]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Factor gen_set() out.
[libpcap] / gencode.c
1 /*
2 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that: (1) source code distributions
7 * retain the above copyright notice and this paragraph in its entirety, (2)
8 * distributions including binary code include the above copyright notice and
9 * this paragraph in its entirety in the documentation or other materials
10 * provided with the distribution, and (3) all advertising materials mentioning
11 * features or use of this software display the following acknowledgement:
12 * ``This product includes software developed by the University of California,
13 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
14 * the University nor the names of its contributors may be used to endorse
15 * or promote products derived from this software without specific prior
16 * written permission.
17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
19 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
20 */
21
22 #include <config.h>
23
24 #ifdef _WIN32
25 #include <ws2tcpip.h>
26 #else
27 #include <netinet/in.h>
28 #endif /* _WIN32 */
29
30 #include <stdlib.h>
31 #include <string.h>
32 #include <memory.h>
33 #include <setjmp.h>
34 #include <stdarg.h>
35 #include <stdio.h>
36 #include <stdint.h>
37 #include <stddef.h>
38
39 #include "pcap-int.h"
40
41 #include "extract.h"
42
43 #include "ethertype.h"
44 #include "llc.h"
45 #include "gencode.h"
46 #include "ieee80211.h"
47 #include "pflog.h"
48 #include "ppp.h"
49 #include "pcap/sll.h"
50 #include "pcap/ipnet.h"
51 #include "diag-control.h"
52 #include "pcap-util.h"
53
54 #include "scanner.h"
55
56 #if defined(__linux__)
57 #include <linux/types.h>
58 #include <linux/if_packet.h>
59 #include <linux/filter.h>
60 #endif
61
62 #ifdef _WIN32
63 #ifdef HAVE_NPCAP_BPF_H
64 /* Defines BPF extensions for Npcap */
65 #include <npcap-bpf.h>
66 #endif
67 #ifdef INET6
68 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
69 /* IPv6 address */
70 struct in6_addr
71 {
72 union
73 {
74 uint8_t u6_addr8[16];
75 uint16_t u6_addr16[8];
76 uint32_t u6_addr32[4];
77 } in6_u;
78 #define s6_addr in6_u.u6_addr8
79 #define s6_addr16 in6_u.u6_addr16
80 #define s6_addr32 in6_u.u6_addr32
81 #define s6_addr64 in6_u.u6_addr64
82 };
83
84 typedef unsigned short sa_family_t;
85
86 #define __SOCKADDR_COMMON(sa_prefix) \
87 sa_family_t sa_prefix##family
88
89 /* Ditto, for IPv6. */
90 struct sockaddr_in6
91 {
92 __SOCKADDR_COMMON (sin6_);
93 uint16_t sin6_port; /* Transport layer port # */
94 uint32_t sin6_flowinfo; /* IPv6 flow information */
95 struct in6_addr sin6_addr; /* IPv6 address */
96 };
97
98 #ifndef EAI_ADDRFAMILY
99 struct addrinfo {
100 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
101 int ai_family; /* PF_xxx */
102 int ai_socktype; /* SOCK_xxx */
103 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
104 size_t ai_addrlen; /* length of ai_addr */
105 char *ai_canonname; /* canonical name for hostname */
106 struct sockaddr *ai_addr; /* binary address */
107 struct addrinfo *ai_next; /* next structure in linked list */
108 };
109 #endif /* EAI_ADDRFAMILY */
110 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
111 #endif /* INET6 */
112 #else /* _WIN32 */
113 #include <netdb.h> /* for "struct addrinfo" */
114 #endif /* _WIN32 */
115 #include <pcap/namedb.h>
116
117 #include "nametoaddr.h"
118
119 #define ETHERMTU 1500
120
121 #ifndef IPPROTO_HOPOPTS
122 #define IPPROTO_HOPOPTS 0
123 #endif
124 #ifndef IPPROTO_ROUTING
125 #define IPPROTO_ROUTING 43
126 #endif
127 #ifndef IPPROTO_FRAGMENT
128 #define IPPROTO_FRAGMENT 44
129 #endif
130 #ifndef IPPROTO_DSTOPTS
131 #define IPPROTO_DSTOPTS 60
132 #endif
133 #ifndef IPPROTO_SCTP
134 #define IPPROTO_SCTP 132
135 #endif
136
137 #define GENEVE_PORT 6081
138 #define VXLAN_PORT 4789
139
140
141 /*
142 * from: NetBSD: if_arc.h,v 1.13 1999/11/19 20:41:19 thorpej Exp
143 */
144
145 /* RFC 1051 */
146 #define ARCTYPE_IP_OLD 240 /* IP protocol */
147 #define ARCTYPE_ARP_OLD 241 /* address resolution protocol */
148
149 /* RFC 1201 */
150 #define ARCTYPE_IP 212 /* IP protocol */
151 #define ARCTYPE_ARP 213 /* address resolution protocol */
152 #define ARCTYPE_REVARP 214 /* reverse addr resolution protocol */
153
154 #define ARCTYPE_ATALK 221 /* Appletalk */
155 #define ARCTYPE_BANIAN 247 /* Banyan Vines */
156 #define ARCTYPE_IPX 250 /* Novell IPX */
157
158 #define ARCTYPE_INET6 0xc4 /* IPng */
159 #define ARCTYPE_DIAGNOSE 0x80 /* as per ANSI/ATA 878.1 */
160
161
162 /* Based on UNI3.1 standard by ATM Forum */
163
164 /* ATM traffic types based on VPI=0 and (the following VCI */
165 #define VCI_PPC 0x05 /* Point-to-point signal msg */
166 #define VCI_BCC 0x02 /* Broadcast signal msg */
167 #define VCI_OAMF4SC 0x03 /* Segment OAM F4 flow cell */
168 #define VCI_OAMF4EC 0x04 /* End-to-end OAM F4 flow cell */
169 #define VCI_METAC 0x01 /* Meta signal msg */
170 #define VCI_ILMIC 0x10 /* ILMI msg */
171
172 /* Q.2931 signalling messages */
173 #define CALL_PROCEED 0x02 /* call proceeding */
174 #define CONNECT 0x07 /* connect */
175 #define CONNECT_ACK 0x0f /* connect_ack */
176 #define SETUP 0x05 /* setup */
177 #define RELEASE 0x4d /* release */
178 #define RELEASE_DONE 0x5a /* release_done */
179 #define RESTART 0x46 /* restart */
180 #define RESTART_ACK 0x4e /* restart ack */
181 #define STATUS 0x7d /* status */
182 #define STATUS_ENQ 0x75 /* status ack */
183 #define ADD_PARTY 0x80 /* add party */
184 #define ADD_PARTY_ACK 0x81 /* add party ack */
185 #define ADD_PARTY_REJ 0x82 /* add party rej */
186 #define DROP_PARTY 0x83 /* drop party */
187 #define DROP_PARTY_ACK 0x84 /* drop party ack */
188
189 /* Information Element Parameters in the signalling messages */
190 #define CAUSE 0x08 /* cause */
191 #define ENDPT_REF 0x54 /* endpoint reference */
192 #define AAL_PARA 0x58 /* ATM adaptation layer parameters */
193 #define TRAFF_DESCRIP 0x59 /* atm traffic descriptors */
194 #define CONNECT_ID 0x5a /* connection identifier */
195 #define QOS_PARA 0x5c /* quality of service parameters */
196 #define B_HIGHER 0x5d /* broadband higher layer information */
197 #define B_BEARER 0x5e /* broadband bearer capability */
198 #define B_LOWER 0x5f /* broadband lower information */
199 #define CALLING_PARTY 0x6c /* calling party number */
200 #define CALLED_PARTY 0x70 /* called party number */
201
202 #define Q2931 0x09
203
204 /* Q.2931 signalling general messages format */
205 #define PROTO_POS 0 /* offset of protocol discriminator */
206 #define CALL_REF_POS 2 /* offset of call reference value */
207 #define MSG_TYPE_POS 5 /* offset of message type */
208 #define MSG_LEN_POS 7 /* offset of message length */
209 #define IE_BEGIN_POS 9 /* offset of first information element */
210
211 /* format of signalling messages */
212 #define TYPE_POS 0
213 #define LEN_POS 2
214 #define FIELD_BEGIN_POS 4
215
216
217 /* SunATM header for ATM packet */
218 #define SUNATM_DIR_POS 0
219 #define SUNATM_VPI_POS 1
220 #define SUNATM_VCI_POS 2
221 #define SUNATM_PKT_BEGIN_POS 4 /* Start of ATM packet */
222
223 /* Protocol type values in the bottom for bits of the byte at SUNATM_DIR_POS. */
224 #define PT_LANE 0x01 /* LANE */
225 #define PT_LLC 0x02 /* LLC encapsulation */
226 #define PT_ILMI 0x05 /* ILMI */
227 #define PT_QSAAL 0x06 /* Q.SAAL */
228
229
230 /* Types missing from some systems */
231
232 /*
233 * Network layer protocol identifiers
234 */
235 #ifndef ISO8473_CLNP
236 #define ISO8473_CLNP 0x81
237 #endif
238 #ifndef ISO9542_ESIS
239 #define ISO9542_ESIS 0x82
240 #endif
241 #ifndef ISO9542X25_ESIS
242 #define ISO9542X25_ESIS 0x8a
243 #endif
244 #ifndef ISO10589_ISIS
245 #define ISO10589_ISIS 0x83
246 #endif
247
248 #define ISIS_L1_LAN_IIH 15
249 #define ISIS_L2_LAN_IIH 16
250 #define ISIS_PTP_IIH 17
251 #define ISIS_L1_LSP 18
252 #define ISIS_L2_LSP 20
253 #define ISIS_L1_CSNP 24
254 #define ISIS_L2_CSNP 25
255 #define ISIS_L1_PSNP 26
256 #define ISIS_L2_PSNP 27
257 /*
258 * The maximum possible value can also be used as a bit mask because the
259 * "PDU Type" field comprises the least significant 5 bits of a particular
260 * octet, see sections 9.5~9.13 of ISO/IEC 10589:2002(E).
261 */
262 #define ISIS_PDU_TYPE_MAX 0x1FU
263
264 #ifndef ISO8878A_CONS
265 #define ISO8878A_CONS 0x84
266 #endif
267 #ifndef ISO10747_IDRP
268 #define ISO10747_IDRP 0x85
269 #endif
270
271 // Same as in tcpdump/print-sl.c.
272 #define SLIPDIR_IN 0
273 #define SLIPDIR_OUT 1
274
275 #ifdef HAVE_OS_PROTO_H
276 #include "os-proto.h"
277 #endif
278
279 #define JMP(c) ((c)|BPF_JMP|BPF_K)
280
281 /*
282 * "Push" the current value of the link-layer header type and link-layer
283 * header offset onto a "stack", and set a new value. (It's not a
284 * full-blown stack; we keep only the top two items.)
285 */
286 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
287 { \
288 (cs)->prevlinktype = (cs)->linktype; \
289 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
290 (cs)->linktype = (new_linktype); \
291 (cs)->off_linkhdr.is_variable = (new_is_variable); \
292 (cs)->off_linkhdr.constant_part = (new_constant_part); \
293 (cs)->off_linkhdr.reg = (new_reg); \
294 (cs)->is_encap = 0; \
295 }
296
297 /*
298 * Offset "not set" value.
299 */
300 #define OFFSET_NOT_SET 0xffffffffU
301
302 /*
303 * Absolute offsets, which are offsets from the beginning of the raw
304 * packet data, are, in the general case, the sum of a variable value
305 * and a constant value; the variable value may be absent, in which
306 * case the offset is only the constant value, and the constant value
307 * may be zero, in which case the offset is only the variable value.
308 *
309 * bpf_abs_offset is a structure containing all that information:
310 *
311 * is_variable is 1 if there's a variable part.
312 *
313 * constant_part is the constant part of the value, possibly zero;
314 *
315 * if is_variable is 1, reg is the register number for a register
316 * containing the variable value if the register has been assigned,
317 * and -1 otherwise.
318 */
319 typedef struct {
320 int is_variable;
321 u_int constant_part;
322 int reg;
323 } bpf_abs_offset;
324
325 /*
326 * Value passed to gen_load_a() to indicate what the offset argument
327 * is relative to the beginning of.
328 */
329 enum e_offrel {
330 OR_PACKET, /* full packet data */
331 OR_LINKHDR, /* link-layer header */
332 OR_PREVLINKHDR, /* previous link-layer header */
333 OR_LLC, /* 802.2 LLC header */
334 OR_PREVMPLSHDR, /* previous MPLS header */
335 OR_LINKTYPE, /* link-layer type */
336 OR_LINKPL, /* link-layer payload */
337 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
338 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
339 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
340 };
341
342 /*
343 * We divvy out chunks of memory rather than call malloc each time so
344 * we don't have to worry about leaking memory. It's probably
345 * not a big deal if all this memory was wasted but if this ever
346 * goes into a library that would probably not be a good idea.
347 *
348 * XXX - this *is* in a library....
349 */
350 #define NCHUNKS 16
351 #define CHUNK0SIZE 1024
352 struct chunk {
353 size_t n_left;
354 void *m;
355 };
356
357 /*
358 * A chunk can store any of:
359 * - a string (guaranteed alignment 1 but present for completeness)
360 * - a block
361 * - an slist
362 * - an arth
363 * For this simple allocator every allocated chunk gets rounded up to the
364 * alignment needed for any chunk.
365 */
366 struct chunk_align {
367 char dummy;
368 union {
369 char c;
370 struct block b;
371 struct slist s;
372 struct arth a;
373 } u;
374 };
375 #define CHUNK_ALIGN (offsetof(struct chunk_align, u))
376
377 /* Code generator state */
378
379 struct _compiler_state {
380 jmp_buf top_ctx;
381 pcap_t *bpf_pcap;
382 int error_set;
383
384 struct icode ic;
385
386 int snaplen;
387
388 int linktype;
389 int prevlinktype;
390 int outermostlinktype;
391
392 bpf_u_int32 netmask;
393 int no_optimize;
394
395 /* Hack for handling VLAN and MPLS stacks. */
396 u_int label_stack_depth;
397 u_int vlan_stack_depth;
398
399 /* XXX */
400 u_int pcap_fddipad;
401
402 /*
403 * As errors are handled by a longjmp, anything allocated must
404 * be freed in the longjmp handler, so it must be reachable
405 * from that handler.
406 *
407 * One thing that's allocated is the result of pcap_nametoaddrinfo();
408 * it must be freed with freeaddrinfo(). This variable points to
409 * any addrinfo structure that would need to be freed.
410 */
411 struct addrinfo *ai;
412
413 /*
414 * Another thing that's allocated is the result of pcap_ether_aton();
415 * it must be freed with free(). This variable points to any
416 * address that would need to be freed.
417 */
418 u_char *e;
419
420 /*
421 * Various code constructs need to know the layout of the packet.
422 * These values give the necessary offsets from the beginning
423 * of the packet data.
424 */
425
426 /*
427 * Absolute offset of the beginning of the link-layer header.
428 */
429 bpf_abs_offset off_linkhdr;
430
431 /*
432 * If we're checking a link-layer header for a packet encapsulated
433 * in another protocol layer, this is the equivalent information
434 * for the previous layers' link-layer header from the beginning
435 * of the raw packet data.
436 */
437 bpf_abs_offset off_prevlinkhdr;
438
439 /*
440 * This is the equivalent information for the outermost layers'
441 * link-layer header.
442 */
443 bpf_abs_offset off_outermostlinkhdr;
444
445 /*
446 * Absolute offset of the beginning of the link-layer payload.
447 */
448 bpf_abs_offset off_linkpl;
449
450 /*
451 * "off_linktype" is the offset to information in the link-layer
452 * header giving the packet type. This is an absolute offset
453 * from the beginning of the packet.
454 *
455 * For Ethernet, it's the offset of the Ethernet type field; this
456 * means that it must have a value that skips VLAN tags.
457 *
458 * For link-layer types that always use 802.2 headers, it's the
459 * offset of the LLC header; this means that it must have a value
460 * that skips VLAN tags.
461 *
462 * For PPP, it's the offset of the PPP type field.
463 *
464 * For Cisco HDLC, it's the offset of the CHDLC type field.
465 *
466 * For BSD loopback, it's the offset of the AF_ value.
467 *
468 * For Linux cooked sockets, it's the offset of the type field.
469 *
470 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
471 * encapsulation, in which case, IP is assumed.
472 */
473 bpf_abs_offset off_linktype;
474
475 /*
476 * TRUE if the link layer includes an ATM pseudo-header.
477 */
478 int is_atm;
479
480 /* TRUE if "geneve" or "vxlan" appeared in the filter; it
481 * causes us to generate code that checks for a Geneve or
482 * VXLAN header respectively and assume that later filters
483 * apply to the encapsulated payload.
484 */
485 int is_encap;
486
487 /*
488 * TRUE if we need variable length part of VLAN offset
489 */
490 int is_vlan_vloffset;
491
492 /*
493 * These are offsets for the ATM pseudo-header.
494 */
495 u_int off_vpi;
496 u_int off_vci;
497 u_int off_proto;
498
499 /*
500 * These are offsets for the MTP2 fields.
501 */
502 u_int off_li;
503 u_int off_li_hsl;
504
505 /*
506 * These are offsets for the MTP3 fields.
507 */
508 u_int off_sio;
509 u_int off_opc;
510 u_int off_dpc;
511 u_int off_sls;
512
513 /*
514 * This is the offset of the first byte after the ATM pseudo_header,
515 * or -1 if there is no ATM pseudo-header.
516 */
517 u_int off_payload;
518
519 /*
520 * These are offsets to the beginning of the network-layer header.
521 * They are relative to the beginning of the link-layer payload
522 * (i.e., they don't include off_linkhdr.constant_part or
523 * off_linkpl.constant_part).
524 *
525 * If the link layer never uses 802.2 LLC:
526 *
527 * "off_nl" and "off_nl_nosnap" are the same.
528 *
529 * If the link layer always uses 802.2 LLC:
530 *
531 * "off_nl" is the offset if there's a SNAP header following
532 * the 802.2 header;
533 *
534 * "off_nl_nosnap" is the offset if there's no SNAP header.
535 *
536 * If the link layer is Ethernet:
537 *
538 * "off_nl" is the offset if the packet is an Ethernet II packet
539 * (we assume no 802.3+802.2+SNAP);
540 *
541 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
542 * with an 802.2 header following it.
543 */
544 u_int off_nl;
545 u_int off_nl_nosnap;
546
547 /*
548 * Here we handle simple allocation of the scratch registers.
549 * If too many registers are alloc'd, the allocator punts.
550 */
551 int regused[BPF_MEMWORDS];
552 int curreg;
553
554 /*
555 * Memory chunks.
556 */
557 struct chunk chunks[NCHUNKS];
558 int cur_chunk;
559 };
560
561 /*
562 * For use by routines outside this file.
563 */
564 /* VARARGS */
565 void
566 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...)
567 {
568 va_list ap;
569
570 /*
571 * If we've already set an error, don't override it.
572 * The lexical analyzer reports some errors by setting
573 * the error and then returning a LEX_ERROR token, which
574 * is not recognized by any grammar rule, and thus forces
575 * the parse to stop. We don't want the error reported
576 * by the lexical analyzer to be overwritten by the syntax
577 * error.
578 */
579 if (!cstate->error_set) {
580 va_start(ap, fmt);
581 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
582 fmt, ap);
583 va_end(ap);
584 cstate->error_set = 1;
585 }
586 }
587
588 /*
589 * For use *ONLY* in routines in this file.
590 */
591 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...)
592 PCAP_PRINTFLIKE(2, 3);
593
594 /* VARARGS */
595 static void PCAP_NORETURN
596 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
597 {
598 va_list ap;
599
600 va_start(ap, fmt);
601 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
602 fmt, ap);
603 va_end(ap);
604 longjmp(cstate->top_ctx, 1);
605 /*NOTREACHED*/
606 #ifdef _AIX
607 PCAP_UNREACHABLE
608 #endif /* _AIX */
609 }
610
611 static int init_linktype(compiler_state_t *, pcap_t *);
612
613 static void init_regs(compiler_state_t *);
614 static int alloc_reg(compiler_state_t *);
615 static void free_reg(compiler_state_t *, int);
616
617 static void initchunks(compiler_state_t *cstate);
618 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t);
619 static void *newchunk(compiler_state_t *cstate, size_t);
620 static void freechunks(compiler_state_t *cstate);
621 static inline struct block *new_block(compiler_state_t *cstate, int);
622 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
623 static struct block *gen_retblk(compiler_state_t *cstate, int);
624 static inline void syntax(compiler_state_t *cstate);
625
626 static void backpatch(struct block *, struct block *);
627 static void merge(struct block *, struct block *);
628 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
629 u_int, bpf_u_int32);
630 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
631 u_int, bpf_u_int32);
632 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
633 u_int, bpf_u_int32);
634 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
635 u_int, bpf_u_int32);
636 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
637 u_int, bpf_u_int32);
638 static struct block *gen_cmp_ne(compiler_state_t *, enum e_offrel, u_int,
639 u_int size, bpf_u_int32);
640 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
641 u_int, bpf_u_int32, bpf_u_int32);
642 static struct block *gen_mcmp_ne(compiler_state_t *, enum e_offrel, u_int,
643 u_int, bpf_u_int32, bpf_u_int32);
644 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
645 u_int, const u_char *);
646 static struct block *gen_jmp(compiler_state_t *, int, bpf_u_int32,
647 struct slist *);
648 static struct block *gen_set(compiler_state_t *, bpf_u_int32, struct slist *);
649 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, u_int,
650 u_int, bpf_u_int32, int, int, bpf_u_int32);
651 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
652 u_int, u_int);
653 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
654 u_int);
655 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
656 static struct block *gen_uncond(compiler_state_t *, int);
657 static inline struct block *gen_true(compiler_state_t *);
658 static inline struct block *gen_false(compiler_state_t *);
659 static struct block *gen_ether_linktype(compiler_state_t *, bpf_u_int32);
660 static struct block *gen_ipnet_linktype(compiler_state_t *, bpf_u_int32);
661 static struct block *gen_linux_sll_linktype(compiler_state_t *, bpf_u_int32);
662 static struct slist *gen_load_pflog_llprefixlen(compiler_state_t *);
663 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
664 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
665 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
666 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
667 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
668 static struct slist *gen_abs_offset_varpart(compiler_state_t *,
669 bpf_abs_offset *);
670 static bpf_u_int32 ethertype_to_ppptype(bpf_u_int32);
671 static struct block *gen_linktype(compiler_state_t *, bpf_u_int32);
672 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
673 static struct block *gen_llc_linktype(compiler_state_t *, bpf_u_int32);
674 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
675 int, u_int, u_int);
676 #ifdef INET6
677 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
678 struct in6_addr *, int, u_int, u_int);
679 #endif
680 static struct block *gen_ahostop(compiler_state_t *, const uint8_t, int);
681 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
682 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
683 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
684 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
685 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
686 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
687 static struct block *gen_mpls_linktype(compiler_state_t *, bpf_u_int32);
688 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
689 int, int, int);
690 #ifdef INET6
691 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
692 struct in6_addr *, int, int, int);
693 #endif
694 #ifndef INET6
695 static struct block *gen_gateway(compiler_state_t *, const u_char *,
696 struct addrinfo *, int);
697 #endif
698 static struct block *gen_ipfrag(compiler_state_t *);
699 static struct block *gen_portatom(compiler_state_t *, int, bpf_u_int32);
700 static struct block *gen_portrangeatom(compiler_state_t *, u_int, bpf_u_int32,
701 bpf_u_int32);
702 static struct block *gen_portatom6(compiler_state_t *, int, bpf_u_int32);
703 static struct block *gen_portrangeatom6(compiler_state_t *, u_int, bpf_u_int32,
704 bpf_u_int32);
705 static struct block *gen_portop(compiler_state_t *, u_int, u_int, int);
706 static struct block *gen_port(compiler_state_t *, u_int, int, int);
707 static struct block *gen_portrangeop(compiler_state_t *, u_int, u_int,
708 bpf_u_int32, int);
709 static struct block *gen_portrange(compiler_state_t *, u_int, u_int, int, int);
710 struct block *gen_portop6(compiler_state_t *, u_int, u_int, int);
711 static struct block *gen_port6(compiler_state_t *, u_int, int, int);
712 static struct block *gen_portrangeop6(compiler_state_t *, u_int, u_int,
713 bpf_u_int32, int);
714 static struct block *gen_portrange6(compiler_state_t *, u_int, u_int, int, int);
715 static int lookup_proto(compiler_state_t *, const char *, int);
716 #if !defined(NO_PROTOCHAIN)
717 static struct block *gen_protochain(compiler_state_t *, bpf_u_int32, int);
718 #endif /* !defined(NO_PROTOCHAIN) */
719 static struct block *gen_proto(compiler_state_t *, bpf_u_int32, int);
720 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
721 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
722 static struct block *gen_mac_multicast(compiler_state_t *, int);
723 static struct block *gen_len(compiler_state_t *, int, int);
724 static struct block *gen_encap_ll_check(compiler_state_t *cstate);
725
726 static struct block *gen_atmfield_code_internal(compiler_state_t *, int,
727 bpf_u_int32, int, int);
728 static struct block *gen_atmtype_llc(compiler_state_t *);
729 static struct block *gen_msg_abbrev(compiler_state_t *, int type);
730
731 static void
732 initchunks(compiler_state_t *cstate)
733 {
734 int i;
735
736 for (i = 0; i < NCHUNKS; i++) {
737 cstate->chunks[i].n_left = 0;
738 cstate->chunks[i].m = NULL;
739 }
740 cstate->cur_chunk = 0;
741 }
742
743 static void *
744 newchunk_nolongjmp(compiler_state_t *cstate, size_t n)
745 {
746 struct chunk *cp;
747 int k;
748 size_t size;
749
750 /* Round up to chunk alignment. */
751 n = (n + CHUNK_ALIGN - 1) & ~(CHUNK_ALIGN - 1);
752
753 cp = &cstate->chunks[cstate->cur_chunk];
754 if (n > cp->n_left) {
755 ++cp;
756 k = ++cstate->cur_chunk;
757 if (k >= NCHUNKS) {
758 bpf_set_error(cstate, "out of memory");
759 return (NULL);
760 }
761 size = CHUNK0SIZE << k;
762 cp->m = (void *)malloc(size);
763 if (cp->m == NULL) {
764 bpf_set_error(cstate, "out of memory");
765 return (NULL);
766 }
767 memset((char *)cp->m, 0, size);
768 cp->n_left = size;
769 if (n > size) {
770 bpf_set_error(cstate, "out of memory");
771 return (NULL);
772 }
773 }
774 cp->n_left -= n;
775 return (void *)((char *)cp->m + cp->n_left);
776 }
777
778 static void *
779 newchunk(compiler_state_t *cstate, size_t n)
780 {
781 void *p;
782
783 p = newchunk_nolongjmp(cstate, n);
784 if (p == NULL) {
785 longjmp(cstate->top_ctx, 1);
786 /*NOTREACHED*/
787 }
788 return (p);
789 }
790
791 static void
792 freechunks(compiler_state_t *cstate)
793 {
794 int i;
795
796 for (i = 0; i < NCHUNKS; ++i)
797 if (cstate->chunks[i].m != NULL)
798 free(cstate->chunks[i].m);
799 }
800
801 /*
802 * A strdup whose allocations are freed after code generation is over.
803 * This is used by the lexical analyzer, so it can't longjmp; it just
804 * returns NULL on an allocation error, and the callers must check
805 * for it.
806 */
807 char *
808 sdup(compiler_state_t *cstate, const char *s)
809 {
810 size_t n = strlen(s) + 1;
811 char *cp = newchunk_nolongjmp(cstate, n);
812
813 if (cp == NULL)
814 return (NULL);
815 pcapint_strlcpy(cp, s, n);
816 return (cp);
817 }
818
819 static inline struct block *
820 new_block(compiler_state_t *cstate, int code)
821 {
822 struct block *p;
823
824 p = (struct block *)newchunk(cstate, sizeof(*p));
825 p->s.code = code;
826 p->head = p;
827
828 return p;
829 }
830
831 static inline struct slist *
832 new_stmt(compiler_state_t *cstate, int code)
833 {
834 struct slist *p;
835
836 p = (struct slist *)newchunk(cstate, sizeof(*p));
837 p->s.code = code;
838
839 return p;
840 }
841
842 static struct block *
843 gen_retblk_internal(compiler_state_t *cstate, int v)
844 {
845 struct block *b = new_block(cstate, BPF_RET|BPF_K);
846
847 b->s.k = v;
848 return b;
849 }
850
851 static struct block *
852 gen_retblk(compiler_state_t *cstate, int v)
853 {
854 if (setjmp(cstate->top_ctx)) {
855 /*
856 * gen_retblk() only fails because a memory
857 * allocation failed in newchunk(), meaning
858 * that it can't return a pointer.
859 *
860 * Return NULL.
861 */
862 return NULL;
863 }
864 return gen_retblk_internal(cstate, v);
865 }
866
867 static inline PCAP_NORETURN_DEF void
868 syntax(compiler_state_t *cstate)
869 {
870 bpf_error(cstate, "syntax error in filter expression");
871 }
872
873 /*
874 * For the given integer return a string with the keyword (or the nominal
875 * keyword if there is more than one). This is a simpler version of tok2str()
876 * in tcpdump because in this problem space a valid integer value is not
877 * greater than 71.
878 */
879 static const char *
880 qual2kw(const char *kind, const unsigned id, const char *tokens[],
881 const size_t size)
882 {
883 static char buf[4][64];
884 static int idx = 0;
885
886 if (id < size && tokens[id])
887 return tokens[id];
888
889 char *ret = buf[idx];
890 idx = (idx + 1) % (sizeof(buf) / sizeof(buf[0]));
891 ret[0] = '\0'; // just in case
892 snprintf(ret, sizeof(buf[0]), "<invalid %s %u>", kind, id);
893 return ret;
894 }
895
896 // protocol qualifier keywords
897 static const char *
898 pqkw(const unsigned id)
899 {
900 const char * tokens[] = {
901 [Q_LINK] = "link",
902 [Q_IP] = "ip",
903 [Q_ARP] = "arp",
904 [Q_RARP] = "rarp",
905 [Q_SCTP] = "sctp",
906 [Q_TCP] = "tcp",
907 [Q_UDP] = "udp",
908 [Q_ICMP] = "icmp",
909 [Q_IGMP] = "igmp",
910 [Q_IGRP] = "igrp",
911 [Q_ATALK] = "atalk",
912 [Q_DECNET] = "decnet",
913 [Q_LAT] = "lat",
914 [Q_SCA] = "sca",
915 [Q_MOPRC] = "moprc",
916 [Q_MOPDL] = "mopdl",
917 [Q_IPV6] = "ip6",
918 [Q_ICMPV6] = "icmp6",
919 [Q_AH] = "ah",
920 [Q_ESP] = "esp",
921 [Q_PIM] = "pim",
922 [Q_VRRP] = "vrrp",
923 [Q_AARP] = "aarp",
924 [Q_ISO] = "iso",
925 [Q_ESIS] = "esis",
926 [Q_ISIS] = "isis",
927 [Q_CLNP] = "clnp",
928 [Q_STP] = "stp",
929 [Q_IPX] = "ipx",
930 [Q_NETBEUI] = "netbeui",
931 [Q_ISIS_L1] = "l1",
932 [Q_ISIS_L2] = "l2",
933 [Q_ISIS_IIH] = "iih",
934 [Q_ISIS_SNP] = "snp",
935 [Q_ISIS_CSNP] = "csnp",
936 [Q_ISIS_PSNP] = "psnp",
937 [Q_ISIS_LSP] = "lsp",
938 [Q_RADIO] = "radio",
939 [Q_CARP] = "carp",
940 };
941 return qual2kw("proto", id, tokens, sizeof(tokens) / sizeof(tokens[0]));
942 }
943
944 // direction qualifier keywords
945 static const char *
946 dqkw(const unsigned id)
947 {
948 const char * map[] = {
949 [Q_SRC] = "src",
950 [Q_DST] = "dst",
951 [Q_OR] = "src or dst",
952 [Q_AND] = "src and dst",
953 [Q_ADDR1] = "addr1",
954 [Q_ADDR2] = "addr2",
955 [Q_ADDR3] = "addr3",
956 [Q_ADDR4] = "addr4",
957 [Q_RA] = "ra",
958 [Q_TA] = "ta",
959 };
960 return qual2kw("dir", id, map, sizeof(map) / sizeof(map[0]));
961 }
962
963 // ATM keywords
964 static const char *
965 atmkw(const unsigned id)
966 {
967 const char * tokens[] = {
968 [A_METAC] = "metac",
969 [A_BCC] = "bcc",
970 [A_OAMF4SC] = "oamf4sc",
971 [A_OAMF4EC] = "oamf4ec",
972 [A_SC] = "sc",
973 [A_ILMIC] = "ilmic",
974 [A_OAM] = "oam",
975 [A_OAMF4] = "oamf4",
976 [A_LANE] = "lane",
977 // no keyword for A_SETUP
978 // no keyword for A_CALLPROCEED
979 // no keyword for A_CONNECT
980 // no keyword for A_CONNECTACK
981 // no keyword for A_RELEASE
982 // no keyword for A_RELEASE_DONE
983 [A_VPI] = "vpi",
984 [A_VCI] = "vci",
985 // no keyword for A_PROTOTYPE
986 // no keyword for A_MSGTYPE
987 [A_CONNECTMSG] = "connectmsg",
988 [A_METACONNECT] = "metaconnect",
989 };
990 return qual2kw("ATM keyword", id, tokens, sizeof(tokens) / sizeof(tokens[0]));
991 }
992
993 // SS7 keywords
994 static const char *
995 ss7kw(const unsigned id)
996 {
997 const char * tokens[] = {
998 [M_FISU] = "fisu",
999 [M_LSSU] = "lssu",
1000 [M_MSU] = "msu",
1001 [MH_FISU] = "hfisu",
1002 [MH_LSSU] = "hlssu",
1003 [MH_MSU] = "hmsu",
1004 [M_SIO] = "sio",
1005 [M_OPC] = "opc",
1006 [M_DPC] = "dpc",
1007 [M_SLS] = "sls",
1008 [MH_SIO] = "hsio",
1009 [MH_OPC] = "hopc",
1010 [MH_DPC] = "hdpc",
1011 [MH_SLS] = "hsls",
1012 };
1013 return qual2kw("MTP keyword", id, tokens, sizeof(tokens) / sizeof(tokens[0]));
1014 }
1015
1016 static PCAP_NORETURN_DEF void
1017 fail_kw_on_dlt(compiler_state_t *cstate, const char *keyword)
1018 {
1019 bpf_error(cstate, "'%s' not supported on %s", keyword,
1020 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
1021 }
1022
1023 static void
1024 assert_pflog(compiler_state_t *cstate, const char *kw)
1025 {
1026 if (cstate->linktype != DLT_PFLOG)
1027 bpf_error(cstate, "'%s' supported only on PFLOG linktype", kw);
1028 }
1029
1030 static void
1031 assert_atm(compiler_state_t *cstate, const char *kw)
1032 {
1033 /*
1034 * Belt and braces: init_linktype() sets either all of these struct
1035 * members (for DLT_SUNATM) or none (otherwise).
1036 */
1037 if (cstate->linktype != DLT_SUNATM ||
1038 ! cstate->is_atm ||
1039 cstate->off_vpi == OFFSET_NOT_SET ||
1040 cstate->off_vci == OFFSET_NOT_SET ||
1041 cstate->off_proto == OFFSET_NOT_SET ||
1042 cstate->off_payload == OFFSET_NOT_SET)
1043 bpf_error(cstate, "'%s' supported only on SUNATM", kw);
1044 }
1045
1046 static void
1047 assert_ss7(compiler_state_t *cstate, const char *kw)
1048 {
1049 switch (cstate->linktype) {
1050 case DLT_MTP2:
1051 case DLT_ERF:
1052 case DLT_MTP2_WITH_PHDR:
1053 // Belt and braces, same as in assert_atm().
1054 if (cstate->off_sio != OFFSET_NOT_SET &&
1055 cstate->off_opc != OFFSET_NOT_SET &&
1056 cstate->off_dpc != OFFSET_NOT_SET &&
1057 cstate->off_sls != OFFSET_NOT_SET)
1058 return;
1059 }
1060 bpf_error(cstate, "'%s' supported only on SS7", kw);
1061 }
1062
1063 static void
1064 assert_maxval(compiler_state_t *cstate, const char *name,
1065 const bpf_u_int32 val, const bpf_u_int32 maxval)
1066 {
1067 if (val > maxval)
1068 bpf_error(cstate, "%s %u greater than maximum %u",
1069 name, val, maxval);
1070 }
1071
1072 #define ERRSTR_802_11_ONLY_KW "'%s' is valid for 802.11 syntax only"
1073 #define ERRSTR_INVALID_QUAL "'%s' is not a valid qualifier for '%s'"
1074
1075 // Validate a port/portrange proto qualifier and map to an IP protocol number.
1076 static int
1077 port_pq_to_ipproto(compiler_state_t *cstate, const int proto, const char *kw)
1078 {
1079 switch (proto) {
1080 case Q_UDP:
1081 return IPPROTO_UDP;
1082 case Q_TCP:
1083 return IPPROTO_TCP;
1084 case Q_SCTP:
1085 return IPPROTO_SCTP;
1086 case Q_DEFAULT:
1087 return PROTO_UNDEF;
1088 }
1089 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), kw);
1090 }
1091
1092 int
1093 pcap_compile(pcap_t *p, struct bpf_program *program,
1094 const char *buf, int optimize, bpf_u_int32 mask)
1095 {
1096 #ifdef _WIN32
1097 int err;
1098 WSADATA wsaData;
1099 #endif
1100 compiler_state_t cstate;
1101 yyscan_t scanner = NULL;
1102 YY_BUFFER_STATE in_buffer = NULL;
1103 u_int len;
1104 int rc;
1105
1106 /*
1107 * If this pcap_t hasn't been activated, it doesn't have a
1108 * link-layer type, so we can't use it.
1109 */
1110 if (!p->activated) {
1111 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1112 "not-yet-activated pcap_t passed to pcap_compile");
1113 return (PCAP_ERROR);
1114 }
1115
1116 #ifdef _WIN32
1117 /*
1118 * Initialize Winsock, asking for the latest version (2.2),
1119 * as we may be calling Winsock routines to translate
1120 * host names to addresses.
1121 */
1122 err = WSAStartup(MAKEWORD(2, 2), &wsaData);
1123 if (err != 0) {
1124 pcapint_fmt_errmsg_for_win32_err(p->errbuf, PCAP_ERRBUF_SIZE,
1125 err, "Error calling WSAStartup()");
1126 return (PCAP_ERROR);
1127 }
1128 #endif
1129
1130 #ifdef ENABLE_REMOTE
1131 /*
1132 * If the device on which we're capturing need to be notified
1133 * that a new filter is being compiled, do so.
1134 *
1135 * This allows them to save a copy of it, in case, for example,
1136 * they're implementing a form of remote packet capture, and
1137 * want the remote machine to filter out the packets in which
1138 * it's sending the packets it's captured.
1139 *
1140 * XXX - the fact that we happen to be compiling a filter
1141 * doesn't necessarily mean we'll be installing it as the
1142 * filter for this pcap_t; we might be running it from userland
1143 * on captured packets to do packet classification. We really
1144 * need a better way of handling this, but this is all that
1145 * the WinPcap remote capture code did.
1146 */
1147 if (p->save_current_filter_op != NULL)
1148 (p->save_current_filter_op)(p, buf);
1149 #endif
1150
1151 initchunks(&cstate);
1152 cstate.no_optimize = 0;
1153 #ifdef INET6
1154 cstate.ai = NULL;
1155 #endif
1156 cstate.e = NULL;
1157 cstate.ic.root = NULL;
1158 cstate.ic.cur_mark = 0;
1159 cstate.bpf_pcap = p;
1160 cstate.error_set = 0;
1161 init_regs(&cstate);
1162
1163 cstate.netmask = mask;
1164
1165 cstate.snaplen = pcap_snapshot(p);
1166 if (cstate.snaplen == 0) {
1167 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1168 "snaplen of 0 rejects all packets");
1169 rc = PCAP_ERROR;
1170 goto quit;
1171 }
1172
1173 if (pcap_lex_init(&scanner) != 0) {
1174 pcapint_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
1175 errno, "can't initialize scanner");
1176 rc = PCAP_ERROR;
1177 goto quit;
1178 }
1179 in_buffer = pcap__scan_string(buf ? buf : "", scanner);
1180
1181 /*
1182 * Associate the compiler state with the lexical analyzer
1183 * state.
1184 */
1185 pcap_set_extra(&cstate, scanner);
1186
1187 if (init_linktype(&cstate, p) == -1) {
1188 rc = PCAP_ERROR;
1189 goto quit;
1190 }
1191 if (pcap_parse(scanner, &cstate) != 0) {
1192 #ifdef INET6
1193 if (cstate.ai != NULL)
1194 freeaddrinfo(cstate.ai);
1195 #endif
1196 if (cstate.e != NULL)
1197 free(cstate.e);
1198 rc = PCAP_ERROR;
1199 goto quit;
1200 }
1201
1202 if (cstate.ic.root == NULL) {
1203 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
1204
1205 /*
1206 * Catch errors reported by gen_retblk().
1207 */
1208 if (cstate.ic.root== NULL) {
1209 rc = PCAP_ERROR;
1210 goto quit;
1211 }
1212 }
1213
1214 if (optimize && !cstate.no_optimize) {
1215 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) {
1216 /* Failure */
1217 rc = PCAP_ERROR;
1218 goto quit;
1219 }
1220 if (cstate.ic.root == NULL ||
1221 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) {
1222 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
1223 "expression rejects all packets");
1224 rc = PCAP_ERROR;
1225 goto quit;
1226 }
1227 }
1228 program->bf_insns = icode_to_fcode(&cstate.ic,
1229 cstate.ic.root, &len, p->errbuf);
1230 if (program->bf_insns == NULL) {
1231 /* Failure */
1232 rc = PCAP_ERROR;
1233 goto quit;
1234 }
1235 program->bf_len = len;
1236
1237 rc = 0; /* We're all okay */
1238
1239 quit:
1240 /*
1241 * Clean up everything for the lexical analyzer.
1242 */
1243 if (in_buffer != NULL)
1244 pcap__delete_buffer(in_buffer, scanner);
1245 if (scanner != NULL)
1246 pcap_lex_destroy(scanner);
1247
1248 /*
1249 * Clean up our own allocated memory.
1250 */
1251 freechunks(&cstate);
1252
1253 #ifdef _WIN32
1254 WSACleanup();
1255 #endif
1256
1257 return (rc);
1258 }
1259
1260 /*
1261 * entry point for using the compiler with no pcap open
1262 * pass in all the stuff that is needed explicitly instead.
1263 */
1264 int
1265 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
1266 struct bpf_program *program,
1267 const char *buf, int optimize, bpf_u_int32 mask)
1268 {
1269 pcap_t *p;
1270 int ret;
1271
1272 p = pcap_open_dead(linktype_arg, snaplen_arg);
1273 if (p == NULL)
1274 return (PCAP_ERROR);
1275 ret = pcap_compile(p, program, buf, optimize, mask);
1276 pcap_close(p);
1277 return (ret);
1278 }
1279
1280 /*
1281 * Clean up a "struct bpf_program" by freeing all the memory allocated
1282 * in it.
1283 */
1284 void
1285 pcap_freecode(struct bpf_program *program)
1286 {
1287 program->bf_len = 0;
1288 if (program->bf_insns != NULL) {
1289 free((char *)program->bf_insns);
1290 program->bf_insns = NULL;
1291 }
1292 }
1293
1294 /*
1295 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
1296 * which of the jt and jf fields has been resolved and which is a pointer
1297 * back to another unresolved block (or nil). At least one of the fields
1298 * in each block is already resolved.
1299 */
1300 static void
1301 backpatch(struct block *list, struct block *target)
1302 {
1303 struct block *next;
1304
1305 while (list) {
1306 if (!list->sense) {
1307 next = JT(list);
1308 JT(list) = target;
1309 } else {
1310 next = JF(list);
1311 JF(list) = target;
1312 }
1313 list = next;
1314 }
1315 }
1316
1317 /*
1318 * Merge the lists in b0 and b1, using the 'sense' field to indicate
1319 * which of jt and jf is the link.
1320 */
1321 static void
1322 merge(struct block *b0, struct block *b1)
1323 {
1324 register struct block **p = &b0;
1325
1326 /* Find end of list. */
1327 while (*p)
1328 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
1329
1330 /* Concatenate the lists. */
1331 *p = b1;
1332 }
1333
1334 int
1335 finish_parse(compiler_state_t *cstate, struct block *p)
1336 {
1337 /*
1338 * Catch errors reported by us and routines below us, and return -1
1339 * on an error.
1340 */
1341 if (setjmp(cstate->top_ctx))
1342 return (-1);
1343
1344 /*
1345 * Insert before the statements of the first (root) block any
1346 * statements needed to load the lengths of any variable-length
1347 * headers into registers.
1348 *
1349 * XXX - a fancier strategy would be to insert those before the
1350 * statements of all blocks that use those lengths and that
1351 * have no predecessors that use them, so that we only compute
1352 * the lengths if we need them. There might be even better
1353 * approaches than that.
1354 *
1355 * However, those strategies would be more complicated, and
1356 * as we don't generate code to compute a length if the
1357 * program has no tests that use the length, and as most
1358 * tests will probably use those lengths, we would just
1359 * postpone computing the lengths so that it's not done
1360 * for tests that fail early, and it's not clear that's
1361 * worth the effort.
1362 */
1363 insert_compute_vloffsets(cstate, p->head);
1364
1365 /*
1366 * For DLT_PPI captures, generate a check of the per-packet
1367 * DLT value to make sure it's DLT_IEEE802_11.
1368 *
1369 * XXX - TurboCap cards use DLT_PPI for Ethernet.
1370 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
1371 * with appropriate Ethernet information and use that rather
1372 * than using something such as DLT_PPI where you don't know
1373 * the link-layer header type until runtime, which, in the
1374 * general case, would force us to generate both Ethernet *and*
1375 * 802.11 code (*and* anything else for which PPI is used)
1376 * and choose between them early in the BPF program?
1377 */
1378 if (cstate->linktype == DLT_PPI) {
1379 struct block *ppi_dlt_check = gen_cmp(cstate, OR_PACKET,
1380 4, BPF_W, SWAPLONG(DLT_IEEE802_11));
1381 gen_and(ppi_dlt_check, p);
1382 }
1383
1384 backpatch(p, gen_retblk_internal(cstate, cstate->snaplen));
1385 p->sense = !p->sense;
1386 backpatch(p, gen_retblk_internal(cstate, 0));
1387 cstate->ic.root = p->head;
1388 return (0);
1389 }
1390
1391 void
1392 gen_and(struct block *b0, struct block *b1)
1393 {
1394 backpatch(b0, b1->head);
1395 b0->sense = !b0->sense;
1396 b1->sense = !b1->sense;
1397 merge(b1, b0);
1398 b1->sense = !b1->sense;
1399 b1->head = b0->head;
1400 }
1401
1402 void
1403 gen_or(struct block *b0, struct block *b1)
1404 {
1405 b0->sense = !b0->sense;
1406 backpatch(b0, b1->head);
1407 b0->sense = !b0->sense;
1408 merge(b1, b0);
1409 b1->head = b0->head;
1410 }
1411
1412 void
1413 gen_not(struct block *b)
1414 {
1415 b->sense = !b->sense;
1416 }
1417
1418 static struct block *
1419 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1420 u_int size, bpf_u_int32 v)
1421 {
1422 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
1423 }
1424
1425 static struct block *
1426 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1427 u_int size, bpf_u_int32 v)
1428 {
1429 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
1430 }
1431
1432 static struct block *
1433 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1434 u_int size, bpf_u_int32 v)
1435 {
1436 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
1437 }
1438
1439 static struct block *
1440 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1441 u_int size, bpf_u_int32 v)
1442 {
1443 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
1444 }
1445
1446 static struct block *
1447 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1448 u_int size, bpf_u_int32 v)
1449 {
1450 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
1451 }
1452
1453 static struct block *
1454 gen_cmp_ne(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1455 u_int size, bpf_u_int32 v)
1456 {
1457 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 1, v);
1458 }
1459
1460 static struct block *
1461 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1462 u_int size, bpf_u_int32 v, bpf_u_int32 mask)
1463 {
1464 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
1465 }
1466
1467 static struct block *
1468 gen_mcmp_ne(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1469 u_int size, bpf_u_int32 v, bpf_u_int32 mask)
1470 {
1471 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 1, v);
1472 }
1473
1474 static struct block *
1475 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1476 u_int size, const u_char *v)
1477 {
1478 register struct block *b, *tmp;
1479
1480 b = NULL;
1481 while (size >= 4) {
1482 register const u_char *p = &v[size - 4];
1483
1484 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W,
1485 EXTRACT_BE_U_4(p));
1486 if (b != NULL)
1487 gen_and(b, tmp);
1488 b = tmp;
1489 size -= 4;
1490 }
1491 while (size >= 2) {
1492 register const u_char *p = &v[size - 2];
1493
1494 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H,
1495 EXTRACT_BE_U_2(p));
1496 if (b != NULL)
1497 gen_and(b, tmp);
1498 b = tmp;
1499 size -= 2;
1500 }
1501 if (size > 0) {
1502 tmp = gen_cmp(cstate, offrel, offset, BPF_B, v[0]);
1503 if (b != NULL)
1504 gen_and(b, tmp);
1505 b = tmp;
1506 }
1507 return b;
1508 }
1509
1510 static struct block *
1511 gen_jmp(compiler_state_t *cstate, int jtype, bpf_u_int32 v, struct slist *stmts)
1512 {
1513 struct block *b = new_block(cstate, JMP(jtype));
1514 b->s.k = v;
1515 b->stmts = stmts;
1516 return b;
1517 }
1518
1519 static struct block *
1520 gen_set(compiler_state_t *cstate, bpf_u_int32 v, struct slist *stmts)
1521 {
1522 return gen_jmp(cstate, BPF_JSET, v, stmts);
1523 }
1524
1525 /*
1526 * AND the field of size "size" at offset "offset" relative to the header
1527 * specified by "offrel" with "mask", and compare it with the value "v"
1528 * with the test specified by "jtype"; if "reverse" is true, the test
1529 * should test the opposite of "jtype".
1530 */
1531 static struct block *
1532 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1533 u_int size, bpf_u_int32 mask, int jtype, int reverse,
1534 bpf_u_int32 v)
1535 {
1536 struct slist *s, *s2;
1537 struct block *b;
1538
1539 s = gen_load_a(cstate, offrel, offset, size);
1540
1541 if (mask != 0xffffffff) {
1542 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1543 s2->s.k = mask;
1544 sappend(s, s2);
1545 }
1546
1547 b = gen_jmp(cstate, jtype, v, s);
1548 if (reverse)
1549 gen_not(b);
1550 return b;
1551 }
1552
1553 static int
1554 init_linktype(compiler_state_t *cstate, pcap_t *p)
1555 {
1556 cstate->pcap_fddipad = p->fddipad;
1557
1558 /*
1559 * We start out with only one link-layer header.
1560 */
1561 cstate->outermostlinktype = pcap_datalink(p);
1562 cstate->off_outermostlinkhdr.constant_part = 0;
1563 cstate->off_outermostlinkhdr.is_variable = 0;
1564 cstate->off_outermostlinkhdr.reg = -1;
1565
1566 cstate->prevlinktype = cstate->outermostlinktype;
1567 cstate->off_prevlinkhdr.constant_part = 0;
1568 cstate->off_prevlinkhdr.is_variable = 0;
1569 cstate->off_prevlinkhdr.reg = -1;
1570
1571 cstate->linktype = cstate->outermostlinktype;
1572 cstate->off_linkhdr.constant_part = 0;
1573 cstate->off_linkhdr.is_variable = 0;
1574 cstate->off_linkhdr.reg = -1;
1575
1576 /*
1577 * XXX
1578 */
1579 cstate->off_linkpl.constant_part = 0;
1580 cstate->off_linkpl.is_variable = 0;
1581 cstate->off_linkpl.reg = -1;
1582
1583 cstate->off_linktype.constant_part = 0;
1584 cstate->off_linktype.is_variable = 0;
1585 cstate->off_linktype.reg = -1;
1586
1587 /*
1588 * Assume it's not raw ATM with a pseudo-header, for now.
1589 */
1590 cstate->is_atm = 0;
1591 cstate->off_vpi = OFFSET_NOT_SET;
1592 cstate->off_vci = OFFSET_NOT_SET;
1593 cstate->off_proto = OFFSET_NOT_SET;
1594 cstate->off_payload = OFFSET_NOT_SET;
1595
1596 /*
1597 * And not encapsulated with either Geneve or VXLAN.
1598 */
1599 cstate->is_encap = 0;
1600
1601 /*
1602 * No variable length VLAN offset by default
1603 */
1604 cstate->is_vlan_vloffset = 0;
1605
1606 /*
1607 * And assume we're not doing SS7.
1608 */
1609 cstate->off_li = OFFSET_NOT_SET;
1610 cstate->off_li_hsl = OFFSET_NOT_SET;
1611 cstate->off_sio = OFFSET_NOT_SET;
1612 cstate->off_opc = OFFSET_NOT_SET;
1613 cstate->off_dpc = OFFSET_NOT_SET;
1614 cstate->off_sls = OFFSET_NOT_SET;
1615
1616 cstate->label_stack_depth = 0;
1617 cstate->vlan_stack_depth = 0;
1618
1619 switch (cstate->linktype) {
1620
1621 case DLT_ARCNET:
1622 cstate->off_linktype.constant_part = 2;
1623 cstate->off_linkpl.constant_part = 6;
1624 cstate->off_nl = 0; /* XXX in reality, variable! */
1625 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1626 break;
1627
1628 case DLT_ARCNET_LINUX:
1629 cstate->off_linktype.constant_part = 4;
1630 cstate->off_linkpl.constant_part = 8;
1631 cstate->off_nl = 0; /* XXX in reality, variable! */
1632 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1633 break;
1634
1635 case DLT_EN10MB:
1636 cstate->off_linktype.constant_part = 12;
1637 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1638 cstate->off_nl = 0; /* Ethernet II */
1639 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1640 break;
1641
1642 case DLT_SLIP:
1643 /*
1644 * SLIP doesn't have a link level type. The 16 byte
1645 * header is hacked into our SLIP driver.
1646 */
1647 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1648 cstate->off_linkpl.constant_part = 16;
1649 cstate->off_nl = 0;
1650 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1651 break;
1652
1653 case DLT_SLIP_BSDOS:
1654 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1655 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1656 /* XXX end */
1657 cstate->off_linkpl.constant_part = 24;
1658 cstate->off_nl = 0;
1659 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1660 break;
1661
1662 case DLT_NULL:
1663 case DLT_LOOP:
1664 cstate->off_linktype.constant_part = 0;
1665 cstate->off_linkpl.constant_part = 4;
1666 cstate->off_nl = 0;
1667 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1668 break;
1669
1670 case DLT_ENC:
1671 cstate->off_linktype.constant_part = 0;
1672 cstate->off_linkpl.constant_part = 12;
1673 cstate->off_nl = 0;
1674 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1675 break;
1676
1677 case DLT_PPP:
1678 case DLT_PPP_PPPD:
1679 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1680 case DLT_HDLC: /* NetBSD (Cisco) HDLC */
1681 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1682 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1683 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1684 cstate->off_nl = 0;
1685 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1686 break;
1687
1688 case DLT_PPP_ETHER:
1689 /*
1690 * This does not include the Ethernet header, and
1691 * only covers session state.
1692 */
1693 cstate->off_linktype.constant_part = 6;
1694 cstate->off_linkpl.constant_part = 8;
1695 cstate->off_nl = 0;
1696 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1697 break;
1698
1699 case DLT_PPP_BSDOS:
1700 cstate->off_linktype.constant_part = 5;
1701 cstate->off_linkpl.constant_part = 24;
1702 cstate->off_nl = 0;
1703 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1704 break;
1705
1706 case DLT_FDDI:
1707 /*
1708 * FDDI doesn't really have a link-level type field.
1709 * We set "off_linktype" to the offset of the LLC header.
1710 *
1711 * To check for Ethernet types, we assume that SSAP = SNAP
1712 * is being used and pick out the encapsulated Ethernet type.
1713 * XXX - should we generate code to check for SNAP?
1714 */
1715 cstate->off_linktype.constant_part = 13;
1716 cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1717 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1718 cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1719 cstate->off_nl = 8; /* 802.2+SNAP */
1720 cstate->off_nl_nosnap = 3; /* 802.2 */
1721 break;
1722
1723 case DLT_IEEE802:
1724 /*
1725 * Token Ring doesn't really have a link-level type field.
1726 * We set "off_linktype" to the offset of the LLC header.
1727 *
1728 * To check for Ethernet types, we assume that SSAP = SNAP
1729 * is being used and pick out the encapsulated Ethernet type.
1730 * XXX - should we generate code to check for SNAP?
1731 *
1732 * XXX - the header is actually variable-length.
1733 * Some various Linux patched versions gave 38
1734 * as "off_linktype" and 40 as "off_nl"; however,
1735 * if a token ring packet has *no* routing
1736 * information, i.e. is not source-routed, the correct
1737 * values are 20 and 22, as they are in the vanilla code.
1738 *
1739 * A packet is source-routed iff the uppermost bit
1740 * of the first byte of the source address, at an
1741 * offset of 8, has the uppermost bit set. If the
1742 * packet is source-routed, the total number of bytes
1743 * of routing information is 2 plus bits 0x1F00 of
1744 * the 16-bit value at an offset of 14 (shifted right
1745 * 8 - figure out which byte that is).
1746 */
1747 cstate->off_linktype.constant_part = 14;
1748 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1749 cstate->off_nl = 8; /* 802.2+SNAP */
1750 cstate->off_nl_nosnap = 3; /* 802.2 */
1751 break;
1752
1753 case DLT_PRISM_HEADER:
1754 case DLT_IEEE802_11_RADIO_AVS:
1755 case DLT_IEEE802_11_RADIO:
1756 cstate->off_linkhdr.is_variable = 1;
1757 /* Fall through, 802.11 doesn't have a variable link
1758 * prefix but is otherwise the same. */
1759 /* FALLTHROUGH */
1760
1761 case DLT_IEEE802_11:
1762 /*
1763 * 802.11 doesn't really have a link-level type field.
1764 * We set "off_linktype.constant_part" to the offset of
1765 * the LLC header.
1766 *
1767 * To check for Ethernet types, we assume that SSAP = SNAP
1768 * is being used and pick out the encapsulated Ethernet type.
1769 * XXX - should we generate code to check for SNAP?
1770 *
1771 * We also handle variable-length radio headers here.
1772 * The Prism header is in theory variable-length, but in
1773 * practice it's always 144 bytes long. However, some
1774 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1775 * sometimes or always supply an AVS header, so we
1776 * have to check whether the radio header is a Prism
1777 * header or an AVS header, so, in practice, it's
1778 * variable-length.
1779 */
1780 cstate->off_linktype.constant_part = 24;
1781 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1782 cstate->off_linkpl.is_variable = 1;
1783 cstate->off_nl = 8; /* 802.2+SNAP */
1784 cstate->off_nl_nosnap = 3; /* 802.2 */
1785 break;
1786
1787 case DLT_PPI:
1788 /*
1789 * At the moment we treat PPI the same way that we treat
1790 * normal Radiotap encoded packets. The difference is in
1791 * the function that generates the code at the beginning
1792 * to compute the header length. Since this code generator
1793 * of PPI supports bare 802.11 encapsulation only (i.e.
1794 * the encapsulated DLT should be DLT_IEEE802_11) we
1795 * generate code to check for this too.
1796 */
1797 cstate->off_linktype.constant_part = 24;
1798 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1799 cstate->off_linkpl.is_variable = 1;
1800 cstate->off_linkhdr.is_variable = 1;
1801 cstate->off_nl = 8; /* 802.2+SNAP */
1802 cstate->off_nl_nosnap = 3; /* 802.2 */
1803 break;
1804
1805 case DLT_ATM_RFC1483:
1806 case DLT_ATM_CLIP: /* Linux ATM defines this */
1807 /*
1808 * assume routed, non-ISO PDUs
1809 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1810 *
1811 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1812 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1813 * latter would presumably be treated the way PPPoE
1814 * should be, so you can do "pppoe and udp port 2049"
1815 * or "pppoa and tcp port 80" and have it check for
1816 * PPPo{A,E} and a PPP protocol of IP and....
1817 */
1818 cstate->off_linktype.constant_part = 0;
1819 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1820 cstate->off_nl = 8; /* 802.2+SNAP */
1821 cstate->off_nl_nosnap = 3; /* 802.2 */
1822 break;
1823
1824 case DLT_SUNATM:
1825 /*
1826 * Full Frontal ATM; you get AALn PDUs with an ATM
1827 * pseudo-header.
1828 */
1829 cstate->is_atm = 1;
1830 cstate->off_vpi = SUNATM_VPI_POS;
1831 cstate->off_vci = SUNATM_VCI_POS;
1832 cstate->off_proto = PROTO_POS;
1833 cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1834 cstate->off_linktype.constant_part = cstate->off_payload;
1835 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1836 cstate->off_nl = 8; /* 802.2+SNAP */
1837 cstate->off_nl_nosnap = 3; /* 802.2 */
1838 break;
1839
1840 case DLT_RAW:
1841 case DLT_IPV4:
1842 case DLT_IPV6:
1843 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1844 cstate->off_linkpl.constant_part = 0;
1845 cstate->off_nl = 0;
1846 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1847 break;
1848
1849 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */
1850 cstate->off_linktype.constant_part = 14;
1851 cstate->off_linkpl.constant_part = 16;
1852 cstate->off_nl = 0;
1853 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1854 break;
1855
1856 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */
1857 cstate->off_linktype.constant_part = 0;
1858 cstate->off_linkpl.constant_part = 20;
1859 cstate->off_nl = 0;
1860 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1861 break;
1862
1863 case DLT_LTALK:
1864 /*
1865 * LocalTalk does have a 1-byte type field in the LLAP header,
1866 * but really it just indicates whether there is a "short" or
1867 * "long" DDP packet following.
1868 */
1869 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1870 cstate->off_linkpl.constant_part = 0;
1871 cstate->off_nl = 0;
1872 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1873 break;
1874
1875 case DLT_IP_OVER_FC:
1876 /*
1877 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1878 * link-level type field. We set "off_linktype" to the
1879 * offset of the LLC header.
1880 *
1881 * To check for Ethernet types, we assume that SSAP = SNAP
1882 * is being used and pick out the encapsulated Ethernet type.
1883 * XXX - should we generate code to check for SNAP? RFC
1884 * 2625 says SNAP should be used.
1885 */
1886 cstate->off_linktype.constant_part = 16;
1887 cstate->off_linkpl.constant_part = 16;
1888 cstate->off_nl = 8; /* 802.2+SNAP */
1889 cstate->off_nl_nosnap = 3; /* 802.2 */
1890 break;
1891
1892 case DLT_FRELAY:
1893 /*
1894 * XXX - we should set this to handle SNAP-encapsulated
1895 * frames (NLPID of 0x80).
1896 */
1897 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1898 cstate->off_linkpl.constant_part = 0;
1899 cstate->off_nl = 0;
1900 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1901 break;
1902
1903 /*
1904 * the only BPF-interesting FRF.16 frames are non-control frames;
1905 * Frame Relay has a variable length link-layer
1906 * so lets start with offset 4 for now and increments later on (FIXME);
1907 */
1908 case DLT_MFR:
1909 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1910 cstate->off_linkpl.constant_part = 0;
1911 cstate->off_nl = 4;
1912 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1913 break;
1914
1915 case DLT_APPLE_IP_OVER_IEEE1394:
1916 cstate->off_linktype.constant_part = 16;
1917 cstate->off_linkpl.constant_part = 18;
1918 cstate->off_nl = 0;
1919 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1920 break;
1921
1922 case DLT_SYMANTEC_FIREWALL:
1923 cstate->off_linktype.constant_part = 6;
1924 cstate->off_linkpl.constant_part = 44;
1925 cstate->off_nl = 0; /* Ethernet II */
1926 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1927 break;
1928
1929 case DLT_PFLOG:
1930 cstate->off_linktype.constant_part = 0;
1931 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1932 cstate->off_linkpl.is_variable = 1;
1933 cstate->off_nl = 0;
1934 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1935 break;
1936
1937 case DLT_JUNIPER_MFR:
1938 case DLT_JUNIPER_MLFR:
1939 case DLT_JUNIPER_MLPPP:
1940 case DLT_JUNIPER_PPP:
1941 case DLT_JUNIPER_CHDLC:
1942 case DLT_JUNIPER_FRELAY:
1943 cstate->off_linktype.constant_part = 4;
1944 cstate->off_linkpl.constant_part = 4;
1945 cstate->off_nl = 0;
1946 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1947 break;
1948
1949 case DLT_JUNIPER_ATM1:
1950 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1951 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1952 cstate->off_nl = 0;
1953 cstate->off_nl_nosnap = 10;
1954 break;
1955
1956 case DLT_JUNIPER_ATM2:
1957 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1958 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1959 cstate->off_nl = 0;
1960 cstate->off_nl_nosnap = 10;
1961 break;
1962
1963 /* frames captured on a Juniper PPPoE service PIC
1964 * contain raw ethernet frames */
1965 case DLT_JUNIPER_PPPOE:
1966 case DLT_JUNIPER_ETHER:
1967 cstate->off_linkpl.constant_part = 14;
1968 cstate->off_linktype.constant_part = 16;
1969 cstate->off_nl = 18; /* Ethernet II */
1970 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1971 break;
1972
1973 case DLT_JUNIPER_PPPOE_ATM:
1974 cstate->off_linktype.constant_part = 4;
1975 cstate->off_linkpl.constant_part = 6;
1976 cstate->off_nl = 0;
1977 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1978 break;
1979
1980 case DLT_JUNIPER_GGSN:
1981 cstate->off_linktype.constant_part = 6;
1982 cstate->off_linkpl.constant_part = 12;
1983 cstate->off_nl = 0;
1984 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1985 break;
1986
1987 case DLT_JUNIPER_ES:
1988 cstate->off_linktype.constant_part = 6;
1989 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1990 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1991 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1992 break;
1993
1994 case DLT_JUNIPER_MONITOR:
1995 cstate->off_linktype.constant_part = 12;
1996 cstate->off_linkpl.constant_part = 12;
1997 cstate->off_nl = 0; /* raw IP/IP6 header */
1998 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1999 break;
2000
2001 case DLT_BACNET_MS_TP:
2002 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2003 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2004 cstate->off_nl = OFFSET_NOT_SET;
2005 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2006 break;
2007
2008 case DLT_JUNIPER_SERVICES:
2009 cstate->off_linktype.constant_part = 12;
2010 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
2011 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
2012 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
2013 break;
2014
2015 case DLT_JUNIPER_VP:
2016 cstate->off_linktype.constant_part = 18;
2017 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2018 cstate->off_nl = OFFSET_NOT_SET;
2019 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2020 break;
2021
2022 case DLT_JUNIPER_ST:
2023 cstate->off_linktype.constant_part = 18;
2024 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2025 cstate->off_nl = OFFSET_NOT_SET;
2026 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2027 break;
2028
2029 case DLT_JUNIPER_ISM:
2030 cstate->off_linktype.constant_part = 8;
2031 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2032 cstate->off_nl = OFFSET_NOT_SET;
2033 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2034 break;
2035
2036 case DLT_JUNIPER_VS:
2037 case DLT_JUNIPER_SRX_E2E:
2038 case DLT_JUNIPER_FIBRECHANNEL:
2039 case DLT_JUNIPER_ATM_CEMIC:
2040 cstate->off_linktype.constant_part = 8;
2041 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2042 cstate->off_nl = OFFSET_NOT_SET;
2043 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2044 break;
2045
2046 case DLT_MTP2:
2047 cstate->off_li = 2;
2048 cstate->off_li_hsl = 4;
2049 cstate->off_sio = 3;
2050 cstate->off_opc = 4;
2051 cstate->off_dpc = 4;
2052 cstate->off_sls = 7;
2053 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2054 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2055 cstate->off_nl = OFFSET_NOT_SET;
2056 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2057 break;
2058
2059 case DLT_MTP2_WITH_PHDR:
2060 cstate->off_li = 6;
2061 cstate->off_li_hsl = 8;
2062 cstate->off_sio = 7;
2063 cstate->off_opc = 8;
2064 cstate->off_dpc = 8;
2065 cstate->off_sls = 11;
2066 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2067 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2068 cstate->off_nl = OFFSET_NOT_SET;
2069 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2070 break;
2071
2072 case DLT_ERF:
2073 cstate->off_li = 22;
2074 cstate->off_li_hsl = 24;
2075 cstate->off_sio = 23;
2076 cstate->off_opc = 24;
2077 cstate->off_dpc = 24;
2078 cstate->off_sls = 27;
2079 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2080 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2081 cstate->off_nl = OFFSET_NOT_SET;
2082 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2083 break;
2084
2085 case DLT_PFSYNC:
2086 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2087 cstate->off_linkpl.constant_part = 4;
2088 cstate->off_nl = 0;
2089 cstate->off_nl_nosnap = 0;
2090 break;
2091
2092 case DLT_AX25_KISS:
2093 /*
2094 * Currently, only raw "link[N:M]" filtering is supported.
2095 */
2096 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
2097 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2098 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
2099 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
2100 break;
2101
2102 case DLT_IPNET:
2103 cstate->off_linktype.constant_part = 1;
2104 cstate->off_linkpl.constant_part = 24; /* ipnet header length */
2105 cstate->off_nl = 0;
2106 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2107 break;
2108
2109 case DLT_NETANALYZER:
2110 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
2111 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
2112 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
2113 cstate->off_nl = 0; /* Ethernet II */
2114 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
2115 break;
2116
2117 case DLT_NETANALYZER_TRANSPARENT:
2118 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
2119 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
2120 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
2121 cstate->off_nl = 0; /* Ethernet II */
2122 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
2123 break;
2124
2125 default:
2126 /*
2127 * For values in the range in which we've assigned new
2128 * DLT_ values, only raw "link[N:M]" filtering is supported.
2129 */
2130 if (cstate->linktype >= DLT_HIGH_MATCHING_MIN &&
2131 cstate->linktype <= DLT_HIGH_MATCHING_MAX) {
2132 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
2133 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
2134 cstate->off_nl = OFFSET_NOT_SET;
2135 cstate->off_nl_nosnap = OFFSET_NOT_SET;
2136 } else {
2137 bpf_set_error(cstate, "unknown data link type %d (min %d, max %d)",
2138 cstate->linktype, DLT_HIGH_MATCHING_MIN, DLT_HIGH_MATCHING_MAX);
2139 return (-1);
2140 }
2141 break;
2142 }
2143
2144 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
2145 return (0);
2146 }
2147
2148 /*
2149 * Load a value relative to the specified absolute offset.
2150 */
2151 static struct slist *
2152 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
2153 u_int offset, u_int size)
2154 {
2155 struct slist *s, *s2;
2156
2157 s = gen_abs_offset_varpart(cstate, abs_offset);
2158
2159 /*
2160 * If "s" is non-null, it has code to arrange that the X register
2161 * contains the variable part of the absolute offset, so we
2162 * generate a load relative to that, with an offset of
2163 * abs_offset->constant_part + offset.
2164 *
2165 * Otherwise, we can do an absolute load with an offset of
2166 * abs_offset->constant_part + offset.
2167 */
2168 if (s != NULL) {
2169 /*
2170 * "s" points to a list of statements that puts the
2171 * variable part of the absolute offset into the X register.
2172 * Do an indirect load, to use the X register as an offset.
2173 */
2174 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
2175 s2->s.k = abs_offset->constant_part + offset;
2176 sappend(s, s2);
2177 } else {
2178 /*
2179 * There is no variable part of the absolute offset, so
2180 * just do an absolute load.
2181 */
2182 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
2183 s->s.k = abs_offset->constant_part + offset;
2184 }
2185 return s;
2186 }
2187
2188 /*
2189 * Load a value relative to the beginning of the specified header.
2190 */
2191 static struct slist *
2192 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
2193 u_int size)
2194 {
2195 struct slist *s, *s2;
2196
2197 /*
2198 * Squelch warnings from compilers that *don't* assume that
2199 * offrel always has a valid enum value and therefore don't
2200 * assume that we'll always go through one of the case arms.
2201 *
2202 * If we have a default case, compilers that *do* assume that
2203 * will then complain about the default case code being
2204 * unreachable.
2205 *
2206 * Damned if you do, damned if you don't.
2207 */
2208 s = NULL;
2209
2210 switch (offrel) {
2211
2212 case OR_PACKET:
2213 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
2214 s->s.k = offset;
2215 break;
2216
2217 case OR_LINKHDR:
2218 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
2219 break;
2220
2221 case OR_PREVLINKHDR:
2222 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
2223 break;
2224
2225 case OR_LLC:
2226 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
2227 break;
2228
2229 case OR_PREVMPLSHDR:
2230 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
2231 break;
2232
2233 case OR_LINKPL:
2234 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
2235 break;
2236
2237 case OR_LINKPL_NOSNAP:
2238 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
2239 break;
2240
2241 case OR_LINKTYPE:
2242 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
2243 break;
2244
2245 case OR_TRAN_IPV4:
2246 /*
2247 * Load the X register with the length of the IPv4 header
2248 * (plus the offset of the link-layer header, if it's
2249 * preceded by a variable-length header such as a radio
2250 * header), in bytes.
2251 */
2252 s = gen_loadx_iphdrlen(cstate);
2253
2254 /*
2255 * Load the item at {offset of the link-layer payload} +
2256 * {offset, relative to the start of the link-layer
2257 * payload, of the IPv4 header} + {length of the IPv4 header} +
2258 * {specified offset}.
2259 *
2260 * If the offset of the link-layer payload is variable,
2261 * the variable part of that offset is included in the
2262 * value in the X register, and we include the constant
2263 * part in the offset of the load.
2264 */
2265 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
2266 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
2267 sappend(s, s2);
2268 break;
2269
2270 case OR_TRAN_IPV6:
2271 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
2272 break;
2273 }
2274 return s;
2275 }
2276
2277 /*
2278 * Generate code to load into the X register the sum of the length of
2279 * the IPv4 header and the variable part of the offset of the link-layer
2280 * payload.
2281 */
2282 static struct slist *
2283 gen_loadx_iphdrlen(compiler_state_t *cstate)
2284 {
2285 struct slist *s, *s2;
2286
2287 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
2288 if (s != NULL) {
2289 /*
2290 * The offset of the link-layer payload has a variable
2291 * part. "s" points to a list of statements that put
2292 * the variable part of that offset into the X register.
2293 *
2294 * The 4*([k]&0xf) addressing mode can't be used, as we
2295 * don't have a constant offset, so we have to load the
2296 * value in question into the A register and add to it
2297 * the value from the X register.
2298 */
2299 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2300 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
2301 sappend(s, s2);
2302 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2303 s2->s.k = 0xf;
2304 sappend(s, s2);
2305 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2306 s2->s.k = 2;
2307 sappend(s, s2);
2308
2309 /*
2310 * The A register now contains the length of the IP header.
2311 * We need to add to it the variable part of the offset of
2312 * the link-layer payload, which is still in the X
2313 * register, and move the result into the X register.
2314 */
2315 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
2316 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
2317 } else {
2318 /*
2319 * The offset of the link-layer payload is a constant,
2320 * so no code was generated to load the (nonexistent)
2321 * variable part of that offset.
2322 *
2323 * This means we can use the 4*([k]&0xf) addressing
2324 * mode. Load the length of the IPv4 header, which
2325 * is at an offset of cstate->off_nl from the beginning of
2326 * the link-layer payload, and thus at an offset of
2327 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
2328 * of the raw packet data, using that addressing mode.
2329 */
2330 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
2331 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
2332 }
2333 return s;
2334 }
2335
2336
2337 static struct block *
2338 gen_uncond(compiler_state_t *cstate, int rsense)
2339 {
2340 struct slist *s;
2341
2342 s = new_stmt(cstate, BPF_LD|BPF_IMM);
2343 s->s.k = !rsense;
2344 return gen_jmp(cstate, BPF_JEQ, 0, s);
2345 }
2346
2347 static inline struct block *
2348 gen_true(compiler_state_t *cstate)
2349 {
2350 return gen_uncond(cstate, 1);
2351 }
2352
2353 static inline struct block *
2354 gen_false(compiler_state_t *cstate)
2355 {
2356 return gen_uncond(cstate, 0);
2357 }
2358
2359 /*
2360 * Generate code to match a particular packet type.
2361 *
2362 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2363 * value, if <= ETHERMTU. We use that to determine whether to
2364 * match the type/length field or to check the type/length field for
2365 * a value <= ETHERMTU to see whether it's a type field and then do
2366 * the appropriate test.
2367 */
2368 static struct block *
2369 gen_ether_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2370 {
2371 struct block *b0, *b1;
2372
2373 switch (ll_proto) {
2374
2375 case LLCSAP_ISONS:
2376 case LLCSAP_IP:
2377 case LLCSAP_NETBEUI:
2378 /*
2379 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2380 * so we check the DSAP and SSAP.
2381 *
2382 * LLCSAP_IP checks for IP-over-802.2, rather
2383 * than IP-over-Ethernet or IP-over-SNAP.
2384 *
2385 * XXX - should we check both the DSAP and the
2386 * SSAP, like this, or should we check just the
2387 * DSAP, as we do for other types <= ETHERMTU
2388 * (i.e., other SAP values)?
2389 */
2390 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2391 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2392 gen_and(b0, b1);
2393 return b1;
2394
2395 case LLCSAP_IPX:
2396 /*
2397 * Check for;
2398 *
2399 * Ethernet_II frames, which are Ethernet
2400 * frames with a frame type of ETHERTYPE_IPX;
2401 *
2402 * Ethernet_802.3 frames, which are 802.3
2403 * frames (i.e., the type/length field is
2404 * a length field, <= ETHERMTU, rather than
2405 * a type field) with the first two bytes
2406 * after the Ethernet/802.3 header being
2407 * 0xFFFF;
2408 *
2409 * Ethernet_802.2 frames, which are 802.3
2410 * frames with an 802.2 LLC header and
2411 * with the IPX LSAP as the DSAP in the LLC
2412 * header;
2413 *
2414 * Ethernet_SNAP frames, which are 802.3
2415 * frames with an LLC header and a SNAP
2416 * header and with an OUI of 0x000000
2417 * (encapsulated Ethernet) and a protocol
2418 * ID of ETHERTYPE_IPX in the SNAP header.
2419 *
2420 * XXX - should we generate the same code both
2421 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
2422 */
2423
2424 /*
2425 * This generates code to check both for the
2426 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
2427 */
2428 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2429 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
2430 gen_or(b0, b1);
2431
2432 /*
2433 * Now we add code to check for SNAP frames with
2434 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
2435 */
2436 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2437 gen_or(b0, b1);
2438
2439 /*
2440 * Now we generate code to check for 802.3
2441 * frames in general.
2442 */
2443 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2444
2445 /*
2446 * Now add the check for 802.3 frames before the
2447 * check for Ethernet_802.2 and Ethernet_802.3,
2448 * as those checks should only be done on 802.3
2449 * frames, not on Ethernet frames.
2450 */
2451 gen_and(b0, b1);
2452
2453 /*
2454 * Now add the check for Ethernet_II frames, and
2455 * do that before checking for the other frame
2456 * types.
2457 */
2458 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2459 gen_or(b0, b1);
2460 return b1;
2461
2462 case ETHERTYPE_ATALK:
2463 case ETHERTYPE_AARP:
2464 /*
2465 * EtherTalk (AppleTalk protocols on Ethernet link
2466 * layer) may use 802.2 encapsulation.
2467 */
2468
2469 /*
2470 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2471 * we check for an Ethernet type field less or equal than
2472 * 1500, which means it's an 802.3 length field.
2473 */
2474 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2475
2476 /*
2477 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2478 * SNAP packets with an organization code of
2479 * 0x080007 (Apple, for Appletalk) and a protocol
2480 * type of ETHERTYPE_ATALK (Appletalk).
2481 *
2482 * 802.2-encapsulated ETHERTYPE_AARP packets are
2483 * SNAP packets with an organization code of
2484 * 0x000000 (encapsulated Ethernet) and a protocol
2485 * type of ETHERTYPE_AARP (Appletalk ARP).
2486 */
2487 if (ll_proto == ETHERTYPE_ATALK)
2488 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2489 else /* ll_proto == ETHERTYPE_AARP */
2490 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2491 gen_and(b0, b1);
2492
2493 /*
2494 * Check for Ethernet encapsulation (Ethertalk
2495 * phase 1?); we just check for the Ethernet
2496 * protocol type.
2497 */
2498 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2499
2500 gen_or(b0, b1);
2501 return b1;
2502
2503 default:
2504 if (ll_proto <= ETHERMTU) {
2505 /*
2506 * This is an LLC SAP value, so the frames
2507 * that match would be 802.2 frames.
2508 * Check that the frame is an 802.2 frame
2509 * (i.e., that the length/type field is
2510 * a length field, <= ETHERMTU) and
2511 * then check the DSAP.
2512 */
2513 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2514 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, ll_proto);
2515 gen_and(b0, b1);
2516 return b1;
2517 } else {
2518 /*
2519 * This is an Ethernet type, so compare
2520 * the length/type field with it (if
2521 * the frame is an 802.2 frame, the length
2522 * field will be <= ETHERMTU, and, as
2523 * "ll_proto" is > ETHERMTU, this test
2524 * will fail and the frame won't match,
2525 * which is what we want).
2526 */
2527 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2528 }
2529 }
2530 }
2531
2532 static struct block *
2533 gen_loopback_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2534 {
2535 /*
2536 * For DLT_NULL, the link-layer header is a 32-bit word
2537 * containing an AF_ value in *host* byte order, and for
2538 * DLT_ENC, the link-layer header begins with a 32-bit
2539 * word containing an AF_ value in host byte order.
2540 *
2541 * In addition, if we're reading a saved capture file,
2542 * the host byte order in the capture may not be the
2543 * same as the host byte order on this machine.
2544 *
2545 * For DLT_LOOP, the link-layer header is a 32-bit
2546 * word containing an AF_ value in *network* byte order.
2547 */
2548 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2549 /*
2550 * The AF_ value is in host byte order, but the BPF
2551 * interpreter will convert it to network byte order.
2552 *
2553 * If this is a save file, and it's from a machine
2554 * with the opposite byte order to ours, we byte-swap
2555 * the AF_ value.
2556 *
2557 * Then we run it through "htonl()", and generate
2558 * code to compare against the result.
2559 */
2560 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2561 ll_proto = SWAPLONG(ll_proto);
2562 ll_proto = htonl(ll_proto);
2563 }
2564 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, ll_proto));
2565 }
2566
2567 /*
2568 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2569 * or IPv6 then we have an error.
2570 */
2571 static struct block *
2572 gen_ipnet_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2573 {
2574 switch (ll_proto) {
2575
2576 case ETHERTYPE_IP:
2577 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET);
2578 /*NOTREACHED*/
2579
2580 case ETHERTYPE_IPV6:
2581 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET6);
2582 /*NOTREACHED*/
2583
2584 default:
2585 break;
2586 }
2587
2588 return gen_false(cstate);
2589 }
2590
2591 /*
2592 * Generate code to match a particular packet type.
2593 *
2594 * "ll_proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2595 * value, if <= ETHERMTU. We use that to determine whether to
2596 * match the type field or to check the type field for the special
2597 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2598 */
2599 static struct block *
2600 gen_linux_sll_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2601 {
2602 struct block *b0, *b1;
2603
2604 switch (ll_proto) {
2605
2606 case LLCSAP_ISONS:
2607 case LLCSAP_IP:
2608 case LLCSAP_NETBEUI:
2609 /*
2610 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2611 * so we check the DSAP and SSAP.
2612 *
2613 * LLCSAP_IP checks for IP-over-802.2, rather
2614 * than IP-over-Ethernet or IP-over-SNAP.
2615 *
2616 * XXX - should we check both the DSAP and the
2617 * SSAP, like this, or should we check just the
2618 * DSAP, as we do for other types <= ETHERMTU
2619 * (i.e., other SAP values)?
2620 */
2621 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2622 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2623 gen_and(b0, b1);
2624 return b1;
2625
2626 case LLCSAP_IPX:
2627 /*
2628 * Ethernet_II frames, which are Ethernet
2629 * frames with a frame type of ETHERTYPE_IPX;
2630 *
2631 * Ethernet_802.3 frames, which have a frame
2632 * type of LINUX_SLL_P_802_3;
2633 *
2634 * Ethernet_802.2 frames, which are 802.3
2635 * frames with an 802.2 LLC header (i.e, have
2636 * a frame type of LINUX_SLL_P_802_2) and
2637 * with the IPX LSAP as the DSAP in the LLC
2638 * header;
2639 *
2640 * Ethernet_SNAP frames, which are 802.3
2641 * frames with an LLC header and a SNAP
2642 * header and with an OUI of 0x000000
2643 * (encapsulated Ethernet) and a protocol
2644 * ID of ETHERTYPE_IPX in the SNAP header.
2645 *
2646 * First, do the checks on LINUX_SLL_P_802_2
2647 * frames; generate the check for either
2648 * Ethernet_802.2 or Ethernet_SNAP frames, and
2649 * then put a check for LINUX_SLL_P_802_2 frames
2650 * before it.
2651 */
2652 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2653 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2654 gen_or(b0, b1);
2655 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2656 gen_and(b0, b1);
2657
2658 /*
2659 * Now check for 802.3 frames and OR that with
2660 * the previous test.
2661 */
2662 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2663 gen_or(b0, b1);
2664
2665 /*
2666 * Now add the check for Ethernet_II frames, and
2667 * do that before checking for the other frame
2668 * types.
2669 */
2670 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2671 gen_or(b0, b1);
2672 return b1;
2673
2674 case ETHERTYPE_ATALK:
2675 case ETHERTYPE_AARP:
2676 /*
2677 * EtherTalk (AppleTalk protocols on Ethernet link
2678 * layer) may use 802.2 encapsulation.
2679 */
2680
2681 /*
2682 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2683 * we check for the 802.2 protocol type in the
2684 * "Ethernet type" field.
2685 */
2686 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2687
2688 /*
2689 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2690 * SNAP packets with an organization code of
2691 * 0x080007 (Apple, for Appletalk) and a protocol
2692 * type of ETHERTYPE_ATALK (Appletalk).
2693 *
2694 * 802.2-encapsulated ETHERTYPE_AARP packets are
2695 * SNAP packets with an organization code of
2696 * 0x000000 (encapsulated Ethernet) and a protocol
2697 * type of ETHERTYPE_AARP (Appletalk ARP).
2698 */
2699 if (ll_proto == ETHERTYPE_ATALK)
2700 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2701 else /* ll_proto == ETHERTYPE_AARP */
2702 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2703 gen_and(b0, b1);
2704
2705 /*
2706 * Check for Ethernet encapsulation (Ethertalk
2707 * phase 1?); we just check for the Ethernet
2708 * protocol type.
2709 */
2710 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2711
2712 gen_or(b0, b1);
2713 return b1;
2714
2715 default:
2716 if (ll_proto <= ETHERMTU) {
2717 /*
2718 * This is an LLC SAP value, so the frames
2719 * that match would be 802.2 frames.
2720 * Check for the 802.2 protocol type
2721 * in the "Ethernet type" field, and
2722 * then check the DSAP.
2723 */
2724 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2725 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2726 ll_proto);
2727 gen_and(b0, b1);
2728 return b1;
2729 } else {
2730 /*
2731 * This is an Ethernet type, so compare
2732 * the length/type field with it (if
2733 * the frame is an 802.2 frame, the length
2734 * field will be <= ETHERMTU, and, as
2735 * "ll_proto" is > ETHERMTU, this test
2736 * will fail and the frame won't match,
2737 * which is what we want).
2738 */
2739 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2740 }
2741 }
2742 }
2743
2744 /*
2745 * Load a value relative to the beginning of the link-layer header after the
2746 * pflog header.
2747 */
2748 static struct slist *
2749 gen_load_pflog_llprefixlen(compiler_state_t *cstate)
2750 {
2751 struct slist *s1, *s2;
2752
2753 /*
2754 * Generate code to load the length of the pflog header into
2755 * the register assigned to hold that length, if one has been
2756 * assigned. (If one hasn't been assigned, no code we've
2757 * generated uses that prefix, so we don't need to generate any
2758 * code to load it.)
2759 */
2760 if (cstate->off_linkpl.reg != -1) {
2761 /*
2762 * The length is in the first byte of the header.
2763 */
2764 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2765 s1->s.k = 0;
2766
2767 /*
2768 * Round it up to a multiple of 4.
2769 * Add 3, and clear the lower 2 bits.
2770 */
2771 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2772 s2->s.k = 3;
2773 sappend(s1, s2);
2774 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2775 s2->s.k = 0xfffffffc;
2776 sappend(s1, s2);
2777
2778 /*
2779 * Now allocate a register to hold that value and store
2780 * it.
2781 */
2782 s2 = new_stmt(cstate, BPF_ST);
2783 s2->s.k = cstate->off_linkpl.reg;
2784 sappend(s1, s2);
2785
2786 /*
2787 * Now move it into the X register.
2788 */
2789 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2790 sappend(s1, s2);
2791
2792 return (s1);
2793 } else
2794 return (NULL);
2795 }
2796
2797 static struct slist *
2798 gen_load_prism_llprefixlen(compiler_state_t *cstate)
2799 {
2800 struct slist *s1, *s2;
2801 struct slist *sjeq_avs_cookie;
2802 struct slist *sjcommon;
2803
2804 /*
2805 * This code is not compatible with the optimizer, as
2806 * we are generating jmp instructions within a normal
2807 * slist of instructions
2808 */
2809 cstate->no_optimize = 1;
2810
2811 /*
2812 * Generate code to load the length of the radio header into
2813 * the register assigned to hold that length, if one has been
2814 * assigned. (If one hasn't been assigned, no code we've
2815 * generated uses that prefix, so we don't need to generate any
2816 * code to load it.)
2817 *
2818 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2819 * or always use the AVS header rather than the Prism header.
2820 * We load a 4-byte big-endian value at the beginning of the
2821 * raw packet data, and see whether, when masked with 0xFFFFF000,
2822 * it's equal to 0x80211000. If so, that indicates that it's
2823 * an AVS header (the masked-out bits are the version number).
2824 * Otherwise, it's a Prism header.
2825 *
2826 * XXX - the Prism header is also, in theory, variable-length,
2827 * but no known software generates headers that aren't 144
2828 * bytes long.
2829 */
2830 if (cstate->off_linkhdr.reg != -1) {
2831 /*
2832 * Load the cookie.
2833 */
2834 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2835 s1->s.k = 0;
2836
2837 /*
2838 * AND it with 0xFFFFF000.
2839 */
2840 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2841 s2->s.k = 0xFFFFF000;
2842 sappend(s1, s2);
2843
2844 /*
2845 * Compare with 0x80211000.
2846 */
2847 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2848 sjeq_avs_cookie->s.k = 0x80211000;
2849 sappend(s1, sjeq_avs_cookie);
2850
2851 /*
2852 * If it's AVS:
2853 *
2854 * The 4 bytes at an offset of 4 from the beginning of
2855 * the AVS header are the length of the AVS header.
2856 * That field is big-endian.
2857 */
2858 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2859 s2->s.k = 4;
2860 sappend(s1, s2);
2861 sjeq_avs_cookie->s.jt = s2;
2862
2863 /*
2864 * Now jump to the code to allocate a register
2865 * into which to save the header length and
2866 * store the length there. (The "jump always"
2867 * instruction needs to have the k field set;
2868 * it's added to the PC, so, as we're jumping
2869 * over a single instruction, it should be 1.)
2870 */
2871 sjcommon = new_stmt(cstate, JMP(BPF_JA));
2872 sjcommon->s.k = 1;
2873 sappend(s1, sjcommon);
2874
2875 /*
2876 * Now for the code that handles the Prism header.
2877 * Just load the length of the Prism header (144)
2878 * into the A register. Have the test for an AVS
2879 * header branch here if we don't have an AVS header.
2880 */
2881 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2882 s2->s.k = 144;
2883 sappend(s1, s2);
2884 sjeq_avs_cookie->s.jf = s2;
2885
2886 /*
2887 * Now allocate a register to hold that value and store
2888 * it. The code for the AVS header will jump here after
2889 * loading the length of the AVS header.
2890 */
2891 s2 = new_stmt(cstate, BPF_ST);
2892 s2->s.k = cstate->off_linkhdr.reg;
2893 sappend(s1, s2);
2894 sjcommon->s.jf = s2;
2895
2896 /*
2897 * Now move it into the X register.
2898 */
2899 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2900 sappend(s1, s2);
2901
2902 return (s1);
2903 } else
2904 return (NULL);
2905 }
2906
2907 static struct slist *
2908 gen_load_avs_llprefixlen(compiler_state_t *cstate)
2909 {
2910 struct slist *s1, *s2;
2911
2912 /*
2913 * Generate code to load the length of the AVS header into
2914 * the register assigned to hold that length, if one has been
2915 * assigned. (If one hasn't been assigned, no code we've
2916 * generated uses that prefix, so we don't need to generate any
2917 * code to load it.)
2918 */
2919 if (cstate->off_linkhdr.reg != -1) {
2920 /*
2921 * The 4 bytes at an offset of 4 from the beginning of
2922 * the AVS header are the length of the AVS header.
2923 * That field is big-endian.
2924 */
2925 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2926 s1->s.k = 4;
2927
2928 /*
2929 * Now allocate a register to hold that value and store
2930 * it.
2931 */
2932 s2 = new_stmt(cstate, BPF_ST);
2933 s2->s.k = cstate->off_linkhdr.reg;
2934 sappend(s1, s2);
2935
2936 /*
2937 * Now move it into the X register.
2938 */
2939 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2940 sappend(s1, s2);
2941
2942 return (s1);
2943 } else
2944 return (NULL);
2945 }
2946
2947 static struct slist *
2948 gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2949 {
2950 struct slist *s1, *s2;
2951
2952 /*
2953 * Generate code to load the length of the radiotap header into
2954 * the register assigned to hold that length, if one has been
2955 * assigned. (If one hasn't been assigned, no code we've
2956 * generated uses that prefix, so we don't need to generate any
2957 * code to load it.)
2958 */
2959 if (cstate->off_linkhdr.reg != -1) {
2960 /*
2961 * The 2 bytes at offsets of 2 and 3 from the beginning
2962 * of the radiotap header are the length of the radiotap
2963 * header; unfortunately, it's little-endian, so we have
2964 * to load it a byte at a time and construct the value.
2965 */
2966
2967 /*
2968 * Load the high-order byte, at an offset of 3, shift it
2969 * left a byte, and put the result in the X register.
2970 */
2971 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2972 s1->s.k = 3;
2973 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2974 sappend(s1, s2);
2975 s2->s.k = 8;
2976 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2977 sappend(s1, s2);
2978
2979 /*
2980 * Load the next byte, at an offset of 2, and OR the
2981 * value from the X register into it.
2982 */
2983 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2984 sappend(s1, s2);
2985 s2->s.k = 2;
2986 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2987 sappend(s1, s2);
2988
2989 /*
2990 * Now allocate a register to hold that value and store
2991 * it.
2992 */
2993 s2 = new_stmt(cstate, BPF_ST);
2994 s2->s.k = cstate->off_linkhdr.reg;
2995 sappend(s1, s2);
2996
2997 /*
2998 * Now move it into the X register.
2999 */
3000 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
3001 sappend(s1, s2);
3002
3003 return (s1);
3004 } else
3005 return (NULL);
3006 }
3007
3008 /*
3009 * At the moment we treat PPI as normal Radiotap encoded
3010 * packets. The difference is in the function that generates
3011 * the code at the beginning to compute the header length.
3012 * Since this code generator of PPI supports bare 802.11
3013 * encapsulation only (i.e. the encapsulated DLT should be
3014 * DLT_IEEE802_11) we generate code to check for this too;
3015 * that's done in finish_parse().
3016 */
3017 static struct slist *
3018 gen_load_ppi_llprefixlen(compiler_state_t *cstate)
3019 {
3020 struct slist *s1, *s2;
3021
3022 /*
3023 * Generate code to load the length of the radiotap header
3024 * into the register assigned to hold that length, if one has
3025 * been assigned.
3026 */
3027 if (cstate->off_linkhdr.reg != -1) {
3028 /*
3029 * The 2 bytes at offsets of 2 and 3 from the beginning
3030 * of the radiotap header are the length of the radiotap
3031 * header; unfortunately, it's little-endian, so we have
3032 * to load it a byte at a time and construct the value.
3033 */
3034
3035 /*
3036 * Load the high-order byte, at an offset of 3, shift it
3037 * left a byte, and put the result in the X register.
3038 */
3039 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
3040 s1->s.k = 3;
3041 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
3042 sappend(s1, s2);
3043 s2->s.k = 8;
3044 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
3045 sappend(s1, s2);
3046
3047 /*
3048 * Load the next byte, at an offset of 2, and OR the
3049 * value from the X register into it.
3050 */
3051 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
3052 sappend(s1, s2);
3053 s2->s.k = 2;
3054 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
3055 sappend(s1, s2);
3056
3057 /*
3058 * Now allocate a register to hold that value and store
3059 * it.
3060 */
3061 s2 = new_stmt(cstate, BPF_ST);
3062 s2->s.k = cstate->off_linkhdr.reg;
3063 sappend(s1, s2);
3064
3065 /*
3066 * Now move it into the X register.
3067 */
3068 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
3069 sappend(s1, s2);
3070
3071 return (s1);
3072 } else
3073 return (NULL);
3074 }
3075
3076 /*
3077 * Load a value relative to the beginning of the link-layer header after the 802.11
3078 * header, i.e. LLC_SNAP.
3079 * The link-layer header doesn't necessarily begin at the beginning
3080 * of the packet data; there might be a variable-length prefix containing
3081 * radio information.
3082 */
3083 static struct slist *
3084 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
3085 {
3086 struct slist *s2;
3087 struct slist *sjset_data_frame_1;
3088 struct slist *sjset_data_frame_2;
3089 struct slist *sjset_qos;
3090 struct slist *sjset_radiotap_flags_present;
3091 struct slist *sjset_radiotap_ext_present;
3092 struct slist *sjset_radiotap_tsft_present;
3093 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
3094 struct slist *s_roundup;
3095
3096 if (cstate->off_linkpl.reg == -1) {
3097 /*
3098 * No register has been assigned to the offset of
3099 * the link-layer payload, which means nobody needs
3100 * it; don't bother computing it - just return
3101 * what we already have.
3102 */
3103 return (s);
3104 }
3105
3106 /*
3107 * This code is not compatible with the optimizer, as
3108 * we are generating jmp instructions within a normal
3109 * slist of instructions
3110 */
3111 cstate->no_optimize = 1;
3112
3113 /*
3114 * If "s" is non-null, it has code to arrange that the X register
3115 * contains the length of the prefix preceding the link-layer
3116 * header.
3117 *
3118 * Otherwise, the length of the prefix preceding the link-layer
3119 * header is "off_outermostlinkhdr.constant_part".
3120 */
3121 if (s == NULL) {
3122 /*
3123 * There is no variable-length header preceding the
3124 * link-layer header.
3125 *
3126 * Load the length of the fixed-length prefix preceding
3127 * the link-layer header (if any) into the X register,
3128 * and store it in the cstate->off_linkpl.reg register.
3129 * That length is off_outermostlinkhdr.constant_part.
3130 */
3131 s = new_stmt(cstate, BPF_LDX|BPF_IMM);
3132 s->s.k = cstate->off_outermostlinkhdr.constant_part;
3133 }
3134
3135 /*
3136 * The X register contains the offset of the beginning of the
3137 * link-layer header; add 24, which is the minimum length
3138 * of the MAC header for a data frame, to that, and store it
3139 * in cstate->off_linkpl.reg, and then load the Frame Control field,
3140 * which is at the offset in the X register, with an indexed load.
3141 */
3142 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
3143 sappend(s, s2);
3144 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
3145 s2->s.k = 24;
3146 sappend(s, s2);
3147 s2 = new_stmt(cstate, BPF_ST);
3148 s2->s.k = cstate->off_linkpl.reg;
3149 sappend(s, s2);
3150
3151 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
3152 s2->s.k = 0;
3153 sappend(s, s2);
3154
3155 /*
3156 * Check the Frame Control field to see if this is a data frame;
3157 * a data frame has the 0x08 bit (b3) in that field set and the
3158 * 0x04 bit (b2) clear.
3159 */
3160 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
3161 sjset_data_frame_1->s.k = IEEE80211_FC0_TYPE_DATA;
3162 sappend(s, sjset_data_frame_1);
3163
3164 /*
3165 * If b3 is set, test b2, otherwise go to the first statement of
3166 * the rest of the program.
3167 */
3168 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
3169 sjset_data_frame_2->s.k = IEEE80211_FC0_TYPE_CTL;
3170 sappend(s, sjset_data_frame_2);
3171 sjset_data_frame_1->s.jf = snext;
3172
3173 /*
3174 * If b2 is not set, this is a data frame; test the QoS bit.
3175 * Otherwise, go to the first statement of the rest of the
3176 * program.
3177 */
3178 sjset_data_frame_2->s.jt = snext;
3179 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
3180 sjset_qos->s.k = IEEE80211_FC0_SUBTYPE_QOS;
3181 sappend(s, sjset_qos);
3182
3183 /*
3184 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
3185 * field.
3186 * Otherwise, go to the first statement of the rest of the
3187 * program.
3188 */
3189 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
3190 s2->s.k = cstate->off_linkpl.reg;
3191 sappend(s, s2);
3192 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
3193 s2->s.k = 2;
3194 sappend(s, s2);
3195 s2 = new_stmt(cstate, BPF_ST);
3196 s2->s.k = cstate->off_linkpl.reg;
3197 sappend(s, s2);
3198
3199 /*
3200 * If we have a radiotap header, look at it to see whether
3201 * there's Atheros padding between the MAC-layer header
3202 * and the payload.
3203 *
3204 * Note: all of the fields in the radiotap header are
3205 * little-endian, so we byte-swap all of the values
3206 * we test against, as they will be loaded as big-endian
3207 * values.
3208 *
3209 * XXX - in the general case, we would have to scan through
3210 * *all* the presence bits, if there's more than one word of
3211 * presence bits. That would require a loop, meaning that
3212 * we wouldn't be able to run the filter in the kernel.
3213 *
3214 * We assume here that the Atheros adapters that insert the
3215 * annoying padding don't have multiple antennae and therefore
3216 * do not generate radiotap headers with multiple presence words.
3217 */
3218 if (cstate->linktype == DLT_IEEE802_11_RADIO) {
3219 /*
3220 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
3221 * in the first presence flag word?
3222 */
3223 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
3224 s2->s.k = 4;
3225 sappend(s, s2);
3226
3227 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
3228 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
3229 sappend(s, sjset_radiotap_flags_present);
3230
3231 /*
3232 * If not, skip all of this.
3233 */
3234 sjset_radiotap_flags_present->s.jf = snext;
3235
3236 /*
3237 * Otherwise, is the "extension" bit set in that word?
3238 */
3239 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
3240 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
3241 sappend(s, sjset_radiotap_ext_present);
3242 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
3243
3244 /*
3245 * If so, skip all of this.
3246 */
3247 sjset_radiotap_ext_present->s.jt = snext;
3248
3249 /*
3250 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
3251 */
3252 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
3253 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
3254 sappend(s, sjset_radiotap_tsft_present);
3255 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
3256
3257 /*
3258 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
3259 * at an offset of 16 from the beginning of the raw packet
3260 * data (8 bytes for the radiotap header and 8 bytes for
3261 * the TSFT field).
3262 *
3263 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
3264 * is set.
3265 */
3266 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
3267 s2->s.k = 16;
3268 sappend(s, s2);
3269 sjset_radiotap_tsft_present->s.jt = s2;
3270
3271 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
3272 sjset_tsft_datapad->s.k = 0x20;
3273 sappend(s, sjset_tsft_datapad);
3274
3275 /*
3276 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
3277 * at an offset of 8 from the beginning of the raw packet
3278 * data (8 bytes for the radiotap header).
3279 *
3280 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
3281 * is set.
3282 */
3283 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
3284 s2->s.k = 8;
3285 sappend(s, s2);
3286 sjset_radiotap_tsft_present->s.jf = s2;
3287
3288 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
3289 sjset_notsft_datapad->s.k = 0x20;
3290 sappend(s, sjset_notsft_datapad);
3291
3292 /*
3293 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
3294 * set, round the length of the 802.11 header to
3295 * a multiple of 4. Do that by adding 3 and then
3296 * dividing by and multiplying by 4, which we do by
3297 * ANDing with ~3.
3298 */
3299 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
3300 s_roundup->s.k = cstate->off_linkpl.reg;
3301 sappend(s, s_roundup);
3302 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
3303 s2->s.k = 3;
3304 sappend(s, s2);
3305 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
3306 s2->s.k = (bpf_u_int32)~3;
3307 sappend(s, s2);
3308 s2 = new_stmt(cstate, BPF_ST);
3309 s2->s.k = cstate->off_linkpl.reg;
3310 sappend(s, s2);
3311
3312 sjset_tsft_datapad->s.jt = s_roundup;
3313 sjset_tsft_datapad->s.jf = snext;
3314 sjset_notsft_datapad->s.jt = s_roundup;
3315 sjset_notsft_datapad->s.jf = snext;
3316 } else
3317 sjset_qos->s.jf = snext;
3318
3319 return s;
3320 }
3321
3322 static void
3323 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
3324 {
3325 struct slist *s;
3326
3327 /* There is an implicit dependency between the link
3328 * payload and link header since the payload computation
3329 * includes the variable part of the header. Therefore,
3330 * if nobody else has allocated a register for the link
3331 * header and we need it, do it now. */
3332 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
3333 cstate->off_linkhdr.reg == -1)
3334 cstate->off_linkhdr.reg = alloc_reg(cstate);
3335
3336 /*
3337 * For link-layer types that have a variable-length header
3338 * preceding the link-layer header, generate code to load
3339 * the offset of the link-layer header into the register
3340 * assigned to that offset, if any.
3341 *
3342 * XXX - this, and the next switch statement, won't handle
3343 * encapsulation of 802.11 or 802.11+radio information in
3344 * some other protocol stack. That's significantly more
3345 * complicated.
3346 */
3347 switch (cstate->outermostlinktype) {
3348
3349 case DLT_PRISM_HEADER:
3350 s = gen_load_prism_llprefixlen(cstate);
3351 break;
3352
3353 case DLT_IEEE802_11_RADIO_AVS:
3354 s = gen_load_avs_llprefixlen(cstate);
3355 break;
3356
3357 case DLT_IEEE802_11_RADIO:
3358 s = gen_load_radiotap_llprefixlen(cstate);
3359 break;
3360
3361 case DLT_PPI:
3362 s = gen_load_ppi_llprefixlen(cstate);
3363 break;
3364
3365 default:
3366 s = NULL;
3367 break;
3368 }
3369
3370 /*
3371 * For link-layer types that have a variable-length link-layer
3372 * header, generate code to load the offset of the link-layer
3373 * payload into the register assigned to that offset, if any.
3374 */
3375 switch (cstate->outermostlinktype) {
3376
3377 case DLT_IEEE802_11:
3378 case DLT_PRISM_HEADER:
3379 case DLT_IEEE802_11_RADIO_AVS:
3380 case DLT_IEEE802_11_RADIO:
3381 case DLT_PPI:
3382 s = gen_load_802_11_header_len(cstate, s, b->stmts);
3383 break;
3384
3385 case DLT_PFLOG:
3386 s = gen_load_pflog_llprefixlen(cstate);
3387 break;
3388 }
3389
3390 /*
3391 * If there is no initialization yet and we need variable
3392 * length offsets for VLAN, initialize them to zero
3393 */
3394 if (s == NULL && cstate->is_vlan_vloffset) {
3395 struct slist *s2;
3396
3397 if (cstate->off_linkpl.reg == -1)
3398 cstate->off_linkpl.reg = alloc_reg(cstate);
3399 if (cstate->off_linktype.reg == -1)
3400 cstate->off_linktype.reg = alloc_reg(cstate);
3401
3402 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
3403 s->s.k = 0;
3404 s2 = new_stmt(cstate, BPF_ST);
3405 s2->s.k = cstate->off_linkpl.reg;
3406 sappend(s, s2);
3407 s2 = new_stmt(cstate, BPF_ST);
3408 s2->s.k = cstate->off_linktype.reg;
3409 sappend(s, s2);
3410 }
3411
3412 /*
3413 * If we have any offset-loading code, append all the
3414 * existing statements in the block to those statements,
3415 * and make the resulting list the list of statements
3416 * for the block.
3417 */
3418 if (s != NULL) {
3419 sappend(s, b->stmts);
3420 b->stmts = s;
3421 }
3422 }
3423
3424 /*
3425 * Take an absolute offset, and:
3426 *
3427 * if it has no variable part, return NULL;
3428 *
3429 * if it has a variable part, generate code to load the register
3430 * containing that variable part into the X register, returning
3431 * a pointer to that code - if no register for that offset has
3432 * been allocated, allocate it first.
3433 *
3434 * (The code to set that register will be generated later, but will
3435 * be placed earlier in the code sequence.)
3436 */
3437 static struct slist *
3438 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
3439 {
3440 struct slist *s;
3441
3442 if (off->is_variable) {
3443 if (off->reg == -1) {
3444 /*
3445 * We haven't yet assigned a register for the
3446 * variable part of the offset of the link-layer
3447 * header; allocate one.
3448 */
3449 off->reg = alloc_reg(cstate);
3450 }
3451
3452 /*
3453 * Load the register containing the variable part of the
3454 * offset of the link-layer header into the X register.
3455 */
3456 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
3457 s->s.k = off->reg;
3458 return s;
3459 } else {
3460 /*
3461 * That offset isn't variable, there's no variable part,
3462 * so we don't need to generate any code.
3463 */
3464 return NULL;
3465 }
3466 }
3467
3468 /*
3469 * Map an Ethernet type to the equivalent PPP type.
3470 */
3471 static bpf_u_int32
3472 ethertype_to_ppptype(bpf_u_int32 ll_proto)
3473 {
3474 switch (ll_proto) {
3475
3476 case ETHERTYPE_IP:
3477 ll_proto = PPP_IP;
3478 break;
3479
3480 case ETHERTYPE_IPV6:
3481 ll_proto = PPP_IPV6;
3482 break;
3483
3484 case ETHERTYPE_DN:
3485 ll_proto = PPP_DECNET;
3486 break;
3487
3488 case ETHERTYPE_ATALK:
3489 ll_proto = PPP_APPLE;
3490 break;
3491
3492 case ETHERTYPE_NS:
3493 ll_proto = PPP_NS;
3494 break;
3495
3496 case LLCSAP_ISONS:
3497 ll_proto = PPP_OSI;
3498 break;
3499
3500 case LLCSAP_8021D:
3501 /*
3502 * I'm assuming the "Bridging PDU"s that go
3503 * over PPP are Spanning Tree Protocol
3504 * Bridging PDUs.
3505 */
3506 ll_proto = PPP_BRPDU;
3507 break;
3508
3509 case LLCSAP_IPX:
3510 ll_proto = PPP_IPX;
3511 break;
3512 }
3513 return (ll_proto);
3514 }
3515
3516 /*
3517 * Generate any tests that, for encapsulation of a link-layer packet
3518 * inside another protocol stack, need to be done to check for those
3519 * link-layer packets (and that haven't already been done by a check
3520 * for that encapsulation).
3521 */
3522 static struct block *
3523 gen_prevlinkhdr_check(compiler_state_t *cstate)
3524 {
3525 if (cstate->is_encap)
3526 return gen_encap_ll_check(cstate);
3527
3528 switch (cstate->prevlinktype) {
3529
3530 case DLT_SUNATM:
3531 /*
3532 * This is LANE-encapsulated Ethernet; check that the LANE
3533 * packet doesn't begin with an LE Control marker, i.e.
3534 * that it's data, not a control message.
3535 *
3536 * (We've already generated a test for LANE.)
3537 */
3538 return gen_cmp_ne(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3539
3540 default:
3541 /*
3542 * No such tests are necessary.
3543 */
3544 return NULL;
3545 }
3546 /*NOTREACHED*/
3547 }
3548
3549 /*
3550 * The three different values we should check for when checking for an
3551 * IPv6 packet with DLT_NULL.
3552 */
3553 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
3554 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
3555 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */
3556
3557 /*
3558 * Generate code to match a particular packet type by matching the
3559 * link-layer type field or fields in the 802.2 LLC header.
3560 *
3561 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3562 * value, if <= ETHERMTU.
3563 */
3564 static struct block *
3565 gen_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
3566 {
3567 struct block *b0, *b1, *b2;
3568
3569 /* are we checking MPLS-encapsulated packets? */
3570 if (cstate->label_stack_depth > 0)
3571 return gen_mpls_linktype(cstate, ll_proto);
3572
3573 switch (cstate->linktype) {
3574
3575 case DLT_EN10MB:
3576 case DLT_NETANALYZER:
3577 case DLT_NETANALYZER_TRANSPARENT:
3578 /* Geneve has an EtherType regardless of whether there is an
3579 * L2 header. VXLAN always has an EtherType. */
3580 if (!cstate->is_encap)
3581 b0 = gen_prevlinkhdr_check(cstate);
3582 else
3583 b0 = NULL;
3584
3585 b1 = gen_ether_linktype(cstate, ll_proto);
3586 if (b0 != NULL)
3587 gen_and(b0, b1);
3588 return b1;
3589 /*NOTREACHED*/
3590
3591 case DLT_C_HDLC:
3592 case DLT_HDLC:
3593 switch (ll_proto) {
3594
3595 case LLCSAP_ISONS:
3596 ll_proto = (ll_proto << 8 | LLCSAP_ISONS);
3597 /* fall through */
3598
3599 default:
3600 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3601 /*NOTREACHED*/
3602 }
3603
3604 case DLT_IEEE802_11:
3605 case DLT_PRISM_HEADER:
3606 case DLT_IEEE802_11_RADIO_AVS:
3607 case DLT_IEEE802_11_RADIO:
3608 case DLT_PPI:
3609 /*
3610 * Check that we have a data frame.
3611 */
3612 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B,
3613 IEEE80211_FC0_TYPE_DATA,
3614 IEEE80211_FC0_TYPE_MASK);
3615
3616 /*
3617 * Now check for the specified link-layer type.
3618 */
3619 b1 = gen_llc_linktype(cstate, ll_proto);
3620 gen_and(b0, b1);
3621 return b1;
3622 /*NOTREACHED*/
3623
3624 case DLT_FDDI:
3625 /*
3626 * XXX - check for LLC frames.
3627 */
3628 return gen_llc_linktype(cstate, ll_proto);
3629 /*NOTREACHED*/
3630
3631 case DLT_IEEE802:
3632 /*
3633 * XXX - check for LLC PDUs, as per IEEE 802.5.
3634 */
3635 return gen_llc_linktype(cstate, ll_proto);
3636 /*NOTREACHED*/
3637
3638 case DLT_ATM_RFC1483:
3639 case DLT_ATM_CLIP:
3640 case DLT_IP_OVER_FC:
3641 return gen_llc_linktype(cstate, ll_proto);
3642 /*NOTREACHED*/
3643
3644 case DLT_SUNATM:
3645 /*
3646 * Check for an LLC-encapsulated version of this protocol;
3647 * if we were checking for LANE, linktype would no longer
3648 * be DLT_SUNATM.
3649 *
3650 * Check for LLC encapsulation and then check the protocol.
3651 */
3652 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3653 b1 = gen_llc_linktype(cstate, ll_proto);
3654 gen_and(b0, b1);
3655 return b1;
3656 /*NOTREACHED*/
3657
3658 case DLT_LINUX_SLL:
3659 return gen_linux_sll_linktype(cstate, ll_proto);
3660 /*NOTREACHED*/
3661
3662 case DLT_SLIP:
3663 case DLT_SLIP_BSDOS:
3664 case DLT_RAW:
3665 /*
3666 * These types don't provide any type field; packets
3667 * are always IPv4 or IPv6.
3668 *
3669 * XXX - for IPv4, check for a version number of 4, and,
3670 * for IPv6, check for a version number of 6?
3671 */
3672 switch (ll_proto) {
3673
3674 case ETHERTYPE_IP:
3675 /* Check for a version number of 4. */
3676 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3677
3678 case ETHERTYPE_IPV6:
3679 /* Check for a version number of 6. */
3680 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3681
3682 default:
3683 return gen_false(cstate); /* always false */
3684 }
3685 /*NOTREACHED*/
3686
3687 case DLT_IPV4:
3688 /*
3689 * Raw IPv4, so no type field.
3690 */
3691 if (ll_proto == ETHERTYPE_IP)
3692 return gen_true(cstate); /* always true */
3693
3694 /* Checking for something other than IPv4; always false */
3695 return gen_false(cstate);
3696 /*NOTREACHED*/
3697
3698 case DLT_IPV6:
3699 /*
3700 * Raw IPv6, so no type field.
3701 */
3702 if (ll_proto == ETHERTYPE_IPV6)
3703 return gen_true(cstate); /* always true */
3704
3705 /* Checking for something other than IPv6; always false */
3706 return gen_false(cstate);
3707 /*NOTREACHED*/
3708
3709 case DLT_PPP:
3710 case DLT_PPP_PPPD:
3711 case DLT_PPP_SERIAL:
3712 case DLT_PPP_ETHER:
3713 /*
3714 * We use Ethernet protocol types inside libpcap;
3715 * map them to the corresponding PPP protocol types.
3716 */
3717 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3718 ethertype_to_ppptype(ll_proto));
3719 /*NOTREACHED*/
3720
3721 case DLT_PPP_BSDOS:
3722 /*
3723 * We use Ethernet protocol types inside libpcap;
3724 * map them to the corresponding PPP protocol types.
3725 */
3726 switch (ll_proto) {
3727
3728 case ETHERTYPE_IP:
3729 /*
3730 * Also check for Van Jacobson-compressed IP.
3731 * XXX - do this for other forms of PPP?
3732 */
3733 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3734 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3735 gen_or(b0, b1);
3736 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3737 gen_or(b1, b0);
3738 return b0;
3739
3740 default:
3741 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3742 ethertype_to_ppptype(ll_proto));
3743 }
3744 /*NOTREACHED*/
3745
3746 case DLT_NULL:
3747 case DLT_LOOP:
3748 case DLT_ENC:
3749 switch (ll_proto) {
3750
3751 case ETHERTYPE_IP:
3752 return (gen_loopback_linktype(cstate, AF_INET));
3753
3754 case ETHERTYPE_IPV6:
3755 /*
3756 * AF_ values may, unfortunately, be platform-
3757 * dependent; AF_INET isn't, because everybody
3758 * used 4.2BSD's value, but AF_INET6 is, because
3759 * 4.2BSD didn't have a value for it (given that
3760 * IPv6 didn't exist back in the early 1980's),
3761 * and they all picked their own values.
3762 *
3763 * This means that, if we're reading from a
3764 * savefile, we need to check for all the
3765 * possible values.
3766 *
3767 * If we're doing a live capture, we only need
3768 * to check for this platform's value; however,
3769 * Npcap uses 24, which isn't Windows's AF_INET6
3770 * value. (Given the multiple different values,
3771 * programs that read pcap files shouldn't be
3772 * checking for their platform's AF_INET6 value
3773 * anyway, they should check for all of the
3774 * possible values. and they might as well do
3775 * that even for live captures.)
3776 */
3777 if (cstate->bpf_pcap->rfile != NULL) {
3778 /*
3779 * Savefile - check for all three
3780 * possible IPv6 values.
3781 */
3782 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3783 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3784 gen_or(b0, b1);
3785 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3786 gen_or(b0, b1);
3787 return (b1);
3788 } else {
3789 /*
3790 * Live capture, so we only need to
3791 * check for the value used on this
3792 * platform.
3793 */
3794 #ifdef _WIN32
3795 /*
3796 * Npcap doesn't use Windows's AF_INET6,
3797 * as that collides with AF_IPX on
3798 * some BSDs (both have the value 23).
3799 * Instead, it uses 24.
3800 */
3801 return (gen_loopback_linktype(cstate, 24));
3802 #else /* _WIN32 */
3803 #ifdef AF_INET6
3804 return (gen_loopback_linktype(cstate, AF_INET6));
3805 #else /* AF_INET6 */
3806 /*
3807 * I guess this platform doesn't support
3808 * IPv6, so we just reject all packets.
3809 */
3810 return gen_false(cstate);
3811 #endif /* AF_INET6 */
3812 #endif /* _WIN32 */
3813 }
3814
3815 default:
3816 /*
3817 * Not a type on which we support filtering.
3818 * XXX - support those that have AF_ values
3819 * #defined on this platform, at least?
3820 */
3821 return gen_false(cstate);
3822 }
3823
3824 case DLT_PFLOG:
3825 /*
3826 * af field is host byte order in contrast to the rest of
3827 * the packet.
3828 */
3829 if (ll_proto == ETHERTYPE_IP)
3830 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3831 BPF_B, AF_INET));
3832 else if (ll_proto == ETHERTYPE_IPV6)
3833 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3834 BPF_B, AF_INET6));
3835 else
3836 return gen_false(cstate);
3837 /*NOTREACHED*/
3838
3839 case DLT_ARCNET:
3840 case DLT_ARCNET_LINUX:
3841 /*
3842 * XXX should we check for first fragment if the protocol
3843 * uses PHDS?
3844 */
3845 switch (ll_proto) {
3846
3847 default:
3848 return gen_false(cstate);
3849
3850 case ETHERTYPE_IPV6:
3851 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3852 ARCTYPE_INET6));
3853
3854 case ETHERTYPE_IP:
3855 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3856 ARCTYPE_IP);
3857 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3858 ARCTYPE_IP_OLD);
3859 gen_or(b0, b1);
3860 return (b1);
3861
3862 case ETHERTYPE_ARP:
3863 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3864 ARCTYPE_ARP);
3865 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3866 ARCTYPE_ARP_OLD);
3867 gen_or(b0, b1);
3868 return (b1);
3869
3870 case ETHERTYPE_REVARP:
3871 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3872 ARCTYPE_REVARP));
3873
3874 case ETHERTYPE_ATALK:
3875 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3876 ARCTYPE_ATALK));
3877 }
3878 /*NOTREACHED*/
3879
3880 case DLT_LTALK:
3881 switch (ll_proto) {
3882 case ETHERTYPE_ATALK:
3883 return gen_true(cstate);
3884 default:
3885 return gen_false(cstate);
3886 }
3887 /*NOTREACHED*/
3888
3889 case DLT_FRELAY:
3890 /*
3891 * XXX - assumes a 2-byte Frame Relay header with
3892 * DLCI and flags. What if the address is longer?
3893 */
3894 switch (ll_proto) {
3895
3896 case ETHERTYPE_IP:
3897 /*
3898 * Check for the special NLPID for IP.
3899 */
3900 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3901
3902 case ETHERTYPE_IPV6:
3903 /*
3904 * Check for the special NLPID for IPv6.
3905 */
3906 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3907
3908 case LLCSAP_ISONS:
3909 /*
3910 * Check for several OSI protocols.
3911 *
3912 * Frame Relay packets typically have an OSI
3913 * NLPID at the beginning; we check for each
3914 * of them.
3915 *
3916 * What we check for is the NLPID and a frame
3917 * control field of UI, i.e. 0x03 followed
3918 * by the NLPID.
3919 */
3920 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3921 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3922 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3923 gen_or(b1, b2);
3924 gen_or(b0, b2);
3925 return b2;
3926
3927 default:
3928 return gen_false(cstate);
3929 }
3930 /*NOTREACHED*/
3931
3932 case DLT_MFR:
3933 break; // not implemented
3934
3935 case DLT_JUNIPER_MFR:
3936 case DLT_JUNIPER_MLFR:
3937 case DLT_JUNIPER_MLPPP:
3938 case DLT_JUNIPER_ATM1:
3939 case DLT_JUNIPER_ATM2:
3940 case DLT_JUNIPER_PPPOE:
3941 case DLT_JUNIPER_PPPOE_ATM:
3942 case DLT_JUNIPER_GGSN:
3943 case DLT_JUNIPER_ES:
3944 case DLT_JUNIPER_MONITOR:
3945 case DLT_JUNIPER_SERVICES:
3946 case DLT_JUNIPER_ETHER:
3947 case DLT_JUNIPER_PPP:
3948 case DLT_JUNIPER_FRELAY:
3949 case DLT_JUNIPER_CHDLC:
3950 case DLT_JUNIPER_VP:
3951 case DLT_JUNIPER_ST:
3952 case DLT_JUNIPER_ISM:
3953 case DLT_JUNIPER_VS:
3954 case DLT_JUNIPER_SRX_E2E:
3955 case DLT_JUNIPER_FIBRECHANNEL:
3956 case DLT_JUNIPER_ATM_CEMIC:
3957
3958 /* just lets verify the magic number for now -
3959 * on ATM we may have up to 6 different encapsulations on the wire
3960 * and need a lot of heuristics to figure out that the payload
3961 * might be;
3962 *
3963 * FIXME encapsulation specific BPF_ filters
3964 */
3965 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3966
3967 case DLT_BACNET_MS_TP:
3968 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3969
3970 case DLT_IPNET:
3971 return gen_ipnet_linktype(cstate, ll_proto);
3972
3973 case DLT_LINUX_IRDA:
3974 case DLT_DOCSIS:
3975 case DLT_MTP2:
3976 case DLT_MTP2_WITH_PHDR:
3977 case DLT_ERF:
3978 case DLT_PFSYNC:
3979 case DLT_LINUX_LAPD:
3980 case DLT_USB_FREEBSD:
3981 case DLT_USB_LINUX:
3982 case DLT_USB_LINUX_MMAPPED:
3983 case DLT_USBPCAP:
3984 case DLT_BLUETOOTH_HCI_H4:
3985 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3986 case DLT_CAN20B:
3987 case DLT_CAN_SOCKETCAN:
3988 case DLT_IEEE802_15_4:
3989 case DLT_IEEE802_15_4_LINUX:
3990 case DLT_IEEE802_15_4_NONASK_PHY:
3991 case DLT_IEEE802_15_4_NOFCS:
3992 case DLT_IEEE802_15_4_TAP:
3993 case DLT_IEEE802_16_MAC_CPS_RADIO:
3994 case DLT_SITA:
3995 case DLT_RAIF1:
3996 case DLT_IPMB_KONTRON:
3997 case DLT_I2C_LINUX:
3998 case DLT_AX25_KISS:
3999 case DLT_NFLOG:
4000 /* Using the fixed-size NFLOG header it is possible to tell only
4001 * the address family of the packet, other meaningful data is
4002 * either missing or behind TLVs.
4003 */
4004 break; // not implemented
4005
4006 default:
4007 /*
4008 * Does this link-layer header type have a field
4009 * indicating the type of the next protocol? If
4010 * so, off_linktype.constant_part will be the offset of that
4011 * field in the packet; if not, it will be OFFSET_NOT_SET.
4012 */
4013 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
4014 /*
4015 * Yes; assume it's an Ethernet type. (If
4016 * it's not, it needs to be handled specially
4017 * above.)
4018 */
4019 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
4020 /*NOTREACHED */
4021 }
4022 }
4023 bpf_error(cstate, "link-layer type filtering not implemented for %s",
4024 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
4025 }
4026
4027 /*
4028 * Check for an LLC SNAP packet with a given organization code and
4029 * protocol type; we check the entire contents of the 802.2 LLC and
4030 * snap headers, checking for DSAP and SSAP of SNAP and a control
4031 * field of 0x03 in the LLC header, and for the specified organization
4032 * code and protocol type in the SNAP header.
4033 */
4034 static struct block *
4035 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
4036 {
4037 u_char snapblock[8];
4038
4039 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
4040 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
4041 snapblock[2] = 0x03; /* control = UI */
4042 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */
4043 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */
4044 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */
4045 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */
4046 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */
4047 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
4048 }
4049
4050 /*
4051 * Generate code to match frames with an LLC header.
4052 */
4053 static struct block *
4054 gen_llc_internal(compiler_state_t *cstate)
4055 {
4056 struct block *b0, *b1;
4057
4058 switch (cstate->linktype) {
4059
4060 case DLT_EN10MB:
4061 /*
4062 * We check for an Ethernet type field less or equal than
4063 * 1500, which means it's an 802.3 length field.
4064 */
4065 b0 = gen_cmp_le(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
4066
4067 /*
4068 * Now check for the purported DSAP and SSAP not being
4069 * 0xFF, to rule out NetWare-over-802.3.
4070 */
4071 b1 = gen_cmp_ne(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
4072 gen_and(b0, b1);
4073 return b1;
4074
4075 case DLT_SUNATM:
4076 /*
4077 * We check for LLC traffic.
4078 */
4079 b0 = gen_atmtype_llc(cstate);
4080 return b0;
4081
4082 case DLT_IEEE802: /* Token Ring */
4083 /*
4084 * XXX - check for LLC frames.
4085 */
4086 return gen_true(cstate);
4087
4088 case DLT_FDDI:
4089 /*
4090 * XXX - check for LLC frames.
4091 */
4092 return gen_true(cstate);
4093
4094 case DLT_ATM_RFC1483:
4095 /*
4096 * For LLC encapsulation, these are defined to have an
4097 * 802.2 LLC header.
4098 *
4099 * For VC encapsulation, they don't, but there's no
4100 * way to check for that; the protocol used on the VC
4101 * is negotiated out of band.
4102 */
4103 return gen_true(cstate);
4104
4105 case DLT_IEEE802_11:
4106 case DLT_PRISM_HEADER:
4107 case DLT_IEEE802_11_RADIO:
4108 case DLT_IEEE802_11_RADIO_AVS:
4109 case DLT_PPI:
4110 /*
4111 * Check that we have a data frame.
4112 */
4113 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B,
4114 IEEE80211_FC0_TYPE_DATA,
4115 IEEE80211_FC0_TYPE_MASK);
4116
4117 default:
4118 fail_kw_on_dlt(cstate, "llc");
4119 /*NOTREACHED*/
4120 }
4121 }
4122
4123 struct block *
4124 gen_llc(compiler_state_t *cstate)
4125 {
4126 /*
4127 * Catch errors reported by us and routines below us, and return NULL
4128 * on an error.
4129 */
4130 if (setjmp(cstate->top_ctx))
4131 return (NULL);
4132
4133 return gen_llc_internal(cstate);
4134 }
4135
4136 struct block *
4137 gen_llc_i(compiler_state_t *cstate)
4138 {
4139 struct block *b0, *b1;
4140 struct slist *s;
4141
4142 /*
4143 * Catch errors reported by us and routines below us, and return NULL
4144 * on an error.
4145 */
4146 if (setjmp(cstate->top_ctx))
4147 return (NULL);
4148
4149 /*
4150 * Check whether this is an LLC frame.
4151 */
4152 b0 = gen_llc_internal(cstate);
4153
4154 /*
4155 * Load the control byte and test the low-order bit; it must
4156 * be clear for I frames.
4157 */
4158 s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
4159 b1 = new_block(cstate, JMP(BPF_JSET));
4160 b1->s.k = 0x01;
4161 b1->stmts = s;
4162 gen_not(b1);
4163 gen_and(b0, b1);
4164 return b1;
4165 }
4166
4167 struct block *
4168 gen_llc_s(compiler_state_t *cstate)
4169 {
4170 struct block *b0, *b1;
4171
4172 /*
4173 * Catch errors reported by us and routines below us, and return NULL
4174 * on an error.
4175 */
4176 if (setjmp(cstate->top_ctx))
4177 return (NULL);
4178
4179 /*
4180 * Check whether this is an LLC frame.
4181 */
4182 b0 = gen_llc_internal(cstate);
4183
4184 /*
4185 * Now compare the low-order 2 bit of the control byte against
4186 * the appropriate value for S frames.
4187 */
4188 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
4189 gen_and(b0, b1);
4190 return b1;
4191 }
4192
4193 struct block *
4194 gen_llc_u(compiler_state_t *cstate)
4195 {
4196 struct block *b0, *b1;
4197
4198 /*
4199 * Catch errors reported by us and routines below us, and return NULL
4200 * on an error.
4201 */
4202 if (setjmp(cstate->top_ctx))
4203 return (NULL);
4204
4205 /*
4206 * Check whether this is an LLC frame.
4207 */
4208 b0 = gen_llc_internal(cstate);
4209
4210 /*
4211 * Now compare the low-order 2 bit of the control byte against
4212 * the appropriate value for U frames.
4213 */
4214 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
4215 gen_and(b0, b1);
4216 return b1;
4217 }
4218
4219 struct block *
4220 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
4221 {
4222 struct block *b0, *b1;
4223
4224 /*
4225 * Catch errors reported by us and routines below us, and return NULL
4226 * on an error.
4227 */
4228 if (setjmp(cstate->top_ctx))
4229 return (NULL);
4230
4231 /*
4232 * Check whether this is an LLC frame.
4233 */
4234 b0 = gen_llc_internal(cstate);
4235
4236 /*
4237 * Now check for an S frame with the appropriate type.
4238 */
4239 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
4240 gen_and(b0, b1);
4241 return b1;
4242 }
4243
4244 struct block *
4245 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
4246 {
4247 struct block *b0, *b1;
4248
4249 /*
4250 * Catch errors reported by us and routines below us, and return NULL
4251 * on an error.
4252 */
4253 if (setjmp(cstate->top_ctx))
4254 return (NULL);
4255
4256 /*
4257 * Check whether this is an LLC frame.
4258 */
4259 b0 = gen_llc_internal(cstate);
4260
4261 /*
4262 * Now check for a U frame with the appropriate type.
4263 */
4264 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
4265 gen_and(b0, b1);
4266 return b1;
4267 }
4268
4269 /*
4270 * Generate code to match a particular packet type, for link-layer types
4271 * using 802.2 LLC headers.
4272 *
4273 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
4274 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
4275 *
4276 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
4277 * value, if <= ETHERMTU. We use that to determine whether to
4278 * match the DSAP or both DSAP and LSAP or to check the OUI and
4279 * protocol ID in a SNAP header.
4280 */
4281 static struct block *
4282 gen_llc_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
4283 {
4284 /*
4285 * XXX - handle token-ring variable-length header.
4286 */
4287 switch (ll_proto) {
4288
4289 case LLCSAP_IP:
4290 case LLCSAP_ISONS:
4291 case LLCSAP_NETBEUI:
4292 /*
4293 * XXX - should we check both the DSAP and the
4294 * SSAP, like this, or should we check just the
4295 * DSAP, as we do for other SAP values?
4296 */
4297 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
4298 ((ll_proto << 8) | ll_proto));
4299
4300 case LLCSAP_IPX:
4301 /*
4302 * XXX - are there ever SNAP frames for IPX on
4303 * non-Ethernet 802.x networks?
4304 */
4305 return gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
4306
4307 case ETHERTYPE_ATALK:
4308 /*
4309 * 802.2-encapsulated ETHERTYPE_ATALK packets are
4310 * SNAP packets with an organization code of
4311 * 0x080007 (Apple, for Appletalk) and a protocol
4312 * type of ETHERTYPE_ATALK (Appletalk).
4313 *
4314 * XXX - check for an organization code of
4315 * encapsulated Ethernet as well?
4316 */
4317 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
4318
4319 default:
4320 /*
4321 * XXX - we don't have to check for IPX 802.3
4322 * here, but should we check for the IPX Ethertype?
4323 */
4324 if (ll_proto <= ETHERMTU) {
4325 /*
4326 * This is an LLC SAP value, so check
4327 * the DSAP.
4328 */
4329 return gen_cmp(cstate, OR_LLC, 0, BPF_B, ll_proto);
4330 } else {
4331 /*
4332 * This is an Ethernet type; we assume that it's
4333 * unlikely that it'll appear in the right place
4334 * at random, and therefore check only the
4335 * location that would hold the Ethernet type
4336 * in a SNAP frame with an organization code of
4337 * 0x000000 (encapsulated Ethernet).
4338 *
4339 * XXX - if we were to check for the SNAP DSAP and
4340 * LSAP, as per XXX, and were also to check for an
4341 * organization code of 0x000000 (encapsulated
4342 * Ethernet), we'd do
4343 *
4344 * return gen_snap(cstate, 0x000000, ll_proto);
4345 *
4346 * here; for now, we don't, as per the above.
4347 * I don't know whether it's worth the extra CPU
4348 * time to do the right check or not.
4349 */
4350 return gen_cmp(cstate, OR_LLC, 6, BPF_H, ll_proto);
4351 }
4352 }
4353 }
4354
4355 static struct block *
4356 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4357 int dir, u_int src_off, u_int dst_off)
4358 {
4359 struct block *b0, *b1;
4360 u_int offset;
4361
4362 switch (dir) {
4363
4364 case Q_SRC:
4365 offset = src_off;
4366 break;
4367
4368 case Q_DST:
4369 offset = dst_off;
4370 break;
4371
4372 case Q_AND:
4373 b0 = gen_hostop(cstate, addr, mask, Q_SRC, src_off, dst_off);
4374 b1 = gen_hostop(cstate, addr, mask, Q_DST, src_off, dst_off);
4375 gen_and(b0, b1);
4376 return b1;
4377
4378 case Q_DEFAULT:
4379 case Q_OR:
4380 b0 = gen_hostop(cstate, addr, mask, Q_SRC, src_off, dst_off);
4381 b1 = gen_hostop(cstate, addr, mask, Q_DST, src_off, dst_off);
4382 gen_or(b0, b1);
4383 return b1;
4384
4385 case Q_ADDR1:
4386 case Q_ADDR2:
4387 case Q_ADDR3:
4388 case Q_ADDR4:
4389 case Q_RA:
4390 case Q_TA:
4391 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
4392 /*NOTREACHED*/
4393
4394 default:
4395 abort();
4396 /*NOTREACHED*/
4397 }
4398 return gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, addr, mask);
4399 }
4400
4401 #ifdef INET6
4402 static struct block *
4403 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
4404 struct in6_addr *mask, int dir, u_int src_off, u_int dst_off)
4405 {
4406 struct block *b0, *b1;
4407 u_int offset;
4408 /*
4409 * Code below needs to access four separate 32-bit parts of the 128-bit
4410 * IPv6 address and mask. In some OSes this is as simple as using the
4411 * s6_addr32 pseudo-member of struct in6_addr, which contains a union of
4412 * 8-, 16- and 32-bit arrays. In other OSes this is not the case, as
4413 * far as libpcap sees it. Hence copy the data before use to avoid
4414 * potential unaligned memory access and the associated compiler
4415 * warnings (whether genuine or not).
4416 */
4417 bpf_u_int32 a[4], m[4];
4418
4419 switch (dir) {
4420
4421 case Q_SRC:
4422 offset = src_off;
4423 break;
4424
4425 case Q_DST:
4426 offset = dst_off;
4427 break;
4428
4429 case Q_AND:
4430 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, src_off, dst_off);
4431 b1 = gen_hostop6(cstate, addr, mask, Q_DST, src_off, dst_off);
4432 gen_and(b0, b1);
4433 return b1;
4434
4435 case Q_DEFAULT:
4436 case Q_OR:
4437 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, src_off, dst_off);
4438 b1 = gen_hostop6(cstate, addr, mask, Q_DST, src_off, dst_off);
4439 gen_or(b0, b1);
4440 return b1;
4441
4442 case Q_ADDR1:
4443 case Q_ADDR2:
4444 case Q_ADDR3:
4445 case Q_ADDR4:
4446 case Q_RA:
4447 case Q_TA:
4448 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
4449 /*NOTREACHED*/
4450
4451 default:
4452 abort();
4453 /*NOTREACHED*/
4454 }
4455 /* this order is important */
4456 memcpy(a, addr, sizeof(a));
4457 memcpy(m, mask, sizeof(m));
4458 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
4459 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
4460 gen_and(b0, b1);
4461 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
4462 gen_and(b0, b1);
4463 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
4464 gen_and(b0, b1);
4465 return b1;
4466 }
4467 #endif
4468
4469 static struct block *
4470 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4471 {
4472 register struct block *b0, *b1;
4473
4474 switch (dir) {
4475 case Q_SRC:
4476 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
4477
4478 case Q_DST:
4479 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
4480
4481 case Q_AND:
4482 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4483 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4484 gen_and(b0, b1);
4485 return b1;
4486
4487 case Q_DEFAULT:
4488 case Q_OR:
4489 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4490 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4491 gen_or(b0, b1);
4492 return b1;
4493
4494 case Q_ADDR1:
4495 case Q_ADDR2:
4496 case Q_ADDR3:
4497 case Q_ADDR4:
4498 case Q_RA:
4499 case Q_TA:
4500 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
4501 /*NOTREACHED*/
4502 }
4503 abort();
4504 /*NOTREACHED*/
4505 }
4506
4507 /*
4508 * Like gen_ehostop, but for DLT_FDDI
4509 */
4510 static struct block *
4511 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4512 {
4513 struct block *b0, *b1;
4514
4515 switch (dir) {
4516 case Q_SRC:
4517 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
4518
4519 case Q_DST:
4520 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4521
4522 case Q_AND:
4523 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4524 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4525 gen_and(b0, b1);
4526 return b1;
4527
4528 case Q_DEFAULT:
4529 case Q_OR:
4530 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4531 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4532 gen_or(b0, b1);
4533 return b1;
4534
4535 case Q_ADDR1:
4536 case Q_ADDR2:
4537 case Q_ADDR3:
4538 case Q_ADDR4:
4539 case Q_RA:
4540 case Q_TA:
4541 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
4542 /*NOTREACHED*/
4543 }
4544 abort();
4545 /*NOTREACHED*/
4546 }
4547
4548 /*
4549 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4550 */
4551 static struct block *
4552 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4553 {
4554 register struct block *b0, *b1;
4555
4556 switch (dir) {
4557 case Q_SRC:
4558 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4559
4560 case Q_DST:
4561 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4562
4563 case Q_AND:
4564 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4565 b1 = gen_thostop(cstate, eaddr, Q_DST);
4566 gen_and(b0, b1);
4567 return b1;
4568
4569 case Q_DEFAULT:
4570 case Q_OR:
4571 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4572 b1 = gen_thostop(cstate, eaddr, Q_DST);
4573 gen_or(b0, b1);
4574 return b1;
4575
4576 case Q_ADDR1:
4577 case Q_ADDR2:
4578 case Q_ADDR3:
4579 case Q_ADDR4:
4580 case Q_RA:
4581 case Q_TA:
4582 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
4583 /*NOTREACHED*/
4584 }
4585 abort();
4586 /*NOTREACHED*/
4587 }
4588
4589 /*
4590 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4591 * various 802.11 + radio headers.
4592 */
4593 static struct block *
4594 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4595 {
4596 register struct block *b0, *b1, *b2;
4597 register struct slist *s;
4598
4599 #ifdef ENABLE_WLAN_FILTERING_PATCH
4600 /*
4601 * TODO GV 20070613
4602 * We need to disable the optimizer because the optimizer is buggy
4603 * and wipes out some LD instructions generated by the below
4604 * code to validate the Frame Control bits
4605 */
4606 cstate->no_optimize = 1;
4607 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4608
4609 switch (dir) {
4610 case Q_SRC:
4611 /*
4612 * Oh, yuk.
4613 *
4614 * For control frames, there is no SA.
4615 *
4616 * For management frames, SA is at an
4617 * offset of 10 from the beginning of
4618 * the packet.
4619 *
4620 * For data frames, SA is at an offset
4621 * of 10 from the beginning of the packet
4622 * if From DS is clear, at an offset of
4623 * 16 from the beginning of the packet
4624 * if From DS is set and To DS is clear,
4625 * and an offset of 24 from the beginning
4626 * of the packet if From DS is set and To DS
4627 * is set.
4628 */
4629
4630 /*
4631 * Generate the tests to be done for data frames
4632 * with From DS set.
4633 *
4634 * First, check for To DS set, i.e. check "link[1] & 0x01".
4635 */
4636 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4637 b1 = gen_set(cstate, IEEE80211_FC1_DIR_TODS, s);
4638
4639 /*
4640 * If To DS is set, the SA is at 24.
4641 */
4642 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4643 gen_and(b1, b0);
4644
4645 /*
4646 * Now, check for To DS not set, i.e. check
4647 * "!(link[1] & 0x01)".
4648 */
4649 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4650 b2 = new_block(cstate, JMP(BPF_JSET));
4651 b2->s.k = 0x01; /* To DS */
4652 b2->stmts = s;
4653 gen_not(b2);
4654
4655 /*
4656 * If To DS is not set, the SA is at 16.
4657 */
4658 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4659 gen_and(b2, b1);
4660
4661 /*
4662 * Now OR together the last two checks. That gives
4663 * the complete set of checks for data frames with
4664 * From DS set.
4665 */
4666 gen_or(b1, b0);
4667
4668 /*
4669 * Now check for From DS being set, and AND that with
4670 * the ORed-together checks.
4671 */
4672 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4673 b1 = gen_set(cstate, IEEE80211_FC1_DIR_FROMDS, s);
4674 gen_and(b1, b0);
4675
4676 /*
4677 * Now check for data frames with From DS not set.
4678 */
4679 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4680 b2 = new_block(cstate, JMP(BPF_JSET));
4681 b2->s.k = 0x02; /* From DS */
4682 b2->stmts = s;
4683 gen_not(b2);
4684
4685 /*
4686 * If From DS isn't set, the SA is at 10.
4687 */
4688 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4689 gen_and(b2, b1);
4690
4691 /*
4692 * Now OR together the checks for data frames with
4693 * From DS not set and for data frames with From DS
4694 * set; that gives the checks done for data frames.
4695 */
4696 gen_or(b1, b0);
4697
4698 /*
4699 * Now check for a data frame.
4700 * I.e, check "link[0] & 0x08".
4701 */
4702 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4703 b1 = gen_set(cstate, IEEE80211_FC0_TYPE_DATA, s);
4704
4705 /*
4706 * AND that with the checks done for data frames.
4707 */
4708 gen_and(b1, b0);
4709
4710 /*
4711 * If the high-order bit of the type value is 0, this
4712 * is a management frame.
4713 * I.e, check "!(link[0] & 0x08)".
4714 */
4715 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4716 b2 = new_block(cstate, JMP(BPF_JSET));
4717 b2->s.k = 0x08;
4718 b2->stmts = s;
4719 gen_not(b2);
4720
4721 /*
4722 * For management frames, the SA is at 10.
4723 */
4724 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4725 gen_and(b2, b1);
4726
4727 /*
4728 * OR that with the checks done for data frames.
4729 * That gives the checks done for management and
4730 * data frames.
4731 */
4732 gen_or(b1, b0);
4733
4734 /*
4735 * If the low-order bit of the type value is 1,
4736 * this is either a control frame or a frame
4737 * with a reserved type, and thus not a
4738 * frame with an SA.
4739 *
4740 * I.e., check "!(link[0] & 0x04)".
4741 */
4742 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4743 b1 = new_block(cstate, JMP(BPF_JSET));
4744 b1->s.k = 0x04;
4745 b1->stmts = s;
4746 gen_not(b1);
4747
4748 /*
4749 * AND that with the checks for data and management
4750 * frames.
4751 */
4752 gen_and(b1, b0);
4753 return b0;
4754
4755 case Q_DST:
4756 /*
4757 * Oh, yuk.
4758 *
4759 * For control frames, there is no DA.
4760 *
4761 * For management frames, DA is at an
4762 * offset of 4 from the beginning of
4763 * the packet.
4764 *
4765 * For data frames, DA is at an offset
4766 * of 4 from the beginning of the packet
4767 * if To DS is clear and at an offset of
4768 * 16 from the beginning of the packet
4769 * if To DS is set.
4770 */
4771
4772 /*
4773 * Generate the tests to be done for data frames.
4774 *
4775 * First, check for To DS set, i.e. "link[1] & 0x01".
4776 */
4777 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4778 b1 = gen_set(cstate, IEEE80211_FC1_DIR_TODS, s);
4779
4780 /*
4781 * If To DS is set, the DA is at 16.
4782 */
4783 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4784 gen_and(b1, b0);
4785
4786 /*
4787 * Now, check for To DS not set, i.e. check
4788 * "!(link[1] & 0x01)".
4789 */
4790 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4791 b2 = new_block(cstate, JMP(BPF_JSET));
4792 b2->s.k = 0x01; /* To DS */
4793 b2->stmts = s;
4794 gen_not(b2);
4795
4796 /*
4797 * If To DS is not set, the DA is at 4.
4798 */
4799 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4800 gen_and(b2, b1);
4801
4802 /*
4803 * Now OR together the last two checks. That gives
4804 * the complete set of checks for data frames.
4805 */
4806 gen_or(b1, b0);
4807
4808 /*
4809 * Now check for a data frame.
4810 * I.e, check "link[0] & 0x08".
4811 */
4812 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4813 b1 = gen_set(cstate, IEEE80211_FC0_TYPE_DATA, s);
4814
4815 /*
4816 * AND that with the checks done for data frames.
4817 */
4818 gen_and(b1, b0);
4819
4820 /*
4821 * If the high-order bit of the type value is 0, this
4822 * is a management frame.
4823 * I.e, check "!(link[0] & 0x08)".
4824 */
4825 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4826 b2 = new_block(cstate, JMP(BPF_JSET));
4827 b2->s.k = 0x08;
4828 b2->stmts = s;
4829 gen_not(b2);
4830
4831 /*
4832 * For management frames, the DA is at 4.
4833 */
4834 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4835 gen_and(b2, b1);
4836
4837 /*
4838 * OR that with the checks done for data frames.
4839 * That gives the checks done for management and
4840 * data frames.
4841 */
4842 gen_or(b1, b0);
4843
4844 /*
4845 * If the low-order bit of the type value is 1,
4846 * this is either a control frame or a frame
4847 * with a reserved type, and thus not a
4848 * frame with an SA.
4849 *
4850 * I.e., check "!(link[0] & 0x04)".
4851 */
4852 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4853 b1 = new_block(cstate, JMP(BPF_JSET));
4854 b1->s.k = 0x04;
4855 b1->stmts = s;
4856 gen_not(b1);
4857
4858 /*
4859 * AND that with the checks for data and management
4860 * frames.
4861 */
4862 gen_and(b1, b0);
4863 return b0;
4864
4865 case Q_AND:
4866 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4867 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4868 gen_and(b0, b1);
4869 return b1;
4870
4871 case Q_DEFAULT:
4872 case Q_OR:
4873 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4874 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4875 gen_or(b0, b1);
4876 return b1;
4877
4878 /*
4879 * XXX - add BSSID keyword?
4880 */
4881 case Q_ADDR1:
4882 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4883
4884 case Q_ADDR2:
4885 /*
4886 * Not present in CTS or ACK control frames.
4887 */
4888 b0 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4889 IEEE80211_FC0_TYPE_MASK);
4890 b1 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4891 IEEE80211_FC0_SUBTYPE_MASK);
4892 b2 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4893 IEEE80211_FC0_SUBTYPE_MASK);
4894 gen_and(b1, b2);
4895 gen_or(b0, b2);
4896 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4897 gen_and(b2, b1);
4898 return b1;
4899
4900 case Q_ADDR3:
4901 /*
4902 * Not present in control frames.
4903 */
4904 b0 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4905 IEEE80211_FC0_TYPE_MASK);
4906 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4907 gen_and(b0, b1);
4908 return b1;
4909
4910 case Q_ADDR4:
4911 /*
4912 * Present only if the direction mask has both "From DS"
4913 * and "To DS" set. Neither control frames nor management
4914 * frames should have both of those set, so we don't
4915 * check the frame type.
4916 */
4917 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4918 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4919 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4920 gen_and(b0, b1);
4921 return b1;
4922
4923 case Q_RA:
4924 /*
4925 * Not present in management frames; addr1 in other
4926 * frames.
4927 */
4928
4929 /*
4930 * If the high-order bit of the type value is 0, this
4931 * is a management frame.
4932 * I.e, check "(link[0] & 0x08)".
4933 */
4934 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4935 b1 = gen_set(cstate, IEEE80211_FC0_TYPE_DATA, s);
4936
4937 /*
4938 * Check addr1.
4939 */
4940 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4941
4942 /*
4943 * AND that with the check of addr1.
4944 */
4945 gen_and(b1, b0);
4946 return (b0);
4947
4948 case Q_TA:
4949 /*
4950 * Not present in management frames; addr2, if present,
4951 * in other frames.
4952 */
4953
4954 /*
4955 * Not present in CTS or ACK control frames.
4956 */
4957 b0 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4958 IEEE80211_FC0_TYPE_MASK);
4959 b1 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4960 IEEE80211_FC0_SUBTYPE_MASK);
4961 b2 = gen_mcmp_ne(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4962 IEEE80211_FC0_SUBTYPE_MASK);
4963 gen_and(b1, b2);
4964 gen_or(b0, b2);
4965
4966 /*
4967 * If the high-order bit of the type value is 0, this
4968 * is a management frame.
4969 * I.e, check "(link[0] & 0x08)".
4970 */
4971 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4972 b1 = gen_set(cstate, IEEE80211_FC0_TYPE_DATA, s);
4973
4974 /*
4975 * AND that with the check for frames other than
4976 * CTS and ACK frames.
4977 */
4978 gen_and(b1, b2);
4979
4980 /*
4981 * Check addr2.
4982 */
4983 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4984 gen_and(b2, b1);
4985 return b1;
4986 }
4987 abort();
4988 /*NOTREACHED*/
4989 }
4990
4991 /*
4992 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4993 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4994 * as the RFC states.)
4995 */
4996 static struct block *
4997 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4998 {
4999 register struct block *b0, *b1;
5000
5001 switch (dir) {
5002 case Q_SRC:
5003 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
5004
5005 case Q_DST:
5006 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
5007
5008 case Q_AND:
5009 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
5010 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
5011 gen_and(b0, b1);
5012 return b1;
5013
5014 case Q_DEFAULT:
5015 case Q_OR:
5016 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
5017 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
5018 gen_or(b0, b1);
5019 return b1;
5020
5021 case Q_ADDR1:
5022 case Q_ADDR2:
5023 case Q_ADDR3:
5024 case Q_ADDR4:
5025 case Q_RA:
5026 case Q_TA:
5027 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
5028 /*NOTREACHED*/
5029 }
5030 abort();
5031 /*NOTREACHED*/
5032 }
5033
5034 /*
5035 * This is quite tricky because there may be pad bytes in front of the
5036 * DECNET header, and then there are two possible data packet formats that
5037 * carry both src and dst addresses, plus 5 packet types in a format that
5038 * carries only the src node, plus 2 types that use a different format and
5039 * also carry just the src node.
5040 *
5041 * Yuck.
5042 *
5043 * Instead of doing those all right, we just look for data packets with
5044 * 0 or 1 bytes of padding. If you want to look at other packets, that
5045 * will require a lot more hacking.
5046 *
5047 * To add support for filtering on DECNET "areas" (network numbers)
5048 * one would want to add a "mask" argument to this routine. That would
5049 * make the filter even more inefficient, although one could be clever
5050 * and not generate masking instructions if the mask is 0xFFFF.
5051 */
5052 static struct block *
5053 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
5054 {
5055 struct block *b0, *b1, *b2, *tmp;
5056 u_int offset_lh; /* offset if long header is received */
5057 u_int offset_sh; /* offset if short header is received */
5058
5059 switch (dir) {
5060
5061 case Q_DST:
5062 offset_sh = 1; /* follows flags */
5063 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
5064 break;
5065
5066 case Q_SRC:
5067 offset_sh = 3; /* follows flags, dstnode */
5068 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
5069 break;
5070
5071 case Q_AND:
5072 /* Inefficient because we do our Calvinball dance twice */
5073 b0 = gen_dnhostop(cstate, addr, Q_SRC);
5074 b1 = gen_dnhostop(cstate, addr, Q_DST);
5075 gen_and(b0, b1);
5076 return b1;
5077
5078 case Q_DEFAULT:
5079 case Q_OR:
5080 /* Inefficient because we do our Calvinball dance twice */
5081 b0 = gen_dnhostop(cstate, addr, Q_SRC);
5082 b1 = gen_dnhostop(cstate, addr, Q_DST);
5083 gen_or(b0, b1);
5084 return b1;
5085
5086 case Q_ADDR1:
5087 case Q_ADDR2:
5088 case Q_ADDR3:
5089 case Q_ADDR4:
5090 case Q_RA:
5091 case Q_TA:
5092 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
5093 /*NOTREACHED*/
5094
5095 default:
5096 abort();
5097 /*NOTREACHED*/
5098 }
5099 /*
5100 * In a DECnet message inside an Ethernet frame the first two bytes
5101 * immediately after EtherType are the [litle-endian] DECnet message
5102 * length, which is irrelevant in this context.
5103 *
5104 * "pad = 1" means the third byte equals 0x81, thus it is the PLENGTH
5105 * 8-bit bitmap of the optional padding before the packet route header.
5106 * The bitmap always has bit 7 set to 1 and in this case has bits 0-6
5107 * (TOTAL-PAD-SEQUENCE-LENGTH) set to integer value 1. The latter
5108 * means there aren't any PAD bytes after the bitmap, so the header
5109 * begins at the fourth byte. "pad = 0" means bit 7 of the third byte
5110 * is set to 0, thus the header begins at the third byte.
5111 *
5112 * The header can be in several (as mentioned above) formats, all of
5113 * which begin with the FLAGS 8-bit bitmap, which always has bit 7
5114 * (PF, "pad field") set to 0 regardless of any padding present before
5115 * the header. "Short header" means bits 0-2 of the bitmap encode the
5116 * integer value 2 (SFDP), and "long header" means value 6 (LFDP).
5117 *
5118 * To test PLENGTH and FLAGS, use multiple-byte constants with the
5119 * values and the masks, this maps to the required single bytes of
5120 * the message correctly on both big-endian and little-endian hosts.
5121 * For the DECnet address use SWAPSHORT(), which always swaps bytes,
5122 * because the wire encoding is little-endian and BPF multiple-byte
5123 * loads are big-endian. When the destination address is near enough
5124 * to PLENGTH and FLAGS, generate one 32-bit comparison instead of two
5125 * smaller ones.
5126 */
5127 /* Check for pad = 1, long header case */
5128 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 0x8106U, 0xFF07U);
5129 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
5130 BPF_H, SWAPSHORT(addr));
5131 gen_and(tmp, b1);
5132 /* Check for pad = 0, long header case */
5133 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, 0x06U, 0x07U);
5134 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H,
5135 SWAPSHORT(addr));
5136 gen_and(tmp, b2);
5137 gen_or(b2, b1);
5138 /* Check for pad = 1, short header case */
5139 if (dir == Q_DST) {
5140 b2 = gen_mcmp(cstate, OR_LINKPL, 2, BPF_W,
5141 0x81020000U | SWAPSHORT(addr),
5142 0xFF07FFFFU);
5143 } else {
5144 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H, 0x8102U, 0xFF07U);
5145 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H,
5146 SWAPSHORT(addr));
5147 gen_and(tmp, b2);
5148 }
5149 gen_or(b2, b1);
5150 /* Check for pad = 0, short header case */
5151 if (dir == Q_DST) {
5152 b2 = gen_mcmp(cstate, OR_LINKPL, 2, BPF_W,
5153 0x02000000U | SWAPSHORT(addr) << 8,
5154 0x07FFFF00U);
5155 } else {
5156 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, 0x02U, 0x07U);
5157 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H,
5158 SWAPSHORT(addr));
5159 gen_and(tmp, b2);
5160 }
5161 gen_or(b2, b1);
5162
5163 return b1;
5164 }
5165
5166 /*
5167 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
5168 * test the bottom-of-stack bit, and then check the version number
5169 * field in the IP header.
5170 */
5171 static struct block *
5172 gen_mpls_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
5173 {
5174 struct block *b0, *b1;
5175
5176 switch (ll_proto) {
5177
5178 case ETHERTYPE_IP:
5179 /* match the bottom-of-stack bit */
5180 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
5181 /* match the IPv4 version number */
5182 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
5183 gen_and(b0, b1);
5184 return b1;
5185
5186 case ETHERTYPE_IPV6:
5187 /* match the bottom-of-stack bit */
5188 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
5189 /* match the IPv4 version number */
5190 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
5191 gen_and(b0, b1);
5192 return b1;
5193
5194 default:
5195 /* FIXME add other L3 proto IDs */
5196 bpf_error(cstate, "unsupported protocol over mpls");
5197 /*NOTREACHED*/
5198 }
5199 }
5200
5201 static struct block *
5202 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
5203 int proto, int dir, int type)
5204 {
5205 struct block *b0, *b1;
5206
5207 switch (proto) {
5208
5209 case Q_DEFAULT:
5210 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
5211 /*
5212 * Only check for non-IPv4 addresses if we're not
5213 * checking MPLS-encapsulated packets.
5214 */
5215 if (cstate->label_stack_depth == 0) {
5216 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
5217 gen_or(b0, b1);
5218 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
5219 gen_or(b1, b0);
5220 }
5221 return b0;
5222
5223 case Q_LINK:
5224 // "link net NETNAME" and variations thereof
5225 break; // invalid qualifier
5226
5227 case Q_IP:
5228 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5229 b1 = gen_hostop(cstate, addr, mask, dir, 12, 16);
5230 gen_and(b0, b1);
5231 return b1;
5232
5233 case Q_RARP:
5234 b0 = gen_linktype(cstate, ETHERTYPE_REVARP);
5235 b1 = gen_hostop(cstate, addr, mask, dir, 14, 24);
5236 gen_and(b0, b1);
5237 return b1;
5238
5239 case Q_ARP:
5240 b0 = gen_linktype(cstate, ETHERTYPE_ARP);
5241 b1 = gen_hostop(cstate, addr, mask, dir, 14, 24);
5242 gen_and(b0, b1);
5243 return b1;
5244
5245 case Q_SCTP:
5246 case Q_TCP:
5247 case Q_UDP:
5248 case Q_ICMP:
5249 case Q_IGMP:
5250 case Q_IGRP:
5251 case Q_ATALK:
5252 break; // invalid qualifier
5253
5254 case Q_DECNET:
5255 b0 = gen_linktype(cstate, ETHERTYPE_DN);
5256 b1 = gen_dnhostop(cstate, addr, dir);
5257 gen_and(b0, b1);
5258 return b1;
5259
5260 case Q_LAT:
5261 case Q_SCA:
5262 case Q_MOPRC:
5263 case Q_MOPDL:
5264 case Q_IPV6:
5265 case Q_ICMPV6:
5266 case Q_AH:
5267 case Q_ESP:
5268 case Q_PIM:
5269 case Q_VRRP:
5270 case Q_AARP:
5271 case Q_ISO:
5272 case Q_ESIS:
5273 case Q_ISIS:
5274 case Q_CLNP:
5275 case Q_STP:
5276 case Q_IPX:
5277 case Q_NETBEUI:
5278 case Q_ISIS_L1:
5279 case Q_ISIS_L2:
5280 case Q_ISIS_IIH:
5281 case Q_ISIS_SNP:
5282 case Q_ISIS_CSNP:
5283 case Q_ISIS_PSNP:
5284 case Q_ISIS_LSP:
5285 case Q_RADIO:
5286 case Q_CARP:
5287 break; // invalid qualifier
5288
5289 default:
5290 abort();
5291 }
5292 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto),
5293 type == Q_NET ? "ip net" : "ip host");
5294 /*NOTREACHED*/
5295 }
5296
5297 #ifdef INET6
5298 static struct block *
5299 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
5300 struct in6_addr *mask, int proto, int dir, int type)
5301 {
5302 struct block *b0, *b1;
5303
5304 switch (proto) {
5305
5306 case Q_DEFAULT:
5307 case Q_IPV6:
5308 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5309 b1 = gen_hostop6(cstate, addr, mask, dir, 8, 24);
5310 gen_and(b0, b1);
5311 return b1;
5312
5313 case Q_LINK:
5314 case Q_IP:
5315 case Q_RARP:
5316 case Q_ARP:
5317 case Q_SCTP:
5318 case Q_TCP:
5319 case Q_UDP:
5320 case Q_ICMP:
5321 case Q_IGMP:
5322 case Q_IGRP:
5323 case Q_ATALK:
5324 case Q_DECNET:
5325 case Q_LAT:
5326 case Q_SCA:
5327 case Q_MOPRC:
5328 case Q_MOPDL:
5329 case Q_ICMPV6:
5330 case Q_AH:
5331 case Q_ESP:
5332 case Q_PIM:
5333 case Q_VRRP:
5334 case Q_AARP:
5335 case Q_ISO:
5336 case Q_ESIS:
5337 case Q_ISIS:
5338 case Q_CLNP:
5339 case Q_STP:
5340 case Q_IPX:
5341 case Q_NETBEUI:
5342 case Q_ISIS_L1:
5343 case Q_ISIS_L2:
5344 case Q_ISIS_IIH:
5345 case Q_ISIS_SNP:
5346 case Q_ISIS_CSNP:
5347 case Q_ISIS_PSNP:
5348 case Q_ISIS_LSP:
5349 case Q_RADIO:
5350 case Q_CARP:
5351 break; // invalid qualifier
5352
5353 default:
5354 abort();
5355 }
5356 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto),
5357 type == Q_NET ? "ip6 net" : "ip6 host");
5358 /*NOTREACHED*/
5359 }
5360 #endif
5361
5362 #ifndef INET6
5363 /*
5364 * This primitive is non-directional by design, so the grammar does not allow
5365 * to qualify it with a direction.
5366 */
5367 static struct block *
5368 gen_gateway(compiler_state_t *cstate, const u_char *eaddr,
5369 struct addrinfo *alist, int proto)
5370 {
5371 struct block *b0, *b1, *tmp;
5372 struct addrinfo *ai;
5373 struct sockaddr_in *sin;
5374
5375 switch (proto) {
5376 case Q_DEFAULT:
5377 case Q_IP:
5378 case Q_ARP:
5379 case Q_RARP:
5380 switch (cstate->linktype) {
5381 case DLT_EN10MB:
5382 case DLT_NETANALYZER:
5383 case DLT_NETANALYZER_TRANSPARENT:
5384 b1 = gen_prevlinkhdr_check(cstate);
5385 b0 = gen_ehostop(cstate, eaddr, Q_OR);
5386 if (b1 != NULL)
5387 gen_and(b1, b0);
5388 break;
5389 case DLT_FDDI:
5390 b0 = gen_fhostop(cstate, eaddr, Q_OR);
5391 break;
5392 case DLT_IEEE802:
5393 b0 = gen_thostop(cstate, eaddr, Q_OR);
5394 break;
5395 case DLT_IEEE802_11:
5396 case DLT_PRISM_HEADER:
5397 case DLT_IEEE802_11_RADIO_AVS:
5398 case DLT_IEEE802_11_RADIO:
5399 case DLT_PPI:
5400 b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
5401 break;
5402 case DLT_IP_OVER_FC:
5403 b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
5404 break;
5405 case DLT_SUNATM:
5406 /*
5407 * This is LLC-multiplexed traffic; if it were
5408 * LANE, cstate->linktype would have been set to
5409 * DLT_EN10MB.
5410 */
5411 /* FALLTHROUGH */
5412 default:
5413 bpf_error(cstate,
5414 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5415 }
5416 b1 = NULL;
5417 for (ai = alist; ai != NULL; ai = ai->ai_next) {
5418 /*
5419 * Does it have an address?
5420 */
5421 if (ai->ai_addr != NULL) {
5422 /*
5423 * Yes. Is it an IPv4 address?
5424 */
5425 if (ai->ai_addr->sa_family == AF_INET) {
5426 /*
5427 * Generate an entry for it.
5428 */
5429 sin = (struct sockaddr_in *)ai->ai_addr;
5430 tmp = gen_host(cstate,
5431 ntohl(sin->sin_addr.s_addr),
5432 0xffffffff, proto, Q_OR, Q_HOST);
5433 /*
5434 * Is it the *first* IPv4 address?
5435 */
5436 if (b1 == NULL) {
5437 /*
5438 * Yes, so start with it.
5439 */
5440 b1 = tmp;
5441 } else {
5442 /*
5443 * No, so OR it into the
5444 * existing set of
5445 * addresses.
5446 */
5447 gen_or(b1, tmp);
5448 b1 = tmp;
5449 }
5450 }
5451 }
5452 }
5453 if (b1 == NULL) {
5454 /*
5455 * No IPv4 addresses found.
5456 */
5457 return (NULL);
5458 }
5459 gen_not(b1);
5460 gen_and(b0, b1);
5461 return b1;
5462 }
5463 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), "gateway");
5464 /*NOTREACHED*/
5465 }
5466 #endif
5467
5468 static struct block *
5469 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto)
5470 {
5471 struct block *b0;
5472 struct block *b1 = NULL;
5473
5474 switch (proto) {
5475
5476 case Q_SCTP:
5477 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_DEFAULT);
5478 break;
5479
5480 case Q_TCP:
5481 b1 = gen_proto(cstate, IPPROTO_TCP, Q_DEFAULT);
5482 break;
5483
5484 case Q_UDP:
5485 b1 = gen_proto(cstate, IPPROTO_UDP, Q_DEFAULT);
5486 break;
5487
5488 case Q_ICMP:
5489 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP);
5490 break;
5491
5492 #ifndef IPPROTO_IGMP
5493 #define IPPROTO_IGMP 2
5494 #endif
5495
5496 case Q_IGMP:
5497 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP);
5498 break;
5499
5500 #ifndef IPPROTO_IGRP
5501 #define IPPROTO_IGRP 9
5502 #endif
5503 case Q_IGRP:
5504 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP);
5505 break;
5506
5507 #ifndef IPPROTO_PIM
5508 #define IPPROTO_PIM 103
5509 #endif
5510
5511 case Q_PIM:
5512 b1 = gen_proto(cstate, IPPROTO_PIM, Q_DEFAULT);
5513 break;
5514
5515 #ifndef IPPROTO_VRRP
5516 #define IPPROTO_VRRP 112
5517 #endif
5518
5519 case Q_VRRP:
5520 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP);
5521 break;
5522
5523 #ifndef IPPROTO_CARP
5524 #define IPPROTO_CARP 112
5525 #endif
5526
5527 case Q_CARP:
5528 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP);
5529 break;
5530
5531 case Q_IP:
5532 b1 = gen_linktype(cstate, ETHERTYPE_IP);
5533 break;
5534
5535 case Q_ARP:
5536 b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5537 break;
5538
5539 case Q_RARP:
5540 b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5541 break;
5542
5543 case Q_LINK:
5544 break; // invalid syntax
5545
5546 case Q_ATALK:
5547 b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5548 break;
5549
5550 case Q_AARP:
5551 b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5552 break;
5553
5554 case Q_DECNET:
5555 b1 = gen_linktype(cstate, ETHERTYPE_DN);
5556 break;
5557
5558 case Q_SCA:
5559 b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5560 break;
5561
5562 case Q_LAT:
5563 b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5564 break;
5565
5566 case Q_MOPDL:
5567 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5568 break;
5569
5570 case Q_MOPRC:
5571 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5572 break;
5573
5574 case Q_IPV6:
5575 b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5576 break;
5577
5578 #ifndef IPPROTO_ICMPV6
5579 #define IPPROTO_ICMPV6 58
5580 #endif
5581 case Q_ICMPV6:
5582 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6);
5583 break;
5584
5585 #ifndef IPPROTO_AH
5586 #define IPPROTO_AH 51
5587 #endif
5588 case Q_AH:
5589 b1 = gen_proto(cstate, IPPROTO_AH, Q_DEFAULT);
5590 break;
5591
5592 #ifndef IPPROTO_ESP
5593 #define IPPROTO_ESP 50
5594 #endif
5595 case Q_ESP:
5596 b1 = gen_proto(cstate, IPPROTO_ESP, Q_DEFAULT);
5597 break;
5598
5599 case Q_ISO:
5600 b1 = gen_linktype(cstate, LLCSAP_ISONS);
5601 break;
5602
5603 case Q_ESIS:
5604 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO);
5605 break;
5606
5607 case Q_ISIS:
5608 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO);
5609 break;
5610
5611 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5612 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS);
5613 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS); /* FIXME extract the circuit-type bits */
5614 gen_or(b0, b1);
5615 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS);
5616 gen_or(b0, b1);
5617 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS);
5618 gen_or(b0, b1);
5619 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS);
5620 gen_or(b0, b1);
5621 break;
5622
5623 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5624 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS);
5625 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS); /* FIXME extract the circuit-type bits */
5626 gen_or(b0, b1);
5627 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS);
5628 gen_or(b0, b1);
5629 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS);
5630 gen_or(b0, b1);
5631 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS);
5632 gen_or(b0, b1);
5633 break;
5634
5635 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5636 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS);
5637 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS);
5638 gen_or(b0, b1);
5639 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS);
5640 gen_or(b0, b1);
5641 break;
5642
5643 case Q_ISIS_LSP:
5644 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS);
5645 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS);
5646 gen_or(b0, b1);
5647 break;
5648
5649 case Q_ISIS_SNP:
5650 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS);
5651 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS);
5652 gen_or(b0, b1);
5653 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS);
5654 gen_or(b0, b1);
5655 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS);
5656 gen_or(b0, b1);
5657 break;
5658
5659 case Q_ISIS_CSNP:
5660 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS);
5661 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS);
5662 gen_or(b0, b1);
5663 break;
5664
5665 case Q_ISIS_PSNP:
5666 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS);
5667 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS);
5668 gen_or(b0, b1);
5669 break;
5670
5671 case Q_CLNP:
5672 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO);
5673 break;
5674
5675 case Q_STP:
5676 b1 = gen_linktype(cstate, LLCSAP_8021D);
5677 break;
5678
5679 case Q_IPX:
5680 b1 = gen_linktype(cstate, LLCSAP_IPX);
5681 break;
5682
5683 case Q_NETBEUI:
5684 b1 = gen_linktype(cstate, LLCSAP_NETBEUI);
5685 break;
5686
5687 case Q_RADIO:
5688 break; // invalid syntax
5689
5690 default:
5691 abort();
5692 }
5693 if (b1)
5694 return b1;
5695 bpf_error(cstate, "'%s' cannot be used as an abbreviation", pqkw(proto));
5696 }
5697
5698 struct block *
5699 gen_proto_abbrev(compiler_state_t *cstate, int proto)
5700 {
5701 /*
5702 * Catch errors reported by us and routines below us, and return NULL
5703 * on an error.
5704 */
5705 if (setjmp(cstate->top_ctx))
5706 return (NULL);
5707
5708 return gen_proto_abbrev_internal(cstate, proto);
5709 }
5710
5711 static struct block *
5712 gen_ipfrag(compiler_state_t *cstate)
5713 {
5714 struct slist *s;
5715 struct block *b;
5716
5717 /* not IPv4 frag other than the first frag */
5718 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5719 b = new_block(cstate, JMP(BPF_JSET));
5720 b->s.k = 0x1fff;
5721 b->stmts = s;
5722 gen_not(b);
5723
5724 return b;
5725 }
5726
5727 /*
5728 * Generate a comparison to a port value in the transport-layer header
5729 * at the specified offset from the beginning of that header.
5730 *
5731 * XXX - this handles a variable-length prefix preceding the link-layer
5732 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5733 * variable-length link-layer headers (such as Token Ring or 802.11
5734 * headers).
5735 */
5736 static struct block *
5737 gen_portatom(compiler_state_t *cstate, int off, bpf_u_int32 v)
5738 {
5739 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5740 }
5741
5742 static struct block *
5743 gen_portatom6(compiler_state_t *cstate, int off, bpf_u_int32 v)
5744 {
5745 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5746 }
5747
5748 static struct block *
5749 gen_portop(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5750 {
5751 struct block *b0, *b1, *tmp;
5752
5753 /* ip proto 'proto' and not a fragment other than the first fragment */
5754 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5755 b0 = gen_ipfrag(cstate);
5756 gen_and(tmp, b0);
5757
5758 switch (dir) {
5759 case Q_SRC:
5760 b1 = gen_portatom(cstate, 0, port);
5761 break;
5762
5763 case Q_DST:
5764 b1 = gen_portatom(cstate, 2, port);
5765 break;
5766
5767 case Q_AND:
5768 tmp = gen_portatom(cstate, 0, port);
5769 b1 = gen_portatom(cstate, 2, port);
5770 gen_and(tmp, b1);
5771 break;
5772
5773 case Q_DEFAULT:
5774 case Q_OR:
5775 tmp = gen_portatom(cstate, 0, port);
5776 b1 = gen_portatom(cstate, 2, port);
5777 gen_or(tmp, b1);
5778 break;
5779
5780 case Q_ADDR1:
5781 case Q_ADDR2:
5782 case Q_ADDR3:
5783 case Q_ADDR4:
5784 case Q_RA:
5785 case Q_TA:
5786 bpf_error(cstate, ERRSTR_INVALID_QUAL, dqkw(dir), "port");
5787 /*NOTREACHED*/
5788
5789 default:
5790 abort();
5791 /*NOTREACHED*/
5792 }
5793 gen_and(b0, b1);
5794
5795 return b1;
5796 }
5797
5798 static struct block *
5799 gen_port(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5800 {
5801 struct block *b0, *b1, *tmp;
5802
5803 /*
5804 * ether proto ip
5805 *
5806 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5807 * not LLC encapsulation with LLCSAP_IP.
5808 *
5809 * For IEEE 802 networks - which includes 802.5 token ring
5810 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5811 * says that SNAP encapsulation is used, not LLC encapsulation
5812 * with LLCSAP_IP.
5813 *
5814 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5815 * RFC 2225 say that SNAP encapsulation is used, not LLC
5816 * encapsulation with LLCSAP_IP.
5817 *
5818 * So we always check for ETHERTYPE_IP.
5819 */
5820 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5821
5822 switch (ip_proto) {
5823 case IPPROTO_UDP:
5824 case IPPROTO_TCP:
5825 case IPPROTO_SCTP:
5826 b1 = gen_portop(cstate, port, (u_int)ip_proto, dir);
5827 break;
5828
5829 case PROTO_UNDEF:
5830 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir);
5831 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir);
5832 gen_or(tmp, b1);
5833 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir);
5834 gen_or(tmp, b1);
5835 break;
5836
5837 default:
5838 abort();
5839 }
5840 gen_and(b0, b1);
5841 return b1;
5842 }
5843
5844 struct block *
5845 gen_portop6(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5846 {
5847 struct block *b0, *b1, *tmp;
5848
5849 /* ip6 proto 'proto' */
5850 /* XXX - catch the first fragment of a fragmented packet? */
5851 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
5852
5853 switch (dir) {
5854 case Q_SRC:
5855 b1 = gen_portatom6(cstate, 0, port);
5856 break;
5857
5858 case Q_DST:
5859 b1 = gen_portatom6(cstate, 2, port);
5860 break;
5861
5862 case Q_AND:
5863 tmp = gen_portatom6(cstate, 0, port);
5864 b1 = gen_portatom6(cstate, 2, port);
5865 gen_and(tmp, b1);
5866 break;
5867
5868 case Q_DEFAULT:
5869 case Q_OR:
5870 tmp = gen_portatom6(cstate, 0, port);
5871 b1 = gen_portatom6(cstate, 2, port);
5872 gen_or(tmp, b1);
5873 break;
5874
5875 default:
5876 abort();
5877 }
5878 gen_and(b0, b1);
5879
5880 return b1;
5881 }
5882
5883 static struct block *
5884 gen_port6(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5885 {
5886 struct block *b0, *b1, *tmp;
5887
5888 /* link proto ip6 */
5889 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5890
5891 switch (ip_proto) {
5892 case IPPROTO_UDP:
5893 case IPPROTO_TCP:
5894 case IPPROTO_SCTP:
5895 b1 = gen_portop6(cstate, port, (u_int)ip_proto, dir);
5896 break;
5897
5898 case PROTO_UNDEF:
5899 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir);
5900 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir);
5901 gen_or(tmp, b1);
5902 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir);
5903 gen_or(tmp, b1);
5904 break;
5905
5906 default:
5907 abort();
5908 }
5909 gen_and(b0, b1);
5910 return b1;
5911 }
5912
5913 /* gen_portrange code */
5914 static struct block *
5915 gen_portrangeatom(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
5916 bpf_u_int32 v2)
5917 {
5918 if (v1 == v2)
5919 return gen_portatom(cstate, off, v1);
5920
5921 struct block *b1, *b2;
5922
5923 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, min(v1, v2));
5924 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, max(v1, v2));
5925
5926 gen_and(b1, b2);
5927
5928 return b2;
5929 }
5930
5931 static struct block *
5932 gen_portrangeop(compiler_state_t *cstate, u_int port1, u_int port2,
5933 bpf_u_int32 proto, int dir)
5934 {
5935 struct block *b0, *b1, *tmp;
5936
5937 /* ip proto 'proto' and not a fragment other than the first fragment */
5938 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5939 b0 = gen_ipfrag(cstate);
5940 gen_and(tmp, b0);
5941
5942 switch (dir) {
5943 case Q_SRC:
5944 b1 = gen_portrangeatom(cstate, 0, port1, port2);
5945 break;
5946
5947 case Q_DST:
5948 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5949 break;
5950
5951 case Q_AND:
5952 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5953 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5954 gen_and(tmp, b1);
5955 break;
5956
5957 case Q_DEFAULT:
5958 case Q_OR:
5959 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5960 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5961 gen_or(tmp, b1);
5962 break;
5963
5964 case Q_ADDR1:
5965 case Q_ADDR2:
5966 case Q_ADDR3:
5967 case Q_ADDR4:
5968 case Q_RA:
5969 case Q_TA:
5970 bpf_error(cstate, ERRSTR_INVALID_QUAL, dqkw(dir), "portrange");
5971 /*NOTREACHED*/
5972
5973 default:
5974 abort();
5975 /*NOTREACHED*/
5976 }
5977 gen_and(b0, b1);
5978
5979 return b1;
5980 }
5981
5982 static struct block *
5983 gen_portrange(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
5984 int dir)
5985 {
5986 struct block *b0, *b1, *tmp;
5987
5988 /* link proto ip */
5989 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5990
5991 switch (ip_proto) {
5992 case IPPROTO_UDP:
5993 case IPPROTO_TCP:
5994 case IPPROTO_SCTP:
5995 b1 = gen_portrangeop(cstate, port1, port2, (bpf_u_int32)ip_proto,
5996 dir);
5997 break;
5998
5999 case PROTO_UNDEF:
6000 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir);
6001 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir);
6002 gen_or(tmp, b1);
6003 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir);
6004 gen_or(tmp, b1);
6005 break;
6006
6007 default:
6008 abort();
6009 }
6010 gen_and(b0, b1);
6011 return b1;
6012 }
6013
6014 static struct block *
6015 gen_portrangeatom6(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
6016 bpf_u_int32 v2)
6017 {
6018 if (v1 == v2)
6019 return gen_portatom6(cstate, off, v1);
6020
6021 struct block *b1, *b2;
6022
6023 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, min(v1, v2));
6024 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, max(v1, v2));
6025
6026 gen_and(b1, b2);
6027
6028 return b2;
6029 }
6030
6031 static struct block *
6032 gen_portrangeop6(compiler_state_t *cstate, u_int port1, u_int port2,
6033 bpf_u_int32 proto, int dir)
6034 {
6035 struct block *b0, *b1, *tmp;
6036
6037 /* ip6 proto 'proto' */
6038 /* XXX - catch the first fragment of a fragmented packet? */
6039 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
6040
6041 switch (dir) {
6042 case Q_SRC:
6043 b1 = gen_portrangeatom6(cstate, 0, port1, port2);
6044 break;
6045
6046 case Q_DST:
6047 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
6048 break;
6049
6050 case Q_AND:
6051 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
6052 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
6053 gen_and(tmp, b1);
6054 break;
6055
6056 case Q_DEFAULT:
6057 case Q_OR:
6058 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
6059 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
6060 gen_or(tmp, b1);
6061 break;
6062
6063 default:
6064 abort();
6065 }
6066 gen_and(b0, b1);
6067
6068 return b1;
6069 }
6070
6071 static struct block *
6072 gen_portrange6(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
6073 int dir)
6074 {
6075 struct block *b0, *b1, *tmp;
6076
6077 /* link proto ip6 */
6078 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6079
6080 switch (ip_proto) {
6081 case IPPROTO_UDP:
6082 case IPPROTO_TCP:
6083 case IPPROTO_SCTP:
6084 b1 = gen_portrangeop6(cstate, port1, port2, (bpf_u_int32)ip_proto,
6085 dir);
6086 break;
6087
6088 case PROTO_UNDEF:
6089 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir);
6090 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir);
6091 gen_or(tmp, b1);
6092 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir);
6093 gen_or(tmp, b1);
6094 break;
6095
6096 default:
6097 abort();
6098 }
6099 gen_and(b0, b1);
6100 return b1;
6101 }
6102
6103 static int
6104 lookup_proto(compiler_state_t *cstate, const char *name, int proto)
6105 {
6106 register int v;
6107
6108 switch (proto) {
6109
6110 case Q_DEFAULT:
6111 case Q_IP:
6112 case Q_IPV6:
6113 v = pcap_nametoproto(name);
6114 if (v == PROTO_UNDEF)
6115 bpf_error(cstate, "unknown ip proto '%s'", name);
6116 break;
6117
6118 case Q_LINK:
6119 /* XXX should look up h/w protocol type based on cstate->linktype */
6120 v = pcap_nametoeproto(name);
6121 if (v == PROTO_UNDEF) {
6122 v = pcap_nametollc(name);
6123 if (v == PROTO_UNDEF)
6124 bpf_error(cstate, "unknown ether proto '%s'", name);
6125 }
6126 break;
6127
6128 case Q_ISO:
6129 if (strcmp(name, "esis") == 0)
6130 v = ISO9542_ESIS;
6131 else if (strcmp(name, "isis") == 0)
6132 v = ISO10589_ISIS;
6133 else if (strcmp(name, "clnp") == 0)
6134 v = ISO8473_CLNP;
6135 else
6136 bpf_error(cstate, "unknown osi proto '%s'", name);
6137 break;
6138
6139 default:
6140 v = PROTO_UNDEF;
6141 break;
6142 }
6143 return v;
6144 }
6145
6146 #if !defined(NO_PROTOCHAIN)
6147 /*
6148 * This primitive is non-directional by design, so the grammar does not allow
6149 * to qualify it with a direction.
6150 */
6151 static struct block *
6152 gen_protochain(compiler_state_t *cstate, bpf_u_int32 v, int proto)
6153 {
6154 struct block *b0, *b;
6155 struct slist *s[100];
6156 int fix2, fix3, fix4, fix5;
6157 int ahcheck, again, end;
6158 int i, max;
6159 int reg2 = alloc_reg(cstate);
6160
6161 memset(s, 0, sizeof(s));
6162 fix3 = fix4 = fix5 = 0;
6163
6164 switch (proto) {
6165 case Q_IP:
6166 case Q_IPV6:
6167 break;
6168 case Q_DEFAULT:
6169 b0 = gen_protochain(cstate, v, Q_IP);
6170 b = gen_protochain(cstate, v, Q_IPV6);
6171 gen_or(b0, b);
6172 return b;
6173 default:
6174 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), "protochain");
6175 /*NOTREACHED*/
6176 }
6177
6178 /*
6179 * We don't handle variable-length prefixes before the link-layer
6180 * header, or variable-length link-layer headers, here yet.
6181 * We might want to add BPF instructions to do the protochain
6182 * work, to simplify that and, on platforms that have a BPF
6183 * interpreter with the new instructions, let the filtering
6184 * be done in the kernel. (We already require a modified BPF
6185 * engine to do the protochain stuff, to support backward
6186 * branches, and backward branch support is unlikely to appear
6187 * in kernel BPF engines.)
6188 */
6189 if (cstate->off_linkpl.is_variable)
6190 bpf_error(cstate, "'protochain' not supported with variable length headers");
6191
6192 /*
6193 * To quote a comment in optimize.c:
6194 *
6195 * "These data structures are used in a Cocke and Schwartz style
6196 * value numbering scheme. Since the flowgraph is acyclic,
6197 * exit values can be propagated from a node's predecessors
6198 * provided it is uniquely defined."
6199 *
6200 * "Acyclic" means "no backward branches", which means "no
6201 * loops", so we have to turn the optimizer off.
6202 */
6203 cstate->no_optimize = 1;
6204
6205 /*
6206 * s[0] is a dummy entry to protect other BPF insn from damage
6207 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
6208 * hard to find interdependency made by jump table fixup.
6209 */
6210 i = 0;
6211 s[i] = new_stmt(cstate, 0); /*dummy*/
6212 i++;
6213
6214 switch (proto) {
6215 case Q_IP:
6216 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6217
6218 /* A = ip->ip_p */
6219 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6220 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
6221 i++;
6222 /* X = ip->ip_hl << 2 */
6223 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
6224 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6225 i++;
6226 break;
6227
6228 case Q_IPV6:
6229 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6230
6231 /* A = ip6->ip_nxt */
6232 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6233 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
6234 i++;
6235 /* X = sizeof(struct ip6_hdr) */
6236 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
6237 s[i]->s.k = 40;
6238 i++;
6239 break;
6240
6241 default:
6242 bpf_error(cstate, "unsupported proto to gen_protochain");
6243 /*NOTREACHED*/
6244 }
6245
6246 /* again: if (A == v) goto end; else fall through; */
6247 again = i;
6248 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6249 s[i]->s.k = v;
6250 s[i]->s.jt = NULL; /*later*/
6251 s[i]->s.jf = NULL; /*update in next stmt*/
6252 fix5 = i;
6253 i++;
6254
6255 #ifndef IPPROTO_NONE
6256 #define IPPROTO_NONE 59
6257 #endif
6258 /* if (A == IPPROTO_NONE) goto end */
6259 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6260 s[i]->s.jt = NULL; /*later*/
6261 s[i]->s.jf = NULL; /*update in next stmt*/
6262 s[i]->s.k = IPPROTO_NONE;
6263 s[fix5]->s.jf = s[i];
6264 fix2 = i;
6265 i++;
6266
6267 if (proto == Q_IPV6) {
6268 int v6start, v6end, v6advance, j;
6269
6270 v6start = i;
6271 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
6272 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6273 s[i]->s.jt = NULL; /*later*/
6274 s[i]->s.jf = NULL; /*update in next stmt*/
6275 s[i]->s.k = IPPROTO_HOPOPTS;
6276 s[fix2]->s.jf = s[i];
6277 i++;
6278 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
6279 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6280 s[i]->s.jt = NULL; /*later*/
6281 s[i]->s.jf = NULL; /*update in next stmt*/
6282 s[i]->s.k = IPPROTO_DSTOPTS;
6283 i++;
6284 /* if (A == IPPROTO_ROUTING) goto v6advance */
6285 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6286 s[i]->s.jt = NULL; /*later*/
6287 s[i]->s.jf = NULL; /*update in next stmt*/
6288 s[i]->s.k = IPPROTO_ROUTING;
6289 i++;
6290 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
6291 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6292 s[i]->s.jt = NULL; /*later*/
6293 s[i]->s.jf = NULL; /*later*/
6294 s[i]->s.k = IPPROTO_FRAGMENT;
6295 fix3 = i;
6296 v6end = i;
6297 i++;
6298
6299 /* v6advance: */
6300 v6advance = i;
6301
6302 /*
6303 * in short,
6304 * A = P[X + packet head];
6305 * X = X + (P[X + packet head + 1] + 1) * 8;
6306 */
6307 /* A = P[X + packet head] */
6308 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6309 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6310 i++;
6311 /* MEM[reg2] = A */
6312 s[i] = new_stmt(cstate, BPF_ST);
6313 s[i]->s.k = reg2;
6314 i++;
6315 /* A = P[X + packet head + 1]; */
6316 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6317 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
6318 i++;
6319 /* A += 1 */
6320 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6321 s[i]->s.k = 1;
6322 i++;
6323 /* A *= 8 */
6324 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6325 s[i]->s.k = 8;
6326 i++;
6327 /* A += X */
6328 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
6329 s[i]->s.k = 0;
6330 i++;
6331 /* X = A; */
6332 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6333 i++;
6334 /* A = MEM[reg2] */
6335 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6336 s[i]->s.k = reg2;
6337 i++;
6338
6339 /* goto again; (must use BPF_JA for backward jump) */
6340 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6341 s[i]->s.k = again - i - 1;
6342 s[i - 1]->s.jf = s[i];
6343 i++;
6344
6345 /* fixup */
6346 for (j = v6start; j <= v6end; j++)
6347 s[j]->s.jt = s[v6advance];
6348 } else {
6349 /* nop */
6350 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6351 s[i]->s.k = 0;
6352 s[fix2]->s.jf = s[i];
6353 i++;
6354 }
6355
6356 /* ahcheck: */
6357 ahcheck = i;
6358 /* if (A == IPPROTO_AH) then fall through; else goto end; */
6359 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6360 s[i]->s.jt = NULL; /*later*/
6361 s[i]->s.jf = NULL; /*later*/
6362 s[i]->s.k = IPPROTO_AH;
6363 if (fix3)
6364 s[fix3]->s.jf = s[ahcheck];
6365 fix4 = i;
6366 i++;
6367
6368 /*
6369 * in short,
6370 * A = P[X];
6371 * X = X + (P[X + 1] + 2) * 4;
6372 */
6373 /* A = X */
6374 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6375 i++;
6376 /* A = P[X + packet head]; */
6377 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6378 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6379 i++;
6380 /* MEM[reg2] = A */
6381 s[i] = new_stmt(cstate, BPF_ST);
6382 s[i]->s.k = reg2;
6383 i++;
6384 /* A = X */
6385 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6386 i++;
6387 /* A += 1 */
6388 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6389 s[i]->s.k = 1;
6390 i++;
6391 /* X = A */
6392 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6393 i++;
6394 /* A = P[X + packet head] */
6395 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6396 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6397 i++;
6398 /* A += 2 */
6399 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6400 s[i]->s.k = 2;
6401 i++;
6402 /* A *= 4 */
6403 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6404 s[i]->s.k = 4;
6405 i++;
6406 /* X = A; */
6407 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6408 i++;
6409 /* A = MEM[reg2] */
6410 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6411 s[i]->s.k = reg2;
6412 i++;
6413
6414 /* goto again; (must use BPF_JA for backward jump) */
6415 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6416 s[i]->s.k = again - i - 1;
6417 i++;
6418
6419 /* end: nop */
6420 end = i;
6421 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6422 s[i]->s.k = 0;
6423 s[fix2]->s.jt = s[end];
6424 s[fix4]->s.jf = s[end];
6425 s[fix5]->s.jt = s[end];
6426 i++;
6427
6428 /*
6429 * make slist chain
6430 */
6431 max = i;
6432 for (i = 0; i < max - 1; i++)
6433 s[i]->next = s[i + 1];
6434 s[max - 1]->next = NULL;
6435
6436 /*
6437 * emit final check
6438 * Remember, s[0] is dummy.
6439 */
6440 b = gen_jmp(cstate, BPF_JEQ, v, s[1]);
6441
6442 free_reg(cstate, reg2);
6443
6444 gen_and(b0, b);
6445 return b;
6446 }
6447 #endif /* !defined(NO_PROTOCHAIN) */
6448
6449 /*
6450 * Generate code that checks whether the packet is a packet for protocol
6451 * <proto> and whether the type field in that protocol's header has
6452 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
6453 * IP packet and checks the protocol number in the IP header against <v>.
6454 *
6455 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
6456 * against Q_IP and Q_IPV6.
6457 *
6458 * This primitive is non-directional by design, so the grammar does not allow
6459 * to qualify it with a direction.
6460 */
6461 static struct block *
6462 gen_proto(compiler_state_t *cstate, bpf_u_int32 v, int proto)
6463 {
6464 struct block *b0, *b1;
6465 struct block *b2;
6466
6467 switch (proto) {
6468 case Q_DEFAULT:
6469 b0 = gen_proto(cstate, v, Q_IP);
6470 b1 = gen_proto(cstate, v, Q_IPV6);
6471 gen_or(b0, b1);
6472 return b1;
6473
6474 case Q_LINK:
6475 return gen_linktype(cstate, v);
6476
6477 case Q_IP:
6478 /*
6479 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6480 * not LLC encapsulation with LLCSAP_IP.
6481 *
6482 * For IEEE 802 networks - which includes 802.5 token ring
6483 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6484 * says that SNAP encapsulation is used, not LLC encapsulation
6485 * with LLCSAP_IP.
6486 *
6487 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6488 * RFC 2225 say that SNAP encapsulation is used, not LLC
6489 * encapsulation with LLCSAP_IP.
6490 *
6491 * So we always check for ETHERTYPE_IP.
6492 */
6493 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6494 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, v);
6495 gen_and(b0, b1);
6496 return b1;
6497
6498 case Q_ARP:
6499 case Q_RARP:
6500 case Q_SCTP:
6501 case Q_TCP:
6502 case Q_UDP:
6503 case Q_ICMP:
6504 case Q_IGMP:
6505 case Q_IGRP:
6506 case Q_ATALK:
6507 case Q_DECNET:
6508 case Q_LAT:
6509 case Q_SCA:
6510 case Q_MOPRC:
6511 case Q_MOPDL:
6512 break; // invalid qualifier
6513
6514 case Q_IPV6:
6515 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6516 /*
6517 * Also check for a fragment header before the final
6518 * header.
6519 */
6520 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6521 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, v);
6522 gen_and(b2, b1);
6523 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, v);
6524 gen_or(b2, b1);
6525 gen_and(b0, b1);
6526 return b1;
6527
6528 case Q_ICMPV6:
6529 case Q_AH:
6530 case Q_ESP:
6531 case Q_PIM:
6532 case Q_VRRP:
6533 case Q_AARP:
6534 break; // invalid qualifier
6535
6536 case Q_ISO:
6537 assert_maxval(cstate, "ISO protocol", v, UINT8_MAX);
6538 switch (cstate->linktype) {
6539
6540 case DLT_FRELAY:
6541 /*
6542 * Frame Relay packets typically have an OSI
6543 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6544 * generates code to check for all the OSI
6545 * NLPIDs, so calling it and then adding a check
6546 * for the particular NLPID for which we're
6547 * looking is bogus, as we can just check for
6548 * the NLPID.
6549 *
6550 * What we check for is the NLPID and a frame
6551 * control field value of UI, i.e. 0x03 followed
6552 * by the NLPID.
6553 *
6554 * XXX - assumes a 2-byte Frame Relay header with
6555 * DLCI and flags. What if the address is longer?
6556 *
6557 * XXX - what about SNAP-encapsulated frames?
6558 */
6559 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6560 /*NOTREACHED*/
6561
6562 case DLT_C_HDLC:
6563 case DLT_HDLC:
6564 /*
6565 * Cisco uses an Ethertype lookalike - for OSI,
6566 * it's 0xfefe.
6567 */
6568 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6569 /* OSI in C-HDLC is stuffed with a fudge byte */
6570 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, v);
6571 gen_and(b0, b1);
6572 return b1;
6573
6574 default:
6575 b0 = gen_linktype(cstate, LLCSAP_ISONS);
6576 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, v);
6577 gen_and(b0, b1);
6578 return b1;
6579 }
6580
6581 case Q_ESIS:
6582 break; // invalid qualifier
6583
6584 case Q_ISIS:
6585 assert_maxval(cstate, "IS-IS PDU type", v, ISIS_PDU_TYPE_MAX);
6586 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO);
6587 /*
6588 * 4 is the offset of the PDU type relative to the IS-IS
6589 * header.
6590 * Except when it is not, see above.
6591 */
6592 unsigned pdu_type_offset;
6593 switch (cstate->linktype) {
6594 case DLT_C_HDLC:
6595 case DLT_HDLC:
6596 pdu_type_offset = 5;
6597 break;
6598 default:
6599 pdu_type_offset = 4;
6600 }
6601 b1 = gen_mcmp(cstate, OR_LINKPL_NOSNAP, pdu_type_offset, BPF_B,
6602 v, ISIS_PDU_TYPE_MAX);
6603 gen_and(b0, b1);
6604 return b1;
6605
6606 case Q_CLNP:
6607 case Q_STP:
6608 case Q_IPX:
6609 case Q_NETBEUI:
6610 case Q_ISIS_L1:
6611 case Q_ISIS_L2:
6612 case Q_ISIS_IIH:
6613 case Q_ISIS_SNP:
6614 case Q_ISIS_CSNP:
6615 case Q_ISIS_PSNP:
6616 case Q_ISIS_LSP:
6617 case Q_RADIO:
6618 case Q_CARP:
6619 break; // invalid qualifier
6620
6621 default:
6622 abort();
6623 /*NOTREACHED*/
6624 }
6625 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), "proto");
6626 /*NOTREACHED*/
6627 }
6628
6629 /*
6630 * Convert a non-numeric name to a port number.
6631 */
6632 static int
6633 nametoport(compiler_state_t *cstate, const char *name, int ipproto)
6634 {
6635 struct addrinfo hints, *res, *ai;
6636 int error;
6637 struct sockaddr_in *in4;
6638 #ifdef INET6
6639 struct sockaddr_in6 *in6;
6640 #endif
6641 int port = -1;
6642
6643 /*
6644 * We check for both TCP and UDP in case there are
6645 * ambiguous entries.
6646 */
6647 memset(&hints, 0, sizeof(hints));
6648 hints.ai_family = PF_UNSPEC;
6649 hints.ai_socktype = (ipproto == IPPROTO_TCP) ? SOCK_STREAM : SOCK_DGRAM;
6650 hints.ai_protocol = ipproto;
6651 error = getaddrinfo(NULL, name, &hints, &res);
6652 if (error != 0) {
6653 switch (error) {
6654
6655 case EAI_NONAME:
6656 case EAI_SERVICE:
6657 /*
6658 * No such port. Just return -1.
6659 */
6660 break;
6661
6662 #ifdef EAI_SYSTEM
6663 case EAI_SYSTEM:
6664 /*
6665 * We don't use strerror() because it's not
6666 * guaranteed to be thread-safe on all platforms
6667 * (probably because it might use a non-thread-local
6668 * buffer into which to format an error message
6669 * if the error code isn't one for which it has
6670 * a canned string; three cheers for C string
6671 * handling).
6672 */
6673 bpf_set_error(cstate, "getaddrinfo(\"%s\" fails with system error: %d",
6674 name, errno);
6675 port = -2; /* a real error */
6676 break;
6677 #endif
6678
6679 default:
6680 /*
6681 * This is a real error, not just "there's
6682 * no such service name".
6683 *
6684 * We don't use gai_strerror() because it's not
6685 * guaranteed to be thread-safe on all platforms
6686 * (probably because it might use a non-thread-local
6687 * buffer into which to format an error message
6688 * if the error code isn't one for which it has
6689 * a canned string; three cheers for C string
6690 * handling).
6691 */
6692 bpf_set_error(cstate, "getaddrinfo(\"%s\") fails with error: %d",
6693 name, error);
6694 port = -2; /* a real error */
6695 break;
6696 }
6697 } else {
6698 /*
6699 * OK, we found it. Did it find anything?
6700 */
6701 for (ai = res; ai != NULL; ai = ai->ai_next) {
6702 /*
6703 * Does it have an address?
6704 */
6705 if (ai->ai_addr != NULL) {
6706 /*
6707 * Yes. Get a port number; we're done.
6708 */
6709 if (ai->ai_addr->sa_family == AF_INET) {
6710 in4 = (struct sockaddr_in *)ai->ai_addr;
6711 port = ntohs(in4->sin_port);
6712 break;
6713 }
6714 #ifdef INET6
6715 if (ai->ai_addr->sa_family == AF_INET6) {
6716 in6 = (struct sockaddr_in6 *)ai->ai_addr;
6717 port = ntohs(in6->sin6_port);
6718 break;
6719 }
6720 #endif
6721 }
6722 }
6723 freeaddrinfo(res);
6724 }
6725 return port;
6726 }
6727
6728 /*
6729 * Convert a string to a port number.
6730 */
6731 static bpf_u_int32
6732 stringtoport(compiler_state_t *cstate, const char *string, size_t string_size,
6733 int *proto)
6734 {
6735 stoulen_ret ret;
6736 char *cpy;
6737 bpf_u_int32 val;
6738 int tcp_port = -1;
6739 int udp_port = -1;
6740
6741 /*
6742 * See if it's a number.
6743 */
6744 ret = stoulen(string, string_size, &val, cstate);
6745 switch (ret) {
6746
6747 case STOULEN_OK:
6748 /* Unknown port type - it's just a number. */
6749 *proto = PROTO_UNDEF;
6750 break;
6751
6752 case STOULEN_NOT_OCTAL_NUMBER:
6753 case STOULEN_NOT_HEX_NUMBER:
6754 case STOULEN_NOT_DECIMAL_NUMBER:
6755 /*
6756 * Not a valid number; try looking it up as a port.
6757 */
6758 cpy = malloc(string_size + 1); /* +1 for terminating '\0' */
6759 memcpy(cpy, string, string_size);
6760 cpy[string_size] = '\0';
6761 tcp_port = nametoport(cstate, cpy, IPPROTO_TCP);
6762 if (tcp_port == -2) {
6763 /*
6764 * We got a hard error; the error string has
6765 * already been set.
6766 */
6767 free(cpy);
6768 longjmp(cstate->top_ctx, 1);
6769 /*NOTREACHED*/
6770 }
6771 udp_port = nametoport(cstate, cpy, IPPROTO_UDP);
6772 if (udp_port == -2) {
6773 /*
6774 * We got a hard error; the error string has
6775 * already been set.
6776 */
6777 free(cpy);
6778 longjmp(cstate->top_ctx, 1);
6779 /*NOTREACHED*/
6780 }
6781
6782 /*
6783 * We need to check /etc/services for ambiguous entries.
6784 * If we find an ambiguous entry, and it has the
6785 * same port number, change the proto to PROTO_UNDEF
6786 * so both TCP and UDP will be checked.
6787 */
6788 if (tcp_port >= 0) {
6789 val = (bpf_u_int32)tcp_port;
6790 *proto = IPPROTO_TCP;
6791 if (udp_port >= 0) {
6792 if (udp_port == tcp_port)
6793 *proto = PROTO_UNDEF;
6794 #ifdef notdef
6795 else
6796 /* Can't handle ambiguous names that refer
6797 to different port numbers. */
6798 warning("ambiguous port %s in /etc/services",
6799 cpy);
6800 #endif
6801 }
6802 free(cpy);
6803 break;
6804 }
6805 if (udp_port >= 0) {
6806 val = (bpf_u_int32)udp_port;
6807 *proto = IPPROTO_UDP;
6808 free(cpy);
6809 break;
6810 }
6811 bpf_set_error(cstate, "'%s' is not a valid port", cpy);
6812 free(cpy);
6813 longjmp(cstate->top_ctx, 1);
6814 /*NOTREACHED*/
6815 #ifdef _AIX
6816 PCAP_UNREACHABLE
6817 #endif /* _AIX */
6818
6819 case STOULEN_ERROR:
6820 /* Error already set. */
6821 longjmp(cstate->top_ctx, 1);
6822 /*NOTREACHED*/
6823 #ifdef _AIX
6824 PCAP_UNREACHABLE
6825 #endif /* _AIX */
6826
6827 default:
6828 /* Should not happen */
6829 bpf_set_error(cstate, "stoulen returned %d - this should not happen", ret);
6830 longjmp(cstate->top_ctx, 1);
6831 /*NOTREACHED*/
6832 }
6833 return (val);
6834 }
6835
6836 /*
6837 * Convert a string in the form PPP-PPP, which correspond to ports, to
6838 * a starting and ending port in a port range.
6839 */
6840 static void
6841 stringtoportrange(compiler_state_t *cstate, const char *string,
6842 bpf_u_int32 *port1, bpf_u_int32 *port2, int *proto)
6843 {
6844 char *hyphen_off;
6845 const char *first, *second;
6846 size_t first_size, second_size;
6847 int save_proto;
6848
6849 if ((hyphen_off = strchr(string, '-')) == NULL)
6850 bpf_error(cstate, "port range '%s' contains no hyphen", string);
6851
6852 /*
6853 * Make sure there are no other hyphens.
6854 *
6855 * XXX - we support named ports, but there are some port names
6856 * in /etc/services that include hyphens, so this would rule
6857 * that out.
6858 */
6859 if (strchr(hyphen_off + 1, '-') != NULL)
6860 bpf_error(cstate, "port range '%s' contains more than one hyphen",
6861 string);
6862
6863 /*
6864 * Get the length of the first port.
6865 */
6866 first = string;
6867 first_size = hyphen_off - string;
6868 if (first_size == 0) {
6869 /* Range of "-port", which we don't support. */
6870 bpf_error(cstate, "port range '%s' has no starting port", string);
6871 }
6872
6873 /*
6874 * Try to convert it to a port.
6875 */
6876 *port1 = stringtoport(cstate, first, first_size, proto);
6877 save_proto = *proto;
6878
6879 /*
6880 * Get the length of the second port.
6881 */
6882 second = hyphen_off + 1;
6883 second_size = strlen(second);
6884 if (second_size == 0) {
6885 /* Range of "port-", which we don't support. */
6886 bpf_error(cstate, "port range '%s' has no ending port", string);
6887 }
6888
6889 /*
6890 * Try to convert it to a port.
6891 */
6892 *port2 = stringtoport(cstate, second, second_size, proto);
6893 if (*proto != save_proto)
6894 *proto = PROTO_UNDEF;
6895 }
6896
6897 struct block *
6898 gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
6899 {
6900 int proto = q.proto;
6901 int dir = q.dir;
6902 int tproto;
6903 u_char *eaddr;
6904 bpf_u_int32 mask, addr;
6905 struct addrinfo *res, *res0;
6906 struct sockaddr_in *sin4;
6907 #ifdef INET6
6908 int tproto6;
6909 struct sockaddr_in6 *sin6;
6910 struct in6_addr mask128;
6911 #endif /*INET6*/
6912 struct block *b, *tmp;
6913 int port, real_proto;
6914 bpf_u_int32 port1, port2;
6915
6916 /*
6917 * Catch errors reported by us and routines below us, and return NULL
6918 * on an error.
6919 */
6920 if (setjmp(cstate->top_ctx))
6921 return (NULL);
6922
6923 switch (q.addr) {
6924
6925 case Q_NET:
6926 addr = pcap_nametonetaddr(name);
6927 if (addr == 0)
6928 bpf_error(cstate, "unknown network '%s'", name);
6929 /* Left justify network addr and calculate its network mask */
6930 mask = 0xffffffff;
6931 while (addr && (addr & 0xff000000) == 0) {
6932 addr <<= 8;
6933 mask <<= 8;
6934 }
6935 return gen_host(cstate, addr, mask, proto, dir, q.addr);
6936
6937 case Q_DEFAULT:
6938 case Q_HOST:
6939 if (proto == Q_LINK) {
6940 switch (cstate->linktype) {
6941
6942 case DLT_EN10MB:
6943 case DLT_NETANALYZER:
6944 case DLT_NETANALYZER_TRANSPARENT:
6945 eaddr = pcap_ether_hostton(name);
6946 if (eaddr == NULL)
6947 bpf_error(cstate,
6948 "unknown ether host '%s'", name);
6949 tmp = gen_prevlinkhdr_check(cstate);
6950 b = gen_ehostop(cstate, eaddr, dir);
6951 if (tmp != NULL)
6952 gen_and(tmp, b);
6953 free(eaddr);
6954 return b;
6955
6956 case DLT_FDDI:
6957 eaddr = pcap_ether_hostton(name);
6958 if (eaddr == NULL)
6959 bpf_error(cstate,
6960 "unknown FDDI host '%s'", name);
6961 b = gen_fhostop(cstate, eaddr, dir);
6962 free(eaddr);
6963 return b;
6964
6965 case DLT_IEEE802:
6966 eaddr = pcap_ether_hostton(name);
6967 if (eaddr == NULL)
6968 bpf_error(cstate,
6969 "unknown token ring host '%s'", name);
6970 b = gen_thostop(cstate, eaddr, dir);
6971 free(eaddr);
6972 return b;
6973
6974 case DLT_IEEE802_11:
6975 case DLT_PRISM_HEADER:
6976 case DLT_IEEE802_11_RADIO_AVS:
6977 case DLT_IEEE802_11_RADIO:
6978 case DLT_PPI:
6979 eaddr = pcap_ether_hostton(name);
6980 if (eaddr == NULL)
6981 bpf_error(cstate,
6982 "unknown 802.11 host '%s'", name);
6983 b = gen_wlanhostop(cstate, eaddr, dir);
6984 free(eaddr);
6985 return b;
6986
6987 case DLT_IP_OVER_FC:
6988 eaddr = pcap_ether_hostton(name);
6989 if (eaddr == NULL)
6990 bpf_error(cstate,
6991 "unknown Fibre Channel host '%s'", name);
6992 b = gen_ipfchostop(cstate, eaddr, dir);
6993 free(eaddr);
6994 return b;
6995 }
6996
6997 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6998 } else if (proto == Q_DECNET) {
6999 /*
7000 * A long time ago on Ultrix libpcap supported
7001 * translation of DECnet host names into DECnet
7002 * addresses, but this feature is history now.
7003 */
7004 bpf_error(cstate, "invalid DECnet address '%s'", name);
7005 } else {
7006 #ifdef INET6
7007 memset(&mask128, 0xff, sizeof(mask128));
7008 #endif
7009 res0 = res = pcap_nametoaddrinfo(name);
7010 if (res == NULL)
7011 bpf_error(cstate, "unknown host '%s'", name);
7012 cstate->ai = res;
7013 b = tmp = NULL;
7014 tproto = proto;
7015 #ifdef INET6
7016 tproto6 = proto;
7017 #endif
7018 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
7019 tproto == Q_DEFAULT) {
7020 tproto = Q_IP;
7021 #ifdef INET6
7022 tproto6 = Q_IPV6;
7023 #endif
7024 }
7025 for (res = res0; res; res = res->ai_next) {
7026 switch (res->ai_family) {
7027 case AF_INET:
7028 #ifdef INET6
7029 if (tproto == Q_IPV6)
7030 continue;
7031 #endif
7032
7033 sin4 = (struct sockaddr_in *)
7034 res->ai_addr;
7035 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
7036 0xffffffff, tproto, dir, q.addr);
7037 break;
7038 #ifdef INET6
7039 case AF_INET6:
7040 if (tproto6 == Q_IP)
7041 continue;
7042
7043 sin6 = (struct sockaddr_in6 *)
7044 res->ai_addr;
7045 tmp = gen_host6(cstate, &sin6->sin6_addr,
7046 &mask128, tproto6, dir, q.addr);
7047 break;
7048 #endif
7049 default:
7050 continue;
7051 }
7052 if (b)
7053 gen_or(b, tmp);
7054 b = tmp;
7055 }
7056 cstate->ai = NULL;
7057 freeaddrinfo(res0);
7058 if (b == NULL) {
7059 bpf_error(cstate, "unknown host '%s'%s", name,
7060 (proto == Q_DEFAULT)
7061 ? ""
7062 : " for specified address family");
7063 }
7064 return b;
7065 }
7066
7067 case Q_PORT:
7068 (void)port_pq_to_ipproto(cstate, proto, "port"); // validate only
7069 if (pcap_nametoport(name, &port, &real_proto) == 0)
7070 bpf_error(cstate, "unknown port '%s'", name);
7071 if (proto == Q_UDP) {
7072 if (real_proto == IPPROTO_TCP)
7073 bpf_error(cstate, "port '%s' is tcp", name);
7074 else if (real_proto == IPPROTO_SCTP)
7075 bpf_error(cstate, "port '%s' is sctp", name);
7076 else
7077 /* override PROTO_UNDEF */
7078 real_proto = IPPROTO_UDP;
7079 }
7080 if (proto == Q_TCP) {
7081 if (real_proto == IPPROTO_UDP)
7082 bpf_error(cstate, "port '%s' is udp", name);
7083
7084 else if (real_proto == IPPROTO_SCTP)
7085 bpf_error(cstate, "port '%s' is sctp", name);
7086 else
7087 /* override PROTO_UNDEF */
7088 real_proto = IPPROTO_TCP;
7089 }
7090 if (proto == Q_SCTP) {
7091 if (real_proto == IPPROTO_UDP)
7092 bpf_error(cstate, "port '%s' is udp", name);
7093
7094 else if (real_proto == IPPROTO_TCP)
7095 bpf_error(cstate, "port '%s' is tcp", name);
7096 else
7097 /* override PROTO_UNDEF */
7098 real_proto = IPPROTO_SCTP;
7099 }
7100 if (port < 0)
7101 bpf_error(cstate, "illegal port number %d < 0", port);
7102 if (port > 65535)
7103 bpf_error(cstate, "illegal port number %d > 65535", port);
7104 b = gen_port(cstate, port, real_proto, dir);
7105 gen_or(gen_port6(cstate, port, real_proto, dir), b);
7106 return b;
7107
7108 case Q_PORTRANGE:
7109 (void)port_pq_to_ipproto(cstate, proto, "portrange"); // validate only
7110 stringtoportrange(cstate, name, &port1, &port2, &real_proto);
7111 if (proto == Q_UDP) {
7112 if (real_proto == IPPROTO_TCP)
7113 bpf_error(cstate, "port in range '%s' is tcp", name);
7114 else if (real_proto == IPPROTO_SCTP)
7115 bpf_error(cstate, "port in range '%s' is sctp", name);
7116 else
7117 /* override PROTO_UNDEF */
7118 real_proto = IPPROTO_UDP;
7119 }
7120 if (proto == Q_TCP) {
7121 if (real_proto == IPPROTO_UDP)
7122 bpf_error(cstate, "port in range '%s' is udp", name);
7123 else if (real_proto == IPPROTO_SCTP)
7124 bpf_error(cstate, "port in range '%s' is sctp", name);
7125 else
7126 /* override PROTO_UNDEF */
7127 real_proto = IPPROTO_TCP;
7128 }
7129 if (proto == Q_SCTP) {
7130 if (real_proto == IPPROTO_UDP)
7131 bpf_error(cstate, "port in range '%s' is udp", name);
7132 else if (real_proto == IPPROTO_TCP)
7133 bpf_error(cstate, "port in range '%s' is tcp", name);
7134 else
7135 /* override PROTO_UNDEF */
7136 real_proto = IPPROTO_SCTP;
7137 }
7138 if (port1 > 65535)
7139 bpf_error(cstate, "illegal port number %d > 65535", port1);
7140 if (port2 > 65535)
7141 bpf_error(cstate, "illegal port number %d > 65535", port2);
7142
7143 b = gen_portrange(cstate, port1, port2, real_proto, dir);
7144 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b);
7145 return b;
7146
7147 case Q_GATEWAY:
7148 #ifndef INET6
7149 eaddr = pcap_ether_hostton(name);
7150 if (eaddr == NULL)
7151 bpf_error(cstate, "unknown ether host: %s", name);
7152
7153 res = pcap_nametoaddrinfo(name);
7154 cstate->ai = res;
7155 if (res == NULL)
7156 bpf_error(cstate, "unknown host '%s'", name);
7157 b = gen_gateway(cstate, eaddr, res, proto);
7158 cstate->ai = NULL;
7159 freeaddrinfo(res);
7160 free(eaddr);
7161 if (b == NULL)
7162 bpf_error(cstate, "unknown host '%s'", name);
7163 return b;
7164 #else
7165 bpf_error(cstate, "'gateway' not supported in this configuration");
7166 #endif /*INET6*/
7167
7168 case Q_PROTO:
7169 real_proto = lookup_proto(cstate, name, proto);
7170 if (real_proto >= 0)
7171 return gen_proto(cstate, real_proto, proto);
7172 else
7173 bpf_error(cstate, "unknown protocol: %s", name);
7174
7175 #if !defined(NO_PROTOCHAIN)
7176 case Q_PROTOCHAIN:
7177 real_proto = lookup_proto(cstate, name, proto);
7178 if (real_proto >= 0)
7179 return gen_protochain(cstate, real_proto, proto);
7180 else
7181 bpf_error(cstate, "unknown protocol: %s", name);
7182 #endif /* !defined(NO_PROTOCHAIN) */
7183
7184 case Q_UNDEF:
7185 syntax(cstate);
7186 /*NOTREACHED*/
7187 }
7188 abort();
7189 /*NOTREACHED*/
7190 }
7191
7192 struct block *
7193 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
7194 bpf_u_int32 masklen, struct qual q)
7195 {
7196 register int nlen, mlen;
7197 bpf_u_int32 n, m;
7198 uint64_t m64;
7199
7200 /*
7201 * Catch errors reported by us and routines below us, and return NULL
7202 * on an error.
7203 */
7204 if (setjmp(cstate->top_ctx))
7205 return (NULL);
7206
7207 nlen = pcapint_atoin(s1, &n);
7208 if (nlen < 0)
7209 bpf_error(cstate, "invalid IPv4 address '%s'", s1);
7210 /* Promote short ipaddr */
7211 n <<= 32 - nlen;
7212
7213 if (s2 != NULL) {
7214 mlen = pcapint_atoin(s2, &m);
7215 if (mlen < 0)
7216 bpf_error(cstate, "invalid IPv4 address '%s'", s2);
7217 /* Promote short ipaddr */
7218 m <<= 32 - mlen;
7219 if ((n & ~m) != 0)
7220 bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
7221 s1, s2);
7222 } else {
7223 /* Convert mask len to mask */
7224 if (masklen > 32)
7225 bpf_error(cstate, "mask length must be <= 32");
7226 m64 = UINT64_C(0xffffffff) << (32 - masklen);
7227 m = (bpf_u_int32)m64;
7228 if ((n & ~m) != 0)
7229 bpf_error(cstate, "non-network bits set in \"%s/%d\"",
7230 s1, masklen);
7231 }
7232
7233 switch (q.addr) {
7234
7235 case Q_NET:
7236 return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
7237
7238 default:
7239 // Q_HOST and Q_GATEWAY only (see the grammar)
7240 bpf_error(cstate, "Mask syntax for networks only");
7241 /*NOTREACHED*/
7242 }
7243 /*NOTREACHED*/
7244 }
7245
7246 struct block *
7247 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
7248 {
7249 bpf_u_int32 mask;
7250 int proto;
7251 int dir;
7252 register int vlen;
7253
7254 /*
7255 * Catch errors reported by us and routines below us, and return NULL
7256 * on an error.
7257 */
7258 if (setjmp(cstate->top_ctx))
7259 return (NULL);
7260
7261 proto = q.proto;
7262 dir = q.dir;
7263 if (s == NULL) {
7264 /*
7265 * v contains a 32-bit unsigned parsed from a string of the
7266 * form {N}, which could be decimal, hexadecimal or octal.
7267 * Although it would be possible to use the value as a raw
7268 * 16-bit DECnet address when the value fits into 16 bits, this
7269 * would be a questionable feature: DECnet address wire
7270 * encoding is little-endian, so this would not work as
7271 * intuitively as the same works for [big-endian] IPv4
7272 * addresses (0x01020304 means 1.2.3.4).
7273 */
7274 if (proto == Q_DECNET)
7275 bpf_error(cstate, "invalid DECnet address '%u'", v);
7276 vlen = 32;
7277 } else if (proto == Q_DECNET) {
7278 /*
7279 * s points to a string of the form {N}.{N}, {N}.{N}.{N} or
7280 * {N}.{N}.{N}.{N}, of which only the first potentially stands
7281 * for a valid DECnet address.
7282 */
7283 vlen = pcapint_atodn(s, &v);
7284 if (vlen == 0)
7285 bpf_error(cstate, "invalid DECnet address '%s'", s);
7286 } else {
7287 /*
7288 * s points to a string of the form {N}.{N}, {N}.{N}.{N} or
7289 * {N}.{N}.{N}.{N}, all of which potentially stand for a valid
7290 * IPv4 address.
7291 */
7292 vlen = pcapint_atoin(s, &v);
7293 if (vlen < 0)
7294 bpf_error(cstate, "invalid IPv4 address '%s'", s);
7295 }
7296
7297 switch (q.addr) {
7298
7299 case Q_DEFAULT:
7300 case Q_HOST:
7301 case Q_NET:
7302 if (proto == Q_DECNET)
7303 return gen_host(cstate, v, 0, proto, dir, q.addr);
7304 else if (proto == Q_LINK) {
7305 // "link (host|net) IPV4ADDR" and variations thereof
7306 bpf_error(cstate, "illegal link layer address");
7307 } else {
7308 mask = 0xffffffff;
7309 if (s == NULL && q.addr == Q_NET) {
7310 /* Promote short net number */
7311 while (v && (v & 0xff000000) == 0) {
7312 v <<= 8;
7313 mask <<= 8;
7314 }
7315 } else {
7316 /* Promote short ipaddr */
7317 v <<= 32 - vlen;
7318 mask <<= 32 - vlen ;
7319 }
7320 return gen_host(cstate, v, mask, proto, dir, q.addr);
7321 }
7322
7323 case Q_PORT:
7324 proto = port_pq_to_ipproto(cstate, proto, "port");
7325
7326 if (v > 65535)
7327 bpf_error(cstate, "illegal port number %u > 65535", v);
7328
7329 {
7330 struct block *b;
7331 b = gen_port(cstate, v, proto, dir);
7332 gen_or(gen_port6(cstate, v, proto, dir), b);
7333 return b;
7334 }
7335
7336 case Q_PORTRANGE:
7337 proto = port_pq_to_ipproto(cstate, proto, "portrange");
7338
7339 if (v > 65535)
7340 bpf_error(cstate, "illegal port number %u > 65535", v);
7341
7342 {
7343 struct block *b;
7344 b = gen_portrange(cstate, v, v, proto, dir);
7345 gen_or(gen_portrange6(cstate, v, v, proto, dir), b);
7346 return b;
7347 }
7348
7349 case Q_GATEWAY:
7350 bpf_error(cstate, "'gateway' requires a name");
7351 /*NOTREACHED*/
7352
7353 case Q_PROTO:
7354 return gen_proto(cstate, v, proto);
7355
7356 #if !defined(NO_PROTOCHAIN)
7357 case Q_PROTOCHAIN:
7358 return gen_protochain(cstate, v, proto);
7359 #endif
7360
7361 case Q_UNDEF:
7362 syntax(cstate);
7363 /*NOTREACHED*/
7364
7365 default:
7366 abort();
7367 /*NOTREACHED*/
7368 }
7369 /*NOTREACHED*/
7370 }
7371
7372 #ifdef INET6
7373 struct block *
7374 gen_mcode6(compiler_state_t *cstate, const char *s, bpf_u_int32 masklen,
7375 struct qual q)
7376 {
7377 struct addrinfo *res;
7378 struct in6_addr *addr;
7379 struct in6_addr mask;
7380 struct block *b;
7381 bpf_u_int32 a[4], m[4]; /* Same as in gen_hostop6(). */
7382
7383 /*
7384 * Catch errors reported by us and routines below us, and return NULL
7385 * on an error.
7386 */
7387 if (setjmp(cstate->top_ctx))
7388 return (NULL);
7389
7390 res = pcap_nametoaddrinfo(s);
7391 if (!res)
7392 bpf_error(cstate, "invalid ip6 address %s", s);
7393 cstate->ai = res;
7394 if (res->ai_next)
7395 bpf_error(cstate, "%s resolved to multiple address", s);
7396 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
7397
7398 if (masklen > sizeof(mask.s6_addr) * 8)
7399 bpf_error(cstate, "mask length must be <= %zu", sizeof(mask.s6_addr) * 8);
7400 memset(&mask, 0, sizeof(mask));
7401 memset(&mask.s6_addr, 0xff, masklen / 8);
7402 if (masklen % 8) {
7403 mask.s6_addr[masklen / 8] =
7404 (0xff << (8 - masklen % 8)) & 0xff;
7405 }
7406
7407 memcpy(a, addr, sizeof(a));
7408 memcpy(m, &mask, sizeof(m));
7409 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
7410 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
7411 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s, masklen);
7412 }
7413
7414 switch (q.addr) {
7415
7416 case Q_DEFAULT:
7417 case Q_HOST:
7418 if (masklen != 128)
7419 bpf_error(cstate, "Mask syntax for networks only");
7420 /* FALLTHROUGH */
7421
7422 case Q_NET:
7423 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr);
7424 cstate->ai = NULL;
7425 freeaddrinfo(res);
7426 return b;
7427
7428 default:
7429 // Q_GATEWAY only (see the grammar)
7430 bpf_error(cstate, "invalid qualifier against IPv6 address");
7431 /*NOTREACHED*/
7432 }
7433 }
7434 #endif /*INET6*/
7435
7436 struct block *
7437 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q)
7438 {
7439 struct block *b, *tmp;
7440
7441 /*
7442 * Catch errors reported by us and routines below us, and return NULL
7443 * on an error.
7444 */
7445 if (setjmp(cstate->top_ctx))
7446 return (NULL);
7447
7448 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
7449 cstate->e = pcap_ether_aton(s);
7450 if (cstate->e == NULL)
7451 bpf_error(cstate, "malloc");
7452 switch (cstate->linktype) {
7453 case DLT_EN10MB:
7454 case DLT_NETANALYZER:
7455 case DLT_NETANALYZER_TRANSPARENT:
7456 tmp = gen_prevlinkhdr_check(cstate);
7457 b = gen_ehostop(cstate, cstate->e, (int)q.dir);
7458 if (tmp != NULL)
7459 gen_and(tmp, b);
7460 break;
7461 case DLT_FDDI:
7462 b = gen_fhostop(cstate, cstate->e, (int)q.dir);
7463 break;
7464 case DLT_IEEE802:
7465 b = gen_thostop(cstate, cstate->e, (int)q.dir);
7466 break;
7467 case DLT_IEEE802_11:
7468 case DLT_PRISM_HEADER:
7469 case DLT_IEEE802_11_RADIO_AVS:
7470 case DLT_IEEE802_11_RADIO:
7471 case DLT_PPI:
7472 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir);
7473 break;
7474 case DLT_IP_OVER_FC:
7475 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir);
7476 break;
7477 default:
7478 free(cstate->e);
7479 cstate->e = NULL;
7480 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
7481 /*NOTREACHED*/
7482 }
7483 free(cstate->e);
7484 cstate->e = NULL;
7485 return (b);
7486 }
7487 bpf_error(cstate, "ethernet address used in non-ether expression");
7488 /*NOTREACHED*/
7489 }
7490
7491 void
7492 sappend(struct slist *s0, struct slist *s1)
7493 {
7494 /*
7495 * This is definitely not the best way to do this, but the
7496 * lists will rarely get long.
7497 */
7498 while (s0->next)
7499 s0 = s0->next;
7500 s0->next = s1;
7501 }
7502
7503 static struct slist *
7504 xfer_to_x(compiler_state_t *cstate, struct arth *a)
7505 {
7506 struct slist *s;
7507
7508 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
7509 s->s.k = a->regno;
7510 return s;
7511 }
7512
7513 static struct slist *
7514 xfer_to_a(compiler_state_t *cstate, struct arth *a)
7515 {
7516 struct slist *s;
7517
7518 s = new_stmt(cstate, BPF_LD|BPF_MEM);
7519 s->s.k = a->regno;
7520 return s;
7521 }
7522
7523 /*
7524 * Modify "index" to use the value stored into its register as an
7525 * offset relative to the beginning of the header for the protocol
7526 * "proto", and allocate a register and put an item "size" bytes long
7527 * (1, 2, or 4) at that offset into that register, making it the register
7528 * for "index".
7529 */
7530 static struct arth *
7531 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst,
7532 bpf_u_int32 size)
7533 {
7534 int size_code;
7535 struct slist *s, *tmp;
7536 struct block *b;
7537 int regno = alloc_reg(cstate);
7538
7539 free_reg(cstate, inst->regno);
7540 switch (size) {
7541
7542 default:
7543 bpf_error(cstate, "data size must be 1, 2, or 4");
7544 /*NOTREACHED*/
7545
7546 case 1:
7547 size_code = BPF_B;
7548 break;
7549
7550 case 2:
7551 size_code = BPF_H;
7552 break;
7553
7554 case 4:
7555 size_code = BPF_W;
7556 break;
7557 }
7558 switch (proto) {
7559 default:
7560 bpf_error(cstate, "'%s' does not support the index operation", pqkw(proto));
7561
7562 case Q_RADIO:
7563 /*
7564 * The offset is relative to the beginning of the packet
7565 * data, if we have a radio header. (If we don't, this
7566 * is an error.)
7567 */
7568 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS &&
7569 cstate->linktype != DLT_IEEE802_11_RADIO &&
7570 cstate->linktype != DLT_PRISM_HEADER)
7571 bpf_error(cstate, "radio information not present in capture");
7572
7573 /*
7574 * Load into the X register the offset computed into the
7575 * register specified by "index".
7576 */
7577 s = xfer_to_x(cstate, inst);
7578
7579 /*
7580 * Load the item at that offset.
7581 */
7582 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7583 sappend(s, tmp);
7584 sappend(inst->s, s);
7585 break;
7586
7587 case Q_LINK:
7588 /*
7589 * The offset is relative to the beginning of
7590 * the link-layer header.
7591 *
7592 * XXX - what about ATM LANE? Should the index be
7593 * relative to the beginning of the AAL5 frame, so
7594 * that 0 refers to the beginning of the LE Control
7595 * field, or relative to the beginning of the LAN
7596 * frame, so that 0 refers, for Ethernet LANE, to
7597 * the beginning of the destination address?
7598 */
7599 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr);
7600
7601 /*
7602 * If "s" is non-null, it has code to arrange that the
7603 * X register contains the length of the prefix preceding
7604 * the link-layer header. Add to it the offset computed
7605 * into the register specified by "index", and move that
7606 * into the X register. Otherwise, just load into the X
7607 * register the offset computed into the register specified
7608 * by "index".
7609 */
7610 if (s != NULL) {
7611 sappend(s, xfer_to_a(cstate, inst));
7612 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7613 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7614 } else
7615 s = xfer_to_x(cstate, inst);
7616
7617 /*
7618 * Load the item at the sum of the offset we've put in the
7619 * X register and the offset of the start of the link
7620 * layer header (which is 0 if the radio header is
7621 * variable-length; that header length is what we put
7622 * into the X register and then added to the index).
7623 */
7624 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7625 tmp->s.k = cstate->off_linkhdr.constant_part;
7626 sappend(s, tmp);
7627 sappend(inst->s, s);
7628 break;
7629
7630 case Q_IP:
7631 case Q_ARP:
7632 case Q_RARP:
7633 case Q_ATALK:
7634 case Q_DECNET:
7635 case Q_SCA:
7636 case Q_LAT:
7637 case Q_MOPRC:
7638 case Q_MOPDL:
7639 case Q_IPV6:
7640 /*
7641 * The offset is relative to the beginning of
7642 * the network-layer header.
7643 * XXX - are there any cases where we want
7644 * cstate->off_nl_nosnap?
7645 */
7646 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7647
7648 /*
7649 * If "s" is non-null, it has code to arrange that the
7650 * X register contains the variable part of the offset
7651 * of the link-layer payload. Add to it the offset
7652 * computed into the register specified by "index",
7653 * and move that into the X register. Otherwise, just
7654 * load into the X register the offset computed into
7655 * the register specified by "index".
7656 */
7657 if (s != NULL) {
7658 sappend(s, xfer_to_a(cstate, inst));
7659 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7660 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7661 } else
7662 s = xfer_to_x(cstate, inst);
7663
7664 /*
7665 * Load the item at the sum of the offset we've put in the
7666 * X register, the offset of the start of the network
7667 * layer header from the beginning of the link-layer
7668 * payload, and the constant part of the offset of the
7669 * start of the link-layer payload.
7670 */
7671 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7672 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7673 sappend(s, tmp);
7674 sappend(inst->s, s);
7675
7676 /*
7677 * Do the computation only if the packet contains
7678 * the protocol in question.
7679 */
7680 b = gen_proto_abbrev_internal(cstate, proto);
7681 if (inst->b)
7682 gen_and(inst->b, b);
7683 inst->b = b;
7684 break;
7685
7686 case Q_SCTP:
7687 case Q_TCP:
7688 case Q_UDP:
7689 case Q_ICMP:
7690 case Q_IGMP:
7691 case Q_IGRP:
7692 case Q_PIM:
7693 case Q_VRRP:
7694 case Q_CARP:
7695 /*
7696 * The offset is relative to the beginning of
7697 * the transport-layer header.
7698 *
7699 * Load the X register with the length of the IPv4 header
7700 * (plus the offset of the link-layer header, if it's
7701 * a variable-length header), in bytes.
7702 *
7703 * XXX - are there any cases where we want
7704 * cstate->off_nl_nosnap?
7705 * XXX - we should, if we're built with
7706 * IPv6 support, generate code to load either
7707 * IPv4, IPv6, or both, as appropriate.
7708 */
7709 s = gen_loadx_iphdrlen(cstate);
7710
7711 /*
7712 * The X register now contains the sum of the variable
7713 * part of the offset of the link-layer payload and the
7714 * length of the network-layer header.
7715 *
7716 * Load into the A register the offset relative to
7717 * the beginning of the transport layer header,
7718 * add the X register to that, move that to the
7719 * X register, and load with an offset from the
7720 * X register equal to the sum of the constant part of
7721 * the offset of the link-layer payload and the offset,
7722 * relative to the beginning of the link-layer payload,
7723 * of the network-layer header.
7724 */
7725 sappend(s, xfer_to_a(cstate, inst));
7726 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7727 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7728 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code));
7729 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7730 sappend(inst->s, s);
7731
7732 /*
7733 * Do the computation only if the packet contains
7734 * the protocol in question - which is true only
7735 * if this is an IP datagram and is the first or
7736 * only fragment of that datagram.
7737 */
7738 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate));
7739 if (inst->b)
7740 gen_and(inst->b, b);
7741 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b);
7742 inst->b = b;
7743 break;
7744 case Q_ICMPV6:
7745 /*
7746 * Do the computation only if the packet contains
7747 * the protocol in question.
7748 */
7749 b = gen_proto_abbrev_internal(cstate, Q_IPV6);
7750 if (inst->b)
7751 gen_and(inst->b, b);
7752 inst->b = b;
7753
7754 /*
7755 * Check if we have an icmp6 next header
7756 */
7757 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58);
7758 if (inst->b)
7759 gen_and(inst->b, b);
7760 inst->b = b;
7761
7762 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7763 /*
7764 * If "s" is non-null, it has code to arrange that the
7765 * X register contains the variable part of the offset
7766 * of the link-layer payload. Add to it the offset
7767 * computed into the register specified by "index",
7768 * and move that into the X register. Otherwise, just
7769 * load into the X register the offset computed into
7770 * the register specified by "index".
7771 */
7772 if (s != NULL) {
7773 sappend(s, xfer_to_a(cstate, inst));
7774 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7775 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7776 } else
7777 s = xfer_to_x(cstate, inst);
7778
7779 /*
7780 * Load the item at the sum of the offset we've put in the
7781 * X register, the offset of the start of the network
7782 * layer header from the beginning of the link-layer
7783 * payload, and the constant part of the offset of the
7784 * start of the link-layer payload.
7785 */
7786 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7787 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40;
7788
7789 sappend(s, tmp);
7790 sappend(inst->s, s);
7791
7792 break;
7793 }
7794 inst->regno = regno;
7795 s = new_stmt(cstate, BPF_ST);
7796 s->s.k = regno;
7797 sappend(inst->s, s);
7798
7799 return inst;
7800 }
7801
7802 struct arth *
7803 gen_load(compiler_state_t *cstate, int proto, struct arth *inst,
7804 bpf_u_int32 size)
7805 {
7806 /*
7807 * Catch errors reported by us and routines below us, and return NULL
7808 * on an error.
7809 */
7810 if (setjmp(cstate->top_ctx))
7811 return (NULL);
7812
7813 return gen_load_internal(cstate, proto, inst, size);
7814 }
7815
7816 static struct block *
7817 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0,
7818 struct arth *a1, int reversed)
7819 {
7820 struct slist *s0, *s1, *s2;
7821 struct block *b, *tmp;
7822
7823 s0 = xfer_to_x(cstate, a1);
7824 s1 = xfer_to_a(cstate, a0);
7825 if (code == BPF_JEQ) {
7826 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X);
7827 b = new_block(cstate, JMP(code));
7828 sappend(s1, s2);
7829 }
7830 else
7831 b = new_block(cstate, BPF_JMP|code|BPF_X);
7832 if (reversed)
7833 gen_not(b);
7834
7835 sappend(s0, s1);
7836 sappend(a1->s, s0);
7837 sappend(a0->s, a1->s);
7838
7839 b->stmts = a0->s;
7840
7841 free_reg(cstate, a0->regno);
7842 free_reg(cstate, a1->regno);
7843
7844 /* 'and' together protocol checks */
7845 if (a0->b) {
7846 if (a1->b) {
7847 gen_and(a0->b, tmp = a1->b);
7848 }
7849 else
7850 tmp = a0->b;
7851 } else
7852 tmp = a1->b;
7853
7854 if (tmp)
7855 gen_and(tmp, b);
7856
7857 return b;
7858 }
7859
7860 struct block *
7861 gen_relation(compiler_state_t *cstate, int code, struct arth *a0,
7862 struct arth *a1, int reversed)
7863 {
7864 /*
7865 * Catch errors reported by us and routines below us, and return NULL
7866 * on an error.
7867 */
7868 if (setjmp(cstate->top_ctx))
7869 return (NULL);
7870
7871 return gen_relation_internal(cstate, code, a0, a1, reversed);
7872 }
7873
7874 struct arth *
7875 gen_loadlen(compiler_state_t *cstate)
7876 {
7877 int regno;
7878 struct arth *a;
7879 struct slist *s;
7880
7881 /*
7882 * Catch errors reported by us and routines below us, and return NULL
7883 * on an error.
7884 */
7885 if (setjmp(cstate->top_ctx))
7886 return (NULL);
7887
7888 regno = alloc_reg(cstate);
7889 a = (struct arth *)newchunk(cstate, sizeof(*a));
7890 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7891 s->next = new_stmt(cstate, BPF_ST);
7892 s->next->s.k = regno;
7893 a->s = s;
7894 a->regno = regno;
7895
7896 return a;
7897 }
7898
7899 static struct arth *
7900 gen_loadi_internal(compiler_state_t *cstate, bpf_u_int32 val)
7901 {
7902 struct arth *a;
7903 struct slist *s;
7904 int reg;
7905
7906 a = (struct arth *)newchunk(cstate, sizeof(*a));
7907
7908 reg = alloc_reg(cstate);
7909
7910 s = new_stmt(cstate, BPF_LD|BPF_IMM);
7911 s->s.k = val;
7912 s->next = new_stmt(cstate, BPF_ST);
7913 s->next->s.k = reg;
7914 a->s = s;
7915 a->regno = reg;
7916
7917 return a;
7918 }
7919
7920 struct arth *
7921 gen_loadi(compiler_state_t *cstate, bpf_u_int32 val)
7922 {
7923 /*
7924 * Catch errors reported by us and routines below us, and return NULL
7925 * on an error.
7926 */
7927 if (setjmp(cstate->top_ctx))
7928 return (NULL);
7929
7930 return gen_loadi_internal(cstate, val);
7931 }
7932
7933 /*
7934 * The a_arg dance is to avoid annoying whining by compilers that
7935 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7936 * It's not *used* after setjmp returns.
7937 */
7938 struct arth *
7939 gen_neg(compiler_state_t *cstate, struct arth *a_arg)
7940 {
7941 struct arth *a = a_arg;
7942 struct slist *s;
7943
7944 /*
7945 * Catch errors reported by us and routines below us, and return NULL
7946 * on an error.
7947 */
7948 if (setjmp(cstate->top_ctx))
7949 return (NULL);
7950
7951 s = xfer_to_a(cstate, a);
7952 sappend(a->s, s);
7953 s = new_stmt(cstate, BPF_ALU|BPF_NEG);
7954 s->s.k = 0;
7955 sappend(a->s, s);
7956 s = new_stmt(cstate, BPF_ST);
7957 s->s.k = a->regno;
7958 sappend(a->s, s);
7959
7960 return a;
7961 }
7962
7963 /*
7964 * The a0_arg dance is to avoid annoying whining by compilers that
7965 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7966 * It's not *used* after setjmp returns.
7967 */
7968 struct arth *
7969 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg,
7970 struct arth *a1)
7971 {
7972 struct arth *a0 = a0_arg;
7973 struct slist *s0, *s1, *s2;
7974
7975 /*
7976 * Catch errors reported by us and routines below us, and return NULL
7977 * on an error.
7978 */
7979 if (setjmp(cstate->top_ctx))
7980 return (NULL);
7981
7982 /*
7983 * Disallow division by, or modulus by, zero; we do this here
7984 * so that it gets done even if the optimizer is disabled.
7985 *
7986 * Also disallow shifts by a value greater than 31; we do this
7987 * here, for the same reason.
7988 */
7989 if (code == BPF_DIV) {
7990 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7991 bpf_error(cstate, "division by zero");
7992 } else if (code == BPF_MOD) {
7993 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7994 bpf_error(cstate, "modulus by zero");
7995 } else if (code == BPF_LSH || code == BPF_RSH) {
7996 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k > 31)
7997 bpf_error(cstate, "shift by more than 31 bits");
7998 }
7999 s0 = xfer_to_x(cstate, a1);
8000 s1 = xfer_to_a(cstate, a0);
8001 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code);
8002
8003 sappend(s1, s2);
8004 sappend(s0, s1);
8005 sappend(a1->s, s0);
8006 sappend(a0->s, a1->s);
8007
8008 free_reg(cstate, a0->regno);
8009 free_reg(cstate, a1->regno);
8010
8011 s0 = new_stmt(cstate, BPF_ST);
8012 a0->regno = s0->s.k = alloc_reg(cstate);
8013 sappend(a0->s, s0);
8014
8015 return a0;
8016 }
8017
8018 /*
8019 * Initialize the table of used registers and the current register.
8020 */
8021 static void
8022 init_regs(compiler_state_t *cstate)
8023 {
8024 cstate->curreg = 0;
8025 memset(cstate->regused, 0, sizeof cstate->regused);
8026 }
8027
8028 /*
8029 * Return the next free register.
8030 */
8031 static int
8032 alloc_reg(compiler_state_t *cstate)
8033 {
8034 int n = BPF_MEMWORDS;
8035
8036 while (--n >= 0) {
8037 if (cstate->regused[cstate->curreg])
8038 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS;
8039 else {
8040 cstate->regused[cstate->curreg] = 1;
8041 return cstate->curreg;
8042 }
8043 }
8044 bpf_error(cstate, "too many registers needed to evaluate expression");
8045 /*NOTREACHED*/
8046 }
8047
8048 /*
8049 * Return a register to the table so it can
8050 * be used later.
8051 */
8052 static void
8053 free_reg(compiler_state_t *cstate, int n)
8054 {
8055 cstate->regused[n] = 0;
8056 }
8057
8058 static struct block *
8059 gen_len(compiler_state_t *cstate, int jmp, int n)
8060 {
8061 struct slist *s;
8062
8063 s = new_stmt(cstate, BPF_LD|BPF_LEN);
8064 return gen_jmp(cstate, jmp, n, s);
8065 }
8066
8067 struct block *
8068 gen_greater(compiler_state_t *cstate, int n)
8069 {
8070 /*
8071 * Catch errors reported by us and routines below us, and return NULL
8072 * on an error.
8073 */
8074 if (setjmp(cstate->top_ctx))
8075 return (NULL);
8076
8077 return gen_len(cstate, BPF_JGE, n);
8078 }
8079
8080 /*
8081 * Actually, this is less than or equal.
8082 */
8083 struct block *
8084 gen_less(compiler_state_t *cstate, int n)
8085 {
8086 struct block *b;
8087
8088 /*
8089 * Catch errors reported by us and routines below us, and return NULL
8090 * on an error.
8091 */
8092 if (setjmp(cstate->top_ctx))
8093 return (NULL);
8094
8095 b = gen_len(cstate, BPF_JGT, n);
8096 gen_not(b);
8097
8098 return b;
8099 }
8100
8101 /*
8102 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
8103 * the beginning of the link-layer header.
8104 * XXX - that means you can't test values in the radiotap header, but
8105 * as that header is difficult if not impossible to parse generally
8106 * without a loop, that might not be a severe problem. A new keyword
8107 * "radio" could be added for that, although what you'd really want
8108 * would be a way of testing particular radio header values, which
8109 * would generate code appropriate to the radio header in question.
8110 */
8111 struct block *
8112 gen_byteop(compiler_state_t *cstate, int op, int idx, bpf_u_int32 val)
8113 {
8114 struct block *b;
8115 struct slist *s;
8116
8117 /*
8118 * Catch errors reported by us and routines below us, and return NULL
8119 * on an error.
8120 */
8121 if (setjmp(cstate->top_ctx))
8122 return (NULL);
8123
8124 assert_maxval(cstate, "byte argument", val, UINT8_MAX);
8125
8126 switch (op) {
8127 default:
8128 abort();
8129
8130 case '=':
8131 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8132
8133 case '<':
8134 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8135 return b;
8136
8137 case '>':
8138 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
8139 return b;
8140
8141 case '|':
8142 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K);
8143 break;
8144
8145 case '&':
8146 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
8147 break;
8148 }
8149 s->s.k = val;
8150 // Load the required byte first.
8151 struct slist *s0 = gen_load_a(cstate, OR_LINKHDR, idx, BPF_B);
8152 sappend(s0, s);
8153 b = gen_jmp(cstate, BPF_JEQ, 0, s0);
8154 gen_not(b);
8155
8156 return b;
8157 }
8158
8159 struct block *
8160 gen_broadcast(compiler_state_t *cstate, int proto)
8161 {
8162 bpf_u_int32 hostmask;
8163 struct block *b0, *b1, *b2;
8164 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
8165
8166 /*
8167 * Catch errors reported by us and routines below us, and return NULL
8168 * on an error.
8169 */
8170 if (setjmp(cstate->top_ctx))
8171 return (NULL);
8172
8173 switch (proto) {
8174
8175 case Q_DEFAULT:
8176 case Q_LINK:
8177 switch (cstate->linktype) {
8178 case DLT_ARCNET:
8179 case DLT_ARCNET_LINUX:
8180 // ARCnet broadcast is [8-bit] destination address 0.
8181 return gen_ahostop(cstate, 0, Q_DST);
8182 case DLT_EN10MB:
8183 case DLT_NETANALYZER:
8184 case DLT_NETANALYZER_TRANSPARENT:
8185 b1 = gen_prevlinkhdr_check(cstate);
8186 b0 = gen_ehostop(cstate, ebroadcast, Q_DST);
8187 if (b1 != NULL)
8188 gen_and(b1, b0);
8189 return b0;
8190 case DLT_FDDI:
8191 return gen_fhostop(cstate, ebroadcast, Q_DST);
8192 case DLT_IEEE802:
8193 return gen_thostop(cstate, ebroadcast, Q_DST);
8194 case DLT_IEEE802_11:
8195 case DLT_PRISM_HEADER:
8196 case DLT_IEEE802_11_RADIO_AVS:
8197 case DLT_IEEE802_11_RADIO:
8198 case DLT_PPI:
8199 return gen_wlanhostop(cstate, ebroadcast, Q_DST);
8200 case DLT_IP_OVER_FC:
8201 return gen_ipfchostop(cstate, ebroadcast, Q_DST);
8202 }
8203 fail_kw_on_dlt(cstate, "broadcast");
8204 /*NOTREACHED*/
8205
8206 case Q_IP:
8207 /*
8208 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
8209 * as an indication that we don't know the netmask, and fail
8210 * in that case.
8211 */
8212 if (cstate->netmask == PCAP_NETMASK_UNKNOWN)
8213 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported");
8214 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8215 hostmask = ~cstate->netmask;
8216 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 0, hostmask);
8217 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, hostmask, hostmask);
8218 gen_or(b1, b2);
8219 gen_and(b0, b2);
8220 return b2;
8221 }
8222 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), "broadcast");
8223 /*NOTREACHED*/
8224 }
8225
8226 /*
8227 * Generate code to test the low-order bit of a MAC address (that's
8228 * the bottom bit of the *first* byte).
8229 */
8230 static struct block *
8231 gen_mac_multicast(compiler_state_t *cstate, int offset)
8232 {
8233 register struct slist *s;
8234
8235 /* link[offset] & 1 != 0 */
8236 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B);
8237 return gen_set(cstate, 1, s);
8238 }
8239
8240 struct block *
8241 gen_multicast(compiler_state_t *cstate, int proto)
8242 {
8243 register struct block *b0, *b1, *b2;
8244 register struct slist *s;
8245
8246 /*
8247 * Catch errors reported by us and routines below us, and return NULL
8248 * on an error.
8249 */
8250 if (setjmp(cstate->top_ctx))
8251 return (NULL);
8252
8253 switch (proto) {
8254
8255 case Q_DEFAULT:
8256 case Q_LINK:
8257 switch (cstate->linktype) {
8258 case DLT_ARCNET:
8259 case DLT_ARCNET_LINUX:
8260 // ARCnet multicast is the same as broadcast.
8261 return gen_ahostop(cstate, 0, Q_DST);
8262 case DLT_EN10MB:
8263 case DLT_NETANALYZER:
8264 case DLT_NETANALYZER_TRANSPARENT:
8265 b1 = gen_prevlinkhdr_check(cstate);
8266 /* ether[0] & 1 != 0 */
8267 b0 = gen_mac_multicast(cstate, 0);
8268 if (b1 != NULL)
8269 gen_and(b1, b0);
8270 return b0;
8271 case DLT_FDDI:
8272 /*
8273 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
8274 *
8275 * XXX - was that referring to bit-order issues?
8276 */
8277 /* fddi[1] & 1 != 0 */
8278 return gen_mac_multicast(cstate, 1);
8279 case DLT_IEEE802:
8280 /* tr[2] & 1 != 0 */
8281 return gen_mac_multicast(cstate, 2);
8282 case DLT_IEEE802_11:
8283 case DLT_PRISM_HEADER:
8284 case DLT_IEEE802_11_RADIO_AVS:
8285 case DLT_IEEE802_11_RADIO:
8286 case DLT_PPI:
8287 /*
8288 * Oh, yuk.
8289 *
8290 * For control frames, there is no DA.
8291 *
8292 * For management frames, DA is at an
8293 * offset of 4 from the beginning of
8294 * the packet.
8295 *
8296 * For data frames, DA is at an offset
8297 * of 4 from the beginning of the packet
8298 * if To DS is clear and at an offset of
8299 * 16 from the beginning of the packet
8300 * if To DS is set.
8301 */
8302
8303 /*
8304 * Generate the tests to be done for data frames.
8305 *
8306 * First, check for To DS set, i.e. "link[1] & 0x01".
8307 */
8308 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8309 b1 = gen_set(cstate, IEEE80211_FC1_DIR_TODS, s);
8310
8311 /*
8312 * If To DS is set, the DA is at 16.
8313 */
8314 b0 = gen_mac_multicast(cstate, 16);
8315 gen_and(b1, b0);
8316
8317 /*
8318 * Now, check for To DS not set, i.e. check
8319 * "!(link[1] & 0x01)".
8320 */
8321 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8322 b2 = new_block(cstate, JMP(BPF_JSET));
8323 b2->s.k = 0x01; /* To DS */
8324 b2->stmts = s;
8325 gen_not(b2);
8326
8327 /*
8328 * If To DS is not set, the DA is at 4.
8329 */
8330 b1 = gen_mac_multicast(cstate, 4);
8331 gen_and(b2, b1);
8332
8333 /*
8334 * Now OR together the last two checks. That gives
8335 * the complete set of checks for data frames.
8336 */
8337 gen_or(b1, b0);
8338
8339 /*
8340 * Now check for a data frame.
8341 * I.e, check "link[0] & 0x08".
8342 */
8343 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8344 b1 = gen_set(cstate, IEEE80211_FC0_TYPE_DATA, s);
8345
8346 /*
8347 * AND that with the checks done for data frames.
8348 */
8349 gen_and(b1, b0);
8350
8351 /*
8352 * If the high-order bit of the type value is 0, this
8353 * is a management frame.
8354 * I.e, check "!(link[0] & 0x08)".
8355 */
8356 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8357 b2 = new_block(cstate, JMP(BPF_JSET));
8358 b2->s.k = 0x08;
8359 b2->stmts = s;
8360 gen_not(b2);
8361
8362 /*
8363 * For management frames, the DA is at 4.
8364 */
8365 b1 = gen_mac_multicast(cstate, 4);
8366 gen_and(b2, b1);
8367
8368 /*
8369 * OR that with the checks done for data frames.
8370 * That gives the checks done for management and
8371 * data frames.
8372 */
8373 gen_or(b1, b0);
8374
8375 /*
8376 * If the low-order bit of the type value is 1,
8377 * this is either a control frame or a frame
8378 * with a reserved type, and thus not a
8379 * frame with an SA.
8380 *
8381 * I.e., check "!(link[0] & 0x04)".
8382 */
8383 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8384 b1 = new_block(cstate, JMP(BPF_JSET));
8385 b1->s.k = 0x04;
8386 b1->stmts = s;
8387 gen_not(b1);
8388
8389 /*
8390 * AND that with the checks for data and management
8391 * frames.
8392 */
8393 gen_and(b1, b0);
8394 return b0;
8395 case DLT_IP_OVER_FC:
8396 b0 = gen_mac_multicast(cstate, 2);
8397 return b0;
8398 default:
8399 break;
8400 }
8401 fail_kw_on_dlt(cstate, "multicast");
8402 /*NOTREACHED*/
8403
8404 case Q_IP:
8405 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8406 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, 224);
8407 gen_and(b0, b1);
8408 return b1;
8409
8410 case Q_IPV6:
8411 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
8412 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, 255);
8413 gen_and(b0, b1);
8414 return b1;
8415 }
8416 bpf_error(cstate, ERRSTR_INVALID_QUAL, pqkw(proto), "multicast");
8417 /*NOTREACHED*/
8418 }
8419
8420 #ifdef __linux__
8421 /*
8422 * This is Linux; we require PF_PACKET support. If this is a *live* capture,
8423 * we can look at special meta-data in the filter expression; otherwise we
8424 * can't because it is either a savefile (rfile != NULL) or a pcap_t created
8425 * using pcap_open_dead() (rfile == NULL). Thus check for a flag that
8426 * pcap_activate() conditionally sets.
8427 */
8428 static void
8429 require_basic_bpf_extensions(compiler_state_t *cstate, const char *keyword)
8430 {
8431 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_BASIC_HANDLING)
8432 return;
8433 bpf_error(cstate, "%s not supported on %s (not a live capture)",
8434 keyword,
8435 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8436 }
8437 #endif // __linux__
8438
8439 struct block *
8440 gen_ifindex(compiler_state_t *cstate, int ifindex)
8441 {
8442 register struct block *b0;
8443
8444 /*
8445 * Catch errors reported by us and routines below us, and return NULL
8446 * on an error.
8447 */
8448 if (setjmp(cstate->top_ctx))
8449 return (NULL);
8450
8451 /*
8452 * Only some data link types support ifindex qualifiers.
8453 */
8454 switch (cstate->linktype) {
8455 case DLT_LINUX_SLL2:
8456 /* match packets on this interface */
8457 b0 = gen_cmp(cstate, OR_LINKHDR, 4, BPF_W, ifindex);
8458 break;
8459 default:
8460 #if defined(__linux__)
8461 require_basic_bpf_extensions(cstate, "ifindex");
8462 /* match ifindex */
8463 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_IFINDEX, BPF_W,
8464 ifindex);
8465 #else /* defined(__linux__) */
8466 fail_kw_on_dlt(cstate, "ifindex");
8467 /*NOTREACHED*/
8468 #endif /* defined(__linux__) */
8469 }
8470 return (b0);
8471 }
8472
8473 /*
8474 * Filter on inbound (outbound == 0) or outbound (outbound == 1) traffic.
8475 * Outbound traffic is sent by this machine, while inbound traffic is
8476 * sent by a remote machine (and may include packets destined for a
8477 * unicast or multicast link-layer address we are not subscribing to).
8478 * These are the same definitions implemented by pcap_setdirection().
8479 * Capturing only unicast traffic destined for this host is probably
8480 * better accomplished using a higher-layer filter.
8481 */
8482 struct block *
8483 gen_inbound_outbound(compiler_state_t *cstate, const int outbound)
8484 {
8485 register struct block *b0;
8486
8487 /*
8488 * Catch errors reported by us and routines below us, and return NULL
8489 * on an error.
8490 */
8491 if (setjmp(cstate->top_ctx))
8492 return (NULL);
8493
8494 /*
8495 * Only some data link types support inbound/outbound qualifiers.
8496 */
8497 switch (cstate->linktype) {
8498 case DLT_SLIP:
8499 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B,
8500 outbound ? SLIPDIR_OUT : SLIPDIR_IN);
8501 break;
8502
8503 case DLT_IPNET:
8504 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H,
8505 outbound ? IPNET_OUTBOUND : IPNET_INBOUND);
8506 break;
8507
8508 case DLT_LINUX_SLL:
8509 /* match outgoing packets */
8510 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
8511 if (! outbound) {
8512 /* to filter on inbound traffic, invert the match */
8513 gen_not(b0);
8514 }
8515 break;
8516
8517 case DLT_LINUX_SLL2:
8518 /* match outgoing packets */
8519 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING);
8520 if (! outbound) {
8521 /* to filter on inbound traffic, invert the match */
8522 gen_not(b0);
8523 }
8524 break;
8525
8526 case DLT_PFLOG:
8527 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
8528 outbound ? PF_OUT : PF_IN);
8529 break;
8530
8531 case DLT_PPP_PPPD:
8532 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, outbound ? PPP_PPPD_OUT : PPP_PPPD_IN);
8533 break;
8534
8535 case DLT_JUNIPER_MFR:
8536 case DLT_JUNIPER_MLFR:
8537 case DLT_JUNIPER_MLPPP:
8538 case DLT_JUNIPER_ATM1:
8539 case DLT_JUNIPER_ATM2:
8540 case DLT_JUNIPER_PPPOE:
8541 case DLT_JUNIPER_PPPOE_ATM:
8542 case DLT_JUNIPER_GGSN:
8543 case DLT_JUNIPER_ES:
8544 case DLT_JUNIPER_MONITOR:
8545 case DLT_JUNIPER_SERVICES:
8546 case DLT_JUNIPER_ETHER:
8547 case DLT_JUNIPER_PPP:
8548 case DLT_JUNIPER_FRELAY:
8549 case DLT_JUNIPER_CHDLC:
8550 case DLT_JUNIPER_VP:
8551 case DLT_JUNIPER_ST:
8552 case DLT_JUNIPER_ISM:
8553 case DLT_JUNIPER_VS:
8554 case DLT_JUNIPER_SRX_E2E:
8555 case DLT_JUNIPER_FIBRECHANNEL:
8556 case DLT_JUNIPER_ATM_CEMIC:
8557 /* juniper flags (including direction) are stored
8558 * the byte after the 3-byte magic number */
8559 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, outbound ? 0 : 1, 0x01);
8560 break;
8561
8562 default:
8563 /*
8564 * If we have packet meta-data indicating a direction,
8565 * and that metadata can be checked by BPF code, check
8566 * it. Otherwise, give up, as this link-layer type has
8567 * nothing in the packet data.
8568 *
8569 * Currently, the only platform where a BPF filter can
8570 * check that metadata is Linux with the in-kernel
8571 * BPF interpreter. If other packet capture mechanisms
8572 * and BPF filters also supported this, it would be
8573 * nice. It would be even better if they made that
8574 * metadata available so that we could provide it
8575 * with newer capture APIs, allowing it to be saved
8576 * in pcapng files.
8577 */
8578 #if defined(__linux__)
8579 require_basic_bpf_extensions(cstate, outbound ? "outbound" : "inbound");
8580 /* match outgoing packets */
8581 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
8582 PACKET_OUTGOING);
8583 if (! outbound) {
8584 /* to filter on inbound traffic, invert the match */
8585 gen_not(b0);
8586 }
8587 #else /* defined(__linux__) */
8588 fail_kw_on_dlt(cstate, outbound ? "outbound" : "inbound");
8589 /*NOTREACHED*/
8590 #endif /* defined(__linux__) */
8591 }
8592 return (b0);
8593 }
8594
8595 /* PF firewall log matched interface */
8596 struct block *
8597 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
8598 {
8599 struct block *b0;
8600 u_int len, off;
8601
8602 /*
8603 * Catch errors reported by us and routines below us, and return NULL
8604 * on an error.
8605 */
8606 if (setjmp(cstate->top_ctx))
8607 return (NULL);
8608
8609 assert_pflog(cstate, "ifname");
8610
8611 len = sizeof(((struct pfloghdr *)0)->ifname);
8612 off = offsetof(struct pfloghdr, ifname);
8613 if (strlen(ifname) >= len) {
8614 bpf_error(cstate, "ifname interface names can only be %d characters",
8615 len-1);
8616 /*NOTREACHED*/
8617 }
8618 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname),
8619 (const u_char *)ifname);
8620 return (b0);
8621 }
8622
8623 /* PF firewall log ruleset name */
8624 struct block *
8625 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
8626 {
8627 struct block *b0;
8628
8629 /*
8630 * Catch errors reported by us and routines below us, and return NULL
8631 * on an error.
8632 */
8633 if (setjmp(cstate->top_ctx))
8634 return (NULL);
8635
8636 assert_pflog(cstate, "ruleset");
8637
8638 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
8639 bpf_error(cstate, "ruleset names can only be %ld characters",
8640 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
8641 /*NOTREACHED*/
8642 }
8643
8644 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
8645 (u_int)strlen(ruleset), (const u_char *)ruleset);
8646 return (b0);
8647 }
8648
8649 /* PF firewall log rule number */
8650 struct block *
8651 gen_pf_rnr(compiler_state_t *cstate, int rnr)
8652 {
8653 struct block *b0;
8654
8655 /*
8656 * Catch errors reported by us and routines below us, and return NULL
8657 * on an error.
8658 */
8659 if (setjmp(cstate->top_ctx))
8660 return (NULL);
8661
8662 assert_pflog(cstate, "rnr");
8663
8664 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
8665 (bpf_u_int32)rnr);
8666 return (b0);
8667 }
8668
8669 /* PF firewall log sub-rule number */
8670 struct block *
8671 gen_pf_srnr(compiler_state_t *cstate, int srnr)
8672 {
8673 struct block *b0;
8674
8675 /*
8676 * Catch errors reported by us and routines below us, and return NULL
8677 * on an error.
8678 */
8679 if (setjmp(cstate->top_ctx))
8680 return (NULL);
8681
8682 assert_pflog(cstate, "srnr");
8683
8684 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
8685 (bpf_u_int32)srnr);
8686 return (b0);
8687 }
8688
8689 /* PF firewall log reason code */
8690 struct block *
8691 gen_pf_reason(compiler_state_t *cstate, int reason)
8692 {
8693 struct block *b0;
8694
8695 /*
8696 * Catch errors reported by us and routines below us, and return NULL
8697 * on an error.
8698 */
8699 if (setjmp(cstate->top_ctx))
8700 return (NULL);
8701
8702 assert_pflog(cstate, "reason");
8703
8704 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
8705 (bpf_u_int32)reason);
8706 return (b0);
8707 }
8708
8709 /* PF firewall log action */
8710 struct block *
8711 gen_pf_action(compiler_state_t *cstate, int action)
8712 {
8713 struct block *b0;
8714
8715 /*
8716 * Catch errors reported by us and routines below us, and return NULL
8717 * on an error.
8718 */
8719 if (setjmp(cstate->top_ctx))
8720 return (NULL);
8721
8722 assert_pflog(cstate, "action");
8723
8724 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
8725 (bpf_u_int32)action);
8726 return (b0);
8727 }
8728
8729 /* IEEE 802.11 wireless header */
8730 struct block *
8731 gen_p80211_type(compiler_state_t *cstate, bpf_u_int32 type, bpf_u_int32 mask)
8732 {
8733 struct block *b0;
8734
8735 /*
8736 * Catch errors reported by us and routines below us, and return NULL
8737 * on an error.
8738 */
8739 if (setjmp(cstate->top_ctx))
8740 return (NULL);
8741
8742 switch (cstate->linktype) {
8743
8744 case DLT_IEEE802_11:
8745 case DLT_PRISM_HEADER:
8746 case DLT_IEEE802_11_RADIO_AVS:
8747 case DLT_IEEE802_11_RADIO:
8748 case DLT_PPI:
8749 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, type, mask);
8750 break;
8751
8752 default:
8753 fail_kw_on_dlt(cstate, "type/subtype");
8754 /*NOTREACHED*/
8755 }
8756
8757 return (b0);
8758 }
8759
8760 struct block *
8761 gen_p80211_fcdir(compiler_state_t *cstate, bpf_u_int32 fcdir)
8762 {
8763 struct block *b0;
8764
8765 /*
8766 * Catch errors reported by us and routines below us, and return NULL
8767 * on an error.
8768 */
8769 if (setjmp(cstate->top_ctx))
8770 return (NULL);
8771
8772 switch (cstate->linktype) {
8773
8774 case DLT_IEEE802_11:
8775 case DLT_PRISM_HEADER:
8776 case DLT_IEEE802_11_RADIO_AVS:
8777 case DLT_IEEE802_11_RADIO:
8778 case DLT_PPI:
8779 break;
8780
8781 default:
8782 fail_kw_on_dlt(cstate, "dir");
8783 /*NOTREACHED*/
8784 }
8785
8786 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, fcdir,
8787 IEEE80211_FC1_DIR_MASK);
8788
8789 return (b0);
8790 }
8791
8792 // Process an ARCnet host address string.
8793 struct block *
8794 gen_acode(compiler_state_t *cstate, const char *s, struct qual q)
8795 {
8796 /*
8797 * Catch errors reported by us and routines below us, and return NULL
8798 * on an error.
8799 */
8800 if (setjmp(cstate->top_ctx))
8801 return (NULL);
8802
8803 switch (cstate->linktype) {
8804
8805 case DLT_ARCNET:
8806 case DLT_ARCNET_LINUX:
8807 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
8808 q.proto == Q_LINK) {
8809 uint8_t addr;
8810 /*
8811 * The lexer currently defines the address format in a
8812 * way that makes this error condition never true.
8813 * Let's check it anyway in case this part of the lexer
8814 * changes in future.
8815 */
8816 if (! pcapint_atoan(s, &addr))
8817 bpf_error(cstate, "invalid ARCnet address '%s'", s);
8818 return gen_ahostop(cstate, addr, (int)q.dir);
8819 } else
8820 bpf_error(cstate, "ARCnet address used in non-arc expression");
8821 /*NOTREACHED*/
8822
8823 default:
8824 bpf_error(cstate, "aid supported only on ARCnet");
8825 /*NOTREACHED*/
8826 }
8827 }
8828
8829 // Compare an ARCnet host address with the given value.
8830 static struct block *
8831 gen_ahostop(compiler_state_t *cstate, const uint8_t eaddr, int dir)
8832 {
8833 register struct block *b0, *b1;
8834
8835 switch (dir) {
8836 /*
8837 * ARCnet is different from Ethernet: the source address comes before
8838 * the destination address, each is one byte long. This holds for all
8839 * three "buffer formats" in RFC 1201 Section 2.1, see also page 4-10
8840 * in the 1983 edition of the "ARCNET Designer's Handbook" published
8841 * by Datapoint (document number 61610-01).
8842 */
8843 case Q_SRC:
8844 return gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, eaddr);
8845
8846 case Q_DST:
8847 return gen_cmp(cstate, OR_LINKHDR, 1, BPF_B, eaddr);
8848
8849 case Q_AND:
8850 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8851 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8852 gen_and(b0, b1);
8853 return b1;
8854
8855 case Q_DEFAULT:
8856 case Q_OR:
8857 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8858 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8859 gen_or(b0, b1);
8860 return b1;
8861
8862 case Q_ADDR1:
8863 case Q_ADDR2:
8864 case Q_ADDR3:
8865 case Q_ADDR4:
8866 case Q_RA:
8867 case Q_TA:
8868 bpf_error(cstate, ERRSTR_802_11_ONLY_KW, dqkw(dir));
8869 /*NOTREACHED*/
8870 }
8871 abort();
8872 /*NOTREACHED*/
8873 }
8874
8875 static struct block *
8876 gen_vlan_tpid_test(compiler_state_t *cstate)
8877 {
8878 struct block *b0, *b1;
8879
8880 /* check for VLAN, including 802.1ad and QinQ */
8881 b0 = gen_linktype(cstate, ETHERTYPE_8021Q);
8882 b1 = gen_linktype(cstate, ETHERTYPE_8021AD);
8883 gen_or(b0,b1);
8884 b0 = b1;
8885 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ);
8886 gen_or(b0,b1);
8887
8888 return b1;
8889 }
8890
8891 static struct block *
8892 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num)
8893 {
8894 assert_maxval(cstate, "VLAN tag", vlan_num, 0x0fff);
8895 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, vlan_num, 0x0fff);
8896 }
8897
8898 static struct block *
8899 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
8900 int has_vlan_tag)
8901 {
8902 struct block *b0, *b1;
8903
8904 b0 = gen_vlan_tpid_test(cstate);
8905
8906 if (has_vlan_tag) {
8907 b1 = gen_vlan_vid_test(cstate, vlan_num);
8908 gen_and(b0, b1);
8909 b0 = b1;
8910 }
8911
8912 /*
8913 * Both payload and link header type follow the VLAN tags so that
8914 * both need to be updated.
8915 */
8916 cstate->off_linkpl.constant_part += 4;
8917 cstate->off_linktype.constant_part += 4;
8918
8919 return b0;
8920 }
8921
8922 #if defined(SKF_AD_VLAN_TAG_PRESENT)
8923 /* add v to variable part of off */
8924 static void
8925 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off,
8926 bpf_u_int32 v, struct slist *s)
8927 {
8928 struct slist *s2;
8929
8930 if (!off->is_variable)
8931 off->is_variable = 1;
8932 if (off->reg == -1)
8933 off->reg = alloc_reg(cstate);
8934
8935 s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
8936 s2->s.k = off->reg;
8937 sappend(s, s2);
8938 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
8939 s2->s.k = v;
8940 sappend(s, s2);
8941 s2 = new_stmt(cstate, BPF_ST);
8942 s2->s.k = off->reg;
8943 sappend(s, s2);
8944 }
8945
8946 /*
8947 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload
8948 * and link type offsets first
8949 */
8950 static void
8951 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid)
8952 {
8953 struct slist s;
8954
8955 /* offset determined at run time, shift variable part */
8956 s.next = NULL;
8957 cstate->is_vlan_vloffset = 1;
8958 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s);
8959 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s);
8960
8961 /* we get a pointer to a chain of or-ed blocks, patch first of them */
8962 sappend(s.next, b_tpid->head->stmts);
8963 b_tpid->head->stmts = s.next;
8964 }
8965
8966 /*
8967 * patch block b_vid (VLAN id test) to load VID value either from packet
8968 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true
8969 */
8970 static void
8971 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid)
8972 {
8973 struct slist *s, *s2, *sjeq;
8974 unsigned cnt;
8975
8976 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8977 s->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT);
8978
8979 /* true -> next instructions, false -> beginning of b_vid */
8980 sjeq = new_stmt(cstate, JMP(BPF_JEQ));
8981 sjeq->s.k = 1;
8982 sjeq->s.jf = b_vid->stmts;
8983 sappend(s, sjeq);
8984
8985 s2 = new_stmt(cstate, BPF_LD|BPF_H|BPF_ABS);
8986 s2->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG);
8987 sappend(s, s2);
8988 sjeq->s.jt = s2;
8989
8990 /* Jump to the test in b_vid. We need to jump one instruction before
8991 * the end of the b_vid block so that we only skip loading the TCI
8992 * from packet data and not the 'and' instruction extracting VID.
8993 */
8994 cnt = 0;
8995 for (s2 = b_vid->stmts; s2; s2 = s2->next)
8996 cnt++;
8997 s2 = new_stmt(cstate, JMP(BPF_JA));
8998 s2->s.k = cnt - 1;
8999 sappend(s, s2);
9000
9001 /* insert our statements at the beginning of b_vid */
9002 sappend(s, b_vid->stmts);
9003 b_vid->stmts = s;
9004 }
9005
9006 /*
9007 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF
9008 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN
9009 * tag can be either in metadata or in packet data; therefore if the
9010 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link
9011 * header for VLAN tag. As the decision is done at run time, we need
9012 * update variable part of the offsets
9013 */
9014 static struct block *
9015 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
9016 int has_vlan_tag)
9017 {
9018 struct block *b0, *b_tpid, *b_vid = NULL;
9019 struct slist *s;
9020
9021 /* generate new filter code based on extracting packet
9022 * metadata */
9023 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
9024 s->s.k = (bpf_u_int32)(SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT);
9025
9026 b0 = gen_jmp(cstate, BPF_JEQ, 1, s);
9027
9028 /*
9029 * This is tricky. We need to insert the statements updating variable
9030 * parts of offsets before the traditional TPID and VID tests so
9031 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but
9032 * we do not want this update to affect those checks. That's why we
9033 * generate both test blocks first and insert the statements updating
9034 * variable parts of both offsets after that. This wouldn't work if
9035 * there already were variable length link header when entering this
9036 * function but gen_vlan_bpf_extensions() isn't called in that case.
9037 */
9038 b_tpid = gen_vlan_tpid_test(cstate);
9039 if (has_vlan_tag)
9040 b_vid = gen_vlan_vid_test(cstate, vlan_num);
9041
9042 gen_vlan_patch_tpid_test(cstate, b_tpid);
9043 gen_or(b0, b_tpid);
9044 b0 = b_tpid;
9045
9046 if (has_vlan_tag) {
9047 gen_vlan_patch_vid_test(cstate, b_vid);
9048 gen_and(b0, b_vid);
9049 b0 = b_vid;
9050 }
9051
9052 return b0;
9053 }
9054 #endif
9055
9056 /*
9057 * support IEEE 802.1Q VLAN trunk over ethernet
9058 */
9059 struct block *
9060 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag)
9061 {
9062 struct block *b0;
9063
9064 /*
9065 * Catch errors reported by us and routines below us, and return NULL
9066 * on an error.
9067 */
9068 if (setjmp(cstate->top_ctx))
9069 return (NULL);
9070
9071 /* can't check for VLAN-encapsulated packets inside MPLS */
9072 if (cstate->label_stack_depth > 0)
9073 bpf_error(cstate, "no VLAN match after MPLS");
9074
9075 /*
9076 * Check for a VLAN packet, and then change the offsets to point
9077 * to the type and data fields within the VLAN packet. Just
9078 * increment the offsets, so that we can support a hierarchy, e.g.
9079 * "vlan 100 && vlan 200" to capture VLAN 200 encapsulated within
9080 * VLAN 100.
9081 *
9082 * XXX - this is a bit of a kludge. If we were to split the
9083 * compiler into a parser that parses an expression and
9084 * generates an expression tree, and a code generator that
9085 * takes an expression tree (which could come from our
9086 * parser or from some other parser) and generates BPF code,
9087 * we could perhaps make the offsets parameters of routines
9088 * and, in the handler for an "AND" node, pass to subnodes
9089 * other than the VLAN node the adjusted offsets.
9090 *
9091 * This would mean that "vlan" would, instead of changing the
9092 * behavior of *all* tests after it, change only the behavior
9093 * of tests ANDed with it. That would change the documented
9094 * semantics of "vlan", which might break some expressions.
9095 * However, it would mean that "(vlan and ip) or ip" would check
9096 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
9097 * checking only for VLAN-encapsulated IP, so that could still
9098 * be considered worth doing; it wouldn't break expressions
9099 * that are of the form "vlan and ..." or "vlan N and ...",
9100 * which I suspect are the most common expressions involving
9101 * "vlan". "vlan or ..." doesn't necessarily do what the user
9102 * would really want, now, as all the "or ..." tests would
9103 * be done assuming a VLAN, even though the "or" could be viewed
9104 * as meaning "or, if this isn't a VLAN packet...".
9105 */
9106 switch (cstate->linktype) {
9107
9108 case DLT_EN10MB:
9109 /*
9110 * Newer version of the Linux kernel pass around
9111 * packets in which the VLAN tag has been removed
9112 * from the packet data and put into metadata.
9113 *
9114 * This requires special treatment.
9115 */
9116 #if defined(SKF_AD_VLAN_TAG_PRESENT)
9117 /* Verify that this is the outer part of the packet and
9118 * not encapsulated somehow. */
9119 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable &&
9120 cstate->off_linkhdr.constant_part ==
9121 cstate->off_outermostlinkhdr.constant_part) {
9122 /*
9123 * Do we need special VLAN handling?
9124 */
9125 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
9126 b0 = gen_vlan_bpf_extensions(cstate, vlan_num,
9127 has_vlan_tag);
9128 else
9129 b0 = gen_vlan_no_bpf_extensions(cstate,
9130 vlan_num, has_vlan_tag);
9131 } else
9132 #endif
9133 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num,
9134 has_vlan_tag);
9135 break;
9136
9137 case DLT_NETANALYZER:
9138 case DLT_NETANALYZER_TRANSPARENT:
9139 case DLT_IEEE802_11:
9140 case DLT_PRISM_HEADER:
9141 case DLT_IEEE802_11_RADIO_AVS:
9142 case DLT_IEEE802_11_RADIO:
9143 /*
9144 * These are either Ethernet packets with an additional
9145 * metadata header (the NetAnalyzer types), or 802.11
9146 * packets, possibly with an additional metadata header.
9147 *
9148 * For the first of those, the VLAN tag is in the normal
9149 * place, so the special-case handling above isn't
9150 * necessary.
9151 *
9152 * For the second of those, we don't do the special-case
9153 * handling for now.
9154 */
9155 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag);
9156 break;
9157
9158 default:
9159 bpf_error(cstate, "no VLAN support for %s",
9160 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9161 /*NOTREACHED*/
9162 }
9163
9164 cstate->vlan_stack_depth++;
9165
9166 return (b0);
9167 }
9168
9169 /*
9170 * support for MPLS
9171 *
9172 * The label_num_arg dance is to avoid annoying whining by compilers that
9173 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9174 * It's not *used* after setjmp returns.
9175 */
9176 static struct block *
9177 gen_mpls_internal(compiler_state_t *cstate, bpf_u_int32 label_num,
9178 int has_label_num)
9179 {
9180 struct block *b0, *b1;
9181
9182 if (cstate->label_stack_depth > 0) {
9183 /* just match the bottom-of-stack bit clear */
9184 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
9185 } else {
9186 /*
9187 * We're not in an MPLS stack yet, so check the link-layer
9188 * type against MPLS.
9189 */
9190 switch (cstate->linktype) {
9191
9192 case DLT_C_HDLC: /* fall through */
9193 case DLT_HDLC:
9194 case DLT_EN10MB:
9195 case DLT_NETANALYZER:
9196 case DLT_NETANALYZER_TRANSPARENT:
9197 b0 = gen_linktype(cstate, ETHERTYPE_MPLS);
9198 break;
9199
9200 case DLT_PPP:
9201 b0 = gen_linktype(cstate, PPP_MPLS_UCAST);
9202 break;
9203
9204 /* FIXME add other DLT_s ...
9205 * for Frame-Relay/and ATM this may get messy due to SNAP headers
9206 * leave it for now */
9207
9208 default:
9209 bpf_error(cstate, "no MPLS support for %s",
9210 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9211 /*NOTREACHED*/
9212 }
9213 }
9214
9215 /* If a specific MPLS label is requested, check it */
9216 if (has_label_num) {
9217 assert_maxval(cstate, "MPLS label", label_num, 0xFFFFF);
9218 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
9219 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, label_num,
9220 0xfffff000); /* only compare the first 20 bits */
9221 gen_and(b0, b1);
9222 b0 = b1;
9223 }
9224
9225 /*
9226 * Change the offsets to point to the type and data fields within
9227 * the MPLS packet. Just increment the offsets, so that we
9228 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
9229 * capture packets with an outer label of 100000 and an inner
9230 * label of 1024.
9231 *
9232 * Increment the MPLS stack depth as well; this indicates that
9233 * we're checking MPLS-encapsulated headers, to make sure higher
9234 * level code generators don't try to match against IP-related
9235 * protocols such as Q_ARP, Q_RARP etc.
9236 *
9237 * XXX - this is a bit of a kludge. See comments in gen_vlan().
9238 */
9239 cstate->off_nl_nosnap += 4;
9240 cstate->off_nl += 4;
9241 cstate->label_stack_depth++;
9242 return (b0);
9243 }
9244
9245 struct block *
9246 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num, int has_label_num)
9247 {
9248 /*
9249 * Catch errors reported by us and routines below us, and return NULL
9250 * on an error.
9251 */
9252 if (setjmp(cstate->top_ctx))
9253 return (NULL);
9254
9255 return gen_mpls_internal(cstate, label_num, has_label_num);
9256 }
9257
9258 /*
9259 * Support PPPOE discovery and session.
9260 */
9261 struct block *
9262 gen_pppoed(compiler_state_t *cstate)
9263 {
9264 /*
9265 * Catch errors reported by us and routines below us, and return NULL
9266 * on an error.
9267 */
9268 if (setjmp(cstate->top_ctx))
9269 return (NULL);
9270
9271 /* check for PPPoE discovery */
9272 return gen_linktype(cstate, ETHERTYPE_PPPOED);
9273 }
9274
9275 /*
9276 * RFC 2516 Section 4:
9277 *
9278 * The Ethernet payload for PPPoE is as follows:
9279 *
9280 * 1 2 3
9281 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
9282 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
9283 * | VER | TYPE | CODE | SESSION_ID |
9284 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
9285 * | LENGTH | payload ~
9286 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
9287 */
9288 struct block *
9289 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num)
9290 {
9291 struct block *b0, *b1;
9292
9293 /*
9294 * Catch errors reported by us and routines below us, and return NULL
9295 * on an error.
9296 */
9297 if (setjmp(cstate->top_ctx))
9298 return (NULL);
9299
9300 /*
9301 * Test against the PPPoE session link-layer type.
9302 */
9303 b0 = gen_linktype(cstate, ETHERTYPE_PPPOES);
9304
9305 /* If a specific session is requested, check PPPoE session id */
9306 if (has_sess_num) {
9307 assert_maxval(cstate, "PPPoE session number", sess_num, UINT16_MAX);
9308 b1 = gen_cmp(cstate, OR_LINKPL, 2, BPF_H, sess_num);
9309 gen_and(b0, b1);
9310 b0 = b1;
9311 }
9312
9313 /*
9314 * Change the offsets to point to the type and data fields within
9315 * the PPP packet, and note that this is PPPoE rather than
9316 * raw PPP.
9317 *
9318 * XXX - this is a bit of a kludge. See the comments in
9319 * gen_vlan().
9320 *
9321 * The "network-layer" protocol is PPPoE, which has a 6-byte
9322 * PPPoE header, followed by a PPP packet.
9323 *
9324 * There is no HDLC encapsulation for the PPP packet (it's
9325 * encapsulated in PPPoES instead), so the link-layer type
9326 * starts at the first byte of the PPP packet. For PPPoE,
9327 * that offset is relative to the beginning of the total
9328 * link-layer payload, including any 802.2 LLC header, so
9329 * it's 6 bytes past cstate->off_nl.
9330 */
9331 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable,
9332 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */
9333 cstate->off_linkpl.reg);
9334
9335 cstate->off_linktype = cstate->off_linkhdr;
9336 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2;
9337
9338 cstate->off_nl = 0;
9339 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
9340
9341 return b0;
9342 }
9343
9344 /* Check that this is Geneve and the VNI is correct if
9345 * specified. Parameterized to handle both IPv4 and IPv6. */
9346 static struct block *
9347 gen_geneve_check(compiler_state_t *cstate,
9348 struct block *(*gen_portfn)(compiler_state_t *, u_int, int, int),
9349 enum e_offrel offrel, bpf_u_int32 vni, int has_vni)
9350 {
9351 struct block *b0, *b1;
9352
9353 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST);
9354
9355 /* Check that we are operating on version 0. Otherwise, we
9356 * can't decode the rest of the fields. The version is 2 bits
9357 * in the first byte of the Geneve header. */
9358 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, 0, 0xc0);
9359 gen_and(b0, b1);
9360 b0 = b1;
9361
9362 if (has_vni) {
9363 assert_maxval(cstate, "Geneve VNI", vni, 0xffffff);
9364 vni <<= 8; /* VNI is in the upper 3 bytes */
9365 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00);
9366 gen_and(b0, b1);
9367 b0 = b1;
9368 }
9369
9370 return b0;
9371 }
9372
9373 /* The IPv4 and IPv6 Geneve checks need to do two things:
9374 * - Verify that this actually is Geneve with the right VNI.
9375 * - Place the IP header length (plus variable link prefix if
9376 * needed) into register A to be used later to compute
9377 * the inner packet offsets. */
9378 static struct block *
9379 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9380 {
9381 struct block *b0, *b1;
9382 struct slist *s, *s1;
9383
9384 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni);
9385
9386 /* Load the IP header length into A. */
9387 s = gen_loadx_iphdrlen(cstate);
9388
9389 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9390 sappend(s, s1);
9391
9392 /* Forcibly append these statements to the true condition
9393 * of the protocol check by creating a new block that is
9394 * always true and ANDing them. */
9395 b1 = gen_jmp(cstate, BPF_JMP|BPF_JEQ|BPF_X, 0, s);
9396
9397 gen_and(b0, b1);
9398
9399 return b1;
9400 }
9401
9402 static struct block *
9403 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9404 {
9405 struct block *b0, *b1;
9406 struct slist *s, *s1;
9407
9408 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni);
9409
9410 /* Load the IP header length. We need to account for a
9411 * variable length link prefix if there is one. */
9412 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
9413 if (s) {
9414 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
9415 s1->s.k = 40;
9416 sappend(s, s1);
9417
9418 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9419 s1->s.k = 0;
9420 sappend(s, s1);
9421 } else {
9422 s = new_stmt(cstate, BPF_LD|BPF_IMM);
9423 s->s.k = 40;
9424 }
9425
9426 /* Forcibly append these statements to the true condition
9427 * of the protocol check by creating a new block that is
9428 * always true and ANDing them. */
9429 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9430 sappend(s, s1);
9431
9432 b1 = gen_jmp(cstate, BPF_JMP|BPF_JEQ|BPF_X, 0, s);
9433
9434 gen_and(b0, b1);
9435
9436 return b1;
9437 }
9438
9439 /* We need to store three values based on the Geneve header::
9440 * - The offset of the linktype.
9441 * - The offset of the end of the Geneve header.
9442 * - The offset of the end of the encapsulated MAC header. */
9443 static struct slist *
9444 gen_geneve_offsets(compiler_state_t *cstate)
9445 {
9446 struct slist *s, *s1, *s_proto;
9447
9448 /* First we need to calculate the offset of the Geneve header
9449 * itself. This is composed of the IP header previously calculated
9450 * (include any variable link prefix) and stored in A plus the
9451 * fixed sized headers (fixed link prefix, MAC length, and UDP
9452 * header). */
9453 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9454 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
9455
9456 /* Stash this in X since we'll need it later. */
9457 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9458 sappend(s, s1);
9459
9460 /* The EtherType in Geneve is 2 bytes in. Calculate this and
9461 * store it. */
9462 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9463 s1->s.k = 2;
9464 sappend(s, s1);
9465
9466 cstate->off_linktype.reg = alloc_reg(cstate);
9467 cstate->off_linktype.is_variable = 1;
9468 cstate->off_linktype.constant_part = 0;
9469
9470 s1 = new_stmt(cstate, BPF_ST);
9471 s1->s.k = cstate->off_linktype.reg;
9472 sappend(s, s1);
9473
9474 /* Load the Geneve option length and mask and shift to get the
9475 * number of bytes. It is stored in the first byte of the Geneve
9476 * header. */
9477 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
9478 s1->s.k = 0;
9479 sappend(s, s1);
9480
9481 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
9482 s1->s.k = 0x3f;
9483 sappend(s, s1);
9484
9485 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
9486 s1->s.k = 4;
9487 sappend(s, s1);
9488
9489 /* Add in the rest of the Geneve base header. */
9490 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9491 s1->s.k = 8;
9492 sappend(s, s1);
9493
9494 /* Add the Geneve header length to its offset and store. */
9495 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9496 s1->s.k = 0;
9497 sappend(s, s1);
9498
9499 /* Set the encapsulated type as Ethernet. Even though we may
9500 * not actually have Ethernet inside there are two reasons this
9501 * is useful:
9502 * - The linktype field is always in EtherType format regardless
9503 * of whether it is in Geneve or an inner Ethernet frame.
9504 * - The only link layer that we have specific support for is
9505 * Ethernet. We will confirm that the packet actually is
9506 * Ethernet at runtime before executing these checks. */
9507 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
9508
9509 s1 = new_stmt(cstate, BPF_ST);
9510 s1->s.k = cstate->off_linkhdr.reg;
9511 sappend(s, s1);
9512
9513 /* Calculate whether we have an Ethernet header or just raw IP/
9514 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
9515 * and linktype by 14 bytes so that the network header can be found
9516 * seamlessly. Otherwise, keep what we've calculated already. */
9517
9518 /* We have a bare jmp so we can't use the optimizer. */
9519 cstate->no_optimize = 1;
9520
9521 /* Load the EtherType in the Geneve header, 2 bytes in. */
9522 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H);
9523 s1->s.k = 2;
9524 sappend(s, s1);
9525
9526 /* Load X with the end of the Geneve header. */
9527 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9528 s1->s.k = cstate->off_linkhdr.reg;
9529 sappend(s, s1);
9530
9531 /* Check if the EtherType is Transparent Ethernet Bridging. At the
9532 * end of this check, we should have the total length in X. In
9533 * the non-Ethernet case, it's already there. */
9534 s_proto = new_stmt(cstate, JMP(BPF_JEQ));
9535 s_proto->s.k = ETHERTYPE_TEB;
9536 sappend(s, s_proto);
9537
9538 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9539 sappend(s, s1);
9540 s_proto->s.jt = s1;
9541
9542 /* Since this is Ethernet, use the EtherType of the payload
9543 * directly as the linktype. Overwrite what we already have. */
9544 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9545 s1->s.k = 12;
9546 sappend(s, s1);
9547
9548 s1 = new_stmt(cstate, BPF_ST);
9549 s1->s.k = cstate->off_linktype.reg;
9550 sappend(s, s1);
9551
9552 /* Advance two bytes further to get the end of the Ethernet
9553 * header. */
9554 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9555 s1->s.k = 2;
9556 sappend(s, s1);
9557
9558 /* Move the result to X. */
9559 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9560 sappend(s, s1);
9561
9562 /* Store the final result of our linkpl calculation. */
9563 cstate->off_linkpl.reg = alloc_reg(cstate);
9564 cstate->off_linkpl.is_variable = 1;
9565 cstate->off_linkpl.constant_part = 0;
9566
9567 s1 = new_stmt(cstate, BPF_STX);
9568 s1->s.k = cstate->off_linkpl.reg;
9569 sappend(s, s1);
9570 s_proto->s.jf = s1;
9571
9572 cstate->off_nl = 0;
9573
9574 return s;
9575 }
9576
9577 /* Check to see if this is a Geneve packet. */
9578 struct block *
9579 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9580 {
9581 struct block *b0, *b1;
9582 struct slist *s;
9583
9584 /*
9585 * Catch errors reported by us and routines below us, and return NULL
9586 * on an error.
9587 */
9588 if (setjmp(cstate->top_ctx))
9589 return (NULL);
9590
9591 b0 = gen_geneve4(cstate, vni, has_vni);
9592 b1 = gen_geneve6(cstate, vni, has_vni);
9593
9594 gen_or(b0, b1);
9595 b0 = b1;
9596
9597 /* Later filters should act on the payload of the Geneve frame,
9598 * update all of the header pointers. Attach this code so that
9599 * it gets executed in the event that the Geneve filter matches. */
9600 s = gen_geneve_offsets(cstate);
9601
9602 b1 = gen_true(cstate);
9603 sappend(s, b1->stmts);
9604 b1->stmts = s;
9605
9606 gen_and(b0, b1);
9607
9608 cstate->is_encap = 1;
9609
9610 return b1;
9611 }
9612
9613 /* Check that this is VXLAN and the VNI is correct if
9614 * specified. Parameterized to handle both IPv4 and IPv6. */
9615 static struct block *
9616 gen_vxlan_check(compiler_state_t *cstate,
9617 struct block *(*gen_portfn)(compiler_state_t *, u_int, int, int),
9618 enum e_offrel offrel, bpf_u_int32 vni, int has_vni)
9619 {
9620 struct block *b0, *b1;
9621
9622 b0 = gen_portfn(cstate, VXLAN_PORT, IPPROTO_UDP, Q_DST);
9623
9624 /* Check that the VXLAN header has the flag bits set
9625 * correctly. */
9626 b1 = gen_cmp(cstate, offrel, 8, BPF_B, 0x08);
9627 gen_and(b0, b1);
9628 b0 = b1;
9629
9630 if (has_vni) {
9631 assert_maxval(cstate, "VXLAN VNI", vni, 0xffffff);
9632 vni <<= 8; /* VNI is in the upper 3 bytes */
9633 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00);
9634 gen_and(b0, b1);
9635 b0 = b1;
9636 }
9637
9638 return b0;
9639 }
9640
9641 /* The IPv4 and IPv6 VXLAN checks need to do two things:
9642 * - Verify that this actually is VXLAN with the right VNI.
9643 * - Place the IP header length (plus variable link prefix if
9644 * needed) into register A to be used later to compute
9645 * the inner packet offsets. */
9646 static struct block *
9647 gen_vxlan4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9648 {
9649 struct block *b0, *b1;
9650 struct slist *s, *s1;
9651
9652 b0 = gen_vxlan_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni);
9653
9654 /* Load the IP header length into A. */
9655 s = gen_loadx_iphdrlen(cstate);
9656
9657 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9658 sappend(s, s1);
9659
9660 /* Forcibly append these statements to the true condition
9661 * of the protocol check by creating a new block that is
9662 * always true and ANDing them. */
9663 b1 = gen_jmp(cstate, BPF_JMP|BPF_JEQ|BPF_X, 0, s);
9664
9665 gen_and(b0, b1);
9666
9667 return b1;
9668 }
9669
9670 static struct block *
9671 gen_vxlan6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9672 {
9673 struct block *b0, *b1;
9674 struct slist *s, *s1;
9675
9676 b0 = gen_vxlan_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni);
9677
9678 /* Load the IP header length. We need to account for a
9679 * variable length link prefix if there is one. */
9680 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
9681 if (s) {
9682 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
9683 s1->s.k = 40;
9684 sappend(s, s1);
9685
9686 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9687 s1->s.k = 0;
9688 sappend(s, s1);
9689 } else {
9690 s = new_stmt(cstate, BPF_LD|BPF_IMM);
9691 s->s.k = 40;
9692 }
9693
9694 /* Forcibly append these statements to the true condition
9695 * of the protocol check by creating a new block that is
9696 * always true and ANDing them. */
9697 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9698 sappend(s, s1);
9699
9700 b1 = gen_jmp(cstate, BPF_JMP|BPF_JEQ|BPF_X, 0, s);
9701
9702 gen_and(b0, b1);
9703
9704 return b1;
9705 }
9706
9707 /* We need to store three values based on the VXLAN header:
9708 * - The offset of the linktype.
9709 * - The offset of the end of the VXLAN header.
9710 * - The offset of the end of the encapsulated MAC header. */
9711 static struct slist *
9712 gen_vxlan_offsets(compiler_state_t *cstate)
9713 {
9714 struct slist *s, *s1;
9715
9716 /* Calculate the offset of the VXLAN header itself. This
9717 * includes the IP header computed previously (including any
9718 * variable link prefix) and stored in A plus the fixed size
9719 * headers (fixed link prefix, MAC length, UDP header). */
9720 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9721 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
9722
9723 /* Add the VXLAN header length to its offset and store */
9724 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9725 s1->s.k = 8;
9726 sappend(s, s1);
9727
9728 /* Push the link header. VXLAN packets always contain Ethernet
9729 * frames. */
9730 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
9731
9732 s1 = new_stmt(cstate, BPF_ST);
9733 s1->s.k = cstate->off_linkhdr.reg;
9734 sappend(s, s1);
9735
9736 /* As the payload is an Ethernet packet, we can use the
9737 * EtherType of the payload directly as the linktype. */
9738 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9739 s1->s.k = 12;
9740 sappend(s, s1);
9741
9742 cstate->off_linktype.reg = alloc_reg(cstate);
9743 cstate->off_linktype.is_variable = 1;
9744 cstate->off_linktype.constant_part = 0;
9745
9746 s1 = new_stmt(cstate, BPF_ST);
9747 s1->s.k = cstate->off_linktype.reg;
9748 sappend(s, s1);
9749
9750 /* Two bytes further is the end of the Ethernet header and the
9751 * start of the payload. */
9752 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9753 s1->s.k = 2;
9754 sappend(s, s1);
9755
9756 /* Move the result to X. */
9757 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9758 sappend(s, s1);
9759
9760 /* Store the final result of our linkpl calculation. */
9761 cstate->off_linkpl.reg = alloc_reg(cstate);
9762 cstate->off_linkpl.is_variable = 1;
9763 cstate->off_linkpl.constant_part = 0;
9764
9765 s1 = new_stmt(cstate, BPF_STX);
9766 s1->s.k = cstate->off_linkpl.reg;
9767 sappend(s, s1);
9768
9769 cstate->off_nl = 0;
9770
9771 return s;
9772 }
9773
9774 /* Check to see if this is a VXLAN packet. */
9775 struct block *
9776 gen_vxlan(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9777 {
9778 struct block *b0, *b1;
9779 struct slist *s;
9780
9781 /*
9782 * Catch errors reported by us and routines below us, and return NULL
9783 * on an error.
9784 */
9785 if (setjmp(cstate->top_ctx))
9786 return (NULL);
9787
9788 b0 = gen_vxlan4(cstate, vni, has_vni);
9789 b1 = gen_vxlan6(cstate, vni, has_vni);
9790
9791 gen_or(b0, b1);
9792 b0 = b1;
9793
9794 /* Later filters should act on the payload of the VXLAN frame,
9795 * update all of the header pointers. Attach this code so that
9796 * it gets executed in the event that the VXLAN filter matches. */
9797 s = gen_vxlan_offsets(cstate);
9798
9799 b1 = gen_true(cstate);
9800 sappend(s, b1->stmts);
9801 b1->stmts = s;
9802
9803 gen_and(b0, b1);
9804
9805 cstate->is_encap = 1;
9806
9807 return b1;
9808 }
9809
9810 /* Check that the encapsulated frame has a link layer header
9811 * for Ethernet filters. */
9812 static struct block *
9813 gen_encap_ll_check(compiler_state_t *cstate)
9814 {
9815 struct block *b0;
9816 struct slist *s, *s1;
9817
9818 /* The easiest way to see if there is a link layer present
9819 * is to check if the link layer header and payload are not
9820 * the same. */
9821
9822 /* Geneve always generates pure variable offsets so we can
9823 * compare only the registers. */
9824 s = new_stmt(cstate, BPF_LD|BPF_MEM);
9825 s->s.k = cstate->off_linkhdr.reg;
9826
9827 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9828 s1->s.k = cstate->off_linkpl.reg;
9829 sappend(s, s1);
9830
9831 b0 = gen_jmp(cstate, BPF_JMP|BPF_JEQ|BPF_X, 0, s);
9832 gen_not(b0);
9833
9834 return b0;
9835 }
9836
9837 static struct block *
9838 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield,
9839 bpf_u_int32 jvalue, int jtype, int reverse)
9840 {
9841 struct block *b0;
9842
9843 /*
9844 * This check is a no-op for A_MSGTYPE so long as the only incoming
9845 * code path is from gen_atmmulti_abbrev(), which makes the same
9846 * check first; also for A_PROTOTYPE so long as the only incoming code
9847 * paths are from gen_atmtype_abbrev(), which makes the same check
9848 * first, or from gen_llc_internal() or gen_linktype(), which restrict
9849 * it to DLT_SUNATM.
9850 */
9851 assert_atm(cstate, atmkw(atmfield));
9852
9853 switch (atmfield) {
9854
9855 case A_VPI:
9856 assert_maxval(cstate, "VPI", jvalue, UINT8_MAX);
9857 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B,
9858 0xffffffffU, jtype, reverse, jvalue);
9859 break;
9860
9861 case A_VCI:
9862 assert_maxval(cstate, "VCI", jvalue, UINT16_MAX);
9863 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H,
9864 0xffffffffU, jtype, reverse, jvalue);
9865 break;
9866
9867 case A_PROTOTYPE:
9868 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B,
9869 0x0fU, jtype, reverse, jvalue);
9870 break;
9871
9872 case A_MSGTYPE:
9873 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B,
9874 0xffffffffU, jtype, reverse, jvalue);
9875 break;
9876
9877 default:
9878 abort();
9879 }
9880 return b0;
9881 }
9882
9883 static struct block *
9884 gen_atmtype_metac(compiler_state_t *cstate)
9885 {
9886 struct block *b0, *b1;
9887
9888 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9889 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0);
9890 gen_and(b0, b1);
9891 return b1;
9892 }
9893
9894 static struct block *
9895 gen_atmtype_sc(compiler_state_t *cstate)
9896 {
9897 struct block *b0, *b1;
9898
9899 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9900 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0);
9901 gen_and(b0, b1);
9902 return b1;
9903 }
9904
9905 static struct block *
9906 gen_atmtype_llc(compiler_state_t *cstate)
9907 {
9908 struct block *b0;
9909
9910 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
9911 cstate->linktype = cstate->prevlinktype;
9912 return b0;
9913 }
9914
9915 struct block *
9916 gen_atmfield_code(compiler_state_t *cstate, int atmfield,
9917 bpf_u_int32 jvalue, int jtype, int reverse)
9918 {
9919 /*
9920 * Catch errors reported by us and routines below us, and return NULL
9921 * on an error.
9922 */
9923 if (setjmp(cstate->top_ctx))
9924 return (NULL);
9925
9926 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype,
9927 reverse);
9928 }
9929
9930 struct block *
9931 gen_atmtype_abbrev(compiler_state_t *cstate, int type)
9932 {
9933 struct block *b0, *b1;
9934
9935 /*
9936 * Catch errors reported by us and routines below us, and return NULL
9937 * on an error.
9938 */
9939 if (setjmp(cstate->top_ctx))
9940 return (NULL);
9941
9942 assert_atm(cstate, atmkw(type));
9943
9944 switch (type) {
9945
9946 case A_METAC:
9947 /* Get all packets in Meta signalling Circuit */
9948 b1 = gen_atmtype_metac(cstate);
9949 break;
9950
9951 case A_BCC:
9952 /* Get all packets in Broadcast Circuit*/
9953 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9954 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0);
9955 gen_and(b0, b1);
9956 break;
9957
9958 case A_OAMF4SC:
9959 /* Get all cells in Segment OAM F4 circuit*/
9960 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9961 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9962 gen_and(b0, b1);
9963 break;
9964
9965 case A_OAMF4EC:
9966 /* Get all cells in End-to-End OAM F4 Circuit*/
9967 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9968 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9969 gen_and(b0, b1);
9970 break;
9971
9972 case A_SC:
9973 /* Get all packets in connection Signalling Circuit */
9974 b1 = gen_atmtype_sc(cstate);
9975 break;
9976
9977 case A_ILMIC:
9978 /* Get all packets in ILMI Circuit */
9979 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9980 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0);
9981 gen_and(b0, b1);
9982 break;
9983
9984 case A_LANE:
9985 /* Get all LANE packets */
9986 b1 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
9987
9988 /*
9989 * Arrange that all subsequent tests assume LANE
9990 * rather than LLC-encapsulated packets, and set
9991 * the offsets appropriately for LANE-encapsulated
9992 * Ethernet.
9993 *
9994 * We assume LANE means Ethernet, not Token Ring.
9995 */
9996 PUSH_LINKHDR(cstate, DLT_EN10MB, 0,
9997 cstate->off_payload + 2, /* Ethernet header */
9998 -1);
9999 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
10000 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */
10001 cstate->off_nl = 0; /* Ethernet II */
10002 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
10003 break;
10004
10005 default:
10006 abort();
10007 }
10008 return b1;
10009 }
10010
10011 /*
10012 * Filtering for MTP2 messages based on li value
10013 * FISU, length is null
10014 * LSSU, length is 1 or 2
10015 * MSU, length is 3 or more
10016 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
10017 */
10018 struct block *
10019 gen_mtp2type_abbrev(compiler_state_t *cstate, int type)
10020 {
10021 struct block *b0, *b1;
10022
10023 /*
10024 * Catch errors reported by us and routines below us, and return NULL
10025 * on an error.
10026 */
10027 if (setjmp(cstate->top_ctx))
10028 return (NULL);
10029
10030 assert_ss7(cstate, ss7kw(type));
10031
10032 switch (type) {
10033
10034 case M_FISU:
10035 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10036 0x3fU, BPF_JEQ, 0, 0U);
10037 break;
10038
10039 case M_LSSU:
10040 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10041 0x3fU, BPF_JGT, 1, 2U);
10042 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10043 0x3fU, BPF_JGT, 0, 0U);
10044 gen_and(b1, b0);
10045 break;
10046
10047 case M_MSU:
10048 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
10049 0x3fU, BPF_JGT, 0, 2U);
10050 break;
10051
10052 case MH_FISU:
10053 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10054 0xff80U, BPF_JEQ, 0, 0U);
10055 break;
10056
10057 case MH_LSSU:
10058 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10059 0xff80U, BPF_JGT, 1, 0x0100U);
10060 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10061 0xff80U, BPF_JGT, 0, 0U);
10062 gen_and(b1, b0);
10063 break;
10064
10065 case MH_MSU:
10066 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
10067 0xff80U, BPF_JGT, 0, 0x0100U);
10068 break;
10069
10070 default:
10071 abort();
10072 }
10073 return b0;
10074 }
10075
10076 /*
10077 * These maximum valid values are all-ones, so they double as the bitmasks
10078 * before any bitwise shifting.
10079 */
10080 #define MTP2_SIO_MAXVAL UINT8_MAX
10081 #define MTP3_PC_MAXVAL 0x3fffU
10082 #define MTP3_SLS_MAXVAL 0xfU
10083
10084 static struct block *
10085 gen_mtp3field_code_internal(compiler_state_t *cstate, int mtp3field,
10086 bpf_u_int32 jvalue, int jtype, int reverse)
10087 {
10088 struct block *b0;
10089 u_int newoff_sio;
10090 u_int newoff_opc;
10091 u_int newoff_dpc;
10092 u_int newoff_sls;
10093
10094 newoff_sio = cstate->off_sio;
10095 newoff_opc = cstate->off_opc;
10096 newoff_dpc = cstate->off_dpc;
10097 newoff_sls = cstate->off_sls;
10098
10099 assert_ss7(cstate, ss7kw(mtp3field));
10100
10101 switch (mtp3field) {
10102
10103 /*
10104 * See UTU-T Rec. Q.703, Section 2.2, Figure 3/Q.703.
10105 *
10106 * SIO is the simplest field: the size is one byte and the offset is a
10107 * multiple of bytes, so the only detail to get right is the value of
10108 * the [right-to-left] field offset.
10109 */
10110 case MH_SIO:
10111 newoff_sio += 3; /* offset for MTP2_HSL */
10112 /* FALLTHROUGH */
10113
10114 case M_SIO:
10115 assert_maxval(cstate, ss7kw(mtp3field), jvalue, MTP2_SIO_MAXVAL);
10116 // Here the bitmask means "do not apply a bitmask".
10117 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, UINT32_MAX,
10118 jtype, reverse, jvalue);
10119 break;
10120
10121 /*
10122 * See UTU-T Rec. Q.704, Section 2.2, Figure 3/Q.704.
10123 *
10124 * SLS, OPC and DPC are more complicated: none of these is sized in a
10125 * multiple of 8 bits, MTP3 encoding is little-endian and MTP packet
10126 * diagrams are meant to be read right-to-left. This means in the
10127 * diagrams within individual fields and concatenations thereof
10128 * bitwise shifts and masks can be noted in the common left-to-right
10129 * manner until each final value is ready to be byte-swapped and
10130 * handed to gen_ncmp(). See also gen_dnhostop(), which solves a
10131 * similar problem in a similar way.
10132 *
10133 * Offsets of fields within the packet header always have the
10134 * right-to-left meaning. Note that in DLT_MTP2 and possibly other
10135 * DLTs the offset does not include the F (Flag) field at the
10136 * beginning of each message.
10137 *
10138 * For example, if the 8-bit SIO field has a 3 byte [RTL] offset, the
10139 * 32-bit standard routing header has a 4 byte [RTL] offset and could
10140 * be tested entirely using a single BPF_W comparison. In this case
10141 * the 14-bit DPC field [LTR] bitmask would be 0x3FFF, the 14-bit OPC
10142 * field [LTR] bitmask would be (0x3FFF << 14) and the 4-bit SLS field
10143 * [LTR] bitmask would be (0xF << 28), all of which conveniently
10144 * correlates with the [RTL] packet diagram until the byte-swapping is
10145 * done before use.
10146 *
10147 * The code below uses this approach for OPC, which spans 3 bytes.
10148 * DPC and SLS use shorter loads, SLS also uses a different offset.
10149 */
10150 case MH_OPC:
10151 newoff_opc += 3;
10152
10153 /* FALLTHROUGH */
10154 case M_OPC:
10155 assert_maxval(cstate, ss7kw(mtp3field), jvalue, MTP3_PC_MAXVAL);
10156 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W,
10157 SWAPLONG(MTP3_PC_MAXVAL << 14), jtype, reverse,
10158 SWAPLONG(jvalue << 14));
10159 break;
10160
10161 case MH_DPC:
10162 newoff_dpc += 3;
10163 /* FALLTHROUGH */
10164
10165 case M_DPC:
10166 assert_maxval(cstate, ss7kw(mtp3field), jvalue, MTP3_PC_MAXVAL);
10167 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_H,
10168 SWAPSHORT(MTP3_PC_MAXVAL), jtype, reverse,
10169 SWAPSHORT(jvalue));
10170 break;
10171
10172 case MH_SLS:
10173 newoff_sls += 3;
10174 /* FALLTHROUGH */
10175
10176 case M_SLS:
10177 assert_maxval(cstate, ss7kw(mtp3field), jvalue, MTP3_SLS_MAXVAL);
10178 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B,
10179 MTP3_SLS_MAXVAL << 4, jtype, reverse,
10180 jvalue << 4);
10181 break;
10182
10183 default:
10184 abort();
10185 }
10186 return b0;
10187 }
10188
10189 struct block *
10190 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field,
10191 bpf_u_int32 jvalue, int jtype, int reverse)
10192 {
10193 /*
10194 * Catch errors reported by us and routines below us, and return NULL
10195 * on an error.
10196 */
10197 if (setjmp(cstate->top_ctx))
10198 return (NULL);
10199
10200 return gen_mtp3field_code_internal(cstate, mtp3field, jvalue, jtype,
10201 reverse);
10202 }
10203
10204 static struct block *
10205 gen_msg_abbrev(compiler_state_t *cstate, int type)
10206 {
10207 struct block *b1;
10208
10209 /*
10210 * Q.2931 signalling protocol messages for handling virtual circuits
10211 * establishment and teardown
10212 */
10213 switch (type) {
10214
10215 case A_SETUP:
10216 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0);
10217 break;
10218
10219 case A_CALLPROCEED:
10220 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
10221 break;
10222
10223 case A_CONNECT:
10224 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0);
10225 break;
10226
10227 case A_CONNECTACK:
10228 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
10229 break;
10230
10231 case A_RELEASE:
10232 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0);
10233 break;
10234
10235 case A_RELEASE_DONE:
10236 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
10237 break;
10238
10239 default:
10240 abort();
10241 }
10242 return b1;
10243 }
10244
10245 struct block *
10246 gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
10247 {
10248 struct block *b0, *b1;
10249
10250 /*
10251 * Catch errors reported by us and routines below us, and return NULL
10252 * on an error.
10253 */
10254 if (setjmp(cstate->top_ctx))
10255 return (NULL);
10256
10257 assert_atm(cstate, atmkw(type));
10258
10259 switch (type) {
10260
10261 case A_OAM:
10262 /* OAM F4 type */
10263 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
10264 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10265 gen_or(b0, b1);
10266 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10267 gen_and(b0, b1);
10268 break;
10269
10270 case A_OAMF4:
10271 /* OAM F4 type */
10272 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
10273 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10274 gen_or(b0, b1);
10275 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10276 gen_and(b0, b1);
10277 break;
10278
10279 case A_CONNECTMSG:
10280 /*
10281 * Get Q.2931 signalling messages for switched
10282 * virtual connection
10283 */
10284 b0 = gen_msg_abbrev(cstate, A_SETUP);
10285 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
10286 gen_or(b0, b1);
10287 b0 = gen_msg_abbrev(cstate, A_CONNECT);
10288 gen_or(b0, b1);
10289 b0 = gen_msg_abbrev(cstate, A_CONNECTACK);
10290 gen_or(b0, b1);
10291 b0 = gen_msg_abbrev(cstate, A_RELEASE);
10292 gen_or(b0, b1);
10293 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
10294 gen_or(b0, b1);
10295 b0 = gen_atmtype_sc(cstate);
10296 gen_and(b0, b1);
10297 break;
10298
10299 case A_METACONNECT:
10300 b0 = gen_msg_abbrev(cstate, A_SETUP);
10301 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
10302 gen_or(b0, b1);
10303 b0 = gen_msg_abbrev(cstate, A_CONNECT);
10304 gen_or(b0, b1);
10305 b0 = gen_msg_abbrev(cstate, A_RELEASE);
10306 gen_or(b0, b1);
10307 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
10308 gen_or(b0, b1);
10309 b0 = gen_atmtype_metac(cstate);
10310 gen_and(b0, b1);
10311 break;
10312
10313 default:
10314 abort();
10315 }
10316 return b1;
10317 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism