]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Squelch a compiler warning.
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26
27 #include <pcap-types.h>
28 #ifdef _WIN32
29 #include <ws2tcpip.h>
30 #else
31 #include <sys/socket.h>
32
33 #ifdef __NetBSD__
34 #include <sys/param.h>
35 #endif
36
37 #include <netinet/in.h>
38 #include <arpa/inet.h>
39 #endif /* _WIN32 */
40
41 #include <stdlib.h>
42 #include <string.h>
43 #include <memory.h>
44 #include <setjmp.h>
45 #include <stdarg.h>
46
47 #ifdef MSDOS
48 #include "pcap-dos.h"
49 #endif
50
51 #include "pcap-int.h"
52
53 #include "ethertype.h"
54 #include "nlpid.h"
55 #include "llc.h"
56 #include "gencode.h"
57 #include "ieee80211.h"
58 #include "atmuni31.h"
59 #include "sunatmpos.h"
60 #include "ppp.h"
61 #include "pcap/sll.h"
62 #include "pcap/ipnet.h"
63 #include "arcnet.h"
64
65 #include "grammar.h"
66 #include "scanner.h"
67
68 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
69 #include <linux/types.h>
70 #include <linux/if_packet.h>
71 #include <linux/filter.h>
72 #endif
73
74 #ifdef HAVE_NET_PFVAR_H
75 #include <sys/socket.h>
76 #include <net/if.h>
77 #include <net/pfvar.h>
78 #include <net/if_pflog.h>
79 #endif
80
81 #ifndef offsetof
82 #define offsetof(s, e) ((size_t)&((s *)0)->e)
83 #endif
84
85 #ifdef INET6
86 #ifdef _WIN32
87 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
88 /* IPv6 address */
89 struct in6_addr
90 {
91 union
92 {
93 uint8_t u6_addr8[16];
94 uint16_t u6_addr16[8];
95 uint32_t u6_addr32[4];
96 } in6_u;
97 #define s6_addr in6_u.u6_addr8
98 #define s6_addr16 in6_u.u6_addr16
99 #define s6_addr32 in6_u.u6_addr32
100 #define s6_addr64 in6_u.u6_addr64
101 };
102
103 typedef unsigned short sa_family_t;
104
105 #define __SOCKADDR_COMMON(sa_prefix) \
106 sa_family_t sa_prefix##family
107
108 /* Ditto, for IPv6. */
109 struct sockaddr_in6
110 {
111 __SOCKADDR_COMMON (sin6_);
112 uint16_t sin6_port; /* Transport layer port # */
113 uint32_t sin6_flowinfo; /* IPv6 flow information */
114 struct in6_addr sin6_addr; /* IPv6 address */
115 };
116
117 #ifndef EAI_ADDRFAMILY
118 struct addrinfo {
119 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
120 int ai_family; /* PF_xxx */
121 int ai_socktype; /* SOCK_xxx */
122 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
123 size_t ai_addrlen; /* length of ai_addr */
124 char *ai_canonname; /* canonical name for hostname */
125 struct sockaddr *ai_addr; /* binary address */
126 struct addrinfo *ai_next; /* next structure in linked list */
127 };
128 #endif /* EAI_ADDRFAMILY */
129 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
130 #else /* _WIN32 */
131 #include <netdb.h> /* for "struct addrinfo" */
132 #endif /* _WIN32 */
133 #endif /* INET6 */
134 #include <pcap/namedb.h>
135
136 #include "nametoaddr.h"
137
138 #define ETHERMTU 1500
139
140 #ifndef ETHERTYPE_TEB
141 #define ETHERTYPE_TEB 0x6558
142 #endif
143
144 #ifndef IPPROTO_HOPOPTS
145 #define IPPROTO_HOPOPTS 0
146 #endif
147 #ifndef IPPROTO_ROUTING
148 #define IPPROTO_ROUTING 43
149 #endif
150 #ifndef IPPROTO_FRAGMENT
151 #define IPPROTO_FRAGMENT 44
152 #endif
153 #ifndef IPPROTO_DSTOPTS
154 #define IPPROTO_DSTOPTS 60
155 #endif
156 #ifndef IPPROTO_SCTP
157 #define IPPROTO_SCTP 132
158 #endif
159
160 #define GENEVE_PORT 6081
161
162 #ifdef HAVE_OS_PROTO_H
163 #include "os-proto.h"
164 #endif
165
166 #define JMP(c) ((c)|BPF_JMP|BPF_K)
167
168 /*
169 * "Push" the current value of the link-layer header type and link-layer
170 * header offset onto a "stack", and set a new value. (It's not a
171 * full-blown stack; we keep only the top two items.)
172 */
173 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
174 { \
175 (cs)->prevlinktype = (cs)->linktype; \
176 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
177 (cs)->linktype = (new_linktype); \
178 (cs)->off_linkhdr.is_variable = (new_is_variable); \
179 (cs)->off_linkhdr.constant_part = (new_constant_part); \
180 (cs)->off_linkhdr.reg = (new_reg); \
181 (cs)->is_geneve = 0; \
182 }
183
184 /*
185 * Offset "not set" value.
186 */
187 #define OFFSET_NOT_SET 0xffffffffU
188
189 /*
190 * Absolute offsets, which are offsets from the beginning of the raw
191 * packet data, are, in the general case, the sum of a variable value
192 * and a constant value; the variable value may be absent, in which
193 * case the offset is only the constant value, and the constant value
194 * may be zero, in which case the offset is only the variable value.
195 *
196 * bpf_abs_offset is a structure containing all that information:
197 *
198 * is_variable is 1 if there's a variable part.
199 *
200 * constant_part is the constant part of the value, possibly zero;
201 *
202 * if is_variable is 1, reg is the register number for a register
203 * containing the variable value if the register has been assigned,
204 * and -1 otherwise.
205 */
206 typedef struct {
207 int is_variable;
208 u_int constant_part;
209 int reg;
210 } bpf_abs_offset;
211
212 /*
213 * Value passed to gen_load_a() to indicate what the offset argument
214 * is relative to the beginning of.
215 */
216 enum e_offrel {
217 OR_PACKET, /* full packet data */
218 OR_LINKHDR, /* link-layer header */
219 OR_PREVLINKHDR, /* previous link-layer header */
220 OR_LLC, /* 802.2 LLC header */
221 OR_PREVMPLSHDR, /* previous MPLS header */
222 OR_LINKTYPE, /* link-layer type */
223 OR_LINKPL, /* link-layer payload */
224 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
225 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
226 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
227 };
228
229 /*
230 * We divy out chunks of memory rather than call malloc each time so
231 * we don't have to worry about leaking memory. It's probably
232 * not a big deal if all this memory was wasted but if this ever
233 * goes into a library that would probably not be a good idea.
234 *
235 * XXX - this *is* in a library....
236 */
237 #define NCHUNKS 16
238 #define CHUNK0SIZE 1024
239 struct chunk {
240 size_t n_left;
241 void *m;
242 };
243
244 /* Code generator state */
245
246 struct _compiler_state {
247 jmp_buf top_ctx;
248 pcap_t *bpf_pcap;
249
250 struct icode ic;
251
252 int snaplen;
253
254 int linktype;
255 int prevlinktype;
256 int outermostlinktype;
257
258 bpf_u_int32 netmask;
259 int no_optimize;
260
261 /* Hack for handling VLAN and MPLS stacks. */
262 u_int label_stack_depth;
263 u_int vlan_stack_depth;
264
265 /* XXX */
266 u_int pcap_fddipad;
267
268 #ifdef INET6
269 /*
270 * As errors are handled by a longjmp, anything allocated must
271 * be freed in the longjmp handler, so it must be reachable
272 * from that handler.
273 *
274 * One thing that's allocated is the result of pcap_nametoaddrinfo();
275 * it must be freed with freeaddrinfo(). This variable points to
276 * any addrinfo structure that would need to be freed.
277 */
278 struct addrinfo *ai;
279 #endif
280
281 /*
282 * Various code constructs need to know the layout of the packet.
283 * These values give the necessary offsets from the beginning
284 * of the packet data.
285 */
286
287 /*
288 * Absolute offset of the beginning of the link-layer header.
289 */
290 bpf_abs_offset off_linkhdr;
291
292 /*
293 * If we're checking a link-layer header for a packet encapsulated
294 * in another protocol layer, this is the equivalent information
295 * for the previous layers' link-layer header from the beginning
296 * of the raw packet data.
297 */
298 bpf_abs_offset off_prevlinkhdr;
299
300 /*
301 * This is the equivalent information for the outermost layers'
302 * link-layer header.
303 */
304 bpf_abs_offset off_outermostlinkhdr;
305
306 /*
307 * Absolute offset of the beginning of the link-layer payload.
308 */
309 bpf_abs_offset off_linkpl;
310
311 /*
312 * "off_linktype" is the offset to information in the link-layer
313 * header giving the packet type. This is an absolute offset
314 * from the beginning of the packet.
315 *
316 * For Ethernet, it's the offset of the Ethernet type field; this
317 * means that it must have a value that skips VLAN tags.
318 *
319 * For link-layer types that always use 802.2 headers, it's the
320 * offset of the LLC header; this means that it must have a value
321 * that skips VLAN tags.
322 *
323 * For PPP, it's the offset of the PPP type field.
324 *
325 * For Cisco HDLC, it's the offset of the CHDLC type field.
326 *
327 * For BSD loopback, it's the offset of the AF_ value.
328 *
329 * For Linux cooked sockets, it's the offset of the type field.
330 *
331 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
332 * encapsulation, in which case, IP is assumed.
333 */
334 bpf_abs_offset off_linktype;
335
336 /*
337 * TRUE if the link layer includes an ATM pseudo-header.
338 */
339 int is_atm;
340
341 /*
342 * TRUE if "geneve" appeared in the filter; it causes us to
343 * generate code that checks for a Geneve header and assume
344 * that later filters apply to the encapsulated payload.
345 */
346 int is_geneve;
347
348 /*
349 * TRUE if we need variable length part of VLAN offset
350 */
351 int is_vlan_vloffset;
352
353 /*
354 * These are offsets for the ATM pseudo-header.
355 */
356 u_int off_vpi;
357 u_int off_vci;
358 u_int off_proto;
359
360 /*
361 * These are offsets for the MTP2 fields.
362 */
363 u_int off_li;
364 u_int off_li_hsl;
365
366 /*
367 * These are offsets for the MTP3 fields.
368 */
369 u_int off_sio;
370 u_int off_opc;
371 u_int off_dpc;
372 u_int off_sls;
373
374 /*
375 * This is the offset of the first byte after the ATM pseudo_header,
376 * or -1 if there is no ATM pseudo-header.
377 */
378 u_int off_payload;
379
380 /*
381 * These are offsets to the beginning of the network-layer header.
382 * They are relative to the beginning of the link-layer payload
383 * (i.e., they don't include off_linkhdr.constant_part or
384 * off_linkpl.constant_part).
385 *
386 * If the link layer never uses 802.2 LLC:
387 *
388 * "off_nl" and "off_nl_nosnap" are the same.
389 *
390 * If the link layer always uses 802.2 LLC:
391 *
392 * "off_nl" is the offset if there's a SNAP header following
393 * the 802.2 header;
394 *
395 * "off_nl_nosnap" is the offset if there's no SNAP header.
396 *
397 * If the link layer is Ethernet:
398 *
399 * "off_nl" is the offset if the packet is an Ethernet II packet
400 * (we assume no 802.3+802.2+SNAP);
401 *
402 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
403 * with an 802.2 header following it.
404 */
405 u_int off_nl;
406 u_int off_nl_nosnap;
407
408 /*
409 * Here we handle simple allocation of the scratch registers.
410 * If too many registers are alloc'd, the allocator punts.
411 */
412 int regused[BPF_MEMWORDS];
413 int curreg;
414
415 /*
416 * Memory chunks.
417 */
418 struct chunk chunks[NCHUNKS];
419 int cur_chunk;
420 };
421
422 void
423 bpf_syntax_error(compiler_state_t *cstate, const char *msg)
424 {
425 bpf_error(cstate, "syntax error in filter expression: %s", msg);
426 /* NOTREACHED */
427 }
428
429 /* VARARGS */
430 void
431 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
432 {
433 va_list ap;
434
435 va_start(ap, fmt);
436 if (cstate->bpf_pcap != NULL)
437 (void)pcap_vsnprintf(pcap_geterr(cstate->bpf_pcap),
438 PCAP_ERRBUF_SIZE, fmt, ap);
439 va_end(ap);
440 longjmp(cstate->top_ctx, 1);
441 /* NOTREACHED */
442 }
443
444 static void init_linktype(compiler_state_t *, pcap_t *);
445
446 static void init_regs(compiler_state_t *);
447 static int alloc_reg(compiler_state_t *);
448 static void free_reg(compiler_state_t *, int);
449
450 static void initchunks(compiler_state_t *cstate);
451 static void *newchunk(compiler_state_t *cstate, size_t);
452 static void freechunks(compiler_state_t *cstate);
453 static inline struct block *new_block(compiler_state_t *cstate, int);
454 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
455 static struct block *gen_retblk(compiler_state_t *cstate, int);
456 static inline void syntax(compiler_state_t *cstate);
457
458 static void backpatch(struct block *, struct block *);
459 static void merge(struct block *, struct block *);
460 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
461 u_int, bpf_int32);
462 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
463 u_int, bpf_int32);
464 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
465 u_int, bpf_int32);
466 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
467 u_int, bpf_int32);
468 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
469 u_int, bpf_int32);
470 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
471 u_int, bpf_int32, bpf_u_int32);
472 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
473 u_int, const u_char *);
474 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, bpf_u_int32,
475 bpf_u_int32, bpf_u_int32, bpf_u_int32, int, bpf_int32);
476 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
477 u_int, u_int);
478 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
479 u_int);
480 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
481 static struct block *gen_uncond(compiler_state_t *, int);
482 static inline struct block *gen_true(compiler_state_t *);
483 static inline struct block *gen_false(compiler_state_t *);
484 static struct block *gen_ether_linktype(compiler_state_t *, int);
485 static struct block *gen_ipnet_linktype(compiler_state_t *, int);
486 static struct block *gen_linux_sll_linktype(compiler_state_t *, int);
487 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
488 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
489 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
490 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
491 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
492 static struct slist *gen_abs_offset_varpart(compiler_state_t *,
493 bpf_abs_offset *);
494 static int ethertype_to_ppptype(int);
495 static struct block *gen_linktype(compiler_state_t *, int);
496 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
497 static struct block *gen_llc_linktype(compiler_state_t *, int);
498 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
499 int, int, u_int, u_int);
500 #ifdef INET6
501 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
502 struct in6_addr *, int, int, u_int, u_int);
503 #endif
504 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int);
505 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
506 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
507 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
508 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
509 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
510 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
511 static struct block *gen_mpls_linktype(compiler_state_t *, int);
512 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
513 int, int, int);
514 #ifdef INET6
515 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
516 struct in6_addr *, int, int, int);
517 #endif
518 #ifndef INET6
519 static struct block *gen_gateway(compiler_state_t *, const u_char *,
520 bpf_u_int32 **, int, int);
521 #endif
522 static struct block *gen_ipfrag(compiler_state_t *);
523 static struct block *gen_portatom(compiler_state_t *, int, bpf_int32);
524 static struct block *gen_portrangeatom(compiler_state_t *, int, bpf_int32,
525 bpf_int32);
526 static struct block *gen_portatom6(compiler_state_t *, int, bpf_int32);
527 static struct block *gen_portrangeatom6(compiler_state_t *, int, bpf_int32,
528 bpf_int32);
529 struct block *gen_portop(compiler_state_t *, int, int, int);
530 static struct block *gen_port(compiler_state_t *, int, int, int);
531 struct block *gen_portrangeop(compiler_state_t *, int, int, int, int);
532 static struct block *gen_portrange(compiler_state_t *, int, int, int, int);
533 struct block *gen_portop6(compiler_state_t *, int, int, int);
534 static struct block *gen_port6(compiler_state_t *, int, int, int);
535 struct block *gen_portrangeop6(compiler_state_t *, int, int, int, int);
536 static struct block *gen_portrange6(compiler_state_t *, int, int, int, int);
537 static int lookup_proto(compiler_state_t *, const char *, int);
538 static struct block *gen_protochain(compiler_state_t *, int, int, int);
539 static struct block *gen_proto(compiler_state_t *, int, int, int);
540 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
541 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
542 static struct block *gen_mac_multicast(compiler_state_t *, int);
543 static struct block *gen_len(compiler_state_t *, int, int);
544 static struct block *gen_check_802_11_data_frame(compiler_state_t *);
545 static struct block *gen_geneve_ll_check(compiler_state_t *cstate);
546
547 static struct block *gen_ppi_dlt_check(compiler_state_t *);
548 static struct block *gen_msg_abbrev(compiler_state_t *, int type);
549
550 static void
551 initchunks(compiler_state_t *cstate)
552 {
553 int i;
554
555 for (i = 0; i < NCHUNKS; i++) {
556 cstate->chunks[i].n_left = 0;
557 cstate->chunks[i].m = NULL;
558 }
559 cstate->cur_chunk = 0;
560 }
561
562 static void *
563 newchunk(compiler_state_t *cstate, size_t n)
564 {
565 struct chunk *cp;
566 int k;
567 size_t size;
568
569 #ifndef __NetBSD__
570 /* XXX Round up to nearest long. */
571 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
572 #else
573 /* XXX Round up to structure boundary. */
574 n = ALIGN(n);
575 #endif
576
577 cp = &cstate->chunks[cstate->cur_chunk];
578 if (n > cp->n_left) {
579 ++cp, k = ++cstate->cur_chunk;
580 if (k >= NCHUNKS)
581 bpf_error(cstate, "out of memory");
582 size = CHUNK0SIZE << k;
583 cp->m = (void *)malloc(size);
584 if (cp->m == NULL)
585 bpf_error(cstate, "out of memory");
586 memset((char *)cp->m, 0, size);
587 cp->n_left = size;
588 if (n > size)
589 bpf_error(cstate, "out of memory");
590 }
591 cp->n_left -= n;
592 return (void *)((char *)cp->m + cp->n_left);
593 }
594
595 static void
596 freechunks(compiler_state_t *cstate)
597 {
598 int i;
599
600 for (i = 0; i < NCHUNKS; ++i)
601 if (cstate->chunks[i].m != NULL)
602 free(cstate->chunks[i].m);
603 }
604
605 /*
606 * A strdup whose allocations are freed after code generation is over.
607 */
608 char *
609 sdup(compiler_state_t *cstate, const char *s)
610 {
611 size_t n = strlen(s) + 1;
612 char *cp = newchunk(cstate, n);
613
614 strlcpy(cp, s, n);
615 return (cp);
616 }
617
618 static inline struct block *
619 new_block(compiler_state_t *cstate, int code)
620 {
621 struct block *p;
622
623 p = (struct block *)newchunk(cstate, sizeof(*p));
624 p->s.code = code;
625 p->head = p;
626
627 return p;
628 }
629
630 static inline struct slist *
631 new_stmt(compiler_state_t *cstate, int code)
632 {
633 struct slist *p;
634
635 p = (struct slist *)newchunk(cstate, sizeof(*p));
636 p->s.code = code;
637
638 return p;
639 }
640
641 static struct block *
642 gen_retblk(compiler_state_t *cstate, int v)
643 {
644 struct block *b = new_block(cstate, BPF_RET|BPF_K);
645
646 b->s.k = v;
647 return b;
648 }
649
650 static inline void
651 syntax(compiler_state_t *cstate)
652 {
653 bpf_error(cstate, "syntax error in filter expression");
654 }
655
656 int
657 pcap_compile(pcap_t *p, struct bpf_program *program,
658 const char *buf, int optimize, bpf_u_int32 mask)
659 {
660 #ifdef _WIN32
661 static int done = 0;
662 #endif
663 compiler_state_t cstate;
664 const char * volatile xbuf = buf;
665 yyscan_t scanner = NULL;
666 YY_BUFFER_STATE in_buffer = NULL;
667 u_int len;
668 int rc;
669
670 /*
671 * If this pcap_t hasn't been activated, it doesn't have a
672 * link-layer type, so we can't use it.
673 */
674 if (!p->activated) {
675 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
676 "not-yet-activated pcap_t passed to pcap_compile");
677 return (-1);
678 }
679
680 #ifdef _WIN32
681 if (!done)
682 pcap_wsockinit();
683 done = 1;
684 #endif
685
686 #ifdef HAVE_REMOTE
687 /*
688 * If the device on which we're capturing need to be notified
689 * that a new filter is being compiled, do so.
690 *
691 * This allows them to save a copy of it, in case, for example,
692 * they're implementing a form of remote packet capture, and
693 * want the remote machine to filter out the packets in which
694 * it's sending the packets it's captured.
695 *
696 * XXX - the fact that we happen to be compiling a filter
697 * doesn't necessarily mean we'll be installing it as the
698 * filter for this pcap_t; we might be running it from userland
699 * on captured packets to do packet classification. We really
700 * need a better way of handling this, but this is all that
701 * the WinPcap code did.
702 */
703 if (p->save_current_filter_op != NULL)
704 (p->save_current_filter_op)(p, buf);
705 #endif
706
707 initchunks(&cstate);
708 cstate.no_optimize = 0;
709 #ifdef INET6
710 cstate.ai = NULL;
711 #endif
712 cstate.ic.root = NULL;
713 cstate.ic.cur_mark = 0;
714 cstate.bpf_pcap = p;
715 init_regs(&cstate);
716
717 if (setjmp(cstate.top_ctx)) {
718 #ifdef INET6
719 if (cstate.ai != NULL)
720 freeaddrinfo(cstate.ai);
721 #endif
722 rc = -1;
723 goto quit;
724 }
725
726 cstate.netmask = mask;
727
728 cstate.snaplen = pcap_snapshot(p);
729 if (cstate.snaplen == 0) {
730 pcap_snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
731 "snaplen of 0 rejects all packets");
732 rc = -1;
733 goto quit;
734 }
735
736 if (pcap_lex_init(&scanner) != 0)
737 bpf_error(&cstate, "can't initialize scanner: %s", pcap_strerror(errno));
738 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner);
739
740 /*
741 * Associate the compiler state with the lexical analyzer
742 * state.
743 */
744 pcap_set_extra(&cstate, scanner);
745
746 init_linktype(&cstate, p);
747 (void)pcap_parse(scanner, &cstate);
748
749 if (cstate.ic.root == NULL)
750 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
751
752 if (optimize && !cstate.no_optimize) {
753 bpf_optimize(&cstate, &cstate.ic);
754 if (cstate.ic.root == NULL ||
755 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0))
756 bpf_error(&cstate, "expression rejects all packets");
757 }
758 program->bf_insns = icode_to_fcode(&cstate, &cstate.ic, cstate.ic.root, &len);
759 program->bf_len = len;
760
761 rc = 0; /* We're all okay */
762
763 quit:
764 /*
765 * Clean up everything for the lexical analyzer.
766 */
767 if (in_buffer != NULL)
768 pcap__delete_buffer(in_buffer, scanner);
769 if (scanner != NULL)
770 pcap_lex_destroy(scanner);
771
772 /*
773 * Clean up our own allocated memory.
774 */
775 freechunks(&cstate);
776
777 return (rc);
778 }
779
780 /*
781 * entry point for using the compiler with no pcap open
782 * pass in all the stuff that is needed explicitly instead.
783 */
784 int
785 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
786 struct bpf_program *program,
787 const char *buf, int optimize, bpf_u_int32 mask)
788 {
789 pcap_t *p;
790 int ret;
791
792 p = pcap_open_dead(linktype_arg, snaplen_arg);
793 if (p == NULL)
794 return (-1);
795 ret = pcap_compile(p, program, buf, optimize, mask);
796 pcap_close(p);
797 return (ret);
798 }
799
800 /*
801 * Clean up a "struct bpf_program" by freeing all the memory allocated
802 * in it.
803 */
804 void
805 pcap_freecode(struct bpf_program *program)
806 {
807 program->bf_len = 0;
808 if (program->bf_insns != NULL) {
809 free((char *)program->bf_insns);
810 program->bf_insns = NULL;
811 }
812 }
813
814 /*
815 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
816 * which of the jt and jf fields has been resolved and which is a pointer
817 * back to another unresolved block (or nil). At least one of the fields
818 * in each block is already resolved.
819 */
820 static void
821 backpatch(list, target)
822 struct block *list, *target;
823 {
824 struct block *next;
825
826 while (list) {
827 if (!list->sense) {
828 next = JT(list);
829 JT(list) = target;
830 } else {
831 next = JF(list);
832 JF(list) = target;
833 }
834 list = next;
835 }
836 }
837
838 /*
839 * Merge the lists in b0 and b1, using the 'sense' field to indicate
840 * which of jt and jf is the link.
841 */
842 static void
843 merge(b0, b1)
844 struct block *b0, *b1;
845 {
846 register struct block **p = &b0;
847
848 /* Find end of list. */
849 while (*p)
850 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
851
852 /* Concatenate the lists. */
853 *p = b1;
854 }
855
856 void
857 finish_parse(compiler_state_t *cstate, struct block *p)
858 {
859 struct block *ppi_dlt_check;
860
861 /*
862 * Insert before the statements of the first (root) block any
863 * statements needed to load the lengths of any variable-length
864 * headers into registers.
865 *
866 * XXX - a fancier strategy would be to insert those before the
867 * statements of all blocks that use those lengths and that
868 * have no predecessors that use them, so that we only compute
869 * the lengths if we need them. There might be even better
870 * approaches than that.
871 *
872 * However, those strategies would be more complicated, and
873 * as we don't generate code to compute a length if the
874 * program has no tests that use the length, and as most
875 * tests will probably use those lengths, we would just
876 * postpone computing the lengths so that it's not done
877 * for tests that fail early, and it's not clear that's
878 * worth the effort.
879 */
880 insert_compute_vloffsets(cstate, p->head);
881
882 /*
883 * For DLT_PPI captures, generate a check of the per-packet
884 * DLT value to make sure it's DLT_IEEE802_11.
885 *
886 * XXX - TurboCap cards use DLT_PPI for Ethernet.
887 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
888 * with appropriate Ethernet information and use that rather
889 * than using something such as DLT_PPI where you don't know
890 * the link-layer header type until runtime, which, in the
891 * general case, would force us to generate both Ethernet *and*
892 * 802.11 code (*and* anything else for which PPI is used)
893 * and choose between them early in the BPF program?
894 */
895 ppi_dlt_check = gen_ppi_dlt_check(cstate);
896 if (ppi_dlt_check != NULL)
897 gen_and(ppi_dlt_check, p);
898
899 backpatch(p, gen_retblk(cstate, cstate->snaplen));
900 p->sense = !p->sense;
901 backpatch(p, gen_retblk(cstate, 0));
902 cstate->ic.root = p->head;
903 }
904
905 void
906 gen_and(b0, b1)
907 struct block *b0, *b1;
908 {
909 backpatch(b0, b1->head);
910 b0->sense = !b0->sense;
911 b1->sense = !b1->sense;
912 merge(b1, b0);
913 b1->sense = !b1->sense;
914 b1->head = b0->head;
915 }
916
917 void
918 gen_or(b0, b1)
919 struct block *b0, *b1;
920 {
921 b0->sense = !b0->sense;
922 backpatch(b0, b1->head);
923 b0->sense = !b0->sense;
924 merge(b1, b0);
925 b1->head = b0->head;
926 }
927
928 void
929 gen_not(b)
930 struct block *b;
931 {
932 b->sense = !b->sense;
933 }
934
935 static struct block *
936 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
937 u_int size, bpf_int32 v)
938 {
939 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
940 }
941
942 static struct block *
943 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
944 u_int size, bpf_int32 v)
945 {
946 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
947 }
948
949 static struct block *
950 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
951 u_int size, bpf_int32 v)
952 {
953 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
954 }
955
956 static struct block *
957 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
958 u_int size, bpf_int32 v)
959 {
960 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
961 }
962
963 static struct block *
964 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
965 u_int size, bpf_int32 v)
966 {
967 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
968 }
969
970 static struct block *
971 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
972 u_int size, bpf_int32 v, bpf_u_int32 mask)
973 {
974 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
975 }
976
977 static struct block *
978 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
979 u_int size, const u_char *v)
980 {
981 register struct block *b, *tmp;
982
983 b = NULL;
984 while (size >= 4) {
985 register const u_char *p = &v[size - 4];
986 bpf_int32 w = ((bpf_int32)p[0] << 24) |
987 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
988
989 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W, w);
990 if (b != NULL)
991 gen_and(b, tmp);
992 b = tmp;
993 size -= 4;
994 }
995 while (size >= 2) {
996 register const u_char *p = &v[size - 2];
997 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
998
999 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H, w);
1000 if (b != NULL)
1001 gen_and(b, tmp);
1002 b = tmp;
1003 size -= 2;
1004 }
1005 if (size > 0) {
1006 tmp = gen_cmp(cstate, offrel, offset, BPF_B, (bpf_int32)v[0]);
1007 if (b != NULL)
1008 gen_and(b, tmp);
1009 b = tmp;
1010 }
1011 return b;
1012 }
1013
1014 /*
1015 * AND the field of size "size" at offset "offset" relative to the header
1016 * specified by "offrel" with "mask", and compare it with the value "v"
1017 * with the test specified by "jtype"; if "reverse" is true, the test
1018 * should test the opposite of "jtype".
1019 */
1020 static struct block *
1021 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, bpf_u_int32 offset,
1022 bpf_u_int32 size, bpf_u_int32 mask, bpf_u_int32 jtype, int reverse,
1023 bpf_int32 v)
1024 {
1025 struct slist *s, *s2;
1026 struct block *b;
1027
1028 s = gen_load_a(cstate, offrel, offset, size);
1029
1030 if (mask != 0xffffffff) {
1031 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1032 s2->s.k = mask;
1033 sappend(s, s2);
1034 }
1035
1036 b = new_block(cstate, JMP(jtype));
1037 b->stmts = s;
1038 b->s.k = v;
1039 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
1040 gen_not(b);
1041 return b;
1042 }
1043
1044 static void
1045 init_linktype(compiler_state_t *cstate, pcap_t *p)
1046 {
1047 cstate->pcap_fddipad = p->fddipad;
1048
1049 /*
1050 * We start out with only one link-layer header.
1051 */
1052 cstate->outermostlinktype = pcap_datalink(p);
1053 cstate->off_outermostlinkhdr.constant_part = 0;
1054 cstate->off_outermostlinkhdr.is_variable = 0;
1055 cstate->off_outermostlinkhdr.reg = -1;
1056
1057 cstate->prevlinktype = cstate->outermostlinktype;
1058 cstate->off_prevlinkhdr.constant_part = 0;
1059 cstate->off_prevlinkhdr.is_variable = 0;
1060 cstate->off_prevlinkhdr.reg = -1;
1061
1062 cstate->linktype = cstate->outermostlinktype;
1063 cstate->off_linkhdr.constant_part = 0;
1064 cstate->off_linkhdr.is_variable = 0;
1065 cstate->off_linkhdr.reg = -1;
1066
1067 /*
1068 * XXX
1069 */
1070 cstate->off_linkpl.constant_part = 0;
1071 cstate->off_linkpl.is_variable = 0;
1072 cstate->off_linkpl.reg = -1;
1073
1074 cstate->off_linktype.constant_part = 0;
1075 cstate->off_linktype.is_variable = 0;
1076 cstate->off_linktype.reg = -1;
1077
1078 /*
1079 * Assume it's not raw ATM with a pseudo-header, for now.
1080 */
1081 cstate->is_atm = 0;
1082 cstate->off_vpi = -1;
1083 cstate->off_vci = -1;
1084 cstate->off_proto = -1;
1085 cstate->off_payload = -1;
1086
1087 /*
1088 * And not Geneve.
1089 */
1090 cstate->is_geneve = 0;
1091
1092 /*
1093 * No variable length VLAN offset by default
1094 */
1095 cstate->is_vlan_vloffset = 0;
1096
1097 /*
1098 * And assume we're not doing SS7.
1099 */
1100 cstate->off_li = -1;
1101 cstate->off_li_hsl = -1;
1102 cstate->off_sio = -1;
1103 cstate->off_opc = -1;
1104 cstate->off_dpc = -1;
1105 cstate->off_sls = -1;
1106
1107 cstate->label_stack_depth = 0;
1108 cstate->vlan_stack_depth = 0;
1109
1110 switch (cstate->linktype) {
1111
1112 case DLT_ARCNET:
1113 cstate->off_linktype.constant_part = 2;
1114 cstate->off_linkpl.constant_part = 6;
1115 cstate->off_nl = 0; /* XXX in reality, variable! */
1116 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1117 break;
1118
1119 case DLT_ARCNET_LINUX:
1120 cstate->off_linktype.constant_part = 4;
1121 cstate->off_linkpl.constant_part = 8;
1122 cstate->off_nl = 0; /* XXX in reality, variable! */
1123 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1124 break;
1125
1126 case DLT_EN10MB:
1127 cstate->off_linktype.constant_part = 12;
1128 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1129 cstate->off_nl = 0; /* Ethernet II */
1130 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1131 break;
1132
1133 case DLT_SLIP:
1134 /*
1135 * SLIP doesn't have a link level type. The 16 byte
1136 * header is hacked into our SLIP driver.
1137 */
1138 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1139 cstate->off_linkpl.constant_part = 16;
1140 cstate->off_nl = 0;
1141 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1142 break;
1143
1144 case DLT_SLIP_BSDOS:
1145 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1146 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1147 /* XXX end */
1148 cstate->off_linkpl.constant_part = 24;
1149 cstate->off_nl = 0;
1150 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1151 break;
1152
1153 case DLT_NULL:
1154 case DLT_LOOP:
1155 cstate->off_linktype.constant_part = 0;
1156 cstate->off_linkpl.constant_part = 4;
1157 cstate->off_nl = 0;
1158 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1159 break;
1160
1161 case DLT_ENC:
1162 cstate->off_linktype.constant_part = 0;
1163 cstate->off_linkpl.constant_part = 12;
1164 cstate->off_nl = 0;
1165 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1166 break;
1167
1168 case DLT_PPP:
1169 case DLT_PPP_PPPD:
1170 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1171 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1172 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1173 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1174 cstate->off_nl = 0;
1175 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1176 break;
1177
1178 case DLT_PPP_ETHER:
1179 /*
1180 * This does no include the Ethernet header, and
1181 * only covers session state.
1182 */
1183 cstate->off_linktype.constant_part = 6;
1184 cstate->off_linkpl.constant_part = 8;
1185 cstate->off_nl = 0;
1186 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1187 break;
1188
1189 case DLT_PPP_BSDOS:
1190 cstate->off_linktype.constant_part = 5;
1191 cstate->off_linkpl.constant_part = 24;
1192 cstate->off_nl = 0;
1193 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1194 break;
1195
1196 case DLT_FDDI:
1197 /*
1198 * FDDI doesn't really have a link-level type field.
1199 * We set "off_linktype" to the offset of the LLC header.
1200 *
1201 * To check for Ethernet types, we assume that SSAP = SNAP
1202 * is being used and pick out the encapsulated Ethernet type.
1203 * XXX - should we generate code to check for SNAP?
1204 */
1205 cstate->off_linktype.constant_part = 13;
1206 cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1207 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1208 cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1209 cstate->off_nl = 8; /* 802.2+SNAP */
1210 cstate->off_nl_nosnap = 3; /* 802.2 */
1211 break;
1212
1213 case DLT_IEEE802:
1214 /*
1215 * Token Ring doesn't really have a link-level type field.
1216 * We set "off_linktype" to the offset of the LLC header.
1217 *
1218 * To check for Ethernet types, we assume that SSAP = SNAP
1219 * is being used and pick out the encapsulated Ethernet type.
1220 * XXX - should we generate code to check for SNAP?
1221 *
1222 * XXX - the header is actually variable-length.
1223 * Some various Linux patched versions gave 38
1224 * as "off_linktype" and 40 as "off_nl"; however,
1225 * if a token ring packet has *no* routing
1226 * information, i.e. is not source-routed, the correct
1227 * values are 20 and 22, as they are in the vanilla code.
1228 *
1229 * A packet is source-routed iff the uppermost bit
1230 * of the first byte of the source address, at an
1231 * offset of 8, has the uppermost bit set. If the
1232 * packet is source-routed, the total number of bytes
1233 * of routing information is 2 plus bits 0x1F00 of
1234 * the 16-bit value at an offset of 14 (shifted right
1235 * 8 - figure out which byte that is).
1236 */
1237 cstate->off_linktype.constant_part = 14;
1238 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1239 cstate->off_nl = 8; /* 802.2+SNAP */
1240 cstate->off_nl_nosnap = 3; /* 802.2 */
1241 break;
1242
1243 case DLT_PRISM_HEADER:
1244 case DLT_IEEE802_11_RADIO_AVS:
1245 case DLT_IEEE802_11_RADIO:
1246 cstate->off_linkhdr.is_variable = 1;
1247 /* Fall through, 802.11 doesn't have a variable link
1248 * prefix but is otherwise the same. */
1249
1250 case DLT_IEEE802_11:
1251 /*
1252 * 802.11 doesn't really have a link-level type field.
1253 * We set "off_linktype.constant_part" to the offset of
1254 * the LLC header.
1255 *
1256 * To check for Ethernet types, we assume that SSAP = SNAP
1257 * is being used and pick out the encapsulated Ethernet type.
1258 * XXX - should we generate code to check for SNAP?
1259 *
1260 * We also handle variable-length radio headers here.
1261 * The Prism header is in theory variable-length, but in
1262 * practice it's always 144 bytes long. However, some
1263 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1264 * sometimes or always supply an AVS header, so we
1265 * have to check whether the radio header is a Prism
1266 * header or an AVS header, so, in practice, it's
1267 * variable-length.
1268 */
1269 cstate->off_linktype.constant_part = 24;
1270 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1271 cstate->off_linkpl.is_variable = 1;
1272 cstate->off_nl = 8; /* 802.2+SNAP */
1273 cstate->off_nl_nosnap = 3; /* 802.2 */
1274 break;
1275
1276 case DLT_PPI:
1277 /*
1278 * At the moment we treat PPI the same way that we treat
1279 * normal Radiotap encoded packets. The difference is in
1280 * the function that generates the code at the beginning
1281 * to compute the header length. Since this code generator
1282 * of PPI supports bare 802.11 encapsulation only (i.e.
1283 * the encapsulated DLT should be DLT_IEEE802_11) we
1284 * generate code to check for this too.
1285 */
1286 cstate->off_linktype.constant_part = 24;
1287 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1288 cstate->off_linkpl.is_variable = 1;
1289 cstate->off_linkhdr.is_variable = 1;
1290 cstate->off_nl = 8; /* 802.2+SNAP */
1291 cstate->off_nl_nosnap = 3; /* 802.2 */
1292 break;
1293
1294 case DLT_ATM_RFC1483:
1295 case DLT_ATM_CLIP: /* Linux ATM defines this */
1296 /*
1297 * assume routed, non-ISO PDUs
1298 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1299 *
1300 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1301 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1302 * latter would presumably be treated the way PPPoE
1303 * should be, so you can do "pppoe and udp port 2049"
1304 * or "pppoa and tcp port 80" and have it check for
1305 * PPPo{A,E} and a PPP protocol of IP and....
1306 */
1307 cstate->off_linktype.constant_part = 0;
1308 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1309 cstate->off_nl = 8; /* 802.2+SNAP */
1310 cstate->off_nl_nosnap = 3; /* 802.2 */
1311 break;
1312
1313 case DLT_SUNATM:
1314 /*
1315 * Full Frontal ATM; you get AALn PDUs with an ATM
1316 * pseudo-header.
1317 */
1318 cstate->is_atm = 1;
1319 cstate->off_vpi = SUNATM_VPI_POS;
1320 cstate->off_vci = SUNATM_VCI_POS;
1321 cstate->off_proto = PROTO_POS;
1322 cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1323 cstate->off_linktype.constant_part = cstate->off_payload;
1324 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1325 cstate->off_nl = 8; /* 802.2+SNAP */
1326 cstate->off_nl_nosnap = 3; /* 802.2 */
1327 break;
1328
1329 case DLT_RAW:
1330 case DLT_IPV4:
1331 case DLT_IPV6:
1332 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1333 cstate->off_linkpl.constant_part = 0;
1334 cstate->off_nl = 0;
1335 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1336 break;
1337
1338 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1339 cstate->off_linktype.constant_part = 14;
1340 cstate->off_linkpl.constant_part = 16;
1341 cstate->off_nl = 0;
1342 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1343 break;
1344
1345 case DLT_LTALK:
1346 /*
1347 * LocalTalk does have a 1-byte type field in the LLAP header,
1348 * but really it just indicates whether there is a "short" or
1349 * "long" DDP packet following.
1350 */
1351 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1352 cstate->off_linkpl.constant_part = 0;
1353 cstate->off_nl = 0;
1354 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1355 break;
1356
1357 case DLT_IP_OVER_FC:
1358 /*
1359 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1360 * link-level type field. We set "off_linktype" to the
1361 * offset of the LLC header.
1362 *
1363 * To check for Ethernet types, we assume that SSAP = SNAP
1364 * is being used and pick out the encapsulated Ethernet type.
1365 * XXX - should we generate code to check for SNAP? RFC
1366 * 2625 says SNAP should be used.
1367 */
1368 cstate->off_linktype.constant_part = 16;
1369 cstate->off_linkpl.constant_part = 16;
1370 cstate->off_nl = 8; /* 802.2+SNAP */
1371 cstate->off_nl_nosnap = 3; /* 802.2 */
1372 break;
1373
1374 case DLT_FRELAY:
1375 /*
1376 * XXX - we should set this to handle SNAP-encapsulated
1377 * frames (NLPID of 0x80).
1378 */
1379 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1380 cstate->off_linkpl.constant_part = 0;
1381 cstate->off_nl = 0;
1382 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1383 break;
1384
1385 /*
1386 * the only BPF-interesting FRF.16 frames are non-control frames;
1387 * Frame Relay has a variable length link-layer
1388 * so lets start with offset 4 for now and increments later on (FIXME);
1389 */
1390 case DLT_MFR:
1391 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1392 cstate->off_linkpl.constant_part = 0;
1393 cstate->off_nl = 4;
1394 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1395 break;
1396
1397 case DLT_APPLE_IP_OVER_IEEE1394:
1398 cstate->off_linktype.constant_part = 16;
1399 cstate->off_linkpl.constant_part = 18;
1400 cstate->off_nl = 0;
1401 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1402 break;
1403
1404 case DLT_SYMANTEC_FIREWALL:
1405 cstate->off_linktype.constant_part = 6;
1406 cstate->off_linkpl.constant_part = 44;
1407 cstate->off_nl = 0; /* Ethernet II */
1408 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1409 break;
1410
1411 #ifdef HAVE_NET_PFVAR_H
1412 case DLT_PFLOG:
1413 cstate->off_linktype.constant_part = 0;
1414 cstate->off_linkpl.constant_part = PFLOG_HDRLEN;
1415 cstate->off_nl = 0;
1416 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1417 break;
1418 #endif
1419
1420 case DLT_JUNIPER_MFR:
1421 case DLT_JUNIPER_MLFR:
1422 case DLT_JUNIPER_MLPPP:
1423 case DLT_JUNIPER_PPP:
1424 case DLT_JUNIPER_CHDLC:
1425 case DLT_JUNIPER_FRELAY:
1426 cstate->off_linktype.constant_part = 4;
1427 cstate->off_linkpl.constant_part = 4;
1428 cstate->off_nl = 0;
1429 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1430 break;
1431
1432 case DLT_JUNIPER_ATM1:
1433 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1434 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1435 cstate->off_nl = 0;
1436 cstate->off_nl_nosnap = 10;
1437 break;
1438
1439 case DLT_JUNIPER_ATM2:
1440 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1441 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1442 cstate->off_nl = 0;
1443 cstate->off_nl_nosnap = 10;
1444 break;
1445
1446 /* frames captured on a Juniper PPPoE service PIC
1447 * contain raw ethernet frames */
1448 case DLT_JUNIPER_PPPOE:
1449 case DLT_JUNIPER_ETHER:
1450 cstate->off_linkpl.constant_part = 14;
1451 cstate->off_linktype.constant_part = 16;
1452 cstate->off_nl = 18; /* Ethernet II */
1453 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1454 break;
1455
1456 case DLT_JUNIPER_PPPOE_ATM:
1457 cstate->off_linktype.constant_part = 4;
1458 cstate->off_linkpl.constant_part = 6;
1459 cstate->off_nl = 0;
1460 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1461 break;
1462
1463 case DLT_JUNIPER_GGSN:
1464 cstate->off_linktype.constant_part = 6;
1465 cstate->off_linkpl.constant_part = 12;
1466 cstate->off_nl = 0;
1467 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1468 break;
1469
1470 case DLT_JUNIPER_ES:
1471 cstate->off_linktype.constant_part = 6;
1472 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1473 cstate->off_nl = -1; /* not really a network layer but raw IP addresses */
1474 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1475 break;
1476
1477 case DLT_JUNIPER_MONITOR:
1478 cstate->off_linktype.constant_part = 12;
1479 cstate->off_linkpl.constant_part = 12;
1480 cstate->off_nl = 0; /* raw IP/IP6 header */
1481 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1482 break;
1483
1484 case DLT_BACNET_MS_TP:
1485 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1486 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1487 cstate->off_nl = -1;
1488 cstate->off_nl_nosnap = -1;
1489 break;
1490
1491 case DLT_JUNIPER_SERVICES:
1492 cstate->off_linktype.constant_part = 12;
1493 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1494 cstate->off_nl = -1; /* L3 proto location dep. on cookie type */
1495 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1496 break;
1497
1498 case DLT_JUNIPER_VP:
1499 cstate->off_linktype.constant_part = 18;
1500 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1501 cstate->off_nl = -1;
1502 cstate->off_nl_nosnap = -1;
1503 break;
1504
1505 case DLT_JUNIPER_ST:
1506 cstate->off_linktype.constant_part = 18;
1507 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1508 cstate->off_nl = -1;
1509 cstate->off_nl_nosnap = -1;
1510 break;
1511
1512 case DLT_JUNIPER_ISM:
1513 cstate->off_linktype.constant_part = 8;
1514 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1515 cstate->off_nl = -1;
1516 cstate->off_nl_nosnap = -1;
1517 break;
1518
1519 case DLT_JUNIPER_VS:
1520 case DLT_JUNIPER_SRX_E2E:
1521 case DLT_JUNIPER_FIBRECHANNEL:
1522 case DLT_JUNIPER_ATM_CEMIC:
1523 cstate->off_linktype.constant_part = 8;
1524 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1525 cstate->off_nl = -1;
1526 cstate->off_nl_nosnap = -1;
1527 break;
1528
1529 case DLT_MTP2:
1530 cstate->off_li = 2;
1531 cstate->off_li_hsl = 4;
1532 cstate->off_sio = 3;
1533 cstate->off_opc = 4;
1534 cstate->off_dpc = 4;
1535 cstate->off_sls = 7;
1536 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1537 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1538 cstate->off_nl = -1;
1539 cstate->off_nl_nosnap = -1;
1540 break;
1541
1542 case DLT_MTP2_WITH_PHDR:
1543 cstate->off_li = 6;
1544 cstate->off_li_hsl = 8;
1545 cstate->off_sio = 7;
1546 cstate->off_opc = 8;
1547 cstate->off_dpc = 8;
1548 cstate->off_sls = 11;
1549 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1550 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1551 cstate->off_nl = -1;
1552 cstate->off_nl_nosnap = -1;
1553 break;
1554
1555 case DLT_ERF:
1556 cstate->off_li = 22;
1557 cstate->off_li_hsl = 24;
1558 cstate->off_sio = 23;
1559 cstate->off_opc = 24;
1560 cstate->off_dpc = 24;
1561 cstate->off_sls = 27;
1562 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1563 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1564 cstate->off_nl = -1;
1565 cstate->off_nl_nosnap = -1;
1566 break;
1567
1568 case DLT_PFSYNC:
1569 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1570 cstate->off_linkpl.constant_part = 4;
1571 cstate->off_nl = 0;
1572 cstate->off_nl_nosnap = 0;
1573 break;
1574
1575 case DLT_AX25_KISS:
1576 /*
1577 * Currently, only raw "link[N:M]" filtering is supported.
1578 */
1579 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1580 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1581 cstate->off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1582 cstate->off_nl_nosnap = -1; /* no 802.2 LLC */
1583 break;
1584
1585 case DLT_IPNET:
1586 cstate->off_linktype.constant_part = 1;
1587 cstate->off_linkpl.constant_part = 24; /* ipnet header length */
1588 cstate->off_nl = 0;
1589 cstate->off_nl_nosnap = -1;
1590 break;
1591
1592 case DLT_NETANALYZER:
1593 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1594 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1595 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1596 cstate->off_nl = 0; /* Ethernet II */
1597 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1598 break;
1599
1600 case DLT_NETANALYZER_TRANSPARENT:
1601 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1602 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1603 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1604 cstate->off_nl = 0; /* Ethernet II */
1605 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1606 break;
1607
1608 default:
1609 /*
1610 * For values in the range in which we've assigned new
1611 * DLT_ values, only raw "link[N:M]" filtering is supported.
1612 */
1613 if (cstate->linktype >= DLT_MATCHING_MIN &&
1614 cstate->linktype <= DLT_MATCHING_MAX) {
1615 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1616 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1617 cstate->off_nl = -1;
1618 cstate->off_nl_nosnap = -1;
1619 } else {
1620 bpf_error(cstate, "unknown data link type %d", cstate->linktype);
1621 }
1622 break;
1623 }
1624
1625 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
1626 }
1627
1628 /*
1629 * Load a value relative to the specified absolute offset.
1630 */
1631 static struct slist *
1632 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
1633 u_int offset, u_int size)
1634 {
1635 struct slist *s, *s2;
1636
1637 s = gen_abs_offset_varpart(cstate, abs_offset);
1638
1639 /*
1640 * If "s" is non-null, it has code to arrange that the X register
1641 * contains the variable part of the absolute offset, so we
1642 * generate a load relative to that, with an offset of
1643 * abs_offset->constant_part + offset.
1644 *
1645 * Otherwise, we can do an absolute load with an offset of
1646 * abs_offset->constant_part + offset.
1647 */
1648 if (s != NULL) {
1649 /*
1650 * "s" points to a list of statements that puts the
1651 * variable part of the absolute offset into the X register.
1652 * Do an indirect load, to use the X register as an offset.
1653 */
1654 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1655 s2->s.k = abs_offset->constant_part + offset;
1656 sappend(s, s2);
1657 } else {
1658 /*
1659 * There is no variable part of the absolute offset, so
1660 * just do an absolute load.
1661 */
1662 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1663 s->s.k = abs_offset->constant_part + offset;
1664 }
1665 return s;
1666 }
1667
1668 /*
1669 * Load a value relative to the beginning of the specified header.
1670 */
1671 static struct slist *
1672 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1673 u_int size)
1674 {
1675 struct slist *s, *s2;
1676
1677 switch (offrel) {
1678
1679 case OR_PACKET:
1680 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1681 s->s.k = offset;
1682 break;
1683
1684 case OR_LINKHDR:
1685 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
1686 break;
1687
1688 case OR_PREVLINKHDR:
1689 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
1690 break;
1691
1692 case OR_LLC:
1693 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
1694 break;
1695
1696 case OR_PREVMPLSHDR:
1697 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
1698 break;
1699
1700 case OR_LINKPL:
1701 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
1702 break;
1703
1704 case OR_LINKPL_NOSNAP:
1705 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
1706 break;
1707
1708 case OR_LINKTYPE:
1709 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
1710 break;
1711
1712 case OR_TRAN_IPV4:
1713 /*
1714 * Load the X register with the length of the IPv4 header
1715 * (plus the offset of the link-layer header, if it's
1716 * preceded by a variable-length header such as a radio
1717 * header), in bytes.
1718 */
1719 s = gen_loadx_iphdrlen(cstate);
1720
1721 /*
1722 * Load the item at {offset of the link-layer payload} +
1723 * {offset, relative to the start of the link-layer
1724 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1725 * {specified offset}.
1726 *
1727 * If the offset of the link-layer payload is variable,
1728 * the variable part of that offset is included in the
1729 * value in the X register, and we include the constant
1730 * part in the offset of the load.
1731 */
1732 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1733 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
1734 sappend(s, s2);
1735 break;
1736
1737 case OR_TRAN_IPV6:
1738 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
1739 break;
1740
1741 default:
1742 abort();
1743 return NULL;
1744 }
1745 return s;
1746 }
1747
1748 /*
1749 * Generate code to load into the X register the sum of the length of
1750 * the IPv4 header and the variable part of the offset of the link-layer
1751 * payload.
1752 */
1753 static struct slist *
1754 gen_loadx_iphdrlen(compiler_state_t *cstate)
1755 {
1756 struct slist *s, *s2;
1757
1758 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
1759 if (s != NULL) {
1760 /*
1761 * The offset of the link-layer payload has a variable
1762 * part. "s" points to a list of statements that put
1763 * the variable part of that offset into the X register.
1764 *
1765 * The 4*([k]&0xf) addressing mode can't be used, as we
1766 * don't have a constant offset, so we have to load the
1767 * value in question into the A register and add to it
1768 * the value from the X register.
1769 */
1770 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
1771 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1772 sappend(s, s2);
1773 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1774 s2->s.k = 0xf;
1775 sappend(s, s2);
1776 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
1777 s2->s.k = 2;
1778 sappend(s, s2);
1779
1780 /*
1781 * The A register now contains the length of the IP header.
1782 * We need to add to it the variable part of the offset of
1783 * the link-layer payload, which is still in the X
1784 * register, and move the result into the X register.
1785 */
1786 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
1787 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
1788 } else {
1789 /*
1790 * The offset of the link-layer payload is a constant,
1791 * so no code was generated to load the (non-existent)
1792 * variable part of that offset.
1793 *
1794 * This means we can use the 4*([k]&0xf) addressing
1795 * mode. Load the length of the IPv4 header, which
1796 * is at an offset of cstate->off_nl from the beginning of
1797 * the link-layer payload, and thus at an offset of
1798 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
1799 * of the raw packet data, using that addressing mode.
1800 */
1801 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
1802 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1803 }
1804 return s;
1805 }
1806
1807 static struct block *
1808 gen_uncond(compiler_state_t *cstate, int rsense)
1809 {
1810 struct block *b;
1811 struct slist *s;
1812
1813 s = new_stmt(cstate, BPF_LD|BPF_IMM);
1814 s->s.k = !rsense;
1815 b = new_block(cstate, JMP(BPF_JEQ));
1816 b->stmts = s;
1817
1818 return b;
1819 }
1820
1821 static inline struct block *
1822 gen_true(compiler_state_t *cstate)
1823 {
1824 return gen_uncond(cstate, 1);
1825 }
1826
1827 static inline struct block *
1828 gen_false(compiler_state_t *cstate)
1829 {
1830 return gen_uncond(cstate, 0);
1831 }
1832
1833 /*
1834 * Byte-swap a 32-bit number.
1835 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1836 * big-endian platforms.)
1837 */
1838 #define SWAPLONG(y) \
1839 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1840
1841 /*
1842 * Generate code to match a particular packet type.
1843 *
1844 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1845 * value, if <= ETHERMTU. We use that to determine whether to
1846 * match the type/length field or to check the type/length field for
1847 * a value <= ETHERMTU to see whether it's a type field and then do
1848 * the appropriate test.
1849 */
1850 static struct block *
1851 gen_ether_linktype(compiler_state_t *cstate, int proto)
1852 {
1853 struct block *b0, *b1;
1854
1855 switch (proto) {
1856
1857 case LLCSAP_ISONS:
1858 case LLCSAP_IP:
1859 case LLCSAP_NETBEUI:
1860 /*
1861 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1862 * so we check the DSAP and SSAP.
1863 *
1864 * LLCSAP_IP checks for IP-over-802.2, rather
1865 * than IP-over-Ethernet or IP-over-SNAP.
1866 *
1867 * XXX - should we check both the DSAP and the
1868 * SSAP, like this, or should we check just the
1869 * DSAP, as we do for other types <= ETHERMTU
1870 * (i.e., other SAP values)?
1871 */
1872 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1873 gen_not(b0);
1874 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)
1875 ((proto << 8) | proto));
1876 gen_and(b0, b1);
1877 return b1;
1878
1879 case LLCSAP_IPX:
1880 /*
1881 * Check for;
1882 *
1883 * Ethernet_II frames, which are Ethernet
1884 * frames with a frame type of ETHERTYPE_IPX;
1885 *
1886 * Ethernet_802.3 frames, which are 802.3
1887 * frames (i.e., the type/length field is
1888 * a length field, <= ETHERMTU, rather than
1889 * a type field) with the first two bytes
1890 * after the Ethernet/802.3 header being
1891 * 0xFFFF;
1892 *
1893 * Ethernet_802.2 frames, which are 802.3
1894 * frames with an 802.2 LLC header and
1895 * with the IPX LSAP as the DSAP in the LLC
1896 * header;
1897 *
1898 * Ethernet_SNAP frames, which are 802.3
1899 * frames with an LLC header and a SNAP
1900 * header and with an OUI of 0x000000
1901 * (encapsulated Ethernet) and a protocol
1902 * ID of ETHERTYPE_IPX in the SNAP header.
1903 *
1904 * XXX - should we generate the same code both
1905 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1906 */
1907
1908 /*
1909 * This generates code to check both for the
1910 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1911 */
1912 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
1913 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
1914 gen_or(b0, b1);
1915
1916 /*
1917 * Now we add code to check for SNAP frames with
1918 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1919 */
1920 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
1921 gen_or(b0, b1);
1922
1923 /*
1924 * Now we generate code to check for 802.3
1925 * frames in general.
1926 */
1927 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1928 gen_not(b0);
1929
1930 /*
1931 * Now add the check for 802.3 frames before the
1932 * check for Ethernet_802.2 and Ethernet_802.3,
1933 * as those checks should only be done on 802.3
1934 * frames, not on Ethernet frames.
1935 */
1936 gen_and(b0, b1);
1937
1938 /*
1939 * Now add the check for Ethernet_II frames, and
1940 * do that before checking for the other frame
1941 * types.
1942 */
1943 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1944 gen_or(b0, b1);
1945 return b1;
1946
1947 case ETHERTYPE_ATALK:
1948 case ETHERTYPE_AARP:
1949 /*
1950 * EtherTalk (AppleTalk protocols on Ethernet link
1951 * layer) may use 802.2 encapsulation.
1952 */
1953
1954 /*
1955 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1956 * we check for an Ethernet type field less than
1957 * 1500, which means it's an 802.3 length field.
1958 */
1959 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1960 gen_not(b0);
1961
1962 /*
1963 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1964 * SNAP packets with an organization code of
1965 * 0x080007 (Apple, for Appletalk) and a protocol
1966 * type of ETHERTYPE_ATALK (Appletalk).
1967 *
1968 * 802.2-encapsulated ETHERTYPE_AARP packets are
1969 * SNAP packets with an organization code of
1970 * 0x000000 (encapsulated Ethernet) and a protocol
1971 * type of ETHERTYPE_AARP (Appletalk ARP).
1972 */
1973 if (proto == ETHERTYPE_ATALK)
1974 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
1975 else /* proto == ETHERTYPE_AARP */
1976 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
1977 gen_and(b0, b1);
1978
1979 /*
1980 * Check for Ethernet encapsulation (Ethertalk
1981 * phase 1?); we just check for the Ethernet
1982 * protocol type.
1983 */
1984 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
1985
1986 gen_or(b0, b1);
1987 return b1;
1988
1989 default:
1990 if (proto <= ETHERMTU) {
1991 /*
1992 * This is an LLC SAP value, so the frames
1993 * that match would be 802.2 frames.
1994 * Check that the frame is an 802.2 frame
1995 * (i.e., that the length/type field is
1996 * a length field, <= ETHERMTU) and
1997 * then check the DSAP.
1998 */
1999 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2000 gen_not(b0);
2001 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, (bpf_int32)proto);
2002 gen_and(b0, b1);
2003 return b1;
2004 } else {
2005 /*
2006 * This is an Ethernet type, so compare
2007 * the length/type field with it (if
2008 * the frame is an 802.2 frame, the length
2009 * field will be <= ETHERMTU, and, as
2010 * "proto" is > ETHERMTU, this test
2011 * will fail and the frame won't match,
2012 * which is what we want).
2013 */
2014 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
2015 (bpf_int32)proto);
2016 }
2017 }
2018 }
2019
2020 static struct block *
2021 gen_loopback_linktype(compiler_state_t *cstate, int proto)
2022 {
2023 /*
2024 * For DLT_NULL, the link-layer header is a 32-bit word
2025 * containing an AF_ value in *host* byte order, and for
2026 * DLT_ENC, the link-layer header begins with a 32-bit
2027 * word containing an AF_ value in host byte order.
2028 *
2029 * In addition, if we're reading a saved capture file,
2030 * the host byte order in the capture may not be the
2031 * same as the host byte order on this machine.
2032 *
2033 * For DLT_LOOP, the link-layer header is a 32-bit
2034 * word containing an AF_ value in *network* byte order.
2035 */
2036 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2037 /*
2038 * The AF_ value is in host byte order, but the BPF
2039 * interpreter will convert it to network byte order.
2040 *
2041 * If this is a save file, and it's from a machine
2042 * with the opposite byte order to ours, we byte-swap
2043 * the AF_ value.
2044 *
2045 * Then we run it through "htonl()", and generate
2046 * code to compare against the result.
2047 */
2048 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2049 proto = SWAPLONG(proto);
2050 proto = htonl(proto);
2051 }
2052 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, (bpf_int32)proto));
2053 }
2054
2055 /*
2056 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2057 * or IPv6 then we have an error.
2058 */
2059 static struct block *
2060 gen_ipnet_linktype(compiler_state_t *cstate, int proto)
2061 {
2062 switch (proto) {
2063
2064 case ETHERTYPE_IP:
2065 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, (bpf_int32)IPH_AF_INET);
2066 /* NOTREACHED */
2067
2068 case ETHERTYPE_IPV6:
2069 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
2070 (bpf_int32)IPH_AF_INET6);
2071 /* NOTREACHED */
2072
2073 default:
2074 break;
2075 }
2076
2077 return gen_false(cstate);
2078 }
2079
2080 /*
2081 * Generate code to match a particular packet type.
2082 *
2083 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2084 * value, if <= ETHERMTU. We use that to determine whether to
2085 * match the type field or to check the type field for the special
2086 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2087 */
2088 static struct block *
2089 gen_linux_sll_linktype(compiler_state_t *cstate, int proto)
2090 {
2091 struct block *b0, *b1;
2092
2093 switch (proto) {
2094
2095 case LLCSAP_ISONS:
2096 case LLCSAP_IP:
2097 case LLCSAP_NETBEUI:
2098 /*
2099 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2100 * so we check the DSAP and SSAP.
2101 *
2102 * LLCSAP_IP checks for IP-over-802.2, rather
2103 * than IP-over-Ethernet or IP-over-SNAP.
2104 *
2105 * XXX - should we check both the DSAP and the
2106 * SSAP, like this, or should we check just the
2107 * DSAP, as we do for other types <= ETHERMTU
2108 * (i.e., other SAP values)?
2109 */
2110 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2111 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)
2112 ((proto << 8) | proto));
2113 gen_and(b0, b1);
2114 return b1;
2115
2116 case LLCSAP_IPX:
2117 /*
2118 * Ethernet_II frames, which are Ethernet
2119 * frames with a frame type of ETHERTYPE_IPX;
2120 *
2121 * Ethernet_802.3 frames, which have a frame
2122 * type of LINUX_SLL_P_802_3;
2123 *
2124 * Ethernet_802.2 frames, which are 802.3
2125 * frames with an 802.2 LLC header (i.e, have
2126 * a frame type of LINUX_SLL_P_802_2) and
2127 * with the IPX LSAP as the DSAP in the LLC
2128 * header;
2129 *
2130 * Ethernet_SNAP frames, which are 802.3
2131 * frames with an LLC header and a SNAP
2132 * header and with an OUI of 0x000000
2133 * (encapsulated Ethernet) and a protocol
2134 * ID of ETHERTYPE_IPX in the SNAP header.
2135 *
2136 * First, do the checks on LINUX_SLL_P_802_2
2137 * frames; generate the check for either
2138 * Ethernet_802.2 or Ethernet_SNAP frames, and
2139 * then put a check for LINUX_SLL_P_802_2 frames
2140 * before it.
2141 */
2142 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)LLCSAP_IPX);
2143 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2144 gen_or(b0, b1);
2145 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2146 gen_and(b0, b1);
2147
2148 /*
2149 * Now check for 802.3 frames and OR that with
2150 * the previous test.
2151 */
2152 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2153 gen_or(b0, b1);
2154
2155 /*
2156 * Now add the check for Ethernet_II frames, and
2157 * do that before checking for the other frame
2158 * types.
2159 */
2160 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)ETHERTYPE_IPX);
2161 gen_or(b0, b1);
2162 return b1;
2163
2164 case ETHERTYPE_ATALK:
2165 case ETHERTYPE_AARP:
2166 /*
2167 * EtherTalk (AppleTalk protocols on Ethernet link
2168 * layer) may use 802.2 encapsulation.
2169 */
2170
2171 /*
2172 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2173 * we check for the 802.2 protocol type in the
2174 * "Ethernet type" field.
2175 */
2176 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2177
2178 /*
2179 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2180 * SNAP packets with an organization code of
2181 * 0x080007 (Apple, for Appletalk) and a protocol
2182 * type of ETHERTYPE_ATALK (Appletalk).
2183 *
2184 * 802.2-encapsulated ETHERTYPE_AARP packets are
2185 * SNAP packets with an organization code of
2186 * 0x000000 (encapsulated Ethernet) and a protocol
2187 * type of ETHERTYPE_AARP (Appletalk ARP).
2188 */
2189 if (proto == ETHERTYPE_ATALK)
2190 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2191 else /* proto == ETHERTYPE_AARP */
2192 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2193 gen_and(b0, b1);
2194
2195 /*
2196 * Check for Ethernet encapsulation (Ethertalk
2197 * phase 1?); we just check for the Ethernet
2198 * protocol type.
2199 */
2200 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2201
2202 gen_or(b0, b1);
2203 return b1;
2204
2205 default:
2206 if (proto <= ETHERMTU) {
2207 /*
2208 * This is an LLC SAP value, so the frames
2209 * that match would be 802.2 frames.
2210 * Check for the 802.2 protocol type
2211 * in the "Ethernet type" field, and
2212 * then check the DSAP.
2213 */
2214 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2215 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2216 (bpf_int32)proto);
2217 gen_and(b0, b1);
2218 return b1;
2219 } else {
2220 /*
2221 * This is an Ethernet type, so compare
2222 * the length/type field with it (if
2223 * the frame is an 802.2 frame, the length
2224 * field will be <= ETHERMTU, and, as
2225 * "proto" is > ETHERMTU, this test
2226 * will fail and the frame won't match,
2227 * which is what we want).
2228 */
2229 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
2230 }
2231 }
2232 }
2233
2234 static struct slist *
2235 gen_load_prism_llprefixlen(compiler_state_t *cstate)
2236 {
2237 struct slist *s1, *s2;
2238 struct slist *sjeq_avs_cookie;
2239 struct slist *sjcommon;
2240
2241 /*
2242 * This code is not compatible with the optimizer, as
2243 * we are generating jmp instructions within a normal
2244 * slist of instructions
2245 */
2246 cstate->no_optimize = 1;
2247
2248 /*
2249 * Generate code to load the length of the radio header into
2250 * the register assigned to hold that length, if one has been
2251 * assigned. (If one hasn't been assigned, no code we've
2252 * generated uses that prefix, so we don't need to generate any
2253 * code to load it.)
2254 *
2255 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2256 * or always use the AVS header rather than the Prism header.
2257 * We load a 4-byte big-endian value at the beginning of the
2258 * raw packet data, and see whether, when masked with 0xFFFFF000,
2259 * it's equal to 0x80211000. If so, that indicates that it's
2260 * an AVS header (the masked-out bits are the version number).
2261 * Otherwise, it's a Prism header.
2262 *
2263 * XXX - the Prism header is also, in theory, variable-length,
2264 * but no known software generates headers that aren't 144
2265 * bytes long.
2266 */
2267 if (cstate->off_linkhdr.reg != -1) {
2268 /*
2269 * Load the cookie.
2270 */
2271 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2272 s1->s.k = 0;
2273
2274 /*
2275 * AND it with 0xFFFFF000.
2276 */
2277 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2278 s2->s.k = 0xFFFFF000;
2279 sappend(s1, s2);
2280
2281 /*
2282 * Compare with 0x80211000.
2283 */
2284 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2285 sjeq_avs_cookie->s.k = 0x80211000;
2286 sappend(s1, sjeq_avs_cookie);
2287
2288 /*
2289 * If it's AVS:
2290 *
2291 * The 4 bytes at an offset of 4 from the beginning of
2292 * the AVS header are the length of the AVS header.
2293 * That field is big-endian.
2294 */
2295 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2296 s2->s.k = 4;
2297 sappend(s1, s2);
2298 sjeq_avs_cookie->s.jt = s2;
2299
2300 /*
2301 * Now jump to the code to allocate a register
2302 * into which to save the header length and
2303 * store the length there. (The "jump always"
2304 * instruction needs to have the k field set;
2305 * it's added to the PC, so, as we're jumping
2306 * over a single instruction, it should be 1.)
2307 */
2308 sjcommon = new_stmt(cstate, JMP(BPF_JA));
2309 sjcommon->s.k = 1;
2310 sappend(s1, sjcommon);
2311
2312 /*
2313 * Now for the code that handles the Prism header.
2314 * Just load the length of the Prism header (144)
2315 * into the A register. Have the test for an AVS
2316 * header branch here if we don't have an AVS header.
2317 */
2318 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2319 s2->s.k = 144;
2320 sappend(s1, s2);
2321 sjeq_avs_cookie->s.jf = s2;
2322
2323 /*
2324 * Now allocate a register to hold that value and store
2325 * it. The code for the AVS header will jump here after
2326 * loading the length of the AVS header.
2327 */
2328 s2 = new_stmt(cstate, BPF_ST);
2329 s2->s.k = cstate->off_linkhdr.reg;
2330 sappend(s1, s2);
2331 sjcommon->s.jf = s2;
2332
2333 /*
2334 * Now move it into the X register.
2335 */
2336 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2337 sappend(s1, s2);
2338
2339 return (s1);
2340 } else
2341 return (NULL);
2342 }
2343
2344 static struct slist *
2345 gen_load_avs_llprefixlen(compiler_state_t *cstate)
2346 {
2347 struct slist *s1, *s2;
2348
2349 /*
2350 * Generate code to load the length of the AVS header into
2351 * the register assigned to hold that length, if one has been
2352 * assigned. (If one hasn't been assigned, no code we've
2353 * generated uses that prefix, so we don't need to generate any
2354 * code to load it.)
2355 */
2356 if (cstate->off_linkhdr.reg != -1) {
2357 /*
2358 * The 4 bytes at an offset of 4 from the beginning of
2359 * the AVS header are the length of the AVS header.
2360 * That field is big-endian.
2361 */
2362 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2363 s1->s.k = 4;
2364
2365 /*
2366 * Now allocate a register to hold that value and store
2367 * it.
2368 */
2369 s2 = new_stmt(cstate, BPF_ST);
2370 s2->s.k = cstate->off_linkhdr.reg;
2371 sappend(s1, s2);
2372
2373 /*
2374 * Now move it into the X register.
2375 */
2376 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2377 sappend(s1, s2);
2378
2379 return (s1);
2380 } else
2381 return (NULL);
2382 }
2383
2384 static struct slist *
2385 gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2386 {
2387 struct slist *s1, *s2;
2388
2389 /*
2390 * Generate code to load the length of the radiotap header into
2391 * the register assigned to hold that length, if one has been
2392 * assigned. (If one hasn't been assigned, no code we've
2393 * generated uses that prefix, so we don't need to generate any
2394 * code to load it.)
2395 */
2396 if (cstate->off_linkhdr.reg != -1) {
2397 /*
2398 * The 2 bytes at offsets of 2 and 3 from the beginning
2399 * of the radiotap header are the length of the radiotap
2400 * header; unfortunately, it's little-endian, so we have
2401 * to load it a byte at a time and construct the value.
2402 */
2403
2404 /*
2405 * Load the high-order byte, at an offset of 3, shift it
2406 * left a byte, and put the result in the X register.
2407 */
2408 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2409 s1->s.k = 3;
2410 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2411 sappend(s1, s2);
2412 s2->s.k = 8;
2413 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2414 sappend(s1, s2);
2415
2416 /*
2417 * Load the next byte, at an offset of 2, and OR the
2418 * value from the X register into it.
2419 */
2420 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2421 sappend(s1, s2);
2422 s2->s.k = 2;
2423 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2424 sappend(s1, s2);
2425
2426 /*
2427 * Now allocate a register to hold that value and store
2428 * it.
2429 */
2430 s2 = new_stmt(cstate, BPF_ST);
2431 s2->s.k = cstate->off_linkhdr.reg;
2432 sappend(s1, s2);
2433
2434 /*
2435 * Now move it into the X register.
2436 */
2437 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2438 sappend(s1, s2);
2439
2440 return (s1);
2441 } else
2442 return (NULL);
2443 }
2444
2445 /*
2446 * At the moment we treat PPI as normal Radiotap encoded
2447 * packets. The difference is in the function that generates
2448 * the code at the beginning to compute the header length.
2449 * Since this code generator of PPI supports bare 802.11
2450 * encapsulation only (i.e. the encapsulated DLT should be
2451 * DLT_IEEE802_11) we generate code to check for this too;
2452 * that's done in finish_parse().
2453 */
2454 static struct slist *
2455 gen_load_ppi_llprefixlen(compiler_state_t *cstate)
2456 {
2457 struct slist *s1, *s2;
2458
2459 /*
2460 * Generate code to load the length of the radiotap header
2461 * into the register assigned to hold that length, if one has
2462 * been assigned.
2463 */
2464 if (cstate->off_linkhdr.reg != -1) {
2465 /*
2466 * The 2 bytes at offsets of 2 and 3 from the beginning
2467 * of the radiotap header are the length of the radiotap
2468 * header; unfortunately, it's little-endian, so we have
2469 * to load it a byte at a time and construct the value.
2470 */
2471
2472 /*
2473 * Load the high-order byte, at an offset of 3, shift it
2474 * left a byte, and put the result in the X register.
2475 */
2476 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2477 s1->s.k = 3;
2478 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2479 sappend(s1, s2);
2480 s2->s.k = 8;
2481 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2482 sappend(s1, s2);
2483
2484 /*
2485 * Load the next byte, at an offset of 2, and OR the
2486 * value from the X register into it.
2487 */
2488 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2489 sappend(s1, s2);
2490 s2->s.k = 2;
2491 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2492 sappend(s1, s2);
2493
2494 /*
2495 * Now allocate a register to hold that value and store
2496 * it.
2497 */
2498 s2 = new_stmt(cstate, BPF_ST);
2499 s2->s.k = cstate->off_linkhdr.reg;
2500 sappend(s1, s2);
2501
2502 /*
2503 * Now move it into the X register.
2504 */
2505 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2506 sappend(s1, s2);
2507
2508 return (s1);
2509 } else
2510 return (NULL);
2511 }
2512
2513 /*
2514 * Load a value relative to the beginning of the link-layer header after the 802.11
2515 * header, i.e. LLC_SNAP.
2516 * The link-layer header doesn't necessarily begin at the beginning
2517 * of the packet data; there might be a variable-length prefix containing
2518 * radio information.
2519 */
2520 static struct slist *
2521 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
2522 {
2523 struct slist *s2;
2524 struct slist *sjset_data_frame_1;
2525 struct slist *sjset_data_frame_2;
2526 struct slist *sjset_qos;
2527 struct slist *sjset_radiotap_flags_present;
2528 struct slist *sjset_radiotap_ext_present;
2529 struct slist *sjset_radiotap_tsft_present;
2530 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2531 struct slist *s_roundup;
2532
2533 if (cstate->off_linkpl.reg == -1) {
2534 /*
2535 * No register has been assigned to the offset of
2536 * the link-layer payload, which means nobody needs
2537 * it; don't bother computing it - just return
2538 * what we already have.
2539 */
2540 return (s);
2541 }
2542
2543 /*
2544 * This code is not compatible with the optimizer, as
2545 * we are generating jmp instructions within a normal
2546 * slist of instructions
2547 */
2548 cstate->no_optimize = 1;
2549
2550 /*
2551 * If "s" is non-null, it has code to arrange that the X register
2552 * contains the length of the prefix preceding the link-layer
2553 * header.
2554 *
2555 * Otherwise, the length of the prefix preceding the link-layer
2556 * header is "off_outermostlinkhdr.constant_part".
2557 */
2558 if (s == NULL) {
2559 /*
2560 * There is no variable-length header preceding the
2561 * link-layer header.
2562 *
2563 * Load the length of the fixed-length prefix preceding
2564 * the link-layer header (if any) into the X register,
2565 * and store it in the cstate->off_linkpl.reg register.
2566 * That length is off_outermostlinkhdr.constant_part.
2567 */
2568 s = new_stmt(cstate, BPF_LDX|BPF_IMM);
2569 s->s.k = cstate->off_outermostlinkhdr.constant_part;
2570 }
2571
2572 /*
2573 * The X register contains the offset of the beginning of the
2574 * link-layer header; add 24, which is the minimum length
2575 * of the MAC header for a data frame, to that, and store it
2576 * in cstate->off_linkpl.reg, and then load the Frame Control field,
2577 * which is at the offset in the X register, with an indexed load.
2578 */
2579 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
2580 sappend(s, s2);
2581 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2582 s2->s.k = 24;
2583 sappend(s, s2);
2584 s2 = new_stmt(cstate, BPF_ST);
2585 s2->s.k = cstate->off_linkpl.reg;
2586 sappend(s, s2);
2587
2588 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2589 s2->s.k = 0;
2590 sappend(s, s2);
2591
2592 /*
2593 * Check the Frame Control field to see if this is a data frame;
2594 * a data frame has the 0x08 bit (b3) in that field set and the
2595 * 0x04 bit (b2) clear.
2596 */
2597 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
2598 sjset_data_frame_1->s.k = 0x08;
2599 sappend(s, sjset_data_frame_1);
2600
2601 /*
2602 * If b3 is set, test b2, otherwise go to the first statement of
2603 * the rest of the program.
2604 */
2605 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
2606 sjset_data_frame_2->s.k = 0x04;
2607 sappend(s, sjset_data_frame_2);
2608 sjset_data_frame_1->s.jf = snext;
2609
2610 /*
2611 * If b2 is not set, this is a data frame; test the QoS bit.
2612 * Otherwise, go to the first statement of the rest of the
2613 * program.
2614 */
2615 sjset_data_frame_2->s.jt = snext;
2616 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
2617 sjset_qos->s.k = 0x80; /* QoS bit */
2618 sappend(s, sjset_qos);
2619
2620 /*
2621 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
2622 * field.
2623 * Otherwise, go to the first statement of the rest of the
2624 * program.
2625 */
2626 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
2627 s2->s.k = cstate->off_linkpl.reg;
2628 sappend(s, s2);
2629 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2630 s2->s.k = 2;
2631 sappend(s, s2);
2632 s2 = new_stmt(cstate, BPF_ST);
2633 s2->s.k = cstate->off_linkpl.reg;
2634 sappend(s, s2);
2635
2636 /*
2637 * If we have a radiotap header, look at it to see whether
2638 * there's Atheros padding between the MAC-layer header
2639 * and the payload.
2640 *
2641 * Note: all of the fields in the radiotap header are
2642 * little-endian, so we byte-swap all of the values
2643 * we test against, as they will be loaded as big-endian
2644 * values.
2645 *
2646 * XXX - in the general case, we would have to scan through
2647 * *all* the presence bits, if there's more than one word of
2648 * presence bits. That would require a loop, meaning that
2649 * we wouldn't be able to run the filter in the kernel.
2650 *
2651 * We assume here that the Atheros adapters that insert the
2652 * annoying padding don't have multiple antennae and therefore
2653 * do not generate radiotap headers with multiple presence words.
2654 */
2655 if (cstate->linktype == DLT_IEEE802_11_RADIO) {
2656 /*
2657 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2658 * in the first presence flag word?
2659 */
2660 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
2661 s2->s.k = 4;
2662 sappend(s, s2);
2663
2664 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
2665 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
2666 sappend(s, sjset_radiotap_flags_present);
2667
2668 /*
2669 * If not, skip all of this.
2670 */
2671 sjset_radiotap_flags_present->s.jf = snext;
2672
2673 /*
2674 * Otherwise, is the "extension" bit set in that word?
2675 */
2676 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
2677 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
2678 sappend(s, sjset_radiotap_ext_present);
2679 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
2680
2681 /*
2682 * If so, skip all of this.
2683 */
2684 sjset_radiotap_ext_present->s.jt = snext;
2685
2686 /*
2687 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2688 */
2689 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
2690 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
2691 sappend(s, sjset_radiotap_tsft_present);
2692 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
2693
2694 /*
2695 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2696 * at an offset of 16 from the beginning of the raw packet
2697 * data (8 bytes for the radiotap header and 8 bytes for
2698 * the TSFT field).
2699 *
2700 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2701 * is set.
2702 */
2703 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2704 s2->s.k = 16;
2705 sappend(s, s2);
2706 sjset_radiotap_tsft_present->s.jt = s2;
2707
2708 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2709 sjset_tsft_datapad->s.k = 0x20;
2710 sappend(s, sjset_tsft_datapad);
2711
2712 /*
2713 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2714 * at an offset of 8 from the beginning of the raw packet
2715 * data (8 bytes for the radiotap header).
2716 *
2717 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2718 * is set.
2719 */
2720 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2721 s2->s.k = 8;
2722 sappend(s, s2);
2723 sjset_radiotap_tsft_present->s.jf = s2;
2724
2725 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2726 sjset_notsft_datapad->s.k = 0x20;
2727 sappend(s, sjset_notsft_datapad);
2728
2729 /*
2730 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2731 * set, round the length of the 802.11 header to
2732 * a multiple of 4. Do that by adding 3 and then
2733 * dividing by and multiplying by 4, which we do by
2734 * ANDing with ~3.
2735 */
2736 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
2737 s_roundup->s.k = cstate->off_linkpl.reg;
2738 sappend(s, s_roundup);
2739 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2740 s2->s.k = 3;
2741 sappend(s, s2);
2742 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
2743 s2->s.k = ~3;
2744 sappend(s, s2);
2745 s2 = new_stmt(cstate, BPF_ST);
2746 s2->s.k = cstate->off_linkpl.reg;
2747 sappend(s, s2);
2748
2749 sjset_tsft_datapad->s.jt = s_roundup;
2750 sjset_tsft_datapad->s.jf = snext;
2751 sjset_notsft_datapad->s.jt = s_roundup;
2752 sjset_notsft_datapad->s.jf = snext;
2753 } else
2754 sjset_qos->s.jf = snext;
2755
2756 return s;
2757 }
2758
2759 static void
2760 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
2761 {
2762 struct slist *s;
2763
2764 /* There is an implicit dependency between the link
2765 * payload and link header since the payload computation
2766 * includes the variable part of the header. Therefore,
2767 * if nobody else has allocated a register for the link
2768 * header and we need it, do it now. */
2769 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
2770 cstate->off_linkhdr.reg == -1)
2771 cstate->off_linkhdr.reg = alloc_reg(cstate);
2772
2773 /*
2774 * For link-layer types that have a variable-length header
2775 * preceding the link-layer header, generate code to load
2776 * the offset of the link-layer header into the register
2777 * assigned to that offset, if any.
2778 *
2779 * XXX - this, and the next switch statement, won't handle
2780 * encapsulation of 802.11 or 802.11+radio information in
2781 * some other protocol stack. That's significantly more
2782 * complicated.
2783 */
2784 switch (cstate->outermostlinktype) {
2785
2786 case DLT_PRISM_HEADER:
2787 s = gen_load_prism_llprefixlen(cstate);
2788 break;
2789
2790 case DLT_IEEE802_11_RADIO_AVS:
2791 s = gen_load_avs_llprefixlen(cstate);
2792 break;
2793
2794 case DLT_IEEE802_11_RADIO:
2795 s = gen_load_radiotap_llprefixlen(cstate);
2796 break;
2797
2798 case DLT_PPI:
2799 s = gen_load_ppi_llprefixlen(cstate);
2800 break;
2801
2802 default:
2803 s = NULL;
2804 break;
2805 }
2806
2807 /*
2808 * For link-layer types that have a variable-length link-layer
2809 * header, generate code to load the offset of the link-layer
2810 * payload into the register assigned to that offset, if any.
2811 */
2812 switch (cstate->outermostlinktype) {
2813
2814 case DLT_IEEE802_11:
2815 case DLT_PRISM_HEADER:
2816 case DLT_IEEE802_11_RADIO_AVS:
2817 case DLT_IEEE802_11_RADIO:
2818 case DLT_PPI:
2819 s = gen_load_802_11_header_len(cstate, s, b->stmts);
2820 break;
2821 }
2822
2823 /*
2824 * If there there is no initialization yet and we need variable
2825 * length offsets for VLAN, initialize them to zero
2826 */
2827 if (s == NULL && cstate->is_vlan_vloffset) {
2828 struct slist *s2;
2829
2830 if (cstate->off_linkpl.reg == -1)
2831 cstate->off_linkpl.reg = alloc_reg(cstate);
2832 if (cstate->off_linktype.reg == -1)
2833 cstate->off_linktype.reg = alloc_reg(cstate);
2834
2835 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2836 s->s.k = 0;
2837 s2 = new_stmt(cstate, BPF_ST);
2838 s2->s.k = cstate->off_linkpl.reg;
2839 sappend(s, s2);
2840 s2 = new_stmt(cstate, BPF_ST);
2841 s2->s.k = cstate->off_linktype.reg;
2842 sappend(s, s2);
2843 }
2844
2845 /*
2846 * If we have any offset-loading code, append all the
2847 * existing statements in the block to those statements,
2848 * and make the resulting list the list of statements
2849 * for the block.
2850 */
2851 if (s != NULL) {
2852 sappend(s, b->stmts);
2853 b->stmts = s;
2854 }
2855 }
2856
2857 static struct block *
2858 gen_ppi_dlt_check(compiler_state_t *cstate)
2859 {
2860 struct slist *s_load_dlt;
2861 struct block *b;
2862
2863 if (cstate->linktype == DLT_PPI)
2864 {
2865 /* Create the statements that check for the DLT
2866 */
2867 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2868 s_load_dlt->s.k = 4;
2869
2870 b = new_block(cstate, JMP(BPF_JEQ));
2871
2872 b->stmts = s_load_dlt;
2873 b->s.k = SWAPLONG(DLT_IEEE802_11);
2874 }
2875 else
2876 {
2877 b = NULL;
2878 }
2879
2880 return b;
2881 }
2882
2883 /*
2884 * Take an absolute offset, and:
2885 *
2886 * if it has no variable part, return NULL;
2887 *
2888 * if it has a variable part, generate code to load the register
2889 * containing that variable part into the X register, returning
2890 * a pointer to that code - if no register for that offset has
2891 * been allocated, allocate it first.
2892 *
2893 * (The code to set that register will be generated later, but will
2894 * be placed earlier in the code sequence.)
2895 */
2896 static struct slist *
2897 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
2898 {
2899 struct slist *s;
2900
2901 if (off->is_variable) {
2902 if (off->reg == -1) {
2903 /*
2904 * We haven't yet assigned a register for the
2905 * variable part of the offset of the link-layer
2906 * header; allocate one.
2907 */
2908 off->reg = alloc_reg(cstate);
2909 }
2910
2911 /*
2912 * Load the register containing the variable part of the
2913 * offset of the link-layer header into the X register.
2914 */
2915 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
2916 s->s.k = off->reg;
2917 return s;
2918 } else {
2919 /*
2920 * That offset isn't variable, there's no variable part,
2921 * so we don't need to generate any code.
2922 */
2923 return NULL;
2924 }
2925 }
2926
2927 /*
2928 * Map an Ethernet type to the equivalent PPP type.
2929 */
2930 static int
2931 ethertype_to_ppptype(proto)
2932 int proto;
2933 {
2934 switch (proto) {
2935
2936 case ETHERTYPE_IP:
2937 proto = PPP_IP;
2938 break;
2939
2940 case ETHERTYPE_IPV6:
2941 proto = PPP_IPV6;
2942 break;
2943
2944 case ETHERTYPE_DN:
2945 proto = PPP_DECNET;
2946 break;
2947
2948 case ETHERTYPE_ATALK:
2949 proto = PPP_APPLE;
2950 break;
2951
2952 case ETHERTYPE_NS:
2953 proto = PPP_NS;
2954 break;
2955
2956 case LLCSAP_ISONS:
2957 proto = PPP_OSI;
2958 break;
2959
2960 case LLCSAP_8021D:
2961 /*
2962 * I'm assuming the "Bridging PDU"s that go
2963 * over PPP are Spanning Tree Protocol
2964 * Bridging PDUs.
2965 */
2966 proto = PPP_BRPDU;
2967 break;
2968
2969 case LLCSAP_IPX:
2970 proto = PPP_IPX;
2971 break;
2972 }
2973 return (proto);
2974 }
2975
2976 /*
2977 * Generate any tests that, for encapsulation of a link-layer packet
2978 * inside another protocol stack, need to be done to check for those
2979 * link-layer packets (and that haven't already been done by a check
2980 * for that encapsulation).
2981 */
2982 static struct block *
2983 gen_prevlinkhdr_check(compiler_state_t *cstate)
2984 {
2985 struct block *b0;
2986
2987 if (cstate->is_geneve)
2988 return gen_geneve_ll_check(cstate);
2989
2990 switch (cstate->prevlinktype) {
2991
2992 case DLT_SUNATM:
2993 /*
2994 * This is LANE-encapsulated Ethernet; check that the LANE
2995 * packet doesn't begin with an LE Control marker, i.e.
2996 * that it's data, not a control message.
2997 *
2998 * (We've already generated a test for LANE.)
2999 */
3000 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3001 gen_not(b0);
3002 return b0;
3003
3004 default:
3005 /*
3006 * No such tests are necessary.
3007 */
3008 return NULL;
3009 }
3010 /*NOTREACHED*/
3011 }
3012
3013 /*
3014 * The three different values we should check for when checking for an
3015 * IPv6 packet with DLT_NULL.
3016 */
3017 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
3018 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
3019 #define BSD_AFNUM_INET6_DARWIN 30 /* OS X, iOS, other Darwin-based OSes */
3020
3021 /*
3022 * Generate code to match a particular packet type by matching the
3023 * link-layer type field or fields in the 802.2 LLC header.
3024 *
3025 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3026 * value, if <= ETHERMTU.
3027 */
3028 static struct block *
3029 gen_linktype(compiler_state_t *cstate, int proto)
3030 {
3031 struct block *b0, *b1, *b2;
3032 const char *description;
3033
3034 /* are we checking MPLS-encapsulated packets? */
3035 if (cstate->label_stack_depth > 0) {
3036 switch (proto) {
3037 case ETHERTYPE_IP:
3038 case PPP_IP:
3039 /* FIXME add other L3 proto IDs */
3040 return gen_mpls_linktype(cstate, Q_IP);
3041
3042 case ETHERTYPE_IPV6:
3043 case PPP_IPV6:
3044 /* FIXME add other L3 proto IDs */
3045 return gen_mpls_linktype(cstate, Q_IPV6);
3046
3047 default:
3048 bpf_error(cstate, "unsupported protocol over mpls");
3049 /* NOTREACHED */
3050 }
3051 }
3052
3053 switch (cstate->linktype) {
3054
3055 case DLT_EN10MB:
3056 case DLT_NETANALYZER:
3057 case DLT_NETANALYZER_TRANSPARENT:
3058 /* Geneve has an EtherType regardless of whether there is an
3059 * L2 header. */
3060 if (!cstate->is_geneve)
3061 b0 = gen_prevlinkhdr_check(cstate);
3062 else
3063 b0 = NULL;
3064
3065 b1 = gen_ether_linktype(cstate, proto);
3066 if (b0 != NULL)
3067 gen_and(b0, b1);
3068 return b1;
3069 /*NOTREACHED*/
3070 break;
3071
3072 case DLT_C_HDLC:
3073 switch (proto) {
3074
3075 case LLCSAP_ISONS:
3076 proto = (proto << 8 | LLCSAP_ISONS);
3077 /* fall through */
3078
3079 default:
3080 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3081 /*NOTREACHED*/
3082 break;
3083 }
3084 break;
3085
3086 case DLT_IEEE802_11:
3087 case DLT_PRISM_HEADER:
3088 case DLT_IEEE802_11_RADIO_AVS:
3089 case DLT_IEEE802_11_RADIO:
3090 case DLT_PPI:
3091 /*
3092 * Check that we have a data frame.
3093 */
3094 b0 = gen_check_802_11_data_frame(cstate);
3095
3096 /*
3097 * Now check for the specified link-layer type.
3098 */
3099 b1 = gen_llc_linktype(cstate, proto);
3100 gen_and(b0, b1);
3101 return b1;
3102 /*NOTREACHED*/
3103 break;
3104
3105 case DLT_FDDI:
3106 /*
3107 * XXX - check for LLC frames.
3108 */
3109 return gen_llc_linktype(cstate, proto);
3110 /*NOTREACHED*/
3111 break;
3112
3113 case DLT_IEEE802:
3114 /*
3115 * XXX - check for LLC PDUs, as per IEEE 802.5.
3116 */
3117 return gen_llc_linktype(cstate, proto);
3118 /*NOTREACHED*/
3119 break;
3120
3121 case DLT_ATM_RFC1483:
3122 case DLT_ATM_CLIP:
3123 case DLT_IP_OVER_FC:
3124 return gen_llc_linktype(cstate, proto);
3125 /*NOTREACHED*/
3126 break;
3127
3128 case DLT_SUNATM:
3129 /*
3130 * Check for an LLC-encapsulated version of this protocol;
3131 * if we were checking for LANE, linktype would no longer
3132 * be DLT_SUNATM.
3133 *
3134 * Check for LLC encapsulation and then check the protocol.
3135 */
3136 b0 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3137 b1 = gen_llc_linktype(cstate, proto);
3138 gen_and(b0, b1);
3139 return b1;
3140 /*NOTREACHED*/
3141 break;
3142
3143 case DLT_LINUX_SLL:
3144 return gen_linux_sll_linktype(cstate, proto);
3145 /*NOTREACHED*/
3146 break;
3147
3148 case DLT_SLIP:
3149 case DLT_SLIP_BSDOS:
3150 case DLT_RAW:
3151 /*
3152 * These types don't provide any type field; packets
3153 * are always IPv4 or IPv6.
3154 *
3155 * XXX - for IPv4, check for a version number of 4, and,
3156 * for IPv6, check for a version number of 6?
3157 */
3158 switch (proto) {
3159
3160 case ETHERTYPE_IP:
3161 /* Check for a version number of 4. */
3162 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3163
3164 case ETHERTYPE_IPV6:
3165 /* Check for a version number of 6. */
3166 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3167
3168 default:
3169 return gen_false(cstate); /* always false */
3170 }
3171 /*NOTREACHED*/
3172 break;
3173
3174 case DLT_IPV4:
3175 /*
3176 * Raw IPv4, so no type field.
3177 */
3178 if (proto == ETHERTYPE_IP)
3179 return gen_true(cstate); /* always true */
3180
3181 /* Checking for something other than IPv4; always false */
3182 return gen_false(cstate);
3183 /*NOTREACHED*/
3184 break;
3185
3186 case DLT_IPV6:
3187 /*
3188 * Raw IPv6, so no type field.
3189 */
3190 if (proto == ETHERTYPE_IPV6)
3191 return gen_true(cstate); /* always true */
3192
3193 /* Checking for something other than IPv6; always false */
3194 return gen_false(cstate);
3195 /*NOTREACHED*/
3196 break;
3197
3198 case DLT_PPP:
3199 case DLT_PPP_PPPD:
3200 case DLT_PPP_SERIAL:
3201 case DLT_PPP_ETHER:
3202 /*
3203 * We use Ethernet protocol types inside libpcap;
3204 * map them to the corresponding PPP protocol types.
3205 */
3206 proto = ethertype_to_ppptype(proto);
3207 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3208 /*NOTREACHED*/
3209 break;
3210
3211 case DLT_PPP_BSDOS:
3212 /*
3213 * We use Ethernet protocol types inside libpcap;
3214 * map them to the corresponding PPP protocol types.
3215 */
3216 switch (proto) {
3217
3218 case ETHERTYPE_IP:
3219 /*
3220 * Also check for Van Jacobson-compressed IP.
3221 * XXX - do this for other forms of PPP?
3222 */
3223 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3224 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3225 gen_or(b0, b1);
3226 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3227 gen_or(b1, b0);
3228 return b0;
3229
3230 default:
3231 proto = ethertype_to_ppptype(proto);
3232 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3233 (bpf_int32)proto);
3234 }
3235 /*NOTREACHED*/
3236 break;
3237
3238 case DLT_NULL:
3239 case DLT_LOOP:
3240 case DLT_ENC:
3241 switch (proto) {
3242
3243 case ETHERTYPE_IP:
3244 return (gen_loopback_linktype(cstate, AF_INET));
3245
3246 case ETHERTYPE_IPV6:
3247 /*
3248 * AF_ values may, unfortunately, be platform-
3249 * dependent; AF_INET isn't, because everybody
3250 * used 4.2BSD's value, but AF_INET6 is, because
3251 * 4.2BSD didn't have a value for it (given that
3252 * IPv6 didn't exist back in the early 1980's),
3253 * and they all picked their own values.
3254 *
3255 * This means that, if we're reading from a
3256 * savefile, we need to check for all the
3257 * possible values.
3258 *
3259 * If we're doing a live capture, we only need
3260 * to check for this platform's value; however,
3261 * Npcap uses 24, which isn't Windows's AF_INET6
3262 * value. (Given the multiple different values,
3263 * programs that read pcap files shouldn't be
3264 * checking for their platform's AF_INET6 value
3265 * anyway, they should check for all of the
3266 * possible values. and they might as well do
3267 * that even for live captures.)
3268 */
3269 if (cstate->bpf_pcap->rfile != NULL) {
3270 /*
3271 * Savefile - check for all three
3272 * possible IPv6 values.
3273 */
3274 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3275 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3276 gen_or(b0, b1);
3277 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3278 gen_or(b0, b1);
3279 return (b1);
3280 } else {
3281 /*
3282 * Live capture, so we only need to
3283 * check for the value used on this
3284 * platform.
3285 */
3286 #ifdef _WIN32
3287 /*
3288 * Npcap doesn't use Windows's AF_INET6,
3289 * as that collides with AF_IPX on
3290 * some BSDs (both have the value 23).
3291 * Instead, it uses 24.
3292 */
3293 return (gen_loopback_linktype(cstate, 24));
3294 #else /* _WIN32 */
3295 #ifdef AF_INET6
3296 return (gen_loopback_linktype(cstate, AF_INET6));
3297 #else /* AF_INET6 */
3298 /*
3299 * I guess this platform doesn't support
3300 * IPv6, so we just reject all packets.
3301 */
3302 return gen_false(cstate);
3303 #endif /* AF_INET6 */
3304 #endif /* _WIN32 */
3305 }
3306
3307 default:
3308 /*
3309 * Not a type on which we support filtering.
3310 * XXX - support those that have AF_ values
3311 * #defined on this platform, at least?
3312 */
3313 return gen_false(cstate);
3314 }
3315
3316 #ifdef HAVE_NET_PFVAR_H
3317 case DLT_PFLOG:
3318 /*
3319 * af field is host byte order in contrast to the rest of
3320 * the packet.
3321 */
3322 if (proto == ETHERTYPE_IP)
3323 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3324 BPF_B, (bpf_int32)AF_INET));
3325 else if (proto == ETHERTYPE_IPV6)
3326 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3327 BPF_B, (bpf_int32)AF_INET6));
3328 else
3329 return gen_false(cstate);
3330 /*NOTREACHED*/
3331 break;
3332 #endif /* HAVE_NET_PFVAR_H */
3333
3334 case DLT_ARCNET:
3335 case DLT_ARCNET_LINUX:
3336 /*
3337 * XXX should we check for first fragment if the protocol
3338 * uses PHDS?
3339 */
3340 switch (proto) {
3341
3342 default:
3343 return gen_false(cstate);
3344
3345 case ETHERTYPE_IPV6:
3346 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3347 (bpf_int32)ARCTYPE_INET6));
3348
3349 case ETHERTYPE_IP:
3350 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3351 (bpf_int32)ARCTYPE_IP);
3352 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3353 (bpf_int32)ARCTYPE_IP_OLD);
3354 gen_or(b0, b1);
3355 return (b1);
3356
3357 case ETHERTYPE_ARP:
3358 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3359 (bpf_int32)ARCTYPE_ARP);
3360 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3361 (bpf_int32)ARCTYPE_ARP_OLD);
3362 gen_or(b0, b1);
3363 return (b1);
3364
3365 case ETHERTYPE_REVARP:
3366 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3367 (bpf_int32)ARCTYPE_REVARP));
3368
3369 case ETHERTYPE_ATALK:
3370 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3371 (bpf_int32)ARCTYPE_ATALK));
3372 }
3373 /*NOTREACHED*/
3374 break;
3375
3376 case DLT_LTALK:
3377 switch (proto) {
3378 case ETHERTYPE_ATALK:
3379 return gen_true(cstate);
3380 default:
3381 return gen_false(cstate);
3382 }
3383 /*NOTREACHED*/
3384 break;
3385
3386 case DLT_FRELAY:
3387 /*
3388 * XXX - assumes a 2-byte Frame Relay header with
3389 * DLCI and flags. What if the address is longer?
3390 */
3391 switch (proto) {
3392
3393 case ETHERTYPE_IP:
3394 /*
3395 * Check for the special NLPID for IP.
3396 */
3397 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3398
3399 case ETHERTYPE_IPV6:
3400 /*
3401 * Check for the special NLPID for IPv6.
3402 */
3403 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3404
3405 case LLCSAP_ISONS:
3406 /*
3407 * Check for several OSI protocols.
3408 *
3409 * Frame Relay packets typically have an OSI
3410 * NLPID at the beginning; we check for each
3411 * of them.
3412 *
3413 * What we check for is the NLPID and a frame
3414 * control field of UI, i.e. 0x03 followed
3415 * by the NLPID.
3416 */
3417 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3418 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3419 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3420 gen_or(b1, b2);
3421 gen_or(b0, b2);
3422 return b2;
3423
3424 default:
3425 return gen_false(cstate);
3426 }
3427 /*NOTREACHED*/
3428 break;
3429
3430 case DLT_MFR:
3431 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented");
3432
3433 case DLT_JUNIPER_MFR:
3434 case DLT_JUNIPER_MLFR:
3435 case DLT_JUNIPER_MLPPP:
3436 case DLT_JUNIPER_ATM1:
3437 case DLT_JUNIPER_ATM2:
3438 case DLT_JUNIPER_PPPOE:
3439 case DLT_JUNIPER_PPPOE_ATM:
3440 case DLT_JUNIPER_GGSN:
3441 case DLT_JUNIPER_ES:
3442 case DLT_JUNIPER_MONITOR:
3443 case DLT_JUNIPER_SERVICES:
3444 case DLT_JUNIPER_ETHER:
3445 case DLT_JUNIPER_PPP:
3446 case DLT_JUNIPER_FRELAY:
3447 case DLT_JUNIPER_CHDLC:
3448 case DLT_JUNIPER_VP:
3449 case DLT_JUNIPER_ST:
3450 case DLT_JUNIPER_ISM:
3451 case DLT_JUNIPER_VS:
3452 case DLT_JUNIPER_SRX_E2E:
3453 case DLT_JUNIPER_FIBRECHANNEL:
3454 case DLT_JUNIPER_ATM_CEMIC:
3455
3456 /* just lets verify the magic number for now -
3457 * on ATM we may have up to 6 different encapsulations on the wire
3458 * and need a lot of heuristics to figure out that the payload
3459 * might be;
3460 *
3461 * FIXME encapsulation specific BPF_ filters
3462 */
3463 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3464
3465 case DLT_BACNET_MS_TP:
3466 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3467
3468 case DLT_IPNET:
3469 return gen_ipnet_linktype(cstate, proto);
3470
3471 case DLT_LINUX_IRDA:
3472 bpf_error(cstate, "IrDA link-layer type filtering not implemented");
3473
3474 case DLT_DOCSIS:
3475 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented");
3476
3477 case DLT_MTP2:
3478 case DLT_MTP2_WITH_PHDR:
3479 bpf_error(cstate, "MTP2 link-layer type filtering not implemented");
3480
3481 case DLT_ERF:
3482 bpf_error(cstate, "ERF link-layer type filtering not implemented");
3483
3484 case DLT_PFSYNC:
3485 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented");
3486
3487 case DLT_LINUX_LAPD:
3488 bpf_error(cstate, "LAPD link-layer type filtering not implemented");
3489
3490 case DLT_USB_FREEBSD:
3491 case DLT_USB_LINUX:
3492 case DLT_USB_LINUX_MMAPPED:
3493 case DLT_USBPCAP:
3494 bpf_error(cstate, "USB link-layer type filtering not implemented");
3495
3496 case DLT_BLUETOOTH_HCI_H4:
3497 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3498 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented");
3499
3500 case DLT_CAN20B:
3501 case DLT_CAN_SOCKETCAN:
3502 bpf_error(cstate, "CAN link-layer type filtering not implemented");
3503
3504 case DLT_IEEE802_15_4:
3505 case DLT_IEEE802_15_4_LINUX:
3506 case DLT_IEEE802_15_4_NONASK_PHY:
3507 case DLT_IEEE802_15_4_NOFCS:
3508 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented");
3509
3510 case DLT_IEEE802_16_MAC_CPS_RADIO:
3511 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented");
3512
3513 case DLT_SITA:
3514 bpf_error(cstate, "SITA link-layer type filtering not implemented");
3515
3516 case DLT_RAIF1:
3517 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented");
3518
3519 case DLT_IPMB:
3520 bpf_error(cstate, "IPMB link-layer type filtering not implemented");
3521
3522 case DLT_AX25_KISS:
3523 bpf_error(cstate, "AX.25 link-layer type filtering not implemented");
3524
3525 case DLT_NFLOG:
3526 /* Using the fixed-size NFLOG header it is possible to tell only
3527 * the address family of the packet, other meaningful data is
3528 * either missing or behind TLVs.
3529 */
3530 bpf_error(cstate, "NFLOG link-layer type filtering not implemented");
3531
3532 default:
3533 /*
3534 * Does this link-layer header type have a field
3535 * indicating the type of the next protocol? If
3536 * so, off_linktype.constant_part will be the offset of that
3537 * field in the packet; if not, it will be OFFSET_NOT_SET.
3538 */
3539 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
3540 /*
3541 * Yes; assume it's an Ethernet type. (If
3542 * it's not, it needs to be handled specially
3543 * above.)
3544 */
3545 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, (bpf_int32)proto);
3546 } else {
3547 /*
3548 * No; report an error.
3549 */
3550 description = pcap_datalink_val_to_description(cstate->linktype);
3551 if (description != NULL) {
3552 bpf_error(cstate, "%s link-layer type filtering not implemented",
3553 description);
3554 } else {
3555 bpf_error(cstate, "DLT %u link-layer type filtering not implemented",
3556 cstate->linktype);
3557 }
3558 }
3559 break;
3560 }
3561 }
3562
3563 /*
3564 * Check for an LLC SNAP packet with a given organization code and
3565 * protocol type; we check the entire contents of the 802.2 LLC and
3566 * snap headers, checking for DSAP and SSAP of SNAP and a control
3567 * field of 0x03 in the LLC header, and for the specified organization
3568 * code and protocol type in the SNAP header.
3569 */
3570 static struct block *
3571 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
3572 {
3573 u_char snapblock[8];
3574
3575 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3576 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3577 snapblock[2] = 0x03; /* control = UI */
3578 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
3579 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
3580 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
3581 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
3582 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
3583 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
3584 }
3585
3586 /*
3587 * Generate code to match frames with an LLC header.
3588 */
3589 struct block *
3590 gen_llc(compiler_state_t *cstate)
3591 {
3592 struct block *b0, *b1;
3593
3594 switch (cstate->linktype) {
3595
3596 case DLT_EN10MB:
3597 /*
3598 * We check for an Ethernet type field less than
3599 * 1500, which means it's an 802.3 length field.
3600 */
3601 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3602 gen_not(b0);
3603
3604 /*
3605 * Now check for the purported DSAP and SSAP not being
3606 * 0xFF, to rule out NetWare-over-802.3.
3607 */
3608 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_int32)0xFFFF);
3609 gen_not(b1);
3610 gen_and(b0, b1);
3611 return b1;
3612
3613 case DLT_SUNATM:
3614 /*
3615 * We check for LLC traffic.
3616 */
3617 b0 = gen_atmtype_abbrev(cstate, A_LLC);
3618 return b0;
3619
3620 case DLT_IEEE802: /* Token Ring */
3621 /*
3622 * XXX - check for LLC frames.
3623 */
3624 return gen_true(cstate);
3625
3626 case DLT_FDDI:
3627 /*
3628 * XXX - check for LLC frames.
3629 */
3630 return gen_true(cstate);
3631
3632 case DLT_ATM_RFC1483:
3633 /*
3634 * For LLC encapsulation, these are defined to have an
3635 * 802.2 LLC header.
3636 *
3637 * For VC encapsulation, they don't, but there's no
3638 * way to check for that; the protocol used on the VC
3639 * is negotiated out of band.
3640 */
3641 return gen_true(cstate);
3642
3643 case DLT_IEEE802_11:
3644 case DLT_PRISM_HEADER:
3645 case DLT_IEEE802_11_RADIO:
3646 case DLT_IEEE802_11_RADIO_AVS:
3647 case DLT_PPI:
3648 /*
3649 * Check that we have a data frame.
3650 */
3651 b0 = gen_check_802_11_data_frame(cstate);
3652 return b0;
3653
3654 default:
3655 bpf_error(cstate, "'llc' not supported for linktype %d", cstate->linktype);
3656 /* NOTREACHED */
3657 }
3658 }
3659
3660 struct block *
3661 gen_llc_i(compiler_state_t *cstate)
3662 {
3663 struct block *b0, *b1;
3664 struct slist *s;
3665
3666 /*
3667 * Check whether this is an LLC frame.
3668 */
3669 b0 = gen_llc(cstate);
3670
3671 /*
3672 * Load the control byte and test the low-order bit; it must
3673 * be clear for I frames.
3674 */
3675 s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
3676 b1 = new_block(cstate, JMP(BPF_JSET));
3677 b1->s.k = 0x01;
3678 b1->stmts = s;
3679 gen_not(b1);
3680 gen_and(b0, b1);
3681 return b1;
3682 }
3683
3684 struct block *
3685 gen_llc_s(compiler_state_t *cstate)
3686 {
3687 struct block *b0, *b1;
3688
3689 /*
3690 * Check whether this is an LLC frame.
3691 */
3692 b0 = gen_llc(cstate);
3693
3694 /*
3695 * Now compare the low-order 2 bit of the control byte against
3696 * the appropriate value for S frames.
3697 */
3698 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3699 gen_and(b0, b1);
3700 return b1;
3701 }
3702
3703 struct block *
3704 gen_llc_u(compiler_state_t *cstate)
3705 {
3706 struct block *b0, *b1;
3707
3708 /*
3709 * Check whether this is an LLC frame.
3710 */
3711 b0 = gen_llc(cstate);
3712
3713 /*
3714 * Now compare the low-order 2 bit of the control byte against
3715 * the appropriate value for U frames.
3716 */
3717 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3718 gen_and(b0, b1);
3719 return b1;
3720 }
3721
3722 struct block *
3723 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3724 {
3725 struct block *b0, *b1;
3726
3727 /*
3728 * Check whether this is an LLC frame.
3729 */
3730 b0 = gen_llc(cstate);
3731
3732 /*
3733 * Now check for an S frame with the appropriate type.
3734 */
3735 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3736 gen_and(b0, b1);
3737 return b1;
3738 }
3739
3740 struct block *
3741 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3742 {
3743 struct block *b0, *b1;
3744
3745 /*
3746 * Check whether this is an LLC frame.
3747 */
3748 b0 = gen_llc(cstate);
3749
3750 /*
3751 * Now check for a U frame with the appropriate type.
3752 */
3753 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3754 gen_and(b0, b1);
3755 return b1;
3756 }
3757
3758 /*
3759 * Generate code to match a particular packet type, for link-layer types
3760 * using 802.2 LLC headers.
3761 *
3762 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3763 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3764 *
3765 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3766 * value, if <= ETHERMTU. We use that to determine whether to
3767 * match the DSAP or both DSAP and LSAP or to check the OUI and
3768 * protocol ID in a SNAP header.
3769 */
3770 static struct block *
3771 gen_llc_linktype(compiler_state_t *cstate, int proto)
3772 {
3773 /*
3774 * XXX - handle token-ring variable-length header.
3775 */
3776 switch (proto) {
3777
3778 case LLCSAP_IP:
3779 case LLCSAP_ISONS:
3780 case LLCSAP_NETBEUI:
3781 /*
3782 * XXX - should we check both the DSAP and the
3783 * SSAP, like this, or should we check just the
3784 * DSAP, as we do for other SAP values?
3785 */
3786 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
3787 ((proto << 8) | proto));
3788
3789 case LLCSAP_IPX:
3790 /*
3791 * XXX - are there ever SNAP frames for IPX on
3792 * non-Ethernet 802.x networks?
3793 */
3794 return gen_cmp(cstate, OR_LLC, 0, BPF_B,
3795 (bpf_int32)LLCSAP_IPX);
3796
3797 case ETHERTYPE_ATALK:
3798 /*
3799 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3800 * SNAP packets with an organization code of
3801 * 0x080007 (Apple, for Appletalk) and a protocol
3802 * type of ETHERTYPE_ATALK (Appletalk).
3803 *
3804 * XXX - check for an organization code of
3805 * encapsulated Ethernet as well?
3806 */
3807 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
3808
3809 default:
3810 /*
3811 * XXX - we don't have to check for IPX 802.3
3812 * here, but should we check for the IPX Ethertype?
3813 */
3814 if (proto <= ETHERMTU) {
3815 /*
3816 * This is an LLC SAP value, so check
3817 * the DSAP.
3818 */
3819 return gen_cmp(cstate, OR_LLC, 0, BPF_B, (bpf_int32)proto);
3820 } else {
3821 /*
3822 * This is an Ethernet type; we assume that it's
3823 * unlikely that it'll appear in the right place
3824 * at random, and therefore check only the
3825 * location that would hold the Ethernet type
3826 * in a SNAP frame with an organization code of
3827 * 0x000000 (encapsulated Ethernet).
3828 *
3829 * XXX - if we were to check for the SNAP DSAP and
3830 * LSAP, as per XXX, and were also to check for an
3831 * organization code of 0x000000 (encapsulated
3832 * Ethernet), we'd do
3833 *
3834 * return gen_snap(cstate, 0x000000, proto);
3835 *
3836 * here; for now, we don't, as per the above.
3837 * I don't know whether it's worth the extra CPU
3838 * time to do the right check or not.
3839 */
3840 return gen_cmp(cstate, OR_LLC, 6, BPF_H, (bpf_int32)proto);
3841 }
3842 }
3843 }
3844
3845 static struct block *
3846 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
3847 int dir, int proto, u_int src_off, u_int dst_off)
3848 {
3849 struct block *b0, *b1;
3850 u_int offset;
3851
3852 switch (dir) {
3853
3854 case Q_SRC:
3855 offset = src_off;
3856 break;
3857
3858 case Q_DST:
3859 offset = dst_off;
3860 break;
3861
3862 case Q_AND:
3863 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3864 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3865 gen_and(b0, b1);
3866 return b1;
3867
3868 case Q_OR:
3869 case Q_DEFAULT:
3870 b0 = gen_hostop(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3871 b1 = gen_hostop(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3872 gen_or(b0, b1);
3873 return b1;
3874
3875 default:
3876 abort();
3877 }
3878 b0 = gen_linktype(cstate, proto);
3879 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, (bpf_int32)addr, mask);
3880 gen_and(b0, b1);
3881 return b1;
3882 }
3883
3884 #ifdef INET6
3885 static struct block *
3886 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
3887 struct in6_addr *mask, int dir, int proto, u_int src_off, u_int dst_off)
3888 {
3889 struct block *b0, *b1;
3890 u_int offset;
3891 uint32_t *a, *m;
3892
3893 switch (dir) {
3894
3895 case Q_SRC:
3896 offset = src_off;
3897 break;
3898
3899 case Q_DST:
3900 offset = dst_off;
3901 break;
3902
3903 case Q_AND:
3904 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3905 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3906 gen_and(b0, b1);
3907 return b1;
3908
3909 case Q_OR:
3910 case Q_DEFAULT:
3911 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, proto, src_off, dst_off);
3912 b1 = gen_hostop6(cstate, addr, mask, Q_DST, proto, src_off, dst_off);
3913 gen_or(b0, b1);
3914 return b1;
3915
3916 default:
3917 abort();
3918 }
3919 /* this order is important */
3920 a = (uint32_t *)addr;
3921 m = (uint32_t *)mask;
3922 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
3923 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
3924 gen_and(b0, b1);
3925 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
3926 gen_and(b0, b1);
3927 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
3928 gen_and(b0, b1);
3929 b0 = gen_linktype(cstate, proto);
3930 gen_and(b0, b1);
3931 return b1;
3932 }
3933 #endif
3934
3935 static struct block *
3936 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
3937 {
3938 register struct block *b0, *b1;
3939
3940 switch (dir) {
3941 case Q_SRC:
3942 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
3943
3944 case Q_DST:
3945 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
3946
3947 case Q_AND:
3948 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
3949 b1 = gen_ehostop(cstate, eaddr, Q_DST);
3950 gen_and(b0, b1);
3951 return b1;
3952
3953 case Q_DEFAULT:
3954 case Q_OR:
3955 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
3956 b1 = gen_ehostop(cstate, eaddr, Q_DST);
3957 gen_or(b0, b1);
3958 return b1;
3959
3960 case Q_ADDR1:
3961 bpf_error(cstate, "'addr1' is only supported on 802.11 with 802.11 headers");
3962 break;
3963
3964 case Q_ADDR2:
3965 bpf_error(cstate, "'addr2' is only supported on 802.11 with 802.11 headers");
3966 break;
3967
3968 case Q_ADDR3:
3969 bpf_error(cstate, "'addr3' is only supported on 802.11 with 802.11 headers");
3970 break;
3971
3972 case Q_ADDR4:
3973 bpf_error(cstate, "'addr4' is only supported on 802.11 with 802.11 headers");
3974 break;
3975
3976 case Q_RA:
3977 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers");
3978 break;
3979
3980 case Q_TA:
3981 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers");
3982 break;
3983 }
3984 abort();
3985 /* NOTREACHED */
3986 }
3987
3988 /*
3989 * Like gen_ehostop, but for DLT_FDDI
3990 */
3991 static struct block *
3992 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
3993 {
3994 struct block *b0, *b1;
3995
3996 switch (dir) {
3997 case Q_SRC:
3998 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
3999
4000 case Q_DST:
4001 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4002
4003 case Q_AND:
4004 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4005 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4006 gen_and(b0, b1);
4007 return b1;
4008
4009 case Q_DEFAULT:
4010 case Q_OR:
4011 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4012 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4013 gen_or(b0, b1);
4014 return b1;
4015
4016 case Q_ADDR1:
4017 bpf_error(cstate, "'addr1' is only supported on 802.11");
4018 break;
4019
4020 case Q_ADDR2:
4021 bpf_error(cstate, "'addr2' is only supported on 802.11");
4022 break;
4023
4024 case Q_ADDR3:
4025 bpf_error(cstate, "'addr3' is only supported on 802.11");
4026 break;
4027
4028 case Q_ADDR4:
4029 bpf_error(cstate, "'addr4' is only supported on 802.11");
4030 break;
4031
4032 case Q_RA:
4033 bpf_error(cstate, "'ra' is only supported on 802.11");
4034 break;
4035
4036 case Q_TA:
4037 bpf_error(cstate, "'ta' is only supported on 802.11");
4038 break;
4039 }
4040 abort();
4041 /* NOTREACHED */
4042 }
4043
4044 /*
4045 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4046 */
4047 static struct block *
4048 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4049 {
4050 register struct block *b0, *b1;
4051
4052 switch (dir) {
4053 case Q_SRC:
4054 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4055
4056 case Q_DST:
4057 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4058
4059 case Q_AND:
4060 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4061 b1 = gen_thostop(cstate, eaddr, Q_DST);
4062 gen_and(b0, b1);
4063 return b1;
4064
4065 case Q_DEFAULT:
4066 case Q_OR:
4067 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4068 b1 = gen_thostop(cstate, eaddr, Q_DST);
4069 gen_or(b0, b1);
4070 return b1;
4071
4072 case Q_ADDR1:
4073 bpf_error(cstate, "'addr1' is only supported on 802.11");
4074 break;
4075
4076 case Q_ADDR2:
4077 bpf_error(cstate, "'addr2' is only supported on 802.11");
4078 break;
4079
4080 case Q_ADDR3:
4081 bpf_error(cstate, "'addr3' is only supported on 802.11");
4082 break;
4083
4084 case Q_ADDR4:
4085 bpf_error(cstate, "'addr4' is only supported on 802.11");
4086 break;
4087
4088 case Q_RA:
4089 bpf_error(cstate, "'ra' is only supported on 802.11");
4090 break;
4091
4092 case Q_TA:
4093 bpf_error(cstate, "'ta' is only supported on 802.11");
4094 break;
4095 }
4096 abort();
4097 /* NOTREACHED */
4098 }
4099
4100 /*
4101 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4102 * various 802.11 + radio headers.
4103 */
4104 static struct block *
4105 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4106 {
4107 register struct block *b0, *b1, *b2;
4108 register struct slist *s;
4109
4110 #ifdef ENABLE_WLAN_FILTERING_PATCH
4111 /*
4112 * TODO GV 20070613
4113 * We need to disable the optimizer because the optimizer is buggy
4114 * and wipes out some LD instructions generated by the below
4115 * code to validate the Frame Control bits
4116 */
4117 cstate->no_optimize = 1;
4118 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4119
4120 switch (dir) {
4121 case Q_SRC:
4122 /*
4123 * Oh, yuk.
4124 *
4125 * For control frames, there is no SA.
4126 *
4127 * For management frames, SA is at an
4128 * offset of 10 from the beginning of
4129 * the packet.
4130 *
4131 * For data frames, SA is at an offset
4132 * of 10 from the beginning of the packet
4133 * if From DS is clear, at an offset of
4134 * 16 from the beginning of the packet
4135 * if From DS is set and To DS is clear,
4136 * and an offset of 24 from the beginning
4137 * of the packet if From DS is set and To DS
4138 * is set.
4139 */
4140
4141 /*
4142 * Generate the tests to be done for data frames
4143 * with From DS set.
4144 *
4145 * First, check for To DS set, i.e. check "link[1] & 0x01".
4146 */
4147 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4148 b1 = new_block(cstate, JMP(BPF_JSET));
4149 b1->s.k = 0x01; /* To DS */
4150 b1->stmts = s;
4151
4152 /*
4153 * If To DS is set, the SA is at 24.
4154 */
4155 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4156 gen_and(b1, b0);
4157
4158 /*
4159 * Now, check for To DS not set, i.e. check
4160 * "!(link[1] & 0x01)".
4161 */
4162 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4163 b2 = new_block(cstate, JMP(BPF_JSET));
4164 b2->s.k = 0x01; /* To DS */
4165 b2->stmts = s;
4166 gen_not(b2);
4167
4168 /*
4169 * If To DS is not set, the SA is at 16.
4170 */
4171 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4172 gen_and(b2, b1);
4173
4174 /*
4175 * Now OR together the last two checks. That gives
4176 * the complete set of checks for data frames with
4177 * From DS set.
4178 */
4179 gen_or(b1, b0);
4180
4181 /*
4182 * Now check for From DS being set, and AND that with
4183 * the ORed-together checks.
4184 */
4185 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4186 b1 = new_block(cstate, JMP(BPF_JSET));
4187 b1->s.k = 0x02; /* From DS */
4188 b1->stmts = s;
4189 gen_and(b1, b0);
4190
4191 /*
4192 * Now check for data frames with From DS not set.
4193 */
4194 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4195 b2 = new_block(cstate, JMP(BPF_JSET));
4196 b2->s.k = 0x02; /* From DS */
4197 b2->stmts = s;
4198 gen_not(b2);
4199
4200 /*
4201 * If From DS isn't set, the SA is at 10.
4202 */
4203 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4204 gen_and(b2, b1);
4205
4206 /*
4207 * Now OR together the checks for data frames with
4208 * From DS not set and for data frames with From DS
4209 * set; that gives the checks done for data frames.
4210 */
4211 gen_or(b1, b0);
4212
4213 /*
4214 * Now check for a data frame.
4215 * I.e, check "link[0] & 0x08".
4216 */
4217 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4218 b1 = new_block(cstate, JMP(BPF_JSET));
4219 b1->s.k = 0x08;
4220 b1->stmts = s;
4221
4222 /*
4223 * AND that with the checks done for data frames.
4224 */
4225 gen_and(b1, b0);
4226
4227 /*
4228 * If the high-order bit of the type value is 0, this
4229 * is a management frame.
4230 * I.e, check "!(link[0] & 0x08)".
4231 */
4232 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4233 b2 = new_block(cstate, JMP(BPF_JSET));
4234 b2->s.k = 0x08;
4235 b2->stmts = s;
4236 gen_not(b2);
4237
4238 /*
4239 * For management frames, the SA is at 10.
4240 */
4241 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4242 gen_and(b2, b1);
4243
4244 /*
4245 * OR that with the checks done for data frames.
4246 * That gives the checks done for management and
4247 * data frames.
4248 */
4249 gen_or(b1, b0);
4250
4251 /*
4252 * If the low-order bit of the type value is 1,
4253 * this is either a control frame or a frame
4254 * with a reserved type, and thus not a
4255 * frame with an SA.
4256 *
4257 * I.e., check "!(link[0] & 0x04)".
4258 */
4259 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4260 b1 = new_block(cstate, JMP(BPF_JSET));
4261 b1->s.k = 0x04;
4262 b1->stmts = s;
4263 gen_not(b1);
4264
4265 /*
4266 * AND that with the checks for data and management
4267 * frames.
4268 */
4269 gen_and(b1, b0);
4270 return b0;
4271
4272 case Q_DST:
4273 /*
4274 * Oh, yuk.
4275 *
4276 * For control frames, there is no DA.
4277 *
4278 * For management frames, DA is at an
4279 * offset of 4 from the beginning of
4280 * the packet.
4281 *
4282 * For data frames, DA is at an offset
4283 * of 4 from the beginning of the packet
4284 * if To DS is clear and at an offset of
4285 * 16 from the beginning of the packet
4286 * if To DS is set.
4287 */
4288
4289 /*
4290 * Generate the tests to be done for data frames.
4291 *
4292 * First, check for To DS set, i.e. "link[1] & 0x01".
4293 */
4294 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4295 b1 = new_block(cstate, JMP(BPF_JSET));
4296 b1->s.k = 0x01; /* To DS */
4297 b1->stmts = s;
4298
4299 /*
4300 * If To DS is set, the DA is at 16.
4301 */
4302 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4303 gen_and(b1, b0);
4304
4305 /*
4306 * Now, check for To DS not set, i.e. check
4307 * "!(link[1] & 0x01)".
4308 */
4309 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4310 b2 = new_block(cstate, JMP(BPF_JSET));
4311 b2->s.k = 0x01; /* To DS */
4312 b2->stmts = s;
4313 gen_not(b2);
4314
4315 /*
4316 * If To DS is not set, the DA is at 4.
4317 */
4318 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4319 gen_and(b2, b1);
4320
4321 /*
4322 * Now OR together the last two checks. That gives
4323 * the complete set of checks for data frames.
4324 */
4325 gen_or(b1, b0);
4326
4327 /*
4328 * Now check for a data frame.
4329 * I.e, check "link[0] & 0x08".
4330 */
4331 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4332 b1 = new_block(cstate, JMP(BPF_JSET));
4333 b1->s.k = 0x08;
4334 b1->stmts = s;
4335
4336 /*
4337 * AND that with the checks done for data frames.
4338 */
4339 gen_and(b1, b0);
4340
4341 /*
4342 * If the high-order bit of the type value is 0, this
4343 * is a management frame.
4344 * I.e, check "!(link[0] & 0x08)".
4345 */
4346 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4347 b2 = new_block(cstate, JMP(BPF_JSET));
4348 b2->s.k = 0x08;
4349 b2->stmts = s;
4350 gen_not(b2);
4351
4352 /*
4353 * For management frames, the DA is at 4.
4354 */
4355 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4356 gen_and(b2, b1);
4357
4358 /*
4359 * OR that with the checks done for data frames.
4360 * That gives the checks done for management and
4361 * data frames.
4362 */
4363 gen_or(b1, b0);
4364
4365 /*
4366 * If the low-order bit of the type value is 1,
4367 * this is either a control frame or a frame
4368 * with a reserved type, and thus not a
4369 * frame with an SA.
4370 *
4371 * I.e., check "!(link[0] & 0x04)".
4372 */
4373 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4374 b1 = new_block(cstate, JMP(BPF_JSET));
4375 b1->s.k = 0x04;
4376 b1->stmts = s;
4377 gen_not(b1);
4378
4379 /*
4380 * AND that with the checks for data and management
4381 * frames.
4382 */
4383 gen_and(b1, b0);
4384 return b0;
4385
4386 case Q_RA:
4387 /*
4388 * Not present in management frames; addr1 in other
4389 * frames.
4390 */
4391
4392 /*
4393 * If the high-order bit of the type value is 0, this
4394 * is a management frame.
4395 * I.e, check "(link[0] & 0x08)".
4396 */
4397 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4398 b1 = new_block(cstate, JMP(BPF_JSET));
4399 b1->s.k = 0x08;
4400 b1->stmts = s;
4401
4402 /*
4403 * Check addr1.
4404 */
4405 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4406
4407 /*
4408 * AND that with the check of addr1.
4409 */
4410 gen_and(b1, b0);
4411 return (b0);
4412
4413 case Q_TA:
4414 /*
4415 * Not present in management frames; addr2, if present,
4416 * in other frames.
4417 */
4418
4419 /*
4420 * Not present in CTS or ACK control frames.
4421 */
4422 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4423 IEEE80211_FC0_TYPE_MASK);
4424 gen_not(b0);
4425 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4426 IEEE80211_FC0_SUBTYPE_MASK);
4427 gen_not(b1);
4428 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4429 IEEE80211_FC0_SUBTYPE_MASK);
4430 gen_not(b2);
4431 gen_and(b1, b2);
4432 gen_or(b0, b2);
4433
4434 /*
4435 * If the high-order bit of the type value is 0, this
4436 * is a management frame.
4437 * I.e, check "(link[0] & 0x08)".
4438 */
4439 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4440 b1 = new_block(cstate, JMP(BPF_JSET));
4441 b1->s.k = 0x08;
4442 b1->stmts = s;
4443
4444 /*
4445 * AND that with the check for frames other than
4446 * CTS and ACK frames.
4447 */
4448 gen_and(b1, b2);
4449
4450 /*
4451 * Check addr2.
4452 */
4453 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4454 gen_and(b2, b1);
4455 return b1;
4456
4457 /*
4458 * XXX - add BSSID keyword?
4459 */
4460 case Q_ADDR1:
4461 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4462
4463 case Q_ADDR2:
4464 /*
4465 * Not present in CTS or ACK control frames.
4466 */
4467 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4468 IEEE80211_FC0_TYPE_MASK);
4469 gen_not(b0);
4470 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4471 IEEE80211_FC0_SUBTYPE_MASK);
4472 gen_not(b1);
4473 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4474 IEEE80211_FC0_SUBTYPE_MASK);
4475 gen_not(b2);
4476 gen_and(b1, b2);
4477 gen_or(b0, b2);
4478 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4479 gen_and(b2, b1);
4480 return b1;
4481
4482 case Q_ADDR3:
4483 /*
4484 * Not present in control frames.
4485 */
4486 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4487 IEEE80211_FC0_TYPE_MASK);
4488 gen_not(b0);
4489 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4490 gen_and(b0, b1);
4491 return b1;
4492
4493 case Q_ADDR4:
4494 /*
4495 * Present only if the direction mask has both "From DS"
4496 * and "To DS" set. Neither control frames nor management
4497 * frames should have both of those set, so we don't
4498 * check the frame type.
4499 */
4500 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4501 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4502 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4503 gen_and(b0, b1);
4504 return b1;
4505
4506 case Q_AND:
4507 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4508 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4509 gen_and(b0, b1);
4510 return b1;
4511
4512 case Q_DEFAULT:
4513 case Q_OR:
4514 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4515 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4516 gen_or(b0, b1);
4517 return b1;
4518 }
4519 abort();
4520 /* NOTREACHED */
4521 }
4522
4523 /*
4524 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4525 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4526 * as the RFC states.)
4527 */
4528 static struct block *
4529 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4530 {
4531 register struct block *b0, *b1;
4532
4533 switch (dir) {
4534 case Q_SRC:
4535 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4536
4537 case Q_DST:
4538 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4539
4540 case Q_AND:
4541 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4542 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4543 gen_and(b0, b1);
4544 return b1;
4545
4546 case Q_DEFAULT:
4547 case Q_OR:
4548 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4549 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4550 gen_or(b0, b1);
4551 return b1;
4552
4553 case Q_ADDR1:
4554 bpf_error(cstate, "'addr1' is only supported on 802.11");
4555 break;
4556
4557 case Q_ADDR2:
4558 bpf_error(cstate, "'addr2' is only supported on 802.11");
4559 break;
4560
4561 case Q_ADDR3:
4562 bpf_error(cstate, "'addr3' is only supported on 802.11");
4563 break;
4564
4565 case Q_ADDR4:
4566 bpf_error(cstate, "'addr4' is only supported on 802.11");
4567 break;
4568
4569 case Q_RA:
4570 bpf_error(cstate, "'ra' is only supported on 802.11");
4571 break;
4572
4573 case Q_TA:
4574 bpf_error(cstate, "'ta' is only supported on 802.11");
4575 break;
4576 }
4577 abort();
4578 /* NOTREACHED */
4579 }
4580
4581 /*
4582 * This is quite tricky because there may be pad bytes in front of the
4583 * DECNET header, and then there are two possible data packet formats that
4584 * carry both src and dst addresses, plus 5 packet types in a format that
4585 * carries only the src node, plus 2 types that use a different format and
4586 * also carry just the src node.
4587 *
4588 * Yuck.
4589 *
4590 * Instead of doing those all right, we just look for data packets with
4591 * 0 or 1 bytes of padding. If you want to look at other packets, that
4592 * will require a lot more hacking.
4593 *
4594 * To add support for filtering on DECNET "areas" (network numbers)
4595 * one would want to add a "mask" argument to this routine. That would
4596 * make the filter even more inefficient, although one could be clever
4597 * and not generate masking instructions if the mask is 0xFFFF.
4598 */
4599 static struct block *
4600 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
4601 {
4602 struct block *b0, *b1, *b2, *tmp;
4603 u_int offset_lh; /* offset if long header is received */
4604 u_int offset_sh; /* offset if short header is received */
4605
4606 switch (dir) {
4607
4608 case Q_DST:
4609 offset_sh = 1; /* follows flags */
4610 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4611 break;
4612
4613 case Q_SRC:
4614 offset_sh = 3; /* follows flags, dstnode */
4615 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4616 break;
4617
4618 case Q_AND:
4619 /* Inefficient because we do our Calvinball dance twice */
4620 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4621 b1 = gen_dnhostop(cstate, addr, Q_DST);
4622 gen_and(b0, b1);
4623 return b1;
4624
4625 case Q_OR:
4626 case Q_DEFAULT:
4627 /* Inefficient because we do our Calvinball dance twice */
4628 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4629 b1 = gen_dnhostop(cstate, addr, Q_DST);
4630 gen_or(b0, b1);
4631 return b1;
4632
4633 case Q_ISO:
4634 bpf_error(cstate, "ISO host filtering not implemented");
4635
4636 default:
4637 abort();
4638 }
4639 b0 = gen_linktype(cstate, ETHERTYPE_DN);
4640 /* Check for pad = 1, long header case */
4641 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4642 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
4643 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
4644 BPF_H, (bpf_int32)ntohs((u_short)addr));
4645 gen_and(tmp, b1);
4646 /* Check for pad = 0, long header case */
4647 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
4648 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4649 gen_and(tmp, b2);
4650 gen_or(b2, b1);
4651 /* Check for pad = 1, short header case */
4652 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4653 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
4654 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4655 gen_and(tmp, b2);
4656 gen_or(b2, b1);
4657 /* Check for pad = 0, short header case */
4658 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
4659 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
4660 gen_and(tmp, b2);
4661 gen_or(b2, b1);
4662
4663 /* Combine with test for cstate->linktype */
4664 gen_and(b0, b1);
4665 return b1;
4666 }
4667
4668 /*
4669 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4670 * test the bottom-of-stack bit, and then check the version number
4671 * field in the IP header.
4672 */
4673 static struct block *
4674 gen_mpls_linktype(compiler_state_t *cstate, int proto)
4675 {
4676 struct block *b0, *b1;
4677
4678 switch (proto) {
4679
4680 case Q_IP:
4681 /* match the bottom-of-stack bit */
4682 b0 = gen_mcmp(cstate, OR_LINKPL, -2, BPF_B, 0x01, 0x01);
4683 /* match the IPv4 version number */
4684 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
4685 gen_and(b0, b1);
4686 return b1;
4687
4688 case Q_IPV6:
4689 /* match the bottom-of-stack bit */
4690 b0 = gen_mcmp(cstate, OR_LINKPL, -2, BPF_B, 0x01, 0x01);
4691 /* match the IPv4 version number */
4692 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
4693 gen_and(b0, b1);
4694 return b1;
4695
4696 default:
4697 abort();
4698 }
4699 }
4700
4701 static struct block *
4702 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4703 int proto, int dir, int type)
4704 {
4705 struct block *b0, *b1;
4706 const char *typestr;
4707
4708 if (type == Q_NET)
4709 typestr = "net";
4710 else
4711 typestr = "host";
4712
4713 switch (proto) {
4714
4715 case Q_DEFAULT:
4716 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
4717 /*
4718 * Only check for non-IPv4 addresses if we're not
4719 * checking MPLS-encapsulated packets.
4720 */
4721 if (cstate->label_stack_depth == 0) {
4722 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
4723 gen_or(b0, b1);
4724 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
4725 gen_or(b1, b0);
4726 }
4727 return b0;
4728
4729 case Q_IP:
4730 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16);
4731
4732 case Q_RARP:
4733 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4734
4735 case Q_ARP:
4736 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4737
4738 case Q_TCP:
4739 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
4740
4741 case Q_SCTP:
4742 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4743
4744 case Q_UDP:
4745 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
4746
4747 case Q_ICMP:
4748 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
4749
4750 case Q_IGMP:
4751 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
4752
4753 case Q_IGRP:
4754 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
4755
4756 case Q_PIM:
4757 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
4758
4759 case Q_VRRP:
4760 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
4761
4762 case Q_CARP:
4763 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
4764
4765 case Q_ATALK:
4766 bpf_error(cstate, "ATALK host filtering not implemented");
4767
4768 case Q_AARP:
4769 bpf_error(cstate, "AARP host filtering not implemented");
4770
4771 case Q_DECNET:
4772 return gen_dnhostop(cstate, addr, dir);
4773
4774 case Q_SCA:
4775 bpf_error(cstate, "SCA host filtering not implemented");
4776
4777 case Q_LAT:
4778 bpf_error(cstate, "LAT host filtering not implemented");
4779
4780 case Q_MOPDL:
4781 bpf_error(cstate, "MOPDL host filtering not implemented");
4782
4783 case Q_MOPRC:
4784 bpf_error(cstate, "MOPRC host filtering not implemented");
4785
4786 case Q_IPV6:
4787 bpf_error(cstate, "'ip6' modifier applied to ip host");
4788
4789 case Q_ICMPV6:
4790 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
4791
4792 case Q_AH:
4793 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
4794
4795 case Q_ESP:
4796 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
4797
4798 case Q_ISO:
4799 bpf_error(cstate, "ISO host filtering not implemented");
4800
4801 case Q_ESIS:
4802 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
4803
4804 case Q_ISIS:
4805 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
4806
4807 case Q_CLNP:
4808 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
4809
4810 case Q_STP:
4811 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
4812
4813 case Q_IPX:
4814 bpf_error(cstate, "IPX host filtering not implemented");
4815
4816 case Q_NETBEUI:
4817 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
4818
4819 case Q_RADIO:
4820 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
4821
4822 default:
4823 abort();
4824 }
4825 /* NOTREACHED */
4826 }
4827
4828 #ifdef INET6
4829 static struct block *
4830 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
4831 struct in6_addr *mask, int proto, int dir, int type)
4832 {
4833 const char *typestr;
4834
4835 if (type == Q_NET)
4836 typestr = "net";
4837 else
4838 typestr = "host";
4839
4840 switch (proto) {
4841
4842 case Q_DEFAULT:
4843 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type);
4844
4845 case Q_LINK:
4846 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr);
4847
4848 case Q_IP:
4849 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr);
4850
4851 case Q_RARP:
4852 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr);
4853
4854 case Q_ARP:
4855 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr);
4856
4857 case Q_SCTP:
4858 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4859
4860 case Q_TCP:
4861 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
4862
4863 case Q_UDP:
4864 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
4865
4866 case Q_ICMP:
4867 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
4868
4869 case Q_IGMP:
4870 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
4871
4872 case Q_IGRP:
4873 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
4874
4875 case Q_PIM:
4876 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
4877
4878 case Q_VRRP:
4879 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
4880
4881 case Q_CARP:
4882 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
4883
4884 case Q_ATALK:
4885 bpf_error(cstate, "ATALK host filtering not implemented");
4886
4887 case Q_AARP:
4888 bpf_error(cstate, "AARP host filtering not implemented");
4889
4890 case Q_DECNET:
4891 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr);
4892
4893 case Q_SCA:
4894 bpf_error(cstate, "SCA host filtering not implemented");
4895
4896 case Q_LAT:
4897 bpf_error(cstate, "LAT host filtering not implemented");
4898
4899 case Q_MOPDL:
4900 bpf_error(cstate, "MOPDL host filtering not implemented");
4901
4902 case Q_MOPRC:
4903 bpf_error(cstate, "MOPRC host filtering not implemented");
4904
4905 case Q_IPV6:
4906 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
4907
4908 case Q_ICMPV6:
4909 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
4910
4911 case Q_AH:
4912 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
4913
4914 case Q_ESP:
4915 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
4916
4917 case Q_ISO:
4918 bpf_error(cstate, "ISO host filtering not implemented");
4919
4920 case Q_ESIS:
4921 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
4922
4923 case Q_ISIS:
4924 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
4925
4926 case Q_CLNP:
4927 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
4928
4929 case Q_STP:
4930 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
4931
4932 case Q_IPX:
4933 bpf_error(cstate, "IPX host filtering not implemented");
4934
4935 case Q_NETBEUI:
4936 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
4937
4938 case Q_RADIO:
4939 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
4940
4941 default:
4942 abort();
4943 }
4944 /* NOTREACHED */
4945 }
4946 #endif
4947
4948 #ifndef INET6
4949 static struct block *
4950 gen_gateway(compiler_state_t *cstate, const u_char *eaddr, bpf_u_int32 **alist,
4951 int proto, int dir)
4952 {
4953 struct block *b0, *b1, *tmp;
4954
4955 if (dir != 0)
4956 bpf_error(cstate, "direction applied to 'gateway'");
4957
4958 switch (proto) {
4959 case Q_DEFAULT:
4960 case Q_IP:
4961 case Q_ARP:
4962 case Q_RARP:
4963 switch (cstate->linktype) {
4964 case DLT_EN10MB:
4965 case DLT_NETANALYZER:
4966 case DLT_NETANALYZER_TRANSPARENT:
4967 b1 = gen_prevlinkhdr_check(cstate);
4968 b0 = gen_ehostop(cstate, eaddr, Q_OR);
4969 if (b1 != NULL)
4970 gen_and(b1, b0);
4971 break;
4972 case DLT_FDDI:
4973 b0 = gen_fhostop(cstate, eaddr, Q_OR);
4974 break;
4975 case DLT_IEEE802:
4976 b0 = gen_thostop(cstate, eaddr, Q_OR);
4977 break;
4978 case DLT_IEEE802_11:
4979 case DLT_PRISM_HEADER:
4980 case DLT_IEEE802_11_RADIO_AVS:
4981 case DLT_IEEE802_11_RADIO:
4982 case DLT_PPI:
4983 b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
4984 break;
4985 case DLT_SUNATM:
4986 /*
4987 * This is LLC-multiplexed traffic; if it were
4988 * LANE, cstate->linktype would have been set to
4989 * DLT_EN10MB.
4990 */
4991 bpf_error(cstate,
4992 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4993 break;
4994 case DLT_IP_OVER_FC:
4995 b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
4996 break;
4997 default:
4998 bpf_error(cstate,
4999 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5000 }
5001 b1 = gen_host(cstate, **alist++, 0xffffffff, proto, Q_OR, Q_HOST);
5002 while (*alist) {
5003 tmp = gen_host(cstate, **alist++, 0xffffffff, proto, Q_OR,
5004 Q_HOST);
5005 gen_or(b1, tmp);
5006 b1 = tmp;
5007 }
5008 gen_not(b1);
5009 gen_and(b0, b1);
5010 return b1;
5011 }
5012 bpf_error(cstate, "illegal modifier of 'gateway'");
5013 /* NOTREACHED */
5014 }
5015 #endif
5016
5017 struct block *
5018 gen_proto_abbrev(compiler_state_t *cstate, int proto)
5019 {
5020 struct block *b0;
5021 struct block *b1;
5022
5023 switch (proto) {
5024
5025 case Q_SCTP:
5026 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT);
5027 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
5028 gen_or(b0, b1);
5029 break;
5030
5031 case Q_TCP:
5032 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT);
5033 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
5034 gen_or(b0, b1);
5035 break;
5036
5037 case Q_UDP:
5038 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT);
5039 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
5040 gen_or(b0, b1);
5041 break;
5042
5043 case Q_ICMP:
5044 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT);
5045 break;
5046
5047 #ifndef IPPROTO_IGMP
5048 #define IPPROTO_IGMP 2
5049 #endif
5050
5051 case Q_IGMP:
5052 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT);
5053 break;
5054
5055 #ifndef IPPROTO_IGRP
5056 #define IPPROTO_IGRP 9
5057 #endif
5058 case Q_IGRP:
5059 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT);
5060 break;
5061
5062 #ifndef IPPROTO_PIM
5063 #define IPPROTO_PIM 103
5064 #endif
5065
5066 case Q_PIM:
5067 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT);
5068 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
5069 gen_or(b0, b1);
5070 break;
5071
5072 #ifndef IPPROTO_VRRP
5073 #define IPPROTO_VRRP 112
5074 #endif
5075
5076 case Q_VRRP:
5077 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5078 break;
5079
5080 #ifndef IPPROTO_CARP
5081 #define IPPROTO_CARP 112
5082 #endif
5083
5084 case Q_CARP:
5085 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT);
5086 break;
5087
5088 case Q_IP:
5089 b1 = gen_linktype(cstate, ETHERTYPE_IP);
5090 break;
5091
5092 case Q_ARP:
5093 b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5094 break;
5095
5096 case Q_RARP:
5097 b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5098 break;
5099
5100 case Q_LINK:
5101 bpf_error(cstate, "link layer applied in wrong context");
5102
5103 case Q_ATALK:
5104 b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5105 break;
5106
5107 case Q_AARP:
5108 b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5109 break;
5110
5111 case Q_DECNET:
5112 b1 = gen_linktype(cstate, ETHERTYPE_DN);
5113 break;
5114
5115 case Q_SCA:
5116 b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5117 break;
5118
5119 case Q_LAT:
5120 b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5121 break;
5122
5123 case Q_MOPDL:
5124 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5125 break;
5126
5127 case Q_MOPRC:
5128 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5129 break;
5130
5131 case Q_IPV6:
5132 b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5133 break;
5134
5135 #ifndef IPPROTO_ICMPV6
5136 #define IPPROTO_ICMPV6 58
5137 #endif
5138 case Q_ICMPV6:
5139 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5140 break;
5141
5142 #ifndef IPPROTO_AH
5143 #define IPPROTO_AH 51
5144 #endif
5145 case Q_AH:
5146 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT);
5147 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT);
5148 gen_or(b0, b1);
5149 break;
5150
5151 #ifndef IPPROTO_ESP
5152 #define IPPROTO_ESP 50
5153 #endif
5154 case Q_ESP:
5155 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT);
5156 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
5157 gen_or(b0, b1);
5158 break;
5159
5160 case Q_ISO:
5161 b1 = gen_linktype(cstate, LLCSAP_ISONS);
5162 break;
5163
5164 case Q_ESIS:
5165 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5166 break;
5167
5168 case Q_ISIS:
5169 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5170 break;
5171
5172 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5173 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5174 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5175 gen_or(b0, b1);
5176 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5177 gen_or(b0, b1);
5178 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5179 gen_or(b0, b1);
5180 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5181 gen_or(b0, b1);
5182 break;
5183
5184 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5185 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5186 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5187 gen_or(b0, b1);
5188 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5189 gen_or(b0, b1);
5190 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5191 gen_or(b0, b1);
5192 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5193 gen_or(b0, b1);
5194 break;
5195
5196 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5197 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5198 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5199 gen_or(b0, b1);
5200 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5201 gen_or(b0, b1);
5202 break;
5203
5204 case Q_ISIS_LSP:
5205 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5206 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5207 gen_or(b0, b1);
5208 break;
5209
5210 case Q_ISIS_SNP:
5211 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5212 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5213 gen_or(b0, b1);
5214 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5215 gen_or(b0, b1);
5216 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5217 gen_or(b0, b1);
5218 break;
5219
5220 case Q_ISIS_CSNP:
5221 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5222 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5223 gen_or(b0, b1);
5224 break;
5225
5226 case Q_ISIS_PSNP:
5227 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5228 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5229 gen_or(b0, b1);
5230 break;
5231
5232 case Q_CLNP:
5233 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5234 break;
5235
5236 case Q_STP:
5237 b1 = gen_linktype(cstate, LLCSAP_8021D);
5238 break;
5239
5240 case Q_IPX:
5241 b1 = gen_linktype(cstate, LLCSAP_IPX);
5242 break;
5243
5244 case Q_NETBEUI:
5245 b1 = gen_linktype(cstate, LLCSAP_NETBEUI);
5246 break;
5247
5248 case Q_RADIO:
5249 bpf_error(cstate, "'radio' is not a valid protocol type");
5250
5251 default:
5252 abort();
5253 }
5254 return b1;
5255 }
5256
5257 static struct block *
5258 gen_ipfrag(compiler_state_t *cstate)
5259 {
5260 struct slist *s;
5261 struct block *b;
5262
5263 /* not IPv4 frag other than the first frag */
5264 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5265 b = new_block(cstate, JMP(BPF_JSET));
5266 b->s.k = 0x1fff;
5267 b->stmts = s;
5268 gen_not(b);
5269
5270 return b;
5271 }
5272
5273 /*
5274 * Generate a comparison to a port value in the transport-layer header
5275 * at the specified offset from the beginning of that header.
5276 *
5277 * XXX - this handles a variable-length prefix preceding the link-layer
5278 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5279 * variable-length link-layer headers (such as Token Ring or 802.11
5280 * headers).
5281 */
5282 static struct block *
5283 gen_portatom(compiler_state_t *cstate, int off, bpf_int32 v)
5284 {
5285 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5286 }
5287
5288 static struct block *
5289 gen_portatom6(compiler_state_t *cstate, int off, bpf_int32 v)
5290 {
5291 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5292 }
5293
5294 struct block *
5295 gen_portop(compiler_state_t *cstate, int port, int proto, int dir)
5296 {
5297 struct block *b0, *b1, *tmp;
5298
5299 /* ip proto 'proto' and not a fragment other than the first fragment */
5300 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5301 b0 = gen_ipfrag(cstate);
5302 gen_and(tmp, b0);
5303
5304 switch (dir) {
5305 case Q_SRC:
5306 b1 = gen_portatom(cstate, 0, (bpf_int32)port);
5307 break;
5308
5309 case Q_DST:
5310 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5311 break;
5312
5313 case Q_OR:
5314 case Q_DEFAULT:
5315 tmp = gen_portatom(cstate, 0, (bpf_int32)port);
5316 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5317 gen_or(tmp, b1);
5318 break;
5319
5320 case Q_AND:
5321 tmp = gen_portatom(cstate, 0, (bpf_int32)port);
5322 b1 = gen_portatom(cstate, 2, (bpf_int32)port);
5323 gen_and(tmp, b1);
5324 break;
5325
5326 default:
5327 abort();
5328 }
5329 gen_and(b0, b1);
5330
5331 return b1;
5332 }
5333
5334 static struct block *
5335 gen_port(compiler_state_t *cstate, int port, int ip_proto, int dir)
5336 {
5337 struct block *b0, *b1, *tmp;
5338
5339 /*
5340 * ether proto ip
5341 *
5342 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5343 * not LLC encapsulation with LLCSAP_IP.
5344 *
5345 * For IEEE 802 networks - which includes 802.5 token ring
5346 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5347 * says that SNAP encapsulation is used, not LLC encapsulation
5348 * with LLCSAP_IP.
5349 *
5350 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5351 * RFC 2225 say that SNAP encapsulation is used, not LLC
5352 * encapsulation with LLCSAP_IP.
5353 *
5354 * So we always check for ETHERTYPE_IP.
5355 */
5356 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5357
5358 switch (ip_proto) {
5359 case IPPROTO_UDP:
5360 case IPPROTO_TCP:
5361 case IPPROTO_SCTP:
5362 b1 = gen_portop(cstate, port, ip_proto, dir);
5363 break;
5364
5365 case PROTO_UNDEF:
5366 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir);
5367 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir);
5368 gen_or(tmp, b1);
5369 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir);
5370 gen_or(tmp, b1);
5371 break;
5372
5373 default:
5374 abort();
5375 }
5376 gen_and(b0, b1);
5377 return b1;
5378 }
5379
5380 struct block *
5381 gen_portop6(compiler_state_t *cstate, int port, int proto, int dir)
5382 {
5383 struct block *b0, *b1, *tmp;
5384
5385 /* ip6 proto 'proto' */
5386 /* XXX - catch the first fragment of a fragmented packet? */
5387 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5388
5389 switch (dir) {
5390 case Q_SRC:
5391 b1 = gen_portatom6(cstate, 0, (bpf_int32)port);
5392 break;
5393
5394 case Q_DST:
5395 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5396 break;
5397
5398 case Q_OR:
5399 case Q_DEFAULT:
5400 tmp = gen_portatom6(cstate, 0, (bpf_int32)port);
5401 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5402 gen_or(tmp, b1);
5403 break;
5404
5405 case Q_AND:
5406 tmp = gen_portatom6(cstate, 0, (bpf_int32)port);
5407 b1 = gen_portatom6(cstate, 2, (bpf_int32)port);
5408 gen_and(tmp, b1);
5409 break;
5410
5411 default:
5412 abort();
5413 }
5414 gen_and(b0, b1);
5415
5416 return b1;
5417 }
5418
5419 static struct block *
5420 gen_port6(compiler_state_t *cstate, int port, int ip_proto, int dir)
5421 {
5422 struct block *b0, *b1, *tmp;
5423
5424 /* link proto ip6 */
5425 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5426
5427 switch (ip_proto) {
5428 case IPPROTO_UDP:
5429 case IPPROTO_TCP:
5430 case IPPROTO_SCTP:
5431 b1 = gen_portop6(cstate, port, ip_proto, dir);
5432 break;
5433
5434 case PROTO_UNDEF:
5435 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir);
5436 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir);
5437 gen_or(tmp, b1);
5438 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir);
5439 gen_or(tmp, b1);
5440 break;
5441
5442 default:
5443 abort();
5444 }
5445 gen_and(b0, b1);
5446 return b1;
5447 }
5448
5449 /* gen_portrange code */
5450 static struct block *
5451 gen_portrangeatom(compiler_state_t *cstate, int off, bpf_int32 v1,
5452 bpf_int32 v2)
5453 {
5454 struct block *b1, *b2;
5455
5456 if (v1 > v2) {
5457 /*
5458 * Reverse the order of the ports, so v1 is the lower one.
5459 */
5460 bpf_int32 vtemp;
5461
5462 vtemp = v1;
5463 v1 = v2;
5464 v2 = vtemp;
5465 }
5466
5467 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1);
5468 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2);
5469
5470 gen_and(b1, b2);
5471
5472 return b2;
5473 }
5474
5475 struct block *
5476 gen_portrangeop(compiler_state_t *cstate, int port1, int port2, int proto,
5477 int dir)
5478 {
5479 struct block *b0, *b1, *tmp;
5480
5481 /* ip proto 'proto' and not a fragment other than the first fragment */
5482 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)proto);
5483 b0 = gen_ipfrag(cstate);
5484 gen_and(tmp, b0);
5485
5486 switch (dir) {
5487 case Q_SRC:
5488 b1 = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5489 break;
5490
5491 case Q_DST:
5492 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5493 break;
5494
5495 case Q_OR:
5496 case Q_DEFAULT:
5497 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5498 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5499 gen_or(tmp, b1);
5500 break;
5501
5502 case Q_AND:
5503 tmp = gen_portrangeatom(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5504 b1 = gen_portrangeatom(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5505 gen_and(tmp, b1);
5506 break;
5507
5508 default:
5509 abort();
5510 }
5511 gen_and(b0, b1);
5512
5513 return b1;
5514 }
5515
5516 static struct block *
5517 gen_portrange(compiler_state_t *cstate, int port1, int port2, int ip_proto,
5518 int dir)
5519 {
5520 struct block *b0, *b1, *tmp;
5521
5522 /* link proto ip */
5523 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5524
5525 switch (ip_proto) {
5526 case IPPROTO_UDP:
5527 case IPPROTO_TCP:
5528 case IPPROTO_SCTP:
5529 b1 = gen_portrangeop(cstate, port1, port2, ip_proto, dir);
5530 break;
5531
5532 case PROTO_UNDEF:
5533 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir);
5534 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir);
5535 gen_or(tmp, b1);
5536 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir);
5537 gen_or(tmp, b1);
5538 break;
5539
5540 default:
5541 abort();
5542 }
5543 gen_and(b0, b1);
5544 return b1;
5545 }
5546
5547 static struct block *
5548 gen_portrangeatom6(compiler_state_t *cstate, int off, bpf_int32 v1,
5549 bpf_int32 v2)
5550 {
5551 struct block *b1, *b2;
5552
5553 if (v1 > v2) {
5554 /*
5555 * Reverse the order of the ports, so v1 is the lower one.
5556 */
5557 bpf_int32 vtemp;
5558
5559 vtemp = v1;
5560 v1 = v2;
5561 v2 = vtemp;
5562 }
5563
5564 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1);
5565 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2);
5566
5567 gen_and(b1, b2);
5568
5569 return b2;
5570 }
5571
5572 struct block *
5573 gen_portrangeop6(compiler_state_t *cstate, int port1, int port2, int proto,
5574 int dir)
5575 {
5576 struct block *b0, *b1, *tmp;
5577
5578 /* ip6 proto 'proto' */
5579 /* XXX - catch the first fragment of a fragmented packet? */
5580 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)proto);
5581
5582 switch (dir) {
5583 case Q_SRC:
5584 b1 = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5585 break;
5586
5587 case Q_DST:
5588 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5589 break;
5590
5591 case Q_OR:
5592 case Q_DEFAULT:
5593 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5594 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5595 gen_or(tmp, b1);
5596 break;
5597
5598 case Q_AND:
5599 tmp = gen_portrangeatom6(cstate, 0, (bpf_int32)port1, (bpf_int32)port2);
5600 b1 = gen_portrangeatom6(cstate, 2, (bpf_int32)port1, (bpf_int32)port2);
5601 gen_and(tmp, b1);
5602 break;
5603
5604 default:
5605 abort();
5606 }
5607 gen_and(b0, b1);
5608
5609 return b1;
5610 }
5611
5612 static struct block *
5613 gen_portrange6(compiler_state_t *cstate, int port1, int port2, int ip_proto,
5614 int dir)
5615 {
5616 struct block *b0, *b1, *tmp;
5617
5618 /* link proto ip6 */
5619 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5620
5621 switch (ip_proto) {
5622 case IPPROTO_UDP:
5623 case IPPROTO_TCP:
5624 case IPPROTO_SCTP:
5625 b1 = gen_portrangeop6(cstate, port1, port2, ip_proto, dir);
5626 break;
5627
5628 case PROTO_UNDEF:
5629 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir);
5630 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir);
5631 gen_or(tmp, b1);
5632 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir);
5633 gen_or(tmp, b1);
5634 break;
5635
5636 default:
5637 abort();
5638 }
5639 gen_and(b0, b1);
5640 return b1;
5641 }
5642
5643 static int
5644 lookup_proto(compiler_state_t *cstate, const char *name, int proto)
5645 {
5646 register int v;
5647
5648 switch (proto) {
5649
5650 case Q_DEFAULT:
5651 case Q_IP:
5652 case Q_IPV6:
5653 v = pcap_nametoproto(name);
5654 if (v == PROTO_UNDEF)
5655 bpf_error(cstate, "unknown ip proto '%s'", name);
5656 break;
5657
5658 case Q_LINK:
5659 /* XXX should look up h/w protocol type based on cstate->linktype */
5660 v = pcap_nametoeproto(name);
5661 if (v == PROTO_UNDEF) {
5662 v = pcap_nametollc(name);
5663 if (v == PROTO_UNDEF)
5664 bpf_error(cstate, "unknown ether proto '%s'", name);
5665 }
5666 break;
5667
5668 case Q_ISO:
5669 if (strcmp(name, "esis") == 0)
5670 v = ISO9542_ESIS;
5671 else if (strcmp(name, "isis") == 0)
5672 v = ISO10589_ISIS;
5673 else if (strcmp(name, "clnp") == 0)
5674 v = ISO8473_CLNP;
5675 else
5676 bpf_error(cstate, "unknown osi proto '%s'", name);
5677 break;
5678
5679 default:
5680 v = PROTO_UNDEF;
5681 break;
5682 }
5683 return v;
5684 }
5685
5686 #if 0
5687 struct stmt *
5688 gen_joinsp(s, n)
5689 struct stmt **s;
5690 int n;
5691 {
5692 return NULL;
5693 }
5694 #endif
5695
5696 static struct block *
5697 gen_protochain(compiler_state_t *cstate, int v, int proto, int dir)
5698 {
5699 #ifdef NO_PROTOCHAIN
5700 return gen_proto(cstate, v, proto, dir);
5701 #else
5702 struct block *b0, *b;
5703 struct slist *s[100];
5704 int fix2, fix3, fix4, fix5;
5705 int ahcheck, again, end;
5706 int i, max;
5707 int reg2 = alloc_reg(cstate);
5708
5709 memset(s, 0, sizeof(s));
5710 fix3 = fix4 = fix5 = 0;
5711
5712 switch (proto) {
5713 case Q_IP:
5714 case Q_IPV6:
5715 break;
5716 case Q_DEFAULT:
5717 b0 = gen_protochain(cstate, v, Q_IP, dir);
5718 b = gen_protochain(cstate, v, Q_IPV6, dir);
5719 gen_or(b0, b);
5720 return b;
5721 default:
5722 bpf_error(cstate, "bad protocol applied for 'protochain'");
5723 /*NOTREACHED*/
5724 }
5725
5726 /*
5727 * We don't handle variable-length prefixes before the link-layer
5728 * header, or variable-length link-layer headers, here yet.
5729 * We might want to add BPF instructions to do the protochain
5730 * work, to simplify that and, on platforms that have a BPF
5731 * interpreter with the new instructions, let the filtering
5732 * be done in the kernel. (We already require a modified BPF
5733 * engine to do the protochain stuff, to support backward
5734 * branches, and backward branch support is unlikely to appear
5735 * in kernel BPF engines.)
5736 */
5737 if (cstate->off_linkpl.is_variable)
5738 bpf_error(cstate, "'protochain' not supported with variable length headers");
5739
5740 cstate->no_optimize = 1; /*this code is not compatible with optimzer yet */
5741
5742 /*
5743 * s[0] is a dummy entry to protect other BPF insn from damage
5744 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
5745 * hard to find interdependency made by jump table fixup.
5746 */
5747 i = 0;
5748 s[i] = new_stmt(cstate, 0); /*dummy*/
5749 i++;
5750
5751 switch (proto) {
5752 case Q_IP:
5753 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5754
5755 /* A = ip->ip_p */
5756 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
5757 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
5758 i++;
5759 /* X = ip->ip_hl << 2 */
5760 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
5761 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
5762 i++;
5763 break;
5764
5765 case Q_IPV6:
5766 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5767
5768 /* A = ip6->ip_nxt */
5769 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
5770 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
5771 i++;
5772 /* X = sizeof(struct ip6_hdr) */
5773 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
5774 s[i]->s.k = 40;
5775 i++;
5776 break;
5777
5778 default:
5779 bpf_error(cstate, "unsupported proto to gen_protochain");
5780 /*NOTREACHED*/
5781 }
5782
5783 /* again: if (A == v) goto end; else fall through; */
5784 again = i;
5785 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5786 s[i]->s.k = v;
5787 s[i]->s.jt = NULL; /*later*/
5788 s[i]->s.jf = NULL; /*update in next stmt*/
5789 fix5 = i;
5790 i++;
5791
5792 #ifndef IPPROTO_NONE
5793 #define IPPROTO_NONE 59
5794 #endif
5795 /* if (A == IPPROTO_NONE) goto end */
5796 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5797 s[i]->s.jt = NULL; /*later*/
5798 s[i]->s.jf = NULL; /*update in next stmt*/
5799 s[i]->s.k = IPPROTO_NONE;
5800 s[fix5]->s.jf = s[i];
5801 fix2 = i;
5802 i++;
5803
5804 if (proto == Q_IPV6) {
5805 int v6start, v6end, v6advance, j;
5806
5807 v6start = i;
5808 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
5809 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5810 s[i]->s.jt = NULL; /*later*/
5811 s[i]->s.jf = NULL; /*update in next stmt*/
5812 s[i]->s.k = IPPROTO_HOPOPTS;
5813 s[fix2]->s.jf = s[i];
5814 i++;
5815 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
5816 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5817 s[i]->s.jt = NULL; /*later*/
5818 s[i]->s.jf = NULL; /*update in next stmt*/
5819 s[i]->s.k = IPPROTO_DSTOPTS;
5820 i++;
5821 /* if (A == IPPROTO_ROUTING) goto v6advance */
5822 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5823 s[i]->s.jt = NULL; /*later*/
5824 s[i]->s.jf = NULL; /*update in next stmt*/
5825 s[i]->s.k = IPPROTO_ROUTING;
5826 i++;
5827 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
5828 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5829 s[i]->s.jt = NULL; /*later*/
5830 s[i]->s.jf = NULL; /*later*/
5831 s[i]->s.k = IPPROTO_FRAGMENT;
5832 fix3 = i;
5833 v6end = i;
5834 i++;
5835
5836 /* v6advance: */
5837 v6advance = i;
5838
5839 /*
5840 * in short,
5841 * A = P[X + packet head];
5842 * X = X + (P[X + packet head + 1] + 1) * 8;
5843 */
5844 /* A = P[X + packet head] */
5845 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
5846 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
5847 i++;
5848 /* MEM[reg2] = A */
5849 s[i] = new_stmt(cstate, BPF_ST);
5850 s[i]->s.k = reg2;
5851 i++;
5852 /* A = P[X + packet head + 1]; */
5853 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
5854 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
5855 i++;
5856 /* A += 1 */
5857 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5858 s[i]->s.k = 1;
5859 i++;
5860 /* A *= 8 */
5861 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
5862 s[i]->s.k = 8;
5863 i++;
5864 /* A += X */
5865 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
5866 s[i]->s.k = 0;
5867 i++;
5868 /* X = A; */
5869 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
5870 i++;
5871 /* A = MEM[reg2] */
5872 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
5873 s[i]->s.k = reg2;
5874 i++;
5875
5876 /* goto again; (must use BPF_JA for backward jump) */
5877 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
5878 s[i]->s.k = again - i - 1;
5879 s[i - 1]->s.jf = s[i];
5880 i++;
5881
5882 /* fixup */
5883 for (j = v6start; j <= v6end; j++)
5884 s[j]->s.jt = s[v6advance];
5885 } else {
5886 /* nop */
5887 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5888 s[i]->s.k = 0;
5889 s[fix2]->s.jf = s[i];
5890 i++;
5891 }
5892
5893 /* ahcheck: */
5894 ahcheck = i;
5895 /* if (A == IPPROTO_AH) then fall through; else goto end; */
5896 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
5897 s[i]->s.jt = NULL; /*later*/
5898 s[i]->s.jf = NULL; /*later*/
5899 s[i]->s.k = IPPROTO_AH;
5900 if (fix3)
5901 s[fix3]->s.jf = s[ahcheck];
5902 fix4 = i;
5903 i++;
5904
5905 /*
5906 * in short,
5907 * A = P[X];
5908 * X = X + (P[X + 1] + 2) * 4;
5909 */
5910 /* A = X */
5911 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
5912 i++;
5913 /* A = P[X + packet head]; */
5914 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
5915 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
5916 i++;
5917 /* MEM[reg2] = A */
5918 s[i] = new_stmt(cstate, BPF_ST);
5919 s[i]->s.k = reg2;
5920 i++;
5921 /* A = X */
5922 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
5923 i++;
5924 /* A += 1 */
5925 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5926 s[i]->s.k = 1;
5927 i++;
5928 /* X = A */
5929 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
5930 i++;
5931 /* A = P[X + packet head] */
5932 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
5933 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
5934 i++;
5935 /* A += 2 */
5936 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5937 s[i]->s.k = 2;
5938 i++;
5939 /* A *= 4 */
5940 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
5941 s[i]->s.k = 4;
5942 i++;
5943 /* X = A; */
5944 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
5945 i++;
5946 /* A = MEM[reg2] */
5947 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
5948 s[i]->s.k = reg2;
5949 i++;
5950
5951 /* goto again; (must use BPF_JA for backward jump) */
5952 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
5953 s[i]->s.k = again - i - 1;
5954 i++;
5955
5956 /* end: nop */
5957 end = i;
5958 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
5959 s[i]->s.k = 0;
5960 s[fix2]->s.jt = s[end];
5961 s[fix4]->s.jf = s[end];
5962 s[fix5]->s.jt = s[end];
5963 i++;
5964
5965 /*
5966 * make slist chain
5967 */
5968 max = i;
5969 for (i = 0; i < max - 1; i++)
5970 s[i]->next = s[i + 1];
5971 s[max - 1]->next = NULL;
5972
5973 /*
5974 * emit final check
5975 */
5976 b = new_block(cstate, JMP(BPF_JEQ));
5977 b->stmts = s[1]; /*remember, s[0] is dummy*/
5978 b->s.k = v;
5979
5980 free_reg(cstate, reg2);
5981
5982 gen_and(b0, b);
5983 return b;
5984 #endif
5985 }
5986
5987 static struct block *
5988 gen_check_802_11_data_frame(compiler_state_t *cstate)
5989 {
5990 struct slist *s;
5991 struct block *b0, *b1;
5992
5993 /*
5994 * A data frame has the 0x08 bit (b3) in the frame control field set
5995 * and the 0x04 bit (b2) clear.
5996 */
5997 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
5998 b0 = new_block(cstate, JMP(BPF_JSET));
5999 b0->s.k = 0x08;
6000 b0->stmts = s;
6001
6002 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6003 b1 = new_block(cstate, JMP(BPF_JSET));
6004 b1->s.k = 0x04;
6005 b1->stmts = s;
6006 gen_not(b1);
6007
6008 gen_and(b1, b0);
6009
6010 return b0;
6011 }
6012
6013 /*
6014 * Generate code that checks whether the packet is a packet for protocol
6015 * <proto> and whether the type field in that protocol's header has
6016 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
6017 * IP packet and checks the protocol number in the IP header against <v>.
6018 *
6019 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
6020 * against Q_IP and Q_IPV6.
6021 */
6022 static struct block *
6023 gen_proto(compiler_state_t *cstate, int v, int proto, int dir)
6024 {
6025 struct block *b0, *b1;
6026 #ifndef CHASE_CHAIN
6027 struct block *b2;
6028 #endif
6029
6030 if (dir != Q_DEFAULT)
6031 bpf_error(cstate, "direction applied to 'proto'");
6032
6033 switch (proto) {
6034 case Q_DEFAULT:
6035 b0 = gen_proto(cstate, v, Q_IP, dir);
6036 b1 = gen_proto(cstate, v, Q_IPV6, dir);
6037 gen_or(b0, b1);
6038 return b1;
6039
6040 case Q_IP:
6041 /*
6042 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6043 * not LLC encapsulation with LLCSAP_IP.
6044 *
6045 * For IEEE 802 networks - which includes 802.5 token ring
6046 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6047 * says that SNAP encapsulation is used, not LLC encapsulation
6048 * with LLCSAP_IP.
6049 *
6050 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6051 * RFC 2225 say that SNAP encapsulation is used, not LLC
6052 * encapsulation with LLCSAP_IP.
6053 *
6054 * So we always check for ETHERTYPE_IP.
6055 */
6056 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6057 #ifndef CHASE_CHAIN
6058 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, (bpf_int32)v);
6059 #else
6060 b1 = gen_protochain(cstate, v, Q_IP);
6061 #endif
6062 gen_and(b0, b1);
6063 return b1;
6064
6065 case Q_ISO:
6066 switch (cstate->linktype) {
6067
6068 case DLT_FRELAY:
6069 /*
6070 * Frame Relay packets typically have an OSI
6071 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6072 * generates code to check for all the OSI
6073 * NLPIDs, so calling it and then adding a check
6074 * for the particular NLPID for which we're
6075 * looking is bogus, as we can just check for
6076 * the NLPID.
6077 *
6078 * What we check for is the NLPID and a frame
6079 * control field value of UI, i.e. 0x03 followed
6080 * by the NLPID.
6081 *
6082 * XXX - assumes a 2-byte Frame Relay header with
6083 * DLCI and flags. What if the address is longer?
6084 *
6085 * XXX - what about SNAP-encapsulated frames?
6086 */
6087 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6088 /*NOTREACHED*/
6089 break;
6090
6091 case DLT_C_HDLC:
6092 /*
6093 * Cisco uses an Ethertype lookalike - for OSI,
6094 * it's 0xfefe.
6095 */
6096 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6097 /* OSI in C-HDLC is stuffed with a fudge byte */
6098 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, (long)v);
6099 gen_and(b0, b1);
6100 return b1;
6101
6102 default:
6103 b0 = gen_linktype(cstate, LLCSAP_ISONS);
6104 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, (long)v);
6105 gen_and(b0, b1);
6106 return b1;
6107 }
6108
6109 case Q_ISIS:
6110 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6111 /*
6112 * 4 is the offset of the PDU type relative to the IS-IS
6113 * header.
6114 */
6115 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, (long)v);
6116 gen_and(b0, b1);
6117 return b1;
6118
6119 case Q_ARP:
6120 bpf_error(cstate, "arp does not encapsulate another protocol");
6121 /* NOTREACHED */
6122
6123 case Q_RARP:
6124 bpf_error(cstate, "rarp does not encapsulate another protocol");
6125 /* NOTREACHED */
6126
6127 case Q_ATALK:
6128 bpf_error(cstate, "atalk encapsulation is not specifiable");
6129 /* NOTREACHED */
6130
6131 case Q_DECNET:
6132 bpf_error(cstate, "decnet encapsulation is not specifiable");
6133 /* NOTREACHED */
6134
6135 case Q_SCA:
6136 bpf_error(cstate, "sca does not encapsulate another protocol");
6137 /* NOTREACHED */
6138
6139 case Q_LAT:
6140 bpf_error(cstate, "lat does not encapsulate another protocol");
6141 /* NOTREACHED */
6142
6143 case Q_MOPRC:
6144 bpf_error(cstate, "moprc does not encapsulate another protocol");
6145 /* NOTREACHED */
6146
6147 case Q_MOPDL:
6148 bpf_error(cstate, "mopdl does not encapsulate another protocol");
6149 /* NOTREACHED */
6150
6151 case Q_LINK:
6152 return gen_linktype(cstate, v);
6153
6154 case Q_UDP:
6155 bpf_error(cstate, "'udp proto' is bogus");
6156 /* NOTREACHED */
6157
6158 case Q_TCP:
6159 bpf_error(cstate, "'tcp proto' is bogus");
6160 /* NOTREACHED */
6161
6162 case Q_SCTP:
6163 bpf_error(cstate, "'sctp proto' is bogus");
6164 /* NOTREACHED */
6165
6166 case Q_ICMP:
6167 bpf_error(cstate, "'icmp proto' is bogus");
6168 /* NOTREACHED */
6169
6170 case Q_IGMP:
6171 bpf_error(cstate, "'igmp proto' is bogus");
6172 /* NOTREACHED */
6173
6174 case Q_IGRP:
6175 bpf_error(cstate, "'igrp proto' is bogus");
6176 /* NOTREACHED */
6177
6178 case Q_PIM:
6179 bpf_error(cstate, "'pim proto' is bogus");
6180 /* NOTREACHED */
6181
6182 case Q_VRRP:
6183 bpf_error(cstate, "'vrrp proto' is bogus");
6184 /* NOTREACHED */
6185
6186 case Q_CARP:
6187 bpf_error(cstate, "'carp proto' is bogus");
6188 /* NOTREACHED */
6189
6190 case Q_IPV6:
6191 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6192 #ifndef CHASE_CHAIN
6193 /*
6194 * Also check for a fragment header before the final
6195 * header.
6196 */
6197 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6198 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, (bpf_int32)v);
6199 gen_and(b2, b1);
6200 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, (bpf_int32)v);
6201 gen_or(b2, b1);
6202 #else
6203 b1 = gen_protochain(cstate, v, Q_IPV6);
6204 #endif
6205 gen_and(b0, b1);
6206 return b1;
6207
6208 case Q_ICMPV6:
6209 bpf_error(cstate, "'icmp6 proto' is bogus");
6210
6211 case Q_AH:
6212 bpf_error(cstate, "'ah proto' is bogus");
6213
6214 case Q_ESP:
6215 bpf_error(cstate, "'ah proto' is bogus");
6216
6217 case Q_STP:
6218 bpf_error(cstate, "'stp proto' is bogus");
6219
6220 case Q_IPX:
6221 bpf_error(cstate, "'ipx proto' is bogus");
6222
6223 case Q_NETBEUI:
6224 bpf_error(cstate, "'netbeui proto' is bogus");
6225
6226 case Q_RADIO:
6227 bpf_error(cstate, "'radio proto' is bogus");
6228
6229 default:
6230 abort();
6231 /* NOTREACHED */
6232 }
6233 /* NOTREACHED */
6234 }
6235
6236 struct block *
6237 gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
6238 {
6239 int proto = q.proto;
6240 int dir = q.dir;
6241 int tproto;
6242 u_char *eaddr;
6243 bpf_u_int32 mask, addr;
6244 #ifndef INET6
6245 bpf_u_int32 **alist;
6246 #else
6247 int tproto6;
6248 struct sockaddr_in *sin4;
6249 struct sockaddr_in6 *sin6;
6250 struct addrinfo *res, *res0;
6251 struct in6_addr mask128;
6252 #endif /*INET6*/
6253 struct block *b, *tmp;
6254 int port, real_proto;
6255 int port1, port2;
6256
6257 switch (q.addr) {
6258
6259 case Q_NET:
6260 addr = pcap_nametonetaddr(name);
6261 if (addr == 0)
6262 bpf_error(cstate, "unknown network '%s'", name);
6263 /* Left justify network addr and calculate its network mask */
6264 mask = 0xffffffff;
6265 while (addr && (addr & 0xff000000) == 0) {
6266 addr <<= 8;
6267 mask <<= 8;
6268 }
6269 return gen_host(cstate, addr, mask, proto, dir, q.addr);
6270
6271 case Q_DEFAULT:
6272 case Q_HOST:
6273 if (proto == Q_LINK) {
6274 switch (cstate->linktype) {
6275
6276 case DLT_EN10MB:
6277 case DLT_NETANALYZER:
6278 case DLT_NETANALYZER_TRANSPARENT:
6279 eaddr = pcap_ether_hostton(name);
6280 if (eaddr == NULL)
6281 bpf_error(cstate,
6282 "unknown ether host '%s'", name);
6283 tmp = gen_prevlinkhdr_check(cstate);
6284 b = gen_ehostop(cstate, eaddr, dir);
6285 if (tmp != NULL)
6286 gen_and(tmp, b);
6287 free(eaddr);
6288 return b;
6289
6290 case DLT_FDDI:
6291 eaddr = pcap_ether_hostton(name);
6292 if (eaddr == NULL)
6293 bpf_error(cstate,
6294 "unknown FDDI host '%s'", name);
6295 b = gen_fhostop(cstate, eaddr, dir);
6296 free(eaddr);
6297 return b;
6298
6299 case DLT_IEEE802:
6300 eaddr = pcap_ether_hostton(name);
6301 if (eaddr == NULL)
6302 bpf_error(cstate,
6303 "unknown token ring host '%s'", name);
6304 b = gen_thostop(cstate, eaddr, dir);
6305 free(eaddr);
6306 return b;
6307
6308 case DLT_IEEE802_11:
6309 case DLT_PRISM_HEADER:
6310 case DLT_IEEE802_11_RADIO_AVS:
6311 case DLT_IEEE802_11_RADIO:
6312 case DLT_PPI:
6313 eaddr = pcap_ether_hostton(name);
6314 if (eaddr == NULL)
6315 bpf_error(cstate,
6316 "unknown 802.11 host '%s'", name);
6317 b = gen_wlanhostop(cstate, eaddr, dir);
6318 free(eaddr);
6319 return b;
6320
6321 case DLT_IP_OVER_FC:
6322 eaddr = pcap_ether_hostton(name);
6323 if (eaddr == NULL)
6324 bpf_error(cstate,
6325 "unknown Fibre Channel host '%s'", name);
6326 b = gen_ipfchostop(cstate, eaddr, dir);
6327 free(eaddr);
6328 return b;
6329 }
6330
6331 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6332 } else if (proto == Q_DECNET) {
6333 unsigned short dn_addr;
6334
6335 if (!__pcap_nametodnaddr(name, &dn_addr)) {
6336 #ifdef DECNETLIB
6337 bpf_error(cstate, "unknown decnet host name '%s'\n", name);
6338 #else
6339 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n",
6340 name);
6341 #endif
6342 }
6343 /*
6344 * I don't think DECNET hosts can be multihomed, so
6345 * there is no need to build up a list of addresses
6346 */
6347 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr));
6348 } else {
6349 #ifndef INET6
6350 alist = pcap_nametoaddr(name);
6351 if (alist == NULL || *alist == NULL)
6352 bpf_error(cstate, "unknown host '%s'", name);
6353 tproto = proto;
6354 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
6355 tproto == Q_DEFAULT)
6356 tproto = Q_IP;
6357 b = gen_host(cstate, **alist++, 0xffffffff, tproto, dir, q.addr);
6358 while (*alist) {
6359 tmp = gen_host(cstate, **alist++, 0xffffffff,
6360 tproto, dir, q.addr);
6361 gen_or(b, tmp);
6362 b = tmp;
6363 }
6364 return b;
6365 #else
6366 memset(&mask128, 0xff, sizeof(mask128));
6367 res0 = res = pcap_nametoaddrinfo(name);
6368 if (res == NULL)
6369 bpf_error(cstate, "unknown host '%s'", name);
6370 cstate->ai = res;
6371 b = tmp = NULL;
6372 tproto = tproto6 = proto;
6373 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
6374 tproto == Q_DEFAULT) {
6375 tproto = Q_IP;
6376 tproto6 = Q_IPV6;
6377 }
6378 for (res = res0; res; res = res->ai_next) {
6379 switch (res->ai_family) {
6380 case AF_INET:
6381 if (tproto == Q_IPV6)
6382 continue;
6383
6384 sin4 = (struct sockaddr_in *)
6385 res->ai_addr;
6386 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
6387 0xffffffff, tproto, dir, q.addr);
6388 break;
6389 case AF_INET6:
6390 if (tproto6 == Q_IP)
6391 continue;
6392
6393 sin6 = (struct sockaddr_in6 *)
6394 res->ai_addr;
6395 tmp = gen_host6(cstate, &sin6->sin6_addr,
6396 &mask128, tproto6, dir, q.addr);
6397 break;
6398 default:
6399 continue;
6400 }
6401 if (b)
6402 gen_or(b, tmp);
6403 b = tmp;
6404 }
6405 cstate->ai = NULL;
6406 freeaddrinfo(res0);
6407 if (b == NULL) {
6408 bpf_error(cstate, "unknown host '%s'%s", name,
6409 (proto == Q_DEFAULT)
6410 ? ""
6411 : " for specified address family");
6412 }
6413 return b;
6414 #endif /*INET6*/
6415 }
6416
6417 case Q_PORT:
6418 if (proto != Q_DEFAULT &&
6419 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6420 bpf_error(cstate, "illegal qualifier of 'port'");
6421 if (pcap_nametoport(name, &port, &real_proto) == 0)
6422 bpf_error(cstate, "unknown port '%s'", name);
6423 if (proto == Q_UDP) {
6424 if (real_proto == IPPROTO_TCP)
6425 bpf_error(cstate, "port '%s' is tcp", name);
6426 else if (real_proto == IPPROTO_SCTP)
6427 bpf_error(cstate, "port '%s' is sctp", name);
6428 else
6429 /* override PROTO_UNDEF */
6430 real_proto = IPPROTO_UDP;
6431 }
6432 if (proto == Q_TCP) {
6433 if (real_proto == IPPROTO_UDP)
6434 bpf_error(cstate, "port '%s' is udp", name);
6435
6436 else if (real_proto == IPPROTO_SCTP)
6437 bpf_error(cstate, "port '%s' is sctp", name);
6438 else
6439 /* override PROTO_UNDEF */
6440 real_proto = IPPROTO_TCP;
6441 }
6442 if (proto == Q_SCTP) {
6443 if (real_proto == IPPROTO_UDP)
6444 bpf_error(cstate, "port '%s' is udp", name);
6445
6446 else if (real_proto == IPPROTO_TCP)
6447 bpf_error(cstate, "port '%s' is tcp", name);
6448 else
6449 /* override PROTO_UNDEF */
6450 real_proto = IPPROTO_SCTP;
6451 }
6452 if (port < 0)
6453 bpf_error(cstate, "illegal port number %d < 0", port);
6454 if (port > 65535)
6455 bpf_error(cstate, "illegal port number %d > 65535", port);
6456 b = gen_port(cstate, port, real_proto, dir);
6457 gen_or(gen_port6(cstate, port, real_proto, dir), b);
6458 return b;
6459
6460 case Q_PORTRANGE:
6461 if (proto != Q_DEFAULT &&
6462 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6463 bpf_error(cstate, "illegal qualifier of 'portrange'");
6464 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6465 bpf_error(cstate, "unknown port in range '%s'", name);
6466 if (proto == Q_UDP) {
6467 if (real_proto == IPPROTO_TCP)
6468 bpf_error(cstate, "port in range '%s' is tcp", name);
6469 else if (real_proto == IPPROTO_SCTP)
6470 bpf_error(cstate, "port in range '%s' is sctp", name);
6471 else
6472 /* override PROTO_UNDEF */
6473 real_proto = IPPROTO_UDP;
6474 }
6475 if (proto == Q_TCP) {
6476 if (real_proto == IPPROTO_UDP)
6477 bpf_error(cstate, "port in range '%s' is udp", name);
6478 else if (real_proto == IPPROTO_SCTP)
6479 bpf_error(cstate, "port in range '%s' is sctp", name);
6480 else
6481 /* override PROTO_UNDEF */
6482 real_proto = IPPROTO_TCP;
6483 }
6484 if (proto == Q_SCTP) {
6485 if (real_proto == IPPROTO_UDP)
6486 bpf_error(cstate, "port in range '%s' is udp", name);
6487 else if (real_proto == IPPROTO_TCP)
6488 bpf_error(cstate, "port in range '%s' is tcp", name);
6489 else
6490 /* override PROTO_UNDEF */
6491 real_proto = IPPROTO_SCTP;
6492 }
6493 if (port1 < 0)
6494 bpf_error(cstate, "illegal port number %d < 0", port1);
6495 if (port1 > 65535)
6496 bpf_error(cstate, "illegal port number %d > 65535", port1);
6497 if (port2 < 0)
6498 bpf_error(cstate, "illegal port number %d < 0", port2);
6499 if (port2 > 65535)
6500 bpf_error(cstate, "illegal port number %d > 65535", port2);
6501
6502 b = gen_portrange(cstate, port1, port2, real_proto, dir);
6503 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b);
6504 return b;
6505
6506 case Q_GATEWAY:
6507 #ifndef INET6
6508 eaddr = pcap_ether_hostton(name);
6509 if (eaddr == NULL)
6510 bpf_error(cstate, "unknown ether host: %s", name);
6511
6512 alist = pcap_nametoaddr(name);
6513 if (alist == NULL || *alist == NULL)
6514 bpf_error(cstate, "unknown host '%s'", name);
6515 b = gen_gateway(cstate, eaddr, alist, proto, dir);
6516 free(eaddr);
6517 return b;
6518 #else
6519 bpf_error(cstate, "'gateway' not supported in this configuration");
6520 #endif /*INET6*/
6521
6522 case Q_PROTO:
6523 real_proto = lookup_proto(cstate, name, proto);
6524 if (real_proto >= 0)
6525 return gen_proto(cstate, real_proto, proto, dir);
6526 else
6527 bpf_error(cstate, "unknown protocol: %s", name);
6528
6529 case Q_PROTOCHAIN:
6530 real_proto = lookup_proto(cstate, name, proto);
6531 if (real_proto >= 0)
6532 return gen_protochain(cstate, real_proto, proto, dir);
6533 else
6534 bpf_error(cstate, "unknown protocol: %s", name);
6535
6536 case Q_UNDEF:
6537 syntax(cstate);
6538 /* NOTREACHED */
6539 }
6540 abort();
6541 /* NOTREACHED */
6542 }
6543
6544 struct block *
6545 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
6546 unsigned int masklen, struct qual q)
6547 {
6548 register int nlen, mlen;
6549 bpf_u_int32 n, m;
6550
6551 nlen = __pcap_atoin(s1, &n);
6552 /* Promote short ipaddr */
6553 n <<= 32 - nlen;
6554
6555 if (s2 != NULL) {
6556 mlen = __pcap_atoin(s2, &m);
6557 /* Promote short ipaddr */
6558 m <<= 32 - mlen;
6559 if ((n & ~m) != 0)
6560 bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
6561 s1, s2);
6562 } else {
6563 /* Convert mask len to mask */
6564 if (masklen > 32)
6565 bpf_error(cstate, "mask length must be <= 32");
6566 if (masklen == 0) {
6567 /*
6568 * X << 32 is not guaranteed by C to be 0; it's
6569 * undefined.
6570 */
6571 m = 0;
6572 } else
6573 m = 0xffffffff << (32 - masklen);
6574 if ((n & ~m) != 0)
6575 bpf_error(cstate, "non-network bits set in \"%s/%d\"",
6576 s1, masklen);
6577 }
6578
6579 switch (q.addr) {
6580
6581 case Q_NET:
6582 return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
6583
6584 default:
6585 bpf_error(cstate, "Mask syntax for networks only");
6586 /* NOTREACHED */
6587 }
6588 /* NOTREACHED */
6589 return NULL;
6590 }
6591
6592 struct block *
6593 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
6594 {
6595 bpf_u_int32 mask;
6596 int proto = q.proto;
6597 int dir = q.dir;
6598 register int vlen;
6599
6600 if (s == NULL)
6601 vlen = 32;
6602 else if (q.proto == Q_DECNET) {
6603 vlen = __pcap_atodn(s, &v);
6604 if (vlen == 0)
6605 bpf_error(cstate, "malformed decnet address '%s'", s);
6606 } else
6607 vlen = __pcap_atoin(s, &v);
6608
6609 switch (q.addr) {
6610
6611 case Q_DEFAULT:
6612 case Q_HOST:
6613 case Q_NET:
6614 if (proto == Q_DECNET)
6615 return gen_host(cstate, v, 0, proto, dir, q.addr);
6616 else if (proto == Q_LINK) {
6617 bpf_error(cstate, "illegal link layer address");
6618 } else {
6619 mask = 0xffffffff;
6620 if (s == NULL && q.addr == Q_NET) {
6621 /* Promote short net number */
6622 while (v && (v & 0xff000000) == 0) {
6623 v <<= 8;
6624 mask <<= 8;
6625 }
6626 } else {
6627 /* Promote short ipaddr */
6628 v <<= 32 - vlen;
6629 mask <<= 32 - vlen ;
6630 }
6631 return gen_host(cstate, v, mask, proto, dir, q.addr);
6632 }
6633
6634 case Q_PORT:
6635 if (proto == Q_UDP)
6636 proto = IPPROTO_UDP;
6637 else if (proto == Q_TCP)
6638 proto = IPPROTO_TCP;
6639 else if (proto == Q_SCTP)
6640 proto = IPPROTO_SCTP;
6641 else if (proto == Q_DEFAULT)
6642 proto = PROTO_UNDEF;
6643 else
6644 bpf_error(cstate, "illegal qualifier of 'port'");
6645
6646 if (v > 65535)
6647 bpf_error(cstate, "illegal port number %u > 65535", v);
6648
6649 {
6650 struct block *b;
6651 b = gen_port(cstate, (int)v, proto, dir);
6652 gen_or(gen_port6(cstate, (int)v, proto, dir), b);
6653 return b;
6654 }
6655
6656 case Q_PORTRANGE:
6657 if (proto == Q_UDP)
6658 proto = IPPROTO_UDP;
6659 else if (proto == Q_TCP)
6660 proto = IPPROTO_TCP;
6661 else if (proto == Q_SCTP)
6662 proto = IPPROTO_SCTP;
6663 else if (proto == Q_DEFAULT)
6664 proto = PROTO_UNDEF;
6665 else
6666 bpf_error(cstate, "illegal qualifier of 'portrange'");
6667
6668 if (v > 65535)
6669 bpf_error(cstate, "illegal port number %u > 65535", v);
6670
6671 {
6672 struct block *b;
6673 b = gen_portrange(cstate, (int)v, (int)v, proto, dir);
6674 gen_or(gen_portrange6(cstate, (int)v, (int)v, proto, dir), b);
6675 return b;
6676 }
6677
6678 case Q_GATEWAY:
6679 bpf_error(cstate, "'gateway' requires a name");
6680 /* NOTREACHED */
6681
6682 case Q_PROTO:
6683 return gen_proto(cstate, (int)v, proto, dir);
6684
6685 case Q_PROTOCHAIN:
6686 return gen_protochain(cstate, (int)v, proto, dir);
6687
6688 case Q_UNDEF:
6689 syntax(cstate);
6690 /* NOTREACHED */
6691
6692 default:
6693 abort();
6694 /* NOTREACHED */
6695 }
6696 /* NOTREACHED */
6697 }
6698
6699 #ifdef INET6
6700 struct block *
6701 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2,
6702 unsigned int masklen, struct qual q)
6703 {
6704 struct addrinfo *res;
6705 struct in6_addr *addr;
6706 struct in6_addr mask;
6707 struct block *b;
6708 uint32_t *a, *m;
6709
6710 if (s2)
6711 bpf_error(cstate, "no mask %s supported", s2);
6712
6713 res = pcap_nametoaddrinfo(s1);
6714 if (!res)
6715 bpf_error(cstate, "invalid ip6 address %s", s1);
6716 cstate->ai = res;
6717 if (res->ai_next)
6718 bpf_error(cstate, "%s resolved to multiple address", s1);
6719 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
6720
6721 if (sizeof(mask) * 8 < masklen)
6722 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
6723 memset(&mask, 0, sizeof(mask));
6724 memset(&mask, 0xff, masklen / 8);
6725 if (masklen % 8) {
6726 mask.s6_addr[masklen / 8] =
6727 (0xff << (8 - masklen % 8)) & 0xff;
6728 }
6729
6730 a = (uint32_t *)addr;
6731 m = (uint32_t *)&mask;
6732 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
6733 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
6734 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen);
6735 }
6736
6737 switch (q.addr) {
6738
6739 case Q_DEFAULT:
6740 case Q_HOST:
6741 if (masklen != 128)
6742 bpf_error(cstate, "Mask syntax for networks only");
6743 /* FALLTHROUGH */
6744
6745 case Q_NET:
6746 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr);
6747 cstate->ai = NULL;
6748 freeaddrinfo(res);
6749 return b;
6750
6751 default:
6752 bpf_error(cstate, "invalid qualifier against IPv6 address");
6753 /* NOTREACHED */
6754 }
6755 return NULL;
6756 }
6757 #endif /*INET6*/
6758
6759 struct block *
6760 gen_ecode(compiler_state_t *cstate, const u_char *eaddr, struct qual q)
6761 {
6762 struct block *b, *tmp;
6763
6764 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
6765 switch (cstate->linktype) {
6766 case DLT_EN10MB:
6767 case DLT_NETANALYZER:
6768 case DLT_NETANALYZER_TRANSPARENT:
6769 tmp = gen_prevlinkhdr_check(cstate);
6770 b = gen_ehostop(cstate, eaddr, (int)q.dir);
6771 if (tmp != NULL)
6772 gen_and(tmp, b);
6773 return b;
6774 case DLT_FDDI:
6775 return gen_fhostop(cstate, eaddr, (int)q.dir);
6776 case DLT_IEEE802:
6777 return gen_thostop(cstate, eaddr, (int)q.dir);
6778 case DLT_IEEE802_11:
6779 case DLT_PRISM_HEADER:
6780 case DLT_IEEE802_11_RADIO_AVS:
6781 case DLT_IEEE802_11_RADIO:
6782 case DLT_PPI:
6783 return gen_wlanhostop(cstate, eaddr, (int)q.dir);
6784 case DLT_IP_OVER_FC:
6785 return gen_ipfchostop(cstate, eaddr, (int)q.dir);
6786 default:
6787 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
6788 break;
6789 }
6790 }
6791 bpf_error(cstate, "ethernet address used in non-ether expression");
6792 /* NOTREACHED */
6793 return NULL;
6794 }
6795
6796 void
6797 sappend(s0, s1)
6798 struct slist *s0, *s1;
6799 {
6800 /*
6801 * This is definitely not the best way to do this, but the
6802 * lists will rarely get long.
6803 */
6804 while (s0->next)
6805 s0 = s0->next;
6806 s0->next = s1;
6807 }
6808
6809 static struct slist *
6810 xfer_to_x(compiler_state_t *cstate, struct arth *a)
6811 {
6812 struct slist *s;
6813
6814 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
6815 s->s.k = a->regno;
6816 return s;
6817 }
6818
6819 static struct slist *
6820 xfer_to_a(compiler_state_t *cstate, struct arth *a)
6821 {
6822 struct slist *s;
6823
6824 s = new_stmt(cstate, BPF_LD|BPF_MEM);
6825 s->s.k = a->regno;
6826 return s;
6827 }
6828
6829 /*
6830 * Modify "index" to use the value stored into its register as an
6831 * offset relative to the beginning of the header for the protocol
6832 * "proto", and allocate a register and put an item "size" bytes long
6833 * (1, 2, or 4) at that offset into that register, making it the register
6834 * for "index".
6835 */
6836 struct arth *
6837 gen_load(compiler_state_t *cstate, int proto, struct arth *inst, int size)
6838 {
6839 struct slist *s, *tmp;
6840 struct block *b;
6841 int regno = alloc_reg(cstate);
6842
6843 free_reg(cstate, inst->regno);
6844 switch (size) {
6845
6846 default:
6847 bpf_error(cstate, "data size must be 1, 2, or 4");
6848
6849 case 1:
6850 size = BPF_B;
6851 break;
6852
6853 case 2:
6854 size = BPF_H;
6855 break;
6856
6857 case 4:
6858 size = BPF_W;
6859 break;
6860 }
6861 switch (proto) {
6862 default:
6863 bpf_error(cstate, "unsupported index operation");
6864
6865 case Q_RADIO:
6866 /*
6867 * The offset is relative to the beginning of the packet
6868 * data, if we have a radio header. (If we don't, this
6869 * is an error.)
6870 */
6871 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS &&
6872 cstate->linktype != DLT_IEEE802_11_RADIO &&
6873 cstate->linktype != DLT_PRISM_HEADER)
6874 bpf_error(cstate, "radio information not present in capture");
6875
6876 /*
6877 * Load into the X register the offset computed into the
6878 * register specified by "index".
6879 */
6880 s = xfer_to_x(cstate, inst);
6881
6882 /*
6883 * Load the item at that offset.
6884 */
6885 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
6886 sappend(s, tmp);
6887 sappend(inst->s, s);
6888 break;
6889
6890 case Q_LINK:
6891 /*
6892 * The offset is relative to the beginning of
6893 * the link-layer header.
6894 *
6895 * XXX - what about ATM LANE? Should the index be
6896 * relative to the beginning of the AAL5 frame, so
6897 * that 0 refers to the beginning of the LE Control
6898 * field, or relative to the beginning of the LAN
6899 * frame, so that 0 refers, for Ethernet LANE, to
6900 * the beginning of the destination address?
6901 */
6902 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr);
6903
6904 /*
6905 * If "s" is non-null, it has code to arrange that the
6906 * X register contains the length of the prefix preceding
6907 * the link-layer header. Add to it the offset computed
6908 * into the register specified by "index", and move that
6909 * into the X register. Otherwise, just load into the X
6910 * register the offset computed into the register specified
6911 * by "index".
6912 */
6913 if (s != NULL) {
6914 sappend(s, xfer_to_a(cstate, inst));
6915 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
6916 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
6917 } else
6918 s = xfer_to_x(cstate, inst);
6919
6920 /*
6921 * Load the item at the sum of the offset we've put in the
6922 * X register and the offset of the start of the link
6923 * layer header (which is 0 if the radio header is
6924 * variable-length; that header length is what we put
6925 * into the X register and then added to the index).
6926 */
6927 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
6928 tmp->s.k = cstate->off_linkhdr.constant_part;
6929 sappend(s, tmp);
6930 sappend(inst->s, s);
6931 break;
6932
6933 case Q_IP:
6934 case Q_ARP:
6935 case Q_RARP:
6936 case Q_ATALK:
6937 case Q_DECNET:
6938 case Q_SCA:
6939 case Q_LAT:
6940 case Q_MOPRC:
6941 case Q_MOPDL:
6942 case Q_IPV6:
6943 /*
6944 * The offset is relative to the beginning of
6945 * the network-layer header.
6946 * XXX - are there any cases where we want
6947 * cstate->off_nl_nosnap?
6948 */
6949 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
6950
6951 /*
6952 * If "s" is non-null, it has code to arrange that the
6953 * X register contains the variable part of the offset
6954 * of the link-layer payload. Add to it the offset
6955 * computed into the register specified by "index",
6956 * and move that into the X register. Otherwise, just
6957 * load into the X register the offset computed into
6958 * the register specified by "index".
6959 */
6960 if (s != NULL) {
6961 sappend(s, xfer_to_a(cstate, inst));
6962 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
6963 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
6964 } else
6965 s = xfer_to_x(cstate, inst);
6966
6967 /*
6968 * Load the item at the sum of the offset we've put in the
6969 * X register, the offset of the start of the network
6970 * layer header from the beginning of the link-layer
6971 * payload, and the constant part of the offset of the
6972 * start of the link-layer payload.
6973 */
6974 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size);
6975 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6976 sappend(s, tmp);
6977 sappend(inst->s, s);
6978
6979 /*
6980 * Do the computation only if the packet contains
6981 * the protocol in question.
6982 */
6983 b = gen_proto_abbrev(cstate, proto);
6984 if (inst->b)
6985 gen_and(inst->b, b);
6986 inst->b = b;
6987 break;
6988
6989 case Q_SCTP:
6990 case Q_TCP:
6991 case Q_UDP:
6992 case Q_ICMP:
6993 case Q_IGMP:
6994 case Q_IGRP:
6995 case Q_PIM:
6996 case Q_VRRP:
6997 case Q_CARP:
6998 /*
6999 * The offset is relative to the beginning of
7000 * the transport-layer header.
7001 *
7002 * Load the X register with the length of the IPv4 header
7003 * (plus the offset of the link-layer header, if it's
7004 * a variable-length header), in bytes.
7005 *
7006 * XXX - are there any cases where we want
7007 * cstate->off_nl_nosnap?
7008 * XXX - we should, if we're built with
7009 * IPv6 support, generate code to load either
7010 * IPv4, IPv6, or both, as appropriate.
7011 */
7012 s = gen_loadx_iphdrlen(cstate);
7013
7014 /*
7015 * The X register now contains the sum of the variable
7016 * part of the offset of the link-layer payload and the
7017 * length of the network-layer header.
7018 *
7019 * Load into the A register the offset relative to
7020 * the beginning of the transport layer header,
7021 * add the X register to that, move that to the
7022 * X register, and load with an offset from the
7023 * X register equal to the sum of the constant part of
7024 * the offset of the link-layer payload and the offset,
7025 * relative to the beginning of the link-layer payload,
7026 * of the network-layer header.
7027 */
7028 sappend(s, xfer_to_a(cstate, inst));
7029 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7030 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7031 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size));
7032 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7033 sappend(inst->s, s);
7034
7035 /*
7036 * Do the computation only if the packet contains
7037 * the protocol in question - which is true only
7038 * if this is an IP datagram and is the first or
7039 * only fragment of that datagram.
7040 */
7041 gen_and(gen_proto_abbrev(cstate, proto), b = gen_ipfrag(cstate));
7042 if (inst->b)
7043 gen_and(inst->b, b);
7044 gen_and(gen_proto_abbrev(cstate, Q_IP), b);
7045 inst->b = b;
7046 break;
7047 case Q_ICMPV6:
7048 bpf_error(cstate, "IPv6 upper-layer protocol is not supported by proto[x]");
7049 /*NOTREACHED*/
7050 }
7051 inst->regno = regno;
7052 s = new_stmt(cstate, BPF_ST);
7053 s->s.k = regno;
7054 sappend(inst->s, s);
7055
7056 return inst;
7057 }
7058
7059 struct block *
7060 gen_relation(compiler_state_t *cstate, int code, struct arth *a0,
7061 struct arth *a1, int reversed)
7062 {
7063 struct slist *s0, *s1, *s2;
7064 struct block *b, *tmp;
7065
7066 s0 = xfer_to_x(cstate, a1);
7067 s1 = xfer_to_a(cstate, a0);
7068 if (code == BPF_JEQ) {
7069 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X);
7070 b = new_block(cstate, JMP(code));
7071 sappend(s1, s2);
7072 }
7073 else
7074 b = new_block(cstate, BPF_JMP|code|BPF_X);
7075 if (reversed)
7076 gen_not(b);
7077
7078 sappend(s0, s1);
7079 sappend(a1->s, s0);
7080 sappend(a0->s, a1->s);
7081
7082 b->stmts = a0->s;
7083
7084 free_reg(cstate, a0->regno);
7085 free_reg(cstate, a1->regno);
7086
7087 /* 'and' together protocol checks */
7088 if (a0->b) {
7089 if (a1->b) {
7090 gen_and(a0->b, tmp = a1->b);
7091 }
7092 else
7093 tmp = a0->b;
7094 } else
7095 tmp = a1->b;
7096
7097 if (tmp)
7098 gen_and(tmp, b);
7099
7100 return b;
7101 }
7102
7103 struct arth *
7104 gen_loadlen(compiler_state_t *cstate)
7105 {
7106 int regno = alloc_reg(cstate);
7107 struct arth *a = (struct arth *)newchunk(cstate, sizeof(*a));
7108 struct slist *s;
7109
7110 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7111 s->next = new_stmt(cstate, BPF_ST);
7112 s->next->s.k = regno;
7113 a->s = s;
7114 a->regno = regno;
7115
7116 return a;
7117 }
7118
7119 struct arth *
7120 gen_loadi(compiler_state_t *cstate, int val)
7121 {
7122 struct arth *a;
7123 struct slist *s;
7124 int reg;
7125
7126 a = (struct arth *)newchunk(cstate, sizeof(*a));
7127
7128 reg = alloc_reg(cstate);
7129
7130 s = new_stmt(cstate, BPF_LD|BPF_IMM);
7131 s->s.k = val;
7132 s->next = new_stmt(cstate, BPF_ST);
7133 s->next->s.k = reg;
7134 a->s = s;
7135 a->regno = reg;
7136
7137 return a;
7138 }
7139
7140 struct arth *
7141 gen_neg(compiler_state_t *cstate, struct arth *a)
7142 {
7143 struct slist *s;
7144
7145 s = xfer_to_a(cstate, a);
7146 sappend(a->s, s);
7147 s = new_stmt(cstate, BPF_ALU|BPF_NEG);
7148 s->s.k = 0;
7149 sappend(a->s, s);
7150 s = new_stmt(cstate, BPF_ST);
7151 s->s.k = a->regno;
7152 sappend(a->s, s);
7153
7154 return a;
7155 }
7156
7157 struct arth *
7158 gen_arth(compiler_state_t *cstate, int code, struct arth *a0,
7159 struct arth *a1)
7160 {
7161 struct slist *s0, *s1, *s2;
7162
7163 /*
7164 * Disallow division by, or modulus by, zero; we do this here
7165 * so that it gets done even if the optimizer is disabled.
7166 */
7167 if (code == BPF_DIV) {
7168 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7169 bpf_error(cstate, "division by zero");
7170 } else if (code == BPF_MOD) {
7171 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7172 bpf_error(cstate, "modulus by zero");
7173 }
7174 s0 = xfer_to_x(cstate, a1);
7175 s1 = xfer_to_a(cstate, a0);
7176 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code);
7177
7178 sappend(s1, s2);
7179 sappend(s0, s1);
7180 sappend(a1->s, s0);
7181 sappend(a0->s, a1->s);
7182
7183 free_reg(cstate, a0->regno);
7184 free_reg(cstate, a1->regno);
7185
7186 s0 = new_stmt(cstate, BPF_ST);
7187 a0->regno = s0->s.k = alloc_reg(cstate);
7188 sappend(a0->s, s0);
7189
7190 return a0;
7191 }
7192
7193 /*
7194 * Initialize the table of used registers and the current register.
7195 */
7196 static void
7197 init_regs(compiler_state_t *cstate)
7198 {
7199 cstate->curreg = 0;
7200 memset(cstate->regused, 0, sizeof cstate->regused);
7201 }
7202
7203 /*
7204 * Return the next free register.
7205 */
7206 static int
7207 alloc_reg(compiler_state_t *cstate)
7208 {
7209 int n = BPF_MEMWORDS;
7210
7211 while (--n >= 0) {
7212 if (cstate->regused[cstate->curreg])
7213 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS;
7214 else {
7215 cstate->regused[cstate->curreg] = 1;
7216 return cstate->curreg;
7217 }
7218 }
7219 bpf_error(cstate, "too many registers needed to evaluate expression");
7220 /* NOTREACHED */
7221 return 0;
7222 }
7223
7224 /*
7225 * Return a register to the table so it can
7226 * be used later.
7227 */
7228 static void
7229 free_reg(compiler_state_t *cstate, int n)
7230 {
7231 cstate->regused[n] = 0;
7232 }
7233
7234 static struct block *
7235 gen_len(compiler_state_t *cstate, int jmp, int n)
7236 {
7237 struct slist *s;
7238 struct block *b;
7239
7240 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7241 b = new_block(cstate, JMP(jmp));
7242 b->stmts = s;
7243 b->s.k = n;
7244
7245 return b;
7246 }
7247
7248 struct block *
7249 gen_greater(compiler_state_t *cstate, int n)
7250 {
7251 return gen_len(cstate, BPF_JGE, n);
7252 }
7253
7254 /*
7255 * Actually, this is less than or equal.
7256 */
7257 struct block *
7258 gen_less(compiler_state_t *cstate, int n)
7259 {
7260 struct block *b;
7261
7262 b = gen_len(cstate, BPF_JGT, n);
7263 gen_not(b);
7264
7265 return b;
7266 }
7267
7268 /*
7269 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7270 * the beginning of the link-layer header.
7271 * XXX - that means you can't test values in the radiotap header, but
7272 * as that header is difficult if not impossible to parse generally
7273 * without a loop, that might not be a severe problem. A new keyword
7274 * "radio" could be added for that, although what you'd really want
7275 * would be a way of testing particular radio header values, which
7276 * would generate code appropriate to the radio header in question.
7277 */
7278 struct block *
7279 gen_byteop(compiler_state_t *cstate, int op, int idx, int val)
7280 {
7281 struct block *b;
7282 struct slist *s;
7283
7284 switch (op) {
7285 default:
7286 abort();
7287
7288 case '=':
7289 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7290
7291 case '<':
7292 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7293 return b;
7294
7295 case '>':
7296 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, (bpf_int32)val);
7297 return b;
7298
7299 case '|':
7300 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K);
7301 break;
7302
7303 case '&':
7304 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
7305 break;
7306 }
7307 s->s.k = val;
7308 b = new_block(cstate, JMP(BPF_JEQ));
7309 b->stmts = s;
7310 gen_not(b);
7311
7312 return b;
7313 }
7314
7315 static const u_char abroadcast[] = { 0x0 };
7316
7317 struct block *
7318 gen_broadcast(compiler_state_t *cstate, int proto)
7319 {
7320 bpf_u_int32 hostmask;
7321 struct block *b0, *b1, *b2;
7322 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7323
7324 switch (proto) {
7325
7326 case Q_DEFAULT:
7327 case Q_LINK:
7328 switch (cstate->linktype) {
7329 case DLT_ARCNET:
7330 case DLT_ARCNET_LINUX:
7331 return gen_ahostop(cstate, abroadcast, Q_DST);
7332 case DLT_EN10MB:
7333 case DLT_NETANALYZER:
7334 case DLT_NETANALYZER_TRANSPARENT:
7335 b1 = gen_prevlinkhdr_check(cstate);
7336 b0 = gen_ehostop(cstate, ebroadcast, Q_DST);
7337 if (b1 != NULL)
7338 gen_and(b1, b0);
7339 return b0;
7340 case DLT_FDDI:
7341 return gen_fhostop(cstate, ebroadcast, Q_DST);
7342 case DLT_IEEE802:
7343 return gen_thostop(cstate, ebroadcast, Q_DST);
7344 case DLT_IEEE802_11:
7345 case DLT_PRISM_HEADER:
7346 case DLT_IEEE802_11_RADIO_AVS:
7347 case DLT_IEEE802_11_RADIO:
7348 case DLT_PPI:
7349 return gen_wlanhostop(cstate, ebroadcast, Q_DST);
7350 case DLT_IP_OVER_FC:
7351 return gen_ipfchostop(cstate, ebroadcast, Q_DST);
7352 default:
7353 bpf_error(cstate, "not a broadcast link");
7354 }
7355 break;
7356
7357 case Q_IP:
7358 /*
7359 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7360 * as an indication that we don't know the netmask, and fail
7361 * in that case.
7362 */
7363 if (cstate->netmask == PCAP_NETMASK_UNKNOWN)
7364 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported");
7365 b0 = gen_linktype(cstate, ETHERTYPE_IP);
7366 hostmask = ~cstate->netmask;
7367 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, (bpf_int32)0, hostmask);
7368 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W,
7369 (bpf_int32)(~0 & hostmask), hostmask);
7370 gen_or(b1, b2);
7371 gen_and(b0, b2);
7372 return b2;
7373 }
7374 bpf_error(cstate, "only link-layer/IP broadcast filters supported");
7375 /* NOTREACHED */
7376 return NULL;
7377 }
7378
7379 /*
7380 * Generate code to test the low-order bit of a MAC address (that's
7381 * the bottom bit of the *first* byte).
7382 */
7383 static struct block *
7384 gen_mac_multicast(compiler_state_t *cstate, int offset)
7385 {
7386 register struct block *b0;
7387 register struct slist *s;
7388
7389 /* link[offset] & 1 != 0 */
7390 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B);
7391 b0 = new_block(cstate, JMP(BPF_JSET));
7392 b0->s.k = 1;
7393 b0->stmts = s;
7394 return b0;
7395 }
7396
7397 struct block *
7398 gen_multicast(compiler_state_t *cstate, int proto)
7399 {
7400 register struct block *b0, *b1, *b2;
7401 register struct slist *s;
7402
7403 switch (proto) {
7404
7405 case Q_DEFAULT:
7406 case Q_LINK:
7407 switch (cstate->linktype) {
7408 case DLT_ARCNET:
7409 case DLT_ARCNET_LINUX:
7410 /* all ARCnet multicasts use the same address */
7411 return gen_ahostop(cstate, abroadcast, Q_DST);
7412 case DLT_EN10MB:
7413 case DLT_NETANALYZER:
7414 case DLT_NETANALYZER_TRANSPARENT:
7415 b1 = gen_prevlinkhdr_check(cstate);
7416 /* ether[0] & 1 != 0 */
7417 b0 = gen_mac_multicast(cstate, 0);
7418 if (b1 != NULL)
7419 gen_and(b1, b0);
7420 return b0;
7421 case DLT_FDDI:
7422 /*
7423 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
7424 *
7425 * XXX - was that referring to bit-order issues?
7426 */
7427 /* fddi[1] & 1 != 0 */
7428 return gen_mac_multicast(cstate, 1);
7429 case DLT_IEEE802:
7430 /* tr[2] & 1 != 0 */
7431 return gen_mac_multicast(cstate, 2);
7432 case DLT_IEEE802_11:
7433 case DLT_PRISM_HEADER:
7434 case DLT_IEEE802_11_RADIO_AVS:
7435 case DLT_IEEE802_11_RADIO:
7436 case DLT_PPI:
7437 /*
7438 * Oh, yuk.
7439 *
7440 * For control frames, there is no DA.
7441 *
7442 * For management frames, DA is at an
7443 * offset of 4 from the beginning of
7444 * the packet.
7445 *
7446 * For data frames, DA is at an offset
7447 * of 4 from the beginning of the packet
7448 * if To DS is clear and at an offset of
7449 * 16 from the beginning of the packet
7450 * if To DS is set.
7451 */
7452
7453 /*
7454 * Generate the tests to be done for data frames.
7455 *
7456 * First, check for To DS set, i.e. "link[1] & 0x01".
7457 */
7458 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
7459 b1 = new_block(cstate, JMP(BPF_JSET));
7460 b1->s.k = 0x01; /* To DS */
7461 b1->stmts = s;
7462
7463 /*
7464 * If To DS is set, the DA is at 16.
7465 */
7466 b0 = gen_mac_multicast(cstate, 16);
7467 gen_and(b1, b0);
7468
7469 /*
7470 * Now, check for To DS not set, i.e. check
7471 * "!(link[1] & 0x01)".
7472 */
7473 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
7474 b2 = new_block(cstate, JMP(BPF_JSET));
7475 b2->s.k = 0x01; /* To DS */
7476 b2->stmts = s;
7477 gen_not(b2);
7478
7479 /*
7480 * If To DS is not set, the DA is at 4.
7481 */
7482 b1 = gen_mac_multicast(cstate, 4);
7483 gen_and(b2, b1);
7484
7485 /*
7486 * Now OR together the last two checks. That gives
7487 * the complete set of checks for data frames.
7488 */
7489 gen_or(b1, b0);
7490
7491 /*
7492 * Now check for a data frame.
7493 * I.e, check "link[0] & 0x08".
7494 */
7495 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
7496 b1 = new_block(cstate, JMP(BPF_JSET));
7497 b1->s.k = 0x08;
7498 b1->stmts = s;
7499
7500 /*
7501 * AND that with the checks done for data frames.
7502 */
7503 gen_and(b1, b0);
7504
7505 /*
7506 * If the high-order bit of the type value is 0, this
7507 * is a management frame.
7508 * I.e, check "!(link[0] & 0x08)".
7509 */
7510 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
7511 b2 = new_block(cstate, JMP(BPF_JSET));
7512 b2->s.k = 0x08;
7513 b2->stmts = s;
7514 gen_not(b2);
7515
7516 /*
7517 * For management frames, the DA is at 4.
7518 */
7519 b1 = gen_mac_multicast(cstate, 4);
7520 gen_and(b2, b1);
7521
7522 /*
7523 * OR that with the checks done for data frames.
7524 * That gives the checks done for management and
7525 * data frames.
7526 */
7527 gen_or(b1, b0);
7528
7529 /*
7530 * If the low-order bit of the type value is 1,
7531 * this is either a control frame or a frame
7532 * with a reserved type, and thus not a
7533 * frame with an SA.
7534 *
7535 * I.e., check "!(link[0] & 0x04)".
7536 */
7537 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
7538 b1 = new_block(cstate, JMP(BPF_JSET));
7539 b1->s.k = 0x04;
7540 b1->stmts = s;
7541 gen_not(b1);
7542
7543 /*
7544 * AND that with the checks for data and management
7545 * frames.
7546 */
7547 gen_and(b1, b0);
7548 return b0;
7549 case DLT_IP_OVER_FC:
7550 b0 = gen_mac_multicast(cstate, 2);
7551 return b0;
7552 default:
7553 break;
7554 }
7555 /* Link not known to support multicasts */
7556 break;
7557
7558 case Q_IP:
7559 b0 = gen_linktype(cstate, ETHERTYPE_IP);
7560 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, (bpf_int32)224);
7561 gen_and(b0, b1);
7562 return b1;
7563
7564 case Q_IPV6:
7565 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
7566 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, (bpf_int32)255);
7567 gen_and(b0, b1);
7568 return b1;
7569 }
7570 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
7571 /* NOTREACHED */
7572 return NULL;
7573 }
7574
7575 /*
7576 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
7577 * Outbound traffic is sent by this machine, while inbound traffic is
7578 * sent by a remote machine (and may include packets destined for a
7579 * unicast or multicast link-layer address we are not subscribing to).
7580 * These are the same definitions implemented by pcap_setdirection().
7581 * Capturing only unicast traffic destined for this host is probably
7582 * better accomplished using a higher-layer filter.
7583 */
7584 struct block *
7585 gen_inbound(compiler_state_t *cstate, int dir)
7586 {
7587 register struct block *b0;
7588
7589 /*
7590 * Only some data link types support inbound/outbound qualifiers.
7591 */
7592 switch (cstate->linktype) {
7593 case DLT_SLIP:
7594 b0 = gen_relation(cstate, BPF_JEQ,
7595 gen_load(cstate, Q_LINK, gen_loadi(cstate, 0), 1),
7596 gen_loadi(cstate, 0),
7597 dir);
7598 break;
7599
7600 case DLT_IPNET:
7601 if (dir) {
7602 /* match outgoing packets */
7603 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND);
7604 } else {
7605 /* match incoming packets */
7606 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND);
7607 }
7608 break;
7609
7610 case DLT_LINUX_SLL:
7611 /* match outgoing packets */
7612 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
7613 if (!dir) {
7614 /* to filter on inbound traffic, invert the match */
7615 gen_not(b0);
7616 }
7617 break;
7618
7619 #ifdef HAVE_NET_PFVAR_H
7620 case DLT_PFLOG:
7621 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
7622 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
7623 break;
7624 #endif
7625
7626 case DLT_PPP_PPPD:
7627 if (dir) {
7628 /* match outgoing packets */
7629 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT);
7630 } else {
7631 /* match incoming packets */
7632 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN);
7633 }
7634 break;
7635
7636 case DLT_JUNIPER_MFR:
7637 case DLT_JUNIPER_MLFR:
7638 case DLT_JUNIPER_MLPPP:
7639 case DLT_JUNIPER_ATM1:
7640 case DLT_JUNIPER_ATM2:
7641 case DLT_JUNIPER_PPPOE:
7642 case DLT_JUNIPER_PPPOE_ATM:
7643 case DLT_JUNIPER_GGSN:
7644 case DLT_JUNIPER_ES:
7645 case DLT_JUNIPER_MONITOR:
7646 case DLT_JUNIPER_SERVICES:
7647 case DLT_JUNIPER_ETHER:
7648 case DLT_JUNIPER_PPP:
7649 case DLT_JUNIPER_FRELAY:
7650 case DLT_JUNIPER_CHDLC:
7651 case DLT_JUNIPER_VP:
7652 case DLT_JUNIPER_ST:
7653 case DLT_JUNIPER_ISM:
7654 case DLT_JUNIPER_VS:
7655 case DLT_JUNIPER_SRX_E2E:
7656 case DLT_JUNIPER_FIBRECHANNEL:
7657 case DLT_JUNIPER_ATM_CEMIC:
7658
7659 /* juniper flags (including direction) are stored
7660 * the byte after the 3-byte magic number */
7661 if (dir) {
7662 /* match outgoing packets */
7663 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01);
7664 } else {
7665 /* match incoming packets */
7666 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01);
7667 }
7668 break;
7669
7670 default:
7671 /*
7672 * If we have packet meta-data indicating a direction,
7673 * check it, otherwise give up as this link-layer type
7674 * has nothing in the packet data.
7675 */
7676 #if defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER)
7677 /*
7678 * This is Linux with PF_PACKET support.
7679 * If this is a *live* capture, we can look at
7680 * special meta-data in the filter expression;
7681 * if it's a savefile, we can't.
7682 */
7683 if (cstate->bpf_pcap->rfile != NULL) {
7684 /* We have a FILE *, so this is a savefile */
7685 bpf_error(cstate, "inbound/outbound not supported on linktype %d when reading savefiles",
7686 cstate->linktype);
7687 b0 = NULL;
7688 /* NOTREACHED */
7689 }
7690 /* match outgoing packets */
7691 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
7692 PACKET_OUTGOING);
7693 if (!dir) {
7694 /* to filter on inbound traffic, invert the match */
7695 gen_not(b0);
7696 }
7697 #else /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7698 bpf_error(cstate, "inbound/outbound not supported on linktype %d",
7699 cstate->linktype);
7700 b0 = NULL;
7701 /* NOTREACHED */
7702 #endif /* defined(linux) && defined(PF_PACKET) && defined(SO_ATTACH_FILTER) */
7703 }
7704 return (b0);
7705 }
7706
7707 #ifdef HAVE_NET_PFVAR_H
7708 /* PF firewall log matched interface */
7709 struct block *
7710 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
7711 {
7712 struct block *b0;
7713 u_int len, off;
7714
7715 if (cstate->linktype != DLT_PFLOG) {
7716 bpf_error(cstate, "ifname supported only on PF linktype");
7717 /* NOTREACHED */
7718 }
7719 len = sizeof(((struct pfloghdr *)0)->ifname);
7720 off = offsetof(struct pfloghdr, ifname);
7721 if (strlen(ifname) >= len) {
7722 bpf_error(cstate, "ifname interface names can only be %d characters",
7723 len-1);
7724 /* NOTREACHED */
7725 }
7726 b0 = gen_bcmp(cstate, OR_LINKHDR, off, strlen(ifname), (const u_char *)ifname);
7727 return (b0);
7728 }
7729
7730 /* PF firewall log ruleset name */
7731 struct block *
7732 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
7733 {
7734 struct block *b0;
7735
7736 if (cstate->linktype != DLT_PFLOG) {
7737 bpf_error(cstate, "ruleset supported only on PF linktype");
7738 /* NOTREACHED */
7739 }
7740
7741 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
7742 bpf_error(cstate, "ruleset names can only be %ld characters",
7743 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
7744 /* NOTREACHED */
7745 }
7746
7747 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
7748 strlen(ruleset), (const u_char *)ruleset);
7749 return (b0);
7750 }
7751
7752 /* PF firewall log rule number */
7753 struct block *
7754 gen_pf_rnr(compiler_state_t *cstate, int rnr)
7755 {
7756 struct block *b0;
7757
7758 if (cstate->linktype != DLT_PFLOG) {
7759 bpf_error(cstate, "rnr supported only on PF linktype");
7760 /* NOTREACHED */
7761 }
7762
7763 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
7764 (bpf_int32)rnr);
7765 return (b0);
7766 }
7767
7768 /* PF firewall log sub-rule number */
7769 struct block *
7770 gen_pf_srnr(compiler_state_t *cstate, int srnr)
7771 {
7772 struct block *b0;
7773
7774 if (cstate->linktype != DLT_PFLOG) {
7775 bpf_error(cstate, "srnr supported only on PF linktype");
7776 /* NOTREACHED */
7777 }
7778
7779 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
7780 (bpf_int32)srnr);
7781 return (b0);
7782 }
7783
7784 /* PF firewall log reason code */
7785 struct block *
7786 gen_pf_reason(compiler_state_t *cstate, int reason)
7787 {
7788 struct block *b0;
7789
7790 if (cstate->linktype != DLT_PFLOG) {
7791 bpf_error(cstate, "reason supported only on PF linktype");
7792 /* NOTREACHED */
7793 }
7794
7795 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
7796 (bpf_int32)reason);
7797 return (b0);
7798 }
7799
7800 /* PF firewall log action */
7801 struct block *
7802 gen_pf_action(compiler_state_t *cstate, int action)
7803 {
7804 struct block *b0;
7805
7806 if (cstate->linktype != DLT_PFLOG) {
7807 bpf_error(cstate, "action supported only on PF linktype");
7808 /* NOTREACHED */
7809 }
7810
7811 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
7812 (bpf_int32)action);
7813 return (b0);
7814 }
7815 #else /* !HAVE_NET_PFVAR_H */
7816 struct block *
7817 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
7818 {
7819 bpf_error(cstate, "libpcap was compiled without pf support");
7820 /* NOTREACHED */
7821 return (NULL);
7822 }
7823
7824 struct block *
7825 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
7826 {
7827 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7828 /* NOTREACHED */
7829 return (NULL);
7830 }
7831
7832 struct block *
7833 gen_pf_rnr(compiler_state_t *cstate, int rnr)
7834 {
7835 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7836 /* NOTREACHED */
7837 return (NULL);
7838 }
7839
7840 struct block *
7841 gen_pf_srnr(compiler_state_t *cstate, int srnr)
7842 {
7843 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7844 /* NOTREACHED */
7845 return (NULL);
7846 }
7847
7848 struct block *
7849 gen_pf_reason(compiler_state_t *cstate, int reason)
7850 {
7851 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7852 /* NOTREACHED */
7853 return (NULL);
7854 }
7855
7856 struct block *
7857 gen_pf_action(compiler_state_t *cstate, int action)
7858 {
7859 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
7860 /* NOTREACHED */
7861 return (NULL);
7862 }
7863 #endif /* HAVE_NET_PFVAR_H */
7864
7865 /* IEEE 802.11 wireless header */
7866 struct block *
7867 gen_p80211_type(compiler_state_t *cstate, int type, int mask)
7868 {
7869 struct block *b0;
7870
7871 switch (cstate->linktype) {
7872
7873 case DLT_IEEE802_11:
7874 case DLT_PRISM_HEADER:
7875 case DLT_IEEE802_11_RADIO_AVS:
7876 case DLT_IEEE802_11_RADIO:
7877 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, (bpf_int32)type,
7878 (bpf_int32)mask);
7879 break;
7880
7881 default:
7882 bpf_error(cstate, "802.11 link-layer types supported only on 802.11");
7883 /* NOTREACHED */
7884 }
7885
7886 return (b0);
7887 }
7888
7889 struct block *
7890 gen_p80211_fcdir(compiler_state_t *cstate, int fcdir)
7891 {
7892 struct block *b0;
7893
7894 switch (cstate->linktype) {
7895
7896 case DLT_IEEE802_11:
7897 case DLT_PRISM_HEADER:
7898 case DLT_IEEE802_11_RADIO_AVS:
7899 case DLT_IEEE802_11_RADIO:
7900 break;
7901
7902 default:
7903 bpf_error(cstate, "frame direction supported only with 802.11 headers");
7904 /* NOTREACHED */
7905 }
7906
7907 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, (bpf_int32)fcdir,
7908 (bpf_u_int32)IEEE80211_FC1_DIR_MASK);
7909
7910 return (b0);
7911 }
7912
7913 struct block *
7914 gen_acode(compiler_state_t *cstate, const u_char *eaddr, struct qual q)
7915 {
7916 switch (cstate->linktype) {
7917
7918 case DLT_ARCNET:
7919 case DLT_ARCNET_LINUX:
7920 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
7921 q.proto == Q_LINK)
7922 return (gen_ahostop(cstate, eaddr, (int)q.dir));
7923 else {
7924 bpf_error(cstate, "ARCnet address used in non-arc expression");
7925 /* NOTREACHED */
7926 }
7927 break;
7928
7929 default:
7930 bpf_error(cstate, "aid supported only on ARCnet");
7931 /* NOTREACHED */
7932 }
7933 bpf_error(cstate, "ARCnet address used in non-arc expression");
7934 /* NOTREACHED */
7935 return NULL;
7936 }
7937
7938 static struct block *
7939 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
7940 {
7941 register struct block *b0, *b1;
7942
7943 switch (dir) {
7944 /* src comes first, different from Ethernet */
7945 case Q_SRC:
7946 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr);
7947
7948 case Q_DST:
7949 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr);
7950
7951 case Q_AND:
7952 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
7953 b1 = gen_ahostop(cstate, eaddr, Q_DST);
7954 gen_and(b0, b1);
7955 return b1;
7956
7957 case Q_DEFAULT:
7958 case Q_OR:
7959 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
7960 b1 = gen_ahostop(cstate, eaddr, Q_DST);
7961 gen_or(b0, b1);
7962 return b1;
7963
7964 case Q_ADDR1:
7965 bpf_error(cstate, "'addr1' is only supported on 802.11");
7966 break;
7967
7968 case Q_ADDR2:
7969 bpf_error(cstate, "'addr2' is only supported on 802.11");
7970 break;
7971
7972 case Q_ADDR3:
7973 bpf_error(cstate, "'addr3' is only supported on 802.11");
7974 break;
7975
7976 case Q_ADDR4:
7977 bpf_error(cstate, "'addr4' is only supported on 802.11");
7978 break;
7979
7980 case Q_RA:
7981 bpf_error(cstate, "'ra' is only supported on 802.11");
7982 break;
7983
7984 case Q_TA:
7985 bpf_error(cstate, "'ta' is only supported on 802.11");
7986 break;
7987 }
7988 abort();
7989 /* NOTREACHED */
7990 }
7991
7992 static struct block *
7993 gen_vlan_tpid_test(compiler_state_t *cstate)
7994 {
7995 struct block *b0, *b1;
7996
7997 /* check for VLAN, including QinQ */
7998 b0 = gen_linktype(cstate, ETHERTYPE_8021Q);
7999 b1 = gen_linktype(cstate, ETHERTYPE_8021AD);
8000 gen_or(b0,b1);
8001 b0 = b1;
8002 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ);
8003 gen_or(b0,b1);
8004
8005 return b1;
8006 }
8007
8008 static struct block *
8009 gen_vlan_vid_test(compiler_state_t *cstate, int vlan_num)
8010 {
8011 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, (bpf_int32)vlan_num, 0x0fff);
8012 }
8013
8014 static struct block *
8015 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, int vlan_num)
8016 {
8017 struct block *b0, *b1;
8018
8019 b0 = gen_vlan_tpid_test(cstate);
8020
8021 if (vlan_num >= 0) {
8022 b1 = gen_vlan_vid_test(cstate, vlan_num);
8023 gen_and(b0, b1);
8024 b0 = b1;
8025 }
8026
8027 /*
8028 * Both payload and link header type follow the VLAN tags so that
8029 * both need to be updated.
8030 */
8031 cstate->off_linkpl.constant_part += 4;
8032 cstate->off_linktype.constant_part += 4;
8033
8034 return b0;
8035 }
8036
8037 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT)
8038 /* add v to variable part of off */
8039 static void
8040 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off, int v, struct slist *s)
8041 {
8042 struct slist *s2;
8043
8044 if (!off->is_variable)
8045 off->is_variable = 1;
8046 if (off->reg == -1)
8047 off->reg = alloc_reg(cstate);
8048
8049 s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
8050 s2->s.k = off->reg;
8051 sappend(s, s2);
8052 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
8053 s2->s.k = v;
8054 sappend(s, s2);
8055 s2 = new_stmt(cstate, BPF_ST);
8056 s2->s.k = off->reg;
8057 sappend(s, s2);
8058 }
8059
8060 /*
8061 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload
8062 * and link type offsets first
8063 */
8064 static void
8065 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid)
8066 {
8067 struct slist s;
8068
8069 /* offset determined at run time, shift variable part */
8070 s.next = NULL;
8071 cstate->is_vlan_vloffset = 1;
8072 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s);
8073 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s);
8074
8075 /* we get a pointer to a chain of or-ed blocks, patch first of them */
8076 sappend(s.next, b_tpid->head->stmts);
8077 b_tpid->head->stmts = s.next;
8078 }
8079
8080 /*
8081 * patch block b_vid (VLAN id test) to load VID value either from packet
8082 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true
8083 */
8084 static void
8085 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid)
8086 {
8087 struct slist *s, *s2, *sjeq;
8088 unsigned cnt;
8089
8090 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8091 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8092
8093 /* true -> next instructions, false -> beginning of b_vid */
8094 sjeq = new_stmt(cstate, JMP(BPF_JEQ));
8095 sjeq->s.k = 1;
8096 sjeq->s.jf = b_vid->stmts;
8097 sappend(s, sjeq);
8098
8099 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8100 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG;
8101 sappend(s, s2);
8102 sjeq->s.jt = s2;
8103
8104 /* jump to the test in b_vid (bypass loading VID from packet data) */
8105 cnt = 0;
8106 for (s2 = b_vid->stmts; s2; s2 = s2->next)
8107 cnt++;
8108 s2 = new_stmt(cstate, JMP(BPF_JA));
8109 s2->s.k = cnt;
8110 sappend(s, s2);
8111
8112 /* insert our statements at the beginning of b_vid */
8113 sappend(s, b_vid->stmts);
8114 b_vid->stmts = s;
8115 }
8116
8117 /*
8118 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF
8119 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN
8120 * tag can be either in metadata or in packet data; therefore if the
8121 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link
8122 * header for VLAN tag. As the decision is done at run time, we need
8123 * update variable part of the offsets
8124 */
8125 static struct block *
8126 gen_vlan_bpf_extensions(compiler_state_t *cstate, int vlan_num)
8127 {
8128 struct block *b0, *b_tpid, *b_vid = NULL;
8129 struct slist *s;
8130
8131 /* generate new filter code based on extracting packet
8132 * metadata */
8133 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8134 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8135
8136 b0 = new_block(cstate, JMP(BPF_JEQ));
8137 b0->stmts = s;
8138 b0->s.k = 1;
8139
8140 /*
8141 * This is tricky. We need to insert the statements updating variable
8142 * parts of offsets before the the traditional TPID and VID tests so
8143 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but
8144 * we do not want this update to affect those checks. That's why we
8145 * generate both test blocks first and insert the statements updating
8146 * variable parts of both offsets after that. This wouldn't work if
8147 * there already were variable length link header when entering this
8148 * function but gen_vlan_bpf_extensions() isn't called in that case.
8149 */
8150 b_tpid = gen_vlan_tpid_test(cstate);
8151 if (vlan_num >= 0)
8152 b_vid = gen_vlan_vid_test(cstate, vlan_num);
8153
8154 gen_vlan_patch_tpid_test(cstate, b_tpid);
8155 gen_or(b0, b_tpid);
8156 b0 = b_tpid;
8157
8158 if (vlan_num >= 0) {
8159 gen_vlan_patch_vid_test(cstate, b_vid);
8160 gen_and(b0, b_vid);
8161 b0 = b_vid;
8162 }
8163
8164 return b0;
8165 }
8166 #endif
8167
8168 /*
8169 * support IEEE 802.1Q VLAN trunk over ethernet
8170 */
8171 struct block *
8172 gen_vlan(compiler_state_t *cstate, int vlan_num)
8173 {
8174 struct block *b0;
8175
8176 /* can't check for VLAN-encapsulated packets inside MPLS */
8177 if (cstate->label_stack_depth > 0)
8178 bpf_error(cstate, "no VLAN match after MPLS");
8179
8180 /*
8181 * Check for a VLAN packet, and then change the offsets to point
8182 * to the type and data fields within the VLAN packet. Just
8183 * increment the offsets, so that we can support a hierarchy, e.g.
8184 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
8185 * VLAN 100.
8186 *
8187 * XXX - this is a bit of a kludge. If we were to split the
8188 * compiler into a parser that parses an expression and
8189 * generates an expression tree, and a code generator that
8190 * takes an expression tree (which could come from our
8191 * parser or from some other parser) and generates BPF code,
8192 * we could perhaps make the offsets parameters of routines
8193 * and, in the handler for an "AND" node, pass to subnodes
8194 * other than the VLAN node the adjusted offsets.
8195 *
8196 * This would mean that "vlan" would, instead of changing the
8197 * behavior of *all* tests after it, change only the behavior
8198 * of tests ANDed with it. That would change the documented
8199 * semantics of "vlan", which might break some expressions.
8200 * However, it would mean that "(vlan and ip) or ip" would check
8201 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8202 * checking only for VLAN-encapsulated IP, so that could still
8203 * be considered worth doing; it wouldn't break expressions
8204 * that are of the form "vlan and ..." or "vlan N and ...",
8205 * which I suspect are the most common expressions involving
8206 * "vlan". "vlan or ..." doesn't necessarily do what the user
8207 * would really want, now, as all the "or ..." tests would
8208 * be done assuming a VLAN, even though the "or" could be viewed
8209 * as meaning "or, if this isn't a VLAN packet...".
8210 */
8211 switch (cstate->linktype) {
8212
8213 case DLT_EN10MB:
8214 case DLT_NETANALYZER:
8215 case DLT_NETANALYZER_TRANSPARENT:
8216 #if defined(SKF_AD_VLAN_TAG) && defined(SKF_AD_VLAN_TAG_PRESENT)
8217 /* Verify that this is the outer part of the packet and
8218 * not encapsulated somehow. */
8219 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable &&
8220 cstate->off_linkhdr.constant_part ==
8221 cstate->off_outermostlinkhdr.constant_part) {
8222 /*
8223 * Do we need special VLAN handling?
8224 */
8225 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
8226 b0 = gen_vlan_bpf_extensions(cstate, vlan_num);
8227 else
8228 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num);
8229 } else
8230 #endif
8231 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num);
8232 break;
8233
8234 case DLT_IEEE802_11:
8235 case DLT_PRISM_HEADER:
8236 case DLT_IEEE802_11_RADIO_AVS:
8237 case DLT_IEEE802_11_RADIO:
8238 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num);
8239 break;
8240
8241 default:
8242 bpf_error(cstate, "no VLAN support for data link type %d",
8243 cstate->linktype);
8244 /*NOTREACHED*/
8245 }
8246
8247 cstate->vlan_stack_depth++;
8248
8249 return (b0);
8250 }
8251
8252 /*
8253 * support for MPLS
8254 */
8255 struct block *
8256 gen_mpls(compiler_state_t *cstate, int label_num)
8257 {
8258 struct block *b0, *b1;
8259
8260 if (cstate->label_stack_depth > 0) {
8261 /* just match the bottom-of-stack bit clear */
8262 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
8263 } else {
8264 /*
8265 * We're not in an MPLS stack yet, so check the link-layer
8266 * type against MPLS.
8267 */
8268 switch (cstate->linktype) {
8269
8270 case DLT_C_HDLC: /* fall through */
8271 case DLT_EN10MB:
8272 case DLT_NETANALYZER:
8273 case DLT_NETANALYZER_TRANSPARENT:
8274 b0 = gen_linktype(cstate, ETHERTYPE_MPLS);
8275 break;
8276
8277 case DLT_PPP:
8278 b0 = gen_linktype(cstate, PPP_MPLS_UCAST);
8279 break;
8280
8281 /* FIXME add other DLT_s ...
8282 * for Frame-Relay/and ATM this may get messy due to SNAP headers
8283 * leave it for now */
8284
8285 default:
8286 bpf_error(cstate, "no MPLS support for data link type %d",
8287 cstate->linktype);
8288 b0 = NULL;
8289 /*NOTREACHED*/
8290 break;
8291 }
8292 }
8293
8294 /* If a specific MPLS label is requested, check it */
8295 if (label_num >= 0) {
8296 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
8297 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, (bpf_int32)label_num,
8298 0xfffff000); /* only compare the first 20 bits */
8299 gen_and(b0, b1);
8300 b0 = b1;
8301 }
8302
8303 /*
8304 * Change the offsets to point to the type and data fields within
8305 * the MPLS packet. Just increment the offsets, so that we
8306 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
8307 * capture packets with an outer label of 100000 and an inner
8308 * label of 1024.
8309 *
8310 * Increment the MPLS stack depth as well; this indicates that
8311 * we're checking MPLS-encapsulated headers, to make sure higher
8312 * level code generators don't try to match against IP-related
8313 * protocols such as Q_ARP, Q_RARP etc.
8314 *
8315 * XXX - this is a bit of a kludge. See comments in gen_vlan().
8316 */
8317 cstate->off_nl_nosnap += 4;
8318 cstate->off_nl += 4;
8319 cstate->label_stack_depth++;
8320 return (b0);
8321 }
8322
8323 /*
8324 * Support PPPOE discovery and session.
8325 */
8326 struct block *
8327 gen_pppoed(compiler_state_t *cstate)
8328 {
8329 /* check for PPPoE discovery */
8330 return gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOED);
8331 }
8332
8333 struct block *
8334 gen_pppoes(compiler_state_t *cstate, int sess_num)
8335 {
8336 struct block *b0, *b1;
8337
8338 /*
8339 * Test against the PPPoE session link-layer type.
8340 */
8341 b0 = gen_linktype(cstate, (bpf_int32)ETHERTYPE_PPPOES);
8342
8343 /* If a specific session is requested, check PPPoE session id */
8344 if (sess_num >= 0) {
8345 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W,
8346 (bpf_int32)sess_num, 0x0000ffff);
8347 gen_and(b0, b1);
8348 b0 = b1;
8349 }
8350
8351 /*
8352 * Change the offsets to point to the type and data fields within
8353 * the PPP packet, and note that this is PPPoE rather than
8354 * raw PPP.
8355 *
8356 * XXX - this is a bit of a kludge. If we were to split the
8357 * compiler into a parser that parses an expression and
8358 * generates an expression tree, and a code generator that
8359 * takes an expression tree (which could come from our
8360 * parser or from some other parser) and generates BPF code,
8361 * we could perhaps make the offsets parameters of routines
8362 * and, in the handler for an "AND" node, pass to subnodes
8363 * other than the PPPoE node the adjusted offsets.
8364 *
8365 * This would mean that "pppoes" would, instead of changing the
8366 * behavior of *all* tests after it, change only the behavior
8367 * of tests ANDed with it. That would change the documented
8368 * semantics of "pppoes", which might break some expressions.
8369 * However, it would mean that "(pppoes and ip) or ip" would check
8370 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
8371 * checking only for VLAN-encapsulated IP, so that could still
8372 * be considered worth doing; it wouldn't break expressions
8373 * that are of the form "pppoes and ..." which I suspect are the
8374 * most common expressions involving "pppoes". "pppoes or ..."
8375 * doesn't necessarily do what the user would really want, now,
8376 * as all the "or ..." tests would be done assuming PPPoE, even
8377 * though the "or" could be viewed as meaning "or, if this isn't
8378 * a PPPoE packet...".
8379 *
8380 * The "network-layer" protocol is PPPoE, which has a 6-byte
8381 * PPPoE header, followed by a PPP packet.
8382 *
8383 * There is no HDLC encapsulation for the PPP packet (it's
8384 * encapsulated in PPPoES instead), so the link-layer type
8385 * starts at the first byte of the PPP packet. For PPPoE,
8386 * that offset is relative to the beginning of the total
8387 * link-layer payload, including any 802.2 LLC header, so
8388 * it's 6 bytes past cstate->off_nl.
8389 */
8390 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable,
8391 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */
8392 cstate->off_linkpl.reg);
8393
8394 cstate->off_linktype = cstate->off_linkhdr;
8395 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2;
8396
8397 cstate->off_nl = 0;
8398 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
8399
8400 return b0;
8401 }
8402
8403 /* Check that this is Geneve and the VNI is correct if
8404 * specified. Parameterized to handle both IPv4 and IPv6. */
8405 static struct block *
8406 gen_geneve_check(compiler_state_t *cstate,
8407 struct block *(*gen_portfn)(compiler_state_t *, int, int, int),
8408 enum e_offrel offrel, int vni)
8409 {
8410 struct block *b0, *b1;
8411
8412 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST);
8413
8414 /* Check that we are operating on version 0. Otherwise, we
8415 * can't decode the rest of the fields. The version is 2 bits
8416 * in the first byte of the Geneve header. */
8417 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, (bpf_int32)0, 0xc0);
8418 gen_and(b0, b1);
8419 b0 = b1;
8420
8421 if (vni >= 0) {
8422 vni <<= 8; /* VNI is in the upper 3 bytes */
8423 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, (bpf_int32)vni,
8424 0xffffff00);
8425 gen_and(b0, b1);
8426 b0 = b1;
8427 }
8428
8429 return b0;
8430 }
8431
8432 /* The IPv4 and IPv6 Geneve checks need to do two things:
8433 * - Verify that this actually is Geneve with the right VNI.
8434 * - Place the IP header length (plus variable link prefix if
8435 * needed) into register A to be used later to compute
8436 * the inner packet offsets. */
8437 static struct block *
8438 gen_geneve4(compiler_state_t *cstate, int vni)
8439 {
8440 struct block *b0, *b1;
8441 struct slist *s, *s1;
8442
8443 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni);
8444
8445 /* Load the IP header length into A. */
8446 s = gen_loadx_iphdrlen(cstate);
8447
8448 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
8449 sappend(s, s1);
8450
8451 /* Forcibly append these statements to the true condition
8452 * of the protocol check by creating a new block that is
8453 * always true and ANDing them. */
8454 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
8455 b1->stmts = s;
8456 b1->s.k = 0;
8457
8458 gen_and(b0, b1);
8459
8460 return b1;
8461 }
8462
8463 static struct block *
8464 gen_geneve6(compiler_state_t *cstate, int vni)
8465 {
8466 struct block *b0, *b1;
8467 struct slist *s, *s1;
8468
8469 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni);
8470
8471 /* Load the IP header length. We need to account for a
8472 * variable length link prefix if there is one. */
8473 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
8474 if (s) {
8475 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
8476 s1->s.k = 40;
8477 sappend(s, s1);
8478
8479 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
8480 s1->s.k = 0;
8481 sappend(s, s1);
8482 } else {
8483 s = new_stmt(cstate, BPF_LD|BPF_IMM);
8484 s->s.k = 40;
8485 }
8486
8487 /* Forcibly append these statements to the true condition
8488 * of the protocol check by creating a new block that is
8489 * always true and ANDing them. */
8490 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
8491 sappend(s, s1);
8492
8493 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
8494 b1->stmts = s;
8495 b1->s.k = 0;
8496
8497 gen_and(b0, b1);
8498
8499 return b1;
8500 }
8501
8502 /* We need to store three values based on the Geneve header::
8503 * - The offset of the linktype.
8504 * - The offset of the end of the Geneve header.
8505 * - The offset of the end of the encapsulated MAC header. */
8506 static struct slist *
8507 gen_geneve_offsets(compiler_state_t *cstate)
8508 {
8509 struct slist *s, *s1, *s_proto;
8510
8511 /* First we need to calculate the offset of the Geneve header
8512 * itself. This is composed of the IP header previously calculated
8513 * (include any variable link prefix) and stored in A plus the
8514 * fixed sized headers (fixed link prefix, MAC length, and UDP
8515 * header). */
8516 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8517 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
8518
8519 /* Stash this in X since we'll need it later. */
8520 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
8521 sappend(s, s1);
8522
8523 /* The EtherType in Geneve is 2 bytes in. Calculate this and
8524 * store it. */
8525 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8526 s1->s.k = 2;
8527 sappend(s, s1);
8528
8529 cstate->off_linktype.reg = alloc_reg(cstate);
8530 cstate->off_linktype.is_variable = 1;
8531 cstate->off_linktype.constant_part = 0;
8532
8533 s1 = new_stmt(cstate, BPF_ST);
8534 s1->s.k = cstate->off_linktype.reg;
8535 sappend(s, s1);
8536
8537 /* Load the Geneve option length and mask and shift to get the
8538 * number of bytes. It is stored in the first byte of the Geneve
8539 * header. */
8540 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
8541 s1->s.k = 0;
8542 sappend(s, s1);
8543
8544 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
8545 s1->s.k = 0x3f;
8546 sappend(s, s1);
8547
8548 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
8549 s1->s.k = 4;
8550 sappend(s, s1);
8551
8552 /* Add in the rest of the Geneve base header. */
8553 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8554 s1->s.k = 8;
8555 sappend(s, s1);
8556
8557 /* Add the Geneve header length to its offset and store. */
8558 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
8559 s1->s.k = 0;
8560 sappend(s, s1);
8561
8562 /* Set the encapsulated type as Ethernet. Even though we may
8563 * not actually have Ethernet inside there are two reasons this
8564 * is useful:
8565 * - The linktype field is always in EtherType format regardless
8566 * of whether it is in Geneve or an inner Ethernet frame.
8567 * - The only link layer that we have specific support for is
8568 * Ethernet. We will confirm that the packet actually is
8569 * Ethernet at runtime before executing these checks. */
8570 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
8571
8572 s1 = new_stmt(cstate, BPF_ST);
8573 s1->s.k = cstate->off_linkhdr.reg;
8574 sappend(s, s1);
8575
8576 /* Calculate whether we have an Ethernet header or just raw IP/
8577 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
8578 * and linktype by 14 bytes so that the network header can be found
8579 * seamlessly. Otherwise, keep what we've calculated already. */
8580
8581 /* We have a bare jmp so we can't use the optimizer. */
8582 cstate->no_optimize = 1;
8583
8584 /* Load the EtherType in the Geneve header, 2 bytes in. */
8585 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H);
8586 s1->s.k = 2;
8587 sappend(s, s1);
8588
8589 /* Load X with the end of the Geneve header. */
8590 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
8591 s1->s.k = cstate->off_linkhdr.reg;
8592 sappend(s, s1);
8593
8594 /* Check if the EtherType is Transparent Ethernet Bridging. At the
8595 * end of this check, we should have the total length in X. In
8596 * the non-Ethernet case, it's already there. */
8597 s_proto = new_stmt(cstate, JMP(BPF_JEQ));
8598 s_proto->s.k = ETHERTYPE_TEB;
8599 sappend(s, s_proto);
8600
8601 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
8602 sappend(s, s1);
8603 s_proto->s.jt = s1;
8604
8605 /* Since this is Ethernet, use the EtherType of the payload
8606 * directly as the linktype. Overwrite what we already have. */
8607 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8608 s1->s.k = 12;
8609 sappend(s, s1);
8610
8611 s1 = new_stmt(cstate, BPF_ST);
8612 s1->s.k = cstate->off_linktype.reg;
8613 sappend(s, s1);
8614
8615 /* Advance two bytes further to get the end of the Ethernet
8616 * header. */
8617 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
8618 s1->s.k = 2;
8619 sappend(s, s1);
8620
8621 /* Move the result to X. */
8622 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
8623 sappend(s, s1);
8624
8625 /* Store the final result of our linkpl calculation. */
8626 cstate->off_linkpl.reg = alloc_reg(cstate);
8627 cstate->off_linkpl.is_variable = 1;
8628 cstate->off_linkpl.constant_part = 0;
8629
8630 s1 = new_stmt(cstate, BPF_STX);
8631 s1->s.k = cstate->off_linkpl.reg;
8632 sappend(s, s1);
8633 s_proto->s.jf = s1;
8634
8635 cstate->off_nl = 0;
8636
8637 return s;
8638 }
8639
8640 /* Check to see if this is a Geneve packet. */
8641 struct block *
8642 gen_geneve(compiler_state_t *cstate, int vni)
8643 {
8644 struct block *b0, *b1;
8645 struct slist *s;
8646
8647 b0 = gen_geneve4(cstate, vni);
8648 b1 = gen_geneve6(cstate, vni);
8649
8650 gen_or(b0, b1);
8651 b0 = b1;
8652
8653 /* Later filters should act on the payload of the Geneve frame,
8654 * update all of the header pointers. Attach this code so that
8655 * it gets executed in the event that the Geneve filter matches. */
8656 s = gen_geneve_offsets(cstate);
8657
8658 b1 = gen_true(cstate);
8659 sappend(s, b1->stmts);
8660 b1->stmts = s;
8661
8662 gen_and(b0, b1);
8663
8664 cstate->is_geneve = 1;
8665
8666 return b1;
8667 }
8668
8669 /* Check that the encapsulated frame has a link layer header
8670 * for Ethernet filters. */
8671 static struct block *
8672 gen_geneve_ll_check(compiler_state_t *cstate)
8673 {
8674 struct block *b0;
8675 struct slist *s, *s1;
8676
8677 /* The easiest way to see if there is a link layer present
8678 * is to check if the link layer header and payload are not
8679 * the same. */
8680
8681 /* Geneve always generates pure variable offsets so we can
8682 * compare only the registers. */
8683 s = new_stmt(cstate, BPF_LD|BPF_MEM);
8684 s->s.k = cstate->off_linkhdr.reg;
8685
8686 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
8687 s1->s.k = cstate->off_linkpl.reg;
8688 sappend(s, s1);
8689
8690 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
8691 b0->stmts = s;
8692 b0->s.k = 0;
8693 gen_not(b0);
8694
8695 return b0;
8696 }
8697
8698 struct block *
8699 gen_atmfield_code(compiler_state_t *cstate, int atmfield, bpf_int32 jvalue,
8700 bpf_u_int32 jtype, int reverse)
8701 {
8702 struct block *b0;
8703
8704 switch (atmfield) {
8705
8706 case A_VPI:
8707 if (!cstate->is_atm)
8708 bpf_error(cstate, "'vpi' supported only on raw ATM");
8709 if (cstate->off_vpi == (u_int)-1)
8710 abort();
8711 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B, 0xffffffff, jtype,
8712 reverse, jvalue);
8713 break;
8714
8715 case A_VCI:
8716 if (!cstate->is_atm)
8717 bpf_error(cstate, "'vci' supported only on raw ATM");
8718 if (cstate->off_vci == (u_int)-1)
8719 abort();
8720 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H, 0xffffffff, jtype,
8721 reverse, jvalue);
8722 break;
8723
8724 case A_PROTOTYPE:
8725 if (cstate->off_proto == (u_int)-1)
8726 abort(); /* XXX - this isn't on FreeBSD */
8727 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0x0f, jtype,
8728 reverse, jvalue);
8729 break;
8730
8731 case A_MSGTYPE:
8732 if (cstate->off_payload == (u_int)-1)
8733 abort();
8734 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B,
8735 0xffffffff, jtype, reverse, jvalue);
8736 break;
8737
8738 case A_CALLREFTYPE:
8739 if (!cstate->is_atm)
8740 bpf_error(cstate, "'callref' supported only on raw ATM");
8741 if (cstate->off_proto == (u_int)-1)
8742 abort();
8743 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B, 0xffffffff,
8744 jtype, reverse, jvalue);
8745 break;
8746
8747 default:
8748 abort();
8749 }
8750 return b0;
8751 }
8752
8753 struct block *
8754 gen_atmtype_abbrev(compiler_state_t *cstate, int type)
8755 {
8756 struct block *b0, *b1;
8757
8758 switch (type) {
8759
8760 case A_METAC:
8761 /* Get all packets in Meta signalling Circuit */
8762 if (!cstate->is_atm)
8763 bpf_error(cstate, "'metac' supported only on raw ATM");
8764 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8765 b1 = gen_atmfield_code(cstate, A_VCI, 1, BPF_JEQ, 0);
8766 gen_and(b0, b1);
8767 break;
8768
8769 case A_BCC:
8770 /* Get all packets in Broadcast Circuit*/
8771 if (!cstate->is_atm)
8772 bpf_error(cstate, "'bcc' supported only on raw ATM");
8773 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8774 b1 = gen_atmfield_code(cstate, A_VCI, 2, BPF_JEQ, 0);
8775 gen_and(b0, b1);
8776 break;
8777
8778 case A_OAMF4SC:
8779 /* Get all cells in Segment OAM F4 circuit*/
8780 if (!cstate->is_atm)
8781 bpf_error(cstate, "'oam4sc' supported only on raw ATM");
8782 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8783 b1 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0);
8784 gen_and(b0, b1);
8785 break;
8786
8787 case A_OAMF4EC:
8788 /* Get all cells in End-to-End OAM F4 Circuit*/
8789 if (!cstate->is_atm)
8790 bpf_error(cstate, "'oam4ec' supported only on raw ATM");
8791 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8792 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0);
8793 gen_and(b0, b1);
8794 break;
8795
8796 case A_SC:
8797 /* Get all packets in connection Signalling Circuit */
8798 if (!cstate->is_atm)
8799 bpf_error(cstate, "'sc' supported only on raw ATM");
8800 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8801 b1 = gen_atmfield_code(cstate, A_VCI, 5, BPF_JEQ, 0);
8802 gen_and(b0, b1);
8803 break;
8804
8805 case A_ILMIC:
8806 /* Get all packets in ILMI Circuit */
8807 if (!cstate->is_atm)
8808 bpf_error(cstate, "'ilmic' supported only on raw ATM");
8809 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
8810 b1 = gen_atmfield_code(cstate, A_VCI, 16, BPF_JEQ, 0);
8811 gen_and(b0, b1);
8812 break;
8813
8814 case A_LANE:
8815 /* Get all LANE packets */
8816 if (!cstate->is_atm)
8817 bpf_error(cstate, "'lane' supported only on raw ATM");
8818 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
8819
8820 /*
8821 * Arrange that all subsequent tests assume LANE
8822 * rather than LLC-encapsulated packets, and set
8823 * the offsets appropriately for LANE-encapsulated
8824 * Ethernet.
8825 *
8826 * We assume LANE means Ethernet, not Token Ring.
8827 */
8828 PUSH_LINKHDR(cstate, DLT_EN10MB, 0,
8829 cstate->off_payload + 2, /* Ethernet header */
8830 -1);
8831 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
8832 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */
8833 cstate->off_nl = 0; /* Ethernet II */
8834 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
8835 break;
8836
8837 case A_LLC:
8838 /* Get all LLC-encapsulated packets */
8839 if (!cstate->is_atm)
8840 bpf_error(cstate, "'llc' supported only on raw ATM");
8841 b1 = gen_atmfield_code(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
8842 cstate->linktype = cstate->prevlinktype;
8843 break;
8844
8845 default:
8846 abort();
8847 }
8848 return b1;
8849 }
8850
8851 /*
8852 * Filtering for MTP2 messages based on li value
8853 * FISU, length is null
8854 * LSSU, length is 1 or 2
8855 * MSU, length is 3 or more
8856 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
8857 */
8858 struct block *
8859 gen_mtp2type_abbrev(compiler_state_t *cstate, int type)
8860 {
8861 struct block *b0, *b1;
8862
8863 switch (type) {
8864
8865 case M_FISU:
8866 if ( (cstate->linktype != DLT_MTP2) &&
8867 (cstate->linktype != DLT_ERF) &&
8868 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8869 bpf_error(cstate, "'fisu' supported only on MTP2");
8870 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
8871 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
8872 break;
8873
8874 case M_LSSU:
8875 if ( (cstate->linktype != DLT_MTP2) &&
8876 (cstate->linktype != DLT_ERF) &&
8877 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8878 bpf_error(cstate, "'lssu' supported only on MTP2");
8879 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
8880 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
8881 gen_and(b1, b0);
8882 break;
8883
8884 case M_MSU:
8885 if ( (cstate->linktype != DLT_MTP2) &&
8886 (cstate->linktype != DLT_ERF) &&
8887 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8888 bpf_error(cstate, "'msu' supported only on MTP2");
8889 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
8890 break;
8891
8892 case MH_FISU:
8893 if ( (cstate->linktype != DLT_MTP2) &&
8894 (cstate->linktype != DLT_ERF) &&
8895 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8896 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL");
8897 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
8898 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JEQ, 0, 0);
8899 break;
8900
8901 case MH_LSSU:
8902 if ( (cstate->linktype != DLT_MTP2) &&
8903 (cstate->linktype != DLT_ERF) &&
8904 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8905 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL");
8906 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 1, 0x0100);
8907 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0);
8908 gen_and(b1, b0);
8909 break;
8910
8911 case MH_MSU:
8912 if ( (cstate->linktype != DLT_MTP2) &&
8913 (cstate->linktype != DLT_ERF) &&
8914 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
8915 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL");
8916 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H, 0xff80, BPF_JGT, 0, 0x0100);
8917 break;
8918
8919 default:
8920 abort();
8921 }
8922 return b0;
8923 }
8924
8925 struct block *
8926 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field, bpf_u_int32 jvalue,
8927 bpf_u_int32 jtype, int reverse)
8928 {
8929 struct block *b0;
8930 bpf_u_int32 val1 , val2 , val3;
8931 u_int newoff_sio = cstate->off_sio;
8932 u_int newoff_opc = cstate->off_opc;
8933 u_int newoff_dpc = cstate->off_dpc;
8934 u_int newoff_sls = cstate->off_sls;
8935
8936 switch (mtp3field) {
8937
8938 case MH_SIO:
8939 newoff_sio += 3; /* offset for MTP2_HSL */
8940 /* FALLTHROUGH */
8941
8942 case M_SIO:
8943 if (cstate->off_sio == (u_int)-1)
8944 bpf_error(cstate, "'sio' supported only on SS7");
8945 /* sio coded on 1 byte so max value 255 */
8946 if(jvalue > 255)
8947 bpf_error(cstate, "sio value %u too big; max value = 255",
8948 jvalue);
8949 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffff,
8950 (u_int)jtype, reverse, (u_int)jvalue);
8951 break;
8952
8953 case MH_OPC:
8954 newoff_opc+=3;
8955 case M_OPC:
8956 if (cstate->off_opc == (u_int)-1)
8957 bpf_error(cstate, "'opc' supported only on SS7");
8958 /* opc coded on 14 bits so max value 16383 */
8959 if (jvalue > 16383)
8960 bpf_error(cstate, "opc value %u too big; max value = 16383",
8961 jvalue);
8962 /* the following instructions are made to convert jvalue
8963 * to the form used to write opc in an ss7 message*/
8964 val1 = jvalue & 0x00003c00;
8965 val1 = val1 >>10;
8966 val2 = jvalue & 0x000003fc;
8967 val2 = val2 <<6;
8968 val3 = jvalue & 0x00000003;
8969 val3 = val3 <<22;
8970 jvalue = val1 + val2 + val3;
8971 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0f,
8972 (u_int)jtype, reverse, (u_int)jvalue);
8973 break;
8974
8975 case MH_DPC:
8976 newoff_dpc += 3;
8977 /* FALLTHROUGH */
8978
8979 case M_DPC:
8980 if (cstate->off_dpc == (u_int)-1)
8981 bpf_error(cstate, "'dpc' supported only on SS7");
8982 /* dpc coded on 14 bits so max value 16383 */
8983 if (jvalue > 16383)
8984 bpf_error(cstate, "dpc value %u too big; max value = 16383",
8985 jvalue);
8986 /* the following instructions are made to convert jvalue
8987 * to the forme used to write dpc in an ss7 message*/
8988 val1 = jvalue & 0x000000ff;
8989 val1 = val1 << 24;
8990 val2 = jvalue & 0x00003f00;
8991 val2 = val2 << 8;
8992 jvalue = val1 + val2;
8993 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000,
8994 (u_int)jtype, reverse, (u_int)jvalue);
8995 break;
8996
8997 case MH_SLS:
8998 newoff_sls+=3;
8999 case M_SLS:
9000 if (cstate->off_sls == (u_int)-1)
9001 bpf_error(cstate, "'sls' supported only on SS7");
9002 /* sls coded on 4 bits so max value 15 */
9003 if (jvalue > 15)
9004 bpf_error(cstate, "sls value %u too big; max value = 15",
9005 jvalue);
9006 /* the following instruction is made to convert jvalue
9007 * to the forme used to write sls in an ss7 message*/
9008 jvalue = jvalue << 4;
9009 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0,
9010 (u_int)jtype,reverse, (u_int)jvalue);
9011 break;
9012
9013 default:
9014 abort();
9015 }
9016 return b0;
9017 }
9018
9019 static struct block *
9020 gen_msg_abbrev(compiler_state_t *cstate, int type)
9021 {
9022 struct block *b1;
9023
9024 /*
9025 * Q.2931 signalling protocol messages for handling virtual circuits
9026 * establishment and teardown
9027 */
9028 switch (type) {
9029
9030 case A_SETUP:
9031 b1 = gen_atmfield_code(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0);
9032 break;
9033
9034 case A_CALLPROCEED:
9035 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
9036 break;
9037
9038 case A_CONNECT:
9039 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0);
9040 break;
9041
9042 case A_CONNECTACK:
9043 b1 = gen_atmfield_code(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
9044 break;
9045
9046 case A_RELEASE:
9047 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0);
9048 break;
9049
9050 case A_RELEASE_DONE:
9051 b1 = gen_atmfield_code(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
9052 break;
9053
9054 default:
9055 abort();
9056 }
9057 return b1;
9058 }
9059
9060 struct block *
9061 gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
9062 {
9063 struct block *b0, *b1;
9064
9065 switch (type) {
9066
9067 case A_OAM:
9068 if (!cstate->is_atm)
9069 bpf_error(cstate, "'oam' supported only on raw ATM");
9070 b1 = gen_atmmulti_abbrev(cstate, A_OAMF4);
9071 break;
9072
9073 case A_OAMF4:
9074 if (!cstate->is_atm)
9075 bpf_error(cstate, "'oamf4' supported only on raw ATM");
9076 /* OAM F4 type */
9077 b0 = gen_atmfield_code(cstate, A_VCI, 3, BPF_JEQ, 0);
9078 b1 = gen_atmfield_code(cstate, A_VCI, 4, BPF_JEQ, 0);
9079 gen_or(b0, b1);
9080 b0 = gen_atmfield_code(cstate, A_VPI, 0, BPF_JEQ, 0);
9081 gen_and(b0, b1);
9082 break;
9083
9084 case A_CONNECTMSG:
9085 /*
9086 * Get Q.2931 signalling messages for switched
9087 * virtual connection
9088 */
9089 if (!cstate->is_atm)
9090 bpf_error(cstate, "'connectmsg' supported only on raw ATM");
9091 b0 = gen_msg_abbrev(cstate, A_SETUP);
9092 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
9093 gen_or(b0, b1);
9094 b0 = gen_msg_abbrev(cstate, A_CONNECT);
9095 gen_or(b0, b1);
9096 b0 = gen_msg_abbrev(cstate, A_CONNECTACK);
9097 gen_or(b0, b1);
9098 b0 = gen_msg_abbrev(cstate, A_RELEASE);
9099 gen_or(b0, b1);
9100 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
9101 gen_or(b0, b1);
9102 b0 = gen_atmtype_abbrev(cstate, A_SC);
9103 gen_and(b0, b1);
9104 break;
9105
9106 case A_METACONNECT:
9107 if (!cstate->is_atm)
9108 bpf_error(cstate, "'metaconnect' supported only on raw ATM");
9109 b0 = gen_msg_abbrev(cstate, A_SETUP);
9110 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
9111 gen_or(b0, b1);
9112 b0 = gen_msg_abbrev(cstate, A_CONNECT);
9113 gen_or(b0, b1);
9114 b0 = gen_msg_abbrev(cstate, A_RELEASE);
9115 gen_or(b0, b1);
9116 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
9117 gen_or(b0, b1);
9118 b0 = gen_atmtype_abbrev(cstate, A_METAC);
9119 gen_and(b0, b1);
9120 break;
9121
9122 default:
9123 abort();
9124 }
9125 return b1;
9126 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism