]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
For "ether proto", allow LLC value names as well as Ethernet type value
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22 #ifndef lint
23 static const char rcsid[] _U_ =
24 "@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.220 2005-03-17 07:02:31 guy Exp $ (LBL)";
25 #endif
26
27 #ifdef HAVE_CONFIG_H
28 #include "config.h"
29 #endif
30
31 #ifdef WIN32
32 #include <pcap-stdinc.h>
33 #else /* WIN32 */
34 #include <sys/types.h>
35 #include <sys/socket.h>
36 #endif /* WIN32 */
37
38 /*
39 * XXX - why was this included even on UNIX?
40 */
41 #ifdef __MINGW32__
42 #include "IP6_misc.h"
43 #endif
44
45 #ifndef WIN32
46
47 #ifdef __NetBSD__
48 #include <sys/param.h>
49 #endif
50
51 #include <netinet/in.h>
52
53 #endif /* WIN32 */
54
55 #include <stdlib.h>
56 #include <string.h>
57 #include <memory.h>
58 #include <setjmp.h>
59 #include <stdarg.h>
60
61 #ifdef MSDOS
62 #include "pcap-dos.h"
63 #endif
64
65 #include "pcap-int.h"
66
67 #include "ethertype.h"
68 #include "nlpid.h"
69 #include "llc.h"
70 #include "gencode.h"
71 #include "atmuni31.h"
72 #include "sunatmpos.h"
73 #include "ppp.h"
74 #include "sll.h"
75 #include "arcnet.h"
76 #include "pf.h"
77 #ifndef offsetof
78 #define offsetof(s, e) ((size_t)&((s *)0)->e)
79 #endif
80 #ifdef INET6
81 #ifndef WIN32
82 #include <netdb.h> /* for "struct addrinfo" */
83 #endif /* WIN32 */
84 #endif /*INET6*/
85 #include <pcap-namedb.h>
86
87 #define ETHERMTU 1500
88
89 #ifndef IPPROTO_SCTP
90 #define IPPROTO_SCTP 132
91 #endif
92
93 #ifdef HAVE_OS_PROTO_H
94 #include "os-proto.h"
95 #endif
96
97 #define JMP(c) ((c)|BPF_JMP|BPF_K)
98
99 /* Locals */
100 static jmp_buf top_ctx;
101 static pcap_t *bpf_pcap;
102
103 /* Hack for updating VLAN, MPLS offsets. */
104 static u_int orig_linktype = -1U, orig_nl = -1U, orig_nl_nosnap = -1U;
105
106 /* XXX */
107 #ifdef PCAP_FDDIPAD
108 static int pcap_fddipad;
109 #endif
110
111 /* VARARGS */
112 void
113 bpf_error(const char *fmt, ...)
114
115 {
116 va_list ap;
117
118 va_start(ap, fmt);
119 if (bpf_pcap != NULL)
120 (void)vsnprintf(pcap_geterr(bpf_pcap), PCAP_ERRBUF_SIZE,
121 fmt, ap);
122 va_end(ap);
123 longjmp(top_ctx, 1);
124 /* NOTREACHED */
125 }
126
127 static void init_linktype(pcap_t *);
128
129 static int alloc_reg(void);
130 static void free_reg(int);
131
132 static struct block *root;
133
134 /*
135 * We divy out chunks of memory rather than call malloc each time so
136 * we don't have to worry about leaking memory. It's probably
137 * not a big deal if all this memory was wasted but if this ever
138 * goes into a library that would probably not be a good idea.
139 *
140 * XXX - this *is* in a library....
141 */
142 #define NCHUNKS 16
143 #define CHUNK0SIZE 1024
144 struct chunk {
145 u_int n_left;
146 void *m;
147 };
148
149 static struct chunk chunks[NCHUNKS];
150 static int cur_chunk;
151
152 static void *newchunk(u_int);
153 static void freechunks(void);
154 static inline struct block *new_block(int);
155 static inline struct slist *new_stmt(int);
156 static struct block *gen_retblk(int);
157 static inline void syntax(void);
158
159 static void backpatch(struct block *, struct block *);
160 static void merge(struct block *, struct block *);
161 static struct block *gen_cmp(u_int, u_int, bpf_int32);
162 static struct block *gen_cmp_gt(u_int, u_int, bpf_int32);
163 static struct block *gen_mcmp(u_int, u_int, bpf_int32, bpf_u_int32);
164 static struct block *gen_bcmp(u_int, u_int, const u_char *);
165 static struct block *gen_ncmp(bpf_u_int32, bpf_u_int32, bpf_u_int32,
166 bpf_u_int32, bpf_u_int32, int);
167 static struct block *gen_uncond(int);
168 static inline struct block *gen_true(void);
169 static inline struct block *gen_false(void);
170 static struct block *gen_ether_linktype(int);
171 static struct block *gen_linux_sll_linktype(int);
172 static struct block *gen_linktype(int);
173 static struct block *gen_snap(bpf_u_int32, bpf_u_int32, u_int);
174 static struct block *gen_llc(int);
175 static struct block *gen_hostop(bpf_u_int32, bpf_u_int32, int, int, u_int, u_int);
176 #ifdef INET6
177 static struct block *gen_hostop6(struct in6_addr *, struct in6_addr *, int, int, u_int, u_int);
178 #endif
179 static struct block *gen_ahostop(const u_char *, int);
180 static struct block *gen_ehostop(const u_char *, int);
181 static struct block *gen_fhostop(const u_char *, int);
182 static struct block *gen_thostop(const u_char *, int);
183 static struct block *gen_wlanhostop(const u_char *, int);
184 static struct block *gen_ipfchostop(const u_char *, int);
185 static struct block *gen_dnhostop(bpf_u_int32, int, u_int);
186 static struct block *gen_host(bpf_u_int32, bpf_u_int32, int, int);
187 #ifdef INET6
188 static struct block *gen_host6(struct in6_addr *, struct in6_addr *, int, int);
189 #endif
190 #ifndef INET6
191 static struct block *gen_gateway(const u_char *, bpf_u_int32 **, int, int);
192 #endif
193 static struct block *gen_ipfrag(void);
194 static struct block *gen_portatom(int, bpf_int32);
195 #ifdef INET6
196 static struct block *gen_portatom6(int, bpf_int32);
197 #endif
198 struct block *gen_portop(int, int, int);
199 static struct block *gen_port(int, int, int);
200 #ifdef INET6
201 struct block *gen_portop6(int, int, int);
202 static struct block *gen_port6(int, int, int);
203 #endif
204 static int lookup_proto(const char *, int);
205 static struct block *gen_protochain(int, int, int);
206 static struct block *gen_proto(int, int, int);
207 static struct slist *xfer_to_x(struct arth *);
208 static struct slist *xfer_to_a(struct arth *);
209 static struct block *gen_mac_multicast(int);
210 static struct block *gen_len(int, int);
211
212 static struct block *gen_msg_abbrev(int type);
213
214 static void *
215 newchunk(n)
216 u_int n;
217 {
218 struct chunk *cp;
219 int k;
220 size_t size;
221
222 #ifndef __NetBSD__
223 /* XXX Round up to nearest long. */
224 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
225 #else
226 /* XXX Round up to structure boundary. */
227 n = ALIGN(n);
228 #endif
229
230 cp = &chunks[cur_chunk];
231 if (n > cp->n_left) {
232 ++cp, k = ++cur_chunk;
233 if (k >= NCHUNKS)
234 bpf_error("out of memory");
235 size = CHUNK0SIZE << k;
236 cp->m = (void *)malloc(size);
237 if (cp->m == NULL)
238 bpf_error("out of memory");
239 memset((char *)cp->m, 0, size);
240 cp->n_left = size;
241 if (n > size)
242 bpf_error("out of memory");
243 }
244 cp->n_left -= n;
245 return (void *)((char *)cp->m + cp->n_left);
246 }
247
248 static void
249 freechunks()
250 {
251 int i;
252
253 cur_chunk = 0;
254 for (i = 0; i < NCHUNKS; ++i)
255 if (chunks[i].m != NULL) {
256 free(chunks[i].m);
257 chunks[i].m = NULL;
258 }
259 }
260
261 /*
262 * A strdup whose allocations are freed after code generation is over.
263 */
264 char *
265 sdup(s)
266 register const char *s;
267 {
268 int n = strlen(s) + 1;
269 char *cp = newchunk(n);
270
271 strlcpy(cp, s, n);
272 return (cp);
273 }
274
275 static inline struct block *
276 new_block(code)
277 int code;
278 {
279 struct block *p;
280
281 p = (struct block *)newchunk(sizeof(*p));
282 p->s.code = code;
283 p->head = p;
284
285 return p;
286 }
287
288 static inline struct slist *
289 new_stmt(code)
290 int code;
291 {
292 struct slist *p;
293
294 p = (struct slist *)newchunk(sizeof(*p));
295 p->s.code = code;
296
297 return p;
298 }
299
300 static struct block *
301 gen_retblk(v)
302 int v;
303 {
304 struct block *b = new_block(BPF_RET|BPF_K);
305
306 b->s.k = v;
307 return b;
308 }
309
310 static inline void
311 syntax()
312 {
313 bpf_error("syntax error in filter expression");
314 }
315
316 static bpf_u_int32 netmask;
317 static int snaplen;
318 int no_optimize;
319
320 int
321 pcap_compile(pcap_t *p, struct bpf_program *program,
322 char *buf, int optimize, bpf_u_int32 mask)
323 {
324 extern int n_errors;
325 int len;
326
327 no_optimize = 0;
328 n_errors = 0;
329 root = NULL;
330 bpf_pcap = p;
331 if (setjmp(top_ctx)) {
332 lex_cleanup();
333 freechunks();
334 return (-1);
335 }
336
337 netmask = mask;
338
339 snaplen = pcap_snapshot(p);
340 if (snaplen == 0) {
341 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
342 "snaplen of 0 rejects all packets");
343 return -1;
344 }
345
346 lex_init(buf ? buf : "");
347 init_linktype(p);
348 (void)pcap_parse();
349
350 if (n_errors)
351 syntax();
352
353 if (root == NULL)
354 root = gen_retblk(snaplen);
355
356 if (optimize && !no_optimize) {
357 bpf_optimize(&root);
358 if (root == NULL ||
359 (root->s.code == (BPF_RET|BPF_K) && root->s.k == 0))
360 bpf_error("expression rejects all packets");
361 }
362 program->bf_insns = icode_to_fcode(root, &len);
363 program->bf_len = len;
364
365 lex_cleanup();
366 freechunks();
367 return (0);
368 }
369
370 /*
371 * entry point for using the compiler with no pcap open
372 * pass in all the stuff that is needed explicitly instead.
373 */
374 int
375 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
376 struct bpf_program *program,
377 char *buf, int optimize, bpf_u_int32 mask)
378 {
379 pcap_t *p;
380 int ret;
381
382 p = pcap_open_dead(linktype_arg, snaplen_arg);
383 if (p == NULL)
384 return (-1);
385 ret = pcap_compile(p, program, buf, optimize, mask);
386 pcap_close(p);
387 return (ret);
388 }
389
390 /*
391 * Clean up a "struct bpf_program" by freeing all the memory allocated
392 * in it.
393 */
394 void
395 pcap_freecode(struct bpf_program *program)
396 {
397 program->bf_len = 0;
398 if (program->bf_insns != NULL) {
399 free((char *)program->bf_insns);
400 program->bf_insns = NULL;
401 }
402 }
403
404 /*
405 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
406 * which of the jt and jf fields has been resolved and which is a pointer
407 * back to another unresolved block (or nil). At least one of the fields
408 * in each block is already resolved.
409 */
410 static void
411 backpatch(list, target)
412 struct block *list, *target;
413 {
414 struct block *next;
415
416 while (list) {
417 if (!list->sense) {
418 next = JT(list);
419 JT(list) = target;
420 } else {
421 next = JF(list);
422 JF(list) = target;
423 }
424 list = next;
425 }
426 }
427
428 /*
429 * Merge the lists in b0 and b1, using the 'sense' field to indicate
430 * which of jt and jf is the link.
431 */
432 static void
433 merge(b0, b1)
434 struct block *b0, *b1;
435 {
436 register struct block **p = &b0;
437
438 /* Find end of list. */
439 while (*p)
440 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
441
442 /* Concatenate the lists. */
443 *p = b1;
444 }
445
446 void
447 finish_parse(p)
448 struct block *p;
449 {
450 backpatch(p, gen_retblk(snaplen));
451 p->sense = !p->sense;
452 backpatch(p, gen_retblk(0));
453 root = p->head;
454 }
455
456 void
457 gen_and(b0, b1)
458 struct block *b0, *b1;
459 {
460 backpatch(b0, b1->head);
461 b0->sense = !b0->sense;
462 b1->sense = !b1->sense;
463 merge(b1, b0);
464 b1->sense = !b1->sense;
465 b1->head = b0->head;
466 }
467
468 void
469 gen_or(b0, b1)
470 struct block *b0, *b1;
471 {
472 b0->sense = !b0->sense;
473 backpatch(b0, b1->head);
474 b0->sense = !b0->sense;
475 merge(b1, b0);
476 b1->head = b0->head;
477 }
478
479 void
480 gen_not(b)
481 struct block *b;
482 {
483 b->sense = !b->sense;
484 }
485
486 static struct block *
487 gen_cmp(offset, size, v)
488 u_int offset, size;
489 bpf_int32 v;
490 {
491 struct slist *s;
492 struct block *b;
493
494 s = new_stmt(BPF_LD|BPF_ABS|size);
495 s->s.k = offset;
496
497 b = new_block(JMP(BPF_JEQ));
498 b->stmts = s;
499 b->s.k = v;
500
501 return b;
502 }
503
504 static struct block *
505 gen_cmp_gt(offset, size, v)
506 u_int offset, size;
507 bpf_int32 v;
508 {
509 struct slist *s;
510 struct block *b;
511
512 s = new_stmt(BPF_LD|BPF_ABS|size);
513 s->s.k = offset;
514
515 b = new_block(JMP(BPF_JGT));
516 b->stmts = s;
517 b->s.k = v;
518
519 return b;
520 }
521
522 static struct block *
523 gen_mcmp(offset, size, v, mask)
524 u_int offset, size;
525 bpf_int32 v;
526 bpf_u_int32 mask;
527 {
528 struct block *b = gen_cmp(offset, size, v);
529 struct slist *s;
530
531 if (mask != 0xffffffff) {
532 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
533 s->s.k = mask;
534 b->stmts->next = s;
535 }
536 return b;
537 }
538
539 static struct block *
540 gen_bcmp(offset, size, v)
541 register u_int offset, size;
542 register const u_char *v;
543 {
544 register struct block *b, *tmp;
545
546 b = NULL;
547 while (size >= 4) {
548 register const u_char *p = &v[size - 4];
549 bpf_int32 w = ((bpf_int32)p[0] << 24) |
550 ((bpf_int32)p[1] << 16) | ((bpf_int32)p[2] << 8) | p[3];
551
552 tmp = gen_cmp(offset + size - 4, BPF_W, w);
553 if (b != NULL)
554 gen_and(b, tmp);
555 b = tmp;
556 size -= 4;
557 }
558 while (size >= 2) {
559 register const u_char *p = &v[size - 2];
560 bpf_int32 w = ((bpf_int32)p[0] << 8) | p[1];
561
562 tmp = gen_cmp(offset + size - 2, BPF_H, w);
563 if (b != NULL)
564 gen_and(b, tmp);
565 b = tmp;
566 size -= 2;
567 }
568 if (size > 0) {
569 tmp = gen_cmp(offset, BPF_B, (bpf_int32)v[0]);
570 if (b != NULL)
571 gen_and(b, tmp);
572 b = tmp;
573 }
574 return b;
575 }
576
577 static struct block *
578 gen_ncmp(datasize, offset, mask, jtype, jvalue, reverse)
579 bpf_u_int32 datasize, offset, mask, jtype, jvalue;
580 int reverse;
581 {
582 struct slist *s;
583 struct block *b;
584
585 s = new_stmt(BPF_LD|datasize|BPF_ABS);
586 s->s.k = offset;
587
588 if (mask != 0xffffffff) {
589 s->next = new_stmt(BPF_ALU|BPF_AND|BPF_K);
590 s->next->s.k = mask;
591 }
592
593 b = new_block(JMP(jtype));
594 b->stmts = s;
595 b->s.k = jvalue;
596 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
597 gen_not(b);
598 return b;
599 }
600
601 /*
602 * Various code constructs need to know the layout of the data link
603 * layer. These variables give the necessary offsets.
604 */
605
606 /*
607 * This is the offset of the beginning of the MAC-layer header.
608 * It's usually 0, except for ATM LANE.
609 */
610 static u_int off_mac;
611
612 /*
613 * "off_linktype" is the offset to information in the link-layer header
614 * giving the packet type.
615 *
616 * For Ethernet, it's the offset of the Ethernet type field.
617 *
618 * For link-layer types that always use 802.2 headers, it's the
619 * offset of the LLC header.
620 *
621 * For PPP, it's the offset of the PPP type field.
622 *
623 * For Cisco HDLC, it's the offset of the CHDLC type field.
624 *
625 * For BSD loopback, it's the offset of the AF_ value.
626 *
627 * For Linux cooked sockets, it's the offset of the type field.
628 *
629 * It's set to -1 for no encapsulation, in which case, IP is assumed.
630 */
631 static u_int off_linktype;
632
633 /*
634 * TRUE if the link layer includes an ATM pseudo-header.
635 */
636 static int is_atm = 0;
637
638 /*
639 * TRUE if "lane" appeared in the filter; it causes us to generate
640 * code that assumes LANE rather than LLC-encapsulated traffic in SunATM.
641 */
642 static int is_lane = 0;
643
644 /*
645 * These are offsets for the ATM pseudo-header.
646 */
647 static u_int off_vpi;
648 static u_int off_vci;
649 static u_int off_proto;
650
651 /*
652 * This is the offset of the first byte after the ATM pseudo_header,
653 * or -1 if there is no ATM pseudo-header.
654 */
655 static u_int off_payload;
656
657 /*
658 * These are offsets to the beginning of the network-layer header.
659 *
660 * If the link layer never uses 802.2 LLC:
661 *
662 * "off_nl" and "off_nl_nosnap" are the same.
663 *
664 * If the link layer always uses 802.2 LLC:
665 *
666 * "off_nl" is the offset if there's a SNAP header following
667 * the 802.2 header;
668 *
669 * "off_nl_nosnap" is the offset if there's no SNAP header.
670 *
671 * If the link layer is Ethernet:
672 *
673 * "off_nl" is the offset if the packet is an Ethernet II packet
674 * (we assume no 802.3+802.2+SNAP);
675 *
676 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
677 * with an 802.2 header following it.
678 */
679 static u_int off_nl;
680 static u_int off_nl_nosnap;
681
682 static int linktype;
683
684 static void
685 init_linktype(p)
686 pcap_t *p;
687 {
688 linktype = pcap_datalink(p);
689 #ifdef PCAP_FDDIPAD
690 pcap_fddipad = p->fddipad;
691 #endif
692
693 /*
694 * Assume it's not raw ATM with a pseudo-header, for now.
695 */
696 off_mac = 0;
697 is_atm = 0;
698 is_lane = 0;
699 off_vpi = -1;
700 off_vci = -1;
701 off_proto = -1;
702 off_payload = -1;
703
704 orig_linktype = -1;
705 orig_nl = -1;
706 orig_nl_nosnap = -1;
707
708 switch (linktype) {
709
710 case DLT_ARCNET:
711 off_linktype = 2;
712 off_nl = 6; /* XXX in reality, variable! */
713 off_nl_nosnap = 6; /* no 802.2 LLC */
714 return;
715
716 case DLT_ARCNET_LINUX:
717 off_linktype = 4;
718 off_nl = 8; /* XXX in reality, variable! */
719 off_nl_nosnap = 8; /* no 802.2 LLC */
720 return;
721
722 case DLT_EN10MB:
723 off_linktype = 12;
724 off_nl = 14; /* Ethernet II */
725 off_nl_nosnap = 17; /* 802.3+802.2 */
726 return;
727
728 case DLT_SLIP:
729 /*
730 * SLIP doesn't have a link level type. The 16 byte
731 * header is hacked into our SLIP driver.
732 */
733 off_linktype = -1;
734 off_nl = 16;
735 off_nl_nosnap = 16; /* no 802.2 LLC */
736 return;
737
738 case DLT_SLIP_BSDOS:
739 /* XXX this may be the same as the DLT_PPP_BSDOS case */
740 off_linktype = -1;
741 /* XXX end */
742 off_nl = 24;
743 off_nl_nosnap = 24; /* no 802.2 LLC */
744 return;
745
746 case DLT_NULL:
747 case DLT_LOOP:
748 off_linktype = 0;
749 off_nl = 4;
750 off_nl_nosnap = 4; /* no 802.2 LLC */
751 return;
752
753 case DLT_ENC:
754 off_linktype = 0;
755 off_nl = 12;
756 off_nl_nosnap = 12; /* no 802.2 LLC */
757 return;
758
759 case DLT_PPP:
760 case DLT_PPP_PPPD:
761 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
762 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
763 off_linktype = 2;
764 off_nl = 4;
765 off_nl_nosnap = 4; /* no 802.2 LLC */
766 return;
767
768 case DLT_PPP_ETHER:
769 /*
770 * This does no include the Ethernet header, and
771 * only covers session state.
772 */
773 off_linktype = 6;
774 off_nl = 8;
775 off_nl_nosnap = 8; /* no 802.2 LLC */
776 return;
777
778 case DLT_PPP_BSDOS:
779 off_linktype = 5;
780 off_nl = 24;
781 off_nl_nosnap = 24; /* no 802.2 LLC */
782 return;
783
784 case DLT_FDDI:
785 /*
786 * FDDI doesn't really have a link-level type field.
787 * We set "off_linktype" to the offset of the LLC header.
788 *
789 * To check for Ethernet types, we assume that SSAP = SNAP
790 * is being used and pick out the encapsulated Ethernet type.
791 * XXX - should we generate code to check for SNAP?
792 */
793 off_linktype = 13;
794 #ifdef PCAP_FDDIPAD
795 off_linktype += pcap_fddipad;
796 #endif
797 off_nl = 21; /* FDDI+802.2+SNAP */
798 off_nl_nosnap = 16; /* FDDI+802.2 */
799 #ifdef PCAP_FDDIPAD
800 off_nl += pcap_fddipad;
801 off_nl_nosnap += pcap_fddipad;
802 #endif
803 return;
804
805 case DLT_IEEE802:
806 /*
807 * Token Ring doesn't really have a link-level type field.
808 * We set "off_linktype" to the offset of the LLC header.
809 *
810 * To check for Ethernet types, we assume that SSAP = SNAP
811 * is being used and pick out the encapsulated Ethernet type.
812 * XXX - should we generate code to check for SNAP?
813 *
814 * XXX - the header is actually variable-length.
815 * Some various Linux patched versions gave 38
816 * as "off_linktype" and 40 as "off_nl"; however,
817 * if a token ring packet has *no* routing
818 * information, i.e. is not source-routed, the correct
819 * values are 20 and 22, as they are in the vanilla code.
820 *
821 * A packet is source-routed iff the uppermost bit
822 * of the first byte of the source address, at an
823 * offset of 8, has the uppermost bit set. If the
824 * packet is source-routed, the total number of bytes
825 * of routing information is 2 plus bits 0x1F00 of
826 * the 16-bit value at an offset of 14 (shifted right
827 * 8 - figure out which byte that is).
828 */
829 off_linktype = 14;
830 off_nl = 22; /* Token Ring+802.2+SNAP */
831 off_nl_nosnap = 17; /* Token Ring+802.2 */
832 return;
833
834 case DLT_IEEE802_11:
835 /*
836 * 802.11 doesn't really have a link-level type field.
837 * We set "off_linktype" to the offset of the LLC header.
838 *
839 * To check for Ethernet types, we assume that SSAP = SNAP
840 * is being used and pick out the encapsulated Ethernet type.
841 * XXX - should we generate code to check for SNAP?
842 *
843 * XXX - the header is actually variable-length. We
844 * assume a 24-byte link-layer header, as appears in
845 * data frames in networks with no bridges. If the
846 * fromds and tods 802.11 header bits are both set,
847 * it's actually supposed to be 30 bytes.
848 */
849 off_linktype = 24;
850 off_nl = 32; /* 802.11+802.2+SNAP */
851 off_nl_nosnap = 27; /* 802.11+802.2 */
852 return;
853
854 case DLT_PRISM_HEADER:
855 /*
856 * Same as 802.11, but with an additional header before
857 * the 802.11 header, containing a bunch of additional
858 * information including radio-level information.
859 *
860 * The header is 144 bytes long.
861 *
862 * XXX - same variable-length header problem; at least
863 * the Prism header is fixed-length.
864 */
865 off_linktype = 144+24;
866 off_nl = 144+32; /* Prism+802.11+802.2+SNAP */
867 off_nl_nosnap = 144+27; /* Prism+802.11+802.2 */
868 return;
869
870 case DLT_IEEE802_11_RADIO_AVS:
871 /*
872 * Same as 802.11, but with an additional header before
873 * the 802.11 header, containing a bunch of additional
874 * information including radio-level information.
875 *
876 * The header is 64 bytes long, at least in its
877 * current incarnation.
878 *
879 * XXX - same variable-length header problem, only
880 * more so; this header is also variable-length,
881 * with the length being the 32-bit big-endian
882 * number at an offset of 4 from the beginning
883 * of the radio header.
884 */
885 off_linktype = 64+24;
886 off_nl = 64+32; /* Radio+802.11+802.2+SNAP */
887 off_nl_nosnap = 64+27; /* Radio+802.11+802.2 */
888 return;
889
890 case DLT_IEEE802_11_RADIO:
891 /*
892 * Same as 802.11, but with an additional header before
893 * the 802.11 header, containing a bunch of additional
894 * information including radio-level information.
895 *
896 * XXX - same variable-length header problem, only
897 * even *more* so; this header is also variable-length,
898 * with the length being the 16-bit number at an offset
899 * of 2 from the beginning of the radio header, and it's
900 * device-dependent (different devices might supply
901 * different amounts of information), so we can't even
902 * assume a fixed length for the current version of the
903 * header.
904 *
905 * Therefore, currently, only raw "link[N:M]" filtering is
906 * supported.
907 */
908 off_linktype = -1;
909 off_nl = -1;
910 off_nl_nosnap = -1;
911 return;
912
913 case DLT_ATM_RFC1483:
914 case DLT_ATM_CLIP: /* Linux ATM defines this */
915 /*
916 * assume routed, non-ISO PDUs
917 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
918 */
919 off_linktype = 0;
920 off_nl = 8; /* 802.2+SNAP */
921 off_nl_nosnap = 3; /* 802.2 */
922 return;
923
924 case DLT_SUNATM:
925 /*
926 * Full Frontal ATM; you get AALn PDUs with an ATM
927 * pseudo-header.
928 */
929 is_atm = 1;
930 off_vpi = SUNATM_VPI_POS;
931 off_vci = SUNATM_VCI_POS;
932 off_proto = PROTO_POS;
933 off_mac = -1; /* LLC-encapsulated, so no MAC-layer header */
934 off_payload = SUNATM_PKT_BEGIN_POS;
935 off_linktype = off_payload;
936 off_nl = off_payload+8; /* 802.2+SNAP */
937 off_nl_nosnap = off_payload+3; /* 802.2 */
938 return;
939
940 case DLT_RAW:
941 off_linktype = -1;
942 off_nl = 0;
943 off_nl_nosnap = 0; /* no 802.2 LLC */
944 return;
945
946 case DLT_LINUX_SLL: /* fake header for Linux cooked socket */
947 off_linktype = 14;
948 off_nl = 16;
949 off_nl_nosnap = 16; /* no 802.2 LLC */
950 return;
951
952 case DLT_LTALK:
953 /*
954 * LocalTalk does have a 1-byte type field in the LLAP header,
955 * but really it just indicates whether there is a "short" or
956 * "long" DDP packet following.
957 */
958 off_linktype = -1;
959 off_nl = 0;
960 off_nl_nosnap = 0; /* no 802.2 LLC */
961 return;
962
963 case DLT_IP_OVER_FC:
964 /*
965 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
966 * link-level type field. We set "off_linktype" to the
967 * offset of the LLC header.
968 *
969 * To check for Ethernet types, we assume that SSAP = SNAP
970 * is being used and pick out the encapsulated Ethernet type.
971 * XXX - should we generate code to check for SNAP? RFC
972 * 2625 says SNAP should be used.
973 */
974 off_linktype = 16;
975 off_nl = 24; /* IPFC+802.2+SNAP */
976 off_nl_nosnap = 19; /* IPFC+802.2 */
977 return;
978
979 case DLT_FRELAY:
980 /*
981 * XXX - we should set this to handle SNAP-encapsulated
982 * frames (NLPID of 0x80).
983 */
984 off_linktype = -1;
985 off_nl = 0;
986 off_nl_nosnap = 0; /* no 802.2 LLC */
987 return;
988
989 case DLT_APPLE_IP_OVER_IEEE1394:
990 off_linktype = 16;
991 off_nl = 18;
992 off_nl_nosnap = 0; /* no 802.2 LLC */
993 return;
994
995 case DLT_LINUX_IRDA:
996 /*
997 * Currently, only raw "link[N:M]" filtering is supported.
998 */
999 off_linktype = -1;
1000 off_nl = -1;
1001 off_nl_nosnap = -1;
1002 return;
1003
1004 case DLT_DOCSIS:
1005 /*
1006 * Currently, only raw "link[N:M]" filtering is supported.
1007 */
1008 off_linktype = -1;
1009 off_nl = -1;
1010 off_nl_nosnap = -1;
1011 return;
1012
1013 case DLT_SYMANTEC_FIREWALL:
1014 off_linktype = 6;
1015 off_nl = 44; /* Ethernet II */
1016 off_nl_nosnap = 44; /* XXX - what does it do with 802.3 packets? */
1017 return;
1018
1019 case DLT_PFLOG:
1020 off_linktype = 0;
1021 /* XXX read from header? */
1022 off_nl = PFLOG_HDRLEN;
1023 off_nl_nosnap = PFLOG_HDRLEN;
1024 return;
1025
1026 case DLT_JUNIPER_MLFR:
1027 case DLT_JUNIPER_MLPPP:
1028 off_linktype = 4;
1029 off_nl = 4;
1030 off_nl_nosnap = -1;
1031 return;
1032
1033 case DLT_JUNIPER_ATM1:
1034 off_linktype = 4; /* in reality variable between 4-8 */
1035 off_nl = 4;
1036 off_nl_nosnap = 14;
1037 return;
1038
1039 case DLT_JUNIPER_ATM2:
1040 off_linktype = 8; /* in reality variable between 8-12 */
1041 off_nl = 8;
1042 off_nl_nosnap = 18;
1043 return;
1044
1045 #ifdef DLT_PFSYNC
1046 case DLT_PFSYNC:
1047 off_linktype = -1;
1048 off_nl = 4;
1049 off_nl_nosnap = 4;
1050 return;
1051 #endif
1052 }
1053 bpf_error("unknown data link type %d", linktype);
1054 /* NOTREACHED */
1055 }
1056
1057 static struct block *
1058 gen_uncond(rsense)
1059 int rsense;
1060 {
1061 struct block *b;
1062 struct slist *s;
1063
1064 s = new_stmt(BPF_LD|BPF_IMM);
1065 s->s.k = !rsense;
1066 b = new_block(JMP(BPF_JEQ));
1067 b->stmts = s;
1068
1069 return b;
1070 }
1071
1072 static inline struct block *
1073 gen_true()
1074 {
1075 return gen_uncond(1);
1076 }
1077
1078 static inline struct block *
1079 gen_false()
1080 {
1081 return gen_uncond(0);
1082 }
1083
1084 /*
1085 * Byte-swap a 32-bit number.
1086 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1087 * big-endian platforms.)
1088 */
1089 #define SWAPLONG(y) \
1090 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1091
1092 static struct block *
1093 gen_ether_linktype(proto)
1094 register int proto;
1095 {
1096 struct block *b0, *b1;
1097
1098 switch (proto) {
1099
1100 case LLCSAP_ISONS:
1101 /*
1102 * OSI protocols always use 802.2 encapsulation.
1103 * XXX - should we check both the DSAP and the
1104 * SSAP, like this, or should we check just the
1105 * DSAP?
1106 */
1107 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1108 gen_not(b0);
1109 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1110 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1111 gen_and(b0, b1);
1112 return b1;
1113
1114 case LLCSAP_IP:
1115 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1116 gen_not(b0);
1117 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1118 ((LLCSAP_IP << 8) | LLCSAP_IP));
1119 gen_and(b0, b1);
1120 return b1;
1121
1122 case LLCSAP_NETBEUI:
1123 /*
1124 * NetBEUI always uses 802.2 encapsulation.
1125 * XXX - should we check both the DSAP and the
1126 * SSAP, like this, or should we check just the
1127 * DSAP?
1128 */
1129 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1130 gen_not(b0);
1131 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1132 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1133 gen_and(b0, b1);
1134 return b1;
1135
1136 case LLCSAP_IPX:
1137 /*
1138 * Check for;
1139 *
1140 * Ethernet_II frames, which are Ethernet
1141 * frames with a frame type of ETHERTYPE_IPX;
1142 *
1143 * Ethernet_802.3 frames, which are 802.3
1144 * frames (i.e., the type/length field is
1145 * a length field, <= ETHERMTU, rather than
1146 * a type field) with the first two bytes
1147 * after the Ethernet/802.3 header being
1148 * 0xFFFF;
1149 *
1150 * Ethernet_802.2 frames, which are 802.3
1151 * frames with an 802.2 LLC header and
1152 * with the IPX LSAP as the DSAP in the LLC
1153 * header;
1154 *
1155 * Ethernet_SNAP frames, which are 802.3
1156 * frames with an LLC header and a SNAP
1157 * header and with an OUI of 0x000000
1158 * (encapsulated Ethernet) and a protocol
1159 * ID of ETHERTYPE_IPX in the SNAP header.
1160 *
1161 * XXX - should we generate the same code both
1162 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
1163 */
1164
1165 /*
1166 * This generates code to check both for the
1167 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
1168 */
1169 b0 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)LLCSAP_IPX);
1170 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)0xFFFF);
1171 gen_or(b0, b1);
1172
1173 /*
1174 * Now we add code to check for SNAP frames with
1175 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
1176 */
1177 b0 = gen_snap(0x000000, ETHERTYPE_IPX, 14);
1178 gen_or(b0, b1);
1179
1180 /*
1181 * Now we generate code to check for 802.3
1182 * frames in general.
1183 */
1184 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1185 gen_not(b0);
1186
1187 /*
1188 * Now add the check for 802.3 frames before the
1189 * check for Ethernet_802.2 and Ethernet_802.3,
1190 * as those checks should only be done on 802.3
1191 * frames, not on Ethernet frames.
1192 */
1193 gen_and(b0, b1);
1194
1195 /*
1196 * Now add the check for Ethernet_II frames, and
1197 * do that before checking for the other frame
1198 * types.
1199 */
1200 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)ETHERTYPE_IPX);
1201 gen_or(b0, b1);
1202 return b1;
1203
1204 case ETHERTYPE_ATALK:
1205 case ETHERTYPE_AARP:
1206 /*
1207 * EtherTalk (AppleTalk protocols on Ethernet link
1208 * layer) may use 802.2 encapsulation.
1209 */
1210
1211 /*
1212 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1213 * we check for an Ethernet type field less than
1214 * 1500, which means it's an 802.3 length field.
1215 */
1216 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1217 gen_not(b0);
1218
1219 /*
1220 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1221 * SNAP packets with an organization code of
1222 * 0x080007 (Apple, for Appletalk) and a protocol
1223 * type of ETHERTYPE_ATALK (Appletalk).
1224 *
1225 * 802.2-encapsulated ETHERTYPE_AARP packets are
1226 * SNAP packets with an organization code of
1227 * 0x000000 (encapsulated Ethernet) and a protocol
1228 * type of ETHERTYPE_AARP (Appletalk ARP).
1229 */
1230 if (proto == ETHERTYPE_ATALK)
1231 b1 = gen_snap(0x080007, ETHERTYPE_ATALK, 14);
1232 else /* proto == ETHERTYPE_AARP */
1233 b1 = gen_snap(0x000000, ETHERTYPE_AARP, 14);
1234 gen_and(b0, b1);
1235
1236 /*
1237 * Check for Ethernet encapsulation (Ethertalk
1238 * phase 1?); we just check for the Ethernet
1239 * protocol type.
1240 */
1241 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1242
1243 gen_or(b0, b1);
1244 return b1;
1245
1246 default:
1247 if (proto <= ETHERMTU) {
1248 /*
1249 * This is an LLC SAP value, so the frames
1250 * that match would be 802.2 frames.
1251 * Check that the frame is an 802.2 frame
1252 * (i.e., that the length/type field is
1253 * a length field, <= ETHERMTU) and
1254 * then check the DSAP.
1255 */
1256 b0 = gen_cmp_gt(off_linktype, BPF_H, ETHERMTU);
1257 gen_not(b0);
1258 b1 = gen_cmp(off_linktype + 2, BPF_B, (bpf_int32)proto);
1259 gen_and(b0, b1);
1260 return b1;
1261 } else {
1262 /*
1263 * This is an Ethernet type, so compare
1264 * the length/type field with it (if
1265 * the frame is an 802.2 frame, the length
1266 * field will be <= ETHERMTU, and, as
1267 * "proto" is > ETHERMTU, this test
1268 * will fail and the frame won't match,
1269 * which is what we want).
1270 */
1271 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1272 }
1273 }
1274 }
1275
1276 static struct block *
1277 gen_linux_sll_linktype(proto)
1278 register int proto;
1279 {
1280 struct block *b0, *b1;
1281
1282 switch (proto) {
1283
1284 case LLCSAP_IP:
1285 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1286 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1287 ((LLCSAP_IP << 8) | LLCSAP_IP));
1288 gen_and(b0, b1);
1289 return b1;
1290
1291 case LLCSAP_ISONS:
1292 /*
1293 * OSI protocols always use 802.2 encapsulation.
1294 * XXX - should we check both the DSAP and the
1295 * SSAP, like this, or should we check just the
1296 * DSAP?
1297 */
1298 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1299 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1300 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1301 gen_and(b0, b1);
1302 return b1;
1303
1304 case LLCSAP_NETBEUI:
1305 /*
1306 * NetBEUI always uses 802.2 encapsulation.
1307 * XXX - should we check both the DSAP and the
1308 * LSAP, like this, or should we check just the
1309 * DSAP?
1310 */
1311 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1312 b1 = gen_cmp(off_linktype + 2, BPF_H, (bpf_int32)
1313 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1314 gen_and(b0, b1);
1315 return b1;
1316
1317 case LLCSAP_IPX:
1318 /*
1319 * Ethernet_II frames, which are Ethernet
1320 * frames with a frame type of ETHERTYPE_IPX;
1321 *
1322 * Ethernet_802.3 frames, which have a frame
1323 * type of LINUX_SLL_P_802_3;
1324 *
1325 * Ethernet_802.2 frames, which are 802.3
1326 * frames with an 802.2 LLC header (i.e, have
1327 * a frame type of LINUX_SLL_P_802_2) and
1328 * with the IPX LSAP as the DSAP in the LLC
1329 * header;
1330 *
1331 * Ethernet_SNAP frames, which are 802.3
1332 * frames with an LLC header and a SNAP
1333 * header and with an OUI of 0x000000
1334 * (encapsulated Ethernet) and a protocol
1335 * ID of ETHERTYPE_IPX in the SNAP header.
1336 *
1337 * First, do the checks on LINUX_SLL_P_802_2
1338 * frames; generate the check for either
1339 * Ethernet_802.2 or Ethernet_SNAP frames, and
1340 * then put a check for LINUX_SLL_P_802_2 frames
1341 * before it.
1342 */
1343 b0 = gen_cmp(off_linktype + 2, BPF_B,
1344 (bpf_int32)LLCSAP_IPX);
1345 b1 = gen_snap(0x000000, ETHERTYPE_IPX,
1346 off_linktype + 2);
1347 gen_or(b0, b1);
1348 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1349 gen_and(b0, b1);
1350
1351 /*
1352 * Now check for 802.3 frames and OR that with
1353 * the previous test.
1354 */
1355 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_3);
1356 gen_or(b0, b1);
1357
1358 /*
1359 * Now add the check for Ethernet_II frames, and
1360 * do that before checking for the other frame
1361 * types.
1362 */
1363 b0 = gen_cmp(off_linktype, BPF_H,
1364 (bpf_int32)ETHERTYPE_IPX);
1365 gen_or(b0, b1);
1366 return b1;
1367
1368 case ETHERTYPE_ATALK:
1369 case ETHERTYPE_AARP:
1370 /*
1371 * EtherTalk (AppleTalk protocols on Ethernet link
1372 * layer) may use 802.2 encapsulation.
1373 */
1374
1375 /*
1376 * Check for 802.2 encapsulation (EtherTalk phase 2?);
1377 * we check for the 802.2 protocol type in the
1378 * "Ethernet type" field.
1379 */
1380 b0 = gen_cmp(off_linktype, BPF_H, LINUX_SLL_P_802_2);
1381
1382 /*
1383 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1384 * SNAP packets with an organization code of
1385 * 0x080007 (Apple, for Appletalk) and a protocol
1386 * type of ETHERTYPE_ATALK (Appletalk).
1387 *
1388 * 802.2-encapsulated ETHERTYPE_AARP packets are
1389 * SNAP packets with an organization code of
1390 * 0x000000 (encapsulated Ethernet) and a protocol
1391 * type of ETHERTYPE_AARP (Appletalk ARP).
1392 */
1393 if (proto == ETHERTYPE_ATALK)
1394 b1 = gen_snap(0x080007, ETHERTYPE_ATALK,
1395 off_linktype + 2);
1396 else /* proto == ETHERTYPE_AARP */
1397 b1 = gen_snap(0x000000, ETHERTYPE_AARP,
1398 off_linktype + 2);
1399 gen_and(b0, b1);
1400
1401 /*
1402 * Check for Ethernet encapsulation (Ethertalk
1403 * phase 1?); we just check for the Ethernet
1404 * protocol type.
1405 */
1406 b0 = gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1407
1408 gen_or(b0, b1);
1409 return b1;
1410
1411 default:
1412 if (proto <= ETHERMTU) {
1413 /*
1414 * This is an LLC SAP value, so the frames
1415 * that match would be 802.2 frames.
1416 * Check for the 802.2 protocol type
1417 * in the "Ethernet type" field, and
1418 * then check the DSAP.
1419 */
1420 b0 = gen_cmp(off_linktype, BPF_H,
1421 LINUX_SLL_P_802_2);
1422 b1 = gen_cmp(off_linktype + 2, BPF_B,
1423 (bpf_int32)proto);
1424 gen_and(b0, b1);
1425 return b1;
1426 } else {
1427 /*
1428 * This is an Ethernet type, so compare
1429 * the length/type field with it (if
1430 * the frame is an 802.2 frame, the length
1431 * field will be <= ETHERMTU, and, as
1432 * "proto" is > ETHERMTU, this test
1433 * will fail and the frame won't match,
1434 * which is what we want).
1435 */
1436 return gen_cmp(off_linktype, BPF_H,
1437 (bpf_int32)proto);
1438 }
1439 }
1440 }
1441
1442 static struct block *
1443 gen_linktype(proto)
1444 register int proto;
1445 {
1446 struct block *b0, *b1, *b2;
1447
1448 switch (linktype) {
1449
1450 case DLT_EN10MB:
1451 return gen_ether_linktype(proto);
1452 /*NOTREACHED*/
1453 break;
1454
1455 case DLT_C_HDLC:
1456 switch (proto) {
1457
1458 case LLCSAP_ISONS:
1459 proto = (proto << 8 | LLCSAP_ISONS);
1460 /* fall through */
1461
1462 default:
1463 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1464 /*NOTREACHED*/
1465 break;
1466 }
1467 break;
1468
1469 case DLT_IEEE802_11:
1470 case DLT_PRISM_HEADER:
1471 case DLT_IEEE802_11_RADIO:
1472 case DLT_FDDI:
1473 case DLT_IEEE802:
1474 case DLT_ATM_RFC1483:
1475 case DLT_ATM_CLIP:
1476 case DLT_IP_OVER_FC:
1477 return gen_llc(proto);
1478 /*NOTREACHED*/
1479 break;
1480
1481 case DLT_SUNATM:
1482 /*
1483 * If "is_lane" is set, check for a LANE-encapsulated
1484 * version of this protocol, otherwise check for an
1485 * LLC-encapsulated version of this protocol.
1486 *
1487 * We assume LANE means Ethernet, not Token Ring.
1488 */
1489 if (is_lane) {
1490 /*
1491 * Check that the packet doesn't begin with an
1492 * LE Control marker. (We've already generated
1493 * a test for LANE.)
1494 */
1495 b0 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
1496 gen_not(b0);
1497
1498 /*
1499 * Now generate an Ethernet test.
1500 */
1501 b1 = gen_ether_linktype(proto);
1502 gen_and(b0, b1);
1503 return b1;
1504 } else {
1505 /*
1506 * Check for LLC encapsulation and then check the
1507 * protocol.
1508 */
1509 b0 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
1510 b1 = gen_llc(proto);
1511 gen_and(b0, b1);
1512 return b1;
1513 }
1514
1515 case DLT_LINUX_SLL:
1516 return gen_linux_sll_linktype(proto);
1517 /*NOTREACHED*/
1518 break;
1519
1520 case DLT_SLIP:
1521 case DLT_SLIP_BSDOS:
1522 case DLT_RAW:
1523 /*
1524 * These types don't provide any type field; packets
1525 * are always IP.
1526 *
1527 * XXX - for IPv4, check for a version number of 4, and,
1528 * for IPv6, check for a version number of 6?
1529 */
1530 switch (proto) {
1531
1532 case ETHERTYPE_IP:
1533 #ifdef INET6
1534 case ETHERTYPE_IPV6:
1535 #endif
1536 return gen_true(); /* always true */
1537
1538 default:
1539 return gen_false(); /* always false */
1540 }
1541 /*NOTREACHED*/
1542 break;
1543
1544 case DLT_PPP:
1545 case DLT_PPP_PPPD:
1546 case DLT_PPP_SERIAL:
1547 case DLT_PPP_ETHER:
1548 /*
1549 * We use Ethernet protocol types inside libpcap;
1550 * map them to the corresponding PPP protocol types.
1551 */
1552 switch (proto) {
1553
1554 case ETHERTYPE_IP:
1555 proto = PPP_IP;
1556 break;
1557
1558 #ifdef INET6
1559 case ETHERTYPE_IPV6:
1560 proto = PPP_IPV6;
1561 break;
1562 #endif
1563
1564 case ETHERTYPE_DN:
1565 proto = PPP_DECNET;
1566 break;
1567
1568 case ETHERTYPE_ATALK:
1569 proto = PPP_APPLE;
1570 break;
1571
1572 case ETHERTYPE_NS:
1573 proto = PPP_NS;
1574 break;
1575
1576 case LLCSAP_ISONS:
1577 proto = PPP_OSI;
1578 break;
1579
1580 case LLCSAP_8021D:
1581 /*
1582 * I'm assuming the "Bridging PDU"s that go
1583 * over PPP are Spanning Tree Protocol
1584 * Bridging PDUs.
1585 */
1586 proto = PPP_BRPDU;
1587 break;
1588
1589 case LLCSAP_IPX:
1590 proto = PPP_IPX;
1591 break;
1592 }
1593 break;
1594
1595 case DLT_PPP_BSDOS:
1596 /*
1597 * We use Ethernet protocol types inside libpcap;
1598 * map them to the corresponding PPP protocol types.
1599 */
1600 switch (proto) {
1601
1602 case ETHERTYPE_IP:
1603 b0 = gen_cmp(off_linktype, BPF_H, PPP_IP);
1604 b1 = gen_cmp(off_linktype, BPF_H, PPP_VJC);
1605 gen_or(b0, b1);
1606 b0 = gen_cmp(off_linktype, BPF_H, PPP_VJNC);
1607 gen_or(b1, b0);
1608 return b0;
1609
1610 #ifdef INET6
1611 case ETHERTYPE_IPV6:
1612 proto = PPP_IPV6;
1613 /* more to go? */
1614 break;
1615 #endif
1616
1617 case ETHERTYPE_DN:
1618 proto = PPP_DECNET;
1619 break;
1620
1621 case ETHERTYPE_ATALK:
1622 proto = PPP_APPLE;
1623 break;
1624
1625 case ETHERTYPE_NS:
1626 proto = PPP_NS;
1627 break;
1628
1629 case LLCSAP_ISONS:
1630 proto = PPP_OSI;
1631 break;
1632
1633 case LLCSAP_8021D:
1634 /*
1635 * I'm assuming the "Bridging PDU"s that go
1636 * over PPP are Spanning Tree Protocol
1637 * Bridging PDUs.
1638 */
1639 proto = PPP_BRPDU;
1640 break;
1641
1642 case LLCSAP_IPX:
1643 proto = PPP_IPX;
1644 break;
1645 }
1646 break;
1647
1648 case DLT_NULL:
1649 case DLT_LOOP:
1650 case DLT_ENC:
1651 /*
1652 * For DLT_NULL, the link-layer header is a 32-bit
1653 * word containing an AF_ value in *host* byte order,
1654 * and for DLT_ENC, the link-layer header begins
1655 * with a 32-bit work containing an AF_ value in
1656 * host byte order.
1657 *
1658 * In addition, if we're reading a saved capture file,
1659 * the host byte order in the capture may not be the
1660 * same as the host byte order on this machine.
1661 *
1662 * For DLT_LOOP, the link-layer header is a 32-bit
1663 * word containing an AF_ value in *network* byte order.
1664 *
1665 * XXX - AF_ values may, unfortunately, be platform-
1666 * dependent; for example, FreeBSD's AF_INET6 is 24
1667 * whilst NetBSD's and OpenBSD's is 26.
1668 *
1669 * This means that, when reading a capture file, just
1670 * checking for our AF_INET6 value won't work if the
1671 * capture file came from another OS.
1672 */
1673 switch (proto) {
1674
1675 case ETHERTYPE_IP:
1676 proto = AF_INET;
1677 break;
1678
1679 #ifdef INET6
1680 case ETHERTYPE_IPV6:
1681 proto = AF_INET6;
1682 break;
1683 #endif
1684
1685 default:
1686 /*
1687 * Not a type on which we support filtering.
1688 * XXX - support those that have AF_ values
1689 * #defined on this platform, at least?
1690 */
1691 return gen_false();
1692 }
1693
1694 if (linktype == DLT_NULL || linktype == DLT_ENC) {
1695 /*
1696 * The AF_ value is in host byte order, but
1697 * the BPF interpreter will convert it to
1698 * network byte order.
1699 *
1700 * If this is a save file, and it's from a
1701 * machine with the opposite byte order to
1702 * ours, we byte-swap the AF_ value.
1703 *
1704 * Then we run it through "htonl()", and
1705 * generate code to compare against the result.
1706 */
1707 if (bpf_pcap->sf.rfile != NULL &&
1708 bpf_pcap->sf.swapped)
1709 proto = SWAPLONG(proto);
1710 proto = htonl(proto);
1711 }
1712 return (gen_cmp(0, BPF_W, (bpf_int32)proto));
1713
1714 case DLT_PFLOG:
1715 /*
1716 * af field is host byte order in contrast to the rest of
1717 * the packet.
1718 */
1719 if (proto == ETHERTYPE_IP)
1720 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1721 (bpf_int32)AF_INET));
1722 #ifdef INET6
1723 else if (proto == ETHERTYPE_IPV6)
1724 return (gen_cmp(offsetof(struct pfloghdr, af), BPF_B,
1725 (bpf_int32)AF_INET6));
1726 #endif /* INET6 */
1727 else
1728 return gen_false();
1729 /*NOTREACHED*/
1730 break;
1731
1732 case DLT_ARCNET:
1733 case DLT_ARCNET_LINUX:
1734 /*
1735 * XXX should we check for first fragment if the protocol
1736 * uses PHDS?
1737 */
1738 switch (proto) {
1739
1740 default:
1741 return gen_false();
1742
1743 #ifdef INET6
1744 case ETHERTYPE_IPV6:
1745 return (gen_cmp(off_linktype, BPF_B,
1746 (bpf_int32)ARCTYPE_INET6));
1747 #endif /* INET6 */
1748
1749 case ETHERTYPE_IP:
1750 b0 = gen_cmp(off_linktype, BPF_B,
1751 (bpf_int32)ARCTYPE_IP);
1752 b1 = gen_cmp(off_linktype, BPF_B,
1753 (bpf_int32)ARCTYPE_IP_OLD);
1754 gen_or(b0, b1);
1755 return (b1);
1756
1757 case ETHERTYPE_ARP:
1758 b0 = gen_cmp(off_linktype, BPF_B,
1759 (bpf_int32)ARCTYPE_ARP);
1760 b1 = gen_cmp(off_linktype, BPF_B,
1761 (bpf_int32)ARCTYPE_ARP_OLD);
1762 gen_or(b0, b1);
1763 return (b1);
1764
1765 case ETHERTYPE_REVARP:
1766 return (gen_cmp(off_linktype, BPF_B,
1767 (bpf_int32)ARCTYPE_REVARP));
1768
1769 case ETHERTYPE_ATALK:
1770 return (gen_cmp(off_linktype, BPF_B,
1771 (bpf_int32)ARCTYPE_ATALK));
1772 }
1773 /*NOTREACHED*/
1774 break;
1775
1776 case DLT_LTALK:
1777 switch (proto) {
1778 case ETHERTYPE_ATALK:
1779 return gen_true();
1780 default:
1781 return gen_false();
1782 }
1783 /*NOTREACHED*/
1784 break;
1785
1786 case DLT_FRELAY:
1787 /*
1788 * XXX - assumes a 2-byte Frame Relay header with
1789 * DLCI and flags. What if the address is longer?
1790 */
1791 switch (proto) {
1792
1793 case ETHERTYPE_IP:
1794 /*
1795 * Check for the special NLPID for IP.
1796 */
1797 return gen_cmp(2, BPF_H, (0x03<<8) | 0xcc);
1798
1799 #ifdef INET6
1800 case ETHERTYPE_IPV6:
1801 /*
1802 * Check for the special NLPID for IPv6.
1803 */
1804 return gen_cmp(2, BPF_H, (0x03<<8) | 0x8e);
1805 #endif
1806
1807 case LLCSAP_ISONS:
1808 /*
1809 * Check for several OSI protocols.
1810 *
1811 * Frame Relay packets typically have an OSI
1812 * NLPID at the beginning; we check for each
1813 * of them.
1814 *
1815 * What we check for is the NLPID and a frame
1816 * control field of UI, i.e. 0x03 followed
1817 * by the NLPID.
1818 */
1819 b0 = gen_cmp(2, BPF_H, (0x03<<8) | ISO8473_CLNP);
1820 b1 = gen_cmp(2, BPF_H, (0x03<<8) | ISO9542_ESIS);
1821 b2 = gen_cmp(2, BPF_H, (0x03<<8) | ISO10589_ISIS);
1822 gen_or(b1, b2);
1823 gen_or(b0, b2);
1824 return b2;
1825
1826 default:
1827 return gen_false();
1828 }
1829 /*NOTREACHED*/
1830 break;
1831
1832 case DLT_JUNIPER_MLFR:
1833 case DLT_JUNIPER_MLPPP:
1834 case DLT_JUNIPER_ATM1:
1835 case DLT_JUNIPER_ATM2:
1836 /* just lets verify the magic number for now -
1837 * on ATM we may have up to 6 different encapsulations on the wire
1838 * and need a lot of heuristics to figure out that the payload
1839 * might be;
1840 *
1841 * FIXME encapsulation specific BPF_ filters
1842 */
1843 return gen_mcmp(0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
1844
1845 case DLT_LINUX_IRDA:
1846 bpf_error("IrDA link-layer type filtering not implemented");
1847
1848 case DLT_DOCSIS:
1849 bpf_error("DOCSIS link-layer type filtering not implemented");
1850 }
1851
1852 /*
1853 * All the types that have no encapsulation should either be
1854 * handled as DLT_SLIP, DLT_SLIP_BSDOS, and DLT_RAW are, if
1855 * all packets are IP packets, or should be handled in some
1856 * special case, if none of them are (if some are and some
1857 * aren't, the lack of encapsulation is a problem, as we'd
1858 * have to find some other way of determining the packet type).
1859 *
1860 * Therefore, if "off_linktype" is -1, there's an error.
1861 */
1862 if (off_linktype == (u_int)-1)
1863 abort();
1864
1865 /*
1866 * Any type not handled above should always have an Ethernet
1867 * type at an offset of "off_linktype". (PPP is partially
1868 * handled above - the protocol type is mapped from the
1869 * Ethernet and LLC types we use internally to the corresponding
1870 * PPP type - but the PPP type is always specified by a value
1871 * at "off_linktype", so we don't have to do the code generation
1872 * above.)
1873 */
1874 return gen_cmp(off_linktype, BPF_H, (bpf_int32)proto);
1875 }
1876
1877 /*
1878 * Check for an LLC SNAP packet with a given organization code and
1879 * protocol type; we check the entire contents of the 802.2 LLC and
1880 * snap headers, checking for DSAP and SSAP of SNAP and a control
1881 * field of 0x03 in the LLC header, and for the specified organization
1882 * code and protocol type in the SNAP header.
1883 */
1884 static struct block *
1885 gen_snap(orgcode, ptype, offset)
1886 bpf_u_int32 orgcode;
1887 bpf_u_int32 ptype;
1888 u_int offset;
1889 {
1890 u_char snapblock[8];
1891
1892 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
1893 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
1894 snapblock[2] = 0x03; /* control = UI */
1895 snapblock[3] = (orgcode >> 16); /* upper 8 bits of organization code */
1896 snapblock[4] = (orgcode >> 8); /* middle 8 bits of organization code */
1897 snapblock[5] = (orgcode >> 0); /* lower 8 bits of organization code */
1898 snapblock[6] = (ptype >> 8); /* upper 8 bits of protocol type */
1899 snapblock[7] = (ptype >> 0); /* lower 8 bits of protocol type */
1900 return gen_bcmp(offset, 8, snapblock);
1901 }
1902
1903 /*
1904 * Check for a given protocol value assuming an 802.2 LLC header.
1905 */
1906 static struct block *
1907 gen_llc(proto)
1908 int proto;
1909 {
1910 /*
1911 * XXX - handle token-ring variable-length header.
1912 */
1913 switch (proto) {
1914
1915 case LLCSAP_IP:
1916 return gen_cmp(off_linktype, BPF_H, (long)
1917 ((LLCSAP_IP << 8) | LLCSAP_IP));
1918
1919 case LLCSAP_ISONS:
1920 return gen_cmp(off_linktype, BPF_H, (long)
1921 ((LLCSAP_ISONS << 8) | LLCSAP_ISONS));
1922
1923 case LLCSAP_NETBEUI:
1924 return gen_cmp(off_linktype, BPF_H, (long)
1925 ((LLCSAP_NETBEUI << 8) | LLCSAP_NETBEUI));
1926
1927 case LLCSAP_IPX:
1928 /*
1929 * XXX - are there ever SNAP frames for IPX on
1930 * non-Ethernet 802.x networks?
1931 */
1932 return gen_cmp(off_linktype, BPF_B, (bpf_int32)LLCSAP_IPX);
1933
1934 case ETHERTYPE_ATALK:
1935 /*
1936 * 802.2-encapsulated ETHERTYPE_ATALK packets are
1937 * SNAP packets with an organization code of
1938 * 0x080007 (Apple, for Appletalk) and a protocol
1939 * type of ETHERTYPE_ATALK (Appletalk).
1940 *
1941 * XXX - check for an organization code of
1942 * encapsulated Ethernet as well?
1943 */
1944 return gen_snap(0x080007, ETHERTYPE_ATALK, off_linktype);
1945
1946 default:
1947 /*
1948 * XXX - we don't have to check for IPX 802.3
1949 * here, but should we check for the IPX Ethertype?
1950 */
1951 if (proto <= ETHERMTU) {
1952 /*
1953 * This is an LLC SAP value, so check
1954 * the DSAP.
1955 */
1956 return gen_cmp(off_linktype, BPF_B, (bpf_int32)proto);
1957 } else {
1958 /*
1959 * This is an Ethernet type; we assume that it's
1960 * unlikely that it'll appear in the right place
1961 * at random, and therefore check only the
1962 * location that would hold the Ethernet type
1963 * in a SNAP frame with an organization code of
1964 * 0x000000 (encapsulated Ethernet).
1965 *
1966 * XXX - if we were to check for the SNAP DSAP and
1967 * LSAP, as per XXX, and were also to check for an
1968 * organization code of 0x000000 (encapsulated
1969 * Ethernet), we'd do
1970 *
1971 * return gen_snap(0x000000, proto,
1972 * off_linktype);
1973 *
1974 * here; for now, we don't, as per the above.
1975 * I don't know whether it's worth the extra CPU
1976 * time to do the right check or not.
1977 */
1978 return gen_cmp(off_linktype+6, BPF_H, (bpf_int32)proto);
1979 }
1980 }
1981 }
1982
1983 static struct block *
1984 gen_hostop(addr, mask, dir, proto, src_off, dst_off)
1985 bpf_u_int32 addr;
1986 bpf_u_int32 mask;
1987 int dir, proto;
1988 u_int src_off, dst_off;
1989 {
1990 struct block *b0, *b1;
1991 u_int offset;
1992
1993 switch (dir) {
1994
1995 case Q_SRC:
1996 offset = src_off;
1997 break;
1998
1999 case Q_DST:
2000 offset = dst_off;
2001 break;
2002
2003 case Q_AND:
2004 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2005 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2006 gen_and(b0, b1);
2007 return b1;
2008
2009 case Q_OR:
2010 case Q_DEFAULT:
2011 b0 = gen_hostop(addr, mask, Q_SRC, proto, src_off, dst_off);
2012 b1 = gen_hostop(addr, mask, Q_DST, proto, src_off, dst_off);
2013 gen_or(b0, b1);
2014 return b1;
2015
2016 default:
2017 abort();
2018 }
2019 b0 = gen_linktype(proto);
2020 b1 = gen_mcmp(offset, BPF_W, (bpf_int32)addr, mask);
2021 gen_and(b0, b1);
2022 return b1;
2023 }
2024
2025 #ifdef INET6
2026 static struct block *
2027 gen_hostop6(addr, mask, dir, proto, src_off, dst_off)
2028 struct in6_addr *addr;
2029 struct in6_addr *mask;
2030 int dir, proto;
2031 u_int src_off, dst_off;
2032 {
2033 struct block *b0, *b1;
2034 u_int offset;
2035 u_int32_t *a, *m;
2036
2037 switch (dir) {
2038
2039 case Q_SRC:
2040 offset = src_off;
2041 break;
2042
2043 case Q_DST:
2044 offset = dst_off;
2045 break;
2046
2047 case Q_AND:
2048 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2049 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2050 gen_and(b0, b1);
2051 return b1;
2052
2053 case Q_OR:
2054 case Q_DEFAULT:
2055 b0 = gen_hostop6(addr, mask, Q_SRC, proto, src_off, dst_off);
2056 b1 = gen_hostop6(addr, mask, Q_DST, proto, src_off, dst_off);
2057 gen_or(b0, b1);
2058 return b1;
2059
2060 default:
2061 abort();
2062 }
2063 /* this order is important */
2064 a = (u_int32_t *)addr;
2065 m = (u_int32_t *)mask;
2066 b1 = gen_mcmp(offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
2067 b0 = gen_mcmp(offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
2068 gen_and(b0, b1);
2069 b0 = gen_mcmp(offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
2070 gen_and(b0, b1);
2071 b0 = gen_mcmp(offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
2072 gen_and(b0, b1);
2073 b0 = gen_linktype(proto);
2074 gen_and(b0, b1);
2075 return b1;
2076 }
2077 #endif /*INET6*/
2078
2079 static struct block *
2080 gen_ehostop(eaddr, dir)
2081 register const u_char *eaddr;
2082 register int dir;
2083 {
2084 register struct block *b0, *b1;
2085
2086 switch (dir) {
2087 case Q_SRC:
2088 return gen_bcmp(off_mac + 6, 6, eaddr);
2089
2090 case Q_DST:
2091 return gen_bcmp(off_mac + 0, 6, eaddr);
2092
2093 case Q_AND:
2094 b0 = gen_ehostop(eaddr, Q_SRC);
2095 b1 = gen_ehostop(eaddr, Q_DST);
2096 gen_and(b0, b1);
2097 return b1;
2098
2099 case Q_DEFAULT:
2100 case Q_OR:
2101 b0 = gen_ehostop(eaddr, Q_SRC);
2102 b1 = gen_ehostop(eaddr, Q_DST);
2103 gen_or(b0, b1);
2104 return b1;
2105 }
2106 abort();
2107 /* NOTREACHED */
2108 }
2109
2110 /*
2111 * Like gen_ehostop, but for DLT_FDDI
2112 */
2113 static struct block *
2114 gen_fhostop(eaddr, dir)
2115 register const u_char *eaddr;
2116 register int dir;
2117 {
2118 struct block *b0, *b1;
2119
2120 switch (dir) {
2121 case Q_SRC:
2122 #ifdef PCAP_FDDIPAD
2123 return gen_bcmp(6 + 1 + pcap_fddipad, 6, eaddr);
2124 #else
2125 return gen_bcmp(6 + 1, 6, eaddr);
2126 #endif
2127
2128 case Q_DST:
2129 #ifdef PCAP_FDDIPAD
2130 return gen_bcmp(0 + 1 + pcap_fddipad, 6, eaddr);
2131 #else
2132 return gen_bcmp(0 + 1, 6, eaddr);
2133 #endif
2134
2135 case Q_AND:
2136 b0 = gen_fhostop(eaddr, Q_SRC);
2137 b1 = gen_fhostop(eaddr, Q_DST);
2138 gen_and(b0, b1);
2139 return b1;
2140
2141 case Q_DEFAULT:
2142 case Q_OR:
2143 b0 = gen_fhostop(eaddr, Q_SRC);
2144 b1 = gen_fhostop(eaddr, Q_DST);
2145 gen_or(b0, b1);
2146 return b1;
2147 }
2148 abort();
2149 /* NOTREACHED */
2150 }
2151
2152 /*
2153 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
2154 */
2155 static struct block *
2156 gen_thostop(eaddr, dir)
2157 register const u_char *eaddr;
2158 register int dir;
2159 {
2160 register struct block *b0, *b1;
2161
2162 switch (dir) {
2163 case Q_SRC:
2164 return gen_bcmp(8, 6, eaddr);
2165
2166 case Q_DST:
2167 return gen_bcmp(2, 6, eaddr);
2168
2169 case Q_AND:
2170 b0 = gen_thostop(eaddr, Q_SRC);
2171 b1 = gen_thostop(eaddr, Q_DST);
2172 gen_and(b0, b1);
2173 return b1;
2174
2175 case Q_DEFAULT:
2176 case Q_OR:
2177 b0 = gen_thostop(eaddr, Q_SRC);
2178 b1 = gen_thostop(eaddr, Q_DST);
2179 gen_or(b0, b1);
2180 return b1;
2181 }
2182 abort();
2183 /* NOTREACHED */
2184 }
2185
2186 /*
2187 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN)
2188 */
2189 static struct block *
2190 gen_wlanhostop(eaddr, dir)
2191 register const u_char *eaddr;
2192 register int dir;
2193 {
2194 register struct block *b0, *b1, *b2;
2195 register struct slist *s;
2196
2197 switch (dir) {
2198 case Q_SRC:
2199 /*
2200 * Oh, yuk.
2201 *
2202 * For control frames, there is no SA.
2203 *
2204 * For management frames, SA is at an
2205 * offset of 10 from the beginning of
2206 * the packet.
2207 *
2208 * For data frames, SA is at an offset
2209 * of 10 from the beginning of the packet
2210 * if From DS is clear, at an offset of
2211 * 16 from the beginning of the packet
2212 * if From DS is set and To DS is clear,
2213 * and an offset of 24 from the beginning
2214 * of the packet if From DS is set and To DS
2215 * is set.
2216 */
2217
2218 /*
2219 * Generate the tests to be done for data frames
2220 * with From DS set.
2221 *
2222 * First, check for To DS set, i.e. check "link[1] & 0x01".
2223 */
2224 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2225 s->s.k = 1;
2226 b1 = new_block(JMP(BPF_JSET));
2227 b1->s.k = 0x01; /* To DS */
2228 b1->stmts = s;
2229
2230 /*
2231 * If To DS is set, the SA is at 24.
2232 */
2233 b0 = gen_bcmp(24, 6, eaddr);
2234 gen_and(b1, b0);
2235
2236 /*
2237 * Now, check for To DS not set, i.e. check
2238 * "!(link[1] & 0x01)".
2239 */
2240 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2241 s->s.k = 1;
2242 b2 = new_block(JMP(BPF_JSET));
2243 b2->s.k = 0x01; /* To DS */
2244 b2->stmts = s;
2245 gen_not(b2);
2246
2247 /*
2248 * If To DS is not set, the SA is at 16.
2249 */
2250 b1 = gen_bcmp(16, 6, eaddr);
2251 gen_and(b2, b1);
2252
2253 /*
2254 * Now OR together the last two checks. That gives
2255 * the complete set of checks for data frames with
2256 * From DS set.
2257 */
2258 gen_or(b1, b0);
2259
2260 /*
2261 * Now check for From DS being set, and AND that with
2262 * the ORed-together checks.
2263 */
2264 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2265 s->s.k = 1;
2266 b1 = new_block(JMP(BPF_JSET));
2267 b1->s.k = 0x02; /* From DS */
2268 b1->stmts = s;
2269 gen_and(b1, b0);
2270
2271 /*
2272 * Now check for data frames with From DS not set.
2273 */
2274 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2275 s->s.k = 1;
2276 b2 = new_block(JMP(BPF_JSET));
2277 b2->s.k = 0x02; /* From DS */
2278 b2->stmts = s;
2279 gen_not(b2);
2280
2281 /*
2282 * If From DS isn't set, the SA is at 10.
2283 */
2284 b1 = gen_bcmp(10, 6, eaddr);
2285 gen_and(b2, b1);
2286
2287 /*
2288 * Now OR together the checks for data frames with
2289 * From DS not set and for data frames with From DS
2290 * set; that gives the checks done for data frames.
2291 */
2292 gen_or(b1, b0);
2293
2294 /*
2295 * Now check for a data frame.
2296 * I.e, check "link[0] & 0x08".
2297 */
2298 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2299 s->s.k = 0;
2300 b1 = new_block(JMP(BPF_JSET));
2301 b1->s.k = 0x08;
2302 b1->stmts = s;
2303
2304 /*
2305 * AND that with the checks done for data frames.
2306 */
2307 gen_and(b1, b0);
2308
2309 /*
2310 * If the high-order bit of the type value is 0, this
2311 * is a management frame.
2312 * I.e, check "!(link[0] & 0x08)".
2313 */
2314 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2315 s->s.k = 0;
2316 b2 = new_block(JMP(BPF_JSET));
2317 b2->s.k = 0x08;
2318 b2->stmts = s;
2319 gen_not(b2);
2320
2321 /*
2322 * For management frames, the SA is at 10.
2323 */
2324 b1 = gen_bcmp(10, 6, eaddr);
2325 gen_and(b2, b1);
2326
2327 /*
2328 * OR that with the checks done for data frames.
2329 * That gives the checks done for management and
2330 * data frames.
2331 */
2332 gen_or(b1, b0);
2333
2334 /*
2335 * If the low-order bit of the type value is 1,
2336 * this is either a control frame or a frame
2337 * with a reserved type, and thus not a
2338 * frame with an SA.
2339 *
2340 * I.e., check "!(link[0] & 0x04)".
2341 */
2342 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2343 s->s.k = 0;
2344 b1 = new_block(JMP(BPF_JSET));
2345 b1->s.k = 0x04;
2346 b1->stmts = s;
2347 gen_not(b1);
2348
2349 /*
2350 * AND that with the checks for data and management
2351 * frames.
2352 */
2353 gen_and(b1, b0);
2354 return b0;
2355
2356 case Q_DST:
2357 /*
2358 * Oh, yuk.
2359 *
2360 * For control frames, there is no DA.
2361 *
2362 * For management frames, DA is at an
2363 * offset of 4 from the beginning of
2364 * the packet.
2365 *
2366 * For data frames, DA is at an offset
2367 * of 4 from the beginning of the packet
2368 * if To DS is clear and at an offset of
2369 * 16 from the beginning of the packet
2370 * if To DS is set.
2371 */
2372
2373 /*
2374 * Generate the tests to be done for data frames.
2375 *
2376 * First, check for To DS set, i.e. "link[1] & 0x01".
2377 */
2378 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2379 s->s.k = 1;
2380 b1 = new_block(JMP(BPF_JSET));
2381 b1->s.k = 0x01; /* To DS */
2382 b1->stmts = s;
2383
2384 /*
2385 * If To DS is set, the DA is at 16.
2386 */
2387 b0 = gen_bcmp(16, 6, eaddr);
2388 gen_and(b1, b0);
2389
2390 /*
2391 * Now, check for To DS not set, i.e. check
2392 * "!(link[1] & 0x01)".
2393 */
2394 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2395 s->s.k = 1;
2396 b2 = new_block(JMP(BPF_JSET));
2397 b2->s.k = 0x01; /* To DS */
2398 b2->stmts = s;
2399 gen_not(b2);
2400
2401 /*
2402 * If To DS is not set, the DA is at 4.
2403 */
2404 b1 = gen_bcmp(4, 6, eaddr);
2405 gen_and(b2, b1);
2406
2407 /*
2408 * Now OR together the last two checks. That gives
2409 * the complete set of checks for data frames.
2410 */
2411 gen_or(b1, b0);
2412
2413 /*
2414 * Now check for a data frame.
2415 * I.e, check "link[0] & 0x08".
2416 */
2417 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2418 s->s.k = 0;
2419 b1 = new_block(JMP(BPF_JSET));
2420 b1->s.k = 0x08;
2421 b1->stmts = s;
2422
2423 /*
2424 * AND that with the checks done for data frames.
2425 */
2426 gen_and(b1, b0);
2427
2428 /*
2429 * If the high-order bit of the type value is 0, this
2430 * is a management frame.
2431 * I.e, check "!(link[0] & 0x08)".
2432 */
2433 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2434 s->s.k = 0;
2435 b2 = new_block(JMP(BPF_JSET));
2436 b2->s.k = 0x08;
2437 b2->stmts = s;
2438 gen_not(b2);
2439
2440 /*
2441 * For management frames, the DA is at 4.
2442 */
2443 b1 = gen_bcmp(4, 6, eaddr);
2444 gen_and(b2, b1);
2445
2446 /*
2447 * OR that with the checks done for data frames.
2448 * That gives the checks done for management and
2449 * data frames.
2450 */
2451 gen_or(b1, b0);
2452
2453 /*
2454 * If the low-order bit of the type value is 1,
2455 * this is either a control frame or a frame
2456 * with a reserved type, and thus not a
2457 * frame with an SA.
2458 *
2459 * I.e., check "!(link[0] & 0x04)".
2460 */
2461 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
2462 s->s.k = 0;
2463 b1 = new_block(JMP(BPF_JSET));
2464 b1->s.k = 0x04;
2465 b1->stmts = s;
2466 gen_not(b1);
2467
2468 /*
2469 * AND that with the checks for data and management
2470 * frames.
2471 */
2472 gen_and(b1, b0);
2473 return b0;
2474
2475 case Q_AND:
2476 b0 = gen_wlanhostop(eaddr, Q_SRC);
2477 b1 = gen_wlanhostop(eaddr, Q_DST);
2478 gen_and(b0, b1);
2479 return b1;
2480
2481 case Q_DEFAULT:
2482 case Q_OR:
2483 b0 = gen_wlanhostop(eaddr, Q_SRC);
2484 b1 = gen_wlanhostop(eaddr, Q_DST);
2485 gen_or(b0, b1);
2486 return b1;
2487 }
2488 abort();
2489 /* NOTREACHED */
2490 }
2491
2492 /*
2493 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
2494 * (We assume that the addresses are IEEE 48-bit MAC addresses,
2495 * as the RFC states.)
2496 */
2497 static struct block *
2498 gen_ipfchostop(eaddr, dir)
2499 register const u_char *eaddr;
2500 register int dir;
2501 {
2502 register struct block *b0, *b1;
2503
2504 switch (dir) {
2505 case Q_SRC:
2506 return gen_bcmp(10, 6, eaddr);
2507
2508 case Q_DST:
2509 return gen_bcmp(2, 6, eaddr);
2510
2511 case Q_AND:
2512 b0 = gen_ipfchostop(eaddr, Q_SRC);
2513 b1 = gen_ipfchostop(eaddr, Q_DST);
2514 gen_and(b0, b1);
2515 return b1;
2516
2517 case Q_DEFAULT:
2518 case Q_OR:
2519 b0 = gen_ipfchostop(eaddr, Q_SRC);
2520 b1 = gen_ipfchostop(eaddr, Q_DST);
2521 gen_or(b0, b1);
2522 return b1;
2523 }
2524 abort();
2525 /* NOTREACHED */
2526 }
2527
2528 /*
2529 * This is quite tricky because there may be pad bytes in front of the
2530 * DECNET header, and then there are two possible data packet formats that
2531 * carry both src and dst addresses, plus 5 packet types in a format that
2532 * carries only the src node, plus 2 types that use a different format and
2533 * also carry just the src node.
2534 *
2535 * Yuck.
2536 *
2537 * Instead of doing those all right, we just look for data packets with
2538 * 0 or 1 bytes of padding. If you want to look at other packets, that
2539 * will require a lot more hacking.
2540 *
2541 * To add support for filtering on DECNET "areas" (network numbers)
2542 * one would want to add a "mask" argument to this routine. That would
2543 * make the filter even more inefficient, although one could be clever
2544 * and not generate masking instructions if the mask is 0xFFFF.
2545 */
2546 static struct block *
2547 gen_dnhostop(addr, dir, base_off)
2548 bpf_u_int32 addr;
2549 int dir;
2550 u_int base_off;
2551 {
2552 struct block *b0, *b1, *b2, *tmp;
2553 u_int offset_lh; /* offset if long header is received */
2554 u_int offset_sh; /* offset if short header is received */
2555
2556 switch (dir) {
2557
2558 case Q_DST:
2559 offset_sh = 1; /* follows flags */
2560 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
2561 break;
2562
2563 case Q_SRC:
2564 offset_sh = 3; /* follows flags, dstnode */
2565 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
2566 break;
2567
2568 case Q_AND:
2569 /* Inefficient because we do our Calvinball dance twice */
2570 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2571 b1 = gen_dnhostop(addr, Q_DST, base_off);
2572 gen_and(b0, b1);
2573 return b1;
2574
2575 case Q_OR:
2576 case Q_DEFAULT:
2577 /* Inefficient because we do our Calvinball dance twice */
2578 b0 = gen_dnhostop(addr, Q_SRC, base_off);
2579 b1 = gen_dnhostop(addr, Q_DST, base_off);
2580 gen_or(b0, b1);
2581 return b1;
2582
2583 case Q_ISO:
2584 bpf_error("ISO host filtering not implemented");
2585
2586 default:
2587 abort();
2588 }
2589 b0 = gen_linktype(ETHERTYPE_DN);
2590 /* Check for pad = 1, long header case */
2591 tmp = gen_mcmp(base_off + 2, BPF_H,
2592 (bpf_int32)ntohs(0x0681), (bpf_int32)ntohs(0x07FF));
2593 b1 = gen_cmp(base_off + 2 + 1 + offset_lh,
2594 BPF_H, (bpf_int32)ntohs(addr));
2595 gen_and(tmp, b1);
2596 /* Check for pad = 0, long header case */
2597 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x06, (bpf_int32)0x7);
2598 b2 = gen_cmp(base_off + 2 + offset_lh, BPF_H, (bpf_int32)ntohs(addr));
2599 gen_and(tmp, b2);
2600 gen_or(b2, b1);
2601 /* Check for pad = 1, short header case */
2602 tmp = gen_mcmp(base_off + 2, BPF_H,
2603 (bpf_int32)ntohs(0x0281), (bpf_int32)ntohs(0x07FF));
2604 b2 = gen_cmp(base_off + 2 + 1 + offset_sh,
2605 BPF_H, (bpf_int32)ntohs(addr));
2606 gen_and(tmp, b2);
2607 gen_or(b2, b1);
2608 /* Check for pad = 0, short header case */
2609 tmp = gen_mcmp(base_off + 2, BPF_B, (bpf_int32)0x02, (bpf_int32)0x7);
2610 b2 = gen_cmp(base_off + 2 + offset_sh, BPF_H, (bpf_int32)ntohs(addr));
2611 gen_and(tmp, b2);
2612 gen_or(b2, b1);
2613
2614 /* Combine with test for linktype */
2615 gen_and(b0, b1);
2616 return b1;
2617 }
2618
2619 static struct block *
2620 gen_host(addr, mask, proto, dir)
2621 bpf_u_int32 addr;
2622 bpf_u_int32 mask;
2623 int proto;
2624 int dir;
2625 {
2626 struct block *b0, *b1;
2627
2628 switch (proto) {
2629
2630 case Q_DEFAULT:
2631 b0 = gen_host(addr, mask, Q_IP, dir);
2632 if (off_linktype != (u_int)-1) {
2633 b1 = gen_host(addr, mask, Q_ARP, dir);
2634 gen_or(b0, b1);
2635 b0 = gen_host(addr, mask, Q_RARP, dir);
2636 gen_or(b1, b0);
2637 }
2638 return b0;
2639
2640 case Q_IP:
2641 return gen_hostop(addr, mask, dir, ETHERTYPE_IP,
2642 off_nl + 12, off_nl + 16);
2643
2644 case Q_RARP:
2645 return gen_hostop(addr, mask, dir, ETHERTYPE_REVARP,
2646 off_nl + 14, off_nl + 24);
2647
2648 case Q_ARP:
2649 return gen_hostop(addr, mask, dir, ETHERTYPE_ARP,
2650 off_nl + 14, off_nl + 24);
2651
2652 case Q_TCP:
2653 bpf_error("'tcp' modifier applied to host");
2654
2655 case Q_SCTP:
2656 bpf_error("'sctp' modifier applied to host");
2657
2658 case Q_UDP:
2659 bpf_error("'udp' modifier applied to host");
2660
2661 case Q_ICMP:
2662 bpf_error("'icmp' modifier applied to host");
2663
2664 case Q_IGMP:
2665 bpf_error("'igmp' modifier applied to host");
2666
2667 case Q_IGRP:
2668 bpf_error("'igrp' modifier applied to host");
2669
2670 case Q_PIM:
2671 bpf_error("'pim' modifier applied to host");
2672
2673 case Q_VRRP:
2674 bpf_error("'vrrp' modifier applied to host");
2675
2676 case Q_ATALK:
2677 bpf_error("ATALK host filtering not implemented");
2678
2679 case Q_AARP:
2680 bpf_error("AARP host filtering not implemented");
2681
2682 case Q_DECNET:
2683 return gen_dnhostop(addr, dir, off_nl);
2684
2685 case Q_SCA:
2686 bpf_error("SCA host filtering not implemented");
2687
2688 case Q_LAT:
2689 bpf_error("LAT host filtering not implemented");
2690
2691 case Q_MOPDL:
2692 bpf_error("MOPDL host filtering not implemented");
2693
2694 case Q_MOPRC:
2695 bpf_error("MOPRC host filtering not implemented");
2696
2697 #ifdef INET6
2698 case Q_IPV6:
2699 bpf_error("'ip6' modifier applied to ip host");
2700
2701 case Q_ICMPV6:
2702 bpf_error("'icmp6' modifier applied to host");
2703 #endif /* INET6 */
2704
2705 case Q_AH:
2706 bpf_error("'ah' modifier applied to host");
2707
2708 case Q_ESP:
2709 bpf_error("'esp' modifier applied to host");
2710
2711 case Q_ISO:
2712 bpf_error("ISO host filtering not implemented");
2713
2714 case Q_ESIS:
2715 bpf_error("'esis' modifier applied to host");
2716
2717 case Q_ISIS:
2718 bpf_error("'isis' modifier applied to host");
2719
2720 case Q_CLNP:
2721 bpf_error("'clnp' modifier applied to host");
2722
2723 case Q_STP:
2724 bpf_error("'stp' modifier applied to host");
2725
2726 case Q_IPX:
2727 bpf_error("IPX host filtering not implemented");
2728
2729 case Q_NETBEUI:
2730 bpf_error("'netbeui' modifier applied to host");
2731
2732 default:
2733 abort();
2734 }
2735 /* NOTREACHED */
2736 }
2737
2738 #ifdef INET6
2739 static struct block *
2740 gen_host6(addr, mask, proto, dir)
2741 struct in6_addr *addr;
2742 struct in6_addr *mask;
2743 int proto;
2744 int dir;
2745 {
2746 switch (proto) {
2747
2748 case Q_DEFAULT:
2749 return gen_host6(addr, mask, Q_IPV6, dir);
2750
2751 case Q_IP:
2752 bpf_error("'ip' modifier applied to ip6 host");
2753
2754 case Q_RARP:
2755 bpf_error("'rarp' modifier applied to ip6 host");
2756
2757 case Q_ARP:
2758 bpf_error("'arp' modifier applied to ip6 host");
2759
2760 case Q_SCTP:
2761 bpf_error("'sctp' modifier applied to host");
2762
2763 case Q_TCP:
2764 bpf_error("'tcp' modifier applied to host");
2765
2766 case Q_UDP:
2767 bpf_error("'udp' modifier applied to host");
2768
2769 case Q_ICMP:
2770 bpf_error("'icmp' modifier applied to host");
2771
2772 case Q_IGMP:
2773 bpf_error("'igmp' modifier applied to host");
2774
2775 case Q_IGRP:
2776 bpf_error("'igrp' modifier applied to host");
2777
2778 case Q_PIM:
2779 bpf_error("'pim' modifier applied to host");
2780
2781 case Q_VRRP:
2782 bpf_error("'vrrp' modifier applied to host");
2783
2784 case Q_ATALK:
2785 bpf_error("ATALK host filtering not implemented");
2786
2787 case Q_AARP:
2788 bpf_error("AARP host filtering not implemented");
2789
2790 case Q_DECNET:
2791 bpf_error("'decnet' modifier applied to ip6 host");
2792
2793 case Q_SCA:
2794 bpf_error("SCA host filtering not implemented");
2795
2796 case Q_LAT:
2797 bpf_error("LAT host filtering not implemented");
2798
2799 case Q_MOPDL:
2800 bpf_error("MOPDL host filtering not implemented");
2801
2802 case Q_MOPRC:
2803 bpf_error("MOPRC host filtering not implemented");
2804
2805 case Q_IPV6:
2806 return gen_hostop6(addr, mask, dir, ETHERTYPE_IPV6,
2807 off_nl + 8, off_nl + 24);
2808
2809 case Q_ICMPV6:
2810 bpf_error("'icmp6' modifier applied to host");
2811
2812 case Q_AH:
2813 bpf_error("'ah' modifier applied to host");
2814
2815 case Q_ESP:
2816 bpf_error("'esp' modifier applied to host");
2817
2818 case Q_ISO:
2819 bpf_error("ISO host filtering not implemented");
2820
2821 case Q_ESIS:
2822 bpf_error("'esis' modifier applied to host");
2823
2824 case Q_ISIS:
2825 bpf_error("'isis' modifier applied to host");
2826
2827 case Q_CLNP:
2828 bpf_error("'clnp' modifier applied to host");
2829
2830 case Q_STP:
2831 bpf_error("'stp' modifier applied to host");
2832
2833 case Q_IPX:
2834 bpf_error("IPX host filtering not implemented");
2835
2836 case Q_NETBEUI:
2837 bpf_error("'netbeui' modifier applied to host");
2838
2839 default:
2840 abort();
2841 }
2842 /* NOTREACHED */
2843 }
2844 #endif /*INET6*/
2845
2846 #ifndef INET6
2847 static struct block *
2848 gen_gateway(eaddr, alist, proto, dir)
2849 const u_char *eaddr;
2850 bpf_u_int32 **alist;
2851 int proto;
2852 int dir;
2853 {
2854 struct block *b0, *b1, *tmp;
2855
2856 if (dir != 0)
2857 bpf_error("direction applied to 'gateway'");
2858
2859 switch (proto) {
2860 case Q_DEFAULT:
2861 case Q_IP:
2862 case Q_ARP:
2863 case Q_RARP:
2864 if (linktype == DLT_EN10MB)
2865 b0 = gen_ehostop(eaddr, Q_OR);
2866 else if (linktype == DLT_FDDI)
2867 b0 = gen_fhostop(eaddr, Q_OR);
2868 else if (linktype == DLT_IEEE802)
2869 b0 = gen_thostop(eaddr, Q_OR);
2870 else if (linktype == DLT_IEEE802_11)
2871 b0 = gen_wlanhostop(eaddr, Q_OR);
2872 else if (linktype == DLT_SUNATM && is_lane) {
2873 /*
2874 * Check that the packet doesn't begin with an
2875 * LE Control marker. (We've already generated
2876 * a test for LANE.)
2877 */
2878 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
2879 gen_not(b1);
2880
2881 /*
2882 * Now check the MAC address.
2883 */
2884 b0 = gen_ehostop(eaddr, Q_OR);
2885 gen_and(b1, b0);
2886 } else if (linktype == DLT_IP_OVER_FC)
2887 b0 = gen_ipfchostop(eaddr, Q_OR);
2888 else
2889 bpf_error(
2890 "'gateway' supported only on ethernet/FDDI/token ring/802.11/Fibre Channel");
2891
2892 b1 = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2893 while (*alist) {
2894 tmp = gen_host(**alist++, 0xffffffff, proto, Q_OR);
2895 gen_or(b1, tmp);
2896 b1 = tmp;
2897 }
2898 gen_not(b1);
2899 gen_and(b0, b1);
2900 return b1;
2901 }
2902 bpf_error("illegal modifier of 'gateway'");
2903 /* NOTREACHED */
2904 }
2905 #endif
2906
2907 struct block *
2908 gen_proto_abbrev(proto)
2909 int proto;
2910 {
2911 struct block *b0;
2912 struct block *b1;
2913
2914 switch (proto) {
2915
2916 case Q_SCTP:
2917 b1 = gen_proto(IPPROTO_SCTP, Q_IP, Q_DEFAULT);
2918 #ifdef INET6
2919 b0 = gen_proto(IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
2920 gen_or(b0, b1);
2921 #endif
2922 break;
2923
2924 case Q_TCP:
2925 b1 = gen_proto(IPPROTO_TCP, Q_IP, Q_DEFAULT);
2926 #ifdef INET6
2927 b0 = gen_proto(IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
2928 gen_or(b0, b1);
2929 #endif
2930 break;
2931
2932 case Q_UDP:
2933 b1 = gen_proto(IPPROTO_UDP, Q_IP, Q_DEFAULT);
2934 #ifdef INET6
2935 b0 = gen_proto(IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
2936 gen_or(b0, b1);
2937 #endif
2938 break;
2939
2940 case Q_ICMP:
2941 b1 = gen_proto(IPPROTO_ICMP, Q_IP, Q_DEFAULT);
2942 break;
2943
2944 #ifndef IPPROTO_IGMP
2945 #define IPPROTO_IGMP 2
2946 #endif
2947
2948 case Q_IGMP:
2949 b1 = gen_proto(IPPROTO_IGMP, Q_IP, Q_DEFAULT);
2950 break;
2951
2952 #ifndef IPPROTO_IGRP
2953 #define IPPROTO_IGRP 9
2954 #endif
2955 case Q_IGRP:
2956 b1 = gen_proto(IPPROTO_IGRP, Q_IP, Q_DEFAULT);
2957 break;
2958
2959 #ifndef IPPROTO_PIM
2960 #define IPPROTO_PIM 103
2961 #endif
2962
2963 case Q_PIM:
2964 b1 = gen_proto(IPPROTO_PIM, Q_IP, Q_DEFAULT);
2965 #ifdef INET6
2966 b0 = gen_proto(IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
2967 gen_or(b0, b1);
2968 #endif
2969 break;
2970
2971 #ifndef IPPROTO_VRRP
2972 #define IPPROTO_VRRP 112
2973 #endif
2974
2975 case Q_VRRP:
2976 b1 = gen_proto(IPPROTO_VRRP, Q_IP, Q_DEFAULT);
2977 break;
2978
2979 case Q_IP:
2980 b1 = gen_linktype(ETHERTYPE_IP);
2981 break;
2982
2983 case Q_ARP:
2984 b1 = gen_linktype(ETHERTYPE_ARP);
2985 break;
2986
2987 case Q_RARP:
2988 b1 = gen_linktype(ETHERTYPE_REVARP);
2989 break;
2990
2991 case Q_LINK:
2992 bpf_error("link layer applied in wrong context");
2993
2994 case Q_ATALK:
2995 b1 = gen_linktype(ETHERTYPE_ATALK);
2996 break;
2997
2998 case Q_AARP:
2999 b1 = gen_linktype(ETHERTYPE_AARP);
3000 break;
3001
3002 case Q_DECNET:
3003 b1 = gen_linktype(ETHERTYPE_DN);
3004 break;
3005
3006 case Q_SCA:
3007 b1 = gen_linktype(ETHERTYPE_SCA);
3008 break;
3009
3010 case Q_LAT:
3011 b1 = gen_linktype(ETHERTYPE_LAT);
3012 break;
3013
3014 case Q_MOPDL:
3015 b1 = gen_linktype(ETHERTYPE_MOPDL);
3016 break;
3017
3018 case Q_MOPRC:
3019 b1 = gen_linktype(ETHERTYPE_MOPRC);
3020 break;
3021
3022 #ifdef INET6
3023 case Q_IPV6:
3024 b1 = gen_linktype(ETHERTYPE_IPV6);
3025 break;
3026
3027 #ifndef IPPROTO_ICMPV6
3028 #define IPPROTO_ICMPV6 58
3029 #endif
3030 case Q_ICMPV6:
3031 b1 = gen_proto(IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
3032 break;
3033 #endif /* INET6 */
3034
3035 #ifndef IPPROTO_AH
3036 #define IPPROTO_AH 51
3037 #endif
3038 case Q_AH:
3039 b1 = gen_proto(IPPROTO_AH, Q_IP, Q_DEFAULT);
3040 #ifdef INET6
3041 b0 = gen_proto(IPPROTO_AH, Q_IPV6, Q_DEFAULT);
3042 gen_or(b0, b1);
3043 #endif
3044 break;
3045
3046 #ifndef IPPROTO_ESP
3047 #define IPPROTO_ESP 50
3048 #endif
3049 case Q_ESP:
3050 b1 = gen_proto(IPPROTO_ESP, Q_IP, Q_DEFAULT);
3051 #ifdef INET6
3052 b0 = gen_proto(IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
3053 gen_or(b0, b1);
3054 #endif
3055 break;
3056
3057 case Q_ISO:
3058 b1 = gen_linktype(LLCSAP_ISONS);
3059 break;
3060
3061 case Q_ESIS:
3062 b1 = gen_proto(ISO9542_ESIS, Q_ISO, Q_DEFAULT);
3063 break;
3064
3065 case Q_ISIS:
3066 b1 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3067 break;
3068
3069 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
3070 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3071 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3072 gen_or(b0, b1);
3073 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3074 gen_or(b0, b1);
3075 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3076 gen_or(b0, b1);
3077 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3078 gen_or(b0, b1);
3079 break;
3080
3081 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
3082 b0 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3083 b1 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
3084 gen_or(b0, b1);
3085 b0 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3086 gen_or(b0, b1);
3087 b0 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3088 gen_or(b0, b1);
3089 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3090 gen_or(b0, b1);
3091 break;
3092
3093 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
3094 b0 = gen_proto(ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
3095 b1 = gen_proto(ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
3096 gen_or(b0, b1);
3097 b0 = gen_proto(ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
3098 gen_or(b0, b1);
3099 break;
3100
3101 case Q_ISIS_LSP:
3102 b0 = gen_proto(ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
3103 b1 = gen_proto(ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
3104 gen_or(b0, b1);
3105 break;
3106
3107 case Q_ISIS_SNP:
3108 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3109 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3110 gen_or(b0, b1);
3111 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3112 gen_or(b0, b1);
3113 b0 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3114 gen_or(b0, b1);
3115 break;
3116
3117 case Q_ISIS_CSNP:
3118 b0 = gen_proto(ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
3119 b1 = gen_proto(ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
3120 gen_or(b0, b1);
3121 break;
3122
3123 case Q_ISIS_PSNP:
3124 b0 = gen_proto(ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
3125 b1 = gen_proto(ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
3126 gen_or(b0, b1);
3127 break;
3128
3129 case Q_CLNP:
3130 b1 = gen_proto(ISO8473_CLNP, Q_ISO, Q_DEFAULT);
3131 break;
3132
3133 case Q_STP:
3134 b1 = gen_linktype(LLCSAP_8021D);
3135 break;
3136
3137 case Q_IPX:
3138 b1 = gen_linktype(LLCSAP_IPX);
3139 break;
3140
3141 case Q_NETBEUI:
3142 b1 = gen_linktype(LLCSAP_NETBEUI);
3143 break;
3144
3145 default:
3146 abort();
3147 }
3148 return b1;
3149 }
3150
3151 static struct block *
3152 gen_ipfrag()
3153 {
3154 struct slist *s;
3155 struct block *b;
3156
3157 /* not ip frag */
3158 s = new_stmt(BPF_LD|BPF_H|BPF_ABS);
3159 s->s.k = off_nl + 6;
3160 b = new_block(JMP(BPF_JSET));
3161 b->s.k = 0x1fff;
3162 b->stmts = s;
3163 gen_not(b);
3164
3165 return b;
3166 }
3167
3168 static struct block *
3169 gen_portatom(off, v)
3170 int off;
3171 bpf_int32 v;
3172 {
3173 struct slist *s;
3174 struct block *b;
3175
3176 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3177 s->s.k = off_nl;
3178
3179 s->next = new_stmt(BPF_LD|BPF_IND|BPF_H);
3180 s->next->s.k = off_nl + off;
3181
3182 b = new_block(JMP(BPF_JEQ));
3183 b->stmts = s;
3184 b->s.k = v;
3185
3186 return b;
3187 }
3188
3189 #ifdef INET6
3190 static struct block *
3191 gen_portatom6(off, v)
3192 int off;
3193 bpf_int32 v;
3194 {
3195 return gen_cmp(off_nl + 40 + off, BPF_H, v);
3196 }
3197 #endif/*INET6*/
3198
3199 struct block *
3200 gen_portop(port, proto, dir)
3201 int port, proto, dir;
3202 {
3203 struct block *b0, *b1, *tmp;
3204
3205 /* ip proto 'proto' */
3206 tmp = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)proto);
3207 b0 = gen_ipfrag();
3208 gen_and(tmp, b0);
3209
3210 switch (dir) {
3211 case Q_SRC:
3212 b1 = gen_portatom(0, (bpf_int32)port);
3213 break;
3214
3215 case Q_DST:
3216 b1 = gen_portatom(2, (bpf_int32)port);
3217 break;
3218
3219 case Q_OR:
3220 case Q_DEFAULT:
3221 tmp = gen_portatom(0, (bpf_int32)port);
3222 b1 = gen_portatom(2, (bpf_int32)port);
3223 gen_or(tmp, b1);
3224 break;
3225
3226 case Q_AND:
3227 tmp = gen_portatom(0, (bpf_int32)port);
3228 b1 = gen_portatom(2, (bpf_int32)port);
3229 gen_and(tmp, b1);
3230 break;
3231
3232 default:
3233 abort();
3234 }
3235 gen_and(b0, b1);
3236
3237 return b1;
3238 }
3239
3240 static struct block *
3241 gen_port(port, ip_proto, dir)
3242 int port;
3243 int ip_proto;
3244 int dir;
3245 {
3246 struct block *b0, *b1, *tmp;
3247
3248 /*
3249 * ether proto ip
3250 *
3251 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3252 * not LLC encapsulation with LLCSAP_IP.
3253 *
3254 * For IEEE 802 networks - which includes 802.5 token ring
3255 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3256 * says that SNAP encapsulation is used, not LLC encapsulation
3257 * with LLCSAP_IP.
3258 *
3259 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3260 * RFC 2225 say that SNAP encapsulation is used, not LLC
3261 * encapsulation with LLCSAP_IP.
3262 *
3263 * So we always check for ETHERTYPE_IP.
3264 */
3265 b0 = gen_linktype(ETHERTYPE_IP);
3266
3267 switch (ip_proto) {
3268 case IPPROTO_UDP:
3269 case IPPROTO_TCP:
3270 case IPPROTO_SCTP:
3271 b1 = gen_portop(port, ip_proto, dir);
3272 break;
3273
3274 case PROTO_UNDEF:
3275 tmp = gen_portop(port, IPPROTO_TCP, dir);
3276 b1 = gen_portop(port, IPPROTO_UDP, dir);
3277 gen_or(tmp, b1);
3278 tmp = gen_portop(port, IPPROTO_SCTP, dir);
3279 gen_or(tmp, b1);
3280 break;
3281
3282 default:
3283 abort();
3284 }
3285 gen_and(b0, b1);
3286 return b1;
3287 }
3288
3289 #ifdef INET6
3290 struct block *
3291 gen_portop6(port, proto, dir)
3292 int port, proto, dir;
3293 {
3294 struct block *b0, *b1, *tmp;
3295
3296 /* ip proto 'proto' */
3297 b0 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)proto);
3298
3299 switch (dir) {
3300 case Q_SRC:
3301 b1 = gen_portatom6(0, (bpf_int32)port);
3302 break;
3303
3304 case Q_DST:
3305 b1 = gen_portatom6(2, (bpf_int32)port);
3306 break;
3307
3308 case Q_OR:
3309 case Q_DEFAULT:
3310 tmp = gen_portatom6(0, (bpf_int32)port);
3311 b1 = gen_portatom6(2, (bpf_int32)port);
3312 gen_or(tmp, b1);
3313 break;
3314
3315 case Q_AND:
3316 tmp = gen_portatom6(0, (bpf_int32)port);
3317 b1 = gen_portatom6(2, (bpf_int32)port);
3318 gen_and(tmp, b1);
3319 break;
3320
3321 default:
3322 abort();
3323 }
3324 gen_and(b0, b1);
3325
3326 return b1;
3327 }
3328
3329 static struct block *
3330 gen_port6(port, ip_proto, dir)
3331 int port;
3332 int ip_proto;
3333 int dir;
3334 {
3335 struct block *b0, *b1, *tmp;
3336
3337 /* ether proto ip */
3338 b0 = gen_linktype(ETHERTYPE_IPV6);
3339
3340 switch (ip_proto) {
3341 case IPPROTO_UDP:
3342 case IPPROTO_TCP:
3343 case IPPROTO_SCTP:
3344 b1 = gen_portop6(port, ip_proto, dir);
3345 break;
3346
3347 case PROTO_UNDEF:
3348 tmp = gen_portop6(port, IPPROTO_TCP, dir);
3349 b1 = gen_portop6(port, IPPROTO_UDP, dir);
3350 gen_or(tmp, b1);
3351 tmp = gen_portop6(port, IPPROTO_SCTP, dir);
3352 gen_or(tmp, b1);
3353 break;
3354
3355 default:
3356 abort();
3357 }
3358 gen_and(b0, b1);
3359 return b1;
3360 }
3361 #endif /* INET6 */
3362
3363 static int
3364 lookup_proto(name, proto)
3365 register const char *name;
3366 register int proto;
3367 {
3368 register int v;
3369
3370 switch (proto) {
3371
3372 case Q_DEFAULT:
3373 case Q_IP:
3374 case Q_IPV6:
3375 v = pcap_nametoproto(name);
3376 if (v == PROTO_UNDEF)
3377 bpf_error("unknown ip proto '%s'", name);
3378 break;
3379
3380 case Q_LINK:
3381 /* XXX should look up h/w protocol type based on linktype */
3382 v = pcap_nametoeproto(name);
3383 if (v == PROTO_UNDEF) {
3384 v = pcap_nametollc(name);
3385 if (v == PROTO_UNDEF)
3386 bpf_error("unknown ether proto '%s'", name);
3387 }
3388 break;
3389
3390 case Q_ISO:
3391 if (strcmp(name, "esis") == 0)
3392 v = ISO9542_ESIS;
3393 else if (strcmp(name, "isis") == 0)
3394 v = ISO10589_ISIS;
3395 else if (strcmp(name, "clnp") == 0)
3396 v = ISO8473_CLNP;
3397 else
3398 bpf_error("unknown osi proto '%s'", name);
3399 break;
3400
3401 default:
3402 v = PROTO_UNDEF;
3403 break;
3404 }
3405 return v;
3406 }
3407
3408 #if 0
3409 struct stmt *
3410 gen_joinsp(s, n)
3411 struct stmt **s;
3412 int n;
3413 {
3414 return NULL;
3415 }
3416 #endif
3417
3418 static struct block *
3419 gen_protochain(v, proto, dir)
3420 int v;
3421 int proto;
3422 int dir;
3423 {
3424 #ifdef NO_PROTOCHAIN
3425 return gen_proto(v, proto, dir);
3426 #else
3427 struct block *b0, *b;
3428 struct slist *s[100];
3429 int fix2, fix3, fix4, fix5;
3430 int ahcheck, again, end;
3431 int i, max;
3432 int reg2 = alloc_reg();
3433
3434 memset(s, 0, sizeof(s));
3435 fix2 = fix3 = fix4 = fix5 = 0;
3436
3437 switch (proto) {
3438 case Q_IP:
3439 case Q_IPV6:
3440 break;
3441 case Q_DEFAULT:
3442 b0 = gen_protochain(v, Q_IP, dir);
3443 b = gen_protochain(v, Q_IPV6, dir);
3444 gen_or(b0, b);
3445 return b;
3446 default:
3447 bpf_error("bad protocol applied for 'protochain'");
3448 /*NOTREACHED*/
3449 }
3450
3451 no_optimize = 1; /*this code is not compatible with optimzer yet */
3452
3453 /*
3454 * s[0] is a dummy entry to protect other BPF insn from damaged
3455 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
3456 * hard to find interdependency made by jump table fixup.
3457 */
3458 i = 0;
3459 s[i] = new_stmt(0); /*dummy*/
3460 i++;
3461
3462 switch (proto) {
3463 case Q_IP:
3464 b0 = gen_linktype(ETHERTYPE_IP);
3465
3466 /* A = ip->ip_p */
3467 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3468 s[i]->s.k = off_nl + 9;
3469 i++;
3470 /* X = ip->ip_hl << 2 */
3471 s[i] = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
3472 s[i]->s.k = off_nl;
3473 i++;
3474 break;
3475 #ifdef INET6
3476 case Q_IPV6:
3477 b0 = gen_linktype(ETHERTYPE_IPV6);
3478
3479 /* A = ip6->ip_nxt */
3480 s[i] = new_stmt(BPF_LD|BPF_ABS|BPF_B);
3481 s[i]->s.k = off_nl + 6;
3482 i++;
3483 /* X = sizeof(struct ip6_hdr) */
3484 s[i] = new_stmt(BPF_LDX|BPF_IMM);
3485 s[i]->s.k = 40;
3486 i++;
3487 break;
3488 #endif
3489 default:
3490 bpf_error("unsupported proto to gen_protochain");
3491 /*NOTREACHED*/
3492 }
3493
3494 /* again: if (A == v) goto end; else fall through; */
3495 again = i;
3496 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3497 s[i]->s.k = v;
3498 s[i]->s.jt = NULL; /*later*/
3499 s[i]->s.jf = NULL; /*update in next stmt*/
3500 fix5 = i;
3501 i++;
3502
3503 #ifndef IPPROTO_NONE
3504 #define IPPROTO_NONE 59
3505 #endif
3506 /* if (A == IPPROTO_NONE) goto end */
3507 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3508 s[i]->s.jt = NULL; /*later*/
3509 s[i]->s.jf = NULL; /*update in next stmt*/
3510 s[i]->s.k = IPPROTO_NONE;
3511 s[fix5]->s.jf = s[i];
3512 fix2 = i;
3513 i++;
3514
3515 #ifdef INET6
3516 if (proto == Q_IPV6) {
3517 int v6start, v6end, v6advance, j;
3518
3519 v6start = i;
3520 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
3521 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3522 s[i]->s.jt = NULL; /*later*/
3523 s[i]->s.jf = NULL; /*update in next stmt*/
3524 s[i]->s.k = IPPROTO_HOPOPTS;
3525 s[fix2]->s.jf = s[i];
3526 i++;
3527 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
3528 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3529 s[i]->s.jt = NULL; /*later*/
3530 s[i]->s.jf = NULL; /*update in next stmt*/
3531 s[i]->s.k = IPPROTO_DSTOPTS;
3532 i++;
3533 /* if (A == IPPROTO_ROUTING) goto v6advance */
3534 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3535 s[i]->s.jt = NULL; /*later*/
3536 s[i]->s.jf = NULL; /*update in next stmt*/
3537 s[i]->s.k = IPPROTO_ROUTING;
3538 i++;
3539 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
3540 s[i - 1]->s.jf = s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3541 s[i]->s.jt = NULL; /*later*/
3542 s[i]->s.jf = NULL; /*later*/
3543 s[i]->s.k = IPPROTO_FRAGMENT;
3544 fix3 = i;
3545 v6end = i;
3546 i++;
3547
3548 /* v6advance: */
3549 v6advance = i;
3550
3551 /*
3552 * in short,
3553 * A = P[X];
3554 * X = X + (P[X + 1] + 1) * 8;
3555 */
3556 /* A = X */
3557 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3558 i++;
3559 /* A = P[X + packet head] */
3560 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3561 s[i]->s.k = off_nl;
3562 i++;
3563 /* MEM[reg2] = A */
3564 s[i] = new_stmt(BPF_ST);
3565 s[i]->s.k = reg2;
3566 i++;
3567 /* A = X */
3568 s[i] = new_stmt(BPF_MISC|BPF_TXA);
3569 i++;
3570 /* A += 1 */
3571 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3572 s[i]->s.k = 1;
3573 i++;
3574 /* X = A */
3575 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3576 i++;
3577 /* A = P[X + packet head]; */
3578 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3579 s[i]->s.k = off_nl;
3580 i++;
3581 /* A += 1 */
3582 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3583 s[i]->s.k = 1;
3584 i++;
3585 /* A *= 8 */
3586 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3587 s[i]->s.k = 8;
3588 i++;
3589 /* X = A; */
3590 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3591 i++;
3592 /* A = MEM[reg2] */
3593 s[i] = new_stmt(BPF_LD|BPF_MEM);
3594 s[i]->s.k = reg2;
3595 i++;
3596
3597 /* goto again; (must use BPF_JA for backward jump) */
3598 s[i] = new_stmt(BPF_JMP|BPF_JA);
3599 s[i]->s.k = again - i - 1;
3600 s[i - 1]->s.jf = s[i];
3601 i++;
3602
3603 /* fixup */
3604 for (j = v6start; j <= v6end; j++)
3605 s[j]->s.jt = s[v6advance];
3606 } else
3607 #endif
3608 {
3609 /* nop */
3610 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3611 s[i]->s.k = 0;
3612 s[fix2]->s.jf = s[i];
3613 i++;
3614 }
3615
3616 /* ahcheck: */
3617 ahcheck = i;
3618 /* if (A == IPPROTO_AH) then fall through; else goto end; */
3619 s[i] = new_stmt(BPF_JMP|BPF_JEQ|BPF_K);
3620 s[i]->s.jt = NULL; /*later*/
3621 s[i]->s.jf = NULL; /*later*/
3622 s[i]->s.k = IPPROTO_AH;
3623 if (fix3)
3624 s[fix3]->s.jf = s[ahcheck];
3625 fix4 = i;
3626 i++;
3627
3628 /*
3629 * in short,
3630 * A = P[X];
3631 * X = X + (P[X + 1] + 2) * 4;
3632 */
3633 /* A = X */
3634 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3635 i++;
3636 /* A = P[X + packet head]; */
3637 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3638 s[i]->s.k = off_nl;
3639 i++;
3640 /* MEM[reg2] = A */
3641 s[i] = new_stmt(BPF_ST);
3642 s[i]->s.k = reg2;
3643 i++;
3644 /* A = X */
3645 s[i - 1]->s.jt = s[i] = new_stmt(BPF_MISC|BPF_TXA);
3646 i++;
3647 /* A += 1 */
3648 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3649 s[i]->s.k = 1;
3650 i++;
3651 /* X = A */
3652 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3653 i++;
3654 /* A = P[X + packet head] */
3655 s[i] = new_stmt(BPF_LD|BPF_IND|BPF_B);
3656 s[i]->s.k = off_nl;
3657 i++;
3658 /* A += 2 */
3659 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3660 s[i]->s.k = 2;
3661 i++;
3662 /* A *= 4 */
3663 s[i] = new_stmt(BPF_ALU|BPF_MUL|BPF_K);
3664 s[i]->s.k = 4;
3665 i++;
3666 /* X = A; */
3667 s[i] = new_stmt(BPF_MISC|BPF_TAX);
3668 i++;
3669 /* A = MEM[reg2] */
3670 s[i] = new_stmt(BPF_LD|BPF_MEM);
3671 s[i]->s.k = reg2;
3672 i++;
3673
3674 /* goto again; (must use BPF_JA for backward jump) */
3675 s[i] = new_stmt(BPF_JMP|BPF_JA);
3676 s[i]->s.k = again - i - 1;
3677 i++;
3678
3679 /* end: nop */
3680 end = i;
3681 s[i] = new_stmt(BPF_ALU|BPF_ADD|BPF_K);
3682 s[i]->s.k = 0;
3683 s[fix2]->s.jt = s[end];
3684 s[fix4]->s.jf = s[end];
3685 s[fix5]->s.jt = s[end];
3686 i++;
3687
3688 /*
3689 * make slist chain
3690 */
3691 max = i;
3692 for (i = 0; i < max - 1; i++)
3693 s[i]->next = s[i + 1];
3694 s[max - 1]->next = NULL;
3695
3696 /*
3697 * emit final check
3698 */
3699 b = new_block(JMP(BPF_JEQ));
3700 b->stmts = s[1]; /*remember, s[0] is dummy*/
3701 b->s.k = v;
3702
3703 free_reg(reg2);
3704
3705 gen_and(b0, b);
3706 return b;
3707 #endif
3708 }
3709
3710 static struct block *
3711 gen_proto(v, proto, dir)
3712 int v;
3713 int proto;
3714 int dir;
3715 {
3716 struct block *b0, *b1;
3717
3718 if (dir != Q_DEFAULT)
3719 bpf_error("direction applied to 'proto'");
3720
3721 switch (proto) {
3722 case Q_DEFAULT:
3723 #ifdef INET6
3724 b0 = gen_proto(v, Q_IP, dir);
3725 b1 = gen_proto(v, Q_IPV6, dir);
3726 gen_or(b0, b1);
3727 return b1;
3728 #else
3729 /*FALLTHROUGH*/
3730 #endif
3731 case Q_IP:
3732 /*
3733 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
3734 * not LLC encapsulation with LLCSAP_IP.
3735 *
3736 * For IEEE 802 networks - which includes 802.5 token ring
3737 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
3738 * says that SNAP encapsulation is used, not LLC encapsulation
3739 * with LLCSAP_IP.
3740 *
3741 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
3742 * RFC 2225 say that SNAP encapsulation is used, not LLC
3743 * encapsulation with LLCSAP_IP.
3744 *
3745 * So we always check for ETHERTYPE_IP.
3746 */
3747 b0 = gen_linktype(ETHERTYPE_IP);
3748 #ifndef CHASE_CHAIN
3749 b1 = gen_cmp(off_nl + 9, BPF_B, (bpf_int32)v);
3750 #else
3751 b1 = gen_protochain(v, Q_IP);
3752 #endif
3753 gen_and(b0, b1);
3754 return b1;
3755
3756 case Q_ISO:
3757 switch (linktype) {
3758
3759 case DLT_FRELAY:
3760 /*
3761 * Frame Relay packets typically have an OSI
3762 * NLPID at the beginning; "gen_linktype(LLCSAP_ISONS)"
3763 * generates code to check for all the OSI
3764 * NLPIDs, so calling it and then adding a check
3765 * for the particular NLPID for which we're
3766 * looking is bogus, as we can just check for
3767 * the NLPID.
3768 *
3769 * What we check for is the NLPID and a frame
3770 * control field value of UI, i.e. 0x03 followed
3771 * by the NLPID.
3772 *
3773 * XXX - assumes a 2-byte Frame Relay header with
3774 * DLCI and flags. What if the address is longer?
3775 *
3776 * XXX - what about SNAP-encapsulated frames?
3777 */
3778 return gen_cmp(2, BPF_H, (0x03<<8) | v);
3779 /*NOTREACHED*/
3780 break;
3781
3782 case DLT_C_HDLC:
3783 /*
3784 * Cisco uses an Ethertype lookalike - for OSI,
3785 * it's 0xfefe.
3786 */
3787 b0 = gen_linktype(LLCSAP_ISONS<<8 | LLCSAP_ISONS);
3788 /* OSI in C-HDLC is stuffed with a fudge byte */
3789 b1 = gen_cmp(off_nl_nosnap+1, BPF_B, (long)v);
3790 gen_and(b0, b1);
3791 return b1;
3792
3793 default:
3794 b0 = gen_linktype(LLCSAP_ISONS);
3795 b1 = gen_cmp(off_nl_nosnap, BPF_B, (long)v);
3796 gen_and(b0, b1);
3797 return b1;
3798 }
3799
3800 case Q_ISIS:
3801 b0 = gen_proto(ISO10589_ISIS, Q_ISO, Q_DEFAULT);
3802 /*
3803 * 4 is the offset of the PDU type relative to the IS-IS
3804 * header.
3805 */
3806 b1 = gen_cmp(off_nl_nosnap+4, BPF_B, (long)v);
3807 gen_and(b0, b1);
3808 return b1;
3809
3810 case Q_ARP:
3811 bpf_error("arp does not encapsulate another protocol");
3812 /* NOTREACHED */
3813
3814 case Q_RARP:
3815 bpf_error("rarp does not encapsulate another protocol");
3816 /* NOTREACHED */
3817
3818 case Q_ATALK:
3819 bpf_error("atalk encapsulation is not specifiable");
3820 /* NOTREACHED */
3821
3822 case Q_DECNET:
3823 bpf_error("decnet encapsulation is not specifiable");
3824 /* NOTREACHED */
3825
3826 case Q_SCA:
3827 bpf_error("sca does not encapsulate another protocol");
3828 /* NOTREACHED */
3829
3830 case Q_LAT:
3831 bpf_error("lat does not encapsulate another protocol");
3832 /* NOTREACHED */
3833
3834 case Q_MOPRC:
3835 bpf_error("moprc does not encapsulate another protocol");
3836 /* NOTREACHED */
3837
3838 case Q_MOPDL:
3839 bpf_error("mopdl does not encapsulate another protocol");
3840 /* NOTREACHED */
3841
3842 case Q_LINK:
3843 return gen_linktype(v);
3844
3845 case Q_UDP:
3846 bpf_error("'udp proto' is bogus");
3847 /* NOTREACHED */
3848
3849 case Q_TCP:
3850 bpf_error("'tcp proto' is bogus");
3851 /* NOTREACHED */
3852
3853 case Q_SCTP:
3854 bpf_error("'sctp proto' is bogus");
3855 /* NOTREACHED */
3856
3857 case Q_ICMP:
3858 bpf_error("'icmp proto' is bogus");
3859 /* NOTREACHED */
3860
3861 case Q_IGMP:
3862 bpf_error("'igmp proto' is bogus");
3863 /* NOTREACHED */
3864
3865 case Q_IGRP:
3866 bpf_error("'igrp proto' is bogus");
3867 /* NOTREACHED */
3868
3869 case Q_PIM:
3870 bpf_error("'pim proto' is bogus");
3871 /* NOTREACHED */
3872
3873 case Q_VRRP:
3874 bpf_error("'vrrp proto' is bogus");
3875 /* NOTREACHED */
3876
3877 #ifdef INET6
3878 case Q_IPV6:
3879 b0 = gen_linktype(ETHERTYPE_IPV6);
3880 #ifndef CHASE_CHAIN
3881 b1 = gen_cmp(off_nl + 6, BPF_B, (bpf_int32)v);
3882 #else
3883 b1 = gen_protochain(v, Q_IPV6);
3884 #endif
3885 gen_and(b0, b1);
3886 return b1;
3887
3888 case Q_ICMPV6:
3889 bpf_error("'icmp6 proto' is bogus");
3890 #endif /* INET6 */
3891
3892 case Q_AH:
3893 bpf_error("'ah proto' is bogus");
3894
3895 case Q_ESP:
3896 bpf_error("'ah proto' is bogus");
3897
3898 case Q_STP:
3899 bpf_error("'stp proto' is bogus");
3900
3901 case Q_IPX:
3902 bpf_error("'ipx proto' is bogus");
3903
3904 case Q_NETBEUI:
3905 bpf_error("'netbeui proto' is bogus");
3906
3907 default:
3908 abort();
3909 /* NOTREACHED */
3910 }
3911 /* NOTREACHED */
3912 }
3913
3914 struct block *
3915 gen_scode(name, q)
3916 register const char *name;
3917 struct qual q;
3918 {
3919 int proto = q.proto;
3920 int dir = q.dir;
3921 int tproto;
3922 u_char *eaddr;
3923 bpf_u_int32 mask, addr;
3924 #ifndef INET6
3925 bpf_u_int32 **alist;
3926 #else
3927 int tproto6;
3928 struct sockaddr_in *sin;
3929 struct sockaddr_in6 *sin6;
3930 struct addrinfo *res, *res0;
3931 struct in6_addr mask128;
3932 #endif /*INET6*/
3933 struct block *b, *tmp;
3934 int port, real_proto;
3935
3936 switch (q.addr) {
3937
3938 case Q_NET:
3939 addr = pcap_nametonetaddr(name);
3940 if (addr == 0)
3941 bpf_error("unknown network '%s'", name);
3942 /* Left justify network addr and calculate its network mask */
3943 mask = 0xffffffff;
3944 while (addr && (addr & 0xff000000) == 0) {
3945 addr <<= 8;
3946 mask <<= 8;
3947 }
3948 return gen_host(addr, mask, proto, dir);
3949
3950 case Q_DEFAULT:
3951 case Q_HOST:
3952 if (proto == Q_LINK) {
3953 switch (linktype) {
3954
3955 case DLT_EN10MB:
3956 eaddr = pcap_ether_hostton(name);
3957 if (eaddr == NULL)
3958 bpf_error(
3959 "unknown ether host '%s'", name);
3960 b = gen_ehostop(eaddr, dir);
3961 free(eaddr);
3962 return b;
3963
3964 case DLT_FDDI:
3965 eaddr = pcap_ether_hostton(name);
3966 if (eaddr == NULL)
3967 bpf_error(
3968 "unknown FDDI host '%s'", name);
3969 b = gen_fhostop(eaddr, dir);
3970 free(eaddr);
3971 return b;
3972
3973 case DLT_IEEE802:
3974 eaddr = pcap_ether_hostton(name);
3975 if (eaddr == NULL)
3976 bpf_error(
3977 "unknown token ring host '%s'", name);
3978 b = gen_thostop(eaddr, dir);
3979 free(eaddr);
3980 return b;
3981
3982 case DLT_IEEE802_11:
3983 eaddr = pcap_ether_hostton(name);
3984 if (eaddr == NULL)
3985 bpf_error(
3986 "unknown 802.11 host '%s'", name);
3987 b = gen_wlanhostop(eaddr, dir);
3988 free(eaddr);
3989 return b;
3990
3991 case DLT_IP_OVER_FC:
3992 eaddr = pcap_ether_hostton(name);
3993 if (eaddr == NULL)
3994 bpf_error(
3995 "unknown Fibre Channel host '%s'", name);
3996 b = gen_ipfchostop(eaddr, dir);
3997 free(eaddr);
3998 return b;
3999
4000 case DLT_SUNATM:
4001 if (!is_lane)
4002 break;
4003
4004 /*
4005 * Check that the packet doesn't begin
4006 * with an LE Control marker. (We've
4007 * already generated a test for LANE.)
4008 */
4009 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H,
4010 0xFF00);
4011 gen_not(tmp);
4012
4013 eaddr = pcap_ether_hostton(name);
4014 if (eaddr == NULL)
4015 bpf_error(
4016 "unknown ether host '%s'", name);
4017 b = gen_ehostop(eaddr, dir);
4018 gen_and(tmp, b);
4019 free(eaddr);
4020 return b;
4021 }
4022
4023 bpf_error("only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
4024 } else if (proto == Q_DECNET) {
4025 unsigned short dn_addr = __pcap_nametodnaddr(name);
4026 /*
4027 * I don't think DECNET hosts can be multihomed, so
4028 * there is no need to build up a list of addresses
4029 */
4030 return (gen_host(dn_addr, 0, proto, dir));
4031 } else {
4032 #ifndef INET6
4033 alist = pcap_nametoaddr(name);
4034 if (alist == NULL || *alist == NULL)
4035 bpf_error("unknown host '%s'", name);
4036 tproto = proto;
4037 if (off_linktype == (u_int)-1 && tproto == Q_DEFAULT)
4038 tproto = Q_IP;
4039 b = gen_host(**alist++, 0xffffffff, tproto, dir);
4040 while (*alist) {
4041 tmp = gen_host(**alist++, 0xffffffff,
4042 tproto, dir);
4043 gen_or(b, tmp);
4044 b = tmp;
4045 }
4046 return b;
4047 #else
4048 memset(&mask128, 0xff, sizeof(mask128));
4049 res0 = res = pcap_nametoaddrinfo(name);
4050 if (res == NULL)
4051 bpf_error("unknown host '%s'", name);
4052 b = tmp = NULL;
4053 tproto = tproto6 = proto;
4054 if (off_linktype == -1 && tproto == Q_DEFAULT) {
4055 tproto = Q_IP;
4056 tproto6 = Q_IPV6;
4057 }
4058 for (res = res0; res; res = res->ai_next) {
4059 switch (res->ai_family) {
4060 case AF_INET:
4061 if (tproto == Q_IPV6)
4062 continue;
4063
4064 sin = (struct sockaddr_in *)
4065 res->ai_addr;
4066 tmp = gen_host(ntohl(sin->sin_addr.s_addr),
4067 0xffffffff, tproto, dir);
4068 break;
4069 case AF_INET6:
4070 if (tproto6 == Q_IP)
4071 continue;
4072
4073 sin6 = (struct sockaddr_in6 *)
4074 res->ai_addr;
4075 tmp = gen_host6(&sin6->sin6_addr,
4076 &mask128, tproto6, dir);
4077 break;
4078 default:
4079 continue;
4080 }
4081 if (b)
4082 gen_or(b, tmp);
4083 b = tmp;
4084 }
4085 freeaddrinfo(res0);
4086 if (b == NULL) {
4087 bpf_error("unknown host '%s'%s", name,
4088 (proto == Q_DEFAULT)
4089 ? ""
4090 : " for specified address family");
4091 }
4092 return b;
4093 #endif /*INET6*/
4094 }
4095
4096 case Q_PORT:
4097 if (proto != Q_DEFAULT &&
4098 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
4099 bpf_error("illegal qualifier of 'port'");
4100 if (pcap_nametoport(name, &port, &real_proto) == 0)
4101 bpf_error("unknown port '%s'", name);
4102 if (proto == Q_UDP) {
4103 if (real_proto == IPPROTO_TCP)
4104 bpf_error("port '%s' is tcp", name);
4105 else if (real_proto == IPPROTO_SCTP)
4106 bpf_error("port '%s' is sctp", name);
4107 else
4108 /* override PROTO_UNDEF */
4109 real_proto = IPPROTO_UDP;
4110 }
4111 if (proto == Q_TCP) {
4112 if (real_proto == IPPROTO_UDP)
4113 bpf_error("port '%s' is udp", name);
4114
4115 else if (real_proto == IPPROTO_SCTP)
4116 bpf_error("port '%s' is sctp", name);
4117 else
4118 /* override PROTO_UNDEF */
4119 real_proto = IPPROTO_TCP;
4120 }
4121 if (proto == Q_SCTP) {
4122 if (real_proto == IPPROTO_UDP)
4123 bpf_error("port '%s' is udp", name);
4124
4125 else if (real_proto == IPPROTO_TCP)
4126 bpf_error("port '%s' is tcp", name);
4127 else
4128 /* override PROTO_UNDEF */
4129 real_proto = IPPROTO_SCTP;
4130 }
4131 #ifndef INET6
4132 return gen_port(port, real_proto, dir);
4133 #else
4134 {
4135 struct block *b;
4136 b = gen_port(port, real_proto, dir);
4137 gen_or(gen_port6(port, real_proto, dir), b);
4138 return b;
4139 }
4140 #endif /* INET6 */
4141
4142 case Q_GATEWAY:
4143 #ifndef INET6
4144 eaddr = pcap_ether_hostton(name);
4145 if (eaddr == NULL)
4146 bpf_error("unknown ether host: %s", name);
4147
4148 alist = pcap_nametoaddr(name);
4149 if (alist == NULL || *alist == NULL)
4150 bpf_error("unknown host '%s'", name);
4151 b = gen_gateway(eaddr, alist, proto, dir);
4152 free(eaddr);
4153 return b;
4154 #else
4155 bpf_error("'gateway' not supported in this configuration");
4156 #endif /*INET6*/
4157
4158 case Q_PROTO:
4159 real_proto = lookup_proto(name, proto);
4160 if (real_proto >= 0)
4161 return gen_proto(real_proto, proto, dir);
4162 else
4163 bpf_error("unknown protocol: %s", name);
4164
4165 case Q_PROTOCHAIN:
4166 real_proto = lookup_proto(name, proto);
4167 if (real_proto >= 0)
4168 return gen_protochain(real_proto, proto, dir);
4169 else
4170 bpf_error("unknown protocol: %s", name);
4171
4172
4173 case Q_UNDEF:
4174 syntax();
4175 /* NOTREACHED */
4176 }
4177 abort();
4178 /* NOTREACHED */
4179 }
4180
4181 struct block *
4182 gen_mcode(s1, s2, masklen, q)
4183 register const char *s1, *s2;
4184 register int masklen;
4185 struct qual q;
4186 {
4187 register int nlen, mlen;
4188 bpf_u_int32 n, m;
4189
4190 nlen = __pcap_atoin(s1, &n);
4191 /* Promote short ipaddr */
4192 n <<= 32 - nlen;
4193
4194 if (s2 != NULL) {
4195 mlen = __pcap_atoin(s2, &m);
4196 /* Promote short ipaddr */
4197 m <<= 32 - mlen;
4198 if ((n & ~m) != 0)
4199 bpf_error("non-network bits set in \"%s mask %s\"",
4200 s1, s2);
4201 } else {
4202 /* Convert mask len to mask */
4203 if (masklen > 32)
4204 bpf_error("mask length must be <= 32");
4205 m = 0xffffffff << (32 - masklen);
4206 if ((n & ~m) != 0)
4207 bpf_error("non-network bits set in \"%s/%d\"",
4208 s1, masklen);
4209 }
4210
4211 switch (q.addr) {
4212
4213 case Q_NET:
4214 return gen_host(n, m, q.proto, q.dir);
4215
4216 default:
4217 bpf_error("Mask syntax for networks only");
4218 /* NOTREACHED */
4219 }
4220 /* NOTREACHED */
4221 }
4222
4223 struct block *
4224 gen_ncode(s, v, q)
4225 register const char *s;
4226 bpf_u_int32 v;
4227 struct qual q;
4228 {
4229 bpf_u_int32 mask;
4230 int proto = q.proto;
4231 int dir = q.dir;
4232 register int vlen;
4233
4234 if (s == NULL)
4235 vlen = 32;
4236 else if (q.proto == Q_DECNET)
4237 vlen = __pcap_atodn(s, &v);
4238 else
4239 vlen = __pcap_atoin(s, &v);
4240
4241 switch (q.addr) {
4242
4243 case Q_DEFAULT:
4244 case Q_HOST:
4245 case Q_NET:
4246 if (proto == Q_DECNET)
4247 return gen_host(v, 0, proto, dir);
4248 else if (proto == Q_LINK) {
4249 bpf_error("illegal link layer address");
4250 } else {
4251 mask = 0xffffffff;
4252 if (s == NULL && q.addr == Q_NET) {
4253 /* Promote short net number */
4254 while (v && (v & 0xff000000) == 0) {
4255 v <<= 8;
4256 mask <<= 8;
4257 }
4258 } else {
4259 /* Promote short ipaddr */
4260 v <<= 32 - vlen;
4261 mask <<= 32 - vlen;
4262 }
4263 return gen_host(v, mask, proto, dir);
4264 }
4265
4266 case Q_PORT:
4267 if (proto == Q_UDP)
4268 proto = IPPROTO_UDP;
4269 else if (proto == Q_TCP)
4270 proto = IPPROTO_TCP;
4271 else if (proto == Q_SCTP)
4272 proto = IPPROTO_SCTP;
4273 else if (proto == Q_DEFAULT)
4274 proto = PROTO_UNDEF;
4275 else
4276 bpf_error("illegal qualifier of 'port'");
4277
4278 #ifndef INET6
4279 return gen_port((int)v, proto, dir);
4280 #else
4281 {
4282 struct block *b;
4283 b = gen_port((int)v, proto, dir);
4284 gen_or(gen_port6((int)v, proto, dir), b);
4285 return b;
4286 }
4287 #endif /* INET6 */
4288
4289 case Q_GATEWAY:
4290 bpf_error("'gateway' requires a name");
4291 /* NOTREACHED */
4292
4293 case Q_PROTO:
4294 return gen_proto((int)v, proto, dir);
4295
4296 case Q_PROTOCHAIN:
4297 return gen_protochain((int)v, proto, dir);
4298
4299 case Q_UNDEF:
4300 syntax();
4301 /* NOTREACHED */
4302
4303 default:
4304 abort();
4305 /* NOTREACHED */
4306 }
4307 /* NOTREACHED */
4308 }
4309
4310 #ifdef INET6
4311 struct block *
4312 gen_mcode6(s1, s2, masklen, q)
4313 register const char *s1, *s2;
4314 register int masklen;
4315 struct qual q;
4316 {
4317 struct addrinfo *res;
4318 struct in6_addr *addr;
4319 struct in6_addr mask;
4320 struct block *b;
4321 u_int32_t *a, *m;
4322
4323 if (s2)
4324 bpf_error("no mask %s supported", s2);
4325
4326 res = pcap_nametoaddrinfo(s1);
4327 if (!res)
4328 bpf_error("invalid ip6 address %s", s1);
4329 if (res->ai_next)
4330 bpf_error("%s resolved to multiple address", s1);
4331 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
4332
4333 if (sizeof(mask) * 8 < masklen)
4334 bpf_error("mask length must be <= %u", (unsigned int)(sizeof(mask) * 8));
4335 memset(&mask, 0, sizeof(mask));
4336 memset(&mask, 0xff, masklen / 8);
4337 if (masklen % 8) {
4338 mask.s6_addr[masklen / 8] =
4339 (0xff << (8 - masklen % 8)) & 0xff;
4340 }
4341
4342 a = (u_int32_t *)addr;
4343 m = (u_int32_t *)&mask;
4344 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
4345 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
4346 bpf_error("non-network bits set in \"%s/%d\"", s1, masklen);
4347 }
4348
4349 switch (q.addr) {
4350
4351 case Q_DEFAULT:
4352 case Q_HOST:
4353 if (masklen != 128)
4354 bpf_error("Mask syntax for networks only");
4355 /* FALLTHROUGH */
4356
4357 case Q_NET:
4358 b = gen_host6(addr, &mask, q.proto, q.dir);
4359 freeaddrinfo(res);
4360 return b;
4361
4362 default:
4363 bpf_error("invalid qualifier against IPv6 address");
4364 /* NOTREACHED */
4365 }
4366 }
4367 #endif /*INET6*/
4368
4369 struct block *
4370 gen_ecode(eaddr, q)
4371 register const u_char *eaddr;
4372 struct qual q;
4373 {
4374 struct block *b, *tmp;
4375
4376 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
4377 if (linktype == DLT_EN10MB)
4378 return gen_ehostop(eaddr, (int)q.dir);
4379 if (linktype == DLT_FDDI)
4380 return gen_fhostop(eaddr, (int)q.dir);
4381 if (linktype == DLT_IEEE802)
4382 return gen_thostop(eaddr, (int)q.dir);
4383 if (linktype == DLT_IEEE802_11)
4384 return gen_wlanhostop(eaddr, (int)q.dir);
4385 if (linktype == DLT_SUNATM && is_lane) {
4386 /*
4387 * Check that the packet doesn't begin with an
4388 * LE Control marker. (We've already generated
4389 * a test for LANE.)
4390 */
4391 tmp = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4392 gen_not(tmp);
4393
4394 /*
4395 * Now check the MAC address.
4396 */
4397 b = gen_ehostop(eaddr, (int)q.dir);
4398 gen_and(tmp, b);
4399 return b;
4400 }
4401 if (linktype == DLT_IP_OVER_FC)
4402 return gen_ipfchostop(eaddr, (int)q.dir);
4403 bpf_error("ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
4404 }
4405 bpf_error("ethernet address used in non-ether expression");
4406 /* NOTREACHED */
4407 }
4408
4409 void
4410 sappend(s0, s1)
4411 struct slist *s0, *s1;
4412 {
4413 /*
4414 * This is definitely not the best way to do this, but the
4415 * lists will rarely get long.
4416 */
4417 while (s0->next)
4418 s0 = s0->next;
4419 s0->next = s1;
4420 }
4421
4422 static struct slist *
4423 xfer_to_x(a)
4424 struct arth *a;
4425 {
4426 struct slist *s;
4427
4428 s = new_stmt(BPF_LDX|BPF_MEM);
4429 s->s.k = a->regno;
4430 return s;
4431 }
4432
4433 static struct slist *
4434 xfer_to_a(a)
4435 struct arth *a;
4436 {
4437 struct slist *s;
4438
4439 s = new_stmt(BPF_LD|BPF_MEM);
4440 s->s.k = a->regno;
4441 return s;
4442 }
4443
4444 struct arth *
4445 gen_load(proto, index, size)
4446 int proto;
4447 struct arth *index;
4448 int size;
4449 {
4450 struct slist *s, *tmp;
4451 struct block *b;
4452 int regno = alloc_reg();
4453
4454 free_reg(index->regno);
4455 switch (size) {
4456
4457 default:
4458 bpf_error("data size must be 1, 2, or 4");
4459
4460 case 1:
4461 size = BPF_B;
4462 break;
4463
4464 case 2:
4465 size = BPF_H;
4466 break;
4467
4468 case 4:
4469 size = BPF_W;
4470 break;
4471 }
4472 switch (proto) {
4473 default:
4474 bpf_error("unsupported index operation");
4475
4476 case Q_LINK:
4477 /*
4478 * XXX - what about ATM LANE? Should the index be
4479 * relative to the beginning of the AAL5 frame, so
4480 * that 0 refers to the beginning of the LE Control
4481 * field, or relative to the beginning of the LAN
4482 * frame, so that 0 refers, for Ethernet LANE, to
4483 * the beginning of the destination address?
4484 */
4485 s = xfer_to_x(index);
4486 tmp = new_stmt(BPF_LD|BPF_IND|size);
4487 sappend(s, tmp);
4488 sappend(index->s, s);
4489 break;
4490
4491 case Q_IP:
4492 case Q_ARP:
4493 case Q_RARP:
4494 case Q_ATALK:
4495 case Q_DECNET:
4496 case Q_SCA:
4497 case Q_LAT:
4498 case Q_MOPRC:
4499 case Q_MOPDL:
4500 #ifdef INET6
4501 case Q_IPV6:
4502 #endif
4503 /* XXX Note that we assume a fixed link header here. */
4504 s = xfer_to_x(index);
4505 tmp = new_stmt(BPF_LD|BPF_IND|size);
4506 tmp->s.k = off_nl;
4507 sappend(s, tmp);
4508 sappend(index->s, s);
4509
4510 b = gen_proto_abbrev(proto);
4511 if (index->b)
4512 gen_and(index->b, b);
4513 index->b = b;
4514 break;
4515
4516 case Q_SCTP:
4517 case Q_TCP:
4518 case Q_UDP:
4519 case Q_ICMP:
4520 case Q_IGMP:
4521 case Q_IGRP:
4522 case Q_PIM:
4523 case Q_VRRP:
4524 s = new_stmt(BPF_LDX|BPF_MSH|BPF_B);
4525 s->s.k = off_nl;
4526 sappend(s, xfer_to_a(index));
4527 sappend(s, new_stmt(BPF_ALU|BPF_ADD|BPF_X));
4528 sappend(s, new_stmt(BPF_MISC|BPF_TAX));
4529 sappend(s, tmp = new_stmt(BPF_LD|BPF_IND|size));
4530 tmp->s.k = off_nl;
4531 sappend(index->s, s);
4532
4533 gen_and(gen_proto_abbrev(proto), b = gen_ipfrag());
4534 if (index->b)
4535 gen_and(index->b, b);
4536 #ifdef INET6
4537 gen_and(gen_proto_abbrev(Q_IP), b);
4538 #endif
4539 index->b = b;
4540 break;
4541 #ifdef INET6
4542 case Q_ICMPV6:
4543 bpf_error("IPv6 upper-layer protocol is not supported by proto[x]");
4544 /*NOTREACHED*/
4545 #endif
4546 }
4547 index->regno = regno;
4548 s = new_stmt(BPF_ST);
4549 s->s.k = regno;
4550 sappend(index->s, s);
4551
4552 return index;
4553 }
4554
4555 struct block *
4556 gen_relation(code, a0, a1, reversed)
4557 int code;
4558 struct arth *a0, *a1;
4559 int reversed;
4560 {
4561 struct slist *s0, *s1, *s2;
4562 struct block *b, *tmp;
4563
4564 s0 = xfer_to_x(a1);
4565 s1 = xfer_to_a(a0);
4566 if (code == BPF_JEQ) {
4567 s2 = new_stmt(BPF_ALU|BPF_SUB|BPF_X);
4568 b = new_block(JMP(code));
4569 sappend(s1, s2);
4570 }
4571 else
4572 b = new_block(BPF_JMP|code|BPF_X);
4573 if (reversed)
4574 gen_not(b);
4575
4576 sappend(s0, s1);
4577 sappend(a1->s, s0);
4578 sappend(a0->s, a1->s);
4579
4580 b->stmts = a0->s;
4581
4582 free_reg(a0->regno);
4583 free_reg(a1->regno);
4584
4585 /* 'and' together protocol checks */
4586 if (a0->b) {
4587 if (a1->b) {
4588 gen_and(a0->b, tmp = a1->b);
4589 }
4590 else
4591 tmp = a0->b;
4592 } else
4593 tmp = a1->b;
4594
4595 if (tmp)
4596 gen_and(tmp, b);
4597
4598 return b;
4599 }
4600
4601 struct arth *
4602 gen_loadlen()
4603 {
4604 int regno = alloc_reg();
4605 struct arth *a = (struct arth *)newchunk(sizeof(*a));
4606 struct slist *s;
4607
4608 s = new_stmt(BPF_LD|BPF_LEN);
4609 s->next = new_stmt(BPF_ST);
4610 s->next->s.k = regno;
4611 a->s = s;
4612 a->regno = regno;
4613
4614 return a;
4615 }
4616
4617 struct arth *
4618 gen_loadi(val)
4619 int val;
4620 {
4621 struct arth *a;
4622 struct slist *s;
4623 int reg;
4624
4625 a = (struct arth *)newchunk(sizeof(*a));
4626
4627 reg = alloc_reg();
4628
4629 s = new_stmt(BPF_LD|BPF_IMM);
4630 s->s.k = val;
4631 s->next = new_stmt(BPF_ST);
4632 s->next->s.k = reg;
4633 a->s = s;
4634 a->regno = reg;
4635
4636 return a;
4637 }
4638
4639 struct arth *
4640 gen_neg(a)
4641 struct arth *a;
4642 {
4643 struct slist *s;
4644
4645 s = xfer_to_a(a);
4646 sappend(a->s, s);
4647 s = new_stmt(BPF_ALU|BPF_NEG);
4648 s->s.k = 0;
4649 sappend(a->s, s);
4650 s = new_stmt(BPF_ST);
4651 s->s.k = a->regno;
4652 sappend(a->s, s);
4653
4654 return a;
4655 }
4656
4657 struct arth *
4658 gen_arth(code, a0, a1)
4659 int code;
4660 struct arth *a0, *a1;
4661 {
4662 struct slist *s0, *s1, *s2;
4663
4664 s0 = xfer_to_x(a1);
4665 s1 = xfer_to_a(a0);
4666 s2 = new_stmt(BPF_ALU|BPF_X|code);
4667
4668 sappend(s1, s2);
4669 sappend(s0, s1);
4670 sappend(a1->s, s0);
4671 sappend(a0->s, a1->s);
4672
4673 free_reg(a0->regno);
4674 free_reg(a1->regno);
4675
4676 s0 = new_stmt(BPF_ST);
4677 a0->regno = s0->s.k = alloc_reg();
4678 sappend(a0->s, s0);
4679
4680 return a0;
4681 }
4682
4683 /*
4684 * Here we handle simple allocation of the scratch registers.
4685 * If too many registers are alloc'd, the allocator punts.
4686 */
4687 static int regused[BPF_MEMWORDS];
4688 static int curreg;
4689
4690 /*
4691 * Return the next free register.
4692 */
4693 static int
4694 alloc_reg()
4695 {
4696 int n = BPF_MEMWORDS;
4697
4698 while (--n >= 0) {
4699 if (regused[curreg])
4700 curreg = (curreg + 1) % BPF_MEMWORDS;
4701 else {
4702 regused[curreg] = 1;
4703 return curreg;
4704 }
4705 }
4706 bpf_error("too many registers needed to evaluate expression");
4707 /* NOTREACHED */
4708 }
4709
4710 /*
4711 * Return a register to the table so it can
4712 * be used later.
4713 */
4714 static void
4715 free_reg(n)
4716 int n;
4717 {
4718 regused[n] = 0;
4719 }
4720
4721 static struct block *
4722 gen_len(jmp, n)
4723 int jmp, n;
4724 {
4725 struct slist *s;
4726 struct block *b;
4727
4728 s = new_stmt(BPF_LD|BPF_LEN);
4729 b = new_block(JMP(jmp));
4730 b->stmts = s;
4731 b->s.k = n;
4732
4733 return b;
4734 }
4735
4736 struct block *
4737 gen_greater(n)
4738 int n;
4739 {
4740 return gen_len(BPF_JGE, n);
4741 }
4742
4743 /*
4744 * Actually, this is less than or equal.
4745 */
4746 struct block *
4747 gen_less(n)
4748 int n;
4749 {
4750 struct block *b;
4751
4752 b = gen_len(BPF_JGT, n);
4753 gen_not(b);
4754
4755 return b;
4756 }
4757
4758 struct block *
4759 gen_byteop(op, idx, val)
4760 int op, idx, val;
4761 {
4762 struct block *b;
4763 struct slist *s;
4764
4765 switch (op) {
4766 default:
4767 abort();
4768
4769 case '=':
4770 return gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4771
4772 case '<':
4773 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4774 b->s.code = JMP(BPF_JGE);
4775 gen_not(b);
4776 return b;
4777
4778 case '>':
4779 b = gen_cmp((u_int)idx, BPF_B, (bpf_int32)val);
4780 b->s.code = JMP(BPF_JGT);
4781 return b;
4782
4783 case '|':
4784 s = new_stmt(BPF_ALU|BPF_OR|BPF_K);
4785 break;
4786
4787 case '&':
4788 s = new_stmt(BPF_ALU|BPF_AND|BPF_K);
4789 break;
4790 }
4791 s->s.k = val;
4792 b = new_block(JMP(BPF_JEQ));
4793 b->stmts = s;
4794 gen_not(b);
4795
4796 return b;
4797 }
4798
4799 static u_char abroadcast[] = { 0x0 };
4800
4801 struct block *
4802 gen_broadcast(proto)
4803 int proto;
4804 {
4805 bpf_u_int32 hostmask;
4806 struct block *b0, *b1, *b2;
4807 static u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
4808
4809 switch (proto) {
4810
4811 case Q_DEFAULT:
4812 case Q_LINK:
4813 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4814 return gen_ahostop(abroadcast, Q_DST);
4815 if (linktype == DLT_EN10MB)
4816 return gen_ehostop(ebroadcast, Q_DST);
4817 if (linktype == DLT_FDDI)
4818 return gen_fhostop(ebroadcast, Q_DST);
4819 if (linktype == DLT_IEEE802)
4820 return gen_thostop(ebroadcast, Q_DST);
4821 if (linktype == DLT_IEEE802_11)
4822 return gen_wlanhostop(ebroadcast, Q_DST);
4823 if (linktype == DLT_IP_OVER_FC)
4824 return gen_ipfchostop(ebroadcast, Q_DST);
4825 if (linktype == DLT_SUNATM && is_lane) {
4826 /*
4827 * Check that the packet doesn't begin with an
4828 * LE Control marker. (We've already generated
4829 * a test for LANE.)
4830 */
4831 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
4832 gen_not(b1);
4833
4834 /*
4835 * Now check the MAC address.
4836 */
4837 b0 = gen_ehostop(ebroadcast, Q_DST);
4838 gen_and(b1, b0);
4839 return b0;
4840 }
4841 bpf_error("not a broadcast link");
4842 break;
4843
4844 case Q_IP:
4845 b0 = gen_linktype(ETHERTYPE_IP);
4846 hostmask = ~netmask;
4847 b1 = gen_mcmp(off_nl + 16, BPF_W, (bpf_int32)0, hostmask);
4848 b2 = gen_mcmp(off_nl + 16, BPF_W,
4849 (bpf_int32)(~0 & hostmask), hostmask);
4850 gen_or(b1, b2);
4851 gen_and(b0, b2);
4852 return b2;
4853 }
4854 bpf_error("only link-layer/IP broadcast filters supported");
4855 /* NOTREACHED */
4856 }
4857
4858 /*
4859 * Generate code to test the low-order bit of a MAC address (that's
4860 * the bottom bit of the *first* byte).
4861 */
4862 static struct block *
4863 gen_mac_multicast(offset)
4864 int offset;
4865 {
4866 register struct block *b0;
4867 register struct slist *s;
4868
4869 /* link[offset] & 1 != 0 */
4870 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4871 s->s.k = offset;
4872 b0 = new_block(JMP(BPF_JSET));
4873 b0->s.k = 1;
4874 b0->stmts = s;
4875 return b0;
4876 }
4877
4878 struct block *
4879 gen_multicast(proto)
4880 int proto;
4881 {
4882 register struct block *b0, *b1, *b2;
4883 register struct slist *s;
4884
4885 switch (proto) {
4886
4887 case Q_DEFAULT:
4888 case Q_LINK:
4889 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
4890 /* all ARCnet multicasts use the same address */
4891 return gen_ahostop(abroadcast, Q_DST);
4892
4893 if (linktype == DLT_EN10MB) {
4894 /* ether[0] & 1 != 0 */
4895 return gen_mac_multicast(0);
4896 }
4897
4898 if (linktype == DLT_FDDI) {
4899 /*
4900 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
4901 *
4902 * XXX - was that referring to bit-order issues?
4903 */
4904 /* fddi[1] & 1 != 0 */
4905 return gen_mac_multicast(1);
4906 }
4907
4908 if (linktype == DLT_IEEE802) {
4909 /* tr[2] & 1 != 0 */
4910 return gen_mac_multicast(2);
4911 }
4912
4913 if (linktype == DLT_IEEE802_11) {
4914 /*
4915 * Oh, yuk.
4916 *
4917 * For control frames, there is no DA.
4918 *
4919 * For management frames, DA is at an
4920 * offset of 4 from the beginning of
4921 * the packet.
4922 *
4923 * For data frames, DA is at an offset
4924 * of 4 from the beginning of the packet
4925 * if To DS is clear and at an offset of
4926 * 16 from the beginning of the packet
4927 * if To DS is set.
4928 */
4929
4930 /*
4931 * Generate the tests to be done for data frames.
4932 *
4933 * First, check for To DS set, i.e. "link[1] & 0x01".
4934 */
4935 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4936 s->s.k = 1;
4937 b1 = new_block(JMP(BPF_JSET));
4938 b1->s.k = 0x01; /* To DS */
4939 b1->stmts = s;
4940
4941 /*
4942 * If To DS is set, the DA is at 16.
4943 */
4944 b0 = gen_mac_multicast(16);
4945 gen_and(b1, b0);
4946
4947 /*
4948 * Now, check for To DS not set, i.e. check
4949 * "!(link[1] & 0x01)".
4950 */
4951 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4952 s->s.k = 1;
4953 b2 = new_block(JMP(BPF_JSET));
4954 b2->s.k = 0x01; /* To DS */
4955 b2->stmts = s;
4956 gen_not(b2);
4957
4958 /*
4959 * If To DS is not set, the DA is at 4.
4960 */
4961 b1 = gen_mac_multicast(4);
4962 gen_and(b2, b1);
4963
4964 /*
4965 * Now OR together the last two checks. That gives
4966 * the complete set of checks for data frames.
4967 */
4968 gen_or(b1, b0);
4969
4970 /*
4971 * Now check for a data frame.
4972 * I.e, check "link[0] & 0x08".
4973 */
4974 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4975 s->s.k = 0;
4976 b1 = new_block(JMP(BPF_JSET));
4977 b1->s.k = 0x08;
4978 b1->stmts = s;
4979
4980 /*
4981 * AND that with the checks done for data frames.
4982 */
4983 gen_and(b1, b0);
4984
4985 /*
4986 * If the high-order bit of the type value is 0, this
4987 * is a management frame.
4988 * I.e, check "!(link[0] & 0x08)".
4989 */
4990 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
4991 s->s.k = 0;
4992 b2 = new_block(JMP(BPF_JSET));
4993 b2->s.k = 0x08;
4994 b2->stmts = s;
4995 gen_not(b2);
4996
4997 /*
4998 * For management frames, the DA is at 4.
4999 */
5000 b1 = gen_mac_multicast(4);
5001 gen_and(b2, b1);
5002
5003 /*
5004 * OR that with the checks done for data frames.
5005 * That gives the checks done for management and
5006 * data frames.
5007 */
5008 gen_or(b1, b0);
5009
5010 /*
5011 * If the low-order bit of the type value is 1,
5012 * this is either a control frame or a frame
5013 * with a reserved type, and thus not a
5014 * frame with an SA.
5015 *
5016 * I.e., check "!(link[0] & 0x04)".
5017 */
5018 s = new_stmt(BPF_LD|BPF_B|BPF_ABS);
5019 s->s.k = 0;
5020 b1 = new_block(JMP(BPF_JSET));
5021 b1->s.k = 0x04;
5022 b1->stmts = s;
5023 gen_not(b1);
5024
5025 /*
5026 * AND that with the checks for data and management
5027 * frames.
5028 */
5029 gen_and(b1, b0);
5030 return b0;
5031 }
5032
5033 if (linktype == DLT_IP_OVER_FC) {
5034 b0 = gen_mac_multicast(2);
5035 return b0;
5036 }
5037
5038 if (linktype == DLT_SUNATM && is_lane) {
5039 /*
5040 * Check that the packet doesn't begin with an
5041 * LE Control marker. (We've already generated
5042 * a test for LANE.)
5043 */
5044 b1 = gen_cmp(SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
5045 gen_not(b1);
5046
5047 /* ether[off_mac] & 1 != 0 */
5048 b0 = gen_mac_multicast(off_mac);
5049 gen_and(b1, b0);
5050 return b0;
5051 }
5052
5053 /* Link not known to support multicasts */
5054 break;
5055
5056 case Q_IP:
5057 b0 = gen_linktype(ETHERTYPE_IP);
5058 b1 = gen_cmp(off_nl + 16, BPF_B, (bpf_int32)224);
5059 b1->s.code = JMP(BPF_JGE);
5060 gen_and(b0, b1);
5061 return b1;
5062
5063 #ifdef INET6
5064 case Q_IPV6:
5065 b0 = gen_linktype(ETHERTYPE_IPV6);
5066 b1 = gen_cmp(off_nl + 24, BPF_B, (bpf_int32)255);
5067 gen_and(b0, b1);
5068 return b1;
5069 #endif /* INET6 */
5070 }
5071 bpf_error("link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
5072 /* NOTREACHED */
5073 }
5074
5075 /*
5076 * generate command for inbound/outbound. It's here so we can
5077 * make it link-type specific. 'dir' = 0 implies "inbound",
5078 * = 1 implies "outbound".
5079 */
5080 struct block *
5081 gen_inbound(dir)
5082 int dir;
5083 {
5084 register struct block *b0;
5085
5086 /*
5087 * Only some data link types support inbound/outbound qualifiers.
5088 */
5089 switch (linktype) {
5090 case DLT_SLIP:
5091 b0 = gen_relation(BPF_JEQ,
5092 gen_load(Q_LINK, gen_loadi(0), 1),
5093 gen_loadi(0),
5094 dir);
5095 break;
5096
5097 case DLT_LINUX_SLL:
5098 if (dir) {
5099 /*
5100 * Match packets sent by this machine.
5101 */
5102 b0 = gen_cmp(0, BPF_H, LINUX_SLL_OUTGOING);
5103 } else {
5104 /*
5105 * Match packets sent to this machine.
5106 * (No broadcast or multicast packets, or
5107 * packets sent to some other machine and
5108 * received promiscuously.)
5109 *
5110 * XXX - packets sent to other machines probably
5111 * shouldn't be matched, but what about broadcast
5112 * or multicast packets we received?
5113 */
5114 b0 = gen_cmp(0, BPF_H, LINUX_SLL_HOST);
5115 }
5116 break;
5117
5118 case DLT_PFLOG:
5119 b0 = gen_cmp(offsetof(struct pfloghdr, dir), BPF_B,
5120 (bpf_int32)((dir == 0) ? PF_IN : PF_OUT));
5121 break;
5122
5123 case DLT_PPP_PPPD:
5124 if (dir) {
5125 /* match outgoing packets */
5126 b0 = gen_cmp(0, BPF_B, PPP_PPPD_OUT);
5127 } else {
5128 /* match incoming packets */
5129 b0 = gen_cmp(0, BPF_B, PPP_PPPD_IN);
5130 }
5131 break;
5132
5133 case DLT_JUNIPER_MLFR:
5134 case DLT_JUNIPER_MLPPP:
5135 case DLT_JUNIPER_ATM1:
5136 case DLT_JUNIPER_ATM2:
5137 /* juniper flags (including direction) are stored
5138 * the byte after the 3-byte magic number */
5139 if (dir) {
5140 /* match outgoing packets */
5141 b0 = gen_mcmp(3, BPF_B, 0, 0x01);
5142 } else {
5143 /* match incoming packets */
5144 b0 = gen_mcmp(3, BPF_B, 1, 0x01);
5145 }
5146 break;
5147
5148 default:
5149 bpf_error("inbound/outbound not supported on linktype %d",
5150 linktype);
5151 b0 = NULL;
5152 /* NOTREACHED */
5153 }
5154 return (b0);
5155 }
5156
5157 /* PF firewall log matched interface */
5158 struct block *
5159 gen_pf_ifname(const char *ifname)
5160 {
5161 struct block *b0;
5162 u_int len, off;
5163
5164 if (linktype == DLT_PFLOG) {
5165 len = sizeof(((struct pfloghdr *)0)->ifname);
5166 off = offsetof(struct pfloghdr, ifname);
5167 } else {
5168 bpf_error("ifname not supported on linktype 0x%x", linktype);
5169 /* NOTREACHED */
5170 }
5171 if (strlen(ifname) >= len) {
5172 bpf_error("ifname interface names can only be %d characters",
5173 len-1);
5174 /* NOTREACHED */
5175 }
5176 b0 = gen_bcmp(off, strlen(ifname), (const u_char *)ifname);
5177 return (b0);
5178 }
5179
5180 /* PF firewall log matched interface */
5181 struct block *
5182 gen_pf_ruleset(char *ruleset)
5183 {
5184 struct block *b0;
5185
5186 if (linktype != DLT_PFLOG) {
5187 bpf_error("ruleset not supported on linktype 0x%x", linktype);
5188 /* NOTREACHED */
5189 }
5190 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
5191 bpf_error("ruleset names can only be %ld characters",
5192 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
5193 /* NOTREACHED */
5194 }
5195 b0 = gen_bcmp(offsetof(struct pfloghdr, ruleset),
5196 strlen(ruleset), (const u_char *)ruleset);
5197 return (b0);
5198 }
5199
5200 /* PF firewall log rule number */
5201 struct block *
5202 gen_pf_rnr(int rnr)
5203 {
5204 struct block *b0;
5205
5206 if (linktype == DLT_PFLOG) {
5207 b0 = gen_cmp(offsetof(struct pfloghdr, rulenr), BPF_W,
5208 (bpf_int32)rnr);
5209 } else {
5210 bpf_error("rnr not supported on linktype 0x%x", linktype);
5211 /* NOTREACHED */
5212 }
5213
5214 return (b0);
5215 }
5216
5217 /* PF firewall log sub-rule number */
5218 struct block *
5219 gen_pf_srnr(int srnr)
5220 {
5221 struct block *b0;
5222
5223 if (linktype != DLT_PFLOG) {
5224 bpf_error("srnr not supported on linktype 0x%x", linktype);
5225 /* NOTREACHED */
5226 }
5227
5228 b0 = gen_cmp(offsetof(struct pfloghdr, subrulenr), BPF_W,
5229 (bpf_int32)srnr);
5230 return (b0);
5231 }
5232
5233 /* PF firewall log reason code */
5234 struct block *
5235 gen_pf_reason(int reason)
5236 {
5237 struct block *b0;
5238
5239 if (linktype == DLT_PFLOG) {
5240 b0 = gen_cmp(offsetof(struct pfloghdr, reason), BPF_B,
5241 (bpf_int32)reason);
5242 } else {
5243 bpf_error("reason not supported on linktype 0x%x", linktype);
5244 /* NOTREACHED */
5245 }
5246
5247 return (b0);
5248 }
5249
5250 /* PF firewall log action */
5251 struct block *
5252 gen_pf_action(int action)
5253 {
5254 struct block *b0;
5255
5256 if (linktype == DLT_PFLOG) {
5257 b0 = gen_cmp(offsetof(struct pfloghdr, action), BPF_B,
5258 (bpf_int32)action);
5259 } else {
5260 bpf_error("action not supported on linktype 0x%x", linktype);
5261 /* NOTREACHED */
5262 }
5263
5264 return (b0);
5265 }
5266
5267 struct block *
5268 gen_acode(eaddr, q)
5269 register const u_char *eaddr;
5270 struct qual q;
5271 {
5272 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
5273 if (linktype == DLT_ARCNET || linktype == DLT_ARCNET_LINUX)
5274 return gen_ahostop(eaddr, (int)q.dir);
5275 }
5276 bpf_error("ARCnet address used in non-arc expression");
5277 /* NOTREACHED */
5278 }
5279
5280 static struct block *
5281 gen_ahostop(eaddr, dir)
5282 register const u_char *eaddr;
5283 register int dir;
5284 {
5285 register struct block *b0, *b1;
5286
5287 switch (dir) {
5288 /* src comes first, different from Ethernet */
5289 case Q_SRC:
5290 return gen_bcmp(0, 1, eaddr);
5291
5292 case Q_DST:
5293 return gen_bcmp(1, 1, eaddr);
5294
5295 case Q_AND:
5296 b0 = gen_ahostop(eaddr, Q_SRC);
5297 b1 = gen_ahostop(eaddr, Q_DST);
5298 gen_and(b0, b1);
5299 return b1;
5300
5301 case Q_DEFAULT:
5302 case Q_OR:
5303 b0 = gen_ahostop(eaddr, Q_SRC);
5304 b1 = gen_ahostop(eaddr, Q_DST);
5305 gen_or(b0, b1);
5306 return b1;
5307 }
5308 abort();
5309 /* NOTREACHED */
5310 }
5311
5312 /*
5313 * support IEEE 802.1Q VLAN trunk over ethernet
5314 */
5315 struct block *
5316 gen_vlan(vlan_num)
5317 int vlan_num;
5318 {
5319 struct block *b0;
5320
5321 /*
5322 * Change the offsets to point to the type and data fields within
5323 * the VLAN packet. This is somewhat of a kludge.
5324 */
5325 if (orig_nl == (u_int)-1) {
5326 orig_linktype = off_linktype; /* save original values */
5327 orig_nl = off_nl;
5328 orig_nl_nosnap = off_nl_nosnap;
5329
5330 switch (linktype) {
5331
5332 case DLT_EN10MB:
5333 off_linktype = 16;
5334 off_nl_nosnap = 18;
5335 off_nl = 18;
5336 break;
5337
5338 default:
5339 bpf_error("no VLAN support for data link type %d",
5340 linktype);
5341 /*NOTREACHED*/
5342 }
5343 }
5344
5345 /* check for VLAN */
5346 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_8021Q);
5347
5348 /* If a specific VLAN is requested, check VLAN id */
5349 if (vlan_num >= 0) {
5350 struct block *b1;
5351
5352 b1 = gen_mcmp(orig_nl, BPF_H, (bpf_int32)vlan_num, 0x0fff);
5353 gen_and(b0, b1);
5354 b0 = b1;
5355 }
5356
5357 return (b0);
5358 }
5359
5360 /*
5361 * support for MPLS
5362 */
5363 struct block *
5364 gen_mpls(label_num)
5365 int label_num;
5366 {
5367 struct block *b0;
5368
5369 /*
5370 * Change the offsets to point to the type and data fields within
5371 * the MPLS packet. This is somewhat of a kludge.
5372 */
5373 if (orig_nl == (u_int)-1) {
5374 orig_linktype = off_linktype; /* save original values */
5375 orig_nl = off_nl;
5376 orig_nl_nosnap = off_nl_nosnap;
5377
5378 switch (linktype) {
5379
5380 case DLT_EN10MB:
5381 off_linktype = 16;
5382 off_nl_nosnap = 18;
5383 off_nl = 18;
5384
5385 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_MPLS);
5386 break;
5387
5388 case DLT_PPP:
5389 off_linktype = 6;
5390 off_nl_nosnap = 8;
5391 off_nl = 8;
5392
5393 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)PPP_MPLS_UCAST);
5394 break;
5395
5396 case DLT_C_HDLC:
5397 off_linktype = 6;
5398 off_nl_nosnap = 8;
5399 off_nl = 8;
5400
5401 b0 = gen_cmp(orig_linktype, BPF_H, (bpf_int32)ETHERTYPE_MPLS);
5402 break;
5403
5404 /* FIXME add other DLT_s ...
5405 * for Frame-Relay/and ATM this may get messy due to SNAP headers
5406 * leave it for now */
5407
5408 default:
5409 bpf_error("no MPLS support for data link type %d",
5410 linktype);
5411 /*NOTREACHED*/
5412 }
5413 } else {
5414 bpf_error("'mpls' can't be combined with 'vlan' or another 'mpls'");
5415 /*NOTREACHED*/
5416 }
5417
5418 /* If a specific MPLS label is requested, check it */
5419 if (label_num >= 0) {
5420 struct block *b1;
5421
5422 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
5423 b1 = gen_mcmp(orig_nl, BPF_W, (bpf_int32)label_num, 0xfffff000); /* only compare the first 20 bits */
5424 gen_and(b0, b1);
5425 b0 = b1;
5426 }
5427
5428 return (b0);
5429 }
5430
5431 struct block *
5432 gen_atmfield_code(atmfield, jvalue, jtype, reverse)
5433 int atmfield;
5434 bpf_u_int32 jvalue;
5435 bpf_u_int32 jtype;
5436 int reverse;
5437 {
5438 struct block *b0;
5439
5440 switch (atmfield) {
5441
5442 case A_VPI:
5443 if (!is_atm)
5444 bpf_error("'vpi' supported only on raw ATM");
5445 if (off_vpi == (u_int)-1)
5446 abort();
5447 b0 = gen_ncmp(BPF_B, off_vpi, 0xffffffff, (u_int)jtype,
5448 (u_int)jvalue, reverse);
5449 break;
5450
5451 case A_VCI:
5452 if (!is_atm)
5453 bpf_error("'vci' supported only on raw ATM");
5454 if (off_vci == (u_int)-1)
5455 abort();
5456 b0 = gen_ncmp(BPF_H, off_vci, 0xffffffff, (u_int)jtype,
5457 (u_int)jvalue, reverse);
5458 break;
5459
5460 case A_PROTOTYPE:
5461 if (off_proto == (u_int)-1)
5462 abort(); /* XXX - this isn't on FreeBSD */
5463 b0 = gen_ncmp(BPF_B, off_proto, 0x0f, (u_int)jtype,
5464 (u_int)jvalue, reverse);
5465 break;
5466
5467 case A_MSGTYPE:
5468 if (off_payload == (u_int)-1)
5469 abort();
5470 b0 = gen_ncmp(BPF_B, off_payload + MSG_TYPE_POS, 0xffffffff,
5471 (u_int)jtype, (u_int)jvalue, reverse);
5472 break;
5473
5474 case A_CALLREFTYPE:
5475 if (!is_atm)
5476 bpf_error("'callref' supported only on raw ATM");
5477 if (off_proto == (u_int)-1)
5478 abort();
5479 b0 = gen_ncmp(BPF_B, off_proto, 0xffffffff, (u_int)jtype,
5480 (u_int)jvalue, reverse);
5481 break;
5482
5483 default:
5484 abort();
5485 }
5486 return b0;
5487 }
5488
5489 struct block *
5490 gen_atmtype_abbrev(type)
5491 int type;
5492 {
5493 struct block *b0, *b1;
5494
5495 switch (type) {
5496
5497 case A_METAC:
5498 /* Get all packets in Meta signalling Circuit */
5499 if (!is_atm)
5500 bpf_error("'metac' supported only on raw ATM");
5501 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5502 b1 = gen_atmfield_code(A_VCI, 1, BPF_JEQ, 0);
5503 gen_and(b0, b1);
5504 break;
5505
5506 case A_BCC:
5507 /* Get all packets in Broadcast Circuit*/
5508 if (!is_atm)
5509 bpf_error("'bcc' supported only on raw ATM");
5510 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5511 b1 = gen_atmfield_code(A_VCI, 2, BPF_JEQ, 0);
5512 gen_and(b0, b1);
5513 break;
5514
5515 case A_OAMF4SC:
5516 /* Get all cells in Segment OAM F4 circuit*/
5517 if (!is_atm)
5518 bpf_error("'oam4sc' supported only on raw ATM");
5519 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5520 b1 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5521 gen_and(b0, b1);
5522 break;
5523
5524 case A_OAMF4EC:
5525 /* Get all cells in End-to-End OAM F4 Circuit*/
5526 if (!is_atm)
5527 bpf_error("'oam4ec' supported only on raw ATM");
5528 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5529 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5530 gen_and(b0, b1);
5531 break;
5532
5533 case A_SC:
5534 /* Get all packets in connection Signalling Circuit */
5535 if (!is_atm)
5536 bpf_error("'sc' supported only on raw ATM");
5537 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5538 b1 = gen_atmfield_code(A_VCI, 5, BPF_JEQ, 0);
5539 gen_and(b0, b1);
5540 break;
5541
5542 case A_ILMIC:
5543 /* Get all packets in ILMI Circuit */
5544 if (!is_atm)
5545 bpf_error("'ilmic' supported only on raw ATM");
5546 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5547 b1 = gen_atmfield_code(A_VCI, 16, BPF_JEQ, 0);
5548 gen_and(b0, b1);
5549 break;
5550
5551 case A_LANE:
5552 /* Get all LANE packets */
5553 if (!is_atm)
5554 bpf_error("'lane' supported only on raw ATM");
5555 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
5556
5557 /*
5558 * Arrange that all subsequent tests assume LANE
5559 * rather than LLC-encapsulated packets, and set
5560 * the offsets appropriately for LANE-encapsulated
5561 * Ethernet.
5562 *
5563 * "off_mac" is the offset of the Ethernet header,
5564 * which is 2 bytes past the ATM pseudo-header
5565 * (skipping the pseudo-header and 2-byte LE Client
5566 * field). The other offsets are Ethernet offsets
5567 * relative to "off_mac".
5568 */
5569 is_lane = 1;
5570 off_mac = off_payload + 2; /* MAC header */
5571 off_linktype = off_mac + 12;
5572 off_nl = off_mac + 14; /* Ethernet II */
5573 off_nl_nosnap = off_mac + 17; /* 802.3+802.2 */
5574 break;
5575
5576 case A_LLC:
5577 /* Get all LLC-encapsulated packets */
5578 if (!is_atm)
5579 bpf_error("'llc' supported only on raw ATM");
5580 b1 = gen_atmfield_code(A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
5581 is_lane = 0;
5582 break;
5583
5584 default:
5585 abort();
5586 }
5587 return b1;
5588 }
5589
5590
5591 static struct block *
5592 gen_msg_abbrev(type)
5593 int type;
5594 {
5595 struct block *b1;
5596
5597 /*
5598 * Q.2931 signalling protocol messages for handling virtual circuits
5599 * establishment and teardown
5600 */
5601 switch (type) {
5602
5603 case A_SETUP:
5604 b1 = gen_atmfield_code(A_MSGTYPE, SETUP, BPF_JEQ, 0);
5605 break;
5606
5607 case A_CALLPROCEED:
5608 b1 = gen_atmfield_code(A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
5609 break;
5610
5611 case A_CONNECT:
5612 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT, BPF_JEQ, 0);
5613 break;
5614
5615 case A_CONNECTACK:
5616 b1 = gen_atmfield_code(A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
5617 break;
5618
5619 case A_RELEASE:
5620 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE, BPF_JEQ, 0);
5621 break;
5622
5623 case A_RELEASE_DONE:
5624 b1 = gen_atmfield_code(A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
5625 break;
5626
5627 default:
5628 abort();
5629 }
5630 return b1;
5631 }
5632
5633 struct block *
5634 gen_atmmulti_abbrev(type)
5635 int type;
5636 {
5637 struct block *b0, *b1;
5638
5639 switch (type) {
5640
5641 case A_OAM:
5642 if (!is_atm)
5643 bpf_error("'oam' supported only on raw ATM");
5644 b1 = gen_atmmulti_abbrev(A_OAMF4);
5645 break;
5646
5647 case A_OAMF4:
5648 if (!is_atm)
5649 bpf_error("'oamf4' supported only on raw ATM");
5650 /* OAM F4 type */
5651 b0 = gen_atmfield_code(A_VCI, 3, BPF_JEQ, 0);
5652 b1 = gen_atmfield_code(A_VCI, 4, BPF_JEQ, 0);
5653 gen_or(b0, b1);
5654 b0 = gen_atmfield_code(A_VPI, 0, BPF_JEQ, 0);
5655 gen_and(b0, b1);
5656 break;
5657
5658 case A_CONNECTMSG:
5659 /*
5660 * Get Q.2931 signalling messages for switched
5661 * virtual connection
5662 */
5663 if (!is_atm)
5664 bpf_error("'connectmsg' supported only on raw ATM");
5665 b0 = gen_msg_abbrev(A_SETUP);
5666 b1 = gen_msg_abbrev(A_CALLPROCEED);
5667 gen_or(b0, b1);
5668 b0 = gen_msg_abbrev(A_CONNECT);
5669 gen_or(b0, b1);
5670 b0 = gen_msg_abbrev(A_CONNECTACK);
5671 gen_or(b0, b1);
5672 b0 = gen_msg_abbrev(A_RELEASE);
5673 gen_or(b0, b1);
5674 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5675 gen_or(b0, b1);
5676 b0 = gen_atmtype_abbrev(A_SC);
5677 gen_and(b0, b1);
5678 break;
5679
5680 case A_METACONNECT:
5681 if (!is_atm)
5682 bpf_error("'metaconnect' supported only on raw ATM");
5683 b0 = gen_msg_abbrev(A_SETUP);
5684 b1 = gen_msg_abbrev(A_CALLPROCEED);
5685 gen_or(b0, b1);
5686 b0 = gen_msg_abbrev(A_CONNECT);
5687 gen_or(b0, b1);
5688 b0 = gen_msg_abbrev(A_RELEASE);
5689 gen_or(b0, b1);
5690 b0 = gen_msg_abbrev(A_RELEASE_DONE);
5691 gen_or(b0, b1);
5692 b0 = gen_atmtype_abbrev(A_METAC);
5693 gen_and(b0, b1);
5694 break;
5695
5696 default:
5697 abort();
5698 }
5699 return b1;
5700 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism