]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob


481c4d9c358a5ade099ba458a907502b837c8139
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22
23 #ifdef HAVE_CONFIG_H
24 #include "config.h"
25 #endif
26
27 #ifdef _WIN32
28 #include <pcap-stdinc.h>
29 #else /* _WIN32 */
30 #if HAVE_INTTYPES_H
31 #include <inttypes.h>
32 #elif HAVE_STDINT_H
33 #include <stdint.h>
34 #endif
35 #ifdef HAVE_SYS_BITYPES_H
36 #include <sys/bitypes.h>
37 #endif
38 #include <sys/types.h>
39 #include <sys/socket.h>
40 #endif /* _WIN32 */
41
42 #ifndef _WIN32
43
44 #ifdef __NetBSD__
45 #include <sys/param.h>
46 #endif
47
48 #include <netinet/in.h>
49 #include <arpa/inet.h>
50
51 #endif /* _WIN32 */
52
53 #include <stdlib.h>
54 #include <string.h>
55 #include <memory.h>
56 #include <setjmp.h>
57 #include <stdarg.h>
58
59 #ifdef MSDOS
60 #include "pcap-dos.h"
61 #endif
62
63 #include "pcap-int.h"
64
65 #include "ethertype.h"
66 #include "nlpid.h"
67 #include "llc.h"
68 #include "gencode.h"
69 #include "ieee80211.h"
70 #include "atmuni31.h"
71 #include "sunatmpos.h"
72 #include "ppp.h"
73 #include "pcap/sll.h"
74 #include "pcap/ipnet.h"
75 #include "arcnet.h"
76
77 #include "grammar.h"
78 #include "scanner.h"
79
80 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
81 #include <linux/types.h>
82 #include <linux/if_packet.h>
83 #include <linux/filter.h>
84 #endif
85
86 #ifdef HAVE_NET_PFVAR_H
87 #include <sys/socket.h>
88 #include <net/if.h>
89 #include <net/pfvar.h>
90 #include <net/if_pflog.h>
91 #endif
92
93 #ifndef offsetof
94 #define offsetof(s, e) ((size_t)&((s *)0)->e)
95 #endif
96
97 #ifdef INET6
98 #ifdef _WIN32
99 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
100 /* IPv6 address */
101 struct in6_addr
102 {
103 union
104 {
105 u_int8_t u6_addr8[16];
106 u_int16_t u6_addr16[8];
107 u_int32_t u6_addr32[4];
108 } in6_u;
109 #define s6_addr in6_u.u6_addr8
110 #define s6_addr16 in6_u.u6_addr16
111 #define s6_addr32 in6_u.u6_addr32
112 #define s6_addr64 in6_u.u6_addr64
113 };
114
115 typedef unsigned short sa_family_t;
116
117 #define __SOCKADDR_COMMON(sa_prefix) \
118 sa_family_t sa_prefix##family
119
120 /* Ditto, for IPv6. */
121 struct sockaddr_in6
122 {
123 __SOCKADDR_COMMON (sin6_);
124 u_int16_t sin6_port; /* Transport layer port # */
125 u_int32_t sin6_flowinfo; /* IPv6 flow information */
126 struct in6_addr sin6_addr; /* IPv6 address */
127 };
128
129 #ifndef EAI_ADDRFAMILY
130 struct addrinfo {
131 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
132 int ai_family; /* PF_xxx */
133 int ai_socktype; /* SOCK_xxx */
134 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
135 size_t ai_addrlen; /* length of ai_addr */
136 char *ai_canonname; /* canonical name for hostname */
137 struct sockaddr *ai_addr; /* binary address */
138 struct addrinfo *ai_next; /* next structure in linked list */
139 };
140 #endif /* EAI_ADDRFAMILY */
141 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
142 #else /* _WIN32 */
143 #include <netdb.h> /* for "struct addrinfo" */
144 #endif /* _WIN32 */
145 #endif /* INET6 */
146 #include <pcap/namedb.h>
147
148 #include "nametoaddr.h"
149
150 #define ETHERMTU 1500
151
152 #ifndef ETHERTYPE_TEB
153 #define ETHERTYPE_TEB 0x6558
154 #endif
155
156 #ifndef IPPROTO_HOPOPTS
157 #define IPPROTO_HOPOPTS 0
158 #endif
159 #ifndef IPPROTO_ROUTING
160 #define IPPROTO_ROUTING 43
161 #endif
162 #ifndef IPPROTO_FRAGMENT
163 #define IPPROTO_FRAGMENT 44
164 #endif
165 #ifndef IPPROTO_DSTOPTS
166 #define IPPROTO_DSTOPTS 60
167 #endif
168 #ifndef IPPROTO_SCTP
169 #define IPPROTO_SCTP 132
170 #endif
171
172 #define GENEVE_PORT 6081
173
174 #ifdef HAVE_OS_PROTO_H
175 #include "os-proto.h"
176 #endif
177
178 #define JMP(c) ((c)|BPF_JMP|BPF_K)
179
180 /* Locals */
181 static jmp_buf top_ctx;
182 static pcap_t *bpf_pcap;
183
184 /* Hack for handling VLAN and MPLS stacks. */
185 #ifdef _WIN32
186 static u_int label_stack_depth = (u_int)-1, vlan_stack_depth = (u_int)-1;
187 #else
188 static u_int label_stack_depth = -1U, vlan_stack_depth = -1U;
189 #endif
190
191 /* XXX */
192 static int pcap_fddipad;
193
194 /* VARARGS */
195 void
196 bpf_error(const char *fmt, ...)
197 {
198 va_list ap;
199
200 va_start(ap, fmt);
201 if (bpf_pcap != NULL)
202 (void)pcap_vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
203 fmt, ap);
204 va_end(ap);
205 longjmp(top_ctx, 1);
206 /* NOTREACHED */
207 }
208
209 static void init_linktype(pcap_t *);
210
211 static void init_regs(void);
212 static int alloc_reg(void);
213 static void free_reg(int);
214
215 static struct block *root;
216
217 /*
218 * Absolute offsets, which are offsets from the beginning of the raw
219 * packet data, are, in the general case, the sum of a variable value
220 * and a constant value; the variable value may be absent, in which
221 * case the offset is only the constant value, and the constant value
222 * may be zero, in which case the offset is only the variable value.
223 *
224 * bpf_abs_offset is a structure containing all that information:
225 *
226 * is_variable is 1 if there's a variable part.
227 *
228 * constant_part is the constant part of the value, possibly zero;
229 *
230 * if is_variable is 1, reg is the register number for a register
231 * containing the variable value if the register has been assigned,
232 * and -1 otherwise.
233 */
234 typedef struct {
235 int is_variable;
236 u_int constant_part;
237 int reg;
238 } bpf_abs_offset;
239
240 /*
241 * Value passed to gen_load_a() to indicate what the offset argument
242 * is relative to the beginning of.
243 */
244 enum e_offrel {
245 OR_PACKET, /* full packet data */
246 OR_LINKHDR, /* link-layer header */
247 OR_PREVLINKHDR, /* previous link-layer header */
248 OR_LLC, /* 802.2 LLC header */
249 OR_PREVMPLSHDR, /* previous MPLS header */
250 OR_LINKTYPE, /* link-layer type */
251 OR_LINKPL, /* link-layer payload */
252 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
253 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
254 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
255 };
256
257 #ifdef INET6
258 /*
259 * As errors are handled by a longjmp, anything allocated must be freed
260 * in the longjmp handler, so it must be reachable from that handler.
261 * One thing that's allocated is the result of pcap_nametoaddrinfo();
262 * it must be freed with freeaddrinfo(). This variable points to any
263 * addrinfo structure that would need to be freed.
264 */
265 static struct addrinfo *ai;
266 #endif
267
268 /*
269 * We divy out chunks of memory rather than call malloc each time so
270 * we don't have to worry about leaking memory. It's probably
271 * not a big deal if all this memory was wasted but if this ever
272 * goes into a library that would probably not be a good idea.
273 *
274 * XXX - this *is* in a library....
275 */
276 #define NCHUNKS 16
277 #define CHUNK0SIZE 1024
278 struct chunk {
279 size_t n_left;
280 void *m;
281 };
282
283 static struct chunk chunks[NCHUNKS];
284 static int cur_chunk;
285
286 static void *newchunk(size_t);
287 static void freechunks(void);
288 static inline struct block *new_block(int);
289 static inline struct slist *new_stmt(int);
290 static struct block *gen_retblk(int);
291 static inline void syntax(void);
292
293 static void backpatch(struct block *, struct block *);
294 static void merge(struct block *, struct block *);
295 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
296 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
297 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
298 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
299 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
300 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
301 bpf_u_int32);
302 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
303 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
304 bpf_u_int32, bpf_u_int32, int, bpf_int32);
305 static struct slist *gen_load_absoffsetrel(bpf_abs_offset *, u_int, u_int);
306 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
307 static struct slist *gen_loadx_iphdrlen(void);
308 static struct block *gen_uncond(int);
309 static inline struct block *gen_true(void);
310 static inline struct block *gen_false(void);
311 static struct block *gen_ether_linktype(int);
312 static struct block *gen_ipnet_linktype(int);
313 static struct block *gen_linux_sll_linktype(int);
314 static struct slist *gen_load_prism_llprefixlen(void);
315 static struct slist *gen_load_avs_llprefixlen(void);
316 static struct slist *gen_load_radiotap_llprefixlen(void);
317 static struct slist *gen_load_ppi_llprefixlen(void);
318 static void insert_compute_vloffsets(struct block *);
319 static struct slist *gen_abs_offset_varpart(bpf_abs_offset *);
320 static int ethertype_to_ppptype(int);
321 static struct block *gen_linktype(int);
322 static struct block *gen_snap(bpf_u_int32, bpf_u_int32);
323 static struct block *gen_llc_linktype(int);
324 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
325 #ifdef INET6
326 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
327 #endif
328 static struct block *gen_ahostop(const u_char *, int);
329 static struct block *gen_ehostop(const u_char *, int);
330 static struct block *gen_fhostop(const u_char *, int);
331 static struct block *gen_thostop(const u_char *, int);
332 static struct block *gen_wlanhostop(const u_char *, int);
333 static struct block *gen_ipfchostop(const u_char *, int);
334 static struct block *gen_dnhostop(bpf_u_int32, int);
335 static struct block *gen_mpls_linktype(int);
336 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
337 #ifdef INET6
338 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
339 #endif
340 #ifndef INET6
341 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
342 #endif
343 static struct block *gen_ipfrag(void);
344 static struct block *gen_portatom(int, bpf_int32);
345 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
346 static struct block *gen_portatom6(int, bpf_int32);
347 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
348 struct block *gen_portop(int, int, int);
349 static struct block *gen_port(int, int, int);
350 struct block *gen_portrangeop(int, int, int, int);
351 static struct block *gen_portrange(int, int, int, int);
352 struct block *gen_portop6(int, int, int);
353 static struct block *gen_port6(int, int, int);
354 struct block *gen_portrangeop6(int, int, int, int);
355 static struct block *gen_portrange6(int, int, int, int);
356 static int lookup_proto(const char *, int);
357 static struct block *gen_protochain(int, int, int);
358 static struct block *gen_proto(int, int, int);
359 static struct slist *xfer_to_x(struct arth *);
360 static struct slist *xfer_to_a(struct arth *);
361 static struct block *gen_mac_multicast(int);
362 static struct block *gen_len(int, int);
363 static struct block *gen_check_802_11_data_frame(void);
364 static struct block *gen_geneve_ll_check(void);
365
366 static struct block *gen_ppi_dlt_check(void);
367 static struct block *gen_msg_abbrev(int type);
368
369 static void *
370 newchunk(size_t n)
371 {
372 struct chunk *cp;
373 int k;
374 size_t size;
375
376 #ifndef __NetBSD__
377 /* XXX Round up to nearest long. */
378 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
379 #else
380 /* XXX Round up to structure boundary. */
381 n = ALIGN(n);
382 #endif
383
384 cp = &chunks[cur_chunk];
385 if (n > cp->n_left) {
386 ++cp, k = ++cur_chunk;
387 if (k >= NCHUNKS)
388 bpf_error("out of memory");
389 size = CHUNK0SIZE << k;
390 cp->m = (void *)malloc(size);
391 if (cp->m == NULL)
392 bpf_error("out of memory");
393 memset((char *)cp->m, 0, size);
394 cp->n_left = size;
395 if (n > size)
396 bpf_error("out of memory");
397 }
398 cp->n_left -= n;
399 return (void *)((char *)cp->m + cp->n_left);
400 }
401
402 static void
403 freechunks()
404 {
405 int i;
406
407 cur_chunk = 0;
408 for (i = 0; i < NCHUNKS; ++i)
409 if (chunks[i].m != NULL) {
410 free(chunks[i].m);
411 chunks[i].m = NULL;
412 }
413 }
414
415 /*
416 * A strdup whose allocations are freed after code generation is over.
417 */
418 char *
419 sdup(s)
420 register const char *s;
421 {
422 size_t n = strlen(s) + 1;
423 char *cp = newchunk(n);
424
425 strlcpy(cp, s, n);
426 return (cp);
427 }
428
429 static inline struct block *
430 new_block(code)
431 int code;
432 {
433 struct block *p;
434
435 p = (struct block *)newchunk(sizeof(*p));
436 p->s.code = code;
437 p->head = p;
438
439 return p;
440 }
441
442 static inline struct slist *
443 new_stmt(code)
444 int code;
445 {
446 struct slist *p;
447
448 p = (struct slist *)newchunk(sizeof(*p));
449 p->s.code = code;
450
451 return p;
452 }
453
454 static struct block *
455 gen_retblk(v)
456 int v;
457 {
458 struct block *b = new_block(BPF_RET|BPF_K);
459
460 b->s.k = v;
461 return b;
462 }
463
464 static inline void
465 syntax()
466 {
467 bpf_error("syntax error in filter expression");
468 }
469
470 static bpf_u_int32 netmask;
471 static int snaplen;
472 int no_optimize;
473
474 int
475 pcap_compile(pcap_t *p, struct bpf_program *program,
476 const char *buf, int optimize, bpf_u_int32 mask)
477 {
478 extern int n_errors;
479 const char * volatile xbuf = buf;
480 yyscan_t scanner = NULL;
481 YY_BUFFER_STATE in_buffer = NULL;
482 u_int len;
483 int rc;
484
485 /*
486 * XXX - single-thread this code path with pthread calls on
487 * UN*X, if the platform supports pthreads? If that requires
488 * a separate -lpthread, we might not want to do that.
489 */
490 #ifdef _WIN32
491 static int done = 0;
492
493 if (!done)
494 pcap_wsockinit();
495 done = 1;
496 EnterCriticalSection(&g_PcapCompileCriticalSection);
497 #endif
498
499 /*
500 * If this pcap_t hasn't been activated, it doesn't have a
501 * link-layer type, so we can't use it.
502 */
503 if (!p->activated) {
504 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
505 "not-yet-activated pcap_t passed to pcap_compile");
506 rc = -1;
507 goto quit;
508 }
509 no_optimize = 0;
510 n_errors = 0;
511 root = NULL;
512 bpf_pcap = p;
513 init_regs();
514
515 if (setjmp(top_ctx)) {
516 #ifdef INET6
517 if (ai != NULL) {
518 freeaddrinfo(ai);
519 ai = NULL;
520 }
521 #endif
522 rc = -1;
523 goto quit;
524 }
525
526 netmask = mask;
527
528 snaplen = pcap_snapshot(p);
529 if (snaplen == 0) {
530 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
531 "snaplen of 0 rejects all packets");
532 rc = -1;
533 goto quit;
534 }
535
536 if (pcap_lex_init(&scanner) != 0)
537 bpf_error("can't initialize scanner: %s", pcap_strerror(errno));
538 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner);
539 init_linktype(p);
540 (void)pcap_parse(scanner);
541
542 if (n_errors)
543 syntax();
544
545 if (root == NULL)
546 root = gen_retblk(snaplen);
547
548 if (optimize && !no_optimize) {
549 bpf_optimize(&root);
550 if (root == NULL ||
551 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
552 bpf_error("expression rejects all packets");
553 }
554 program->bf_insns = icode_to_fcode(root, &len);
555 program->bf_len = len;
556
557 rc = 0; /* We're all okay */
558
559 quit:
560 /*
561 * Clean up everything for the lexical analyzer.
562 */
563 if (in_buffer != NULL)
564 pcap__delete_buffer(in_buffer, scanner);
565 if (scanner != NULL)
566 pcap_lex_destroy(scanner);
567
568 /*
569 * Clean up our own allocated memory.
570 */
571 freechunks();
572
573 #ifdef _WIN32
574 LeaveCriticalSection(&g_PcapCompileCriticalSection);
575 #endif
576
577 return (rc);
578 }
579
580 /*
581 * entry point for using the compiler with no pcap open
582 * pass in all the stuff that is needed explicitly instead.
583 */
584 int
585 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
586 struct bpf_program *program,
587 const char *buf, int optimize, bpf_u_int32 mask)
588 {
589 pcap_t *p;
590 int ret;
591
592 p = pcap_open_dead(linktype_arg, snaplen_arg);
593 if (p == NULL)
594 return (-1);
595 ret = pcap_compile(p, program, buf, optimize, mask);
596 pcap_close(p);
597 return (ret);
598 }
599
600 /*
601 * Clean up a "struct bpf_program" by freeing all the memory allocated
602 * in it.
603 */
604 void
605 pcap_freecode(struct bpf_program *program)
606 {
607 program->bf_len = 0;
608 if (program->bf_insns != NULL) {
609 free((char *)program->bf_insns);
610 program->bf_insns = NULL;
611 }
612 }
613
614 /*
615 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
616 * which of the jt and jf fields has been resolved and which is a pointer
617 * back to another unresolved block (or nil). At least one of the fields
618 * in each block is already resolved.
619 */
620 static void
621 backpatch(list, target)
622 struct block *list, *target;
623 {
624 struct block *next;
625
626 while (list) {
627 if (!list->sense) {
628 next = JT(list);
629 JT(list) = target;
630 } else {
631 next = JF(list);
632 JF(list) = target;
633 }
634 list = next;
635 }
636 }
637
638 /*
639 * Merge the lists in b0 and b1, using the 'sense' field to indicate
640 * which of jt and jf is the link.
641 */
642 static void
643 merge(b0, b1)
644 struct block *b0, *b1;
645 {
646 register struct block **p = &b0;
647
648 /* Find end of list. */
649 while (*p)
650 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
651
652 /* Concatenate the lists. */
653 *p = b1;
654 }
655
656 void
657 finish_parse(p)
658 struct block *p;
659 {
660 struct block *ppi_dlt_check;
661
662 /*
663 * Insert before the statements of the first (root) block any
664 * statements needed to load the lengths of any variable-length
665 * headers into registers.
666 *
667 * XXX - a fancier strategy would be to insert those before the
668 * statements of all blocks that use those lengths and that
669 * have no predecessors that use them, so that we only compute
670 * the lengths if we need them. There might be even better
671 * approaches than that.
672 *
673 * However, those strategies would be more complicated, and
674 * as we don't generate code to compute a length if the
675 * program has no tests that use the length, and as most
676 * tests will probably use those lengths, we would just
677 * postpone computing the lengths so that it's not done
678 * for tests that fail early, and it's not clear that's
679 * worth the effort.
680 */
681 insert_compute_vloffsets(p->head);
682
683 /*
684 * For DLT_PPI captures, generate a check of the per-packet
685 * DLT value to make sure it's DLT_IEEE802_11.
686 *
687 * XXX - TurboCap cards use DLT_PPI for Ethernet.
688 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
689 * with appropriate Ethernet information and use that rather
690 * than using something such as DLT_PPI where you don't know
691 * the link-layer header type until runtime, which, in the
692 * general case, would force us to generate both Ethernet *and*
693 * 802.11 code (*and* anything else for which PPI is used)
694 * and choose between them early in the BPF program?
695 */
696 ppi_dlt_check = gen_ppi_dlt_check();
697 if (ppi_dlt_check != NULL)
698 gen_and(ppi_dlt_check, p);
699
700 backpatch(p, gen_retblk(snaplen));
701 p->sense = !p->sense;
702 backpatch(p, gen_retblk(0));
703 root = p->head;
704 }
705
706 void
707 gen_and(b0, b1)
708 struct block *b0, *b1;
709 {
710 backpatch(b0, b1->head);
711 b0->sense = !b0->sense;
712 b1->sense = !b1->sense;
713 merge(b1, b0);
714 b1->sense = !b1->sense;
715 b1->head = b0->head;
716 }
717
718 void
719 gen_or(b0, b1)
720 struct block *b0, *b1;
721 {
722 b0->sense = !b0->sense;
723 backpatch(b0, b1->head);
724 b0->sense = !b0->sense;
725 merge(b1, b0);
726 b1->head = b0->head;
727 }
728
729 void
730 gen_not(b)
731 struct block *b;
732 {
733 b->sense = !b->sense;
734 }
735
736 static struct block *
737 gen_cmp(offrel, offset, size, v)
738 enum e_offrel offrel;
739 u_int offset, size;
740 bpf_int32 v;
741 {
742 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
743 }
744
745 static struct block *
746 gen_cmp_gt(offrel, offset, size, v)
747 enum e_offrel offrel;
748 u_int offset, size;
749 bpf_int32 v;
750 {
751 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
752 }
753
754 static struct block *
755 gen_cmp_ge(offrel, offset, size, v)
756 enum e_offrel offrel;
757 u_int offset, size;
758 bpf_int32 v;
759 {
760 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
761 }
762
763 static struct block *
764 gen_cmp_lt(offrel, offset, size, v)
765 enum e_offrel offrel;
766 u_int offset, size;
767 bpf_int32 v;
768 {
769 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
770 }
771
772 static struct block *
773 gen_cmp_le(offrel, offset, size, v)
774 enum e_offrel offrel;
775 u_int offset, size;
776 bpf_int32 v;
777 {
778 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
779 }
780
781 static struct block *
782 gen_mcmp(offrel, offset, size, v, mask)
783 enum e_offrel offrel;
784 u_int offset, size;
785 bpf_int32 v;
786 bpf_u_int32 mask;
787 {
788 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
789 }
790
791 static struct block *
792 gen_bcmp(offrel, offset, size, v)
793 enum e_offrel offrel;
794 register u_int offset, size;
795 register const u_char *v;
796 {
797 register struct block *b, *tmp;
798
799 b = NULL;
800 while (size >= 4) {
801 register const u_char *p = &v[size - 4];
802 bpf_int32 w = ((bpf_int32)p[0] << 24) |
803 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
804
805 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
806 if (b != NULL)
807 gen_and(b, tmp);
808 b = tmp;
809 size -= 4;
810 }
811 while (size >= 2) {
812 register const u_char *p = &v[size - 2];
813 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
814
815 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
816 if (b != NULL)
817 gen_and(b, tmp);
818 b = tmp;
819 size -= 2;
820 }
821 if (size > 0) {
822 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
823 if (b != NULL)
824 gen_and(b, tmp);
825 b = tmp;
826 }
827 return b;
828 }
829
830 /*
831 * AND the field of size "size" at offset "offset" relative to the header
832 * specified by "offrel" with "mask", and compare it with the value "v"
833 * with the test specified by "jtype"; if "reverse" is true, the test
834 * should test the opposite of "jtype".
835 */
836 static struct block *
837 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
838 enum e_offrel offrel;
839 bpf_int32 v;
840 bpf_u_int32 offset, size, mask, jtype;
841 int reverse;
842 {
843 struct slist *s, *s2;
844 struct block *b;
845
846 s = gen_load_a(offrel, offset, size);
847
848 if (mask != 0xffffffff) {
849 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
850 s2->s.k = mask;
851 sappend(s, s2);
852 }
853
854 b = new_block(JMP(jtype));
855 b->stmts = s;
856 b->s.k = v;
857 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
858 gen_not(b);
859 return b;
860 }
861
862 /*
863 * Various code constructs need to know the layout of the packet.
864 * These variables give the necessary offsets from the beginning
865 * of the packet data.
866 */
867
868 /*
869 * Absolute offset of the beginning of the link-layer header.
870 */
871 static bpf_abs_offset off_linkhdr;
872
873 /*
874 * If we're checking a link-layer header for a packet encapsulated in
875 * another protocol layer, this is the equivalent information for the
876 * previous layers' link-layer header from the beginning of the raw
877 * packet data.
878 */
879 static bpf_abs_offset off_prevlinkhdr;
880
881 /*
882 * This is the equivalent information for the outermost layers' link-layer
883 * header.
884 */
885 static bpf_abs_offset off_outermostlinkhdr;
886
887 /*
888 * "Push" the current value of the link-layer header type and link-layer
889 * header offset onto a "stack", and set a new value. (It's not a
890 * full-blown stack; we keep only the top two items.)
891 */
892 #define PUSH_LINKHDR(new_linktype, new_is_variable, new_constant_part, new_reg) \
893 { \
894 prevlinktype = new_linktype; \
895 off_prevlinkhdr = off_linkhdr; \
896 linktype = new_linktype; \
897 off_linkhdr.is_variable = new_is_variable; \
898 off_linkhdr.constant_part = new_constant_part; \
899 off_linkhdr.reg = new_reg; \
900 is_geneve = 0; \
901 }
902
903 /*
904 * Absolute offset of the beginning of the link-layer payload.
905 */
906 static bpf_abs_offset off_linkpl;
907
908 /*
909 * "off_linktype" is the offset to information in the link-layer header
910 * giving the packet type. This is an absolute offset from the beginning
911 * of the packet.
912 *
913 * For Ethernet, it's the offset of the Ethernet type field; this
914 * means that it must have a value that skips VLAN tags.
915 *
916 * For link-layer types that always use 802.2 headers, it's the
917 * offset of the LLC header; this means that it must have a value
918 * that skips VLAN tags.
919 *
920 * For PPP, it's the offset of the PPP type field.
921 *
922 * For Cisco HDLC, it's the offset of the CHDLC type field.
923 *
924 * For BSD loopback, it's the offset of the AF_ value.
925 *
926 * For Linux cooked sockets, it's the offset of the type field.
927 *
928 * off_linktype.constant_part is set to -1 for no encapsulation,
929 * in which case, IP is assumed.
930 */
931 static bpf_abs_offset off_linktype;
932
933 /*
934 * TRUE if the link layer includes an ATM pseudo-header.
935 */
936 static int is_atm = 0;
937
938 /*
939 * TRUE if "geneve" appeared in the filter; it causes us to generate
940 * code that checks for a Geneve header and assume that later filters
941 * apply to the encapsulated payload.
942 */
943 static int is_geneve = 0;
944
945 /*
946 * These are offsets for the ATM pseudo-header.
947 */
948 static u_int off_vpi;
949 static u_int off_vci;
950 static u_int off_proto;
951
952 /*
953 * These are offsets for the MTP2 fields.
954 */
955 static u_int off_li;
956 static u_int off_li_hsl;
957
958 /*
959 * These are offsets for the MTP3 fields.
960 */
961 static u_int off_sio;
962 static u_int off_opc;
963 static u_int off_dpc;
964 static u_int off_sls;
965
966 /*
967 * This is the offset of the first byte after the ATM pseudo_header,
968 * or -1 if there is no ATM pseudo-header.
969 */
970 static u_int off_payload;
971
972 /*
973 * These are offsets to the beginning of the network-layer header.
974 * They are relative to the beginning of the link-layer payload (i.e.,
975 * they don't include off_linkhdr.constant_part or off_linkpl.constant_part).
976 *
977 * If the link layer never uses 802.2 LLC:
978 *
979 * "off_nl" and "off_nl_nosnap" are the same.
980 *
981 * If the link layer always uses 802.2 LLC:
982 *
983 * "off_nl" is the offset if there's a SNAP header following
984 * the 802.2 header;
985 *
986 * "off_nl_nosnap" is the offset if there's no SNAP header.
987 *
988 * If the link layer is Ethernet:
989 *
990 * "off_nl" is the offset if the packet is an Ethernet II packet
991 * (we assume no 802.3+802.2+SNAP);
992 *
993 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
994 * with an 802.2 header following it.
995 */
996 static u_int off_nl;
997 static u_int off_nl_nosnap;
998
999 static int linktype;
1000 static int prevlinktype;
1001 static int outermostlinktype;
1002
1003 static void
1004 init_linktype(p)
1005 pcap_t *p;
1006 {
1007 pcap_fddipad = p->fddipad;
1008
1009 /*
1010 * We start out with only one link-layer header.
1011 */
1012 outermostlinktype = pcap_datalink(p);
1013 off_outermostlinkhdr.constant_part = 0;
1014 off_outermostlinkhdr.is_variable = 0;
1015 off_outermostlinkhdr.reg = -1;
1016
1017 prevlinktype = outermostlinktype;
1018 off_prevlinkhdr.constant_part = 0;
1019 off_prevlinkhdr.is_variable = 0;
1020 off_prevlinkhdr.reg = -1;
1021
1022 linktype = outermostlinktype;
1023 off_linkhdr.constant_part = 0;
1024 off_linkhdr.is_variable = 0;
1025 off_linkhdr.reg = -1;
1026
1027 /*
1028 * XXX
1029 */
1030 off_linkpl.constant_part = 0;
1031 off_linkpl.is_variable = 0;
1032 off_linkpl.reg = -1;
1033
1034 off_linktype.constant_part = 0;
1035 off_linktype.is_variable = 0;
1036 off_linktype.reg = -1;
1037
1038 /*
1039 * Assume it's not raw ATM with a pseudo-header, for now.
1040 */
1041 is_atm = 0;
1042 off_vpi = -1;
1043 off_vci = -1;
1044 off_proto = -1;
1045 off_payload = -1;
1046
1047 /*
1048 * And not Geneve.
1049 */
1050 is_geneve = 0;
1051
1052 /*
1053 * And assume we're not doing SS7.
1054 */
1055 off_li = -1;
1056 off_li_hsl = -1;
1057 off_sio = -1;
1058 off_opc = -1;
1059 off_dpc = -1;
1060 off_sls = -1;
1061
1062 label_stack_depth = 0;
1063 vlan_stack_depth = 0;
1064
1065 switch (linktype) {
1066
1067 case DLT_ARCNET:
1068 off_linktype.constant_part = 2;
1069 off_linkpl.constant_part = 6;
1070 off_nl = 0; /* XXX in reality, variable! */
1071 off_nl_nosnap = 0; /* no 802.2 LLC */
1072 break;
1073
1074 case DLT_ARCNET_LINUX:
1075 off_linktype.constant_part = 4;
1076 off_linkpl.constant_part = 8;
1077 off_nl = 0; /* XXX in reality, variable! */
1078 off_nl_nosnap = 0; /* no 802.2 LLC */
1079 break;
1080
1081 case DLT_EN10MB:
1082 off_linktype.constant_part = 12;
1083 off_linkpl.constant_part = 14; /* Ethernet header length */
1084 off_nl = 0; /* Ethernet II */
1085 off_nl_nosnap = 3; /* 802.3+802.2 */
1086 break;
1087
1088 case DLT_SLIP:
1089 /*
1090 * SLIP doesn't have a link level type. The 16 byte
1091 * header is hacked into our SLIP driver.
1092 */
1093 off_linktype.constant_part = -1;
1094 off_linkpl.constant_part = 16;
1095 off_nl = 0;
1096 off_nl_nosnap = 0; /* no 802.2 LLC */
1097 break;
1098
1099 case DLT_SLIP_BSDOS:
1100 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1101 off_linktype.constant_part = -1;
1102 /* XXX end */
1103 off_linkpl.constant_part = 24;
1104 off_nl = 0;
1105 off_nl_nosnap = 0; /* no 802.2 LLC */
1106 break;
1107
1108 case DLT_NULL:
1109 case DLT_LOOP:
1110 off_linktype.constant_part = 0;
1111 off_linkpl.constant_part = 4;
1112 off_nl = 0;
1113 off_nl_nosnap = 0; /* no 802.2 LLC */
1114 break;
1115
1116 case DLT_ENC:
1117 off_linktype.constant_part = 0;
1118 off_linkpl.constant_part = 12;
1119 off_nl = 0;
1120 off_nl_nosnap = 0; /* no 802.2 LLC */
1121 break;
1122
1123 case DLT_PPP:
1124 case DLT_PPP_PPPD:
1125 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1126 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1127 off_linktype.constant_part = 2; /* skip HDLC-like framing */
1128 off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1129 off_nl = 0;
1130 off_nl_nosnap = 0; /* no 802.2 LLC */
1131 break;
1132
1133 case DLT_PPP_ETHER:
1134 /*
1135 * This does no include the Ethernet header, and
1136 * only covers session state.
1137 */
1138 off_linktype.constant_part = 6;
1139 off_linkpl.constant_part = 8;
1140 off_nl = 0;
1141 off_nl_nosnap = 0; /* no 802.2 LLC */
1142 break;
1143
1144 case DLT_PPP_BSDOS:
1145 off_linktype.constant_part = 5;
1146 off_linkpl.constant_part = 24;
1147 off_nl = 0;
1148 off_nl_nosnap = 0; /* no 802.2 LLC */
1149 break;
1150
1151 case DLT_FDDI:
1152 /*
1153 * FDDI doesn't really have a link-level type field.
1154 * We set "off_linktype" to the offset of the LLC header.
1155 *
1156 * To check for Ethernet types, we assume that SSAP = SNAP
1157 * is being used and pick out the encapsulated Ethernet type.
1158 * XXX - should we generate code to check for SNAP?
1159 */
1160 off_linktype.constant_part = 13;
1161 off_linktype.constant_part += pcap_fddipad;
1162 off_linkpl.constant_part = 13; /* FDDI MAC header length */
1163 off_linkpl.constant_part += pcap_fddipad;
1164 off_nl = 8; /* 802.2+SNAP */
1165 off_nl_nosnap = 3; /* 802.2 */
1166 break;
1167
1168 case DLT_IEEE802:
1169 /*
1170 * Token Ring doesn't really have a link-level type field.
1171 * We set "off_linktype" to the offset of the LLC header.
1172 *
1173 * To check for Ethernet types, we assume that SSAP = SNAP
1174 * is being used and pick out the encapsulated Ethernet type.
1175 * XXX - should we generate code to check for SNAP?
1176 *
1177 * XXX - the header is actually variable-length.
1178 * Some various Linux patched versions gave 38
1179 * as "off_linktype" and 40 as "off_nl"; however,
1180 * if a token ring packet has *no* routing
1181 * information, i.e. is not source-routed, the correct
1182 * values are 20 and 22, as they are in the vanilla code.
1183 *
1184 * A packet is source-routed iff the uppermost bit
1185 * of the first byte of the source address, at an
1186 * offset of 8, has the uppermost bit set. If the
1187 * packet is source-routed, the total number of bytes
1188 * of routing information is 2 plus bits 0x1F00 of
1189 * the 16-bit value at an offset of 14 (shifted right
1190 * 8 - figure out which byte that is).
1191 */
1192 off_linktype.constant_part = 14;
1193 off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1194 off_nl = 8; /* 802.2+SNAP */
1195 off_nl_nosnap = 3; /* 802.2 */
1196 break;
1197
1198 case DLT_PRISM_HEADER:
1199 case DLT_IEEE802_11_RADIO_AVS:
1200 case DLT_IEEE802_11_RADIO:
1201 off_linkhdr.is_variable = 1;
1202 /* Fall through, 802.11 doesn't have a variable link
1203 * prefix but is otherwise the same. */
1204
1205 case DLT_IEEE802_11:
1206 /*
1207 * 802.11 doesn't really have a link-level type field.
1208 * We set "off_linktype.constant_part" to the offset of
1209 * the LLC header.
1210 *
1211 * To check for Ethernet types, we assume that SSAP = SNAP
1212 * is being used and pick out the encapsulated Ethernet type.
1213 * XXX - should we generate code to check for SNAP?
1214 *
1215 * We also handle variable-length radio headers here.
1216 * The Prism header is in theory variable-length, but in
1217 * practice it's always 144 bytes long. However, some
1218 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1219 * sometimes or always supply an AVS header, so we
1220 * have to check whether the radio header is a Prism
1221 * header or an AVS header, so, in practice, it's
1222 * variable-length.
1223 */
1224 off_linktype.constant_part = 24;
1225 off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1226 off_linkpl.is_variable = 1;
1227 off_nl = 8; /* 802.2+SNAP */
1228 off_nl_nosnap = 3; /* 802.2 */
1229 break;
1230
1231 case DLT_PPI:
1232 /*
1233 * At the moment we treat PPI the same way that we treat
1234 * normal Radiotap encoded packets. The difference is in
1235 * the function that generates the code at the beginning
1236 * to compute the header length. Since this code generator
1237 * of PPI supports bare 802.11 encapsulation only (i.e.
1238 * the encapsulated DLT should be DLT_IEEE802_11) we
1239 * generate code to check for this too.
1240 */
1241 off_linktype.constant_part = 24;
1242 off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1243 off_linkpl.is_variable = 1;
1244 off_linkhdr.is_variable = 1;
1245 off_nl = 8; /* 802.2+SNAP */
1246 off_nl_nosnap = 3; /* 802.2 */
1247 break;
1248
1249 case DLT_ATM_RFC1483:
1250 case DLT_ATM_CLIP: /* Linux ATM defines this */
1251 /*
1252 * assume routed, non-ISO PDUs
1253 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1254 *
1255 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1256 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1257 * latter would presumably be treated the way PPPoE
1258 * should be, so you can do "pppoe and udp port 2049"
1259 * or "pppoa and tcp port 80" and have it check for
1260 * PPPo{A,E} and a PPP protocol of IP and....
1261 */
1262 off_linktype.constant_part = 0;
1263 off_linkpl.constant_part = 0; /* packet begins with LLC header */
1264 off_nl = 8; /* 802.2+SNAP */
1265 off_nl_nosnap = 3; /* 802.2 */
1266 break;
1267
1268 case DLT_SUNATM:
1269 /*
1270 * Full Frontal ATM; you get AALn PDUs with an ATM
1271 * pseudo-header.
1272 */
1273 is_atm = 1;
1274 off_vpi = SUNATM_VPI_POS;
1275 off_vci = SUNATM_VCI_POS;
1276 off_proto = PROTO_POS;
1277 off_payload = SUNATM_PKT_BEGIN_POS;
1278 off_linktype.constant_part = off_payload;
1279 off_linkpl.constant_part = off_payload; /* if LLC-encapsulated */
1280 off_nl = 8; /* 802.2+SNAP */
1281 off_nl_nosnap = 3; /* 802.2 */
1282 break;
1283
1284 case DLT_RAW:
1285 case DLT_IPV4:
1286 case DLT_IPV6:
1287 off_linktype.constant_part = -1;
1288 off_linkpl.constant_part = 0;
1289 off_nl = 0;
1290 off_nl_nosnap = 0; /* no 802.2 LLC */
1291 break;
1292
1293 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1294 off_linktype.constant_part = 14;
1295 off_linkpl.constant_part = 16;
1296 off_nl = 0;
1297 off_nl_nosnap = 0; /* no 802.2 LLC */
1298 break;
1299
1300 case DLT_LTALK:
1301 /*
1302 * LocalTalk does have a 1-byte type field in the LLAP header,
1303 * but really it just indicates whether there is a "short" or
1304 * "long" DDP packet following.
1305 */
1306 off_linktype.constant_part = -1;
1307 off_linkpl.constant_part = 0;
1308 off_nl = 0;
1309 off_nl_nosnap = 0; /* no 802.2 LLC */
1310 break;
1311
1312 case DLT_IP_OVER_FC:
1313 /*
1314 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1315 * link-level type field. We set "off_linktype" to the
1316 * offset of the LLC header.
1317 *
1318 * To check for Ethernet types, we assume that SSAP = SNAP
1319 * is being used and pick out the encapsulated Ethernet type.
1320 * XXX - should we generate code to check for SNAP? RFC
1321 * 2625 says SNAP should be used.
1322 */
1323 off_linktype.constant_part = 16;
1324 off_linkpl.constant_part = 16;
1325 off_nl = 8; /* 802.2+SNAP */
1326 off_nl_nosnap = 3; /* 802.2 */
1327 break;
1328
1329 case DLT_FRELAY:
1330 /*
1331 * XXX - we should set this to handle SNAP-encapsulated
1332 * frames (NLPID of 0x80).
1333 */
1334 off_linktype.constant_part = -1;
1335 off_linkpl.constant_part = 0;
1336 off_nl = 0;
1337 off_nl_nosnap = 0; /* no 802.2 LLC */
1338 break;
1339
1340 /*
1341 * the only BPF-interesting FRF.16 frames are non-control frames;
1342 * Frame Relay has a variable length link-layer
1343 * so lets start with offset 4 for now and increments later on (FIXME);
1344 */
1345 case DLT_MFR:
1346 off_linktype.constant_part = -1;
1347 off_linkpl.constant_part = 0;
1348 off_nl = 4;
1349 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1350 break;
1351
1352 case DLT_APPLE_IP_OVER_IEEE1394:
1353 off_linktype.constant_part = 16;
1354 off_linkpl.constant_part = 18;
1355 off_nl = 0;
1356 off_nl_nosnap = 0; /* no 802.2 LLC */
1357 break;
1358
1359 case DLT_SYMANTEC_FIREWALL:
1360 off_linktype.constant_part = 6;
1361 off_linkpl.constant_part = 44;
1362 off_nl = 0; /* Ethernet II */
1363 off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1364 break;
1365
1366 #ifdef HAVE_NET_PFVAR_H
1367 case DLT_PFLOG:
1368 off_linktype.constant_part = 0;
1369 off_linkpl.constant_part = PFLOG_HDRLEN;
1370 off_nl = 0;
1371 off_nl_nosnap = 0; /* no 802.2 LLC */
1372 break;
1373 #endif
1374
1375 case DLT_JUNIPER_MFR:
1376 case DLT_JUNIPER_MLFR:
1377 case DLT_JUNIPER_MLPPP:
1378 case DLT_JUNIPER_PPP:
1379 case DLT_JUNIPER_CHDLC:
1380 case DLT_JUNIPER_FRELAY:
1381 off_linktype.constant_part = 4;
1382 off_linkpl.constant_part = 4;
1383 off_nl = 0;
1384 off_nl_nosnap = -1; /* no 802.2 LLC */
1385 break;
1386
1387 case DLT_JUNIPER_ATM1:
1388 off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1389 off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1390 off_nl = 0;
1391 off_nl_nosnap = 10;
1392 break;
1393
1394 case DLT_JUNIPER_ATM2:
1395 off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1396 off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1397 off_nl = 0;
1398 off_nl_nosnap = 10;
1399 break;
1400
1401 /* frames captured on a Juniper PPPoE service PIC
1402 * contain raw ethernet frames */
1403 case DLT_JUNIPER_PPPOE:
1404 case DLT_JUNIPER_ETHER:
1405 off_linkpl.constant_part = 14;
1406 off_linktype.constant_part = 16;
1407 off_nl = 18; /* Ethernet II */
1408 off_nl_nosnap = 21; /* 802.3+802.2 */
1409 break;
1410
1411 case DLT_JUNIPER_PPPOE_ATM:
1412 off_linktype.constant_part = 4;
1413 off_linkpl.constant_part = 6;
1414 off_nl = 0;
1415 off_nl_nosnap = -1; /* no 802.2 LLC */
1416 break;
1417
1418 case DLT_JUNIPER_GGSN:
1419 off_linktype.constant_part = 6;
1420 off_linkpl.constant_part = 12;
1421 off_nl = 0;
1422 off_nl_nosnap = -1; /* no 802.2 LLC */
1423 break;
1424
1425 case DLT_JUNIPER_ES:
1426 off_linktype.constant_part = 6;
1427 off_linkpl.constant_part = -1; /* not really a network layer but raw IP addresses */
1428 off_nl = -1; /* not really a network layer but raw IP addresses */
1429 off_nl_nosnap = -1; /* no 802.2 LLC */
1430 break;
1431
1432 case DLT_JUNIPER_MONITOR:
1433 off_linktype.constant_part = 12;
1434 off_linkpl.constant_part = 12;
1435 off_nl = 0; /* raw IP/IP6 header */
1436 off_nl_nosnap = -1; /* no 802.2 LLC */
1437 break;
1438
1439 case DLT_BACNET_MS_TP:
1440 off_linktype.constant_part = -1;
1441 off_linkpl.constant_part = -1;
1442 off_nl = -1;
1443 off_nl_nosnap = -1;
1444 break;
1445
1446 case DLT_JUNIPER_SERVICES:
1447 off_linktype.constant_part = 12;
1448 off_linkpl.constant_part = -1; /* L3 proto location dep. on cookie type */
1449 off_nl = -1; /* L3 proto location dep. on cookie type */
1450 off_nl_nosnap = -1; /* no 802.2 LLC */
1451 break;
1452
1453 case DLT_JUNIPER_VP:
1454 off_linktype.constant_part = 18;
1455 off_linkpl.constant_part = -1;
1456 off_nl = -1;
1457 off_nl_nosnap = -1;
1458 break;
1459
1460 case DLT_JUNIPER_ST:
1461 off_linktype.constant_part = 18;
1462 off_linkpl.constant_part = -1;
1463 off_nl = -1;
1464 off_nl_nosnap = -1;
1465 break;
1466
1467 case DLT_JUNIPER_ISM:
1468 off_linktype.constant_part = 8;
1469 off_linkpl.constant_part = -1;
1470 off_nl = -1;
1471 off_nl_nosnap = -1;
1472 break;
1473
1474 case DLT_JUNIPER_VS:
1475 case DLT_JUNIPER_SRX_E2E:
1476 case DLT_JUNIPER_FIBRECHANNEL:
1477 case DLT_JUNIPER_ATM_CEMIC:
1478 off_linktype.constant_part = 8;
1479 off_linkpl.constant_part = -1;
1480 off_nl = -1;
1481 off_nl_nosnap = -1;
1482 break;
1483
1484 case DLT_MTP2:
1485 off_li = 2;
1486 off_li_hsl = 4;
1487 off_sio = 3;
1488 off_opc = 4;
1489 off_dpc = 4;
1490 off_sls = 7;
1491 off_linktype.constant_part = -1;
1492 off_linkpl.constant_part = -1;
1493 off_nl = -1;
1494 off_nl_nosnap = -1;
1495 break;
1496
1497 case DLT_MTP2_WITH_PHDR:
1498 off_li = 6;
1499 off_li_hsl = 8;
1500 off_sio = 7;
1501 off_opc = 8;
1502 off_dpc = 8;
1503 off_sls = 11;
1504 off_linktype.constant_part = -1;
1505 off_linkpl.constant_part = -1;
1506 off_nl = -1;
1507 off_nl_nosnap = -1;
1508 break;
1509
1510 case DLT_ERF:
1511 off_li = 22;
1512 off_li_hsl = 24;
1513 off_sio = 23;
1514 off_opc = 24;
1515 off_dpc = 24;
1516 off_sls = 27;
1517 off_linktype.constant_part = -1;
1518 off_linkpl.constant_part = -1;
1519 off_nl = -1;
1520 off_nl_nosnap = -1;
1521 break;
1522
1523 case DLT_PFSYNC:
1524 off_linktype.constant_part = -1;
1525 off_linkpl.constant_part = 4;
1526 off_nl = 0;
1527 off_nl_nosnap = 0;
1528 break;
1529
1530 case DLT_AX25_KISS:
1531 /*
1532 * Currently, only raw "link[N:M]" filtering is supported.
1533 */
1534 off_linktype.constant_part = -1; /* variable, min 15, max 71 steps of 7 */
1535 off_linkpl.constant_part = -1;
1536 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1537 off_nl_nosnap = -1; /* no 802.2 LLC */
1538 break;
1539
1540 case DLT_IPNET:
1541 off_linktype.constant_part = 1;
1542 off_linkpl.constant_part = 24; /* ipnet header length */
1543 off_nl = 0;
1544 off_nl_nosnap = -1;
1545 break;
1546
1547 case DLT_NETANALYZER:
1548 off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1549 off_linktype.constant_part = off_linkhdr.constant_part + 12;
1550 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1551 off_nl = 0; /* Ethernet II */
1552 off_nl_nosnap = 3; /* 802.3+802.2 */
1553 break;
1554
1555 case DLT_NETANALYZER_TRANSPARENT:
1556 off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1557 off_linktype.constant_part = off_linkhdr.constant_part + 12;
1558 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1559 off_nl = 0; /* Ethernet II */
1560 off_nl_nosnap = 3; /* 802.3+802.2 */
1561 break;
1562
1563 default:
1564 /*
1565 * For values in the range in which we've assigned new
1566 * DLT_ values, only raw "link[N:M]" filtering is supported.
1567 */
1568 if (linktype >= DLT_MATCHING_MIN &&
1569 linktype <= DLT_MATCHING_MAX) {
1570 off_linktype.constant_part = -1;
1571 off_linkpl.constant_part = -1;
1572 off_nl = -1;
1573 off_nl_nosnap = -1;
1574 } else {
1575 bpf_error("unknown data link type %d", linktype);
1576 }
1577 break;
1578 }
1579
1580 off_outermostlinkhdr = off_prevlinkhdr = off_linkhdr;
1581 }
1582
1583 /*
1584 * Load a value relative to the specified absolute offset.
1585 */
1586 static struct slist *
1587 gen_load_absoffsetrel(bpf_abs_offset *abs_offset, u_int offset, u_int size)
1588 {
1589 struct slist *s, *s2;
1590
1591 s = gen_abs_offset_varpart(abs_offset);
1592
1593 /*
1594 * If "s" is non-null, it has code to arrange that the X register
1595 * contains the variable part of the absolute offset, so we
1596 * generate a load relative to that, with an offset of
1597 * abs_offset->constant_part + offset.
1598 *
1599 * Otherwise, we can do an absolute load with an offset of
1600 * abs_offset->constant_part + offset.
1601 */
1602 if (s != NULL) {
1603 /*
1604 * "s" points to a list of statements that puts the
1605 * variable part of the absolute offset into the X register.
1606 * Do an indirect load, to use the X register as an offset.
1607 */
1608 s2 = new_stmt(BPF_LD|BPF_IND|size);
1609 s2->s.k = abs_offset->constant_part + offset;
1610 sappend(s, s2);
1611 } else {
1612 /*
1613 * There is no variable part of the absolute offset, so
1614 * just do an absolute load.
1615 */
1616 s = new_stmt(BPF_LD|BPF_ABS|size);
1617 s->s.k = abs_offset->constant_part + offset;
1618 }
1619 return s;
1620 }
1621
1622 /*
1623 * Load a value relative to the beginning of the specified header.
1624 */
1625 static struct slist *
1626 gen_load_a(offrel, offset, size)
1627 enum e_offrel offrel;
1628 u_int offset, size;
1629 {
1630 struct slist *s, *s2;
1631
1632 switch (offrel) {
1633
1634 case OR_PACKET:
1635 s = new_stmt(BPF_LD|BPF_ABS|size);
1636 s->s.k = offset;
1637 break;
1638
1639 case OR_LINKHDR:
1640 s = gen_load_absoffsetrel(&off_linkhdr, offset, size);
1641 break;
1642
1643 case OR_PREVLINKHDR:
1644 s = gen_load_absoffsetrel(&off_prevlinkhdr, offset, size);
1645 break;
1646
1647 case OR_LLC:
1648 s = gen_load_absoffsetrel(&off_linkpl, offset, size);
1649 break;
1650
1651 case OR_PREVMPLSHDR:
1652 s = gen_load_absoffsetrel(&off_linkpl, off_nl - 4 + offset, size);
1653 break;
1654
1655 case OR_LINKPL:
1656 s = gen_load_absoffsetrel(&off_linkpl, off_nl + offset, size);
1657 break;
1658
1659 case OR_LINKPL_NOSNAP:
1660 s = gen_load_absoffsetrel(&off_linkpl, off_nl_nosnap + offset, size);
1661 break;
1662
1663 case OR_LINKTYPE:
1664 s = gen_load_absoffsetrel(&off_linktype, offset, size);
1665 break;
1666
1667 case OR_TRAN_IPV4:
1668 /*
1669 * Load the X register with the length of the IPv4 header
1670 * (plus the offset of the link-layer header, if it's
1671 * preceded by a variable-length header such as a radio
1672 * header), in bytes.
1673 */
1674 s = gen_loadx_iphdrlen();
1675
1676 /*
1677 * Load the item at {offset of the link-layer payload} +
1678 * {offset, relative to the start of the link-layer
1679 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1680 * {specified offset}.
1681 *
1682 * If the offset of the link-layer payload is variable,
1683 * the variable part of that offset is included in the
1684 * value in the X register, and we include the constant
1685 * part in the offset of the load.
1686 */
1687 s2 = new_stmt(BPF_LD|BPF_IND|size);
1688 s2->s.k = off_linkpl.constant_part + off_nl + offset;
1689 sappend(s, s2);
1690 break;
1691
1692 case OR_TRAN_IPV6:
1693 s = gen_load_absoffsetrel(&off_linkpl, off_nl + 40 + offset, size);
1694 break;
1695
1696 default:
1697 abort();
1698 return NULL;
1699 }
1700 return s;
1701 }
1702
1703 /*
1704 * Generate code to load into the X register the sum of the length of
1705 * the IPv4 header and the variable part of the offset of the link-layer
1706 * payload.
1707 */
1708 static struct slist *
1709 gen_loadx_iphdrlen()
1710 {
1711 struct slist *s, *s2;
1712
1713 s = gen_abs_offset_varpart(&off_linkpl);
1714 if (s != NULL) {
1715 /*
1716 * The offset of the link-layer payload has a variable
1717 * part. "s" points to a list of statements that put
1718 * the variable part of that offset into the X register.
1719 *
1720 * The 4*([k]&0xf) addressing mode can't be used, as we
1721 * don't have a constant offset, so we have to load the
1722 * value in question into the A register and add to it
1723 * the value from the X register.
1724 */
1725 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1726 s2->s.k = off_linkpl.constant_part + off_nl;
1727 sappend(s, s2);
1728 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1729 s2->s.k = 0xf;
1730 sappend(s, s2);
1731 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1732 s2->s.k = 2;
1733 sappend(s, s2);
1734
1735 /*
1736 * The A register now contains the length of the IP header.
1737 * We need to add to it the variable part of the offset of
1738 * the link-layer payload, which is still in the X
1739 * register, and move the result into the X register.
1740 */
1741 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1742 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1743 } else {
1744 /*
1745 * The offset of the link-layer payload is a constant,
1746 * so no code was generated to load the (non-existent)
1747 * variable part of that offset.
1748 *
1749 * This means we can use the 4*([k]&0xf) addressing
1750 * mode. Load the length of the IPv4 header, which
1751 * is at an offset of off_nl from the beginning of
1752 * the link-layer payload, and thus at an offset of
1753 * off_linkpl.constant_part + off_nl from the beginning
1754 * of the raw packet data, using that addressing mode.
1755 */
1756 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1757 s->s.k = off_linkpl.constant_part + off_nl;
1758 }
1759 return s;
1760 }
1761
1762 static struct block *
1763 gen_uncond(rsense)
1764 int rsense;
1765 {
1766 struct block *b;
1767 struct slist *s;
1768
1769 s = new_stmt(BPF_LD|BPF_IMM);
1770 s->s.k = !rsense;
1771 b = new_block(JMP(BPF_JEQ));
1772 b->stmts = s;
1773
1774 return b;
1775 }
1776
1777 static inline struct block *
1778 gen_true()
1779 {
1780 return gen_uncond(1);
1781 }
1782
1783 static inline struct block *
1784 gen_false()
1785 {
1786 return gen_uncond(0);
1787 }
1788
1789 /*
1790 * Byte-swap a 32-bit number.
1791 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1792 * big-endian platforms.)
1793 */
1794 #define SWAPLONG(y) \
1795 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1796
1797 /*
1798 * Generate code to match a particular packet type.
1799 *
1800 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1801 * value, if <= ETHERMTU. We use that to determine whether to
1802 * match the type/length field or to check the type/length field for
1803 * a value <= ETHERMTU to see whether it's a type field and then do
1804 * the appropriate test.
1805 */
1806 static struct block *
1807 gen_ether_linktype(proto)
1808 register int proto;
1809 {
1810 struct block *b0, *b1;
1811
1812 switch (proto) {
1813
1814 case LLCSAP_ISONS:
1815 case LLCSAP_IP:
1816 case LLCSAP_NETBEUI:
1817 /*
1818 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1819 * so we check the DSAP and SSAP.
1820 *
1821 * LLCSAP_IP checks for IP-over-802.2, rather
1822 * than IP-over-Ethernet or IP-over-SNAP.
1823 *
1824 * XXX - should we check both the DSAP and the
1825 * SSAP, like this, or should we check just the
1826 * DSAP, as we do for other types <= ETHERMTU
1827 * (i.e., other SAP values)?
1828 */
1829 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1830 gen_not(b0);
1831 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)
1832 ((proto << 8) | proto));
1833 gen_and(b0, b1);
1834 return b1;
1835
1836 case LLCSAP_IPX:
1837 /*
1838 * Check for;
1839 *
1840 * Ethernet_II frames, which are Ethernet
1841 * frames with a frame type of ETHERTYPE_IPX;
1842 *
1843 * Ethernet_802.3 frames, which are 802.3
1844 * frames (i.e., the type/length field is
1845 * a length field, <= ETHERMTU, rather than
1846 * a type field) with the first two bytes
1847 * after the Ethernet/802.3 header being
1848 * 0xFFFF;
1849 *
1850 * Ethernet_802.2 frames, which are 802.3
1851 * frames with an 802.2 LLC header and
1852 * with the IPX LSAP as the DSAP in the LLC
1853 * header;
1854 *
1855 * Ethernet_SNAP frames, which are 802.3
1856 * frames with an LLC header and a SNAP
1857 * header and with an OUI of 0x000000
1858 * (encapsulated Ethernet) and a protocol
1859 * ID of ETHERTYPE_IPX in the SNAP header.
1860 *
1861 * XXX - should we generate the same code both
1862 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1863 */
1864
1865 /*
1866 * This generates code to check both for the
1867 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1868 */
1869 b0 = gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1870 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
1871 gen_or(b0, b1);
1872
1873 /*
1874 * Now we add code to check for SNAP frames with
1875 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1876 */
1877 b0 = gen_snap(0x000000, ETHERTYPE_IPX);
1878 gen_or(b0, b1);
1879
1880 /*
1881 * Now we generate code to check for 802.3
1882 * frames in general.
1883 */
1884 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1885 gen_not(b0);
1886
1887 /*
1888 * Now add the check for 802.3 frames before the
1889 * check for Ethernet_802.2 and Ethernet_802.3,
1890 * as those checks should only be done on 802.3
1891 * frames, not on Ethernet frames.
1892 */
1893 gen_and(b0, b1);
1894
1895 /*
1896 * Now add the check for Ethernet_II frames, and
1897 * do that before checking for the other frame
1898 * types.
1899 */
1900 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1901 gen_or(b0, b1);
1902 return b1;
1903
1904 case ETHERTYPE_ATALK:
1905 case ETHERTYPE_AARP:
1906 /*
1907 * EtherTalk (AppleTalk protocols on Ethernet link
1908 * layer) may use 802.2 encapsulation.
1909 */
1910
1911 /*
1912 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1913 * we check for an Ethernet type field less than
1914 * 1500, which means it's an 802.3 length field.
1915 */
1916 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1917 gen_not(b0);
1918
1919 /*
1920 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1921 * SNAP packets with an organization code of
1922 * 0x080007 (Apple, for Appletalk) and a protocol
1923 * type of ETHERTYPE_ATALK (Appletalk).
1924 *
1925 * 802.2-encapsulated ETHERTYPE_AARP packets are
1926 * SNAP packets with an organization code of
1927 * 0x000000 (encapsulated Ethernet) and a protocol
1928 * type of ETHERTYPE_AARP (Appletalk ARP).
1929 */
1930 if (proto == ETHERTYPE_ATALK)
1931 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
1932 else /* proto == ETHERTYPE_AARP */
1933 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
1934 gen_and(b0, b1);
1935
1936 /*
1937 * Check for Ethernet encapsulation (Ethertalk
1938 * phase 1?); we just check for the Ethernet
1939 * protocol type.
1940 */
1941 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
1942
1943 gen_or(b0, b1);
1944 return b1;
1945
1946 default:
1947 if (proto <= ETHERMTU) {
1948 /*
1949 * This is an LLC SAP value, so the frames
1950 * that match would be 802.2 frames.
1951 * Check that the frame is an 802.2 frame
1952 * (i.e., that the length/type field is
1953 * a length field, <= ETHERMTU) and
1954 * then check the DSAP.
1955 */
1956 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1957 gen_not(b0);
1958 b1 = gen_cmp(OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto);
1959 gen_and(b0, b1);
1960 return b1;
1961 } else {
1962 /*
1963 * This is an Ethernet type, so compare
1964 * the length/type field with it (if
1965 * the frame is an 802.2 frame, the length
1966 * field will be <= ETHERMTU, and, as
1967 * "proto" is > ETHERMTU, this test
1968 * will fail and the frame won't match,
1969 * which is what we want).
1970 */
1971 return gen_cmp(OR_LINKTYPE, 0, BPF_H,
1972 (bpf_int32)proto);
1973 }
1974 }
1975 }
1976
1977 /*
1978 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
1979 * or IPv6 then we have an error.
1980 */
1981 static struct block *
1982 gen_ipnet_linktype(proto)
1983 register int proto;
1984 {
1985 switch (proto) {
1986
1987 case ETHERTYPE_IP:
1988 return gen_cmp(OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET);
1989 /* NOTREACHED */
1990
1991 case ETHERTYPE_IPV6:
1992 return gen_cmp(OR_LINKTYPE, 0, BPF_B,
1993 (bpf_int32)IPH_AF_INET6);
1994 /* NOTREACHED */
1995
1996 default:
1997 break;
1998 }
1999
2000 return gen_false();
2001 }
2002
2003 /*
2004 * Generate code to match a particular packet type.
2005 *
2006 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2007 * value, if <= ETHERMTU. We use that to determine whether to
2008 * match the type field or to check the type field for the special
2009 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2010 */
2011 static struct block *
2012 gen_linux_sll_linktype(proto)
2013 register int proto;
2014 {
2015 struct block *b0, *b1;
2016
2017 switch (proto) {
2018
2019 case LLCSAP_ISONS:
2020 case LLCSAP_IP:
2021 case LLCSAP_NETBEUI:
2022 /*
2023 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2024 * so we check the DSAP and SSAP.
2025 *
2026 * LLCSAP_IP checks for IP-over-802.2, rather
2027 * than IP-over-Ethernet or IP-over-SNAP.
2028 *
2029 * XXX - should we check both the DSAP and the
2030 * SSAP, like this, or should we check just the
2031 * DSAP, as we do for other types <= ETHERMTU
2032 * (i.e., other SAP values)?
2033 */
2034 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2035 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)
2036 ((proto << 8) | proto));
2037 gen_and(b0, b1);
2038 return b1;
2039
2040 case LLCSAP_IPX:
2041 /*
2042 * Ethernet_II frames, which are Ethernet
2043 * frames with a frame type of ETHERTYPE_IPX;
2044 *
2045 * Ethernet_802.3 frames, which have a frame
2046 * type of LINUX_SLL_P_802_3;
2047 *
2048 * Ethernet_802.2 frames, which are 802.3
2049 * frames with an 802.2 LLC header (i.e, have
2050 * a frame type of LINUX_SLL_P_802_2) and
2051 * with the IPX LSAP as the DSAP in the LLC
2052 * header;
2053 *
2054 * Ethernet_SNAP frames, which are 802.3
2055 * frames with an LLC header and a SNAP
2056 * header and with an OUI of 0x000000
2057 * (encapsulated Ethernet) and a protocol
2058 * ID of ETHERTYPE_IPX in the SNAP header.
2059 *
2060 * First, do the checks on LINUX_SLL_P_802_2
2061 * frames; generate the check for either
2062 * Ethernet_802.2 or Ethernet_SNAP frames, and
2063 * then put a check for LINUX_SLL_P_802_2 frames
2064 * before it.
2065 */
2066 b0 = gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2067 b1 = gen_snap(0x000000, ETHERTYPE_IPX);
2068 gen_or(b0, b1);
2069 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2070 gen_and(b0, b1);
2071
2072 /*
2073 * Now check for 802.3 frames and OR that with
2074 * the previous test.
2075 */
2076 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2077 gen_or(b0, b1);
2078
2079 /*
2080 * Now add the check for Ethernet_II frames, and
2081 * do that before checking for the other frame
2082 * types.
2083 */
2084 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
2085 gen_or(b0, b1);
2086 return b1;
2087
2088 case ETHERTYPE_ATALK:
2089 case ETHERTYPE_AARP:
2090 /*
2091 * EtherTalk (AppleTalk protocols on Ethernet link
2092 * layer) may use 802.2 encapsulation.
2093 */
2094
2095 /*
2096 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2097 * we check for the 802.2 protocol type in the
2098 * "Ethernet type" field.
2099 */
2100 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2101
2102 /*
2103 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2104 * SNAP packets with an organization code of
2105 * 0x080007 (Apple, for Appletalk) and a protocol
2106 * type of ETHERTYPE_ATALK (Appletalk).
2107 *
2108 * 802.2-encapsulated ETHERTYPE_AARP packets are
2109 * SNAP packets with an organization code of
2110 * 0x000000 (encapsulated Ethernet) and a protocol
2111 * type of ETHERTYPE_AARP (Appletalk ARP).
2112 */
2113 if (proto == ETHERTYPE_ATALK)
2114 b1 = gen_snap(0x080007, ETHERTYPE_ATALK);
2115 else /* proto == ETHERTYPE_AARP */
2116 b1 = gen_snap(0x000000, ETHERTYPE_AARP);
2117 gen_and(b0, b1);
2118
2119 /*
2120 * Check for Ethernet encapsulation (Ethertalk
2121 * phase 1?); we just check for the Ethernet
2122 * protocol type.
2123 */
2124 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2125
2126 gen_or(b0, b1);
2127 return b1;
2128
2129 default:
2130 if (proto <= ETHERMTU) {
2131 /*
2132 * This is an LLC SAP value, so the frames
2133 * that match would be 802.2 frames.
2134 * Check for the 802.2 protocol type
2135 * in the "Ethernet type" field, and
2136 * then check the DSAP.
2137 */
2138 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2139 b1 = gen_cmp(OR_LINKHDR, off_linkpl.constant_part, BPF_B,
2140 (bpf_int32)proto);
2141 gen_and(b0, b1);
2142 return b1;
2143 } else {
2144 /*
2145 * This is an Ethernet type, so compare
2146 * the length/type field with it (if
2147 * the frame is an 802.2 frame, the length
2148 * field will be <= ETHERMTU, and, as
2149 * "proto" is > ETHERMTU, this test
2150 * will fail and the frame won't match,
2151 * which is what we want).
2152 */
2153 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2154 }
2155 }
2156 }
2157
2158 static struct slist *
2159 gen_load_prism_llprefixlen()
2160 {
2161 struct slist *s1, *s2;
2162 struct slist *sjeq_avs_cookie;
2163 struct slist *sjcommon;
2164
2165 /*
2166 * This code is not compatible with the optimizer, as
2167 * we are generating jmp instructions within a normal
2168 * slist of instructions
2169 */
2170 no_optimize = 1;
2171
2172 /*
2173 * Generate code to load the length of the radio header into
2174 * the register assigned to hold that length, if one has been
2175 * assigned. (If one hasn't been assigned, no code we've
2176 * generated uses that prefix, so we don't need to generate any
2177 * code to load it.)
2178 *
2179 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2180 * or always use the AVS header rather than the Prism header.
2181 * We load a 4-byte big-endian value at the beginning of the
2182 * raw packet data, and see whether, when masked with 0xFFFFF000,
2183 * it's equal to 0x80211000. If so, that indicates that it's
2184 * an AVS header (the masked-out bits are the version number).
2185 * Otherwise, it's a Prism header.
2186 *
2187 * XXX - the Prism header is also, in theory, variable-length,
2188 * but no known software generates headers that aren't 144
2189 * bytes long.
2190 */
2191 if (off_linkhdr.reg != -1) {
2192 /*
2193 * Load the cookie.
2194 */
2195 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2196 s1->s.k = 0;
2197
2198 /*
2199 * AND it with 0xFFFFF000.
2200 */
2201 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
2202 s2->s.k = 0xFFFFF000;
2203 sappend(s1, s2);
2204
2205 /*
2206 * Compare with 0x80211000.
2207 */
2208 sjeq_avs_cookie = new_stmt(JMP(BPF_JEQ));
2209 sjeq_avs_cookie->s.k = 0x80211000;
2210 sappend(s1, sjeq_avs_cookie);
2211
2212 /*
2213 * If it's AVS:
2214 *
2215 * The 4 bytes at an offset of 4 from the beginning of
2216 * the AVS header are the length of the AVS header.
2217 * That field is big-endian.
2218 */
2219 s2 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2220 s2->s.k = 4;
2221 sappend(s1, s2);
2222 sjeq_avs_cookie->s.jt = s2;
2223
2224 /*
2225 * Now jump to the code to allocate a register
2226 * into which to save the header length and
2227 * store the length there. (The "jump always"
2228 * instruction needs to have the k field set;
2229 * it's added to the PC, so, as we're jumping
2230 * over a single instruction, it should be 1.)
2231 */
2232 sjcommon = new_stmt(JMP(BPF_JA));
2233 sjcommon->s.k = 1;
2234 sappend(s1, sjcommon);
2235
2236 /*
2237 * Now for the code that handles the Prism header.
2238 * Just load the length of the Prism header (144)
2239 * into the A register. Have the test for an AVS
2240 * header branch here if we don't have an AVS header.
2241 */
2242 s2 = new_stmt(BPF_LD|BPF_W|BPF_IMM);
2243 s2->s.k = 144;
2244 sappend(s1, s2);
2245 sjeq_avs_cookie->s.jf = s2;
2246
2247 /*
2248 * Now allocate a register to hold that value and store
2249 * it. The code for the AVS header will jump here after
2250 * loading the length of the AVS header.
2251 */
2252 s2 = new_stmt(BPF_ST);
2253 s2->s.k = off_linkhdr.reg;
2254 sappend(s1, s2);
2255 sjcommon->s.jf = s2;
2256
2257 /*
2258 * Now move it into the X register.
2259 */
2260 s2 = new_stmt(BPF_MISC|BPF_TAX);
2261 sappend(s1, s2);
2262
2263 return (s1);
2264 } else
2265 return (NULL);
2266 }
2267
2268 static struct slist *
2269 gen_load_avs_llprefixlen()
2270 {
2271 struct slist *s1, *s2;
2272
2273 /*
2274 * Generate code to load the length of the AVS header into
2275 * the register assigned to hold that length, if one has been
2276 * assigned. (If one hasn't been assigned, no code we've
2277 * generated uses that prefix, so we don't need to generate any
2278 * code to load it.)
2279 */
2280 if (off_linkhdr.reg != -1) {
2281 /*
2282 * The 4 bytes at an offset of 4 from the beginning of
2283 * the AVS header are the length of the AVS header.
2284 * That field is big-endian.
2285 */
2286 s1 = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2287 s1->s.k = 4;
2288
2289 /*
2290 * Now allocate a register to hold that value and store
2291 * it.
2292 */
2293 s2 = new_stmt(BPF_ST);
2294 s2->s.k = off_linkhdr.reg;
2295 sappend(s1, s2);
2296
2297 /*
2298 * Now move it into the X register.
2299 */
2300 s2 = new_stmt(BPF_MISC|BPF_TAX);
2301 sappend(s1, s2);
2302
2303 return (s1);
2304 } else
2305 return (NULL);
2306 }
2307
2308 static struct slist *
2309 gen_load_radiotap_llprefixlen()
2310 {
2311 struct slist *s1, *s2;
2312
2313 /*
2314 * Generate code to load the length of the radiotap header into
2315 * the register assigned to hold that length, if one has been
2316 * assigned. (If one hasn't been assigned, no code we've
2317 * generated uses that prefix, so we don't need to generate any
2318 * code to load it.)
2319 */
2320 if (off_linkhdr.reg != -1) {
2321 /*
2322 * The 2 bytes at offsets of 2 and 3 from the beginning
2323 * of the radiotap header are the length of the radiotap
2324 * header; unfortunately, it's little-endian, so we have
2325 * to load it a byte at a time and construct the value.
2326 */
2327
2328 /*
2329 * Load the high-order byte, at an offset of 3, shift it
2330 * left a byte, and put the result in the X register.
2331 */
2332 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2333 s1->s.k = 3;
2334 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2335 sappend(s1, s2);
2336 s2->s.k = 8;
2337 s2 = new_stmt(BPF_MISC|BPF_TAX);
2338 sappend(s1, s2);
2339
2340 /*
2341 * Load the next byte, at an offset of 2, and OR the
2342 * value from the X register into it.
2343 */
2344 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2345 sappend(s1, s2);
2346 s2->s.k = 2;
2347 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2348 sappend(s1, s2);
2349
2350 /*
2351 * Now allocate a register to hold that value and store
2352 * it.
2353 */
2354 s2 = new_stmt(BPF_ST);
2355 s2->s.k = off_linkhdr.reg;
2356 sappend(s1, s2);
2357
2358 /*
2359 * Now move it into the X register.
2360 */
2361 s2 = new_stmt(BPF_MISC|BPF_TAX);
2362 sappend(s1, s2);
2363
2364 return (s1);
2365 } else
2366 return (NULL);
2367 }
2368
2369 /*
2370 * At the moment we treat PPI as normal Radiotap encoded
2371 * packets. The difference is in the function that generates
2372 * the code at the beginning to compute the header length.
2373 * Since this code generator of PPI supports bare 802.11
2374 * encapsulation only (i.e. the encapsulated DLT should be
2375 * DLT_IEEE802_11) we generate code to check for this too;
2376 * that's done in finish_parse().
2377 */
2378 static struct slist *
2379 gen_load_ppi_llprefixlen()
2380 {
2381 struct slist *s1, *s2;
2382
2383 /*
2384 * Generate code to load the length of the radiotap header
2385 * into the register assigned to hold that length, if one has
2386 * been assigned.
2387 */
2388 if (off_linkhdr.reg != -1) {
2389 /*
2390 * The 2 bytes at offsets of 2 and 3 from the beginning
2391 * of the radiotap header are the length of the radiotap
2392 * header; unfortunately, it's little-endian, so we have
2393 * to load it a byte at a time and construct the value.
2394 */
2395
2396 /*
2397 * Load the high-order byte, at an offset of 3, shift it
2398 * left a byte, and put the result in the X register.
2399 */
2400 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2401 s1->s.k = 3;
2402 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2403 sappend(s1, s2);
2404 s2->s.k = 8;
2405 s2 = new_stmt(BPF_MISC|BPF_TAX);
2406 sappend(s1, s2);
2407
2408 /*
2409 * Load the next byte, at an offset of 2, and OR the
2410 * value from the X register into it.
2411 */
2412 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2413 sappend(s1, s2);
2414 s2->s.k = 2;
2415 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2416 sappend(s1, s2);
2417
2418 /*
2419 * Now allocate a register to hold that value and store
2420 * it.
2421 */
2422 s2 = new_stmt(BPF_ST);
2423 s2->s.k = off_linkhdr.reg;
2424 sappend(s1, s2);
2425
2426 /*
2427 * Now move it into the X register.
2428 */
2429 s2 = new_stmt(BPF_MISC|BPF_TAX);
2430 sappend(s1, s2);
2431
2432 return (s1);
2433 } else
2434 return (NULL);
2435 }
2436
2437 /*
2438 * Load a value relative to the beginning of the link-layer header after the 802.11
2439 * header, i.e. LLC_SNAP.
2440 * The link-layer header doesn't necessarily begin at the beginning
2441 * of the packet data; there might be a variable-length prefix containing
2442 * radio information.
2443 */
2444 static struct slist *
2445 gen_load_802_11_header_len(struct slist *s, struct slist *snext)
2446 {
2447 struct slist *s2;
2448 struct slist *sjset_data_frame_1;
2449 struct slist *sjset_data_frame_2;
2450 struct slist *sjset_qos;
2451 struct slist *sjset_radiotap_flags;
2452 struct slist *sjset_radiotap_tsft;
2453 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2454 struct slist *s_roundup;
2455
2456 if (off_linkpl.reg == -1) {
2457 /*
2458 * No register has been assigned to the offset of
2459 * the link-layer payload, which means nobody needs
2460 * it; don't bother computing it - just return
2461 * what we already have.
2462 */
2463 return (s);
2464 }
2465
2466 /*
2467 * This code is not compatible with the optimizer, as
2468 * we are generating jmp instructions within a normal
2469 * slist of instructions
2470 */
2471 no_optimize = 1;
2472
2473 /*
2474 * If "s" is non-null, it has code to arrange that the X register
2475 * contains the length of the prefix preceding the link-layer
2476 * header.
2477 *
2478 * Otherwise, the length of the prefix preceding the link-layer
2479 * header is "off_outermostlinkhdr.constant_part".
2480 */
2481 if (s == NULL) {
2482 /*
2483 * There is no variable-length header preceding the
2484 * link-layer header.
2485 *
2486 * Load the length of the fixed-length prefix preceding
2487 * the link-layer header (if any) into the X register,
2488 * and store it in the off_linkpl.reg register.
2489 * That length is off_outermostlinkhdr.constant_part.
2490 */
2491 s = new_stmt(BPF_LDX|BPF_IMM);
2492 s->s.k = off_outermostlinkhdr.constant_part;
2493 }
2494
2495 /*
2496 * The X register contains the offset of the beginning of the
2497 * link-layer header; add 24, which is the minimum length
2498 * of the MAC header for a data frame, to that, and store it
2499 * in off_linkpl.reg, and then load the Frame Control field,
2500 * which is at the offset in the X register, with an indexed load.
2501 */
2502 s2 = new_stmt(BPF_MISC|BPF_TXA);
2503 sappend(s, s2);
2504 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
2505 s2->s.k = 24;
2506 sappend(s, s2);
2507 s2 = new_stmt(BPF_ST);
2508 s2->s.k = off_linkpl.reg;
2509 sappend(s, s2);
2510
2511 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
2512 s2->s.k = 0;
2513 sappend(s, s2);
2514
2515 /*
2516 * Check the Frame Control field to see if this is a data frame;
2517 * a data frame has the 0x08 bit (b3) in that field set and the
2518 * 0x04 bit (b2) clear.
2519 */
2520 sjset_data_frame_1 = new_stmt(JMP(BPF_JSET));
2521 sjset_data_frame_1->s.k = 0x08;
2522 sappend(s, sjset_data_frame_1);
2523
2524 /*
2525 * If b3 is set, test b2, otherwise go to the first statement of
2526 * the rest of the program.
2527 */
2528 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(JMP(BPF_JSET));
2529 sjset_data_frame_2->s.k = 0x04;
2530 sappend(s, sjset_data_frame_2);
2531 sjset_data_frame_1->s.jf = snext;
2532
2533 /*
2534 * If b2 is not set, this is a data frame; test the QoS bit.
2535 * Otherwise, go to the first statement of the rest of the
2536 * program.
2537 */
2538 sjset_data_frame_2->s.jt = snext;
2539 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(JMP(BPF_JSET));
2540 sjset_qos->s.k = 0x80; /* QoS bit */
2541 sappend(s, sjset_qos);
2542
2543 /*
2544 * If it's set, add 2 to off_linkpl.reg, to skip the QoS
2545 * field.
2546 * Otherwise, go to the first statement of the rest of the
2547 * program.
2548 */
2549 sjset_qos->s.jt = s2 = new_stmt(BPF_LD|BPF_MEM);
2550 s2->s.k = off_linkpl.reg;
2551 sappend(s, s2);
2552 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2553 s2->s.k = 2;
2554 sappend(s, s2);
2555 s2 = new_stmt(BPF_ST);
2556 s2->s.k = off_linkpl.reg;
2557 sappend(s, s2);
2558
2559 /*
2560 * If we have a radiotap header, look at it to see whether
2561 * there's Atheros padding between the MAC-layer header
2562 * and the payload.
2563 *
2564 * Note: all of the fields in the radiotap header are
2565 * little-endian, so we byte-swap all of the values
2566 * we test against, as they will be loaded as big-endian
2567 * values.
2568 */
2569 if (linktype == DLT_IEEE802_11_RADIO) {
2570 /*
2571 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2572 * in the presence flag?
2573 */
2574 sjset_qos->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_W);
2575 s2->s.k = 4;
2576 sappend(s, s2);
2577
2578 sjset_radiotap_flags = new_stmt(JMP(BPF_JSET));
2579 sjset_radiotap_flags->s.k = SWAPLONG(0x00000002);
2580 sappend(s, sjset_radiotap_flags);
2581
2582 /*
2583 * If not, skip all of this.
2584 */
2585 sjset_radiotap_flags->s.jf = snext;
2586
2587 /*
2588 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2589 */
2590 sjset_radiotap_tsft = sjset_radiotap_flags->s.jt =
2591 new_stmt(JMP(BPF_JSET));
2592 sjset_radiotap_tsft->s.k = SWAPLONG(0x00000001);
2593 sappend(s, sjset_radiotap_tsft);
2594
2595 /*
2596 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2597 * at an offset of 16 from the beginning of the raw packet
2598 * data (8 bytes for the radiotap header and 8 bytes for
2599 * the TSFT field).
2600 *
2601 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2602 * is set.
2603 */
2604 sjset_radiotap_tsft->s.jt = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2605 s2->s.k = 16;
2606 sappend(s, s2);
2607
2608 sjset_tsft_datapad = new_stmt(JMP(BPF_JSET));
2609 sjset_tsft_datapad->s.k = 0x20;
2610 sappend(s, sjset_tsft_datapad);
2611
2612 /*
2613 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2614 * at an offset of 8 from the beginning of the raw packet
2615 * data (8 bytes for the radiotap header).
2616 *
2617 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2618 * is set.
2619 */
2620 sjset_radiotap_tsft->s.jf = s2 = new_stmt(BPF_LD|BPF_ABS|BPF_B);
2621 s2->s.k = 8;
2622 sappend(s, s2);
2623
2624 sjset_notsft_datapad = new_stmt(JMP(BPF_JSET));
2625 sjset_notsft_datapad->s.k = 0x20;
2626 sappend(s, sjset_notsft_datapad);
2627
2628 /*
2629 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2630 * set, round the length of the 802.11 header to
2631 * a multiple of 4. Do that by adding 3 and then
2632 * dividing by and multiplying by 4, which we do by
2633 * ANDing with ~3.
2634 */
2635 s_roundup = new_stmt(BPF_LD|BPF_MEM);
2636 s_roundup->s.k = off_linkpl.reg;
2637 sappend(s, s_roundup);
2638 s2 = new_stmt(BPF_ALU|BPF_ADD|BPF_IMM);
2639 s2->s.k = 3;
2640 sappend(s, s2);
2641 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_IMM);
2642 s2->s.k = ~3;
2643 sappend(s, s2);
2644 s2 = new_stmt(BPF_ST);
2645 s2->s.k = off_linkpl.reg;
2646 sappend(s, s2);
2647
2648 sjset_tsft_datapad->s.jt = s_roundup;
2649 sjset_tsft_datapad->s.jf = snext;
2650 sjset_notsft_datapad->s.jt = s_roundup;
2651 sjset_notsft_datapad->s.jf = snext;
2652 } else
2653 sjset_qos->s.jf = snext;
2654
2655 return s;
2656 }
2657
2658 static void
2659 insert_compute_vloffsets(b)
2660 struct block *b;
2661 {
2662 struct slist *s;
2663
2664 /* There is an implicit dependency between the link
2665 * payload and link header since the payload computation
2666 * includes the variable part of the header. Therefore,
2667 * if nobody else has allocated a register for the link
2668 * header and we need it, do it now. */
2669 if (off_linkpl.reg != -1 && off_linkhdr.is_variable &&
2670 off_linkhdr.reg == -1)
2671 off_linkhdr.reg = alloc_reg();
2672
2673 /*
2674 * For link-layer types that have a variable-length header
2675 * preceding the link-layer header, generate code to load
2676 * the offset of the link-layer header into the register
2677 * assigned to that offset, if any.
2678 *
2679 * XXX - this, and the next switch statement, won't handle
2680 * encapsulation of 802.11 or 802.11+radio information in
2681 * some other protocol stack. That's significantly more
2682 * complicated.
2683 */
2684 switch (outermostlinktype) {
2685
2686 case DLT_PRISM_HEADER:
2687 s = gen_load_prism_llprefixlen();
2688 break;
2689
2690 case DLT_IEEE802_11_RADIO_AVS:
2691 s = gen_load_avs_llprefixlen();
2692 break;
2693
2694 case DLT_IEEE802_11_RADIO:
2695 s = gen_load_radiotap_llprefixlen();
2696 break;
2697
2698 case DLT_PPI:
2699 s = gen_load_ppi_llprefixlen();
2700 break;
2701
2702 default:
2703 s = NULL;
2704 break;
2705 }
2706
2707 /*
2708 * For link-layer types that have a variable-length link-layer
2709 * header, generate code to load the offset of the link-layer
2710 * payload into the register assigned to that offset, if any.
2711 */
2712 switch (outermostlinktype) {
2713
2714 case DLT_IEEE802_11:
2715 case DLT_PRISM_HEADER:
2716 case DLT_IEEE802_11_RADIO_AVS:
2717 case DLT_IEEE802_11_RADIO:
2718 case DLT_PPI:
2719 s = gen_load_802_11_header_len(s, b->stmts);
2720 break;
2721 }
2722
2723 /*
2724 * If we have any offset-loading code, append all the
2725 * existing statements in the block to those statements,
2726 * and make the resulting list the list of statements
2727 * for the block.
2728 */
2729 if (s != NULL) {
2730 sappend(s, b->stmts);
2731 b->stmts = s;
2732 }
2733 }
2734
2735 static struct block *
2736 gen_ppi_dlt_check(void)
2737 {
2738 struct slist *s_load_dlt;
2739 struct block *b;
2740
2741 if (linktype == DLT_PPI)
2742 {
2743 /* Create the statements that check for the DLT
2744 */
2745 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2746 s_load_dlt->s.k = 4;
2747
2748 b = new_block(JMP(BPF_JEQ));
2749
2750 b->stmts = s_load_dlt;
2751 b->s.k = SWAPLONG(DLT_IEEE802_11);
2752 }
2753 else
2754 {
2755 b = NULL;
2756 }
2757
2758 return b;
2759 }
2760
2761 /*
2762 * Take an absolute offset, and:
2763 *
2764 * if it has no variable part, return NULL;
2765 *
2766 * if it has a variable part, generate code to load the register
2767 * containing that variable part into the X register, returning
2768 * a pointer to that code - if no register for that offset has
2769 * been allocated, allocate it first.
2770 *
2771 * (The code to set that register will be generated later, but will
2772 * be placed earlier in the code sequence.)
2773 */
2774 static struct slist *
2775 gen_abs_offset_varpart(bpf_abs_offset *off)
2776 {
2777 struct slist *s;
2778
2779 if (off->is_variable) {
2780 if (off->reg == -1) {
2781 /*
2782 * We haven't yet assigned a register for the
2783 * variable part of the offset of the link-layer
2784 * header; allocate one.
2785 */
2786 off->reg = alloc_reg();
2787 }
2788
2789 /*
2790 * Load the register containing the variable part of the
2791 * offset of the link-layer header into the X register.
2792 */
2793 s = new_stmt(BPF_LDX|BPF_MEM);
2794 s->s.k = off->reg;
2795 return s;
2796 } else {
2797 /*
2798 * That offset isn't variable, there's no variable part,
2799 * so we don't need to generate any code.
2800 */
2801 return NULL;
2802 }
2803 }
2804
2805 /*
2806 * Map an Ethernet type to the equivalent PPP type.
2807 */
2808 static int
2809 ethertype_to_ppptype(proto)
2810 int proto;
2811 {
2812 switch (proto) {
2813
2814 case ETHERTYPE_IP:
2815 proto = PPP_IP;
2816 break;
2817
2818 case ETHERTYPE_IPV6:
2819 proto = PPP_IPV6;
2820 break;
2821
2822 case ETHERTYPE_DN:
2823 proto = PPP_DECNET;
2824 break;
2825
2826 case ETHERTYPE_ATALK:
2827 proto = PPP_APPLE;
2828 break;
2829
2830 case ETHERTYPE_NS:
2831 proto = PPP_NS;
2832 break;
2833
2834 case LLCSAP_ISONS:
2835 proto = PPP_OSI;
2836 break;
2837
2838 case LLCSAP_8021D:
2839 /*
2840 * I'm assuming the "Bridging PDU"s that go
2841 * over PPP are Spanning Tree Protocol
2842 * Bridging PDUs.
2843 */
2844 proto = PPP_BRPDU;
2845 break;
2846
2847 case LLCSAP_IPX:
2848 proto = PPP_IPX;
2849 break;
2850 }
2851 return (proto);
2852 }
2853
2854 /*
2855 * Generate any tests that, for encapsulation of a link-layer packet
2856 * inside another protocol stack, need to be done to check for those
2857 * link-layer packets (and that haven't already been done by a check
2858 * for that encapsulation).
2859 */
2860 static struct block *
2861 gen_prevlinkhdr_check(void)
2862 {
2863 struct block *b0;
2864
2865 if (is_geneve)
2866 return gen_geneve_ll_check();
2867
2868 switch (prevlinktype) {
2869
2870 case DLT_SUNATM:
2871 /*
2872 * This is LANE-encapsulated Ethernet; check that the LANE
2873 * packet doesn't begin with an LE Control marker, i.e.
2874 * that it's data, not a control message.
2875 *
2876 * (We've already generated a test for LANE.)
2877 */
2878 b0 = gen_cmp(OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
2879 gen_not(b0);
2880 return b0;
2881
2882 default:
2883 /*
2884 * No such tests are necessary.
2885 */
2886 return NULL;
2887 }
2888 /*NOTREACHED*/
2889 }
2890
2891 /*
2892 * Generate code to match a particular packet type by matching the
2893 * link-layer type field or fields in the 802.2 LLC header.
2894 *
2895 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2896 * value, if <= ETHERMTU.
2897 */
2898 static struct block *
2899 gen_linktype(proto)
2900 register int proto;
2901 {
2902 struct block *b0, *b1, *b2;
2903 const char *description;
2904
2905 /* are we checking MPLS-encapsulated packets? */
2906 if (label_stack_depth > 0) {
2907 switch (proto) {
2908 case ETHERTYPE_IP:
2909 case PPP_IP:
2910 /* FIXME add other L3 proto IDs */
2911 return gen_mpls_linktype(Q_IP);
2912
2913 case ETHERTYPE_IPV6:
2914 case PPP_IPV6:
2915 /* FIXME add other L3 proto IDs */
2916 return gen_mpls_linktype(Q_IPV6);
2917
2918 default:
2919 bpf_error("unsupported protocol over mpls");
2920 /* NOTREACHED */
2921 }
2922 }
2923
2924 switch (linktype) {
2925
2926 case DLT_EN10MB:
2927 case DLT_NETANALYZER:
2928 case DLT_NETANALYZER_TRANSPARENT:
2929 /* Geneve has an EtherType regardless of whether there is an
2930 * L2 header. */
2931 if (!is_geneve)
2932 b0 = gen_prevlinkhdr_check();
2933 else
2934 b0 = NULL;
2935
2936 b1 = gen_ether_linktype(proto);
2937 if (b0 != NULL)
2938 gen_and(b0, b1);
2939 return b1;
2940 /*NOTREACHED*/
2941 break;
2942
2943 case DLT_C_HDLC:
2944 switch (proto) {
2945
2946 case LLCSAP_ISONS:
2947 proto = (proto << 8 | LLCSAP_ISONS);
2948 /* fall through */
2949
2950 default:
2951 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2952 /*NOTREACHED*/
2953 break;
2954 }
2955 break;
2956
2957 case DLT_IEEE802_11:
2958 case DLT_PRISM_HEADER:
2959 case DLT_IEEE802_11_RADIO_AVS:
2960 case DLT_IEEE802_11_RADIO:
2961 case DLT_PPI:
2962 /*
2963 * Check that we have a data frame.
2964 */
2965 b0 = gen_check_802_11_data_frame();
2966
2967 /*
2968 * Now check for the specified link-layer type.
2969 */
2970 b1 = gen_llc_linktype(proto);
2971 gen_and(b0, b1);
2972 return b1;
2973 /*NOTREACHED*/
2974 break;
2975
2976 case DLT_FDDI:
2977 /*
2978 * XXX - check for LLC frames.
2979 */
2980 return gen_llc_linktype(proto);
2981 /*NOTREACHED*/
2982 break;
2983
2984 case DLT_IEEE802:
2985 /*
2986 * XXX - check for LLC PDUs, as per IEEE 802.5.
2987 */
2988 return gen_llc_linktype(proto);
2989 /*NOTREACHED*/
2990 break;
2991
2992 case DLT_ATM_RFC1483:
2993 case DLT_ATM_CLIP:
2994 case DLT_IP_OVER_FC:
2995 return gen_llc_linktype(proto);
2996 /*NOTREACHED*/
2997 break;
2998
2999 case DLT_SUNATM:
3000 /*
3001 * Check for an LLC-encapsulated version of this protocol;
3002 * if we were checking for LANE, linktype would no longer
3003 * be DLT_SUNATM.
3004 *
3005 * Check for LLC encapsulation and then check the protocol.
3006 */
3007 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3008 b1 = gen_llc_linktype(proto);
3009 gen_and(b0, b1);
3010 return b1;
3011 /*NOTREACHED*/
3012 break;
3013
3014 case DLT_LINUX_SLL:
3015 return gen_linux_sll_linktype(proto);
3016 /*NOTREACHED*/
3017 break;
3018
3019 case DLT_SLIP:
3020 case DLT_SLIP_BSDOS:
3021 case DLT_RAW:
3022 /*
3023 * These types don't provide any type field; packets
3024 * are always IPv4 or IPv6.
3025 *
3026 * XXX - for IPv4, check for a version number of 4, and,
3027 * for IPv6, check for a version number of 6?
3028 */
3029 switch (proto) {
3030
3031 case ETHERTYPE_IP:
3032 /* Check for a version number of 4. */
3033 return gen_mcmp(OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3034
3035 case ETHERTYPE_IPV6:
3036 /* Check for a version number of 6. */
3037 return gen_mcmp(OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3038
3039 default:
3040 return gen_false(); /* always false */
3041 }
3042 /*NOTREACHED*/
3043 break;
3044
3045 case DLT_IPV4:
3046 /*
3047 * Raw IPv4, so no type field.
3048 */
3049 if (proto == ETHERTYPE_IP)
3050 return gen_true(); /* always true */
3051
3052 /* Checking for something other than IPv4; always false */
3053 return gen_false();
3054 /*NOTREACHED*/
3055 break;
3056
3057 case DLT_IPV6:
3058 /*
3059 * Raw IPv6, so no type field.
3060 */
3061 if (proto == ETHERTYPE_IPV6)
3062 return gen_true(); /* always true */
3063
3064 /* Checking for something other than IPv6; always false */
3065 return gen_false();
3066 /*NOTREACHED*/
3067 break;
3068
3069 case DLT_PPP:
3070 case DLT_PPP_PPPD:
3071 case DLT_PPP_SERIAL:
3072 case DLT_PPP_ETHER:
3073 /*
3074 * We use Ethernet protocol types inside libpcap;
3075 * map them to the corresponding PPP protocol types.
3076 */
3077 proto = ethertype_to_ppptype(proto);
3078 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3079 /*NOTREACHED*/
3080 break;
3081
3082 case DLT_PPP_BSDOS:
3083 /*
3084 * We use Ethernet protocol types inside libpcap;
3085 * map them to the corresponding PPP protocol types.
3086 */
3087 switch (proto) {
3088
3089 case ETHERTYPE_IP:
3090 /*
3091 * Also check for Van Jacobson-compressed IP.
3092 * XXX - do this for other forms of PPP?
3093 */
3094 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_IP);
3095 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3096 gen_or(b0, b1);
3097 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3098 gen_or(b1, b0);
3099 return b0;
3100
3101 default:
3102 proto = ethertype_to_ppptype(proto);
3103 return gen_cmp(OR_LINKTYPE, 0, BPF_H,
3104 (bpf_int32)proto);
3105 }
3106 /*NOTREACHED*/
3107 break;
3108
3109 case DLT_NULL:
3110 case DLT_LOOP:
3111 case DLT_ENC:
3112 /*
3113 * For DLT_NULL, the link-layer header is a 32-bit
3114 * word containing an AF_ value in *host* byte order,
3115 * and for DLT_ENC, the link-layer header begins
3116 * with a 32-bit work containing an AF_ value in
3117 * host byte order.
3118 *
3119 * In addition, if we're reading a saved capture file,
3120 * the host byte order in the capture may not be the
3121 * same as the host byte order on this machine.
3122 *
3123 * For DLT_LOOP, the link-layer header is a 32-bit
3124 * word containing an AF_ value in *network* byte order.
3125 *
3126 * XXX - AF_ values may, unfortunately, be platform-
3127 * dependent; for example, FreeBSD's AF_INET6 is 24
3128 * whilst NetBSD's and OpenBSD's is 26.
3129 *
3130 * This means that, when reading a capture file, just
3131 * checking for our AF_INET6 value won't work if the
3132 * capture file came from another OS.
3133 */
3134 switch (proto) {
3135
3136 case ETHERTYPE_IP:
3137 proto = AF_INET;
3138 break;
3139
3140 #ifdef INET6
3141 case ETHERTYPE_IPV6:
3142 proto = AF_INET6;
3143 break;
3144 #endif
3145
3146 default:
3147 /*
3148 * Not a type on which we support filtering.
3149 * XXX - support those that have AF_ values
3150 * #defined on this platform, at least?
3151 */
3152 return gen_false();
3153 }
3154
3155 if (linktype == DLT_NULL || linktype == DLT_ENC) {
3156 /*
3157 * The AF_ value is in host byte order, but
3158 * the BPF interpreter will convert it to
3159 * network byte order.
3160 *
3161 * If this is a save file, and it's from a
3162 * machine with the opposite byte order to
3163 * ours, we byte-swap the AF_ value.
3164 *
3165 * Then we run it through "htonl()", and
3166 * generate code to compare against the result.
3167 */
3168 if (bpf_pcap->rfile != NULL && bpf_pcap->swapped)
3169 proto = SWAPLONG(proto);
3170 proto = htonl(proto);
3171 }
3172 return (gen_cmp(OR_LINKHDR, 0, BPF_W, (bpf_int32)proto));
3173
3174 #ifdef HAVE_NET_PFVAR_H
3175 case DLT_PFLOG:
3176 /*
3177 * af field is host byte order in contrast to the rest of
3178 * the packet.
3179 */
3180 if (proto == ETHERTYPE_IP)
3181 return (gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, af),
3182 BPF_B, (bpf_int32)AF_INET));
3183 else if (proto == ETHERTYPE_IPV6)
3184 return (gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, af),
3185 BPF_B, (bpf_int32)AF_INET6));
3186 else
3187 return gen_false();
3188 /*NOTREACHED*/
3189 break;
3190 #endif /* HAVE_NET_PFVAR_H */
3191
3192 case DLT_ARCNET:
3193 case DLT_ARCNET_LINUX:
3194 /*
3195 * XXX should we check for first fragment if the protocol
3196 * uses PHDS?
3197 */
3198 switch (proto) {
3199
3200 default:
3201 return gen_false();
3202
3203 case ETHERTYPE_IPV6:
3204 return (gen_cmp(OR_LINKTYPE, 0, BPF_B,
3205 (bpf_int32)ARCTYPE_INET6));
3206
3207 case ETHERTYPE_IP:
3208 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_B,
3209 (bpf_int32)ARCTYPE_IP);
3210 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_B,
3211 (bpf_int32)ARCTYPE_IP_OLD);
3212 gen_or(b0, b1);
3213 return (b1);
3214
3215 case ETHERTYPE_ARP:
3216 b0 = gen_cmp(OR_LINKTYPE, 0, BPF_B,
3217 (bpf_int32)ARCTYPE_ARP);
3218 b1 = gen_cmp(OR_LINKTYPE, 0, BPF_B,
3219 (bpf_int32)ARCTYPE_ARP_OLD);
3220 gen_or(b0, b1);
3221 return (b1);
3222
3223 case ETHERTYPE_REVARP:
3224 return (gen_cmp(OR_LINKTYPE, 0, BPF_B,
3225 (bpf_int32)ARCTYPE_REVARP));
3226
3227 case ETHERTYPE_ATALK:
3228 return (gen_cmp(OR_LINKTYPE, 0, BPF_B,
3229 (bpf_int32)ARCTYPE_ATALK));
3230 }
3231 /*NOTREACHED*/
3232 break;
3233
3234 case DLT_LTALK:
3235 switch (proto) {
3236 case ETHERTYPE_ATALK:
3237 return gen_true();
3238 default:
3239 return gen_false();
3240 }
3241 /*NOTREACHED*/
3242 break;
3243
3244 case DLT_FRELAY:
3245 /*
3246 * XXX - assumes a 2-byte Frame Relay header with
3247 * DLCI and flags. What if the address is longer?
3248 */
3249 switch (proto) {
3250
3251 case ETHERTYPE_IP:
3252 /*
3253 * Check for the special NLPID for IP.
3254 */
3255 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3256
3257 case ETHERTYPE_IPV6:
3258 /*
3259 * Check for the special NLPID for IPv6.
3260 */
3261 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3262
3263 case LLCSAP_ISONS:
3264 /*
3265 * Check for several OSI protocols.
3266 *
3267 * Frame Relay packets typically have an OSI
3268 * NLPID at the beginning; we check for each
3269 * of them.
3270 *
3271 * What we check for is the NLPID and a frame
3272 * control field of UI, i.e. 0x03 followed
3273 * by the NLPID.
3274 */
3275 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3276 b1 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3277 b2 = gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3278 gen_or(b1, b2);
3279 gen_or(b0, b2);
3280 return b2;
3281
3282 default:
3283 return gen_false();
3284 }
3285 /*NOTREACHED*/
3286 break;
3287
3288 case DLT_MFR:
3289 bpf_error("Multi-link Frame Relay link-layer type filtering not implemented");
3290
3291 case DLT_JUNIPER_MFR:
3292 case DLT_JUNIPER_MLFR:
3293 case DLT_JUNIPER_MLPPP:
3294 case DLT_JUNIPER_ATM1:
3295 case DLT_JUNIPER_ATM2:
3296 case DLT_JUNIPER_PPPOE:
3297 case DLT_JUNIPER_PPPOE_ATM:
3298 case DLT_JUNIPER_GGSN:
3299 case DLT_JUNIPER_ES:
3300 case DLT_JUNIPER_MONITOR:
3301 case DLT_JUNIPER_SERVICES:
3302 case DLT_JUNIPER_ETHER:
3303 case DLT_JUNIPER_PPP:
3304 case DLT_JUNIPER_FRELAY:
3305 case DLT_JUNIPER_CHDLC:
3306 case DLT_JUNIPER_VP:
3307 case DLT_JUNIPER_ST:
3308 case DLT_JUNIPER_ISM:
3309 case DLT_JUNIPER_VS:
3310 case DLT_JUNIPER_SRX_E2E:
3311 case DLT_JUNIPER_FIBRECHANNEL:
3312 case DLT_JUNIPER_ATM_CEMIC:
3313
3314 /* just lets verify the magic number for now -
3315 * on ATM we may have up to 6 different encapsulations on the wire
3316 * and need a lot of heuristics to figure out that the payload
3317 * might be;
3318 *
3319 * FIXME encapsulation specific BPF_ filters
3320 */
3321 return gen_mcmp(OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3322
3323 case DLT_BACNET_MS_TP:
3324 return gen_mcmp(OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3325
3326 case DLT_IPNET:
3327 return gen_ipnet_linktype(proto);
3328
3329 case DLT_LINUX_IRDA:
3330 bpf_error("IrDA link-layer type filtering not implemented");
3331
3332 case DLT_DOCSIS:
3333 bpf_error("DOCSIS link-layer type filtering not implemented");
3334
3335 case DLT_MTP2:
3336 case DLT_MTP2_WITH_PHDR:
3337 bpf_error("MTP2 link-layer type filtering not implemented");
3338
3339 case DLT_ERF:
3340 bpf_error("ERF link-layer type filtering not implemented");
3341
3342 case DLT_PFSYNC:
3343 bpf_error("PFSYNC link-layer type filtering not implemented");
3344
3345 case DLT_LINUX_LAPD:
3346 bpf_error("LAPD link-layer type filtering not implemented");
3347
3348 case DLT_USB:
3349 case DLT_USB_LINUX:
3350 case DLT_USB_LINUX_MMAPPED:
3351 bpf_error("USB link-layer type filtering not implemented");
3352
3353 case DLT_BLUETOOTH_HCI_H4:
3354 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3355 bpf_error("Bluetooth link-layer type filtering not implemented");
3356
3357 case DLT_CAN20B:
3358 case DLT_CAN_SOCKETCAN:
3359 bpf_error("CAN link-layer type filtering not implemented");
3360
3361 case DLT_IEEE802_15_4:
3362 case DLT_IEEE802_15_4_LINUX:
3363 case DLT_IEEE802_15_4_NONASK_PHY:
3364 case DLT_IEEE802_15_4_NOFCS:
3365 bpf_error("IEEE 802.15.4 link-layer type filtering not implemented");
3366
3367 case DLT_IEEE802_16_MAC_CPS_RADIO:
3368 bpf_error("IEEE 802.16 link-layer type filtering not implemented");
3369
3370 case DLT_SITA:
3371 bpf_error("SITA link-layer type filtering not implemented");
3372
3373 case DLT_RAIF1:
3374 bpf_error("RAIF1 link-layer type filtering not implemented");
3375
3376 case DLT_IPMB:
3377 bpf_error("IPMB link-layer type filtering not implemented");
3378
3379 case DLT_AX25_KISS:
3380 bpf_error("AX.25 link-layer type filtering not implemented");
3381
3382 case DLT_NFLOG:
3383 /* Using the fixed-size NFLOG header it is possible to tell only
3384 * the address family of the packet, other meaningful data is
3385 * either missing or behind TLVs.
3386 */
3387 bpf_error("NFLOG link-layer type filtering not implemented");
3388
3389 default:
3390 /*
3391 * Does this link-layer header type have a field
3392 * indicating the type of the next protocol? If
3393 * so, off_linktype.constant_part will be the offset of that
3394 * field in the packet; if not, it will be -1.
3395 */
3396 if (off_linktype.constant_part != (u_int)-1) {
3397 /*
3398 * Yes; assume it's an Ethernet type. (If
3399 * it's not, it needs to be handled specially
3400 * above.)
3401 */
3402 return gen_cmp(OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3403 } else {
3404 /*
3405 * No; report an error.
3406 */
3407 description = pcap_datalink_val_to_description(linktype);
3408 if (description != NULL) {
3409 bpf_error("%s link-layer type filtering not implemented",
3410 description);
3411 } else {
3412 bpf_error("DLT %u link-layer type filtering not implemented",
3413 linktype);
3414 }
3415 }
3416 break;
3417 }
3418 }
3419
3420 /*
3421 * Check for an LLC SNAP packet with a given organization code and
3422 * protocol type; we check the entire contents of the 802.2 LLC and
3423 * snap headers, checking for DSAP and SSAP of SNAP and a control
3424 * field of 0x03 in the LLC header, and for the specified organization
3425 * code and protocol type in the SNAP header.
3426 */
3427 static struct block *
3428 gen_snap(orgcode, ptype)
3429 bpf_u_int32 orgcode;
3430 bpf_u_int32 ptype;
3431 {
3432 u_char snapblock[8];
3433
3434 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3435 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3436 snapblock[2] = 0x03; /* control = UI */
3437 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3438 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3439 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3440 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3441 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3442 return gen_bcmp(OR_LLC, 0, 8, snapblock);
3443 }
3444
3445 /*
3446 * Generate code to match frames with an LLC header.
3447 */
3448 struct block *
3449 gen_llc(void)
3450 {
3451 struct block *b0, *b1;
3452
3453 switch (linktype) {
3454
3455 case DLT_EN10MB:
3456 /*
3457 * We check for an Ethernet type field less than
3458 * 1500, which means it's an 802.3 length field.
3459 */
3460 b0 = gen_cmp_gt(OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3461 gen_not(b0);
3462
3463 /*
3464 * Now check for the purported DSAP and SSAP not being
3465 * 0xFF, to rule out NetWare-over-802.3.
3466 */
3467 b1 = gen_cmp(OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
3468 gen_not(b1);
3469 gen_and(b0, b1);
3470 return b1;
3471
3472 case DLT_SUNATM:
3473 /*
3474 * We check for LLC traffic.
3475 */
3476 b0 = gen_atmtype_abbrev(A_LLC);
3477 return b0;
3478
3479 case DLT_IEEE802: /* Token Ring */
3480 /*
3481 * XXX - check for LLC frames.
3482 */
3483 return gen_true();
3484
3485 case DLT_FDDI:
3486 /*
3487 * XXX - check for LLC frames.
3488 */
3489 return gen_true();
3490
3491 case DLT_ATM_RFC1483:
3492 /*
3493 * For LLC encapsulation, these are defined to have an
3494 * 802.2 LLC header.
3495 *
3496 * For VC encapsulation, they don't, but there's no
3497 * way to check for that; the protocol used on the VC
3498 * is negotiated out of band.
3499 */
3500 return gen_true();
3501
3502 case DLT_IEEE802_11:
3503 case DLT_PRISM_HEADER:
3504 case DLT_IEEE802_11_RADIO:
3505 case DLT_IEEE802_11_RADIO_AVS:
3506 case DLT_PPI:
3507 /*
3508 * Check that we have a data frame.
3509 */
3510 b0 = gen_check_802_11_data_frame();
3511 return b0;
3512
3513 default:
3514 bpf_error("'llc' not supported for linktype %d", linktype);
3515 /* NOTREACHED */
3516 }
3517 }
3518
3519 struct block *
3520 gen_llc_i(void)
3521 {
3522 struct block *b0, *b1;
3523 struct slist *s;
3524
3525 /*
3526 * Check whether this is an LLC frame.
3527 */
3528 b0 = gen_llc();
3529
3530 /*
3531 * Load the control byte and test the low-order bit; it must
3532 * be clear for I frames.
3533 */
3534 s = gen_load_a(OR_LLC, 2, BPF_B);
3535 b1 = new_block(JMP(BPF_JSET));
3536 b1->s.k = 0x01;
3537 b1->stmts = s;
3538 gen_not(b1);
3539 gen_and(b0, b1);
3540 return b1;
3541 }
3542
3543 struct block *
3544 gen_llc_s(void)
3545 {
3546 struct block *b0, *b1;
3547
3548 /*
3549 * Check whether this is an LLC frame.
3550 */
3551 b0 = gen_llc();
3552
3553 /*
3554 * Now compare the low-order 2 bit of the control byte against
3555 * the appropriate value for S frames.
3556 */
3557 b1 = gen_mcmp(OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3558 gen_and(b0, b1);
3559 return b1;
3560 }
3561
3562 struct block *
3563 gen_llc_u(void)
3564 {
3565 struct block *b0, *b1;
3566
3567 /*
3568 * Check whether this is an LLC frame.
3569 */
3570 b0 = gen_llc();
3571
3572 /*
3573 * Now compare the low-order 2 bit of the control byte against
3574 * the appropriate value for U frames.
3575 */
3576 b1 = gen_mcmp(OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3577 gen_and(b0, b1);
3578 return b1;
3579 }
3580
3581 struct block *
3582 gen_llc_s_subtype(bpf_u_int32 subtype)
3583 {
3584 struct block *b0, *b1;
3585
3586 /*
3587 * Check whether this is an LLC frame.
3588 */
3589 b0 = gen_llc();
3590
3591 /*
3592 * Now check for an S frame with the appropriate type.
3593 */
3594 b1 = gen_mcmp(OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3595 gen_and(b0, b1);
3596 return b1;
3597 }
3598
3599 struct block *
3600 gen_llc_u_subtype(bpf_u_int32 subtype)
3601 {
3602 struct block *b0, *b1;
3603
3604 /*
3605 * Check whether this is an LLC frame.
3606 */
3607 b0 = gen_llc();
3608
3609 /*
3610 * Now check for a U frame with the appropriate type.
3611 */
3612 b1 = gen_mcmp(OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3613 gen_and(b0, b1);
3614 return b1;
3615 }
3616
3617 /*
3618 * Generate code to match a particular packet type, for link-layer types
3619 * using 802.2 LLC headers.
3620 *
3621 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3622 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3623 *
3624 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3625 * value, if <= ETHERMTU. We use that to determine whether to
3626 * match the DSAP or both DSAP and LSAP or to check the OUI and
3627 * protocol ID in a SNAP header.
3628 */
3629 static struct block *
3630 gen_llc_linktype(proto)
3631 int proto;
3632 {
3633 /*
3634 * XXX - handle token-ring variable-length header.
3635 */
3636 switch (proto) {
3637
3638 case LLCSAP_IP:
3639 case LLCSAP_ISONS:
3640 case LLCSAP_NETBEUI:
3641 /*
3642 * XXX - should we check both the DSAP and the
3643 * SSAP, like this, or should we check just the
3644 * DSAP, as we do for other SAP values?
3645 */
3646 return gen_cmp(OR_LLC, 0, BPF_H, (bpf_u_int32)
3647 ((proto << 8) | proto));
3648
3649 case LLCSAP_IPX:
3650 /*
3651 * XXX - are there ever SNAP frames for IPX on
3652 * non-Ethernet 802.x networks?
3653 */
3654 return gen_cmp(OR_LLC, 0, BPF_B,
3655 (bpf_int32)LLCSAP_IPX);
3656
3657 case ETHERTYPE_ATALK:
3658 /*
3659 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3660 * SNAP packets with an organization code of
3661 * 0x080007 (Apple, for Appletalk) and a protocol
3662 * type of ETHERTYPE_ATALK (Appletalk).
3663 *
3664 * XXX - check for an organization code of
3665 * encapsulated Ethernet as well?
3666 */
3667 return gen_snap(0x080007, ETHERTYPE_ATALK);
3668
3669 default:
3670 /*
3671 * XXX - we don't have to check for IPX 802.3
3672 * here, but should we check for the IPX Ethertype?
3673 */
3674 if (proto <= ETHERMTU) {
3675 /*
3676 * This is an LLC SAP value, so check
3677 * the DSAP.
3678 */
3679 return gen_cmp(OR_LLC, 0, BPF_B, (bpf_int32)proto);
3680 } else {
3681 /*
3682 * This is an Ethernet type; we assume that it's
3683 * unlikely that it'll appear in the right place
3684 * at random, and therefore check only the
3685 * location that would hold the Ethernet type
3686 * in a SNAP frame with an organization code of
3687 * 0x000000 (encapsulated Ethernet).
3688 *
3689 * XXX - if we were to check for the SNAP DSAP and
3690 * LSAP, as per XXX, and were also to check for an
3691 * organization code of 0x000000 (encapsulated
3692 * Ethernet), we'd do
3693 *
3694 * return gen_snap(0x000000, proto);
3695 *
3696 * here; for now, we don't, as per the above.
3697 * I don't know whether it's worth the extra CPU
3698 * time to do the right check or not.
3699 */
3700 return gen_cmp(OR_LLC, 6, BPF_H, (bpf_int32)proto);
3701 }
3702 }
3703 }
3704
3705 static struct block *
3706 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
3707 bpf_u_int32 addr;
3708 bpf_u_int32 mask;
3709 int dir, proto;
3710 u_int src_off, dst_off;
3711 {
3712 struct block *b0, *b1;
3713 u_int offset;
3714
3715 switch (dir) {
3716
3717 case Q_SRC:
3718 offset = src_off;
3719 break;
3720
3721 case Q_DST:
3722 offset = dst_off;
3723 break;
3724
3725 case Q_AND:
3726 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3727 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3728 gen_and(b0, b1);
3729 return b1;
3730
3731 case Q_OR:
3732 case Q_DEFAULT:
3733 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
3734 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
3735 gen_or(b0, b1);
3736 return b1;
3737
3738 default:
3739 abort();
3740 }
3741 b0 = gen_linktype(proto);
3742 b1 = gen_mcmp(OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask);
3743 gen_and(b0, b1);
3744 return b1;
3745 }
3746
3747 #ifdef INET6
3748 static struct block *
3749 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
3750 struct in6_addr *addr;
3751 struct in6_addr *mask;
3752 int dir, proto;
3753 u_int src_off, dst_off;
3754 {
3755 struct block *b0, *b1;
3756 u_int offset;
3757 u_int32_t *a, *m;
3758
3759 switch (dir) {
3760
3761 case Q_SRC:
3762 offset = src_off;
3763 break;
3764
3765 case Q_DST:
3766 offset = dst_off;
3767 break;
3768
3769 case Q_AND:
3770 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3771 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3772 gen_and(b0, b1);
3773 return b1;
3774
3775 case Q_OR:
3776 case Q_DEFAULT:
3777 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
3778 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
3779 gen_or(b0, b1);
3780 return b1;
3781
3782 default:
3783 abort();
3784 }
3785 /* this order is important */
3786 a = (u_int32_t *)addr;
3787 m = (u_int32_t *)mask;
3788 b1 = gen_mcmp(OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3789 b0 = gen_mcmp(OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3790 gen_and(b0, b1);
3791 b0 = gen_mcmp(OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3792 gen_and(b0, b1);
3793 b0 = gen_mcmp(OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3794 gen_and(b0, b1);
3795 b0 = gen_linktype(proto);
3796 gen_and(b0, b1);
3797 return b1;
3798 }
3799 #endif
3800
3801 static struct block *
3802 gen_ehostop(eaddr, dir)
3803 register const u_char *eaddr;
3804 register int dir;
3805 {
3806 register struct block *b0, *b1;
3807
3808 switch (dir) {
3809 case Q_SRC:
3810 return gen_bcmp(OR_LINKHDR, 6, 6, eaddr);
3811
3812 case Q_DST:
3813 return gen_bcmp(OR_LINKHDR, 0, 6, eaddr);
3814
3815 case Q_AND:
3816 b0 = gen_ehostop(eaddr, Q_SRC);
3817 b1 = gen_ehostop(eaddr, Q_DST);
3818 gen_and(b0, b1);
3819 return b1;
3820
3821 case Q_DEFAULT:
3822 case Q_OR:
3823 b0 = gen_ehostop(eaddr, Q_SRC);
3824 b1 = gen_ehostop(eaddr, Q_DST);
3825 gen_or(b0, b1);
3826 return b1;
3827
3828 case Q_ADDR1:
3829 bpf_error("'addr1' is only supported on 802.11 with 802.11 headers");
3830 break;
3831
3832 case Q_ADDR2:
3833 bpf_error("'addr2' is only supported on 802.11 with 802.11 headers");
3834 break;
3835
3836 case Q_ADDR3:
3837 bpf_error("'addr3' is only supported on 802.11 with 802.11 headers");
3838 break;
3839
3840 case Q_ADDR4:
3841 bpf_error("'addr4' is only supported on 802.11 with 802.11 headers");
3842 break;
3843
3844 case Q_RA:
3845 bpf_error("'ra' is only supported on 802.11 with 802.11 headers");
3846 break;
3847
3848 case Q_TA:
3849 bpf_error("'ta' is only supported on 802.11 with 802.11 headers");
3850 break;
3851 }
3852 abort();
3853 /* NOTREACHED */
3854 }
3855
3856 /*
3857 * Like gen_ehostop, but for DLT_FDDI
3858 */
3859 static struct block *
3860 gen_fhostop(eaddr, dir)
3861 register const u_char *eaddr;
3862 register int dir;
3863 {
3864 struct block *b0, *b1;
3865
3866 switch (dir) {
3867 case Q_SRC:
3868 return gen_bcmp(OR_LINKHDR, 6 + 1 + pcap_fddipad, 6, eaddr);
3869
3870 case Q_DST:
3871 return gen_bcmp(OR_LINKHDR, 0 + 1 + pcap_fddipad, 6, eaddr);
3872
3873 case Q_AND:
3874 b0 = gen_fhostop(eaddr, Q_SRC);
3875 b1 = gen_fhostop(eaddr, Q_DST);
3876 gen_and(b0, b1);
3877 return b1;
3878
3879 case Q_DEFAULT:
3880 case Q_OR:
3881 b0 = gen_fhostop(eaddr, Q_SRC);
3882 b1 = gen_fhostop(eaddr, Q_DST);
3883 gen_or(b0, b1);
3884 return b1;
3885
3886 case Q_ADDR1:
3887 bpf_error("'addr1' is only supported on 802.11");
3888 break;
3889
3890 case Q_ADDR2:
3891 bpf_error("'addr2' is only supported on 802.11");
3892 break;
3893
3894 case Q_ADDR3:
3895 bpf_error("'addr3' is only supported on 802.11");
3896 break;
3897
3898 case Q_ADDR4:
3899 bpf_error("'addr4' is only supported on 802.11");
3900 break;
3901
3902 case Q_RA:
3903 bpf_error("'ra' is only supported on 802.11");
3904 break;
3905
3906 case Q_TA:
3907 bpf_error("'ta' is only supported on 802.11");
3908 break;
3909 }
3910 abort();
3911 /* NOTREACHED */
3912 }
3913
3914 /*
3915 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3916 */
3917 static struct block *
3918 gen_thostop(eaddr, dir)
3919 register const u_char *eaddr;
3920 register int dir;
3921 {
3922 register struct block *b0, *b1;
3923
3924 switch (dir) {
3925 case Q_SRC:
3926 return gen_bcmp(OR_LINKHDR, 8, 6, eaddr);
3927
3928 case Q_DST:
3929 return gen_bcmp(OR_LINKHDR, 2, 6, eaddr);
3930
3931 case Q_AND:
3932 b0 = gen_thostop(eaddr, Q_SRC);
3933 b1 = gen_thostop(eaddr, Q_DST);
3934 gen_and(b0, b1);
3935 return b1;
3936
3937 case Q_DEFAULT:
3938 case Q_OR:
3939 b0 = gen_thostop(eaddr, Q_SRC);
3940 b1 = gen_thostop(eaddr, Q_DST);
3941 gen_or(b0, b1);
3942 return b1;
3943
3944 case Q_ADDR1:
3945 bpf_error("'addr1' is only supported on 802.11");
3946 break;
3947
3948 case Q_ADDR2:
3949 bpf_error("'addr2' is only supported on 802.11");
3950 break;
3951
3952 case Q_ADDR3:
3953 bpf_error("'addr3' is only supported on 802.11");
3954 break;
3955
3956 case Q_ADDR4:
3957 bpf_error("'addr4' is only supported on 802.11");
3958 break;
3959
3960 case Q_RA:
3961 bpf_error("'ra' is only supported on 802.11");
3962 break;
3963
3964 case Q_TA:
3965 bpf_error("'ta' is only supported on 802.11");
3966 break;
3967 }
3968 abort();
3969 /* NOTREACHED */
3970 }
3971
3972 /*
3973 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
3974 * various 802.11 + radio headers.
3975 */
3976 static struct block *
3977 gen_wlanhostop(eaddr, dir)
3978 register const u_char *eaddr;
3979 register int dir;
3980 {
3981 register struct block *b0, *b1, *b2;
3982 register struct slist *s;
3983
3984 #ifdef ENABLE_WLAN_FILTERING_PATCH
3985 /*
3986 * TODO GV 20070613
3987 * We need to disable the optimizer because the optimizer is buggy
3988 * and wipes out some LD instructions generated by the below
3989 * code to validate the Frame Control bits
3990 */
3991 no_optimize = 1;
3992 #endif /* ENABLE_WLAN_FILTERING_PATCH */
3993
3994 switch (dir) {
3995 case Q_SRC:
3996 /*
3997 * Oh, yuk.
3998 *
3999 * For control frames, there is no SA.
4000 *
4001 * For management frames, SA is at an
4002 * offset of 10 from the beginning of
4003 * the packet.
4004 *
4005 * For data frames, SA is at an offset
4006 * of 10 from the beginning of the packet
4007 * if From DS is clear, at an offset of
4008 * 16 from the beginning of the packet
4009 * if From DS is set and To DS is clear,
4010 * and an offset of 24 from the beginning
4011 * of the packet if From DS is set and To DS
4012 * is set.
4013 */
4014
4015 /*
4016 * Generate the tests to be done for data frames
4017 * with From DS set.
4018 *
4019 * First, check for To DS set, i.e. check "link[1] & 0x01".
4020 */
4021 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
4022 b1 = new_block(JMP(BPF_JSET));
4023 b1->s.k = 0x01; /* To DS */
4024 b1->stmts = s;
4025
4026 /*
4027 * If To DS is set, the SA is at 24.
4028 */
4029 b0 = gen_bcmp(OR_LINKHDR, 24, 6, eaddr);
4030 gen_and(b1, b0);
4031
4032 /*
4033 * Now, check for To DS not set, i.e. check
4034 * "!(link[1] & 0x01)".
4035 */
4036 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
4037 b2 = new_block(JMP(BPF_JSET));
4038 b2->s.k = 0x01; /* To DS */
4039 b2->stmts = s;
4040 gen_not(b2);
4041
4042 /*
4043 * If To DS is not set, the SA is at 16.
4044 */
4045 b1 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr);
4046 gen_and(b2, b1);
4047
4048 /*
4049 * Now OR together the last two checks. That gives
4050 * the complete set of checks for data frames with
4051 * From DS set.
4052 */
4053 gen_or(b1, b0);
4054
4055 /*
4056 * Now check for From DS being set, and AND that with
4057 * the ORed-together checks.
4058 */
4059 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
4060 b1 = new_block(JMP(BPF_JSET));
4061 b1->s.k = 0x02; /* From DS */
4062 b1->stmts = s;
4063 gen_and(b1, b0);
4064
4065 /*
4066 * Now check for data frames with From DS not set.
4067 */
4068 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
4069 b2 = new_block(JMP(BPF_JSET));
4070 b2->s.k = 0x02; /* From DS */
4071 b2->stmts = s;
4072 gen_not(b2);
4073
4074 /*
4075 * If From DS isn't set, the SA is at 10.
4076 */
4077 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr);
4078 gen_and(b2, b1);
4079
4080 /*
4081 * Now OR together the checks for data frames with
4082 * From DS not set and for data frames with From DS
4083 * set; that gives the checks done for data frames.
4084 */
4085 gen_or(b1, b0);
4086
4087 /*
4088 * Now check for a data frame.
4089 * I.e, check "link[0] & 0x08".
4090 */
4091 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4092 b1 = new_block(JMP(BPF_JSET));
4093 b1->s.k = 0x08;
4094 b1->stmts = s;
4095
4096 /*
4097 * AND that with the checks done for data frames.
4098 */
4099 gen_and(b1, b0);
4100
4101 /*
4102 * If the high-order bit of the type value is 0, this
4103 * is a management frame.
4104 * I.e, check "!(link[0] & 0x08)".
4105 */
4106 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4107 b2 = new_block(JMP(BPF_JSET));
4108 b2->s.k = 0x08;
4109 b2->stmts = s;
4110 gen_not(b2);
4111
4112 /*
4113 * For management frames, the SA is at 10.
4114 */
4115 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr);
4116 gen_and(b2, b1);
4117
4118 /*
4119 * OR that with the checks done for data frames.
4120 * That gives the checks done for management and
4121 * data frames.
4122 */
4123 gen_or(b1, b0);
4124
4125 /*
4126 * If the low-order bit of the type value is 1,
4127 * this is either a control frame or a frame
4128 * with a reserved type, and thus not a
4129 * frame with an SA.
4130 *
4131 * I.e., check "!(link[0] & 0x04)".
4132 */
4133 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4134 b1 = new_block(JMP(BPF_JSET));
4135 b1->s.k = 0x04;
4136 b1->stmts = s;
4137 gen_not(b1);
4138
4139 /*
4140 * AND that with the checks for data and management
4141 * frames.
4142 */
4143 gen_and(b1, b0);
4144 return b0;
4145
4146 case Q_DST:
4147 /*
4148 * Oh, yuk.
4149 *
4150 * For control frames, there is no DA.
4151 *
4152 * For management frames, DA is at an
4153 * offset of 4 from the beginning of
4154 * the packet.
4155 *
4156 * For data frames, DA is at an offset
4157 * of 4 from the beginning of the packet
4158 * if To DS is clear and at an offset of
4159 * 16 from the beginning of the packet
4160 * if To DS is set.
4161 */
4162
4163 /*
4164 * Generate the tests to be done for data frames.
4165 *
4166 * First, check for To DS set, i.e. "link[1] & 0x01".
4167 */
4168 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
4169 b1 = new_block(JMP(BPF_JSET));
4170 b1->s.k = 0x01; /* To DS */
4171 b1->stmts = s;
4172
4173 /*
4174 * If To DS is set, the DA is at 16.
4175 */
4176 b0 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr);
4177 gen_and(b1, b0);
4178
4179 /*
4180 * Now, check for To DS not set, i.e. check
4181 * "!(link[1] & 0x01)".
4182 */
4183 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
4184 b2 = new_block(JMP(BPF_JSET));
4185 b2->s.k = 0x01; /* To DS */
4186 b2->stmts = s;
4187 gen_not(b2);
4188
4189 /*
4190 * If To DS is not set, the DA is at 4.
4191 */
4192 b1 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr);
4193 gen_and(b2, b1);
4194
4195 /*
4196 * Now OR together the last two checks. That gives
4197 * the complete set of checks for data frames.
4198 */
4199 gen_or(b1, b0);
4200
4201 /*
4202 * Now check for a data frame.
4203 * I.e, check "link[0] & 0x08".
4204 */
4205 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4206 b1 = new_block(JMP(BPF_JSET));
4207 b1->s.k = 0x08;
4208 b1->stmts = s;
4209
4210 /*
4211 * AND that with the checks done for data frames.
4212 */
4213 gen_and(b1, b0);
4214
4215 /*
4216 * If the high-order bit of the type value is 0, this
4217 * is a management frame.
4218 * I.e, check "!(link[0] & 0x08)".
4219 */
4220 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4221 b2 = new_block(JMP(BPF_JSET));
4222 b2->s.k = 0x08;
4223 b2->stmts = s;
4224 gen_not(b2);
4225
4226 /*
4227 * For management frames, the DA is at 4.
4228 */
4229 b1 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr);
4230 gen_and(b2, b1);
4231
4232 /*
4233 * OR that with the checks done for data frames.
4234 * That gives the checks done for management and
4235 * data frames.
4236 */
4237 gen_or(b1, b0);
4238
4239 /*
4240 * If the low-order bit of the type value is 1,
4241 * this is either a control frame or a frame
4242 * with a reserved type, and thus not a
4243 * frame with an SA.
4244 *
4245 * I.e., check "!(link[0] & 0x04)".
4246 */
4247 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4248 b1 = new_block(JMP(BPF_JSET));
4249 b1->s.k = 0x04;
4250 b1->stmts = s;
4251 gen_not(b1);
4252
4253 /*
4254 * AND that with the checks for data and management
4255 * frames.
4256 */
4257 gen_and(b1, b0);
4258 return b0;
4259
4260 case Q_RA:
4261 /*
4262 * Not present in management frames; addr1 in other
4263 * frames.
4264 */
4265
4266 /*
4267 * If the high-order bit of the type value is 0, this
4268 * is a management frame.
4269 * I.e, check "(link[0] & 0x08)".
4270 */
4271 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4272 b1 = new_block(JMP(BPF_JSET));
4273 b1->s.k = 0x08;
4274 b1->stmts = s;
4275
4276 /*
4277 * Check addr1.
4278 */
4279 b0 = gen_bcmp(OR_LINKHDR, 4, 6, eaddr);
4280
4281 /*
4282 * AND that with the check of addr1.
4283 */
4284 gen_and(b1, b0);
4285 return (b0);
4286
4287 case Q_TA:
4288 /*
4289 * Not present in management frames; addr2, if present,
4290 * in other frames.
4291 */
4292
4293 /*
4294 * Not present in CTS or ACK control frames.
4295 */
4296 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4297 IEEE80211_FC0_TYPE_MASK);
4298 gen_not(b0);
4299 b1 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4300 IEEE80211_FC0_SUBTYPE_MASK);
4301 gen_not(b1);
4302 b2 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4303 IEEE80211_FC0_SUBTYPE_MASK);
4304 gen_not(b2);
4305 gen_and(b1, b2);
4306 gen_or(b0, b2);
4307
4308 /*
4309 * If the high-order bit of the type value is 0, this
4310 * is a management frame.
4311 * I.e, check "(link[0] & 0x08)".
4312 */
4313 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
4314 b1 = new_block(JMP(BPF_JSET));
4315 b1->s.k = 0x08;
4316 b1->stmts = s;
4317
4318 /*
4319 * AND that with the check for frames other than
4320 * CTS and ACK frames.
4321 */
4322 gen_and(b1, b2);
4323
4324 /*
4325 * Check addr2.
4326 */
4327 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr);
4328 gen_and(b2, b1);
4329 return b1;
4330
4331 /*
4332 * XXX - add BSSID keyword?
4333 */
4334 case Q_ADDR1:
4335 return (gen_bcmp(OR_LINKHDR, 4, 6, eaddr));
4336
4337 case Q_ADDR2:
4338 /*
4339 * Not present in CTS or ACK control frames.
4340 */
4341 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4342 IEEE80211_FC0_TYPE_MASK);
4343 gen_not(b0);
4344 b1 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4345 IEEE80211_FC0_SUBTYPE_MASK);
4346 gen_not(b1);
4347 b2 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4348 IEEE80211_FC0_SUBTYPE_MASK);
4349 gen_not(b2);
4350 gen_and(b1, b2);
4351 gen_or(b0, b2);
4352 b1 = gen_bcmp(OR_LINKHDR, 10, 6, eaddr);
4353 gen_and(b2, b1);
4354 return b1;
4355
4356 case Q_ADDR3:
4357 /*
4358 * Not present in control frames.
4359 */
4360 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4361 IEEE80211_FC0_TYPE_MASK);
4362 gen_not(b0);
4363 b1 = gen_bcmp(OR_LINKHDR, 16, 6, eaddr);
4364 gen_and(b0, b1);
4365 return b1;
4366
4367 case Q_ADDR4:
4368 /*
4369 * Present only if the direction mask has both "From DS"
4370 * and "To DS" set. Neither control frames nor management
4371 * frames should have both of those set, so we don't
4372 * check the frame type.
4373 */
4374 b0 = gen_mcmp(OR_LINKHDR, 1, BPF_B,
4375 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4376 b1 = gen_bcmp(OR_LINKHDR, 24, 6, eaddr);
4377 gen_and(b0, b1);
4378 return b1;
4379
4380 case Q_AND:
4381 b0 = gen_wlanhostop(eaddr, Q_SRC);
4382 b1 = gen_wlanhostop(eaddr, Q_DST);
4383 gen_and(b0, b1);
4384 return b1;
4385
4386 case Q_DEFAULT:
4387 case Q_OR:
4388 b0 = gen_wlanhostop(eaddr, Q_SRC);
4389 b1 = gen_wlanhostop(eaddr, Q_DST);
4390 gen_or(b0, b1);
4391 return b1;
4392 }
4393 abort();
4394 /* NOTREACHED */
4395 }
4396
4397 /*
4398 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4399 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4400 * as the RFC states.)
4401 */
4402 static struct block *
4403 gen_ipfchostop(eaddr, dir)
4404 register const u_char *eaddr;
4405 register int dir;
4406 {
4407 register struct block *b0, *b1;
4408
4409 switch (dir) {
4410 case Q_SRC:
4411 return gen_bcmp(OR_LINKHDR, 10, 6, eaddr);
4412
4413 case Q_DST:
4414 return gen_bcmp(OR_LINKHDR, 2, 6, eaddr);
4415
4416 case Q_AND:
4417 b0 = gen_ipfchostop(eaddr, Q_SRC);
4418 b1 = gen_ipfchostop(eaddr, Q_DST);
4419 gen_and(b0, b1);
4420 return b1;
4421
4422 case Q_DEFAULT:
4423 case Q_OR:
4424 b0 = gen_ipfchostop(eaddr, Q_SRC);
4425 b1 = gen_ipfchostop(eaddr, Q_DST);
4426 gen_or(b0, b1);
4427 return b1;
4428
4429 case Q_ADDR1:
4430 bpf_error("'addr1' is only supported on 802.11");
4431 break;
4432
4433 case Q_ADDR2:
4434 bpf_error("'addr2' is only supported on 802.11");
4435 break;
4436
4437 case Q_ADDR3:
4438 bpf_error("'addr3' is only supported on 802.11");
4439 break;
4440
4441 case Q_ADDR4:
4442 bpf_error("'addr4' is only supported on 802.11");
4443 break;
4444
4445 case Q_RA:
4446 bpf_error("'ra' is only supported on 802.11");
4447 break;
4448
4449 case Q_TA:
4450 bpf_error("'ta' is only supported on 802.11");
4451 break;
4452 }
4453 abort();
4454 /* NOTREACHED */
4455 }
4456
4457 /*
4458 * This is quite tricky because there may be pad bytes in front of the
4459 * DECNET header, and then there are two possible data packet formats that
4460 * carry both src and dst addresses, plus 5 packet types in a format that
4461 * carries only the src node, plus 2 types that use a different format and
4462 * also carry just the src node.
4463 *
4464 * Yuck.
4465 *
4466 * Instead of doing those all right, we just look for data packets with
4467 * 0 or 1 bytes of padding. If you want to look at other packets, that
4468 * will require a lot more hacking.
4469 *
4470 * To add support for filtering on DECNET "areas" (network numbers)
4471 * one would want to add a "mask" argument to this routine. That would
4472 * make the filter even more inefficient, although one could be clever
4473 * and not generate masking instructions if the mask is 0xFFFF.
4474 */
4475 static struct block *
4476 gen_dnhostop(addr, dir)
4477 bpf_u_int32 addr;
4478 int dir;
4479 {
4480 struct block *b0, *b1, *b2, *tmp;
4481 u_int offset_lh; /* offset if long header is received */
4482 u_int offset_sh; /* offset if short header is received */
4483
4484 switch (dir) {
4485
4486 case Q_DST:
4487 offset_sh = 1; /* follows flags */
4488 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4489 break;
4490
4491 case Q_SRC:
4492 offset_sh = 3; /* follows flags, dstnode */
4493 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4494 break;
4495
4496 case Q_AND:
4497 /* Inefficient because we do our Calvinball dance twice */
4498 b0 = gen_dnhostop(addr, Q_SRC);
4499 b1 = gen_dnhostop(addr, Q_DST);
4500 gen_and(b0, b1);
4501 return b1;
4502
4503 case Q_OR:
4504 case Q_DEFAULT:
4505 /* Inefficient because we do our Calvinball dance twice */
4506 b0 = gen_dnhostop(addr, Q_SRC);
4507 b1 = gen_dnhostop(addr, Q_DST);
4508 gen_or(b0, b1);
4509 return b1;
4510
4511 case Q_ISO:
4512 bpf_error("ISO host filtering not implemented");
4513
4514 default:
4515 abort();
4516 }
4517 b0 = gen_linktype(ETHERTYPE_DN);
4518 /* Check for pad = 1, long header case */
4519 tmp = gen_mcmp(OR_LINKPL, 2, BPF_H,
4520 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4521 b1 = gen_cmp(OR_LINKPL, 2 + 1 + offset_lh,
4522 BPF_H, (bpf_int32)ntohs((u_short)addr));
4523 gen_and(tmp, b1);
4524 /* Check for pad = 0, long header case */
4525 tmp = gen_mcmp(OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4526 b2 = gen_cmp(OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4527 gen_and(tmp, b2);
4528 gen_or(b2, b1);
4529 /* Check for pad = 1, short header case */
4530 tmp = gen_mcmp(OR_LINKPL, 2, BPF_H,
4531 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4532 b2 = gen_cmp(OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4533 gen_and(tmp, b2);
4534 gen_or(b2, b1);
4535 /* Check for pad = 0, short header case */
4536 tmp = gen_mcmp(OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4537 b2 = gen_cmp(OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4538 gen_and(tmp, b2);
4539 gen_or(b2, b1);
4540
4541 /* Combine with test for linktype */
4542 gen_and(b0, b1);
4543 return b1;
4544 }
4545
4546 /*
4547 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4548 * test the bottom-of-stack bit, and then check the version number
4549 * field in the IP header.
4550 */
4551 static struct block *
4552 gen_mpls_linktype(proto)
4553 int proto;
4554 {
4555 struct block *b0, *b1;
4556
4557 switch (proto) {
4558
4559 case Q_IP:
4560 /* match the bottom-of-stack bit */
4561 b0 = gen_mcmp(OR_LINKPL, -2, BPF_B, 0x01, 0x01);
4562 /* match the IPv4 version number */
4563 b1 = gen_mcmp(OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
4564 gen_and(b0, b1);
4565 return b1;
4566
4567 case Q_IPV6:
4568 /* match the bottom-of-stack bit */
4569 b0 = gen_mcmp(OR_LINKPL, -2, BPF_B, 0x01, 0x01);
4570 /* match the IPv4 version number */
4571 b1 = gen_mcmp(OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
4572 gen_and(b0, b1);
4573 return b1;
4574
4575 default:
4576 abort();
4577 }
4578 }
4579
4580 static struct block *
4581 gen_host(addr, mask, proto, dir, type)
4582 bpf_u_int32 addr;
4583 bpf_u_int32 mask;
4584 int proto;
4585 int dir;
4586 int type;
4587 {
4588 struct block *b0, *b1;
4589 const char *typestr;
4590
4591 if (type == Q_NET)
4592 typestr = "net";
4593 else
4594 typestr = "host";
4595
4596 switch (proto) {
4597
4598 case Q_DEFAULT:
4599 b0 = gen_host(addr, mask, Q_IP, dir, type);
4600 /*
4601 * Only check for non-IPv4 addresses if we're not
4602 * checking MPLS-encapsulated packets.
4603 */
4604 if (label_stack_depth == 0) {
4605 b1 = gen_host(addr, mask, Q_ARP, dir, type);
4606 gen_or(b0, b1);
4607 b0 = gen_host(addr, mask, Q_RARP, dir, type);
4608 gen_or(b1, b0);
4609 }
4610 return b0;
4611
4612 case Q_IP:
4613 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
4614
4615 case Q_RARP:
4616 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4617
4618 case Q_ARP:
4619 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4620
4621 case Q_TCP:
4622 bpf_error("'tcp' modifier applied to %s", typestr);
4623
4624 case Q_SCTP:
4625 bpf_error("'sctp' modifier applied to %s", typestr);
4626
4627 case Q_UDP:
4628 bpf_error("'udp' modifier applied to %s", typestr);
4629
4630 case Q_ICMP:
4631 bpf_error("'icmp' modifier applied to %s", typestr);
4632
4633 case Q_IGMP:
4634 bpf_error("'igmp' modifier applied to %s", typestr);
4635
4636 case Q_IGRP:
4637 bpf_error("'igrp' modifier applied to %s", typestr);
4638
4639 case Q_PIM:
4640 bpf_error("'pim' modifier applied to %s", typestr);
4641
4642 case Q_VRRP:
4643 bpf_error("'vrrp' modifier applied to %s", typestr);
4644
4645 case Q_CARP:
4646 bpf_error("'carp' modifier applied to %s", typestr);
4647
4648 case Q_ATALK:
4649 bpf_error("ATALK host filtering not implemented");
4650
4651 case Q_AARP:
4652 bpf_error("AARP host filtering not implemented");
4653
4654 case Q_DECNET:
4655 return gen_dnhostop(addr, dir);
4656
4657 case Q_SCA:
4658 bpf_error("SCA host filtering not implemented");
4659
4660 case Q_LAT:
4661 bpf_error("LAT host filtering not implemented");
4662
4663 case Q_MOPDL:
4664 bpf_error("MOPDL host filtering not implemented");
4665
4666 case Q_MOPRC:
4667 bpf_error("MOPRC host filtering not implemented");
4668
4669 case Q_IPV6:
4670 bpf_error("'ip6' modifier applied to ip host");
4671
4672 case Q_ICMPV6:
4673 bpf_error("'icmp6' modifier applied to %s", typestr);
4674
4675 case Q_AH:
4676 bpf_error("'ah' modifier applied to %s", typestr);
4677
4678 case Q_ESP:
4679 bpf_error("'esp' modifier applied to %s", typestr);
4680
4681 case Q_ISO:
4682 bpf_error("ISO host filtering not implemented");
4683
4684 case Q_ESIS:
4685 bpf_error("'esis' modifier applied to %s", typestr);
4686
4687 case Q_ISIS:
4688 bpf_error("'isis' modifier applied to %s", typestr);
4689
4690 case Q_CLNP:
4691 bpf_error("'clnp' modifier applied to %s", typestr);
4692
4693 case Q_STP:
4694 bpf_error("'stp' modifier applied to %s", typestr);
4695
4696 case Q_IPX:
4697 bpf_error("IPX host filtering not implemented");
4698
4699 case Q_NETBEUI:
4700 bpf_error("'netbeui' modifier applied to %s", typestr);
4701
4702 case Q_RADIO:
4703 bpf_error("'radio' modifier applied to %s", typestr);
4704
4705 default:
4706 abort();
4707 }
4708 /* NOTREACHED */
4709 }
4710
4711 #ifdef INET6
4712 static struct block *
4713 gen_host6(addr, mask, proto, dir, type)
4714 struct in6_addr *addr;
4715 struct in6_addr *mask;
4716 int proto;
4717 int dir;
4718 int type;
4719 {
4720 const char *typestr;
4721
4722 if (type == Q_NET)
4723 typestr = "net";
4724 else
4725 typestr = "host";
4726
4727 switch (proto) {
4728
4729 case Q_DEFAULT:
4730 return gen_host6(addr, mask, Q_IPV6, dir, type);
4731
4732 case Q_LINK:
4733 bpf_error("link-layer modifier applied to ip6 %s", typestr);
4734
4735 case Q_IP:
4736 bpf_error("'ip' modifier applied to ip6 %s", typestr);
4737
4738 case Q_RARP:
4739 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
4740
4741 case Q_ARP:
4742 bpf_error("'arp' modifier applied to ip6 %s", typestr);
4743
4744 case Q_SCTP:
4745 bpf_error("'sctp' modifier applied to %s", typestr);
4746
4747 case Q_TCP:
4748 bpf_error("'tcp' modifier applied to %s", typestr);
4749
4750 case Q_UDP:
4751 bpf_error("'udp' modifier applied to %s", typestr);
4752
4753 case Q_ICMP:
4754 bpf_error("'icmp' modifier applied to %s", typestr);
4755
4756 case Q_IGMP:
4757 bpf_error("'igmp' modifier applied to %s", typestr);
4758
4759 case Q_IGRP:
4760 bpf_error("'igrp' modifier applied to %s", typestr);
4761
4762 case Q_PIM:
4763 bpf_error("'pim' modifier applied to %s", typestr);
4764
4765 case Q_VRRP:
4766 bpf_error("'vrrp' modifier applied to %s", typestr);
4767
4768 case Q_CARP:
4769 bpf_error("'carp' modifier applied to %s", typestr);
4770
4771 case Q_ATALK:
4772 bpf_error("ATALK host filtering not implemented");
4773
4774 case Q_AARP:
4775 bpf_error("AARP host filtering not implemented");
4776
4777 case Q_DECNET:
4778 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
4779
4780 case Q_SCA:
4781 bpf_error("SCA host filtering not implemented");
4782
4783 case Q_LAT:
4784 bpf_error("LAT host filtering not implemented");
4785
4786 case Q_MOPDL:
4787 bpf_error("MOPDL host filtering not implemented");
4788
4789 case Q_MOPRC:
4790 bpf_error("MOPRC host filtering not implemented");
4791
4792 case Q_IPV6:
4793 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4794
4795 case Q_ICMPV6:
4796 bpf_error("'icmp6' modifier applied to %s", typestr);
4797
4798 case Q_AH:
4799 bpf_error("'ah' modifier applied to %s", typestr);
4800
4801 case Q_ESP:
4802 bpf_error("'esp' modifier applied to %s", typestr);
4803
4804 case Q_ISO:
4805 bpf_error("ISO host filtering not implemented");
4806
4807 case Q_ESIS:
4808 bpf_error("'esis' modifier applied to %s", typestr);
4809
4810 case Q_ISIS:
4811 bpf_error("'isis' modifier applied to %s", typestr);
4812
4813 case Q_CLNP:
4814 bpf_error("'clnp' modifier applied to %s", typestr);
4815
4816 case Q_STP:
4817 bpf_error("'stp' modifier applied to %s", typestr);
4818
4819 case Q_IPX:
4820 bpf_error("IPX host filtering not implemented");
4821
4822 case Q_NETBEUI:
4823 bpf_error("'netbeui' modifier applied to %s", typestr);
4824
4825 case Q_RADIO:
4826 bpf_error("'radio' modifier applied to %s", typestr);
4827
4828 default:
4829 abort();
4830 }
4831 /* NOTREACHED */
4832 }
4833 #endif
4834
4835 #ifndef INET6
4836 static struct block *
4837 gen_gateway(eaddr, alist, proto, dir)
4838 const u_char *eaddr;
4839 bpf_u_int32 **alist;
4840 int proto;
4841 int dir;
4842 {
4843 struct block *b0, *b1, *tmp;
4844
4845 if (dir != 0)
4846 bpf_error("direction applied to 'gateway'");
4847
4848 switch (proto) {
4849 case Q_DEFAULT:
4850 case Q_IP:
4851 case Q_ARP:
4852 case Q_RARP:
4853 switch (linktype) {
4854 case DLT_EN10MB:
4855 case DLT_NETANALYZER:
4856 case DLT_NETANALYZER_TRANSPARENT:
4857 b1 = gen_prevlinkhdr_check();
4858 b0 = gen_ehostop(eaddr, Q_OR);
4859 if (b1 != NULL)
4860 gen_and(b1, b0);
4861 break;
4862 case DLT_FDDI:
4863 b0 = gen_fhostop(eaddr, Q_OR);
4864 break;
4865 case DLT_IEEE802:
4866 b0 = gen_thostop(eaddr, Q_OR);
4867 break;
4868 case DLT_IEEE802_11:
4869 case DLT_PRISM_HEADER:
4870 case DLT_IEEE802_11_RADIO_AVS:
4871 case DLT_IEEE802_11_RADIO:
4872 case DLT_PPI:
4873 b0 = gen_wlanhostop(eaddr, Q_OR);
4874 break;
4875 case DLT_SUNATM:
4876 /*
4877 * This is LLC-multiplexed traffic; if it were
4878 * LANE, linktype would have been set to
4879 * DLT_EN10MB.
4880 */
4881 bpf_error(
4882 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4883 break;
4884 case DLT_IP_OVER_FC:
4885 b0 = gen_ipfchostop(eaddr, Q_OR);
4886 break;
4887 default:
4888 bpf_error(
4889 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4890 }
4891 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
4892 while (*alist) {
4893 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
4894 Q_HOST);
4895 gen_or(b1, tmp);
4896 b1 = tmp;
4897 }
4898 gen_not(b1);
4899 gen_and(b0, b1);
4900 return b1;
4901 }
4902 bpf_error("illegal modifier of 'gateway'");
4903 /* NOTREACHED */
4904 }
4905 #endif
4906
4907 struct block *
4908 gen_proto_abbrev(proto)
4909 int proto;
4910 {
4911 struct block *b0;
4912 struct block *b1;
4913
4914 switch (proto) {
4915
4916 case Q_SCTP:
4917 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
4918 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
4919 gen_or(b0, b1);
4920 break;
4921
4922 case Q_TCP:
4923 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
4924 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
4925 gen_or(b0, b1);
4926 break;
4927
4928 case Q_UDP:
4929 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
4930 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
4931 gen_or(b0, b1);
4932 break;
4933
4934 case Q_ICMP:
4935 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
4936 break;
4937
4938 #ifndef IPPROTO_IGMP
4939 #define IPPROTO_IGMP 2
4940 #endif
4941
4942 case Q_IGMP:
4943 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
4944 break;
4945
4946 #ifndef IPPROTO_IGRP
4947 #define IPPROTO_IGRP 9
4948 #endif
4949 case Q_IGRP:
4950 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
4951 break;
4952
4953 #ifndef IPPROTO_PIM
4954 #define IPPROTO_PIM 103
4955 #endif
4956
4957 case Q_PIM:
4958 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
4959 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
4960 gen_or(b0, b1);
4961 break;
4962
4963 #ifndef IPPROTO_VRRP
4964 #define IPPROTO_VRRP 112
4965 #endif
4966
4967 case Q_VRRP:
4968 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
4969 break;
4970
4971 #ifndef IPPROTO_CARP
4972 #define IPPROTO_CARP 112
4973 #endif
4974
4975 case Q_CARP:
4976 b1 = gen_proto(IPPROTO_CARP, Q_IP, Q_DEFAULT);
4977 break;
4978
4979 case Q_IP:
4980 b1 = gen_linktype(ETHERTYPE_IP);
4981 break;
4982
4983 case Q_ARP:
4984 b1 = gen_linktype(ETHERTYPE_ARP);
4985 break;
4986
4987 case Q_RARP:
4988 b1 = gen_linktype(ETHERTYPE_REVARP);
4989 break;
4990
4991 case Q_LINK:
4992 bpf_error("link layer applied in wrong context");
4993
4994 case Q_ATALK:
4995 b1 = gen_linktype(ETHERTYPE_ATALK);
4996 break;
4997
4998 case Q_AARP:
4999 b1 = gen_linktype(ETHERTYPE_AARP);
5000 break;
5001
5002 case Q_DECNET:
5003 b1 = gen_linktype(ETHERTYPE_DN);
5004 break;
5005
5006 case Q_SCA:
5007 b1 = gen_linktype(ETHERTYPE_SCA);
5008 break;
5009
5010 case Q_LAT:
5011 b1 = gen_linktype(ETHERTYPE_LAT);
5012 break;
5013
5014 case Q_MOPDL:
5015 b1 = gen_linktype(ETHERTYPE_MOPDL);
5016 break;
5017
5018 case Q_MOPRC:
5019 b1 = gen_linktype(ETHERTYPE_MOPRC);
5020 break;
5021
5022 case Q_IPV6:
5023 b1 = gen_linktype(ETHERTYPE_IPV6);
5024 break;
5025
5026 #ifndef IPPROTO_ICMPV6
5027 #define IPPROTO_ICMPV6 58
5028 #endif
5029 case Q_ICMPV6:
5030 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5031 break;
5032
5033 #ifndef IPPROTO_AH
5034 #define IPPROTO_AH 51
5035 #endif
5036 case Q_AH:
5037 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
5038 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
5039 gen_or(b0, b1);
5040 break;
5041
5042 #ifndef IPPROTO_ESP
5043 #define IPPROTO_ESP 50
5044 #endif
5045 case Q_ESP:
5046 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
5047 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
5048 gen_or(b0, b1);
5049 break;
5050
5051 case Q_ISO:
5052 b1 = gen_linktype(LLCSAP_ISONS);
5053 break;
5054
5055 case Q_ESIS:
5056 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5057 break;
5058
5059 case Q_ISIS:
5060 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5061 break;
5062
5063 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5064 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5065 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5066 gen_or(b0, b1);
5067 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5068 gen_or(b0, b1);
5069 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5070 gen_or(b0, b1);
5071 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5072 gen_or(b0, b1);
5073 break;
5074
5075 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5076 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5077 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5078 gen_or(b0, b1);
5079 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5080 gen_or(b0, b1);
5081 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5082 gen_or(b0, b1);
5083 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5084 gen_or(b0, b1);
5085 break;
5086
5087 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5088 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5089 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5090 gen_or(b0, b1);
5091 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5092 gen_or(b0, b1);
5093 break;
5094
5095 case Q_ISIS_LSP:
5096 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5097 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5098 gen_or(b0, b1);
5099 break;
5100
5101 case Q_ISIS_SNP:
5102 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5103 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5104 gen_or(b0, b1);
5105 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5106 gen_or(b0, b1);
5107 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5108 gen_or(b0, b1);
5109 break;
5110
5111 case Q_ISIS_CSNP:
5112 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5113 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5114 gen_or(b0, b1);
5115 break;
5116
5117 case Q_ISIS_PSNP:
5118 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5119 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5120 gen_or(b0, b1);
5121 break;
5122
5123 case Q_CLNP:
5124 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5125 break;
5126
5127 case Q_STP:
5128 b1 = gen_linktype(LLCSAP_8021D);
5129 break;
5130
5131 case Q_IPX:
5132 b1 = gen_linktype(LLCSAP_IPX);
5133 break;
5134
5135 case Q_NETBEUI:
5136 b1 = gen_linktype(LLCSAP_NETBEUI);
5137 break;
5138
5139 case Q_RADIO:
5140 bpf_error("'radio' is not a valid protocol type");
5141
5142 default:
5143 abort();
5144 }
5145 return b1;
5146 }
5147
5148 static struct block *
5149 gen_ipfrag()
5150 {
5151 struct slist *s;
5152 struct block *b;
5153
5154 /* not IPv4 frag other than the first frag */
5155 s = gen_load_a(OR_LINKPL, 6, BPF_H);
5156 b = new_block(JMP(BPF_JSET));
5157 b->s.k = 0x1fff;
5158 b->stmts = s;
5159 gen_not(b);
5160
5161 return b;
5162 }
5163
5164 /*
5165 * Generate a comparison to a port value in the transport-layer header
5166 * at the specified offset from the beginning of that header.
5167 *
5168 * XXX - this handles a variable-length prefix preceding the link-layer
5169 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5170 * variable-length link-layer headers (such as Token Ring or 802.11
5171 * headers).
5172 */
5173 static struct block *
5174 gen_portatom(off, v)
5175 int off;
5176 bpf_int32 v;
5177 {
5178 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
5179 }
5180
5181 static struct block *
5182 gen_portatom6(off, v)
5183 int off;
5184 bpf_int32 v;
5185 {
5186 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
5187 }
5188
5189 struct block *
5190 gen_portop(port, proto, dir)
5191 int port, proto, dir;
5192 {
5193 struct block *b0, *b1, *tmp;
5194
5195 /* ip proto 'proto' and not a fragment other than the first fragment */
5196 tmp = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5197 b0 = gen_ipfrag();
5198 gen_and(tmp, b0);
5199
5200 switch (dir) {
5201 case Q_SRC:
5202 b1 = gen_portatom(0, (bpf_int32)port);
5203 break;
5204
5205 case Q_DST:
5206 b1 = gen_portatom(2, (bpf_int32)port);
5207 break;
5208
5209 case Q_OR:
5210 case Q_DEFAULT:
5211 tmp = gen_portatom(0, (bpf_int32)port);
5212 b1 = gen_portatom(2, (bpf_int32)port);
5213 gen_or(tmp, b1);
5214 break;
5215
5216 case Q_AND:
5217 tmp = gen_portatom(0, (bpf_int32)port);
5218 b1 = gen_portatom(2, (bpf_int32)port);
5219 gen_and(tmp, b1);
5220 break;
5221
5222 default:
5223 abort();
5224 }
5225 gen_and(b0, b1);
5226
5227 return b1;
5228 }
5229
5230 static struct block *
5231 gen_port(port, ip_proto, dir)
5232 int port;
5233 int ip_proto;
5234 int dir;
5235 {
5236 struct block *b0, *b1, *tmp;
5237
5238 /*
5239 * ether proto ip
5240 *
5241 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5242 * not LLC encapsulation with LLCSAP_IP.
5243 *
5244 * For IEEE 802 networks - which includes 802.5 token ring
5245 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5246 * says that SNAP encapsulation is used, not LLC encapsulation
5247 * with LLCSAP_IP.
5248 *
5249 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5250 * RFC 2225 say that SNAP encapsulation is used, not LLC
5251 * encapsulation with LLCSAP_IP.
5252 *
5253 * So we always check for ETHERTYPE_IP.
5254 */
5255 b0 = gen_linktype(ETHERTYPE_IP);
5256
5257 switch (ip_proto) {
5258 case IPPROTO_UDP:
5259 case IPPROTO_TCP:
5260 case IPPROTO_SCTP:
5261 b1 = gen_portop(port, ip_proto, dir);
5262 break;
5263
5264 case PROTO_UNDEF:
5265 tmp = gen_portop(port, IPPROTO_TCP, dir);
5266 b1 = gen_portop(port, IPPROTO_UDP, dir);
5267 gen_or(tmp, b1);
5268 tmp = gen_portop(port, IPPROTO_SCTP, dir);
5269 gen_or(tmp, b1);
5270 break;
5271
5272 default:
5273 abort();
5274 }
5275 gen_and(b0, b1);
5276 return b1;
5277 }
5278
5279 struct block *
5280 gen_portop6(port, proto, dir)
5281 int port, proto, dir;
5282 {
5283 struct block *b0, *b1, *tmp;
5284
5285 /* ip6 proto 'proto' */
5286 /* XXX - catch the first fragment of a fragmented packet? */
5287 b0 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5288
5289 switch (dir) {
5290 case Q_SRC:
5291 b1 = gen_portatom6(0, (bpf_int32)port);
5292 break;
5293
5294 case Q_DST:
5295 b1 = gen_portatom6(2, (bpf_int32)port);
5296 break;
5297
5298 case Q_OR:
5299 case Q_DEFAULT:
5300 tmp = gen_portatom6(0, (bpf_int32)port);
5301 b1 = gen_portatom6(2, (bpf_int32)port);
5302 gen_or(tmp, b1);
5303 break;
5304
5305 case Q_AND:
5306 tmp = gen_portatom6(0, (bpf_int32)port);
5307 b1 = gen_portatom6(2, (bpf_int32)port);
5308 gen_and(tmp, b1);
5309 break;
5310
5311 default:
5312 abort();
5313 }
5314 gen_and(b0, b1);
5315
5316 return b1;
5317 }
5318
5319 static struct block *
5320 gen_port6(port, ip_proto, dir)
5321 int port;
5322 int ip_proto;
5323 int dir;
5324 {
5325 struct block *b0, *b1, *tmp;
5326
5327 /* link proto ip6 */
5328 b0 = gen_linktype(ETHERTYPE_IPV6);
5329
5330 switch (ip_proto) {
5331 case IPPROTO_UDP:
5332 case IPPROTO_TCP:
5333 case IPPROTO_SCTP:
5334 b1 = gen_portop6(port, ip_proto, dir);
5335 break;
5336
5337 case PROTO_UNDEF:
5338 tmp = gen_portop6(port, IPPROTO_TCP, dir);
5339 b1 = gen_portop6(port, IPPROTO_UDP, dir);
5340 gen_or(tmp, b1);
5341 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
5342 gen_or(tmp, b1);
5343 break;
5344
5345 default:
5346 abort();
5347 }
5348 gen_and(b0, b1);
5349 return b1;
5350 }
5351
5352 /* gen_portrange code */
5353 static struct block *
5354 gen_portrangeatom(off, v1, v2)
5355 int off;
5356 bpf_int32 v1, v2;
5357 {
5358 struct block *b1, *b2;
5359
5360 if (v1 > v2) {
5361 /*
5362 * Reverse the order of the ports, so v1 is the lower one.
5363 */
5364 bpf_int32 vtemp;
5365
5366 vtemp = v1;
5367 v1 = v2;
5368 v2 = vtemp;
5369 }
5370
5371 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
5372 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
5373
5374 gen_and(b1, b2);
5375
5376 return b2;
5377 }
5378
5379 struct block *
5380 gen_portrangeop(port1, port2, proto, dir)
5381 int port1, port2;
5382 int proto;
5383 int dir;
5384 {
5385 struct block *b0, *b1, *tmp;
5386
5387 /* ip proto 'proto' and not a fragment other than the first fragment */
5388 tmp = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5389 b0 = gen_ipfrag();
5390 gen_and(tmp, b0);
5391
5392 switch (dir) {
5393 case Q_SRC:
5394 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5395 break;
5396
5397 case Q_DST:
5398 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5399 break;
5400
5401 case Q_OR:
5402 case Q_DEFAULT:
5403 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5404 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5405 gen_or(tmp, b1);
5406 break;
5407
5408 case Q_AND:
5409 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
5410 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
5411 gen_and(tmp, b1);
5412 break;
5413
5414 default:
5415 abort();
5416 }
5417 gen_and(b0, b1);
5418
5419 return b1;
5420 }
5421
5422 static struct block *
5423 gen_portrange(port1, port2, ip_proto, dir)
5424 int port1, port2;
5425 int ip_proto;
5426 int dir;
5427 {
5428 struct block *b0, *b1, *tmp;
5429
5430 /* link proto ip */
5431 b0 = gen_linktype(ETHERTYPE_IP);
5432
5433 switch (ip_proto) {
5434 case IPPROTO_UDP:
5435 case IPPROTO_TCP:
5436 case IPPROTO_SCTP:
5437 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
5438 break;
5439
5440 case PROTO_UNDEF:
5441 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
5442 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
5443 gen_or(tmp, b1);
5444 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
5445 gen_or(tmp, b1);
5446 break;
5447
5448 default:
5449 abort();
5450 }
5451 gen_and(b0, b1);
5452 return b1;
5453 }
5454
5455 static struct block *
5456 gen_portrangeatom6(off, v1, v2)
5457 int off;
5458 bpf_int32 v1, v2;
5459 {
5460 struct block *b1, *b2;
5461
5462 if (v1 > v2) {
5463 /*
5464 * Reverse the order of the ports, so v1 is the lower one.
5465 */
5466 bpf_int32 vtemp;
5467
5468 vtemp = v1;
5469 v1 = v2;
5470 v2 = vtemp;
5471 }
5472
5473 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
5474 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
5475
5476 gen_and(b1, b2);
5477
5478 return b2;
5479 }
5480
5481 struct block *
5482 gen_portrangeop6(port1, port2, proto, dir)
5483 int port1, port2;
5484 int proto;
5485 int dir;
5486 {
5487 struct block *b0, *b1, *tmp;
5488
5489 /* ip6 proto 'proto' */
5490 /* XXX - catch the first fragment of a fragmented packet? */
5491 b0 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5492
5493 switch (dir) {
5494 case Q_SRC:
5495 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5496 break;
5497
5498 case Q_DST:
5499 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5500 break;
5501
5502 case Q_OR:
5503 case Q_DEFAULT:
5504 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5505 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5506 gen_or(tmp, b1);
5507 break;
5508
5509 case Q_AND:
5510 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
5511 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
5512 gen_and(tmp, b1);
5513 break;
5514
5515 default:
5516 abort();
5517 }
5518 gen_and(b0, b1);
5519
5520 return b1;
5521 }
5522
5523 static struct block *
5524 gen_portrange6(port1, port2, ip_proto, dir)
5525 int port1, port2;
5526 int ip_proto;
5527 int dir;
5528 {
5529 struct block *b0, *b1, *tmp;
5530
5531 /* link proto ip6 */
5532 b0 = gen_linktype(ETHERTYPE_IPV6);
5533
5534 switch (ip_proto) {
5535 case IPPROTO_UDP:
5536 case IPPROTO_TCP:
5537 case IPPROTO_SCTP:
5538 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
5539 break;
5540
5541 case PROTO_UNDEF:
5542 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
5543 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
5544 gen_or(tmp, b1);
5545 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
5546 gen_or(tmp, b1);
5547 break;
5548
5549 default:
5550 abort();
5551 }
5552 gen_and(b0, b1);
5553 return b1;
5554 }
5555
5556 static int
5557 lookup_proto(name, proto)
5558 register const char *name;
5559 register int proto;
5560 {
5561 register int v;
5562
5563 switch (proto) {
5564
5565 case Q_DEFAULT:
5566 case Q_IP:
5567 case Q_IPV6:
5568 v = pcap_nametoproto(name);
5569 if (v == PROTO_UNDEF)
5570 bpf_error("unknown ip proto '%s'", name);
5571 break;
5572
5573 case Q_LINK:
5574 /* XXX should look up h/w protocol type based on linktype */
5575 v = pcap_nametoeproto(name);
5576 if (v == PROTO_UNDEF) {
5577 v = pcap_nametollc(name);
5578 if (v == PROTO_UNDEF)
5579 bpf_error("unknown ether proto '%s'", name);
5580 }
5581 break;
5582
5583 case Q_ISO:
5584 if (strcmp(name, "esis") == 0)
5585 v = ISO9542_ESIS;
5586 else if (strcmp(name, "isis") == 0)
5587 v = ISO10589_ISIS;
5588 else if (strcmp(name, "clnp") == 0)
5589 v = ISO8473_CLNP;
5590 else
5591 bpf_error("unknown osi proto '%s'", name);
5592 break;
5593
5594 default:
5595 v = PROTO_UNDEF;
5596 break;
5597 }
5598 return v;
5599 }
5600
5601 #if 0
5602 struct stmt *
5603 gen_joinsp(s, n)
5604 struct stmt **s;
5605 int n;
5606 {
5607 return NULL;
5608 }
5609 #endif
5610
5611 static struct block *
5612 gen_protochain(v, proto, dir)
5613 int v;
5614 int proto;
5615 int dir;
5616 {
5617 #ifdef NO_PROTOCHAIN
5618 return gen_proto(v, proto, dir);
5619 #else
5620 struct block *b0, *b;
5621 struct slist *s[100];
5622 int fix2, fix3, fix4, fix5;
5623 int ahcheck, again, end;
5624 int i, max;
5625 int reg2 = alloc_reg();
5626
5627 memset(s, 0, sizeof(s));
5628 fix3 = fix4 = fix5 = 0;
5629
5630 switch (proto) {
5631 case Q_IP:
5632 case Q_IPV6:
5633 break;
5634 case Q_DEFAULT:
5635 b0 = gen_protochain(v, Q_IP, dir);
5636 b = gen_protochain(v, Q_IPV6, dir);
5637 gen_or(b0, b);
5638 return b;
5639 default:
5640 bpf_error("bad protocol applied for 'protochain'");
5641 /*NOTREACHED*/
5642 }
5643
5644 /*
5645 * We don't handle variable-length prefixes before the link-layer
5646 * header, or variable-length link-layer headers, here yet.
5647 * We might want to add BPF instructions to do the protochain
5648 * work, to simplify that and, on platforms that have a BPF
5649 * interpreter with the new instructions, let the filtering
5650 * be done in the kernel. (We already require a modified BPF
5651 * engine to do the protochain stuff, to support backward
5652 * branches, and backward branch support is unlikely to appear
5653 * in kernel BPF engines.)
5654 */
5655 if (off_linkpl.is_variable)
5656 bpf_error("'protochain' not supported with variable length headers");
5657
5658 no_optimize = 1; /*this code is not compatible with optimzer yet */
5659
5660 /*
5661 * s[0] is a dummy entry to protect other BPF insn from damage
5662 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5663 * hard to find interdependency made by jump table fixup.
5664 */
5665 i = 0;
5666 s[i] = new_stmt(0); /*dummy*/
5667 i++;
5668
5669 switch (proto) {
5670 case Q_IP:
5671 b0 = gen_linktype(ETHERTYPE_IP);
5672
5673 /* A = ip->ip_p */
5674 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5675 s[i]->s.k = off_linkpl.constant_part + off_nl + 9;
5676 i++;
5677 /* X = ip->ip_hl << 2 */
5678 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
5679 s[i]->s.k = off_linkpl.constant_part + off_nl;
5680 i++;
5681 break;
5682
5683 case Q_IPV6:
5684 b0 = gen_linktype(ETHERTYPE_IPV6);
5685
5686 /* A = ip6->ip_nxt */
5687 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
5688 s[i]->s.k = off_linkpl.constant_part + off_nl + 6;
5689 i++;
5690 /* X = sizeof(struct ip6_hdr) */
5691 s[i] = new_stmt(BPF_LDX|BPF_IMM);
5692 s[i]->s.k = 40;
5693 i++;
5694 break;
5695
5696 default:
5697 bpf_error("unsupported proto to gen_protochain");
5698 /*NOTREACHED*/
5699 }
5700
5701 /* again: if (A == v) goto end; else fall through; */
5702 again = i;
5703 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5704 s[i]->s.k = v;
5705 s[i]->s.jt = NULL; /*later*/
5706 s[i]->s.jf = NULL; /*update in next stmt*/
5707 fix5 = i;
5708 i++;
5709
5710 #ifndef IPPROTO_NONE
5711 #define IPPROTO_NONE 59
5712 #endif
5713 /* if (A == IPPROTO_NONE) goto end */
5714 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5715 s[i]->s.jt = NULL; /*later*/
5716 s[i]->s.jf = NULL; /*update in next stmt*/
5717 s[i]->s.k = IPPROTO_NONE;
5718 s[fix5]->s.jf = s[i];
5719 fix2 = i;
5720 i++;
5721
5722 if (proto == Q_IPV6) {
5723 int v6start, v6end, v6advance, j;
5724
5725 v6start = i;
5726 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5727 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5728 s[i]->s.jt = NULL; /*later*/
5729 s[i]->s.jf = NULL; /*update in next stmt*/
5730 s[i]->s.k = IPPROTO_HOPOPTS;
5731 s[fix2]->s.jf = s[i];
5732 i++;
5733 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5734 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5735 s[i]->s.jt = NULL; /*later*/
5736 s[i]->s.jf = NULL; /*update in next stmt*/
5737 s[i]->s.k = IPPROTO_DSTOPTS;
5738 i++;
5739 /* if (A == IPPROTO_ROUTING) goto v6advance */
5740 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5741 s[i]->s.jt = NULL; /*later*/
5742 s[i]->s.jf = NULL; /*update in next stmt*/
5743 s[i]->s.k = IPPROTO_ROUTING;
5744 i++;
5745 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5746 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5747 s[i]->s.jt = NULL; /*later*/
5748 s[i]->s.jf = NULL; /*later*/
5749 s[i]->s.k = IPPROTO_FRAGMENT;
5750 fix3 = i;
5751 v6end = i;
5752 i++;
5753
5754 /* v6advance: */
5755 v6advance = i;
5756
5757 /*
5758 * in short,
5759 * A = P[X + packet head];
5760 * X = X + (P[X + packet head + 1] + 1) * 8;
5761 */
5762 /* A = P[X + packet head] */
5763 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5764 s[i]->s.k = off_linkpl.constant_part + off_nl;
5765 i++;
5766 /* MEM[reg2] = A */
5767 s[i] = new_stmt(BPF_ST);
5768 s[i]->s.k = reg2;
5769 i++;
5770 /* A = P[X + packet head + 1]; */
5771 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5772 s[i]->s.k = off_linkpl.constant_part + off_nl + 1;
5773 i++;
5774 /* A += 1 */
5775 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5776 s[i]->s.k = 1;
5777 i++;
5778 /* A *= 8 */
5779 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5780 s[i]->s.k = 8;
5781 i++;
5782 /* A += X */
5783 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
5784 s[i]->s.k = 0;
5785 i++;
5786 /* X = A; */
5787 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5788 i++;
5789 /* A = MEM[reg2] */
5790 s[i] = new_stmt(BPF_LD|BPF_MEM);
5791 s[i]->s.k = reg2;
5792 i++;
5793
5794 /* goto again; (must use BPF_JA for backward jump) */
5795 s[i] = new_stmt(BPF_JMP|BPF_JA);
5796 s[i]->s.k = again - i - 1;
5797 s[i - 1]->s.jf = s[i];
5798 i++;
5799
5800 /* fixup */
5801 for (j = v6start; j <= v6end; j++)
5802 s[j]->s.jt = s[v6advance];
5803 } else {
5804 /* nop */
5805 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5806 s[i]->s.k = 0;
5807 s[fix2]->s.jf = s[i];
5808 i++;
5809 }
5810
5811 /* ahcheck: */
5812 ahcheck = i;
5813 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5814 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
5815 s[i]->s.jt = NULL; /*later*/
5816 s[i]->s.jf = NULL; /*later*/
5817 s[i]->s.k = IPPROTO_AH;
5818 if (fix3)
5819 s[fix3]->s.jf = s[ahcheck];
5820 fix4 = i;
5821 i++;
5822
5823 /*
5824 * in short,
5825 * A = P[X];
5826 * X = X + (P[X + 1] + 2) * 4;
5827 */
5828 /* A = X */
5829 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5830 i++;
5831 /* A = P[X + packet head]; */
5832 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5833 s[i]->s.k = off_linkpl.constant_part + off_nl;
5834 i++;
5835 /* MEM[reg2] = A */
5836 s[i] = new_stmt(BPF_ST);
5837 s[i]->s.k = reg2;
5838 i++;
5839 /* A = X */
5840 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
5841 i++;
5842 /* A += 1 */
5843 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5844 s[i]->s.k = 1;
5845 i++;
5846 /* X = A */
5847 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5848 i++;
5849 /* A = P[X + packet head] */
5850 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
5851 s[i]->s.k = off_linkpl.constant_part + off_nl;
5852 i++;
5853 /* A += 2 */
5854 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5855 s[i]->s.k = 2;
5856 i++;
5857 /* A *= 4 */
5858 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
5859 s[i]->s.k = 4;
5860 i++;
5861 /* X = A; */
5862 s[i] = new_stmt(BPF_MISC|BPF_TAX);
5863 i++;
5864 /* A = MEM[reg2] */
5865 s[i] = new_stmt(BPF_LD|BPF_MEM);
5866 s[i]->s.k = reg2;
5867 i++;
5868
5869 /* goto again; (must use BPF_JA for backward jump) */
5870 s[i] = new_stmt(BPF_JMP|BPF_JA);
5871 s[i]->s.k = again - i - 1;
5872 i++;
5873
5874 /* end: nop */
5875 end = i;
5876 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
5877 s[i]->s.k = 0;
5878 s[fix2]->s.jt = s[end];
5879 s[fix4]->s.jf = s[end];
5880 s[fix5]->s.jt = s[end];
5881 i++;
5882
5883 /*
5884 * make slist chain
5885 */
5886 max = i;
5887 for (i = 0; i < max - 1; i++)
5888 s[i]->next = s[i + 1];
5889 s[max - 1]->next = NULL;
5890
5891 /*
5892 * emit final check
5893 */
5894 b = new_block(JMP(BPF_JEQ));
5895 b->stmts = s[1]; /*remember, s[0] is dummy*/
5896 b->s.k = v;
5897
5898 free_reg(reg2);
5899
5900 gen_and(b0, b);
5901 return b;
5902 #endif
5903 }
5904
5905 static struct block *
5906 gen_check_802_11_data_frame()
5907 {
5908 struct slist *s;
5909 struct block *b0, *b1;
5910
5911 /*
5912 * A data frame has the 0x08 bit (b3) in the frame control field set
5913 * and the 0x04 bit (b2) clear.
5914 */
5915 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
5916 b0 = new_block(JMP(BPF_JSET));
5917 b0->s.k = 0x08;
5918 b0->stmts = s;
5919
5920 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
5921 b1 = new_block(JMP(BPF_JSET));
5922 b1->s.k = 0x04;
5923 b1->stmts = s;
5924 gen_not(b1);
5925
5926 gen_and(b1, b0);
5927
5928 return b0;
5929 }
5930
5931 /*
5932 * Generate code that checks whether the packet is a packet for protocol
5933 * <proto> and whether the type field in that protocol's header has
5934 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
5935 * IP packet and checks the protocol number in the IP header against <v>.
5936 *
5937 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
5938 * against Q_IP and Q_IPV6.
5939 */
5940 static struct block *
5941 gen_proto(v, proto, dir)
5942 int v;
5943 int proto;
5944 int dir;
5945 {
5946 struct block *b0, *b1;
5947 #ifndef CHASE_CHAIN
5948 struct block *b2;
5949 #endif
5950
5951 if (dir != Q_DEFAULT)
5952 bpf_error("direction applied to 'proto'");
5953
5954 switch (proto) {
5955 case Q_DEFAULT:
5956 b0 = gen_proto(v, Q_IP, dir);
5957 b1 = gen_proto(v, Q_IPV6, dir);
5958 gen_or(b0, b1);
5959 return b1;
5960
5961 case Q_IP:
5962 /*
5963 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5964 * not LLC encapsulation with LLCSAP_IP.
5965 *
5966 * For IEEE 802 networks - which includes 802.5 token ring
5967 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5968 * says that SNAP encapsulation is used, not LLC encapsulation
5969 * with LLCSAP_IP.
5970 *
5971 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5972 * RFC 2225 say that SNAP encapsulation is used, not LLC
5973 * encapsulation with LLCSAP_IP.
5974 *
5975 * So we always check for ETHERTYPE_IP.
5976 */
5977 b0 = gen_linktype(ETHERTYPE_IP);
5978 #ifndef CHASE_CHAIN
5979 b1 = gen_cmp(OR_LINKPL, 9, BPF_B, (bpf_int32)v);
5980 #else
5981 b1 = gen_protochain(v, Q_IP);
5982 #endif
5983 gen_and(b0, b1);
5984 return b1;
5985
5986 case Q_ISO:
5987 switch (linktype) {
5988
5989 case DLT_FRELAY:
5990 /*
5991 * Frame Relay packets typically have an OSI
5992 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
5993 * generates code to check for all the OSI
5994 * NLPIDs, so calling it and then adding a check
5995 * for the particular NLPID for which we're
5996 * looking is bogus, as we can just check for
5997 * the NLPID.
5998 *
5999 * What we check for is the NLPID and a frame
6000 * control field value of UI, i.e. 0x03 followed
6001 * by the NLPID.
6002 *
6003 * XXX - assumes a 2-byte Frame Relay header with
6004 * DLCI and flags. What if the address is longer?
6005 *
6006 * XXX - what about SNAP-encapsulated frames?
6007 */
6008 return gen_cmp(OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6009 /*NOTREACHED*/
6010 break;
6011
6012 case DLT_C_HDLC:
6013 /*
6014 * Cisco uses an Ethertype lookalike - for OSI,
6015 * it's 0xfefe.
6016 */
6017 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6018 /* OSI in C-HDLC is stuffed with a fudge byte */
6019 b1 = gen_cmp(OR_LINKPL_NOSNAP, 1, BPF_B, (long)v);
6020 gen_and(b0, b1);
6021 return b1;
6022
6023 default:
6024 b0 = gen_linktype(LLCSAP_ISONS);
6025 b1 = gen_cmp(OR_LINKPL_NOSNAP, 0, BPF_B, (long)v);
6026 gen_and(b0, b1);
6027 return b1;
6028 }
6029
6030 case Q_ISIS:
6031 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6032 /*
6033 * 4 is the offset of the PDU type relative to the IS-IS
6034 * header.
6035 */
6036 b1 = gen_cmp(OR_LINKPL_NOSNAP, 4, BPF_B, (long)v);
6037 gen_and(b0, b1);
6038 return b1;
6039
6040 case Q_ARP:
6041 bpf_error("arp does not encapsulate another protocol");
6042 /* NOTREACHED */
6043
6044 case Q_RARP:
6045 bpf_error("rarp does not encapsulate another protocol");
6046 /* NOTREACHED */
6047
6048 case Q_ATALK:
6049 bpf_error("atalk encapsulation is not specifiable");
6050 /* NOTREACHED */
6051
6052 case Q_DECNET:
6053 bpf_error("decnet encapsulation is not specifiable");
6054 /* NOTREACHED */
6055
6056 case Q_SCA:
6057 bpf_error("sca does not encapsulate another protocol");
6058 /* NOTREACHED */
6059
6060 case Q_LAT:
6061 bpf_error("lat does not encapsulate another protocol");
6062 /* NOTREACHED */
6063
6064 case Q_MOPRC:
6065 bpf_error("moprc does not encapsulate another protocol");
6066 /* NOTREACHED */
6067
6068 case Q_MOPDL:
6069 bpf_error("mopdl does not encapsulate another protocol");
6070 /* NOTREACHED */
6071
6072 case Q_LINK:
6073 return gen_linktype(v);
6074
6075 case Q_UDP:
6076 bpf_error("'udp proto' is bogus");
6077 /* NOTREACHED */
6078
6079 case Q_TCP:
6080 bpf_error("'tcp proto' is bogus");
6081 /* NOTREACHED */
6082
6083 case Q_SCTP:
6084 bpf_error("'sctp proto' is bogus");
6085 /* NOTREACHED */
6086
6087 case Q_ICMP:
6088 bpf_error("'icmp proto' is bogus");
6089 /* NOTREACHED */
6090
6091 case Q_IGMP:
6092 bpf_error("'igmp proto' is bogus");
6093 /* NOTREACHED */
6094
6095 case Q_IGRP:
6096 bpf_error("'igrp proto' is bogus");
6097 /* NOTREACHED */
6098
6099 case Q_PIM:
6100 bpf_error("'pim proto' is bogus");
6101 /* NOTREACHED */
6102
6103 case Q_VRRP:
6104 bpf_error("'vrrp proto' is bogus");
6105 /* NOTREACHED */
6106
6107 case Q_CARP:
6108 bpf_error("'carp proto' is bogus");
6109 /* NOTREACHED */
6110
6111 case Q_IPV6:
6112 b0 = gen_linktype(ETHERTYPE_IPV6);
6113 #ifndef CHASE_CHAIN
6114 /*
6115 * Also check for a fragment header before the final
6116 * header.
6117 */
6118 b2 = gen_cmp(OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6119 b1 = gen_cmp(OR_LINKPL, 40, BPF_B, (bpf_int32)v);
6120 gen_and(b2, b1);
6121 b2 = gen_cmp(OR_LINKPL, 6, BPF_B, (bpf_int32)v);
6122 gen_or(b2, b1);
6123 #else
6124 b1 = gen_protochain(v, Q_IPV6);
6125 #endif
6126 gen_and(b0, b1);
6127 return b1;
6128
6129 case Q_ICMPV6:
6130 bpf_error("'icmp6 proto' is bogus");
6131
6132 case Q_AH:
6133 bpf_error("'ah proto' is bogus");
6134
6135 case Q_ESP:
6136 bpf_error("'ah proto' is bogus");
6137
6138 case Q_STP:
6139 bpf_error("'stp proto' is bogus");
6140
6141 case Q_IPX:
6142 bpf_error("'ipx proto' is bogus");
6143
6144 case Q_NETBEUI:
6145 bpf_error("'netbeui proto' is bogus");
6146
6147 case Q_RADIO:
6148 bpf_error("'radio proto' is bogus");
6149
6150 default:
6151 abort();
6152 /* NOTREACHED */
6153 }
6154 /* NOTREACHED */
6155 }
6156
6157 struct block *
6158 gen_scode(name, q)
6159 register const char *name;
6160 struct qual q;
6161 {
6162 int proto = q.proto;
6163 int dir = q.dir;
6164 int tproto;
6165 u_char *eaddr;
6166 bpf_u_int32 mask, addr;
6167 #ifndef INET6
6168 bpf_u_int32 **alist;
6169 #else
6170 int tproto6;
6171 struct sockaddr_in *sin4;
6172 struct sockaddr_in6 *sin6;
6173 struct addrinfo *res, *res0;
6174 struct in6_addr mask128;
6175 #endif /*INET6*/
6176 struct block *b, *tmp;
6177 int port, real_proto;
6178 int port1, port2;
6179
6180 switch (q.addr) {
6181
6182 case Q_NET:
6183 addr = pcap_nametonetaddr(name);
6184 if (addr == 0)
6185 bpf_error("unknown network '%s'", name);
6186 /* Left justify network addr and calculate its network mask */
6187 mask = 0xffffffff;
6188 while (addr && (addr & 0xff000000) == 0) {
6189 addr <<= 8;
6190 mask <<= 8;
6191 }
6192 return gen_host(addr, mask, proto, dir, q.addr);
6193
6194 case Q_DEFAULT:
6195 case Q_HOST:
6196 if (proto == Q_LINK) {
6197 switch (linktype) {
6198
6199 case DLT_EN10MB:
6200 case DLT_NETANALYZER:
6201 case DLT_NETANALYZER_TRANSPARENT:
6202 eaddr = pcap_ether_hostton(name);
6203 if (eaddr == NULL)
6204 bpf_error(
6205 "unknown ether host '%s'", name);
6206 tmp = gen_prevlinkhdr_check();
6207 b = gen_ehostop(eaddr, dir);
6208 if (tmp != NULL)
6209 gen_and(tmp, b);
6210 free(eaddr);
6211 return b;
6212
6213 case DLT_FDDI:
6214 eaddr = pcap_ether_hostton(name);
6215 if (eaddr == NULL)
6216 bpf_error(
6217 "unknown FDDI host '%s'", name);
6218 b = gen_fhostop(eaddr, dir);
6219 free(eaddr);
6220 return b;
6221
6222 case DLT_IEEE802:
6223 eaddr = pcap_ether_hostton(name);
6224 if (eaddr == NULL)
6225 bpf_error(
6226 "unknown token ring host '%s'", name);
6227 b = gen_thostop(eaddr, dir);
6228 free(eaddr);
6229 return b;
6230
6231 case DLT_IEEE802_11:
6232 case DLT_PRISM_HEADER:
6233 case DLT_IEEE802_11_RADIO_AVS:
6234 case DLT_IEEE802_11_RADIO:
6235 case DLT_PPI:
6236 eaddr = pcap_ether_hostton(name);
6237 if (eaddr == NULL)
6238 bpf_error(
6239 "unknown 802.11 host '%s'", name);
6240 b = gen_wlanhostop(eaddr, dir);
6241 free(eaddr);
6242 return b;
6243
6244 case DLT_IP_OVER_FC:
6245 eaddr = pcap_ether_hostton(name);
6246 if (eaddr == NULL)
6247 bpf_error(
6248 "unknown Fibre Channel host '%s'", name);
6249 b = gen_ipfchostop(eaddr, dir);
6250 free(eaddr);
6251 return b;
6252 }
6253
6254 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6255 } else if (proto == Q_DECNET) {
6256 unsigned short dn_addr = __pcap_nametodnaddr(name);
6257 /*
6258 * I don't think DECNET hosts can be multihomed, so
6259 * there is no need to build up a list of addresses
6260 */
6261 return (gen_host(dn_addr, 0, proto, dir, q.addr));
6262 } else {
6263 #ifndef INET6
6264 alist = pcap_nametoaddr(name);
6265 if (alist == NULL || *alist == NULL)
6266 bpf_error("unknown host '%s'", name);
6267 tproto = proto;
6268 if (off_linktype.constant_part == (u_int)-1 &&
6269 tproto == Q_DEFAULT)
6270 tproto = Q_IP;
6271 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
6272 while (*alist) {
6273 tmp = gen_host(**alist++, 0xffffffff,
6274 tproto, dir, q.addr);
6275 gen_or(b, tmp);
6276 b = tmp;
6277 }
6278 return b;
6279 #else
6280 memset(&mask128, 0xff, sizeof(mask128));
6281 res0 = res = pcap_nametoaddrinfo(name);
6282 if (res == NULL)
6283 bpf_error("unknown host '%s'", name);
6284 ai = res;
6285 b = tmp = NULL;
6286 tproto = tproto6 = proto;
6287 if (off_linktype.constant_part == -1 &&
6288 tproto == Q_DEFAULT) {
6289 tproto = Q_IP;
6290 tproto6 = Q_IPV6;
6291 }
6292 for (res = res0; res; res = res->ai_next) {
6293 switch (res->ai_family) {
6294 case AF_INET:
6295 if (tproto == Q_IPV6)
6296 continue;
6297
6298 sin4 = (struct sockaddr_in *)
6299 res->ai_addr;
6300 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
6301 0xffffffff, tproto, dir, q.addr);
6302 break;
6303 case AF_INET6:
6304 if (tproto6 == Q_IP)
6305 continue;
6306
6307 sin6 = (struct sockaddr_in6 *)
6308 res->ai_addr;
6309 tmp = gen_host6(&sin6->sin6_addr,
6310 &mask128, tproto6, dir, q.addr);
6311 break;
6312 default:
6313 continue;
6314 }
6315 if (b)
6316 gen_or(b, tmp);
6317 b = tmp;
6318 }
6319 ai = NULL;
6320 freeaddrinfo(res0);
6321 if (b == NULL) {
6322 bpf_error("unknown host '%s'%s", name,
6323 (proto == Q_DEFAULT)
6324 ? ""
6325 : " for specified address family");
6326 }
6327 return b;
6328 #endif /*INET6*/
6329 }
6330
6331 case Q_PORT:
6332 if (proto != Q_DEFAULT &&
6333 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6334 bpf_error("illegal qualifier of 'port'");
6335 if (pcap_nametoport(name, &port, &real_proto) == 0)
6336 bpf_error("unknown port '%s'", name);
6337 if (proto == Q_UDP) {
6338 if (real_proto == IPPROTO_TCP)
6339 bpf_error("port '%s' is tcp", name);
6340 else if (real_proto == IPPROTO_SCTP)
6341 bpf_error("port '%s' is sctp", name);
6342 else
6343 /* override PROTO_UNDEF */
6344 real_proto = IPPROTO_UDP;
6345 }
6346 if (proto == Q_TCP) {
6347 if (real_proto == IPPROTO_UDP)
6348 bpf_error("port '%s' is udp", name);
6349
6350 else if (real_proto == IPPROTO_SCTP)
6351 bpf_error("port '%s' is sctp", name);
6352 else
6353 /* override PROTO_UNDEF */
6354 real_proto = IPPROTO_TCP;
6355 }
6356 if (proto == Q_SCTP) {
6357 if (real_proto == IPPROTO_UDP)
6358 bpf_error("port '%s' is udp", name);
6359
6360 else if (real_proto == IPPROTO_TCP)
6361 bpf_error("port '%s' is tcp", name);
6362 else
6363 /* override PROTO_UNDEF */
6364 real_proto = IPPROTO_SCTP;
6365 }
6366 if (port < 0)
6367 bpf_error("illegal port number %d < 0", port);
6368 if (port > 65535)
6369 bpf_error("illegal port number %d > 65535", port);
6370 b = gen_port(port, real_proto, dir);
6371 gen_or(gen_port6(port, real_proto, dir), b);
6372 return b;
6373
6374 case Q_PORTRANGE:
6375 if (proto != Q_DEFAULT &&
6376 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6377 bpf_error("illegal qualifier of 'portrange'");
6378 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6379 bpf_error("unknown port in range '%s'", name);
6380 if (proto == Q_UDP) {
6381 if (real_proto == IPPROTO_TCP)
6382 bpf_error("port in range '%s' is tcp", name);
6383 else if (real_proto == IPPROTO_SCTP)
6384 bpf_error("port in range '%s' is sctp", name);
6385 else
6386 /* override PROTO_UNDEF */
6387 real_proto = IPPROTO_UDP;
6388 }
6389 if (proto == Q_TCP) {
6390 if (real_proto == IPPROTO_UDP)
6391 bpf_error("port in range '%s' is udp", name);
6392 else if (real_proto == IPPROTO_SCTP)
6393 bpf_error("port in range '%s' is sctp", name);
6394 else
6395 /* override PROTO_UNDEF */
6396 real_proto = IPPROTO_TCP;
6397 }
6398 if (proto == Q_SCTP) {
6399 if (real_proto == IPPROTO_UDP)
6400 bpf_error("port in range '%s' is udp", name);
6401 else if (real_proto == IPPROTO_TCP)
6402 bpf_error("port in range '%s' is tcp", name);
6403 else
6404 /* override PROTO_UNDEF */
6405 real_proto = IPPROTO_SCTP;
6406 }
6407 if (port1 < 0)
6408 bpf_error("illegal port number %d < 0", port1);
6409 if (port1 > 65535)
6410 bpf_error("illegal port number %d > 65535", port1);
6411 if (port2 < 0)
6412 bpf_error("illegal port number %d < 0", port2);
6413 if (port2 > 65535)
6414 bpf_error("illegal port number %d > 65535", port2);
6415
6416 b = gen_portrange(port1, port2, real_proto, dir);
6417 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
6418 return b;
6419
6420 case Q_GATEWAY:
6421 #ifndef INET6
6422 eaddr = pcap_ether_hostton(name);
6423 if (eaddr == NULL)
6424 bpf_error("unknown ether host: %s", name);
6425
6426 alist = pcap_nametoaddr(name);
6427 if (alist == NULL || *alist == NULL)
6428 bpf_error("unknown host '%s'", name);
6429 b = gen_gateway(eaddr, alist, proto, dir);
6430 free(eaddr);
6431 return b;
6432 #else
6433 bpf_error("'gateway' not supported in this configuration");
6434 #endif /*INET6*/
6435
6436 case Q_PROTO:
6437 real_proto = lookup_proto(name, proto);
6438 if (real_proto >= 0)
6439 return gen_proto(real_proto, proto, dir);
6440 else
6441 bpf_error("unknown protocol: %s", name);
6442
6443 case Q_PROTOCHAIN:
6444 real_proto = lookup_proto(name, proto);
6445 if (real_proto >= 0)
6446 return gen_protochain(real_proto, proto, dir);
6447 else
6448 bpf_error("unknown protocol: %s", name);
6449
6450 case Q_UNDEF:
6451 syntax();
6452 /* NOTREACHED */
6453 }
6454 abort();
6455 /* NOTREACHED */
6456 }
6457
6458 struct block *
6459 gen_mcode(s1, s2, masklen, q)
6460 register const char *s1, *s2;
6461 register unsigned int masklen;
6462 struct qual q;
6463 {
6464 register int nlen, mlen;
6465 bpf_u_int32 n, m;
6466
6467 nlen = __pcap_atoin(s1, &n);
6468 /* Promote short ipaddr */
6469 n <<= 32 - nlen;
6470
6471 if (s2 != NULL) {
6472 mlen = __pcap_atoin(s2, &m);
6473 /* Promote short ipaddr */
6474 m <<= 32 - mlen;
6475 if ((n & ~m) != 0)
6476 bpf_error("non-network bits set in \"%s mask %s\"",
6477 s1, s2);
6478 } else {
6479 /* Convert mask len to mask */
6480 if (masklen > 32)
6481 bpf_error("mask length must be <= 32");
6482 if (masklen == 0) {
6483 /*
6484 * X << 32 is not guaranteed by C to be 0; it's
6485 * undefined.
6486 */
6487 m = 0;
6488 } else
6489 m = 0xffffffff << (32 - masklen);
6490 if ((n & ~m) != 0)
6491 bpf_error("non-network bits set in \"%s/%d\"",
6492 s1, masklen);
6493 }
6494
6495 switch (q.addr) {
6496
6497 case Q_NET:
6498 return gen_host(n, m, q.proto, q.dir, q.addr);
6499
6500 default:
6501 bpf_error("Mask syntax for networks only");
6502 /* NOTREACHED */
6503 }
6504 /* NOTREACHED */
6505 return NULL;
6506 }
6507
6508 struct block *
6509 gen_ncode(s, v, q)
6510 register const char *s;
6511 bpf_u_int32 v;
6512 struct qual q;
6513 {
6514 bpf_u_int32 mask;
6515 int proto = q.proto;
6516 int dir = q.dir;
6517 register int vlen;
6518
6519 if (s == NULL)
6520 vlen = 32;
6521 else if (q.proto == Q_DECNET)
6522 vlen = __pcap_atodn(s, &v);
6523 else
6524 vlen = __pcap_atoin(s, &v);
6525
6526 switch (q.addr) {
6527
6528 case Q_DEFAULT:
6529 case Q_HOST:
6530 case Q_NET:
6531 if (proto == Q_DECNET)
6532 return gen_host(v, 0, proto, dir, q.addr);
6533 else if (proto == Q_LINK) {
6534 bpf_error("illegal link layer address");
6535 } else {
6536 mask = 0xffffffff;
6537 if (s == NULL && q.addr == Q_NET) {
6538 /* Promote short net number */
6539 while (v && (v & 0xff000000) == 0) {
6540 v <<= 8;
6541 mask <<= 8;
6542 }
6543 } else {
6544 /* Promote short ipaddr */
6545 v <<= 32 - vlen;
6546 mask <<= 32 - vlen;
6547 }
6548 return gen_host(v, mask, proto, dir, q.addr);
6549 }
6550
6551 case Q_PORT:
6552 if (proto == Q_UDP)
6553 proto = IPPROTO_UDP;
6554 else if (proto == Q_TCP)
6555 proto = IPPROTO_TCP;
6556 else if (proto == Q_SCTP)
6557 proto = IPPROTO_SCTP;
6558 else if (proto == Q_DEFAULT)
6559 proto = PROTO_UNDEF;
6560 else
6561 bpf_error("illegal qualifier of 'port'");
6562
6563 if (v > 65535)
6564 bpf_error("illegal port number %u > 65535", v);
6565
6566 {
6567 struct block *b;
6568 b = gen_port((int)v, proto, dir);
6569 gen_or(gen_port6((int)v, proto, dir), b);
6570 return b;
6571 }
6572
6573 case Q_PORTRANGE:
6574 if (proto == Q_UDP)
6575 proto = IPPROTO_UDP;
6576 else if (proto == Q_TCP)
6577 proto = IPPROTO_TCP;
6578 else if (proto == Q_SCTP)
6579 proto = IPPROTO_SCTP;
6580 else if (proto == Q_DEFAULT)
6581 proto = PROTO_UNDEF;
6582 else
6583 bpf_error("illegal qualifier of 'portrange'");
6584
6585 if (v > 65535)
6586 bpf_error("illegal port number %u > 65535", v);
6587
6588 {
6589 struct block *b;
6590 b = gen_portrange((int)v, (int)v, proto, dir);
6591 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
6592 return b;
6593 }
6594
6595 case Q_GATEWAY:
6596 bpf_error("'gateway' requires a name");
6597 /* NOTREACHED */
6598
6599 case Q_PROTO:
6600 return gen_proto((int)v, proto, dir);
6601
6602 case Q_PROTOCHAIN:
6603 return gen_protochain((int)v, proto, dir);
6604
6605 case Q_UNDEF:
6606 syntax();
6607 /* NOTREACHED */
6608
6609 default:
6610 abort();
6611 /* NOTREACHED */
6612 }
6613 /* NOTREACHED */
6614 }
6615
6616 #ifdef INET6
6617 struct block *
6618 gen_mcode6(s1, s2, masklen, q)
6619 register const char *s1, *s2;
6620 register unsigned int masklen;
6621 struct qual q;
6622 {
6623 struct addrinfo *res;
6624 struct in6_addr *addr;
6625 struct in6_addr mask;
6626 struct block *b;
6627 u_int32_t *a, *m;
6628
6629 if (s2)
6630 bpf_error("no mask %s supported", s2);
6631
6632 res = pcap_nametoaddrinfo(s1);
6633 if (!res)
6634 bpf_error("invalid ip6 address %s", s1);
6635 ai = res;
6636 if (res->ai_next)
6637 bpf_error("%s resolved to multiple address", s1);
6638 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6639
6640 if (sizeof(mask) * 8 < masklen)
6641 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6642 memset(&mask, 0, sizeof(mask));
6643 memset(&mask, 0xff, masklen / 8);
6644 if (masklen % 8) {
6645 mask.s6_addr[masklen / 8] =
6646 (0xff << (8 - masklen % 8)) & 0xff;
6647 }
6648
6649 a = (u_int32_t *)addr;
6650 m = (u_int32_t *)&mask;
6651 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6652 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6653 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
6654 }
6655
6656 switch (q.addr) {
6657
6658 case Q_DEFAULT:
6659 case Q_HOST:
6660 if (masklen != 128)
6661 bpf_error("Mask syntax for networks only");
6662 /* FALLTHROUGH */
6663
6664 case Q_NET:
6665 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
6666 ai = NULL;
6667 freeaddrinfo(res);
6668 return b;
6669
6670 default:
6671 bpf_error("invalid qualifier against IPv6 address");
6672 /* NOTREACHED */
6673 }
6674 return NULL;
6675 }
6676 #endif /*INET6*/
6677
6678 struct block *
6679 gen_ecode(eaddr, q)
6680 register const u_char *eaddr;
6681 struct qual q;
6682 {
6683 struct block *b, *tmp;
6684
6685 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6686 switch (linktype) {
6687 case DLT_EN10MB:
6688 case DLT_NETANALYZER:
6689 case DLT_NETANALYZER_TRANSPARENT:
6690 tmp = gen_prevlinkhdr_check();
6691 b = gen_ehostop(eaddr, (int)q.dir);
6692 if (tmp != NULL)
6693 gen_and(tmp, b);
6694 return b;
6695 case DLT_FDDI:
6696 return gen_fhostop(eaddr, (int)q.dir);
6697 case DLT_IEEE802:
6698 return gen_thostop(eaddr, (int)q.dir);
6699 case DLT_IEEE802_11:
6700 case DLT_PRISM_HEADER:
6701 case DLT_IEEE802_11_RADIO_AVS:
6702 case DLT_IEEE802_11_RADIO:
6703 case DLT_PPI:
6704 return gen_wlanhostop(eaddr, (int)q.dir);
6705 case DLT_IP_OVER_FC:
6706 return gen_ipfchostop(eaddr, (int)q.dir);
6707 default:
6708 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6709 break;
6710 }
6711 }
6712 bpf_error("ethernet address used in non-ether expression");
6713 /* NOTREACHED */
6714 return NULL;
6715 }
6716
6717 void
6718 sappend(s0, s1)
6719 struct slist *s0, *s1;
6720 {
6721 /*
6722 * This is definitely not the best way to do this, but the
6723 * lists will rarely get long.
6724 */
6725 while (s0->next)
6726 s0 = s0->next;
6727 s0->next = s1;
6728 }
6729
6730 static struct slist *
6731 xfer_to_x(a)
6732 struct arth *a;
6733 {
6734 struct slist *s;
6735
6736 s = new_stmt(BPF_LDX|BPF_MEM);
6737 s->s.k = a->regno;
6738 return s;
6739 }
6740
6741 static struct slist *
6742 xfer_to_a(a)
6743 struct arth *a;
6744 {
6745 struct slist *s;
6746
6747 s = new_stmt(BPF_LD|BPF_MEM);
6748 s->s.k = a->regno;
6749 return s;
6750 }
6751
6752 /*
6753 * Modify "index" to use the value stored into its register as an
6754 * offset relative to the beginning of the header for the protocol
6755 * "proto", and allocate a register and put an item "size" bytes long
6756 * (1, 2, or 4) at that offset into that register, making it the register
6757 * for "index".
6758 */
6759 struct arth *
6760 gen_load(proto, inst, size)
6761 int proto;
6762 struct arth *inst;
6763 int size;
6764 {
6765 struct slist *s, *tmp;
6766 struct block *b;
6767 int regno = alloc_reg();
6768
6769 free_reg(inst->regno);
6770 switch (size) {
6771
6772 default:
6773 bpf_error("data size must be 1, 2, or 4");
6774
6775 case 1:
6776 size = BPF_B;
6777 break;
6778
6779 case 2:
6780 size = BPF_H;
6781 break;
6782
6783 case 4:
6784 size = BPF_W;
6785 break;
6786 }
6787 switch (proto) {
6788 default:
6789 bpf_error("unsupported index operation");
6790
6791 case Q_RADIO:
6792 /*
6793 * The offset is relative to the beginning of the packet
6794 * data, if we have a radio header. (If we don't, this
6795 * is an error.)
6796 */
6797 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
6798 linktype != DLT_IEEE802_11_RADIO &&
6799 linktype != DLT_PRISM_HEADER)
6800 bpf_error("radio information not present in capture");
6801
6802 /*
6803 * Load into the X register the offset computed into the
6804 * register specified by "index".
6805 */
6806 s = xfer_to_x(inst);
6807
6808 /*
6809 * Load the item at that offset.
6810 */
6811 tmp = new_stmt(BPF_LD|BPF_IND|size);
6812 sappend(s, tmp);
6813 sappend(inst->s, s);
6814 break;
6815
6816 case Q_LINK:
6817 /*
6818 * The offset is relative to the beginning of
6819 * the link-layer header.
6820 *
6821 * XXX - what about ATM LANE? Should the index be
6822 * relative to the beginning of the AAL5 frame, so
6823 * that 0 refers to the beginning of the LE Control
6824 * field, or relative to the beginning of the LAN
6825 * frame, so that 0 refers, for Ethernet LANE, to
6826 * the beginning of the destination address?
6827 */
6828 s = gen_abs_offset_varpart(&off_linkhdr);
6829
6830 /*
6831 * If "s" is non-null, it has code to arrange that the
6832 * X register contains the length of the prefix preceding
6833 * the link-layer header. Add to it the offset computed
6834 * into the register specified by "index", and move that
6835 * into the X register. Otherwise, just load into the X
6836 * register the offset computed into the register specified
6837 * by "index".
6838 */
6839 if (s != NULL) {
6840 sappend(s, xfer_to_a(inst));
6841 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6842 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6843 } else
6844 s = xfer_to_x(inst);
6845
6846 /*
6847 * Load the item at the sum of the offset we've put in the
6848 * X register and the offset of the start of the link
6849 * layer header (which is 0 if the radio header is
6850 * variable-length; that header length is what we put
6851 * into the X register and then added to the index).
6852 */
6853 tmp = new_stmt(BPF_LD|BPF_IND|size);
6854 tmp->s.k = off_linkhdr.constant_part;
6855 sappend(s, tmp);
6856 sappend(inst->s, s);
6857 break;
6858
6859 case Q_IP:
6860 case Q_ARP:
6861 case Q_RARP:
6862 case Q_ATALK:
6863 case Q_DECNET:
6864 case Q_SCA:
6865 case Q_LAT:
6866 case Q_MOPRC:
6867 case Q_MOPDL:
6868 case Q_IPV6:
6869 /*
6870 * The offset is relative to the beginning of
6871 * the network-layer header.
6872 * XXX - are there any cases where we want
6873 * off_nl_nosnap?
6874 */
6875 s = gen_abs_offset_varpart(&off_linkpl);
6876
6877 /*
6878 * If "s" is non-null, it has code to arrange that the
6879 * X register contains the variable part of the offset
6880 * of the link-layer payload. Add to it the offset
6881 * computed into the register specified by "index",
6882 * and move that into the X register. Otherwise, just
6883 * load into the X register the offset computed into
6884 * the register specified by "index".
6885 */
6886 if (s != NULL) {
6887 sappend(s, xfer_to_a(inst));
6888 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6889 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6890 } else
6891 s = xfer_to_x(inst);
6892
6893 /*
6894 * Load the item at the sum of the offset we've put in the
6895 * X register, the offset of the start of the network
6896 * layer header from the beginning of the link-layer
6897 * payload, and the constant part of the offset of the
6898 * start of the link-layer payload.
6899 */
6900 tmp = new_stmt(BPF_LD|BPF_IND|size);
6901 tmp->s.k = off_linkpl.constant_part + off_nl;
6902 sappend(s, tmp);
6903 sappend(inst->s, s);
6904
6905 /*
6906 * Do the computation only if the packet contains
6907 * the protocol in question.
6908 */
6909 b = gen_proto_abbrev(proto);
6910 if (inst->b)
6911 gen_and(inst->b, b);
6912 inst->b = b;
6913 break;
6914
6915 case Q_SCTP:
6916 case Q_TCP:
6917 case Q_UDP:
6918 case Q_ICMP:
6919 case Q_IGMP:
6920 case Q_IGRP:
6921 case Q_PIM:
6922 case Q_VRRP:
6923 case Q_CARP:
6924 /*
6925 * The offset is relative to the beginning of
6926 * the transport-layer header.
6927 *
6928 * Load the X register with the length of the IPv4 header
6929 * (plus the offset of the link-layer header, if it's
6930 * a variable-length header), in bytes.
6931 *
6932 * XXX - are there any cases where we want
6933 * off_nl_nosnap?
6934 * XXX - we should, if we're built with
6935 * IPv6 support, generate code to load either
6936 * IPv4, IPv6, or both, as appropriate.
6937 */
6938 s = gen_loadx_iphdrlen();
6939
6940 /*
6941 * The X register now contains the sum of the variable
6942 * part of the offset of the link-layer payload and the
6943 * length of the network-layer header.
6944 *
6945 * Load into the A register the offset relative to
6946 * the beginning of the transport layer header,
6947 * add the X register to that, move that to the
6948 * X register, and load with an offset from the
6949 * X register equal to the sum of the constant part of
6950 * the offset of the link-layer payload and the offset,
6951 * relative to the beginning of the link-layer payload,
6952 * of the network-layer header.
6953 */
6954 sappend(s, xfer_to_a(inst));
6955 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
6956 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
6957 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
6958 tmp->s.k = off_linkpl.constant_part + off_nl;
6959 sappend(inst->s, s);
6960
6961 /*
6962 * Do the computation only if the packet contains
6963 * the protocol in question - which is true only
6964 * if this is an IP datagram and is the first or
6965 * only fragment of that datagram.
6966 */
6967 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
6968 if (inst->b)
6969 gen_and(inst->b, b);
6970 gen_and(gen_proto_abbrev(Q_IP), b);
6971 inst->b = b;
6972 break;
6973 case Q_ICMPV6:
6974 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
6975 /*NOTREACHED*/
6976 }
6977 inst->regno = regno;
6978 s = new_stmt(BPF_ST);
6979 s->s.k = regno;
6980 sappend(inst->s, s);
6981
6982 return inst;
6983 }
6984
6985 struct block *
6986 gen_relation(code, a0, a1, reversed)
6987 int code;
6988 struct arth *a0, *a1;
6989 int reversed;
6990 {
6991 struct slist *s0, *s1, *s2;
6992 struct block *b, *tmp;
6993
6994 s0 = xfer_to_x(a1);
6995 s1 = xfer_to_a(a0);
6996 if (code == BPF_JEQ) {
6997 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
6998 b = new_block(JMP(code));
6999 sappend(s1, s2);
7000 }
7001 else
7002 b = new_block(BPF_JMP|code|BPF_X);
7003 if (reversed)
7004 gen_not(b);
7005
7006 sappend(s0, s1);
7007 sappend(a1->s, s0);
7008 sappend(a0->s, a1->s);
7009
7010 b->stmts = a0->s;
7011
7012 free_reg(a0->regno);
7013 free_reg(a1->regno);
7014
7015 /* 'and' together protocol checks */
7016 if (a0->b) {
7017 if (a1->b) {
7018 gen_and(a0->b, tmp = a1->b);
7019 }
7020 else
7021 tmp = a0->b;
7022 } else
7023 tmp = a1->b;
7024
7025 if (tmp)
7026 gen_and(tmp, b);
7027
7028 return b;
7029 }
7030
7031 struct arth *
7032 gen_loadlen()
7033 {
7034 int regno = alloc_reg();
7035 struct arth *a = (struct arth *)newchunk(sizeof(*a));
7036 struct slist *s;
7037
7038 s = new_stmt(BPF_LD|BPF_LEN);
7039 s->next = new_stmt(BPF_ST);
7040 s->next->s.k = regno;
7041 a->s = s;
7042 a->regno = regno;
7043
7044 return a;
7045 }
7046
7047 struct arth *
7048 gen_loadi(val)
7049 int val;
7050 {
7051 struct arth *a;
7052 struct slist *s;
7053 int reg;
7054
7055 a = (struct arth *)newchunk(sizeof(*a));
7056
7057 reg = alloc_reg();
7058
7059 s = new_stmt(BPF_LD|BPF_IMM);
7060 s->s.k = val;
7061 s->next = new_stmt(BPF_ST);
7062 s->next->s.k = reg;
7063 a->s = s;
7064 a->regno = reg;
7065
7066 return a;
7067 }
7068
7069 struct arth *
7070 gen_neg(a)
7071 struct arth *a;
7072 {
7073 struct slist *s;
7074
7075 s = xfer_to_a(a);
7076 sappend(a->s, s);
7077 s = new_stmt(BPF_ALU|BPF_NEG);
7078 s->s.k = 0;
7079 sappend(a->s, s);
7080 s = new_stmt(BPF_ST);
7081 s->s.k = a->regno;
7082 sappend(a->s, s);
7083
7084 return a;
7085 }
7086
7087 struct arth *
7088 gen_arth(code, a0, a1)
7089 int code;
7090 struct arth *a0, *a1;
7091 {
7092 struct slist *s0, *s1, *s2;
7093
7094 /*
7095 * Disallow division by, or modulus by, zero; we do this here
7096 * so that it gets done even if the optimizer is disabled.
7097 */
7098 if (code == BPF_DIV) {
7099 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7100 bpf_error("division by zero");
7101 } else if (code == BPF_MOD) {
7102 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7103 bpf_error("modulus by zero");
7104 }
7105 s0 = xfer_to_x(a1);
7106 s1 = xfer_to_a(a0);
7107 s2 = new_stmt(BPF_ALU|BPF_X|code);
7108
7109 sappend(s1, s2);
7110 sappend(s0, s1);
7111 sappend(a1->s, s0);
7112 sappend(a0->s, a1->s);
7113
7114 free_reg(a0->regno);
7115 free_reg(a1->regno);
7116
7117 s0 = new_stmt(BPF_ST);
7118 a0->regno = s0->s.k = alloc_reg();
7119 sappend(a0->s, s0);
7120
7121 return a0;
7122 }
7123
7124 /*
7125 * Here we handle simple allocation of the scratch registers.
7126 * If too many registers are alloc'd, the allocator punts.
7127 */
7128 static int regused[BPF_MEMWORDS];
7129 static int curreg;
7130
7131 /*
7132 * Initialize the table of used registers and the current register.
7133 */
7134 static void
7135 init_regs()
7136 {
7137 curreg = 0;
7138 memset(regused, 0, sizeof regused);
7139 }
7140
7141 /*
7142 * Return the next free register.
7143 */
7144 static int
7145 alloc_reg()
7146 {
7147 int n = BPF_MEMWORDS;
7148
7149 while (--n >= 0) {
7150 if (regused[curreg])
7151 curreg = (curreg + 1) % BPF_MEMWORDS;
7152 else {
7153 regused[curreg] = 1;
7154 return curreg;
7155 }
7156 }
7157 bpf_error("too many registers needed to evaluate expression");
7158 /* NOTREACHED */
7159 return 0;
7160 }
7161
7162 /*
7163 * Return a register to the table so it can
7164 * be used later.
7165 */
7166 static void
7167 free_reg(n)
7168 int n;
7169 {
7170 regused[n] = 0;
7171 }
7172
7173 static struct block *
7174 gen_len(jmp, n)
7175 int jmp, n;
7176 {
7177 struct slist *s;
7178 struct block *b;
7179
7180 s = new_stmt(BPF_LD|BPF_LEN);
7181 b = new_block(JMP(jmp));
7182 b->stmts = s;
7183 b->s.k = n;
7184
7185 return b;
7186 }
7187
7188 struct block *
7189 gen_greater(n)
7190 int n;
7191 {
7192 return gen_len(BPF_JGE, n);
7193 }
7194
7195 /*
7196 * Actually, this is less than or equal.
7197 */
7198 struct block *
7199 gen_less(n)
7200 int n;
7201 {
7202 struct block *b;
7203
7204 b = gen_len(BPF_JGT, n);
7205 gen_not(b);
7206
7207 return b;
7208 }
7209
7210 /*
7211 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7212 * the beginning of the link-layer header.
7213 * XXX - that means you can't test values in the radiotap header, but
7214 * as that header is difficult if not impossible to parse generally
7215 * without a loop, that might not be a severe problem. A new keyword
7216 * "radio" could be added for that, although what you'd really want
7217 * would be a way of testing particular radio header values, which
7218 * would generate code appropriate to the radio header in question.
7219 */
7220 struct block *
7221 gen_byteop(op, idx, val)
7222 int op, idx, val;
7223 {
7224 struct block *b;
7225 struct slist *s;
7226
7227 switch (op) {
7228 default:
7229 abort();
7230
7231 case '=':
7232 return gen_cmp(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7233
7234 case '<':
7235 b = gen_cmp_lt(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7236 return b;
7237
7238 case '>':
7239 b = gen_cmp_gt(OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7240 return b;
7241
7242 case '|':
7243 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
7244 break;
7245
7246 case '&':
7247 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
7248 break;
7249 }
7250 s->s.k = val;
7251 b = new_block(JMP(BPF_JEQ));
7252 b->stmts = s;
7253 gen_not(b);
7254
7255 return b;
7256 }
7257
7258 static u_char abroadcast[] = { 0x0 };
7259
7260 struct block *
7261 gen_broadcast(proto)
7262 int proto;
7263 {
7264 bpf_u_int32 hostmask;
7265 struct block *b0, *b1, *b2;
7266 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7267
7268 switch (proto) {
7269
7270 case Q_DEFAULT:
7271 case Q_LINK:
7272 switch (linktype) {
7273 case DLT_ARCNET:
7274 case DLT_ARCNET_LINUX:
7275 return gen_ahostop(abroadcast, Q_DST);
7276 case DLT_EN10MB:
7277 case DLT_NETANALYZER:
7278 case DLT_NETANALYZER_TRANSPARENT:
7279 b1 = gen_prevlinkhdr_check();
7280 b0 = gen_ehostop(ebroadcast, Q_DST);
7281 if (b1 != NULL)
7282 gen_and(b1, b0);
7283 return b0;
7284 case DLT_FDDI:
7285 return gen_fhostop(ebroadcast, Q_DST);
7286 case DLT_IEEE802:
7287 return gen_thostop(ebroadcast, Q_DST);
7288 case DLT_IEEE802_11:
7289 case DLT_PRISM_HEADER:
7290 case DLT_IEEE802_11_RADIO_AVS:
7291 case DLT_IEEE802_11_RADIO:
7292 case DLT_PPI:
7293 return gen_wlanhostop(ebroadcast, Q_DST);
7294 case DLT_IP_OVER_FC:
7295 return gen_ipfchostop(ebroadcast, Q_DST);
7296 default:
7297 bpf_error("not a broadcast link");
7298 }
7299 break;
7300
7301 case Q_IP:
7302 /*
7303 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7304 * as an indication that we don't know the netmask, and fail
7305 * in that case.
7306 */
7307 if (netmask == PCAP_NETMASK_UNKNOWN)
7308 bpf_error("netmask not known, so 'ip broadcast' not supported");
7309 b0 = gen_linktype(ETHERTYPE_IP);
7310 hostmask = ~netmask;
7311 b1 = gen_mcmp(OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask);
7312 b2 = gen_mcmp(OR_LINKPL, 16, BPF_W,
7313 (bpf_int32)(~0 & hostmask), hostmask);
7314 gen_or(b1, b2);
7315 gen_and(b0, b2);
7316 return b2;
7317 }
7318 bpf_error("only link-layer/IP broadcast filters supported");
7319 /* NOTREACHED */
7320 return NULL;
7321 }
7322
7323 /*
7324 * Generate code to test the low-order bit of a MAC address (that's
7325 * the bottom bit of the *first* byte).
7326 */
7327 static struct block *
7328 gen_mac_multicast(offset)
7329 int offset;
7330 {
7331 register struct block *b0;
7332 register struct slist *s;
7333
7334 /* link[offset] & 1 != 0 */
7335 s = gen_load_a(OR_LINKHDR, offset, BPF_B);
7336 b0 = new_block(JMP(BPF_JSET));
7337 b0->s.k = 1;
7338 b0->stmts = s;
7339 return b0;
7340 }
7341
7342 struct block *
7343 gen_multicast(proto)
7344 int proto;
7345 {
7346 register struct block *b0, *b1, *b2;
7347 register struct slist *s;
7348
7349 switch (proto) {
7350
7351 case Q_DEFAULT:
7352 case Q_LINK:
7353 switch (linktype) {
7354 case DLT_ARCNET:
7355 case DLT_ARCNET_LINUX:
7356 /* all ARCnet multicasts use the same address */
7357 return gen_ahostop(abroadcast, Q_DST);
7358 case DLT_EN10MB:
7359 case DLT_NETANALYZER:
7360 case DLT_NETANALYZER_TRANSPARENT:
7361 b1 = gen_prevlinkhdr_check();
7362 /* ether[0] & 1 != 0 */
7363 b0 = gen_mac_multicast(0);
7364 if (b1 != NULL)
7365 gen_and(b1, b0);
7366 return b0;
7367 case DLT_FDDI:
7368 /*
7369 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7370 *
7371 * XXX - was that referring to bit-order issues?
7372 */
7373 /* fddi[1] & 1 != 0 */
7374 return gen_mac_multicast(1);
7375 case DLT_IEEE802:
7376 /* tr[2] & 1 != 0 */
7377 return gen_mac_multicast(2);
7378 case DLT_IEEE802_11:
7379 case DLT_PRISM_HEADER:
7380 case DLT_IEEE802_11_RADIO_AVS:
7381 case DLT_IEEE802_11_RADIO:
7382 case DLT_PPI:
7383 /*
7384 * Oh, yuk.
7385 *
7386 * For control frames, there is no DA.
7387 *
7388 * For management frames, DA is at an
7389 * offset of 4 from the beginning of
7390 * the packet.
7391 *
7392 * For data frames, DA is at an offset
7393 * of 4 from the beginning of the packet
7394 * if To DS is clear and at an offset of
7395 * 16 from the beginning of the packet
7396 * if To DS is set.
7397 */
7398
7399 /*
7400 * Generate the tests to be done for data frames.
7401 *
7402 * First, check for To DS set, i.e. "link[1] & 0x01".
7403 */
7404 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
7405 b1 = new_block(JMP(BPF_JSET));
7406 b1->s.k = 0x01; /* To DS */
7407 b1->stmts = s;
7408
7409 /*
7410 * If To DS is set, the DA is at 16.
7411 */
7412 b0 = gen_mac_multicast(16);
7413 gen_and(b1, b0);
7414
7415 /*
7416 * Now, check for To DS not set, i.e. check
7417 * "!(link[1] & 0x01)".
7418 */
7419 s = gen_load_a(OR_LINKHDR, 1, BPF_B);
7420 b2 = new_block(JMP(BPF_JSET));
7421 b2->s.k = 0x01; /* To DS */
7422 b2->stmts = s;
7423 gen_not(b2);
7424
7425 /*
7426 * If To DS is not set, the DA is at 4.
7427 */
7428 b1 = gen_mac_multicast(4);
7429 gen_and(b2, b1);
7430
7431 /*
7432 * Now OR together the last two checks. That gives
7433 * the complete set of checks for data frames.
7434 */
7435 gen_or(b1, b0);
7436
7437 /*
7438 * Now check for a data frame.
7439 * I.e, check "link[0] & 0x08".
7440 */
7441 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
7442 b1 = new_block(JMP(BPF_JSET));
7443 b1->s.k = 0x08;
7444 b1->stmts = s;
7445
7446 /*
7447 * AND that with the checks done for data frames.
7448 */
7449 gen_and(b1, b0);
7450
7451 /*
7452 * If the high-order bit of the type value is 0, this
7453 * is a management frame.
7454 * I.e, check "!(link[0] & 0x08)".
7455 */
7456 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
7457 b2 = new_block(JMP(BPF_JSET));
7458 b2->s.k = 0x08;
7459 b2->stmts = s;
7460 gen_not(b2);
7461
7462 /*
7463 * For management frames, the DA is at 4.
7464 */
7465 b1 = gen_mac_multicast(4);
7466 gen_and(b2, b1);
7467
7468 /*
7469 * OR that with the checks done for data frames.
7470 * That gives the checks done for management and
7471 * data frames.
7472 */
7473 gen_or(b1, b0);
7474
7475 /*
7476 * If the low-order bit of the type value is 1,
7477 * this is either a control frame or a frame
7478 * with a reserved type, and thus not a
7479 * frame with an SA.
7480 *
7481 * I.e., check "!(link[0] & 0x04)".
7482 */
7483 s = gen_load_a(OR_LINKHDR, 0, BPF_B);
7484 b1 = new_block(JMP(BPF_JSET));
7485 b1->s.k = 0x04;
7486 b1->stmts = s;
7487 gen_not(b1);
7488
7489 /*
7490 * AND that with the checks for data and management
7491 * frames.
7492 */
7493 gen_and(b1, b0);
7494 return b0;
7495 case DLT_IP_OVER_FC:
7496 b0 = gen_mac_multicast(2);
7497 return b0;
7498 default:
7499 break;
7500 }
7501 /* Link not known to support multicasts */
7502 break;
7503
7504 case Q_IP:
7505 b0 = gen_linktype(ETHERTYPE_IP);
7506 b1 = gen_cmp_ge(OR_LINKPL, 16, BPF_B, (bpf_int32)224);
7507 gen_and(b0, b1);
7508 return b1;
7509
7510 case Q_IPV6:
7511 b0 = gen_linktype(ETHERTYPE_IPV6);
7512 b1 = gen_cmp(OR_LINKPL, 24, BPF_B, (bpf_int32)255);
7513 gen_and(b0, b1);
7514 return b1;
7515 }
7516 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7517 /* NOTREACHED */
7518 return NULL;
7519 }
7520
7521 /*
7522 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
7523 * Outbound traffic is sent by this machine, while inbound traffic is
7524 * sent by a remote machine (and may include packets destined for a
7525 * unicast or multicast link-layer address we are not subscribing to).
7526 * These are the same definitions implemented by pcap_setdirection().
7527 * Capturing only unicast traffic destined for this host is probably
7528 * better accomplished using a higher-layer filter.
7529 */
7530 struct block *
7531 gen_inbound(dir)
7532 int dir;
7533 {
7534 register struct block *b0;
7535
7536 /*
7537 * Only some data link types support inbound/outbound qualifiers.
7538 */
7539 switch (linktype) {
7540 case DLT_SLIP:
7541 b0 = gen_relation(BPF_JEQ,
7542 gen_load(Q_LINK, gen_loadi(0), 1),
7543 gen_loadi(0),
7544 dir);
7545 break;
7546
7547 case DLT_IPNET:
7548 if (dir) {
7549 /* match outgoing packets */
7550 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND);
7551 } else {
7552 /* match incoming packets */
7553 b0 = gen_cmp(OR_LINKHDR, 2, BPF_H, IPNET_INBOUND);
7554 }
7555 break;
7556
7557 case DLT_LINUX_SLL:
7558 /* match outgoing packets */
7559 b0 = gen_cmp(OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
7560 if (!dir) {
7561 /* to filter on inbound traffic, invert the match */
7562 gen_not(b0);
7563 }
7564 break;
7565
7566 #ifdef HAVE_NET_PFVAR_H
7567 case DLT_PFLOG:
7568 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
7569 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7570 break;
7571 #endif
7572
7573 case DLT_PPP_PPPD:
7574 if (dir) {
7575 /* match outgoing packets */
7576 b0 = gen_cmp(OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT);
7577 } else {
7578 /* match incoming packets */
7579 b0 = gen_cmp(OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN);
7580 }
7581 break;
7582
7583 case DLT_JUNIPER_MFR:
7584 case DLT_JUNIPER_MLFR:
7585 case DLT_JUNIPER_MLPPP:
7586 case DLT_JUNIPER_ATM1:
7587 case DLT_JUNIPER_ATM2:
7588 case DLT_JUNIPER_PPPOE:
7589 case DLT_JUNIPER_PPPOE_ATM:
7590 case DLT_JUNIPER_GGSN:
7591 case DLT_JUNIPER_ES:
7592 case DLT_JUNIPER_MONITOR:
7593 case DLT_JUNIPER_SERVICES:
7594 case DLT_JUNIPER_ETHER:
7595 case DLT_JUNIPER_PPP:
7596 case DLT_JUNIPER_FRELAY:
7597 case DLT_JUNIPER_CHDLC:
7598 case DLT_JUNIPER_VP:
7599 case DLT_JUNIPER_ST:
7600 case DLT_JUNIPER_ISM:
7601 case DLT_JUNIPER_VS:
7602 case DLT_JUNIPER_SRX_E2E:
7603 case DLT_JUNIPER_FIBRECHANNEL:
7604 case DLT_JUNIPER_ATM_CEMIC:
7605
7606 /* juniper flags (including direction) are stored
7607 * the byte after the 3-byte magic number */
7608 if (dir) {
7609 /* match outgoing packets */
7610 b0 = gen_mcmp(OR_LINKHDR, 3, BPF_B, 0, 0x01);
7611 } else {
7612 /* match incoming packets */
7613 b0 = gen_mcmp(OR_LINKHDR, 3, BPF_B, 1, 0x01);
7614 }
7615 break;
7616
7617 default:
7618 /*
7619 * If we have packet meta-data indicating a direction,
7620 * check it, otherwise give up as this link-layer type
7621 * has nothing in the packet data.
7622 */
7623 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
7624 /*
7625 * This is Linux with PF_PACKET support.
7626 * If this is a *live* capture, we can look at
7627 * special meta-data in the filter expression;
7628 * if it's a savefile, we can't.
7629 */
7630 if (bpf_pcap->rfile != NULL) {
7631 /* We have a FILE *, so this is a savefile */
7632 bpf_error("inbound/outbound not supported on linktype %d when reading savefiles",
7633 linktype);
7634 b0 = NULL;
7635 /* NOTREACHED */
7636 }
7637 /* match outgoing packets */
7638 b0 = gen_cmp(OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
7639 PACKET_OUTGOING);
7640 if (!dir) {
7641 /* to filter on inbound traffic, invert the match */
7642 gen_not(b0);
7643 }
7644 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7645 bpf_error("inbound/outbound not supported on linktype %d",
7646 linktype);
7647 b0 = NULL;
7648 /* NOTREACHED */
7649 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7650 }
7651 return (b0);
7652 }
7653
7654 #ifdef HAVE_NET_PFVAR_H
7655 /* PF firewall log matched interface */
7656 struct block *
7657 gen_pf_ifname(const char *ifname)
7658 {
7659 struct block *b0;
7660 u_int len, off;
7661
7662 if (linktype != DLT_PFLOG) {
7663 bpf_error("ifname supported only on PF linktype");
7664 /* NOTREACHED */
7665 }
7666 len = sizeof(((struct pfloghdr *)0)->ifname);
7667 off = offsetof(struct pfloghdr, ifname);
7668 if (strlen(ifname) >= len) {
7669 bpf_error("ifname interface names can only be %d characters",
7670 len-1);
7671 /* NOTREACHED */
7672 }
7673 b0 = gen_bcmp(OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname);
7674 return (b0);
7675 }
7676
7677 /* PF firewall log ruleset name */
7678 struct block *
7679 gen_pf_ruleset(char *ruleset)
7680 {
7681 struct block *b0;
7682
7683 if (linktype != DLT_PFLOG) {
7684 bpf_error("ruleset supported only on PF linktype");
7685 /* NOTREACHED */
7686 }
7687
7688 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7689 bpf_error("ruleset names can only be %ld characters",
7690 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7691 /* NOTREACHED */
7692 }
7693
7694 b0 = gen_bcmp(OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
7695 strlen(ruleset), (const u_char *)ruleset);
7696 return (b0);
7697 }
7698
7699 /* PF firewall log rule number */
7700 struct block *
7701 gen_pf_rnr(int rnr)
7702 {
7703 struct block *b0;
7704
7705 if (linktype != DLT_PFLOG) {
7706 bpf_error("rnr supported only on PF linktype");
7707 /* NOTREACHED */
7708 }
7709
7710 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
7711 (bpf_int32)rnr);
7712 return (b0);
7713 }
7714
7715 /* PF firewall log sub-rule number */
7716 struct block *
7717 gen_pf_srnr(int srnr)
7718 {
7719 struct block *b0;
7720
7721 if (linktype != DLT_PFLOG) {
7722 bpf_error("srnr supported only on PF linktype");
7723 /* NOTREACHED */
7724 }
7725
7726 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
7727 (bpf_int32)srnr);
7728 return (b0);
7729 }
7730
7731 /* PF firewall log reason code */
7732 struct block *
7733 gen_pf_reason(int reason)
7734 {
7735 struct block *b0;
7736
7737 if (linktype != DLT_PFLOG) {
7738 bpf_error("reason supported only on PF linktype");
7739 /* NOTREACHED */
7740 }
7741
7742 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
7743 (bpf_int32)reason);
7744 return (b0);
7745 }
7746
7747 /* PF firewall log action */
7748 struct block *
7749 gen_pf_action(int action)
7750 {
7751 struct block *b0;
7752
7753 if (linktype != DLT_PFLOG) {
7754 bpf_error("action supported only on PF linktype");
7755 /* NOTREACHED */
7756 }
7757
7758 b0 = gen_cmp(OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
7759 (bpf_int32)action);
7760 return (b0);
7761 }
7762 #else /* !HAVE_NET_PFVAR_H */
7763 struct block *
7764 gen_pf_ifname(const char *ifname)
7765 {
7766 bpf_error("libpcap was compiled without pf support");
7767 /* NOTREACHED */
7768 return (NULL);
7769 }
7770
7771 struct block *
7772 gen_pf_ruleset(char *ruleset)
7773 {
7774 bpf_error("libpcap was compiled on a machine without pf support");
7775 /* NOTREACHED */
7776 return (NULL);
7777 }
7778
7779 struct block *
7780 gen_pf_rnr(int rnr)
7781 {
7782 bpf_error("libpcap was compiled on a machine without pf support");
7783 /* NOTREACHED */
7784 return (NULL);
7785 }
7786
7787 struct block *
7788 gen_pf_srnr(int srnr)
7789 {
7790 bpf_error("libpcap was compiled on a machine without pf support");
7791 /* NOTREACHED */
7792 return (NULL);
7793 }
7794
7795 struct block *
7796 gen_pf_reason(int reason)
7797 {
7798 bpf_error("libpcap was compiled on a machine without pf support");
7799 /* NOTREACHED */
7800 return (NULL);
7801 }
7802
7803 struct block *
7804 gen_pf_action(int action)
7805 {
7806 bpf_error("libpcap was compiled on a machine without pf support");
7807 /* NOTREACHED */
7808 return (NULL);
7809 }
7810 #endif /* HAVE_NET_PFVAR_H */
7811
7812 /* IEEE 802.11 wireless header */
7813 struct block *
7814 gen_p80211_type(int type, int mask)
7815 {
7816 struct block *b0;
7817
7818 switch (linktype) {
7819
7820 case DLT_IEEE802_11:
7821 case DLT_PRISM_HEADER:
7822 case DLT_IEEE802_11_RADIO_AVS:
7823 case DLT_IEEE802_11_RADIO:
7824 b0 = gen_mcmp(OR_LINKHDR, 0, BPF_B, (bpf_int32)type,
7825 (bpf_int32)mask);
7826 break;
7827
7828 default:
7829 bpf_error("802.11 link-layer types supported only on 802.11");
7830 /* NOTREACHED */
7831 }
7832
7833 return (b0);
7834 }
7835
7836 struct block *
7837 gen_p80211_fcdir(int fcdir)
7838 {
7839 struct block *b0;
7840
7841 switch (linktype) {
7842
7843 case DLT_IEEE802_11:
7844 case DLT_PRISM_HEADER:
7845 case DLT_IEEE802_11_RADIO_AVS:
7846 case DLT_IEEE802_11_RADIO:
7847 break;
7848
7849 default:
7850 bpf_error("frame direction supported only with 802.11 headers");
7851 /* NOTREACHED */
7852 }
7853
7854 b0 = gen_mcmp(OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir,
7855 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7856
7857 return (b0);
7858 }
7859
7860 struct block *
7861 gen_acode(eaddr, q)
7862 register const u_char *eaddr;
7863 struct qual q;
7864 {
7865 switch (linktype) {
7866
7867 case DLT_ARCNET:
7868 case DLT_ARCNET_LINUX:
7869 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7870 q.proto == Q_LINK)
7871 return (gen_ahostop(eaddr, (int)q.dir));
7872 else {
7873 bpf_error("ARCnet address used in non-arc expression");
7874 /* NOTREACHED */
7875 }
7876 break;
7877
7878 default:
7879 bpf_error("aid supported only on ARCnet");
7880 /* NOTREACHED */
7881 }
7882 bpf_error("ARCnet address used in non-arc expression");
7883 /* NOTREACHED */
7884 return NULL;
7885 }
7886
7887 static struct block *
7888 gen_ahostop(eaddr, dir)
7889 register const u_char *eaddr;
7890 register int dir;
7891 {
7892 register struct block *b0, *b1;
7893
7894 switch (dir) {
7895 /* src comes first, different from Ethernet */
7896 case Q_SRC:
7897 return gen_bcmp(OR_LINKHDR, 0, 1, eaddr);
7898
7899 case Q_DST:
7900 return gen_bcmp(OR_LINKHDR, 1, 1, eaddr);
7901
7902 case Q_AND:
7903 b0 = gen_ahostop(eaddr, Q_SRC);
7904 b1 = gen_ahostop(eaddr, Q_DST);
7905 gen_and(b0, b1);
7906 return b1;
7907
7908 case Q_DEFAULT:
7909 case Q_OR:
7910 b0 = gen_ahostop(eaddr, Q_SRC);
7911 b1 = gen_ahostop(eaddr, Q_DST);
7912 gen_or(b0, b1);
7913 return b1;
7914
7915 case Q_ADDR1:
7916 bpf_error("'addr1' is only supported on 802.11");
7917 break;
7918
7919 case Q_ADDR2:
7920 bpf_error("'addr2' is only supported on 802.11");
7921 break;
7922
7923 case Q_ADDR3:
7924 bpf_error("'addr3' is only supported on 802.11");
7925 break;
7926
7927 case Q_ADDR4:
7928 bpf_error("'addr4' is only supported on 802.11");
7929 break;
7930
7931 case Q_RA:
7932 bpf_error("'ra' is only supported on 802.11");
7933 break;
7934
7935 case Q_TA:
7936 bpf_error("'ta' is only supported on 802.11");
7937 break;
7938 }
7939 abort();
7940 /* NOTREACHED */
7941 }
7942
7943 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT)
7944 static struct block *
7945 gen_vlan_bpf_extensions(int vlan_num)
7946 {
7947 struct block *b0, *b1;
7948 struct slist *s;
7949
7950 /* generate new filter code based on extracting packet
7951 * metadata */
7952 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
7953 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
7954
7955 b0 = new_block(JMP(BPF_JEQ));
7956 b0->stmts = s;
7957 b0->s.k = 1;
7958
7959 if (vlan_num >= 0) {
7960 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
7961 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG;
7962
7963 b1 = new_block(JMP(BPF_JEQ));
7964 b1->stmts = s;
7965 b1->s.k = (bpf_int32) vlan_num;
7966
7967 gen_and(b0,b1);
7968 b0 = b1;
7969 }
7970
7971 return b0;
7972 }
7973 #endif
7974
7975 static struct block *
7976 gen_vlan_no_bpf_extensions(int vlan_num)
7977 {
7978 struct block *b0, *b1;
7979
7980 /* check for VLAN, including QinQ */
7981 b0 = gen_linktype(ETHERTYPE_8021Q);
7982 b1 = gen_linktype(ETHERTYPE_8021AD);
7983 gen_or(b0,b1);
7984 b0 = b1;
7985 b1 = gen_linktype(ETHERTYPE_8021QINQ);
7986 gen_or(b0,b1);
7987 b0 = b1;
7988
7989 /* If a specific VLAN is requested, check VLAN id */
7990 if (vlan_num >= 0) {
7991 b1 = gen_mcmp(OR_LINKPL, 0, BPF_H,
7992 (bpf_int32)vlan_num, 0x0fff);
7993 gen_and(b0, b1);
7994 b0 = b1;
7995 }
7996
7997 /*
7998 * The payload follows the full header, including the
7999 * VLAN tags, so skip past this VLAN tag.
8000 */
8001 off_linkpl.constant_part += 4;
8002
8003 /*
8004 * The link-layer type information follows the VLAN tags, so
8005 * skip past this VLAN tag.
8006 */
8007 off_linktype.constant_part += 4;
8008
8009 return b0;
8010 }
8011
8012 /*
8013 * support IEEE 802.1Q VLAN trunk over ethernet
8014 */
8015 struct block *
8016 gen_vlan(vlan_num)
8017 int vlan_num;
8018 {
8019 struct block *b0;
8020
8021 /* can't check for VLAN-encapsulated packets inside MPLS */
8022 if (label_stack_depth > 0)
8023 bpf_error("no VLAN match after MPLS");
8024
8025 /*
8026 * Check for a VLAN packet, and then change the offsets to point
8027 * to the type and data fields within the VLAN packet. Just
8028 * increment the offsets, so that we can support a hierarchy, e.g.
8029 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
8030 * VLAN 100.
8031 *
8032 * XXX - this is a bit of a kludge. If we were to split the
8033 * compiler into a parser that parses an expression and
8034 * generates an expression tree, and a code generator that
8035 * takes an expression tree (which could come from our
8036 * parser or from some other parser) and generates BPF code,
8037 * we could perhaps make the offsets parameters of routines
8038 * and, in the handler for an "AND" node, pass to subnodes
8039 * other than the VLAN node the adjusted offsets.
8040 *
8041 * This would mean that "vlan" would, instead of changing the
8042 * behavior of *all* tests after it, change only the behavior
8043 * of tests ANDed with it. That would change the documented
8044 * semantics of "vlan", which might break some expressions.
8045 * However, it would mean that "(vlan and ip) or ip" would check
8046 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8047 * checking only for VLAN-encapsulated IP, so that could still
8048 * be considered worth doing; it wouldn't break expressions
8049 * that are of the form "vlan and ..." or "vlan N and ...",
8050 * which I suspect are the most common expressions involving
8051 * "vlan". "vlan or ..." doesn't necessarily do what the user
8052 * would really want, now, as all the "or ..." tests would
8053 * be done assuming a VLAN, even though the "or" could be viewed
8054 * as meaning "or, if this isn't a VLAN packet...".
8055 */
8056 switch (linktype) {
8057
8058 case DLT_EN10MB:
8059 case DLT_NETANALYZER:
8060 case DLT_NETANALYZER_TRANSPARENT:
8061 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT)
8062 /* Verify that this is the outer part of the packet and
8063 * not encapsulated somehow. */
8064 if (vlan_stack_depth == 0 && !off_linkhdr.is_variable &&
8065 off_linkhdr.constant_part ==
8066 off_outermostlinkhdr.constant_part) {
8067 /*
8068 * Do we need special VLAN handling?
8069 */
8070 if (bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
8071 b0 = gen_vlan_bpf_extensions(vlan_num);
8072 else
8073 b0 = gen_vlan_no_bpf_extensions(vlan_num);
8074 } else
8075 #endif
8076 b0 = gen_vlan_no_bpf_extensions(vlan_num);
8077 break;
8078
8079 case DLT_IEEE802_11:
8080 case DLT_PRISM_HEADER:
8081 case DLT_IEEE802_11_RADIO_AVS:
8082 case DLT_IEEE802_11_RADIO:
8083 b0 = gen_vlan_no_bpf_extensions(vlan_num);
8084 break;
8085
8086 default:
8087 bpf_error("no VLAN support for data link type %d",
8088 linktype);
8089 /*NOTREACHED*/
8090 }
8091
8092 vlan_stack_depth++;
8093
8094 return (b0);
8095 }
8096
8097 /*
8098 * support for MPLS
8099 */
8100 struct block *
8101 gen_mpls(label_num)
8102 int label_num;
8103 {
8104 struct block *b0, *b1;
8105
8106 if (label_stack_depth > 0) {
8107 /* just match the bottom-of-stack bit clear */
8108 b0 = gen_mcmp(OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
8109 } else {
8110 /*
8111 * We're not in an MPLS stack yet, so check the link-layer
8112 * type against MPLS.
8113 */
8114 switch (linktype) {
8115
8116 case DLT_C_HDLC: /* fall through */
8117 case DLT_EN10MB:
8118 case DLT_NETANALYZER:
8119 case DLT_NETANALYZER_TRANSPARENT:
8120 b0 = gen_linktype(ETHERTYPE_MPLS);
8121 break;
8122
8123 case DLT_PPP:
8124 b0 = gen_linktype(PPP_MPLS_UCAST);
8125 break;
8126
8127 /* FIXME add other DLT_s ...
8128 * for Frame-Relay/and ATM this may get messy due to SNAP headers
8129 * leave it for now */
8130
8131 default:
8132 bpf_error("no MPLS support for data link type %d",
8133 linktype);
8134 b0 = NULL;
8135 /*NOTREACHED*/
8136 break;
8137 }
8138 }
8139
8140 /* If a specific MPLS label is requested, check it */
8141 if (label_num >= 0) {
8142 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
8143 b1 = gen_mcmp(OR_LINKPL, 0, BPF_W, (bpf_int32)label_num,
8144 0xfffff000); /* only compare the first 20 bits */
8145 gen_and(b0, b1);
8146 b0 = b1;
8147 }
8148
8149 /*
8150 * Change the offsets to point to the type and data fields within
8151 * the MPLS packet. Just increment the offsets, so that we
8152 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
8153 * capture packets with an outer label of 100000 and an inner
8154 * label of 1024.
8155 *
8156 * Increment the MPLS stack depth as well; this indicates that
8157 * we're checking MPLS-encapsulated headers, to make sure higher
8158 * level code generators don't try to match against IP-related
8159 * protocols such as Q_ARP, Q_RARP etc.
8160 *
8161 * XXX - this is a bit of a kludge. See comments in gen_vlan().
8162 */
8163 off_nl_nosnap += 4;
8164 off_nl += 4;
8165 label_stack_depth++;
8166 return (b0);
8167 }
8168
8169 /*
8170 * Support PPPOE discovery and session.
8171 */
8172 struct block *
8173 gen_pppoed()
8174 {
8175 /* check for PPPoE discovery */
8176 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
8177 }
8178
8179 struct block *
8180 gen_pppoes(sess_num)
8181 int sess_num;
8182 {
8183 struct block *b0, *b1;
8184
8185 /*
8186 * Test against the PPPoE session link-layer type.
8187 */
8188 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
8189
8190 /* If a specific session is requested, check PPPoE session id */
8191 if (sess_num >= 0) {
8192 b1 = gen_mcmp(OR_LINKPL, 0, BPF_W,
8193 (bpf_int32)sess_num, 0x0000ffff);
8194 gen_and(b0, b1);
8195 b0 = b1;
8196 }
8197
8198 /*
8199 * Change the offsets to point to the type and data fields within
8200 * the PPP packet, and note that this is PPPoE rather than
8201 * raw PPP.
8202 *
8203 * XXX - this is a bit of a kludge. If we were to split the
8204 * compiler into a parser that parses an expression and
8205 * generates an expression tree, and a code generator that
8206 * takes an expression tree (which could come from our
8207 * parser or from some other parser) and generates BPF code,
8208 * we could perhaps make the offsets parameters of routines
8209 * and, in the handler for an "AND" node, pass to subnodes
8210 * other than the PPPoE node the adjusted offsets.
8211 *
8212 * This would mean that "pppoes" would, instead of changing the
8213 * behavior of *all* tests after it, change only the behavior
8214 * of tests ANDed with it. That would change the documented
8215 * semantics of "pppoes", which might break some expressions.
8216 * However, it would mean that "(pppoes and ip) or ip" would check
8217 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8218 * checking only for VLAN-encapsulated IP, so that could still
8219 * be considered worth doing; it wouldn't break expressions
8220 * that are of the form "pppoes and ..." which I suspect are the
8221 * most common expressions involving "pppoes". "pppoes or ..."
8222 * doesn't necessarily do what the user would really want, now,
8223 * as all the "or ..." tests would be done assuming PPPoE, even
8224 * though the "or" could be viewed as meaning "or, if this isn't
8225 * a PPPoE packet...".
8226 *
8227 * The "network-layer" protocol is PPPoE, which has a 6-byte
8228 * PPPoE header, followed by a PPP packet.
8229 *
8230 * There is no HDLC encapsulation for the PPP packet (it's
8231 * encapsulated in PPPoES instead), so the link-layer type
8232 * starts at the first byte of the PPP packet. For PPPoE,
8233 * that offset is relative to the beginning of the total
8234 * link-layer payload, including any 802.2 LLC header, so
8235 * it's 6 bytes past off_nl.
8236 */
8237 PUSH_LINKHDR(DLT_PPP, off_linkpl.is_variable,
8238 off_linkpl.constant_part + off_nl + 6, /* 6 bytes past the PPPoE header */
8239 off_linkpl.reg);
8240
8241 off_linktype = off_linkhdr;
8242 off_linkpl.constant_part = off_linkhdr.constant_part + 2;
8243
8244 off_nl = 0;
8245 off_nl_nosnap = 0; /* no 802.2 LLC */
8246
8247 return b0;
8248 }
8249
8250 /* Check that this is Geneve and the VNI is correct if
8251 * specified. Parameterized to handle both IPv4 and IPv6. */
8252 static struct block *
8253 gen_geneve_check(struct block *(*gen_portfn)(int, int, int),
8254 enum e_offrel offrel, int vni)
8255 {
8256 struct block *b0, *b1;
8257
8258 b0 = gen_portfn(GENEVE_PORT, IPPROTO_UDP, Q_DST);
8259
8260 /* Check that we are operating on version 0. Otherwise, we
8261 * can't decode the rest of the fields. The version is 2 bits
8262 * in the first byte of the Geneve header. */
8263 b1 = gen_mcmp(offrel, 8, BPF_B, (bpf_int32)0, 0xc0);
8264 gen_and(b0, b1);
8265 b0 = b1;
8266
8267 if (vni >= 0) {
8268 vni <<= 8; /* VNI is in the upper 3 bytes */
8269 b1 = gen_mcmp(offrel, 12, BPF_W, (bpf_int32)vni,
8270 0xffffff00);
8271 gen_and(b0, b1);
8272 b0 = b1;
8273 }
8274
8275 return b0;
8276 }
8277
8278 /* The IPv4 and IPv6 Geneve checks need to do two things:
8279 * - Verify that this actually is Geneve with the right VNI.
8280 * - Place the IP header length (plus variable link prefix if
8281 * needed) into register A to be used later to compute
8282 * the inner packet offsets. */
8283 static struct block *
8284 gen_geneve4(int vni)
8285 {
8286 struct block *b0, *b1;
8287 struct slist *s, *s1;
8288
8289 b0 = gen_geneve_check(gen_port, OR_TRAN_IPV4, vni);
8290
8291 /* Load the IP header length into A. */
8292 s = gen_loadx_iphdrlen();
8293
8294 s1 = new_stmt(BPF_MISC|BPF_TXA);
8295 sappend(s, s1);
8296
8297 /* Forcibly append these statements to the true condition
8298 * of the protocol check by creating a new block that is
8299 * always true and ANDing them. */
8300 b1 = new_block(BPF_JMP|BPF_JEQ|BPF_X);
8301 b1->stmts = s;
8302 b1->s.k = 0;
8303
8304 gen_and(b0, b1);
8305
8306 return b1;
8307 }
8308
8309 static struct block *
8310 gen_geneve6(int vni)
8311 {
8312 struct block *b0, *b1;
8313 struct slist *s, *s1;
8314
8315 b0 = gen_geneve_check(gen_port6, OR_TRAN_IPV6, vni);
8316
8317 /* Load the IP header length. We need to account for a
8318 * variable length link prefix if there is one. */
8319 s = gen_abs_offset_varpart(&off_linkpl);
8320 if (s) {
8321 s1 = new_stmt(BPF_LD|BPF_IMM);
8322 s1->s.k = 40;
8323 sappend(s, s1);
8324
8325 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
8326 s1->s.k = 0;
8327 sappend(s, s1);
8328 } else {
8329 s = new_stmt(BPF_LD|BPF_IMM);
8330 s->s.k = 40;
8331 }
8332
8333 /* Forcibly append these statements to the true condition
8334 * of the protocol check by creating a new block that is
8335 * always true and ANDing them. */
8336 s1 = new_stmt(BPF_MISC|BPF_TAX);
8337 sappend(s, s1);
8338
8339 b1 = new_block(BPF_JMP|BPF_JEQ|BPF_X);
8340 b1->stmts = s;
8341 b1->s.k = 0;
8342
8343 gen_and(b0, b1);
8344
8345 return b1;
8346 }
8347
8348 /* We need to store three values based on the Geneve header::
8349 * - The offset of the linktype.
8350 * - The offset of the end of the Geneve header.
8351 * - The offset of the end of the encapsulated MAC header. */
8352 static struct slist *
8353 gen_geneve_offsets(void)
8354 {
8355 struct slist *s, *s1, *s_proto;
8356
8357 /* First we need to calculate the offset of the Geneve header
8358 * itself. This is composed of the IP header previously calculated
8359 * (include any variable link prefix) and stored in A plus the
8360 * fixed sized headers (fixed link prefix, MAC length, and UDP
8361 * header). */
8362 s = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
8363 s->s.k = off_linkpl.constant_part + off_nl + 8;
8364
8365 /* Stash this in X since we'll need it later. */
8366 s1 = new_stmt(BPF_MISC|BPF_TAX);
8367 sappend(s, s1);
8368
8369 /* The EtherType in Geneve is 2 bytes in. Calculate this and
8370 * store it. */
8371 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
8372 s1->s.k = 2;
8373 sappend(s, s1);
8374
8375 off_linktype.reg = alloc_reg();
8376 off_linktype.is_variable = 1;
8377 off_linktype.constant_part = 0;
8378
8379 s1 = new_stmt(BPF_ST);
8380 s1->s.k = off_linktype.reg;
8381 sappend(s, s1);
8382
8383 /* Load the Geneve option length and mask and shift to get the
8384 * number of bytes. It is stored in the first byte of the Geneve
8385 * header. */
8386 s1 = new_stmt(BPF_LD|BPF_IND|BPF_B);
8387 s1->s.k = 0;
8388 sappend(s, s1);
8389
8390 s1 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
8391 s1->s.k = 0x3f;
8392 sappend(s, s1);
8393
8394 s1 = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
8395 s1->s.k = 4;
8396 sappend(s, s1);
8397
8398 /* Add in the rest of the Geneve base header. */
8399 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
8400 s1->s.k = 8;
8401 sappend(s, s1);
8402
8403 /* Add the Geneve header length to its offset and store. */
8404 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_X);
8405 s1->s.k = 0;
8406 sappend(s, s1);
8407
8408 /* Set the encapsulated type as Ethernet. Even though we may
8409 * not actually have Ethernet inside there are two reasons this
8410 * is useful:
8411 * - The linktype field is always in EtherType format regardless
8412 * of whether it is in Geneve or an inner Ethernet frame.
8413 * - The only link layer that we have specific support for is
8414 * Ethernet. We will confirm that the packet actually is
8415 * Ethernet at runtime before executing these checks. */
8416 PUSH_LINKHDR(DLT_EN10MB, 1, 0, alloc_reg());
8417
8418 s1 = new_stmt(BPF_ST);
8419 s1->s.k = off_linkhdr.reg;
8420 sappend(s, s1);
8421
8422 /* Calculate whether we have an Ethernet header or just raw IP/
8423 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
8424 * and linktype by 14 bytes so that the network header can be found
8425 * seamlessly. Otherwise, keep what we've calculated already. */
8426
8427 /* We have a bare jmp so we can't use the optimizer. */
8428 no_optimize = 1;
8429
8430 /* Load the EtherType in the Geneve header, 2 bytes in. */
8431 s1 = new_stmt(BPF_LD|BPF_IND|BPF_H);
8432 s1->s.k = 2;
8433 sappend(s, s1);
8434
8435 /* Load X with the end of the Geneve header. */
8436 s1 = new_stmt(BPF_LDX|BPF_MEM);
8437 s1->s.k = off_linkhdr.reg;
8438 sappend(s, s1);
8439
8440 /* Check if the EtherType is Transparent Ethernet Bridging. At the
8441 * end of this check, we should have the total length in X. In
8442 * the non-Ethernet case, it's already there. */
8443 s_proto = new_stmt(JMP(BPF_JEQ));
8444 s_proto->s.k = ETHERTYPE_TEB;
8445 sappend(s, s_proto);
8446
8447 s1 = new_stmt(BPF_MISC|BPF_TXA);
8448 sappend(s, s1);
8449 s_proto->s.jt = s1;
8450
8451 /* Since this is Ethernet, use the EtherType of the payload
8452 * directly as the linktype. Overwrite what we already have. */
8453 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
8454 s1->s.k = 12;
8455 sappend(s, s1);
8456
8457 s1 = new_stmt(BPF_ST);
8458 s1->s.k = off_linktype.reg;
8459 sappend(s, s1);
8460
8461 /* Advance two bytes further to get the end of the Ethernet
8462 * header. */
8463 s1 = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
8464 s1->s.k = 2;
8465 sappend(s, s1);
8466
8467 /* Move the result to X. */
8468 s1 = new_stmt(BPF_MISC|BPF_TAX);
8469 sappend(s, s1);
8470
8471 /* Store the final result of our linkpl calculation. */
8472 off_linkpl.reg = alloc_reg();
8473 off_linkpl.is_variable = 1;
8474 off_linkpl.constant_part = 0;
8475
8476 s1 = new_stmt(BPF_STX);
8477 s1->s.k = off_linkpl.reg;
8478 sappend(s, s1);
8479 s_proto->s.jf = s1;
8480
8481 off_nl = 0;
8482
8483 return s;
8484 }
8485
8486 /* Check to see if this is a Geneve packet. */
8487 struct block *
8488 gen_geneve(int vni)
8489 {
8490 struct block *b0, *b1;
8491 struct slist *s;
8492
8493 b0 = gen_geneve4(vni);
8494 b1 = gen_geneve6(vni);
8495
8496 gen_or(b0, b1);
8497 b0 = b1;
8498
8499 /* Later filters should act on the payload of the Geneve frame,
8500 * update all of the header pointers. Attach this code so that
8501 * it gets executed in the event that the Geneve filter matches. */
8502 s = gen_geneve_offsets();
8503
8504 b1 = gen_true();
8505 sappend(s, b1->stmts);
8506 b1->stmts = s;
8507
8508 gen_and(b0, b1);
8509
8510 is_geneve = 1;
8511
8512 return b1;
8513 }
8514
8515 /* Check that the encapsulated frame has a link layer header
8516 * for Ethernet filters. */
8517 static struct block *
8518 gen_geneve_ll_check()
8519 {
8520 struct block *b0;
8521 struct slist *s, *s1;
8522
8523 /* The easiest way to see if there is a link layer present
8524 * is to check if the link layer header and payload are not
8525 * the same. */
8526
8527 /* Geneve always generates pure variable offsets so we can
8528 * compare only the registers. */
8529 s = new_stmt(BPF_LD|BPF_MEM);
8530 s->s.k = off_linkhdr.reg;
8531
8532 s1 = new_stmt(BPF_LDX|BPF_MEM);
8533 s1->s.k = off_linkpl.reg;
8534 sappend(s, s1);
8535
8536 b0 = new_block(BPF_JMP|BPF_JEQ|BPF_X);
8537 b0->stmts = s;
8538 b0->s.k = 0;
8539 gen_not(b0);
8540
8541 return b0;
8542 }
8543
8544 struct block *
8545 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
8546 int atmfield;
8547 bpf_int32 jvalue;
8548 bpf_u_int32 jtype;
8549 int reverse;
8550 {
8551 struct block *b0;
8552
8553 switch (atmfield) {
8554
8555 case A_VPI:
8556 if (!is_atm)
8557 bpf_error("'vpi' supported only on raw ATM");
8558 if (off_vpi == (u_int)-1)
8559 abort();
8560 b0 = gen_ncmp(OR_LINKHDR, off_vpi, BPF_B, 0xffffffff, jtype,
8561 reverse, jvalue);
8562 break;
8563
8564 case A_VCI:
8565 if (!is_atm)
8566 bpf_error("'vci' supported only on raw ATM");
8567 if (off_vci == (u_int)-1)
8568 abort();
8569 b0 = gen_ncmp(OR_LINKHDR, off_vci, BPF_H, 0xffffffff, jtype,
8570 reverse, jvalue);
8571 break;
8572
8573 case A_PROTOTYPE:
8574 if (off_proto == (u_int)-1)
8575 abort(); /* XXX - this isn't on FreeBSD */
8576 b0 = gen_ncmp(OR_LINKHDR, off_proto, BPF_B, 0x0f, jtype,
8577 reverse, jvalue);
8578 break;
8579
8580 case A_MSGTYPE:
8581 if (off_payload == (u_int)-1)
8582 abort();
8583 b0 = gen_ncmp(OR_LINKHDR, off_payload + MSG_TYPE_POS, BPF_B,
8584 0xffffffff, jtype, reverse, jvalue);
8585 break;
8586
8587 case A_CALLREFTYPE:
8588 if (!is_atm)
8589 bpf_error("'callref' supported only on raw ATM");
8590 if (off_proto == (u_int)-1)
8591 abort();
8592 b0 = gen_ncmp(OR_LINKHDR, off_proto, BPF_B, 0xffffffff,
8593 jtype, reverse, jvalue);
8594 break;
8595
8596 default:
8597 abort();
8598 }
8599 return b0;
8600 }
8601
8602 struct block *
8603 gen_atmtype_abbrev(type)
8604 int type;
8605 {
8606 struct block *b0, *b1;
8607
8608 switch (type) {
8609
8610 case A_METAC:
8611 /* Get all packets in Meta signalling Circuit */
8612 if (!is_atm)
8613 bpf_error("'metac' supported only on raw ATM");
8614 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8615 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
8616 gen_and(b0, b1);
8617 break;
8618
8619 case A_BCC:
8620 /* Get all packets in Broadcast Circuit*/
8621 if (!is_atm)
8622 bpf_error("'bcc' supported only on raw ATM");
8623 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8624 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
8625 gen_and(b0, b1);
8626 break;
8627
8628 case A_OAMF4SC:
8629 /* Get all cells in Segment OAM F4 circuit*/
8630 if (!is_atm)
8631 bpf_error("'oam4sc' supported only on raw ATM");
8632 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8633 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8634 gen_and(b0, b1);
8635 break;
8636
8637 case A_OAMF4EC:
8638 /* Get all cells in End-to-End OAM F4 Circuit*/
8639 if (!is_atm)
8640 bpf_error("'oam4ec' supported only on raw ATM");
8641 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8642 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8643 gen_and(b0, b1);
8644 break;
8645
8646 case A_SC:
8647 /* Get all packets in connection Signalling Circuit */
8648 if (!is_atm)
8649 bpf_error("'sc' supported only on raw ATM");
8650 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8651 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
8652 gen_and(b0, b1);
8653 break;
8654
8655 case A_ILMIC:
8656 /* Get all packets in ILMI Circuit */
8657 if (!is_atm)
8658 bpf_error("'ilmic' supported only on raw ATM");
8659 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8660 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
8661 gen_and(b0, b1);
8662 break;
8663
8664 case A_LANE:
8665 /* Get all LANE packets */
8666 if (!is_atm)
8667 bpf_error("'lane' supported only on raw ATM");
8668 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8669
8670 /*
8671 * Arrange that all subsequent tests assume LANE
8672 * rather than LLC-encapsulated packets, and set
8673 * the offsets appropriately for LANE-encapsulated
8674 * Ethernet.
8675 *
8676 * We assume LANE means Ethernet, not Token Ring.
8677 */
8678 PUSH_LINKHDR(DLT_EN10MB, 0,
8679 off_payload + 2, /* Ethernet header */
8680 -1);
8681 off_linktype.constant_part = off_linkhdr.constant_part + 12;
8682 off_linkpl.constant_part = off_linkhdr.constant_part + 14; /* Ethernet */
8683 off_nl = 0; /* Ethernet II */
8684 off_nl_nosnap = 3; /* 802.3+802.2 */
8685 break;
8686
8687 case A_LLC:
8688 /* Get all LLC-encapsulated packets */
8689 if (!is_atm)
8690 bpf_error("'llc' supported only on raw ATM");
8691 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8692 linktype = prevlinktype;
8693 break;
8694
8695 default:
8696 abort();
8697 }
8698 return b1;
8699 }
8700
8701 /*
8702 * Filtering for MTP2 messages based on li value
8703 * FISU, length is null
8704 * LSSU, length is 1 or 2
8705 * MSU, length is 3 or more
8706 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
8707 */
8708 struct block *
8709 gen_mtp2type_abbrev(type)
8710 int type;
8711 {
8712 struct block *b0, *b1;
8713
8714 switch (type) {
8715
8716 case M_FISU:
8717 if ( (linktype != DLT_MTP2) &&
8718 (linktype != DLT_ERF) &&
8719 (linktype != DLT_MTP2_WITH_PHDR) )
8720 bpf_error("'fisu' supported only on MTP2");
8721 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8722 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8723 break;
8724
8725 case M_LSSU:
8726 if ( (linktype != DLT_MTP2) &&
8727 (linktype != DLT_ERF) &&
8728 (linktype != DLT_MTP2_WITH_PHDR) )
8729 bpf_error("'lssu' supported only on MTP2");
8730 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8731 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8732 gen_and(b1, b0);
8733 break;
8734
8735 case M_MSU:
8736 if ( (linktype != DLT_MTP2) &&
8737 (linktype != DLT_ERF) &&
8738 (linktype != DLT_MTP2_WITH_PHDR) )
8739 bpf_error("'msu' supported only on MTP2");
8740 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8741 break;
8742
8743 case MH_FISU:
8744 if ( (linktype != DLT_MTP2) &&
8745 (linktype != DLT_ERF) &&
8746 (linktype != DLT_MTP2_WITH_PHDR) )
8747 bpf_error("'hfisu' supported only on MTP2_HSL");
8748 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
8749 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0);
8750 break;
8751
8752 case MH_LSSU:
8753 if ( (linktype != DLT_MTP2) &&
8754 (linktype != DLT_ERF) &&
8755 (linktype != DLT_MTP2_WITH_PHDR) )
8756 bpf_error("'hlssu' supported only on MTP2_HSL");
8757 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100);
8758 b1 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0);
8759 gen_and(b1, b0);
8760 break;
8761
8762 case MH_MSU:
8763 if ( (linktype != DLT_MTP2) &&
8764 (linktype != DLT_ERF) &&
8765 (linktype != DLT_MTP2_WITH_PHDR) )
8766 bpf_error("'hmsu' supported only on MTP2_HSL");
8767 b0 = gen_ncmp(OR_PACKET, off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100);
8768 break;
8769
8770 default:
8771 abort();
8772 }
8773 return b0;
8774 }
8775
8776 struct block *
8777 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
8778 int mtp3field;
8779 bpf_u_int32 jvalue;
8780 bpf_u_int32 jtype;
8781 int reverse;
8782 {
8783 struct block *b0;
8784 bpf_u_int32 val1 , val2 , val3;
8785 u_int newoff_sio=off_sio;
8786 u_int newoff_opc=off_opc;
8787 u_int newoff_dpc=off_dpc;
8788 u_int newoff_sls=off_sls;
8789
8790 switch (mtp3field) {
8791
8792 case MH_SIO:
8793 newoff_sio += 3; /* offset for MTP2_HSL */
8794 /* FALLTHROUGH */
8795
8796 case M_SIO:
8797 if (off_sio == (u_int)-1)
8798 bpf_error("'sio' supported only on SS7");
8799 /* sio coded on 1 byte so max value 255 */
8800 if(jvalue > 255)
8801 bpf_error("sio value %u too big; max value = 255",
8802 jvalue);
8803 b0 = gen_ncmp(OR_PACKET, newoff_sio, BPF_B, 0xffffffff,
8804 (u_int)jtype, reverse, (u_int)jvalue);
8805 break;
8806
8807 case MH_OPC:
8808 newoff_opc+=3;
8809 case M_OPC:
8810 if (off_opc == (u_int)-1)
8811 bpf_error("'opc' supported only on SS7");
8812 /* opc coded on 14 bits so max value 16383 */
8813 if (jvalue > 16383)
8814 bpf_error("opc value %u too big; max value = 16383",
8815 jvalue);
8816 /* the following instructions are made to convert jvalue
8817 * to the form used to write opc in an ss7 message*/
8818 val1 = jvalue & 0x00003c00;
8819 val1 = val1 >>10;
8820 val2 = jvalue & 0x000003fc;
8821 val2 = val2 <<6;
8822 val3 = jvalue & 0x00000003;
8823 val3 = val3 <<22;
8824 jvalue = val1 + val2 + val3;
8825 b0 = gen_ncmp(OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f,
8826 (u_int)jtype, reverse, (u_int)jvalue);
8827 break;
8828
8829 case MH_DPC:
8830 newoff_dpc += 3;
8831 /* FALLTHROUGH */
8832
8833 case M_DPC:
8834 if (off_dpc == (u_int)-1)
8835 bpf_error("'dpc' supported only on SS7");
8836 /* dpc coded on 14 bits so max value 16383 */
8837 if (jvalue > 16383)
8838 bpf_error("dpc value %u too big; max value = 16383",
8839 jvalue);
8840 /* the following instructions are made to convert jvalue
8841 * to the forme used to write dpc in an ss7 message*/
8842 val1 = jvalue & 0x000000ff;
8843 val1 = val1 << 24;
8844 val2 = jvalue & 0x00003f00;
8845 val2 = val2 << 8;
8846 jvalue = val1 + val2;
8847 b0 = gen_ncmp(OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000,
8848 (u_int)jtype, reverse, (u_int)jvalue);
8849 break;
8850
8851 case MH_SLS:
8852 newoff_sls+=3;
8853 case M_SLS:
8854 if (off_sls == (u_int)-1)
8855 bpf_error("'sls' supported only on SS7");
8856 /* sls coded on 4 bits so max value 15 */
8857 if (jvalue > 15)
8858 bpf_error("sls value %u too big; max value = 15",
8859 jvalue);
8860 /* the following instruction is made to convert jvalue
8861 * to the forme used to write sls in an ss7 message*/
8862 jvalue = jvalue << 4;
8863 b0 = gen_ncmp(OR_PACKET, newoff_sls, BPF_B, 0xf0,
8864 (u_int)jtype,reverse, (u_int)jvalue);
8865 break;
8866
8867 default:
8868 abort();
8869 }
8870 return b0;
8871 }
8872
8873 static struct block *
8874 gen_msg_abbrev(type)
8875 int type;
8876 {
8877 struct block *b1;
8878
8879 /*
8880 * Q.2931 signalling protocol messages for handling virtual circuits
8881 * establishment and teardown
8882 */
8883 switch (type) {
8884
8885 case A_SETUP:
8886 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
8887 break;
8888
8889 case A_CALLPROCEED:
8890 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
8891 break;
8892
8893 case A_CONNECT:
8894 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
8895 break;
8896
8897 case A_CONNECTACK:
8898 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
8899 break;
8900
8901 case A_RELEASE:
8902 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
8903 break;
8904
8905 case A_RELEASE_DONE:
8906 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
8907 break;
8908
8909 default:
8910 abort();
8911 }
8912 return b1;
8913 }
8914
8915 struct block *
8916 gen_atmmulti_abbrev(type)
8917 int type;
8918 {
8919 struct block *b0, *b1;
8920
8921 switch (type) {
8922
8923 case A_OAM:
8924 if (!is_atm)
8925 bpf_error("'oam' supported only on raw ATM");
8926 b1 = gen_atmmulti_abbrev(A_OAMF4);
8927 break;
8928
8929 case A_OAMF4:
8930 if (!is_atm)
8931 bpf_error("'oamf4' supported only on raw ATM");
8932 /* OAM F4 type */
8933 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
8934 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
8935 gen_or(b0, b1);
8936 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
8937 gen_and(b0, b1);
8938 break;
8939
8940 case A_CONNECTMSG:
8941 /*
8942 * Get Q.2931 signalling messages for switched
8943 * virtual connection
8944 */
8945 if (!is_atm)
8946 bpf_error("'connectmsg' supported only on raw ATM");
8947 b0 = gen_msg_abbrev(A_SETUP);
8948 b1 = gen_msg_abbrev(A_CALLPROCEED);
8949 gen_or(b0, b1);
8950 b0 = gen_msg_abbrev(A_CONNECT);
8951 gen_or(b0, b1);
8952 b0 = gen_msg_abbrev(A_CONNECTACK);
8953 gen_or(b0, b1);
8954 b0 = gen_msg_abbrev(A_RELEASE);
8955 gen_or(b0, b1);
8956 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8957 gen_or(b0, b1);
8958 b0 = gen_atmtype_abbrev(A_SC);
8959 gen_and(b0, b1);
8960 break;
8961
8962 case A_METACONNECT:
8963 if (!is_atm)
8964 bpf_error("'metaconnect' supported only on raw ATM");
8965 b0 = gen_msg_abbrev(A_SETUP);
8966 b1 = gen_msg_abbrev(A_CALLPROCEED);
8967 gen_or(b0, b1);
8968 b0 = gen_msg_abbrev(A_CONNECT);
8969 gen_or(b0, b1);
8970 b0 = gen_msg_abbrev(A_RELEASE);
8971 gen_or(b0, b1);
8972 b0 = gen_msg_abbrev(A_RELEASE_DONE);
8973 gen_or(b0, b1);
8974 b0 = gen_atmtype_abbrev(A_METAC);
8975 gen_and(b0, b1);
8976 break;
8977
8978 default:
8979 abort();
8980 }
8981 return b1;
8982 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism