]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Move a comment that applies to both branches of an #ifdef outside the
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22 #ifndef lint
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.289 2007-10-05 01:03:53 guy Exp $ (LBL)";
25 #endif
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #ifdef WIN32
32 #include <pcap-stdinc.h>
33 #else /* WIN32 */
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #endif /* WIN32 */
37
38 /*
39 * XXX - why was this included even on UNIX?
40 */
41 #ifdef __MINGW32__
42 #include "IP6_misc.h"
43 #endif
44
45 #ifndef WIN32
46
47 #ifdef __NetBSD__
48 #include <sys/param.h>
49 #endif
50
51 #include <netinet/in.h>
52
53 #endif /* WIN32 */
54
55 #include <stdlib.h>
56 #include <string.h>
57 #include <memory.h>
58 #include <setjmp.h>
59 #include <stdarg.h>
60
61 #ifdef MSDOS
62 #include "pcap-dos.h"
63 #endif
64
65 #include "pcap-int.h"
66
67 #include "ethertype.h"
68 #include "nlpid.h"
69 #include "llc.h"
70 #include "gencode.h"
71 #include "atmuni31.h"
72 #include "sunatmpos.h"
73 #include "ppp.h"
74 #include "pcap/sll.h"
75 #include "arcnet.h"
76 #ifdef HAVE_NET_PFVAR_H
77 #include <sys/socket.h>
78 #include <net/if.h>
79 #include <net/pfvar.h>
80 #include <net/if_pflog.h>
81 #endif
82 #ifndef offsetof
83 #define offsetof(s, e) ((size_t)&((s *)0)->e)
84 #endif
85 #ifdef INET6
86 #ifndef WIN32
87 #include <netdb.h> /* for "struct addrinfo" */
88 #endif /* WIN32 */
89 #endif /*INET6*/
90 #include <pcap/namedb.h>
91
92 #define ETHERMTU 1500
93
94 #ifndef IPPROTO_SCTP
95 #define IPPROTO_SCTP 132
96 #endif
97
98 #ifdef HAVE_OS_PROTO_H
99 #include "os-proto.h"
100 #endif
101
102 #define JMP(c) ((c)|BPF_JMP|BPF_K)
103
104 /* Locals */
105 static jmp_buf top_ctx;
106 static pcap_t *bpf_pcap;
107
108 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
109 #ifdef WIN32
110 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
111 #else
112 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
113 #endif
114
115 /* XXX */
116 #ifdef PCAP_FDDIPAD
117 static int pcap_fddipad;
118 #endif
119
120 /* VARARGS */
121 void
122 bpf_error(const char *fmt, ...)
123 {
124 va_list ap;
125
126 va_start(ap, fmt);
127 if (bpf_pcap != NULL)
128 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
129 fmt, ap);
130 va_end(ap);
131 longjmp(top_ctx, 1);
132 /* NOTREACHED */
133 }
134
135 static void init_linktype(pcap_t *);
136
137 static int alloc_reg(void);
138 static void free_reg(int);
139
140 static struct block *root;
141
142 /*
143 * Value passed to gen_load_a() to indicate what the offset argument
144 * is relative to.
145 */
146 enum e_offrel {
147 OR_PACKET, /* relative to the beginning of the packet */
148 OR_LINK, /* relative to the link-layer header */
149 OR_NET, /* relative to the network-layer header */
150 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
151 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
152 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
153 };
154
155 /*
156 * We divy out chunks of memory rather than call malloc each time so
157 * we don't have to worry about leaking memory. It's probably
158 * not a big deal if all this memory was wasted but if this ever
159 * goes into a library that would probably not be a good idea.
160 *
161 * XXX - this *is* in a library....
162 */
163 #define NCHUNKS 16
164 #define CHUNK0SIZE 1024
165 struct chunk {
166 u_int n_left;
167 void *m;
168 };
169
170 static struct chunk chunks[NCHUNKS];
171 static int cur_chunk;
172
173 static void *newchunk(u_int);
174 static void freechunks(void);
175 static inline struct block *new_block(int);
176 static inline struct slist *new_stmt(int);
177 static struct block *gen_retblk(int);
178 static inline void syntax(void);
179
180 static void backpatch(struct block *, struct block *);
181 static void merge(struct block *, struct block *);
182 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
183 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
184 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
185 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
186 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
187 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
188 bpf_u_int32);
189 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
190 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
191 bpf_u_int32, bpf_u_int32, int, bpf_int32);
192 static struct slist *gen_load_llrel(u_int, u_int);
193 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
194 static struct slist *gen_loadx_iphdrlen(void);
195 static struct block *gen_uncond(int);
196 static inline struct block *gen_true(void);
197 static inline struct block *gen_false(void);
198 static struct block *gen_ether_linktype(int);
199 static struct block *gen_linux_sll_linktype(int);
200 static void insert_radiotap_load_llprefixlen(struct block *);
201 static void insert_ppi_load_llprefixlen(struct block *);
202 static void insert_load_llprefixlen(struct block *);
203 static struct slist *gen_llprefixlen(void);
204 static struct block *gen_linktype(int);
205 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
206 static struct block *gen_llc_linktype(int);
207 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
208 #ifdef INET6
209 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
210 #endif
211 static struct block *gen_ahostop(const u_char *, int);
212 static struct block *gen_ehostop(const u_char *, int);
213 static struct block *gen_fhostop(const u_char *, int);
214 static struct block *gen_thostop(const u_char *, int);
215 static struct block *gen_wlanhostop(const u_char *, int);
216 static struct block *gen_ipfchostop(const u_char *, int);
217 static struct block *gen_dnhostop(bpf_u_int32, int);
218 static struct block *gen_mpls_linktype(int);
219 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
220 #ifdef INET6
221 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
222 #endif
223 #ifndef INET6
224 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
225 #endif
226 static struct block *gen_ipfrag(void);
227 static struct block *gen_portatom(int, bpf_int32);
228 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
229 #ifdef INET6
230 static struct block *gen_portatom6(int, bpf_int32);
231 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
232 #endif
233 struct block *gen_portop(int, int, int);
234 static struct block *gen_port(int, int, int);
235 struct block *gen_portrangeop(int, int, int, int);
236 static struct block *gen_portrange(int, int, int, int);
237 #ifdef INET6
238 struct block *gen_portop6(int, int, int);
239 static struct block *gen_port6(int, int, int);
240 struct block *gen_portrangeop6(int, int, int, int);
241 static struct block *gen_portrange6(int, int, int, int);
242 #endif
243 static int lookup_proto(const char *, int);
244 static struct block *gen_protochain(int, int, int);
245 static struct block *gen_proto(int, int, int);
246 static struct slist *xfer_to_x(struct arth *);
247 static struct slist *xfer_to_a(struct arth *);
248 static struct block *gen_mac_multicast(int);
249 static struct block *gen_len(int, int);
250
251 static struct block *gen_ppi_dlt_check(void);
252 static struct block *gen_msg_abbrev(int type);
253
254 static void *
255 newchunk(n)
256 u_int n;
257 {
258 struct chunk *cp;
259 int k;
260 size_t size;
261
262 #ifndef __NetBSD__
263 /* XXX Round up to nearest long. */
264 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
265 #else
266 /* XXX Round up to structure boundary. */
267 n = ALIGN(n);
268 #endif
269
270 cp = &chunks[cur_chunk];
271 if (n > cp->n_left) {
272 ++cp, k = ++cur_chunk;
273 if (k >= NCHUNKS)
274 bpf_error("out of memory");
275 size = CHUNK0SIZE << k;
276 cp->m = (void *)malloc(size);
277 if (cp->m == NULL)
278 bpf_error("out of memory");
279 memset((char *)cp->m, 0, size);
280 cp->n_left = size;
281 if (n > size)
282 bpf_error("out of memory");
283 }
284 cp->n_left -= n;
285 return (void *)((char *)cp->m + cp->n_left);
286 }
287
288 static void
289 freechunks()
290 {
291 int i;
292
293 cur_chunk = 0;
294 for (i = 0; i < NCHUNKS; ++i)
295 if (chunks[i].m != NULL) {
296 free(chunks[i].m);
297 chunks[i].m = NULL;
298 }
299 }
300
301 /*
302 * A strdup whose allocations are freed after code generation is over.
303 */
304 char *
305 sdup(s)
306 register const char *s;
307 {
308 int n = strlen(s) + 1;
309 char *cp = newchunk(n);
310
311 strlcpy(cp, s, n);
312 return (cp);
313 }
314
315 static inline struct block *
316 new_block(code)
317 int code;
318 {
319 struct block *p;
320
321 p = (struct block *)newchunk(sizeof(*p));
322 p->s.code = code;
323 p->head = p;
324
325 return p;
326 }
327
328 static inline struct slist *
329 new_stmt(code)
330 int code;
331 {
332 struct slist *p;
333
334 p = (struct slist *)newchunk(sizeof(*p));
335 p->s.code = code;
336
337 return p;
338 }
339
340 static struct block *
341 gen_retblk(v)
342 int v;
343 {
344 struct block *b = new_block(BPF_RET|BPF_K);
345
346 b->s.k = v;
347 return b;
348 }
349
350 static inline void
351 syntax()
352 {
353 bpf_error("syntax error in filter expression");
354 }
355
356 static bpf_u_int32 netmask;
357 static int snaplen;
358 int no_optimize;
359
360 int
361 pcap_compile(pcap_t *p, struct bpf_program *program,
362 const char *buf, int optimize, bpf_u_int32 mask)
363 {
364 extern int n_errors;
365 const char * volatile xbuf = buf;
366 int len;
367
368 no_optimize = 0;
369 n_errors = 0;
370 root = NULL;
371 bpf_pcap = p;
372 if (setjmp(top_ctx)) {
373 lex_cleanup();
374 freechunks();
375 return (-1);
376 }
377
378 netmask = mask;
379
380 snaplen = pcap_snapshot(p);
381 if (snaplen == 0) {
382 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
383 "snaplen of 0 rejects all packets");
384 return -1;
385 }
386
387 lex_init(xbuf ? xbuf : "");
388 init_linktype(p);
389 (void)pcap_parse();
390
391 if (n_errors)
392 syntax();
393
394 if (root == NULL)
395 root = gen_retblk(snaplen);
396
397 if (optimize && !no_optimize) {
398 bpf_optimize(&root);
399 if (root == NULL ||
400 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
401 bpf_error("expression rejects all packets");
402 }
403 program->bf_insns = icode_to_fcode(root, &len);
404 program->bf_len = len;
405
406 lex_cleanup();
407 freechunks();
408 return (0);
409 }
410
411 /*
412 * entry point for using the compiler with no pcap open
413 * pass in all the stuff that is needed explicitly instead.
414 */
415 int
416 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
417 struct bpf_program *program,
418 const char *buf, int optimize, bpf_u_int32 mask)
419 {
420 pcap_t *p;
421 int ret;
422
423 p = pcap_open_dead(linktype_arg, snaplen_arg);
424 if (p == NULL)
425 return (-1);
426 ret = pcap_compile(p, program, buf, optimize, mask);
427 pcap_close(p);
428 return (ret);
429 }
430
431 /*
432 * Clean up a "struct bpf_program" by freeing all the memory allocated
433 * in it.
434 */
435 void
436 pcap_freecode(struct bpf_program *program)
437 {
438 program->bf_len = 0;
439 if (program->bf_insns != NULL) {
440 free((char *)program->bf_insns);
441 program->bf_insns = NULL;
442 }
443 }
444
445 /*
446 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
447 * which of the jt and jf fields has been resolved and which is a pointer
448 * back to another unresolved block (or nil). At least one of the fields
449 * in each block is already resolved.
450 */
451 static void
452 backpatch(list, target)
453 struct block *list, *target;
454 {
455 struct block *next;
456
457 while (list) {
458 if (!list->sense) {
459 next = JT(list);
460 JT(list) = target;
461 } else {
462 next = JF(list);
463 JF(list) = target;
464 }
465 list = next;
466 }
467 }
468
469 /*
470 * Merge the lists in b0 and b1, using the 'sense' field to indicate
471 * which of jt and jf is the link.
472 */
473 static void
474 merge(b0, b1)
475 struct block *b0, *b1;
476 {
477 register struct block **p = &b0;
478
479 /* Find end of list. */
480 while (*p)
481 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
482
483 /* Concatenate the lists. */
484 *p = b1;
485 }
486
487 void
488 finish_parse(p)
489 struct block *p;
490 {
491 struct block *ppi_dlt_check;
492
493 ppi_dlt_check = gen_ppi_dlt_check();
494
495 if (ppi_dlt_check != NULL)
496 {
497 gen_and(ppi_dlt_check, p);
498 }
499
500 backpatch(p, gen_retblk(snaplen));
501 p->sense = !p->sense;
502 backpatch(p, gen_retblk(0));
503 root = p->head;
504
505 /*
506 * Insert before the statements of the first (root) block any
507 * statements needed to load the lengths of any variable-length
508 * headers into registers.
509 *
510 * XXX - a fancier strategy would be to insert those before the
511 * statements of all blocks that use those lengths and that
512 * have no predecessors that use them, so that we only compute
513 * the lengths if we need them. There might be even better
514 * approaches than that. However, as we're currently only
515 * handling variable-length radiotap headers, and as all
516 * filtering expressions other than raw link[M:N] tests
517 * require the length of that header, doing more for that
518 * header length isn't really worth the effort.
519 */
520 insert_load_llprefixlen(root);
521 }
522
523 void
524 gen_and(b0, b1)
525 struct block *b0, *b1;
526 {
527 backpatch(b0, b1->head);
528 b0->sense = !b0->sense;
529 b1->sense = !b1->sense;
530 merge(b1, b0);
531 b1->sense = !b1->sense;
532 b1->head = b0->head;
533 }
534
535 void
536 gen_or(b0, b1)
537 struct block *b0, *b1;
538 {
539 b0->sense = !b0->sense;
540 backpatch(b0, b1->head);
541 b0->sense = !b0->sense;
542 merge(b1, b0);
543 b1->head = b0->head;
544 }
545
546 void
547 gen_not(b)
548 struct block *b;
549 {
550 b->sense = !b->sense;
551 }
552
553 static struct block *
554 gen_cmp(offrel, offset, size, v)
555 enum e_offrel offrel;
556 u_int offset, size;
557 bpf_int32 v;
558 {
559 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
560 }
561
562 static struct block *
563 gen_cmp_gt(offrel, offset, size, v)
564 enum e_offrel offrel;
565 u_int offset, size;
566 bpf_int32 v;
567 {
568 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
569 }
570
571 static struct block *
572 gen_cmp_ge(offrel, offset, size, v)
573 enum e_offrel offrel;
574 u_int offset, size;
575 bpf_int32 v;
576 {
577 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
578 }
579
580 static struct block *
581 gen_cmp_lt(offrel, offset, size, v)
582 enum e_offrel offrel;
583 u_int offset, size;
584 bpf_int32 v;
585 {
586 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
587 }
588
589 static struct block *
590 gen_cmp_le(offrel, offset, size, v)
591 enum e_offrel offrel;
592 u_int offset, size;
593 bpf_int32 v;
594 {
595 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
596 }
597
598 static struct block *
599 gen_mcmp(offrel, offset, size, v, mask)
600 enum e_offrel offrel;
601 u_int offset, size;
602 bpf_int32 v;
603 bpf_u_int32 mask;
604 {
605 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
606 }
607
608 static struct block *
609 gen_bcmp(offrel, offset, size, v)
610 enum e_offrel offrel;
611 register u_int offset, size;
612 register const u_char *v;
613 {
614 register struct block *b, *tmp;
615
616 b = NULL;
617 while (size >= 4) {
618 register const u_char *p = &v[size - 4];
619 bpf_int32 w = ((bpf_int32)p[0] << 24) |
620 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
621
622 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
623 if (b != NULL)
624 gen_and(b, tmp);
625 b = tmp;
626 size -= 4;
627 }
628 while (size >= 2) {
629 register const u_char *p = &v[size - 2];
630 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
631
632 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
633 if (b != NULL)
634 gen_and(b, tmp);
635 b = tmp;
636 size -= 2;
637 }
638 if (size > 0) {
639 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
640 if (b != NULL)
641 gen_and(b, tmp);
642 b = tmp;
643 }
644 return b;
645 }
646
647 /*
648 * AND the field of size "size" at offset "offset" relative to the header
649 * specified by "offrel" with "mask", and compare it with the value "v"
650 * with the test specified by "jtype"; if "reverse" is true, the test
651 * should test the opposite of "jtype".
652 */
653 static struct block *
654 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
655 enum e_offrel offrel;
656 bpf_int32 v;
657 bpf_u_int32 offset, size, mask, jtype;
658 int reverse;
659 {
660 struct slist *s, *s2;
661 struct block *b;
662
663 s = gen_load_a(offrel, offset, size);
664
665 if (mask != 0xffffffff) {
666 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
667 s2->s.k = mask;
668 sappend(s, s2);
669 }
670
671 b = new_block(JMP(jtype));
672 b->stmts = s;
673 b->s.k = v;
674 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
675 gen_not(b);
676 return b;
677 }
678
679 /*
680 * Various code constructs need to know the layout of the data link
681 * layer. These variables give the necessary offsets from the beginning
682 * of the packet data.
683 *
684 * If the link layer has variable_length headers, the offsets are offsets
685 * from the end of the link-link-layer header, and "reg_ll_size" is
686 * the register number for a register containing the length of the
687 * link-layer header. Otherwise, "reg_ll_size" is -1.
688 */
689 static int reg_ll_size;
690
691 /*
692 * This is the offset of the beginning of the link-layer header from
693 * the beginning of the raw packet data.
694 *
695 * It's usually 0, except for 802.11 with a fixed-length radio header.
696 * (For 802.11 with a variable-length radio header, we have to generate
697 * code to compute that offset; off_ll is 0 in that case.)
698 */
699 static u_int off_ll;
700
701 /*
702 * This is the offset of the beginning of the MAC-layer header.
703 * It's usually 0, except for ATM LANE, where it's the offset, relative
704 * to the beginning of the raw packet data, of the Ethernet header.
705 */
706 static u_int off_mac;
707
708 /*
709 * "off_linktype" is the offset to information in the link-layer header
710 * giving the packet type. This offset is relative to the beginning
711 * of the link-layer header (i.e., it doesn't include off_ll).
712 *
713 * For Ethernet, it's the offset of the Ethernet type field.
714 *
715 * For link-layer types that always use 802.2 headers, it's the
716 * offset of the LLC header.
717 *
718 * For PPP, it's the offset of the PPP type field.
719 *
720 * For Cisco HDLC, it's the offset of the CHDLC type field.
721 *
722 * For BSD loopback, it's the offset of the AF_ value.
723 *
724 * For Linux cooked sockets, it's the offset of the type field.
725 *
726 * It's set to -1 for no encapsulation, in which case, IP is assumed.
727 */
728 static u_int off_linktype;
729
730 /*
731 * TRUE if the link layer includes an ATM pseudo-header.
732 */
733 static int is_atm = 0;
734
735 /*
736 * TRUE if "lane" appeared in the filter; it causes us to generate
737 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
738 */
739 static int is_lane = 0;
740
741 /*
742 * These are offsets for the ATM pseudo-header.
743 */
744 static u_int off_vpi;
745 static u_int off_vci;
746 static u_int off_proto;
747
748 /*
749 * These are offsets for the MTP2 fields.
750 */
751 static u_int off_li;
752
753 /*
754 * These are offsets for the MTP3 fields.
755 */
756 static u_int off_sio;
757 static u_int off_opc;
758 static u_int off_dpc;
759 static u_int off_sls;
760
761 /*
762 * This is the offset of the first byte after the ATM pseudo_header,
763 * or -1 if there is no ATM pseudo-header.
764 */
765 static u_int off_payload;
766
767 /*
768 * These are offsets to the beginning of the network-layer header.
769 * They are relative to the beginning of the link-layer header (i.e.,
770 * they don't include off_ll).
771 *
772 * If the link layer never uses 802.2 LLC:
773 *
774 * "off_nl" and "off_nl_nosnap" are the same.
775 *
776 * If the link layer always uses 802.2 LLC:
777 *
778 * "off_nl" is the offset if there's a SNAP header following
779 * the 802.2 header;
780 *
781 * "off_nl_nosnap" is the offset if there's no SNAP header.
782 *
783 * If the link layer is Ethernet:
784 *
785 * "off_nl" is the offset if the packet is an Ethernet II packet
786 * (we assume no 802.3+802.2+SNAP);
787 *
788 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
789 * with an 802.2 header following it.
790 */
791 static u_int off_nl;
792 static u_int off_nl_nosnap;
793
794 static int linktype;
795
796 static void
797 init_linktype(p)
798 pcap_t *p;
799 {
800 linktype = pcap_datalink(p);
801 #ifdef PCAP_FDDIPAD
802 pcap_fddipad = p->fddipad;
803 #endif
804
805 /*
806 * Assume it's not raw ATM with a pseudo-header, for now.
807 */
808 off_mac = 0;
809 is_atm = 0;
810 is_lane = 0;
811 off_vpi = -1;
812 off_vci = -1;
813 off_proto = -1;
814 off_payload = -1;
815
816 /*
817 * And assume we're not doing SS7.
818 */
819 off_li = -1;
820 off_sio = -1;
821 off_opc = -1;
822 off_dpc = -1;
823 off_sls = -1;
824
825 /*
826 * Also assume it's not 802.11 with a fixed-length radio header.
827 */
828 off_ll = 0;
829
830 orig_linktype = -1;
831 orig_nl = -1;
832 label_stack_depth = 0;
833
834 reg_ll_size = -1;
835
836 switch (linktype) {
837
838 case DLT_ARCNET:
839 off_linktype = 2;
840 off_nl = 6; /* XXX in reality, variable! */
841 off_nl_nosnap = 6; /* no 802.2 LLC */
842 return;
843
844 case DLT_ARCNET_LINUX:
845 off_linktype = 4;
846 off_nl = 8; /* XXX in reality, variable! */
847 off_nl_nosnap = 8; /* no 802.2 LLC */
848 return;
849
850 case DLT_EN10MB:
851 off_linktype = 12;
852 off_nl = 14; /* Ethernet II */
853 off_nl_nosnap = 17; /* 802.3+802.2 */
854 return;
855
856 case DLT_SLIP:
857 /*
858 * SLIP doesn't have a link level type. The 16 byte
859 * header is hacked into our SLIP driver.
860 */
861 off_linktype = -1;
862 off_nl = 16;
863 off_nl_nosnap = 16; /* no 802.2 LLC */
864 return;
865
866 case DLT_SLIP_BSDOS:
867 /* XXX this may be the same as the DLT_PPP_BSDOS case */
868 off_linktype = -1;
869 /* XXX end */
870 off_nl = 24;
871 off_nl_nosnap = 24; /* no 802.2 LLC */
872 return;
873
874 case DLT_NULL:
875 case DLT_LOOP:
876 off_linktype = 0;
877 off_nl = 4;
878 off_nl_nosnap = 4; /* no 802.2 LLC */
879 return;
880
881 case DLT_ENC:
882 off_linktype = 0;
883 off_nl = 12;
884 off_nl_nosnap = 12; /* no 802.2 LLC */
885 return;
886
887 case DLT_PPP:
888 case DLT_PPP_PPPD:
889 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
890 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
891 off_linktype = 2;
892 off_nl = 4;
893 off_nl_nosnap = 4; /* no 802.2 LLC */
894 return;
895
896 case DLT_PPP_ETHER:
897 /*
898 * This does no include the Ethernet header, and
899 * only covers session state.
900 */
901 off_linktype = 6;
902 off_nl = 8;
903 off_nl_nosnap = 8; /* no 802.2 LLC */
904 return;
905
906 case DLT_PPP_BSDOS:
907 off_linktype = 5;
908 off_nl = 24;
909 off_nl_nosnap = 24; /* no 802.2 LLC */
910 return;
911
912 case DLT_FDDI:
913 /*
914 * FDDI doesn't really have a link-level type field.
915 * We set "off_linktype" to the offset of the LLC header.
916 *
917 * To check for Ethernet types, we assume that SSAP = SNAP
918 * is being used and pick out the encapsulated Ethernet type.
919 * XXX - should we generate code to check for SNAP?
920 */
921 off_linktype = 13;
922 #ifdef PCAP_FDDIPAD
923 off_linktype += pcap_fddipad;
924 #endif
925 off_nl = 21; /* FDDI+802.2+SNAP */
926 off_nl_nosnap = 16; /* FDDI+802.2 */
927 #ifdef PCAP_FDDIPAD
928 off_nl += pcap_fddipad;
929 off_nl_nosnap += pcap_fddipad;
930 #endif
931 return;
932
933 case DLT_IEEE802:
934 /*
935 * Token Ring doesn't really have a link-level type field.
936 * We set "off_linktype" to the offset of the LLC header.
937 *
938 * To check for Ethernet types, we assume that SSAP = SNAP
939 * is being used and pick out the encapsulated Ethernet type.
940 * XXX - should we generate code to check for SNAP?
941 *
942 * XXX - the header is actually variable-length.
943 * Some various Linux patched versions gave 38
944 * as "off_linktype" and 40 as "off_nl"; however,
945 * if a token ring packet has *no* routing
946 * information, i.e. is not source-routed, the correct
947 * values are 20 and 22, as they are in the vanilla code.
948 *
949 * A packet is source-routed iff the uppermost bit
950 * of the first byte of the source address, at an
951 * offset of 8, has the uppermost bit set. If the
952 * packet is source-routed, the total number of bytes
953 * of routing information is 2 plus bits 0x1F00 of
954 * the 16-bit value at an offset of 14 (shifted right
955 * 8 - figure out which byte that is).
956 */
957 off_linktype = 14;
958 off_nl = 22; /* Token Ring+802.2+SNAP */
959 off_nl_nosnap = 17; /* Token Ring+802.2 */
960 return;
961
962 case DLT_IEEE802_11:
963 /*
964 * 802.11 doesn't really have a link-level type field.
965 * We set "off_linktype" to the offset of the LLC header.
966 *
967 * To check for Ethernet types, we assume that SSAP = SNAP
968 * is being used and pick out the encapsulated Ethernet type.
969 * XXX - should we generate code to check for SNAP?
970 *
971 * XXX - the header is actually variable-length. We
972 * assume a 24-byte link-layer header, as appears in
973 * data frames in networks with no bridges. If the
974 * fromds and tods 802.11 header bits are both set,
975 * it's actually supposed to be 30 bytes.
976 */
977 off_linktype = 24;
978 off_nl = 32; /* 802.11+802.2+SNAP */
979 off_nl_nosnap = 27; /* 802.11+802.2 */
980 return;
981
982 case DLT_PRISM_HEADER:
983 /*
984 * Same as 802.11, but with an additional header before
985 * the 802.11 header, containing a bunch of additional
986 * information including radio-level information.
987 *
988 * The header is 144 bytes long.
989 *
990 * XXX - same variable-length header problem; at least
991 * the Prism header is fixed-length.
992 */
993 off_ll = 144;
994 off_linktype = 24;
995 off_nl = 32; /* Prism+802.11+802.2+SNAP */
996 off_nl_nosnap = 27; /* Prism+802.11+802.2 */
997 return;
998
999 case DLT_IEEE802_11_RADIO_AVS:
1000 /*
1001 * Same as 802.11, but with an additional header before
1002 * the 802.11 header, containing a bunch of additional
1003 * information including radio-level information.
1004 *
1005 * The header is 64 bytes long, at least in its
1006 * current incarnation.
1007 *
1008 * XXX - same variable-length header problem, only
1009 * more so; this header is also variable-length,
1010 * with the length being the 32-bit big-endian
1011 * number at an offset of 4 from the beginning
1012 * of the radio header. We should handle that the
1013 * same way we handle the length at the beginning
1014 * of the radiotap header.
1015 *
1016 * XXX - in Linux, do any drivers that supply an AVS
1017 * header supply a link-layer type other than
1018 * ARPHRD_IEEE80211_PRISM? If so, we should map that
1019 * to DLT_IEEE802_11_RADIO_AVS; if not, or if there are
1020 * any drivers that supply an AVS header but supply
1021 * an ARPHRD value of ARPHRD_IEEE80211_PRISM, we'll
1022 * have to check the header in the generated code to
1023 * determine whether it's Prism or AVS.
1024 */
1025 off_ll = 64;
1026 off_linktype = 24;
1027 off_nl = 32; /* Radio+802.11+802.2+SNAP */
1028 off_nl_nosnap = 27; /* Radio+802.11+802.2 */
1029 return;
1030
1031
1032 /*
1033 * At the moment we treat PPI as normal Radiotap encoded
1034 * packets. The difference is in the function that generates
1035 * the code at the beginning to compute the header length.
1036 * Since this code generator of PPI supports bare 802.11
1037 * encapsulation only (i.e. the encapsulated DLT should be
1038 * DLT_IEEE802_11) we generate code to check for this too.
1039 */
1040 case DLT_PPI:
1041 case DLT_IEEE802_11_RADIO:
1042 /*
1043 * Same as 802.11, but with an additional header before
1044 * the 802.11 header, containing a bunch of additional
1045 * information including radio-level information.
1046 *
1047 * The radiotap header is variable length, and we
1048 * generate code to compute its length and store it
1049 * in a register. These offsets are relative to the
1050 * beginning of the 802.11 header.
1051 */
1052 off_linktype = 24;
1053 off_nl = 32; /* 802.11+802.2+SNAP */
1054 off_nl_nosnap = 27; /* 802.11+802.2 */
1055 return;
1056
1057 case DLT_ATM_RFC1483:
1058 case DLT_ATM_CLIP: /* Linux ATM defines this */
1059 /*
1060 * assume routed, non-ISO PDUs
1061 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1062 *
1063 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1064 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1065 * latter would presumably be treated the way PPPoE
1066 * should be, so you can do "pppoe and udp port 2049"
1067 * or "pppoa and tcp port 80" and have it check for
1068 * PPPo{A,E} and a PPP protocol of IP and....
1069 */
1070 off_linktype = 0;
1071 off_nl = 8; /* 802.2+SNAP */
1072 off_nl_nosnap = 3; /* 802.2 */
1073 return;
1074
1075 case DLT_SUNATM:
1076 /*
1077 * Full Frontal ATM; you get AALn PDUs with an ATM
1078 * pseudo-header.
1079 */
1080 is_atm = 1;
1081 off_vpi = SUNATM_VPI_POS;
1082 off_vci = SUNATM_VCI_POS;
1083 off_proto = PROTO_POS;
1084 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
1085 off_payload = SUNATM_PKT_BEGIN_POS;
1086 off_linktype = off_payload;
1087 off_nl = off_payload+8; /* 802.2+SNAP */
1088 off_nl_nosnap = off_payload+3; /* 802.2 */
1089 return;
1090
1091 case DLT_RAW:
1092 off_linktype = -1;
1093 off_nl = 0;
1094 off_nl_nosnap = 0; /* no 802.2 LLC */
1095 return;
1096
1097 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1098 off_linktype = 14;
1099 off_nl = 16;
1100 off_nl_nosnap = 16; /* no 802.2 LLC */
1101 return;
1102
1103 case DLT_LTALK:
1104 /*
1105 * LocalTalk does have a 1-byte type field in the LLAP header,
1106 * but really it just indicates whether there is a "short" or
1107 * "long" DDP packet following.
1108 */
1109 off_linktype = -1;
1110 off_nl = 0;
1111 off_nl_nosnap = 0; /* no 802.2 LLC */
1112 return;
1113
1114 case DLT_IP_OVER_FC:
1115 /*
1116 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1117 * link-level type field. We set "off_linktype" to the
1118 * offset of the LLC header.
1119 *
1120 * To check for Ethernet types, we assume that SSAP = SNAP
1121 * is being used and pick out the encapsulated Ethernet type.
1122 * XXX - should we generate code to check for SNAP? RFC
1123 * 2625 says SNAP should be used.
1124 */
1125 off_linktype = 16;
1126 off_nl = 24; /* IPFC+802.2+SNAP */
1127 off_nl_nosnap = 19; /* IPFC+802.2 */
1128 return;
1129
1130 case DLT_FRELAY:
1131 /*
1132 * XXX - we should set this to handle SNAP-encapsulated
1133 * frames (NLPID of 0x80).
1134 */
1135 off_linktype = -1;
1136 off_nl = 0;
1137 off_nl_nosnap = 0; /* no 802.2 LLC */
1138 return;
1139
1140 /*
1141 * the only BPF-interesting FRF.16 frames are non-control frames;
1142 * Frame Relay has a variable length link-layer
1143 * so lets start with offset 4 for now and increments later on (FIXME);
1144 */
1145 case DLT_MFR:
1146 off_linktype = -1;
1147 off_nl = 4;
1148 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1149 return;
1150
1151 case DLT_APPLE_IP_OVER_IEEE1394:
1152 off_linktype = 16;
1153 off_nl = 18;
1154 off_nl_nosnap = 18; /* no 802.2 LLC */
1155 return;
1156
1157 case DLT_LINUX_IRDA:
1158 /*
1159 * Currently, only raw "link[N:M]" filtering is supported.
1160 */
1161 off_linktype = -1;
1162 off_nl = -1;
1163 off_nl_nosnap = -1;
1164 return;
1165
1166 case DLT_DOCSIS:
1167 /*
1168 * Currently, only raw "link[N:M]" filtering is supported.
1169 */
1170 off_linktype = -1;
1171 off_nl = -1;
1172 off_nl_nosnap = -1;
1173 return;
1174
1175 case DLT_SYMANTEC_FIREWALL:
1176 off_linktype = 6;
1177 off_nl = 44; /* Ethernet II */
1178 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
1179 return;
1180
1181 #ifdef HAVE_NET_PFVAR_H
1182 case DLT_PFLOG:
1183 off_linktype = 0;
1184 off_nl = PFLOG_HDRLEN;
1185 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */
1186 return;
1187 #endif
1188
1189 case DLT_JUNIPER_MFR:
1190 case DLT_JUNIPER_MLFR:
1191 case DLT_JUNIPER_MLPPP:
1192 case DLT_JUNIPER_PPP:
1193 case DLT_JUNIPER_CHDLC:
1194 case DLT_JUNIPER_FRELAY:
1195 off_linktype = 4;
1196 off_nl = 4;
1197 off_nl_nosnap = -1; /* no 802.2 LLC */
1198 return;
1199
1200 case DLT_JUNIPER_ATM1:
1201 off_linktype = 4; /* in reality variable between 4-8 */
1202 off_nl = 4;
1203 off_nl_nosnap = 14;
1204 return;
1205
1206 case DLT_JUNIPER_ATM2:
1207 off_linktype = 8; /* in reality variable between 8-12 */
1208 off_nl = 8;
1209 off_nl_nosnap = 18;
1210 return;
1211
1212 /* frames captured on a Juniper PPPoE service PIC
1213 * contain raw ethernet frames */
1214 case DLT_JUNIPER_PPPOE:
1215 case DLT_JUNIPER_ETHER:
1216 off_linktype = 16;
1217 off_nl = 18; /* Ethernet II */
1218 off_nl_nosnap = 21; /* 802.3+802.2 */
1219 return;
1220
1221 case DLT_JUNIPER_PPPOE_ATM:
1222 off_linktype = 4;
1223 off_nl = 6;
1224 off_nl_nosnap = -1; /* no 802.2 LLC */
1225 return;
1226
1227 case DLT_JUNIPER_GGSN:
1228 off_linktype = 6;
1229 off_nl = 12;
1230 off_nl_nosnap = -1; /* no 802.2 LLC */
1231 return;
1232
1233 case DLT_JUNIPER_ES:
1234 off_linktype = 6;
1235 off_nl = -1; /* not really a network layer but raw IP adresses */
1236 off_nl_nosnap = -1; /* no 802.2 LLC */
1237 return;
1238
1239 case DLT_JUNIPER_MONITOR:
1240 off_linktype = 12;
1241 off_nl = 12; /* raw IP/IP6 header */
1242 off_nl_nosnap = -1; /* no 802.2 LLC */
1243 return;
1244
1245 case DLT_JUNIPER_SERVICES:
1246 off_linktype = 12;
1247 off_nl = -1; /* L3 proto location dep. on cookie type */
1248 off_nl_nosnap = -1; /* no 802.2 LLC */
1249 return;
1250
1251 case DLT_JUNIPER_VP:
1252 off_linktype = 18;
1253 off_nl = -1;
1254 off_nl_nosnap = -1;
1255 return;
1256
1257 case DLT_JUNIPER_ST:
1258 off_linktype = 18;
1259 off_nl = -1;
1260 off_nl_nosnap = -1;
1261 return;
1262
1263 case DLT_JUNIPER_ISM:
1264 off_linktype = 8;
1265 off_nl = -1;
1266 off_nl_nosnap = -1;
1267 return;
1268
1269 case DLT_MTP2:
1270 off_li = 2;
1271 off_sio = 3;
1272 off_opc = 4;
1273 off_dpc = 4;
1274 off_sls = 7;
1275 off_linktype = -1;
1276 off_nl = -1;
1277 off_nl_nosnap = -1;
1278 return;
1279
1280 case DLT_MTP2_WITH_PHDR:
1281 off_li = 6;
1282 off_sio = 7;
1283 off_opc = 8;
1284 off_dpc = 8;
1285 off_sls = 11;
1286 off_linktype = -1;
1287 off_nl = -1;
1288 off_nl_nosnap = -1;
1289 return;
1290
1291 #ifdef DLT_PFSYNC
1292 case DLT_PFSYNC:
1293 off_linktype = -1;
1294 off_nl = 4;
1295 off_nl_nosnap = 4;
1296 return;
1297 #endif
1298
1299 case DLT_LINUX_LAPD:
1300 /*
1301 * Currently, only raw "link[N:M]" filtering is supported.
1302 */
1303 off_linktype = -1;
1304 off_nl = -1;
1305 off_nl_nosnap = -1;
1306 return;
1307
1308 case DLT_USB:
1309 /*
1310 * Currently, only raw "link[N:M]" filtering is supported.
1311 */
1312 off_linktype = -1;
1313 off_nl = -1;
1314 off_nl_nosnap = -1;
1315 return;
1316
1317 case DLT_BLUETOOTH_HCI_H4:
1318 /*
1319 * Currently, only raw "link[N:M]" filtering is supported.
1320 */
1321 off_linktype = -1;
1322 off_nl = -1;
1323 off_nl_nosnap = -1;
1324 return;
1325
1326 case DLT_USB_LINUX:
1327 /*
1328 * Currently, only raw "link[N:M]" filtering is supported.
1329 */
1330 off_linktype = -1;
1331 off_nl = -1;
1332 off_nl_nosnap = -1;
1333 return;
1334
1335 case DLT_CAN20B:
1336 /*
1337 * Currently, only raw "link[N:M]" filtering is supported.
1338 */
1339 off_linktype = -1;
1340 off_nl = -1;
1341 off_nl_nosnap = -1;
1342 return;
1343
1344 case DLT_IEEE802_15_4_LINUX:
1345 /*
1346 * Currently, only raw "link[N:M]" filtering is supported.
1347 */
1348 off_linktype = -1;
1349 off_nl = -1;
1350 off_nl_nosnap = -1;
1351 return;
1352
1353 case DLT_IEEE802_16_MAC_CPS_RADIO:
1354 /*
1355 * Currently, only raw "link[N:M]" filtering is supported.
1356 */
1357 off_linktype = -1;
1358 off_nl = -1;
1359 off_nl_nosnap = -1;
1360 return;
1361
1362 case DLT_IEEE802_15_4:
1363 /*
1364 * Currently, only raw "link[N:M]" filtering is supported.
1365 */
1366 off_linktype = -1;
1367 off_nl = -1;
1368 off_nl_nosnap = -1;
1369 return;
1370
1371 case DLT_SITA:
1372 /*
1373 * Currently, only raw "link[N:M]" filtering is supported.
1374 */
1375 off_linktype = -1;
1376 off_nl = -1;
1377 off_nl_nosnap = -1;
1378 return;
1379
1380 case DLT_RAIF1:
1381 /*
1382 * Currently, only raw "link[N:M]" filtering is supported.
1383 */
1384 off_linktype = -1;
1385 off_nl = -1;
1386 off_nl_nosnap = -1;
1387 return;
1388
1389 case DLT_IPMB:
1390 /*
1391 * Currently, only raw "link[N:M]" filtering is supported.
1392 */
1393 off_linktype = -1;
1394 off_nl = -1;
1395 off_nl_nosnap = -1;
1396 return;
1397
1398 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
1399 /*
1400 * Currently, only raw "link[N:M]" filtering is supported.
1401 */
1402 off_linktype = -1;
1403 off_nl = -1;
1404 off_nl_nosnap = -1;
1405 return;
1406 }
1407 bpf_error("unknown data link type %d", linktype);
1408 /* NOTREACHED */
1409 }
1410
1411 /*
1412 * Load a value relative to the beginning of the link-layer header.
1413 * The link-layer header doesn't necessarily begin at the beginning
1414 * of the packet data; there might be a variable-length prefix containing
1415 * radio information.
1416 */
1417 static struct slist *
1418 gen_load_llrel(offset, size)
1419 u_int offset, size;
1420 {
1421 struct slist *s, *s2;
1422
1423 s = gen_llprefixlen();
1424
1425 /*
1426 * If "s" is non-null, it has code to arrange that the X register
1427 * contains the length of the prefix preceding the link-layer
1428 * header.
1429 *
1430 * Otherwise, the length of the prefix preceding the link-layer
1431 * header is "off_ll".
1432 */
1433 if (s != NULL) {
1434 /*
1435 * There's a variable-length prefix preceding the
1436 * link-layer header. "s" points to a list of statements
1437 * that put the length of that prefix into the X register.
1438 * do an indirect load, to use the X register as an offset.
1439 */
1440 s2 = new_stmt(BPF_LD|BPF_IND|size);
1441 s2->s.k = offset;
1442 sappend(s, s2);
1443 } else {
1444 /*
1445 * There is no variable-length header preceding the
1446 * link-layer header; add in off_ll, which, if there's
1447 * a fixed-length header preceding the link-layer header,
1448 * is the length of that header.
1449 */
1450 s = new_stmt(BPF_LD|BPF_ABS|size);
1451 s->s.k = offset + off_ll;
1452 }
1453 return s;
1454 }
1455
1456 /*
1457 * Load a value relative to the beginning of the specified header.
1458 */
1459 static struct slist *
1460 gen_load_a(offrel, offset, size)
1461 enum e_offrel offrel;
1462 u_int offset, size;
1463 {
1464 struct slist *s, *s2;
1465
1466 switch (offrel) {
1467
1468 case OR_PACKET:
1469 s = new_stmt(BPF_LD|BPF_ABS|size);
1470 s->s.k = offset;
1471 break;
1472
1473 case OR_LINK:
1474 s = gen_load_llrel(offset, size);
1475 break;
1476
1477 case OR_NET:
1478 s = gen_load_llrel(off_nl + offset, size);
1479 break;
1480
1481 case OR_NET_NOSNAP:
1482 s = gen_load_llrel(off_nl_nosnap + offset, size);
1483 break;
1484
1485 case OR_TRAN_IPV4:
1486 /*
1487 * Load the X register with the length of the IPv4 header
1488 * (plus the offset of the link-layer header, if it's
1489 * preceded by a variable-length header such as a radio
1490 * header), in bytes.
1491 */
1492 s = gen_loadx_iphdrlen();
1493
1494 /*
1495 * Load the item at {offset of the link-layer header} +
1496 * {offset, relative to the start of the link-layer
1497 * header, of the IPv4 header} + {length of the IPv4 header} +
1498 * {specified offset}.
1499 *
1500 * (If the link-layer is variable-length, it's included
1501 * in the value in the X register, and off_ll is 0.)
1502 */
1503 s2 = new_stmt(BPF_LD|BPF_IND|size);
1504 s2->s.k = off_ll + off_nl + offset;
1505 sappend(s, s2);
1506 break;
1507
1508 case OR_TRAN_IPV6:
1509 s = gen_load_llrel(off_nl + 40 + offset, size);
1510 break;
1511
1512 default:
1513 abort();
1514 return NULL;
1515 }
1516 return s;
1517 }
1518
1519 /*
1520 * Generate code to load into the X register the sum of the length of
1521 * the IPv4 header and any variable-length header preceding the link-layer
1522 * header.
1523 */
1524 static struct slist *
1525 gen_loadx_iphdrlen()
1526 {
1527 struct slist *s, *s2;
1528
1529 s = gen_llprefixlen();
1530 if (s != NULL) {
1531 /*
1532 * There's a variable-length prefix preceding the
1533 * link-layer header. "s" points to a list of statements
1534 * that put the length of that prefix into the X register.
1535 * The 4*([k]&0xf) addressing mode can't be used, as we
1536 * don't have a constant offset, so we have to load the
1537 * value in question into the A register and add to it
1538 * the value from the X register.
1539 */
1540 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1541 s2->s.k = off_nl;
1542 sappend(s, s2);
1543 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1544 s2->s.k = 0xf;
1545 sappend(s, s2);
1546 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1547 s2->s.k = 2;
1548 sappend(s, s2);
1549
1550 /*
1551 * The A register now contains the length of the
1552 * IP header. We need to add to it the length
1553 * of the prefix preceding the link-layer
1554 * header, which is still in the X register, and
1555 * move the result into the X register.
1556 */
1557 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1558 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1559 } else {
1560 /*
1561 * There is no variable-length header preceding the
1562 * link-layer header; add in off_ll, which, if there's
1563 * a fixed-length header preceding the link-layer header,
1564 * is the length of that header.
1565 */
1566 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1567 s->s.k = off_ll + off_nl;
1568 }
1569 return s;
1570 }
1571
1572 static struct block *
1573 gen_uncond(rsense)
1574 int rsense;
1575 {
1576 struct block *b;
1577 struct slist *s;
1578
1579 s = new_stmt(BPF_LD|BPF_IMM);
1580 s->s.k = !rsense;
1581 b = new_block(JMP(BPF_JEQ));
1582 b->stmts = s;
1583
1584 return b;
1585 }
1586
1587 static inline struct block *
1588 gen_true()
1589 {
1590 return gen_uncond(1);
1591 }
1592
1593 static inline struct block *
1594 gen_false()
1595 {
1596 return gen_uncond(0);
1597 }
1598
1599 /*
1600 * Byte-swap a 32-bit number.
1601 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1602 * big-endian platforms.)
1603 */
1604 #define SWAPLONG(y) \
1605 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1606
1607 /*
1608 * Generate code to match a particular packet type.
1609 *
1610 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1611 * value, if <= ETHERMTU. We use that to determine whether to
1612 * match the type/length field or to check the type/length field for
1613 * a value <= ETHERMTU to see whether it's a type field and then do
1614 * the appropriate test.
1615 */
1616 static struct block *
1617 gen_ether_linktype(proto)
1618 register int proto;
1619 {
1620 struct block *b0, *b1;
1621
1622 switch (proto) {
1623
1624 case LLCSAP_ISONS:
1625 case LLCSAP_IP:
1626 case LLCSAP_NETBEUI:
1627 /*
1628 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1629 * so we check the DSAP and SSAP.
1630 *
1631 * LLCSAP_IP checks for IP-over-802.2, rather
1632 * than IP-over-Ethernet or IP-over-SNAP.
1633 *
1634 * XXX - should we check both the DSAP and the
1635 * SSAP, like this, or should we check just the
1636 * DSAP, as we do for other types <= ETHERMTU
1637 * (i.e., other SAP values)?
1638 */
1639 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1640 gen_not(b0);
1641 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1642 ((proto << 8) | proto));
1643 gen_and(b0, b1);
1644 return b1;
1645
1646 case LLCSAP_IPX:
1647 /*
1648 * Check for;
1649 *
1650 * Ethernet_II frames, which are Ethernet
1651 * frames with a frame type of ETHERTYPE_IPX;
1652 *
1653 * Ethernet_802.3 frames, which are 802.3
1654 * frames (i.e., the type/length field is
1655 * a length field, <= ETHERMTU, rather than
1656 * a type field) with the first two bytes
1657 * after the Ethernet/802.3 header being
1658 * 0xFFFF;
1659 *
1660 * Ethernet_802.2 frames, which are 802.3
1661 * frames with an 802.2 LLC header and
1662 * with the IPX LSAP as the DSAP in the LLC
1663 * header;
1664 *
1665 * Ethernet_SNAP frames, which are 802.3
1666 * frames with an LLC header and a SNAP
1667 * header and with an OUI of 0x000000
1668 * (encapsulated Ethernet) and a protocol
1669 * ID of ETHERTYPE_IPX in the SNAP header.
1670 *
1671 * XXX - should we generate the same code both
1672 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1673 */
1674
1675 /*
1676 * This generates code to check both for the
1677 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1678 */
1679 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1680 (bpf_int32)LLCSAP_IPX);
1681 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H,
1682 (bpf_int32)0xFFFF);
1683 gen_or(b0, b1);
1684
1685 /*
1686 * Now we add code to check for SNAP frames with
1687 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1688 */
1689 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1690 gen_or(b0, b1);
1691
1692 /*
1693 * Now we generate code to check for 802.3
1694 * frames in general.
1695 */
1696 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1697 gen_not(b0);
1698
1699 /*
1700 * Now add the check for 802.3 frames before the
1701 * check for Ethernet_802.2 and Ethernet_802.3,
1702 * as those checks should only be done on 802.3
1703 * frames, not on Ethernet frames.
1704 */
1705 gen_and(b0, b1);
1706
1707 /*
1708 * Now add the check for Ethernet_II frames, and
1709 * do that before checking for the other frame
1710 * types.
1711 */
1712 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1713 (bpf_int32)ETHERTYPE_IPX);
1714 gen_or(b0, b1);
1715 return b1;
1716
1717 case ETHERTYPE_ATALK:
1718 case ETHERTYPE_AARP:
1719 /*
1720 * EtherTalk (AppleTalk protocols on Ethernet link
1721 * layer) may use 802.2 encapsulation.
1722 */
1723
1724 /*
1725 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1726 * we check for an Ethernet type field less than
1727 * 1500, which means it's an 802.3 length field.
1728 */
1729 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1730 gen_not(b0);
1731
1732 /*
1733 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1734 * SNAP packets with an organization code of
1735 * 0x080007 (Apple, for Appletalk) and a protocol
1736 * type of ETHERTYPE_ATALK (Appletalk).
1737 *
1738 * 802.2-encapsulated ETHERTYPE_AARP packets are
1739 * SNAP packets with an organization code of
1740 * 0x000000 (encapsulated Ethernet) and a protocol
1741 * type of ETHERTYPE_AARP (Appletalk ARP).
1742 */
1743 if (proto == ETHERTYPE_ATALK)
1744 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1745 else /* proto == ETHERTYPE_AARP */
1746 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1747 gen_and(b0, b1);
1748
1749 /*
1750 * Check for Ethernet encapsulation (Ethertalk
1751 * phase 1?); we just check for the Ethernet
1752 * protocol type.
1753 */
1754 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1755
1756 gen_or(b0, b1);
1757 return b1;
1758
1759 default:
1760 if (proto <= ETHERMTU) {
1761 /*
1762 * This is an LLC SAP value, so the frames
1763 * that match would be 802.2 frames.
1764 * Check that the frame is an 802.2 frame
1765 * (i.e., that the length/type field is
1766 * a length field, <= ETHERMTU) and
1767 * then check the DSAP.
1768 */
1769 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1770 gen_not(b0);
1771 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1772 (bpf_int32)proto);
1773 gen_and(b0, b1);
1774 return b1;
1775 } else {
1776 /*
1777 * This is an Ethernet type, so compare
1778 * the length/type field with it (if
1779 * the frame is an 802.2 frame, the length
1780 * field will be <= ETHERMTU, and, as
1781 * "proto" is > ETHERMTU, this test
1782 * will fail and the frame won't match,
1783 * which is what we want).
1784 */
1785 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1786 (bpf_int32)proto);
1787 }
1788 }
1789 }
1790
1791 /*
1792 * Generate code to match a particular packet type.
1793 *
1794 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1795 * value, if <= ETHERMTU. We use that to determine whether to
1796 * match the type field or to check the type field for the special
1797 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1798 */
1799 static struct block *
1800 gen_linux_sll_linktype(proto)
1801 register int proto;
1802 {
1803 struct block *b0, *b1;
1804
1805 switch (proto) {
1806
1807 case LLCSAP_ISONS:
1808 case LLCSAP_IP:
1809 case LLCSAP_NETBEUI:
1810 /*
1811 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1812 * so we check the DSAP and SSAP.
1813 *
1814 * LLCSAP_IP checks for IP-over-802.2, rather
1815 * than IP-over-Ethernet or IP-over-SNAP.
1816 *
1817 * XXX - should we check both the DSAP and the
1818 * SSAP, like this, or should we check just the
1819 * DSAP, as we do for other types <= ETHERMTU
1820 * (i.e., other SAP values)?
1821 */
1822 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1823 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1824 ((proto << 8) | proto));
1825 gen_and(b0, b1);
1826 return b1;
1827
1828 case LLCSAP_IPX:
1829 /*
1830 * Ethernet_II frames, which are Ethernet
1831 * frames with a frame type of ETHERTYPE_IPX;
1832 *
1833 * Ethernet_802.3 frames, which have a frame
1834 * type of LINUX_SLL_P_802_3;
1835 *
1836 * Ethernet_802.2 frames, which are 802.3
1837 * frames with an 802.2 LLC header (i.e, have
1838 * a frame type of LINUX_SLL_P_802_2) and
1839 * with the IPX LSAP as the DSAP in the LLC
1840 * header;
1841 *
1842 * Ethernet_SNAP frames, which are 802.3
1843 * frames with an LLC header and a SNAP
1844 * header and with an OUI of 0x000000
1845 * (encapsulated Ethernet) and a protocol
1846 * ID of ETHERTYPE_IPX in the SNAP header.
1847 *
1848 * First, do the checks on LINUX_SLL_P_802_2
1849 * frames; generate the check for either
1850 * Ethernet_802.2 or Ethernet_SNAP frames, and
1851 * then put a check for LINUX_SLL_P_802_2 frames
1852 * before it.
1853 */
1854 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1855 (bpf_int32)LLCSAP_IPX);
1856 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1857 off_linktype + 2);
1858 gen_or(b0, b1);
1859 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1860 gen_and(b0, b1);
1861
1862 /*
1863 * Now check for 802.3 frames and OR that with
1864 * the previous test.
1865 */
1866 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
1867 gen_or(b0, b1);
1868
1869 /*
1870 * Now add the check for Ethernet_II frames, and
1871 * do that before checking for the other frame
1872 * types.
1873 */
1874 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1875 (bpf_int32)ETHERTYPE_IPX);
1876 gen_or(b0, b1);
1877 return b1;
1878
1879 case ETHERTYPE_ATALK:
1880 case ETHERTYPE_AARP:
1881 /*
1882 * EtherTalk (AppleTalk protocols on Ethernet link
1883 * layer) may use 802.2 encapsulation.
1884 */
1885
1886 /*
1887 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1888 * we check for the 802.2 protocol type in the
1889 * "Ethernet type" field.
1890 */
1891 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1892
1893 /*
1894 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1895 * SNAP packets with an organization code of
1896 * 0x080007 (Apple, for Appletalk) and a protocol
1897 * type of ETHERTYPE_ATALK (Appletalk).
1898 *
1899 * 802.2-encapsulated ETHERTYPE_AARP packets are
1900 * SNAP packets with an organization code of
1901 * 0x000000 (encapsulated Ethernet) and a protocol
1902 * type of ETHERTYPE_AARP (Appletalk ARP).
1903 */
1904 if (proto == ETHERTYPE_ATALK)
1905 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1906 off_linktype + 2);
1907 else /* proto == ETHERTYPE_AARP */
1908 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1909 off_linktype + 2);
1910 gen_and(b0, b1);
1911
1912 /*
1913 * Check for Ethernet encapsulation (Ethertalk
1914 * phase 1?); we just check for the Ethernet
1915 * protocol type.
1916 */
1917 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1918
1919 gen_or(b0, b1);
1920 return b1;
1921
1922 default:
1923 if (proto <= ETHERMTU) {
1924 /*
1925 * This is an LLC SAP value, so the frames
1926 * that match would be 802.2 frames.
1927 * Check for the 802.2 protocol type
1928 * in the "Ethernet type" field, and
1929 * then check the DSAP.
1930 */
1931 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1932 LINUX_SLL_P_802_2);
1933 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1934 (bpf_int32)proto);
1935 gen_and(b0, b1);
1936 return b1;
1937 } else {
1938 /*
1939 * This is an Ethernet type, so compare
1940 * the length/type field with it (if
1941 * the frame is an 802.2 frame, the length
1942 * field will be <= ETHERMTU, and, as
1943 * "proto" is > ETHERMTU, this test
1944 * will fail and the frame won't match,
1945 * which is what we want).
1946 */
1947 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1948 (bpf_int32)proto);
1949 }
1950 }
1951 }
1952
1953 static void
1954 insert_radiotap_load_llprefixlen(b)
1955 struct block *b;
1956 {
1957 struct slist *s1, *s2;
1958
1959 /*
1960 * Prepend to the statements in this block code to load the
1961 * length of the radiotap header into the register assigned
1962 * to hold that length, if one has been assigned.
1963 */
1964 if (reg_ll_size != -1) {
1965 /*
1966 * The 2 bytes at offsets of 2 and 3 from the beginning
1967 * of the radiotap header are the length of the radiotap
1968 * header; unfortunately, it's little-endian, so we have
1969 * to load it a byte at a time and construct the value.
1970 */
1971
1972 /*
1973 * Load the high-order byte, at an offset of 3, shift it
1974 * left a byte, and put the result in the X register.
1975 */
1976 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1977 s1->s.k = 3;
1978 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1979 sappend(s1, s2);
1980 s2->s.k = 8;
1981 s2 = new_stmt(BPF_MISC|BPF_TAX);
1982 sappend(s1, s2);
1983
1984 /*
1985 * Load the next byte, at an offset of 2, and OR the
1986 * value from the X register into it.
1987 */
1988 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1989 sappend(s1, s2);
1990 s2->s.k = 2;
1991 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
1992 sappend(s1, s2);
1993
1994 /*
1995 * Now allocate a register to hold that value and store
1996 * it.
1997 */
1998 s2 = new_stmt(BPF_ST);
1999 s2->s.k = reg_ll_size;
2000 sappend(s1, s2);
2001
2002 /*
2003 * Now move it into the X register.
2004 */
2005 s2 = new_stmt(BPF_MISC|BPF_TAX);
2006 sappend(s1, s2);
2007
2008 /*
2009 * Now append all the existing statements in this
2010 * block to these statements.
2011 */
2012 sappend(s1, b->stmts);
2013 b->stmts = s1;
2014 }
2015 }
2016
2017 /*
2018 * At the moment we treat PPI as normal Radiotap encoded
2019 * packets. The difference is in the function that generates
2020 * the code at the beginning to compute the header length.
2021 * Since this code generator of PPI supports bare 802.11
2022 * encapsulation only (i.e. the encapsulated DLT should be
2023 * DLT_IEEE802_11) we generate code to check for this too.
2024 */
2025 static void
2026 insert_ppi_load_llprefixlen(b)
2027 struct block *b;
2028 {
2029 struct slist *s1, *s2;
2030
2031 /*
2032 * Prepend to the statements in this block code to load the
2033 * length of the radiotap header into the register assigned
2034 * to hold that length, if one has been assigned.
2035 */
2036 if (reg_ll_size != -1) {
2037 /*
2038 * The 2 bytes at offsets of 2 and 3 from the beginning
2039 * of the radiotap header are the length of the radiotap
2040 * header; unfortunately, it's little-endian, so we have
2041 * to load it a byte at a time and construct the value.
2042 */
2043
2044 /*
2045 * Load the high-order byte, at an offset of 3, shift it
2046 * left a byte, and put the result in the X register.
2047 */
2048 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2049 s1->s.k = 3;
2050 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2051 sappend(s1, s2);
2052 s2->s.k = 8;
2053 s2 = new_stmt(BPF_MISC|BPF_TAX);
2054 sappend(s1, s2);
2055
2056 /*
2057 * Load the next byte, at an offset of 2, and OR the
2058 * value from the X register into it.
2059 */
2060 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2061 sappend(s1, s2);
2062 s2->s.k = 2;
2063 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2064 sappend(s1, s2);
2065
2066 /*
2067 * Now allocate a register to hold that value and store
2068 * it.
2069 */
2070 s2 = new_stmt(BPF_ST);
2071 s2->s.k = reg_ll_size;
2072 sappend(s1, s2);
2073
2074 /*
2075 * Now move it into the X register.
2076 */
2077 s2 = new_stmt(BPF_MISC|BPF_TAX);
2078 sappend(s1, s2);
2079
2080 /*
2081 * Now append all the existing statements in this
2082 * block to these statements.
2083 */
2084 sappend(s1, b->stmts);
2085 b->stmts = s1;
2086
2087 }
2088 }
2089
2090 static struct block *
2091 gen_ppi_dlt_check(void)
2092 {
2093 struct slist *s_load_dlt;
2094 struct block *b;
2095
2096 if (linktype == DLT_PPI)
2097 {
2098 /* Create the statements that check for the DLT
2099 */
2100 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2101 s_load_dlt->s.k = 4;
2102
2103 b = new_block(JMP(BPF_JEQ));
2104
2105 b->stmts = s_load_dlt;
2106 b->s.k = SWAPLONG(DLT_IEEE802_11);
2107 }
2108 else
2109 {
2110 b = NULL;
2111 }
2112
2113 return b;
2114 }
2115
2116 static void
2117 insert_load_llprefixlen(b)
2118 struct block *b;
2119 {
2120 switch (linktype) {
2121
2122 /*
2123 * At the moment we treat PPI as normal Radiotap encoded
2124 * packets. The difference is in the function that generates
2125 * the code at the beginning to compute the header length.
2126 * Since this code generator of PPI supports bare 802.11
2127 * encapsulation only (i.e. the encapsulated DLT should be
2128 * DLT_IEEE802_11) we generate code to check for this too.
2129 */
2130 case DLT_PPI:
2131 insert_ppi_load_llprefixlen(b);
2132 break;
2133
2134 case DLT_IEEE802_11_RADIO:
2135 insert_radiotap_load_llprefixlen(b);
2136 break;
2137 }
2138 }
2139
2140
2141 static struct slist *
2142 gen_radiotap_llprefixlen(void)
2143 {
2144 struct slist *s;
2145
2146 if (reg_ll_size == -1) {
2147 /*
2148 * We haven't yet assigned a register for the length
2149 * of the radiotap header; allocate one.
2150 */
2151 reg_ll_size = alloc_reg();
2152 }
2153
2154 /*
2155 * Load the register containing the radiotap length
2156 * into the X register.
2157 */
2158 s = new_stmt(BPF_LDX|BPF_MEM);
2159 s->s.k = reg_ll_size;
2160 return s;
2161 }
2162
2163 /*
2164 * At the moment we treat PPI as normal Radiotap encoded
2165 * packets. The difference is in the function that generates
2166 * the code at the beginning to compute the header length.
2167 * Since this code generator of PPI supports bare 802.11
2168 * encapsulation only (i.e. the encapsulated DLT should be
2169 * DLT_IEEE802_11) we generate code to check for this too.
2170 */
2171 static struct slist *
2172 gen_ppi_llprefixlen(void)
2173 {
2174 struct slist *s;
2175
2176 if (reg_ll_size == -1) {
2177 /*
2178 * We haven't yet assigned a register for the length
2179 * of the radiotap header; allocate one.
2180 */
2181 reg_ll_size = alloc_reg();
2182 }
2183
2184 /*
2185 * Load the register containing the radiotap length
2186 * into the X register.
2187 */
2188 s = new_stmt(BPF_LDX|BPF_MEM);
2189 s->s.k = reg_ll_size;
2190 return s;
2191 }
2192
2193
2194
2195 /*
2196 * Generate code to compute the link-layer header length, if necessary,
2197 * putting it into the X register, and to return either a pointer to a
2198 * "struct slist" for the list of statements in that code, or NULL if
2199 * no code is necessary.
2200 */
2201 static struct slist *
2202 gen_llprefixlen(void)
2203 {
2204 switch (linktype) {
2205
2206 case DLT_PPI:
2207 return gen_ppi_llprefixlen();
2208
2209
2210 case DLT_IEEE802_11_RADIO:
2211 return gen_radiotap_llprefixlen();
2212
2213 default:
2214 return NULL;
2215 }
2216 }
2217
2218 /*
2219 * Generate code to match a particular packet type by matching the
2220 * link-layer type field or fields in the 802.2 LLC header.
2221 *
2222 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2223 * value, if <= ETHERMTU.
2224 */
2225 static struct block *
2226 gen_linktype(proto)
2227 register int proto;
2228 {
2229 struct block *b0, *b1, *b2;
2230
2231 /* are we checking MPLS-encapsulated packets? */
2232 if (label_stack_depth > 0) {
2233 switch (proto) {
2234 case ETHERTYPE_IP:
2235 case PPP_IP:
2236 /* FIXME add other L3 proto IDs */
2237 return gen_mpls_linktype(Q_IP);
2238
2239 case ETHERTYPE_IPV6:
2240 case PPP_IPV6:
2241 /* FIXME add other L3 proto IDs */
2242 return gen_mpls_linktype(Q_IPV6);
2243
2244 default:
2245 bpf_error("unsupported protocol over mpls");
2246 /* NOTREACHED */
2247 }
2248 }
2249
2250 switch (linktype) {
2251
2252 case DLT_EN10MB:
2253 return gen_ether_linktype(proto);
2254 /*NOTREACHED*/
2255 break;
2256
2257 case DLT_C_HDLC:
2258 switch (proto) {
2259
2260 case LLCSAP_ISONS:
2261 proto = (proto << 8 | LLCSAP_ISONS);
2262 /* fall through */
2263
2264 default:
2265 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2266 (bpf_int32)proto);
2267 /*NOTREACHED*/
2268 break;
2269 }
2270 break;
2271
2272 case DLT_PPI:
2273 case DLT_FDDI:
2274 case DLT_IEEE802:
2275 case DLT_IEEE802_11:
2276 case DLT_IEEE802_11_RADIO_AVS:
2277 case DLT_IEEE802_11_RADIO:
2278 case DLT_PRISM_HEADER:
2279 case DLT_ATM_RFC1483:
2280 case DLT_ATM_CLIP:
2281 case DLT_IP_OVER_FC:
2282 return gen_llc_linktype(proto);
2283 /*NOTREACHED*/
2284 break;
2285
2286 case DLT_SUNATM:
2287 /*
2288 * If "is_lane" is set, check for a LANE-encapsulated
2289 * version of this protocol, otherwise check for an
2290 * LLC-encapsulated version of this protocol.
2291 *
2292 * We assume LANE means Ethernet, not Token Ring.
2293 */
2294 if (is_lane) {
2295 /*
2296 * Check that the packet doesn't begin with an
2297 * LE Control marker. (We've already generated
2298 * a test for LANE.)
2299 */
2300 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
2301 0xFF00);
2302 gen_not(b0);
2303
2304 /*
2305 * Now generate an Ethernet test.
2306 */
2307 b1 = gen_ether_linktype(proto);
2308 gen_and(b0, b1);
2309 return b1;
2310 } else {
2311 /*
2312 * Check for LLC encapsulation and then check the
2313 * protocol.
2314 */
2315 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
2316 b1 = gen_llc_linktype(proto);
2317 gen_and(b0, b1);
2318 return b1;
2319 }
2320 /*NOTREACHED*/
2321 break;
2322
2323 case DLT_LINUX_SLL:
2324 return gen_linux_sll_linktype(proto);
2325 /*NOTREACHED*/
2326 break;
2327
2328 case DLT_SLIP:
2329 case DLT_SLIP_BSDOS:
2330 case DLT_RAW:
2331 /*
2332 * These types don't provide any type field; packets
2333 * are always IPv4 or IPv6.
2334 *
2335 * XXX - for IPv4, check for a version number of 4, and,
2336 * for IPv6, check for a version number of 6?
2337 */
2338 switch (proto) {
2339
2340 case ETHERTYPE_IP:
2341 /* Check for a version number of 4. */
2342 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
2343 #ifdef INET6
2344 case ETHERTYPE_IPV6:
2345 /* Check for a version number of 6. */
2346 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
2347 #endif
2348
2349 default:
2350 return gen_false(); /* always false */
2351 }
2352 /*NOTREACHED*/
2353 break;
2354
2355 case DLT_PPP:
2356 case DLT_PPP_PPPD:
2357 case DLT_PPP_SERIAL:
2358 case DLT_PPP_ETHER:
2359 /*
2360 * We use Ethernet protocol types inside libpcap;
2361 * map them to the corresponding PPP protocol types.
2362 */
2363 switch (proto) {
2364
2365 case ETHERTYPE_IP:
2366 proto = PPP_IP;
2367 break;
2368
2369 #ifdef INET6
2370 case ETHERTYPE_IPV6:
2371 proto = PPP_IPV6;
2372 break;
2373 #endif
2374
2375 case ETHERTYPE_DN:
2376 proto = PPP_DECNET;
2377 break;
2378
2379 case ETHERTYPE_ATALK:
2380 proto = PPP_APPLE;
2381 break;
2382
2383 case ETHERTYPE_NS:
2384 proto = PPP_NS;
2385 break;
2386
2387 case LLCSAP_ISONS:
2388 proto = PPP_OSI;
2389 break;
2390
2391 case LLCSAP_8021D:
2392 /*
2393 * I'm assuming the "Bridging PDU"s that go
2394 * over PPP are Spanning Tree Protocol
2395 * Bridging PDUs.
2396 */
2397 proto = PPP_BRPDU;
2398 break;
2399
2400 case LLCSAP_IPX:
2401 proto = PPP_IPX;
2402 break;
2403 }
2404 break;
2405
2406 case DLT_PPP_BSDOS:
2407 /*
2408 * We use Ethernet protocol types inside libpcap;
2409 * map them to the corresponding PPP protocol types.
2410 */
2411 switch (proto) {
2412
2413 case ETHERTYPE_IP:
2414 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
2415 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
2416 gen_or(b0, b1);
2417 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
2418 gen_or(b1, b0);
2419 return b0;
2420
2421 #ifdef INET6
2422 case ETHERTYPE_IPV6:
2423 proto = PPP_IPV6;
2424 /* more to go? */
2425 break;
2426 #endif
2427
2428 case ETHERTYPE_DN:
2429 proto = PPP_DECNET;
2430 break;
2431
2432 case ETHERTYPE_ATALK:
2433 proto = PPP_APPLE;
2434 break;
2435
2436 case ETHERTYPE_NS:
2437 proto = PPP_NS;
2438 break;
2439
2440 case LLCSAP_ISONS:
2441 proto = PPP_OSI;
2442 break;
2443
2444 case LLCSAP_8021D:
2445 /*
2446 * I'm assuming the "Bridging PDU"s that go
2447 * over PPP are Spanning Tree Protocol
2448 * Bridging PDUs.
2449 */
2450 proto = PPP_BRPDU;
2451 break;
2452
2453 case LLCSAP_IPX:
2454 proto = PPP_IPX;
2455 break;
2456 }
2457 break;
2458
2459 case DLT_NULL:
2460 case DLT_LOOP:
2461 case DLT_ENC:
2462 /*
2463 * For DLT_NULL, the link-layer header is a 32-bit
2464 * word containing an AF_ value in *host* byte order,
2465 * and for DLT_ENC, the link-layer header begins
2466 * with a 32-bit work containing an AF_ value in
2467 * host byte order.
2468 *
2469 * In addition, if we're reading a saved capture file,
2470 * the host byte order in the capture may not be the
2471 * same as the host byte order on this machine.
2472 *
2473 * For DLT_LOOP, the link-layer header is a 32-bit
2474 * word containing an AF_ value in *network* byte order.
2475 *
2476 * XXX - AF_ values may, unfortunately, be platform-
2477 * dependent; for example, FreeBSD's AF_INET6 is 24
2478 * whilst NetBSD's and OpenBSD's is 26.
2479 *
2480 * This means that, when reading a capture file, just
2481 * checking for our AF_INET6 value won't work if the
2482 * capture file came from another OS.
2483 */
2484 switch (proto) {
2485
2486 case ETHERTYPE_IP:
2487 proto = AF_INET;
2488 break;
2489
2490 #ifdef INET6
2491 case ETHERTYPE_IPV6:
2492 proto = AF_INET6;
2493 break;
2494 #endif
2495
2496 default:
2497 /*
2498 * Not a type on which we support filtering.
2499 * XXX - support those that have AF_ values
2500 * #defined on this platform, at least?
2501 */
2502 return gen_false();
2503 }
2504
2505 if (linktype == DLT_NULL || linktype == DLT_ENC) {
2506 /*
2507 * The AF_ value is in host byte order, but
2508 * the BPF interpreter will convert it to
2509 * network byte order.
2510 *
2511 * If this is a save file, and it's from a
2512 * machine with the opposite byte order to
2513 * ours, we byte-swap the AF_ value.
2514 *
2515 * Then we run it through "htonl()", and
2516 * generate code to compare against the result.
2517 */
2518 if (bpf_pcap->sf.rfile != NULL &&
2519 bpf_pcap->sf.swapped)
2520 proto = SWAPLONG(proto);
2521 proto = htonl(proto);
2522 }
2523 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
2524
2525 #ifdef HAVE_NET_PFVAR_H
2526 case DLT_PFLOG:
2527 /*
2528 * af field is host byte order in contrast to the rest of
2529 * the packet.
2530 */
2531 if (proto == ETHERTYPE_IP)
2532 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2533 BPF_B, (bpf_int32)AF_INET));
2534 #ifdef INET6
2535 else if (proto == ETHERTYPE_IPV6)
2536 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2537 BPF_B, (bpf_int32)AF_INET6));
2538 #endif /* INET6 */
2539 else
2540 return gen_false();
2541 /*NOTREACHED*/
2542 break;
2543 #endif /* HAVE_NET_PFVAR_H */
2544
2545 case DLT_ARCNET:
2546 case DLT_ARCNET_LINUX:
2547 /*
2548 * XXX should we check for first fragment if the protocol
2549 * uses PHDS?
2550 */
2551 switch (proto) {
2552
2553 default:
2554 return gen_false();
2555
2556 #ifdef INET6
2557 case ETHERTYPE_IPV6:
2558 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2559 (bpf_int32)ARCTYPE_INET6));
2560 #endif /* INET6 */
2561
2562 case ETHERTYPE_IP:
2563 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2564 (bpf_int32)ARCTYPE_IP);
2565 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2566 (bpf_int32)ARCTYPE_IP_OLD);
2567 gen_or(b0, b1);
2568 return (b1);
2569
2570 case ETHERTYPE_ARP:
2571 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2572 (bpf_int32)ARCTYPE_ARP);
2573 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2574 (bpf_int32)ARCTYPE_ARP_OLD);
2575 gen_or(b0, b1);
2576 return (b1);
2577
2578 case ETHERTYPE_REVARP:
2579 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2580 (bpf_int32)ARCTYPE_REVARP));
2581
2582 case ETHERTYPE_ATALK:
2583 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2584 (bpf_int32)ARCTYPE_ATALK));
2585 }
2586 /*NOTREACHED*/
2587 break;
2588
2589 case DLT_LTALK:
2590 switch (proto) {
2591 case ETHERTYPE_ATALK:
2592 return gen_true();
2593 default:
2594 return gen_false();
2595 }
2596 /*NOTREACHED*/
2597 break;
2598
2599 case DLT_FRELAY:
2600 /*
2601 * XXX - assumes a 2-byte Frame Relay header with
2602 * DLCI and flags. What if the address is longer?
2603 */
2604 switch (proto) {
2605
2606 case ETHERTYPE_IP:
2607 /*
2608 * Check for the special NLPID for IP.
2609 */
2610 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
2611
2612 #ifdef INET6
2613 case ETHERTYPE_IPV6:
2614 /*
2615 * Check for the special NLPID for IPv6.
2616 */
2617 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
2618 #endif
2619
2620 case LLCSAP_ISONS:
2621 /*
2622 * Check for several OSI protocols.
2623 *
2624 * Frame Relay packets typically have an OSI
2625 * NLPID at the beginning; we check for each
2626 * of them.
2627 *
2628 * What we check for is the NLPID and a frame
2629 * control field of UI, i.e. 0x03 followed
2630 * by the NLPID.
2631 */
2632 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
2633 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
2634 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
2635 gen_or(b1, b2);
2636 gen_or(b0, b2);
2637 return b2;
2638
2639 default:
2640 return gen_false();
2641 }
2642 /*NOTREACHED*/
2643 break;
2644
2645 case DLT_JUNIPER_MFR:
2646 case DLT_JUNIPER_MLFR:
2647 case DLT_JUNIPER_MLPPP:
2648 case DLT_JUNIPER_ATM1:
2649 case DLT_JUNIPER_ATM2:
2650 case DLT_JUNIPER_PPPOE:
2651 case DLT_JUNIPER_PPPOE_ATM:
2652 case DLT_JUNIPER_GGSN:
2653 case DLT_JUNIPER_ES:
2654 case DLT_JUNIPER_MONITOR:
2655 case DLT_JUNIPER_SERVICES:
2656 case DLT_JUNIPER_ETHER:
2657 case DLT_JUNIPER_PPP:
2658 case DLT_JUNIPER_FRELAY:
2659 case DLT_JUNIPER_CHDLC:
2660 case DLT_JUNIPER_VP:
2661 case DLT_JUNIPER_ST:
2662 case DLT_JUNIPER_ISM:
2663 /* just lets verify the magic number for now -
2664 * on ATM we may have up to 6 different encapsulations on the wire
2665 * and need a lot of heuristics to figure out that the payload
2666 * might be;
2667 *
2668 * FIXME encapsulation specific BPF_ filters
2669 */
2670 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
2671
2672 case DLT_LINUX_IRDA:
2673 bpf_error("IrDA link-layer type filtering not implemented");
2674
2675 case DLT_DOCSIS:
2676 bpf_error("DOCSIS link-layer type filtering not implemented");
2677
2678 case DLT_LINUX_LAPD:
2679 bpf_error("LAPD link-layer type filtering not implemented");
2680 }
2681
2682 /*
2683 * All the types that have no encapsulation should either be
2684 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
2685 * all packets are IP packets, or should be handled in some
2686 * special case, if none of them are (if some are and some
2687 * aren't, the lack of encapsulation is a problem, as we'd
2688 * have to find some other way of determining the packet type).
2689 *
2690 * Therefore, if "off_linktype" is -1, there's an error.
2691 */
2692 if (off_linktype == (u_int)-1)
2693 abort();
2694
2695 /*
2696 * Any type not handled above should always have an Ethernet
2697 * type at an offset of "off_linktype". (PPP is partially
2698 * handled above - the protocol type is mapped from the
2699 * Ethernet and LLC types we use internally to the corresponding
2700 * PPP type - but the PPP type is always specified by a value
2701 * at "off_linktype", so we don't have to do the code generation
2702 * above.)
2703 */
2704 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2705 }
2706
2707 /*
2708 * Check for an LLC SNAP packet with a given organization code and
2709 * protocol type; we check the entire contents of the 802.2 LLC and
2710 * snap headers, checking for DSAP and SSAP of SNAP and a control
2711 * field of 0x03 in the LLC header, and for the specified organization
2712 * code and protocol type in the SNAP header.
2713 */
2714 static struct block *
2715 gen_snap(orgcode, ptype, offset)
2716 bpf_u_int32 orgcode;
2717 bpf_u_int32 ptype;
2718 u_int offset;
2719 {
2720 u_char snapblock[8];
2721
2722 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
2723 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
2724 snapblock[2] = 0x03; /* control = UI */
2725 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
2726 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
2727 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
2728 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
2729 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
2730 return gen_bcmp(OR_LINK, offset, 8, snapblock);
2731 }
2732
2733 /*
2734 * Generate code to match a particular packet type, for link-layer types
2735 * using 802.2 LLC headers.
2736 *
2737 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
2738 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
2739 *
2740 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2741 * value, if <= ETHERMTU. We use that to determine whether to
2742 * match the DSAP or both DSAP and LSAP or to check the OUI and
2743 * protocol ID in a SNAP header.
2744 */
2745 static struct block *
2746 gen_llc_linktype(proto)
2747 int proto;
2748 {
2749 /*
2750 * XXX - handle token-ring variable-length header.
2751 */
2752 switch (proto) {
2753
2754 case LLCSAP_IP:
2755 case LLCSAP_ISONS:
2756 case LLCSAP_NETBEUI:
2757 /*
2758 * XXX - should we check both the DSAP and the
2759 * SSAP, like this, or should we check just the
2760 * DSAP, as we do for other types <= ETHERMTU
2761 * (i.e., other SAP values)?
2762 */
2763 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32)
2764 ((proto << 8) | proto));
2765
2766 case LLCSAP_IPX:
2767 /*
2768 * XXX - are there ever SNAP frames for IPX on
2769 * non-Ethernet 802.x networks?
2770 */
2771 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2772 (bpf_int32)LLCSAP_IPX);
2773
2774 case ETHERTYPE_ATALK:
2775 /*
2776 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2777 * SNAP packets with an organization code of
2778 * 0x080007 (Apple, for Appletalk) and a protocol
2779 * type of ETHERTYPE_ATALK (Appletalk).
2780 *
2781 * XXX - check for an organization code of
2782 * encapsulated Ethernet as well?
2783 */
2784 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
2785
2786 default:
2787 /*
2788 * XXX - we don't have to check for IPX 802.3
2789 * here, but should we check for the IPX Ethertype?
2790 */
2791 if (proto <= ETHERMTU) {
2792 /*
2793 * This is an LLC SAP value, so check
2794 * the DSAP.
2795 */
2796 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2797 (bpf_int32)proto);
2798 } else {
2799 /*
2800 * This is an Ethernet type; we assume that it's
2801 * unlikely that it'll appear in the right place
2802 * at random, and therefore check only the
2803 * location that would hold the Ethernet type
2804 * in a SNAP frame with an organization code of
2805 * 0x000000 (encapsulated Ethernet).
2806 *
2807 * XXX - if we were to check for the SNAP DSAP and
2808 * LSAP, as per XXX, and were also to check for an
2809 * organization code of 0x000000 (encapsulated
2810 * Ethernet), we'd do
2811 *
2812 * return gen_snap(0x000000, proto,
2813 * off_linktype);
2814 *
2815 * here; for now, we don't, as per the above.
2816 * I don't know whether it's worth the extra CPU
2817 * time to do the right check or not.
2818 */
2819 return gen_cmp(OR_LINK, off_linktype+6, BPF_H,
2820 (bpf_int32)proto);
2821 }
2822 }
2823 }
2824
2825 static struct block *
2826 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
2827 bpf_u_int32 addr;
2828 bpf_u_int32 mask;
2829 int dir, proto;
2830 u_int src_off, dst_off;
2831 {
2832 struct block *b0, *b1;
2833 u_int offset;
2834
2835 switch (dir) {
2836
2837 case Q_SRC:
2838 offset = src_off;
2839 break;
2840
2841 case Q_DST:
2842 offset = dst_off;
2843 break;
2844
2845 case Q_AND:
2846 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2847 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2848 gen_and(b0, b1);
2849 return b1;
2850
2851 case Q_OR:
2852 case Q_DEFAULT:
2853 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2854 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2855 gen_or(b0, b1);
2856 return b1;
2857
2858 default:
2859 abort();
2860 }
2861 b0 = gen_linktype(proto);
2862 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
2863 gen_and(b0, b1);
2864 return b1;
2865 }
2866
2867 #ifdef INET6
2868 static struct block *
2869 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
2870 struct in6_addr *addr;
2871 struct in6_addr *mask;
2872 int dir, proto;
2873 u_int src_off, dst_off;
2874 {
2875 struct block *b0, *b1;
2876 u_int offset;
2877 u_int32_t *a, *m;
2878
2879 switch (dir) {
2880
2881 case Q_SRC:
2882 offset = src_off;
2883 break;
2884
2885 case Q_DST:
2886 offset = dst_off;
2887 break;
2888
2889 case Q_AND:
2890 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2891 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2892 gen_and(b0, b1);
2893 return b1;
2894
2895 case Q_OR:
2896 case Q_DEFAULT:
2897 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2898 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2899 gen_or(b0, b1);
2900 return b1;
2901
2902 default:
2903 abort();
2904 }
2905 /* this order is important */
2906 a = (u_int32_t *)addr;
2907 m = (u_int32_t *)mask;
2908 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2909 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2910 gen_and(b0, b1);
2911 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2912 gen_and(b0, b1);
2913 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2914 gen_and(b0, b1);
2915 b0 = gen_linktype(proto);
2916 gen_and(b0, b1);
2917 return b1;
2918 }
2919 #endif /*INET6*/
2920
2921 static struct block *
2922 gen_ehostop(eaddr, dir)
2923 register const u_char *eaddr;
2924 register int dir;
2925 {
2926 register struct block *b0, *b1;
2927
2928 switch (dir) {
2929 case Q_SRC:
2930 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
2931
2932 case Q_DST:
2933 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
2934
2935 case Q_AND:
2936 b0 = gen_ehostop(eaddr, Q_SRC);
2937 b1 = gen_ehostop(eaddr, Q_DST);
2938 gen_and(b0, b1);
2939 return b1;
2940
2941 case Q_DEFAULT:
2942 case Q_OR:
2943 b0 = gen_ehostop(eaddr, Q_SRC);
2944 b1 = gen_ehostop(eaddr, Q_DST);
2945 gen_or(b0, b1);
2946 return b1;
2947 }
2948 abort();
2949 /* NOTREACHED */
2950 }
2951
2952 /*
2953 * Like gen_ehostop, but for DLT_FDDI
2954 */
2955 static struct block *
2956 gen_fhostop(eaddr, dir)
2957 register const u_char *eaddr;
2958 register int dir;
2959 {
2960 struct block *b0, *b1;
2961
2962 switch (dir) {
2963 case Q_SRC:
2964 #ifdef PCAP_FDDIPAD
2965 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
2966 #else
2967 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
2968 #endif
2969
2970 case Q_DST:
2971 #ifdef PCAP_FDDIPAD
2972 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
2973 #else
2974 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
2975 #endif
2976
2977 case Q_AND:
2978 b0 = gen_fhostop(eaddr, Q_SRC);
2979 b1 = gen_fhostop(eaddr, Q_DST);
2980 gen_and(b0, b1);
2981 return b1;
2982
2983 case Q_DEFAULT:
2984 case Q_OR:
2985 b0 = gen_fhostop(eaddr, Q_SRC);
2986 b1 = gen_fhostop(eaddr, Q_DST);
2987 gen_or(b0, b1);
2988 return b1;
2989 }
2990 abort();
2991 /* NOTREACHED */
2992 }
2993
2994 /*
2995 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2996 */
2997 static struct block *
2998 gen_thostop(eaddr, dir)
2999 register const u_char *eaddr;
3000 register int dir;
3001 {
3002 register struct block *b0, *b1;
3003
3004 switch (dir) {
3005 case Q_SRC:
3006 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3007
3008 case Q_DST:
3009 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3010
3011 case Q_AND:
3012 b0 = gen_thostop(eaddr, Q_SRC);
3013 b1 = gen_thostop(eaddr, Q_DST);
3014 gen_and(b0, b1);
3015 return b1;
3016
3017 case Q_DEFAULT:
3018 case Q_OR:
3019 b0 = gen_thostop(eaddr, Q_SRC);
3020 b1 = gen_thostop(eaddr, Q_DST);
3021 gen_or(b0, b1);
3022 return b1;
3023 }
3024 abort();
3025 /* NOTREACHED */
3026 }
3027
3028 /*
3029 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
3030 */
3031 static struct block *
3032 gen_wlanhostop(eaddr, dir)
3033 register const u_char *eaddr;
3034 register int dir;
3035 {
3036 register struct block *b0, *b1, *b2;
3037 register struct slist *s;
3038
3039 switch (dir) {
3040 case Q_SRC:
3041 /*
3042 * Oh, yuk.
3043 *
3044 * For control frames, there is no SA.
3045 *
3046 * For management frames, SA is at an
3047 * offset of 10 from the beginning of
3048 * the packet.
3049 *
3050 * For data frames, SA is at an offset
3051 * of 10 from the beginning of the packet
3052 * if From DS is clear, at an offset of
3053 * 16 from the beginning of the packet
3054 * if From DS is set and To DS is clear,
3055 * and an offset of 24 from the beginning
3056 * of the packet if From DS is set and To DS
3057 * is set.
3058 */
3059
3060 /*
3061 * Generate the tests to be done for data frames
3062 * with From DS set.
3063 *
3064 * First, check for To DS set, i.e. check "link[1] & 0x01".
3065 */
3066 s = gen_load_a(OR_LINK, 1, BPF_B);
3067 b1 = new_block(JMP(BPF_JSET));
3068 b1->s.k = 0x01; /* To DS */
3069 b1->stmts = s;
3070
3071 /*
3072 * If To DS is set, the SA is at 24.
3073 */
3074 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3075 gen_and(b1, b0);
3076
3077 /*
3078 * Now, check for To DS not set, i.e. check
3079 * "!(link[1] & 0x01)".
3080 */
3081 s = gen_load_a(OR_LINK, 1, BPF_B);
3082 b2 = new_block(JMP(BPF_JSET));
3083 b2->s.k = 0x01; /* To DS */
3084 b2->stmts = s;
3085 gen_not(b2);
3086
3087 /*
3088 * If To DS is not set, the SA is at 16.
3089 */
3090 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3091 gen_and(b2, b1);
3092
3093 /*
3094 * Now OR together the last two checks. That gives
3095 * the complete set of checks for data frames with
3096 * From DS set.
3097 */
3098 gen_or(b1, b0);
3099
3100 /*
3101 * Now check for From DS being set, and AND that with
3102 * the ORed-together checks.
3103 */
3104 s = gen_load_a(OR_LINK, 1, BPF_B);
3105 b1 = new_block(JMP(BPF_JSET));
3106 b1->s.k = 0x02; /* From DS */
3107 b1->stmts = s;
3108 gen_and(b1, b0);
3109
3110 /*
3111 * Now check for data frames with From DS not set.
3112 */
3113 s = gen_load_a(OR_LINK, 1, BPF_B);
3114 b2 = new_block(JMP(BPF_JSET));
3115 b2->s.k = 0x02; /* From DS */
3116 b2->stmts = s;
3117 gen_not(b2);
3118
3119 /*
3120 * If From DS isn't set, the SA is at 10.
3121 */
3122 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3123 gen_and(b2, b1);
3124
3125 /*
3126 * Now OR together the checks for data frames with
3127 * From DS not set and for data frames with From DS
3128 * set; that gives the checks done for data frames.
3129 */
3130 gen_or(b1, b0);
3131
3132 /*
3133 * Now check for a data frame.
3134 * I.e, check "link[0] & 0x08".
3135 */
3136 gen_load_a(OR_LINK, 0, BPF_B);
3137 b1 = new_block(JMP(BPF_JSET));
3138 b1->s.k = 0x08;
3139 b1->stmts = s;
3140
3141 /*
3142 * AND that with the checks done for data frames.
3143 */
3144 gen_and(b1, b0);
3145
3146 /*
3147 * If the high-order bit of the type value is 0, this
3148 * is a management frame.
3149 * I.e, check "!(link[0] & 0x08)".
3150 */
3151 s = gen_load_a(OR_LINK, 0, BPF_B);
3152 b2 = new_block(JMP(BPF_JSET));
3153 b2->s.k = 0x08;
3154 b2->stmts = s;
3155 gen_not(b2);
3156
3157 /*
3158 * For management frames, the SA is at 10.
3159 */
3160 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3161 gen_and(b2, b1);
3162
3163 /*
3164 * OR that with the checks done for data frames.
3165 * That gives the checks done for management and
3166 * data frames.
3167 */
3168 gen_or(b1, b0);
3169
3170 /*
3171 * If the low-order bit of the type value is 1,
3172 * this is either a control frame or a frame
3173 * with a reserved type, and thus not a
3174 * frame with an SA.
3175 *
3176 * I.e., check "!(link[0] & 0x04)".
3177 */
3178 s = gen_load_a(OR_LINK, 0, BPF_B);
3179 b1 = new_block(JMP(BPF_JSET));
3180 b1->s.k = 0x04;
3181 b1->stmts = s;
3182 gen_not(b1);
3183
3184 /*
3185 * AND that with the checks for data and management
3186 * frames.
3187 */
3188 gen_and(b1, b0);
3189 return b0;
3190
3191 case Q_DST:
3192 /*
3193 * Oh, yuk.
3194 *
3195 * For control frames, there is no DA.
3196 *
3197 * For management frames, DA is at an
3198 * offset of 4 from the beginning of
3199 * the packet.
3200 *
3201 * For data frames, DA is at an offset
3202 * of 4 from the beginning of the packet
3203 * if To DS is clear and at an offset of
3204 * 16 from the beginning of the packet
3205 * if To DS is set.
3206 */
3207
3208 /*
3209 * Generate the tests to be done for data frames.
3210 *
3211 * First, check for To DS set, i.e. "link[1] & 0x01".
3212 */
3213 s = gen_load_a(OR_LINK, 1, BPF_B);
3214 b1 = new_block(JMP(BPF_JSET));
3215 b1->s.k = 0x01; /* To DS */
3216 b1->stmts = s;
3217
3218 /*
3219 * If To DS is set, the DA is at 16.
3220 */
3221 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3222 gen_and(b1, b0);
3223
3224 /*
3225 * Now, check for To DS not set, i.e. check
3226 * "!(link[1] & 0x01)".
3227 */
3228 s = gen_load_a(OR_LINK, 1, BPF_B);
3229 b2 = new_block(JMP(BPF_JSET));
3230 b2->s.k = 0x01; /* To DS */
3231 b2->stmts = s;
3232 gen_not(b2);
3233
3234 /*
3235 * If To DS is not set, the DA is at 4.
3236 */
3237 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
3238 gen_and(b2, b1);
3239
3240 /*
3241 * Now OR together the last two checks. That gives
3242 * the complete set of checks for data frames.
3243 */
3244 gen_or(b1, b0);
3245
3246 /*
3247 * Now check for a data frame.
3248 * I.e, check "link[0] & 0x08".
3249 */
3250 s = gen_load_a(OR_LINK, 0, BPF_B);
3251 b1 = new_block(JMP(BPF_JSET));
3252 b1->s.k = 0x08;
3253 b1->stmts = s;
3254
3255 /*
3256 * AND that with the checks done for data frames.
3257 */
3258 gen_and(b1, b0);
3259
3260 /*
3261 * If the high-order bit of the type value is 0, this
3262 * is a management frame.
3263 * I.e, check "!(link[0] & 0x08)".
3264 */
3265 s = gen_load_a(OR_LINK, 0, BPF_B);
3266 b2 = new_block(JMP(BPF_JSET));
3267 b2->s.k = 0x08;
3268 b2->stmts = s;
3269 gen_not(b2);
3270
3271 /*
3272 * For management frames, the DA is at 4.
3273 */
3274 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
3275 gen_and(b2, b1);
3276
3277 /*
3278 * OR that with the checks done for data frames.
3279 * That gives the checks done for management and
3280 * data frames.
3281 */
3282 gen_or(b1, b0);
3283
3284 /*
3285 * If the low-order bit of the type value is 1,
3286 * this is either a control frame or a frame
3287 * with a reserved type, and thus not a
3288 * frame with an SA.
3289 *
3290 * I.e., check "!(link[0] & 0x04)".
3291 */
3292 s = gen_load_a(OR_LINK, 0, BPF_B);
3293 b1 = new_block(JMP(BPF_JSET));
3294 b1->s.k = 0x04;
3295 b1->stmts = s;
3296 gen_not(b1);
3297
3298 /*
3299 * AND that with the checks for data and management
3300 * frames.
3301 */
3302 gen_and(b1, b0);
3303 return b0;
3304
3305 case Q_AND:
3306 b0 = gen_wlanhostop(eaddr, Q_SRC);
3307 b1 = gen_wlanhostop(eaddr, Q_DST);
3308 gen_and(b0, b1);
3309 return b1;
3310
3311 case Q_DEFAULT:
3312 case Q_OR:
3313 b0 = gen_wlanhostop(eaddr, Q_SRC);
3314 b1 = gen_wlanhostop(eaddr, Q_DST);
3315 gen_or(b0, b1);
3316 return b1;
3317 }
3318 abort();
3319 /* NOTREACHED */
3320 }
3321
3322 /*
3323 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
3324 * (We assume that the addresses are IEEE 48-bit MAC addresses,
3325 * as the RFC states.)
3326 */
3327 static struct block *
3328 gen_ipfchostop(eaddr, dir)
3329 register const u_char *eaddr;
3330 register int dir;
3331 {
3332 register struct block *b0, *b1;
3333
3334 switch (dir) {
3335 case Q_SRC:
3336 return gen_bcmp(OR_LINK, 10, 6, eaddr);
3337
3338 case Q_DST:
3339 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3340
3341 case Q_AND:
3342 b0 = gen_ipfchostop(eaddr, Q_SRC);
3343 b1 = gen_ipfchostop(eaddr, Q_DST);
3344 gen_and(b0, b1);
3345 return b1;
3346
3347 case Q_DEFAULT:
3348 case Q_OR:
3349 b0 = gen_ipfchostop(eaddr, Q_SRC);
3350 b1 = gen_ipfchostop(eaddr, Q_DST);
3351 gen_or(b0, b1);
3352 return b1;
3353 }
3354 abort();
3355 /* NOTREACHED */
3356 }
3357
3358 /*
3359 * This is quite tricky because there may be pad bytes in front of the
3360 * DECNET header, and then there are two possible data packet formats that
3361 * carry both src and dst addresses, plus 5 packet types in a format that
3362 * carries only the src node, plus 2 types that use a different format and
3363 * also carry just the src node.
3364 *
3365 * Yuck.
3366 *
3367 * Instead of doing those all right, we just look for data packets with
3368 * 0 or 1 bytes of padding. If you want to look at other packets, that
3369 * will require a lot more hacking.
3370 *
3371 * To add support for filtering on DECNET "areas" (network numbers)
3372 * one would want to add a "mask" argument to this routine. That would
3373 * make the filter even more inefficient, although one could be clever
3374 * and not generate masking instructions if the mask is 0xFFFF.
3375 */
3376 static struct block *
3377 gen_dnhostop(addr, dir)
3378 bpf_u_int32 addr;
3379 int dir;
3380 {
3381 struct block *b0, *b1, *b2, *tmp;
3382 u_int offset_lh; /* offset if long header is received */
3383 u_int offset_sh; /* offset if short header is received */
3384
3385 switch (dir) {
3386
3387 case Q_DST:
3388 offset_sh = 1; /* follows flags */
3389 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
3390 break;
3391
3392 case Q_SRC:
3393 offset_sh = 3; /* follows flags, dstnode */
3394 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
3395 break;
3396
3397 case Q_AND:
3398 /* Inefficient because we do our Calvinball dance twice */
3399 b0 = gen_dnhostop(addr, Q_SRC);
3400 b1 = gen_dnhostop(addr, Q_DST);
3401 gen_and(b0, b1);
3402 return b1;
3403
3404 case Q_OR:
3405 case Q_DEFAULT:
3406 /* Inefficient because we do our Calvinball dance twice */
3407 b0 = gen_dnhostop(addr, Q_SRC);
3408 b1 = gen_dnhostop(addr, Q_DST);
3409 gen_or(b0, b1);
3410 return b1;
3411
3412 case Q_ISO:
3413 bpf_error("ISO host filtering not implemented");
3414
3415 default:
3416 abort();
3417 }
3418 b0 = gen_linktype(ETHERTYPE_DN);
3419 /* Check for pad = 1, long header case */
3420 tmp = gen_mcmp(OR_NET, 2, BPF_H,
3421 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
3422 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
3423 BPF_H, (bpf_int32)ntohs((u_short)addr));
3424 gen_and(tmp, b1);
3425 /* Check for pad = 0, long header case */
3426 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
3427 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3428 gen_and(tmp, b2);
3429 gen_or(b2, b1);
3430 /* Check for pad = 1, short header case */
3431 tmp = gen_mcmp(OR_NET, 2, BPF_H,
3432 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
3433 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3434 gen_and(tmp, b2);
3435 gen_or(b2, b1);
3436 /* Check for pad = 0, short header case */
3437 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
3438 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3439 gen_and(tmp, b2);
3440 gen_or(b2, b1);
3441
3442 /* Combine with test for linktype */
3443 gen_and(b0, b1);
3444 return b1;
3445 }
3446
3447 /*
3448 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
3449 * test the bottom-of-stack bit, and then check the version number
3450 * field in the IP header.
3451 */
3452 static struct block *
3453 gen_mpls_linktype(proto)
3454 int proto;
3455 {
3456 struct block *b0, *b1;
3457
3458 switch (proto) {
3459
3460 case Q_IP:
3461 /* match the bottom-of-stack bit */
3462 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3463 /* match the IPv4 version number */
3464 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
3465 gen_and(b0, b1);
3466 return b1;
3467
3468 case Q_IPV6:
3469 /* match the bottom-of-stack bit */
3470 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3471 /* match the IPv4 version number */
3472 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
3473 gen_and(b0, b1);
3474 return b1;
3475
3476 default:
3477 abort();
3478 }
3479 }
3480
3481 static struct block *
3482 gen_host(addr, mask, proto, dir, type)
3483 bpf_u_int32 addr;
3484 bpf_u_int32 mask;
3485 int proto;
3486 int dir;
3487 int type;
3488 {
3489 struct block *b0, *b1;
3490 const char *typestr;
3491
3492 if (type == Q_NET)
3493 typestr = "net";
3494 else
3495 typestr = "host";
3496
3497 switch (proto) {
3498
3499 case Q_DEFAULT:
3500 b0 = gen_host(addr, mask, Q_IP, dir, type);
3501 /*
3502 * Only check for non-IPv4 addresses if we're not
3503 * checking MPLS-encapsulated packets.
3504 */
3505 if (label_stack_depth == 0) {
3506 b1 = gen_host(addr, mask, Q_ARP, dir, type);
3507 gen_or(b0, b1);
3508 b0 = gen_host(addr, mask, Q_RARP, dir, type);
3509 gen_or(b1, b0);
3510 }
3511 return b0;
3512
3513 case Q_IP:
3514 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
3515
3516 case Q_RARP:
3517 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
3518
3519 case Q_ARP:
3520 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
3521
3522 case Q_TCP:
3523 bpf_error("'tcp' modifier applied to %s", typestr);
3524
3525 case Q_SCTP:
3526 bpf_error("'sctp' modifier applied to %s", typestr);
3527
3528 case Q_UDP:
3529 bpf_error("'udp' modifier applied to %s", typestr);
3530
3531 case Q_ICMP:
3532 bpf_error("'icmp' modifier applied to %s", typestr);
3533
3534 case Q_IGMP:
3535 bpf_error("'igmp' modifier applied to %s", typestr);
3536
3537 case Q_IGRP:
3538 bpf_error("'igrp' modifier applied to %s", typestr);
3539
3540 case Q_PIM:
3541 bpf_error("'pim' modifier applied to %s", typestr);
3542
3543 case Q_VRRP:
3544 bpf_error("'vrrp' modifier applied to %s", typestr);
3545
3546 case Q_ATALK:
3547 bpf_error("ATALK host filtering not implemented");
3548
3549 case Q_AARP:
3550 bpf_error("AARP host filtering not implemented");
3551
3552 case Q_DECNET:
3553 return gen_dnhostop(addr, dir);
3554
3555 case Q_SCA:
3556 bpf_error("SCA host filtering not implemented");
3557
3558 case Q_LAT:
3559 bpf_error("LAT host filtering not implemented");
3560
3561 case Q_MOPDL:
3562 bpf_error("MOPDL host filtering not implemented");
3563
3564 case Q_MOPRC:
3565 bpf_error("MOPRC host filtering not implemented");
3566
3567 #ifdef INET6
3568 case Q_IPV6:
3569 bpf_error("'ip6' modifier applied to ip host");
3570
3571 case Q_ICMPV6:
3572 bpf_error("'icmp6' modifier applied to %s", typestr);
3573 #endif /* INET6 */
3574
3575 case Q_AH:
3576 bpf_error("'ah' modifier applied to %s", typestr);
3577
3578 case Q_ESP:
3579 bpf_error("'esp' modifier applied to %s", typestr);
3580
3581 case Q_ISO:
3582 bpf_error("ISO host filtering not implemented");
3583
3584 case Q_ESIS:
3585 bpf_error("'esis' modifier applied to %s", typestr);
3586
3587 case Q_ISIS:
3588 bpf_error("'isis' modifier applied to %s", typestr);
3589
3590 case Q_CLNP:
3591 bpf_error("'clnp' modifier applied to %s", typestr);
3592
3593 case Q_STP:
3594 bpf_error("'stp' modifier applied to %s", typestr);
3595
3596 case Q_IPX:
3597 bpf_error("IPX host filtering not implemented");
3598
3599 case Q_NETBEUI:
3600 bpf_error("'netbeui' modifier applied to %s", typestr);
3601
3602 case Q_RADIO:
3603 bpf_error("'radio' modifier applied to %s", typestr);
3604
3605 default:
3606 abort();
3607 }
3608 /* NOTREACHED */
3609 }
3610
3611 #ifdef INET6
3612 static struct block *
3613 gen_host6(addr, mask, proto, dir, type)
3614 struct in6_addr *addr;
3615 struct in6_addr *mask;
3616 int proto;
3617 int dir;
3618 int type;
3619 {
3620 const char *typestr;
3621
3622 if (type == Q_NET)
3623 typestr = "net";
3624 else
3625 typestr = "host";
3626
3627 switch (proto) {
3628
3629 case Q_DEFAULT:
3630 return gen_host6(addr, mask, Q_IPV6, dir, type);
3631
3632 case Q_IP:
3633 bpf_error("'ip' modifier applied to ip6 %s", typestr);
3634
3635 case Q_RARP:
3636 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
3637
3638 case Q_ARP:
3639 bpf_error("'arp' modifier applied to ip6 %s", typestr);
3640
3641 case Q_SCTP:
3642 bpf_error("'sctp' modifier applied to %s", typestr);
3643
3644 case Q_TCP:
3645 bpf_error("'tcp' modifier applied to %s", typestr);
3646
3647 case Q_UDP:
3648 bpf_error("'udp' modifier applied to %s", typestr);
3649
3650 case Q_ICMP:
3651 bpf_error("'icmp' modifier applied to %s", typestr);
3652
3653 case Q_IGMP:
3654 bpf_error("'igmp' modifier applied to %s", typestr);
3655
3656 case Q_IGRP:
3657 bpf_error("'igrp' modifier applied to %s", typestr);
3658
3659 case Q_PIM:
3660 bpf_error("'pim' modifier applied to %s", typestr);
3661
3662 case Q_VRRP:
3663 bpf_error("'vrrp' modifier applied to %s", typestr);
3664
3665 case Q_ATALK:
3666 bpf_error("ATALK host filtering not implemented");
3667
3668 case Q_AARP:
3669 bpf_error("AARP host filtering not implemented");
3670
3671 case Q_DECNET:
3672 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
3673
3674 case Q_SCA:
3675 bpf_error("SCA host filtering not implemented");
3676
3677 case Q_LAT:
3678 bpf_error("LAT host filtering not implemented");
3679
3680 case Q_MOPDL:
3681 bpf_error("MOPDL host filtering not implemented");
3682
3683 case Q_MOPRC:
3684 bpf_error("MOPRC host filtering not implemented");
3685
3686 case Q_IPV6:
3687 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
3688
3689 case Q_ICMPV6:
3690 bpf_error("'icmp6' modifier applied to %s", typestr);
3691
3692 case Q_AH:
3693 bpf_error("'ah' modifier applied to %s", typestr);
3694
3695 case Q_ESP:
3696 bpf_error("'esp' modifier applied to %s", typestr);
3697
3698 case Q_ISO:
3699 bpf_error("ISO host filtering not implemented");
3700
3701 case Q_ESIS:
3702 bpf_error("'esis' modifier applied to %s", typestr);
3703
3704 case Q_ISIS:
3705 bpf_error("'isis' modifier applied to %s", typestr);
3706
3707 case Q_CLNP:
3708 bpf_error("'clnp' modifier applied to %s", typestr);
3709
3710 case Q_STP:
3711 bpf_error("'stp' modifier applied to %s", typestr);
3712
3713 case Q_IPX:
3714 bpf_error("IPX host filtering not implemented");
3715
3716 case Q_NETBEUI:
3717 bpf_error("'netbeui' modifier applied to %s", typestr);
3718
3719 case Q_RADIO:
3720 bpf_error("'radio' modifier applied to %s", typestr);
3721
3722 default:
3723 abort();
3724 }
3725 /* NOTREACHED */
3726 }
3727 #endif /*INET6*/
3728
3729 #ifndef INET6
3730 static struct block *
3731 gen_gateway(eaddr, alist, proto, dir)
3732 const u_char *eaddr;
3733 bpf_u_int32 **alist;
3734 int proto;
3735 int dir;
3736 {
3737 struct block *b0, *b1, *tmp;
3738
3739 if (dir != 0)
3740 bpf_error("direction applied to 'gateway'");
3741
3742 switch (proto) {
3743 case Q_DEFAULT:
3744 case Q_IP:
3745 case Q_ARP:
3746 case Q_RARP:
3747 switch (linktype) {
3748 case DLT_EN10MB:
3749 b0 = gen_ehostop(eaddr, Q_OR);
3750 break;
3751 case DLT_FDDI:
3752 b0 = gen_fhostop(eaddr, Q_OR);
3753 break;
3754 case DLT_IEEE802:
3755 b0 = gen_thostop(eaddr, Q_OR);
3756 break;
3757 case DLT_IEEE802_11:
3758 case DLT_IEEE802_11_RADIO_AVS:
3759 case DLT_PPI:
3760 case DLT_IEEE802_11_RADIO:
3761 case DLT_PRISM_HEADER:
3762 b0 = gen_wlanhostop(eaddr, Q_OR);
3763 break;
3764 case DLT_SUNATM:
3765 if (is_lane) {
3766 /*
3767 * Check that the packet doesn't begin with an
3768 * LE Control marker. (We've already generated
3769 * a test for LANE.)
3770 */
3771 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
3772 BPF_H, 0xFF00);
3773 gen_not(b1);
3774
3775 /*
3776 * Now check the MAC address.
3777 */
3778 b0 = gen_ehostop(eaddr, Q_OR);
3779 gen_and(b1, b0);
3780 }
3781 break;
3782 case DLT_IP_OVER_FC:
3783 b0 = gen_ipfchostop(eaddr, Q_OR);
3784 break;
3785 default:
3786 bpf_error(
3787 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
3788 }
3789 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
3790 while (*alist) {
3791 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
3792 Q_HOST);
3793 gen_or(b1, tmp);
3794 b1 = tmp;
3795 }
3796 gen_not(b1);
3797 gen_and(b0, b1);
3798 return b1;
3799 }
3800 bpf_error("illegal modifier of 'gateway'");
3801 /* NOTREACHED */
3802 }
3803 #endif
3804
3805 struct block *
3806 gen_proto_abbrev(proto)
3807 int proto;
3808 {
3809 struct block *b0;
3810 struct block *b1;
3811
3812 switch (proto) {
3813
3814 case Q_SCTP:
3815 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
3816 #ifdef INET6
3817 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
3818 gen_or(b0, b1);
3819 #endif
3820 break;
3821
3822 case Q_TCP:
3823 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
3824 #ifdef INET6
3825 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
3826 gen_or(b0, b1);
3827 #endif
3828 break;
3829
3830 case Q_UDP:
3831 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
3832 #ifdef INET6
3833 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
3834 gen_or(b0, b1);
3835 #endif
3836 break;
3837
3838 case Q_ICMP:
3839 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
3840 break;
3841
3842 #ifndef IPPROTO_IGMP
3843 #define IPPROTO_IGMP 2
3844 #endif
3845
3846 case Q_IGMP:
3847 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
3848 break;
3849
3850 #ifndef IPPROTO_IGRP
3851 #define IPPROTO_IGRP 9
3852 #endif
3853 case Q_IGRP:
3854 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
3855 break;
3856
3857 #ifndef IPPROTO_PIM
3858 #define IPPROTO_PIM 103
3859 #endif
3860
3861 case Q_PIM:
3862 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
3863 #ifdef INET6
3864 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
3865 gen_or(b0, b1);
3866 #endif
3867 break;
3868
3869 #ifndef IPPROTO_VRRP
3870 #define IPPROTO_VRRP 112
3871 #endif
3872
3873 case Q_VRRP:
3874 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
3875 break;
3876
3877 case Q_IP:
3878 b1 = gen_linktype(ETHERTYPE_IP);
3879 break;
3880
3881 case Q_ARP:
3882 b1 = gen_linktype(ETHERTYPE_ARP);
3883 break;
3884
3885 case Q_RARP:
3886 b1 = gen_linktype(ETHERTYPE_REVARP);
3887 break;
3888
3889 case Q_LINK:
3890 bpf_error("link layer applied in wrong context");
3891
3892 case Q_ATALK:
3893 b1 = gen_linktype(ETHERTYPE_ATALK);
3894 break;
3895
3896 case Q_AARP:
3897 b1 = gen_linktype(ETHERTYPE_AARP);
3898 break;
3899
3900 case Q_DECNET:
3901 b1 = gen_linktype(ETHERTYPE_DN);
3902 break;
3903
3904 case Q_SCA:
3905 b1 = gen_linktype(ETHERTYPE_SCA);
3906 break;
3907
3908 case Q_LAT:
3909 b1 = gen_linktype(ETHERTYPE_LAT);
3910 break;
3911
3912 case Q_MOPDL:
3913 b1 = gen_linktype(ETHERTYPE_MOPDL);
3914 break;
3915
3916 case Q_MOPRC:
3917 b1 = gen_linktype(ETHERTYPE_MOPRC);
3918 break;
3919
3920 #ifdef INET6
3921 case Q_IPV6:
3922 b1 = gen_linktype(ETHERTYPE_IPV6);
3923 break;
3924
3925 #ifndef IPPROTO_ICMPV6
3926 #define IPPROTO_ICMPV6 58
3927 #endif
3928 case Q_ICMPV6:
3929 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
3930 break;
3931 #endif /* INET6 */
3932
3933 #ifndef IPPROTO_AH
3934 #define IPPROTO_AH 51
3935 #endif
3936 case Q_AH:
3937 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
3938 #ifdef INET6
3939 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
3940 gen_or(b0, b1);
3941 #endif
3942 break;
3943
3944 #ifndef IPPROTO_ESP
3945 #define IPPROTO_ESP 50
3946 #endif
3947 case Q_ESP:
3948 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3949 #ifdef INET6
3950 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3951 gen_or(b0, b1);
3952 #endif
3953 break;
3954
3955 case Q_ISO:
3956 b1 = gen_linktype(LLCSAP_ISONS);
3957 break;
3958
3959 case Q_ESIS:
3960 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3961 break;
3962
3963 case Q_ISIS:
3964 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3965 break;
3966
3967 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3968 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3969 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3970 gen_or(b0, b1);
3971 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3972 gen_or(b0, b1);
3973 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3974 gen_or(b0, b1);
3975 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3976 gen_or(b0, b1);
3977 break;
3978
3979 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3980 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3981 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3982 gen_or(b0, b1);
3983 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3984 gen_or(b0, b1);
3985 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3986 gen_or(b0, b1);
3987 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3988 gen_or(b0, b1);
3989 break;
3990
3991 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3992 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3993 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3994 gen_or(b0, b1);
3995 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3996 gen_or(b0, b1);
3997 break;
3998
3999 case Q_ISIS_LSP:
4000 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4001 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4002 gen_or(b0, b1);
4003 break;
4004
4005 case Q_ISIS_SNP:
4006 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4007 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4008 gen_or(b0, b1);
4009 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4010 gen_or(b0, b1);
4011 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4012 gen_or(b0, b1);
4013 break;
4014
4015 case Q_ISIS_CSNP:
4016 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4017 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4018 gen_or(b0, b1);
4019 break;
4020
4021 case Q_ISIS_PSNP:
4022 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4023 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4024 gen_or(b0, b1);
4025 break;
4026
4027 case Q_CLNP:
4028 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4029 break;
4030
4031 case Q_STP:
4032 b1 = gen_linktype(LLCSAP_8021D);
4033 break;
4034
4035 case Q_IPX:
4036 b1 = gen_linktype(LLCSAP_IPX);
4037 break;
4038
4039 case Q_NETBEUI:
4040 b1 = gen_linktype(LLCSAP_NETBEUI);
4041 break;
4042
4043 case Q_RADIO:
4044 bpf_error("'radio' is not a valid protocol type");
4045
4046 default:
4047 abort();
4048 }
4049 return b1;
4050 }
4051
4052 static struct block *
4053 gen_ipfrag()
4054 {
4055 struct slist *s;
4056 struct block *b;
4057
4058 /* not ip frag */
4059 s = gen_load_a(OR_NET, 6, BPF_H);
4060 b = new_block(JMP(BPF_JSET));
4061 b->s.k = 0x1fff;
4062 b->stmts = s;
4063 gen_not(b);
4064
4065 return b;
4066 }
4067
4068 /*
4069 * Generate a comparison to a port value in the transport-layer header
4070 * at the specified offset from the beginning of that header.
4071 *
4072 * XXX - this handles a variable-length prefix preceding the link-layer
4073 * header, such as the radiotap or AVS radio prefix, but doesn't handle
4074 * variable-length link-layer headers (such as Token Ring or 802.11
4075 * headers).
4076 */
4077 static struct block *
4078 gen_portatom(off, v)
4079 int off;
4080 bpf_int32 v;
4081 {
4082 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
4083 }
4084
4085 #ifdef INET6
4086 static struct block *
4087 gen_portatom6(off, v)
4088 int off;
4089 bpf_int32 v;
4090 {
4091 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
4092 }
4093 #endif/*INET6*/
4094
4095 struct block *
4096 gen_portop(port, proto, dir)
4097 int port, proto, dir;
4098 {
4099 struct block *b0, *b1, *tmp;
4100
4101 /* ip proto 'proto' */
4102 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
4103 b0 = gen_ipfrag();
4104 gen_and(tmp, b0);
4105
4106 switch (dir) {
4107 case Q_SRC:
4108 b1 = gen_portatom(0, (bpf_int32)port);
4109 break;
4110
4111 case Q_DST:
4112 b1 = gen_portatom(2, (bpf_int32)port);
4113 break;
4114
4115 case Q_OR:
4116 case Q_DEFAULT:
4117 tmp = gen_portatom(0, (bpf_int32)port);
4118 b1 = gen_portatom(2, (bpf_int32)port);
4119 gen_or(tmp, b1);
4120 break;
4121
4122 case Q_AND:
4123 tmp = gen_portatom(0, (bpf_int32)port);
4124 b1 = gen_portatom(2, (bpf_int32)port);
4125 gen_and(tmp, b1);
4126 break;
4127
4128 default:
4129 abort();
4130 }
4131 gen_and(b0, b1);
4132
4133 return b1;
4134 }
4135
4136 static struct block *
4137 gen_port(port, ip_proto, dir)
4138 int port;
4139 int ip_proto;
4140 int dir;
4141 {
4142 struct block *b0, *b1, *tmp;
4143
4144 /*
4145 * ether proto ip
4146 *
4147 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4148 * not LLC encapsulation with LLCSAP_IP.
4149 *
4150 * For IEEE 802 networks - which includes 802.5 token ring
4151 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4152 * says that SNAP encapsulation is used, not LLC encapsulation
4153 * with LLCSAP_IP.
4154 *
4155 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4156 * RFC 2225 say that SNAP encapsulation is used, not LLC
4157 * encapsulation with LLCSAP_IP.
4158 *
4159 * So we always check for ETHERTYPE_IP.
4160 */
4161 b0 = gen_linktype(ETHERTYPE_IP);
4162
4163 switch (ip_proto) {
4164 case IPPROTO_UDP:
4165 case IPPROTO_TCP:
4166 case IPPROTO_SCTP:
4167 b1 = gen_portop(port, ip_proto, dir);
4168 break;
4169
4170 case PROTO_UNDEF:
4171 tmp = gen_portop(port, IPPROTO_TCP, dir);
4172 b1 = gen_portop(port, IPPROTO_UDP, dir);
4173 gen_or(tmp, b1);
4174 tmp = gen_portop(port, IPPROTO_SCTP, dir);
4175 gen_or(tmp, b1);
4176 break;
4177
4178 default:
4179 abort();
4180 }
4181 gen_and(b0, b1);
4182 return b1;
4183 }
4184
4185 #ifdef INET6
4186 struct block *
4187 gen_portop6(port, proto, dir)
4188 int port, proto, dir;
4189 {
4190 struct block *b0, *b1, *tmp;
4191
4192 /* ip6 proto 'proto' */
4193 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
4194
4195 switch (dir) {
4196 case Q_SRC:
4197 b1 = gen_portatom6(0, (bpf_int32)port);
4198 break;
4199
4200 case Q_DST:
4201 b1 = gen_portatom6(2, (bpf_int32)port);
4202 break;
4203
4204 case Q_OR:
4205 case Q_DEFAULT:
4206 tmp = gen_portatom6(0, (bpf_int32)port);
4207 b1 = gen_portatom6(2, (bpf_int32)port);
4208 gen_or(tmp, b1);
4209 break;
4210
4211 case Q_AND:
4212 tmp = gen_portatom6(0, (bpf_int32)port);
4213 b1 = gen_portatom6(2, (bpf_int32)port);
4214 gen_and(tmp, b1);
4215 break;
4216
4217 default:
4218 abort();
4219 }
4220 gen_and(b0, b1);
4221
4222 return b1;
4223 }
4224
4225 static struct block *
4226 gen_port6(port, ip_proto, dir)
4227 int port;
4228 int ip_proto;
4229 int dir;
4230 {
4231 struct block *b0, *b1, *tmp;
4232
4233 /* link proto ip6 */
4234 b0 = gen_linktype(ETHERTYPE_IPV6);
4235
4236 switch (ip_proto) {
4237 case IPPROTO_UDP:
4238 case IPPROTO_TCP:
4239 case IPPROTO_SCTP:
4240 b1 = gen_portop6(port, ip_proto, dir);
4241 break;
4242
4243 case PROTO_UNDEF:
4244 tmp = gen_portop6(port, IPPROTO_TCP, dir);
4245 b1 = gen_portop6(port, IPPROTO_UDP, dir);
4246 gen_or(tmp, b1);
4247 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
4248 gen_or(tmp, b1);
4249 break;
4250
4251 default:
4252 abort();
4253 }
4254 gen_and(b0, b1);
4255 return b1;
4256 }
4257 #endif /* INET6 */
4258
4259 /* gen_portrange code */
4260 static struct block *
4261 gen_portrangeatom(off, v1, v2)
4262 int off;
4263 bpf_int32 v1, v2;
4264 {
4265 struct block *b1, *b2;
4266
4267 if (v1 > v2) {
4268 /*
4269 * Reverse the order of the ports, so v1 is the lower one.
4270 */
4271 bpf_int32 vtemp;
4272
4273 vtemp = v1;
4274 v1 = v2;
4275 v2 = vtemp;
4276 }
4277
4278 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
4279 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
4280
4281 gen_and(b1, b2);
4282
4283 return b2;
4284 }
4285
4286 struct block *
4287 gen_portrangeop(port1, port2, proto, dir)
4288 int port1, port2;
4289 int proto;
4290 int dir;
4291 {
4292 struct block *b0, *b1, *tmp;
4293
4294 /* ip proto 'proto' */
4295 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
4296 b0 = gen_ipfrag();
4297 gen_and(tmp, b0);
4298
4299 switch (dir) {
4300 case Q_SRC:
4301 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4302 break;
4303
4304 case Q_DST:
4305 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4306 break;
4307
4308 case Q_OR:
4309 case Q_DEFAULT:
4310 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4311 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4312 gen_or(tmp, b1);
4313 break;
4314
4315 case Q_AND:
4316 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4317 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4318 gen_and(tmp, b1);
4319 break;
4320
4321 default:
4322 abort();
4323 }
4324 gen_and(b0, b1);
4325
4326 return b1;
4327 }
4328
4329 static struct block *
4330 gen_portrange(port1, port2, ip_proto, dir)
4331 int port1, port2;
4332 int ip_proto;
4333 int dir;
4334 {
4335 struct block *b0, *b1, *tmp;
4336
4337 /* link proto ip */
4338 b0 = gen_linktype(ETHERTYPE_IP);
4339
4340 switch (ip_proto) {
4341 case IPPROTO_UDP:
4342 case IPPROTO_TCP:
4343 case IPPROTO_SCTP:
4344 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
4345 break;
4346
4347 case PROTO_UNDEF:
4348 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
4349 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
4350 gen_or(tmp, b1);
4351 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
4352 gen_or(tmp, b1);
4353 break;
4354
4355 default:
4356 abort();
4357 }
4358 gen_and(b0, b1);
4359 return b1;
4360 }
4361
4362 #ifdef INET6
4363 static struct block *
4364 gen_portrangeatom6(off, v1, v2)
4365 int off;
4366 bpf_int32 v1, v2;
4367 {
4368 struct block *b1, *b2;
4369
4370 if (v1 > v2) {
4371 /*
4372 * Reverse the order of the ports, so v1 is the lower one.
4373 */
4374 bpf_int32 vtemp;
4375
4376 vtemp = v1;
4377 v1 = v2;
4378 v2 = vtemp;
4379 }
4380
4381 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
4382 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
4383
4384 gen_and(b1, b2);
4385
4386 return b2;
4387 }
4388
4389 struct block *
4390 gen_portrangeop6(port1, port2, proto, dir)
4391 int port1, port2;
4392 int proto;
4393 int dir;
4394 {
4395 struct block *b0, *b1, *tmp;
4396
4397 /* ip6 proto 'proto' */
4398 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
4399
4400 switch (dir) {
4401 case Q_SRC:
4402 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4403 break;
4404
4405 case Q_DST:
4406 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4407 break;
4408
4409 case Q_OR:
4410 case Q_DEFAULT:
4411 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4412 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4413 gen_or(tmp, b1);
4414 break;
4415
4416 case Q_AND:
4417 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4418 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4419 gen_and(tmp, b1);
4420 break;
4421
4422 default:
4423 abort();
4424 }
4425 gen_and(b0, b1);
4426
4427 return b1;
4428 }
4429
4430 static struct block *
4431 gen_portrange6(port1, port2, ip_proto, dir)
4432 int port1, port2;
4433 int ip_proto;
4434 int dir;
4435 {
4436 struct block *b0, *b1, *tmp;
4437
4438 /* link proto ip6 */
4439 b0 = gen_linktype(ETHERTYPE_IPV6);
4440
4441 switch (ip_proto) {
4442 case IPPROTO_UDP:
4443 case IPPROTO_TCP:
4444 case IPPROTO_SCTP:
4445 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
4446 break;
4447
4448 case PROTO_UNDEF:
4449 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
4450 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
4451 gen_or(tmp, b1);
4452 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
4453 gen_or(tmp, b1);
4454 break;
4455
4456 default:
4457 abort();
4458 }
4459 gen_and(b0, b1);
4460 return b1;
4461 }
4462 #endif /* INET6 */
4463
4464 static int
4465 lookup_proto(name, proto)
4466 register const char *name;
4467 register int proto;
4468 {
4469 register int v;
4470
4471 switch (proto) {
4472
4473 case Q_DEFAULT:
4474 case Q_IP:
4475 case Q_IPV6:
4476 v = pcap_nametoproto(name);
4477 if (v == PROTO_UNDEF)
4478 bpf_error("unknown ip proto '%s'", name);
4479 break;
4480
4481 case Q_LINK:
4482 /* XXX should look up h/w protocol type based on linktype */
4483 v = pcap_nametoeproto(name);
4484 if (v == PROTO_UNDEF) {
4485 v = pcap_nametollc(name);
4486 if (v == PROTO_UNDEF)
4487 bpf_error("unknown ether proto '%s'", name);
4488 }
4489 break;
4490
4491 case Q_ISO:
4492 if (strcmp(name, "esis") == 0)
4493 v = ISO9542_ESIS;
4494 else if (strcmp(name, "isis") == 0)
4495 v = ISO10589_ISIS;
4496 else if (strcmp(name, "clnp") == 0)
4497 v = ISO8473_CLNP;
4498 else
4499 bpf_error("unknown osi proto '%s'", name);
4500 break;
4501
4502 default:
4503 v = PROTO_UNDEF;
4504 break;
4505 }
4506 return v;
4507 }
4508
4509 #if 0
4510 struct stmt *
4511 gen_joinsp(s, n)
4512 struct stmt **s;
4513 int n;
4514 {
4515 return NULL;
4516 }
4517 #endif
4518
4519 static struct block *
4520 gen_protochain(v, proto, dir)
4521 int v;
4522 int proto;
4523 int dir;
4524 {
4525 #ifdef NO_PROTOCHAIN
4526 return gen_proto(v, proto, dir);
4527 #else
4528 struct block *b0, *b;
4529 struct slist *s[100];
4530 int fix2, fix3, fix4, fix5;
4531 int ahcheck, again, end;
4532 int i, max;
4533 int reg2 = alloc_reg();
4534
4535 memset(s, 0, sizeof(s));
4536 fix2 = fix3 = fix4 = fix5 = 0;
4537
4538 switch (proto) {
4539 case Q_IP:
4540 case Q_IPV6:
4541 break;
4542 case Q_DEFAULT:
4543 b0 = gen_protochain(v, Q_IP, dir);
4544 b = gen_protochain(v, Q_IPV6, dir);
4545 gen_or(b0, b);
4546 return b;
4547 default:
4548 bpf_error("bad protocol applied for 'protochain'");
4549 /*NOTREACHED*/
4550 }
4551
4552 /*
4553 * We don't handle variable-length radiotap here headers yet.
4554 * We might want to add BPF instructions to do the protochain
4555 * work, to simplify that and, on platforms that have a BPF
4556 * interpreter with the new instructions, let the filtering
4557 * be done in the kernel. (We already require a modified BPF
4558 * engine to do the protochain stuff, to support backward
4559 * branches, and backward branch support is unlikely to appear
4560 * in kernel BPF engines.)
4561 */
4562 if (linktype == DLT_IEEE802_11_RADIO)
4563 bpf_error("'protochain' not supported with radiotap headers");
4564
4565 if (linktype == DLT_PPI)
4566 bpf_error("'protochain' not supported with PPI headers");
4567
4568 no_optimize = 1; /*this code is not compatible with optimzer yet */
4569
4570 /*
4571 * s[0] is a dummy entry to protect other BPF insn from damage
4572 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
4573 * hard to find interdependency made by jump table fixup.
4574 */
4575 i = 0;
4576 s[i] = new_stmt(0); /*dummy*/
4577 i++;
4578
4579 switch (proto) {
4580 case Q_IP:
4581 b0 = gen_linktype(ETHERTYPE_IP);
4582
4583 /* A = ip->ip_p */
4584 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4585 s[i]->s.k = off_ll + off_nl + 9;
4586 i++;
4587 /* X = ip->ip_hl << 2 */
4588 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4589 s[i]->s.k = off_ll + off_nl;
4590 i++;
4591 break;
4592 #ifdef INET6
4593 case Q_IPV6:
4594 b0 = gen_linktype(ETHERTYPE_IPV6);
4595
4596 /* A = ip6->ip_nxt */
4597 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4598 s[i]->s.k = off_ll + off_nl + 6;
4599 i++;
4600 /* X = sizeof(struct ip6_hdr) */
4601 s[i] = new_stmt(BPF_LDX|BPF_IMM);
4602 s[i]->s.k = 40;
4603 i++;
4604 break;
4605 #endif
4606 default:
4607 bpf_error("unsupported proto to gen_protochain");
4608 /*NOTREACHED*/
4609 }
4610
4611 /* again: if (A == v) goto end; else fall through; */
4612 again = i;
4613 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4614 s[i]->s.k = v;
4615 s[i]->s.jt = NULL; /*later*/
4616 s[i]->s.jf = NULL; /*update in next stmt*/
4617 fix5 = i;
4618 i++;
4619
4620 #ifndef IPPROTO_NONE
4621 #define IPPROTO_NONE 59
4622 #endif
4623 /* if (A == IPPROTO_NONE) goto end */
4624 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4625 s[i]->s.jt = NULL; /*later*/
4626 s[i]->s.jf = NULL; /*update in next stmt*/
4627 s[i]->s.k = IPPROTO_NONE;
4628 s[fix5]->s.jf = s[i];
4629 fix2 = i;
4630 i++;
4631
4632 #ifdef INET6
4633 if (proto == Q_IPV6) {
4634 int v6start, v6end, v6advance, j;
4635
4636 v6start = i;
4637 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
4638 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4639 s[i]->s.jt = NULL; /*later*/
4640 s[i]->s.jf = NULL; /*update in next stmt*/
4641 s[i]->s.k = IPPROTO_HOPOPTS;
4642 s[fix2]->s.jf = s[i];
4643 i++;
4644 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
4645 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4646 s[i]->s.jt = NULL; /*later*/
4647 s[i]->s.jf = NULL; /*update in next stmt*/
4648 s[i]->s.k = IPPROTO_DSTOPTS;
4649 i++;
4650 /* if (A == IPPROTO_ROUTING) goto v6advance */
4651 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4652 s[i]->s.jt = NULL; /*later*/
4653 s[i]->s.jf = NULL; /*update in next stmt*/
4654 s[i]->s.k = IPPROTO_ROUTING;
4655 i++;
4656 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
4657 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4658 s[i]->s.jt = NULL; /*later*/
4659 s[i]->s.jf = NULL; /*later*/
4660 s[i]->s.k = IPPROTO_FRAGMENT;
4661 fix3 = i;
4662 v6end = i;
4663 i++;
4664
4665 /* v6advance: */
4666 v6advance = i;
4667
4668 /*
4669 * in short,
4670 * A = P[X];
4671 * X = X + (P[X + 1] + 1) * 8;
4672 */
4673 /* A = X */
4674 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4675 i++;
4676 /* A = P[X + packet head] */
4677 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4678 s[i]->s.k = off_ll + off_nl;
4679 i++;
4680 /* MEM[reg2] = A */
4681 s[i] = new_stmt(BPF_ST);
4682 s[i]->s.k = reg2;
4683 i++;
4684 /* A = X */
4685 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4686 i++;
4687 /* A += 1 */
4688 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4689 s[i]->s.k = 1;
4690 i++;
4691 /* X = A */
4692 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4693 i++;
4694 /* A = P[X + packet head]; */
4695 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4696 s[i]->s.k = off_ll + off_nl;
4697 i++;
4698 /* A += 1 */
4699 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4700 s[i]->s.k = 1;
4701 i++;
4702 /* A *= 8 */
4703 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4704 s[i]->s.k = 8;
4705 i++;
4706 /* X = A; */
4707 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4708 i++;
4709 /* A = MEM[reg2] */
4710 s[i] = new_stmt(BPF_LD|BPF_MEM);
4711 s[i]->s.k = reg2;
4712 i++;
4713
4714 /* goto again; (must use BPF_JA for backward jump) */
4715 s[i] = new_stmt(BPF_JMP|BPF_JA);
4716 s[i]->s.k = again - i - 1;
4717 s[i - 1]->s.jf = s[i];
4718 i++;
4719
4720 /* fixup */
4721 for (j = v6start; j <= v6end; j++)
4722 s[j]->s.jt = s[v6advance];
4723 } else
4724 #endif
4725 {
4726 /* nop */
4727 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4728 s[i]->s.k = 0;
4729 s[fix2]->s.jf = s[i];
4730 i++;
4731 }
4732
4733 /* ahcheck: */
4734 ahcheck = i;
4735 /* if (A == IPPROTO_AH) then fall through; else goto end; */
4736 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4737 s[i]->s.jt = NULL; /*later*/
4738 s[i]->s.jf = NULL; /*later*/
4739 s[i]->s.k = IPPROTO_AH;
4740 if (fix3)
4741 s[fix3]->s.jf = s[ahcheck];
4742 fix4 = i;
4743 i++;
4744
4745 /*
4746 * in short,
4747 * A = P[X];
4748 * X = X + (P[X + 1] + 2) * 4;
4749 */
4750 /* A = X */
4751 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4752 i++;
4753 /* A = P[X + packet head]; */
4754 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4755 s[i]->s.k = off_ll + off_nl;
4756 i++;
4757 /* MEM[reg2] = A */
4758 s[i] = new_stmt(BPF_ST);
4759 s[i]->s.k = reg2;
4760 i++;
4761 /* A = X */
4762 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4763 i++;
4764 /* A += 1 */
4765 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4766 s[i]->s.k = 1;
4767 i++;
4768 /* X = A */
4769 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4770 i++;
4771 /* A = P[X + packet head] */
4772 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4773 s[i]->s.k = off_ll + off_nl;
4774 i++;
4775 /* A += 2 */
4776 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4777 s[i]->s.k = 2;
4778 i++;
4779 /* A *= 4 */
4780 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4781 s[i]->s.k = 4;
4782 i++;
4783 /* X = A; */
4784 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4785 i++;
4786 /* A = MEM[reg2] */
4787 s[i] = new_stmt(BPF_LD|BPF_MEM);
4788 s[i]->s.k = reg2;
4789 i++;
4790
4791 /* goto again; (must use BPF_JA for backward jump) */
4792 s[i] = new_stmt(BPF_JMP|BPF_JA);
4793 s[i]->s.k = again - i - 1;
4794 i++;
4795
4796 /* end: nop */
4797 end = i;
4798 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4799 s[i]->s.k = 0;
4800 s[fix2]->s.jt = s[end];
4801 s[fix4]->s.jf = s[end];
4802 s[fix5]->s.jt = s[end];
4803 i++;
4804
4805 /*
4806 * make slist chain
4807 */
4808 max = i;
4809 for (i = 0; i < max - 1; i++)
4810 s[i]->next = s[i + 1];
4811 s[max - 1]->next = NULL;
4812
4813 /*
4814 * emit final check
4815 */
4816 b = new_block(JMP(BPF_JEQ));
4817 b->stmts = s[1]; /*remember, s[0] is dummy*/
4818 b->s.k = v;
4819
4820 free_reg(reg2);
4821
4822 gen_and(b0, b);
4823 return b;
4824 #endif
4825 }
4826
4827 /*
4828 * Generate code that checks whether the packet is a packet for protocol
4829 * <proto> and whether the type field in that protocol's header has
4830 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
4831 * IP packet and checks the protocol number in the IP header against <v>.
4832 *
4833 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
4834 * against Q_IP and Q_IPV6.
4835 */
4836 static struct block *
4837 gen_proto(v, proto, dir)
4838 int v;
4839 int proto;
4840 int dir;
4841 {
4842 struct block *b0, *b1;
4843
4844 if (dir != Q_DEFAULT)
4845 bpf_error("direction applied to 'proto'");
4846
4847 switch (proto) {
4848 case Q_DEFAULT:
4849 #ifdef INET6
4850 b0 = gen_proto(v, Q_IP, dir);
4851 b1 = gen_proto(v, Q_IPV6, dir);
4852 gen_or(b0, b1);
4853 return b1;
4854 #else
4855 /*FALLTHROUGH*/
4856 #endif
4857 case Q_IP:
4858 /*
4859 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4860 * not LLC encapsulation with LLCSAP_IP.
4861 *
4862 * For IEEE 802 networks - which includes 802.5 token ring
4863 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4864 * says that SNAP encapsulation is used, not LLC encapsulation
4865 * with LLCSAP_IP.
4866 *
4867 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4868 * RFC 2225 say that SNAP encapsulation is used, not LLC
4869 * encapsulation with LLCSAP_IP.
4870 *
4871 * So we always check for ETHERTYPE_IP.
4872 */
4873 b0 = gen_linktype(ETHERTYPE_IP);
4874 #ifndef CHASE_CHAIN
4875 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
4876 #else
4877 b1 = gen_protochain(v, Q_IP);
4878 #endif
4879 gen_and(b0, b1);
4880 return b1;
4881
4882 case Q_ISO:
4883 switch (linktype) {
4884
4885 case DLT_FRELAY:
4886 /*
4887 * Frame Relay packets typically have an OSI
4888 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
4889 * generates code to check for all the OSI
4890 * NLPIDs, so calling it and then adding a check
4891 * for the particular NLPID for which we're
4892 * looking is bogus, as we can just check for
4893 * the NLPID.
4894 *
4895 * What we check for is the NLPID and a frame
4896 * control field value of UI, i.e. 0x03 followed
4897 * by the NLPID.
4898 *
4899 * XXX - assumes a 2-byte Frame Relay header with
4900 * DLCI and flags. What if the address is longer?
4901 *
4902 * XXX - what about SNAP-encapsulated frames?
4903 */
4904 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
4905 /*NOTREACHED*/
4906 break;
4907
4908 case DLT_C_HDLC:
4909 /*
4910 * Cisco uses an Ethertype lookalike - for OSI,
4911 * it's 0xfefe.
4912 */
4913 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
4914 /* OSI in C-HDLC is stuffed with a fudge byte */
4915 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
4916 gen_and(b0, b1);
4917 return b1;
4918
4919 default:
4920 b0 = gen_linktype(LLCSAP_ISONS);
4921 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
4922 gen_and(b0, b1);
4923 return b1;
4924 }
4925
4926 case Q_ISIS:
4927 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4928 /*
4929 * 4 is the offset of the PDU type relative to the IS-IS
4930 * header.
4931 */
4932 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
4933 gen_and(b0, b1);
4934 return b1;
4935
4936 case Q_ARP:
4937 bpf_error("arp does not encapsulate another protocol");
4938 /* NOTREACHED */
4939
4940 case Q_RARP:
4941 bpf_error("rarp does not encapsulate another protocol");
4942 /* NOTREACHED */
4943
4944 case Q_ATALK:
4945 bpf_error("atalk encapsulation is not specifiable");
4946 /* NOTREACHED */
4947
4948 case Q_DECNET:
4949 bpf_error("decnet encapsulation is not specifiable");
4950 /* NOTREACHED */
4951
4952 case Q_SCA:
4953 bpf_error("sca does not encapsulate another protocol");
4954 /* NOTREACHED */
4955
4956 case Q_LAT:
4957 bpf_error("lat does not encapsulate another protocol");
4958 /* NOTREACHED */
4959
4960 case Q_MOPRC:
4961 bpf_error("moprc does not encapsulate another protocol");
4962 /* NOTREACHED */
4963
4964 case Q_MOPDL:
4965 bpf_error("mopdl does not encapsulate another protocol");
4966 /* NOTREACHED */
4967
4968 case Q_LINK:
4969 return gen_linktype(v);
4970
4971 case Q_UDP:
4972 bpf_error("'udp proto' is bogus");
4973 /* NOTREACHED */
4974
4975 case Q_TCP:
4976 bpf_error("'tcp proto' is bogus");
4977 /* NOTREACHED */
4978
4979 case Q_SCTP:
4980 bpf_error("'sctp proto' is bogus");
4981 /* NOTREACHED */
4982
4983 case Q_ICMP:
4984 bpf_error("'icmp proto' is bogus");
4985 /* NOTREACHED */
4986
4987 case Q_IGMP:
4988 bpf_error("'igmp proto' is bogus");
4989 /* NOTREACHED */
4990
4991 case Q_IGRP:
4992 bpf_error("'igrp proto' is bogus");
4993 /* NOTREACHED */
4994
4995 case Q_PIM:
4996 bpf_error("'pim proto' is bogus");
4997 /* NOTREACHED */
4998
4999 case Q_VRRP:
5000 bpf_error("'vrrp proto' is bogus");
5001 /* NOTREACHED */
5002
5003 #ifdef INET6
5004 case Q_IPV6:
5005 b0 = gen_linktype(ETHERTYPE_IPV6);
5006 #ifndef CHASE_CHAIN
5007 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
5008 #else
5009 b1 = gen_protochain(v, Q_IPV6);
5010 #endif
5011 gen_and(b0, b1);
5012 return b1;
5013
5014 case Q_ICMPV6:
5015 bpf_error("'icmp6 proto' is bogus");
5016 #endif /* INET6 */
5017
5018 case Q_AH:
5019 bpf_error("'ah proto' is bogus");
5020
5021 case Q_ESP:
5022 bpf_error("'ah proto' is bogus");
5023
5024 case Q_STP:
5025 bpf_error("'stp proto' is bogus");
5026
5027 case Q_IPX:
5028 bpf_error("'ipx proto' is bogus");
5029
5030 case Q_NETBEUI:
5031 bpf_error("'netbeui proto' is bogus");
5032
5033 case Q_RADIO:
5034 bpf_error("'radio proto' is bogus");
5035
5036 default:
5037 abort();
5038 /* NOTREACHED */
5039 }
5040 /* NOTREACHED */
5041 }
5042
5043 struct block *
5044 gen_scode(name, q)
5045 register const char *name;
5046 struct qual q;
5047 {
5048 int proto = q.proto;
5049 int dir = q.dir;
5050 int tproto;
5051 u_char *eaddr;
5052 bpf_u_int32 mask, addr;
5053 #ifndef INET6
5054 bpf_u_int32 **alist;
5055 #else
5056 int tproto6;
5057 struct sockaddr_in *sin4;
5058 struct sockaddr_in6 *sin6;
5059 struct addrinfo *res, *res0;
5060 struct in6_addr mask128;
5061 #endif /*INET6*/
5062 struct block *b, *tmp;
5063 int port, real_proto;
5064 int port1, port2;
5065
5066 switch (q.addr) {
5067
5068 case Q_NET:
5069 addr = pcap_nametonetaddr(name);
5070 if (addr == 0)
5071 bpf_error("unknown network '%s'", name);
5072 /* Left justify network addr and calculate its network mask */
5073 mask = 0xffffffff;
5074 while (addr && (addr & 0xff000000) == 0) {
5075 addr <<= 8;
5076 mask <<= 8;
5077 }
5078 return gen_host(addr, mask, proto, dir, q.addr);
5079
5080 case Q_DEFAULT:
5081 case Q_HOST:
5082 if (proto == Q_LINK) {
5083 switch (linktype) {
5084
5085 case DLT_EN10MB:
5086 eaddr = pcap_ether_hostton(name);
5087 if (eaddr == NULL)
5088 bpf_error(
5089 "unknown ether host '%s'", name);
5090 b = gen_ehostop(eaddr, dir);
5091 free(eaddr);
5092 return b;
5093
5094 case DLT_FDDI:
5095 eaddr = pcap_ether_hostton(name);
5096 if (eaddr == NULL)
5097 bpf_error(
5098 "unknown FDDI host '%s'", name);
5099 b = gen_fhostop(eaddr, dir);
5100 free(eaddr);
5101 return b;
5102
5103 case DLT_IEEE802:
5104 eaddr = pcap_ether_hostton(name);
5105 if (eaddr == NULL)
5106 bpf_error(
5107 "unknown token ring host '%s'", name);
5108 b = gen_thostop(eaddr, dir);
5109 free(eaddr);
5110 return b;
5111
5112 case DLT_IEEE802_11:
5113 case DLT_IEEE802_11_RADIO_AVS:
5114 case DLT_IEEE802_11_RADIO:
5115 case DLT_PRISM_HEADER:
5116 case DLT_PPI:
5117 eaddr = pcap_ether_hostton(name);
5118 if (eaddr == NULL)
5119 bpf_error(
5120 "unknown 802.11 host '%s'", name);
5121 b = gen_wlanhostop(eaddr, dir);
5122 free(eaddr);
5123 return b;
5124
5125 case DLT_IP_OVER_FC:
5126 eaddr = pcap_ether_hostton(name);
5127 if (eaddr == NULL)
5128 bpf_error(
5129 "unknown Fibre Channel host '%s'", name);
5130 b = gen_ipfchostop(eaddr, dir);
5131 free(eaddr);
5132 return b;
5133
5134 case DLT_SUNATM:
5135 if (!is_lane)
5136 break;
5137
5138 /*
5139 * Check that the packet doesn't begin
5140 * with an LE Control marker. (We've
5141 * already generated a test for LANE.)
5142 */
5143 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
5144 BPF_H, 0xFF00);
5145 gen_not(tmp);
5146
5147 eaddr = pcap_ether_hostton(name);
5148 if (eaddr == NULL)
5149 bpf_error(
5150 "unknown ether host '%s'", name);
5151 b = gen_ehostop(eaddr, dir);
5152 gen_and(tmp, b);
5153 free(eaddr);
5154 return b;
5155 }
5156
5157 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
5158 } else if (proto == Q_DECNET) {
5159 unsigned short dn_addr = __pcap_nametodnaddr(name);
5160 /*
5161 * I don't think DECNET hosts can be multihomed, so
5162 * there is no need to build up a list of addresses
5163 */
5164 return (gen_host(dn_addr, 0, proto, dir, q.addr));
5165 } else {
5166 #ifndef INET6
5167 alist = pcap_nametoaddr(name);
5168 if (alist == NULL || *alist == NULL)
5169 bpf_error("unknown host '%s'", name);
5170 tproto = proto;
5171 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
5172 tproto = Q_IP;
5173 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
5174 while (*alist) {
5175 tmp = gen_host(**alist++, 0xffffffff,
5176 tproto, dir, q.addr);
5177 gen_or(b, tmp);
5178 b = tmp;
5179 }
5180 return b;
5181 #else
5182 memset(&mask128, 0xff, sizeof(mask128));
5183 res0 = res = pcap_nametoaddrinfo(name);
5184 if (res == NULL)
5185 bpf_error("unknown host '%s'", name);
5186 b = tmp = NULL;
5187 tproto = tproto6 = proto;
5188 if (off_linktype == -1 && tproto == Q_DEFAULT) {
5189 tproto = Q_IP;
5190 tproto6 = Q_IPV6;
5191 }
5192 for (res = res0; res; res = res->ai_next) {
5193 switch (res->ai_family) {
5194 case AF_INET:
5195 if (tproto == Q_IPV6)
5196 continue;
5197
5198 sin4 = (struct sockaddr_in *)
5199 res->ai_addr;
5200 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
5201 0xffffffff, tproto, dir, q.addr);
5202 break;
5203 case AF_INET6:
5204 if (tproto6 == Q_IP)
5205 continue;
5206
5207 sin6 = (struct sockaddr_in6 *)
5208 res->ai_addr;
5209 tmp = gen_host6(&sin6->sin6_addr,
5210 &mask128, tproto6, dir, q.addr);
5211 break;
5212 default:
5213 continue;
5214 }
5215 if (b)
5216 gen_or(b, tmp);
5217 b = tmp;
5218 }
5219 freeaddrinfo(res0);
5220 if (b == NULL) {
5221 bpf_error("unknown host '%s'%s", name,
5222 (proto == Q_DEFAULT)
5223 ? ""
5224 : " for specified address family");
5225 }
5226 return b;
5227 #endif /*INET6*/
5228 }
5229
5230 case Q_PORT:
5231 if (proto != Q_DEFAULT &&
5232 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
5233 bpf_error("illegal qualifier of 'port'");
5234 if (pcap_nametoport(name, &port, &real_proto) == 0)
5235 bpf_error("unknown port '%s'", name);
5236 if (proto == Q_UDP) {
5237 if (real_proto == IPPROTO_TCP)
5238 bpf_error("port '%s' is tcp", name);
5239 else if (real_proto == IPPROTO_SCTP)
5240 bpf_error("port '%s' is sctp", name);
5241 else
5242 /* override PROTO_UNDEF */
5243 real_proto = IPPROTO_UDP;
5244 }
5245 if (proto == Q_TCP) {
5246 if (real_proto == IPPROTO_UDP)
5247 bpf_error("port '%s' is udp", name);
5248
5249 else if (real_proto == IPPROTO_SCTP)
5250 bpf_error("port '%s' is sctp", name);
5251 else
5252 /* override PROTO_UNDEF */
5253 real_proto = IPPROTO_TCP;
5254 }
5255 if (proto == Q_SCTP) {
5256 if (real_proto == IPPROTO_UDP)
5257 bpf_error("port '%s' is udp", name);
5258
5259 else if (real_proto == IPPROTO_TCP)
5260 bpf_error("port '%s' is tcp", name);
5261 else
5262 /* override PROTO_UNDEF */
5263 real_proto = IPPROTO_SCTP;
5264 }
5265 #ifndef INET6
5266 return gen_port(port, real_proto, dir);
5267 #else
5268 b = gen_port(port, real_proto, dir);
5269 gen_or(gen_port6(port, real_proto, dir), b);
5270 return b;
5271 #endif /* INET6 */
5272
5273 case Q_PORTRANGE:
5274 if (proto != Q_DEFAULT &&
5275 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
5276 bpf_error("illegal qualifier of 'portrange'");
5277 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
5278 bpf_error("unknown port in range '%s'", name);
5279 if (proto == Q_UDP) {
5280 if (real_proto == IPPROTO_TCP)
5281 bpf_error("port in range '%s' is tcp", name);
5282 else if (real_proto == IPPROTO_SCTP)
5283 bpf_error("port in range '%s' is sctp", name);
5284 else
5285 /* override PROTO_UNDEF */
5286 real_proto = IPPROTO_UDP;
5287 }
5288 if (proto == Q_TCP) {
5289 if (real_proto == IPPROTO_UDP)
5290 bpf_error("port in range '%s' is udp", name);
5291 else if (real_proto == IPPROTO_SCTP)
5292 bpf_error("port in range '%s' is sctp", name);
5293 else
5294 /* override PROTO_UNDEF */
5295 real_proto = IPPROTO_TCP;
5296 }
5297 if (proto == Q_SCTP) {
5298 if (real_proto == IPPROTO_UDP)
5299 bpf_error("port in range '%s' is udp", name);
5300 else if (real_proto == IPPROTO_TCP)
5301 bpf_error("port in range '%s' is tcp", name);
5302 else
5303 /* override PROTO_UNDEF */
5304 real_proto = IPPROTO_SCTP;
5305 }
5306 #ifndef INET6
5307 return gen_portrange(port1, port2, real_proto, dir);
5308 #else
5309 b = gen_portrange(port1, port2, real_proto, dir);
5310 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
5311 return b;
5312 #endif /* INET6 */
5313
5314 case Q_GATEWAY:
5315 #ifndef INET6
5316 eaddr = pcap_ether_hostton(name);
5317 if (eaddr == NULL)
5318 bpf_error("unknown ether host: %s", name);
5319
5320 alist = pcap_nametoaddr(name);
5321 if (alist == NULL || *alist == NULL)
5322 bpf_error("unknown host '%s'", name);
5323 b = gen_gateway(eaddr, alist, proto, dir);
5324 free(eaddr);
5325 return b;
5326 #else
5327 bpf_error("'gateway' not supported in this configuration");
5328 #endif /*INET6*/
5329
5330 case Q_PROTO:
5331 real_proto = lookup_proto(name, proto);
5332 if (real_proto >= 0)
5333 return gen_proto(real_proto, proto, dir);
5334 else
5335 bpf_error("unknown protocol: %s", name);
5336
5337 case Q_PROTOCHAIN:
5338 real_proto = lookup_proto(name, proto);
5339 if (real_proto >= 0)
5340 return gen_protochain(real_proto, proto, dir);
5341 else
5342 bpf_error("unknown protocol: %s", name);
5343
5344
5345 case Q_UNDEF:
5346 syntax();
5347 /* NOTREACHED */
5348 }
5349 abort();
5350 /* NOTREACHED */
5351 }
5352
5353 struct block *
5354 gen_mcode(s1, s2, masklen, q)
5355 register const char *s1, *s2;
5356 register int masklen;
5357 struct qual q;
5358 {
5359 register int nlen, mlen;
5360 bpf_u_int32 n, m;
5361
5362 nlen = __pcap_atoin(s1, &n);
5363 /* Promote short ipaddr */
5364 n <<= 32 - nlen;
5365
5366 if (s2 != NULL) {
5367 mlen = __pcap_atoin(s2, &m);
5368 /* Promote short ipaddr */
5369 m <<= 32 - mlen;
5370 if ((n & ~m) != 0)
5371 bpf_error("non-network bits set in \"%s mask %s\"",
5372 s1, s2);
5373 } else {
5374 /* Convert mask len to mask */
5375 if (masklen > 32)
5376 bpf_error("mask length must be <= 32");
5377 if (masklen == 0) {
5378 /*
5379 * X << 32 is not guaranteed by C to be 0; it's
5380 * undefined.
5381 */
5382 m = 0;
5383 } else
5384 m = 0xffffffff << (32 - masklen);
5385 if ((n & ~m) != 0)
5386 bpf_error("non-network bits set in \"%s/%d\"",
5387 s1, masklen);
5388 }
5389
5390 switch (q.addr) {
5391
5392 case Q_NET:
5393 return gen_host(n, m, q.proto, q.dir, q.addr);
5394
5395 default:
5396 bpf_error("Mask syntax for networks only");
5397 /* NOTREACHED */
5398 }
5399 /* NOTREACHED */
5400 return NULL;
5401 }
5402
5403 struct block *
5404 gen_ncode(s, v, q)
5405 register const char *s;
5406 bpf_u_int32 v;
5407 struct qual q;
5408 {
5409 bpf_u_int32 mask;
5410 int proto = q.proto;
5411 int dir = q.dir;
5412 register int vlen;
5413
5414 if (s == NULL)
5415 vlen = 32;
5416 else if (q.proto == Q_DECNET)
5417 vlen = __pcap_atodn(s, &v);
5418 else
5419 vlen = __pcap_atoin(s, &v);
5420
5421 switch (q.addr) {
5422
5423 case Q_DEFAULT:
5424 case Q_HOST:
5425 case Q_NET:
5426 if (proto == Q_DECNET)
5427 return gen_host(v, 0, proto, dir, q.addr);
5428 else if (proto == Q_LINK) {
5429 bpf_error("illegal link layer address");
5430 } else {
5431 mask = 0xffffffff;
5432 if (s == NULL && q.addr == Q_NET) {
5433 /* Promote short net number */
5434 while (v && (v & 0xff000000) == 0) {
5435 v <<= 8;
5436 mask <<= 8;
5437 }
5438 } else {
5439 /* Promote short ipaddr */
5440 v <<= 32 - vlen;
5441 mask <<= 32 - vlen;
5442 }
5443 return gen_host(v, mask, proto, dir, q.addr);
5444 }
5445
5446 case Q_PORT:
5447 if (proto == Q_UDP)
5448 proto = IPPROTO_UDP;
5449 else if (proto == Q_TCP)
5450 proto = IPPROTO_TCP;
5451 else if (proto == Q_SCTP)
5452 proto = IPPROTO_SCTP;
5453 else if (proto == Q_DEFAULT)
5454 proto = PROTO_UNDEF;
5455 else
5456 bpf_error("illegal qualifier of 'port'");
5457
5458 #ifndef INET6
5459 return gen_port((int)v, proto, dir);
5460 #else
5461 {
5462 struct block *b;
5463 b = gen_port((int)v, proto, dir);
5464 gen_or(gen_port6((int)v, proto, dir), b);
5465 return b;
5466 }
5467 #endif /* INET6 */
5468
5469 case Q_PORTRANGE:
5470 if (proto == Q_UDP)
5471 proto = IPPROTO_UDP;
5472 else if (proto == Q_TCP)
5473 proto = IPPROTO_TCP;
5474 else if (proto == Q_SCTP)
5475 proto = IPPROTO_SCTP;
5476 else if (proto == Q_DEFAULT)
5477 proto = PROTO_UNDEF;
5478 else
5479 bpf_error("illegal qualifier of 'portrange'");
5480
5481 #ifndef INET6
5482 return gen_portrange((int)v, (int)v, proto, dir);
5483 #else
5484 {
5485 struct block *b;
5486 b = gen_portrange((int)v, (int)v, proto, dir);
5487 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
5488 return b;
5489 }
5490 #endif /* INET6 */
5491
5492 case Q_GATEWAY:
5493 bpf_error("'gateway' requires a name");
5494 /* NOTREACHED */
5495
5496 case Q_PROTO:
5497 return gen_proto((int)v, proto, dir);
5498
5499 case Q_PROTOCHAIN:
5500 return gen_protochain((int)v, proto, dir);
5501
5502 case Q_UNDEF:
5503 syntax();
5504 /* NOTREACHED */
5505
5506 default:
5507 abort();
5508 /* NOTREACHED */
5509 }
5510 /* NOTREACHED */
5511 }
5512
5513 #ifdef INET6
5514 struct block *
5515 gen_mcode6(s1, s2, masklen, q)
5516 register const char *s1, *s2;
5517 register int masklen;
5518 struct qual q;
5519 {
5520 struct addrinfo *res;
5521 struct in6_addr *addr;
5522 struct in6_addr mask;
5523 struct block *b;
5524 u_int32_t *a, *m;
5525
5526 if (s2)
5527 bpf_error("no mask %s supported", s2);
5528
5529 res = pcap_nametoaddrinfo(s1);
5530 if (!res)
5531 bpf_error("invalid ip6 address %s", s1);
5532 if (res->ai_next)
5533 bpf_error("%s resolved to multiple address", s1);
5534 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
5535
5536 if (sizeof(mask) * 8 < masklen)
5537 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
5538 memset(&mask, 0, sizeof(mask));
5539 memset(&mask, 0xff, masklen / 8);
5540 if (masklen % 8) {
5541 mask.s6_addr[masklen / 8] =
5542 (0xff << (8 - masklen % 8)) & 0xff;
5543 }
5544
5545 a = (u_int32_t *)addr;
5546 m = (u_int32_t *)&mask;
5547 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
5548 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
5549 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
5550 }
5551
5552 switch (q.addr) {
5553
5554 case Q_DEFAULT:
5555 case Q_HOST:
5556 if (masklen != 128)
5557 bpf_error("Mask syntax for networks only");
5558 /* FALLTHROUGH */
5559
5560 case Q_NET:
5561 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
5562 freeaddrinfo(res);
5563 return b;
5564
5565 default:
5566 bpf_error("invalid qualifier against IPv6 address");
5567 /* NOTREACHED */
5568 }
5569 return NULL;
5570 }
5571 #endif /*INET6*/
5572
5573 struct block *
5574 gen_ecode(eaddr, q)
5575 register const u_char *eaddr;
5576 struct qual q;
5577 {
5578 struct block *b, *tmp;
5579
5580 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5581 switch (linktype) {
5582 case DLT_EN10MB:
5583 return gen_ehostop(eaddr, (int)q.dir);
5584 case DLT_FDDI:
5585 return gen_fhostop(eaddr, (int)q.dir);
5586 case DLT_IEEE802:
5587 return gen_thostop(eaddr, (int)q.dir);
5588 case DLT_IEEE802_11:
5589 case DLT_IEEE802_11_RADIO_AVS:
5590 case DLT_IEEE802_11_RADIO:
5591 case DLT_PRISM_HEADER:
5592 case DLT_PPI:
5593 return gen_wlanhostop(eaddr, (int)q.dir);
5594 case DLT_SUNATM:
5595 if (is_lane) {
5596 /*
5597 * Check that the packet doesn't begin with an
5598 * LE Control marker. (We've already generated
5599 * a test for LANE.)
5600 */
5601 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5602 0xFF00);
5603 gen_not(tmp);
5604
5605 /*
5606 * Now check the MAC address.
5607 */
5608 b = gen_ehostop(eaddr, (int)q.dir);
5609 gen_and(tmp, b);
5610 return b;
5611 }
5612 break;
5613 case DLT_IP_OVER_FC:
5614 return gen_ipfchostop(eaddr, (int)q.dir);
5615 default:
5616 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5617 break;
5618 }
5619 }
5620 bpf_error("ethernet address used in non-ether expression");
5621 /* NOTREACHED */
5622 return NULL;
5623 }
5624
5625 void
5626 sappend(s0, s1)
5627 struct slist *s0, *s1;
5628 {
5629 /*
5630 * This is definitely not the best way to do this, but the
5631 * lists will rarely get long.
5632 */
5633 while (s0->next)
5634 s0 = s0->next;
5635 s0->next = s1;
5636 }
5637
5638 static struct slist *
5639 xfer_to_x(a)
5640 struct arth *a;
5641 {
5642 struct slist *s;
5643
5644 s = new_stmt(BPF_LDX|BPF_MEM);
5645 s->s.k = a->regno;
5646 return s;
5647 }
5648
5649 static struct slist *
5650 xfer_to_a(a)
5651 struct arth *a;
5652 {
5653 struct slist *s;
5654
5655 s = new_stmt(BPF_LD|BPF_MEM);
5656 s->s.k = a->regno;
5657 return s;
5658 }
5659
5660 /*
5661 * Modify "index" to use the value stored into its register as an
5662 * offset relative to the beginning of the header for the protocol
5663 * "proto", and allocate a register and put an item "size" bytes long
5664 * (1, 2, or 4) at that offset into that register, making it the register
5665 * for "index".
5666 */
5667 struct arth *
5668 gen_load(proto, inst, size)
5669 int proto;
5670 struct arth *inst;
5671 int size;
5672 {
5673 struct slist *s, *tmp;
5674 struct block *b;
5675 int regno = alloc_reg();
5676
5677 free_reg(inst->regno);
5678 switch (size) {
5679
5680 default:
5681 bpf_error("data size must be 1, 2, or 4");
5682
5683 case 1:
5684 size = BPF_B;
5685 break;
5686
5687 case 2:
5688 size = BPF_H;
5689 break;
5690
5691 case 4:
5692 size = BPF_W;
5693 break;
5694 }
5695 switch (proto) {
5696 default:
5697 bpf_error("unsupported index operation");
5698
5699 case Q_RADIO:
5700 /*
5701 * The offset is relative to the beginning of the packet
5702 * data, if we have a radio header. (If we don't, this
5703 * is an error.)
5704 */
5705 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
5706 linktype != DLT_IEEE802_11_RADIO &&
5707 linktype != DLT_PRISM_HEADER)
5708 bpf_error("radio information not present in capture");
5709
5710 /*
5711 * Load into the X register the offset computed into the
5712 * register specifed by "index".
5713 */
5714 s = xfer_to_x(inst);
5715
5716 /*
5717 * Load the item at that offset.
5718 */
5719 tmp = new_stmt(BPF_LD|BPF_IND|size);
5720 sappend(s, tmp);
5721 sappend(inst->s, s);
5722 break;
5723
5724 case Q_LINK:
5725 /*
5726 * The offset is relative to the beginning of
5727 * the link-layer header.
5728 *
5729 * XXX - what about ATM LANE? Should the index be
5730 * relative to the beginning of the AAL5 frame, so
5731 * that 0 refers to the beginning of the LE Control
5732 * field, or relative to the beginning of the LAN
5733 * frame, so that 0 refers, for Ethernet LANE, to
5734 * the beginning of the destination address?
5735 */
5736 s = gen_llprefixlen();
5737
5738 /*
5739 * If "s" is non-null, it has code to arrange that the
5740 * X register contains the length of the prefix preceding
5741 * the link-layer header. Add to it the offset computed
5742 * into the register specified by "index", and move that
5743 * into the X register. Otherwise, just load into the X
5744 * register the offset computed into the register specifed
5745 * by "index".
5746 */
5747 if (s != NULL) {
5748 sappend(s, xfer_to_a(inst));
5749 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5750 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5751 } else
5752 s = xfer_to_x(inst);
5753
5754 /*
5755 * Load the item at the sum of the offset we've put in the
5756 * X register and the offset of the start of the link
5757 * layer header (which is 0 if the radio header is
5758 * variable-length; that header length is what we put
5759 * into the X register and then added to the index).
5760 */
5761 tmp = new_stmt(BPF_LD|BPF_IND|size);
5762 tmp->s.k = off_ll;
5763 sappend(s, tmp);
5764 sappend(inst->s, s);
5765 break;
5766
5767 case Q_IP:
5768 case Q_ARP:
5769 case Q_RARP:
5770 case Q_ATALK:
5771 case Q_DECNET:
5772 case Q_SCA:
5773 case Q_LAT:
5774 case Q_MOPRC:
5775 case Q_MOPDL:
5776 #ifdef INET6
5777 case Q_IPV6:
5778 #endif
5779 /*
5780 * The offset is relative to the beginning of
5781 * the network-layer header.
5782 * XXX - are there any cases where we want
5783 * off_nl_nosnap?
5784 */
5785 s = gen_llprefixlen();
5786
5787 /*
5788 * If "s" is non-null, it has code to arrange that the
5789 * X register contains the length of the prefix preceding
5790 * the link-layer header. Add to it the offset computed
5791 * into the register specified by "index", and move that
5792 * into the X register. Otherwise, just load into the X
5793 * register the offset computed into the register specifed
5794 * by "index".
5795 */
5796 if (s != NULL) {
5797 sappend(s, xfer_to_a(inst));
5798 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5799 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5800 } else
5801 s = xfer_to_x(inst);
5802
5803 /*
5804 * Load the item at the sum of the offset we've put in the
5805 * X register, the offset of the start of the network
5806 * layer header, and the offset of the start of the link
5807 * layer header (which is 0 if the radio header is
5808 * variable-length; that header length is what we put
5809 * into the X register and then added to the index).
5810 */
5811 tmp = new_stmt(BPF_LD|BPF_IND|size);
5812 tmp->s.k = off_ll + off_nl;
5813 sappend(s, tmp);
5814 sappend(inst->s, s);
5815
5816 /*
5817 * Do the computation only if the packet contains
5818 * the protocol in question.
5819 */
5820 b = gen_proto_abbrev(proto);
5821 if (inst->b)
5822 gen_and(inst->b, b);
5823 inst->b = b;
5824 break;
5825
5826 case Q_SCTP:
5827 case Q_TCP:
5828 case Q_UDP:
5829 case Q_ICMP:
5830 case Q_IGMP:
5831 case Q_IGRP:
5832 case Q_PIM:
5833 case Q_VRRP:
5834 /*
5835 * The offset is relative to the beginning of
5836 * the transport-layer header.
5837 *
5838 * Load the X register with the length of the IPv4 header
5839 * (plus the offset of the link-layer header, if it's
5840 * a variable-length header), in bytes.
5841 *
5842 * XXX - are there any cases where we want
5843 * off_nl_nosnap?
5844 * XXX - we should, if we're built with
5845 * IPv6 support, generate code to load either
5846 * IPv4, IPv6, or both, as appropriate.
5847 */
5848 s = gen_loadx_iphdrlen();
5849
5850 /*
5851 * The X register now contains the sum of the length
5852 * of any variable-length header preceding the link-layer
5853 * header and the length of the network-layer header.
5854 * Load into the A register the offset relative to
5855 * the beginning of the transport layer header,
5856 * add the X register to that, move that to the
5857 * X register, and load with an offset from the
5858 * X register equal to the offset of the network
5859 * layer header relative to the beginning of
5860 * the link-layer header plus the length of any
5861 * fixed-length header preceding the link-layer
5862 * header.
5863 */
5864 sappend(s, xfer_to_a(inst));
5865 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5866 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5867 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
5868 tmp->s.k = off_ll + off_nl;
5869 sappend(inst->s, s);
5870
5871 /*
5872 * Do the computation only if the packet contains
5873 * the protocol in question - which is true only
5874 * if this is an IP datagram and is the first or
5875 * only fragment of that datagram.
5876 */
5877 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
5878 if (inst->b)
5879 gen_and(inst->b, b);
5880 #ifdef INET6
5881 gen_and(gen_proto_abbrev(Q_IP), b);
5882 #endif
5883 inst->b = b;
5884 break;
5885 #ifdef INET6
5886 case Q_ICMPV6:
5887 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
5888 /*NOTREACHED*/
5889 #endif
5890 }
5891 inst->regno = regno;
5892 s = new_stmt(BPF_ST);
5893 s->s.k = regno;
5894 sappend(inst->s, s);
5895
5896 return inst;
5897 }
5898
5899 struct block *
5900 gen_relation(code, a0, a1, reversed)
5901 int code;
5902 struct arth *a0, *a1;
5903 int reversed;
5904 {
5905 struct slist *s0, *s1, *s2;
5906 struct block *b, *tmp;
5907
5908 s0 = xfer_to_x(a1);
5909 s1 = xfer_to_a(a0);
5910 if (code == BPF_JEQ) {
5911 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
5912 b = new_block(JMP(code));
5913 sappend(s1, s2);
5914 }
5915 else
5916 b = new_block(BPF_JMP|code|BPF_X);
5917 if (reversed)
5918 gen_not(b);
5919
5920 sappend(s0, s1);
5921 sappend(a1->s, s0);
5922 sappend(a0->s, a1->s);
5923
5924 b->stmts = a0->s;
5925
5926 free_reg(a0->regno);
5927 free_reg(a1->regno);
5928
5929 /* 'and' together protocol checks */
5930 if (a0->b) {
5931 if (a1->b) {
5932 gen_and(a0->b, tmp = a1->b);
5933 }
5934 else
5935 tmp = a0->b;
5936 } else
5937 tmp = a1->b;
5938
5939 if (tmp)
5940 gen_and(tmp, b);
5941
5942 return b;
5943 }
5944
5945 struct arth *
5946 gen_loadlen()
5947 {
5948 int regno = alloc_reg();
5949 struct arth *a = (struct arth *)newchunk(sizeof(*a));
5950 struct slist *s;
5951
5952 s = new_stmt(BPF_LD|BPF_LEN);
5953 s->next = new_stmt(BPF_ST);
5954 s->next->s.k = regno;
5955 a->s = s;
5956 a->regno = regno;
5957
5958 return a;
5959 }
5960
5961 struct arth *
5962 gen_loadi(val)
5963 int val;
5964 {
5965 struct arth *a;
5966 struct slist *s;
5967 int reg;
5968
5969 a = (struct arth *)newchunk(sizeof(*a));
5970
5971 reg = alloc_reg();
5972
5973 s = new_stmt(BPF_LD|BPF_IMM);
5974 s->s.k = val;
5975 s->next = new_stmt(BPF_ST);
5976 s->next->s.k = reg;
5977 a->s = s;
5978 a->regno = reg;
5979
5980 return a;
5981 }
5982
5983 struct arth *
5984 gen_neg(a)
5985 struct arth *a;
5986 {
5987 struct slist *s;
5988
5989 s = xfer_to_a(a);
5990 sappend(a->s, s);
5991 s = new_stmt(BPF_ALU|BPF_NEG);
5992 s->s.k = 0;
5993 sappend(a->s, s);
5994 s = new_stmt(BPF_ST);
5995 s->s.k = a->regno;
5996 sappend(a->s, s);
5997
5998 return a;
5999 }
6000
6001 struct arth *
6002 gen_arth(code, a0, a1)
6003 int code;
6004 struct arth *a0, *a1;
6005 {
6006 struct slist *s0, *s1, *s2;
6007
6008 s0 = xfer_to_x(a1);
6009 s1 = xfer_to_a(a0);
6010 s2 = new_stmt(BPF_ALU|BPF_X|code);
6011
6012 sappend(s1, s2);
6013 sappend(s0, s1);
6014 sappend(a1->s, s0);
6015 sappend(a0->s, a1->s);
6016
6017 free_reg(a0->regno);
6018 free_reg(a1->regno);
6019
6020 s0 = new_stmt(BPF_ST);
6021 a0->regno = s0->s.k = alloc_reg();
6022 sappend(a0->s, s0);
6023
6024 return a0;
6025 }
6026
6027 /*
6028 * Here we handle simple allocation of the scratch registers.
6029 * If too many registers are alloc'd, the allocator punts.
6030 */
6031 static int regused[BPF_MEMWORDS];
6032 static int curreg;
6033
6034 /*
6035 * Return the next free register.
6036 */
6037 static int
6038 alloc_reg()
6039 {
6040 int n = BPF_MEMWORDS;
6041
6042 while (--n >= 0) {
6043 if (regused[curreg])
6044 curreg = (curreg + 1) % BPF_MEMWORDS;
6045 else {
6046 regused[curreg] = 1;
6047 return curreg;
6048 }
6049 }
6050 bpf_error("too many registers needed to evaluate expression");
6051 /* NOTREACHED */
6052 return 0;
6053 }
6054
6055 /*
6056 * Return a register to the table so it can
6057 * be used later.
6058 */
6059 static void
6060 free_reg(n)
6061 int n;
6062 {
6063 regused[n] = 0;
6064 }
6065
6066 static struct block *
6067 gen_len(jmp, n)
6068 int jmp, n;
6069 {
6070 struct slist *s;
6071 struct block *b;
6072
6073 s = new_stmt(BPF_LD|BPF_LEN);
6074 b = new_block(JMP(jmp));
6075 b->stmts = s;
6076 b->s.k = n;
6077
6078 return b;
6079 }
6080
6081 struct block *
6082 gen_greater(n)
6083 int n;
6084 {
6085 return gen_len(BPF_JGE, n);
6086 }
6087
6088 /*
6089 * Actually, this is less than or equal.
6090 */
6091 struct block *
6092 gen_less(n)
6093 int n;
6094 {
6095 struct block *b;
6096
6097 b = gen_len(BPF_JGT, n);
6098 gen_not(b);
6099
6100 return b;
6101 }
6102
6103 /*
6104 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
6105 * the beginning of the link-layer header.
6106 * XXX - that means you can't test values in the radiotap header, but
6107 * as that header is difficult if not impossible to parse generally
6108 * without a loop, that might not be a severe problem. A new keyword
6109 * "radio" could be added for that, although what you'd really want
6110 * would be a way of testing particular radio header values, which
6111 * would generate code appropriate to the radio header in question.
6112 */
6113 struct block *
6114 gen_byteop(op, idx, val)
6115 int op, idx, val;
6116 {
6117 struct block *b;
6118 struct slist *s;
6119
6120 switch (op) {
6121 default:
6122 abort();
6123
6124 case '=':
6125 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6126
6127 case '<':
6128 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6129 return b;
6130
6131 case '>':
6132 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6133 return b;
6134
6135 case '|':
6136 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
6137 break;
6138
6139 case '&':
6140 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
6141 break;
6142 }
6143 s->s.k = val;
6144 b = new_block(JMP(BPF_JEQ));
6145 b->stmts = s;
6146 gen_not(b);
6147
6148 return b;
6149 }
6150
6151 static u_char abroadcast[] = { 0x0 };
6152
6153 struct block *
6154 gen_broadcast(proto)
6155 int proto;
6156 {
6157 bpf_u_int32 hostmask;
6158 struct block *b0, *b1, *b2;
6159 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
6160
6161 switch (proto) {
6162
6163 case Q_DEFAULT:
6164 case Q_LINK:
6165 switch (linktype) {
6166 case DLT_ARCNET:
6167 case DLT_ARCNET_LINUX:
6168 return gen_ahostop(abroadcast, Q_DST);
6169 case DLT_EN10MB:
6170 return gen_ehostop(ebroadcast, Q_DST);
6171 case DLT_FDDI:
6172 return gen_fhostop(ebroadcast, Q_DST);
6173 case DLT_IEEE802:
6174 return gen_thostop(ebroadcast, Q_DST);
6175 case DLT_IEEE802_11:
6176 case DLT_IEEE802_11_RADIO_AVS:
6177 case DLT_IEEE802_11_RADIO:
6178 case DLT_PPI:
6179 case DLT_PRISM_HEADER:
6180 return gen_wlanhostop(ebroadcast, Q_DST);
6181 case DLT_IP_OVER_FC:
6182 return gen_ipfchostop(ebroadcast, Q_DST);
6183 case DLT_SUNATM:
6184 if (is_lane) {
6185 /*
6186 * Check that the packet doesn't begin with an
6187 * LE Control marker. (We've already generated
6188 * a test for LANE.)
6189 */
6190 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6191 BPF_H, 0xFF00);
6192 gen_not(b1);
6193
6194 /*
6195 * Now check the MAC address.
6196 */
6197 b0 = gen_ehostop(ebroadcast, Q_DST);
6198 gen_and(b1, b0);
6199 return b0;
6200 }
6201 break;
6202 default:
6203 bpf_error("not a broadcast link");
6204 }
6205 break;
6206
6207 case Q_IP:
6208 b0 = gen_linktype(ETHERTYPE_IP);
6209 hostmask = ~netmask;
6210 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
6211 b2 = gen_mcmp(OR_NET, 16, BPF_W,
6212 (bpf_int32)(~0 & hostmask), hostmask);
6213 gen_or(b1, b2);
6214 gen_and(b0, b2);
6215 return b2;
6216 }
6217 bpf_error("only link-layer/IP broadcast filters supported");
6218 /* NOTREACHED */
6219 return NULL;
6220 }
6221
6222 /*
6223 * Generate code to test the low-order bit of a MAC address (that's
6224 * the bottom bit of the *first* byte).
6225 */
6226 static struct block *
6227 gen_mac_multicast(offset)
6228 int offset;
6229 {
6230 register struct block *b0;
6231 register struct slist *s;
6232
6233 /* link[offset] & 1 != 0 */
6234 s = gen_load_a(OR_LINK, offset, BPF_B);
6235 b0 = new_block(JMP(BPF_JSET));
6236 b0->s.k = 1;
6237 b0->stmts = s;
6238 return b0;
6239 }
6240
6241 struct block *
6242 gen_multicast(proto)
6243 int proto;
6244 {
6245 register struct block *b0, *b1, *b2;
6246 register struct slist *s;
6247
6248 switch (proto) {
6249
6250 case Q_DEFAULT:
6251 case Q_LINK:
6252 switch (linktype) {
6253 case DLT_ARCNET:
6254 case DLT_ARCNET_LINUX:
6255 /* all ARCnet multicasts use the same address */
6256 return gen_ahostop(abroadcast, Q_DST);
6257 case DLT_EN10MB:
6258 /* ether[0] & 1 != 0 */
6259 return gen_mac_multicast(0);
6260 case DLT_FDDI:
6261 /*
6262 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
6263 *
6264 * XXX - was that referring to bit-order issues?
6265 */
6266 /* fddi[1] & 1 != 0 */
6267 return gen_mac_multicast(1);
6268 case DLT_IEEE802:
6269 /* tr[2] & 1 != 0 */
6270 return gen_mac_multicast(2);
6271 case DLT_IEEE802_11:
6272 case DLT_IEEE802_11_RADIO_AVS:
6273 case DLT_PPI:
6274 case DLT_IEEE802_11_RADIO:
6275 case DLT_PRISM_HEADER:
6276 /*
6277 * Oh, yuk.
6278 *
6279 * For control frames, there is no DA.
6280 *
6281 * For management frames, DA is at an
6282 * offset of 4 from the beginning of
6283 * the packet.
6284 *
6285 * For data frames, DA is at an offset
6286 * of 4 from the beginning of the packet
6287 * if To DS is clear and at an offset of
6288 * 16 from the beginning of the packet
6289 * if To DS is set.
6290 */
6291
6292 /*
6293 * Generate the tests to be done for data frames.
6294 *
6295 * First, check for To DS set, i.e. "link[1] & 0x01".
6296 */
6297 s = gen_load_a(OR_LINK, 1, BPF_B);
6298 b1 = new_block(JMP(BPF_JSET));
6299 b1->s.k = 0x01; /* To DS */
6300 b1->stmts = s;
6301
6302 /*
6303 * If To DS is set, the DA is at 16.
6304 */
6305 b0 = gen_mac_multicast(16);
6306 gen_and(b1, b0);
6307
6308 /*
6309 * Now, check for To DS not set, i.e. check
6310 * "!(link[1] & 0x01)".
6311 */
6312 s = gen_load_a(OR_LINK, 1, BPF_B);
6313 b2 = new_block(JMP(BPF_JSET));
6314 b2->s.k = 0x01; /* To DS */
6315 b2->stmts = s;
6316 gen_not(b2);
6317
6318 /*
6319 * If To DS is not set, the DA is at 4.
6320 */
6321 b1 = gen_mac_multicast(4);
6322 gen_and(b2, b1);
6323
6324 /*
6325 * Now OR together the last two checks. That gives
6326 * the complete set of checks for data frames.
6327 */
6328 gen_or(b1, b0);
6329
6330 /*
6331 * Now check for a data frame.
6332 * I.e, check "link[0] & 0x08".
6333 */
6334 s = gen_load_a(OR_LINK, 0, BPF_B);
6335 b1 = new_block(JMP(BPF_JSET));
6336 b1->s.k = 0x08;
6337 b1->stmts = s;
6338
6339 /*
6340 * AND that with the checks done for data frames.
6341 */
6342 gen_and(b1, b0);
6343
6344 /*
6345 * If the high-order bit of the type value is 0, this
6346 * is a management frame.
6347 * I.e, check "!(link[0] & 0x08)".
6348 */
6349 s = gen_load_a(OR_LINK, 0, BPF_B);
6350 b2 = new_block(JMP(BPF_JSET));
6351 b2->s.k = 0x08;
6352 b2->stmts = s;
6353 gen_not(b2);
6354
6355 /*
6356 * For management frames, the DA is at 4.
6357 */
6358 b1 = gen_mac_multicast(4);
6359 gen_and(b2, b1);
6360
6361 /*
6362 * OR that with the checks done for data frames.
6363 * That gives the checks done for management and
6364 * data frames.
6365 */
6366 gen_or(b1, b0);
6367
6368 /*
6369 * If the low-order bit of the type value is 1,
6370 * this is either a control frame or a frame
6371 * with a reserved type, and thus not a
6372 * frame with an SA.
6373 *
6374 * I.e., check "!(link[0] & 0x04)".
6375 */
6376 s = gen_load_a(OR_LINK, 0, BPF_B);
6377 b1 = new_block(JMP(BPF_JSET));
6378 b1->s.k = 0x04;
6379 b1->stmts = s;
6380 gen_not(b1);
6381
6382 /*
6383 * AND that with the checks for data and management
6384 * frames.
6385 */
6386 gen_and(b1, b0);
6387 return b0;
6388 case DLT_IP_OVER_FC:
6389 b0 = gen_mac_multicast(2);
6390 return b0;
6391 case DLT_SUNATM:
6392 if (is_lane) {
6393 /*
6394 * Check that the packet doesn't begin with an
6395 * LE Control marker. (We've already generated
6396 * a test for LANE.)
6397 */
6398 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6399 BPF_H, 0xFF00);
6400 gen_not(b1);
6401
6402 /* ether[off_mac] & 1 != 0 */
6403 b0 = gen_mac_multicast(off_mac);
6404 gen_and(b1, b0);
6405 return b0;
6406 }
6407 break;
6408 default:
6409 break;
6410 }
6411 /* Link not known to support multicasts */
6412 break;
6413
6414 case Q_IP:
6415 b0 = gen_linktype(ETHERTYPE_IP);
6416 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
6417 gen_and(b0, b1);
6418 return b1;
6419
6420 #ifdef INET6
6421 case Q_IPV6:
6422 b0 = gen_linktype(ETHERTYPE_IPV6);
6423 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
6424 gen_and(b0, b1);
6425 return b1;
6426 #endif /* INET6 */
6427 }
6428 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
6429 /* NOTREACHED */
6430 return NULL;
6431 }
6432
6433 /*
6434 * generate command for inbound/outbound. It's here so we can
6435 * make it link-type specific. 'dir' = 0 implies "inbound",
6436 * = 1 implies "outbound".
6437 */
6438 struct block *
6439 gen_inbound(dir)
6440 int dir;
6441 {
6442 register struct block *b0;
6443
6444 /*
6445 * Only some data link types support inbound/outbound qualifiers.
6446 */
6447 switch (linktype) {
6448 case DLT_SLIP:
6449 b0 = gen_relation(BPF_JEQ,
6450 gen_load(Q_LINK, gen_loadi(0), 1),
6451 gen_loadi(0),
6452 dir);
6453 break;
6454
6455 case DLT_LINUX_SLL:
6456 if (dir) {
6457 /*
6458 * Match packets sent by this machine.
6459 */
6460 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
6461 } else {
6462 /*
6463 * Match packets sent to this machine.
6464 * (No broadcast or multicast packets, or
6465 * packets sent to some other machine and
6466 * received promiscuously.)
6467 *
6468 * XXX - packets sent to other machines probably
6469 * shouldn't be matched, but what about broadcast
6470 * or multicast packets we received?
6471 */
6472 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
6473 }
6474 break;
6475
6476 #ifdef HAVE_NET_PFVAR_H
6477 case DLT_PFLOG:
6478 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
6479 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
6480 break;
6481 #endif
6482
6483 case DLT_PPP_PPPD:
6484 if (dir) {
6485 /* match outgoing packets */
6486 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
6487 } else {
6488 /* match incoming packets */
6489 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
6490 }
6491 break;
6492
6493 case DLT_JUNIPER_MFR:
6494 case DLT_JUNIPER_MLFR:
6495 case DLT_JUNIPER_MLPPP:
6496 case DLT_JUNIPER_ATM1:
6497 case DLT_JUNIPER_ATM2:
6498 case DLT_JUNIPER_PPPOE:
6499 case DLT_JUNIPER_PPPOE_ATM:
6500 case DLT_JUNIPER_GGSN:
6501 case DLT_JUNIPER_ES:
6502 case DLT_JUNIPER_MONITOR:
6503 case DLT_JUNIPER_SERVICES:
6504 case DLT_JUNIPER_ETHER:
6505 case DLT_JUNIPER_PPP:
6506 case DLT_JUNIPER_FRELAY:
6507 case DLT_JUNIPER_CHDLC:
6508 case DLT_JUNIPER_VP:
6509 case DLT_JUNIPER_ST:
6510 case DLT_JUNIPER_ISM:
6511 /* juniper flags (including direction) are stored
6512 * the byte after the 3-byte magic number */
6513 if (dir) {
6514 /* match outgoing packets */
6515 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
6516 } else {
6517 /* match incoming packets */
6518 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
6519 }
6520 break;
6521
6522 default:
6523 bpf_error("inbound/outbound not supported on linktype %d",
6524 linktype);
6525 b0 = NULL;
6526 /* NOTREACHED */
6527 }
6528 return (b0);
6529 }
6530
6531 #ifdef HAVE_NET_PFVAR_H
6532 /* PF firewall log matched interface */
6533 struct block *
6534 gen_pf_ifname(const char *ifname)
6535 {
6536 struct block *b0;
6537 u_int len, off;
6538
6539 if (linktype != DLT_PFLOG) {
6540 bpf_error("ifname supported only on PF linktype");
6541 /* NOTREACHED */
6542 }
6543 len = sizeof(((struct pfloghdr *)0)->ifname);
6544 off = offsetof(struct pfloghdr, ifname);
6545 if (strlen(ifname) >= len) {
6546 bpf_error("ifname interface names can only be %d characters",
6547 len-1);
6548 /* NOTREACHED */
6549 }
6550 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
6551 return (b0);
6552 }
6553
6554 /* PF firewall log ruleset name */
6555 struct block *
6556 gen_pf_ruleset(char *ruleset)
6557 {
6558 struct block *b0;
6559
6560 if (linktype != DLT_PFLOG) {
6561 bpf_error("ruleset supported only on PF linktype");
6562 /* NOTREACHED */
6563 }
6564
6565 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
6566 bpf_error("ruleset names can only be %ld characters",
6567 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
6568 /* NOTREACHED */
6569 }
6570
6571 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
6572 strlen(ruleset), (const u_char *)ruleset);
6573 return (b0);
6574 }
6575
6576 /* PF firewall log rule number */
6577 struct block *
6578 gen_pf_rnr(int rnr)
6579 {
6580 struct block *b0;
6581
6582 if (linktype != DLT_PFLOG) {
6583 bpf_error("rnr supported only on PF linktype");
6584 /* NOTREACHED */
6585 }
6586
6587 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
6588 (bpf_int32)rnr);
6589 return (b0);
6590 }
6591
6592 /* PF firewall log sub-rule number */
6593 struct block *
6594 gen_pf_srnr(int srnr)
6595 {
6596 struct block *b0;
6597
6598 if (linktype != DLT_PFLOG) {
6599 bpf_error("srnr supported only on PF linktype");
6600 /* NOTREACHED */
6601 }
6602
6603 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
6604 (bpf_int32)srnr);
6605 return (b0);
6606 }
6607
6608 /* PF firewall log reason code */
6609 struct block *
6610 gen_pf_reason(int reason)
6611 {
6612 struct block *b0;
6613
6614 if (linktype != DLT_PFLOG) {
6615 bpf_error("reason supported only on PF linktype");
6616 /* NOTREACHED */
6617 }
6618
6619 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
6620 (bpf_int32)reason);
6621 return (b0);
6622 }
6623
6624 /* PF firewall log action */
6625 struct block *
6626 gen_pf_action(int action)
6627 {
6628 struct block *b0;
6629
6630 if (linktype != DLT_PFLOG) {
6631 bpf_error("action supported only on PF linktype");
6632 /* NOTREACHED */
6633 }
6634
6635 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
6636 (bpf_int32)action);
6637 return (b0);
6638 }
6639 #else /* !HAVE_NET_PFVAR_H */
6640 struct block *
6641 gen_pf_ifname(const char *ifname)
6642 {
6643 bpf_error("libpcap was compiled without pf support");
6644 /* NOTREACHED */
6645 return (NULL);
6646 }
6647
6648 struct block *
6649 gen_pf_ruleset(char *ruleset)
6650 {
6651 bpf_error("libpcap was compiled on a machine without pf support");
6652 /* NOTREACHED */
6653 return (NULL);
6654 }
6655
6656 struct block *
6657 gen_pf_rnr(int rnr)
6658 {
6659 bpf_error("libpcap was compiled on a machine without pf support");
6660 /* NOTREACHED */
6661 return (NULL);
6662 }
6663
6664 struct block *
6665 gen_pf_srnr(int srnr)
6666 {
6667 bpf_error("libpcap was compiled on a machine without pf support");
6668 /* NOTREACHED */
6669 return (NULL);
6670 }
6671
6672 struct block *
6673 gen_pf_reason(int reason)
6674 {
6675 bpf_error("libpcap was compiled on a machine without pf support");
6676 /* NOTREACHED */
6677 return (NULL);
6678 }
6679
6680 struct block *
6681 gen_pf_action(int action)
6682 {
6683 bpf_error("libpcap was compiled on a machine without pf support");
6684 /* NOTREACHED */
6685 return (NULL);
6686 }
6687 #endif /* HAVE_NET_PFVAR_H */
6688
6689 /* IEEE 802.11 wireless header */
6690 struct block *
6691 gen_p80211_type(int type, int mask)
6692 {
6693 struct block *b0;
6694
6695 switch (linktype) {
6696
6697 case DLT_IEEE802_11:
6698 case DLT_PRISM_HEADER:
6699 case DLT_IEEE802_11_RADIO_AVS:
6700 case DLT_IEEE802_11_RADIO:
6701 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
6702 (bpf_int32)mask);
6703 break;
6704
6705 default:
6706 bpf_error("802.11 link-layer types supported only on 802.11");
6707 /* NOTREACHED */
6708 }
6709 return (b0);
6710 }
6711
6712 struct block *
6713 gen_acode(eaddr, q)
6714 register const u_char *eaddr;
6715 struct qual q;
6716 {
6717 switch (linktype) {
6718
6719 case DLT_ARCNET:
6720 case DLT_ARCNET_LINUX:
6721 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
6722 q.proto == Q_LINK)
6723 return (gen_ahostop(eaddr, (int)q.dir));
6724 else {
6725 bpf_error("ARCnet address used in non-arc expression");
6726 /* NOTREACHED */
6727 }
6728 break;
6729
6730 default:
6731 bpf_error("aid supported only on ARCnet");
6732 /* NOTREACHED */
6733 }
6734 bpf_error("ARCnet address used in non-arc expression");
6735 /* NOTREACHED */
6736 return NULL;
6737 }
6738
6739 static struct block *
6740 gen_ahostop(eaddr, dir)
6741 register const u_char *eaddr;
6742 register int dir;
6743 {
6744 register struct block *b0, *b1;
6745
6746 switch (dir) {
6747 /* src comes first, different from Ethernet */
6748 case Q_SRC:
6749 return gen_bcmp(OR_LINK, 0, 1, eaddr);
6750
6751 case Q_DST:
6752 return gen_bcmp(OR_LINK, 1, 1, eaddr);
6753
6754 case Q_AND:
6755 b0 = gen_ahostop(eaddr, Q_SRC);
6756 b1 = gen_ahostop(eaddr, Q_DST);
6757 gen_and(b0, b1);
6758 return b1;
6759
6760 case Q_DEFAULT:
6761 case Q_OR:
6762 b0 = gen_ahostop(eaddr, Q_SRC);
6763 b1 = gen_ahostop(eaddr, Q_DST);
6764 gen_or(b0, b1);
6765 return b1;
6766 }
6767 abort();
6768 /* NOTREACHED */
6769 }
6770
6771 /*
6772 * support IEEE 802.1Q VLAN trunk over ethernet
6773 */
6774 struct block *
6775 gen_vlan(vlan_num)
6776 int vlan_num;
6777 {
6778 struct block *b0, *b1;
6779
6780 /* can't check for VLAN-encapsulated packets inside MPLS */
6781 if (label_stack_depth > 0)
6782 bpf_error("no VLAN match after MPLS");
6783
6784 /*
6785 * Change the offsets to point to the type and data fields within
6786 * the VLAN packet. Just increment the offsets, so that we
6787 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to
6788 * capture VLAN 200 encapsulated within VLAN 100.
6789 *
6790 * XXX - this is a bit of a kludge. If we were to split the
6791 * compiler into a parser that parses an expression and
6792 * generates an expression tree, and a code generator that
6793 * takes an expression tree (which could come from our
6794 * parser or from some other parser) and generates BPF code,
6795 * we could perhaps make the offsets parameters of routines
6796 * and, in the handler for an "AND" node, pass to subnodes
6797 * other than the VLAN node the adjusted offsets.
6798 *
6799 * This would mean that "vlan" would, instead of changing the
6800 * behavior of *all* tests after it, change only the behavior
6801 * of tests ANDed with it. That would change the documented
6802 * semantics of "vlan", which might break some expressions.
6803 * However, it would mean that "(vlan and ip) or ip" would check
6804 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6805 * checking only for VLAN-encapsulated IP, so that could still
6806 * be considered worth doing; it wouldn't break expressions
6807 * that are of the form "vlan and ..." or "vlan N and ...",
6808 * which I suspect are the most common expressions involving
6809 * "vlan". "vlan or ..." doesn't necessarily do what the user
6810 * would really want, now, as all the "or ..." tests would
6811 * be done assuming a VLAN, even though the "or" could be viewed
6812 * as meaning "or, if this isn't a VLAN packet...".
6813 */
6814 orig_linktype = off_linktype; /* save original values */
6815 orig_nl = off_nl;
6816
6817 switch (linktype) {
6818
6819 case DLT_EN10MB:
6820 off_linktype += 4;
6821 off_nl_nosnap += 4;
6822 off_nl += 4;
6823 break;
6824
6825 default:
6826 bpf_error("no VLAN support for data link type %d",
6827 linktype);
6828 /*NOTREACHED*/
6829 }
6830
6831 /* check for VLAN */
6832 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
6833
6834 /* If a specific VLAN is requested, check VLAN id */
6835 if (vlan_num >= 0) {
6836 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num,
6837 0x0fff);
6838 gen_and(b0, b1);
6839 b0 = b1;
6840 }
6841
6842 return (b0);
6843 }
6844
6845 /*
6846 * support for MPLS
6847 */
6848 struct block *
6849 gen_mpls(label_num)
6850 int label_num;
6851 {
6852 struct block *b0,*b1;
6853
6854 /*
6855 * Change the offsets to point to the type and data fields within
6856 * the MPLS packet. Just increment the offsets, so that we
6857 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
6858 * capture packets with an outer label of 100000 and an inner
6859 * label of 1024.
6860 *
6861 * XXX - this is a bit of a kludge. See comments in gen_vlan().
6862 */
6863 orig_nl = off_nl;
6864
6865 if (label_stack_depth > 0) {
6866 /* just match the bottom-of-stack bit clear */
6867 b0 = gen_mcmp(OR_LINK, orig_nl-2, BPF_B, 0, 0x01);
6868 } else {
6869 /*
6870 * Indicate that we're checking MPLS-encapsulated headers,
6871 * to make sure higher level code generators don't try to
6872 * match against IP-related protocols such as Q_ARP, Q_RARP
6873 * etc.
6874 */
6875 switch (linktype) {
6876
6877 case DLT_C_HDLC: /* fall through */
6878 case DLT_EN10MB:
6879 b0 = gen_linktype(ETHERTYPE_MPLS);
6880 break;
6881
6882 case DLT_PPP:
6883 b0 = gen_linktype(PPP_MPLS_UCAST);
6884 break;
6885
6886 /* FIXME add other DLT_s ...
6887 * for Frame-Relay/and ATM this may get messy due to SNAP headers
6888 * leave it for now */
6889
6890 default:
6891 bpf_error("no MPLS support for data link type %d",
6892 linktype);
6893 b0 = NULL;
6894 /*NOTREACHED*/
6895 break;
6896 }
6897 }
6898
6899 /* If a specific MPLS label is requested, check it */
6900 if (label_num >= 0) {
6901 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
6902 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num,
6903 0xfffff000); /* only compare the first 20 bits */
6904 gen_and(b0, b1);
6905 b0 = b1;
6906 }
6907
6908 off_nl_nosnap += 4;
6909 off_nl += 4;
6910 label_stack_depth++;
6911 return (b0);
6912 }
6913
6914 /*
6915 * Support PPPOE discovery and session.
6916 */
6917 struct block *
6918 gen_pppoed()
6919 {
6920 /* check for PPPoE discovery */
6921 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
6922 }
6923
6924 struct block *
6925 gen_pppoes()
6926 {
6927 struct block *b0;
6928
6929 /*
6930 * Test against the PPPoE session link-layer type.
6931 */
6932 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
6933
6934 /*
6935 * Change the offsets to point to the type and data fields within
6936 * the PPP packet.
6937 *
6938 * XXX - this is a bit of a kludge. If we were to split the
6939 * compiler into a parser that parses an expression and
6940 * generates an expression tree, and a code generator that
6941 * takes an expression tree (which could come from our
6942 * parser or from some other parser) and generates BPF code,
6943 * we could perhaps make the offsets parameters of routines
6944 * and, in the handler for an "AND" node, pass to subnodes
6945 * other than the PPPoE node the adjusted offsets.
6946 *
6947 * This would mean that "pppoes" would, instead of changing the
6948 * behavior of *all* tests after it, change only the behavior
6949 * of tests ANDed with it. That would change the documented
6950 * semantics of "pppoes", which might break some expressions.
6951 * However, it would mean that "(pppoes and ip) or ip" would check
6952 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6953 * checking only for VLAN-encapsulated IP, so that could still
6954 * be considered worth doing; it wouldn't break expressions
6955 * that are of the form "pppoes and ..." which I suspect are the
6956 * most common expressions involving "pppoes". "pppoes or ..."
6957 * doesn't necessarily do what the user would really want, now,
6958 * as all the "or ..." tests would be done assuming PPPoE, even
6959 * though the "or" could be viewed as meaning "or, if this isn't
6960 * a PPPoE packet...".
6961 */
6962 orig_linktype = off_linktype; /* save original values */
6963 orig_nl = off_nl;
6964
6965 /*
6966 * The "network-layer" protocol is PPPoE, which has a 6-byte
6967 * PPPoE header, followed by PPP payload, so we set the
6968 * offsets to the network layer offset plus 6 bytes for
6969 * the PPPoE header plus the values appropriate for PPP when
6970 * encapsulated in Ethernet (which means there's no HDLC
6971 * encapsulation).
6972 */
6973 off_linktype = orig_nl + 6;
6974 off_nl = orig_nl + 6 + 2;
6975 off_nl_nosnap = orig_nl + 6 + 2;
6976
6977 /*
6978 * Set the link-layer type to PPP, as all subsequent tests will
6979 * be on the encapsulated PPP header.
6980 */
6981 linktype = DLT_PPP;
6982
6983 return b0;
6984 }
6985
6986 struct block *
6987 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
6988 int atmfield;
6989 bpf_int32 jvalue;
6990 bpf_u_int32 jtype;
6991 int reverse;
6992 {
6993 struct block *b0;
6994
6995 switch (atmfield) {
6996
6997 case A_VPI:
6998 if (!is_atm)
6999 bpf_error("'vpi' supported only on raw ATM");
7000 if (off_vpi == (u_int)-1)
7001 abort();
7002 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
7003 reverse, jvalue);
7004 break;
7005
7006 case A_VCI:
7007 if (!is_atm)
7008 bpf_error("'vci' supported only on raw ATM");
7009 if (off_vci == (u_int)-1)
7010 abort();
7011 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
7012 reverse, jvalue);
7013 break;
7014
7015 case A_PROTOTYPE:
7016 if (off_proto == (u_int)-1)
7017 abort(); /* XXX - this isn't on FreeBSD */
7018 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
7019 reverse, jvalue);
7020 break;
7021
7022 case A_MSGTYPE:
7023 if (off_payload == (u_int)-1)
7024 abort();
7025 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
7026 0xffffffff, jtype, reverse, jvalue);
7027 break;
7028
7029 case A_CALLREFTYPE:
7030 if (!is_atm)
7031 bpf_error("'callref' supported only on raw ATM");
7032 if (off_proto == (u_int)-1)
7033 abort();
7034 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
7035 jtype, reverse, jvalue);
7036 break;
7037
7038 default:
7039 abort();
7040 }
7041 return b0;
7042 }
7043
7044 struct block *
7045 gen_atmtype_abbrev(type)
7046 int type;
7047 {
7048 struct block *b0, *b1;
7049
7050 switch (type) {
7051
7052 case A_METAC:
7053 /* Get all packets in Meta signalling Circuit */
7054 if (!is_atm)
7055 bpf_error("'metac' supported only on raw ATM");
7056 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7057 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
7058 gen_and(b0, b1);
7059 break;
7060
7061 case A_BCC:
7062 /* Get all packets in Broadcast Circuit*/
7063 if (!is_atm)
7064 bpf_error("'bcc' supported only on raw ATM");
7065 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7066 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
7067 gen_and(b0, b1);
7068 break;
7069
7070 case A_OAMF4SC:
7071 /* Get all cells in Segment OAM F4 circuit*/
7072 if (!is_atm)
7073 bpf_error("'oam4sc' supported only on raw ATM");
7074 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7075 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
7076 gen_and(b0, b1);
7077 break;
7078
7079 case A_OAMF4EC:
7080 /* Get all cells in End-to-End OAM F4 Circuit*/
7081 if (!is_atm)
7082 bpf_error("'oam4ec' supported only on raw ATM");
7083 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7084 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
7085 gen_and(b0, b1);
7086 break;
7087
7088 case A_SC:
7089 /* Get all packets in connection Signalling Circuit */
7090 if (!is_atm)
7091 bpf_error("'sc' supported only on raw ATM");
7092 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7093 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
7094 gen_and(b0, b1);
7095 break;
7096
7097 case A_ILMIC:
7098 /* Get all packets in ILMI Circuit */
7099 if (!is_atm)
7100 bpf_error("'ilmic' supported only on raw ATM");
7101 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7102 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
7103 gen_and(b0, b1);
7104 break;
7105
7106 case A_LANE:
7107 /* Get all LANE packets */
7108 if (!is_atm)
7109 bpf_error("'lane' supported only on raw ATM");
7110 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
7111
7112 /*
7113 * Arrange that all subsequent tests assume LANE
7114 * rather than LLC-encapsulated packets, and set
7115 * the offsets appropriately for LANE-encapsulated
7116 * Ethernet.
7117 *
7118 * "off_mac" is the offset of the Ethernet header,
7119 * which is 2 bytes past the ATM pseudo-header
7120 * (skipping the pseudo-header and 2-byte LE Client
7121 * field). The other offsets are Ethernet offsets
7122 * relative to "off_mac".
7123 */
7124 is_lane = 1;
7125 off_mac = off_payload + 2; /* MAC header */
7126 off_linktype = off_mac + 12;
7127 off_nl = off_mac + 14; /* Ethernet II */
7128 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
7129 break;
7130
7131 case A_LLC:
7132 /* Get all LLC-encapsulated packets */
7133 if (!is_atm)
7134 bpf_error("'llc' supported only on raw ATM");
7135 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
7136 is_lane = 0;
7137 break;
7138
7139 default:
7140 abort();
7141 }
7142 return b1;
7143 }
7144
7145 /*
7146 * Filtering for MTP2 messages based on li value
7147 * FISU, length is null
7148 * LSSU, length is 1 or 2
7149 * MSU, length is 3 or more
7150 */
7151 struct block *
7152 gen_mtp2type_abbrev(type)
7153 int type;
7154 {
7155 struct block *b0, *b1;
7156
7157 switch (type) {
7158
7159 case M_FISU:
7160 if ( (linktype != DLT_MTP2) &&
7161 (linktype != DLT_MTP2_WITH_PHDR) )
7162 bpf_error("'fisu' supported only on MTP2");
7163 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
7164 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
7165 break;
7166
7167 case M_LSSU:
7168 if ( (linktype != DLT_MTP2) &&
7169 (linktype != DLT_MTP2_WITH_PHDR) )
7170 bpf_error("'lssu' supported only on MTP2");
7171 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
7172 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
7173 gen_and(b1, b0);
7174 break;
7175
7176 case M_MSU:
7177 if ( (linktype != DLT_MTP2) &&
7178 (linktype != DLT_MTP2_WITH_PHDR) )
7179 bpf_error("'msu' supported only on MTP2");
7180 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
7181 break;
7182
7183 default:
7184 abort();
7185 }
7186 return b0;
7187 }
7188
7189 struct block *
7190 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
7191 int mtp3field;
7192 bpf_u_int32 jvalue;
7193 bpf_u_int32 jtype;
7194 int reverse;
7195 {
7196 struct block *b0;
7197 bpf_u_int32 val1 , val2 , val3;
7198
7199 switch (mtp3field) {
7200
7201 case M_SIO:
7202 if (off_sio == (u_int)-1)
7203 bpf_error("'sio' supported only on SS7");
7204 /* sio coded on 1 byte so max value 255 */
7205 if(jvalue > 255)
7206 bpf_error("sio value %u too big; max value = 255",
7207 jvalue);
7208 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
7209 (u_int)jtype, reverse, (u_int)jvalue);
7210 break;
7211
7212 case M_OPC:
7213 if (off_opc == (u_int)-1)
7214 bpf_error("'opc' supported only on SS7");
7215 /* opc coded on 14 bits so max value 16383 */
7216 if (jvalue > 16383)
7217 bpf_error("opc value %u too big; max value = 16383",
7218 jvalue);
7219 /* the following instructions are made to convert jvalue
7220 * to the form used to write opc in an ss7 message*/
7221 val1 = jvalue & 0x00003c00;
7222 val1 = val1 >>10;
7223 val2 = jvalue & 0x000003fc;
7224 val2 = val2 <<6;
7225 val3 = jvalue & 0x00000003;
7226 val3 = val3 <<22;
7227 jvalue = val1 + val2 + val3;
7228 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
7229 (u_int)jtype, reverse, (u_int)jvalue);
7230 break;
7231
7232 case M_DPC:
7233 if (off_dpc == (u_int)-1)
7234 bpf_error("'dpc' supported only on SS7");
7235 /* dpc coded on 14 bits so max value 16383 */
7236 if (jvalue > 16383)
7237 bpf_error("dpc value %u too big; max value = 16383",
7238 jvalue);
7239 /* the following instructions are made to convert jvalue
7240 * to the forme used to write dpc in an ss7 message*/
7241 val1 = jvalue & 0x000000ff;
7242 val1 = val1 << 24;
7243 val2 = jvalue & 0x00003f00;
7244 val2 = val2 << 8;
7245 jvalue = val1 + val2;
7246 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
7247 (u_int)jtype, reverse, (u_int)jvalue);
7248 break;
7249
7250 case M_SLS:
7251 if (off_sls == (u_int)-1)
7252 bpf_error("'sls' supported only on SS7");
7253 /* sls coded on 4 bits so max value 15 */
7254 if (jvalue > 15)
7255 bpf_error("sls value %u too big; max value = 15",
7256 jvalue);
7257 /* the following instruction is made to convert jvalue
7258 * to the forme used to write sls in an ss7 message*/
7259 jvalue = jvalue << 4;
7260 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
7261 (u_int)jtype,reverse, (u_int)jvalue);
7262 break;
7263
7264 default:
7265 abort();
7266 }
7267 return b0;
7268 }
7269
7270 static struct block *
7271 gen_msg_abbrev(type)
7272 int type;
7273 {
7274 struct block *b1;
7275
7276 /*
7277 * Q.2931 signalling protocol messages for handling virtual circuits
7278 * establishment and teardown
7279 */
7280 switch (type) {
7281
7282 case A_SETUP:
7283 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
7284 break;
7285
7286 case A_CALLPROCEED:
7287 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
7288 break;
7289
7290 case A_CONNECT:
7291 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
7292 break;
7293
7294 case A_CONNECTACK:
7295 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
7296 break;
7297
7298 case A_RELEASE:
7299 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
7300 break;
7301
7302 case A_RELEASE_DONE:
7303 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
7304 break;
7305
7306 default:
7307 abort();
7308 }
7309 return b1;
7310 }
7311
7312 struct block *
7313 gen_atmmulti_abbrev(type)
7314 int type;
7315 {
7316 struct block *b0, *b1;
7317
7318 switch (type) {
7319
7320 case A_OAM:
7321 if (!is_atm)
7322 bpf_error("'oam' supported only on raw ATM");
7323 b1 = gen_atmmulti_abbrev(A_OAMF4);
7324 break;
7325
7326 case A_OAMF4:
7327 if (!is_atm)
7328 bpf_error("'oamf4' supported only on raw ATM");
7329 /* OAM F4 type */
7330 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
7331 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
7332 gen_or(b0, b1);
7333 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7334 gen_and(b0, b1);
7335 break;
7336
7337 case A_CONNECTMSG:
7338 /*
7339 * Get Q.2931 signalling messages for switched
7340 * virtual connection
7341 */
7342 if (!is_atm)
7343 bpf_error("'connectmsg' supported only on raw ATM");
7344 b0 = gen_msg_abbrev(A_SETUP);
7345 b1 = gen_msg_abbrev(A_CALLPROCEED);
7346 gen_or(b0, b1);
7347 b0 = gen_msg_abbrev(A_CONNECT);
7348 gen_or(b0, b1);
7349 b0 = gen_msg_abbrev(A_CONNECTACK);
7350 gen_or(b0, b1);
7351 b0 = gen_msg_abbrev(A_RELEASE);
7352 gen_or(b0, b1);
7353 b0 = gen_msg_abbrev(A_RELEASE_DONE);
7354 gen_or(b0, b1);
7355 b0 = gen_atmtype_abbrev(A_SC);
7356 gen_and(b0, b1);
7357 break;
7358
7359 case A_METACONNECT:
7360 if (!is_atm)
7361 bpf_error("'metaconnect' supported only on raw ATM");
7362 b0 = gen_msg_abbrev(A_SETUP);
7363 b1 = gen_msg_abbrev(A_CALLPROCEED);
7364 gen_or(b0, b1);
7365 b0 = gen_msg_abbrev(A_CONNECT);
7366 gen_or(b0, b1);
7367 b0 = gen_msg_abbrev(A_RELEASE);
7368 gen_or(b0, b1);
7369 b0 = gen_msg_abbrev(A_RELEASE_DONE);
7370 gen_or(b0, b1);
7371 b0 = gen_atmtype_abbrev(A_METAC);
7372 gen_and(b0, b1);
7373 break;
7374
7375 default:
7376 abort();
7377 }
7378 return b1;
7379 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism