]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add DLT_AX25_KISS, for AX.25 with a KISS header, as per discussions in
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22 #ifndef lint
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.290 2007-10-05 01:40:14 guy Exp $ (LBL)";
25 #endif
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #ifdef WIN32
32 #include <pcap-stdinc.h>
33 #else /* WIN32 */
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #endif /* WIN32 */
37
38 /*
39 * XXX - why was this included even on UNIX?
40 */
41 #ifdef __MINGW32__
42 #include "IP6_misc.h"
43 #endif
44
45 #ifndef WIN32
46
47 #ifdef __NetBSD__
48 #include <sys/param.h>
49 #endif
50
51 #include <netinet/in.h>
52
53 #endif /* WIN32 */
54
55 #include <stdlib.h>
56 #include <string.h>
57 #include <memory.h>
58 #include <setjmp.h>
59 #include <stdarg.h>
60
61 #ifdef MSDOS
62 #include "pcap-dos.h"
63 #endif
64
65 #include "pcap-int.h"
66
67 #include "ethertype.h"
68 #include "nlpid.h"
69 #include "llc.h"
70 #include "gencode.h"
71 #include "atmuni31.h"
72 #include "sunatmpos.h"
73 #include "ppp.h"
74 #include "pcap/sll.h"
75 #include "arcnet.h"
76 #ifdef HAVE_NET_PFVAR_H
77 #include <sys/socket.h>
78 #include <net/if.h>
79 #include <net/pfvar.h>
80 #include <net/if_pflog.h>
81 #endif
82 #ifndef offsetof
83 #define offsetof(s, e) ((size_t)&((s *)0)->e)
84 #endif
85 #ifdef INET6
86 #ifndef WIN32
87 #include <netdb.h> /* for "struct addrinfo" */
88 #endif /* WIN32 */
89 #endif /*INET6*/
90 #include <pcap/namedb.h>
91
92 #define ETHERMTU 1500
93
94 #ifndef IPPROTO_SCTP
95 #define IPPROTO_SCTP 132
96 #endif
97
98 #ifdef HAVE_OS_PROTO_H
99 #include "os-proto.h"
100 #endif
101
102 #define JMP(c) ((c)|BPF_JMP|BPF_K)
103
104 /* Locals */
105 static jmp_buf top_ctx;
106 static pcap_t *bpf_pcap;
107
108 /* Hack for updating VLAN, MPLS, and PPPoE offsets. */
109 #ifdef WIN32
110 static u_int orig_linktype = (u_int)-1, orig_nl = (u_int)-1, label_stack_depth = (u_int)-1;
111 #else
112 static u_int orig_linktype = -1U, orig_nl = -1U, label_stack_depth = -1U;
113 #endif
114
115 /* XXX */
116 #ifdef PCAP_FDDIPAD
117 static int pcap_fddipad;
118 #endif
119
120 /* VARARGS */
121 void
122 bpf_error(const char *fmt, ...)
123 {
124 va_list ap;
125
126 va_start(ap, fmt);
127 if (bpf_pcap != NULL)
128 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
129 fmt, ap);
130 va_end(ap);
131 longjmp(top_ctx, 1);
132 /* NOTREACHED */
133 }
134
135 static void init_linktype(pcap_t *);
136
137 static int alloc_reg(void);
138 static void free_reg(int);
139
140 static struct block *root;
141
142 /*
143 * Value passed to gen_load_a() to indicate what the offset argument
144 * is relative to.
145 */
146 enum e_offrel {
147 OR_PACKET, /* relative to the beginning of the packet */
148 OR_LINK, /* relative to the link-layer header */
149 OR_NET, /* relative to the network-layer header */
150 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
151 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
152 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
153 };
154
155 /*
156 * We divy out chunks of memory rather than call malloc each time so
157 * we don't have to worry about leaking memory. It's probably
158 * not a big deal if all this memory was wasted but if this ever
159 * goes into a library that would probably not be a good idea.
160 *
161 * XXX - this *is* in a library....
162 */
163 #define NCHUNKS 16
164 #define CHUNK0SIZE 1024
165 struct chunk {
166 u_int n_left;
167 void *m;
168 };
169
170 static struct chunk chunks[NCHUNKS];
171 static int cur_chunk;
172
173 static void *newchunk(u_int);
174 static void freechunks(void);
175 static inline struct block *new_block(int);
176 static inline struct slist *new_stmt(int);
177 static struct block *gen_retblk(int);
178 static inline void syntax(void);
179
180 static void backpatch(struct block *, struct block *);
181 static void merge(struct block *, struct block *);
182 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
183 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
184 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
185 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
186 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
187 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
188 bpf_u_int32);
189 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
190 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
191 bpf_u_int32, bpf_u_int32, int, bpf_int32);
192 static struct slist *gen_load_llrel(u_int, u_int);
193 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
194 static struct slist *gen_loadx_iphdrlen(void);
195 static struct block *gen_uncond(int);
196 static inline struct block *gen_true(void);
197 static inline struct block *gen_false(void);
198 static struct block *gen_ether_linktype(int);
199 static struct block *gen_linux_sll_linktype(int);
200 static void insert_radiotap_load_llprefixlen(struct block *);
201 static void insert_ppi_load_llprefixlen(struct block *);
202 static void insert_load_llprefixlen(struct block *);
203 static struct slist *gen_llprefixlen(void);
204 static struct block *gen_linktype(int);
205 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
206 static struct block *gen_llc_linktype(int);
207 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
208 #ifdef INET6
209 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
210 #endif
211 static struct block *gen_ahostop(const u_char *, int);
212 static struct block *gen_ehostop(const u_char *, int);
213 static struct block *gen_fhostop(const u_char *, int);
214 static struct block *gen_thostop(const u_char *, int);
215 static struct block *gen_wlanhostop(const u_char *, int);
216 static struct block *gen_ipfchostop(const u_char *, int);
217 static struct block *gen_dnhostop(bpf_u_int32, int);
218 static struct block *gen_mpls_linktype(int);
219 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int, int);
220 #ifdef INET6
221 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int, int);
222 #endif
223 #ifndef INET6
224 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
225 #endif
226 static struct block *gen_ipfrag(void);
227 static struct block *gen_portatom(int, bpf_int32);
228 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
229 #ifdef INET6
230 static struct block *gen_portatom6(int, bpf_int32);
231 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
232 #endif
233 struct block *gen_portop(int, int, int);
234 static struct block *gen_port(int, int, int);
235 struct block *gen_portrangeop(int, int, int, int);
236 static struct block *gen_portrange(int, int, int, int);
237 #ifdef INET6
238 struct block *gen_portop6(int, int, int);
239 static struct block *gen_port6(int, int, int);
240 struct block *gen_portrangeop6(int, int, int, int);
241 static struct block *gen_portrange6(int, int, int, int);
242 #endif
243 static int lookup_proto(const char *, int);
244 static struct block *gen_protochain(int, int, int);
245 static struct block *gen_proto(int, int, int);
246 static struct slist *xfer_to_x(struct arth *);
247 static struct slist *xfer_to_a(struct arth *);
248 static struct block *gen_mac_multicast(int);
249 static struct block *gen_len(int, int);
250
251 static struct block *gen_ppi_dlt_check(void);
252 static struct block *gen_msg_abbrev(int type);
253
254 static void *
255 newchunk(n)
256 u_int n;
257 {
258 struct chunk *cp;
259 int k;
260 size_t size;
261
262 #ifndef __NetBSD__
263 /* XXX Round up to nearest long. */
264 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
265 #else
266 /* XXX Round up to structure boundary. */
267 n = ALIGN(n);
268 #endif
269
270 cp = &chunks[cur_chunk];
271 if (n > cp->n_left) {
272 ++cp, k = ++cur_chunk;
273 if (k >= NCHUNKS)
274 bpf_error("out of memory");
275 size = CHUNK0SIZE << k;
276 cp->m = (void *)malloc(size);
277 if (cp->m == NULL)
278 bpf_error("out of memory");
279 memset((char *)cp->m, 0, size);
280 cp->n_left = size;
281 if (n > size)
282 bpf_error("out of memory");
283 }
284 cp->n_left -= n;
285 return (void *)((char *)cp->m + cp->n_left);
286 }
287
288 static void
289 freechunks()
290 {
291 int i;
292
293 cur_chunk = 0;
294 for (i = 0; i < NCHUNKS; ++i)
295 if (chunks[i].m != NULL) {
296 free(chunks[i].m);
297 chunks[i].m = NULL;
298 }
299 }
300
301 /*
302 * A strdup whose allocations are freed after code generation is over.
303 */
304 char *
305 sdup(s)
306 register const char *s;
307 {
308 int n = strlen(s) + 1;
309 char *cp = newchunk(n);
310
311 strlcpy(cp, s, n);
312 return (cp);
313 }
314
315 static inline struct block *
316 new_block(code)
317 int code;
318 {
319 struct block *p;
320
321 p = (struct block *)newchunk(sizeof(*p));
322 p->s.code = code;
323 p->head = p;
324
325 return p;
326 }
327
328 static inline struct slist *
329 new_stmt(code)
330 int code;
331 {
332 struct slist *p;
333
334 p = (struct slist *)newchunk(sizeof(*p));
335 p->s.code = code;
336
337 return p;
338 }
339
340 static struct block *
341 gen_retblk(v)
342 int v;
343 {
344 struct block *b = new_block(BPF_RET|BPF_K);
345
346 b->s.k = v;
347 return b;
348 }
349
350 static inline void
351 syntax()
352 {
353 bpf_error("syntax error in filter expression");
354 }
355
356 static bpf_u_int32 netmask;
357 static int snaplen;
358 int no_optimize;
359
360 int
361 pcap_compile(pcap_t *p, struct bpf_program *program,
362 const char *buf, int optimize, bpf_u_int32 mask)
363 {
364 extern int n_errors;
365 const char * volatile xbuf = buf;
366 int len;
367
368 no_optimize = 0;
369 n_errors = 0;
370 root = NULL;
371 bpf_pcap = p;
372 if (setjmp(top_ctx)) {
373 lex_cleanup();
374 freechunks();
375 return (-1);
376 }
377
378 netmask = mask;
379
380 snaplen = pcap_snapshot(p);
381 if (snaplen == 0) {
382 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
383 "snaplen of 0 rejects all packets");
384 return -1;
385 }
386
387 lex_init(xbuf ? xbuf : "");
388 init_linktype(p);
389 (void)pcap_parse();
390
391 if (n_errors)
392 syntax();
393
394 if (root == NULL)
395 root = gen_retblk(snaplen);
396
397 if (optimize && !no_optimize) {
398 bpf_optimize(&root);
399 if (root == NULL ||
400 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
401 bpf_error("expression rejects all packets");
402 }
403 program->bf_insns = icode_to_fcode(root, &len);
404 program->bf_len = len;
405
406 lex_cleanup();
407 freechunks();
408 return (0);
409 }
410
411 /*
412 * entry point for using the compiler with no pcap open
413 * pass in all the stuff that is needed explicitly instead.
414 */
415 int
416 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
417 struct bpf_program *program,
418 const char *buf, int optimize, bpf_u_int32 mask)
419 {
420 pcap_t *p;
421 int ret;
422
423 p = pcap_open_dead(linktype_arg, snaplen_arg);
424 if (p == NULL)
425 return (-1);
426 ret = pcap_compile(p, program, buf, optimize, mask);
427 pcap_close(p);
428 return (ret);
429 }
430
431 /*
432 * Clean up a "struct bpf_program" by freeing all the memory allocated
433 * in it.
434 */
435 void
436 pcap_freecode(struct bpf_program *program)
437 {
438 program->bf_len = 0;
439 if (program->bf_insns != NULL) {
440 free((char *)program->bf_insns);
441 program->bf_insns = NULL;
442 }
443 }
444
445 /*
446 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
447 * which of the jt and jf fields has been resolved and which is a pointer
448 * back to another unresolved block (or nil). At least one of the fields
449 * in each block is already resolved.
450 */
451 static void
452 backpatch(list, target)
453 struct block *list, *target;
454 {
455 struct block *next;
456
457 while (list) {
458 if (!list->sense) {
459 next = JT(list);
460 JT(list) = target;
461 } else {
462 next = JF(list);
463 JF(list) = target;
464 }
465 list = next;
466 }
467 }
468
469 /*
470 * Merge the lists in b0 and b1, using the 'sense' field to indicate
471 * which of jt and jf is the link.
472 */
473 static void
474 merge(b0, b1)
475 struct block *b0, *b1;
476 {
477 register struct block **p = &b0;
478
479 /* Find end of list. */
480 while (*p)
481 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
482
483 /* Concatenate the lists. */
484 *p = b1;
485 }
486
487 void
488 finish_parse(p)
489 struct block *p;
490 {
491 struct block *ppi_dlt_check;
492
493 ppi_dlt_check = gen_ppi_dlt_check();
494
495 if (ppi_dlt_check != NULL)
496 {
497 gen_and(ppi_dlt_check, p);
498 }
499
500 backpatch(p, gen_retblk(snaplen));
501 p->sense = !p->sense;
502 backpatch(p, gen_retblk(0));
503 root = p->head;
504
505 /*
506 * Insert before the statements of the first (root) block any
507 * statements needed to load the lengths of any variable-length
508 * headers into registers.
509 *
510 * XXX - a fancier strategy would be to insert those before the
511 * statements of all blocks that use those lengths and that
512 * have no predecessors that use them, so that we only compute
513 * the lengths if we need them. There might be even better
514 * approaches than that. However, as we're currently only
515 * handling variable-length radiotap headers, and as all
516 * filtering expressions other than raw link[M:N] tests
517 * require the length of that header, doing more for that
518 * header length isn't really worth the effort.
519 */
520 insert_load_llprefixlen(root);
521 }
522
523 void
524 gen_and(b0, b1)
525 struct block *b0, *b1;
526 {
527 backpatch(b0, b1->head);
528 b0->sense = !b0->sense;
529 b1->sense = !b1->sense;
530 merge(b1, b0);
531 b1->sense = !b1->sense;
532 b1->head = b0->head;
533 }
534
535 void
536 gen_or(b0, b1)
537 struct block *b0, *b1;
538 {
539 b0->sense = !b0->sense;
540 backpatch(b0, b1->head);
541 b0->sense = !b0->sense;
542 merge(b1, b0);
543 b1->head = b0->head;
544 }
545
546 void
547 gen_not(b)
548 struct block *b;
549 {
550 b->sense = !b->sense;
551 }
552
553 static struct block *
554 gen_cmp(offrel, offset, size, v)
555 enum e_offrel offrel;
556 u_int offset, size;
557 bpf_int32 v;
558 {
559 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
560 }
561
562 static struct block *
563 gen_cmp_gt(offrel, offset, size, v)
564 enum e_offrel offrel;
565 u_int offset, size;
566 bpf_int32 v;
567 {
568 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
569 }
570
571 static struct block *
572 gen_cmp_ge(offrel, offset, size, v)
573 enum e_offrel offrel;
574 u_int offset, size;
575 bpf_int32 v;
576 {
577 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
578 }
579
580 static struct block *
581 gen_cmp_lt(offrel, offset, size, v)
582 enum e_offrel offrel;
583 u_int offset, size;
584 bpf_int32 v;
585 {
586 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
587 }
588
589 static struct block *
590 gen_cmp_le(offrel, offset, size, v)
591 enum e_offrel offrel;
592 u_int offset, size;
593 bpf_int32 v;
594 {
595 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
596 }
597
598 static struct block *
599 gen_mcmp(offrel, offset, size, v, mask)
600 enum e_offrel offrel;
601 u_int offset, size;
602 bpf_int32 v;
603 bpf_u_int32 mask;
604 {
605 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
606 }
607
608 static struct block *
609 gen_bcmp(offrel, offset, size, v)
610 enum e_offrel offrel;
611 register u_int offset, size;
612 register const u_char *v;
613 {
614 register struct block *b, *tmp;
615
616 b = NULL;
617 while (size >= 4) {
618 register const u_char *p = &v[size - 4];
619 bpf_int32 w = ((bpf_int32)p[0] << 24) |
620 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
621
622 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
623 if (b != NULL)
624 gen_and(b, tmp);
625 b = tmp;
626 size -= 4;
627 }
628 while (size >= 2) {
629 register const u_char *p = &v[size - 2];
630 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
631
632 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
633 if (b != NULL)
634 gen_and(b, tmp);
635 b = tmp;
636 size -= 2;
637 }
638 if (size > 0) {
639 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
640 if (b != NULL)
641 gen_and(b, tmp);
642 b = tmp;
643 }
644 return b;
645 }
646
647 /*
648 * AND the field of size "size" at offset "offset" relative to the header
649 * specified by "offrel" with "mask", and compare it with the value "v"
650 * with the test specified by "jtype"; if "reverse" is true, the test
651 * should test the opposite of "jtype".
652 */
653 static struct block *
654 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
655 enum e_offrel offrel;
656 bpf_int32 v;
657 bpf_u_int32 offset, size, mask, jtype;
658 int reverse;
659 {
660 struct slist *s, *s2;
661 struct block *b;
662
663 s = gen_load_a(offrel, offset, size);
664
665 if (mask != 0xffffffff) {
666 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
667 s2->s.k = mask;
668 sappend(s, s2);
669 }
670
671 b = new_block(JMP(jtype));
672 b->stmts = s;
673 b->s.k = v;
674 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
675 gen_not(b);
676 return b;
677 }
678
679 /*
680 * Various code constructs need to know the layout of the data link
681 * layer. These variables give the necessary offsets from the beginning
682 * of the packet data.
683 *
684 * If the link layer has variable_length headers, the offsets are offsets
685 * from the end of the link-link-layer header, and "reg_ll_size" is
686 * the register number for a register containing the length of the
687 * link-layer header. Otherwise, "reg_ll_size" is -1.
688 */
689 static int reg_ll_size;
690
691 /*
692 * This is the offset of the beginning of the link-layer header from
693 * the beginning of the raw packet data.
694 *
695 * It's usually 0, except for 802.11 with a fixed-length radio header.
696 * (For 802.11 with a variable-length radio header, we have to generate
697 * code to compute that offset; off_ll is 0 in that case.)
698 */
699 static u_int off_ll;
700
701 /*
702 * This is the offset of the beginning of the MAC-layer header.
703 * It's usually 0, except for ATM LANE, where it's the offset, relative
704 * to the beginning of the raw packet data, of the Ethernet header.
705 */
706 static u_int off_mac;
707
708 /*
709 * "off_linktype" is the offset to information in the link-layer header
710 * giving the packet type. This offset is relative to the beginning
711 * of the link-layer header (i.e., it doesn't include off_ll).
712 *
713 * For Ethernet, it's the offset of the Ethernet type field.
714 *
715 * For link-layer types that always use 802.2 headers, it's the
716 * offset of the LLC header.
717 *
718 * For PPP, it's the offset of the PPP type field.
719 *
720 * For Cisco HDLC, it's the offset of the CHDLC type field.
721 *
722 * For BSD loopback, it's the offset of the AF_ value.
723 *
724 * For Linux cooked sockets, it's the offset of the type field.
725 *
726 * It's set to -1 for no encapsulation, in which case, IP is assumed.
727 */
728 static u_int off_linktype;
729
730 /*
731 * TRUE if the link layer includes an ATM pseudo-header.
732 */
733 static int is_atm = 0;
734
735 /*
736 * TRUE if "lane" appeared in the filter; it causes us to generate
737 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
738 */
739 static int is_lane = 0;
740
741 /*
742 * These are offsets for the ATM pseudo-header.
743 */
744 static u_int off_vpi;
745 static u_int off_vci;
746 static u_int off_proto;
747
748 /*
749 * These are offsets for the MTP2 fields.
750 */
751 static u_int off_li;
752
753 /*
754 * These are offsets for the MTP3 fields.
755 */
756 static u_int off_sio;
757 static u_int off_opc;
758 static u_int off_dpc;
759 static u_int off_sls;
760
761 /*
762 * This is the offset of the first byte after the ATM pseudo_header,
763 * or -1 if there is no ATM pseudo-header.
764 */
765 static u_int off_payload;
766
767 /*
768 * These are offsets to the beginning of the network-layer header.
769 * They are relative to the beginning of the link-layer header (i.e.,
770 * they don't include off_ll).
771 *
772 * If the link layer never uses 802.2 LLC:
773 *
774 * "off_nl" and "off_nl_nosnap" are the same.
775 *
776 * If the link layer always uses 802.2 LLC:
777 *
778 * "off_nl" is the offset if there's a SNAP header following
779 * the 802.2 header;
780 *
781 * "off_nl_nosnap" is the offset if there's no SNAP header.
782 *
783 * If the link layer is Ethernet:
784 *
785 * "off_nl" is the offset if the packet is an Ethernet II packet
786 * (we assume no 802.3+802.2+SNAP);
787 *
788 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
789 * with an 802.2 header following it.
790 */
791 static u_int off_nl;
792 static u_int off_nl_nosnap;
793
794 static int linktype;
795
796 static void
797 init_linktype(p)
798 pcap_t *p;
799 {
800 linktype = pcap_datalink(p);
801 #ifdef PCAP_FDDIPAD
802 pcap_fddipad = p->fddipad;
803 #endif
804
805 /*
806 * Assume it's not raw ATM with a pseudo-header, for now.
807 */
808 off_mac = 0;
809 is_atm = 0;
810 is_lane = 0;
811 off_vpi = -1;
812 off_vci = -1;
813 off_proto = -1;
814 off_payload = -1;
815
816 /*
817 * And assume we're not doing SS7.
818 */
819 off_li = -1;
820 off_sio = -1;
821 off_opc = -1;
822 off_dpc = -1;
823 off_sls = -1;
824
825 /*
826 * Also assume it's not 802.11 with a fixed-length radio header.
827 */
828 off_ll = 0;
829
830 orig_linktype = -1;
831 orig_nl = -1;
832 label_stack_depth = 0;
833
834 reg_ll_size = -1;
835
836 switch (linktype) {
837
838 case DLT_ARCNET:
839 off_linktype = 2;
840 off_nl = 6; /* XXX in reality, variable! */
841 off_nl_nosnap = 6; /* no 802.2 LLC */
842 return;
843
844 case DLT_ARCNET_LINUX:
845 off_linktype = 4;
846 off_nl = 8; /* XXX in reality, variable! */
847 off_nl_nosnap = 8; /* no 802.2 LLC */
848 return;
849
850 case DLT_EN10MB:
851 off_linktype = 12;
852 off_nl = 14; /* Ethernet II */
853 off_nl_nosnap = 17; /* 802.3+802.2 */
854 return;
855
856 case DLT_SLIP:
857 /*
858 * SLIP doesn't have a link level type. The 16 byte
859 * header is hacked into our SLIP driver.
860 */
861 off_linktype = -1;
862 off_nl = 16;
863 off_nl_nosnap = 16; /* no 802.2 LLC */
864 return;
865
866 case DLT_SLIP_BSDOS:
867 /* XXX this may be the same as the DLT_PPP_BSDOS case */
868 off_linktype = -1;
869 /* XXX end */
870 off_nl = 24;
871 off_nl_nosnap = 24; /* no 802.2 LLC */
872 return;
873
874 case DLT_NULL:
875 case DLT_LOOP:
876 off_linktype = 0;
877 off_nl = 4;
878 off_nl_nosnap = 4; /* no 802.2 LLC */
879 return;
880
881 case DLT_ENC:
882 off_linktype = 0;
883 off_nl = 12;
884 off_nl_nosnap = 12; /* no 802.2 LLC */
885 return;
886
887 case DLT_PPP:
888 case DLT_PPP_PPPD:
889 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
890 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
891 off_linktype = 2;
892 off_nl = 4;
893 off_nl_nosnap = 4; /* no 802.2 LLC */
894 return;
895
896 case DLT_PPP_ETHER:
897 /*
898 * This does no include the Ethernet header, and
899 * only covers session state.
900 */
901 off_linktype = 6;
902 off_nl = 8;
903 off_nl_nosnap = 8; /* no 802.2 LLC */
904 return;
905
906 case DLT_PPP_BSDOS:
907 off_linktype = 5;
908 off_nl = 24;
909 off_nl_nosnap = 24; /* no 802.2 LLC */
910 return;
911
912 case DLT_FDDI:
913 /*
914 * FDDI doesn't really have a link-level type field.
915 * We set "off_linktype" to the offset of the LLC header.
916 *
917 * To check for Ethernet types, we assume that SSAP = SNAP
918 * is being used and pick out the encapsulated Ethernet type.
919 * XXX - should we generate code to check for SNAP?
920 */
921 off_linktype = 13;
922 #ifdef PCAP_FDDIPAD
923 off_linktype += pcap_fddipad;
924 #endif
925 off_nl = 21; /* FDDI+802.2+SNAP */
926 off_nl_nosnap = 16; /* FDDI+802.2 */
927 #ifdef PCAP_FDDIPAD
928 off_nl += pcap_fddipad;
929 off_nl_nosnap += pcap_fddipad;
930 #endif
931 return;
932
933 case DLT_IEEE802:
934 /*
935 * Token Ring doesn't really have a link-level type field.
936 * We set "off_linktype" to the offset of the LLC header.
937 *
938 * To check for Ethernet types, we assume that SSAP = SNAP
939 * is being used and pick out the encapsulated Ethernet type.
940 * XXX - should we generate code to check for SNAP?
941 *
942 * XXX - the header is actually variable-length.
943 * Some various Linux patched versions gave 38
944 * as "off_linktype" and 40 as "off_nl"; however,
945 * if a token ring packet has *no* routing
946 * information, i.e. is not source-routed, the correct
947 * values are 20 and 22, as they are in the vanilla code.
948 *
949 * A packet is source-routed iff the uppermost bit
950 * of the first byte of the source address, at an
951 * offset of 8, has the uppermost bit set. If the
952 * packet is source-routed, the total number of bytes
953 * of routing information is 2 plus bits 0x1F00 of
954 * the 16-bit value at an offset of 14 (shifted right
955 * 8 - figure out which byte that is).
956 */
957 off_linktype = 14;
958 off_nl = 22; /* Token Ring+802.2+SNAP */
959 off_nl_nosnap = 17; /* Token Ring+802.2 */
960 return;
961
962 case DLT_IEEE802_11:
963 /*
964 * 802.11 doesn't really have a link-level type field.
965 * We set "off_linktype" to the offset of the LLC header.
966 *
967 * To check for Ethernet types, we assume that SSAP = SNAP
968 * is being used and pick out the encapsulated Ethernet type.
969 * XXX - should we generate code to check for SNAP?
970 *
971 * XXX - the header is actually variable-length. We
972 * assume a 24-byte link-layer header, as appears in
973 * data frames in networks with no bridges. If the
974 * fromds and tods 802.11 header bits are both set,
975 * it's actually supposed to be 30 bytes.
976 */
977 off_linktype = 24;
978 off_nl = 32; /* 802.11+802.2+SNAP */
979 off_nl_nosnap = 27; /* 802.11+802.2 */
980 return;
981
982 case DLT_PRISM_HEADER:
983 /*
984 * Same as 802.11, but with an additional header before
985 * the 802.11 header, containing a bunch of additional
986 * information including radio-level information.
987 *
988 * The header is 144 bytes long.
989 *
990 * XXX - same variable-length header problem; at least
991 * the Prism header is fixed-length.
992 */
993 off_ll = 144;
994 off_linktype = 24;
995 off_nl = 32; /* Prism+802.11+802.2+SNAP */
996 off_nl_nosnap = 27; /* Prism+802.11+802.2 */
997 return;
998
999 case DLT_IEEE802_11_RADIO_AVS:
1000 /*
1001 * Same as 802.11, but with an additional header before
1002 * the 802.11 header, containing a bunch of additional
1003 * information including radio-level information.
1004 *
1005 * The header is 64 bytes long, at least in its
1006 * current incarnation.
1007 *
1008 * XXX - same variable-length header problem, only
1009 * more so; this header is also variable-length,
1010 * with the length being the 32-bit big-endian
1011 * number at an offset of 4 from the beginning
1012 * of the radio header. We should handle that the
1013 * same way we handle the length at the beginning
1014 * of the radiotap header.
1015 *
1016 * XXX - in Linux, do any drivers that supply an AVS
1017 * header supply a link-layer type other than
1018 * ARPHRD_IEEE80211_PRISM? If so, we should map that
1019 * to DLT_IEEE802_11_RADIO_AVS; if not, or if there are
1020 * any drivers that supply an AVS header but supply
1021 * an ARPHRD value of ARPHRD_IEEE80211_PRISM, we'll
1022 * have to check the header in the generated code to
1023 * determine whether it's Prism or AVS.
1024 */
1025 off_ll = 64;
1026 off_linktype = 24;
1027 off_nl = 32; /* Radio+802.11+802.2+SNAP */
1028 off_nl_nosnap = 27; /* Radio+802.11+802.2 */
1029 return;
1030
1031
1032 /*
1033 * At the moment we treat PPI as normal Radiotap encoded
1034 * packets. The difference is in the function that generates
1035 * the code at the beginning to compute the header length.
1036 * Since this code generator of PPI supports bare 802.11
1037 * encapsulation only (i.e. the encapsulated DLT should be
1038 * DLT_IEEE802_11) we generate code to check for this too.
1039 */
1040 case DLT_PPI:
1041 case DLT_IEEE802_11_RADIO:
1042 /*
1043 * Same as 802.11, but with an additional header before
1044 * the 802.11 header, containing a bunch of additional
1045 * information including radio-level information.
1046 *
1047 * The radiotap header is variable length, and we
1048 * generate code to compute its length and store it
1049 * in a register. These offsets are relative to the
1050 * beginning of the 802.11 header.
1051 */
1052 off_linktype = 24;
1053 off_nl = 32; /* 802.11+802.2+SNAP */
1054 off_nl_nosnap = 27; /* 802.11+802.2 */
1055 return;
1056
1057 case DLT_ATM_RFC1483:
1058 case DLT_ATM_CLIP: /* Linux ATM defines this */
1059 /*
1060 * assume routed, non-ISO PDUs
1061 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1062 *
1063 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1064 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1065 * latter would presumably be treated the way PPPoE
1066 * should be, so you can do "pppoe and udp port 2049"
1067 * or "pppoa and tcp port 80" and have it check for
1068 * PPPo{A,E} and a PPP protocol of IP and....
1069 */
1070 off_linktype = 0;
1071 off_nl = 8; /* 802.2+SNAP */
1072 off_nl_nosnap = 3; /* 802.2 */
1073 return;
1074
1075 case DLT_SUNATM:
1076 /*
1077 * Full Frontal ATM; you get AALn PDUs with an ATM
1078 * pseudo-header.
1079 */
1080 is_atm = 1;
1081 off_vpi = SUNATM_VPI_POS;
1082 off_vci = SUNATM_VCI_POS;
1083 off_proto = PROTO_POS;
1084 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
1085 off_payload = SUNATM_PKT_BEGIN_POS;
1086 off_linktype = off_payload;
1087 off_nl = off_payload+8; /* 802.2+SNAP */
1088 off_nl_nosnap = off_payload+3; /* 802.2 */
1089 return;
1090
1091 case DLT_RAW:
1092 off_linktype = -1;
1093 off_nl = 0;
1094 off_nl_nosnap = 0; /* no 802.2 LLC */
1095 return;
1096
1097 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1098 off_linktype = 14;
1099 off_nl = 16;
1100 off_nl_nosnap = 16; /* no 802.2 LLC */
1101 return;
1102
1103 case DLT_LTALK:
1104 /*
1105 * LocalTalk does have a 1-byte type field in the LLAP header,
1106 * but really it just indicates whether there is a "short" or
1107 * "long" DDP packet following.
1108 */
1109 off_linktype = -1;
1110 off_nl = 0;
1111 off_nl_nosnap = 0; /* no 802.2 LLC */
1112 return;
1113
1114 case DLT_IP_OVER_FC:
1115 /*
1116 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1117 * link-level type field. We set "off_linktype" to the
1118 * offset of the LLC header.
1119 *
1120 * To check for Ethernet types, we assume that SSAP = SNAP
1121 * is being used and pick out the encapsulated Ethernet type.
1122 * XXX - should we generate code to check for SNAP? RFC
1123 * 2625 says SNAP should be used.
1124 */
1125 off_linktype = 16;
1126 off_nl = 24; /* IPFC+802.2+SNAP */
1127 off_nl_nosnap = 19; /* IPFC+802.2 */
1128 return;
1129
1130 case DLT_FRELAY:
1131 /*
1132 * XXX - we should set this to handle SNAP-encapsulated
1133 * frames (NLPID of 0x80).
1134 */
1135 off_linktype = -1;
1136 off_nl = 0;
1137 off_nl_nosnap = 0; /* no 802.2 LLC */
1138 return;
1139
1140 /*
1141 * the only BPF-interesting FRF.16 frames are non-control frames;
1142 * Frame Relay has a variable length link-layer
1143 * so lets start with offset 4 for now and increments later on (FIXME);
1144 */
1145 case DLT_MFR:
1146 off_linktype = -1;
1147 off_nl = 4;
1148 off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1149 return;
1150
1151 case DLT_APPLE_IP_OVER_IEEE1394:
1152 off_linktype = 16;
1153 off_nl = 18;
1154 off_nl_nosnap = 18; /* no 802.2 LLC */
1155 return;
1156
1157 case DLT_LINUX_IRDA:
1158 /*
1159 * Currently, only raw "link[N:M]" filtering is supported.
1160 */
1161 off_linktype = -1;
1162 off_nl = -1;
1163 off_nl_nosnap = -1;
1164 return;
1165
1166 case DLT_DOCSIS:
1167 /*
1168 * Currently, only raw "link[N:M]" filtering is supported.
1169 */
1170 off_linktype = -1;
1171 off_nl = -1;
1172 off_nl_nosnap = -1;
1173 return;
1174
1175 case DLT_SYMANTEC_FIREWALL:
1176 off_linktype = 6;
1177 off_nl = 44; /* Ethernet II */
1178 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
1179 return;
1180
1181 #ifdef HAVE_NET_PFVAR_H
1182 case DLT_PFLOG:
1183 off_linktype = 0;
1184 off_nl = PFLOG_HDRLEN;
1185 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */
1186 return;
1187 #endif
1188
1189 case DLT_JUNIPER_MFR:
1190 case DLT_JUNIPER_MLFR:
1191 case DLT_JUNIPER_MLPPP:
1192 case DLT_JUNIPER_PPP:
1193 case DLT_JUNIPER_CHDLC:
1194 case DLT_JUNIPER_FRELAY:
1195 off_linktype = 4;
1196 off_nl = 4;
1197 off_nl_nosnap = -1; /* no 802.2 LLC */
1198 return;
1199
1200 case DLT_JUNIPER_ATM1:
1201 off_linktype = 4; /* in reality variable between 4-8 */
1202 off_nl = 4;
1203 off_nl_nosnap = 14;
1204 return;
1205
1206 case DLT_JUNIPER_ATM2:
1207 off_linktype = 8; /* in reality variable between 8-12 */
1208 off_nl = 8;
1209 off_nl_nosnap = 18;
1210 return;
1211
1212 /* frames captured on a Juniper PPPoE service PIC
1213 * contain raw ethernet frames */
1214 case DLT_JUNIPER_PPPOE:
1215 case DLT_JUNIPER_ETHER:
1216 off_linktype = 16;
1217 off_nl = 18; /* Ethernet II */
1218 off_nl_nosnap = 21; /* 802.3+802.2 */
1219 return;
1220
1221 case DLT_JUNIPER_PPPOE_ATM:
1222 off_linktype = 4;
1223 off_nl = 6;
1224 off_nl_nosnap = -1; /* no 802.2 LLC */
1225 return;
1226
1227 case DLT_JUNIPER_GGSN:
1228 off_linktype = 6;
1229 off_nl = 12;
1230 off_nl_nosnap = -1; /* no 802.2 LLC */
1231 return;
1232
1233 case DLT_JUNIPER_ES:
1234 off_linktype = 6;
1235 off_nl = -1; /* not really a network layer but raw IP adresses */
1236 off_nl_nosnap = -1; /* no 802.2 LLC */
1237 return;
1238
1239 case DLT_JUNIPER_MONITOR:
1240 off_linktype = 12;
1241 off_nl = 12; /* raw IP/IP6 header */
1242 off_nl_nosnap = -1; /* no 802.2 LLC */
1243 return;
1244
1245 case DLT_JUNIPER_SERVICES:
1246 off_linktype = 12;
1247 off_nl = -1; /* L3 proto location dep. on cookie type */
1248 off_nl_nosnap = -1; /* no 802.2 LLC */
1249 return;
1250
1251 case DLT_JUNIPER_VP:
1252 off_linktype = 18;
1253 off_nl = -1;
1254 off_nl_nosnap = -1;
1255 return;
1256
1257 case DLT_JUNIPER_ST:
1258 off_linktype = 18;
1259 off_nl = -1;
1260 off_nl_nosnap = -1;
1261 return;
1262
1263 case DLT_JUNIPER_ISM:
1264 off_linktype = 8;
1265 off_nl = -1;
1266 off_nl_nosnap = -1;
1267 return;
1268
1269 case DLT_MTP2:
1270 off_li = 2;
1271 off_sio = 3;
1272 off_opc = 4;
1273 off_dpc = 4;
1274 off_sls = 7;
1275 off_linktype = -1;
1276 off_nl = -1;
1277 off_nl_nosnap = -1;
1278 return;
1279
1280 case DLT_MTP2_WITH_PHDR:
1281 off_li = 6;
1282 off_sio = 7;
1283 off_opc = 8;
1284 off_dpc = 8;
1285 off_sls = 11;
1286 off_linktype = -1;
1287 off_nl = -1;
1288 off_nl_nosnap = -1;
1289 return;
1290
1291 #ifdef DLT_PFSYNC
1292 case DLT_PFSYNC:
1293 off_linktype = -1;
1294 off_nl = 4;
1295 off_nl_nosnap = 4;
1296 return;
1297 #endif
1298
1299 case DLT_LINUX_LAPD:
1300 /*
1301 * Currently, only raw "link[N:M]" filtering is supported.
1302 */
1303 off_linktype = -1;
1304 off_nl = -1;
1305 off_nl_nosnap = -1;
1306 return;
1307
1308 case DLT_USB:
1309 /*
1310 * Currently, only raw "link[N:M]" filtering is supported.
1311 */
1312 off_linktype = -1;
1313 off_nl = -1;
1314 off_nl_nosnap = -1;
1315 return;
1316
1317 case DLT_BLUETOOTH_HCI_H4:
1318 /*
1319 * Currently, only raw "link[N:M]" filtering is supported.
1320 */
1321 off_linktype = -1;
1322 off_nl = -1;
1323 off_nl_nosnap = -1;
1324 return;
1325
1326 case DLT_USB_LINUX:
1327 /*
1328 * Currently, only raw "link[N:M]" filtering is supported.
1329 */
1330 off_linktype = -1;
1331 off_nl = -1;
1332 off_nl_nosnap = -1;
1333 return;
1334
1335 case DLT_CAN20B:
1336 /*
1337 * Currently, only raw "link[N:M]" filtering is supported.
1338 */
1339 off_linktype = -1;
1340 off_nl = -1;
1341 off_nl_nosnap = -1;
1342 return;
1343
1344 case DLT_IEEE802_15_4_LINUX:
1345 /*
1346 * Currently, only raw "link[N:M]" filtering is supported.
1347 */
1348 off_linktype = -1;
1349 off_nl = -1;
1350 off_nl_nosnap = -1;
1351 return;
1352
1353 case DLT_IEEE802_16_MAC_CPS_RADIO:
1354 /*
1355 * Currently, only raw "link[N:M]" filtering is supported.
1356 */
1357 off_linktype = -1;
1358 off_nl = -1;
1359 off_nl_nosnap = -1;
1360 return;
1361
1362 case DLT_IEEE802_15_4:
1363 /*
1364 * Currently, only raw "link[N:M]" filtering is supported.
1365 */
1366 off_linktype = -1;
1367 off_nl = -1;
1368 off_nl_nosnap = -1;
1369 return;
1370
1371 case DLT_SITA:
1372 /*
1373 * Currently, only raw "link[N:M]" filtering is supported.
1374 */
1375 off_linktype = -1;
1376 off_nl = -1;
1377 off_nl_nosnap = -1;
1378 return;
1379
1380 case DLT_RAIF1:
1381 /*
1382 * Currently, only raw "link[N:M]" filtering is supported.
1383 */
1384 off_linktype = -1;
1385 off_nl = -1;
1386 off_nl_nosnap = -1;
1387 return;
1388
1389 case DLT_IPMB:
1390 /*
1391 * Currently, only raw "link[N:M]" filtering is supported.
1392 */
1393 off_linktype = -1;
1394 off_nl = -1;
1395 off_nl_nosnap = -1;
1396 return;
1397
1398 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
1399 /*
1400 * Currently, only raw "link[N:M]" filtering is supported.
1401 */
1402 off_linktype = -1;
1403 off_nl = -1;
1404 off_nl_nosnap = -1;
1405 return;
1406
1407 case DLT_AX25_KISS:
1408 /*
1409 * Currently, only raw "link[N:M]" filtering is supported.
1410 */
1411 off_linktype = -1; /* variable, min 15, max 71 steps of 7 */
1412 off_nl = -1; /* variable, min 16, max 71 steps of 7 */
1413 off_nl_nosnap = -1; /* no 802.2 LLC */
1414 off_mac = 1; /* step over the kiss length byte */
1415 return;
1416 }
1417 bpf_error("unknown data link type %d", linktype);
1418 /* NOTREACHED */
1419 }
1420
1421 /*
1422 * Load a value relative to the beginning of the link-layer header.
1423 * The link-layer header doesn't necessarily begin at the beginning
1424 * of the packet data; there might be a variable-length prefix containing
1425 * radio information.
1426 */
1427 static struct slist *
1428 gen_load_llrel(offset, size)
1429 u_int offset, size;
1430 {
1431 struct slist *s, *s2;
1432
1433 s = gen_llprefixlen();
1434
1435 /*
1436 * If "s" is non-null, it has code to arrange that the X register
1437 * contains the length of the prefix preceding the link-layer
1438 * header.
1439 *
1440 * Otherwise, the length of the prefix preceding the link-layer
1441 * header is "off_ll".
1442 */
1443 if (s != NULL) {
1444 /*
1445 * There's a variable-length prefix preceding the
1446 * link-layer header. "s" points to a list of statements
1447 * that put the length of that prefix into the X register.
1448 * do an indirect load, to use the X register as an offset.
1449 */
1450 s2 = new_stmt(BPF_LD|BPF_IND|size);
1451 s2->s.k = offset;
1452 sappend(s, s2);
1453 } else {
1454 /*
1455 * There is no variable-length header preceding the
1456 * link-layer header; add in off_ll, which, if there's
1457 * a fixed-length header preceding the link-layer header,
1458 * is the length of that header.
1459 */
1460 s = new_stmt(BPF_LD|BPF_ABS|size);
1461 s->s.k = offset + off_ll;
1462 }
1463 return s;
1464 }
1465
1466 /*
1467 * Load a value relative to the beginning of the specified header.
1468 */
1469 static struct slist *
1470 gen_load_a(offrel, offset, size)
1471 enum e_offrel offrel;
1472 u_int offset, size;
1473 {
1474 struct slist *s, *s2;
1475
1476 switch (offrel) {
1477
1478 case OR_PACKET:
1479 s = new_stmt(BPF_LD|BPF_ABS|size);
1480 s->s.k = offset;
1481 break;
1482
1483 case OR_LINK:
1484 s = gen_load_llrel(offset, size);
1485 break;
1486
1487 case OR_NET:
1488 s = gen_load_llrel(off_nl + offset, size);
1489 break;
1490
1491 case OR_NET_NOSNAP:
1492 s = gen_load_llrel(off_nl_nosnap + offset, size);
1493 break;
1494
1495 case OR_TRAN_IPV4:
1496 /*
1497 * Load the X register with the length of the IPv4 header
1498 * (plus the offset of the link-layer header, if it's
1499 * preceded by a variable-length header such as a radio
1500 * header), in bytes.
1501 */
1502 s = gen_loadx_iphdrlen();
1503
1504 /*
1505 * Load the item at {offset of the link-layer header} +
1506 * {offset, relative to the start of the link-layer
1507 * header, of the IPv4 header} + {length of the IPv4 header} +
1508 * {specified offset}.
1509 *
1510 * (If the link-layer is variable-length, it's included
1511 * in the value in the X register, and off_ll is 0.)
1512 */
1513 s2 = new_stmt(BPF_LD|BPF_IND|size);
1514 s2->s.k = off_ll + off_nl + offset;
1515 sappend(s, s2);
1516 break;
1517
1518 case OR_TRAN_IPV6:
1519 s = gen_load_llrel(off_nl + 40 + offset, size);
1520 break;
1521
1522 default:
1523 abort();
1524 return NULL;
1525 }
1526 return s;
1527 }
1528
1529 /*
1530 * Generate code to load into the X register the sum of the length of
1531 * the IPv4 header and any variable-length header preceding the link-layer
1532 * header.
1533 */
1534 static struct slist *
1535 gen_loadx_iphdrlen()
1536 {
1537 struct slist *s, *s2;
1538
1539 s = gen_llprefixlen();
1540 if (s != NULL) {
1541 /*
1542 * There's a variable-length prefix preceding the
1543 * link-layer header. "s" points to a list of statements
1544 * that put the length of that prefix into the X register.
1545 * The 4*([k]&0xf) addressing mode can't be used, as we
1546 * don't have a constant offset, so we have to load the
1547 * value in question into the A register and add to it
1548 * the value from the X register.
1549 */
1550 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1551 s2->s.k = off_nl;
1552 sappend(s, s2);
1553 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1554 s2->s.k = 0xf;
1555 sappend(s, s2);
1556 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1557 s2->s.k = 2;
1558 sappend(s, s2);
1559
1560 /*
1561 * The A register now contains the length of the
1562 * IP header. We need to add to it the length
1563 * of the prefix preceding the link-layer
1564 * header, which is still in the X register, and
1565 * move the result into the X register.
1566 */
1567 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1568 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1569 } else {
1570 /*
1571 * There is no variable-length header preceding the
1572 * link-layer header; add in off_ll, which, if there's
1573 * a fixed-length header preceding the link-layer header,
1574 * is the length of that header.
1575 */
1576 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1577 s->s.k = off_ll + off_nl;
1578 }
1579 return s;
1580 }
1581
1582 static struct block *
1583 gen_uncond(rsense)
1584 int rsense;
1585 {
1586 struct block *b;
1587 struct slist *s;
1588
1589 s = new_stmt(BPF_LD|BPF_IMM);
1590 s->s.k = !rsense;
1591 b = new_block(JMP(BPF_JEQ));
1592 b->stmts = s;
1593
1594 return b;
1595 }
1596
1597 static inline struct block *
1598 gen_true()
1599 {
1600 return gen_uncond(1);
1601 }
1602
1603 static inline struct block *
1604 gen_false()
1605 {
1606 return gen_uncond(0);
1607 }
1608
1609 /*
1610 * Byte-swap a 32-bit number.
1611 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1612 * big-endian platforms.)
1613 */
1614 #define SWAPLONG(y) \
1615 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1616
1617 /*
1618 * Generate code to match a particular packet type.
1619 *
1620 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1621 * value, if <= ETHERMTU. We use that to determine whether to
1622 * match the type/length field or to check the type/length field for
1623 * a value <= ETHERMTU to see whether it's a type field and then do
1624 * the appropriate test.
1625 */
1626 static struct block *
1627 gen_ether_linktype(proto)
1628 register int proto;
1629 {
1630 struct block *b0, *b1;
1631
1632 switch (proto) {
1633
1634 case LLCSAP_ISONS:
1635 case LLCSAP_IP:
1636 case LLCSAP_NETBEUI:
1637 /*
1638 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1639 * so we check the DSAP and SSAP.
1640 *
1641 * LLCSAP_IP checks for IP-over-802.2, rather
1642 * than IP-over-Ethernet or IP-over-SNAP.
1643 *
1644 * XXX - should we check both the DSAP and the
1645 * SSAP, like this, or should we check just the
1646 * DSAP, as we do for other types <= ETHERMTU
1647 * (i.e., other SAP values)?
1648 */
1649 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1650 gen_not(b0);
1651 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1652 ((proto << 8) | proto));
1653 gen_and(b0, b1);
1654 return b1;
1655
1656 case LLCSAP_IPX:
1657 /*
1658 * Check for;
1659 *
1660 * Ethernet_II frames, which are Ethernet
1661 * frames with a frame type of ETHERTYPE_IPX;
1662 *
1663 * Ethernet_802.3 frames, which are 802.3
1664 * frames (i.e., the type/length field is
1665 * a length field, <= ETHERMTU, rather than
1666 * a type field) with the first two bytes
1667 * after the Ethernet/802.3 header being
1668 * 0xFFFF;
1669 *
1670 * Ethernet_802.2 frames, which are 802.3
1671 * frames with an 802.2 LLC header and
1672 * with the IPX LSAP as the DSAP in the LLC
1673 * header;
1674 *
1675 * Ethernet_SNAP frames, which are 802.3
1676 * frames with an LLC header and a SNAP
1677 * header and with an OUI of 0x000000
1678 * (encapsulated Ethernet) and a protocol
1679 * ID of ETHERTYPE_IPX in the SNAP header.
1680 *
1681 * XXX - should we generate the same code both
1682 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1683 */
1684
1685 /*
1686 * This generates code to check both for the
1687 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1688 */
1689 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1690 (bpf_int32)LLCSAP_IPX);
1691 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H,
1692 (bpf_int32)0xFFFF);
1693 gen_or(b0, b1);
1694
1695 /*
1696 * Now we add code to check for SNAP frames with
1697 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1698 */
1699 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1700 gen_or(b0, b1);
1701
1702 /*
1703 * Now we generate code to check for 802.3
1704 * frames in general.
1705 */
1706 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1707 gen_not(b0);
1708
1709 /*
1710 * Now add the check for 802.3 frames before the
1711 * check for Ethernet_802.2 and Ethernet_802.3,
1712 * as those checks should only be done on 802.3
1713 * frames, not on Ethernet frames.
1714 */
1715 gen_and(b0, b1);
1716
1717 /*
1718 * Now add the check for Ethernet_II frames, and
1719 * do that before checking for the other frame
1720 * types.
1721 */
1722 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1723 (bpf_int32)ETHERTYPE_IPX);
1724 gen_or(b0, b1);
1725 return b1;
1726
1727 case ETHERTYPE_ATALK:
1728 case ETHERTYPE_AARP:
1729 /*
1730 * EtherTalk (AppleTalk protocols on Ethernet link
1731 * layer) may use 802.2 encapsulation.
1732 */
1733
1734 /*
1735 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1736 * we check for an Ethernet type field less than
1737 * 1500, which means it's an 802.3 length field.
1738 */
1739 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1740 gen_not(b0);
1741
1742 /*
1743 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1744 * SNAP packets with an organization code of
1745 * 0x080007 (Apple, for Appletalk) and a protocol
1746 * type of ETHERTYPE_ATALK (Appletalk).
1747 *
1748 * 802.2-encapsulated ETHERTYPE_AARP packets are
1749 * SNAP packets with an organization code of
1750 * 0x000000 (encapsulated Ethernet) and a protocol
1751 * type of ETHERTYPE_AARP (Appletalk ARP).
1752 */
1753 if (proto == ETHERTYPE_ATALK)
1754 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1755 else /* proto == ETHERTYPE_AARP */
1756 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1757 gen_and(b0, b1);
1758
1759 /*
1760 * Check for Ethernet encapsulation (Ethertalk
1761 * phase 1?); we just check for the Ethernet
1762 * protocol type.
1763 */
1764 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1765
1766 gen_or(b0, b1);
1767 return b1;
1768
1769 default:
1770 if (proto <= ETHERMTU) {
1771 /*
1772 * This is an LLC SAP value, so the frames
1773 * that match would be 802.2 frames.
1774 * Check that the frame is an 802.2 frame
1775 * (i.e., that the length/type field is
1776 * a length field, <= ETHERMTU) and
1777 * then check the DSAP.
1778 */
1779 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1780 gen_not(b0);
1781 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1782 (bpf_int32)proto);
1783 gen_and(b0, b1);
1784 return b1;
1785 } else {
1786 /*
1787 * This is an Ethernet type, so compare
1788 * the length/type field with it (if
1789 * the frame is an 802.2 frame, the length
1790 * field will be <= ETHERMTU, and, as
1791 * "proto" is > ETHERMTU, this test
1792 * will fail and the frame won't match,
1793 * which is what we want).
1794 */
1795 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1796 (bpf_int32)proto);
1797 }
1798 }
1799 }
1800
1801 /*
1802 * Generate code to match a particular packet type.
1803 *
1804 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1805 * value, if <= ETHERMTU. We use that to determine whether to
1806 * match the type field or to check the type field for the special
1807 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1808 */
1809 static struct block *
1810 gen_linux_sll_linktype(proto)
1811 register int proto;
1812 {
1813 struct block *b0, *b1;
1814
1815 switch (proto) {
1816
1817 case LLCSAP_ISONS:
1818 case LLCSAP_IP:
1819 case LLCSAP_NETBEUI:
1820 /*
1821 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1822 * so we check the DSAP and SSAP.
1823 *
1824 * LLCSAP_IP checks for IP-over-802.2, rather
1825 * than IP-over-Ethernet or IP-over-SNAP.
1826 *
1827 * XXX - should we check both the DSAP and the
1828 * SSAP, like this, or should we check just the
1829 * DSAP, as we do for other types <= ETHERMTU
1830 * (i.e., other SAP values)?
1831 */
1832 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1833 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1834 ((proto << 8) | proto));
1835 gen_and(b0, b1);
1836 return b1;
1837
1838 case LLCSAP_IPX:
1839 /*
1840 * Ethernet_II frames, which are Ethernet
1841 * frames with a frame type of ETHERTYPE_IPX;
1842 *
1843 * Ethernet_802.3 frames, which have a frame
1844 * type of LINUX_SLL_P_802_3;
1845 *
1846 * Ethernet_802.2 frames, which are 802.3
1847 * frames with an 802.2 LLC header (i.e, have
1848 * a frame type of LINUX_SLL_P_802_2) and
1849 * with the IPX LSAP as the DSAP in the LLC
1850 * header;
1851 *
1852 * Ethernet_SNAP frames, which are 802.3
1853 * frames with an LLC header and a SNAP
1854 * header and with an OUI of 0x000000
1855 * (encapsulated Ethernet) and a protocol
1856 * ID of ETHERTYPE_IPX in the SNAP header.
1857 *
1858 * First, do the checks on LINUX_SLL_P_802_2
1859 * frames; generate the check for either
1860 * Ethernet_802.2 or Ethernet_SNAP frames, and
1861 * then put a check for LINUX_SLL_P_802_2 frames
1862 * before it.
1863 */
1864 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1865 (bpf_int32)LLCSAP_IPX);
1866 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1867 off_linktype + 2);
1868 gen_or(b0, b1);
1869 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1870 gen_and(b0, b1);
1871
1872 /*
1873 * Now check for 802.3 frames and OR that with
1874 * the previous test.
1875 */
1876 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
1877 gen_or(b0, b1);
1878
1879 /*
1880 * Now add the check for Ethernet_II frames, and
1881 * do that before checking for the other frame
1882 * types.
1883 */
1884 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1885 (bpf_int32)ETHERTYPE_IPX);
1886 gen_or(b0, b1);
1887 return b1;
1888
1889 case ETHERTYPE_ATALK:
1890 case ETHERTYPE_AARP:
1891 /*
1892 * EtherTalk (AppleTalk protocols on Ethernet link
1893 * layer) may use 802.2 encapsulation.
1894 */
1895
1896 /*
1897 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1898 * we check for the 802.2 protocol type in the
1899 * "Ethernet type" field.
1900 */
1901 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1902
1903 /*
1904 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1905 * SNAP packets with an organization code of
1906 * 0x080007 (Apple, for Appletalk) and a protocol
1907 * type of ETHERTYPE_ATALK (Appletalk).
1908 *
1909 * 802.2-encapsulated ETHERTYPE_AARP packets are
1910 * SNAP packets with an organization code of
1911 * 0x000000 (encapsulated Ethernet) and a protocol
1912 * type of ETHERTYPE_AARP (Appletalk ARP).
1913 */
1914 if (proto == ETHERTYPE_ATALK)
1915 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1916 off_linktype + 2);
1917 else /* proto == ETHERTYPE_AARP */
1918 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1919 off_linktype + 2);
1920 gen_and(b0, b1);
1921
1922 /*
1923 * Check for Ethernet encapsulation (Ethertalk
1924 * phase 1?); we just check for the Ethernet
1925 * protocol type.
1926 */
1927 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1928
1929 gen_or(b0, b1);
1930 return b1;
1931
1932 default:
1933 if (proto <= ETHERMTU) {
1934 /*
1935 * This is an LLC SAP value, so the frames
1936 * that match would be 802.2 frames.
1937 * Check for the 802.2 protocol type
1938 * in the "Ethernet type" field, and
1939 * then check the DSAP.
1940 */
1941 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1942 LINUX_SLL_P_802_2);
1943 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1944 (bpf_int32)proto);
1945 gen_and(b0, b1);
1946 return b1;
1947 } else {
1948 /*
1949 * This is an Ethernet type, so compare
1950 * the length/type field with it (if
1951 * the frame is an 802.2 frame, the length
1952 * field will be <= ETHERMTU, and, as
1953 * "proto" is > ETHERMTU, this test
1954 * will fail and the frame won't match,
1955 * which is what we want).
1956 */
1957 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1958 (bpf_int32)proto);
1959 }
1960 }
1961 }
1962
1963 static void
1964 insert_radiotap_load_llprefixlen(b)
1965 struct block *b;
1966 {
1967 struct slist *s1, *s2;
1968
1969 /*
1970 * Prepend to the statements in this block code to load the
1971 * length of the radiotap header into the register assigned
1972 * to hold that length, if one has been assigned.
1973 */
1974 if (reg_ll_size != -1) {
1975 /*
1976 * The 2 bytes at offsets of 2 and 3 from the beginning
1977 * of the radiotap header are the length of the radiotap
1978 * header; unfortunately, it's little-endian, so we have
1979 * to load it a byte at a time and construct the value.
1980 */
1981
1982 /*
1983 * Load the high-order byte, at an offset of 3, shift it
1984 * left a byte, and put the result in the X register.
1985 */
1986 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1987 s1->s.k = 3;
1988 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1989 sappend(s1, s2);
1990 s2->s.k = 8;
1991 s2 = new_stmt(BPF_MISC|BPF_TAX);
1992 sappend(s1, s2);
1993
1994 /*
1995 * Load the next byte, at an offset of 2, and OR the
1996 * value from the X register into it.
1997 */
1998 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1999 sappend(s1, s2);
2000 s2->s.k = 2;
2001 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2002 sappend(s1, s2);
2003
2004 /*
2005 * Now allocate a register to hold that value and store
2006 * it.
2007 */
2008 s2 = new_stmt(BPF_ST);
2009 s2->s.k = reg_ll_size;
2010 sappend(s1, s2);
2011
2012 /*
2013 * Now move it into the X register.
2014 */
2015 s2 = new_stmt(BPF_MISC|BPF_TAX);
2016 sappend(s1, s2);
2017
2018 /*
2019 * Now append all the existing statements in this
2020 * block to these statements.
2021 */
2022 sappend(s1, b->stmts);
2023 b->stmts = s1;
2024 }
2025 }
2026
2027 /*
2028 * At the moment we treat PPI as normal Radiotap encoded
2029 * packets. The difference is in the function that generates
2030 * the code at the beginning to compute the header length.
2031 * Since this code generator of PPI supports bare 802.11
2032 * encapsulation only (i.e. the encapsulated DLT should be
2033 * DLT_IEEE802_11) we generate code to check for this too.
2034 */
2035 static void
2036 insert_ppi_load_llprefixlen(b)
2037 struct block *b;
2038 {
2039 struct slist *s1, *s2;
2040
2041 /*
2042 * Prepend to the statements in this block code to load the
2043 * length of the radiotap header into the register assigned
2044 * to hold that length, if one has been assigned.
2045 */
2046 if (reg_ll_size != -1) {
2047 /*
2048 * The 2 bytes at offsets of 2 and 3 from the beginning
2049 * of the radiotap header are the length of the radiotap
2050 * header; unfortunately, it's little-endian, so we have
2051 * to load it a byte at a time and construct the value.
2052 */
2053
2054 /*
2055 * Load the high-order byte, at an offset of 3, shift it
2056 * left a byte, and put the result in the X register.
2057 */
2058 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2059 s1->s.k = 3;
2060 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
2061 sappend(s1, s2);
2062 s2->s.k = 8;
2063 s2 = new_stmt(BPF_MISC|BPF_TAX);
2064 sappend(s1, s2);
2065
2066 /*
2067 * Load the next byte, at an offset of 2, and OR the
2068 * value from the X register into it.
2069 */
2070 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2071 sappend(s1, s2);
2072 s2->s.k = 2;
2073 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
2074 sappend(s1, s2);
2075
2076 /*
2077 * Now allocate a register to hold that value and store
2078 * it.
2079 */
2080 s2 = new_stmt(BPF_ST);
2081 s2->s.k = reg_ll_size;
2082 sappend(s1, s2);
2083
2084 /*
2085 * Now move it into the X register.
2086 */
2087 s2 = new_stmt(BPF_MISC|BPF_TAX);
2088 sappend(s1, s2);
2089
2090 /*
2091 * Now append all the existing statements in this
2092 * block to these statements.
2093 */
2094 sappend(s1, b->stmts);
2095 b->stmts = s1;
2096
2097 }
2098 }
2099
2100 static struct block *
2101 gen_ppi_dlt_check(void)
2102 {
2103 struct slist *s_load_dlt;
2104 struct block *b;
2105
2106 if (linktype == DLT_PPI)
2107 {
2108 /* Create the statements that check for the DLT
2109 */
2110 s_load_dlt = new_stmt(BPF_LD|BPF_W|BPF_ABS);
2111 s_load_dlt->s.k = 4;
2112
2113 b = new_block(JMP(BPF_JEQ));
2114
2115 b->stmts = s_load_dlt;
2116 b->s.k = SWAPLONG(DLT_IEEE802_11);
2117 }
2118 else
2119 {
2120 b = NULL;
2121 }
2122
2123 return b;
2124 }
2125
2126 static void
2127 insert_load_llprefixlen(b)
2128 struct block *b;
2129 {
2130 switch (linktype) {
2131
2132 /*
2133 * At the moment we treat PPI as normal Radiotap encoded
2134 * packets. The difference is in the function that generates
2135 * the code at the beginning to compute the header length.
2136 * Since this code generator of PPI supports bare 802.11
2137 * encapsulation only (i.e. the encapsulated DLT should be
2138 * DLT_IEEE802_11) we generate code to check for this too.
2139 */
2140 case DLT_PPI:
2141 insert_ppi_load_llprefixlen(b);
2142 break;
2143
2144 case DLT_IEEE802_11_RADIO:
2145 insert_radiotap_load_llprefixlen(b);
2146 break;
2147 }
2148 }
2149
2150
2151 static struct slist *
2152 gen_radiotap_llprefixlen(void)
2153 {
2154 struct slist *s;
2155
2156 if (reg_ll_size == -1) {
2157 /*
2158 * We haven't yet assigned a register for the length
2159 * of the radiotap header; allocate one.
2160 */
2161 reg_ll_size = alloc_reg();
2162 }
2163
2164 /*
2165 * Load the register containing the radiotap length
2166 * into the X register.
2167 */
2168 s = new_stmt(BPF_LDX|BPF_MEM);
2169 s->s.k = reg_ll_size;
2170 return s;
2171 }
2172
2173 /*
2174 * At the moment we treat PPI as normal Radiotap encoded
2175 * packets. The difference is in the function that generates
2176 * the code at the beginning to compute the header length.
2177 * Since this code generator of PPI supports bare 802.11
2178 * encapsulation only (i.e. the encapsulated DLT should be
2179 * DLT_IEEE802_11) we generate code to check for this too.
2180 */
2181 static struct slist *
2182 gen_ppi_llprefixlen(void)
2183 {
2184 struct slist *s;
2185
2186 if (reg_ll_size == -1) {
2187 /*
2188 * We haven't yet assigned a register for the length
2189 * of the radiotap header; allocate one.
2190 */
2191 reg_ll_size = alloc_reg();
2192 }
2193
2194 /*
2195 * Load the register containing the radiotap length
2196 * into the X register.
2197 */
2198 s = new_stmt(BPF_LDX|BPF_MEM);
2199 s->s.k = reg_ll_size;
2200 return s;
2201 }
2202
2203
2204
2205 /*
2206 * Generate code to compute the link-layer header length, if necessary,
2207 * putting it into the X register, and to return either a pointer to a
2208 * "struct slist" for the list of statements in that code, or NULL if
2209 * no code is necessary.
2210 */
2211 static struct slist *
2212 gen_llprefixlen(void)
2213 {
2214 switch (linktype) {
2215
2216 case DLT_PPI:
2217 return gen_ppi_llprefixlen();
2218
2219
2220 case DLT_IEEE802_11_RADIO:
2221 return gen_radiotap_llprefixlen();
2222
2223 default:
2224 return NULL;
2225 }
2226 }
2227
2228 /*
2229 * Generate code to match a particular packet type by matching the
2230 * link-layer type field or fields in the 802.2 LLC header.
2231 *
2232 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2233 * value, if <= ETHERMTU.
2234 */
2235 static struct block *
2236 gen_linktype(proto)
2237 register int proto;
2238 {
2239 struct block *b0, *b1, *b2;
2240
2241 /* are we checking MPLS-encapsulated packets? */
2242 if (label_stack_depth > 0) {
2243 switch (proto) {
2244 case ETHERTYPE_IP:
2245 case PPP_IP:
2246 /* FIXME add other L3 proto IDs */
2247 return gen_mpls_linktype(Q_IP);
2248
2249 case ETHERTYPE_IPV6:
2250 case PPP_IPV6:
2251 /* FIXME add other L3 proto IDs */
2252 return gen_mpls_linktype(Q_IPV6);
2253
2254 default:
2255 bpf_error("unsupported protocol over mpls");
2256 /* NOTREACHED */
2257 }
2258 }
2259
2260 switch (linktype) {
2261
2262 case DLT_EN10MB:
2263 return gen_ether_linktype(proto);
2264 /*NOTREACHED*/
2265 break;
2266
2267 case DLT_C_HDLC:
2268 switch (proto) {
2269
2270 case LLCSAP_ISONS:
2271 proto = (proto << 8 | LLCSAP_ISONS);
2272 /* fall through */
2273
2274 default:
2275 return gen_cmp(OR_LINK, off_linktype, BPF_H,
2276 (bpf_int32)proto);
2277 /*NOTREACHED*/
2278 break;
2279 }
2280 break;
2281
2282 case DLT_PPI:
2283 case DLT_FDDI:
2284 case DLT_IEEE802:
2285 case DLT_IEEE802_11:
2286 case DLT_IEEE802_11_RADIO_AVS:
2287 case DLT_IEEE802_11_RADIO:
2288 case DLT_PRISM_HEADER:
2289 case DLT_ATM_RFC1483:
2290 case DLT_ATM_CLIP:
2291 case DLT_IP_OVER_FC:
2292 return gen_llc_linktype(proto);
2293 /*NOTREACHED*/
2294 break;
2295
2296 case DLT_SUNATM:
2297 /*
2298 * If "is_lane" is set, check for a LANE-encapsulated
2299 * version of this protocol, otherwise check for an
2300 * LLC-encapsulated version of this protocol.
2301 *
2302 * We assume LANE means Ethernet, not Token Ring.
2303 */
2304 if (is_lane) {
2305 /*
2306 * Check that the packet doesn't begin with an
2307 * LE Control marker. (We've already generated
2308 * a test for LANE.)
2309 */
2310 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
2311 0xFF00);
2312 gen_not(b0);
2313
2314 /*
2315 * Now generate an Ethernet test.
2316 */
2317 b1 = gen_ether_linktype(proto);
2318 gen_and(b0, b1);
2319 return b1;
2320 } else {
2321 /*
2322 * Check for LLC encapsulation and then check the
2323 * protocol.
2324 */
2325 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
2326 b1 = gen_llc_linktype(proto);
2327 gen_and(b0, b1);
2328 return b1;
2329 }
2330 /*NOTREACHED*/
2331 break;
2332
2333 case DLT_LINUX_SLL:
2334 return gen_linux_sll_linktype(proto);
2335 /*NOTREACHED*/
2336 break;
2337
2338 case DLT_SLIP:
2339 case DLT_SLIP_BSDOS:
2340 case DLT_RAW:
2341 /*
2342 * These types don't provide any type field; packets
2343 * are always IPv4 or IPv6.
2344 *
2345 * XXX - for IPv4, check for a version number of 4, and,
2346 * for IPv6, check for a version number of 6?
2347 */
2348 switch (proto) {
2349
2350 case ETHERTYPE_IP:
2351 /* Check for a version number of 4. */
2352 return gen_mcmp(OR_LINK, 0, BPF_B, 0x40, 0xF0);
2353 #ifdef INET6
2354 case ETHERTYPE_IPV6:
2355 /* Check for a version number of 6. */
2356 return gen_mcmp(OR_LINK, 0, BPF_B, 0x60, 0xF0);
2357 #endif
2358
2359 default:
2360 return gen_false(); /* always false */
2361 }
2362 /*NOTREACHED*/
2363 break;
2364
2365 case DLT_PPP:
2366 case DLT_PPP_PPPD:
2367 case DLT_PPP_SERIAL:
2368 case DLT_PPP_ETHER:
2369 /*
2370 * We use Ethernet protocol types inside libpcap;
2371 * map them to the corresponding PPP protocol types.
2372 */
2373 switch (proto) {
2374
2375 case ETHERTYPE_IP:
2376 proto = PPP_IP;
2377 break;
2378
2379 #ifdef INET6
2380 case ETHERTYPE_IPV6:
2381 proto = PPP_IPV6;
2382 break;
2383 #endif
2384
2385 case ETHERTYPE_DN:
2386 proto = PPP_DECNET;
2387 break;
2388
2389 case ETHERTYPE_ATALK:
2390 proto = PPP_APPLE;
2391 break;
2392
2393 case ETHERTYPE_NS:
2394 proto = PPP_NS;
2395 break;
2396
2397 case LLCSAP_ISONS:
2398 proto = PPP_OSI;
2399 break;
2400
2401 case LLCSAP_8021D:
2402 /*
2403 * I'm assuming the "Bridging PDU"s that go
2404 * over PPP are Spanning Tree Protocol
2405 * Bridging PDUs.
2406 */
2407 proto = PPP_BRPDU;
2408 break;
2409
2410 case LLCSAP_IPX:
2411 proto = PPP_IPX;
2412 break;
2413 }
2414 break;
2415
2416 case DLT_PPP_BSDOS:
2417 /*
2418 * We use Ethernet protocol types inside libpcap;
2419 * map them to the corresponding PPP protocol types.
2420 */
2421 switch (proto) {
2422
2423 case ETHERTYPE_IP:
2424 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
2425 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
2426 gen_or(b0, b1);
2427 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
2428 gen_or(b1, b0);
2429 return b0;
2430
2431 #ifdef INET6
2432 case ETHERTYPE_IPV6:
2433 proto = PPP_IPV6;
2434 /* more to go? */
2435 break;
2436 #endif
2437
2438 case ETHERTYPE_DN:
2439 proto = PPP_DECNET;
2440 break;
2441
2442 case ETHERTYPE_ATALK:
2443 proto = PPP_APPLE;
2444 break;
2445
2446 case ETHERTYPE_NS:
2447 proto = PPP_NS;
2448 break;
2449
2450 case LLCSAP_ISONS:
2451 proto = PPP_OSI;
2452 break;
2453
2454 case LLCSAP_8021D:
2455 /*
2456 * I'm assuming the "Bridging PDU"s that go
2457 * over PPP are Spanning Tree Protocol
2458 * Bridging PDUs.
2459 */
2460 proto = PPP_BRPDU;
2461 break;
2462
2463 case LLCSAP_IPX:
2464 proto = PPP_IPX;
2465 break;
2466 }
2467 break;
2468
2469 case DLT_NULL:
2470 case DLT_LOOP:
2471 case DLT_ENC:
2472 /*
2473 * For DLT_NULL, the link-layer header is a 32-bit
2474 * word containing an AF_ value in *host* byte order,
2475 * and for DLT_ENC, the link-layer header begins
2476 * with a 32-bit work containing an AF_ value in
2477 * host byte order.
2478 *
2479 * In addition, if we're reading a saved capture file,
2480 * the host byte order in the capture may not be the
2481 * same as the host byte order on this machine.
2482 *
2483 * For DLT_LOOP, the link-layer header is a 32-bit
2484 * word containing an AF_ value in *network* byte order.
2485 *
2486 * XXX - AF_ values may, unfortunately, be platform-
2487 * dependent; for example, FreeBSD's AF_INET6 is 24
2488 * whilst NetBSD's and OpenBSD's is 26.
2489 *
2490 * This means that, when reading a capture file, just
2491 * checking for our AF_INET6 value won't work if the
2492 * capture file came from another OS.
2493 */
2494 switch (proto) {
2495
2496 case ETHERTYPE_IP:
2497 proto = AF_INET;
2498 break;
2499
2500 #ifdef INET6
2501 case ETHERTYPE_IPV6:
2502 proto = AF_INET6;
2503 break;
2504 #endif
2505
2506 default:
2507 /*
2508 * Not a type on which we support filtering.
2509 * XXX - support those that have AF_ values
2510 * #defined on this platform, at least?
2511 */
2512 return gen_false();
2513 }
2514
2515 if (linktype == DLT_NULL || linktype == DLT_ENC) {
2516 /*
2517 * The AF_ value is in host byte order, but
2518 * the BPF interpreter will convert it to
2519 * network byte order.
2520 *
2521 * If this is a save file, and it's from a
2522 * machine with the opposite byte order to
2523 * ours, we byte-swap the AF_ value.
2524 *
2525 * Then we run it through "htonl()", and
2526 * generate code to compare against the result.
2527 */
2528 if (bpf_pcap->sf.rfile != NULL &&
2529 bpf_pcap->sf.swapped)
2530 proto = SWAPLONG(proto);
2531 proto = htonl(proto);
2532 }
2533 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
2534
2535 #ifdef HAVE_NET_PFVAR_H
2536 case DLT_PFLOG:
2537 /*
2538 * af field is host byte order in contrast to the rest of
2539 * the packet.
2540 */
2541 if (proto == ETHERTYPE_IP)
2542 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2543 BPF_B, (bpf_int32)AF_INET));
2544 #ifdef INET6
2545 else if (proto == ETHERTYPE_IPV6)
2546 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2547 BPF_B, (bpf_int32)AF_INET6));
2548 #endif /* INET6 */
2549 else
2550 return gen_false();
2551 /*NOTREACHED*/
2552 break;
2553 #endif /* HAVE_NET_PFVAR_H */
2554
2555 case DLT_ARCNET:
2556 case DLT_ARCNET_LINUX:
2557 /*
2558 * XXX should we check for first fragment if the protocol
2559 * uses PHDS?
2560 */
2561 switch (proto) {
2562
2563 default:
2564 return gen_false();
2565
2566 #ifdef INET6
2567 case ETHERTYPE_IPV6:
2568 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2569 (bpf_int32)ARCTYPE_INET6));
2570 #endif /* INET6 */
2571
2572 case ETHERTYPE_IP:
2573 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2574 (bpf_int32)ARCTYPE_IP);
2575 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2576 (bpf_int32)ARCTYPE_IP_OLD);
2577 gen_or(b0, b1);
2578 return (b1);
2579
2580 case ETHERTYPE_ARP:
2581 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2582 (bpf_int32)ARCTYPE_ARP);
2583 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2584 (bpf_int32)ARCTYPE_ARP_OLD);
2585 gen_or(b0, b1);
2586 return (b1);
2587
2588 case ETHERTYPE_REVARP:
2589 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2590 (bpf_int32)ARCTYPE_REVARP));
2591
2592 case ETHERTYPE_ATALK:
2593 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2594 (bpf_int32)ARCTYPE_ATALK));
2595 }
2596 /*NOTREACHED*/
2597 break;
2598
2599 case DLT_LTALK:
2600 switch (proto) {
2601 case ETHERTYPE_ATALK:
2602 return gen_true();
2603 default:
2604 return gen_false();
2605 }
2606 /*NOTREACHED*/
2607 break;
2608
2609 case DLT_FRELAY:
2610 /*
2611 * XXX - assumes a 2-byte Frame Relay header with
2612 * DLCI and flags. What if the address is longer?
2613 */
2614 switch (proto) {
2615
2616 case ETHERTYPE_IP:
2617 /*
2618 * Check for the special NLPID for IP.
2619 */
2620 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
2621
2622 #ifdef INET6
2623 case ETHERTYPE_IPV6:
2624 /*
2625 * Check for the special NLPID for IPv6.
2626 */
2627 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
2628 #endif
2629
2630 case LLCSAP_ISONS:
2631 /*
2632 * Check for several OSI protocols.
2633 *
2634 * Frame Relay packets typically have an OSI
2635 * NLPID at the beginning; we check for each
2636 * of them.
2637 *
2638 * What we check for is the NLPID and a frame
2639 * control field of UI, i.e. 0x03 followed
2640 * by the NLPID.
2641 */
2642 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
2643 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
2644 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
2645 gen_or(b1, b2);
2646 gen_or(b0, b2);
2647 return b2;
2648
2649 default:
2650 return gen_false();
2651 }
2652 /*NOTREACHED*/
2653 break;
2654
2655 case DLT_JUNIPER_MFR:
2656 case DLT_JUNIPER_MLFR:
2657 case DLT_JUNIPER_MLPPP:
2658 case DLT_JUNIPER_ATM1:
2659 case DLT_JUNIPER_ATM2:
2660 case DLT_JUNIPER_PPPOE:
2661 case DLT_JUNIPER_PPPOE_ATM:
2662 case DLT_JUNIPER_GGSN:
2663 case DLT_JUNIPER_ES:
2664 case DLT_JUNIPER_MONITOR:
2665 case DLT_JUNIPER_SERVICES:
2666 case DLT_JUNIPER_ETHER:
2667 case DLT_JUNIPER_PPP:
2668 case DLT_JUNIPER_FRELAY:
2669 case DLT_JUNIPER_CHDLC:
2670 case DLT_JUNIPER_VP:
2671 case DLT_JUNIPER_ST:
2672 case DLT_JUNIPER_ISM:
2673 /* just lets verify the magic number for now -
2674 * on ATM we may have up to 6 different encapsulations on the wire
2675 * and need a lot of heuristics to figure out that the payload
2676 * might be;
2677 *
2678 * FIXME encapsulation specific BPF_ filters
2679 */
2680 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
2681
2682 case DLT_LINUX_IRDA:
2683 bpf_error("IrDA link-layer type filtering not implemented");
2684
2685 case DLT_DOCSIS:
2686 bpf_error("DOCSIS link-layer type filtering not implemented");
2687
2688 case DLT_LINUX_LAPD:
2689 bpf_error("LAPD link-layer type filtering not implemented");
2690
2691 case DLT_AX25_KISS:
2692 bpf_error("AX.25 link-layer type filtering not implemented");
2693 }
2694
2695 /*
2696 * All the types that have no encapsulation should either be
2697 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
2698 * all packets are IP packets, or should be handled in some
2699 * special case, if none of them are (if some are and some
2700 * aren't, the lack of encapsulation is a problem, as we'd
2701 * have to find some other way of determining the packet type).
2702 *
2703 * Therefore, if "off_linktype" is -1, there's an error.
2704 */
2705 if (off_linktype == (u_int)-1)
2706 abort();
2707
2708 /*
2709 * Any type not handled above should always have an Ethernet
2710 * type at an offset of "off_linktype". (PPP is partially
2711 * handled above - the protocol type is mapped from the
2712 * Ethernet and LLC types we use internally to the corresponding
2713 * PPP type - but the PPP type is always specified by a value
2714 * at "off_linktype", so we don't have to do the code generation
2715 * above.)
2716 */
2717 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2718 }
2719
2720 /*
2721 * Check for an LLC SNAP packet with a given organization code and
2722 * protocol type; we check the entire contents of the 802.2 LLC and
2723 * snap headers, checking for DSAP and SSAP of SNAP and a control
2724 * field of 0x03 in the LLC header, and for the specified organization
2725 * code and protocol type in the SNAP header.
2726 */
2727 static struct block *
2728 gen_snap(orgcode, ptype, offset)
2729 bpf_u_int32 orgcode;
2730 bpf_u_int32 ptype;
2731 u_int offset;
2732 {
2733 u_char snapblock[8];
2734
2735 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
2736 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
2737 snapblock[2] = 0x03; /* control = UI */
2738 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
2739 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
2740 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
2741 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
2742 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
2743 return gen_bcmp(OR_LINK, offset, 8, snapblock);
2744 }
2745
2746 /*
2747 * Generate code to match a particular packet type, for link-layer types
2748 * using 802.2 LLC headers.
2749 *
2750 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
2751 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
2752 *
2753 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2754 * value, if <= ETHERMTU. We use that to determine whether to
2755 * match the DSAP or both DSAP and LSAP or to check the OUI and
2756 * protocol ID in a SNAP header.
2757 */
2758 static struct block *
2759 gen_llc_linktype(proto)
2760 int proto;
2761 {
2762 /*
2763 * XXX - handle token-ring variable-length header.
2764 */
2765 switch (proto) {
2766
2767 case LLCSAP_IP:
2768 case LLCSAP_ISONS:
2769 case LLCSAP_NETBEUI:
2770 /*
2771 * XXX - should we check both the DSAP and the
2772 * SSAP, like this, or should we check just the
2773 * DSAP, as we do for other types <= ETHERMTU
2774 * (i.e., other SAP values)?
2775 */
2776 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32)
2777 ((proto << 8) | proto));
2778
2779 case LLCSAP_IPX:
2780 /*
2781 * XXX - are there ever SNAP frames for IPX on
2782 * non-Ethernet 802.x networks?
2783 */
2784 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2785 (bpf_int32)LLCSAP_IPX);
2786
2787 case ETHERTYPE_ATALK:
2788 /*
2789 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2790 * SNAP packets with an organization code of
2791 * 0x080007 (Apple, for Appletalk) and a protocol
2792 * type of ETHERTYPE_ATALK (Appletalk).
2793 *
2794 * XXX - check for an organization code of
2795 * encapsulated Ethernet as well?
2796 */
2797 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
2798
2799 default:
2800 /*
2801 * XXX - we don't have to check for IPX 802.3
2802 * here, but should we check for the IPX Ethertype?
2803 */
2804 if (proto <= ETHERMTU) {
2805 /*
2806 * This is an LLC SAP value, so check
2807 * the DSAP.
2808 */
2809 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2810 (bpf_int32)proto);
2811 } else {
2812 /*
2813 * This is an Ethernet type; we assume that it's
2814 * unlikely that it'll appear in the right place
2815 * at random, and therefore check only the
2816 * location that would hold the Ethernet type
2817 * in a SNAP frame with an organization code of
2818 * 0x000000 (encapsulated Ethernet).
2819 *
2820 * XXX - if we were to check for the SNAP DSAP and
2821 * LSAP, as per XXX, and were also to check for an
2822 * organization code of 0x000000 (encapsulated
2823 * Ethernet), we'd do
2824 *
2825 * return gen_snap(0x000000, proto,
2826 * off_linktype);
2827 *
2828 * here; for now, we don't, as per the above.
2829 * I don't know whether it's worth the extra CPU
2830 * time to do the right check or not.
2831 */
2832 return gen_cmp(OR_LINK, off_linktype+6, BPF_H,
2833 (bpf_int32)proto);
2834 }
2835 }
2836 }
2837
2838 static struct block *
2839 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
2840 bpf_u_int32 addr;
2841 bpf_u_int32 mask;
2842 int dir, proto;
2843 u_int src_off, dst_off;
2844 {
2845 struct block *b0, *b1;
2846 u_int offset;
2847
2848 switch (dir) {
2849
2850 case Q_SRC:
2851 offset = src_off;
2852 break;
2853
2854 case Q_DST:
2855 offset = dst_off;
2856 break;
2857
2858 case Q_AND:
2859 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2860 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2861 gen_and(b0, b1);
2862 return b1;
2863
2864 case Q_OR:
2865 case Q_DEFAULT:
2866 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2867 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2868 gen_or(b0, b1);
2869 return b1;
2870
2871 default:
2872 abort();
2873 }
2874 b0 = gen_linktype(proto);
2875 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
2876 gen_and(b0, b1);
2877 return b1;
2878 }
2879
2880 #ifdef INET6
2881 static struct block *
2882 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
2883 struct in6_addr *addr;
2884 struct in6_addr *mask;
2885 int dir, proto;
2886 u_int src_off, dst_off;
2887 {
2888 struct block *b0, *b1;
2889 u_int offset;
2890 u_int32_t *a, *m;
2891
2892 switch (dir) {
2893
2894 case Q_SRC:
2895 offset = src_off;
2896 break;
2897
2898 case Q_DST:
2899 offset = dst_off;
2900 break;
2901
2902 case Q_AND:
2903 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2904 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2905 gen_and(b0, b1);
2906 return b1;
2907
2908 case Q_OR:
2909 case Q_DEFAULT:
2910 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2911 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2912 gen_or(b0, b1);
2913 return b1;
2914
2915 default:
2916 abort();
2917 }
2918 /* this order is important */
2919 a = (u_int32_t *)addr;
2920 m = (u_int32_t *)mask;
2921 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2922 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2923 gen_and(b0, b1);
2924 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2925 gen_and(b0, b1);
2926 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2927 gen_and(b0, b1);
2928 b0 = gen_linktype(proto);
2929 gen_and(b0, b1);
2930 return b1;
2931 }
2932 #endif /*INET6*/
2933
2934 static struct block *
2935 gen_ehostop(eaddr, dir)
2936 register const u_char *eaddr;
2937 register int dir;
2938 {
2939 register struct block *b0, *b1;
2940
2941 switch (dir) {
2942 case Q_SRC:
2943 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
2944
2945 case Q_DST:
2946 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
2947
2948 case Q_AND:
2949 b0 = gen_ehostop(eaddr, Q_SRC);
2950 b1 = gen_ehostop(eaddr, Q_DST);
2951 gen_and(b0, b1);
2952 return b1;
2953
2954 case Q_DEFAULT:
2955 case Q_OR:
2956 b0 = gen_ehostop(eaddr, Q_SRC);
2957 b1 = gen_ehostop(eaddr, Q_DST);
2958 gen_or(b0, b1);
2959 return b1;
2960 }
2961 abort();
2962 /* NOTREACHED */
2963 }
2964
2965 /*
2966 * Like gen_ehostop, but for DLT_FDDI
2967 */
2968 static struct block *
2969 gen_fhostop(eaddr, dir)
2970 register const u_char *eaddr;
2971 register int dir;
2972 {
2973 struct block *b0, *b1;
2974
2975 switch (dir) {
2976 case Q_SRC:
2977 #ifdef PCAP_FDDIPAD
2978 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
2979 #else
2980 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
2981 #endif
2982
2983 case Q_DST:
2984 #ifdef PCAP_FDDIPAD
2985 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
2986 #else
2987 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
2988 #endif
2989
2990 case Q_AND:
2991 b0 = gen_fhostop(eaddr, Q_SRC);
2992 b1 = gen_fhostop(eaddr, Q_DST);
2993 gen_and(b0, b1);
2994 return b1;
2995
2996 case Q_DEFAULT:
2997 case Q_OR:
2998 b0 = gen_fhostop(eaddr, Q_SRC);
2999 b1 = gen_fhostop(eaddr, Q_DST);
3000 gen_or(b0, b1);
3001 return b1;
3002 }
3003 abort();
3004 /* NOTREACHED */
3005 }
3006
3007 /*
3008 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
3009 */
3010 static struct block *
3011 gen_thostop(eaddr, dir)
3012 register const u_char *eaddr;
3013 register int dir;
3014 {
3015 register struct block *b0, *b1;
3016
3017 switch (dir) {
3018 case Q_SRC:
3019 return gen_bcmp(OR_LINK, 8, 6, eaddr);
3020
3021 case Q_DST:
3022 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3023
3024 case Q_AND:
3025 b0 = gen_thostop(eaddr, Q_SRC);
3026 b1 = gen_thostop(eaddr, Q_DST);
3027 gen_and(b0, b1);
3028 return b1;
3029
3030 case Q_DEFAULT:
3031 case Q_OR:
3032 b0 = gen_thostop(eaddr, Q_SRC);
3033 b1 = gen_thostop(eaddr, Q_DST);
3034 gen_or(b0, b1);
3035 return b1;
3036 }
3037 abort();
3038 /* NOTREACHED */
3039 }
3040
3041 /*
3042 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
3043 */
3044 static struct block *
3045 gen_wlanhostop(eaddr, dir)
3046 register const u_char *eaddr;
3047 register int dir;
3048 {
3049 register struct block *b0, *b1, *b2;
3050 register struct slist *s;
3051
3052 switch (dir) {
3053 case Q_SRC:
3054 /*
3055 * Oh, yuk.
3056 *
3057 * For control frames, there is no SA.
3058 *
3059 * For management frames, SA is at an
3060 * offset of 10 from the beginning of
3061 * the packet.
3062 *
3063 * For data frames, SA is at an offset
3064 * of 10 from the beginning of the packet
3065 * if From DS is clear, at an offset of
3066 * 16 from the beginning of the packet
3067 * if From DS is set and To DS is clear,
3068 * and an offset of 24 from the beginning
3069 * of the packet if From DS is set and To DS
3070 * is set.
3071 */
3072
3073 /*
3074 * Generate the tests to be done for data frames
3075 * with From DS set.
3076 *
3077 * First, check for To DS set, i.e. check "link[1] & 0x01".
3078 */
3079 s = gen_load_a(OR_LINK, 1, BPF_B);
3080 b1 = new_block(JMP(BPF_JSET));
3081 b1->s.k = 0x01; /* To DS */
3082 b1->stmts = s;
3083
3084 /*
3085 * If To DS is set, the SA is at 24.
3086 */
3087 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
3088 gen_and(b1, b0);
3089
3090 /*
3091 * Now, check for To DS not set, i.e. check
3092 * "!(link[1] & 0x01)".
3093 */
3094 s = gen_load_a(OR_LINK, 1, BPF_B);
3095 b2 = new_block(JMP(BPF_JSET));
3096 b2->s.k = 0x01; /* To DS */
3097 b2->stmts = s;
3098 gen_not(b2);
3099
3100 /*
3101 * If To DS is not set, the SA is at 16.
3102 */
3103 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3104 gen_and(b2, b1);
3105
3106 /*
3107 * Now OR together the last two checks. That gives
3108 * the complete set of checks for data frames with
3109 * From DS set.
3110 */
3111 gen_or(b1, b0);
3112
3113 /*
3114 * Now check for From DS being set, and AND that with
3115 * the ORed-together checks.
3116 */
3117 s = gen_load_a(OR_LINK, 1, BPF_B);
3118 b1 = new_block(JMP(BPF_JSET));
3119 b1->s.k = 0x02; /* From DS */
3120 b1->stmts = s;
3121 gen_and(b1, b0);
3122
3123 /*
3124 * Now check for data frames with From DS not set.
3125 */
3126 s = gen_load_a(OR_LINK, 1, BPF_B);
3127 b2 = new_block(JMP(BPF_JSET));
3128 b2->s.k = 0x02; /* From DS */
3129 b2->stmts = s;
3130 gen_not(b2);
3131
3132 /*
3133 * If From DS isn't set, the SA is at 10.
3134 */
3135 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3136 gen_and(b2, b1);
3137
3138 /*
3139 * Now OR together the checks for data frames with
3140 * From DS not set and for data frames with From DS
3141 * set; that gives the checks done for data frames.
3142 */
3143 gen_or(b1, b0);
3144
3145 /*
3146 * Now check for a data frame.
3147 * I.e, check "link[0] & 0x08".
3148 */
3149 gen_load_a(OR_LINK, 0, BPF_B);
3150 b1 = new_block(JMP(BPF_JSET));
3151 b1->s.k = 0x08;
3152 b1->stmts = s;
3153
3154 /*
3155 * AND that with the checks done for data frames.
3156 */
3157 gen_and(b1, b0);
3158
3159 /*
3160 * If the high-order bit of the type value is 0, this
3161 * is a management frame.
3162 * I.e, check "!(link[0] & 0x08)".
3163 */
3164 s = gen_load_a(OR_LINK, 0, BPF_B);
3165 b2 = new_block(JMP(BPF_JSET));
3166 b2->s.k = 0x08;
3167 b2->stmts = s;
3168 gen_not(b2);
3169
3170 /*
3171 * For management frames, the SA is at 10.
3172 */
3173 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
3174 gen_and(b2, b1);
3175
3176 /*
3177 * OR that with the checks done for data frames.
3178 * That gives the checks done for management and
3179 * data frames.
3180 */
3181 gen_or(b1, b0);
3182
3183 /*
3184 * If the low-order bit of the type value is 1,
3185 * this is either a control frame or a frame
3186 * with a reserved type, and thus not a
3187 * frame with an SA.
3188 *
3189 * I.e., check "!(link[0] & 0x04)".
3190 */
3191 s = gen_load_a(OR_LINK, 0, BPF_B);
3192 b1 = new_block(JMP(BPF_JSET));
3193 b1->s.k = 0x04;
3194 b1->stmts = s;
3195 gen_not(b1);
3196
3197 /*
3198 * AND that with the checks for data and management
3199 * frames.
3200 */
3201 gen_and(b1, b0);
3202 return b0;
3203
3204 case Q_DST:
3205 /*
3206 * Oh, yuk.
3207 *
3208 * For control frames, there is no DA.
3209 *
3210 * For management frames, DA is at an
3211 * offset of 4 from the beginning of
3212 * the packet.
3213 *
3214 * For data frames, DA is at an offset
3215 * of 4 from the beginning of the packet
3216 * if To DS is clear and at an offset of
3217 * 16 from the beginning of the packet
3218 * if To DS is set.
3219 */
3220
3221 /*
3222 * Generate the tests to be done for data frames.
3223 *
3224 * First, check for To DS set, i.e. "link[1] & 0x01".
3225 */
3226 s = gen_load_a(OR_LINK, 1, BPF_B);
3227 b1 = new_block(JMP(BPF_JSET));
3228 b1->s.k = 0x01; /* To DS */
3229 b1->stmts = s;
3230
3231 /*
3232 * If To DS is set, the DA is at 16.
3233 */
3234 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
3235 gen_and(b1, b0);
3236
3237 /*
3238 * Now, check for To DS not set, i.e. check
3239 * "!(link[1] & 0x01)".
3240 */
3241 s = gen_load_a(OR_LINK, 1, BPF_B);
3242 b2 = new_block(JMP(BPF_JSET));
3243 b2->s.k = 0x01; /* To DS */
3244 b2->stmts = s;
3245 gen_not(b2);
3246
3247 /*
3248 * If To DS is not set, the DA is at 4.
3249 */
3250 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
3251 gen_and(b2, b1);
3252
3253 /*
3254 * Now OR together the last two checks. That gives
3255 * the complete set of checks for data frames.
3256 */
3257 gen_or(b1, b0);
3258
3259 /*
3260 * Now check for a data frame.
3261 * I.e, check "link[0] & 0x08".
3262 */
3263 s = gen_load_a(OR_LINK, 0, BPF_B);
3264 b1 = new_block(JMP(BPF_JSET));
3265 b1->s.k = 0x08;
3266 b1->stmts = s;
3267
3268 /*
3269 * AND that with the checks done for data frames.
3270 */
3271 gen_and(b1, b0);
3272
3273 /*
3274 * If the high-order bit of the type value is 0, this
3275 * is a management frame.
3276 * I.e, check "!(link[0] & 0x08)".
3277 */
3278 s = gen_load_a(OR_LINK, 0, BPF_B);
3279 b2 = new_block(JMP(BPF_JSET));
3280 b2->s.k = 0x08;
3281 b2->stmts = s;
3282 gen_not(b2);
3283
3284 /*
3285 * For management frames, the DA is at 4.
3286 */
3287 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
3288 gen_and(b2, b1);
3289
3290 /*
3291 * OR that with the checks done for data frames.
3292 * That gives the checks done for management and
3293 * data frames.
3294 */
3295 gen_or(b1, b0);
3296
3297 /*
3298 * If the low-order bit of the type value is 1,
3299 * this is either a control frame or a frame
3300 * with a reserved type, and thus not a
3301 * frame with an SA.
3302 *
3303 * I.e., check "!(link[0] & 0x04)".
3304 */
3305 s = gen_load_a(OR_LINK, 0, BPF_B);
3306 b1 = new_block(JMP(BPF_JSET));
3307 b1->s.k = 0x04;
3308 b1->stmts = s;
3309 gen_not(b1);
3310
3311 /*
3312 * AND that with the checks for data and management
3313 * frames.
3314 */
3315 gen_and(b1, b0);
3316 return b0;
3317
3318 case Q_AND:
3319 b0 = gen_wlanhostop(eaddr, Q_SRC);
3320 b1 = gen_wlanhostop(eaddr, Q_DST);
3321 gen_and(b0, b1);
3322 return b1;
3323
3324 case Q_DEFAULT:
3325 case Q_OR:
3326 b0 = gen_wlanhostop(eaddr, Q_SRC);
3327 b1 = gen_wlanhostop(eaddr, Q_DST);
3328 gen_or(b0, b1);
3329 return b1;
3330 }
3331 abort();
3332 /* NOTREACHED */
3333 }
3334
3335 /*
3336 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
3337 * (We assume that the addresses are IEEE 48-bit MAC addresses,
3338 * as the RFC states.)
3339 */
3340 static struct block *
3341 gen_ipfchostop(eaddr, dir)
3342 register const u_char *eaddr;
3343 register int dir;
3344 {
3345 register struct block *b0, *b1;
3346
3347 switch (dir) {
3348 case Q_SRC:
3349 return gen_bcmp(OR_LINK, 10, 6, eaddr);
3350
3351 case Q_DST:
3352 return gen_bcmp(OR_LINK, 2, 6, eaddr);
3353
3354 case Q_AND:
3355 b0 = gen_ipfchostop(eaddr, Q_SRC);
3356 b1 = gen_ipfchostop(eaddr, Q_DST);
3357 gen_and(b0, b1);
3358 return b1;
3359
3360 case Q_DEFAULT:
3361 case Q_OR:
3362 b0 = gen_ipfchostop(eaddr, Q_SRC);
3363 b1 = gen_ipfchostop(eaddr, Q_DST);
3364 gen_or(b0, b1);
3365 return b1;
3366 }
3367 abort();
3368 /* NOTREACHED */
3369 }
3370
3371 /*
3372 * This is quite tricky because there may be pad bytes in front of the
3373 * DECNET header, and then there are two possible data packet formats that
3374 * carry both src and dst addresses, plus 5 packet types in a format that
3375 * carries only the src node, plus 2 types that use a different format and
3376 * also carry just the src node.
3377 *
3378 * Yuck.
3379 *
3380 * Instead of doing those all right, we just look for data packets with
3381 * 0 or 1 bytes of padding. If you want to look at other packets, that
3382 * will require a lot more hacking.
3383 *
3384 * To add support for filtering on DECNET "areas" (network numbers)
3385 * one would want to add a "mask" argument to this routine. That would
3386 * make the filter even more inefficient, although one could be clever
3387 * and not generate masking instructions if the mask is 0xFFFF.
3388 */
3389 static struct block *
3390 gen_dnhostop(addr, dir)
3391 bpf_u_int32 addr;
3392 int dir;
3393 {
3394 struct block *b0, *b1, *b2, *tmp;
3395 u_int offset_lh; /* offset if long header is received */
3396 u_int offset_sh; /* offset if short header is received */
3397
3398 switch (dir) {
3399
3400 case Q_DST:
3401 offset_sh = 1; /* follows flags */
3402 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
3403 break;
3404
3405 case Q_SRC:
3406 offset_sh = 3; /* follows flags, dstnode */
3407 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
3408 break;
3409
3410 case Q_AND:
3411 /* Inefficient because we do our Calvinball dance twice */
3412 b0 = gen_dnhostop(addr, Q_SRC);
3413 b1 = gen_dnhostop(addr, Q_DST);
3414 gen_and(b0, b1);
3415 return b1;
3416
3417 case Q_OR:
3418 case Q_DEFAULT:
3419 /* Inefficient because we do our Calvinball dance twice */
3420 b0 = gen_dnhostop(addr, Q_SRC);
3421 b1 = gen_dnhostop(addr, Q_DST);
3422 gen_or(b0, b1);
3423 return b1;
3424
3425 case Q_ISO:
3426 bpf_error("ISO host filtering not implemented");
3427
3428 default:
3429 abort();
3430 }
3431 b0 = gen_linktype(ETHERTYPE_DN);
3432 /* Check for pad = 1, long header case */
3433 tmp = gen_mcmp(OR_NET, 2, BPF_H,
3434 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
3435 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
3436 BPF_H, (bpf_int32)ntohs((u_short)addr));
3437 gen_and(tmp, b1);
3438 /* Check for pad = 0, long header case */
3439 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
3440 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3441 gen_and(tmp, b2);
3442 gen_or(b2, b1);
3443 /* Check for pad = 1, short header case */
3444 tmp = gen_mcmp(OR_NET, 2, BPF_H,
3445 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
3446 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3447 gen_and(tmp, b2);
3448 gen_or(b2, b1);
3449 /* Check for pad = 0, short header case */
3450 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
3451 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs((u_short)addr));
3452 gen_and(tmp, b2);
3453 gen_or(b2, b1);
3454
3455 /* Combine with test for linktype */
3456 gen_and(b0, b1);
3457 return b1;
3458 }
3459
3460 /*
3461 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
3462 * test the bottom-of-stack bit, and then check the version number
3463 * field in the IP header.
3464 */
3465 static struct block *
3466 gen_mpls_linktype(proto)
3467 int proto;
3468 {
3469 struct block *b0, *b1;
3470
3471 switch (proto) {
3472
3473 case Q_IP:
3474 /* match the bottom-of-stack bit */
3475 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3476 /* match the IPv4 version number */
3477 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x40, 0xf0);
3478 gen_and(b0, b1);
3479 return b1;
3480
3481 case Q_IPV6:
3482 /* match the bottom-of-stack bit */
3483 b0 = gen_mcmp(OR_NET, -2, BPF_B, 0x01, 0x01);
3484 /* match the IPv4 version number */
3485 b1 = gen_mcmp(OR_NET, 0, BPF_B, 0x60, 0xf0);
3486 gen_and(b0, b1);
3487 return b1;
3488
3489 default:
3490 abort();
3491 }
3492 }
3493
3494 static struct block *
3495 gen_host(addr, mask, proto, dir, type)
3496 bpf_u_int32 addr;
3497 bpf_u_int32 mask;
3498 int proto;
3499 int dir;
3500 int type;
3501 {
3502 struct block *b0, *b1;
3503 const char *typestr;
3504
3505 if (type == Q_NET)
3506 typestr = "net";
3507 else
3508 typestr = "host";
3509
3510 switch (proto) {
3511
3512 case Q_DEFAULT:
3513 b0 = gen_host(addr, mask, Q_IP, dir, type);
3514 /*
3515 * Only check for non-IPv4 addresses if we're not
3516 * checking MPLS-encapsulated packets.
3517 */
3518 if (label_stack_depth == 0) {
3519 b1 = gen_host(addr, mask, Q_ARP, dir, type);
3520 gen_or(b0, b1);
3521 b0 = gen_host(addr, mask, Q_RARP, dir, type);
3522 gen_or(b1, b0);
3523 }
3524 return b0;
3525
3526 case Q_IP:
3527 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
3528
3529 case Q_RARP:
3530 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
3531
3532 case Q_ARP:
3533 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
3534
3535 case Q_TCP:
3536 bpf_error("'tcp' modifier applied to %s", typestr);
3537
3538 case Q_SCTP:
3539 bpf_error("'sctp' modifier applied to %s", typestr);
3540
3541 case Q_UDP:
3542 bpf_error("'udp' modifier applied to %s", typestr);
3543
3544 case Q_ICMP:
3545 bpf_error("'icmp' modifier applied to %s", typestr);
3546
3547 case Q_IGMP:
3548 bpf_error("'igmp' modifier applied to %s", typestr);
3549
3550 case Q_IGRP:
3551 bpf_error("'igrp' modifier applied to %s", typestr);
3552
3553 case Q_PIM:
3554 bpf_error("'pim' modifier applied to %s", typestr);
3555
3556 case Q_VRRP:
3557 bpf_error("'vrrp' modifier applied to %s", typestr);
3558
3559 case Q_ATALK:
3560 bpf_error("ATALK host filtering not implemented");
3561
3562 case Q_AARP:
3563 bpf_error("AARP host filtering not implemented");
3564
3565 case Q_DECNET:
3566 return gen_dnhostop(addr, dir);
3567
3568 case Q_SCA:
3569 bpf_error("SCA host filtering not implemented");
3570
3571 case Q_LAT:
3572 bpf_error("LAT host filtering not implemented");
3573
3574 case Q_MOPDL:
3575 bpf_error("MOPDL host filtering not implemented");
3576
3577 case Q_MOPRC:
3578 bpf_error("MOPRC host filtering not implemented");
3579
3580 #ifdef INET6
3581 case Q_IPV6:
3582 bpf_error("'ip6' modifier applied to ip host");
3583
3584 case Q_ICMPV6:
3585 bpf_error("'icmp6' modifier applied to %s", typestr);
3586 #endif /* INET6 */
3587
3588 case Q_AH:
3589 bpf_error("'ah' modifier applied to %s", typestr);
3590
3591 case Q_ESP:
3592 bpf_error("'esp' modifier applied to %s", typestr);
3593
3594 case Q_ISO:
3595 bpf_error("ISO host filtering not implemented");
3596
3597 case Q_ESIS:
3598 bpf_error("'esis' modifier applied to %s", typestr);
3599
3600 case Q_ISIS:
3601 bpf_error("'isis' modifier applied to %s", typestr);
3602
3603 case Q_CLNP:
3604 bpf_error("'clnp' modifier applied to %s", typestr);
3605
3606 case Q_STP:
3607 bpf_error("'stp' modifier applied to %s", typestr);
3608
3609 case Q_IPX:
3610 bpf_error("IPX host filtering not implemented");
3611
3612 case Q_NETBEUI:
3613 bpf_error("'netbeui' modifier applied to %s", typestr);
3614
3615 case Q_RADIO:
3616 bpf_error("'radio' modifier applied to %s", typestr);
3617
3618 default:
3619 abort();
3620 }
3621 /* NOTREACHED */
3622 }
3623
3624 #ifdef INET6
3625 static struct block *
3626 gen_host6(addr, mask, proto, dir, type)
3627 struct in6_addr *addr;
3628 struct in6_addr *mask;
3629 int proto;
3630 int dir;
3631 int type;
3632 {
3633 const char *typestr;
3634
3635 if (type == Q_NET)
3636 typestr = "net";
3637 else
3638 typestr = "host";
3639
3640 switch (proto) {
3641
3642 case Q_DEFAULT:
3643 return gen_host6(addr, mask, Q_IPV6, dir, type);
3644
3645 case Q_IP:
3646 bpf_error("'ip' modifier applied to ip6 %s", typestr);
3647
3648 case Q_RARP:
3649 bpf_error("'rarp' modifier applied to ip6 %s", typestr);
3650
3651 case Q_ARP:
3652 bpf_error("'arp' modifier applied to ip6 %s", typestr);
3653
3654 case Q_SCTP:
3655 bpf_error("'sctp' modifier applied to %s", typestr);
3656
3657 case Q_TCP:
3658 bpf_error("'tcp' modifier applied to %s", typestr);
3659
3660 case Q_UDP:
3661 bpf_error("'udp' modifier applied to %s", typestr);
3662
3663 case Q_ICMP:
3664 bpf_error("'icmp' modifier applied to %s", typestr);
3665
3666 case Q_IGMP:
3667 bpf_error("'igmp' modifier applied to %s", typestr);
3668
3669 case Q_IGRP:
3670 bpf_error("'igrp' modifier applied to %s", typestr);
3671
3672 case Q_PIM:
3673 bpf_error("'pim' modifier applied to %s", typestr);
3674
3675 case Q_VRRP:
3676 bpf_error("'vrrp' modifier applied to %s", typestr);
3677
3678 case Q_ATALK:
3679 bpf_error("ATALK host filtering not implemented");
3680
3681 case Q_AARP:
3682 bpf_error("AARP host filtering not implemented");
3683
3684 case Q_DECNET:
3685 bpf_error("'decnet' modifier applied to ip6 %s", typestr);
3686
3687 case Q_SCA:
3688 bpf_error("SCA host filtering not implemented");
3689
3690 case Q_LAT:
3691 bpf_error("LAT host filtering not implemented");
3692
3693 case Q_MOPDL:
3694 bpf_error("MOPDL host filtering not implemented");
3695
3696 case Q_MOPRC:
3697 bpf_error("MOPRC host filtering not implemented");
3698
3699 case Q_IPV6:
3700 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
3701
3702 case Q_ICMPV6:
3703 bpf_error("'icmp6' modifier applied to %s", typestr);
3704
3705 case Q_AH:
3706 bpf_error("'ah' modifier applied to %s", typestr);
3707
3708 case Q_ESP:
3709 bpf_error("'esp' modifier applied to %s", typestr);
3710
3711 case Q_ISO:
3712 bpf_error("ISO host filtering not implemented");
3713
3714 case Q_ESIS:
3715 bpf_error("'esis' modifier applied to %s", typestr);
3716
3717 case Q_ISIS:
3718 bpf_error("'isis' modifier applied to %s", typestr);
3719
3720 case Q_CLNP:
3721 bpf_error("'clnp' modifier applied to %s", typestr);
3722
3723 case Q_STP:
3724 bpf_error("'stp' modifier applied to %s", typestr);
3725
3726 case Q_IPX:
3727 bpf_error("IPX host filtering not implemented");
3728
3729 case Q_NETBEUI:
3730 bpf_error("'netbeui' modifier applied to %s", typestr);
3731
3732 case Q_RADIO:
3733 bpf_error("'radio' modifier applied to %s", typestr);
3734
3735 default:
3736 abort();
3737 }
3738 /* NOTREACHED */
3739 }
3740 #endif /*INET6*/
3741
3742 #ifndef INET6
3743 static struct block *
3744 gen_gateway(eaddr, alist, proto, dir)
3745 const u_char *eaddr;
3746 bpf_u_int32 **alist;
3747 int proto;
3748 int dir;
3749 {
3750 struct block *b0, *b1, *tmp;
3751
3752 if (dir != 0)
3753 bpf_error("direction applied to 'gateway'");
3754
3755 switch (proto) {
3756 case Q_DEFAULT:
3757 case Q_IP:
3758 case Q_ARP:
3759 case Q_RARP:
3760 switch (linktype) {
3761 case DLT_EN10MB:
3762 b0 = gen_ehostop(eaddr, Q_OR);
3763 break;
3764 case DLT_FDDI:
3765 b0 = gen_fhostop(eaddr, Q_OR);
3766 break;
3767 case DLT_IEEE802:
3768 b0 = gen_thostop(eaddr, Q_OR);
3769 break;
3770 case DLT_IEEE802_11:
3771 case DLT_IEEE802_11_RADIO_AVS:
3772 case DLT_PPI:
3773 case DLT_IEEE802_11_RADIO:
3774 case DLT_PRISM_HEADER:
3775 b0 = gen_wlanhostop(eaddr, Q_OR);
3776 break;
3777 case DLT_SUNATM:
3778 if (is_lane) {
3779 /*
3780 * Check that the packet doesn't begin with an
3781 * LE Control marker. (We've already generated
3782 * a test for LANE.)
3783 */
3784 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
3785 BPF_H, 0xFF00);
3786 gen_not(b1);
3787
3788 /*
3789 * Now check the MAC address.
3790 */
3791 b0 = gen_ehostop(eaddr, Q_OR);
3792 gen_and(b1, b0);
3793 }
3794 break;
3795 case DLT_IP_OVER_FC:
3796 b0 = gen_ipfchostop(eaddr, Q_OR);
3797 break;
3798 default:
3799 bpf_error(
3800 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
3801 }
3802 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR, Q_HOST);
3803 while (*alist) {
3804 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR,
3805 Q_HOST);
3806 gen_or(b1, tmp);
3807 b1 = tmp;
3808 }
3809 gen_not(b1);
3810 gen_and(b0, b1);
3811 return b1;
3812 }
3813 bpf_error("illegal modifier of 'gateway'");
3814 /* NOTREACHED */
3815 }
3816 #endif
3817
3818 struct block *
3819 gen_proto_abbrev(proto)
3820 int proto;
3821 {
3822 struct block *b0;
3823 struct block *b1;
3824
3825 switch (proto) {
3826
3827 case Q_SCTP:
3828 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
3829 #ifdef INET6
3830 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
3831 gen_or(b0, b1);
3832 #endif
3833 break;
3834
3835 case Q_TCP:
3836 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
3837 #ifdef INET6
3838 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
3839 gen_or(b0, b1);
3840 #endif
3841 break;
3842
3843 case Q_UDP:
3844 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
3845 #ifdef INET6
3846 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
3847 gen_or(b0, b1);
3848 #endif
3849 break;
3850
3851 case Q_ICMP:
3852 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
3853 break;
3854
3855 #ifndef IPPROTO_IGMP
3856 #define IPPROTO_IGMP 2
3857 #endif
3858
3859 case Q_IGMP:
3860 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
3861 break;
3862
3863 #ifndef IPPROTO_IGRP
3864 #define IPPROTO_IGRP 9
3865 #endif
3866 case Q_IGRP:
3867 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
3868 break;
3869
3870 #ifndef IPPROTO_PIM
3871 #define IPPROTO_PIM 103
3872 #endif
3873
3874 case Q_PIM:
3875 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
3876 #ifdef INET6
3877 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
3878 gen_or(b0, b1);
3879 #endif
3880 break;
3881
3882 #ifndef IPPROTO_VRRP
3883 #define IPPROTO_VRRP 112
3884 #endif
3885
3886 case Q_VRRP:
3887 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
3888 break;
3889
3890 case Q_IP:
3891 b1 = gen_linktype(ETHERTYPE_IP);
3892 break;
3893
3894 case Q_ARP:
3895 b1 = gen_linktype(ETHERTYPE_ARP);
3896 break;
3897
3898 case Q_RARP:
3899 b1 = gen_linktype(ETHERTYPE_REVARP);
3900 break;
3901
3902 case Q_LINK:
3903 bpf_error("link layer applied in wrong context");
3904
3905 case Q_ATALK:
3906 b1 = gen_linktype(ETHERTYPE_ATALK);
3907 break;
3908
3909 case Q_AARP:
3910 b1 = gen_linktype(ETHERTYPE_AARP);
3911 break;
3912
3913 case Q_DECNET:
3914 b1 = gen_linktype(ETHERTYPE_DN);
3915 break;
3916
3917 case Q_SCA:
3918 b1 = gen_linktype(ETHERTYPE_SCA);
3919 break;
3920
3921 case Q_LAT:
3922 b1 = gen_linktype(ETHERTYPE_LAT);
3923 break;
3924
3925 case Q_MOPDL:
3926 b1 = gen_linktype(ETHERTYPE_MOPDL);
3927 break;
3928
3929 case Q_MOPRC:
3930 b1 = gen_linktype(ETHERTYPE_MOPRC);
3931 break;
3932
3933 #ifdef INET6
3934 case Q_IPV6:
3935 b1 = gen_linktype(ETHERTYPE_IPV6);
3936 break;
3937
3938 #ifndef IPPROTO_ICMPV6
3939 #define IPPROTO_ICMPV6 58
3940 #endif
3941 case Q_ICMPV6:
3942 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
3943 break;
3944 #endif /* INET6 */
3945
3946 #ifndef IPPROTO_AH
3947 #define IPPROTO_AH 51
3948 #endif
3949 case Q_AH:
3950 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
3951 #ifdef INET6
3952 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
3953 gen_or(b0, b1);
3954 #endif
3955 break;
3956
3957 #ifndef IPPROTO_ESP
3958 #define IPPROTO_ESP 50
3959 #endif
3960 case Q_ESP:
3961 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3962 #ifdef INET6
3963 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3964 gen_or(b0, b1);
3965 #endif
3966 break;
3967
3968 case Q_ISO:
3969 b1 = gen_linktype(LLCSAP_ISONS);
3970 break;
3971
3972 case Q_ESIS:
3973 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3974 break;
3975
3976 case Q_ISIS:
3977 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3978 break;
3979
3980 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3981 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3982 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3983 gen_or(b0, b1);
3984 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3985 gen_or(b0, b1);
3986 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3987 gen_or(b0, b1);
3988 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3989 gen_or(b0, b1);
3990 break;
3991
3992 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3993 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3994 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3995 gen_or(b0, b1);
3996 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3997 gen_or(b0, b1);
3998 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3999 gen_or(b0, b1);
4000 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4001 gen_or(b0, b1);
4002 break;
4003
4004 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
4005 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
4006 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
4007 gen_or(b0, b1);
4008 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
4009 gen_or(b0, b1);
4010 break;
4011
4012 case Q_ISIS_LSP:
4013 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
4014 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
4015 gen_or(b0, b1);
4016 break;
4017
4018 case Q_ISIS_SNP:
4019 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4020 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4021 gen_or(b0, b1);
4022 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4023 gen_or(b0, b1);
4024 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4025 gen_or(b0, b1);
4026 break;
4027
4028 case Q_ISIS_CSNP:
4029 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
4030 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
4031 gen_or(b0, b1);
4032 break;
4033
4034 case Q_ISIS_PSNP:
4035 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
4036 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
4037 gen_or(b0, b1);
4038 break;
4039
4040 case Q_CLNP:
4041 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
4042 break;
4043
4044 case Q_STP:
4045 b1 = gen_linktype(LLCSAP_8021D);
4046 break;
4047
4048 case Q_IPX:
4049 b1 = gen_linktype(LLCSAP_IPX);
4050 break;
4051
4052 case Q_NETBEUI:
4053 b1 = gen_linktype(LLCSAP_NETBEUI);
4054 break;
4055
4056 case Q_RADIO:
4057 bpf_error("'radio' is not a valid protocol type");
4058
4059 default:
4060 abort();
4061 }
4062 return b1;
4063 }
4064
4065 static struct block *
4066 gen_ipfrag()
4067 {
4068 struct slist *s;
4069 struct block *b;
4070
4071 /* not ip frag */
4072 s = gen_load_a(OR_NET, 6, BPF_H);
4073 b = new_block(JMP(BPF_JSET));
4074 b->s.k = 0x1fff;
4075 b->stmts = s;
4076 gen_not(b);
4077
4078 return b;
4079 }
4080
4081 /*
4082 * Generate a comparison to a port value in the transport-layer header
4083 * at the specified offset from the beginning of that header.
4084 *
4085 * XXX - this handles a variable-length prefix preceding the link-layer
4086 * header, such as the radiotap or AVS radio prefix, but doesn't handle
4087 * variable-length link-layer headers (such as Token Ring or 802.11
4088 * headers).
4089 */
4090 static struct block *
4091 gen_portatom(off, v)
4092 int off;
4093 bpf_int32 v;
4094 {
4095 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
4096 }
4097
4098 #ifdef INET6
4099 static struct block *
4100 gen_portatom6(off, v)
4101 int off;
4102 bpf_int32 v;
4103 {
4104 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
4105 }
4106 #endif/*INET6*/
4107
4108 struct block *
4109 gen_portop(port, proto, dir)
4110 int port, proto, dir;
4111 {
4112 struct block *b0, *b1, *tmp;
4113
4114 /* ip proto 'proto' */
4115 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
4116 b0 = gen_ipfrag();
4117 gen_and(tmp, b0);
4118
4119 switch (dir) {
4120 case Q_SRC:
4121 b1 = gen_portatom(0, (bpf_int32)port);
4122 break;
4123
4124 case Q_DST:
4125 b1 = gen_portatom(2, (bpf_int32)port);
4126 break;
4127
4128 case Q_OR:
4129 case Q_DEFAULT:
4130 tmp = gen_portatom(0, (bpf_int32)port);
4131 b1 = gen_portatom(2, (bpf_int32)port);
4132 gen_or(tmp, b1);
4133 break;
4134
4135 case Q_AND:
4136 tmp = gen_portatom(0, (bpf_int32)port);
4137 b1 = gen_portatom(2, (bpf_int32)port);
4138 gen_and(tmp, b1);
4139 break;
4140
4141 default:
4142 abort();
4143 }
4144 gen_and(b0, b1);
4145
4146 return b1;
4147 }
4148
4149 static struct block *
4150 gen_port(port, ip_proto, dir)
4151 int port;
4152 int ip_proto;
4153 int dir;
4154 {
4155 struct block *b0, *b1, *tmp;
4156
4157 /*
4158 * ether proto ip
4159 *
4160 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4161 * not LLC encapsulation with LLCSAP_IP.
4162 *
4163 * For IEEE 802 networks - which includes 802.5 token ring
4164 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4165 * says that SNAP encapsulation is used, not LLC encapsulation
4166 * with LLCSAP_IP.
4167 *
4168 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4169 * RFC 2225 say that SNAP encapsulation is used, not LLC
4170 * encapsulation with LLCSAP_IP.
4171 *
4172 * So we always check for ETHERTYPE_IP.
4173 */
4174 b0 = gen_linktype(ETHERTYPE_IP);
4175
4176 switch (ip_proto) {
4177 case IPPROTO_UDP:
4178 case IPPROTO_TCP:
4179 case IPPROTO_SCTP:
4180 b1 = gen_portop(port, ip_proto, dir);
4181 break;
4182
4183 case PROTO_UNDEF:
4184 tmp = gen_portop(port, IPPROTO_TCP, dir);
4185 b1 = gen_portop(port, IPPROTO_UDP, dir);
4186 gen_or(tmp, b1);
4187 tmp = gen_portop(port, IPPROTO_SCTP, dir);
4188 gen_or(tmp, b1);
4189 break;
4190
4191 default:
4192 abort();
4193 }
4194 gen_and(b0, b1);
4195 return b1;
4196 }
4197
4198 #ifdef INET6
4199 struct block *
4200 gen_portop6(port, proto, dir)
4201 int port, proto, dir;
4202 {
4203 struct block *b0, *b1, *tmp;
4204
4205 /* ip6 proto 'proto' */
4206 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
4207
4208 switch (dir) {
4209 case Q_SRC:
4210 b1 = gen_portatom6(0, (bpf_int32)port);
4211 break;
4212
4213 case Q_DST:
4214 b1 = gen_portatom6(2, (bpf_int32)port);
4215 break;
4216
4217 case Q_OR:
4218 case Q_DEFAULT:
4219 tmp = gen_portatom6(0, (bpf_int32)port);
4220 b1 = gen_portatom6(2, (bpf_int32)port);
4221 gen_or(tmp, b1);
4222 break;
4223
4224 case Q_AND:
4225 tmp = gen_portatom6(0, (bpf_int32)port);
4226 b1 = gen_portatom6(2, (bpf_int32)port);
4227 gen_and(tmp, b1);
4228 break;
4229
4230 default:
4231 abort();
4232 }
4233 gen_and(b0, b1);
4234
4235 return b1;
4236 }
4237
4238 static struct block *
4239 gen_port6(port, ip_proto, dir)
4240 int port;
4241 int ip_proto;
4242 int dir;
4243 {
4244 struct block *b0, *b1, *tmp;
4245
4246 /* link proto ip6 */
4247 b0 = gen_linktype(ETHERTYPE_IPV6);
4248
4249 switch (ip_proto) {
4250 case IPPROTO_UDP:
4251 case IPPROTO_TCP:
4252 case IPPROTO_SCTP:
4253 b1 = gen_portop6(port, ip_proto, dir);
4254 break;
4255
4256 case PROTO_UNDEF:
4257 tmp = gen_portop6(port, IPPROTO_TCP, dir);
4258 b1 = gen_portop6(port, IPPROTO_UDP, dir);
4259 gen_or(tmp, b1);
4260 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
4261 gen_or(tmp, b1);
4262 break;
4263
4264 default:
4265 abort();
4266 }
4267 gen_and(b0, b1);
4268 return b1;
4269 }
4270 #endif /* INET6 */
4271
4272 /* gen_portrange code */
4273 static struct block *
4274 gen_portrangeatom(off, v1, v2)
4275 int off;
4276 bpf_int32 v1, v2;
4277 {
4278 struct block *b1, *b2;
4279
4280 if (v1 > v2) {
4281 /*
4282 * Reverse the order of the ports, so v1 is the lower one.
4283 */
4284 bpf_int32 vtemp;
4285
4286 vtemp = v1;
4287 v1 = v2;
4288 v2 = vtemp;
4289 }
4290
4291 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
4292 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
4293
4294 gen_and(b1, b2);
4295
4296 return b2;
4297 }
4298
4299 struct block *
4300 gen_portrangeop(port1, port2, proto, dir)
4301 int port1, port2;
4302 int proto;
4303 int dir;
4304 {
4305 struct block *b0, *b1, *tmp;
4306
4307 /* ip proto 'proto' */
4308 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
4309 b0 = gen_ipfrag();
4310 gen_and(tmp, b0);
4311
4312 switch (dir) {
4313 case Q_SRC:
4314 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4315 break;
4316
4317 case Q_DST:
4318 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4319 break;
4320
4321 case Q_OR:
4322 case Q_DEFAULT:
4323 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4324 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4325 gen_or(tmp, b1);
4326 break;
4327
4328 case Q_AND:
4329 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
4330 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
4331 gen_and(tmp, b1);
4332 break;
4333
4334 default:
4335 abort();
4336 }
4337 gen_and(b0, b1);
4338
4339 return b1;
4340 }
4341
4342 static struct block *
4343 gen_portrange(port1, port2, ip_proto, dir)
4344 int port1, port2;
4345 int ip_proto;
4346 int dir;
4347 {
4348 struct block *b0, *b1, *tmp;
4349
4350 /* link proto ip */
4351 b0 = gen_linktype(ETHERTYPE_IP);
4352
4353 switch (ip_proto) {
4354 case IPPROTO_UDP:
4355 case IPPROTO_TCP:
4356 case IPPROTO_SCTP:
4357 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
4358 break;
4359
4360 case PROTO_UNDEF:
4361 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
4362 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
4363 gen_or(tmp, b1);
4364 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
4365 gen_or(tmp, b1);
4366 break;
4367
4368 default:
4369 abort();
4370 }
4371 gen_and(b0, b1);
4372 return b1;
4373 }
4374
4375 #ifdef INET6
4376 static struct block *
4377 gen_portrangeatom6(off, v1, v2)
4378 int off;
4379 bpf_int32 v1, v2;
4380 {
4381 struct block *b1, *b2;
4382
4383 if (v1 > v2) {
4384 /*
4385 * Reverse the order of the ports, so v1 is the lower one.
4386 */
4387 bpf_int32 vtemp;
4388
4389 vtemp = v1;
4390 v1 = v2;
4391 v2 = vtemp;
4392 }
4393
4394 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
4395 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
4396
4397 gen_and(b1, b2);
4398
4399 return b2;
4400 }
4401
4402 struct block *
4403 gen_portrangeop6(port1, port2, proto, dir)
4404 int port1, port2;
4405 int proto;
4406 int dir;
4407 {
4408 struct block *b0, *b1, *tmp;
4409
4410 /* ip6 proto 'proto' */
4411 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
4412
4413 switch (dir) {
4414 case Q_SRC:
4415 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4416 break;
4417
4418 case Q_DST:
4419 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4420 break;
4421
4422 case Q_OR:
4423 case Q_DEFAULT:
4424 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4425 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4426 gen_or(tmp, b1);
4427 break;
4428
4429 case Q_AND:
4430 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
4431 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
4432 gen_and(tmp, b1);
4433 break;
4434
4435 default:
4436 abort();
4437 }
4438 gen_and(b0, b1);
4439
4440 return b1;
4441 }
4442
4443 static struct block *
4444 gen_portrange6(port1, port2, ip_proto, dir)
4445 int port1, port2;
4446 int ip_proto;
4447 int dir;
4448 {
4449 struct block *b0, *b1, *tmp;
4450
4451 /* link proto ip6 */
4452 b0 = gen_linktype(ETHERTYPE_IPV6);
4453
4454 switch (ip_proto) {
4455 case IPPROTO_UDP:
4456 case IPPROTO_TCP:
4457 case IPPROTO_SCTP:
4458 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
4459 break;
4460
4461 case PROTO_UNDEF:
4462 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
4463 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
4464 gen_or(tmp, b1);
4465 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
4466 gen_or(tmp, b1);
4467 break;
4468
4469 default:
4470 abort();
4471 }
4472 gen_and(b0, b1);
4473 return b1;
4474 }
4475 #endif /* INET6 */
4476
4477 static int
4478 lookup_proto(name, proto)
4479 register const char *name;
4480 register int proto;
4481 {
4482 register int v;
4483
4484 switch (proto) {
4485
4486 case Q_DEFAULT:
4487 case Q_IP:
4488 case Q_IPV6:
4489 v = pcap_nametoproto(name);
4490 if (v == PROTO_UNDEF)
4491 bpf_error("unknown ip proto '%s'", name);
4492 break;
4493
4494 case Q_LINK:
4495 /* XXX should look up h/w protocol type based on linktype */
4496 v = pcap_nametoeproto(name);
4497 if (v == PROTO_UNDEF) {
4498 v = pcap_nametollc(name);
4499 if (v == PROTO_UNDEF)
4500 bpf_error("unknown ether proto '%s'", name);
4501 }
4502 break;
4503
4504 case Q_ISO:
4505 if (strcmp(name, "esis") == 0)
4506 v = ISO9542_ESIS;
4507 else if (strcmp(name, "isis") == 0)
4508 v = ISO10589_ISIS;
4509 else if (strcmp(name, "clnp") == 0)
4510 v = ISO8473_CLNP;
4511 else
4512 bpf_error("unknown osi proto '%s'", name);
4513 break;
4514
4515 default:
4516 v = PROTO_UNDEF;
4517 break;
4518 }
4519 return v;
4520 }
4521
4522 #if 0
4523 struct stmt *
4524 gen_joinsp(s, n)
4525 struct stmt **s;
4526 int n;
4527 {
4528 return NULL;
4529 }
4530 #endif
4531
4532 static struct block *
4533 gen_protochain(v, proto, dir)
4534 int v;
4535 int proto;
4536 int dir;
4537 {
4538 #ifdef NO_PROTOCHAIN
4539 return gen_proto(v, proto, dir);
4540 #else
4541 struct block *b0, *b;
4542 struct slist *s[100];
4543 int fix2, fix3, fix4, fix5;
4544 int ahcheck, again, end;
4545 int i, max;
4546 int reg2 = alloc_reg();
4547
4548 memset(s, 0, sizeof(s));
4549 fix2 = fix3 = fix4 = fix5 = 0;
4550
4551 switch (proto) {
4552 case Q_IP:
4553 case Q_IPV6:
4554 break;
4555 case Q_DEFAULT:
4556 b0 = gen_protochain(v, Q_IP, dir);
4557 b = gen_protochain(v, Q_IPV6, dir);
4558 gen_or(b0, b);
4559 return b;
4560 default:
4561 bpf_error("bad protocol applied for 'protochain'");
4562 /*NOTREACHED*/
4563 }
4564
4565 /*
4566 * We don't handle variable-length radiotap here headers yet.
4567 * We might want to add BPF instructions to do the protochain
4568 * work, to simplify that and, on platforms that have a BPF
4569 * interpreter with the new instructions, let the filtering
4570 * be done in the kernel. (We already require a modified BPF
4571 * engine to do the protochain stuff, to support backward
4572 * branches, and backward branch support is unlikely to appear
4573 * in kernel BPF engines.)
4574 */
4575 if (linktype == DLT_IEEE802_11_RADIO)
4576 bpf_error("'protochain' not supported with radiotap headers");
4577
4578 if (linktype == DLT_PPI)
4579 bpf_error("'protochain' not supported with PPI headers");
4580
4581 no_optimize = 1; /*this code is not compatible with optimzer yet */
4582
4583 /*
4584 * s[0] is a dummy entry to protect other BPF insn from damage
4585 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
4586 * hard to find interdependency made by jump table fixup.
4587 */
4588 i = 0;
4589 s[i] = new_stmt(0); /*dummy*/
4590 i++;
4591
4592 switch (proto) {
4593 case Q_IP:
4594 b0 = gen_linktype(ETHERTYPE_IP);
4595
4596 /* A = ip->ip_p */
4597 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4598 s[i]->s.k = off_ll + off_nl + 9;
4599 i++;
4600 /* X = ip->ip_hl << 2 */
4601 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4602 s[i]->s.k = off_ll + off_nl;
4603 i++;
4604 break;
4605 #ifdef INET6
4606 case Q_IPV6:
4607 b0 = gen_linktype(ETHERTYPE_IPV6);
4608
4609 /* A = ip6->ip_nxt */
4610 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4611 s[i]->s.k = off_ll + off_nl + 6;
4612 i++;
4613 /* X = sizeof(struct ip6_hdr) */
4614 s[i] = new_stmt(BPF_LDX|BPF_IMM);
4615 s[i]->s.k = 40;
4616 i++;
4617 break;
4618 #endif
4619 default:
4620 bpf_error("unsupported proto to gen_protochain");
4621 /*NOTREACHED*/
4622 }
4623
4624 /* again: if (A == v) goto end; else fall through; */
4625 again = i;
4626 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4627 s[i]->s.k = v;
4628 s[i]->s.jt = NULL; /*later*/
4629 s[i]->s.jf = NULL; /*update in next stmt*/
4630 fix5 = i;
4631 i++;
4632
4633 #ifndef IPPROTO_NONE
4634 #define IPPROTO_NONE 59
4635 #endif
4636 /* if (A == IPPROTO_NONE) goto end */
4637 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4638 s[i]->s.jt = NULL; /*later*/
4639 s[i]->s.jf = NULL; /*update in next stmt*/
4640 s[i]->s.k = IPPROTO_NONE;
4641 s[fix5]->s.jf = s[i];
4642 fix2 = i;
4643 i++;
4644
4645 #ifdef INET6
4646 if (proto == Q_IPV6) {
4647 int v6start, v6end, v6advance, j;
4648
4649 v6start = i;
4650 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
4651 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4652 s[i]->s.jt = NULL; /*later*/
4653 s[i]->s.jf = NULL; /*update in next stmt*/
4654 s[i]->s.k = IPPROTO_HOPOPTS;
4655 s[fix2]->s.jf = s[i];
4656 i++;
4657 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
4658 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4659 s[i]->s.jt = NULL; /*later*/
4660 s[i]->s.jf = NULL; /*update in next stmt*/
4661 s[i]->s.k = IPPROTO_DSTOPTS;
4662 i++;
4663 /* if (A == IPPROTO_ROUTING) goto v6advance */
4664 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4665 s[i]->s.jt = NULL; /*later*/
4666 s[i]->s.jf = NULL; /*update in next stmt*/
4667 s[i]->s.k = IPPROTO_ROUTING;
4668 i++;
4669 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
4670 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4671 s[i]->s.jt = NULL; /*later*/
4672 s[i]->s.jf = NULL; /*later*/
4673 s[i]->s.k = IPPROTO_FRAGMENT;
4674 fix3 = i;
4675 v6end = i;
4676 i++;
4677
4678 /* v6advance: */
4679 v6advance = i;
4680
4681 /*
4682 * in short,
4683 * A = P[X];
4684 * X = X + (P[X + 1] + 1) * 8;
4685 */
4686 /* A = X */
4687 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4688 i++;
4689 /* A = P[X + packet head] */
4690 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4691 s[i]->s.k = off_ll + off_nl;
4692 i++;
4693 /* MEM[reg2] = A */
4694 s[i] = new_stmt(BPF_ST);
4695 s[i]->s.k = reg2;
4696 i++;
4697 /* A = X */
4698 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4699 i++;
4700 /* A += 1 */
4701 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4702 s[i]->s.k = 1;
4703 i++;
4704 /* X = A */
4705 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4706 i++;
4707 /* A = P[X + packet head]; */
4708 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4709 s[i]->s.k = off_ll + off_nl;
4710 i++;
4711 /* A += 1 */
4712 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4713 s[i]->s.k = 1;
4714 i++;
4715 /* A *= 8 */
4716 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4717 s[i]->s.k = 8;
4718 i++;
4719 /* X = A; */
4720 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4721 i++;
4722 /* A = MEM[reg2] */
4723 s[i] = new_stmt(BPF_LD|BPF_MEM);
4724 s[i]->s.k = reg2;
4725 i++;
4726
4727 /* goto again; (must use BPF_JA for backward jump) */
4728 s[i] = new_stmt(BPF_JMP|BPF_JA);
4729 s[i]->s.k = again - i - 1;
4730 s[i - 1]->s.jf = s[i];
4731 i++;
4732
4733 /* fixup */
4734 for (j = v6start; j <= v6end; j++)
4735 s[j]->s.jt = s[v6advance];
4736 } else
4737 #endif
4738 {
4739 /* nop */
4740 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4741 s[i]->s.k = 0;
4742 s[fix2]->s.jf = s[i];
4743 i++;
4744 }
4745
4746 /* ahcheck: */
4747 ahcheck = i;
4748 /* if (A == IPPROTO_AH) then fall through; else goto end; */
4749 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4750 s[i]->s.jt = NULL; /*later*/
4751 s[i]->s.jf = NULL; /*later*/
4752 s[i]->s.k = IPPROTO_AH;
4753 if (fix3)
4754 s[fix3]->s.jf = s[ahcheck];
4755 fix4 = i;
4756 i++;
4757
4758 /*
4759 * in short,
4760 * A = P[X];
4761 * X = X + (P[X + 1] + 2) * 4;
4762 */
4763 /* A = X */
4764 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4765 i++;
4766 /* A = P[X + packet head]; */
4767 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4768 s[i]->s.k = off_ll + off_nl;
4769 i++;
4770 /* MEM[reg2] = A */
4771 s[i] = new_stmt(BPF_ST);
4772 s[i]->s.k = reg2;
4773 i++;
4774 /* A = X */
4775 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4776 i++;
4777 /* A += 1 */
4778 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4779 s[i]->s.k = 1;
4780 i++;
4781 /* X = A */
4782 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4783 i++;
4784 /* A = P[X + packet head] */
4785 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4786 s[i]->s.k = off_ll + off_nl;
4787 i++;
4788 /* A += 2 */
4789 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4790 s[i]->s.k = 2;
4791 i++;
4792 /* A *= 4 */
4793 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4794 s[i]->s.k = 4;
4795 i++;
4796 /* X = A; */
4797 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4798 i++;
4799 /* A = MEM[reg2] */
4800 s[i] = new_stmt(BPF_LD|BPF_MEM);
4801 s[i]->s.k = reg2;
4802 i++;
4803
4804 /* goto again; (must use BPF_JA for backward jump) */
4805 s[i] = new_stmt(BPF_JMP|BPF_JA);
4806 s[i]->s.k = again - i - 1;
4807 i++;
4808
4809 /* end: nop */
4810 end = i;
4811 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4812 s[i]->s.k = 0;
4813 s[fix2]->s.jt = s[end];
4814 s[fix4]->s.jf = s[end];
4815 s[fix5]->s.jt = s[end];
4816 i++;
4817
4818 /*
4819 * make slist chain
4820 */
4821 max = i;
4822 for (i = 0; i < max - 1; i++)
4823 s[i]->next = s[i + 1];
4824 s[max - 1]->next = NULL;
4825
4826 /*
4827 * emit final check
4828 */
4829 b = new_block(JMP(BPF_JEQ));
4830 b->stmts = s[1]; /*remember, s[0] is dummy*/
4831 b->s.k = v;
4832
4833 free_reg(reg2);
4834
4835 gen_and(b0, b);
4836 return b;
4837 #endif
4838 }
4839
4840 /*
4841 * Generate code that checks whether the packet is a packet for protocol
4842 * <proto> and whether the type field in that protocol's header has
4843 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
4844 * IP packet and checks the protocol number in the IP header against <v>.
4845 *
4846 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
4847 * against Q_IP and Q_IPV6.
4848 */
4849 static struct block *
4850 gen_proto(v, proto, dir)
4851 int v;
4852 int proto;
4853 int dir;
4854 {
4855 struct block *b0, *b1;
4856
4857 if (dir != Q_DEFAULT)
4858 bpf_error("direction applied to 'proto'");
4859
4860 switch (proto) {
4861 case Q_DEFAULT:
4862 #ifdef INET6
4863 b0 = gen_proto(v, Q_IP, dir);
4864 b1 = gen_proto(v, Q_IPV6, dir);
4865 gen_or(b0, b1);
4866 return b1;
4867 #else
4868 /*FALLTHROUGH*/
4869 #endif
4870 case Q_IP:
4871 /*
4872 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4873 * not LLC encapsulation with LLCSAP_IP.
4874 *
4875 * For IEEE 802 networks - which includes 802.5 token ring
4876 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4877 * says that SNAP encapsulation is used, not LLC encapsulation
4878 * with LLCSAP_IP.
4879 *
4880 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4881 * RFC 2225 say that SNAP encapsulation is used, not LLC
4882 * encapsulation with LLCSAP_IP.
4883 *
4884 * So we always check for ETHERTYPE_IP.
4885 */
4886 b0 = gen_linktype(ETHERTYPE_IP);
4887 #ifndef CHASE_CHAIN
4888 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
4889 #else
4890 b1 = gen_protochain(v, Q_IP);
4891 #endif
4892 gen_and(b0, b1);
4893 return b1;
4894
4895 case Q_ISO:
4896 switch (linktype) {
4897
4898 case DLT_FRELAY:
4899 /*
4900 * Frame Relay packets typically have an OSI
4901 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
4902 * generates code to check for all the OSI
4903 * NLPIDs, so calling it and then adding a check
4904 * for the particular NLPID for which we're
4905 * looking is bogus, as we can just check for
4906 * the NLPID.
4907 *
4908 * What we check for is the NLPID and a frame
4909 * control field value of UI, i.e. 0x03 followed
4910 * by the NLPID.
4911 *
4912 * XXX - assumes a 2-byte Frame Relay header with
4913 * DLCI and flags. What if the address is longer?
4914 *
4915 * XXX - what about SNAP-encapsulated frames?
4916 */
4917 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
4918 /*NOTREACHED*/
4919 break;
4920
4921 case DLT_C_HDLC:
4922 /*
4923 * Cisco uses an Ethertype lookalike - for OSI,
4924 * it's 0xfefe.
4925 */
4926 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
4927 /* OSI in C-HDLC is stuffed with a fudge byte */
4928 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
4929 gen_and(b0, b1);
4930 return b1;
4931
4932 default:
4933 b0 = gen_linktype(LLCSAP_ISONS);
4934 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
4935 gen_and(b0, b1);
4936 return b1;
4937 }
4938
4939 case Q_ISIS:
4940 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4941 /*
4942 * 4 is the offset of the PDU type relative to the IS-IS
4943 * header.
4944 */
4945 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
4946 gen_and(b0, b1);
4947 return b1;
4948
4949 case Q_ARP:
4950 bpf_error("arp does not encapsulate another protocol");
4951 /* NOTREACHED */
4952
4953 case Q_RARP:
4954 bpf_error("rarp does not encapsulate another protocol");
4955 /* NOTREACHED */
4956
4957 case Q_ATALK:
4958 bpf_error("atalk encapsulation is not specifiable");
4959 /* NOTREACHED */
4960
4961 case Q_DECNET:
4962 bpf_error("decnet encapsulation is not specifiable");
4963 /* NOTREACHED */
4964
4965 case Q_SCA:
4966 bpf_error("sca does not encapsulate another protocol");
4967 /* NOTREACHED */
4968
4969 case Q_LAT:
4970 bpf_error("lat does not encapsulate another protocol");
4971 /* NOTREACHED */
4972
4973 case Q_MOPRC:
4974 bpf_error("moprc does not encapsulate another protocol");
4975 /* NOTREACHED */
4976
4977 case Q_MOPDL:
4978 bpf_error("mopdl does not encapsulate another protocol");
4979 /* NOTREACHED */
4980
4981 case Q_LINK:
4982 return gen_linktype(v);
4983
4984 case Q_UDP:
4985 bpf_error("'udp proto' is bogus");
4986 /* NOTREACHED */
4987
4988 case Q_TCP:
4989 bpf_error("'tcp proto' is bogus");
4990 /* NOTREACHED */
4991
4992 case Q_SCTP:
4993 bpf_error("'sctp proto' is bogus");
4994 /* NOTREACHED */
4995
4996 case Q_ICMP:
4997 bpf_error("'icmp proto' is bogus");
4998 /* NOTREACHED */
4999
5000 case Q_IGMP:
5001 bpf_error("'igmp proto' is bogus");
5002 /* NOTREACHED */
5003
5004 case Q_IGRP:
5005 bpf_error("'igrp proto' is bogus");
5006 /* NOTREACHED */
5007
5008 case Q_PIM:
5009 bpf_error("'pim proto' is bogus");
5010 /* NOTREACHED */
5011
5012 case Q_VRRP:
5013 bpf_error("'vrrp proto' is bogus");
5014 /* NOTREACHED */
5015
5016 #ifdef INET6
5017 case Q_IPV6:
5018 b0 = gen_linktype(ETHERTYPE_IPV6);
5019 #ifndef CHASE_CHAIN
5020 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
5021 #else
5022 b1 = gen_protochain(v, Q_IPV6);
5023 #endif
5024 gen_and(b0, b1);
5025 return b1;
5026
5027 case Q_ICMPV6:
5028 bpf_error("'icmp6 proto' is bogus");
5029 #endif /* INET6 */
5030
5031 case Q_AH:
5032 bpf_error("'ah proto' is bogus");
5033
5034 case Q_ESP:
5035 bpf_error("'ah proto' is bogus");
5036
5037 case Q_STP:
5038 bpf_error("'stp proto' is bogus");
5039
5040 case Q_IPX:
5041 bpf_error("'ipx proto' is bogus");
5042
5043 case Q_NETBEUI:
5044 bpf_error("'netbeui proto' is bogus");
5045
5046 case Q_RADIO:
5047 bpf_error("'radio proto' is bogus");
5048
5049 default:
5050 abort();
5051 /* NOTREACHED */
5052 }
5053 /* NOTREACHED */
5054 }
5055
5056 struct block *
5057 gen_scode(name, q)
5058 register const char *name;
5059 struct qual q;
5060 {
5061 int proto = q.proto;
5062 int dir = q.dir;
5063 int tproto;
5064 u_char *eaddr;
5065 bpf_u_int32 mask, addr;
5066 #ifndef INET6
5067 bpf_u_int32 **alist;
5068 #else
5069 int tproto6;
5070 struct sockaddr_in *sin4;
5071 struct sockaddr_in6 *sin6;
5072 struct addrinfo *res, *res0;
5073 struct in6_addr mask128;
5074 #endif /*INET6*/
5075 struct block *b, *tmp;
5076 int port, real_proto;
5077 int port1, port2;
5078
5079 switch (q.addr) {
5080
5081 case Q_NET:
5082 addr = pcap_nametonetaddr(name);
5083 if (addr == 0)
5084 bpf_error("unknown network '%s'", name);
5085 /* Left justify network addr and calculate its network mask */
5086 mask = 0xffffffff;
5087 while (addr && (addr & 0xff000000) == 0) {
5088 addr <<= 8;
5089 mask <<= 8;
5090 }
5091 return gen_host(addr, mask, proto, dir, q.addr);
5092
5093 case Q_DEFAULT:
5094 case Q_HOST:
5095 if (proto == Q_LINK) {
5096 switch (linktype) {
5097
5098 case DLT_EN10MB:
5099 eaddr = pcap_ether_hostton(name);
5100 if (eaddr == NULL)
5101 bpf_error(
5102 "unknown ether host '%s'", name);
5103 b = gen_ehostop(eaddr, dir);
5104 free(eaddr);
5105 return b;
5106
5107 case DLT_FDDI:
5108 eaddr = pcap_ether_hostton(name);
5109 if (eaddr == NULL)
5110 bpf_error(
5111 "unknown FDDI host '%s'", name);
5112 b = gen_fhostop(eaddr, dir);
5113 free(eaddr);
5114 return b;
5115
5116 case DLT_IEEE802:
5117 eaddr = pcap_ether_hostton(name);
5118 if (eaddr == NULL)
5119 bpf_error(
5120 "unknown token ring host '%s'", name);
5121 b = gen_thostop(eaddr, dir);
5122 free(eaddr);
5123 return b;
5124
5125 case DLT_IEEE802_11:
5126 case DLT_IEEE802_11_RADIO_AVS:
5127 case DLT_IEEE802_11_RADIO:
5128 case DLT_PRISM_HEADER:
5129 case DLT_PPI:
5130 eaddr = pcap_ether_hostton(name);
5131 if (eaddr == NULL)
5132 bpf_error(
5133 "unknown 802.11 host '%s'", name);
5134 b = gen_wlanhostop(eaddr, dir);
5135 free(eaddr);
5136 return b;
5137
5138 case DLT_IP_OVER_FC:
5139 eaddr = pcap_ether_hostton(name);
5140 if (eaddr == NULL)
5141 bpf_error(
5142 "unknown Fibre Channel host '%s'", name);
5143 b = gen_ipfchostop(eaddr, dir);
5144 free(eaddr);
5145 return b;
5146
5147 case DLT_SUNATM:
5148 if (!is_lane)
5149 break;
5150
5151 /*
5152 * Check that the packet doesn't begin
5153 * with an LE Control marker. (We've
5154 * already generated a test for LANE.)
5155 */
5156 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
5157 BPF_H, 0xFF00);
5158 gen_not(tmp);
5159
5160 eaddr = pcap_ether_hostton(name);
5161 if (eaddr == NULL)
5162 bpf_error(
5163 "unknown ether host '%s'", name);
5164 b = gen_ehostop(eaddr, dir);
5165 gen_and(tmp, b);
5166 free(eaddr);
5167 return b;
5168 }
5169
5170 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
5171 } else if (proto == Q_DECNET) {
5172 unsigned short dn_addr = __pcap_nametodnaddr(name);
5173 /*
5174 * I don't think DECNET hosts can be multihomed, so
5175 * there is no need to build up a list of addresses
5176 */
5177 return (gen_host(dn_addr, 0, proto, dir, q.addr));
5178 } else {
5179 #ifndef INET6
5180 alist = pcap_nametoaddr(name);
5181 if (alist == NULL || *alist == NULL)
5182 bpf_error("unknown host '%s'", name);
5183 tproto = proto;
5184 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
5185 tproto = Q_IP;
5186 b = gen_host(**alist++, 0xffffffff, tproto, dir, q.addr);
5187 while (*alist) {
5188 tmp = gen_host(**alist++, 0xffffffff,
5189 tproto, dir, q.addr);
5190 gen_or(b, tmp);
5191 b = tmp;
5192 }
5193 return b;
5194 #else
5195 memset(&mask128, 0xff, sizeof(mask128));
5196 res0 = res = pcap_nametoaddrinfo(name);
5197 if (res == NULL)
5198 bpf_error("unknown host '%s'", name);
5199 b = tmp = NULL;
5200 tproto = tproto6 = proto;
5201 if (off_linktype == -1 && tproto == Q_DEFAULT) {
5202 tproto = Q_IP;
5203 tproto6 = Q_IPV6;
5204 }
5205 for (res = res0; res; res = res->ai_next) {
5206 switch (res->ai_family) {
5207 case AF_INET:
5208 if (tproto == Q_IPV6)
5209 continue;
5210
5211 sin4 = (struct sockaddr_in *)
5212 res->ai_addr;
5213 tmp = gen_host(ntohl(sin4->sin_addr.s_addr),
5214 0xffffffff, tproto, dir, q.addr);
5215 break;
5216 case AF_INET6:
5217 if (tproto6 == Q_IP)
5218 continue;
5219
5220 sin6 = (struct sockaddr_in6 *)
5221 res->ai_addr;
5222 tmp = gen_host6(&sin6->sin6_addr,
5223 &mask128, tproto6, dir, q.addr);
5224 break;
5225 default:
5226 continue;
5227 }
5228 if (b)
5229 gen_or(b, tmp);
5230 b = tmp;
5231 }
5232 freeaddrinfo(res0);
5233 if (b == NULL) {
5234 bpf_error("unknown host '%s'%s", name,
5235 (proto == Q_DEFAULT)
5236 ? ""
5237 : " for specified address family");
5238 }
5239 return b;
5240 #endif /*INET6*/
5241 }
5242
5243 case Q_PORT:
5244 if (proto != Q_DEFAULT &&
5245 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
5246 bpf_error("illegal qualifier of 'port'");
5247 if (pcap_nametoport(name, &port, &real_proto) == 0)
5248 bpf_error("unknown port '%s'", name);
5249 if (proto == Q_UDP) {
5250 if (real_proto == IPPROTO_TCP)
5251 bpf_error("port '%s' is tcp", name);
5252 else if (real_proto == IPPROTO_SCTP)
5253 bpf_error("port '%s' is sctp", name);
5254 else
5255 /* override PROTO_UNDEF */
5256 real_proto = IPPROTO_UDP;
5257 }
5258 if (proto == Q_TCP) {
5259 if (real_proto == IPPROTO_UDP)
5260 bpf_error("port '%s' is udp", name);
5261
5262 else if (real_proto == IPPROTO_SCTP)
5263 bpf_error("port '%s' is sctp", name);
5264 else
5265 /* override PROTO_UNDEF */
5266 real_proto = IPPROTO_TCP;
5267 }
5268 if (proto == Q_SCTP) {
5269 if (real_proto == IPPROTO_UDP)
5270 bpf_error("port '%s' is udp", name);
5271
5272 else if (real_proto == IPPROTO_TCP)
5273 bpf_error("port '%s' is tcp", name);
5274 else
5275 /* override PROTO_UNDEF */
5276 real_proto = IPPROTO_SCTP;
5277 }
5278 #ifndef INET6
5279 return gen_port(port, real_proto, dir);
5280 #else
5281 b = gen_port(port, real_proto, dir);
5282 gen_or(gen_port6(port, real_proto, dir), b);
5283 return b;
5284 #endif /* INET6 */
5285
5286 case Q_PORTRANGE:
5287 if (proto != Q_DEFAULT &&
5288 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
5289 bpf_error("illegal qualifier of 'portrange'");
5290 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
5291 bpf_error("unknown port in range '%s'", name);
5292 if (proto == Q_UDP) {
5293 if (real_proto == IPPROTO_TCP)
5294 bpf_error("port in range '%s' is tcp", name);
5295 else if (real_proto == IPPROTO_SCTP)
5296 bpf_error("port in range '%s' is sctp", name);
5297 else
5298 /* override PROTO_UNDEF */
5299 real_proto = IPPROTO_UDP;
5300 }
5301 if (proto == Q_TCP) {
5302 if (real_proto == IPPROTO_UDP)
5303 bpf_error("port in range '%s' is udp", name);
5304 else if (real_proto == IPPROTO_SCTP)
5305 bpf_error("port in range '%s' is sctp", name);
5306 else
5307 /* override PROTO_UNDEF */
5308 real_proto = IPPROTO_TCP;
5309 }
5310 if (proto == Q_SCTP) {
5311 if (real_proto == IPPROTO_UDP)
5312 bpf_error("port in range '%s' is udp", name);
5313 else if (real_proto == IPPROTO_TCP)
5314 bpf_error("port in range '%s' is tcp", name);
5315 else
5316 /* override PROTO_UNDEF */
5317 real_proto = IPPROTO_SCTP;
5318 }
5319 #ifndef INET6
5320 return gen_portrange(port1, port2, real_proto, dir);
5321 #else
5322 b = gen_portrange(port1, port2, real_proto, dir);
5323 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
5324 return b;
5325 #endif /* INET6 */
5326
5327 case Q_GATEWAY:
5328 #ifndef INET6
5329 eaddr = pcap_ether_hostton(name);
5330 if (eaddr == NULL)
5331 bpf_error("unknown ether host: %s", name);
5332
5333 alist = pcap_nametoaddr(name);
5334 if (alist == NULL || *alist == NULL)
5335 bpf_error("unknown host '%s'", name);
5336 b = gen_gateway(eaddr, alist, proto, dir);
5337 free(eaddr);
5338 return b;
5339 #else
5340 bpf_error("'gateway' not supported in this configuration");
5341 #endif /*INET6*/
5342
5343 case Q_PROTO:
5344 real_proto = lookup_proto(name, proto);
5345 if (real_proto >= 0)
5346 return gen_proto(real_proto, proto, dir);
5347 else
5348 bpf_error("unknown protocol: %s", name);
5349
5350 case Q_PROTOCHAIN:
5351 real_proto = lookup_proto(name, proto);
5352 if (real_proto >= 0)
5353 return gen_protochain(real_proto, proto, dir);
5354 else
5355 bpf_error("unknown protocol: %s", name);
5356
5357
5358 case Q_UNDEF:
5359 syntax();
5360 /* NOTREACHED */
5361 }
5362 abort();
5363 /* NOTREACHED */
5364 }
5365
5366 struct block *
5367 gen_mcode(s1, s2, masklen, q)
5368 register const char *s1, *s2;
5369 register int masklen;
5370 struct qual q;
5371 {
5372 register int nlen, mlen;
5373 bpf_u_int32 n, m;
5374
5375 nlen = __pcap_atoin(s1, &n);
5376 /* Promote short ipaddr */
5377 n <<= 32 - nlen;
5378
5379 if (s2 != NULL) {
5380 mlen = __pcap_atoin(s2, &m);
5381 /* Promote short ipaddr */
5382 m <<= 32 - mlen;
5383 if ((n & ~m) != 0)
5384 bpf_error("non-network bits set in \"%s mask %s\"",
5385 s1, s2);
5386 } else {
5387 /* Convert mask len to mask */
5388 if (masklen > 32)
5389 bpf_error("mask length must be <= 32");
5390 if (masklen == 0) {
5391 /*
5392 * X << 32 is not guaranteed by C to be 0; it's
5393 * undefined.
5394 */
5395 m = 0;
5396 } else
5397 m = 0xffffffff << (32 - masklen);
5398 if ((n & ~m) != 0)
5399 bpf_error("non-network bits set in \"%s/%d\"",
5400 s1, masklen);
5401 }
5402
5403 switch (q.addr) {
5404
5405 case Q_NET:
5406 return gen_host(n, m, q.proto, q.dir, q.addr);
5407
5408 default:
5409 bpf_error("Mask syntax for networks only");
5410 /* NOTREACHED */
5411 }
5412 /* NOTREACHED */
5413 return NULL;
5414 }
5415
5416 struct block *
5417 gen_ncode(s, v, q)
5418 register const char *s;
5419 bpf_u_int32 v;
5420 struct qual q;
5421 {
5422 bpf_u_int32 mask;
5423 int proto = q.proto;
5424 int dir = q.dir;
5425 register int vlen;
5426
5427 if (s == NULL)
5428 vlen = 32;
5429 else if (q.proto == Q_DECNET)
5430 vlen = __pcap_atodn(s, &v);
5431 else
5432 vlen = __pcap_atoin(s, &v);
5433
5434 switch (q.addr) {
5435
5436 case Q_DEFAULT:
5437 case Q_HOST:
5438 case Q_NET:
5439 if (proto == Q_DECNET)
5440 return gen_host(v, 0, proto, dir, q.addr);
5441 else if (proto == Q_LINK) {
5442 bpf_error("illegal link layer address");
5443 } else {
5444 mask = 0xffffffff;
5445 if (s == NULL && q.addr == Q_NET) {
5446 /* Promote short net number */
5447 while (v && (v & 0xff000000) == 0) {
5448 v <<= 8;
5449 mask <<= 8;
5450 }
5451 } else {
5452 /* Promote short ipaddr */
5453 v <<= 32 - vlen;
5454 mask <<= 32 - vlen;
5455 }
5456 return gen_host(v, mask, proto, dir, q.addr);
5457 }
5458
5459 case Q_PORT:
5460 if (proto == Q_UDP)
5461 proto = IPPROTO_UDP;
5462 else if (proto == Q_TCP)
5463 proto = IPPROTO_TCP;
5464 else if (proto == Q_SCTP)
5465 proto = IPPROTO_SCTP;
5466 else if (proto == Q_DEFAULT)
5467 proto = PROTO_UNDEF;
5468 else
5469 bpf_error("illegal qualifier of 'port'");
5470
5471 #ifndef INET6
5472 return gen_port((int)v, proto, dir);
5473 #else
5474 {
5475 struct block *b;
5476 b = gen_port((int)v, proto, dir);
5477 gen_or(gen_port6((int)v, proto, dir), b);
5478 return b;
5479 }
5480 #endif /* INET6 */
5481
5482 case Q_PORTRANGE:
5483 if (proto == Q_UDP)
5484 proto = IPPROTO_UDP;
5485 else if (proto == Q_TCP)
5486 proto = IPPROTO_TCP;
5487 else if (proto == Q_SCTP)
5488 proto = IPPROTO_SCTP;
5489 else if (proto == Q_DEFAULT)
5490 proto = PROTO_UNDEF;
5491 else
5492 bpf_error("illegal qualifier of 'portrange'");
5493
5494 #ifndef INET6
5495 return gen_portrange((int)v, (int)v, proto, dir);
5496 #else
5497 {
5498 struct block *b;
5499 b = gen_portrange((int)v, (int)v, proto, dir);
5500 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
5501 return b;
5502 }
5503 #endif /* INET6 */
5504
5505 case Q_GATEWAY:
5506 bpf_error("'gateway' requires a name");
5507 /* NOTREACHED */
5508
5509 case Q_PROTO:
5510 return gen_proto((int)v, proto, dir);
5511
5512 case Q_PROTOCHAIN:
5513 return gen_protochain((int)v, proto, dir);
5514
5515 case Q_UNDEF:
5516 syntax();
5517 /* NOTREACHED */
5518
5519 default:
5520 abort();
5521 /* NOTREACHED */
5522 }
5523 /* NOTREACHED */
5524 }
5525
5526 #ifdef INET6
5527 struct block *
5528 gen_mcode6(s1, s2, masklen, q)
5529 register const char *s1, *s2;
5530 register int masklen;
5531 struct qual q;
5532 {
5533 struct addrinfo *res;
5534 struct in6_addr *addr;
5535 struct in6_addr mask;
5536 struct block *b;
5537 u_int32_t *a, *m;
5538
5539 if (s2)
5540 bpf_error("no mask %s supported", s2);
5541
5542 res = pcap_nametoaddrinfo(s1);
5543 if (!res)
5544 bpf_error("invalid ip6 address %s", s1);
5545 if (res->ai_next)
5546 bpf_error("%s resolved to multiple address", s1);
5547 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
5548
5549 if (sizeof(mask) * 8 < masklen)
5550 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
5551 memset(&mask, 0, sizeof(mask));
5552 memset(&mask, 0xff, masklen / 8);
5553 if (masklen % 8) {
5554 mask.s6_addr[masklen / 8] =
5555 (0xff << (8 - masklen % 8)) & 0xff;
5556 }
5557
5558 a = (u_int32_t *)addr;
5559 m = (u_int32_t *)&mask;
5560 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
5561 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
5562 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
5563 }
5564
5565 switch (q.addr) {
5566
5567 case Q_DEFAULT:
5568 case Q_HOST:
5569 if (masklen != 128)
5570 bpf_error("Mask syntax for networks only");
5571 /* FALLTHROUGH */
5572
5573 case Q_NET:
5574 b = gen_host6(addr, &mask, q.proto, q.dir, q.addr);
5575 freeaddrinfo(res);
5576 return b;
5577
5578 default:
5579 bpf_error("invalid qualifier against IPv6 address");
5580 /* NOTREACHED */
5581 }
5582 return NULL;
5583 }
5584 #endif /*INET6*/
5585
5586 struct block *
5587 gen_ecode(eaddr, q)
5588 register const u_char *eaddr;
5589 struct qual q;
5590 {
5591 struct block *b, *tmp;
5592
5593 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5594 switch (linktype) {
5595 case DLT_EN10MB:
5596 return gen_ehostop(eaddr, (int)q.dir);
5597 case DLT_FDDI:
5598 return gen_fhostop(eaddr, (int)q.dir);
5599 case DLT_IEEE802:
5600 return gen_thostop(eaddr, (int)q.dir);
5601 case DLT_IEEE802_11:
5602 case DLT_IEEE802_11_RADIO_AVS:
5603 case DLT_IEEE802_11_RADIO:
5604 case DLT_PRISM_HEADER:
5605 case DLT_PPI:
5606 return gen_wlanhostop(eaddr, (int)q.dir);
5607 case DLT_SUNATM:
5608 if (is_lane) {
5609 /*
5610 * Check that the packet doesn't begin with an
5611 * LE Control marker. (We've already generated
5612 * a test for LANE.)
5613 */
5614 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5615 0xFF00);
5616 gen_not(tmp);
5617
5618 /*
5619 * Now check the MAC address.
5620 */
5621 b = gen_ehostop(eaddr, (int)q.dir);
5622 gen_and(tmp, b);
5623 return b;
5624 }
5625 break;
5626 case DLT_IP_OVER_FC:
5627 return gen_ipfchostop(eaddr, (int)q.dir);
5628 default:
5629 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5630 break;
5631 }
5632 }
5633 bpf_error("ethernet address used in non-ether expression");
5634 /* NOTREACHED */
5635 return NULL;
5636 }
5637
5638 void
5639 sappend(s0, s1)
5640 struct slist *s0, *s1;
5641 {
5642 /*
5643 * This is definitely not the best way to do this, but the
5644 * lists will rarely get long.
5645 */
5646 while (s0->next)
5647 s0 = s0->next;
5648 s0->next = s1;
5649 }
5650
5651 static struct slist *
5652 xfer_to_x(a)
5653 struct arth *a;
5654 {
5655 struct slist *s;
5656
5657 s = new_stmt(BPF_LDX|BPF_MEM);
5658 s->s.k = a->regno;
5659 return s;
5660 }
5661
5662 static struct slist *
5663 xfer_to_a(a)
5664 struct arth *a;
5665 {
5666 struct slist *s;
5667
5668 s = new_stmt(BPF_LD|BPF_MEM);
5669 s->s.k = a->regno;
5670 return s;
5671 }
5672
5673 /*
5674 * Modify "index" to use the value stored into its register as an
5675 * offset relative to the beginning of the header for the protocol
5676 * "proto", and allocate a register and put an item "size" bytes long
5677 * (1, 2, or 4) at that offset into that register, making it the register
5678 * for "index".
5679 */
5680 struct arth *
5681 gen_load(proto, inst, size)
5682 int proto;
5683 struct arth *inst;
5684 int size;
5685 {
5686 struct slist *s, *tmp;
5687 struct block *b;
5688 int regno = alloc_reg();
5689
5690 free_reg(inst->regno);
5691 switch (size) {
5692
5693 default:
5694 bpf_error("data size must be 1, 2, or 4");
5695
5696 case 1:
5697 size = BPF_B;
5698 break;
5699
5700 case 2:
5701 size = BPF_H;
5702 break;
5703
5704 case 4:
5705 size = BPF_W;
5706 break;
5707 }
5708 switch (proto) {
5709 default:
5710 bpf_error("unsupported index operation");
5711
5712 case Q_RADIO:
5713 /*
5714 * The offset is relative to the beginning of the packet
5715 * data, if we have a radio header. (If we don't, this
5716 * is an error.)
5717 */
5718 if (linktype != DLT_IEEE802_11_RADIO_AVS &&
5719 linktype != DLT_IEEE802_11_RADIO &&
5720 linktype != DLT_PRISM_HEADER)
5721 bpf_error("radio information not present in capture");
5722
5723 /*
5724 * Load into the X register the offset computed into the
5725 * register specifed by "index".
5726 */
5727 s = xfer_to_x(inst);
5728
5729 /*
5730 * Load the item at that offset.
5731 */
5732 tmp = new_stmt(BPF_LD|BPF_IND|size);
5733 sappend(s, tmp);
5734 sappend(inst->s, s);
5735 break;
5736
5737 case Q_LINK:
5738 /*
5739 * The offset is relative to the beginning of
5740 * the link-layer header.
5741 *
5742 * XXX - what about ATM LANE? Should the index be
5743 * relative to the beginning of the AAL5 frame, so
5744 * that 0 refers to the beginning of the LE Control
5745 * field, or relative to the beginning of the LAN
5746 * frame, so that 0 refers, for Ethernet LANE, to
5747 * the beginning of the destination address?
5748 */
5749 s = gen_llprefixlen();
5750
5751 /*
5752 * If "s" is non-null, it has code to arrange that the
5753 * X register contains the length of the prefix preceding
5754 * the link-layer header. Add to it the offset computed
5755 * into the register specified by "index", and move that
5756 * into the X register. Otherwise, just load into the X
5757 * register the offset computed into the register specifed
5758 * by "index".
5759 */
5760 if (s != NULL) {
5761 sappend(s, xfer_to_a(inst));
5762 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5763 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5764 } else
5765 s = xfer_to_x(inst);
5766
5767 /*
5768 * Load the item at the sum of the offset we've put in the
5769 * X register and the offset of the start of the link
5770 * layer header (which is 0 if the radio header is
5771 * variable-length; that header length is what we put
5772 * into the X register and then added to the index).
5773 */
5774 tmp = new_stmt(BPF_LD|BPF_IND|size);
5775 tmp->s.k = off_ll;
5776 sappend(s, tmp);
5777 sappend(inst->s, s);
5778 break;
5779
5780 case Q_IP:
5781 case Q_ARP:
5782 case Q_RARP:
5783 case Q_ATALK:
5784 case Q_DECNET:
5785 case Q_SCA:
5786 case Q_LAT:
5787 case Q_MOPRC:
5788 case Q_MOPDL:
5789 #ifdef INET6
5790 case Q_IPV6:
5791 #endif
5792 /*
5793 * The offset is relative to the beginning of
5794 * the network-layer header.
5795 * XXX - are there any cases where we want
5796 * off_nl_nosnap?
5797 */
5798 s = gen_llprefixlen();
5799
5800 /*
5801 * If "s" is non-null, it has code to arrange that the
5802 * X register contains the length of the prefix preceding
5803 * the link-layer header. Add to it the offset computed
5804 * into the register specified by "index", and move that
5805 * into the X register. Otherwise, just load into the X
5806 * register the offset computed into the register specifed
5807 * by "index".
5808 */
5809 if (s != NULL) {
5810 sappend(s, xfer_to_a(inst));
5811 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5812 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5813 } else
5814 s = xfer_to_x(inst);
5815
5816 /*
5817 * Load the item at the sum of the offset we've put in the
5818 * X register, the offset of the start of the network
5819 * layer header, and the offset of the start of the link
5820 * layer header (which is 0 if the radio header is
5821 * variable-length; that header length is what we put
5822 * into the X register and then added to the index).
5823 */
5824 tmp = new_stmt(BPF_LD|BPF_IND|size);
5825 tmp->s.k = off_ll + off_nl;
5826 sappend(s, tmp);
5827 sappend(inst->s, s);
5828
5829 /*
5830 * Do the computation only if the packet contains
5831 * the protocol in question.
5832 */
5833 b = gen_proto_abbrev(proto);
5834 if (inst->b)
5835 gen_and(inst->b, b);
5836 inst->b = b;
5837 break;
5838
5839 case Q_SCTP:
5840 case Q_TCP:
5841 case Q_UDP:
5842 case Q_ICMP:
5843 case Q_IGMP:
5844 case Q_IGRP:
5845 case Q_PIM:
5846 case Q_VRRP:
5847 /*
5848 * The offset is relative to the beginning of
5849 * the transport-layer header.
5850 *
5851 * Load the X register with the length of the IPv4 header
5852 * (plus the offset of the link-layer header, if it's
5853 * a variable-length header), in bytes.
5854 *
5855 * XXX - are there any cases where we want
5856 * off_nl_nosnap?
5857 * XXX - we should, if we're built with
5858 * IPv6 support, generate code to load either
5859 * IPv4, IPv6, or both, as appropriate.
5860 */
5861 s = gen_loadx_iphdrlen();
5862
5863 /*
5864 * The X register now contains the sum of the length
5865 * of any variable-length header preceding the link-layer
5866 * header and the length of the network-layer header.
5867 * Load into the A register the offset relative to
5868 * the beginning of the transport layer header,
5869 * add the X register to that, move that to the
5870 * X register, and load with an offset from the
5871 * X register equal to the offset of the network
5872 * layer header relative to the beginning of
5873 * the link-layer header plus the length of any
5874 * fixed-length header preceding the link-layer
5875 * header.
5876 */
5877 sappend(s, xfer_to_a(inst));
5878 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5879 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5880 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
5881 tmp->s.k = off_ll + off_nl;
5882 sappend(inst->s, s);
5883
5884 /*
5885 * Do the computation only if the packet contains
5886 * the protocol in question - which is true only
5887 * if this is an IP datagram and is the first or
5888 * only fragment of that datagram.
5889 */
5890 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
5891 if (inst->b)
5892 gen_and(inst->b, b);
5893 #ifdef INET6
5894 gen_and(gen_proto_abbrev(Q_IP), b);
5895 #endif
5896 inst->b = b;
5897 break;
5898 #ifdef INET6
5899 case Q_ICMPV6:
5900 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
5901 /*NOTREACHED*/
5902 #endif
5903 }
5904 inst->regno = regno;
5905 s = new_stmt(BPF_ST);
5906 s->s.k = regno;
5907 sappend(inst->s, s);
5908
5909 return inst;
5910 }
5911
5912 struct block *
5913 gen_relation(code, a0, a1, reversed)
5914 int code;
5915 struct arth *a0, *a1;
5916 int reversed;
5917 {
5918 struct slist *s0, *s1, *s2;
5919 struct block *b, *tmp;
5920
5921 s0 = xfer_to_x(a1);
5922 s1 = xfer_to_a(a0);
5923 if (code == BPF_JEQ) {
5924 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
5925 b = new_block(JMP(code));
5926 sappend(s1, s2);
5927 }
5928 else
5929 b = new_block(BPF_JMP|code|BPF_X);
5930 if (reversed)
5931 gen_not(b);
5932
5933 sappend(s0, s1);
5934 sappend(a1->s, s0);
5935 sappend(a0->s, a1->s);
5936
5937 b->stmts = a0->s;
5938
5939 free_reg(a0->regno);
5940 free_reg(a1->regno);
5941
5942 /* 'and' together protocol checks */
5943 if (a0->b) {
5944 if (a1->b) {
5945 gen_and(a0->b, tmp = a1->b);
5946 }
5947 else
5948 tmp = a0->b;
5949 } else
5950 tmp = a1->b;
5951
5952 if (tmp)
5953 gen_and(tmp, b);
5954
5955 return b;
5956 }
5957
5958 struct arth *
5959 gen_loadlen()
5960 {
5961 int regno = alloc_reg();
5962 struct arth *a = (struct arth *)newchunk(sizeof(*a));
5963 struct slist *s;
5964
5965 s = new_stmt(BPF_LD|BPF_LEN);
5966 s->next = new_stmt(BPF_ST);
5967 s->next->s.k = regno;
5968 a->s = s;
5969 a->regno = regno;
5970
5971 return a;
5972 }
5973
5974 struct arth *
5975 gen_loadi(val)
5976 int val;
5977 {
5978 struct arth *a;
5979 struct slist *s;
5980 int reg;
5981
5982 a = (struct arth *)newchunk(sizeof(*a));
5983
5984 reg = alloc_reg();
5985
5986 s = new_stmt(BPF_LD|BPF_IMM);
5987 s->s.k = val;
5988 s->next = new_stmt(BPF_ST);
5989 s->next->s.k = reg;
5990 a->s = s;
5991 a->regno = reg;
5992
5993 return a;
5994 }
5995
5996 struct arth *
5997 gen_neg(a)
5998 struct arth *a;
5999 {
6000 struct slist *s;
6001
6002 s = xfer_to_a(a);
6003 sappend(a->s, s);
6004 s = new_stmt(BPF_ALU|BPF_NEG);
6005 s->s.k = 0;
6006 sappend(a->s, s);
6007 s = new_stmt(BPF_ST);
6008 s->s.k = a->regno;
6009 sappend(a->s, s);
6010
6011 return a;
6012 }
6013
6014 struct arth *
6015 gen_arth(code, a0, a1)
6016 int code;
6017 struct arth *a0, *a1;
6018 {
6019 struct slist *s0, *s1, *s2;
6020
6021 s0 = xfer_to_x(a1);
6022 s1 = xfer_to_a(a0);
6023 s2 = new_stmt(BPF_ALU|BPF_X|code);
6024
6025 sappend(s1, s2);
6026 sappend(s0, s1);
6027 sappend(a1->s, s0);
6028 sappend(a0->s, a1->s);
6029
6030 free_reg(a0->regno);
6031 free_reg(a1->regno);
6032
6033 s0 = new_stmt(BPF_ST);
6034 a0->regno = s0->s.k = alloc_reg();
6035 sappend(a0->s, s0);
6036
6037 return a0;
6038 }
6039
6040 /*
6041 * Here we handle simple allocation of the scratch registers.
6042 * If too many registers are alloc'd, the allocator punts.
6043 */
6044 static int regused[BPF_MEMWORDS];
6045 static int curreg;
6046
6047 /*
6048 * Return the next free register.
6049 */
6050 static int
6051 alloc_reg()
6052 {
6053 int n = BPF_MEMWORDS;
6054
6055 while (--n >= 0) {
6056 if (regused[curreg])
6057 curreg = (curreg + 1) % BPF_MEMWORDS;
6058 else {
6059 regused[curreg] = 1;
6060 return curreg;
6061 }
6062 }
6063 bpf_error("too many registers needed to evaluate expression");
6064 /* NOTREACHED */
6065 return 0;
6066 }
6067
6068 /*
6069 * Return a register to the table so it can
6070 * be used later.
6071 */
6072 static void
6073 free_reg(n)
6074 int n;
6075 {
6076 regused[n] = 0;
6077 }
6078
6079 static struct block *
6080 gen_len(jmp, n)
6081 int jmp, n;
6082 {
6083 struct slist *s;
6084 struct block *b;
6085
6086 s = new_stmt(BPF_LD|BPF_LEN);
6087 b = new_block(JMP(jmp));
6088 b->stmts = s;
6089 b->s.k = n;
6090
6091 return b;
6092 }
6093
6094 struct block *
6095 gen_greater(n)
6096 int n;
6097 {
6098 return gen_len(BPF_JGE, n);
6099 }
6100
6101 /*
6102 * Actually, this is less than or equal.
6103 */
6104 struct block *
6105 gen_less(n)
6106 int n;
6107 {
6108 struct block *b;
6109
6110 b = gen_len(BPF_JGT, n);
6111 gen_not(b);
6112
6113 return b;
6114 }
6115
6116 /*
6117 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
6118 * the beginning of the link-layer header.
6119 * XXX - that means you can't test values in the radiotap header, but
6120 * as that header is difficult if not impossible to parse generally
6121 * without a loop, that might not be a severe problem. A new keyword
6122 * "radio" could be added for that, although what you'd really want
6123 * would be a way of testing particular radio header values, which
6124 * would generate code appropriate to the radio header in question.
6125 */
6126 struct block *
6127 gen_byteop(op, idx, val)
6128 int op, idx, val;
6129 {
6130 struct block *b;
6131 struct slist *s;
6132
6133 switch (op) {
6134 default:
6135 abort();
6136
6137 case '=':
6138 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6139
6140 case '<':
6141 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6142 return b;
6143
6144 case '>':
6145 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
6146 return b;
6147
6148 case '|':
6149 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
6150 break;
6151
6152 case '&':
6153 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
6154 break;
6155 }
6156 s->s.k = val;
6157 b = new_block(JMP(BPF_JEQ));
6158 b->stmts = s;
6159 gen_not(b);
6160
6161 return b;
6162 }
6163
6164 static u_char abroadcast[] = { 0x0 };
6165
6166 struct block *
6167 gen_broadcast(proto)
6168 int proto;
6169 {
6170 bpf_u_int32 hostmask;
6171 struct block *b0, *b1, *b2;
6172 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
6173
6174 switch (proto) {
6175
6176 case Q_DEFAULT:
6177 case Q_LINK:
6178 switch (linktype) {
6179 case DLT_ARCNET:
6180 case DLT_ARCNET_LINUX:
6181 return gen_ahostop(abroadcast, Q_DST);
6182 case DLT_EN10MB:
6183 return gen_ehostop(ebroadcast, Q_DST);
6184 case DLT_FDDI:
6185 return gen_fhostop(ebroadcast, Q_DST);
6186 case DLT_IEEE802:
6187 return gen_thostop(ebroadcast, Q_DST);
6188 case DLT_IEEE802_11:
6189 case DLT_IEEE802_11_RADIO_AVS:
6190 case DLT_IEEE802_11_RADIO:
6191 case DLT_PPI:
6192 case DLT_PRISM_HEADER:
6193 return gen_wlanhostop(ebroadcast, Q_DST);
6194 case DLT_IP_OVER_FC:
6195 return gen_ipfchostop(ebroadcast, Q_DST);
6196 case DLT_SUNATM:
6197 if (is_lane) {
6198 /*
6199 * Check that the packet doesn't begin with an
6200 * LE Control marker. (We've already generated
6201 * a test for LANE.)
6202 */
6203 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6204 BPF_H, 0xFF00);
6205 gen_not(b1);
6206
6207 /*
6208 * Now check the MAC address.
6209 */
6210 b0 = gen_ehostop(ebroadcast, Q_DST);
6211 gen_and(b1, b0);
6212 return b0;
6213 }
6214 break;
6215 default:
6216 bpf_error("not a broadcast link");
6217 }
6218 break;
6219
6220 case Q_IP:
6221 b0 = gen_linktype(ETHERTYPE_IP);
6222 hostmask = ~netmask;
6223 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
6224 b2 = gen_mcmp(OR_NET, 16, BPF_W,
6225 (bpf_int32)(~0 & hostmask), hostmask);
6226 gen_or(b1, b2);
6227 gen_and(b0, b2);
6228 return b2;
6229 }
6230 bpf_error("only link-layer/IP broadcast filters supported");
6231 /* NOTREACHED */
6232 return NULL;
6233 }
6234
6235 /*
6236 * Generate code to test the low-order bit of a MAC address (that's
6237 * the bottom bit of the *first* byte).
6238 */
6239 static struct block *
6240 gen_mac_multicast(offset)
6241 int offset;
6242 {
6243 register struct block *b0;
6244 register struct slist *s;
6245
6246 /* link[offset] & 1 != 0 */
6247 s = gen_load_a(OR_LINK, offset, BPF_B);
6248 b0 = new_block(JMP(BPF_JSET));
6249 b0->s.k = 1;
6250 b0->stmts = s;
6251 return b0;
6252 }
6253
6254 struct block *
6255 gen_multicast(proto)
6256 int proto;
6257 {
6258 register struct block *b0, *b1, *b2;
6259 register struct slist *s;
6260
6261 switch (proto) {
6262
6263 case Q_DEFAULT:
6264 case Q_LINK:
6265 switch (linktype) {
6266 case DLT_ARCNET:
6267 case DLT_ARCNET_LINUX:
6268 /* all ARCnet multicasts use the same address */
6269 return gen_ahostop(abroadcast, Q_DST);
6270 case DLT_EN10MB:
6271 /* ether[0] & 1 != 0 */
6272 return gen_mac_multicast(0);
6273 case DLT_FDDI:
6274 /*
6275 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
6276 *
6277 * XXX - was that referring to bit-order issues?
6278 */
6279 /* fddi[1] & 1 != 0 */
6280 return gen_mac_multicast(1);
6281 case DLT_IEEE802:
6282 /* tr[2] & 1 != 0 */
6283 return gen_mac_multicast(2);
6284 case DLT_IEEE802_11:
6285 case DLT_IEEE802_11_RADIO_AVS:
6286 case DLT_PPI:
6287 case DLT_IEEE802_11_RADIO:
6288 case DLT_PRISM_HEADER:
6289 /*
6290 * Oh, yuk.
6291 *
6292 * For control frames, there is no DA.
6293 *
6294 * For management frames, DA is at an
6295 * offset of 4 from the beginning of
6296 * the packet.
6297 *
6298 * For data frames, DA is at an offset
6299 * of 4 from the beginning of the packet
6300 * if To DS is clear and at an offset of
6301 * 16 from the beginning of the packet
6302 * if To DS is set.
6303 */
6304
6305 /*
6306 * Generate the tests to be done for data frames.
6307 *
6308 * First, check for To DS set, i.e. "link[1] & 0x01".
6309 */
6310 s = gen_load_a(OR_LINK, 1, BPF_B);
6311 b1 = new_block(JMP(BPF_JSET));
6312 b1->s.k = 0x01; /* To DS */
6313 b1->stmts = s;
6314
6315 /*
6316 * If To DS is set, the DA is at 16.
6317 */
6318 b0 = gen_mac_multicast(16);
6319 gen_and(b1, b0);
6320
6321 /*
6322 * Now, check for To DS not set, i.e. check
6323 * "!(link[1] & 0x01)".
6324 */
6325 s = gen_load_a(OR_LINK, 1, BPF_B);
6326 b2 = new_block(JMP(BPF_JSET));
6327 b2->s.k = 0x01; /* To DS */
6328 b2->stmts = s;
6329 gen_not(b2);
6330
6331 /*
6332 * If To DS is not set, the DA is at 4.
6333 */
6334 b1 = gen_mac_multicast(4);
6335 gen_and(b2, b1);
6336
6337 /*
6338 * Now OR together the last two checks. That gives
6339 * the complete set of checks for data frames.
6340 */
6341 gen_or(b1, b0);
6342
6343 /*
6344 * Now check for a data frame.
6345 * I.e, check "link[0] & 0x08".
6346 */
6347 s = gen_load_a(OR_LINK, 0, BPF_B);
6348 b1 = new_block(JMP(BPF_JSET));
6349 b1->s.k = 0x08;
6350 b1->stmts = s;
6351
6352 /*
6353 * AND that with the checks done for data frames.
6354 */
6355 gen_and(b1, b0);
6356
6357 /*
6358 * If the high-order bit of the type value is 0, this
6359 * is a management frame.
6360 * I.e, check "!(link[0] & 0x08)".
6361 */
6362 s = gen_load_a(OR_LINK, 0, BPF_B);
6363 b2 = new_block(JMP(BPF_JSET));
6364 b2->s.k = 0x08;
6365 b2->stmts = s;
6366 gen_not(b2);
6367
6368 /*
6369 * For management frames, the DA is at 4.
6370 */
6371 b1 = gen_mac_multicast(4);
6372 gen_and(b2, b1);
6373
6374 /*
6375 * OR that with the checks done for data frames.
6376 * That gives the checks done for management and
6377 * data frames.
6378 */
6379 gen_or(b1, b0);
6380
6381 /*
6382 * If the low-order bit of the type value is 1,
6383 * this is either a control frame or a frame
6384 * with a reserved type, and thus not a
6385 * frame with an SA.
6386 *
6387 * I.e., check "!(link[0] & 0x04)".
6388 */
6389 s = gen_load_a(OR_LINK, 0, BPF_B);
6390 b1 = new_block(JMP(BPF_JSET));
6391 b1->s.k = 0x04;
6392 b1->stmts = s;
6393 gen_not(b1);
6394
6395 /*
6396 * AND that with the checks for data and management
6397 * frames.
6398 */
6399 gen_and(b1, b0);
6400 return b0;
6401 case DLT_IP_OVER_FC:
6402 b0 = gen_mac_multicast(2);
6403 return b0;
6404 case DLT_SUNATM:
6405 if (is_lane) {
6406 /*
6407 * Check that the packet doesn't begin with an
6408 * LE Control marker. (We've already generated
6409 * a test for LANE.)
6410 */
6411 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
6412 BPF_H, 0xFF00);
6413 gen_not(b1);
6414
6415 /* ether[off_mac] & 1 != 0 */
6416 b0 = gen_mac_multicast(off_mac);
6417 gen_and(b1, b0);
6418 return b0;
6419 }
6420 break;
6421 default:
6422 break;
6423 }
6424 /* Link not known to support multicasts */
6425 break;
6426
6427 case Q_IP:
6428 b0 = gen_linktype(ETHERTYPE_IP);
6429 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
6430 gen_and(b0, b1);
6431 return b1;
6432
6433 #ifdef INET6
6434 case Q_IPV6:
6435 b0 = gen_linktype(ETHERTYPE_IPV6);
6436 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
6437 gen_and(b0, b1);
6438 return b1;
6439 #endif /* INET6 */
6440 }
6441 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
6442 /* NOTREACHED */
6443 return NULL;
6444 }
6445
6446 /*
6447 * generate command for inbound/outbound. It's here so we can
6448 * make it link-type specific. 'dir' = 0 implies "inbound",
6449 * = 1 implies "outbound".
6450 */
6451 struct block *
6452 gen_inbound(dir)
6453 int dir;
6454 {
6455 register struct block *b0;
6456
6457 /*
6458 * Only some data link types support inbound/outbound qualifiers.
6459 */
6460 switch (linktype) {
6461 case DLT_SLIP:
6462 b0 = gen_relation(BPF_JEQ,
6463 gen_load(Q_LINK, gen_loadi(0), 1),
6464 gen_loadi(0),
6465 dir);
6466 break;
6467
6468 case DLT_LINUX_SLL:
6469 if (dir) {
6470 /*
6471 * Match packets sent by this machine.
6472 */
6473 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
6474 } else {
6475 /*
6476 * Match packets sent to this machine.
6477 * (No broadcast or multicast packets, or
6478 * packets sent to some other machine and
6479 * received promiscuously.)
6480 *
6481 * XXX - packets sent to other machines probably
6482 * shouldn't be matched, but what about broadcast
6483 * or multicast packets we received?
6484 */
6485 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
6486 }
6487 break;
6488
6489 #ifdef HAVE_NET_PFVAR_H
6490 case DLT_PFLOG:
6491 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
6492 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
6493 break;
6494 #endif
6495
6496 case DLT_PPP_PPPD:
6497 if (dir) {
6498 /* match outgoing packets */
6499 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
6500 } else {
6501 /* match incoming packets */
6502 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
6503 }
6504 break;
6505
6506 case DLT_JUNIPER_MFR:
6507 case DLT_JUNIPER_MLFR:
6508 case DLT_JUNIPER_MLPPP:
6509 case DLT_JUNIPER_ATM1:
6510 case DLT_JUNIPER_ATM2:
6511 case DLT_JUNIPER_PPPOE:
6512 case DLT_JUNIPER_PPPOE_ATM:
6513 case DLT_JUNIPER_GGSN:
6514 case DLT_JUNIPER_ES:
6515 case DLT_JUNIPER_MONITOR:
6516 case DLT_JUNIPER_SERVICES:
6517 case DLT_JUNIPER_ETHER:
6518 case DLT_JUNIPER_PPP:
6519 case DLT_JUNIPER_FRELAY:
6520 case DLT_JUNIPER_CHDLC:
6521 case DLT_JUNIPER_VP:
6522 case DLT_JUNIPER_ST:
6523 case DLT_JUNIPER_ISM:
6524 /* juniper flags (including direction) are stored
6525 * the byte after the 3-byte magic number */
6526 if (dir) {
6527 /* match outgoing packets */
6528 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
6529 } else {
6530 /* match incoming packets */
6531 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
6532 }
6533 break;
6534
6535 default:
6536 bpf_error("inbound/outbound not supported on linktype %d",
6537 linktype);
6538 b0 = NULL;
6539 /* NOTREACHED */
6540 }
6541 return (b0);
6542 }
6543
6544 #ifdef HAVE_NET_PFVAR_H
6545 /* PF firewall log matched interface */
6546 struct block *
6547 gen_pf_ifname(const char *ifname)
6548 {
6549 struct block *b0;
6550 u_int len, off;
6551
6552 if (linktype != DLT_PFLOG) {
6553 bpf_error("ifname supported only on PF linktype");
6554 /* NOTREACHED */
6555 }
6556 len = sizeof(((struct pfloghdr *)0)->ifname);
6557 off = offsetof(struct pfloghdr, ifname);
6558 if (strlen(ifname) >= len) {
6559 bpf_error("ifname interface names can only be %d characters",
6560 len-1);
6561 /* NOTREACHED */
6562 }
6563 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
6564 return (b0);
6565 }
6566
6567 /* PF firewall log ruleset name */
6568 struct block *
6569 gen_pf_ruleset(char *ruleset)
6570 {
6571 struct block *b0;
6572
6573 if (linktype != DLT_PFLOG) {
6574 bpf_error("ruleset supported only on PF linktype");
6575 /* NOTREACHED */
6576 }
6577
6578 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
6579 bpf_error("ruleset names can only be %ld characters",
6580 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
6581 /* NOTREACHED */
6582 }
6583
6584 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
6585 strlen(ruleset), (const u_char *)ruleset);
6586 return (b0);
6587 }
6588
6589 /* PF firewall log rule number */
6590 struct block *
6591 gen_pf_rnr(int rnr)
6592 {
6593 struct block *b0;
6594
6595 if (linktype != DLT_PFLOG) {
6596 bpf_error("rnr supported only on PF linktype");
6597 /* NOTREACHED */
6598 }
6599
6600 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
6601 (bpf_int32)rnr);
6602 return (b0);
6603 }
6604
6605 /* PF firewall log sub-rule number */
6606 struct block *
6607 gen_pf_srnr(int srnr)
6608 {
6609 struct block *b0;
6610
6611 if (linktype != DLT_PFLOG) {
6612 bpf_error("srnr supported only on PF linktype");
6613 /* NOTREACHED */
6614 }
6615
6616 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
6617 (bpf_int32)srnr);
6618 return (b0);
6619 }
6620
6621 /* PF firewall log reason code */
6622 struct block *
6623 gen_pf_reason(int reason)
6624 {
6625 struct block *b0;
6626
6627 if (linktype != DLT_PFLOG) {
6628 bpf_error("reason supported only on PF linktype");
6629 /* NOTREACHED */
6630 }
6631
6632 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
6633 (bpf_int32)reason);
6634 return (b0);
6635 }
6636
6637 /* PF firewall log action */
6638 struct block *
6639 gen_pf_action(int action)
6640 {
6641 struct block *b0;
6642
6643 if (linktype != DLT_PFLOG) {
6644 bpf_error("action supported only on PF linktype");
6645 /* NOTREACHED */
6646 }
6647
6648 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
6649 (bpf_int32)action);
6650 return (b0);
6651 }
6652 #else /* !HAVE_NET_PFVAR_H */
6653 struct block *
6654 gen_pf_ifname(const char *ifname)
6655 {
6656 bpf_error("libpcap was compiled without pf support");
6657 /* NOTREACHED */
6658 return (NULL);
6659 }
6660
6661 struct block *
6662 gen_pf_ruleset(char *ruleset)
6663 {
6664 bpf_error("libpcap was compiled on a machine without pf support");
6665 /* NOTREACHED */
6666 return (NULL);
6667 }
6668
6669 struct block *
6670 gen_pf_rnr(int rnr)
6671 {
6672 bpf_error("libpcap was compiled on a machine without pf support");
6673 /* NOTREACHED */
6674 return (NULL);
6675 }
6676
6677 struct block *
6678 gen_pf_srnr(int srnr)
6679 {
6680 bpf_error("libpcap was compiled on a machine without pf support");
6681 /* NOTREACHED */
6682 return (NULL);
6683 }
6684
6685 struct block *
6686 gen_pf_reason(int reason)
6687 {
6688 bpf_error("libpcap was compiled on a machine without pf support");
6689 /* NOTREACHED */
6690 return (NULL);
6691 }
6692
6693 struct block *
6694 gen_pf_action(int action)
6695 {
6696 bpf_error("libpcap was compiled on a machine without pf support");
6697 /* NOTREACHED */
6698 return (NULL);
6699 }
6700 #endif /* HAVE_NET_PFVAR_H */
6701
6702 /* IEEE 802.11 wireless header */
6703 struct block *
6704 gen_p80211_type(int type, int mask)
6705 {
6706 struct block *b0;
6707
6708 switch (linktype) {
6709
6710 case DLT_IEEE802_11:
6711 case DLT_PRISM_HEADER:
6712 case DLT_IEEE802_11_RADIO_AVS:
6713 case DLT_IEEE802_11_RADIO:
6714 b0 = gen_mcmp(OR_LINK, 0, BPF_B, (bpf_int32)type,
6715 (bpf_int32)mask);
6716 break;
6717
6718 default:
6719 bpf_error("802.11 link-layer types supported only on 802.11");
6720 /* NOTREACHED */
6721 }
6722 return (b0);
6723 }
6724
6725 struct block *
6726 gen_acode(eaddr, q)
6727 register const u_char *eaddr;
6728 struct qual q;
6729 {
6730 switch (linktype) {
6731
6732 case DLT_ARCNET:
6733 case DLT_ARCNET_LINUX:
6734 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
6735 q.proto == Q_LINK)
6736 return (gen_ahostop(eaddr, (int)q.dir));
6737 else {
6738 bpf_error("ARCnet address used in non-arc expression");
6739 /* NOTREACHED */
6740 }
6741 break;
6742
6743 default:
6744 bpf_error("aid supported only on ARCnet");
6745 /* NOTREACHED */
6746 }
6747 bpf_error("ARCnet address used in non-arc expression");
6748 /* NOTREACHED */
6749 return NULL;
6750 }
6751
6752 static struct block *
6753 gen_ahostop(eaddr, dir)
6754 register const u_char *eaddr;
6755 register int dir;
6756 {
6757 register struct block *b0, *b1;
6758
6759 switch (dir) {
6760 /* src comes first, different from Ethernet */
6761 case Q_SRC:
6762 return gen_bcmp(OR_LINK, 0, 1, eaddr);
6763
6764 case Q_DST:
6765 return gen_bcmp(OR_LINK, 1, 1, eaddr);
6766
6767 case Q_AND:
6768 b0 = gen_ahostop(eaddr, Q_SRC);
6769 b1 = gen_ahostop(eaddr, Q_DST);
6770 gen_and(b0, b1);
6771 return b1;
6772
6773 case Q_DEFAULT:
6774 case Q_OR:
6775 b0 = gen_ahostop(eaddr, Q_SRC);
6776 b1 = gen_ahostop(eaddr, Q_DST);
6777 gen_or(b0, b1);
6778 return b1;
6779 }
6780 abort();
6781 /* NOTREACHED */
6782 }
6783
6784 /*
6785 * support IEEE 802.1Q VLAN trunk over ethernet
6786 */
6787 struct block *
6788 gen_vlan(vlan_num)
6789 int vlan_num;
6790 {
6791 struct block *b0, *b1;
6792
6793 /* can't check for VLAN-encapsulated packets inside MPLS */
6794 if (label_stack_depth > 0)
6795 bpf_error("no VLAN match after MPLS");
6796
6797 /*
6798 * Change the offsets to point to the type and data fields within
6799 * the VLAN packet. Just increment the offsets, so that we
6800 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to
6801 * capture VLAN 200 encapsulated within VLAN 100.
6802 *
6803 * XXX - this is a bit of a kludge. If we were to split the
6804 * compiler into a parser that parses an expression and
6805 * generates an expression tree, and a code generator that
6806 * takes an expression tree (which could come from our
6807 * parser or from some other parser) and generates BPF code,
6808 * we could perhaps make the offsets parameters of routines
6809 * and, in the handler for an "AND" node, pass to subnodes
6810 * other than the VLAN node the adjusted offsets.
6811 *
6812 * This would mean that "vlan" would, instead of changing the
6813 * behavior of *all* tests after it, change only the behavior
6814 * of tests ANDed with it. That would change the documented
6815 * semantics of "vlan", which might break some expressions.
6816 * However, it would mean that "(vlan and ip) or ip" would check
6817 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6818 * checking only for VLAN-encapsulated IP, so that could still
6819 * be considered worth doing; it wouldn't break expressions
6820 * that are of the form "vlan and ..." or "vlan N and ...",
6821 * which I suspect are the most common expressions involving
6822 * "vlan". "vlan or ..." doesn't necessarily do what the user
6823 * would really want, now, as all the "or ..." tests would
6824 * be done assuming a VLAN, even though the "or" could be viewed
6825 * as meaning "or, if this isn't a VLAN packet...".
6826 */
6827 orig_linktype = off_linktype; /* save original values */
6828 orig_nl = off_nl;
6829
6830 switch (linktype) {
6831
6832 case DLT_EN10MB:
6833 off_linktype += 4;
6834 off_nl_nosnap += 4;
6835 off_nl += 4;
6836 break;
6837
6838 default:
6839 bpf_error("no VLAN support for data link type %d",
6840 linktype);
6841 /*NOTREACHED*/
6842 }
6843
6844 /* check for VLAN */
6845 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
6846
6847 /* If a specific VLAN is requested, check VLAN id */
6848 if (vlan_num >= 0) {
6849 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num,
6850 0x0fff);
6851 gen_and(b0, b1);
6852 b0 = b1;
6853 }
6854
6855 return (b0);
6856 }
6857
6858 /*
6859 * support for MPLS
6860 */
6861 struct block *
6862 gen_mpls(label_num)
6863 int label_num;
6864 {
6865 struct block *b0,*b1;
6866
6867 /*
6868 * Change the offsets to point to the type and data fields within
6869 * the MPLS packet. Just increment the offsets, so that we
6870 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
6871 * capture packets with an outer label of 100000 and an inner
6872 * label of 1024.
6873 *
6874 * XXX - this is a bit of a kludge. See comments in gen_vlan().
6875 */
6876 orig_nl = off_nl;
6877
6878 if (label_stack_depth > 0) {
6879 /* just match the bottom-of-stack bit clear */
6880 b0 = gen_mcmp(OR_LINK, orig_nl-2, BPF_B, 0, 0x01);
6881 } else {
6882 /*
6883 * Indicate that we're checking MPLS-encapsulated headers,
6884 * to make sure higher level code generators don't try to
6885 * match against IP-related protocols such as Q_ARP, Q_RARP
6886 * etc.
6887 */
6888 switch (linktype) {
6889
6890 case DLT_C_HDLC: /* fall through */
6891 case DLT_EN10MB:
6892 b0 = gen_linktype(ETHERTYPE_MPLS);
6893 break;
6894
6895 case DLT_PPP:
6896 b0 = gen_linktype(PPP_MPLS_UCAST);
6897 break;
6898
6899 /* FIXME add other DLT_s ...
6900 * for Frame-Relay/and ATM this may get messy due to SNAP headers
6901 * leave it for now */
6902
6903 default:
6904 bpf_error("no MPLS support for data link type %d",
6905 linktype);
6906 b0 = NULL;
6907 /*NOTREACHED*/
6908 break;
6909 }
6910 }
6911
6912 /* If a specific MPLS label is requested, check it */
6913 if (label_num >= 0) {
6914 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
6915 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num,
6916 0xfffff000); /* only compare the first 20 bits */
6917 gen_and(b0, b1);
6918 b0 = b1;
6919 }
6920
6921 off_nl_nosnap += 4;
6922 off_nl += 4;
6923 label_stack_depth++;
6924 return (b0);
6925 }
6926
6927 /*
6928 * Support PPPOE discovery and session.
6929 */
6930 struct block *
6931 gen_pppoed()
6932 {
6933 /* check for PPPoE discovery */
6934 return gen_linktype((bpf_int32)ETHERTYPE_PPPOED);
6935 }
6936
6937 struct block *
6938 gen_pppoes()
6939 {
6940 struct block *b0;
6941
6942 /*
6943 * Test against the PPPoE session link-layer type.
6944 */
6945 b0 = gen_linktype((bpf_int32)ETHERTYPE_PPPOES);
6946
6947 /*
6948 * Change the offsets to point to the type and data fields within
6949 * the PPP packet.
6950 *
6951 * XXX - this is a bit of a kludge. If we were to split the
6952 * compiler into a parser that parses an expression and
6953 * generates an expression tree, and a code generator that
6954 * takes an expression tree (which could come from our
6955 * parser or from some other parser) and generates BPF code,
6956 * we could perhaps make the offsets parameters of routines
6957 * and, in the handler for an "AND" node, pass to subnodes
6958 * other than the PPPoE node the adjusted offsets.
6959 *
6960 * This would mean that "pppoes" would, instead of changing the
6961 * behavior of *all* tests after it, change only the behavior
6962 * of tests ANDed with it. That would change the documented
6963 * semantics of "pppoes", which might break some expressions.
6964 * However, it would mean that "(pppoes and ip) or ip" would check
6965 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6966 * checking only for VLAN-encapsulated IP, so that could still
6967 * be considered worth doing; it wouldn't break expressions
6968 * that are of the form "pppoes and ..." which I suspect are the
6969 * most common expressions involving "pppoes". "pppoes or ..."
6970 * doesn't necessarily do what the user would really want, now,
6971 * as all the "or ..." tests would be done assuming PPPoE, even
6972 * though the "or" could be viewed as meaning "or, if this isn't
6973 * a PPPoE packet...".
6974 */
6975 orig_linktype = off_linktype; /* save original values */
6976 orig_nl = off_nl;
6977
6978 /*
6979 * The "network-layer" protocol is PPPoE, which has a 6-byte
6980 * PPPoE header, followed by PPP payload, so we set the
6981 * offsets to the network layer offset plus 6 bytes for
6982 * the PPPoE header plus the values appropriate for PPP when
6983 * encapsulated in Ethernet (which means there's no HDLC
6984 * encapsulation).
6985 */
6986 off_linktype = orig_nl + 6;
6987 off_nl = orig_nl + 6 + 2;
6988 off_nl_nosnap = orig_nl + 6 + 2;
6989
6990 /*
6991 * Set the link-layer type to PPP, as all subsequent tests will
6992 * be on the encapsulated PPP header.
6993 */
6994 linktype = DLT_PPP;
6995
6996 return b0;
6997 }
6998
6999 struct block *
7000 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
7001 int atmfield;
7002 bpf_int32 jvalue;
7003 bpf_u_int32 jtype;
7004 int reverse;
7005 {
7006 struct block *b0;
7007
7008 switch (atmfield) {
7009
7010 case A_VPI:
7011 if (!is_atm)
7012 bpf_error("'vpi' supported only on raw ATM");
7013 if (off_vpi == (u_int)-1)
7014 abort();
7015 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
7016 reverse, jvalue);
7017 break;
7018
7019 case A_VCI:
7020 if (!is_atm)
7021 bpf_error("'vci' supported only on raw ATM");
7022 if (off_vci == (u_int)-1)
7023 abort();
7024 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
7025 reverse, jvalue);
7026 break;
7027
7028 case A_PROTOTYPE:
7029 if (off_proto == (u_int)-1)
7030 abort(); /* XXX - this isn't on FreeBSD */
7031 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
7032 reverse, jvalue);
7033 break;
7034
7035 case A_MSGTYPE:
7036 if (off_payload == (u_int)-1)
7037 abort();
7038 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
7039 0xffffffff, jtype, reverse, jvalue);
7040 break;
7041
7042 case A_CALLREFTYPE:
7043 if (!is_atm)
7044 bpf_error("'callref' supported only on raw ATM");
7045 if (off_proto == (u_int)-1)
7046 abort();
7047 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
7048 jtype, reverse, jvalue);
7049 break;
7050
7051 default:
7052 abort();
7053 }
7054 return b0;
7055 }
7056
7057 struct block *
7058 gen_atmtype_abbrev(type)
7059 int type;
7060 {
7061 struct block *b0, *b1;
7062
7063 switch (type) {
7064
7065 case A_METAC:
7066 /* Get all packets in Meta signalling Circuit */
7067 if (!is_atm)
7068 bpf_error("'metac' supported only on raw ATM");
7069 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7070 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
7071 gen_and(b0, b1);
7072 break;
7073
7074 case A_BCC:
7075 /* Get all packets in Broadcast Circuit*/
7076 if (!is_atm)
7077 bpf_error("'bcc' supported only on raw ATM");
7078 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7079 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
7080 gen_and(b0, b1);
7081 break;
7082
7083 case A_OAMF4SC:
7084 /* Get all cells in Segment OAM F4 circuit*/
7085 if (!is_atm)
7086 bpf_error("'oam4sc' supported only on raw ATM");
7087 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7088 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
7089 gen_and(b0, b1);
7090 break;
7091
7092 case A_OAMF4EC:
7093 /* Get all cells in End-to-End OAM F4 Circuit*/
7094 if (!is_atm)
7095 bpf_error("'oam4ec' supported only on raw ATM");
7096 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7097 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
7098 gen_and(b0, b1);
7099 break;
7100
7101 case A_SC:
7102 /* Get all packets in connection Signalling Circuit */
7103 if (!is_atm)
7104 bpf_error("'sc' supported only on raw ATM");
7105 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7106 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
7107 gen_and(b0, b1);
7108 break;
7109
7110 case A_ILMIC:
7111 /* Get all packets in ILMI Circuit */
7112 if (!is_atm)
7113 bpf_error("'ilmic' supported only on raw ATM");
7114 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7115 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
7116 gen_and(b0, b1);
7117 break;
7118
7119 case A_LANE:
7120 /* Get all LANE packets */
7121 if (!is_atm)
7122 bpf_error("'lane' supported only on raw ATM");
7123 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
7124
7125 /*
7126 * Arrange that all subsequent tests assume LANE
7127 * rather than LLC-encapsulated packets, and set
7128 * the offsets appropriately for LANE-encapsulated
7129 * Ethernet.
7130 *
7131 * "off_mac" is the offset of the Ethernet header,
7132 * which is 2 bytes past the ATM pseudo-header
7133 * (skipping the pseudo-header and 2-byte LE Client
7134 * field). The other offsets are Ethernet offsets
7135 * relative to "off_mac".
7136 */
7137 is_lane = 1;
7138 off_mac = off_payload + 2; /* MAC header */
7139 off_linktype = off_mac + 12;
7140 off_nl = off_mac + 14; /* Ethernet II */
7141 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
7142 break;
7143
7144 case A_LLC:
7145 /* Get all LLC-encapsulated packets */
7146 if (!is_atm)
7147 bpf_error("'llc' supported only on raw ATM");
7148 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
7149 is_lane = 0;
7150 break;
7151
7152 default:
7153 abort();
7154 }
7155 return b1;
7156 }
7157
7158 /*
7159 * Filtering for MTP2 messages based on li value
7160 * FISU, length is null
7161 * LSSU, length is 1 or 2
7162 * MSU, length is 3 or more
7163 */
7164 struct block *
7165 gen_mtp2type_abbrev(type)
7166 int type;
7167 {
7168 struct block *b0, *b1;
7169
7170 switch (type) {
7171
7172 case M_FISU:
7173 if ( (linktype != DLT_MTP2) &&
7174 (linktype != DLT_MTP2_WITH_PHDR) )
7175 bpf_error("'fisu' supported only on MTP2");
7176 /* gen_ncmp(offrel, offset, size, mask, jtype, reverse, value) */
7177 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JEQ, 0, 0);
7178 break;
7179
7180 case M_LSSU:
7181 if ( (linktype != DLT_MTP2) &&
7182 (linktype != DLT_MTP2_WITH_PHDR) )
7183 bpf_error("'lssu' supported only on MTP2");
7184 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 1, 2);
7185 b1 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 0);
7186 gen_and(b1, b0);
7187 break;
7188
7189 case M_MSU:
7190 if ( (linktype != DLT_MTP2) &&
7191 (linktype != DLT_MTP2_WITH_PHDR) )
7192 bpf_error("'msu' supported only on MTP2");
7193 b0 = gen_ncmp(OR_PACKET, off_li, BPF_B, 0x3f, BPF_JGT, 0, 2);
7194 break;
7195
7196 default:
7197 abort();
7198 }
7199 return b0;
7200 }
7201
7202 struct block *
7203 gen_mtp3field_code(mtp3field, jvalue, jtype, reverse)
7204 int mtp3field;
7205 bpf_u_int32 jvalue;
7206 bpf_u_int32 jtype;
7207 int reverse;
7208 {
7209 struct block *b0;
7210 bpf_u_int32 val1 , val2 , val3;
7211
7212 switch (mtp3field) {
7213
7214 case M_SIO:
7215 if (off_sio == (u_int)-1)
7216 bpf_error("'sio' supported only on SS7");
7217 /* sio coded on 1 byte so max value 255 */
7218 if(jvalue > 255)
7219 bpf_error("sio value %u too big; max value = 255",
7220 jvalue);
7221 b0 = gen_ncmp(OR_PACKET, off_sio, BPF_B, 0xffffffff,
7222 (u_int)jtype, reverse, (u_int)jvalue);
7223 break;
7224
7225 case M_OPC:
7226 if (off_opc == (u_int)-1)
7227 bpf_error("'opc' supported only on SS7");
7228 /* opc coded on 14 bits so max value 16383 */
7229 if (jvalue > 16383)
7230 bpf_error("opc value %u too big; max value = 16383",
7231 jvalue);
7232 /* the following instructions are made to convert jvalue
7233 * to the form used to write opc in an ss7 message*/
7234 val1 = jvalue & 0x00003c00;
7235 val1 = val1 >>10;
7236 val2 = jvalue & 0x000003fc;
7237 val2 = val2 <<6;
7238 val3 = jvalue & 0x00000003;
7239 val3 = val3 <<22;
7240 jvalue = val1 + val2 + val3;
7241 b0 = gen_ncmp(OR_PACKET, off_opc, BPF_W, 0x00c0ff0f,
7242 (u_int)jtype, reverse, (u_int)jvalue);
7243 break;
7244
7245 case M_DPC:
7246 if (off_dpc == (u_int)-1)
7247 bpf_error("'dpc' supported only on SS7");
7248 /* dpc coded on 14 bits so max value 16383 */
7249 if (jvalue > 16383)
7250 bpf_error("dpc value %u too big; max value = 16383",
7251 jvalue);
7252 /* the following instructions are made to convert jvalue
7253 * to the forme used to write dpc in an ss7 message*/
7254 val1 = jvalue & 0x000000ff;
7255 val1 = val1 << 24;
7256 val2 = jvalue & 0x00003f00;
7257 val2 = val2 << 8;
7258 jvalue = val1 + val2;
7259 b0 = gen_ncmp(OR_PACKET, off_dpc, BPF_W, 0xff3f0000,
7260 (u_int)jtype, reverse, (u_int)jvalue);
7261 break;
7262
7263 case M_SLS:
7264 if (off_sls == (u_int)-1)
7265 bpf_error("'sls' supported only on SS7");
7266 /* sls coded on 4 bits so max value 15 */
7267 if (jvalue > 15)
7268 bpf_error("sls value %u too big; max value = 15",
7269 jvalue);
7270 /* the following instruction is made to convert jvalue
7271 * to the forme used to write sls in an ss7 message*/
7272 jvalue = jvalue << 4;
7273 b0 = gen_ncmp(OR_PACKET, off_sls, BPF_B, 0xf0,
7274 (u_int)jtype,reverse, (u_int)jvalue);
7275 break;
7276
7277 default:
7278 abort();
7279 }
7280 return b0;
7281 }
7282
7283 static struct block *
7284 gen_msg_abbrev(type)
7285 int type;
7286 {
7287 struct block *b1;
7288
7289 /*
7290 * Q.2931 signalling protocol messages for handling virtual circuits
7291 * establishment and teardown
7292 */
7293 switch (type) {
7294
7295 case A_SETUP:
7296 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
7297 break;
7298
7299 case A_CALLPROCEED:
7300 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
7301 break;
7302
7303 case A_CONNECT:
7304 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
7305 break;
7306
7307 case A_CONNECTACK:
7308 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
7309 break;
7310
7311 case A_RELEASE:
7312 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
7313 break;
7314
7315 case A_RELEASE_DONE:
7316 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
7317 break;
7318
7319 default:
7320 abort();
7321 }
7322 return b1;
7323 }
7324
7325 struct block *
7326 gen_atmmulti_abbrev(type)
7327 int type;
7328 {
7329 struct block *b0, *b1;
7330
7331 switch (type) {
7332
7333 case A_OAM:
7334 if (!is_atm)
7335 bpf_error("'oam' supported only on raw ATM");
7336 b1 = gen_atmmulti_abbrev(A_OAMF4);
7337 break;
7338
7339 case A_OAMF4:
7340 if (!is_atm)
7341 bpf_error("'oamf4' supported only on raw ATM");
7342 /* OAM F4 type */
7343 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
7344 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
7345 gen_or(b0, b1);
7346 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
7347 gen_and(b0, b1);
7348 break;
7349
7350 case A_CONNECTMSG:
7351 /*
7352 * Get Q.2931 signalling messages for switched
7353 * virtual connection
7354 */
7355 if (!is_atm)
7356 bpf_error("'connectmsg' supported only on raw ATM");
7357 b0 = gen_msg_abbrev(A_SETUP);
7358 b1 = gen_msg_abbrev(A_CALLPROCEED);
7359 gen_or(b0, b1);
7360 b0 = gen_msg_abbrev(A_CONNECT);
7361 gen_or(b0, b1);
7362 b0 = gen_msg_abbrev(A_CONNECTACK);
7363 gen_or(b0, b1);
7364 b0 = gen_msg_abbrev(A_RELEASE);
7365 gen_or(b0, b1);
7366 b0 = gen_msg_abbrev(A_RELEASE_DONE);
7367 gen_or(b0, b1);
7368 b0 = gen_atmtype_abbrev(A_SC);
7369 gen_and(b0, b1);
7370 break;
7371
7372 case A_METACONNECT:
7373 if (!is_atm)
7374 bpf_error("'metaconnect' supported only on raw ATM");
7375 b0 = gen_msg_abbrev(A_SETUP);
7376 b1 = gen_msg_abbrev(A_CALLPROCEED);
7377 gen_or(b0, b1);
7378 b0 = gen_msg_abbrev(A_CONNECT);
7379 gen_or(b0, b1);
7380 b0 = gen_msg_abbrev(A_RELEASE);
7381 gen_or(b0, b1);
7382 b0 = gen_msg_abbrev(A_RELEASE_DONE);
7383 gen_or(b0, b1);
7384 b0 = gen_atmtype_abbrev(A_METAC);
7385 gen_and(b0, b1);
7386 break;
7387
7388 default:
7389 abort();
7390 }
7391 return b1;
7392 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism