148 /*
6149 * support IEEE 802.1Q VLAN trunk over ethernet
6150 */
6151 struct block *
6152 gen_vlan(vlan_num)
6153 int vlan_num;
6154 {
6155 struct block *b0;
6156
6157 /*
6158 * Change the offsets to point to the type and data fields within
6159 * the VLAN packet. Just increment the offsets, so that we
6160 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to
6161 * capture VLAN 200 encapsulated within VLAN 100.
6162 *
6163 * XXX - this is a bit of a kludge. If we were to split the
6164 * compiler into a parser that parses an expression and
6165 * generates an expression tree, and a code generator that
6166 * takes an expression tree (which could come from our
6167 * parser or from some other parser) and generates BPF code,
6168 * we could perhaps make the offsets parameters of routines
6169 * and, in the handler for an "AND" node, pass to subnodes
6170 * other than the VLAN node the adjusted offsets.
6171 *
6172 * This would mean that "vlan" would, instead of changing the
6173 * behavior of *all* tests after it, change only the behavior
6174 * of tests ANDed with it. That would change the documented
6175 * semantics of "vlan", which might break some expressions.
6176 * However, it would mean that "(vlan and ip) or ip" would check
6177 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6178 * checking only for VLAN-encapsulated IP, so that could still
6179 * be considered worth doing; it wouldn't break expressions
6180 * that are of the form "vlan and ..." or "vlan N and ...",
6181 * which I suspect are the most common expressions involving
6182 * "vlan". "vlan or ..." doesn't necessarily do what the user
6183 * would really want, now, as all the "or ..." tests would
6184 * be done assuming a VLAN, even though the "or" could be viewed
6185 * as meaning "or, if this isn't a VLAN packet...".
6186 */
6187 orig_linktype = off_linktype; /* save original values */
6188 orig_nl = off_nl;
6189
6190 switch (linktype) {
6191
6192 case DLT_EN10MB:
6193 off_linktype += 4;
6194 off_nl_nosnap += 4;
6195 off_nl += 4;
6196 break;
6197
6198 default:
6199 bpf_error("no VLAN support for data link type %d",
6200 linktype);
6201 /*NOTREACHED*/
6202 }
6203
6204 /* check for VLAN */
6205 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
6206
6207 /* If a specific VLAN is requested, check VLAN id */
6208 if (vlan_num >= 0) {
6209 struct block *b1;
6210
6211 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num,
6212 0x0fff);
6213 gen_and(b0, b1);
6214 b0 = b1;
6215 }
6216
6217 return (b0);
6218 }
6219
6220 /*
6221 * support for MPLS
6222 */
6223 struct block *
6224 gen_mpls(label_num)
6225 int label_num;
6226 {
6227 struct block *b0;
6228
6229 /*
6230 * Change the offsets to point to the type and data fields within
6231 * the MPLS packet. Just increment the offsets, so that we
6232 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
6233 * capture packets with an outer label of 100000 and an inner
6234 * label of 1024.
6235 *
6236 * XXX - this is a bit of a kludge. See comments in gen_vlan().
6237 */
6238 orig_linktype = off_linktype; /* save original values */
6239 orig_nl = off_nl;
6240
6241 switch (linktype) {
6242
6243 case DLT_C_HDLC: /* fall through */
6244 case DLT_EN10MB:
6245 off_linktype += 4;
6246 off_nl_nosnap += 4;
6247 off_nl += 4;
6248
6249 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H,
6250 (bpf_int32)ETHERTYPE_MPLS);
6251 break;
6252
6253 case DLT_PPP:
6254 off_linktype += 4;
6255 off_nl_nosnap += 4;
6256 off_nl += 4;
6257
6258 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H,
6259 (bpf_int32)PPP_MPLS_UCAST);
6260 break;
6261
6262 /* FIXME add other DLT_s ...
6263 * for Frame-Relay/and ATM this may get messy due to SNAP headers
6264 * leave it for now */
6265
6266 default:
6267 bpf_error("no MPLS support for data link type %d",
6268 linktype);
6269 b0 = NULL;
6270 /*NOTREACHED*/
6271 break;
6272 }
6273
6274 /* If a specific MPLS label is requested, check it */
6275 if (label_num >= 0) {
6276 struct block *b1;
6277
6278 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
6279 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num,
6280 0xfffff000); /* only compare the first 20 bits */
6281 gen_and(b0, b1);
6282 b0 = b1;
6283 }
6284
6285 return (b0);
6286 }
6287
6288 struct block *
6289 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
6290 int atmfield;
6291 bpf_int32 jvalue;
6292 bpf_u_int32 jtype;
6293 int reverse;
6294 {
6295 struct block *b0;
6296
6297 switch (atmfield) {
6298
6299 case A_VPI:
6300 if (!is_atm)
6301 bpf_error("'vpi' supported only on raw ATM");
6302 if (off_vpi == (u_int)-1)
6303 abort();
6304 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
6305 reverse, jvalue);
6306 break;
6307
6308 case A_VCI:
6309 if (!is_atm)
6310 bpf_error("'vci' supported only on raw ATM");
6311 if (off_vci == (u_int)-1)
6312 abort();
6313 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
6314 reverse, jvalue);
6315 break;
6316
6317 case A_PROTOTYPE:
6318 if (off_proto == (u_int)-1)
6319 abort(); /* XXX - this isn't on FreeBSD */
6320 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
6321 reverse, jvalue);
6322 break;
6323
6324 case A_MSGTYPE:
6325 if (off_payload == (u_int)-1)
6326 abort();
6327 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
6328 0xffffffff, jtype, reverse, jvalue);
6329 break;
6330
6331 case A_CALLREFTYPE:
6332 if (!is_atm)
6333 bpf_error("'callref' supported only on raw ATM");
6334 if (off_proto == (u_int)-1)
6335 abort();
6336 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
6337 jtype, reverse, jvalue);
6338 break;
6339
6340 default:
6341 abort();
6342 }
6343 return b0;
6344 }
6345
6346 struct block *
6347 gen_atmtype_abbrev(type)
6348 int type;
6349 {
6350 struct block *b0, *b1;
6351
6352 switch (type) {
6353
6354 case A_METAC:
6355 /* Get all packets in Meta signalling Circuit */
6356 if (!is_atm)
6357 bpf_error("'metac' supported only on raw ATM");
6358 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6359 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
6360 gen_and(b0, b1);
6361 break;
6362
6363 case A_BCC:
6364 /* Get all packets in Broadcast Circuit*/
6365 if (!is_atm)
6366 bpf_error("'bcc' supported only on raw ATM");
6367 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6368 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
6369 gen_and(b0, b1);
6370 break;
6371
6372 case A_OAMF4SC:
6373 /* Get all cells in Segment OAM F4 circuit*/
6374 if (!is_atm)
6375 bpf_error("'oam4sc' supported only on raw ATM");
6376 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6377 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
6378 gen_and(b0, b1);
6379 break;
6380
6381 case A_OAMF4EC:
6382 /* Get all cells in End-to-End OAM F4 Circuit*/
6383 if (!is_atm)
6384 bpf_error("'oam4ec' supported only on raw ATM");
6385 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6386 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
6387 gen_and(b0, b1);
6388 break;
6389
6390 case A_SC:
6391 /* Get all packets in connection Signalling Circuit */
6392 if (!is_atm)
6393 bpf_error("'sc' supported only on raw ATM");
6394 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6395 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
6396 gen_and(b0, b1);
6397 break;
6398
6399 case A_ILMIC:
6400 /* Get all packets in ILMI Circuit */
6401 if (!is_atm)
6402 bpf_error("'ilmic' supported only on raw ATM");
6403 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6404 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
6405 gen_and(b0, b1);
6406 break;
6407
6408 case A_LANE:
6409 /* Get all LANE packets */
6410 if (!is_atm)
6411 bpf_error("'lane' supported only on raw ATM");
6412 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
6413
6414 /*
6415 * Arrange that all subsequent tests assume LANE
6416 * rather than LLC-encapsulated packets, and set
6417 * the offsets appropriately for LANE-encapsulated
6418 * Ethernet.
6419 *
6420 * "off_mac" is the offset of the Ethernet header,
6421 * which is 2 bytes past the ATM pseudo-header
6422 * (skipping the pseudo-header and 2-byte LE Client
6423 * field). The other offsets are Ethernet offsets
6424 * relative to "off_mac".
6425 */
6426 is_lane = 1;
6427 off_mac = off_payload + 2; /* MAC header */
6428 off_linktype = off_mac + 12;
6429 off_nl = off_mac + 14; /* Ethernet II */
6430 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
6431 break;
6432
6433 case A_LLC:
6434 /* Get all LLC-encapsulated packets */
6435 if (!is_atm)
6436 bpf_error("'llc' supported only on raw ATM");
6437 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
6438 is_lane = 0;
6439 break;
6440
6441 default:
6442 abort();
6443 }
6444 return b1;
6445 }
6446
6447
6448 static struct block *
6449 gen_msg_abbrev(type)
6450 int type;
6451 {
6452 struct block *b1;
6453
6454 /*
6455 * Q.2931 signalling protocol messages for handling virtual circuits
6456 * establishment and teardown
6457 */
6458 switch (type) {
6459
6460 case A_SETUP:
6461 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
6462 break;
6463
6464 case A_CALLPROCEED:
6465 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
6466 break;
6467
6468 case A_CONNECT:
6469 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
6470 break;
6471
6472 case A_CONNECTACK:
6473 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
6474 break;
6475
6476 case A_RELEASE:
6477 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
6478 break;
6479
6480 case A_RELEASE_DONE:
6481 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
6482 break;
6483
6484 default:
6485 abort();
6486 }
6487 return b1;
6488 }
6489
6490 struct block *
6491 gen_atmmulti_abbrev(type)
6492 int type;
6493 {
6494 struct block *b0, *b1;
6495
6496 switch (type) {
6497
6498 case A_OAM:
6499 if (!is_atm)
6500 bpf_error("'oam' supported only on raw ATM");
6501 b1 = gen_atmmulti_abbrev(A_OAMF4);
6502 break;
6503
6504 case A_OAMF4:
6505 if (!is_atm)
6506 bpf_error("'oamf4' supported only on raw ATM");
6507 /* OAM F4 type */
6508 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
6509 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
6510 gen_or(b0, b1);
6511 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6512 gen_and(b0, b1);
6513 break;
6514
6515 case A_CONNECTMSG:
6516 /*
6517 * Get Q.2931 signalling messages for switched
6518 * virtual connection
6519 */
6520 if (!is_atm)
6521 bpf_error("'connectmsg' supported only on raw ATM");
6522 b0 = gen_msg_abbrev(A_SETUP);
6523 b1 = gen_msg_abbrev(A_CALLPROCEED);
6524 gen_or(b0, b1);
6525 b0 = gen_msg_abbrev(A_CONNECT);
6526 gen_or(b0, b1);
6527 b0 = gen_msg_abbrev(A_CONNECTACK);
6528 gen_or(b0, b1);
6529 b0 = gen_msg_abbrev(A_RELEASE);
6530 gen_or(b0, b1);
6531 b0 = gen_msg_abbrev(A_RELEASE_DONE);
6532 gen_or(b0, b1);
6533 b0 = gen_atmtype_abbrev(A_SC);
6534 gen_and(b0, b1);
6535 break;
6536
6537 case A_METACONNECT:
6538 if (!is_atm)
6539 bpf_error("'metaconnect' supported only on raw ATM");
6540 b0 = gen_msg_abbrev(A_SETUP);
6541 b1 = gen_msg_abbrev(A_CALLPROCEED);
6542 gen_or(b0, b1);
6543 b0 = gen_msg_abbrev(A_CONNECT);
6544 gen_or(b0, b1);
6545 b0 = gen_msg_abbrev(A_RELEASE);
6546 gen_or(b0, b1);
6547 b0 = gen_msg_abbrev(A_RELEASE_DONE);
6548 gen_or(b0, b1);
6549 b0 = gen_atmtype_abbrev(A_METAC);
6550 gen_and(b0, b1);
6551 break;
6552
6553 default:
6554 abort();
6555 }
6556 return b1;
6557 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism