]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Add support for most filter operations for captures with the radiotap
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22 #ifndef lint
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.221.2.15 2005-05-01 19:33:11 guy Exp $ (LBL)";
25 #endif
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #ifdef WIN32
32 #include <pcap-stdinc.h>
33 #else /* WIN32 */
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #endif /* WIN32 */
37
38 /*
39 * XXX - why was this included even on UNIX?
40 */
41 #ifdef __MINGW32__
42 #include "IP6_misc.h"
43 #endif
44
45 #ifndef WIN32
46
47 #ifdef __NetBSD__
48 #include <sys/param.h>
49 #endif
50
51 #include <netinet/in.h>
52
53 #endif /* WIN32 */
54
55 #include <stdlib.h>
56 #include <string.h>
57 #include <memory.h>
58 #include <setjmp.h>
59 #include <stdarg.h>
60
61 #ifdef MSDOS
62 #include "pcap-dos.h"
63 #endif
64
65 #include "pcap-int.h"
66
67 #include "ethertype.h"
68 #include "nlpid.h"
69 #include "llc.h"
70 #include "gencode.h"
71 #include "atmuni31.h"
72 #include "sunatmpos.h"
73 #include "ppp.h"
74 #include "sll.h"
75 #include "arcnet.h"
76 #include "pf.h"
77 #ifndef offsetof
78 #define offsetof(s, e) ((size_t)&((s *)0)->e)
79 #endif
80 #ifdef INET6
81 #ifndef WIN32
82 #include <netdb.h> /* for "struct addrinfo" */
83 #endif /* WIN32 */
84 #endif /*INET6*/
85 #include <pcap-namedb.h>
86
87 #define ETHERMTU 1500
88
89 #ifndef IPPROTO_SCTP
90 #define IPPROTO_SCTP 132
91 #endif
92
93 #ifdef HAVE_OS_PROTO_H
94 #include "os-proto.h"
95 #endif
96
97 #define JMP(c) ((c)|BPF_JMP|BPF_K)
98
99 /* Locals */
100 static jmp_buf top_ctx;
101 static pcap_t *bpf_pcap;
102
103 /* Hack for updating VLAN, MPLS offsets. */
104 static u_int orig_linktype = -1U, orig_nl = -1U;
105
106 /* XXX */
107 #ifdef PCAP_FDDIPAD
108 static int pcap_fddipad;
109 #endif
110
111 /* VARARGS */
112 void
113 bpf_error(const char *fmt, ...)
114 {
115 va_list ap;
116
117 va_start(ap, fmt);
118 if (bpf_pcap != NULL)
119 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
120 fmt, ap);
121 va_end(ap);
122 longjmp(top_ctx, 1);
123 /* NOTREACHED */
124 }
125
126 static void init_linktype(pcap_t *);
127
128 static int alloc_reg(void);
129 static void free_reg(int);
130
131 static struct block *root;
132
133 /*
134 * Value passed to gen_load_a() to indicate what the offset argument
135 * is relative to.
136 */
137 enum e_offrel {
138 OR_LINK, /* relative to the link-layer header */
139 OR_NET, /* relative to the network-layer header */
140 OR_NET_NOSNAP, /* relative to the network-layer header, with no SNAP header at the link layer */
141 OR_TRAN_IPV4, /* relative to the transport-layer header, with IPv4 network layer */
142 OR_TRAN_IPV6 /* relative to the transport-layer header, with IPv6 network layer */
143 };
144
145 /*
146 * We divy out chunks of memory rather than call malloc each time so
147 * we don't have to worry about leaking memory. It's probably
148 * not a big deal if all this memory was wasted but if this ever
149 * goes into a library that would probably not be a good idea.
150 *
151 * XXX - this *is* in a library....
152 */
153 #define NCHUNKS 16
154 #define CHUNK0SIZE 1024
155 struct chunk {
156 u_int n_left;
157 void *m;
158 };
159
160 static struct chunk chunks[NCHUNKS];
161 static int cur_chunk;
162
163 static void *newchunk(u_int);
164 static void freechunks(void);
165 static inline struct block *new_block(int);
166 static inline struct slist *new_stmt(int);
167 static struct block *gen_retblk(int);
168 static inline void syntax(void);
169
170 static void backpatch(struct block *, struct block *);
171 static void merge(struct block *, struct block *);
172 static struct block *gen_cmp(enum e_offrel, u_int, u_int, bpf_int32);
173 static struct block *gen_cmp_gt(enum e_offrel, u_int, u_int, bpf_int32);
174 static struct block *gen_cmp_ge(enum e_offrel, u_int, u_int, bpf_int32);
175 static struct block *gen_cmp_lt(enum e_offrel, u_int, u_int, bpf_int32);
176 static struct block *gen_cmp_le(enum e_offrel, u_int, u_int, bpf_int32);
177 static struct block *gen_mcmp(enum e_offrel, u_int, u_int, bpf_int32,
178 bpf_u_int32);
179 static struct block *gen_bcmp(enum e_offrel, u_int, u_int, const u_char *);
180 static struct block *gen_ncmp(enum e_offrel, bpf_u_int32, bpf_u_int32,
181 bpf_u_int32, bpf_u_int32, int, bpf_int32);
182 static struct slist *gen_load_llrel(u_int, u_int);
183 static struct slist *gen_load_a(enum e_offrel, u_int, u_int);
184 static struct slist *gen_loadx_iphdrlen(void);
185 static struct block *gen_uncond(int);
186 static inline struct block *gen_true(void);
187 static inline struct block *gen_false(void);
188 static struct block *gen_ether_linktype(int);
189 static struct block *gen_linux_sll_linktype(int);
190 static void insert_radiotap_load_llprefixlen(struct block *);
191 static void insert_load_llprefixlen(struct block *);
192 static struct slist *gen_llprefixlen(void);
193 static struct block *gen_linktype(int);
194 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
195 static struct block *gen_llc_linktype(int);
196 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
197 #ifdef INET6
198 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
199 #endif
200 static struct block *gen_ahostop(const u_char *, int);
201 static struct block *gen_ehostop(const u_char *, int);
202 static struct block *gen_fhostop(const u_char *, int);
203 static struct block *gen_thostop(const u_char *, int);
204 static struct block *gen_wlanhostop(const u_char *, int);
205 static struct block *gen_ipfchostop(const u_char *, int);
206 static struct block *gen_dnhostop(bpf_u_int32, int);
207 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
208 #ifdef INET6
209 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
210 #endif
211 #ifndef INET6
212 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
213 #endif
214 static struct block *gen_ipfrag(void);
215 static struct block *gen_portatom(int, bpf_int32);
216 static struct block *gen_portrangeatom(int, bpf_int32, bpf_int32);
217 #ifdef INET6
218 static struct block *gen_portatom6(int, bpf_int32);
219 static struct block *gen_portrangeatom6(int, bpf_int32, bpf_int32);
220 #endif
221 struct block *gen_portop(int, int, int);
222 static struct block *gen_port(int, int, int);
223 struct block *gen_portrangeop(int, int, int, int);
224 static struct block *gen_portrange(int, int, int, int);
225 #ifdef INET6
226 struct block *gen_portop6(int, int, int);
227 static struct block *gen_port6(int, int, int);
228 struct block *gen_portrangeop6(int, int, int, int);
229 static struct block *gen_portrange6(int, int, int, int);
230 #endif
231 static int lookup_proto(const char *, int);
232 static struct block *gen_protochain(int, int, int);
233 static struct block *gen_proto(int, int, int);
234 static struct slist *xfer_to_x(struct arth *);
235 static struct slist *xfer_to_a(struct arth *);
236 static struct block *gen_mac_multicast(int);
237 static struct block *gen_len(int, int);
238
239 static struct block *gen_msg_abbrev(int type);
240
241 static void *
242 newchunk(n)
243 u_int n;
244 {
245 struct chunk *cp;
246 int k;
247 size_t size;
248
249 #ifndef __NetBSD__
250 /* XXX Round up to nearest long. */
251 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
252 #else
253 /* XXX Round up to structure boundary. */
254 n = ALIGN(n);
255 #endif
256
257 cp = &chunks[cur_chunk];
258 if (n > cp->n_left) {
259 ++cp, k = ++cur_chunk;
260 if (k >= NCHUNKS)
261 bpf_error("out of memory");
262 size = CHUNK0SIZE << k;
263 cp->m = (void *)malloc(size);
264 if (cp->m == NULL)
265 bpf_error("out of memory");
266 memset((char *)cp->m, 0, size);
267 cp->n_left = size;
268 if (n > size)
269 bpf_error("out of memory");
270 }
271 cp->n_left -= n;
272 return (void *)((char *)cp->m + cp->n_left);
273 }
274
275 static void
276 freechunks()
277 {
278 int i;
279
280 cur_chunk = 0;
281 for (i = 0; i < NCHUNKS; ++i)
282 if (chunks[i].m != NULL) {
283 free(chunks[i].m);
284 chunks[i].m = NULL;
285 }
286 }
287
288 /*
289 * A strdup whose allocations are freed after code generation is over.
290 */
291 char *
292 sdup(s)
293 register const char *s;
294 {
295 int n = strlen(s) + 1;
296 char *cp = newchunk(n);
297
298 strlcpy(cp, s, n);
299 return (cp);
300 }
301
302 static inline struct block *
303 new_block(code)
304 int code;
305 {
306 struct block *p;
307
308 p = (struct block *)newchunk(sizeof(*p));
309 p->s.code = code;
310 p->head = p;
311
312 return p;
313 }
314
315 static inline struct slist *
316 new_stmt(code)
317 int code;
318 {
319 struct slist *p;
320
321 p = (struct slist *)newchunk(sizeof(*p));
322 p->s.code = code;
323
324 return p;
325 }
326
327 static struct block *
328 gen_retblk(v)
329 int v;
330 {
331 struct block *b = new_block(BPF_RET|BPF_K);
332
333 b->s.k = v;
334 return b;
335 }
336
337 static inline void
338 syntax()
339 {
340 bpf_error("syntax error in filter expression");
341 }
342
343 static bpf_u_int32 netmask;
344 static int snaplen;
345 int no_optimize;
346
347 int
348 pcap_compile(pcap_t *p, struct bpf_program *program,
349 char *buf, int optimize, bpf_u_int32 mask)
350 {
351 extern int n_errors;
352 int len;
353
354 no_optimize = 0;
355 n_errors = 0;
356 root = NULL;
357 bpf_pcap = p;
358 if (setjmp(top_ctx)) {
359 lex_cleanup();
360 freechunks();
361 return (-1);
362 }
363
364 netmask = mask;
365
366 snaplen = pcap_snapshot(p);
367 if (snaplen == 0) {
368 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
369 "snaplen of 0 rejects all packets");
370 return -1;
371 }
372
373 lex_init(buf ? buf : "");
374 init_linktype(p);
375 (void)pcap_parse();
376
377 if (n_errors)
378 syntax();
379
380 if (root == NULL)
381 root = gen_retblk(snaplen);
382
383 if (optimize && !no_optimize) {
384 bpf_optimize(&root);
385 if (root == NULL ||
386 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
387 bpf_error("expression rejects all packets");
388 }
389 program->bf_insns = icode_to_fcode(root, &len);
390 program->bf_len = len;
391
392 lex_cleanup();
393 freechunks();
394 return (0);
395 }
396
397 /*
398 * entry point for using the compiler with no pcap open
399 * pass in all the stuff that is needed explicitly instead.
400 */
401 int
402 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
403 struct bpf_program *program,
404 char *buf, int optimize, bpf_u_int32 mask)
405 {
406 pcap_t *p;
407 int ret;
408
409 p = pcap_open_dead(linktype_arg, snaplen_arg);
410 if (p == NULL)
411 return (-1);
412 ret = pcap_compile(p, program, buf, optimize, mask);
413 pcap_close(p);
414 return (ret);
415 }
416
417 /*
418 * Clean up a "struct bpf_program" by freeing all the memory allocated
419 * in it.
420 */
421 void
422 pcap_freecode(struct bpf_program *program)
423 {
424 program->bf_len = 0;
425 if (program->bf_insns != NULL) {
426 free((char *)program->bf_insns);
427 program->bf_insns = NULL;
428 }
429 }
430
431 /*
432 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
433 * which of the jt and jf fields has been resolved and which is a pointer
434 * back to another unresolved block (or nil). At least one of the fields
435 * in each block is already resolved.
436 */
437 static void
438 backpatch(list, target)
439 struct block *list, *target;
440 {
441 struct block *next;
442
443 while (list) {
444 if (!list->sense) {
445 next = JT(list);
446 JT(list) = target;
447 } else {
448 next = JF(list);
449 JF(list) = target;
450 }
451 list = next;
452 }
453 }
454
455 /*
456 * Merge the lists in b0 and b1, using the 'sense' field to indicate
457 * which of jt and jf is the link.
458 */
459 static void
460 merge(b0, b1)
461 struct block *b0, *b1;
462 {
463 register struct block **p = &b0;
464
465 /* Find end of list. */
466 while (*p)
467 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
468
469 /* Concatenate the lists. */
470 *p = b1;
471 }
472
473 void
474 finish_parse(p)
475 struct block *p;
476 {
477 backpatch(p, gen_retblk(snaplen));
478 p->sense = !p->sense;
479 backpatch(p, gen_retblk(0));
480 root = p->head;
481
482 /*
483 * Insert before the statements of the first (root) block any
484 * statements needed to load the lengths of any variable-length
485 * headers into registers.
486 *
487 * XXX - a fancier strategy would be to insert those before the
488 * statements of all blocks that use those lengths and that
489 * have no predecessors that use them, so that we only compute
490 * the lengths if we need them. There might be even better
491 * approaches than that. However, as we're currently only
492 * handling variable-length radiotap headers, and as all
493 * filtering expressions other than raw link[M:N] tests
494 * require the length of that header, doing more for that
495 * header length isn't really worth the effort.
496 */
497 insert_load_llprefixlen(root);
498 }
499
500 void
501 gen_and(b0, b1)
502 struct block *b0, *b1;
503 {
504 backpatch(b0, b1->head);
505 b0->sense = !b0->sense;
506 b1->sense = !b1->sense;
507 merge(b1, b0);
508 b1->sense = !b1->sense;
509 b1->head = b0->head;
510 }
511
512 void
513 gen_or(b0, b1)
514 struct block *b0, *b1;
515 {
516 b0->sense = !b0->sense;
517 backpatch(b0, b1->head);
518 b0->sense = !b0->sense;
519 merge(b1, b0);
520 b1->head = b0->head;
521 }
522
523 void
524 gen_not(b)
525 struct block *b;
526 {
527 b->sense = !b->sense;
528 }
529
530 static struct block *
531 gen_cmp(offrel, offset, size, v)
532 enum e_offrel offrel;
533 u_int offset, size;
534 bpf_int32 v;
535 {
536 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
537 }
538
539 static struct block *
540 gen_cmp_gt(offrel, offset, size, v)
541 enum e_offrel offrel;
542 u_int offset, size;
543 bpf_int32 v;
544 {
545 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
546 }
547
548 static struct block *
549 gen_cmp_ge(offrel, offset, size, v)
550 enum e_offrel offrel;
551 u_int offset, size;
552 bpf_int32 v;
553 {
554 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
555 }
556
557 static struct block *
558 gen_cmp_lt(offrel, offset, size, v)
559 enum e_offrel offrel;
560 u_int offset, size;
561 bpf_int32 v;
562 {
563 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
564 }
565
566 static struct block *
567 gen_cmp_le(offrel, offset, size, v)
568 enum e_offrel offrel;
569 u_int offset, size;
570 bpf_int32 v;
571 {
572 return gen_ncmp(offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
573 }
574
575 static struct block *
576 gen_mcmp(offrel, offset, size, v, mask)
577 enum e_offrel offrel;
578 u_int offset, size;
579 bpf_int32 v;
580 bpf_u_int32 mask;
581 {
582 return gen_ncmp(offrel, offset, size, mask, BPF_JEQ, 0, v);
583 }
584
585 static struct block *
586 gen_bcmp(offrel, offset, size, v)
587 enum e_offrel offrel;
588 register u_int offset, size;
589 register const u_char *v;
590 {
591 register struct block *b, *tmp;
592
593 b = NULL;
594 while (size >= 4) {
595 register const u_char *p = &v[size - 4];
596 bpf_int32 w = ((bpf_int32)p[0] << 24) |
597 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
598
599 tmp = gen_cmp(offrel, offset + size - 4, BPF_W, w);
600 if (b != NULL)
601 gen_and(b, tmp);
602 b = tmp;
603 size -= 4;
604 }
605 while (size >= 2) {
606 register const u_char *p = &v[size - 2];
607 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
608
609 tmp = gen_cmp(offrel, offset + size - 2, BPF_H, w);
610 if (b != NULL)
611 gen_and(b, tmp);
612 b = tmp;
613 size -= 2;
614 }
615 if (size > 0) {
616 tmp = gen_cmp(offrel, offset, BPF_B, (bpf_int32)v[0]);
617 if (b != NULL)
618 gen_and(b, tmp);
619 b = tmp;
620 }
621 return b;
622 }
623
624 /*
625 * AND the field of size "size" at offset "offset" relative to the header
626 * specified by "offrel" with "mask", and compare it with the value "v"
627 * with the test specified by "jtype"; if "reverse" is true, the test
628 * should test the opposite of "jtype".
629 */
630 static struct block *
631 gen_ncmp(offrel, offset, size, mask, jtype, reverse, v)
632 enum e_offrel offrel;
633 bpf_int32 v;
634 bpf_u_int32 offset, size, mask, jtype;
635 int reverse;
636 {
637 struct slist *s, *s2;
638 struct block *b;
639
640 s = gen_load_a(offrel, offset, size);
641
642 if (mask != 0xffffffff) {
643 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
644 s2->s.k = mask;
645 sappend(s, s2);
646 }
647
648 b = new_block(JMP(jtype));
649 b->stmts = s;
650 b->s.k = v;
651 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
652 gen_not(b);
653 return b;
654 }
655
656 /*
657 * Various code constructs need to know the layout of the data link
658 * layer. These variables give the necessary offsets from the beginning
659 * of the packet data.
660 *
661 * If the link layer has variable_length headers, the offsets are offsets
662 * from the end of the link-link-layer header, and "reg_ll_size" is
663 * the register number for a register containing the length of the
664 * link-layer header. Otherwise, "reg_ll_size" is -1.
665 */
666 static int reg_ll_size;
667
668 /*
669 * This is the offset of the beginning of the MAC-layer header.
670 * It's usually 0, except for ATM LANE.
671 */
672 static u_int off_mac;
673
674 /*
675 * "off_linktype" is the offset to information in the link-layer header
676 * giving the packet type.
677 *
678 * For Ethernet, it's the offset of the Ethernet type field.
679 *
680 * For link-layer types that always use 802.2 headers, it's the
681 * offset of the LLC header.
682 *
683 * For PPP, it's the offset of the PPP type field.
684 *
685 * For Cisco HDLC, it's the offset of the CHDLC type field.
686 *
687 * For BSD loopback, it's the offset of the AF_ value.
688 *
689 * For Linux cooked sockets, it's the offset of the type field.
690 *
691 * It's set to -1 for no encapsulation, in which case, IP is assumed.
692 */
693 static u_int off_linktype;
694
695 /*
696 * TRUE if the link layer includes an ATM pseudo-header.
697 */
698 static int is_atm = 0;
699
700 /*
701 * TRUE if "lane" appeared in the filter; it causes us to generate
702 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
703 */
704 static int is_lane = 0;
705
706 /*
707 * These are offsets for the ATM pseudo-header.
708 */
709 static u_int off_vpi;
710 static u_int off_vci;
711 static u_int off_proto;
712
713 /*
714 * This is the offset of the first byte after the ATM pseudo_header,
715 * or -1 if there is no ATM pseudo-header.
716 */
717 static u_int off_payload;
718
719 /*
720 * These are offsets to the beginning of the network-layer header.
721 *
722 * If the link layer never uses 802.2 LLC:
723 *
724 * "off_nl" and "off_nl_nosnap" are the same.
725 *
726 * If the link layer always uses 802.2 LLC:
727 *
728 * "off_nl" is the offset if there's a SNAP header following
729 * the 802.2 header;
730 *
731 * "off_nl_nosnap" is the offset if there's no SNAP header.
732 *
733 * If the link layer is Ethernet:
734 *
735 * "off_nl" is the offset if the packet is an Ethernet II packet
736 * (we assume no 802.3+802.2+SNAP);
737 *
738 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
739 * with an 802.2 header following it.
740 */
741 static u_int off_nl;
742 static u_int off_nl_nosnap;
743
744 static int linktype;
745
746 static void
747 init_linktype(p)
748 pcap_t *p;
749 {
750 linktype = pcap_datalink(p);
751 #ifdef PCAP_FDDIPAD
752 pcap_fddipad = p->fddipad;
753 #endif
754
755 /*
756 * Assume it's not raw ATM with a pseudo-header, for now.
757 */
758 off_mac = 0;
759 is_atm = 0;
760 is_lane = 0;
761 off_vpi = -1;
762 off_vci = -1;
763 off_proto = -1;
764 off_payload = -1;
765
766 orig_linktype = -1;
767 orig_nl = -1;
768
769 reg_ll_size = -1;
770
771 switch (linktype) {
772
773 case DLT_ARCNET:
774 off_linktype = 2;
775 off_nl = 6; /* XXX in reality, variable! */
776 off_nl_nosnap = 6; /* no 802.2 LLC */
777 return;
778
779 case DLT_ARCNET_LINUX:
780 off_linktype = 4;
781 off_nl = 8; /* XXX in reality, variable! */
782 off_nl_nosnap = 8; /* no 802.2 LLC */
783 return;
784
785 case DLT_EN10MB:
786 off_linktype = 12;
787 off_nl = 14; /* Ethernet II */
788 off_nl_nosnap = 17; /* 802.3+802.2 */
789 return;
790
791 case DLT_SLIP:
792 /*
793 * SLIP doesn't have a link level type. The 16 byte
794 * header is hacked into our SLIP driver.
795 */
796 off_linktype = -1;
797 off_nl = 16;
798 off_nl_nosnap = 16; /* no 802.2 LLC */
799 return;
800
801 case DLT_SLIP_BSDOS:
802 /* XXX this may be the same as the DLT_PPP_BSDOS case */
803 off_linktype = -1;
804 /* XXX end */
805 off_nl = 24;
806 off_nl_nosnap = 24; /* no 802.2 LLC */
807 return;
808
809 case DLT_NULL:
810 case DLT_LOOP:
811 off_linktype = 0;
812 off_nl = 4;
813 off_nl_nosnap = 4; /* no 802.2 LLC */
814 return;
815
816 case DLT_ENC:
817 off_linktype = 0;
818 off_nl = 12;
819 off_nl_nosnap = 12; /* no 802.2 LLC */
820 return;
821
822 case DLT_PPP:
823 case DLT_PPP_PPPD:
824 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
825 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
826 off_linktype = 2;
827 off_nl = 4;
828 off_nl_nosnap = 4; /* no 802.2 LLC */
829 return;
830
831 case DLT_PPP_ETHER:
832 /*
833 * This does no include the Ethernet header, and
834 * only covers session state.
835 */
836 off_linktype = 6;
837 off_nl = 8;
838 off_nl_nosnap = 8; /* no 802.2 LLC */
839 return;
840
841 case DLT_PPP_BSDOS:
842 off_linktype = 5;
843 off_nl = 24;
844 off_nl_nosnap = 24; /* no 802.2 LLC */
845 return;
846
847 case DLT_FDDI:
848 /*
849 * FDDI doesn't really have a link-level type field.
850 * We set "off_linktype" to the offset of the LLC header.
851 *
852 * To check for Ethernet types, we assume that SSAP = SNAP
853 * is being used and pick out the encapsulated Ethernet type.
854 * XXX - should we generate code to check for SNAP?
855 */
856 off_linktype = 13;
857 #ifdef PCAP_FDDIPAD
858 off_linktype += pcap_fddipad;
859 #endif
860 off_nl = 21; /* FDDI+802.2+SNAP */
861 off_nl_nosnap = 16; /* FDDI+802.2 */
862 #ifdef PCAP_FDDIPAD
863 off_nl += pcap_fddipad;
864 off_nl_nosnap += pcap_fddipad;
865 #endif
866 return;
867
868 case DLT_IEEE802:
869 /*
870 * Token Ring doesn't really have a link-level type field.
871 * We set "off_linktype" to the offset of the LLC header.
872 *
873 * To check for Ethernet types, we assume that SSAP = SNAP
874 * is being used and pick out the encapsulated Ethernet type.
875 * XXX - should we generate code to check for SNAP?
876 *
877 * XXX - the header is actually variable-length.
878 * Some various Linux patched versions gave 38
879 * as "off_linktype" and 40 as "off_nl"; however,
880 * if a token ring packet has *no* routing
881 * information, i.e. is not source-routed, the correct
882 * values are 20 and 22, as they are in the vanilla code.
883 *
884 * A packet is source-routed iff the uppermost bit
885 * of the first byte of the source address, at an
886 * offset of 8, has the uppermost bit set. If the
887 * packet is source-routed, the total number of bytes
888 * of routing information is 2 plus bits 0x1F00 of
889 * the 16-bit value at an offset of 14 (shifted right
890 * 8 - figure out which byte that is).
891 */
892 off_linktype = 14;
893 off_nl = 22; /* Token Ring+802.2+SNAP */
894 off_nl_nosnap = 17; /* Token Ring+802.2 */
895 return;
896
897 case DLT_IEEE802_11:
898 /*
899 * 802.11 doesn't really have a link-level type field.
900 * We set "off_linktype" to the offset of the LLC header.
901 *
902 * To check for Ethernet types, we assume that SSAP = SNAP
903 * is being used and pick out the encapsulated Ethernet type.
904 * XXX - should we generate code to check for SNAP?
905 *
906 * XXX - the header is actually variable-length. We
907 * assume a 24-byte link-layer header, as appears in
908 * data frames in networks with no bridges. If the
909 * fromds and tods 802.11 header bits are both set,
910 * it's actually supposed to be 30 bytes.
911 */
912 off_linktype = 24;
913 off_nl = 32; /* 802.11+802.2+SNAP */
914 off_nl_nosnap = 27; /* 802.11+802.2 */
915 return;
916
917 case DLT_PRISM_HEADER:
918 /*
919 * Same as 802.11, but with an additional header before
920 * the 802.11 header, containing a bunch of additional
921 * information including radio-level information.
922 *
923 * The header is 144 bytes long.
924 *
925 * XXX - same variable-length header problem; at least
926 * the Prism header is fixed-length.
927 */
928 off_linktype = 144+24;
929 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */
930 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
931 return;
932
933 case DLT_IEEE802_11_RADIO_AVS:
934 /*
935 * Same as 802.11, but with an additional header before
936 * the 802.11 header, containing a bunch of additional
937 * information including radio-level information.
938 *
939 * The header is 64 bytes long, at least in its
940 * current incarnation.
941 *
942 * XXX - same variable-length header problem, only
943 * more so; this header is also variable-length,
944 * with the length being the 32-bit big-endian
945 * number at an offset of 4 from the beginning
946 * of the radio header.
947 */
948 off_linktype = 64+24;
949 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */
950 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */
951 return;
952
953 case DLT_IEEE802_11_RADIO:
954 /*
955 * Same as 802.11, but with an additional header before
956 * the 802.11 header, containing a bunch of additional
957 * information including radio-level information.
958 *
959 * The radiotap header is variable length, and we
960 * generate code to compute its length and store it
961 * in a register. These offsets are relative to the
962 * beginning of the 802.11 header.
963 */
964 off_linktype = 24;
965 off_nl = 32; /* 802.11+802.2+SNAP */
966 off_nl_nosnap = 27; /* 802.11+802.2 */
967 return;
968
969 case DLT_ATM_RFC1483:
970 case DLT_ATM_CLIP: /* Linux ATM defines this */
971 /*
972 * assume routed, non-ISO PDUs
973 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
974 */
975 off_linktype = 0;
976 off_nl = 8; /* 802.2+SNAP */
977 off_nl_nosnap = 3; /* 802.2 */
978 return;
979
980 case DLT_SUNATM:
981 /*
982 * Full Frontal ATM; you get AALn PDUs with an ATM
983 * pseudo-header.
984 */
985 is_atm = 1;
986 off_vpi = SUNATM_VPI_POS;
987 off_vci = SUNATM_VCI_POS;
988 off_proto = PROTO_POS;
989 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
990 off_payload = SUNATM_PKT_BEGIN_POS;
991 off_linktype = off_payload;
992 off_nl = off_payload+8; /* 802.2+SNAP */
993 off_nl_nosnap = off_payload+3; /* 802.2 */
994 return;
995
996 case DLT_RAW:
997 off_linktype = -1;
998 off_nl = 0;
999 off_nl_nosnap = 0; /* no 802.2 LLC */
1000 return;
1001
1002 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
1003 off_linktype = 14;
1004 off_nl = 16;
1005 off_nl_nosnap = 16; /* no 802.2 LLC */
1006 return;
1007
1008 case DLT_LTALK:
1009 /*
1010 * LocalTalk does have a 1-byte type field in the LLAP header,
1011 * but really it just indicates whether there is a "short" or
1012 * "long" DDP packet following.
1013 */
1014 off_linktype = -1;
1015 off_nl = 0;
1016 off_nl_nosnap = 0; /* no 802.2 LLC */
1017 return;
1018
1019 case DLT_IP_OVER_FC:
1020 /*
1021 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1022 * link-level type field. We set "off_linktype" to the
1023 * offset of the LLC header.
1024 *
1025 * To check for Ethernet types, we assume that SSAP = SNAP
1026 * is being used and pick out the encapsulated Ethernet type.
1027 * XXX - should we generate code to check for SNAP? RFC
1028 * 2625 says SNAP should be used.
1029 */
1030 off_linktype = 16;
1031 off_nl = 24; /* IPFC+802.2+SNAP */
1032 off_nl_nosnap = 19; /* IPFC+802.2 */
1033 return;
1034
1035 case DLT_FRELAY:
1036 /*
1037 * XXX - we should set this to handle SNAP-encapsulated
1038 * frames (NLPID of 0x80).
1039 */
1040 off_linktype = -1;
1041 off_nl = 0;
1042 off_nl_nosnap = 0; /* no 802.2 LLC */
1043 return;
1044
1045 case DLT_APPLE_IP_OVER_IEEE1394:
1046 off_linktype = 16;
1047 off_nl = 18;
1048 off_nl_nosnap = 18; /* no 802.2 LLC */
1049 return;
1050
1051 case DLT_LINUX_IRDA:
1052 /*
1053 * Currently, only raw "link[N:M]" filtering is supported.
1054 */
1055 off_linktype = -1;
1056 off_nl = -1;
1057 off_nl_nosnap = -1;
1058 return;
1059
1060 case DLT_DOCSIS:
1061 /*
1062 * Currently, only raw "link[N:M]" filtering is supported.
1063 */
1064 off_linktype = -1;
1065 off_nl = -1;
1066 off_nl_nosnap = -1;
1067 return;
1068
1069 case DLT_SYMANTEC_FIREWALL:
1070 off_linktype = 6;
1071 off_nl = 44; /* Ethernet II */
1072 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
1073 return;
1074
1075 case DLT_PFLOG:
1076 off_linktype = 0;
1077 /* XXX read this from pf.h? */
1078 off_nl = PFLOG_HDRLEN;
1079 off_nl_nosnap = PFLOG_HDRLEN; /* no 802.2 LLC */
1080 return;
1081
1082 case DLT_JUNIPER_MLFR:
1083 case DLT_JUNIPER_MLPPP:
1084 off_linktype = 4;
1085 off_nl = 4;
1086 off_nl_nosnap = -1; /* no 802.2 LLC */
1087 return;
1088
1089 case DLT_JUNIPER_ATM1:
1090 off_linktype = 4; /* in reality variable between 4-8 */
1091 off_nl = 4;
1092 off_nl_nosnap = 14;
1093 return;
1094
1095 case DLT_JUNIPER_ATM2:
1096 off_linktype = 8; /* in reality variable between 8-12 */
1097 off_nl = 8;
1098 off_nl_nosnap = 18;
1099 return;
1100
1101 #ifdef DLT_PFSYNC
1102 case DLT_PFSYNC:
1103 off_linktype = -1;
1104 off_nl = 4;
1105 off_nl_nosnap = 4;
1106 return;
1107 #endif
1108
1109 case DLT_LINUX_LAPD:
1110 /*
1111 * Currently, only raw "link[N:M]" filtering is supported.
1112 */
1113 off_linktype = -1;
1114 off_nl = -1;
1115 off_nl_nosnap = -1;
1116 return;
1117 }
1118 bpf_error("unknown data link type %d", linktype);
1119 /* NOTREACHED */
1120 }
1121
1122 /*
1123 * Load a value relative to the beginning of the link-layer header.
1124 * The link-layer header doesn't necessarily begin at the beginning
1125 * of the packet data; there might be a variable-length prefix containing
1126 * radio information.
1127 */
1128 static struct slist *
1129 gen_load_llrel(offset, size)
1130 u_int offset, size;
1131 {
1132 struct slist *s, *s2;
1133
1134 s = gen_llprefixlen();
1135
1136 /*
1137 * If "s" is non-null, it has code to arrange that the X register
1138 * contains the length of the prefix preceding the link-layer
1139 * header.
1140 */
1141 if (s != NULL) {
1142 s2 = new_stmt(BPF_LD|BPF_IND|size);
1143 s2->s.k = offset;
1144 sappend(s, s2);
1145 } else {
1146 s = new_stmt(BPF_LD|BPF_ABS|size);
1147 s->s.k = offset;
1148 }
1149 return s;
1150 }
1151
1152 /*
1153 * Load a value relative to the beginning of the specified header.
1154 */
1155 static struct slist *
1156 gen_load_a(offrel, offset, size)
1157 enum e_offrel offrel;
1158 u_int offset, size;
1159 {
1160 struct slist *s, *s2;
1161
1162 switch (offrel) {
1163
1164 case OR_LINK:
1165 s = gen_load_llrel(offset, size);
1166 break;
1167
1168 case OR_NET:
1169 s = gen_load_llrel(off_nl + offset, size);
1170 break;
1171
1172 case OR_NET_NOSNAP:
1173 s = gen_load_llrel(off_nl_nosnap + offset, size);
1174 break;
1175
1176 case OR_TRAN_IPV4:
1177 /*
1178 * Load the X register with the length of the IPv4 header,
1179 * in bytes.
1180 */
1181 s = gen_loadx_iphdrlen();
1182
1183 /*
1184 * Load the item at {length of the link-layer header} +
1185 * {length of the IPv4 header} + {specified offset}.
1186 */
1187 s2 = new_stmt(BPF_LD|BPF_IND|size);
1188 s2->s.k = off_nl + offset;
1189 sappend(s, s2);
1190 break;
1191
1192 case OR_TRAN_IPV6:
1193 s = gen_load_llrel(off_nl + 40 + offset, size);
1194 break;
1195
1196 default:
1197 abort();
1198 return NULL;
1199 }
1200 return s;
1201 }
1202
1203 /*
1204 * Generate code to load into the X register the sum of the length of
1205 * the IPv4 header and any variable-length header preceding the link-layer
1206 * header.
1207 */
1208 static struct slist *
1209 gen_loadx_iphdrlen()
1210 {
1211 struct slist *s, *s2;
1212
1213 s = gen_llprefixlen();
1214 if (s != NULL) {
1215 /*
1216 * There's a variable-length prefix preceding the
1217 * link-layer header. "s" points to a list of statements
1218 * that put the length of that prefix into the X register.
1219 * The 4*([k]&0xf) addressing mode can't be used, as we
1220 * don't have a constant offset, so we have to load the
1221 * value in question into the A register and add to it
1222 * the value from the X register.
1223 */
1224 s2 = new_stmt(BPF_LD|BPF_IND|BPF_B);
1225 s2->s.k = off_nl;
1226 sappend(s, s2);
1227 s2 = new_stmt(BPF_ALU|BPF_AND|BPF_K);
1228 s2->s.k = 0xf;
1229 sappend(s, s2);
1230 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1231 s2->s.k = 2;
1232 sappend(s, s2);
1233
1234 /*
1235 * The A register now contains the length of the
1236 * IP header. We need to add to it the length
1237 * of the prefix preceding the link-layer
1238 * header, which is still in the X register, and
1239 * move the result into the X register.
1240 */
1241 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
1242 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
1243 } else {
1244 /*
1245 * There is no variable-length header preceding the
1246 * link-layer header; if there's a fixed-length
1247 * header preceding it, its length is included in
1248 * the off_ variables, so it doesn't need to be added.
1249 */
1250 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
1251 s->s.k = off_nl;
1252 }
1253 return s;
1254 }
1255
1256 static struct block *
1257 gen_uncond(rsense)
1258 int rsense;
1259 {
1260 struct block *b;
1261 struct slist *s;
1262
1263 s = new_stmt(BPF_LD|BPF_IMM);
1264 s->s.k = !rsense;
1265 b = new_block(JMP(BPF_JEQ));
1266 b->stmts = s;
1267
1268 return b;
1269 }
1270
1271 static inline struct block *
1272 gen_true()
1273 {
1274 return gen_uncond(1);
1275 }
1276
1277 static inline struct block *
1278 gen_false()
1279 {
1280 return gen_uncond(0);
1281 }
1282
1283 /*
1284 * Byte-swap a 32-bit number.
1285 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1286 * big-endian platforms.)
1287 */
1288 #define SWAPLONG(y) \
1289 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1290
1291 /*
1292 * Generate code to match a particular packet type.
1293 *
1294 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1295 * value, if <= ETHERMTU. We use that to determine whether to
1296 * match the type/length field or to check the type/length field for
1297 * a value <= ETHERMTU to see whether it's a type field and then do
1298 * the appropriate test.
1299 */
1300 static struct block *
1301 gen_ether_linktype(proto)
1302 register int proto;
1303 {
1304 struct block *b0, *b1;
1305
1306 switch (proto) {
1307
1308 case LLCSAP_ISONS:
1309 case LLCSAP_IP:
1310 case LLCSAP_NETBEUI:
1311 /*
1312 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1313 * so we check the DSAP and SSAP.
1314 *
1315 * LLCSAP_IP checks for IP-over-802.2, rather
1316 * than IP-over-Ethernet or IP-over-SNAP.
1317 *
1318 * XXX - should we check both the DSAP and the
1319 * SSAP, like this, or should we check just the
1320 * DSAP, as we do for other types <= ETHERMTU
1321 * (i.e., other SAP values)?
1322 */
1323 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1324 gen_not(b0);
1325 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1326 ((proto << 8) | proto));
1327 gen_and(b0, b1);
1328 return b1;
1329
1330 case LLCSAP_IPX:
1331 /*
1332 * Check for;
1333 *
1334 * Ethernet_II frames, which are Ethernet
1335 * frames with a frame type of ETHERTYPE_IPX;
1336 *
1337 * Ethernet_802.3 frames, which are 802.3
1338 * frames (i.e., the type/length field is
1339 * a length field, <= ETHERMTU, rather than
1340 * a type field) with the first two bytes
1341 * after the Ethernet/802.3 header being
1342 * 0xFFFF;
1343 *
1344 * Ethernet_802.2 frames, which are 802.3
1345 * frames with an 802.2 LLC header and
1346 * with the IPX LSAP as the DSAP in the LLC
1347 * header;
1348 *
1349 * Ethernet_SNAP frames, which are 802.3
1350 * frames with an LLC header and a SNAP
1351 * header and with an OUI of 0x000000
1352 * (encapsulated Ethernet) and a protocol
1353 * ID of ETHERTYPE_IPX in the SNAP header.
1354 *
1355 * XXX - should we generate the same code both
1356 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1357 */
1358
1359 /*
1360 * This generates code to check both for the
1361 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1362 */
1363 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1364 (bpf_int32)LLCSAP_IPX);
1365 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H,
1366 (bpf_int32)0xFFFF);
1367 gen_or(b0, b1);
1368
1369 /*
1370 * Now we add code to check for SNAP frames with
1371 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1372 */
1373 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1374 gen_or(b0, b1);
1375
1376 /*
1377 * Now we generate code to check for 802.3
1378 * frames in general.
1379 */
1380 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1381 gen_not(b0);
1382
1383 /*
1384 * Now add the check for 802.3 frames before the
1385 * check for Ethernet_802.2 and Ethernet_802.3,
1386 * as those checks should only be done on 802.3
1387 * frames, not on Ethernet frames.
1388 */
1389 gen_and(b0, b1);
1390
1391 /*
1392 * Now add the check for Ethernet_II frames, and
1393 * do that before checking for the other frame
1394 * types.
1395 */
1396 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1397 (bpf_int32)ETHERTYPE_IPX);
1398 gen_or(b0, b1);
1399 return b1;
1400
1401 case ETHERTYPE_ATALK:
1402 case ETHERTYPE_AARP:
1403 /*
1404 * EtherTalk (AppleTalk protocols on Ethernet link
1405 * layer) may use 802.2 encapsulation.
1406 */
1407
1408 /*
1409 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1410 * we check for an Ethernet type field less than
1411 * 1500, which means it's an 802.3 length field.
1412 */
1413 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1414 gen_not(b0);
1415
1416 /*
1417 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1418 * SNAP packets with an organization code of
1419 * 0x080007 (Apple, for Appletalk) and a protocol
1420 * type of ETHERTYPE_ATALK (Appletalk).
1421 *
1422 * 802.2-encapsulated ETHERTYPE_AARP packets are
1423 * SNAP packets with an organization code of
1424 * 0x000000 (encapsulated Ethernet) and a protocol
1425 * type of ETHERTYPE_AARP (Appletalk ARP).
1426 */
1427 if (proto == ETHERTYPE_ATALK)
1428 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1429 else /* proto == ETHERTYPE_AARP */
1430 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1431 gen_and(b0, b1);
1432
1433 /*
1434 * Check for Ethernet encapsulation (Ethertalk
1435 * phase 1?); we just check for the Ethernet
1436 * protocol type.
1437 */
1438 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1439
1440 gen_or(b0, b1);
1441 return b1;
1442
1443 default:
1444 if (proto <= ETHERMTU) {
1445 /*
1446 * This is an LLC SAP value, so the frames
1447 * that match would be 802.2 frames.
1448 * Check that the frame is an 802.2 frame
1449 * (i.e., that the length/type field is
1450 * a length field, <= ETHERMTU) and
1451 * then check the DSAP.
1452 */
1453 b0 = gen_cmp_gt(OR_LINK, off_linktype, BPF_H, ETHERMTU);
1454 gen_not(b0);
1455 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1456 (bpf_int32)proto);
1457 gen_and(b0, b1);
1458 return b1;
1459 } else {
1460 /*
1461 * This is an Ethernet type, so compare
1462 * the length/type field with it (if
1463 * the frame is an 802.2 frame, the length
1464 * field will be <= ETHERMTU, and, as
1465 * "proto" is > ETHERMTU, this test
1466 * will fail and the frame won't match,
1467 * which is what we want).
1468 */
1469 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1470 (bpf_int32)proto);
1471 }
1472 }
1473 }
1474
1475 /*
1476 * Generate code to match a particular packet type.
1477 *
1478 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1479 * value, if <= ETHERMTU. We use that to determine whether to
1480 * match the type field or to check the type field for the special
1481 * LINUX_SLL_P_802_2 value and then do the appropriate test.
1482 */
1483 static struct block *
1484 gen_linux_sll_linktype(proto)
1485 register int proto;
1486 {
1487 struct block *b0, *b1;
1488
1489 switch (proto) {
1490
1491 case LLCSAP_ISONS:
1492 case LLCSAP_IP:
1493 case LLCSAP_NETBEUI:
1494 /*
1495 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1496 * so we check the DSAP and SSAP.
1497 *
1498 * LLCSAP_IP checks for IP-over-802.2, rather
1499 * than IP-over-Ethernet or IP-over-SNAP.
1500 *
1501 * XXX - should we check both the DSAP and the
1502 * SSAP, like this, or should we check just the
1503 * DSAP, as we do for other types <= ETHERMTU
1504 * (i.e., other SAP values)?
1505 */
1506 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1507 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_H, (bpf_int32)
1508 ((proto << 8) | proto));
1509 gen_and(b0, b1);
1510 return b1;
1511
1512 case LLCSAP_IPX:
1513 /*
1514 * Ethernet_II frames, which are Ethernet
1515 * frames with a frame type of ETHERTYPE_IPX;
1516 *
1517 * Ethernet_802.3 frames, which have a frame
1518 * type of LINUX_SLL_P_802_3;
1519 *
1520 * Ethernet_802.2 frames, which are 802.3
1521 * frames with an 802.2 LLC header (i.e, have
1522 * a frame type of LINUX_SLL_P_802_2) and
1523 * with the IPX LSAP as the DSAP in the LLC
1524 * header;
1525 *
1526 * Ethernet_SNAP frames, which are 802.3
1527 * frames with an LLC header and a SNAP
1528 * header and with an OUI of 0x000000
1529 * (encapsulated Ethernet) and a protocol
1530 * ID of ETHERTYPE_IPX in the SNAP header.
1531 *
1532 * First, do the checks on LINUX_SLL_P_802_2
1533 * frames; generate the check for either
1534 * Ethernet_802.2 or Ethernet_SNAP frames, and
1535 * then put a check for LINUX_SLL_P_802_2 frames
1536 * before it.
1537 */
1538 b0 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1539 (bpf_int32)LLCSAP_IPX);
1540 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1541 off_linktype + 2);
1542 gen_or(b0, b1);
1543 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1544 gen_and(b0, b1);
1545
1546 /*
1547 * Now check for 802.3 frames and OR that with
1548 * the previous test.
1549 */
1550 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_3);
1551 gen_or(b0, b1);
1552
1553 /*
1554 * Now add the check for Ethernet_II frames, and
1555 * do that before checking for the other frame
1556 * types.
1557 */
1558 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1559 (bpf_int32)ETHERTYPE_IPX);
1560 gen_or(b0, b1);
1561 return b1;
1562
1563 case ETHERTYPE_ATALK:
1564 case ETHERTYPE_AARP:
1565 /*
1566 * EtherTalk (AppleTalk protocols on Ethernet link
1567 * layer) may use 802.2 encapsulation.
1568 */
1569
1570 /*
1571 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1572 * we check for the 802.2 protocol type in the
1573 * "Ethernet type" field.
1574 */
1575 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, LINUX_SLL_P_802_2);
1576
1577 /*
1578 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1579 * SNAP packets with an organization code of
1580 * 0x080007 (Apple, for Appletalk) and a protocol
1581 * type of ETHERTYPE_ATALK (Appletalk).
1582 *
1583 * 802.2-encapsulated ETHERTYPE_AARP packets are
1584 * SNAP packets with an organization code of
1585 * 0x000000 (encapsulated Ethernet) and a protocol
1586 * type of ETHERTYPE_AARP (Appletalk ARP).
1587 */
1588 if (proto == ETHERTYPE_ATALK)
1589 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1590 off_linktype + 2);
1591 else /* proto == ETHERTYPE_AARP */
1592 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1593 off_linktype + 2);
1594 gen_and(b0, b1);
1595
1596 /*
1597 * Check for Ethernet encapsulation (Ethertalk
1598 * phase 1?); we just check for the Ethernet
1599 * protocol type.
1600 */
1601 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
1602
1603 gen_or(b0, b1);
1604 return b1;
1605
1606 default:
1607 if (proto <= ETHERMTU) {
1608 /*
1609 * This is an LLC SAP value, so the frames
1610 * that match would be 802.2 frames.
1611 * Check for the 802.2 protocol type
1612 * in the "Ethernet type" field, and
1613 * then check the DSAP.
1614 */
1615 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H,
1616 LINUX_SLL_P_802_2);
1617 b1 = gen_cmp(OR_LINK, off_linktype + 2, BPF_B,
1618 (bpf_int32)proto);
1619 gen_and(b0, b1);
1620 return b1;
1621 } else {
1622 /*
1623 * This is an Ethernet type, so compare
1624 * the length/type field with it (if
1625 * the frame is an 802.2 frame, the length
1626 * field will be <= ETHERMTU, and, as
1627 * "proto" is > ETHERMTU, this test
1628 * will fail and the frame won't match,
1629 * which is what we want).
1630 */
1631 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1632 (bpf_int32)proto);
1633 }
1634 }
1635 }
1636
1637 static void
1638 insert_radiotap_load_llprefixlen(b)
1639 struct block *b;
1640 {
1641 struct slist *s1, *s2;
1642
1643 /*
1644 * Prepend to the statements in this block code to load the
1645 * length of the radiotap header into the register assigned
1646 * to hold that length, if one has been assigned.
1647 */
1648 if (reg_ll_size != -1) {
1649 /*
1650 * The 2 bytes at offsets of 2 and 3 from the beginning
1651 * of the radiotap header are the length of the radiotap
1652 * header; unfortunately, it's little-endian, so we have
1653 * to load it a byte at a time and construct the value.
1654 */
1655
1656 /*
1657 * Load the high-order byte, at an offset of 3, shift it
1658 * left a byte, and put the result in the X register.
1659 */
1660 s1 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1661 s1->s.k = 3;
1662 s2 = new_stmt(BPF_ALU|BPF_LSH|BPF_K);
1663 sappend(s1, s2);
1664 s2->s.k = 8;
1665 s2 = new_stmt(BPF_MISC|BPF_TAX);
1666 sappend(s1, s2);
1667
1668 /*
1669 * Load the next byte, at an offset of 2, and OR the
1670 * value from the X register into it.
1671 */
1672 s2 = new_stmt(BPF_LD|BPF_B|BPF_ABS);
1673 sappend(s1, s2);
1674 s2->s.k = 2;
1675 s2 = new_stmt(BPF_ALU|BPF_OR|BPF_X);
1676 sappend(s1, s2);
1677
1678 /*
1679 * Now allocate a register to hold that value and store
1680 * it.
1681 */
1682 s2 = new_stmt(BPF_ST);
1683 s2->s.k = reg_ll_size;
1684 sappend(s1, s2);
1685
1686 /*
1687 * Now move it into the X register.
1688 */
1689 s2 = new_stmt(BPF_MISC|BPF_TAX);
1690 sappend(s1, s2);
1691
1692 /*
1693 * Now append all the existing statements in this
1694 * block to these statements.
1695 */
1696 sappend(s1, b->stmts);
1697 b->stmts = s1;
1698 }
1699 }
1700
1701
1702 static void
1703 insert_load_llprefixlen(b)
1704 struct block *b;
1705 {
1706 switch (linktype) {
1707
1708 case DLT_IEEE802_11_RADIO:
1709 insert_radiotap_load_llprefixlen(b);
1710 }
1711 }
1712
1713
1714 static struct slist *
1715 gen_radiotap_llprefixlen(void)
1716 {
1717 struct slist *s;
1718
1719 if (reg_ll_size == -1) {
1720 /*
1721 * We haven't yet assigned a register for the length
1722 * of the radiotap header; allocate one.
1723 */
1724 reg_ll_size = alloc_reg();
1725 }
1726
1727 /*
1728 * Load the register containing the radiotap length
1729 * into the X register.
1730 */
1731 s = new_stmt(BPF_LDX|BPF_MEM);
1732 s->s.k = reg_ll_size;
1733 return s;
1734 }
1735
1736 /*
1737 * Generate code to compute the link-layer header length, if necessary,
1738 * putting it into the X register, and to return either a pointer to a
1739 * "struct slist" for the list of statements in that code, or NULL if
1740 * no code is necessary.
1741 */
1742 static struct slist *
1743 gen_llprefixlen(void)
1744 {
1745 switch (linktype) {
1746
1747 case DLT_IEEE802_11_RADIO:
1748 return gen_radiotap_llprefixlen();
1749
1750 default:
1751 return NULL;
1752 }
1753 }
1754
1755 /*
1756 * Generate code to match a particular packet type by matching the
1757 * link-layer type field or fields in the 802.2 LLC header.
1758 *
1759 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1760 * value, if <= ETHERMTU.
1761 */
1762 static struct block *
1763 gen_linktype(proto)
1764 register int proto;
1765 {
1766 struct block *b0, *b1, *b2;
1767
1768 switch (linktype) {
1769
1770 case DLT_EN10MB:
1771 return gen_ether_linktype(proto);
1772 /*NOTREACHED*/
1773 break;
1774
1775 case DLT_C_HDLC:
1776 switch (proto) {
1777
1778 case LLCSAP_ISONS:
1779 proto = (proto << 8 | LLCSAP_ISONS);
1780 /* fall through */
1781
1782 default:
1783 return gen_cmp(OR_LINK, off_linktype, BPF_H,
1784 (bpf_int32)proto);
1785 /*NOTREACHED*/
1786 break;
1787 }
1788 break;
1789
1790 case DLT_IEEE802_11:
1791 case DLT_PRISM_HEADER:
1792 case DLT_FDDI:
1793 case DLT_IEEE802:
1794 case DLT_IEEE802_11_RADIO:
1795 case DLT_ATM_RFC1483:
1796 case DLT_ATM_CLIP:
1797 case DLT_IP_OVER_FC:
1798 return gen_llc_linktype(proto);
1799 /*NOTREACHED*/
1800 break;
1801
1802 case DLT_SUNATM:
1803 /*
1804 * If "is_lane" is set, check for a LANE-encapsulated
1805 * version of this protocol, otherwise check for an
1806 * LLC-encapsulated version of this protocol.
1807 *
1808 * We assume LANE means Ethernet, not Token Ring.
1809 */
1810 if (is_lane) {
1811 /*
1812 * Check that the packet doesn't begin with an
1813 * LE Control marker. (We've already generated
1814 * a test for LANE.)
1815 */
1816 b0 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
1817 0xFF00);
1818 gen_not(b0);
1819
1820 /*
1821 * Now generate an Ethernet test.
1822 */
1823 b1 = gen_ether_linktype(proto);
1824 gen_and(b0, b1);
1825 return b1;
1826 } else {
1827 /*
1828 * Check for LLC encapsulation and then check the
1829 * protocol.
1830 */
1831 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
1832 b1 = gen_llc_linktype(proto);
1833 gen_and(b0, b1);
1834 return b1;
1835 }
1836 /*NOTREACHED*/
1837 break;
1838
1839 case DLT_LINUX_SLL:
1840 return gen_linux_sll_linktype(proto);
1841 /*NOTREACHED*/
1842 break;
1843
1844 case DLT_SLIP:
1845 case DLT_SLIP_BSDOS:
1846 case DLT_RAW:
1847 /*
1848 * These types don't provide any type field; packets
1849 * are always IP.
1850 *
1851 * XXX - for IPv4, check for a version number of 4, and,
1852 * for IPv6, check for a version number of 6?
1853 */
1854 switch (proto) {
1855
1856 case ETHERTYPE_IP:
1857 #ifdef INET6
1858 case ETHERTYPE_IPV6:
1859 #endif
1860 return gen_true(); /* always true */
1861
1862 default:
1863 return gen_false(); /* always false */
1864 }
1865 /*NOTREACHED*/
1866 break;
1867
1868 case DLT_PPP:
1869 case DLT_PPP_PPPD:
1870 case DLT_PPP_SERIAL:
1871 case DLT_PPP_ETHER:
1872 /*
1873 * We use Ethernet protocol types inside libpcap;
1874 * map them to the corresponding PPP protocol types.
1875 */
1876 switch (proto) {
1877
1878 case ETHERTYPE_IP:
1879 proto = PPP_IP;
1880 break;
1881
1882 #ifdef INET6
1883 case ETHERTYPE_IPV6:
1884 proto = PPP_IPV6;
1885 break;
1886 #endif
1887
1888 case ETHERTYPE_DN:
1889 proto = PPP_DECNET;
1890 break;
1891
1892 case ETHERTYPE_ATALK:
1893 proto = PPP_APPLE;
1894 break;
1895
1896 case ETHERTYPE_NS:
1897 proto = PPP_NS;
1898 break;
1899
1900 case LLCSAP_ISONS:
1901 proto = PPP_OSI;
1902 break;
1903
1904 case LLCSAP_8021D:
1905 /*
1906 * I'm assuming the "Bridging PDU"s that go
1907 * over PPP are Spanning Tree Protocol
1908 * Bridging PDUs.
1909 */
1910 proto = PPP_BRPDU;
1911 break;
1912
1913 case LLCSAP_IPX:
1914 proto = PPP_IPX;
1915 break;
1916 }
1917 break;
1918
1919 case DLT_PPP_BSDOS:
1920 /*
1921 * We use Ethernet protocol types inside libpcap;
1922 * map them to the corresponding PPP protocol types.
1923 */
1924 switch (proto) {
1925
1926 case ETHERTYPE_IP:
1927 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_IP);
1928 b1 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJC);
1929 gen_or(b0, b1);
1930 b0 = gen_cmp(OR_LINK, off_linktype, BPF_H, PPP_VJNC);
1931 gen_or(b1, b0);
1932 return b0;
1933
1934 #ifdef INET6
1935 case ETHERTYPE_IPV6:
1936 proto = PPP_IPV6;
1937 /* more to go? */
1938 break;
1939 #endif
1940
1941 case ETHERTYPE_DN:
1942 proto = PPP_DECNET;
1943 break;
1944
1945 case ETHERTYPE_ATALK:
1946 proto = PPP_APPLE;
1947 break;
1948
1949 case ETHERTYPE_NS:
1950 proto = PPP_NS;
1951 break;
1952
1953 case LLCSAP_ISONS:
1954 proto = PPP_OSI;
1955 break;
1956
1957 case LLCSAP_8021D:
1958 /*
1959 * I'm assuming the "Bridging PDU"s that go
1960 * over PPP are Spanning Tree Protocol
1961 * Bridging PDUs.
1962 */
1963 proto = PPP_BRPDU;
1964 break;
1965
1966 case LLCSAP_IPX:
1967 proto = PPP_IPX;
1968 break;
1969 }
1970 break;
1971
1972 case DLT_NULL:
1973 case DLT_LOOP:
1974 case DLT_ENC:
1975 /*
1976 * For DLT_NULL, the link-layer header is a 32-bit
1977 * word containing an AF_ value in *host* byte order,
1978 * and for DLT_ENC, the link-layer header begins
1979 * with a 32-bit work containing an AF_ value in
1980 * host byte order.
1981 *
1982 * In addition, if we're reading a saved capture file,
1983 * the host byte order in the capture may not be the
1984 * same as the host byte order on this machine.
1985 *
1986 * For DLT_LOOP, the link-layer header is a 32-bit
1987 * word containing an AF_ value in *network* byte order.
1988 *
1989 * XXX - AF_ values may, unfortunately, be platform-
1990 * dependent; for example, FreeBSD's AF_INET6 is 24
1991 * whilst NetBSD's and OpenBSD's is 26.
1992 *
1993 * This means that, when reading a capture file, just
1994 * checking for our AF_INET6 value won't work if the
1995 * capture file came from another OS.
1996 */
1997 switch (proto) {
1998
1999 case ETHERTYPE_IP:
2000 proto = AF_INET;
2001 break;
2002
2003 #ifdef INET6
2004 case ETHERTYPE_IPV6:
2005 proto = AF_INET6;
2006 break;
2007 #endif
2008
2009 default:
2010 /*
2011 * Not a type on which we support filtering.
2012 * XXX - support those that have AF_ values
2013 * #defined on this platform, at least?
2014 */
2015 return gen_false();
2016 }
2017
2018 if (linktype == DLT_NULL || linktype == DLT_ENC) {
2019 /*
2020 * The AF_ value is in host byte order, but
2021 * the BPF interpreter will convert it to
2022 * network byte order.
2023 *
2024 * If this is a save file, and it's from a
2025 * machine with the opposite byte order to
2026 * ours, we byte-swap the AF_ value.
2027 *
2028 * Then we run it through "htonl()", and
2029 * generate code to compare against the result.
2030 */
2031 if (bpf_pcap->sf.rfile != NULL &&
2032 bpf_pcap->sf.swapped)
2033 proto = SWAPLONG(proto);
2034 proto = htonl(proto);
2035 }
2036 return (gen_cmp(OR_LINK, 0, BPF_W, (bpf_int32)proto));
2037
2038 case DLT_PFLOG:
2039 /*
2040 * af field is host byte order in contrast to the rest of
2041 * the packet.
2042 */
2043 if (proto == ETHERTYPE_IP)
2044 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2045 BPF_B, (bpf_int32)AF_INET));
2046 #ifdef INET6
2047 else if (proto == ETHERTYPE_IPV6)
2048 return (gen_cmp(OR_LINK, offsetof(struct pfloghdr, af),
2049 BPF_B, (bpf_int32)AF_INET6));
2050 #endif /* INET6 */
2051 else
2052 return gen_false();
2053 /*NOTREACHED*/
2054 break;
2055
2056 case DLT_ARCNET:
2057 case DLT_ARCNET_LINUX:
2058 /*
2059 * XXX should we check for first fragment if the protocol
2060 * uses PHDS?
2061 */
2062 switch (proto) {
2063
2064 default:
2065 return gen_false();
2066
2067 #ifdef INET6
2068 case ETHERTYPE_IPV6:
2069 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2070 (bpf_int32)ARCTYPE_INET6));
2071 #endif /* INET6 */
2072
2073 case ETHERTYPE_IP:
2074 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2075 (bpf_int32)ARCTYPE_IP);
2076 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2077 (bpf_int32)ARCTYPE_IP_OLD);
2078 gen_or(b0, b1);
2079 return (b1);
2080
2081 case ETHERTYPE_ARP:
2082 b0 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2083 (bpf_int32)ARCTYPE_ARP);
2084 b1 = gen_cmp(OR_LINK, off_linktype, BPF_B,
2085 (bpf_int32)ARCTYPE_ARP_OLD);
2086 gen_or(b0, b1);
2087 return (b1);
2088
2089 case ETHERTYPE_REVARP:
2090 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2091 (bpf_int32)ARCTYPE_REVARP));
2092
2093 case ETHERTYPE_ATALK:
2094 return (gen_cmp(OR_LINK, off_linktype, BPF_B,
2095 (bpf_int32)ARCTYPE_ATALK));
2096 }
2097 /*NOTREACHED*/
2098 break;
2099
2100 case DLT_LTALK:
2101 switch (proto) {
2102 case ETHERTYPE_ATALK:
2103 return gen_true();
2104 default:
2105 return gen_false();
2106 }
2107 /*NOTREACHED*/
2108 break;
2109
2110 case DLT_FRELAY:
2111 /*
2112 * XXX - assumes a 2-byte Frame Relay header with
2113 * DLCI and flags. What if the address is longer?
2114 */
2115 switch (proto) {
2116
2117 case ETHERTYPE_IP:
2118 /*
2119 * Check for the special NLPID for IP.
2120 */
2121 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0xcc);
2122
2123 #ifdef INET6
2124 case ETHERTYPE_IPV6:
2125 /*
2126 * Check for the special NLPID for IPv6.
2127 */
2128 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | 0x8e);
2129 #endif
2130
2131 case LLCSAP_ISONS:
2132 /*
2133 * Check for several OSI protocols.
2134 *
2135 * Frame Relay packets typically have an OSI
2136 * NLPID at the beginning; we check for each
2137 * of them.
2138 *
2139 * What we check for is the NLPID and a frame
2140 * control field of UI, i.e. 0x03 followed
2141 * by the NLPID.
2142 */
2143 b0 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
2144 b1 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
2145 b2 = gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
2146 gen_or(b1, b2);
2147 gen_or(b0, b2);
2148 return b2;
2149
2150 default:
2151 return gen_false();
2152 }
2153 /*NOTREACHED*/
2154 break;
2155
2156 case DLT_JUNIPER_MLFR:
2157 case DLT_JUNIPER_MLPPP:
2158 case DLT_JUNIPER_ATM1:
2159 case DLT_JUNIPER_ATM2:
2160 /* just lets verify the magic number for now -
2161 * on ATM we may have up to 6 different encapsulations on the wire
2162 * and need a lot of heuristics to figure out that the payload
2163 * might be;
2164 *
2165 * FIXME encapsulation specific BPF_ filters
2166 */
2167 return gen_mcmp(OR_LINK, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
2168
2169 case DLT_LINUX_IRDA:
2170 bpf_error("IrDA link-layer type filtering not implemented");
2171
2172 case DLT_DOCSIS:
2173 bpf_error("DOCSIS link-layer type filtering not implemented");
2174
2175 case DLT_LINUX_LAPD:
2176 bpf_error("LAPD link-layer type filtering not implemented");
2177 }
2178
2179 /*
2180 * All the types that have no encapsulation should either be
2181 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
2182 * all packets are IP packets, or should be handled in some
2183 * special case, if none of them are (if some are and some
2184 * aren't, the lack of encapsulation is a problem, as we'd
2185 * have to find some other way of determining the packet type).
2186 *
2187 * Therefore, if "off_linktype" is -1, there's an error.
2188 */
2189 if (off_linktype == (u_int)-1)
2190 abort();
2191
2192 /*
2193 * Any type not handled above should always have an Ethernet
2194 * type at an offset of "off_linktype". (PPP is partially
2195 * handled above - the protocol type is mapped from the
2196 * Ethernet and LLC types we use internally to the corresponding
2197 * PPP type - but the PPP type is always specified by a value
2198 * at "off_linktype", so we don't have to do the code generation
2199 * above.)
2200 */
2201 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_int32)proto);
2202 }
2203
2204 /*
2205 * Check for an LLC SNAP packet with a given organization code and
2206 * protocol type; we check the entire contents of the 802.2 LLC and
2207 * snap headers, checking for DSAP and SSAP of SNAP and a control
2208 * field of 0x03 in the LLC header, and for the specified organization
2209 * code and protocol type in the SNAP header.
2210 */
2211 static struct block *
2212 gen_snap(orgcode, ptype, offset)
2213 bpf_u_int32 orgcode;
2214 bpf_u_int32 ptype;
2215 u_int offset;
2216 {
2217 u_char snapblock[8];
2218
2219 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
2220 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
2221 snapblock[2] = 0x03; /* control = UI */
2222 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
2223 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
2224 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
2225 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
2226 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
2227 return gen_bcmp(OR_LINK, offset, 8, snapblock);
2228 }
2229
2230 /*
2231 * Generate code to match a particular packet type, for link-layer types
2232 * using 802.2 LLC headers.
2233 *
2234 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
2235 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
2236 *
2237 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2238 * value, if <= ETHERMTU. We use that to determine whether to
2239 * match the DSAP or both DSAP and LSAP or to check the OUI and
2240 * protocol ID in a SNAP header.
2241 */
2242 static struct block *
2243 gen_llc_linktype(proto)
2244 int proto;
2245 {
2246 /*
2247 * XXX - handle token-ring variable-length header.
2248 */
2249 switch (proto) {
2250
2251 case LLCSAP_IP:
2252 case LLCSAP_ISONS:
2253 case LLCSAP_NETBEUI:
2254 /*
2255 * XXX - should we check both the DSAP and the
2256 * SSAP, like this, or should we check just the
2257 * DSAP, as we do for other types <= ETHERMTU
2258 * (i.e., other SAP values)?
2259 */
2260 return gen_cmp(OR_LINK, off_linktype, BPF_H, (bpf_u_int32)
2261 ((proto << 8) | proto));
2262
2263 case LLCSAP_IPX:
2264 /*
2265 * XXX - are there ever SNAP frames for IPX on
2266 * non-Ethernet 802.x networks?
2267 */
2268 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2269 (bpf_int32)LLCSAP_IPX);
2270
2271 case ETHERTYPE_ATALK:
2272 /*
2273 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2274 * SNAP packets with an organization code of
2275 * 0x080007 (Apple, for Appletalk) and a protocol
2276 * type of ETHERTYPE_ATALK (Appletalk).
2277 *
2278 * XXX - check for an organization code of
2279 * encapsulated Ethernet as well?
2280 */
2281 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
2282
2283 default:
2284 /*
2285 * XXX - we don't have to check for IPX 802.3
2286 * here, but should we check for the IPX Ethertype?
2287 */
2288 if (proto <= ETHERMTU) {
2289 /*
2290 * This is an LLC SAP value, so check
2291 * the DSAP.
2292 */
2293 return gen_cmp(OR_LINK, off_linktype, BPF_B,
2294 (bpf_int32)proto);
2295 } else {
2296 /*
2297 * This is an Ethernet type; we assume that it's
2298 * unlikely that it'll appear in the right place
2299 * at random, and therefore check only the
2300 * location that would hold the Ethernet type
2301 * in a SNAP frame with an organization code of
2302 * 0x000000 (encapsulated Ethernet).
2303 *
2304 * XXX - if we were to check for the SNAP DSAP and
2305 * LSAP, as per XXX, and were also to check for an
2306 * organization code of 0x000000 (encapsulated
2307 * Ethernet), we'd do
2308 *
2309 * return gen_snap(0x000000, proto,
2310 * off_linktype);
2311 *
2312 * here; for now, we don't, as per the above.
2313 * I don't know whether it's worth the extra CPU
2314 * time to do the right check or not.
2315 */
2316 return gen_cmp(OR_LINK, off_linktype+6, BPF_H,
2317 (bpf_int32)proto);
2318 }
2319 }
2320 }
2321
2322 static struct block *
2323 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
2324 bpf_u_int32 addr;
2325 bpf_u_int32 mask;
2326 int dir, proto;
2327 u_int src_off, dst_off;
2328 {
2329 struct block *b0, *b1;
2330 u_int offset;
2331
2332 switch (dir) {
2333
2334 case Q_SRC:
2335 offset = src_off;
2336 break;
2337
2338 case Q_DST:
2339 offset = dst_off;
2340 break;
2341
2342 case Q_AND:
2343 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2344 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2345 gen_and(b0, b1);
2346 return b1;
2347
2348 case Q_OR:
2349 case Q_DEFAULT:
2350 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2351 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2352 gen_or(b0, b1);
2353 return b1;
2354
2355 default:
2356 abort();
2357 }
2358 b0 = gen_linktype(proto);
2359 b1 = gen_mcmp(OR_NET, offset, BPF_W, (bpf_int32)addr, mask);
2360 gen_and(b0, b1);
2361 return b1;
2362 }
2363
2364 #ifdef INET6
2365 static struct block *
2366 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
2367 struct in6_addr *addr;
2368 struct in6_addr *mask;
2369 int dir, proto;
2370 u_int src_off, dst_off;
2371 {
2372 struct block *b0, *b1;
2373 u_int offset;
2374 u_int32_t *a, *m;
2375
2376 switch (dir) {
2377
2378 case Q_SRC:
2379 offset = src_off;
2380 break;
2381
2382 case Q_DST:
2383 offset = dst_off;
2384 break;
2385
2386 case Q_AND:
2387 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2388 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2389 gen_and(b0, b1);
2390 return b1;
2391
2392 case Q_OR:
2393 case Q_DEFAULT:
2394 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2395 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2396 gen_or(b0, b1);
2397 return b1;
2398
2399 default:
2400 abort();
2401 }
2402 /* this order is important */
2403 a = (u_int32_t *)addr;
2404 m = (u_int32_t *)mask;
2405 b1 = gen_mcmp(OR_NET, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2406 b0 = gen_mcmp(OR_NET, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2407 gen_and(b0, b1);
2408 b0 = gen_mcmp(OR_NET, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2409 gen_and(b0, b1);
2410 b0 = gen_mcmp(OR_NET, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2411 gen_and(b0, b1);
2412 b0 = gen_linktype(proto);
2413 gen_and(b0, b1);
2414 return b1;
2415 }
2416 #endif /*INET6*/
2417
2418 static struct block *
2419 gen_ehostop(eaddr, dir)
2420 register const u_char *eaddr;
2421 register int dir;
2422 {
2423 register struct block *b0, *b1;
2424
2425 switch (dir) {
2426 case Q_SRC:
2427 return gen_bcmp(OR_LINK, off_mac + 6, 6, eaddr);
2428
2429 case Q_DST:
2430 return gen_bcmp(OR_LINK, off_mac + 0, 6, eaddr);
2431
2432 case Q_AND:
2433 b0 = gen_ehostop(eaddr, Q_SRC);
2434 b1 = gen_ehostop(eaddr, Q_DST);
2435 gen_and(b0, b1);
2436 return b1;
2437
2438 case Q_DEFAULT:
2439 case Q_OR:
2440 b0 = gen_ehostop(eaddr, Q_SRC);
2441 b1 = gen_ehostop(eaddr, Q_DST);
2442 gen_or(b0, b1);
2443 return b1;
2444 }
2445 abort();
2446 /* NOTREACHED */
2447 }
2448
2449 /*
2450 * Like gen_ehostop, but for DLT_FDDI
2451 */
2452 static struct block *
2453 gen_fhostop(eaddr, dir)
2454 register const u_char *eaddr;
2455 register int dir;
2456 {
2457 struct block *b0, *b1;
2458
2459 switch (dir) {
2460 case Q_SRC:
2461 #ifdef PCAP_FDDIPAD
2462 return gen_bcmp(OR_LINK, 6 + 1 + pcap_fddipad, 6, eaddr);
2463 #else
2464 return gen_bcmp(OR_LINK, 6 + 1, 6, eaddr);
2465 #endif
2466
2467 case Q_DST:
2468 #ifdef PCAP_FDDIPAD
2469 return gen_bcmp(OR_LINK, 0 + 1 + pcap_fddipad, 6, eaddr);
2470 #else
2471 return gen_bcmp(OR_LINK, 0 + 1, 6, eaddr);
2472 #endif
2473
2474 case Q_AND:
2475 b0 = gen_fhostop(eaddr, Q_SRC);
2476 b1 = gen_fhostop(eaddr, Q_DST);
2477 gen_and(b0, b1);
2478 return b1;
2479
2480 case Q_DEFAULT:
2481 case Q_OR:
2482 b0 = gen_fhostop(eaddr, Q_SRC);
2483 b1 = gen_fhostop(eaddr, Q_DST);
2484 gen_or(b0, b1);
2485 return b1;
2486 }
2487 abort();
2488 /* NOTREACHED */
2489 }
2490
2491 /*
2492 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2493 */
2494 static struct block *
2495 gen_thostop(eaddr, dir)
2496 register const u_char *eaddr;
2497 register int dir;
2498 {
2499 register struct block *b0, *b1;
2500
2501 switch (dir) {
2502 case Q_SRC:
2503 return gen_bcmp(OR_LINK, 8, 6, eaddr);
2504
2505 case Q_DST:
2506 return gen_bcmp(OR_LINK, 2, 6, eaddr);
2507
2508 case Q_AND:
2509 b0 = gen_thostop(eaddr, Q_SRC);
2510 b1 = gen_thostop(eaddr, Q_DST);
2511 gen_and(b0, b1);
2512 return b1;
2513
2514 case Q_DEFAULT:
2515 case Q_OR:
2516 b0 = gen_thostop(eaddr, Q_SRC);
2517 b1 = gen_thostop(eaddr, Q_DST);
2518 gen_or(b0, b1);
2519 return b1;
2520 }
2521 abort();
2522 /* NOTREACHED */
2523 }
2524
2525 /*
2526 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2527 */
2528 static struct block *
2529 gen_wlanhostop(eaddr, dir)
2530 register const u_char *eaddr;
2531 register int dir;
2532 {
2533 register struct block *b0, *b1, *b2;
2534 register struct slist *s;
2535
2536 switch (dir) {
2537 case Q_SRC:
2538 /*
2539 * Oh, yuk.
2540 *
2541 * For control frames, there is no SA.
2542 *
2543 * For management frames, SA is at an
2544 * offset of 10 from the beginning of
2545 * the packet.
2546 *
2547 * For data frames, SA is at an offset
2548 * of 10 from the beginning of the packet
2549 * if From DS is clear, at an offset of
2550 * 16 from the beginning of the packet
2551 * if From DS is set and To DS is clear,
2552 * and an offset of 24 from the beginning
2553 * of the packet if From DS is set and To DS
2554 * is set.
2555 */
2556
2557 /*
2558 * Generate the tests to be done for data frames
2559 * with From DS set.
2560 *
2561 * First, check for To DS set, i.e. check "link[1] & 0x01".
2562 */
2563 s = gen_load_a(OR_LINK, 1, BPF_B);
2564 b1 = new_block(JMP(BPF_JSET));
2565 b1->s.k = 0x01; /* To DS */
2566 b1->stmts = s;
2567
2568 /*
2569 * If To DS is set, the SA is at 24.
2570 */
2571 b0 = gen_bcmp(OR_LINK, 24, 6, eaddr);
2572 gen_and(b1, b0);
2573
2574 /*
2575 * Now, check for To DS not set, i.e. check
2576 * "!(link[1] & 0x01)".
2577 */
2578 s = gen_load_a(OR_LINK, 1, BPF_B);
2579 b2 = new_block(JMP(BPF_JSET));
2580 b2->s.k = 0x01; /* To DS */
2581 b2->stmts = s;
2582 gen_not(b2);
2583
2584 /*
2585 * If To DS is not set, the SA is at 16.
2586 */
2587 b1 = gen_bcmp(OR_LINK, 16, 6, eaddr);
2588 gen_and(b2, b1);
2589
2590 /*
2591 * Now OR together the last two checks. That gives
2592 * the complete set of checks for data frames with
2593 * From DS set.
2594 */
2595 gen_or(b1, b0);
2596
2597 /*
2598 * Now check for From DS being set, and AND that with
2599 * the ORed-together checks.
2600 */
2601 s = gen_load_a(OR_LINK, 1, BPF_B);
2602 b1 = new_block(JMP(BPF_JSET));
2603 b1->s.k = 0x02; /* From DS */
2604 b1->stmts = s;
2605 gen_and(b1, b0);
2606
2607 /*
2608 * Now check for data frames with From DS not set.
2609 */
2610 s = gen_load_a(OR_LINK, 1, BPF_B);
2611 b2 = new_block(JMP(BPF_JSET));
2612 b2->s.k = 0x02; /* From DS */
2613 b2->stmts = s;
2614 gen_not(b2);
2615
2616 /*
2617 * If From DS isn't set, the SA is at 10.
2618 */
2619 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
2620 gen_and(b2, b1);
2621
2622 /*
2623 * Now OR together the checks for data frames with
2624 * From DS not set and for data frames with From DS
2625 * set; that gives the checks done for data frames.
2626 */
2627 gen_or(b1, b0);
2628
2629 /*
2630 * Now check for a data frame.
2631 * I.e, check "link[0] & 0x08".
2632 */
2633 gen_load_a(OR_LINK, 0, BPF_B);
2634 b1 = new_block(JMP(BPF_JSET));
2635 b1->s.k = 0x08;
2636 b1->stmts = s;
2637
2638 /*
2639 * AND that with the checks done for data frames.
2640 */
2641 gen_and(b1, b0);
2642
2643 /*
2644 * If the high-order bit of the type value is 0, this
2645 * is a management frame.
2646 * I.e, check "!(link[0] & 0x08)".
2647 */
2648 s = gen_load_a(OR_LINK, 0, BPF_B);
2649 b2 = new_block(JMP(BPF_JSET));
2650 b2->s.k = 0x08;
2651 b2->stmts = s;
2652 gen_not(b2);
2653
2654 /*
2655 * For management frames, the SA is at 10.
2656 */
2657 b1 = gen_bcmp(OR_LINK, 10, 6, eaddr);
2658 gen_and(b2, b1);
2659
2660 /*
2661 * OR that with the checks done for data frames.
2662 * That gives the checks done for management and
2663 * data frames.
2664 */
2665 gen_or(b1, b0);
2666
2667 /*
2668 * If the low-order bit of the type value is 1,
2669 * this is either a control frame or a frame
2670 * with a reserved type, and thus not a
2671 * frame with an SA.
2672 *
2673 * I.e., check "!(link[0] & 0x04)".
2674 */
2675 s = gen_load_a(OR_LINK, 0, BPF_B);
2676 b1 = new_block(JMP(BPF_JSET));
2677 b1->s.k = 0x04;
2678 b1->stmts = s;
2679 gen_not(b1);
2680
2681 /*
2682 * AND that with the checks for data and management
2683 * frames.
2684 */
2685 gen_and(b1, b0);
2686 return b0;
2687
2688 case Q_DST:
2689 /*
2690 * Oh, yuk.
2691 *
2692 * For control frames, there is no DA.
2693 *
2694 * For management frames, DA is at an
2695 * offset of 4 from the beginning of
2696 * the packet.
2697 *
2698 * For data frames, DA is at an offset
2699 * of 4 from the beginning of the packet
2700 * if To DS is clear and at an offset of
2701 * 16 from the beginning of the packet
2702 * if To DS is set.
2703 */
2704
2705 /*
2706 * Generate the tests to be done for data frames.
2707 *
2708 * First, check for To DS set, i.e. "link[1] & 0x01".
2709 */
2710 s = gen_load_a(OR_LINK, 1, BPF_B);
2711 b1 = new_block(JMP(BPF_JSET));
2712 b1->s.k = 0x01; /* To DS */
2713 b1->stmts = s;
2714
2715 /*
2716 * If To DS is set, the DA is at 16.
2717 */
2718 b0 = gen_bcmp(OR_LINK, 16, 6, eaddr);
2719 gen_and(b1, b0);
2720
2721 /*
2722 * Now, check for To DS not set, i.e. check
2723 * "!(link[1] & 0x01)".
2724 */
2725 s = gen_load_a(OR_LINK, 1, BPF_B);
2726 b2 = new_block(JMP(BPF_JSET));
2727 b2->s.k = 0x01; /* To DS */
2728 b2->stmts = s;
2729 gen_not(b2);
2730
2731 /*
2732 * If To DS is not set, the DA is at 4.
2733 */
2734 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
2735 gen_and(b2, b1);
2736
2737 /*
2738 * Now OR together the last two checks. That gives
2739 * the complete set of checks for data frames.
2740 */
2741 gen_or(b1, b0);
2742
2743 /*
2744 * Now check for a data frame.
2745 * I.e, check "link[0] & 0x08".
2746 */
2747 s = gen_load_a(OR_LINK, 0, BPF_B);
2748 b1 = new_block(JMP(BPF_JSET));
2749 b1->s.k = 0x08;
2750 b1->stmts = s;
2751
2752 /*
2753 * AND that with the checks done for data frames.
2754 */
2755 gen_and(b1, b0);
2756
2757 /*
2758 * If the high-order bit of the type value is 0, this
2759 * is a management frame.
2760 * I.e, check "!(link[0] & 0x08)".
2761 */
2762 s = gen_load_a(OR_LINK, 0, BPF_B);
2763 b2 = new_block(JMP(BPF_JSET));
2764 b2->s.k = 0x08;
2765 b2->stmts = s;
2766 gen_not(b2);
2767
2768 /*
2769 * For management frames, the DA is at 4.
2770 */
2771 b1 = gen_bcmp(OR_LINK, 4, 6, eaddr);
2772 gen_and(b2, b1);
2773
2774 /*
2775 * OR that with the checks done for data frames.
2776 * That gives the checks done for management and
2777 * data frames.
2778 */
2779 gen_or(b1, b0);
2780
2781 /*
2782 * If the low-order bit of the type value is 1,
2783 * this is either a control frame or a frame
2784 * with a reserved type, and thus not a
2785 * frame with an SA.
2786 *
2787 * I.e., check "!(link[0] & 0x04)".
2788 */
2789 s = gen_load_a(OR_LINK, 0, BPF_B);
2790 b1 = new_block(JMP(BPF_JSET));
2791 b1->s.k = 0x04;
2792 b1->stmts = s;
2793 gen_not(b1);
2794
2795 /*
2796 * AND that with the checks for data and management
2797 * frames.
2798 */
2799 gen_and(b1, b0);
2800 return b0;
2801
2802 case Q_AND:
2803 b0 = gen_wlanhostop(eaddr, Q_SRC);
2804 b1 = gen_wlanhostop(eaddr, Q_DST);
2805 gen_and(b0, b1);
2806 return b1;
2807
2808 case Q_DEFAULT:
2809 case Q_OR:
2810 b0 = gen_wlanhostop(eaddr, Q_SRC);
2811 b1 = gen_wlanhostop(eaddr, Q_DST);
2812 gen_or(b0, b1);
2813 return b1;
2814 }
2815 abort();
2816 /* NOTREACHED */
2817 }
2818
2819 /*
2820 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
2821 * (We assume that the addresses are IEEE 48-bit MAC addresses,
2822 * as the RFC states.)
2823 */
2824 static struct block *
2825 gen_ipfchostop(eaddr, dir)
2826 register const u_char *eaddr;
2827 register int dir;
2828 {
2829 register struct block *b0, *b1;
2830
2831 switch (dir) {
2832 case Q_SRC:
2833 return gen_bcmp(OR_LINK, 10, 6, eaddr);
2834
2835 case Q_DST:
2836 return gen_bcmp(OR_LINK, 2, 6, eaddr);
2837
2838 case Q_AND:
2839 b0 = gen_ipfchostop(eaddr, Q_SRC);
2840 b1 = gen_ipfchostop(eaddr, Q_DST);
2841 gen_and(b0, b1);
2842 return b1;
2843
2844 case Q_DEFAULT:
2845 case Q_OR:
2846 b0 = gen_ipfchostop(eaddr, Q_SRC);
2847 b1 = gen_ipfchostop(eaddr, Q_DST);
2848 gen_or(b0, b1);
2849 return b1;
2850 }
2851 abort();
2852 /* NOTREACHED */
2853 }
2854
2855 /*
2856 * This is quite tricky because there may be pad bytes in front of the
2857 * DECNET header, and then there are two possible data packet formats that
2858 * carry both src and dst addresses, plus 5 packet types in a format that
2859 * carries only the src node, plus 2 types that use a different format and
2860 * also carry just the src node.
2861 *
2862 * Yuck.
2863 *
2864 * Instead of doing those all right, we just look for data packets with
2865 * 0 or 1 bytes of padding. If you want to look at other packets, that
2866 * will require a lot more hacking.
2867 *
2868 * To add support for filtering on DECNET "areas" (network numbers)
2869 * one would want to add a "mask" argument to this routine. That would
2870 * make the filter even more inefficient, although one could be clever
2871 * and not generate masking instructions if the mask is 0xFFFF.
2872 */
2873 static struct block *
2874 gen_dnhostop(addr, dir)
2875 bpf_u_int32 addr;
2876 int dir;
2877 {
2878 struct block *b0, *b1, *b2, *tmp;
2879 u_int offset_lh; /* offset if long header is received */
2880 u_int offset_sh; /* offset if short header is received */
2881
2882 switch (dir) {
2883
2884 case Q_DST:
2885 offset_sh = 1; /* follows flags */
2886 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
2887 break;
2888
2889 case Q_SRC:
2890 offset_sh = 3; /* follows flags, dstnode */
2891 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
2892 break;
2893
2894 case Q_AND:
2895 /* Inefficient because we do our Calvinball dance twice */
2896 b0 = gen_dnhostop(addr, Q_SRC);
2897 b1 = gen_dnhostop(addr, Q_DST);
2898 gen_and(b0, b1);
2899 return b1;
2900
2901 case Q_OR:
2902 case Q_DEFAULT:
2903 /* Inefficient because we do our Calvinball dance twice */
2904 b0 = gen_dnhostop(addr, Q_SRC);
2905 b1 = gen_dnhostop(addr, Q_DST);
2906 gen_or(b0, b1);
2907 return b1;
2908
2909 case Q_ISO:
2910 bpf_error("ISO host filtering not implemented");
2911
2912 default:
2913 abort();
2914 }
2915 b0 = gen_linktype(ETHERTYPE_DN);
2916 /* Check for pad = 1, long header case */
2917 tmp = gen_mcmp(OR_NET, 2, BPF_H,
2918 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
2919 b1 = gen_cmp(OR_NET, 2 + 1 + offset_lh,
2920 BPF_H, (bpf_int32)ntohs(addr));
2921 gen_and(tmp, b1);
2922 /* Check for pad = 0, long header case */
2923 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
2924 b2 = gen_cmp(OR_NET, 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
2925 gen_and(tmp, b2);
2926 gen_or(b2, b1);
2927 /* Check for pad = 1, short header case */
2928 tmp = gen_mcmp(OR_NET, 2, BPF_H,
2929 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
2930 b2 = gen_cmp(OR_NET, 2 + 1 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
2931 gen_and(tmp, b2);
2932 gen_or(b2, b1);
2933 /* Check for pad = 0, short header case */
2934 tmp = gen_mcmp(OR_NET, 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
2935 b2 = gen_cmp(OR_NET, 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
2936 gen_and(tmp, b2);
2937 gen_or(b2, b1);
2938
2939 /* Combine with test for linktype */
2940 gen_and(b0, b1);
2941 return b1;
2942 }
2943
2944 static struct block *
2945 gen_host(addr, mask, proto, dir)
2946 bpf_u_int32 addr;
2947 bpf_u_int32 mask;
2948 int proto;
2949 int dir;
2950 {
2951 struct block *b0, *b1;
2952
2953 switch (proto) {
2954
2955 case Q_DEFAULT:
2956 b0 = gen_host(addr, mask, Q_IP, dir);
2957 if (off_linktype != (u_int)-1) {
2958 b1 = gen_host(addr, mask, Q_ARP, dir);
2959 gen_or(b0, b1);
2960 b0 = gen_host(addr, mask, Q_RARP, dir);
2961 gen_or(b1, b0);
2962 }
2963 return b0;
2964
2965 case Q_IP:
2966 return gen_hostop(addr, mask, dir, ETHERTYPE_IP, 12, 16);
2967
2968 case Q_RARP:
2969 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
2970
2971 case Q_ARP:
2972 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP, 14, 24);
2973
2974 case Q_TCP:
2975 bpf_error("'tcp' modifier applied to host");
2976
2977 case Q_SCTP:
2978 bpf_error("'sctp' modifier applied to host");
2979
2980 case Q_UDP:
2981 bpf_error("'udp' modifier applied to host");
2982
2983 case Q_ICMP:
2984 bpf_error("'icmp' modifier applied to host");
2985
2986 case Q_IGMP:
2987 bpf_error("'igmp' modifier applied to host");
2988
2989 case Q_IGRP:
2990 bpf_error("'igrp' modifier applied to host");
2991
2992 case Q_PIM:
2993 bpf_error("'pim' modifier applied to host");
2994
2995 case Q_VRRP:
2996 bpf_error("'vrrp' modifier applied to host");
2997
2998 case Q_ATALK:
2999 bpf_error("ATALK host filtering not implemented");
3000
3001 case Q_AARP:
3002 bpf_error("AARP host filtering not implemented");
3003
3004 case Q_DECNET:
3005 return gen_dnhostop(addr, dir);
3006
3007 case Q_SCA:
3008 bpf_error("SCA host filtering not implemented");
3009
3010 case Q_LAT:
3011 bpf_error("LAT host filtering not implemented");
3012
3013 case Q_MOPDL:
3014 bpf_error("MOPDL host filtering not implemented");
3015
3016 case Q_MOPRC:
3017 bpf_error("MOPRC host filtering not implemented");
3018
3019 #ifdef INET6
3020 case Q_IPV6:
3021 bpf_error("'ip6' modifier applied to ip host");
3022
3023 case Q_ICMPV6:
3024 bpf_error("'icmp6' modifier applied to host");
3025 #endif /* INET6 */
3026
3027 case Q_AH:
3028 bpf_error("'ah' modifier applied to host");
3029
3030 case Q_ESP:
3031 bpf_error("'esp' modifier applied to host");
3032
3033 case Q_ISO:
3034 bpf_error("ISO host filtering not implemented");
3035
3036 case Q_ESIS:
3037 bpf_error("'esis' modifier applied to host");
3038
3039 case Q_ISIS:
3040 bpf_error("'isis' modifier applied to host");
3041
3042 case Q_CLNP:
3043 bpf_error("'clnp' modifier applied to host");
3044
3045 case Q_STP:
3046 bpf_error("'stp' modifier applied to host");
3047
3048 case Q_IPX:
3049 bpf_error("IPX host filtering not implemented");
3050
3051 case Q_NETBEUI:
3052 bpf_error("'netbeui' modifier applied to host");
3053
3054 default:
3055 abort();
3056 }
3057 /* NOTREACHED */
3058 }
3059
3060 #ifdef INET6
3061 static struct block *
3062 gen_host6(addr, mask, proto, dir)
3063 struct in6_addr *addr;
3064 struct in6_addr *mask;
3065 int proto;
3066 int dir;
3067 {
3068 switch (proto) {
3069
3070 case Q_DEFAULT:
3071 return gen_host6(addr, mask, Q_IPV6, dir);
3072
3073 case Q_IP:
3074 bpf_error("'ip' modifier applied to ip6 host");
3075
3076 case Q_RARP:
3077 bpf_error("'rarp' modifier applied to ip6 host");
3078
3079 case Q_ARP:
3080 bpf_error("'arp' modifier applied to ip6 host");
3081
3082 case Q_SCTP:
3083 bpf_error("'sctp' modifier applied to host");
3084
3085 case Q_TCP:
3086 bpf_error("'tcp' modifier applied to host");
3087
3088 case Q_UDP:
3089 bpf_error("'udp' modifier applied to host");
3090
3091 case Q_ICMP:
3092 bpf_error("'icmp' modifier applied to host");
3093
3094 case Q_IGMP:
3095 bpf_error("'igmp' modifier applied to host");
3096
3097 case Q_IGRP:
3098 bpf_error("'igrp' modifier applied to host");
3099
3100 case Q_PIM:
3101 bpf_error("'pim' modifier applied to host");
3102
3103 case Q_VRRP:
3104 bpf_error("'vrrp' modifier applied to host");
3105
3106 case Q_ATALK:
3107 bpf_error("ATALK host filtering not implemented");
3108
3109 case Q_AARP:
3110 bpf_error("AARP host filtering not implemented");
3111
3112 case Q_DECNET:
3113 bpf_error("'decnet' modifier applied to ip6 host");
3114
3115 case Q_SCA:
3116 bpf_error("SCA host filtering not implemented");
3117
3118 case Q_LAT:
3119 bpf_error("LAT host filtering not implemented");
3120
3121 case Q_MOPDL:
3122 bpf_error("MOPDL host filtering not implemented");
3123
3124 case Q_MOPRC:
3125 bpf_error("MOPRC host filtering not implemented");
3126
3127 case Q_IPV6:
3128 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
3129
3130 case Q_ICMPV6:
3131 bpf_error("'icmp6' modifier applied to host");
3132
3133 case Q_AH:
3134 bpf_error("'ah' modifier applied to host");
3135
3136 case Q_ESP:
3137 bpf_error("'esp' modifier applied to host");
3138
3139 case Q_ISO:
3140 bpf_error("ISO host filtering not implemented");
3141
3142 case Q_ESIS:
3143 bpf_error("'esis' modifier applied to host");
3144
3145 case Q_ISIS:
3146 bpf_error("'isis' modifier applied to host");
3147
3148 case Q_CLNP:
3149 bpf_error("'clnp' modifier applied to host");
3150
3151 case Q_STP:
3152 bpf_error("'stp' modifier applied to host");
3153
3154 case Q_IPX:
3155 bpf_error("IPX host filtering not implemented");
3156
3157 case Q_NETBEUI:
3158 bpf_error("'netbeui' modifier applied to host");
3159
3160 default:
3161 abort();
3162 }
3163 /* NOTREACHED */
3164 }
3165 #endif /*INET6*/
3166
3167 #ifndef INET6
3168 static struct block *
3169 gen_gateway(eaddr, alist, proto, dir)
3170 const u_char *eaddr;
3171 bpf_u_int32 **alist;
3172 int proto;
3173 int dir;
3174 {
3175 struct block *b0, *b1, *tmp;
3176
3177 if (dir != 0)
3178 bpf_error("direction applied to 'gateway'");
3179
3180 switch (proto) {
3181 case Q_DEFAULT:
3182 case Q_IP:
3183 case Q_ARP:
3184 case Q_RARP:
3185 if (linktype == DLT_EN10MB)
3186 b0 = gen_ehostop(eaddr, Q_OR);
3187 else if (linktype == DLT_FDDI)
3188 b0 = gen_fhostop(eaddr, Q_OR);
3189 else if (linktype == DLT_IEEE802)
3190 b0 = gen_thostop(eaddr, Q_OR);
3191 else if (linktype == DLT_IEEE802_11)
3192 b0 = gen_wlanhostop(eaddr, Q_OR);
3193 else if (linktype == DLT_SUNATM && is_lane) {
3194 /*
3195 * Check that the packet doesn't begin with an
3196 * LE Control marker. (We've already generated
3197 * a test for LANE.)
3198 */
3199 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
3200 0xFF00);
3201 gen_not(b1);
3202
3203 /*
3204 * Now check the MAC address.
3205 */
3206 b0 = gen_ehostop(eaddr, Q_OR);
3207 gen_and(b1, b0);
3208 } else if (linktype == DLT_IP_OVER_FC)
3209 b0 = gen_ipfchostop(eaddr, Q_OR);
3210 else
3211 bpf_error(
3212 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
3213
3214 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
3215 while (*alist) {
3216 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
3217 gen_or(b1, tmp);
3218 b1 = tmp;
3219 }
3220 gen_not(b1);
3221 gen_and(b0, b1);
3222 return b1;
3223 }
3224 bpf_error("illegal modifier of 'gateway'");
3225 /* NOTREACHED */
3226 }
3227 #endif
3228
3229 struct block *
3230 gen_proto_abbrev(proto)
3231 int proto;
3232 {
3233 struct block *b0;
3234 struct block *b1;
3235
3236 switch (proto) {
3237
3238 case Q_SCTP:
3239 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
3240 #ifdef INET6
3241 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
3242 gen_or(b0, b1);
3243 #endif
3244 break;
3245
3246 case Q_TCP:
3247 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
3248 #ifdef INET6
3249 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
3250 gen_or(b0, b1);
3251 #endif
3252 break;
3253
3254 case Q_UDP:
3255 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
3256 #ifdef INET6
3257 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
3258 gen_or(b0, b1);
3259 #endif
3260 break;
3261
3262 case Q_ICMP:
3263 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
3264 break;
3265
3266 #ifndef IPPROTO_IGMP
3267 #define IPPROTO_IGMP 2
3268 #endif
3269
3270 case Q_IGMP:
3271 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
3272 break;
3273
3274 #ifndef IPPROTO_IGRP
3275 #define IPPROTO_IGRP 9
3276 #endif
3277 case Q_IGRP:
3278 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
3279 break;
3280
3281 #ifndef IPPROTO_PIM
3282 #define IPPROTO_PIM 103
3283 #endif
3284
3285 case Q_PIM:
3286 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
3287 #ifdef INET6
3288 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
3289 gen_or(b0, b1);
3290 #endif
3291 break;
3292
3293 #ifndef IPPROTO_VRRP
3294 #define IPPROTO_VRRP 112
3295 #endif
3296
3297 case Q_VRRP:
3298 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
3299 break;
3300
3301 case Q_IP:
3302 b1 = gen_linktype(ETHERTYPE_IP);
3303 break;
3304
3305 case Q_ARP:
3306 b1 = gen_linktype(ETHERTYPE_ARP);
3307 break;
3308
3309 case Q_RARP:
3310 b1 = gen_linktype(ETHERTYPE_REVARP);
3311 break;
3312
3313 case Q_LINK:
3314 bpf_error("link layer applied in wrong context");
3315
3316 case Q_ATALK:
3317 b1 = gen_linktype(ETHERTYPE_ATALK);
3318 break;
3319
3320 case Q_AARP:
3321 b1 = gen_linktype(ETHERTYPE_AARP);
3322 break;
3323
3324 case Q_DECNET:
3325 b1 = gen_linktype(ETHERTYPE_DN);
3326 break;
3327
3328 case Q_SCA:
3329 b1 = gen_linktype(ETHERTYPE_SCA);
3330 break;
3331
3332 case Q_LAT:
3333 b1 = gen_linktype(ETHERTYPE_LAT);
3334 break;
3335
3336 case Q_MOPDL:
3337 b1 = gen_linktype(ETHERTYPE_MOPDL);
3338 break;
3339
3340 case Q_MOPRC:
3341 b1 = gen_linktype(ETHERTYPE_MOPRC);
3342 break;
3343
3344 #ifdef INET6
3345 case Q_IPV6:
3346 b1 = gen_linktype(ETHERTYPE_IPV6);
3347 break;
3348
3349 #ifndef IPPROTO_ICMPV6
3350 #define IPPROTO_ICMPV6 58
3351 #endif
3352 case Q_ICMPV6:
3353 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
3354 break;
3355 #endif /* INET6 */
3356
3357 #ifndef IPPROTO_AH
3358 #define IPPROTO_AH 51
3359 #endif
3360 case Q_AH:
3361 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
3362 #ifdef INET6
3363 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
3364 gen_or(b0, b1);
3365 #endif
3366 break;
3367
3368 #ifndef IPPROTO_ESP
3369 #define IPPROTO_ESP 50
3370 #endif
3371 case Q_ESP:
3372 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3373 #ifdef INET6
3374 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3375 gen_or(b0, b1);
3376 #endif
3377 break;
3378
3379 case Q_ISO:
3380 b1 = gen_linktype(LLCSAP_ISONS);
3381 break;
3382
3383 case Q_ESIS:
3384 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3385 break;
3386
3387 case Q_ISIS:
3388 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3389 break;
3390
3391 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3392 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3393 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3394 gen_or(b0, b1);
3395 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3396 gen_or(b0, b1);
3397 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3398 gen_or(b0, b1);
3399 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3400 gen_or(b0, b1);
3401 break;
3402
3403 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3404 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3405 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3406 gen_or(b0, b1);
3407 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3408 gen_or(b0, b1);
3409 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3410 gen_or(b0, b1);
3411 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3412 gen_or(b0, b1);
3413 break;
3414
3415 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3416 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3417 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3418 gen_or(b0, b1);
3419 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3420 gen_or(b0, b1);
3421 break;
3422
3423 case Q_ISIS_LSP:
3424 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3425 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3426 gen_or(b0, b1);
3427 break;
3428
3429 case Q_ISIS_SNP:
3430 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3431 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3432 gen_or(b0, b1);
3433 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3434 gen_or(b0, b1);
3435 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3436 gen_or(b0, b1);
3437 break;
3438
3439 case Q_ISIS_CSNP:
3440 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3441 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3442 gen_or(b0, b1);
3443 break;
3444
3445 case Q_ISIS_PSNP:
3446 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3447 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3448 gen_or(b0, b1);
3449 break;
3450
3451 case Q_CLNP:
3452 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3453 break;
3454
3455 case Q_STP:
3456 b1 = gen_linktype(LLCSAP_8021D);
3457 break;
3458
3459 case Q_IPX:
3460 b1 = gen_linktype(LLCSAP_IPX);
3461 break;
3462
3463 case Q_NETBEUI:
3464 b1 = gen_linktype(LLCSAP_NETBEUI);
3465 break;
3466
3467 default:
3468 abort();
3469 }
3470 return b1;
3471 }
3472
3473 static struct block *
3474 gen_ipfrag()
3475 {
3476 struct slist *s;
3477 struct block *b;
3478
3479 /* not ip frag */
3480 s = gen_load_a(OR_NET, 6, BPF_H);
3481 b = new_block(JMP(BPF_JSET));
3482 b->s.k = 0x1fff;
3483 b->stmts = s;
3484 gen_not(b);
3485
3486 return b;
3487 }
3488
3489 /*
3490 * Generate a comparison to a port value in the transport-layer header
3491 * at the specified offset from the beginning of that header.
3492 *
3493 * XXX - this handles a variable-length prefix preceding the link-layer
3494 * header, such as the radiotap or AVS radio prefix, but doesn't handle
3495 * variable-length link-layer headers (such as Token Ring or 802.11
3496 * headers).
3497 */
3498 static struct block *
3499 gen_portatom(off, v)
3500 int off;
3501 bpf_int32 v;
3502 {
3503 return gen_cmp(OR_TRAN_IPV4, off, BPF_H, v);
3504 }
3505
3506 #ifdef INET6
3507 static struct block *
3508 gen_portatom6(off, v)
3509 int off;
3510 bpf_int32 v;
3511 {
3512 return gen_cmp(OR_TRAN_IPV6, off, BPF_H, v);
3513 }
3514 #endif/*INET6*/
3515
3516 struct block *
3517 gen_portop(port, proto, dir)
3518 int port, proto, dir;
3519 {
3520 struct block *b0, *b1, *tmp;
3521
3522 /* ip proto 'proto' */
3523 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
3524 b0 = gen_ipfrag();
3525 gen_and(tmp, b0);
3526
3527 switch (dir) {
3528 case Q_SRC:
3529 b1 = gen_portatom(0, (bpf_int32)port);
3530 break;
3531
3532 case Q_DST:
3533 b1 = gen_portatom(2, (bpf_int32)port);
3534 break;
3535
3536 case Q_OR:
3537 case Q_DEFAULT:
3538 tmp = gen_portatom(0, (bpf_int32)port);
3539 b1 = gen_portatom(2, (bpf_int32)port);
3540 gen_or(tmp, b1);
3541 break;
3542
3543 case Q_AND:
3544 tmp = gen_portatom(0, (bpf_int32)port);
3545 b1 = gen_portatom(2, (bpf_int32)port);
3546 gen_and(tmp, b1);
3547 break;
3548
3549 default:
3550 abort();
3551 }
3552 gen_and(b0, b1);
3553
3554 return b1;
3555 }
3556
3557 static struct block *
3558 gen_port(port, ip_proto, dir)
3559 int port;
3560 int ip_proto;
3561 int dir;
3562 {
3563 struct block *b0, *b1, *tmp;
3564
3565 /*
3566 * ether proto ip
3567 *
3568 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3569 * not LLC encapsulation with LLCSAP_IP.
3570 *
3571 * For IEEE 802 networks - which includes 802.5 token ring
3572 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3573 * says that SNAP encapsulation is used, not LLC encapsulation
3574 * with LLCSAP_IP.
3575 *
3576 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3577 * RFC 2225 say that SNAP encapsulation is used, not LLC
3578 * encapsulation with LLCSAP_IP.
3579 *
3580 * So we always check for ETHERTYPE_IP.
3581 */
3582 b0 = gen_linktype(ETHERTYPE_IP);
3583
3584 switch (ip_proto) {
3585 case IPPROTO_UDP:
3586 case IPPROTO_TCP:
3587 case IPPROTO_SCTP:
3588 b1 = gen_portop(port, ip_proto, dir);
3589 break;
3590
3591 case PROTO_UNDEF:
3592 tmp = gen_portop(port, IPPROTO_TCP, dir);
3593 b1 = gen_portop(port, IPPROTO_UDP, dir);
3594 gen_or(tmp, b1);
3595 tmp = gen_portop(port, IPPROTO_SCTP, dir);
3596 gen_or(tmp, b1);
3597 break;
3598
3599 default:
3600 abort();
3601 }
3602 gen_and(b0, b1);
3603 return b1;
3604 }
3605
3606 #ifdef INET6
3607 struct block *
3608 gen_portop6(port, proto, dir)
3609 int port, proto, dir;
3610 {
3611 struct block *b0, *b1, *tmp;
3612
3613 /* ip6 proto 'proto' */
3614 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
3615
3616 switch (dir) {
3617 case Q_SRC:
3618 b1 = gen_portatom6(0, (bpf_int32)port);
3619 break;
3620
3621 case Q_DST:
3622 b1 = gen_portatom6(2, (bpf_int32)port);
3623 break;
3624
3625 case Q_OR:
3626 case Q_DEFAULT:
3627 tmp = gen_portatom6(0, (bpf_int32)port);
3628 b1 = gen_portatom6(2, (bpf_int32)port);
3629 gen_or(tmp, b1);
3630 break;
3631
3632 case Q_AND:
3633 tmp = gen_portatom6(0, (bpf_int32)port);
3634 b1 = gen_portatom6(2, (bpf_int32)port);
3635 gen_and(tmp, b1);
3636 break;
3637
3638 default:
3639 abort();
3640 }
3641 gen_and(b0, b1);
3642
3643 return b1;
3644 }
3645
3646 static struct block *
3647 gen_port6(port, ip_proto, dir)
3648 int port;
3649 int ip_proto;
3650 int dir;
3651 {
3652 struct block *b0, *b1, *tmp;
3653
3654 /* link proto ip6 */
3655 b0 = gen_linktype(ETHERTYPE_IPV6);
3656
3657 switch (ip_proto) {
3658 case IPPROTO_UDP:
3659 case IPPROTO_TCP:
3660 case IPPROTO_SCTP:
3661 b1 = gen_portop6(port, ip_proto, dir);
3662 break;
3663
3664 case PROTO_UNDEF:
3665 tmp = gen_portop6(port, IPPROTO_TCP, dir);
3666 b1 = gen_portop6(port, IPPROTO_UDP, dir);
3667 gen_or(tmp, b1);
3668 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
3669 gen_or(tmp, b1);
3670 break;
3671
3672 default:
3673 abort();
3674 }
3675 gen_and(b0, b1);
3676 return b1;
3677 }
3678 #endif /* INET6 */
3679
3680 /* gen_portrange code */
3681 static struct block *
3682 gen_portrangeatom(off, v1, v2)
3683 int off;
3684 bpf_int32 v1, v2;
3685 {
3686 struct block *b1, *b2;
3687
3688 if (v1 > v2) {
3689 /*
3690 * Reverse the order of the ports, so v1 is the lower one.
3691 */
3692 bpf_int32 vtemp;
3693
3694 vtemp = v1;
3695 v1 = v2;
3696 v2 = vtemp;
3697 }
3698
3699 b1 = gen_cmp_ge(OR_TRAN_IPV4, off, BPF_H, v1);
3700 b2 = gen_cmp_le(OR_TRAN_IPV4, off, BPF_H, v2);
3701
3702 gen_and(b1, b2);
3703
3704 return b2;
3705 }
3706
3707 struct block *
3708 gen_portrangeop(port1, port2, proto, dir)
3709 int port1, port2;
3710 int proto;
3711 int dir;
3712 {
3713 struct block *b0, *b1, *tmp;
3714
3715 /* ip proto 'proto' */
3716 tmp = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)proto);
3717 b0 = gen_ipfrag();
3718 gen_and(tmp, b0);
3719
3720 switch (dir) {
3721 case Q_SRC:
3722 b1 = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3723 break;
3724
3725 case Q_DST:
3726 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3727 break;
3728
3729 case Q_OR:
3730 case Q_DEFAULT:
3731 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3732 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3733 gen_or(tmp, b1);
3734 break;
3735
3736 case Q_AND:
3737 tmp = gen_portrangeatom(0, (bpf_int32)port1, (bpf_int32)port2);
3738 b1 = gen_portrangeatom(2, (bpf_int32)port1, (bpf_int32)port2);
3739 gen_and(tmp, b1);
3740 break;
3741
3742 default:
3743 abort();
3744 }
3745 gen_and(b0, b1);
3746
3747 return b1;
3748 }
3749
3750 static struct block *
3751 gen_portrange(port1, port2, ip_proto, dir)
3752 int port1, port2;
3753 int ip_proto;
3754 int dir;
3755 {
3756 struct block *b0, *b1, *tmp;
3757
3758 /* link proto ip */
3759 b0 = gen_linktype(ETHERTYPE_IP);
3760
3761 switch (ip_proto) {
3762 case IPPROTO_UDP:
3763 case IPPROTO_TCP:
3764 case IPPROTO_SCTP:
3765 b1 = gen_portrangeop(port1, port2, ip_proto, dir);
3766 break;
3767
3768 case PROTO_UNDEF:
3769 tmp = gen_portrangeop(port1, port2, IPPROTO_TCP, dir);
3770 b1 = gen_portrangeop(port1, port2, IPPROTO_UDP, dir);
3771 gen_or(tmp, b1);
3772 tmp = gen_portrangeop(port1, port2, IPPROTO_SCTP, dir);
3773 gen_or(tmp, b1);
3774 break;
3775
3776 default:
3777 abort();
3778 }
3779 gen_and(b0, b1);
3780 return b1;
3781 }
3782
3783 #ifdef INET6
3784 static struct block *
3785 gen_portrangeatom6(off, v1, v2)
3786 int off;
3787 bpf_int32 v1, v2;
3788 {
3789 struct block *b1, *b2;
3790
3791 if (v1 > v2) {
3792 /*
3793 * Reverse the order of the ports, so v1 is the lower one.
3794 */
3795 bpf_int32 vtemp;
3796
3797 vtemp = v1;
3798 v1 = v2;
3799 v2 = vtemp;
3800 }
3801
3802 b1 = gen_cmp_ge(OR_TRAN_IPV6, off, BPF_H, v1);
3803 b2 = gen_cmp_le(OR_TRAN_IPV6, off, BPF_H, v2);
3804
3805 gen_and(b1, b2);
3806
3807 return b2;
3808 }
3809
3810 struct block *
3811 gen_portrangeop6(port1, port2, proto, dir)
3812 int port1, port2;
3813 int proto;
3814 int dir;
3815 {
3816 struct block *b0, *b1, *tmp;
3817
3818 /* ip6 proto 'proto' */
3819 b0 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)proto);
3820
3821 switch (dir) {
3822 case Q_SRC:
3823 b1 = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
3824 break;
3825
3826 case Q_DST:
3827 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
3828 break;
3829
3830 case Q_OR:
3831 case Q_DEFAULT:
3832 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
3833 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
3834 gen_or(tmp, b1);
3835 break;
3836
3837 case Q_AND:
3838 tmp = gen_portrangeatom6(0, (bpf_int32)port1, (bpf_int32)port2);
3839 b1 = gen_portrangeatom6(2, (bpf_int32)port1, (bpf_int32)port2);
3840 gen_and(tmp, b1);
3841 break;
3842
3843 default:
3844 abort();
3845 }
3846 gen_and(b0, b1);
3847
3848 return b1;
3849 }
3850
3851 static struct block *
3852 gen_portrange6(port1, port2, ip_proto, dir)
3853 int port1, port2;
3854 int ip_proto;
3855 int dir;
3856 {
3857 struct block *b0, *b1, *tmp;
3858
3859 /* link proto ip6 */
3860 b0 = gen_linktype(ETHERTYPE_IPV6);
3861
3862 switch (ip_proto) {
3863 case IPPROTO_UDP:
3864 case IPPROTO_TCP:
3865 case IPPROTO_SCTP:
3866 b1 = gen_portrangeop6(port1, port2, ip_proto, dir);
3867 break;
3868
3869 case PROTO_UNDEF:
3870 tmp = gen_portrangeop6(port1, port2, IPPROTO_TCP, dir);
3871 b1 = gen_portrangeop6(port1, port2, IPPROTO_UDP, dir);
3872 gen_or(tmp, b1);
3873 tmp = gen_portrangeop6(port1, port2, IPPROTO_SCTP, dir);
3874 gen_or(tmp, b1);
3875 break;
3876
3877 default:
3878 abort();
3879 }
3880 gen_and(b0, b1);
3881 return b1;
3882 }
3883 #endif /* INET6 */
3884
3885 static int
3886 lookup_proto(name, proto)
3887 register const char *name;
3888 register int proto;
3889 {
3890 register int v;
3891
3892 switch (proto) {
3893
3894 case Q_DEFAULT:
3895 case Q_IP:
3896 case Q_IPV6:
3897 v = pcap_nametoproto(name);
3898 if (v == PROTO_UNDEF)
3899 bpf_error("unknown ip proto '%s'", name);
3900 break;
3901
3902 case Q_LINK:
3903 /* XXX should look up h/w protocol type based on linktype */
3904 v = pcap_nametoeproto(name);
3905 if (v == PROTO_UNDEF) {
3906 v = pcap_nametollc(name);
3907 if (v == PROTO_UNDEF)
3908 bpf_error("unknown ether proto '%s'", name);
3909 }
3910 break;
3911
3912 case Q_ISO:
3913 if (strcmp(name, "esis") == 0)
3914 v = ISO9542_ESIS;
3915 else if (strcmp(name, "isis") == 0)
3916 v = ISO10589_ISIS;
3917 else if (strcmp(name, "clnp") == 0)
3918 v = ISO8473_CLNP;
3919 else
3920 bpf_error("unknown osi proto '%s'", name);
3921 break;
3922
3923 default:
3924 v = PROTO_UNDEF;
3925 break;
3926 }
3927 return v;
3928 }
3929
3930 #if 0
3931 struct stmt *
3932 gen_joinsp(s, n)
3933 struct stmt **s;
3934 int n;
3935 {
3936 return NULL;
3937 }
3938 #endif
3939
3940 static struct block *
3941 gen_protochain(v, proto, dir)
3942 int v;
3943 int proto;
3944 int dir;
3945 {
3946 #ifdef NO_PROTOCHAIN
3947 return gen_proto(v, proto, dir);
3948 #else
3949 struct block *b0, *b;
3950 struct slist *s[100];
3951 int fix2, fix3, fix4, fix5;
3952 int ahcheck, again, end;
3953 int i, max;
3954 int reg2 = alloc_reg();
3955
3956 memset(s, 0, sizeof(s));
3957 fix2 = fix3 = fix4 = fix5 = 0;
3958
3959 switch (proto) {
3960 case Q_IP:
3961 case Q_IPV6:
3962 break;
3963 case Q_DEFAULT:
3964 b0 = gen_protochain(v, Q_IP, dir);
3965 b = gen_protochain(v, Q_IPV6, dir);
3966 gen_or(b0, b);
3967 return b;
3968 default:
3969 bpf_error("bad protocol applied for 'protochain'");
3970 /*NOTREACHED*/
3971 }
3972
3973 /*
3974 * We don't handle variable-length radiotap here headers yet.
3975 * We might want to add BPF instructions to do the protochain
3976 * work, to simplify that and, on platforms that have a BPF
3977 * interpreter with the new instructions, let the filtering
3978 * be done in the kernel. (We already require a modified BPF
3979 * engine to do the protochain stuff, to support backward
3980 * branches, and backward branch support is unlikely to appear
3981 * in kernel BPF engines.)
3982 */
3983 if (linktype == DLT_IEEE802_11_RADIO)
3984 bpf_error("'protochain' not supported with radiotap headers");
3985
3986 no_optimize = 1; /*this code is not compatible with optimzer yet */
3987
3988 /*
3989 * s[0] is a dummy entry to protect other BPF insn from damage
3990 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
3991 * hard to find interdependency made by jump table fixup.
3992 */
3993 i = 0;
3994 s[i] = new_stmt(0); /*dummy*/
3995 i++;
3996
3997 switch (proto) {
3998 case Q_IP:
3999 b0 = gen_linktype(ETHERTYPE_IP);
4000
4001 /* A = ip->ip_p */
4002 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4003 s[i]->s.k = off_nl + 9;
4004 i++;
4005 /* X = ip->ip_hl << 2 */
4006 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4007 s[i]->s.k = off_nl;
4008 i++;
4009 break;
4010 #ifdef INET6
4011 case Q_IPV6:
4012 b0 = gen_linktype(ETHERTYPE_IPV6);
4013
4014 /* A = ip6->ip_nxt */
4015 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
4016 s[i]->s.k = off_nl + 6;
4017 i++;
4018 /* X = sizeof(struct ip6_hdr) */
4019 s[i] = new_stmt(BPF_LDX|BPF_IMM);
4020 s[i]->s.k = 40;
4021 i++;
4022 break;
4023 #endif
4024 default:
4025 bpf_error("unsupported proto to gen_protochain");
4026 /*NOTREACHED*/
4027 }
4028
4029 /* again: if (A == v) goto end; else fall through; */
4030 again = i;
4031 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4032 s[i]->s.k = v;
4033 s[i]->s.jt = NULL; /*later*/
4034 s[i]->s.jf = NULL; /*update in next stmt*/
4035 fix5 = i;
4036 i++;
4037
4038 #ifndef IPPROTO_NONE
4039 #define IPPROTO_NONE 59
4040 #endif
4041 /* if (A == IPPROTO_NONE) goto end */
4042 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4043 s[i]->s.jt = NULL; /*later*/
4044 s[i]->s.jf = NULL; /*update in next stmt*/
4045 s[i]->s.k = IPPROTO_NONE;
4046 s[fix5]->s.jf = s[i];
4047 fix2 = i;
4048 i++;
4049
4050 #ifdef INET6
4051 if (proto == Q_IPV6) {
4052 int v6start, v6end, v6advance, j;
4053
4054 v6start = i;
4055 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
4056 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4057 s[i]->s.jt = NULL; /*later*/
4058 s[i]->s.jf = NULL; /*update in next stmt*/
4059 s[i]->s.k = IPPROTO_HOPOPTS;
4060 s[fix2]->s.jf = s[i];
4061 i++;
4062 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
4063 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4064 s[i]->s.jt = NULL; /*later*/
4065 s[i]->s.jf = NULL; /*update in next stmt*/
4066 s[i]->s.k = IPPROTO_DSTOPTS;
4067 i++;
4068 /* if (A == IPPROTO_ROUTING) goto v6advance */
4069 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4070 s[i]->s.jt = NULL; /*later*/
4071 s[i]->s.jf = NULL; /*update in next stmt*/
4072 s[i]->s.k = IPPROTO_ROUTING;
4073 i++;
4074 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
4075 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4076 s[i]->s.jt = NULL; /*later*/
4077 s[i]->s.jf = NULL; /*later*/
4078 s[i]->s.k = IPPROTO_FRAGMENT;
4079 fix3 = i;
4080 v6end = i;
4081 i++;
4082
4083 /* v6advance: */
4084 v6advance = i;
4085
4086 /*
4087 * in short,
4088 * A = P[X];
4089 * X = X + (P[X + 1] + 1) * 8;
4090 */
4091 /* A = X */
4092 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4093 i++;
4094 /* A = P[X + packet head] */
4095 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4096 s[i]->s.k = off_nl;
4097 i++;
4098 /* MEM[reg2] = A */
4099 s[i] = new_stmt(BPF_ST);
4100 s[i]->s.k = reg2;
4101 i++;
4102 /* A = X */
4103 s[i] = new_stmt(BPF_MISC|BPF_TXA);
4104 i++;
4105 /* A += 1 */
4106 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4107 s[i]->s.k = 1;
4108 i++;
4109 /* X = A */
4110 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4111 i++;
4112 /* A = P[X + packet head]; */
4113 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4114 s[i]->s.k = off_nl;
4115 i++;
4116 /* A += 1 */
4117 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4118 s[i]->s.k = 1;
4119 i++;
4120 /* A *= 8 */
4121 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4122 s[i]->s.k = 8;
4123 i++;
4124 /* X = A; */
4125 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4126 i++;
4127 /* A = MEM[reg2] */
4128 s[i] = new_stmt(BPF_LD|BPF_MEM);
4129 s[i]->s.k = reg2;
4130 i++;
4131
4132 /* goto again; (must use BPF_JA for backward jump) */
4133 s[i] = new_stmt(BPF_JMP|BPF_JA);
4134 s[i]->s.k = again - i - 1;
4135 s[i - 1]->s.jf = s[i];
4136 i++;
4137
4138 /* fixup */
4139 for (j = v6start; j <= v6end; j++)
4140 s[j]->s.jt = s[v6advance];
4141 } else
4142 #endif
4143 {
4144 /* nop */
4145 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4146 s[i]->s.k = 0;
4147 s[fix2]->s.jf = s[i];
4148 i++;
4149 }
4150
4151 /* ahcheck: */
4152 ahcheck = i;
4153 /* if (A == IPPROTO_AH) then fall through; else goto end; */
4154 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
4155 s[i]->s.jt = NULL; /*later*/
4156 s[i]->s.jf = NULL; /*later*/
4157 s[i]->s.k = IPPROTO_AH;
4158 if (fix3)
4159 s[fix3]->s.jf = s[ahcheck];
4160 fix4 = i;
4161 i++;
4162
4163 /*
4164 * in short,
4165 * A = P[X];
4166 * X = X + (P[X + 1] + 2) * 4;
4167 */
4168 /* A = X */
4169 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4170 i++;
4171 /* A = P[X + packet head]; */
4172 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4173 s[i]->s.k = off_nl;
4174 i++;
4175 /* MEM[reg2] = A */
4176 s[i] = new_stmt(BPF_ST);
4177 s[i]->s.k = reg2;
4178 i++;
4179 /* A = X */
4180 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
4181 i++;
4182 /* A += 1 */
4183 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4184 s[i]->s.k = 1;
4185 i++;
4186 /* X = A */
4187 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4188 i++;
4189 /* A = P[X + packet head] */
4190 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
4191 s[i]->s.k = off_nl;
4192 i++;
4193 /* A += 2 */
4194 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4195 s[i]->s.k = 2;
4196 i++;
4197 /* A *= 4 */
4198 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
4199 s[i]->s.k = 4;
4200 i++;
4201 /* X = A; */
4202 s[i] = new_stmt(BPF_MISC|BPF_TAX);
4203 i++;
4204 /* A = MEM[reg2] */
4205 s[i] = new_stmt(BPF_LD|BPF_MEM);
4206 s[i]->s.k = reg2;
4207 i++;
4208
4209 /* goto again; (must use BPF_JA for backward jump) */
4210 s[i] = new_stmt(BPF_JMP|BPF_JA);
4211 s[i]->s.k = again - i - 1;
4212 i++;
4213
4214 /* end: nop */
4215 end = i;
4216 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
4217 s[i]->s.k = 0;
4218 s[fix2]->s.jt = s[end];
4219 s[fix4]->s.jf = s[end];
4220 s[fix5]->s.jt = s[end];
4221 i++;
4222
4223 /*
4224 * make slist chain
4225 */
4226 max = i;
4227 for (i = 0; i < max - 1; i++)
4228 s[i]->next = s[i + 1];
4229 s[max - 1]->next = NULL;
4230
4231 /*
4232 * emit final check
4233 */
4234 b = new_block(JMP(BPF_JEQ));
4235 b->stmts = s[1]; /*remember, s[0] is dummy*/
4236 b->s.k = v;
4237
4238 free_reg(reg2);
4239
4240 gen_and(b0, b);
4241 return b;
4242 #endif
4243 }
4244
4245 /*
4246 * Generate code that checks whether the packet is a packet for protocol
4247 * <proto> and whether the type field in that protocol's header has
4248 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
4249 * IP packet and checks the protocol number in the IP header against <v>.
4250 *
4251 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
4252 * against Q_IP and Q_IPV6.
4253 */
4254 static struct block *
4255 gen_proto(v, proto, dir)
4256 int v;
4257 int proto;
4258 int dir;
4259 {
4260 struct block *b0, *b1;
4261
4262 if (dir != Q_DEFAULT)
4263 bpf_error("direction applied to 'proto'");
4264
4265 switch (proto) {
4266 case Q_DEFAULT:
4267 #ifdef INET6
4268 b0 = gen_proto(v, Q_IP, dir);
4269 b1 = gen_proto(v, Q_IPV6, dir);
4270 gen_or(b0, b1);
4271 return b1;
4272 #else
4273 /*FALLTHROUGH*/
4274 #endif
4275 case Q_IP:
4276 /*
4277 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
4278 * not LLC encapsulation with LLCSAP_IP.
4279 *
4280 * For IEEE 802 networks - which includes 802.5 token ring
4281 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
4282 * says that SNAP encapsulation is used, not LLC encapsulation
4283 * with LLCSAP_IP.
4284 *
4285 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
4286 * RFC 2225 say that SNAP encapsulation is used, not LLC
4287 * encapsulation with LLCSAP_IP.
4288 *
4289 * So we always check for ETHERTYPE_IP.
4290 */
4291 b0 = gen_linktype(ETHERTYPE_IP);
4292 #ifndef CHASE_CHAIN
4293 b1 = gen_cmp(OR_NET, 9, BPF_B, (bpf_int32)v);
4294 #else
4295 b1 = gen_protochain(v, Q_IP);
4296 #endif
4297 gen_and(b0, b1);
4298 return b1;
4299
4300 case Q_ISO:
4301 switch (linktype) {
4302
4303 case DLT_FRELAY:
4304 /*
4305 * Frame Relay packets typically have an OSI
4306 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
4307 * generates code to check for all the OSI
4308 * NLPIDs, so calling it and then adding a check
4309 * for the particular NLPID for which we're
4310 * looking is bogus, as we can just check for
4311 * the NLPID.
4312 *
4313 * What we check for is the NLPID and a frame
4314 * control field value of UI, i.e. 0x03 followed
4315 * by the NLPID.
4316 *
4317 * XXX - assumes a 2-byte Frame Relay header with
4318 * DLCI and flags. What if the address is longer?
4319 *
4320 * XXX - what about SNAP-encapsulated frames?
4321 */
4322 return gen_cmp(OR_LINK, 2, BPF_H, (0x03<<8) | v);
4323 /*NOTREACHED*/
4324 break;
4325
4326 case DLT_C_HDLC:
4327 /*
4328 * Cisco uses an Ethertype lookalike - for OSI,
4329 * it's 0xfefe.
4330 */
4331 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
4332 /* OSI in C-HDLC is stuffed with a fudge byte */
4333 b1 = gen_cmp(OR_NET_NOSNAP, 1, BPF_B, (long)v);
4334 gen_and(b0, b1);
4335 return b1;
4336
4337 default:
4338 b0 = gen_linktype(LLCSAP_ISONS);
4339 b1 = gen_cmp(OR_NET_NOSNAP, 0, BPF_B, (long)v);
4340 gen_and(b0, b1);
4341 return b1;
4342 }
4343
4344 case Q_ISIS:
4345 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
4346 /*
4347 * 4 is the offset of the PDU type relative to the IS-IS
4348 * header.
4349 */
4350 b1 = gen_cmp(OR_NET_NOSNAP, 4, BPF_B, (long)v);
4351 gen_and(b0, b1);
4352 return b1;
4353
4354 case Q_ARP:
4355 bpf_error("arp does not encapsulate another protocol");
4356 /* NOTREACHED */
4357
4358 case Q_RARP:
4359 bpf_error("rarp does not encapsulate another protocol");
4360 /* NOTREACHED */
4361
4362 case Q_ATALK:
4363 bpf_error("atalk encapsulation is not specifiable");
4364 /* NOTREACHED */
4365
4366 case Q_DECNET:
4367 bpf_error("decnet encapsulation is not specifiable");
4368 /* NOTREACHED */
4369
4370 case Q_SCA:
4371 bpf_error("sca does not encapsulate another protocol");
4372 /* NOTREACHED */
4373
4374 case Q_LAT:
4375 bpf_error("lat does not encapsulate another protocol");
4376 /* NOTREACHED */
4377
4378 case Q_MOPRC:
4379 bpf_error("moprc does not encapsulate another protocol");
4380 /* NOTREACHED */
4381
4382 case Q_MOPDL:
4383 bpf_error("mopdl does not encapsulate another protocol");
4384 /* NOTREACHED */
4385
4386 case Q_LINK:
4387 return gen_linktype(v);
4388
4389 case Q_UDP:
4390 bpf_error("'udp proto' is bogus");
4391 /* NOTREACHED */
4392
4393 case Q_TCP:
4394 bpf_error("'tcp proto' is bogus");
4395 /* NOTREACHED */
4396
4397 case Q_SCTP:
4398 bpf_error("'sctp proto' is bogus");
4399 /* NOTREACHED */
4400
4401 case Q_ICMP:
4402 bpf_error("'icmp proto' is bogus");
4403 /* NOTREACHED */
4404
4405 case Q_IGMP:
4406 bpf_error("'igmp proto' is bogus");
4407 /* NOTREACHED */
4408
4409 case Q_IGRP:
4410 bpf_error("'igrp proto' is bogus");
4411 /* NOTREACHED */
4412
4413 case Q_PIM:
4414 bpf_error("'pim proto' is bogus");
4415 /* NOTREACHED */
4416
4417 case Q_VRRP:
4418 bpf_error("'vrrp proto' is bogus");
4419 /* NOTREACHED */
4420
4421 #ifdef INET6
4422 case Q_IPV6:
4423 b0 = gen_linktype(ETHERTYPE_IPV6);
4424 #ifndef CHASE_CHAIN
4425 b1 = gen_cmp(OR_NET, 6, BPF_B, (bpf_int32)v);
4426 #else
4427 b1 = gen_protochain(v, Q_IPV6);
4428 #endif
4429 gen_and(b0, b1);
4430 return b1;
4431
4432 case Q_ICMPV6:
4433 bpf_error("'icmp6 proto' is bogus");
4434 #endif /* INET6 */
4435
4436 case Q_AH:
4437 bpf_error("'ah proto' is bogus");
4438
4439 case Q_ESP:
4440 bpf_error("'ah proto' is bogus");
4441
4442 case Q_STP:
4443 bpf_error("'stp proto' is bogus");
4444
4445 case Q_IPX:
4446 bpf_error("'ipx proto' is bogus");
4447
4448 case Q_NETBEUI:
4449 bpf_error("'netbeui proto' is bogus");
4450
4451 default:
4452 abort();
4453 /* NOTREACHED */
4454 }
4455 /* NOTREACHED */
4456 }
4457
4458 struct block *
4459 gen_scode(name, q)
4460 register const char *name;
4461 struct qual q;
4462 {
4463 int proto = q.proto;
4464 int dir = q.dir;
4465 int tproto;
4466 u_char *eaddr;
4467 bpf_u_int32 mask, addr;
4468 #ifndef INET6
4469 bpf_u_int32 **alist;
4470 #else
4471 int tproto6;
4472 struct sockaddr_in *sin;
4473 struct sockaddr_in6 *sin6;
4474 struct addrinfo *res, *res0;
4475 struct in6_addr mask128;
4476 #endif /*INET6*/
4477 struct block *b, *tmp;
4478 int port, real_proto;
4479 int port1, port2;
4480
4481 switch (q.addr) {
4482
4483 case Q_NET:
4484 addr = pcap_nametonetaddr(name);
4485 if (addr == 0)
4486 bpf_error("unknown network '%s'", name);
4487 /* Left justify network addr and calculate its network mask */
4488 mask = 0xffffffff;
4489 while (addr && (addr & 0xff000000) == 0) {
4490 addr <<= 8;
4491 mask <<= 8;
4492 }
4493 return gen_host(addr, mask, proto, dir);
4494
4495 case Q_DEFAULT:
4496 case Q_HOST:
4497 if (proto == Q_LINK) {
4498 switch (linktype) {
4499
4500 case DLT_EN10MB:
4501 eaddr = pcap_ether_hostton(name);
4502 if (eaddr == NULL)
4503 bpf_error(
4504 "unknown ether host '%s'", name);
4505 b = gen_ehostop(eaddr, dir);
4506 free(eaddr);
4507 return b;
4508
4509 case DLT_FDDI:
4510 eaddr = pcap_ether_hostton(name);
4511 if (eaddr == NULL)
4512 bpf_error(
4513 "unknown FDDI host '%s'", name);
4514 b = gen_fhostop(eaddr, dir);
4515 free(eaddr);
4516 return b;
4517
4518 case DLT_IEEE802:
4519 eaddr = pcap_ether_hostton(name);
4520 if (eaddr == NULL)
4521 bpf_error(
4522 "unknown token ring host '%s'", name);
4523 b = gen_thostop(eaddr, dir);
4524 free(eaddr);
4525 return b;
4526
4527 case DLT_IEEE802_11:
4528 eaddr = pcap_ether_hostton(name);
4529 if (eaddr == NULL)
4530 bpf_error(
4531 "unknown 802.11 host '%s'", name);
4532 b = gen_wlanhostop(eaddr, dir);
4533 free(eaddr);
4534 return b;
4535
4536 case DLT_IP_OVER_FC:
4537 eaddr = pcap_ether_hostton(name);
4538 if (eaddr == NULL)
4539 bpf_error(
4540 "unknown Fibre Channel host '%s'", name);
4541 b = gen_ipfchostop(eaddr, dir);
4542 free(eaddr);
4543 return b;
4544
4545 case DLT_SUNATM:
4546 if (!is_lane)
4547 break;
4548
4549 /*
4550 * Check that the packet doesn't begin
4551 * with an LE Control marker. (We've
4552 * already generated a test for LANE.)
4553 */
4554 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS,
4555 BPF_H, 0xFF00);
4556 gen_not(tmp);
4557
4558 eaddr = pcap_ether_hostton(name);
4559 if (eaddr == NULL)
4560 bpf_error(
4561 "unknown ether host '%s'", name);
4562 b = gen_ehostop(eaddr, dir);
4563 gen_and(tmp, b);
4564 free(eaddr);
4565 return b;
4566 }
4567
4568 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
4569 } else if (proto == Q_DECNET) {
4570 unsigned short dn_addr = __pcap_nametodnaddr(name);
4571 /*
4572 * I don't think DECNET hosts can be multihomed, so
4573 * there is no need to build up a list of addresses
4574 */
4575 return (gen_host(dn_addr, 0, proto, dir));
4576 } else {
4577 #ifndef INET6
4578 alist = pcap_nametoaddr(name);
4579 if (alist == NULL || *alist == NULL)
4580 bpf_error("unknown host '%s'", name);
4581 tproto = proto;
4582 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
4583 tproto = Q_IP;
4584 b = gen_host(**alist++, 0xffffffff, tproto, dir);
4585 while (*alist) {
4586 tmp = gen_host(**alist++, 0xffffffff,
4587 tproto, dir);
4588 gen_or(b, tmp);
4589 b = tmp;
4590 }
4591 return b;
4592 #else
4593 memset(&mask128, 0xff, sizeof(mask128));
4594 res0 = res = pcap_nametoaddrinfo(name);
4595 if (res == NULL)
4596 bpf_error("unknown host '%s'", name);
4597 b = tmp = NULL;
4598 tproto = tproto6 = proto;
4599 if (off_linktype == -1 && tproto == Q_DEFAULT) {
4600 tproto = Q_IP;
4601 tproto6 = Q_IPV6;
4602 }
4603 for (res = res0; res; res = res->ai_next) {
4604 switch (res->ai_family) {
4605 case AF_INET:
4606 if (tproto == Q_IPV6)
4607 continue;
4608
4609 sin = (struct sockaddr_in *)
4610 res->ai_addr;
4611 tmp = gen_host(ntohl(sin->sin_addr.s_addr),
4612 0xffffffff, tproto, dir);
4613 break;
4614 case AF_INET6:
4615 if (tproto6 == Q_IP)
4616 continue;
4617
4618 sin6 = (struct sockaddr_in6 *)
4619 res->ai_addr;
4620 tmp = gen_host6(&sin6->sin6_addr,
4621 &mask128, tproto6, dir);
4622 break;
4623 default:
4624 continue;
4625 }
4626 if (b)
4627 gen_or(b, tmp);
4628 b = tmp;
4629 }
4630 freeaddrinfo(res0);
4631 if (b == NULL) {
4632 bpf_error("unknown host '%s'%s", name,
4633 (proto == Q_DEFAULT)
4634 ? ""
4635 : " for specified address family");
4636 }
4637 return b;
4638 #endif /*INET6*/
4639 }
4640
4641 case Q_PORT:
4642 if (proto != Q_DEFAULT &&
4643 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4644 bpf_error("illegal qualifier of 'port'");
4645 if (pcap_nametoport(name, &port, &real_proto) == 0)
4646 bpf_error("unknown port '%s'", name);
4647 if (proto == Q_UDP) {
4648 if (real_proto == IPPROTO_TCP)
4649 bpf_error("port '%s' is tcp", name);
4650 else if (real_proto == IPPROTO_SCTP)
4651 bpf_error("port '%s' is sctp", name);
4652 else
4653 /* override PROTO_UNDEF */
4654 real_proto = IPPROTO_UDP;
4655 }
4656 if (proto == Q_TCP) {
4657 if (real_proto == IPPROTO_UDP)
4658 bpf_error("port '%s' is udp", name);
4659
4660 else if (real_proto == IPPROTO_SCTP)
4661 bpf_error("port '%s' is sctp", name);
4662 else
4663 /* override PROTO_UNDEF */
4664 real_proto = IPPROTO_TCP;
4665 }
4666 if (proto == Q_SCTP) {
4667 if (real_proto == IPPROTO_UDP)
4668 bpf_error("port '%s' is udp", name);
4669
4670 else if (real_proto == IPPROTO_TCP)
4671 bpf_error("port '%s' is tcp", name);
4672 else
4673 /* override PROTO_UNDEF */
4674 real_proto = IPPROTO_SCTP;
4675 }
4676 #ifndef INET6
4677 return gen_port(port, real_proto, dir);
4678 #else
4679 {
4680 struct block *b;
4681 b = gen_port(port, real_proto, dir);
4682 gen_or(gen_port6(port, real_proto, dir), b);
4683 return b;
4684 }
4685 #endif /* INET6 */
4686
4687 case Q_PORTRANGE:
4688 if (proto != Q_DEFAULT &&
4689 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4690 bpf_error("illegal qualifier of 'portrange'");
4691 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
4692 bpf_error("unknown port in range '%s'", name);
4693 if (proto == Q_UDP) {
4694 if (real_proto == IPPROTO_TCP)
4695 bpf_error("port in range '%s' is tcp", name);
4696 else if (real_proto == IPPROTO_SCTP)
4697 bpf_error("port in range '%s' is sctp", name);
4698 else
4699 /* override PROTO_UNDEF */
4700 real_proto = IPPROTO_UDP;
4701 }
4702 if (proto == Q_TCP) {
4703 if (real_proto == IPPROTO_UDP)
4704 bpf_error("port in range '%s' is udp", name);
4705 else if (real_proto == IPPROTO_SCTP)
4706 bpf_error("port in range '%s' is sctp", name);
4707 else
4708 /* override PROTO_UNDEF */
4709 real_proto = IPPROTO_TCP;
4710 }
4711 if (proto == Q_SCTP) {
4712 if (real_proto == IPPROTO_UDP)
4713 bpf_error("port in range '%s' is udp", name);
4714 else if (real_proto == IPPROTO_TCP)
4715 bpf_error("port in range '%s' is tcp", name);
4716 else
4717 /* override PROTO_UNDEF */
4718 real_proto = IPPROTO_SCTP;
4719 }
4720 #ifndef INET6
4721 return gen_portrange(port1, port2, real_proto, dir);
4722 #else
4723 {
4724 struct block *b;
4725 b = gen_portrange(port1, port2, real_proto, dir);
4726 gen_or(gen_portrange6(port1, port2, real_proto, dir), b);
4727 return b;
4728 }
4729 #endif /* INET6 */
4730
4731 case Q_GATEWAY:
4732 #ifndef INET6
4733 eaddr = pcap_ether_hostton(name);
4734 if (eaddr == NULL)
4735 bpf_error("unknown ether host: %s", name);
4736
4737 alist = pcap_nametoaddr(name);
4738 if (alist == NULL || *alist == NULL)
4739 bpf_error("unknown host '%s'", name);
4740 b = gen_gateway(eaddr, alist, proto, dir);
4741 free(eaddr);
4742 return b;
4743 #else
4744 bpf_error("'gateway' not supported in this configuration");
4745 #endif /*INET6*/
4746
4747 case Q_PROTO:
4748 real_proto = lookup_proto(name, proto);
4749 if (real_proto >= 0)
4750 return gen_proto(real_proto, proto, dir);
4751 else
4752 bpf_error("unknown protocol: %s", name);
4753
4754 case Q_PROTOCHAIN:
4755 real_proto = lookup_proto(name, proto);
4756 if (real_proto >= 0)
4757 return gen_protochain(real_proto, proto, dir);
4758 else
4759 bpf_error("unknown protocol: %s", name);
4760
4761
4762 case Q_UNDEF:
4763 syntax();
4764 /* NOTREACHED */
4765 }
4766 abort();
4767 /* NOTREACHED */
4768 }
4769
4770 struct block *
4771 gen_mcode(s1, s2, masklen, q)
4772 register const char *s1, *s2;
4773 register int masklen;
4774 struct qual q;
4775 {
4776 register int nlen, mlen;
4777 bpf_u_int32 n, m;
4778
4779 nlen = __pcap_atoin(s1, &n);
4780 /* Promote short ipaddr */
4781 n <<= 32 - nlen;
4782
4783 if (s2 != NULL) {
4784 mlen = __pcap_atoin(s2, &m);
4785 /* Promote short ipaddr */
4786 m <<= 32 - mlen;
4787 if ((n & ~m) != 0)
4788 bpf_error("non-network bits set in \"%s mask %s\"",
4789 s1, s2);
4790 } else {
4791 /* Convert mask len to mask */
4792 if (masklen > 32)
4793 bpf_error("mask length must be <= 32");
4794 m = 0xffffffff << (32 - masklen);
4795 if ((n & ~m) != 0)
4796 bpf_error("non-network bits set in \"%s/%d\"",
4797 s1, masklen);
4798 }
4799
4800 switch (q.addr) {
4801
4802 case Q_NET:
4803 return gen_host(n, m, q.proto, q.dir);
4804
4805 default:
4806 bpf_error("Mask syntax for networks only");
4807 /* NOTREACHED */
4808 }
4809 /* NOTREACHED */
4810 }
4811
4812 struct block *
4813 gen_ncode(s, v, q)
4814 register const char *s;
4815 bpf_u_int32 v;
4816 struct qual q;
4817 {
4818 bpf_u_int32 mask;
4819 int proto = q.proto;
4820 int dir = q.dir;
4821 register int vlen;
4822
4823 if (s == NULL)
4824 vlen = 32;
4825 else if (q.proto == Q_DECNET)
4826 vlen = __pcap_atodn(s, &v);
4827 else
4828 vlen = __pcap_atoin(s, &v);
4829
4830 switch (q.addr) {
4831
4832 case Q_DEFAULT:
4833 case Q_HOST:
4834 case Q_NET:
4835 if (proto == Q_DECNET)
4836 return gen_host(v, 0, proto, dir);
4837 else if (proto == Q_LINK) {
4838 bpf_error("illegal link layer address");
4839 } else {
4840 mask = 0xffffffff;
4841 if (s == NULL && q.addr == Q_NET) {
4842 /* Promote short net number */
4843 while (v && (v & 0xff000000) == 0) {
4844 v <<= 8;
4845 mask <<= 8;
4846 }
4847 } else {
4848 /* Promote short ipaddr */
4849 v <<= 32 - vlen;
4850 mask <<= 32 - vlen;
4851 }
4852 return gen_host(v, mask, proto, dir);
4853 }
4854
4855 case Q_PORT:
4856 if (proto == Q_UDP)
4857 proto = IPPROTO_UDP;
4858 else if (proto == Q_TCP)
4859 proto = IPPROTO_TCP;
4860 else if (proto == Q_SCTP)
4861 proto = IPPROTO_SCTP;
4862 else if (proto == Q_DEFAULT)
4863 proto = PROTO_UNDEF;
4864 else
4865 bpf_error("illegal qualifier of 'port'");
4866
4867 #ifndef INET6
4868 return gen_port((int)v, proto, dir);
4869 #else
4870 {
4871 struct block *b;
4872 b = gen_port((int)v, proto, dir);
4873 gen_or(gen_port6((int)v, proto, dir), b);
4874 return b;
4875 }
4876 #endif /* INET6 */
4877
4878 case Q_PORTRANGE:
4879 if (proto == Q_UDP)
4880 proto = IPPROTO_UDP;
4881 else if (proto == Q_TCP)
4882 proto = IPPROTO_TCP;
4883 else if (proto == Q_SCTP)
4884 proto = IPPROTO_SCTP;
4885 else if (proto == Q_DEFAULT)
4886 proto = PROTO_UNDEF;
4887 else
4888 bpf_error("illegal qualifier of 'portrange'");
4889
4890 #ifndef INET6
4891 return gen_portrange((int)v, (int)v, proto, dir);
4892 #else
4893 {
4894 struct block *b;
4895 b = gen_portrange((int)v, (int)v, proto, dir);
4896 gen_or(gen_portrange6((int)v, (int)v, proto, dir), b);
4897 return b;
4898 }
4899 #endif /* INET6 */
4900
4901 case Q_GATEWAY:
4902 bpf_error("'gateway' requires a name");
4903 /* NOTREACHED */
4904
4905 case Q_PROTO:
4906 return gen_proto((int)v, proto, dir);
4907
4908 case Q_PROTOCHAIN:
4909 return gen_protochain((int)v, proto, dir);
4910
4911 case Q_UNDEF:
4912 syntax();
4913 /* NOTREACHED */
4914
4915 default:
4916 abort();
4917 /* NOTREACHED */
4918 }
4919 /* NOTREACHED */
4920 }
4921
4922 #ifdef INET6
4923 struct block *
4924 gen_mcode6(s1, s2, masklen, q)
4925 register const char *s1, *s2;
4926 register int masklen;
4927 struct qual q;
4928 {
4929 struct addrinfo *res;
4930 struct in6_addr *addr;
4931 struct in6_addr mask;
4932 struct block *b;
4933 u_int32_t *a, *m;
4934
4935 if (s2)
4936 bpf_error("no mask %s supported", s2);
4937
4938 res = pcap_nametoaddrinfo(s1);
4939 if (!res)
4940 bpf_error("invalid ip6 address %s", s1);
4941 if (res->ai_next)
4942 bpf_error("%s resolved to multiple address", s1);
4943 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
4944
4945 if (sizeof(mask) * 8 < masklen)
4946 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
4947 memset(&mask, 0, sizeof(mask));
4948 memset(&mask, 0xff, masklen / 8);
4949 if (masklen % 8) {
4950 mask.s6_addr[masklen / 8] =
4951 (0xff << (8 - masklen % 8)) & 0xff;
4952 }
4953
4954 a = (u_int32_t *)addr;
4955 m = (u_int32_t *)&mask;
4956 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
4957 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
4958 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
4959 }
4960
4961 switch (q.addr) {
4962
4963 case Q_DEFAULT:
4964 case Q_HOST:
4965 if (masklen != 128)
4966 bpf_error("Mask syntax for networks only");
4967 /* FALLTHROUGH */
4968
4969 case Q_NET:
4970 b = gen_host6(addr, &mask, q.proto, q.dir);
4971 freeaddrinfo(res);
4972 return b;
4973
4974 default:
4975 bpf_error("invalid qualifier against IPv6 address");
4976 /* NOTREACHED */
4977 }
4978 }
4979 #endif /*INET6*/
4980
4981 struct block *
4982 gen_ecode(eaddr, q)
4983 register const u_char *eaddr;
4984 struct qual q;
4985 {
4986 struct block *b, *tmp;
4987
4988 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
4989 if (linktype == DLT_EN10MB)
4990 return gen_ehostop(eaddr, (int)q.dir);
4991 if (linktype == DLT_FDDI)
4992 return gen_fhostop(eaddr, (int)q.dir);
4993 if (linktype == DLT_IEEE802)
4994 return gen_thostop(eaddr, (int)q.dir);
4995 if (linktype == DLT_IEEE802_11)
4996 return gen_wlanhostop(eaddr, (int)q.dir);
4997 if (linktype == DLT_SUNATM && is_lane) {
4998 /*
4999 * Check that the packet doesn't begin with an
5000 * LE Control marker. (We've already generated
5001 * a test for LANE.)
5002 */
5003 tmp = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5004 0xFF00);
5005 gen_not(tmp);
5006
5007 /*
5008 * Now check the MAC address.
5009 */
5010 b = gen_ehostop(eaddr, (int)q.dir);
5011 gen_and(tmp, b);
5012 return b;
5013 }
5014 if (linktype == DLT_IP_OVER_FC)
5015 return gen_ipfchostop(eaddr, (int)q.dir);
5016 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5017 }
5018 bpf_error("ethernet address used in non-ether expression");
5019 /* NOTREACHED */
5020 }
5021
5022 void
5023 sappend(s0, s1)
5024 struct slist *s0, *s1;
5025 {
5026 /*
5027 * This is definitely not the best way to do this, but the
5028 * lists will rarely get long.
5029 */
5030 while (s0->next)
5031 s0 = s0->next;
5032 s0->next = s1;
5033 }
5034
5035 static struct slist *
5036 xfer_to_x(a)
5037 struct arth *a;
5038 {
5039 struct slist *s;
5040
5041 s = new_stmt(BPF_LDX|BPF_MEM);
5042 s->s.k = a->regno;
5043 return s;
5044 }
5045
5046 static struct slist *
5047 xfer_to_a(a)
5048 struct arth *a;
5049 {
5050 struct slist *s;
5051
5052 s = new_stmt(BPF_LD|BPF_MEM);
5053 s->s.k = a->regno;
5054 return s;
5055 }
5056
5057 /*
5058 * Modify "index" to use the value stored into its register as an
5059 * offset relative to the beginning of the header for the protocol
5060 * "proto", and allocate a register and put an item "size" bytes long
5061 * (1, 2, or 4) at that offset into that register, making it the register
5062 * for "index".
5063 */
5064 struct arth *
5065 gen_load(proto, index, size)
5066 int proto;
5067 struct arth *index;
5068 int size;
5069 {
5070 struct slist *s, *tmp;
5071 struct block *b;
5072 int regno = alloc_reg();
5073
5074 free_reg(index->regno);
5075 switch (size) {
5076
5077 default:
5078 bpf_error("data size must be 1, 2, or 4");
5079
5080 case 1:
5081 size = BPF_B;
5082 break;
5083
5084 case 2:
5085 size = BPF_H;
5086 break;
5087
5088 case 4:
5089 size = BPF_W;
5090 break;
5091 }
5092 switch (proto) {
5093 default:
5094 bpf_error("unsupported index operation");
5095
5096 case Q_LINK:
5097 /*
5098 * The offset is relative to the beginning of
5099 * the link-layer header.
5100 *
5101 * XXX - what about ATM LANE? Should the index be
5102 * relative to the beginning of the AAL5 frame, so
5103 * that 0 refers to the beginning of the LE Control
5104 * field, or relative to the beginning of the LAN
5105 * frame, so that 0 refers, for Ethernet LANE, to
5106 * the beginning of the destination address?
5107 */
5108 s = gen_llprefixlen();
5109
5110 /*
5111 * If "s" is non-null, it has code to arrange that the
5112 * X register contains the length of the prefix preceding
5113 * the link-layer header. Add to it the offset computed
5114 * into the register specified by "index", and move that
5115 * into the X register. Otherwise, just load into the X
5116 * register the offset computed into the register specifed
5117 * by "index".
5118 */
5119 if (s != NULL) {
5120 sappend(s, xfer_to_a(index));
5121 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5122 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5123 } else
5124 s = xfer_to_x(index);
5125
5126 /*
5127 * Load the item at the offset we've put in the X register.
5128 */
5129 tmp = new_stmt(BPF_LD|BPF_IND|size);
5130 sappend(s, tmp);
5131 sappend(index->s, s);
5132 break;
5133
5134 case Q_IP:
5135 case Q_ARP:
5136 case Q_RARP:
5137 case Q_ATALK:
5138 case Q_DECNET:
5139 case Q_SCA:
5140 case Q_LAT:
5141 case Q_MOPRC:
5142 case Q_MOPDL:
5143 #ifdef INET6
5144 case Q_IPV6:
5145 #endif
5146 /*
5147 * The offset is relative to the beginning of
5148 * the network-layer header.
5149 * XXX - are there any cases where we want
5150 * off_nl_nosnap?
5151 */
5152 s = gen_llprefixlen();
5153
5154 /*
5155 * If "s" is non-null, it has code to arrange that the
5156 * X register contains the length of the prefix preceding
5157 * the link-layer header. Add to it the offset computed
5158 * into the register specified by "index", and move that
5159 * into the X register. Otherwise, just load into the X
5160 * register the offset computed into the register specifed
5161 * by "index".
5162 */
5163 if (s != NULL) {
5164 sappend(s, xfer_to_a(index));
5165 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5166 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5167 } else
5168 s = xfer_to_x(index);
5169
5170 /*
5171 * Load the item at the sum of the offset we've put in the
5172 * X register and the offset of the start of the network
5173 * layer header.
5174 */
5175 tmp = new_stmt(BPF_LD|BPF_IND|size);
5176 tmp->s.k = off_nl;
5177 sappend(s, tmp);
5178 sappend(index->s, s);
5179
5180 /*
5181 * Do the computation only if the packet contains
5182 * the protocol in question.
5183 */
5184 b = gen_proto_abbrev(proto);
5185 if (index->b)
5186 gen_and(index->b, b);
5187 index->b = b;
5188 break;
5189
5190 case Q_SCTP:
5191 case Q_TCP:
5192 case Q_UDP:
5193 case Q_ICMP:
5194 case Q_IGMP:
5195 case Q_IGRP:
5196 case Q_PIM:
5197 case Q_VRRP:
5198 /*
5199 * The offset is relative to the beginning of
5200 * the transport-layer header.
5201 * XXX - are there any cases where we want
5202 * off_nl_nosnap?
5203 * XXX - we should, if we're built with
5204 * IPv6 support, generate code to load either
5205 * IPv4, IPv6, or both, as appropriate.
5206 */
5207 s = gen_loadx_iphdrlen();
5208
5209 /*
5210 * The X register now contains the sum of the offset
5211 * of the beginning of the link-layer header and
5212 * the length of the network-layer header. Load
5213 * into the A register the offset relative to
5214 * the beginning of the transport layer header,
5215 * add the X register to that, move that to the
5216 * X register, and load with an offset from the
5217 * X register equal to the offset of the network
5218 * layer header relative to the beginning of
5219 * the link-layer header.
5220 */
5221 sappend(s, xfer_to_a(index));
5222 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
5223 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
5224 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
5225 tmp->s.k = off_nl;
5226 sappend(index->s, s);
5227
5228 /*
5229 * Do the computation only if the packet contains
5230 * the protocol in question - which is true only
5231 * if this is an IP datagram and is the first or
5232 * only fragment of that datagram.
5233 */
5234 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
5235 if (index->b)
5236 gen_and(index->b, b);
5237 #ifdef INET6
5238 gen_and(gen_proto_abbrev(Q_IP), b);
5239 #endif
5240 index->b = b;
5241 break;
5242 #ifdef INET6
5243 case Q_ICMPV6:
5244 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
5245 /*NOTREACHED*/
5246 #endif
5247 }
5248 index->regno = regno;
5249 s = new_stmt(BPF_ST);
5250 s->s.k = regno;
5251 sappend(index->s, s);
5252
5253 return index;
5254 }
5255
5256 struct block *
5257 gen_relation(code, a0, a1, reversed)
5258 int code;
5259 struct arth *a0, *a1;
5260 int reversed;
5261 {
5262 struct slist *s0, *s1, *s2;
5263 struct block *b, *tmp;
5264
5265 s0 = xfer_to_x(a1);
5266 s1 = xfer_to_a(a0);
5267 if (code == BPF_JEQ) {
5268 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
5269 b = new_block(JMP(code));
5270 sappend(s1, s2);
5271 }
5272 else
5273 b = new_block(BPF_JMP|code|BPF_X);
5274 if (reversed)
5275 gen_not(b);
5276
5277 sappend(s0, s1);
5278 sappend(a1->s, s0);
5279 sappend(a0->s, a1->s);
5280
5281 b->stmts = a0->s;
5282
5283 free_reg(a0->regno);
5284 free_reg(a1->regno);
5285
5286 /* 'and' together protocol checks */
5287 if (a0->b) {
5288 if (a1->b) {
5289 gen_and(a0->b, tmp = a1->b);
5290 }
5291 else
5292 tmp = a0->b;
5293 } else
5294 tmp = a1->b;
5295
5296 if (tmp)
5297 gen_and(tmp, b);
5298
5299 return b;
5300 }
5301
5302 struct arth *
5303 gen_loadlen()
5304 {
5305 int regno = alloc_reg();
5306 struct arth *a = (struct arth *)newchunk(sizeof(*a));
5307 struct slist *s;
5308
5309 s = new_stmt(BPF_LD|BPF_LEN);
5310 s->next = new_stmt(BPF_ST);
5311 s->next->s.k = regno;
5312 a->s = s;
5313 a->regno = regno;
5314
5315 return a;
5316 }
5317
5318 struct arth *
5319 gen_loadi(val)
5320 int val;
5321 {
5322 struct arth *a;
5323 struct slist *s;
5324 int reg;
5325
5326 a = (struct arth *)newchunk(sizeof(*a));
5327
5328 reg = alloc_reg();
5329
5330 s = new_stmt(BPF_LD|BPF_IMM);
5331 s->s.k = val;
5332 s->next = new_stmt(BPF_ST);
5333 s->next->s.k = reg;
5334 a->s = s;
5335 a->regno = reg;
5336
5337 return a;
5338 }
5339
5340 struct arth *
5341 gen_neg(a)
5342 struct arth *a;
5343 {
5344 struct slist *s;
5345
5346 s = xfer_to_a(a);
5347 sappend(a->s, s);
5348 s = new_stmt(BPF_ALU|BPF_NEG);
5349 s->s.k = 0;
5350 sappend(a->s, s);
5351 s = new_stmt(BPF_ST);
5352 s->s.k = a->regno;
5353 sappend(a->s, s);
5354
5355 return a;
5356 }
5357
5358 struct arth *
5359 gen_arth(code, a0, a1)
5360 int code;
5361 struct arth *a0, *a1;
5362 {
5363 struct slist *s0, *s1, *s2;
5364
5365 s0 = xfer_to_x(a1);
5366 s1 = xfer_to_a(a0);
5367 s2 = new_stmt(BPF_ALU|BPF_X|code);
5368
5369 sappend(s1, s2);
5370 sappend(s0, s1);
5371 sappend(a1->s, s0);
5372 sappend(a0->s, a1->s);
5373
5374 free_reg(a0->regno);
5375 free_reg(a1->regno);
5376
5377 s0 = new_stmt(BPF_ST);
5378 a0->regno = s0->s.k = alloc_reg();
5379 sappend(a0->s, s0);
5380
5381 return a0;
5382 }
5383
5384 /*
5385 * Here we handle simple allocation of the scratch registers.
5386 * If too many registers are alloc'd, the allocator punts.
5387 */
5388 static int regused[BPF_MEMWORDS];
5389 static int curreg;
5390
5391 /*
5392 * Return the next free register.
5393 */
5394 static int
5395 alloc_reg()
5396 {
5397 int n = BPF_MEMWORDS;
5398
5399 while (--n >= 0) {
5400 if (regused[curreg])
5401 curreg = (curreg + 1) % BPF_MEMWORDS;
5402 else {
5403 regused[curreg] = 1;
5404 return curreg;
5405 }
5406 }
5407 bpf_error("too many registers needed to evaluate expression");
5408 /* NOTREACHED */
5409 }
5410
5411 /*
5412 * Return a register to the table so it can
5413 * be used later.
5414 */
5415 static void
5416 free_reg(n)
5417 int n;
5418 {
5419 regused[n] = 0;
5420 }
5421
5422 static struct block *
5423 gen_len(jmp, n)
5424 int jmp, n;
5425 {
5426 struct slist *s;
5427 struct block *b;
5428
5429 s = new_stmt(BPF_LD|BPF_LEN);
5430 b = new_block(JMP(jmp));
5431 b->stmts = s;
5432 b->s.k = n;
5433
5434 return b;
5435 }
5436
5437 struct block *
5438 gen_greater(n)
5439 int n;
5440 {
5441 return gen_len(BPF_JGE, n);
5442 }
5443
5444 /*
5445 * Actually, this is less than or equal.
5446 */
5447 struct block *
5448 gen_less(n)
5449 int n;
5450 {
5451 struct block *b;
5452
5453 b = gen_len(BPF_JGT, n);
5454 gen_not(b);
5455
5456 return b;
5457 }
5458
5459 /*
5460 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
5461 * the beginning of the link-layer header.
5462 * XXX - that means you can't test values in the radiotap header, but
5463 * as that header is difficult if not impossible to parse generally
5464 * without a loop, that might not be a severe problem. A new keyword
5465 * "radio" could be added for that, although what you'd really want
5466 * would be a way of testing particular radio header values, which
5467 * would generate code appropriate to the radio header in question.
5468 */
5469 struct block *
5470 gen_byteop(op, idx, val)
5471 int op, idx, val;
5472 {
5473 struct block *b;
5474 struct slist *s;
5475
5476 switch (op) {
5477 default:
5478 abort();
5479
5480 case '=':
5481 return gen_cmp(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5482
5483 case '<':
5484 b = gen_cmp_lt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5485 return b;
5486
5487 case '>':
5488 b = gen_cmp_gt(OR_LINK, (u_int)idx, BPF_B, (bpf_int32)val);
5489 return b;
5490
5491 case '|':
5492 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
5493 break;
5494
5495 case '&':
5496 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
5497 break;
5498 }
5499 s->s.k = val;
5500 b = new_block(JMP(BPF_JEQ));
5501 b->stmts = s;
5502 gen_not(b);
5503
5504 return b;
5505 }
5506
5507 static u_char abroadcast[] = { 0x0 };
5508
5509 struct block *
5510 gen_broadcast(proto)
5511 int proto;
5512 {
5513 bpf_u_int32 hostmask;
5514 struct block *b0, *b1, *b2;
5515 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
5516
5517 switch (proto) {
5518
5519 case Q_DEFAULT:
5520 case Q_LINK:
5521 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5522 return gen_ahostop(abroadcast, Q_DST);
5523 if (linktype == DLT_EN10MB)
5524 return gen_ehostop(ebroadcast, Q_DST);
5525 if (linktype == DLT_FDDI)
5526 return gen_fhostop(ebroadcast, Q_DST);
5527 if (linktype == DLT_IEEE802)
5528 return gen_thostop(ebroadcast, Q_DST);
5529 if (linktype == DLT_IEEE802_11 ||
5530 linktype == DLT_IEEE802_11_RADIO_AVS ||
5531 linktype == DLT_IEEE802_11_RADIO ||
5532 linktype == DLT_PRISM_HEADER)
5533 return gen_wlanhostop(ebroadcast, Q_DST);
5534 if (linktype == DLT_IP_OVER_FC)
5535 return gen_ipfchostop(ebroadcast, Q_DST);
5536 if (linktype == DLT_SUNATM && is_lane) {
5537 /*
5538 * Check that the packet doesn't begin with an
5539 * LE Control marker. (We've already generated
5540 * a test for LANE.)
5541 */
5542 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5543 0xFF00);
5544 gen_not(b1);
5545
5546 /*
5547 * Now check the MAC address.
5548 */
5549 b0 = gen_ehostop(ebroadcast, Q_DST);
5550 gen_and(b1, b0);
5551 return b0;
5552 }
5553 bpf_error("not a broadcast link");
5554 break;
5555
5556 case Q_IP:
5557 b0 = gen_linktype(ETHERTYPE_IP);
5558 hostmask = ~netmask;
5559 b1 = gen_mcmp(OR_NET, 16, BPF_W, (bpf_int32)0, hostmask);
5560 b2 = gen_mcmp(OR_NET, 16, BPF_W,
5561 (bpf_int32)(~0 & hostmask), hostmask);
5562 gen_or(b1, b2);
5563 gen_and(b0, b2);
5564 return b2;
5565 }
5566 bpf_error("only link-layer/IP broadcast filters supported");
5567 /* NOTREACHED */
5568 }
5569
5570 /*
5571 * Generate code to test the low-order bit of a MAC address (that's
5572 * the bottom bit of the *first* byte).
5573 */
5574 static struct block *
5575 gen_mac_multicast(offset)
5576 int offset;
5577 {
5578 register struct block *b0;
5579 register struct slist *s;
5580
5581 /* link[offset] & 1 != 0 */
5582 s = gen_load_a(OR_LINK, offset, BPF_B);
5583 b0 = new_block(JMP(BPF_JSET));
5584 b0->s.k = 1;
5585 b0->stmts = s;
5586 return b0;
5587 }
5588
5589 struct block *
5590 gen_multicast(proto)
5591 int proto;
5592 {
5593 register struct block *b0, *b1, *b2;
5594 register struct slist *s;
5595
5596 switch (proto) {
5597
5598 case Q_DEFAULT:
5599 case Q_LINK:
5600 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5601 /* all ARCnet multicasts use the same address */
5602 return gen_ahostop(abroadcast, Q_DST);
5603
5604 if (linktype == DLT_EN10MB) {
5605 /* ether[0] & 1 != 0 */
5606 return gen_mac_multicast(0);
5607 }
5608
5609 if (linktype == DLT_FDDI) {
5610 /*
5611 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
5612 *
5613 * XXX - was that referring to bit-order issues?
5614 */
5615 /* fddi[1] & 1 != 0 */
5616 return gen_mac_multicast(1);
5617 }
5618
5619 if (linktype == DLT_IEEE802) {
5620 /* tr[2] & 1 != 0 */
5621 return gen_mac_multicast(2);
5622 }
5623
5624 if (linktype == DLT_IEEE802_11) {
5625 /*
5626 * Oh, yuk.
5627 *
5628 * For control frames, there is no DA.
5629 *
5630 * For management frames, DA is at an
5631 * offset of 4 from the beginning of
5632 * the packet.
5633 *
5634 * For data frames, DA is at an offset
5635 * of 4 from the beginning of the packet
5636 * if To DS is clear and at an offset of
5637 * 16 from the beginning of the packet
5638 * if To DS is set.
5639 */
5640
5641 /*
5642 * Generate the tests to be done for data frames.
5643 *
5644 * First, check for To DS set, i.e. "link[1] & 0x01".
5645 */
5646 s = gen_load_a(OR_LINK, 1, BPF_B);
5647 b1 = new_block(JMP(BPF_JSET));
5648 b1->s.k = 0x01; /* To DS */
5649 b1->stmts = s;
5650
5651 /*
5652 * If To DS is set, the DA is at 16.
5653 */
5654 b0 = gen_mac_multicast(16);
5655 gen_and(b1, b0);
5656
5657 /*
5658 * Now, check for To DS not set, i.e. check
5659 * "!(link[1] & 0x01)".
5660 */
5661 s = gen_load_a(OR_LINK, 1, BPF_B);
5662 b2 = new_block(JMP(BPF_JSET));
5663 b2->s.k = 0x01; /* To DS */
5664 b2->stmts = s;
5665 gen_not(b2);
5666
5667 /*
5668 * If To DS is not set, the DA is at 4.
5669 */
5670 b1 = gen_mac_multicast(4);
5671 gen_and(b2, b1);
5672
5673 /*
5674 * Now OR together the last two checks. That gives
5675 * the complete set of checks for data frames.
5676 */
5677 gen_or(b1, b0);
5678
5679 /*
5680 * Now check for a data frame.
5681 * I.e, check "link[0] & 0x08".
5682 */
5683 s = gen_load_a(OR_LINK, 0, BPF_B);
5684 b1 = new_block(JMP(BPF_JSET));
5685 b1->s.k = 0x08;
5686 b1->stmts = s;
5687
5688 /*
5689 * AND that with the checks done for data frames.
5690 */
5691 gen_and(b1, b0);
5692
5693 /*
5694 * If the high-order bit of the type value is 0, this
5695 * is a management frame.
5696 * I.e, check "!(link[0] & 0x08)".
5697 */
5698 s = gen_load_a(OR_LINK, 0, BPF_B);
5699 b2 = new_block(JMP(BPF_JSET));
5700 b2->s.k = 0x08;
5701 b2->stmts = s;
5702 gen_not(b2);
5703
5704 /*
5705 * For management frames, the DA is at 4.
5706 */
5707 b1 = gen_mac_multicast(4);
5708 gen_and(b2, b1);
5709
5710 /*
5711 * OR that with the checks done for data frames.
5712 * That gives the checks done for management and
5713 * data frames.
5714 */
5715 gen_or(b1, b0);
5716
5717 /*
5718 * If the low-order bit of the type value is 1,
5719 * this is either a control frame or a frame
5720 * with a reserved type, and thus not a
5721 * frame with an SA.
5722 *
5723 * I.e., check "!(link[0] & 0x04)".
5724 */
5725 s = gen_load_a(OR_LINK, 0, BPF_B);
5726 b1 = new_block(JMP(BPF_JSET));
5727 b1->s.k = 0x04;
5728 b1->stmts = s;
5729 gen_not(b1);
5730
5731 /*
5732 * AND that with the checks for data and management
5733 * frames.
5734 */
5735 gen_and(b1, b0);
5736 return b0;
5737 }
5738
5739 if (linktype == DLT_IP_OVER_FC) {
5740 b0 = gen_mac_multicast(2);
5741 return b0;
5742 }
5743
5744 if (linktype == DLT_SUNATM && is_lane) {
5745 /*
5746 * Check that the packet doesn't begin with an
5747 * LE Control marker. (We've already generated
5748 * a test for LANE.)
5749 */
5750 b1 = gen_cmp(OR_LINK, SUNATM_PKT_BEGIN_POS, BPF_H,
5751 0xFF00);
5752 gen_not(b1);
5753
5754 /* ether[off_mac] & 1 != 0 */
5755 b0 = gen_mac_multicast(off_mac);
5756 gen_and(b1, b0);
5757 return b0;
5758 }
5759
5760 /* Link not known to support multicasts */
5761 break;
5762
5763 case Q_IP:
5764 b0 = gen_linktype(ETHERTYPE_IP);
5765 b1 = gen_cmp_ge(OR_NET, 16, BPF_B, (bpf_int32)224);
5766 gen_and(b0, b1);
5767 return b1;
5768
5769 #ifdef INET6
5770 case Q_IPV6:
5771 b0 = gen_linktype(ETHERTYPE_IPV6);
5772 b1 = gen_cmp(OR_NET, 24, BPF_B, (bpf_int32)255);
5773 gen_and(b0, b1);
5774 return b1;
5775 #endif /* INET6 */
5776 }
5777 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
5778 /* NOTREACHED */
5779 }
5780
5781 /*
5782 * generate command for inbound/outbound. It's here so we can
5783 * make it link-type specific. 'dir' = 0 implies "inbound",
5784 * = 1 implies "outbound".
5785 */
5786 struct block *
5787 gen_inbound(dir)
5788 int dir;
5789 {
5790 register struct block *b0;
5791
5792 /*
5793 * Only some data link types support inbound/outbound qualifiers.
5794 */
5795 switch (linktype) {
5796 case DLT_SLIP:
5797 b0 = gen_relation(BPF_JEQ,
5798 gen_load(Q_LINK, gen_loadi(0), 1),
5799 gen_loadi(0),
5800 dir);
5801 break;
5802
5803 case DLT_LINUX_SLL:
5804 if (dir) {
5805 /*
5806 * Match packets sent by this machine.
5807 */
5808 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_OUTGOING);
5809 } else {
5810 /*
5811 * Match packets sent to this machine.
5812 * (No broadcast or multicast packets, or
5813 * packets sent to some other machine and
5814 * received promiscuously.)
5815 *
5816 * XXX - packets sent to other machines probably
5817 * shouldn't be matched, but what about broadcast
5818 * or multicast packets we received?
5819 */
5820 b0 = gen_cmp(OR_LINK, 0, BPF_H, LINUX_SLL_HOST);
5821 }
5822 break;
5823
5824 case DLT_PFLOG:
5825 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, dir), BPF_B,
5826 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
5827 break;
5828
5829 case DLT_PPP_PPPD:
5830 if (dir) {
5831 /* match outgoing packets */
5832 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_OUT);
5833 } else {
5834 /* match incoming packets */
5835 b0 = gen_cmp(OR_LINK, 0, BPF_B, PPP_PPPD_IN);
5836 }
5837 break;
5838
5839 case DLT_JUNIPER_MLFR:
5840 case DLT_JUNIPER_MLPPP:
5841 case DLT_JUNIPER_ATM1:
5842 case DLT_JUNIPER_ATM2:
5843 /* juniper flags (including direction) are stored
5844 * the byte after the 3-byte magic number */
5845 if (dir) {
5846 /* match outgoing packets */
5847 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 0, 0x01);
5848 } else {
5849 /* match incoming packets */
5850 b0 = gen_mcmp(OR_LINK, 3, BPF_B, 1, 0x01);
5851 }
5852 break;
5853
5854 default:
5855 bpf_error("inbound/outbound not supported on linktype %d",
5856 linktype);
5857 b0 = NULL;
5858 /* NOTREACHED */
5859 }
5860 return (b0);
5861 }
5862
5863 /* PF firewall log matched interface */
5864 struct block *
5865 gen_pf_ifname(const char *ifname)
5866 {
5867 struct block *b0;
5868 u_int len, off;
5869
5870 if (linktype == DLT_PFLOG) {
5871 len = sizeof(((struct pfloghdr *)0)->ifname);
5872 off = offsetof(struct pfloghdr, ifname);
5873 } else {
5874 bpf_error("ifname not supported on linktype 0x%x", linktype);
5875 /* NOTREACHED */
5876 }
5877 if (strlen(ifname) >= len) {
5878 bpf_error("ifname interface names can only be %d characters",
5879 len-1);
5880 /* NOTREACHED */
5881 }
5882 b0 = gen_bcmp(OR_LINK, off, strlen(ifname), (const u_char *)ifname);
5883 return (b0);
5884 }
5885
5886 /* PF firewall log matched interface */
5887 struct block *
5888 gen_pf_ruleset(char *ruleset)
5889 {
5890 struct block *b0;
5891
5892 if (linktype != DLT_PFLOG) {
5893 bpf_error("ruleset not supported on linktype 0x%x", linktype);
5894 /* NOTREACHED */
5895 }
5896 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
5897 bpf_error("ruleset names can only be %ld characters",
5898 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
5899 /* NOTREACHED */
5900 }
5901 b0 = gen_bcmp(OR_LINK, offsetof(struct pfloghdr, ruleset),
5902 strlen(ruleset), (const u_char *)ruleset);
5903 return (b0);
5904 }
5905
5906 /* PF firewall log rule number */
5907 struct block *
5908 gen_pf_rnr(int rnr)
5909 {
5910 struct block *b0;
5911
5912 if (linktype == DLT_PFLOG) {
5913 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, rulenr), BPF_W,
5914 (bpf_int32)rnr);
5915 } else {
5916 bpf_error("rnr not supported on linktype 0x%x", linktype);
5917 /* NOTREACHED */
5918 }
5919
5920 return (b0);
5921 }
5922
5923 /* PF firewall log sub-rule number */
5924 struct block *
5925 gen_pf_srnr(int srnr)
5926 {
5927 struct block *b0;
5928
5929 if (linktype != DLT_PFLOG) {
5930 bpf_error("srnr not supported on linktype 0x%x", linktype);
5931 /* NOTREACHED */
5932 }
5933
5934 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, subrulenr), BPF_W,
5935 (bpf_int32)srnr);
5936 return (b0);
5937 }
5938
5939 /* PF firewall log reason code */
5940 struct block *
5941 gen_pf_reason(int reason)
5942 {
5943 struct block *b0;
5944
5945 if (linktype == DLT_PFLOG) {
5946 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, reason), BPF_B,
5947 (bpf_int32)reason);
5948 } else {
5949 bpf_error("reason not supported on linktype 0x%x", linktype);
5950 /* NOTREACHED */
5951 }
5952
5953 return (b0);
5954 }
5955
5956 /* PF firewall log action */
5957 struct block *
5958 gen_pf_action(int action)
5959 {
5960 struct block *b0;
5961
5962 if (linktype == DLT_PFLOG) {
5963 b0 = gen_cmp(OR_LINK, offsetof(struct pfloghdr, action), BPF_B,
5964 (bpf_int32)action);
5965 } else {
5966 bpf_error("action not supported on linktype 0x%x", linktype);
5967 /* NOTREACHED */
5968 }
5969
5970 return (b0);
5971 }
5972
5973 struct block *
5974 gen_acode(eaddr, q)
5975 register const u_char *eaddr;
5976 struct qual q;
5977 {
5978 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5979 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5980 return gen_ahostop(eaddr, (int)q.dir);
5981 }
5982 bpf_error("ARCnet address used in non-arc expression");
5983 /* NOTREACHED */
5984 }
5985
5986 static struct block *
5987 gen_ahostop(eaddr, dir)
5988 register const u_char *eaddr;
5989 register int dir;
5990 {
5991 register struct block *b0, *b1;
5992
5993 switch (dir) {
5994 /* src comes first, different from Ethernet */
5995 case Q_SRC:
5996 return gen_bcmp(OR_LINK, 0, 1, eaddr);
5997
5998 case Q_DST:
5999 return gen_bcmp(OR_LINK, 1, 1, eaddr);
6000
6001 case Q_AND:
6002 b0 = gen_ahostop(eaddr, Q_SRC);
6003 b1 = gen_ahostop(eaddr, Q_DST);
6004 gen_and(b0, b1);
6005 return b1;
6006
6007 case Q_DEFAULT:
6008 case Q_OR:
6009 b0 = gen_ahostop(eaddr, Q_SRC);
6010 b1 = gen_ahostop(eaddr, Q_DST);
6011 gen_or(b0, b1);
6012 return b1;
6013 }
6014 abort();
6015 /* NOTREACHED */
6016 }
6017
6018 /*
6019 * support IEEE 802.1Q VLAN trunk over ethernet
6020 */
6021 struct block *
6022 gen_vlan(vlan_num)
6023 int vlan_num;
6024 {
6025 struct block *b0;
6026
6027 /*
6028 * Change the offsets to point to the type and data fields within
6029 * the VLAN packet. Just increment the offsets, so that we
6030 * can support a hierarchy, e.g. "vlan 300 && vlan 200" to
6031 * capture VLAN 200 encapsulated within VLAN 100.
6032 *
6033 * XXX - this is a bit of a kludge. If we were to split the
6034 * compiler into a parser that parses an expression and
6035 * generates an expression tree, and a code generator that
6036 * takes an expression tree (which could come from our
6037 * parser or from some other parser) and generates BPF code,
6038 * we could perhaps make the offsets parameters of routines
6039 * and, in the handler for an "AND" node, pass to subnodes
6040 * other than the VLAN node the adjusted offsets.
6041 *
6042 * This would mean that "vlan" would, instead of changing the
6043 * behavior of *all* tests after it, change only the behavior
6044 * of tests ANDed with it. That would change the documented
6045 * semantics of "vlan", which might break some expressions.
6046 * However, it would mean that "(vlan and ip) or ip" would check
6047 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
6048 * checking only for VLAN-encapsulated IP, so that could still
6049 * be considered worth doing; it wouldn't break expressions
6050 * that are of the form "vlan and ..." or "vlan N and ...",
6051 * which I suspect are the most common expressions involving
6052 * "vlan". "vlan or ..." doesn't necessarily do what the user
6053 * would really want, now, as all the "or ..." tests would
6054 * be done assuming a VLAN, even though the "or" could be viewed
6055 * as meaning "or, if this isn't a VLAN packet...".
6056 */
6057 orig_linktype = off_linktype; /* save original values */
6058 orig_nl = off_nl;
6059
6060 switch (linktype) {
6061
6062 case DLT_EN10MB:
6063 off_linktype += 4;
6064 off_nl_nosnap += 4;
6065 off_nl += 4;
6066 break;
6067
6068 default:
6069 bpf_error("no VLAN support for data link type %d",
6070 linktype);
6071 /*NOTREACHED*/
6072 }
6073
6074 /* check for VLAN */
6075 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
6076
6077 /* If a specific VLAN is requested, check VLAN id */
6078 if (vlan_num >= 0) {
6079 struct block *b1;
6080
6081 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_H, (bpf_int32)vlan_num,
6082 0x0fff);
6083 gen_and(b0, b1);
6084 b0 = b1;
6085 }
6086
6087 return (b0);
6088 }
6089
6090 /*
6091 * support for MPLS
6092 */
6093 struct block *
6094 gen_mpls(label_num)
6095 int label_num;
6096 {
6097 struct block *b0;
6098
6099 /*
6100 * Change the offsets to point to the type and data fields within
6101 * the MPLS packet. Just increment the offsets, so that we
6102 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
6103 * capture packets with an outer label of 100000 and an inner
6104 * label of 1024.
6105 *
6106 * XXX - this is a bit of a kludge. See comments in gen_vlan().
6107 */
6108 orig_linktype = off_linktype; /* save original values */
6109 orig_nl = off_nl;
6110
6111 switch (linktype) {
6112
6113 case DLT_C_HDLC: /* fall through */
6114 case DLT_EN10MB:
6115 off_linktype += 4;
6116 off_nl_nosnap += 4;
6117 off_nl += 4;
6118
6119 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H,
6120 (bpf_int32)ETHERTYPE_MPLS);
6121 break;
6122
6123 case DLT_PPP:
6124 off_linktype += 4;
6125 off_nl_nosnap += 4;
6126 off_nl += 4;
6127
6128 b0 = gen_cmp(OR_LINK, orig_linktype, BPF_H,
6129 (bpf_int32)PPP_MPLS_UCAST);
6130 break;
6131
6132 /* FIXME add other DLT_s ...
6133 * for Frame-Relay/and ATM this may get messy due to SNAP headers
6134 * leave it for now */
6135
6136 default:
6137 bpf_error("no MPLS support for data link type %d",
6138 linktype);
6139 b0 = NULL;
6140 /*NOTREACHED*/
6141 break;
6142 }
6143
6144 /* If a specific MPLS label is requested, check it */
6145 if (label_num >= 0) {
6146 struct block *b1;
6147
6148 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
6149 b1 = gen_mcmp(OR_LINK, orig_nl, BPF_W, (bpf_int32)label_num,
6150 0xfffff000); /* only compare the first 20 bits */
6151 gen_and(b0, b1);
6152 b0 = b1;
6153 }
6154
6155 return (b0);
6156 }
6157
6158 struct block *
6159 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
6160 int atmfield;
6161 bpf_int32 jvalue;
6162 bpf_u_int32 jtype;
6163 int reverse;
6164 {
6165 struct block *b0;
6166
6167 switch (atmfield) {
6168
6169 case A_VPI:
6170 if (!is_atm)
6171 bpf_error("'vpi' supported only on raw ATM");
6172 if (off_vpi == (u_int)-1)
6173 abort();
6174 b0 = gen_ncmp(OR_LINK, off_vpi, BPF_B, 0xffffffff, jtype,
6175 reverse, jvalue);
6176 break;
6177
6178 case A_VCI:
6179 if (!is_atm)
6180 bpf_error("'vci' supported only on raw ATM");
6181 if (off_vci == (u_int)-1)
6182 abort();
6183 b0 = gen_ncmp(OR_LINK, off_vci, BPF_H, 0xffffffff, jtype,
6184 reverse, jvalue);
6185 break;
6186
6187 case A_PROTOTYPE:
6188 if (off_proto == (u_int)-1)
6189 abort(); /* XXX - this isn't on FreeBSD */
6190 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0x0f, jtype,
6191 reverse, jvalue);
6192 break;
6193
6194 case A_MSGTYPE:
6195 if (off_payload == (u_int)-1)
6196 abort();
6197 b0 = gen_ncmp(OR_LINK, off_payload + MSG_TYPE_POS, BPF_B,
6198 0xffffffff, jtype, reverse, jvalue);
6199 break;
6200
6201 case A_CALLREFTYPE:
6202 if (!is_atm)
6203 bpf_error("'callref' supported only on raw ATM");
6204 if (off_proto == (u_int)-1)
6205 abort();
6206 b0 = gen_ncmp(OR_LINK, off_proto, BPF_B, 0xffffffff,
6207 jtype, reverse, jvalue);
6208 break;
6209
6210 default:
6211 abort();
6212 }
6213 return b0;
6214 }
6215
6216 struct block *
6217 gen_atmtype_abbrev(type)
6218 int type;
6219 {
6220 struct block *b0, *b1;
6221
6222 switch (type) {
6223
6224 case A_METAC:
6225 /* Get all packets in Meta signalling Circuit */
6226 if (!is_atm)
6227 bpf_error("'metac' supported only on raw ATM");
6228 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6229 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
6230 gen_and(b0, b1);
6231 break;
6232
6233 case A_BCC:
6234 /* Get all packets in Broadcast Circuit*/
6235 if (!is_atm)
6236 bpf_error("'bcc' supported only on raw ATM");
6237 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6238 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
6239 gen_and(b0, b1);
6240 break;
6241
6242 case A_OAMF4SC:
6243 /* Get all cells in Segment OAM F4 circuit*/
6244 if (!is_atm)
6245 bpf_error("'oam4sc' supported only on raw ATM");
6246 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6247 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
6248 gen_and(b0, b1);
6249 break;
6250
6251 case A_OAMF4EC:
6252 /* Get all cells in End-to-End OAM F4 Circuit*/
6253 if (!is_atm)
6254 bpf_error("'oam4ec' supported only on raw ATM");
6255 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6256 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
6257 gen_and(b0, b1);
6258 break;
6259
6260 case A_SC:
6261 /* Get all packets in connection Signalling Circuit */
6262 if (!is_atm)
6263 bpf_error("'sc' supported only on raw ATM");
6264 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6265 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
6266 gen_and(b0, b1);
6267 break;
6268
6269 case A_ILMIC:
6270 /* Get all packets in ILMI Circuit */
6271 if (!is_atm)
6272 bpf_error("'ilmic' supported only on raw ATM");
6273 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6274 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
6275 gen_and(b0, b1);
6276 break;
6277
6278 case A_LANE:
6279 /* Get all LANE packets */
6280 if (!is_atm)
6281 bpf_error("'lane' supported only on raw ATM");
6282 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
6283
6284 /*
6285 * Arrange that all subsequent tests assume LANE
6286 * rather than LLC-encapsulated packets, and set
6287 * the offsets appropriately for LANE-encapsulated
6288 * Ethernet.
6289 *
6290 * "off_mac" is the offset of the Ethernet header,
6291 * which is 2 bytes past the ATM pseudo-header
6292 * (skipping the pseudo-header and 2-byte LE Client
6293 * field). The other offsets are Ethernet offsets
6294 * relative to "off_mac".
6295 */
6296 is_lane = 1;
6297 off_mac = off_payload + 2; /* MAC header */
6298 off_linktype = off_mac + 12;
6299 off_nl = off_mac + 14; /* Ethernet II */
6300 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
6301 break;
6302
6303 case A_LLC:
6304 /* Get all LLC-encapsulated packets */
6305 if (!is_atm)
6306 bpf_error("'llc' supported only on raw ATM");
6307 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
6308 is_lane = 0;
6309 break;
6310
6311 default:
6312 abort();
6313 }
6314 return b1;
6315 }
6316
6317
6318 static struct block *
6319 gen_msg_abbrev(type)
6320 int type;
6321 {
6322 struct block *b1;
6323
6324 /*
6325 * Q.2931 signalling protocol messages for handling virtual circuits
6326 * establishment and teardown
6327 */
6328 switch (type) {
6329
6330 case A_SETUP:
6331 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
6332 break;
6333
6334 case A_CALLPROCEED:
6335 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
6336 break;
6337
6338 case A_CONNECT:
6339 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
6340 break;
6341
6342 case A_CONNECTACK:
6343 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
6344 break;
6345
6346 case A_RELEASE:
6347 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
6348 break;
6349
6350 case A_RELEASE_DONE:
6351 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
6352 break;
6353
6354 default:
6355 abort();
6356 }
6357 return b1;
6358 }
6359
6360 struct block *
6361 gen_atmmulti_abbrev(type)
6362 int type;
6363 {
6364 struct block *b0, *b1;
6365
6366 switch (type) {
6367
6368 case A_OAM:
6369 if (!is_atm)
6370 bpf_error("'oam' supported only on raw ATM");
6371 b1 = gen_atmmulti_abbrev(A_OAMF4);
6372 break;
6373
6374 case A_OAMF4:
6375 if (!is_atm)
6376 bpf_error("'oamf4' supported only on raw ATM");
6377 /* OAM F4 type */
6378 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
6379 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
6380 gen_or(b0, b1);
6381 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
6382 gen_and(b0, b1);
6383 break;
6384
6385 case A_CONNECTMSG:
6386 /*
6387 * Get Q.2931 signalling messages for switched
6388 * virtual connection
6389 */
6390 if (!is_atm)
6391 bpf_error("'connectmsg' supported only on raw ATM");
6392 b0 = gen_msg_abbrev(A_SETUP);
6393 b1 = gen_msg_abbrev(A_CALLPROCEED);
6394 gen_or(b0, b1);
6395 b0 = gen_msg_abbrev(A_CONNECT);
6396 gen_or(b0, b1);
6397 b0 = gen_msg_abbrev(A_CONNECTACK);
6398 gen_or(b0, b1);
6399 b0 = gen_msg_abbrev(A_RELEASE);
6400 gen_or(b0, b1);
6401 b0 = gen_msg_abbrev(A_RELEASE_DONE);
6402 gen_or(b0, b1);
6403 b0 = gen_atmtype_abbrev(A_SC);
6404 gen_and(b0, b1);
6405 break;
6406
6407 case A_METACONNECT:
6408 if (!is_atm)
6409 bpf_error("'metaconnect' supported only on raw ATM");
6410 b0 = gen_msg_abbrev(A_SETUP);
6411 b1 = gen_msg_abbrev(A_CALLPROCEED);
6412 gen_or(b0, b1);
6413 b0 = gen_msg_abbrev(A_CONNECT);
6414 gen_or(b0, b1);
6415 b0 = gen_msg_abbrev(A_RELEASE);
6416 gen_or(b0, b1);
6417 b0 = gen_msg_abbrev(A_RELEASE_DONE);
6418 gen_or(b0, b1);
6419 b0 = gen_atmtype_abbrev(A_METAC);
6420 gen_and(b0, b1);
6421 break;
6422
6423 default:
6424 abort();
6425 }
6426 return b1;
6427 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism