]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
add baseline support for MPLS protocol and per-label filtering
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22 #ifndef lint
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.205 2004-06-16 08:20:29 hannes Exp $ (LBL)";
25 #endif
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #ifdef WIN32
32 #include <pcap-stdinc.h>
33 #else /* WIN32 */
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #include <sys/time.h>
37 #endif /* WIN32 */
38
39 /*
40 * XXX - why was this included even on UNIX?
41 */
42 #ifdef __MINGW32__
43 #include "IP6_misc.h"
44 #endif
45
46 #ifndef WIN32
47
48 #ifdef __NetBSD__
49 #include <sys/param.h>
50 #endif
51
52 #include <netinet/in.h>
53
54 #endif /* WIN32 */
55
56 #include <stdlib.h>
57 #include <string.h>
58 #include <memory.h>
59 #include <setjmp.h>
60 #include <stdarg.h>
61
62 #include "pcap-int.h"
63
64 #include "ethertype.h"
65 #include "nlpid.h"
66 #include "llc.h"
67 #include "gencode.h"
68 #include "atmuni31.h"
69 #include "sunatmpos.h"
70 #include "ppp.h"
71 #include "sll.h"
72 #include "arcnet.h"
73 #include "pf.h"
74 #ifndef offsetof
75 #define offsetof(s, e) ((size_t)&((s *)0)->e)
76 #endif
77 #ifdef INET6
78 #ifndef WIN32
79 #include <netdb.h> /* for "struct addrinfo" */
80 #endif /* WIN32 */
81 #endif /*INET6*/
82 #include <pcap-namedb.h>
83
84 #define ETHERMTU 1500
85
86 #ifndef IPPROTO_SCTP
87 #define IPPROTO_SCTP 132
88 #endif
89
90 #ifdef HAVE_OS_PROTO_H
91 #include "os-proto.h"
92 #endif
93
94 #define JMP(c) ((c)|BPF_JMP|BPF_K)
95
96 /* Locals */
97 static jmp_buf top_ctx;
98 static pcap_t *bpf_pcap;
99
100 /* Hack for updating VLAN, MPLS offsets. */
101 static u_int orig_linktype = -1U, orig_nl = -1U, orig_nl_nosnap = -1U;
102
103 /* XXX */
104 #ifdef PCAP_FDDIPAD
105 int pcap_fddipad = PCAP_FDDIPAD;
106 #else
107 int pcap_fddipad;
108 #endif
109
110 /* VARARGS */
111 void
112 bpf_error(const char *fmt, ...)
113
114 {
115 va_list ap;
116
117 va_start(ap, fmt);
118 if (bpf_pcap != NULL)
119 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
120 fmt, ap);
121 va_end(ap);
122 longjmp(top_ctx, 1);
123 /* NOTREACHED */
124 }
125
126 static void init_linktype(int);
127
128 static int alloc_reg(void);
129 static void free_reg(int);
130
131 static struct block *root;
132
133 /*
134 * We divy out chunks of memory rather than call malloc each time so
135 * we don't have to worry about leaking memory. It's probably
136 * not a big deal if all this memory was wasted but it this ever
137 * goes into a library that would probably not be a good idea.
138 */
139 #define NCHUNKS 16
140 #define CHUNK0SIZE 1024
141 struct chunk {
142 u_int n_left;
143 void *m;
144 };
145
146 static struct chunk chunks[NCHUNKS];
147 static int cur_chunk;
148
149 static void *newchunk(u_int);
150 static void freechunks(void);
151 static inline struct block *new_block(int);
152 static inline struct slist *new_stmt(int);
153 static struct block *gen_retblk(int);
154 static inline void syntax(void);
155
156 static void backpatch(struct block *, struct block *);
157 static void merge(struct block *, struct block *);
158 static struct block *gen_cmp(u_int, u_int, bpf_int32);
159 static struct block *gen_cmp_gt(u_int, u_int, bpf_int32);
160 static struct block *gen_mcmp(u_int, u_int, bpf_int32, bpf_u_int32);
161 static struct block *gen_bcmp(u_int, u_int, const u_char *);
162 static struct block *gen_ncmp(bpf_u_int32, bpf_u_int32, bpf_u_int32,
163 bpf_u_int32, bpf_u_int32, int);
164 static struct block *gen_uncond(int);
165 static inline struct block *gen_true(void);
166 static inline struct block *gen_false(void);
167 static struct block *gen_ether_linktype(int);
168 static struct block *gen_linktype(int);
169 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
170 static struct block *gen_llc(int);
171 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
172 #ifdef INET6
173 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
174 #endif
175 static struct block *gen_ahostop(const u_char *, int);
176 static struct block *gen_ehostop(const u_char *, int);
177 static struct block *gen_fhostop(const u_char *, int);
178 static struct block *gen_thostop(const u_char *, int);
179 static struct block *gen_wlanhostop(const u_char *, int);
180 static struct block *gen_ipfchostop(const u_char *, int);
181 static struct block *gen_dnhostop(bpf_u_int32, int, u_int);
182 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
183 #ifdef INET6
184 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
185 #endif
186 #ifndef INET6
187 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
188 #endif
189 static struct block *gen_ipfrag(void);
190 static struct block *gen_portatom(int, bpf_int32);
191 #ifdef INET6
192 static struct block *gen_portatom6(int, bpf_int32);
193 #endif
194 struct block *gen_portop(int, int, int);
195 static struct block *gen_port(int, int, int);
196 #ifdef INET6
197 struct block *gen_portop6(int, int, int);
198 static struct block *gen_port6(int, int, int);
199 #endif
200 static int lookup_proto(const char *, int);
201 static struct block *gen_protochain(int, int, int);
202 static struct block *gen_proto(int, int, int);
203 static struct slist *xfer_to_x(struct arth *);
204 static struct slist *xfer_to_a(struct arth *);
205 static struct block *gen_mac_multicast(int);
206 static struct block *gen_len(int, int);
207
208 static struct block *gen_msg_abbrev(int type);
209
210 static void *
211 newchunk(n)
212 u_int n;
213 {
214 struct chunk *cp;
215 int k;
216 size_t size;
217
218 #ifndef __NetBSD__
219 /* XXX Round up to nearest long. */
220 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
221 #else
222 /* XXX Round up to structure boundary. */
223 n = ALIGN(n);
224 #endif
225
226 cp = &chunks[cur_chunk];
227 if (n > cp->n_left) {
228 ++cp, k = ++cur_chunk;
229 if (k >= NCHUNKS)
230 bpf_error("out of memory");
231 size = CHUNK0SIZE << k;
232 cp->m = (void *)malloc(size);
233 if (cp->m == NULL)
234 bpf_error("out of memory");
235 memset((char *)cp->m, 0, size);
236 cp->n_left = size;
237 if (n > size)
238 bpf_error("out of memory");
239 }
240 cp->n_left -= n;
241 return (void *)((char *)cp->m + cp->n_left);
242 }
243
244 static void
245 freechunks()
246 {
247 int i;
248
249 cur_chunk = 0;
250 for (i = 0; i < NCHUNKS; ++i)
251 if (chunks[i].m != NULL) {
252 free(chunks[i].m);
253 chunks[i].m = NULL;
254 }
255 }
256
257 /*
258 * A strdup whose allocations are freed after code generation is over.
259 */
260 char *
261 sdup(s)
262 register const char *s;
263 {
264 int n = strlen(s) + 1;
265 char *cp = newchunk(n);
266
267 strlcpy(cp, s, n);
268 return (cp);
269 }
270
271 static inline struct block *
272 new_block(code)
273 int code;
274 {
275 struct block *p;
276
277 p = (struct block *)newchunk(sizeof(*p));
278 p->s.code = code;
279 p->head = p;
280
281 return p;
282 }
283
284 static inline struct slist *
285 new_stmt(code)
286 int code;
287 {
288 struct slist *p;
289
290 p = (struct slist *)newchunk(sizeof(*p));
291 p->s.code = code;
292
293 return p;
294 }
295
296 static struct block *
297 gen_retblk(v)
298 int v;
299 {
300 struct block *b = new_block(BPF_RET|BPF_K);
301
302 b->s.k = v;
303 return b;
304 }
305
306 static inline void
307 syntax()
308 {
309 bpf_error("syntax error in filter expression");
310 }
311
312 static bpf_u_int32 netmask;
313 static int snaplen;
314 int no_optimize;
315
316 int
317 pcap_compile(pcap_t *p, struct bpf_program *program,
318 char *buf, int optimize, bpf_u_int32 mask)
319 {
320 extern int n_errors;
321 int len;
322
323 no_optimize = 0;
324 n_errors = 0;
325 root = NULL;
326 bpf_pcap = p;
327 if (setjmp(top_ctx)) {
328 lex_cleanup();
329 freechunks();
330 return (-1);
331 }
332
333 netmask = mask;
334
335 snaplen = pcap_snapshot(p);
336 if (snaplen == 0) {
337 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
338 "snaplen of 0 rejects all packets");
339 return -1;
340 }
341
342 lex_init(buf ? buf : "");
343 init_linktype(pcap_datalink(p));
344 (void)pcap_parse();
345
346 if (n_errors)
347 syntax();
348
349 if (root == NULL)
350 root = gen_retblk(snaplen);
351
352 if (optimize && !no_optimize) {
353 bpf_optimize(&root);
354 if (root == NULL ||
355 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
356 bpf_error("expression rejects all packets");
357 }
358 program->bf_insns = icode_to_fcode(root, &len);
359 program->bf_len = len;
360
361 lex_cleanup();
362 freechunks();
363 return (0);
364 }
365
366 /*
367 * entry point for using the compiler with no pcap open
368 * pass in all the stuff that is needed explicitly instead.
369 */
370 int
371 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
372 struct bpf_program *program,
373 char *buf, int optimize, bpf_u_int32 mask)
374 {
375 pcap_t *p;
376 int ret;
377
378 p = pcap_open_dead(linktype_arg, snaplen_arg);
379 if (p == NULL)
380 return (-1);
381 ret = pcap_compile(p, program, buf, optimize, mask);
382 pcap_close(p);
383 return (ret);
384 }
385
386 /*
387 * Clean up a "struct bpf_program" by freeing all the memory allocated
388 * in it.
389 */
390 void
391 pcap_freecode(struct bpf_program *program)
392 {
393 program->bf_len = 0;
394 if (program->bf_insns != NULL) {
395 free((char *)program->bf_insns);
396 program->bf_insns = NULL;
397 }
398 }
399
400 /*
401 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
402 * which of the jt and jf fields has been resolved and which is a pointer
403 * back to another unresolved block (or nil). At least one of the fields
404 * in each block is already resolved.
405 */
406 static void
407 backpatch(list, target)
408 struct block *list, *target;
409 {
410 struct block *next;
411
412 while (list) {
413 if (!list->sense) {
414 next = JT(list);
415 JT(list) = target;
416 } else {
417 next = JF(list);
418 JF(list) = target;
419 }
420 list = next;
421 }
422 }
423
424 /*
425 * Merge the lists in b0 and b1, using the 'sense' field to indicate
426 * which of jt and jf is the link.
427 */
428 static void
429 merge(b0, b1)
430 struct block *b0, *b1;
431 {
432 register struct block **p = &b0;
433
434 /* Find end of list. */
435 while (*p)
436 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
437
438 /* Concatenate the lists. */
439 *p = b1;
440 }
441
442 void
443 finish_parse(p)
444 struct block *p;
445 {
446 backpatch(p, gen_retblk(snaplen));
447 p->sense = !p->sense;
448 backpatch(p, gen_retblk(0));
449 root = p->head;
450 }
451
452 void
453 gen_and(b0, b1)
454 struct block *b0, *b1;
455 {
456 backpatch(b0, b1->head);
457 b0->sense = !b0->sense;
458 b1->sense = !b1->sense;
459 merge(b1, b0);
460 b1->sense = !b1->sense;
461 b1->head = b0->head;
462 }
463
464 void
465 gen_or(b0, b1)
466 struct block *b0, *b1;
467 {
468 b0->sense = !b0->sense;
469 backpatch(b0, b1->head);
470 b0->sense = !b0->sense;
471 merge(b1, b0);
472 b1->head = b0->head;
473 }
474
475 void
476 gen_not(b)
477 struct block *b;
478 {
479 b->sense = !b->sense;
480 }
481
482 static struct block *
483 gen_cmp(offset, size, v)
484 u_int offset, size;
485 bpf_int32 v;
486 {
487 struct slist *s;
488 struct block *b;
489
490 s = new_stmt(BPF_LD|BPF_ABS|size);
491 s->s.k = offset;
492
493 b = new_block(JMP(BPF_JEQ));
494 b->stmts = s;
495 b->s.k = v;
496
497 return b;
498 }
499
500 static struct block *
501 gen_cmp_gt(offset, size, v)
502 u_int offset, size;
503 bpf_int32 v;
504 {
505 struct slist *s;
506 struct block *b;
507
508 s = new_stmt(BPF_LD|BPF_ABS|size);
509 s->s.k = offset;
510
511 b = new_block(JMP(BPF_JGT));
512 b->stmts = s;
513 b->s.k = v;
514
515 return b;
516 }
517
518 static struct block *
519 gen_mcmp(offset, size, v, mask)
520 u_int offset, size;
521 bpf_int32 v;
522 bpf_u_int32 mask;
523 {
524 struct block *b = gen_cmp(offset, size, v);
525 struct slist *s;
526
527 if (mask != 0xffffffff) {
528 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
529 s->s.k = mask;
530 b->stmts->next = s;
531 }
532 return b;
533 }
534
535 static struct block *
536 gen_bcmp(offset, size, v)
537 register u_int offset, size;
538 register const u_char *v;
539 {
540 register struct block *b, *tmp;
541
542 b = NULL;
543 while (size >= 4) {
544 register const u_char *p = &v[size - 4];
545 bpf_int32 w = ((bpf_int32)p[0] << 24) |
546 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
547
548 tmp = gen_cmp(offset + size - 4, BPF_W, w);
549 if (b != NULL)
550 gen_and(b, tmp);
551 b = tmp;
552 size -= 4;
553 }
554 while (size >= 2) {
555 register const u_char *p = &v[size - 2];
556 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
557
558 tmp = gen_cmp(offset + size - 2, BPF_H, w);
559 if (b != NULL)
560 gen_and(b, tmp);
561 b = tmp;
562 size -= 2;
563 }
564 if (size > 0) {
565 tmp = gen_cmp(offset, BPF_B, (bpf_int32)v[0]);
566 if (b != NULL)
567 gen_and(b, tmp);
568 b = tmp;
569 }
570 return b;
571 }
572
573 static struct block *
574 gen_ncmp(datasize, offset, mask, jtype, jvalue, reverse)
575 bpf_u_int32 datasize, offset, mask, jtype, jvalue;
576 int reverse;
577 {
578 struct slist *s;
579 struct block *b;
580
581 s = new_stmt(BPF_LD|datasize|BPF_ABS);
582 s->s.k = offset;
583
584 if (mask != 0xffffffff) {
585 s->next = new_stmt(BPF_ALU|BPF_AND|BPF_K);
586 s->next->s.k = mask;
587 }
588
589 b = new_block(JMP(jtype));
590 b->stmts = s;
591 b->s.k = jvalue;
592 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
593 gen_not(b);
594 return b;
595 }
596
597 /*
598 * Various code constructs need to know the layout of the data link
599 * layer. These variables give the necessary offsets.
600 */
601
602 /*
603 * This is the offset of the beginning of the MAC-layer header.
604 * It's usually 0, except for ATM LANE.
605 */
606 static u_int off_mac;
607
608 /*
609 * "off_linktype" is the offset to information in the link-layer header
610 * giving the packet type.
611 *
612 * For Ethernet, it's the offset of the Ethernet type field.
613 *
614 * For link-layer types that always use 802.2 headers, it's the
615 * offset of the LLC header.
616 *
617 * For PPP, it's the offset of the PPP type field.
618 *
619 * For Cisco HDLC, it's the offset of the CHDLC type field.
620 *
621 * For BSD loopback, it's the offset of the AF_ value.
622 *
623 * For Linux cooked sockets, it's the offset of the type field.
624 *
625 * It's set to -1 for no encapsulation, in which case, IP is assumed.
626 */
627 static u_int off_linktype;
628
629 /*
630 * TRUE if the link layer includes an ATM pseudo-header.
631 */
632 static int is_atm = 0;
633
634 /*
635 * TRUE if "lane" appeared in the filter; it causes us to generate
636 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
637 */
638 static int is_lane = 0;
639
640 /*
641 * These are offsets for the ATM pseudo-header.
642 */
643 static u_int off_vpi;
644 static u_int off_vci;
645 static u_int off_proto;
646
647 /*
648 * This is the offset of the first byte after the ATM pseudo_header,
649 * or -1 if there is no ATM pseudo-header.
650 */
651 static u_int off_payload;
652
653 /*
654 * These are offsets to the beginning of the network-layer header.
655 *
656 * If the link layer never uses 802.2 LLC:
657 *
658 * "off_nl" and "off_nl_nosnap" are the same.
659 *
660 * If the link layer always uses 802.2 LLC:
661 *
662 * "off_nl" is the offset if there's a SNAP header following
663 * the 802.2 header;
664 *
665 * "off_nl_nosnap" is the offset if there's no SNAP header.
666 *
667 * If the link layer is Ethernet:
668 *
669 * "off_nl" is the offset if the packet is an Ethernet II packet
670 * (we assume no 802.3+802.2+SNAP);
671 *
672 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
673 * with an 802.2 header following it.
674 */
675 static u_int off_nl;
676 static u_int off_nl_nosnap;
677
678 static int linktype;
679
680 static void
681 init_linktype(type)
682 int type;
683 {
684 linktype = type;
685
686 /*
687 * Assume it's not raw ATM with a pseudo-header, for now.
688 */
689 off_mac = 0;
690 is_atm = 0;
691 is_lane = 0;
692 off_vpi = -1;
693 off_vci = -1;
694 off_proto = -1;
695 off_payload = -1;
696
697 orig_linktype = -1;
698 orig_nl = -1;
699 orig_nl_nosnap = -1;
700
701 switch (type) {
702
703 case DLT_ARCNET:
704 off_linktype = 2;
705 off_nl = 6; /* XXX in reality, variable! */
706 off_nl_nosnap = 6; /* no 802.2 LLC */
707 return;
708
709 case DLT_ARCNET_LINUX:
710 off_linktype = 4;
711 off_nl = 8; /* XXX in reality, variable! */
712 off_nl_nosnap = 8; /* no 802.2 LLC */
713 return;
714
715 case DLT_EN10MB:
716 off_linktype = 12;
717 off_nl = 14; /* Ethernet II */
718 off_nl_nosnap = 17; /* 802.3+802.2 */
719 return;
720
721 case DLT_SLIP:
722 /*
723 * SLIP doesn't have a link level type. The 16 byte
724 * header is hacked into our SLIP driver.
725 */
726 off_linktype = -1;
727 off_nl = 16;
728 off_nl_nosnap = 16; /* no 802.2 LLC */
729 return;
730
731 case DLT_SLIP_BSDOS:
732 /* XXX this may be the same as the DLT_PPP_BSDOS case */
733 off_linktype = -1;
734 /* XXX end */
735 off_nl = 24;
736 off_nl_nosnap = 24; /* no 802.2 LLC */
737 return;
738
739 case DLT_NULL:
740 case DLT_LOOP:
741 off_linktype = 0;
742 off_nl = 4;
743 off_nl_nosnap = 4; /* no 802.2 LLC */
744 return;
745
746 case DLT_ENC:
747 off_linktype = 0;
748 off_nl = 12;
749 off_nl_nosnap = 12; /* no 802.2 LLC */
750 return;
751
752 case DLT_PPP:
753 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
754 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
755 off_linktype = 2;
756 off_nl = 4;
757 off_nl_nosnap = 4; /* no 802.2 LLC */
758 return;
759
760 case DLT_PPP_ETHER:
761 /*
762 * This does no include the Ethernet header, and
763 * only covers session state.
764 */
765 off_linktype = 6;
766 off_nl = 8;
767 off_nl_nosnap = 8; /* no 802.2 LLC */
768 return;
769
770 case DLT_PPP_BSDOS:
771 off_linktype = 5;
772 off_nl = 24;
773 off_nl_nosnap = 24; /* no 802.2 LLC */
774 return;
775
776 case DLT_FDDI:
777 /*
778 * FDDI doesn't really have a link-level type field.
779 * We set "off_linktype" to the offset of the LLC header.
780 *
781 * To check for Ethernet types, we assume that SSAP = SNAP
782 * is being used and pick out the encapsulated Ethernet type.
783 * XXX - should we generate code to check for SNAP?
784 */
785 off_linktype = 13;
786 #ifdef PCAP_FDDIPAD
787 off_linktype += pcap_fddipad;
788 #endif
789 off_nl = 21; /* FDDI+802.2+SNAP */
790 off_nl_nosnap = 16; /* FDDI+802.2 */
791 #ifdef PCAP_FDDIPAD
792 off_nl += pcap_fddipad;
793 off_nl_nosnap += pcap_fddipad;
794 #endif
795 return;
796
797 case DLT_IEEE802:
798 /*
799 * Token Ring doesn't really have a link-level type field.
800 * We set "off_linktype" to the offset of the LLC header.
801 *
802 * To check for Ethernet types, we assume that SSAP = SNAP
803 * is being used and pick out the encapsulated Ethernet type.
804 * XXX - should we generate code to check for SNAP?
805 *
806 * XXX - the header is actually variable-length.
807 * Some various Linux patched versions gave 38
808 * as "off_linktype" and 40 as "off_nl"; however,
809 * if a token ring packet has *no* routing
810 * information, i.e. is not source-routed, the correct
811 * values are 20 and 22, as they are in the vanilla code.
812 *
813 * A packet is source-routed iff the uppermost bit
814 * of the first byte of the source address, at an
815 * offset of 8, has the uppermost bit set. If the
816 * packet is source-routed, the total number of bytes
817 * of routing information is 2 plus bits 0x1F00 of
818 * the 16-bit value at an offset of 14 (shifted right
819 * 8 - figure out which byte that is).
820 */
821 off_linktype = 14;
822 off_nl = 22; /* Token Ring+802.2+SNAP */
823 off_nl_nosnap = 17; /* Token Ring+802.2 */
824 return;
825
826 case DLT_IEEE802_11:
827 /*
828 * 802.11 doesn't really have a link-level type field.
829 * We set "off_linktype" to the offset of the LLC header.
830 *
831 * To check for Ethernet types, we assume that SSAP = SNAP
832 * is being used and pick out the encapsulated Ethernet type.
833 * XXX - should we generate code to check for SNAP?
834 *
835 * XXX - the header is actually variable-length. We
836 * assume a 24-byte link-layer header, as appears in
837 * data frames in networks with no bridges. If the
838 * fromds and tods 802.11 header bits are both set,
839 * it's actually supposed to be 30 bytes.
840 */
841 off_linktype = 24;
842 off_nl = 32; /* 802.11+802.2+SNAP */
843 off_nl_nosnap = 27; /* 802.11+802.2 */
844 return;
845
846 case DLT_PRISM_HEADER:
847 /*
848 * Same as 802.11, but with an additional header before
849 * the 802.11 header, containing a bunch of additional
850 * information including radio-level information.
851 *
852 * The header is 144 bytes long.
853 *
854 * XXX - same variable-length header problem; at least
855 * the Prism header is fixed-length.
856 */
857 off_linktype = 144+24;
858 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */
859 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
860 return;
861
862 case DLT_IEEE802_11_RADIO_AVS:
863 /*
864 * Same as 802.11, but with an additional header before
865 * the 802.11 header, containing a bunch of additional
866 * information including radio-level information.
867 *
868 * The header is 64 bytes long, at least in its
869 * current incarnation.
870 *
871 * XXX - same variable-length header problem, only
872 * more so; this header is also variable-length,
873 * with the length being the 32-bit big-endian
874 * number at an offset of 4 from the beginning
875 * of the radio header.
876 */
877 off_linktype = 64+24;
878 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */
879 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */
880 return;
881
882 case DLT_IEEE802_11_RADIO:
883 /*
884 * Same as 802.11, but with an additional header before
885 * the 802.11 header, containing a bunch of additional
886 * information including radio-level information.
887 *
888 * XXX - same variable-length header problem, only
889 * even *more* so; this header is also variable-length,
890 * with the length being the 16-bit number at an offset
891 * of 2 from the beginning of the radio header, and it's
892 * device-dependent (different devices might supply
893 * different amounts of information), so we can't even
894 * assume a fixed length for the current version of the
895 * header.
896 *
897 * Therefore, currently, only raw "link[N:M]" filtering is
898 * supported.
899 */
900 off_linktype = -1;
901 off_nl = -1;
902 off_nl_nosnap = -1;
903 return;
904
905 case DLT_ATM_RFC1483:
906 case DLT_ATM_CLIP: /* Linux ATM defines this */
907 /*
908 * assume routed, non-ISO PDUs
909 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
910 */
911 off_linktype = 0;
912 off_nl = 8; /* 802.2+SNAP */
913 off_nl_nosnap = 3; /* 802.2 */
914 return;
915
916 case DLT_SUNATM:
917 /*
918 * Full Frontal ATM; you get AALn PDUs with an ATM
919 * pseudo-header.
920 */
921 is_atm = 1;
922 off_vpi = SUNATM_VPI_POS;
923 off_vci = SUNATM_VCI_POS;
924 off_proto = PROTO_POS;
925 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
926 off_payload = SUNATM_PKT_BEGIN_POS;
927 off_linktype = off_payload;
928 off_nl = off_payload+8; /* 802.2+SNAP */
929 off_nl_nosnap = off_payload+3; /* 802.2 */
930 return;
931
932 case DLT_RAW:
933 off_linktype = -1;
934 off_nl = 0;
935 off_nl_nosnap = 0; /* no 802.2 LLC */
936 return;
937
938 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
939 off_linktype = 14;
940 off_nl = 16;
941 off_nl_nosnap = 16; /* no 802.2 LLC */
942 return;
943
944 case DLT_LTALK:
945 /*
946 * LocalTalk does have a 1-byte type field in the LLAP header,
947 * but really it just indicates whether there is a "short" or
948 * "long" DDP packet following.
949 */
950 off_linktype = -1;
951 off_nl = 0;
952 off_nl_nosnap = 0; /* no 802.2 LLC */
953 return;
954
955 case DLT_IP_OVER_FC:
956 /*
957 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
958 * link-level type field. We set "off_linktype" to the
959 * offset of the LLC header.
960 *
961 * To check for Ethernet types, we assume that SSAP = SNAP
962 * is being used and pick out the encapsulated Ethernet type.
963 * XXX - should we generate code to check for SNAP? RFC
964 * 2625 says SNAP should be used.
965 */
966 off_linktype = 16;
967 off_nl = 24; /* IPFC+802.2+SNAP */
968 off_nl_nosnap = 19; /* IPFC+802.2 */
969 return;
970
971 case DLT_FRELAY:
972 /*
973 * XXX - we should set this to handle SNAP-encapsulated
974 * frames (NLPID of 0x80).
975 */
976 off_linktype = -1;
977 off_nl = 0;
978 off_nl_nosnap = 0; /* no 802.2 LLC */
979 return;
980
981 case DLT_APPLE_IP_OVER_IEEE1394:
982 off_linktype = 16;
983 off_nl = 18;
984 off_nl_nosnap = 0; /* no 802.2 LLC */
985 return;
986
987 case DLT_LINUX_IRDA:
988 /*
989 * Currently, only raw "link[N:M]" filtering is supported.
990 */
991 off_linktype = -1;
992 off_nl = -1;
993 off_nl_nosnap = -1;
994 return;
995
996 case DLT_DOCSIS:
997 /*
998 * Currently, only raw "link[N:M]" filtering is supported.
999 */
1000 off_linktype = -1;
1001 off_nl = -1;
1002 off_nl_nosnap = -1;
1003 return;
1004
1005 case DLT_SYMANTEC_FIREWALL:
1006 off_linktype = 6;
1007 off_nl = 44; /* Ethernet II */
1008 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
1009 return;
1010
1011 case DLT_PFLOG:
1012 off_linktype = 0;
1013 /* XXX read from header? */
1014 off_nl = PFLOG_HDRLEN;
1015 off_nl_nosnap = PFLOG_HDRLEN;
1016 return;
1017
1018 #ifdef DLT_PFSYNC
1019 case DLT_PFSYNC:
1020 off_linktype = -1;
1021 off_nl = 4;
1022 off_nl_nosnap = 4;
1023 return;
1024 #endif
1025 }
1026 bpf_error("unknown data link type %d", linktype);
1027 /* NOTREACHED */
1028 }
1029
1030 static struct block *
1031 gen_uncond(rsense)
1032 int rsense;
1033 {
1034 struct block *b;
1035 struct slist *s;
1036
1037 s = new_stmt(BPF_LD|BPF_IMM);
1038 s->s.k = !rsense;
1039 b = new_block(JMP(BPF_JEQ));
1040 b->stmts = s;
1041
1042 return b;
1043 }
1044
1045 static inline struct block *
1046 gen_true()
1047 {
1048 return gen_uncond(1);
1049 }
1050
1051 static inline struct block *
1052 gen_false()
1053 {
1054 return gen_uncond(0);
1055 }
1056
1057 /*
1058 * Byte-swap a 32-bit number.
1059 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1060 * big-endian platforms.)
1061 */
1062 #define SWAPLONG(y) \
1063 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1064
1065 static struct block *
1066 gen_ether_linktype(proto)
1067 register int proto;
1068 {
1069 struct block *b0, *b1;
1070
1071 switch (proto) {
1072
1073 case LLCSAP_ISONS:
1074 /*
1075 * OSI protocols always use 802.2 encapsulation.
1076 * XXX - should we check both the DSAP and the
1077 * SSAP, like this, or should we check just the
1078 * DSAP?
1079 */
1080 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1081 gen_not(b0);
1082 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1083 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1084 gen_and(b0, b1);
1085 return b1;
1086
1087 case LLCSAP_IP:
1088 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1089 gen_not(b0);
1090 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1091 ((LLCSAP_IP << 8) | LLCSAP_IP));
1092 gen_and(b0, b1);
1093 return b1;
1094
1095 case LLCSAP_NETBEUI:
1096 /*
1097 * NetBEUI always uses 802.2 encapsulation.
1098 * XXX - should we check both the DSAP and the
1099 * SSAP, like this, or should we check just the
1100 * DSAP?
1101 */
1102 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1103 gen_not(b0);
1104 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1105 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1106 gen_and(b0, b1);
1107 return b1;
1108
1109 case LLCSAP_IPX:
1110 /*
1111 * Check for;
1112 *
1113 * Ethernet_II frames, which are Ethernet
1114 * frames with a frame type of ETHERTYPE_IPX;
1115 *
1116 * Ethernet_802.3 frames, which are 802.3
1117 * frames (i.e., the type/length field is
1118 * a length field, <= ETHERMTU, rather than
1119 * a type field) with the first two bytes
1120 * after the Ethernet/802.3 header being
1121 * 0xFFFF;
1122 *
1123 * Ethernet_802.2 frames, which are 802.3
1124 * frames with an 802.2 LLC header and
1125 * with the IPX LSAP as the DSAP in the LLC
1126 * header;
1127 *
1128 * Ethernet_SNAP frames, which are 802.3
1129 * frames with an LLC header and a SNAP
1130 * header and with an OUI of 0x000000
1131 * (encapsulated Ethernet) and a protocol
1132 * ID of ETHERTYPE_IPX in the SNAP header.
1133 *
1134 * XXX - should we generate the same code both
1135 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1136 */
1137
1138 /*
1139 * This generates code to check both for the
1140 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1141 */
1142 b0 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)LLCSAP_IPX);
1143 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)0xFFFF);
1144 gen_or(b0, b1);
1145
1146 /*
1147 * Now we add code to check for SNAP frames with
1148 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1149 */
1150 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1151 gen_or(b0, b1);
1152
1153 /*
1154 * Now we generate code to check for 802.3
1155 * frames in general.
1156 */
1157 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1158 gen_not(b0);
1159
1160 /*
1161 * Now add the check for 802.3 frames before the
1162 * check for Ethernet_802.2 and Ethernet_802.3,
1163 * as those checks should only be done on 802.3
1164 * frames, not on Ethernet frames.
1165 */
1166 gen_and(b0, b1);
1167
1168 /*
1169 * Now add the check for Ethernet_II frames, and
1170 * do that before checking for the other frame
1171 * types.
1172 */
1173 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1174 gen_or(b0, b1);
1175 return b1;
1176
1177 case ETHERTYPE_ATALK:
1178 case ETHERTYPE_AARP:
1179 /*
1180 * EtherTalk (AppleTalk protocols on Ethernet link
1181 * layer) may use 802.2 encapsulation.
1182 */
1183
1184 /*
1185 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1186 * we check for an Ethernet type field less than
1187 * 1500, which means it's an 802.3 length field.
1188 */
1189 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1190 gen_not(b0);
1191
1192 /*
1193 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1194 * SNAP packets with an organization code of
1195 * 0x080007 (Apple, for Appletalk) and a protocol
1196 * type of ETHERTYPE_ATALK (Appletalk).
1197 *
1198 * 802.2-encapsulated ETHERTYPE_AARP packets are
1199 * SNAP packets with an organization code of
1200 * 0x000000 (encapsulated Ethernet) and a protocol
1201 * type of ETHERTYPE_AARP (Appletalk ARP).
1202 */
1203 if (proto == ETHERTYPE_ATALK)
1204 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1205 else /* proto == ETHERTYPE_AARP */
1206 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1207 gen_and(b0, b1);
1208
1209 /*
1210 * Check for Ethernet encapsulation (Ethertalk
1211 * phase 1?); we just check for the Ethernet
1212 * protocol type.
1213 */
1214 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1215
1216 gen_or(b0, b1);
1217 return b1;
1218
1219 default:
1220 if (proto <= ETHERMTU) {
1221 /*
1222 * This is an LLC SAP value, so the frames
1223 * that match would be 802.2 frames.
1224 * Check that the frame is an 802.2 frame
1225 * (i.e., that the length/type field is
1226 * a length field, <= ETHERMTU) and
1227 * then check the DSAP.
1228 */
1229 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1230 gen_not(b0);
1231 b1 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)proto);
1232 gen_and(b0, b1);
1233 return b1;
1234 } else {
1235 /*
1236 * This is an Ethernet type, so compare
1237 * the length/type field with it (if
1238 * the frame is an 802.2 frame, the length
1239 * field will be <= ETHERMTU, and, as
1240 * "proto" is > ETHERMTU, this test
1241 * will fail and the frame won't match,
1242 * which is what we want).
1243 */
1244 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1245 }
1246 }
1247 }
1248
1249 static struct block *
1250 gen_linktype(proto)
1251 register int proto;
1252 {
1253 struct block *b0, *b1, *b2;
1254
1255 switch (linktype) {
1256
1257 case DLT_EN10MB:
1258 return gen_ether_linktype(proto);
1259 /*NOTREACHED*/
1260 break;
1261
1262 case DLT_C_HDLC:
1263 switch (proto) {
1264
1265 case LLCSAP_ISONS:
1266 proto = (proto << 8 | LLCSAP_ISONS);
1267 /* fall through */
1268
1269 default:
1270 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1271 /*NOTREACHED*/
1272 break;
1273 }
1274 break;
1275
1276 case DLT_IEEE802_11:
1277 case DLT_PRISM_HEADER:
1278 case DLT_IEEE802_11_RADIO:
1279 case DLT_FDDI:
1280 case DLT_IEEE802:
1281 case DLT_ATM_RFC1483:
1282 case DLT_ATM_CLIP:
1283 case DLT_IP_OVER_FC:
1284 return gen_llc(proto);
1285 /*NOTREACHED*/
1286 break;
1287
1288 case DLT_SUNATM:
1289 /*
1290 * If "is_lane" is set, check for a LANE-encapsulated
1291 * version of this protocol, otherwise check for an
1292 * LLC-encapsulated version of this protocol.
1293 *
1294 * We assume LANE means Ethernet, not Token Ring.
1295 */
1296 if (is_lane) {
1297 /*
1298 * Check that the packet doesn't begin with an
1299 * LE Control marker. (We've already generated
1300 * a test for LANE.)
1301 */
1302 b0 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
1303 gen_not(b0);
1304
1305 /*
1306 * Now generate an Ethernet test.
1307 */
1308 b1 = gen_ether_linktype(proto);
1309 gen_and(b0, b1);
1310 return b1;
1311 } else {
1312 /*
1313 * Check for LLC encapsulation and then check the
1314 * protocol.
1315 */
1316 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
1317 b1 = gen_llc(proto);
1318 gen_and(b0, b1);
1319 return b1;
1320 }
1321
1322 case DLT_LINUX_SLL:
1323 switch (proto) {
1324
1325 case LLCSAP_IP:
1326 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1327 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1328 ((LLCSAP_IP << 8) | LLCSAP_IP));
1329 gen_and(b0, b1);
1330 return b1;
1331
1332 case LLCSAP_ISONS:
1333 /*
1334 * OSI protocols always use 802.2 encapsulation.
1335 * XXX - should we check both the DSAP and the
1336 * LSAP, like this, or should we check just the
1337 * DSAP?
1338 */
1339 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1340 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1341 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1342 gen_and(b0, b1);
1343 return b1;
1344
1345 case LLCSAP_NETBEUI:
1346 /*
1347 * NetBEUI always uses 802.2 encapsulation.
1348 * XXX - should we check both the DSAP and the
1349 * LSAP, like this, or should we check just the
1350 * DSAP?
1351 */
1352 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1353 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1354 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1355 gen_and(b0, b1);
1356 return b1;
1357
1358 case LLCSAP_IPX:
1359 /*
1360 * Ethernet_II frames, which are Ethernet
1361 * frames with a frame type of ETHERTYPE_IPX;
1362 *
1363 * Ethernet_802.3 frames, which have a frame
1364 * type of LINUX_SLL_P_802_3;
1365 *
1366 * Ethernet_802.2 frames, which are 802.3
1367 * frames with an 802.2 LLC header (i.e, have
1368 * a frame type of LINUX_SLL_P_802_2) and
1369 * with the IPX LSAP as the DSAP in the LLC
1370 * header;
1371 *
1372 * Ethernet_SNAP frames, which are 802.3
1373 * frames with an LLC header and a SNAP
1374 * header and with an OUI of 0x000000
1375 * (encapsulated Ethernet) and a protocol
1376 * ID of ETHERTYPE_IPX in the SNAP header.
1377 *
1378 * First, do the checks on LINUX_SLL_P_802_2
1379 * frames; generate the check for either
1380 * Ethernet_802.2 or Ethernet_SNAP frames, and
1381 * then put a check for LINUX_SLL_P_802_2 frames
1382 * before it.
1383 */
1384 b0 = gen_cmp(off_linktype + 2, BPF_B,
1385 (bpf_int32)LLCSAP_IPX);
1386 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1387 off_linktype + 2);
1388 gen_or(b0, b1);
1389 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1390 gen_and(b0, b1);
1391
1392 /*
1393 * Now check for 802.3 frames and OR that with
1394 * the previous test.
1395 */
1396 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_3);
1397 gen_or(b0, b1);
1398
1399 /*
1400 * Now add the check for Ethernet_II frames, and
1401 * do that before checking for the other frame
1402 * types.
1403 */
1404 b0 = gen_cmp(off_linktype, BPF_H,
1405 (bpf_int32)ETHERTYPE_IPX);
1406 gen_or(b0, b1);
1407 return b1;
1408
1409 case ETHERTYPE_ATALK:
1410 case ETHERTYPE_AARP:
1411 /*
1412 * EtherTalk (AppleTalk protocols on Ethernet link
1413 * layer) may use 802.2 encapsulation.
1414 */
1415
1416 /*
1417 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1418 * we check for the 802.2 protocol type in the
1419 * "Ethernet type" field.
1420 */
1421 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1422
1423 /*
1424 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1425 * SNAP packets with an organization code of
1426 * 0x080007 (Apple, for Appletalk) and a protocol
1427 * type of ETHERTYPE_ATALK (Appletalk).
1428 *
1429 * 802.2-encapsulated ETHERTYPE_AARP packets are
1430 * SNAP packets with an organization code of
1431 * 0x000000 (encapsulated Ethernet) and a protocol
1432 * type of ETHERTYPE_AARP (Appletalk ARP).
1433 */
1434 if (proto == ETHERTYPE_ATALK)
1435 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1436 off_linktype + 2);
1437 else /* proto == ETHERTYPE_AARP */
1438 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1439 off_linktype + 2);
1440 gen_and(b0, b1);
1441
1442 /*
1443 * Check for Ethernet encapsulation (Ethertalk
1444 * phase 1?); we just check for the Ethernet
1445 * protocol type.
1446 */
1447 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1448
1449 gen_or(b0, b1);
1450 return b1;
1451
1452 default:
1453 if (proto <= ETHERMTU) {
1454 /*
1455 * This is an LLC SAP value, so the frames
1456 * that match would be 802.2 frames.
1457 * Check for the 802.2 protocol type
1458 * in the "Ethernet type" field, and
1459 * then check the DSAP.
1460 */
1461 b0 = gen_cmp(off_linktype, BPF_H,
1462 LINUX_SLL_P_802_2);
1463 b1 = gen_cmp(off_linktype + 2, BPF_B,
1464 (bpf_int32)proto);
1465 gen_and(b0, b1);
1466 return b1;
1467 } else {
1468 /*
1469 * This is an Ethernet type, so compare
1470 * the length/type field with it (if
1471 * the frame is an 802.2 frame, the length
1472 * field will be <= ETHERMTU, and, as
1473 * "proto" is > ETHERMTU, this test
1474 * will fail and the frame won't match,
1475 * which is what we want).
1476 */
1477 return gen_cmp(off_linktype, BPF_H,
1478 (bpf_int32)proto);
1479 }
1480 }
1481 /*NOTREACHED*/
1482 break;
1483
1484 case DLT_SLIP:
1485 case DLT_SLIP_BSDOS:
1486 case DLT_RAW:
1487 /*
1488 * These types don't provide any type field; packets
1489 * are always IP.
1490 *
1491 * XXX - for IPv4, check for a version number of 4, and,
1492 * for IPv6, check for a version number of 6?
1493 */
1494 switch (proto) {
1495
1496 case ETHERTYPE_IP:
1497 #ifdef INET6
1498 case ETHERTYPE_IPV6:
1499 #endif
1500 return gen_true(); /* always true */
1501
1502 default:
1503 return gen_false(); /* always false */
1504 }
1505 /*NOTREACHED*/
1506 break;
1507
1508 case DLT_PPP:
1509 case DLT_PPP_SERIAL:
1510 case DLT_PPP_ETHER:
1511 /*
1512 * We use Ethernet protocol types inside libpcap;
1513 * map them to the corresponding PPP protocol types.
1514 */
1515 switch (proto) {
1516
1517 case ETHERTYPE_IP:
1518 proto = PPP_IP;
1519 break;
1520
1521 #ifdef INET6
1522 case ETHERTYPE_IPV6:
1523 proto = PPP_IPV6;
1524 break;
1525 #endif
1526
1527 case ETHERTYPE_DN:
1528 proto = PPP_DECNET;
1529 break;
1530
1531 case ETHERTYPE_ATALK:
1532 proto = PPP_APPLE;
1533 break;
1534
1535 case ETHERTYPE_NS:
1536 proto = PPP_NS;
1537 break;
1538
1539 case LLCSAP_ISONS:
1540 proto = PPP_OSI;
1541 break;
1542
1543 case LLCSAP_8021D:
1544 /*
1545 * I'm assuming the "Bridging PDU"s that go
1546 * over PPP are Spanning Tree Protocol
1547 * Bridging PDUs.
1548 */
1549 proto = PPP_BRPDU;
1550 break;
1551
1552 case LLCSAP_IPX:
1553 proto = PPP_IPX;
1554 break;
1555 }
1556 break;
1557
1558 case DLT_PPP_BSDOS:
1559 /*
1560 * We use Ethernet protocol types inside libpcap;
1561 * map them to the corresponding PPP protocol types.
1562 */
1563 switch (proto) {
1564
1565 case ETHERTYPE_IP:
1566 b0 = gen_cmp(off_linktype, BPF_H, PPP_IP);
1567 b1 = gen_cmp(off_linktype, BPF_H, PPP_VJC);
1568 gen_or(b0, b1);
1569 b0 = gen_cmp(off_linktype, BPF_H, PPP_VJNC);
1570 gen_or(b1, b0);
1571 return b0;
1572
1573 #ifdef INET6
1574 case ETHERTYPE_IPV6:
1575 proto = PPP_IPV6;
1576 /* more to go? */
1577 break;
1578 #endif
1579
1580 case ETHERTYPE_DN:
1581 proto = PPP_DECNET;
1582 break;
1583
1584 case ETHERTYPE_ATALK:
1585 proto = PPP_APPLE;
1586 break;
1587
1588 case ETHERTYPE_NS:
1589 proto = PPP_NS;
1590 break;
1591
1592 case LLCSAP_ISONS:
1593 proto = PPP_OSI;
1594 break;
1595
1596 case LLCSAP_8021D:
1597 /*
1598 * I'm assuming the "Bridging PDU"s that go
1599 * over PPP are Spanning Tree Protocol
1600 * Bridging PDUs.
1601 */
1602 proto = PPP_BRPDU;
1603 break;
1604
1605 case LLCSAP_IPX:
1606 proto = PPP_IPX;
1607 break;
1608 }
1609 break;
1610
1611 case DLT_NULL:
1612 case DLT_LOOP:
1613 case DLT_ENC:
1614 /*
1615 * For DLT_NULL, the link-layer header is a 32-bit
1616 * word containing an AF_ value in *host* byte order,
1617 * and for DLT_ENC, the link-layer header begins
1618 * with a 32-bit work containing an AF_ value in
1619 * host byte order.
1620 *
1621 * In addition, if we're reading a saved capture file,
1622 * the host byte order in the capture may not be the
1623 * same as the host byte order on this machine.
1624 *
1625 * For DLT_LOOP, the link-layer header is a 32-bit
1626 * word containing an AF_ value in *network* byte order.
1627 *
1628 * XXX - AF_ values may, unfortunately, be platform-
1629 * dependent; for example, FreeBSD's AF_INET6 is 24
1630 * whilst NetBSD's and OpenBSD's is 26.
1631 *
1632 * This means that, when reading a capture file, just
1633 * checking for our AF_INET6 value won't work if the
1634 * capture file came from another OS.
1635 */
1636 switch (proto) {
1637
1638 case ETHERTYPE_IP:
1639 proto = AF_INET;
1640 break;
1641
1642 #ifdef INET6
1643 case ETHERTYPE_IPV6:
1644 proto = AF_INET6;
1645 break;
1646 #endif
1647
1648 default:
1649 /*
1650 * Not a type on which we support filtering.
1651 * XXX - support those that have AF_ values
1652 * #defined on this platform, at least?
1653 */
1654 return gen_false();
1655 }
1656
1657 if (linktype == DLT_NULL || linktype == DLT_ENC) {
1658 /*
1659 * The AF_ value is in host byte order, but
1660 * the BPF interpreter will convert it to
1661 * network byte order.
1662 *
1663 * If this is a save file, and it's from a
1664 * machine with the opposite byte order to
1665 * ours, we byte-swap the AF_ value.
1666 *
1667 * Then we run it through "htonl()", and
1668 * generate code to compare against the result.
1669 */
1670 if (bpf_pcap->sf.rfile != NULL &&
1671 bpf_pcap->sf.swapped)
1672 proto = SWAPLONG(proto);
1673 proto = htonl(proto);
1674 }
1675 return (gen_cmp(0, BPF_W, (bpf_int32)proto));
1676
1677 case DLT_PFLOG:
1678 /*
1679 * af field is host byte order in contrast to the rest of
1680 * the packet.
1681 */
1682 if (proto == ETHERTYPE_IP)
1683 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1684 (bpf_int32)AF_INET));
1685 #ifdef INET6
1686 else if (proto == ETHERTYPE_IPV6)
1687 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1688 (bpf_int32)AF_INET6));
1689 #endif /* INET6 */
1690 else
1691 return gen_false();
1692 /*NOTREACHED*/
1693 break;
1694
1695 case DLT_ARCNET:
1696 case DLT_ARCNET_LINUX:
1697 /*
1698 * XXX should we check for first fragment if the protocol
1699 * uses PHDS?
1700 */
1701 switch (proto) {
1702
1703 default:
1704 return gen_false();
1705
1706 #ifdef INET6
1707 case ETHERTYPE_IPV6:
1708 return (gen_cmp(off_linktype, BPF_B,
1709 (bpf_int32)ARCTYPE_INET6));
1710 #endif /* INET6 */
1711
1712 case ETHERTYPE_IP:
1713 b0 = gen_cmp(off_linktype, BPF_B,
1714 (bpf_int32)ARCTYPE_IP);
1715 b1 = gen_cmp(off_linktype, BPF_B,
1716 (bpf_int32)ARCTYPE_IP_OLD);
1717 gen_or(b0, b1);
1718 return (b1);
1719
1720 case ETHERTYPE_ARP:
1721 b0 = gen_cmp(off_linktype, BPF_B,
1722 (bpf_int32)ARCTYPE_ARP);
1723 b1 = gen_cmp(off_linktype, BPF_B,
1724 (bpf_int32)ARCTYPE_ARP_OLD);
1725 gen_or(b0, b1);
1726 return (b1);
1727
1728 case ETHERTYPE_REVARP:
1729 return (gen_cmp(off_linktype, BPF_B,
1730 (bpf_int32)ARCTYPE_REVARP));
1731
1732 case ETHERTYPE_ATALK:
1733 return (gen_cmp(off_linktype, BPF_B,
1734 (bpf_int32)ARCTYPE_ATALK));
1735 }
1736 /*NOTREACHED*/
1737 break;
1738
1739 case DLT_LTALK:
1740 switch (proto) {
1741 case ETHERTYPE_ATALK:
1742 return gen_true();
1743 default:
1744 return gen_false();
1745 }
1746 /*NOTREACHED*/
1747 break;
1748
1749 case DLT_FRELAY:
1750 /*
1751 * XXX - assumes a 2-byte Frame Relay header with
1752 * DLCI and flags. What if the address is longer?
1753 */
1754 switch (proto) {
1755
1756 case ETHERTYPE_IP:
1757 /*
1758 * Check for the special NLPID for IP.
1759 */
1760 return gen_cmp(2, BPF_H, (0x03<<8) | 0xcc);
1761
1762 #ifdef INET6
1763 case ETHERTYPE_IPV6:
1764 /*
1765 * Check for the special NLPID for IPv6.
1766 */
1767 return gen_cmp(2, BPF_H, (0x03<<8) | 0x8e);
1768 #endif
1769
1770 case LLCSAP_ISONS:
1771 /*
1772 * Check for several OSI protocols.
1773 *
1774 * Frame Relay packets typically have an OSI
1775 * NLPID at the beginning; we check for each
1776 * of them.
1777 *
1778 * What we check for is the NLPID and a frame
1779 * control field of UI, i.e. 0x03 followed
1780 * by the NLPID.
1781 */
1782 b0 = gen_cmp(2, BPF_H, (0x03<<8) | ISO8473_CLNP);
1783 b1 = gen_cmp(2, BPF_H, (0x03<<8) | ISO9542_ESIS);
1784 b2 = gen_cmp(2, BPF_H, (0x03<<8) | ISO10589_ISIS);
1785 gen_or(b1, b2);
1786 gen_or(b0, b2);
1787 return b2;
1788
1789 default:
1790 return gen_false();
1791 }
1792 /*NOTREACHED*/
1793 break;
1794
1795 case DLT_LINUX_IRDA:
1796 bpf_error("IrDA link-layer type filtering not implemented");
1797
1798 case DLT_DOCSIS:
1799 bpf_error("DOCSIS link-layer type filtering not implemented");
1800 }
1801
1802 /*
1803 * All the types that have no encapsulation should either be
1804 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
1805 * all packets are IP packets, or should be handled in some
1806 * special case, if none of them are (if some are and some
1807 * aren't, the lack of encapsulation is a problem, as we'd
1808 * have to find some other way of determining the packet type).
1809 *
1810 * Therefore, if "off_linktype" is -1, there's an error.
1811 */
1812 if (off_linktype == (u_int)-1)
1813 abort();
1814
1815 /*
1816 * Any type not handled above should always have an Ethernet
1817 * type at an offset of "off_linktype". (PPP is partially
1818 * handled above - the protocol type is mapped from the
1819 * Ethernet and LLC types we use internally to the corresponding
1820 * PPP type - but the PPP type is always specified by a value
1821 * at "off_linktype", so we don't have to do the code generation
1822 * above.)
1823 */
1824 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1825 }
1826
1827 /*
1828 * Check for an LLC SNAP packet with a given organization code and
1829 * protocol type; we check the entire contents of the 802.2 LLC and
1830 * snap headers, checking for DSAP and SSAP of SNAP and a control
1831 * field of 0x03 in the LLC header, and for the specified organization
1832 * code and protocol type in the SNAP header.
1833 */
1834 static struct block *
1835 gen_snap(orgcode, ptype, offset)
1836 bpf_u_int32 orgcode;
1837 bpf_u_int32 ptype;
1838 u_int offset;
1839 {
1840 u_char snapblock[8];
1841
1842 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
1843 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
1844 snapblock[2] = 0x03; /* control = UI */
1845 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
1846 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
1847 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
1848 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
1849 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
1850 return gen_bcmp(offset, 8, snapblock);
1851 }
1852
1853 /*
1854 * Check for a given protocol value assuming an 802.2 LLC header.
1855 */
1856 static struct block *
1857 gen_llc(proto)
1858 int proto;
1859 {
1860 /*
1861 * XXX - handle token-ring variable-length header.
1862 */
1863 switch (proto) {
1864
1865 case LLCSAP_IP:
1866 return gen_cmp(off_linktype, BPF_H, (long)
1867 ((LLCSAP_IP << 8) | LLCSAP_IP));
1868
1869 case LLCSAP_ISONS:
1870 return gen_cmp(off_linktype, BPF_H, (long)
1871 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1872
1873 case LLCSAP_NETBEUI:
1874 return gen_cmp(off_linktype, BPF_H, (long)
1875 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1876
1877 case LLCSAP_IPX:
1878 /*
1879 * XXX - are there ever SNAP frames for IPX on
1880 * non-Ethernet 802.x networks?
1881 */
1882 return gen_cmp(off_linktype, BPF_B, (bpf_int32)LLCSAP_IPX);
1883
1884 case ETHERTYPE_ATALK:
1885 /*
1886 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1887 * SNAP packets with an organization code of
1888 * 0x080007 (Apple, for Appletalk) and a protocol
1889 * type of ETHERTYPE_ATALK (Appletalk).
1890 *
1891 * XXX - check for an organization code of
1892 * encapsulated Ethernet as well?
1893 */
1894 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
1895
1896 default:
1897 /*
1898 * XXX - we don't have to check for IPX 802.3
1899 * here, but should we check for the IPX Ethertype?
1900 */
1901 if (proto <= ETHERMTU) {
1902 /*
1903 * This is an LLC SAP value, so check
1904 * the DSAP.
1905 */
1906 return gen_cmp(off_linktype, BPF_B, (bpf_int32)proto);
1907 } else {
1908 /*
1909 * This is an Ethernet type; we assume that it's
1910 * unlikely that it'll appear in the right place
1911 * at random, and therefore check only the
1912 * location that would hold the Ethernet type
1913 * in a SNAP frame with an organization code of
1914 * 0x000000 (encapsulated Ethernet).
1915 *
1916 * XXX - if we were to check for the SNAP DSAP and
1917 * LSAP, as per XXX, and were also to check for an
1918 * organization code of 0x000000 (encapsulated
1919 * Ethernet), we'd do
1920 *
1921 * return gen_snap(0x000000, proto,
1922 * off_linktype);
1923 *
1924 * here; for now, we don't, as per the above.
1925 * I don't know whether it's worth the extra CPU
1926 * time to do the right check or not.
1927 */
1928 return gen_cmp(off_linktype+6, BPF_H, (bpf_int32)proto);
1929 }
1930 }
1931 }
1932
1933 static struct block *
1934 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
1935 bpf_u_int32 addr;
1936 bpf_u_int32 mask;
1937 int dir, proto;
1938 u_int src_off, dst_off;
1939 {
1940 struct block *b0, *b1;
1941 u_int offset;
1942
1943 switch (dir) {
1944
1945 case Q_SRC:
1946 offset = src_off;
1947 break;
1948
1949 case Q_DST:
1950 offset = dst_off;
1951 break;
1952
1953 case Q_AND:
1954 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
1955 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
1956 gen_and(b0, b1);
1957 return b1;
1958
1959 case Q_OR:
1960 case Q_DEFAULT:
1961 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
1962 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
1963 gen_or(b0, b1);
1964 return b1;
1965
1966 default:
1967 abort();
1968 }
1969 b0 = gen_linktype(proto);
1970 b1 = gen_mcmp(offset, BPF_W, (bpf_int32)addr, mask);
1971 gen_and(b0, b1);
1972 return b1;
1973 }
1974
1975 #ifdef INET6
1976 static struct block *
1977 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
1978 struct in6_addr *addr;
1979 struct in6_addr *mask;
1980 int dir, proto;
1981 u_int src_off, dst_off;
1982 {
1983 struct block *b0, *b1;
1984 u_int offset;
1985 u_int32_t *a, *m;
1986
1987 switch (dir) {
1988
1989 case Q_SRC:
1990 offset = src_off;
1991 break;
1992
1993 case Q_DST:
1994 offset = dst_off;
1995 break;
1996
1997 case Q_AND:
1998 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
1999 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2000 gen_and(b0, b1);
2001 return b1;
2002
2003 case Q_OR:
2004 case Q_DEFAULT:
2005 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2006 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2007 gen_or(b0, b1);
2008 return b1;
2009
2010 default:
2011 abort();
2012 }
2013 /* this order is important */
2014 a = (u_int32_t *)addr;
2015 m = (u_int32_t *)mask;
2016 b1 = gen_mcmp(offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2017 b0 = gen_mcmp(offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2018 gen_and(b0, b1);
2019 b0 = gen_mcmp(offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2020 gen_and(b0, b1);
2021 b0 = gen_mcmp(offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2022 gen_and(b0, b1);
2023 b0 = gen_linktype(proto);
2024 gen_and(b0, b1);
2025 return b1;
2026 }
2027 #endif /*INET6*/
2028
2029 static struct block *
2030 gen_ehostop(eaddr, dir)
2031 register const u_char *eaddr;
2032 register int dir;
2033 {
2034 register struct block *b0, *b1;
2035
2036 switch (dir) {
2037 case Q_SRC:
2038 return gen_bcmp(off_mac + 6, 6, eaddr);
2039
2040 case Q_DST:
2041 return gen_bcmp(off_mac + 0, 6, eaddr);
2042
2043 case Q_AND:
2044 b0 = gen_ehostop(eaddr, Q_SRC);
2045 b1 = gen_ehostop(eaddr, Q_DST);
2046 gen_and(b0, b1);
2047 return b1;
2048
2049 case Q_DEFAULT:
2050 case Q_OR:
2051 b0 = gen_ehostop(eaddr, Q_SRC);
2052 b1 = gen_ehostop(eaddr, Q_DST);
2053 gen_or(b0, b1);
2054 return b1;
2055 }
2056 abort();
2057 /* NOTREACHED */
2058 }
2059
2060 /*
2061 * Like gen_ehostop, but for DLT_FDDI
2062 */
2063 static struct block *
2064 gen_fhostop(eaddr, dir)
2065 register const u_char *eaddr;
2066 register int dir;
2067 {
2068 struct block *b0, *b1;
2069
2070 switch (dir) {
2071 case Q_SRC:
2072 #ifdef PCAP_FDDIPAD
2073 return gen_bcmp(6 + 1 + pcap_fddipad, 6, eaddr);
2074 #else
2075 return gen_bcmp(6 + 1, 6, eaddr);
2076 #endif
2077
2078 case Q_DST:
2079 #ifdef PCAP_FDDIPAD
2080 return gen_bcmp(0 + 1 + pcap_fddipad, 6, eaddr);
2081 #else
2082 return gen_bcmp(0 + 1, 6, eaddr);
2083 #endif
2084
2085 case Q_AND:
2086 b0 = gen_fhostop(eaddr, Q_SRC);
2087 b1 = gen_fhostop(eaddr, Q_DST);
2088 gen_and(b0, b1);
2089 return b1;
2090
2091 case Q_DEFAULT:
2092 case Q_OR:
2093 b0 = gen_fhostop(eaddr, Q_SRC);
2094 b1 = gen_fhostop(eaddr, Q_DST);
2095 gen_or(b0, b1);
2096 return b1;
2097 }
2098 abort();
2099 /* NOTREACHED */
2100 }
2101
2102 /*
2103 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2104 */
2105 static struct block *
2106 gen_thostop(eaddr, dir)
2107 register const u_char *eaddr;
2108 register int dir;
2109 {
2110 register struct block *b0, *b1;
2111
2112 switch (dir) {
2113 case Q_SRC:
2114 return gen_bcmp(8, 6, eaddr);
2115
2116 case Q_DST:
2117 return gen_bcmp(2, 6, eaddr);
2118
2119 case Q_AND:
2120 b0 = gen_thostop(eaddr, Q_SRC);
2121 b1 = gen_thostop(eaddr, Q_DST);
2122 gen_and(b0, b1);
2123 return b1;
2124
2125 case Q_DEFAULT:
2126 case Q_OR:
2127 b0 = gen_thostop(eaddr, Q_SRC);
2128 b1 = gen_thostop(eaddr, Q_DST);
2129 gen_or(b0, b1);
2130 return b1;
2131 }
2132 abort();
2133 /* NOTREACHED */
2134 }
2135
2136 /*
2137 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2138 */
2139 static struct block *
2140 gen_wlanhostop(eaddr, dir)
2141 register const u_char *eaddr;
2142 register int dir;
2143 {
2144 register struct block *b0, *b1, *b2;
2145 register struct slist *s;
2146
2147 switch (dir) {
2148 case Q_SRC:
2149 /*
2150 * Oh, yuk.
2151 *
2152 * For control frames, there is no SA.
2153 *
2154 * For management frames, SA is at an
2155 * offset of 10 from the beginning of
2156 * the packet.
2157 *
2158 * For data frames, SA is at an offset
2159 * of 10 from the beginning of the packet
2160 * if From DS is clear, at an offset of
2161 * 16 from the beginning of the packet
2162 * if From DS is set and To DS is clear,
2163 * and an offset of 24 from the beginning
2164 * of the packet if From DS is set and To DS
2165 * is set.
2166 */
2167
2168 /*
2169 * Generate the tests to be done for data frames
2170 * with From DS set.
2171 *
2172 * First, check for To DS set, i.e. check "link[1] & 0x01".
2173 */
2174 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2175 s->s.k = 1;
2176 b1 = new_block(JMP(BPF_JSET));
2177 b1->s.k = 0x01; /* To DS */
2178 b1->stmts = s;
2179
2180 /*
2181 * If To DS is set, the SA is at 24.
2182 */
2183 b0 = gen_bcmp(24, 6, eaddr);
2184 gen_and(b1, b0);
2185
2186 /*
2187 * Now, check for To DS not set, i.e. check
2188 * "!(link[1] & 0x01)".
2189 */
2190 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2191 s->s.k = 1;
2192 b2 = new_block(JMP(BPF_JSET));
2193 b2->s.k = 0x01; /* To DS */
2194 b2->stmts = s;
2195 gen_not(b2);
2196
2197 /*
2198 * If To DS is not set, the SA is at 16.
2199 */
2200 b1 = gen_bcmp(16, 6, eaddr);
2201 gen_and(b2, b1);
2202
2203 /*
2204 * Now OR together the last two checks. That gives
2205 * the complete set of checks for data frames with
2206 * From DS set.
2207 */
2208 gen_or(b1, b0);
2209
2210 /*
2211 * Now check for From DS being set, and AND that with
2212 * the ORed-together checks.
2213 */
2214 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2215 s->s.k = 1;
2216 b1 = new_block(JMP(BPF_JSET));
2217 b1->s.k = 0x02; /* From DS */
2218 b1->stmts = s;
2219 gen_and(b1, b0);
2220
2221 /*
2222 * Now check for data frames with From DS not set.
2223 */
2224 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2225 s->s.k = 1;
2226 b2 = new_block(JMP(BPF_JSET));
2227 b2->s.k = 0x02; /* From DS */
2228 b2->stmts = s;
2229 gen_not(b2);
2230
2231 /*
2232 * If From DS isn't set, the SA is at 10.
2233 */
2234 b1 = gen_bcmp(10, 6, eaddr);
2235 gen_and(b2, b1);
2236
2237 /*
2238 * Now OR together the checks for data frames with
2239 * From DS not set and for data frames with From DS
2240 * set; that gives the checks done for data frames.
2241 */
2242 gen_or(b1, b0);
2243
2244 /*
2245 * Now check for a data frame.
2246 * I.e, check "link[0] & 0x08".
2247 */
2248 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2249 s->s.k = 0;
2250 b1 = new_block(JMP(BPF_JSET));
2251 b1->s.k = 0x08;
2252 b1->stmts = s;
2253
2254 /*
2255 * AND that with the checks done for data frames.
2256 */
2257 gen_and(b1, b0);
2258
2259 /*
2260 * If the high-order bit of the type value is 0, this
2261 * is a management frame.
2262 * I.e, check "!(link[0] & 0x08)".
2263 */
2264 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2265 s->s.k = 0;
2266 b2 = new_block(JMP(BPF_JSET));
2267 b2->s.k = 0x08;
2268 b2->stmts = s;
2269 gen_not(b2);
2270
2271 /*
2272 * For management frames, the SA is at 10.
2273 */
2274 b1 = gen_bcmp(10, 6, eaddr);
2275 gen_and(b2, b1);
2276
2277 /*
2278 * OR that with the checks done for data frames.
2279 * That gives the checks done for management and
2280 * data frames.
2281 */
2282 gen_or(b1, b0);
2283
2284 /*
2285 * If the low-order bit of the type value is 1,
2286 * this is either a control frame or a frame
2287 * with a reserved type, and thus not a
2288 * frame with an SA.
2289 *
2290 * I.e., check "!(link[0] & 0x04)".
2291 */
2292 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2293 s->s.k = 0;
2294 b1 = new_block(JMP(BPF_JSET));
2295 b1->s.k = 0x04;
2296 b1->stmts = s;
2297 gen_not(b1);
2298
2299 /*
2300 * AND that with the checks for data and management
2301 * frames.
2302 */
2303 gen_and(b1, b0);
2304 return b0;
2305
2306 case Q_DST:
2307 /*
2308 * Oh, yuk.
2309 *
2310 * For control frames, there is no DA.
2311 *
2312 * For management frames, DA is at an
2313 * offset of 4 from the beginning of
2314 * the packet.
2315 *
2316 * For data frames, DA is at an offset
2317 * of 4 from the beginning of the packet
2318 * if To DS is clear and at an offset of
2319 * 16 from the beginning of the packet
2320 * if To DS is set.
2321 */
2322
2323 /*
2324 * Generate the tests to be done for data frames.
2325 *
2326 * First, check for To DS set, i.e. "link[1] & 0x01".
2327 */
2328 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2329 s->s.k = 1;
2330 b1 = new_block(JMP(BPF_JSET));
2331 b1->s.k = 0x01; /* To DS */
2332 b1->stmts = s;
2333
2334 /*
2335 * If To DS is set, the DA is at 16.
2336 */
2337 b0 = gen_bcmp(16, 6, eaddr);
2338 gen_and(b1, b0);
2339
2340 /*
2341 * Now, check for To DS not set, i.e. check
2342 * "!(link[1] & 0x01)".
2343 */
2344 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2345 s->s.k = 1;
2346 b2 = new_block(JMP(BPF_JSET));
2347 b2->s.k = 0x01; /* To DS */
2348 b2->stmts = s;
2349 gen_not(b2);
2350
2351 /*
2352 * If To DS is not set, the DA is at 4.
2353 */
2354 b1 = gen_bcmp(4, 6, eaddr);
2355 gen_and(b2, b1);
2356
2357 /*
2358 * Now OR together the last two checks. That gives
2359 * the complete set of checks for data frames.
2360 */
2361 gen_or(b1, b0);
2362
2363 /*
2364 * Now check for a data frame.
2365 * I.e, check "link[0] & 0x08".
2366 */
2367 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2368 s->s.k = 0;
2369 b1 = new_block(JMP(BPF_JSET));
2370 b1->s.k = 0x08;
2371 b1->stmts = s;
2372
2373 /*
2374 * AND that with the checks done for data frames.
2375 */
2376 gen_and(b1, b0);
2377
2378 /*
2379 * If the high-order bit of the type value is 0, this
2380 * is a management frame.
2381 * I.e, check "!(link[0] & 0x08)".
2382 */
2383 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2384 s->s.k = 0;
2385 b2 = new_block(JMP(BPF_JSET));
2386 b2->s.k = 0x08;
2387 b2->stmts = s;
2388 gen_not(b2);
2389
2390 /*
2391 * For management frames, the DA is at 4.
2392 */
2393 b1 = gen_bcmp(4, 6, eaddr);
2394 gen_and(b2, b1);
2395
2396 /*
2397 * OR that with the checks done for data frames.
2398 * That gives the checks done for management and
2399 * data frames.
2400 */
2401 gen_or(b1, b0);
2402
2403 /*
2404 * If the low-order bit of the type value is 1,
2405 * this is either a control frame or a frame
2406 * with a reserved type, and thus not a
2407 * frame with an SA.
2408 *
2409 * I.e., check "!(link[0] & 0x04)".
2410 */
2411 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2412 s->s.k = 0;
2413 b1 = new_block(JMP(BPF_JSET));
2414 b1->s.k = 0x04;
2415 b1->stmts = s;
2416 gen_not(b1);
2417
2418 /*
2419 * AND that with the checks for data and management
2420 * frames.
2421 */
2422 gen_and(b1, b0);
2423 return b0;
2424
2425 case Q_AND:
2426 b0 = gen_wlanhostop(eaddr, Q_SRC);
2427 b1 = gen_wlanhostop(eaddr, Q_DST);
2428 gen_and(b0, b1);
2429 return b1;
2430
2431 case Q_DEFAULT:
2432 case Q_OR:
2433 b0 = gen_wlanhostop(eaddr, Q_SRC);
2434 b1 = gen_wlanhostop(eaddr, Q_DST);
2435 gen_or(b0, b1);
2436 return b1;
2437 }
2438 abort();
2439 /* NOTREACHED */
2440 }
2441
2442 /*
2443 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
2444 * (We assume that the addresses are IEEE 48-bit MAC addresses,
2445 * as the RFC states.)
2446 */
2447 static struct block *
2448 gen_ipfchostop(eaddr, dir)
2449 register const u_char *eaddr;
2450 register int dir;
2451 {
2452 register struct block *b0, *b1;
2453
2454 switch (dir) {
2455 case Q_SRC:
2456 return gen_bcmp(10, 6, eaddr);
2457
2458 case Q_DST:
2459 return gen_bcmp(2, 6, eaddr);
2460
2461 case Q_AND:
2462 b0 = gen_ipfchostop(eaddr, Q_SRC);
2463 b1 = gen_ipfchostop(eaddr, Q_DST);
2464 gen_and(b0, b1);
2465 return b1;
2466
2467 case Q_DEFAULT:
2468 case Q_OR:
2469 b0 = gen_ipfchostop(eaddr, Q_SRC);
2470 b1 = gen_ipfchostop(eaddr, Q_DST);
2471 gen_or(b0, b1);
2472 return b1;
2473 }
2474 abort();
2475 /* NOTREACHED */
2476 }
2477
2478 /*
2479 * This is quite tricky because there may be pad bytes in front of the
2480 * DECNET header, and then there are two possible data packet formats that
2481 * carry both src and dst addresses, plus 5 packet types in a format that
2482 * carries only the src node, plus 2 types that use a different format and
2483 * also carry just the src node.
2484 *
2485 * Yuck.
2486 *
2487 * Instead of doing those all right, we just look for data packets with
2488 * 0 or 1 bytes of padding. If you want to look at other packets, that
2489 * will require a lot more hacking.
2490 *
2491 * To add support for filtering on DECNET "areas" (network numbers)
2492 * one would want to add a "mask" argument to this routine. That would
2493 * make the filter even more inefficient, although one could be clever
2494 * and not generate masking instructions if the mask is 0xFFFF.
2495 */
2496 static struct block *
2497 gen_dnhostop(addr, dir, base_off)
2498 bpf_u_int32 addr;
2499 int dir;
2500 u_int base_off;
2501 {
2502 struct block *b0, *b1, *b2, *tmp;
2503 u_int offset_lh; /* offset if long header is received */
2504 u_int offset_sh; /* offset if short header is received */
2505
2506 switch (dir) {
2507
2508 case Q_DST:
2509 offset_sh = 1; /* follows flags */
2510 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
2511 break;
2512
2513 case Q_SRC:
2514 offset_sh = 3; /* follows flags, dstnode */
2515 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
2516 break;
2517
2518 case Q_AND:
2519 /* Inefficient because we do our Calvinball dance twice */
2520 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2521 b1 = gen_dnhostop(addr, Q_DST, base_off);
2522 gen_and(b0, b1);
2523 return b1;
2524
2525 case Q_OR:
2526 case Q_DEFAULT:
2527 /* Inefficient because we do our Calvinball dance twice */
2528 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2529 b1 = gen_dnhostop(addr, Q_DST, base_off);
2530 gen_or(b0, b1);
2531 return b1;
2532
2533 case Q_ISO:
2534 bpf_error("ISO host filtering not implemented");
2535
2536 default:
2537 abort();
2538 }
2539 b0 = gen_linktype(ETHERTYPE_DN);
2540 /* Check for pad = 1, long header case */
2541 tmp = gen_mcmp(base_off + 2, BPF_H,
2542 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
2543 b1 = gen_cmp(base_off + 2 + 1 + offset_lh,
2544 BPF_H, (bpf_int32)ntohs(addr));
2545 gen_and(tmp, b1);
2546 /* Check for pad = 0, long header case */
2547 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
2548 b2 = gen_cmp(base_off + 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
2549 gen_and(tmp, b2);
2550 gen_or(b2, b1);
2551 /* Check for pad = 1, short header case */
2552 tmp = gen_mcmp(base_off + 2, BPF_H,
2553 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
2554 b2 = gen_cmp(base_off + 2 + 1 + offset_sh,
2555 BPF_H, (bpf_int32)ntohs(addr));
2556 gen_and(tmp, b2);
2557 gen_or(b2, b1);
2558 /* Check for pad = 0, short header case */
2559 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
2560 b2 = gen_cmp(base_off + 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
2561 gen_and(tmp, b2);
2562 gen_or(b2, b1);
2563
2564 /* Combine with test for linktype */
2565 gen_and(b0, b1);
2566 return b1;
2567 }
2568
2569 static struct block *
2570 gen_host(addr, mask, proto, dir)
2571 bpf_u_int32 addr;
2572 bpf_u_int32 mask;
2573 int proto;
2574 int dir;
2575 {
2576 struct block *b0, *b1;
2577
2578 switch (proto) {
2579
2580 case Q_DEFAULT:
2581 b0 = gen_host(addr, mask, Q_IP, dir);
2582 if (off_linktype != (u_int)-1) {
2583 b1 = gen_host(addr, mask, Q_ARP, dir);
2584 gen_or(b0, b1);
2585 b0 = gen_host(addr, mask, Q_RARP, dir);
2586 gen_or(b1, b0);
2587 }
2588 return b0;
2589
2590 case Q_IP:
2591 return gen_hostop(addr, mask, dir, ETHERTYPE_IP,
2592 off_nl + 12, off_nl + 16);
2593
2594 case Q_RARP:
2595 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP,
2596 off_nl + 14, off_nl + 24);
2597
2598 case Q_ARP:
2599 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP,
2600 off_nl + 14, off_nl + 24);
2601
2602 case Q_TCP:
2603 bpf_error("'tcp' modifier applied to host");
2604
2605 case Q_SCTP:
2606 bpf_error("'sctp' modifier applied to host");
2607
2608 case Q_UDP:
2609 bpf_error("'udp' modifier applied to host");
2610
2611 case Q_ICMP:
2612 bpf_error("'icmp' modifier applied to host");
2613
2614 case Q_IGMP:
2615 bpf_error("'igmp' modifier applied to host");
2616
2617 case Q_IGRP:
2618 bpf_error("'igrp' modifier applied to host");
2619
2620 case Q_PIM:
2621 bpf_error("'pim' modifier applied to host");
2622
2623 case Q_VRRP:
2624 bpf_error("'vrrp' modifier applied to host");
2625
2626 case Q_ATALK:
2627 bpf_error("ATALK host filtering not implemented");
2628
2629 case Q_AARP:
2630 bpf_error("AARP host filtering not implemented");
2631
2632 case Q_DECNET:
2633 return gen_dnhostop(addr, dir, off_nl);
2634
2635 case Q_SCA:
2636 bpf_error("SCA host filtering not implemented");
2637
2638 case Q_LAT:
2639 bpf_error("LAT host filtering not implemented");
2640
2641 case Q_MOPDL:
2642 bpf_error("MOPDL host filtering not implemented");
2643
2644 case Q_MOPRC:
2645 bpf_error("MOPRC host filtering not implemented");
2646
2647 #ifdef INET6
2648 case Q_IPV6:
2649 bpf_error("'ip6' modifier applied to ip host");
2650
2651 case Q_ICMPV6:
2652 bpf_error("'icmp6' modifier applied to host");
2653 #endif /* INET6 */
2654
2655 case Q_AH:
2656 bpf_error("'ah' modifier applied to host");
2657
2658 case Q_ESP:
2659 bpf_error("'esp' modifier applied to host");
2660
2661 case Q_ISO:
2662 bpf_error("ISO host filtering not implemented");
2663
2664 case Q_ESIS:
2665 bpf_error("'esis' modifier applied to host");
2666
2667 case Q_ISIS:
2668 bpf_error("'isis' modifier applied to host");
2669
2670 case Q_CLNP:
2671 bpf_error("'clnp' modifier applied to host");
2672
2673 case Q_STP:
2674 bpf_error("'stp' modifier applied to host");
2675
2676 case Q_IPX:
2677 bpf_error("IPX host filtering not implemented");
2678
2679 case Q_NETBEUI:
2680 bpf_error("'netbeui' modifier applied to host");
2681
2682 default:
2683 abort();
2684 }
2685 /* NOTREACHED */
2686 }
2687
2688 #ifdef INET6
2689 static struct block *
2690 gen_host6(addr, mask, proto, dir)
2691 struct in6_addr *addr;
2692 struct in6_addr *mask;
2693 int proto;
2694 int dir;
2695 {
2696 switch (proto) {
2697
2698 case Q_DEFAULT:
2699 return gen_host6(addr, mask, Q_IPV6, dir);
2700
2701 case Q_IP:
2702 bpf_error("'ip' modifier applied to ip6 host");
2703
2704 case Q_RARP:
2705 bpf_error("'rarp' modifier applied to ip6 host");
2706
2707 case Q_ARP:
2708 bpf_error("'arp' modifier applied to ip6 host");
2709
2710 case Q_SCTP:
2711 bpf_error("'sctp' modifier applied to host");
2712
2713 case Q_TCP:
2714 bpf_error("'tcp' modifier applied to host");
2715
2716 case Q_UDP:
2717 bpf_error("'udp' modifier applied to host");
2718
2719 case Q_ICMP:
2720 bpf_error("'icmp' modifier applied to host");
2721
2722 case Q_IGMP:
2723 bpf_error("'igmp' modifier applied to host");
2724
2725 case Q_IGRP:
2726 bpf_error("'igrp' modifier applied to host");
2727
2728 case Q_PIM:
2729 bpf_error("'pim' modifier applied to host");
2730
2731 case Q_VRRP:
2732 bpf_error("'vrrp' modifier applied to host");
2733
2734 case Q_ATALK:
2735 bpf_error("ATALK host filtering not implemented");
2736
2737 case Q_AARP:
2738 bpf_error("AARP host filtering not implemented");
2739
2740 case Q_DECNET:
2741 bpf_error("'decnet' modifier applied to ip6 host");
2742
2743 case Q_SCA:
2744 bpf_error("SCA host filtering not implemented");
2745
2746 case Q_LAT:
2747 bpf_error("LAT host filtering not implemented");
2748
2749 case Q_MOPDL:
2750 bpf_error("MOPDL host filtering not implemented");
2751
2752 case Q_MOPRC:
2753 bpf_error("MOPRC host filtering not implemented");
2754
2755 case Q_IPV6:
2756 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6,
2757 off_nl + 8, off_nl + 24);
2758
2759 case Q_ICMPV6:
2760 bpf_error("'icmp6' modifier applied to host");
2761
2762 case Q_AH:
2763 bpf_error("'ah' modifier applied to host");
2764
2765 case Q_ESP:
2766 bpf_error("'esp' modifier applied to host");
2767
2768 case Q_ISO:
2769 bpf_error("ISO host filtering not implemented");
2770
2771 case Q_ESIS:
2772 bpf_error("'esis' modifier applied to host");
2773
2774 case Q_ISIS:
2775 bpf_error("'isis' modifier applied to host");
2776
2777 case Q_CLNP:
2778 bpf_error("'clnp' modifier applied to host");
2779
2780 case Q_STP:
2781 bpf_error("'stp' modifier applied to host");
2782
2783 case Q_IPX:
2784 bpf_error("IPX host filtering not implemented");
2785
2786 case Q_NETBEUI:
2787 bpf_error("'netbeui' modifier applied to host");
2788
2789 default:
2790 abort();
2791 }
2792 /* NOTREACHED */
2793 }
2794 #endif /*INET6*/
2795
2796 #ifndef INET6
2797 static struct block *
2798 gen_gateway(eaddr, alist, proto, dir)
2799 const u_char *eaddr;
2800 bpf_u_int32 **alist;
2801 int proto;
2802 int dir;
2803 {
2804 struct block *b0, *b1, *tmp;
2805
2806 if (dir != 0)
2807 bpf_error("direction applied to 'gateway'");
2808
2809 switch (proto) {
2810 case Q_DEFAULT:
2811 case Q_IP:
2812 case Q_ARP:
2813 case Q_RARP:
2814 if (linktype == DLT_EN10MB)
2815 b0 = gen_ehostop(eaddr, Q_OR);
2816 else if (linktype == DLT_FDDI)
2817 b0 = gen_fhostop(eaddr, Q_OR);
2818 else if (linktype == DLT_IEEE802)
2819 b0 = gen_thostop(eaddr, Q_OR);
2820 else if (linktype == DLT_IEEE802_11)
2821 b0 = gen_wlanhostop(eaddr, Q_OR);
2822 else if (linktype == DLT_SUNATM && is_lane) {
2823 /*
2824 * Check that the packet doesn't begin with an
2825 * LE Control marker. (We've already generated
2826 * a test for LANE.)
2827 */
2828 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
2829 gen_not(b1);
2830
2831 /*
2832 * Now check the MAC address.
2833 */
2834 b0 = gen_ehostop(eaddr, Q_OR);
2835 gen_and(b1, b0);
2836 } else if (linktype == DLT_IP_OVER_FC)
2837 b0 = gen_ipfchostop(eaddr, Q_OR);
2838 else
2839 bpf_error(
2840 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
2841
2842 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2843 while (*alist) {
2844 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2845 gen_or(b1, tmp);
2846 b1 = tmp;
2847 }
2848 gen_not(b1);
2849 gen_and(b0, b1);
2850 return b1;
2851 }
2852 bpf_error("illegal modifier of 'gateway'");
2853 /* NOTREACHED */
2854 }
2855 #endif
2856
2857 struct block *
2858 gen_proto_abbrev(proto)
2859 int proto;
2860 {
2861 struct block *b0;
2862 struct block *b1;
2863
2864 switch (proto) {
2865
2866 case Q_SCTP:
2867 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
2868 #ifdef INET6
2869 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
2870 gen_or(b0, b1);
2871 #endif
2872 break;
2873
2874 case Q_TCP:
2875 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
2876 #ifdef INET6
2877 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
2878 gen_or(b0, b1);
2879 #endif
2880 break;
2881
2882 case Q_UDP:
2883 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
2884 #ifdef INET6
2885 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
2886 gen_or(b0, b1);
2887 #endif
2888 break;
2889
2890 case Q_ICMP:
2891 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
2892 break;
2893
2894 #ifndef IPPROTO_IGMP
2895 #define IPPROTO_IGMP 2
2896 #endif
2897
2898 case Q_IGMP:
2899 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
2900 break;
2901
2902 #ifndef IPPROTO_IGRP
2903 #define IPPROTO_IGRP 9
2904 #endif
2905 case Q_IGRP:
2906 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
2907 break;
2908
2909 #ifndef IPPROTO_PIM
2910 #define IPPROTO_PIM 103
2911 #endif
2912
2913 case Q_PIM:
2914 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
2915 #ifdef INET6
2916 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
2917 gen_or(b0, b1);
2918 #endif
2919 break;
2920
2921 #ifndef IPPROTO_VRRP
2922 #define IPPROTO_VRRP 112
2923 #endif
2924
2925 case Q_VRRP:
2926 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
2927 break;
2928
2929 case Q_IP:
2930 b1 = gen_linktype(ETHERTYPE_IP);
2931 break;
2932
2933 case Q_ARP:
2934 b1 = gen_linktype(ETHERTYPE_ARP);
2935 break;
2936
2937 case Q_RARP:
2938 b1 = gen_linktype(ETHERTYPE_REVARP);
2939 break;
2940
2941 case Q_LINK:
2942 bpf_error("link layer applied in wrong context");
2943
2944 case Q_ATALK:
2945 b1 = gen_linktype(ETHERTYPE_ATALK);
2946 break;
2947
2948 case Q_AARP:
2949 b1 = gen_linktype(ETHERTYPE_AARP);
2950 break;
2951
2952 case Q_DECNET:
2953 b1 = gen_linktype(ETHERTYPE_DN);
2954 break;
2955
2956 case Q_SCA:
2957 b1 = gen_linktype(ETHERTYPE_SCA);
2958 break;
2959
2960 case Q_LAT:
2961 b1 = gen_linktype(ETHERTYPE_LAT);
2962 break;
2963
2964 case Q_MOPDL:
2965 b1 = gen_linktype(ETHERTYPE_MOPDL);
2966 break;
2967
2968 case Q_MOPRC:
2969 b1 = gen_linktype(ETHERTYPE_MOPRC);
2970 break;
2971
2972 #ifdef INET6
2973 case Q_IPV6:
2974 b1 = gen_linktype(ETHERTYPE_IPV6);
2975 break;
2976
2977 #ifndef IPPROTO_ICMPV6
2978 #define IPPROTO_ICMPV6 58
2979 #endif
2980 case Q_ICMPV6:
2981 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
2982 break;
2983 #endif /* INET6 */
2984
2985 #ifndef IPPROTO_AH
2986 #define IPPROTO_AH 51
2987 #endif
2988 case Q_AH:
2989 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
2990 #ifdef INET6
2991 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
2992 gen_or(b0, b1);
2993 #endif
2994 break;
2995
2996 #ifndef IPPROTO_ESP
2997 #define IPPROTO_ESP 50
2998 #endif
2999 case Q_ESP:
3000 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3001 #ifdef INET6
3002 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3003 gen_or(b0, b1);
3004 #endif
3005 break;
3006
3007 case Q_ISO:
3008 b1 = gen_linktype(LLCSAP_ISONS);
3009 break;
3010
3011 case Q_ESIS:
3012 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3013 break;
3014
3015 case Q_ISIS:
3016 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3017 break;
3018
3019 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3020 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3021 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3022 gen_or(b0, b1);
3023 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3024 gen_or(b0, b1);
3025 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3026 gen_or(b0, b1);
3027 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3028 gen_or(b0, b1);
3029 break;
3030
3031 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3032 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3033 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3034 gen_or(b0, b1);
3035 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3036 gen_or(b0, b1);
3037 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3038 gen_or(b0, b1);
3039 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3040 gen_or(b0, b1);
3041 break;
3042
3043 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3044 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3045 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3046 gen_or(b0, b1);
3047 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3048 gen_or(b0, b1);
3049 break;
3050
3051 case Q_ISIS_LSP:
3052 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3053 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3054 gen_or(b0, b1);
3055 break;
3056
3057 case Q_ISIS_SNP:
3058 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3059 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3060 gen_or(b0, b1);
3061 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3062 gen_or(b0, b1);
3063 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3064 gen_or(b0, b1);
3065 break;
3066
3067 case Q_ISIS_CSNP:
3068 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3069 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3070 gen_or(b0, b1);
3071 break;
3072
3073 case Q_ISIS_PSNP:
3074 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3075 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3076 gen_or(b0, b1);
3077 break;
3078
3079 case Q_CLNP:
3080 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3081 break;
3082
3083 case Q_STP:
3084 b1 = gen_linktype(LLCSAP_8021D);
3085 break;
3086
3087 case Q_IPX:
3088 b1 = gen_linktype(LLCSAP_IPX);
3089 break;
3090
3091 case Q_NETBEUI:
3092 b1 = gen_linktype(LLCSAP_NETBEUI);
3093 break;
3094
3095 default:
3096 abort();
3097 }
3098 return b1;
3099 }
3100
3101 static struct block *
3102 gen_ipfrag()
3103 {
3104 struct slist *s;
3105 struct block *b;
3106
3107 /* not ip frag */
3108 s = new_stmt(BPF_LD|BPF_H|BPF_ABS);
3109 s->s.k = off_nl + 6;
3110 b = new_block(JMP(BPF_JSET));
3111 b->s.k = 0x1fff;
3112 b->stmts = s;
3113 gen_not(b);
3114
3115 return b;
3116 }
3117
3118 static struct block *
3119 gen_portatom(off, v)
3120 int off;
3121 bpf_int32 v;
3122 {
3123 struct slist *s;
3124 struct block *b;
3125
3126 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3127 s->s.k = off_nl;
3128
3129 s->next = new_stmt(BPF_LD|BPF_IND|BPF_H);
3130 s->next->s.k = off_nl + off;
3131
3132 b = new_block(JMP(BPF_JEQ));
3133 b->stmts = s;
3134 b->s.k = v;
3135
3136 return b;
3137 }
3138
3139 #ifdef INET6
3140 static struct block *
3141 gen_portatom6(off, v)
3142 int off;
3143 bpf_int32 v;
3144 {
3145 return gen_cmp(off_nl + 40 + off, BPF_H, v);
3146 }
3147 #endif/*INET6*/
3148
3149 struct block *
3150 gen_portop(port, proto, dir)
3151 int port, proto, dir;
3152 {
3153 struct block *b0, *b1, *tmp;
3154
3155 /* ip proto 'proto' */
3156 tmp = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)proto);
3157 b0 = gen_ipfrag();
3158 gen_and(tmp, b0);
3159
3160 switch (dir) {
3161 case Q_SRC:
3162 b1 = gen_portatom(0, (bpf_int32)port);
3163 break;
3164
3165 case Q_DST:
3166 b1 = gen_portatom(2, (bpf_int32)port);
3167 break;
3168
3169 case Q_OR:
3170 case Q_DEFAULT:
3171 tmp = gen_portatom(0, (bpf_int32)port);
3172 b1 = gen_portatom(2, (bpf_int32)port);
3173 gen_or(tmp, b1);
3174 break;
3175
3176 case Q_AND:
3177 tmp = gen_portatom(0, (bpf_int32)port);
3178 b1 = gen_portatom(2, (bpf_int32)port);
3179 gen_and(tmp, b1);
3180 break;
3181
3182 default:
3183 abort();
3184 }
3185 gen_and(b0, b1);
3186
3187 return b1;
3188 }
3189
3190 static struct block *
3191 gen_port(port, ip_proto, dir)
3192 int port;
3193 int ip_proto;
3194 int dir;
3195 {
3196 struct block *b0, *b1, *tmp;
3197
3198 /*
3199 * ether proto ip
3200 *
3201 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3202 * not LLC encapsulation with LLCSAP_IP.
3203 *
3204 * For IEEE 802 networks - which includes 802.5 token ring
3205 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3206 * says that SNAP encapsulation is used, not LLC encapsulation
3207 * with LLCSAP_IP.
3208 *
3209 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3210 * RFC 2225 say that SNAP encapsulation is used, not LLC
3211 * encapsulation with LLCSAP_IP.
3212 *
3213 * So we always check for ETHERTYPE_IP.
3214 */
3215 b0 = gen_linktype(ETHERTYPE_IP);
3216
3217 switch (ip_proto) {
3218 case IPPROTO_UDP:
3219 case IPPROTO_TCP:
3220 case IPPROTO_SCTP:
3221 b1 = gen_portop(port, ip_proto, dir);
3222 break;
3223
3224 case PROTO_UNDEF:
3225 tmp = gen_portop(port, IPPROTO_TCP, dir);
3226 b1 = gen_portop(port, IPPROTO_UDP, dir);
3227 gen_or(tmp, b1);
3228 tmp = gen_portop(port, IPPROTO_SCTP, dir);
3229 gen_or(tmp, b1);
3230 break;
3231
3232 default:
3233 abort();
3234 }
3235 gen_and(b0, b1);
3236 return b1;
3237 }
3238
3239 #ifdef INET6
3240 struct block *
3241 gen_portop6(port, proto, dir)
3242 int port, proto, dir;
3243 {
3244 struct block *b0, *b1, *tmp;
3245
3246 /* ip proto 'proto' */
3247 b0 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)proto);
3248
3249 switch (dir) {
3250 case Q_SRC:
3251 b1 = gen_portatom6(0, (bpf_int32)port);
3252 break;
3253
3254 case Q_DST:
3255 b1 = gen_portatom6(2, (bpf_int32)port);
3256 break;
3257
3258 case Q_OR:
3259 case Q_DEFAULT:
3260 tmp = gen_portatom6(0, (bpf_int32)port);
3261 b1 = gen_portatom6(2, (bpf_int32)port);
3262 gen_or(tmp, b1);
3263 break;
3264
3265 case Q_AND:
3266 tmp = gen_portatom6(0, (bpf_int32)port);
3267 b1 = gen_portatom6(2, (bpf_int32)port);
3268 gen_and(tmp, b1);
3269 break;
3270
3271 default:
3272 abort();
3273 }
3274 gen_and(b0, b1);
3275
3276 return b1;
3277 }
3278
3279 static struct block *
3280 gen_port6(port, ip_proto, dir)
3281 int port;
3282 int ip_proto;
3283 int dir;
3284 {
3285 struct block *b0, *b1, *tmp;
3286
3287 /* ether proto ip */
3288 b0 = gen_linktype(ETHERTYPE_IPV6);
3289
3290 switch (ip_proto) {
3291 case IPPROTO_UDP:
3292 case IPPROTO_TCP:
3293 case IPPROTO_SCTP:
3294 b1 = gen_portop6(port, ip_proto, dir);
3295 break;
3296
3297 case PROTO_UNDEF:
3298 tmp = gen_portop6(port, IPPROTO_TCP, dir);
3299 b1 = gen_portop6(port, IPPROTO_UDP, dir);
3300 gen_or(tmp, b1);
3301 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
3302 gen_or(tmp, b1);
3303 break;
3304
3305 default:
3306 abort();
3307 }
3308 gen_and(b0, b1);
3309 return b1;
3310 }
3311 #endif /* INET6 */
3312
3313 static int
3314 lookup_proto(name, proto)
3315 register const char *name;
3316 register int proto;
3317 {
3318 register int v;
3319
3320 switch (proto) {
3321
3322 case Q_DEFAULT:
3323 case Q_IP:
3324 case Q_IPV6:
3325 v = pcap_nametoproto(name);
3326 if (v == PROTO_UNDEF)
3327 bpf_error("unknown ip proto '%s'", name);
3328 break;
3329
3330 case Q_LINK:
3331 /* XXX should look up h/w protocol type based on linktype */
3332 v = pcap_nametoeproto(name);
3333 if (v == PROTO_UNDEF)
3334 bpf_error("unknown ether proto '%s'", name);
3335 break;
3336
3337 case Q_ISO:
3338 if (strcmp(name, "esis") == 0)
3339 v = ISO9542_ESIS;
3340 else if (strcmp(name, "isis") == 0)
3341 v = ISO10589_ISIS;
3342 else if (strcmp(name, "clnp") == 0)
3343 v = ISO8473_CLNP;
3344 else
3345 bpf_error("unknown osi proto '%s'", name);
3346 break;
3347
3348 default:
3349 v = PROTO_UNDEF;
3350 break;
3351 }
3352 return v;
3353 }
3354
3355 #if 0
3356 struct stmt *
3357 gen_joinsp(s, n)
3358 struct stmt **s;
3359 int n;
3360 {
3361 return NULL;
3362 }
3363 #endif
3364
3365 static struct block *
3366 gen_protochain(v, proto, dir)
3367 int v;
3368 int proto;
3369 int dir;
3370 {
3371 #ifdef NO_PROTOCHAIN
3372 return gen_proto(v, proto, dir);
3373 #else
3374 struct block *b0, *b;
3375 struct slist *s[100];
3376 int fix2, fix3, fix4, fix5;
3377 int ahcheck, again, end;
3378 int i, max;
3379 int reg2 = alloc_reg();
3380
3381 memset(s, 0, sizeof(s));
3382 fix2 = fix3 = fix4 = fix5 = 0;
3383
3384 switch (proto) {
3385 case Q_IP:
3386 case Q_IPV6:
3387 break;
3388 case Q_DEFAULT:
3389 b0 = gen_protochain(v, Q_IP, dir);
3390 b = gen_protochain(v, Q_IPV6, dir);
3391 gen_or(b0, b);
3392 return b;
3393 default:
3394 bpf_error("bad protocol applied for 'protochain'");
3395 /*NOTREACHED*/
3396 }
3397
3398 no_optimize = 1; /*this code is not compatible with optimzer yet */
3399
3400 /*
3401 * s[0] is a dummy entry to protect other BPF insn from damaged
3402 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
3403 * hard to find interdependency made by jump table fixup.
3404 */
3405 i = 0;
3406 s[i] = new_stmt(0); /*dummy*/
3407 i++;
3408
3409 switch (proto) {
3410 case Q_IP:
3411 b0 = gen_linktype(ETHERTYPE_IP);
3412
3413 /* A = ip->ip_p */
3414 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3415 s[i]->s.k = off_nl + 9;
3416 i++;
3417 /* X = ip->ip_hl << 2 */
3418 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3419 s[i]->s.k = off_nl;
3420 i++;
3421 break;
3422 #ifdef INET6
3423 case Q_IPV6:
3424 b0 = gen_linktype(ETHERTYPE_IPV6);
3425
3426 /* A = ip6->ip_nxt */
3427 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3428 s[i]->s.k = off_nl + 6;
3429 i++;
3430 /* X = sizeof(struct ip6_hdr) */
3431 s[i] = new_stmt(BPF_LDX|BPF_IMM);
3432 s[i]->s.k = 40;
3433 i++;
3434 break;
3435 #endif
3436 default:
3437 bpf_error("unsupported proto to gen_protochain");
3438 /*NOTREACHED*/
3439 }
3440
3441 /* again: if (A == v) goto end; else fall through; */
3442 again = i;
3443 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3444 s[i]->s.k = v;
3445 s[i]->s.jt = NULL; /*later*/
3446 s[i]->s.jf = NULL; /*update in next stmt*/
3447 fix5 = i;
3448 i++;
3449
3450 #ifndef IPPROTO_NONE
3451 #define IPPROTO_NONE 59
3452 #endif
3453 /* if (A == IPPROTO_NONE) goto end */
3454 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3455 s[i]->s.jt = NULL; /*later*/
3456 s[i]->s.jf = NULL; /*update in next stmt*/
3457 s[i]->s.k = IPPROTO_NONE;
3458 s[fix5]->s.jf = s[i];
3459 fix2 = i;
3460 i++;
3461
3462 #ifdef INET6
3463 if (proto == Q_IPV6) {
3464 int v6start, v6end, v6advance, j;
3465
3466 v6start = i;
3467 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
3468 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3469 s[i]->s.jt = NULL; /*later*/
3470 s[i]->s.jf = NULL; /*update in next stmt*/
3471 s[i]->s.k = IPPROTO_HOPOPTS;
3472 s[fix2]->s.jf = s[i];
3473 i++;
3474 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
3475 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3476 s[i]->s.jt = NULL; /*later*/
3477 s[i]->s.jf = NULL; /*update in next stmt*/
3478 s[i]->s.k = IPPROTO_DSTOPTS;
3479 i++;
3480 /* if (A == IPPROTO_ROUTING) goto v6advance */
3481 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3482 s[i]->s.jt = NULL; /*later*/
3483 s[i]->s.jf = NULL; /*update in next stmt*/
3484 s[i]->s.k = IPPROTO_ROUTING;
3485 i++;
3486 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
3487 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3488 s[i]->s.jt = NULL; /*later*/
3489 s[i]->s.jf = NULL; /*later*/
3490 s[i]->s.k = IPPROTO_FRAGMENT;
3491 fix3 = i;
3492 v6end = i;
3493 i++;
3494
3495 /* v6advance: */
3496 v6advance = i;
3497
3498 /*
3499 * in short,
3500 * A = P[X];
3501 * X = X + (P[X + 1] + 1) * 8;
3502 */
3503 /* A = X */
3504 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3505 i++;
3506 /* A = P[X + packet head] */
3507 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3508 s[i]->s.k = off_nl;
3509 i++;
3510 /* MEM[reg2] = A */
3511 s[i] = new_stmt(BPF_ST);
3512 s[i]->s.k = reg2;
3513 i++;
3514 /* A = X */
3515 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3516 i++;
3517 /* A += 1 */
3518 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3519 s[i]->s.k = 1;
3520 i++;
3521 /* X = A */
3522 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3523 i++;
3524 /* A = P[X + packet head]; */
3525 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3526 s[i]->s.k = off_nl;
3527 i++;
3528 /* A += 1 */
3529 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3530 s[i]->s.k = 1;
3531 i++;
3532 /* A *= 8 */
3533 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3534 s[i]->s.k = 8;
3535 i++;
3536 /* X = A; */
3537 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3538 i++;
3539 /* A = MEM[reg2] */
3540 s[i] = new_stmt(BPF_LD|BPF_MEM);
3541 s[i]->s.k = reg2;
3542 i++;
3543
3544 /* goto again; (must use BPF_JA for backward jump) */
3545 s[i] = new_stmt(BPF_JMP|BPF_JA);
3546 s[i]->s.k = again - i - 1;
3547 s[i - 1]->s.jf = s[i];
3548 i++;
3549
3550 /* fixup */
3551 for (j = v6start; j <= v6end; j++)
3552 s[j]->s.jt = s[v6advance];
3553 } else
3554 #endif
3555 {
3556 /* nop */
3557 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3558 s[i]->s.k = 0;
3559 s[fix2]->s.jf = s[i];
3560 i++;
3561 }
3562
3563 /* ahcheck: */
3564 ahcheck = i;
3565 /* if (A == IPPROTO_AH) then fall through; else goto end; */
3566 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3567 s[i]->s.jt = NULL; /*later*/
3568 s[i]->s.jf = NULL; /*later*/
3569 s[i]->s.k = IPPROTO_AH;
3570 if (fix3)
3571 s[fix3]->s.jf = s[ahcheck];
3572 fix4 = i;
3573 i++;
3574
3575 /*
3576 * in short,
3577 * A = P[X];
3578 * X = X + (P[X + 1] + 2) * 4;
3579 */
3580 /* A = X */
3581 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3582 i++;
3583 /* A = P[X + packet head]; */
3584 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3585 s[i]->s.k = off_nl;
3586 i++;
3587 /* MEM[reg2] = A */
3588 s[i] = new_stmt(BPF_ST);
3589 s[i]->s.k = reg2;
3590 i++;
3591 /* A = X */
3592 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3593 i++;
3594 /* A += 1 */
3595 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3596 s[i]->s.k = 1;
3597 i++;
3598 /* X = A */
3599 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3600 i++;
3601 /* A = P[X + packet head] */
3602 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3603 s[i]->s.k = off_nl;
3604 i++;
3605 /* A += 2 */
3606 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3607 s[i]->s.k = 2;
3608 i++;
3609 /* A *= 4 */
3610 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3611 s[i]->s.k = 4;
3612 i++;
3613 /* X = A; */
3614 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3615 i++;
3616 /* A = MEM[reg2] */
3617 s[i] = new_stmt(BPF_LD|BPF_MEM);
3618 s[i]->s.k = reg2;
3619 i++;
3620
3621 /* goto again; (must use BPF_JA for backward jump) */
3622 s[i] = new_stmt(BPF_JMP|BPF_JA);
3623 s[i]->s.k = again - i - 1;
3624 i++;
3625
3626 /* end: nop */
3627 end = i;
3628 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3629 s[i]->s.k = 0;
3630 s[fix2]->s.jt = s[end];
3631 s[fix4]->s.jf = s[end];
3632 s[fix5]->s.jt = s[end];
3633 i++;
3634
3635 /*
3636 * make slist chain
3637 */
3638 max = i;
3639 for (i = 0; i < max - 1; i++)
3640 s[i]->next = s[i + 1];
3641 s[max - 1]->next = NULL;
3642
3643 /*
3644 * emit final check
3645 */
3646 b = new_block(JMP(BPF_JEQ));
3647 b->stmts = s[1]; /*remember, s[0] is dummy*/
3648 b->s.k = v;
3649
3650 free_reg(reg2);
3651
3652 gen_and(b0, b);
3653 return b;
3654 #endif
3655 }
3656
3657 static struct block *
3658 gen_proto(v, proto, dir)
3659 int v;
3660 int proto;
3661 int dir;
3662 {
3663 struct block *b0, *b1;
3664
3665 if (dir != Q_DEFAULT)
3666 bpf_error("direction applied to 'proto'");
3667
3668 switch (proto) {
3669 case Q_DEFAULT:
3670 #ifdef INET6
3671 b0 = gen_proto(v, Q_IP, dir);
3672 b1 = gen_proto(v, Q_IPV6, dir);
3673 gen_or(b0, b1);
3674 return b1;
3675 #else
3676 /*FALLTHROUGH*/
3677 #endif
3678 case Q_IP:
3679 /*
3680 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3681 * not LLC encapsulation with LLCSAP_IP.
3682 *
3683 * For IEEE 802 networks - which includes 802.5 token ring
3684 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3685 * says that SNAP encapsulation is used, not LLC encapsulation
3686 * with LLCSAP_IP.
3687 *
3688 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3689 * RFC 2225 say that SNAP encapsulation is used, not LLC
3690 * encapsulation with LLCSAP_IP.
3691 *
3692 * So we always check for ETHERTYPE_IP.
3693 */
3694 b0 = gen_linktype(ETHERTYPE_IP);
3695 #ifndef CHASE_CHAIN
3696 b1 = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)v);
3697 #else
3698 b1 = gen_protochain(v, Q_IP);
3699 #endif
3700 gen_and(b0, b1);
3701 return b1;
3702
3703 case Q_ISO:
3704 switch (linktype) {
3705
3706 case DLT_FRELAY:
3707 /*
3708 * Frame Relay packets typically have an OSI
3709 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
3710 * generates code to check for all the OSI
3711 * NLPIDs, so calling it and then adding a check
3712 * for the particular NLPID for which we're
3713 * looking is bogus, as we can just check for
3714 * the NLPID.
3715 *
3716 * What we check for is the NLPID and a frame
3717 * control field value of UI, i.e. 0x03 followed
3718 * by the NLPID.
3719 *
3720 * XXX - assumes a 2-byte Frame Relay header with
3721 * DLCI and flags. What if the address is longer?
3722 *
3723 * XXX - what about SNAP-encapsulated frames?
3724 */
3725 return gen_cmp(2, BPF_H, (0x03<<8) | v);
3726 /*NOTREACHED*/
3727 break;
3728
3729 case DLT_C_HDLC:
3730 /*
3731 * Cisco uses an Ethertype lookalike - for OSI,
3732 * it's 0xfefe.
3733 */
3734 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
3735 /* OSI in C-HDLC is stuffed with a fudge byte */
3736 b1 = gen_cmp(off_nl_nosnap+1, BPF_B, (long)v);
3737 gen_and(b0, b1);
3738 return b1;
3739
3740 default:
3741 b0 = gen_linktype(LLCSAP_ISONS);
3742 b1 = gen_cmp(off_nl_nosnap, BPF_B, (long)v);
3743 gen_and(b0, b1);
3744 return b1;
3745 }
3746
3747 case Q_ISIS:
3748 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3749 /*
3750 * 4 is the offset of the PDU type relative to the IS-IS
3751 * header.
3752 */
3753 b1 = gen_cmp(off_nl_nosnap+4, BPF_B, (long)v);
3754 gen_and(b0, b1);
3755 return b1;
3756
3757 case Q_ARP:
3758 bpf_error("arp does not encapsulate another protocol");
3759 /* NOTREACHED */
3760
3761 case Q_RARP:
3762 bpf_error("rarp does not encapsulate another protocol");
3763 /* NOTREACHED */
3764
3765 case Q_ATALK:
3766 bpf_error("atalk encapsulation is not specifiable");
3767 /* NOTREACHED */
3768
3769 case Q_DECNET:
3770 bpf_error("decnet encapsulation is not specifiable");
3771 /* NOTREACHED */
3772
3773 case Q_SCA:
3774 bpf_error("sca does not encapsulate another protocol");
3775 /* NOTREACHED */
3776
3777 case Q_LAT:
3778 bpf_error("lat does not encapsulate another protocol");
3779 /* NOTREACHED */
3780
3781 case Q_MOPRC:
3782 bpf_error("moprc does not encapsulate another protocol");
3783 /* NOTREACHED */
3784
3785 case Q_MOPDL:
3786 bpf_error("mopdl does not encapsulate another protocol");
3787 /* NOTREACHED */
3788
3789 case Q_LINK:
3790 return gen_linktype(v);
3791
3792 case Q_UDP:
3793 bpf_error("'udp proto' is bogus");
3794 /* NOTREACHED */
3795
3796 case Q_TCP:
3797 bpf_error("'tcp proto' is bogus");
3798 /* NOTREACHED */
3799
3800 case Q_SCTP:
3801 bpf_error("'sctp proto' is bogus");
3802 /* NOTREACHED */
3803
3804 case Q_ICMP:
3805 bpf_error("'icmp proto' is bogus");
3806 /* NOTREACHED */
3807
3808 case Q_IGMP:
3809 bpf_error("'igmp proto' is bogus");
3810 /* NOTREACHED */
3811
3812 case Q_IGRP:
3813 bpf_error("'igrp proto' is bogus");
3814 /* NOTREACHED */
3815
3816 case Q_PIM:
3817 bpf_error("'pim proto' is bogus");
3818 /* NOTREACHED */
3819
3820 case Q_VRRP:
3821 bpf_error("'vrrp proto' is bogus");
3822 /* NOTREACHED */
3823
3824 #ifdef INET6
3825 case Q_IPV6:
3826 b0 = gen_linktype(ETHERTYPE_IPV6);
3827 #ifndef CHASE_CHAIN
3828 b1 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)v);
3829 #else
3830 b1 = gen_protochain(v, Q_IPV6);
3831 #endif
3832 gen_and(b0, b1);
3833 return b1;
3834
3835 case Q_ICMPV6:
3836 bpf_error("'icmp6 proto' is bogus");
3837 #endif /* INET6 */
3838
3839 case Q_AH:
3840 bpf_error("'ah proto' is bogus");
3841
3842 case Q_ESP:
3843 bpf_error("'ah proto' is bogus");
3844
3845 case Q_STP:
3846 bpf_error("'stp proto' is bogus");
3847
3848 case Q_IPX:
3849 bpf_error("'ipx proto' is bogus");
3850
3851 case Q_NETBEUI:
3852 bpf_error("'netbeui proto' is bogus");
3853
3854 default:
3855 abort();
3856 /* NOTREACHED */
3857 }
3858 /* NOTREACHED */
3859 }
3860
3861 struct block *
3862 gen_scode(name, q)
3863 register const char *name;
3864 struct qual q;
3865 {
3866 int proto = q.proto;
3867 int dir = q.dir;
3868 int tproto;
3869 u_char *eaddr;
3870 bpf_u_int32 mask, addr;
3871 #ifndef INET6
3872 bpf_u_int32 **alist;
3873 #else
3874 int tproto6;
3875 struct sockaddr_in *sin;
3876 struct sockaddr_in6 *sin6;
3877 struct addrinfo *res, *res0;
3878 struct in6_addr mask128;
3879 #endif /*INET6*/
3880 struct block *b, *tmp;
3881 int port, real_proto;
3882
3883 switch (q.addr) {
3884
3885 case Q_NET:
3886 addr = pcap_nametonetaddr(name);
3887 if (addr == 0)
3888 bpf_error("unknown network '%s'", name);
3889 /* Left justify network addr and calculate its network mask */
3890 mask = 0xffffffff;
3891 while (addr && (addr & 0xff000000) == 0) {
3892 addr <<= 8;
3893 mask <<= 8;
3894 }
3895 return gen_host(addr, mask, proto, dir);
3896
3897 case Q_DEFAULT:
3898 case Q_HOST:
3899 if (proto == Q_LINK) {
3900 switch (linktype) {
3901
3902 case DLT_EN10MB:
3903 eaddr = pcap_ether_hostton(name);
3904 if (eaddr == NULL)
3905 bpf_error(
3906 "unknown ether host '%s'", name);
3907 b = gen_ehostop(eaddr, dir);
3908 free(eaddr);
3909 return b;
3910
3911 case DLT_FDDI:
3912 eaddr = pcap_ether_hostton(name);
3913 if (eaddr == NULL)
3914 bpf_error(
3915 "unknown FDDI host '%s'", name);
3916 b = gen_fhostop(eaddr, dir);
3917 free(eaddr);
3918 return b;
3919
3920 case DLT_IEEE802:
3921 eaddr = pcap_ether_hostton(name);
3922 if (eaddr == NULL)
3923 bpf_error(
3924 "unknown token ring host '%s'", name);
3925 b = gen_thostop(eaddr, dir);
3926 free(eaddr);
3927 return b;
3928
3929 case DLT_IEEE802_11:
3930 eaddr = pcap_ether_hostton(name);
3931 if (eaddr == NULL)
3932 bpf_error(
3933 "unknown 802.11 host '%s'", name);
3934 b = gen_wlanhostop(eaddr, dir);
3935 free(eaddr);
3936 return b;
3937
3938 case DLT_IP_OVER_FC:
3939 eaddr = pcap_ether_hostton(name);
3940 if (eaddr == NULL)
3941 bpf_error(
3942 "unknown Fibre Channel host '%s'", name);
3943 b = gen_ipfchostop(eaddr, dir);
3944 free(eaddr);
3945 return b;
3946
3947 case DLT_SUNATM:
3948 if (!is_lane)
3949 break;
3950
3951 /*
3952 * Check that the packet doesn't begin
3953 * with an LE Control marker. (We've
3954 * already generated a test for LANE.)
3955 */
3956 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H,
3957 0xFF00);
3958 gen_not(tmp);
3959
3960 eaddr = pcap_ether_hostton(name);
3961 if (eaddr == NULL)
3962 bpf_error(
3963 "unknown ether host '%s'", name);
3964 b = gen_ehostop(eaddr, dir);
3965 gen_and(tmp, b);
3966 free(eaddr);
3967 return b;
3968 }
3969
3970 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
3971 } else if (proto == Q_DECNET) {
3972 unsigned short dn_addr = __pcap_nametodnaddr(name);
3973 /*
3974 * I don't think DECNET hosts can be multihomed, so
3975 * there is no need to build up a list of addresses
3976 */
3977 return (gen_host(dn_addr, 0, proto, dir));
3978 } else {
3979 #ifndef INET6
3980 alist = pcap_nametoaddr(name);
3981 if (alist == NULL || *alist == NULL)
3982 bpf_error("unknown host '%s'", name);
3983 tproto = proto;
3984 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
3985 tproto = Q_IP;
3986 b = gen_host(**alist++, 0xffffffff, tproto, dir);
3987 while (*alist) {
3988 tmp = gen_host(**alist++, 0xffffffff,
3989 tproto, dir);
3990 gen_or(b, tmp);
3991 b = tmp;
3992 }
3993 return b;
3994 #else
3995 memset(&mask128, 0xff, sizeof(mask128));
3996 res0 = res = pcap_nametoaddrinfo(name);
3997 if (res == NULL)
3998 bpf_error("unknown host '%s'", name);
3999 b = tmp = NULL;
4000 tproto = tproto6 = proto;
4001 if (off_linktype == -1 && tproto == Q_DEFAULT) {
4002 tproto = Q_IP;
4003 tproto6 = Q_IPV6;
4004 }
4005 for (res = res0; res; res = res->ai_next) {
4006 switch (res->ai_family) {
4007 case AF_INET:
4008 if (tproto == Q_IPV6)
4009 continue;
4010
4011 sin = (struct sockaddr_in *)
4012 res->ai_addr;
4013 tmp = gen_host(ntohl(sin->sin_addr.s_addr),
4014 0xffffffff, tproto, dir);
4015 break;
4016 case AF_INET6:
4017 if (tproto6 == Q_IP)
4018 continue;
4019
4020 sin6 = (struct sockaddr_in6 *)
4021 res->ai_addr;
4022 tmp = gen_host6(&sin6->sin6_addr,
4023 &mask128, tproto6, dir);
4024 break;
4025 default:
4026 continue;
4027 }
4028 if (b)
4029 gen_or(b, tmp);
4030 b = tmp;
4031 }
4032 freeaddrinfo(res0);
4033 if (b == NULL) {
4034 bpf_error("unknown host '%s'%s", name,
4035 (proto == Q_DEFAULT)
4036 ? ""
4037 : " for specified address family");
4038 }
4039 return b;
4040 #endif /*INET6*/
4041 }
4042
4043 case Q_PORT:
4044 if (proto != Q_DEFAULT &&
4045 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4046 bpf_error("illegal qualifier of 'port'");
4047 if (pcap_nametoport(name, &port, &real_proto) == 0)
4048 bpf_error("unknown port '%s'", name);
4049 if (proto == Q_UDP) {
4050 if (real_proto == IPPROTO_TCP)
4051 bpf_error("port '%s' is tcp", name);
4052 else if (real_proto == IPPROTO_SCTP)
4053 bpf_error("port '%s' is sctp", name);
4054 else
4055 /* override PROTO_UNDEF */
4056 real_proto = IPPROTO_UDP;
4057 }
4058 if (proto == Q_TCP) {
4059 if (real_proto == IPPROTO_UDP)
4060 bpf_error("port '%s' is udp", name);
4061
4062 else if (real_proto == IPPROTO_SCTP)
4063 bpf_error("port '%s' is sctp", name);
4064 else
4065 /* override PROTO_UNDEF */
4066 real_proto = IPPROTO_TCP;
4067 }
4068 if (proto == Q_SCTP) {
4069 if (real_proto == IPPROTO_UDP)
4070 bpf_error("port '%s' is udp", name);
4071
4072 else if (real_proto == IPPROTO_TCP)
4073 bpf_error("port '%s' is tcp", name);
4074 else
4075 /* override PROTO_UNDEF */
4076 real_proto = IPPROTO_SCTP;
4077 }
4078 #ifndef INET6
4079 return gen_port(port, real_proto, dir);
4080 #else
4081 {
4082 struct block *b;
4083 b = gen_port(port, real_proto, dir);
4084 gen_or(gen_port6(port, real_proto, dir), b);
4085 return b;
4086 }
4087 #endif /* INET6 */
4088
4089 case Q_GATEWAY:
4090 #ifndef INET6
4091 eaddr = pcap_ether_hostton(name);
4092 if (eaddr == NULL)
4093 bpf_error("unknown ether host: %s", name);
4094
4095 alist = pcap_nametoaddr(name);
4096 if (alist == NULL || *alist == NULL)
4097 bpf_error("unknown host '%s'", name);
4098 b = gen_gateway(eaddr, alist, proto, dir);
4099 free(eaddr);
4100 return b;
4101 #else
4102 bpf_error("'gateway' not supported in this configuration");
4103 #endif /*INET6*/
4104
4105 case Q_PROTO:
4106 real_proto = lookup_proto(name, proto);
4107 if (real_proto >= 0)
4108 return gen_proto(real_proto, proto, dir);
4109 else
4110 bpf_error("unknown protocol: %s", name);
4111
4112 case Q_PROTOCHAIN:
4113 real_proto = lookup_proto(name, proto);
4114 if (real_proto >= 0)
4115 return gen_protochain(real_proto, proto, dir);
4116 else
4117 bpf_error("unknown protocol: %s", name);
4118
4119
4120 case Q_UNDEF:
4121 syntax();
4122 /* NOTREACHED */
4123 }
4124 abort();
4125 /* NOTREACHED */
4126 }
4127
4128 struct block *
4129 gen_mcode(s1, s2, masklen, q)
4130 register const char *s1, *s2;
4131 register int masklen;
4132 struct qual q;
4133 {
4134 register int nlen, mlen;
4135 bpf_u_int32 n, m;
4136
4137 nlen = __pcap_atoin(s1, &n);
4138 /* Promote short ipaddr */
4139 n <<= 32 - nlen;
4140
4141 if (s2 != NULL) {
4142 mlen = __pcap_atoin(s2, &m);
4143 /* Promote short ipaddr */
4144 m <<= 32 - mlen;
4145 if ((n & ~m) != 0)
4146 bpf_error("non-network bits set in \"%s mask %s\"",
4147 s1, s2);
4148 } else {
4149 /* Convert mask len to mask */
4150 if (masklen > 32)
4151 bpf_error("mask length must be <= 32");
4152 m = 0xffffffff << (32 - masklen);
4153 if ((n & ~m) != 0)
4154 bpf_error("non-network bits set in \"%s/%d\"",
4155 s1, masklen);
4156 }
4157
4158 switch (q.addr) {
4159
4160 case Q_NET:
4161 return gen_host(n, m, q.proto, q.dir);
4162
4163 default:
4164 bpf_error("Mask syntax for networks only");
4165 /* NOTREACHED */
4166 }
4167 /* NOTREACHED */
4168 }
4169
4170 struct block *
4171 gen_ncode(s, v, q)
4172 register const char *s;
4173 bpf_u_int32 v;
4174 struct qual q;
4175 {
4176 bpf_u_int32 mask;
4177 int proto = q.proto;
4178 int dir = q.dir;
4179 register int vlen;
4180
4181 if (s == NULL)
4182 vlen = 32;
4183 else if (q.proto == Q_DECNET)
4184 vlen = __pcap_atodn(s, &v);
4185 else
4186 vlen = __pcap_atoin(s, &v);
4187
4188 switch (q.addr) {
4189
4190 case Q_DEFAULT:
4191 case Q_HOST:
4192 case Q_NET:
4193 if (proto == Q_DECNET)
4194 return gen_host(v, 0, proto, dir);
4195 else if (proto == Q_LINK) {
4196 bpf_error("illegal link layer address");
4197 } else {
4198 mask = 0xffffffff;
4199 if (s == NULL && q.addr == Q_NET) {
4200 /* Promote short net number */
4201 while (v && (v & 0xff000000) == 0) {
4202 v <<= 8;
4203 mask <<= 8;
4204 }
4205 } else {
4206 /* Promote short ipaddr */
4207 v <<= 32 - vlen;
4208 mask <<= 32 - vlen;
4209 }
4210 return gen_host(v, mask, proto, dir);
4211 }
4212
4213 case Q_PORT:
4214 if (proto == Q_UDP)
4215 proto = IPPROTO_UDP;
4216 else if (proto == Q_TCP)
4217 proto = IPPROTO_TCP;
4218 else if (proto == Q_SCTP)
4219 proto = IPPROTO_SCTP;
4220 else if (proto == Q_DEFAULT)
4221 proto = PROTO_UNDEF;
4222 else
4223 bpf_error("illegal qualifier of 'port'");
4224
4225 #ifndef INET6
4226 return gen_port((int)v, proto, dir);
4227 #else
4228 {
4229 struct block *b;
4230 b = gen_port((int)v, proto, dir);
4231 gen_or(gen_port6((int)v, proto, dir), b);
4232 return b;
4233 }
4234 #endif /* INET6 */
4235
4236 case Q_GATEWAY:
4237 bpf_error("'gateway' requires a name");
4238 /* NOTREACHED */
4239
4240 case Q_PROTO:
4241 return gen_proto((int)v, proto, dir);
4242
4243 case Q_PROTOCHAIN:
4244 return gen_protochain((int)v, proto, dir);
4245
4246 case Q_UNDEF:
4247 syntax();
4248 /* NOTREACHED */
4249
4250 default:
4251 abort();
4252 /* NOTREACHED */
4253 }
4254 /* NOTREACHED */
4255 }
4256
4257 #ifdef INET6
4258 struct block *
4259 gen_mcode6(s1, s2, masklen, q)
4260 register const char *s1, *s2;
4261 register int masklen;
4262 struct qual q;
4263 {
4264 struct addrinfo *res;
4265 struct in6_addr *addr;
4266 struct in6_addr mask;
4267 struct block *b;
4268 u_int32_t *a, *m;
4269
4270 if (s2)
4271 bpf_error("no mask %s supported", s2);
4272
4273 res = pcap_nametoaddrinfo(s1);
4274 if (!res)
4275 bpf_error("invalid ip6 address %s", s1);
4276 if (res->ai_next)
4277 bpf_error("%s resolved to multiple address", s1);
4278 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
4279
4280 if (sizeof(mask) * 8 < masklen)
4281 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
4282 memset(&mask, 0, sizeof(mask));
4283 memset(&mask, 0xff, masklen / 8);
4284 if (masklen % 8) {
4285 mask.s6_addr[masklen / 8] =
4286 (0xff << (8 - masklen % 8)) & 0xff;
4287 }
4288
4289 a = (u_int32_t *)addr;
4290 m = (u_int32_t *)&mask;
4291 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
4292 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
4293 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
4294 }
4295
4296 switch (q.addr) {
4297
4298 case Q_DEFAULT:
4299 case Q_HOST:
4300 if (masklen != 128)
4301 bpf_error("Mask syntax for networks only");
4302 /* FALLTHROUGH */
4303
4304 case Q_NET:
4305 b = gen_host6(addr, &mask, q.proto, q.dir);
4306 freeaddrinfo(res);
4307 return b;
4308
4309 default:
4310 bpf_error("invalid qualifier against IPv6 address");
4311 /* NOTREACHED */
4312 }
4313 }
4314 #endif /*INET6*/
4315
4316 struct block *
4317 gen_ecode(eaddr, q)
4318 register const u_char *eaddr;
4319 struct qual q;
4320 {
4321 struct block *b, *tmp;
4322
4323 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
4324 if (linktype == DLT_EN10MB)
4325 return gen_ehostop(eaddr, (int)q.dir);
4326 if (linktype == DLT_FDDI)
4327 return gen_fhostop(eaddr, (int)q.dir);
4328 if (linktype == DLT_IEEE802)
4329 return gen_thostop(eaddr, (int)q.dir);
4330 if (linktype == DLT_IEEE802_11)
4331 return gen_wlanhostop(eaddr, (int)q.dir);
4332 if (linktype == DLT_SUNATM && is_lane) {
4333 /*
4334 * Check that the packet doesn't begin with an
4335 * LE Control marker. (We've already generated
4336 * a test for LANE.)
4337 */
4338 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4339 gen_not(tmp);
4340
4341 /*
4342 * Now check the MAC address.
4343 */
4344 b = gen_ehostop(eaddr, (int)q.dir);
4345 gen_and(tmp, b);
4346 return b;
4347 }
4348 if (linktype == DLT_IP_OVER_FC)
4349 return gen_ipfchostop(eaddr, (int)q.dir);
4350 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4351 }
4352 bpf_error("ethernet address used in non-ether expression");
4353 /* NOTREACHED */
4354 }
4355
4356 void
4357 sappend(s0, s1)
4358 struct slist *s0, *s1;
4359 {
4360 /*
4361 * This is definitely not the best way to do this, but the
4362 * lists will rarely get long.
4363 */
4364 while (s0->next)
4365 s0 = s0->next;
4366 s0->next = s1;
4367 }
4368
4369 static struct slist *
4370 xfer_to_x(a)
4371 struct arth *a;
4372 {
4373 struct slist *s;
4374
4375 s = new_stmt(BPF_LDX|BPF_MEM);
4376 s->s.k = a->regno;
4377 return s;
4378 }
4379
4380 static struct slist *
4381 xfer_to_a(a)
4382 struct arth *a;
4383 {
4384 struct slist *s;
4385
4386 s = new_stmt(BPF_LD|BPF_MEM);
4387 s->s.k = a->regno;
4388 return s;
4389 }
4390
4391 struct arth *
4392 gen_load(proto, index, size)
4393 int proto;
4394 struct arth *index;
4395 int size;
4396 {
4397 struct slist *s, *tmp;
4398 struct block *b;
4399 int regno = alloc_reg();
4400
4401 free_reg(index->regno);
4402 switch (size) {
4403
4404 default:
4405 bpf_error("data size must be 1, 2, or 4");
4406
4407 case 1:
4408 size = BPF_B;
4409 break;
4410
4411 case 2:
4412 size = BPF_H;
4413 break;
4414
4415 case 4:
4416 size = BPF_W;
4417 break;
4418 }
4419 switch (proto) {
4420 default:
4421 bpf_error("unsupported index operation");
4422
4423 case Q_LINK:
4424 /*
4425 * XXX - what about ATM LANE? Should the index be
4426 * relative to the beginning of the AAL5 frame, so
4427 * that 0 refers to the beginning of the LE Control
4428 * field, or relative to the beginning of the LAN
4429 * frame, so that 0 refers, for Ethernet LANE, to
4430 * the beginning of the destination address?
4431 */
4432 s = xfer_to_x(index);
4433 tmp = new_stmt(BPF_LD|BPF_IND|size);
4434 sappend(s, tmp);
4435 sappend(index->s, s);
4436 break;
4437
4438 case Q_IP:
4439 case Q_ARP:
4440 case Q_RARP:
4441 case Q_ATALK:
4442 case Q_DECNET:
4443 case Q_SCA:
4444 case Q_LAT:
4445 case Q_MOPRC:
4446 case Q_MOPDL:
4447 #ifdef INET6
4448 case Q_IPV6:
4449 #endif
4450 /* XXX Note that we assume a fixed link header here. */
4451 s = xfer_to_x(index);
4452 tmp = new_stmt(BPF_LD|BPF_IND|size);
4453 tmp->s.k = off_nl;
4454 sappend(s, tmp);
4455 sappend(index->s, s);
4456
4457 b = gen_proto_abbrev(proto);
4458 if (index->b)
4459 gen_and(index->b, b);
4460 index->b = b;
4461 break;
4462
4463 case Q_SCTP:
4464 case Q_TCP:
4465 case Q_UDP:
4466 case Q_ICMP:
4467 case Q_IGMP:
4468 case Q_IGRP:
4469 case Q_PIM:
4470 case Q_VRRP:
4471 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4472 s->s.k = off_nl;
4473 sappend(s, xfer_to_a(index));
4474 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
4475 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
4476 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
4477 tmp->s.k = off_nl;
4478 sappend(index->s, s);
4479
4480 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
4481 if (index->b)
4482 gen_and(index->b, b);
4483 #ifdef INET6
4484 gen_and(gen_proto_abbrev(Q_IP), b);
4485 #endif
4486 index->b = b;
4487 break;
4488 #ifdef INET6
4489 case Q_ICMPV6:
4490 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
4491 /*NOTREACHED*/
4492 #endif
4493 }
4494 index->regno = regno;
4495 s = new_stmt(BPF_ST);
4496 s->s.k = regno;
4497 sappend(index->s, s);
4498
4499 return index;
4500 }
4501
4502 struct block *
4503 gen_relation(code, a0, a1, reversed)
4504 int code;
4505 struct arth *a0, *a1;
4506 int reversed;
4507 {
4508 struct slist *s0, *s1, *s2;
4509 struct block *b, *tmp;
4510
4511 s0 = xfer_to_x(a1);
4512 s1 = xfer_to_a(a0);
4513 if (code == BPF_JEQ) {
4514 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
4515 b = new_block(JMP(code));
4516 sappend(s1, s2);
4517 }
4518 else
4519 b = new_block(BPF_JMP|code|BPF_X);
4520 if (reversed)
4521 gen_not(b);
4522
4523 sappend(s0, s1);
4524 sappend(a1->s, s0);
4525 sappend(a0->s, a1->s);
4526
4527 b->stmts = a0->s;
4528
4529 free_reg(a0->regno);
4530 free_reg(a1->regno);
4531
4532 /* 'and' together protocol checks */
4533 if (a0->b) {
4534 if (a1->b) {
4535 gen_and(a0->b, tmp = a1->b);
4536 }
4537 else
4538 tmp = a0->b;
4539 } else
4540 tmp = a1->b;
4541
4542 if (tmp)
4543 gen_and(tmp, b);
4544
4545 return b;
4546 }
4547
4548 struct arth *
4549 gen_loadlen()
4550 {
4551 int regno = alloc_reg();
4552 struct arth *a = (struct arth *)newchunk(sizeof(*a));
4553 struct slist *s;
4554
4555 s = new_stmt(BPF_LD|BPF_LEN);
4556 s->next = new_stmt(BPF_ST);
4557 s->next->s.k = regno;
4558 a->s = s;
4559 a->regno = regno;
4560
4561 return a;
4562 }
4563
4564 struct arth *
4565 gen_loadi(val)
4566 int val;
4567 {
4568 struct arth *a;
4569 struct slist *s;
4570 int reg;
4571
4572 a = (struct arth *)newchunk(sizeof(*a));
4573
4574 reg = alloc_reg();
4575
4576 s = new_stmt(BPF_LD|BPF_IMM);
4577 s->s.k = val;
4578 s->next = new_stmt(BPF_ST);
4579 s->next->s.k = reg;
4580 a->s = s;
4581 a->regno = reg;
4582
4583 return a;
4584 }
4585
4586 struct arth *
4587 gen_neg(a)
4588 struct arth *a;
4589 {
4590 struct slist *s;
4591
4592 s = xfer_to_a(a);
4593 sappend(a->s, s);
4594 s = new_stmt(BPF_ALU|BPF_NEG);
4595 s->s.k = 0;
4596 sappend(a->s, s);
4597 s = new_stmt(BPF_ST);
4598 s->s.k = a->regno;
4599 sappend(a->s, s);
4600
4601 return a;
4602 }
4603
4604 struct arth *
4605 gen_arth(code, a0, a1)
4606 int code;
4607 struct arth *a0, *a1;
4608 {
4609 struct slist *s0, *s1, *s2;
4610
4611 s0 = xfer_to_x(a1);
4612 s1 = xfer_to_a(a0);
4613 s2 = new_stmt(BPF_ALU|BPF_X|code);
4614
4615 sappend(s1, s2);
4616 sappend(s0, s1);
4617 sappend(a1->s, s0);
4618 sappend(a0->s, a1->s);
4619
4620 free_reg(a0->regno);
4621 free_reg(a1->regno);
4622
4623 s0 = new_stmt(BPF_ST);
4624 a0->regno = s0->s.k = alloc_reg();
4625 sappend(a0->s, s0);
4626
4627 return a0;
4628 }
4629
4630 /*
4631 * Here we handle simple allocation of the scratch registers.
4632 * If too many registers are alloc'd, the allocator punts.
4633 */
4634 static int regused[BPF_MEMWORDS];
4635 static int curreg;
4636
4637 /*
4638 * Return the next free register.
4639 */
4640 static int
4641 alloc_reg()
4642 {
4643 int n = BPF_MEMWORDS;
4644
4645 while (--n >= 0) {
4646 if (regused[curreg])
4647 curreg = (curreg + 1) % BPF_MEMWORDS;
4648 else {
4649 regused[curreg] = 1;
4650 return curreg;
4651 }
4652 }
4653 bpf_error("too many registers needed to evaluate expression");
4654 /* NOTREACHED */
4655 }
4656
4657 /*
4658 * Return a register to the table so it can
4659 * be used later.
4660 */
4661 static void
4662 free_reg(n)
4663 int n;
4664 {
4665 regused[n] = 0;
4666 }
4667
4668 static struct block *
4669 gen_len(jmp, n)
4670 int jmp, n;
4671 {
4672 struct slist *s;
4673 struct block *b;
4674
4675 s = new_stmt(BPF_LD|BPF_LEN);
4676 b = new_block(JMP(jmp));
4677 b->stmts = s;
4678 b->s.k = n;
4679
4680 return b;
4681 }
4682
4683 struct block *
4684 gen_greater(n)
4685 int n;
4686 {
4687 return gen_len(BPF_JGE, n);
4688 }
4689
4690 /*
4691 * Actually, this is less than or equal.
4692 */
4693 struct block *
4694 gen_less(n)
4695 int n;
4696 {
4697 struct block *b;
4698
4699 b = gen_len(BPF_JGT, n);
4700 gen_not(b);
4701
4702 return b;
4703 }
4704
4705 struct block *
4706 gen_byteop(op, idx, val)
4707 int op, idx, val;
4708 {
4709 struct block *b;
4710 struct slist *s;
4711
4712 switch (op) {
4713 default:
4714 abort();
4715
4716 case '=':
4717 return gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4718
4719 case '<':
4720 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4721 b->s.code = JMP(BPF_JGE);
4722 gen_not(b);
4723 return b;
4724
4725 case '>':
4726 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4727 b->s.code = JMP(BPF_JGT);
4728 return b;
4729
4730 case '|':
4731 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
4732 break;
4733
4734 case '&':
4735 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
4736 break;
4737 }
4738 s->s.k = val;
4739 b = new_block(JMP(BPF_JEQ));
4740 b->stmts = s;
4741 gen_not(b);
4742
4743 return b;
4744 }
4745
4746 static u_char abroadcast[] = { 0x0 };
4747
4748 struct block *
4749 gen_broadcast(proto)
4750 int proto;
4751 {
4752 bpf_u_int32 hostmask;
4753 struct block *b0, *b1, *b2;
4754 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
4755
4756 switch (proto) {
4757
4758 case Q_DEFAULT:
4759 case Q_LINK:
4760 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4761 return gen_ahostop(abroadcast, Q_DST);
4762 if (linktype == DLT_EN10MB)
4763 return gen_ehostop(ebroadcast, Q_DST);
4764 if (linktype == DLT_FDDI)
4765 return gen_fhostop(ebroadcast, Q_DST);
4766 if (linktype == DLT_IEEE802)
4767 return gen_thostop(ebroadcast, Q_DST);
4768 if (linktype == DLT_IEEE802_11)
4769 return gen_wlanhostop(ebroadcast, Q_DST);
4770 if (linktype == DLT_IP_OVER_FC)
4771 return gen_ipfchostop(ebroadcast, Q_DST);
4772 if (linktype == DLT_SUNATM && is_lane) {
4773 /*
4774 * Check that the packet doesn't begin with an
4775 * LE Control marker. (We've already generated
4776 * a test for LANE.)
4777 */
4778 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4779 gen_not(b1);
4780
4781 /*
4782 * Now check the MAC address.
4783 */
4784 b0 = gen_ehostop(ebroadcast, Q_DST);
4785 gen_and(b1, b0);
4786 return b0;
4787 }
4788 bpf_error("not a broadcast link");
4789 break;
4790
4791 case Q_IP:
4792 b0 = gen_linktype(ETHERTYPE_IP);
4793 hostmask = ~netmask;
4794 b1 = gen_mcmp(off_nl + 16, BPF_W, (bpf_int32)0, hostmask);
4795 b2 = gen_mcmp(off_nl + 16, BPF_W,
4796 (bpf_int32)(~0 & hostmask), hostmask);
4797 gen_or(b1, b2);
4798 gen_and(b0, b2);
4799 return b2;
4800 }
4801 bpf_error("only link-layer/IP broadcast filters supported");
4802 /* NOTREACHED */
4803 }
4804
4805 /*
4806 * Generate code to test the low-order bit of a MAC address (that's
4807 * the bottom bit of the *first* byte).
4808 */
4809 static struct block *
4810 gen_mac_multicast(offset)
4811 int offset;
4812 {
4813 register struct block *b0;
4814 register struct slist *s;
4815
4816 /* link[offset] & 1 != 0 */
4817 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4818 s->s.k = offset;
4819 b0 = new_block(JMP(BPF_JSET));
4820 b0->s.k = 1;
4821 b0->stmts = s;
4822 return b0;
4823 }
4824
4825 struct block *
4826 gen_multicast(proto)
4827 int proto;
4828 {
4829 register struct block *b0, *b1, *b2;
4830 register struct slist *s;
4831
4832 switch (proto) {
4833
4834 case Q_DEFAULT:
4835 case Q_LINK:
4836 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4837 /* all ARCnet multicasts use the same address */
4838 return gen_ahostop(abroadcast, Q_DST);
4839
4840 if (linktype == DLT_EN10MB) {
4841 /* ether[0] & 1 != 0 */
4842 return gen_mac_multicast(0);
4843 }
4844
4845 if (linktype == DLT_FDDI) {
4846 /*
4847 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
4848 *
4849 * XXX - was that referring to bit-order issues?
4850 */
4851 /* fddi[1] & 1 != 0 */
4852 return gen_mac_multicast(1);
4853 }
4854
4855 if (linktype == DLT_IEEE802) {
4856 /* tr[2] & 1 != 0 */
4857 return gen_mac_multicast(2);
4858 }
4859
4860 if (linktype == DLT_IEEE802_11) {
4861 /*
4862 * Oh, yuk.
4863 *
4864 * For control frames, there is no DA.
4865 *
4866 * For management frames, DA is at an
4867 * offset of 4 from the beginning of
4868 * the packet.
4869 *
4870 * For data frames, DA is at an offset
4871 * of 4 from the beginning of the packet
4872 * if To DS is clear and at an offset of
4873 * 16 from the beginning of the packet
4874 * if To DS is set.
4875 */
4876
4877 /*
4878 * Generate the tests to be done for data frames.
4879 *
4880 * First, check for To DS set, i.e. "link[1] & 0x01".
4881 */
4882 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4883 s->s.k = 1;
4884 b1 = new_block(JMP(BPF_JSET));
4885 b1->s.k = 0x01; /* To DS */
4886 b1->stmts = s;
4887
4888 /*
4889 * If To DS is set, the DA is at 16.
4890 */
4891 b0 = gen_mac_multicast(16);
4892 gen_and(b1, b0);
4893
4894 /*
4895 * Now, check for To DS not set, i.e. check
4896 * "!(link[1] & 0x01)".
4897 */
4898 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4899 s->s.k = 1;
4900 b2 = new_block(JMP(BPF_JSET));
4901 b2->s.k = 0x01; /* To DS */
4902 b2->stmts = s;
4903 gen_not(b2);
4904
4905 /*
4906 * If To DS is not set, the DA is at 4.
4907 */
4908 b1 = gen_mac_multicast(4);
4909 gen_and(b2, b1);
4910
4911 /*
4912 * Now OR together the last two checks. That gives
4913 * the complete set of checks for data frames.
4914 */
4915 gen_or(b1, b0);
4916
4917 /*
4918 * Now check for a data frame.
4919 * I.e, check "link[0] & 0x08".
4920 */
4921 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4922 s->s.k = 0;
4923 b1 = new_block(JMP(BPF_JSET));
4924 b1->s.k = 0x08;
4925 b1->stmts = s;
4926
4927 /*
4928 * AND that with the checks done for data frames.
4929 */
4930 gen_and(b1, b0);
4931
4932 /*
4933 * If the high-order bit of the type value is 0, this
4934 * is a management frame.
4935 * I.e, check "!(link[0] & 0x08)".
4936 */
4937 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4938 s->s.k = 0;
4939 b2 = new_block(JMP(BPF_JSET));
4940 b2->s.k = 0x08;
4941 b2->stmts = s;
4942 gen_not(b2);
4943
4944 /*
4945 * For management frames, the DA is at 4.
4946 */
4947 b1 = gen_mac_multicast(4);
4948 gen_and(b2, b1);
4949
4950 /*
4951 * OR that with the checks done for data frames.
4952 * That gives the checks done for management and
4953 * data frames.
4954 */
4955 gen_or(b1, b0);
4956
4957 /*
4958 * If the low-order bit of the type value is 1,
4959 * this is either a control frame or a frame
4960 * with a reserved type, and thus not a
4961 * frame with an SA.
4962 *
4963 * I.e., check "!(link[0] & 0x04)".
4964 */
4965 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4966 s->s.k = 0;
4967 b1 = new_block(JMP(BPF_JSET));
4968 b1->s.k = 0x04;
4969 b1->stmts = s;
4970 gen_not(b1);
4971
4972 /*
4973 * AND that with the checks for data and management
4974 * frames.
4975 */
4976 gen_and(b1, b0);
4977 return b0;
4978 }
4979
4980 if (linktype == DLT_IP_OVER_FC) {
4981 b0 = gen_mac_multicast(2);
4982 return b0;
4983 }
4984
4985 if (linktype == DLT_SUNATM && is_lane) {
4986 /*
4987 * Check that the packet doesn't begin with an
4988 * LE Control marker. (We've already generated
4989 * a test for LANE.)
4990 */
4991 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4992 gen_not(b1);
4993
4994 /* ether[off_mac] & 1 != 0 */
4995 b0 = gen_mac_multicast(off_mac);
4996 gen_and(b1, b0);
4997 return b0;
4998 }
4999
5000 /* Link not known to support multicasts */
5001 break;
5002
5003 case Q_IP:
5004 b0 = gen_linktype(ETHERTYPE_IP);
5005 b1 = gen_cmp(off_nl + 16, BPF_B, (bpf_int32)224);
5006 b1->s.code = JMP(BPF_JGE);
5007 gen_and(b0, b1);
5008 return b1;
5009
5010 #ifdef INET6
5011 case Q_IPV6:
5012 b0 = gen_linktype(ETHERTYPE_IPV6);
5013 b1 = gen_cmp(off_nl + 24, BPF_B, (bpf_int32)255);
5014 gen_and(b0, b1);
5015 return b1;
5016 #endif /* INET6 */
5017 }
5018 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
5019 /* NOTREACHED */
5020 }
5021
5022 /*
5023 * generate command for inbound/outbound. It's here so we can
5024 * make it link-type specific. 'dir' = 0 implies "inbound",
5025 * = 1 implies "outbound".
5026 */
5027 struct block *
5028 gen_inbound(dir)
5029 int dir;
5030 {
5031 register struct block *b0;
5032
5033 /*
5034 * Only some data link types support inbound/outbound qualifiers.
5035 */
5036 switch (linktype) {
5037 case DLT_SLIP:
5038 b0 = gen_relation(BPF_JEQ,
5039 gen_load(Q_LINK, gen_loadi(0), 1),
5040 gen_loadi(0),
5041 dir);
5042 break;
5043
5044 case DLT_LINUX_SLL:
5045 if (dir) {
5046 /*
5047 * Match packets sent by this machine.
5048 */
5049 b0 = gen_cmp(0, BPF_H, LINUX_SLL_OUTGOING);
5050 } else {
5051 /*
5052 * Match packets sent to this machine.
5053 * (No broadcast or multicast packets, or
5054 * packets sent to some other machine and
5055 * received promiscuously.)
5056 *
5057 * XXX - packets sent to other machines probably
5058 * shouldn't be matched, but what about broadcast
5059 * or multicast packets we received?
5060 */
5061 b0 = gen_cmp(0, BPF_H, LINUX_SLL_HOST);
5062 }
5063 break;
5064
5065 case DLT_PFLOG:
5066 b0 = gen_cmp(offsetof(struct pfloghdr, dir), BPF_B,
5067 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
5068 break;
5069
5070 default:
5071 bpf_error("inbound/outbound not supported on linktype %d",
5072 linktype);
5073 b0 = NULL;
5074 /* NOTREACHED */
5075 }
5076 return (b0);
5077 }
5078
5079 /* PF firewall log matched interface */
5080 struct block *
5081 gen_pf_ifname(const char *ifname)
5082 {
5083 struct block *b0;
5084 u_int len, off;
5085
5086 if (linktype == DLT_PFLOG) {
5087 len = sizeof(((struct pfloghdr *)0)->ifname);
5088 off = offsetof(struct pfloghdr, ifname);
5089 } else {
5090 bpf_error("ifname not supported on linktype 0x%x", linktype);
5091 /* NOTREACHED */
5092 }
5093 if (strlen(ifname) >= len) {
5094 bpf_error("ifname interface names can only be %d characters",
5095 len-1);
5096 /* NOTREACHED */
5097 }
5098 b0 = gen_bcmp(off, strlen(ifname), (const u_char *)ifname);
5099 return (b0);
5100 }
5101
5102 /* PF firewall log matched interface */
5103 struct block *
5104 gen_pf_ruleset(char *ruleset)
5105 {
5106 struct block *b0;
5107
5108 if (linktype != DLT_PFLOG) {
5109 bpf_error("ruleset not supported on linktype 0x%x", linktype);
5110 /* NOTREACHED */
5111 }
5112 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
5113 bpf_error("ruleset names can only be %ld characters",
5114 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
5115 /* NOTREACHED */
5116 }
5117 b0 = gen_bcmp(offsetof(struct pfloghdr, ruleset),
5118 strlen(ruleset), (const u_char *)ruleset);
5119 return (b0);
5120 }
5121
5122 /* PF firewall log rule number */
5123 struct block *
5124 gen_pf_rnr(int rnr)
5125 {
5126 struct block *b0;
5127
5128 if (linktype == DLT_PFLOG) {
5129 b0 = gen_cmp(offsetof(struct pfloghdr, rulenr), BPF_W,
5130 (bpf_int32)rnr);
5131 } else {
5132 bpf_error("rnr not supported on linktype 0x%x", linktype);
5133 /* NOTREACHED */
5134 }
5135
5136 return (b0);
5137 }
5138
5139 /* PF firewall log sub-rule number */
5140 struct block *
5141 gen_pf_srnr(int srnr)
5142 {
5143 struct block *b0;
5144
5145 if (linktype != DLT_PFLOG) {
5146 bpf_error("srnr not supported on linktype 0x%x", linktype);
5147 /* NOTREACHED */
5148 }
5149
5150 b0 = gen_cmp(offsetof(struct pfloghdr, subrulenr), BPF_W,
5151 (bpf_int32)srnr);
5152 return (b0);
5153 }
5154
5155 /* PF firewall log reason code */
5156 struct block *
5157 gen_pf_reason(int reason)
5158 {
5159 struct block *b0;
5160
5161 if (linktype == DLT_PFLOG) {
5162 b0 = gen_cmp(offsetof(struct pfloghdr, reason), BPF_B,
5163 (bpf_int32)reason);
5164 } else {
5165 bpf_error("reason not supported on linktype 0x%x", linktype);
5166 /* NOTREACHED */
5167 }
5168
5169 return (b0);
5170 }
5171
5172 /* PF firewall log action */
5173 struct block *
5174 gen_pf_action(int action)
5175 {
5176 struct block *b0;
5177
5178 if (linktype == DLT_PFLOG) {
5179 b0 = gen_cmp(offsetof(struct pfloghdr, action), BPF_B,
5180 (bpf_int32)action);
5181 } else {
5182 bpf_error("action not supported on linktype 0x%x", linktype);
5183 /* NOTREACHED */
5184 }
5185
5186 return (b0);
5187 }
5188
5189 struct block *
5190 gen_acode(eaddr, q)
5191 register const u_char *eaddr;
5192 struct qual q;
5193 {
5194 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5195 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5196 return gen_ahostop(eaddr, (int)q.dir);
5197 }
5198 bpf_error("ARCnet address used in non-arc expression");
5199 /* NOTREACHED */
5200 }
5201
5202 static struct block *
5203 gen_ahostop(eaddr, dir)
5204 register const u_char *eaddr;
5205 register int dir;
5206 {
5207 register struct block *b0, *b1;
5208
5209 switch (dir) {
5210 /* src comes first, different from Ethernet */
5211 case Q_SRC:
5212 return gen_bcmp(0, 1, eaddr);
5213
5214 case Q_DST:
5215 return gen_bcmp(1, 1, eaddr);
5216
5217 case Q_AND:
5218 b0 = gen_ahostop(eaddr, Q_SRC);
5219 b1 = gen_ahostop(eaddr, Q_DST);
5220 gen_and(b0, b1);
5221 return b1;
5222
5223 case Q_DEFAULT:
5224 case Q_OR:
5225 b0 = gen_ahostop(eaddr, Q_SRC);
5226 b1 = gen_ahostop(eaddr, Q_DST);
5227 gen_or(b0, b1);
5228 return b1;
5229 }
5230 abort();
5231 /* NOTREACHED */
5232 }
5233
5234 /*
5235 * support IEEE 802.1Q VLAN trunk over ethernet
5236 */
5237 struct block *
5238 gen_vlan(vlan_num)
5239 int vlan_num;
5240 {
5241 struct block *b0;
5242
5243 /*
5244 * Change the offsets to point to the type and data fields within
5245 * the VLAN packet. This is somewhat of a kludge.
5246 */
5247 if (orig_nl == (u_int)-1) {
5248 orig_linktype = off_linktype; /* save original values */
5249 orig_nl = off_nl;
5250 orig_nl_nosnap = off_nl_nosnap;
5251
5252 switch (linktype) {
5253
5254 case DLT_EN10MB:
5255 off_linktype = 16;
5256 off_nl_nosnap = 18;
5257 off_nl = 18;
5258 break;
5259
5260 default:
5261 bpf_error("no VLAN support for data link type %d",
5262 linktype);
5263 /*NOTREACHED*/
5264 }
5265 }
5266
5267 /* check for VLAN */
5268 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
5269
5270 /* If a specific VLAN is requested, check VLAN id */
5271 if (vlan_num >= 0) {
5272 struct block *b1;
5273
5274 b1 = gen_cmp(orig_nl, BPF_H, (bpf_int32)vlan_num);
5275 gen_and(b0, b1);
5276 b0 = b1;
5277 }
5278
5279 return (b0);
5280 }
5281
5282 /*
5283 * support for MPLS
5284 */
5285 struct block *
5286 gen_mpls(label_num)
5287 int label_num;
5288 {
5289 struct block *b0;
5290
5291 /*
5292 * Change the offsets to point to the type and data fields within
5293 * the MPLS packet. This is somewhat of a kludge.
5294 */
5295 if (orig_nl == (u_int)-1) {
5296 orig_linktype = off_linktype; /* save original values */
5297 orig_nl = off_nl;
5298 orig_nl_nosnap = off_nl_nosnap;
5299
5300 switch (linktype) {
5301
5302 case DLT_EN10MB:
5303 off_linktype = 16;
5304 off_nl_nosnap = 18;
5305 off_nl = 18;
5306
5307 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_MPLS);
5308 break;
5309
5310 case DLT_PPP:
5311 off_linktype = 6;
5312 off_nl_nosnap = 8;
5313 off_nl = 8;
5314
5315 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)PPP_MPLS_UCAST);
5316 break;
5317
5318 case DLT_C_HDLC:
5319 off_linktype = 6;
5320 off_nl_nosnap = 8;
5321 off_nl = 8;
5322
5323 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_MPLS);
5324 break;
5325
5326 /* FIXME add other DLT_s ...
5327 * for Frame-Relay/and ATM this may get messy due to SNAP headers
5328 * leave it for now */
5329
5330 default:
5331 bpf_error("no MPLS support for data link type %d",
5332 linktype);
5333 /*NOTREACHED*/
5334 }
5335 }
5336
5337 /* If a specific MPLS label is requested, check it */
5338 if (label_num >= 0) {
5339 struct block *b1;
5340
5341 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
5342 b1 = gen_mcmp(orig_nl, BPF_H, (bpf_int32)label_num, 0xfffff000); /* only compare the first 20 bits */
5343 gen_and(b0, b1);
5344 b0 = b1;
5345 }
5346
5347 return (b0);
5348 }
5349
5350 struct block *
5351 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
5352 int atmfield;
5353 bpf_u_int32 jvalue;
5354 bpf_u_int32 jtype;
5355 int reverse;
5356 {
5357 struct block *b0;
5358
5359 switch (atmfield) {
5360
5361 case A_VPI:
5362 if (!is_atm)
5363 bpf_error("'vpi' supported only on raw ATM");
5364 if (off_vpi == (u_int)-1)
5365 abort();
5366 b0 = gen_ncmp(BPF_B, off_vpi, 0xffffffff, (u_int)jtype,
5367 (u_int)jvalue, reverse);
5368 break;
5369
5370 case A_VCI:
5371 if (!is_atm)
5372 bpf_error("'vci' supported only on raw ATM");
5373 if (off_vci == (u_int)-1)
5374 abort();
5375 b0 = gen_ncmp(BPF_H, off_vci, 0xffffffff, (u_int)jtype,
5376 (u_int)jvalue, reverse);
5377 break;
5378
5379 case A_PROTOTYPE:
5380 if (off_proto == (u_int)-1)
5381 abort(); /* XXX - this isn't on FreeBSD */
5382 b0 = gen_ncmp(BPF_B, off_proto, 0x0f, (u_int)jtype,
5383 (u_int)jvalue, reverse);
5384 break;
5385
5386 case A_MSGTYPE:
5387 if (off_payload == (u_int)-1)
5388 abort();
5389 b0 = gen_ncmp(BPF_B, off_payload + MSG_TYPE_POS, 0xffffffff,
5390 (u_int)jtype, (u_int)jvalue, reverse);
5391 break;
5392
5393 case A_CALLREFTYPE:
5394 if (!is_atm)
5395 bpf_error("'callref' supported only on raw ATM");
5396 if (off_proto == (u_int)-1)
5397 abort();
5398 b0 = gen_ncmp(BPF_B, off_proto, 0xffffffff, (u_int)jtype,
5399 (u_int)jvalue, reverse);
5400 break;
5401
5402 default:
5403 abort();
5404 }
5405 return b0;
5406 }
5407
5408 struct block *
5409 gen_atmtype_abbrev(type)
5410 int type;
5411 {
5412 struct block *b0, *b1;
5413
5414 switch (type) {
5415
5416 case A_METAC:
5417 /* Get all packets in Meta signalling Circuit */
5418 if (!is_atm)
5419 bpf_error("'metac' supported only on raw ATM");
5420 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5421 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
5422 gen_and(b0, b1);
5423 break;
5424
5425 case A_BCC:
5426 /* Get all packets in Broadcast Circuit*/
5427 if (!is_atm)
5428 bpf_error("'bcc' supported only on raw ATM");
5429 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5430 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
5431 gen_and(b0, b1);
5432 break;
5433
5434 case A_OAMF4SC:
5435 /* Get all cells in Segment OAM F4 circuit*/
5436 if (!is_atm)
5437 bpf_error("'oam4sc' supported only on raw ATM");
5438 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5439 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5440 gen_and(b0, b1);
5441 break;
5442
5443 case A_OAMF4EC:
5444 /* Get all cells in End-to-End OAM F4 Circuit*/
5445 if (!is_atm)
5446 bpf_error("'oam4ec' supported only on raw ATM");
5447 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5448 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5449 gen_and(b0, b1);
5450 break;
5451
5452 case A_SC:
5453 /* Get all packets in connection Signalling Circuit */
5454 if (!is_atm)
5455 bpf_error("'sc' supported only on raw ATM");
5456 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5457 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
5458 gen_and(b0, b1);
5459 break;
5460
5461 case A_ILMIC:
5462 /* Get all packets in ILMI Circuit */
5463 if (!is_atm)
5464 bpf_error("'ilmic' supported only on raw ATM");
5465 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5466 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
5467 gen_and(b0, b1);
5468 break;
5469
5470 case A_LANE:
5471 /* Get all LANE packets */
5472 if (!is_atm)
5473 bpf_error("'lane' supported only on raw ATM");
5474 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
5475
5476 /*
5477 * Arrange that all subsequent tests assume LANE
5478 * rather than LLC-encapsulated packets, and set
5479 * the offsets appropriately for LANE-encapsulated
5480 * Ethernet.
5481 *
5482 * "off_mac" is the offset of the Ethernet header,
5483 * which is 2 bytes past the ATM pseudo-header
5484 * (skipping the pseudo-header and 2-byte LE Client
5485 * field). The other offsets are Ethernet offsets
5486 * relative to "off_mac".
5487 */
5488 is_lane = 1;
5489 off_mac = off_payload + 2; /* MAC header */
5490 off_linktype = off_mac + 12;
5491 off_nl = off_mac + 14; /* Ethernet II */
5492 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
5493 break;
5494
5495 case A_LLC:
5496 /* Get all LLC-encapsulated packets */
5497 if (!is_atm)
5498 bpf_error("'llc' supported only on raw ATM");
5499 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
5500 is_lane = 0;
5501 break;
5502
5503 default:
5504 abort();
5505 }
5506 return b1;
5507 }
5508
5509
5510 static struct block *
5511 gen_msg_abbrev(type)
5512 int type;
5513 {
5514 struct block *b1;
5515
5516 /*
5517 * Q.2931 signalling protocol messages for handling virtual circuits
5518 * establishment and teardown
5519 */
5520 switch (type) {
5521
5522 case A_SETUP:
5523 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
5524 break;
5525
5526 case A_CALLPROCEED:
5527 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
5528 break;
5529
5530 case A_CONNECT:
5531 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
5532 break;
5533
5534 case A_CONNECTACK:
5535 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
5536 break;
5537
5538 case A_RELEASE:
5539 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
5540 break;
5541
5542 case A_RELEASE_DONE:
5543 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
5544 break;
5545
5546 default:
5547 abort();
5548 }
5549 return b1;
5550 }
5551
5552 struct block *
5553 gen_atmmulti_abbrev(type)
5554 int type;
5555 {
5556 struct block *b0, *b1;
5557
5558 switch (type) {
5559
5560 case A_OAM:
5561 if (!is_atm)
5562 bpf_error("'oam' supported only on raw ATM");
5563 b1 = gen_atmmulti_abbrev(A_OAMF4);
5564 break;
5565
5566 case A_OAMF4:
5567 if (!is_atm)
5568 bpf_error("'oamf4' supported only on raw ATM");
5569 /* OAM F4 type */
5570 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5571 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5572 gen_or(b0, b1);
5573 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5574 gen_and(b0, b1);
5575 break;
5576
5577 case A_CONNECTMSG:
5578 /*
5579 * Get Q.2931 signalling messages for switched
5580 * virtual connection
5581 */
5582 if (!is_atm)
5583 bpf_error("'connectmsg' supported only on raw ATM");
5584 b0 = gen_msg_abbrev(A_SETUP);
5585 b1 = gen_msg_abbrev(A_CALLPROCEED);
5586 gen_or(b0, b1);
5587 b0 = gen_msg_abbrev(A_CONNECT);
5588 gen_or(b0, b1);
5589 b0 = gen_msg_abbrev(A_CONNECTACK);
5590 gen_or(b0, b1);
5591 b0 = gen_msg_abbrev(A_RELEASE);
5592 gen_or(b0, b1);
5593 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5594 gen_or(b0, b1);
5595 b0 = gen_atmtype_abbrev(A_SC);
5596 gen_and(b0, b1);
5597 break;
5598
5599 case A_METACONNECT:
5600 if (!is_atm)
5601 bpf_error("'metaconnect' supported only on raw ATM");
5602 b0 = gen_msg_abbrev(A_SETUP);
5603 b1 = gen_msg_abbrev(A_CALLPROCEED);
5604 gen_or(b0, b1);
5605 b0 = gen_msg_abbrev(A_CONNECT);
5606 gen_or(b0, b1);
5607 b0 = gen_msg_abbrev(A_RELEASE);
5608 gen_or(b0, b1);
5609 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5610 gen_or(b0, b1);
5611 b0 = gen_atmtype_abbrev(A_METAC);
5612 gen_and(b0, b1);
5613 break;
5614
5615 default:
5616 abort();
5617 }
5618 return b1;
5619 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism