]> The Tcpdump Group git mirrors - libpcap/blob - gencode.c
projects / libpcap / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Get DLT_MATCHING_MAX right in gencode.c on NetBSD.
[libpcap] / gencode.c
1 /*#define CHASE_CHAIN*/
2 /*
3 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997, 1998
4 * The Regents of the University of California. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that: (1) source code distributions
8 * retain the above copyright notice and this paragraph in its entirety, (2)
9 * distributions including binary code include the above copyright notice and
10 * this paragraph in its entirety in the documentation or other materials
11 * provided with the distribution, and (3) all advertising materials mentioning
12 * features or use of this software display the following acknowledgement:
13 * ``This product includes software developed by the University of California,
14 * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
15 * the University nor the names of its contributors may be used to endorse
16 * or promote products derived from this software without specific prior
17 * written permission.
18 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
19 * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
20 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
21 */
22
23 #ifdef HAVE_CONFIG_H
24 #include <config.h>
25 #endif
26
27 #include <pcap-types.h>
28 #ifdef _WIN32
29 #include <ws2tcpip.h>
30 #else
31 #include <sys/socket.h>
32
33 #ifdef __NetBSD__
34 #include <sys/param.h>
35 #endif
36
37 #include <netinet/in.h>
38 #include <arpa/inet.h>
39 #endif /* _WIN32 */
40
41 #include <stdlib.h>
42 #include <string.h>
43 #include <memory.h>
44 #include <setjmp.h>
45 #include <stdarg.h>
46
47 #ifdef MSDOS
48 #include "pcap-dos.h"
49 #endif
50
51 #ifdef HAVE_NET_PFVAR_H
52 /*
53 * In NetBSD <net/if.h> includes <net/dlt.h>, which is an older version of
54 * "pcap/dlt.h" with a lower value of DLT_MATCHING_MAX. Include the headers
55 * below before "pcap-int.h", which eventually includes "pcap/dlt.h", which
56 * redefines DLT_MATCHING_MAX from what this version of NetBSD has to what
57 * this version of libpcap has.
58 */
59 #include <sys/socket.h>
60 #include <net/if.h>
61 #include <net/pfvar.h>
62 #include <net/if_pflog.h>
63 #endif /* HAVE_NET_PFVAR_H */
64
65 #include "pcap-int.h"
66
67 #include "extract.h"
68
69 #include "ethertype.h"
70 #include "nlpid.h"
71 #include "llc.h"
72 #include "gencode.h"
73 #include "ieee80211.h"
74 #include "atmuni31.h"
75 #include "sunatmpos.h"
76 #include "ppp.h"
77 #include "pcap/sll.h"
78 #include "pcap/ipnet.h"
79 #include "arcnet.h"
80
81 #include "grammar.h"
82 #include "scanner.h"
83
84 #if defined(linux)
85 #include <linux/types.h>
86 #include <linux/if_packet.h>
87 #include <linux/filter.h>
88 #endif
89
90 #ifndef offsetof
91 #define offsetof(s, e) ((size_t)&((s *)0)->e)
92 #endif
93
94 #ifdef _WIN32
95 #ifdef INET6
96 #if defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF)
97 /* IPv6 address */
98 struct in6_addr
99 {
100 union
101 {
102 uint8_t u6_addr8[16];
103 uint16_t u6_addr16[8];
104 uint32_t u6_addr32[4];
105 } in6_u;
106 #define s6_addr in6_u.u6_addr8
107 #define s6_addr16 in6_u.u6_addr16
108 #define s6_addr32 in6_u.u6_addr32
109 #define s6_addr64 in6_u.u6_addr64
110 };
111
112 typedef unsigned short sa_family_t;
113
114 #define __SOCKADDR_COMMON(sa_prefix) \
115 sa_family_t sa_prefix##family
116
117 /* Ditto, for IPv6. */
118 struct sockaddr_in6
119 {
120 __SOCKADDR_COMMON (sin6_);
121 uint16_t sin6_port; /* Transport layer port # */
122 uint32_t sin6_flowinfo; /* IPv6 flow information */
123 struct in6_addr sin6_addr; /* IPv6 address */
124 };
125
126 #ifndef EAI_ADDRFAMILY
127 struct addrinfo {
128 int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
129 int ai_family; /* PF_xxx */
130 int ai_socktype; /* SOCK_xxx */
131 int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
132 size_t ai_addrlen; /* length of ai_addr */
133 char *ai_canonname; /* canonical name for hostname */
134 struct sockaddr *ai_addr; /* binary address */
135 struct addrinfo *ai_next; /* next structure in linked list */
136 };
137 #endif /* EAI_ADDRFAMILY */
138 #endif /* defined(__MINGW32__) && defined(DEFINE_ADDITIONAL_IPV6_STUFF) */
139 #endif /* INET6 */
140 #else /* _WIN32 */
141 #include <netdb.h> /* for "struct addrinfo" */
142 #endif /* _WIN32 */
143 #include <pcap/namedb.h>
144
145 #include "nametoaddr.h"
146
147 #define ETHERMTU 1500
148
149 #ifndef IPPROTO_HOPOPTS
150 #define IPPROTO_HOPOPTS 0
151 #endif
152 #ifndef IPPROTO_ROUTING
153 #define IPPROTO_ROUTING 43
154 #endif
155 #ifndef IPPROTO_FRAGMENT
156 #define IPPROTO_FRAGMENT 44
157 #endif
158 #ifndef IPPROTO_DSTOPTS
159 #define IPPROTO_DSTOPTS 60
160 #endif
161 #ifndef IPPROTO_SCTP
162 #define IPPROTO_SCTP 132
163 #endif
164
165 #define GENEVE_PORT 6081
166
167 #ifdef HAVE_OS_PROTO_H
168 #include "os-proto.h"
169 #endif
170
171 #define JMP(c) ((c)|BPF_JMP|BPF_K)
172
173 /*
174 * "Push" the current value of the link-layer header type and link-layer
175 * header offset onto a "stack", and set a new value. (It's not a
176 * full-blown stack; we keep only the top two items.)
177 */
178 #define PUSH_LINKHDR(cs, new_linktype, new_is_variable, new_constant_part, new_reg) \
179 { \
180 (cs)->prevlinktype = (cs)->linktype; \
181 (cs)->off_prevlinkhdr = (cs)->off_linkhdr; \
182 (cs)->linktype = (new_linktype); \
183 (cs)->off_linkhdr.is_variable = (new_is_variable); \
184 (cs)->off_linkhdr.constant_part = (new_constant_part); \
185 (cs)->off_linkhdr.reg = (new_reg); \
186 (cs)->is_geneve = 0; \
187 }
188
189 /*
190 * Offset "not set" value.
191 */
192 #define OFFSET_NOT_SET 0xffffffffU
193
194 /*
195 * Absolute offsets, which are offsets from the beginning of the raw
196 * packet data, are, in the general case, the sum of a variable value
197 * and a constant value; the variable value may be absent, in which
198 * case the offset is only the constant value, and the constant value
199 * may be zero, in which case the offset is only the variable value.
200 *
201 * bpf_abs_offset is a structure containing all that information:
202 *
203 * is_variable is 1 if there's a variable part.
204 *
205 * constant_part is the constant part of the value, possibly zero;
206 *
207 * if is_variable is 1, reg is the register number for a register
208 * containing the variable value if the register has been assigned,
209 * and -1 otherwise.
210 */
211 typedef struct {
212 int is_variable;
213 u_int constant_part;
214 int reg;
215 } bpf_abs_offset;
216
217 /*
218 * Value passed to gen_load_a() to indicate what the offset argument
219 * is relative to the beginning of.
220 */
221 enum e_offrel {
222 OR_PACKET, /* full packet data */
223 OR_LINKHDR, /* link-layer header */
224 OR_PREVLINKHDR, /* previous link-layer header */
225 OR_LLC, /* 802.2 LLC header */
226 OR_PREVMPLSHDR, /* previous MPLS header */
227 OR_LINKTYPE, /* link-layer type */
228 OR_LINKPL, /* link-layer payload */
229 OR_LINKPL_NOSNAP, /* link-layer payload, with no SNAP header at the link layer */
230 OR_TRAN_IPV4, /* transport-layer header, with IPv4 network layer */
231 OR_TRAN_IPV6 /* transport-layer header, with IPv6 network layer */
232 };
233
234 /*
235 * We divy out chunks of memory rather than call malloc each time so
236 * we don't have to worry about leaking memory. It's probably
237 * not a big deal if all this memory was wasted but if this ever
238 * goes into a library that would probably not be a good idea.
239 *
240 * XXX - this *is* in a library....
241 */
242 #define NCHUNKS 16
243 #define CHUNK0SIZE 1024
244 struct chunk {
245 size_t n_left;
246 void *m;
247 };
248
249 /* Code generator state */
250
251 struct _compiler_state {
252 jmp_buf top_ctx;
253 pcap_t *bpf_pcap;
254 int error_set;
255
256 struct icode ic;
257
258 int snaplen;
259
260 int linktype;
261 int prevlinktype;
262 int outermostlinktype;
263
264 bpf_u_int32 netmask;
265 int no_optimize;
266
267 /* Hack for handling VLAN and MPLS stacks. */
268 u_int label_stack_depth;
269 u_int vlan_stack_depth;
270
271 /* XXX */
272 u_int pcap_fddipad;
273
274 /*
275 * As errors are handled by a longjmp, anything allocated must
276 * be freed in the longjmp handler, so it must be reachable
277 * from that handler.
278 *
279 * One thing that's allocated is the result of pcap_nametoaddrinfo();
280 * it must be freed with freeaddrinfo(). This variable points to
281 * any addrinfo structure that would need to be freed.
282 */
283 struct addrinfo *ai;
284
285 /*
286 * Another thing that's allocated is the result of pcap_ether_aton();
287 * it must be freed with free(). This variable points to any
288 * address that would need to be freed.
289 */
290 u_char *e;
291
292 /*
293 * Various code constructs need to know the layout of the packet.
294 * These values give the necessary offsets from the beginning
295 * of the packet data.
296 */
297
298 /*
299 * Absolute offset of the beginning of the link-layer header.
300 */
301 bpf_abs_offset off_linkhdr;
302
303 /*
304 * If we're checking a link-layer header for a packet encapsulated
305 * in another protocol layer, this is the equivalent information
306 * for the previous layers' link-layer header from the beginning
307 * of the raw packet data.
308 */
309 bpf_abs_offset off_prevlinkhdr;
310
311 /*
312 * This is the equivalent information for the outermost layers'
313 * link-layer header.
314 */
315 bpf_abs_offset off_outermostlinkhdr;
316
317 /*
318 * Absolute offset of the beginning of the link-layer payload.
319 */
320 bpf_abs_offset off_linkpl;
321
322 /*
323 * "off_linktype" is the offset to information in the link-layer
324 * header giving the packet type. This is an absolute offset
325 * from the beginning of the packet.
326 *
327 * For Ethernet, it's the offset of the Ethernet type field; this
328 * means that it must have a value that skips VLAN tags.
329 *
330 * For link-layer types that always use 802.2 headers, it's the
331 * offset of the LLC header; this means that it must have a value
332 * that skips VLAN tags.
333 *
334 * For PPP, it's the offset of the PPP type field.
335 *
336 * For Cisco HDLC, it's the offset of the CHDLC type field.
337 *
338 * For BSD loopback, it's the offset of the AF_ value.
339 *
340 * For Linux cooked sockets, it's the offset of the type field.
341 *
342 * off_linktype.constant_part is set to OFFSET_NOT_SET for no
343 * encapsulation, in which case, IP is assumed.
344 */
345 bpf_abs_offset off_linktype;
346
347 /*
348 * TRUE if the link layer includes an ATM pseudo-header.
349 */
350 int is_atm;
351
352 /*
353 * TRUE if "geneve" appeared in the filter; it causes us to
354 * generate code that checks for a Geneve header and assume
355 * that later filters apply to the encapsulated payload.
356 */
357 int is_geneve;
358
359 /*
360 * TRUE if we need variable length part of VLAN offset
361 */
362 int is_vlan_vloffset;
363
364 /*
365 * These are offsets for the ATM pseudo-header.
366 */
367 u_int off_vpi;
368 u_int off_vci;
369 u_int off_proto;
370
371 /*
372 * These are offsets for the MTP2 fields.
373 */
374 u_int off_li;
375 u_int off_li_hsl;
376
377 /*
378 * These are offsets for the MTP3 fields.
379 */
380 u_int off_sio;
381 u_int off_opc;
382 u_int off_dpc;
383 u_int off_sls;
384
385 /*
386 * This is the offset of the first byte after the ATM pseudo_header,
387 * or -1 if there is no ATM pseudo-header.
388 */
389 u_int off_payload;
390
391 /*
392 * These are offsets to the beginning of the network-layer header.
393 * They are relative to the beginning of the link-layer payload
394 * (i.e., they don't include off_linkhdr.constant_part or
395 * off_linkpl.constant_part).
396 *
397 * If the link layer never uses 802.2 LLC:
398 *
399 * "off_nl" and "off_nl_nosnap" are the same.
400 *
401 * If the link layer always uses 802.2 LLC:
402 *
403 * "off_nl" is the offset if there's a SNAP header following
404 * the 802.2 header;
405 *
406 * "off_nl_nosnap" is the offset if there's no SNAP header.
407 *
408 * If the link layer is Ethernet:
409 *
410 * "off_nl" is the offset if the packet is an Ethernet II packet
411 * (we assume no 802.3+802.2+SNAP);
412 *
413 * "off_nl_nosnap" is the offset if the packet is an 802.3 packet
414 * with an 802.2 header following it.
415 */
416 u_int off_nl;
417 u_int off_nl_nosnap;
418
419 /*
420 * Here we handle simple allocation of the scratch registers.
421 * If too many registers are alloc'd, the allocator punts.
422 */
423 int regused[BPF_MEMWORDS];
424 int curreg;
425
426 /*
427 * Memory chunks.
428 */
429 struct chunk chunks[NCHUNKS];
430 int cur_chunk;
431 };
432
433 /*
434 * For use by routines outside this file.
435 */
436 /* VARARGS */
437 void
438 bpf_set_error(compiler_state_t *cstate, const char *fmt, ...)
439 {
440 va_list ap;
441
442 /*
443 * If we've already set an error, don't override it.
444 * The lexical analyzer reports some errors by setting
445 * the error and then returning a LEX_ERROR token, which
446 * is not recognized by any grammar rule, and thus forces
447 * the parse to stop. We don't want the error reported
448 * by the lexical analyzer to be overwritten by the syntax
449 * error.
450 */
451 if (!cstate->error_set) {
452 va_start(ap, fmt);
453 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
454 fmt, ap);
455 va_end(ap);
456 cstate->error_set = 1;
457 }
458 }
459
460 /*
461 * For use *ONLY* in routines in this file.
462 */
463 static void PCAP_NORETURN bpf_error(compiler_state_t *, const char *, ...)
464 PCAP_PRINTFLIKE(2, 3);
465
466 /* VARARGS */
467 static void PCAP_NORETURN
468 bpf_error(compiler_state_t *cstate, const char *fmt, ...)
469 {
470 va_list ap;
471
472 va_start(ap, fmt);
473 (void)vsnprintf(cstate->bpf_pcap->errbuf, PCAP_ERRBUF_SIZE,
474 fmt, ap);
475 va_end(ap);
476 longjmp(cstate->top_ctx, 1);
477 /*NOTREACHED*/
478 }
479
480 static int init_linktype(compiler_state_t *, pcap_t *);
481
482 static void init_regs(compiler_state_t *);
483 static int alloc_reg(compiler_state_t *);
484 static void free_reg(compiler_state_t *, int);
485
486 static void initchunks(compiler_state_t *cstate);
487 static void *newchunk_nolongjmp(compiler_state_t *cstate, size_t);
488 static void *newchunk(compiler_state_t *cstate, size_t);
489 static void freechunks(compiler_state_t *cstate);
490 static inline struct block *new_block(compiler_state_t *cstate, int);
491 static inline struct slist *new_stmt(compiler_state_t *cstate, int);
492 static struct block *gen_retblk(compiler_state_t *cstate, int);
493 static inline void syntax(compiler_state_t *cstate);
494
495 static void backpatch(struct block *, struct block *);
496 static void merge(struct block *, struct block *);
497 static struct block *gen_cmp(compiler_state_t *, enum e_offrel, u_int,
498 u_int, bpf_u_int32);
499 static struct block *gen_cmp_gt(compiler_state_t *, enum e_offrel, u_int,
500 u_int, bpf_u_int32);
501 static struct block *gen_cmp_ge(compiler_state_t *, enum e_offrel, u_int,
502 u_int, bpf_u_int32);
503 static struct block *gen_cmp_lt(compiler_state_t *, enum e_offrel, u_int,
504 u_int, bpf_u_int32);
505 static struct block *gen_cmp_le(compiler_state_t *, enum e_offrel, u_int,
506 u_int, bpf_u_int32);
507 static struct block *gen_mcmp(compiler_state_t *, enum e_offrel, u_int,
508 u_int, bpf_u_int32, bpf_u_int32);
509 static struct block *gen_bcmp(compiler_state_t *, enum e_offrel, u_int,
510 u_int, const u_char *);
511 static struct block *gen_ncmp(compiler_state_t *, enum e_offrel, u_int,
512 u_int, bpf_u_int32, int, int, bpf_u_int32);
513 static struct slist *gen_load_absoffsetrel(compiler_state_t *, bpf_abs_offset *,
514 u_int, u_int);
515 static struct slist *gen_load_a(compiler_state_t *, enum e_offrel, u_int,
516 u_int);
517 static struct slist *gen_loadx_iphdrlen(compiler_state_t *);
518 static struct block *gen_uncond(compiler_state_t *, int);
519 static inline struct block *gen_true(compiler_state_t *);
520 static inline struct block *gen_false(compiler_state_t *);
521 static struct block *gen_ether_linktype(compiler_state_t *, bpf_u_int32);
522 static struct block *gen_ipnet_linktype(compiler_state_t *, bpf_u_int32);
523 static struct block *gen_linux_sll_linktype(compiler_state_t *, bpf_u_int32);
524 static struct slist *gen_load_prism_llprefixlen(compiler_state_t *);
525 static struct slist *gen_load_avs_llprefixlen(compiler_state_t *);
526 static struct slist *gen_load_radiotap_llprefixlen(compiler_state_t *);
527 static struct slist *gen_load_ppi_llprefixlen(compiler_state_t *);
528 static void insert_compute_vloffsets(compiler_state_t *, struct block *);
529 static struct slist *gen_abs_offset_varpart(compiler_state_t *,
530 bpf_abs_offset *);
531 static bpf_u_int32 ethertype_to_ppptype(bpf_u_int32);
532 static struct block *gen_linktype(compiler_state_t *, bpf_u_int32);
533 static struct block *gen_snap(compiler_state_t *, bpf_u_int32, bpf_u_int32);
534 static struct block *gen_llc_linktype(compiler_state_t *, bpf_u_int32);
535 static struct block *gen_hostop(compiler_state_t *, bpf_u_int32, bpf_u_int32,
536 int, bpf_u_int32, u_int, u_int);
537 #ifdef INET6
538 static struct block *gen_hostop6(compiler_state_t *, struct in6_addr *,
539 struct in6_addr *, int, bpf_u_int32, u_int, u_int);
540 #endif
541 static struct block *gen_ahostop(compiler_state_t *, const u_char *, int);
542 static struct block *gen_ehostop(compiler_state_t *, const u_char *, int);
543 static struct block *gen_fhostop(compiler_state_t *, const u_char *, int);
544 static struct block *gen_thostop(compiler_state_t *, const u_char *, int);
545 static struct block *gen_wlanhostop(compiler_state_t *, const u_char *, int);
546 static struct block *gen_ipfchostop(compiler_state_t *, const u_char *, int);
547 static struct block *gen_dnhostop(compiler_state_t *, bpf_u_int32, int);
548 static struct block *gen_mpls_linktype(compiler_state_t *, bpf_u_int32);
549 static struct block *gen_host(compiler_state_t *, bpf_u_int32, bpf_u_int32,
550 int, int, int);
551 #ifdef INET6
552 static struct block *gen_host6(compiler_state_t *, struct in6_addr *,
553 struct in6_addr *, int, int, int);
554 #endif
555 #ifndef INET6
556 static struct block *gen_gateway(compiler_state_t *, const u_char *,
557 struct addrinfo *, int, int);
558 #endif
559 static struct block *gen_ipfrag(compiler_state_t *);
560 static struct block *gen_portatom(compiler_state_t *, int, bpf_u_int32);
561 static struct block *gen_portrangeatom(compiler_state_t *, u_int, bpf_u_int32,
562 bpf_u_int32);
563 static struct block *gen_portatom6(compiler_state_t *, int, bpf_u_int32);
564 static struct block *gen_portrangeatom6(compiler_state_t *, u_int, bpf_u_int32,
565 bpf_u_int32);
566 static struct block *gen_portop(compiler_state_t *, u_int, u_int, int);
567 static struct block *gen_port(compiler_state_t *, u_int, int, int);
568 static struct block *gen_portrangeop(compiler_state_t *, u_int, u_int,
569 bpf_u_int32, int);
570 static struct block *gen_portrange(compiler_state_t *, u_int, u_int, int, int);
571 struct block *gen_portop6(compiler_state_t *, u_int, u_int, int);
572 static struct block *gen_port6(compiler_state_t *, u_int, int, int);
573 static struct block *gen_portrangeop6(compiler_state_t *, u_int, u_int,
574 bpf_u_int32, int);
575 static struct block *gen_portrange6(compiler_state_t *, u_int, u_int, int, int);
576 static int lookup_proto(compiler_state_t *, const char *, int);
577 static struct block *gen_protochain(compiler_state_t *, bpf_u_int32, int);
578 static struct block *gen_proto(compiler_state_t *, bpf_u_int32, int, int);
579 static struct slist *xfer_to_x(compiler_state_t *, struct arth *);
580 static struct slist *xfer_to_a(compiler_state_t *, struct arth *);
581 static struct block *gen_mac_multicast(compiler_state_t *, int);
582 static struct block *gen_len(compiler_state_t *, int, int);
583 static struct block *gen_check_802_11_data_frame(compiler_state_t *);
584 static struct block *gen_geneve_ll_check(compiler_state_t *cstate);
585
586 static struct block *gen_ppi_dlt_check(compiler_state_t *);
587 static struct block *gen_atmfield_code_internal(compiler_state_t *, int,
588 bpf_u_int32, int, int);
589 static struct block *gen_atmtype_llc(compiler_state_t *);
590 static struct block *gen_msg_abbrev(compiler_state_t *, int type);
591
592 static void
593 initchunks(compiler_state_t *cstate)
594 {
595 int i;
596
597 for (i = 0; i < NCHUNKS; i++) {
598 cstate->chunks[i].n_left = 0;
599 cstate->chunks[i].m = NULL;
600 }
601 cstate->cur_chunk = 0;
602 }
603
604 static void *
605 newchunk_nolongjmp(compiler_state_t *cstate, size_t n)
606 {
607 struct chunk *cp;
608 int k;
609 size_t size;
610
611 #ifndef __NetBSD__
612 /* XXX Round up to nearest long. */
613 n = (n + sizeof(long) - 1) & ~(sizeof(long) - 1);
614 #else
615 /* XXX Round up to structure boundary. */
616 n = ALIGN(n);
617 #endif
618
619 cp = &cstate->chunks[cstate->cur_chunk];
620 if (n > cp->n_left) {
621 ++cp;
622 k = ++cstate->cur_chunk;
623 if (k >= NCHUNKS) {
624 bpf_set_error(cstate, "out of memory");
625 return (NULL);
626 }
627 size = CHUNK0SIZE << k;
628 cp->m = (void *)malloc(size);
629 if (cp->m == NULL) {
630 bpf_set_error(cstate, "out of memory");
631 return (NULL);
632 }
633 memset((char *)cp->m, 0, size);
634 cp->n_left = size;
635 if (n > size) {
636 bpf_set_error(cstate, "out of memory");
637 return (NULL);
638 }
639 }
640 cp->n_left -= n;
641 return (void *)((char *)cp->m + cp->n_left);
642 }
643
644 static void *
645 newchunk(compiler_state_t *cstate, size_t n)
646 {
647 void *p;
648
649 p = newchunk_nolongjmp(cstate, n);
650 if (p == NULL) {
651 longjmp(cstate->top_ctx, 1);
652 /*NOTREACHED*/
653 }
654 return (p);
655 }
656
657 static void
658 freechunks(compiler_state_t *cstate)
659 {
660 int i;
661
662 for (i = 0; i < NCHUNKS; ++i)
663 if (cstate->chunks[i].m != NULL)
664 free(cstate->chunks[i].m);
665 }
666
667 /*
668 * A strdup whose allocations are freed after code generation is over.
669 * This is used by the lexical analyzer, so it can't longjmp; it just
670 * returns NULL on an allocation error, and the callers must check
671 * for it.
672 */
673 char *
674 sdup(compiler_state_t *cstate, const char *s)
675 {
676 size_t n = strlen(s) + 1;
677 char *cp = newchunk_nolongjmp(cstate, n);
678
679 if (cp == NULL)
680 return (NULL);
681 pcap_strlcpy(cp, s, n);
682 return (cp);
683 }
684
685 static inline struct block *
686 new_block(compiler_state_t *cstate, int code)
687 {
688 struct block *p;
689
690 p = (struct block *)newchunk(cstate, sizeof(*p));
691 p->s.code = code;
692 p->head = p;
693
694 return p;
695 }
696
697 static inline struct slist *
698 new_stmt(compiler_state_t *cstate, int code)
699 {
700 struct slist *p;
701
702 p = (struct slist *)newchunk(cstate, sizeof(*p));
703 p->s.code = code;
704
705 return p;
706 }
707
708 static struct block *
709 gen_retblk(compiler_state_t *cstate, int v)
710 {
711 struct block *b = new_block(cstate, BPF_RET|BPF_K);
712
713 b->s.k = v;
714 return b;
715 }
716
717 static inline PCAP_NORETURN_DEF void
718 syntax(compiler_state_t *cstate)
719 {
720 bpf_error(cstate, "syntax error in filter expression");
721 }
722
723 int
724 pcap_compile(pcap_t *p, struct bpf_program *program,
725 const char *buf, int optimize, bpf_u_int32 mask)
726 {
727 #ifdef _WIN32
728 static int done = 0;
729 #endif
730 compiler_state_t cstate;
731 const char * volatile xbuf = buf;
732 yyscan_t scanner = NULL;
733 volatile YY_BUFFER_STATE in_buffer = NULL;
734 u_int len;
735 int rc;
736
737 /*
738 * If this pcap_t hasn't been activated, it doesn't have a
739 * link-layer type, so we can't use it.
740 */
741 if (!p->activated) {
742 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
743 "not-yet-activated pcap_t passed to pcap_compile");
744 return (-1);
745 }
746
747 #ifdef _WIN32
748 if (!done)
749 pcap_wsockinit();
750 done = 1;
751 #endif
752
753 #ifdef ENABLE_REMOTE
754 /*
755 * If the device on which we're capturing need to be notified
756 * that a new filter is being compiled, do so.
757 *
758 * This allows them to save a copy of it, in case, for example,
759 * they're implementing a form of remote packet capture, and
760 * want the remote machine to filter out the packets in which
761 * it's sending the packets it's captured.
762 *
763 * XXX - the fact that we happen to be compiling a filter
764 * doesn't necessarily mean we'll be installing it as the
765 * filter for this pcap_t; we might be running it from userland
766 * on captured packets to do packet classification. We really
767 * need a better way of handling this, but this is all that
768 * the WinPcap remote capture code did.
769 */
770 if (p->save_current_filter_op != NULL)
771 (p->save_current_filter_op)(p, buf);
772 #endif
773
774 initchunks(&cstate);
775 cstate.no_optimize = 0;
776 #ifdef INET6
777 cstate.ai = NULL;
778 #endif
779 cstate.e = NULL;
780 cstate.ic.root = NULL;
781 cstate.ic.cur_mark = 0;
782 cstate.bpf_pcap = p;
783 cstate.error_set = 0;
784 init_regs(&cstate);
785
786 cstate.netmask = mask;
787
788 cstate.snaplen = pcap_snapshot(p);
789 if (cstate.snaplen == 0) {
790 snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
791 "snaplen of 0 rejects all packets");
792 rc = -1;
793 goto quit;
794 }
795
796 if (pcap_lex_init(&scanner) != 0)
797 pcap_fmt_errmsg_for_errno(p->errbuf, PCAP_ERRBUF_SIZE,
798 errno, "can't initialize scanner");
799 in_buffer = pcap__scan_string(xbuf ? xbuf : "", scanner);
800
801 /*
802 * Associate the compiler state with the lexical analyzer
803 * state.
804 */
805 pcap_set_extra(&cstate, scanner);
806
807 if (init_linktype(&cstate, p) == -1) {
808 rc = -1;
809 goto quit;
810 }
811 if (pcap_parse(scanner, &cstate) != 0) {
812 #ifdef INET6
813 if (cstate.ai != NULL)
814 freeaddrinfo(cstate.ai);
815 #endif
816 if (cstate.e != NULL)
817 free(cstate.e);
818 rc = -1;
819 goto quit;
820 }
821
822 if (cstate.ic.root == NULL) {
823 /*
824 * Catch errors reported by gen_retblk().
825 */
826 if (setjmp(cstate.top_ctx)) {
827 rc = -1;
828 goto quit;
829 }
830 cstate.ic.root = gen_retblk(&cstate, cstate.snaplen);
831 }
832
833 if (optimize && !cstate.no_optimize) {
834 if (bpf_optimize(&cstate.ic, p->errbuf) == -1) {
835 /* Failure */
836 rc = -1;
837 goto quit;
838 }
839 if (cstate.ic.root == NULL ||
840 (cstate.ic.root->s.code == (BPF_RET|BPF_K) && cstate.ic.root->s.k == 0)) {
841 (void)snprintf(p->errbuf, PCAP_ERRBUF_SIZE,
842 "expression rejects all packets");
843 rc = -1;
844 goto quit;
845 }
846 }
847 program->bf_insns = icode_to_fcode(&cstate.ic,
848 cstate.ic.root, &len, p->errbuf);
849 if (program->bf_insns == NULL) {
850 /* Failure */
851 rc = -1;
852 goto quit;
853 }
854 program->bf_len = len;
855
856 rc = 0; /* We're all okay */
857
858 quit:
859 /*
860 * Clean up everything for the lexical analyzer.
861 */
862 if (in_buffer != NULL)
863 pcap__delete_buffer(in_buffer, scanner);
864 if (scanner != NULL)
865 pcap_lex_destroy(scanner);
866
867 /*
868 * Clean up our own allocated memory.
869 */
870 freechunks(&cstate);
871
872 return (rc);
873 }
874
875 /*
876 * entry point for using the compiler with no pcap open
877 * pass in all the stuff that is needed explicitly instead.
878 */
879 int
880 pcap_compile_nopcap(int snaplen_arg, int linktype_arg,
881 struct bpf_program *program,
882 const char *buf, int optimize, bpf_u_int32 mask)
883 {
884 pcap_t *p;
885 int ret;
886
887 p = pcap_open_dead(linktype_arg, snaplen_arg);
888 if (p == NULL)
889 return (-1);
890 ret = pcap_compile(p, program, buf, optimize, mask);
891 pcap_close(p);
892 return (ret);
893 }
894
895 /*
896 * Clean up a "struct bpf_program" by freeing all the memory allocated
897 * in it.
898 */
899 void
900 pcap_freecode(struct bpf_program *program)
901 {
902 program->bf_len = 0;
903 if (program->bf_insns != NULL) {
904 free((char *)program->bf_insns);
905 program->bf_insns = NULL;
906 }
907 }
908
909 /*
910 * Backpatch the blocks in 'list' to 'target'. The 'sense' field indicates
911 * which of the jt and jf fields has been resolved and which is a pointer
912 * back to another unresolved block (or nil). At least one of the fields
913 * in each block is already resolved.
914 */
915 static void
916 backpatch(struct block *list, struct block *target)
917 {
918 struct block *next;
919
920 while (list) {
921 if (!list->sense) {
922 next = JT(list);
923 JT(list) = target;
924 } else {
925 next = JF(list);
926 JF(list) = target;
927 }
928 list = next;
929 }
930 }
931
932 /*
933 * Merge the lists in b0 and b1, using the 'sense' field to indicate
934 * which of jt and jf is the link.
935 */
936 static void
937 merge(struct block *b0, struct block *b1)
938 {
939 register struct block **p = &b0;
940
941 /* Find end of list. */
942 while (*p)
943 p = !((*p)->sense) ? &JT(*p) : &JF(*p);
944
945 /* Concatenate the lists. */
946 *p = b1;
947 }
948
949 int
950 finish_parse(compiler_state_t *cstate, struct block *p)
951 {
952 struct block *ppi_dlt_check;
953
954 /*
955 * Catch errors reported by us and routines below us, and return -1
956 * on an error.
957 */
958 if (setjmp(cstate->top_ctx))
959 return (-1);
960
961 /*
962 * Insert before the statements of the first (root) block any
963 * statements needed to load the lengths of any variable-length
964 * headers into registers.
965 *
966 * XXX - a fancier strategy would be to insert those before the
967 * statements of all blocks that use those lengths and that
968 * have no predecessors that use them, so that we only compute
969 * the lengths if we need them. There might be even better
970 * approaches than that.
971 *
972 * However, those strategies would be more complicated, and
973 * as we don't generate code to compute a length if the
974 * program has no tests that use the length, and as most
975 * tests will probably use those lengths, we would just
976 * postpone computing the lengths so that it's not done
977 * for tests that fail early, and it's not clear that's
978 * worth the effort.
979 */
980 insert_compute_vloffsets(cstate, p->head);
981
982 /*
983 * For DLT_PPI captures, generate a check of the per-packet
984 * DLT value to make sure it's DLT_IEEE802_11.
985 *
986 * XXX - TurboCap cards use DLT_PPI for Ethernet.
987 * Can we just define some DLT_ETHERNET_WITH_PHDR pseudo-header
988 * with appropriate Ethernet information and use that rather
989 * than using something such as DLT_PPI where you don't know
990 * the link-layer header type until runtime, which, in the
991 * general case, would force us to generate both Ethernet *and*
992 * 802.11 code (*and* anything else for which PPI is used)
993 * and choose between them early in the BPF program?
994 */
995 ppi_dlt_check = gen_ppi_dlt_check(cstate);
996 if (ppi_dlt_check != NULL)
997 gen_and(ppi_dlt_check, p);
998
999 backpatch(p, gen_retblk(cstate, cstate->snaplen));
1000 p->sense = !p->sense;
1001 backpatch(p, gen_retblk(cstate, 0));
1002 cstate->ic.root = p->head;
1003 return (0);
1004 }
1005
1006 void
1007 gen_and(struct block *b0, struct block *b1)
1008 {
1009 backpatch(b0, b1->head);
1010 b0->sense = !b0->sense;
1011 b1->sense = !b1->sense;
1012 merge(b1, b0);
1013 b1->sense = !b1->sense;
1014 b1->head = b0->head;
1015 }
1016
1017 void
1018 gen_or(struct block *b0, struct block *b1)
1019 {
1020 b0->sense = !b0->sense;
1021 backpatch(b0, b1->head);
1022 b0->sense = !b0->sense;
1023 merge(b1, b0);
1024 b1->head = b0->head;
1025 }
1026
1027 void
1028 gen_not(struct block *b)
1029 {
1030 b->sense = !b->sense;
1031 }
1032
1033 static struct block *
1034 gen_cmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1035 u_int size, bpf_u_int32 v)
1036 {
1037 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JEQ, 0, v);
1038 }
1039
1040 static struct block *
1041 gen_cmp_gt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1042 u_int size, bpf_u_int32 v)
1043 {
1044 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 0, v);
1045 }
1046
1047 static struct block *
1048 gen_cmp_ge(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1049 u_int size, bpf_u_int32 v)
1050 {
1051 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 0, v);
1052 }
1053
1054 static struct block *
1055 gen_cmp_lt(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1056 u_int size, bpf_u_int32 v)
1057 {
1058 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGE, 1, v);
1059 }
1060
1061 static struct block *
1062 gen_cmp_le(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1063 u_int size, bpf_u_int32 v)
1064 {
1065 return gen_ncmp(cstate, offrel, offset, size, 0xffffffff, BPF_JGT, 1, v);
1066 }
1067
1068 static struct block *
1069 gen_mcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1070 u_int size, bpf_u_int32 v, bpf_u_int32 mask)
1071 {
1072 return gen_ncmp(cstate, offrel, offset, size, mask, BPF_JEQ, 0, v);
1073 }
1074
1075 static struct block *
1076 gen_bcmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1077 u_int size, const u_char *v)
1078 {
1079 register struct block *b, *tmp;
1080
1081 b = NULL;
1082 while (size >= 4) {
1083 register const u_char *p = &v[size - 4];
1084
1085 tmp = gen_cmp(cstate, offrel, offset + size - 4, BPF_W,
1086 EXTRACT_BE_U_4(p));
1087 if (b != NULL)
1088 gen_and(b, tmp);
1089 b = tmp;
1090 size -= 4;
1091 }
1092 while (size >= 2) {
1093 register const u_char *p = &v[size - 2];
1094
1095 tmp = gen_cmp(cstate, offrel, offset + size - 2, BPF_H,
1096 EXTRACT_BE_U_2(p));
1097 if (b != NULL)
1098 gen_and(b, tmp);
1099 b = tmp;
1100 size -= 2;
1101 }
1102 if (size > 0) {
1103 tmp = gen_cmp(cstate, offrel, offset, BPF_B, v[0]);
1104 if (b != NULL)
1105 gen_and(b, tmp);
1106 b = tmp;
1107 }
1108 return b;
1109 }
1110
1111 /*
1112 * AND the field of size "size" at offset "offset" relative to the header
1113 * specified by "offrel" with "mask", and compare it with the value "v"
1114 * with the test specified by "jtype"; if "reverse" is true, the test
1115 * should test the opposite of "jtype".
1116 */
1117 static struct block *
1118 gen_ncmp(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1119 u_int size, bpf_u_int32 mask, int jtype, int reverse,
1120 bpf_u_int32 v)
1121 {
1122 struct slist *s, *s2;
1123 struct block *b;
1124
1125 s = gen_load_a(cstate, offrel, offset, size);
1126
1127 if (mask != 0xffffffff) {
1128 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1129 s2->s.k = mask;
1130 sappend(s, s2);
1131 }
1132
1133 b = new_block(cstate, JMP(jtype));
1134 b->stmts = s;
1135 b->s.k = v;
1136 if (reverse && (jtype == BPF_JGT || jtype == BPF_JGE))
1137 gen_not(b);
1138 return b;
1139 }
1140
1141 static int
1142 init_linktype(compiler_state_t *cstate, pcap_t *p)
1143 {
1144 cstate->pcap_fddipad = p->fddipad;
1145
1146 /*
1147 * We start out with only one link-layer header.
1148 */
1149 cstate->outermostlinktype = pcap_datalink(p);
1150 cstate->off_outermostlinkhdr.constant_part = 0;
1151 cstate->off_outermostlinkhdr.is_variable = 0;
1152 cstate->off_outermostlinkhdr.reg = -1;
1153
1154 cstate->prevlinktype = cstate->outermostlinktype;
1155 cstate->off_prevlinkhdr.constant_part = 0;
1156 cstate->off_prevlinkhdr.is_variable = 0;
1157 cstate->off_prevlinkhdr.reg = -1;
1158
1159 cstate->linktype = cstate->outermostlinktype;
1160 cstate->off_linkhdr.constant_part = 0;
1161 cstate->off_linkhdr.is_variable = 0;
1162 cstate->off_linkhdr.reg = -1;
1163
1164 /*
1165 * XXX
1166 */
1167 cstate->off_linkpl.constant_part = 0;
1168 cstate->off_linkpl.is_variable = 0;
1169 cstate->off_linkpl.reg = -1;
1170
1171 cstate->off_linktype.constant_part = 0;
1172 cstate->off_linktype.is_variable = 0;
1173 cstate->off_linktype.reg = -1;
1174
1175 /*
1176 * Assume it's not raw ATM with a pseudo-header, for now.
1177 */
1178 cstate->is_atm = 0;
1179 cstate->off_vpi = OFFSET_NOT_SET;
1180 cstate->off_vci = OFFSET_NOT_SET;
1181 cstate->off_proto = OFFSET_NOT_SET;
1182 cstate->off_payload = OFFSET_NOT_SET;
1183
1184 /*
1185 * And not Geneve.
1186 */
1187 cstate->is_geneve = 0;
1188
1189 /*
1190 * No variable length VLAN offset by default
1191 */
1192 cstate->is_vlan_vloffset = 0;
1193
1194 /*
1195 * And assume we're not doing SS7.
1196 */
1197 cstate->off_li = OFFSET_NOT_SET;
1198 cstate->off_li_hsl = OFFSET_NOT_SET;
1199 cstate->off_sio = OFFSET_NOT_SET;
1200 cstate->off_opc = OFFSET_NOT_SET;
1201 cstate->off_dpc = OFFSET_NOT_SET;
1202 cstate->off_sls = OFFSET_NOT_SET;
1203
1204 cstate->label_stack_depth = 0;
1205 cstate->vlan_stack_depth = 0;
1206
1207 switch (cstate->linktype) {
1208
1209 case DLT_ARCNET:
1210 cstate->off_linktype.constant_part = 2;
1211 cstate->off_linkpl.constant_part = 6;
1212 cstate->off_nl = 0; /* XXX in reality, variable! */
1213 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1214 break;
1215
1216 case DLT_ARCNET_LINUX:
1217 cstate->off_linktype.constant_part = 4;
1218 cstate->off_linkpl.constant_part = 8;
1219 cstate->off_nl = 0; /* XXX in reality, variable! */
1220 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1221 break;
1222
1223 case DLT_EN10MB:
1224 cstate->off_linktype.constant_part = 12;
1225 cstate->off_linkpl.constant_part = 14; /* Ethernet header length */
1226 cstate->off_nl = 0; /* Ethernet II */
1227 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1228 break;
1229
1230 case DLT_SLIP:
1231 /*
1232 * SLIP doesn't have a link level type. The 16 byte
1233 * header is hacked into our SLIP driver.
1234 */
1235 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1236 cstate->off_linkpl.constant_part = 16;
1237 cstate->off_nl = 0;
1238 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1239 break;
1240
1241 case DLT_SLIP_BSDOS:
1242 /* XXX this may be the same as the DLT_PPP_BSDOS case */
1243 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1244 /* XXX end */
1245 cstate->off_linkpl.constant_part = 24;
1246 cstate->off_nl = 0;
1247 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1248 break;
1249
1250 case DLT_NULL:
1251 case DLT_LOOP:
1252 cstate->off_linktype.constant_part = 0;
1253 cstate->off_linkpl.constant_part = 4;
1254 cstate->off_nl = 0;
1255 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1256 break;
1257
1258 case DLT_ENC:
1259 cstate->off_linktype.constant_part = 0;
1260 cstate->off_linkpl.constant_part = 12;
1261 cstate->off_nl = 0;
1262 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1263 break;
1264
1265 case DLT_PPP:
1266 case DLT_PPP_PPPD:
1267 case DLT_C_HDLC: /* BSD/OS Cisco HDLC */
1268 case DLT_PPP_SERIAL: /* NetBSD sync/async serial PPP */
1269 cstate->off_linktype.constant_part = 2; /* skip HDLC-like framing */
1270 cstate->off_linkpl.constant_part = 4; /* skip HDLC-like framing and protocol field */
1271 cstate->off_nl = 0;
1272 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1273 break;
1274
1275 case DLT_PPP_ETHER:
1276 /*
1277 * This does no include the Ethernet header, and
1278 * only covers session state.
1279 */
1280 cstate->off_linktype.constant_part = 6;
1281 cstate->off_linkpl.constant_part = 8;
1282 cstate->off_nl = 0;
1283 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1284 break;
1285
1286 case DLT_PPP_BSDOS:
1287 cstate->off_linktype.constant_part = 5;
1288 cstate->off_linkpl.constant_part = 24;
1289 cstate->off_nl = 0;
1290 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1291 break;
1292
1293 case DLT_FDDI:
1294 /*
1295 * FDDI doesn't really have a link-level type field.
1296 * We set "off_linktype" to the offset of the LLC header.
1297 *
1298 * To check for Ethernet types, we assume that SSAP = SNAP
1299 * is being used and pick out the encapsulated Ethernet type.
1300 * XXX - should we generate code to check for SNAP?
1301 */
1302 cstate->off_linktype.constant_part = 13;
1303 cstate->off_linktype.constant_part += cstate->pcap_fddipad;
1304 cstate->off_linkpl.constant_part = 13; /* FDDI MAC header length */
1305 cstate->off_linkpl.constant_part += cstate->pcap_fddipad;
1306 cstate->off_nl = 8; /* 802.2+SNAP */
1307 cstate->off_nl_nosnap = 3; /* 802.2 */
1308 break;
1309
1310 case DLT_IEEE802:
1311 /*
1312 * Token Ring doesn't really have a link-level type field.
1313 * We set "off_linktype" to the offset of the LLC header.
1314 *
1315 * To check for Ethernet types, we assume that SSAP = SNAP
1316 * is being used and pick out the encapsulated Ethernet type.
1317 * XXX - should we generate code to check for SNAP?
1318 *
1319 * XXX - the header is actually variable-length.
1320 * Some various Linux patched versions gave 38
1321 * as "off_linktype" and 40 as "off_nl"; however,
1322 * if a token ring packet has *no* routing
1323 * information, i.e. is not source-routed, the correct
1324 * values are 20 and 22, as they are in the vanilla code.
1325 *
1326 * A packet is source-routed iff the uppermost bit
1327 * of the first byte of the source address, at an
1328 * offset of 8, has the uppermost bit set. If the
1329 * packet is source-routed, the total number of bytes
1330 * of routing information is 2 plus bits 0x1F00 of
1331 * the 16-bit value at an offset of 14 (shifted right
1332 * 8 - figure out which byte that is).
1333 */
1334 cstate->off_linktype.constant_part = 14;
1335 cstate->off_linkpl.constant_part = 14; /* Token Ring MAC header length */
1336 cstate->off_nl = 8; /* 802.2+SNAP */
1337 cstate->off_nl_nosnap = 3; /* 802.2 */
1338 break;
1339
1340 case DLT_PRISM_HEADER:
1341 case DLT_IEEE802_11_RADIO_AVS:
1342 case DLT_IEEE802_11_RADIO:
1343 cstate->off_linkhdr.is_variable = 1;
1344 /* Fall through, 802.11 doesn't have a variable link
1345 * prefix but is otherwise the same. */
1346 /* FALLTHROUGH */
1347
1348 case DLT_IEEE802_11:
1349 /*
1350 * 802.11 doesn't really have a link-level type field.
1351 * We set "off_linktype.constant_part" to the offset of
1352 * the LLC header.
1353 *
1354 * To check for Ethernet types, we assume that SSAP = SNAP
1355 * is being used and pick out the encapsulated Ethernet type.
1356 * XXX - should we generate code to check for SNAP?
1357 *
1358 * We also handle variable-length radio headers here.
1359 * The Prism header is in theory variable-length, but in
1360 * practice it's always 144 bytes long. However, some
1361 * drivers on Linux use ARPHRD_IEEE80211_PRISM, but
1362 * sometimes or always supply an AVS header, so we
1363 * have to check whether the radio header is a Prism
1364 * header or an AVS header, so, in practice, it's
1365 * variable-length.
1366 */
1367 cstate->off_linktype.constant_part = 24;
1368 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1369 cstate->off_linkpl.is_variable = 1;
1370 cstate->off_nl = 8; /* 802.2+SNAP */
1371 cstate->off_nl_nosnap = 3; /* 802.2 */
1372 break;
1373
1374 case DLT_PPI:
1375 /*
1376 * At the moment we treat PPI the same way that we treat
1377 * normal Radiotap encoded packets. The difference is in
1378 * the function that generates the code at the beginning
1379 * to compute the header length. Since this code generator
1380 * of PPI supports bare 802.11 encapsulation only (i.e.
1381 * the encapsulated DLT should be DLT_IEEE802_11) we
1382 * generate code to check for this too.
1383 */
1384 cstate->off_linktype.constant_part = 24;
1385 cstate->off_linkpl.constant_part = 0; /* link-layer header is variable-length */
1386 cstate->off_linkpl.is_variable = 1;
1387 cstate->off_linkhdr.is_variable = 1;
1388 cstate->off_nl = 8; /* 802.2+SNAP */
1389 cstate->off_nl_nosnap = 3; /* 802.2 */
1390 break;
1391
1392 case DLT_ATM_RFC1483:
1393 case DLT_ATM_CLIP: /* Linux ATM defines this */
1394 /*
1395 * assume routed, non-ISO PDUs
1396 * (i.e., LLC = 0xAA-AA-03, OUT = 0x00-00-00)
1397 *
1398 * XXX - what about ISO PDUs, e.g. CLNP, ISIS, ESIS,
1399 * or PPP with the PPP NLPID (e.g., PPPoA)? The
1400 * latter would presumably be treated the way PPPoE
1401 * should be, so you can do "pppoe and udp port 2049"
1402 * or "pppoa and tcp port 80" and have it check for
1403 * PPPo{A,E} and a PPP protocol of IP and....
1404 */
1405 cstate->off_linktype.constant_part = 0;
1406 cstate->off_linkpl.constant_part = 0; /* packet begins with LLC header */
1407 cstate->off_nl = 8; /* 802.2+SNAP */
1408 cstate->off_nl_nosnap = 3; /* 802.2 */
1409 break;
1410
1411 case DLT_SUNATM:
1412 /*
1413 * Full Frontal ATM; you get AALn PDUs with an ATM
1414 * pseudo-header.
1415 */
1416 cstate->is_atm = 1;
1417 cstate->off_vpi = SUNATM_VPI_POS;
1418 cstate->off_vci = SUNATM_VCI_POS;
1419 cstate->off_proto = PROTO_POS;
1420 cstate->off_payload = SUNATM_PKT_BEGIN_POS;
1421 cstate->off_linktype.constant_part = cstate->off_payload;
1422 cstate->off_linkpl.constant_part = cstate->off_payload; /* if LLC-encapsulated */
1423 cstate->off_nl = 8; /* 802.2+SNAP */
1424 cstate->off_nl_nosnap = 3; /* 802.2 */
1425 break;
1426
1427 case DLT_RAW:
1428 case DLT_IPV4:
1429 case DLT_IPV6:
1430 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1431 cstate->off_linkpl.constant_part = 0;
1432 cstate->off_nl = 0;
1433 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1434 break;
1435
1436 case DLT_LINUX_SLL: /* fake header for Linux cooked socket v1 */
1437 cstate->off_linktype.constant_part = 14;
1438 cstate->off_linkpl.constant_part = 16;
1439 cstate->off_nl = 0;
1440 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1441 break;
1442
1443 case DLT_LINUX_SLL2: /* fake header for Linux cooked socket v2 */
1444 cstate->off_linktype.constant_part = 0;
1445 cstate->off_linkpl.constant_part = 20;
1446 cstate->off_nl = 0;
1447 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1448 break;
1449
1450 case DLT_LTALK:
1451 /*
1452 * LocalTalk does have a 1-byte type field in the LLAP header,
1453 * but really it just indicates whether there is a "short" or
1454 * "long" DDP packet following.
1455 */
1456 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1457 cstate->off_linkpl.constant_part = 0;
1458 cstate->off_nl = 0;
1459 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1460 break;
1461
1462 case DLT_IP_OVER_FC:
1463 /*
1464 * RFC 2625 IP-over-Fibre-Channel doesn't really have a
1465 * link-level type field. We set "off_linktype" to the
1466 * offset of the LLC header.
1467 *
1468 * To check for Ethernet types, we assume that SSAP = SNAP
1469 * is being used and pick out the encapsulated Ethernet type.
1470 * XXX - should we generate code to check for SNAP? RFC
1471 * 2625 says SNAP should be used.
1472 */
1473 cstate->off_linktype.constant_part = 16;
1474 cstate->off_linkpl.constant_part = 16;
1475 cstate->off_nl = 8; /* 802.2+SNAP */
1476 cstate->off_nl_nosnap = 3; /* 802.2 */
1477 break;
1478
1479 case DLT_FRELAY:
1480 /*
1481 * XXX - we should set this to handle SNAP-encapsulated
1482 * frames (NLPID of 0x80).
1483 */
1484 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1485 cstate->off_linkpl.constant_part = 0;
1486 cstate->off_nl = 0;
1487 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1488 break;
1489
1490 /*
1491 * the only BPF-interesting FRF.16 frames are non-control frames;
1492 * Frame Relay has a variable length link-layer
1493 * so lets start with offset 4 for now and increments later on (FIXME);
1494 */
1495 case DLT_MFR:
1496 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1497 cstate->off_linkpl.constant_part = 0;
1498 cstate->off_nl = 4;
1499 cstate->off_nl_nosnap = 0; /* XXX - for now -> no 802.2 LLC */
1500 break;
1501
1502 case DLT_APPLE_IP_OVER_IEEE1394:
1503 cstate->off_linktype.constant_part = 16;
1504 cstate->off_linkpl.constant_part = 18;
1505 cstate->off_nl = 0;
1506 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1507 break;
1508
1509 case DLT_SYMANTEC_FIREWALL:
1510 cstate->off_linktype.constant_part = 6;
1511 cstate->off_linkpl.constant_part = 44;
1512 cstate->off_nl = 0; /* Ethernet II */
1513 cstate->off_nl_nosnap = 0; /* XXX - what does it do with 802.3 packets? */
1514 break;
1515
1516 #ifdef HAVE_NET_PFVAR_H
1517 case DLT_PFLOG:
1518 cstate->off_linktype.constant_part = 0;
1519 cstate->off_linkpl.constant_part = PFLOG_HDRLEN;
1520 cstate->off_nl = 0;
1521 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
1522 break;
1523 #endif
1524
1525 case DLT_JUNIPER_MFR:
1526 case DLT_JUNIPER_MLFR:
1527 case DLT_JUNIPER_MLPPP:
1528 case DLT_JUNIPER_PPP:
1529 case DLT_JUNIPER_CHDLC:
1530 case DLT_JUNIPER_FRELAY:
1531 cstate->off_linktype.constant_part = 4;
1532 cstate->off_linkpl.constant_part = 4;
1533 cstate->off_nl = 0;
1534 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1535 break;
1536
1537 case DLT_JUNIPER_ATM1:
1538 cstate->off_linktype.constant_part = 4; /* in reality variable between 4-8 */
1539 cstate->off_linkpl.constant_part = 4; /* in reality variable between 4-8 */
1540 cstate->off_nl = 0;
1541 cstate->off_nl_nosnap = 10;
1542 break;
1543
1544 case DLT_JUNIPER_ATM2:
1545 cstate->off_linktype.constant_part = 8; /* in reality variable between 8-12 */
1546 cstate->off_linkpl.constant_part = 8; /* in reality variable between 8-12 */
1547 cstate->off_nl = 0;
1548 cstate->off_nl_nosnap = 10;
1549 break;
1550
1551 /* frames captured on a Juniper PPPoE service PIC
1552 * contain raw ethernet frames */
1553 case DLT_JUNIPER_PPPOE:
1554 case DLT_JUNIPER_ETHER:
1555 cstate->off_linkpl.constant_part = 14;
1556 cstate->off_linktype.constant_part = 16;
1557 cstate->off_nl = 18; /* Ethernet II */
1558 cstate->off_nl_nosnap = 21; /* 802.3+802.2 */
1559 break;
1560
1561 case DLT_JUNIPER_PPPOE_ATM:
1562 cstate->off_linktype.constant_part = 4;
1563 cstate->off_linkpl.constant_part = 6;
1564 cstate->off_nl = 0;
1565 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1566 break;
1567
1568 case DLT_JUNIPER_GGSN:
1569 cstate->off_linktype.constant_part = 6;
1570 cstate->off_linkpl.constant_part = 12;
1571 cstate->off_nl = 0;
1572 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1573 break;
1574
1575 case DLT_JUNIPER_ES:
1576 cstate->off_linktype.constant_part = 6;
1577 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1578 cstate->off_nl = OFFSET_NOT_SET; /* not really a network layer but raw IP addresses */
1579 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1580 break;
1581
1582 case DLT_JUNIPER_MONITOR:
1583 cstate->off_linktype.constant_part = 12;
1584 cstate->off_linkpl.constant_part = 12;
1585 cstate->off_nl = 0; /* raw IP/IP6 header */
1586 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1587 break;
1588
1589 case DLT_BACNET_MS_TP:
1590 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1591 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1592 cstate->off_nl = OFFSET_NOT_SET;
1593 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1594 break;
1595
1596 case DLT_JUNIPER_SERVICES:
1597 cstate->off_linktype.constant_part = 12;
1598 cstate->off_linkpl.constant_part = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1599 cstate->off_nl = OFFSET_NOT_SET; /* L3 proto location dep. on cookie type */
1600 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1601 break;
1602
1603 case DLT_JUNIPER_VP:
1604 cstate->off_linktype.constant_part = 18;
1605 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1606 cstate->off_nl = OFFSET_NOT_SET;
1607 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1608 break;
1609
1610 case DLT_JUNIPER_ST:
1611 cstate->off_linktype.constant_part = 18;
1612 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1613 cstate->off_nl = OFFSET_NOT_SET;
1614 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1615 break;
1616
1617 case DLT_JUNIPER_ISM:
1618 cstate->off_linktype.constant_part = 8;
1619 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1620 cstate->off_nl = OFFSET_NOT_SET;
1621 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1622 break;
1623
1624 case DLT_JUNIPER_VS:
1625 case DLT_JUNIPER_SRX_E2E:
1626 case DLT_JUNIPER_FIBRECHANNEL:
1627 case DLT_JUNIPER_ATM_CEMIC:
1628 cstate->off_linktype.constant_part = 8;
1629 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1630 cstate->off_nl = OFFSET_NOT_SET;
1631 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1632 break;
1633
1634 case DLT_MTP2:
1635 cstate->off_li = 2;
1636 cstate->off_li_hsl = 4;
1637 cstate->off_sio = 3;
1638 cstate->off_opc = 4;
1639 cstate->off_dpc = 4;
1640 cstate->off_sls = 7;
1641 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1642 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1643 cstate->off_nl = OFFSET_NOT_SET;
1644 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1645 break;
1646
1647 case DLT_MTP2_WITH_PHDR:
1648 cstate->off_li = 6;
1649 cstate->off_li_hsl = 8;
1650 cstate->off_sio = 7;
1651 cstate->off_opc = 8;
1652 cstate->off_dpc = 8;
1653 cstate->off_sls = 11;
1654 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1655 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1656 cstate->off_nl = OFFSET_NOT_SET;
1657 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1658 break;
1659
1660 case DLT_ERF:
1661 cstate->off_li = 22;
1662 cstate->off_li_hsl = 24;
1663 cstate->off_sio = 23;
1664 cstate->off_opc = 24;
1665 cstate->off_dpc = 24;
1666 cstate->off_sls = 27;
1667 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1668 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1669 cstate->off_nl = OFFSET_NOT_SET;
1670 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1671 break;
1672
1673 case DLT_PFSYNC:
1674 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1675 cstate->off_linkpl.constant_part = 4;
1676 cstate->off_nl = 0;
1677 cstate->off_nl_nosnap = 0;
1678 break;
1679
1680 case DLT_AX25_KISS:
1681 /*
1682 * Currently, only raw "link[N:M]" filtering is supported.
1683 */
1684 cstate->off_linktype.constant_part = OFFSET_NOT_SET; /* variable, min 15, max 71 steps of 7 */
1685 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1686 cstate->off_nl = OFFSET_NOT_SET; /* variable, min 16, max 71 steps of 7 */
1687 cstate->off_nl_nosnap = OFFSET_NOT_SET; /* no 802.2 LLC */
1688 break;
1689
1690 case DLT_IPNET:
1691 cstate->off_linktype.constant_part = 1;
1692 cstate->off_linkpl.constant_part = 24; /* ipnet header length */
1693 cstate->off_nl = 0;
1694 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1695 break;
1696
1697 case DLT_NETANALYZER:
1698 cstate->off_linkhdr.constant_part = 4; /* Ethernet header is past 4-byte pseudo-header */
1699 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1700 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+Ethernet header length */
1701 cstate->off_nl = 0; /* Ethernet II */
1702 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1703 break;
1704
1705 case DLT_NETANALYZER_TRANSPARENT:
1706 cstate->off_linkhdr.constant_part = 12; /* MAC header is past 4-byte pseudo-header, preamble, and SFD */
1707 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
1708 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* pseudo-header+preamble+SFD+Ethernet header length */
1709 cstate->off_nl = 0; /* Ethernet II */
1710 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
1711 break;
1712
1713 default:
1714 /*
1715 * For values in the range in which we've assigned new
1716 * DLT_ values, only raw "link[N:M]" filtering is supported.
1717 */
1718 if (cstate->linktype >= DLT_MATCHING_MIN &&
1719 cstate->linktype <= DLT_MATCHING_MAX) {
1720 cstate->off_linktype.constant_part = OFFSET_NOT_SET;
1721 cstate->off_linkpl.constant_part = OFFSET_NOT_SET;
1722 cstate->off_nl = OFFSET_NOT_SET;
1723 cstate->off_nl_nosnap = OFFSET_NOT_SET;
1724 } else {
1725 bpf_set_error(cstate, "unknown data link type %d", cstate->linktype);
1726 return (-1);
1727 }
1728 break;
1729 }
1730
1731 cstate->off_outermostlinkhdr = cstate->off_prevlinkhdr = cstate->off_linkhdr;
1732 return (0);
1733 }
1734
1735 /*
1736 * Load a value relative to the specified absolute offset.
1737 */
1738 static struct slist *
1739 gen_load_absoffsetrel(compiler_state_t *cstate, bpf_abs_offset *abs_offset,
1740 u_int offset, u_int size)
1741 {
1742 struct slist *s, *s2;
1743
1744 s = gen_abs_offset_varpart(cstate, abs_offset);
1745
1746 /*
1747 * If "s" is non-null, it has code to arrange that the X register
1748 * contains the variable part of the absolute offset, so we
1749 * generate a load relative to that, with an offset of
1750 * abs_offset->constant_part + offset.
1751 *
1752 * Otherwise, we can do an absolute load with an offset of
1753 * abs_offset->constant_part + offset.
1754 */
1755 if (s != NULL) {
1756 /*
1757 * "s" points to a list of statements that puts the
1758 * variable part of the absolute offset into the X register.
1759 * Do an indirect load, to use the X register as an offset.
1760 */
1761 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1762 s2->s.k = abs_offset->constant_part + offset;
1763 sappend(s, s2);
1764 } else {
1765 /*
1766 * There is no variable part of the absolute offset, so
1767 * just do an absolute load.
1768 */
1769 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1770 s->s.k = abs_offset->constant_part + offset;
1771 }
1772 return s;
1773 }
1774
1775 /*
1776 * Load a value relative to the beginning of the specified header.
1777 */
1778 static struct slist *
1779 gen_load_a(compiler_state_t *cstate, enum e_offrel offrel, u_int offset,
1780 u_int size)
1781 {
1782 struct slist *s, *s2;
1783
1784 /*
1785 * Squelch warnings from compilers that *don't* assume that
1786 * offrel always has a valid enum value and therefore don't
1787 * assume that we'll always go through one of the case arms.
1788 *
1789 * If we have a default case, compilers that *do* assume that
1790 * will then complain about the default case code being
1791 * unreachable.
1792 *
1793 * Damned if you do, damned if you don't.
1794 */
1795 s = NULL;
1796
1797 switch (offrel) {
1798
1799 case OR_PACKET:
1800 s = new_stmt(cstate, BPF_LD|BPF_ABS|size);
1801 s->s.k = offset;
1802 break;
1803
1804 case OR_LINKHDR:
1805 s = gen_load_absoffsetrel(cstate, &cstate->off_linkhdr, offset, size);
1806 break;
1807
1808 case OR_PREVLINKHDR:
1809 s = gen_load_absoffsetrel(cstate, &cstate->off_prevlinkhdr, offset, size);
1810 break;
1811
1812 case OR_LLC:
1813 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, offset, size);
1814 break;
1815
1816 case OR_PREVMPLSHDR:
1817 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl - 4 + offset, size);
1818 break;
1819
1820 case OR_LINKPL:
1821 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + offset, size);
1822 break;
1823
1824 case OR_LINKPL_NOSNAP:
1825 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl_nosnap + offset, size);
1826 break;
1827
1828 case OR_LINKTYPE:
1829 s = gen_load_absoffsetrel(cstate, &cstate->off_linktype, offset, size);
1830 break;
1831
1832 case OR_TRAN_IPV4:
1833 /*
1834 * Load the X register with the length of the IPv4 header
1835 * (plus the offset of the link-layer header, if it's
1836 * preceded by a variable-length header such as a radio
1837 * header), in bytes.
1838 */
1839 s = gen_loadx_iphdrlen(cstate);
1840
1841 /*
1842 * Load the item at {offset of the link-layer payload} +
1843 * {offset, relative to the start of the link-layer
1844 * paylod, of the IPv4 header} + {length of the IPv4 header} +
1845 * {specified offset}.
1846 *
1847 * If the offset of the link-layer payload is variable,
1848 * the variable part of that offset is included in the
1849 * value in the X register, and we include the constant
1850 * part in the offset of the load.
1851 */
1852 s2 = new_stmt(cstate, BPF_LD|BPF_IND|size);
1853 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + offset;
1854 sappend(s, s2);
1855 break;
1856
1857 case OR_TRAN_IPV6:
1858 s = gen_load_absoffsetrel(cstate, &cstate->off_linkpl, cstate->off_nl + 40 + offset, size);
1859 break;
1860 }
1861 return s;
1862 }
1863
1864 /*
1865 * Generate code to load into the X register the sum of the length of
1866 * the IPv4 header and the variable part of the offset of the link-layer
1867 * payload.
1868 */
1869 static struct slist *
1870 gen_loadx_iphdrlen(compiler_state_t *cstate)
1871 {
1872 struct slist *s, *s2;
1873
1874 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
1875 if (s != NULL) {
1876 /*
1877 * The offset of the link-layer payload has a variable
1878 * part. "s" points to a list of statements that put
1879 * the variable part of that offset into the X register.
1880 *
1881 * The 4*([k]&0xf) addressing mode can't be used, as we
1882 * don't have a constant offset, so we have to load the
1883 * value in question into the A register and add to it
1884 * the value from the X register.
1885 */
1886 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
1887 s2->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1888 sappend(s, s2);
1889 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
1890 s2->s.k = 0xf;
1891 sappend(s, s2);
1892 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
1893 s2->s.k = 2;
1894 sappend(s, s2);
1895
1896 /*
1897 * The A register now contains the length of the IP header.
1898 * We need to add to it the variable part of the offset of
1899 * the link-layer payload, which is still in the X
1900 * register, and move the result into the X register.
1901 */
1902 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
1903 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
1904 } else {
1905 /*
1906 * The offset of the link-layer payload is a constant,
1907 * so no code was generated to load the (non-existent)
1908 * variable part of that offset.
1909 *
1910 * This means we can use the 4*([k]&0xf) addressing
1911 * mode. Load the length of the IPv4 header, which
1912 * is at an offset of cstate->off_nl from the beginning of
1913 * the link-layer payload, and thus at an offset of
1914 * cstate->off_linkpl.constant_part + cstate->off_nl from the beginning
1915 * of the raw packet data, using that addressing mode.
1916 */
1917 s = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
1918 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
1919 }
1920 return s;
1921 }
1922
1923
1924 static struct block *
1925 gen_uncond(compiler_state_t *cstate, int rsense)
1926 {
1927 struct block *b;
1928 struct slist *s;
1929
1930 s = new_stmt(cstate, BPF_LD|BPF_IMM);
1931 s->s.k = !rsense;
1932 b = new_block(cstate, JMP(BPF_JEQ));
1933 b->stmts = s;
1934
1935 return b;
1936 }
1937
1938 static inline struct block *
1939 gen_true(compiler_state_t *cstate)
1940 {
1941 return gen_uncond(cstate, 1);
1942 }
1943
1944 static inline struct block *
1945 gen_false(compiler_state_t *cstate)
1946 {
1947 return gen_uncond(cstate, 0);
1948 }
1949
1950 /*
1951 * Byte-swap a 32-bit number.
1952 * ("htonl()" or "ntohl()" won't work - we want to byte-swap even on
1953 * big-endian platforms.)
1954 */
1955 #define SWAPLONG(y) \
1956 ((((y)&0xff)<<24) | (((y)&0xff00)<<8) | (((y)&0xff0000)>>8) | (((y)>>24)&0xff))
1957
1958 /*
1959 * Generate code to match a particular packet type.
1960 *
1961 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
1962 * value, if <= ETHERMTU. We use that to determine whether to
1963 * match the type/length field or to check the type/length field for
1964 * a value <= ETHERMTU to see whether it's a type field and then do
1965 * the appropriate test.
1966 */
1967 static struct block *
1968 gen_ether_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
1969 {
1970 struct block *b0, *b1;
1971
1972 switch (ll_proto) {
1973
1974 case LLCSAP_ISONS:
1975 case LLCSAP_IP:
1976 case LLCSAP_NETBEUI:
1977 /*
1978 * OSI protocols and NetBEUI always use 802.2 encapsulation,
1979 * so we check the DSAP and SSAP.
1980 *
1981 * LLCSAP_IP checks for IP-over-802.2, rather
1982 * than IP-over-Ethernet or IP-over-SNAP.
1983 *
1984 * XXX - should we check both the DSAP and the
1985 * SSAP, like this, or should we check just the
1986 * DSAP, as we do for other types <= ETHERMTU
1987 * (i.e., other SAP values)?
1988 */
1989 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
1990 gen_not(b0);
1991 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
1992 gen_and(b0, b1);
1993 return b1;
1994
1995 case LLCSAP_IPX:
1996 /*
1997 * Check for;
1998 *
1999 * Ethernet_II frames, which are Ethernet
2000 * frames with a frame type of ETHERTYPE_IPX;
2001 *
2002 * Ethernet_802.3 frames, which are 802.3
2003 * frames (i.e., the type/length field is
2004 * a length field, <= ETHERMTU, rather than
2005 * a type field) with the first two bytes
2006 * after the Ethernet/802.3 header being
2007 * 0xFFFF;
2008 *
2009 * Ethernet_802.2 frames, which are 802.3
2010 * frames with an 802.2 LLC header and
2011 * with the IPX LSAP as the DSAP in the LLC
2012 * header;
2013 *
2014 * Ethernet_SNAP frames, which are 802.3
2015 * frames with an LLC header and a SNAP
2016 * header and with an OUI of 0x000000
2017 * (encapsulated Ethernet) and a protocol
2018 * ID of ETHERTYPE_IPX in the SNAP header.
2019 *
2020 * XXX - should we generate the same code both
2021 * for tests for LLCSAP_IPX and for ETHERTYPE_IPX?
2022 */
2023
2024 /*
2025 * This generates code to check both for the
2026 * IPX LSAP (Ethernet_802.2) and for Ethernet_802.3.
2027 */
2028 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2029 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
2030 gen_or(b0, b1);
2031
2032 /*
2033 * Now we add code to check for SNAP frames with
2034 * ETHERTYPE_IPX, i.e. Ethernet_SNAP.
2035 */
2036 b0 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2037 gen_or(b0, b1);
2038
2039 /*
2040 * Now we generate code to check for 802.3
2041 * frames in general.
2042 */
2043 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2044 gen_not(b0);
2045
2046 /*
2047 * Now add the check for 802.3 frames before the
2048 * check for Ethernet_802.2 and Ethernet_802.3,
2049 * as those checks should only be done on 802.3
2050 * frames, not on Ethernet frames.
2051 */
2052 gen_and(b0, b1);
2053
2054 /*
2055 * Now add the check for Ethernet_II frames, and
2056 * do that before checking for the other frame
2057 * types.
2058 */
2059 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2060 gen_or(b0, b1);
2061 return b1;
2062
2063 case ETHERTYPE_ATALK:
2064 case ETHERTYPE_AARP:
2065 /*
2066 * EtherTalk (AppleTalk protocols on Ethernet link
2067 * layer) may use 802.2 encapsulation.
2068 */
2069
2070 /*
2071 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2072 * we check for an Ethernet type field less than
2073 * 1500, which means it's an 802.3 length field.
2074 */
2075 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2076 gen_not(b0);
2077
2078 /*
2079 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2080 * SNAP packets with an organization code of
2081 * 0x080007 (Apple, for Appletalk) and a protocol
2082 * type of ETHERTYPE_ATALK (Appletalk).
2083 *
2084 * 802.2-encapsulated ETHERTYPE_AARP packets are
2085 * SNAP packets with an organization code of
2086 * 0x000000 (encapsulated Ethernet) and a protocol
2087 * type of ETHERTYPE_AARP (Appletalk ARP).
2088 */
2089 if (ll_proto == ETHERTYPE_ATALK)
2090 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2091 else /* ll_proto == ETHERTYPE_AARP */
2092 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2093 gen_and(b0, b1);
2094
2095 /*
2096 * Check for Ethernet encapsulation (Ethertalk
2097 * phase 1?); we just check for the Ethernet
2098 * protocol type.
2099 */
2100 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2101
2102 gen_or(b0, b1);
2103 return b1;
2104
2105 default:
2106 if (ll_proto <= ETHERMTU) {
2107 /*
2108 * This is an LLC SAP value, so the frames
2109 * that match would be 802.2 frames.
2110 * Check that the frame is an 802.2 frame
2111 * (i.e., that the length/type field is
2112 * a length field, <= ETHERMTU) and
2113 * then check the DSAP.
2114 */
2115 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
2116 gen_not(b0);
2117 b1 = gen_cmp(cstate, OR_LINKTYPE, 2, BPF_B, ll_proto);
2118 gen_and(b0, b1);
2119 return b1;
2120 } else {
2121 /*
2122 * This is an Ethernet type, so compare
2123 * the length/type field with it (if
2124 * the frame is an 802.2 frame, the length
2125 * field will be <= ETHERMTU, and, as
2126 * "ll_proto" is > ETHERMTU, this test
2127 * will fail and the frame won't match,
2128 * which is what we want).
2129 */
2130 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2131 }
2132 }
2133 }
2134
2135 static struct block *
2136 gen_loopback_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2137 {
2138 /*
2139 * For DLT_NULL, the link-layer header is a 32-bit word
2140 * containing an AF_ value in *host* byte order, and for
2141 * DLT_ENC, the link-layer header begins with a 32-bit
2142 * word containing an AF_ value in host byte order.
2143 *
2144 * In addition, if we're reading a saved capture file,
2145 * the host byte order in the capture may not be the
2146 * same as the host byte order on this machine.
2147 *
2148 * For DLT_LOOP, the link-layer header is a 32-bit
2149 * word containing an AF_ value in *network* byte order.
2150 */
2151 if (cstate->linktype == DLT_NULL || cstate->linktype == DLT_ENC) {
2152 /*
2153 * The AF_ value is in host byte order, but the BPF
2154 * interpreter will convert it to network byte order.
2155 *
2156 * If this is a save file, and it's from a machine
2157 * with the opposite byte order to ours, we byte-swap
2158 * the AF_ value.
2159 *
2160 * Then we run it through "htonl()", and generate
2161 * code to compare against the result.
2162 */
2163 if (cstate->bpf_pcap->rfile != NULL && cstate->bpf_pcap->swapped)
2164 ll_proto = SWAPLONG(ll_proto);
2165 ll_proto = htonl(ll_proto);
2166 }
2167 return (gen_cmp(cstate, OR_LINKHDR, 0, BPF_W, ll_proto));
2168 }
2169
2170 /*
2171 * "proto" is an Ethernet type value and for IPNET, if it is not IPv4
2172 * or IPv6 then we have an error.
2173 */
2174 static struct block *
2175 gen_ipnet_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2176 {
2177 switch (ll_proto) {
2178
2179 case ETHERTYPE_IP:
2180 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET);
2181 /*NOTREACHED*/
2182
2183 case ETHERTYPE_IPV6:
2184 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B, IPH_AF_INET6);
2185 /*NOTREACHED*/
2186
2187 default:
2188 break;
2189 }
2190
2191 return gen_false(cstate);
2192 }
2193
2194 /*
2195 * Generate code to match a particular packet type.
2196 *
2197 * "ll_proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
2198 * value, if <= ETHERMTU. We use that to determine whether to
2199 * match the type field or to check the type field for the special
2200 * LINUX_SLL_P_802_2 value and then do the appropriate test.
2201 */
2202 static struct block *
2203 gen_linux_sll_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
2204 {
2205 struct block *b0, *b1;
2206
2207 switch (ll_proto) {
2208
2209 case LLCSAP_ISONS:
2210 case LLCSAP_IP:
2211 case LLCSAP_NETBEUI:
2212 /*
2213 * OSI protocols and NetBEUI always use 802.2 encapsulation,
2214 * so we check the DSAP and SSAP.
2215 *
2216 * LLCSAP_IP checks for IP-over-802.2, rather
2217 * than IP-over-Ethernet or IP-over-SNAP.
2218 *
2219 * XXX - should we check both the DSAP and the
2220 * SSAP, like this, or should we check just the
2221 * DSAP, as we do for other types <= ETHERMTU
2222 * (i.e., other SAP values)?
2223 */
2224 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2225 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, (ll_proto << 8) | ll_proto);
2226 gen_and(b0, b1);
2227 return b1;
2228
2229 case LLCSAP_IPX:
2230 /*
2231 * Ethernet_II frames, which are Ethernet
2232 * frames with a frame type of ETHERTYPE_IPX;
2233 *
2234 * Ethernet_802.3 frames, which have a frame
2235 * type of LINUX_SLL_P_802_3;
2236 *
2237 * Ethernet_802.2 frames, which are 802.3
2238 * frames with an 802.2 LLC header (i.e, have
2239 * a frame type of LINUX_SLL_P_802_2) and
2240 * with the IPX LSAP as the DSAP in the LLC
2241 * header;
2242 *
2243 * Ethernet_SNAP frames, which are 802.3
2244 * frames with an LLC header and a SNAP
2245 * header and with an OUI of 0x000000
2246 * (encapsulated Ethernet) and a protocol
2247 * ID of ETHERTYPE_IPX in the SNAP header.
2248 *
2249 * First, do the checks on LINUX_SLL_P_802_2
2250 * frames; generate the check for either
2251 * Ethernet_802.2 or Ethernet_SNAP frames, and
2252 * then put a check for LINUX_SLL_P_802_2 frames
2253 * before it.
2254 */
2255 b0 = gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
2256 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_IPX);
2257 gen_or(b0, b1);
2258 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2259 gen_and(b0, b1);
2260
2261 /*
2262 * Now check for 802.3 frames and OR that with
2263 * the previous test.
2264 */
2265 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_3);
2266 gen_or(b0, b1);
2267
2268 /*
2269 * Now add the check for Ethernet_II frames, and
2270 * do that before checking for the other frame
2271 * types.
2272 */
2273 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ETHERTYPE_IPX);
2274 gen_or(b0, b1);
2275 return b1;
2276
2277 case ETHERTYPE_ATALK:
2278 case ETHERTYPE_AARP:
2279 /*
2280 * EtherTalk (AppleTalk protocols on Ethernet link
2281 * layer) may use 802.2 encapsulation.
2282 */
2283
2284 /*
2285 * Check for 802.2 encapsulation (EtherTalk phase 2?);
2286 * we check for the 802.2 protocol type in the
2287 * "Ethernet type" field.
2288 */
2289 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2290
2291 /*
2292 * 802.2-encapsulated ETHERTYPE_ATALK packets are
2293 * SNAP packets with an organization code of
2294 * 0x080007 (Apple, for Appletalk) and a protocol
2295 * type of ETHERTYPE_ATALK (Appletalk).
2296 *
2297 * 802.2-encapsulated ETHERTYPE_AARP packets are
2298 * SNAP packets with an organization code of
2299 * 0x000000 (encapsulated Ethernet) and a protocol
2300 * type of ETHERTYPE_AARP (Appletalk ARP).
2301 */
2302 if (ll_proto == ETHERTYPE_ATALK)
2303 b1 = gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
2304 else /* ll_proto == ETHERTYPE_AARP */
2305 b1 = gen_snap(cstate, 0x000000, ETHERTYPE_AARP);
2306 gen_and(b0, b1);
2307
2308 /*
2309 * Check for Ethernet encapsulation (Ethertalk
2310 * phase 1?); we just check for the Ethernet
2311 * protocol type.
2312 */
2313 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2314
2315 gen_or(b0, b1);
2316 return b1;
2317
2318 default:
2319 if (ll_proto <= ETHERMTU) {
2320 /*
2321 * This is an LLC SAP value, so the frames
2322 * that match would be 802.2 frames.
2323 * Check for the 802.2 protocol type
2324 * in the "Ethernet type" field, and
2325 * then check the DSAP.
2326 */
2327 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, LINUX_SLL_P_802_2);
2328 b1 = gen_cmp(cstate, OR_LINKHDR, cstate->off_linkpl.constant_part, BPF_B,
2329 ll_proto);
2330 gen_and(b0, b1);
2331 return b1;
2332 } else {
2333 /*
2334 * This is an Ethernet type, so compare
2335 * the length/type field with it (if
2336 * the frame is an 802.2 frame, the length
2337 * field will be <= ETHERMTU, and, as
2338 * "ll_proto" is > ETHERMTU, this test
2339 * will fail and the frame won't match,
2340 * which is what we want).
2341 */
2342 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
2343 }
2344 }
2345 }
2346
2347 static struct slist *
2348 gen_load_prism_llprefixlen(compiler_state_t *cstate)
2349 {
2350 struct slist *s1, *s2;
2351 struct slist *sjeq_avs_cookie;
2352 struct slist *sjcommon;
2353
2354 /*
2355 * This code is not compatible with the optimizer, as
2356 * we are generating jmp instructions within a normal
2357 * slist of instructions
2358 */
2359 cstate->no_optimize = 1;
2360
2361 /*
2362 * Generate code to load the length of the radio header into
2363 * the register assigned to hold that length, if one has been
2364 * assigned. (If one hasn't been assigned, no code we've
2365 * generated uses that prefix, so we don't need to generate any
2366 * code to load it.)
2367 *
2368 * Some Linux drivers use ARPHRD_IEEE80211_PRISM but sometimes
2369 * or always use the AVS header rather than the Prism header.
2370 * We load a 4-byte big-endian value at the beginning of the
2371 * raw packet data, and see whether, when masked with 0xFFFFF000,
2372 * it's equal to 0x80211000. If so, that indicates that it's
2373 * an AVS header (the masked-out bits are the version number).
2374 * Otherwise, it's a Prism header.
2375 *
2376 * XXX - the Prism header is also, in theory, variable-length,
2377 * but no known software generates headers that aren't 144
2378 * bytes long.
2379 */
2380 if (cstate->off_linkhdr.reg != -1) {
2381 /*
2382 * Load the cookie.
2383 */
2384 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2385 s1->s.k = 0;
2386
2387 /*
2388 * AND it with 0xFFFFF000.
2389 */
2390 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
2391 s2->s.k = 0xFFFFF000;
2392 sappend(s1, s2);
2393
2394 /*
2395 * Compare with 0x80211000.
2396 */
2397 sjeq_avs_cookie = new_stmt(cstate, JMP(BPF_JEQ));
2398 sjeq_avs_cookie->s.k = 0x80211000;
2399 sappend(s1, sjeq_avs_cookie);
2400
2401 /*
2402 * If it's AVS:
2403 *
2404 * The 4 bytes at an offset of 4 from the beginning of
2405 * the AVS header are the length of the AVS header.
2406 * That field is big-endian.
2407 */
2408 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2409 s2->s.k = 4;
2410 sappend(s1, s2);
2411 sjeq_avs_cookie->s.jt = s2;
2412
2413 /*
2414 * Now jump to the code to allocate a register
2415 * into which to save the header length and
2416 * store the length there. (The "jump always"
2417 * instruction needs to have the k field set;
2418 * it's added to the PC, so, as we're jumping
2419 * over a single instruction, it should be 1.)
2420 */
2421 sjcommon = new_stmt(cstate, JMP(BPF_JA));
2422 sjcommon->s.k = 1;
2423 sappend(s1, sjcommon);
2424
2425 /*
2426 * Now for the code that handles the Prism header.
2427 * Just load the length of the Prism header (144)
2428 * into the A register. Have the test for an AVS
2429 * header branch here if we don't have an AVS header.
2430 */
2431 s2 = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2432 s2->s.k = 144;
2433 sappend(s1, s2);
2434 sjeq_avs_cookie->s.jf = s2;
2435
2436 /*
2437 * Now allocate a register to hold that value and store
2438 * it. The code for the AVS header will jump here after
2439 * loading the length of the AVS header.
2440 */
2441 s2 = new_stmt(cstate, BPF_ST);
2442 s2->s.k = cstate->off_linkhdr.reg;
2443 sappend(s1, s2);
2444 sjcommon->s.jf = s2;
2445
2446 /*
2447 * Now move it into the X register.
2448 */
2449 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2450 sappend(s1, s2);
2451
2452 return (s1);
2453 } else
2454 return (NULL);
2455 }
2456
2457 static struct slist *
2458 gen_load_avs_llprefixlen(compiler_state_t *cstate)
2459 {
2460 struct slist *s1, *s2;
2461
2462 /*
2463 * Generate code to load the length of the AVS header into
2464 * the register assigned to hold that length, if one has been
2465 * assigned. (If one hasn't been assigned, no code we've
2466 * generated uses that prefix, so we don't need to generate any
2467 * code to load it.)
2468 */
2469 if (cstate->off_linkhdr.reg != -1) {
2470 /*
2471 * The 4 bytes at an offset of 4 from the beginning of
2472 * the AVS header are the length of the AVS header.
2473 * That field is big-endian.
2474 */
2475 s1 = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2476 s1->s.k = 4;
2477
2478 /*
2479 * Now allocate a register to hold that value and store
2480 * it.
2481 */
2482 s2 = new_stmt(cstate, BPF_ST);
2483 s2->s.k = cstate->off_linkhdr.reg;
2484 sappend(s1, s2);
2485
2486 /*
2487 * Now move it into the X register.
2488 */
2489 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2490 sappend(s1, s2);
2491
2492 return (s1);
2493 } else
2494 return (NULL);
2495 }
2496
2497 static struct slist *
2498 gen_load_radiotap_llprefixlen(compiler_state_t *cstate)
2499 {
2500 struct slist *s1, *s2;
2501
2502 /*
2503 * Generate code to load the length of the radiotap header into
2504 * the register assigned to hold that length, if one has been
2505 * assigned. (If one hasn't been assigned, no code we've
2506 * generated uses that prefix, so we don't need to generate any
2507 * code to load it.)
2508 */
2509 if (cstate->off_linkhdr.reg != -1) {
2510 /*
2511 * The 2 bytes at offsets of 2 and 3 from the beginning
2512 * of the radiotap header are the length of the radiotap
2513 * header; unfortunately, it's little-endian, so we have
2514 * to load it a byte at a time and construct the value.
2515 */
2516
2517 /*
2518 * Load the high-order byte, at an offset of 3, shift it
2519 * left a byte, and put the result in the X register.
2520 */
2521 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2522 s1->s.k = 3;
2523 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2524 sappend(s1, s2);
2525 s2->s.k = 8;
2526 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2527 sappend(s1, s2);
2528
2529 /*
2530 * Load the next byte, at an offset of 2, and OR the
2531 * value from the X register into it.
2532 */
2533 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2534 sappend(s1, s2);
2535 s2->s.k = 2;
2536 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2537 sappend(s1, s2);
2538
2539 /*
2540 * Now allocate a register to hold that value and store
2541 * it.
2542 */
2543 s2 = new_stmt(cstate, BPF_ST);
2544 s2->s.k = cstate->off_linkhdr.reg;
2545 sappend(s1, s2);
2546
2547 /*
2548 * Now move it into the X register.
2549 */
2550 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2551 sappend(s1, s2);
2552
2553 return (s1);
2554 } else
2555 return (NULL);
2556 }
2557
2558 /*
2559 * At the moment we treat PPI as normal Radiotap encoded
2560 * packets. The difference is in the function that generates
2561 * the code at the beginning to compute the header length.
2562 * Since this code generator of PPI supports bare 802.11
2563 * encapsulation only (i.e. the encapsulated DLT should be
2564 * DLT_IEEE802_11) we generate code to check for this too;
2565 * that's done in finish_parse().
2566 */
2567 static struct slist *
2568 gen_load_ppi_llprefixlen(compiler_state_t *cstate)
2569 {
2570 struct slist *s1, *s2;
2571
2572 /*
2573 * Generate code to load the length of the radiotap header
2574 * into the register assigned to hold that length, if one has
2575 * been assigned.
2576 */
2577 if (cstate->off_linkhdr.reg != -1) {
2578 /*
2579 * The 2 bytes at offsets of 2 and 3 from the beginning
2580 * of the radiotap header are the length of the radiotap
2581 * header; unfortunately, it's little-endian, so we have
2582 * to load it a byte at a time and construct the value.
2583 */
2584
2585 /*
2586 * Load the high-order byte, at an offset of 3, shift it
2587 * left a byte, and put the result in the X register.
2588 */
2589 s1 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2590 s1->s.k = 3;
2591 s2 = new_stmt(cstate, BPF_ALU|BPF_LSH|BPF_K);
2592 sappend(s1, s2);
2593 s2->s.k = 8;
2594 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2595 sappend(s1, s2);
2596
2597 /*
2598 * Load the next byte, at an offset of 2, and OR the
2599 * value from the X register into it.
2600 */
2601 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
2602 sappend(s1, s2);
2603 s2->s.k = 2;
2604 s2 = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_X);
2605 sappend(s1, s2);
2606
2607 /*
2608 * Now allocate a register to hold that value and store
2609 * it.
2610 */
2611 s2 = new_stmt(cstate, BPF_ST);
2612 s2->s.k = cstate->off_linkhdr.reg;
2613 sappend(s1, s2);
2614
2615 /*
2616 * Now move it into the X register.
2617 */
2618 s2 = new_stmt(cstate, BPF_MISC|BPF_TAX);
2619 sappend(s1, s2);
2620
2621 return (s1);
2622 } else
2623 return (NULL);
2624 }
2625
2626 /*
2627 * Load a value relative to the beginning of the link-layer header after the 802.11
2628 * header, i.e. LLC_SNAP.
2629 * The link-layer header doesn't necessarily begin at the beginning
2630 * of the packet data; there might be a variable-length prefix containing
2631 * radio information.
2632 */
2633 static struct slist *
2634 gen_load_802_11_header_len(compiler_state_t *cstate, struct slist *s, struct slist *snext)
2635 {
2636 struct slist *s2;
2637 struct slist *sjset_data_frame_1;
2638 struct slist *sjset_data_frame_2;
2639 struct slist *sjset_qos;
2640 struct slist *sjset_radiotap_flags_present;
2641 struct slist *sjset_radiotap_ext_present;
2642 struct slist *sjset_radiotap_tsft_present;
2643 struct slist *sjset_tsft_datapad, *sjset_notsft_datapad;
2644 struct slist *s_roundup;
2645
2646 if (cstate->off_linkpl.reg == -1) {
2647 /*
2648 * No register has been assigned to the offset of
2649 * the link-layer payload, which means nobody needs
2650 * it; don't bother computing it - just return
2651 * what we already have.
2652 */
2653 return (s);
2654 }
2655
2656 /*
2657 * This code is not compatible with the optimizer, as
2658 * we are generating jmp instructions within a normal
2659 * slist of instructions
2660 */
2661 cstate->no_optimize = 1;
2662
2663 /*
2664 * If "s" is non-null, it has code to arrange that the X register
2665 * contains the length of the prefix preceding the link-layer
2666 * header.
2667 *
2668 * Otherwise, the length of the prefix preceding the link-layer
2669 * header is "off_outermostlinkhdr.constant_part".
2670 */
2671 if (s == NULL) {
2672 /*
2673 * There is no variable-length header preceding the
2674 * link-layer header.
2675 *
2676 * Load the length of the fixed-length prefix preceding
2677 * the link-layer header (if any) into the X register,
2678 * and store it in the cstate->off_linkpl.reg register.
2679 * That length is off_outermostlinkhdr.constant_part.
2680 */
2681 s = new_stmt(cstate, BPF_LDX|BPF_IMM);
2682 s->s.k = cstate->off_outermostlinkhdr.constant_part;
2683 }
2684
2685 /*
2686 * The X register contains the offset of the beginning of the
2687 * link-layer header; add 24, which is the minimum length
2688 * of the MAC header for a data frame, to that, and store it
2689 * in cstate->off_linkpl.reg, and then load the Frame Control field,
2690 * which is at the offset in the X register, with an indexed load.
2691 */
2692 s2 = new_stmt(cstate, BPF_MISC|BPF_TXA);
2693 sappend(s, s2);
2694 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
2695 s2->s.k = 24;
2696 sappend(s, s2);
2697 s2 = new_stmt(cstate, BPF_ST);
2698 s2->s.k = cstate->off_linkpl.reg;
2699 sappend(s, s2);
2700
2701 s2 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
2702 s2->s.k = 0;
2703 sappend(s, s2);
2704
2705 /*
2706 * Check the Frame Control field to see if this is a data frame;
2707 * a data frame has the 0x08 bit (b3) in that field set and the
2708 * 0x04 bit (b2) clear.
2709 */
2710 sjset_data_frame_1 = new_stmt(cstate, JMP(BPF_JSET));
2711 sjset_data_frame_1->s.k = 0x08;
2712 sappend(s, sjset_data_frame_1);
2713
2714 /*
2715 * If b3 is set, test b2, otherwise go to the first statement of
2716 * the rest of the program.
2717 */
2718 sjset_data_frame_1->s.jt = sjset_data_frame_2 = new_stmt(cstate, JMP(BPF_JSET));
2719 sjset_data_frame_2->s.k = 0x04;
2720 sappend(s, sjset_data_frame_2);
2721 sjset_data_frame_1->s.jf = snext;
2722
2723 /*
2724 * If b2 is not set, this is a data frame; test the QoS bit.
2725 * Otherwise, go to the first statement of the rest of the
2726 * program.
2727 */
2728 sjset_data_frame_2->s.jt = snext;
2729 sjset_data_frame_2->s.jf = sjset_qos = new_stmt(cstate, JMP(BPF_JSET));
2730 sjset_qos->s.k = 0x80; /* QoS bit */
2731 sappend(s, sjset_qos);
2732
2733 /*
2734 * If it's set, add 2 to cstate->off_linkpl.reg, to skip the QoS
2735 * field.
2736 * Otherwise, go to the first statement of the rest of the
2737 * program.
2738 */
2739 sjset_qos->s.jt = s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
2740 s2->s.k = cstate->off_linkpl.reg;
2741 sappend(s, s2);
2742 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2743 s2->s.k = 2;
2744 sappend(s, s2);
2745 s2 = new_stmt(cstate, BPF_ST);
2746 s2->s.k = cstate->off_linkpl.reg;
2747 sappend(s, s2);
2748
2749 /*
2750 * If we have a radiotap header, look at it to see whether
2751 * there's Atheros padding between the MAC-layer header
2752 * and the payload.
2753 *
2754 * Note: all of the fields in the radiotap header are
2755 * little-endian, so we byte-swap all of the values
2756 * we test against, as they will be loaded as big-endian
2757 * values.
2758 *
2759 * XXX - in the general case, we would have to scan through
2760 * *all* the presence bits, if there's more than one word of
2761 * presence bits. That would require a loop, meaning that
2762 * we wouldn't be able to run the filter in the kernel.
2763 *
2764 * We assume here that the Atheros adapters that insert the
2765 * annoying padding don't have multiple antennae and therefore
2766 * do not generate radiotap headers with multiple presence words.
2767 */
2768 if (cstate->linktype == DLT_IEEE802_11_RADIO) {
2769 /*
2770 * Is the IEEE80211_RADIOTAP_FLAGS bit (0x0000002) set
2771 * in the first presence flag word?
2772 */
2773 sjset_qos->s.jf = s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_W);
2774 s2->s.k = 4;
2775 sappend(s, s2);
2776
2777 sjset_radiotap_flags_present = new_stmt(cstate, JMP(BPF_JSET));
2778 sjset_radiotap_flags_present->s.k = SWAPLONG(0x00000002);
2779 sappend(s, sjset_radiotap_flags_present);
2780
2781 /*
2782 * If not, skip all of this.
2783 */
2784 sjset_radiotap_flags_present->s.jf = snext;
2785
2786 /*
2787 * Otherwise, is the "extension" bit set in that word?
2788 */
2789 sjset_radiotap_ext_present = new_stmt(cstate, JMP(BPF_JSET));
2790 sjset_radiotap_ext_present->s.k = SWAPLONG(0x80000000);
2791 sappend(s, sjset_radiotap_ext_present);
2792 sjset_radiotap_flags_present->s.jt = sjset_radiotap_ext_present;
2793
2794 /*
2795 * If so, skip all of this.
2796 */
2797 sjset_radiotap_ext_present->s.jt = snext;
2798
2799 /*
2800 * Otherwise, is the IEEE80211_RADIOTAP_TSFT bit set?
2801 */
2802 sjset_radiotap_tsft_present = new_stmt(cstate, JMP(BPF_JSET));
2803 sjset_radiotap_tsft_present->s.k = SWAPLONG(0x00000001);
2804 sappend(s, sjset_radiotap_tsft_present);
2805 sjset_radiotap_ext_present->s.jf = sjset_radiotap_tsft_present;
2806
2807 /*
2808 * If IEEE80211_RADIOTAP_TSFT is set, the flags field is
2809 * at an offset of 16 from the beginning of the raw packet
2810 * data (8 bytes for the radiotap header and 8 bytes for
2811 * the TSFT field).
2812 *
2813 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2814 * is set.
2815 */
2816 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2817 s2->s.k = 16;
2818 sappend(s, s2);
2819 sjset_radiotap_tsft_present->s.jt = s2;
2820
2821 sjset_tsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2822 sjset_tsft_datapad->s.k = 0x20;
2823 sappend(s, sjset_tsft_datapad);
2824
2825 /*
2826 * If IEEE80211_RADIOTAP_TSFT is not set, the flags field is
2827 * at an offset of 8 from the beginning of the raw packet
2828 * data (8 bytes for the radiotap header).
2829 *
2830 * Test whether the IEEE80211_RADIOTAP_F_DATAPAD bit (0x20)
2831 * is set.
2832 */
2833 s2 = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
2834 s2->s.k = 8;
2835 sappend(s, s2);
2836 sjset_radiotap_tsft_present->s.jf = s2;
2837
2838 sjset_notsft_datapad = new_stmt(cstate, JMP(BPF_JSET));
2839 sjset_notsft_datapad->s.k = 0x20;
2840 sappend(s, sjset_notsft_datapad);
2841
2842 /*
2843 * In either case, if IEEE80211_RADIOTAP_F_DATAPAD is
2844 * set, round the length of the 802.11 header to
2845 * a multiple of 4. Do that by adding 3 and then
2846 * dividing by and multiplying by 4, which we do by
2847 * ANDing with ~3.
2848 */
2849 s_roundup = new_stmt(cstate, BPF_LD|BPF_MEM);
2850 s_roundup->s.k = cstate->off_linkpl.reg;
2851 sappend(s, s_roundup);
2852 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
2853 s2->s.k = 3;
2854 sappend(s, s2);
2855 s2 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_IMM);
2856 s2->s.k = (bpf_u_int32)~3;
2857 sappend(s, s2);
2858 s2 = new_stmt(cstate, BPF_ST);
2859 s2->s.k = cstate->off_linkpl.reg;
2860 sappend(s, s2);
2861
2862 sjset_tsft_datapad->s.jt = s_roundup;
2863 sjset_tsft_datapad->s.jf = snext;
2864 sjset_notsft_datapad->s.jt = s_roundup;
2865 sjset_notsft_datapad->s.jf = snext;
2866 } else
2867 sjset_qos->s.jf = snext;
2868
2869 return s;
2870 }
2871
2872 static void
2873 insert_compute_vloffsets(compiler_state_t *cstate, struct block *b)
2874 {
2875 struct slist *s;
2876
2877 /* There is an implicit dependency between the link
2878 * payload and link header since the payload computation
2879 * includes the variable part of the header. Therefore,
2880 * if nobody else has allocated a register for the link
2881 * header and we need it, do it now. */
2882 if (cstate->off_linkpl.reg != -1 && cstate->off_linkhdr.is_variable &&
2883 cstate->off_linkhdr.reg == -1)
2884 cstate->off_linkhdr.reg = alloc_reg(cstate);
2885
2886 /*
2887 * For link-layer types that have a variable-length header
2888 * preceding the link-layer header, generate code to load
2889 * the offset of the link-layer header into the register
2890 * assigned to that offset, if any.
2891 *
2892 * XXX - this, and the next switch statement, won't handle
2893 * encapsulation of 802.11 or 802.11+radio information in
2894 * some other protocol stack. That's significantly more
2895 * complicated.
2896 */
2897 switch (cstate->outermostlinktype) {
2898
2899 case DLT_PRISM_HEADER:
2900 s = gen_load_prism_llprefixlen(cstate);
2901 break;
2902
2903 case DLT_IEEE802_11_RADIO_AVS:
2904 s = gen_load_avs_llprefixlen(cstate);
2905 break;
2906
2907 case DLT_IEEE802_11_RADIO:
2908 s = gen_load_radiotap_llprefixlen(cstate);
2909 break;
2910
2911 case DLT_PPI:
2912 s = gen_load_ppi_llprefixlen(cstate);
2913 break;
2914
2915 default:
2916 s = NULL;
2917 break;
2918 }
2919
2920 /*
2921 * For link-layer types that have a variable-length link-layer
2922 * header, generate code to load the offset of the link-layer
2923 * payload into the register assigned to that offset, if any.
2924 */
2925 switch (cstate->outermostlinktype) {
2926
2927 case DLT_IEEE802_11:
2928 case DLT_PRISM_HEADER:
2929 case DLT_IEEE802_11_RADIO_AVS:
2930 case DLT_IEEE802_11_RADIO:
2931 case DLT_PPI:
2932 s = gen_load_802_11_header_len(cstate, s, b->stmts);
2933 break;
2934 }
2935
2936 /*
2937 * If there is no initialization yet and we need variable
2938 * length offsets for VLAN, initialize them to zero
2939 */
2940 if (s == NULL && cstate->is_vlan_vloffset) {
2941 struct slist *s2;
2942
2943 if (cstate->off_linkpl.reg == -1)
2944 cstate->off_linkpl.reg = alloc_reg(cstate);
2945 if (cstate->off_linktype.reg == -1)
2946 cstate->off_linktype.reg = alloc_reg(cstate);
2947
2948 s = new_stmt(cstate, BPF_LD|BPF_W|BPF_IMM);
2949 s->s.k = 0;
2950 s2 = new_stmt(cstate, BPF_ST);
2951 s2->s.k = cstate->off_linkpl.reg;
2952 sappend(s, s2);
2953 s2 = new_stmt(cstate, BPF_ST);
2954 s2->s.k = cstate->off_linktype.reg;
2955 sappend(s, s2);
2956 }
2957
2958 /*
2959 * If we have any offset-loading code, append all the
2960 * existing statements in the block to those statements,
2961 * and make the resulting list the list of statements
2962 * for the block.
2963 */
2964 if (s != NULL) {
2965 sappend(s, b->stmts);
2966 b->stmts = s;
2967 }
2968 }
2969
2970 static struct block *
2971 gen_ppi_dlt_check(compiler_state_t *cstate)
2972 {
2973 struct slist *s_load_dlt;
2974 struct block *b;
2975
2976 if (cstate->linktype == DLT_PPI)
2977 {
2978 /* Create the statements that check for the DLT
2979 */
2980 s_load_dlt = new_stmt(cstate, BPF_LD|BPF_W|BPF_ABS);
2981 s_load_dlt->s.k = 4;
2982
2983 b = new_block(cstate, JMP(BPF_JEQ));
2984
2985 b->stmts = s_load_dlt;
2986 b->s.k = SWAPLONG(DLT_IEEE802_11);
2987 }
2988 else
2989 {
2990 b = NULL;
2991 }
2992
2993 return b;
2994 }
2995
2996 /*
2997 * Take an absolute offset, and:
2998 *
2999 * if it has no variable part, return NULL;
3000 *
3001 * if it has a variable part, generate code to load the register
3002 * containing that variable part into the X register, returning
3003 * a pointer to that code - if no register for that offset has
3004 * been allocated, allocate it first.
3005 *
3006 * (The code to set that register will be generated later, but will
3007 * be placed earlier in the code sequence.)
3008 */
3009 static struct slist *
3010 gen_abs_offset_varpart(compiler_state_t *cstate, bpf_abs_offset *off)
3011 {
3012 struct slist *s;
3013
3014 if (off->is_variable) {
3015 if (off->reg == -1) {
3016 /*
3017 * We haven't yet assigned a register for the
3018 * variable part of the offset of the link-layer
3019 * header; allocate one.
3020 */
3021 off->reg = alloc_reg(cstate);
3022 }
3023
3024 /*
3025 * Load the register containing the variable part of the
3026 * offset of the link-layer header into the X register.
3027 */
3028 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
3029 s->s.k = off->reg;
3030 return s;
3031 } else {
3032 /*
3033 * That offset isn't variable, there's no variable part,
3034 * so we don't need to generate any code.
3035 */
3036 return NULL;
3037 }
3038 }
3039
3040 /*
3041 * Map an Ethernet type to the equivalent PPP type.
3042 */
3043 static bpf_u_int32
3044 ethertype_to_ppptype(bpf_u_int32 ll_proto)
3045 {
3046 switch (ll_proto) {
3047
3048 case ETHERTYPE_IP:
3049 ll_proto = PPP_IP;
3050 break;
3051
3052 case ETHERTYPE_IPV6:
3053 ll_proto = PPP_IPV6;
3054 break;
3055
3056 case ETHERTYPE_DN:
3057 ll_proto = PPP_DECNET;
3058 break;
3059
3060 case ETHERTYPE_ATALK:
3061 ll_proto = PPP_APPLE;
3062 break;
3063
3064 case ETHERTYPE_NS:
3065 ll_proto = PPP_NS;
3066 break;
3067
3068 case LLCSAP_ISONS:
3069 ll_proto = PPP_OSI;
3070 break;
3071
3072 case LLCSAP_8021D:
3073 /*
3074 * I'm assuming the "Bridging PDU"s that go
3075 * over PPP are Spanning Tree Protocol
3076 * Bridging PDUs.
3077 */
3078 ll_proto = PPP_BRPDU;
3079 break;
3080
3081 case LLCSAP_IPX:
3082 ll_proto = PPP_IPX;
3083 break;
3084 }
3085 return (ll_proto);
3086 }
3087
3088 /*
3089 * Generate any tests that, for encapsulation of a link-layer packet
3090 * inside another protocol stack, need to be done to check for those
3091 * link-layer packets (and that haven't already been done by a check
3092 * for that encapsulation).
3093 */
3094 static struct block *
3095 gen_prevlinkhdr_check(compiler_state_t *cstate)
3096 {
3097 struct block *b0;
3098
3099 if (cstate->is_geneve)
3100 return gen_geneve_ll_check(cstate);
3101
3102 switch (cstate->prevlinktype) {
3103
3104 case DLT_SUNATM:
3105 /*
3106 * This is LANE-encapsulated Ethernet; check that the LANE
3107 * packet doesn't begin with an LE Control marker, i.e.
3108 * that it's data, not a control message.
3109 *
3110 * (We've already generated a test for LANE.)
3111 */
3112 b0 = gen_cmp(cstate, OR_PREVLINKHDR, SUNATM_PKT_BEGIN_POS, BPF_H, 0xFF00);
3113 gen_not(b0);
3114 return b0;
3115
3116 default:
3117 /*
3118 * No such tests are necessary.
3119 */
3120 return NULL;
3121 }
3122 /*NOTREACHED*/
3123 }
3124
3125 /*
3126 * The three different values we should check for when checking for an
3127 * IPv6 packet with DLT_NULL.
3128 */
3129 #define BSD_AFNUM_INET6_BSD 24 /* NetBSD, OpenBSD, BSD/OS, Npcap */
3130 #define BSD_AFNUM_INET6_FREEBSD 28 /* FreeBSD */
3131 #define BSD_AFNUM_INET6_DARWIN 30 /* macOS, iOS, other Darwin-based OSes */
3132
3133 /*
3134 * Generate code to match a particular packet type by matching the
3135 * link-layer type field or fields in the 802.2 LLC header.
3136 *
3137 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3138 * value, if <= ETHERMTU.
3139 */
3140 static struct block *
3141 gen_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
3142 {
3143 struct block *b0, *b1, *b2;
3144 const char *description;
3145
3146 /* are we checking MPLS-encapsulated packets? */
3147 if (cstate->label_stack_depth > 0)
3148 return gen_mpls_linktype(cstate, ll_proto);
3149
3150 switch (cstate->linktype) {
3151
3152 case DLT_EN10MB:
3153 case DLT_NETANALYZER:
3154 case DLT_NETANALYZER_TRANSPARENT:
3155 /* Geneve has an EtherType regardless of whether there is an
3156 * L2 header. */
3157 if (!cstate->is_geneve)
3158 b0 = gen_prevlinkhdr_check(cstate);
3159 else
3160 b0 = NULL;
3161
3162 b1 = gen_ether_linktype(cstate, ll_proto);
3163 if (b0 != NULL)
3164 gen_and(b0, b1);
3165 return b1;
3166 /*NOTREACHED*/
3167
3168 case DLT_C_HDLC:
3169 switch (ll_proto) {
3170
3171 case LLCSAP_ISONS:
3172 ll_proto = (ll_proto << 8 | LLCSAP_ISONS);
3173 /* fall through */
3174
3175 default:
3176 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3177 /*NOTREACHED*/
3178 }
3179
3180 case DLT_IEEE802_11:
3181 case DLT_PRISM_HEADER:
3182 case DLT_IEEE802_11_RADIO_AVS:
3183 case DLT_IEEE802_11_RADIO:
3184 case DLT_PPI:
3185 /*
3186 * Check that we have a data frame.
3187 */
3188 b0 = gen_check_802_11_data_frame(cstate);
3189
3190 /*
3191 * Now check for the specified link-layer type.
3192 */
3193 b1 = gen_llc_linktype(cstate, ll_proto);
3194 gen_and(b0, b1);
3195 return b1;
3196 /*NOTREACHED*/
3197
3198 case DLT_FDDI:
3199 /*
3200 * XXX - check for LLC frames.
3201 */
3202 return gen_llc_linktype(cstate, ll_proto);
3203 /*NOTREACHED*/
3204
3205 case DLT_IEEE802:
3206 /*
3207 * XXX - check for LLC PDUs, as per IEEE 802.5.
3208 */
3209 return gen_llc_linktype(cstate, ll_proto);
3210 /*NOTREACHED*/
3211
3212 case DLT_ATM_RFC1483:
3213 case DLT_ATM_CLIP:
3214 case DLT_IP_OVER_FC:
3215 return gen_llc_linktype(cstate, ll_proto);
3216 /*NOTREACHED*/
3217
3218 case DLT_SUNATM:
3219 /*
3220 * Check for an LLC-encapsulated version of this protocol;
3221 * if we were checking for LANE, linktype would no longer
3222 * be DLT_SUNATM.
3223 *
3224 * Check for LLC encapsulation and then check the protocol.
3225 */
3226 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
3227 b1 = gen_llc_linktype(cstate, ll_proto);
3228 gen_and(b0, b1);
3229 return b1;
3230 /*NOTREACHED*/
3231
3232 case DLT_LINUX_SLL:
3233 return gen_linux_sll_linktype(cstate, ll_proto);
3234 /*NOTREACHED*/
3235
3236 case DLT_SLIP:
3237 case DLT_SLIP_BSDOS:
3238 case DLT_RAW:
3239 /*
3240 * These types don't provide any type field; packets
3241 * are always IPv4 or IPv6.
3242 *
3243 * XXX - for IPv4, check for a version number of 4, and,
3244 * for IPv6, check for a version number of 6?
3245 */
3246 switch (ll_proto) {
3247
3248 case ETHERTYPE_IP:
3249 /* Check for a version number of 4. */
3250 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x40, 0xF0);
3251
3252 case ETHERTYPE_IPV6:
3253 /* Check for a version number of 6. */
3254 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, 0x60, 0xF0);
3255
3256 default:
3257 return gen_false(cstate); /* always false */
3258 }
3259 /*NOTREACHED*/
3260
3261 case DLT_IPV4:
3262 /*
3263 * Raw IPv4, so no type field.
3264 */
3265 if (ll_proto == ETHERTYPE_IP)
3266 return gen_true(cstate); /* always true */
3267
3268 /* Checking for something other than IPv4; always false */
3269 return gen_false(cstate);
3270 /*NOTREACHED*/
3271
3272 case DLT_IPV6:
3273 /*
3274 * Raw IPv6, so no type field.
3275 */
3276 if (ll_proto == ETHERTYPE_IPV6)
3277 return gen_true(cstate); /* always true */
3278
3279 /* Checking for something other than IPv6; always false */
3280 return gen_false(cstate);
3281 /*NOTREACHED*/
3282
3283 case DLT_PPP:
3284 case DLT_PPP_PPPD:
3285 case DLT_PPP_SERIAL:
3286 case DLT_PPP_ETHER:
3287 /*
3288 * We use Ethernet protocol types inside libpcap;
3289 * map them to the corresponding PPP protocol types.
3290 */
3291 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3292 ethertype_to_ppptype(ll_proto));
3293 /*NOTREACHED*/
3294
3295 case DLT_PPP_BSDOS:
3296 /*
3297 * We use Ethernet protocol types inside libpcap;
3298 * map them to the corresponding PPP protocol types.
3299 */
3300 switch (ll_proto) {
3301
3302 case ETHERTYPE_IP:
3303 /*
3304 * Also check for Van Jacobson-compressed IP.
3305 * XXX - do this for other forms of PPP?
3306 */
3307 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_IP);
3308 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJC);
3309 gen_or(b0, b1);
3310 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, PPP_VJNC);
3311 gen_or(b1, b0);
3312 return b0;
3313
3314 default:
3315 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H,
3316 ethertype_to_ppptype(ll_proto));
3317 }
3318 /*NOTREACHED*/
3319
3320 case DLT_NULL:
3321 case DLT_LOOP:
3322 case DLT_ENC:
3323 switch (ll_proto) {
3324
3325 case ETHERTYPE_IP:
3326 return (gen_loopback_linktype(cstate, AF_INET));
3327
3328 case ETHERTYPE_IPV6:
3329 /*
3330 * AF_ values may, unfortunately, be platform-
3331 * dependent; AF_INET isn't, because everybody
3332 * used 4.2BSD's value, but AF_INET6 is, because
3333 * 4.2BSD didn't have a value for it (given that
3334 * IPv6 didn't exist back in the early 1980's),
3335 * and they all picked their own values.
3336 *
3337 * This means that, if we're reading from a
3338 * savefile, we need to check for all the
3339 * possible values.
3340 *
3341 * If we're doing a live capture, we only need
3342 * to check for this platform's value; however,
3343 * Npcap uses 24, which isn't Windows's AF_INET6
3344 * value. (Given the multiple different values,
3345 * programs that read pcap files shouldn't be
3346 * checking for their platform's AF_INET6 value
3347 * anyway, they should check for all of the
3348 * possible values. and they might as well do
3349 * that even for live captures.)
3350 */
3351 if (cstate->bpf_pcap->rfile != NULL) {
3352 /*
3353 * Savefile - check for all three
3354 * possible IPv6 values.
3355 */
3356 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_BSD);
3357 b1 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_FREEBSD);
3358 gen_or(b0, b1);
3359 b0 = gen_loopback_linktype(cstate, BSD_AFNUM_INET6_DARWIN);
3360 gen_or(b0, b1);
3361 return (b1);
3362 } else {
3363 /*
3364 * Live capture, so we only need to
3365 * check for the value used on this
3366 * platform.
3367 */
3368 #ifdef _WIN32
3369 /*
3370 * Npcap doesn't use Windows's AF_INET6,
3371 * as that collides with AF_IPX on
3372 * some BSDs (both have the value 23).
3373 * Instead, it uses 24.
3374 */
3375 return (gen_loopback_linktype(cstate, 24));
3376 #else /* _WIN32 */
3377 #ifdef AF_INET6
3378 return (gen_loopback_linktype(cstate, AF_INET6));
3379 #else /* AF_INET6 */
3380 /*
3381 * I guess this platform doesn't support
3382 * IPv6, so we just reject all packets.
3383 */
3384 return gen_false(cstate);
3385 #endif /* AF_INET6 */
3386 #endif /* _WIN32 */
3387 }
3388
3389 default:
3390 /*
3391 * Not a type on which we support filtering.
3392 * XXX - support those that have AF_ values
3393 * #defined on this platform, at least?
3394 */
3395 return gen_false(cstate);
3396 }
3397
3398 #ifdef HAVE_NET_PFVAR_H
3399 case DLT_PFLOG:
3400 /*
3401 * af field is host byte order in contrast to the rest of
3402 * the packet.
3403 */
3404 if (ll_proto == ETHERTYPE_IP)
3405 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3406 BPF_B, AF_INET));
3407 else if (ll_proto == ETHERTYPE_IPV6)
3408 return (gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, af),
3409 BPF_B, AF_INET6));
3410 else
3411 return gen_false(cstate);
3412 /*NOTREACHED*/
3413 #endif /* HAVE_NET_PFVAR_H */
3414
3415 case DLT_ARCNET:
3416 case DLT_ARCNET_LINUX:
3417 /*
3418 * XXX should we check for first fragment if the protocol
3419 * uses PHDS?
3420 */
3421 switch (ll_proto) {
3422
3423 default:
3424 return gen_false(cstate);
3425
3426 case ETHERTYPE_IPV6:
3427 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3428 ARCTYPE_INET6));
3429
3430 case ETHERTYPE_IP:
3431 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3432 ARCTYPE_IP);
3433 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3434 ARCTYPE_IP_OLD);
3435 gen_or(b0, b1);
3436 return (b1);
3437
3438 case ETHERTYPE_ARP:
3439 b0 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3440 ARCTYPE_ARP);
3441 b1 = gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3442 ARCTYPE_ARP_OLD);
3443 gen_or(b0, b1);
3444 return (b1);
3445
3446 case ETHERTYPE_REVARP:
3447 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3448 ARCTYPE_REVARP));
3449
3450 case ETHERTYPE_ATALK:
3451 return (gen_cmp(cstate, OR_LINKTYPE, 0, BPF_B,
3452 ARCTYPE_ATALK));
3453 }
3454 /*NOTREACHED*/
3455
3456 case DLT_LTALK:
3457 switch (ll_proto) {
3458 case ETHERTYPE_ATALK:
3459 return gen_true(cstate);
3460 default:
3461 return gen_false(cstate);
3462 }
3463 /*NOTREACHED*/
3464
3465 case DLT_FRELAY:
3466 /*
3467 * XXX - assumes a 2-byte Frame Relay header with
3468 * DLCI and flags. What if the address is longer?
3469 */
3470 switch (ll_proto) {
3471
3472 case ETHERTYPE_IP:
3473 /*
3474 * Check for the special NLPID for IP.
3475 */
3476 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0xcc);
3477
3478 case ETHERTYPE_IPV6:
3479 /*
3480 * Check for the special NLPID for IPv6.
3481 */
3482 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | 0x8e);
3483
3484 case LLCSAP_ISONS:
3485 /*
3486 * Check for several OSI protocols.
3487 *
3488 * Frame Relay packets typically have an OSI
3489 * NLPID at the beginning; we check for each
3490 * of them.
3491 *
3492 * What we check for is the NLPID and a frame
3493 * control field of UI, i.e. 0x03 followed
3494 * by the NLPID.
3495 */
3496 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO8473_CLNP);
3497 b1 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO9542_ESIS);
3498 b2 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | ISO10589_ISIS);
3499 gen_or(b1, b2);
3500 gen_or(b0, b2);
3501 return b2;
3502
3503 default:
3504 return gen_false(cstate);
3505 }
3506 /*NOTREACHED*/
3507
3508 case DLT_MFR:
3509 bpf_error(cstate, "Multi-link Frame Relay link-layer type filtering not implemented");
3510
3511 case DLT_JUNIPER_MFR:
3512 case DLT_JUNIPER_MLFR:
3513 case DLT_JUNIPER_MLPPP:
3514 case DLT_JUNIPER_ATM1:
3515 case DLT_JUNIPER_ATM2:
3516 case DLT_JUNIPER_PPPOE:
3517 case DLT_JUNIPER_PPPOE_ATM:
3518 case DLT_JUNIPER_GGSN:
3519 case DLT_JUNIPER_ES:
3520 case DLT_JUNIPER_MONITOR:
3521 case DLT_JUNIPER_SERVICES:
3522 case DLT_JUNIPER_ETHER:
3523 case DLT_JUNIPER_PPP:
3524 case DLT_JUNIPER_FRELAY:
3525 case DLT_JUNIPER_CHDLC:
3526 case DLT_JUNIPER_VP:
3527 case DLT_JUNIPER_ST:
3528 case DLT_JUNIPER_ISM:
3529 case DLT_JUNIPER_VS:
3530 case DLT_JUNIPER_SRX_E2E:
3531 case DLT_JUNIPER_FIBRECHANNEL:
3532 case DLT_JUNIPER_ATM_CEMIC:
3533
3534 /* just lets verify the magic number for now -
3535 * on ATM we may have up to 6 different encapsulations on the wire
3536 * and need a lot of heuristics to figure out that the payload
3537 * might be;
3538 *
3539 * FIXME encapsulation specific BPF_ filters
3540 */
3541 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x4d474300, 0xffffff00); /* compare the magic number */
3542
3543 case DLT_BACNET_MS_TP:
3544 return gen_mcmp(cstate, OR_LINKHDR, 0, BPF_W, 0x55FF0000, 0xffff0000);
3545
3546 case DLT_IPNET:
3547 return gen_ipnet_linktype(cstate, ll_proto);
3548
3549 case DLT_LINUX_IRDA:
3550 bpf_error(cstate, "IrDA link-layer type filtering not implemented");
3551
3552 case DLT_DOCSIS:
3553 bpf_error(cstate, "DOCSIS link-layer type filtering not implemented");
3554
3555 case DLT_MTP2:
3556 case DLT_MTP2_WITH_PHDR:
3557 bpf_error(cstate, "MTP2 link-layer type filtering not implemented");
3558
3559 case DLT_ERF:
3560 bpf_error(cstate, "ERF link-layer type filtering not implemented");
3561
3562 case DLT_PFSYNC:
3563 bpf_error(cstate, "PFSYNC link-layer type filtering not implemented");
3564
3565 case DLT_LINUX_LAPD:
3566 bpf_error(cstate, "LAPD link-layer type filtering not implemented");
3567
3568 case DLT_USB_FREEBSD:
3569 case DLT_USB_LINUX:
3570 case DLT_USB_LINUX_MMAPPED:
3571 case DLT_USBPCAP:
3572 bpf_error(cstate, "USB link-layer type filtering not implemented");
3573
3574 case DLT_BLUETOOTH_HCI_H4:
3575 case DLT_BLUETOOTH_HCI_H4_WITH_PHDR:
3576 bpf_error(cstate, "Bluetooth link-layer type filtering not implemented");
3577
3578 case DLT_CAN20B:
3579 case DLT_CAN_SOCKETCAN:
3580 bpf_error(cstate, "CAN link-layer type filtering not implemented");
3581
3582 case DLT_IEEE802_15_4:
3583 case DLT_IEEE802_15_4_LINUX:
3584 case DLT_IEEE802_15_4_NONASK_PHY:
3585 case DLT_IEEE802_15_4_NOFCS:
3586 case DLT_IEEE802_15_4_TAP:
3587 bpf_error(cstate, "IEEE 802.15.4 link-layer type filtering not implemented");
3588
3589 case DLT_IEEE802_16_MAC_CPS_RADIO:
3590 bpf_error(cstate, "IEEE 802.16 link-layer type filtering not implemented");
3591
3592 case DLT_SITA:
3593 bpf_error(cstate, "SITA link-layer type filtering not implemented");
3594
3595 case DLT_RAIF1:
3596 bpf_error(cstate, "RAIF1 link-layer type filtering not implemented");
3597
3598 case DLT_IPMB_KONTRON:
3599 case DLT_IPMB_LINUX:
3600 bpf_error(cstate, "IPMB link-layer type filtering not implemented");
3601
3602 case DLT_AX25_KISS:
3603 bpf_error(cstate, "AX.25 link-layer type filtering not implemented");
3604
3605 case DLT_NFLOG:
3606 /* Using the fixed-size NFLOG header it is possible to tell only
3607 * the address family of the packet, other meaningful data is
3608 * either missing or behind TLVs.
3609 */
3610 bpf_error(cstate, "NFLOG link-layer type filtering not implemented");
3611
3612 default:
3613 /*
3614 * Does this link-layer header type have a field
3615 * indicating the type of the next protocol? If
3616 * so, off_linktype.constant_part will be the offset of that
3617 * field in the packet; if not, it will be OFFSET_NOT_SET.
3618 */
3619 if (cstate->off_linktype.constant_part != OFFSET_NOT_SET) {
3620 /*
3621 * Yes; assume it's an Ethernet type. (If
3622 * it's not, it needs to be handled specially
3623 * above.)
3624 */
3625 return gen_cmp(cstate, OR_LINKTYPE, 0, BPF_H, ll_proto);
3626 /*NOTREACHED */
3627 } else {
3628 /*
3629 * No; report an error.
3630 */
3631 description = pcap_datalink_val_to_description_or_dlt(cstate->linktype);
3632 bpf_error(cstate, "%s link-layer type filtering not implemented",
3633 description);
3634 /*NOTREACHED */
3635 }
3636 }
3637 }
3638
3639 /*
3640 * Check for an LLC SNAP packet with a given organization code and
3641 * protocol type; we check the entire contents of the 802.2 LLC and
3642 * snap headers, checking for DSAP and SSAP of SNAP and a control
3643 * field of 0x03 in the LLC header, and for the specified organization
3644 * code and protocol type in the SNAP header.
3645 */
3646 static struct block *
3647 gen_snap(compiler_state_t *cstate, bpf_u_int32 orgcode, bpf_u_int32 ptype)
3648 {
3649 u_char snapblock[8];
3650
3651 snapblock[0] = LLCSAP_SNAP; /* DSAP = SNAP */
3652 snapblock[1] = LLCSAP_SNAP; /* SSAP = SNAP */
3653 snapblock[2] = 0x03; /* control = UI */
3654 snapblock[3] = (u_char)(orgcode >> 16); /* upper 8 bits of organization code */
3655 snapblock[4] = (u_char)(orgcode >> 8); /* middle 8 bits of organization code */
3656 snapblock[5] = (u_char)(orgcode >> 0); /* lower 8 bits of organization code */
3657 snapblock[6] = (u_char)(ptype >> 8); /* upper 8 bits of protocol type */
3658 snapblock[7] = (u_char)(ptype >> 0); /* lower 8 bits of protocol type */
3659 return gen_bcmp(cstate, OR_LLC, 0, 8, snapblock);
3660 }
3661
3662 /*
3663 * Generate code to match frames with an LLC header.
3664 */
3665 static struct block *
3666 gen_llc_internal(compiler_state_t *cstate)
3667 {
3668 struct block *b0, *b1;
3669
3670 switch (cstate->linktype) {
3671
3672 case DLT_EN10MB:
3673 /*
3674 * We check for an Ethernet type field less than
3675 * 1500, which means it's an 802.3 length field.
3676 */
3677 b0 = gen_cmp_gt(cstate, OR_LINKTYPE, 0, BPF_H, ETHERMTU);
3678 gen_not(b0);
3679
3680 /*
3681 * Now check for the purported DSAP and SSAP not being
3682 * 0xFF, to rule out NetWare-over-802.3.
3683 */
3684 b1 = gen_cmp(cstate, OR_LLC, 0, BPF_H, 0xFFFF);
3685 gen_not(b1);
3686 gen_and(b0, b1);
3687 return b1;
3688
3689 case DLT_SUNATM:
3690 /*
3691 * We check for LLC traffic.
3692 */
3693 b0 = gen_atmtype_llc(cstate);
3694 return b0;
3695
3696 case DLT_IEEE802: /* Token Ring */
3697 /*
3698 * XXX - check for LLC frames.
3699 */
3700 return gen_true(cstate);
3701
3702 case DLT_FDDI:
3703 /*
3704 * XXX - check for LLC frames.
3705 */
3706 return gen_true(cstate);
3707
3708 case DLT_ATM_RFC1483:
3709 /*
3710 * For LLC encapsulation, these are defined to have an
3711 * 802.2 LLC header.
3712 *
3713 * For VC encapsulation, they don't, but there's no
3714 * way to check for that; the protocol used on the VC
3715 * is negotiated out of band.
3716 */
3717 return gen_true(cstate);
3718
3719 case DLT_IEEE802_11:
3720 case DLT_PRISM_HEADER:
3721 case DLT_IEEE802_11_RADIO:
3722 case DLT_IEEE802_11_RADIO_AVS:
3723 case DLT_PPI:
3724 /*
3725 * Check that we have a data frame.
3726 */
3727 b0 = gen_check_802_11_data_frame(cstate);
3728 return b0;
3729
3730 default:
3731 bpf_error(cstate, "'llc' not supported for %s",
3732 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
3733 /*NOTREACHED*/
3734 }
3735 }
3736
3737 struct block *
3738 gen_llc(compiler_state_t *cstate)
3739 {
3740 /*
3741 * Catch errors reported by us and routines below us, and return NULL
3742 * on an error.
3743 */
3744 if (setjmp(cstate->top_ctx))
3745 return (NULL);
3746
3747 return gen_llc_internal(cstate);
3748 }
3749
3750 struct block *
3751 gen_llc_i(compiler_state_t *cstate)
3752 {
3753 struct block *b0, *b1;
3754 struct slist *s;
3755
3756 /*
3757 * Catch errors reported by us and routines below us, and return NULL
3758 * on an error.
3759 */
3760 if (setjmp(cstate->top_ctx))
3761 return (NULL);
3762
3763 /*
3764 * Check whether this is an LLC frame.
3765 */
3766 b0 = gen_llc_internal(cstate);
3767
3768 /*
3769 * Load the control byte and test the low-order bit; it must
3770 * be clear for I frames.
3771 */
3772 s = gen_load_a(cstate, OR_LLC, 2, BPF_B);
3773 b1 = new_block(cstate, JMP(BPF_JSET));
3774 b1->s.k = 0x01;
3775 b1->stmts = s;
3776 gen_not(b1);
3777 gen_and(b0, b1);
3778 return b1;
3779 }
3780
3781 struct block *
3782 gen_llc_s(compiler_state_t *cstate)
3783 {
3784 struct block *b0, *b1;
3785
3786 /*
3787 * Catch errors reported by us and routines below us, and return NULL
3788 * on an error.
3789 */
3790 if (setjmp(cstate->top_ctx))
3791 return (NULL);
3792
3793 /*
3794 * Check whether this is an LLC frame.
3795 */
3796 b0 = gen_llc_internal(cstate);
3797
3798 /*
3799 * Now compare the low-order 2 bit of the control byte against
3800 * the appropriate value for S frames.
3801 */
3802 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_S_FMT, 0x03);
3803 gen_and(b0, b1);
3804 return b1;
3805 }
3806
3807 struct block *
3808 gen_llc_u(compiler_state_t *cstate)
3809 {
3810 struct block *b0, *b1;
3811
3812 /*
3813 * Catch errors reported by us and routines below us, and return NULL
3814 * on an error.
3815 */
3816 if (setjmp(cstate->top_ctx))
3817 return (NULL);
3818
3819 /*
3820 * Check whether this is an LLC frame.
3821 */
3822 b0 = gen_llc_internal(cstate);
3823
3824 /*
3825 * Now compare the low-order 2 bit of the control byte against
3826 * the appropriate value for U frames.
3827 */
3828 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, LLC_U_FMT, 0x03);
3829 gen_and(b0, b1);
3830 return b1;
3831 }
3832
3833 struct block *
3834 gen_llc_s_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3835 {
3836 struct block *b0, *b1;
3837
3838 /*
3839 * Catch errors reported by us and routines below us, and return NULL
3840 * on an error.
3841 */
3842 if (setjmp(cstate->top_ctx))
3843 return (NULL);
3844
3845 /*
3846 * Check whether this is an LLC frame.
3847 */
3848 b0 = gen_llc_internal(cstate);
3849
3850 /*
3851 * Now check for an S frame with the appropriate type.
3852 */
3853 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_S_CMD_MASK);
3854 gen_and(b0, b1);
3855 return b1;
3856 }
3857
3858 struct block *
3859 gen_llc_u_subtype(compiler_state_t *cstate, bpf_u_int32 subtype)
3860 {
3861 struct block *b0, *b1;
3862
3863 /*
3864 * Catch errors reported by us and routines below us, and return NULL
3865 * on an error.
3866 */
3867 if (setjmp(cstate->top_ctx))
3868 return (NULL);
3869
3870 /*
3871 * Check whether this is an LLC frame.
3872 */
3873 b0 = gen_llc_internal(cstate);
3874
3875 /*
3876 * Now check for a U frame with the appropriate type.
3877 */
3878 b1 = gen_mcmp(cstate, OR_LLC, 2, BPF_B, subtype, LLC_U_CMD_MASK);
3879 gen_and(b0, b1);
3880 return b1;
3881 }
3882
3883 /*
3884 * Generate code to match a particular packet type, for link-layer types
3885 * using 802.2 LLC headers.
3886 *
3887 * This is *NOT* used for Ethernet; "gen_ether_linktype()" is used
3888 * for that - it handles the D/I/X Ethernet vs. 802.3+802.2 issues.
3889 *
3890 * "proto" is an Ethernet type value, if > ETHERMTU, or an LLC SAP
3891 * value, if <= ETHERMTU. We use that to determine whether to
3892 * match the DSAP or both DSAP and LSAP or to check the OUI and
3893 * protocol ID in a SNAP header.
3894 */
3895 static struct block *
3896 gen_llc_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
3897 {
3898 /*
3899 * XXX - handle token-ring variable-length header.
3900 */
3901 switch (ll_proto) {
3902
3903 case LLCSAP_IP:
3904 case LLCSAP_ISONS:
3905 case LLCSAP_NETBEUI:
3906 /*
3907 * XXX - should we check both the DSAP and the
3908 * SSAP, like this, or should we check just the
3909 * DSAP, as we do for other SAP values?
3910 */
3911 return gen_cmp(cstate, OR_LLC, 0, BPF_H, (bpf_u_int32)
3912 ((ll_proto << 8) | ll_proto));
3913
3914 case LLCSAP_IPX:
3915 /*
3916 * XXX - are there ever SNAP frames for IPX on
3917 * non-Ethernet 802.x networks?
3918 */
3919 return gen_cmp(cstate, OR_LLC, 0, BPF_B, LLCSAP_IPX);
3920
3921 case ETHERTYPE_ATALK:
3922 /*
3923 * 802.2-encapsulated ETHERTYPE_ATALK packets are
3924 * SNAP packets with an organization code of
3925 * 0x080007 (Apple, for Appletalk) and a protocol
3926 * type of ETHERTYPE_ATALK (Appletalk).
3927 *
3928 * XXX - check for an organization code of
3929 * encapsulated Ethernet as well?
3930 */
3931 return gen_snap(cstate, 0x080007, ETHERTYPE_ATALK);
3932
3933 default:
3934 /*
3935 * XXX - we don't have to check for IPX 802.3
3936 * here, but should we check for the IPX Ethertype?
3937 */
3938 if (ll_proto <= ETHERMTU) {
3939 /*
3940 * This is an LLC SAP value, so check
3941 * the DSAP.
3942 */
3943 return gen_cmp(cstate, OR_LLC, 0, BPF_B, ll_proto);
3944 } else {
3945 /*
3946 * This is an Ethernet type; we assume that it's
3947 * unlikely that it'll appear in the right place
3948 * at random, and therefore check only the
3949 * location that would hold the Ethernet type
3950 * in a SNAP frame with an organization code of
3951 * 0x000000 (encapsulated Ethernet).
3952 *
3953 * XXX - if we were to check for the SNAP DSAP and
3954 * LSAP, as per XXX, and were also to check for an
3955 * organization code of 0x000000 (encapsulated
3956 * Ethernet), we'd do
3957 *
3958 * return gen_snap(cstate, 0x000000, ll_proto);
3959 *
3960 * here; for now, we don't, as per the above.
3961 * I don't know whether it's worth the extra CPU
3962 * time to do the right check or not.
3963 */
3964 return gen_cmp(cstate, OR_LLC, 6, BPF_H, ll_proto);
3965 }
3966 }
3967 }
3968
3969 static struct block *
3970 gen_hostop(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
3971 int dir, bpf_u_int32 ll_proto, u_int src_off, u_int dst_off)
3972 {
3973 struct block *b0, *b1;
3974 u_int offset;
3975
3976 switch (dir) {
3977
3978 case Q_SRC:
3979 offset = src_off;
3980 break;
3981
3982 case Q_DST:
3983 offset = dst_off;
3984 break;
3985
3986 case Q_AND:
3987 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
3988 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
3989 gen_and(b0, b1);
3990 return b1;
3991
3992 case Q_DEFAULT:
3993 case Q_OR:
3994 b0 = gen_hostop(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
3995 b1 = gen_hostop(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
3996 gen_or(b0, b1);
3997 return b1;
3998
3999 case Q_ADDR1:
4000 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4001 /*NOTREACHED*/
4002
4003 case Q_ADDR2:
4004 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4005 /*NOTREACHED*/
4006
4007 case Q_ADDR3:
4008 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4009 /*NOTREACHED*/
4010
4011 case Q_ADDR4:
4012 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4013 /*NOTREACHED*/
4014
4015 case Q_RA:
4016 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4017 /*NOTREACHED*/
4018
4019 case Q_TA:
4020 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4021 /*NOTREACHED*/
4022
4023 default:
4024 abort();
4025 /*NOTREACHED*/
4026 }
4027 b0 = gen_linktype(cstate, ll_proto);
4028 b1 = gen_mcmp(cstate, OR_LINKPL, offset, BPF_W, addr, mask);
4029 gen_and(b0, b1);
4030 return b1;
4031 }
4032
4033 #ifdef INET6
4034 static struct block *
4035 gen_hostop6(compiler_state_t *cstate, struct in6_addr *addr,
4036 struct in6_addr *mask, int dir, bpf_u_int32 ll_proto, u_int src_off,
4037 u_int dst_off)
4038 {
4039 struct block *b0, *b1;
4040 u_int offset;
4041 uint32_t *a, *m;
4042
4043 switch (dir) {
4044
4045 case Q_SRC:
4046 offset = src_off;
4047 break;
4048
4049 case Q_DST:
4050 offset = dst_off;
4051 break;
4052
4053 case Q_AND:
4054 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4055 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4056 gen_and(b0, b1);
4057 return b1;
4058
4059 case Q_DEFAULT:
4060 case Q_OR:
4061 b0 = gen_hostop6(cstate, addr, mask, Q_SRC, ll_proto, src_off, dst_off);
4062 b1 = gen_hostop6(cstate, addr, mask, Q_DST, ll_proto, src_off, dst_off);
4063 gen_or(b0, b1);
4064 return b1;
4065
4066 case Q_ADDR1:
4067 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4068 /*NOTREACHED*/
4069
4070 case Q_ADDR2:
4071 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4072 /*NOTREACHED*/
4073
4074 case Q_ADDR3:
4075 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4076 /*NOTREACHED*/
4077
4078 case Q_ADDR4:
4079 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4080 /*NOTREACHED*/
4081
4082 case Q_RA:
4083 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4084 /*NOTREACHED*/
4085
4086 case Q_TA:
4087 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4088 /*NOTREACHED*/
4089
4090 default:
4091 abort();
4092 /*NOTREACHED*/
4093 }
4094 /* this order is important */
4095 a = (uint32_t *)addr;
4096 m = (uint32_t *)mask;
4097 b1 = gen_mcmp(cstate, OR_LINKPL, offset + 12, BPF_W, ntohl(a[3]), ntohl(m[3]));
4098 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 8, BPF_W, ntohl(a[2]), ntohl(m[2]));
4099 gen_and(b0, b1);
4100 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 4, BPF_W, ntohl(a[1]), ntohl(m[1]));
4101 gen_and(b0, b1);
4102 b0 = gen_mcmp(cstate, OR_LINKPL, offset + 0, BPF_W, ntohl(a[0]), ntohl(m[0]));
4103 gen_and(b0, b1);
4104 b0 = gen_linktype(cstate, ll_proto);
4105 gen_and(b0, b1);
4106 return b1;
4107 }
4108 #endif
4109
4110 static struct block *
4111 gen_ehostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4112 {
4113 register struct block *b0, *b1;
4114
4115 switch (dir) {
4116 case Q_SRC:
4117 return gen_bcmp(cstate, OR_LINKHDR, 6, 6, eaddr);
4118
4119 case Q_DST:
4120 return gen_bcmp(cstate, OR_LINKHDR, 0, 6, eaddr);
4121
4122 case Q_AND:
4123 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4124 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4125 gen_and(b0, b1);
4126 return b1;
4127
4128 case Q_DEFAULT:
4129 case Q_OR:
4130 b0 = gen_ehostop(cstate, eaddr, Q_SRC);
4131 b1 = gen_ehostop(cstate, eaddr, Q_DST);
4132 gen_or(b0, b1);
4133 return b1;
4134
4135 case Q_ADDR1:
4136 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11 with 802.11 headers");
4137 /*NOTREACHED*/
4138
4139 case Q_ADDR2:
4140 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11 with 802.11 headers");
4141 /*NOTREACHED*/
4142
4143 case Q_ADDR3:
4144 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11 with 802.11 headers");
4145 /*NOTREACHED*/
4146
4147 case Q_ADDR4:
4148 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11 with 802.11 headers");
4149 /*NOTREACHED*/
4150
4151 case Q_RA:
4152 bpf_error(cstate, "'ra' is only supported on 802.11 with 802.11 headers");
4153 /*NOTREACHED*/
4154
4155 case Q_TA:
4156 bpf_error(cstate, "'ta' is only supported on 802.11 with 802.11 headers");
4157 /*NOTREACHED*/
4158 }
4159 abort();
4160 /*NOTREACHED*/
4161 }
4162
4163 /*
4164 * Like gen_ehostop, but for DLT_FDDI
4165 */
4166 static struct block *
4167 gen_fhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4168 {
4169 struct block *b0, *b1;
4170
4171 switch (dir) {
4172 case Q_SRC:
4173 return gen_bcmp(cstate, OR_LINKHDR, 6 + 1 + cstate->pcap_fddipad, 6, eaddr);
4174
4175 case Q_DST:
4176 return gen_bcmp(cstate, OR_LINKHDR, 0 + 1 + cstate->pcap_fddipad, 6, eaddr);
4177
4178 case Q_AND:
4179 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4180 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4181 gen_and(b0, b1);
4182 return b1;
4183
4184 case Q_DEFAULT:
4185 case Q_OR:
4186 b0 = gen_fhostop(cstate, eaddr, Q_SRC);
4187 b1 = gen_fhostop(cstate, eaddr, Q_DST);
4188 gen_or(b0, b1);
4189 return b1;
4190
4191 case Q_ADDR1:
4192 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4193 /*NOTREACHED*/
4194
4195 case Q_ADDR2:
4196 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4197 /*NOTREACHED*/
4198
4199 case Q_ADDR3:
4200 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4201 /*NOTREACHED*/
4202
4203 case Q_ADDR4:
4204 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4205 /*NOTREACHED*/
4206
4207 case Q_RA:
4208 bpf_error(cstate, "'ra' is only supported on 802.11");
4209 /*NOTREACHED*/
4210
4211 case Q_TA:
4212 bpf_error(cstate, "'ta' is only supported on 802.11");
4213 /*NOTREACHED*/
4214 }
4215 abort();
4216 /*NOTREACHED*/
4217 }
4218
4219 /*
4220 * Like gen_ehostop, but for DLT_IEEE802 (Token Ring)
4221 */
4222 static struct block *
4223 gen_thostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4224 {
4225 register struct block *b0, *b1;
4226
4227 switch (dir) {
4228 case Q_SRC:
4229 return gen_bcmp(cstate, OR_LINKHDR, 8, 6, eaddr);
4230
4231 case Q_DST:
4232 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4233
4234 case Q_AND:
4235 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4236 b1 = gen_thostop(cstate, eaddr, Q_DST);
4237 gen_and(b0, b1);
4238 return b1;
4239
4240 case Q_DEFAULT:
4241 case Q_OR:
4242 b0 = gen_thostop(cstate, eaddr, Q_SRC);
4243 b1 = gen_thostop(cstate, eaddr, Q_DST);
4244 gen_or(b0, b1);
4245 return b1;
4246
4247 case Q_ADDR1:
4248 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4249 /*NOTREACHED*/
4250
4251 case Q_ADDR2:
4252 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4253 /*NOTREACHED*/
4254
4255 case Q_ADDR3:
4256 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4257 /*NOTREACHED*/
4258
4259 case Q_ADDR4:
4260 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4261 /*NOTREACHED*/
4262
4263 case Q_RA:
4264 bpf_error(cstate, "'ra' is only supported on 802.11");
4265 /*NOTREACHED*/
4266
4267 case Q_TA:
4268 bpf_error(cstate, "'ta' is only supported on 802.11");
4269 /*NOTREACHED*/
4270 }
4271 abort();
4272 /*NOTREACHED*/
4273 }
4274
4275 /*
4276 * Like gen_ehostop, but for DLT_IEEE802_11 (802.11 wireless LAN) and
4277 * various 802.11 + radio headers.
4278 */
4279 static struct block *
4280 gen_wlanhostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4281 {
4282 register struct block *b0, *b1, *b2;
4283 register struct slist *s;
4284
4285 #ifdef ENABLE_WLAN_FILTERING_PATCH
4286 /*
4287 * TODO GV 20070613
4288 * We need to disable the optimizer because the optimizer is buggy
4289 * and wipes out some LD instructions generated by the below
4290 * code to validate the Frame Control bits
4291 */
4292 cstate->no_optimize = 1;
4293 #endif /* ENABLE_WLAN_FILTERING_PATCH */
4294
4295 switch (dir) {
4296 case Q_SRC:
4297 /*
4298 * Oh, yuk.
4299 *
4300 * For control frames, there is no SA.
4301 *
4302 * For management frames, SA is at an
4303 * offset of 10 from the beginning of
4304 * the packet.
4305 *
4306 * For data frames, SA is at an offset
4307 * of 10 from the beginning of the packet
4308 * if From DS is clear, at an offset of
4309 * 16 from the beginning of the packet
4310 * if From DS is set and To DS is clear,
4311 * and an offset of 24 from the beginning
4312 * of the packet if From DS is set and To DS
4313 * is set.
4314 */
4315
4316 /*
4317 * Generate the tests to be done for data frames
4318 * with From DS set.
4319 *
4320 * First, check for To DS set, i.e. check "link[1] & 0x01".
4321 */
4322 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4323 b1 = new_block(cstate, JMP(BPF_JSET));
4324 b1->s.k = 0x01; /* To DS */
4325 b1->stmts = s;
4326
4327 /*
4328 * If To DS is set, the SA is at 24.
4329 */
4330 b0 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4331 gen_and(b1, b0);
4332
4333 /*
4334 * Now, check for To DS not set, i.e. check
4335 * "!(link[1] & 0x01)".
4336 */
4337 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4338 b2 = new_block(cstate, JMP(BPF_JSET));
4339 b2->s.k = 0x01; /* To DS */
4340 b2->stmts = s;
4341 gen_not(b2);
4342
4343 /*
4344 * If To DS is not set, the SA is at 16.
4345 */
4346 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4347 gen_and(b2, b1);
4348
4349 /*
4350 * Now OR together the last two checks. That gives
4351 * the complete set of checks for data frames with
4352 * From DS set.
4353 */
4354 gen_or(b1, b0);
4355
4356 /*
4357 * Now check for From DS being set, and AND that with
4358 * the ORed-together checks.
4359 */
4360 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4361 b1 = new_block(cstate, JMP(BPF_JSET));
4362 b1->s.k = 0x02; /* From DS */
4363 b1->stmts = s;
4364 gen_and(b1, b0);
4365
4366 /*
4367 * Now check for data frames with From DS not set.
4368 */
4369 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4370 b2 = new_block(cstate, JMP(BPF_JSET));
4371 b2->s.k = 0x02; /* From DS */
4372 b2->stmts = s;
4373 gen_not(b2);
4374
4375 /*
4376 * If From DS isn't set, the SA is at 10.
4377 */
4378 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4379 gen_and(b2, b1);
4380
4381 /*
4382 * Now OR together the checks for data frames with
4383 * From DS not set and for data frames with From DS
4384 * set; that gives the checks done for data frames.
4385 */
4386 gen_or(b1, b0);
4387
4388 /*
4389 * Now check for a data frame.
4390 * I.e, check "link[0] & 0x08".
4391 */
4392 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4393 b1 = new_block(cstate, JMP(BPF_JSET));
4394 b1->s.k = 0x08;
4395 b1->stmts = s;
4396
4397 /*
4398 * AND that with the checks done for data frames.
4399 */
4400 gen_and(b1, b0);
4401
4402 /*
4403 * If the high-order bit of the type value is 0, this
4404 * is a management frame.
4405 * I.e, check "!(link[0] & 0x08)".
4406 */
4407 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4408 b2 = new_block(cstate, JMP(BPF_JSET));
4409 b2->s.k = 0x08;
4410 b2->stmts = s;
4411 gen_not(b2);
4412
4413 /*
4414 * For management frames, the SA is at 10.
4415 */
4416 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4417 gen_and(b2, b1);
4418
4419 /*
4420 * OR that with the checks done for data frames.
4421 * That gives the checks done for management and
4422 * data frames.
4423 */
4424 gen_or(b1, b0);
4425
4426 /*
4427 * If the low-order bit of the type value is 1,
4428 * this is either a control frame or a frame
4429 * with a reserved type, and thus not a
4430 * frame with an SA.
4431 *
4432 * I.e., check "!(link[0] & 0x04)".
4433 */
4434 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4435 b1 = new_block(cstate, JMP(BPF_JSET));
4436 b1->s.k = 0x04;
4437 b1->stmts = s;
4438 gen_not(b1);
4439
4440 /*
4441 * AND that with the checks for data and management
4442 * frames.
4443 */
4444 gen_and(b1, b0);
4445 return b0;
4446
4447 case Q_DST:
4448 /*
4449 * Oh, yuk.
4450 *
4451 * For control frames, there is no DA.
4452 *
4453 * For management frames, DA is at an
4454 * offset of 4 from the beginning of
4455 * the packet.
4456 *
4457 * For data frames, DA is at an offset
4458 * of 4 from the beginning of the packet
4459 * if To DS is clear and at an offset of
4460 * 16 from the beginning of the packet
4461 * if To DS is set.
4462 */
4463
4464 /*
4465 * Generate the tests to be done for data frames.
4466 *
4467 * First, check for To DS set, i.e. "link[1] & 0x01".
4468 */
4469 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4470 b1 = new_block(cstate, JMP(BPF_JSET));
4471 b1->s.k = 0x01; /* To DS */
4472 b1->stmts = s;
4473
4474 /*
4475 * If To DS is set, the DA is at 16.
4476 */
4477 b0 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4478 gen_and(b1, b0);
4479
4480 /*
4481 * Now, check for To DS not set, i.e. check
4482 * "!(link[1] & 0x01)".
4483 */
4484 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
4485 b2 = new_block(cstate, JMP(BPF_JSET));
4486 b2->s.k = 0x01; /* To DS */
4487 b2->stmts = s;
4488 gen_not(b2);
4489
4490 /*
4491 * If To DS is not set, the DA is at 4.
4492 */
4493 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4494 gen_and(b2, b1);
4495
4496 /*
4497 * Now OR together the last two checks. That gives
4498 * the complete set of checks for data frames.
4499 */
4500 gen_or(b1, b0);
4501
4502 /*
4503 * Now check for a data frame.
4504 * I.e, check "link[0] & 0x08".
4505 */
4506 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4507 b1 = new_block(cstate, JMP(BPF_JSET));
4508 b1->s.k = 0x08;
4509 b1->stmts = s;
4510
4511 /*
4512 * AND that with the checks done for data frames.
4513 */
4514 gen_and(b1, b0);
4515
4516 /*
4517 * If the high-order bit of the type value is 0, this
4518 * is a management frame.
4519 * I.e, check "!(link[0] & 0x08)".
4520 */
4521 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4522 b2 = new_block(cstate, JMP(BPF_JSET));
4523 b2->s.k = 0x08;
4524 b2->stmts = s;
4525 gen_not(b2);
4526
4527 /*
4528 * For management frames, the DA is at 4.
4529 */
4530 b1 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4531 gen_and(b2, b1);
4532
4533 /*
4534 * OR that with the checks done for data frames.
4535 * That gives the checks done for management and
4536 * data frames.
4537 */
4538 gen_or(b1, b0);
4539
4540 /*
4541 * If the low-order bit of the type value is 1,
4542 * this is either a control frame or a frame
4543 * with a reserved type, and thus not a
4544 * frame with an SA.
4545 *
4546 * I.e., check "!(link[0] & 0x04)".
4547 */
4548 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4549 b1 = new_block(cstate, JMP(BPF_JSET));
4550 b1->s.k = 0x04;
4551 b1->stmts = s;
4552 gen_not(b1);
4553
4554 /*
4555 * AND that with the checks for data and management
4556 * frames.
4557 */
4558 gen_and(b1, b0);
4559 return b0;
4560
4561 case Q_AND:
4562 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4563 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4564 gen_and(b0, b1);
4565 return b1;
4566
4567 case Q_DEFAULT:
4568 case Q_OR:
4569 b0 = gen_wlanhostop(cstate, eaddr, Q_SRC);
4570 b1 = gen_wlanhostop(cstate, eaddr, Q_DST);
4571 gen_or(b0, b1);
4572 return b1;
4573
4574 /*
4575 * XXX - add BSSID keyword?
4576 */
4577 case Q_ADDR1:
4578 return (gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr));
4579
4580 case Q_ADDR2:
4581 /*
4582 * Not present in CTS or ACK control frames.
4583 */
4584 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4585 IEEE80211_FC0_TYPE_MASK);
4586 gen_not(b0);
4587 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4588 IEEE80211_FC0_SUBTYPE_MASK);
4589 gen_not(b1);
4590 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4591 IEEE80211_FC0_SUBTYPE_MASK);
4592 gen_not(b2);
4593 gen_and(b1, b2);
4594 gen_or(b0, b2);
4595 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4596 gen_and(b2, b1);
4597 return b1;
4598
4599 case Q_ADDR3:
4600 /*
4601 * Not present in control frames.
4602 */
4603 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4604 IEEE80211_FC0_TYPE_MASK);
4605 gen_not(b0);
4606 b1 = gen_bcmp(cstate, OR_LINKHDR, 16, 6, eaddr);
4607 gen_and(b0, b1);
4608 return b1;
4609
4610 case Q_ADDR4:
4611 /*
4612 * Present only if the direction mask has both "From DS"
4613 * and "To DS" set. Neither control frames nor management
4614 * frames should have both of those set, so we don't
4615 * check the frame type.
4616 */
4617 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B,
4618 IEEE80211_FC1_DIR_DSTODS, IEEE80211_FC1_DIR_MASK);
4619 b1 = gen_bcmp(cstate, OR_LINKHDR, 24, 6, eaddr);
4620 gen_and(b0, b1);
4621 return b1;
4622
4623 case Q_RA:
4624 /*
4625 * Not present in management frames; addr1 in other
4626 * frames.
4627 */
4628
4629 /*
4630 * If the high-order bit of the type value is 0, this
4631 * is a management frame.
4632 * I.e, check "(link[0] & 0x08)".
4633 */
4634 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4635 b1 = new_block(cstate, JMP(BPF_JSET));
4636 b1->s.k = 0x08;
4637 b1->stmts = s;
4638
4639 /*
4640 * Check addr1.
4641 */
4642 b0 = gen_bcmp(cstate, OR_LINKHDR, 4, 6, eaddr);
4643
4644 /*
4645 * AND that with the check of addr1.
4646 */
4647 gen_and(b1, b0);
4648 return (b0);
4649
4650 case Q_TA:
4651 /*
4652 * Not present in management frames; addr2, if present,
4653 * in other frames.
4654 */
4655
4656 /*
4657 * Not present in CTS or ACK control frames.
4658 */
4659 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_TYPE_CTL,
4660 IEEE80211_FC0_TYPE_MASK);
4661 gen_not(b0);
4662 b1 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_CTS,
4663 IEEE80211_FC0_SUBTYPE_MASK);
4664 gen_not(b1);
4665 b2 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, IEEE80211_FC0_SUBTYPE_ACK,
4666 IEEE80211_FC0_SUBTYPE_MASK);
4667 gen_not(b2);
4668 gen_and(b1, b2);
4669 gen_or(b0, b2);
4670
4671 /*
4672 * If the high-order bit of the type value is 0, this
4673 * is a management frame.
4674 * I.e, check "(link[0] & 0x08)".
4675 */
4676 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
4677 b1 = new_block(cstate, JMP(BPF_JSET));
4678 b1->s.k = 0x08;
4679 b1->stmts = s;
4680
4681 /*
4682 * AND that with the check for frames other than
4683 * CTS and ACK frames.
4684 */
4685 gen_and(b1, b2);
4686
4687 /*
4688 * Check addr2.
4689 */
4690 b1 = gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4691 gen_and(b2, b1);
4692 return b1;
4693 }
4694 abort();
4695 /*NOTREACHED*/
4696 }
4697
4698 /*
4699 * Like gen_ehostop, but for RFC 2625 IP-over-Fibre-Channel.
4700 * (We assume that the addresses are IEEE 48-bit MAC addresses,
4701 * as the RFC states.)
4702 */
4703 static struct block *
4704 gen_ipfchostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
4705 {
4706 register struct block *b0, *b1;
4707
4708 switch (dir) {
4709 case Q_SRC:
4710 return gen_bcmp(cstate, OR_LINKHDR, 10, 6, eaddr);
4711
4712 case Q_DST:
4713 return gen_bcmp(cstate, OR_LINKHDR, 2, 6, eaddr);
4714
4715 case Q_AND:
4716 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4717 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4718 gen_and(b0, b1);
4719 return b1;
4720
4721 case Q_DEFAULT:
4722 case Q_OR:
4723 b0 = gen_ipfchostop(cstate, eaddr, Q_SRC);
4724 b1 = gen_ipfchostop(cstate, eaddr, Q_DST);
4725 gen_or(b0, b1);
4726 return b1;
4727
4728 case Q_ADDR1:
4729 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
4730 /*NOTREACHED*/
4731
4732 case Q_ADDR2:
4733 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
4734 /*NOTREACHED*/
4735
4736 case Q_ADDR3:
4737 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
4738 /*NOTREACHED*/
4739
4740 case Q_ADDR4:
4741 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
4742 /*NOTREACHED*/
4743
4744 case Q_RA:
4745 bpf_error(cstate, "'ra' is only supported on 802.11");
4746 /*NOTREACHED*/
4747
4748 case Q_TA:
4749 bpf_error(cstate, "'ta' is only supported on 802.11");
4750 /*NOTREACHED*/
4751 }
4752 abort();
4753 /*NOTREACHED*/
4754 }
4755
4756 /*
4757 * This is quite tricky because there may be pad bytes in front of the
4758 * DECNET header, and then there are two possible data packet formats that
4759 * carry both src and dst addresses, plus 5 packet types in a format that
4760 * carries only the src node, plus 2 types that use a different format and
4761 * also carry just the src node.
4762 *
4763 * Yuck.
4764 *
4765 * Instead of doing those all right, we just look for data packets with
4766 * 0 or 1 bytes of padding. If you want to look at other packets, that
4767 * will require a lot more hacking.
4768 *
4769 * To add support for filtering on DECNET "areas" (network numbers)
4770 * one would want to add a "mask" argument to this routine. That would
4771 * make the filter even more inefficient, although one could be clever
4772 * and not generate masking instructions if the mask is 0xFFFF.
4773 */
4774 static struct block *
4775 gen_dnhostop(compiler_state_t *cstate, bpf_u_int32 addr, int dir)
4776 {
4777 struct block *b0, *b1, *b2, *tmp;
4778 u_int offset_lh; /* offset if long header is received */
4779 u_int offset_sh; /* offset if short header is received */
4780
4781 switch (dir) {
4782
4783 case Q_DST:
4784 offset_sh = 1; /* follows flags */
4785 offset_lh = 7; /* flgs,darea,dsubarea,HIORD */
4786 break;
4787
4788 case Q_SRC:
4789 offset_sh = 3; /* follows flags, dstnode */
4790 offset_lh = 15; /* flgs,darea,dsubarea,did,sarea,ssub,HIORD */
4791 break;
4792
4793 case Q_AND:
4794 /* Inefficient because we do our Calvinball dance twice */
4795 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4796 b1 = gen_dnhostop(cstate, addr, Q_DST);
4797 gen_and(b0, b1);
4798 return b1;
4799
4800 case Q_DEFAULT:
4801 case Q_OR:
4802 /* Inefficient because we do our Calvinball dance twice */
4803 b0 = gen_dnhostop(cstate, addr, Q_SRC);
4804 b1 = gen_dnhostop(cstate, addr, Q_DST);
4805 gen_or(b0, b1);
4806 return b1;
4807
4808 case Q_ADDR1:
4809 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4810 /*NOTREACHED*/
4811
4812 case Q_ADDR2:
4813 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4814 /*NOTREACHED*/
4815
4816 case Q_ADDR3:
4817 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4818 /*NOTREACHED*/
4819
4820 case Q_ADDR4:
4821 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for addresses other than 802.11 MAC addresses");
4822 /*NOTREACHED*/
4823
4824 case Q_RA:
4825 bpf_error(cstate, "'ra' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4826 /*NOTREACHED*/
4827
4828 case Q_TA:
4829 bpf_error(cstate, "'ta' is not a valid qualifier for addresses other than 802.11 MAC addresses");
4830 /*NOTREACHED*/
4831
4832 default:
4833 abort();
4834 /*NOTREACHED*/
4835 }
4836 b0 = gen_linktype(cstate, ETHERTYPE_DN);
4837 /* Check for pad = 1, long header case */
4838 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4839 (bpf_u_int32)ntohs(0x0681), (bpf_u_int32)ntohs(0x07FF));
4840 b1 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_lh,
4841 BPF_H, (bpf_u_int32)ntohs((u_short)addr));
4842 gen_and(tmp, b1);
4843 /* Check for pad = 0, long header case */
4844 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x06,
4845 (bpf_u_int32)0x7);
4846 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_lh, BPF_H,
4847 (bpf_u_int32)ntohs((u_short)addr));
4848 gen_and(tmp, b2);
4849 gen_or(b2, b1);
4850 /* Check for pad = 1, short header case */
4851 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_H,
4852 (bpf_u_int32)ntohs(0x0281), (bpf_u_int32)ntohs(0x07FF));
4853 b2 = gen_cmp(cstate, OR_LINKPL, 2 + 1 + offset_sh, BPF_H,
4854 (bpf_u_int32)ntohs((u_short)addr));
4855 gen_and(tmp, b2);
4856 gen_or(b2, b1);
4857 /* Check for pad = 0, short header case */
4858 tmp = gen_mcmp(cstate, OR_LINKPL, 2, BPF_B, (bpf_u_int32)0x02,
4859 (bpf_u_int32)0x7);
4860 b2 = gen_cmp(cstate, OR_LINKPL, 2 + offset_sh, BPF_H,
4861 (bpf_u_int32)ntohs((u_short)addr));
4862 gen_and(tmp, b2);
4863 gen_or(b2, b1);
4864
4865 /* Combine with test for cstate->linktype */
4866 gen_and(b0, b1);
4867 return b1;
4868 }
4869
4870 /*
4871 * Generate a check for IPv4 or IPv6 for MPLS-encapsulated packets;
4872 * test the bottom-of-stack bit, and then check the version number
4873 * field in the IP header.
4874 */
4875 static struct block *
4876 gen_mpls_linktype(compiler_state_t *cstate, bpf_u_int32 ll_proto)
4877 {
4878 struct block *b0, *b1;
4879
4880 switch (ll_proto) {
4881
4882 case ETHERTYPE_IP:
4883 /* match the bottom-of-stack bit */
4884 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4885 /* match the IPv4 version number */
4886 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x40, 0xf0);
4887 gen_and(b0, b1);
4888 return b1;
4889
4890 case ETHERTYPE_IPV6:
4891 /* match the bottom-of-stack bit */
4892 b0 = gen_mcmp(cstate, OR_LINKPL, (u_int)-2, BPF_B, 0x01, 0x01);
4893 /* match the IPv4 version number */
4894 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_B, 0x60, 0xf0);
4895 gen_and(b0, b1);
4896 return b1;
4897
4898 default:
4899 /* FIXME add other L3 proto IDs */
4900 bpf_error(cstate, "unsupported protocol over mpls");
4901 /*NOTREACHED*/
4902 }
4903 }
4904
4905 static struct block *
4906 gen_host(compiler_state_t *cstate, bpf_u_int32 addr, bpf_u_int32 mask,
4907 int proto, int dir, int type)
4908 {
4909 struct block *b0, *b1;
4910 const char *typestr;
4911
4912 if (type == Q_NET)
4913 typestr = "net";
4914 else
4915 typestr = "host";
4916
4917 switch (proto) {
4918
4919 case Q_DEFAULT:
4920 b0 = gen_host(cstate, addr, mask, Q_IP, dir, type);
4921 /*
4922 * Only check for non-IPv4 addresses if we're not
4923 * checking MPLS-encapsulated packets.
4924 */
4925 if (cstate->label_stack_depth == 0) {
4926 b1 = gen_host(cstate, addr, mask, Q_ARP, dir, type);
4927 gen_or(b0, b1);
4928 b0 = gen_host(cstate, addr, mask, Q_RARP, dir, type);
4929 gen_or(b1, b0);
4930 }
4931 return b0;
4932
4933 case Q_LINK:
4934 bpf_error(cstate, "link-layer modifier applied to %s", typestr);
4935
4936 case Q_IP:
4937 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_IP, 12, 16);
4938
4939 case Q_RARP:
4940 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_REVARP, 14, 24);
4941
4942 case Q_ARP:
4943 return gen_hostop(cstate, addr, mask, dir, ETHERTYPE_ARP, 14, 24);
4944
4945 case Q_SCTP:
4946 bpf_error(cstate, "'sctp' modifier applied to %s", typestr);
4947
4948 case Q_TCP:
4949 bpf_error(cstate, "'tcp' modifier applied to %s", typestr);
4950
4951 case Q_UDP:
4952 bpf_error(cstate, "'udp' modifier applied to %s", typestr);
4953
4954 case Q_ICMP:
4955 bpf_error(cstate, "'icmp' modifier applied to %s", typestr);
4956
4957 case Q_IGMP:
4958 bpf_error(cstate, "'igmp' modifier applied to %s", typestr);
4959
4960 case Q_IGRP:
4961 bpf_error(cstate, "'igrp' modifier applied to %s", typestr);
4962
4963 case Q_ATALK:
4964 bpf_error(cstate, "AppleTalk host filtering not implemented");
4965
4966 case Q_DECNET:
4967 return gen_dnhostop(cstate, addr, dir);
4968
4969 case Q_LAT:
4970 bpf_error(cstate, "LAT host filtering not implemented");
4971
4972 case Q_SCA:
4973 bpf_error(cstate, "SCA host filtering not implemented");
4974
4975 case Q_MOPRC:
4976 bpf_error(cstate, "MOPRC host filtering not implemented");
4977
4978 case Q_MOPDL:
4979 bpf_error(cstate, "MOPDL host filtering not implemented");
4980
4981 case Q_IPV6:
4982 bpf_error(cstate, "'ip6' modifier applied to ip host");
4983
4984 case Q_ICMPV6:
4985 bpf_error(cstate, "'icmp6' modifier applied to %s", typestr);
4986
4987 case Q_AH:
4988 bpf_error(cstate, "'ah' modifier applied to %s", typestr);
4989
4990 case Q_ESP:
4991 bpf_error(cstate, "'esp' modifier applied to %s", typestr);
4992
4993 case Q_PIM:
4994 bpf_error(cstate, "'pim' modifier applied to %s", typestr);
4995
4996 case Q_VRRP:
4997 bpf_error(cstate, "'vrrp' modifier applied to %s", typestr);
4998
4999 case Q_AARP:
5000 bpf_error(cstate, "AARP host filtering not implemented");
5001
5002 case Q_ISO:
5003 bpf_error(cstate, "ISO host filtering not implemented");
5004
5005 case Q_ESIS:
5006 bpf_error(cstate, "'esis' modifier applied to %s", typestr);
5007
5008 case Q_ISIS:
5009 bpf_error(cstate, "'isis' modifier applied to %s", typestr);
5010
5011 case Q_CLNP:
5012 bpf_error(cstate, "'clnp' modifier applied to %s", typestr);
5013
5014 case Q_STP:
5015 bpf_error(cstate, "'stp' modifier applied to %s", typestr);
5016
5017 case Q_IPX:
5018 bpf_error(cstate, "IPX host filtering not implemented");
5019
5020 case Q_NETBEUI:
5021 bpf_error(cstate, "'netbeui' modifier applied to %s", typestr);
5022
5023 case Q_ISIS_L1:
5024 bpf_error(cstate, "'l1' modifier applied to %s", typestr);
5025
5026 case Q_ISIS_L2:
5027 bpf_error(cstate, "'l2' modifier applied to %s", typestr);
5028
5029 case Q_ISIS_IIH:
5030 bpf_error(cstate, "'iih' modifier applied to %s", typestr);
5031
5032 case Q_ISIS_SNP:
5033 bpf_error(cstate, "'snp' modifier applied to %s", typestr);
5034
5035 case Q_ISIS_CSNP:
5036 bpf_error(cstate, "'csnp' modifier applied to %s", typestr);
5037
5038 case Q_ISIS_PSNP:
5039 bpf_error(cstate, "'psnp' modifier applied to %s", typestr);
5040
5041 case Q_ISIS_LSP:
5042 bpf_error(cstate, "'lsp' modifier applied to %s", typestr);
5043
5044 case Q_RADIO:
5045 bpf_error(cstate, "'radio' modifier applied to %s", typestr);
5046
5047 case Q_CARP:
5048 bpf_error(cstate, "'carp' modifier applied to %s", typestr);
5049
5050 default:
5051 abort();
5052 }
5053 /*NOTREACHED*/
5054 }
5055
5056 #ifdef INET6
5057 static struct block *
5058 gen_host6(compiler_state_t *cstate, struct in6_addr *addr,
5059 struct in6_addr *mask, int proto, int dir, int type)
5060 {
5061 const char *typestr;
5062
5063 if (type == Q_NET)
5064 typestr = "net";
5065 else
5066 typestr = "host";
5067
5068 switch (proto) {
5069
5070 case Q_DEFAULT:
5071 return gen_host6(cstate, addr, mask, Q_IPV6, dir, type);
5072
5073 case Q_LINK:
5074 bpf_error(cstate, "link-layer modifier applied to ip6 %s", typestr);
5075
5076 case Q_IP:
5077 bpf_error(cstate, "'ip' modifier applied to ip6 %s", typestr);
5078
5079 case Q_RARP:
5080 bpf_error(cstate, "'rarp' modifier applied to ip6 %s", typestr);
5081
5082 case Q_ARP:
5083 bpf_error(cstate, "'arp' modifier applied to ip6 %s", typestr);
5084
5085 case Q_SCTP:
5086 bpf_error(cstate, "'sctp' modifier applied to ip6 %s", typestr);
5087
5088 case Q_TCP:
5089 bpf_error(cstate, "'tcp' modifier applied to ip6 %s", typestr);
5090
5091 case Q_UDP:
5092 bpf_error(cstate, "'udp' modifier applied to ip6 %s", typestr);
5093
5094 case Q_ICMP:
5095 bpf_error(cstate, "'icmp' modifier applied to ip6 %s", typestr);
5096
5097 case Q_IGMP:
5098 bpf_error(cstate, "'igmp' modifier applied to ip6 %s", typestr);
5099
5100 case Q_IGRP:
5101 bpf_error(cstate, "'igrp' modifier applied to ip6 %s", typestr);
5102
5103 case Q_ATALK:
5104 bpf_error(cstate, "AppleTalk modifier applied to ip6 %s", typestr);
5105
5106 case Q_DECNET:
5107 bpf_error(cstate, "'decnet' modifier applied to ip6 %s", typestr);
5108
5109 case Q_LAT:
5110 bpf_error(cstate, "'lat' modifier applied to ip6 %s", typestr);
5111
5112 case Q_SCA:
5113 bpf_error(cstate, "'sca' modifier applied to ip6 %s", typestr);
5114
5115 case Q_MOPRC:
5116 bpf_error(cstate, "'moprc' modifier applied to ip6 %s", typestr);
5117
5118 case Q_MOPDL:
5119 bpf_error(cstate, "'mopdl' modifier applied to ip6 %s", typestr);
5120
5121 case Q_IPV6:
5122 return gen_hostop6(cstate, addr, mask, dir, ETHERTYPE_IPV6, 8, 24);
5123
5124 case Q_ICMPV6:
5125 bpf_error(cstate, "'icmp6' modifier applied to ip6 %s", typestr);
5126
5127 case Q_AH:
5128 bpf_error(cstate, "'ah' modifier applied to ip6 %s", typestr);
5129
5130 case Q_ESP:
5131 bpf_error(cstate, "'esp' modifier applied to ip6 %s", typestr);
5132
5133 case Q_PIM:
5134 bpf_error(cstate, "'pim' modifier applied to ip6 %s", typestr);
5135
5136 case Q_VRRP:
5137 bpf_error(cstate, "'vrrp' modifier applied to ip6 %s", typestr);
5138
5139 case Q_AARP:
5140 bpf_error(cstate, "'aarp' modifier applied to ip6 %s", typestr);
5141
5142 case Q_ISO:
5143 bpf_error(cstate, "'iso' modifier applied to ip6 %s", typestr);
5144
5145 case Q_ESIS:
5146 bpf_error(cstate, "'esis' modifier applied to ip6 %s", typestr);
5147
5148 case Q_ISIS:
5149 bpf_error(cstate, "'isis' modifier applied to ip6 %s", typestr);
5150
5151 case Q_CLNP:
5152 bpf_error(cstate, "'clnp' modifier applied to ip6 %s", typestr);
5153
5154 case Q_STP:
5155 bpf_error(cstate, "'stp' modifier applied to ip6 %s", typestr);
5156
5157 case Q_IPX:
5158 bpf_error(cstate, "'ipx' modifier applied to ip6 %s", typestr);
5159
5160 case Q_NETBEUI:
5161 bpf_error(cstate, "'netbeui' modifier applied to ip6 %s", typestr);
5162
5163 case Q_ISIS_L1:
5164 bpf_error(cstate, "'l1' modifier applied to ip6 %s", typestr);
5165
5166 case Q_ISIS_L2:
5167 bpf_error(cstate, "'l2' modifier applied to ip6 %s", typestr);
5168
5169 case Q_ISIS_IIH:
5170 bpf_error(cstate, "'iih' modifier applied to ip6 %s", typestr);
5171
5172 case Q_ISIS_SNP:
5173 bpf_error(cstate, "'snp' modifier applied to ip6 %s", typestr);
5174
5175 case Q_ISIS_CSNP:
5176 bpf_error(cstate, "'csnp' modifier applied to ip6 %s", typestr);
5177
5178 case Q_ISIS_PSNP:
5179 bpf_error(cstate, "'psnp' modifier applied to ip6 %s", typestr);
5180
5181 case Q_ISIS_LSP:
5182 bpf_error(cstate, "'lsp' modifier applied to ip6 %s", typestr);
5183
5184 case Q_RADIO:
5185 bpf_error(cstate, "'radio' modifier applied to ip6 %s", typestr);
5186
5187 case Q_CARP:
5188 bpf_error(cstate, "'carp' modifier applied to ip6 %s", typestr);
5189
5190 default:
5191 abort();
5192 }
5193 /*NOTREACHED*/
5194 }
5195 #endif
5196
5197 #ifndef INET6
5198 static struct block *
5199 gen_gateway(compiler_state_t *cstate, const u_char *eaddr,
5200 struct addrinfo *alist, int proto, int dir)
5201 {
5202 struct block *b0, *b1, *tmp;
5203 struct addrinfo *ai;
5204 struct sockaddr_in *sin;
5205
5206 if (dir != 0)
5207 bpf_error(cstate, "direction applied to 'gateway'");
5208
5209 switch (proto) {
5210 case Q_DEFAULT:
5211 case Q_IP:
5212 case Q_ARP:
5213 case Q_RARP:
5214 switch (cstate->linktype) {
5215 case DLT_EN10MB:
5216 case DLT_NETANALYZER:
5217 case DLT_NETANALYZER_TRANSPARENT:
5218 b1 = gen_prevlinkhdr_check(cstate);
5219 b0 = gen_ehostop(cstate, eaddr, Q_OR);
5220 if (b1 != NULL)
5221 gen_and(b1, b0);
5222 break;
5223 case DLT_FDDI:
5224 b0 = gen_fhostop(cstate, eaddr, Q_OR);
5225 break;
5226 case DLT_IEEE802:
5227 b0 = gen_thostop(cstate, eaddr, Q_OR);
5228 break;
5229 case DLT_IEEE802_11:
5230 case DLT_PRISM_HEADER:
5231 case DLT_IEEE802_11_RADIO_AVS:
5232 case DLT_IEEE802_11_RADIO:
5233 case DLT_PPI:
5234 b0 = gen_wlanhostop(cstate, eaddr, Q_OR);
5235 break;
5236 case DLT_SUNATM:
5237 /*
5238 * This is LLC-multiplexed traffic; if it were
5239 * LANE, cstate->linktype would have been set to
5240 * DLT_EN10MB.
5241 */
5242 bpf_error(cstate,
5243 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5244 break;
5245 case DLT_IP_OVER_FC:
5246 b0 = gen_ipfchostop(cstate, eaddr, Q_OR);
5247 break;
5248 default:
5249 bpf_error(cstate,
5250 "'gateway' supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
5251 }
5252 b1 = NULL;
5253 for (ai = alist; ai != NULL; ai = ai->ai_next) {
5254 /*
5255 * Does it have an address?
5256 */
5257 if (ai->ai_addr != NULL) {
5258 /*
5259 * Yes. Is it an IPv4 address?
5260 */
5261 if (ai->ai_addr->sa_family == AF_INET) {
5262 /*
5263 * Generate an entry for it.
5264 */
5265 sin = (struct sockaddr_in *)ai->ai_addr;
5266 tmp = gen_host(cstate,
5267 ntohl(sin->sin_addr.s_addr),
5268 0xffffffff, proto, Q_OR, Q_HOST);
5269 /*
5270 * Is it the *first* IPv4 address?
5271 */
5272 if (b1 == NULL) {
5273 /*
5274 * Yes, so start with it.
5275 */
5276 b1 = tmp;
5277 } else {
5278 /*
5279 * No, so OR it into the
5280 * existing set of
5281 * addresses.
5282 */
5283 gen_or(b1, tmp);
5284 b1 = tmp;
5285 }
5286 }
5287 }
5288 }
5289 if (b1 == NULL) {
5290 /*
5291 * No IPv4 addresses found.
5292 */
5293 return (NULL);
5294 }
5295 gen_not(b1);
5296 gen_and(b0, b1);
5297 return b1;
5298 }
5299 bpf_error(cstate, "illegal modifier of 'gateway'");
5300 /*NOTREACHED*/
5301 }
5302 #endif
5303
5304 static struct block *
5305 gen_proto_abbrev_internal(compiler_state_t *cstate, int proto)
5306 {
5307 struct block *b0;
5308 struct block *b1;
5309
5310 switch (proto) {
5311
5312 case Q_SCTP:
5313 b1 = gen_proto(cstate, IPPROTO_SCTP, Q_IP, Q_DEFAULT);
5314 b0 = gen_proto(cstate, IPPROTO_SCTP, Q_IPV6, Q_DEFAULT);
5315 gen_or(b0, b1);
5316 break;
5317
5318 case Q_TCP:
5319 b1 = gen_proto(cstate, IPPROTO_TCP, Q_IP, Q_DEFAULT);
5320 b0 = gen_proto(cstate, IPPROTO_TCP, Q_IPV6, Q_DEFAULT);
5321 gen_or(b0, b1);
5322 break;
5323
5324 case Q_UDP:
5325 b1 = gen_proto(cstate, IPPROTO_UDP, Q_IP, Q_DEFAULT);
5326 b0 = gen_proto(cstate, IPPROTO_UDP, Q_IPV6, Q_DEFAULT);
5327 gen_or(b0, b1);
5328 break;
5329
5330 case Q_ICMP:
5331 b1 = gen_proto(cstate, IPPROTO_ICMP, Q_IP, Q_DEFAULT);
5332 break;
5333
5334 #ifndef IPPROTO_IGMP
5335 #define IPPROTO_IGMP 2
5336 #endif
5337
5338 case Q_IGMP:
5339 b1 = gen_proto(cstate, IPPROTO_IGMP, Q_IP, Q_DEFAULT);
5340 break;
5341
5342 #ifndef IPPROTO_IGRP
5343 #define IPPROTO_IGRP 9
5344 #endif
5345 case Q_IGRP:
5346 b1 = gen_proto(cstate, IPPROTO_IGRP, Q_IP, Q_DEFAULT);
5347 break;
5348
5349 #ifndef IPPROTO_PIM
5350 #define IPPROTO_PIM 103
5351 #endif
5352
5353 case Q_PIM:
5354 b1 = gen_proto(cstate, IPPROTO_PIM, Q_IP, Q_DEFAULT);
5355 b0 = gen_proto(cstate, IPPROTO_PIM, Q_IPV6, Q_DEFAULT);
5356 gen_or(b0, b1);
5357 break;
5358
5359 #ifndef IPPROTO_VRRP
5360 #define IPPROTO_VRRP 112
5361 #endif
5362
5363 case Q_VRRP:
5364 b1 = gen_proto(cstate, IPPROTO_VRRP, Q_IP, Q_DEFAULT);
5365 break;
5366
5367 #ifndef IPPROTO_CARP
5368 #define IPPROTO_CARP 112
5369 #endif
5370
5371 case Q_CARP:
5372 b1 = gen_proto(cstate, IPPROTO_CARP, Q_IP, Q_DEFAULT);
5373 break;
5374
5375 case Q_IP:
5376 b1 = gen_linktype(cstate, ETHERTYPE_IP);
5377 break;
5378
5379 case Q_ARP:
5380 b1 = gen_linktype(cstate, ETHERTYPE_ARP);
5381 break;
5382
5383 case Q_RARP:
5384 b1 = gen_linktype(cstate, ETHERTYPE_REVARP);
5385 break;
5386
5387 case Q_LINK:
5388 bpf_error(cstate, "link layer applied in wrong context");
5389
5390 case Q_ATALK:
5391 b1 = gen_linktype(cstate, ETHERTYPE_ATALK);
5392 break;
5393
5394 case Q_AARP:
5395 b1 = gen_linktype(cstate, ETHERTYPE_AARP);
5396 break;
5397
5398 case Q_DECNET:
5399 b1 = gen_linktype(cstate, ETHERTYPE_DN);
5400 break;
5401
5402 case Q_SCA:
5403 b1 = gen_linktype(cstate, ETHERTYPE_SCA);
5404 break;
5405
5406 case Q_LAT:
5407 b1 = gen_linktype(cstate, ETHERTYPE_LAT);
5408 break;
5409
5410 case Q_MOPDL:
5411 b1 = gen_linktype(cstate, ETHERTYPE_MOPDL);
5412 break;
5413
5414 case Q_MOPRC:
5415 b1 = gen_linktype(cstate, ETHERTYPE_MOPRC);
5416 break;
5417
5418 case Q_IPV6:
5419 b1 = gen_linktype(cstate, ETHERTYPE_IPV6);
5420 break;
5421
5422 #ifndef IPPROTO_ICMPV6
5423 #define IPPROTO_ICMPV6 58
5424 #endif
5425 case Q_ICMPV6:
5426 b1 = gen_proto(cstate, IPPROTO_ICMPV6, Q_IPV6, Q_DEFAULT);
5427 break;
5428
5429 #ifndef IPPROTO_AH
5430 #define IPPROTO_AH 51
5431 #endif
5432 case Q_AH:
5433 b1 = gen_proto(cstate, IPPROTO_AH, Q_IP, Q_DEFAULT);
5434 b0 = gen_proto(cstate, IPPROTO_AH, Q_IPV6, Q_DEFAULT);
5435 gen_or(b0, b1);
5436 break;
5437
5438 #ifndef IPPROTO_ESP
5439 #define IPPROTO_ESP 50
5440 #endif
5441 case Q_ESP:
5442 b1 = gen_proto(cstate, IPPROTO_ESP, Q_IP, Q_DEFAULT);
5443 b0 = gen_proto(cstate, IPPROTO_ESP, Q_IPV6, Q_DEFAULT);
5444 gen_or(b0, b1);
5445 break;
5446
5447 case Q_ISO:
5448 b1 = gen_linktype(cstate, LLCSAP_ISONS);
5449 break;
5450
5451 case Q_ESIS:
5452 b1 = gen_proto(cstate, ISO9542_ESIS, Q_ISO, Q_DEFAULT);
5453 break;
5454
5455 case Q_ISIS:
5456 b1 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
5457 break;
5458
5459 case Q_ISIS_L1: /* all IS-IS Level1 PDU-Types */
5460 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5461 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5462 gen_or(b0, b1);
5463 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5464 gen_or(b0, b1);
5465 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5466 gen_or(b0, b1);
5467 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5468 gen_or(b0, b1);
5469 break;
5470
5471 case Q_ISIS_L2: /* all IS-IS Level2 PDU-Types */
5472 b0 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5473 b1 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT); /* FIXME extract the circuit-type bits */
5474 gen_or(b0, b1);
5475 b0 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5476 gen_or(b0, b1);
5477 b0 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5478 gen_or(b0, b1);
5479 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5480 gen_or(b0, b1);
5481 break;
5482
5483 case Q_ISIS_IIH: /* all IS-IS Hello PDU-Types */
5484 b0 = gen_proto(cstate, ISIS_L1_LAN_IIH, Q_ISIS, Q_DEFAULT);
5485 b1 = gen_proto(cstate, ISIS_L2_LAN_IIH, Q_ISIS, Q_DEFAULT);
5486 gen_or(b0, b1);
5487 b0 = gen_proto(cstate, ISIS_PTP_IIH, Q_ISIS, Q_DEFAULT);
5488 gen_or(b0, b1);
5489 break;
5490
5491 case Q_ISIS_LSP:
5492 b0 = gen_proto(cstate, ISIS_L1_LSP, Q_ISIS, Q_DEFAULT);
5493 b1 = gen_proto(cstate, ISIS_L2_LSP, Q_ISIS, Q_DEFAULT);
5494 gen_or(b0, b1);
5495 break;
5496
5497 case Q_ISIS_SNP:
5498 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5499 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5500 gen_or(b0, b1);
5501 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5502 gen_or(b0, b1);
5503 b0 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5504 gen_or(b0, b1);
5505 break;
5506
5507 case Q_ISIS_CSNP:
5508 b0 = gen_proto(cstate, ISIS_L1_CSNP, Q_ISIS, Q_DEFAULT);
5509 b1 = gen_proto(cstate, ISIS_L2_CSNP, Q_ISIS, Q_DEFAULT);
5510 gen_or(b0, b1);
5511 break;
5512
5513 case Q_ISIS_PSNP:
5514 b0 = gen_proto(cstate, ISIS_L1_PSNP, Q_ISIS, Q_DEFAULT);
5515 b1 = gen_proto(cstate, ISIS_L2_PSNP, Q_ISIS, Q_DEFAULT);
5516 gen_or(b0, b1);
5517 break;
5518
5519 case Q_CLNP:
5520 b1 = gen_proto(cstate, ISO8473_CLNP, Q_ISO, Q_DEFAULT);
5521 break;
5522
5523 case Q_STP:
5524 b1 = gen_linktype(cstate, LLCSAP_8021D);
5525 break;
5526
5527 case Q_IPX:
5528 b1 = gen_linktype(cstate, LLCSAP_IPX);
5529 break;
5530
5531 case Q_NETBEUI:
5532 b1 = gen_linktype(cstate, LLCSAP_NETBEUI);
5533 break;
5534
5535 case Q_RADIO:
5536 bpf_error(cstate, "'radio' is not a valid protocol type");
5537
5538 default:
5539 abort();
5540 }
5541 return b1;
5542 }
5543
5544 struct block *
5545 gen_proto_abbrev(compiler_state_t *cstate, int proto)
5546 {
5547 /*
5548 * Catch errors reported by us and routines below us, and return NULL
5549 * on an error.
5550 */
5551 if (setjmp(cstate->top_ctx))
5552 return (NULL);
5553
5554 return gen_proto_abbrev_internal(cstate, proto);
5555 }
5556
5557 static struct block *
5558 gen_ipfrag(compiler_state_t *cstate)
5559 {
5560 struct slist *s;
5561 struct block *b;
5562
5563 /* not IPv4 frag other than the first frag */
5564 s = gen_load_a(cstate, OR_LINKPL, 6, BPF_H);
5565 b = new_block(cstate, JMP(BPF_JSET));
5566 b->s.k = 0x1fff;
5567 b->stmts = s;
5568 gen_not(b);
5569
5570 return b;
5571 }
5572
5573 /*
5574 * Generate a comparison to a port value in the transport-layer header
5575 * at the specified offset from the beginning of that header.
5576 *
5577 * XXX - this handles a variable-length prefix preceding the link-layer
5578 * header, such as the radiotap or AVS radio prefix, but doesn't handle
5579 * variable-length link-layer headers (such as Token Ring or 802.11
5580 * headers).
5581 */
5582 static struct block *
5583 gen_portatom(compiler_state_t *cstate, int off, bpf_u_int32 v)
5584 {
5585 return gen_cmp(cstate, OR_TRAN_IPV4, off, BPF_H, v);
5586 }
5587
5588 static struct block *
5589 gen_portatom6(compiler_state_t *cstate, int off, bpf_u_int32 v)
5590 {
5591 return gen_cmp(cstate, OR_TRAN_IPV6, off, BPF_H, v);
5592 }
5593
5594 static struct block *
5595 gen_portop(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5596 {
5597 struct block *b0, *b1, *tmp;
5598
5599 /* ip proto 'proto' and not a fragment other than the first fragment */
5600 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5601 b0 = gen_ipfrag(cstate);
5602 gen_and(tmp, b0);
5603
5604 switch (dir) {
5605 case Q_SRC:
5606 b1 = gen_portatom(cstate, 0, port);
5607 break;
5608
5609 case Q_DST:
5610 b1 = gen_portatom(cstate, 2, port);
5611 break;
5612
5613 case Q_AND:
5614 tmp = gen_portatom(cstate, 0, port);
5615 b1 = gen_portatom(cstate, 2, port);
5616 gen_and(tmp, b1);
5617 break;
5618
5619 case Q_DEFAULT:
5620 case Q_OR:
5621 tmp = gen_portatom(cstate, 0, port);
5622 b1 = gen_portatom(cstate, 2, port);
5623 gen_or(tmp, b1);
5624 break;
5625
5626 case Q_ADDR1:
5627 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for ports");
5628 /*NOTREACHED*/
5629
5630 case Q_ADDR2:
5631 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for ports");
5632 /*NOTREACHED*/
5633
5634 case Q_ADDR3:
5635 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for ports");
5636 /*NOTREACHED*/
5637
5638 case Q_ADDR4:
5639 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for ports");
5640 /*NOTREACHED*/
5641
5642 case Q_RA:
5643 bpf_error(cstate, "'ra' is not a valid qualifier for ports");
5644 /*NOTREACHED*/
5645
5646 case Q_TA:
5647 bpf_error(cstate, "'ta' is not a valid qualifier for ports");
5648 /*NOTREACHED*/
5649
5650 default:
5651 abort();
5652 /*NOTREACHED*/
5653 }
5654 gen_and(b0, b1);
5655
5656 return b1;
5657 }
5658
5659 static struct block *
5660 gen_port(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5661 {
5662 struct block *b0, *b1, *tmp;
5663
5664 /*
5665 * ether proto ip
5666 *
5667 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
5668 * not LLC encapsulation with LLCSAP_IP.
5669 *
5670 * For IEEE 802 networks - which includes 802.5 token ring
5671 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
5672 * says that SNAP encapsulation is used, not LLC encapsulation
5673 * with LLCSAP_IP.
5674 *
5675 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
5676 * RFC 2225 say that SNAP encapsulation is used, not LLC
5677 * encapsulation with LLCSAP_IP.
5678 *
5679 * So we always check for ETHERTYPE_IP.
5680 */
5681 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5682
5683 switch (ip_proto) {
5684 case IPPROTO_UDP:
5685 case IPPROTO_TCP:
5686 case IPPROTO_SCTP:
5687 b1 = gen_portop(cstate, port, (u_int)ip_proto, dir);
5688 break;
5689
5690 case PROTO_UNDEF:
5691 tmp = gen_portop(cstate, port, IPPROTO_TCP, dir);
5692 b1 = gen_portop(cstate, port, IPPROTO_UDP, dir);
5693 gen_or(tmp, b1);
5694 tmp = gen_portop(cstate, port, IPPROTO_SCTP, dir);
5695 gen_or(tmp, b1);
5696 break;
5697
5698 default:
5699 abort();
5700 }
5701 gen_and(b0, b1);
5702 return b1;
5703 }
5704
5705 struct block *
5706 gen_portop6(compiler_state_t *cstate, u_int port, u_int proto, int dir)
5707 {
5708 struct block *b0, *b1, *tmp;
5709
5710 /* ip6 proto 'proto' */
5711 /* XXX - catch the first fragment of a fragmented packet? */
5712 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
5713
5714 switch (dir) {
5715 case Q_SRC:
5716 b1 = gen_portatom6(cstate, 0, port);
5717 break;
5718
5719 case Q_DST:
5720 b1 = gen_portatom6(cstate, 2, port);
5721 break;
5722
5723 case Q_AND:
5724 tmp = gen_portatom6(cstate, 0, port);
5725 b1 = gen_portatom6(cstate, 2, port);
5726 gen_and(tmp, b1);
5727 break;
5728
5729 case Q_DEFAULT:
5730 case Q_OR:
5731 tmp = gen_portatom6(cstate, 0, port);
5732 b1 = gen_portatom6(cstate, 2, port);
5733 gen_or(tmp, b1);
5734 break;
5735
5736 default:
5737 abort();
5738 }
5739 gen_and(b0, b1);
5740
5741 return b1;
5742 }
5743
5744 static struct block *
5745 gen_port6(compiler_state_t *cstate, u_int port, int ip_proto, int dir)
5746 {
5747 struct block *b0, *b1, *tmp;
5748
5749 /* link proto ip6 */
5750 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5751
5752 switch (ip_proto) {
5753 case IPPROTO_UDP:
5754 case IPPROTO_TCP:
5755 case IPPROTO_SCTP:
5756 b1 = gen_portop6(cstate, port, (u_int)ip_proto, dir);
5757 break;
5758
5759 case PROTO_UNDEF:
5760 tmp = gen_portop6(cstate, port, IPPROTO_TCP, dir);
5761 b1 = gen_portop6(cstate, port, IPPROTO_UDP, dir);
5762 gen_or(tmp, b1);
5763 tmp = gen_portop6(cstate, port, IPPROTO_SCTP, dir);
5764 gen_or(tmp, b1);
5765 break;
5766
5767 default:
5768 abort();
5769 }
5770 gen_and(b0, b1);
5771 return b1;
5772 }
5773
5774 /* gen_portrange code */
5775 static struct block *
5776 gen_portrangeatom(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
5777 bpf_u_int32 v2)
5778 {
5779 struct block *b1, *b2;
5780
5781 if (v1 > v2) {
5782 /*
5783 * Reverse the order of the ports, so v1 is the lower one.
5784 */
5785 bpf_u_int32 vtemp;
5786
5787 vtemp = v1;
5788 v1 = v2;
5789 v2 = vtemp;
5790 }
5791
5792 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV4, off, BPF_H, v1);
5793 b2 = gen_cmp_le(cstate, OR_TRAN_IPV4, off, BPF_H, v2);
5794
5795 gen_and(b1, b2);
5796
5797 return b2;
5798 }
5799
5800 static struct block *
5801 gen_portrangeop(compiler_state_t *cstate, u_int port1, u_int port2,
5802 bpf_u_int32 proto, int dir)
5803 {
5804 struct block *b0, *b1, *tmp;
5805
5806 /* ip proto 'proto' and not a fragment other than the first fragment */
5807 tmp = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, proto);
5808 b0 = gen_ipfrag(cstate);
5809 gen_and(tmp, b0);
5810
5811 switch (dir) {
5812 case Q_SRC:
5813 b1 = gen_portrangeatom(cstate, 0, port1, port2);
5814 break;
5815
5816 case Q_DST:
5817 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5818 break;
5819
5820 case Q_AND:
5821 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5822 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5823 gen_and(tmp, b1);
5824 break;
5825
5826 case Q_DEFAULT:
5827 case Q_OR:
5828 tmp = gen_portrangeatom(cstate, 0, port1, port2);
5829 b1 = gen_portrangeatom(cstate, 2, port1, port2);
5830 gen_or(tmp, b1);
5831 break;
5832
5833 case Q_ADDR1:
5834 bpf_error(cstate, "'addr1' and 'address1' are not valid qualifiers for port ranges");
5835 /*NOTREACHED*/
5836
5837 case Q_ADDR2:
5838 bpf_error(cstate, "'addr2' and 'address2' are not valid qualifiers for port ranges");
5839 /*NOTREACHED*/
5840
5841 case Q_ADDR3:
5842 bpf_error(cstate, "'addr3' and 'address3' are not valid qualifiers for port ranges");
5843 /*NOTREACHED*/
5844
5845 case Q_ADDR4:
5846 bpf_error(cstate, "'addr4' and 'address4' are not valid qualifiers for port ranges");
5847 /*NOTREACHED*/
5848
5849 case Q_RA:
5850 bpf_error(cstate, "'ra' is not a valid qualifier for port ranges");
5851 /*NOTREACHED*/
5852
5853 case Q_TA:
5854 bpf_error(cstate, "'ta' is not a valid qualifier for port ranges");
5855 /*NOTREACHED*/
5856
5857 default:
5858 abort();
5859 /*NOTREACHED*/
5860 }
5861 gen_and(b0, b1);
5862
5863 return b1;
5864 }
5865
5866 static struct block *
5867 gen_portrange(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
5868 int dir)
5869 {
5870 struct block *b0, *b1, *tmp;
5871
5872 /* link proto ip */
5873 b0 = gen_linktype(cstate, ETHERTYPE_IP);
5874
5875 switch (ip_proto) {
5876 case IPPROTO_UDP:
5877 case IPPROTO_TCP:
5878 case IPPROTO_SCTP:
5879 b1 = gen_portrangeop(cstate, port1, port2, (bpf_u_int32)ip_proto,
5880 dir);
5881 break;
5882
5883 case PROTO_UNDEF:
5884 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_TCP, dir);
5885 b1 = gen_portrangeop(cstate, port1, port2, IPPROTO_UDP, dir);
5886 gen_or(tmp, b1);
5887 tmp = gen_portrangeop(cstate, port1, port2, IPPROTO_SCTP, dir);
5888 gen_or(tmp, b1);
5889 break;
5890
5891 default:
5892 abort();
5893 }
5894 gen_and(b0, b1);
5895 return b1;
5896 }
5897
5898 static struct block *
5899 gen_portrangeatom6(compiler_state_t *cstate, u_int off, bpf_u_int32 v1,
5900 bpf_u_int32 v2)
5901 {
5902 struct block *b1, *b2;
5903
5904 if (v1 > v2) {
5905 /*
5906 * Reverse the order of the ports, so v1 is the lower one.
5907 */
5908 bpf_u_int32 vtemp;
5909
5910 vtemp = v1;
5911 v1 = v2;
5912 v2 = vtemp;
5913 }
5914
5915 b1 = gen_cmp_ge(cstate, OR_TRAN_IPV6, off, BPF_H, v1);
5916 b2 = gen_cmp_le(cstate, OR_TRAN_IPV6, off, BPF_H, v2);
5917
5918 gen_and(b1, b2);
5919
5920 return b2;
5921 }
5922
5923 static struct block *
5924 gen_portrangeop6(compiler_state_t *cstate, u_int port1, u_int port2,
5925 bpf_u_int32 proto, int dir)
5926 {
5927 struct block *b0, *b1, *tmp;
5928
5929 /* ip6 proto 'proto' */
5930 /* XXX - catch the first fragment of a fragmented packet? */
5931 b0 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, proto);
5932
5933 switch (dir) {
5934 case Q_SRC:
5935 b1 = gen_portrangeatom6(cstate, 0, port1, port2);
5936 break;
5937
5938 case Q_DST:
5939 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
5940 break;
5941
5942 case Q_AND:
5943 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
5944 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
5945 gen_and(tmp, b1);
5946 break;
5947
5948 case Q_DEFAULT:
5949 case Q_OR:
5950 tmp = gen_portrangeatom6(cstate, 0, port1, port2);
5951 b1 = gen_portrangeatom6(cstate, 2, port1, port2);
5952 gen_or(tmp, b1);
5953 break;
5954
5955 default:
5956 abort();
5957 }
5958 gen_and(b0, b1);
5959
5960 return b1;
5961 }
5962
5963 static struct block *
5964 gen_portrange6(compiler_state_t *cstate, u_int port1, u_int port2, int ip_proto,
5965 int dir)
5966 {
5967 struct block *b0, *b1, *tmp;
5968
5969 /* link proto ip6 */
5970 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
5971
5972 switch (ip_proto) {
5973 case IPPROTO_UDP:
5974 case IPPROTO_TCP:
5975 case IPPROTO_SCTP:
5976 b1 = gen_portrangeop6(cstate, port1, port2, (bpf_u_int32)ip_proto,
5977 dir);
5978 break;
5979
5980 case PROTO_UNDEF:
5981 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_TCP, dir);
5982 b1 = gen_portrangeop6(cstate, port1, port2, IPPROTO_UDP, dir);
5983 gen_or(tmp, b1);
5984 tmp = gen_portrangeop6(cstate, port1, port2, IPPROTO_SCTP, dir);
5985 gen_or(tmp, b1);
5986 break;
5987
5988 default:
5989 abort();
5990 }
5991 gen_and(b0, b1);
5992 return b1;
5993 }
5994
5995 static int
5996 lookup_proto(compiler_state_t *cstate, const char *name, int proto)
5997 {
5998 register int v;
5999
6000 switch (proto) {
6001
6002 case Q_DEFAULT:
6003 case Q_IP:
6004 case Q_IPV6:
6005 v = pcap_nametoproto(name);
6006 if (v == PROTO_UNDEF)
6007 bpf_error(cstate, "unknown ip proto '%s'", name);
6008 break;
6009
6010 case Q_LINK:
6011 /* XXX should look up h/w protocol type based on cstate->linktype */
6012 v = pcap_nametoeproto(name);
6013 if (v == PROTO_UNDEF) {
6014 v = pcap_nametollc(name);
6015 if (v == PROTO_UNDEF)
6016 bpf_error(cstate, "unknown ether proto '%s'", name);
6017 }
6018 break;
6019
6020 case Q_ISO:
6021 if (strcmp(name, "esis") == 0)
6022 v = ISO9542_ESIS;
6023 else if (strcmp(name, "isis") == 0)
6024 v = ISO10589_ISIS;
6025 else if (strcmp(name, "clnp") == 0)
6026 v = ISO8473_CLNP;
6027 else
6028 bpf_error(cstate, "unknown osi proto '%s'", name);
6029 break;
6030
6031 default:
6032 v = PROTO_UNDEF;
6033 break;
6034 }
6035 return v;
6036 }
6037
6038 #if 0
6039 struct stmt *
6040 gen_joinsp(struct stmt **s, int n)
6041 {
6042 return NULL;
6043 }
6044 #endif
6045
6046 static struct block *
6047 gen_protochain(compiler_state_t *cstate, bpf_u_int32 v, int proto)
6048 {
6049 #ifdef NO_PROTOCHAIN
6050 return gen_proto(cstate, v, proto);
6051 #else
6052 struct block *b0, *b;
6053 struct slist *s[100];
6054 int fix2, fix3, fix4, fix5;
6055 int ahcheck, again, end;
6056 int i, max;
6057 int reg2 = alloc_reg(cstate);
6058
6059 memset(s, 0, sizeof(s));
6060 fix3 = fix4 = fix5 = 0;
6061
6062 switch (proto) {
6063 case Q_IP:
6064 case Q_IPV6:
6065 break;
6066 case Q_DEFAULT:
6067 b0 = gen_protochain(cstate, v, Q_IP);
6068 b = gen_protochain(cstate, v, Q_IPV6);
6069 gen_or(b0, b);
6070 return b;
6071 default:
6072 bpf_error(cstate, "bad protocol applied for 'protochain'");
6073 /*NOTREACHED*/
6074 }
6075
6076 /*
6077 * We don't handle variable-length prefixes before the link-layer
6078 * header, or variable-length link-layer headers, here yet.
6079 * We might want to add BPF instructions to do the protochain
6080 * work, to simplify that and, on platforms that have a BPF
6081 * interpreter with the new instructions, let the filtering
6082 * be done in the kernel. (We already require a modified BPF
6083 * engine to do the protochain stuff, to support backward
6084 * branches, and backward branch support is unlikely to appear
6085 * in kernel BPF engines.)
6086 */
6087 if (cstate->off_linkpl.is_variable)
6088 bpf_error(cstate, "'protochain' not supported with variable length headers");
6089
6090 /*
6091 * To quote a comment in optimize.c:
6092 *
6093 * "These data structures are used in a Cocke and Shwarz style
6094 * value numbering scheme. Since the flowgraph is acyclic,
6095 * exit values can be propagated from a node's predecessors
6096 * provided it is uniquely defined."
6097 *
6098 * "Acyclic" means "no backward branches", which means "no
6099 * loops", so we have to turn the optimizer off.
6100 */
6101 cstate->no_optimize = 1;
6102
6103 /*
6104 * s[0] is a dummy entry to protect other BPF insn from damage
6105 * by s[fix] = foo with uninitialized variable "fix". It is somewhat
6106 * hard to find interdependency made by jump table fixup.
6107 */
6108 i = 0;
6109 s[i] = new_stmt(cstate, 0); /*dummy*/
6110 i++;
6111
6112 switch (proto) {
6113 case Q_IP:
6114 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6115
6116 /* A = ip->ip_p */
6117 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6118 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 9;
6119 i++;
6120 /* X = ip->ip_hl << 2 */
6121 s[i] = new_stmt(cstate, BPF_LDX|BPF_MSH|BPF_B);
6122 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6123 i++;
6124 break;
6125
6126 case Q_IPV6:
6127 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6128
6129 /* A = ip6->ip_nxt */
6130 s[i] = new_stmt(cstate, BPF_LD|BPF_ABS|BPF_B);
6131 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 6;
6132 i++;
6133 /* X = sizeof(struct ip6_hdr) */
6134 s[i] = new_stmt(cstate, BPF_LDX|BPF_IMM);
6135 s[i]->s.k = 40;
6136 i++;
6137 break;
6138
6139 default:
6140 bpf_error(cstate, "unsupported proto to gen_protochain");
6141 /*NOTREACHED*/
6142 }
6143
6144 /* again: if (A == v) goto end; else fall through; */
6145 again = i;
6146 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6147 s[i]->s.k = v;
6148 s[i]->s.jt = NULL; /*later*/
6149 s[i]->s.jf = NULL; /*update in next stmt*/
6150 fix5 = i;
6151 i++;
6152
6153 #ifndef IPPROTO_NONE
6154 #define IPPROTO_NONE 59
6155 #endif
6156 /* if (A == IPPROTO_NONE) goto end */
6157 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6158 s[i]->s.jt = NULL; /*later*/
6159 s[i]->s.jf = NULL; /*update in next stmt*/
6160 s[i]->s.k = IPPROTO_NONE;
6161 s[fix5]->s.jf = s[i];
6162 fix2 = i;
6163 i++;
6164
6165 if (proto == Q_IPV6) {
6166 int v6start, v6end, v6advance, j;
6167
6168 v6start = i;
6169 /* if (A == IPPROTO_HOPOPTS) goto v6advance */
6170 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6171 s[i]->s.jt = NULL; /*later*/
6172 s[i]->s.jf = NULL; /*update in next stmt*/
6173 s[i]->s.k = IPPROTO_HOPOPTS;
6174 s[fix2]->s.jf = s[i];
6175 i++;
6176 /* if (A == IPPROTO_DSTOPTS) goto v6advance */
6177 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6178 s[i]->s.jt = NULL; /*later*/
6179 s[i]->s.jf = NULL; /*update in next stmt*/
6180 s[i]->s.k = IPPROTO_DSTOPTS;
6181 i++;
6182 /* if (A == IPPROTO_ROUTING) goto v6advance */
6183 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6184 s[i]->s.jt = NULL; /*later*/
6185 s[i]->s.jf = NULL; /*update in next stmt*/
6186 s[i]->s.k = IPPROTO_ROUTING;
6187 i++;
6188 /* if (A == IPPROTO_FRAGMENT) goto v6advance; else goto ahcheck; */
6189 s[i - 1]->s.jf = s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6190 s[i]->s.jt = NULL; /*later*/
6191 s[i]->s.jf = NULL; /*later*/
6192 s[i]->s.k = IPPROTO_FRAGMENT;
6193 fix3 = i;
6194 v6end = i;
6195 i++;
6196
6197 /* v6advance: */
6198 v6advance = i;
6199
6200 /*
6201 * in short,
6202 * A = P[X + packet head];
6203 * X = X + (P[X + packet head + 1] + 1) * 8;
6204 */
6205 /* A = P[X + packet head] */
6206 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6207 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6208 i++;
6209 /* MEM[reg2] = A */
6210 s[i] = new_stmt(cstate, BPF_ST);
6211 s[i]->s.k = reg2;
6212 i++;
6213 /* A = P[X + packet head + 1]; */
6214 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6215 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 1;
6216 i++;
6217 /* A += 1 */
6218 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6219 s[i]->s.k = 1;
6220 i++;
6221 /* A *= 8 */
6222 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6223 s[i]->s.k = 8;
6224 i++;
6225 /* A += X */
6226 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
6227 s[i]->s.k = 0;
6228 i++;
6229 /* X = A; */
6230 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6231 i++;
6232 /* A = MEM[reg2] */
6233 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6234 s[i]->s.k = reg2;
6235 i++;
6236
6237 /* goto again; (must use BPF_JA for backward jump) */
6238 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6239 s[i]->s.k = again - i - 1;
6240 s[i - 1]->s.jf = s[i];
6241 i++;
6242
6243 /* fixup */
6244 for (j = v6start; j <= v6end; j++)
6245 s[j]->s.jt = s[v6advance];
6246 } else {
6247 /* nop */
6248 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6249 s[i]->s.k = 0;
6250 s[fix2]->s.jf = s[i];
6251 i++;
6252 }
6253
6254 /* ahcheck: */
6255 ahcheck = i;
6256 /* if (A == IPPROTO_AH) then fall through; else goto end; */
6257 s[i] = new_stmt(cstate, BPF_JMP|BPF_JEQ|BPF_K);
6258 s[i]->s.jt = NULL; /*later*/
6259 s[i]->s.jf = NULL; /*later*/
6260 s[i]->s.k = IPPROTO_AH;
6261 if (fix3)
6262 s[fix3]->s.jf = s[ahcheck];
6263 fix4 = i;
6264 i++;
6265
6266 /*
6267 * in short,
6268 * A = P[X];
6269 * X = X + (P[X + 1] + 2) * 4;
6270 */
6271 /* A = X */
6272 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6273 i++;
6274 /* A = P[X + packet head]; */
6275 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6276 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6277 i++;
6278 /* MEM[reg2] = A */
6279 s[i] = new_stmt(cstate, BPF_ST);
6280 s[i]->s.k = reg2;
6281 i++;
6282 /* A = X */
6283 s[i - 1]->s.jt = s[i] = new_stmt(cstate, BPF_MISC|BPF_TXA);
6284 i++;
6285 /* A += 1 */
6286 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6287 s[i]->s.k = 1;
6288 i++;
6289 /* X = A */
6290 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6291 i++;
6292 /* A = P[X + packet head] */
6293 s[i] = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
6294 s[i]->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
6295 i++;
6296 /* A += 2 */
6297 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6298 s[i]->s.k = 2;
6299 i++;
6300 /* A *= 4 */
6301 s[i] = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
6302 s[i]->s.k = 4;
6303 i++;
6304 /* X = A; */
6305 s[i] = new_stmt(cstate, BPF_MISC|BPF_TAX);
6306 i++;
6307 /* A = MEM[reg2] */
6308 s[i] = new_stmt(cstate, BPF_LD|BPF_MEM);
6309 s[i]->s.k = reg2;
6310 i++;
6311
6312 /* goto again; (must use BPF_JA for backward jump) */
6313 s[i] = new_stmt(cstate, BPF_JMP|BPF_JA);
6314 s[i]->s.k = again - i - 1;
6315 i++;
6316
6317 /* end: nop */
6318 end = i;
6319 s[i] = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
6320 s[i]->s.k = 0;
6321 s[fix2]->s.jt = s[end];
6322 s[fix4]->s.jf = s[end];
6323 s[fix5]->s.jt = s[end];
6324 i++;
6325
6326 /*
6327 * make slist chain
6328 */
6329 max = i;
6330 for (i = 0; i < max - 1; i++)
6331 s[i]->next = s[i + 1];
6332 s[max - 1]->next = NULL;
6333
6334 /*
6335 * emit final check
6336 */
6337 b = new_block(cstate, JMP(BPF_JEQ));
6338 b->stmts = s[1]; /*remember, s[0] is dummy*/
6339 b->s.k = v;
6340
6341 free_reg(cstate, reg2);
6342
6343 gen_and(b0, b);
6344 return b;
6345 #endif
6346 }
6347
6348 static struct block *
6349 gen_check_802_11_data_frame(compiler_state_t *cstate)
6350 {
6351 struct slist *s;
6352 struct block *b0, *b1;
6353
6354 /*
6355 * A data frame has the 0x08 bit (b3) in the frame control field set
6356 * and the 0x04 bit (b2) clear.
6357 */
6358 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6359 b0 = new_block(cstate, JMP(BPF_JSET));
6360 b0->s.k = 0x08;
6361 b0->stmts = s;
6362
6363 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
6364 b1 = new_block(cstate, JMP(BPF_JSET));
6365 b1->s.k = 0x04;
6366 b1->stmts = s;
6367 gen_not(b1);
6368
6369 gen_and(b1, b0);
6370
6371 return b0;
6372 }
6373
6374 /*
6375 * Generate code that checks whether the packet is a packet for protocol
6376 * <proto> and whether the type field in that protocol's header has
6377 * the value <v>, e.g. if <proto> is Q_IP, it checks whether it's an
6378 * IP packet and checks the protocol number in the IP header against <v>.
6379 *
6380 * If <proto> is Q_DEFAULT, i.e. just "proto" was specified, it checks
6381 * against Q_IP and Q_IPV6.
6382 */
6383 static struct block *
6384 gen_proto(compiler_state_t *cstate, bpf_u_int32 v, int proto, int dir)
6385 {
6386 struct block *b0, *b1;
6387 #ifndef CHASE_CHAIN
6388 struct block *b2;
6389 #endif
6390
6391 if (dir != Q_DEFAULT)
6392 bpf_error(cstate, "direction applied to 'proto'");
6393
6394 switch (proto) {
6395 case Q_DEFAULT:
6396 b0 = gen_proto(cstate, v, Q_IP, dir);
6397 b1 = gen_proto(cstate, v, Q_IPV6, dir);
6398 gen_or(b0, b1);
6399 return b1;
6400
6401 case Q_LINK:
6402 return gen_linktype(cstate, v);
6403
6404 case Q_IP:
6405 /*
6406 * For FDDI, RFC 1188 says that SNAP encapsulation is used,
6407 * not LLC encapsulation with LLCSAP_IP.
6408 *
6409 * For IEEE 802 networks - which includes 802.5 token ring
6410 * (which is what DLT_IEEE802 means) and 802.11 - RFC 1042
6411 * says that SNAP encapsulation is used, not LLC encapsulation
6412 * with LLCSAP_IP.
6413 *
6414 * For LLC-encapsulated ATM/"Classical IP", RFC 1483 and
6415 * RFC 2225 say that SNAP encapsulation is used, not LLC
6416 * encapsulation with LLCSAP_IP.
6417 *
6418 * So we always check for ETHERTYPE_IP.
6419 */
6420 b0 = gen_linktype(cstate, ETHERTYPE_IP);
6421 #ifndef CHASE_CHAIN
6422 b1 = gen_cmp(cstate, OR_LINKPL, 9, BPF_B, v);
6423 #else
6424 b1 = gen_protochain(cstate, v, Q_IP);
6425 #endif
6426 gen_and(b0, b1);
6427 return b1;
6428
6429 case Q_ARP:
6430 bpf_error(cstate, "arp does not encapsulate another protocol");
6431 /*NOTREACHED*/
6432
6433 case Q_RARP:
6434 bpf_error(cstate, "rarp does not encapsulate another protocol");
6435 /*NOTREACHED*/
6436
6437 case Q_SCTP:
6438 bpf_error(cstate, "'sctp proto' is bogus");
6439 /*NOTREACHED*/
6440
6441 case Q_TCP:
6442 bpf_error(cstate, "'tcp proto' is bogus");
6443 /*NOTREACHED*/
6444
6445 case Q_UDP:
6446 bpf_error(cstate, "'udp proto' is bogus");
6447 /*NOTREACHED*/
6448
6449 case Q_ICMP:
6450 bpf_error(cstate, "'icmp proto' is bogus");
6451 /*NOTREACHED*/
6452
6453 case Q_IGMP:
6454 bpf_error(cstate, "'igmp proto' is bogus");
6455 /*NOTREACHED*/
6456
6457 case Q_IGRP:
6458 bpf_error(cstate, "'igrp proto' is bogus");
6459 /*NOTREACHED*/
6460
6461 case Q_ATALK:
6462 bpf_error(cstate, "AppleTalk encapsulation is not specifiable");
6463 /*NOTREACHED*/
6464
6465 case Q_DECNET:
6466 bpf_error(cstate, "DECNET encapsulation is not specifiable");
6467 /*NOTREACHED*/
6468
6469 case Q_LAT:
6470 bpf_error(cstate, "LAT does not encapsulate another protocol");
6471 /*NOTREACHED*/
6472
6473 case Q_SCA:
6474 bpf_error(cstate, "SCA does not encapsulate another protocol");
6475 /*NOTREACHED*/
6476
6477 case Q_MOPRC:
6478 bpf_error(cstate, "MOPRC does not encapsulate another protocol");
6479 /*NOTREACHED*/
6480
6481 case Q_MOPDL:
6482 bpf_error(cstate, "MOPDL does not encapsulate another protocol");
6483 /*NOTREACHED*/
6484
6485 case Q_IPV6:
6486 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
6487 #ifndef CHASE_CHAIN
6488 /*
6489 * Also check for a fragment header before the final
6490 * header.
6491 */
6492 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, IPPROTO_FRAGMENT);
6493 b1 = gen_cmp(cstate, OR_LINKPL, 40, BPF_B, v);
6494 gen_and(b2, b1);
6495 b2 = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, v);
6496 gen_or(b2, b1);
6497 #else
6498 b1 = gen_protochain(cstate, v, Q_IPV6);
6499 #endif
6500 gen_and(b0, b1);
6501 return b1;
6502
6503 case Q_ICMPV6:
6504 bpf_error(cstate, "'icmp6 proto' is bogus");
6505 /*NOTREACHED*/
6506
6507 case Q_AH:
6508 bpf_error(cstate, "'ah proto' is bogus");
6509 /*NOTREACHED*/
6510
6511 case Q_ESP:
6512 bpf_error(cstate, "'esp proto' is bogus");
6513 /*NOTREACHED*/
6514
6515 case Q_PIM:
6516 bpf_error(cstate, "'pim proto' is bogus");
6517 /*NOTREACHED*/
6518
6519 case Q_VRRP:
6520 bpf_error(cstate, "'vrrp proto' is bogus");
6521 /*NOTREACHED*/
6522
6523 case Q_AARP:
6524 bpf_error(cstate, "'aarp proto' is bogus");
6525 /*NOTREACHED*/
6526
6527 case Q_ISO:
6528 switch (cstate->linktype) {
6529
6530 case DLT_FRELAY:
6531 /*
6532 * Frame Relay packets typically have an OSI
6533 * NLPID at the beginning; "gen_linktype(cstate, LLCSAP_ISONS)"
6534 * generates code to check for all the OSI
6535 * NLPIDs, so calling it and then adding a check
6536 * for the particular NLPID for which we're
6537 * looking is bogus, as we can just check for
6538 * the NLPID.
6539 *
6540 * What we check for is the NLPID and a frame
6541 * control field value of UI, i.e. 0x03 followed
6542 * by the NLPID.
6543 *
6544 * XXX - assumes a 2-byte Frame Relay header with
6545 * DLCI and flags. What if the address is longer?
6546 *
6547 * XXX - what about SNAP-encapsulated frames?
6548 */
6549 return gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, (0x03<<8) | v);
6550 /*NOTREACHED*/
6551
6552 case DLT_C_HDLC:
6553 /*
6554 * Cisco uses an Ethertype lookalike - for OSI,
6555 * it's 0xfefe.
6556 */
6557 b0 = gen_linktype(cstate, LLCSAP_ISONS<<8 | LLCSAP_ISONS);
6558 /* OSI in C-HDLC is stuffed with a fudge byte */
6559 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 1, BPF_B, v);
6560 gen_and(b0, b1);
6561 return b1;
6562
6563 default:
6564 b0 = gen_linktype(cstate, LLCSAP_ISONS);
6565 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 0, BPF_B, v);
6566 gen_and(b0, b1);
6567 return b1;
6568 }
6569
6570 case Q_ESIS:
6571 bpf_error(cstate, "'esis proto' is bogus");
6572 /*NOTREACHED*/
6573
6574 case Q_ISIS:
6575 b0 = gen_proto(cstate, ISO10589_ISIS, Q_ISO, Q_DEFAULT);
6576 /*
6577 * 4 is the offset of the PDU type relative to the IS-IS
6578 * header.
6579 */
6580 b1 = gen_cmp(cstate, OR_LINKPL_NOSNAP, 4, BPF_B, v);
6581 gen_and(b0, b1);
6582 return b1;
6583
6584 case Q_CLNP:
6585 bpf_error(cstate, "'clnp proto' is not supported");
6586 /*NOTREACHED*/
6587
6588 case Q_STP:
6589 bpf_error(cstate, "'stp proto' is bogus");
6590 /*NOTREACHED*/
6591
6592 case Q_IPX:
6593 bpf_error(cstate, "'ipx proto' is bogus");
6594 /*NOTREACHED*/
6595
6596 case Q_NETBEUI:
6597 bpf_error(cstate, "'netbeui proto' is bogus");
6598 /*NOTREACHED*/
6599
6600 case Q_ISIS_L1:
6601 bpf_error(cstate, "'l1 proto' is bogus");
6602 /*NOTREACHED*/
6603
6604 case Q_ISIS_L2:
6605 bpf_error(cstate, "'l2 proto' is bogus");
6606 /*NOTREACHED*/
6607
6608 case Q_ISIS_IIH:
6609 bpf_error(cstate, "'iih proto' is bogus");
6610 /*NOTREACHED*/
6611
6612 case Q_ISIS_SNP:
6613 bpf_error(cstate, "'snp proto' is bogus");
6614 /*NOTREACHED*/
6615
6616 case Q_ISIS_CSNP:
6617 bpf_error(cstate, "'csnp proto' is bogus");
6618 /*NOTREACHED*/
6619
6620 case Q_ISIS_PSNP:
6621 bpf_error(cstate, "'psnp proto' is bogus");
6622 /*NOTREACHED*/
6623
6624 case Q_ISIS_LSP:
6625 bpf_error(cstate, "'lsp proto' is bogus");
6626 /*NOTREACHED*/
6627
6628 case Q_RADIO:
6629 bpf_error(cstate, "'radio proto' is bogus");
6630 /*NOTREACHED*/
6631
6632 case Q_CARP:
6633 bpf_error(cstate, "'carp proto' is bogus");
6634 /*NOTREACHED*/
6635
6636 default:
6637 abort();
6638 /*NOTREACHED*/
6639 }
6640 /*NOTREACHED*/
6641 }
6642
6643 struct block *
6644 gen_scode(compiler_state_t *cstate, const char *name, struct qual q)
6645 {
6646 int proto = q.proto;
6647 int dir = q.dir;
6648 int tproto;
6649 u_char *eaddr;
6650 bpf_u_int32 mask, addr;
6651 struct addrinfo *res, *res0;
6652 struct sockaddr_in *sin4;
6653 #ifdef INET6
6654 int tproto6;
6655 struct sockaddr_in6 *sin6;
6656 struct in6_addr mask128;
6657 #endif /*INET6*/
6658 struct block *b, *tmp;
6659 int port, real_proto;
6660 int port1, port2;
6661
6662 /*
6663 * Catch errors reported by us and routines below us, and return NULL
6664 * on an error.
6665 */
6666 if (setjmp(cstate->top_ctx))
6667 return (NULL);
6668
6669 switch (q.addr) {
6670
6671 case Q_NET:
6672 addr = pcap_nametonetaddr(name);
6673 if (addr == 0)
6674 bpf_error(cstate, "unknown network '%s'", name);
6675 /* Left justify network addr and calculate its network mask */
6676 mask = 0xffffffff;
6677 while (addr && (addr & 0xff000000) == 0) {
6678 addr <<= 8;
6679 mask <<= 8;
6680 }
6681 return gen_host(cstate, addr, mask, proto, dir, q.addr);
6682
6683 case Q_DEFAULT:
6684 case Q_HOST:
6685 if (proto == Q_LINK) {
6686 switch (cstate->linktype) {
6687
6688 case DLT_EN10MB:
6689 case DLT_NETANALYZER:
6690 case DLT_NETANALYZER_TRANSPARENT:
6691 eaddr = pcap_ether_hostton(name);
6692 if (eaddr == NULL)
6693 bpf_error(cstate,
6694 "unknown ether host '%s'", name);
6695 tmp = gen_prevlinkhdr_check(cstate);
6696 b = gen_ehostop(cstate, eaddr, dir);
6697 if (tmp != NULL)
6698 gen_and(tmp, b);
6699 free(eaddr);
6700 return b;
6701
6702 case DLT_FDDI:
6703 eaddr = pcap_ether_hostton(name);
6704 if (eaddr == NULL)
6705 bpf_error(cstate,
6706 "unknown FDDI host '%s'", name);
6707 b = gen_fhostop(cstate, eaddr, dir);
6708 free(eaddr);
6709 return b;
6710
6711 case DLT_IEEE802:
6712 eaddr = pcap_ether_hostton(name);
6713 if (eaddr == NULL)
6714 bpf_error(cstate,
6715 "unknown token ring host '%s'", name);
6716 b = gen_thostop(cstate, eaddr, dir);
6717 free(eaddr);
6718 return b;
6719
6720 case DLT_IEEE802_11:
6721 case DLT_PRISM_HEADER:
6722 case DLT_IEEE802_11_RADIO_AVS:
6723 case DLT_IEEE802_11_RADIO:
6724 case DLT_PPI:
6725 eaddr = pcap_ether_hostton(name);
6726 if (eaddr == NULL)
6727 bpf_error(cstate,
6728 "unknown 802.11 host '%s'", name);
6729 b = gen_wlanhostop(cstate, eaddr, dir);
6730 free(eaddr);
6731 return b;
6732
6733 case DLT_IP_OVER_FC:
6734 eaddr = pcap_ether_hostton(name);
6735 if (eaddr == NULL)
6736 bpf_error(cstate,
6737 "unknown Fibre Channel host '%s'", name);
6738 b = gen_ipfchostop(cstate, eaddr, dir);
6739 free(eaddr);
6740 return b;
6741 }
6742
6743 bpf_error(cstate, "only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name");
6744 } else if (proto == Q_DECNET) {
6745 unsigned short dn_addr;
6746
6747 if (!__pcap_nametodnaddr(name, &dn_addr)) {
6748 #ifdef DECNETLIB
6749 bpf_error(cstate, "unknown decnet host name '%s'\n", name);
6750 #else
6751 bpf_error(cstate, "decnet name support not included, '%s' cannot be translated\n",
6752 name);
6753 #endif
6754 }
6755 /*
6756 * I don't think DECNET hosts can be multihomed, so
6757 * there is no need to build up a list of addresses
6758 */
6759 return (gen_host(cstate, dn_addr, 0, proto, dir, q.addr));
6760 } else {
6761 #ifdef INET6
6762 memset(&mask128, 0xff, sizeof(mask128));
6763 #endif
6764 res0 = res = pcap_nametoaddrinfo(name);
6765 if (res == NULL)
6766 bpf_error(cstate, "unknown host '%s'", name);
6767 cstate->ai = res;
6768 b = tmp = NULL;
6769 tproto = proto;
6770 #ifdef INET6
6771 tproto6 = proto;
6772 #endif
6773 if (cstate->off_linktype.constant_part == OFFSET_NOT_SET &&
6774 tproto == Q_DEFAULT) {
6775 tproto = Q_IP;
6776 #ifdef INET6
6777 tproto6 = Q_IPV6;
6778 #endif
6779 }
6780 for (res = res0; res; res = res->ai_next) {
6781 switch (res->ai_family) {
6782 case AF_INET:
6783 #ifdef INET6
6784 if (tproto == Q_IPV6)
6785 continue;
6786 #endif
6787
6788 sin4 = (struct sockaddr_in *)
6789 res->ai_addr;
6790 tmp = gen_host(cstate, ntohl(sin4->sin_addr.s_addr),
6791 0xffffffff, tproto, dir, q.addr);
6792 break;
6793 #ifdef INET6
6794 case AF_INET6:
6795 if (tproto6 == Q_IP)
6796 continue;
6797
6798 sin6 = (struct sockaddr_in6 *)
6799 res->ai_addr;
6800 tmp = gen_host6(cstate, &sin6->sin6_addr,
6801 &mask128, tproto6, dir, q.addr);
6802 break;
6803 #endif
6804 default:
6805 continue;
6806 }
6807 if (b)
6808 gen_or(b, tmp);
6809 b = tmp;
6810 }
6811 cstate->ai = NULL;
6812 freeaddrinfo(res0);
6813 if (b == NULL) {
6814 bpf_error(cstate, "unknown host '%s'%s", name,
6815 (proto == Q_DEFAULT)
6816 ? ""
6817 : " for specified address family");
6818 }
6819 return b;
6820 }
6821
6822 case Q_PORT:
6823 if (proto != Q_DEFAULT &&
6824 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6825 bpf_error(cstate, "illegal qualifier of 'port'");
6826 if (pcap_nametoport(name, &port, &real_proto) == 0)
6827 bpf_error(cstate, "unknown port '%s'", name);
6828 if (proto == Q_UDP) {
6829 if (real_proto == IPPROTO_TCP)
6830 bpf_error(cstate, "port '%s' is tcp", name);
6831 else if (real_proto == IPPROTO_SCTP)
6832 bpf_error(cstate, "port '%s' is sctp", name);
6833 else
6834 /* override PROTO_UNDEF */
6835 real_proto = IPPROTO_UDP;
6836 }
6837 if (proto == Q_TCP) {
6838 if (real_proto == IPPROTO_UDP)
6839 bpf_error(cstate, "port '%s' is udp", name);
6840
6841 else if (real_proto == IPPROTO_SCTP)
6842 bpf_error(cstate, "port '%s' is sctp", name);
6843 else
6844 /* override PROTO_UNDEF */
6845 real_proto = IPPROTO_TCP;
6846 }
6847 if (proto == Q_SCTP) {
6848 if (real_proto == IPPROTO_UDP)
6849 bpf_error(cstate, "port '%s' is udp", name);
6850
6851 else if (real_proto == IPPROTO_TCP)
6852 bpf_error(cstate, "port '%s' is tcp", name);
6853 else
6854 /* override PROTO_UNDEF */
6855 real_proto = IPPROTO_SCTP;
6856 }
6857 if (port < 0)
6858 bpf_error(cstate, "illegal port number %d < 0", port);
6859 if (port > 65535)
6860 bpf_error(cstate, "illegal port number %d > 65535", port);
6861 b = gen_port(cstate, port, real_proto, dir);
6862 gen_or(gen_port6(cstate, port, real_proto, dir), b);
6863 return b;
6864
6865 case Q_PORTRANGE:
6866 if (proto != Q_DEFAULT &&
6867 proto != Q_UDP && proto != Q_TCP && proto != Q_SCTP)
6868 bpf_error(cstate, "illegal qualifier of 'portrange'");
6869 if (pcap_nametoportrange(name, &port1, &port2, &real_proto) == 0)
6870 bpf_error(cstate, "unknown port in range '%s'", name);
6871 if (proto == Q_UDP) {
6872 if (real_proto == IPPROTO_TCP)
6873 bpf_error(cstate, "port in range '%s' is tcp", name);
6874 else if (real_proto == IPPROTO_SCTP)
6875 bpf_error(cstate, "port in range '%s' is sctp", name);
6876 else
6877 /* override PROTO_UNDEF */
6878 real_proto = IPPROTO_UDP;
6879 }
6880 if (proto == Q_TCP) {
6881 if (real_proto == IPPROTO_UDP)
6882 bpf_error(cstate, "port in range '%s' is udp", name);
6883 else if (real_proto == IPPROTO_SCTP)
6884 bpf_error(cstate, "port in range '%s' is sctp", name);
6885 else
6886 /* override PROTO_UNDEF */
6887 real_proto = IPPROTO_TCP;
6888 }
6889 if (proto == Q_SCTP) {
6890 if (real_proto == IPPROTO_UDP)
6891 bpf_error(cstate, "port in range '%s' is udp", name);
6892 else if (real_proto == IPPROTO_TCP)
6893 bpf_error(cstate, "port in range '%s' is tcp", name);
6894 else
6895 /* override PROTO_UNDEF */
6896 real_proto = IPPROTO_SCTP;
6897 }
6898 if (port1 < 0)
6899 bpf_error(cstate, "illegal port number %d < 0", port1);
6900 if (port1 > 65535)
6901 bpf_error(cstate, "illegal port number %d > 65535", port1);
6902 if (port2 < 0)
6903 bpf_error(cstate, "illegal port number %d < 0", port2);
6904 if (port2 > 65535)
6905 bpf_error(cstate, "illegal port number %d > 65535", port2);
6906
6907 b = gen_portrange(cstate, port1, port2, real_proto, dir);
6908 gen_or(gen_portrange6(cstate, port1, port2, real_proto, dir), b);
6909 return b;
6910
6911 case Q_GATEWAY:
6912 #ifndef INET6
6913 eaddr = pcap_ether_hostton(name);
6914 if (eaddr == NULL)
6915 bpf_error(cstate, "unknown ether host: %s", name);
6916
6917 res = pcap_nametoaddrinfo(name);
6918 cstate->ai = res;
6919 if (res == NULL)
6920 bpf_error(cstate, "unknown host '%s'", name);
6921 b = gen_gateway(cstate, eaddr, res, proto, dir);
6922 cstate->ai = NULL;
6923 freeaddrinfo(res);
6924 if (b == NULL)
6925 bpf_error(cstate, "unknown host '%s'", name);
6926 return b;
6927 #else
6928 bpf_error(cstate, "'gateway' not supported in this configuration");
6929 #endif /*INET6*/
6930
6931 case Q_PROTO:
6932 real_proto = lookup_proto(cstate, name, proto);
6933 if (real_proto >= 0)
6934 return gen_proto(cstate, real_proto, proto, dir);
6935 else
6936 bpf_error(cstate, "unknown protocol: %s", name);
6937
6938 case Q_PROTOCHAIN:
6939 real_proto = lookup_proto(cstate, name, proto);
6940 if (real_proto >= 0)
6941 return gen_protochain(cstate, real_proto, proto);
6942 else
6943 bpf_error(cstate, "unknown protocol: %s", name);
6944
6945 case Q_UNDEF:
6946 syntax(cstate);
6947 /*NOTREACHED*/
6948 }
6949 abort();
6950 /*NOTREACHED*/
6951 }
6952
6953 struct block *
6954 gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
6955 bpf_u_int32 masklen, struct qual q)
6956 {
6957 register int nlen, mlen;
6958 bpf_u_int32 n, m;
6959
6960 /*
6961 * Catch errors reported by us and routines below us, and return NULL
6962 * on an error.
6963 */
6964 if (setjmp(cstate->top_ctx))
6965 return (NULL);
6966
6967 nlen = __pcap_atoin(s1, &n);
6968 if (nlen < 0)
6969 bpf_error(cstate, "invalid IPv4 address '%s'", s1);
6970 /* Promote short ipaddr */
6971 n <<= 32 - nlen;
6972
6973 if (s2 != NULL) {
6974 mlen = __pcap_atoin(s2, &m);
6975 if (mlen < 0)
6976 bpf_error(cstate, "invalid IPv4 address '%s'", s2);
6977 /* Promote short ipaddr */
6978 m <<= 32 - mlen;
6979 if ((n & ~m) != 0)
6980 bpf_error(cstate, "non-network bits set in \"%s mask %s\"",
6981 s1, s2);
6982 } else {
6983 /* Convert mask len to mask */
6984 if (masklen > 32)
6985 bpf_error(cstate, "mask length must be <= 32");
6986 if (masklen == 0) {
6987 /*
6988 * X << 32 is not guaranteed by C to be 0; it's
6989 * undefined.
6990 */
6991 m = 0;
6992 } else
6993 m = 0xffffffff << (32 - masklen);
6994 if ((n & ~m) != 0)
6995 bpf_error(cstate, "non-network bits set in \"%s/%d\"",
6996 s1, masklen);
6997 }
6998
6999 switch (q.addr) {
7000
7001 case Q_NET:
7002 return gen_host(cstate, n, m, q.proto, q.dir, q.addr);
7003
7004 default:
7005 bpf_error(cstate, "Mask syntax for networks only");
7006 /*NOTREACHED*/
7007 }
7008 /*NOTREACHED*/
7009 }
7010
7011 struct block *
7012 gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
7013 {
7014 bpf_u_int32 mask;
7015 int proto;
7016 int dir;
7017 register int vlen;
7018
7019 /*
7020 * Catch errors reported by us and routines below us, and return NULL
7021 * on an error.
7022 */
7023 if (setjmp(cstate->top_ctx))
7024 return (NULL);
7025
7026 proto = q.proto;
7027 dir = q.dir;
7028 if (s == NULL)
7029 vlen = 32;
7030 else if (q.proto == Q_DECNET) {
7031 vlen = __pcap_atodn(s, &v);
7032 if (vlen == 0)
7033 bpf_error(cstate, "malformed decnet address '%s'", s);
7034 } else {
7035 vlen = __pcap_atoin(s, &v);
7036 if (vlen < 0)
7037 bpf_error(cstate, "invalid IPv4 address '%s'", s);
7038 }
7039
7040 switch (q.addr) {
7041
7042 case Q_DEFAULT:
7043 case Q_HOST:
7044 case Q_NET:
7045 if (proto == Q_DECNET)
7046 return gen_host(cstate, v, 0, proto, dir, q.addr);
7047 else if (proto == Q_LINK) {
7048 bpf_error(cstate, "illegal link layer address");
7049 } else {
7050 mask = 0xffffffff;
7051 if (s == NULL && q.addr == Q_NET) {
7052 /* Promote short net number */
7053 while (v && (v & 0xff000000) == 0) {
7054 v <<= 8;
7055 mask <<= 8;
7056 }
7057 } else {
7058 /* Promote short ipaddr */
7059 v <<= 32 - vlen;
7060 mask <<= 32 - vlen ;
7061 }
7062 return gen_host(cstate, v, mask, proto, dir, q.addr);
7063 }
7064
7065 case Q_PORT:
7066 if (proto == Q_UDP)
7067 proto = IPPROTO_UDP;
7068 else if (proto == Q_TCP)
7069 proto = IPPROTO_TCP;
7070 else if (proto == Q_SCTP)
7071 proto = IPPROTO_SCTP;
7072 else if (proto == Q_DEFAULT)
7073 proto = PROTO_UNDEF;
7074 else
7075 bpf_error(cstate, "illegal qualifier of 'port'");
7076
7077 if (v > 65535)
7078 bpf_error(cstate, "illegal port number %u > 65535", v);
7079
7080 {
7081 struct block *b;
7082 b = gen_port(cstate, v, proto, dir);
7083 gen_or(gen_port6(cstate, v, proto, dir), b);
7084 return b;
7085 }
7086
7087 case Q_PORTRANGE:
7088 if (proto == Q_UDP)
7089 proto = IPPROTO_UDP;
7090 else if (proto == Q_TCP)
7091 proto = IPPROTO_TCP;
7092 else if (proto == Q_SCTP)
7093 proto = IPPROTO_SCTP;
7094 else if (proto == Q_DEFAULT)
7095 proto = PROTO_UNDEF;
7096 else
7097 bpf_error(cstate, "illegal qualifier of 'portrange'");
7098
7099 if (v > 65535)
7100 bpf_error(cstate, "illegal port number %u > 65535", v);
7101
7102 {
7103 struct block *b;
7104 b = gen_portrange(cstate, v, v, proto, dir);
7105 gen_or(gen_portrange6(cstate, v, v, proto, dir), b);
7106 return b;
7107 }
7108
7109 case Q_GATEWAY:
7110 bpf_error(cstate, "'gateway' requires a name");
7111 /*NOTREACHED*/
7112
7113 case Q_PROTO:
7114 return gen_proto(cstate, v, proto, dir);
7115
7116 case Q_PROTOCHAIN:
7117 return gen_protochain(cstate, v, proto);
7118
7119 case Q_UNDEF:
7120 syntax(cstate);
7121 /*NOTREACHED*/
7122
7123 default:
7124 abort();
7125 /*NOTREACHED*/
7126 }
7127 /*NOTREACHED*/
7128 }
7129
7130 #ifdef INET6
7131 struct block *
7132 gen_mcode6(compiler_state_t *cstate, const char *s1, const char *s2,
7133 bpf_u_int32 masklen, struct qual q)
7134 {
7135 struct addrinfo *res;
7136 struct in6_addr *addr;
7137 struct in6_addr mask;
7138 struct block *b;
7139 uint32_t *a, *m;
7140
7141 /*
7142 * Catch errors reported by us and routines below us, and return NULL
7143 * on an error.
7144 */
7145 if (setjmp(cstate->top_ctx))
7146 return (NULL);
7147
7148 if (s2)
7149 bpf_error(cstate, "no mask %s supported", s2);
7150
7151 res = pcap_nametoaddrinfo(s1);
7152 if (!res)
7153 bpf_error(cstate, "invalid ip6 address %s", s1);
7154 cstate->ai = res;
7155 if (res->ai_next)
7156 bpf_error(cstate, "%s resolved to multiple address", s1);
7157 addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
7158
7159 if (masklen > sizeof(mask.s6_addr) * 8)
7160 bpf_error(cstate, "mask length must be <= %u", (unsigned int)(sizeof(mask.s6_addr) * 8));
7161 memset(&mask, 0, sizeof(mask));
7162 memset(&mask.s6_addr, 0xff, masklen / 8);
7163 if (masklen % 8) {
7164 mask.s6_addr[masklen / 8] =
7165 (0xff << (8 - masklen % 8)) & 0xff;
7166 }
7167
7168 a = (uint32_t *)addr;
7169 m = (uint32_t *)&mask;
7170 if ((a[0] & ~m[0]) || (a[1] & ~m[1])
7171 || (a[2] & ~m[2]) || (a[3] & ~m[3])) {
7172 bpf_error(cstate, "non-network bits set in \"%s/%d\"", s1, masklen);
7173 }
7174
7175 switch (q.addr) {
7176
7177 case Q_DEFAULT:
7178 case Q_HOST:
7179 if (masklen != 128)
7180 bpf_error(cstate, "Mask syntax for networks only");
7181 /* FALLTHROUGH */
7182
7183 case Q_NET:
7184 b = gen_host6(cstate, addr, &mask, q.proto, q.dir, q.addr);
7185 cstate->ai = NULL;
7186 freeaddrinfo(res);
7187 return b;
7188
7189 default:
7190 bpf_error(cstate, "invalid qualifier against IPv6 address");
7191 /*NOTREACHED*/
7192 }
7193 }
7194 #endif /*INET6*/
7195
7196 struct block *
7197 gen_ecode(compiler_state_t *cstate, const char *s, struct qual q)
7198 {
7199 struct block *b, *tmp;
7200
7201 /*
7202 * Catch errors reported by us and routines below us, and return NULL
7203 * on an error.
7204 */
7205 if (setjmp(cstate->top_ctx))
7206 return (NULL);
7207
7208 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) && q.proto == Q_LINK) {
7209 cstate->e = pcap_ether_aton(s);
7210 if (cstate->e == NULL)
7211 bpf_error(cstate, "malloc");
7212 switch (cstate->linktype) {
7213 case DLT_EN10MB:
7214 case DLT_NETANALYZER:
7215 case DLT_NETANALYZER_TRANSPARENT:
7216 tmp = gen_prevlinkhdr_check(cstate);
7217 b = gen_ehostop(cstate, cstate->e, (int)q.dir);
7218 if (tmp != NULL)
7219 gen_and(tmp, b);
7220 break;
7221 case DLT_FDDI:
7222 b = gen_fhostop(cstate, cstate->e, (int)q.dir);
7223 break;
7224 case DLT_IEEE802:
7225 b = gen_thostop(cstate, cstate->e, (int)q.dir);
7226 break;
7227 case DLT_IEEE802_11:
7228 case DLT_PRISM_HEADER:
7229 case DLT_IEEE802_11_RADIO_AVS:
7230 case DLT_IEEE802_11_RADIO:
7231 case DLT_PPI:
7232 b = gen_wlanhostop(cstate, cstate->e, (int)q.dir);
7233 break;
7234 case DLT_IP_OVER_FC:
7235 b = gen_ipfchostop(cstate, cstate->e, (int)q.dir);
7236 break;
7237 default:
7238 free(cstate->e);
7239 cstate->e = NULL;
7240 bpf_error(cstate, "ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel");
7241 /*NOTREACHED*/
7242 }
7243 free(cstate->e);
7244 cstate->e = NULL;
7245 return (b);
7246 }
7247 bpf_error(cstate, "ethernet address used in non-ether expression");
7248 /*NOTREACHED*/
7249 }
7250
7251 void
7252 sappend(struct slist *s0, struct slist *s1)
7253 {
7254 /*
7255 * This is definitely not the best way to do this, but the
7256 * lists will rarely get long.
7257 */
7258 while (s0->next)
7259 s0 = s0->next;
7260 s0->next = s1;
7261 }
7262
7263 static struct slist *
7264 xfer_to_x(compiler_state_t *cstate, struct arth *a)
7265 {
7266 struct slist *s;
7267
7268 s = new_stmt(cstate, BPF_LDX|BPF_MEM);
7269 s->s.k = a->regno;
7270 return s;
7271 }
7272
7273 static struct slist *
7274 xfer_to_a(compiler_state_t *cstate, struct arth *a)
7275 {
7276 struct slist *s;
7277
7278 s = new_stmt(cstate, BPF_LD|BPF_MEM);
7279 s->s.k = a->regno;
7280 return s;
7281 }
7282
7283 /*
7284 * Modify "index" to use the value stored into its register as an
7285 * offset relative to the beginning of the header for the protocol
7286 * "proto", and allocate a register and put an item "size" bytes long
7287 * (1, 2, or 4) at that offset into that register, making it the register
7288 * for "index".
7289 */
7290 static struct arth *
7291 gen_load_internal(compiler_state_t *cstate, int proto, struct arth *inst,
7292 bpf_u_int32 size)
7293 {
7294 int size_code;
7295 struct slist *s, *tmp;
7296 struct block *b;
7297 int regno = alloc_reg(cstate);
7298
7299 free_reg(cstate, inst->regno);
7300 switch (size) {
7301
7302 default:
7303 bpf_error(cstate, "data size must be 1, 2, or 4");
7304 /*NOTREACHED*/
7305
7306 case 1:
7307 size_code = BPF_B;
7308 break;
7309
7310 case 2:
7311 size_code = BPF_H;
7312 break;
7313
7314 case 4:
7315 size_code = BPF_W;
7316 break;
7317 }
7318 switch (proto) {
7319 default:
7320 bpf_error(cstate, "unsupported index operation");
7321
7322 case Q_RADIO:
7323 /*
7324 * The offset is relative to the beginning of the packet
7325 * data, if we have a radio header. (If we don't, this
7326 * is an error.)
7327 */
7328 if (cstate->linktype != DLT_IEEE802_11_RADIO_AVS &&
7329 cstate->linktype != DLT_IEEE802_11_RADIO &&
7330 cstate->linktype != DLT_PRISM_HEADER)
7331 bpf_error(cstate, "radio information not present in capture");
7332
7333 /*
7334 * Load into the X register the offset computed into the
7335 * register specified by "index".
7336 */
7337 s = xfer_to_x(cstate, inst);
7338
7339 /*
7340 * Load the item at that offset.
7341 */
7342 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7343 sappend(s, tmp);
7344 sappend(inst->s, s);
7345 break;
7346
7347 case Q_LINK:
7348 /*
7349 * The offset is relative to the beginning of
7350 * the link-layer header.
7351 *
7352 * XXX - what about ATM LANE? Should the index be
7353 * relative to the beginning of the AAL5 frame, so
7354 * that 0 refers to the beginning of the LE Control
7355 * field, or relative to the beginning of the LAN
7356 * frame, so that 0 refers, for Ethernet LANE, to
7357 * the beginning of the destination address?
7358 */
7359 s = gen_abs_offset_varpart(cstate, &cstate->off_linkhdr);
7360
7361 /*
7362 * If "s" is non-null, it has code to arrange that the
7363 * X register contains the length of the prefix preceding
7364 * the link-layer header. Add to it the offset computed
7365 * into the register specified by "index", and move that
7366 * into the X register. Otherwise, just load into the X
7367 * register the offset computed into the register specified
7368 * by "index".
7369 */
7370 if (s != NULL) {
7371 sappend(s, xfer_to_a(cstate, inst));
7372 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7373 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7374 } else
7375 s = xfer_to_x(cstate, inst);
7376
7377 /*
7378 * Load the item at the sum of the offset we've put in the
7379 * X register and the offset of the start of the link
7380 * layer header (which is 0 if the radio header is
7381 * variable-length; that header length is what we put
7382 * into the X register and then added to the index).
7383 */
7384 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7385 tmp->s.k = cstate->off_linkhdr.constant_part;
7386 sappend(s, tmp);
7387 sappend(inst->s, s);
7388 break;
7389
7390 case Q_IP:
7391 case Q_ARP:
7392 case Q_RARP:
7393 case Q_ATALK:
7394 case Q_DECNET:
7395 case Q_SCA:
7396 case Q_LAT:
7397 case Q_MOPRC:
7398 case Q_MOPDL:
7399 case Q_IPV6:
7400 /*
7401 * The offset is relative to the beginning of
7402 * the network-layer header.
7403 * XXX - are there any cases where we want
7404 * cstate->off_nl_nosnap?
7405 */
7406 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7407
7408 /*
7409 * If "s" is non-null, it has code to arrange that the
7410 * X register contains the variable part of the offset
7411 * of the link-layer payload. Add to it the offset
7412 * computed into the register specified by "index",
7413 * and move that into the X register. Otherwise, just
7414 * load into the X register the offset computed into
7415 * the register specified by "index".
7416 */
7417 if (s != NULL) {
7418 sappend(s, xfer_to_a(cstate, inst));
7419 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7420 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7421 } else
7422 s = xfer_to_x(cstate, inst);
7423
7424 /*
7425 * Load the item at the sum of the offset we've put in the
7426 * X register, the offset of the start of the network
7427 * layer header from the beginning of the link-layer
7428 * payload, and the constant part of the offset of the
7429 * start of the link-layer payload.
7430 */
7431 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7432 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7433 sappend(s, tmp);
7434 sappend(inst->s, s);
7435
7436 /*
7437 * Do the computation only if the packet contains
7438 * the protocol in question.
7439 */
7440 b = gen_proto_abbrev_internal(cstate, proto);
7441 if (inst->b)
7442 gen_and(inst->b, b);
7443 inst->b = b;
7444 break;
7445
7446 case Q_SCTP:
7447 case Q_TCP:
7448 case Q_UDP:
7449 case Q_ICMP:
7450 case Q_IGMP:
7451 case Q_IGRP:
7452 case Q_PIM:
7453 case Q_VRRP:
7454 case Q_CARP:
7455 /*
7456 * The offset is relative to the beginning of
7457 * the transport-layer header.
7458 *
7459 * Load the X register with the length of the IPv4 header
7460 * (plus the offset of the link-layer header, if it's
7461 * a variable-length header), in bytes.
7462 *
7463 * XXX - are there any cases where we want
7464 * cstate->off_nl_nosnap?
7465 * XXX - we should, if we're built with
7466 * IPv6 support, generate code to load either
7467 * IPv4, IPv6, or both, as appropriate.
7468 */
7469 s = gen_loadx_iphdrlen(cstate);
7470
7471 /*
7472 * The X register now contains the sum of the variable
7473 * part of the offset of the link-layer payload and the
7474 * length of the network-layer header.
7475 *
7476 * Load into the A register the offset relative to
7477 * the beginning of the transport layer header,
7478 * add the X register to that, move that to the
7479 * X register, and load with an offset from the
7480 * X register equal to the sum of the constant part of
7481 * the offset of the link-layer payload and the offset,
7482 * relative to the beginning of the link-layer payload,
7483 * of the network-layer header.
7484 */
7485 sappend(s, xfer_to_a(cstate, inst));
7486 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7487 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7488 sappend(s, tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code));
7489 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl;
7490 sappend(inst->s, s);
7491
7492 /*
7493 * Do the computation only if the packet contains
7494 * the protocol in question - which is true only
7495 * if this is an IP datagram and is the first or
7496 * only fragment of that datagram.
7497 */
7498 gen_and(gen_proto_abbrev_internal(cstate, proto), b = gen_ipfrag(cstate));
7499 if (inst->b)
7500 gen_and(inst->b, b);
7501 gen_and(gen_proto_abbrev_internal(cstate, Q_IP), b);
7502 inst->b = b;
7503 break;
7504 case Q_ICMPV6:
7505 /*
7506 * Do the computation only if the packet contains
7507 * the protocol in question.
7508 */
7509 b = gen_proto_abbrev_internal(cstate, Q_IPV6);
7510 if (inst->b) {
7511 gen_and(inst->b, b);
7512 }
7513 inst->b = b;
7514
7515 /*
7516 * Check if we have an icmp6 next header
7517 */
7518 b = gen_cmp(cstate, OR_LINKPL, 6, BPF_B, 58);
7519 if (inst->b) {
7520 gen_and(inst->b, b);
7521 }
7522 inst->b = b;
7523
7524
7525 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
7526 /*
7527 * If "s" is non-null, it has code to arrange that the
7528 * X register contains the variable part of the offset
7529 * of the link-layer payload. Add to it the offset
7530 * computed into the register specified by "index",
7531 * and move that into the X register. Otherwise, just
7532 * load into the X register the offset computed into
7533 * the register specified by "index".
7534 */
7535 if (s != NULL) {
7536 sappend(s, xfer_to_a(cstate, inst));
7537 sappend(s, new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X));
7538 sappend(s, new_stmt(cstate, BPF_MISC|BPF_TAX));
7539 } else {
7540 s = xfer_to_x(cstate, inst);
7541 }
7542
7543 /*
7544 * Load the item at the sum of the offset we've put in the
7545 * X register, the offset of the start of the network
7546 * layer header from the beginning of the link-layer
7547 * payload, and the constant part of the offset of the
7548 * start of the link-layer payload.
7549 */
7550 tmp = new_stmt(cstate, BPF_LD|BPF_IND|size_code);
7551 tmp->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 40;
7552
7553 sappend(s, tmp);
7554 sappend(inst->s, s);
7555
7556 break;
7557 }
7558 inst->regno = regno;
7559 s = new_stmt(cstate, BPF_ST);
7560 s->s.k = regno;
7561 sappend(inst->s, s);
7562
7563 return inst;
7564 }
7565
7566 struct arth *
7567 gen_load(compiler_state_t *cstate, int proto, struct arth *inst,
7568 bpf_u_int32 size)
7569 {
7570 /*
7571 * Catch errors reported by us and routines below us, and return NULL
7572 * on an error.
7573 */
7574 if (setjmp(cstate->top_ctx))
7575 return (NULL);
7576
7577 return gen_load_internal(cstate, proto, inst, size);
7578 }
7579
7580 static struct block *
7581 gen_relation_internal(compiler_state_t *cstate, int code, struct arth *a0,
7582 struct arth *a1, int reversed)
7583 {
7584 struct slist *s0, *s1, *s2;
7585 struct block *b, *tmp;
7586
7587 s0 = xfer_to_x(cstate, a1);
7588 s1 = xfer_to_a(cstate, a0);
7589 if (code == BPF_JEQ) {
7590 s2 = new_stmt(cstate, BPF_ALU|BPF_SUB|BPF_X);
7591 b = new_block(cstate, JMP(code));
7592 sappend(s1, s2);
7593 }
7594 else
7595 b = new_block(cstate, BPF_JMP|code|BPF_X);
7596 if (reversed)
7597 gen_not(b);
7598
7599 sappend(s0, s1);
7600 sappend(a1->s, s0);
7601 sappend(a0->s, a1->s);
7602
7603 b->stmts = a0->s;
7604
7605 free_reg(cstate, a0->regno);
7606 free_reg(cstate, a1->regno);
7607
7608 /* 'and' together protocol checks */
7609 if (a0->b) {
7610 if (a1->b) {
7611 gen_and(a0->b, tmp = a1->b);
7612 }
7613 else
7614 tmp = a0->b;
7615 } else
7616 tmp = a1->b;
7617
7618 if (tmp)
7619 gen_and(tmp, b);
7620
7621 return b;
7622 }
7623
7624 struct block *
7625 gen_relation(compiler_state_t *cstate, int code, struct arth *a0,
7626 struct arth *a1, int reversed)
7627 {
7628 /*
7629 * Catch errors reported by us and routines below us, and return NULL
7630 * on an error.
7631 */
7632 if (setjmp(cstate->top_ctx))
7633 return (NULL);
7634
7635 return gen_relation_internal(cstate, code, a0, a1, reversed);
7636 }
7637
7638 struct arth *
7639 gen_loadlen(compiler_state_t *cstate)
7640 {
7641 int regno;
7642 struct arth *a;
7643 struct slist *s;
7644
7645 /*
7646 * Catch errors reported by us and routines below us, and return NULL
7647 * on an error.
7648 */
7649 if (setjmp(cstate->top_ctx))
7650 return (NULL);
7651
7652 regno = alloc_reg(cstate);
7653 a = (struct arth *)newchunk(cstate, sizeof(*a));
7654 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7655 s->next = new_stmt(cstate, BPF_ST);
7656 s->next->s.k = regno;
7657 a->s = s;
7658 a->regno = regno;
7659
7660 return a;
7661 }
7662
7663 static struct arth *
7664 gen_loadi_internal(compiler_state_t *cstate, bpf_u_int32 val)
7665 {
7666 struct arth *a;
7667 struct slist *s;
7668 int reg;
7669
7670 a = (struct arth *)newchunk(cstate, sizeof(*a));
7671
7672 reg = alloc_reg(cstate);
7673
7674 s = new_stmt(cstate, BPF_LD|BPF_IMM);
7675 s->s.k = val;
7676 s->next = new_stmt(cstate, BPF_ST);
7677 s->next->s.k = reg;
7678 a->s = s;
7679 a->regno = reg;
7680
7681 return a;
7682 }
7683
7684 struct arth *
7685 gen_loadi(compiler_state_t *cstate, bpf_u_int32 val)
7686 {
7687 /*
7688 * Catch errors reported by us and routines below us, and return NULL
7689 * on an error.
7690 */
7691 if (setjmp(cstate->top_ctx))
7692 return (NULL);
7693
7694 return gen_loadi_internal(cstate, val);
7695 }
7696
7697 /*
7698 * The a_arg dance is to avoid annoying whining by compilers that
7699 * a might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7700 * It's not *used* after setjmp returns.
7701 */
7702 struct arth *
7703 gen_neg(compiler_state_t *cstate, struct arth *a_arg)
7704 {
7705 struct arth *a = a_arg;
7706 struct slist *s;
7707
7708 /*
7709 * Catch errors reported by us and routines below us, and return NULL
7710 * on an error.
7711 */
7712 if (setjmp(cstate->top_ctx))
7713 return (NULL);
7714
7715 s = xfer_to_a(cstate, a);
7716 sappend(a->s, s);
7717 s = new_stmt(cstate, BPF_ALU|BPF_NEG);
7718 s->s.k = 0;
7719 sappend(a->s, s);
7720 s = new_stmt(cstate, BPF_ST);
7721 s->s.k = a->regno;
7722 sappend(a->s, s);
7723
7724 return a;
7725 }
7726
7727 /*
7728 * The a0_arg dance is to avoid annoying whining by compilers that
7729 * a0 might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
7730 * It's not *used* after setjmp returns.
7731 */
7732 struct arth *
7733 gen_arth(compiler_state_t *cstate, int code, struct arth *a0_arg,
7734 struct arth *a1)
7735 {
7736 struct arth *a0 = a0_arg;
7737 struct slist *s0, *s1, *s2;
7738
7739 /*
7740 * Catch errors reported by us and routines below us, and return NULL
7741 * on an error.
7742 */
7743 if (setjmp(cstate->top_ctx))
7744 return (NULL);
7745
7746 /*
7747 * Disallow division by, or modulus by, zero; we do this here
7748 * so that it gets done even if the optimizer is disabled.
7749 *
7750 * Also disallow shifts by a value greater than 31; we do this
7751 * here, for the same reason.
7752 */
7753 if (code == BPF_DIV) {
7754 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7755 bpf_error(cstate, "division by zero");
7756 } else if (code == BPF_MOD) {
7757 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k == 0)
7758 bpf_error(cstate, "modulus by zero");
7759 } else if (code == BPF_LSH || code == BPF_RSH) {
7760 if (a1->s->s.code == (BPF_LD|BPF_IMM) && a1->s->s.k > 31)
7761 bpf_error(cstate, "shift by more than 31 bits");
7762 }
7763 s0 = xfer_to_x(cstate, a1);
7764 s1 = xfer_to_a(cstate, a0);
7765 s2 = new_stmt(cstate, BPF_ALU|BPF_X|code);
7766
7767 sappend(s1, s2);
7768 sappend(s0, s1);
7769 sappend(a1->s, s0);
7770 sappend(a0->s, a1->s);
7771
7772 free_reg(cstate, a0->regno);
7773 free_reg(cstate, a1->regno);
7774
7775 s0 = new_stmt(cstate, BPF_ST);
7776 a0->regno = s0->s.k = alloc_reg(cstate);
7777 sappend(a0->s, s0);
7778
7779 return a0;
7780 }
7781
7782 /*
7783 * Initialize the table of used registers and the current register.
7784 */
7785 static void
7786 init_regs(compiler_state_t *cstate)
7787 {
7788 cstate->curreg = 0;
7789 memset(cstate->regused, 0, sizeof cstate->regused);
7790 }
7791
7792 /*
7793 * Return the next free register.
7794 */
7795 static int
7796 alloc_reg(compiler_state_t *cstate)
7797 {
7798 int n = BPF_MEMWORDS;
7799
7800 while (--n >= 0) {
7801 if (cstate->regused[cstate->curreg])
7802 cstate->curreg = (cstate->curreg + 1) % BPF_MEMWORDS;
7803 else {
7804 cstate->regused[cstate->curreg] = 1;
7805 return cstate->curreg;
7806 }
7807 }
7808 bpf_error(cstate, "too many registers needed to evaluate expression");
7809 /*NOTREACHED*/
7810 }
7811
7812 /*
7813 * Return a register to the table so it can
7814 * be used later.
7815 */
7816 static void
7817 free_reg(compiler_state_t *cstate, int n)
7818 {
7819 cstate->regused[n] = 0;
7820 }
7821
7822 static struct block *
7823 gen_len(compiler_state_t *cstate, int jmp, int n)
7824 {
7825 struct slist *s;
7826 struct block *b;
7827
7828 s = new_stmt(cstate, BPF_LD|BPF_LEN);
7829 b = new_block(cstate, JMP(jmp));
7830 b->stmts = s;
7831 b->s.k = n;
7832
7833 return b;
7834 }
7835
7836 struct block *
7837 gen_greater(compiler_state_t *cstate, int n)
7838 {
7839 /*
7840 * Catch errors reported by us and routines below us, and return NULL
7841 * on an error.
7842 */
7843 if (setjmp(cstate->top_ctx))
7844 return (NULL);
7845
7846 return gen_len(cstate, BPF_JGE, n);
7847 }
7848
7849 /*
7850 * Actually, this is less than or equal.
7851 */
7852 struct block *
7853 gen_less(compiler_state_t *cstate, int n)
7854 {
7855 struct block *b;
7856
7857 /*
7858 * Catch errors reported by us and routines below us, and return NULL
7859 * on an error.
7860 */
7861 if (setjmp(cstate->top_ctx))
7862 return (NULL);
7863
7864 b = gen_len(cstate, BPF_JGT, n);
7865 gen_not(b);
7866
7867 return b;
7868 }
7869
7870 /*
7871 * This is for "byte {idx} {op} {val}"; "idx" is treated as relative to
7872 * the beginning of the link-layer header.
7873 * XXX - that means you can't test values in the radiotap header, but
7874 * as that header is difficult if not impossible to parse generally
7875 * without a loop, that might not be a severe problem. A new keyword
7876 * "radio" could be added for that, although what you'd really want
7877 * would be a way of testing particular radio header values, which
7878 * would generate code appropriate to the radio header in question.
7879 */
7880 struct block *
7881 gen_byteop(compiler_state_t *cstate, int op, int idx, bpf_u_int32 val)
7882 {
7883 struct block *b;
7884 struct slist *s;
7885
7886 /*
7887 * Catch errors reported by us and routines below us, and return NULL
7888 * on an error.
7889 */
7890 if (setjmp(cstate->top_ctx))
7891 return (NULL);
7892
7893 switch (op) {
7894 default:
7895 abort();
7896
7897 case '=':
7898 return gen_cmp(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
7899
7900 case '<':
7901 b = gen_cmp_lt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
7902 return b;
7903
7904 case '>':
7905 b = gen_cmp_gt(cstate, OR_LINKHDR, (u_int)idx, BPF_B, val);
7906 return b;
7907
7908 case '|':
7909 s = new_stmt(cstate, BPF_ALU|BPF_OR|BPF_K);
7910 break;
7911
7912 case '&':
7913 s = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
7914 break;
7915 }
7916 s->s.k = val;
7917 b = new_block(cstate, JMP(BPF_JEQ));
7918 b->stmts = s;
7919 gen_not(b);
7920
7921 return b;
7922 }
7923
7924 static const u_char abroadcast[] = { 0x0 };
7925
7926 struct block *
7927 gen_broadcast(compiler_state_t *cstate, int proto)
7928 {
7929 bpf_u_int32 hostmask;
7930 struct block *b0, *b1, *b2;
7931 static const u_char ebroadcast[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
7932
7933 /*
7934 * Catch errors reported by us and routines below us, and return NULL
7935 * on an error.
7936 */
7937 if (setjmp(cstate->top_ctx))
7938 return (NULL);
7939
7940 switch (proto) {
7941
7942 case Q_DEFAULT:
7943 case Q_LINK:
7944 switch (cstate->linktype) {
7945 case DLT_ARCNET:
7946 case DLT_ARCNET_LINUX:
7947 return gen_ahostop(cstate, abroadcast, Q_DST);
7948 case DLT_EN10MB:
7949 case DLT_NETANALYZER:
7950 case DLT_NETANALYZER_TRANSPARENT:
7951 b1 = gen_prevlinkhdr_check(cstate);
7952 b0 = gen_ehostop(cstate, ebroadcast, Q_DST);
7953 if (b1 != NULL)
7954 gen_and(b1, b0);
7955 return b0;
7956 case DLT_FDDI:
7957 return gen_fhostop(cstate, ebroadcast, Q_DST);
7958 case DLT_IEEE802:
7959 return gen_thostop(cstate, ebroadcast, Q_DST);
7960 case DLT_IEEE802_11:
7961 case DLT_PRISM_HEADER:
7962 case DLT_IEEE802_11_RADIO_AVS:
7963 case DLT_IEEE802_11_RADIO:
7964 case DLT_PPI:
7965 return gen_wlanhostop(cstate, ebroadcast, Q_DST);
7966 case DLT_IP_OVER_FC:
7967 return gen_ipfchostop(cstate, ebroadcast, Q_DST);
7968 default:
7969 bpf_error(cstate, "not a broadcast link");
7970 }
7971 /*NOTREACHED*/
7972
7973 case Q_IP:
7974 /*
7975 * We treat a netmask of PCAP_NETMASK_UNKNOWN (0xffffffff)
7976 * as an indication that we don't know the netmask, and fail
7977 * in that case.
7978 */
7979 if (cstate->netmask == PCAP_NETMASK_UNKNOWN)
7980 bpf_error(cstate, "netmask not known, so 'ip broadcast' not supported");
7981 b0 = gen_linktype(cstate, ETHERTYPE_IP);
7982 hostmask = ~cstate->netmask;
7983 b1 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W, 0, hostmask);
7984 b2 = gen_mcmp(cstate, OR_LINKPL, 16, BPF_W,
7985 ~0 & hostmask, hostmask);
7986 gen_or(b1, b2);
7987 gen_and(b0, b2);
7988 return b2;
7989 }
7990 bpf_error(cstate, "only link-layer/IP broadcast filters supported");
7991 /*NOTREACHED*/
7992 }
7993
7994 /*
7995 * Generate code to test the low-order bit of a MAC address (that's
7996 * the bottom bit of the *first* byte).
7997 */
7998 static struct block *
7999 gen_mac_multicast(compiler_state_t *cstate, int offset)
8000 {
8001 register struct block *b0;
8002 register struct slist *s;
8003
8004 /* link[offset] & 1 != 0 */
8005 s = gen_load_a(cstate, OR_LINKHDR, offset, BPF_B);
8006 b0 = new_block(cstate, JMP(BPF_JSET));
8007 b0->s.k = 1;
8008 b0->stmts = s;
8009 return b0;
8010 }
8011
8012 struct block *
8013 gen_multicast(compiler_state_t *cstate, int proto)
8014 {
8015 register struct block *b0, *b1, *b2;
8016 register struct slist *s;
8017
8018 /*
8019 * Catch errors reported by us and routines below us, and return NULL
8020 * on an error.
8021 */
8022 if (setjmp(cstate->top_ctx))
8023 return (NULL);
8024
8025 switch (proto) {
8026
8027 case Q_DEFAULT:
8028 case Q_LINK:
8029 switch (cstate->linktype) {
8030 case DLT_ARCNET:
8031 case DLT_ARCNET_LINUX:
8032 /* all ARCnet multicasts use the same address */
8033 return gen_ahostop(cstate, abroadcast, Q_DST);
8034 case DLT_EN10MB:
8035 case DLT_NETANALYZER:
8036 case DLT_NETANALYZER_TRANSPARENT:
8037 b1 = gen_prevlinkhdr_check(cstate);
8038 /* ether[0] & 1 != 0 */
8039 b0 = gen_mac_multicast(cstate, 0);
8040 if (b1 != NULL)
8041 gen_and(b1, b0);
8042 return b0;
8043 case DLT_FDDI:
8044 /*
8045 * XXX TEST THIS: MIGHT NOT PORT PROPERLY XXX
8046 *
8047 * XXX - was that referring to bit-order issues?
8048 */
8049 /* fddi[1] & 1 != 0 */
8050 return gen_mac_multicast(cstate, 1);
8051 case DLT_IEEE802:
8052 /* tr[2] & 1 != 0 */
8053 return gen_mac_multicast(cstate, 2);
8054 case DLT_IEEE802_11:
8055 case DLT_PRISM_HEADER:
8056 case DLT_IEEE802_11_RADIO_AVS:
8057 case DLT_IEEE802_11_RADIO:
8058 case DLT_PPI:
8059 /*
8060 * Oh, yuk.
8061 *
8062 * For control frames, there is no DA.
8063 *
8064 * For management frames, DA is at an
8065 * offset of 4 from the beginning of
8066 * the packet.
8067 *
8068 * For data frames, DA is at an offset
8069 * of 4 from the beginning of the packet
8070 * if To DS is clear and at an offset of
8071 * 16 from the beginning of the packet
8072 * if To DS is set.
8073 */
8074
8075 /*
8076 * Generate the tests to be done for data frames.
8077 *
8078 * First, check for To DS set, i.e. "link[1] & 0x01".
8079 */
8080 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8081 b1 = new_block(cstate, JMP(BPF_JSET));
8082 b1->s.k = 0x01; /* To DS */
8083 b1->stmts = s;
8084
8085 /*
8086 * If To DS is set, the DA is at 16.
8087 */
8088 b0 = gen_mac_multicast(cstate, 16);
8089 gen_and(b1, b0);
8090
8091 /*
8092 * Now, check for To DS not set, i.e. check
8093 * "!(link[1] & 0x01)".
8094 */
8095 s = gen_load_a(cstate, OR_LINKHDR, 1, BPF_B);
8096 b2 = new_block(cstate, JMP(BPF_JSET));
8097 b2->s.k = 0x01; /* To DS */
8098 b2->stmts = s;
8099 gen_not(b2);
8100
8101 /*
8102 * If To DS is not set, the DA is at 4.
8103 */
8104 b1 = gen_mac_multicast(cstate, 4);
8105 gen_and(b2, b1);
8106
8107 /*
8108 * Now OR together the last two checks. That gives
8109 * the complete set of checks for data frames.
8110 */
8111 gen_or(b1, b0);
8112
8113 /*
8114 * Now check for a data frame.
8115 * I.e, check "link[0] & 0x08".
8116 */
8117 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8118 b1 = new_block(cstate, JMP(BPF_JSET));
8119 b1->s.k = 0x08;
8120 b1->stmts = s;
8121
8122 /*
8123 * AND that with the checks done for data frames.
8124 */
8125 gen_and(b1, b0);
8126
8127 /*
8128 * If the high-order bit of the type value is 0, this
8129 * is a management frame.
8130 * I.e, check "!(link[0] & 0x08)".
8131 */
8132 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8133 b2 = new_block(cstate, JMP(BPF_JSET));
8134 b2->s.k = 0x08;
8135 b2->stmts = s;
8136 gen_not(b2);
8137
8138 /*
8139 * For management frames, the DA is at 4.
8140 */
8141 b1 = gen_mac_multicast(cstate, 4);
8142 gen_and(b2, b1);
8143
8144 /*
8145 * OR that with the checks done for data frames.
8146 * That gives the checks done for management and
8147 * data frames.
8148 */
8149 gen_or(b1, b0);
8150
8151 /*
8152 * If the low-order bit of the type value is 1,
8153 * this is either a control frame or a frame
8154 * with a reserved type, and thus not a
8155 * frame with an SA.
8156 *
8157 * I.e., check "!(link[0] & 0x04)".
8158 */
8159 s = gen_load_a(cstate, OR_LINKHDR, 0, BPF_B);
8160 b1 = new_block(cstate, JMP(BPF_JSET));
8161 b1->s.k = 0x04;
8162 b1->stmts = s;
8163 gen_not(b1);
8164
8165 /*
8166 * AND that with the checks for data and management
8167 * frames.
8168 */
8169 gen_and(b1, b0);
8170 return b0;
8171 case DLT_IP_OVER_FC:
8172 b0 = gen_mac_multicast(cstate, 2);
8173 return b0;
8174 default:
8175 break;
8176 }
8177 /* Link not known to support multicasts */
8178 break;
8179
8180 case Q_IP:
8181 b0 = gen_linktype(cstate, ETHERTYPE_IP);
8182 b1 = gen_cmp_ge(cstate, OR_LINKPL, 16, BPF_B, 224);
8183 gen_and(b0, b1);
8184 return b1;
8185
8186 case Q_IPV6:
8187 b0 = gen_linktype(cstate, ETHERTYPE_IPV6);
8188 b1 = gen_cmp(cstate, OR_LINKPL, 24, BPF_B, 255);
8189 gen_and(b0, b1);
8190 return b1;
8191 }
8192 bpf_error(cstate, "link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel");
8193 /*NOTREACHED*/
8194 }
8195
8196 struct block *
8197 gen_ifindex(compiler_state_t *cstate, int ifindex)
8198 {
8199 register struct block *b0;
8200
8201 /*
8202 * Catch errors reported by us and routines below us, and return NULL
8203 * on an error.
8204 */
8205 if (setjmp(cstate->top_ctx))
8206 return (NULL);
8207
8208 /*
8209 * Only some data link types support ifindex qualifiers.
8210 */
8211 switch (cstate->linktype) {
8212 case DLT_LINUX_SLL2:
8213 /* match packets on this interface */
8214 b0 = gen_cmp(cstate, OR_LINKHDR, 4, BPF_W, ifindex);
8215 break;
8216 default:
8217 #if defined(linux)
8218 /*
8219 * This is Linux; we require PF_PACKET support.
8220 * If this is a *live* capture, we can look at
8221 * special meta-data in the filter expression;
8222 * if it's a savefile, we can't.
8223 */
8224 if (cstate->bpf_pcap->rfile != NULL) {
8225 /* We have a FILE *, so this is a savefile */
8226 bpf_error(cstate, "ifindex not supported on %s when reading savefiles",
8227 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8228 b0 = NULL;
8229 /*NOTREACHED*/
8230 }
8231 /* match ifindex */
8232 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_IFINDEX, BPF_W,
8233 ifindex);
8234 #else /* defined(linux) */
8235 bpf_error(cstate, "ifindex not supported on %s",
8236 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8237 /*NOTREACHED*/
8238 #endif /* defined(linux) */
8239 }
8240 return (b0);
8241 }
8242
8243 /*
8244 * Filter on inbound (dir == 0) or outbound (dir == 1) traffic.
8245 * Outbound traffic is sent by this machine, while inbound traffic is
8246 * sent by a remote machine (and may include packets destined for a
8247 * unicast or multicast link-layer address we are not subscribing to).
8248 * These are the same definitions implemented by pcap_setdirection().
8249 * Capturing only unicast traffic destined for this host is probably
8250 * better accomplished using a higher-layer filter.
8251 */
8252 struct block *
8253 gen_inbound(compiler_state_t *cstate, int dir)
8254 {
8255 register struct block *b0;
8256
8257 /*
8258 * Catch errors reported by us and routines below us, and return NULL
8259 * on an error.
8260 */
8261 if (setjmp(cstate->top_ctx))
8262 return (NULL);
8263
8264 /*
8265 * Only some data link types support inbound/outbound qualifiers.
8266 */
8267 switch (cstate->linktype) {
8268 case DLT_SLIP:
8269 b0 = gen_relation_internal(cstate, BPF_JEQ,
8270 gen_load_internal(cstate, Q_LINK, gen_loadi_internal(cstate, 0), 1),
8271 gen_loadi_internal(cstate, 0),
8272 dir);
8273 break;
8274
8275 case DLT_IPNET:
8276 if (dir) {
8277 /* match outgoing packets */
8278 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_OUTBOUND);
8279 } else {
8280 /* match incoming packets */
8281 b0 = gen_cmp(cstate, OR_LINKHDR, 2, BPF_H, IPNET_INBOUND);
8282 }
8283 break;
8284
8285 case DLT_LINUX_SLL:
8286 /* match outgoing packets */
8287 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_H, LINUX_SLL_OUTGOING);
8288 if (!dir) {
8289 /* to filter on inbound traffic, invert the match */
8290 gen_not(b0);
8291 }
8292 break;
8293
8294 case DLT_LINUX_SLL2:
8295 /* match outgoing packets */
8296 b0 = gen_cmp(cstate, OR_LINKHDR, 10, BPF_B, LINUX_SLL_OUTGOING);
8297 if (!dir) {
8298 /* to filter on inbound traffic, invert the match */
8299 gen_not(b0);
8300 }
8301 break;
8302
8303 #ifdef HAVE_NET_PFVAR_H
8304 case DLT_PFLOG:
8305 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, dir), BPF_B,
8306 ((dir == 0) ? PF_IN : PF_OUT));
8307 break;
8308 #endif
8309
8310 case DLT_PPP_PPPD:
8311 if (dir) {
8312 /* match outgoing packets */
8313 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_OUT);
8314 } else {
8315 /* match incoming packets */
8316 b0 = gen_cmp(cstate, OR_LINKHDR, 0, BPF_B, PPP_PPPD_IN);
8317 }
8318 break;
8319
8320 case DLT_JUNIPER_MFR:
8321 case DLT_JUNIPER_MLFR:
8322 case DLT_JUNIPER_MLPPP:
8323 case DLT_JUNIPER_ATM1:
8324 case DLT_JUNIPER_ATM2:
8325 case DLT_JUNIPER_PPPOE:
8326 case DLT_JUNIPER_PPPOE_ATM:
8327 case DLT_JUNIPER_GGSN:
8328 case DLT_JUNIPER_ES:
8329 case DLT_JUNIPER_MONITOR:
8330 case DLT_JUNIPER_SERVICES:
8331 case DLT_JUNIPER_ETHER:
8332 case DLT_JUNIPER_PPP:
8333 case DLT_JUNIPER_FRELAY:
8334 case DLT_JUNIPER_CHDLC:
8335 case DLT_JUNIPER_VP:
8336 case DLT_JUNIPER_ST:
8337 case DLT_JUNIPER_ISM:
8338 case DLT_JUNIPER_VS:
8339 case DLT_JUNIPER_SRX_E2E:
8340 case DLT_JUNIPER_FIBRECHANNEL:
8341 case DLT_JUNIPER_ATM_CEMIC:
8342
8343 /* juniper flags (including direction) are stored
8344 * the byte after the 3-byte magic number */
8345 if (dir) {
8346 /* match outgoing packets */
8347 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 0, 0x01);
8348 } else {
8349 /* match incoming packets */
8350 b0 = gen_mcmp(cstate, OR_LINKHDR, 3, BPF_B, 1, 0x01);
8351 }
8352 break;
8353
8354 default:
8355 /*
8356 * If we have packet meta-data indicating a direction,
8357 * and that metadata can be checked by BPF code, check
8358 * it. Otherwise, give up, as this link-layer type has
8359 * nothing in the packet data.
8360 *
8361 * Currently, the only platform where a BPF filter can
8362 * check that metadata is Linux with the in-kernel
8363 * BPF interpreter. If other packet capture mechanisms
8364 * and BPF filters also supported this, it would be
8365 * nice. It would be even better if they made that
8366 * metadata available so that we could provide it
8367 * with newer capture APIs, allowing it to be saved
8368 * in pcapng files.
8369 */
8370 #if defined(linux)
8371 /*
8372 * This is Linux; we require PF_PACKET support.
8373 * If this is a *live* capture, we can look at
8374 * special meta-data in the filter expression;
8375 * if it's a savefile, we can't.
8376 */
8377 if (cstate->bpf_pcap->rfile != NULL) {
8378 /* We have a FILE *, so this is a savefile */
8379 bpf_error(cstate, "inbound/outbound not supported on %s when reading savefiles",
8380 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8381 /*NOTREACHED*/
8382 }
8383 /* match outgoing packets */
8384 b0 = gen_cmp(cstate, OR_LINKHDR, SKF_AD_OFF + SKF_AD_PKTTYPE, BPF_H,
8385 PACKET_OUTGOING);
8386 if (!dir) {
8387 /* to filter on inbound traffic, invert the match */
8388 gen_not(b0);
8389 }
8390 #else /* defined(linux) */
8391 bpf_error(cstate, "inbound/outbound not supported on %s",
8392 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
8393 /*NOTREACHED*/
8394 #endif /* defined(linux) */
8395 }
8396 return (b0);
8397 }
8398
8399 #ifdef HAVE_NET_PFVAR_H
8400 /* PF firewall log matched interface */
8401 struct block *
8402 gen_pf_ifname(compiler_state_t *cstate, const char *ifname)
8403 {
8404 struct block *b0;
8405 u_int len, off;
8406
8407 /*
8408 * Catch errors reported by us and routines below us, and return NULL
8409 * on an error.
8410 */
8411 if (setjmp(cstate->top_ctx))
8412 return (NULL);
8413
8414 if (cstate->linktype != DLT_PFLOG) {
8415 bpf_error(cstate, "ifname supported only on PF linktype");
8416 /*NOTREACHED*/
8417 }
8418 len = sizeof(((struct pfloghdr *)0)->ifname);
8419 off = offsetof(struct pfloghdr, ifname);
8420 if (strlen(ifname) >= len) {
8421 bpf_error(cstate, "ifname interface names can only be %d characters",
8422 len-1);
8423 /*NOTREACHED*/
8424 }
8425 b0 = gen_bcmp(cstate, OR_LINKHDR, off, (u_int)strlen(ifname),
8426 (const u_char *)ifname);
8427 return (b0);
8428 }
8429
8430 /* PF firewall log ruleset name */
8431 struct block *
8432 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset)
8433 {
8434 struct block *b0;
8435
8436 /*
8437 * Catch errors reported by us and routines below us, and return NULL
8438 * on an error.
8439 */
8440 if (setjmp(cstate->top_ctx))
8441 return (NULL);
8442
8443 if (cstate->linktype != DLT_PFLOG) {
8444 bpf_error(cstate, "ruleset supported only on PF linktype");
8445 /*NOTREACHED*/
8446 }
8447
8448 if (strlen(ruleset) >= sizeof(((struct pfloghdr *)0)->ruleset)) {
8449 bpf_error(cstate, "ruleset names can only be %ld characters",
8450 (long)(sizeof(((struct pfloghdr *)0)->ruleset) - 1));
8451 /*NOTREACHED*/
8452 }
8453
8454 b0 = gen_bcmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, ruleset),
8455 (u_int)strlen(ruleset), (const u_char *)ruleset);
8456 return (b0);
8457 }
8458
8459 /* PF firewall log rule number */
8460 struct block *
8461 gen_pf_rnr(compiler_state_t *cstate, int rnr)
8462 {
8463 struct block *b0;
8464
8465 /*
8466 * Catch errors reported by us and routines below us, and return NULL
8467 * on an error.
8468 */
8469 if (setjmp(cstate->top_ctx))
8470 return (NULL);
8471
8472 if (cstate->linktype != DLT_PFLOG) {
8473 bpf_error(cstate, "rnr supported only on PF linktype");
8474 /*NOTREACHED*/
8475 }
8476
8477 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, rulenr), BPF_W,
8478 (bpf_u_int32)rnr);
8479 return (b0);
8480 }
8481
8482 /* PF firewall log sub-rule number */
8483 struct block *
8484 gen_pf_srnr(compiler_state_t *cstate, int srnr)
8485 {
8486 struct block *b0;
8487
8488 /*
8489 * Catch errors reported by us and routines below us, and return NULL
8490 * on an error.
8491 */
8492 if (setjmp(cstate->top_ctx))
8493 return (NULL);
8494
8495 if (cstate->linktype != DLT_PFLOG) {
8496 bpf_error(cstate, "srnr supported only on PF linktype");
8497 /*NOTREACHED*/
8498 }
8499
8500 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, subrulenr), BPF_W,
8501 (bpf_u_int32)srnr);
8502 return (b0);
8503 }
8504
8505 /* PF firewall log reason code */
8506 struct block *
8507 gen_pf_reason(compiler_state_t *cstate, int reason)
8508 {
8509 struct block *b0;
8510
8511 /*
8512 * Catch errors reported by us and routines below us, and return NULL
8513 * on an error.
8514 */
8515 if (setjmp(cstate->top_ctx))
8516 return (NULL);
8517
8518 if (cstate->linktype != DLT_PFLOG) {
8519 bpf_error(cstate, "reason supported only on PF linktype");
8520 /*NOTREACHED*/
8521 }
8522
8523 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, reason), BPF_B,
8524 (bpf_u_int32)reason);
8525 return (b0);
8526 }
8527
8528 /* PF firewall log action */
8529 struct block *
8530 gen_pf_action(compiler_state_t *cstate, int action)
8531 {
8532 struct block *b0;
8533
8534 /*
8535 * Catch errors reported by us and routines below us, and return NULL
8536 * on an error.
8537 */
8538 if (setjmp(cstate->top_ctx))
8539 return (NULL);
8540
8541 if (cstate->linktype != DLT_PFLOG) {
8542 bpf_error(cstate, "action supported only on PF linktype");
8543 /*NOTREACHED*/
8544 }
8545
8546 b0 = gen_cmp(cstate, OR_LINKHDR, offsetof(struct pfloghdr, action), BPF_B,
8547 (bpf_u_int32)action);
8548 return (b0);
8549 }
8550 #else /* !HAVE_NET_PFVAR_H */
8551 struct block *
8552 gen_pf_ifname(compiler_state_t *cstate, const char *ifname _U_)
8553 {
8554 /*
8555 * Catch errors reported by us and routines below us, and return NULL
8556 * on an error.
8557 */
8558 if (setjmp(cstate->top_ctx))
8559 return (NULL);
8560
8561 bpf_error(cstate, "libpcap was compiled without pf support");
8562 /*NOTREACHED*/
8563 }
8564
8565 struct block *
8566 gen_pf_ruleset(compiler_state_t *cstate, char *ruleset _U_)
8567 {
8568 /*
8569 * Catch errors reported by us and routines below us, and return NULL
8570 * on an error.
8571 */
8572 if (setjmp(cstate->top_ctx))
8573 return (NULL);
8574
8575 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8576 /*NOTREACHED*/
8577 }
8578
8579 struct block *
8580 gen_pf_rnr(compiler_state_t *cstate, int rnr _U_)
8581 {
8582 /*
8583 * Catch errors reported by us and routines below us, and return NULL
8584 * on an error.
8585 */
8586 if (setjmp(cstate->top_ctx))
8587 return (NULL);
8588
8589 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8590 /*NOTREACHED*/
8591 }
8592
8593 struct block *
8594 gen_pf_srnr(compiler_state_t *cstate, int srnr _U_)
8595 {
8596 /*
8597 * Catch errors reported by us and routines below us, and return NULL
8598 * on an error.
8599 */
8600 if (setjmp(cstate->top_ctx))
8601 return (NULL);
8602
8603 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8604 /*NOTREACHED*/
8605 }
8606
8607 struct block *
8608 gen_pf_reason(compiler_state_t *cstate, int reason _U_)
8609 {
8610 /*
8611 * Catch errors reported by us and routines below us, and return NULL
8612 * on an error.
8613 */
8614 if (setjmp(cstate->top_ctx))
8615 return (NULL);
8616
8617 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8618 /*NOTREACHED*/
8619 }
8620
8621 struct block *
8622 gen_pf_action(compiler_state_t *cstate, int action _U_)
8623 {
8624 /*
8625 * Catch errors reported by us and routines below us, and return NULL
8626 * on an error.
8627 */
8628 if (setjmp(cstate->top_ctx))
8629 return (NULL);
8630
8631 bpf_error(cstate, "libpcap was compiled on a machine without pf support");
8632 /*NOTREACHED*/
8633 }
8634 #endif /* HAVE_NET_PFVAR_H */
8635
8636 /* IEEE 802.11 wireless header */
8637 struct block *
8638 gen_p80211_type(compiler_state_t *cstate, bpf_u_int32 type, bpf_u_int32 mask)
8639 {
8640 struct block *b0;
8641
8642 /*
8643 * Catch errors reported by us and routines below us, and return NULL
8644 * on an error.
8645 */
8646 if (setjmp(cstate->top_ctx))
8647 return (NULL);
8648
8649 switch (cstate->linktype) {
8650
8651 case DLT_IEEE802_11:
8652 case DLT_PRISM_HEADER:
8653 case DLT_IEEE802_11_RADIO_AVS:
8654 case DLT_IEEE802_11_RADIO:
8655 b0 = gen_mcmp(cstate, OR_LINKHDR, 0, BPF_B, type, mask);
8656 break;
8657
8658 default:
8659 bpf_error(cstate, "802.11 link-layer types supported only on 802.11");
8660 /*NOTREACHED*/
8661 }
8662
8663 return (b0);
8664 }
8665
8666 struct block *
8667 gen_p80211_fcdir(compiler_state_t *cstate, bpf_u_int32 fcdir)
8668 {
8669 struct block *b0;
8670
8671 /*
8672 * Catch errors reported by us and routines below us, and return NULL
8673 * on an error.
8674 */
8675 if (setjmp(cstate->top_ctx))
8676 return (NULL);
8677
8678 switch (cstate->linktype) {
8679
8680 case DLT_IEEE802_11:
8681 case DLT_PRISM_HEADER:
8682 case DLT_IEEE802_11_RADIO_AVS:
8683 case DLT_IEEE802_11_RADIO:
8684 break;
8685
8686 default:
8687 bpf_error(cstate, "frame direction supported only with 802.11 headers");
8688 /*NOTREACHED*/
8689 }
8690
8691 b0 = gen_mcmp(cstate, OR_LINKHDR, 1, BPF_B, fcdir,
8692 IEEE80211_FC1_DIR_MASK);
8693
8694 return (b0);
8695 }
8696
8697 struct block *
8698 gen_acode(compiler_state_t *cstate, const char *s, struct qual q)
8699 {
8700 struct block *b;
8701
8702 /*
8703 * Catch errors reported by us and routines below us, and return NULL
8704 * on an error.
8705 */
8706 if (setjmp(cstate->top_ctx))
8707 return (NULL);
8708
8709 switch (cstate->linktype) {
8710
8711 case DLT_ARCNET:
8712 case DLT_ARCNET_LINUX:
8713 if ((q.addr == Q_HOST || q.addr == Q_DEFAULT) &&
8714 q.proto == Q_LINK) {
8715 cstate->e = pcap_ether_aton(s);
8716 if (cstate->e == NULL)
8717 bpf_error(cstate, "malloc");
8718 b = gen_ahostop(cstate, cstate->e, (int)q.dir);
8719 free(cstate->e);
8720 cstate->e = NULL;
8721 return (b);
8722 } else
8723 bpf_error(cstate, "ARCnet address used in non-arc expression");
8724 /*NOTREACHED*/
8725
8726 default:
8727 bpf_error(cstate, "aid supported only on ARCnet");
8728 /*NOTREACHED*/
8729 }
8730 }
8731
8732 static struct block *
8733 gen_ahostop(compiler_state_t *cstate, const u_char *eaddr, int dir)
8734 {
8735 register struct block *b0, *b1;
8736
8737 switch (dir) {
8738 /* src comes first, different from Ethernet */
8739 case Q_SRC:
8740 return gen_bcmp(cstate, OR_LINKHDR, 0, 1, eaddr);
8741
8742 case Q_DST:
8743 return gen_bcmp(cstate, OR_LINKHDR, 1, 1, eaddr);
8744
8745 case Q_AND:
8746 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8747 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8748 gen_and(b0, b1);
8749 return b1;
8750
8751 case Q_DEFAULT:
8752 case Q_OR:
8753 b0 = gen_ahostop(cstate, eaddr, Q_SRC);
8754 b1 = gen_ahostop(cstate, eaddr, Q_DST);
8755 gen_or(b0, b1);
8756 return b1;
8757
8758 case Q_ADDR1:
8759 bpf_error(cstate, "'addr1' and 'address1' are only supported on 802.11");
8760 /*NOTREACHED*/
8761
8762 case Q_ADDR2:
8763 bpf_error(cstate, "'addr2' and 'address2' are only supported on 802.11");
8764 /*NOTREACHED*/
8765
8766 case Q_ADDR3:
8767 bpf_error(cstate, "'addr3' and 'address3' are only supported on 802.11");
8768 /*NOTREACHED*/
8769
8770 case Q_ADDR4:
8771 bpf_error(cstate, "'addr4' and 'address4' are only supported on 802.11");
8772 /*NOTREACHED*/
8773
8774 case Q_RA:
8775 bpf_error(cstate, "'ra' is only supported on 802.11");
8776 /*NOTREACHED*/
8777
8778 case Q_TA:
8779 bpf_error(cstate, "'ta' is only supported on 802.11");
8780 /*NOTREACHED*/
8781 }
8782 abort();
8783 /*NOTREACHED*/
8784 }
8785
8786 static struct block *
8787 gen_vlan_tpid_test(compiler_state_t *cstate)
8788 {
8789 struct block *b0, *b1;
8790
8791 /* check for VLAN, including QinQ */
8792 b0 = gen_linktype(cstate, ETHERTYPE_8021Q);
8793 b1 = gen_linktype(cstate, ETHERTYPE_8021AD);
8794 gen_or(b0,b1);
8795 b0 = b1;
8796 b1 = gen_linktype(cstate, ETHERTYPE_8021QINQ);
8797 gen_or(b0,b1);
8798
8799 return b1;
8800 }
8801
8802 static struct block *
8803 gen_vlan_vid_test(compiler_state_t *cstate, bpf_u_int32 vlan_num)
8804 {
8805 if (vlan_num > 0x0fff) {
8806 bpf_error(cstate, "VLAN tag %u greater than maximum %u",
8807 vlan_num, 0x0fff);
8808 }
8809 return gen_mcmp(cstate, OR_LINKPL, 0, BPF_H, vlan_num, 0x0fff);
8810 }
8811
8812 static struct block *
8813 gen_vlan_no_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
8814 int has_vlan_tag)
8815 {
8816 struct block *b0, *b1;
8817
8818 b0 = gen_vlan_tpid_test(cstate);
8819
8820 if (has_vlan_tag) {
8821 b1 = gen_vlan_vid_test(cstate, vlan_num);
8822 gen_and(b0, b1);
8823 b0 = b1;
8824 }
8825
8826 /*
8827 * Both payload and link header type follow the VLAN tags so that
8828 * both need to be updated.
8829 */
8830 cstate->off_linkpl.constant_part += 4;
8831 cstate->off_linktype.constant_part += 4;
8832
8833 return b0;
8834 }
8835
8836 #if defined(SKF_AD_VLAN_TAG_PRESENT)
8837 /* add v to variable part of off */
8838 static void
8839 gen_vlan_vloffset_add(compiler_state_t *cstate, bpf_abs_offset *off,
8840 bpf_u_int32 v, struct slist *s)
8841 {
8842 struct slist *s2;
8843
8844 if (!off->is_variable)
8845 off->is_variable = 1;
8846 if (off->reg == -1)
8847 off->reg = alloc_reg(cstate);
8848
8849 s2 = new_stmt(cstate, BPF_LD|BPF_MEM);
8850 s2->s.k = off->reg;
8851 sappend(s, s2);
8852 s2 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_IMM);
8853 s2->s.k = v;
8854 sappend(s, s2);
8855 s2 = new_stmt(cstate, BPF_ST);
8856 s2->s.k = off->reg;
8857 sappend(s, s2);
8858 }
8859
8860 /*
8861 * patch block b_tpid (VLAN TPID test) to update variable parts of link payload
8862 * and link type offsets first
8863 */
8864 static void
8865 gen_vlan_patch_tpid_test(compiler_state_t *cstate, struct block *b_tpid)
8866 {
8867 struct slist s;
8868
8869 /* offset determined at run time, shift variable part */
8870 s.next = NULL;
8871 cstate->is_vlan_vloffset = 1;
8872 gen_vlan_vloffset_add(cstate, &cstate->off_linkpl, 4, &s);
8873 gen_vlan_vloffset_add(cstate, &cstate->off_linktype, 4, &s);
8874
8875 /* we get a pointer to a chain of or-ed blocks, patch first of them */
8876 sappend(s.next, b_tpid->head->stmts);
8877 b_tpid->head->stmts = s.next;
8878 }
8879
8880 /*
8881 * patch block b_vid (VLAN id test) to load VID value either from packet
8882 * metadata (using BPF extensions) if SKF_AD_VLAN_TAG_PRESENT is true
8883 */
8884 static void
8885 gen_vlan_patch_vid_test(compiler_state_t *cstate, struct block *b_vid)
8886 {
8887 struct slist *s, *s2, *sjeq;
8888 unsigned cnt;
8889
8890 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8891 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8892
8893 /* true -> next instructions, false -> beginning of b_vid */
8894 sjeq = new_stmt(cstate, JMP(BPF_JEQ));
8895 sjeq->s.k = 1;
8896 sjeq->s.jf = b_vid->stmts;
8897 sappend(s, sjeq);
8898
8899 s2 = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8900 s2->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG;
8901 sappend(s, s2);
8902 sjeq->s.jt = s2;
8903
8904 /* Jump to the test in b_vid. We need to jump one instruction before
8905 * the end of the b_vid block so that we only skip loading the TCI
8906 * from packet data and not the 'and' instruction extractging VID.
8907 */
8908 cnt = 0;
8909 for (s2 = b_vid->stmts; s2; s2 = s2->next)
8910 cnt++;
8911 s2 = new_stmt(cstate, JMP(BPF_JA));
8912 s2->s.k = cnt - 1;
8913 sappend(s, s2);
8914
8915 /* insert our statements at the beginning of b_vid */
8916 sappend(s, b_vid->stmts);
8917 b_vid->stmts = s;
8918 }
8919
8920 /*
8921 * Generate check for "vlan" or "vlan <id>" on systems with support for BPF
8922 * extensions. Even if kernel supports VLAN BPF extensions, (outermost) VLAN
8923 * tag can be either in metadata or in packet data; therefore if the
8924 * SKF_AD_VLAN_TAG_PRESENT test is negative, we need to check link
8925 * header for VLAN tag. As the decision is done at run time, we need
8926 * update variable part of the offsets
8927 */
8928 static struct block *
8929 gen_vlan_bpf_extensions(compiler_state_t *cstate, bpf_u_int32 vlan_num,
8930 int has_vlan_tag)
8931 {
8932 struct block *b0, *b_tpid, *b_vid = NULL;
8933 struct slist *s;
8934
8935 /* generate new filter code based on extracting packet
8936 * metadata */
8937 s = new_stmt(cstate, BPF_LD|BPF_B|BPF_ABS);
8938 s->s.k = SKF_AD_OFF + SKF_AD_VLAN_TAG_PRESENT;
8939
8940 b0 = new_block(cstate, JMP(BPF_JEQ));
8941 b0->stmts = s;
8942 b0->s.k = 1;
8943
8944 /*
8945 * This is tricky. We need to insert the statements updating variable
8946 * parts of offsets before the traditional TPID and VID tests so
8947 * that they are called whenever SKF_AD_VLAN_TAG_PRESENT fails but
8948 * we do not want this update to affect those checks. That's why we
8949 * generate both test blocks first and insert the statements updating
8950 * variable parts of both offsets after that. This wouldn't work if
8951 * there already were variable length link header when entering this
8952 * function but gen_vlan_bpf_extensions() isn't called in that case.
8953 */
8954 b_tpid = gen_vlan_tpid_test(cstate);
8955 if (has_vlan_tag)
8956 b_vid = gen_vlan_vid_test(cstate, vlan_num);
8957
8958 gen_vlan_patch_tpid_test(cstate, b_tpid);
8959 gen_or(b0, b_tpid);
8960 b0 = b_tpid;
8961
8962 if (has_vlan_tag) {
8963 gen_vlan_patch_vid_test(cstate, b_vid);
8964 gen_and(b0, b_vid);
8965 b0 = b_vid;
8966 }
8967
8968 return b0;
8969 }
8970 #endif
8971
8972 /*
8973 * support IEEE 802.1Q VLAN trunk over ethernet
8974 */
8975 struct block *
8976 gen_vlan(compiler_state_t *cstate, bpf_u_int32 vlan_num, int has_vlan_tag)
8977 {
8978 struct block *b0;
8979
8980 /*
8981 * Catch errors reported by us and routines below us, and return NULL
8982 * on an error.
8983 */
8984 if (setjmp(cstate->top_ctx))
8985 return (NULL);
8986
8987 /* can't check for VLAN-encapsulated packets inside MPLS */
8988 if (cstate->label_stack_depth > 0)
8989 bpf_error(cstate, "no VLAN match after MPLS");
8990
8991 /*
8992 * Check for a VLAN packet, and then change the offsets to point
8993 * to the type and data fields within the VLAN packet. Just
8994 * increment the offsets, so that we can support a hierarchy, e.g.
8995 * "vlan 300 && vlan 200" to capture VLAN 200 encapsulated within
8996 * VLAN 100.
8997 *
8998 * XXX - this is a bit of a kludge. If we were to split the
8999 * compiler into a parser that parses an expression and
9000 * generates an expression tree, and a code generator that
9001 * takes an expression tree (which could come from our
9002 * parser or from some other parser) and generates BPF code,
9003 * we could perhaps make the offsets parameters of routines
9004 * and, in the handler for an "AND" node, pass to subnodes
9005 * other than the VLAN node the adjusted offsets.
9006 *
9007 * This would mean that "vlan" would, instead of changing the
9008 * behavior of *all* tests after it, change only the behavior
9009 * of tests ANDed with it. That would change the documented
9010 * semantics of "vlan", which might break some expressions.
9011 * However, it would mean that "(vlan and ip) or ip" would check
9012 * both for VLAN-encapsulated IP and IP-over-Ethernet, rather than
9013 * checking only for VLAN-encapsulated IP, so that could still
9014 * be considered worth doing; it wouldn't break expressions
9015 * that are of the form "vlan and ..." or "vlan N and ...",
9016 * which I suspect are the most common expressions involving
9017 * "vlan". "vlan or ..." doesn't necessarily do what the user
9018 * would really want, now, as all the "or ..." tests would
9019 * be done assuming a VLAN, even though the "or" could be viewed
9020 * as meaning "or, if this isn't a VLAN packet...".
9021 */
9022 switch (cstate->linktype) {
9023
9024 case DLT_EN10MB:
9025 case DLT_NETANALYZER:
9026 case DLT_NETANALYZER_TRANSPARENT:
9027 #if defined(SKF_AD_VLAN_TAG_PRESENT)
9028 /* Verify that this is the outer part of the packet and
9029 * not encapsulated somehow. */
9030 if (cstate->vlan_stack_depth == 0 && !cstate->off_linkhdr.is_variable &&
9031 cstate->off_linkhdr.constant_part ==
9032 cstate->off_outermostlinkhdr.constant_part) {
9033 /*
9034 * Do we need special VLAN handling?
9035 */
9036 if (cstate->bpf_pcap->bpf_codegen_flags & BPF_SPECIAL_VLAN_HANDLING)
9037 b0 = gen_vlan_bpf_extensions(cstate, vlan_num,
9038 has_vlan_tag);
9039 else
9040 b0 = gen_vlan_no_bpf_extensions(cstate,
9041 vlan_num, has_vlan_tag);
9042 } else
9043 #endif
9044 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num,
9045 has_vlan_tag);
9046 break;
9047
9048 case DLT_IEEE802_11:
9049 case DLT_PRISM_HEADER:
9050 case DLT_IEEE802_11_RADIO_AVS:
9051 case DLT_IEEE802_11_RADIO:
9052 b0 = gen_vlan_no_bpf_extensions(cstate, vlan_num, has_vlan_tag);
9053 break;
9054
9055 default:
9056 bpf_error(cstate, "no VLAN support for %s",
9057 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9058 /*NOTREACHED*/
9059 }
9060
9061 cstate->vlan_stack_depth++;
9062
9063 return (b0);
9064 }
9065
9066 /*
9067 * support for MPLS
9068 *
9069 * The label_num_arg dance is to avoid annoying whining by compilers that
9070 * label_num might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9071 * It's not *used* after setjmp returns.
9072 */
9073 struct block *
9074 gen_mpls(compiler_state_t *cstate, bpf_u_int32 label_num_arg,
9075 int has_label_num)
9076 {
9077 volatile bpf_u_int32 label_num = label_num_arg;
9078 struct block *b0, *b1;
9079
9080 /*
9081 * Catch errors reported by us and routines below us, and return NULL
9082 * on an error.
9083 */
9084 if (setjmp(cstate->top_ctx))
9085 return (NULL);
9086
9087 if (cstate->label_stack_depth > 0) {
9088 /* just match the bottom-of-stack bit clear */
9089 b0 = gen_mcmp(cstate, OR_PREVMPLSHDR, 2, BPF_B, 0, 0x01);
9090 } else {
9091 /*
9092 * We're not in an MPLS stack yet, so check the link-layer
9093 * type against MPLS.
9094 */
9095 switch (cstate->linktype) {
9096
9097 case DLT_C_HDLC: /* fall through */
9098 case DLT_EN10MB:
9099 case DLT_NETANALYZER:
9100 case DLT_NETANALYZER_TRANSPARENT:
9101 b0 = gen_linktype(cstate, ETHERTYPE_MPLS);
9102 break;
9103
9104 case DLT_PPP:
9105 b0 = gen_linktype(cstate, PPP_MPLS_UCAST);
9106 break;
9107
9108 /* FIXME add other DLT_s ...
9109 * for Frame-Relay/and ATM this may get messy due to SNAP headers
9110 * leave it for now */
9111
9112 default:
9113 bpf_error(cstate, "no MPLS support for %s",
9114 pcap_datalink_val_to_description_or_dlt(cstate->linktype));
9115 /*NOTREACHED*/
9116 }
9117 }
9118
9119 /* If a specific MPLS label is requested, check it */
9120 if (has_label_num) {
9121 if (label_num > 0xFFFFF) {
9122 bpf_error(cstate, "MPLS label %u greater than maximum %u",
9123 label_num, 0xFFFFF);
9124 }
9125 label_num = label_num << 12; /* label is shifted 12 bits on the wire */
9126 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, label_num,
9127 0xfffff000); /* only compare the first 20 bits */
9128 gen_and(b0, b1);
9129 b0 = b1;
9130 }
9131
9132 /*
9133 * Change the offsets to point to the type and data fields within
9134 * the MPLS packet. Just increment the offsets, so that we
9135 * can support a hierarchy, e.g. "mpls 100000 && mpls 1024" to
9136 * capture packets with an outer label of 100000 and an inner
9137 * label of 1024.
9138 *
9139 * Increment the MPLS stack depth as well; this indicates that
9140 * we're checking MPLS-encapsulated headers, to make sure higher
9141 * level code generators don't try to match against IP-related
9142 * protocols such as Q_ARP, Q_RARP etc.
9143 *
9144 * XXX - this is a bit of a kludge. See comments in gen_vlan().
9145 */
9146 cstate->off_nl_nosnap += 4;
9147 cstate->off_nl += 4;
9148 cstate->label_stack_depth++;
9149 return (b0);
9150 }
9151
9152 /*
9153 * Support PPPOE discovery and session.
9154 */
9155 struct block *
9156 gen_pppoed(compiler_state_t *cstate)
9157 {
9158 /*
9159 * Catch errors reported by us and routines below us, and return NULL
9160 * on an error.
9161 */
9162 if (setjmp(cstate->top_ctx))
9163 return (NULL);
9164
9165 /* check for PPPoE discovery */
9166 return gen_linktype(cstate, ETHERTYPE_PPPOED);
9167 }
9168
9169 struct block *
9170 gen_pppoes(compiler_state_t *cstate, bpf_u_int32 sess_num, int has_sess_num)
9171 {
9172 struct block *b0, *b1;
9173
9174 /*
9175 * Catch errors reported by us and routines below us, and return NULL
9176 * on an error.
9177 */
9178 if (setjmp(cstate->top_ctx))
9179 return (NULL);
9180
9181 /*
9182 * Test against the PPPoE session link-layer type.
9183 */
9184 b0 = gen_linktype(cstate, ETHERTYPE_PPPOES);
9185
9186 /* If a specific session is requested, check PPPoE session id */
9187 if (has_sess_num) {
9188 if (sess_num > 0x0000ffff) {
9189 bpf_error(cstate, "PPPoE session number %u greater than maximum %u",
9190 sess_num, 0x0000ffff);
9191 }
9192 b1 = gen_mcmp(cstate, OR_LINKPL, 0, BPF_W, sess_num, 0x0000ffff);
9193 gen_and(b0, b1);
9194 b0 = b1;
9195 }
9196
9197 /*
9198 * Change the offsets to point to the type and data fields within
9199 * the PPP packet, and note that this is PPPoE rather than
9200 * raw PPP.
9201 *
9202 * XXX - this is a bit of a kludge. See the comments in
9203 * gen_vlan().
9204 *
9205 * The "network-layer" protocol is PPPoE, which has a 6-byte
9206 * PPPoE header, followed by a PPP packet.
9207 *
9208 * There is no HDLC encapsulation for the PPP packet (it's
9209 * encapsulated in PPPoES instead), so the link-layer type
9210 * starts at the first byte of the PPP packet. For PPPoE,
9211 * that offset is relative to the beginning of the total
9212 * link-layer payload, including any 802.2 LLC header, so
9213 * it's 6 bytes past cstate->off_nl.
9214 */
9215 PUSH_LINKHDR(cstate, DLT_PPP, cstate->off_linkpl.is_variable,
9216 cstate->off_linkpl.constant_part + cstate->off_nl + 6, /* 6 bytes past the PPPoE header */
9217 cstate->off_linkpl.reg);
9218
9219 cstate->off_linktype = cstate->off_linkhdr;
9220 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 2;
9221
9222 cstate->off_nl = 0;
9223 cstate->off_nl_nosnap = 0; /* no 802.2 LLC */
9224
9225 return b0;
9226 }
9227
9228 /* Check that this is Geneve and the VNI is correct if
9229 * specified. Parameterized to handle both IPv4 and IPv6. */
9230 static struct block *
9231 gen_geneve_check(compiler_state_t *cstate,
9232 struct block *(*gen_portfn)(compiler_state_t *, u_int, int, int),
9233 enum e_offrel offrel, bpf_u_int32 vni, int has_vni)
9234 {
9235 struct block *b0, *b1;
9236
9237 b0 = gen_portfn(cstate, GENEVE_PORT, IPPROTO_UDP, Q_DST);
9238
9239 /* Check that we are operating on version 0. Otherwise, we
9240 * can't decode the rest of the fields. The version is 2 bits
9241 * in the first byte of the Geneve header. */
9242 b1 = gen_mcmp(cstate, offrel, 8, BPF_B, 0, 0xc0);
9243 gen_and(b0, b1);
9244 b0 = b1;
9245
9246 if (has_vni) {
9247 if (vni > 0xffffff) {
9248 bpf_error(cstate, "Geneve VNI %u greater than maximum %u",
9249 vni, 0xffffff);
9250 }
9251 vni <<= 8; /* VNI is in the upper 3 bytes */
9252 b1 = gen_mcmp(cstate, offrel, 12, BPF_W, vni, 0xffffff00);
9253 gen_and(b0, b1);
9254 b0 = b1;
9255 }
9256
9257 return b0;
9258 }
9259
9260 /* The IPv4 and IPv6 Geneve checks need to do two things:
9261 * - Verify that this actually is Geneve with the right VNI.
9262 * - Place the IP header length (plus variable link prefix if
9263 * needed) into register A to be used later to compute
9264 * the inner packet offsets. */
9265 static struct block *
9266 gen_geneve4(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9267 {
9268 struct block *b0, *b1;
9269 struct slist *s, *s1;
9270
9271 b0 = gen_geneve_check(cstate, gen_port, OR_TRAN_IPV4, vni, has_vni);
9272
9273 /* Load the IP header length into A. */
9274 s = gen_loadx_iphdrlen(cstate);
9275
9276 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9277 sappend(s, s1);
9278
9279 /* Forcibly append these statements to the true condition
9280 * of the protocol check by creating a new block that is
9281 * always true and ANDing them. */
9282 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9283 b1->stmts = s;
9284 b1->s.k = 0;
9285
9286 gen_and(b0, b1);
9287
9288 return b1;
9289 }
9290
9291 static struct block *
9292 gen_geneve6(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9293 {
9294 struct block *b0, *b1;
9295 struct slist *s, *s1;
9296
9297 b0 = gen_geneve_check(cstate, gen_port6, OR_TRAN_IPV6, vni, has_vni);
9298
9299 /* Load the IP header length. We need to account for a
9300 * variable length link prefix if there is one. */
9301 s = gen_abs_offset_varpart(cstate, &cstate->off_linkpl);
9302 if (s) {
9303 s1 = new_stmt(cstate, BPF_LD|BPF_IMM);
9304 s1->s.k = 40;
9305 sappend(s, s1);
9306
9307 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9308 s1->s.k = 0;
9309 sappend(s, s1);
9310 } else {
9311 s = new_stmt(cstate, BPF_LD|BPF_IMM);
9312 s->s.k = 40;
9313 }
9314
9315 /* Forcibly append these statements to the true condition
9316 * of the protocol check by creating a new block that is
9317 * always true and ANDing them. */
9318 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9319 sappend(s, s1);
9320
9321 b1 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9322 b1->stmts = s;
9323 b1->s.k = 0;
9324
9325 gen_and(b0, b1);
9326
9327 return b1;
9328 }
9329
9330 /* We need to store three values based on the Geneve header::
9331 * - The offset of the linktype.
9332 * - The offset of the end of the Geneve header.
9333 * - The offset of the end of the encapsulated MAC header. */
9334 static struct slist *
9335 gen_geneve_offsets(compiler_state_t *cstate)
9336 {
9337 struct slist *s, *s1, *s_proto;
9338
9339 /* First we need to calculate the offset of the Geneve header
9340 * itself. This is composed of the IP header previously calculated
9341 * (include any variable link prefix) and stored in A plus the
9342 * fixed sized headers (fixed link prefix, MAC length, and UDP
9343 * header). */
9344 s = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9345 s->s.k = cstate->off_linkpl.constant_part + cstate->off_nl + 8;
9346
9347 /* Stash this in X since we'll need it later. */
9348 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9349 sappend(s, s1);
9350
9351 /* The EtherType in Geneve is 2 bytes in. Calculate this and
9352 * store it. */
9353 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9354 s1->s.k = 2;
9355 sappend(s, s1);
9356
9357 cstate->off_linktype.reg = alloc_reg(cstate);
9358 cstate->off_linktype.is_variable = 1;
9359 cstate->off_linktype.constant_part = 0;
9360
9361 s1 = new_stmt(cstate, BPF_ST);
9362 s1->s.k = cstate->off_linktype.reg;
9363 sappend(s, s1);
9364
9365 /* Load the Geneve option length and mask and shift to get the
9366 * number of bytes. It is stored in the first byte of the Geneve
9367 * header. */
9368 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_B);
9369 s1->s.k = 0;
9370 sappend(s, s1);
9371
9372 s1 = new_stmt(cstate, BPF_ALU|BPF_AND|BPF_K);
9373 s1->s.k = 0x3f;
9374 sappend(s, s1);
9375
9376 s1 = new_stmt(cstate, BPF_ALU|BPF_MUL|BPF_K);
9377 s1->s.k = 4;
9378 sappend(s, s1);
9379
9380 /* Add in the rest of the Geneve base header. */
9381 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9382 s1->s.k = 8;
9383 sappend(s, s1);
9384
9385 /* Add the Geneve header length to its offset and store. */
9386 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_X);
9387 s1->s.k = 0;
9388 sappend(s, s1);
9389
9390 /* Set the encapsulated type as Ethernet. Even though we may
9391 * not actually have Ethernet inside there are two reasons this
9392 * is useful:
9393 * - The linktype field is always in EtherType format regardless
9394 * of whether it is in Geneve or an inner Ethernet frame.
9395 * - The only link layer that we have specific support for is
9396 * Ethernet. We will confirm that the packet actually is
9397 * Ethernet at runtime before executing these checks. */
9398 PUSH_LINKHDR(cstate, DLT_EN10MB, 1, 0, alloc_reg(cstate));
9399
9400 s1 = new_stmt(cstate, BPF_ST);
9401 s1->s.k = cstate->off_linkhdr.reg;
9402 sappend(s, s1);
9403
9404 /* Calculate whether we have an Ethernet header or just raw IP/
9405 * MPLS/etc. If we have Ethernet, advance the end of the MAC offset
9406 * and linktype by 14 bytes so that the network header can be found
9407 * seamlessly. Otherwise, keep what we've calculated already. */
9408
9409 /* We have a bare jmp so we can't use the optimizer. */
9410 cstate->no_optimize = 1;
9411
9412 /* Load the EtherType in the Geneve header, 2 bytes in. */
9413 s1 = new_stmt(cstate, BPF_LD|BPF_IND|BPF_H);
9414 s1->s.k = 2;
9415 sappend(s, s1);
9416
9417 /* Load X with the end of the Geneve header. */
9418 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9419 s1->s.k = cstate->off_linkhdr.reg;
9420 sappend(s, s1);
9421
9422 /* Check if the EtherType is Transparent Ethernet Bridging. At the
9423 * end of this check, we should have the total length in X. In
9424 * the non-Ethernet case, it's already there. */
9425 s_proto = new_stmt(cstate, JMP(BPF_JEQ));
9426 s_proto->s.k = ETHERTYPE_TEB;
9427 sappend(s, s_proto);
9428
9429 s1 = new_stmt(cstate, BPF_MISC|BPF_TXA);
9430 sappend(s, s1);
9431 s_proto->s.jt = s1;
9432
9433 /* Since this is Ethernet, use the EtherType of the payload
9434 * directly as the linktype. Overwrite what we already have. */
9435 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9436 s1->s.k = 12;
9437 sappend(s, s1);
9438
9439 s1 = new_stmt(cstate, BPF_ST);
9440 s1->s.k = cstate->off_linktype.reg;
9441 sappend(s, s1);
9442
9443 /* Advance two bytes further to get the end of the Ethernet
9444 * header. */
9445 s1 = new_stmt(cstate, BPF_ALU|BPF_ADD|BPF_K);
9446 s1->s.k = 2;
9447 sappend(s, s1);
9448
9449 /* Move the result to X. */
9450 s1 = new_stmt(cstate, BPF_MISC|BPF_TAX);
9451 sappend(s, s1);
9452
9453 /* Store the final result of our linkpl calculation. */
9454 cstate->off_linkpl.reg = alloc_reg(cstate);
9455 cstate->off_linkpl.is_variable = 1;
9456 cstate->off_linkpl.constant_part = 0;
9457
9458 s1 = new_stmt(cstate, BPF_STX);
9459 s1->s.k = cstate->off_linkpl.reg;
9460 sappend(s, s1);
9461 s_proto->s.jf = s1;
9462
9463 cstate->off_nl = 0;
9464
9465 return s;
9466 }
9467
9468 /* Check to see if this is a Geneve packet. */
9469 struct block *
9470 gen_geneve(compiler_state_t *cstate, bpf_u_int32 vni, int has_vni)
9471 {
9472 struct block *b0, *b1;
9473 struct slist *s;
9474
9475 /*
9476 * Catch errors reported by us and routines below us, and return NULL
9477 * on an error.
9478 */
9479 if (setjmp(cstate->top_ctx))
9480 return (NULL);
9481
9482 b0 = gen_geneve4(cstate, vni, has_vni);
9483 b1 = gen_geneve6(cstate, vni, has_vni);
9484
9485 gen_or(b0, b1);
9486 b0 = b1;
9487
9488 /* Later filters should act on the payload of the Geneve frame,
9489 * update all of the header pointers. Attach this code so that
9490 * it gets executed in the event that the Geneve filter matches. */
9491 s = gen_geneve_offsets(cstate);
9492
9493 b1 = gen_true(cstate);
9494 sappend(s, b1->stmts);
9495 b1->stmts = s;
9496
9497 gen_and(b0, b1);
9498
9499 cstate->is_geneve = 1;
9500
9501 return b1;
9502 }
9503
9504 /* Check that the encapsulated frame has a link layer header
9505 * for Ethernet filters. */
9506 static struct block *
9507 gen_geneve_ll_check(compiler_state_t *cstate)
9508 {
9509 struct block *b0;
9510 struct slist *s, *s1;
9511
9512 /* The easiest way to see if there is a link layer present
9513 * is to check if the link layer header and payload are not
9514 * the same. */
9515
9516 /* Geneve always generates pure variable offsets so we can
9517 * compare only the registers. */
9518 s = new_stmt(cstate, BPF_LD|BPF_MEM);
9519 s->s.k = cstate->off_linkhdr.reg;
9520
9521 s1 = new_stmt(cstate, BPF_LDX|BPF_MEM);
9522 s1->s.k = cstate->off_linkpl.reg;
9523 sappend(s, s1);
9524
9525 b0 = new_block(cstate, BPF_JMP|BPF_JEQ|BPF_X);
9526 b0->stmts = s;
9527 b0->s.k = 0;
9528 gen_not(b0);
9529
9530 return b0;
9531 }
9532
9533 static struct block *
9534 gen_atmfield_code_internal(compiler_state_t *cstate, int atmfield,
9535 bpf_u_int32 jvalue, int jtype, int reverse)
9536 {
9537 struct block *b0;
9538
9539 switch (atmfield) {
9540
9541 case A_VPI:
9542 if (!cstate->is_atm)
9543 bpf_error(cstate, "'vpi' supported only on raw ATM");
9544 if (cstate->off_vpi == OFFSET_NOT_SET)
9545 abort();
9546 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vpi, BPF_B,
9547 0xffffffffU, jtype, reverse, jvalue);
9548 break;
9549
9550 case A_VCI:
9551 if (!cstate->is_atm)
9552 bpf_error(cstate, "'vci' supported only on raw ATM");
9553 if (cstate->off_vci == OFFSET_NOT_SET)
9554 abort();
9555 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_vci, BPF_H,
9556 0xffffffffU, jtype, reverse, jvalue);
9557 break;
9558
9559 case A_PROTOTYPE:
9560 if (cstate->off_proto == OFFSET_NOT_SET)
9561 abort(); /* XXX - this isn't on FreeBSD */
9562 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B,
9563 0x0fU, jtype, reverse, jvalue);
9564 break;
9565
9566 case A_MSGTYPE:
9567 if (cstate->off_payload == OFFSET_NOT_SET)
9568 abort();
9569 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_payload + MSG_TYPE_POS, BPF_B,
9570 0xffffffffU, jtype, reverse, jvalue);
9571 break;
9572
9573 case A_CALLREFTYPE:
9574 if (!cstate->is_atm)
9575 bpf_error(cstate, "'callref' supported only on raw ATM");
9576 if (cstate->off_proto == OFFSET_NOT_SET)
9577 abort();
9578 b0 = gen_ncmp(cstate, OR_LINKHDR, cstate->off_proto, BPF_B,
9579 0xffffffffU, jtype, reverse, jvalue);
9580 break;
9581
9582 default:
9583 abort();
9584 }
9585 return b0;
9586 }
9587
9588 static struct block *
9589 gen_atmtype_metac(compiler_state_t *cstate)
9590 {
9591 struct block *b0, *b1;
9592
9593 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9594 b1 = gen_atmfield_code_internal(cstate, A_VCI, 1, BPF_JEQ, 0);
9595 gen_and(b0, b1);
9596 return b1;
9597 }
9598
9599 static struct block *
9600 gen_atmtype_sc(compiler_state_t *cstate)
9601 {
9602 struct block *b0, *b1;
9603
9604 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9605 b1 = gen_atmfield_code_internal(cstate, A_VCI, 5, BPF_JEQ, 0);
9606 gen_and(b0, b1);
9607 return b1;
9608 }
9609
9610 static struct block *
9611 gen_atmtype_llc(compiler_state_t *cstate)
9612 {
9613 struct block *b0;
9614
9615 b0 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LLC, BPF_JEQ, 0);
9616 cstate->linktype = cstate->prevlinktype;
9617 return b0;
9618 }
9619
9620 struct block *
9621 gen_atmfield_code(compiler_state_t *cstate, int atmfield,
9622 bpf_u_int32 jvalue, int jtype, int reverse)
9623 {
9624 /*
9625 * Catch errors reported by us and routines below us, and return NULL
9626 * on an error.
9627 */
9628 if (setjmp(cstate->top_ctx))
9629 return (NULL);
9630
9631 return gen_atmfield_code_internal(cstate, atmfield, jvalue, jtype,
9632 reverse);
9633 }
9634
9635 struct block *
9636 gen_atmtype_abbrev(compiler_state_t *cstate, int type)
9637 {
9638 struct block *b0, *b1;
9639
9640 /*
9641 * Catch errors reported by us and routines below us, and return NULL
9642 * on an error.
9643 */
9644 if (setjmp(cstate->top_ctx))
9645 return (NULL);
9646
9647 switch (type) {
9648
9649 case A_METAC:
9650 /* Get all packets in Meta signalling Circuit */
9651 if (!cstate->is_atm)
9652 bpf_error(cstate, "'metac' supported only on raw ATM");
9653 b1 = gen_atmtype_metac(cstate);
9654 break;
9655
9656 case A_BCC:
9657 /* Get all packets in Broadcast Circuit*/
9658 if (!cstate->is_atm)
9659 bpf_error(cstate, "'bcc' supported only on raw ATM");
9660 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9661 b1 = gen_atmfield_code_internal(cstate, A_VCI, 2, BPF_JEQ, 0);
9662 gen_and(b0, b1);
9663 break;
9664
9665 case A_OAMF4SC:
9666 /* Get all cells in Segment OAM F4 circuit*/
9667 if (!cstate->is_atm)
9668 bpf_error(cstate, "'oam4sc' supported only on raw ATM");
9669 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9670 b1 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9671 gen_and(b0, b1);
9672 break;
9673
9674 case A_OAMF4EC:
9675 /* Get all cells in End-to-End OAM F4 Circuit*/
9676 if (!cstate->is_atm)
9677 bpf_error(cstate, "'oam4ec' supported only on raw ATM");
9678 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9679 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
9680 gen_and(b0, b1);
9681 break;
9682
9683 case A_SC:
9684 /* Get all packets in connection Signalling Circuit */
9685 if (!cstate->is_atm)
9686 bpf_error(cstate, "'sc' supported only on raw ATM");
9687 b1 = gen_atmtype_sc(cstate);
9688 break;
9689
9690 case A_ILMIC:
9691 /* Get all packets in ILMI Circuit */
9692 if (!cstate->is_atm)
9693 bpf_error(cstate, "'ilmic' supported only on raw ATM");
9694 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
9695 b1 = gen_atmfield_code_internal(cstate, A_VCI, 16, BPF_JEQ, 0);
9696 gen_and(b0, b1);
9697 break;
9698
9699 case A_LANE:
9700 /* Get all LANE packets */
9701 if (!cstate->is_atm)
9702 bpf_error(cstate, "'lane' supported only on raw ATM");
9703 b1 = gen_atmfield_code_internal(cstate, A_PROTOTYPE, PT_LANE, BPF_JEQ, 0);
9704
9705 /*
9706 * Arrange that all subsequent tests assume LANE
9707 * rather than LLC-encapsulated packets, and set
9708 * the offsets appropriately for LANE-encapsulated
9709 * Ethernet.
9710 *
9711 * We assume LANE means Ethernet, not Token Ring.
9712 */
9713 PUSH_LINKHDR(cstate, DLT_EN10MB, 0,
9714 cstate->off_payload + 2, /* Ethernet header */
9715 -1);
9716 cstate->off_linktype.constant_part = cstate->off_linkhdr.constant_part + 12;
9717 cstate->off_linkpl.constant_part = cstate->off_linkhdr.constant_part + 14; /* Ethernet */
9718 cstate->off_nl = 0; /* Ethernet II */
9719 cstate->off_nl_nosnap = 3; /* 802.3+802.2 */
9720 break;
9721
9722 case A_LLC:
9723 /* Get all LLC-encapsulated packets */
9724 if (!cstate->is_atm)
9725 bpf_error(cstate, "'llc' supported only on raw ATM");
9726 b1 = gen_atmtype_llc(cstate);
9727 break;
9728
9729 default:
9730 abort();
9731 }
9732 return b1;
9733 }
9734
9735 /*
9736 * Filtering for MTP2 messages based on li value
9737 * FISU, length is null
9738 * LSSU, length is 1 or 2
9739 * MSU, length is 3 or more
9740 * For MTP2_HSL, sequences are on 2 bytes, and length on 9 bits
9741 */
9742 struct block *
9743 gen_mtp2type_abbrev(compiler_state_t *cstate, int type)
9744 {
9745 struct block *b0, *b1;
9746
9747 /*
9748 * Catch errors reported by us and routines below us, and return NULL
9749 * on an error.
9750 */
9751 if (setjmp(cstate->top_ctx))
9752 return (NULL);
9753
9754 switch (type) {
9755
9756 case M_FISU:
9757 if ( (cstate->linktype != DLT_MTP2) &&
9758 (cstate->linktype != DLT_ERF) &&
9759 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9760 bpf_error(cstate, "'fisu' supported only on MTP2");
9761 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
9762 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9763 0x3fU, BPF_JEQ, 0, 0U);
9764 break;
9765
9766 case M_LSSU:
9767 if ( (cstate->linktype != DLT_MTP2) &&
9768 (cstate->linktype != DLT_ERF) &&
9769 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9770 bpf_error(cstate, "'lssu' supported only on MTP2");
9771 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9772 0x3fU, BPF_JGT, 1, 2U);
9773 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9774 0x3fU, BPF_JGT, 0, 0U);
9775 gen_and(b1, b0);
9776 break;
9777
9778 case M_MSU:
9779 if ( (cstate->linktype != DLT_MTP2) &&
9780 (cstate->linktype != DLT_ERF) &&
9781 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9782 bpf_error(cstate, "'msu' supported only on MTP2");
9783 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li, BPF_B,
9784 0x3fU, BPF_JGT, 0, 2U);
9785 break;
9786
9787 case MH_FISU:
9788 if ( (cstate->linktype != DLT_MTP2) &&
9789 (cstate->linktype != DLT_ERF) &&
9790 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9791 bpf_error(cstate, "'hfisu' supported only on MTP2_HSL");
9792 /* gen_ncmp(cstate, offrel, offset, size, mask, jtype, reverse, value) */
9793 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9794 0xff80U, BPF_JEQ, 0, 0U);
9795 break;
9796
9797 case MH_LSSU:
9798 if ( (cstate->linktype != DLT_MTP2) &&
9799 (cstate->linktype != DLT_ERF) &&
9800 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9801 bpf_error(cstate, "'hlssu' supported only on MTP2_HSL");
9802 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9803 0xff80U, BPF_JGT, 1, 0x0100U);
9804 b1 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9805 0xff80U, BPF_JGT, 0, 0U);
9806 gen_and(b1, b0);
9807 break;
9808
9809 case MH_MSU:
9810 if ( (cstate->linktype != DLT_MTP2) &&
9811 (cstate->linktype != DLT_ERF) &&
9812 (cstate->linktype != DLT_MTP2_WITH_PHDR) )
9813 bpf_error(cstate, "'hmsu' supported only on MTP2_HSL");
9814 b0 = gen_ncmp(cstate, OR_PACKET, cstate->off_li_hsl, BPF_H,
9815 0xff80U, BPF_JGT, 0, 0x0100U);
9816 break;
9817
9818 default:
9819 abort();
9820 }
9821 return b0;
9822 }
9823
9824 /*
9825 * The jvalue_arg dance is to avoid annoying whining by compilers that
9826 * jvalue might be clobbered by longjmp - yeah, it might, but *WHO CARES*?
9827 * It's not *used* after setjmp returns.
9828 */
9829 struct block *
9830 gen_mtp3field_code(compiler_state_t *cstate, int mtp3field,
9831 bpf_u_int32 jvalue_arg, int jtype, int reverse)
9832 {
9833 volatile bpf_u_int32 jvalue = jvalue_arg;
9834 struct block *b0;
9835 bpf_u_int32 val1 , val2 , val3;
9836 u_int newoff_sio;
9837 u_int newoff_opc;
9838 u_int newoff_dpc;
9839 u_int newoff_sls;
9840
9841 /*
9842 * Catch errors reported by us and routines below us, and return NULL
9843 * on an error.
9844 */
9845 if (setjmp(cstate->top_ctx))
9846 return (NULL);
9847
9848 newoff_sio = cstate->off_sio;
9849 newoff_opc = cstate->off_opc;
9850 newoff_dpc = cstate->off_dpc;
9851 newoff_sls = cstate->off_sls;
9852 switch (mtp3field) {
9853
9854 case MH_SIO:
9855 newoff_sio += 3; /* offset for MTP2_HSL */
9856 /* FALLTHROUGH */
9857
9858 case M_SIO:
9859 if (cstate->off_sio == OFFSET_NOT_SET)
9860 bpf_error(cstate, "'sio' supported only on SS7");
9861 /* sio coded on 1 byte so max value 255 */
9862 if(jvalue > 255)
9863 bpf_error(cstate, "sio value %u too big; max value = 255",
9864 jvalue);
9865 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sio, BPF_B, 0xffffffffU,
9866 jtype, reverse, jvalue);
9867 break;
9868
9869 case MH_OPC:
9870 newoff_opc += 3;
9871
9872 /* FALLTHROUGH */
9873 case M_OPC:
9874 if (cstate->off_opc == OFFSET_NOT_SET)
9875 bpf_error(cstate, "'opc' supported only on SS7");
9876 /* opc coded on 14 bits so max value 16383 */
9877 if (jvalue > 16383)
9878 bpf_error(cstate, "opc value %u too big; max value = 16383",
9879 jvalue);
9880 /* the following instructions are made to convert jvalue
9881 * to the form used to write opc in an ss7 message*/
9882 val1 = jvalue & 0x00003c00;
9883 val1 = val1 >>10;
9884 val2 = jvalue & 0x000003fc;
9885 val2 = val2 <<6;
9886 val3 = jvalue & 0x00000003;
9887 val3 = val3 <<22;
9888 jvalue = val1 + val2 + val3;
9889 b0 = gen_ncmp(cstate, OR_PACKET, newoff_opc, BPF_W, 0x00c0ff0fU,
9890 jtype, reverse, jvalue);
9891 break;
9892
9893 case MH_DPC:
9894 newoff_dpc += 3;
9895 /* FALLTHROUGH */
9896
9897 case M_DPC:
9898 if (cstate->off_dpc == OFFSET_NOT_SET)
9899 bpf_error(cstate, "'dpc' supported only on SS7");
9900 /* dpc coded on 14 bits so max value 16383 */
9901 if (jvalue > 16383)
9902 bpf_error(cstate, "dpc value %u too big; max value = 16383",
9903 jvalue);
9904 /* the following instructions are made to convert jvalue
9905 * to the forme used to write dpc in an ss7 message*/
9906 val1 = jvalue & 0x000000ff;
9907 val1 = val1 << 24;
9908 val2 = jvalue & 0x00003f00;
9909 val2 = val2 << 8;
9910 jvalue = val1 + val2;
9911 b0 = gen_ncmp(cstate, OR_PACKET, newoff_dpc, BPF_W, 0xff3f0000U,
9912 jtype, reverse, jvalue);
9913 break;
9914
9915 case MH_SLS:
9916 newoff_sls += 3;
9917 /* FALLTHROUGH */
9918
9919 case M_SLS:
9920 if (cstate->off_sls == OFFSET_NOT_SET)
9921 bpf_error(cstate, "'sls' supported only on SS7");
9922 /* sls coded on 4 bits so max value 15 */
9923 if (jvalue > 15)
9924 bpf_error(cstate, "sls value %u too big; max value = 15",
9925 jvalue);
9926 /* the following instruction is made to convert jvalue
9927 * to the forme used to write sls in an ss7 message*/
9928 jvalue = jvalue << 4;
9929 b0 = gen_ncmp(cstate, OR_PACKET, newoff_sls, BPF_B, 0xf0U,
9930 jtype, reverse, jvalue);
9931 break;
9932
9933 default:
9934 abort();
9935 }
9936 return b0;
9937 }
9938
9939 static struct block *
9940 gen_msg_abbrev(compiler_state_t *cstate, int type)
9941 {
9942 struct block *b1;
9943
9944 /*
9945 * Q.2931 signalling protocol messages for handling virtual circuits
9946 * establishment and teardown
9947 */
9948 switch (type) {
9949
9950 case A_SETUP:
9951 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, SETUP, BPF_JEQ, 0);
9952 break;
9953
9954 case A_CALLPROCEED:
9955 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CALL_PROCEED, BPF_JEQ, 0);
9956 break;
9957
9958 case A_CONNECT:
9959 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT, BPF_JEQ, 0);
9960 break;
9961
9962 case A_CONNECTACK:
9963 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, CONNECT_ACK, BPF_JEQ, 0);
9964 break;
9965
9966 case A_RELEASE:
9967 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE, BPF_JEQ, 0);
9968 break;
9969
9970 case A_RELEASE_DONE:
9971 b1 = gen_atmfield_code_internal(cstate, A_MSGTYPE, RELEASE_DONE, BPF_JEQ, 0);
9972 break;
9973
9974 default:
9975 abort();
9976 }
9977 return b1;
9978 }
9979
9980 struct block *
9981 gen_atmmulti_abbrev(compiler_state_t *cstate, int type)
9982 {
9983 struct block *b0, *b1;
9984
9985 /*
9986 * Catch errors reported by us and routines below us, and return NULL
9987 * on an error.
9988 */
9989 if (setjmp(cstate->top_ctx))
9990 return (NULL);
9991
9992 switch (type) {
9993
9994 case A_OAM:
9995 if (!cstate->is_atm)
9996 bpf_error(cstate, "'oam' supported only on raw ATM");
9997 /* OAM F4 type */
9998 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
9999 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10000 gen_or(b0, b1);
10001 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10002 gen_and(b0, b1);
10003 break;
10004
10005 case A_OAMF4:
10006 if (!cstate->is_atm)
10007 bpf_error(cstate, "'oamf4' supported only on raw ATM");
10008 /* OAM F4 type */
10009 b0 = gen_atmfield_code_internal(cstate, A_VCI, 3, BPF_JEQ, 0);
10010 b1 = gen_atmfield_code_internal(cstate, A_VCI, 4, BPF_JEQ, 0);
10011 gen_or(b0, b1);
10012 b0 = gen_atmfield_code_internal(cstate, A_VPI, 0, BPF_JEQ, 0);
10013 gen_and(b0, b1);
10014 break;
10015
10016 case A_CONNECTMSG:
10017 /*
10018 * Get Q.2931 signalling messages for switched
10019 * virtual connection
10020 */
10021 if (!cstate->is_atm)
10022 bpf_error(cstate, "'connectmsg' supported only on raw ATM");
10023 b0 = gen_msg_abbrev(cstate, A_SETUP);
10024 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
10025 gen_or(b0, b1);
10026 b0 = gen_msg_abbrev(cstate, A_CONNECT);
10027 gen_or(b0, b1);
10028 b0 = gen_msg_abbrev(cstate, A_CONNECTACK);
10029 gen_or(b0, b1);
10030 b0 = gen_msg_abbrev(cstate, A_RELEASE);
10031 gen_or(b0, b1);
10032 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
10033 gen_or(b0, b1);
10034 b0 = gen_atmtype_sc(cstate);
10035 gen_and(b0, b1);
10036 break;
10037
10038 case A_METACONNECT:
10039 if (!cstate->is_atm)
10040 bpf_error(cstate, "'metaconnect' supported only on raw ATM");
10041 b0 = gen_msg_abbrev(cstate, A_SETUP);
10042 b1 = gen_msg_abbrev(cstate, A_CALLPROCEED);
10043 gen_or(b0, b1);
10044 b0 = gen_msg_abbrev(cstate, A_CONNECT);
10045 gen_or(b0, b1);
10046 b0 = gen_msg_abbrev(cstate, A_RELEASE);
10047 gen_or(b0, b1);
10048 b0 = gen_msg_abbrev(cstate, A_RELEASE_DONE);
10049 gen_or(b0, b1);
10050 b0 = gen_atmtype_metac(cstate);
10051 gen_and(b0, b1);
10052 break;
10053
10054 default:
10055 abort();
10056 }
10057 return b1;
10058 }
[mirror] the LIBpcap interface to various kernel packet capture mechanism